From 5b29d97a015eacc14425518fa5e4b4467931c12e Mon Sep 17 00:00:00 2001 From: no author Date: Thu, 15 May 2003 02:34:38 +0000 Subject: [PATCH] This commit was manufactured by cvs2svn to create tag 'krb5-1-3-beta1'. git-svn-id: svn://anonsvn.mit.edu/krb5/tags/krb5-1-3-beta1@15445 dc483132-0cff-0310-8789-dd5450dbe970 --- README | 129 +++- doc/ChangeLog | 20 + doc/api/ChangeLog | 4 + doc/api/krb5.tex | 31 +- doc/definitions.texinfo | 4 +- doc/install.texinfo | 4 +- doc/krb4-xrealm.txt | 143 ++++ src/ChangeLog | 36 + src/aclocal.m4 | 29 +- src/appl/bsd/ChangeLog | 17 + src/appl/bsd/krcp.c | 12 +- src/appl/bsd/krlogin.c | 4 +- src/appl/bsd/krlogind.c | 2 +- src/appl/bsd/krsh.c | 4 +- src/appl/bsd/krshd.c | 10 +- src/appl/gssftp/ftpd/ChangeLog | 4 + src/appl/gssftp/ftpd/ftpd.c | 1 - src/appl/telnet/libtelnet/ChangeLog | 26 + src/appl/telnet/libtelnet/Makefile.in | 22 +- src/appl/telnet/libtelnet/configure.in | 5 +- src/appl/telnet/libtelnet/kerberos.c | 9 +- src/appl/telnet/libtelnet/kerberos5.c | 21 +- src/appl/telnet/telnet/ChangeLog | 4 + src/appl/telnet/telnet/externs.h | 4 - src/appl/telnet/telnetd/ChangeLog | 4 + src/appl/telnet/telnetd/telnetd.h | 1 - src/clients/ksu/ChangeLog | 7 + src/clients/ksu/heuristic.c | 2 +- src/clients/ksu/krb_auth_su.c | 4 +- src/config/ChangeLog | 12 + src/config/post.in | 3 +- src/config/pre.in | 5 +- src/include/ChangeLog | 71 ++ src/include/configure.in | 3 + src/include/fake-addrinfo.h | 75 +- src/include/k5-int.h | 51 +- src/include/krb5.hin | 53 +- src/include/port-sockets.h | 15 + src/kadmin/dbutil/ChangeLog | 4 + src/kadmin/dbutil/kdb5_destroy.c | 1 - src/kadmin/dbutil/kdb5_stash.c | 2 - src/kdc/ChangeLog | 56 ++ src/kdc/do_tgs_req.c | 2 +- src/kdc/kdc_preauth.c | 256 +++++-- src/kdc/kdc_util.c | 10 +- src/kdc/kdc_util.h | 1 + src/kdc/kerberos_v4.c | 129 ++-- src/kdc/main.c | 9 +- src/krb5-config.in | 5 +- src/krb524/ChangeLog | 13 + src/krb524/cnv_tkt_skey.c | 20 +- src/krb524/krb524d.c | 38 +- src/lib/ChangeLog | 14 + src/lib/crypto/ChangeLog | 18 + src/lib/crypto/aes/ChangeLog | 15 + src/lib/crypto/aes/aes_s2k.c | 40 +- src/lib/crypto/aes/uitypes.h | 2 +- src/lib/crypto/dk/ChangeLog | 20 + src/lib/crypto/dk/dk.h | 19 + src/lib/crypto/dk/dk_decrypt.c | 51 +- src/lib/crypto/dk/dk_encrypt.c | 174 ++++- src/lib/crypto/enc_provider/ChangeLog | 11 + src/lib/crypto/enc_provider/aes.c | 78 ++- src/lib/crypto/etypes.c | 14 +- src/lib/crypto/pbkdf2.c | 25 +- src/lib/crypto/string_to_key.c | 1 - src/lib/des425/ChangeLog | 5 + src/lib/des425/quad_cksum.c | 4 - src/lib/des425/t_pcbc.c | 2 - src/lib/des425/t_quad.c | 2 - src/lib/des425/verify.c | 2 - src/lib/gssapi/krb5/ChangeLog | 23 + src/lib/gssapi/krb5/accept_sec_context.c | 9 +- src/lib/gssapi/krb5/gssapiP_krb5.h | 2 +- src/lib/gssapi/krb5/gssapi_krb5.h | 3 - src/lib/gssapi/krb5/init_sec_context.c | 5 +- src/lib/kadm5/ChangeLog | 10 + src/lib/kadm5/alt_prof.c | 2 +- src/lib/kadm5/srv/ChangeLog | 6 + src/lib/kadm5/srv/Makefile.in | 8 +- src/lib/kdb/ChangeLog | 23 + src/lib/kdb/Makefile.in | 15 +- src/lib/kdb/keytab.c | 49 +- src/lib/krb4/ChangeLog | 34 + src/lib/krb4/Makefile.in | 4 +- src/lib/krb4/configure.in | 3 + src/lib/krb4/err_txt.c | 13 +- src/lib/krb4/g_ad_tkt.c | 9 + src/lib/krb4/kadm_stream.c | 10 +- src/lib/krb5/asn.1/ChangeLog | 24 + src/lib/krb5/asn.1/asn1_k_decode.c | 28 +- src/lib/krb5/asn.1/asn1_k_encode.c | 14 +- src/lib/krb5/asn.1/asn1_k_encode.h | 4 +- src/lib/krb5/asn.1/krb5_decode.c | 10 + src/lib/krb5/asn.1/krb5_encode.c | 29 +- src/lib/krb5/keytab/ChangeLog | 7 + src/lib/krb5/keytab/kt_file.c | 10 +- src/lib/krb5/krb/ChangeLog | 134 ++++ src/lib/krb5/krb/auth_con.c | 54 +- src/lib/krb5/krb/auth_con.h | 4 +- src/lib/krb5/krb/chpw.c | 320 ++++++++- src/lib/krb5/krb/copy_data.c | 22 + src/lib/krb5/krb/fwd_tgt.c | 12 +- src/lib/krb5/krb/gc_frm_kdc.c | 41 +- src/lib/krb5/krb/get_in_tkt.c | 12 +- src/lib/krb5/krb/gic_keytab.c | 1 + src/lib/krb5/krb/gic_pwd.c | 4 +- src/lib/krb5/krb/init_ctx.c | 36 +- src/lib/krb5/krb/kfree.c | 21 +- src/lib/krb5/krb/mk_cred.c | 5 +- src/lib/krb5/krb/mk_priv.c | 5 +- src/lib/krb5/krb/mk_req_ext.c | 13 +- src/lib/krb5/krb/mk_safe.c | 5 +- src/lib/krb5/krb/parse.c | 9 +- src/lib/krb5/krb/preauth2.c | 217 +++--- src/lib/krb5/krb/rd_cred.c | 5 +- src/lib/krb5/krb/rd_priv.c | 5 +- src/lib/krb5/krb/rd_rep.c | 10 +- src/lib/krb5/krb/rd_req.c | 4 +- src/lib/krb5/krb/rd_req_dec.c | 12 +- src/lib/krb5/krb/rd_safe.c | 5 +- src/lib/krb5/krb/ser_actx.c | 28 +- src/lib/krb5/krb/srv_rcache.c | 3 + src/lib/krb5/krb/unparse.c | 3 +- src/lib/krb5/os/ChangeLog | 34 + src/lib/krb5/os/changepw.c | 115 ++- src/lib/krb5/os/init_os_ctx.c | 8 +- src/lib/krb5/os/read_pwd.c | 9 +- src/lib/krb5_32.def | 7 + src/lib/rpc/ChangeLog | 13 + src/lib/rpc/bindresvport.c | 2 +- src/lib/rpc/clnt_tcp.c | 2 - src/lib/rpc/svc.c | 3 +- src/lib/rpc/xdr_mem.c | 21 +- src/mac/MacOSX/Headers/Kerberos5Prefix.h | 4 +- src/mac/MacOSX/Projects/Kerberos5.pbexp | 19 +- .../Projects/Kerberos5.pbproj/project.pbxproj | 155 +---- .../MacOSX/Scripts/Kerberos5ServerBuild.jam | 88 ++- src/tests/asn.1/ChangeLog | 23 + src/tests/asn.1/krb5_decode_test.c | 247 ++++--- src/tests/asn.1/krb5_encode_test.c | 80 ++- src/tests/asn.1/ktest.c | 384 ++++++++++- src/tests/asn.1/ktest.h | 57 +- src/tests/asn.1/reference_encode.out | 2 + src/tests/asn.1/trval_reference.out | 23 + src/tests/asn.1/utility.c | 2 + src/tests/dejagnu/config/ChangeLog | 15 + src/tests/dejagnu/config/default.exp | 162 ++--- src/tests/dejagnu/krb-standalone/ChangeLog | 9 + src/tests/dejagnu/krb-standalone/v4gssftp.exp | 4 + .../dejagnu/krb-standalone/v4krb524d.exp | 4 + .../dejagnu/krb-standalone/v4standalone.exp | 5 + src/util/ChangeLog | 14 + src/util/db2/ChangeLog | 5 + src/util/db2/Makefile.in | 1 - src/util/db2/test/Makefile | 652 ------------------ src/util/et/ChangeLog | 10 + src/util/et/compile_et.c | 6 +- src/util/et/test_et.c | 6 +- src/util/reconf | 20 +- src/util/ss/ChangeLog | 4 + src/util/ss/ss.h | 3 +- src/windows/ChangeLog | 16 + src/windows/version.rc | 4 +- 164 files changed, 3828 insertions(+), 1648 deletions(-) create mode 100644 doc/krb4-xrealm.txt delete mode 100644 src/util/db2/test/Makefile diff --git a/README b/README index e161fcd70..b7eac0982 100644 --- a/README +++ b/README @@ -6,36 +6,21 @@ Unpacking the Source Distribution --------------------------------- -The source distribution of Kerberos 5 comes in three gzipped tarfiles, -krb5-1.3.src.tar.gz, krb5-1.3.doc.tar.gz, and krb5-1.3.crypto.tar.gz. -The krb5-1.3.doc.tar.gz contains the doc/ directory and this README -file. The krb5-1.3.src.tar.gz contains the src/ directory and this -README file, except for the crypto library sources, which are in -krb5-1.3.crypto.tar.gz. - -Instruction on how to extract the entire distribution follow. These -directions assume that you want to extract into a directory called -DIST. +The source distribution of Kerberos 5 comes in a gzipped tarfile, +krb5-1.3.tar.gz. Instructions on how to extract the entire +distribution follow. If you have the GNU tar program and gzip installed, you can simply do: - mkdir DIST - cd DIST - gtar zxpf krb5-1.3.src.tar.gz - gtar zxpf krb5-1.3.crypto.tar.gz - gtar zxpf krb5-1.3.doc.tar.gz + gtar zxpf krb5-1.3.tar.gz If you don't have GNU tar, you will need to get the FSF gzip distribution and use gzcat: - mkdir DIST - cd DIST - gzcat krb5-1.3.src.tar.gz | tar xpf - - gzcat krb5-1.3.crypto.tar.gz | tar xpf - - gzcat krb5-1.3.doc.tar.gz | tar xpf - + gzcat krb5-1.3.tar.gz | tar xpf - -Both of these methods will extract the sources into DIST/krb5-1.3/src -and the documentation into DIST/krb5-1.3/doc. +Both of these methods will extract the sources into krb5-1.3/src and +the documentation into krb5-1.3/doc. Building and Installing Kerberos 5 ---------------------------------- @@ -138,6 +123,27 @@ Major changes listed by ticket ID * [1189, 1251] The KfM krb4 library source base has been merged. +* [1377, 1442, 1443] The Microsoft set-password protocol has been + implemented. Thanks to Paul Nelson. + +* [1385, 1395, 1410] The krb4 protocol vulnerabilities + [MITKRB5-SA-2003-004] have been worked around. Note that this will + disable krb4 cross-realm functionality, as well as krb4 triple-DES + functionality. Please see doc/krb4-xrealm.txt for details of the + patch. + +* [1393] The xdrmem integer overflows [MITKRB5-SA-2003-003] have + been fixed. + +* [1397] The krb5_principal buffer bounds problems + [MITKRB5-SA-2003-005] have been fixed. Thanks to Nalin Dahyabhai. + +* [1415] Subsession key negotiation has been fixed to allow for + server-selected subsession keys in the future. + +* [1418, 1429, 1446, 1484, 1486, 1487] The AES cryptosystem has been + implemented. It is not usable for GSSAPI, though. + Minor changes listed by ticket ID --------------------------------- @@ -172,6 +178,11 @@ Minor changes listed by ticket ID * [771] .rconf files are excluded from the release now. +* [772] LOG_AUTHPRIV syslog facility is now usable for logging on + systems that support it. + +* [844] krshd now syslogs using the LOG_AUTH facility. + * [850] Berekely DB build is better integrated into the krb5 library build process. @@ -189,6 +200,8 @@ Minor changes listed by ticket ID * [953] des3 no longer failing on Windows due to SHA1 implementation problems. +* [970] A minor inconsistency in ccache.tex has been fixed. + * [971] option parsing bugs rendered irrelevant by removal of unused gss mechanism. @@ -211,6 +224,9 @@ Minor changes listed by ticket ID host having a large number of local network interfaces should be fixed now. +* [1064] krb5_auth_con_genaddrs() no longer inappropriately returns -1 + on some error cases. + * [1065, 1225] krb5_get_init_creds_password() should properly warn about password expiration. @@ -264,6 +280,9 @@ Minor changes listed by ticket ID * [1240] Windows calling conventions for krb5int_c_combine_keys() have been aligned. +* [1242] Build system incompatibilities with Debian's chimeric + autoconf installation have been worked around. + * [1256] Incorrect sizes passed to memset() in combine_keys() operations have been corrected. @@ -279,6 +298,8 @@ Minor changes listed by ticket ID * [1304] kadmind4 no longer leaves sa_flags uninitialized. +* [1305] Expired tickets now cause KfM to pop up a password dialog. + * [1309] krb5_send_tgs() no longer leaks the storage associated with the TGS-REQ. @@ -287,30 +308,77 @@ Minor changes listed by ticket ID * [1311] Output from krb5-config no longer contains spurious uses of $(PURE). +* [1324] The KDC no longer logs an inappropriate "no matching key" + error when an encrypted timestamp preauth password is incorrect. + +* [1342] gawk is no longer required for building kerbsrc.zip for the + Windows build. + * [1346] gss_krb5_ccache_name() no longer attempts to return a pointer to freed memory. +* [1352] GSS_C_PROT_READY_FLAG is no longer asserted inappropriately + during GSSAPI context establishment. + * [1356] krb5_gss_accept_sec_context() no longer attempts to validate a null credential if one is passed in. +* [1362] The "-a user" option to telnetd now does the right thing. + Thanks to Nathan Neulinger. + +* [1363] ksu no longer inappropriately syslogs to stderr. + * [1357] krb__get_srvtab_name() no longer leaks memory. * [1373] Handling of SAM preauth no longer attempts to stuff a size_t into an unsigned int. -[ DELETE BEFORE RELEASE ---changes to unreleased code, etc.--- ] +* [1387] BIND versions later than 8 now supported. + +* [1392] The getaddrinfo() wrapper should work better on AIX. + +* [1400] If DO_TIME is not set in the auth_context, and no replay + cache is available, no replay cache will be used. + +* [1406] libdb is no longer installed. If you installed + krb5-1.3-alpha1, you should ensure that no spurious libdb is left in + your install tree. + +* [1412] ETYPE_INFO handling no longer goes into an infinite loop. + +* [1414] libtelnet is now built using the same library build framework + as the rest of the tree. + +* [1417] A minor memory leak in krb5_read_password() has been fixed. -* [1054] KRB-CRED messages for RC4 are encrypted now. +* [1419] A memory leak in asn1_decode_kdc_req_body() has been fixed. -* [1177] krb5-1-2-2-branch merged onto trunk. +* [1435] inet_ntop() is now emulated when needed. -* [1193] Punted comment about reworking key storage architecture. +* [1439] krb5_free_pwd_sequences() now correctly frees the entire + sequence of elements. -* [1208] install-headers target implemented. +* [1440] errno is no longer explicitly declared. -* [1223] asn1_decode_oid, asn1_encode_oid implemented +* [1454] The etype-info2 preauth type is now supported. -* [1276] Generated dependencies handle --without-krb4 properly now. +* [1459] (KfM/KLL internal) config file resolution can now be + prevented from accessing the user's homedir. + +* [1463] Preauth handling in the KDC has been reorganized. + +* [1470] Double-free in client-side preauth code fixed. + +* [1473] Ticket forwarding when the TGS and the end service have + different enctypes should work somewhat better now. + +* [1474] ASN.1 testsuite memory management has been cleaned up a + little to allow for memory leak checking. + +* [1476] Documentation updated to reflect default krb4 mode. + +* [1482] RFC-1964 OIDs now provided using the suggested symbolic + names. Copyright Notice and Legal Administrivia ---------------------------------------- @@ -494,6 +562,9 @@ providing patches for numerous buffer overruns. Thanks to Christopher Thompson and Marcus Watts for discovering the ftpd security bug. +Thanks to Paul Nelson of Thursby Software Systems for implementing the +Microsoft set password protocol. + Thanks to the members of the Kerberos V5 development team at MIT, both past and present: Danilo Almeida, Jay Berkenbilt, Richard Basch, Mitch Berger, John Carr, Don Davis, Alexandra Ellwood, Nancy Gilman, Matt diff --git a/doc/ChangeLog b/doc/ChangeLog index 709c55980..484ebe1da 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog @@ -1,3 +1,23 @@ +2003-05-13 Ken Raeburn + + * definitions.texinfo: Updated DefaultSupportedEnctypes. + +2003-05-12 Sam Hartman + + * definitions.texinfo: Default v4 mode is now none + +2003-04-18 Ken Raeburn + + * definitions.texinfo (DefaultETypeList, + DefaultSupportedEnctypes): Update for AES. + * install.texinfo (Client Machine Configuration Files): Fix typo + in variable reference. + +2003-04-08 Tom Yu + + * krb4-xrealm.txt: New file. Describe the krb4 cross-realm + patchkit. Copied from 2003-004-krb4_patchkit. + 2003-02-04 Sam Hartman * krb425.texinfo (Upgrading KDCs): Note that -4 needs to be specified diff --git a/doc/api/ChangeLog b/doc/api/ChangeLog index 3728895f4..4446ccf26 100644 --- a/doc/api/ChangeLog +++ b/doc/api/ChangeLog @@ -1,3 +1,7 @@ +2003-05-09 Tom Yu + + * krb5.tex: Update subkey-related information to match code. + 2002-01-15 Sam Hartman * krb5.tex (subsubsection{Principal access functions}): krb5_princ_realm returns a pointer. diff --git a/doc/api/krb5.tex b/doc/api/krb5.tex index 1574f169b..d70910ec0 100644 --- a/doc/api/krb5.tex +++ b/doc/api/krb5.tex @@ -183,28 +183,45 @@ Retrieves the keyblock stored in \funcparam{auth_context}. The memory allocated in this function should be freed with a call to \funcname{krb5_free_keyblock}. -\begin{funcdecl}{krb5_auth_con_getlocalsubkey}{krb5_error_code}{\funcinout} +\begin{funcdecl}{krb5_auth_con_getrecvsubkey}{krb5_error_code}{\funcinout} \funcarg{krb5_context}{context} \funcarg{krb5_auth_context}{auth_context} \funcout \funcarg{krb5_keyblock **}{keyblock} \end{funcdecl} -Retrieves the local_subkey keyblock stored in +Retrieves the recv\_subkey keyblock stored in \funcparam{auth_context}. The memory allocated in this function should be freed with a call to \funcname{krb5_free_keyblock}. -\begin{funcdecl}{krb5_auth_con_getremotesubkey}{krb5_error_code}{\funcinout} +\begin{funcdecl}{krb5_auth_con_getsendsubkey}{krb5_error_code}{\funcinout} \funcarg{krb5_context}{context} \funcarg{krb5_auth_context}{auth_context} \funcout \funcarg{krb5_keyblock **}{keyblock} \end{funcdecl} -Retrieves the remote_subkey keyblock stored in +Retrieves the send\_subkey keyblock stored in \funcparam{auth_context}. The memory allocated in this function should be freed with a call to \funcname{krb5_free_keyblock}. +\begin{funcdecl}{krb5_auth_con_setrecvsubkey}{krb5_error_code}{\funcinout} +\funcarg{krb5_context}{context} +\funcarg{krb5_auth_context}{auth_context} +\funcout +\funcarg{krb5_keyblock *}{keyblock} +\end{funcdecl} + +Sets the recv\_subkey keyblock stored in \funcparam{auth_context}. + +\begin{funcdecl}{krb5_auth_con_setsendsubkey}{krb5_error_code}{\funcinout} +\funcarg{krb5_context}{context} +\funcarg{krb5_auth_context}{auth_context} +\funcout +\funcarg{krb5_keyblock *}{keyblock} +\end{funcdecl} + +Sets the send\_subkey keyblock stored in \funcparam{auth_context}. \begin{funcdecl}{krb5_auth_setcksumtype}{krb5_error_code}{\funcinout} \funcarg{krb5_context}{context} @@ -1508,9 +1525,9 @@ Parses a KRB_SAFE message from \funcparam{inbuf}, placing the data in \funcparam{*outbuf} after verifying its integrity. The keyblock used for verifying the integrity of the message is taken -from the \funcparam{auth_context} local_subkey, remote_subkey, or -keyblock. The keyblock is chosen in the above order by the first one -which is not NULL. +from the \funcparam{auth_context} recv\_subkey or keyblock. The +keyblock is chosen in the above order by the first one which is not +NULL. The remote_addr and localaddr portions of the \funcparam{*auth_context} specify the full addresses (host and port) of the sender and receiver, diff --git a/doc/definitions.texinfo b/doc/definitions.texinfo index 1acf0f4d0..8cfb8571b 100644 --- a/doc/definitions.texinfo +++ b/doc/definitions.texinfo @@ -43,7 +43,7 @@ default was set. the following should be consistent with the variables set in krb5/src/lib/krb5/krb/init_ctx.c @end ignore -@set DefaultETypeList des3-cbc-sha1 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4 +@set DefaultETypeList aes256-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4 @comment DEFAULT_ETYPE_LIST @set DefaultDefaultTgsEnctypes @value{DefaultETypeList} @set DefaultDefaultTktEnctypes @value{DefaultETypeList} @@ -146,7 +146,7 @@ krb5/src/appl/bsd/login.c the following defaults should be consistent with the values set in krb5/src/kdc/kerberos_v4 @end ignore -@set DefaultV4Mode nopreauth +@set DefaultV4Mode none @comment KDC_V4_DEFAULT_MODE @ignore diff --git a/doc/install.texinfo b/doc/install.texinfo index b105435e2..c9f2df6a3 100644 --- a/doc/install.texinfo +++ b/doc/install.texinfo @@ -1059,8 +1059,8 @@ kerberos @value{DefaultPort}/udp kdc # Kerberos V5 KDC kerberos @value{DefaultPort}/tcp kdc # Kerberos V5 KDC klogin @value{DefaultKloginPort}/tcp # Kerberos authenticated rlogin kshell @value{DefaultKshellPort}/tcp cmd # and remote shell -kerberos-adm @value{DefaultKamdindPort}/tcp # Kerberos 5 admin/changepw -kerberos-adm @value{DefaultKamdindPort}/udp # Kerberos 5 admin/changepw +kerberos-adm @value{DefaultKadmindPort}/tcp # Kerberos 5 admin/changepw +kerberos-adm @value{DefaultKadmindPort}/udp # Kerberos 5 admin/changepw krb5_prop @value{DefaultKrbPropPort}/tcp # Kerberos slave propagation @c kpop 1109/tcp # Pop with Kerberos eklogin @value{DefaultEkloginPort}/tcp # Kerberos auth. & encrypted rlogin diff --git a/doc/krb4-xrealm.txt b/doc/krb4-xrealm.txt new file mode 100644 index 000000000..f8c4566e5 --- /dev/null +++ b/doc/krb4-xrealm.txt @@ -0,0 +1,143 @@ +The following text was taken from the patchkit disabling cross-realm +authentication and triple-DES in krb4. + +PATCH KIT DESCRIPTION +===================== + +** FLAG DAY REQUIRED ** + +One of the things we decided to do (and must do for security reasons) +was drop support for the 3DES krb4 TGTs. Unfortunately the current +code will only accept 3DES TGTs if it issues 3DES TGTs. Since the new +code issues only DES TGTs, the old code will not understand its v4 +TGTs if the site has a 3DES key available for the krbtgt principal. +The new code will understand and accept both DES and 3DES v4 TGTs. + +So, the easiest upgrade option is to deploy the code on all KDCs at +once, being sure to deploy it on the master KDC last. Under this +scenario, a brief window exists where slaves may be able to issue +tickets that the master will not understand. However, the slaves will +understand tickets issued by the master throughout the upgrade. + +An alternate and more annoying upgrade strategy exists. At least one +max TGT life time before the upgrade, the TGT key can be changed to be +a single-des key. Since we support adding a new TGT key while +preserving the old one, this does not create an interruption in +service. Since no 3DES key is available then both the old and new +code will issue and accept DES v4 TGTs. After the upgrade, the TGT +key can again be rekeyed to add 3DES keys. This does require two TGT +key changes and creates a window where DES is used for the v5 TGT, but +creates no window in which slaves will issue TGTs the master cannot +accept. + +* What the patch does +===================== + +1) Kerberos 4 cross-realm authentication is disabled by default. A + "-X" switch is added to both krb524d and krb5kdc to enable v4 + cross-realm. This switch logs a note that a security hole has been + opened in the KDC log. We said while designing the patch, that we + were going to try to allow per-realm configuration; because of a + design problem in the kadm5 library, we could not do this without + bumping the ABI version of that library. We are unwilling to bump + an ABI version in a security patch release to get that feature, so + the configuration of v4 cross-realm is a global switch. + +2) Code responsible for v5 TGTs has been changed to require that the + enctype of the ticket service key be the same as the enctype that + would currently be issued for that kvno. This means that even if a + service has multiple keys, you cannot use a weak key to fake the + KDC into accepting tickets for that service. If you have a non-DES + TGT key, this separates keys used for v4 and v5. We actually relax + this requirement for cross-realm TGT keys (which in the new code + are only used for v5) because we cannot guarantee other Kerberos + implementations will choose keys the same way. + +3) We no longer issue 3DES v4 tickets either in the KDC or krb524d. + We add code to accept either DES or 3DES tickets for v4. None of + the attacks discovered so far can be implemented given a KDC that + accepts but does not issue 3DES tickets, so we believe that leaving + this functionality in as compatibility for a version or two is + reasonable. Note however that the attacks described do allow + successful attackers to print future tickets, so sites probably + want to rekey important keys after installing this update. Note + also that even if issuance of 3DES v4 tickets has been disabled, + outstanding tickets may be used to perform the 3DES cut-and-paste + attack. + +* Test Cases +============ + +This code is difficult to test for two reasons. First, you need a +cross-realm relationship between two KDCs. Secondly, you need a KDC +that will issue 3DES v4 tickets even though the code with the patch +applied can no longer do this. + +I propose to meet these requirements by setting up a cross-realm 3DES +key between a realm I control and the test environment. In order to +provide concrete examples of what I plan to test with the automated +tests, I assume a shared key between a realm PREPATCH.KRBTEST.COM and the +test realm PATCH. + +In all of the following tests I assume the following configuration. +A principal v4test@PREPATCH.KRBTEST.COM exists with known password and +without requiring preauthentication. The PREPATCH.KRBTEST.COM KDC will +issue v4 tickets for this principal. A principal test@PATCH exists +with known password and without requiring preauthentication. A +principal service@PATCH exists. The TGT for the PATCH realm has a +3des and des key. The shared TGT keys between PATCH and +PREPATCH.KRBTEST.COM are identical in both directions (required for v4) and +support both 3DES and DES keys. + +1) Run krb524d and krb5kdc for PATCH with no special options using a + krb5.conf without permitted_enctypes (fully permissive). + + +A) Get v4 tickets as v4test@PREPATCH.KRBTEST.COM. Confirm that kvno -4 +service@PATCH fails with an unknown principal error and logs an error +about cross-realm being denied to the PATCH KDC log. This confirms +that v4 cross-realm is not accepted. + +B) Get v5 tickets as v4test@PREPATCH.KRBTEST.COM. Confirm that krb524init +-p service@PATCH fails with a prohibited by policy error, but that +klist -5 includes a ticket for service@PATCH. This confirms that v5 +cross-realm works but the krb524d denies converting such a ticket into +a cross-realm ticket. Note that the krb524init currently in the +mainline source tree will not be useful for this test because the +client denies cross-realm for the simple reason that the v4 ticket +file format is not flexible enough to support it. The krb524init in +the 1.2.x release is useful for this test. + + +2) Restart the krb5kdc and krb524d for PATCH with the -X option + enabling v4 cross-realm. + +A) Confirm that the security warning is written to kdc.log. + +B) Get v4 tickets as v4test@PREPATCH.KRBTEST.COM. Confirm that kvno -4 +service@PATCH works and leaves a service@PATCH ticket in the cache. +This confirms that v4 cross-realm works in the KDC. It also confirms +that the KDC can accept 3DES v4 TGTs. The code path for decrypting a +TGT is the same for the local realm and for foreign realms, so I don't +see a need to test local 3DES TGTs in an automated manner although I +did test it manually. + +C) Get v5 tickets as v4test@PREPATCH.KRBTEST.COM. Confirm that krb524init +-p service@PATCH works. This confirms that krb524d will issue +cross-realm tickets. They're completely useless because the v4 ticket +file can't represent them, but that's not our problem today. + +3) Start the kdc and krb524d with a krb5.conf that includes + permitted_enctypes only listing des-cbc-crc. Get tickets as + test@PATCH. Restart the KDC and confirm that kvno service fails + logging an error about permitted enctypes. This confirms that if + you manage to obtain a ticket of the wrong enctype it will not be + accepted later. + +These tests do not check to make sure that 3DES tickets are not +issued by the v4 code. I'm fairly certain that is true as I've +physically remove the calls to the routine that generates 3DES tickets +from the code in both the KDC and krb524d. These tests also do not +check to make sure that cross-realm TGTs are not required to follow +the strict enctype policy. I've tested that manually but don't know +how to test that without significantly complicating the test setup. diff --git a/src/ChangeLog b/src/ChangeLog index 6f18978f5..c87b8fa99 100644 --- a/src/ChangeLog +++ b/src/ChangeLog @@ -1,3 +1,39 @@ +2003-04-24 Ken Raeburn + + * aclocal.m4: Require autoconf 2.52 only. + +2003-04-23 Ken Raeburn + + * aclocal.m4: Require autoconf 2.53. + (CONFIG_RULES): Always set AUTOCONFINCFLAGS to --include. + +2003-04-10 Tom Yu + + * aclocal.m4: Revert requrement of autoconf-2.53, since MacOS X + doesn't have it. + +2003-04-01 Tom Yu + + * aclocal.m4 (KRB5_AC_CHOOSE_DB): Set new variable KDB5_DB_LIB to + empty if using in-tree db. It is now used to pass -ldb to link + commands, if needed, when linking programs with libkdb5. DB_LIB + is now only used for programs that explicitly need the actual + libdb independently of libkdb5. + + * krb5-config.in: Use $KDB5_DB_LIB instead of "-ldb" for kdb + libraries. + +2003-03-31 Tom Yu + + * aclocal.m4: Require autoconf-2.53, since 2.52 generates + configure scripts that NetBSD /bin/sh doesn't like. + +2003-03-18 Alexandra Ellwood + + * aclocal.m4: Define KRB5_AC_NEED_BIND_8_COMPAT to check for bind 9 + and higher. When bind 9 is present, BIND_8_COMPAT needs to be defined to + get bind 8 types. + 2003-03-12 Tom Yu * Makefile.in (AWK): Default to awk, not gawk. User can override diff --git a/src/aclocal.m4 b/src/aclocal.m4 index 3a0895f71..1a7c11b3c 100644 --- a/src/aclocal.m4 +++ b/src/aclocal.m4 @@ -79,9 +79,7 @@ dnl else AUTOCONFFLAGS= AUTOHEADER=autoheader AUTOHEADERFLAGS= -dnl Autoconf 2.54+ use --include, --localdir is obsolete and removed -ifdef([AC_MSG_FAILURE], AUTOCONFINCFLAGS="--include", dnl - AUTOCONFINCFLAGS="--localdir") + AUTOCONFINCFLAGS="--include" dnl fi AC_SUBST(AUTOCONF) AC_SUBST(AUTOCONFFLAGS) @@ -1506,16 +1504,41 @@ if test "x$with_system_db" = xyes ; then else DB_HEADER_VERSION=redirect fi + KDB5_DB_LIB="$DB_LIB" else DB_VERSION=k5 AC_DEFINE(HAVE_BT_RSEQ,1,[Define if bt_rseq is available, for recursive btree traversal.]) DB_HEADER=db.h DB_HEADER_VERSION=k5 + # libdb gets sucked into libkdb + KDB5_DB_LIB= + # needed for a couple of things that need libdb for its own sake DB_LIB=-ldb fi AC_SUBST(DB_VERSION) AC_SUBST(DB_HEADER) AC_SUBST(DB_HEADER_VERSION) AC_SUBST(DB_LIB) +AC_SUBST(KDB5_DB_LIB) +]) +dnl +dnl +dnl KRB5_AC_NEED_BIND_8_COMPAT --- check to see if we are on a bind 9 system +dnl +dnl +AC_DEFUN(KRB5_AC_NEED_BIND_8_COMPAT,[ +AC_REQUIRE([AC_PROG_CC])dnl +dnl +dnl On a bind 9 system, we need to define BIND_8_COMPAT +dnl +AC_MSG_CHECKING(for bind 9 or higher) +AC_CACHE_VAL(krb5_cv_need_bind_8_compat,[ +AC_TRY_COMPILE([#include ], [HEADER hdr;], +krb5_cv_need_bind_8_compat=no, +[AC_TRY_COMPILE([#define BIND_8_COMPAT +#include ], [HEADER hdr;], +krb5_cv_need_bind_8_compat=yes, krb5_cv_need_bind_8_compat=no)])]) +AC_MSG_RESULT($krb5_cv_need_bind_8_compat) +test $krb5_cv_need_bind_8_compat = yes && AC_DEFINE(BIND_8_COMPAT,1,[Define if OS has bind 9]) ]) dnl diff --git a/src/appl/bsd/ChangeLog b/src/appl/bsd/ChangeLog index 303400170..3bf182121 100644 --- a/src/appl/bsd/ChangeLog +++ b/src/appl/bsd/ChangeLog @@ -1,3 +1,20 @@ +2003-05-09 Tom Yu + + * krcp.c (main): Rename getlocalsubkey -> getsendsubkey. + + * krlogin.c (main): Rename getlocalsubkey -> getsendsubkey. + + * krlogind.c (recvauth): Rename getremotesubkey -> getrecvsubkey. + + * krsh.c (main): Rename getlocalsubkey -> getsendsubkey. + + * krshd.c (recvauth): Rename getremotesubkey -> getrecvsubkey. + +2003-04-08 Ken Raeburn + + * krshd.c (main): Use LOG_AUTH syslog facility, not LOG_DAEMON, + for consistency with krlogind.c. + 2003-03-04 Ken Raeburn * compat_recv.c: Only include krb.h if KRB5_KRB4_COMPAT. diff --git a/src/appl/bsd/krcp.c b/src/appl/bsd/krcp.c index 5ad6a25a1..707985a5a 100644 --- a/src/appl/bsd/krcp.c +++ b/src/appl/bsd/krcp.c @@ -480,9 +480,9 @@ int main(argc, argv) try_normal(orig_argv); /* doesn't return */ if (!similar) { - status = krb5_auth_con_getlocalsubkey (bsd_context, - auth_context, - &key); + status = krb5_auth_con_getsendsubkey (bsd_context, + auth_context, + &key); if ((status || !key) && encryptflag) try_normal(orig_argv); } @@ -599,9 +599,9 @@ int main(argc, argv) krb5_keyblock *key = &cred->keyblock; if (kcmd_proto == KCMD_NEW_PROTOCOL) { - status = krb5_auth_con_getlocalsubkey (bsd_context, - auth_context, - &key); + status = krb5_auth_con_getsendsubkey (bsd_context, + auth_context, + &key); if (status) { com_err (argv[0], status, "determining subkey for session"); diff --git a/src/appl/bsd/krlogin.c b/src/appl/bsd/krlogin.c index c497dc2fb..a1e63a645 100644 --- a/src/appl/bsd/krlogin.c +++ b/src/appl/bsd/krlogin.c @@ -702,8 +702,8 @@ main(argc, argv) if (kcmd_proto == KCMD_NEW_PROTOCOL) { do_inband = 1; - status = krb5_auth_con_getlocalsubkey (bsd_context, auth_context, - &key); + status = krb5_auth_con_getsendsubkey (bsd_context, auth_context, + &key); if ((status || !key) && encrypt_flag) try_normal(orig_argv); } diff --git a/src/appl/bsd/krlogind.c b/src/appl/bsd/krlogind.c index 82e560143..d2979e141 100644 --- a/src/appl/bsd/krlogind.c +++ b/src/appl/bsd/krlogind.c @@ -1537,7 +1537,7 @@ recvauth(valid_checksum) return status; key = 0; - status = krb5_auth_con_getremotesubkey (bsd_context, auth_context, &key); + status = krb5_auth_con_getrecvsubkey (bsd_context, auth_context, &key); if (status) fatal (netf, "Server can't get session subkey"); if (!key && do_encrypt && kcmd_proto == KCMD_NEW_PROTOCOL) diff --git a/src/appl/bsd/krsh.c b/src/appl/bsd/krsh.c index 3f8273ec0..bd9c20572 100644 --- a/src/appl/bsd/krsh.c +++ b/src/appl/bsd/krsh.c @@ -411,8 +411,8 @@ main(argc, argv0) krb5_keyblock *key = &cred->keyblock; if (kcmd_proto == KCMD_NEW_PROTOCOL) { - status = krb5_auth_con_getlocalsubkey (bsd_context, auth_context, - &key); + status = krb5_auth_con_getsendsubkey (bsd_context, auth_context, + &key); if (status) { com_err (argv[0], status, "determining subkey for session"); exit (1); diff --git a/src/appl/bsd/krshd.c b/src/appl/bsd/krshd.c index 2a67b7613..d625d8bd9 100644 --- a/src/appl/bsd/krshd.c +++ b/src/appl/bsd/krshd.c @@ -303,10 +303,10 @@ int main(argc, argv) #ifndef LOG_ODELAY /* 4.2 syslog */ openlog(progname, LOG_PID); #else -#ifndef LOG_DAEMON -#define LOG_DAEMON 0 +#ifndef LOG_AUTH +#define LOG_AUTH 0 #endif - openlog(progname, LOG_PID | LOG_ODELAY, LOG_DAEMON); + openlog(progname, LOG_PID | LOG_ODELAY, LOG_AUTH); #endif /* 4.2 syslog */ #ifdef KERBEROS @@ -1962,8 +1962,8 @@ recvauth(netfd, peersin, valid_checksum) { krb5_keyblock *key; - status = krb5_auth_con_getremotesubkey (bsd_context, auth_context, - &key); + status = krb5_auth_con_getrecvsubkey (bsd_context, auth_context, + &key); if (status) fatal (netfd, "Server can't get session subkey"); if (!key && do_encrypt && kcmd_proto == KCMD_NEW_PROTOCOL) diff --git a/src/appl/gssftp/ftpd/ChangeLog b/src/appl/gssftp/ftpd/ChangeLog index c940e015c..9b480c514 100644 --- a/src/appl/gssftp/ftpd/ChangeLog +++ b/src/appl/gssftp/ftpd/ChangeLog @@ -1,3 +1,7 @@ +2003-04-23 Ken Raeburn + + * ftpd.c: Don't declare errno. + 2003-01-03 Ken Raeburn * ftpd.c (auth_data): Kerberos v4 checksum must be a 32-bit diff --git a/src/appl/gssftp/ftpd/ftpd.c b/src/appl/gssftp/ftpd/ftpd.c index 7fd78991e..c6d3ee0d3 100644 --- a/src/appl/gssftp/ftpd/ftpd.c +++ b/src/appl/gssftp/ftpd/ftpd.c @@ -170,7 +170,6 @@ int have_creds; /* User has credentials on disk */ #include "ftpd_var.h" #include "secure.h" -extern int errno; extern char *crypt(); extern char version[]; extern char *home; /* pointer to home directory for glob */ diff --git a/src/appl/telnet/libtelnet/ChangeLog b/src/appl/telnet/libtelnet/ChangeLog index 899927446..4f9de7ade 100644 --- a/src/appl/telnet/libtelnet/ChangeLog +++ b/src/appl/telnet/libtelnet/ChangeLog @@ -1,3 +1,29 @@ +2003-05-09 Tom Yu + + * kerberos5.c (kerberos5_send): Rename getlocalsubkey -> + getsendsubkey. + (kerberos5_is): Rename getremotesubkey -> getrecvsubkey. + +2003-04-10 Tom Yu + + * Makefile.in: Use library build framework. + + * configure.in: Add support for library build framework. Remove + old explicit checks for ranlib, etc. + +2003-04-09 Tom Yu + + * kerberos.c (kerberos4_status): Always copy in username if + present. Patch from Nathan Neulinger to make "-a user" work. + + * kerberos5.c (kerberos5_status): Always copy in username if + present. Patch from Nathan Neulinger to make "-a user" work. + +2003-04-01 Nalin Dahyabhai + + * kerberos5.c (kerberos5_is): Check principal name length before + examining components. + 2003-01-07 Ken Raeburn * Makefile.orig: Deleted. diff --git a/src/appl/telnet/libtelnet/Makefile.in b/src/appl/telnet/libtelnet/Makefile.in index 93986e005..cad5d5f54 100644 --- a/src/appl/telnet/libtelnet/Makefile.in +++ b/src/appl/telnet/libtelnet/Makefile.in @@ -32,7 +32,12 @@ LIBOBJS=@LIBOBJS@ SETENVSRC=@SETENVSRC@ SETENVOBJ=@SETENVOBJ@ -LIB= libtelnet.a +LIB=telnet +LIBMAJOR=0 +LIBMINOR=0 +RELDIR=../../../appl/telnet/libtelnet +STOBJLISTS=OBJS.ST + SRCS= $(srcdir)/auth.c \ $(srcdir)/encrypt.c \ $(srcdir)/genget.c \ @@ -52,20 +57,15 @@ SRCS= $(srcdir)/auth.c \ $(srcdir)/strftime.c \ $(srcdir)/strerror.c -OBJS= auth.o encrypt.o genget.o \ +STLIBOBJS= auth.o encrypt.o genget.o \ misc.o kerberos.o kerberos5.o forward.o spx.o enc_des.o \ $(LIBOBJS) getent.o $(SETENVOBJ) TELNET_H= $(srcdir)/../arpa/telnet.h -all:: $(LIB) -$(LIB): $(OBJS) - $(RM) $(LIB) - $(ARADD) $@ $(OBJS) - $(RANLIB) $@ +all:: all-libs -clean:: - $(RM) $(LIB) +clean:: clean-libs clean-libobjs auth.o: $(TELNET_H) auth.o: encrypt.h @@ -88,6 +88,10 @@ enc_des.o: encrypt.h enc_des.o: key-proto.h enc_des.o: misc-proto.h install:: + +# @lib_frag@ +# @libobj_frag@ + # +++ Dependency line eater +++ # # Makefile dependencies follow. This must be the last section in diff --git a/src/appl/telnet/libtelnet/configure.in b/src/appl/telnet/libtelnet/configure.in index 8f2434eaa..8767cd7d0 100644 --- a/src/appl/telnet/libtelnet/configure.in +++ b/src/appl/telnet/libtelnet/configure.in @@ -1,8 +1,5 @@ AC_INIT(auth.c) CONFIG_RULES -AC_PROG_ARCHIVE -AC_PROG_ARCHIVE_ADD -AC_PROG_RANLIB AC_REPLACE_FUNCS([strcasecmp strdup setsid strerror strftime getopt herror parsetos]) AC_CHECK_FUNCS(setenv unsetenv getenv gettosbyname cgetent) AC_CHECK_HEADERS(stdlib.h string.h unistd.h) @@ -23,4 +20,6 @@ else AC_MSG_RESULT(Kerberos 4 authentication enabled) AC_DEFINE(KRB4) fi +KRB5_BUILD_LIBRARY_STATIC +KRB5_BUILD_LIBOBJS V5_AC_OUTPUT_MAKEFILE diff --git a/src/appl/telnet/libtelnet/kerberos.c b/src/appl/telnet/libtelnet/kerberos.c index 56a073191..8d4c7f330 100644 --- a/src/appl/telnet/libtelnet/kerberos.c +++ b/src/appl/telnet/libtelnet/kerberos.c @@ -612,10 +612,17 @@ kerberos4_status(ap, kname, level) if (level < AUTH_USER) return(level); - if (UserNameRequested && !kuserok(&adat, UserNameRequested)) { + /* + * Always copy in UserNameRequested if the authentication + * is valid, because the higher level routines need it. + */ + if (UserNameRequested) { /* the name buffer comes from telnetd/telnetd{-ktd}.c */ strncpy(kname, UserNameRequested, 255); name[255] = '\0'; + } + + if (UserNameRequested && !kuserok(&adat, UserNameRequested)) { return(AUTH_VALID); } else return(AUTH_USER); diff --git a/src/appl/telnet/libtelnet/kerberos5.c b/src/appl/telnet/libtelnet/kerberos5.c index 3a1c8f24e..ad36aedda 100644 --- a/src/appl/telnet/libtelnet/kerberos5.c +++ b/src/appl/telnet/libtelnet/kerberos5.c @@ -327,7 +327,7 @@ kerberos5_send(ap) &check_data, new_creds, &auth); #ifdef ENCRYPTION - krb5_auth_con_getlocalsubkey(telnet_context, auth_context, &newkey); + krb5_auth_con_getsendsubkey(telnet_context, auth_context, &newkey); if (session_key) { krb5_free_keyblock(telnet_context, session_key); session_key = 0; @@ -446,6 +446,10 @@ kerberos5_is(ap, data, cnt) * first component of a service name especially since * the default is of length 4. */ + if (krb5_princ_size(telnet_context,ticket->server) < 1) { + (void) strcpy(errbuf, "malformed service name"); + goto errout; + } if (krb5_princ_component(telnet_context,ticket->server,0)->length < 256) { char princ[256]; strncpy(princ, @@ -548,7 +552,7 @@ kerberos5_is(ap, data, cnt) if (name) free(name); - krb5_auth_con_getremotesubkey(telnet_context, auth_context, + krb5_auth_con_getrecvsubkey(telnet_context, auth_context, &newkey); if (session_key) { krb5_free_keyblock(telnet_context, session_key); @@ -727,13 +731,20 @@ kerberos5_status(ap, name, level) if (level < AUTH_USER) return(level); + /* + * Always copy in UserNameRequested if the authentication + * is valid, because the higher level routines need it. + * the name buffer comes from telnetd/telnetd{-ktd}.c + */ + if (UserNameRequested) { + strncpy(name, UserNameRequested, 255); + name[255] = '\0'; + } + if (UserNameRequested && krb5_kuserok(telnet_context, ticket->enc_part2->client, UserNameRequested)) { - /* the name buffer comes from telnetd/telnetd{-ktd}.c */ - strncpy(name, UserNameRequested, 255); - name[255] = '\0'; return(AUTH_VALID); } else return(AUTH_USER); diff --git a/src/appl/telnet/telnet/ChangeLog b/src/appl/telnet/telnet/ChangeLog index bcc361750..60f9bf1f0 100644 --- a/src/appl/telnet/telnet/ChangeLog +++ b/src/appl/telnet/telnet/ChangeLog @@ -1,3 +1,7 @@ +2003-04-23 Ken Raeburn + + * externs.h: Don't declare errno. + 2003-01-07 Ken Raeburn * Makefile.orig: Deleted. diff --git a/src/appl/telnet/telnet/externs.h b/src/appl/telnet/telnet/externs.h index 65a1c67c0..dccb424f0 100644 --- a/src/appl/telnet/telnet/externs.h +++ b/src/appl/telnet/telnet/externs.h @@ -111,10 +111,6 @@ extern char *malloc(), *calloc(), *realloc(); #define SUBBUFSIZE 256 -#ifndef CRAY -extern int errno; /* outside this world */ -#endif /* !CRAY */ - extern int autologin, /* Autologin enabled */ skiprc, /* Don't process the ~/.telnetrc file */ diff --git a/src/appl/telnet/telnetd/ChangeLog b/src/appl/telnet/telnetd/ChangeLog index c380d11f8..b343e9cc0 100644 --- a/src/appl/telnet/telnetd/ChangeLog +++ b/src/appl/telnet/telnetd/ChangeLog @@ -1,3 +1,7 @@ +2003-04-23 Ken Raeburn + + * telnetd.h: Don't declare errno. + 2003-01-09 Ken Raeburn * telnetd.c (main): Use socklen_t when passing address to socket diff --git a/src/appl/telnet/telnetd/telnetd.h b/src/appl/telnet/telnetd/telnetd.h index 234b9739e..f21f617e5 100644 --- a/src/appl/telnet/telnetd/telnetd.h +++ b/src/appl/telnet/telnetd/telnetd.h @@ -45,5 +45,4 @@ /* other external variables */ extern char **environ; -extern int errno; diff --git a/src/clients/ksu/ChangeLog b/src/clients/ksu/ChangeLog index 44415a033..17a1dffe8 100644 --- a/src/clients/ksu/ChangeLog +++ b/src/clients/ksu/ChangeLog @@ -1,3 +1,10 @@ +2003-04-01 Nalin Dahyabhai + + * heuristic.c (get_closest_principal): Don't try to examine + principal name components after the last. + * krb_auth_su.c (get_best_principal): Check principal name length + before examining components. + 2002-12-23 Ezra Peisach * authorization.c, heuristic.c, ksu.h: Use uid_t instead of int in diff --git a/src/clients/ksu/heuristic.c b/src/clients/ksu/heuristic.c index c79f94369..85b94b5e2 100644 --- a/src/clients/ksu/heuristic.c +++ b/src/clients/ksu/heuristic.c @@ -364,7 +364,7 @@ krb5_error_code get_closest_principal(context, plist, client, found) krb5_data *p2 = krb5_princ_component(context, temp_client, j); - if ((p1->length != p2->length) || + if (!p1 || !p2 || (p1->length != p2->length) || memcmp(p1->data,p2->data,p1->length)){ got_one = FALSE; break; diff --git a/src/clients/ksu/krb_auth_su.c b/src/clients/ksu/krb_auth_su.c index 6e76149c1..8e1834240 100644 --- a/src/clients/ksu/krb_auth_su.c +++ b/src/clients/ksu/krb_auth_su.c @@ -547,7 +547,9 @@ krb5_error_code get_best_principal(context, plist, client) krb5_princ_realm(context, temp_client)->length))){ - if(nelem){ + if (nelem && + krb5_princ_size(context, *client) > 0 && + krb5_princ_size(context, temp_client) > 0) { krb5_data *p1 = krb5_princ_component(context, *client, 0); krb5_data *p2 = diff --git a/src/config/ChangeLog b/src/config/ChangeLog index 7a0623513..28192ddc3 100644 --- a/src/config/ChangeLog +++ b/src/config/ChangeLog @@ -1,3 +1,15 @@ +2003-04-24 Ken Raeburn + + * post.in (configure): Try running autoconf with --include, and if + that doesn't work, try --localdir. Don't use AUTOCONFINCFLAGS. + +2003-04-01 Tom Yu + + * pre.in (KDB5_DEPLIBS): Don't depend on $(DB_DEPLIB) anymore. + (KDB5_DB_LIB): New variable; is empty if not building with system + libdb. + (KDB5_LIBS): Use $(KDB5_DB_LIB) instead of $(DB_LIB). + 2003-03-03 Tom Yu * libobj.in: Change .c.so and .c.po rules to use ALL_CFLAGS. diff --git a/src/config/post.in b/src/config/post.in index 2c49dd304..0a14ce852 100644 --- a/src/config/post.in +++ b/src/config/post.in @@ -149,7 +149,8 @@ $(srcdir)/$(thisconfigdir)/configure: $(srcdir)/$(thisconfigdir)/configure.in \ $(SRCTOP)/aclocal.m4 -$(RM) -r $(srcdir)/$(thisconfigdir)/autom4te.cache cd $(srcdir)/$(thisconfigdir) && \ - $(AUTOCONF) ${AUTOCONFINCFLAGS}=$(CONFIG_RELTOPDIR) $(AUTOCONFFLAGS) + ($(AUTOCONF) --include=$(CONFIG_RELTOPDIR) $(AUTOCONFFLAGS) || \ + $(AUTOCONF) --localdir=$(CONFIG_RELTOPDIR) $(AUTOCONFFLAGS)) -$(RM) -r $(srcdir)/$(thisconfigdir)/autom4te.cache RECURSE_TARGETS=all-recurse clean-recurse distclean-recurse install-recurse \ diff --git a/src/config/pre.in b/src/config/pre.in index c36b4ee8b..b3bdec715 100644 --- a/src/config/pre.in +++ b/src/config/pre.in @@ -296,7 +296,7 @@ PTY_DEPLIB = $(TOPLIBD)/libpty.a KRB5_BASE_DEPLIBS = $(KRB5_DEPLIB) $(CRYPTO_DEPLIB) $(COM_ERR_DEPLIB) KRB4COMPAT_DEPLIBS = $(KRB4_DEPLIB) $(DES425_DEPLIB) $(KRB5_BASE_DEPLIBS) -KDB5_DEPLIBS = $(KDB5_DEPLIB) $(DB_DEPLIB) +KDB5_DEPLIBS = $(KDB5_DEPLIB) GSS_DEPLIBS = $(GSS_DEPLIB) GSSRPC_DEPLIBS = $(GSSRPC_DEPLIB) $(GSS_DEPLIBS) KADM_COMM_DEPLIBS = $(GSSRPC_DEPLIBS) $(KDB5_DEPLIBS) $(GSSRPC_DEPLIBS) @@ -338,6 +338,7 @@ SS_LIB-sys = @SS_LIB@ SS_LIB-k5 = $(TOPLIBD)/libss.a KDB5_LIB = -lkdb5 DB_LIB = @DB_LIB@ +KDB5_DB_LIB = @KDB5_DB_LIB@ KRB5_LIB = -lkrb5 K5CRYPTO_LIB = -lk5crypto @@ -361,7 +362,7 @@ HESIOD_LIBS = @HESIOD_LIBS@ KRB5_BASE_LIBS = $(KRB5_LIB) $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(GEN_LIB) $(LIBS) KRB4COMPAT_LIBS = $(KRB4_LIB) $(DES425_LIB) $(KRB5_BASE_LIBS) -KDB5_LIBS = $(KDB5_LIB) $(DB_LIB) +KDB5_LIBS = $(KDB5_LIB) $(KDB5_DB_LIB) GSS_LIBS = $(GSS_KRB5_LIB) # needs fixing if ever used on Mac OS X! GSSRPC_LIBS = -lgssrpc $(GSS_LIBS) diff --git a/src/include/ChangeLog b/src/include/ChangeLog index a8e7726f5..416ac2b52 100644 --- a/src/include/ChangeLog +++ b/src/include/ChangeLog @@ -1,3 +1,74 @@ +2003-05-13 Sam Hartman + + * k5-int.h: Add krb5int_copy_data_contents + +2003-05-08 Sam Hartman + + * krb5.hin: Add prototype for krb5_c_string_to_key_with_params + + * k5-int.h: Add s2kparams to krb5_gic_get_as_key_fct + +2003-05-07 Sam Hartman + + * krb5.hin: Add KRB5_PADATA_ETYPE_INFO2 + +2003-05-09 Ken Raeburn + + * k5-int.h (struct _krb5_context): New fields conf_tgs_ktypes, + conf_tgs_ktypes_count, use_conf_ktypes. + +2003-05-09 Tom Yu + + * krb5.hin: Add krb5_auth_con_getsendsubkey, + krb5_auth_con_getrecvsubkey, krb5_auth_con_setsendsubkey, + krb5_auth_con_setrecvsubkey. Mark krb5_auth_con_getlocalsubkey + and krb5_auth_con_getremotesubkey as deprecated. + +2003-05-06 Sam Hartman + + * k5-int.h: Add s2kparams to + krb5_etype_info_entry + Add encode_etype_info2 and decode_etype_info2 + +2003-05-02 Ken Raeburn + + * port-sockets.h (inet_ntop) [!