From 88ebe65e3ecce63cf5bcc86804d9c53ace1efcb0 Mon Sep 17 00:00:00 2001 From: Ezra Peisach Date: Tue, 12 Sep 1995 16:43:27 +0000 Subject: [PATCH] Reintegrate Macintosh changes t_ser.c: Work around an optimizer bug in gcc under OSF/1 2.1. The timeofday calls were left in the stage as described in the ChangeLog git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@6766 dc483132-0cff-0310-8789-dd5450dbe970 --- src/lib/krb5/krb/ChangeLog | 44 ++++++++++++++++++++++ src/lib/krb5/krb/auth_con.c | 2 +- src/lib/krb5/krb/decode_kdc.c | 17 +++------ src/lib/krb5/krb/decrypt_tk.c | 17 ++++----- src/lib/krb5/krb/encode_kdc.c | 4 +- src/lib/krb5/krb/encrypt_tk.c | 2 +- src/lib/krb5/krb/gc_frm_kdc.c | 18 +++------ src/lib/krb5/krb/gc_via_tkt.c | 68 ++++++++++++++-------------------- src/lib/krb5/krb/gen_seqnum.c | 6 +-- src/lib/krb5/krb/gen_subkey.c | 6 +-- src/lib/krb5/krb/get_creds.c | 2 +- src/lib/krb5/krb/get_in_tkt.c | 67 ++++++++++++++++----------------- src/lib/krb5/krb/in_tkt_ktb.c | 14 +++---- src/lib/krb5/krb/in_tkt_pwd.c | 16 ++++---- src/lib/krb5/krb/in_tkt_sky.c | 16 ++++---- src/lib/krb5/krb/init_ctx.c | 70 ++++++++++++++++++++--------------- src/lib/krb5/krb/kdc_rep_dc.c | 4 +- src/lib/krb5/krb/krbconfig.c | 2 +- src/lib/krb5/krb/mk_cred.c | 6 +-- src/lib/krb5/krb/mk_priv.c | 6 +-- src/lib/krb5/krb/mk_rep.c | 16 +++----- src/lib/krb5/krb/mk_req_ext.c | 9 ++--- src/lib/krb5/krb/preauth.c | 4 +- src/lib/krb5/krb/rd_cred.c | 4 +- src/lib/krb5/krb/rd_priv.c | 4 +- src/lib/krb5/krb/rd_rep.c | 5 +-- src/lib/krb5/krb/rd_req_dec.c | 21 ++++------- src/lib/krb5/krb/send_tgs.c | 44 ++++++++++------------ src/lib/krb5/krb/sendauth.c | 4 +- src/lib/krb5/krb/ser_actx.c | 4 +- src/lib/krb5/krb/ser_ctx.c | 36 +++++++++--------- src/lib/krb5/krb/ser_eblk.c | 31 ++++------------ src/lib/krb5/krb/ser_key.c | 19 +++------- src/lib/krb5/krb/t_ser.c | 14 ++++--- 34 files changed, 293 insertions(+), 309 deletions(-) diff --git a/src/lib/krb5/krb/ChangeLog b/src/lib/krb5/krb/ChangeLog index 05c914eba..cbedca806 100644 --- a/src/lib/krb5/krb/ChangeLog +++ b/src/lib/krb5/krb/ChangeLog @@ -1,3 +1,8 @@ +Tue Sep 12 12:40:30 1995 Ezra Peisach + + * t_ser.c (ser_cksum_test): Work around an optimizer bug unser + OSF/1 and gcc. + Sun Sep 10 12:00:00 1995 James Mattly (mattly@fusion.com) * gen_seqnum.c: change usage of krb5_crypto_us_timeofday to krb5_timeofday @@ -6,6 +11,16 @@ Sun Sep 10 12:00:00 1995 James Mattly (mattly@fusion.com) * mk_req_ext.c: change usage of krb5_crypto_us_timeofday to krb5_timeofday * send_tgs.c: change usage of krb5_timeofday over to krb5_crypto_us_timeofday +Wed Sep 06 14:20:57 1995 Chris Provenzano (proven@mit.edu) + + * auth_con.c, decrypt_tk.c, encode_kdc.c, encrypt_tk.c, + * gc_frm_kdc.c, gen_seqnum.c, get_creds.c, get_in_tkt.c, + * in_tkt_ktb.c, in_tkt_pwd.c, in_tkt_sky.c, init_ctx.c, + * kdc_rep_dc.c, mk_cred.c, mk_priv.c, mk_rep.c, mk_req._ext.c, + * preauth.c, rd_cred.c, rd_priv.c, rd_rep.c, rd_req_dec.c, + * send_tgs.c, sendauth.c, ser_actx.c, ser_ctx.c, ser_eblk.c, + * ser_key.c, t_ser.c : s/keytype/enctype/g, s/KEYTYPE/ENCTYPE/g + Wed Sept 6 12:00:00 EDT 1995 James Mattly (mattly@fusion.com) * get_in_tkt.c: change usage of krb5_timeofday to krb5_crypto_us_timeofday @@ -16,6 +31,35 @@ Wed Sept 6 12:00:00 EDT 1995 James Mattly (mattly@fusion.com) * unparse.c: include +Tue Sep 05 22:10:34 1995 Chris Provenzano (proven@mit.edu) + + * decode_kdc.c, decrypt_tk.c, encode_kdc.c, encrypt_tk.c, gc_frm_kdc.c + * gc_via_tkt.c, get_in_tkt.c, in_tkt_ktb.c, in_tkt_pwd.c, in_tkt_sky.c + * init_ctx.c, kdc_rep_dc.c, mk_cred.c, mk_priv.c, mk_rep.c + * mk_req_ext.c, rd_cred.c, rd_priv.c, rd_rep.c, rd_req_dec.c, + * send_tgs.c, ser_ctx.c, ser_eblk.c, ser_key.c, t_ser.c: + Remove krb5_enctype references, and replace with + krb5_keytype where appropriate + +Fri Sep 1 20:03:41 1995 Theodore Y. Ts'o + + * get_in_tkt.c (krb5_get_in_tkt): If kdc_settime is enabled, then + set the time_offset fields from the returned ticket's + authtime value. + + * init_ctx.c (krb5_init_context): Initialize new fields in + krb5_context (clockskew, kdc_req_sumtype, and + kdc_default_options). + + * gc_via_tkt.c (krb5_get_cred_via_tkt): Perform the necessary + sanity checking on the KDC response to make sure we detect + tampering. + + * send_tgs.c (krb5_send_tgs): Set the expected nonce in the + response structure. + + * krbconfig.c: Set the default checksum to use MD5 + Fri Sep 1 11:16:43 EDT 1995 Paul Park (pjpark@mit.edu) * ser_ctx.c - Add handling of new time offset fields in the os_context. diff --git a/src/lib/krb5/krb/auth_con.c b/src/lib/krb5/krb/auth_con.c index c8ee71c38..fc96acbc2 100644 --- a/src/lib/krb5/krb/auth_con.c +++ b/src/lib/krb5/krb/auth_con.c @@ -265,7 +265,7 @@ krb5_auth_con_initivector(context, auth_context) krb5_auth_context auth_context; { if (auth_context->keyblock) { - int size = krb5_keytype_array[auth_context->keyblock->keytype]-> + int size = krb5_enctype_array[auth_context->keyblock->enctype]-> system->block_length; if ((auth_context->i_vector = (krb5_pointer)malloc(size))) { diff --git a/src/lib/krb5/krb/decode_kdc.c b/src/lib/krb5/krb/decode_kdc.c index 642de5b08..71e01a811 100644 --- a/src/lib/krb5/krb/decode_kdc.c +++ b/src/lib/krb5/krb/decode_kdc.c @@ -40,11 +40,10 @@ */ krb5_error_code -krb5_decode_kdc_rep(context, enc_rep, key, etype, dec_rep) +krb5_decode_kdc_rep(context, enc_rep, key, dec_rep) krb5_context context; krb5_data * enc_rep; const krb5_keyblock * key; - const krb5_enctype etype; krb5_kdc_rep ** dec_rep; { krb5_error_code retval; @@ -60,16 +59,10 @@ krb5_decode_kdc_rep(context, enc_rep, key, etype, dec_rep) if (retval) return retval; - if (local_dec_rep->enc_part.etype != etype) { + if (retval = krb5_kdc_rep_decrypt_proc(context, key, 0, local_dec_rep)) krb5_free_kdc_rep(context, local_dec_rep); - return KRB5_WRONG_ETYPE; - } - retval = krb5_kdc_rep_decrypt_proc(context, key, 0, local_dec_rep); - if (retval) { - krb5_free_kdc_rep(context, local_dec_rep); - return(retval); - } - *dec_rep = local_dec_rep; - return 0; + else + *dec_rep = local_dec_rep; + return(retval); } diff --git a/src/lib/krb5/krb/decrypt_tk.c b/src/lib/krb5/krb/decrypt_tk.c index 3777ffa6b..f8850b178 100644 --- a/src/lib/krb5/krb/decrypt_tk.c +++ b/src/lib/krb5/krb/decrypt_tk.c @@ -46,29 +46,27 @@ krb5_decrypt_tkt_part(context, srv_key, ticket) krb5_data scratch; krb5_error_code retval; - if (!valid_etype(ticket->enc_part.etype)) + if (!valid_enctype(ticket->enc_part.enctype)) return KRB5_PROG_ETYPE_NOSUPP; /* put together an eblock for this encryption */ - - krb5_use_cstype(context, &eblock, ticket->enc_part.etype); + krb5_use_enctype(context, &eblock, ticket->enc_part.enctype); scratch.length = ticket->enc_part.ciphertext.length; if (!