sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-03-24 10:50:22 +03:00
Code

s4:heimdal: import lorikeet-heimdal-201107150856 (commit 48936803fae4a2fb362c79365d31f420c917b85b)

Browse Source
This commit is contained in:
Stefan Metzmacher 2011-07-15 09:10:30 +02:00
parent 70da27838b
commit 255e3e18e0
312 changed files with 3555 additions and 2501 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
source4/heimdal/base/baselocl.h
View File

@ -35,6 +35,13 @@
#include "config.h"
#ifdef HAVE_SYS_TYPES_H
#include <sys/types.h>
#endif
#ifdef HAVE_SYS_SELECT_H
#include <sys/select.h>
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

4
source4/heimdal/base/dict.c
View File

@ -77,7 +77,7 @@ struct heim_type_data dict_object = {
static size_t
isprime(size_t p)
{
int q, i;
size_t q, i;
for(i = 2 ; i < p; i++) {
q = p / i;
@ -120,7 +120,7 @@ heim_dict_create(size_t size)
heim_release(dict);
return NULL;
}
dict->tab = calloc(dict->size, sizeof(dict->tab[0]));
if (dict->tab == NULL) {
dict->size = 0;

2
source4/heimdal/base/heimbase.c
View File

@ -369,7 +369,7 @@ void
heim_abortv(const char *fmt, va_list ap)
{
static char str[1024];
vsnprintf(str, sizeof(str), fmt, ap);
syslog(LOG_ERR, "heim_abort: %s", str);
abort();

18
source4/heimdal/base/heimbase.h
View File

@ -48,6 +48,22 @@ typedef heim_object_t heim_null_t;
#define HEIM_BASE_ONCE_INIT 0
typedef long heim_base_once_t; /* XXX arch dependant */
#if !defined(__has_extension)
#define __has_extension(x) 0
#endif
#define HEIM_REQUIRE_GNUC(m,n,p) \
(((__GNUC__ * 10000) + (__GNUC_MINOR__ * 100) + __GNUC_PATCHLEVEL__) >= \
(((m) * 10000) + ((n) * 100) + (p)))
#if __has_extension(__builtin_expect) || HEIM_REQUIRE_GNUC(3,0,0)
#define heim_builtin_expect(_op,_res) __builtin_expect(_op,_res)
#else
#define heim_builtin_expect(_op,_res) (_op)
#endif
void * heim_retain(heim_object_t);
void heim_release(heim_object_t);
@ -79,7 +95,7 @@ heim_abortv(const char *fmt, va_list ap)
HEIMDAL_PRINTF_ATTRIBUTE((printf, 1, 0));
#define heim_assert(e,t) \
(__builtin_expect(!(e), 0) ? heim_abort(t ":" #e) : (void)0)
(heim_builtin_expect(!(e), 0) ? heim_abort(t ":" #e) : (void)0)
/*
*

48
source4/heimdal/cf/make-proto.pl
View File

@ -11,6 +11,7 @@ my $line = "";
my $debug = 0;
my $oproto = 1;
my $private_func_re = "^_";
my %depfunction = ();
Getopts('x:m:o:p:dqE:R:P:') || die "foo";
@ -25,7 +26,7 @@ if($opt_q) {
if($opt_R) {
$private_func_re = $opt_R;
}
%flags = (
my %flags = (
'multiline-proto' => 1,
'header' => 1,
'function-blocking' => 0,
@ -100,16 +101,21 @@ while(<>) {
s/^\s*//;
s/\s*$//;
s/\s+/ /g;
if($_ =~ /\)$/ or $_ =~ /DEPRECATED$/){
if($_ =~ /\)$/){
if(!/^static/ && !/^PRIVATE/){
$attr = "";
if(m/(.*)(__attribute__\s?\(.*\))/) {
$attr .= " $2";
$_ = $1;
}
if(m/(.*)\s(\w+DEPRECATED)/) {
if(m/(.*)\s(\w+DEPRECATED_FUNCTION)\s?(\(.*\))(.*)/) {
$depfunction{$2} = 1;
$attr .= " $2$3";
$_ = "$1 $4";
}
if(m/(.*)\s(\w+DEPRECATED)(.*)/) {
$attr .= " $2";
$_ = $1;
$_ = "$1 $3";
}
# remove outer ()
s/\s*\(/</;
@ -302,17 +308,44 @@ if($flags{"gnuc-attribute"}) {
";
}
}
my $depstr = "";
my $undepstr = "";
foreach (keys %depfunction) {
$depstr .= "#ifndef $_
#if defined(__GNUC__) && ((__GNUC__ > 3) || ((__GNUC__ == 3) && (__GNUC_MINOR__ >= 1 )))
#define $_(X) __attribute__((__deprecated__))
#else
#define $_(X)
#endif
#endif
";
$public_h_trailer .= "#undef $_
";
$private_h_trailer .= "#undef $_
#define $_(X)
";
}
$public_h_header .= $depstr;
$private_h_header .= $depstr;
if($flags{"cxx"}) {
$public_h_header .= "#ifdef __cplusplus
extern \"C\" {
#endif
";
$public_h_trailer .= "#ifdef __cplusplus
$public_h_trailer = "#ifdef __cplusplus
}
#endif
";
" . $public_h_trailer;
}
if ($opt_E) {
@ -348,6 +381,9 @@ if ($opt_E) {
";
}
$public_h_trailer .= $undepstr;
$private_h_trailer .= $undepstr;
if ($public_h ne "" && $flags{"header"}) {
$public_h = $public_h_header . $public_h .
$public_h_trailer . "#endif /* $block */\n";

28
source4/heimdal/include/heim_threads.h
View File

@ -67,13 +67,13 @@
#define HEIMDAL_RWLOCK rwlock_t
#define HEIMDAL_RWLOCK_INITIALIZER RWLOCK_INITIALIZER
#define HEIMDAL_RWLOCK_init(l) rwlock_init(l, NULL)
#define HEIMDAL_RWLOCK_rdlock(l) rwlock_rdlock(l)
#define HEIMDAL_RWLOCK_wrlock(l) rwlock_wrlock(l)
#define HEIMDAL_RWLOCK_tryrdlock(l) rwlock_tryrdlock(l)
#define HEIMDAL_RWLOCK_trywrlock(l) rwlock_trywrlock(l)
#define HEIMDAL_RWLOCK_unlock(l) rwlock_unlock(l)
#define HEIMDAL_RWLOCK_destroy(l) rwlock_destroy(l)
#define HEIMDAL_RWLOCK_init(l) rwlock_init(l, NULL)
#define HEIMDAL_RWLOCK_rdlock(l) rwlock_rdlock(l)
#define HEIMDAL_RWLOCK_wrlock(l) rwlock_wrlock(l)
#define HEIMDAL_RWLOCK_tryrdlock(l) rwlock_tryrdlock(l)
#define HEIMDAL_RWLOCK_trywrlock(l) rwlock_trywrlock(l)
#define HEIMDAL_RWLOCK_unlock(l) rwlock_unlock(l)
#define HEIMDAL_RWLOCK_destroy(l) rwlock_destroy(l)
#define HEIMDAL_thread_key thread_key_t
#define HEIMDAL_key_create(k,d,r) do { r = thr_keycreate(k,d); } while(0)
@ -94,13 +94,13 @@
#define HEIMDAL_RWLOCK rwlock_t
#define HEIMDAL_RWLOCK_INITIALIZER RWLOCK_INITIALIZER
#define HEIMDAL_RWLOCK_init(l) pthread_rwlock_init(l, NULL)
#define HEIMDAL_RWLOCK_rdlock(l) pthread_rwlock_rdlock(l)
#define HEIMDAL_RWLOCK_wrlock(l) pthread_rwlock_wrlock(l)
#define HEIMDAL_RWLOCK_tryrdlock(l) pthread_rwlock_tryrdlock(l)
#define HEIMDAL_RWLOCK_trywrlock(l) pthread_rwlock_trywrlock(l)
#define HEIMDAL_RWLOCK_unlock(l) pthread_rwlock_unlock(l)
#define HEIMDAL_RWLOCK_destroy(l) pthread_rwlock_destroy(l)
#define HEIMDAL_RWLOCK_init(l) pthread_rwlock_init(l, NULL)
#define HEIMDAL_RWLOCK_rdlock(l) pthread_rwlock_rdlock(l)
#define HEIMDAL_RWLOCK_wrlock(l) pthread_rwlock_wrlock(l)
#define HEIMDAL_RWLOCK_tryrdlock(l) pthread_rwlock_tryrdlock(l)
#define HEIMDAL_RWLOCK_trywrlock(l) pthread_rwlock_trywrlock(l)
#define HEIMDAL_RWLOCK_unlock(l) pthread_rwlock_unlock(l)
#define HEIMDAL_RWLOCK_destroy(l) pthread_rwlock_destroy(l)
#define HEIMDAL_thread_key pthread_key_t
#define HEIMDAL_key_create(k,d,r) do { r = pthread_key_create(k,d); } while(0)

74
source4/heimdal/kdc/default_config.c
View File

@ -51,14 +51,14 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
c->require_preauth = TRUE;
c->kdc_warn_pwexpire = 0;
c->encode_as_rep_as_tgs_rep = FALSE;
c->as_use_strongest_session_key = FALSE;
c->preauth_use_strongest_session_key = FALSE;
c->tgs_use_strongest_session_key = FALSE;
c->use_strongest_server_key = FALSE;
c->check_ticket_addresses = TRUE;
c->allow_null_ticket_addresses = TRUE;
c->allow_anonymous = FALSE;
c->trpolicy = TRPOLICY_ALWAYS_CHECK;
c->enable_v4 = FALSE;
c->enable_kaserver = FALSE;
c->enable_524 = FALSE;
c->enable_v4_cross_realm = FALSE;
c->enable_pkinit = FALSE;
c->pkinit_princ_in_cert = TRUE;
c->pkinit_require_binding = TRUE;
@ -70,19 +70,6 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
krb5_config_get_bool_default(context, NULL,
c->require_preauth,
"kdc", "require-preauth", NULL);
c->enable_v4 =
krb5_config_get_bool_default(context, NULL,
c->enable_v4,
"kdc", "enable-kerberos4", NULL);
c->enable_v4_cross_realm =
krb5_config_get_bool_default(context, NULL,
c->enable_v4_cross_realm,
"kdc",
"enable-kerberos4-cross-realm", NULL);
c->enable_524 =
krb5_config_get_bool_default(context, NULL,
c->enable_v4,
"kdc", "enable-524", NULL);
#ifdef DIGEST
c->enable_digest =
krb5_config_get_bool_default(context, NULL,
@ -133,6 +120,27 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
}
#endif
c->as_use_strongest_session_key =
krb5_config_get_bool_default(context, NULL,
c->as_use_strongest_session_key,
"kdc",
"as-use-strongest-session-key", NULL);
c->preauth_use_strongest_session_key =
krb5_config_get_bool_default(context, NULL,
c->preauth_use_strongest_session_key,
"kdc",
"preauth-use-strongest-session-key", NULL);
c->tgs_use_strongest_session_key =
krb5_config_get_bool_default(context, NULL,
c->tgs_use_strongest_session_key,
"kdc",
"tgs-use-strongest-session-key", NULL);
c->use_strongest_server_key =
krb5_config_get_bool_default(context, NULL,
c->use_strongest_server_key,
"kdc",
"use-strongest-server-key", NULL);
c->check_ticket_addresses =
krb5_config_get_bool_default(context, NULL,
c->check_ticket_addresses,
@ -180,28 +188,6 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
}
}
{
const char *p;
p = krb5_config_get_string (context, NULL,
"kdc",
"v4-realm",
NULL);
if(p != NULL) {
c->v4_realm = strdup(p);
if (c->v4_realm == NULL)
krb5_errx(context, 1, "out of memory");
} else {
c->v4_realm = NULL;
}
}
c->enable_kaserver =
krb5_config_get_bool_default(context,
NULL,
c->enable_kaserver,
"kdc", "enable-kaserver", NULL);
c->encode_as_rep_as_tgs_rep =
krb5_config_get_bool_default(context, NULL,
c->encode_as_rep_as_tgs_rep,
@ -223,7 +209,7 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
NULL);
c->pkinit_kdc_identity =
c->pkinit_kdc_identity =
krb5_config_get_string(context, NULL,
"kdc", "pkinit_identity", NULL);
c->pkinit_kdc_anchors =
@ -235,7 +221,7 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
c->pkinit_kdc_revoke =
krb5_config_get_strings(context, NULL,
"kdc", "pkinit_revoke", NULL);
c->pkinit_kdc_ocsp_file =
c->pkinit_kdc_ocsp_file =
krb5_config_get_string(context, NULL,
"kdc", "pkinit_kdc_ocsp", NULL);
c->pkinit_kdc_friendly_name =
@ -272,7 +258,7 @@ krb5_kdc_pkinit_config(krb5_context context, krb5_kdc_configuration *config)
if (config->pkinit_kdc_identity == NULL) {
if (config->pkinit_kdc_friendly_name == NULL)
config->pkinit_kdc_friendly_name =
config->pkinit_kdc_friendly_name =
strdup("O=System Identity,CN=com.apple.kerberos.kdc");
config->pkinit_kdc_identity = strdup("KEYCHAIN:");
}
@ -284,7 +270,7 @@ krb5_kdc_pkinit_config(krb5_context context, krb5_kdc_configuration *config)
if (config->enable_pkinit) {
if (config->pkinit_kdc_identity == NULL)
krb5_errx(context, 1, "pkinit enabled but no identity");
if (config->pkinit_kdc_anchors == NULL)
krb5_errx(context, 1, "pkinit enabled but no X509 anchors");
@ -298,4 +284,4 @@ krb5_kdc_pkinit_config(krb5_context context, krb5_kdc_configuration *config)
return 0;
#endif /* PKINIT */
}
}

142
source4/heimdal/kdc/digest.c
View File

@ -257,7 +257,7 @@ _kdc_do_digest(krb5_context context,
/* check the server principal in the ticket matches digest/R@R */
{
krb5_principal principal = NULL;
const char *p, *r;
const char *p, *rr;
ret = krb5_ticket_get_server(context, ticket, &principal);
if (ret)
@ -280,12 +280,12 @@ _kdc_do_digest(krb5_context context,
krb5_free_principal(context, principal);
goto out;
}
r = krb5_principal_get_realm(context, principal);
if (r == NULL) {
rr = krb5_principal_get_realm(context, principal);
if (rr == NULL) {
krb5_free_principal(context, principal);
goto out;
}
if (strcmp(p, r) != 0) {
if (strcmp(p, rr) != 0) {
krb5_free_principal(context, principal);
goto out;
}
@ -356,7 +356,7 @@ _kdc_do_digest(krb5_context context,
crypto = NULL;
if (ret)
goto out;
ret = decode_DigestReqInner(buf.data, buf.length, &ireq, NULL);
krb5_data_free(&buf);
if (ret) {
@ -419,7 +419,7 @@ _kdc_do_digest(krb5_context context,
free(r.u.initReply.nonce);
r.u.initReply.nonce = s;
}
ret = krb5_store_stringz(sp, r.u.initReply.nonce);
if (ret) {
krb5_clear_error_message(context);
@ -475,7 +475,7 @@ _kdc_do_digest(krb5_context context,
krb5_data_free(&buf);
if (ret)
goto out;
ASN1_MALLOC_ENCODE(Checksum, buf.data, buf.length, &res, &size, ret);
free_Checksum(&res);
if (ret) {
@ -547,7 +547,7 @@ _kdc_do_digest(krb5_context context,
"Failed to decode digest Checksum");
goto out;
}
ret = krb5_storage_to_data(sp, &buf);
if (ret) {
krb5_clear_error_message(context);
@ -561,14 +561,14 @@ _kdc_do_digest(krb5_context context,
krb5_set_error_message(context, ret, "malloc: out of memory");
goto out;
}
/*
* CHAP does the checksum of the raw nonce, but do it for all
* types, since we need to check the timestamp.
*/
{
ssize_t ssize;
ssize = hex_decode(ireq.u.digestRequest.serverNonce,
serverNonce.data, serverNonce.length);
if (ssize <= 0) {
@ -597,7 +597,7 @@ _kdc_do_digest(krb5_context context,
{
unsigned char *p = serverNonce.data;
uint32_t t;
if (serverNonce.length < 4) {
ret = EINVAL;
krb5_set_error_message(context, ret, "server nonce too short");
@ -616,7 +616,7 @@ _kdc_do_digest(krb5_context context,
EVP_MD_CTX *ctx;
unsigned char md[MD5_DIGEST_LENGTH];
char *mdx;
char id;
char idx;
if ((config->digests_allowed & CHAP_MD5) == 0) {
kdc_log(context, config, 0, "Digest CHAP MD5 not allowed");
@ -629,13 +629,13 @@ _kdc_do_digest(krb5_context context,
"from CHAP request");
goto out;
}
if (hex_decode(*ireq.u.digestRequest.identifier, &id, 1) != 1) {
if (hex_decode(*ireq.u.digestRequest.identifier, &idx, 1) != 1) {
ret = EINVAL;
krb5_set_error_message(context, ret, "failed to decode identifier");
goto out;
}
ret = get_password_entry(context, config,
ireq.u.digestRequest.username,
&password);
@ -645,7 +645,7 @@ _kdc_do_digest(krb5_context context,
ctx = EVP_MD_CTX_create();
EVP_DigestInit_ex(ctx, EVP_md5(), NULL);
EVP_DigestUpdate(ctx, &id, 1);
EVP_DigestUpdate(ctx, &idx, 1);
EVP_DigestUpdate(ctx, password, strlen(password));
EVP_DigestUpdate(ctx, serverNonce.data, serverNonce.length);
EVP_DigestFinal_ex(ctx, md, NULL);
@ -691,7 +691,7 @@ _kdc_do_digest(krb5_context context,
goto out;
if (ireq.u.digestRequest.realm == NULL)
goto out;
ret = get_password_entry(context, config,
ireq.u.digestRequest.username,
&password);
@ -709,7 +709,7 @@ _kdc_do_digest(krb5_context context,
EVP_DigestUpdate(ctx, ":", 1);
EVP_DigestUpdate(ctx, password, strlen(password));
EVP_DigestFinal_ex(ctx, md, NULL);
EVP_DigestInit_ex(ctx, EVP_md5(), NULL);
EVP_DigestUpdate(ctx, md, sizeof(md));
EVP_DigestUpdate(ctx, ":", 1);
@ -731,19 +731,19 @@ _kdc_do_digest(krb5_context context,
EVP_MD_CTX_destroy(ctx);
goto failed;
}
EVP_DigestInit_ex(ctx, EVP_md5(), NULL);
EVP_DigestUpdate(ctx,
"AUTHENTICATE:", sizeof("AUTHENTICATE:") - 1);
EVP_DigestUpdate(ctx, *ireq.u.digestRequest.uri,
strlen(*ireq.u.digestRequest.uri));
/* conf|int */
if (strcmp(ireq.u.digestRequest.digest, "clear") != 0) {
static char conf_zeros[] = ":00000000000000000000000000000000";
EVP_DigestUpdate(ctx, conf_zeros, sizeof(conf_zeros) - 1);
}
EVP_DigestFinal_ex(ctx, md, NULL);
hex_encode(md, sizeof(md), &A2);
@ -804,7 +804,7 @@ _kdc_do_digest(krb5_context context,
const char *username;
struct ntlm_buf answer;
Key *key = NULL;
EVP_MD_CTX *ctx;
EVP_MD_CTX *ctp;
if ((config->digests_allowed & MS_CHAP_V2) == 0) {
kdc_log(context, config, 0, "MS-CHAP-V2 not allowed");
@ -816,7 +816,7 @@ _kdc_do_digest(krb5_context context,
krb5_set_error_message(context, ret,
"MS-CHAP-V2 clientNonce missing");
goto failed;
}
}
if (serverNonce.length != 16) {
ret = EINVAL;
krb5_set_error_message(context, ret,
@ -831,21 +831,21 @@ _kdc_do_digest(krb5_context context,
else
username++;
ctx = EVP_MD_CTX_create();
ctp = EVP_MD_CTX_create();
/* ChallangeHash */
EVP_DigestInit_ex(ctx, EVP_sha1(), NULL);
EVP_DigestInit_ex(ctp, EVP_sha1(), NULL);
{
ssize_t ssize;
krb5_data clientNonce;
clientNonce.length = strlen(*ireq.u.digestRequest.clientNonce);
clientNonce.data = malloc(clientNonce.length);
if (clientNonce.data == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret,
"malloc: out of memory");
EVP_MD_CTX_destroy(ctx);
EVP_MD_CTX_destroy(ctp);
goto out;
}
@ -855,24 +855,24 @@ _kdc_do_digest(krb5_context context,
ret = ENOMEM;
krb5_set_error_message(context, ret,
"Failed to decode clientNonce");
EVP_MD_CTX_destroy(ctx);
EVP_MD_CTX_destroy(ctp);
goto out;
}
EVP_DigestUpdate(ctx, clientNonce.data, ssize);
EVP_DigestUpdate(ctp, clientNonce.data, ssize);
free(clientNonce.data);
}
EVP_DigestUpdate(ctx, serverNonce.data, serverNonce.length);
EVP_DigestUpdate(ctx, username, strlen(username));
EVP_DigestUpdate(ctp, serverNonce.data, serverNonce.length);
EVP_DigestUpdate(ctp, username, strlen(username));
EVP_DigestFinal_ex(ctx, challange, NULL);
EVP_DigestFinal_ex(ctp, challange, NULL);
EVP_MD_CTX_destroy(ctx);
EVP_MD_CTX_destroy(ctp);
/* NtPasswordHash */
ret = krb5_parse_name(context, username, &clientprincipal);
if (ret)
goto failed;
ret = _kdc_db_fetch(context, config, clientprincipal,
HDB_F_GET_CLIENT, NULL, NULL, &user);
krb5_free_principal(context, clientprincipal);
@ -900,7 +900,7 @@ _kdc_do_digest(krb5_context context,
krb5_set_error_message(context, ret, "NTLM missing arcfour key");
goto failed;
}
hex_encode(answer.data, answer.length, &mdx);
if (mdx == NULL) {
free(answer.data);
@ -923,39 +923,39 @@ _kdc_do_digest(krb5_context context,
if (r.u.response.success) {
unsigned char hashhash[MD4_DIGEST_LENGTH];
EVP_MD_CTX *ctx;
EVP_MD_CTX *ctxp;
ctx = EVP_MD_CTX_create();
ctxp = EVP_MD_CTX_create();
/* hashhash */
{
EVP_DigestInit_ex(ctx, EVP_md4(), NULL);
EVP_DigestUpdate(ctx,
EVP_DigestInit_ex(ctxp, EVP_md4(), NULL);
EVP_DigestUpdate(ctxp,
key->key.keyvalue.data,
key->key.keyvalue.length);
EVP_DigestFinal_ex(ctx, hashhash, NULL);
EVP_DigestFinal_ex(ctxp, hashhash, NULL);
}
/* GenerateAuthenticatorResponse */
EVP_DigestInit_ex(ctx, EVP_sha1(), NULL);
EVP_DigestUpdate(ctx, hashhash, sizeof(hashhash));
EVP_DigestUpdate(ctx, answer.data, answer.length);
EVP_DigestUpdate(ctx, ms_chap_v2_magic1,
EVP_DigestInit_ex(ctxp, EVP_sha1(), NULL);
EVP_DigestUpdate(ctxp, hashhash, sizeof(hashhash));
EVP_DigestUpdate(ctxp, answer.data, answer.length);
EVP_DigestUpdate(ctxp, ms_chap_v2_magic1,
sizeof(ms_chap_v2_magic1));
EVP_DigestFinal_ex(ctx, md, NULL);
EVP_DigestFinal_ex(ctxp, md, NULL);
EVP_DigestInit_ex(ctx, EVP_sha1(), NULL);
EVP_DigestUpdate(ctx, md, sizeof(md));
EVP_DigestUpdate(ctx, challange, 8);
EVP_DigestUpdate(ctx, ms_chap_v2_magic2,
EVP_DigestInit_ex(ctxp, EVP_sha1(), NULL);
EVP_DigestUpdate(ctxp, md, sizeof(md));
EVP_DigestUpdate(ctxp, challange, 8);
EVP_DigestUpdate(ctxp, ms_chap_v2_magic2,
sizeof(ms_chap_v2_magic2));
EVP_DigestFinal_ex(ctx, md, NULL);
EVP_DigestFinal_ex(ctxp, md, NULL);
r.u.response.rsp = calloc(1, sizeof(*r.u.response.rsp));
if (r.u.response.rsp == NULL) {
free(answer.data);
krb5_clear_error_message(context);
EVP_MD_CTX_destroy(ctx);
EVP_MD_CTX_destroy(ctxp);
ret = ENOMEM;
goto out;
}
@ -964,22 +964,22 @@ _kdc_do_digest(krb5_context context,
if (r.u.response.rsp == NULL) {
free(answer.data);
krb5_clear_error_message(context);
EVP_MD_CTX_destroy(ctx);
EVP_MD_CTX_destroy(ctxp);
ret = ENOMEM;
goto out;
}
/* get_master, rfc 3079 3.4 */
EVP_DigestInit_ex(ctx, EVP_sha1(), NULL);
EVP_DigestUpdate(ctx, hashhash, 16);
EVP_DigestUpdate(ctx, answer.data, answer.length);
EVP_DigestUpdate(ctx, ms_rfc3079_magic1,
EVP_DigestInit_ex(ctxp, EVP_sha1(), NULL);
EVP_DigestUpdate(ctxp, hashhash, 16);
EVP_DigestUpdate(ctxp, answer.data, answer.length);
EVP_DigestUpdate(ctxp, ms_rfc3079_magic1,
sizeof(ms_rfc3079_magic1));
EVP_DigestFinal_ex(ctx, md, NULL);
EVP_DigestFinal_ex(ctxp, md, NULL);
free(answer.data);
EVP_MD_CTX_destroy(ctx);
EVP_MD_CTX_destroy(ctxp);
r.u.response.session_key =
calloc(1, sizeof(*r.u.response.session_key));
@ -1101,7 +1101,7 @@ _kdc_do_digest(krb5_context context,
krb5_set_error_message(context, ret, "malloc: out of memory");
goto out;
}
ret = krb5_storage_write(sp, r.u.ntlmInitReply.challange.data, 8);
if (ret != 8) {
ret = ENOMEM;
@ -1143,7 +1143,7 @@ _kdc_do_digest(krb5_context context,
uint32_t flags;
Key *key = NULL;
int version;
r.element = choice_DigestRepInner_ntlmResponse;
r.u.ntlmResponse.success = 0;
r.u.ntlmResponse.flags = 0;
@ -1187,7 +1187,7 @@ _kdc_do_digest(krb5_context context,
krb5_set_error_message(context, ret, "malloc: out of memory");
goto out;
}
ret = krb5_storage_read(sp, challange, sizeof(challange));
if (ret != sizeof(challange)) {
ret = ENOMEM;
@ -1266,7 +1266,7 @@ _kdc_do_digest(krb5_context context,
if (flags & NTLM_NEG_NTLM2_SESSION) {
unsigned char sessionhash[MD5_DIGEST_LENGTH];
EVP_MD_CTX *ctx;
if ((config->digests_allowed & NTLM_V1_SESSION) == 0) {
kdc_log(context, config, 0, "NTLM v1-session not allowed");
ret = EINVAL;
@ -1279,7 +1279,7 @@ _kdc_do_digest(krb5_context context,
"for NTLM session key");
goto failed;
}
ctx = EVP_MD_CTX_create();
EVP_DigestInit_ex(ctx, EVP_md5(), NULL);
@ -1297,7 +1297,7 @@ _kdc_do_digest(krb5_context context,
goto failed;
}
}
ret = heim_ntlm_calculate_ntlm1(key->key.keyvalue.data,
key->key.keyvalue.length,
challange, &answer);
@ -1305,7 +1305,7 @@ _kdc_do_digest(krb5_context context,
krb5_set_error_message(context, ret, "NTLM missing arcfour key");
goto failed;
}
if (ireq.u.ntlmRequest.ntlm.length != answer.length ||
memcmp(ireq.u.ntlmRequest.ntlm.data, answer.data, answer.length) != 0)
{
@ -1335,7 +1335,7 @@ _kdc_do_digest(krb5_context context,
unsigned char masterkey[MD4_DIGEST_LENGTH];
EVP_CIPHER_CTX rc4;
size_t len;
if ((flags & NTLM_NEG_KEYEX) == 0) {
ret = EINVAL;
krb5_set_error_message(context, ret,
@ -1343,7 +1343,7 @@ _kdc_do_digest(krb5_context context,
"exchange but still sent key");
goto failed;
}
len = ireq.u.ntlmRequest.sessionkey->length;
if (len != sizeof(masterkey)){
ret = EINVAL;
@ -1352,7 +1352,7 @@ _kdc_do_digest(krb5_context context,
(unsigned long)len);
goto failed;
}
EVP_CIPHER_CTX_init(&rc4);
EVP_CipherInit_ex(&rc4, EVP_rc4(), NULL, sessionkey, NULL, 1);
@ -1360,7 +1360,7 @@ _kdc_do_digest(krb5_context context,
masterkey, ireq.u.ntlmRequest.sessionkey->data,
sizeof(masterkey));
EVP_CIPHER_CTX_cleanup(&rc4);
r.u.ntlmResponse.sessionkey =
malloc(sizeof(*r.u.ntlmResponse.sessionkey));
if (r.u.ntlmResponse.sessionkey == NULL) {
@ -1368,7 +1368,7 @@ _kdc_do_digest(krb5_context context,
krb5_set_error_message(context, ret, "malloc: out of memory");
goto out;
}
ret = krb5_data_copy(r.u.ntlmResponse.sessionkey,
masterkey, sizeof(masterkey));
if (ret) {
@ -1415,7 +1415,7 @@ _kdc_do_digest(krb5_context context,
krb5_clear_error_message(context);
goto out;
}
kdc_log(context, config, 0, "Digest failed with: %s", s);
r.element = choice_DigestRepInner_error;