_WIN32 && !HAVE_MACSOCK_H]: Define + as a macro if not provided by the OS. + +2003-04-17 Sam Hartman + + * k5-int.h: Add encode_krb5_setpw_req + +2003-04-15 Sam Hartman + + * krb5.hin: Add krb5_set_password + Move krb5*_chpw internals to k5int.h + + * k5-int.h: Add prototypes for set-password helper functions + +2003-04-07 Ken Raeburn + + * fake-addrinfo.h (getaddrinfo) [NUMERIC_SERVICE_BROKEN]: + Overwrite the port number only if a numeric service port was + supplied. + +2003-04-01 Ken Raeburn + + * fake-addrinfo.h (COPY_FIRST_CANONNAME) [_AIX]: Define. + (GET_HOST_BY_NAME) [_AIX]: New version for AIX version of + gethostbyname_r. + (getaddrinfo) [NUMERIC_SERVICE_BROKEN]: Use "discard" as a dummy + service name instead of none at all. Don't check for unsigned + value less than zero. + (getaddrinfo) [COPY_FIRST_CANONNAME]: Set any ai_canonname fields + other than the first one to null. + +2003-03-18 Alexandra Ellwood + + * configure.in: Use KRB5_AC_NEED_BIND_8_COMPAT to check for bind 9 + and higher. When bind 9 is present, BIND_8_COMPAT needs to be + defined to get bind 8 types. + 2003-03-06 Alexandra Ellwood * krb5.h: Removed enumsalwaysint because there are no typed diff --git a/src/include/configure.in b/src/include/configure.in index 7287f153e..71b47ff3d 100644 --- a/src/include/configure.in +++ b/src/include/configure.in @@ -181,6 +181,9 @@ if test $krb5_cv_has_type_socklen_t = yes; then fi dnl dnl +KRB5_AC_NEED_BIND_8_COMPAT +dnl +dnl AC_ARG_ENABLE([athena], [ --enable-athena build with MIT Project Athena configuration], AC_DEFINE(KRB5_ATHENA_COMPAT,1,[Define if MIT Project Athena default configuration should be used]),) diff --git a/src/include/fake-addrinfo.h b/src/include/fake-addrinfo.h index d32802a77..b019c3823 100644 --- a/src/include/fake-addrinfo.h +++ b/src/include/fake-addrinfo.h @@ -91,6 +91,7 @@ #include "socket-utils.h" #ifdef S_SPLINT_S +/*@-incondefs@*/ extern int getaddrinfo (/*@in@*/ /*@null@*/ const char *, /*@in@*/ /*@null@*/ const char *, @@ -108,8 +109,8 @@ getnameinfo (const struct sockaddr *addr, socklen_t addrsz, /*@requires (maxSet(h)+1) >= hsz /\ (maxSet(s)+1) >= ssz @*/ /* too hard: maxRead(addr) >= (addrsz-1) */ /*@modifies *h, *s@*/; -extern /*@dependent@*/ char * -gai_strerror (int code) /*@*/; +extern /*@dependent@*/ char *gai_strerror (int code) /*@*/; +/*@=incondefs@*/ #endif @@ -125,6 +126,7 @@ gai_strerror (int code) /*@*/; #ifdef _AIX # define NUMERIC_SERVICE_BROKEN +# define COPY_FIRST_CANONNAME #endif @@ -152,6 +154,29 @@ gai_strerror (int code) /*@*/; #define GET_HOST_BY_ADDR(ADDR, ADDRLEN, FAMILY, HP, ERR) \ { (HP) = gethostbyaddr ((ADDR), (ADDRLEN), (FAMILY)); (ERR) = h_errno; } #else +#ifdef _AIX /* XXX should have a feature test! */ +#define GET_HOST_BY_NAME(NAME, HP, ERR) \ + { \ + struct hostent my_h_ent; \ + struct hostent_data my_h_ent_data; \ + (HP) = (gethostbyname_r((NAME), &my_h_ent, &my_h_ent_data) \ + ? 0 \ + : &my_h_ent); \ + (ERR) = h_errno; \ + } +/* +#define GET_HOST_BY_ADDR(ADDR, ADDRLEN, FAMILY, HP, ERR) \ + { \ + struct hostent my_h_ent; \ + struct hostent_data my_h_ent_data; \ + (HP) = (gethostbyaddr_r((ADDR), (ADDRLEN), (FAMILY), &my_h_ent, \ + &my_h_ent_data) \ + ? 0 \ + : &my_h_ent); \ + (ERR) = my_h_err; \ + } +*/ +#else #ifdef GETHOSTBYNAME_R_RETURNS_INT #define GET_HOST_BY_NAME(NAME, HP, ERR) \ { \ @@ -196,7 +221,8 @@ gai_strerror (int code) /*@*/; my_h_buf, sizeof (my_h_buf), &my_h_err); \ (ERR) = my_h_err; \ } -#endif +#endif /* returns int? */ +#endif /* _AIX */ #endif /* Now do the same for getservby* functions. */ @@ -898,19 +924,19 @@ getaddrinfo (const char *name, const char *serv, const struct addrinfo *hint, /* AIX 4.3.3 is broken. (Or perhaps out of date?) If a numeric service is provided, and it doesn't correspond to - a known service name, an error code (for "host not found") is - returned. If the port maps to a known service, all is - well. */ + a known service name for tcp or udp (as appropriate), an error + code (for "host not found") is returned. If the port maps to a + known service for both udp and tcp, all is well. */ if (serv && serv[0] && isdigit(serv[0])) { unsigned long lport; char *end; lport = strtoul(serv, &end, 10); if (!*end) { - if (lport < 0 || lport > 65535) + if (lport > 65535) return EAI_SOCKTYPE; service_is_numeric = 1; service_port = htons(lport); - serv = 0; + serv = "discard"; /* defined for both udp and tcp */ if (hint) socket_type = hint->ai_socktype; } @@ -948,7 +974,10 @@ getaddrinfo (const char *name, const char *serv, const struct addrinfo *hint, approach: If getaddrinfo sets ai_canonname, we'll replace the *first* one with allocated storage, and free up that pointer in freeaddrinfo if it's set; the other ai_canonname fields will be - left untouched. + left untouched. And we'll just pray that the application code + won't mess around with the list structure; if we start doing + that, we'll have to start replacing and freeing all of the + ai_canonname fields. Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=133668 . @@ -1017,20 +1046,28 @@ getaddrinfo (const char *name, const char *serv, const struct addrinfo *hint, #endif return EAI_MEMORY; } + /* Zap the remaining ai_canonname fields glibc fills in, in + case the application messes around with the list + structure. */ + while ((ai = ai->ai_next) != NULL) + ai->ai_canonname = 0; } #endif #ifdef NUMERIC_SERVICE_BROKEN - for (ai = *result; ai; ai = ai->ai_next) { - if (socket_type != 0 && ai->ai_socktype == 0) - ai->ai_socktype = socket_type; - switch (ai->ai_family) { - case AF_INET: - ((struct sockaddr_in *)ai->ai_addr)->sin_port = service_port; - break; - case AF_INET6: - ((struct sockaddr_in6 *)ai->ai_addr)->sin6_port = service_port; - break; + if (service_port != 0) { + for (ai = *result; ai; ai = ai->ai_next) { + if (socket_type != 0 && ai->ai_socktype == 0) + /* Is this check actually needed? */ + ai->ai_socktype = socket_type; + switch (ai->ai_family) { + case AF_INET: + ((struct sockaddr_in *)ai->ai_addr)->sin_port = service_port; + break; + case AF_INET6: + ((struct sockaddr_in6 *)ai->ai_addr)->sin6_port = service_port; + break; + } } } #endif diff --git a/src/include/k5-int.h b/src/include/k5-int.h index 41c325da1..575bec539 100644 --- a/src/include/k5-int.h +++ b/src/include/k5-int.h @@ -282,12 +282,15 @@ typedef struct _krb5_alt_method { * A null-terminated array of this structure is returned by the KDC as * the data part of the ETYPE_INFO preauth type. It informs the * client which encryption types are supported. + * The same data structure is used by both etype-info and etype-info2 + * but s2kparams must be null when encoding etype-info. */ typedef struct _krb5_etype_info_entry { krb5_magic magic; krb5_enctype etype; unsigned int length; krb5_octet *salt; + krb5_data s2kparams; } krb5_etype_info_entry; /* @@ -903,6 +906,8 @@ void krb5_free_etype_info /* * End "preauth.h" */ +krb5_error_code +krb5int_copy_data_contents (krb5_context, const krb5_data *, krb5_data *); typedef krb5_error_code (*krb5_gic_get_as_key_fct) (krb5_context, @@ -911,6 +916,7 @@ typedef krb5_error_code (*krb5_gic_get_as_key_fct) krb5_prompter_fct, void *prompter_data, krb5_data *salt, + krb5_data *s2kparams, krb5_keyblock *as_key, void *gak_data); @@ -933,7 +939,8 @@ krb5_get_init_creds krb5_error_code krb5_do_preauth (krb5_context, krb5_kdc_req *, krb5_pa_data **, krb5_pa_data ***, - krb5_data *, krb5_enctype *, + krb5_data *salt, krb5_data *s2kparams, + krb5_enctype *, krb5_keyblock *, krb5_prompter_fct, void *, krb5_gic_get_as_key_fct, void *); @@ -1005,6 +1012,17 @@ struct _krb5_context { absolute limit on the UDP packet size. */ int udp_pref_limit; + /* This is the tgs_ktypes list as read from the profile, or + set to compiled-in defaults. The application code cannot + override it. This is used for session keys for + intermediate ticket-granting tickets used to acquire the + requested ticket (the session key of which may be + constrained by tgs_ktypes above). */ + krb5_enctype *conf_tgs_ktypes; + int conf_tgs_ktypes_count; + /* Use the _configured version? */ + krb5_boolean use_conf_ktypes; + #ifdef KRB5_DNS_LOOKUP krb5_boolean profile_in_memory; #endif /* KRB5_DNS_LOOKUP */ @@ -1221,6 +1239,8 @@ krb5_error_code encode_krb5_alt_method krb5_error_code encode_krb5_etype_info (const krb5_etype_info_entry **, krb5_data **code); +krb5_error_code encode_krb5_etype_info2 + (const krb5_etype_info_entry **, krb5_data **code); krb5_error_code encode_krb5_enc_data (const krb5_enc_data *, krb5_data **); @@ -1270,6 +1290,9 @@ krb5_error_code encode_krb5_sam_response krb5_error_code encode_krb5_predicted_sam_response (const krb5_predicted_sam_response * , krb5_data **); +krb5_error_code encode_krb5_setpw_req +(const krb5_principal target, char *password, krb5_data **code); + /************************************************************************* * End of prototypes for krb5_encode.c *************************************************************************/ @@ -1396,6 +1419,9 @@ krb5_error_code decode_krb5_alt_method krb5_error_code decode_krb5_etype_info (const krb5_data *output, krb5_etype_info_entry ***rep); +krb5_error_code decode_krb5_etype_info2 + (const krb5_data *output, krb5_etype_info_entry ***rep); + krb5_error_code decode_krb5_enc_data (const krb5_data *output, krb5_enc_data **rep); @@ -1559,6 +1585,29 @@ krb5_error_code KRB5_CALLCONV krb5_cc_retrieve_cred_default void krb5int_set_prompt_types (krb5_context, krb5_prompt_type *); +/* set and change password helpers */ + +krb5_error_code krb5int_mk_chpw_req + (krb5_context context, krb5_auth_context auth_context, + krb5_data *ap_req, char *passwd, krb5_data *packet); +krb5_error_code krb5int_rd_chpw_rep + (krb5_context context, krb5_auth_context auth_context, + krb5_data *packet, int *result_code, + krb5_data *result_data); +krb5_error_code KRB5_CALLCONV krb5_chpw_result_code_string + (krb5_context context, int result_code, + char **result_codestr); +krb5_error_code krb5int_mk_setpw_req + (krb5_context context, krb5_auth_context auth_context, + krb5_data *ap_req, krb5_principal targetprinc, char *passwd, krb5_data *packet); +krb5_error_code krb5int_rd_setpw_rep + (krb5_context context, krb5_auth_context auth_context, + krb5_data *packet, int *result_code, + krb5_data *result_data); +krb5_error_code krb5int_setpw_result_code_string + (krb5_context context, int result_code, + const char **result_codestr); + #if defined(macintosh) && defined(__CFM68K__) && !defined(__USING_STATIC_LIBS__) diff --git a/src/include/krb5.hin b/src/include/krb5.hin index eece828f1..7d033902c 100644 --- a/src/include/krb5.hin +++ b/src/include/krb5.hin @@ -491,6 +491,13 @@ krb5_error_code KRB5_CALLCONV (krb5_context context, krb5_enctype enctype, const krb5_data *string, const krb5_data *salt, krb5_keyblock *key); +krb5_error_code KRB5_CALLCONV +krb5_c_string_to_key_with_params(krb5_context context, + krb5_enctype enctype, + const krb5_data *string, + const krb5_data *salt, + const krb5_data *params, + krb5_keyblock *key); krb5_error_code KRB5_CALLCONV krb5_c_enctype_compare @@ -874,7 +881,7 @@ krb5_error_code krb5_decrypt_data #define KRB5_PADATA_SAM_RESPONSE 13 /* draft challenge system response */ #define KRB5_PADATA_PK_AS_REQ 14 /* PKINIT */ #define KRB5_PADATA_PK_AS_REP 15 /* PKINIT */ - +#define KRB5_PADATA_ETYPE_INFO2 19 #define KRB5_PADATA_SAM_CHALLENGE_2 30 /* draft challenge system, updated */ #define KRB5_PADATA_SAM_RESPONSE_2 31 /* draft challenge system, updated */ @@ -1658,18 +1665,6 @@ krb5_error_code KRB5_CALLCONV krb5_524_conv_principal (krb5_context context, krb5_const_principal princ, char *name, char *inst, char *realm); -#if KRB5_PRIVATE -krb5_error_code KRB5_CALLCONV krb5_mk_chpw_req - (krb5_context context, krb5_auth_context auth_context, - krb5_data *ap_req, char *passwd, krb5_data *packet); -krb5_error_code KRB5_CALLCONV krb5_rd_chpw_rep - (krb5_context context, krb5_auth_context auth_context, - krb5_data *packet, int *result_code, - krb5_data *result_data); -krb5_error_code KRB5_CALLCONV krb5_chpw_result_code_string - (krb5_context context, int result_code, - char **result_codestr); -#endif /* libkt.spec */ #if KRB5_PRIVATE @@ -1871,6 +1866,14 @@ krb5_change_password (krb5_context context, krb5_creds *creds, char *newpw, int *result_code, krb5_data *result_code_string, krb5_data *result_string); +krb5_error_code KRB5_CALLCONV +krb5_set_password + (krb5_context context, krb5_creds *creds, char *newpw, krb5_principal change_password_for, + int *result_code, krb5_data *result_code_string, krb5_data *result_string); +krb5_error_code KRB5_CALLCONV +krb5_set_password_using_ccache + (krb5_context context, krb5_ccache ccache, char *newpw, krb5_principal change_password_for, + int *result_code, krb5_data *result_code_string, krb5_data *result_string); #if KRB5_PRIVATE #ifndef macintosh @@ -2152,11 +2155,30 @@ krb5_error_code KRB5_CALLCONV krb5_auth_con_getkey krb5_auth_context, krb5_keyblock **); +krb5_error_code KRB5_CALLCONV krb5_auth_con_getsendsubkey( + krb5_context, krb5_auth_context, krb5_keyblock **); + +krb5_error_code KRB5_CALLCONV krb5_auth_con_getrecvsubkey( + krb5_context, krb5_auth_context, krb5_keyblock **); + +krb5_error_code KRB5_CALLCONV krb5_auth_con_setsendsubkey( + krb5_context, krb5_auth_context, krb5_keyblock *); + +krb5_error_code KRB5_CALLCONV krb5_auth_con_setrecvsubkey( + krb5_context, krb5_auth_context, krb5_keyblock *); + +#if KRB5_DEPRECATED krb5_error_code KRB5_CALLCONV krb5_auth_con_getlocalsubkey (krb5_context, krb5_auth_context, krb5_keyblock **); +krb5_error_code KRB5_CALLCONV krb5_auth_con_getremotesubkey + (krb5_context, + krb5_auth_context, + krb5_keyblock **); +#endif + #if KRB5_PRIVATE krb5_error_code KRB5_CALLCONV krb5_auth_con_set_req_cksumtype (krb5_context, @@ -2224,11 +2246,6 @@ krb5_error_code KRB5_CALLCONV krb5_auth_con_getauthenticator krb5_auth_context, krb5_authenticator **); -krb5_error_code KRB5_CALLCONV krb5_auth_con_getremotesubkey - (krb5_context, - krb5_auth_context, - krb5_keyblock **); - #define KRB5_REALM_BRANCH_CHAR '.' /* diff --git a/src/include/port-sockets.h b/src/include/port-sockets.h index 34489669b..eb87bc1c9 100644 --- a/src/include/port-sockets.h +++ b/src/include/port-sockets.h @@ -153,6 +153,21 @@ typedef struct iovec sg_buf; #define SHUTDOWN_WRITE 1 #define SHUTDOWN_BOTH 2 +#ifndef HAVE_INET_NTOP +#define inet_ntop(AF,SRC,DST,CNT) \ + ((AF) == AF_INET \ + ? ((CNT) < 16 \ + ? (SOCKET_SET_ERRNO(ENOSPC), NULL) \ + : (sprintf((DST), "%d.%d.%d.%d", \ + ((const unsigned char *)(const void *)(SRC))[0] & 0xff, \ + ((const unsigned char *)(const void *)(SRC))[1] & 0xff, \ + ((const unsigned char *)(const void *)(SRC))[2] & 0xff, \ + ((const unsigned char *)(const void *)(SRC))[3] & 0xff), \ + (DST))) \ + : (SOCKET_SET_ERRNO(EAFNOSUPPORT), NULL)) +#define HAVE_INET_NTOP +#endif + #endif /* HAVE_MACSOCK_H */ #endif /* _WIN32 */ diff --git a/src/kadmin/dbutil/ChangeLog b/src/kadmin/dbutil/ChangeLog index 5f32c1eee..711302500 100644 --- a/src/kadmin/dbutil/ChangeLog +++ b/src/kadmin/dbutil/ChangeLog @@ -1,3 +1,7 @@ +2003-04-23 Ken Raeburn + + * kdb5_destroy.c, kdb5_stash.c: Don't declare errno. + 2003-01-07 Ken Raeburn * Makefile.ov: Deleted. diff --git a/src/kadmin/dbutil/kdb5_destroy.c b/src/kadmin/dbutil/kdb5_destroy.c index 62d65ed49..2545bdb5d 100644 --- a/src/kadmin/dbutil/kdb5_destroy.c +++ b/src/kadmin/dbutil/kdb5_destroy.c @@ -36,7 +36,6 @@ #include #include "kdb5_util.h" -extern int errno; extern int exit_status; extern krb5_boolean dbactive; extern kadm5_config_params global_params; diff --git a/src/kadmin/dbutil/kdb5_stash.c b/src/kadmin/dbutil/kdb5_stash.c index 37db048ac..6d7251541 100644 --- a/src/kadmin/dbutil/kdb5_stash.c +++ b/src/kadmin/dbutil/kdb5_stash.c @@ -59,8 +59,6 @@ #include #include "kdb5_util.h" -extern int errno; - extern krb5_keyblock master_keyblock; extern krb5_principal master_princ; extern kadm5_config_params global_params; diff --git a/src/kdc/ChangeLog b/src/kdc/ChangeLog index eb4273615..64fbb4844 100644 --- a/src/kdc/ChangeLog +++ b/src/kdc/ChangeLog @@ -1,3 +1,59 @@ +2003-05-08 Sam Hartman + + * kdc_preauth.c (return_pw_salt): Don't return pw-salt if the + client's enctype list mandates it supports enctype-info2 + +2003-05-09 Tom Yu + + * kdc_util.c (kdc_process_tgs_req): Rename getremotesubkey -> + getrecvsubkey. + +2003-05-07 Sam Hartman + + * kdc_preauth.c (get_etype_info): Patch from Sun to reorganize + code and make sure that even for md5 the database order is + preserved. + (enctype_requires_etype_info_2): new function; determines wether a + particular enctype in a client request means that the client is + required to support etype_info2 by Kerberos clarifications. + (etype_info_helper): Renamed from get_etype_info to abstract out + code in common between etype_info and etype_info2 + (get_enctype_info): Return etype info only if request contains no + enctypes that require etype_info2 + (return_etype_info2): New function. + +2003-04-02 Sam Hartman + + * kdc_preauth.c (get_etype_info): Avoid infinite loop if request + does not contain des-cbc-crc and database does + +2003-04-01 Nalin Dahyabhai + + * do_tgs_req.c (process_tgs_req): Check that principal name + component 1 is present before examining it. + * kdc_util.c (krb5_is_tgs_principal, validate_tgs_request): Check + principal name length before examining components. + +2003-03-28 Tom Yu + + * kdc_preauth.c (verify_enc_timestamp): Save decryption error, in + case we get NO_MATCHING_KEY later. This allows us to log a more + sane error if an incorrect password is used for encrypting the + enc-timestamp preauth. + +2003-03-16 Sam Hartman + + * main.c (initialize_realms): Add support to call + enable_v4_crossrealm if the user wants insecure operation + + * kerberos_v4.c: Add enable_v4_crossrealm. By default krb4 + cross-realm is not allowed as it is insecure. Also, remove + support for generating krb4 tickets encrypted in 3DES as they are + insecure. + + * kdc_util.h: Define enable_v4_crossrealm, new function to enable + secure krb4 cross-realm authentication + 2003-03-05 Tom Yu * main.c (init_realm): Update call to krb5_ktdb_resolve(). diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c index 0c6116e21..c8b679bc2 100644 --- a/src/kdc/do_tgs_req.c +++ b/src/kdc/do_tgs_req.c @@ -174,7 +174,7 @@ tgt_again: krb5_data *tgs_1 = krb5_princ_component(kdc_context, tgs_server, 1); - if (server_1->length != tgs_1->length || + if (!tgs_1 || server_1->length != tgs_1->length || memcmp(server_1->data, tgs_1->data, tgs_1->length)) { krb5_db_free_principal(kdc_context, &server, nprincs); find_alternate_tgs(request, &server, &more, &nprincs); diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c index 4747f27de..31e6f4705 100644 --- a/src/kdc/kdc_preauth.c +++ b/src/kdc/kdc_preauth.c @@ -59,6 +59,8 @@ #include "adm_proto.h" #include +#include + /* XXX This is ugly and should be in a header file somewhere */ #ifndef KRB5INT_DES_TYPES_DEFINED #define KRB5INT_DES_TYPES_DEFINED @@ -104,6 +106,18 @@ static krb5_error_code get_etype_info (krb5_context, krb5_kdc_req *request, krb5_db_entry *client, krb5_db_entry *server, krb5_pa_data *data); +static krb5_error_code +get_etype_info2(krb5_context context, krb5_kdc_req *request, + krb5_db_entry *client, krb5_db_entry *server, + krb5_pa_data *pa_data); +static krb5_error_code +return_etype_info2(krb5_context, krb5_pa_data * padata, + krb5_db_entry *client, + krb5_kdc_req *request, krb5_kdc_rep *reply, + krb5_key_data *client_key, + krb5_keyblock *encrypting_key, + krb5_pa_data **send_pa); + static krb5_error_code return_pw_salt (krb5_context, krb5_pa_data * padata, krb5_db_entry *client, @@ -155,6 +169,14 @@ static krb5_preauth_systems preauth_systems[] = { 0, 0 }, + { + "etype-info2", + KRB5_PADATA_ETYPE_INFO2, + 0, + get_etype_info2, + 0, + return_etype_info2 + }, { "pw-salt", KRB5_PADATA_PW_SALT, @@ -431,6 +453,26 @@ cleanup: return (retval); } +static krb5_boolean +enctype_requires_etype_info_2(krb5_enctype enctype) +{ + switch(enctype) { + case ENCTYPE_DES_CBC_CRC: + case ENCTYPE_DES_CBC_MD4: + case ENCTYPE_DES_CBC_MD5: + case ENCTYPE_DES3_CBC_SHA1: + case ENCTYPE_DES3_CBC_RAW: + case ENCTYPE_ARCFOUR_HMAC: + case ENCTYPE_ARCFOUR_HMAC_EXP : + case ENCTYPE_LOCAL_DES3_HMAC_SHA1: + return 0; + default: + if (krb5_c_valid_enctype(enctype)) + return 1; + else return 0; + } +} + static krb5_boolean request_contains_enctype (krb5_context context, const krb5_kdc_req *request, krb5_enctype enctype) @@ -457,7 +499,8 @@ verify_enc_timestamp(krb5_context context, krb5_db_entry *client, krb5_key_data * client_key; krb5_int32 start; krb5_timestamp timenow; - + krb5_error_code decrypt_err; + scratch.data = pa->contents; scratch.length = pa->length; @@ -471,6 +514,7 @@ verify_enc_timestamp(krb5_context context, krb5_db_entry *client, goto cleanup; start = 0; + decrypt_err = 0; while (1) { if ((retval = krb5_dbe_search_enctype(context, client, &start, enc_data->enctype, @@ -488,6 +532,8 @@ verify_enc_timestamp(krb5_context context, krb5_db_entry *client, krb5_free_keyblock_contents(context, &key); if (retval == 0) break; + else + decrypt_err = retval; } if ((retval = decode_krb5_pa_enc_ts(&enc_ts_data, &pa_enc)) != 0) @@ -513,29 +559,79 @@ cleanup: krb5_free_data_contents(context, &enc_ts_data); if (pa_enc) free(pa_enc); + /* + * If we get NO_MATCHING_KEY and decryption previously failed, and + * we failed to find any other keys of the correct enctype after + * that failed decryption, it probably means that the password was + * incorrect. + */ + if (retval == KRB5_KDB_NO_MATCHING_KEY && decrypt_err != 0) + retval = decrypt_err; return retval; } +static krb5_error_code +_make_etype_info_entry(context, request, client_key, etype, entry) + krb5_context context; + krb5_kdc_req * request; + krb5_key_data * client_key; + const krb5_enctype etype; + krb5_etype_info_entry ** entry; +{ + krb5_data salt; + krb5_etype_info_entry * tmp_entry; + krb5_error_code retval; + + if ((tmp_entry = malloc(sizeof(krb5_etype_info_entry))) == NULL) + return ENOMEM; + + salt.data = 0; + + tmp_entry->magic = KV5M_ETYPE_INFO_ENTRY; + tmp_entry->etype = etype; + tmp_entry->length = KRB5_ETYPE_NO_SALT; + tmp_entry->salt = 0; + tmp_entry->s2kparams.data = NULL; + tmp_entry->s2kparams.length = 0; + retval = get_salt_from_key(context, request->client, + client_key, &salt); + if (retval) + goto fail; + + if (salt.length >= 0) { + tmp_entry->length = salt.length; + tmp_entry->salt = (unsigned char *) salt.data; + salt.data = 0; + } + *entry = tmp_entry; + return 0; + +fail: + if (tmp_entry) + free(tmp_entry); + if (salt.data) + free(salt.data); + return retval; +} /* * This function returns the etype information for a particular * client, to be passed back in the preauth list in the KRB_ERROR - * message. + * message. It supports generating both etype_info and etype_info2 + * as most of the work is the same. */ static krb5_error_code -get_etype_info(krb5_context context, krb5_kdc_req *request, +etype_info_helper(krb5_context context, krb5_kdc_req *request, krb5_db_entry *client, krb5_db_entry *server, - krb5_pa_data *pa_data) + krb5_pa_data *pa_data, int etype_info2) { krb5_etype_info_entry ** entry = 0; krb5_key_data *client_key; krb5_error_code retval; - krb5_data salt; krb5_data * scratch; krb5_enctype db_etype; int i = 0; int start = 0; - - salt.data = 0; + int seen_des = 0; entry = malloc((client->n_key_data * 2 + 1) * sizeof(krb5_etype_info_entry *)); if (entry == NULL) @@ -550,51 +646,55 @@ get_etype_info(krb5_context context, krb5_kdc_req *request, if (retval) goto cleanup; db_etype = client_key->key_data_type[0]; - if (db_etype == ENCTYPE_DES_CBC_MD4 || db_etype == ENCTYPE_DES_CBC_MD5) - db_etype = ENCTYPE_DES_CBC_CRC; + if (db_etype == ENCTYPE_DES_CBC_MD4) + db_etype = ENCTYPE_DES_CBC_MD5; - while (1) { - if (!request_contains_enctype(context, - request, db_etype)) { - if (db_etype == ENCTYPE_DES_CBC_CRC) - continue; - else break; - } - - if ((entry[i] = malloc(sizeof(krb5_etype_info_entry))) == NULL) { - retval = ENOMEM; + if (request_contains_enctype(context, request, db_etype)) { + assert(etype_info2 || + !enctype_requires_etype_info_2(db_etype)); + if ((retval = _make_etype_info_entry(context, request, client_key, + db_etype, &entry[i])) != 0) { goto cleanup; } entry[i+1] = 0; - entry[i]->magic = KV5M_ETYPE_INFO_ENTRY; - entry[i]->etype = db_etype; - entry[i]->length = KRB5_ETYPE_NO_SALT; - entry[i]->salt = 0; - retval = get_salt_from_key(context, request->client, - client_key, &salt); - if (retval) - goto cleanup; - if (salt.length >= 0 && salt.length != SALT_TYPE_NO_LENGTH) { - entry[i]->length = salt.length; - entry[i]->salt = salt.data; - salt.data = 0; - } i++; - /* - * If we have a DES_CRC key, it can also be used as a - * DES_MD5 key. - */ - if (db_etype == ENCTYPE_DES_CBC_CRC) + } + + /* + * If there is a des key in the kdb, try the "similar" enctypes, + * avoid duplicate entries. + */ + if (!seen_des) { + switch (db_etype) { + case ENCTYPE_DES_CBC_MD5: + db_etype = ENCTYPE_DES_CBC_CRC; + break; + case ENCTYPE_DES_CBC_CRC: db_etype = ENCTYPE_DES_CBC_MD5; - else break; + default: + continue; + + } + if (request_contains_enctype(context, request, db_etype)) { + if ((retval = _make_etype_info_entry(context, request, + client_key, db_etype, &entry[i])) != 0) { + goto cleanup; + } + entry[i+1] = 0; + i++; + } + seen_des++; } } - retval = encode_krb5_etype_info((const krb5_etype_info_entry **) entry, + if (etype_info2) + retval = encode_krb5_etype_info2((const krb5_etype_info_entry **) entry, + &scratch); + else retval = encode_krb5_etype_info((const krb5_etype_info_entry **) entry, &scratch); if (retval) goto cleanup; - pa_data->contents = scratch->data; + pa_data->contents = (unsigned char *)scratch->data; pa_data->length = scratch->length; free(scratch); @@ -603,11 +703,78 @@ get_etype_info(krb5_context context, krb5_kdc_req *request, cleanup: if (entry) krb5_free_etype_info(context, entry); - if (salt.data) - free(salt.data); return retval; } +static krb5_error_code +get_etype_info(krb5_context context, krb5_kdc_req *request, + krb5_db_entry *client, krb5_db_entry *server, + krb5_pa_data *pa_data) +{ + int i; + for (i=0; i < request->nktypes; i++) { + if (enctype_requires_etype_info_2(request->ktype[i])) + return KRB5KDC_ERR_PADATA_TYPE_NOSUPP ;;;; /*Caller will + * skip this + * type*/ + } + return etype_info_helper(context, request, client, server, pa_data, 0); +} + +static krb5_error_code +get_etype_info2(krb5_context context, krb5_kdc_req *request, + krb5_db_entry *client, krb5_db_entry *server, + krb5_pa_data *pa_data) +{ + return etype_info_helper( context, request, client, server, pa_data, 1); +} + +static krb5_error_code +return_etype_info2(krb5_context context, krb5_pa_data * padata, + krb5_db_entry *client, + krb5_kdc_req *request, krb5_kdc_rep *reply, + krb5_key_data *client_key, + krb5_keyblock *encrypting_key, + krb5_pa_data **send_pa) +{ + krb5_error_code retval; + krb5_pa_data *tmp_padata; + krb5_etype_info_entry **entry = NULL; + krb5_data *scratch = NULL; + tmp_padata = malloc( sizeof(krb5_pa_data)); + if (tmp_padata == NULL) + return ENOMEM; + tmp_padata->pa_type = KRB5_PADATA_ETYPE_INFO2; + entry = malloc(2 * sizeof(krb5_etype_info_entry *)); + if (entry == NULL) { + retval = ENOMEM; + goto cleanup; + } + entry[0] = NULL; + entry[1] = NULL; + retval = _make_etype_info_entry(context, request, client_key, client_key->key_data_type[0], + entry); + if (retval) + goto cleanup; + retval = encode_krb5_etype_info2((const krb5_etype_info_entry **) entry, &scratch); + if (retval) + goto cleanup; + tmp_padata->contents = scratch->data; + tmp_padata->length = scratch->length; + *send_pa = tmp_padata; + cleanup: + if (entry) + krb5_free_etype_info(context, entry); + if (retval) { + if (tmp_padata) + free(tmp_padata); + if (scratch) + krb5_free_data(context, scratch); + } + return retval; +} + + static krb5_error_code return_pw_salt(krb5_context context, krb5_pa_data *in_padata, krb5_db_entry *client, krb5_kdc_req *request, @@ -618,7 +785,12 @@ return_pw_salt(krb5_context context, krb5_pa_data *in_padata, krb5_pa_data * padata; krb5_data * scratch; krb5_data salt_data; + int i; + for (i = 0; i < request->nktypes; i++) { + if (enctype_requires_etype_info_2(request->ktype[i])) + return 0; + } if (client_key->key_data_ver == 1 || client_key->key_data_type[1] == KRB5_KDB_SALTTYPE_NORMAL) return 0; diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c index 736c51d12..753f84a0a 100644 --- a/src/kdc/kdc_util.c +++ b/src/kdc/kdc_util.c @@ -150,7 +150,8 @@ realm_compare(krb5_principal princ1, krb5_principal princ2) */ krb5_boolean krb5_is_tgs_principal(krb5_principal principal) { - if ((krb5_princ_component(kdc_context, principal, 0)->length == + if ((krb5_princ_size(kdc_context, principal) > 0) && + (krb5_princ_component(kdc_context, principal, 0)->length == KRB5_TGS_NAME_SIZE) && (!memcmp(krb5_princ_component(kdc_context, principal, 0)->data, KRB5_TGS_NAME, KRB5_TGS_NAME_SIZE))) @@ -312,8 +313,8 @@ kdc_process_tgs_req(krb5_kdc_req *request, const krb5_fulladdr *from, goto cleanup_auth_context; } - if ((retval = krb5_auth_con_getremotesubkey(kdc_context, - auth_context, subkey))) + if ((retval = krb5_auth_con_getrecvsubkey(kdc_context, + auth_context, subkey))) goto cleanup_auth_context; if ((retval = krb5_auth_con_getauthenticator(kdc_context, auth_context, @@ -1162,7 +1163,8 @@ validate_tgs_request(register krb5_kdc_req *request, krb5_db_entry server, return KRB_AP_ERR_NOT_US; } /* ...and that the second component matches the server realm... */ - if ((krb5_princ_component(kdc_context, ticket->server, 1)->length != + if ((krb5_princ_size(kdc_context, ticket->server) <= 1) || + (krb5_princ_component(kdc_context, ticket->server, 1)->length != krb5_princ_realm(kdc_context, request->server)->length) || memcmp(krb5_princ_component(kdc_context, ticket->server, 1)->data, krb5_princ_realm(kdc_context, request->server)->data, diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h index 9abe3b860..05ba07f4f 100644 --- a/src/kdc/kdc_util.h +++ b/src/kdc/kdc_util.h @@ -176,6 +176,7 @@ krb5_error_code process_v4 (const krb5_data *, const krb5_fulladdr *, krb5_data **); void process_v4_mode (const char *, const char *); +void enable_v4_crossrealm(char *); #else #define process_v4(foo,bar,quux,foobar) KRB5KRB_AP_ERR_BADVERSION #endif diff --git a/src/kdc/kerberos_v4.c b/src/kdc/kerberos_v4.c index a87a1d5e5..01359792f 100644 --- a/src/kdc/kerberos_v4.c +++ b/src/kdc/kerberos_v4.c @@ -146,7 +146,7 @@ static krb5_data *response; void kerberos_v4 (struct sockaddr_in *, KTEXT); void kerb_err_reply (struct sockaddr_in *, KTEXT, long, char *); -static int set_tgtkey (char *, krb5_kvno); +static int set_tgtkey (char *, krb5_kvno, krb5_boolean); /* Attributes converted from V5 to V4 - internal representation */ #define V4_KDB_REQUIRES_PREAUTH 0x1 @@ -180,6 +180,8 @@ static const struct v4mode_lookup_entry v4mode_table[] = { static const int v4mode_table_nents = sizeof(v4mode_table)/ sizeof(v4mode_table[0]); +static int allow_v4_crossrealm = 0; + void process_v4_mode(const char *program_name, const char *string) { int i, found; @@ -205,6 +207,11 @@ void process_v4_mode(const char *program_name, const char *string) return; } +void enable_v4_crossrealm ( char *programname) { + allow_v4_crossrealm = 1; + krb5_klog_syslog(LOG_ERR, "Enabling v4 cross-realm compatibility; this is a known security hole"); +} + krb5_error_code process_v4(const krb5_data *pkt, const krb5_fulladdr *client_fulladdr, krb5_data **resp) @@ -382,6 +389,14 @@ compat_decrypt_key (krb5_key_data *in5, unsigned char *out4, /* array of name-components + NULL ptr */ +/* + * Previously this code returned either a v4 key or a v5 key and you + * could tell from the enctype of the v5 key whether the v4 key was + * useful. Now we return both keys so the code can try both des3 and + * des decryption. We fail if the ticket doesn't have a v4 key. + * Also, note as a side effect, the v5 key is basically useless in + * the client case. It is still returned so the caller can free it. + */ static int kerb_get_principal(char *name, char *inst, /* could have wild cards */ Principal *principal, @@ -461,8 +476,28 @@ kerb_get_principal(char *name, char *inst, /* could have wild cards */ return(0); } } else { - /* XXX yes I know this is a hardcoded search order */ - if (krb5_dbe_find_enctype(kdc_context, &entries, + if ( krb5_dbe_find_enctype(kdc_context, &entries, + ENCTYPE_DES_CBC_CRC, + KRB5_KDB_SALTTYPE_V4, kvno, &pkey) && + krb5_dbe_find_enctype(kdc_context, &entries, + ENCTYPE_DES_CBC_CRC, + -1, kvno, &pkey)) { + lt = klog(L_KRB_PERR, + "KDC V4: failed to find key for %s.%s #%d", + name, inst, kvno); + krb5_db_free_principal(kdc_context, &entries, nprinc); + return(0); + } + } + + if (!compat_decrypt_key(pkey, k, k5key, issrv)) { + memcpy( &principal->key_low, k, LONGLEN); + memcpy( &principal->key_high, (krb5_ui_4 *) k + 1, LONGLEN); + } + memset(k, 0, sizeof k); + if (issrv) { + krb5_free_keyblock_contents (kdc_context, k5key); + if (krb5_dbe_find_enctype(kdc_context, &entries, ENCTYPE_DES3_CBC_RAW, -1, kvno, &pkey) && krb5_dbe_find_enctype(kdc_context, &entries, @@ -478,17 +513,16 @@ kerb_get_principal(char *name, char *inst, /* could have wild cards */ ENCTYPE_DES_CBC_CRC, -1, kvno, &pkey)) { lt = klog(L_KRB_PERR, - "KDC V4: failed to find key for %s.%s #%d", + "KDC V4: failed to find key for %s.%s #%d (after having found it once)", name, inst, kvno); krb5_db_free_principal(kdc_context, &entries, nprinc); return(0); } - } + compat_decrypt_key(pkey, k, k5key, issrv); + memset (k, 0, sizeof k); + } + - if (!compat_decrypt_key(pkey, k, k5key, issrv)) { - memcpy( &principal->key_low, k, LONGLEN); - memcpy( &principal->key_high, (krb5_ui_4 *) k + 1, LONGLEN); - } /* * Convert v5's entries struct to v4's Principal struct: * v5's time-unit for lifetimes is 1 sec, while v4 uses 5 minutes, @@ -732,21 +766,14 @@ kerberos_v4(struct sockaddr_in *client, KTEXT pkt) kdb_encrypt_key(key, key, master_key, master_key_schedule, DECRYPT); /* construct and seal the ticket */ - if (K4KDC_ENCTYPE_OK(k5key.enctype)) { - krb_create_ticket(tk, k_flags, a_name_data.name, - a_name_data.instance, local_realm, - client_host.s_addr, (char *) session_key, - lifetime, kerb_time.tv_sec, - s_name_data.name, s_name_data.instance, - key); - } else { - krb_cr_tkt_krb5(tk, k_flags, a_name_data.name, - a_name_data.instance, local_realm, - client_host.s_addr, (char *) session_key, - lifetime, kerb_time.tv_sec, - s_name_data.name, s_name_data.instance, - &k5key); - } + /* We always issue des tickets; the 3des tickets are a broken hack*/ + krb_create_ticket(tk, k_flags, a_name_data.name, + a_name_data.instance, local_realm, + client_host.s_addr, (char *) session_key, + lifetime, kerb_time.tv_sec, + s_name_data.name, s_name_data.instance, + key); + krb5_free_keyblock_contents(kdc_context, &k5key); memset(key, 0, sizeof(key)); memset(key_s, 0, sizeof(key_s)); @@ -826,8 +853,15 @@ kerberos_v4(struct sockaddr_in *client, KTEXT pkt) strncpy(tktrlm, (char *)auth->dat + 3, REALM_SZ); tktrlm[REALM_SZ-1] = '\0'; kvno = (krb5_kvno)auth->dat[2]; - if (set_tgtkey(tktrlm, kvno)) { - lt = klog(L_ERR_UNK, + if ((!allow_v4_crossrealm)&&strcmp(tktrlm, local_realm) != 0) { + lt = klog(L_ERR_UNK, + "Cross realm ticket from %s denied by policy,", tktrlm); + kerb_err_reply(client, pkt, + KERB_ERR_PRINCIPAL_UNKNOWN, lt); + return; + } + if (set_tgtkey(tktrlm, kvno, 0)) { + lt = klog(L_ERR_UNK, "FAILED set_tgtkey realm %s, kvno %d. Host: %s ", tktrlm, kvno, inet_ntoa(client_host)); /* no better error code */ @@ -837,6 +871,19 @@ kerberos_v4(struct sockaddr_in *client, KTEXT pkt) } kerno = krb_rd_req(auth, "krbtgt", tktrlm, client_host.s_addr, ad, 0); + if (kerno) { + if (set_tgtkey(tktrlm, kvno, 1)) { + lt = klog(L_ERR_UNK, + "FAILED 3des set_tgtkey realm %s, kvno %d. Host: %s ", + tktrlm, kvno, inet_ntoa(client_host)); + /* no better error code */ + kerb_err_reply(client, pkt, + KERB_ERR_PRINCIPAL_UNKNOWN, lt); + return; + } + kerno = krb_rd_req(auth, "krbtgt", tktrlm, client_host.s_addr, + ad, 0); + } if (kerno) { klog(L_ERR_UNK, "FAILED krb_rd_req from %s: %s", @@ -913,21 +960,13 @@ kerberos_v4(struct sockaddr_in *client, KTEXT pkt) des_new_random_key(session_key); #endif - if (K4KDC_ENCTYPE_OK(k5key.enctype)) { - krb_create_ticket(tk, k_flags, ad->pname, ad->pinst, - ad->prealm, client_host.s_addr, - (char *) session_key, lifetime, - kerb_time.tv_sec, - s_name_data.name, s_name_data.instance, - key); - } else { - krb_cr_tkt_krb5(tk, k_flags, ad->pname, ad->pinst, - ad->prealm, client_host.s_addr, - (char *) session_key, lifetime, - kerb_time.tv_sec, - s_name_data.name, s_name_data.instance, - &k5key); - } + /* ALways issue des tickets*/ + krb_create_ticket(tk, k_flags, ad->pname, ad->pinst, + ad->prealm, client_host.s_addr, + (char *) session_key, lifetime, + kerb_time.tv_sec, + s_name_data.name, s_name_data.instance, + key); krb5_free_keyblock_contents(kdc_context, &k5key); memset(key, 0, sizeof(key)); memset(key_s, 0, sizeof(key_s)); @@ -1107,11 +1146,12 @@ check_princ(char *p_name, char *instance, int lifetime, Principal *p, /* Set the key for krb_rd_req so we can check tgt */ static int -set_tgtkey(char *r, krb5_kvno kvno) +set_tgtkey(char *r, krb5_kvno kvno, krb5_boolean use_3des) { int n; static char lastrealm[REALM_SZ] = ""; static int last_kvno = 0; + static krb5_boolean last_use_3des = 0; static int more; Principal p_st; Principal *p = &p_st; @@ -1119,7 +1159,7 @@ set_tgtkey(char *r, krb5_kvno kvno) krb5_keyblock k5key; k5key.contents = NULL; - if (!strcmp(lastrealm, r) && last_kvno == kvno) + if (!strcmp(lastrealm, r) && last_kvno == kvno && last_use_3des == use_3des) return (KSUCCESS); /* log("Getting key for %s", r); */ @@ -1141,11 +1181,12 @@ set_tgtkey(char *r, krb5_kvno kvno) return KFAILURE; } - if (!K4KDC_ENCTYPE_OK(k5key.enctype)) { + if (use_3des&&!K4KDC_ENCTYPE_OK(k5key.enctype)) { krb_set_key_krb5(kdc_context, &k5key); strncpy(lastrealm, r, sizeof(lastrealm) - 1); lastrealm[sizeof(lastrealm) - 1] = '\0'; last_kvno = kvno; + last_use_3des = use_3des; } else { /* unseal tgt key from master key */ memcpy(key, &p->key_low, 4); diff --git a/src/kdc/main.c b/src/kdc/main.c index 3e5091cbf..5fb460b0a 100644 --- a/src/kdc/main.c +++ b/src/kdc/main.c @@ -551,7 +551,7 @@ setup_sam(void) void usage(char *name) { - fprintf(stderr, "usage: %s [-d dbpathname] [-r dbrealmname] [-R replaycachename ]\n\t[-m] [-k masterenctype] [-M masterkeyname] [-p port] [-4 v4mode] [-n]\n", name); + fprintf(stderr, "usage: %s [-d dbpathname] [-r dbrealmname] [-R replaycachename ]\n\t[-m] [-k masterenctype] [-M masterkeyname] [-p port] [-4 v4mode] [-X] [-n]\n", name); return; } @@ -606,7 +606,7 @@ initialize_realms(krb5_context kcontext, int argc, char **argv) * Loop through the option list. Each time we encounter a realm name, * use the previously scanned options to fill in for defaults. */ - while ((c = getopt(argc, argv, "r:d:mM:k:R:e:p:s:n4:3")) != -1) { + while ((c = getopt(argc, argv, "r:d:mM:k:R:e:p:s:n4:X3")) != -1) { switch(c) { case 'r': /* realm name for db */ if (!find_realm_data(optarg, (krb5_ui_4) strlen(optarg))) { @@ -662,6 +662,11 @@ initialize_realms(krb5_context kcontext, int argc, char **argv) v4mode = strdup(optarg); #endif break; + case 'X': +#ifdef KRB5_KRB4_COMPAT + enable_v4_crossrealm(argv[0]); +#endif + break; case '3': #ifdef ATHENA_DES3_KLUDGE if (krb5_enctypes_list[krb5_enctypes_length-1].etype diff --git a/src/krb5-config.in b/src/krb5-config.in index d5ace8b39..4096cccd4 100644 --- a/src/krb5-config.in +++ b/src/krb5-config.in @@ -34,6 +34,7 @@ libdir=@libdir@ CC_LINK='@CC_LINK@' KRB4_LIB=@KRB4_LIB@ DES425_LIB=@DES425_LIB@ +KDB5_DB_LIB=@KDB5_DB_LIB@ LDFLAGS='@LDFLAGS@' RPATH_FLAG='@RPATH_FLAG@' @@ -179,12 +180,12 @@ if test -n "$do_libs"; then -e 's#\$(CFLAGS)#'"$CFLAGS"'#'` if test $library = 'kdb'; then - lib_flags="$lib_flags -lkdb5 -ldb" + lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB" library=krb5 fi if test $library = 'kadm_server'; then - lib_flags="$lib_flags -lkadm5srv -lkdb5 -ldb" + lib_flags="$lib_flags -lkadm5srv -lkdb5 $KDB5_DB_LIB" library=kadm_common fi diff --git a/src/krb524/ChangeLog b/src/krb524/ChangeLog index 2a7b6cc54..80e6c891f 100644 --- a/src/krb524/ChangeLog +++ b/src/krb524/ChangeLog @@ -1,3 +1,16 @@ +2003-04-01 Nalin Dahyabhai + + * krb524d.c (do_connection): Use krb5_princ_size rather than + direct structure field access. + +2003-03-16 Sam Hartman + + * krb524d.c (handle_classic_v4): Do not support 3des enctypes as + they are insecure. Also, by default do not allow krb4 + cross-realm. + + * cnv_tkt_skey.c (krb524_convert_tkt_skey): Don't support 3des tickets + 2003-03-12 Ken Raeburn * cnv_tkt_skey.c (krb524_convert_tkt_skey): Extract source IP diff --git a/src/krb524/cnv_tkt_skey.c b/src/krb524/cnv_tkt_skey.c index 595a1d392..3730ce43c 100644 --- a/src/krb524/cnv_tkt_skey.c +++ b/src/krb524/cnv_tkt_skey.c @@ -184,26 +184,8 @@ int krb524_convert_tkt_skey(context, v5tkt, v4tkt, v5_skey, v4_skey, sname, sinst, v4_skey->contents); - } else { - /* Force enctype to be raw if using DES3. */ - if (v4_skey->enctype == ENCTYPE_DES3_CBC_SHA1 || - v4_skey->enctype == ENCTYPE_LOCAL_DES3_HMAC_SHA1) - v4_skey->enctype = ENCTYPE_DES3_CBC_RAW; - ret = krb524int_krb_cr_tkt_krb5(v4tkt, - 0, /* flags */ - pname, - pinst, - prealm, - sinp->sin_addr.s_addr, - (char *) v5etkt->session->contents, - lifetime, - /* issue_data */ - server_time, - sname, - sinst, - v4_skey); } - + else abort(); krb5_free_enc_tkt_part(context, v5etkt); v5tkt->enc_part2 = NULL; if (ret == KSUCCESS) diff --git a/src/krb524/krb524d.c b/src/krb524/krb524d.c index 4995b515f..76025067e 100644 --- a/src/krb524/krb524d.c +++ b/src/krb524/krb524d.c @@ -76,6 +76,7 @@ static int debug = 0; void *handle = NULL; int use_keytab, use_master; +int allow_v4_crossrealm = 0; char *keytab = NULL; krb5_keytab kt; @@ -137,7 +138,10 @@ int main(argc, argv) config_params.mask = 0; while (argc) { - if (strncmp(*argv, "-k", 2) == 0) + if (strncmp(*argv, "-X", 2) == 0) { + allow_v4_crossrealm = 1; + } + else if (strncmp(*argv, "-k", 2) == 0) use_keytab = 1; else if (strncmp(*argv, "-m", 2) == 0) use_master = 1; @@ -346,7 +350,7 @@ krb5_error_code do_connection(s, context) if (debug) printf("V5 ticket decoded\n"); - if( v5tkt->server->length >= 1 + if( krb5_princ_size(context, v5tkt->server) >= 1 &&krb5_princ_component(context, v5tkt->server, 0)->length == 3 &&strncmp(krb5_princ_component(context, v5tkt->server, 0)->data, "afs", 3) == 0) { @@ -524,19 +528,7 @@ handle_classic_v4 (krb5_context context, krb5_ticket *v5tkt, &v5_service_key, NULL))) goto error; - if ((ret = lookup_service_key(context, v5tkt->server, - ENCTYPE_DES3_CBC_RAW, - 0, /* highest kvno */ - &v4_service_key, v4kvno)) && - (ret = lookup_service_key(context, v5tkt->server, - ENCTYPE_LOCAL_DES3_HMAC_SHA1, - 0, - &v4_service_key, v4kvno)) && - (ret = lookup_service_key(context, v5tkt->server, - ENCTYPE_DES3_CBC_SHA1, - 0, - &v4_service_key, v4kvno)) && - (ret = lookup_service_key(context, v5tkt->server, + if ( (ret = lookup_service_key(context, v5tkt->server, ENCTYPE_DES_CBC_CRC, 0, &v4_service_key, v4kvno))) @@ -544,8 +536,19 @@ handle_classic_v4 (krb5_context context, krb5_ticket *v5tkt, if (debug) printf("service key retrieved\n"); + if ((ret = krb5_decrypt_tkt_part(context, &v5_service_key, v5tkt))) { + goto error; + } - ret = krb524_convert_tkt_skey(context, v5tkt, &v4tkt, &v5_service_key, + if (!