(scratch.data = malloc(ticket->enc_part.ciphertext.length))) return(ENOMEM); /* do any necessary key pre-processing */ - retval = krb5_process_key(context, &eblock, srv_key); - if (retval) { + if (retval = krb5_process_key(context, &eblock, srv_key)) { free(scratch.data); return(retval); } /* call the encryption routine */ - retval = krb5_decrypt(context, (krb5_pointer) ticket->enc_part.ciphertext.data, - (krb5_pointer) scratch.data, - scratch.length, &eblock, 0); - if (retval) { + if (retval = krb5_decrypt(context, + (krb5_pointer) ticket->enc_part.ciphertext.data, + (krb5_pointer) scratch.data, scratch.length, + &eblock, 0)) { (void) krb5_finish_key(context, &eblock); free(scratch.data); return retval; @@ -87,6 +85,5 @@ free(scratch.data);} ticket->enc_part2 = dec_tkt_part; } clean_scratch(); - ticket->enc_part2->session->etype = ticket->enc_part.etype; return retval; } diff --git a/src/lib/krb5/krb/encode_kdc.c b/src/lib/krb5/krb/encode_kdc.c index a4d0edb32..502a87ecb 100644 --- a/src/lib/krb5/krb/encode_kdc.c +++ b/src/lib/krb5/krb/encode_kdc.c @@ -54,7 +54,7 @@ krb5_encode_kdc_rep(context, type, encpart, eblock, client_key, dec_rep, enc_rep krb5_error_code retval; krb5_enc_kdc_rep_part tmp_encpart; - if (!valid_etype(dec_rep->enc_part.etype)) + if (!valid_enctype(dec_rep->enc_part.enctype)) return KRB5_PROG_ETYPE_NOSUPP; switch (type) { @@ -127,7 +127,7 @@ dec_rep->enc_part.ciphertext.data = 0;} goto clean_prockey; } - dec_rep->enc_part.etype = krb5_eblock_enctype(context, eblock); + dec_rep->enc_part.enctype = krb5_eblock_enctype(context, eblock); /* do some cleanup */ cleanup_scratch(); diff --git a/src/lib/krb5/krb/encrypt_tk.c b/src/lib/krb5/krb/encrypt_tk.c index 0220e42f9..88b23209a 100644 --- a/src/lib/krb5/krb/encrypt_tk.c +++ b/src/lib/krb5/krb/encrypt_tk.c @@ -95,7 +95,7 @@ dec_ticket->enc_part.ciphertext.data = 0;} goto clean_prockey; } - dec_ticket->enc_part.etype = krb5_eblock_enctype(context, eblock); + dec_ticket->enc_part.enctype = krb5_eblock_enctype(context, eblock); /* ticket is now assembled-- do some cleanup */ cleanup_scratch(); diff --git a/src/lib/krb5/krb/gc_frm_kdc.c b/src/lib/krb5/krb/gc_frm_kdc.c index 255c4492d..597582334 100644 --- a/src/lib/krb5/krb/gc_frm_kdc.c +++ b/src/lib/krb5/krb/gc_frm_kdc.c @@ -60,8 +60,6 @@ extern krb5_cksumtype krb5_kdc_req_sumtype; /* helper macro: convert flags to necessary KDC options */ #define FLAGS2OPTS(flags) (flags & KDC_TKT_COMMON_MASK) -#define TGT_ETYPE \ - krb5_keytype_array[tgt.keyblock.keytype]->system->proto_enctype; krb5_error_code krb5_get_cred_from_kdc(context, ccache, in_cred, out_cred, tgts) @@ -75,7 +73,6 @@ krb5_get_cred_from_kdc(context, ccache, in_cred, out_cred, tgts) int ntgts = 0; krb5_creds tgt, tgtq, *tgtr = NULL; - krb5_enctype etype; krb5_error_code retval; krb5_principal int_server = NULL; /* Intermediate server for request */ @@ -231,8 +228,8 @@ krb5_get_cred_from_kdc(context, ccache, in_cred, out_cred, tgts) /* didn't find it in the cache so try and get one */ /* with current tgt. */ - if (!valid_keytype(tgt.keyblock.keytype)) { - retval = KRB5_PROG_KEYTYPE_NOSUPP; + if (!valid_enctype(tgt.keyblock.enctype)) { + retval = KRB5_PROG_ETYPE_NOSUPP; goto cleanup; } @@ -250,7 +247,6 @@ krb5_get_cred_from_kdc(context, ccache, in_cred, out_cred, tgts) goto cleanup; tgtq.is_skey = FALSE; tgtq.ticket_flags = tgt.ticket_flags; - etype = TGT_ETYPE; if ((retval = krb5_get_cred_via_tkt(context, &tgt, FLAGS2OPTS(tgtq.ticket_flags), tgt.addresses, &tgtq, &tgtr))) { @@ -293,8 +289,8 @@ krb5_get_cred_from_kdc(context, ccache, in_cred, out_cred, tgts) /* not in the cache so try and get one with our current tgt. */ - if (!valid_keytype(tgt.keyblock.keytype)) { - retval = KRB5_PROG_KEYTYPE_NOSUPP; + if (!valid_enctype(tgt.keyblock.enctype)) { + retval = KRB5_PROG_ETYPE_NOSUPP; goto cleanup; } @@ -309,7 +305,6 @@ krb5_get_cred_from_kdc(context, ccache, in_cred, out_cred, tgts) goto cleanup; tgtq.is_skey = FALSE; tgtq.ticket_flags = tgt.ticket_flags; - etype = TGT_ETYPE; if ((retval = krb5_get_cred_via_tkt(context, &tgt, FLAGS2OPTS(tgtq.ticket_flags), tgt.addresses, @@ -378,12 +373,11 @@ krb5_get_cred_from_kdc(context, ccache, in_cred, out_cred, tgts) /* got/finally have tgt! try for the creds */ - if (!valid_keytype(tgt.keyblock.keytype)) { - retval = KRB5_PROG_KEYTYPE_NOSUPP; + if (!valid_enctype(tgt.keyblock.enctype)) { + retval = KRB5_PROG_ETYPE_NOSUPP; goto cleanup; } - etype = TGT_ETYPE; retval = krb5_get_cred_via_tkt(context, &tgt, FLAGS2OPTS(tgt.ticket_flags) | (in_cred->second_ticket.length ? KDC_OPT_ENC_TKT_IN_SKEY : 0), diff --git a/src/lib/krb5/krb/gc_via_tkt.c b/src/lib/krb5/krb/gc_via_tkt.c index c2f531f48..643bca566 100644 --- a/src/lib/krb5/krb/gc_via_tkt.c +++ b/src/lib/krb5/krb/gc_via_tkt.c @@ -28,6 +28,9 @@ #include "k5-int.h" #include "int-proto.h" +extern krb5_deltat krb5_clockskew; +#define in_clock_skew(date, now) (labs((date)-(now)) < krb5_clockskew) + static krb5_error_code krb5_kdcrep2creds(context, pkdcrep, address, psectkt, ppcreds) krb5_context context; @@ -63,7 +66,6 @@ krb5_kdcrep2creds(context, pkdcrep, address, psectkt, ppcreds) (*ppcreds)->second_ticket = *pdata; krb5_xfree(pdata); - (*ppcreds)->keyblock.etype = pkdcrep->ticket->enc_part.etype; (*ppcreds)->ticket_flags = pkdcrep->enc_part2->flags; (*ppcreds)->times = pkdcrep->enc_part2->times; (*ppcreds)->magic = KV5M_CREDS; @@ -162,24 +164,14 @@ krb5_get_cred_via_tkt (context, tkt, kdcoptions, address, in_cred, out_cred) if (retval) /* neither proper reply nor error! */ goto error_4; -#if 0 - /* XXX need access to the actual assembled request... - need a change to send_tgs */ - if ((err_reply->ctime != request.ctime) || - !krb5_principal_compare(context,err_reply->server,request.server) || - !krb5_principal_compare(context, err_reply->client, request.client)) - retval = KRB5_KDCREP_MODIFIED; - else -#endif - retval = err_reply->error + ERROR_TABLE_BASE_krb5; + retval = err_reply->error + ERROR_TABLE_BASE_krb5; krb5_free_error(context, err_reply); goto error_4; } if ((retval = krb5_decode_kdc_rep(context, &tgsrep.response, - &tkt->keyblock, - tkt->keyblock.etype, &dec_rep))) + &tkt->keyblock, &dec_rep))) goto error_4; if (dec_rep->msg_type != KRB5_TGS_REP) { @@ -187,42 +179,36 @@ krb5_get_cred_via_tkt (context, tkt, kdcoptions, address, in_cred, out_cred) goto error_3; } - /* now it's decrypted and ready for prime time */ - if (!krb5_principal_compare(context, dec_rep->client, tkt->client)) { + /* make sure the response hasn't been tampered with..... */ + if (!krb5_principal_compare(context, dec_rep->client, tkt->client) || + !krb5_principal_compare(context, dec_rep->enc_part2->server, + in_cred->server) || + !krb5_principal_compare(context, dec_rep->ticket->server, + in_cred->server) || + (dec_rep->enc_part2->nonce != tgsrep.expected_nonce) || + ((in_cred->times.starttime != 0) && + (in_cred->times.starttime != dec_rep->enc_part2->times.starttime)) || + ((in_cred->times.endtime != 0) && + (dec_rep->enc_part2->times.endtime > in_cred->times.endtime)) || + ((kdcoptions & KDC_OPT_RENEWABLE) && + (in_cred->times.renew_till != 0) && + (dec_rep->enc_part2->times.renew_till > in_cred->times.renew_till)) || + ((kdcoptions & KDC_OPT_RENEWABLE_OK) && + (dec_rep->enc_part2->flags & KDC_OPT_RENEWABLE) && + (in_cred->times.endtime != 0) && + (dec_rep->enc_part2->times.renew_till > in_cred->times.endtime)) + ) { retval = KRB5_KDCREP_MODIFIED; goto error_3; } -#if 0 - /* XXX probably need access to the request */ - /* check the contents for sanity: */ - if (!krb5_principal_compare(context, dec_rep->client, request.client) - || !krb5_principal_compare(context, dec_rep->enc_part2->server, request.server) - || !krb5_principal_compare(context, dec_rep->ticket->server, request.server) - || (request.nonce != dec_rep->enc_part2->nonce) - /* XXX check for extraneous flags */ - /* XXX || (!krb5_addresses_compare(context, addrs, dec_rep->enc_part2->caddrs)) */ - || ((request.from != 0) && - (request.from != dec_rep->enc_part2->times.starttime)) - || ((request.till != 0) && - (dec_rep->enc_part2->times.endtime > request.till)) - || ((request.kdc_options & KDC_OPT_RENEWABLE) && - (request.rtime != 0) && - (dec_rep->enc_part2->times.renew_till > request.rtime)) - || ((request.kdc_options & KDC_OPT_RENEWABLE_OK) && - (dec_rep->enc_part2->flags & KDC_OPT_RENEWABLE) && - (request.till != 0) && - (dec_rep->enc_part2->times.renew_till > request.till)) - ) - retval = KRB5_KDCREP_MODIFIED; - - if (!request.from && !in_clock_skew(dec_rep->enc_part2->times.starttime)) { + if (!in_cred->times.starttime && + !in_clock_skew(dec_rep->enc_part2->times.starttime, + tgsrep.request_time)) { retval = KRB5_KDCREP_SKEW; goto error_3; } -#endif - retval = krb5_kdcrep2creds(context, dec_rep, address, &in_cred->second_ticket, out_cred); diff --git a/src/lib/krb5/krb/gen_seqnum.c b/src/lib/krb5/krb/gen_seqnum.c index 0dde74e0d..3694d2cd0 100644 --- a/src/lib/krb5/krb/gen_seqnum.c +++ b/src/lib/krb5/krb/gen_seqnum.c @@ -49,10 +49,10 @@ krb5_generate_seq_number(context, key, seqno) krb5_octet *intmp = 0, *outtmp = 0; int esize; - if (!valid_keytype(key->keytype)) - return KRB5_PROG_KEYTYPE_NOSUPP; + if (!valid_enctype(key->enctype)) + return KRB5_PROG_ETYPE_NOSUPP; - krb5_use_keytype(context, &eblock, key->keytype); + krb5_use_enctype(context, &eblock, key->enctype); if ((retval = krb5_init_random_key(context, &eblock, key, &random_state))) return(retval); diff --git a/src/lib/krb5/krb/gen_subkey.c b/src/lib/krb5/krb/gen_subkey.c index 9d8ad84f4..66a79d19e 100644 --- a/src/lib/krb5/krb/gen_subkey.c +++ b/src/lib/krb5/krb/gen_subkey.c @@ -36,10 +36,10 @@ krb5_generate_subkey(context, key, subkey) krb5_encrypt_block eblock; krb5_error_code retval; - if (!valid_keytype(key->keytype)) - return KRB5_PROG_KEYTYPE_NOSUPP; + if (!valid_enctype(key->enctype)) + return KRB5_PROG_ETYPE_NOSUPP; - krb5_use_keytype(context, &eblock, key->keytype); + krb5_use_enctype(context, &eblock, key->enctype); if ((retval = krb5_init_random_key(context, &eblock, key, &random_state))) return(retval); diff --git a/src/lib/krb5/krb/get_creds.c b/src/lib/krb5/krb/get_creds.c index 8ea0bf9ee..ed7f145a1 100644 --- a/src/lib/krb5/krb/get_creds.c +++ b/src/lib/krb5/krb/get_creds.c @@ -32,7 +32,7 @@ client identified by in_creds->client, the server identified by in_creds->server, with options options, expiration date specified in in_creds->times.endtime (0 means as long as possible), session key type - specified in in_creds->keyblock.keytype (if non-zero) + specified in in_creds->keyblock.enctype (if non-zero) Any returned ticket and intermediate ticket-granting tickets are stored in ccache. diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c index cd9e0b87f..3bd684dd7 100644 --- a/src/lib/krb5/krb/get_in_tkt.c +++ b/src/lib/krb5/krb/get_in_tkt.c @@ -61,7 +61,7 @@ extern krb5_deltat krb5_clockskew; /* some typedef's for the function args to make things look a bit cleaner */ typedef krb5_error_code (*git_key_proc) PROTOTYPE((krb5_context, - const krb5_keytype, + const krb5_enctype, krb5_data *, krb5_const_pointer, krb5_keyblock **)); @@ -71,12 +71,12 @@ typedef krb5_error_code (*git_decrypt_proc) PROTOTYPE((krb5_context, krb5_const_pointer, krb5_kdc_rep * )); krb5_error_code -krb5_get_in_tkt(context, options, addrs, etypes, ptypes, key_proc, keyseed, +krb5_get_in_tkt(context, options, addrs, ktypes, ptypes, key_proc, keyseed, decrypt_proc, decryptarg, creds, ccache, ret_as_reply) krb5_context context; const krb5_flags options; krb5_address * const * addrs; - krb5_enctype * etypes; + krb5_enctype * ktypes; krb5_preauthtype * ptypes; git_key_proc key_proc; krb5_const_pointer keyseed; @@ -86,8 +86,7 @@ krb5_get_in_tkt(context, options, addrs, etypes, ptypes, key_proc, keyseed, krb5_ccache ccache; krb5_kdc_rep ** ret_as_reply; { - krb5_keytype keytype; - krb5_enctype etype; + krb5_enctype enctype, ktype; krb5_kdc_req request; krb5_kdc_rep *as_reply = 0; krb5_error *err_reply; @@ -97,6 +96,7 @@ krb5_get_in_tkt(context, options, addrs, etypes, ptypes, key_proc, keyseed, krb5_keyblock *decrypt_key = 0; krb5_timestamp time_now; /* krb5_pa_data *padata; */ + krb5_pa_data **preauth_to_use = 0; int f_salt = 0, use_salt = 0; krb5_data salt; char k4_version; /* same type as *(krb5_data::data) */ @@ -132,7 +132,7 @@ krb5_get_in_tkt(context, options, addrs, etypes, ptypes, key_proc, keyseed, * default. But if we're changing salts, because of a * realm renaming, or some such, this won't work. */ -/* retval = (*key_proc)(context, keytype, &decrypt_key, keyseed, 0); */ +/* retval = (*key_proc)(context, enctype, &decrypt_key, keyseed, 0); */ if (retval) return retval; request.padata = (krb5_pa_data **) malloc(sizeof(krb5_pa_data *) @@ -159,34 +159,32 @@ krb5_get_in_tkt(context, options, addrs, etypes, ptypes, key_proc, keyseed, request.till = creds->times.endtime; request.rtime = creds->times.renew_till; -{ -krb5_int32 usec; -#if 0 if ((retval = krb5_timeofday(context, &time_now))) goto cleanup; -#else - if ((retval = krb5_us_timeofday(context, &time_now, &usec))) - goto cleanup; -#endif -} /* XXX we know they are the same size... */ request.nonce = (krb5_int32) time_now; - if (etypes) - request.etype = etypes; + if (ktypes) + request.ktype = ktypes; else - krb5_get_default_in_tkt_etypes(context, &request.etype); - for (request.netypes = 0;request.etype[request.netypes];request.netypes++); + krb5_get_default_in_tkt_ktypes(context, &request.ktype); + for (request.nktypes = 0;request.ktype[request.nktypes];request.nktypes++); request.authorization_data.ciphertext.length = 0; request.authorization_data.ciphertext.data = 0; request.unenc_authdata = 0; request.second_ticket = 0; + if ((retval = krb5_timeofday(context, &time_now))) + goto cleanup; + + /* XXX we know they are the same size... */ + request.nonce = (krb5_int32) time_now; + /* encode & send to KDC */ retval = encode_krb5_as_req(&request, &packet); - if (!etypes) - free(request.etype); + if (!ktypes) + free(request.ktype); if (retval) goto cleanup; @@ -204,14 +202,15 @@ krb5_int32 usec; /* some other error code--??? */ goto cleanup; - /* it was an error */ + if (err_reply->error == KDC_ERR_PREAUTH_REQUIRED && + err_reply->e_data.length > 0) { + retval = decode_krb5_padata_sequence(&err_reply->e_data, + &preauth_to_use); + /* XXX we need to actually do something with the info */ + krb5_free_pa_data(context, preauth_to_use); + } - if ((err_reply->ctime != request.nonce) || - !krb5_principal_compare(context, err_reply->server, request.server) || - !krb5_principal_compare(context, err_reply->client, request.client)) - retval = KRB5_KDCREP_MODIFIED; - else - retval = err_reply->error + ERROR_TABLE_BASE_krb5; + retval = err_reply->error + ERROR_TABLE_BASE_krb5; /* XXX somehow make error msg text available to application? */ @@ -250,9 +249,8 @@ krb5_int32 usec; goto