16
source4/heimdal/kdc/kdc.h
View File

@ -58,21 +58,17 @@ typedef struct krb5_kdc_configuration {
int num_db;
krb5_boolean encode_as_rep_as_tgs_rep; /* bug compatibility */
krb5_boolean as_use_strongest_session_key;
krb5_boolean preauth_use_strongest_session_key;
krb5_boolean tgs_use_strongest_session_key;
krb5_boolean use_strongest_server_key;
krb5_boolean check_ticket_addresses;
krb5_boolean allow_null_ticket_addresses;
krb5_boolean allow_anonymous;
enum krb5_kdc_trpolicy trpolicy;
char *v4_realm;
krb5_boolean enable_v4;
krb5_boolean enable_v4_cross_realm;
krb5_boolean enable_v4_per_principal;
krb5_boolean enable_kaserver;
krb5_boolean enable_524;
krb5_boolean enable_pkinit;
krb5_boolean pkinit_princ_in_cert;
const char *pkinit_kdc_identity;

236
source4/heimdal/kdc/kerberos5.c
View File

@ -74,9 +74,9 @@ _kdc_find_padata(const KDC_REQ *req, int *start, int type)
if (req->padata == NULL)
return NULL;
while(*start < req->padata->len){
while((size_t)*start < req->padata->len){
(*start)++;
if(req->padata->val[*start - 1].padata_type == type)
if(req->padata->val[*start - 1].padata_type == (unsigned)type)
return &req->padata->val[*start - 1];
}
return NULL;
@ -123,36 +123,103 @@ is_default_salt_p(const krb5_salt *default_salt, const Key *key)
*/
krb5_error_code
_kdc_find_etype(krb5_context context, const hdb_entry_ex *princ,
_kdc_find_etype(krb5_context context, krb5_boolean use_strongest_session_key,
krb5_boolean is_preauth, hdb_entry_ex *princ,
krb5_enctype *etypes, unsigned len,
Key **ret_key)
krb5_enctype *ret_enctype, Key **ret_key)
{
int i;
krb5_error_code ret = KRB5KDC_ERR_ETYPE_NOSUPP;
krb5_error_code ret;
krb5_salt def_salt;
krb5_enctype enctype = ETYPE_NULL;
Key *key;
int i;
krb5_get_pw_salt (context, princ->entry.principal, &def_salt);
/* We'll want to avoid keys with v4 salted keys in the pre-auth case... */
ret = krb5_get_pw_salt(context, princ->entry.principal, &def_salt);
if (ret)
return ret;
for(i = 0; ret != 0 && i < len ; i++) {
Key *key = NULL;
ret = KRB5KDC_ERR_ETYPE_NOSUPP;
if (krb5_enctype_valid(context, etypes[i]) != 0 &&
!_kdc_is_weak_exception(princ->entry.principal, etypes[i]))
continue;
if (use_strongest_session_key) {
const krb5_enctype *p;
krb5_enctype clientbest = ETYPE_NULL;
int j;
while (hdb_next_enctype2key(context, &princ->entry, etypes[i], &key) == 0) {
if (key->key.keyvalue.length == 0) {
ret = KRB5KDC_ERR_NULL_KEY;
/*
* Pick the strongest key that the KDC, target service, and
* client all support, using the local cryptosystem enctype
* list in strongest-to-weakest order to drive the search.
*
* This is not what RFC4120 says to do, but it encourages
* adoption of stronger enctypes. This doesn't play well with
* clients that have multiple Kerberos client implementations
* available with different supported enctype lists.
*/
/* drive the search with local supported enctypes list */
p = krb5_kerberos_enctypes(context);
for (i = 0; p[i] != ETYPE_NULL && enctype == ETYPE_NULL; i++) {
if (krb5_enctype_valid(context, p[i]) != 0)
continue;
/* check that the client supports it too */
for (j = 0; j < len && enctype == ETYPE_NULL; j++) {
if (p[i] != etypes[j])
continue;
/* save best of union of { client, crypto system } */
if (clientbest == ETYPE_NULL)
clientbest = p[i];
/* check target princ support */
ret = hdb_enctype2key(context, &princ->entry, p[i], &key);
if (ret)
continue;
if (is_preauth && !is_default_salt_p(&def_salt, key))
continue;
enctype = p[i];
}
*ret_key = key;
ret = 0;
if (is_default_salt_p(&def_salt, key)) {
krb5_free_salt (context, def_salt);
return ret;
}
if (clientbest != ETYPE_NULL && enctype == ETYPE_NULL)
enctype = clientbest;
else if (enctype == ETYPE_NULL)
ret = KRB5KDC_ERR_ETYPE_NOSUPP;
if (ret == 0 && ret_enctype != NULL)
*ret_enctype = enctype;
if (ret == 0 && ret_key != NULL)
*ret_key = key;
} else {
/*
* Pick the first key from the client's enctype list that is
* supported by the cryptosystem and by the given principal.
*
* RFC4120 says we SHOULD pick the first _strong_ key from the
* client's list... not the first key... If the admin disallows
* weak enctypes in krb5.conf and selects this key selection
* algorithm, then we get exactly what RFC4120 says.
*/
for(key = NULL, i = 0; ret != 0 && i < len; i++, key = NULL) {
if (krb5_enctype_valid(context, etypes[i]) != 0 &&
!_kdc_is_weak_exception(princ->entry.principal, etypes[i]))
continue;
while (hdb_next_enctype2key(context, &princ->entry, etypes[i], &key) == 0) {
if (key->key.keyvalue.length == 0) {
ret = KRB5KDC_ERR_NULL_KEY;
continue;
}
if (ret_key != NULL)
*ret_key = key;
if (ret_enctype != NULL)
*ret_enctype = etypes[i];
ret = 0;
if (is_preauth && is_default_salt_p(&def_salt, key))
goto out;
}
}
}
out:
krb5_free_salt (context, def_salt);
return ret;
}
@ -211,8 +278,8 @@ log_patypes(krb5_context context,
{
struct rk_strpool *p = NULL;
char *str;
int i;
size_t i;
for (i = 0; i < padata->len; i++) {
switch(padata->val[i].padata_type) {
case KRB5_PADATA_PK_AS_REQ:
@ -240,7 +307,7 @@ log_patypes(krb5_context context,
}
if (p == NULL)
p = rk_strpoolprintf(p, "none");
str = rk_strpoolcollect(p);
kdc_log(context, config, 0, "Client sent patypes: %s", str);
free(str);
@ -264,7 +331,7 @@ _kdc_encode_reply(krb5_context context,
{
unsigned char *buf;
size_t buf_size;
size_t len;
size_t len = 0;
krb5_error_code ret;
krb5_crypto crypto;
@ -614,7 +681,7 @@ log_as_req(krb5_context context,
krb5_error_code ret;
struct rk_strpool *p;
char *str;
int i;
size_t i;
p = rk_strpoolprintf(NULL, "%s", "Client supported enctypes: ");
@ -694,13 +761,13 @@ kdc_check_flags(krb5_context context,
"Client (%s) has invalid bit set", client_name);
return KRB5KDC_ERR_POLICY;
}
if(!client->flags.client){
kdc_log(context, config, 0,
"Principal may not act as client -- %s", client_name);
return KRB5KDC_ERR_POLICY;
}
if (client->valid_start && *client->valid_start > kdc_time) {
char starttime_str[100];
krb5_format_time(context, *client->valid_start,
@ -710,7 +777,7 @@ kdc_check_flags(krb5_context context,
starttime_str, client_name);
return KRB5KDC_ERR_CLIENT_NOTYET;
}
if (client->valid_end && *client->valid_end < kdc_time) {
char endtime_str[100];
krb5_format_time(context, *client->valid_end,
@ -720,7 +787,7 @@ kdc_check_flags(krb5_context context,
endtime_str, client_name);
return KRB5KDC_ERR_NAME_EXP;
}
if (client->pw_end && *client->pw_end < kdc_time
&& (server_ex == NULL || !server_ex->entry.flags.change_pw)) {
char pwend_str[100];
@ -809,7 +876,7 @@ _kdc_check_addresses(krb5_context context,
krb5_address addr;
krb5_boolean result;
krb5_boolean only_netbios = TRUE;
int i;
size_t i;
if(config->check_ticket_addresses == 0)
return TRUE;
@ -976,7 +1043,7 @@ _kdc_as_rep(krb5_context context,
goto out;
}
} else if (b->kdc_options.request_anonymous) {
kdc_log(context, config, 0,
kdc_log(context, config, 0,
"Request for a anonymous ticket with non "
"anonymous client name: %s", client_name);
ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
@ -1018,59 +1085,31 @@ _kdc_as_rep(krb5_context context,
memset(&ek, 0, sizeof(ek));
/*
* Select a session enctype from the list of the crypto systems
* supported enctype, is supported by the client and is one of the
* enctype of the enctype of the krbtgt.
* Select a session enctype from the list of the crypto system
* supported enctypes that is supported by the client and is one of
* the enctype of the enctype of the service (likely krbtgt).
*
* The later is used as a hint what enctype all KDC are supporting
* to make sure a newer version of KDC wont generate a session
* enctype that and older version of a KDC in the same realm can't
* The latter is used as a hint of what enctypes all KDC support,
* to make sure a newer version of KDC won't generate a session
* enctype that an older version of a KDC in the same realm can't
* decrypt.
*
* But if the KDC admin is paranoid and doesn't want to have "no
*/
ret = _kdc_find_etype(context, config->as_use_strongest_session_key, FALSE,
client, b->etype.val, b->etype.len, &sessionetype,
NULL);
if (ret) {
kdc_log(context, config, 0,
"Client (%s) from %s has no common enctypes with KDC "
"to use for the session key",
client_name, from);
goto out;
}
/*
* But if the KDC admin is paranoid and doesn't want to have "not
* the best" enctypes on the krbtgt, lets save the best pick from
* the client list and hope that that will work for any other
* KDCs.
*/
{
const krb5_enctype *p;
krb5_enctype clientbest = ETYPE_NULL;
int i, j;
p = krb5_kerberos_enctypes(context);
sessionetype = ETYPE_NULL;
for (i = 0; p[i] != ETYPE_NULL && sessionetype == ETYPE_NULL; i++) {
if (krb5_enctype_valid(context, p[i]) != 0)
continue;
for (j = 0; j < b->etype.len && sessionetype == ETYPE_NULL; j++) {
Key *dummy;
/* check with client */
if (p[i] != b->etype.val[j])
continue;
/* save best of union of { client, crypto system } */
if (clientbest == ETYPE_NULL)
clientbest = p[i];
/* check with krbtgt */
ret = hdb_enctype2key(context, &server->entry, p[i], &dummy);
if (ret)
continue;
sessionetype = p[i];
}
}
/* if krbtgt had no shared keys with client, pick clients best */
if (clientbest != ETYPE_NULL && sessionetype == ETYPE_NULL) {
sessionetype = clientbest;
} else if (sessionetype == ETYPE_NULL) {
kdc_log(context, config, 0,
"Client (%s) from %s has no common enctypes with KDC"
"to use for the session key",
client_name, from);
goto out;
}
}
/*
* Pre-auth processing
@ -1111,7 +1150,7 @@ _kdc_as_rep(krb5_context context,
ret = _kdc_pk_check_client(context,
config,
clientdb,
clientdb,
client,
pkp,
&client_cert);
@ -1119,7 +1158,7 @@ _kdc_as_rep(krb5_context context,
e_text = "PKINIT certificate not allowed to "
"impersonate principal";
_kdc_pk_free_client_param(context, pkp);
kdc_log(context, config, 0, "%s", e_text);
pkp = NULL;
goto out;
@ -1148,9 +1187,9 @@ _kdc_as_rep(krb5_context context,
EncryptedData enc_data;
Key *pa_key;
char *str;
found_pa = 1;
if (b->kdc_options.request_anonymous) {
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
kdc_log(context, config, 0, "ENC-TS doesn't support anon");
@ -1167,7 +1206,7 @@ _kdc_as_rep(krb5_context context,
client_name);
goto out;
}
ret = hdb_enctype2key(context, &client->entry,
enc_data.etype, &pa_key);
if(ret){
@ -1256,7 +1295,7 @@ _kdc_as_rep(krb5_context context,
free_PA_ENC_TS_ENC(&p);
if (abs(kdc_time - p.patimestamp) > context->max_skew) {
char client_time[100];
krb5_format_time(context, p.patimestamp,
client_time, sizeof(client_time), TRUE);
@ -1353,8 +1392,9 @@ _kdc_as_rep(krb5_context context,
/*
* If there is a client key, send ETYPE_INFO{,2}
*/
ret = _kdc_find_etype(context, client, b->etype.val, b->etype.len,
&ckey);
ret = _kdc_find_etype(context,
config->preauth_use_strongest_session_key, TRUE,
client, b->etype.val, b->etype.len, NULL, &ckey);
if (ret == 0) {
/*
@ -1384,7 +1424,7 @@ _kdc_as_rep(krb5_context context,
goto out;
}
}
ASN1_MALLOC_ENCODE(METHOD_DATA, buf, len, &method_data, &len, ret);
free_METHOD_DATA(&method_data);
@ -1401,7 +1441,7 @@ _kdc_as_rep(krb5_context context,
}
if (clientdb->hdb_auth_status)
(clientdb->hdb_auth_status)(context, clientdb, client,
(clientdb->hdb_auth_status)(context, clientdb, client,
HDB_AUTH_SUCCESS);
/*
@ -1503,7 +1543,7 @@ _kdc_as_rep(krb5_context context,
{
time_t start;
time_t t;
start = et.authtime = kdc_time;
if(f.postdated && req->req_body.from){
@ -1663,8 +1703,8 @@ _kdc_as_rep(krb5_context context,
PA_ClientCanonicalized canon;
krb5_data data;
PA_DATA pa;
krb5_crypto crypto;
size_t len;
krb5_crypto cryptox;
size_t len = 0;
memset(&canon, 0, sizeof(canon));
@ -1679,21 +1719,21 @@ _kdc_as_rep(krb5_context context,
krb5_abortx(context, "internal asn.1 error");
/* sign using "returned session key" */
ret = krb5_crypto_init(context, &et.key, 0, &crypto);
ret = krb5_crypto_init(context, &et.key, 0, &cryptox);
if (ret) {
free(data.data);
goto out;
}
ret = krb5_create_checksum(context, crypto,
ret = krb5_create_checksum(context, cryptox,
KRB5_KU_CANONICALIZED_NAMES, 0,
data.data, data.length,
&canon.canon_checksum);
free(data.data);
krb5_crypto_destroy(context, crypto);
krb5_crypto_destroy(context, cryptox);
if (ret)
goto out;
ASN1_MALLOC_ENCODE(PA_ClientCanonicalized, data.data, data.length,
&canon, &len, ret);
free_Checksum(&canon.canon_checksum);
@ -1826,7 +1866,7 @@ _kdc_tkt_add_if_relevant_ad(krb5_context context,
const krb5_data *data)
{
krb5_error_code ret;
size_t size;
size_t size = 0;
if (tkt->authorization_data == NULL) {
tkt->authorization_data = calloc(1, sizeof(*tkt->authorization_data));
@ -1835,7 +1875,7 @@ _kdc_tkt_add_if_relevant_ad(krb5_context context,
return ENOMEM;
}
}
/* add the entry to the last element */
{
AuthorizationData ad = { 0, NULL };
@ -1863,7 +1903,7 @@ _kdc_tkt_add_if_relevant_ad(krb5_context context,
}
if (ade.ad_data.length != size)
krb5_abortx(context, "internal asn.1 encoder error");
ret = add_AuthorizationData(tkt->authorization_data, &ade);
der_free_octet_string(&ade.ad_data);
if (ret) {

104
source4/heimdal/kdc/krb5tgs.c
View File

@ -64,7 +64,7 @@ find_KRB5SignedPath(krb5_context context,
AuthorizationData child;
krb5_error_code ret;
int pos;
if (ad == NULL || ad->len == 0)
return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
@ -113,7 +113,7 @@ _kdc_add_KRB5SignedPath(krb5_context context,
KRB5SignedPath sp;
krb5_data data;
krb5_crypto crypto = NULL;
size_t size;
size_t size = 0;
if (server && principals) {
ret = add_Principals(principals, server);
@ -123,12 +123,12 @@ _kdc_add_KRB5SignedPath(krb5_context context,
{
KRB5SignedPathData spd;
spd.client = client;
spd.authtime = tkt->authtime;
spd.delegated = principals;
spd.method_data = NULL;
ASN1_MALLOC_ENCODE(KRB5SignedPathData, data.data, data.length,
&spd, &size, ret);
if (ret)
@ -203,7 +203,7 @@ check_KRB5SignedPath(krb5_context context,
if (ret == 0) {
KRB5SignedPathData spd;
KRB5SignedPath sp;
size_t size;
size_t size = 0;
ret = decode_KRB5SignedPath(data.data, data.length, &sp, NULL);
krb5_data_free(&data);
@ -357,7 +357,7 @@ check_PAC(krb5_context context,
server_sign_key, krbtgt_sign_key, rspac);
}
krb5_pac_free(context, pac);
return ret;
}
}
@ -376,7 +376,7 @@ check_tgs_flags(krb5_context context,
KDC_REQ_BODY *b, const EncTicketPart *tgt, EncTicketPart *et)
{
KDCOptions f = b->kdc_options;
if(f.validate){
if(!tgt->flags.invalid || tgt->starttime == NULL){
kdc_log(context, config, 0,
@ -415,7 +415,7 @@ check_tgs_flags(krb5_context context,
}
if(tgt->flags.forwarded)
et->flags.forwarded = 1;
if(f.proxiable){
if(!tgt->flags.proxiable){
kdc_log(context, config, 0,
@ -485,7 +485,7 @@ check_tgs_flags(krb5_context context,
et->endtime = *et->starttime + old_life;
if (et->renew_till != NULL)
et->endtime = min(*et->renew_till, et->endtime);
}
}
#if 0
/* checks for excess flags */
@ -512,7 +512,7 @@ check_constrained_delegation(krb5_context context,
{
const HDB_Ext_Constrained_delegation_acl *acl;
krb5_error_code ret;
int i;
size_t i;
/*
* constrained_delegation (S4U2Proxy) only works within
@ -541,7 +541,7 @@ check_constrained_delegation(krb5_context context,
krb5_clear_error_message(context);
return ret;
}
if (acl) {
for (i = 0; i < acl->len; i++) {
if (krb5_principal_compare(context, target, &acl->val[i]) == TRUE)
@ -623,7 +623,7 @@ fix_transited_encoding(krb5_context context,
krb5_error_code ret = 0;
char **realms, **tmp;
unsigned int num_realms;
int i;
size_t i;
switch (tr->tr_type) {
case DOMAIN_X500_COMPRESS:
@ -843,7 +843,7 @@ tgs_make_reply(krb5_context context,
renew = min(renew, *server->entry.max_renew);
*et.renew_till = et.authtime + renew;
}
if(et.renew_till){
*et.renew_till = min(*et.renew_till, *tgt->renew_till);
*et.starttime = min(*et.starttime, *et.renew_till);
@ -877,7 +877,7 @@ tgs_make_reply(krb5_context context,
if (ret)
goto out;
}
if (auth_data) {
unsigned int i = 0;
@ -919,7 +919,7 @@ tgs_make_reply(krb5_context context,
goto out;
et.crealm = tgt_name->realm;
et.cname = tgt_name->name;
ek.key = et.key;
/* MIT must have at least one last_req */
ek.last_req.len = 1;
@ -1021,7 +1021,7 @@ tgs_check_authenticator(krb5_context context,
krb5_keyblock *key)
{
krb5_authenticator auth;
size_t len;
size_t len = 0;
unsigned char *buf;
size_t buf_size;
krb5_error_code ret;
@ -1048,7 +1048,7 @@ tgs_check_authenticator(krb5_context context,
ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
goto out;
}
/* XXX should not re-encode this */
ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, b, &len, ret);
if(ret){
@ -1107,7 +1107,7 @@ find_rpath(krb5_context context, Realm crealm, Realm srealm)
NULL);
return new_realm;
}
static krb5_boolean
need_referral(krb5_context context, krb5_kdc_configuration *config,
@ -1148,6 +1148,7 @@ tgs_parse_request(krb5_context context,
krb5_keyblock **replykey,
int *rk_is_subkey)
{
static char failed[] = "<unparse_name failed>";
krb5_ap_req ap_req;
krb5_error_code ret;
krb5_principal princ;
@ -1191,7 +1192,7 @@ tgs_parse_request(krb5_context context,
char *p;
ret = krb5_unparse_name(context, princ, &p);
if (ret != 0)
p = "<unparse_name failed>";
p = failed;
krb5_free_principal(context, princ);
kdc_log(context, config, 5, "Ticket-granting ticket account %s does not have secrets at this KDC, need to proxy", p);
if (ret == 0)
@ -1203,7 +1204,7 @@ tgs_parse_request(krb5_context context,
char *p;
ret = krb5_unparse_name(context, princ, &p);
if (ret != 0)
p = "<unparse_name failed>";
p = failed;
krb5_free_principal(context, princ);
kdc_log(context, config, 0,
"Ticket-granting ticket not found in database: %s", msg);
@ -1215,13 +1216,13 @@ tgs_parse_request(krb5_context context,
}
if(ap_req.ticket.enc_part.kvno &&
*ap_req.ticket.enc_part.kvno != (*krbtgt)->entry.kvno){
(unsigned int)*ap_req.ticket.enc_part.kvno != (*krbtgt)->entry.kvno){
char *p;
ret = krb5_unparse_name (context, princ, &p);
krb5_free_principal(context, princ);
if (ret != 0)
p = "<unparse_name failed>";
p = failed;
kdc_log(context, config, 0,
"Ticket kvno = %d, DB kvno = %d (%s)",
*ap_req.ticket.enc_part.kvno,
@ -1266,7 +1267,7 @@ tgs_parse_request(krb5_context context,
&ap_req_options,
ticket,
KRB5_KU_TGS_REQ_AUTH);
krb5_free_principal(context, princ);
if(ret) {
const char *msg = krb5_get_error_message(context, ret);
@ -1396,12 +1397,12 @@ build_server_referral(krb5_context context,
const PrincipalName *true_principal_name,
const PrincipalName *requested_principal,
krb5_data *outdata)
{
{
PA_ServerReferralData ref;
krb5_error_code ret;
EncryptedData ed;
krb5_data data;
size_t size;
size_t size = 0;
memset(&ref, 0, sizeof(ref));
@ -1521,7 +1522,7 @@ tgs_build_reply(krb5_context context,
hdb_entry_ex *uu;
krb5_principal p;
Key *uukey;
if(b->additional_tickets == NULL ||
b->additional_tickets->len == 0){
ret = KRB5KDC_ERR_BADOPTION; /* ? */
@ -1567,7 +1568,7 @@ tgs_build_reply(krb5_context context,
}
_krb5_principalname2krb5_principal(context, &sp, *s, r);
ret = krb5_unparse_name(context, sp, &spn);
ret = krb5_unparse_name(context, sp, &spn);
if (ret)
goto out;
_krb5_principalname2krb5_principal(context, &cp, tgt->cname, tgt->crealm);
@ -1612,7 +1613,7 @@ server_lookup:
free(spn);
krb5_make_principal(context, &sp, r,
KRB5_TGS_NAME, new_rlm, NULL);
ret = krb5_unparse_name(context, sp, &spn);
ret = krb5_unparse_name(context, sp, &spn);
if (ret)
goto out;
@ -1662,7 +1663,7 @@ server_lookup:
krb5_enctype etype;
if(b->kdc_options.enc_tkt_in_skey) {
int i;
size_t i;
ekey = &adtkt.key;
for(i = 0; i < b->etype.len; i++)
if (b->etype.val[i] == adtkt.key.keytype)
@ -1678,9 +1679,11 @@ server_lookup:
kvno = 0;
} else {
Key *skey;
ret = _kdc_find_etype(context, server,
b->etype.val, b->etype.len, &skey);
ret = _kdc_find_etype(context,
config->tgs_use_strongest_session_key, FALSE,
server, b->etype.val, b->etype.len, NULL,
&skey);
if(ret) {
kdc_log(context, config, 0,
"Server (%s) has no support for etypes", spn);
@ -1690,7 +1693,7 @@ server_lookup:
etype = skey->key.keytype;
kvno = server->entry.kvno;
}
ret = krb5_generate_random_keyblock(context, etype, &sessionkey);
if (ret)
goto out;
@ -1717,11 +1720,11 @@ server_lookup:
/* Now refetch the primary krbtgt, and get the current kvno (the
* sign check may have been on an old kvno, and the server may
* have been an incoming trust) */
ret = krb5_make_principal(context, &krbtgt_principal,
ret = krb5_make_principal(context, &krbtgt_principal,
krb5_principal_get_comp_string(context,
krbtgt->entry.principal,
1),
KRB5_TGS_NAME,
KRB5_TGS_NAME,
krb5_principal_get_comp_string(context,
krbtgt->entry.principal,
1), NULL);
@ -2052,7 +2055,7 @@ server_lookup:
goto out;
}
ret = check_constrained_delegation(context, config, clientdb,
ret = check_constrained_delegation(context, config, clientdb,
client, server, sp);
if (ret) {
kdc_log(context, config, 0,
@ -2067,17 +2070,18 @@ server_lookup:
}
krb5_data_free(&rspac);
/*
* generate the PAC for the user and pass
* dp for the S4U_DELEGATION_INFO blob in the PAC.
* generate the PAC for the user.
*
* TODO: pass in t->sname and t->realm and build
* a S4U_DELEGATION_INFO blob to the PAC.
*/
ret = check_PAC(context, config, tp, dp,
client, server, krbtgt,
&clientkey->key, &tkey_check->key,
ekey, &tkey_sign->key,
&adtkt, &rspac, &ad_signedpath);
if (ret == 0 && !ad_signedpath)
ret = KRB5KDC_ERR_BADOPTION;
if (ret) {
const char *msg = krb5_get_error_message(context, ret);
kdc_log(context, config, 0,
@ -2094,12 +2098,10 @@ server_lookup:
ret = check_KRB5SignedPath(context,
config,
krbtgt,
tp,
cp,
&adtkt,
NULL,
&ad_signedpath);
if (ret == 0 && !ad_signedpath)
ret = KRB5KDC_ERR_BADOPTION;
if (ret) {
const char *msg = krb5_get_error_message(context, ret);
kdc_log(context, config, 0,
@ -2111,6 +2113,16 @@ server_lookup:
goto out;
}
if (!ad_signedpath) {
ret = KRB5KDC_ERR_BADOPTION;
kdc_log(context, config, 0,
"Ticket not signed with PAC nor SignedPath service %s failed "
"for delegation to %s for client %s (%s)"
"from %s",
spn, tpn, dpn, cpn, from);
goto out;
}
kdc_log(context, config, 0, "constrained delegation for %s "
"from %s (%s) to %s", tpn, cpn, dpn, spn);
}
@ -2141,7 +2153,7 @@ server_lookup:
kdc_log(context, config, 0, "Request from wrong address");
goto out;
}
/*
* If this is an referral, add server referral data to the
* auth_data reply .
@ -2203,7 +2215,7 @@ server_lookup:
&enc_pa_data,
e_text,
reply);
out:
if (tpn != cpn)
free(tpn);
@ -2279,7 +2291,7 @@ _kdc_tgs_rep(krb5_context context,
if(tgs_req == NULL){
ret = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
kdc_log(context, config, 0,
"TGS-REQ from %s without PA-TGS-REQ", from);
goto out;