(allow_v4_crossrealm || krb5_realm_compare(context, v5tkt->server, + v5tkt->enc_part2->client))) { +ret = KRB5KDC_ERR_POLICY ; + goto error; + } + krb5_free_enc_tkt_part(context, v5tkt->enc_part2); + v5tkt->enc_part2= NULL; + + ret = krb524_convert_tkt_skey(context, v5tkt, &v4tkt, &v5_service_key, &v4_service_key, (struct sockaddr_in *)saddr); if (ret) @@ -561,6 +564,9 @@ handle_classic_v4 (krb5_context context, krb5_ticket *v5tkt, printf("v4 credentials encoded\n"); error: + if (v5tkt->enc_part2) + krb5_free_enc_tkt_part(context, v5tkt->enc_part2); + if(v5_service_key.contents) krb5_free_keyblock_contents(context, &v5_service_key); if (v4_service_key.contents) diff --git a/src/lib/ChangeLog b/src/lib/ChangeLog index bfa7678b0..205153305 100644 --- a/src/lib/ChangeLog +++ b/src/lib/ChangeLog @@ -1,3 +1,17 @@ +2003-05-08 Sam Hartman + + * krb5_32.def: Add krb5_c_string_to_key_with_params + +2003-05-09 Tom Yu + + * krb5_32.def: Add krb5_auth_con_getrecvsubkey, + krb5_auth_con_getsendsubkey, krb5_auth_con_setrecvsubkey, + krb5_auth_con_setsendsubkey. + +2003-04-15 Sam Hartman + + * krb5_32.def: Add krb5_set_password and krb5_set_password_using_ccache + 2003-02-10 Tom Yu * Makefile.in (K4LIBS): Revert previous. diff --git a/src/lib/crypto/ChangeLog b/src/lib/crypto/ChangeLog index 6f73ddf62..be8841ef5 100644 --- a/src/lib/crypto/ChangeLog +++ b/src/lib/crypto/ChangeLog @@ -1,3 +1,21 @@ +2003-05-13 Ken Raeburn + + * etypes.c (krb5_enctypes_list): Add names aes128-cts and + aes256-cts as aliases. + +2003-05-08 Sam Hartman + + * string_to_key.c: Move krb5_c_string_to_key_with_params to krb5.h + +2003-04-13 Ken Raeburn + + * pbkdf2.c (krb5int_pbkdf2): Provide a temporary buffer for the + output from F, if the remaining space in the output buffer isn't + big enough. Free the temporary buffers before returning. + + * etypes.c (krb5_enctypes_list): Use krb5int_aes_encrypt_length, + and krb5int_aes_dk_encrypt, and krb5int_aes_dk_decrypt for AES. + 2003-03-06 Alexandra Ellwood * prng.c: use Unix randomness sources on Mac OS X. diff --git a/src/lib/crypto/aes/ChangeLog b/src/lib/crypto/aes/ChangeLog index 443aabdd9..5852b3bc0 100644 --- a/src/lib/crypto/aes/ChangeLog +++ b/src/lib/crypto/aes/ChangeLog @@ -1,3 +1,18 @@ +2003-05-13 Ken Raeburn + + * aes_s2k.c (DEFAULT_ITERATION_COUNT): New macro; define to 4096. + (MAX_ITERATION_COUNT): New macro. + (krb5int_aes_string_to_key): Use them. + +2003-04-29 Ken Raeburn + + * uitypes.h: Use inttypes.h if HAVE_INTTYPES_H is defined. + +2003-04-13 Ken Raeburn + + * aes_s2k.c (krb5int_aes_string_to_key): Return an error if the + supplied iteration count is really, really large. + 2003-03-04 Ken Raeburn * aes_s2k.c, aes_s2k.h: New files. diff --git a/src/lib/crypto/aes/aes_s2k.c b/src/lib/crypto/aes/aes_s2k.c index f3670d7d8..9d48bd0cb 100644 --- a/src/lib/crypto/aes/aes_s2k.c +++ b/src/lib/crypto/aes/aes_s2k.c @@ -1,9 +1,39 @@ -/* Insert MIT copyright here. */ +/* + * lib/crypto/aes/aes_s2k.c + * + * Copyright 2003 by the Massachusetts Institute of Technology. + * All Rights Reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + * + * krb5int_aes_string_to_key + */ #include "k5-int.h" #include "dk.h" #include "aes_s2k.h" +#define DEFAULT_ITERATION_COUNT 4096 /* was 0xb000L in earlier drafts */ +#define MAX_ITERATION_COUNT 0x1000000L + krb5_error_code krb5int_aes_string_to_key(const struct krb5_enc_provider *enc, const krb5_data *string, @@ -27,7 +57,13 @@ krb5int_aes_string_to_key(const struct krb5_enc_provider *enc, return KRB5_ERR_BAD_S2K_PARAMS; } } else - iter_count = 0xb000L; + iter_count = DEFAULT_ITERATION_COUNT; + + /* This is not a protocol specification constraint; this is an + implementation limit, which should eventually be controlled by + a config file. */ + if (iter_count >= MAX_ITERATION_COUNT) + return KRB5_ERR_BAD_S2K_PARAMS; /* * Dense key space, no parity bits or anything, so take a shortcut diff --git a/src/lib/crypto/aes/uitypes.h b/src/lib/crypto/aes/uitypes.h index 4e50ef7df..02dd3b072 100644 --- a/src/lib/crypto/aes/uitypes.h +++ b/src/lib/crypto/aes/uitypes.h @@ -44,7 +44,7 @@ #endif #endif -#if defined HAS_INTTYPES_H +#if defined HAS_INTTYPES_H || defined HAVE_INTTYPES_H #include #define s_u32 u #define s_u64 ull diff --git a/src/lib/crypto/dk/ChangeLog b/src/lib/crypto/dk/ChangeLog index 9ed3a8de9..e30e76e88 100644 --- a/src/lib/crypto/dk/ChangeLog +++ b/src/lib/crypto/dk/ChangeLog @@ -1,3 +1,23 @@ +2003-04-17 Ken Raeburn + + * dk_encrypt.c (krb5int_aes_dk_encrypt): Set output length + properly. + +2003-04-13 Ken Raeburn + + * dk_decrypt.c (krb5_dk_decrypt_maybe_trunc_hmac): Renamed from + krb5_dk_decrypt, made static, added extra HMACSIZE argument to + indicate size of HMAC. Cast byte values to char to silence + compiler warning. + (krb5_dk_decrypt): Call it. + (krb5int_aes_dk_decrypt): New function. + * dk_encrypt.c (krb5_dk_encrypt): Cast byte values to char to + silence compiler warning. + (krb5int_aes_encrypt_length, trunc_hmac, krb5int_aes_dk_encrypt): + New functions. + * dk.h (krb5int_aes_encrypt_length, krb5int_aes_dk_encrypt, + krb5int_aes_dk_decrypt): Declare. + 2003-03-04 Ken Raeburn * stringtokey.c (krb5int_dk_string_to_key): Renamed from diff --git a/src/lib/crypto/dk/dk.h b/src/lib/crypto/dk/dk.h index 017101617..a224167ea 100644 --- a/src/lib/crypto/dk/dk.h +++ b/src/lib/crypto/dk/dk.h @@ -38,6 +38,18 @@ krb5_error_code krb5_dk_encrypt const krb5_data *ivec, const krb5_data *input, krb5_data *output); +void krb5int_aes_encrypt_length +(const struct krb5_enc_provider *enc, + const struct krb5_hash_provider *hash, + size_t input, size_t *length); + +krb5_error_code krb5int_aes_dk_encrypt +(const struct krb5_enc_provider *enc, + const struct krb5_hash_provider *hash, + const krb5_keyblock *key, krb5_keyusage usage, + const krb5_data *ivec, + const krb5_data *input, krb5_data *output); + krb5_error_code krb5_dk_decrypt (const struct krb5_enc_provider *enc, const struct krb5_hash_provider *hash, @@ -45,6 +57,13 @@ krb5_error_code krb5_dk_decrypt const krb5_data *ivec, const krb5_data *input, krb5_data *arg_output); +krb5_error_code krb5int_aes_dk_decrypt +(const struct krb5_enc_provider *enc, + const struct krb5_hash_provider *hash, + const krb5_keyblock *key, krb5_keyusage usage, + const krb5_data *ivec, const krb5_data *input, + krb5_data *arg_output); + krb5_error_code krb5int_dk_string_to_key (const struct krb5_enc_provider *enc, const krb5_data *string, const krb5_data *salt, diff --git a/src/lib/crypto/dk/dk_decrypt.c b/src/lib/crypto/dk/dk_decrypt.c index adc4d2348..5f35fa6ac 100644 --- a/src/lib/crypto/dk/dk_decrypt.c +++ b/src/lib/crypto/dk/dk_decrypt.c @@ -29,6 +29,16 @@ #define K5CLENGTH 5 /* 32 bit net byte order integer + one byte seed */ +static krb5_error_code +krb5_dk_decrypt_maybe_trunc_hmac(const struct krb5_enc_provider *enc, + const struct krb5_hash_provider *hash, + const krb5_keyblock *key, + krb5_keyusage usage, + const krb5_data *ivec, + const krb5_data *input, + krb5_data *output, + size_t hmacsize); + krb5_error_code krb5_dk_decrypt(enc, hash, key, usage, ivec, input, output) const struct krb5_enc_provider *enc; @@ -38,6 +48,36 @@ krb5_dk_decrypt(enc, hash, key, usage, ivec, input, output) const krb5_data *ivec; const krb5_data *input; krb5_data *output; +{ + return krb5_dk_decrypt_maybe_trunc_hmac(enc, hash, key, usage, + ivec, input, output, 0); +} + +krb5_error_code +krb5int_aes_dk_decrypt(enc, hash, key, usage, ivec, input, output) + const struct krb5_enc_provider *enc; + const struct krb5_hash_provider *hash; + const krb5_keyblock *key; + krb5_keyusage usage; + const krb5_data *ivec; + const krb5_data *input; + krb5_data *output; +{ + return krb5_dk_decrypt_maybe_trunc_hmac(enc, hash, key, usage, + ivec, input, output, 96 / 8); +} + +static krb5_error_code +krb5_dk_decrypt_maybe_trunc_hmac(enc, hash, key, usage, ivec, input, output, + hmacsize) + const struct krb5_enc_provider *enc; + const struct krb5_hash_provider *hash; + const krb5_keyblock *key; + krb5_keyusage usage; + const krb5_data *ivec; + const krb5_data *input; + krb5_data *output; + size_t hmacsize; { krb5_error_code ret; size_t hashsize, blocksize, keybytes, keylength, enclen, plainlen; @@ -52,7 +92,12 @@ krb5_dk_decrypt(enc, hash, key, usage, ivec, input, output) (*(enc->block_size))(&blocksize); (*(enc->keysize))(&keybytes, &keylength); - enclen = input->length - hashsize; + if (hmacsize == 0) + hmacsize = hashsize; + else if (hmacsize > hashsize) + return KRB5KRB_AP_ERR_BAD_INTEGRITY; + + enclen = input->length - hmacsize; if ((kedata = (unsigned char *) malloc(keylength)) == NULL) return(ENOMEM); @@ -87,7 +132,7 @@ krb5_dk_decrypt(enc, hash, key, usage, ivec, input, output) d1.data[2] = (usage>>8)&0xff; d1.data[3] = usage&0xff; - d1.data[4] = 0xAA; + d1.data[4] = (char) 0xAA; if ((ret = krb5_derive_key(enc, key, &ke, &d1)) != 0) goto cleanup; @@ -121,7 +166,7 @@ krb5_dk_decrypt(enc, hash, key, usage, ivec, input, output) if ((ret = krb5_hmac(hash, &ki, 1, &d2, &d1)) != 0) goto cleanup; - if (memcmp(cksum, input->data+enclen, hashsize) != 0) { + if (memcmp(cksum, input->data+enclen, hmacsize) != 0) { ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; goto cleanup; } diff --git a/src/lib/crypto/dk/dk_encrypt.c b/src/lib/crypto/dk/dk_encrypt.c index eb9fe5fa3..9de05fc02 100644 --- a/src/lib/crypto/dk/dk_encrypt.c +++ b/src/lib/crypto/dk/dk_encrypt.c @@ -108,7 +108,7 @@ krb5_dk_encrypt(enc, hash, key, usage, ivec, input, output) d1.data[2] = (usage>>8)&0xff; d1.data[3] = usage&0xff; - d1.data[4] = 0xAA; + d1.data[4] = (char) 0xAA; if ((ret = krb5_derive_key(enc, key, &ke, &d1))) goto cleanup; @@ -177,6 +177,178 @@ cleanup: return(ret); } +/* Not necessarily "AES", per se, but "a CBC+CTS mode block cipher + with a 96-bit truncated HMAC". */ +void +krb5int_aes_encrypt_length(enc, hash, inputlen, length) + const struct krb5_enc_provider *enc; + const struct krb5_hash_provider *hash; + size_t inputlen; + size_t *length; +{ + size_t blocksize, hashsize; + + (*(enc->block_size))(&blocksize); + hashsize = 96 / 8; + + /* No roundup, since CTS requires no padding once we've hit the + block size. */ + *length = blocksize+inputlen + hashsize; +} + +static krb5_error_code +trunc_hmac (const struct krb5_hash_provider *hash, + const krb5_keyblock *ki, int num, + const krb5_data *input, const krb5_data *output) +{ + size_t hashsize; + krb5_data tmp; + krb5_error_code ret; + + (hash->hash_size)(&hashsize); + if (hashsize < output->length) + return KRB5_CRYPTO_INTERNAL; + tmp.length = hashsize; + tmp.data = malloc(hashsize); + if (tmp.data == NULL) + return errno; + ret = krb5_hmac(hash, ki, num, input, &tmp); + if (ret == 0) + memcpy(output->data, tmp.data, output->length); + memset(tmp.data, 0, hashsize); + free(tmp.data); + return ret; +} + +krb5_error_code +krb5int_aes_dk_encrypt(enc, hash, key, usage, ivec, input, output) + const struct krb5_enc_provider *enc; + const struct krb5_hash_provider *hash; + const krb5_keyblock *key; + krb5_keyusage usage; + const krb5_data *ivec; + const krb5_data *input; + krb5_data *output; +{ + size_t blocksize, keybytes, keylength, plainlen, enclen; + krb5_error_code ret; + unsigned char constantdata[K5CLENGTH]; + krb5_data d1, d2; + unsigned char *plaintext, *kedata, *kidata, *cn; + krb5_keyblock ke, ki; + + /* allocate and set up plaintext and to-be-derived keys */ + + (*(enc->block_size))(&blocksize); + (*(enc->keysize))(&keybytes, &keylength); + plainlen = blocksize+input->length; + + krb5int_aes_encrypt_length(enc, hash, input->length, &enclen); + + /* key->length, ivec will be tested in enc->encrypt */ + + if (output->length < enclen) + return(KRB5_BAD_MSIZE); + + if ((kedata = (unsigned char *) malloc(keylength)) == NULL) + return(ENOMEM); + if ((kidata = (unsigned char *) malloc(keylength)) == NULL) { + free(kedata); + return(ENOMEM); + } + if ((plaintext = (unsigned char *) malloc(plainlen)) == NULL) { + free(kidata); + free(kedata); + return(ENOMEM); + } + + ke.contents = kedata; + ke.length = keylength; + ki.contents = kidata; + ki.length = keylength; + + /* derive the keys */ + + d1.data = constantdata; + d1.length = K5CLENGTH; + + d1.data[0] = (usage>>24)&0xff; + d1.data[1] = (usage>>16)&0xff; + d1.data[2] = (usage>>8)&0xff; + d1.data[3] = usage&0xff; + + d1.data[4] = (char) 0xAA; + + if ((ret = krb5_derive_key(enc, key, &ke, &d1))) + goto cleanup; + + d1.data[4] = 0x55; + + if ((ret = krb5_derive_key(enc, key, &ki, &d1))) + goto cleanup; + + /* put together the plaintext */ + + d1.length = blocksize; + d1.data = plaintext; + + if ((ret = krb5_c_random_make_octets(/* XXX */ 0, &d1))) + goto cleanup; + + memcpy(plaintext+blocksize, input->data, input->length); + + /* Ciphertext stealing; there should be no more. */ + if (plainlen != blocksize + input->length) + abort(); + + /* encrypt the plaintext */ + + d1.length = plainlen; + d1.data = plaintext; + + d2.length = plainlen; + d2.data = output->data; + + if ((ret = ((*(enc->encrypt))(&ke, ivec, &d1, &d2)))) + goto cleanup; + + if (ivec != NULL && ivec->length == blocksize) + cn = d2.data + d2.length - blocksize; + else + cn = NULL; + + /* hash the plaintext */ + + d2.length = enclen - plainlen; + d2.data = output->data+plainlen; + if (d2.length != 96 / 8) + abort(); + + if ((ret = trunc_hmac(hash, &ki, 1, &d1, &d2))) { + memset(d2.data, 0, d2.length); + goto cleanup; + } + + output->length = enclen; + + /* update ivec */ + if (cn != NULL) + memcpy(ivec->data, cn, blocksize); + + /* ret is set correctly by the prior call */ + +cleanup: + memset(kedata, 0, keylength); + memset(kidata, 0, keylength); + memset(plaintext, 0, plainlen); + + free(plaintext); + free(kidata); + free(kedata); + + return(ret); +} + #ifdef ATHENA_DES3_KLUDGE void krb5_marc_dk_encrypt_length(enc, hash, inputlen, length) diff --git a/src/lib/crypto/enc_provider/ChangeLog b/src/lib/crypto/enc_provider/ChangeLog index 08a614e96..f954f7fa2 100644 --- a/src/lib/crypto/enc_provider/ChangeLog +++ b/src/lib/crypto/enc_provider/ChangeLog @@ -1,3 +1,14 @@ +2003-04-13 Ken Raeburn + + * aes.c (enc): Replaced function with a macro. + (dec): New macro. + (krb5int_aes_encrypt): Use enc and dec. Delete unused variable + OFFSET. + (krb5int_aes_decrypt): Renamed from k5_aes_dencrypt, implemented + decryption, made non-static. + (krb5int_enc_aes128, krb5int_enc_aes256): Use new name for + krb5int_aes_decrypt. + 2003-03-04 Ken Raeburn * aes.c (krb5int_aes_init_state): Implement. diff --git a/src/lib/crypto/enc_provider/aes.c b/src/lib/crypto/enc_provider/aes.c index d3dc2a5a7..013a688eb 100644 --- a/src/lib/crypto/enc_provider/aes.c +++ b/src/lib/crypto/enc_provider/aes.c @@ -52,23 +52,8 @@ static void printd (const char *descr, krb5_data *d) { } printf("\n"); } -static void enc(char *out, const char *in, aes_ctx *ctx) -{ - if (aes_enc_blk(in, out, ctx) != aes_good) - abort(); -#if 0 - { - krb5_data e_in, e_out; - e_in.data = in; - e_out.data = out; - e_in.length = e_out.length = BLOCK_SIZE; - printf("encrypting [[\n"); - printd("input block", &e_in); - printd("output block", &e_out); - printf("]]\n"); - } -#endif -} +#define enc(OUT, IN, CTX) (aes_enc_blk((IN),(OUT),(CTX)) == aes_good ? (void) 0 : abort()) +#define dec(OUT, IN, CTX) (aes_dec_blk((IN),(OUT),(CTX)) == aes_good ? (void) 0 : abort()) static void xorblock(char *out, const char *in) { @@ -83,7 +68,6 @@ krb5int_aes_encrypt(const krb5_keyblock *key, const krb5_data *ivec, { aes_ctx ctx; unsigned char tmp[BLOCK_SIZE], tmp2[BLOCK_SIZE], tmp3[BLOCK_SIZE]; - int offset; int nblocks = 0, blockno; /* CHECK_SIZES; */ @@ -100,8 +84,7 @@ krb5int_aes_encrypt(const krb5_keyblock *key, const krb5_data *ivec, if (nblocks == 1) { /* XXX Used for DK function. */ - if (aes_enc_blk(input->data, output->data, &ctx) != aes_good) - abort(); + enc(output->data, input->data, &ctx); } else { int nleft; @@ -112,7 +95,6 @@ krb5int_aes_encrypt(const krb5_keyblock *key, const krb5_data *ivec, /* Set up for next block. */ memcpy(tmp, tmp2, BLOCK_SIZE); - offset += BLOCK_SIZE; } /* Do final CTS step for last two blocks (the second of which may or may not be incomplete). */ @@ -132,18 +114,60 @@ krb5int_aes_encrypt(const krb5_keyblock *key, const krb5_data *ivec, return 0; } -static krb5_error_code -k5_aes_decrypt(const krb5_keyblock *key, const krb5_data *ivec, - const krb5_data *input, krb5_data *output) +krb5_error_code +krb5int_aes_decrypt(const krb5_keyblock *key, const krb5_data *ivec, + const krb5_data *input, krb5_data *output) { aes_ctx ctx; + unsigned char tmp[BLOCK_SIZE], tmp2[BLOCK_SIZE], tmp3[BLOCK_SIZE]; + int nblocks = 0, blockno; CHECK_SIZES; if (aes_dec_key(key->contents, key->length, &ctx) != aes_good) abort(); - abort(); + if (ivec) + memcpy(tmp, ivec->data, BLOCK_SIZE); + else + memset(tmp, 0, BLOCK_SIZE); + + nblocks = (input->length + BLOCK_SIZE - 1) / BLOCK_SIZE; + + if (nblocks == 1) { + if (input->length < BLOCK_SIZE) + abort(); + dec(output->data, input->data, &ctx); + } else { + int nleft; + + for (blockno = 0; blockno < nblocks - 2; blockno++) { + dec(tmp2, input->data + blockno * BLOCK_SIZE, &ctx); + xorblock(tmp2, tmp); + memcpy(output->data + blockno * BLOCK_SIZE, tmp2, BLOCK_SIZE); + memcpy(tmp, input->data + blockno * BLOCK_SIZE, BLOCK_SIZE); + } + /* Do last two blocks, the second of which (next-to-last block + of plaintext) may be incomplete. */ + dec(tmp2, input->data + (nblocks - 2) * BLOCK_SIZE, &ctx); + /* Set tmp3 to last ciphertext block, padded. */ + memset(tmp3, 0, sizeof(tmp3)); + memcpy(tmp3, input->data + (nblocks - 1) * BLOCK_SIZE, + input->length - (nblocks - 1) * BLOCK_SIZE); + /* Set tmp2 to last (possibly partial) plaintext block, and + save it. */ + xorblock(tmp2, tmp3); + memcpy(output->data + (nblocks - 1) * BLOCK_SIZE, tmp2, + input->length - (nblocks - 1) * BLOCK_SIZE); + /* Maybe keep the trailing part, and copy in the last + ciphertext block. */ + memcpy(tmp2, tmp3, input->length - (nblocks - 1) * BLOCK_SIZE); + /* Decrypt, to get next to last plaintext block xor previous + ciphertext. */ + dec(tmp3, tmp2, &ctx); + xorblock(tmp3, tmp); + memcpy(output->data + (nblocks - 2) * BLOCK_SIZE, tmp3, BLOCK_SIZE); + } return 0; } @@ -178,7 +202,7 @@ const struct krb5_enc_provider krb5int_enc_aes128 = { aes_block_size, aes128_keysize, krb5int_aes_encrypt, - k5_aes_decrypt, + krb5int_aes_decrypt, k5_aes_make_key, krb5int_aes_init_state, krb5int_default_free_state @@ -188,7 +212,7 @@ const struct krb5_enc_provider krb5int_enc_aes256 = { aes_block_size, aes256_keysize, krb5int_aes_encrypt, - k5_aes_decrypt, + krb5int_aes_decrypt, k5_aes_make_key, krb5int_aes_init_state, krb5int_default_free_state diff --git a/src/lib/crypto/etypes.c b/src/lib/crypto/etypes.c index 1cc570cd8..6c195e4b2 100644 --- a/src/lib/crypto/etypes.c +++ b/src/lib/crypto/etypes.c @@ -125,12 +125,22 @@ const struct krb5_keytypes krb5_enctypes_list[] = { { ENCTYPE_AES128_CTS_HMAC_SHA1_96, "aes128-cts-hmac-sha1-96", "AES-128 CTS mode with 96-bit SHA-1 HMAC", &krb5int_enc_aes128, &krb5int_hash_sha1, - krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt, + krb5int_aes_encrypt_length, krb5int_aes_dk_encrypt, krb5int_aes_dk_decrypt, + krb5int_aes_string_to_key }, + { ENCTYPE_AES128_CTS_HMAC_SHA1_96, /* alias */ + "aes128-cts", "AES-128 CTS mode with 96-bit SHA-1 HMAC", + &krb5int_enc_aes128, &krb5int_hash_sha1, + krb5int_aes_encrypt_length, krb5int_aes_dk_encrypt, krb5int_aes_dk_decrypt, krb5int_aes_string_to_key }, { ENCTYPE_AES256_CTS_HMAC_SHA1_96, "aes256-cts-hmac-sha1-96", "AES-256 CTS mode with 96-bit SHA-1 HMAC", &krb5int_enc_aes256, &krb5int_hash_sha1, - krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt, + krb5int_aes_encrypt_length, krb5int_aes_dk_encrypt, krb5int_aes_dk_decrypt, + krb5int_aes_string_to_key }, + { ENCTYPE_AES256_CTS_HMAC_SHA1_96, /* alias */ + "aes256-cts", "AES-256 CTS mode with 96-bit SHA-1 HMAC", + &krb5int_enc_aes256, &krb5int_hash_sha1, + krb5int_aes_encrypt_length, krb5int_aes_dk_encrypt, krb5int_aes_dk_decrypt, krb5int_aes_string_to_key }, #ifdef ATHENA_DES3_KLUDGE diff --git a/src/lib/crypto/pbkdf2.c b/src/lib/crypto/pbkdf2.c index d8a3f8b58..165e4cf6a 100644 --- a/src/lib/crypto/pbkdf2.c +++ b/src/lib/crypto/pbkdf2.c @@ -158,6 +158,7 @@ krb5int_pbkdf2 (krb5_error_code (*prf)(krb5_keyblock *, krb5_data *, { int l, r, i; char *utmp1, *utmp2; + char utmp3[20]; /* XXX length shouldn't be hardcoded! */ if (output->length == 0 || hlen == 0) abort(); @@ -169,7 +170,13 @@ krb5int_pbkdf2 (krb5_error_code (*prf)(krb5_keyblock *, krb5_data *, r = output->length - (l - 1) * hlen; utmp1 = /*output + dklen; */ malloc(hlen); + if (utmp1 == NULL) + return errno; utmp2 = /*utmp1 + hlen; */ malloc(salt->length + 4 + hlen); + if (utmp2 == NULL) { + free(utmp1); + return errno; + } /* Step 3. */ for (i = 1; i <= l; i++) { @@ -177,11 +184,21 @@ krb5int_pbkdf2 (krb5_error_code (*prf)(krb5_keyblock *, krb5_data *, int j; #endif krb5_error_code err; + char *out; - err = F(output->data + (i-1) * hlen, utmp1, utmp2, prf, hlen, - pass, salt, count, i); - if (err) + if (i == l) + out = utmp3; + else + out = output->data + (i-1) * hlen; + err = F(out, utmp1, utmp2, prf, hlen, pass, salt, count, i); + if (err) { + free(utmp1); + free(utmp2); return err; + } + if (i == l) + memcpy(output->data + (i-1) * hlen, utmp3, + output->length - (i-1) * hlen); #if 0 printf("after F(%d), @%p:\n", i, output->data); @@ -190,6 +207,8 @@ krb5int_pbkdf2 (krb5_error_code (*prf)(krb5_keyblock *, krb5_data *, printf ("\n"); #endif } + free(utmp1); + free(utmp2); return 0; } diff --git a/src/lib/crypto/string_to_key.c b/src/lib/crypto/string_to_key.c index c9434e08d..3bd7a4e73 100644 --- a/src/lib/crypto/string_to_key.c +++ b/src/lib/crypto/string_to_key.c @@ -27,7 +27,6 @@ #include "k5-int.h" #include "etypes.h" -/* Eventually this declaration should move to krb5.h. */ krb5_error_code KRB5_CALLCONV krb5_c_string_to_key_with_params(krb5_context context, krb5_enctype enctype, diff --git a/src/lib/des425/ChangeLog b/src/lib/des425/ChangeLog index acd4ea66e..9ab878a94 100644 --- a/src/lib/des425/ChangeLog +++ b/src/lib/des425/ChangeLog @@ -1,3 +1,8 @@ +2003-04-23 Ken Raeburn + + * quad_cksum.c, t_pcbc.c, t_quad.c, verify.c: Don't declare errno + or errmsg. + 2003-03-06 Alexandra Ellwood * mac_des_glue.c, des.c, enc_dec.c, key_sched.c, str_to_key.c: diff --git a/src/lib/des425/quad_cksum.c b/src/lib/des425/quad_cksum.c index b9ef031ef..2a7b78cfd 100644 --- a/src/lib/des425/quad_cksum.c +++ b/src/lib/des425/quad_cksum.c @@ -119,10 +119,6 @@ #define vaxtohs(x) two_bytes_vax_to_nets(((const unsigned char *)(x))) /* Externals */ -extern char *errmsg(); -#ifndef HAVE_ERRNO -extern int errno; -#endif extern int des_debug; /*** Routines ***************************************************** */ diff --git a/src/lib/des425/t_pcbc.c b/src/lib/des425/t_pcbc.c index 8bd6a08bc..2932148b7 100644 --- a/src/lib/des425/t_pcbc.c +++ b/src/lib/des425/t_pcbc.c @@ -30,8 +30,6 @@ #include "des_int.h" #include "des.h" -extern char *errmsg(); -extern int errno; char *progname; int des_debug; diff --git a/src/lib/des425/t_quad.c b/src/lib/des425/t_quad.c index 421a55584..b9299fd20 100644 --- a/src/lib/des425/t_quad.c +++ b/src/lib/des425/t_quad.c @@ -30,8 +30,6 @@ #include "des_int.h" #include "des.h" -extern char *errmsg(); -extern int errno; extern unsigned long quad_cksum(); char *progname; int des_debug; diff --git a/src/lib/des425/verify.c b/src/lib/des425/verify.c index 91718e350..653730a2f 100644 --- a/src/lib/des425/verify.c +++ b/src/lib/des425/verify.c @@ -37,8 +37,6 @@ #include "des_int.h" #include "des.h" -extern char *errmsg(); -extern int errno; char *progname; int nflag = 2; int vflag; diff --git a/src/lib/gssapi/krb5/ChangeLog b/src/lib/gssapi/krb5/ChangeLog index 7424a251d..fdecc83dc 100644 --- a/src/lib/gssapi/krb5/ChangeLog +++ b/src/lib/gssapi/krb5/ChangeLog @@ -1,3 +1,26 @@ +2003-05-13 Tom Yu + + * gssapi_krb5.h: Remove check for GSS_RFC_COMPLIANT_OIDS. + +2003-05-09 Tom Yu + + * accept_sec_context.c (krb5_gss_accept_sec_context): Rename + remote_subkey -> recv_subkey. + + * init_sec_context.c (krb5_gss_init_sec_context): Rename + local_subkey -> send_subkey. + +2003-03-14 Sam Hartman + + * accept_sec_context.c (krb5_gss_accept_sec_context): Set + prot_ready here + + * init_sec_context.c (krb5_gss_init_sec_context): Set prot_ready + after context established + + * gssapiP_krb5.h (KG_IMPLFLAGS): Don't claim prot_ready until the + context is established because we don't currently support it. + 2003-03-06 Alexandra Ellwood * disp_status.c, gssapi_krb5.h, gssapiP_krb5.h: diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c index 5ff6146ea..4cc0651af 100644 --- a/src/lib/gssapi/krb5/accept_sec_context.c +++ b/src/lib/gssapi/krb5/accept_sec_context.c @@ -101,8 +101,8 @@ rd_and_store_for_creds(context, auth_context, inbuf, out_cred) * By the time krb5_rd_cred is called here (after krb5_rd_req has been * called in krb5_gss_accept_sec_context), the "keyblock" field of * auth_context contains a pointer to the session key, and the - * "remote_subkey" field might contain a session subkey. Either of - * these (the "remote_subkey" if it isn't NULL, otherwise the + * "recv_subkey" field might contain a session subkey. Either of + * these (the "recv_subkey" if it isn't NULL, otherwise the * "keyblock") might have been used to encrypt the encrypted part of * the KRB_CRED message that contains the forwarded credentials. (The * Java Crypto and Security Implementation from the DSTC in Australia @@ -592,8 +592,8 @@ krb5_gss_accept_sec_context(minor_status, context_handle, goto fail; } - if ((code = krb5_auth_con_getremotesubkey(context, auth_context, - &ctx->subkey))) { + if ((code = krb5_auth_con_getrecvsubkey(context, auth_context, + &ctx->subkey))) { major_status = GSS_S_FAILURE; goto fail; } @@ -719,6 +719,7 @@ krb5_gss_accept_sec_context(minor_status, context_handle, &ctx->seq_send); /* the reply token hasn't been sent yet, but that's ok. */ + ctx->gss_flags |= GSS_C_PROT_READY_FLAG; ctx->established = 1; token.length = g_token_size((gss_OID) mech_used, ap_rep.length); diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h index 325108612..f50653dbf 100644 --- a/src/lib/gssapi/krb5/gssapiP_krb5.h +++ b/src/lib/gssapi/krb5/gssapiP_krb5.h @@ -83,7 +83,7 @@ #define KG_TOK_DEL_CTX 0x0102 #define KG_IMPLFLAGS(x) (GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG | \ - GSS_C_TRANS_FLAG | GSS_C_PROT_READY_FLAG | \ + GSS_C_TRANS_FLAG | \ ((x) & (GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | \ GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_FLAG))) diff --git a/src/lib/gssapi/krb5/gssapi_krb5.h b/src/lib/gssapi/krb5/gssapi_krb5.h index c142802e4..3007a0fd8 100644 --- a/src/lib/gssapi/krb5/gssapi_krb5.h +++ b/src/lib/gssapi/krb5/gssapi_krb5.h @@ -31,7 +31,6 @@ extern "C" { #endif /* __cplusplus */ -#if GSS_RFC_COMPLIANT_OIDS /* Reserved static storage for GSS_oids. See rfc 1964 for more details. */ /* 2.1.1. Kerberos Principal Name Form: */ @@ -71,8 +70,6 @@ GSS_DLLIMP extern const gss_OID_desc * const GSS_KRB5_NT_PRINCIPAL_NAME; * generic(1) string_uid_name(3)}. The recommended symbolic name for * this type is "GSS_KRB5_NT_STRING_UID_NAME". */ -#endif /* GSS_RFC_COMPLIANT_OIDS */ - extern const gss_OID_desc * const gss_mech_krb5; extern const gss_OID_desc * const gss_mech_krb5_old; extern const gss_OID_set_desc * const gss_mech_set_krb5; diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c index 8877052ba..ed3631152 100644 --- a/src/lib/gssapi/krb5/init_sec_context.c +++ b/src/lib/gssapi/krb5/init_sec_context.c @@ -572,8 +572,8 @@ krb5_gss_init_sec_context(minor_status, claimant_cred_handle, krb5_auth_con_getlocalseqnumber(context, ctx->auth_context, &ctx->seq_send); - krb5_auth_con_getlocalsubkey(context, ctx->auth_context, - &ctx->subkey); + krb5_auth_con_getsendsubkey(context, ctx->auth_context, + &ctx->subkey); /* fill in the encryption descriptors */ @@ -688,6 +688,7 @@ krb5_gss_init_sec_context(minor_status, claimant_cred_handle, g_order_init(&(ctx->seqstate), ctx->seq_recv, (ctx->gss_flags & GSS_C_REPLAY_FLAG) != 0, (ctx->gss_flags & GSS_C_SEQUENCE_FLAG) != 0); + ctx->gss_flags |= GSS_C_PROT_READY_FLAG; ctx->established = 1; /* fall through to GSS_S_COMPLETE */ } diff --git a/src/lib/kadm5/ChangeLog b/src/lib/kadm5/ChangeLog index d663d7f9b..63ab9da26 100644 --- a/src/lib/kadm5/ChangeLog +++ b/src/lib/kadm5/ChangeLog @@ -1,3 +1,13 @@ +2003-05-13 Ken Raeburn + + * alt_prof.c (kadm5_get_config_params): Remove aes256 from the + default supported enctypes list for now. + +2003-04-18 Ken Raeburn + + * alt_prof.c (kadm5_get_config_params): Add aes256 to the default + supported enctypes list. + 2003-01-10 Ken Raeburn * configure.in: Don't explicitly invoke AC_PROG_ARCHIVE, diff --git a/src/lib/kadm5/alt_prof.c b/src/lib/kadm5/alt_prof.c index 758c8857d..4c14c4c04 100644 --- a/src/lib/kadm5/alt_prof.c +++ b/src/lib/kadm5/alt_prof.c @@ -702,7 +702,7 @@ krb5_error_code kadm5_get_config_params(context, kdcprofile, kdcenv, if (aprofile) krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue); if (svalue == NULL) - svalue = strdup("des3-hmac-sha1:normal des-cbc-crc:normal"); + svalue = strdup("des3-hmac-sha1:normal des-cbc-crc:normal"); params.keysalts = NULL; params.num_keysalts = 0; diff --git a/src/lib/kadm5/srv/ChangeLog b/src/lib/kadm5/srv/ChangeLog index 6d3e3de5b..334d063cd 100644 --- a/src/lib/kadm5/srv/ChangeLog +++ b/src/lib/kadm5/srv/ChangeLog @@ -1,3 +1,9 @@ +2003-04-01 Tom Yu + + * Makefile.in: Remove $(SHLIB_DBLIB_DEPS) and related variables. + (SHLIB_EXPDEPS): Remove $(SHLIB_DBLIB_DEPS). + (SHLIB_EXPLIBS): Change $(DB_LIB) to $(KDB5_DB_LIB). + 2003-01-12 Ezra Peisach * svr_iters.c (kadm5_get_either): For POSIX_REGEXPS diff --git a/src/lib/kadm5/srv/Makefile.in b/src/lib/kadm5/srv/Makefile.in index db61a8c57..0b0ad3626 100644 --- a/src/lib/kadm5/srv/Makefile.in +++ b/src/lib/kadm5/srv/Makefile.in @@ -13,18 +13,14 @@ LIBMAJOR=5 LIBMINOR=1 STOBJLISTS=../OBJS.ST OBJS.ST -SHLIB_DBLIB_DEPS = $(SHLIB_DBLIB-@DB_VERSION@) -SHLIB_DBLIB-k5 = $(TOPLIBD)/libdb$(SHLIBEXT) -SHLIB_DBLIB-sys = - SHLIB_EXPDEPS=\ $(TOPLIBD)/libgssrpc$(SHLIBEXT) \ $(TOPLIBD)/libgssapi_krb5$(SHLIBEXT) \ - $(TOPLIBD)/libkdb5$(SHLIBEXT) $(SHLIB_DBLIB_DEPS) \ + $(TOPLIBD)/libkdb5$(SHLIBEXT) \ $(TOPLIBD)/libkrb5$(SHLIBEXT) \ $(TOPLIBD)/libk5crypto$(SHLIBEXT) \ $(COM_ERR_DEPLIB) -SHLIB_EXPLIBS = -lgssrpc -lgssapi_krb5 -lkdb5 $(DB_LIB) \ +SHLIB_EXPLIBS = -lgssrpc -lgssapi_krb5 -lkdb5 $(KDB5_DB_LIB) \ -lkrb5 -lk5crypto -lcom_err @GEN_LIB@ SHLIB_DIRS=-L$(TOPLIBD) SHLIB_RDIRS=$(KRB5_LIBDIR) diff --git a/src/lib/kdb/ChangeLog b/src/lib/kdb/ChangeLog index d685be6d9..de4ff5a5e 100644 --- a/src/lib/kdb/ChangeLog +++ b/src/lib/kdb/ChangeLog @@ -1,3 +1,26 @@ +2003-04-01 Tom Yu + + * Makefile.in: Remove $(SHLIB_DBLIB_DEPS) and related variables. + (SHLIB_EXPDEPS): Remove $(SHLIB_DBLIB_DEPS). + (SHLIB_EXPLIBS): Change $(DB_LIB) to $(KDB5_DB_LIB). + (DBOBJLISTS, STOBJLISTS): Pull in object lists of in-tree libdb so + we don't need to install libdb. Don't do this if building with + system libdb, though, since we need to explicitly link against the + system libdb in that case. + +2003-03-18 Tom Yu + + * keytab.c (krb5_ktkdb_get_entry): Do not perform the enctype + comparison if the requested enctype is a wildcard. + +2003-03-16 Sam Hartman + + * keytab.c (krb5_ktkdb_get_entry): Match only against the first + enctype for non-cross-realm tickets so we will only accept + tickets that the current configuration would have issued. For + cross-realm tickets be liberal and match against the specified + enctype. + 2003-03-05 Tom Yu * kdb_xdr.c (krb5_dbe_search_enctype): Check for ktype > 0 rather diff --git a/src/lib/kdb/Makefile.in b/src/lib/kdb/Makefile.in index ea80b7652..76261194a 100644 --- a/src/lib/kdb/Makefile.in +++ b/src/lib/kdb/Makefile.in @@ -12,17 +12,20 @@ LIBMAJOR=4 LIBMINOR=0 RELDIR=kdb # Depends on libk5crypto and libkrb5 -SHLIB_DBLIB_DEPS = $(SHLIB_DBLIB-@DB_VERSION@) -SHLIB_DBLIB-k5 = $(TOPLIBD)/libdb$(SHLIBEXT) -SHLIB_DBLIB-sys = SHLIB_EXPDEPS = \ $(TOPLIBD)/libk5crypto$(SHLIBEXT) \ - $(TOPLIBD)/libkrb5$(SHLIBEXT) $(SHLIB_DBLIB_DEPS) -SHLIB_EXPLIBS=-lkrb5 -lcom_err -lk5crypto $(DB_LIB) $(LIBS) + $(TOPLIBD)/libkrb5$(SHLIBEXT) +SHLIB_EXPLIBS=-lkrb5 -lcom_err -lk5crypto $(KDB5_DB_LIB) $(LIBS) SHLIB_DIRS=-L$(TOPLIBD) SHLIB_RDIRS=$(KRB5_LIBDIR) +DBDIR = $(BUILDTOP)/util/db2 +DBOBJLISTS = $(DBOBJLISTS-@DB_VERSION@) +DBOBJLISTS-sys = +DBOBJLISTS-k5 = $(DBDIR)/hash/OBJS.ST $(DBDIR)/btree/OBJS.ST \ + $(DBDIR)/db/OBJS.ST $(DBDIR)/mpool/OBJS.ST $(DBDIR)/recno/OBJS.ST \ + $(DBDIR)/clib/OBJS.ST all:: @@ -38,7 +41,7 @@ SRCS= \ $(srcdir)/setup_mkey.c \ $(srcdir)/store_mkey.c -STOBJLISTS=OBJS.ST +STOBJLISTS=OBJS.ST $(DBOBJLISTS) STLIBOBJS= \ keytab.o \ encrypt_key.o \ diff --git a/src/lib/kdb/keytab.c b/src/lib/kdb/keytab.c index 6ec375ac2..90a81cac8 100644 --- a/src/lib/kdb/keytab.c +++ b/src/lib/kdb/keytab.c @@ -24,10 +24,14 @@ * or implied warranty. * */ +#include #include "k5-int.h" #include "kdb_kt.h" +static int +is_xrealm_tgt(krb5_context, krb5_const_principal); + krb5_error_code krb5_ktkdb_close (krb5_context, krb5_keytab); krb5_error_code krb5_ktkdb_get_entry (krb5_context, krb5_keytab, krb5_const_principal, @@ -116,6 +120,8 @@ krb5_ktkdb_get_entry(in_context, id, principal, kvno, enctype, entry) krb5_db_entry db_entry; krb5_boolean more = 0; int n = 0; + int xrealm_tgt = is_xrealm_tgt(context, principal); + int similar; if (ktkdb_ctx) context = ktkdb_ctx; @@ -150,16 +156,33 @@ krb5_ktkdb_get_entry(in_context, id, principal, kvno, enctype, entry) if (kerror) goto error; + /* For cross realm tgts, we match whatever enctype is provided; + * for other principals, we only match the first enctype that is + * found. Since the TGS and AS code do the same thing, then we + * will only successfully decrypt tickets we have issued.*/ kerror = krb5_dbe_find_enctype(context, &db_entry, - enctype, -1, kvno, &key_data); + xrealm_tgt?enctype:-1, + -1, kvno, &key_data); if (kerror) goto error; + kerror = krb5_dbekd_decrypt_key_data(context, master_key, key_data, &entry->key, NULL); if (kerror) goto error; + if (enctype > 0) { + kerror = krb5_c_enctype_compare(context, enctype, + entry->key.enctype, &similar); + if (kerror) + goto error; + + if (!similar) { + kerror = KRB5_KDB_NO_PERMITTED_KEY; + goto error; + } + } /* * Coerce the enctype of the output keyblock in case we got an * inexact match on the enctype. @@ -176,3 +199,27 @@ krb5_ktkdb_get_entry(in_context, id, principal, kvno, enctype, entry) krb5_db_close_database(context); return(kerror); } + +/* + * is_xrealm_tgt: Returns true if the principal is a cross-realm TGT + * principal-- a principal with first component krbtgt and second + * component not equal to realm. + */ +static int +is_xrealm_tgt(krb5_context context, krb5_const_principal princ) +{ + krb5_data *dat; + if (krb5_princ_size(context, princ) != 2) + return 0; + dat = krb5_princ_component(context, princ, 0); + if (strncmp("krbtgt", dat->data, dat->length) != 0) + return 0; + dat = krb5_princ_component(context, princ, 1); + if (dat->length != princ->realm.length) + return 1; + if (strcmp(dat->data, princ->realm.data) == 0) + return 0; + return 1; + +} + diff --git a/src/lib/krb4/ChangeLog b/src/lib/krb4/ChangeLog index 9c53ca17b..8f8b94fe9 100644 --- a/src/lib/krb4/ChangeLog +++ b/src/lib/krb4/ChangeLog @@ -1,3 +1,37 @@ +2003-05-12 Tom Yu + + * Makefile.in: Add setting of KRB_ERR on Windows. + +2003-05-11 Sam Hartman + + * Makefile.in: Build krb_err.c when appropriate. + + * configure.in: Set KRB_ERR to be the object file generated by + krb_err.c on non-Darwin + + * err_txt.c : Don't include krb_err.c on non-Darwin UNIX. Doing + so may break with some compile_et implementations. Also not + included on Windows. + +2003-05-01 Alexandra Ellwood + ÊÊ + * kadm_stream.c: Fixed vts_long() and vts_short() so they return a + pointer to the beginning of the memory they allocate and place + their data at the end of the buffer which was passed in. + +2003-04-15 Alexandra Ellwood + ÊÊ + * g_ad_tkt.c: accidentally checked a non-space character into + the USE_LOGIN_LIBRARY part of get_ad_tkt so it doesn't build + on the Mac. Oops. + +2003-04-14 Alexandra Ellwood + ÊÊ + * g_ad_tkt.c: Added support for login library to get_ad_tkt. + Support is copied from Mac Kerberos4 library and conditionalized + for USE_LOGIN_LIBRARY to avoid changing get_ad_tkt's behavior for + non-Kerberos Login Library builds. + 2003-03-06 Alexandra Ellwood * CCache-glue.c: Added prototypes for deprecated functions. diff --git a/src/lib/krb4/Makefile.in b/src/lib/krb4/Makefile.in index 0a8ecff3e..feea32b78 100644 --- a/src/lib/krb4/Makefile.in +++ b/src/lib/krb4/Makefile.in @@ -29,6 +29,8 @@ SHLIB_DIRS=-L$(TOPLIBD) SHLIB_RDIRS=$(KRB5_LIBDIR) EHDRDIR=$(BUILDTOP)$(S)include$(S)kerberosIV +KRB_ERR=@KRB_ERR@ +##DOS##KRB_ERR=$(OUTPRE)krb_err.$(OBJEXT) OBJS = \ $(OUTPRE)change_password.$(OBJEXT) \ @@ -72,7 +74,7 @@ OBJS = \ $(OUTPRE)rd_preauth.$(OBJEXT) \ $(OUTPRE)mk_preauth.$(OBJEXT) \ $(OSOBJS) $(CACHEOBJS) $(SETENVOBJS) $(STRCASEOBJS) $(SHMOBJS) \ - $(LIB_KRB_HOSTOBJS) $(SERVER_KRB_OBJS) $(NETIO_OBJS) $(REALMDBOBJS) + $(LIB_KRB_HOSTOBJS) $(SERVER_KRB_OBJS) $(NETIO_OBJS) $(REALMDBOBJS) $(KRB_ERR) SRCS = \ change_password.c \ diff --git a/src/lib/krb4/configure.in b/src/lib/krb4/configure.in index 87aeebccf..8a60058b0 100644 --- a/src/lib/krb4/configure.in +++ b/src/lib/krb4/configure.in @@ -5,12 +5,15 @@ AC_TYPE_UID_T case $krb5_cv_host in powerpc-apple-darwin*) KRB_ERR_TXT= + KRB_ERR= ;; *) + KRB_ERR='$(OUTPRE)krb_err.