cleanup; } - /* Encryption type, keytype, */ - etype = as_reply->ticket->enc_part.etype; - keytype = krb5_csarray[etype]->system->proto_keytype; + /* Encryption type, enctype, */ + enctype = as_reply->ticket->enc_part.enctype; /* and salt */ if (as_reply->padata) { @@ -278,7 +276,7 @@ krb5_int32 usec; /* it was a kdc_rep--decrypt & check */ /* Generate the key, if we haven't done so already. */ if (!decrypt_key) { - if ((retval = (*key_proc)(context, keytype, & salt, keyseed, + if ((retval = (*key_proc)(context, enctype, & salt, keyseed, &decrypt_key))) goto cleanup; } @@ -319,7 +317,11 @@ krb5_int32 usec; retval = KRB5_KDCREP_SKEW; goto cleanup; } - + + if (context->library_options & KRB5_LIBOPT_SYNC_KDCTIME) + krb5_set_time_offsets(context, + as_reply->enc_part2->times.authtime - time_now, + 0); /* XXX issue warning if as_reply->enc_part2->key_exp is nearby */ @@ -328,7 +330,6 @@ krb5_int32 usec; as_reply->enc_part2->session, &creds->keyblock))) goto cleanup; - creds->keyblock.etype = as_reply->ticket->enc_part.etype; creds->times = as_reply->enc_part2->times; creds->is_skey = FALSE; /* this is an AS_REQ, so cannot diff --git a/src/lib/krb5/krb/in_tkt_ktb.c b/src/lib/krb5/krb/in_tkt_ktb.c index 2a96b1160..c56ed3c3d 100644 --- a/src/lib/krb5/krb/in_tkt_ktb.c +++ b/src/lib/krb5/krb/in_tkt_ktb.c @@ -39,7 +39,7 @@ struct keytab_keyproc_arg { */ krb5_error_code keytab_keyproc PROTOTYPE((krb5_context, - const krb5_keytype, + const krb5_enctype, krb5_data *, krb5_const_pointer, krb5_keyblock **)); @@ -47,7 +47,7 @@ krb5_error_code keytab_keyproc krb5_error_code keytab_keyproc(context, type, salt, keyseed, key) krb5_context context; - const krb5_keytype type; + const krb5_enctype type; krb5_data * salt; krb5_const_pointer keyseed; krb5_keyblock ** key; @@ -60,7 +60,7 @@ keytab_keyproc(context, type, salt, keyseed, key) kt_id = arg->keytab; - if (!valid_keytype(type)) + if (!valid_enctype(type)) return KRB5_PROG_ETYPE_NOSUPP; if (kt_id == NULL) @@ -79,7 +79,7 @@ keytab_keyproc(context, type, salt, keyseed, key) goto cleanup; } - if (realkey->keytype != type) { + if (realkey->enctype != type) { (void) krb5_kt_free_entry(context, &kt_ent); krb5_free_keyblock(context, realkey); retval = KRB5_PROG_ETYPE_NOSUPP; @@ -113,12 +113,12 @@ cleanup: */ krb5_error_code -krb5_get_in_tkt_with_keytab(context, options, addrs, etypes, pre_auth_types, +krb5_get_in_tkt_with_keytab(context, options, addrs, ktypes, pre_auth_types, keytab, ccache, creds, ret_as_reply) krb5_context context; const krb5_flags options; krb5_address * const * addrs; - krb5_enctype * etypes; + krb5_enctype * ktypes; krb5_preauthtype * pre_auth_types; const krb5_keytab keytab; krb5_ccache ccache; @@ -130,7 +130,7 @@ krb5_get_in_tkt_with_keytab(context, options, addrs, etypes, pre_auth_types, arg.keytab = keytab; arg.client = creds->client; - return (krb5_get_in_tkt(context, options, addrs, etypes, pre_auth_types, + return (krb5_get_in_tkt(context, options, addrs, ktypes, pre_auth_types, keytab_keyproc, (krb5_pointer)&arg, krb5_kdc_rep_decrypt_proc, 0, creds, ccache, ret_as_reply)); diff --git a/src/lib/krb5/krb/in_tkt_pwd.c b/src/lib/krb5/krb/in_tkt_pwd.c index 7ef870520..e73b1898d 100644 --- a/src/lib/krb5/krb/in_tkt_pwd.c +++ b/src/lib/krb5/krb/in_tkt_pwd.c @@ -33,7 +33,7 @@ extern char *krb5_default_pwd_prompt1; */ krb5_error_code pwd_keyproc PROTOTYPE((krb5_context, - const krb5_keytype, + const krb5_enctype, krb5_data *, krb5_const_pointer, krb5_keyblock **)); @@ -41,7 +41,7 @@ krb5_error_code pwd_keyproc krb5_error_code pwd_keyproc(context, type, salt, keyseed, key) krb5_context context; - const krb5_keytype type; + const krb5_enctype type; krb5_data * salt; krb5_const_pointer keyseed; krb5_keyblock ** key; @@ -52,10 +52,10 @@ pwd_keyproc(context, type, salt, keyseed, key) krb5_data * password; int pwsize = sizeof(pwdbuf); - if (!valid_keytype(type)) - return KRB5_PROG_KEYTYPE_NOSUPP; + if (!valid_enctype(type)) + return KRB5_PROG_ETYPE_NOSUPP; - krb5_use_keytype(context, &eblock, type); + krb5_use_enctype(context, &eblock, type); password = (krb5_data *)keyseed; @@ -96,12 +96,12 @@ pwd_keyproc(context, type, salt, keyseed, key) returns system errors, encryption errors */ krb5_error_code INTERFACE -krb5_get_in_tkt_with_password(context, options, addrs, etypes, pre_auth_types, +krb5_get_in_tkt_with_password(context, options, addrs, ktypes, pre_auth_types, password, ccache, creds, ret_as_reply) krb5_context context; const krb5_flags options; krb5_address * const * addrs; - krb5_enctype * etypes; + krb5_enctype * ktypes; krb5_preauthtype * pre_auth_types; const char * password; krb5_ccache ccache; @@ -118,7 +118,7 @@ krb5_get_in_tkt_with_password(context, options, addrs, etypes, pre_auth_types, data.length = 0; } - retval = krb5_get_in_tkt(context, options, addrs, etypes, pre_auth_types, + retval = krb5_get_in_tkt(context, options, addrs, ktypes, pre_auth_types, pwd_keyproc, (krb5_pointer) &data, krb5_kdc_rep_decrypt_proc, 0, creds, ccache, ret_as_reply); diff --git a/src/lib/krb5/krb/in_tkt_sky.c b/src/lib/krb5/krb/in_tkt_sky.c index 8cc03a025..9e4bea0dc 100644 --- a/src/lib/krb5/krb/in_tkt_sky.c +++ b/src/lib/krb5/krb/in_tkt_sky.c @@ -39,7 +39,7 @@ struct skey_keyproc_arg { */ krb5_error_code skey_keyproc PROTOTYPE((krb5_context, - const krb5_keytype, + const krb5_enctype, krb5_data *, krb5_const_pointer, krb5_keyblock **)); @@ -47,7 +47,7 @@ krb5_error_code skey_keyproc krb5_error_code skey_keyproc(context, type, salt, keyseed, key) krb5_context context; - const krb5_keytype type; + const krb5_enctype type; krb5_data * salt; krb5_const_pointer keyseed; krb5_keyblock ** key; @@ -58,13 +58,13 @@ skey_keyproc(context, type, salt, keyseed, key) keyblock = (const krb5_keyblock *)keyseed; - if (!valid_keytype(type)) + if (!valid_enctype(type)) return KRB5_PROG_ETYPE_NOSUPP; if ((retval = krb5_copy_keyblock(context, keyblock, &realkey))) return retval; - if (realkey->keytype != type) { + if (realkey->enctype != type) { krb5_free_keyblock(context, realkey); return KRB5_PROG_ETYPE_NOSUPP; } @@ -95,12 +95,12 @@ skey_keyproc(context, type, salt, keyseed, key) */ krb5_error_code -krb5_get_in_tkt_with_skey(context, options, addrs, etypes, pre_auth_types, +krb5_get_in_tkt_with_skey(context, options, addrs, ktypes, pre_auth_types, key, ccache, creds, ret_as_reply) krb5_context context; const krb5_flags options; krb5_address * const * addrs; - krb5_enctype * etypes; + krb5_enctype * ktypes; krb5_preauthtype * pre_auth_types; const krb5_keyblock * key; krb5_ccache ccache; @@ -109,12 +109,12 @@ krb5_get_in_tkt_with_skey(context, options, addrs, etypes, pre_auth_types, { if (key) - return krb5_get_in_tkt(context, options, addrs, etypes, pre_auth_types, + return krb5_get_in_tkt(context, options, addrs, ktypes, pre_auth_types, skey_keyproc, (krb5_pointer)key, krb5_kdc_rep_decrypt_proc, 0, creds, ccache, ret_as_reply); else - return krb5_get_in_tkt_with_keytab(context, options, addrs, etypes, + return krb5_get_in_tkt_with_keytab(context, options, addrs, ktypes, pre_auth_types, NULL, ccache, creds, ret_as_reply); } diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c index 00bf2d528..88de37064 100644 --- a/src/lib/krb5/krb/init_ctx.c +++ b/src/lib/krb5/krb/init_ctx.c @@ -31,6 +31,7 @@ krb5_init_context(context) { krb5_context ctx; krb5_error_code retval; + int tmp; *context = 0; @@ -41,14 +42,23 @@ krb5_init_context(context) ctx->magic = KV5M_CONTEXT; /* Set the default encryption types, possible defined in krb5/conf */ - if ((retval = krb5_set_default_in_tkt_etypes(ctx, NULL))) + if ((retval = krb5_set_default_in_tkt_ktypes(ctx, NULL))) goto cleanup; if ((retval = krb5_os_init_context(ctx))) goto cleanup; - ctx->default_realm = 0; + profile_get_integer(ctx->profile, "libdefaults", + "clockskew", 0, 5 * 60, + &tmp); + ctx->clockskew = tmp; + ctx->kdc_req_sumtype = CKSUMTYPE_RSA_MD5; + ctx->kdc_default_options = KDC_OPT_RENEWABLE_OK; + profile_get_integer(ctx->profile, "libdefaults", + "kdc_timesync", 0, 0, + &tmp); + ctx->library_options = tmp ? KRB5_LIBOPT_SYNC_KDCTIME : 0; *context = ctx; return 0; @@ -64,8 +74,8 @@ krb5_free_context(ctx) { krb5_os_free_context(ctx); - if (ctx->etypes) - free(ctx->etypes); + if (ctx->ktypes) + free(ctx->ktypes); if (ctx->default_realm) free(ctx->default_realm); @@ -78,25 +88,25 @@ krb5_free_context(ctx) } /* - * Set the desired default etypes, making sure they are valid. + * Set the desired default ktypes, making sure they are valid. */ krb5_error_code -krb5_set_default_in_tkt_etypes(context, etypes) +krb5_set_default_in_tkt_ktypes(context, ktypes) krb5_context context; - const krb5_enctype *etypes; + const krb5_enctype *ktypes; { - krb5_enctype * new_etypes; + krb5_enctype * new_ktypes; int i; - if (etypes) { - for (i = 0; etypes[i]; i++) { - if (!valid_etype(etypes[i])) + if (ktypes) { + for (i = 0; ktypes[i]; i++) { + if (!valid_enctype(ktypes[i])) return KRB5_PROG_ETYPE_NOSUPP; } - /* Now copy the default etypes into the context pointer */ - if ((new_etypes = (krb5_enctype *)malloc(sizeof(krb5_enctype) * i))) - memcpy(new_etypes, etypes, sizeof(krb5_enctype) * i); + /* Now copy the default ktypes into the context pointer */ + if ((new_ktypes = (krb5_enctype *)malloc(sizeof(krb5_enctype) * i))) + memcpy(new_ktypes, ktypes, sizeof(krb5_enctype) * i); else return ENOMEM; @@ -104,38 +114,38 @@ krb5_set_default_in_tkt_etypes(context, etypes) i = 2; /* Should reset the list to the runtime defaults */ - if ((new_etypes = (krb5_enctype *)malloc(sizeof(krb5_enctype) * i))) { - new_etypes[0] = ETYPE_DES_CBC_MD5; - new_etypes[1] = ETYPE_DES_CBC_CRC; + if ((new_ktypes = (krb5_enctype *)malloc(sizeof(krb5_enctype) * i))) { + new_ktypes[0] = ENCTYPE_DES_CBC_MD5; + new_ktypes[1] = ENCTYPE_DES_CBC_CRC; } else { return ENOMEM; } } - if (context->etypes) - free(context->etypes); - context->etypes = new_etypes; - context->etype_count = i; + if (context->ktypes) + free(context->ktypes); + context->ktypes = new_ktypes; + context->ktype_count = i; return 0; } krb5_error_code -krb5_get_default_in_tkt_etypes(context, etypes) +krb5_get_default_in_tkt_ktypes(context, ktypes) krb5_context context; - krb5_enctype **etypes; + krb5_enctype **ktypes; { - krb5_enctype * old_etypes; + krb5_enctype * old_ktypes; - if ((old_etypes = (krb5_enctype *)malloc(sizeof(krb5_enctype) * - (context->etype_count + 1)))) { - memcpy(old_etypes, context->etypes, sizeof(krb5_enctype) * - context->etype_count); - old_etypes[context->etype_count] = 0; + if ((old_ktypes = (krb5_enctype *)malloc(sizeof(krb5_enctype) * + (context->ktype_count + 1)))) { + memcpy(old_ktypes, context->ktypes, sizeof(krb5_enctype) * + context->ktype_count); + old_ktypes[context->ktype_count] = 0; } else { return ENOMEM; } - *etypes = old_etypes; + *ktypes = old_ktypes; return 0; } diff --git a/src/lib/krb5/krb/kdc_rep_dc.c b/src/lib/krb5/krb/kdc_rep_dc.c index b1f9a7dac..e9431aef9 100644 --- a/src/lib/krb5/krb/kdc_rep_dc.c +++ b/src/lib/krb5/krb/kdc_rep_dc.c @@ -45,7 +45,7 @@ krb5_kdc_rep_decrypt_proc(context, key, decryptarg, dec_rep) krb5_data scratch; krb5_enc_kdc_rep_part *local_encpart; - if (!valid_etype(dec_rep->enc_part.etype)) + if (!valid_enctype(dec_rep->enc_part.enctype)) return KRB5_PROG_ETYPE_NOSUPP; /* set up scratch decrypt/decode area */ @@ -57,7 +57,7 @@ krb5_kdc_rep_decrypt_proc(context, key, decryptarg, dec_rep) /* put together an eblock for this encryption */ - krb5_use_cstype(context, &eblock, dec_rep->enc_part.etype); + krb5_use_enctype(context, &eblock, dec_rep->enc_part.enctype); /* do any necessary key pre-processing */ if ((retval = krb5_process_key(context, &eblock, key))) { diff --git a/src/lib/krb5/krb/krbconfig.c b/src/lib/krb5/krb/krbconfig.c index f0ae06d5c..7401bd38f 100644 --- a/src/lib/krb5/krb/krbconfig.c +++ b/src/lib/krb5/krb/krbconfig.c @@ -27,5 +27,5 @@ #include "k5-int.h" krb5_deltat krb5_clockskew = 5 * 60; /* five minutes */ -krb5_cksumtype krb5_kdc_req_sumtype = CKSUMTYPE_RSA_MD4; +krb5_cksumtype krb5_kdc_req_sumtype = CKSUMTYPE_RSA_MD5; krb5_flags krb5_kdc_default_options = KDC_OPT_RENEWABLE_OK; diff --git a/src/lib/krb5/krb/mk_cred.c b/src/lib/krb5/krb/mk_cred.c index 9d2ef6d8e..5e399a106 100644 --- a/src/lib/krb5/krb/mk_cred.c +++ b/src/lib/krb5/krb/mk_cred.c @@ -31,7 +31,7 @@ encrypt_credencpart(context, pcredpart, pkeyblock, pencdata) krb5_encrypt_block eblock; krb5_data * scratch; - if (!valid_etype(pkeyblock->etype)) + if (!valid_enctype(pkeyblock->enctype)) return KRB5_PROG_ETYPE_NOSUPP; /* start by encoding to-be-encrypted part of the message */ @@ -41,9 +41,9 @@ encrypt_credencpart(context, pcredpart, pkeyblock, pencdata) /* put together an eblock for this encryption */ pencdata->kvno = 0; - pencdata->etype = pkeyblock->etype; + pencdata->enctype = pkeyblock->enctype; - krb5_use_cstype(context, &eblock, pkeyblock->etype); + krb5_use_enctype(context, &eblock, pkeyblock->enctype); pencdata->ciphertext.length = krb5_encrypt_size(scratch->length, eblock.crypto_entry); diff --git a/src/lib/krb5/krb/mk_priv.c b/src/lib/krb5/krb/mk_priv.c index cf535ff07..dabfd8dc9 100644 --- a/src/lib/krb5/krb/mk_priv.c +++ b/src/lib/krb5/krb/mk_priv.c @@ -46,11 +46,11 @@ krb5_mk_priv_basic(context, userdata, keyblock, replaydata, local_addr, krb5_priv_enc_part privmsg_enc_part; krb5_data *scratch1, *scratch2; - if (!valid_etype(keyblock->etype)) + if (!valid_enctype(keyblock->enctype)) return KRB5_PROG_ETYPE_NOSUPP; privmsg.enc_part.kvno = 0; /* XXX allow user-set? */ - privmsg.enc_part.etype = keyblock->etype; + privmsg.enc_part.enctype = keyblock->enctype; privmsg_enc_part.user_data = *userdata; privmsg_enc_part.s_address = local_addr; @@ -66,7 +66,7 @@ krb5_mk_priv_basic(context, userdata, keyblock, replaydata, local_addr, return retval; /* put together an eblock for this encryption */ - krb5_use_cstype(context, &eblock, keyblock->etype); + krb5_use_enctype(context, &eblock, keyblock->enctype); privmsg.enc_part.ciphertext.length = krb5_encrypt_size(scratch1->length, eblock.crypto_entry); /* add padding area, and zero it */ diff --git a/src/lib/krb5/krb/mk_rep.c b/src/lib/krb5/krb/mk_rep.c index e1f31be38..b1c17b6b9 100644 --- a/src/lib/krb5/krb/mk_rep.c +++ b/src/lib/krb5/krb/mk_rep.c @@ -43,21 +43,15 @@ krb5_mk_rep(context, auth_context, outbuf) krb5_data * outbuf; { krb5_error_code retval; - krb5_keytype keytype; - krb5_enctype etype; + krb5_enctype enctype; krb5_ap_rep_enc_part repl; krb5_encrypt_block