4
source4/heimdal/kdc/kx509.c
View File

@ -259,7 +259,7 @@ build_certificate(krb5_context context,
hx509_cert_free(cert);
if (ret)
goto out;
return 0;
out:
if (env)
@ -355,7 +355,7 @@ _kdc_do_kx509(krb5_context context,
krb5_xfree(expected);
goto out;
}
ret = KRB5KDC_ERR_SERVER_NOMATCH;
krb5_set_error_message(context, ret,
"User %s used wrong Kx509 service "

10
source4/heimdal/kdc/log.c
View File

@ -50,10 +50,12 @@ kdc_openlog(krb5_context context,
krb5_addlog_dest(context, config->logf, *p);
krb5_config_free_strings(s);
}else {
char *s;
asprintf(&s, "0-1/FILE:%s/%s", hdb_db_dir(context), KDC_LOG_FILE);
krb5_addlog_dest(context, config->logf, s);
free(s);
char *ss;
if (asprintf(&ss, "0-1/FILE:%s/%s", hdb_db_dir(context),
KDC_LOG_FILE) < 0)
err(1, NULL);
krb5_addlog_dest(context, config->logf, ss);
free(ss);
}
krb5_set_warn_dest(context, config->logf);
}

37
source4/heimdal/kdc/misc.c
View File

@ -62,7 +62,7 @@ _kdc_db_fetch(krb5_context context,
for(i = 0; i < config->num_db; i++) {
krb5_principal enterprise_principal = NULL;
if (!(config->db[i]->hdb_capability_flags & HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL)
if (!(config->db[i]->hdb_capability_flags & HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL)
&& principal->name.name_type == KRB5_NT_ENTERPRISE_PRINCIPAL) {
if (principal->name.name_string.len != 1) {
ret = KRB5_PARSE_MALFORMED;
@ -134,24 +134,41 @@ _kdc_get_preferred_key(krb5_context context,
krb5_enctype *enctype,
Key **key)
{
const krb5_enctype *p;
krb5_error_code ret;
int i;
p = krb5_kerberos_enctypes(context);
if (config->use_strongest_server_key) {
const krb5_enctype *p = krb5_kerberos_enctypes(context);
for (i = 0; p[i] != ETYPE_NULL; i++) {
if (krb5_enctype_valid(context, p[i]) != 0)
continue;
ret = hdb_enctype2key(context, &h->entry, p[i], key);
if (ret == 0) {
*enctype = p[i];
for (i = 0; p[i] != ETYPE_NULL; i++) {
if (krb5_enctype_valid(context, p[i]) != 0)
continue;
ret = hdb_enctype2key(context, &h->entry, p[i], key);
if (ret != 0)
continue;
if (enctype != NULL)
*enctype = p[i];
return 0;
}
} else {
*key = NULL;
for (i = 0; i < h->entry.keys.len; i++) {
if (krb5_enctype_valid(context, h->entry.keys.val[i].key.keytype)
!= 0)
continue;
ret = hdb_enctype2key(context, &h->entry,
h->entry.keys.val[i].key.keytype, key);
if (ret != 0)
continue;
if (enctype != NULL)
*enctype = (*key)->key.keytype;
return 0;
}
}
krb5_set_error_message(context, EINVAL,
"No valid kerberos key found for %s", name);
return EINVAL;
return EINVAL; /* XXX */
}

115
source4/heimdal/kdc/pkinit.c
View File

@ -116,7 +116,7 @@ pk_check_pkauthenticator(krb5_context context,
u_char *buf = NULL;
size_t buf_size;
krb5_error_code ret;
size_t len;
size_t len = 0;
krb5_timestamp now;
Checksum checksum;
@ -148,7 +148,7 @@ pk_check_pkauthenticator(krb5_context context,
krb5_clear_error_message(context);
return ret;
}
if (a->paChecksum == NULL) {
krb5_clear_error_message(context);
ret = KRB5_KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED;
@ -222,7 +222,7 @@ generate_dh_keyblock(krb5_context context,
if (!DH_generate_key(client_params->u.dh.key)) {
ret = KRB5KRB_ERR_GENERIC;
krb5_set_error_message(context, ret,
krb5_set_error_message(context, ret,
"Can't generate Diffie-Hellman keys");
goto out;
}
@ -237,7 +237,7 @@ generate_dh_keyblock(krb5_context context,
}
dh_gen_keylen = DH_compute_key(dh_gen_key,client_params->u.dh.public_key, client_params->u.dh.key);
if (dh_gen_keylen == -1) {
if (dh_gen_keylen == (size_t)-1) {
ret = KRB5KRB_ERR_GENERIC;
krb5_set_error_message(context, ret,
"Can't compute Diffie-Hellman key");
@ -281,14 +281,14 @@ generate_dh_keyblock(krb5_context context,
goto out;
}
dh_gen_keylen = ECDH_compute_key(dh_gen_key, size,
dh_gen_keylen = ECDH_compute_key(dh_gen_key, size,
EC_KEY_get0_public_key(client_params->u.ecdh.public_key),
client_params->u.ecdh.key, NULL);
#endif /* HAVE_OPENSSL */
} else {
ret = KRB5KRB_ERR_GENERIC;
krb5_set_error_message(context, ret,
krb5_set_error_message(context, ret,
"Diffie-Hellman not selected keys");
goto out;
}
@ -525,7 +525,7 @@ _kdc_pk_rd_padata(krb5_context context,
goto out;
}
ret = hx509_certs_merge(context->hx509ctx, trust_anchors,
ret = hx509_certs_merge(context->hx509ctx, trust_anchors,
kdc_identity->anchors);
if (ret) {
hx509_certs_free(&trust_anchors);
@ -538,7 +538,7 @@ _kdc_pk_rd_padata(krb5_context context,
if (ret == 0 && pc != NULL) {
hx509_cert cert;
unsigned int i;
for (i = 0; i < pc->len; i++) {
ret = hx509_cert_init_data(context->hx509ctx,
pc->val[i].cert.data,
@ -572,7 +572,7 @@ _kdc_pk_rd_padata(krb5_context context,
if (req->req_body.kdc_options.request_anonymous) {
ret = KRB5_KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED;
krb5_set_error_message(context, ret,
krb5_set_error_message(context, ret,
"Anon not supported in RSA mode");
goto out;
}
@ -586,7 +586,7 @@ _kdc_pk_rd_padata(krb5_context context,
"PK-AS-REQ-Win2k: %d", ret);
goto out;
}
ret = hx509_cms_unwrap_ContentInfo(&r.signed_auth_pack,
&contentInfoOid,
&signed_content,
@ -612,7 +612,7 @@ _kdc_pk_rd_padata(krb5_context context,
"Can't decode PK-AS-REQ: %d", ret);
goto out;
}
/* XXX look at r.kdcPkId */
if (r.trustedCertifiers) {
ExternalPrincipalIdentifiers *edi = r.trustedCertifiers;
@ -624,12 +624,12 @@ _kdc_pk_rd_padata(krb5_context context,
&cp->client_anchors);
if (ret) {
krb5_set_error_message(context, ret,
"Can't allocate client anchors: %d",
"Can't allocate client anchors: %d",
ret);
goto out;
}
/*
/*
* If the client sent more then 10 EDI, don't bother
* looking more then 10 of performance reasons.
*/
@ -651,7 +651,7 @@ _kdc_pk_rd_padata(krb5_context context,
"Failed to allocate hx509_query");
goto out;
}
ret = decode_IssuerAndSerialNumber(edi->val[i].issuerAndSerialNumber->data,
edi->val[i].issuerAndSerialNumber->length,
&iasn,
@ -704,7 +704,7 @@ _kdc_pk_rd_padata(krb5_context context,
"PK-AS-REQ-Win2k invalid content type oid");
goto out;
}
if (!have_data) {
ret = KRB5KRB_ERR_GENERIC;
krb5_set_error_message(context, ret,
@ -805,7 +805,7 @@ _kdc_pk_rd_padata(krb5_context context,
ap.clientPublicValue == NULL) {
free_AuthPack(&ap);
ret = KRB5_KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED;
krb5_set_error_message(context, ret,
krb5_set_error_message(context, ret,
"Anon not supported in RSA mode");
goto out;
}
@ -849,7 +849,7 @@ _kdc_pk_rd_padata(krb5_context context,
free_AuthPack(&ap);
goto out;
}
if (ap.supportedCMSTypes) {
ret = hx509_peer_info_set_cms_algs(context->hx509ctx,
cp->peer,
@ -885,7 +885,7 @@ out:
der_free_oid(&contentInfoOid);
if (ret) {
_kdc_pk_free_client_param(context, cp);
} else
} else
*ret_params = cp;
return ret;
}
@ -921,7 +921,7 @@ pk_mk_pa_reply_enckey(krb5_context context,
const heim_oid *envelopedAlg = NULL, *sdAlg = NULL, *evAlg = NULL;
krb5_error_code ret;
krb5_data buf, signed_data;
size_t size;
size_t size = 0;
int do_win2k = 0;
krb5_data_zero(&buf);
@ -954,7 +954,7 @@ pk_mk_pa_reply_enckey(krb5_context context,
break;
default:
krb5_abortx(context, "internal pkinit error");
}
}
if (do_win2k) {
ReplyKeyPack_Win2k kp;
@ -966,7 +966,7 @@ pk_mk_pa_reply_enckey(krb5_context context,
goto out;
}
kp.nonce = cp->nonce;
ASN1_MALLOC_ENCODE(ReplyKeyPack_Win2k,
buf.data, buf.length,
&kp, &size,ret);
@ -995,7 +995,7 @@ pk_mk_pa_reply_enckey(krb5_context context,
krb5_clear_error_message(context);
goto out;
}
ret = krb5_crypto_destroy(context, ascrypto);
if (ret) {
krb5_clear_error_message(context);
@ -1015,15 +1015,15 @@ pk_mk_pa_reply_enckey(krb5_context context,
{
hx509_query *q;
hx509_cert cert;
ret = hx509_query_alloc(context->hx509ctx, &q);
if (ret)
goto out;
hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
if (config->pkinit_kdc_friendly_name)
hx509_query_match_friendly_name(q, config->pkinit_kdc_friendly_name);
ret = hx509_certs_find(context->hx509ctx,
kdc_identity->certs,
q,
@ -1031,7 +1031,7 @@ pk_mk_pa_reply_enckey(krb5_context context,
hx509_query_free(context->hx509ctx, q);
if (ret)
goto out;
ret = hx509_cms_create_signed_1(context->hx509ctx,
0,
sdAlg,
@ -1078,7 +1078,7 @@ out:
hx509_cert_free(*kdc_cert);
*kdc_cert = NULL;
}
krb5_data_free(&buf);
krb5_data_free(&signed_data);
return ret;
@ -1101,7 +1101,7 @@ pk_mk_pa_reply_dh(krb5_context context,
krb5_error_code ret;
hx509_cert cert;
hx509_query *q;
size_t size;
size_t size = 0;
memset(&contentinfo, 0, sizeof(contentinfo));
memset(&dh_info, 0, sizeof(dh_info));
@ -1117,7 +1117,7 @@ pk_mk_pa_reply_dh(krb5_context context,
ret = BN_to_integer(context, kdc_dh->pub_key, &i);
if (ret)
return ret;
ASN1_MALLOC_ENCODE(DHPublicKey, buf.data, buf.length, &i, &size, ret);
der_free_heim_integer(&i);
if (ret) {
@ -1127,7 +1127,7 @@ pk_mk_pa_reply_dh(krb5_context context,
}
if (buf.length != size)
krb5_abortx(context, "Internal ASN.1 encoder error");
dh_info.subjectPublicKey.length = buf.length * 8;
dh_info.subjectPublicKey.data = buf.data;
krb5_data_zero(&buf);
@ -1154,7 +1154,7 @@ pk_mk_pa_reply_dh(krb5_context context,
} else
krb5_abortx(context, "no keyex selected ?");
dh_info.nonce = cp->nonce;
ASN1_MALLOC_ENCODE(KDCDHKeyInfo, buf.data, buf.length, &dh_info, &size,
@ -1175,11 +1175,11 @@ pk_mk_pa_reply_dh(krb5_context context,
ret = hx509_query_alloc(context->hx509ctx, &q);
if (ret)
goto out;
hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
if (config->pkinit_kdc_friendly_name)
hx509_query_match_friendly_name(q, config->pkinit_kdc_friendly_name);
ret = hx509_certs_find(context->hx509ctx,
kdc_identity->certs,
q,
@ -1187,7 +1187,7 @@ pk_mk_pa_reply_dh(krb5_context context,
hx509_query_free(context->hx509ctx, q);
if (ret)
goto out;
ret = hx509_cms_create_signed_1(context->hx509ctx,
0,
&asn1_oid_id_pkdhkeydata,
@ -1242,12 +1242,12 @@ _kdc_pk_mk_pa_reply(krb5_context context,
METHOD_DATA *md)
{
krb5_error_code ret;
void *buf;
size_t len, size;
void *buf = NULL;
size_t len = 0, size = 0;
krb5_enctype enctype;
int pa_type;
hx509_cert kdc_cert = NULL;
int i;
size_t i;
if (!config->enable_pkinit) {
krb5_clear_error_message(context);
@ -1263,7 +1263,7 @@ _kdc_pk_mk_pa_reply(krb5_context context,
krb5_set_error_message(context, ret,
"No valid enctype available from client");
goto out;
}
}
enctype = req->req_body.etype.val[i];
} else
enctype = ETYPE_DES3_CBC_SHA1;
@ -1314,7 +1314,7 @@ _kdc_pk_mk_pa_reply(krb5_context context,
if (rep.u.encKeyPack.length != size)
krb5_abortx(context, "Internal ASN.1 encoder error");
ret = krb5_generate_random_keyblock(context, sessionetype,
ret = krb5_generate_random_keyblock(context, sessionetype,
sessionkey);
if (ret) {
free_PA_PK_AS_REP(&rep);
@ -1368,7 +1368,7 @@ _kdc_pk_mk_pa_reply(krb5_context context,
krb5_abortx(context, "Internal ASN.1 encoder error");
/* XXX KRB-FX-CF2 */
ret = krb5_generate_random_keyblock(context, sessionetype,
ret = krb5_generate_random_keyblock(context, sessionetype,
sessionkey);
if (ret) {
free_PA_PK_AS_REP(&rep);
@ -1463,7 +1463,7 @@ _kdc_pk_mk_pa_reply(krb5_context context,
if (len != size)
krb5_abortx(context, "Internal ASN.1 encoder error");
ret = krb5_generate_random_keyblock(context, sessionetype,
ret = krb5_generate_random_keyblock(context, sessionetype,
sessionkey);
if (ret) {
free(buf);
@ -1507,7 +1507,7 @@ _kdc_pk_mk_pa_reply(krb5_context context,
"PK-INIT failed to stat ocsp data %d", ret);
goto out_ocsp;
}
ret = krb5_data_alloc(&ocsp.data, sb.st_size);
if (ret) {
close(fd);
@ -1575,7 +1575,8 @@ match_rfc_san(krb5_context context,
krb5_const_principal match)
{
hx509_octet_string_list list;
int ret, i, found = 0;
int ret, found = 0;
size_t i;
memset(&list, 0 , sizeof(list));
@ -1679,12 +1680,12 @@ match_ms_upn_san(krb5_context context,
if (clientdb->hdb_check_pkinit_ms_upn_match) {
ret = clientdb->hdb_check_pkinit_ms_upn_match(context, clientdb, client, principal);
} else {
/*
* This is very wrong, but will do for a fallback
*/
strupr(principal->realm);
if (krb5_principal_compare(context, principal, client->entry.principal) == FALSE)
ret = KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
}
@ -1709,7 +1710,7 @@ _kdc_pk_check_client(krb5_context context,
const HDB_Ext_PKINIT_cert *pc;
krb5_error_code ret;
hx509_name name;
int i;
size_t i;
if (cp->cert == NULL) {
@ -1737,12 +1738,12 @@ _kdc_pk_check_client(krb5_context context,
ret = hdb_entry_get_pkinit_cert(&client->entry, &pc);
if (ret == 0 && pc) {
hx509_cert cert;
unsigned int i;
for (i = 0; i < pc->len; i++) {
size_t j;
for (j = 0; j < pc->len; j++) {
ret = hx509_cert_init_data(context->hx509ctx,
pc->val[i].cert.data,
pc->val[i].cert.length,
pc->val[j].cert.data,
pc->val[j].cert.length,
&cert);
if (ret)
continue;
@ -1770,7 +1771,7 @@ _kdc_pk_check_client(krb5_context context,
ret = match_ms_upn_san(context, config,
context->hx509ctx,
cp->cert,
clientdb,
clientdb,
client);
if (ret == 0) {
kdc_log(context, config, 5,
@ -1871,7 +1872,7 @@ _kdc_add_inital_verified_cas(krb5_context context,
AD_INITIAL_VERIFIED_CAS cas;
krb5_error_code ret;
krb5_data data;
size_t size;
size_t size = 0;
memset(&cas, 0, sizeof(cas));
@ -1937,7 +1938,7 @@ load_mappings(krb5_context context, const char *fn)
fclose(f);
}
/*
*
*/
@ -1982,17 +1983,17 @@ krb5_kdc_pk_initialize(krb5_context context,
{
hx509_query *q;
hx509_cert cert;
ret = hx509_query_alloc(context->hx509ctx, &q);
if (ret) {
krb5_warnx(context, "PKINIT: out of memory");
return ENOMEM;
}
hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
if (config->pkinit_kdc_friendly_name)
hx509_query_match_friendly_name(q, config->pkinit_kdc_friendly_name);
ret = hx509_certs_find(context->hx509ctx,
kdc_identity->certs,
q,

18
source4/heimdal/kdc/process.c
View File

@ -47,7 +47,7 @@ krb5_kdc_update_time(struct timeval *tv)
_kdc_now = *tv;
}
static krb5_error_code
static krb5_error_code
kdc_as_req(krb5_context context,
krb5_kdc_configuration *config,
krb5_data *req_buffer,
@ -74,7 +74,7 @@ kdc_as_req(krb5_context context,
}
static krb5_error_code
static krb5_error_code
kdc_tgs_req(krb5_context context,
krb5_kdc_configuration *config,
krb5_data *req_buffer,
@ -91,10 +91,10 @@ kdc_tgs_req(krb5_context context,
ret = decode_TGS_REQ(req_buffer->data, req_buffer->length, &req, &len);
if (ret)
return ret;
*claim = 1;
ret = _kdc_tgs_rep(context, config, &req, reply,
ret = _kdc_tgs_rep(context, config, &req, reply,
from, addr, datagram_reply);
free_TGS_REQ(&req);
return ret;
@ -102,7 +102,7 @@ kdc_tgs_req(krb5_context context,
#ifdef DIGEST
static krb5_error_code
static krb5_error_code
kdc_digest(krb5_context context,
krb5_kdc_configuration *config,
krb5_data *req_buffer,
@ -132,7 +132,7 @@ kdc_digest(krb5_context context,
#ifdef KX509
static krb5_error_code
static krb5_error_code
kdc_kx509(krb5_context context,
krb5_kdc_configuration *config,
krb5_data *req_buffer,
@ -193,7 +193,7 @@ krb5_kdc_process_request(krb5_context context,
unsigned int i;
krb5_data req_buffer;
int claim = 0;
req_buffer.data = buf;
req_buffer.length = len;
@ -232,7 +232,7 @@ krb5_kdc_process_krb5_request(krb5_context context,
unsigned int i;
krb5_data req_buffer;
int claim = 0;
req_buffer.data = buf;
req_buffer.length = len;
@ -245,7 +245,7 @@ krb5_kdc_process_krb5_request(krb5_context context,
if (claim)
return ret;
}
return -1;
}

10
source4/heimdal/kdc/windc.c
View File

@ -55,7 +55,7 @@ krb5_kdc_windc_init(krb5_context context)
windcft = _krb5_plugin_get_symbol(e);
if (windcft->minor_version < KRB5_WINDC_PLUGIN_MINOR)
continue;
(*windcft->init)(context, &windcctx);
break;
}
@ -119,9 +119,9 @@ _kdc_check_access(krb5_context context,
server_ex, server_name,
req->msg_type == krb_as_req);
return (windcft->client_access)(windcctx,
context, config,
client_ex, client_name,
server_ex, server_name,
return (windcft->client_access)(windcctx,
context, config,
client_ex, client_name,
server_ex, server_name,
req, e_data);
}

6
source4/heimdal/kdc/windc_plugin.h
View File

@ -66,10 +66,10 @@ typedef krb5_error_code
typedef krb5_error_code
(*krb5plugin_windc_client_access)(
void *, krb5_context,
void *, krb5_context,
krb5_kdc_configuration *config,
hdb_entry_ex *, const char *,
hdb_entry_ex *, const char *,
hdb_entry_ex *, const char *,
hdb_entry_ex *, const char *,
KDC_REQ *, krb5_data *);

15
source4/heimdal/kpasswd/kpasswd.c
View File

@ -40,10 +40,11 @@ static char *admin_principal_str;
static char *cred_cache_str;
static struct getargs args[] = {
{ "admin-principal", 0, arg_string, &admin_principal_str },
{ "cache", 'c', arg_string, &cred_cache_str },
{ "version", 0, arg_flag, &version_flag },
{ "help", 0, arg_flag, &help_flag }
{ "admin-principal", 0, arg_string, &admin_principal_str, NULL,
NULL },
{ "cache", 'c', arg_string, &cred_cache_str, NULL, NULL },
{ "version", 0, arg_flag, &version_flag, NULL, NULL },
{ "help", 0, arg_flag, &help_flag, NULL, NULL }
};
static void
@ -197,9 +198,9 @@ main (int argc, char **argv)
default:
krb5_err(context, 1, ret, "krb5_get_init_creds");
}
krb5_get_init_creds_opt_free(context, opt);
ret = krb5_cc_initialize(context, id, admin_principal);
krb5_free_principal(context, admin_principal);
if (ret)
@ -208,7 +209,7 @@ main (int argc, char **argv)
ret = krb5_cc_store_cred(context, id, &cred);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_store_cred");
krb5_free_cred_contents (context, &cred);
}