$(OBJEXT)' KRB_ERR_TXT=krb_err_txt.c ;; esac AC_SUBST([KRB_ERR_TXT]) +AC_SUBST([KRB_ERR]) AC_PROG_AWK KRB5_BUILD_LIBOBJS KRB5_BUILD_LIBRARY_WITH_DEPS diff --git a/src/lib/krb4/err_txt.c b/src/lib/krb4/err_txt.c index 9d942a071..a7a290c94 100644 --- a/src/lib/krb4/err_txt.c +++ b/src/lib/krb4/err_txt.c @@ -31,17 +31,14 @@ * This is gross. We want krb_err_txt to match the contents of the * com_err error table, but the text is static in krb_err.c. We can't * alias it by making a pointer to it, either, so we have to suck in - * another copy of it that is named differently. Also, to avoid - * multiple registrations of the error table, we want to override - * initialize_krb_error_table() in case someone decides to call it. - */ + * another copy of it that is named differently. */ +#if TARGET_OS_MAC #undef initialize_krb_error_table #define initialize_krb_error_table krb4int_init_krb_err_tbl void krb4int_init_krb_err_tbl(void); #include "krb_err.c" #undef initialize_krb_error_table -#if TARGET_OS_MAC /* * Depends on the name of the static table generated by compile_et, * but since this is only on Darwin, where we will always use a @@ -68,12 +65,6 @@ krb4int_et_init(void) inited = 1;\ } -void -initialize_krb_error_table(void) -{ - krb4int_et_init(); -} - void krb4int_et_fini(void) { diff --git a/src/lib/krb4/g_ad_tkt.c b/src/lib/krb4/g_ad_tkt.c index daae7515f..353fdcee5 100644 --- a/src/lib/krb4/g_ad_tkt.c +++ b/src/lib/krb4/g_ad_tkt.c @@ -256,6 +256,15 @@ get_ad_tkt(service, sinstance, realm, lifetime) size_t snamelen, sinstlen; kerror = krb_get_tf_realm(TKT_FILE, lrealm); +#if USE_LOGIN_LIBRARY + if (kerror == GC_NOTKT) { + /* No tickets... call krb_get_cred (KLL will prompt) and try again. */ + if ((kerror = krb_get_cred ("krbtgt", realm, realm, &cr)) == KSUCCESS) { + /* Now get the realm again. */ + kerror = krb_get_tf_realm (TKT_FILE, lrealm); + } + } +#endif if (kerror != KSUCCESS) return kerror; diff --git a/src/lib/krb4/kadm_stream.c b/src/lib/krb4/kadm_stream.c index 3a9861eda..dc9fef110 100644 --- a/src/lib/krb4/kadm_stream.c +++ b/src/lib/krb4/kadm_stream.c @@ -129,8 +129,11 @@ vts_short(KRB_UINT32 dat, u_char **st, int loc) if (p == NULL) return -1; + *st = p; /* KRB4_PUT32BE will modify p */ + + p += loc; /* place bytes at the end */ KRB4_PUT16BE(p, dat); - *st = p; + return 2; } @@ -145,8 +148,11 @@ vts_long(KRB_UINT32 dat, u_char **st, int loc) if (p == NULL) return -1; + *st = p; /* KRB4_PUT32BE will modify p */ + + p += loc; /* place bytes at the end */ KRB4_PUT32BE(p, dat); - *st = p; + return 4; } diff --git a/src/lib/krb5/asn.1/ChangeLog b/src/lib/krb5/asn.1/ChangeLog index b1ff161c4..c4bd9bc08 100644 --- a/src/lib/krb5/asn.1/ChangeLog +++ b/src/lib/krb5/asn.1/ChangeLog @@ -1,3 +1,27 @@ +2003-05-06 Sam Hartman + + * krb5_decode.c (decode_krb5_etype_info2): New function; currently + the same code as decode_krb5_etype_info. This means that we can + manage to accept s2kparams in etype_info which is wrong but + probably harmless. + + * asn1_k_decode.c (asn1_decode_etype_info_entry): Add etype_info2 + support + + * asn1_k_encode.c (asn1_encode_etype_info_entry): Add support for + etype-info2 + + * krb5_encode.c (encode_krb5_etype_info2): New function + +2003-04-15 Sam Hartman + + * krb5_encode.c (encode_krb5_setpw_req): new function + +2003-04-13 Ezra Peisach + + * asn1_k_decode.c (asn1_decode_kdc_req_body): Fix memory leak if + optional server field is lacking, + 2003-03-11 Ken Raeburn * asn1_get.c (asn1_get_tag): Deleted. diff --git a/src/lib/krb5/asn.1/asn1_k_decode.c b/src/lib/krb5/asn.1/asn1_k_decode.c index c64ebb84e..e56832a7b 100644 --- a/src/lib/krb5/asn.1/asn1_k_decode.c +++ b/src/lib/krb5/asn.1/asn1_k_decode.c @@ -541,7 +541,9 @@ asn1_error_code asn1_decode_kdc_req(asn1buf *buf, krb5_kdc_req *val) asn1_error_code asn1_decode_kdc_req_body(asn1buf *buf, krb5_kdc_req *val) { setup(); - { begin_structure(); + { + krb5_principal psave; + begin_structure(); get_field(val->kdc_options,0,asn1_decode_kdc_options); if(tagnum == 1){ alloc_field(val->client,krb5_principal_data); } opt_field(val->client,1,asn1_decode_principal_name,NULL); @@ -550,7 +552,19 @@ asn1_error_code asn1_decode_kdc_req_body(asn1buf *buf, krb5_kdc_req *val) if(val->client != NULL){ retval = asn1_krb5_realm_copy(val->client,val->server); if(retval) return retval; } + + /* If opt_field server is missing, memory reference to server is + lost and results in memory leak */ + psave = val->server; opt_field(val->server,3,asn1_decode_principal_name,NULL); + if(val->server == NULL){ + if(psave->realm.data) { + free(psave->realm.data); + psave->realm.data = NULL; + psave->realm.length=0; + } + free(psave); + } opt_field(val->from,4,asn1_decode_kerberos_time,0); get_field(val->till,5,asn1_decode_kerberos_time); opt_field(val->rtime,6,asn1_decode_kerberos_time,0); @@ -782,7 +796,7 @@ asn1_error_code asn1_decode_sequence_of_checksum(asn1buf *buf, krb5_checksum *** decode_array_body(krb5_checksum, asn1_decode_checksum); } -asn1_error_code asn1_decode_etype_info_entry(asn1buf *buf, krb5_etype_info_entry *val) +asn1_error_code asn1_decode_etype_info_entry(asn1buf *buf, krb5_etype_info_entry *val ) { setup(); { begin_structure(); @@ -793,13 +807,21 @@ asn1_error_code asn1_decode_etype_info_entry(asn1buf *buf, krb5_etype_info_entry val->length = KRB5_ETYPE_NO_SALT; val->salt = 0; } + if ( tagnum ==2) { + krb5_octet *params = (krb5_octet *) val->s2kparams.data; + get_lenfield( val->s2kparams.length, params, + 2, asn1_decode_octetstring); + } else { + val->s2kparams.data = NULL; + val->s2kparams.length = 0; + } end_structure(); val->magic = KV5M_ETYPE_INFO_ENTRY; } cleanup(); } -asn1_error_code asn1_decode_etype_info(asn1buf *buf, krb5_etype_info_entry ***val) +asn1_error_code asn1_decode_etype_info(asn1buf *buf, krb5_etype_info_entry ***val ) { decode_array_body(krb5_etype_info_entry,asn1_decode_etype_info_entry); } diff --git a/src/lib/krb5/asn.1/asn1_k_encode.c b/src/lib/krb5/asn.1/asn1_k_encode.c index 9226f7ca2..703214dd2 100644 --- a/src/lib/krb5/asn.1/asn1_k_encode.c +++ b/src/lib/krb5/asn.1/asn1_k_encode.c @@ -27,6 +27,7 @@ #include "asn1_k_encode.h" #include "asn1_make.h" #include "asn1_encode.h" +#include /**** asn1 macros ****/ #if 0 @@ -708,14 +709,18 @@ asn1_error_code asn1_encode_krb_cred_info(asn1buf *buf, const krb5_cred_info *va asn1_cleanup(); } -asn1_error_code asn1_encode_etype_info_entry(asn1buf *buf, const krb5_etype_info_entry *val, unsigned int *retlen) +asn1_error_code asn1_encode_etype_info_entry(asn1buf *buf, const krb5_etype_info_entry *val, + unsigned int *retlen, int etype_info2) { asn1_setup(); + assert(val->s2kparams.data == NULL || etype_info2); if(val == NULL || (val->length > 0 && val->length != KRB5_ETYPE_NO_SALT && val->salt == NULL)) return ASN1_MISSING_FIELD; - + if(val->s2kparams.data != NULL) + asn1_addlenfield(val->s2kparams.length, val->s2kparams.data, 2, + asn1_encode_octetstring); if (val->length >= 0 && val->length != KRB5_ETYPE_NO_SALT) asn1_addlenfield(val->length,val->salt,1, asn1_encode_octetstring); @@ -725,7 +730,8 @@ asn1_error_code asn1_encode_etype_info_entry(asn1buf *buf, const krb5_etype_info asn1_cleanup(); } -asn1_error_code asn1_encode_etype_info(asn1buf *buf, const krb5_etype_info_entry **val, unsigned int *retlen) +asn1_error_code asn1_encode_etype_info(asn1buf *buf, const krb5_etype_info_entry **val, + unsigned int *retlen, int etype_info2) { asn1_setup(); int i; @@ -734,7 +740,7 @@ asn1_error_code asn1_encode_etype_info(asn1buf *buf, const krb5_etype_info_entry for(i=0; val[i] != NULL; i++); /* get to the end of the array */ for(i--; i>=0; i--){ - retval = asn1_encode_etype_info_entry(buf,val[i],&length); + retval = asn1_encode_etype_info_entry(buf,val[i],&length, etype_info2); if(retval) return retval; sum += length; } diff --git a/src/lib/krb5/asn.1/asn1_k_encode.h b/src/lib/krb5/asn.1/asn1_k_encode.h index 5914e0981..a2429a778 100644 --- a/src/lib/krb5/asn.1/asn1_k_encode.h +++ b/src/lib/krb5/asn.1/asn1_k_encode.h @@ -219,11 +219,11 @@ asn1_error_code asn1_encode_alt_method asn1_error_code asn1_encode_etype_info_entry (asn1buf *buf, const krb5_etype_info_entry *val, - unsigned int *retlen); + unsigned int *retlen, int etype_info2); asn1_error_code asn1_encode_etype_info (asn1buf *buf, const krb5_etype_info_entry **val, - unsigned int *retlen); + unsigned int *retlen, int etype_info2); asn1_error_code asn1_encode_passwdsequence (asn1buf *buf, const passwd_phrase_element *val, unsigned int *retlen); diff --git a/src/lib/krb5/asn.1/krb5_decode.c b/src/lib/krb5/asn.1/krb5_decode.c index 03a30295b..b39bae5c4 100644 --- a/src/lib/krb5/asn.1/krb5_decode.c +++ b/src/lib/krb5/asn.1/krb5_decode.c @@ -744,6 +744,16 @@ krb5_error_code decode_krb5_etype_info(const krb5_data *code, krb5_etype_info_en cleanup_none(); /* we're not allocating anything here */ } +krb5_error_code decode_krb5_etype_info2(const krb5_data *code, krb5_etype_info_entry ***rep) +{ + setup_buf_only(); + *rep = 0; + retval = asn1_decode_etype_info(&buf,rep); + if(retval) clean_return(retval); + cleanup_none(); /* we're not allocating anything here */ +} + + krb5_error_code decode_krb5_enc_data(const krb5_data *code, krb5_enc_data **rep) { setup_buf_only(); diff --git a/src/lib/krb5/asn.1/krb5_encode.c b/src/lib/krb5/asn.1/krb5_encode.c index 2a4f7bb14..7412209f6 100644 --- a/src/lib/krb5/asn.1/krb5_encode.c +++ b/src/lib/krb5/asn.1/krb5_encode.c @@ -678,12 +678,22 @@ krb5_error_code encode_krb5_alt_method(const krb5_alt_method *rep, krb5_data **c krb5_error_code encode_krb5_etype_info(const krb5_etype_info_entry **rep, krb5_data **code) { krb5_setup(); - retval = asn1_encode_etype_info(buf,rep,&length); + retval = asn1_encode_etype_info(buf,rep,&length, 0); if(retval) return retval; sum += length; krb5_cleanup(); } +krb5_error_code encode_krb5_etype_info2(const krb5_etype_info_entry **rep, krb5_data **code) +{ + krb5_setup(); + retval = asn1_encode_etype_info(buf,rep,&length, 1); + if(retval) return retval; + sum += length; + krb5_cleanup(); +} + + krb5_error_code encode_krb5_enc_data(const krb5_enc_data *rep, krb5_data **code) { krb5_setup(); @@ -822,3 +832,20 @@ krb5_error_code encode_krb5_predicted_sam_response(const krb5_predicted_sam_resp sum += length; krb5_cleanup(); } + +krb5_error_code encode_krb5_setpw_req(const krb5_principal target, + char *password, krb5_data **code) +{ + /* Macros really want us to have a variable called rep which we do not need*/ + const char *rep = "dummy string"; + + krb5_setup(); + + krb5_addfield(target,2,asn1_encode_realm); + krb5_addfield(target,1,asn1_encode_principal_name); + krb5_addlenfield(strlen(password), password,0,asn1_encode_octetstring); + krb5_makeseq(); + + + krb5_cleanup(); +} diff --git a/src/lib/krb5/keytab/ChangeLog b/src/lib/krb5/keytab/ChangeLog index ef0e702f1..864a412e7 100644 --- a/src/lib/krb5/keytab/ChangeLog +++ b/src/lib/krb5/keytab/ChangeLog @@ -1,3 +1,10 @@ +2003-04-01 Nalin Dahyabhai + + * kt_file.c (krb5_ktfileint_internal_read_entry): Use + krb5_princ_size instead of direct field access. + (krb5_ktfileint_write_entry, krb5_ktfileint_size_entry): + Likewise. + 2003-02-08 Tom Yu * kt_file.c (krb5_ktfile_get_entry): Fix comment; not going to diff --git a/src/lib/krb5/keytab/kt_file.c b/src/lib/krb5/keytab/kt_file.c index 9e4f15aa7..9b7b9ae8f 100644 --- a/src/lib/krb5/keytab/kt_file.c +++ b/src/lib/krb5/keytab/kt_file.c @@ -1324,7 +1324,7 @@ krb5_ktfileint_internal_read_entry(krb5_context context, krb5_keytab id, krb5_ke return 0; fail: - for (i = 0; i < ret_entry->principal->length; i++) { + for (i = 0; i < krb5_princ_size(context, ret_entry->principal); i++) { princ = krb5_princ_component(context, ret_entry->principal, i); if (princ->data) free(princ->data); @@ -1375,9 +1375,9 @@ krb5_ktfileint_write_entry(krb5_context context, krb5_keytab id, krb5_keytab_ent } if (KTVERSION(id) == KRB5_KT_VNO_1) { - count = (krb5_int16) entry->principal->length + 1; + count = (krb5_int16) krb5_princ_size(context, entry->principal) + 1; } else { - count = htons((u_short) entry->principal->length); + count = htons((u_short) krb5_princ_size(context, entry->principal)); } if (!xfwrite(&count, sizeof(count), 1, KTFILEP(id))) { @@ -1396,7 +1396,7 @@ krb5_ktfileint_write_entry(krb5_context context, krb5_keytab id, krb5_keytab_ent goto abend; } - count = (krb5_int16) entry->principal->length; + count = (krb5_int16) krb5_princ_size(context, entry->principal); for (i = 0; i < count; i++) { princ = krb5_princ_component(context, entry->principal, i); size = princ->length; @@ -1494,7 +1494,7 @@ krb5_ktfileint_size_entry(krb5_context context, krb5_keytab_entry *entry, krb5_i krb5_int32 total_size, i; krb5_error_code retval = 0; - count = (krb5_int16) entry->principal->length; + count = (krb5_int16) krb5_princ_size(context, entry->principal); total_size = sizeof(count); total_size += krb5_princ_realm(context, entry->principal)->length + (sizeof(krb5_int16)); diff --git a/src/lib/krb5/krb/ChangeLog b/src/lib/krb5/krb/ChangeLog index c936ca4fd..fc4182f9e 100644 --- a/src/lib/krb5/krb/ChangeLog +++ b/src/lib/krb5/krb/ChangeLog @@ -1,3 +1,137 @@ +2003-05-13 Sam Hartman + + * fwd_tgt.c (krb5_fwd_tgt_creds): Try with no specified enctype if + forwarding a specific enctype fails. l + + * get_in_tkt.c (krb5_get_init_creds): Free s2kparams + + * preauth2.c (krb5_do_preauth): Fix memory management + (pa_salt): Use copy_data_contents + + * copy_data.c (krb5int_copy_data_contents): New function + +2003-05-09 Sam Hartman + + * preauth2.c: Patch from Sun to reorganize code for handling + etype_info requests. More efficient and easier to implement etype_info2 + (krb5_do_preauth): Support enctype_info2 + +2003-05-08 Sam Hartman + + * preauth2.c: Add s2kparams to the declaration of a preauth + function, to every instance of a preauth function and to every + call to gak_fct + + * get_in_tkt.c (krb5_get_init_creds): Add s2kparams support + + * gic_keytab.c (krb5_get_as_key_keytab): Add s2kparams + + * gic_pwd.c (krb5_get_as_key_password): Add s2kparams support + +2003-05-09 Ken Raeburn + + * init_ctx.c (init_common): Copy tgs_ktypes array to + conf_tgs_ktypes. Clear use_conf_ktypes. + (krb5_free_context): Free conf_tgs_ktypes. + (krb5_get_tgs_ktypes): Use use_conf_ktypes to choose between + tgs_ktypes and conf_tgs_ktypes. + + * gc_frm_kdc.c (krb5_get_cred_from_kdc_opt): Set use_conf_ktypes + in context to 1 for all operations except the acquisition of the + desired service ticket. + +2003-05-09 Tom Yu + + * auth_con.c (krb5_auth_con_setsendsubkey) + (krb5_auth_con_setrecvsubkey, krb5_auth_con_getsendsubkey) + (krb5_auth_con_getrecvsubkey): New functions. Set or retrieve + subkeys from an auth_context. + (krb5_auth_con_getlocalsubkey, krb5_auth_con_getremotesubkey): + Reimplement in terms of the above. + + * auth_con.h, ser_actx.c: Rename {local,remote}_subkey -> + {send,recv}_subkey. + + * chpw.c (krb5int_rd_chpw_rep): Save send_subkey prior to rd_rep; + use saved send_subkey to smash recv_subkey obtained from rd_rep. + + * mk_req_ext.c (krb5_mk_req_extended): Rename + {local,remote}_subkey -> {send,recv}_subkey. Set both subkeys if + subkey generation is requested. + + * mk_cred.c, mk_priv.c, mk_safe.c: Rename {local,remote}_subkey -> + {send,recv}_subkey. Use either send_subkey or keyblock, in that + order. + + * rd_cred.c, rd_priv.c, rd_safe.c: Rename {local,remote}_subkey -> + {send,recv}_subkey. Use either recv_subkey or keyblock, in that + order. + + * rd_rep.c (krb5_rd_rep): Rename {local,remote}_subkey -> + {send,recv}_subkey. Set both subkeys if a subkey is present in + the AP-REP message. + + * rd_req_dec.c (krb5_rd_req_decoded_opt): Rename + {local,remote}_subkey -> {send,recv}_subkey. Set both subkeys if + a subkey is present in the AP-REQ message. + +2003-05-06 Sam Hartman + + * kfree.c (krb5_free_etype_info): Free s2kparams + +2003-04-27 Sam Hartman + + * chpw.c (krb5int_setpw_result_code_string): Make internal + +2003-04-25 Sam Hartman + + * chpw.c (krb5int_rd_setpw_rep): Fix error handling; allow + krberrors to be read correctly; fix memory alloctaion so that + allocated structures are freed. + +2003-04-24 Ezra Peisach + + * kfree.c (krb5_free_pwd_sequences): Correction to previous + fix. Free contents of krb5_data - not just the pointer. + +2003-04-23 Ezra Peisach + + * kfree.c (krb5_free_pwd_sequences): Actually free the entire + sequence of passwd_phase_elements and not just the first one. + +2003-04-16 Sam Hartman + + * chpw.c (krb5int_mk_setpw_req): Use encode_krb5_setpw_req. Fix + memory handling to free data that is allocated + +2003-04-15 Sam Hartman + + * chpw.c (krb5int_mk_setpw_req krb5int_rd_setpw_rep): New function + +2003-04-13 Ken Raeburn + + * init_ctx.c (DEFAULT_ETYPE_LIST): Add AES with 256 bits at the + front of the list. No 128-bit support by defaut. + +2003-04-01 Nalin Dahyabhai + + * gc_frm_kdc.c (krb5_get_cred_from_kdc_opt): Check principal name + length before examining components. + + * parse.c (krb5_parse_name): Double-check principal name length + before filling in components. + + * srv_rcache.c (krb5_get_server_rcache): Check for null pointer + supplied in place of name. + + * unparse.c (krb5_unparse_name_ext): Don't move buffer pointer + backwards if nothing has been put into the buffer yet. + +2003-04-01 Sam Hartman + + * rd_req.c (krb5_rd_req): If AUTH_CONTEXT_DO_TIME is cleared, + don't set up a replay cache. + 2003-03-08 Ezra Peisach * t_kerb.c: Only include krb.h if krb4 support compiled in, diff --git a/src/lib/krb5/krb/auth_con.c b/src/lib/krb5/krb/auth_con.c index 09ccf9808..bc26774a6 100644 --- a/src/lib/krb5/krb/auth_con.c +++ b/src/lib/krb5/krb/auth_con.c @@ -59,10 +59,10 @@ krb5_auth_con_free(krb5_context context, krb5_auth_context auth_context) krb5_free_authenticator(context, auth_context->authentp); if (auth_context->keyblock) krb5_free_keyblock(context, auth_context->keyblock); - if (auth_context->local_subkey) - krb5_free_keyblock(context, auth_context->local_subkey); - if (auth_context->remote_subkey) - krb5_free_keyblock(context, auth_context->remote_subkey); + if (auth_context->send_subkey) + krb5_free_keyblock(context, auth_context->send_subkey); + if (auth_context->recv_subkey) + krb5_free_keyblock(context, auth_context->recv_subkey); if (auth_context->rcache) krb5_rc_close(context, auth_context->rcache); if (auth_context->permitted_etypes) @@ -176,17 +176,53 @@ krb5_auth_con_getkey(krb5_context context, krb5_auth_context auth_context, krb5_ krb5_error_code KRB5_CALLCONV krb5_auth_con_getlocalsubkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock **keyblock) { - if (auth_context->local_subkey) - return krb5_copy_keyblock(context,auth_context->local_subkey,keyblock); + return krb5_auth_con_getsendsubkey(context, auth_context, keyblock); +} + +krb5_error_code KRB5_CALLCONV +krb5_auth_con_getremotesubkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock **keyblock) +{ + return krb5_auth_con_getrecvsubkey(context, auth_context, keyblock); +} + +krb5_error_code KRB5_CALLCONV +krb5_auth_con_setsendsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock *keyblock) +{ + if (ac->send_subkey != NULL) + krb5_free_keyblock(ctx, ac->send_subkey); + ac->send_subkey = NULL; + if (keyblock !=NULL) + return krb5_copy_keyblock(ctx, keyblock, &ac->send_subkey); + else + return 0; +} + +krb5_error_code KRB5_CALLCONV +krb5_auth_con_setrecvsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock *keyblock) +{ + if (ac->recv_subkey != NULL) + krb5_free_keyblock(ctx, ac->recv_subkey); + ac->recv_subkey = NULL; + if (keyblock != NULL) + return krb5_copy_keyblock(ctx, keyblock, &ac->recv_subkey); + else + return 0; +} + +krb5_error_code KRB5_CALLCONV +krb5_auth_con_getsendsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock **keyblock) +{ + if (ac->send_subkey != NULL) + return krb5_copy_keyblock(ctx, ac->send_subkey, keyblock); *keyblock = NULL; return 0; } krb5_error_code KRB5_CALLCONV -krb5_auth_con_getremotesubkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock **keyblock) +krb5_auth_con_getrecvsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock **keyblock) { - if (auth_context->remote_subkey) - return krb5_copy_keyblock(context,auth_context->remote_subkey,keyblock); + if (ac->recv_subkey != NULL) + return krb5_copy_keyblock(ctx, ac->recv_subkey, keyblock); *keyblock = NULL; return 0; } diff --git a/src/lib/krb5/krb/auth_con.h b/src/lib/krb5/krb/auth_con.h index d83d6b86e..1dcfc89e7 100644 --- a/src/lib/krb5/krb/auth_con.h +++ b/src/lib/krb5/krb/auth_con.h @@ -9,8 +9,8 @@ struct _krb5_auth_context { krb5_address * local_addr; krb5_address * local_port; krb5_keyblock * keyblock; - krb5_keyblock * local_subkey; - krb5_keyblock * remote_subkey; + krb5_keyblock * send_subkey; + krb5_keyblock * recv_subkey; krb5_int32 auth_context_flags; krb5_int32 remote_seq_number; diff --git a/src/lib/krb5/krb/chpw.c b/src/lib/krb5/krb/chpw.c index bb2cfe9c7..f640ce66c 100644 --- a/src/lib/krb5/krb/chpw.c +++ b/src/lib/krb5/krb/chpw.c @@ -1,11 +1,15 @@ +/* +** set password functions added by Paul W. Nelson, Thursby Software Systems, Inc. +*/ #include #include "k5-int.h" #include "krb5_err.h" #include "auth_con.h" -krb5_error_code KRB5_CALLCONV -krb5_mk_chpw_req(krb5_context context, krb5_auth_context auth_context, krb5_data *ap_req, char *passwd, krb5_data *packet) + +krb5_error_code +krb5int_mk_chpw_req(krb5_context context, krb5_auth_context auth_context, krb5_data *ap_req, char *passwd, krb5_data *packet) { krb5_error_code ret = 0; krb5_data clearpw; @@ -66,8 +70,8 @@ cleanup: return(ret); } -krb5_error_code KRB5_CALLCONV -krb5_rd_chpw_rep(krb5_context context, krb5_auth_context auth_context, krb5_data *packet, int *result_code, krb5_data *result_data) +krb5_error_code +krb5int_rd_chpw_rep(krb5_context context, krb5_auth_context auth_context, krb5_data *packet, int *result_code, krb5_data *result_data) { char *ptr; int plen, vno; @@ -116,8 +120,18 @@ krb5_rd_chpw_rep(krb5_context context, krb5_auth_context auth_context, krb5_data ap_rep.data = ptr; ptr += ap_rep.length; - if ((ret = krb5_rd_rep(context, auth_context, &ap_rep, &ap_rep_enc))) + /* + * Save send_subkey to later smash recv_subkey. + */ + ret = krb5_auth_con_getsendsubkey(context, auth_context, &tmp); + if (ret) + return ret; + + ret = krb5_rd_rep(context, auth_context, &ap_rep, &ap_rep_enc); + if (ret) { + krb5_free_keyblock(context, tmp); return(ret); + } krb5_free_ap_rep_enc_part(context, ap_rep_enc); @@ -126,18 +140,17 @@ krb5_rd_chpw_rep(krb5_context context, krb5_auth_context auth_context, krb5_data cipherresult.data = ptr; cipherresult.length = (packet->data + packet->length) - ptr; - /* XXX there's no api to do this right. The problem is that - if there's a remote subkey, it will be used. This is - not what the spec requires */ - - tmp = auth_context->remote_subkey; - auth_context->remote_subkey = NULL; + /* + * Smash recv_subkey to be send_subkey, per spec. + */ + ret = krb5_auth_con_setrecvsubkey(context, auth_context, tmp); + krb5_free_keyblock(context, tmp); + if (ret) + return ret; ret = krb5_rd_priv(context, auth_context, &cipherresult, &clearresult, &replay); - auth_context->remote_subkey = tmp; - if (ret) return(ret); } else { @@ -221,3 +234,284 @@ krb5_chpw_result_code_string(krb5_context context, int result_code, char **code_ return(0); } + +krb5_error_code +krb5int_mk_setpw_req( + krb5_context context, + krb5_auth_context auth_context, + krb5_data *ap_req, + krb5_principal targprinc, + char *passwd, + krb5_data *packet ) +{ + krb5_error_code ret; + krb5_data cipherpw; + krb5_data *encoded_setpw; + + char *ptr; + int count = 2; + + cipherpw.data = NULL; + cipherpw.length = 0; + + if (ret = krb5_auth_con_setflags(context, auth_context, + KRB5_AUTH_CONTEXT_DO_SEQUENCE)) + return(ret); + + ret = encode_krb5_setpw_req(targprinc, passwd, &encoded_setpw); + if (ret) { + return ret; + } + + if ( (ret = krb5_mk_priv(context, auth_context, encoded_setpw, &cipherpw, NULL)) != 0) { + krb5_free_data( context, encoded_setpw); + return(ret); + } + krb5_free_data( context, encoded_setpw); + + + packet->length = 6 + ap_req->length + cipherpw.length; + packet->data = (char *) malloc(packet->length); + if (packet->data == NULL) { + ret = ENOMEM; + goto cleanup; + } + ptr = packet->data; +/* +** build the packet - +*/ +/* put in the length */ + *ptr++ = (packet->length>>8) & 0xff; + *ptr++ = packet->length & 0xff; +/* put in the version */ + *ptr++ = (char)0xff; + *ptr++ = (char)0x80; +/* the ap_req length is big endian */ + *ptr++ = (ap_req->length>>8) & 0xff; + *ptr++ = ap_req->length & 0xff; +/* put in the request data */ + memcpy(ptr, ap_req->data, ap_req->length); + ptr += ap_req->length; +/* +** put in the "private" password data - +*/ + memcpy(ptr, cipherpw.data, cipherpw.length); + ret = 0; + cleanup: + if (cipherpw.data) + krb5_free_data_contents(context, &cipherpw); + if ((ret != 0) && packet->data) { + free( packet->data); + packet->data = NULL; + } + return ret; +} + +krb5_error_code +krb5int_rd_setpw_rep( krb5_context context, krb5_auth_context auth_context, krb5_data *packet, + int *result_code, krb5_data *result_data ) +{ + char *ptr; + unsigned int message_length, version_number; + krb5_data ap_rep; + krb5_ap_rep_enc_part *ap_rep_enc; + krb5_error_code ret; + krb5_data cipherresult; + krb5_data clearresult; + krb5_replay_data replay; + krb5_keyblock *tmpkey; +/* +** validate the packet length - +*/ + if (packet->length < 4) + return(KRB5KRB_AP_ERR_MODIFIED); + + ptr = packet->data; + +/* +** see if it is an error +*/ + if (krb5_is_krb_error(packet)) { + krb5_error *krberror; + if (ret = krb5_rd_error(context, packet, &krberror)) + return(ret); + if (krberror->e_data.data == NULL) { + ret = ERROR_TABLE_BASE_krb5 + krberror->error; + krb5_free_error(context, krberror); + return (ret); + } + clearresult = krberror->e_data; + krberror->e_data.data = NULL; /*So we can free it later*/ + krberror->e_data.length = 0; + krb5_free_error(context, krberror); + + } else { /* Not an error*/ + +/* +** validate the message length - +** length is big endian +*/ + message_length = (((ptr[0] << 8)&0xff) | (ptr[1]&0xff)); + ptr += 2; +/* +** make sure the message length and packet length agree - +*/ + if (message_length != packet->length) + return(KRB5KRB_AP_ERR_MODIFIED); +/* +** get the version number - +*/ + version_number = (((ptr[0] << 8)&0xff) | (ptr[1]&0xff)); + ptr += 2; +/* +** make sure we support the version returned - +*/ +/* +** set password version is 0xff80, change password version is 1 +*/ + if (version_number != 0xff80 && version_number != 1) + return(KRB5KDC_ERR_BAD_PVNO); +/* +** now fill in ap_rep with the reply - +*/ +/* +** get the reply length - +*/ + ap_rep.length = (((ptr[0] << 8)&0xff) | (ptr[1]&0xff)); + ptr += 2; +/* +** validate ap_rep length agrees with the packet length - +*/ + if (ptr + ap_rep.length >= packet->data + packet->length) + return(KRB5KRB_AP_ERR_MODIFIED); +/* +** if data was returned, set the ap_rep ptr - +*/ + if( ap_rep.length ) { + ap_rep.data = ptr; + ptr += ap_rep.length; + + /* + * Save send_subkey to later smash recv_subkey. + */ + ret = krb5_auth_con_getsendsubkey(context, auth_context, &tmpkey); + if (ret) + return ret; + + ret = krb5_rd_rep(context, auth_context, &ap_rep, &ap_rep_enc); + if (ret) { + krb5_free_keyblock(context, tmpkey); + return(ret); + } + + krb5_free_ap_rep_enc_part(context, ap_rep_enc); +/* +** now decrypt the result - +*/ + cipherresult.data = ptr; + cipherresult.length = (packet->data + packet->length) - ptr; + + /* + * Smash recv_subkey to be send_subkey, per spec. + */ + ret = krb5_auth_con_setrecvsubkey(context, auth_context, tmpkey); + krb5_free_keyblock(context, tmpkey); + if (ret) + return ret; + + ret = krb5_rd_priv(context, auth_context, &cipherresult, &clearresult, + NULL); + if (ret) + return(ret); + } /*We got an ap_rep*/ + else + return (KRB5KRB_AP_ERR_MODIFIED); + } /*Response instead of error*/ + +/* +** validate the cleartext length +*/ + if (clearresult.length < 2) { + ret = KRB5KRB_AP_ERR_MODIFIED; + goto cleanup; + } +/* +** now decode the result - +*/ + ptr = clearresult.data; + + *result_code = (((ptr[0] << 8)&0xff) | (ptr[1]&0xff)); + ptr += 2; + +/* +** result code 5 is access denied +*/ + if ((*result_code < KRB5_KPASSWD_SUCCESS) || (*result_code > 5)) + { + ret = KRB5KRB_AP_ERR_MODIFIED; + goto cleanup; + } +/* +** all success replies should be authenticated/encrypted +*/ + if( (ap_rep.length == 0) && (*result_code == KRB5_KPASSWD_SUCCESS) ) + { + ret = KRB5KRB_AP_ERR_MODIFIED; + goto cleanup; + } + + if (result_data) { + result_data->length = (clearresult.data + clearresult.length) - ptr; + + if (result_data->length) + { + result_data->data = (char *) malloc(result_data->length); + if (result_data->data) + memcpy(result_data->data, ptr, result_data->length); + } + else + result_data->data = NULL; + } + ret = 0; + + cleanup: + krb5_free_data_contents(context, &clearresult); + return(ret); +} + +krb5_error_code +krb5int_setpw_result_code_string( krb5_context context, int result_code, const char **code_string ) +{ + switch (result_code) + { + case KRB5_KPASSWD_MALFORMED: + *code_string = "Malformed request error"; + break; + case KRB5_KPASSWD_HARDERROR: + *code_string = "Server error"; + break; + case KRB5_KPASSWD_AUTHERROR: + *code_string = "Authentication error"; + break; + case KRB5_KPASSWD_SOFTERROR: + *code_string = "Password change rejected"; + break; + case 5: /* access denied */ + *code_string = "Access denied"; + break; + case 6: /* bad version */ + *code_string = "Wrong protocol version"; + break; + case 7: /* initial flag is needed */ + *code_string = "Initial password required"; + break; + case 0: + *code_string = "Success"; + default: + *code_string = "Password change failed"; + break; + } + + return(0); +} + diff --git a/src/lib/krb5/krb/copy_data.c b/src/lib/krb5/krb/copy_data.c index 2899c5a88..1be2a2da5 100644 --- a/src/lib/krb5/krb/copy_data.c +++ b/src/lib/krb5/krb/copy_data.c @@ -58,3 +58,25 @@ krb5_copy_data(krb5_context context, const krb5_data *indata, krb5_data **outdat *outdata = tempdata; return 0; } + +krb5_error_code +krb5int_copy_data_contents(krb5_context context, const krb5_data *indata, krb5_data *outdata) +{ + if (!indata) { + return EINVAL; + } + + + outdata->length = indata->length; + if (outdata->length) { + if (!(outdata->data = malloc(outdata->length))) { + krb5_xfree(outdata); + return ENOMEM; + } + memcpy((char *)outdata->data, (char *)indata->data, outdata->length); + } else + outdata->data = 0; + outdata->magic = KV5M_DATA; + + return 0; +} diff --git a/src/lib/krb5/krb/fwd_tgt.c b/src/lib/krb5/krb/fwd_tgt.c index aa42f8cc1..844536bbd 100644 --- a/src/lib/krb5/krb/fwd_tgt.c +++ b/src/lib/krb5/krb/fwd_tgt.c @@ -161,9 +161,15 @@ retval = KRB5_FWD_BAD_PRINCIPAL; kdcoptions &= ~(KDC_OPT_FORWARDABLE); if ((retval = krb5_get_cred_via_tkt(context, &tgt, kdcoptions, - addrs, &creds, &pcreds))) - goto errout; - + addrs, &creds, &pcreds))) { + if (enctype) { + creds.keyblock.enctype = 0; + if ((retval = krb5_get_cred_via_tkt(context, &tgt, kdcoptions, + addrs, &creds, &pcreds))) + goto errout; + } + else goto errout; + } retval = krb5_mk_1cred(context, auth_context, pcreds, &scratch, &replaydata); krb5_free_creds(context, pcreds); diff --git a/src/lib/krb5/krb/gc_frm_kdc.c b/src/lib/krb5/krb/gc_frm_kdc.c index fdf00e6b1..8ca62cce6 100644 --- a/src/lib/krb5/krb/gc_frm_kdc.c +++ b/src/lib/krb5/krb/gc_frm_kdc.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1994 by the Massachusetts Institute of Technology. + * Copyright (c) 1994,2003 by the Massachusetts Institute of Technology. * Copyright (c) 1994 CyberSAFE Corporation * Copyright (c) 1993 Open Computing Security Group * Copyright (c) 1990,1991 by the Massachusetts Institute of Technology. @@ -76,6 +76,7 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache, krb5_creds krb5_principal *top_server = NULL; krb5_principal *next_server = NULL; unsigned int nservers = 0; + krb5_boolean old_use_conf_ktypes = context->use_conf_ktypes; /* in case we never get a TGT, zero the return */ @@ -114,6 +115,7 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache, krb5_creds goto cleanup; } + context->use_conf_ktypes = 1; if ((retval = krb5_cc_retrieve_cred(context, ccache, KRB5_TC_MATCH_SRV_NAMEONLY | KRB5_TC_SUPPORTED_KTYPES, &tgtq, &tgt))) { @@ -231,21 +233,17 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache, krb5_creds krb5_free_cred_contents(context, &tgtq); memset(&tgtq, 0, sizeof(tgtq)); -#ifdef HAVE_C_STRUCTURE_ASSIGNMENT tgtq.times = tgt.times; -#else - memcpy(&tgtq.times, &tgt.times, sizeof(krb5_ticket_times)); -#endif - if ((retval = krb5_copy_principal(context, tgt.client, &tgtq.client))) goto cleanup; if ((retval = krb5_copy_principal(context, int_server, &tgtq.server))) goto cleanup; tgtq.is_skey = FALSE; tgtq.ticket_flags = tgt.ticket_flags; - if ((retval = krb5_get_cred_via_tkt(context, &tgt, - FLAGS2OPTS(tgtq.ticket_flags), - tgt.addresses, &tgtq, &tgtr))) { + retval = krb5_get_cred_via_tkt(context, &tgt, + FLAGS2OPTS(tgtq.ticket_flags), + tgt.addresses, &tgtq, &tgtr); + if (retval) { /* * couldn't get one so now loop backwards through the realms @@ -301,12 +299,12 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache, krb5_creds goto cleanup; tgtq.is_skey = FALSE; tgtq.ticket_flags = tgt.ticket_flags; - if ((retval = krb5_get_cred_via_tkt(context, &tgt, - FLAGS2OPTS(tgtq.ticket_flags), - tgt.addresses, - &tgtq, &tgtr))) { + retval = krb5_get_cred_via_tkt(context, &tgt, + FLAGS2OPTS(tgtq.ticket_flags), + tgt.addresses, + &tgtq, &tgtr); + if (retval) continue; - } /* save tgt in return array */ if ((retval = krb5_copy_creds(context, tgtr, @@ -341,7 +339,9 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache, krb5_creds for (next_server = top_server; *next_server; next_server++) { krb5_data *realm_1 = krb5_princ_component(context, next_server[0], 1); krb5_data *realm_2 = krb5_princ_component(context, tgtr->server, 1); - if (realm_1->length == realm_2->length && + if (realm_1 != NULL && + realm_2 != NULL && + realm_1->length == realm_2->length && !memcmp(realm_1->data, realm_2->data, realm_1->length)) { break; } @@ -374,10 +374,12 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache, krb5_creds goto cleanup; } - retval = krb5_get_cred_via_tkt(context, &tgt, FLAGS2OPTS(tgt.ticket_flags) | - kdcopt | - (in_cred->second_ticket.length ? - KDC_OPT_ENC_TKT_IN_SKEY : 0), + context->use_conf_ktypes = old_use_conf_ktypes; + retval = krb5_get_cred_via_tkt(context, &tgt, + FLAGS2OPTS(tgt.ticket_flags) | + kdcopt | + (in_cred->second_ticket.length ? + KDC_OPT_ENC_TKT_IN_SKEY : 0), tgt.addresses, in_cred, out_cred); /* cleanup and return */ @@ -393,6 +395,7 @@ cleanup: if (ret_tgts) free(ret_tgts); krb5_free_cred_contents(context, &tgt); } + context->use_conf_ktypes = old_use_conf_ktypes; return(retval); } diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c index dc06c5353..3ccb6066f 100644 --- a/src/lib/krb5/krb/get_in_tkt.c +++ b/src/lib/krb5/krb/get_in_tkt.c @@ -1,7 +1,7 @@ /* * lib/krb5/krb/get_in_tkt.c * - * Copyright 1990,1991 by the Massachusetts Institute of Technology. + * Copyright 1990,1991, 2003 by the Massachusetts Institute of Technology. * All Rights Reserved. * * Export of this software from the United States of America may @@ -734,6 +734,7 @@ krb5_get_init_creds(krb5_context context, krb5_deltat renew_life; int loopcount; krb5_data salt; + krb5_data s2kparams; krb5_keyblock as_key; krb5_error *err_reply; krb5_kdc_rep *local_as_reply; @@ -742,6 +743,8 @@ krb5_get_init_creds(krb5_context context, /* initialize everything which will be freed at cleanup */ + s2kparams.data = NULL; + s2kparams.length = 0; request.server = NULL; request.ktype = NULL; request.addresses = NULL; @@ -927,7 +930,7 @@ krb5_get_init_creds(krb5_context context, if ((ret = krb5_do_preauth(context, &request, padata, &request.padata, - &salt, &etype, &as_key, prompter, + &salt, &s2kparams, &etype, &as_key, prompter, prompter_data, gak_fct, gak_data))) goto cleanup; @@ -973,7 +976,7 @@ krb5_get_init_creds(krb5_context context, if ((ret = krb5_do_preauth(context, &request, local_as_reply->padata, &padata, - &salt, &etype, &as_key, prompter, + &salt, &s2kparams, &etype, &as_key, prompter, prompter_data, gak_fct, gak_data))) goto cleanup; @@ -1005,7 +1008,7 @@ krb5_get_init_creds(krb5_context context, if ((ret = ((*gak_fct)(context, request.client, local_as_reply->enc_part.enctype, - prompter, prompter_data, &salt, + prompter, prompter_data, &salt, &s2kparams, &as_key, gak_data)))) goto cleanup; @@ -1050,6 +1053,7 @@ cleanup: if (salt.data && (!(options && (options->flags & KRB5_GET_INIT_CREDS_OPT_SALT)))) krb5_xfree(salt.data); + krb5_free_data_contents(context, &s2kparams); if (as_reply) *as_reply = local_as_reply; else if (local_as_reply) diff --git a/src/lib/krb5/krb/gic_keytab.c b/src/lib/krb5/krb/gic_keytab.c index a7cb773a0..e7fb1aec6 100644 --- a/src/lib/krb5/krb/gic_keytab.c +++ b/src/lib/krb5/krb/gic_keytab.c @@ -8,6 +8,7 @@ krb5_get_as_key_keytab( krb5_prompter_fct prompter, void *prompter_data, krb5_data *salt, + krb5_data *params, krb5_keyblock *as_key, void *gak_data) { diff --git a/src/lib/krb5/krb/gic_pwd.c b/src/lib/krb5/krb/gic_pwd.c index 7b5e0bab3..54cf5f461 100644 --- a/src/lib/krb5/krb/gic_pwd.c +++ b/src/lib/krb5/krb/gic_pwd.c @@ -9,6 +9,7 @@ krb5_get_as_key_password( krb5_prompter_fct prompter, void *prompter_data, krb5_data *salt, + krb5_data *params, krb5_keyblock *as_key, void *gak_data) { @@ -74,7 +75,8 @@ krb5_get_as_key_password( defsalt.length = 0; } - ret = krb5_c_string_to_key(context, etype, password, salt, as_key); + ret = krb5_c_string_to_key_with_params(context, etype, password, salt, + params->data?params:NULL, as_key); if (defsalt.length) krb5_xfree(defsalt.data); diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c index 59b6123e6..a37d8e0a7 100644 --- a/src/lib/krb5/krb/init_ctx.c +++ b/src/lib/krb5/krb/init_ctx.c @@ -1,7 +1,7 @@ /* * lib/krb5/krb/init_ctx.c * - * Copyright 1994,1999,2000, 2002 by the Massachusetts Institute of Technology. + * Copyright 1994,1999,2000, 2002, 2003 by the Massachusetts Institute of Technology. * All Rights Reserved. * * Export of this software from the United States of America may @@ -65,9 +65,14 @@ them. This'll be fixed, but for better compatibility, let's prefer des-crc for now. */ #define DEFAULT_ETYPE_LIST \ + "aes256-cts-hmac-sha1-96 " \ "des3-cbc-sha1 arcfour-hmac-md5 " \ "des-cbc-crc des-cbc-md5 des-cbc-md4 " +/* Not included: + "aes128-cts-hmac-sha1-96 " \ + */ + #if (defined(_WIN32)) extern krb5_error_code krb5_vercheck(); extern void krb5_win_ccdll_load(krb5_context context); @@ -142,6 +147,13 @@ init_common (krb5_context *context, krb5_boolean secure) if ((retval = krb5_set_default_tgs_ktypes(ctx, NULL))) goto cleanup; + ctx->conf_tgs_ktypes = calloc(ctx->tgs_ktype_count, sizeof(krb5_enctype)); + if (ctx->conf_tgs_ktypes == NULL && ctx->tgs_ktype_count != 0) + goto cleanup; + memcpy(ctx->conf_tgs_ktypes, ctx->tgs_ktypes, + sizeof(krb5_enctype) * ctx->tgs_ktype_count); + ctx->conf_tgs_ktypes_count = ctx->tgs_ktype_count; + if ((retval = krb5_os_init_context(ctx))) goto cleanup; @@ -217,6 +229,7 @@ init_common (krb5_context *context, krb5_boolean secure) ctx->fcc_default_format = tmp + 0x0500; ctx->scc_default_format = tmp + 0x0500; ctx->prompt_types = 0; + ctx->use_conf_ktypes = 0; ctx->udp_pref_limit = -1; *context = ctx; @@ -243,6 +256,11 @@ krb5_free_context(krb5_context ctx) ctx->tgs_ktypes = 0; } + if (ctx->conf_tgs_ktypes) { + free(ctx->conf_tgs_ktypes); + ctx->conf_tgs_ktypes = 0; + } + if (ctx->default_realm) { free(ctx->default_realm); ctx->default_realm = 0; @@ -291,7 +309,8 @@ krb5_set_default_in_tkt_ktypes(krb5_context context, const krb5_enctype *ktypes) } static krb5_error_code -get_profile_etype_list(krb5_context context, krb5_enctype **ktypes, char *profstr, int ctx_count, krb5_enctype *ctx_list) +get_profile_etype_list(krb5_context context, krb5_enctype **ktypes, char *profstr, + int ctx_count, krb5_enctype *ctx_list) { krb5_enctype *old_ktypes; @@ -426,9 +445,16 @@ krb5_error_code KRB5_CALLCONV krb5_get_tgs_ktypes(krb5_context context, krb5_const_principal princ, krb5_enctype **ktypes) { - return(get_profile_etype_list(context, ktypes, "default_tgs_enctypes", - context->tgs_ktype_count, - context->tgs_ktypes)); + if (context->use_conf_ktypes) + /* This one is set *only* by reading the config file; it's not + set by the application. */ + return(get_profile_etype_list(context, ktypes, "default_tgs_enctypes", + context->conf_tgs_ktypes_count, + context->conf_tgs_ktypes)); + else + return(get_profile_etype_list(context, ktypes, "default_tgs_enctypes", + context->tgs_ktype_count, + context->tgs_ktypes)); } krb5_error_code diff --git a/src/lib/krb5/krb/kfree.c b/src/lib/krb5/krb/kfree.c index 46d485d32..470043971 100644 --- a/src/lib/krb5/krb/kfree.c +++ b/src/lib/krb5/krb/kfree.c @@ -246,6 +246,7 @@ void krb5_free_etype_info(krb5_context context, krb5_etype_info info) for(i=0; info[i] != NULL; i++) { if (info[i]->salt) free(info[i]->salt); + krb5_free_data_contents( context, &info[i]->s2kparams); free(info[i]); } free(info); @@ -429,14 +430,20 @@ krb5_free_pwd_data(krb5_context context, krb5_pwd_data *val) void KRB5_CALLCONV krb5_free_pwd_sequences(krb5_context context, passwd_phrase_element **val) { - if ((*val)->passwd) { - krb5_xfree((*val)->passwd); - (*val)->passwd = 0; - } - if ((*val)->phrase) { - krb5_xfree((*val)->phrase); - (*val)->phrase = 0; + register passwd_phrase_element **temp; + + for (temp = val; *temp; temp++) { + if ((*temp)->passwd) { + krb5_free_data(context, (*temp)->passwd); + (*temp)->passwd = 0; + } + if ((*temp)->phrase) { + krb5_free_data(context, (*temp)->phrase); + (*temp)->phrase = 0; + } + krb5_xfree(*temp); } + krb5_xfree(val); } diff --git a/src/lib/krb5/krb/mk_cred.c b/src/lib/krb5/krb/mk_cred.c index 638929861..04248c08d 100644 --- a/src/lib/krb5/krb/mk_cred.c +++ b/src/lib/krb5/krb/mk_cred.c @@ -182,9 +182,8 @@ krb5_mk_ncred(krb5_context context, krb5_auth_context auth_context, krb5_creds * memset(pcred->tickets, 0, sizeof(krb5_ticket *) * (ncred +1)); /* Get keyblock */ - if ((keyblock = auth_context->local_subkey) == NULL) - if ((keyblock = auth_context->remote_subkey) == NULL) - keyblock = auth_context->keyblock; + if ((keyblock = auth_context->send_subkey) == NULL) + keyblock = auth_context->keyblock; /* Get replay info */ if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) && diff --git a/src/lib/krb5/krb/mk_priv.c b/src/lib/krb5/krb/mk_priv.c index 196b6eea0..efe254ac0 100644 --- a/src/lib/krb5/krb/mk_priv.c +++ b/src/lib/krb5/krb/mk_priv.c @@ -119,9 +119,8 @@ krb5_mk_priv(krb5_context context, krb5_auth_context auth_context, memset((char *) &replaydata, 0, sizeof(krb5_replay_data)); /* Get keyblock */ - if ((keyblock = auth_context->local_subkey) == NULL) - if ((keyblock = auth_context->remote_subkey) == NULL) - keyblock = auth_context->keyblock; + if ((keyblock = auth_context->send_subkey) == NULL) + keyblock = auth_context->keyblock; /* Get replay info */ if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) && diff --git a/src/lib/krb5/krb/mk_req_ext.c b/src/lib/krb5/krb/mk_req_ext.c index 1ed14a922..91a4f3d1c 100644 --- a/src/lib/krb5/krb/mk_req_ext.c +++ b/src/lib/krb5/krb/mk_req_ext.c @@ -130,7 +130,7 @@ krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context, goto cleanup; } - if ((ap_req_options & AP_OPTS_USE_SUBKEY)&&(!(*auth_context)->local_subkey)) { + if ((ap_req_options & AP_OPTS_USE_SUBKEY)&&(!