eblock; krb5_ap_rep reply; krb5_data * scratch; krb5_data * toutbuf; - /* verify a valid etype is available */ - if (!valid_keytype(keytype = auth_context->keyblock->keytype)) - return KRB5_PROG_KEYTYPE_NOSUPP; - - etype = krb5_keytype_array[keytype]->system->proto_enctype; - - if (!valid_etype(etype)) + /* verify a valid enctype is available */ + if (!valid_enctype(enctype = auth_context->keyblock->enctype)) return KRB5_PROG_ETYPE_NOSUPP; /* Make the reply */ @@ -79,8 +73,8 @@ krb5_mk_rep(context, auth_context, outbuf) return retval; /* put together an eblock for this encryption */ - krb5_use_cstype(context, &eblock, etype); - reply.enc_part.etype = etype; + krb5_use_enctype(context, &eblock, enctype); + reply.enc_part.enctype = enctype; reply.enc_part.kvno = 0; /* XXX user set? */ reply.enc_part.ciphertext.length = krb5_encrypt_size(scratch->length, diff --git a/src/lib/krb5/krb/mk_req_ext.c b/src/lib/krb5/krb/mk_req_ext.c index 20d0da4ee..df97c2bf5 100644 --- a/src/lib/krb5/krb/mk_req_ext.c +++ b/src/lib/krb5/krb/mk_req_ext.c @@ -98,8 +98,8 @@ krb5_mk_req_extended(context, auth_context, ap_req_options, in_data, in_creds, if ((retval = decode_krb5_ticket(&(in_creds)->ticket, &request.ticket))) return(retval); - /* verify a valid etype is available */ - if (!valid_etype(request.ticket->enc_part.etype)) { + /* verify a valid enctype is available */ + if (!valid_enctype(request.ticket->enc_part.enctype)) { retval = KRB5_PROG_ETYPE_NOSUPP; goto cleanup; } @@ -139,7 +139,6 @@ krb5_mk_req_extended(context, auth_context, ap_req_options, in_data, in_creds, checksum.length = in_data->length; checksum.contents = (krb5_octet *) in_data->data; } else { - int T = krb5_checksum_size(context, (*auth_context)->cksumtype); /* Generate checksum, XXX What should the seed be? */ if ((checksum.contents = (krb5_octet *)malloc(krb5_checksum_size(context, (*auth_context)->cksumtype))) == NULL) { @@ -186,8 +185,8 @@ krb5_mk_req_extended(context, auth_context, ap_req_options, in_data, in_creds, /* put together an eblock for this encryption */ - krb5_use_cstype(context, &eblock, request.ticket->enc_part.etype); - request.authenticator.etype = request.ticket->enc_part.etype; + krb5_use_enctype(context, &eblock, request.ticket->enc_part.enctype); + request.authenticator.enctype = request.ticket->enc_part.enctype; request.authenticator.kvno = 0; request.authenticator.ciphertext.length = krb5_encrypt_size(scratch->length, eblock.crypto_entry); diff --git a/src/lib/krb5/krb/preauth.c b/src/lib/krb5/krb/preauth.c index 664597617..e41399a46 100644 --- a/src/lib/krb5/krb/preauth.c +++ b/src/lib/krb5/krb/preauth.c @@ -122,7 +122,7 @@ krb5_obtain_padata(context, type, client, src_addr, encrypt_key, ret_data) retval = KRB5_PREAUTH_NO_KEY; goto error_out; } - krb5_use_keytype(context, &eblock, encrypt_key->keytype); + krb5_use_enctype(context, &eblock, encrypt_key->enctype); /* do any necessay key pre-processing */ retval = krb5_process_key(context, &eblock, encrypt_key); @@ -214,7 +214,7 @@ krb5_verify_padata(context, data,client,src_addr, decrypt_key, req_id, flags) if (!decrypt_key) return(EINVAL); - krb5_use_keytype(context, &eblock, decrypt_key->keytype); + krb5_use_enctype(context, &eblock, decrypt_key->enctype); scratch.length = data->length; if (!(scratch.data = (char *)malloc(scratch.length))) { diff --git a/src/lib/krb5/krb/rd_cred.c b/src/lib/krb5/krb/rd_cred.c index c8effba83..bb2398e19 100644 --- a/src/lib/krb5/krb/rd_cred.c +++ b/src/lib/krb5/krb/rd_cred.c @@ -23,11 +23,11 @@ decrypt_credencdata(context, pcred, pkeyblock, pcredenc) krb5_error_code retval; krb5_data scratch; - if (!valid_etype(pcred->enc_part.etype)) + if (!valid_enctype(pcred->enc_part.enctype)) return KRB5_PROG_ETYPE_NOSUPP; /* put together an eblock for this decryption */ - krb5_use_cstype(context, &eblock, pcred->enc_part.etype); + krb5_use_enctype(context, &eblock, pcred->enc_part.enctype); scratch.length = pcred->enc_part.ciphertext.length; if (!(scratch.data = (char *)malloc(scratch.length))) diff --git a/src/lib/krb5/krb/rd_priv.c b/src/lib/krb5/krb/rd_priv.c index 75df2f17e..9dd975e05 100644 --- a/src/lib/krb5/krb/rd_priv.c +++ b/src/lib/krb5/krb/rd_priv.c @@ -77,13 +77,13 @@ krb5_rd_priv_basic(context, inbuf, keyblock, local_addr, remote_addr, if ((retval = decode_krb5_priv(inbuf, &privmsg))) return retval; - if (!valid_etype(privmsg->enc_part.etype)) { + if (!valid_enctype(privmsg->enc_part.enctype)) { retval = KRB5_PROG_ETYPE_NOSUPP; goto cleanup_privmsg; } /* put together an eblock for this decryption */ - krb5_use_cstype(context, &eblock, privmsg->enc_part.etype); + krb5_use_enctype(context, &eblock, privmsg->enc_part.enctype); scratch.length = privmsg->enc_part.ciphertext.length; if (!(scratch.data = malloc(scratch.length))) { diff --git a/src/lib/krb5/krb/rd_rep.c b/src/lib/krb5/krb/rd_rep.c index 4414215cb..9f811cdf3 100644 --- a/src/lib/krb5/krb/rd_rep.c +++ b/src/lib/krb5/krb/rd_rep.c @@ -60,11 +60,11 @@ krb5_rd_rep(context, auth_context, inbuf, repl) /* put together an eblock for this encryption */ - if (!valid_etype(reply->enc_part.etype)) { + if (!valid_enctype(reply->enc_part.enctype)) { krb5_free_ap_rep(context, reply); return KRB5_PROG_ETYPE_NOSUPP; } - krb5_use_cstype(context, &eblock, reply->enc_part.etype); + krb5_use_enctype(context, &eblock, reply->enc_part.enctype); scratch.length = reply->enc_part.ciphertext.length; if (!(scratch.data = malloc(scratch.length))) { @@ -103,7 +103,6 @@ krb5_rd_rep(context, auth_context, inbuf, repl) /* Set auth subkey */ if ((*repl)->subkey) { - (*repl)->subkey->etype = reply->enc_part.etype; retval = krb5_copy_keyblock(context, (*repl)->subkey, &auth_context->remote_subkey); } diff --git a/src/lib/krb5/krb/rd_req_dec.c b/src/lib/krb5/krb/rd_req_dec.c index 10e566aa7..f6348c3f9 100644 --- a/src/lib/krb5/krb/rd_req_dec.c +++ b/src/lib/krb5/krb/rd_req_dec.c @@ -70,18 +70,18 @@ krb5_rd_req_decrypt_tkt_part(context, req, keytab) { krb5_error_code retval; - krb5_keytype keytype; + krb5_enctype enctype; krb5_keytab_entry ktent; /* - * OK we know the encryption type req->ticket->enc_part.etype, - * and now we need to get the keytype + * OK we know the encryption type req->ticket->enc_part.enctype, + * and now we need to get the enctype */ - keytype = krb5_csarray[req->ticket->enc_part.etype]->system->proto_keytype; + enctype = req->ticket->enc_part.enctype; if ((retval = krb5_kt_get_entry(context, keytab, req->ticket->server, req->ticket->enc_part.kvno, - keytype, &ktent))) + enctype, &ktent))) return retval; if ((retval = krb5_decrypt_tkt_part(context, &ktent.key, req->ticket))) @@ -301,15 +301,12 @@ decrypt_authenticator(context, request, authpp) sesskey = request->ticket->enc_part2->session; - if (!valid_keytype(sesskey->keytype)) - return KRB5_PROG_KEYTYPE_NOSUPP; + if (!valid_enctype(sesskey->enctype)) + return KRB5_PROG_ETYPE_NOSUPP; /* put together an eblock for this encryption */ - if (!valid_etype(request->authenticator.etype)) - return KRB5_PROG_ETYPE_NOSUPP; - - krb5_use_cstype(context, &eblock, request->authenticator.etype); + krb5_use_enctype(context, &eblock, request->authenticator.enctype); scratch.length = request->authenticator.ciphertext.length; if (!