66
source4/heimdal/kuser/kinit.c
View File

@ -96,31 +96,31 @@ static struct getargs args[] = {
* 9:
*/
{ "afslog", 0 , arg_flag, &do_afslog,
NP_("obtain afs tokens", "") },
NP_("obtain afs tokens", ""), NULL },
{ "cache", 'c', arg_string, &cred_cache,
NP_("credentials cache", ""), "cachename" },
{ "forwardable", 0, arg_negative_flag, &forwardable_flag,
NP_("get tickets not forwardable", "")},
NP_("get tickets not forwardable", ""), NULL },
{ NULL, 'f', arg_flag, &forwardable_flag,
NP_("get forwardable tickets", "")},
NP_("get forwardable tickets", ""), NULL },
{ "keytab", 't', arg_string, &keytab_str,
NP_("keytab to use", ""), "keytabname" },
{ "lifetime", 'l', arg_string, &lifetime,
NP_("lifetime of tickets", ""), "time"},
NP_("lifetime of tickets", ""), "time" },
{ "proxiable", 'p', arg_flag, &proxiable_flag,
NP_("get proxiable tickets", "") },
NP_("get proxiable tickets", ""), NULL },
{ "renew", 'R', arg_flag, &renew_flag,
NP_("renew TGT", "") },
NP_("renew TGT", ""), NULL },
{ "renewable", 0, arg_flag, &renewable_flag,
NP_("get renewable tickets", "") },
NP_("get renewable tickets", ""), NULL },
{ "renewable-life", 'r', arg_string, &renew_life,
NP_("renewable lifetime of tickets", ""), "time" },
@ -132,40 +132,40 @@ static struct getargs args[] = {
NP_("when ticket gets valid", ""), "time" },
{ "use-keytab", 'k', arg_flag, &use_keytab,
NP_("get key from keytab", "") },
NP_("get key from keytab", ""), NULL },
{ "validate", 'v', arg_flag, &validate_flag,
NP_("validate TGT", "") },
NP_("validate TGT", ""), NULL },
{ "enctypes", 'e', arg_strings, &etype_str,
NP_("encryption types to use", ""), "enctypes" },
{ "fcache-version", 0, arg_integer, &fcache_version,
NP_("file cache version to create", "") },
NP_("file cache version to create", ""), NULL },
{ "addresses", 'A', arg_negative_flag, &addrs_flag,
NP_("request a ticket with no addresses", "") },
NP_("request a ticket with no addresses", ""), NULL },
{ "extra-addresses",'a', arg_strings, &extra_addresses,
NP_("include these extra addresses", ""), "addresses" },
{ "anonymous", 0, arg_flag, &anonymous_flag,
NP_("request an anonymous ticket", "") },
NP_("request an anonymous ticket", ""), NULL },
{ "request-pac", 0, arg_flag, &pac_flag,
NP_("request a Windows PAC", "") },
NP_("request a Windows PAC", ""), NULL },
{ "password-file", 0, arg_string, &password_file,
NP_("read the password from a file", "") },
NP_("read the password from a file", ""), NULL },
{ "canonicalize",0, arg_flag, &canonicalize_flag,
NP_("canonicalize client principal", "") },
NP_("canonicalize client principal", ""), NULL },
{ "enterprise",0, arg_flag, &enterprise_flag,
NP_("parse principal as a KRB5-NT-ENTERPRISE name", "") },
NP_("parse principal as a KRB5-NT-ENTERPRISE name", ""), NULL },
#ifdef PKINIT
{ "pk-enterprise", 0, arg_flag, &pk_enterprise_flag,
NP_("use enterprise name from certificate", "") },
NP_("use enterprise name from certificate", ""), NULL },
{ "pk-user", 'C', arg_string, &pk_user_id,
NP_("principal's public/private/certificate identifier", ""), "id" },
@ -174,7 +174,7 @@ static struct getargs args[] = {
NP_("directory with CA certificates", ""), "directory" },
{ "pk-use-enckey", 0, arg_flag, &pk_use_enckey,
NP_("Use RSA encrypted reply (instead of DH)", "") },
NP_("Use RSA encrypted reply (instead of DH)", ""), NULL },
#endif
#ifndef NO_NTLM
{ "ntlm-domain", 0, arg_string, &ntlm_domain,
@ -182,19 +182,19 @@ static struct getargs args[] = {
#endif
{ "change-default", 0, arg_negative_flag, &switch_cache_flags,
NP_("switch the default cache to the new credentials cache", "") },
NP_("switch the default cache to the new credentials cache", ""), NULL },
{ "ok-as-delegate", 0, arg_flag, &ok_as_delegate_flag,
NP_("honor ok-as-delegate on tickets", "") },
NP_("honor ok-as-delegate on tickets", ""), NULL },
{ "use-referrals", 0, arg_flag, &use_referrals_flag,
NP_("only use referrals, no dns canalisation", "") },
NP_("only use referrals, no dns canalisation", ""), NULL },
{ "windows", 0, arg_flag, &windows_flag,
NP_("get windows behavior", "") },
NP_("get windows behavior", ""), NULL },
{ "version", 0, arg_flag, &version_flag },
{ "help", 0, arg_flag, &help_flag }
{ "version", 0, arg_flag, &version_flag, NULL, NULL },
{ "help", 0, arg_flag, &help_flag, NULL, NULL }
};
static void
@ -357,7 +357,7 @@ get_new_tickets(krb5_context context,
char passwd[256];
krb5_deltat start_time = 0;
krb5_deltat renew = 0;
char *renewstr = NULL;
const char *renewstr = NULL;
krb5_enctype *enctype = NULL;
krb5_ccache tempccache;
#ifndef NO_NTLM
@ -466,7 +466,7 @@ get_new_tickets(krb5_context context,
renew = parse_time (renewstr, "s");
if (renew < 0)
errx (1, "unparsable time: %s", renewstr);
krb5_get_init_creds_opt_set_renew_life (opt, renew);
}
@ -532,11 +532,11 @@ get_new_tickets(krb5_context context,
if (passwd[0] == '\0') {
char *p, *prompt;
krb5_unparse_name (context, principal, &p);
asprintf (&prompt, N_("%s's Password: ", ""), p);
free (p);
if (UI_UTIL_read_pw_string(passwd, sizeof(passwd)-1, prompt, 0)){
memset(passwd, 0, sizeof(passwd));
exit(1);
@ -544,7 +544,7 @@ get_new_tickets(krb5_context context,
free (prompt);
}
ret = krb5_get_init_creds_password (context,
&cred,
principal,
@ -592,7 +592,7 @@ get_new_tickets(krb5_context context,
char life[64];
unparse_time_approx(cred.times.renew_till - cred.times.starttime,
life, sizeof(life));
krb5_warnx(context,
krb5_warnx(context,
N_("NOTICE: ticket renewable lifetime is %s", ""),
life);
}
@ -773,7 +773,7 @@ main (int argc, char **argv)
} else if (anonymous_flag) {
ret = krb5_make_principal(context, &principal, argv[0],
KRB5_WELLKNOWN_NAME, KRB5_ANON_NAME,
KRB5_WELLKNOWN_NAME, KRB5_ANON_NAME,
NULL);
if (ret)
krb5_err(context, 1, ret, "krb5_make_principal");
@ -825,7 +825,7 @@ main (int argc, char **argv)
if (ret)
krb5_err (context, 1, ret, N_("resolving credentials cache", ""));
/*
/*
* Check if the type support switching, and we do,
* then do that instead over overwriting the current
* default credential
@ -904,7 +904,7 @@ main (int argc, char **argv)
krb5_warnx(context, N_("permission denied: %s", ""), argv[1]);
else if(ret == EX_NOTFOUND)
krb5_warnx(context, N_("command not found: %s", ""), argv[1]);
krb5_cc_destroy(context, ccache);
#ifndef NO_AFS
if(k_hasafs())

2
source4/heimdal/lib/asn1/asn1-common.h
View File

@ -75,5 +75,5 @@ typedef struct heim_octet_string heim_any_set;
#define ASN1EXP
#define ASN1CALL
#endif
#endif

4
source4/heimdal/lib/asn1/asn1parse.c
View File

@ -1905,7 +1905,7 @@ yyreduce:
/* Line 1455 of yacc.c */
#line 368 "asn1parse.c"
{
{
if((yyvsp[(2) - (5)].value)->type != integervalue)
lex_error_message("Non-integer in first part of range");
(yyval.range) = ecalloc(1, sizeof(*(yyval.range)));
@ -1918,7 +1918,7 @@ yyreduce:
/* Line 1455 of yacc.c */
#line 376 "asn1parse.c"
{
{
if((yyvsp[(4) - (5)].value)->type != integervalue)
lex_error_message("Non-integer in second part of range");
(yyval.range) = ecalloc(1, sizeof(*(yyval.range)));

4
source4/heimdal/lib/asn1/asn1parse.y
View File

@ -365,7 +365,7 @@ range : '(' Value RANGE Value ')'
$$->max = $4->u.integervalue;
}
| '(' Value RANGE kw_MAX ')'
{
{
if($2->type != integervalue)
lex_error_message("Non-integer in first part of range");
$$ = ecalloc(1, sizeof(*$$));
@ -373,7 +373,7 @@ range : '(' Value RANGE Value ')'
$$->max = $2->u.integervalue - 1;
}
| '(' kw_MIN RANGE Value ')'
{
{
if($4->type != integervalue)
lex_error_message("Non-integer in second part of range");
$$ = ecalloc(1, sizeof(*$$));

4
source4/heimdal/lib/asn1/der_cmp.c
View File

@ -53,14 +53,14 @@ der_heim_octet_string_cmp(const heim_octet_string *p,
}
int
der_printable_string_cmp(const heim_printable_string *p,
der_printable_string_cmp(const heim_printable_string *p,
const heim_printable_string *q)
{
return der_heim_octet_string_cmp(p, q);
}
int
der_ia5_string_cmp(const heim_ia5_string *p,
der_ia5_string_cmp(const heim_ia5_string *p,
const heim_ia5_string *q)
{
return der_heim_octet_string_cmp(p, q);

2
source4/heimdal/lib/asn1/der_format.c
View File

@ -108,7 +108,7 @@ int
der_print_heim_oid (const heim_oid *oid, char delim, char **str)
{
struct rk_strpool *p = NULL;
int i;
size_t i;
if (oid->length == 0)
return EINVAL;

4
source4/heimdal/lib/asn1/der_get.c
View File

@ -141,9 +141,9 @@ der_get_general_string (const unsigned char *p, size_t len,
* an strings in the NEED_PREAUTH case that includes a
* trailing NUL.
*/
while (p1 - p < len && *p1 == '\0')
while ((size_t)(p1 - p) < len && *p1 == '\0')
p1++;
if (p1 - p != len)
if ((size_t)(p1 - p) != len)
return ASN1_BAD_CHARACTER;
}
if (len > len + 1)

2
source4/heimdal/lib/asn1/der_length.c
View File

@ -86,7 +86,7 @@ static size_t
len_oid (const heim_oid *oid)
{
size_t ret = 1;
int n;
size_t n;
for (n = 2; n < oid->length; ++n) {
unsigned u = oid->components[n];

3
source4/heimdal/lib/asn1/der_put.c
View File

@ -433,7 +433,8 @@ _heim_time2generalizedtime (time_t t, heim_octet_string *s, int gtimep)
if (s->data == NULL)
return ENOMEM;
s->length = len;
_der_gmtime(t, &tm);
if (_der_gmtime(t, &tm) == NULL)
return ASN1_BAD_TIMEFORMAT;
if (gtimep)
snprintf (s->data, len + 1, "%04d%02d%02d%02d%02d%02dZ",
tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday,

4
source4/heimdal/lib/asn1/extra.c
View File

@ -71,13 +71,13 @@ decode_heim_any(const unsigned char *p, size_t len,
if (len < length + len_len + l)
return ASN1_OVERFLOW;
}
data->data = malloc(length + len_len + l);
if (data->data == NULL)
return ENOMEM;
data->length = length + len_len + l;
memcpy(data->data, p, length + len_len + l);
if (size)
*size = length + len_len + l;

6
source4/heimdal/lib/asn1/gen.c
View File

@ -761,7 +761,7 @@ define_type (int level, const char *name, const char *basename, Type *t, int typ
fprintf (headerfile, "struct %s {\n", newbasename);
ASN1_TAILQ_FOREACH(m, t->members, members) {
char *n = NULL;
/* pad unused */
while (pos < m->val) {
if (asprintf (&n, "_unused%d:1", pos) < 0 || n == NULL)
@ -1021,7 +1021,7 @@ generate_type (const Symbol *s)
h = privheaderfile;
exp = "";
}
fprintf (h,
"%sint ASN1CALL "
"decode_%s(const unsigned char *, size_t, %s *, size_t *);\n",
@ -1044,7 +1044,7 @@ generate_type (const Symbol *s)
"%svoid ASN1CALL free_%s (%s *);\n",
exp,
s->gen_name, s->gen_name);
fprintf(h, "\n\n");
if (!one_code_file) {

38
source4/heimdal/lib/asn1/gen_decode.c
View File

@ -209,7 +209,8 @@ range_check(const char *name,
static int
decode_type (const char *name, const Type *t, int optional,
const char *forwstr, const char *tmpstr, const char *dertype)
const char *forwstr, const char *tmpstr, const char *dertype,
unsigned int depth)
{
switch (t->type) {
case TType: {
@ -328,7 +329,8 @@ decode_type (const char *name, const Type *t, int optional,
if (asprintf (&s, "%s(%s)->%s", m->optional ? "" : "&",
name, m->gen_name) < 0 || s == NULL)
errx(1, "malloc");
decode_type (s, m->type, m->optional, forwstr, m->gen_name, NULL);
decode_type (s, m->type, m->optional, forwstr, m->gen_name, NULL,
depth + 1);
free (s);
}
@ -369,7 +371,7 @@ decode_type (const char *name, const Type *t, int optional,
"%s = calloc(1, sizeof(*%s));\n"
"if (%s == NULL) { e = ENOMEM; %s; }\n",
s, s, s, forwstr);
decode_type (s, m->type, 0, forwstr, m->gen_name, NULL);
decode_type (s, m->type, 0, forwstr, m->gen_name, NULL, depth + 1);
free (s);
fprintf(codefile, "members |= (1 << %d);\n", memno);
@ -442,7 +444,7 @@ decode_type (const char *name, const Type *t, int optional,
errx(1, "malloc");
if (asprintf (&sname, "%s_s_of", tmpstr) < 0 || sname == NULL)
errx(1, "malloc");
decode_type (n, t->subtype, 0, forwstr, sname, NULL);
decode_type (n, t->subtype, 0, forwstr, sname, NULL, depth + 1);
fprintf (codefile,
"(%s)->len++;\n"
"len = %s_origlen - ret;\n"
@ -480,7 +482,7 @@ decode_type (const char *name, const Type *t, int optional,
tmpstr, tmpstr, typestring);
if(support_ber)
fprintf(codefile,
"int is_indefinite;\n");
"int is_indefinite%u;\n", depth);
fprintf(codefile, "e = der_match_tag_and_length(p, len, %s, &%s, %s, "
"&%s_datalen, &l);\n",
@ -516,20 +518,20 @@ decode_type (const char *name, const Type *t, int optional,
tmpstr);
if(support_ber)
fprintf (codefile,
"if((is_indefinite = _heim_fix_dce(%s_datalen, &len)) < 0)\n"
"if((is_indefinite%u = _heim_fix_dce(%s_datalen, &len)) < 0)\n"
"{ e = ASN1_BAD_FORMAT; %s; }\n"
"if (is_indefinite) { if (len < 2) { e = ASN1_OVERRUN; %s; } len -= 2; }",
tmpstr, forwstr, forwstr);
"if (is_indefinite%u) { if (len < 2) { e = ASN1_OVERRUN; %s; } len -= 2; }",
depth, tmpstr, forwstr, depth, forwstr);
else
fprintf(codefile,
"if (%s_datalen > len) { e = ASN1_OVERRUN; %s; }\n"
"len = %s_datalen;\n", tmpstr, forwstr, tmpstr);
if (asprintf (&tname, "%s_Tag", tmpstr) < 0 || tname == NULL)
errx(1, "malloc");
decode_type (name, t->subtype, 0, forwstr, tname, ide);
decode_type (name, t->subtype, 0, forwstr, tname, ide, depth + 1);
if(support_ber)
fprintf(codefile,
"if(is_indefinite){\n"
"if(is_indefinite%u){\n"
"len += 2;\n"
"e = der_match_tag_and_length(p, len, "
"(Der_class)0, &%s, UT_EndOfContent, "
@ -538,6 +540,7 @@ decode_type (const char *name, const Type *t, int optional,
"p += l; len -= l; ret += l;\n"
"if (%s != (Der_type)0) { e = ASN1_BAD_ID; %s; }\n"
"} else \n",
depth,
typestring,
tmpstr,
forwstr,
@ -584,7 +587,8 @@ decode_type (const char *name, const Type *t, int optional,
if (asprintf (&s, "%s(%s)->u.%s", m->optional ? "" : "&",
name, m->gen_name) < 0 || s == NULL)
errx(1, "malloc");
decode_type (s, m->type, m->optional, forwstr, m->gen_name, NULL);
decode_type (s, m->type, m->optional, forwstr, m->gen_name, NULL,
depth + 1);
fprintf(codefile,
"(%s)->element = %s;\n",
name, m->label);
@ -605,7 +609,7 @@ decode_type (const char *name, const Type *t, int optional,
"(%s)->element = %s;\n"
"p += len;\n"
"ret += len;\n"
"len -= len;\n"
"len = 0;\n"
"}\n",
name, have_ellipsis->gen_name,
name, have_ellipsis->gen_name,
@ -662,8 +666,8 @@ generate_type_decode (const Symbol *s)
int preserve = preserve_type(s->name) ? TRUE : FALSE;
fprintf (codefile, "int ASN1CALL\n"
"decode_%s(const unsigned char *p,"
" size_t len, %s *data, size_t *size)\n"
"decode_%s(const unsigned char *p HEIMDAL_UNUSED_ATTRIBUTE,"
" size_t len HEIMDAL_UNUSED_ATTRIBUTE, %s *data, size_t *size)\n"
"{\n",
s->gen_name, s->gen_name);
@ -694,15 +698,15 @@ generate_type_decode (const Symbol *s)
case TChoice:
fprintf (codefile,
"size_t ret = 0;\n"
"size_t l;\n"
"int e;\n");
"size_t l HEIMDAL_UNUSED_ATTRIBUTE;\n"
"int e HEIMDAL_UNUSED_ATTRIBUTE;\n");
if (preserve)
fprintf (codefile, "const unsigned char *begin = p;\n");
fprintf (codefile, "\n");
fprintf (codefile, "memset(data, 0, sizeof(*data));\n"); /* hack to avoid `unused variable' */
decode_type ("data", s->type, 0, "goto fail", "Top", NULL);
decode_type ("data", s->type, 0, "goto fail", "Top", NULL, 1);
if (preserve)
fprintf (codefile,
"data->_save.data = calloc(1, ret);\n"

19
source4/heimdal/lib/asn1/gen_encode.c
View File

@ -274,7 +274,7 @@ encode_type (const char *name, const Type *t, const char *tmpstr)
else if(m->defval)
gen_compare_defval(s + 1, m->defval);
fprintf (codefile, "{\n");
fprintf (codefile, "size_t %s_oldret = ret;\n", tmpstr);
fprintf (codefile, "size_t %s_oldret HEIMDAL_UNUSED_ATTRIBUTE = ret;\n", tmpstr);
fprintf (codefile, "ret = 0;\n");
encode_type (s, m->type, m->gen_name);
fprintf (codefile, "ret += %s_oldret;\n", tmpstr);
@ -302,7 +302,7 @@ encode_type (const char *name, const Type *t, const char *tmpstr)
name, name);
fprintf(codefile,
"for(i = 0; i < (%s)->len; i++) {\n",
"for(i = 0; i < (int)(%s)->len; i++) {\n",
name);
fprintf(codefile,
@ -326,7 +326,7 @@ encode_type (const char *name, const Type *t, const char *tmpstr)
fprintf(codefile,
"if (totallen > len) {\n"
"for (i = 0; i < (%s)->len; i++) {\n"
"for (i = 0; i < (int)(%s)->len; i++) {\n"
"free(val[i].data);\n"
"}\n"
"free(val);\n"
@ -339,7 +339,7 @@ encode_type (const char *name, const Type *t, const char *tmpstr)
name);
fprintf (codefile,
"for(i = (%s)->len - 1; i >= 0; --i) {\n"
"for(i = (int)(%s)->len - 1; i >= 0; --i) {\n"
"p -= val[i].length;\n"
"ret += val[i].length;\n"
"memcpy(p + 1, val[i].data, val[i].length);\n"
@ -355,7 +355,7 @@ encode_type (const char *name, const Type *t, const char *tmpstr)
char *n = NULL;
fprintf (codefile,
"for(i = (%s)->len - 1; i >= 0; --i) {\n"
"for(i = (int)(%s)->len - 1; i >= 0; --i) {\n"
"size_t %s_for_oldret = ret;\n"
"ret = 0;\n",
name, tmpstr);
@ -503,7 +503,7 @@ void
generate_type_encode (const Symbol *s)
{
fprintf (codefile, "int ASN1CALL\n"
"encode_%s(unsigned char *p, size_t len,"
"encode_%s(unsigned char *p HEIMDAL_UNUSED_ATTRIBUTE, size_t len HEIMDAL_UNUSED_ATTRIBUTE,"
" const %s *data, size_t *size)\n"
"{\n",
s->gen_name, s->gen_name);
@ -534,10 +534,9 @@ generate_type_encode (const Symbol *s)
case TType:
case TChoice:
fprintf (codefile,
"size_t ret = 0;\n"
"size_t l;\n"
"int i, e;\n\n");
fprintf(codefile, "i = 0;\n"); /* hack to avoid `unused variable' */
"size_t ret HEIMDAL_UNUSED_ATTRIBUTE = 0;\n"
"size_t l HEIMDAL_UNUSED_ATTRIBUTE;\n"
"int i HEIMDAL_UNUSED_ATTRIBUTE, e HEIMDAL_UNUSED_ATTRIBUTE;\n\n");
encode_type("data", s->type, "Top");

4
source4/heimdal/lib/asn1/gen_free.c
View File

@ -179,12 +179,12 @@ void
generate_type_free (const Symbol *s)
{
int preserve = preserve_type(s->name) ? TRUE : FALSE;
fprintf (codefile, "void ASN1CALL\n"
"free_%s(%s *data)\n"
"{\n",
s->gen_name, s->gen_name);
free_type ("data", s->type, preserve);
fprintf (codefile, "}\n\n");
}

22
source4/heimdal/lib/asn1/gen_template.c
View File

@ -342,7 +342,7 @@ tlist_cmp(const struct tlist *tl, const struct tlist *ql)
ret = strcmp(tl->header, ql->header);
if (ret) return ret;
q = ASN1_TAILQ_FIRST(&ql->template);
ASN1_TAILQ_FOREACH(t, &tl->template, members) {
if (q == NULL) return 1;
@ -353,7 +353,7 @@ tlist_cmp(const struct tlist *tl, const struct tlist *ql)
} else {
ret = strcmp(t->tt, q->tt);
if (ret) return ret;
ret = strcmp(t->offset, q->offset);
if (ret) return ret;
@ -479,12 +479,12 @@ template_members(struct templatehead *temp, const char *basetype, const char *na
optional ? "|A1_FLAG_OPTIONAL" : "",
poffset, t->symbol->gen_name);
} else {
add_line_pointer(temp, t->symbol->gen_name, poffset,
add_line_pointer(temp, t->symbol->gen_name, poffset,
"A1_OP_TYPE %s", optional ? "|A1_FLAG_OPTIONAL" : "");
}
break;
case TInteger: {
char *itype;
char *itype = NULL;
if (t->members)
itype = "IMEMBER";
@ -499,7 +499,7 @@ template_members(struct templatehead *temp, const char *basetype, const char *na
else
errx(1, "%s: unsupported range %d -> %d",
name, t->range->min, t->range->max);
add_line(temp, "{ A1_PARSE_T(A1T_%s), %s, NULL }", itype, poffset);
break;
}
@ -557,7 +557,7 @@ template_members(struct templatehead *temp, const char *basetype, const char *na
break;
}
if (asprintf(&bname, "bmember_%s_%lu", name ? name : "", (unsigned long)t) < 0 || bname == NULL)
if (asprintf(&bname, "bmember_%s_%p", name ? name : "", t) < 0 || bname == NULL)
errx(1, "malloc");
output_name(bname);
@ -591,7 +591,7 @@ template_members(struct templatehead *temp, const char *basetype, const char *na
ASN1_TAILQ_FOREACH(m, t->members, members) {
char *newbasename = NULL;
if (m->ellipsis)
continue;
@ -620,7 +620,7 @@ template_members(struct templatehead *temp, const char *basetype, const char *na
else
sename = symbol_name(basetype, t->subtype);
if (asprintf(&tname, "tag_%s_%lu", name ? name : "", (unsigned long)t) < 0 || tname == NULL)
if (asprintf(&tname, "tag_%s_%p", name ? name : "", t) < 0 || tname == NULL)
errx(1, "malloc");
output_name(tname);
@ -644,7 +644,7 @@ template_members(struct templatehead *temp, const char *basetype, const char *na
}
case TSetOf:
case TSequenceOf: {
const char *type, *tname, *dupname;
const char *type = NULL, *tname, *dupname;
char *sename = NULL, *elname = NULL;
int subtype_is_struct = is_struct(t->subtype, 0);
@ -670,7 +670,7 @@ template_members(struct templatehead *temp, const char *basetype, const char *na
else if (t->type == TSequenceOf) type = "A1_OP_SEQOF";
else abort();
if (asprintf(&elname, "%s_%s_%lu", basetype, tname, (unsigned long)t) < 0 || elname == NULL)
if (asprintf(&elname, "%s_%s_%p", basetype, tname, t) < 0 || elname == NULL)
errx(1, "malloc");
generate_template_type(elname, &dupname, NULL, sename, NULL, t->subtype,
@ -699,7 +699,7 @@ template_members(struct templatehead *temp, const char *basetype, const char *na
char *elname = NULL;
char *newbasename = NULL;
int subtype_is_struct;
if (m->ellipsis) {
ellipsis = 1;
continue;

50
source4/heimdal/lib/asn1/krb5.asn1
View File

@ -221,32 +221,32 @@ CKSUMTYPE ::= INTEGER {
--enctypes
ENCTYPE ::= INTEGER {
ETYPE_NULL(0),
ETYPE_DES_CBC_CRC(1),
ETYPE_DES_CBC_MD4(2),
ETYPE_DES_CBC_MD5(3),
ETYPE_DES3_CBC_MD5(5),
ETYPE_OLD_DES3_CBC_SHA1(7),
ETYPE_SIGN_DSA_GENERATE(8),
ETYPE_ENCRYPT_RSA_PRIV(9),
ETYPE_ENCRYPT_RSA_PUB(10),
ETYPE_DES3_CBC_SHA1(16), -- with key derivation
ETYPE_AES128_CTS_HMAC_SHA1_96(17),
ETYPE_AES256_CTS_HMAC_SHA1_96(18),
ETYPE_ARCFOUR_HMAC_MD5(23),
ETYPE_ARCFOUR_HMAC_MD5_56(24),
ETYPE_ENCTYPE_PK_CROSS(48),
KRB5_ENCTYPE_NULL(0),
KRB5_ENCTYPE_DES_CBC_CRC(1),
KRB5_ENCTYPE_DES_CBC_MD4(2),
KRB5_ENCTYPE_DES_CBC_MD5(3),
KRB5_ENCTYPE_DES3_CBC_MD5(5),
KRB5_ENCTYPE_OLD_DES3_CBC_SHA1(7),
KRB5_ENCTYPE_SIGN_DSA_GENERATE(8),
KRB5_ENCTYPE_ENCRYPT_RSA_PRIV(9),
KRB5_ENCTYPE_ENCRYPT_RSA_PUB(10),
KRB5_ENCTYPE_DES3_CBC_SHA1(16), -- with key derivation
KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96(17),
KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96(18),
KRB5_ENCTYPE_ARCFOUR_HMAC_MD5(23),
KRB5_ENCTYPE_ARCFOUR_HMAC_MD5_56(24),
KRB5_ENCTYPE_ENCTYPE_PK_CROSS(48),
-- some "old" windows types
ETYPE_ARCFOUR_MD4(-128),
ETYPE_ARCFOUR_HMAC_OLD(-133),
ETYPE_ARCFOUR_HMAC_OLD_EXP(-135),
KRB5_ENCTYPE_ARCFOUR_MD4(-128),
KRB5_ENCTYPE_ARCFOUR_HMAC_OLD(-133),
KRB5_ENCTYPE_ARCFOUR_HMAC_OLD_EXP(-135),
-- these are for Heimdal internal use
ETYPE_DES_CBC_NONE(-0x1000),
ETYPE_DES3_CBC_NONE(-0x1001),
ETYPE_DES_CFB64_NONE(-0x1002),
ETYPE_DES_PCBC_NONE(-0x1003),
ETYPE_DIGEST_MD5_NONE(-0x1004), -- private use, lukeh@padl.com
ETYPE_CRAM_MD5_NONE(-0x1005) -- private use, lukeh@padl.com
KRB5_ENCTYPE_DES_CBC_NONE(-0x1000),
KRB5_ENCTYPE_DES3_CBC_NONE(-0x1001),
KRB5_ENCTYPE_DES_CFB64_NONE(-0x1002),
KRB5_ENCTYPE_DES_PCBC_NONE(-0x1003),
KRB5_ENCTYPE_DIGEST_MD5_NONE(-0x1004), -- private use, lukeh@padl.com
KRB5_ENCTYPE_CRAM_MD5_NONE(-0x1005) -- private use, lukeh@padl.com
}
@ -625,7 +625,7 @@ ChangePasswdDataMS ::= SEQUENCE {
targrealm[2] Realm OPTIONAL
}
EtypeList ::= SEQUENCE OF krb5int32
EtypeList ::= SEQUENCE OF ENCTYPE
-- the client's proposed enctype list in
-- decreasing preference order, favorite choice first