(*auth_context)->send_subkey)) { /* Provide some more fodder for random number code. This isn't strong cryptographically; the point here is not to guarantee randomness, but to make it less likely that multiple @@ -145,8 +145,15 @@ krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context, (void) krb5_c_random_add_entropy (context, KRB5_C_RANDSOURCE_TIMING, &d); if ((retval = krb5_generate_subkey(context, &(in_creds)->keyblock, - &(*auth_context)->local_subkey))) + &(*auth_context)->send_subkey))) goto cleanup; + retval = krb5_copy_keyblock(context, (*auth_context)->send_subkey, + &((*auth_context)->recv_subkey)); + if (retval) { + krb5_free_keyblock(context, (*auth_context)->send_subkey); + (*auth_context)->send_subkey = NULL; + goto cleanup; + } } @@ -178,7 +185,7 @@ krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context, if ((retval = krb5_generate_authenticator(context, (*auth_context)->authentp, (in_creds)->client, checksump, - (*auth_context)->local_subkey, + (*auth_context)->send_subkey, (*auth_context)->local_seq_number, (in_creds)->authdata))) goto cleanup_cksum; diff --git a/src/lib/krb5/krb/mk_safe.c b/src/lib/krb5/krb/mk_safe.c index 992a456a9..eefcab7cd 100644 --- a/src/lib/krb5/krb/mk_safe.c +++ b/src/lib/krb5/krb/mk_safe.c @@ -120,9 +120,8 @@ krb5_mk_safe(krb5_context context, krb5_auth_context auth_context, const krb5_da memset((char *) &replaydata, 0, sizeof(krb5_replay_data)); /* Get keyblock */ - if ((keyblock = auth_context->local_subkey) == NULL) - if ((keyblock = auth_context->remote_subkey) == NULL) - keyblock = auth_context->keyblock; + if ((keyblock = auth_context->send_subkey) == NULL) + keyblock = auth_context->keyblock; /* Get replay info */ if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) && diff --git a/src/lib/krb5/krb/parse.c b/src/lib/krb5/krb/parse.c index abbcfbe2d..3debb6acf 100644 --- a/src/lib/krb5/krb/parse.c +++ b/src/lib/krb5/krb/parse.c @@ -170,11 +170,13 @@ krb5_parse_name(krb5_context context, const char *name, krb5_principal *nprincip cp++; size++; } else if (c == COMPONENT_SEP) { - krb5_princ_component(context, principal, i)->length = size; + if (krb5_princ_size(context, principal) > i) + krb5_princ_component(context, principal, i)->length = size; size = 0; i++; } else if (c == REALM_SEP) { - krb5_princ_component(context, principal, i)->length = size; + if (krb5_princ_size(context, principal) > i) + krb5_princ_component(context, principal, i)->length = size; size = 0; parsed_realm = cp+1; } else @@ -183,7 +185,8 @@ krb5_parse_name(krb5_context context, const char *name, krb5_principal *nprincip if (parsed_realm) krb5_princ_realm(context, principal)->length = size; else - krb5_princ_component(context, principal, i)->length = size; + if (krb5_princ_size(context, principal) > i) + krb5_princ_component(context, principal, i)->length = size; if (i + 1 != components) { #if !defined(_WIN32) && !defined(macintosh) fprintf(stderr, diff --git a/src/lib/krb5/krb/preauth2.c b/src/lib/krb5/krb/preauth2.c index e50440e2b..cdce093b8 100644 --- a/src/lib/krb5/krb/preauth2.c +++ b/src/lib/krb5/krb/preauth2.c @@ -35,7 +35,7 @@ typedef krb5_error_code (*pa_function)(krb5_context, krb5_kdc_req *request, krb5_pa_data *in_padata, krb5_pa_data **out_padata, - krb5_data *salt, + krb5_data *salt, krb5_data *s2kparams, krb5_enctype *etype, krb5_keyblock *as_key, krb5_prompter_fct prompter_fct, @@ -57,7 +57,7 @@ krb5_error_code pa_salt(krb5_context context, krb5_kdc_req *request, krb5_pa_data *in_padata, krb5_pa_data **out_padata, - krb5_data *salt, + krb5_data *salt, krb5_data *s2kparams, krb5_enctype *etype, krb5_keyblock *as_key, krb5_prompter_fct prompter, void *prompter_data, @@ -65,22 +65,11 @@ krb5_error_code pa_salt(krb5_context context, { krb5_data tmp; - /* screw the abstraction. If there was a *reasonable* copy_data, - I'd use it. But I'm inside the library, which is the twilight - zone of source code, so I can do anything. */ - + tmp.data = in_padata->contents; tmp.length = in_padata->length; - if (tmp.length) { - if ((tmp.data = malloc(tmp.length)) == NULL) - return ENOMEM; - memcpy(tmp.data, in_padata->contents, tmp.length); - } else { - tmp.data = NULL; - } - - *salt = tmp; - - /* assume that no other salt was allocated */ + krb5_free_data_contents(context, salt); + krb5int_copy_data_contents(context, &tmp, salt); + if (in_padata->pa_type == KRB5_PADATA_AFS3_SALT) salt->length = SALT_TYPE_AFS_LENGTH; @@ -94,6 +83,7 @@ krb5_error_code pa_enc_timestamp(krb5_context context, krb5_pa_data *in_padata, krb5_pa_data **out_padata, krb5_data *salt, + krb5_data *s2kparams, krb5_enctype *etype, krb5_keyblock *as_key, krb5_prompter_fct prompter, @@ -119,7 +109,7 @@ krb5_error_code pa_enc_timestamp(krb5_context context, if ((ret = ((*gak_fct)(context, request->client, *etype ? *etype : request->ktype[0], prompter, prompter_data, - salt, as_key, gak_data)))) + salt, s2kparams, as_key, gak_data)))) return(ret); } @@ -233,6 +223,7 @@ krb5_error_code pa_sam(krb5_context context, krb5_pa_data *in_padata, krb5_pa_data **out_padata, krb5_data *salt, + krb5_data *s2kparams, krb5_enctype *etype, krb5_keyblock *as_key, krb5_prompter_fct prompter, @@ -283,7 +274,7 @@ krb5_error_code pa_sam(krb5_context context, *etype = ENCTYPE_DES_CBC_CRC; if ((ret = (gak_fct)(context, request->client, *etype, prompter, - prompter_data, salt, as_key, gak_data))) + prompter_data, salt, s2kparams, as_key, gak_data))) return(ret); } sprintf(name, "%.*s", @@ -472,6 +463,7 @@ krb5_error_code pa_sam_2(krb5_context context, krb5_pa_data *in_padata, krb5_pa_data **out_padata, krb5_data *salt, + krb5_data *s2kparams, krb5_enctype *etype, krb5_keyblock *as_key, krb5_prompter_fct prompter, @@ -542,7 +534,7 @@ krb5_error_code pa_sam_2(krb5_context context, retval = (gak_fct)(context, request->client, sc2b->sam_etype, prompter, - prompter_data, salt, as_key, gak_data); + prompter_data, salt, s2kparams, as_key, gak_data); if (retval) { krb5_free_sam_challenge_2(context, sc2); krb5_free_sam_challenge_2_body(context, sc2b); @@ -827,87 +819,19 @@ static const pa_types_t pa_types[] = { }, }; -static void -sort_etype_info(krb5_context context, krb5_kdc_req *request, - krb5_etype_info_entry **etype_info) -{ -/* Originally adapted from a proposed solution in ticket 1006. This - * solution is not efficient, but implementing an efficient sort - * with a comparison function based on order in the kdc request would - * be difficult.*/ - krb5_etype_info_entry *tmp; - int i, j, e; - krb5_boolean similar; - - if (etype_info == NULL) - return; - - /* First, move up etype_info_entries whose enctype exactly matches a - * requested enctype. - */ - e = 0; - for ( i = 0 ; i < request->nktypes && etype_info[e] != NULL ; i++ ) - { - if (request->ktype[i] == etype_info[e]->etype) - { - e++; - continue; - } - for ( j = e+1 ; etype_info[j] ; j++ ) - if (request->ktype[i] == etype_info[j]->etype) - break; - if (etype_info[j] == NULL) - continue; - - tmp = etype_info[j]; - etype_info[j] = etype_info[e]; - etype_info[e] = tmp; - e++; - } - - /* Then move up etype_info_entries whose enctype is similar to a - * requested enctype. - */ - for ( i = 0 ; i < request->nktypes && etype_info[e] != NULL ; i++ ) - { - if (krb5_c_enctype_compare(context, request->ktype[i], etype_info[e]->etype, &similar) != 0) - continue; - - if (similar) - { - e++; - continue; - } - for ( j = e+1 ; etype_info[j] ; j++ ) - { - if (krb5_c_enctype_compare(context, request->ktype[i], etype_info[j]->etype, &similar) != 0) - continue; - - if (similar) - break; - } - if (etype_info[j] == NULL) - continue; - - tmp = etype_info[j]; - etype_info[j] = etype_info[e]; - etype_info[e] = tmp; - e++; - } -} - - krb5_error_code krb5_do_preauth(krb5_context context, krb5_kdc_req *request, krb5_pa_data **in_padata, krb5_pa_data ***out_padata, - krb5_data *salt, krb5_enctype *etype, + krb5_data *salt, krb5_data *s2kparams, + krb5_enctype *etype, krb5_keyblock *as_key, krb5_prompter_fct prompter, void *prompter_data, krb5_gic_get_as_key_fct gak_fct, void *gak_data) { int h, i, j, out_pa_list_size; - krb5_pa_data *out_pa, **out_pa_list; + int seen_etype_info2 = 0; + krb5_pa_data *out_pa = NULL, **out_pa_list = NULL; krb5_data scratch; krb5_etype_info etype_info = NULL; krb5_error_code ret; @@ -938,6 +862,7 @@ krb5_do_preauth(krb5_context context, for (h=0; h<(sizeof(paorder)/sizeof(paorder[0])); h++) { realdone = 0; for (i=0; in_padata[i] && !realdone; i++) { + int k, l, etype_found, valid_etype_found; /* * This is really gross, but is necessary to prevent * lossge when talking to a 1.0.x KDC, which returns an @@ -946,27 +871,76 @@ krb5_do_preauth(krb5_context context, */ switch (in_padata[i]->pa_type) { case KRB5_PADATA_ETYPE_INFO: - if (etype_info) - continue; + case KRB5_PADATA_ETYPE_INFO2: + { + krb5_preauthtype pa_type = in_padata[i]->pa_type; + if (etype_info) { + if (seen_etype_info2 || pa_type != KRB5_PADATA_ETYPE_INFO2) + continue; + if (pa_type == KRB5_PADATA_ETYPE_INFO2) { + krb5_free_etype_info( context, etype_info); + etype_info = NULL; + } + } + + if (pa_type == KRB5_PADATA_ETYPE_INFO2) + seen_etype_info2++; scratch.length = in_padata[i]->length; scratch.data = (char *) in_padata[i]->contents; ret = decode_krb5_etype_info(&scratch, &etype_info); if (ret) { - if (out_pa_list) { - out_pa_list[out_pa_list_size++] = NULL; - krb5_free_pa_data(context, out_pa_list); - } - return ret; + goto cleanup; } if (etype_info[0] == NULL) { krb5_free_etype_info(context, etype_info); etype_info = NULL; break; } - sort_etype_info(context, request, etype_info); - salt->data = (char *) etype_info[0]->salt; - salt->length = etype_info[0]->length; - *etype = etype_info[0]->etype; + /* + * Select first etype in our request which is also in + * etype-info (preferring client request ktype order). + */ + for (etype_found = 0, valid_etype_found = 0, k = 0; + !etype_found && k < request->nktypes; k++) { + for (l = 0; etype_info[l]; l++) { + if (etype_info[l]->etype == request->ktype[k]) { + etype_found++; + break; + } + /* check if program has support for this etype for more + * precise error reporting. + */ + if (valid_enctype(etype_info[l]->etype)) + valid_etype_found++; + } + } + if (!etype_found) { + if (valid_etype_found) { + /* supported enctype but not requested */ + ret = KRB5_CONFIG_ETYPE_NOSUPP; + goto cleanup; + } + else { + /* unsupported enctype */ + ret = KRB5_PROG_ETYPE_NOSUPP; + goto cleanup; + } + + } + scratch.data = (char *) etype_info[l]->salt; + scratch.length = etype_info[l]->length; + krb5_free_data_contents(context, salt); + if (scratch.length == KRB5_ETYPE_NO_SALT) + salt->data = NULL; + else + if ((ret = krb5int_copy_data_contents( context, &scratch, salt)) != 0) + goto cleanup; + *etype = etype_info[l]->etype; + krb5_free_data_contents(context, s2kparams); + if ((ret = krb5int_copy_data_contents(context, + &etype_info[l]->s2kparams, + s2kparams)) != 0) + goto cleanup; #ifdef DEBUG for (j = 0; etype_info[j]; j++) { krb5_etype_info_entry *e = etype_info[j]; @@ -978,6 +952,7 @@ krb5_do_preauth(krb5_context context, } #endif break; + } case KRB5_PADATA_PW_SALT: case KRB5_PADATA_AFS3_SALT: if (etype_info) @@ -993,16 +968,10 @@ krb5_do_preauth(krb5_context context, if ((ret = ((*pa_types[j].fct)(context, request, in_padata[i], &out_pa, - salt, etype, as_key, + salt, s2kparams, etype, as_key, prompter, prompter_data, gak_fct, gak_data)))) { - if (out_pa_list) { - out_pa_list[out_pa_list_size++] = NULL; - krb5_free_pa_data(context, out_pa_list); - } - if (etype_info) - krb5_free_etype_info(context, etype_info); - return(ret); + goto cleanup; } if (out_pa) { @@ -1010,18 +979,22 @@ krb5_do_preauth(krb5_context context, if ((out_pa_list = (krb5_pa_data **) malloc(2*sizeof(krb5_pa_data *))) - == NULL) - return(ENOMEM); + == NULL) { + ret = ENOMEM; + goto cleanup; + } } else { if ((out_pa_list = (krb5_pa_data **) realloc(out_pa_list, (out_pa_list_size+2)* sizeof(krb5_pa_data *))) - == NULL) - /* XXX this will leak the pointers which + == NULL) { + /* XXX this will leak the pointers which have already been allocated. oh well. */ - return(ENOMEM); + ret = ENOMEM; + goto cleanup; + } } out_pa_list[out_pa_list_size++] = out_pa; @@ -1037,6 +1010,16 @@ krb5_do_preauth(krb5_context context, out_pa_list[out_pa_list_size++] = NULL; *out_padata = out_pa_list; - + if (etype_info) + krb5_free_etype_info(context, etype_info); + return(0); + cleanup: + if (out_pa_list) { + out_pa_list[out_pa_list_size++] = NULL; + krb5_free_pa_data(context, out_pa_list); + } + if (etype_info) + krb5_free_etype_info(context, etype_info); + return (ret); } diff --git a/src/lib/krb5/krb/rd_cred.c b/src/lib/krb5/krb/rd_cred.c index 228219f76..0359d40c3 100644 --- a/src/lib/krb5/krb/rd_cred.c +++ b/src/lib/krb5/krb/rd_cred.c @@ -169,9 +169,8 @@ krb5_rd_cred(krb5_context context, krb5_auth_context auth_context, krb5_data *pc krb5_replay_data replaydata; /* Get keyblock */ - if ((keyblock = auth_context->remote_subkey) == NULL) - if ((keyblock = auth_context->local_subkey) == NULL) - keyblock = auth_context->keyblock; + if ((keyblock = auth_context->recv_subkey) == NULL) + keyblock = auth_context->keyblock; if (((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) || (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) && diff --git a/src/lib/krb5/krb/rd_priv.c b/src/lib/krb5/krb/rd_priv.c index 813205662..180559cc2 100644 --- a/src/lib/krb5/krb/rd_priv.c +++ b/src/lib/krb5/krb/rd_priv.c @@ -156,9 +156,8 @@ krb5_rd_priv(krb5_context context, krb5_auth_context auth_context, const krb5_da krb5_replay_data replaydata; /* Get keyblock */ - if ((keyblock = auth_context->remote_subkey) == NULL) - if ((keyblock = auth_context->local_subkey) == NULL) - keyblock = auth_context->keyblock; + if ((keyblock = auth_context->recv_subkey) == NULL) + keyblock = auth_context->keyblock; if (((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) || (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) && diff --git a/src/lib/krb5/krb/rd_rep.c b/src/lib/krb5/krb/rd_rep.c index e35e43f5d..50ce51331 100644 --- a/src/lib/krb5/krb/rd_rep.c +++ b/src/lib/krb5/krb/rd_rep.c @@ -82,7 +82,15 @@ krb5_rd_rep(krb5_context context, krb5_auth_context auth_context, const krb5_dat /* Set auth subkey */ if ((*repl)->subkey) { retval = krb5_copy_keyblock(context, (*repl)->subkey, - &auth_context->remote_subkey); + &auth_context->recv_subkey); + if (retval) + goto clean_scratch; + retval = krb5_copy_keyblock(context, (*repl)->subkey, + &auth_context->send_subkey); + if (retval) { + krb5_free_keyblock(context, auth_context->send_subkey); + auth_context->send_subkey = NULL; + } } /* Get remote sequence number */ diff --git a/src/lib/krb5/krb/rd_req.c b/src/lib/krb5/krb/rd_req.c index f844e3cd6..9a2f4589d 100644 --- a/src/lib/krb5/krb/rd_req.c +++ b/src/lib/krb5/krb/rd_req.c @@ -83,7 +83,9 @@ krb5_rd_req(krb5_context context, krb5_auth_context *auth_context, const krb5_da server = request->ticket->server; } /* Get an rcache if necessary. */ - if (((*auth_context)->rcache == NULL) && server) { + if (((*auth_context)->rcache == NULL) + && ((*auth_context)->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) +&& server) { if ((retval = krb5_get_server_rcache(context, krb5_princ_component(context,server,0), &(*auth_context)->rcache))) goto cleanup_auth_context; diff --git a/src/lib/krb5/krb/rd_req_dec.c b/src/lib/krb5/krb/rd_req_dec.c index fa126b4ab..3c398aed1 100644 --- a/src/lib/krb5/krb/rd_req_dec.c +++ b/src/lib/krb5/krb/rd_req_dec.c @@ -290,10 +290,18 @@ krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context, c if ((*auth_context)->authentp->subkey) { if ((retval = krb5_copy_keyblock(context, (*auth_context)->authentp->subkey, - &((*auth_context)->remote_subkey)))) + &((*auth_context)->recv_subkey)))) goto cleanup; + retval = krb5_copy_keyblock(context, (*auth_context)->authentp->subkey, + &((*auth_context)->send_subkey)); + if (retval) { + krb5_free_keyblock(context, (*auth_context)->recv_subkey); + (*auth_context)->recv_subkey = NULL; + goto cleanup; + } } else { - (*auth_context)->remote_subkey = 0; + (*auth_context)->recv_subkey = 0; + (*auth_context)->send_subkey = 0; } if ((retval = krb5_copy_keyblock(context, req->ticket->enc_part2->session, diff --git a/src/lib/krb5/krb/rd_safe.c b/src/lib/krb5/krb/rd_safe.c index 0f6cec27f..3194229a3 100644 --- a/src/lib/krb5/krb/rd_safe.c +++ b/src/lib/krb5/krb/rd_safe.c @@ -161,9 +161,8 @@ krb5_rd_safe(krb5_context context, krb5_auth_context auth_context, const krb5_da return KRB5_RC_REQUIRED; /* Get keyblock */ - if ((keyblock = auth_context->remote_subkey) == NULL) - if ((keyblock = auth_context->local_subkey) == NULL) - keyblock = auth_context->keyblock; + if ((keyblock = auth_context->recv_subkey) == NULL) + keyblock = auth_context->keyblock; { krb5_address * premote_fulladdr = NULL; diff --git a/src/lib/krb5/krb/ser_actx.c b/src/lib/krb5/krb/ser_actx.c index a8ec90ee6..32519e19f 100644 --- a/src/lib/krb5/krb/ser_actx.c +++ b/src/lib/krb5/krb/ser_actx.c @@ -151,21 +151,21 @@ krb5_auth_context_size(krb5_context kcontext, krb5_pointer arg, size_t *sizep) required += sizeof(krb5_int32); } - /* Calculate size required by local_subkey, if appropriate */ - if (!kret && auth_context->local_subkey) { + /* Calculate size required by send_subkey, if appropriate */ + if (!kret && auth_context->send_subkey) { kret = krb5_size_opaque(kcontext, KV5M_KEYBLOCK, - (krb5_pointer) auth_context->local_subkey, + (krb5_pointer) auth_context->send_subkey, &required); if (!kret) required += sizeof(krb5_int32); } - /* Calculate size required by remote_subkey, if appropriate */ - if (!kret && auth_context->remote_subkey) { + /* Calculate size required by recv_subkey, if appropriate */ + if (!kret && auth_context->recv_subkey) { kret = krb5_size_opaque(kcontext, KV5M_KEYBLOCK, - (krb5_pointer) auth_context->remote_subkey, + (krb5_pointer) auth_context->recv_subkey, &required); if (!kret) required += sizeof(krb5_int32); @@ -300,23 +300,23 @@ krb5_auth_context_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octe } /* Now handle subkey, if appropriate */ - if (!kret && auth_context->local_subkey) { + if (!kret && auth_context->send_subkey) { (void) krb5_ser_pack_int32(TOKEN_LSKBLOCK, &bp, &remain); kret = krb5_externalize_opaque(kcontext, KV5M_KEYBLOCK, (krb5_pointer) - auth_context->local_subkey, + auth_context->send_subkey, &bp, &remain); } /* Now handle subkey, if appropriate */ - if (!kret && auth_context->remote_subkey) { + if (!kret && auth_context->recv_subkey) { (void) krb5_ser_pack_int32(TOKEN_RSKBLOCK, &bp, &remain); kret = krb5_externalize_opaque(kcontext, KV5M_KEYBLOCK, (krb5_pointer) - auth_context->remote_subkey, + auth_context->recv_subkey, &bp, &remain); } @@ -474,26 +474,26 @@ krb5_auth_context_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_oc kret = krb5_ser_unpack_int32(&tag, &bp, &remain); } - /* This is the local_subkey */ + /* This is the send_subkey */ if (!kret && (tag == TOKEN_LSKBLOCK)) { if (!(kret = krb5_internalize_opaque(kcontext, KV5M_KEYBLOCK, (krb5_pointer *) &auth_context-> - local_subkey, + send_subkey, &bp, &remain))) kret = krb5_ser_unpack_int32(&tag, &bp, &remain); } - /* This is the remote_subkey */ + /* This is the recv_subkey */ if (!kret) { if (tag == TOKEN_RSKBLOCK) { kret = krb5_internalize_opaque(kcontext, KV5M_KEYBLOCK, (krb5_pointer *) &auth_context-> - remote_subkey, + recv_subkey, &bp, &remain); } diff --git a/src/lib/krb5/krb/srv_rcache.c b/src/lib/krb5/krb/srv_rcache.c index aa41bc52b..e2e5ed690 100644 --- a/src/lib/krb5/krb/srv_rcache.c +++ b/src/lib/krb5/krb/srv_rcache.c @@ -48,6 +48,9 @@ krb5_get_server_rcache(krb5_context context, const krb5_data *piece, krb5_rcache unsigned long uid = geteuid(); #endif + if (piece == NULL) + return ENOMEM; + rcache = (krb5_rcache) malloc(sizeof(*rcache)); if (!rcache) return ENOMEM; diff --git a/src/lib/krb5/krb/unparse.c b/src/lib/krb5/krb/unparse.c index f0e52dcee..6f1a3c9e8 100644 --- a/src/lib/krb5/krb/unparse.c +++ b/src/lib/krb5/krb/unparse.c @@ -149,7 +149,8 @@ krb5_unparse_name_ext(krb5_context context, krb5_const_principal principal, regi *q++ = COMPONENT_SEP; } - q--; /* Back up last component separator */ + if (i > 0) + q--; /* Back up last component separator */ *q++ = REALM_SEP; cp = krb5_princ_realm(context, principal)->data; diff --git a/src/lib/krb5/os/ChangeLog b/src/lib/krb5/os/ChangeLog index 51638d9e4..b5bb85cf6 100644 --- a/src/lib/krb5/os/ChangeLog +++ b/src/lib/krb5/os/ChangeLog @@ -1,3 +1,37 @@ +2003-05-06 Alexandra Ellwood + * init_os_ctx.c: Added support for KLL's __KLAllowHomeDirectoryAccess() + function so that krb4, krb5 and gssapi will not access the user's homedir + if the application forbids it. + +2003-04-28 Sam Hartman + + * changepw.c (krb5_change_set_password): Locate server in realm of + creds.server, not in realm of target principal because target + principal is null in the changepw case. + +2003-04-27 Sam Hartman + + * changepw.c (krb5_change_set_password): Call + krb5_setpw_result_code_string not krb5_setpw_result_code_string + +2003-04-24 Sam Hartman + + * changepw.c (krb5_change_set_password): return error from + auth_con_setaddrs not last socket errno if auth_con_setaddrs fails + +2003-04-15 Sam Hartman + + * changepw.c (krb5_change_set_password): Patches from Paul Nelson + to implement Microsoft set password protocol + (krb5_set_password_using_ccache): Use kadmin/changepw in target realm, not local realm and use a two-component principal + (krb5_change_set_password): Find the kpasswd server for the realm + of the target principal not the client + +2003-04-13 Ken Raeburn + + * read_pwd.c (krb5_read_password): Always free temporary storage + used for verification version of password. + 2003-03-06 Alexandra Ellwood * c_ustime.c: Removed Mac OS 9 code. diff --git a/src/lib/krb5/os/changepw.c b/src/lib/krb5/os/changepw.c index 60cb3a915..f8ec224db 100644 --- a/src/lib/krb5/os/changepw.c +++ b/src/lib/krb5/os/changepw.c @@ -24,6 +24,10 @@ * or implied warranty. * */ +/* + * krb5_set_password - Implements set password per RFC 3244 + * Added by Paul W. Nelson, Thursby Software Systems, Inc. + */ #define NEED_SOCKETS #include "fake-addrinfo.h" @@ -69,8 +73,16 @@ krb5_locate_kpasswd(krb5_context context, const krb5_data *realm, } +/* +** The logic for setting and changing a password is mostly the same +** krb5_change_set_password handles both cases +** if set_password_for is NULL, then a password change is performed, +** otherwise, the password is set for the principal indicated in set_password_for +*/ krb5_error_code KRB5_CALLCONV -krb5_change_password(krb5_context context, krb5_creds *creds, char *newpw, int *result_code, krb5_data *result_code_string, krb5_data *result_string) +krb5_change_set_password( + krb5_context context, krb5_creds *creds, char *newpw, krb5_principal set_password_for, + int *result_code, krb5_data *result_code_string, krb5_data *result_string) { krb5_auth_context auth_context; krb5_data ap_req, chpw_req, chpw_rep; @@ -104,7 +116,7 @@ krb5_change_password(krb5_context context, krb5_creds *creds, char *newpw, int * goto cleanup; if ((code = krb5_locate_kpasswd(context, - krb5_princ_realm(context, creds->client), + krb5_princ_realm(context, creds->server), &al))) goto cleanup; @@ -218,14 +230,15 @@ krb5_change_password(krb5_context context, krb5_creds *creds, char *newpw, int * if ((code = krb5_auth_con_setaddrs(context, auth_context, &local_kaddr, NULL))) { - code = SOCKET_ERRNO; - goto cleanup; + goto cleanup; } - if ((code = krb5_mk_chpw_req(context, auth_context, &ap_req, - newpw, &chpw_req))) + if( set_password_for ) + code = krb5int_mk_setpw_req(context, auth_context, &ap_req, set_password_for, newpw, &chpw_req); + else + code = krb5int_mk_chpw_req(context, auth_context, &ap_req, newpw, &chpw_req); + if (code) { - code = SOCKET_ERRNO; goto cleanup; } @@ -289,19 +302,23 @@ krb5_change_password(krb5_context context, krb5_creds *creds, char *newpw, int * NULL, &remote_kaddr))) goto cleanup; - if ((code = krb5_rd_chpw_rep(context, auth_context, &chpw_rep, - &local_result_code, - result_string))) - goto cleanup; + if( set_password_for ) + code = krb5int_rd_setpw_rep(context, auth_context, &chpw_rep, &local_result_code, result_string); + else + code = krb5int_rd_chpw_rep(context, auth_context, &chpw_rep, &local_result_code, result_string); + if (code) + goto cleanup; if (result_code) *result_code = local_result_code; if (result_code_string) { - if ((code = krb5_chpw_result_code_string(context, - local_result_code, - &code_string))) - goto cleanup; + if( set_password_for ) + code = krb5int_setpw_result_code_string(context, local_result_code, (const char **)&code_string); + else + code = krb5_chpw_result_code_string(context, local_result_code, &code_string); + if(code) + goto cleanup; result_code_string->length = strlen(code_string); result_code_string->data = malloc(result_code_string->length); @@ -343,3 +360,71 @@ cleanup: return(code); } + +krb5_error_code KRB5_CALLCONV +krb5_change_password(krb5_context context, krb5_creds *creds, char *newpw, int *result_code, krb5_data *result_code_string, krb5_data *result_string) +{ + return krb5_change_set_password( + context, creds, newpw, NULL, result_code, result_code_string, result_string ); +} + +/* + * krb5_set_password - Implements set password per RFC 3244 + * + */ + +krb5_error_code KRB5_CALLCONV +krb5_set_password( + krb5_context context, + krb5_creds *creds, + char *newpw, + krb5_principal change_password_for, + int *result_code, krb5_data *result_code_string, krb5_data *result_string + ) +{ + return krb5_change_set_password( + context, creds, newpw, change_password_for, result_code, result_code_string, result_string ); +} + +krb5_error_code KRB5_CALLCONV +krb5_set_password_using_ccache( + krb5_context context, + krb5_ccache ccache, + char *newpw, + krb5_principal change_password_for, + int *result_code, krb5_data *result_code_string, krb5_data *result_string + ) +{ + krb5_creds creds; + krb5_creds *credsp; + krb5_error_code code; + +/* +** get the proper creds for use with krb5_set_password - +*/ + memset( &creds, 0, sizeof(creds) ); +/* +** first get the principal for the password service - +*/ + code = krb5_cc_get_principal( context, ccache, &creds.client ); + if( !code ) + { + code = krb5_build_principal( context, &creds.server, + krb5_princ_realm(context, change_password_for)->length, + krb5_princ_realm(context, change_password_for)->data, + "kadmin", "changepw", NULL ); + if(!code) + { + code = krb5_get_credentials(context, 0, ccache, &creds, &credsp); + if( ! code ) + { + code = krb5_set_password(context, credsp, newpw, change_password_for, + result_code, result_code_string, + result_string); + krb5_free_creds(context, credsp); + } + } + krb5_free_cred_contents(context, &creds); + } + return code; +} diff --git a/src/lib/krb5/os/init_os_ctx.c b/src/lib/krb5/os/init_os_ctx.c index eb2321d42..e70882df6 100644 --- a/src/lib/krb5/os/init_os_ctx.c +++ b/src/lib/krb5/os/init_os_ctx.c @@ -234,8 +234,14 @@ os_get_default_config_files(profile_filespec_t **pfiles, krb5_boolean secure) unsigned int ent_len; const char *s, *t; +#ifdef USE_LOGIN_LIBRARY + /* If __KLAllowHomeDirectoryAccess() == FALSE, we are probably + trying to authenticate to a fileserver for the user's homedir. */ + if (secure || !__KLAllowHomeDirectoryAccess ()) { +#else if (secure) { - filepath = DEFAULT_SECURE_PROFILE_PATH; +#endif + filepath = DEFAULT_SECURE_PROFILE_PATH; } else { filepath = getenv("KRB5_CONFIG"); if (!filepath) filepath = DEFAULT_PROFILE_PATH; diff --git a/src/lib/krb5/os/read_pwd.c b/src/lib/krb5/os/read_pwd.c index 9023b8e98..1bb631c6a 100644 --- a/src/lib/krb5/os/read_pwd.c +++ b/src/lib/krb5/os/read_pwd.c @@ -64,15 +64,12 @@ krb5_read_password(krb5_context context, const char *prompt, const char *prompt2 return ENOMEM; retval = krb5_prompter_posix(NULL, NULL,NULL, NULL, 1, &k5prompt); - if (retval) { - free(verify_data.data); - } else { + if (retval == 0) { /* compare */ - if (strncmp(return_pwd, (char *)verify_data.data, *size_return)) { + if (strncmp(return_pwd, (char *)verify_data.data, *size_return)) retval = KRB5_LIBOS_BADPWDMATCH; - free(verify_data.data); - } } + free(verify_data.data); } if (!retval) *size_return = k5prompt.reply->length; diff --git a/src/lib/krb5_32.def b/src/lib/krb5_32.def index 53172a85c..db136c44a 100644 --- a/src/lib/krb5_32.def +++ b/src/lib/krb5_32.def @@ -36,8 +36,10 @@ EXPORTS krb5_auth_con_getlocalseqnumber krb5_auth_con_getlocalsubkey krb5_auth_con_getrcache ; KRB5_CALLCONV_WRONG + krb5_auth_con_getrecvsubkey krb5_auth_con_getremoteseqnumber krb5_auth_con_getremotesubkey + krb5_auth_con_getsendsubkey krb5_auth_con_init krb5_auth_con_initivector ; DEPRECATED krb5_auth_con_setaddrs ; KRB5_CALLCONV_WRONG @@ -45,6 +47,8 @@ EXPORTS krb5_auth_con_setflags krb5_auth_con_setports krb5_auth_con_setrcache + krb5_auth_con_setrecvsubkey + krb5_auth_con_setsendsubkey krb5_auth_con_setuseruserkey krb5_build_principal krb5_build_principal_ext @@ -63,6 +67,7 @@ EXPORTS krb5_c_random_make_octets krb5_c_random_seed krb5_c_string_to_key +krb5_c_string_to_key_with_params krb5_c_valid_cksumtype krb5_c_valid_enctype krb5_c_verify_checksum @@ -204,6 +209,8 @@ EXPORTS krb5_sendauth krb5_set_default_realm krb5_set_default_tgs_enctypes +krb5_set_password +krb5_set_password_using_ccache krb5_set_principal_realm krb5_sname_to_principal krb5_string_to_cksumtype diff --git a/src/lib/rpc/ChangeLog b/src/lib/rpc/ChangeLog index 653424054..279ec8adb 100644 --- a/src/lib/rpc/ChangeLog +++ b/src/lib/rpc/ChangeLog @@ -1,3 +1,16 @@ +2003-04-23 Ken Raeburn + + * bindresvport.c: Include errno.h. + (gssrpc_bindresvport): Don't declare errno. + * clnt_tcp.c: Don't declare errno. + * svc.c: Don't declare errno. Include errno.h. + +2003-03-24 Tom Yu + + * xdr_mem.c (xdrmem_create): Perform some additional size checks. + (xdrmem_getlong, xdrmem_putlong, xdrmem_getbytes): Check x_handy + prior to decrementing it. + 2003-01-12 Ezra Peisach * svc_auth_gssapi.c (_svcauth_gssapi_unset_names): If invoked more diff --git a/src/lib/rpc/bindresvport.c b/src/lib/rpc/bindresvport.c index 36b3ed533..28017d6cf 100644 --- a/src/lib/rpc/bindresvport.c +++ b/src/lib/rpc/bindresvport.c @@ -41,6 +41,7 @@ static char sccsid[] = "@(#)bindresvport.c 2.2 88/07/29 4.0 RPCSRC 1.8 88/02/08 #include #include #include +#include /* * Bind a socket to a privileged IP port @@ -53,7 +54,6 @@ gssrpc_bindresvport(sd, sockin) int res; static short port; struct sockaddr_in myaddr; - extern int errno; int i; #define STARTPORT 600 diff --git a/src/lib/rpc/clnt_tcp.c b/src/lib/rpc/clnt_tcp.c index abadf339c..9906bca0e 100644 --- a/src/lib/rpc/clnt_tcp.c +++ b/src/lib/rpc/clnt_tcp.c @@ -60,8 +60,6 @@ static char sccsid[] = "@(#)clnt_tcp.c 1.37 87/10/05 Copyr 1984 Sun Micro"; #define MCALL_MSG_SIZE 24 -extern int errno; - static enum clnt_stat clnttcp_call(CLIENT *, rpc_u_int32, xdrproc_t, void *, xdrproc_t, void *, struct timeval); static void clnttcp_abort(CLIENT *); diff --git a/src/lib/rpc/svc.c b/src/lib/rpc/svc.c index 7429acda1..902681541 100644 --- a/src/lib/rpc/svc.c +++ b/src/lib/rpc/svc.c @@ -46,8 +46,7 @@ static char sccsid[] = "@(#)svc.c 1.41 87/10/13 Copyr 1984 Sun Micro"; #include #include #include - -extern int errno; +#include #ifdef FD_SETSIZE static SVCXPRT **xports; diff --git a/src/lib/rpc/xdr_mem.c b/src/lib/rpc/xdr_mem.c index 18265da81..58e2d82a3 100644 --- a/src/lib/rpc/xdr_mem.c +++ b/src/lib/rpc/xdr_mem.c @@ -48,6 +48,7 @@ static char sccsid[] = "@(#)xdr_mem.c 1.19 87/08/11 Copyr 1984 Sun Micro"; #include #include #include +#include static bool_t xdrmem_getlong(XDR *, long *); static bool_t xdrmem_putlong(XDR *, long *); @@ -84,7 +85,7 @@ xdrmem_create(xdrs, addr, size, op) xdrs->x_op = op; xdrs->x_ops = &xdrmem_ops; xdrs->x_private = xdrs->x_base = addr; - xdrs->x_handy = size; + xdrs->x_handy = (size > INT_MAX) ? INT_MAX : size; /* XXX */ } static void @@ -99,8 +100,10 @@ xdrmem_getlong(xdrs, lp) long *lp; { - if ((xdrs->x_handy -= sizeof(rpc_int32)) < 0) + if (xdrs->x_handy < sizeof(rpc_int32)) return (FALSE); + else + xdrs->x_handy -= sizeof(rpc_int32); *lp = (long)ntohl(*((rpc_u_int32 *)(xdrs->x_private))); xdrs->x_private = (char *)xdrs->x_private + sizeof(rpc_int32); return (TRUE); @@ -112,8 +115,10 @@ xdrmem_putlong(xdrs, lp) long *lp; { - if ((xdrs->x_handy -= sizeof(rpc_int32)) < 0) + if (xdrs->x_handy < sizeof(rpc_int32)) return (FALSE); + else + xdrs->x_handy -= sizeof(rpc_int32); *(rpc_int32 *)xdrs->x_private = (rpc_int32)htonl((rpc_u_int32)(*lp)); xdrs->x_private = (char *)xdrs->x_private + sizeof(rpc_int32); return (TRUE); @@ -126,8 +131,10 @@ xdrmem_getbytes(xdrs, addr, len) register unsigned int len; { - if ((xdrs->x_handy -= len) < 0) + if (xdrs->x_handy < len) return (FALSE); + else + xdrs->x_handy -= len; memmove(addr, xdrs->x_private, len); xdrs->x_private = (char *)xdrs->x_private + len; return (TRUE); @@ -140,8 +147,10 @@ xdrmem_putbytes(xdrs, addr, len) register unsigned int len; { - if ((xdrs->x_handy -= len) < 0) + if (xdrs->x_handy < len) return (FALSE); + else + xdrs->x_handy -= len; memmove(xdrs->x_private, addr, len); xdrs->x_private = (char *)xdrs->x_private + len; return (TRUE); @@ -180,7 +189,7 @@ xdrmem_inline(xdrs, len) { rpc_int32 *buf = 0; - if (xdrs->x_handy >= len) { + if (len >= 0 && xdrs->x_handy >= len) { xdrs->x_handy -= len; buf = (rpc_int32 *) xdrs->x_private; xdrs->x_private = (char *)xdrs->x_private + len; diff --git a/src/mac/MacOSX/Headers/Kerberos5Prefix.h b/src/mac/MacOSX/Headers/Kerberos5Prefix.h index 24acb4845..acd5ebb4f 100644 --- a/src/mac/MacOSX/Headers/Kerberos5Prefix.h +++ b/src/mac/MacOSX/Headers/Kerberos5Prefix.h @@ -146,8 +146,8 @@ #define KRB4_USE_KEYTAB 1 #define KRB5 1 #define KRB524_PRIVATE 1 -#define KRB5_DNS_LOOKUP 0 -#define KRB5_DNS_LOOKUP_KDC 0 +#define KRB5_DNS_LOOKUP 1 +#define KRB5_DNS_LOOKUP_KDC 1 #define KRB5_KRB4_COMPAT 1 #define KRB5_PRIVATE 1 #define krb5_sigtype void diff --git a/src/mac/MacOSX/Projects/Kerberos5.pbexp b/src/mac/MacOSX/Projects/Kerberos5.pbexp index a3dfbe985..70dd599d2 100644 --- a/src/mac/MacOSX/Projects/Kerberos5.pbexp +++ b/src/mac/MacOSX/Projects/Kerberos5.pbexp @@ -24,11 +24,11 @@ _krb5_c_random_make_octets _krb5_c_random_seed # -# Will be added for 1.3 -# _krb5_c_random_os_entropy -# _krb5_c_random_add_entropy -# _krb5_c_init_state -# _krb5_c_free_state +# Added for 1.3 + _krb5_c_random_os_entropy + _krb5_c_random_add_entropy + _krb5_c_init_state + _krb5_c_free_state # _krb5_c_string_to_key _krb5_c_enctype_compare @@ -57,6 +57,10 @@ _krb5_auth_con_getremotesubkey _krb5_auth_con_getlocalseqnumber _krb5_auth_con_getremoteseqnumber + _krb5_auth_con_getrecvsubkey + _krb5_auth_con_getsendsubkey + _krb5_auth_con_setrecvsubkey + _krb5_auth_con_setsendsubkey _krb5_auth_con_setrcache _krb5_auth_con_getrcache _krb5_auth_con_getauthenticator @@ -218,8 +222,11 @@ _krb5_free_default_realm # _krb5_sname_to_principal - _krb5_principal2salt + _krb5_principal2salt _krb5_change_password +# + _krb5_set_password + _krb5_set_password_using_ccache # _krb5_get_profile # diff --git a/src/mac/MacOSX/Projects/Kerberos5.pbproj/project.pbxproj b/src/mac/MacOSX/Projects/Kerberos5.pbproj/project.pbxproj index c674f4b5b..6ef793876 100644 --- a/src/mac/MacOSX/Projects/Kerberos5.pbproj/project.pbxproj +++ b/src/mac/MacOSX/Projects/Kerberos5.pbproj/project.pbxproj @@ -1695,6 +1695,12 @@ settings = { }; }; + A1BBFF1604226DBD00120114 = { + fileEncoding = 30; + isa = PBXFileReference; + path = configure.in; + refType = 4; + }; A1CA6042040F24850013F915 = { fileRef = F517325103F1B65901120114; isa = PBXBuildFile; @@ -2339,6 +2345,7 @@ children = ( F51730E203F1B65801120114, F51730E303F1B65801120114, + A1BBFF1604226DBD00120114, F51730E503F1B65801120114, F51730E603F1B65801120114, F51730E703F1B65801120114, @@ -2525,12 +2532,10 @@ F51730FF03F1B65801120114, F517310003F1B65801120114, F517310103F1B65801120114, - F517310203F1B65801120114, F517310303F1B65801120114, F517310403F1B65801120114, F517310503F1B65801120114, F517310603F1B65801120114, - F517310703F1B65801120114, F517310803F1B65801120114, F517310903F1B65801120114, F517310A03F1B65801120114, @@ -2557,13 +2562,6 @@ path = adm_proto.h; refType = 4; }; - F517310203F1B65801120114 = { - children = ( - ); - isa = PBXGroup; - path = asn.1; - refType = 4; - }; F517310303F1B65801120114 = { fileEncoding = 30; isa = PBXFileReference; @@ -2588,12 +2586,6 @@ path = kdb_dbc.h; refType = 4; }; - F517310703F1B65801120114 = { - fileEncoding = 30; - isa = PBXFileReference; - path = kdb_dbm.h; - refType = 4; - }; F517310803F1B65801120114 = { fileEncoding = 30; isa = PBXFileReference; @@ -8721,12 +8713,6 @@ settings = { }; }; - F51738E403F1BA7F01120114 = { - fileRef = F517310D03F1B65801120114; - isa = PBXBuildFile; - settings = { - }; - }; F51738E503F1BAF701120114 = { fileRef = F51734DE03F1B65A01120114; isa = PBXBuildFile; @@ -9759,18 +9745,6 @@ settings = { }; }; - F58183510253A2F201120112 = { - fileRef = F5C2DF200240F9F601650119; - isa = PBXBuildFile; - settings = { - }; - }; - F58183520253A2F301120112 = { - fileRef = F5C2DF210240F9F601650119; - isa = PBXBuildFile; - settings = { - }; - }; F5C2DF100240F9F601650119 = { children = ( F5C2DF140240F9F601650119, @@ -9952,90 +9926,6 @@ path = prof_err.strings; refType = 4; }; - F5C2DF2E0240F9F601650119 = { - fileRef = F5C2DF140240F9F601650119; - isa = PBXBuildFile; - settings = { - }; - }; - F5C2DF2F0240F9F601650119 = { - fileRef = F5C2DF150240F9F601650119; - isa = PBXBuildFile; - settings = { - }; - }; - F5C2DF340240F9F601650119 = { - fileRef = F5C2DF1D0240F9F601650119; - isa = PBXBuildFile; - settings = { - }; - }; - F5C2DF350240F9F601650119 = { - fileRef = F5C2DF1E0240F9F601650119; - isa = PBXBuildFile; - settings = { - }; - }; - F5C2DF380240F9F601650119 = { - fileRef = F5C2DF230240F9F601650119; - isa = PBXBuildFile; - settings = { - }; - }; - F5C2DF390240F9F601650119 = { - fileRef = F5C2DF240240F9F601650119; - isa = PBXBuildFile; - settings = { - }; - }; - F5C2DF3A0240F9F601650119 = { - fileRef = F5C2DF260240F9F601650119; - isa = PBXBuildFile; - settings = { - }; - }; - F5C2DF3B0240F9F601650119 = { - fileRef = F5C2DF270240F9F601650119; - isa = PBXBuildFile; - settings = { - }; - }; - F5C2DF3E0240F9FC01650119 = { - fileRef = F5C2DF290240F9F601650119; - isa = PBXBuildFile; - settings = { - }; - }; - F5C2DF3F0240F9FD01650119 = { - fileRef = F5C2DF2A0240F9F601650119; - isa = PBXBuildFile; - settings = { - }; - }; - F5C2DF420240FA1301650119 = { - fileRef = F5C2DF1B0240F9F601650119; - isa = PBXBuildFile; - settings = { - }; - }; - F5C2DF430240FA1401650119 = { - fileRef = F5C2DF1A0240F9F601650119; - isa = PBXBuildFile; - settings = { - }; - }; - F5C2DF440240FA1501650119 = { - fileRef = F5C2DF180240F9F601650119; - isa = PBXBuildFile; - settings = { - }; - }; - F5C2DF450240FA1601650119 = { - fileRef = F5C2DF170240F9F601650119; - isa = PBXBuildFile; - settings = { - }; - }; F5C44E900231BD6801120112 = { isa = PBXLibraryReference; path = libGSS.a; @@ -10072,8 +9962,6 @@ F5C44E920231BD6801120112 = { buildActionMask = 2147483647; files = ( - F5C2DF420240FA1301650119, - F5C2DF440240FA1501650119, F517395503F1BC9701120114, F517395A03F1BCAB01120114, F517397703F1BCCF01120114, @@ -10086,8 +9974,6 @@ F5C44E9C0231BD6801120112 = { buildActionMask = 2147483647; files = ( - F5C2DF430240FA1401650119, - F5C2DF450240FA1601650119, F517395403F1BC9601120114, F517395603F1BCA801120114, F517395703F1BCA801120114, @@ -10270,7 +10156,6 @@ F5CFD5CE022D86AD01120112 = { buildActionMask = 2147483647; files = ( - F5C2DF3F0240F9FD01650119, F517399703F1BD1301120114, F5E266F803F4443301120114, F5E266F903F4443301120114, @@ -10281,7 +10166,6 @@ F5CFD5CF022D86AD01120112 = { buildActionMask = 2147483647; files = ( - F5C2DF3E0240F9FC01650119, F517399403F1BD1201120114, F517399503F1BD1201120114, F517399603F1BD1301120114, @@ -10444,11 +10328,6 @@ F5CFD63A022DD45401120112 = { buildActionMask = 2147483647; files = ( - F5C2DF2F0240F9F601650119, - F5C2DF350240F9F601650119, - F5C2DF390240F9F601650119, - F5C2DF3B0240F9F601650119, - F58183520253A2F301120112, F517388F03F1B8BE01120114, F51738AA03F1B96401120114, F51738BE03F1B9B001120114, @@ -10466,7 +10345,6 @@ F51738DE03F1BA2701120114, F51738DF03F1BA2701120114, F51738E303F1BA7501120114, - F51738E403F1BA7F01120114, F51738F303F1BB1701120114, F51738F903F1BB1A01120114, F517391B03F1BB2D01120114, @@ -10507,11 +10385,6 @@ F5CFD63B022DD45401120112 = { buildActionMask = 2147483647; files = ( - F5C2DF2E0240F9F601650119, - F5C2DF340240F9F601650119, - F5C2DF380240F9F601650119, - F5C2DF3A0240F9F601650119, - F58183510253A2F201120112, F517388E03F1B8BD01120114, F517389003F1B90D01120114, F517389103F1B90E01120114, @@ -11106,7 +10979,6 @@ F5E2688003F83E7D01120114 = { buildActionMask = 2147483647; files = ( - F5E2689C03F8423F01120114, ); isa = PBXHeadersBuildPhase; runOnlyForDeploymentPostprocessing = 0; @@ -11114,7 +10986,6 @@ F5E2688103F83E7D01120114 = { buildActionMask = 2147483647; files = ( - F5E2689B03F8423E01120114, F5E268A503F8428101120114, F5E268A603F8428301120114, F5E268A703F8428401120114, @@ -11233,18 +11104,6 @@ isa = PBXTargetDependency; target = F5E2686C03F8336601120114; }; - F5E2689B03F8423E01120114 = { - fileRef = F5E2671F03F8200601120114; - isa = PBXBuildFile; - settings = { - }; - }; - F5E2689C03F8423F01120114 = { - fileRef = F5E2672003F8200601120114; - isa = PBXBuildFile; - settings = { - }; - }; F5E268A503F8428101120114 = { fileRef = F517345A03F1B65A01120114; isa = PBXBuildFile; diff --git a/src/mac/MacOSX/Scripts/Kerberos5ServerBuild.jam b/src/mac/MacOSX/Scripts/Kerberos5ServerBuild.jam index 9969720be..185fe83b2 100644 --- a/src/mac/MacOSX/Scripts/Kerberos5ServerBuild.jam +++ b/src/mac/MacOSX/Scripts/Kerberos5ServerBuild.jam @@ -5,7 +5,7 @@ Sources = "$(SRCROOT)/../Sources" ; Reconf = "$(Sources)/util/reconf" ; Configure = "$(Sources)/configure" ; Makefile = "$(IntermediateBuild)/Makefile" ; - +MakeStamp = "$(IntermediateBuild)/make.stamp" ; # # Note: in this jam script we have separated the dependency tree from the # actual scripts. This is so that CVS checkouts trigger a rebuild but the jam @@ -32,10 +32,10 @@ rule Configure actions Configure { mkdir -p "$(1:D)" - cd "$(1:D)" && /bin/sh "$(2)" --prefix=/usr CFLAGS="-fno-common" || rm -f "$(1)" + cd "$(1:D)" && /bin/sh "$(2)" --prefix=/usr CFLAGS="-fno-common -include /usr/include/TargetConditionals.h" LDFLAGS="-Wl,-search_paths_first" || rm -f "$(1)" } -# Make : +# Make : rule Make { DEPENDS "$(1)" : "$(2)" ; @@ -48,8 +48,84 @@ actions Make cd "$(1:D)" && make && touch "$(1)" && echo "### HAPPINESS ###" } -Make "$(IntermediateBuild)/make.stamp" : "$(Makefile)" ; +# InstallProgram : +rule InstallProgram +{ + DEPENDS "$(1)" : "$(2)" ; + DEPENDS "$(2)" : "$(MakeStamp)" ; + Clean.Remove clean "$(1)" ; +} +actions InstallProgram +{ + mkdir -p "$(1:D)" + /usr/bin/install -c -s "$(2)" "$(1)" +} + +# InstallFile : +rule InstallFile +{ + DEPENDS "$(1)" : "$(2)" ; + DEPENDS "$(2)" : "$(MakeStamp)" ; + Clean.Remove clean "$(1)" ; +} +actions InstallFile +{ + mkdir -p "$(1:D)" + /usr/bin/install -c -m 644 "$(2)" "$(1)" +} + +Make "$(MakeStamp)" : "$(Makefile)" ; + +InstallProgram "$(DSTROOT)/usr/sbin/kadmin" : "$(IntermediateBuild)/kadmin/cli/kadmin" ; +InstallProgram "$(DSTROOT)/usr/sbin/kadmin.local" : "$(IntermediateBuild)/kadmin/cli/kadmin.local" ; +InstallProgram "$(DSTROOT)/usr/sbin/kadmind" : "$(IntermediateBuild)/kadmin/server/kadmind" ; +InstallProgram "$(DSTROOT)/usr/sbin/kadmind4" : "$(IntermediateBuild)/kadmin/v4server/kadmind4" ; +InstallProgram "$(DSTROOT)/usr/sbin/v5passwdd" : "$(IntermediateBuild)/kadmin/v5passwdd/v5passwdd" ; +InstallProgram "$(DSTROOT)/usr/sbin/ktutil" : "$(IntermediateBuild)/kadmin/ktutil/ktutil" ; +InstallProgram "$(DSTROOT)/usr/sbin/kdb5_util" : "$(IntermediateBuild)/kadmin/dbutil/kdb5_util" ; +InstallProgram "$(DSTROOT)/usr/sbin/kprop" : "$(IntermediateBuild)/slave/kprop" ; +InstallProgram "$(DSTROOT)/usr/sbin/kpropd" : "$(IntermediateBuild)/slave/kpropd" ; +InstallProgram "$(DSTROOT)/usr/sbin/krb524d" : "$(IntermediateBuild)/krb524/krb524d" ; +InstallProgram "$(DSTROOT)/usr/sbin/krb5kdc" : "$(IntermediateBuild)/kdc/krb5kdc" ; + +InstallFile "$(DSTROOT)/usr/share/man/man1/kerberos.1" : "$(SRCROOT)/../Sources/gen-manpages/kerberos.M" ; +InstallFile "$(DSTROOT)/usr/share/man/man5/kdc.conf.5" : "$(SRCROOT)/../Sources/config-files/kdc.conf.M" ; +InstallFile "$(DSTROOT)/usr/share/man/man5/krb5.conf.5" : "$(SRCROOT)/../Sources/config-files/krb5.conf.M" ; +InstallFile "$(DSTROOT)/usr/share/man/man8/kadmin.8" : "$(SRCROOT)/../Sources/kadmin/cli/kadmin.M" ; +InstallFile "$(DSTROOT)/usr/share/man/man8/kadmin.local.8" : "$(SRCROOT)/../Sources/kadmin/cli/kadmin.local.M" ; +InstallFile "$(DSTROOT)/usr/share/man/man8/kadmind.8" : "$(SRCROOT)/../Sources/kadmin/server/kadmind.M" ; +InstallFile "$(DSTROOT)/usr/share/man/man8/ktutil.8" : "$(SRCROOT)/../Sources/kadmin/ktutil/ktutil.M" ; +InstallFile "$(DSTROOT)/usr/share/man/man8/kdb5_util.8" : "$(SRCROOT)/../Sources/kadmin/dbutil/kdb5_util.M" ; +InstallFile "$(DSTROOT)/usr/share/man/man8/kprop.8" : "$(SRCROOT)/../Sources/slave/kprop.M" ; +InstallFile "$(DSTROOT)/usr/share/man/man8/kpropd.8" : "$(SRCROOT)/../Sources/slave/kpropd.M" ; +InstallFile "$(DSTROOT)/usr/share/man/man8/krb5kdc.8" : "$(SRCROOT)/../Sources/kdc/krb5kdc.M" ; + + +DEPENDS all : "$(MakeStamp)" ; -DEPENDS all : "$(IntermediateBuild)/make.stamp" ; -DEPENDS install : all ; +DEPENDS install : all + "$(DSTROOT)/usr/sbin/kadmin" + "$(DSTROOT)/usr/sbin/kadmin.local" + "$(DSTROOT)/usr/sbin/kadmind" + "$(DSTROOT)/usr/sbin/kadmind4" + "$(DSTROOT)/usr/sbin/kdb5_util" + "$(DSTROOT)/usr/sbin/kprop" + "$(DSTROOT)/usr/sbin/kpropd" + "$(DSTROOT)/usr/sbin/krb524d" + "$(DSTROOT)/usr/sbin/krb5kdc" + "$(DSTROOT)/usr/sbin/ktutil" + "$(DSTROOT)/usr/sbin/v5passwdd" + + "$(DSTROOT)/usr/share/man/man1/kerberos.1" + "$(DSTROOT)/usr/share/man/man5/kdc.conf.5" + "$(DSTROOT)/usr/share/man/man5/krb5.conf.5" + "$(DSTROOT)/usr/share/man/man8/kadmin.8" + "$(DSTROOT)/usr/share/man/man8/kadmin.local.8" + "$(DSTROOT)/usr/share/man/man8/kadmind.8" + "$(DSTROOT)/usr/share/man/man8/kdb5_util.8" + "$(DSTROOT)/usr/share/man/man8/kprop.8" + "$(DSTROOT)/usr/share/man/man8/kpropd.8" + "$(DSTROOT)/usr/share/man/man8/krb5kdc.8" + "$(DSTROOT)/usr/share/man/man8/ktutil.8" ; + DEPENDS installhdrs : all ; diff --git a/src/tests/asn.1/ChangeLog b/src/tests/asn.1/ChangeLog index d4c543025..2fefd05f3 100644 --- a/src/tests/asn.1/ChangeLog +++ b/src/tests/asn.1/ChangeLog @@ -1,3 +1,26 @@ +2003-05-12 Ezra Peisach + + * krb5_decode_test.c: Modify decode_run macro to take a cleanup + handler to free allocated memory. Add static handlers to free + krb5_alt_method, passwd_phrase_element and krb5_enc_data as the + krb5 library does not handle at this time. + + * krb5_encode_test.c: Free krb5_context at end. Utilize the many + ktest_empty and detroy functions to cleanup memory. + + * ktest.h, ktest.c: Add many ktest free and empty functions to + cleanup allocated structures in tests. + + * utility.c (krb5_data_hex_parse): Free temporary data. + + +2003-05-06 Sam Hartman + + * krb5_encode_test.c (main): Add etype_info2 support + + * ktest.c (ktest_make_sample_etype_info): Initialize s2kparams to be null. + (ktest_make_sample_etype_info2): New function + 2002-11-07 Ezra Peisach * krb5_decode_test.c: Test for sam_challenege without empty diff --git a/src/tests/asn.1/krb5_decode_test.c b/src/tests/asn.1/krb5_decode_test.c index ea679cc0c..b86c9fc8c 100644 --- a/src/tests/asn.1/krb5_decode_test.c +++ b/src/tests/asn.1/krb5_decode_test.c @@ -10,6 +10,11 @@ krb5_context test_context; int error_count = 0; +void krb5_ktest_free_alt_method(krb5_context context, krb5_alt_method *val); +void krb5_ktest_free_pwd_sequence(krb5_context context, + passwd_phrase_element *val); +void krb5_ktest_free_enc_data(krb5_context context, krb5_enc_data *val); + int main(argc, argv) int argc; char **argv; @@ -23,6 +28,7 @@ int main(argc, argv) exit(1); } + #define setup(type,typestring,constructor)\ type ref, *var;\ retval = constructor(&ref);\ @@ -30,8 +36,8 @@ int main(argc, argv) com_err("krb5_decode_test", retval, "while making sample %s", typestring);\ exit(1);\ } - -#define decode_run(typestring,description,encoding,decoder,comparator)\ + +#define decode_run(typestring,description,encoding,decoder,comparator,cleanup)\ retval = krb5_data_hex_parse(&code,encoding);\ if(retval){\ com_err("krb5_decode_test", retval, "while parsing %s", typestring);\ @@ -43,32 +49,36 @@ int main(argc, argv) error_count++;\ }\ assert(comparator(&ref,var),typestring);\ - printf("%s\n",description) + printf("%s\n",description);\ + krb5_free_data_contents(test_context, &code);\ + cleanup(test_context, var); /****************************************************************/ /* decode_krb5_authenticator */ { setup(krb5_authenticator,"krb5_authenticator",ktest_make_sample_authenticator); - decode_run("authenticator","","62 81 A1 30 81 9E A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34 A4 05 02 03 01 E2 40 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A7 03 02 01 11 A8 24 30 22 30 0F A0 03 02 01 01 A1 08 04 06 66 6F 6F 62 61 72 30 0F A0 03 02 01 01 A1 08 04 06 66 6F 6F 62 61 72",decode_krb5_authenticator,ktest_equal_authenticator); + decode_run("authenticator","","62 81 A1 30 81 9E A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34 A4 05 02 03 01 E2 40 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A7 03 02 01 11 A8 24 30 22 30 0F A0 03 02 01 01 A1 08 04 06 66 6F 6F 62 61 72 30 0F A0 03 02 01 01 A1 08 04 06 66 6F 6F 62 61 72",decode_krb5_authenticator,ktest_equal_authenticator,krb5_free_authenticator); ktest_destroy_checksum(&(ref.checksum)); ktest_destroy_keyblock(&(ref.subkey)); ref.seq_number = 0; ktest_empty_authorization_data(ref.authorization_data); - decode_run("authenticator","(optionals empty)","62 4F 30 4D A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 05 02 03 01 E2 40 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A",decode_krb5_authenticator,ktest_equal_authenticator); + decode_run("authenticator","(optionals empty)","62 4F 30 4D A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 05 02 03 01 E2 40 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A",decode_krb5_authenticator,ktest_equal_authenticator,krb5_free_authenticator); - ktest_destroy_authorization_data(&(ref.authorization_data)); + ktest_destroy_authorization_data(&(ref.authorization_data)); - decode_run("authenticator","(optionals NULL)","62 4F 30 4D A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 05 02 03 01 E2 40 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A",decode_krb5_authenticator,ktest_equal_authenticator); + decode_run("authenticator","(optionals NULL)","62 4F 30 4D A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 05 02 03 01 E2 40 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A",decode_krb5_authenticator,ktest_equal_authenticator,krb5_free_authenticator); + + ktest_empty_authenticator(&ref); } /****************************************************************/ /* decode_krb5_ticket */ { setup(krb5_ticket,"krb5_ticket",ktest_make_sample_ticket); - decode_run("ticket","","61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_ticket,ktest_equal_ticket); - decode_run("ticket","(+ trailing [4] INTEGER","61 61 30 5F A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 A4 03 02 01 01",decode_krb5_ticket,ktest_equal_ticket); + decode_run("ticket","","61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_ticket,ktest_equal_ticket,krb5_free_ticket); + decode_run("ticket","(+ trailing [4] INTEGER","61 61 30 5F A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 A4 03 02 01 01",decode_krb5_ticket,ktest_equal_ticket,krb5_free_ticket); /* "61 80 30 80 " @@ -89,7 +99,7 @@ int main(argc, argv) " 00 00 00 00" "00 00 00 00" */ - decode_run("ticket","(indefinite lengths)", "61 80 30 80 A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 80 30 80 A0 03 02 01 01 A1 80 30 80 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 00 00 00 00 00 00 00 00 A3 80 30 80 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 00 00 00 00 00 00 00 00" ,decode_krb5_ticket,ktest_equal_ticket); + decode_run("ticket","(indefinite lengths)", "61 80 30 80 A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 80 30 80 A0 03 02 01 01 A1 80 30 80 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 00 00 00 00 00 00 00 00 A3 80 30 80 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 00 00 00 00 00 00 00 00" ,decode_krb5_ticket,ktest_equal_ticket,krb5_free_ticket); /* "61 80 30 80 " " A0 03 02 01 05 " @@ -110,37 +120,44 @@ int main(argc, argv) " A4 03 02 01 01 " "00 00 00 00" */ - decode_run("ticket","(indefinite lengths + trailing [4] INTEGER)", "61 80 30 80 A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 80 30 80 A0 03 02 01 01 A1 80 30 80 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 00 00 00 00 00 00 00 00 A3 80 30 80 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 00 00 00 00 A4 03 02 01 01 00 00 00 00",decode_krb5_ticket,ktest_equal_ticket); + decode_run("ticket","(indefinite lengths + trailing [4] INTEGER)", "61 80 30 80 A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 80 30 80 A0 03 02 01 01 A1 80 30 80 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 00 00 00 00 00 00 00 00 A3 80 30 80 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 00 00 00 00 A4 03 02 01 01 00 00 00 00",decode_krb5_ticket,ktest_equal_ticket,krb5_free_ticket); + + ktest_empty_ticket(&ref); + } /****************************************************************/ /* decode_krb5_encryption_key */ { setup(krb5_keyblock,"krb5_keyblock",ktest_make_sample_keyblock); - decode_run("encryption_key","","30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38",decode_krb5_encryption_key,ktest_equal_encryption_key); - decode_run("encryption_key","(+ trailing [2] INTEGER)","30 16 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 03 02 01 01",decode_krb5_encryption_key,ktest_equal_encryption_key); - decode_run("encryption_key","(+ trailing [2] SEQUENCE {[0] INTEGER})","30 1A A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 07 30 05 A0 03 02 01 01",decode_krb5_encryption_key,ktest_equal_encryption_key); - decode_run("encryption_key","(indefinite lengths)","30 80 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 00 00",decode_krb5_encryption_key,ktest_equal_encryption_key); - decode_run("encryption_key","(indefinite lengths + trailing [2] INTEGER)","30 80 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 03 02 01 01 00 00",decode_krb5_encryption_key,ktest_equal_encryption_key); - decode_run("encryption_key","(indefinite lengths + trailing [2] SEQUENCE {[0] INTEGER})","30 80 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 80 30 80 A0 03 02 01 01 00 00 00 00 00 00",decode_krb5_encryption_key,ktest_equal_encryption_key); - decode_run("encryption_key","(indefinite lengths + trailing SEQUENCE {[0] INTEGER})","30 80 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 30 80 A0 03 02 01 01 00 00 00 00",decode_krb5_encryption_key,ktest_equal_encryption_key); + + decode_run("encryption_key","","30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38",decode_krb5_encryption_key,ktest_equal_encryption_key,krb5_free_keyblock); + + decode_run("encryption_key","(+ trailing [2] INTEGER)","30 16 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 03 02 01 01",decode_krb5_encryption_key,ktest_equal_encryption_key,krb5_free_keyblock); + decode_run("encryption_key","(+ trailing [2] SEQUENCE {[0] INTEGER})","30 1A A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 07 30 05 A0 03 02 01 01",decode_krb5_encryption_key,ktest_equal_encryption_key,krb5_free_keyblock); + decode_run("encryption_key","(indefinite lengths)","30 80 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 00 00",decode_krb5_encryption_key,ktest_equal_encryption_key,krb5_free_keyblock); + decode_run("encryption_key","(indefinite lengths + trailing [2] INTEGER)","30 80 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 03 02 01 01 00 00",decode_krb5_encryption_key,ktest_equal_encryption_key,krb5_free_keyblock); + decode_run("encryption_key","(indefinite lengths + trailing [2] SEQUENCE {[0] INTEGER})","30 80 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 80 30 80 A0 03 02 01 01 00 00 00 00 00 00",decode_krb5_encryption_key,ktest_equal_encryption_key,krb5_free_keyblock); + decode_run("encryption_key","(indefinite lengths + trailing SEQUENCE {[0] INTEGER})","30 80 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 30 80 A0 03 02 01 01 00 00 00 00",decode_krb5_encryption_key,ktest_equal_encryption_key,krb5_free_keyblock); ref.enctype = -1; - decode_run("encryption_key","(enctype = -1)","30 11 A0 03 02 01 FF A1 0A 04 08 31 32 33 34 35 36 37 38",decode_krb5_encryption_key,ktest_equal_encryption_key); + decode_run("encryption_key","(enctype = -1)","30 11 A0 03 02 01 FF A1 0A 04 08 31 32 33 34 35 36 37 38",decode_krb5_encryption_key,ktest_equal_encryption_key,krb5_free_keyblock); ref.enctype = -255; - decode_run("encryption_key","(enctype = -255)","30 12 A0 04 02 02 FF 01 A1 0A 04 08 31 32 33 34 35 36 37 38",decode_krb5_encryption_key,ktest_equal_encryption_key); + decode_run("encryption_key","(enctype = -255)","30 12 A0 04 02 02 FF 01 A1 0A 04 08 31 32 33 34 35 36 37 38",decode_krb5_encryption_key,ktest_equal_encryption_key,krb5_free_keyblock); ref.enctype = 255; - decode_run("encryption_key","(enctype = 255)","30 12 A0 04 02 02 00 FF A1 0A 04 08 31 32 33 34 35 36 37 38",decode_krb5_encryption_key,ktest_equal_encryption_key); + decode_run("encryption_key","(enctype = 255)","30 12 A0 04 02 02 00 FF A1 0A 04 08 31 32 33 34 35 36 37 38",decode_krb5_encryption_key,ktest_equal_encryption_key,krb5_free_keyblock); ref.enctype = -2147483648; - decode_run("encryption_key","(enctype = -2147483648)","30 14 A0 06 02 04 80 00 00 00 A1 0A 04 08 31 32 33 34 35 36 37 38",decode_krb5_encryption_key,ktest_equal_encryption_key); + decode_run("encryption_key","(enctype = -2147483648)","30 14 A0 06 02 04 80 00 00 00 A1 0A 04 08 31 32 33 34 35 36 37 38",decode_krb5_encryption_key,ktest_equal_encryption_key,krb5_free_keyblock); ref.enctype = 2147483647; - decode_run("encryption_key","(enctype = 2147483647)","30 14 A0 06 02 04 7F FF FF FF A1 0A 04 08 31 32 33 34 35 36 37 38",decode_krb5_encryption_key,ktest_equal_encryption_key); + decode_run("encryption_key","(enctype = 2147483647)","30 14 A0 06 02 04 7F FF FF FF A1 0A 04 08 31 32 33 34 35 36 37 38",decode_krb5_encryption_key,ktest_equal_encryption_key,krb5_free_keyblock); + + ktest_empty_keyblock(&ref); } /****************************************************************/ /* decode_krb5_enc_tkt_part */ { setup(krb5_enc_tkt_part,"krb5_enc_tkt_part",ktest_make_sample_enc_tkt_part); - decode_run("enc_tkt_part","","63 82 01 14 30 82 01 10 A0 07 03 05 00 FE DC BA 98 A1 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 2E 30 2C A0 03 02 01 01 A1 25 04 23 45 44 55 2C 4D 49 54 2E 2C 41 54 48 45 4E 41 2E 2C 57 41 53 48 49 4E 47 54 4F 4E 2E 45 44 55 2C 43 53 2E A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A8 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A9 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 AA 24 30 22 30 0F A0 03 02 01 01 A1 08 04 06 66 6F 6F 62 61 72 30 0F A0 03 02 01 01 A1 08 04 06 66 6F 6F 62 61 72",decode_krb5_enc_tkt_part,ktest_equal_enc_tkt_part); + decode_run("enc_tkt_part","","63 82 01 14 30 82 01 10 A0 07 03 05 00 FE DC BA 98 A1 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 2E 30 2C A0 03 02 01 01 A1 25 04 23 45 44 55 2C 4D 49 54 2E 2C 41 54 48 45 4E 41 2E 2C 57 41 53 48 49 4E 47 54 4F 4E 2E 45 44 55 2C 43 53 2E A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A8 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A9 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 AA 24 30 22 30 0F A0 03 02 01 01 A1 08 04 06 66 6F 6F 62 61 72 30 0F A0 03 02 01 01 A1 08 04 06 66 6F 6F 62 61 72",decode_krb5_enc_tkt_part,ktest_equal_enc_tkt_part,krb5_free_enc_tkt_part); /* ref.times.starttime = 0; */ ref.times.starttime = ref.times.authtime; @@ -153,18 +170,19 @@ int main(argc, argv) ktest_destroy_addresses(&(ref.caddrs)); ktest_destroy_authorization_data(&(ref.authorization_data)); - decode_run("enc_tkt_part","(optionals NULL)","63 81 A5 30 81 A2 A0 07 03 05 00 FE DC BA 98 A1 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 2E 30 2C A0 03 02 01 01 A1 25 04 23 45 44 55 2C 4D 49 54 2E 2C 41 54 48 45 4E 41 2E 2C 57 41 53 48 49 4E 47 54 4F 4E 2E 45 44 55 2C 43 53 2E A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A",decode_krb5_enc_tkt_part,ktest_equal_enc_tkt_part); + decode_run("enc_tkt_part","(optionals NULL)","63 81 A5 30 81 A2 A0 07 03 05 00 FE DC BA 98 A1 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 2E 30 2C A0 03 02 01 01 A1 25 04 23 45 44 55 2C 4D 49 54 2E 2C 41 54 48 45 4E 41 2E 2C 57 41 53 48 49 4E 47 54 4F 4E 2E 45 44 55 2C 43 53 2E A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A",decode_krb5_enc_tkt_part,ktest_equal_enc_tkt_part, krb5_free_enc_tkt_part); - decode_run("enc_tkt_part","(optionals NULL + bitstring enlarged to 38 bits)","63 81 A6 30 81 A3 A0 08 03 06 02 FE DC BA 98 DC A1 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 2E 30 2C A0 03 02 01 01 A1 25 04 23 45 44 55 2C 4D 49 54 2E 2C 41 54 48 45 4E 41 2E 2C 57 41 53 48 49 4E 47 54 4F 4E 2E 45 44 55 2C 43 53 2E A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A",decode_krb5_enc_tkt_part,ktest_equal_enc_tkt_part); + decode_run("enc_tkt_part","(optionals NULL + bitstring enlarged to 38 bits)","63 81 A6 30 81 A3 A0 08 03 06 02 FE DC BA 98 DC A1 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 2E 30 2C A0 03 02 01 01 A1 25 04 23 45 44 55 2C 4D 49 54 2E 2C 41 54 48 45 4E 41 2E 2C 57 41 53 48 49 4E 47 54 4F 4E 2E 45 44 55 2C 43 53 2E A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A",decode_krb5_enc_tkt_part,ktest_equal_enc_tkt_part,krb5_free_enc_tkt_part); - decode_run("enc_tkt_part","(optionals NULL + bitstring enlarged to 40 bits)","63 81 A6 30 81 A3 A0 08 03 06 00 FE DC BA 98 DE A1 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 2E 30 2C A0 03 02 01 01 A1 25 04 23 45 44 55 2C 4D 49 54 2E 2C 41 54 48 45 4E 41 2E 2C 57 41 53 48 49 4E 47 54 4F 4E 2E 45 44 55 2C 43 53 2E A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A",decode_krb5_enc_tkt_part,ktest_equal_enc_tkt_part); + decode_run("enc_tkt_part","(optionals NULL + bitstring enlarged to 40 bits)","63 81 A6 30 81 A3 A0 08 03 06 00 FE DC BA 98 DE A1 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 2E 30 2C A0 03 02 01 01 A1 25 04 23 45 44 55 2C 4D 49 54 2E 2C 41 54 48 45 4E 41 2E 2C 57 41 53 48 49 4E 47 54 4F 4E 2E 45 44 55 2C 43 53 2E A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A",decode_krb5_enc_tkt_part,ktest_equal_enc_tkt_part,krb5_free_enc_tkt_part); - decode_run("enc_tkt_part","(optionals NULL + bitstring reduced to 29 bits)","63 81 A5 30 81 A2 A0 07 03 05 03 FE DC BA 98 A1 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 2E 30 2C A0 03 02 01 01 A1 25 04 23 45 44 55 2C 4D 49 54 2E 2C 41 54 48 45 4E 41 2E 2C 57 41 53 48 49 4E 47 54 4F 4E 2E 45 44 55 2C 43 53 2E A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A",decode_krb5_enc_tkt_part,ktest_equal_enc_tkt_part); + decode_run("enc_tkt_part","(optionals NULL + bitstring reduced to 29 bits)","63 81 A5 30 81 A2 A0 07 03 05 03 FE DC BA 98 A1 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 2E 30 2C A0 03 02 01 01 A1 25 04 23 45 44 55 2C 4D 49 54 2E 2C 41 54 48 45 4E 41 2E 2C 57 41 53 48 49 4E 47 54 4F 4E 2E 45 44 55 2C 43 53 2E A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A",decode_krb5_enc_tkt_part,ktest_equal_enc_tkt_part,krb5_free_enc_tkt_part); ref.flags &= 0xFFFFFF00; - decode_run("enc_tkt_part","(optionals NULL + bitstring reduced to 24 bits)","63 81 A4 30 81 A1 A0 06 03 04 00 FE DC BA A1 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 2E 30 2C A0 03 02 01 01 A1 25 04 23 45 44 55 2C 4D 49 54 2E 2C 41 54 48 45 4E 41 2E 2C 57 41 53 48 49 4E 47 54 4F 4E 2E 45 44 55 2C 43 53 2E A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A",decode_krb5_enc_tkt_part,ktest_equal_enc_tkt_part); - + decode_run("enc_tkt_part","(optionals NULL + bitstring reduced to 24 bits)","63 81 A4 30 81 A1 A0 06 03 04 00 FE DC BA A1 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 2E 30 2C A0 03 02 01 01 A1 25 04 23 45 44 55 2C 4D 49 54 2E 2C 41 54 48 45 4E 41 2E 2C 57 41 53 48 49 4E 47 54 4F 4E 2E 45 44 55 2C 43 53 2E A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A",decode_krb5_enc_tkt_part,ktest_equal_enc_tkt_part,krb5_free_enc_tkt_part); + + ktest_empty_enc_tkt_part(&ref); } /****************************************************************/ @@ -173,10 +191,10 @@ int main(argc, argv) setup(krb5_enc_kdc_rep_part,"krb5_enc_kdc_rep_part",ktest_make_sample_enc_kdc_rep_part); #ifdef KRB5_GENEROUS_LR_TYPE - decode_run("enc_kdc_rep_part","(compat_lr_type)","7A 82 01 10 30 82 01 0C A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 38 30 36 30 19 A0 04 02 02 00 FB A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A 30 19 A0 04 02 02 00 FB A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A2 03 02 01 2A A3 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A4 07 03 05 00 FE DC BA 98 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A8 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A9 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 AA 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 AB 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23",decode_krb5_enc_kdc_rep_part,ktest_equal_enc_kdc_rep_part); + decode_run("enc_kdc_rep_part","(compat_lr_type)","7A 82 01 10 30 82 01 0C A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 38 30 36 30 19 A0 04 02 02 00 FB A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A 30 19 A0 04 02 02 00 FB A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A2 03 02 01 2A A3 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A4 07 03 05 00 FE DC BA 98 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A8 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A9 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 AA 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 AB 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23",decode_krb5_enc_kdc_rep_part,ktest_equal_enc_kdc_rep_part,krb5_free_enc_kdc_rep_part); #endif - decode_run("enc_kdc_rep_part","","7A 82 01 0E 30 82 01 0A A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 36 30 34 30 18 A0 03 02 01 FB A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A 30 18 A0 03 02 01 FB A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A2 03 02 01 2A A3 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A4 07 03 05 00 FE DC BA 98 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A8 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A9 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 AA 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 AB 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23",decode_krb5_enc_kdc_rep_part,ktest_equal_enc_kdc_rep_part); + decode_run("enc_kdc_rep_part","","7A 82 01 0E 30 82 01 0A A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 36 30 34 30 18 A0 03 02 01 FB A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A 30 18 A0 03 02 01 FB A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A2 03 02 01 2A A3 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A4 07 03 05 00 FE DC BA 98 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A8 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A9 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 AA 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 AB 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23",decode_krb5_enc_kdc_rep_part,ktest_equal_enc_kdc_rep_part,krb5_free_enc_kdc_rep_part); ref.key_exp = 0; /* ref.times.starttime = 0;*/ @@ -186,10 +204,12 @@ int main(argc, argv) ktest_destroy_addresses(&(ref.caddrs)); #ifdef KRB5_GENEROUS_LR_TYPE - decode_run("enc_kdc_rep_part","(optionals NULL)(compat lr_type)","7A 81 B4 30 81 B1 A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 38 30 36 30 19 A0 04 02 02 00 FB A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A 30 19 A0 04 02 02 00 FB A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A2 03 02 01 2A A4 07 03 05 00 FE 5C BA 98 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A9 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 AA 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61",decode_krb5_enc_kdc_rep_part,ktest_equal_enc_kdc_rep_part); + decode_run("enc_kdc_rep_part","(optionals NULL)(compat lr_type)","7A 81 B4 30 81 B1 A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 38 30 36 30 19 A0 04 02 02 00 FB A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A 30 19 A0 04 02 02 00 FB A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A2 03 02 01 2A A4 07 03 05 00 FE 5C BA 98 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A9 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 AA 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61",decode_krb5_enc_kdc_rep_part,ktest_equal_enc_kdc_rep_part,krb5_free_enc_kdc_rep_part); #endif - decode_run("enc_kdc_rep_part","(optionals NULL)","7A 81 B2 30 81 AF A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 36 30 34 30 18 A0 03 02 01 FB A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A 30 18 A0 03 02 01 FB A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A2 03 02 01 2A A4 07 03 05 00 FE 5C BA 98 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A9 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 AA 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61",decode_krb5_enc_kdc_rep_part,ktest_equal_enc_kdc_rep_part); + decode_run("enc_kdc_rep_part","(optionals NULL)","7A 81 B2 30 81 AF A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 36 30 34 30 18 A0 03 02 01 FB A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A 30 18 A0 03 02 01 FB A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A2 03 02 01 2A A4 07 03 05 00 FE 5C BA 98 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A9 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 AA 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61",decode_krb5_enc_kdc_rep_part,ktest_equal_enc_kdc_rep_part,krb5_free_enc_kdc_rep_part); + + ktest_empty_enc_kdc_rep_part(&ref); } /****************************************************************/ @@ -198,7 +218,7 @@ int main(argc, argv) setup(krb5_kdc_rep,"krb5_kdc_rep",ktest_make_sample_kdc_rep); ref.msg_type = KRB5_AS_REP; - decode_run("as_rep","","6B 81 EA 30 81 E7 A0 03 02 01 05 A1 03 02 01 0B A2 26 30 24 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 A3 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A4 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A5 5E 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 A6 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_as_rep,ktest_equal_as_rep); + decode_run("as_rep","","6B 81 EA 30 81 E7 A0 03 02 01 05 A1 03 02 01 0B A2 26 30 24 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 A3 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A4 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A5 5E 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 A6 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_as_rep,ktest_equal_as_rep,krb5_free_kdc_rep); /* 6B 80 30 80 @@ -249,9 +269,11 @@ int main(argc, argv) 00 00 00 00 00 00 00 00 */ - decode_run("as_rep","(indefinite lengths)","6B 80 30 80 A0 03 02 01 05 A1 03 02 01 0B A2 80 30 80 30 80 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 00 00 30 80 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 00 00 00 00 00 00 A3 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A4 80 30 80 A0 03 02 01 01 A1 80 30 80 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 00 00 00 00 00 00 00 00 A5 80 61 80 30 80 A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 80 30 80 A0 03 02 01 01 A1 80 30 80 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 00 00 00 00 00 00 00 00 A3 80 30 80 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 00 00 00 00 00 00 00 00 00 00 A6 80 30 80 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 00 00 00 00 00 00 00 00",decode_krb5_as_rep,ktest_equal_as_rep); + decode_run("as_rep","(indefinite lengths)","6B 80 30 80 A0 03 02 01 05 A1 03 02 01 0B A2 80 30 80 30 80 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 00 00 30 80 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 00 00 00 00 00 00 A3 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A4 80 30 80 A0 03 02 01 01 A1 80 30 80 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 00 00 00 00 00 00 00 00 A5 80 61 80 30 80 A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 80 30 80 A0 03 02 01 01 A1 80 30 80 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 00 00 00 00 00 00 00 00 A3 80 30 80 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 00 00 00 00 00 00 00 00 00 00 A6 80 30 80 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 00 00 00 00 00 00 00 00",decode_krb5_as_rep,ktest_equal_as_rep,krb5_free_kdc_rep); ktest_destroy_pa_data_array(&(ref.padata)); - decode_run("as_rep","(optionals NULL)","6B 81 C2 30 81 BF A0 03 02 01 05 A1 03 02 01 0B A3 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A4 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A5 5E 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 A6 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_as_rep,ktest_equal_as_rep); + decode_run("as_rep","(optionals NULL)","6B 81 C2 30 81 BF A0 03 02 01 05 A1 03 02 01 0B A3 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A4 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A5 5E 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 A6 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_as_rep,ktest_equal_as_rep,krb5_free_kdc_rep); + + ktest_empty_kdc_rep(&ref); } /****************************************************************/ @@ -260,24 +282,29 @@ int main(argc, argv) setup(krb5_kdc_rep,"krb5_kdc_rep",ktest_make_sample_kdc_rep); ref.msg_type = KRB5_TGS_REP; - decode_run("tgs_rep","","6D 81 EA 30 81 E7 A0 03 02 01 05 A1 03 02 01 0D A2 26 30 24 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 A3 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A4 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A5 5E 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 A6 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_tgs_rep,ktest_equal_tgs_rep); + decode_run("tgs_rep","","6D 81 EA 30 81 E7 A0 03 02 01 05 A1 03 02 01 0D A2 26 30 24 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 A3 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A4 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A5 5E 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 A6 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_tgs_rep,ktest_equal_tgs_rep,krb5_free_kdc_rep); ktest_destroy_pa_data_array(&(ref.padata)); - decode_run("tgs_rep","(optionals NULL)","6D 81 C2 30 81 BF A0 03 02 01 05 A1 03 02 01 0D A3 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A4 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A5 5E 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 A6 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_tgs_rep,ktest_equal_tgs_rep); + decode_run("tgs_rep","(optionals NULL)","6D 81 C2 30 81 BF A0 03 02 01 05 A1 03 02 01 0D A3 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A4 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A5 5E 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 A6 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_tgs_rep,ktest_equal_tgs_rep,krb5_free_kdc_rep); + + ktest_empty_kdc_rep(&ref); } /****************************************************************/ /* decode_krb5_ap_req */ { setup(krb5_ap_req,"krb5_ap_req",ktest_make_sample_ap_req); - decode_run("ap_req","","6E 81 9D 30 81 9A A0 03 02 01 05 A1 03 02 01 0E A2 07 03 05 00 FE DC BA 98 A3 5E 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 A4 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_ap_req,ktest_equal_ap_req); + decode_run("ap_req","","6E 81 9D 30 81 9A A0 03 02 01 05 A1 03 02 01 0E A2 07 03 05 00 FE DC BA 98 A3 5E 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 A4 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_ap_req,ktest_equal_ap_req,krb5_free_ap_req); + ktest_empty_ap_req(&ref); + } /****************************************************************/ /* decode_krb5_ap_rep */ { setup(krb5_ap_rep,"krb5_ap_rep",ktest_make_sample_ap_rep); - decode_run("ap_rep","","6F 33 30 31 A0 03 02 01 05 A1 03 02 01 0F A2 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_ap_rep,ktest_equal_ap_rep); + decode_run("ap_rep","","6F 33 30 31 A0 03 02 01 05 A1 03 02 01 0F A2 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_ap_rep,ktest_equal_ap_rep,krb5_free_ap_rep); + ktest_empty_ap_rep(&ref); } /****************************************************************/ @@ -285,11 +312,12 @@ int main(argc, argv) { setup(krb5_ap_rep_enc_part,"krb5_ap_rep_enc_part",ktest_make_sample_ap_rep_enc_part); - decode_run("ap_rep_enc_part","","7B 36 30 34 A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40 A2 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A3 03 02 01 11",decode_krb5_ap_rep_enc_part,ktest_equal_ap_rep_enc_part); + decode_run("ap_rep_enc_part","","7B 36 30 34 A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40 A2 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A3 03 02 01 11",decode_krb5_ap_rep_enc_part,ktest_equal_ap_rep_enc_part,krb5_free_ap_rep_enc_part); ktest_destroy_keyblock(&(ref.subkey)); ref.seq_number = 0; - decode_run("ap_rep_enc_part","(optionals NULL)","7B 1C 30 1A A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40",decode_krb5_ap_rep_enc_part,ktest_equal_ap_rep_enc_part); + decode_run("ap_rep_enc_part","(optionals NULL)","7B 1C 30 1A A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40",decode_krb5_ap_rep_enc_part,ktest_equal_ap_rep_enc_part,krb5_free_ap_rep_enc_part); + ktest_empty_ap_rep_enc_part(&ref); } /****************************************************************/ @@ -299,7 +327,7 @@ int main(argc, argv) ref.msg_type = KRB5_AS_REQ; ref.kdc_options &= ~KDC_OPT_ENC_TKT_IN_SKEY; - decode_run("as_req","","6A 82 01 E4 30 82 01 E0 A1 03 02 01 05 A2 03 02 01 0A A3 26 30 24 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 A4 82 01 AA 30 82 01 A6 A0 07 03 05 00 FE DC BA 90 A1 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01 A9 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 AA 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 AB 81 BF 30 81 BC 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_as_req,ktest_equal_as_req); + decode_run("as_req","","6A 82 01 E4 30 82 01 E0 A1 03 02 01 05 A2 03 02 01 0A A3 26 30 24 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 A4 82 01 AA 30 82 01 A6 A0 07 03 05 00 FE DC BA 90 A1 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01 A9 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 AA 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 AB 81 BF 30 81 BC 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_as_req,ktest_equal_as_req,krb5_free_kdc_req); ktest_destroy_pa_data_array(&(ref.padata)); ktest_destroy_principal(&(ref.client)); @@ -311,14 +339,18 @@ int main(argc, argv) ref.rtime = 0; ktest_destroy_addresses(&(ref.addresses)); ktest_destroy_enc_data(&(ref.authorization_data)); - decode_run("as_req","(optionals NULL except second_ticket)","6A 82 01 14 30 82 01 10 A1 03 02 01 05 A2 03 02 01 0A A4 82 01 02 30 81 FF A0 07 03 05 00 FE DC BA 98 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01 AB 81 BF 30 81 BC 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_as_req,ktest_equal_as_req); + decode_run("as_req","(optionals NULL except second_ticket)","6A 82 01 14 30 82 01 10 A1 03 02 01 05 A2 03 02 01 0A A4 82 01 02 30 81 FF A0 07 03 05 00 FE DC BA 98 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01 AB 81 BF 30 81 BC 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_as_req,ktest_equal_as_req,krb5_free_kdc_req); ktest_destroy_sequence_of_ticket(&(ref.second_ticket)); #ifndef ISODE_SUCKS ktest_make_sample_principal(&(ref.server)); #endif ref.kdc_options &= ~KDC_OPT_ENC_TKT_IN_SKEY; - decode_run("as_req","(optionals NULL except server)","6A 69 30 67 A1 03 02 01 05 A2 03 02 01 0A A4 5B 30 59 A0 07 03 05 00 FE DC BA 90 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01",decode_krb5_as_req,ktest_equal_as_req); + decode_run("as_req","(optionals NULL except server)","6A 69 30 67 A1 03 02 01 05 A2 03 02 01 0A A4 5B 30 59 A0 07 03 05 00 FE DC BA 90 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01",decode_krb5_as_req,ktest_equal_as_req,krb5_free_kdc_req); + + ktest_empty_kdc_req(&ref); + } + /****************************************************************/ /* decode_krb5_tgs_req */ @@ -327,7 +359,7 @@ int main(argc, argv) ref.msg_type = KRB5_TGS_REQ; ref.kdc_options &= ~KDC_OPT_ENC_TKT_IN_SKEY; - decode_run("tgs_req","","6C 82 01 E4 30 82 01 E0 A1 03 02 01 05 A2 03 02 01 0C A3 26 30 24 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 A4 82 01 AA 30 82 01 A6 A0 07 03 05 00 FE DC BA 90 A1 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01 A9 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 AA 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 AB 81 BF 30 81 BC 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_tgs_req,ktest_equal_tgs_req); + decode_run("tgs_req","","6C 82 01 E4 30 82 01 E0 A1 03 02 01 05 A2 03 02 01 0C A3 26 30 24 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 A4 82 01 AA 30 82 01 A6 A0 07 03 05 00 FE DC BA 90 A1 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01 A9 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 AA 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 AB 81 BF 30 81 BC 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_tgs_req,ktest_equal_tgs_req,krb5_free_kdc_req); ktest_destroy_pa_data_array(&(ref.padata)); ktest_destroy_principal(&(ref.client)); @@ -339,27 +371,30 @@ int main(argc, argv) ref.rtime = 0; ktest_destroy_addresses(&(ref.addresses)); ktest_destroy_enc_data(&(ref.authorization_data)); - decode_run("tgs_req","(optionals NULL except second_ticket)","6C 82 01 14 30 82 01 10 A1 03 02 01 05 A2 03 02 01 0C A4 82 01 02 30 81 FF A0 07 03 05 00 FE DC BA 98 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01 AB 81 BF 30 81 BC 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_tgs_req,ktest_equal_tgs_req); + decode_run("tgs_req","(optionals NULL except second_ticket)","6C 82 01 14 30 82 01 10 A1 03 02 01 05 A2 03 02 01 0C A4 82 01 02 30 81 FF A0 07 03 05 00 FE DC BA 98 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01 AB 81 BF 30 81 BC 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_tgs_req,ktest_equal_tgs_req,krb5_free_kdc_req); ktest_destroy_sequence_of_ticket(&(ref.second_ticket)); #ifndef ISODE_SUCKS ktest_make_sample_principal(&(ref.server)); #endif ref.kdc_options &= ~KDC_OPT_ENC_TKT_IN_SKEY; - decode_run("tgs_req","(optionals NULL except server)","6C 69 30 67 A1 03 02 01 05 A2 03 02 01 0C A4 5B 30 59 A0 07 03 05 00 FE DC BA 90 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01",decode_krb5_tgs_req,ktest_equal_tgs_req); + decode_run("tgs_req","(optionals NULL except server)","6C 69 30 67 A1 03 02 01 05 A2 03 02 01 0C A4 5B 30 59 A0 07 03 05 00 FE DC BA 90 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01",decode_krb5_tgs_req,ktest_equal_tgs_req,krb5_free_kdc_req); + + ktest_empty_kdc_req(&ref); } /****************************************************************/ /* decode_krb5_kdc_req_body */ { krb5_kdc_req ref, *var; + memset(&ref, 0, sizeof(krb5_kdc_req)); retval = ktest_make_sample_kdc_req_body(&ref); if(retval){ com_err("making sample kdc_req_body",retval,""); exit(1); } ref.kdc_options &= ~KDC_OPT_ENC_TKT_IN_SKEY; - decode_run("kdc_req_body","","30 82 01 A6 A0 07 03 05 00 FE DC BA 90 A1 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01 A9 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 AA 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 AB 81 BF 30 81 BC 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_kdc_req_body,ktest_equal_kdc_req_body); + decode_run("kdc_req_body","","30 82 01 A6 A0 07 03 05 00 FE DC BA 90 A1 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01 A9 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 AA 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 AB 81 BF 30 81 BC 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_kdc_req_body,ktest_equal_kdc_req_body,krb5_free_kdc_req); ktest_destroy_principal(&(ref.client)); #ifndef ISODE_SUCKS @@ -370,66 +405,75 @@ int main(argc, argv) ref.rtime = 0; ktest_destroy_addresses(&(ref.addresses)); ktest_destroy_enc_data(&(ref.authorization_data)); - decode_run("kdc_req_body","(optionals NULL except second_ticket)","30 81 FF A0 07 03 05 00 FE DC BA 98 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01 AB 81 BF 30 81 BC 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_kdc_req_body,ktest_equal_kdc_req_body); + decode_run("kdc_req_body","(optionals NULL except second_ticket)","30 81 FF A0 07 03 05 00 FE DC BA 98 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01 AB 81 BF 30 81 BC 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_kdc_req_body,ktest_equal_kdc_req_body,krb5_free_kdc_req); ktest_destroy_sequence_of_ticket(&(ref.second_ticket)); #ifndef ISODE_SUCKS ktest_make_sample_principal(&(ref.server)); #endif ref.kdc_options &= ~KDC_OPT_ENC_TKT_IN_SKEY; - decode_run("kdc_req_body","(optionals NULL except server)","30 59 A0 07 03 05 00 FE DC BA 90 