(scratch.data = malloc(scratch.length))) @@ -340,8 +337,6 @@ free(scratch.data);} /* now decode the decrypted stuff */ if (!(retval = decode_krb5_authenticator(&scratch, &local_auth))) { *authpp = local_auth; - if (local_auth->subkey) - local_auth->subkey->etype = request->authenticator.etype; } clean_scratch(); return retval; diff --git a/src/lib/krb5/krb/send_tgs.c b/src/lib/krb5/krb/send_tgs.c index 971686483..1481c555d 100644 --- a/src/lib/krb5/krb/send_tgs.c +++ b/src/lib/krb5/krb/send_tgs.c @@ -30,7 +30,7 @@ Sends a request to the TGS and waits for a response. options is used for the options in the KRB_TGS_REQ. timestruct values are used for from, till, rtime " " " - etype is used for etype " " ", and to encrypt the authorization data, + enctype is used for enctype " " ", and to encrypt the authorization data, sname is used for sname " " " addrs, if non-NULL, is used for addresses " " " authorization_dat, if non-NULL, is used for authorization_dat " " " @@ -105,8 +105,8 @@ krb5_send_tgs_basic(context, in_data, in_cred, outbuf) goto cleanup_data; /* put together an eblock for this encryption */ - krb5_use_cstype(context, &eblock, request.ticket->enc_part.etype); - request.authenticator.etype = request.ticket->enc_part.etype; + krb5_use_enctype(context, &eblock, request.ticket->enc_part.enctype); + request.authenticator.enctype = request.ticket->enc_part.enctype; request.authenticator.ciphertext.length = krb5_encrypt_size(scratch->length, eblock.crypto_entry); @@ -165,12 +165,12 @@ cleanup_scratch: } krb5_error_code -krb5_send_tgs(context, kdcoptions, timestruct, etypes, sname, addrs, +krb5_send_tgs(context, kdcoptions, timestruct, ktypes, sname, addrs, authorization_data, padata, second_ticket, in_cred, rep) krb5_context context; const krb5_flags kdcoptions; const krb5_ticket_times * timestruct; - const krb5_enctype * etypes; + const krb5_enctype * ktypes; krb5_const_principal sname; krb5_address * const * addrs; krb5_authdata * const * authorization_data; @@ -203,17 +203,11 @@ krb5_send_tgs(context, kdcoptions, timestruct, etypes, sname, addrs, tgsreq.from = timestruct->starttime; tgsreq.till = timestruct->endtime; tgsreq.rtime = timestruct->renew_till; -#if 0 if ((retval = krb5_timeofday(context, &time_now))) return(retval); -#else -{long usec; - if ((retval = krb5_us_timeofday(context, &time_now, &usec))) - return(retval); -} -#endif /* XXX we know they are the same size... */ - tgsreq.nonce = (krb5_int32) time_now; + rep->expected_nonce = tgsreq.nonce = (krb5_int32) time_now; + rep->request_time = time_now; tgsreq.addresses = (krb5_address **) addrs; @@ -224,8 +218,8 @@ krb5_send_tgs(context, kdcoptions, timestruct, etypes, sname, addrs, if ((retval = encode_krb5_authdata((const krb5_authdata**)authorization_data, &scratch))) return(retval); - krb5_use_cstype(context, &eblock, in_cred->keyblock.etype); - tgsreq.authorization_data.etype = in_cred->keyblock.etype; + krb5_use_enctype(context, &eblock, in_cred->keyblock.enctype); + tgsreq.authorization_data.enctype = in_cred->keyblock.enctype; tgsreq.authorization_data.kvno = 0; /* ticket session key has */ /* no version */ tgsreq.authorization_data.ciphertext.length = @@ -266,17 +260,17 @@ krb5_send_tgs(context, kdcoptions, timestruct, etypes, sname, addrs, } /* Get the encryption types list */ - if (etypes) { - /* Check passed etypes and make sure they're valid. */ - for (tgsreq.netypes = 0; etypes[tgsreq.netypes]; tgsreq.netypes++) { - if (!valid_etype(etypes[tgsreq.netypes])) + if (ktypes) { + /* Check passed ktypes and make sure they're valid. */ + for (tgsreq.nktypes = 0; ktypes[tgsreq.nktypes]; tgsreq.nktypes++) { + if (!valid_enctype(ktypes[tgsreq.nktypes])) return KRB5_PROG_ETYPE_NOSUPP; } - tgsreq.etype = (krb5_enctype *)etypes; + tgsreq.ktype = (krb5_enctype *)ktypes; } else { - /* Get the default etypes */ - krb5_get_default_in_tkt_etypes(context, &(tgsreq.etype)); - for(tgsreq.netypes = 0; tgsreq.etype[tgsreq.netypes]; tgsreq.netypes++); + /* Get the default ktypes */ + krb5_get_default_in_tkt_ktypes(context, &(tgsreq.ktype)); + for(tgsreq.nktypes = 0; tgsreq.ktype[tgsreq.nktypes]; tgsreq.nktypes++); } if (second_ticket) { @@ -359,8 +353,8 @@ send_tgs_error_2:; krb5_free_ticket(context, sec_ticket); send_tgs_error_1:; - if (etypes == NULL) - krb5_xfree(tgsreq.etype); + if (ktypes == NULL) + krb5_xfree(tgsreq.ktype); if (tgsreq.authorization_data.ciphertext.data) { memset(tgsreq.authorization_data.ciphertext.data, 0, tgsreq.authorization_data.ciphertext.length); diff --git a/src/lib/krb5/krb/sendauth.c b/src/lib/krb5/krb/sendauth.c index 631d86129..6ca38d9ce 100644 --- a/src/lib/krb5/krb/sendauth.c +++ b/src/lib/krb5/krb/sendauth.c @@ -137,8 +137,8 @@ krb5_sendauth(context, auth_context, } /* creds.times.endtime = 0; -- memset 0 takes care of this zero means "as long as possible" */ - /* creds.keyblock.keytype = 0; -- as well as this. - zero means no session keytype + /* creds.keyblock.enctype = 0; -- as well as this. + zero means no session enctype preference */ in_creds = &creds; } diff --git a/src/lib/krb5/krb/ser_actx.c b/src/lib/krb5/krb/ser_actx.c index 0b0cdd4c5..ed15d1283 100644 --- a/src/lib/krb5/krb/ser_actx.c +++ b/src/lib/krb5/krb/ser_actx.c @@ -100,7 +100,7 @@ krb5_auth_context_size(kcontext, arg, sizep) /* Calculate size required by i_vector - ptooey */ if (auth_context->i_vector && auth_context->keyblock) required += (size_t) - krb5_keytype_array[auth_context->keyblock->keytype]-> + krb5_enctype_array[auth_context->keyblock->enctype]-> system->block_length; /* Calculate size required by remote_addr, if appropriate */ @@ -225,7 +225,7 @@ krb5_auth_context_externalize(kcontext, arg, buffer, lenremain) /* Now figure out the number of bytes for i_vector and write it */ obuf = (!auth_context->i_vector) ? 0 : (krb5_int32) - krb5_keytype_array[auth_context->keyblock->keytype]-> + krb5_enctype_array[auth_context->keyblock->enctype]-> system->block_length; (void) krb5_ser_pack_int32(obuf, &bp, &remain); diff --git a/src/lib/krb5/krb/ser_ctx.c b/src/lib/krb5/krb/ser_ctx.c index d1c296be4..695c43c96 100644 --- a/src/lib/krb5/krb/ser_ctx.c +++ b/src/lib/krb5/krb/ser_ctx.c @@ -105,8 +105,8 @@ krb5_context_size(kcontext, arg, sizep) * krb5_int32 for KV5M_CONTEXT * krb5_int32 for sizeof(default_realm) * strlen(default_realm) for default_realm. - * krb5_int32 for netypes*sizeof(krb5_int32) - * netypes*sizeof(krb5_int32) for etypes. + * krb5_int32 for nktypes*sizeof(krb5_int32) + * nktypes*sizeof(krb5_int32) for ktypes. * krb5_int32 for trailer. */ kret = EINVAL; @@ -116,7 +116,7 @@ krb5_context_size(kcontext, arg, sizep) sizeof(krb5_int32) + sizeof(krb5_int32) + sizeof(krb5_int32) + - (context->etype_count * sizeof(krb5_int32))); + (context->ktype_count * sizeof(krb5_int32))); if (context->default_realm) required += strlen(context->default_realm); @@ -187,13 +187,13 @@ krb5_context_externalize(kcontext, arg, buffer, lenremain) strlen(context->default_realm), &bp, &remain); - /* Now number of etypes */ - (void) krb5_ser_pack_int32((krb5_int32) context->etype_count, + /* Now number of ktypes */ + (void) krb5_ser_pack_int32((krb5_int32) context->ktype_count, &bp, &remain); - /* Now serialize etypes */ - for (i=0; ietype_count; i++) - (void) krb5_ser_pack_int32((krb5_int32) context->etypes[i], + /* Now serialize ktypes */ + for (i=0; iktype_count; i++) + (void) krb5_ser_pack_int32((krb5_int32) context->ktypes[i], &bp, &remain); kret = 0; @@ -280,22 +280,22 @@ krb5_context_internalize(kcontext, argp, buffer, lenremain) context->default_realm[ibuf] = '\0'; } - /* Get the number of etypes */ + /* Get the number of ktypes */ if (!(kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain))) { /* Reduce it to a count */ - context->etype_count = ibuf; - if ((context->etypes = (krb5_enctype *) + context->ktype_count = ibuf; + if ((context->ktypes = (krb5_enctype *) malloc(sizeof(krb5_enctype) * - (context->etype_count+1)))) { - memset(context->etypes, + (context->ktype_count+1)))) { + memset(context->ktypes, 0, sizeof(krb5_enctype) * - (context->etype_count + 1)); - for (i=0; ietype_count; i++) { + (context->ktype_count + 1)); + for (i=0; iktype_count; i++) { if ((kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain))) break; - context->etypes[i] = (krb5_enctype) ibuf; + context->ktypes[i] = (krb5_enctype) ibuf; } } } @@ -448,6 +448,7 @@ krb5_oscontext_internalize(kcontext, argp, buffer, lenremain) malloc(sizeof(struct _krb5_os_context))) && (remain >= 4*sizeof(krb5_int32))) { memset(os_ctx, 0, sizeof(struct _krb5_os_context)); + os_ctx->magic = KV5M_OS_CONTEXT; /* Read out our context */ (void) krb5_ser_unpack_int32(&os_ctx->time_offset, &bp, &remain); @@ -460,8 +461,7 @@ krb5_oscontext_internalize(kcontext, argp, buffer, lenremain) kret = 0; *buffer = bp; *lenremain = remain; - } - else + } else kret = EINVAL; } } diff --git a/src/lib/krb5/krb/ser_eblk.c b/src/lib/krb5/krb/ser_eblk.c index 791963e7d..20b3da672 100644 --- a/src/lib/krb5/krb/ser_eblk.c +++ b/src/lib/krb5/krb/ser_eblk.c @@ -63,14 +63,13 @@ krb5_encrypt_block_size(kcontext, arg, sizep) size_t required; /* - * NOTE: This ASSuMES that keytype and etype are sufficient to recreate + * NOTE: This ASSuMES that enctype are sufficient to recreate * the _krb5_cryptosystem_entry. If this is not true, then something else * had better be encoded here. * * krb5_encrypt_block base requirements: * krb5_int32 for KV5M_ENCRYPT_BLOCK - * krb5_int32 for keytype - * krb5_int32 for etype; + * krb5_int32 for enctype * krb5_int32 for private length * encrypt_block->priv_size for private contents * krb5_int32 for KV5M_ENCRYPT_BLOCK @@ -123,12 +122,7 @@ krb5_encrypt_block_externalize(kcontext, arg, buffer, lenremain) /* Our identifier */ (void) krb5_ser_pack_int32(KV5M_ENCRYPT_BLOCK, &bp, &remain); - /* Our keytype */ - (void) krb5_ser_pack_int32((krb5_int32) encrypt_block-> - crypto_entry->proto_keytype, - &bp, &remain); - - /* Our etype */ + /* Our enctype */ (void) krb5_ser_pack_int32((krb5_int32) encrypt_block-> crypto_entry->proto_enctype, &bp, &remain); @@ -177,8 +171,7 @@ krb5_encrypt_block_internalize(kcontext, argp, buffer, lenremain) krb5_error_code kret; krb5_encrypt_block *encrypt_block; krb5_int32 ibuf; - krb5_keytype ktype; - krb5_enctype etype; + krb5_enctype ktype; krb5_octet *bp; size_t remain; @@ -197,20 +190,12 @@ krb5_encrypt_block_internalize(kcontext, argp, buffer, lenremain) malloc(sizeof(krb5_encrypt_block)))) { memset(encrypt_block, 0, sizeof(krb5_encrypt_block)); - /* Get the keytype */ - (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); - ktype = (krb5_keytype) ibuf; - - /* Get the etype */ + /* Get the enctype */ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); - etype = (krb5_enctype) ibuf; + ktype = (krb5_enctype) ibuf; - /* - * Use the etype to determine the crypto_system entry. In the - * future, we may need to use a combination of keytype/etype or - * just keytype here. - */ - krb5_use_cstype(kcontext, encrypt_block, etype); + /* Use the ktype to determine the crypto_system entry. */ + krb5_use_enctype(kcontext, encrypt_block, ktype); /* Get the length */ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); diff --git a/src/lib/krb5/krb/ser_key.c b/src/lib/krb5/krb/ser_key.c index eacbf011a..d999647b5 100644 --- a/src/lib/krb5/krb/ser_key.c +++ b/src/lib/krb5/krb/ser_key.c @@ -64,8 +64,7 @@ krb5_keyblock_size(kcontext, arg, sizep) /* * krb5_keyblock requires: * krb5_int32 for KV5M_KEYBLOCK - * krb5_int32 for keytype - * krb5_int32 for etype; + * krb5_int32 for enctype * krb5_int32 for length * keyblock->length for contents * krb5_int32 for KV5M_KEYBLOCK @@ -110,12 +109,8 @@ krb5_keyblock_externalize(kcontext, arg, buffer, lenremain) /* Our identifier */ (void) krb5_ser_pack_int32(KV5M_KEYBLOCK, &bp, &remain); - /* Our keytype */ - (void) krb5_ser_pack_int32((krb5_int32) keyblock->keytype, - &bp, &remain); - - /* Our etype */ - (void) krb5_ser_pack_int32((krb5_int32) keyblock->etype, + /* Our enctype */ + (void) krb5_ser_pack_int32((krb5_int32) keyblock->enctype, &bp, &remain); /* Our length */ @@ -168,13 +163,9 @@ krb5_keyblock_internalize(kcontext, argp, buffer, lenremain) (keyblock = (krb5_keyblock *) malloc(sizeof(krb5_keyblock)))) { memset(keyblock, 0, sizeof(krb5_keyblock)); - /* Get the keytype */ - (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); - keyblock->keytype = (krb5_keytype) ibuf; - - /* Get the etype */ + /* Get the enctype */ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); - keyblock->etype = (krb5_enctype) ibuf; + keyblock->enctype = (krb5_enctype) ibuf; /* Get the length */ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain); diff --git a/src/lib/krb5/krb/t_ser.c b/src/lib/krb5/krb/t_ser.c index ad635d97d..08235ec9d 100644 --- a/src/lib/krb5/krb/t_ser.c +++ b/src/lib/krb5/krb/t_ser.c @@ -293,8 +293,7 @@ ser_acontext_test(kcontext, verbose) KV5M_AUTH_CONTEXT))) { memset(&ukeyblock, 0, sizeof(ukeyblock)); memset(keydata, 0, sizeof(keydata)); - ukeyblock.keytype = KEYTYPE_DES; - ukeyblock.etype = ETYPE_DES_CBC_MD5; + ukeyblock.enctype = ENCTYPE_DES_CBC_MD5; ukeyblock.length = sizeof(keydata); ukeyblock.contents = keydata; keydata[0] = 0xde; @@ -510,7 +509,7 @@ ser_eblock_test(kcontext, verbose) memset(&eblock, 0, sizeof(krb5_encrypt_block)); eblock.magic = KV5M_ENCRYPT_BLOCK; - krb5_use_cstype(kcontext, &eblock, DEFAULT_KDC_ETYPE); + krb5_use_enctype(kcontext, &eblock, DEFAULT_KDC_ENCTYPE); if (!(kret = ser_data(verbose, "> NULL eblock", (krb5_pointer) &eblock, KV5M_ENCRYPT_BLOCK))) { eblock.priv = (krb5_pointer) ser_eblock_test; @@ -520,8 +519,7 @@ ser_eblock_test(kcontext, verbose) KV5M_ENCRYPT_BLOCK))) { memset(&ukeyblock, 0, sizeof(ukeyblock)); memset(keydata, 0, sizeof(keydata)); - ukeyblock.keytype = KEYTYPE_DES; - ukeyblock.etype = ETYPE_DES_CBC_MD5; + ukeyblock.enctype = ENCTYPE_DES_CBC_MD5; ukeyblock.length = sizeof(keydata); ukeyblock.contents = keydata; keydata[0] = 0xde; @@ -591,7 +589,11 @@ ser_cksum_test(kcontext, verbose) checksum.checksum_type = 123; checksum.length = sizeof(ckdata); checksum.contents = ckdata; - memcpy(ckdata, (char *) ser_cksum_test, sizeof(ckdata)); +#if 0 + memcpy(ckdata, (char *) &ser_cksum_test, sizeof(ckdata)); +#else + memcpy(ckdata, (char *) &ser_princ_test, sizeof(ckdata)); +#endif if (!(kret = ser_data(verbose, "> checksum with data", (krb5_pointer) &checksum, KV5M_CHECKSUM))) { if (verbose) -- 2.26.2