4
source4/heimdal/lib/asn1/lex.c
View File

@ -1626,7 +1626,7 @@ YY_RULE_SETUP
char *p = buf;
int f = 0;
int skip_ws = 0;
while((c = input()) != EOF) {
if(isspace(c) && skip_ws) {
if(c == '\n')
@ -1634,7 +1634,7 @@ YY_RULE_SETUP
continue;
}
skip_ws = 0;
if(c == '"') {
if(f) {
*p++ = '"';

4
source4/heimdal/lib/asn1/lex.l
View File

@ -216,7 +216,7 @@ WITH { return kw_WITH; }
char *p = buf;
int f = 0;
int skip_ws = 0;
while((c = input()) != EOF) {
if(isspace(c) && skip_ws) {
if(c == '\n')
@ -224,7 +224,7 @@ WITH { return kw_WITH; }
continue;
}
skip_ws = 0;
if(c == '"') {
if(f) {
*p++ = '"';

2
source4/heimdal/lib/asn1/main.c
View File

@ -202,6 +202,6 @@ main(int argc, char **argv)
free(arg[i]);
free(arg);
}
return 0;
}

3
source4/heimdal/lib/asn1/test.asn1
View File

@ -132,4 +132,7 @@ TESTBitString ::= BIT STRING {
thirtyone(31)
}
TESTMechType::= OBJECT IDENTIFIER
TESTMechTypeList ::= SEQUENCE OF TESTMechType
END

21
source4/heimdal/lib/asn1/timegm.c
View File

@ -33,7 +33,7 @@
#include "der_locl.h"
RCSID("$Id$");
#define ASN1_MAX_YEAR 2000
static int
is_leap(unsigned y)
@ -56,13 +56,19 @@ time_t
_der_timegm (struct tm *tm)
{
time_t res = 0;
unsigned i;
int i;
/*
* See comment in _der_gmtime
*/
if (tm->tm_year > ASN1_MAX_YEAR)
return 0;
if (tm->tm_year < 0)
return -1;
if (tm->tm_mon < 0 || tm->tm_mon > 11)
return -1;
if (tm->tm_mday < 1 || tm->tm_mday > ndays[is_leap(tm->tm_year)][tm->tm_mon])
if (tm->tm_mday < 1 || tm->tm_mday > (int)ndays[is_leap(tm->tm_year)][tm->tm_mon])
return -1;
if (tm->tm_hour < 0 || tm->tm_hour > 23)
return -1;
@ -98,6 +104,15 @@ _der_gmtime(time_t t, struct tm *tm)
tm->tm_min = (secday % 3600) / 60;
tm->tm_hour = secday / 3600;
/*
* Refuse to calculate time ~ 2000 years into the future, this is
* not possible for systems where time_t is a int32_t, however,
* when time_t is a int64_t, that can happen, and this becomes a
* denial of sevice.
*/
if (days > (ASN1_MAX_YEAR * 365))
return NULL;
tm->tm_year = 70;
while(1) {
unsigned dayinyear = (is_leap(tm->tm_year) ? 366 : 365);

4
source4/heimdal/lib/com_err/compile_et.c
View File

@ -93,7 +93,7 @@ generate_c(void)
fprintf(c_file, "\t/* %03d */ \"Reserved %s error (%d)\",\n",
n, name, n);
n++;
}
fprintf(c_file, "\t/* %03d */ N_(\"%s\"),\n",
ec->number, ec->string);
@ -220,7 +220,7 @@ main(int argc, char **argv)
yyin = fopen(filename, "r");
if(yyin == NULL)
err(1, "%s", filename);
p = strrchr(filename, rk_PATH_DELIM);
if(p)

2
source4/heimdal/lib/com_err/error.c
View File

@ -101,7 +101,7 @@ initialize_error_table_r(struct et_list **list,
et->next = NULL;
*end = et;
}
KRB5_LIB_FUNCTION void KRB5_LIB_CALL
free_error_table(struct et_list *et)

2
source4/heimdal/lib/com_err/parse.c
View File

@ -1465,7 +1465,7 @@ yyreduce:
#line 118 "parse.c"
{
struct error_code *ec = malloc(sizeof(*ec));
if (ec == NULL)
errx(1, "malloc");

2
source4/heimdal/lib/com_err/parse.y
View File

@ -117,7 +117,7 @@ statement : INDEX NUMBER
| EC STRING ',' STRING
{
struct error_code *ec = malloc(sizeof(*ec));
if (ec == NULL)
errx(1, "malloc");

98
source4/heimdal/lib/gssapi/gssapi/gssapi.h
View File

@ -31,8 +31,6 @@
* SUCH DAMAGE.
*/
/* $Id$ */
#ifndef GSSAPI_GSSAPI_H_
#define GSSAPI_GSSAPI_H_
@ -55,13 +53,11 @@
#endif
#endif
#ifndef GSSAPI_DEPRECATED
#ifndef GSSAPI_DEPRECATED_FUNCTION
#if defined(__GNUC__) && ((__GNUC__ > 3) || ((__GNUC__ == 3) && (__GNUC_MINOR__ >= 1 )))
#define GSSAPI_DEPRECATED __attribute__((deprecated))
#elif defined(_MSC_VER)
#define GSSAPI_DEPRECATED __declspec(deprecated)
#define GSSAPI_DEPRECATED_FUNCTION(X) __attribute__((deprecated))
#else
#define GSSAPI_DEPRECATED
#define GSSAPI_DEPRECATED_FUNCTION(X)
#endif
#endif
@ -375,7 +371,7 @@ extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_nt_anonymous_oid_desc;
* to that gss_OID_desc.
*/
extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_nt_export_name_oid_desc;
#define GSS_C_NT_EXPORT_NAME (&__gss_c_nt_export_name_oid_desc)
#define GSS_C_NT_EXPORT_NAME (&__gss_c_nt_export_name_oid_desc)
/* Major status codes */
@ -446,6 +442,11 @@ extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_nt_export_name_oid_desc;
#define GSS_S_NAME_NOT_MN (18ul << GSS_C_ROUTINE_ERROR_OFFSET)
#define GSS_S_BAD_MECH_ATTR (19ul << GSS_C_ROUTINE_ERROR_OFFSET)
/*
* Apparently awating spec fix.
*/
#define GSS_S_CRED_UNAVAIL GSS_S_FAILURE
/*
* Supplementary info bits:
*/
@ -459,6 +460,9 @@ extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_nt_export_name_oid_desc;
* Finally, function prototypes for the GSS-API routines.
*/
#define GSS_C_OPTION_MASK 0xffff
#define GSS_C_CRED_NO_UI 0x10000
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_acquire_cred
(OM_uint32 * /*minor_status*/,
const gss_name_t /*desired_name*/,
@ -827,7 +831,7 @@ typedef struct {
size_t blocksize; /**< Specificed optimal size of messages, also
is the maximum padding size
(GSS_IOV_BUFFER_TYPE_PADDING) */
} gss_context_stream_sizes;
} gss_context_stream_sizes;
extern gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_attr_stream_sizes_oid_desc;
#define GSS_C_ATTR_STREAM_SIZES (&__gss_c_attr_stream_sizes_oid_desc)
@ -850,23 +854,23 @@ gss_context_query_attributes(OM_uint32 * /* minor_status */,
* obsolete versions of these routines and their current forms.
*/
GSSAPI_DEPRECATED GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_sign
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_sign
(OM_uint32 * /*minor_status*/,
gss_ctx_id_t /*context_handle*/,
int /*qop_req*/,
gss_buffer_t /*message_buffer*/,
gss_buffer_t /*message_token*/
);
) GSSAPI_DEPRECATED_FUNCTION("Use gss_get_mic");
GSSAPI_DEPRECATED GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_verify
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_verify
(OM_uint32 * /*minor_status*/,
gss_ctx_id_t /*context_handle*/,
gss_buffer_t /*message_buffer*/,
gss_buffer_t /*token_buffer*/,
int * /*qop_state*/
);
) GSSAPI_DEPRECATED_FUNCTION("Use gss_verify_mic");
GSSAPI_DEPRECATED GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_seal
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_seal
(OM_uint32 * /*minor_status*/,
gss_ctx_id_t /*context_handle*/,
int /*conf_req_flag*/,
@ -874,29 +878,29 @@ GSSAPI_DEPRECATED GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_seal
gss_buffer_t /*input_message_buffer*/,
int * /*conf_state*/,
gss_buffer_t /*output_message_buffer*/
);
) GSSAPI_DEPRECATED_FUNCTION("Use gss_wrap");
GSSAPI_DEPRECATED GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_unseal
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_unseal
(OM_uint32 * /*minor_status*/,
gss_ctx_id_t /*context_handle*/,
gss_buffer_t /*input_message_buffer*/,
gss_buffer_t /*output_message_buffer*/,
int * /*conf_state*/,
int * /*qop_state*/
);
) GSSAPI_DEPRECATED_FUNCTION("Use gss_unwrap");
/**
*
*/
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
gss_encapsulate_token(const gss_buffer_t /* input_token */,
const gss_OID /* oid */,
gss_encapsulate_token(gss_const_buffer_t /* input_token */,
gss_const_OID /* oid */,
gss_buffer_t /* output_token */);
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
gss_decapsulate_token(const gss_buffer_t /* input_token */,
const gss_OID /* oid */,
gss_decapsulate_token(gss_const_buffer_t /* input_token */,
gss_const_OID /* oid */,
gss_buffer_t /* output_token */);
@ -989,6 +993,56 @@ gss_display_mech_attr(OM_uint32 * minor_status,
gss_buffer_t short_desc,
gss_buffer_t long_desc);
/*
* Solaris compat
*/
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_acquire_cred_with_password
(OM_uint32 * /*minor_status*/,
const gss_name_t /*desired_name*/,
const gss_buffer_t /*password*/,
OM_uint32 /*time_req*/,
const gss_OID_set /*desired_mechs*/,
gss_cred_usage_t /*cred_usage*/,
gss_cred_id_t * /*output_cred_handle*/,
gss_OID_set * /*actual_mechs*/,
OM_uint32 * /*time_rec*/
);
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_add_cred_with_password (
OM_uint32 * /*minor_status*/,
const gss_cred_id_t /*input_cred_handle*/,
const gss_name_t /*desired_name*/,
const gss_OID /*desired_mech*/,
const gss_buffer_t /*password*/,
gss_cred_usage_t /*cred_usage*/,
OM_uint32 /*initiator_time_req*/,
OM_uint32 /*acceptor_time_req*/,
gss_cred_id_t * /*output_cred_handle*/,
gss_OID_set * /*actual_mechs*/,
OM_uint32 * /*initiator_time_rec*/,
OM_uint32 * /*acceptor_time_rec*/
);
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
gss_pname_to_uid(
OM_uint32 *minor,
const gss_name_t name,
const gss_OID mech_type,
uid_t *uidOut);
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
gss_authorize_localname(
OM_uint32 *minor,
const gss_name_t name,
const gss_name_t user);
GSSAPI_LIB_FUNCTION int GSSAPI_LIB_CALL
gss_userok(const gss_name_t name,
const char *user);
extern GSSAPI_LIB_VARIABLE gss_buffer_t GSS_C_ATTR_LOCAL_LOGIN_USER;
/*
* Naming extensions
*/
@ -1051,4 +1105,6 @@ gss_name_to_oid(const char *name);
GSSAPI_CPP_END
#undef GSSAPI_DEPRECATED_FUNCTION
#endif /* GSSAPI_GSSAPI_H_ */

7
source4/heimdal/lib/gssapi/gssapi/gssapi_oid.h
View File

@ -109,6 +109,13 @@ extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_ma_mech_name_oid_desc;
extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_ma_mech_description_oid_desc;
#define GSS_C_MA_MECH_DESCRIPTION (&__gss_c_ma_mech_description_oid_desc)
/* credential types */
extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_cred_password_oid_desc;
#define GSS_C_CRED_PASSWORD (&__gss_c_cred_password_oid_desc)
extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_cred_certificate_oid_desc;
#define GSS_C_CRED_CERTIFICATE (&__gss_c_cred_certificate_oid_desc)
/* Heimdal mechanisms - 1.2.752.43.14 */
extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_sasl_digest_md5_mechanism_oid_desc;
#define GSS_SASL_DIGEST_MD5_MECHANISM (&__gss_sasl_digest_md5_mechanism_oid_desc)

59
source4/heimdal/lib/gssapi/gssapi_mech.h
View File

@ -355,14 +355,14 @@ _gss_import_cred_t(OM_uint32 * minor_status,
typedef OM_uint32 GSSAPI_CALLCONV
_gss_acquire_cred_ex_t(void * /* status */,
const gss_name_t /* desired_name */,
OM_uint32 /* flags */,
OM_uint32 /* time_req */,
gss_cred_usage_t /* cred_usage */,
void * /* identity */,
void * /* ctx */,
void (* /*complete */)(void *, OM_uint32, void *, gss_cred_id_t, OM_uint32));
_gss_acquire_cred_ext_t(OM_uint32 * /*minor_status */,
const gss_name_t /* desired_name */,
gss_const_OID /* credential_type */,
const void * /* credential_data */,
OM_uint32 /* time_req */,
gss_const_OID /* desired_mech */,
gss_cred_usage_t /* cred_usage */,
gss_cred_id_t * /* output_cred_handle */);
typedef void GSSAPI_CALLCONV
_gss_iter_creds_t(OM_uint32 /* flags */,
@ -460,13 +460,28 @@ struct gss_mo_desc_struct {
int (*set)(gss_const_OID, gss_mo_desc *, int, gss_buffer_t);
};
typedef OM_uint32 GSSAPI_CALLCONV _gss_pname_to_uid_t (
OM_uint32 *, /* minor_status */
const gss_name_t, /* name */
const gss_OID, /* mech_type */
uid_t * /* uidOut */
);
typedef OM_uint32 GSSAPI_CALLCONV _gss_authorize_localname_t (
OM_uint32 *, /* minor_status */
const gss_name_t, /* name */
gss_const_buffer_t, /* user */
gss_const_OID /* user_name_type */
);
/* mechglue internal */
struct gss_mech_compat_desc_struct;
#define GMI_VERSION 5
/* gm_flags */
#define GM_USE_MG_CRED 1 /* uses mech glue credentials */
typedef struct gssapi_mech_interface_desc {
unsigned gm_version;
const char *gm_name;
@ -512,7 +527,7 @@ typedef struct gssapi_mech_interface_desc {
_gss_store_cred_t *gm_store_cred;
_gss_export_cred_t *gm_export_cred;
_gss_import_cred_t *gm_import_cred;
_gss_acquire_cred_ex_t *gm_acquire_cred_ex;
_gss_acquire_cred_ext_t *gm_acquire_cred_ext;
_gss_iter_creds_t *gm_iter_creds;
_gss_destroy_cred_t *gm_destroy_cred;
_gss_cred_hold_t *gm_cred_hold;
@ -521,12 +536,15 @@ typedef struct gssapi_mech_interface_desc {
_gss_cred_label_set_t *gm_cred_label_set;
gss_mo_desc *gm_mo;
size_t gm_mo_num;
_gss_pname_to_uid_t *gm_pname_to_uid;
_gss_authorize_localname_t *gm_authorize_localname;
_gss_display_name_ext_t *gm_display_name_ext;
_gss_inquire_name_t *gm_inquire_name;
_gss_get_name_attribute_t *gm_get_name_attribute;
_gss_set_name_attribute_t *gm_set_name_attribute;
_gss_delete_name_attribute_t *gm_delete_name_attribute;
_gss_export_name_composite_t *gm_export_name_composite;
struct gss_mech_compat_desc_struct *gm_compat;
} gssapi_mech_interface_desc, *gssapi_mech_interface;
gssapi_mech_interface
@ -552,4 +570,25 @@ struct _gss_oid_name_table {
extern struct _gss_oid_name_table _gss_ont_mech[];
extern struct _gss_oid_name_table _gss_ont_ma[];
/*
* Extended credentials acqusition API, not to be exported until
* it or something equivalent has been standardised.
*/
extern gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_cred_password_oid_desc;
#define GSS_C_CRED_PASSWORD (&__gss_c_cred_password_oid_desc)
extern gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_cred_certificate_oid_desc;
#define GSS_C_CRED_CERTIFICATE (&__gss_c_cred_certificate_oid_desc)
OM_uint32 _gss_acquire_cred_ext
(OM_uint32 * /*minor_status*/,
const gss_name_t /*desired_name*/,
gss_const_OID /*credential_type*/,
const void * /*credential_data*/,
OM_uint32 /*time_req*/,
gss_const_OID /*desired_mech*/,
gss_cred_usage_t /*cred_usage*/,
gss_cred_id_t * /*output_cred_handle*/
);
#endif /* GSSAPI_MECH_H */

2
source4/heimdal/lib/gssapi/krb5/8003.c
View File

@ -92,7 +92,7 @@ hash_input_chan_bindings (const gss_channel_bindings_t b,
_gsskrb5_encode_om_uint32 (b->acceptor_address.length, num);
EVP_DigestUpdate(ctx, num, sizeof(num));
if (b->acceptor_address.length)
EVP_DigestUpdate(ctx,
EVP_DigestUpdate(ctx,
b->acceptor_address.value,
b->acceptor_address.length);
_gsskrb5_encode_om_uint32 (b->application_data.length, num);

70
source4/heimdal/lib/gssapi/krb5/accept_sec_context.c
View File

@ -36,12 +36,32 @@
HEIMDAL_MUTEX gssapi_keytab_mutex = HEIMDAL_MUTEX_INITIALIZER;
krb5_keytab _gsskrb5_keytab;
static krb5_error_code
validate_keytab(krb5_context context, const char *name, krb5_keytab *id)
{
krb5_error_code ret;
ret = krb5_kt_resolve(context, name, id);
if (ret)
return ret;
ret = krb5_kt_have_content(context, *id);
if (ret) {
krb5_kt_close(context, *id);
*id = NULL;
}
return ret;
}
OM_uint32
_gsskrb5_register_acceptor_identity (const char *identity)
_gsskrb5_register_acceptor_identity(OM_uint32 *min_stat, const char *identity)
{
krb5_context context;
krb5_error_code ret;
*min_stat = 0;
ret = _gsskrb5_init(&context);
if(ret)
return GSS_S_FAILURE;
@ -55,19 +75,29 @@ _gsskrb5_register_acceptor_identity (const char *identity)
if (identity == NULL) {
ret = krb5_kt_default(context, &_gsskrb5_keytab);
} else {
char *p = NULL;
ret = asprintf(&p, "FILE:%s", identity);
if(ret < 0 || p == NULL) {
HEIMDAL_MUTEX_unlock(&gssapi_keytab_mutex);
return GSS_S_FAILURE;
/*
* First check if we can the keytab as is and if it has content...
*/
ret = validate_keytab(context, identity, &_gsskrb5_keytab);
/*
* if it doesn't, lets prepend FILE: and try again
*/
if (ret) {
char *p = NULL;
ret = asprintf(&p, "FILE:%s", identity);
if(ret < 0 || p == NULL) {
HEIMDAL_MUTEX_unlock(&gssapi_keytab_mutex);
return GSS_S_FAILURE;
}
ret = validate_keytab(context, p, &_gsskrb5_keytab);
free(p);
}
ret = krb5_kt_resolve(context, p, &_gsskrb5_keytab);
free(p);
}
HEIMDAL_MUTEX_unlock(&gssapi_keytab_mutex);
if(ret)
if(ret) {
*min_stat = ret;
return GSS_S_FAILURE;
}
return GSS_S_COMPLETE;
}
@ -93,7 +123,7 @@ _gsskrb5i_is_cfx(krb5_context context, gsskrb5_ctx ctx, int acceptor)
if (key == NULL)
return;
switch (key->keytype) {
case ETYPE_DES_CBC_CRC:
case ETYPE_DES_CBC_MD4:
@ -171,7 +201,7 @@ gsskrb5_accept_delegated_token
if (delegated_cred_handle) {
gsskrb5_cred handle;
ret = _gsskrb5_krb5_import_cred(minor_status,
ccache,
NULL,
@ -541,10 +571,10 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
if(ctx->flags & GSS_C_MUTUAL_FLAG) {
krb5_data outbuf;
int use_subkey = 0;
_gsskrb5i_is_cfx(context, ctx, 1);
is_cfx = (ctx->more_flags & IS_CFX);
if (is_cfx || (ap_options & AP_OPTS_USE_SUBKEY)) {
use_subkey = 1;
} else {
@ -572,7 +602,7 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
KRB5_AUTH_CONTEXT_USE_SUBKEY,
NULL);
}
kret = krb5_mk_rep(context,
ctx->auth_context,
&outbuf);
@ -580,7 +610,7 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
*minor_status = kret;
return GSS_S_FAILURE;
}
if (IS_DCE_STYLE(ctx)) {
output_token->length = outbuf.length;
output_token->value = outbuf.data;
@ -659,7 +689,7 @@ acceptor_wait_for_dcestyle(OM_uint32 * minor_status,
krb5_error_code kret;
krb5_data inbuf;
int32_t r_seq_number, l_seq_number;
/*
* We know it's GSS_C_DCE_STYLE so we don't need to decapsulate the AP_REP
*/
@ -706,7 +736,7 @@ acceptor_wait_for_dcestyle(OM_uint32 * minor_status,
{
krb5_ap_rep_enc_part *repl;
int32_t auth_flags;
krb5_auth_con_removeflags(context,
ctx->auth_context,
KRB5_AUTH_CONTEXT_DO_TIME,
@ -735,7 +765,7 @@ acceptor_wait_for_dcestyle(OM_uint32 * minor_status,
if (lifetime_rec == 0) {
return GSS_S_CONTEXT_EXPIRED;
}
if (time_rec) *time_rec = lifetime_rec;
}
@ -793,7 +823,7 @@ acceptor_wait_for_dcestyle(OM_uint32 * minor_status,
{
kret = krb5_auth_con_setremoteseqnumber(context,
ctx->auth_context,
r_seq_number);
r_seq_number);
if (kret) {
*minor_status = kret;
return GSS_S_FAILURE;