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01",decode_krb5_kdc_req_body,ktest_equal_kdc_req_body); + decode_run("kdc_req_body","(optionals NULL except server)","30 59 A0 07 03 05 00 FE DC BA 90 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 08 30 06 02 01 00 02 01 01",decode_krb5_kdc_req_body,ktest_equal_kdc_req_body,krb5_free_kdc_req); ref.nktypes = 0; free(ref.ktype); ref.ktype = NULL; - decode_run("kdc_req_body","(optionals NULL except server; zero-length etypes)","30 53 A0 07 03 05 00 FE DC BA 90 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 02 30 00",decode_krb5_kdc_req_body,ktest_equal_kdc_req_body); + decode_run("kdc_req_body","(optionals NULL except server; zero-length etypes)","30 53 A0 07 03 05 00 FE DC BA 90 A2 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A3 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 03 02 01 2A A8 02 30 00",decode_krb5_kdc_req_body,ktest_equal_kdc_req_body,krb5_free_kdc_req); + + ktest_empty_kdc_req(&ref); } + /****************************************************************/ /* decode_krb5_safe */ { setup(krb5_safe,"krb5_safe",ktest_make_sample_safe); - decode_run("safe","","74 6E 30 6C A0 03 02 01 05 A1 03 02 01 14 A2 4F 30 4D A0 0A 04 08 6B 72 62 35 64 61 74 61 A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A2 05 02 03 01 E2 40 A3 03 02 01 11 A4 0F 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 A5 0F 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 A3 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34",decode_krb5_safe,ktest_equal_safe); + decode_run("safe","","74 6E 30 6C A0 03 02 01 05 A1 03 02 01 14 A2 4F 30 4D A0 0A 04 08 6B 72 62 35 64 61 74 61 A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A2 05 02 03 01 E2 40 A3 03 02 01 11 A4 0F 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 A5 0F 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 A3 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34",decode_krb5_safe,ktest_equal_safe,krb5_free_safe); ref.timestamp = 0; ref.usec = 0; ref.seq_number = 0; ktest_destroy_address(&(ref.r_address)); - decode_run("safe","(optionals NULL)","74 3E 30 3C A0 03 02 01 05 A1 03 02 01 14 A2 1F 30 1D A0 0A 04 08 6B 72 62 35 64 61 74 61 A4 0F 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 A3 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34",decode_krb5_safe,ktest_equal_safe); + decode_run("safe","(optionals NULL)","74 3E 30 3C A0 03 02 01 05 A1 03 02 01 14 A2 1F 30 1D A0 0A 04 08 6B 72 62 35 64 61 74 61 A4 0F 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 A3 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34",decode_krb5_safe,ktest_equal_safe,krb5_free_safe); + + ktest_empty_safe(&ref); } /****************************************************************/ /* decode_krb5_priv */ { setup(krb5_priv,"krb5_priv",ktest_make_sample_priv); - decode_run("priv","","75 33 30 31 A0 03 02 01 05 A1 03 02 01 15 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_priv,ktest_equal_priv); + decode_run("priv","","75 33 30 31 A0 03 02 01 05 A1 03 02 01 15 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_priv,ktest_equal_priv,krb5_free_priv); + ktest_empty_priv(&ref); } /****************************************************************/ /* decode_krb5_enc_priv_part */ { setup(krb5_priv_enc_part,"krb5_priv_enc_part",ktest_make_sample_priv_enc_part); - decode_run("enc_priv_part","","7C 4F 30 4D A0 0A 04 08 6B 72 62 35 64 61 74 61 A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A2 05 02 03 01 E2 40 A3 03 02 01 11 A4 0F 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 A5 0F 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23",decode_krb5_enc_priv_part,ktest_equal_enc_priv_part); + decode_run("enc_priv_part","","7C 4F 30 4D A0 0A 04 08 6B 72 62 35 64 61 74 61 A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A2 05 02 03 01 E2 40 A3 03 02 01 11 A4 0F 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 A5 0F 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23",decode_krb5_enc_priv_part,ktest_equal_enc_priv_part,krb5_free_priv_enc_part); ref.timestamp = 0; ref.usec = 0; ref.seq_number = 0; ktest_destroy_address(&(ref.r_address)); - decode_run("enc_priv_part","(optionals NULL)","7C 1F 30 1D A0 0A 04 08 6B 72 62 35 64 61 74 61 A4 0F 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23",decode_krb5_enc_priv_part,ktest_equal_enc_priv_part); + decode_run("enc_priv_part","(optionals NULL)","7C 1F 30 1D A0 0A 04 08 6B 72 62 35 64 61 74 61 A4 0F 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23",decode_krb5_enc_priv_part,ktest_equal_enc_priv_part,krb5_free_priv_enc_part); + ktest_empty_priv_enc_part(&ref); } /****************************************************************/ /* decode_krb5_cred */ { setup(krb5_cred,"krb5_cred",ktest_make_sample_cred); - decode_run("cred","","76 81 F6 30 81 F3 A0 03 02 01 05 A1 03 02 01 16 A2 81 BF 30 81 BC 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_cred,ktest_equal_cred); + decode_run("cred","","76 81 F6 30 81 F3 A0 03 02 01 05 A1 03 02 01 16 A2 81 BF 30 81 BC 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_cred,ktest_equal_cred,krb5_free_cred); + ktest_empty_cred(&ref); } /****************************************************************/ /* decode_krb5_enc_cred_part */ { setup(krb5_cred_enc_part,"krb5_cred_enc_part",ktest_make_sample_cred_enc_part); - decode_run("enc_cred_part","","7D 82 02 23 30 82 02 1F A0 82 01 DA 30 82 01 D6 30 81 E8 A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 07 03 05 00 FE DC BA 98 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A8 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A9 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 AA 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 81 E8 A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 07 03 05 00 FE DC BA 98 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A8 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A9 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 AA 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 A1 03 02 01 2A A2 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A3 05 02 03 01 E2 40 A4 0F 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 A5 0F 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23",decode_krb5_enc_cred_part,ktest_equal_enc_cred_part); - + decode_run("enc_cred_part","","7D 82 02 23 30 82 02 1F A0 82 01 DA 30 82 01 D6 30 81 E8 A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 07 03 05 00 FE DC BA 98 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A8 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A9 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 AA 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 81 E8 A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 07 03 05 00 FE DC BA 98 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A8 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A9 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 AA 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 A1 03 02 01 2A A2 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A3 05 02 03 01 E2 40 A4 0F 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 A5 0F 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23",decode_krb5_enc_cred_part,ktest_equal_enc_cred_part,krb5_free_cred_enc_part); + /* free_cred_enc_part does not free the pointer */ + krb5_xfree(var); ktest_destroy_principal(&(ref.ticket_info[0]->client)); ktest_destroy_principal(&(ref.ticket_info[0]->server)); ref.ticket_info[0]->flags = 0; @@ -443,20 +487,26 @@ int main(argc, argv) ref.usec = 0; ktest_destroy_address(&(ref.s_address)); ktest_destroy_address(&(ref.r_address)); - decode_run("enc_cred_part","(optionals NULL)","7D 82 01 0E 30 82 01 0A A0 82 01 06 30 82 01 02 30 15 A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 30 81 E8 A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 07 03 05 00 FE DC BA 98 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A8 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A9 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 AA 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23",decode_krb5_enc_cred_part,ktest_equal_enc_cred_part); + decode_run("enc_cred_part","(optionals NULL)","7D 82 01 0E 30 82 01 0A A0 82 01 06 30 82 01 02 30 15 A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 30 81 E8 A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 07 03 05 00 FE DC BA 98 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A8 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A9 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 AA 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23",decode_krb5_enc_cred_part,ktest_equal_enc_cred_part,krb5_free_cred_enc_part); + /* free_cred_enc_part does not free the pointer */ + krb5_xfree(var); + + ktest_empty_cred_enc_part(&ref); } /****************************************************************/ /* decode_krb5_error */ { setup(krb5_error,"krb5_error",ktest_make_sample_error); - decode_run("error","","7E 81 BA 30 81 B7 A0 03 02 01 05 A1 03 02 01 1E A2 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A3 05 02 03 01 E2 40 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 05 02 03 01 E2 40 A6 03 02 01 3C A7 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A8 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A9 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 AA 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 AB 0A 1B 08 6B 72 62 35 64 61 74 61 AC 0A 04 08 6B 72 62 35 64 61 74 61",decode_krb5_error,ktest_equal_error); + decode_run("error","","7E 81 BA 30 81 B7 A0 03 02 01 05 A1 03 02 01 1E A2 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A3 05 02 03 01 E2 40 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 05 02 03 01 E2 40 A6 03 02 01 3C A7 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A8 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A9 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 AA 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 AB 0A 1B 08 6B 72 62 35 64 61 74 61 AC 0A 04 08 6B 72 62 35 64 61 74 61",decode_krb5_error,ktest_equal_error,krb5_free_error); ref.ctime = 0; ktest_destroy_principal(&(ref.client)); ktest_empty_data(&(ref.text)); ktest_empty_data(&(ref.e_data)); - decode_run("error","(optionals NULL)","7E 60 30 5E A0 03 02 01 05 A1 03 02 01 1E A3 05 02 03 01 E2 40 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 05 02 03 01 E2 40 A6 03 02 01 3C A9 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 AA 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61",decode_krb5_error,ktest_equal_error); + decode_run("error","(optionals NULL)","7E 60 30 5E A0 03 02 01 05 A1 03 02 01 1E A3 05 02 03 01 E2 40 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 05 02 03 01 E2 40 A6 03 02 01 3C A9 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 AA 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61",decode_krb5_error,ktest_equal_error,krb5_free_error); + + ktest_empty_error(&ref); } /****************************************************************/ @@ -476,20 +526,25 @@ int main(argc, argv) retval = decode_krb5_authdata(&code,&var); if(retval) com_err("decoding authorization_data",retval,""); assert(ktest_equal_authorization_data(ref,var),"authorization_data\n") + krb5_free_data_contents(test_context, &code); + krb5_free_authdata(test_context, var); + ktest_destroy_authorization_data(&ref); } /****************************************************************/ /* decode_pwd_sequence */ { setup(passwd_phrase_element,"passwd_phrase_element",ktest_make_sample_passwd_phrase_element); - decode_run("PasswdSequence","","30 18 A0 0A 04 08 6B 72 62 35 64 61 74 61 A1 0A 04 08 6B 72 62 35 64 61 74 61",decode_krb5_pwd_sequence,ktest_equal_passwd_phrase_element); + decode_run("PasswdSequence","","30 18 A0 0A 04 08 6B 72 62 35 64 61 74 61 A1 0A 04 08 6B 72 62 35 64 61 74 61",decode_krb5_pwd_sequence,ktest_equal_passwd_phrase_element,krb5_ktest_free_pwd_sequence); + ktest_empty_passwd_phrase_element(&ref); } /****************************************************************/ /* decode_passwd_data */ { setup(krb5_pwd_data,"krb5_pwd_data",ktest_make_sample_krb5_pwd_data); - decode_run("PasswdData","","30 3D A0 03 02 01 02 A1 36 30 34 30 18 A0 0A 04 08 6B 72 62 35 64 61 74 61 A1 0A 04 08 6B 72 62 35 64 61 74 61 30 18 A0 0A 04 08 6B 72 62 35 64 61 74 61 A1 0A 04 08 6B 72 62 35 64 61 74 61",decode_krb5_pwd_data,ktest_equal_krb5_pwd_data); + decode_run("PasswdData","","30 3D A0 03 02 01 02 A1 36 30 34 30 18 A0 0A 04 08 6B 72 62 35 64 61 74 61 A1 0A 04 08 6B 72 62 35 64 61 74 61 30 18 A0 0A 04 08 6B 72 62 35 64 61 74 61 A1 0A 04 08 6B 72 62 35 64 61 74 61",decode_krb5_pwd_data,ktest_equal_krb5_pwd_data,krb5_free_pwd_data); + ktest_empty_pwd_data(&ref); } /****************************************************************/ @@ -508,7 +563,10 @@ int main(argc, argv) } retval = decode_krb5_padata_sequence(&code,&var); if(retval) com_err("decoding padata_sequence",retval,""); - assert(ktest_equal_sequence_of_pa_data(ref,var),"pa_data\n") + assert(ktest_equal_sequence_of_pa_data(ref,var),"pa_data\n"); + krb5_free_pa_data(test_context, var); + krb5_free_data_contents(test_context, &code); + ktest_destroy_pa_data_array(&ref); } /****************************************************************/ @@ -527,17 +585,20 @@ int main(argc, argv) } retval = decode_krb5_padata_sequence(&code,&var); if(retval) com_err("decoding padata_sequence (empty)",retval,""); - assert(ktest_equal_sequence_of_pa_data(ref,var),"pa_data (empty)\n") + assert(ktest_equal_sequence_of_pa_data(ref,var),"pa_data (empty)\n"); + krb5_free_pa_data(test_context, var); + krb5_free_data_contents(test_context, &code); + ktest_destroy_pa_data_array(&ref); } /****************************************************************/ /* decode_pwd_sequence */ { setup(krb5_alt_method,"krb5_alt_method",ktest_make_sample_alt_method); - decode_run("alt_method","","30 0F A0 03 02 01 2A A1 08 04 06 73 65 63 72 65 74",decode_krb5_alt_method,ktest_equal_krb5_alt_method); + decode_run("alt_method","","30 0F A0 03 02 01 2A A1 08 04 06 73 65 63 72 65 74",decode_krb5_alt_method,ktest_equal_krb5_alt_method,krb5_ktest_free_alt_method); ref.length = 0; - decode_run("alt_method (no data)","","30 05 A0 03 02 01 2A",decode_krb5_alt_method,ktest_equal_krb5_alt_method); - + decode_run("alt_method (no data)","","30 05 A0 03 02 01 2A",decode_krb5_alt_method,ktest_equal_krb5_alt_method,krb5_ktest_free_alt_method); + ktest_empty_alt_method(&ref); } /****************************************************************/ @@ -565,6 +626,7 @@ int main(argc, argv) ktest_destroy_etype_info(var); ktest_destroy_etype_info_entry(ref[2]); ref[2] = 0; ktest_destroy_etype_info_entry(ref[1]); ref[1] = 0; + krb5_free_data_contents(test_context, &code); retval = krb5_data_hex_parse(&code,"30 16 30 14 A0 03 02 01 00 A1 0D 04 0B 4D 6F 72 74 6F 6E 27 73 20 23 30"); if(retval){ @@ -581,6 +643,7 @@ int main(argc, argv) ktest_destroy_etype_info(var); ktest_destroy_etype_info_entry(ref[0]); ref[0] = 0; + krb5_free_data_contents(test_context, &code); retval = krb5_data_hex_parse(&code,"30 00"); if(retval){ @@ -595,6 +658,7 @@ int main(argc, argv) } assert(ktest_equal_etype_info(ref,var),"etype_info (no info)\n"); + krb5_free_data_contents(test_context, &code); ktest_destroy_etype_info(var); ktest_destroy_etype_info(ref); } @@ -603,41 +667,70 @@ int main(argc, argv) /* decode_pa_enc_ts */ { setup(krb5_pa_enc_ts,"krb5_pa_enc_ts",ktest_make_sample_pa_enc_ts); - decode_run("pa_enc_ts","","30 1A A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40",decode_krb5_pa_enc_ts,ktest_equal_krb5_pa_enc_ts); + decode_run("pa_enc_ts","","30 1A A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40",decode_krb5_pa_enc_ts,ktest_equal_krb5_pa_enc_ts,krb5_free_pa_enc_ts); ref.pausec = 0; - decode_run("pa_enc_ts (no usec)","","30 13 A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A",decode_krb5_pa_enc_ts,ktest_equal_krb5_pa_enc_ts); + decode_run("pa_enc_ts (no usec)","","30 13 A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A",decode_krb5_pa_enc_ts,ktest_equal_krb5_pa_enc_ts,krb5_free_pa_enc_ts); } /****************************************************************/ /* decode_enc_data */ { setup(krb5_enc_data,"krb5_enc_data",ktest_make_sample_enc_data); - decode_run("enc_data","","30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_enc_data,ktest_equal_enc_data); + decode_run("enc_data","","30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_enc_data,ktest_equal_enc_data,krb5_ktest_free_enc_data); + ktest_destroy_enc_data(&ref); } /****************************************************************/ /* decode_sam_challenge */ { setup(krb5_sam_challenge,"krb5_sam_challenge",ktest_make_sample_sam_challenge); - decode_run("sam_challenge","","30 78 A0 03 02 01 2A A1 07 03 05 00 80 00 00 00 A2 0B 04 09 74 79 70 65 20 6E 61 6D 65 A3 02 04 00 A4 11 04 0F 63 68 61 6C 6C 65 6E 67 65 20 6C 61 62 65 6C A5 10 04 0E 63 68 61 6C 6C 65 6E 67 65 20 69 70 73 65 A6 16 04 14 72 65 73 70 6F 6E 73 65 5F 70 72 6F 6D 70 74 20 69 70 73 65 A7 02 04 00 A8 05 02 03 54 32 10 A9 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34",decode_krb5_sam_challenge,ktest_equal_sam_challenge); + decode_run("sam_challenge","","30 78 A0 03 02 01 2A A1 07 03 05 00 80 00 00 00 A2 0B 04 09 74 79 70 65 20 6E 61 6D 65 A3 02 04 00 A4 11 04 0F 63 68 61 6C 6C 65 6E 67 65 20 6C 61 62 65 6C A5 10 04 0E 63 68 61 6C 6C 65 6E 67 65 20 69 70 73 65 A6 16 04 14 72 65 73 70 6F 6E 73 65 5F 70 72 6F 6D 70 74 20 69 70 73 65 A7 02 04 00 A8 05 02 03 54 32 10 A9 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34",decode_krb5_sam_challenge,ktest_equal_sam_challenge,krb5_free_sam_challenge); + ktest_empty_sam_challenge(&ref); + } /****************************************************************/ /* decode_sam_challenge */ { setup(krb5_sam_challenge,"krb5_sam_challenge - no optionals",ktest_make_sample_sam_challenge); - decode_run("sam_challenge","","30 70 A0 03 02 01 2A A1 07 03 05 00 80 00 00 00 A2 0B 04 09 74 79 70 65 20 6E 61 6D 65 A4 11 04 0F 63 68 61 6C 6C 65 6E 67 65 20 6C 61 62 65 6C A5 10 04 0E 63 68 61 6C 6C 65 6E 67 65 20 69 70 73 65 A6 16 04 14 72 65 73 70 6F 6E 73 65 5F 70 72 6F 6D 70 74 20 69 70 73 65 A8 05 02 03 54 32 10 A9 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34",decode_krb5_sam_challenge,ktest_equal_sam_challenge); + decode_run("sam_challenge","","30 70 A0 03 02 01 2A A1 07 03 05 00 80 00 00 00 A2 0B 04 09 74 79 70 65 20 6E 61 6D 65 A4 11 04 0F 63 68 61 6C 6C 65 6E 67 65 20 6C 61 62 65 6C A5 10 04 0E 63 68 61 6C 6C 65 6E 67 65 20 69 70 73 65 A6 16 04 14 72 65 73 70 6F 6E 73 65 5F 70 72 6F 6D 70 74 20 69 70 73 65 A8 05 02 03 54 32 10 A9 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34",decode_krb5_sam_challenge,ktest_equal_sam_challenge,krb5_free_sam_challenge); + ktest_empty_sam_challenge(&ref); } /****************************************************************/ /* decode_sam_response */ { setup(krb5_sam_response,"krb5_sam_response",ktest_make_sample_sam_response); - decode_run("sam_response","","30 6A A0 03 02 01 2A A1 07 03 05 00 80 00 00 00 A2 0C 04 0A 74 72 61 63 6B 20 64 61 74 61 A3 14 30 12 A0 03 02 01 01 A1 04 02 02 07 96 A2 05 04 03 6B 65 79 A4 1C 30 1A A0 03 02 01 01 A1 04 02 02 0D 36 A2 0D 04 0B 6E 6F 6E 63 65 20 6F 72 20 74 73 A5 05 02 03 54 32 10 A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A",decode_krb5_sam_response,ktest_equal_sam_response); + decode_run("sam_response","","30 6A A0 03 02 01 2A A1 07 03 05 00 80 00 00 00 A2 0C 04 0A 74 72 61 63 6B 20 64 61 74 61 A3 14 30 12 A0 03 02 01 01 A1 04 02 02 07 96 A2 05 04 03 6B 65 79 A4 1C 30 1A A0 03 02 01 01 A1 04 02 02 0D 36 A2 0D 04 0B 6E 6F 6E 63 65 20 6F 72 20 74 73 A5 05 02 03 54 32 10 A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A",decode_krb5_sam_response,ktest_equal_sam_response,krb5_free_sam_response); + + ktest_empty_sam_response(&ref); } + krb5_free_context(test_context); exit(error_count); return(error_count); } +void krb5_ktest_free_alt_method(krb5_context context, krb5_alt_method *val) +{ + if (val->data) + krb5_xfree(val->data); + krb5_xfree(val); +} + +void krb5_ktest_free_pwd_sequence(krb5_context context, + passwd_phrase_element *val) +{ + krb5_free_data(context, val->passwd); + krb5_free_data(context, val->phrase); + krb5_xfree(val); +} + +void krb5_ktest_free_enc_data(krb5_context context, krb5_enc_data *val) +{ + if(val) { + krb5_free_data_contents(context, &(val->ciphertext)); + free(val); + } +} diff --git a/src/tests/asn.1/krb5_encode_test.c b/src/tests/asn.1/krb5_encode_test.c index 012be90b4..284d31b77 100644 --- a/src/tests/asn.1/krb5_encode_test.c +++ b/src/tests/asn.1/krb5_encode_test.c @@ -133,6 +133,7 @@ main(argc, argv) ktest_destroy_authorization_data(&(authent.authorization_data)); encode_run(authent,authenticator,"authenticator","(optionals NULL)",encode_krb5_authenticator); + ktest_empty_authenticator(&authent); } /****************************************************************/ @@ -141,6 +142,7 @@ main(argc, argv) krb5_ticket tkt; setup(tkt,ticket,"ticket",ktest_make_sample_ticket); encode_run(tkt,ticket,"ticket","",encode_krb5_ticket); + ktest_empty_ticket(&tkt); } /****************************************************************/ @@ -150,12 +152,14 @@ main(argc, argv) setup(keyblk,keyblock,"keyblock",ktest_make_sample_keyblock); current_appl_type = 1005; encode_run(keyblk,keyblock,"keyblock","",encode_krb5_encryption_key); + ktest_empty_keyblock(&keyblk); } /****************************************************************/ /* encode_krb5_enc_tkt_part */ { krb5_ticket tkt; + memset(&tkt, 0, sizeof(krb5_ticket)); tkt.enc_part2 = (krb5_enc_tkt_part*)calloc(1,sizeof(krb5_enc_tkt_part)); if(tkt.enc_part2 == NULL) com_err("allocating enc_tkt_part",errno,""); setup(*(tkt.enc_part2),enc_tkt_part,"enc_tkt_part",ktest_make_sample_enc_tkt_part); @@ -174,13 +178,16 @@ main(argc, argv) ktest_destroy_authorization_data(&(tkt.enc_part2->authorization_data)); encode_run(*(tkt.enc_part2),enc_tkt_part,"enc_tkt_part","(optionals NULL)",encode_krb5_enc_tkt_part); + ktest_empty_ticket(&tkt); } /****************************************************************/ /* encode_krb5_enc_kdc_rep_part */ { krb5_kdc_rep kdcr; - + + memset(&kdcr, 0, sizeof(kdcr)); + kdcr.enc_part2 = (krb5_enc_kdc_rep_part*) calloc(1,sizeof(krb5_enc_kdc_rep_part)); if(kdcr.enc_part2 == NULL) com_err("allocating enc_kdc_rep_part",errno,""); @@ -194,6 +201,8 @@ main(argc, argv) ktest_destroy_addresses(&(kdcr.enc_part2->caddrs)); encode_run(*(kdcr.enc_part2),enc_kdc_rep_part,"enc_kdc_rep_part","(optionals NULL)",encode_krb5_enc_kdc_rep_part); + + ktest_empty_kdc_rep(&kdcr); } /****************************************************************/ @@ -212,6 +221,9 @@ main(argc, argv) ktest_destroy_pa_data_array(&(kdcr.padata)); encode_run(kdcr,as_rep,"as_rep","(optionals NULL)",encode_krb5_as_rep); + + ktest_empty_kdc_rep(&kdcr); + } /****************************************************************/ @@ -229,6 +241,9 @@ main(argc, argv) ktest_destroy_pa_data_array(&(kdcr.padata)); encode_run(kdcr,tgs_rep,"tgs_rep","(optionals NULL)",encode_krb5_tgs_rep); + + ktest_empty_kdc_rep(&kdcr); + } /****************************************************************/ @@ -237,6 +252,7 @@ main(argc, argv) krb5_ap_req apreq; setup(apreq,ap_req,"ap_req",ktest_make_sample_ap_req); encode_run(apreq,ap_req,"ap_req","",encode_krb5_ap_req); + ktest_empty_ap_req(&apreq); } /****************************************************************/ @@ -245,6 +261,7 @@ main(argc, argv) krb5_ap_rep aprep; setup(aprep,ap_rep,"ap_rep",ktest_make_sample_ap_rep); encode_run(aprep,ap_rep,"ap_rep","",encode_krb5_ap_rep); + ktest_empty_ap_rep(&aprep); } /****************************************************************/ @@ -257,6 +274,7 @@ main(argc, argv) ktest_destroy_keyblock(&(apenc.subkey)); apenc.seq_number = 0; encode_run(apenc,ap_rep_enc_part,"ap_rep_enc_part","(optionals NULL)",encode_krb5_ap_rep_enc_part); + ktest_empty_ap_rep_enc_part(&apenc); } /****************************************************************/ @@ -285,6 +303,7 @@ main(argc, argv) #endif asreq.kdc_options &= ~KDC_OPT_ENC_TKT_IN_SKEY; encode_run(asreq,as_req,"as_req","(optionals NULL except server)",encode_krb5_as_req); + ktest_empty_kdc_req(&asreq); } /****************************************************************/ @@ -314,12 +333,15 @@ main(argc, argv) #endif tgsreq.kdc_options &= ~KDC_OPT_ENC_TKT_IN_SKEY; encode_run(tgsreq,tgs_req,"tgs_req","(optionals NULL except server)",encode_krb5_tgs_req); + + ktest_empty_kdc_req(&tgsreq); } /****************************************************************/ /* encode_krb5_kdc_req_body */ { krb5_kdc_req kdcrb; + memset(&kdcrb, 0, sizeof(kdcrb)); setup(kdcrb,kdc_req_body,"kdc_req_body",ktest_make_sample_kdc_req_body); kdcrb.kdc_options &= ~KDC_OPT_ENC_TKT_IN_SKEY; current_appl_type = 1007; /* Force interpretation as kdc-req-body */ @@ -344,6 +366,8 @@ main(argc, argv) kdcrb.kdc_options &= ~KDC_OPT_ENC_TKT_IN_SKEY; current_appl_type = 1007; /* Force interpretation as kdc-req-body */ encode_run(kdcrb,kdc_req_body,"kdc_req_body","(optionals NULL except server)",encode_krb5_kdc_req_body); + + ktest_empty_kdc_req(&kdcrb); } /****************************************************************/ @@ -358,6 +382,8 @@ main(argc, argv) s.seq_number = 0; ktest_destroy_address(&(s.r_address)); encode_run(s,safe,"safe","(optionals NULL)",encode_krb5_safe); + + ktest_empty_safe(&s); } /****************************************************************/ @@ -366,6 +392,7 @@ main(argc, argv) krb5_priv p; setup(p,priv,"priv",ktest_make_sample_priv); encode_run(p,priv,"priv","",encode_krb5_priv); + ktest_empty_priv(&p); } /****************************************************************/ @@ -380,6 +407,8 @@ main(argc, argv) ep.seq_number = 0; ktest_destroy_address(&(ep.r_address)); encode_run(ep,enc_priv_part,"enc_priv_part","(optionals NULL)",encode_krb5_enc_priv_part); + + ktest_empty_priv_enc_part(&ep); } /****************************************************************/ @@ -388,6 +417,7 @@ main(argc, argv) krb5_cred c; setup(c,cred,"cred",ktest_make_sample_cred); encode_run(c,cred,"cred","",encode_krb5_cred); + ktest_empty_cred(&c); } /****************************************************************/ @@ -410,6 +440,8 @@ main(argc, argv) ktest_destroy_address(&(cep.s_address)); ktest_destroy_address(&(cep.r_address)); encode_run(cep,enc_cred_part,"enc_cred_part","(optionals NULL)",encode_krb5_enc_cred_part); + + ktest_empty_cred_enc_part(&cep); } /****************************************************************/ @@ -424,6 +456,8 @@ main(argc, argv) ktest_empty_data(&(kerr.text)); ktest_empty_data(&(kerr.e_data)); encode_run(kerr,error,"error","(optionals NULL)",encode_krb5_error); + + ktest_empty_error(&kerr); } /****************************************************************/ @@ -439,6 +473,8 @@ main(argc, argv) } current_appl_type = 1004; /* Force type to be authdata */ encoder_print_results(code, "authorization_data", ""); + + ktest_destroy_authorization_data(&ad); } /****************************************************************/ @@ -447,6 +483,7 @@ main(argc, argv) passwd_phrase_element ppe; setup(ppe,passwd_phrase_element,"PasswdSequence",ktest_make_sample_passwd_phrase_element); encode_run(ppe,passwd_phrase_element,"pwd_sequence","",encode_krb5_pwd_sequence); + ktest_empty_passwd_phrase_element(&ppe); } /****************************************************************/ @@ -455,6 +492,7 @@ main(argc, argv) krb5_pwd_data pd; setup(pd,krb5_pwd_data,"PasswdData",ktest_make_sample_krb5_pwd_data); encode_run(pd,krb5_pwd_data,"pwd_data","",encode_krb5_pwd_data); + ktest_empty_pwd_data(&pd); } /****************************************************************/ @@ -469,6 +507,8 @@ main(argc, argv) exit(1); } encoder_print_results(code, "padata_sequence", ""); + + ktest_destroy_pa_data_array(&pa); } /****************************************************************/ @@ -483,6 +523,8 @@ main(argc, argv) exit(1); } encoder_print_results(code, "padata_sequence(empty)", ""); + + ktest_destroy_pa_data_array(&pa); } /****************************************************************/ @@ -492,9 +534,12 @@ main(argc, argv) setup(am,krb5_alt_method,"AltMethod",ktest_make_sample_alt_method); encode_run(am,krb5_alt_method,"alt_method","",encode_krb5_alt_method); am.length = 0; + if (am.data) + free(am.data); am.data = 0; encode_run(am,krb5_alt_method,"alt_method (no data)","", encode_krb5_alt_method); + ktest_empty_alt_method(&am); } /****************************************************************/ @@ -529,7 +574,34 @@ main(argc, argv) } encoder_print_results(code, "etype_info (no info)", ""); - free(info); + ktest_destroy_etype_info(info); + } + + /* encode_etype_info 2*/ + { + krb5_etype_info_entry **info; + + setup(info,krb5_etype_info_entry **,"etype_info2", + ktest_make_sample_etype_info2); + retval = encode_krb5_etype_info2((const krb5_etype_info_entry **)info,&(code)); + if(retval) { + com_err("encoding etype_info",retval,""); + exit(1); + } + encoder_print_results(code, "etype_info2", ""); + ktest_destroy_etype_info_entry(info[2]); info[2] = 0; + ktest_destroy_etype_info_entry(info[1]); info[1] = 0; + + retval = encode_krb5_etype_info2((const krb5_etype_info_entry **)info,&(code)); + if(retval) { + com_err("encoding etype_info (only 1)",retval,""); + exit(1); + } + encoder_print_results(code, "etype_info2 (only 1)", ""); + + ktest_destroy_etype_info(info); +/* ktest_destroy_etype_info_entry(info[0]); info[0] = 0;*/ + } /****************************************************************/ @@ -549,6 +621,7 @@ main(argc, argv) setup(enc_data,krb5_enc_data,"enc_data",ktest_make_sample_enc_data); current_appl_type = 1001; encode_run(enc_data,krb5_enc_data,"enc_data","",encode_krb5_enc_data); + ktest_destroy_enc_data(&enc_data); } /****************************************************************/ /* encode_krb5_sam_challenge */ @@ -558,6 +631,7 @@ main(argc, argv) ktest_make_sample_sam_challenge); encode_run(sam_ch,krb5_sam_challenge,"sam_challenge","", encode_krb5_sam_challenge); + ktest_empty_sam_challenge(&sam_ch); } /****************************************************************/ /* encode_krb5_sam_response */ @@ -567,6 +641,7 @@ main(argc, argv) ktest_make_sample_sam_response); encode_run(sam_ch,krb5_sam_response,"sam_response","", encode_krb5_sam_response); + ktest_empty_sam_response(&sam_ch); } #if 0 /****************************************************************/ @@ -598,6 +673,7 @@ main(argc, argv) } #endif + krb5_free_context(test_context); exit(error_count); return(error_count); } diff --git a/src/tests/asn.1/ktest.c b/src/tests/asn.1/ktest.c index af02d1ad7..12ff8fb93 100644 --- a/src/tests/asn.1/ktest.c +++ b/src/tests/asn.1/ktest.c @@ -71,6 +71,7 @@ krb5_error_code ktest_make_sample_ticket(tkt) if(retval) return retval; retval = ktest_make_sample_enc_data(&(tkt->enc_part)); if(retval) return retval; + tkt->enc_part2 = NULL; return 0; } @@ -228,8 +229,6 @@ krb5_error_code ktest_make_sample_last_req(lr) *lr = (krb5_last_req_entry**)calloc(3,sizeof(krb5_last_req_entry*)); if(*lr == NULL) return ENOMEM; for(i=0; i<=1; i++){ - (*lr)[i] = (krb5_last_req_entry*)calloc(1,sizeof(krb5_last_req_entry)); - if((*lr)[i] == NULL) return ENOMEM; retval = ktest_make_sample_last_req_entry(&((*lr)[i])); if(retval) return retval; } @@ -628,7 +627,8 @@ krb5_error_code ktest_make_sample_alt_method(p) krb5_alt_method * p; { p->method = 42; - p->data = (krb5_octet *) "secret"; + p->data = (krb5_octet *) strdup("secret"); + if(p->data == NULL) return ENOMEM; p->length = strlen((char *) p->data); return 0; } @@ -656,6 +656,8 @@ krb5_error_code ktest_make_sample_etype_info(p) if (info[i]->salt == 0) goto memfail; strcpy((char *) info[i]->salt, buf); + info[i]->s2kparams.data = NULL; + info[i]->s2kparams.length = 0; info[i]->magic = KV5M_ETYPE_INFO_ENTRY; } free(info[1]->salt); @@ -668,6 +670,49 @@ memfail: return ENOMEM; } + +krb5_error_code ktest_make_sample_etype_info2(p) + krb5_etype_info_entry *** p; +{ + krb5_etype_info_entry **info; + int i; + char buf[80]; + + info = malloc(sizeof(krb5_etype_info_entry *) * 4); + if (!info) + return ENOMEM; + memset(info, 0, sizeof(krb5_etype_info_entry *) * 4); + + for (i=0; i < 3; i++) { + info[i] = malloc(sizeof(krb5_etype_info_entry)); + if (info[i] == 0) + goto memfail; + info[i]->etype = i; + sprintf(buf, "Morton's #%d", i); + info[i]->length = strlen(buf); + info[i]->salt = malloc((size_t) (info[i]->length+1)); + if (info[i]->salt == 0) + goto memfail; + strcpy((char *) info[i]->salt, buf); + sprintf(buf, "s2k: %d", i); + info[i]->s2kparams.data = malloc(strlen(buf)+1); + if (info[i]->s2kparams.data == NULL) + goto memfail; + strcpy( info[i]->s2kparams.data, buf); + info[i]->s2kparams.length = strlen(buf); + info[i]->magic = KV5M_ETYPE_INFO_ENTRY; + } + free(info[1]->salt); + info[1]->length = KRB5_ETYPE_NO_SALT; + info[1]->salt = 0; + *p = info; + return 0; +memfail: + ktest_destroy_etype_info(info); + return ENOMEM; +} + + krb5_error_code ktest_make_sample_pa_enc_ts(pa_enc) krb5_pa_enc_ts * pa_enc; { @@ -685,15 +730,19 @@ krb5_error_code ktest_make_sample_sam_challenge(p) p->magic = KV5M_SAM_CHALLENGE; p->sam_type = 42; /* information */ p->sam_flags = KRB5_SAM_USE_SAD_AS_KEY; /* KRB5_SAM_* values */ - p->sam_type_name.data = "type name"; + p->sam_type_name.data = strdup("type name"); + if (p->sam_type_name.data == NULL) return ENOMEM; p->sam_type_name.length = strlen(p->sam_type_name.data); p->sam_track_id.data = 0; p->sam_track_id.length = 0; - p->sam_challenge_label.data = "challenge label"; + p->sam_challenge_label.data = strdup("challenge label"); + if (p->sam_challenge_label.data == NULL) return ENOMEM; p->sam_challenge_label.length = strlen(p->sam_challenge_label.data); - p->sam_challenge.data = "challenge ipse"; + p->sam_challenge.data = strdup("challenge ipse"); + if (p->sam_challenge.data == NULL) return ENOMEM; p->sam_challenge.length = strlen(p->sam_challenge.data); - p->sam_response_prompt.data = "response_prompt ipse"; + p->sam_response_prompt.data = strdup("response_prompt ipse"); + if (p->sam_response_prompt.data == NULL) return ENOMEM; p->sam_response_prompt.length = strlen(p->sam_response_prompt.data); p->sam_pk_for_sad.data = 0; p->sam_pk_for_sad.length = 0; @@ -710,13 +759,16 @@ krb5_error_code ktest_make_sample_sam_response(p) p->magic = KV5M_SAM_RESPONSE; p->sam_type = 42; /* information */ p->sam_flags = KRB5_SAM_USE_SAD_AS_KEY; /* KRB5_SAM_* values */ - p->sam_track_id.data = "track data"; + p->sam_track_id.data = strdup("track data"); + if (p->sam_track_id.data == NULL) return ENOMEM; p->sam_track_id.length = strlen(p->sam_track_id.data); - p->sam_enc_key.ciphertext.data = "key"; + p->sam_enc_key.ciphertext.data = strdup("key"); + if (p->sam_enc_key.ciphertext.data == NULL) return ENOMEM; p->sam_enc_key.ciphertext.length = strlen(p->sam_enc_key.ciphertext.data); p->sam_enc_key.enctype = ENCTYPE_DES_CBC_CRC; p->sam_enc_key.kvno = 1942; - p->sam_enc_nonce_or_ts.ciphertext.data = "nonce or ts"; + p->sam_enc_nonce_or_ts.ciphertext.data = strdup("nonce or ts"); + if (p->sam_enc_nonce_or_ts.ciphertext.data == NULL) return ENOMEM; p->sam_enc_nonce_or_ts.ciphertext.length = strlen(p->sam_enc_nonce_or_ts.ciphertext.data); p->sam_enc_nonce_or_ts.enctype = ENCTYPE_DES_CBC_CRC; @@ -764,6 +816,17 @@ void ktest_destroy_checksum(cs) } } +void ktest_empty_keyblock(kb) + krb5_keyblock * kb; +{ + if (kb != NULL) { + if (kb->contents) { + free (kb->contents); + kb->contents = NULL; + } + } +} + void ktest_destroy_keyblock(kb) krb5_keyblock ** kb; { @@ -779,8 +842,10 @@ void ktest_empty_authorization_data(ad) { int i; - for(i=0; ad[i] != NULL; i++) - ktest_destroy_authdata(&(ad[i])); + if(*ad != NULL) { + for(i=0; ad[i] != NULL; i++) + ktest_destroy_authdata(&(ad[i])); + } } void ktest_destroy_authorization_data(ad) @@ -863,6 +928,8 @@ void ktest_destroy_principal(p) for(i=0; i<(*p)->length; i++) ktest_empty_data(&(((*p)->data)[i])); + ktest_empty_data(&((*p)->realm)); + free((*p)->data); free(*p); *p = NULL; } @@ -899,10 +966,22 @@ void ktest_destroy_ticket(tkt) { ktest_destroy_principal(&((*tkt)->server)); ktest_destroy_enc_data(&((*tkt)->enc_part)); + /* ktest_empty_enc_tkt_part(((*tkt)->enc_part2));*/ free(*tkt); *tkt = NULL; } +void ktest_empty_ticket(tkt) + krb5_ticket * tkt; +{ + if(tkt->server) + ktest_destroy_principal(&((tkt)->server)); + ktest_destroy_enc_data(&((tkt)->enc_part)); + if (tkt->enc_part2) { + ktest_destroy_enc_tkt_part(&(tkt->enc_part2)); + } +} + void ktest_destroy_enc_data(ed) krb5_enc_data * ed; { @@ -915,6 +994,7 @@ void ktest_destroy_etype_info_entry(i) { if (i->salt) free(i->salt); + ktest_empty_data(&(i->s2kparams)); free(i); } @@ -929,3 +1009,283 @@ void ktest_destroy_etype_info(info) } +void ktest_empty_kdc_req(kr) + krb5_kdc_req *kr; +{ + if (kr->padata) + ktest_destroy_pa_data_array(&(kr->padata)); + + if (kr->client) + ktest_destroy_principal(&(kr->client)); + + if (kr->server) + ktest_destroy_principal(&(kr->server)); + if (kr->ktype) + free(kr->ktype); + if (kr->addresses) + ktest_destroy_addresses(&(kr->addresses)); + ktest_destroy_enc_data(&(kr->authorization_data)); + if (kr->unenc_authdata) + ktest_destroy_authorization_data(&(kr->unenc_authdata)); + if (kr->second_ticket) + ktest_destroy_sequence_of_ticket(&(kr->second_ticket)); + +} + +void ktest_empty_kdc_rep(kr) + krb5_kdc_rep *kr; +{ + if (kr->padata) + ktest_destroy_pa_data_array(&(kr->padata)); + + if (kr->client) + ktest_destroy_principal(&(kr->client)); + + if (kr->ticket) + ktest_destroy_ticket(&(kr->ticket)); + + ktest_destroy_enc_data(&kr->enc_part); + + if (kr->enc_part2) { + ktest_empty_enc_kdc_rep_part(kr->enc_part2); + free(kr->enc_part2); + kr->enc_part2 = NULL; + } +} + + +void ktest_empty_authenticator(a) + krb5_authenticator * a; +{ + + if(a->client) + ktest_destroy_principal(&(a->client)); + if(a->checksum) + ktest_destroy_checksum(&(a->checksum)); + if(a->subkey) + ktest_destroy_keyblock(&(a->subkey)); + if(a->authorization_data) + ktest_destroy_authorization_data(&(a->authorization_data)); +} + +void ktest_empty_enc_tkt_part(etp) + krb5_enc_tkt_part * etp; +{ + + if(etp->session) + ktest_destroy_keyblock(&(etp->session)); + if(etp->client) + ktest_destroy_principal(&(etp->client)); + if (etp->caddrs) + ktest_destroy_addresses(&(etp->caddrs)); + if(etp->authorization_data) + ktest_destroy_authorization_data(&(etp->authorization_data)); + ktest_destroy_transited(&(etp->transited)); +} + +void ktest_destroy_enc_tkt_part(etp) + krb5_enc_tkt_part ** etp; +{ + if(*etp) { + ktest_empty_enc_tkt_part(*etp); + free(*etp); + *etp = NULL; + } +} + +void ktest_empty_enc_kdc_rep_part(ekr) + krb5_enc_kdc_rep_part * ekr; +{ + + if(ekr->session) + ktest_destroy_keyblock(&(ekr->session)); + + if(ekr->server) + ktest_destroy_principal(&(ekr->server)); + + if (ekr->caddrs) + ktest_destroy_addresses(&(ekr->caddrs)); + ktest_destroy_last_req(&(ekr->last_req)); +} + + +void ktest_destroy_transited(t) + krb5_transited * t; +{ + if(t->tr_contents.data) + ktest_empty_data(&(t->tr_contents)); +} + + +void ktest_empty_ap_rep(ar) + krb5_ap_rep * ar; +{ + ktest_destroy_enc_data(&ar->enc_part); +} + +void ktest_empty_ap_req(ar) + krb5_ap_req * ar; +{ + + if(ar->ticket) + ktest_destroy_ticket(&(ar->ticket)); + ktest_destroy_enc_data(&(ar->authenticator)); +} + +void ktest_empty_cred_enc_part(cep) + krb5_cred_enc_part * cep; +{ + if (cep->s_address) + ktest_destroy_address(&(cep->s_address)); + if (cep->r_address) + ktest_destroy_address(&(cep->r_address)); + if (cep->ticket_info) + ktest_destroy_sequence_of_cred_info(&(cep->ticket_info)); +} + +void ktest_destroy_cred_info(ci) + krb5_cred_info ** ci; +{ + if((*ci)->session) + ktest_destroy_keyblock(&((*ci)->session)); + if((*ci)->client) + ktest_destroy_principal(&((*ci)->client)); + if((*ci)->server) + ktest_destroy_principal(&((*ci)->server)); + if ((*ci)->caddrs) + ktest_destroy_addresses(&((*ci)->caddrs)); + free(*ci); + *ci = NULL; +} + +void ktest_destroy_sequence_of_cred_info(soci) + krb5_cred_info *** soci; +{ + int i; + + for(i=0; (*soci)[i] != NULL; i++) + ktest_destroy_cred_info(&((*soci)[i])); + free(*soci); + *soci = NULL; +} + + +void ktest_empty_safe(s) + krb5_safe * s; +{ + ktest_empty_data(&(s->user_data)); + ktest_destroy_address(&(s->s_address)); + ktest_destroy_address(&(s->r_address)); + ktest_destroy_checksum(&(s->checksum)); +} + +void ktest_empty_priv_enc_part(pep) + krb5_priv_enc_part * pep; +{ + ktest_empty_data(&(pep->user_data)); + ktest_destroy_address(&(pep->s_address)); + ktest_destroy_address(&(pep->r_address)); +} + +void ktest_empty_priv(p) + krb5_priv * p; +{ + ktest_destroy_enc_data(&(p->enc_part)); +} + +void ktest_empty_cred(c) + krb5_cred * c; +{ + + ktest_destroy_sequence_of_ticket(&(c->tickets)); + ktest_destroy_enc_data(&(c->enc_part)); + /* enc_part2 */ + +} + +void ktest_destroy_last_req(lr) + krb5_last_req_entry *** lr; +{ + int i; + + if(*lr) { + for(i=0; (*lr)[i] != NULL; i++) { + free((*lr)[i]); + } + free(*lr); + } +} + +void ktest_empty_error(kerr) + krb5_error * kerr; +{ + if(kerr->client) + ktest_destroy_principal(&(kerr->client)); + if(kerr->server) + ktest_destroy_principal(&(kerr->server)); + ktest_empty_data(&(kerr->text)); + ktest_empty_data(&(kerr->e_data)); +} + +void ktest_empty_ap_rep_enc_part(arep) + krb5_ap_rep_enc_part * arep; +{ + ktest_destroy_keyblock(&((arep)->subkey)); +} + +void ktest_empty_passwd_phrase_element(ppe) + passwd_phrase_element * ppe; +{ + ktest_destroy_data(&(ppe->passwd)); + ktest_destroy_data(&(ppe->phrase)); +} + +void ktest_empty_pwd_data(pd) + krb5_pwd_data * pd; +{ + int i; + + for(i=0; i <= pd->sequence_count; i++){ + if(pd->element[i]) { + ktest_empty_passwd_phrase_element(pd->element[i]); + free(pd->element[i]); + pd->element[i] = NULL; + } + } + free(pd->element); + +} + +void ktest_empty_alt_method(am) + krb5_alt_method *am; +{ + if (am->data) { + free(am->data); + am->data = NULL; + } +} + +void ktest_empty_sam_challenge(p) + krb5_sam_challenge * p; +{ + ktest_empty_data(&(p->sam_type_name)); + ktest_empty_data(&(p->sam_track_id)); + ktest_empty_data(&(p->sam_challenge_label)); + ktest_empty_data(&(p->sam_challenge)); + ktest_empty_data(&(p->sam_response_prompt)); + ktest_empty_data(&(p->sam_pk_for_sad)); + + if(p->sam_cksum.contents != NULL) { + free(p->sam_cksum.contents); + p->sam_cksum.contents = NULL; + } + +} + +void ktest_empty_sam_response(p) + krb5_sam_response * p; +{ + ktest_empty_data(&(p->sam_track_id)); + ktest_empty_data(&(p->sam_enc_key.ciphertext)); + ktest_empty_data(&(p->sam_enc_nonce_or_ts.ciphertext)); +} diff --git a/src/tests/asn.1/ktest.h