153
source4/heimdal/lib/gssapi/krb5/acquire_cred.c
View File

@ -46,7 +46,7 @@ __gsskrb5_ccache_lifetime(OM_uint32 *minor_status,
memset(&in_cred, 0, sizeof(in_cred));
in_cred.client = principal;
realm = krb5_principal_get_realm(context, principal);
if (realm == NULL) {
_gsskrb5_clear_status ();
@ -81,17 +81,18 @@ __gsskrb5_ccache_lifetime(OM_uint32 *minor_status,
static krb5_error_code
get_keytab(krb5_context context, krb5_keytab *keytab)
{
char kt_name[256];
krb5_error_code kret;
HEIMDAL_MUTEX_lock(&gssapi_keytab_mutex);
if (_gsskrb5_keytab != NULL) {
kret = krb5_kt_get_name(context,
_gsskrb5_keytab,
kt_name, sizeof(kt_name));
if (kret == 0)
kret = krb5_kt_resolve(context, kt_name, keytab);
char *name = NULL;
kret = krb5_kt_get_full_name(context, _gsskrb5_keytab, &name);
if (kret == 0) {
kret = krb5_kt_resolve(context, name, keytab);
krb5_xfree(name);
}
} else
kret = krb5_kt_default(context, keytab);
@ -103,13 +104,13 @@ get_keytab(krb5_context context, krb5_keytab *keytab)
static OM_uint32 acquire_initiator_cred
(OM_uint32 * minor_status,
krb5_context context,
gss_const_OID credential_type,
const void *credential_data,
const gss_name_t desired_name,
OM_uint32 time_req,
const gss_OID_set desired_mechs,
gss_const_OID desired_mech,
gss_cred_usage_t cred_usage,
gsskrb5_cred handle,
gss_OID_set * actual_mechs,
OM_uint32 * time_rec
gsskrb5_cred handle
)
{
OM_uint32 ret;
@ -132,6 +133,12 @@ static OM_uint32 acquire_initiator_cred
* errors while searching.
*/
if (credential_type != GSS_C_NO_OID &&
!gss_oid_equal(credential_type, GSS_C_CRED_PASSWORD)) {
kret = KRB5_NOCREDS_SUPPLIED; /* XXX */
goto end;
}
if (handle->principal) {
kret = krb5_cc_cache_match (context,
handle->principal,
@ -174,14 +181,29 @@ static OM_uint32 acquire_initiator_cred
if (kret)
goto end;
}
kret = get_keytab(context, &keytab);
if (kret)
goto end;
kret = krb5_get_init_creds_opt_alloc(context, &opt);
if (kret)
goto end;
kret = krb5_get_init_creds_keytab(context, &cred,
handle->principal, keytab, 0, NULL, opt);
if (credential_type != GSS_C_NO_OID &&
gss_oid_equal(credential_type, GSS_C_CRED_PASSWORD)) {
gss_buffer_t password = (gss_buffer_t)credential_data;
/* XXX are we requiring password to be NUL terminated? */
kret = krb5_get_init_creds_password(context, &cred,
handle->principal,
password->value,
NULL, NULL, 0, NULL, opt);
} else {
kret = get_keytab(context, &keytab);
if (kret) {
krb5_get_init_creds_opt_free(context, opt);
goto end;
}
kret = krb5_get_init_creds_keytab(context, &cred,
handle->principal, keytab,
0, NULL, opt);
}
krb5_get_init_creds_opt_free(context, opt);
if (kret)
goto end;
@ -233,19 +255,25 @@ end:
static OM_uint32 acquire_acceptor_cred
(OM_uint32 * minor_status,
krb5_context context,
gss_const_OID credential_type,
const void *credential_data,
const gss_name_t desired_name,
OM_uint32 time_req,
const gss_OID_set desired_mechs,
gss_const_OID desired_mech,
gss_cred_usage_t cred_usage,
gsskrb5_cred handle,
gss_OID_set * actual_mechs,
OM_uint32 * time_rec
gsskrb5_cred handle
)
{
OM_uint32 ret;
krb5_error_code kret;
ret = GSS_S_FAILURE;
if (credential_type != GSS_C_NO_OID) {
kret = EINVAL;
goto end;
}
kret = get_keytab(context, &handle->keytab);
if (kret)
goto end;
@ -299,23 +327,8 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred
OM_uint32 * time_rec
)
{
krb5_context context;
gsskrb5_cred handle;
OM_uint32 ret;
if (cred_usage != GSS_C_ACCEPT && cred_usage != GSS_C_INITIATE && cred_usage != GSS_C_BOTH) {
*minor_status = GSS_KRB5_S_G_BAD_USAGE;
return GSS_S_FAILURE;
}
GSSAPI_KRB5_INIT(&context);
*output_cred_handle = NULL;
if (time_rec)
*time_rec = 0;
if (actual_mechs)
*actual_mechs = GSS_C_NO_OID_SET;
if (desired_mechs) {
int present = 0;
@ -329,6 +342,54 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred
}
}
ret = _gsskrb5_acquire_cred_ext(minor_status,
desired_name,
GSS_C_NO_OID,
NULL,
time_req,
GSS_KRB5_MECHANISM,
cred_usage,
output_cred_handle);
if (ret)
return ret;
ret = _gsskrb5_inquire_cred(minor_status, *output_cred_handle,
NULL, time_rec, NULL, actual_mechs);
if (ret) {
OM_uint32 tmp;
_gsskrb5_release_cred(&tmp, output_cred_handle);
}
return ret;
}
OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred_ext
(OM_uint32 * minor_status,
const gss_name_t desired_name,
gss_const_OID credential_type,
const void *credential_data,
OM_uint32 time_req,
gss_const_OID desired_mech,
gss_cred_usage_t cred_usage,
gss_cred_id_t * output_cred_handle
)
{
krb5_context context;
gsskrb5_cred handle;
OM_uint32 ret;
cred_usage &= GSS_C_OPTION_MASK;
if (cred_usage != GSS_C_ACCEPT && cred_usage != GSS_C_INITIATE && cred_usage != GSS_C_BOTH) {
*minor_status = GSS_KRB5_S_G_BAD_USAGE;
return GSS_S_FAILURE;
}
GSSAPI_KRB5_INIT(&context);
*output_cred_handle = NULL;
handle = calloc(1, sizeof(*handle));
if (handle == NULL) {
*minor_status = ENOMEM;
@ -338,7 +399,6 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred
HEIMDAL_MUTEX_init(&handle->cred_id_mutex);
if (desired_name != GSS_C_NO_NAME) {
ret = _gsskrb5_canon_name(minor_status, context, 1, NULL,
desired_name, &handle->principal);
if (ret) {
@ -349,9 +409,9 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred
}
if (cred_usage == GSS_C_INITIATE || cred_usage == GSS_C_BOTH) {
ret = acquire_initiator_cred(minor_status, context,
credential_type, credential_data,
desired_name, time_req,
desired_mechs, cred_usage, handle,
actual_mechs, time_rec);
desired_mech, cred_usage, handle);
if (ret != GSS_S_COMPLETE) {
HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
krb5_free_principal(context, handle->principal);
@ -361,8 +421,9 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred
}
if (cred_usage == GSS_C_ACCEPT || cred_usage == GSS_C_BOTH) {
ret = acquire_acceptor_cred(minor_status, context,
credential_type, credential_data,
desired_name, time_req,
desired_mechs, cred_usage, handle, actual_mechs, time_rec);
desired_mech, cred_usage, handle);
if (ret != GSS_S_COMPLETE) {
HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
krb5_free_principal(context, handle->principal);
@ -374,9 +435,6 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred
if (ret == GSS_S_COMPLETE)
ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
&handle->mechanisms);
if (ret == GSS_S_COMPLETE)
ret = _gsskrb5_inquire_cred(minor_status, (gss_cred_id_t)handle,
NULL, time_rec, NULL, actual_mechs);
if (ret != GSS_S_COMPLETE) {
if (handle->mechanisms != NULL)
gss_release_oid_set(NULL, &handle->mechanisms);
@ -385,17 +443,8 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred
free(handle);
return (ret);
}
*minor_status = 0;
if (time_rec) {
ret = _gsskrb5_lifetime_left(minor_status,
context,
handle->lifetime,
time_rec);
if (ret)
return ret;
}
handle->usage = cred_usage;
*minor_status = 0;
*output_cred_handle = (gss_cred_id_t)handle;
return (GSS_S_COMPLETE);
}

31
source4/heimdal/lib/gssapi/krb5/add_cred.c
View File

@ -81,7 +81,7 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_add_cred (
return(GSS_S_FAILURE);
}
}
/* check that we have the same name */
if (dname != NULL &&
krb5_principal_compare(context, dname,
@ -110,7 +110,7 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_add_cred (
handle->ccache = NULL;
handle->mechanisms = NULL;
HEIMDAL_MUTEX_init(&handle->cred_id_mutex);
ret = GSS_S_FAILURE;
kret = krb5_copy_principal(context, cred->principal,
@ -123,23 +123,11 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_add_cred (
}
if (cred->keytab) {
char name[KRB5_KT_PREFIX_MAX_LEN + MAXPATHLEN];
int len;
char *name = NULL;
ret = GSS_S_FAILURE;
kret = krb5_kt_get_type(context, cred->keytab,
name, KRB5_KT_PREFIX_MAX_LEN);
if (kret) {
*minor_status = kret;
goto failure;
}
len = strlen(name);
name[len++] = ':';
kret = krb5_kt_get_name(context, cred->keytab,
name + len,
sizeof(name) - len);
kret = krb5_kt_get_full_name(context, cred->keytab, &name);
if (kret) {
*minor_status = kret;
goto failure;
@ -147,6 +135,7 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_add_cred (
kret = krb5_kt_resolve(context, name,
&handle->keytab);
krb5_xfree(name);
if (kret){
*minor_status = kret;
goto failure;
@ -166,7 +155,7 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_add_cred (
}
if (strcmp(type, "MEMORY") == 0) {
ret = krb5_cc_new_unique(context, type,
ret = krb5_cc_new_unique(context, type,
NULL, &handle->ccache);
if (ret) {
*minor_status = ret;
@ -186,20 +175,20 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_add_cred (
*minor_status = ENOMEM;
goto failure;
}
kret = asprintf(&type_name, "%s:%s", type, name);
if (kret < 0 || type_name == NULL) {
*minor_status = ENOMEM;
goto failure;
}
kret = krb5_cc_resolve(context, type_name,
&handle->ccache);
free(type_name);
if (kret) {
*minor_status = kret;
goto failure;
}
}
}
}
ret = gss_create_empty_oid_set(minor_status, &handle->mechanisms);

10
source4/heimdal/lib/gssapi/krb5/aeap.c
View File

@ -69,11 +69,11 @@ _gk_unwrap_iov(OM_uint32 *minor_status,
krb5_context context;
GSSAPI_KRB5_INIT (&context);
if (ctx->more_flags & IS_CFX)
return _gssapi_unwrap_cfx_iov(minor_status, ctx, context,
conf_state, qop_state, iov, iov_count);
return GSS_S_FAILURE;
}
@ -88,13 +88,13 @@ _gk_wrap_iov_length(OM_uint32 * minor_status,
{
const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle;
krb5_context context;
GSSAPI_KRB5_INIT (&context);
if (ctx->more_flags & IS_CFX)
return _gssapi_wrap_iov_length_cfx(minor_status, ctx, context,
conf_req_flag, qop_req, conf_state,
iov, iov_count);
return GSS_S_FAILURE;
}

14
source4/heimdal/lib/gssapi/krb5/arcfour.c
View File

@ -255,7 +255,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
const gss_buffer_t token_buffer,
gss_qop_t * qop_state,
krb5_keyblock *key,
char *type)
const char *type)
{
krb5_error_code ret;
uint32_t seq_number;
@ -270,7 +270,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
p = token_buffer->value;
omret = _gsskrb5_verify_header (&p,
token_buffer->length,
(u_char *)type,
type,
GSS_KRB5_MECHANISM);
if (omret)
return omret;
@ -309,7 +309,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
{
EVP_CIPHER_CTX rc4_key;
EVP_CIPHER_CTX_init(&rc4_key);
EVP_CipherInit_ex(&rc4_key, EVP_rc4(), NULL, (void *)k6_data, NULL, 0);
EVP_Cipher(&rc4_key, SND_SEQ, p, 8);
@ -462,7 +462,7 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_status,
if(conf_req_flag) {
EVP_CIPHER_CTX rc4_key;
EVP_CIPHER_CTX_init(&rc4_key);
EVP_CipherInit_ex(&rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1);
EVP_Cipher(&rc4_key, p0 + 24, p0 + 24, 8 + datalen);
@ -481,7 +481,7 @@ _gssapi_wrap_arcfour(OM_uint32 * minor_status,
{
EVP_CIPHER_CTX rc4_key;
EVP_CIPHER_CTX_init(&rc4_key);
EVP_CipherInit_ex(&rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1);
EVP_Cipher(&rc4_key, p0 + 8, p0 + 8 /* SND_SEQ */, 8);
@ -581,7 +581,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
{
EVP_CIPHER_CTX rc4_key;
EVP_CIPHER_CTX_init(&rc4_key);
EVP_CipherInit_ex(&rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1);
EVP_Cipher(&rc4_key, SND_SEQ, p0 + 8, 8);
@ -629,7 +629,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
if(conf_flag) {
EVP_CIPHER_CTX rc4_key;
EVP_CIPHER_CTX_init(&rc4_key);
EVP_CipherInit_ex(&rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1);
EVP_Cipher(&rc4_key, Confounder, p0 + 24, 8);

12
source4/heimdal/lib/gssapi/krb5/cfx.c
View File

@ -285,7 +285,8 @@ _gssapi_wrap_cfx_iov(OM_uint32 *minor_status,
gss_iov_buffer_desc *header, *trailer, *padding;
size_t gsshsize, k5hsize;
size_t gsstsize, k5tsize;
size_t i, rrc = 0, ec = 0;
size_t rrc = 0, ec = 0;
int i;
gss_cfx_wrap_token token;
krb5_error_code ret;
int32_t seq_number;
@ -424,6 +425,9 @@ _gssapi_wrap_cfx_iov(OM_uint32 *minor_status,
token->Flags = 0;
token->Filler = 0xFF;
if ((ctx->more_flags & LOCAL) == 0)
token->Flags |= CFXSentByAcceptor;
if (ctx->more_flags & ACCEPTOR_SUBKEY)
token->Flags |= CFXAcceptorSubkey;
@ -565,7 +569,7 @@ _gssapi_wrap_cfx_iov(OM_uint32 *minor_status,
plain packet:
{data | "header" | gss-trailer (krb5 checksum)
don't do RRC != 0
*/
@ -647,7 +651,7 @@ unrotate_iov(OM_uint32 *minor_status, size_t rrc, gss_iov_buffer_desc *iov, int
GSS_IOV_BUFFER_TYPE(iov[i].type) == GSS_IOV_BUFFER_TYPE_PADDING ||
GSS_IOV_BUFFER_TYPE(iov[i].type) == GSS_IOV_BUFFER_TYPE_TRAILER)
len += iov[i].buffer.length;
p = malloc(len);
if (p == NULL) {
*minor_status = ENOMEM;
@ -666,7 +670,7 @@ unrotate_iov(OM_uint32 *minor_status, size_t rrc, gss_iov_buffer_desc *iov, int
q += iov[i].buffer.length;
}
}
assert((q - p) == len);
assert((size_t)(q - p) == len);
/* unrotate first part */
q = p + rrc;

2
source4/heimdal/lib/gssapi/krb5/compat.c
View File

@ -59,7 +59,7 @@ check_compat(OM_uint32 *minor_status,
*compat = match_val;
break;
}
krb5_free_principal(context, match);
match = NULL;
}

2
source4/heimdal/lib/gssapi/krb5/context_time.c
View File

@ -88,6 +88,6 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_context_time
if (*time_rec == 0)
return GSS_S_CONTEXT_EXPIRED;
return GSS_S_COMPLETE;
}

2
source4/heimdal/lib/gssapi/krb5/copy_ccache.c
View File

@ -100,7 +100,7 @@ _gsskrb5_krb5_import_cred(OM_uint32 *minor_status,
*minor_status = kret;
return GSS_S_FAILURE;
}
if (keytab_principal) {
krb5_boolean match;

8
source4/heimdal/lib/gssapi/krb5/creds.c
View File

@ -47,7 +47,7 @@ _gsskrb5_export_cred(OM_uint32 *minor_status,
char *str;
GSSAPI_KRB5_INIT (&context);
if (handle->usage != GSS_C_INITIATE && handle->usage != GSS_C_BOTH) {
*minor_status = GSS_KRB5_S_G_BAD_USAGE;
return GSS_S_FAILURE;
@ -93,14 +93,14 @@ _gsskrb5_export_cred(OM_uint32 *minor_status,
*minor_status = ret;
return GSS_S_FAILURE;
}
ret = krb5_cc_get_full_name(context, handle->ccache, &str);
if (ret) {
krb5_storage_free(sp);
*minor_status = ret;
return GSS_S_FAILURE;
}
ret = krb5_store_string(sp, str);
free(str);
if (ret) {
@ -222,7 +222,7 @@ _gsskrb5_import_cred(OM_uint32 * minor_status,
*minor_status = ret;
return GSS_S_FAILURE;
}
ret = krb5_cc_resolve(context, str, &id);
krb5_xfree(str);
if (ret) {

4
source4/heimdal/lib/gssapi/krb5/encapsulate.c
View File

@ -114,7 +114,7 @@ _gssapi_encapsulate(
if (output_token->value == NULL) {
*minor_status = ENOMEM;
return GSS_S_FAILURE;
}
}
p = _gssapi_make_mech_header (output_token->value, len, mech);
memcpy (p, in_data->data, in_data->length);
@ -145,7 +145,7 @@ _gsskrb5_encapsulate(
if (output_token->value == NULL) {
*minor_status = ENOMEM;
return GSS_S_FAILURE;
}
}
p = _gsskrb5_make_header (output_token->value, len, type, mech);
memcpy (p, in_data->data, in_data->length);

21
source4/heimdal/lib/gssapi/krb5/external.c
View File

@ -180,7 +180,7 @@ static gss_mo_desc krb5_mo[] = {
GSS_C_MA_SASL_MECH_NAME,
GSS_MO_MA,
"SASL mech name",
"GS2-KRB5",
rk_UNCONST("GS2-KRB5"),
_gss_mo_get_ctx_as_string,
NULL
},
@ -188,7 +188,7 @@ static gss_mo_desc krb5_mo[] = {
GSS_C_MA_MECH_NAME,
GSS_MO_MA,
"Mechanism name",
"KRB5",
rk_UNCONST("KRB5"),
_gss_mo_get_ctx_as_string,
NULL
},
@ -196,7 +196,7 @@ static gss_mo_desc krb5_mo[] = {
GSS_C_MA_MECH_DESCRIPTION,
GSS_MO_MA,
"Mechanism description",
"Heimdal Kerberos 5 mech",
rk_UNCONST("Heimdal Kerberos 5 mech"),
_gss_mo_get_ctx_as_string,
NULL
},
@ -273,7 +273,7 @@ static gss_mo_desc krb5_mo[] = {
static gssapi_mech_interface_desc krb5_mech = {
GMI_VERSION,
"kerberos 5",
{9, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" },
{9, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02") },
0,
_gsskrb5_acquire_cred,
_gsskrb5_release_cred,
@ -315,7 +315,7 @@ static gssapi_mech_interface_desc krb5_mech = {
_gsskrb5_store_cred,
_gsskrb5_export_cred,
_gsskrb5_import_cred,
NULL,
_gsskrb5_acquire_cred_ext,
NULL,
NULL,
NULL,
@ -323,7 +323,16 @@ static gssapi_mech_interface_desc krb5_mech = {
NULL,
NULL,
krb5_mo,
sizeof(krb5_mo) / sizeof(krb5_mo[0])
sizeof(krb5_mo) / sizeof(krb5_mo[0]),
_gsskrb5_pname_to_uid,
_gsskrb5_authorize_localname,
NULL,
NULL,
NULL,
NULL,
NULL,
NULL,
NULL
};
gssapi_mech_interface

4
source4/heimdal/lib/gssapi/krb5/import_name.c
View File

@ -107,9 +107,9 @@ _gsskrb5_canon_name(OM_uint32 *minor_status, krb5_context context,
return GSS_S_BAD_NAME;
else if (p->name.name_string.len > 1)
hostname = p->name.name_string.val[1];
service = p->name.name_string.val[0];
ret = krb5_sname_to_principal(context,
hostname,
service,

36
source4/heimdal/lib/gssapi/krb5/init_sec_context.c
View File

@ -41,7 +41,7 @@
static OM_uint32
set_addresses (krb5_context context,
krb5_auth_context ac,
const gss_channel_bindings_t input_chan_bindings)
const gss_channel_bindings_t input_chan_bindings)
{
/* Port numbers are expected to be in application_data.value,
* initator's port first */
@ -422,11 +422,6 @@ init_auth
goto failure;
}
ret = _gss_DES3_get_mic_compat(minor_status, ctx, context);
if (ret)
goto failure;
/*
* This is hideous glue for (NFS) clients that wants to limit the
* available enctypes to what it can support (encryption in
@ -458,17 +453,21 @@ init_auth
* DNS canonicalizion.
*/
ret = gsskrb5_get_creds(minor_status, context, ctx->ccache,
ctx, name, 0, time_req,
ctx, name, 0, time_req,
time_rec);
if (ret && allow_dns)
ret = gsskrb5_get_creds(minor_status, context, ctx->ccache,
ctx, name, 1, time_req,
ctx, name, 1, time_req,
time_rec);
if (ret)
goto failure;
ctx->lifetime = ctx->kcred->times.endtime;
ret = _gss_DES3_get_mic_compat(minor_status, ctx, context);
if (ret)
goto failure;
ret = _gsskrb5_lifetime_left(minor_status,
context,
ctx->lifetime,
@ -530,7 +529,7 @@ init_auth_restart
Checksum cksum;
krb5_enctype enctype;
krb5_data fwd_data, timedata;
int32_t offset = 0, oldoffset;
int32_t offset = 0, oldoffset = 0;
uint32_t flagmask;
krb5_data_zero(&outbuf);
@ -544,7 +543,7 @@ init_auth_restart
*/
if (!ctx->kcred->flags.b.ok_as_delegate) {
krb5_data data;
ret = krb5_cc_get_config(context, ctx->ccache, NULL,
"realm-config", &data);
if (ret == 0) {
@ -676,7 +675,8 @@ init_auth_restart
output_token->length = outbuf.length;
} else {
ret = _gsskrb5_encapsulate (minor_status, &outbuf, output_token,
(u_char *)"\x01\x00", GSS_KRB5_MECHANISM);
(u_char *)(intptr_t)"\x01\x00",
GSS_KRB5_MECHANISM);
krb5_data_free (&outbuf);
if (ret)
goto failure;
@ -848,9 +848,9 @@ repl_mutual
*minor_status = kret;
return GSS_S_FAILURE;
}
/* reset local seq number */
krb5_auth_con_setlocalseqnumber(context, ctx->auth_context, local_seq);
krb5_auth_con_setlocalseqnumber(context, ctx->auth_context, local_seq);
output_token->length = outbuf.length;
output_token->value = outbuf.data;
@ -911,20 +911,20 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_init_sec_context
return GSS_S_BAD_MECH;
if (input_token == GSS_C_NO_BUFFER || input_token->length == 0) {
OM_uint32 ret;
OM_uint32 ret1;
if (*context_handle != GSS_C_NO_CONTEXT) {
*minor_status = 0;
return GSS_S_FAILURE | GSS_S_CALL_BAD_STRUCTURE;
}
ret = _gsskrb5_create_ctx(minor_status,
ret1 = _gsskrb5_create_ctx(minor_status,
context_handle,
context,
input_chan_bindings,
INITIATOR_START);
if (ret)
return ret;
if (ret1)
return ret1;
}
if (*context_handle == GSS_C_NO_CONTEXT) {
@ -953,7 +953,7 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_init_sec_context
ret_flags,
time_rec);
if (ret != GSS_S_COMPLETE)
break;
break;
/* FALL THOUGH */
case INITIATOR_RESTART:
ret = init_auth_restart(minor_status,

4
source4/heimdal/lib/gssapi/krb5/inquire_cred.c
View File

@ -95,12 +95,12 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_inquire_cred
if (output_name != NULL) {
if (icred && icred->principal != NULL) {
gss_name_t name;
if (acred && acred->principal)
name = (gss_name_t)acred->principal;
else
name = (gss_name_t)icred->principal;
ret = _gsskrb5_duplicate_name(minor_status, name, output_name);
if (ret)
goto out;

2
source4/heimdal/lib/gssapi/krb5/inquire_names_for_mech.c
View File

@ -72,6 +72,6 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_inquire_names_for_mech (
if (ret != GSS_S_COMPLETE)
gss_release_oid_set(NULL, name_types);
return GSS_S_COMPLETE;
}

53
source4/heimdal/lib/gssapi/krb5/inquire_sec_context_by_oid.c
View File

@ -159,10 +159,10 @@ static OM_uint32 inquire_sec_context_get_subkey
{
gss_buffer_desc value;
value.length = data.length;
value.value = data.data;
maj_stat = gss_add_buffer_set_member(minor_status,
&value,
data_set);
@ -179,6 +179,46 @@ out:
return maj_stat;
}
static OM_uint32 inquire_sec_context_get_sspi_session_key
(OM_uint32 *minor_status,
const gsskrb5_ctx context_handle,
krb5_context context,
gss_buffer_set_t *data_set)
{
krb5_keyblock *key;
OM_uint32 maj_stat = GSS_S_COMPLETE;
krb5_error_code ret;
gss_buffer_desc value;
HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
ret = _gsskrb5i_get_token_key(context_handle, context, &key);
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
if (ret)
goto out;
if (key == NULL) {
ret = EINVAL;
goto out;
}
value.length = key->keyvalue.length;
value.value = key->keyvalue.data;
maj_stat = gss_add_buffer_set_member(minor_status,
&value,
data_set);
krb5_free_keyblock(context, key);
/* MIT also returns the enctype encoded as an OID in data_set[1] */
out:
if (ret) {
*minor_status = ret;
maj_stat = GSS_S_FAILURE;
}
return maj_stat;
}
static OM_uint32 inquire_sec_context_authz_data
(OM_uint32 *minor_status,
const gsskrb5_ctx context_handle,
@ -464,10 +504,10 @@ get_service_keyblock
{
gss_buffer_desc value;
value.length = data.length;
value.value = data.data;
maj_stat = gss_add_buffer_set_member(minor_status,
&value,
data_set);
@ -530,6 +570,11 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_inquire_sec_context_by_oid
context,
ACCEPTOR_KEY,
data_set);
} else if (gss_oid_equal(desired_object, GSS_C_INQ_SSPI_SESSION_KEY)) {
return inquire_sec_context_get_sspi_session_key(minor_status,
ctx,
context,
data_set);
} else if (gss_oid_equal(desired_object, GSS_KRB5_GET_AUTHTIME_X)) {
return get_authtime(minor_status, ctx, data_set);
} else if (oid_prefix_equal(desired_object,

24
source4/heimdal/lib/gssapi/krb5/prf.c
View File

@ -47,18 +47,21 @@ _gsskrb5_pseudo_random(OM_uint32 *minor_status,
krb5_crypto crypto;
krb5_data input, output;
uint32_t num;
OM_uint32 junk;
unsigned char *p;
krb5_keyblock *key = NULL;
size_t dol;
if (ctx == NULL) {
*minor_status = 0;
return GSS_S_NO_CONTEXT;
}
if (desired_output_len <= 0) {
if (desired_output_len <= 0 || prf_in->length + 4 < prf_in->length) {
*minor_status = 0;
return GSS_S_FAILURE;
}
dol = desired_output_len;
GSSAPI_KRB5_INIT (&context);
@ -88,21 +91,20 @@ _gsskrb5_pseudo_random(OM_uint32 *minor_status,
return GSS_S_FAILURE;
}
prf_out->value = malloc(desired_output_len);
prf_out->value = malloc(dol);
if (prf_out->value == NULL) {
_gsskrb5_set_status(GSS_KRB5_S_KG_INPUT_TOO_LONG, "Out of memory");
*minor_status = GSS_KRB5_S_KG_INPUT_TOO_LONG;
krb5_crypto_destroy(context, crypto);
return GSS_S_FAILURE;
}
prf_out->length = desired_output_len;
prf_out->length = dol;
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
input.length = prf_in->length + 4;
input.data = malloc(prf_in->length + 4);
if (input.data == NULL) {
OM_uint32 junk;
_gsskrb5_set_status(GSS_KRB5_S_KG_INPUT_TOO_LONG, "Out of memory");
*minor_status = GSS_KRB5_S_KG_INPUT_TOO_LONG;
gss_release_buffer(&junk, prf_out);
@ -110,15 +112,17 @@ _gsskrb5_pseudo_random(OM_uint32 *minor_status,
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
return GSS_S_FAILURE;
}
memcpy(((unsigned char *)input.data) + 4, prf_in->value, prf_in->length);
memcpy(((uint8_t *)input.data) + 4, prf_in->value, prf_in->length);
num = 0;
p = prf_out->value;
while(desired_output_len > 0) {
while(dol > 0) {
size_t tsize;
_gsskrb5_encode_om_uint32(num, input.data);
ret = krb5_crypto_prf(context, crypto, &input, &output);
if (ret) {
OM_uint32 junk;
*minor_status = ret;
free(input.data);
gss_release_buffer(&junk, prf_out);
@ -126,9 +130,11 @@ _gsskrb5_pseudo_random(OM_uint32 *minor_status,
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
return GSS_S_FAILURE;
}
memcpy(p, output.data, min(desired_output_len, output.length));
tsize = min(dol, output.length);
memcpy(p, output.data, tsize);
p += output.length;
desired_output_len -= output.length;
dol -= tsize;
krb5_data_free(&output);
num++;
}

3
source4/heimdal/lib/gssapi/krb5/process_context_token.c
View File

@ -52,7 +52,8 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_process_context_token (
(gsskrb5_ctx)context_handle,
context,
token_buffer, &empty_buffer,
GSS_C_QOP_DEFAULT, "\x01\x02");
GSS_C_QOP_DEFAULT,
"\x01\x02");
if (ret == GSS_S_COMPLETE)
ret = _gsskrb5_delete_sec_context(minor_status,

4
source4/heimdal/lib/gssapi/krb5/sequence.c
View File

@ -64,7 +64,7 @@ msg_order_alloc(OM_uint32 *minor_status,
if (*o == NULL) {
*minor_status = ENOMEM;
return GSS_S_FAILURE;
}
}
*minor_status = 0;
return GSS_S_COMPLETE;
@ -141,7 +141,7 @@ OM_uint32
_gssapi_msg_order_check(struct gss_msg_order *o, OM_uint32 seq_num)
{
OM_uint32 r;
int i;
size_t i;
if (o == NULL)
return GSS_S_COMPLETE;