b/src/tests/asn.1/ktest.h index 59e87047c..915f36a00 100644 --- a/src/tests/asn.1/ktest.h +++ b/src/tests/asn.1/ktest.h @@ -89,6 +89,8 @@ krb5_error_code ktest_make_sample_alt_method krb5_error_code ktest_make_sample_etype_info (krb5_etype_info_entry *** p); +krb5_error_code ktest_make_sample_etype_info2 + (krb5_etype_info_entry *** p); krb5_error_code ktest_make_sample_pa_enc_ts (krb5_pa_enc_ts *am); krb5_error_code ktest_make_sample_sam_challenge @@ -125,6 +127,8 @@ void ktest_destroy_principal (krb5_principal *p); void ktest_destroy_checksum (krb5_checksum **cs); +void ktest_empty_keyblock + (krb5_keyblock *kb); void ktest_destroy_keyblock (krb5_keyblock **kb); void ktest_destroy_authdata @@ -135,14 +139,65 @@ void ktest_destroy_sequence_of_ticket (krb5_ticket ***sot); void ktest_destroy_ticket (krb5_ticket **tkt); +void ktest_empty_ticket + (krb5_ticket *tkt); void ktest_destroy_enc_data (krb5_enc_data *ed); - +void ktest_empty_error + (krb5_error * kerr); void ktest_destroy_etype_info_entry (krb5_etype_info_entry *i); void ktest_destroy_etype_info (krb5_etype_info_entry **info); +void ktest_empty_kdc_req + (krb5_kdc_req *kr); +void ktest_empty_kdc_rep + (krb5_kdc_rep *kr); + +void ktest_empty_authenticator + (krb5_authenticator *a); +void ktest_empty_enc_tkt_part + (krb5_enc_tkt_part * etp); +void ktest_destroy_enc_tkt_part + (krb5_enc_tkt_part ** etp); +void ktest_empty_enc_kdc_rep_part + (krb5_enc_kdc_rep_part * ekr); +void ktest_destroy_transited + (krb5_transited * t); +void ktest_empty_ap_rep + (krb5_ap_rep * ar); +void ktest_empty_ap_req + (krb5_ap_req * ar); +void ktest_empty_cred_enc_part + (krb5_cred_enc_part * cep); +void ktest_destroy_cred_info + (krb5_cred_info ** ci); +void ktest_destroy_sequence_of_cred_info + (krb5_cred_info *** soci); +void ktest_empty_safe + (krb5_safe * s); +void ktest_empty_priv + (krb5_priv * p); +void ktest_empty_priv_enc_part + (krb5_priv_enc_part * pep); +void ktest_empty_cred + (krb5_cred * c); +void ktest_destroy_last_req + (krb5_last_req_entry *** lr); +void ktest_empty_ap_rep_enc_part + (krb5_ap_rep_enc_part * arep); +void ktest_empty_passwd_phrase_element + (passwd_phrase_element * ppe); +void ktest_empty_pwd_data + (krb5_pwd_data * pd); +void ktest_empty_alt_method + (krb5_alt_method *am); +void ktest_empty_sam_challenge + (krb5_sam_challenge * p); +void ktest_empty_sam_response + (krb5_sam_response * p); + extern krb5_context test_context; extern char *sample_principal_name; diff --git a/src/tests/asn.1/reference_encode.out b/src/tests/asn.1/reference_encode.out index 0dbfc8d77..0d449d232 100644 --- a/src/tests/asn.1/reference_encode.out +++ b/src/tests/asn.1/reference_encode.out @@ -44,6 +44,8 @@ encode_krb5_alt_method (no data): 30 05 A0 03 02 01 2A encode_krb5_etype_info: 30 33 30 14 A0 03 02 01 00 A1 0D 04 0B 4D 6F 72 74 6F 6E 27 73 20 23 30 30 05 A0 03 02 01 01 30 14 A0 03 02 01 02 A1 0D 04 0B 4D 6F 72 74 6F 6E 27 73 20 23 32 encode_krb5_etype_info (only 1): 30 16 30 14 A0 03 02 01 00 A1 0D 04 0B 4D 6F 72 74 6F 6E 27 73 20 23 30 encode_krb5_etype_info (no info): 30 00 +encode_krb5_etype_info2: 30 51 30 1E A0 03 02 01 00 A1 0D 04 0B 4D 6F 72 74 6F 6E 27 73 20 23 30 A2 08 04 06 73 32 6B 3A 20 30 30 0F A0 03 02 01 01 A2 08 04 06 73 32 6B 3A 20 31 30 1E A0 03 02 01 02 A1 0D 04 0B 4D 6F 72 74 6F 6E 27 73 20 23 32 A2 08 04 06 73 32 6B 3A 20 32 +encode_krb5_etype_info2 (only 1): 30 20 30 1E A0 03 02 01 00 A1 0D 04 0B 4D 6F 72 74 6F 6E 27 73 20 23 30 A2 08 04 06 73 32 6B 3A 20 30 encode_krb5_pa_enc_ts: 30 1A A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40 encode_krb5_pa_enc_ts (no usec): 30 13 A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A encode_krb5_enc_data: 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 diff --git a/src/tests/asn.1/trval_reference.out b/src/tests/asn.1/trval_reference.out index 2287d5fac..4422ad4cb 100644 --- a/src/tests/asn.1/trval_reference.out +++ b/src/tests/asn.1/trval_reference.out @@ -1124,6 +1124,29 @@ encode_krb5_etype_info (no info): [Sequence/Sequence Of] +encode_krb5_etype_info2: + +[Sequence/Sequence Of] +. [Sequence/Sequence Of] +. . [0] [Integer] 0 +. . [1] [Octet String] "Morton's #0" +. . [2] [Octet String] "s2k: 0" +. [Sequence/Sequence Of] +. . [0] [Integer] 1 +. . [2] [Octet String] "s2k: 1" +. [Sequence/Sequence Of] +. . [0] [Integer] 2 +. . [1] [Octet String] "Morton's #2" +. . [2] [Octet String] "s2k: 2" + +encode_krb5_etype_info2 (only 1): + +[Sequence/Sequence Of] +. [Sequence/Sequence Of] +. . [0] [Integer] 0 +. . [1] [Octet String] "Morton's #0" +. . [2] [Octet String] "s2k: 0" + encode_krb5_pa_enc_ts: [Sequence/Sequence Of] diff --git a/src/tests/asn.1/utility.c b/src/tests/asn.1/utility.c index 07addc4a1..76fa79ef8 100644 --- a/src/tests/asn.1/utility.c +++ b/src/tests/asn.1/utility.c @@ -86,6 +86,8 @@ krb5_error_code krb5_data_hex_parse(d, s) } d->data[i] = (char)digit; } + if (copy) + free(copy); return 0; } diff --git a/src/tests/dejagnu/config/ChangeLog b/src/tests/dejagnu/config/ChangeLog index 7d8589b47..a347d22bb 100644 --- a/src/tests/dejagnu/config/ChangeLog +++ b/src/tests/dejagnu/config/ChangeLog @@ -1,3 +1,18 @@ +2003-04-18 Ken Raeburn + + * default.exp: Add passes for testing AES. + (start_kerberos_daemons): Add a small delay between starting the + "tail -f" processes and appending the markers to their files. + (spawn_xterm): Add RLOGIN, RLOGIND, FTP, and FTPD to the list of + variables to export to the environment. Check that variables are + defined before exporting them. + +2003-03-26 Tom Yu + + * default.exp (v4kinit): Expect failure when kiniting to a des3 + TGT, due to fix for MITKRB5-SA-2003-004. + (setup_kadmind_srvtab): Remove. It's not needed anymore. + 2003-02-04 Tom Yu * default.exp (start_kerberos_daemons): Use correct argument to diff --git a/src/tests/dejagnu/config/default.exp b/src/tests/dejagnu/config/default.exp index f025eb763..bee08ed48 100644 --- a/src/tests/dejagnu/config/default.exp +++ b/src/tests/dejagnu/config/default.exp @@ -85,6 +85,39 @@ set passes { {kdc_supported_enctypes=des3-cbc-sha1:normal des-cbc-crc:normal} {dummy=[verbose -log "DES3 TGT, DES3 + DES enctypes"]} } + { + aes + des3_krbtgt=0 + {supported_enctypes=aes256-cts-hmac-sha1-96:normal des-cbc-crc:normal} + {kdc_supported_enctypes=aes256-cts-hmac-sha1-96:normal des-cbc-crc:normal} + {permitted_enctypes(kdc)=aes256-cts-hmac-sha1-96 des-cbc-crc} + {permitted_enctypes(client)=aes256-cts-hmac-sha1-96 des-cbc-crc} + {permitted_enctypes(server)=aes256-cts-hmac-sha1-96 des-cbc-crc} + {master_key_type=aes256-cts-hmac-sha1-96} + {dummy=[verbose -log "AES + DES enctypes"]} + } + { + aes-des3 + des3_krbtgt=0 + {supported_enctypes=aes256-cts-hmac-sha1-96:normal des3-cbc-sha1:normal des-cbc-crc:normal} + {kdc_supported_enctypes=aes256-cts-hmac-sha1-96:normal des3-cbc-sha1:normal des-cbc-crc:normal} + {permitted_enctypes(kdc)=aes256-cts-hmac-sha1-96 des3-cbc-sha1 des-cbc-crc} + {permitted_enctypes(client)=aes256-cts-hmac-sha1-96 des3-cbc-sha1 des-cbc-crc} + {permitted_enctypes(server)=aes256-cts-hmac-sha1-96 des3-cbc-sha1 des-cbc-crc} + {master_key_type=aes256-cts-hmac-sha1-96} + {dummy=[verbose -log "AES + DES enctypes"]} + } + { + des3-aes + des3_krbtgt=1 + {supported_enctypes=aes256-cts-hmac-sha1-96:normal des3-cbc-sha1:normal des-cbc-crc:normal} + {kdc_supported_enctypes=aes256-cts-hmac-sha1-96:normal des3-cbc-sha1:normal des-cbc-crc:normal} + {permitted_enctypes(kdc)=aes256-cts-hmac-sha1-96 des3-cbc-sha1 des-cbc-crc} + {permitted_enctypes(client)=aes256-cts-hmac-sha1-96 des3-cbc-sha1 des-cbc-crc} + {permitted_enctypes(server)=aes256-cts-hmac-sha1-96 des3-cbc-sha1 des-cbc-crc} + {master_key_type=aes256-cts-hmac-sha1-96} + {dummy=[verbose -log "AES + DES enctypes, DES3 TGT"]} + } { des-v4 des3_krbtgt=0 @@ -203,31 +236,30 @@ set unused_passes { all-enctypes des3_krbtgt=1 {supported_enctypes=\ - rijndael256-hmac-sha1:normal rijndael192-hmac-sha1:normal rijndael128-hmac-sha1:normal \ - serpent256-hmac-sha1:normal serpent192-hmac-sha1:norealm serpent128-hmac-sha1:normal \ - twofish256-hmac-sha1:normal twofish192-hmac-sha1:norealm twofish128-hmac-sha1:normal \ + aes256-cts-hmac-sha1-96:normal aes256-cts-hmac-sha1-96:norealm \ + aes128-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:norealm \ des3-cbc-sha1:normal des3-cbc-sha1:none \ des-cbc-md5:normal des-cbc-md4:normal des-cbc-crc:normal \ des-cbc-md5:v4 des-cbc-md4:v4 des-cbc-crc:v4 \ } {kdc_supported_enctypes=\ - rijndael256-hmac-sha1:normal rijndael192-hmac-sha1:normal rijndael128-hmac-sha1:normal \ - serpent256-hmac-sha1:normal serpent192-hmac-sha1:norealm serpent128-hmac-sha1:normal \ - twofish256-hmac-sha1:normal twofish192-hmac-sha1:norealm twofish128-hmac-sha1:normal \ des3-cbc-sha1:normal des3-cbc-sha1:none \ des-cbc-md5:normal des-cbc-md4:normal des-cbc-crc:normal \ des-cbc-md5:v4 des-cbc-md4:v4 des-cbc-crc:v4 \ } {dummy=[verbose -log "DES3 TGT, default enctypes"]} } + # This won't work for anything using GSSAPI until it gets AES support. { - aes + aes-only des3_krbtgt=0 - {supported_enctypes=des-cbc-md5:normal des-cbc-crc:normal twofish256-hmac-sha1:normal} - {kdc_supported_enctypes=des-cbc-md5:normal des-cbc-crc:normal twofish256-hmac-sha1:normal} - {default_tgs_enctypes=rijndael256-hmac-sha1 des-cbc-crc} - {default_tkt_enctypes=rijndael256-hmac-sha1 des-cbc-crc} - {dummy=[verbose -log "DES3 TGT, default enctypes"]} + {supported_enctypes=aes256-cts-hmac-sha1-96:normal} + {kdc_supported_enctypes=aes256-cts-hmac-sha1-96:normal} + {permitted_enctypes(kdc)=aes256-cts-hmac-sha1-96} + {permitted_enctypes(client)=aes256-cts-hmac-sha1-96} + {permitted_enctypes(server)=aes256-cts-hmac-sha1-96} + {master_key_type=aes256-cts-hmac-sha1-96} + {dummy=[verbose -log "AES only, no DES or DES3 support"]} } } # {supported_enctypes=des-cbc-md5:normal des-cbc-crc:normal twofish256-hmac-sha1:normal } @@ -692,7 +724,6 @@ proc setup_kerberos_files { } { puts $conffile " database_name = $tmppwd/db" puts $conffile " admin_database_name = $tmppwd/adb" puts $conffile " admin_database_lockfile = $tmppwd/adb.lock" - puts $conffile " admin_keytab = $tmppwd/admin-keytab" puts $conffile " key_stash_file = $tmppwd/stash" puts $conffile " acl_file = $tmppwd/acl" puts $conffile " kadmind_port = 3750" @@ -938,83 +969,6 @@ proc restore_kerberos_env { } { } -# setup_kadmind_srvtab -# A procedure to build the srvtab for kadmind5 so that kadmin5 and it -# may successfully communicate. -# Returns 1 on success, 0 on failure. -proc setup_kadmind_srvtab { } { - global REALMNAME - global KADMIN_LOCAL - global KEY - global tmppwd - - catch "exec rm -f $tmppwd/admin-keytab" - envstack_push - setup_kerberos_env kdc - spawn $KADMIN_LOCAL -r $REALMNAME - envstack_pop - catch expect_after - expect_after { - -re "(.*)\r\nkadmin.local: " { - fail "kadmin.local admin-keytab (unmatched output: $expect_out(1,string)" - catch "exec rm -f $tmppwd/admin-keytab" - catch "expect_after" - return 0 - } - timeout { - fail "kadmin.local admin-keytab (timeout)" - catch "exec rm -f $tmppwd/admin-keytab" - catch "expect_after" - return 0 - } - eof { - fail "kadmin.local admin-keytab (eof)" - catch "exec rm -f $tmppwd/admin-keytab" - catch "expect_after" - return 0 - } - } - expect "kadmin.local: " - send "xst -k admin-new-srvtab kadmin/admin\r" - expect "xst -k admin-new-srvtab kadmin/admin\r\n" - expect -re ".*Entry for principal kadmin/admin.* added to keytab WRFILE:admin-new-srvtab." - expect "kadmin.local: " - - catch "exec mv -f admin-new-srvtab changepw-new-srvtab" exec_output - if ![string match "" $exec_output] { - verbose -log "$exec_output" - perror "can't mv admin-new-srvtab" - catch expect_after - return 0 - } - - send "xst -k changepw-new-srvtab kadmin/changepw\r" - expect "xst -k changepw-new-srvtab kadmin/changepw\r\n" - expect -re ".*Entry for principal kadmin/changepw.* added to keytab WRFILE:changepw-new-srvtab." - expect "kadmin.local: " - send "quit\r" - expect eof - catch expect_after - if ![check_exit_status "kadmin.local admin-keytab"] { - catch "exec rm -f $tmppwd/admin-keytab" - perror "kadmin.local admin-keytab exited abnormally" - return 0 - } - - catch "exec mv -f changepw-new-srvtab $tmppwd/admin-keytab" exec_output - if ![string match "" $exec_output] { - verbose -log "$exec_output" - perror "can't mv new admin-keytab" - return 0 - } - - # Make the srvtab file globally readable in case we are using a - # root shell and the srvtab is NFS mounted. - catch "exec chmod a+r $tmppwd/admin-keytab" - - return 1 -} - # setup_kerberos_db # Initialize the Kerberos database. If the argument is non-zero, call # pass at relevant points. Returns 1 on success, 0 on failure. @@ -1270,12 +1224,7 @@ proc setup_kerberos_db { standalone } { } } } - # XXX should deal with envstack inside setup_kadmind_srvtab too - set ret [setup_kadmind_srvtab] envstack_pop - if !$ret { - return 0 - } # create the admin database lock file catch "exec touch $tmppwd/adb.lock" @@ -1336,6 +1285,7 @@ proc start_kerberos_daemons { standalone } { set tailf_pid [exp_pid] set markstr "===MARK $tailf_pid [exec date] ===" + sleep 2 set f [open $kdc_lfile a] puts $f $markstr close $f @@ -1413,6 +1363,7 @@ proc start_kerberos_daemons { standalone } { set tailf_pid [exp_pid] set markstr "===MARK $tailf_pid [exec date] ===" + sleep 2 set f [open $kadmind_lfile a] puts $f $markstr close $f @@ -2029,6 +1980,7 @@ proc v4kinit { name pass standalone } { global REALMNAME global KINIT global spawn_id + global des3_krbtgt # Use kinit to get a ticket. # @@ -2052,10 +2004,20 @@ proc v4kinit { name pass standalone } { } send "$pass\r" expect eof - if ![check_exit_status kinit] { - return 0 + if {$des3_krbtgt == 0} { + if ![check_exit_status v4kinit] { + return 0 + } + } else { + # Fail if kinit is successful with a des3 TGT. + set status_list [wait -i $spawn_id] + set testname v4kinit + verbose "wait -i $spawn_id returned $status_list ($testname)" + if { [lindex $status_list 2] != 0 || [lindex $status_list 3] != 1 } { + verbose -log "exit status: $status_list" + fail "$testname (exit status)" + } } - if {$standalone} { pass "v4kinit" } @@ -2501,9 +2463,9 @@ proc krb_exit { } { # helpful sometimes for debugging the test suite proc spawn_xterm { } { global env - foreach i {KDB5_UTIL KRB5KDC KADMIND KADMIN KADMIN_LOCAL KINIT KTUTIL KLIST} { + foreach i {KDB5_UTIL KRB5KDC KADMIND KADMIN KADMIN_LOCAL KINIT KTUTIL KLIST RLOGIN RLOGIND FTP FTPD} { global $i - set env($i) [set $i] + if [info exists $i] { set env($i) [set $i] } } exec "xterm" } diff --git a/src/tests/dejagnu/krb-standalone/ChangeLog b/src/tests/dejagnu/krb-standalone/ChangeLog index fe3f185a6..01f490230 100644 --- a/src/tests/dejagnu/krb-standalone/ChangeLog +++ b/src/tests/dejagnu/krb-standalone/ChangeLog @@ -1,3 +1,12 @@ +2003-03-26 Tom Yu + + * v4gssftp.exp (v4ftp_test): Return early if $des3_krbtgt set. + + * v4krb524d.exp (doit): Return early if $des3_krbtgt set. + + * v4standalone.exp (check_and_destroy_v4_tix): Return early if + $des3_krbtgt set. + 2003-01-01 Ezra Peisach * standalone.exp: Only run the keytab to srvtab tests if kerberos 4 diff --git a/src/tests/dejagnu/krb-standalone/v4gssftp.exp b/src/tests/dejagnu/krb-standalone/v4gssftp.exp index c0b95d0ae..c4d5fd35c 100644 --- a/src/tests/dejagnu/krb-standalone/v4gssftp.exp +++ b/src/tests/dejagnu/krb-standalone/v4gssftp.exp @@ -179,7 +179,11 @@ proc v4ftp_test { } { global tmppwd global ftp_save_ktname global ftp_save_ccname + global des3_krbtgt + if {$des3_krbtgt} { + return + } # Start up the kerberos and kadmind daemons and get a srvtab and a # ticket file. if {![start_kerberos_daemons 0] \ diff --git a/src/tests/dejagnu/krb-standalone/v4krb524d.exp b/src/tests/dejagnu/krb-standalone/v4krb524d.exp index 5506a06b7..6e922c7e1 100644 --- a/src/tests/dejagnu/krb-standalone/v4krb524d.exp +++ b/src/tests/dejagnu/krb-standalone/v4krb524d.exp @@ -78,7 +78,11 @@ proc doit { } { global KDESTROY global tmppwd global REALMNAME + global des3_krbtgt + if {$des3_krbtgt} { + return + } # Start up the kerberos and kadmind daemons. if ![start_kerberos_daemons 1] { return diff --git a/src/tests/dejagnu/krb-standalone/v4standalone.exp b/src/tests/dejagnu/krb-standalone/v4standalone.exp index 62db0a794..cc42e8dab 100644 --- a/src/tests/dejagnu/krb-standalone/v4standalone.exp +++ b/src/tests/dejagnu/krb-standalone/v4standalone.exp @@ -26,7 +26,12 @@ if ![setup_kerberos_db 1] { proc check_and_destroy_v4_tix { client server } { global REALMNAME + global des3_krbtgt + # Skip this if we're using a des3 TGT, since that's supposed to fail. + if {$des3_krbtgt} { + return + } # Make sure that klist can see the ticket. if ![v4klist "$client" "$server" "v4klist"] { return diff --git a/src/util/ChangeLog b/src/util/ChangeLog index 926b6c46d..40b2a9174 100644 --- a/src/util/ChangeLog +++ b/src/util/ChangeLog @@ -1,3 +1,17 @@ +2003-04-24 Ken Raeburn + + * reconf: Restore support for 2.52; reject older versions. + +2003-04-23 Ken Raeburn + + * reconf: Drop support for 2.52 and earlier. + +2003-04-10 Tom Yu + + * reconf: Warn if autoconf-2.52 is used, as it generates buggy + configure scripts that don't work with BSD /bin/sh, and don't + comply with POSIX.2 (no conditions inside "case" statement). + 2003-02-05 Tom Yu * mkrel: Exclude .rconf files. diff --git a/src/util/db2/ChangeLog b/src/util/db2/ChangeLog index acac38ef1..7c9d1dfa9 100644 --- a/src/util/db2/ChangeLog +++ b/src/util/db2/ChangeLog @@ -1,3 +1,8 @@ +2003-04-01 Tom Yu + + * Makefile.in (install-unix): Delete install-libs. We don't want + to install our in-tree libdb. + 2003-01-10 Ken Raeburn * configure.in: Don't explicitly invoke AC_PROG_INSTALL. diff --git a/src/util/db2/Makefile.in b/src/util/db2/Makefile.in index 0d4634ff0..6ca755097 100644 --- a/src/util/db2/Makefile.in +++ b/src/util/db2/Makefile.in @@ -17,7 +17,6 @@ HDRS = $(HDRDIR)/db.h $(HDRDIR)/db-config.h $(HDRDIR)/db-ndbm.h all-unix:: all-liblinks includes clean-unix:: clean-liblinks clean-libs clean-includes -install-unix:: install-libs includes:: $(HDRS) diff --git a/src/util/db2/test/Makefile b/src/util/db2/test/Makefile deleted file mode 100644 index 6685decb5..000000000 --- a/src/util/db2/test/Makefile +++ /dev/null @@ -1,652 +0,0 @@ -############################################################ -## config/pre.in -## common prefix for all Makefile.in in the Kerberos V5 tree. -## - -WHAT = unix -SHELL=/bin/sh - -all:: all-$(WHAT) - -clean:: clean-$(WHAT) - -distclean:: distclean-$(WHAT) - -install:: install-$(WHAT) - -check:: check-$(WHAT) - -install-headers:: install-headers-$(WHAT) - -############################## -# Recursion rule support -# - -# The commands for the recursion targets live in config/post.in. -# -# General form of recursion rules: -# -# Each recursive target foo-unix has related targets: foo-prerecurse, -# foo-recurse, and foo-postrecurse -# -# The foo-recurse rule is in post.in. It is what actually recursively -# calls make. -# -# foo-recurse depends on foo-prerecurse, so any targets that must be -# built before descending into subdirectories must be dependencies of -# foo-prerecurse. -# -# foo-postrecurse depends on foo-recurse, but targets that must be -# built after descending into subdirectories should be have -# foo-recurse as dependencies in addition to being listed under -# foo-postrecurse, to avoid ordering issues. -# -# The foo-prerecurse, foo-recurse, and foo-postrecurse rules are all -# single-colon rules, to avoid nasty ordering problems with -# double-colon rules. -# -# e.g. -# all:: includes foo -# foo: -# echo foo -# includes:: -# echo bar -# includes:: -# echo baz -# -# will result in "bar", "foo", "baz" on AIX, and possibly others. -all-unix:: all-postrecurse -all-postrecurse: all-recurse -all-recurse: all-prerecurse - -all-prerecurse: -all-postrecurse: - -clean-unix:: clean-postrecurse -clean-postrecurse: clean-recurse -clean-recurse: clean-prerecurse - -clean-prerecurse: -clean-postrecurse: - -distclean-unix: distclean-postrecurse -distclean-postrecurse: distclean-recurse -distclean-recurse: distclean-prerecurse - -distclean-prerecurse: -distclean-postrecurse: - -install-unix:: install-postrecurse -install-postrecurse: install-recurse -install-recurse: install-prerecurse - -install-prerecurse: -install-postrecurse: - -install-headers-unix:: install-headers-postrecurse -install-headers-postrecurse: install-headers-recurse -install-headers-recurse: install-headers-prerecurse - -install-headers-prerecurse: -install-headers-postrecurse: - -check-unix:: check-postrecurse -check-postrecurse: check-recurse -check-recurse: check-prerecurse - -check-prerecurse: -check-postrecurse: - -Makefiles: Makefiles-postrecurse -Makefiles-postrecurse: Makefiles-recurse -Makefiles-recurse: Makefiles-prerecurse - -Makefiles-prerecurse: -Makefiles-postrecurse: - -# -# end recursion rule support -############################## - -# Directory syntax: -# -# begin relative path -REL= -# this is magic... should only be used for preceding a program invocation -C=./ -# "/" for UNIX, "\" for Windows; *sigh* -S=/ - -SUBDIRS = $(LOCAL_SUBDIRS) -srcdir = . -SRCTOP = ./$(BUILDTOP) - -CONFIG_RELTOPDIR = ../.. - -ALL_CFLAGS = $(DEFS) $(DEFINES) $(LOCALINCLUDES) $(CPPFLAGS) $(CFLAGS) -CFLAGS = -g -CPPFLAGS = -I$(BUILDTOP)/include -I$(SRCTOP)/include -I$(BUILDTOP)/include/krb5 -I$(SRCTOP)/include/krb5 -I/usr/athena/include -DKRB5_KRB4_COMPAT -DKRB5_PRIVATE=1 -DEFS = -DHAVE_CONFIG_H -CC = /usr/gcc/bin/gcc -LD = $(PURE) /usr/gcc/bin/gcc -DEPLIBS = @DEPLIBS@ -LDFLAGS = -L/usr/athena/lib -LD_UNRESOLVED_PREFIX = @LD_UNRESOLVED_PREFIX@ -LD_SHLIBDIR_PREFIX = @LD_SHLIBDIR_PREFIX@ -LDARGS = @LDARGS@ -LIBS = -lsocket -lnsl -lresolv -SRVLIBS = @SRVLIBS@ -SRVDEPLIBS = @SRVDEPLIBS@ -CLNTLIBS = @CLNTLIBS@ -CLNTDEPLIBS = @CLNTDEPLIBS@ - -INSTALL=/usr/athena/bin/install -c -INSTALL_STRIP= -INSTALL_PROGRAM=${INSTALL} $(INSTALL_STRIP) -INSTALL_DATA=${INSTALL} -m 644 -INSTALL_SHLIB=$(INSTALL_DATA) -INSTALL_SETUID=$(INSTALL) $(INSTALL_STRIP) -m 4755 -o root -## This is needed because autoconf will sometimes define ${prefix} to be -## ${prefix}. -prefix=/usr/local -INSTALL_PREFIX=$(prefix) -INSTALL_EXEC_PREFIX=${prefix} -exec_prefix=${prefix} -SHLIB_TAIL_COMP=@SHLIB_TAIL_COMP@ - -KRB5MANROOT = ${prefix}/man -ADMIN_BINDIR = ${exec_prefix}/sbin -SERVER_BINDIR = ${exec_prefix}/sbin -CLIENT_BINDIR =${exec_prefix}/bin -ADMIN_MANDIR = $(KRB5MANROOT)/man8 -SERVER_MANDIR = $(KRB5MANROOT)/man8 -CLIENT_MANDIR = $(KRB5MANROOT)/man1 -FILE_MANDIR = $(KRB5MANROOT)/man5 -KRB5_LIBDIR = ${exec_prefix}/lib -KRB5_SHLIBDIR = ${exec_prefix}/lib$(SHLIB_TAIL_COMP) -KRB5_INCDIR = ${prefix}/include -KRB5_INCSUBDIRS = \ - $(KRB5_INCDIR)/gssapi \ - $(KRB5_INCDIR)/kerberosIV - -# -# Macros used by the KADM5 (OV-based) unit test system. -# XXX check which of these are actually used! -# -TESTDIR = $(BUILDTOP)/kadmin/testing -STESTDIR = $(SRCTOP)/kadmin/testing -COMPARE_DUMP = $(TESTDIR)/scripts/compare_dump.pl -FIX_CONF_FILES = $(TESTDIR)/scripts/fixup-conf-files.pl -INITDB = $(STESTDIR)/scripts/init_db -MAKE_KEYTAB = $(TESTDIR)/scripts/make-host-keytab.pl -LOCAL_MAKE_KEYTAB= $(TESTDIR)/scripts/make-host-keytab.pl -RESTORE_FILES = $(STESTDIR)/scripts/restore_files.sh -SAVE_FILES = $(STESTDIR)/scripts/save_files.sh -ENV_SETUP = $(TESTDIR)/scripts/env-setup.sh -CLNTTCL = $(TESTDIR)/util/ovsec_kadm_clnt_tcl -SRVTCL = $(TESTDIR)/util/ovsec_kadm_srv_tcl -# Dejagnu variables. -# We have to set the host with --host so that setup_xfail will work. -# If we don't set it, then the host type used is "native", which -# doesn't match "*-*-*". -host=sparc-sun-solaris2.8 -DEJAFLAGS = $(DEJALFLAGS) $(CLFLAGS) --debug --srcdir $(srcdir) --host \ - $(host) -RUNTEST = runtest $(DEJAFLAGS) - -START_SERVERS = $(STESTDIR)/scripts/start_servers $(TEST_SERVER) $(TEST_PATH) -START_SERVERS_LOCAL = $(STESTDIR)/scripts/start_servers_local - -STOP_SERVERS = $(STESTDIR)/scripts/stop_servers $(TEST_SERVER) $(TEST_PATH) -STOP_SERVERS_LOCAL = $(STESTDIR)/scripts/stop_servers_local -# -# End of macros for the KADM5 unit test system. -# - -transform = s,x,x, - -RM = rm -f -CP = cp -MV = mv -f -CHMOD=chmod -RANLIB = ranlib -ARCHIVE = @ARCHIVE@ -ARADD = @ARADD@ -LN = ln -s -AWK = @AWK@ -LEX = @LEX@ -LEXLIB = @LEXLIB@ -YACC = @YACC@ -AUTOCONF = autoconf -AUTOCONFFLAGS = -AUTOCONFINCFLAGS = --localdir -AUTOHEADER = autoheader -AUTOHEADERFLAGS = - -HOST_TYPE = @HOST_TYPE@ -SHEXT = @SHEXT@ -STEXT=@STEXT@ -VEXT=@VEXT@ -DO_MAKE_SHLIB = @DO_MAKE_SHLIB@ -SHLIB_STATIC_TARGET=@SHLIB_STATIC_TARGET@ - -TOPLIBD = $(BUILDTOP)/lib - -OBJEXT = o -LIBEXT = a -EXEEXT = - -# -# variables for libraries, for use in linking programs -# -- this may want to get broken out into a separate frag later -# -# -# Note: the following variables must be set in any Makefile.in that -# uses KRB5_BUILD_PROGRAM -# -# PROG_LIBPATH list of dirs, in -Ldir form, to search for libraries at link -# PROG_RPATH list of dirs, in dir1:dir2 form, for rpath purposes -# -# invocation is like: -# prog: foo.o bar.o $(KRB5_BASE_DEPLIBS) -# $(CC_LINK) -o $@ foo.o bar.o $(KRB5_BASE_LIBS) - - -CC_LINK=$(PURE) $(CC) $(PROG_LIBPATH) $(LDFLAGS) - -# prefix (with no spaces after) for rpath flag to cc -RPATH_FLAG=-R - -# this gets set by configure to either $(STLIBEXT) or $(SHLIBEXT), -# depending on whether we're building with shared libraries. -DEPLIBEXT=.a - -KADMCLNT_DEPLIB = $(TOPLIBD)/libkadm5clnt$(DEPLIBEXT) -KADMSRV_DEPLIB = $(TOPLIBD)/libkadm5srv$(DEPLIBEXT) -KDB5_DEPLIB = $(TOPLIBD)/libkdb5$(DEPLIBEXT) -DB_DEPLIB = $(DB_DEPLIB-k5) -DB_DEPLIB-k5 = $(TOPLIBD)/libdb$(DEPLIBEXT) -DB_DEPLIB-sys = -GSSRPC_DEPLIB = $(TOPLIBD)/libgssrpc$(DEPLIBEXT) -GSS_DEPLIB = $(TOPLIBD)/libgssapi_krb5$(DEPLIBEXT) -KRB4_DEPLIB = $(TOPLIBD)/libkrb4$(DEPLIBEXT) # $(TOPLIBD)/libkrb4$(DEPLIBEXT) -DES425_DEPLIB = $(TOPLIBD)/libdes425$(DEPLIBEXT) # $(TOPLIBD)/libdes425$(DEPLIBEXT) -KRB5_DEPLIB = $(TOPLIBD)/libkrb5$(DEPLIBEXT) -CRYPTO_DEPLIB = $(TOPLIBD)/libk5crypto$(DEPLIBEXT) -COM_ERR_DEPLIB = $(COM_ERR_DEPLIB-k5) -COM_ERR_DEPLIB-sys = # empty -COM_ERR_DEPLIB-k5 = $(TOPLIBD)/libcom_err$(DEPLIBEXT) - -# These are forced to use ".a" as an extension because they're never -# built shared. -SS_DEPLIB = $(SS_DEPLIB-k5) -SS_DEPLIB-k5 = $(TOPLIBD)/libss.a -SS_DEPLIB-sys = -KRB524_DEPLIB = $(BUILDTOP)/krb524/libkrb524.a -PTY_DEPLIB = $(TOPLIBD)/libpty.a - -KRB5_BASE_DEPLIBS = $(KRB5_DEPLIB) $(CRYPTO_DEPLIB) $(COM_ERR_DEPLIB) -KRB4COMPAT_DEPLIBS = $(KRB4_DEPLIB) $(DES425_DEPLIB) $(KRB5_BASE_DEPLIBS) -KDB5_DEPLIBS = $(KDB5_DEPLIB) $(DB_DEPLIB) -GSS_DEPLIBS = $(GSS_DEPLIB) -GSSRPC_DEPLIBS = $(GSSRPC_DEPLIB) $(GSS_DEPLIBS) -KADM_COMM_DEPLIBS = $(GSSRPC_DEPLIBS) $(KDB5_DEPLIBS) $(GSSRPC_DEPLIBS) -KADMSRV_DEPLIBS = $(KADMSRV_DEPLIB) $(KDB5_DEPLIBS) $(KADM_COMM_DEPLIBS) -KADMCLNT_DEPLIBS = $(KADMCLNT_DEPLIB) $(KADM_COMM_DEPLIBS) - -# Header file dependencies we might override. -# See util/depfix.sed. -# Also see depend-verify-* in post.in, which wants to confirm that we're using -# the in-tree versions. -COM_ERR_VERSION = k5 -COM_ERR_DEPS = $(COM_ERR_DEPS-k5) -COM_ERR_DEPS-sys = -COM_ERR_DEPS-k5 = $(BUILDTOP)/include/com_err.h -SS_VERSION = k5 -SS_DEPS = $(SS_DEPS-k5) -SS_DEPS-sys = -SS_DEPS-k5 = $(BUILDTOP)/include/ss/ss.h $(BUILDTOP)/include/ss/ss_err.h -DB_VERSION = k5 -DB_DEPS = $(DB_DEPS-k5) -DB_DEPS-sys = -DB_DEPS-k5 = $(BUILDTOP)/include/db.h $(BUILDTOP)/include/db-config.h -DB_DEPS-redirect = $(BUILDTOP)/include/db.h - -# Header file dependencies that might depend on whether krb4 support -# is compiled. - -KRB_ERR_H_DEP = $(BUILDTOP)/include/kerberosIV/krb_err.h -KRB524_H_DEP = $(BUILDTOP)/include/krb524.h -KRB524_ERR_H_DEP= $(BUILDTOP)/include/krb524_err.h - -# LIBS gets substituted in... e.g. -lnsl -lsocket - -# GEN_LIB is -lgen if needed for regexp -GEN_LIB = - -SS_LIB = $(SS_LIB-k5) -SS_LIB-sys = -SS_LIB-k5 = $(TOPLIBD)/libss.a -KDB5_LIB = -lkdb5 -DB_LIB = -ldb - -KRB5_LIB = -lkrb5 -K5CRYPTO_LIB = -lk5crypto -COM_ERR_LIB = -lcom_err -GSS_KRB5_LIB = -lgssapi_krb5 - -# KRB4_LIB is -lkrb4 if building --with-krb4 -# needs fixing if ever used on Mac OS X! -KRB4_LIB = -lkrb4 - -# DES425_LIB is -ldes425 if building --with-krb4 -# needs fixing if ever used on Mac OS X! -DES425_LIB = -ldes425 - -# KRB524_LIB is $(BUILDTOP)/krb524/libkrb524.a if building --with-krb4 -# needs fixing if ever used on Mac OS X! -KRB524_LIB = $(BUILDTOP)/krb524/libkrb524.a - -# HESIOD_LIBS is -lhesiod... -HESIOD_LIBS = - -KRB5_BASE_LIBS = $(KRB5_LIB) $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(GEN_LIB) $(LIBS) -KRB4COMPAT_LIBS = $(KRB4_LIB) $(DES425_LIB) $(KRB5_BASE_LIBS) -KDB5_LIBS = $(KDB5_LIB) $(DB_LIB) -GSS_LIBS = $(GSS_KRB5_LIB) -# needs fixing if ever used on Mac OS X! -GSSRPC_LIBS = -lgssrpc $(GSS_LIBS) -KADM_COMM_LIBS = $(GSSRPC_LIBS) -# need fixing if ever used on Mac OS X! -KADMSRV_LIBS = -lkadm5srv $(HESIOD_LIBS) $(KDB5_LIBS) $(KADM_COMM_LIBS) -KADMCLNT_LIBS = -lkadm5clnt $(KADM_COMM_LIBS) - -# need fixing if ever used on Mac OS X! -PTY_LIB = -lpty - -# -# some more stuff for --with-krb4 -KRB4_LIBPATH = -KRB4_INCLUDES = -I$(SRCTOP)/include/kerberosIV -I$(BUILDTOP)/include/kerberosIV - -# -# variables for --with-tcl= -TCL_LIBS = @TCL_LIBS@ -TCL_LIBPATH = @TCL_LIBPATH@ -TCL_RPATH = @TCL_RPATH@ -TCL_MAYBE_RPATH = @TCL_MAYBE_RPATH@ -TCL_INCLUDES = @TCL_INCLUDES@ - -# error table rules -# -### /* these are invoked as $(...) foo.et, which works, but could be better */ -COMPILE_ET= $(COMPILE_ET-k5) -COMPILE_ET-sys= compile_et -COMPILE_ET-k5= $(BUILDTOP)/util/et/compile_et -d $(SRCTOP)/util/et - -.SUFFIXES: .h .c .et .ct - -# These versions cause both .c and .h files to be generated at once. -# But GNU make doesn't understand this, and parallel builds can trigger -# both of them at once, causing them to stomp on each other. The versions -# below only update one of the files, so compile_et has to get run twice, -# but it won't break parallel builds. -#.et.h: ; $(COMPILE_ET) $< -#.et.c: ; $(COMPILE_ET) $< - -.et.h: - d=ettmp$$$$ ; (cp $< $$d.et && $(COMPILE_ET) $$d.et && mv $$d.h $*.h) ; \ - e=$$? ; rm -f $$d.* ; exit $$e - -.et.c: - d=ettmp$$$$ ; (cp $< $$d.et && $(COMPILE_ET) $$d.et && mv $$d.c $*.c) ; \ - e=$$? ; rm -f $$d.* ; exit $$e - -# rule to make object files -# -.SUFFIXES: .c .o -.c.o: - $(CC) $(ALL_CFLAGS) -c $< - -# ss command table rules -# -MAKE_COMMANDS= $(MAKE_COMMANDS-k5) -MAKE_COMMANDS-sys= mk_cmds -MAKE_COMMANDS-k5= $(BUILDTOP)/util/ss/mk_cmds - -.ct.c: - $(MAKE_COMMANDS) $< - -## -## end of pre.in -############################################################ -thisconfigdir=./.. -myfulldir=util/db2/test -mydir=test -BUILDTOP=$(REL)..$(S)..$(S).. - -FCTSH = /usr/bin/sh -TMPDIR=. - -LOCALINCLUDES= -I. -I$(srcdir)/../include -I../include -I$(srcdir)/../mpool \ - -I$(srcdir)/../btree -I$(srcdir)/../hash -I$(srcdir)/../db - -PROG_LIBPATH=-L$(TOPLIBD) -PROG_RPATH=$(KRB5_LIBDIR) - -KRB5_RUN_ENV= - -all:: - -dbtest: dbtest.o $(DB_DEPLIB) - $(CC_LINK) -o $@ dbtest.o $(STRERROR_OBJ) $(DB_LIB) - -check:: dbtest - $(KRB5_RUN_ENV) srcdir=$(srcdir) TMPDIR=$(TMPDIR) $(FCTSH) $(srcdir)/run.test - -bttest.o: $(srcdir)/btree.tests/main.c - $(CC) $(ALL_CFLAGS) -c $(srcdir)/btree.tests/main.c -o $@ - -bttest: bttest.o $(DB_DEPLIB) - $(CC_LINK) -o $@ bttest.o $(STRERROR_OBJ) $(DB_LIB) - -clean-unix:: - $(RM) dbtest.o dbtest __dbtest - $(RM) bttest.o bttest -############################################################ -## config/post.in -## - -# in case there is no default target (very unlikely) -all:: - -check-windows:: - -############################## -# dependency generation -# - -depend:: depend-postrecurse -depend-postrecurse: depend-recurse -depend-recurse: depend-prerecurse - -depend-prerecurse: -depend-postrecurse: - -depend-postrecurse: depend-update-makefile - -ALL_DEP_SRCS= $(SRCS) $(EXTRADEPSRCS) - -# be sure to check ALL_DEP_SRCS against *what it would be if SRCS and -# EXTRADEPSRCS are both empty* -.depend-verify-srcdir: - @if test "$(srcdir)" = "." ; then \ - echo 1>&2 error: cannot build dependencies with srcdir=. ; \ - echo 1>&2 "(can't distinguish generated files from source files)" ; \ - exit 1 ; \ - else \ - if test -r .depend-verify-srcdir; then :; \ - else (set -x; touch .depend-verify-srcdir); fi \ - fi -.depend-verify-et: depend-verify-et-$(COM_ERR_VERSION) -depend-verify-et-k5: - @if test -r .depend-verify-et; then :; \ - else (set -x; touch .depend-verify-et); fi -depend-verify-et-sys: - @echo 1>&2 error: cannot build dependencies using system et package - @exit 1 -.depend-verify-ss: depend-verify-ss-$(SS_VERSION) -depend-verify-ss-k5: - @if test -r .depend-verify-ss; then :; \ - else (set -x; touch .depend-verify-ss); fi -depend-verify-ss-sys: - @echo 1>&2 error: cannot build dependencies using system ss package - @exit 1 -.depend-verify-db: depend-verify-db-$(DB_VERSION) -depend-verify-db-k5: - @if test -r .depend-verify-db; then :; \ - else (set -x; touch .depend-verify-db); fi -depend-verify-db-sys: - @echo 1>&2 error: cannot build dependencies using system db package - @exit 1 -.depend-verify-gcc: depend-verify-gcc-yes -depend-verify-gcc-yes: - @if test -r .depend-verify-gcc; then :; \ - else (set -x; touch .depend-verify-gcc); fi -depend-verify-gcc-no: - @echo 1>&2 error: The '"depend"' rules are written for gcc. - @echo 1>&2 Please use gcc, or update the rules to handle your compiler. - @exit 1 - -DEP_CFG_VERIFY = .depend-verify-srcdir \ - .depend-verify-et .depend-verify-ss .depend-verify-db -DEP_VERIFY = $(DEP_CFG_VERIFY) .depend-verify-gcc - -.d: $(ALL_DEP_SRCS) $(DEP_CFG_VERIFY) depend-dependencies - if test "$(ALL_DEP_SRCS)" != " " ; then \ - $(RM) .dtmp && $(MAKE) .dtmp && mv -f .dtmp .d ; \ - else \ - touch .d ; \ - fi - -# These are dependencies of the depend target that do not get fed to -# the compiler. Examples include generated header files. -depend-dependencies: - -# .dtmp must *always* be out of date so that $? can be used to perform -# VPATH searches on the sources. -# -# NOTE: This will fail when using Make programs whose VPATH support is -# broken. -.dtmp: $(ALL_DEP_SRCS) - $(CC) -M $(ALL_CFLAGS) $? > .dtmp - -# Generate a script for dropping in the appropriate make variables, using -# directory-specific parameters. General substitutions independent of local -# make variables happen in depfix.sed. -.depfix2.sed: .depend-verify-gcc Makefile $(SRCTOP)/util/depgen.sed - x=`$(CC) -print-libgcc-file-name` ; \ - echo '$(SRCTOP)' '$(myfulldir)' '$(srcdir)' '$(BUILDTOP)' "$$x" | sed -f $(SRCTOP)/util/depgen.sed > .depfix2.tmp - mv -f .depfix2.tmp .depfix2.sed - -DEPLIBOBJNAMEFIX = sed -e 's;^\$$(OUTPRE)\([a-zA-Z0-9_\-]*\)\.\$$(OBJEXT):;\1.so \1.po &;' - -# NOTE: This will also generate spurious $(OUTPRE) and $(OBJEXT) -# references in rules for non-library objects in a directory where -# library objects happen to be built. It's mostly harmless. -.depend: .d .depfix2.sed $(SRCTOP)/util/depfix.sed - sed -f .depfix2.sed < .d | sed -f $(SRCTOP)/util/depfix.sed | \ - (if test "x$(STLIBOBJS)" != "x"; then $(DEPLIBOBJNAMEFIX) ; else cat; fi ) \ - > .depend - -depend-update-makefile: .depend depend-recurse - if test -n "$(SRCS)" ; then \ - sed -e '/^# +++ Dependency line eater +++/,$$d' \ - < $(srcdir)/Makefile.in | cat - .depend \ - > $(srcdir)/Makefile.in.new; \ - $(SRCTOP)/config/move-if-changed $(srcdir)/Makefile.in.new $(srcdir)/Makefile.in ; \ - else :; fi - -DEPTARGETS = .depend .d .dtmp .depfix2.sed .depfix2.tmp $(DEP_VERIFY) - -# -# end dependency generation -############################## - -clean:: clean-$(WHAT) - -clean-unix:: - $(RM) $(OBJS) $(DEPTARGETS) - -clean-windows:: - $(RM) *.$(OBJEXT) - $(RM) msvc.pdb *.err - -distclean:: distclean-$(WHAT) - -distclean-normal-clean: - $(MAKE) NORECURSE=true clean -distclean-prerecurse: distclean-normal-clean -distclean-nuke-configure-state: - $(RM) config.log config.cache config.status Makefile -distclean-postrecurse: distclean-nuke-configure-state - -Makefiles-prerecurse: Makefile - -# thisconfigdir = relative path from this Makefile to config.status -# mydir = relative path from config.status to this Makefile -Makefile: $(srcdir)/Makefile.in $(thisconfigdir)/config.status \ - $(SRCTOP)/config/pre.in $(SRCTOP)/config/post.in - cd $(thisconfigdir) && $(SHELL) config.status $(mydir)/Makefile -$(thisconfigdir)/config.status: $(srcdir)/$(thisconfigdir)/configure - cd $(thisconfigdir) && $(SHELL) config.status --recheck -$(srcdir)/$(thisconfigdir)/configure: $(srcdir)/$(thisconfigdir)/configure.in \ - $(SRCTOP)/aclocal.m4 - -$(RM) -r $(srcdir)/$(thisconfigdir)/autom4te.cache - cd $(srcdir)/$(thisconfigdir) && \ - $(AUTOCONF) ${AUTOCONFINCFLAGS}=$(CONFIG_RELTOPDIR) $(AUTOCONFFLAGS) - -$(RM) -r $(srcdir)/$(thisconfigdir)/autom4te.cache - -RECURSE_TARGETS=all-recurse clean-recurse distclean-recurse install-recurse \ - check-recurse depend-recurse Makefiles-recurse install-headers-recurse - -# MY_SUBDIRS overrides any setting of SUBDIRS generated by the -# configure script that generated this Makefile. This is needed when -# the configure script that produced this Makefile creates multiple -# Makefiles in different directories; the setting of SUBDIRS will be -# the same in each. -# -# LOCAL_SUBDIRS seems to account for the case where the configure -# script doesn't call any other subsidiary configure scripts, but -# generates multiple Makefiles. -$(RECURSE_TARGETS): - @case "`echo 'x$(MFLAGS)'|sed -e 's/^x//' -e 's/ --.*$$//'`" \ - in *[ik]*) e="status=1" ;; *) e="exit 1";; esac; \ - if test -z "$(MY_SUBDIRS)" ; then \ - do_subdirs="$(SUBDIRS)" ; \ - else \ - do_subdirs="$(MY_SUBDIRS)" ; \ - fi; \ - status=0; \ - if test -n "$$do_subdirs" && test -z "$(NORECURSE)"; then \ - for i in $$do_subdirs ; do \ - if test -d $$i && test -r $$i/Makefile ; then \ - case $$i in .);; *) \ - target=`echo $@|sed s/-recurse//`; \ - echo "making $$target in $(CURRENT_DIR)$$i..."; \ - if (cd $$i ; $(MAKE) \ - CURRENT_DIR=$(CURRENT_DIR)$$i/ $$target) then :; \ - else eval $$e; fi; \ - ;; \ - esac; \ - else \ - echo "Skipping missing directory $(CURRENT_DIR)$$i" ; \ - fi; \ - done; \ - else :; \ - fi;\ - exit $$status - -## -## end of post.in -############################################################ diff --git a/src/util/et/ChangeLog b/src/util/et/ChangeLog index 1aaaf6ca2..e1661b17b 100644 --- a/src/util/et/ChangeLog +++ b/src/util/et/ChangeLog @@ -1,3 +1,13 @@ +2003-04-29 Ken Raeburn + + * test_et.c [HAVE_SYS_ERRLIST]: Do declare sys_nerr. + +2003-04-23 Ken Raeburn + + * compile_et.c: Don't declare malloc or errno. Include stdlib.h + and errno.h. + * test_et.c: Don't declare errno or sys_nerr. + 2003-03-06 Alexandra Ellwood * com_err.c, com_err.h, error_message.c, et_c.awk, et_h.awk: Removed Mac OS 9-specific code. diff --git a/src/util/et/compile_et.c b/src/util/et/compile_et.c index 23771a0a7..dfaad5f57 100644 --- a/src/util/et/compile_et.c +++ b/src/util/et/compile_et.c @@ -12,6 +12,8 @@ #include #include #include +#include +#include #include "mit-sipb-copyright.h" #include "compiler.h" @@ -27,10 +29,6 @@ char buffer[BUFSIZ]; char *table_name = (char *)NULL; FILE *hfile, *cfile; -/* C library */ -extern char *malloc(); -extern int errno; - /* lex stuff */ extern FILE *yyin; extern int yylineno; diff --git a/src/util/et/test_et.c b/src/util/et/test_et.c index 41ac394d5..a9d545787 100644 --- a/src/util/et/test_et.c +++ b/src/util/et/test_et.c @@ -4,11 +4,13 @@ #include "test1.h" #include "test2.h" -extern int sys_nerr, errno; - /* XXX Not part of official public API. */ extern const char *error_table_name (errcode_t); +#ifdef HAVE_SYS_ERRLIST +extern int sys_nerr; +#endif + int main() { printf("Before initiating error table:\n\n"); diff --git a/src/util/reconf b/src/util/reconf index c24627203..6a5038145 100644 --- a/src/util/reconf +++ b/src/util/reconf @@ -24,9 +24,8 @@ do esac done -# Currently (2000-10-03) we need 2.13 or later. -# The pattern also recognizes 2.40 and up. -patb="2.(1[3-9])|([4-9][0-9])" +# Currently (2003-04-24) we need 2.52 or later. +patb="2.(1[0-9][0-9])|(5[2-9])|([6-9][0-9])" # sedcmd1 recognizes the older 2.12 version, and sedcmd2 the newer 2.49 sedcmd1="s,.*version \(.*\)$,\1," @@ -39,18 +38,13 @@ if autoreconf --version | sed -e "$sedcmd1" -e "$sedcmd2" | egrep "$patb" >/dev/ autoreconfoptions= autoconfversion=`autoconf --version | sed -e "$sedcmd1" -e "$sedcmd2"` echo "Using autoconf version $autoconfversion found in your path..." - # Determine if localdir needs to be relative or absolute - case "$autoconfversion" in - 2.1*) - localdir=. - ;; - *) - localdir=`pwd` - ;; - esac + localdir=`pwd` # Determine if we need to patch autoreconf for 2.53 case "$autoconfversion" in + 2.52) + echo "WARNING: autoconf 2.52 is known to generate buggy configure scripts!" + ;; 2.53) echo "Patching autoreconf" # Walk the path to find autoreconf @@ -89,7 +83,7 @@ if autoreconf --version | sed -e "$sedcmd1" -e "$sedcmd2" | egrep "$patb" >/dev/ ;; esac else - echo "Couldn't find autoconf 2.13 or higher in your path." + echo "Couldn't find autoconf 2.52 or higher in your path." echo " " echo "Please install or add to your path and re-run ./util/reconf" exit 1 diff --git a/src/util/ss/ChangeLog b/src/util/ss/ChangeLog index 15d6edc6a..66c86c764 100644 --- a/src/util/ss/ChangeLog +++ b/src/util/ss/ChangeLog @@ -1,3 +1,7 @@ +2003-04-23 Ken Raeburn + + * ss.h: Don't declare errno. Include errno.h. + 2003-02-05 Ken Raeburn * Makefile.in (std_rqs.c): Depend on ct_c.sed and ct_c.awk. diff --git a/src/util/ss/ss.h b/src/util/ss/ss.h index b2fd21f00..062003d3c 100644 --- a/src/util/ss/ss.h +++ b/src/util/ss/ss.h @@ -7,10 +7,9 @@ #ifndef _ss_h #define _ss_h __FILE__ +#include #include -extern int errno; - #ifdef __STDC__ #define __SS_CONST const #define __SS_PROTO (int, const char * const *, int, void *) diff --git a/src/windows/ChangeLog b/src/windows/ChangeLog index 5fa15b833..f85982f4a 100644 --- a/src/windows/ChangeLog +++ b/src/windows/ChangeLog @@ -1,3 +1,19 @@ +2003-05-14 Tom Yu + + * version.rc: krb5-1.3-beta1. + +2003-04-29 Tom Yu + + * version.rc: krb5-1.3-alpha3. + +2003-04-11 Tom Yu + + * version.rc: krb5-1.3-alpha2. + +2003-03-14 Tom Yu + + * version.rc: krb5-1.3-alpha1. + 2002-04-10 Danilo Almeida * Makefile.in: Build ms2mit. diff --git a/src/windows/version.rc b/src/windows/version.rc index 1b8ca9d9f..4714c2c43 100644 --- a/src/windows/version.rc +++ b/src/windows/version.rc @@ -8,7 +8,7 @@ #define PRE_RELEASE #ifdef PRE_RELEASE -#define BETA_STR " beta" +#define BETA_STR " beta 1" #define BETA_FLAG VS_FF_PRERELEASE #else #define BETA_STR "" @@ -23,7 +23,7 @@ /* we're going to stamp all the DLLs with the same version number */ -#define K5_PRODUCT_VERSION_STRING "1.3 (TEST)" BETA_STR "\0" +#define K5_PRODUCT_VERSION_STRING "1.3" BETA_STR "\0" #define K5_PRODUCT_VERSION 1, 3, 0, 0 #define K5_COPYRIGHT "Copyright (C) 1997-2000 by the Massachusetts Institute of Technology\0" -- 2.26.2