4
source4/heimdal/lib/gssapi/krb5/set_cred_option.c
View File

@ -209,7 +209,7 @@ no_ci_flags(OM_uint32 *minor_status,
cred = (gsskrb5_cred)*cred_handle;
cred->cred_flags |= GSS_CF_NO_CI_FLAGS;
*minor_status = 0;
return GSS_S_COMPLETE;
@ -241,7 +241,7 @@ _gsskrb5_set_cred_option
if (gss_oid_equal(desired_object, GSS_KRB5_CRED_NO_CI_FLAGS_X)) {
return no_ci_flags(minor_status, context, cred_handle, value);
}
*minor_status = EINVAL;
return GSS_S_FAILURE;

7
source4/heimdal/lib/gssapi/krb5/set_sec_context_option.c
View File

@ -154,11 +154,10 @@ _gsskrb5_set_sec_context_option
if (maj_stat != GSS_S_COMPLETE)
return maj_stat;
_gsskrb5_register_acceptor_identity(str);
maj_stat = _gsskrb5_register_acceptor_identity(minor_status, str);
free(str);
*minor_status = 0;
return GSS_S_COMPLETE;
return maj_stat;
} else if (gss_oid_equal(desired_object, GSS_KRB5_SET_DEFAULT_REALM_X)) {
char *str;
@ -222,7 +221,7 @@ _gsskrb5_set_sec_context_option
return maj_stat;
t = time(NULL) + offset;
krb5_set_real_time(context, t, 0);
*minor_status = 0;

2
source4/heimdal/lib/gssapi/krb5/store_cred.c
View File

@ -103,7 +103,7 @@ _gsskrb5_store_cred(OM_uint32 *minor_status,
*minor_status = ret;
return(GSS_S_FAILURE);
}
if (default_cred)
krb5_cc_switch(context, id);

3
source4/heimdal/lib/gssapi/krb5/unwrap.c
View File

@ -54,7 +54,7 @@ unwrap_des
DES_key_schedule schedule;
DES_cblock deskey;
DES_cblock zero;
int i;
size_t i;
uint32_t seq_number;
size_t padlength;
OM_uint32 ret;
@ -98,6 +98,7 @@ unwrap_des
if(cstate) {
/* decrypt data */
memcpy (&deskey, key->keyvalue.data, sizeof(deskey));
memset (&zero, 0, sizeof(zero));
for (i = 0; i < sizeof(deskey); ++i)
deskey[i] ^= 0xf0;

8
source4/heimdal/lib/gssapi/krb5/verify_mic.c
View File

@ -44,7 +44,7 @@ verify_mic_des
const gss_buffer_t token_buffer,
gss_qop_t * qop_state,
krb5_keyblock *key,
char *type
const char *type
)
{
u_char *p;
@ -142,7 +142,7 @@ verify_mic_des3
const gss_buffer_t token_buffer,
gss_qop_t * qop_state,
krb5_keyblock *key,
char *type
const char *type
)
{
u_char *p;
@ -276,7 +276,7 @@ _gsskrb5_verify_mic_internal
const gss_buffer_t message_buffer,
const gss_buffer_t token_buffer,
gss_qop_t * qop_state,
char * type
const char * type
)
{
krb5_keyblock *key;
@ -348,7 +348,7 @@ _gsskrb5_verify_mic
(gsskrb5_ctx)context_handle,
context,
message_buffer, token_buffer,
qop_state, "\x01\x01");
qop_state, (void *)(intptr_t)"\x01\x01");
return ret;
}

2
source4/heimdal/lib/gssapi/krb5/wrap.c
View File

@ -214,7 +214,7 @@ wrap_des
EVP_CIPHER_CTX des_ctx;
DES_cblock deskey;
DES_cblock zero;
int i;
size_t i;
int32_t seq_number;
size_t len, total_len, padlength, datalen;

16
source4/heimdal/lib/gssapi/mech/cred.h
View File

@ -39,3 +39,19 @@ struct _gss_cred {
struct _gss_mechanism_cred_list gc_mc;
};
struct _gss_mechanism_cred *
_gss_copy_cred(struct _gss_mechanism_cred *mc);
struct _gss_mechanism_name;
OM_uint32
_gss_acquire_mech_cred(OM_uint32 *minor_status,
gssapi_mech_interface m,
const struct _gss_mechanism_name *mn,
gss_const_OID credential_type,
const void *credential_data,
OM_uint32 time_req,
gss_const_OID desired_mech,
gss_cred_usage_t cred_usage,
struct _gss_mechanism_cred **output_cred_handle);

16
source4/heimdal/lib/gssapi/mech/gss_accept_sec_context.c
View File

@ -34,17 +34,17 @@ parse_header(const gss_buffer_t input_token, gss_OID mech_oid)
unsigned char *p = input_token->value;
size_t len = input_token->length;
size_t a, b;
/*
* Token must start with [APPLICATION 0] SEQUENCE.
* But if it doesn't assume it is DCE-STYLE Kerberos!
*/
if (len == 0)
return (GSS_S_DEFECTIVE_TOKEN);
p++;
len--;
/*
* Decode the length and make sure it agrees with the
* token length.
@ -71,7 +71,7 @@ parse_header(const gss_buffer_t input_token, gss_OID mech_oid)
}
if (a != len)
return (GSS_S_DEFECTIVE_TOKEN);
/*
* Decode the OID for the mechanism. Simplify life by
* assuming that the OID length is less than 128 bytes.
@ -84,9 +84,9 @@ parse_header(const gss_buffer_t input_token, gss_OID mech_oid)
p += 2;
len -= 2;
mech_oid->elements = p;
return GSS_S_COMPLETE;
}
}
static gss_OID_desc krb5_mechanism =
{9, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02")};
@ -221,7 +221,7 @@ gss_accept_sec_context(OM_uint32 *minor_status,
acceptor_mc = GSS_C_NO_CREDENTIAL;
}
delegated_mc = GSS_C_NO_CREDENTIAL;
mech_ret_flags = 0;
major_status = m->gm_accept_sec_context(minor_status,
&ctx->gc_ctx,
@ -267,7 +267,7 @@ gss_accept_sec_context(OM_uint32 *minor_status,
mech_ret_flags &=
~(GSS_C_DELEG_FLAG|GSS_C_DELEG_POLICY_FLAG);
} else if (gss_oid_equal(mech_ret_type, &m->gm_mech_oid) == 0) {
/*
/*
* If the returned mech_type is not the same
* as the mech, assume its pseudo mech type
* and the returned type is already a

2
source4/heimdal/lib/gssapi/mech/gss_acquire_cred.c
View File

@ -46,7 +46,7 @@ gss_acquire_cred(OM_uint32 *minor_status,
struct _gss_cred *cred;
struct _gss_mechanism_cred *mc;
OM_uint32 min_time, cred_time;
int i;
size_t i;
*minor_status = 0;
if (output_cred_handle == NULL)

2
source4/heimdal/lib/gssapi/mech/gss_add_cred.c
View File

@ -28,7 +28,7 @@
#include "mech_locl.h"
static struct _gss_mechanism_cred *
struct _gss_mechanism_cred *
_gss_copy_cred(struct _gss_mechanism_cred *mc)
{
struct _gss_mechanism_cred *new_mc;

2
source4/heimdal/lib/gssapi/mech/gss_add_oid_set_member.c
View File

@ -47,7 +47,7 @@
*
* @returns a gss_error code, see gss_display_status() about printing
* the error code.
*
*
* @ingroup gssapi
*/

6
source4/heimdal/lib/gssapi/mech/gss_aeap.c
View File

@ -1,6 +1,6 @@
/*
* AEAD support
*/
*/
#include "mech_locl.h"
@ -90,7 +90,7 @@ gss_unwrap_iov(OM_uint32 *minor_status,
int iov_count)
{
struct _gss_context *ctx = (struct _gss_context *) context_handle;
gssapi_mech_interface m;
gssapi_mech_interface m;
if (minor_status)
*minor_status = 0;
@ -168,7 +168,7 @@ gss_release_iov_buffer(OM_uint32 *minor_status,
int iov_count)
{
OM_uint32 junk;
size_t i;
int i;
if (minor_status)
*minor_status = 0;

2
source4/heimdal/lib/gssapi/mech/gss_buffer_set.c
View File

@ -100,7 +100,7 @@ GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
gss_release_buffer_set(OM_uint32 * minor_status,
gss_buffer_set_t *buffer_set)
{
int i;
size_t i;
OM_uint32 minor;
*minor_status = 0;

2
source4/heimdal/lib/gssapi/mech/gss_canonicalize_name.c
View File

@ -48,7 +48,7 @@
*
* @returns a gss_error code, see gss_display_status() about printing
* the error code.
*
*
* @ingroup gssapi
*/

4
source4/heimdal/lib/gssapi/mech/gss_cred.c
View File

@ -85,7 +85,7 @@ gss_export_cred(OM_uint32 * minor_status,
}
ret = krb5_storage_write(sp, buffer.value, buffer.length);
if (ret != buffer.length) {
if (ret < 0 || (size_t)ret != buffer.length) {
gss_release_buffer(minor_status, &buffer);
krb5_storage_free(sp);
*minor_status = EINVAL;
@ -183,7 +183,7 @@ gss_import_cred(OM_uint32 * minor_status,
buffer.value = data.data;
buffer.length = data.length;
major = m->gm_import_cred(minor_status,
major = m->gm_import_cred(minor_status,
&buffer, &mcred);
krb5_data_free(&data);
if (major) {

6
source4/heimdal/lib/gssapi/mech/gss_decapsulate_token.c
View File

@ -34,8 +34,8 @@
#include "mech_locl.h"
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
gss_decapsulate_token(const gss_buffer_t input_token,
const gss_OID oid,
gss_decapsulate_token(gss_const_buffer_t input_token,
gss_const_OID oid,
gss_buffer_t output_token)
{
GSSAPIContextToken ct;
@ -55,7 +55,7 @@ gss_decapsulate_token(const gss_buffer_t input_token,
if (ret) {
der_free_oid(&o);
return GSS_S_FAILURE;
}
}
if (der_heim_oid_cmp(&ct.thisMech, &o) == 0) {
status = GSS_S_COMPLETE;

2
source4/heimdal/lib/gssapi/mech/gss_display_status.c
View File

@ -190,7 +190,7 @@ gss_display_status(OM_uint32 *minor_status,
oid.value = rk_UNCONST("unknown");
oid.length = 7;
}
e = asprintf (&buf, "unknown mech-code %lu for mech %.*s",
(unsigned long)status_value,
(int)oid.length, (char *)oid.value);

8
source4/heimdal/lib/gssapi/mech/gss_duplicate_name.c
View File

@ -52,7 +52,7 @@ gss_duplicate_name(OM_uint32 *minor_status,
if (major_status != GSS_S_COMPLETE)
return (major_status);
new_name = (struct _gss_name *) *dest_name;
HEIM_SLIST_FOREACH(mn, &name->gn_mn, gmn_link) {
struct _gss_mechanism_name *mn2;
_gss_find_mn(minor_status, new_name,
@ -67,10 +67,10 @@ gss_duplicate_name(OM_uint32 *minor_status,
memset(new_name, 0, sizeof(struct _gss_name));
HEIM_SLIST_INIT(&new_name->gn_mn);
*dest_name = (gss_name_t) new_name;
HEIM_SLIST_FOREACH(mn, &name->gn_mn, gmn_link) {
struct _gss_mechanism_name *new_mn;
new_mn = malloc(sizeof(*new_mn));
if (!new_mn) {
*minor_status = ENOMEM;
@ -78,7 +78,7 @@ gss_duplicate_name(OM_uint32 *minor_status,
}
new_mn->gmn_mech = mn->gmn_mech;
new_mn->gmn_mech_oid = mn->gmn_mech_oid;
major_status =
mn->gmn_mech->gm_duplicate_name(minor_status,
mn->gmn_name, &new_mn->gmn_name);

6
source4/heimdal/lib/gssapi/mech/gss_encapsulate_token.c
View File

@ -34,8 +34,8 @@
#include "mech_locl.h"
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
gss_encapsulate_token(const gss_buffer_t input_token,
const gss_OID oid,
gss_encapsulate_token(gss_const_buffer_t input_token,
gss_const_OID oid,
gss_buffer_t output_token)
{
GSSAPIContextToken ct;
@ -58,7 +58,7 @@ gss_encapsulate_token(const gss_buffer_t input_token,
if (ret) {
_mg_buffer_zero(output_token);
return GSS_S_FAILURE;
}
}
if (output_token->length != size)
abort();

2
source4/heimdal/lib/gssapi/mech/gss_export_sec_context.c
View File

@ -42,7 +42,7 @@ gss_export_sec_context(OM_uint32 *minor_status,
major_status = m->gm_export_sec_context(minor_status,
&ctx->gc_ctx, &buf);
if (major_status == GSS_S_COMPLETE) {
unsigned char *p;

18
source4/heimdal/lib/gssapi/mech/gss_import_name.c
View File

@ -41,6 +41,7 @@ _gss_import_export_name(OM_uint32 *minor_status,
gssapi_mech_interface m;
struct _gss_name *name;
gss_name_t new_canonical_name;
int composite = 0;
*minor_status = 0;
*output_name = 0;
@ -50,8 +51,17 @@ _gss_import_export_name(OM_uint32 *minor_status,
*/
if (len < 2)
return (GSS_S_BAD_NAME);
if (p[0] != 4 || p[1] != 1)
if (p[0] != 4)
return (GSS_S_BAD_NAME);
switch (p[1]) {
case 1: /* non-composite name */
break;
case 2: /* composite name */
composite = 1;
break;
default:
return (GSS_S_BAD_NAME);
}
p += 2;
len -= 2;
@ -106,7 +116,7 @@ _gss_import_export_name(OM_uint32 *minor_status,
p += 4;
len -= 4;
if (len != t)
if (!composite && len != t)
return (GSS_S_BAD_NAME);
m = __gss_get_mechanism(&mech_oid);
@ -159,7 +169,7 @@ _gss_import_export_name(OM_uint32 *minor_status,
*
* @returns a gss_error code, see gss_display_status() about printing
* the error code.
*
*
* @ingroup gssapi
*/
@ -231,7 +241,7 @@ gss_import_name(OM_uint32 *minor_status,
HEIM_SLIST_FOREACH(m, &_gss_mechs, gm_link) {
int present = 0;
major_status = gss_test_oid_set_member(minor_status,
major_status = gss_test_oid_set_member(minor_status,
name_type, m->gm_name_types, &present);
if (major_status || present == 0)

2
source4/heimdal/lib/gssapi/mech/gss_import_sec_context.c
View File

@ -58,7 +58,7 @@ gss_import_sec_context(OM_uint32 *minor_status,
mech_oid.elements = p + 2;
buf.length = len - 2 - mech_oid.length;
buf.value = p + 2 + mech_oid.length;
m = __gss_get_mechanism(&mech_oid);
if (!m)
return (GSS_S_DEFECTIVE_TOKEN);

4
source4/heimdal/lib/gssapi/mech/gss_indicate_mechs.c
View File

@ -35,14 +35,14 @@ gss_indicate_mechs(OM_uint32 *minor_status,
struct _gss_mech_switch *m;
OM_uint32 major_status;
gss_OID_set set;
int i;
size_t i;
_gss_load_mech();
major_status = gss_create_empty_oid_set(minor_status, mech_set);
if (major_status)
return (major_status);
HEIM_SLIST_FOREACH(m, &_gss_mechs, gm_link) {
if (m->gm_mech.gm_indicate_mechs) {
major_status = m->gm_mech.gm_indicate_mechs(

2
source4/heimdal/lib/gssapi/mech/gss_init_sec_context.c
View File

@ -99,7 +99,7 @@ _gss_mech_cred_find(gss_cred_id_t cred_handle, gss_OID mech_type)
*
* @returns a gss_error code, see gss_display_status() about printing
* the error code.
*
*
* @ingroup gssapi
*/

8
source4/heimdal/lib/gssapi/mech/gss_inquire_context.c
View File

@ -37,7 +37,7 @@ gss_inquire_context(OM_uint32 *minor_status,
gss_OID *mech_type,
OM_uint32 *ctx_flags,
int *locally_initiated,
int *open)
int *xopen)
{
OM_uint32 major_status;
struct _gss_context *ctx = (struct _gss_context *) context_handle;
@ -47,8 +47,8 @@ gss_inquire_context(OM_uint32 *minor_status,
if (locally_initiated)
*locally_initiated = 0;
if (open)
*open = 0;
if (xopen)
*xopen = 0;
if (lifetime_rec)
*lifetime_rec = 0;
@ -68,7 +68,7 @@ gss_inquire_context(OM_uint32 *minor_status,
mech_type,
ctx_flags,
locally_initiated,
open);
xopen);
if (major_status != GSS_S_COMPLETE) {
_gss_mg_error(m, major_status, *minor_status);

2
source4/heimdal/lib/gssapi/mech/gss_inquire_cred_by_oid.c
View File

@ -52,7 +52,7 @@ gss_inquire_cred_by_oid (OM_uint32 *minor_status,
HEIM_SLIST_FOREACH(mc, &cred->gc_mc, gmc_link) {
gss_buffer_set_t rset = GSS_C_NO_BUFFER_SET;
int i;
size_t i;
m = mc->gmc_mech;
if (m == NULL) {

16
source4/heimdal/lib/gssapi/mech/gss_krb5.c
View File

@ -188,7 +188,7 @@ out:
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
gsskrb5_register_acceptor_identity(const char *identity)
{
struct _gss_mech_switch *m;
gssapi_mech_interface m;
gss_buffer_desc buffer;
OM_uint32 junk;
@ -197,14 +197,12 @@ gsskrb5_register_acceptor_identity(const char *identity)
buffer.value = rk_UNCONST(identity);
buffer.length = strlen(identity);
HEIM_SLIST_FOREACH(m, &_gss_mechs, gm_link) {
if (m->gm_mech.gm_set_sec_context_option == NULL)
continue;
m->gm_mech.gm_set_sec_context_option(&junk, NULL,
GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X, &buffer);
}
m = __gss_get_mechanism(GSS_KRB5_MECHANISM);
if (m == NULL || m->gm_set_sec_context_option == NULL)
return GSS_S_FAILURE;
return (GSS_S_COMPLETE);
return m->gm_set_sec_context_option(&junk, NULL,
GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X, &buffer);
}
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
@ -441,7 +439,7 @@ gss_krb5_set_allowable_enctypes(OM_uint32 *minor_status,
gss_buffer_desc buffer;
krb5_storage *sp;
krb5_data data;
int i;
size_t i;
sp = krb5_storage_emem();
if (sp == NULL) {

100
source4/heimdal/lib/gssapi/mech/gss_mech_switch.c
View File

@ -62,7 +62,7 @@ _gss_string_to_oid(const char* s, gss_OID oid)
if (q) q = q + 1;
number_count++;
}
/*
* The first two numbers are in the first byte and each
* subsequent number is encoded in a variable byte sequence.
@ -126,7 +126,7 @@ _gss_string_to_oid(const char* s, gss_OID oid)
while (bytes) {
if (res) {
int bit = 7*(bytes-1);
*res = (number >> bit) & 0x7f;
if (bytes != 1)
*res |= 0x80;
@ -152,7 +152,8 @@ _gss_string_to_oid(const char* s, gss_OID oid)
#define SYM(name) \
do { \
m->gm_mech.gm_ ## name = dlsym(so, "gss_" #name); \
if (!m->gm_mech.gm_ ## name) { \
if (!m->gm_mech.gm_ ## name || \
m->gm_mech.gm_ ##name == gss_ ## name) { \
fprintf(stderr, "can't find symbol gss_" #name "\n"); \
goto bad; \
} \
@ -160,7 +161,28 @@ do { \
#define OPTSYM(name) \
do { \
m->gm_mech.gm_ ## name = dlsym(so, "gss_" #name); \
m->gm_mech.gm_ ## name = dlsym(so, "gss_" #name); \
if (m->gm_mech.gm_ ## name == gss_ ## name) \
m->gm_mech.gm_ ## name = NULL; \
} while (0)
#define OPTSPISYM(name) \
do { \
m->gm_mech.gm_ ## name = dlsym(so, "gssspi_" #name); \
} while (0)
#define COMPATSYM(name) \
do { \
m->gm_mech.gm_compat->gmc_ ## name = dlsym(so, "gss_" #name); \
if (m->gm_mech.gm_compat->gmc_ ## name == gss_ ## name) \
m->gm_mech.gm_compat->gmc_ ## name = NULL; \
} while (0)
#define COMPATSPISYM(name) \
do { \
m->gm_mech.gm_compat->gmc_ ## name = dlsym(so, "gssspi_" #name);\
if (m->gm_mech.gm_compat->gmc_ ## name == gss_ ## name) \
m->gm_mech.gm_compat->gmc_ ## name = NULL; \
} while (0)
/*
@ -283,28 +305,26 @@ _gss_load_mech(void)
#endif
so = dlopen(lib, RTLD_LAZY | RTLD_LOCAL | RTLD_GROUP);
if (!so) {
if (so == NULL) {
/* fprintf(stderr, "dlopen: %s\n", dlerror()); */
free(mech_oid.elements);
continue;
goto bad;
}
m = malloc(sizeof(*m));
if (!m) {
free(mech_oid.elements);
break;
}
m = calloc(1, sizeof(*m));
if (m == NULL)
goto bad;
m->gm_so = so;
m->gm_mech.gm_mech_oid = mech_oid;
m->gm_mech.gm_flags = 0;
m->gm_mech.gm_compat = calloc(1, sizeof(struct gss_mech_compat_desc_struct));
if (m->gm_mech.gm_compat == NULL)
goto bad;
major_status = gss_add_oid_set_member(&minor_status,
&m->gm_mech.gm_mech_oid, &_gss_mech_oids);
if (major_status) {
free(m->gm_mech.gm_mech_oid.elements);
free(m);
continue;
}
if (GSS_ERROR(major_status))
goto bad;
SYM(acquire_cred);
SYM(release_cred);
@ -338,34 +358,64 @@ _gss_load_mech(void)
OPTSYM(inquire_cred_by_oid);
OPTSYM(inquire_sec_context_by_oid);
OPTSYM(set_sec_context_option);
OPTSYM(set_cred_option);
OPTSPISYM(set_cred_option);
OPTSYM(pseudo_random);
OPTSYM(wrap_iov);
OPTSYM(unwrap_iov);
OPTSYM(wrap_iov_length);
OPTSYM(store_cred);
OPTSYM(export_cred);
OPTSYM(import_cred);
#if 0
OPTSYM(acquire_cred_ext);
OPTSYM(iter_creds);
OPTSYM(destroy_cred);
OPTSYM(cred_hold);
OPTSYM(cred_unhold);
OPTSYM(cred_label_get);
OPTSYM(cred_label_set);
#endif
OPTSYM(display_name_ext);
OPTSYM(inquire_name);
OPTSYM(get_name_attribute);
OPTSYM(set_name_attribute);
OPTSYM(delete_name_attribute);
OPTSYM(export_name_composite);
OPTSYM(pname_to_uid);
OPTSPISYM(authorize_localname);
mi = dlsym(so, "gss_mo_init");
if (mi != NULL) {
major_status = mi(&minor_status,
&mech_oid,
&m->gm_mech.gm_mo,
&m->gm_mech.gm_mo_num);
major_status = mi(&minor_status, &mech_oid,
&m->gm_mech.gm_mo, &m->gm_mech.gm_mo_num);
if (GSS_ERROR(major_status))
goto bad;
} else {
/* API-as-SPI compatibility */
COMPATSYM(inquire_saslname_for_mech);
COMPATSYM(inquire_mech_for_saslname);
COMPATSYM(inquire_attrs_for_mech);
COMPATSPISYM(acquire_cred_with_password);
}
/* pick up the oid sets of names */
if (m->gm_mech.gm_inquire_names_for_mech)
(*m->gm_mech.gm_inquire_names_for_mech)(&minor_status,
&m->gm_mech.gm_mech_oid, &m->gm_name_types);
if (m->gm_name_types == NULL)
gss_create_empty_oid_set(&minor_status, &m->gm_name_types);
HEIM_SLIST_INSERT_HEAD(&_gss_mechs, m, gm_link);
continue;
bad:
free(m->gm_mech.gm_mech_oid.elements);
free(m);
if (m != NULL) {
free(m->gm_mech.gm_compat);
free(m->gm_mech.gm_mech_oid.elements);
free(m);
}
dlclose(so);
continue;
}

341
source4/heimdal/lib/gssapi/mech/gss_mo.c
View File

@ -4,6 +4,7 @@
* All rights reserved.
*
* Portions Copyright (c) 2010 Apple Inc. All rights reserved.
* Portions Copyright (c) 2010 PADL Software Pty Ltd. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@ -35,13 +36,14 @@
#include "mech_locl.h"
#include <crypto-headers.h>
static int
get_option_def(int def, gss_const_OID mech, gss_mo_desc *mo, gss_buffer_t value)
{
return def;
}
int
_gss_mo_get_option_1(gss_const_OID mech, gss_mo_desc *mo, gss_buffer_t value)
{
@ -60,10 +62,10 @@ _gss_mo_get_ctx_as_string(gss_const_OID mech, gss_mo_desc *mo, gss_buffer_t valu
if (value) {
value->value = strdup((char *)mo->ctx);
if (value->value == NULL)
return 1;
return GSS_S_FAILURE;
value->length = strlen((char *)mo->ctx);
}
return 0;
return GSS_S_COMPLETE;
}
GSSAPI_LIB_FUNCTION int GSSAPI_LIB_CALL
@ -79,7 +81,8 @@ gss_mo_set(gss_const_OID mech, gss_const_OID option,
for (n = 0; n < m->gm_mo_num; n++)
if (gss_oid_equal(option, m->gm_mo[n].option) && m->gm_mo[n].set)
return m->gm_mo[n].set(mech, &m->gm_mo[n], enable, value);
return 0;
return GSS_S_UNAVAILABLE;
}
GSSAPI_LIB_FUNCTION int GSSAPI_LIB_CALL
@ -91,13 +94,13 @@ gss_mo_get(gss_const_OID mech, gss_const_OID option, gss_buffer_t value)
_mg_buffer_zero(value);
if ((m = __gss_get_mechanism(mech)) == NULL)
return 0;
return GSS_S_BAD_MECH;
for (n = 0; n < m->gm_mo_num; n++)
if (gss_oid_equal(option, m->gm_mo[n].option) && m->gm_mo[n].get)
return m->gm_mo[n].get(mech, &m->gm_mo[n], value);
return 0;
return GSS_S_UNAVAILABLE;
}
static void
@ -147,7 +150,8 @@ gss_mo_name(gss_const_OID mech, gss_const_OID option, gss_buffer_t name)
for (n = 0; n < m->gm_mo_num; n++) {
if (gss_oid_equal(option, m->gm_mo[n].option)) {
/*
* If ther is no name, its because its a GSS_C_MA and there is already a table for that.
* If there is no name, its because its a GSS_C_MA and
* there is already a table for that.
*/
if (m->gm_mo[n].name) {
name->value = strdup(m->gm_mo[n].name);
@ -175,14 +179,86 @@ mo_value(const gss_const_OID mech, gss_const_OID option, gss_buffer_t name)
if (name == NULL)
return GSS_S_COMPLETE;
if (gss_mo_get(mech, option, name) != 0 && name->length == 0)
return GSS_S_FAILURE;
return gss_mo_get(mech, option, name);
}
/* code derived from draft-ietf-cat-sasl-gssapi-01 */
static char basis_32[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
static OM_uint32
make_sasl_name(OM_uint32 *minor, const gss_OID mech, char sasl_name[16])
{
EVP_MD_CTX *ctx;
char *p = sasl_name;
u_char hdr[2], hash[20], *h = hash;
if (mech->length > 127)
return GSS_S_BAD_MECH;
hdr[0] = 0x06;
hdr[1] = mech->length;
ctx = EVP_MD_CTX_create();
EVP_DigestInit_ex(ctx, EVP_sha1(), NULL);
EVP_DigestUpdate(ctx, hdr, 2);
EVP_DigestUpdate(ctx, mech->elements, mech->length);
EVP_DigestFinal_ex(ctx, hash, NULL);
memcpy(p, "GS2-", 4);
p += 4;
*p++ = basis_32[(h[0] >> 3)];
*p++ = basis_32[((h[0] & 7) << 2) | (h[1] >> 6)];
*p++ = basis_32[(h[1] & 0x3f) >> 1];
*p++ = basis_32[((h[1] & 1) << 4) | (h[2] >> 4)];
*p++ = basis_32[((h[2] & 0xf) << 1) | (h[3] >> 7)];
*p++ = basis_32[(h[3] & 0x7f) >> 2];
*p++ = basis_32[((h[3] & 3) << 3) | (h[4] >> 5)];
*p++ = basis_32[(h[4] & 0x1f)];
*p++ = basis_32[(h[5] >> 3)];
*p++ = basis_32[((h[5] & 7) << 2) | (h[6] >> 6)];
*p++ = basis_32[(h[6] & 0x3f) >> 1];
*p = '\0';
return GSS_S_COMPLETE;
}
/*
* gss_inquire_saslname_for_mech() wrapper that uses MIT SPI
*/
static OM_uint32
inquire_saslname_for_mech_compat(OM_uint32 *minor,
const gss_OID desired_mech,
gss_buffer_t sasl_mech_name,
gss_buffer_t mech_name,
gss_buffer_t mech_description)
{
struct gss_mech_compat_desc_struct *gmc;
gssapi_mech_interface m;
OM_uint32 major;
m = __gss_get_mechanism(desired_mech);
if (m == NULL)
return GSS_S_BAD_MECH;
gmc = m->gm_compat;
if (gmc != NULL && gmc->gmc_inquire_saslname_for_mech != NULL) {
major = gmc->gmc_inquire_saslname_for_mech(minor,
desired_mech,
sasl_mech_name,
mech_name,
mech_description);
} else {
major = GSS_S_UNAVAILABLE;
}
return major;
}
/**
* Returns differnt protocol names and description of the mechanism.
* Returns different protocol names and description of the mechanism.
*
* @param minor_status minor status code
* @param desired_mech mech list query
@ -215,15 +291,41 @@ gss_inquire_saslname_for_mech(OM_uint32 *minor_status,
return GSS_S_BAD_MECH;
major = mo_value(desired_mech, GSS_C_MA_SASL_MECH_NAME, sasl_mech_name);
if (major) return major;
if (major == GSS_S_COMPLETE) {
/* Native SPI */
major = mo_value(desired_mech, GSS_C_MA_MECH_NAME, mech_name);
if (GSS_ERROR(major))
return major;
major = mo_value(desired_mech, GSS_C_MA_MECH_NAME, mech_name);
if (major) return major;
major = mo_value(desired_mech, GSS_C_MA_MECH_DESCRIPTION, mech_description);
if (GSS_ERROR(major))
return major;
}
major = mo_value(desired_mech, GSS_C_MA_MECH_DESCRIPTION, mech_description);
if (major) return major;
if (GSS_ERROR(major)) {
/* API-as-SPI compatibility */
major = inquire_saslname_for_mech_compat(minor_status,
desired_mech,
sasl_mech_name,
mech_name,
mech_description);
}
return GSS_S_COMPLETE;
if (GSS_ERROR(major)) {
/* Algorithmically dervied SASL mechanism name */
char buf[16];
gss_buffer_desc tmp = { sizeof(buf) - 1, buf };
major = make_sasl_name(minor_status, desired_mech, buf);
if (GSS_ERROR(major))
return major;
major = _gss_copy_buffer(minor_status, &tmp, sasl_mech_name);
if (GSS_ERROR(major))
return major;
}
return major;
}
/**
@ -243,29 +345,91 @@ gss_inquire_mech_for_saslname(OM_uint32 *minor_status,
{
struct _gss_mech_switch *m;
gss_buffer_desc name;
OM_uint32 major;
OM_uint32 major, junk;
char buf[16];
_gss_load_mech();
*mech_type = NULL;
HEIM_SLIST_FOREACH(m, &_gss_mechs, gm_link) {
struct gss_mech_compat_desc_struct *gmc;
major = mo_value(&m->gm_mech_oid, GSS_C_MA_SASL_MECH_NAME, &name);
if (major)
continue;
if (name.length == sasl_mech_name->length &&
memcmp(name.value, sasl_mech_name->value, name.length) == 0) {
gss_release_buffer(&major, &name);
*mech_type = &m->gm_mech_oid;
return 0;
/* Native SPI */
major = mo_value(&m->gm_mech_oid, GSS_C_MA_SASL_MECH_NAME, &name);
if (major == GSS_S_COMPLETE &&
name.length == sasl_mech_name->length &&
memcmp(name.value, sasl_mech_name->value, name.length) == 0) {
gss_release_buffer(&junk, &name);
*mech_type = &m->gm_mech_oid;
return GSS_S_COMPLETE;
}
gss_release_buffer(&major, &name);
gss_release_buffer(&junk, &name);
if (GSS_ERROR(major)) {
/* API-as-SPI compatibility */
gmc = m->gm_mech.gm_compat;
if (gmc && gmc->gmc_inquire_mech_for_saslname) {
major = gmc->gmc_inquire_mech_for_saslname(minor_status,
sasl_mech_name,
mech_type);
if (major == GSS_S_COMPLETE)
return GSS_S_COMPLETE;
}
}
if (GSS_ERROR(major)) {
/* Algorithmically dervied SASL mechanism name */
if (sasl_mech_name->length == 16 &&
make_sasl_name(minor_status, &m->gm_mech_oid, buf) == GSS_S_COMPLETE &&
memcmp(buf, sasl_mech_name->value, 16) == 0) {
*mech_type = &m->gm_mech_oid;
return GSS_S_COMPLETE;
}
}
}
return GSS_S_BAD_MECH;
}
/*
* Test mechanism against indicated attributes using both Heimdal and
* MIT SPIs.
*/
static int
test_mech_attrs(gssapi_mech_interface mi,
gss_const_OID_set mech_attrs,
gss_const_OID_set against_attrs,
int except)
{
size_t n, m;
int eq = 0;
if (against_attrs == GSS_C_NO_OID_SET)
return 1;
for (n = 0; n < against_attrs->count; n++) {
for (m = 0; m < mi->gm_mo_num; m++) {
eq = gss_oid_equal(mi->gm_mo[m].option,
&against_attrs->elements[n]);
if (eq)
break;
}
if (mech_attrs != GSS_C_NO_OID_SET) {
for (m = 0; m < mech_attrs->count; m++) {
eq = gss_oid_equal(&mech_attrs->elements[m],
&against_attrs->elements[n]);
if (eq)
break;
}
}
if (!eq ^ except)
return 0;
}
return 1;
}
/**
* Return set of mechanism that fullfill the criteria
*
@ -286,57 +450,49 @@ gss_indicate_mechs_by_attrs(OM_uint32 * minor_status,
gss_OID_set *mechs)
{
struct _gss_mech_switch *ms;
gss_OID_set mech_attrs = GSS_C_NO_OID_SET;
gss_OID_set known_mech_attrs = GSS_C_NO_OID_SET;
OM_uint32 major;
size_t n, m;
major = gss_create_empty_oid_set(minor_status, mechs);
if (major)
if (GSS_ERROR(major))
return major;
_gss_load_mech();
HEIM_SLIST_FOREACH(ms, &_gss_mechs, gm_link) {
gssapi_mech_interface mi = &ms->gm_mech;
struct gss_mech_compat_desc_struct *gmc = mi->gm_compat;
OM_uint32 tmp;
if (desired_mech_attrs) {
for (n = 0; n < desired_mech_attrs->count; n++) {
for (m = 0; m < mi->gm_mo_num; m++)
if (gss_oid_equal(mi->gm_mo[m].option, &desired_mech_attrs->elements[n]))
break;
if (m == mi->gm_mo_num)
goto next;
}
}
if (gmc && gmc->gmc_inquire_attrs_for_mech) {
major = gmc->gmc_inquire_attrs_for_mech(minor_status,
&mi->gm_mech_oid,
&mech_attrs,
&known_mech_attrs);
if (GSS_ERROR(major))
continue;
}
if (except_mech_attrs) {
for (n = 0; n < desired_mech_attrs->count; n++) {
for (m = 0; m < mi->gm_mo_num; m++) {
if (gss_oid_equal(mi->gm_mo[m].option, &desired_mech_attrs->elements[n]))
goto next;
}
}
}
/*
* Test mechanism supports all of desired_mech_attrs;
* none of except_mech_attrs;
* and knows of all critical_mech_attrs.
*/
if (test_mech_attrs(mi, mech_attrs, desired_mech_attrs, 0) &&
test_mech_attrs(mi, mech_attrs, except_mech_attrs, 1) &&
test_mech_attrs(mi, known_mech_attrs, critical_mech_attrs, 0)) {
major = gss_add_oid_set_member(minor_status, &mi->gm_mech_oid, mechs);
}
if (critical_mech_attrs) {
for (n = 0; n < desired_mech_attrs->count; n++) {
for (m = 0; m < mi->gm_mo_num; m++) {
if (mi->gm_mo[m].flags & GSS_MO_MA_CRITICAL)
continue;
if (gss_oid_equal(mi->gm_mo[m].option, &desired_mech_attrs->elements[n]))
break;
}
if (m == mi->gm_mo_num)
goto next;
}
}
gss_release_oid_set(&tmp, &mech_attrs);
gss_release_oid_set(&tmp, &known_mech_attrs);
next:
do { } while(0);
if (GSS_ERROR(major))
break;
}
return GSS_S_FAILURE;
return major;
}
/**
@ -361,30 +517,45 @@ gss_inquire_attrs_for_mech(OM_uint32 * minor_status,
{
OM_uint32 major, junk;
if (known_mech_attrs)
*known_mech_attrs = GSS_C_NO_OID_SET;
if (mech_attr && mech) {
gssapi_mech_interface m;
struct gss_mech_compat_desc_struct *gmc;
if ((m = __gss_get_mechanism(mech)) == NULL) {
*minor_status = 0;
return GSS_S_BAD_MECH;
}
major = gss_create_empty_oid_set(minor_status, mech_attr);
if (major != GSS_S_COMPLETE)
return major;
gmc = m->gm_compat;
add_all_mo(m, mech_attr, GSS_MO_MA);
}
if (gmc && gmc->gmc_inquire_attrs_for_mech) {
major = gmc->gmc_inquire_attrs_for_mech(minor_status,
mech,
mech_attr,
known_mech_attrs);
} else {
major = gss_create_empty_oid_set(minor_status, mech_attr);
if (major == GSS_S_COMPLETE)
add_all_mo(m, mech_attr, GSS_MO_MA);
}
if (GSS_ERROR(major))
return major;
}
if (known_mech_attrs) {
struct _gss_mech_switch *m;
major = gss_create_empty_oid_set(minor_status, known_mech_attrs);
if (major) {
if (mech_attr)
gss_release_oid_set(&junk, mech_attr);
return major;
}
if (*known_mech_attrs == GSS_C_NO_OID_SET) {
major = gss_create_empty_oid_set(minor_status, known_mech_attrs);
if (GSS_ERROR(major)) {
if (mech_attr)
gss_release_oid_set(&junk, mech_attr);
return major;
}
}
_gss_load_mech();
@ -434,28 +605,28 @@ gss_display_mech_attr(OM_uint32 * minor_status,
return GSS_S_BAD_MECH_ATTR;
if (name) {
gss_buffer_desc n;
n.value = rk_UNCONST(ma->name);
n.length = strlen(ma->name);
major = _gss_copy_buffer(minor_status, &n, name);
gss_buffer_desc bd;
bd.value = rk_UNCONST(ma->name);
bd.length = strlen(ma->name);
major = _gss_copy_buffer(minor_status, &bd, name);
if (major != GSS_S_COMPLETE)
return major;
}
if (short_desc) {
gss_buffer_desc n;
n.value = rk_UNCONST(ma->short_desc);
n.length = strlen(ma->short_desc);
major = _gss_copy_buffer(minor_status, &n, short_desc);
gss_buffer_desc bd;
bd.value = rk_UNCONST(ma->short_desc);
bd.length = strlen(ma->short_desc);
major = _gss_copy_buffer(minor_status, &bd, short_desc);
if (major != GSS_S_COMPLETE)
return major;
}
if (long_desc) {
gss_buffer_desc n;
n.value = rk_UNCONST(ma->long_desc);
n.length = strlen(ma->long_desc);
major = _gss_copy_buffer(minor_status, &n, long_desc);
gss_buffer_desc bd;
bd.value = rk_UNCONST(ma->long_desc);
bd.length = strlen(ma->long_desc);
major = _gss_copy_buffer(minor_status, &bd, long_desc);
if (major != GSS_S_COMPLETE)
return major;
}

2
source4/heimdal/lib/gssapi/mech/gss_names.c
View File

@ -58,7 +58,7 @@ _gss_find_mn(OM_uint32 *minor_status, struct _gss_name *name, gss_OID mech,
mn = malloc(sizeof(struct _gss_mechanism_name));
if (!mn)
return GSS_S_FAILURE;
major_status = m->gm_import_name(minor_status,
&name->gn_value,
(name->gn_type.elements

150
source4/heimdal/lib/gssapi/mech/gss_oid.c
View File

@ -2,220 +2,226 @@
#include "mech_locl.h"
/* GSS_KRB5_COPY_CCACHE_X - 1.2.752.43.13.1 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_copy_ccache_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x01" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_copy_ccache_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x01") };
/* GSS_KRB5_GET_TKT_FLAGS_X - 1.2.752.43.13.2 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_tkt_flags_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x02" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_tkt_flags_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x02") };
/* GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X - 1.2.752.43.13.3 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_extract_authz_data_from_sec_context_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x03" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_extract_authz_data_from_sec_context_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x03") };
/* GSS_KRB5_COMPAT_DES3_MIC_X - 1.2.752.43.13.4 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_compat_des3_mic_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x04" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_compat_des3_mic_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x04") };
/* GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X - 1.2.752.43.13.5 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_register_acceptor_identity_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x05" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_register_acceptor_identity_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x05") };
/* GSS_KRB5_EXPORT_LUCID_CONTEXT_X - 1.2.752.43.13.6 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_export_lucid_context_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x06" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_export_lucid_context_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x06") };
/* GSS_KRB5_EXPORT_LUCID_CONTEXT_V1_X - 1.2.752.43.13.6.1 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_export_lucid_context_v1_x_oid_desc = { 7, "\x2a\x85\x70\x2b\x0d\x06\x01" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_export_lucid_context_v1_x_oid_desc = { 7, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x06\x01") };
/* GSS_KRB5_SET_DNS_CANONICALIZE_X - 1.2.752.43.13.7 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_set_dns_canonicalize_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x07" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_set_dns_canonicalize_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x07") };
/* GSS_KRB5_GET_SUBKEY_X - 1.2.752.43.13.8 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_subkey_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x08" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_subkey_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x08") };
/* GSS_KRB5_GET_INITIATOR_SUBKEY_X - 1.2.752.43.13.9 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_initiator_subkey_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x09" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_initiator_subkey_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x09") };
/* GSS_KRB5_GET_ACCEPTOR_SUBKEY_X - 1.2.752.43.13.10 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_acceptor_subkey_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x0a" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_acceptor_subkey_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0a") };
/* GSS_KRB5_SEND_TO_KDC_X - 1.2.752.43.13.11 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_send_to_kdc_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x0b" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_send_to_kdc_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0b") };
/* GSS_KRB5_GET_AUTHTIME_X - 1.2.752.43.13.12 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_authtime_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x0c" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_authtime_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0c") };
/* GSS_KRB5_GET_SERVICE_KEYBLOCK_X - 1.2.752.43.13.13 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_service_keyblock_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x0d" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_service_keyblock_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0d") };
/* GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X - 1.2.752.43.13.14 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_set_allowable_enctypes_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x0e" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_set_allowable_enctypes_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0e") };
/* GSS_KRB5_SET_DEFAULT_REALM_X - 1.2.752.43.13.15 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_set_default_realm_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x0f" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_set_default_realm_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0f") };
/* GSS_KRB5_CCACHE_NAME_X - 1.2.752.43.13.16 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_ccache_name_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x10" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_ccache_name_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x10") };
/* GSS_KRB5_SET_TIME_OFFSET_X - 1.2.752.43.13.17 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_set_time_offset_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x11" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_set_time_offset_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x11") };
/* GSS_KRB5_GET_TIME_OFFSET_X - 1.2.752.43.13.18 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_time_offset_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x12" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_time_offset_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x12") };
/* GSS_KRB5_PLUGIN_REGISTER_X - 1.2.752.43.13.19 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_plugin_register_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x13" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_plugin_register_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x13") };
/* GSS_NTLM_GET_SESSION_KEY_X - 1.2.752.43.13.20 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_ntlm_get_session_key_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x14" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_ntlm_get_session_key_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x14") };
/* GSS_C_NT_NTLM - 1.2.752.43.13.21 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_nt_ntlm_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x15" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_nt_ntlm_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x15") };
/* GSS_C_NT_DN - 1.2.752.43.13.22 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_nt_dn_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x16" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_nt_dn_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x16") };
/* GSS_KRB5_NT_PRINCIPAL_NAME_REFERRAL - 1.2.752.43.13.23 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_nt_principal_name_referral_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x17" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_nt_principal_name_referral_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x17") };
/* GSS_C_NTLM_AVGUEST - 1.2.752.43.13.24 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_avguest_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x18" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_avguest_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x18") };
/* GSS_C_NTLM_V1 - 1.2.752.43.13.25 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_v1_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x19" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_v1_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x19") };
/* GSS_C_NTLM_V2 - 1.2.752.43.13.26 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_v2_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x1a" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_v2_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x1a") };
/* GSS_C_NTLM_SESSION_KEY - 1.2.752.43.13.27 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_session_key_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x1b" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_session_key_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x1b") };
/* GSS_C_NTLM_FORCE_V1 - 1.2.752.43.13.28 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_force_v1_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x1c" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_force_v1_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x1c") };
/* GSS_KRB5_CRED_NO_CI_FLAGS_X - 1.2.752.43.13.29 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_cred_no_ci_flags_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x1d" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_cred_no_ci_flags_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x1d") };
/* GSS_KRB5_IMPORT_CRED_X - 1.2.752.43.13.30 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_import_cred_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x1e" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_import_cred_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x1e") };
/* GSS_C_MA_SASL_MECH_NAME - 1.2.752.43.13.100 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_sasl_mech_name_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x64" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_sasl_mech_name_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x64") };
/* GSS_C_MA_MECH_NAME - 1.2.752.43.13.101 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_name_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x65" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_name_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x65") };
/* GSS_C_MA_MECH_DESCRIPTION - 1.2.752.43.13.102 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_description_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x66" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_description_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x66") };
/* GSS_C_CRED_PASSWORD - 1.2.752.43.13.200 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_cred_password_oid_desc = { 7, "\x2a\x85\x70\x2b\x0d\x81\x48" };
/* GSS_C_CRED_CERTIFICATE - 1.2.752.43.13.201 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_cred_certificate_oid_desc = { 7, "\x2a\x85\x70\x2b\x0d\x81\x49" };
/* GSS_SASL_DIGEST_MD5_MECHANISM - 1.2.752.43.14.1 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_sasl_digest_md5_mechanism_oid_desc = { 6, "\x2a\x85\x70\x2b\x0e\x01" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_sasl_digest_md5_mechanism_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0e\x01") };
/* GSS_NETLOGON_MECHANISM - 1.2.752.43.14.2 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_netlogon_mechanism_oid_desc = { 6, "\x2a\x85\x70\x2b\x0e\x02" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_netlogon_mechanism_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0e\x02") };
/* GSS_NETLOGON_SET_SESSION_KEY_X - 1.2.752.43.14.3 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_netlogon_set_session_key_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0e\x03" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_netlogon_set_session_key_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0e\x03") };
/* GSS_NETLOGON_SET_SIGN_ALGORITHM_X - 1.2.752.43.14.4 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_netlogon_set_sign_algorithm_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0e\x04" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_netlogon_set_sign_algorithm_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0e\x04") };
/* GSS_NETLOGON_NT_NETBIOS_DNS_NAME - 1.2.752.43.14.5 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_netlogon_nt_netbios_dns_name_oid_desc = { 6, "\x2a\x85\x70\x2b\x0e\x05" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_netlogon_nt_netbios_dns_name_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0e\x05") };
/* GSS_C_INQ_WIN2K_PAC_X - 1.2.752.43.13.3.128 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_inq_win2k_pac_x_oid_desc = { 8, "\x2a\x85\x70\x2b\x0d\x03\x81\x00" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_inq_win2k_pac_x_oid_desc = { 8, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x03\x81\x00") };
/* GSS_C_INQ_SSPI_SESSION_KEY - 1.2.840.113554.1.2.2.5.5 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_inq_sspi_session_key_oid_desc = { 11, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x05" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_inq_sspi_session_key_oid_desc = { 11, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x05") };
/* GSS_KRB5_MECHANISM - 1.2.840.113554.1.2.2 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_mechanism_oid_desc = { 9, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_mechanism_oid_desc = { 9, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02") };
/* GSS_NTLM_MECHANISM - 1.3.6.1.4.1.311.2.2.10 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_ntlm_mechanism_oid_desc = { 10, "\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_ntlm_mechanism_oid_desc = { 10, rk_UNCONST("\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a") };
/* GSS_SPNEGO_MECHANISM - 1.3.6.1.5.5.2 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_spnego_mechanism_oid_desc = { 6, "\x2b\x06\x01\x05\x05\x02" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_spnego_mechanism_oid_desc = { 6, rk_UNCONST("\x2b\x06\x01\x05\x05\x02") };
/* GSS_C_PEER_HAS_UPDATED_SPNEGO - 1.3.6.1.4.1.9513.19.5 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_peer_has_updated_spnego_oid_desc = { 9, "\x2b\x06\x01\x04\x01\xca\x29\x13\x05" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_peer_has_updated_spnego_oid_desc = { 9, rk_UNCONST("\x2b\x06\x01\x04\x01\xca\x29\x13\x05") };
/* GSS_C_MA_MECH_CONCRETE - 1.3.6.1.5.5.13.1 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_concrete_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x01" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_concrete_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x01") };
/* GSS_C_MA_MECH_PSEUDO - 1.3.6.1.5.5.13.2 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_pseudo_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x02" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_pseudo_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x02") };
/* GSS_C_MA_MECH_COMPOSITE - 1.3.6.1.5.5.13.3 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_composite_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x03" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_composite_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x03") };
/* GSS_C_MA_MECH_NEGO - 1.3.6.1.5.5.13.4 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_nego_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x04" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_nego_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x04") };
/* GSS_C_MA_MECH_GLUE - 1.3.6.1.5.5.13.5 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_glue_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x05" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_glue_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x05") };
/* GSS_C_MA_NOT_MECH - 1.3.6.1.5.5.13.6 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_not_mech_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x06" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_not_mech_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x06") };
/* GSS_C_MA_DEPRECATED - 1.3.6.1.5.5.13.7 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_deprecated_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x07" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_deprecated_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x07") };
/* GSS_C_MA_NOT_DFLT_MECH - 1.3.6.1.5.5.13.8 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_not_dflt_mech_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x08" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_not_dflt_mech_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x08") };
/* GSS_C_MA_ITOK_FRAMED - 1.3.6.1.5.5.13.9 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_itok_framed_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x09" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_itok_framed_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x09") };
/* GSS_C_MA_AUTH_INIT - 1.3.6.1.5.5.13.10 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_init_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x0a" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_init_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x0a") };
/* GSS_C_MA_AUTH_TARG - 1.3.6.1.5.5.13.11 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_targ_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x0b" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_targ_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x0b") };
/* GSS_C_MA_AUTH_INIT_INIT - 1.3.6.1.5.5.13.12 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_init_init_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x0c" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_init_init_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x0c") };
/* GSS_C_MA_AUTH_TARG_INIT - 1.3.6.1.5.5.13.13 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_targ_init_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x0d" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_targ_init_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x0d") };
/* GSS_C_MA_AUTH_INIT_ANON - 1.3.6.1.5.5.13.14 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_init_anon_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x0e" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_init_anon_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x0e") };
/* GSS_C_MA_AUTH_TARG_ANON - 1.3.6.1.5.5.13.15 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_targ_anon_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x0f" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_targ_anon_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x0f") };
/* GSS_C_MA_DELEG_CRED - 1.3.6.1.5.5.13.16 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_deleg_cred_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x10" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_deleg_cred_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x10") };
/* GSS_C_MA_INTEG_PROT - 1.3.6.1.5.5.13.17 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_integ_prot_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x11" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_integ_prot_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x11") };
/* GSS_C_MA_CONF_PROT - 1.3.6.1.5.5.13.18 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_conf_prot_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x12" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_conf_prot_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x12") };
/* GSS_C_MA_MIC - 1.3.6.1.5.5.13.19 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mic_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x13" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mic_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x13") };
/* GSS_C_MA_WRAP - 1.3.6.1.5.5.13.20 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_wrap_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x14" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_wrap_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x14") };
/* GSS_C_MA_PROT_READY - 1.3.6.1.5.5.13.21 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_prot_ready_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x15" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_prot_ready_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x15") };
/* GSS_C_MA_REPLAY_DET - 1.3.6.1.5.5.13.22 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_replay_det_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x16" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_replay_det_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x16") };
/* GSS_C_MA_OOS_DET - 1.3.6.1.5.5.13.23 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_oos_det_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x17" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_oos_det_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x17") };
/* GSS_C_MA_CBINDINGS - 1.3.6.1.5.5.13.24 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_cbindings_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x18" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_cbindings_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x18") };
/* GSS_C_MA_PFS - 1.3.6.1.5.5.13.25 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_pfs_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x19" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_pfs_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x19") };
/* GSS_C_MA_COMPRESS - 1.3.6.1.5.5.13.26 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_compress_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x1a" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_compress_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x1a") };
/* GSS_C_MA_CTX_TRANS - 1.3.6.1.5.5.13.27 */
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_ctx_trans_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x1b" };
gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_ctx_trans_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x1b") };
struct _gss_oid_name_table _gss_ont_ma[] = {
{ GSS_C_MA_COMPRESS, "GSS_C_MA_COMPRESS", "compress", "" },

2
source4/heimdal/lib/gssapi/mech/gss_oid_equal.c
View File

@ -43,7 +43,7 @@
*
* @return non-zero when both oid are the same OID, zero when they are
* not the same.
*
*
* @ingroup gssapi
*/

Some files were not shown because too many files have changed in this diff Show More