
r23456: Update Samba4 to current lorikeet-heimdal.

Andrew Bartlett
(This used to be commit ae0f81ab235c72cceb120bcdeb051a483cf3cc4f)
This commit is contained in:
Andrew Bartlett 2007-06-13 05:44:24 +00:00 committed by Gerald (Jerry) Carter
parent f7110d928a
commit 91adebe749
454 changed files with 8673 additions and 2973 deletions


@ -33,7 +33,7 @@
#include "kdc_locl.h"
RCSID("$Id: 524.c,v 1.40 2006/10/06 17:06:30 lha Exp $");
RCSID("$Id: 524.c 18270 2006-10-06 17:06:30Z lha $");
#include <krb5-v4compat.h>


@ -1,5 +1,5 @@
/*
* Copyright (c) 1997-2005 Kungliga Tekniska Högskolan
* Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
*
* All rights reserved.
@ -33,110 +33,61 @@
*/
#include "kdc_locl.h"
#include <getarg.h>
#include <parse_bytes.h>
int require_preauth = -1; /* 1 == require preauth for all principals */
RCSID("$Id: default_config.c 20532 2007-04-23 07:46:57Z lha $");
const char *trpolicy_str;
int disable_des = -1;
int enable_v4 = -1;
int enable_kaserver = -1;
int enable_524 = -1;
int enable_v4_cross_realm = -1;
int detach_from_console = -1;
char *v4_realm;
/*
* Setup some of the defaults for the KDC configuration.
*
* Note: Caller must also fill in:
* - db
* - num_db
* - logf
*
*/
void
krb5_kdc_default_config(krb5_kdc_configuration *config)
int
krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
{
memset(config, 0, sizeof(*config));
config->require_preauth = TRUE;
config->kdc_warn_pwexpire = 0;
config->encode_as_rep_as_tgs_rep = FALSE; /* bug compatibility */
config->check_ticket_addresses = TRUE;
config->allow_null_ticket_addresses = TRUE;
config->allow_anonymous = FALSE;
config->trpolicy = TRPOLICY_ALWAYS_CHECK;
config->enable_v4 = FALSE;
config->enable_kaserver = FALSE;
config->enable_524 = FALSE; /* overriden by enable_v4 in configure()) */
config->enable_v4_cross_realm = FALSE;
config->enable_pkinit = FALSE;
config->enable_pkinit_princ_in_cert = TRUE;
config->db = NULL;
config->num_db = 0;
config->logf = NULL;
}
krb5_kdc_configuration *c;
/*
* Setup some valudes for the KDC configuration, from the config file
*
* Note: Caller must also fill in:
* - db
* - num_db
* - logf
*
*/
void krb5_kdc_configure(krb5_context context, krb5_kdc_configuration *config)
{
const char *p;
if(require_preauth == -1) {
config->require_preauth = krb5_config_get_bool_default(context, NULL,
config->require_preauth,
"kdc",
"require-preauth", NULL);
} else {
config->require_preauth = require_preauth;
c = calloc(1, sizeof(*c));
if (c == NULL) {
krb5_set_error_string(context, "malloc: out of memory");
return ENOMEM;
}
if(enable_v4 == -1) {
config->enable_v4 = krb5_config_get_bool_default(context, NULL,
config->enable_v4,
"kdc",
"enable-kerberos4",
NULL);
} else {
config->enable_v4 = enable_v4;
}
c->require_preauth = TRUE;
c->kdc_warn_pwexpire = 0;
c->encode_as_rep_as_tgs_rep = FALSE;
c->check_ticket_addresses = TRUE;
c->allow_null_ticket_addresses = TRUE;
c->allow_anonymous = FALSE;
c->trpolicy = TRPOLICY_ALWAYS_CHECK;
c->enable_v4 = FALSE;
c->enable_kaserver = FALSE;
c->enable_524 = FALSE;
c->enable_v4_cross_realm = FALSE;
c->enable_pkinit = FALSE;
c->enable_pkinit_princ_in_cert = TRUE;
c->db = NULL;
c->num_db = 0;
c->logf = NULL;
if(enable_v4_cross_realm == -1) {
config->enable_v4_cross_realm =
krb5_config_get_bool_default(context, NULL,
config->enable_v4_cross_realm,
"kdc",
"enable-kerberos4-cross-realm",
NULL);
} else {
config->enable_v4_cross_realm = enable_v4_cross_realm;
}
if(enable_524 == -1) {
config->enable_524 = krb5_config_get_bool_default(context, NULL,
config->enable_v4,
"kdc", "enable-524",
NULL);
} else {
config->enable_524 = enable_524;
}
config->enable_digest =
c->require_preauth =
krb5_config_get_bool_default(context, NULL,
FALSE,
"kdc",
"enable-digest", NULL);
c->require_preauth,
"kdc", "require-preauth", NULL);
c->enable_v4 =
krb5_config_get_bool_default(context, NULL,
c->enable_v4,
"kdc", "enable-kerberos4", NULL);
c->enable_v4_cross_realm =
krb5_config_get_bool_default(context, NULL,
c->enable_v4_cross_realm,
"kdc",
"enable-kerberos4-cross-realm", NULL);
c->enable_524 =
krb5_config_get_bool_default(context, NULL,
c->enable_v4,
"kdc", "enable-524", NULL);
c->enable_digest =
krb5_config_get_bool_default(context, NULL,
FALSE,
"kdc", "enable-digest", NULL);
{
const char *digests;
@ -146,46 +97,57 @@ void krb5_kdc_configure(krb5_context context, krb5_kdc_configuration *config)
"digests_allowed", NULL);
if (digests == NULL)
digests = "ntlm-v2";
config->digests_allowed = parse_flags(digests,
_kdc_digestunits,
0);
if (config->digests_allowed == -1) {
kdc_log(context, config, 0,
c->digests_allowed = parse_flags(digests,_kdc_digestunits, 0);
if (c->digests_allowed == -1) {
kdc_log(context, c, 0,
"unparsable digest units (%s), turning off digest",
digests);
config->enable_digest = 0;
} else if (config->digests_allowed == 0) {
kdc_log(context, config, 0,
c->enable_digest = 0;
} else if (c->digests_allowed == 0) {
kdc_log(context, c, 0,
"no digest enable, turning digest off",
digests);
config->enable_digest = 0;
c->enable_digest = 0;
}
}
config->enable_kx509 =
c->enable_kx509 =
krb5_config_get_bool_default(context, NULL,
FALSE,
"kdc",
"enable-kx509", NULL);
"kdc", "enable-kx509", NULL);
config->check_ticket_addresses =
if (c->enable_kx509) {
c->kx509_template =
krb5_config_get_string(context, NULL,
"kdc", "kx509_template", NULL);
c->kx509_ca =
krb5_config_get_string(context, NULL,
"kdc", "kx509_ca", NULL);
if (c->kx509_ca == NULL || c->kx509_template == NULL) {
kdc_log(context, c, 0,
"missing kx509 configuration, turning off");
c->enable_kx509 = FALSE;
}
}
c->check_ticket_addresses =
krb5_config_get_bool_default(context, NULL,
config->check_ticket_addresses,
c->check_ticket_addresses,
"kdc",
"check-ticket-addresses", NULL);
config->allow_null_ticket_addresses =
c->allow_null_ticket_addresses =
krb5_config_get_bool_default(context, NULL,
config->allow_null_ticket_addresses,
c->allow_null_ticket_addresses,
"kdc",
"allow-null-ticket-addresses", NULL);
config->allow_anonymous =
c->allow_anonymous =
krb5_config_get_bool_default(context, NULL,
config->allow_anonymous,
c->allow_anonymous,
"kdc",
"allow-anonymous", NULL);
config->max_datagram_reply_length =
c->max_datagram_reply_length =
krb5_config_get_int_default(context,
NULL,
1400,
@ -193,178 +155,124 @@ void krb5_kdc_configure(krb5_context context, krb5_kdc_configuration *config)
"max-kdc-datagram-reply-length",
NULL);
trpolicy_str =
krb5_config_get_string_default(context, NULL, "DEFAULT", "kdc",
"transited-policy", NULL);
if(strcasecmp(trpolicy_str, "always-check") == 0) {
config->trpolicy = TRPOLICY_ALWAYS_CHECK;
} else if(strcasecmp(trpolicy_str, "allow-per-principal") == 0) {
config->trpolicy = TRPOLICY_ALLOW_PER_PRINCIPAL;
} else if(strcasecmp(trpolicy_str, "always-honour-request") == 0) {
config->trpolicy = TRPOLICY_ALWAYS_HONOUR_REQUEST;
} else if(strcasecmp(trpolicy_str, "DEFAULT") == 0) {
/* default */
} else {
kdc_log(context, config,
0, "unknown transited-policy: %s, reverting to default (always-check)",
trpolicy_str);
}
if (krb5_config_get_string(context, NULL, "kdc",
"enforce-transited-policy", NULL))
krb5_errx(context, 1, "enforce-transited-policy deprecated, "
"use [kdc]transited-policy instead");
{
const char *trpolicy_str;
if(v4_realm == NULL){
trpolicy_str =
krb5_config_get_string_default(context, NULL, "DEFAULT", "kdc",
"transited-policy", NULL);
if(strcasecmp(trpolicy_str, "always-check") == 0) {
c->trpolicy = TRPOLICY_ALWAYS_CHECK;
} else if(strcasecmp(trpolicy_str, "allow-per-principal") == 0) {
c->trpolicy = TRPOLICY_ALLOW_PER_PRINCIPAL;
} else if(strcasecmp(trpolicy_str, "always-honour-request") == 0) {
c->trpolicy = TRPOLICY_ALWAYS_HONOUR_REQUEST;
} else if(strcasecmp(trpolicy_str, "DEFAULT") == 0) {
/* default */
} else {
kdc_log(context, c, 0,
"unknown transited-policy: %s, "
"reverting to default (always-check)",
trpolicy_str);
}
}
{
const char *p;
p = krb5_config_get_string (context, NULL,
"kdc",
"v4-realm",
NULL);
if(p != NULL) {
config->v4_realm = strdup(p);
if (config->v4_realm == NULL)
c->v4_realm = strdup(p);
if (c->v4_realm == NULL)
krb5_errx(context, 1, "out of memory");
} else {
config->v4_realm = NULL;
c->v4_realm = NULL;
}
} else {
config->v4_realm = v4_realm;
}
if (enable_kaserver == -1) {
config->enable_kaserver =
krb5_config_get_bool_default(context,
NULL,
config->enable_kaserver,
"kdc",
"enable-kaserver",
NULL);
} else {
config->enable_kaserver = enable_kaserver;
}
config->encode_as_rep_as_tgs_rep =
krb5_config_get_bool_default(context, NULL,
config->encode_as_rep_as_tgs_rep,
"kdc",
"encode_as_rep_as_tgs_rep",
NULL);
config->kdc_warn_pwexpire =
krb5_config_get_time_default (context, NULL,
config->kdc_warn_pwexpire,
"kdc",
"kdc_warn_pwexpire",
NULL);
if(detach_from_console == -1)
detach_from_console = krb5_config_get_bool_default(context, NULL,
DETACH_IS_DEFAULT,
"kdc",
"detach", NULL);
#ifdef PKINIT
config->enable_pkinit =
c->enable_kaserver =
krb5_config_get_bool_default(context,
NULL,
config->enable_pkinit,
c->enable_kaserver,
"kdc", "enable-kaserver", NULL);
c->encode_as_rep_as_tgs_rep =
krb5_config_get_bool_default(context, NULL,
c->encode_as_rep_as_tgs_rep,
"kdc",
"encode_as_rep_as_tgs_rep", NULL);
c->kdc_warn_pwexpire =
krb5_config_get_time_default (context, NULL,
c->kdc_warn_pwexpire,
"kdc", "kdc_warn_pwexpire", NULL);
#ifdef PKINIT
c->enable_pkinit =
krb5_config_get_bool_default(context,
NULL,
c->enable_pkinit,
"kdc",
"enable-pkinit",
NULL);
if (config->enable_pkinit) {
if (c->enable_pkinit) {
const char *user_id, *anchors, *ocsp_file;
char **pool_list, **revoke_list;
user_id = krb5_config_get_string(context, NULL,
"kdc",
"pkinit_identity",
NULL);
user_id =
krb5_config_get_string(context, NULL,
"kdc", "pkinit_identity", NULL);
if (user_id == NULL)
krb5_errx(context, 1, "pkinit enabled but no identity");
anchors = krb5_config_get_string(context, NULL,
"kdc",
"pkinit_anchors",
NULL);
"kdc", "pkinit_anchors", NULL);
if (anchors == NULL)
krb5_errx(context, 1, "pkinit enabled but no X509 anchors");
pool_list = krb5_config_get_strings(context, NULL,
"kdc",
"pkinit_pool",
NULL);
pool_list =
krb5_config_get_strings(context, NULL,
"kdc", "pkinit_pool", NULL);
revoke_list = krb5_config_get_strings(context, NULL,
"kdc",
"pkinit_revoke",
NULL);
revoke_list =
krb5_config_get_strings(context, NULL,
"kdc", "pkinit_revoke", NULL);
ocsp_file =
krb5_config_get_string(context, NULL,
"kdc",
"pkinit_kdc_ocsp",
NULL);
"kdc", "pkinit_kdc_ocsp", NULL);
if (ocsp_file) {
config->pkinit_kdc_ocsp_file = strdup(ocsp_file);
if (config->pkinit_kdc_ocsp_file == NULL)
c->pkinit_kdc_ocsp_file = strdup(ocsp_file);
if (c->pkinit_kdc_ocsp_file == NULL)
krb5_errx(context, 1, "out of memory");
}
_kdc_pk_initialize(context, config, user_id, anchors,
_kdc_pk_initialize(context, c, user_id, anchors,
pool_list, revoke_list);
krb5_config_free_strings(pool_list);
krb5_config_free_strings(revoke_list);
config->enable_pkinit_princ_in_cert =
krb5_config_get_bool_default(context,
NULL,
config->enable_pkinit_princ_in_cert,
c->enable_pkinit_princ_in_cert =
krb5_config_get_bool_default(context, NULL,
c->enable_pkinit_princ_in_cert,
"kdc",
"pkinit_principal_in_certificate",
NULL);
}
config->pkinit_dh_min_bits =
krb5_config_get_int_default(context,
NULL,
c->pkinit_dh_min_bits =
krb5_config_get_int_default(context, NULL,
0,
"kdc",
"pkinit_dh_min_bits",
NULL);
"kdc", "pkinit_dh_min_bits", NULL);
#endif
if(config->v4_realm == NULL && (config->enable_kaserver || config->enable_v4)){
#ifdef KRB4
config->v4_realm = malloc(40); /* REALM_SZ */
if (config->v4_realm == NULL)
krb5_errx(context, 1, "out of memory");
krb_get_lrealm(config->v4_realm, 1);
#else
krb5_errx(context, 1, "No Kerberos 4 realm configured");
#endif
}
if(disable_des == -1)
disable_des = krb5_config_get_bool_default(context, NULL,
FALSE,
"kdc",
"disable-des", NULL);
if(disable_des) {
krb5_enctype_disable(context, ETYPE_DES_CBC_CRC);
krb5_enctype_disable(context, ETYPE_DES_CBC_MD4);
krb5_enctype_disable(context, ETYPE_DES_CBC_MD5);
krb5_enctype_disable(context, ETYPE_DES_CBC_NONE);
krb5_enctype_disable(context, ETYPE_DES_CFB64_NONE);
krb5_enctype_disable(context, ETYPE_DES_PCBC_NONE);
*config = c;
kdc_log(context, config,
0, "DES was disabled, turned off Kerberos V4, 524 "
"and kaserver");
config->enable_v4 = 0;
config->enable_524 = 0;
config->enable_kaserver = 0;
}
_kdc_windc_init(context);
return 0;
}
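Review bot: Out-of-memory handling in krb5_kdc_get_config is inconsistent: the `calloc` failure at the top returns ENOMEM through the new `int` return, but the `strdup` failures for `c->v4_realm` and `c->pkinit_kdc_ocsp_file` still call `krb5_errx(context, 1, "out of memory")` and terminate the process; change them to `krb5_set_error_string(context, "malloc: out of memory"); return ENOMEM;` after releasing what `c` already owns, so callers get one error model. The `enable-524` default is still seeded from `c->enable_v4` rather than `c->enable_524`, and the old `/* overriden by enable_v4 in configure()) */` comment that explained this was dropped from the initialiser; suggest `c->enable_524 = FALSE; /* default follows enable_v4, see the enable-524 lookup below */`. The old side's `disable-des` block, which turned off Kerberos 4, 524 and kaserver when DES was disabled, and the check that a v4 realm is configured when those are enabled have no counterpart in the new function; if that logic was not moved into the caller, the KDC can now start with V4 services enabled but no DES enctypes or v4 realm. The new function spans all three hunks and is complete within this section.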


@ -1,5 +1,5 @@
/*
* Copyright (c) 2006 Kungliga Tekniska Högskolan
* Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@ -34,8 +34,9 @@
#include "kdc_locl.h"
#include <hex.h>
RCSID("$Id: digest.c,v 1.19 2006/12/28 17:03:51 lha Exp $");
RCSID("$Id: digest.c 20877 2007-06-04 04:07:26Z lha $");
#define MS_CHAP_V2 0x20
#define CHAP_MD5 0x10
#define DIGEST_MD5 0x08
#define NTLM_V2 0x04
@ -43,6 +44,7 @@ RCSID("$Id: digest.c,v 1.19 2006/12/28 17:03:51 lha Exp $");
#define NTLM_V1 0x01
const struct units _kdc_digestunits[] = {
{"ms-chap-v2", 1U << 5},
{"chap-md5", 1U << 4},
{"digest-md5", 1U << 3},
{"ntlm-v2", 1U << 2},
@ -135,6 +137,25 @@ fill_targetinfo(krb5_context context,
}
static const unsigned char ms_chap_v2_magic1[39] = {
0x4D, 0x61, 0x67, 0x69, 0x63, 0x20, 0x73, 0x65, 0x72, 0x76,
0x65, 0x72, 0x20, 0x74, 0x6F, 0x20, 0x63, 0x6C, 0x69, 0x65,
0x6E, 0x74, 0x20, 0x73, 0x69, 0x67, 0x6E, 0x69, 0x6E, 0x67,
0x20, 0x63, 0x6F, 0x6E, 0x73, 0x74, 0x61, 0x6E, 0x74
};
static const unsigned char ms_chap_v2_magic2[41] = {
0x50, 0x61, 0x64, 0x20, 0x74, 0x6F, 0x20, 0x6D, 0x61, 0x6B,
0x65, 0x20, 0x69, 0x74, 0x20, 0x64, 0x6F, 0x20, 0x6D, 0x6F,
0x72, 0x65, 0x20, 0x74, 0x68, 0x61, 0x6E, 0x20, 0x6F, 0x6E,
0x65, 0x20, 0x69, 0x74, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6F,
0x6E
};
static const unsigned char ms_rfc3079_magic1[27] = {
0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x74,
0x68, 0x65, 0x20, 0x4d, 0x50, 0x50, 0x45, 0x20, 0x4d,
0x61, 0x73, 0x74, 0x65, 0x72, 0x20, 0x4b, 0x65, 0x79
};
/*
*
*/
@ -382,11 +403,6 @@ _kdc_do_digest(krb5_context context,
goto out;
}
ret = krb5_store_stringz(sp, *r.u.initReply.identifier);
if (ret) {
krb5_clear_error_string(context);
goto out;
}
} else
r.u.initReply.identifier = NULL;
@ -461,13 +477,7 @@ _kdc_do_digest(krb5_context context,
}
krb5_store_stringz(sp, ireq.u.digestRequest.serverNonce);
if (ireq.u.digestRequest.identifier) {
ret = krb5_store_stringz(sp, *ireq.u.digestRequest.identifier);
if (ret) {
krb5_clear_error_string(context);
goto out;
}
}
if (ireq.u.digestRequest.hostname) {
ret = krb5_store_stringz(sp, *ireq.u.digestRequest.hostname);
if (ret) {
@ -587,6 +597,7 @@ _kdc_do_digest(krb5_context context,
if (strcasecmp(ireq.u.digestRequest.type, "CHAP") == 0) {
MD5_CTX ctx;
unsigned char md[MD5_DIGEST_LENGTH];
char *mdx;
char id;
if ((config->digests_allowed & CHAP_MD5) == 0) {
@ -613,16 +624,30 @@ _kdc_do_digest(krb5_context context,
MD5_Update(&ctx, serverNonce.data, serverNonce.length);
MD5_Final(md, &ctx);
r.element = choice_DigestRepInner_response;
hex_encode(md, sizeof(md), &r.u.response.responseData);
if (r.u.response.responseData == NULL) {
hex_encode(md, sizeof(md), &mdx);
if (mdx == NULL) {
krb5_clear_error_string(context);
ret = ENOMEM;
goto out;
}
r.element = choice_DigestRepInner_response;
ret = strcasecmp(mdx, ireq.u.digestRequest.responseData);
free(mdx);
if (ret == 0) {
r.u.response.success = TRUE;
} else {
kdc_log(context, config, 0,
"CHAP reply mismatch for %s",
ireq.u.digestRequest.username);
r.u.response.success = FALSE;
}
} else if (strcasecmp(ireq.u.digestRequest.type, "SASL-DIGEST-MD5") == 0) {
MD5_CTX ctx;
unsigned char md[MD5_DIGEST_LENGTH];
char *mdx;
char *A1, *A2;
if ((config->digests_allowed & DIGEST_MD5) == 0) {
@ -709,21 +734,212 @@ _kdc_do_digest(krb5_context context,
MD5_Final(md, &ctx);
r.element = choice_DigestRepInner_response;
hex_encode(md, sizeof(md), &r.u.response.responseData);
free(A1);
free(A2);
if (r.u.response.responseData == NULL) {
krb5_set_error_string(context, "out of memory");
hex_encode(md, sizeof(md), &mdx);
if (mdx == NULL) {
krb5_clear_error_string(context);
ret = ENOMEM;
goto out;
}
r.element = choice_DigestRepInner_response;
ret = strcasecmp(mdx, ireq.u.digestRequest.responseData);
free(mdx);
if (ret == 0) {
r.u.response.success = TRUE;
} else {
kdc_log(context, config, 0,
"DIGEST-MD5 reply mismatch for %s",
ireq.u.digestRequest.username);
r.u.response.success = FALSE;
}
} else if (strcasecmp(ireq.u.digestRequest.type, "MS-CHAP-V2") == 0) {
unsigned char md[SHA_DIGEST_LENGTH], challange[SHA_DIGEST_LENGTH];
char *mdx;
const char *username;
struct ntlm_buf answer;
Key *key = NULL;
SHA_CTX ctx;
if ((config->digests_allowed & MS_CHAP_V2) == 0) {
kdc_log(context, config, 0, "MS-CHAP-V2 not allowed");
goto out;
}
if (ireq.u.digestRequest.clientNonce == NULL) {
krb5_set_error_string(context,
"MS-CHAP-V2 clientNonce missing");
ret = EINVAL;
goto out;
}
if (serverNonce.length != 16) {
krb5_set_error_string(context,
"MS-CHAP-V2 serverNonce wrong length");
ret = EINVAL;
goto out;
}
/* strip of the domain component */
username = strchr(ireq.u.digestRequest.username, '\\');
if (username == NULL)
username = ireq.u.digestRequest.username;
else
username++;
/* ChallangeHash */
SHA1_Init(&ctx);
{
ssize_t ssize;
krb5_data clientNonce;
clientNonce.length = strlen(*ireq.u.digestRequest.clientNonce);
clientNonce.data = malloc(clientNonce.length);
if (clientNonce.data == NULL) {
ret = ENOMEM;
krb5_set_error_string(context, "out of memory");
goto out;
}
ssize = hex_decode(*ireq.u.digestRequest.clientNonce,
clientNonce.data, clientNonce.length);
if (ssize != 16) {
krb5_set_error_string(context,
"Failed to decode clientNonce");
ret = ENOMEM;
goto out;
}
SHA1_Update(&ctx, clientNonce.data, ssize);
free(clientNonce.data);
}
SHA1_Update(&ctx, serverNonce.data, serverNonce.length);
SHA1_Update(&ctx, username, strlen(username));
SHA1_Final(challange, &ctx);
/* NtPasswordHash */
ret = krb5_parse_name(context, username, &clientprincipal);
if (ret)
goto out;
ret = _kdc_db_fetch(context, config, clientprincipal,
HDB_F_GET_CLIENT, NULL, &user);
krb5_free_principal(context, clientprincipal);
if (ret) {
krb5_set_error_string(context,
"MS-CHAP-V2 user %s not in database",
username);
goto out;
}
ret = hdb_enctype2key(context, &user->entry,
ETYPE_ARCFOUR_HMAC_MD5, &key);
if (ret) {
krb5_set_error_string(context,
"MS-CHAP-V2 missing arcfour key %s",
username);
goto out;
}
/* ChallengeResponse */
ret = heim_ntlm_calculate_ntlm1(key->key.keyvalue.data,
key->key.keyvalue.length,
challange, &answer);
if (ret) {
krb5_set_error_string(context, "NTLM missing arcfour key");
goto out;
}
hex_encode(answer.data, answer.length, &mdx);
if (mdx == NULL) {
free(answer.data);
krb5_clear_error_string(context);
ret = ENOMEM;
goto out;
}
r.element = choice_DigestRepInner_response;
ret = strcasecmp(mdx, ireq.u.digestRequest.responseData);
free(mdx);
if (ret == 0) {
r.u.response.success = TRUE;
} else {
kdc_log(context, config, 0,
"MS-CHAP-V2 reply mismatch for %s",
ireq.u.digestRequest.username);
r.u.response.success = FALSE;
}
if (r.u.response.success) {
unsigned char hashhash[MD4_DIGEST_LENGTH];
/* hashhash */
{
MD4_CTX hctx;
MD4_Init(&hctx);
MD4_Update(&hctx, key->key.keyvalue.data,
key->key.keyvalue.length);
MD4_Final(hashhash, &hctx);
}
/* GenerateAuthenticatorResponse */
SHA1_Init(&ctx);
SHA1_Update(&ctx, hashhash, sizeof(hashhash));
SHA1_Update(&ctx, answer.data, answer.length);
SHA1_Update(&ctx, ms_chap_v2_magic1,sizeof(ms_chap_v2_magic1));
SHA1_Final(md, &ctx);
SHA1_Init(&ctx);
SHA1_Update(&ctx, md, sizeof(md));
SHA1_Update(&ctx, challange, 8);
SHA1_Update(&ctx, ms_chap_v2_magic2, sizeof(ms_chap_v2_magic2));
SHA1_Final(md, &ctx);
r.u.response.rsp = calloc(1, sizeof(*r.u.response.rsp));
if (r.u.response.rsp == NULL) {
free(answer.data);
krb5_clear_error_string(context);
ret = ENOMEM;
goto out;
}
hex_encode(md, sizeof(md), r.u.response.rsp);
if (r.u.response.rsp == NULL) {
free(answer.data);
krb5_clear_error_string(context);
ret = ENOMEM;
goto out;
}
/* get_master, rfc 3079 3.4 */
SHA1_Init(&ctx);
SHA1_Update(&ctx, hashhash, 16); /* md4(hash) */
SHA1_Update(&ctx, answer.data, answer.length);
SHA1_Update(&ctx, ms_rfc3079_magic1, sizeof(ms_rfc3079_magic1));
SHA1_Final(md, &ctx);
free(answer.data);
r.u.response.session_key =
calloc(1, sizeof(*r.u.response.session_key));
if (r.u.response.session_key == NULL) {
krb5_clear_error_string(context);
ret = ENOMEM;
goto out;
}
ret = krb5_data_copy(r.u.response.session_key, md, 16);
if (ret) {
krb5_clear_error_string(context);
goto out;
}
}
} else {
r.element = choice_DigestRepInner_error;
asprintf(&r.u.error.reason, "unsupported digest type %s",
asprintf(&r.u.error.reason, "Unsupported digest type %s",
ireq.u.digestRequest.type);
if (r.u.error.reason == NULL) {
krb5_set_error_string(context, "out of memory");
@ -745,7 +961,6 @@ _kdc_do_digest(krb5_context context,
goto out;
}
r.element = choice_DigestRepInner_ntlmInitReply;
r.u.ntlmInitReply.flags = NTLM_NEG_UNICODE;
@ -766,12 +981,12 @@ _kdc_do_digest(krb5_context context,
NTLM_NEG_TARGET_DOMAIN |
NTLM_ENC_128;
#define ALL \
NTLM_NEG_SIGN| \
NTLM_NEG_SEAL| \
NTLM_NEG_ALWAYS_SIGN| \
NTLM_NEG_NTLM2_SESSION| \
NTLM_NEG_KEYEX
#define ALL \
NTLM_NEG_SIGN| \
NTLM_NEG_SEAL| \
NTLM_NEG_ALWAYS_SIGN| \
NTLM_NEG_NTLM2_SESSION| \
NTLM_NEG_KEYEX
r.u.ntlmInitReply.flags |= (ireq.u.ntlmInit.flags & (ALL));
@ -989,6 +1204,7 @@ _kdc_do_digest(krb5_context context,
if ((config->digests_allowed & NTLM_V1_SESSION) == 0) {
kdc_log(context, config, 0, "NTLM v1-session not allowed");
ret = EINVAL;
goto out;
}
@ -1048,6 +1264,7 @@ _kdc_do_digest(krb5_context context,
krb5_set_error_string(context,
"NTLM client failed to neg key "
"exchange but still sent key");
ret = EINVAL;
goto out;
}
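Review bot: In the MS-CHAP-V2 branch the `clientNonce` block leaks `clientNonce.data` when `hex_decode` does not yield 16 bytes, and reports that decode failure as `ENOMEM`; change the failure path to `free(clientNonce.data); ret = EINVAL; goto out;`. The NTLM answer buffer is freed only on the success path (`free(answer.data)` before the session-key derivation) and on the two allocation failures, so a reply mismatch, the `else` branch that logs "MS-CHAP-V2 reply mismatch", leaks `answer.data`; add `free(answer.data);` to that branch. After `r.u.response.rsp` is allocated and checked, `hex_encode(md, sizeof(md), r.u.response.rsp)` writes the encoded string through that pointer (the same way `&mdx` is used earlier in the function), so the following `if (r.u.response.rsp == NULL)` retests a pointer already known to be non-NULL and an allocation failure inside hex_encode goes unnoticed; it should read `if (*r.u.response.rsp == NULL)`. `_kdc_do_digest` starts and ends outside this hunk.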


@ -32,7 +32,7 @@
*/
/*
* $Id: headers.h,v 1.22 2007/01/04 00:15:34 lha Exp $
* $Id: headers.h 19658 2007-01-04 00:15:34Z lha $
*/
#ifndef __HEADERS_H__


@ -33,7 +33,7 @@
#include "kdc_locl.h"
RCSID("$Id: kaserver.c,v 1.36 2006/08/23 11:43:44 lha Exp $");
RCSID("$Id: kaserver.c 17904 2006-08-23 11:45:16Z lha $");
#include <krb5-v4compat.h>
#include <rx.h>


@ -149,9 +149,9 @@ _kdc_find_etype (
Key **/*ret_key*/,
krb5_enctype */*ret_etype*/);
PA_DATA*
const PA_DATA*
_kdc_find_padata (
KDC_REQ */*req*/,
const KDC_REQ */*req*/,
int */*start*/,
int /*type*/);
@ -249,8 +249,8 @@ krb5_error_code
_kdc_pk_rd_padata (
krb5_context /*context*/,
krb5_kdc_configuration */*config*/,
KDC_REQ */*req*/,
PA_DATA */*pa*/,
const KDC_REQ */*req*/,
const PA_DATA */*pa*/,
pk_client_params **/*ret_params*/);
krb5_error_code
@ -283,7 +283,4 @@ _kdc_windc_client_access (
struct hdb_entry_ex */*client*/,
KDC_REQ */*req*/);
krb5_error_code
_kdc_windc_init (krb5_context /*context*/);
#endif /* __kdc_private_h__ */


@ -37,8 +37,10 @@ kdc_openlog (
krb5_context /*context*/,
krb5_kdc_configuration */*config*/);
void
krb5_kdc_default_config (krb5_kdc_configuration */*config*/);
int
krb5_kdc_get_config (
krb5_context /*context*/,
krb5_kdc_configuration **/*config*/);
int
krb5_kdc_process_krb5_request (
@ -63,6 +65,21 @@ krb5_kdc_process_request (
struct sockaddr */*addr*/,
int /*datagram_reply*/);
int
krb5_kdc_save_request (
krb5_context /*context*/,
const char */*fn*/,
const unsigned char */*buf*/,
size_t /*len*/,
const krb5_data */*reply*/,
const struct sockaddr */*sa*/);
void
krb5_kdc_update_time (struct timeval */*tv*/);
krb5_error_code
krb5_kdc_windc_init (krb5_context /*context*/);
#ifdef __cplusplus
}
#endif


@ -35,7 +35,7 @@
*/
/*
* $Id: kdc.h,v 1.11 2006/12/28 21:06:56 lha Exp $
* $Id: kdc.h 19907 2007-01-14 23:10:24Z lha $
*/
#ifndef __KDC_H__
@ -86,6 +86,8 @@ typedef struct krb5_kdc_configuration {
size_t max_datagram_reply_length;
int enable_kx509;
const char *kx509_template;
const char *kx509_ca;
} krb5_kdc_configuration;
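Review bot: The two new `const char *` members carry no ownership comment; in the default_config.c hunk they are assigned straight from `krb5_config_get_string`, so they alias the context's configuration storage rather than being owned by the structure, and a reader of kdc.h cannot tell that they must not be freed with it. Suggest `/* kx509_template and kx509_ca point into the krb5_context configuration; not owned by this struct */` above `kx509_template`. The struct definition starts outside the hunk.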


@ -32,7 +32,7 @@
*/
/*
* $Id: kdc_locl.h,v 1.76 2006/12/26 17:18:14 lha Exp $
* $Id: kdc_locl.h 20954 2007-06-07 03:30:15Z lha $
*/
#ifndef __KDC_LOCL_H__
@ -46,6 +46,7 @@ typedef struct pk_client_params pk_client_params;
extern sig_atomic_t exit_flag;
extern size_t max_request;
extern const char *request_log;
extern const char *port_str;
extern krb5_addresses explicit_addresses;
@ -55,18 +56,6 @@ extern int enable_http;
extern int detach_from_console;
extern int require_preauth; /* 1 == require preauth for all principals */
extern const char *trpolicy_str;
extern int disable_des;
extern int enable_v4;
extern int enable_kaserver;
extern int enable_524;
extern int enable_v4_cross_realm;
extern char *v4_realm;
extern const struct units _kdc_digestunits[];
#define _PATH_KDC_CONF HDB_DB_DIR "/kdc.conf"
@ -81,6 +70,4 @@ loop(krb5_context context, krb5_kdc_configuration *config);
krb5_kdc_configuration *
configure(krb5_context context, int argc, char **argv);
void krb5_kdc_configure(krb5_context context, krb5_kdc_configuration *config);
#endif /* __KDC_LOCL_H__ */


@ -35,7 +35,7 @@
#include <krb5-v4compat.h>
RCSID("$Id: kerberos4.c,v 1.63 2006/10/08 13:43:27 lha Exp $");
RCSID("$Id: kerberos4.c 18349 2006-10-08 13:43:52Z lha $");
#ifndef swap32
static uint32_t


@ -1,5 +1,5 @@
/*
* Copyright (c) 1997-2006 Kungliga Tekniska Högskolan
* Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@ -33,7 +33,7 @@
#include "kdc_locl.h"
RCSID("$Id: kerberos5.c,v 1.231 2007/01/04 13:27:27 lha Exp $");
RCSID("$Id: kerberos5.c 21040 2007-06-10 06:20:59Z lha $");
#define MAX_TIME ((time_t)((1U << 31) - 1))
@ -70,9 +70,12 @@ set_salt_padata (METHOD_DATA *md, Salt *salt)
}
}
PA_DATA*
_kdc_find_padata(KDC_REQ *req, int *start, int type)
const PA_DATA*
_kdc_find_padata(const KDC_REQ *req, int *start, int type)
{
if (req->padata == NULL)
return NULL;
while(*start < req->padata->len){
(*start)++;
if(req->padata->val[*start - 1].padata_type == type)
@ -431,7 +434,8 @@ get_pa_etype_info(krb5_context context,
ret = krb5_unparse_name(context, client->principal, &name);
if (ret)
name = rk_UNCONST("<unparse_name failed>");
kdc_log(context, config, 0, "internal error in get_pa_etype_info(%s): %d != %d",
kdc_log(context, config, 0,
"internal error in get_pa_etype_info(%s): %d != %d",
name, n, pa.len);
if (ret == 0)
free(name);
@ -689,11 +693,11 @@ log_as_req(krb5_context context,
}
{
char _str[128];
char fixedstr[128];
unparse_flags(KDCOptions2int(b->kdc_options), asn1_KDCOptions_units(),
_str, sizeof(_str));
if(*_str)
kdc_log(context, config, 2, "Requested flags: %s", _str);
fixedstr, sizeof(fixedstr));
if(*fixedstr)
kdc_log(context, config, 2, "Requested flags: %s", fixedstr);
}
}
@ -870,7 +874,7 @@ send_pac_p(krb5_context context, KDC_REQ *req)
{
krb5_error_code ret;
PA_PAC_REQUEST pacreq;
PA_DATA *pa;
const PA_DATA *pa;
int i = 0;
pa = _kdc_find_padata(req, &i, KRB5_PADATA_PA_PAC_REQUEST);
@ -909,32 +913,37 @@ _kdc_as_rep(krb5_context context,
KDCOptions f = b->kdc_options;
hdb_entry_ex *client = NULL, *server = NULL;
krb5_enctype cetype, setype, sessionetype;
krb5_data e_data;
EncTicketPart et;
EncKDCRepPart ek;
krb5_principal client_princ = NULL, server_princ = NULL;
char *client_name = NULL, *server_name = NULL;
krb5_error_code ret = 0;
const char *e_text = NULL;
krb5_data e_data;
krb5_crypto crypto;
Key *ckey, *skey;
EncryptionKey *reply_key;
int flags = 0;
#ifdef PKINIT
pk_client_params *pkp = NULL;
#endif
memset(&rep, 0, sizeof(rep));
memset(&e_data, 0, sizeof(e_data));
krb5_data_zero(&e_data);
if (f.canonicalize)
flags |= HDB_F_CANON;
if(b->sname == NULL){
ret = KRB5KRB_ERR_GENERIC;
e_text = "No server in request";
} else{
_krb5_principalname2krb5_principal (context,
&server_princ,
*(b->sname),
b->realm);
ret = krb5_unparse_name(context, server_princ, &server_name);
ret = _krb5_principalname2krb5_principal (context,
&server_princ,
*(b->sname),
b->realm);
if (ret == 0)
ret = krb5_unparse_name(context, server_princ, &server_name);
}
if (ret) {
kdc_log(context, config, 0,
@ -946,10 +955,26 @@ _kdc_as_rep(krb5_context context,
ret = KRB5KRB_ERR_GENERIC;
e_text = "No client in request";
} else {
_krb5_principalname2krb5_principal (context,
&client_princ,
*(b->cname),
b->realm);
if (b->cname->name_type == KRB5_NT_ENTERPRISE_PRINCIPAL) {
if (b->cname->name_string.len != 1) {
kdc_log(context, config, 0,
"AS-REQ malformed canon request from %s", from);
ret = KRB5_PARSE_MALFORMED;
goto out;
}
ret = krb5_parse_name(context, b->cname->name_string.val[0],
&client_princ);
if (ret)
goto out;
} else {
ret = _krb5_principalname2krb5_principal (context,
&client_princ,
*(b->cname),
b->realm);
if (ret)
goto out;
}
ret = krb5_unparse_name(context, client_princ, &client_name);
}
if (ret) {
@ -962,7 +987,7 @@ _kdc_as_rep(krb5_context context,
client_name, from, server_name);
ret = _kdc_db_fetch(context, config, client_princ,
HDB_F_GET_CLIENT, NULL, &client);
HDB_F_GET_CLIENT | flags, NULL, &client);
if(ret){
kdc_log(context, config, 0, "UNKNOWN -- %s: %s", client_name,
krb5_get_err_text(context, ret));
@ -996,7 +1021,7 @@ _kdc_as_rep(krb5_context context,
if(req->padata){
int i;
PA_DATA *pa;
const PA_DATA *pa;
int found_pa = 0;
log_patypes(context, config, req->padata);
@ -1041,7 +1066,7 @@ _kdc_as_rep(krb5_context context,
kdc_log(context, config, 0, "%s", e_text);
pkp = NULL;
goto ts_enc;
goto out;
}
found_pa = 1;
et.flags.pre_authent = 1;
@ -1169,6 +1194,8 @@ _kdc_as_rep(krb5_context context,
(unsigned)abs(kdc_time - p.patimestamp),
context->max_skew,
client_name);
#if 1
/* This code is from samba, needs testing */
/*
* the following is needed to make windows clients
* to retry using the timestamp in the error message
@ -1177,6 +1204,9 @@ _kdc_as_rep(krb5_context context,
* is present...
*/
e_text = NULL;
#else
e_text = "Too large time skew";
#endif
goto out;
}
et.flags.pre_authent = 1;
@ -1227,6 +1257,12 @@ _kdc_as_rep(krb5_context context,
pa->padata_type = KRB5_PADATA_PK_AS_REQ;
pa->padata_value.length = 0;
pa->padata_value.data = NULL;
ret = realloc_method_data(&method_data);
pa = &method_data.val[method_data.len-1];
pa->padata_type = KRB5_PADATA_PK_AS_REQ_WIN;
pa->padata_value.length = 0;
pa->padata_value.data = NULL;
#endif
/*
@ -1253,12 +1289,12 @@ _kdc_as_rep(krb5_context context,
e_data.data = buf;
e_data.length = len;
e_text ="Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ",
ret = KRB5KDC_ERR_PREAUTH_REQUIRED;
kdc_log(context, config, 0,
"No preauth found, returning PREAUTH-REQUIRED -- %s",
client_name);
goto out;
}
@ -1283,45 +1319,57 @@ _kdc_as_rep(krb5_context context,
if(ret)
goto out;
/*
* Select a session enctype from the list of the crypto systems
* supported enctype, is supported by the client and is one of the
* enctype of the enctype of the krbtgt.
*
* The later is used as a hint what enctype all KDC are supporting
* to make sure a newer version of KDC wont generate a session
* enctype that and older version of a KDC in the same realm can't
* decrypt.
*
* But if the KDC admin is paranoid and doesn't want to have "no
* the best" enctypes on the krbtgt, lets save the best pick from
* the client list and hope that that will work for any other
* KDCs.
*/
{
const krb5_enctype *p;
int i, j, y;
krb5_enctype clientbest = ETYPE_NULL;
int i, j;
p = krb5_kerberos_enctypes(context);
sessionetype = ETYPE_NULL;
for (i = 0; p[i] != ETYPE_NULL && sessionetype == ETYPE_NULL; i++) {
/* check it's valid */
if (krb5_enctype_valid(context, p[i]) != 0)
continue;
/* check if the client supports it */
for (j = 0; j < b->etype.len && sessionetype == ETYPE_NULL; j++) {
if (p[i] == b->etype.val[j]) {
/*
* if the server (krbtgt) has explicit etypes,
* check if it also supports it
*/
if (server->entry.etypes) {
for (y = 0; y < server->entry.etypes->len; y++) {
if (p[i] == server->entry.etypes->val[y]) {
sessionetype = p[i];
break;
}
}
} else {
sessionetype = p[i];
break;
}
}
Key *dummy;
/* check with client */
if (p[i] != b->etype.val[j])
continue;
/* save best of union of { client, crypto system } */
if (clientbest == ETYPE_NULL)
clientbest = p[i];
/* check with krbtgt */
ret = hdb_enctype2key(context, &server->entry, p[i], &dummy);
if (ret)
continue;
sessionetype = p[i];
}
}
if (sessionetype == ETYPE_NULL) {
kdc_log(context, config, 0,
/* if krbtgt had no shared keys with client, pick clients best */
if (clientbest != ETYPE_NULL && sessionetype == ETYPE_NULL) {
sessionetype = clientbest;
} else if (sessionetype == ETYPE_NULL) {
kdc_log(context, config, 0,
"Client (%s) from %s has no common enctypes with KDC"
"to use for the session key",
client_name, from);
"to use for the session key",
client_name, from);
goto out;
}
}
@ -1534,6 +1582,58 @@ _kdc_as_rep(krb5_context context,
set_salt_padata (rep.padata, ckey->salt);
/* Add signing of alias referral */
if (f.canonicalize) {
PA_ClientCanonicalized canon;
krb5_data data;
PA_DATA pa;
krb5_crypto crypto;
size_t len;
memset(&canon, 0, sizeof(canon));
canon.names.requested_name = *b->cname;
canon.names.real_name = client->entry.principal->name;
ASN1_MALLOC_ENCODE(PA_ClientCanonicalizedNames, data.data, data.length,
&canon.names, &len, ret);
if (ret)
goto out;
if (data.length != len)
krb5_abortx(context, "internal asn.1 error");
/* sign using "returned session key" */
ret = krb5_crypto_init(context, &et.key, 0, &crypto);
if (ret) {
free(data.data);
goto out;
}
ret = krb5_create_checksum(context, crypto,
KRB5_KU_CANONICALIZED_NAMES, 0,
data.data, data.length,
&canon.canon_checksum);
free(data.data);
krb5_crypto_destroy(context, crypto);
if (ret)
goto out;
ASN1_MALLOC_ENCODE(PA_ClientCanonicalized, data.data, data.length,
&canon, &len, ret);
free_Checksum(&canon.canon_checksum);
if (ret)
goto out;
if (data.length != len)
krb5_abortx(context, "internal asn.1 error");
pa.padata_type = KRB5_PADATA_CLIENT_CANONICALIZED;
pa.padata_value = data;
ret = add_METHOD_DATA(rep.padata, &pa);
free(data.data);
if (ret)
goto out;
}
if (rep.padata->len == 0) {
free(rep.padata);
rep.padata = NULL;


@ -1,5 +1,5 @@
/*
* Copyright (c) 1997-2006 Kungliga Tekniska Högskolan
* Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@ -33,7 +33,7 @@
#include "kdc_locl.h"
RCSID("$Id: krb5tgs.c,v 1.25 2007/01/04 12:49:45 lha Exp $");
RCSID("$Id: krb5tgs.c 21041 2007-06-10 06:21:12Z lha $");
/*
* return the realm of a krbtgt-ticket or NULL
@ -656,7 +656,7 @@ tgs_make_reply(krb5_context context,
KDC_REQ_BODY *b,
krb5_const_principal tgt_name,
const EncTicketPart *tgt,
const EncryptionKey *ekey,
const EncryptionKey *serverkey,
const krb5_keyblock *sessionkey,
krb5_kvno kvno,
AuthorizationData *auth_data,
@ -883,7 +883,7 @@ tgs_make_reply(krb5_context context,
ret = _kdc_encode_reply(context, config,
&rep, &et, &ek, et.key.keytype,
kvno,
ekey, 0, &tgt->key, e_text, reply);
serverkey, 0, &tgt->key, e_text, reply);
out:
free_TGS_REP(&rep);
free_TransitedEncoding(&et.transited);
@ -1010,7 +1010,7 @@ static krb5_error_code
tgs_parse_request(krb5_context context,
krb5_kdc_configuration *config,
KDC_REQ_BODY *b,
PA_DATA *tgs_req,
const PA_DATA *tgs_req,
hdb_entry_ex **krbtgt,
krb5_enctype *krbtgt_etype,
krb5_ticket **ticket,
@ -1258,6 +1258,7 @@ tgs_build_reply(krb5_context context,
krb5_keyblock sessionkey;
krb5_kvno kvno;
krb5_data rspac;
int cross_realm = 0;
PrincipalName *s;
Realm r;
@ -1421,6 +1422,8 @@ server_lookup:
kdc_log(context, config, 1, "Client not found in database: %s: %s",
cpn, krb5_get_err_text(context, ret));
cross_realm = 1;
}
/*
@ -1707,21 +1710,25 @@ server_lookup:
/* check PAC if there is one */
{
Key *tkey;
krb5_keyblock *tgtkey = NULL;
ret = hdb_enctype2key(context, &krbtgt->entry,
krbtgt_etype, &tkey);
if(ret) {
kdc_log(context, config, 0,
"Failed to find key for krbtgt PAC check");
goto out;
if (!cross_realm) {
ret = hdb_enctype2key(context, &krbtgt->entry,
krbtgt_etype, &tkey);
if(ret) {
kdc_log(context, config, 0,
"Failed to find key for krbtgt PAC check");
goto out;
}
tgtkey = &tkey->key;
}
ret = check_PAC(context, config, client_principal,
client, server, ekey, &tkey->key,
client, server, ekey, tgtkey,
tgt, &rspac, &require_signedpath);
if (ret) {
kdc_log(context, config, 0,
"check_PAC check failed for %s (%s) from %s with %s",
"Verify PAC failed for %s (%s) from %s with %s",
spn, cpn, from, krb5_get_err_text(context, ret));
goto out;
}
@ -1804,7 +1811,7 @@ _kdc_tgs_rep(krb5_context context,
AuthorizationData *auth_data = NULL;
krb5_error_code ret;
int i = 0;
PA_DATA *tgs_req = NULL;
const PA_DATA *tgs_req;
hdb_entry_ex *krbtgt = NULL;
krb5_ticket *ticket = NULL;
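Review bot: Setting `cross_realm = 1` after the "Client not found in database" log in the tgs_build_reply hunk means the later PAC-check hunk passes `tgtkey = NULL` to check_PAC whenever the client lookup fails, not only when the client really belongs to another realm; what check_PAC does with a NULL krbtgt key is outside this hunk, but if it skips the krbtgt signature verification, a lookup failure for a local principal would skip it too. If the surrounding condition already establishes that the client realm differs from the krbtgt realm, a comment at that line would make it clear, e.g. `/* client is foreign: this realm's krbtgt did not sign the PAC */`; otherwise the flag should be derived from comparing the two realms rather than from the failed lookup. The enclosing function tgs_build_reply starts and ends outside the hunk.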


@ -1,5 +1,5 @@
/*
* Copyright (c) 2006 Kungliga Tekniska Högskolan
* Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@ -33,8 +33,10 @@
#include "kdc_locl.h"
#include <hex.h>
#include <rfc2459_asn1.h>
#include <hx509.h>
RCSID("$Id: kx509.c,v 1.1 2006/12/28 21:03:53 lha Exp $");
RCSID("$Id: kx509.c 19992 2007-01-20 09:06:18Z lha $");
/*
*
@ -140,72 +142,146 @@ build_certificate(krb5_context context,
krb5_principal principal,
krb5_data *certificate)
{
/* XXX write code here to generate certificates */
FILE *in, *out;
krb5_error_code ret;
const char *program;
char *str, *strkey;
char tstr[64];
pid_t pid;
hx509_context hxctx = NULL;
hx509_ca_tbs tbs = NULL;
hx509_env env = NULL;
hx509_cert cert = NULL;
hx509_cert signer = NULL;
int ret;
snprintf(tstr, sizeof(tstr), "%lu", (unsigned long)endtime);
ret = base64_encode(key->data, key->length, &strkey);
if (ret < 0) {
krb5_set_error_string(context, "failed to base64 encode key");
return ENOMEM;
if (krb5_principal_get_comp_string(context, principal, 1) != NULL) {
kdc_log(context, config, 0, "Principal is not a user");
return EINVAL;
}
program = krb5_config_get_string(context,
NULL,
"kdc",
"kx509_cert_program",
NULL);
if (program == NULL) {
free(strkey);
krb5_set_error_string(context, "no certificate program configured");
return ENOENT;
}
ret = hx509_context_init(&hxctx);
if (ret)
goto out;
ret = krb5_unparse_name(context, principal, &str);
if (ret) {
free(strkey);
return ret;
}
ret = hx509_env_init(hxctx, &env);
if (ret)
goto out;
pid = pipe_execv(&in, &out, NULL, program, str, tstr, NULL);
free(str);
if (pid <= 0) {
free(strkey);
krb5_set_error_string(context,
"Failed to run the cert program %s",
program);
return ret;
}
fprintf(in, "%s\n", strkey);
fclose(in);
free(strkey);
ret = hx509_env_add(hxctx, env, "principal-name",
krb5_principal_get_comp_string(context, principal, 0));
if (ret)
goto out;
{
unsigned buf[1024 * 10];
size_t len;
hx509_certs certs;
hx509_query *q;
len = fread(buf, 1, sizeof(buf), out);
fclose(out);
if(len == 0) {
krb5_set_error_string(context,
"Certificate program returned no data");
return KRB5KDC_ERR_PREAUTH_FAILED;
}
ret = krb5_data_copy(certificate, buf, len);
ret = hx509_certs_init(hxctx, config->kx509_ca, 0,
NULL, &certs);
if (ret) {
krb5_set_error_string(context, "Failed To copy certificate");
return ret;
kdc_log(context, config, 0, "Failed to load CA %s",
config->kx509_ca);
goto out;
}
ret = hx509_query_alloc(hxctx, &q);
if (ret) {
hx509_certs_free(&certs);
goto out;
}
hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
hx509_query_match_option(q, HX509_QUERY_OPTION_KU_KEYCERTSIGN);
ret = hx509_certs_find(hxctx, certs, q, &signer);
hx509_query_free(hxctx, q);
hx509_certs_free(&certs);
if (ret) {
kdc_log(context, config, 0, "Failed to find a CA in %s",
config->kx509_ca);
goto out;
}
}
kill(pid, SIGKILL);
waitpid(pid, NULL, 0);
ret = hx509_ca_tbs_init(hxctx, &tbs);
if (ret)
goto out;
{
SubjectPublicKeyInfo spki;
heim_any any;
memset(&spki, 0, sizeof(spki));
spki.subjectPublicKey.data = key->data;
spki.subjectPublicKey.length = key->length * 8;
ret = der_copy_oid(oid_id_pkcs1_rsaEncryption(),
&spki.algorithm.algorithm);
any.data = "\x05\x00";
any.length = 2;
spki.algorithm.parameters = &any;
ret = hx509_ca_tbs_set_spki(hxctx, tbs, &spki);
der_free_oid(&spki.algorithm.algorithm);
if (ret)
goto out;
}
{
hx509_certs certs;
hx509_cert template;
ret = hx509_certs_init(hxctx, config->kx509_template, 0,
NULL, &certs);
if (ret) {
kdc_log(context, config, 0, "Failed to load template %s",
config->kx509_template);
goto out;
}
ret = hx509_get_one_cert(hxctx, certs, &template);
hx509_certs_free(&certs);
if (ret) {
kdc_log(context, config, 0, "Failed to find template in %s",
config->kx509_template);
goto out;
}
ret = hx509_ca_tbs_set_template(hxctx, tbs,
HX509_CA_TEMPLATE_SUBJECT|
HX509_CA_TEMPLATE_KU|
HX509_CA_TEMPLATE_EKU,
template);
hx509_cert_free(template);
if (ret)
goto out;
}
hx509_ca_tbs_set_notAfter(hxctx, tbs, endtime);
hx509_ca_tbs_subject_expand(hxctx, tbs, env);
hx509_env_free(&env);
ret = hx509_ca_sign(hxctx, tbs, signer, &cert);
hx509_cert_free(signer);
if (ret)
goto out;
hx509_ca_tbs_free(&tbs);
ret = hx509_cert_binary(hxctx, cert, certificate);
hx509_cert_free(cert);
if (ret)
goto out;
hx509_context_free(&hxctx);
return 0;
out:
if (env)
hx509_env_free(&env);
if (tbs)
hx509_ca_tbs_free(&tbs);
if (signer)
hx509_cert_free(signer);
if (hxctx)
hx509_context_free(&hxctx);
krb5_set_error_string(context, "cert creation failed");
return ret;
}
/*
@ -299,6 +375,20 @@ _kdc_do_kx509(krb5_context context,
if (ret)
goto out;
/* Verify that the key is encoded RSA key */
{
RSAPublicKey key;
size_t size;
ret = decode_RSAPublicKey(req->pk_key.data, req->pk_key.length,
&key, &size);
if (ret)
goto out;
free_RSAPublicKey(&key);
if (size != req->pk_key.length)
;
}
ALLOC(rep.certificate);
if (rep.certificate == NULL)
goto out;
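Review bot: `hx509_cert_free(signer)` directly after `hx509_ca_sign` leaves `signer` non-NULL, so when `hx509_ca_sign` fails the `goto out` path frees it a second time at `if (signer) hx509_cert_free(signer);`; either set the pointer after freeing, `hx509_cert_free(signer); signer = NULL;`, or move the free below the error check. The cleanup at `out:` relies on `hx509_env_free(&env)` and `hx509_ca_tbs_free(&tbs)` resetting their argument after the success-path frees, which I cannot confirm from the hunk; a comment on those calls would help. In `_kdc_do_kx509` the trailing-data check `if (size != req->pk_key.length) ;` is an empty statement, so a pk_key blob with extra bytes after the RSAPublicKey is accepted; it presumably should set `ret` to an error and `goto out` like the decode failure just above it (the function continues outside the hunk).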


@ -32,7 +32,7 @@
*/
#include "kdc_locl.h"
RCSID("$Id: log.c,v 1.16 2005/06/30 01:52:48 lha Exp $");
RCSID("$Id: log.c 15532 2005-06-30 01:54:49Z lha $");
void
kdc_openlog(krb5_context context,


@ -33,7 +33,7 @@
#include "kdc_locl.h"
RCSID("$Id: misc.c,v 1.32 2006/08/28 14:41:49 lha Exp $");
RCSID("$Id: misc.c 17951 2006-08-28 14:41:49Z lha $");
struct timeval _kdc_now;


@ -33,7 +33,7 @@
#include "kdc_locl.h"
RCSID("$Id: pkinit.c,v 1.86 2007/01/04 12:54:09 lha Exp $");
RCSID("$Id: pkinit.c 21039 2007-06-10 06:20:31Z lha $");
#ifdef PKINIT
@ -97,7 +97,7 @@ static struct {
static krb5_error_code
pk_check_pkauthenticator_win2k(krb5_context context,
PKAuthenticator_Win2k *a,
KDC_REQ *req)
const KDC_REQ *req)
{
krb5_timestamp now;
@ -114,7 +114,7 @@ pk_check_pkauthenticator_win2k(krb5_context context,
static krb5_error_code
pk_check_pkauthenticator(krb5_context context,
PKAuthenticator *a,
KDC_REQ *req)
const KDC_REQ *req)
{
u_char *buf = NULL;
size_t buf_size;
@ -365,8 +365,8 @@ get_dh_param(krb5_context context,
krb5_error_code
_kdc_pk_rd_padata(krb5_context context,
krb5_kdc_configuration *config,
KDC_REQ *req,
PA_DATA *pa,
const KDC_REQ *req,
const PA_DATA *pa,
pk_client_params **ret_params)
{
pk_client_params *client_params;
@ -375,7 +375,6 @@ _kdc_pk_rd_padata(krb5_context context,
krb5_data eContent = { 0, NULL };
krb5_data signed_content = { 0, NULL };
const char *type = "unknown type";
const heim_oid *pa_contentType;
int have_data = 0;
*ret_params = NULL;
@ -385,6 +384,8 @@ _kdc_pk_rd_padata(krb5_context context,
return 0;
}
hx509_verify_set_time(kdc_identity->verify_ctx, _kdc_now.tv_sec);
client_params = calloc(1, sizeof(*client_params));
if (client_params == NULL) {
krb5_clear_error_string(context);
@ -396,7 +397,6 @@ _kdc_pk_rd_padata(krb5_context context,
PA_PK_AS_REQ_Win2k r;
type = "PK-INIT-Win2k";
pa_contentType = oid_id_pkcs7_data();
ret = decode_PA_PK_AS_REQ_Win2k(pa->padata_value.data,
pa->padata_value.length,
@ -422,7 +422,6 @@ _kdc_pk_rd_padata(krb5_context context,
PA_PK_AS_REQ r;
type = "PK-INIT-IETF";
pa_contentType = oid_id_pkauthdata();
ret = decode_PA_PK_AS_REQ(pa->padata_value.data,
pa->padata_value.length,
@ -467,7 +466,7 @@ _kdc_pk_rd_padata(krb5_context context,
edi->val[i].issuerAndSerialNumber->length,
&iasn,
&size);
if (ret || size != 0) {
if (ret) {
hx509_query_free(kdc_identity->hx509ctx, q);
continue;
}
@ -527,6 +526,7 @@ _kdc_pk_rd_padata(krb5_context context,
kdc_identity->verify_ctx,
signed_content.data,
signed_content.length,
NULL,
kdc_identity->certpool,
&eContentType,
&eContent,
@ -547,7 +547,9 @@ _kdc_pk_rd_padata(krb5_context context,
}
/* Signature is correct, now verify the signed message */
if (der_heim_oid_cmp(&eContentType, pa_contentType)) {
if (der_heim_oid_cmp(&eContentType, oid_id_pkcs7_data()) != 0 &&
der_heim_oid_cmp(&eContentType, oid_id_pkauthdata()) != 0)
{
krb5_set_error_string(context, "got wrong oid for pkauthdata");
ret = KRB5_BADMSGTYPE;
goto out;
@ -639,6 +641,8 @@ _kdc_pk_rd_padata(krb5_context context,
kdc_log(context, config, 0, "PK-INIT request of type %s", type);
out:
if (ret)
krb5_warn(context, ret, "PKINIT");
if (signed_content.data)
free(signed_content.data);
@ -678,18 +682,41 @@ pk_mk_pa_reply_enckey(krb5_context context,
krb5_keyblock *reply_key,
ContentInfo *content_info)
{
const heim_oid *envelopedAlg = NULL, *sdAlg = NULL;
krb5_error_code ret;
krb5_data buf, signed_data;
size_t size;
int do_win2k = 0;
krb5_data_zero(&buf);
krb5_data_zero(&signed_data);
/*
* If the message client is a win2k-type but it send pa data
* 09-binding it expects a IETF (checksum) reply so there can be
* no replay attacks.
*/
switch (client_params->type) {
case PKINIT_COMPAT_WIN2K: {
int i = 0;
if (_kdc_find_padata(req, &i, KRB5_PADATA_PK_AS_09_BINDING) == NULL)
do_win2k = 1;
break;
}
case PKINIT_COMPAT_27:
break;
default:
krb5_abortx(context, "internal pkinit error");
}
if (do_win2k) {
ReplyKeyPack_Win2k kp;
memset(&kp, 0, sizeof(kp));
envelopedAlg = oid_id_rsadsi_des_ede3_cbc();
sdAlg = oid_id_pkcs7_data();
ret = copy_EncryptionKey(reply_key, &kp.replyKey);
if (ret) {
krb5_clear_error_string(context);
@ -701,13 +728,13 @@ pk_mk_pa_reply_enckey(krb5_context context,
buf.data, buf.length,
&kp, &size,ret);
free_ReplyKeyPack_Win2k(&kp);
break;
}
case PKINIT_COMPAT_27: {
} else {
krb5_crypto ascrypto;
ReplyKeyPack kp;
memset(&kp, 0, sizeof(kp));
sdAlg = oid_id_pkrkeydata();
ret = copy_EncryptionKey(reply_key, &kp.replyKey);
if (ret) {
krb5_clear_error_string(context);
@ -735,10 +762,6 @@ pk_mk_pa_reply_enckey(krb5_context context,
}
ASN1_MALLOC_ENCODE(ReplyKeyPack, buf.data, buf.length, &kp, &size,ret);
free_ReplyKeyPack(&kp);
break;
}
default:
krb5_abortx(context, "internal pkinit error");
}
if (ret) {
krb5_set_error_string(context, "ASN.1 encoding of ReplyKeyPack "
@ -768,7 +791,8 @@ pk_mk_pa_reply_enckey(krb5_context context,
goto out;
ret = hx509_cms_create_signed_1(kdc_identity->hx509ctx,
oid_id_pkrkeydata(),
0,
sdAlg,
buf.data,
buf.length,
NULL,
@ -784,9 +808,21 @@ pk_mk_pa_reply_enckey(krb5_context context,
if (ret)
goto out;
if (client_params->type == PKINIT_COMPAT_WIN2K) {
ret = hx509_cms_wrap_ContentInfo(oid_id_pkcs7_signedData(),
&signed_data,
&buf);
if (ret)
goto out;
krb5_data_free(&signed_data);
signed_data = buf;
}
ret = hx509_cms_envelope_1(kdc_identity->hx509ctx,
0,
client_params->cert,
signed_data.data, signed_data.length, NULL,
signed_data.data, signed_data.length,
envelopedAlg,
oid_id_pkcs7_signedData(), &buf);
if (ret)
goto out;
@ -881,6 +917,7 @@ pk_mk_pa_reply_dh(krb5_context context,
goto out;
ret = hx509_cms_create_signed_1(kdc_identity->hx509ctx,
0,
oid_id_pkdhkeydata(),
buf.data,
buf.length,
@ -1125,6 +1162,7 @@ _kdc_pk_mk_pa_reply(krb5_context context,
krb5_data_free(&ocsp.data);
ocsp.expire = 0;
ocsp.next_update = kdc_time + 60 * 5;
fd = open(config->pkinit_kdc_ocsp_file, O_RDONLY);
if (fd < 0) {
@ -1168,11 +1206,13 @@ _kdc_pk_mk_pa_reply(krb5_context context,
"PK-INIT failed to verify ocsp data %d", ret);
krb5_data_free(&ocsp.data);
ocsp.expire = 0;
} else if (ocsp.expire > 180)
} else if (ocsp.expire > 180) {
ocsp.expire -= 180; /* refetch the ocsp before it expire */
ocsp.next_update = ocsp.expire;
} else {
ocsp.next_update = kdc_time;
}
out_ocsp:
ocsp.next_update = kdc_time + 3600;
ret = 0;
}
@ -1199,10 +1239,10 @@ out:
}
static int
pk_principal_from_X509(krb5_context context,
krb5_kdc_configuration *config,
hx509_cert client_cert,
krb5_const_principal match)
match_rfc_san(krb5_context context,
krb5_kdc_configuration *config,
hx509_cert client_cert,
krb5_const_principal match)
{
hx509_octet_string_list list;
int ret, i, found = 0;
@ -1254,6 +1294,68 @@ out:
return 0;
}
static int
match_ms_upn_san(krb5_context context,
krb5_kdc_configuration *config,
hx509_cert client_cert,
krb5_const_principal match)
{
hx509_octet_string_list list;
krb5_principal principal = NULL;
int ret, found = 0;
MS_UPN_SAN upn;
size_t size;
memset(&list, 0 , sizeof(list));
ret = hx509_cert_find_subjectAltName_otherName(client_cert,
oid_id_pkinit_ms_san(),
&list);
if (ret)
goto out;
if (list.len != 1) {
kdc_log(context, config, 0,
"More then one PK-INIT MS UPN SAN");
goto out;
}
ret = decode_MS_UPN_SAN(list.val[0].data, list.val[0].length, &upn, &size);
if (ret) {
kdc_log(context, config, 0, "Decode of MS-UPN-SAN failed");
goto out;
}
kdc_log(context, config, 0, "found MS UPN SAN: %s", upn);
ret = krb5_parse_name(context, upn, &principal);
free_MS_UPN_SAN(&upn);
if (ret) {
kdc_log(context, config, 0, "Failed to parse principal in MS UPN SAN");
goto out;
}
/*
* This is very wrong, but will do for now, should really and a
* plugin to the windc layer to very this ACL.
*/
strupr(principal->realm);
if (krb5_principal_compare(context, principal, match) == TRUE)
found = 1;
out:
if (principal)
krb5_free_principal(context, principal);
hx509_free_octet_string_list(&list);
if (ret)
return ret;
if (!found)
return KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
return 0;
}
krb5_error_code
_kdc_pk_check_client(krb5_context context,
@ -1283,14 +1385,22 @@ _kdc_pk_check_client(krb5_context context,
*subject_name);
if (config->enable_pkinit_princ_in_cert) {
ret = pk_principal_from_X509(context, config,
client_params->cert,
client->entry.principal);
ret = match_rfc_san(context, config,
client_params->cert,
client->entry.principal);
if (ret == 0) {
kdc_log(context, config, 5,
"Found matching PK-INIT SAN in certificate");
return 0;
}
ret = match_ms_upn_san(context, config,
client_params->cert,
client->entry.principal);
if (ret == 0) {
kdc_log(context, config, 5,
"Found matching MS UPN SAN in certificate");
return 0;
}
}
ret = hdb_entry_get_pkinit_acl(&client->entry, &acl);
@ -1330,10 +1440,17 @@ _kdc_pk_check_client(krb5_context context,
return 0;
}
krb5_set_error_string(context,
"PKINIT no matching principals for %s",
*subject_name);
kdc_log(context, config, 5,
"PKINIT no matching principals for %s",
*subject_name);
free(*subject_name);
*subject_name = NULL;
krb5_set_error_string(context, "PKINIT no matching principals");
return KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
}
@ -1396,7 +1513,56 @@ _kdc_add_inital_verified_cas(krb5_context context,
return ret;
}
/*
*
*/
static void
load_mappings(krb5_context context, const char *fn)
{
krb5_error_code ret;
char buf[1024];
unsigned long lineno = 0;
FILE *f;
f = fopen(fn, "r");
if (f == NULL)
return;
while (fgets(buf, sizeof(buf), f) != NULL) {
char *subject_name, *p;
buf[strcspn(buf, "\n")] = '\0';
lineno++;
p = buf + strspn(buf, " \t");
if (*p == '#' || *p == '\0')
continue;
subject_name = strchr(p, ':');
if (subject_name == NULL) {
krb5_warnx(context, "pkinit mapping file line %lu "
"missing \":\" :%s",
lineno, buf);
continue;
}
*subject_name++ = '\0';
ret = add_principal_mapping(context, p, subject_name);
if (ret) {
krb5_warn(context, ret, "failed to add line %lu \":\" :%s\n",
lineno, buf);
continue;
}
}
fclose(f);
}
/*
*
*/
krb5_error_code
_kdc_pk_initialize(krb5_context context,
@ -1408,9 +1574,6 @@ _kdc_pk_initialize(krb5_context context,
{
const char *file;
krb5_error_code ret;
char buf[1024];
unsigned long lineno = 0;
FILE *f;
file = krb5_config_get_string(context, NULL,
"libdefaults", "moduli", NULL);
@ -1481,41 +1644,8 @@ _kdc_pk_initialize(krb5_context context,
"kdc",
"pkinit_mappings_file",
NULL);
f = fopen(file, "r");
if (f == NULL) {
krb5_warnx(context, "PKINIT: failed to load mappings file %s", file);
return 0;
}
while (fgets(buf, sizeof(buf), f) != NULL) {
char *subject_name, *p;
buf[strcspn(buf, "\n")] = '\0';
lineno++;
p = buf + strspn(buf, " \t");
if (*p == '#' || *p == '\0')
continue;
subject_name = strchr(p, ':');
if (subject_name == NULL) {
krb5_warnx(context, "pkinit mapping file line %lu "
"missing \":\" :%s",
lineno, buf);
continue;
}
*subject_name++ = '\0';
ret = add_principal_mapping(context, p, subject_name);
if (ret) {
krb5_warn(context, ret, "failed to add line %lu \":\" :%s\n",
lineno, buf);
continue;
}
}
fclose(f);
load_mappings(context, file);
return 0;
}
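Review bot: The eContentType check in `_kdc_pk_rd_padata` now accepts either id-pkcs7-data or id-pkauthdata for every request, where the removed `pa_contentType` tied the expected OID to the request type (pkcs7-data for PK-INIT-Win2k, pkauthdata for PK-INIT-IETF); if this is a deliberate accommodation of clients that label the content with the other OID, a comment on that `if` saying so would stop the next reader from tightening it back, and if not, the per-type check should stay. In `match_ms_upn_san`, `if (list.len != 1)` also catches `list.len == 0`, the ordinary case of a certificate without an MS UPN SAN, and logs "More then one PK-INIT MS UPN SAN" at level 0 for it; put `if (list.len == 0) goto out;` before the existing test so only a real duplicate is logged. `load_mappings` returns silently when `fopen` fails where the code it replaces warned about the missing mappings file, and its caller in `_kdc_pk_initialize` passes `file` straight from `krb5_config_get_string`; I cannot see from the hunk whether a NULL (option unset) is guarded before the call, so `if (file == NULL) return;` at the top of `load_mappings` would be cheap insurance.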


@ -34,7 +34,20 @@
#include "kdc_locl.h"
RCSID("$Id: process.c,v 1.7 2006/12/28 21:09:35 lha Exp $");
RCSID("$Id: process.c 20959 2007-06-07 04:46:06Z lha $");
/*
*
*/
void
krb5_kdc_update_time(struct timeval *tv)
{
if (tv == NULL)
gettimeofday(&_kdc_now, NULL);
else
_kdc_now = *tv;
}
/*
* handle the request in `buf, len', from `addr' (or `from' as a string),
@ -59,7 +72,6 @@ krb5_kdc_process_request(krb5_context context,
krb5_error_code ret;
size_t i;
gettimeofday(&_kdc_now, NULL);
if(decode_AS_REQ(buf, len, &req, &i) == 0){
krb5_data req_buffer;
@ -121,7 +133,6 @@ krb5_kdc_process_krb5_request(krb5_context context,
krb5_error_code ret;
size_t i;
gettimeofday(&_kdc_now, NULL);
if(decode_AS_REQ(buf, len, &req, &i) == 0){
krb5_data req_buffer;
@ -139,3 +150,70 @@ krb5_kdc_process_krb5_request(krb5_context context,
}
return -1;
}
/*
*
*/
int
krb5_kdc_save_request(krb5_context context,
const char *fn,
const unsigned char *buf,
size_t len,
const krb5_data *reply,
const struct sockaddr *sa)
{
krb5_storage *sp;
krb5_address a;
int fd, ret;
uint32_t t;
krb5_data d;
memset(&a, 0, sizeof(a));
d.data = rk_UNCONST(buf);
d.length = len;
t = _kdc_now.tv_sec;
fd = open(fn, O_WRONLY|O_CREAT|O_APPEND, 0600);
if (fd < 0) {
krb5_set_error_string(context, "Failed to open: %s", fn);
return errno;
}
sp = krb5_storage_from_fd(fd);
close(fd);
if (sp == NULL) {
krb5_set_error_string(context, "Storage failed to open fd");
return ENOMEM;
}
ret = krb5_sockaddr2address(context, sa, &a);
if (ret)
goto out;
krb5_store_uint32(sp, 1);
krb5_store_uint32(sp, t);
krb5_store_address(sp, a);
krb5_store_data(sp, d);
{
Der_class cl;
Der_type ty;
unsigned int tag;
ret = der_get_tag (reply->data, reply->length,
&cl, &ty, &tag, NULL);
if (ret) {
krb5_store_uint32(sp, 0xffffffff);
krb5_store_uint32(sp, 0xffffffff);
} else {
krb5_store_uint32(sp, MAKE_TAG(cl, ty, 0));
krb5_store_uint32(sp, tag);
}
}
krb5_free_address(context, &a);
out:
krb5_storage_free(sp);
return 0;
}
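Review bot: `krb5_kdc_save_request` returns 0 unconditionally at the end, so the `goto out` after a failed `krb5_sockaddr2address` is reported to the caller as success even though `ret` was set; change the last line to `return ret;`. The `krb5_store_*` return values are dropped as well, so a short write to the capture file goes unnoticed; checking at least the `krb5_store_data` result would catch that. `close(fd)` immediately after `krb5_storage_from_fd(fd)` is only correct if the storage duplicates the descriptor, which the hunk does not show — a one-line comment there would settle it. The empty `/* */` blocks above `krb5_kdc_update_time` and `krb5_kdc_save_request` should say what the functions do; in particular, with `gettimeofday` removed from `krb5_kdc_process_request` and `krb5_kdc_process_krb5_request`, callers must now call `krb5_kdc_update_time` before each request or `_kdc_now` (and the timestamp this function records) stays stale.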


@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
/* $Id: rx.h,v 1.5 2006/05/05 10:51:10 lha Exp $ */
/* $Id: rx.h 17447 2006-05-05 10:52:01Z lha $ */
#ifndef __RX_H__
#define __RX_H__


@ -33,7 +33,7 @@
#include "kdc_locl.h"
RCSID("$Id: windc.c,v 1.3 2007/01/04 11:10:06 lha Exp $");
RCSID("$Id: windc.c 20559 2007-04-24 16:00:07Z lha $");
static krb5plugin_windc_ftable *windcft;
static void *windcctx;
@ -43,7 +43,7 @@ static void *windcctx;
*/
krb5_error_code
_kdc_windc_init(krb5_context context)
krb5_kdc_windc_init(krb5_context context)
{
struct krb5_plugin *list = NULL, *e;
krb5_error_code ret;
@ -91,10 +91,11 @@ _kdc_pac_verify(krb5_context context,
krb5_pac *pac)
{
if (windcft == NULL) {
krb5_set_error_string(context, "Can't verify WINDC, no function");
krb5_set_error_string(context, "Can't verify PAC, no function");
return EINVAL;
}
return (windcft->pac_verify)(windcctx, context, client_principal, client, server, pac);
return (windcft->pac_verify)(windcctx, context,
client_principal, client, server, pac);
}
krb5_error_code


@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
/* $Id: windc_plugin.h,v 1.2 2007/01/04 11:13:51 lha Exp $ */
/* $Id: windc_plugin.h 19798 2007-01-10 15:24:51Z lha $ */
#ifndef HEIMDAL_KRB5_PAC_PLUGIN_H
#define HEIMDAL_KRB5_PAC_PLUGIN_H 1
@ -58,7 +58,9 @@ typedef krb5_error_code
typedef krb5_error_code
(*krb5plugin_windc_pac_verify)(void *, krb5_context,
const krb5_principal,
struct hdb_entry_ex *, struct hdb_entry_ex *, krb5_pac *);
struct hdb_entry_ex *,
struct hdb_entry_ex *,
krb5_pac *);
typedef krb5_error_code
(*krb5plugin_windc_client_access)(


@ -32,11 +32,9 @@
*/
#include "kuser_locl.h"
RCSID("$Id: kinit.c,v 1.141 2006/12/12 16:35:41 lha Exp $");
RCSID("$Id: kinit.c 20517 2007-04-22 10:42:26Z lha $");
#ifndef KRB4
#include "krb5-v4compat.h"
#endif
struct krb5_pk_identity;
struct krb5_pk_cert;
@ -46,6 +44,7 @@ struct krb5_dh_moduli;
struct krb5_plugin;
enum plugin_type;
#include "krb5-private.h"
#include "heimntlm.h"
int forwardable_flag = -1;
int proxiable_flag = -1;
@ -74,6 +73,8 @@ char *password_file = NULL;
char *pk_user_id = NULL;
char *pk_x509_anchors = NULL;
int pk_use_enckey = 0;
static int canonicalize_flag = 0;
static char *ntlm_domain;
static char *krb4_cc_name;
@ -153,18 +154,21 @@ static struct getargs args[] = {
{ "password-file", 0, arg_string, &password_file,
"read the password from a file" },
{ "canonicalize",0, arg_flag, &canonicalize_flag,
"canonicalize client principal" },
#ifdef PKINIT
{ "pk-user", 'C', arg_string, &pk_user_id,
"principal's public/private/certificate identifier",
"id" },
{ "pk-user", 'C', arg_string, &pk_user_id,
"principal's public/private/certificate identifier", "id" },
{ "x509-anchors", 'D', arg_string, &pk_x509_anchors,
"directory with CA certificates", "directory" },
{ "pk-use-enckey", 0, arg_flag, &pk_use_enckey,
"Use RSA encrypted reply (instead of DH)" },
{ "x509-anchors", 'D', arg_string, &pk_x509_anchors,
"directory with CA certificates", "directory" },
{ "pk-use-enckey", 0, arg_flag, &pk_use_enckey,
"Use RSA encrypted reply (instead of DH)" },
#endif
{ "ntlm-domain", 0, arg_string, &ntlm_domain,
"NTLM domain", "domain" },
{ "version", 0, arg_flag, &version_flag },
{ "help", 0, arg_flag, &help_flag }
};
@ -179,130 +183,6 @@ usage (int ret)
exit (ret);
}
#ifdef KRB4
/* for when the KDC tells us it's a v4 one, we try to talk that */
static int
key_to_key(const char *user,
char *instance,
const char *realm,
const void *arg,
des_cblock *key)
{
memcpy(key, arg, sizeof(des_cblock));
return 0;
}
static int
do_v4_fallback (krb5_context context,
const krb5_principal principal,
int lifetime,
int use_srvtab, const char *srvtab_str,
const char *passwd)
{
int ret;
krb_principal princ;
des_cblock key;
krb5_error_code kret;
if (lifetime == 0)
lifetime = DEFAULT_TKT_LIFE;
else
lifetime = krb_time_to_life (0, lifetime);
kret = krb5_524_conv_principal (context, principal,
princ.name,
princ.instance,
princ.realm);
if (kret) {
krb5_warn (context, kret, "krb5_524_conv_principal");
return 1;
}
if (use_srvtab || srvtab_str) {
if (srvtab_str == NULL)
srvtab_str = KEYFILE;
ret = read_service_key (princ.name, princ.instance, princ.realm,
0, srvtab_str, (char *)&key);
if (ret) {
warnx ("read_service_key %s: %s", srvtab_str,
krb_get_err_text (ret));
return 1;
}
ret = krb_get_in_tkt (princ.name, princ.instance, princ.realm,
KRB_TICKET_GRANTING_TICKET, princ.realm,
lifetime, key_to_key, NULL, key);
} else {
ret = krb_get_pw_in_tkt(princ.name, princ.instance, princ.realm,
KRB_TICKET_GRANTING_TICKET, princ.realm,
lifetime, passwd);
}
memset (key, 0, sizeof(key));
if (ret) {
warnx ("%s", krb_get_err_text(ret));
return 1;
}
if (do_afslog && k_hasafs()) {
if ((ret = krb_afslog(NULL, NULL)) != 0 && ret != KDC_PR_UNKNOWN) {
if(ret > 0)
warnx ("%s", krb_get_err_text(ret));
else
warnx ("failed to store AFS token");
}
}
return 0;
}
/*
* the special version of get_default_principal that takes v4 into account
*/
static krb5_error_code
kinit_get_default_principal (krb5_context context,
krb5_principal *princ)
{
krb5_error_code ret;
krb5_ccache id;
krb_principal v4_princ;
int kret;
ret = krb5_cc_default (context, &id);
if (ret == 0) {
ret = krb5_cc_get_principal (context, id, princ);
krb5_cc_close (context, id);
if (ret == 0)
return 0;
}
kret = krb_get_tf_fullname (tkt_string(),
v4_princ.name,
v4_princ.instance,
v4_princ.realm);
if (kret == KSUCCESS) {
ret = krb5_425_conv_principal (context,
v4_princ.name,
v4_princ.instance,
v4_princ.realm,
princ);
if (ret == 0)
return 0;
}
return krb5_get_default_principal (context, princ);
}
#else /* !KRB4 */
static krb5_error_code
kinit_get_default_principal (krb5_context context,
krb5_principal *princ)
{
return krb5_get_default_principal (context, princ);
}
#endif /* !KRB4 */
static krb5_error_code
get_server(krb5_context context,
krb5_principal client,
@ -456,6 +336,39 @@ out:
return ret;
}
static krb5_error_code
store_ntlmkey(krb5_context context, krb5_ccache id,
const char *domain, krb5_const_principal client,
struct ntlm_buf *buf)
{
krb5_error_code ret;
krb5_creds cred;
memset(&cred, 0, sizeof(cred));
ret = krb5_make_principal(context, &cred.server,
krb5_principal_get_realm(context, client),
"@ntlm-key", domain, NULL);
if (ret)
goto out;
ret = krb5_copy_principal(context, client, &cred.client);
if (ret)
goto out;
cred.times.authtime = time(NULL);
cred.times.endtime = time(NULL) + 3600 * 24 * 30; /* XXX */
cred.session.keytype = ENCTYPE_ARCFOUR_HMAC_MD5;
ret = krb5_data_copy(&cred.session.keyvalue, buf->data, buf->length);
if (ret)
goto out;
ret = krb5_cc_store_cred(context, id, &cred);
out:
krb5_free_cred_contents (context, &cred);
return 0;
}
static krb5_error_code
get_new_tickets(krb5_context context,
krb5_principal principal,
@ -471,7 +384,9 @@ get_new_tickets(krb5_context context,
krb5_deltat renew = 0;
char *renewstr = NULL;
krb5_enctype *enctype = NULL;
struct ntlm_buf ntlmkey;
memset(&ntlmkey, 0, sizeof(ntlmkey));
passwd[0] = '\0';
if (password_file) {
@ -500,8 +415,8 @@ get_new_tickets(krb5_context context,
if (ret)
krb5_err(context, 1, ret, "krb5_get_init_creds_opt_alloc");
krb5_get_init_creds_opt_set_default_flags(context, "kinit",
/* XXX */principal->realm, opt);
krb5_get_init_creds_opt_set_default_flags(context, "kinit",
krb5_principal_get_realm(context, principal), opt);
if(forwardable_flag != -1)
krb5_get_init_creds_opt_set_forwardable (opt, forwardable_flag);
@ -512,6 +427,8 @@ get_new_tickets(krb5_context context,
if (pac_flag != -1)
krb5_get_init_creds_opt_set_pac_request(context, opt,
pac_flag ? TRUE : FALSE);
if (canonicalize_flag)
krb5_get_init_creds_opt_set_canonicalize(context, opt, TRUE);
if (pk_user_id) {
ret = krb5_get_init_creds_opt_set_pkinit(context, opt,
principal,
@ -629,19 +546,8 @@ get_new_tickets(krb5_context context,
opt);
}
krb5_get_init_creds_opt_free(context, opt);
#ifdef KRB4
if (ret == KRB5KRB_AP_ERR_V4_REPLY || ret == KRB5_KDC_UNREACH) {
int exit_val;
exit_val = do_v4_fallback (context, principal, ticket_life,
use_keytab, keytab_str, passwd);
get_v4_tgt = 0;
do_afslog = 0;
memset(passwd, 0, sizeof(passwd));
if (exit_val == 0 || ret == KRB5KRB_AP_ERR_V4_REPLY)
return exit_val;
}
#endif
if (ntlm_domain && passwd[0])
heim_ntlm_nt_key(passwd, &ntlmkey);
memset(passwd, 0, sizeof(passwd));
switch(ret){
@ -651,8 +557,12 @@ get_new_tickets(krb5_context context,
exit(1);
case KRB5KRB_AP_ERR_BAD_INTEGRITY:
case KRB5KRB_AP_ERR_MODIFIED:
case KRB5KDC_ERR_PREAUTH_FAILED:
krb5_errx(context, 1, "Password incorrect");
break;
case KRB5KRB_AP_ERR_V4_REPLY:
krb5_errx(context, 1, "Looks like a Kerberos 4 reply");
break;
default:
krb5_err(context, 1, ret, "krb5_get_init_creds");
}
@ -685,6 +595,9 @@ get_new_tickets(krb5_context context,
krb5_free_cred_contents (context, &cred);
if (ntlm_domain && ntlmkey.data)
store_ntlmkey(context, ccache, ntlm_domain, principal, &ntlmkey);
if (enctype)
free(enctype);
@ -774,6 +687,7 @@ main (int argc, char **argv)
krb5_principal principal;
int optidx = 0;
krb5_deltat ticket_life = 0;
int parseflags = 0;
setprogname (argv[0]);
@ -797,12 +711,15 @@ main (int argc, char **argv)
argc -= optidx;
argv += optidx;
if (canonicalize_flag)
parseflags |= KRB5_PRINCIPAL_PARSE_ENTERPRISE;
if (argv[0]) {
ret = krb5_parse_name (context, argv[0], &principal);
ret = krb5_parse_name_flags (context, argv[0], parseflags, &principal);
if (ret)
krb5_err (context, 1, ret, "krb5_parse_name");
} else {
ret = kinit_get_default_principal (context, &principal);
ret = krb5_get_default_principal (context, &principal);
if (ret)
krb5_err (context, 1, ret, "krb5_get_default_principal");
}
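Review bot: `store_ntlmkey` returns 0 unconditionally after `out:`, so a failure in `krb5_make_principal`, `krb5_copy_principal`, `krb5_data_copy` or `krb5_cc_store_cred` is lost, and the caller in `get_new_tickets` discards the result anyway; change the last line to `return ret;` and check it at the call. The NT hash that `heim_ntlm_nt_key` writes into `ntlmkey` is password-equivalent material, and nothing in the visible lines of `get_new_tickets` zeroizes or frees `ntlmkey.data` after `store_ntlmkey`; unless that happens outside the hunk it should be cleared and released there, and the return value of `heim_ntlm_nt_key` checked rather than ignored. The 30-day `endtime` marked `/* XXX */` in `store_ntlmkey` deserves a comment explaining why that lifetime was chosen, since it governs how long the key stays readable in the credential cache.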


@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
/* $Id: kuser_locl.h,v 1.13 2003/01/21 14:13:51 nectar Exp $ */
/* $Id: kuser_locl.h 20458 2007-04-19 20:41:27Z lha $ */
#ifndef __KUSER_LOCL_H__
#define __KUSER_LOCL_H__
@ -75,9 +75,6 @@
#include <err.h>
#include <krb5.h>
#ifdef KRB4
#include <krb.h>
#endif
#if defined(HAVE_SYS_IOCTL_H) && SunOS != 40
#include <sys/ioctl.h>
#endif

View File

@ -1,5 +1,5 @@
-- From RFC 3369 --
-- $Id: CMS.asn1,v 1.5 2006/09/07 12:20:42 lha Exp $ --
-- $Id: CMS.asn1 18054 2006-09-07 12:20:42Z lha $ --
CMS DEFINITIONS ::= BEGIN


@ -1,4 +1,4 @@
/* $Id: asn1-common.h,v 1.7 2006/12/28 17:14:10 lha Exp $ */
/* $Id: asn1-common.h 19539 2006-12-28 17:15:05Z lha $ */
#include <stddef.h>
#include <time.h>


@ -3,7 +3,7 @@
#
# This might look like a com_err file, but is not
#
id "$Id: asn1_err.et,v 1.6 2006/10/24 14:11:20 lha Exp $"
id "$Id: asn1_err.et 20010 2007-01-20 21:52:27Z lha $"
error_table asn1
prefix ASN1
@ -18,4 +18,5 @@ error_code BAD_LENGTH, "ASN.1 length doesn't match expected value"
error_code BAD_FORMAT, "ASN.1 badly-formatted encoding"
error_code PARSE_ERROR, "ASN.1 parse error"
error_code EXTRA_DATA, "ASN.1 extra data past end of end structure"
error_code BAD_CHARACTER, "ASN.1 invalid character in string"
end


@ -40,7 +40,7 @@
#include <hex.h>
#include <err.h>
RCSID("$Id: asn1_gen.c,v 1.4 2006/01/30 15:06:03 lha Exp $");
RCSID("$Id: asn1_gen.c 16666 2006-01-30 15:06:03Z lha $");
static int
doit(const char *fn)


@ -1,5 +1,5 @@
/* $NetBSD: queue.h,v 1.38 2004/04/18 14:12:05 lukem Exp $ */
/* $Id: asn1_queue.h,v 1.2 2005/07/12 06:27:15 lha Exp $ */
/* $Id: asn1_queue.h 15617 2005-07-12 06:27:42Z lha $ */
/*
* Copyright (c) 1991, 1993


@ -1,4 +1,4 @@
-- $Id: canthandle.asn1,v 1.6 2006/01/18 19:12:33 lha Exp $ --
-- $Id: canthandle.asn1 16593 2006-01-18 19:12:33Z lha $ --
CANTHANDLE DEFINITIONS ::= BEGIN


@ -38,7 +38,7 @@
#include <getarg.h>
#include <err.h>
RCSID("$Id: der.c,v 1.2 2005/07/12 06:27:19 lha Exp $");
RCSID("$Id: der.c 15617 2005-07-12 06:27:42Z lha $");
static const char *class_names[] = {


@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
/* $Id: der.h,v 1.36 2006/10/14 05:16:08 lha Exp $ */
/* $Id: der.h 18437 2006-10-14 05:16:08Z lha $ */
#ifndef __DER_H__
#define __DER_H__


@ -33,7 +33,7 @@
#include "der_locl.h"
RCSID("$Id: der_copy.c,v 1.17 2006/12/28 17:14:17 lha Exp $");
RCSID("$Id: der_copy.c 19539 2006-12-28 17:15:05Z lha $");
int
der_copy_general_string (const heim_general_string *from,


@ -34,7 +34,7 @@
#include "der_locl.h"
#include <hex.h>
RCSID("$Id: der_format.c,v 1.8 2006/11/27 10:32:21 lha Exp $");
RCSID("$Id: der_format.c 20861 2007-06-03 20:18:29Z lha $");
int
der_parse_hex_heim_integer (const char *p, heim_integer *data)
@ -51,7 +51,7 @@ der_parse_hex_heim_integer (const char *p, heim_integer *data)
}
len = strlen(p);
if (len < 0) {
if (len <= 0) {
data->data = NULL;
data->length = 0;
return EINVAL;
@ -74,7 +74,7 @@ der_parse_hex_heim_integer (const char *p, heim_integer *data)
{
unsigned char *q = data->data;
while(*q == 0 && len > 0) {
while(len > 0 && *q == 0) {
q++;
len--;
}
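Review bot: The operand swap to `while(len > 0 && *q == 0)` is the part of this hunk worth protecting with a comment: the old order read `*q` one byte past the buffer whenever `len` was already 0, and a later tidy-up could easily swap it back. I would put `/* test len first: q points past the end of the buffer when len == 0 */` above the loop. The `len <= 0` test on the `strlen(p)` result only rejects the empty string, which is fine, but `len` is declared outside the hunk; if it is an `int` rather than `size_t`, the `strlen` value is narrowed before the comparison and a huge input would wrap rather than be rejected — worth confirming. der_parse_hex_heim_integer's body continues outside the hunk.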


@ -33,7 +33,7 @@
#include "der_locl.h"
RCSID("$Id: der_free.c,v 1.14 2006/12/28 17:14:21 lha Exp $");
RCSID("$Id: der_free.c 19539 2006-12-28 17:15:05Z lha $");
void
der_free_general_string (heim_general_string *str)


@ -1,5 +1,5 @@
/*
* Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
* Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@ -33,7 +33,7 @@
#include "der_locl.h"
RCSID("$Id: der_get.c,v 1.51 2006/12/28 17:14:25 lha Exp $");
RCSID("$Id: der_get.c 20570 2007-04-27 14:06:27Z lha $");
#include <version.h>
@ -135,8 +135,21 @@ int
der_get_general_string (const unsigned char *p, size_t len,
heim_general_string *str, size_t *size)
{
const unsigned char *p1;
char *s;
p1 = memchr(p, 0, len);
if (p1 != NULL) {
/*
* Allow trailing NULs. We allow this since MIT Kerberos sends
* an strings in the NEED_PREAUTH case that includes a
* trailing NUL.
*/
while (p1 - p < len && *p1 == '\0')
p1++;
if (p1 - p != len)
return ASN1_BAD_CHARACTER;
}
if (len > len + 1)
return ASN1_BAD_LENGTH;
@ -180,6 +193,8 @@ der_get_bmp_string (const unsigned char *p, size_t len,
if (len & 1)
return ASN1_BAD_FORMAT;
data->length = len / 2;
if (data->length > UINT_MAX/sizeof(data->data[0]))
return ERANGE;
data->data = malloc(data->length * sizeof(data->data[0]));
if (data->data == NULL && data->length != 0)
return ENOMEM;
@ -202,6 +217,8 @@ der_get_universal_string (const unsigned char *p, size_t len,
if (len & 3)
return ASN1_BAD_FORMAT;
data->length = len / 4;
if (data->length > UINT_MAX/sizeof(data->data[0]))
return ERANGE;
data->data = malloc(data->length * sizeof(data->data[0]));
if (data->data == NULL && data->length != 0)
return ENOMEM;
@ -366,7 +383,7 @@ int
der_get_oid (const unsigned char *p, size_t len,
heim_oid *data, size_t *size)
{
int n;
size_t n;
size_t oldlen = len;
if (len < 1)
@ -375,7 +392,10 @@ der_get_oid (const unsigned char *p, size_t len,
if (len > len + 1)
return ASN1_BAD_LENGTH;
data->components = malloc((len + 1) * sizeof(*data->components));
if (len + 1 > UINT_MAX/sizeof(data->components[0]))
return ERANGE;
data->components = malloc((len + 1) * sizeof(data->components[0]));
if (data->components == NULL)
return ENOMEM;
data->components[0] = (*p) / 40;
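Review bot: In der_get_general_string the trailing-NUL loop compares `p1 - p` (ptrdiff_t) with `len` (size_t); the comparison is safe because p1 never precedes p, but the mixed-sign arithmetic should be made explicit, `while ((size_t)(p1 - p) < len && *p1 == '\0')`. The more important consequence for callers is that a GeneralString accepted by this check becomes a C string whose `strlen` is shorter than the DER length it was decoded from, so any consumer that re-encodes the value or compares lengths against the original encoding will see a mismatch; I would add to the comment above the loop `/* NOTE: the returned string stops at the first NUL, so strlen(*str) may be smaller than len */`. The new overflow guards in der_get_bmp_string, der_get_universal_string and der_get_oid bound a `size_t` with `UINT_MAX`; that is stricter than necessary on LP64 but not wrong, and `SIZE_MAX` would be the type-matched limit if anyone revisits them. Both der_get_general_string and der_get_oid continue outside their hunks.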


@ -33,7 +33,7 @@
#include "der_locl.h"
RCSID("$Id: der_length.c,v 1.20 2006/12/28 17:14:28 lha Exp $");
RCSID("$Id: der_length.c 19539 2006-12-28 17:15:05Z lha $");
size_t
_heim_len_unsigned (unsigned val)


@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
/* $Id: der_locl.h,v 1.8 2006/10/19 16:24:02 lha Exp $ */
/* $Id: der_locl.h 18608 2006-10-19 16:24:02Z lha $ */
#ifndef __DER_LOCL_H__
#define __DER_LOCL_H__


@ -33,7 +33,7 @@
#include "der_locl.h"
RCSID("$Id: der_put.c,v 1.34 2006/12/28 17:14:33 lha Exp $");
RCSID("$Id: der_put.c 19539 2006-12-28 17:15:05Z lha $");
/*
* All encoding functions take a pointer `p' to first position in


@ -1,4 +1,4 @@
-- $Id: digest.asn1,v 1.10 2006/12/15 19:13:39 lha Exp $
-- $Id: digest.asn1 20138 2007-02-02 21:08:24Z lha $
DIGEST DEFINITIONS ::=
BEGIN
@ -25,6 +25,7 @@ DigestRequest ::= SEQUENCE {
type UTF8String, -- http, sasl-md5, chap, cram-md5 --
digest UTF8String, -- http:md5/md5-sess sasl:clear/int/conf --
username UTF8String, -- username user used
responseData UTF8String, -- client response
authid [0] UTF8String OPTIONAL,
authentication-user [1] Principal OPTIONAL, -- principal to get key from
realm [2] UTF8String OPTIONAL,
@ -48,14 +49,14 @@ DigestError ::= SEQUENCE {
}
DigestResponse ::= SEQUENCE {
responseData UTF8String,
success BOOLEAN,
rsp [0] UTF8String OPTIONAL,
tickets [1] SEQUENCE OF OCTET STRING OPTIONAL,
channel [2] SEQUENCE {
cb-type UTF8String,
cb-binding UTF8String
} OPTIONAL,
hash-a1 [3] OCTET STRING OPTIONAL
session-key [3] OCTET STRING OPTIONAL
}
NTLMInit ::= SEQUENCE {
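Review bot: `responseData UTF8String` is added to DigestRequest as an untagged, mandatory member between `username` and `authid [0]`, so a request produced by an encoder built from the previous schema (which has no such member) is rejected by the new decoder as soon as it meets the `[0]` tag where a UTF8String is expected; unless both ends of this protocol are always upgraded together, it should be a tagged OPTIONAL member appended after the existing ones, e.g. `responseData [N] UTF8String OPTIONAL` using the next unused context tag. If this module has no deployed peers yet the incompatibility is moot, but nothing in the schema says so. Renaming `hash-a1` to `session-key` under the same `[3]` tag is wire-compatible; a one-line comment that the octets now carry a session key rather than the H(A1) digest would keep a reader from assuming the old semantics.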


@ -34,7 +34,7 @@
#include "der_locl.h"
#include "heim_asn1.h"
RCSID("$Id: extra.c,v 1.6 2006/01/31 09:44:54 lha Exp $");
RCSID("$Id: extra.c 16672 2006-01-31 09:44:54Z lha $");
int
encode_heim_any(unsigned char *p, size_t len,


@ -33,7 +33,7 @@
#include "gen_locl.h"
RCSID("$Id: gen.c,v 1.70 2006/12/28 17:14:37 lha Exp $");
RCSID("$Id: gen.c 20670 2007-05-11 00:39:41Z lha $");
FILE *headerfile, *codefile, *logfile;
@ -167,6 +167,7 @@ init_generate (const char *filename, const char *base)
" } \\\n"
" } while (0)\n\n",
headerfile);
fprintf (headerfile, "struct units;\n\n");
fprintf (headerfile, "#endif\n\n");
asprintf(&fn, "%s_files", base);
if (fn == NULL)


@ -33,7 +33,7 @@
#include "gen_locl.h"
RCSID("$Id: gen_copy.c,v 1.19 2006/12/28 17:14:42 lha Exp $");
RCSID("$Id: gen_copy.c 19539 2006-12-28 17:15:05Z lha $");
static int used_fail;


@ -34,7 +34,7 @@
#include "gen_locl.h"
#include "lex.h"
RCSID("$Id: gen_decode.c,v 1.32 2006/12/29 17:30:32 lha Exp $");
RCSID("$Id: gen_decode.c 19572 2006-12-29 17:30:32Z lha $");
static void
decode_primitive (const char *typename, const char *name, const char *forwstr)


@ -33,7 +33,7 @@
#include "gen_locl.h"
RCSID("$Id: gen_encode.c,v 1.22 2006/12/29 17:30:03 lha Exp $");
RCSID("$Id: gen_encode.c 19572 2006-12-29 17:30:32Z lha $");
static void
encode_primitive (const char *typename, const char *name)


@ -33,7 +33,7 @@
#include "gen_locl.h"
RCSID("$Id: gen_free.c,v 1.17 2006/12/28 17:14:54 lha Exp $");
RCSID("$Id: gen_free.c 19539 2006-12-28 17:15:05Z lha $");
static void
free_primitive (const char *typename, const char *name)


@ -33,7 +33,7 @@
#include "gen_locl.h"
RCSID("$Id: gen_glue.c,v 1.9 2005/07/12 06:27:29 lha Exp $");
RCSID("$Id: gen_glue.c 15617 2005-07-12 06:27:42Z lha $");
static void
generate_2int (const Type *t, const char *gen_name)


@ -33,7 +33,7 @@
#include "gen_locl.h"
RCSID("$Id: gen_length.c,v 1.22 2006/12/28 17:14:57 lha Exp $");
RCSID("$Id: gen_length.c 19539 2006-12-28 17:15:05Z lha $");
static void
length_primitive (const char *typename,


@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
/* $Id: gen_locl.h,v 1.14 2006/09/05 12:29:18 lha Exp $ */
/* $Id: gen_locl.h 18008 2006-09-05 12:29:18Z lha $ */
#ifndef __GEN_LOCL_H__
#define __GEN_LOCL_H__


@ -33,7 +33,7 @@
#include "gen_locl.h"
RCSID("$Id: gen_seq.c,v 1.4 2006/10/04 10:18:10 lha Exp $");
RCSID("$Id: gen_seq.c 20561 2007-04-24 16:14:30Z lha $");
void
generate_type_seq (const Symbol *s)
@ -111,7 +111,7 @@ generate_type_seq (const Symbol *s)
"\t\tsizeof(data->val[0]) * data->len);\n"
/* resize but don't care about failures since it doesn't matter */
"ptr = realloc(data->val, data->len * sizeof(data->val[0]));\n"
"if (ptr) data->val = ptr;\n"
"if (ptr != NULL || data->len == 0) data->val = ptr;\n"
"return 0;\n",
subname);
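Review bot: The emitted `if (ptr != NULL || data->len == 0) data->val = ptr;` depends on `realloc(val, 0)` having released the old block when it returns NULL, which is implementation-defined: on a libc that returns NULL without freeing, the generated remove function leaks the last element's storage, while on one that returns a non-NULL zero-size block the pointer is kept and must be freed later, which the stored `data->val` allows. The generator's comment only says failures don't matter; I would extend it to record the zero-length case, e.g. `/* when len drops to 0 realloc may free and return NULL; store it so val is not left dangling */`. The rest of the emitted function is outside the hunk.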


@ -37,7 +37,7 @@
#include "gen_locl.h"
RCSID("$Id: hash.c,v 1.11 2006/04/07 22:16:00 lha Exp $");
RCSID("$Id: hash.c 17016 2006-04-07 22:16:00Z lha $");
static Hashentry *_search(Hashtab * htab, /* The hash table */
void *ptr); /* And key */


@ -35,7 +35,7 @@
* hash.h. Header file for hash table functions
*/
/* $Id: hash.h,v 1.3 1999/12/02 17:05:02 joda Exp $ */
/* $Id: hash.h 7464 1999-12-02 17:05:13Z joda $ */
struct hashentry { /* Entry in bucket */
struct hashentry **prev;


@ -1,4 +1,4 @@
-- $Id: k5.asn1,v 1.51 2006/11/21 05:17:47 lha Exp $
-- $Id: k5.asn1 21004 2007-06-08 01:53:10Z lha $
KERBEROS5 DEFINITIONS ::=
BEGIN
@ -59,6 +59,7 @@ PADATA-TYPE ::= INTEGER {
KRB5-PADATA-PA-PK-OCSP-RESPONSE(18),
KRB5-PADATA-ETYPE-INFO2(19),
KRB5-PADATA-USE-SPECIFIED-KVNO(20),
KRB5-PADATA-SVR-REFERRAL-INFO(20), --- old ms referral number
KRB5-PADATA-SAM-REDIRECT(21), -- (sam/otp)
KRB5-PADATA-GET-FROM-TYPED-DATA(22),
KRB5-PADATA-SAM-ETYPE-INFO(23),
@ -71,10 +72,11 @@ PADATA-TYPE ::= INTEGER {
KRB5-PADATA-TD-REQ-SEQ(108), -- INTEGER
KRB5-PADATA-PA-PAC-REQUEST(128), -- jbrezak@exchange.microsoft.com
KRB5-PADATA-S4U2SELF(129),
KRB5-PADATA-PK-AS-09-BINDING(132) -- client send this to
KRB5-PADATA-PK-AS-09-BINDING(132), -- client send this to
-- tell KDC that is supports
-- the asCheckSum in the
-- PK-AS-REP
KRB5-PADATA-CLIENT-CANONICALIZED(133) --
}
AUTHDATA-TYPE ::= INTEGER {
@ -229,6 +231,7 @@ KDCOptions ::= BIT STRING {
unused11(11),
request-anonymous(14),
canonicalize(15),
constrained-delegation(16), -- ms extension
disable-transited-check(26),
renewable-ok(27),
enc-tkt-in-skey(28),
@ -409,7 +412,8 @@ EncKDCRepPart ::= SEQUENCE {
renew-till[8] KerberosTime OPTIONAL,
srealm[9] Realm,
sname[10] PrincipalName,
caddr[11] HostAddresses OPTIONAL
caddr[11] HostAddresses OPTIONAL,
encrypted-pa-data[12] METHOD-DATA OPTIONAL
}
EncASRepPart ::= [APPLICATION 25] EncKDCRepPart
@ -624,6 +628,27 @@ KRB5SignedPath ::= SEQUENCE {
delegated[2] KRB5SignedPathPrincipals OPTIONAL
}
PA-ClientCanonicalizedNames ::= SEQUENCE{
requested-name [0] PrincipalName,
real-name [1] PrincipalName
}
PA-ClientCanonicalized ::= SEQUENCE {
names [0] PA-ClientCanonicalizedNames,
canon-checksum [1] Checksum
}
AD-LoginAlias ::= SEQUENCE { -- ad-type number TBD --
login-alias [0] PrincipalName,
checksum [1] Checksum
}
-- old ms referral
PA-SvrReferralData ::= SEQUENCE {
referred-name [1] PrincipalName OPTIONAL,
referred-realm [0] Realm
}
END
-- etags -r '/\([A-Za-z][-A-Za-z0-9]*\).*::=/\1/' k5.asn1
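Review bot: `KRB5-PADATA-SVR-REFERRAL-INFO(20)` is added with the same value as `KRB5-PADATA-USE-SPECIFIED-KVNO(20)`, so the generated enum has two names for one wire value and a decoder switching on it can only dispatch on one; if the old MS referral number must be kept, the comment should say which interpretation wins, e.g. `-- same value as USE-SPECIFIED-KVNO; treat as referral data only in MS referral context`. `AD-LoginAlias` is declared with `-- ad-type number TBD --` and no matching AUTHDATA-TYPE entry appears in the hunk, so it can neither be emitted nor recognised until that number is assigned. In `PA-SvrReferralData` the `[1] OPTIONAL` component precedes `[0]`, which is legal but unusual for this file; a comment noting the order comes from the old MS definition would prevent a well-meant reorder that changes the encoding. `PA-ClientCanonicalized` carries a `canon-checksum` but the module does not say under which key it is computed; the C consumer should document that it must be a keyed checksum, since an unkeyed one gives no protection against `real-name` being rewritten in transit.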


@ -1,4 +1,4 @@
-- $Id: kx509.asn1,v 1.1 2006/12/28 21:05:23 lha Exp $
-- $Id: kx509.asn1 19546 2006-12-28 21:05:23Z lha $
KX509 DEFINITIONS ::=
BEGIN



@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
/* $Id: lex.h,v 1.6 2005/07/12 06:27:33 lha Exp $ */
/* $Id: lex.h 15617 2005-07-12 06:27:42Z lha $ */
#include <roken.h>


@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
/* $Id: libasn1.h,v 1.11 2005/07/12 06:27:34 lha Exp $ */
/* $Id: libasn1.h 15617 2005-07-12 06:27:42Z lha $ */
#ifndef __LIBASN1_H__
#define __LIBASN1_H__


@ -35,7 +35,7 @@
#include <getarg.h>
#include "lex.h"
RCSID("$Id: main.c,v 1.16 2006/09/05 12:27:29 lha Exp $");
RCSID("$Id: main.c 20858 2007-06-03 18:56:41Z lha $");
extern FILE *yyin;
@ -127,5 +127,7 @@ main(int argc, char **argv)
if(ret != 0 || error_flag != 0)
exit(1);
close_generate ();
if (argc != optidx)
fclose(yyin);
return 0;
}


@ -248,7 +248,7 @@
/* Copy the first part of user declarations. */
#line 36 "heimdal/lib/asn1/parse.y"
#line 36 "parse.y"
#ifdef HAVE_CONFIG_H
#include <config.h>
@ -261,7 +261,7 @@
#include "gen_locl.h"
#include "der.h"
RCSID("$Id: parse.y,v 1.29 2006/12/28 17:15:02 lha Exp $");
RCSID("$Id: parse.y 19539 2006-12-28 17:15:05Z lha $");
static Type *new_type (Typetype t);
static struct constraint_spec *new_constraint_spec(enum ctype);
@ -280,7 +280,7 @@ struct string_list {
/* Enabling traces. */
#ifndef YYDEBUG
# define YYDEBUG 0
# define YYDEBUG 1
#endif
/* Enabling verbose error messages. */
@ -298,7 +298,7 @@ struct string_list {
#if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
typedef union YYSTYPE
#line 65 "heimdal/lib/asn1/parse.y"
#line 65 "parse.y"
{
int constant;
struct value *value;
@ -314,7 +314,7 @@ typedef union YYSTYPE
struct constraint_spec *constraint_spec;
}
/* Line 187 of yacc.c. */
#line 318 "heimdal/lib/asn1/parse.y"
#line 318 "parse.c"
YYSTYPE;
# define yystype YYSTYPE /* obsolescent; will be withdrawn */
# define YYSTYPE_IS_DECLARED 1
@ -327,7 +327,7 @@ typedef union YYSTYPE
/* Line 216 of yacc.c. */
#line 331 "heimdal/lib/asn1/parse.y"
#line 331 "parse.c"
#ifdef short
# undef short
@ -1750,29 +1750,29 @@ yyreduce:
switch (yyn)
{
case 2:
#line 233 "heimdal/lib/asn1/parse.y"
#line 233 "parse.y"
{
checkundefined();
}
break;
case 4:
#line 240 "heimdal/lib/asn1/parse.y"
#line 240 "parse.y"
{ error_message("implicit tagging is not supported"); }
break;
case 5:
#line 242 "heimdal/lib/asn1/parse.y"
#line 242 "parse.y"
{ error_message("automatic tagging is not supported"); }
break;
case 7:
#line 247 "heimdal/lib/asn1/parse.y"
#line 247 "parse.y"
{ error_message("no extensibility options supported"); }
break;
case 17:
#line 268 "heimdal/lib/asn1/parse.y"
#line 268 "parse.y"
{
struct string_list *sl;
for(sl = (yyvsp[(1) - (4)].sl); sl != NULL; sl = sl->next) {
@ -1784,7 +1784,7 @@ yyreduce:
break;
case 22:
#line 287 "heimdal/lib/asn1/parse.y"
#line 287 "parse.y"
{
(yyval.sl) = emalloc(sizeof(*(yyval.sl)));
(yyval.sl)->string = (yyvsp[(1) - (3)].name);
@ -1793,7 +1793,7 @@ yyreduce:
break;
case 23:
#line 293 "heimdal/lib/asn1/parse.y"
#line 293 "parse.y"
{
(yyval.sl) = emalloc(sizeof(*(yyval.sl)));
(yyval.sl)->string = (yyvsp[(1) - (1)].name);
@ -1802,7 +1802,7 @@ yyreduce:
break;
case 24:
#line 301 "heimdal/lib/asn1/parse.y"
#line 301 "parse.y"
{
Symbol *s = addsym ((yyvsp[(1) - (3)].name));
s->stype = Stype;
@ -1813,7 +1813,7 @@ yyreduce:
break;
case 42:
#line 332 "heimdal/lib/asn1/parse.y"
#line 332 "parse.y"
{
(yyval.type) = new_tag(ASN1_C_UNIV, UT_Boolean,
TE_EXPLICIT, new_type(TBoolean));
@ -1821,7 +1821,7 @@ yyreduce:
break;
case 43:
#line 339 "heimdal/lib/asn1/parse.y"
#line 339 "parse.y"
{
if((yyvsp[(2) - (5)].value)->type != integervalue ||
(yyvsp[(4) - (5)].value)->type != integervalue)
@ -1832,7 +1832,7 @@ yyreduce:
break;
case 44:
#line 349 "heimdal/lib/asn1/parse.y"
#line 349 "parse.y"
{
(yyval.type) = new_tag(ASN1_C_UNIV, UT_Integer,
TE_EXPLICIT, new_type(TInteger));
@ -1840,7 +1840,7 @@ yyreduce:
break;
case 45:
#line 354 "heimdal/lib/asn1/parse.y"
#line 354 "parse.y"
{
(yyval.type) = new_type(TInteger);
(yyval.type)->range = emalloc(sizeof(*(yyval.type)->range));
@ -1850,7 +1850,7 @@ yyreduce:
break;
case 46:
#line 361 "heimdal/lib/asn1/parse.y"
#line 361 "parse.y"
{
(yyval.type) = new_type(TInteger);
(yyval.type)->members = (yyvsp[(3) - (4)].members);
@ -1859,7 +1859,7 @@ yyreduce:
break;
case 47:
#line 369 "heimdal/lib/asn1/parse.y"
#line 369 "parse.y"
{
(yyval.members) = emalloc(sizeof(*(yyval.members)));
ASN1_TAILQ_INIT((yyval.members));
@ -1868,7 +1868,7 @@ yyreduce:
break;
case 48:
#line 375 "heimdal/lib/asn1/parse.y"
#line 375 "parse.y"
{
ASN1_TAILQ_INSERT_TAIL((yyvsp[(1) - (3)].members), (yyvsp[(3) - (3)].member), members);
(yyval.members) = (yyvsp[(1) - (3)].members);
@ -1876,12 +1876,12 @@ yyreduce:
break;
case 49:
#line 380 "heimdal/lib/asn1/parse.y"
#line 380 "parse.y"
{ (yyval.members) = (yyvsp[(1) - (3)].members); }
break;
case 50:
#line 384 "heimdal/lib/asn1/parse.y"
#line 384 "parse.y"
{
(yyval.member) = emalloc(sizeof(*(yyval.member)));
(yyval.member)->name = (yyvsp[(1) - (4)].name);
@ -1895,7 +1895,7 @@ yyreduce:
break;
case 51:
#line 397 "heimdal/lib/asn1/parse.y"
#line 397 "parse.y"
{
(yyval.type) = new_type(TInteger);
(yyval.type)->members = (yyvsp[(3) - (4)].members);
@ -1904,7 +1904,7 @@ yyreduce:
break;
case 53:
#line 408 "heimdal/lib/asn1/parse.y"
#line 408 "parse.y"
{
(yyval.type) = new_type(TBitString);
(yyval.type)->members = emalloc(sizeof(*(yyval.type)->members));
@ -1914,7 +1914,7 @@ yyreduce:
break;
case 54:
#line 415 "heimdal/lib/asn1/parse.y"
#line 415 "parse.y"
{
(yyval.type) = new_type(TBitString);
(yyval.type)->members = (yyvsp[(4) - (5)].members);
@ -1923,7 +1923,7 @@ yyreduce:
break;
case 55:
#line 423 "heimdal/lib/asn1/parse.y"
#line 423 "parse.y"
{
(yyval.type) = new_tag(ASN1_C_UNIV, UT_OID,
TE_EXPLICIT, new_type(TOID));
@ -1931,7 +1931,7 @@ yyreduce:
break;
case 56:
#line 429 "heimdal/lib/asn1/parse.y"
#line 429 "parse.y"
{
(yyval.type) = new_tag(ASN1_C_UNIV, UT_OctetString,
TE_EXPLICIT, new_type(TOctetString));
@ -1939,7 +1939,7 @@ yyreduce:
break;
case 57:
#line 436 "heimdal/lib/asn1/parse.y"
#line 436 "parse.y"
{
(yyval.type) = new_tag(ASN1_C_UNIV, UT_Null,
TE_EXPLICIT, new_type(TNull));
@ -1947,7 +1947,7 @@ yyreduce:
break;
case 58:
#line 443 "heimdal/lib/asn1/parse.y"
#line 443 "parse.y"
{
(yyval.type) = new_type(TSequence);
(yyval.type)->members = (yyvsp[(3) - (4)].members);
@ -1956,7 +1956,7 @@ yyreduce:
break;
case 59:
#line 449 "heimdal/lib/asn1/parse.y"
#line 449 "parse.y"
{
(yyval.type) = new_type(TSequence);
(yyval.type)->members = NULL;
@ -1965,7 +1965,7 @@ yyreduce:
break;
case 60:
#line 457 "heimdal/lib/asn1/parse.y"
#line 457 "parse.y"
{
(yyval.type) = new_type(TSequenceOf);
(yyval.type)->subtype = (yyvsp[(3) - (3)].type);
@ -1974,7 +1974,7 @@ yyreduce:
break;
case 61:
#line 465 "heimdal/lib/asn1/parse.y"
#line 465 "parse.y"
{
(yyval.type) = new_type(TSet);
(yyval.type)->members = (yyvsp[(3) - (4)].members);
@ -1983,7 +1983,7 @@ yyreduce:
break;
case 62:
#line 471 "heimdal/lib/asn1/parse.y"
#line 471 "parse.y"
{
(yyval.type) = new_type(TSet);
(yyval.type)->members = NULL;
@ -1992,7 +1992,7 @@ yyreduce:
break;
case 63:
#line 479 "heimdal/lib/asn1/parse.y"
#line 479 "parse.y"
{
(yyval.type) = new_type(TSetOf);
(yyval.type)->subtype = (yyvsp[(3) - (3)].type);
@ -2001,7 +2001,7 @@ yyreduce:
break;
case 64:
#line 487 "heimdal/lib/asn1/parse.y"
#line 487 "parse.y"
{
(yyval.type) = new_type(TChoice);
(yyval.type)->members = (yyvsp[(3) - (4)].members);
@ -2009,7 +2009,7 @@ yyreduce:
break;
case 67:
#line 498 "heimdal/lib/asn1/parse.y"
#line 498 "parse.y"
{
Symbol *s = addsym((yyvsp[(1) - (1)].name));
(yyval.type) = new_type(TType);
@ -2021,7 +2021,7 @@ yyreduce:
break;
case 68:
#line 509 "heimdal/lib/asn1/parse.y"
#line 509 "parse.y"
{
(yyval.type) = new_tag(ASN1_C_UNIV, UT_GeneralizedTime,
TE_EXPLICIT, new_type(TGeneralizedTime));
@ -2029,7 +2029,7 @@ yyreduce:
break;
case 69:
#line 514 "heimdal/lib/asn1/parse.y"
#line 514 "parse.y"
{
(yyval.type) = new_tag(ASN1_C_UNIV, UT_UTCTime,
TE_EXPLICIT, new_type(TUTCTime));
@ -2037,7 +2037,7 @@ yyreduce:
break;
case 70:
#line 521 "heimdal/lib/asn1/parse.y"
#line 521 "parse.y"
{
/* if (Constraint.type == contentConstrant) {
assert(Constraint.u.constraint.type == octetstring|bitstring-w/o-NamedBitList); // remember to check type reference too
@ -2053,14 +2053,14 @@ yyreduce:
break;
case 71:
#line 537 "heimdal/lib/asn1/parse.y"
#line 537 "parse.y"
{
(yyval.constraint_spec) = (yyvsp[(2) - (3)].constraint_spec);
}
break;
case 75:
#line 550 "heimdal/lib/asn1/parse.y"
#line 550 "parse.y"
{
(yyval.constraint_spec) = new_constraint_spec(CT_CONTENTS);
(yyval.constraint_spec)->u.content.type = (yyvsp[(2) - (2)].type);
@ -2069,7 +2069,7 @@ yyreduce:
break;
case 76:
#line 556 "heimdal/lib/asn1/parse.y"
#line 556 "parse.y"
{
if ((yyvsp[(3) - (3)].value)->type != objectidentifiervalue)
error_message("Non-OID used in ENCODED BY constraint");
@ -2080,7 +2080,7 @@ yyreduce:
break;
case 77:
#line 564 "heimdal/lib/asn1/parse.y"
#line 564 "parse.y"
{
if ((yyvsp[(5) - (5)].value)->type != objectidentifiervalue)
error_message("Non-OID used in ENCODED BY constraint");
@ -2091,14 +2091,14 @@ yyreduce:
break;
case 78:
#line 574 "heimdal/lib/asn1/parse.y"
#line 574 "parse.y"
{
(yyval.constraint_spec) = new_constraint_spec(CT_USER);
}
break;
case 79:
#line 580 "heimdal/lib/asn1/parse.y"
#line 580 "parse.y"
{
(yyval.type) = new_type(TTag);
(yyval.type)->tag = (yyvsp[(1) - (3)].tag);
@ -2112,7 +2112,7 @@ yyreduce:
break;
case 80:
#line 593 "heimdal/lib/asn1/parse.y"
#line 593 "parse.y"
{
(yyval.tag).tagclass = (yyvsp[(2) - (4)].constant);
(yyval.tag).tagvalue = (yyvsp[(3) - (4)].constant);
@ -2121,56 +2121,56 @@ yyreduce:
break;
case 81:
#line 601 "heimdal/lib/asn1/parse.y"
#line 601 "parse.y"
{
(yyval.constant) = ASN1_C_CONTEXT;
}
break;
case 82:
#line 605 "heimdal/lib/asn1/parse.y"
#line 605 "parse.y"
{
(yyval.constant) = ASN1_C_UNIV;
}
break;
case 83:
#line 609 "heimdal/lib/asn1/parse.y"
#line 609 "parse.y"
{
(yyval.constant) = ASN1_C_APPL;
}
break;
case 84:
#line 613 "heimdal/lib/asn1/parse.y"
#line 613 "parse.y"
{
(yyval.constant) = ASN1_C_PRIVATE;
}
break;
case 85:
#line 619 "heimdal/lib/asn1/parse.y"
#line 619 "parse.y"
{
(yyval.constant) = TE_EXPLICIT;
}
break;
case 86:
#line 623 "heimdal/lib/asn1/parse.y"
#line 623 "parse.y"
{
(yyval.constant) = TE_EXPLICIT;
}
break;
case 87:
#line 627 "heimdal/lib/asn1/parse.y"
#line 627 "parse.y"
{
(yyval.constant) = TE_IMPLICIT;
}
break;
case 88:
#line 634 "heimdal/lib/asn1/parse.y"
#line 634 "parse.y"
{
Symbol *s;
s = addsym ((yyvsp[(1) - (4)].name));
@ -2182,7 +2182,7 @@ yyreduce:
break;
case 90:
#line 648 "heimdal/lib/asn1/parse.y"
#line 648 "parse.y"
{
(yyval.type) = new_tag(ASN1_C_UNIV, UT_GeneralString,
TE_EXPLICIT, new_type(TGeneralString));
@ -2190,7 +2190,7 @@ yyreduce:
break;
case 91:
#line 653 "heimdal/lib/asn1/parse.y"
#line 653 "parse.y"
{
(yyval.type) = new_tag(ASN1_C_UNIV, UT_UTF8String,
TE_EXPLICIT, new_type(TUTF8String));
@ -2198,7 +2198,7 @@ yyreduce:
break;
case 92:
#line 658 "heimdal/lib/asn1/parse.y"
#line 658 "parse.y"
{
(yyval.type) = new_tag(ASN1_C_UNIV, UT_PrintableString,
TE_EXPLICIT, new_type(TPrintableString));
@ -2206,7 +2206,7 @@ yyreduce:
break;
case 93:
#line 663 "heimdal/lib/asn1/parse.y"
#line 663 "parse.y"
{
(yyval.type) = new_tag(ASN1_C_UNIV, UT_VisibleString,
TE_EXPLICIT, new_type(TVisibleString));
@ -2214,7 +2214,7 @@ yyreduce:
break;
case 94:
#line 668 "heimdal/lib/asn1/parse.y"
#line 668 "parse.y"
{
(yyval.type) = new_tag(ASN1_C_UNIV, UT_IA5String,
TE_EXPLICIT, new_type(TIA5String));
@ -2222,7 +2222,7 @@ yyreduce:
break;
case 95:
#line 673 "heimdal/lib/asn1/parse.y"
#line 673 "parse.y"
{
(yyval.type) = new_tag(ASN1_C_UNIV, UT_BMPString,
TE_EXPLICIT, new_type(TBMPString));
@ -2230,7 +2230,7 @@ yyreduce:
break;
case 96:
#line 678 "heimdal/lib/asn1/parse.y"
#line 678 "parse.y"
{
(yyval.type) = new_tag(ASN1_C_UNIV, UT_UniversalString,
TE_EXPLICIT, new_type(TUniversalString));
@ -2238,7 +2238,7 @@ yyreduce:
break;
case 97:
#line 686 "heimdal/lib/asn1/parse.y"
#line 686 "parse.y"
{
(yyval.members) = emalloc(sizeof(*(yyval.members)));
ASN1_TAILQ_INIT((yyval.members));
@ -2247,7 +2247,7 @@ yyreduce:
break;
case 98:
#line 692 "heimdal/lib/asn1/parse.y"
#line 692 "parse.y"
{
ASN1_TAILQ_INSERT_TAIL((yyvsp[(1) - (3)].members), (yyvsp[(3) - (3)].member), members);
(yyval.members) = (yyvsp[(1) - (3)].members);
@ -2255,7 +2255,7 @@ yyreduce:
break;
case 99:
#line 697 "heimdal/lib/asn1/parse.y"
#line 697 "parse.y"
{
struct member *m = ecalloc(1, sizeof(*m));
m->name = estrdup("...");
@ -2267,7 +2267,7 @@ yyreduce:
break;
case 100:
#line 708 "heimdal/lib/asn1/parse.y"
#line 708 "parse.y"
{
(yyval.member) = emalloc(sizeof(*(yyval.member)));
(yyval.member)->name = (yyvsp[(1) - (2)].name);
@ -2279,7 +2279,7 @@ yyreduce:
break;
case 101:
#line 719 "heimdal/lib/asn1/parse.y"
#line 719 "parse.y"
{
(yyval.member) = (yyvsp[(1) - (1)].member);
(yyval.member)->optional = 0;
@ -2288,7 +2288,7 @@ yyreduce:
break;
case 102:
#line 725 "heimdal/lib/asn1/parse.y"
#line 725 "parse.y"
{
(yyval.member) = (yyvsp[(1) - (2)].member);
(yyval.member)->optional = 1;
@ -2297,7 +2297,7 @@ yyreduce:
break;
case 103:
#line 731 "heimdal/lib/asn1/parse.y"
#line 731 "parse.y"
{
(yyval.member) = (yyvsp[(1) - (3)].member);
(yyval.member)->optional = 0;
@ -2306,7 +2306,7 @@ yyreduce:
break;
case 104:
#line 739 "heimdal/lib/asn1/parse.y"
#line 739 "parse.y"
{
(yyval.members) = emalloc(sizeof(*(yyval.members)));
ASN1_TAILQ_INIT((yyval.members));
@ -2315,7 +2315,7 @@ yyreduce:
break;
case 105:
#line 745 "heimdal/lib/asn1/parse.y"
#line 745 "parse.y"
{
ASN1_TAILQ_INSERT_TAIL((yyvsp[(1) - (3)].members), (yyvsp[(3) - (3)].member), members);
(yyval.members) = (yyvsp[(1) - (3)].members);
@ -2323,7 +2323,7 @@ yyreduce:
break;
case 106:
#line 752 "heimdal/lib/asn1/parse.y"
#line 752 "parse.y"
{
(yyval.member) = emalloc(sizeof(*(yyval.member)));
(yyval.member)->name = (yyvsp[(1) - (4)].name);
@ -2337,26 +2337,26 @@ yyreduce:
break;
case 108:
#line 765 "heimdal/lib/asn1/parse.y"
#line 765 "parse.y"
{ (yyval.objid) = NULL; }
break;
case 109:
#line 769 "heimdal/lib/asn1/parse.y"
#line 769 "parse.y"
{
(yyval.objid) = (yyvsp[(2) - (3)].objid);
}
break;
case 110:
#line 775 "heimdal/lib/asn1/parse.y"
#line 775 "parse.y"
{
(yyval.objid) = NULL;
}
break;
case 111:
#line 779 "heimdal/lib/asn1/parse.y"
#line 779 "parse.y"
{
if ((yyvsp[(2) - (2)].objid)) {
(yyval.objid) = (yyvsp[(2) - (2)].objid);
@ -2368,14 +2368,14 @@ yyreduce:
break;
case 112:
#line 790 "heimdal/lib/asn1/parse.y"
#line 790 "parse.y"
{
(yyval.objid) = new_objid((yyvsp[(1) - (4)].name), (yyvsp[(3) - (4)].constant));
}
break;
case 113:
#line 794 "heimdal/lib/asn1/parse.y"
#line 794 "parse.y"
{
Symbol *s = addsym((yyvsp[(1) - (1)].name));
if(s->stype != SValue ||
@ -2389,14 +2389,14 @@ yyreduce:
break;
case 114:
#line 805 "heimdal/lib/asn1/parse.y"
#line 805 "parse.y"
{
(yyval.objid) = new_objid(NULL, (yyvsp[(1) - (1)].constant));
}
break;
case 124:
#line 828 "heimdal/lib/asn1/parse.y"
#line 828 "parse.y"
{
Symbol *s = addsym((yyvsp[(1) - (1)].name));
if(s->stype != SValue)
@ -2408,7 +2408,7 @@ yyreduce:
break;
case 125:
#line 839 "heimdal/lib/asn1/parse.y"
#line 839 "parse.y"
{
(yyval.value) = emalloc(sizeof(*(yyval.value)));
(yyval.value)->type = stringvalue;
@ -2417,7 +2417,7 @@ yyreduce:
break;
case 126:
#line 847 "heimdal/lib/asn1/parse.y"
#line 847 "parse.y"
{
(yyval.value) = emalloc(sizeof(*(yyval.value)));
(yyval.value)->type = booleanvalue;
@ -2426,7 +2426,7 @@ yyreduce:
break;
case 127:
#line 853 "heimdal/lib/asn1/parse.y"
#line 853 "parse.y"
{
(yyval.value) = emalloc(sizeof(*(yyval.value)));
(yyval.value)->type = booleanvalue;
@ -2435,7 +2435,7 @@ yyreduce:
break;
case 128:
#line 861 "heimdal/lib/asn1/parse.y"
#line 861 "parse.y"
{
(yyval.value) = emalloc(sizeof(*(yyval.value)));
(yyval.value)->type = integervalue;
@ -2444,13 +2444,13 @@ yyreduce:
break;
case 130:
#line 872 "heimdal/lib/asn1/parse.y"
#line 872 "parse.y"
{
}
break;
case 131:
#line 877 "heimdal/lib/asn1/parse.y"
#line 877 "parse.y"
{
(yyval.value) = emalloc(sizeof(*(yyval.value)));
(yyval.value)->type = objectidentifiervalue;
@ -2460,7 +2460,7 @@ yyreduce:
/* Line 1267 of yacc.c. */
#line 2464 "heimdal/lib/asn1/parse.y"
#line 2464 "parse.c"
default: break;
}
YY_SYMBOL_PRINT ("-> $$ =", yyr1[yyn], &yyval, &yyloc);
@ -2674,7 +2674,7 @@ yyreturn:
}
#line 884 "heimdal/lib/asn1/parse.y"
#line 884 "parse.y"
void


@ -222,7 +222,7 @@
#if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
typedef union YYSTYPE
#line 65 "heimdal/lib/asn1/parse.y"
#line 65 "parse.y"
{
int constant;
struct value *value;
@ -238,7 +238,7 @@ typedef union YYSTYPE
struct constraint_spec *constraint_spec;
}
/* Line 1489 of yacc.c. */
#line 242 "heimdal/lib/asn1/parse.y"
#line 242 "parse.h"
YYSTYPE;
# define yystype YYSTYPE /* obsolescent; will be withdrawn */
# define YYSTYPE_IS_DECLARED 1


@ -1,4 +1,4 @@
-- $Id: pkcs12.asn1,v 1.3 2005/07/23 11:07:39 lha Exp $ --
-- $Id: pkcs12.asn1 15715 2005-07-23 11:08:47Z lha $ --
PKCS12 DEFINITIONS ::=


@ -1,4 +1,4 @@
-- $Id: pkcs8.asn1,v 1.3 2005/09/13 19:41:29 lha Exp $ --
-- $Id: pkcs8.asn1 16060 2005-09-13 19:41:29Z lha $ --
PKCS8 DEFINITIONS ::=


@ -1,4 +1,4 @@
-- $Id: pkcs9.asn1,v 1.5 2006/04/24 08:59:10 lha Exp $ --
-- $Id: pkcs9.asn1 17202 2006-04-24 08:59:10Z lha $ --
PKCS9 DEFINITIONS ::=


@ -21,9 +21,15 @@ id-pkinit-san OBJECT IDENTIFIER ::=
{ iso(1) org(3) dod(6) internet(1) security(5) kerberosv5(2)
x509-sanan(2) }
id-pkinit-ms-eku OBJECT IDENTIFIER ::=
{ iso(1) org(3) dod(6) internet(1) private(4)
enterprise(1) microsoft(311) 20 2 2 }
id-pkinit-ms-san OBJECT IDENTIFIER ::=
{ iso(1) org(3) dod(6) internet(1) foo1(4)
foo2(1) foo3(311) foo4(20) foo5(2) foo6(3) }
{ iso(1) org(3) dod(6) internet(1) private(4)
enterprise(1) microsoft(311) 20 2 3 }
MS-UPN-SAN ::= UTF8String
pa-pk-as-req INTEGER ::= 16
pa-pk-as-rep INTEGER ::= 17
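Review bot: The two arcs now read `private(4) enterprise(1) microsoft(311) 20 2 2` and `... 20 2 3`, but the trailing components stay unnamed, so nothing tells a reader that `id-pkinit-ms-eku` is the Smart Card Logon EKU and `id-pkinit-ms-san` the UPN otherName that Windows PKINIT relies on (RFC 4556 §3.2.2 lists both as id-ms-kp-sc-logon and id-ms-san-sc-logon-upn). I would annotate them, e.g. `enterprise(1) microsoft(311) 20 2 2 } -- id-ms-kp-sc-logon` and `... 20 2 3 } -- id-ms-san-sc-logon-upn, carries MS-UPN-SAN`, since these two OIDs decide whether a client certificate may map to a principal at all.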


@ -87,6 +87,7 @@ id-at-serialNumber OBJECT IDENTIFIER ::= { id-x520-at 5 }
id-at-countryName OBJECT IDENTIFIER ::= { id-x520-at 6 }
id-at-localityName OBJECT IDENTIFIER ::= { id-x520-at 7 }
id-at-stateOrProvinceName OBJECT IDENTIFIER ::= { id-x520-at 8 }
id-at-streetAddress OBJECT IDENTIFIER ::= { id-x520-at 9 }
id-at-organizationName OBJECT IDENTIFIER ::= { id-x520-at 10 }
id-at-organizationalUnitName OBJECT IDENTIFIER ::= { id-x520-at 11 }
id-at-name OBJECT IDENTIFIER ::= { id-x520-at 41 }
@ -306,6 +307,32 @@ id-x509-ce-invalidityDate OBJECT IDENTIFIER ::= { id-x509-ce 24 }
id-x509-ce-certificateIssuer OBJECT IDENTIFIER ::= { id-x509-ce 29 }
id-x509-ce-inhibitAnyPolicy OBJECT IDENTIFIER ::= { id-x509-ce 54 }
DistributionPointReasonFlags ::= BIT STRING {
unused (0),
keyCompromise (1),
cACompromise (2),
affiliationChanged (3),
superseded (4),
cessationOfOperation (5),
certificateHold (6),
privilegeWithdrawn (7),
aACompromise (8)
}
DistributionPointName ::= CHOICE {
fullName [0] IMPLICIT -- GeneralNames -- SEQUENCE -- SIZE (1..MAX) -- OF GeneralName,
nameRelativeToCRLIssuer [1] RelativeDistinguishedName
}
DistributionPoint ::= SEQUENCE {
distributionPoint [0] IMPLICIT heim_any -- DistributionPointName -- OPTIONAL,
reasons [1] IMPLICIT heim_any -- DistributionPointReasonFlags -- OPTIONAL,
cRLIssuer [2] IMPLICIT heim_any -- GeneralNames -- OPTIONAL
}
CRLDistributionPoints ::= SEQUENCE -- SIZE (1..MAX) -- OF DistributionPoint
-- rfc3279
DSASigValue ::= SEQUENCE {
@ -406,10 +433,13 @@ CRLReason ::= ENUMERATED {
aACompromise (10)
}
PKIXXmppAddr ::= UTF8String
id-pkix OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
dod(6) internet(1) security(5) mechanisms(5) pkix(7) }
id-pkix-on OBJECT IDENTIFIER ::= { id-pkix 8 }
id-pkix-on-xmppAddr OBJECT IDENTIFIER ::= { id-pkix-on 5 }
id-pkix-on-dnsSRV OBJECT IDENTIFIER ::= { id-pkix-on 7 }
id-pkix-kp OBJECT IDENTIFIER ::= { id-pkix 3 }
@ -441,4 +471,25 @@ ProxyCertInfo ::= SEQUENCE {
proxyPolicy ProxyPolicy
}
--- U.S. Federal PKI Common Policy Framework
-- Card Authentication key
id-uspkicommon-card-id OBJECT IDENTIFIER ::= { 2 16 840 1 101 3 6 6 }
id-uspkicommon-piv-interim OBJECT IDENTIFIER ::= { 2 16 840 1 101 3 6 9 1 }
--- Netscape extentions
id-netscape OBJECT IDENTIFIER ::=
{ joint-iso-itu-t(2) country(16) us(840) organization(1) netscape(113730) }
id-netscape-cert-comment OBJECT IDENTIFIER ::= { id-netscape 1 13 }
--- MS extentions
id-ms-cert-enroll-domaincontroller OBJECT IDENTIFIER ::=
{ 1 3 6 1 4 1 311 20 2 }
id-ms-client-authentication OBJECT IDENTIFIER ::=
{ 1 3 6 1 5 5 7 3 2 }
-- DER:1e:20:00:44:00:6f:00:6d:00:61:00:69:00:6e:00:43:00:6f:00:6e:00:74:00:72:00:6f:00:6c:00:6c:00:65:00:72
END
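Review bot: `id-ms-client-authentication` is bound to `{ 1 3 6 1 5 5 7 3 2 }`, which is the PKIX extended-key-usage value under the `id-pkix-kp` arc this module already defines a few hunks above, not a Microsoft-specific OID, so filing it under "MS extentions" invites a reader to treat the standard clientAuth EKU as a vendor value; defining it as `id-ms-client-authentication OBJECT IDENTIFIER ::= { id-pkix-kp 2 }` (or renaming it to say clientAuth) would make the relationship visible. The trailing `-- DER:1e:20:00:44:...` comment is left unexplained; the bytes decode as a BMPString (tag 1e, length 32) of the UTF-16 text "DomainController", presumably the value carried by the `id-ms-cert-enroll-domaincontroller` extension defined just above it, so a comment such as `-- BMPString "DomainController" (template name value; see id-ms-cert-enroll-domaincontroller)` would tell the next reader what it is for. In the CRLDistributionPoints hunk earlier in this section the DistributionPoint members are declared as `heim_any` placeholders with the real types only in comments, so the generated decoder will accept any content there; a short comment that callers must decode and validate the inner DistributionPointName/GeneralNames themselves would keep that from being overlooked.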


@ -34,7 +34,7 @@
#include "gen_locl.h"
#include "lex.h"
RCSID("$Id: symbol.c,v 1.10 2005/07/12 06:27:39 lha Exp $");
RCSID("$Id: symbol.c 15617 2005-07-12 06:27:42Z lha $");
static Hashtab *htab;


@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
/* $Id: symbol.h,v 1.14 2006/12/28 17:15:05 lha Exp $ */
/* $Id: symbol.h 19539 2006-12-28 17:15:05Z lha $ */
#ifndef _SYMBOL_H
#define _SYMBOL_H


@ -1,4 +1,4 @@
-- $Id: test.asn1,v 1.9 2006/09/05 14:00:44 lha Exp $ --
-- $Id: test.asn1 18013 2006-09-05 14:00:44Z lha $ --
TEST DEFINITIONS ::=


@ -33,7 +33,7 @@
#include "der_locl.h"
RCSID("$Id: timegm.c,v 1.11 2006/10/19 16:19:32 lha Exp $");
RCSID("$Id: timegm.c 18607 2006-10-19 16:19:32Z lha $");
static int
is_leap(unsigned y)


@ -33,7 +33,7 @@
#ifdef HAVE_CONFIG_H
#include <config.h>
RCSID("$Id: com_err.c,v 1.19 2005/04/24 19:42:39 lha Exp $");
RCSID("$Id: com_err.c 14930 2005-04-24 19:43:06Z lha $");
#endif
#include <stdio.h>
#include <stdlib.h>


@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
/* $Id: com_err.h,v 1.11 2005/07/07 14:58:07 lha Exp $ */
/* $Id: com_err.h 15566 2005-07-07 14:58:07Z lha $ */
/* MIT compatible com_err library */


@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
/* $Id: com_right.h,v 1.12 2005/02/03 08:43:01 lha Exp $ */
/* $Id: com_right.h 14551 2005-02-03 08:45:13Z lha $ */
#ifndef __COM_RIGHT_H__
#define __COM_RIGHT_H__


@ -35,7 +35,7 @@
#include "compile_et.h"
#include <getarg.h>
RCSID("$Id: compile_et.c,v 1.19 2005/06/16 19:21:00 lha Exp $");
RCSID("$Id: compile_et.c 15426 2005-06-16 19:21:42Z lha $");
#include <roken.h>
#include <err.h>


@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
/* $Id: compile_et.h,v 1.8 2005/06/16 19:21:26 lha Exp $ */
/* $Id: compile_et.h 15426 2005-06-16 19:21:42Z lha $ */
#ifndef __COMPILE_ET_H__
#define __COMPILE_ET_H__


@ -33,7 +33,7 @@
#ifdef HAVE_CONFIG_H
#include <config.h>
RCSID("$Id: error.c,v 1.15 2001/02/28 20:00:13 joda Exp $");
RCSID("$Id: error.c 9724 2001-02-28 20:00:13Z joda $");
#endif
#include <stdio.h>
#include <stdlib.h>


@ -1,6 +1,5 @@
#include "config.h"
#line 3 "lex.yy.c"
#line 3 "lex.c"
#define YY_INT_ALIGNED short int
@ -524,7 +523,7 @@ char *yytext;
#include "parse.h"
#include "lex.h"
RCSID("$Id: lex.l,v 1.8 2005/05/16 08:52:54 lha Exp $");
RCSID("$Id: lex.l 15143 2005-05-16 08:52:54Z lha $");
static unsigned lineno = 1;
static int getstring(void);
@ -533,7 +532,7 @@ static int getstring(void);
#undef ECHO
#line 536 "lex.yy.c"
#line 536 "lex.c"
#define INITIAL 0
@ -688,7 +687,7 @@ YY_DECL
#line 59 "lex.l"
#line 691 "lex.yy.c"
#line 691 "lex.c"
if ( !(yy_init) )
{
@ -852,7 +851,7 @@ YY_RULE_SETUP
#line 75 "lex.l"
ECHO;
YY_BREAK
#line 855 "lex.yy.c"
#line 855 "lex.c"
case YY_STATE_EOF(INITIAL):
yyterminate();
@ -1083,7 +1082,7 @@ static int yy_get_next_buffer (void)
/* Read in more data. */
YY_INPUT( (&YY_CURRENT_BUFFER_LVALUE->yy_ch_buf[number_to_move]),
(yy_n_chars), (size_t) num_to_read );
(yy_n_chars), num_to_read );
YY_CURRENT_BUFFER_LVALUE->yy_n_chars = (yy_n_chars);
}
@ -1584,7 +1583,7 @@ YY_BUFFER_STATE yy_scan_buffer (char * base, yy_size_t size )
/** Setup the input buffer state to scan a string. The next call to yylex() will
* scan from a @e copy of @a str.
* @param yystr a NUL-terminated string to scan
* @param str a NUL-terminated string to scan
*
* @return the newly allocated buffer state object.
* @note If you want to scan bytes that may contain NUL values, then use


@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
/* $Id: lex.h,v 1.1 2000/06/22 00:42:52 assar Exp $ */
/* $Id: lex.h 8451 2000-06-22 00:42:52Z assar $ */
void error_message (const char *, ...)
__attribute__ ((format (printf, 1, 2)));


@ -90,7 +90,7 @@
/* Copy the first part of user declarations. */
#line 1 "./heimdal/lib/com_err/parse.y"
#line 1 "parse.y"
/*
* Copyright (c) 1998 - 2000 Kungliga Tekniska Högskolan
@ -128,7 +128,7 @@
#include "compile_et.h"
#include "lex.h"
RCSID("$Id: parse.y,v 1.15 2005/06/16 19:21:42 lha Exp $");
RCSID("$Id: parse.y 15426 2005-06-16 19:21:42Z lha $");
void yyerror (char *s);
static long name2number(const char *str);
@ -163,13 +163,13 @@ extern char *yytext;
#if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
typedef union YYSTYPE
#line 53 "./heimdal/lib/com_err/parse.y"
#line 53 "parse.y"
{
char *string;
int number;
}
/* Line 187 of yacc.c. */
#line 173 "./heimdal/lib/com_err/parse.y"
#line 173 "parse.c"
YYSTYPE;
# define yystype YYSTYPE /* obsolescent; will be withdrawn */
# define YYSTYPE_IS_DECLARED 1
@ -182,7 +182,7 @@ typedef union YYSTYPE
/* Line 216 of yacc.c. */
#line 186 "./heimdal/lib/com_err/parse.y"
#line 186 "parse.c"
#ifdef short
# undef short
@ -1381,14 +1381,14 @@ yyreduce:
switch (yyn)
{
case 6:
#line 73 "./heimdal/lib/com_err/parse.y"
#line 73 "parse.y"
{
id_str = (yyvsp[(2) - (2)].string);
}
break;
case 7:
#line 79 "./heimdal/lib/com_err/parse.y"
#line 79 "parse.y"
{
base_id = name2number((yyvsp[(2) - (2)].string));
strlcpy(name, (yyvsp[(2) - (2)].string), sizeof(name));
@ -1397,7 +1397,7 @@ yyreduce:
break;
case 8:
#line 85 "./heimdal/lib/com_err/parse.y"
#line 85 "parse.y"
{
base_id = name2number((yyvsp[(2) - (3)].string));
strlcpy(name, (yyvsp[(3) - (3)].string), sizeof(name));
@ -1407,14 +1407,14 @@ yyreduce:
break;
case 11:
#line 98 "./heimdal/lib/com_err/parse.y"
#line 98 "parse.y"
{
number = (yyvsp[(2) - (2)].number);
}
break;
case 12:
#line 102 "./heimdal/lib/com_err/parse.y"
#line 102 "parse.y"
{
free(prefix);
asprintf (&prefix, "%s_", (yyvsp[(2) - (2)].string));
@ -1425,7 +1425,7 @@ yyreduce:
break;
case 13:
#line 110 "./heimdal/lib/com_err/parse.y"
#line 110 "parse.y"
{
prefix = realloc(prefix, 1);
if (prefix == NULL)
@ -1435,7 +1435,7 @@ yyreduce:
break;
case 14:
#line 117 "./heimdal/lib/com_err/parse.y"
#line 117 "parse.y"
{
struct error_code *ec = malloc(sizeof(*ec));
@ -1458,7 +1458,7 @@ yyreduce:
break;
case 15:
#line 137 "./heimdal/lib/com_err/parse.y"
#line 137 "parse.y"
{
YYACCEPT;
}
@ -1466,7 +1466,7 @@ yyreduce:
/* Line 1267 of yacc.c. */
#line 1470 "./heimdal/lib/com_err/parse.y"
#line 1470 "parse.c"
default: break;
}
YY_SYMBOL_PRINT ("-> $$ =", yyr1[yyn], &yyval, &yyloc);
@ -1680,7 +1680,7 @@ yyreturn:
}
#line 142 "./heimdal/lib/com_err/parse.y"
#line 142 "parse.y"
static long


@ -64,13 +64,13 @@
#if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
typedef union YYSTYPE
#line 53 "./heimdal/lib/com_err/parse.y"
#line 53 "parse.y"
{
char *string;
int number;
}
/* Line 1489 of yacc.c. */
#line 74 "./heimdal/lib/com_err/parse.y"
#line 74 "parse.h"
YYSTYPE;
# define yystype YYSTYPE /* obsolescent; will be withdrawn */
# define YYSTYPE_IS_DECLARED 1


@ -1,5 +1,5 @@
/*
* Copyright (c) 1997 - 2006 Kungliga Tekniska Högskolan
* Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
/* $Id: gssapi.h,v 1.7 2006/12/15 20:02:54 lha Exp $ */
/* $Id: gssapi.h 21004 2007-06-08 01:53:10Z lha $ */
#ifndef GSSAPI_GSSAPI_H_
#define GSSAPI_GSSAPI_H_
@ -714,6 +714,23 @@ gss_inquire_cred_by_oid(OM_uint32 *minor_status,
const gss_OID desired_object,
gss_buffer_set_t *data_set);
/*
* RFC 4401
*/
#define GSS_C_PRF_KEY_FULL 0
#define GSS_C_PRF_KEY_PARTIAL 1
OM_uint32
gss_pseudo_random
(OM_uint32 *minor_status,
gss_ctx_id_t context,
int prf_key,
const gss_buffer_t prf_in,
ssize_t desired_output_len,
gss_buffer_t prf_out
);
/*
* The following routines are obsolete variants of gss_get_mic,
* gss_verify_mic, gss_wrap and gss_unwrap. They should be
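Review bot: The new `gss_pseudo_random` prototype carries no documentation, while the two `GSS_C_PRF_KEY_*` constants right above it are the only hint at how `prf_key` is meant to be used. A short block comment would help mechanism implementers and callers alike, for example: `/* RFC 4401 PRF: derives desired_output_len bytes from the context key into prf_out (caller releases it). prf_key selects GSS_C_PRF_KEY_FULL or GSS_C_PRF_KEY_PARTIAL; a negative desired_output_len is an error and must be rejected by the mechanism. */`. Since `desired_output_len` is a signed `ssize_t`, that last sentence matters: every mechanism wiring into `gm_pseudo_random` needs the negative-length check, and stating it once in the public header is the place to pin the contract. The header presumably already pulls in a definition of `ssize_t`; that cannot be confirmed from this hunk.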


@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
/* $Id: gssapi_krb5.h,v 1.17 2006/11/10 01:05:34 lha Exp $ */
/* $Id: gssapi_krb5.h 20385 2007-04-18 08:51:32Z lha $ */
#ifndef GSSAPI_KRB5_H_
#define GSSAPI_KRB5_H_
@ -65,6 +65,7 @@ extern gss_OID GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X;
extern gss_OID GSS_KRB5_SET_DNS_CANONICALIZE_X;
extern gss_OID GSS_KRB5_SEND_TO_KDC_X;
extern gss_OID GSS_KRB5_SET_DEFAULT_REALM_X;
extern gss_OID GSS_KRB5_CCACHE_NAME_X;
/* Extensions inquire context */
extern gss_OID GSS_KRB5_GET_TKT_FLAGS_X;
extern gss_OID GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X;


@ -31,7 +31,7 @@
* SUCH DAMAGE.
*/
/* $Id: gssapi_spnego.h,v 1.1 2006/10/07 22:26:21 lha Exp $ */
/* $Id: gssapi_spnego.h 18335 2006-10-07 22:26:21Z lha $ */
#ifndef GSSAPI_SPNEGO_H_
#define GSSAPI_SPNEGO_H_


@ -298,6 +298,15 @@ typedef OM_uint32 _gss_set_cred_option (
);
typedef OM_uint32 _gss_pseudo_random(
OM_uint32 *minor_status,
gss_ctx_id_t context,
int prf_key,
const gss_buffer_t prf_in,
ssize_t desired_output_len,
gss_buffer_t prf_out
);
#define GMI_VERSION 1
typedef struct gssapi_mech_interface_desc {
@ -337,6 +346,7 @@ typedef struct gssapi_mech_interface_desc {
_gss_inquire_cred_by_oid *gm_inquire_cred_by_oid;
_gss_set_sec_context_option *gm_set_sec_context_option;
_gss_set_cred_option *gm_set_cred_option;
_gss_pseudo_random *gm_pseudo_random;
} gssapi_mech_interface_desc, *gssapi_mech_interface;
gssapi_mech_interface
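Review bot: `gssapi_mech_interface_desc` grows a trailing `gm_pseudo_random` member in the second hunk, but `GMI_VERSION 1` in the first hunk is left unchanged, so a mechanism built against the previous layout still advertises the same version while its descriptor is one pointer shorter than the switch now expects. If the mech loader only compares `gm_version`, reading `gm_pseudo_random` from such a descriptor reads past the end of the plugin's object; I cannot see the loader from here, so this is an inference to confirm. Either bump to `#define GMI_VERSION 2` and reject or adapt older descriptors, or document next to the new field that it is optional and that every caller NULL-checks it before dispatch, e.g. `_gss_pseudo_random *gm_pseudo_random; /* may be NULL; added after GMI_VERSION 1 */`.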


@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: 8003.c,v 1.20 2006/10/07 22:13:51 lha Exp $");
RCSID("$Id: 8003.c 18334 2006-10-07 22:16:04Z lha $");
krb5_error_code
_gsskrb5_encode_om_uint32(OM_uint32 n, u_char *p)


@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: accept_sec_context.c,v 1.66 2006/11/13 18:00:54 lha Exp $");
RCSID("$Id: accept_sec_context.c 20199 2007-02-07 22:36:39Z lha $");
HEIMDAL_MUTEX gssapi_keytab_mutex = HEIMDAL_MUTEX_INITIALIZER;
krb5_keytab _gsskrb5_keytab;
@ -187,6 +187,7 @@ gsskrb5_accept_delegated_token
out:
if (ccache) {
/* Don't destroy the default cred cache */
if (delegated_cred_handle == NULL)
krb5_cc_close(context, ccache);
else


@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: acquire_cred.c,v 1.33 2006/11/20 18:09:30 lha Exp $");
RCSID("$Id: acquire_cred.c 20688 2007-05-17 18:44:31Z lha $");
OM_uint32
__gsskrb5_ccache_lifetime(OM_uint32 *minor_status,
@ -301,8 +301,8 @@ OM_uint32 _gsskrb5_acquire_cred
if (desired_mechs) {
int present = 0;
ret = _gsskrb5_test_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
desired_mechs, &present);
ret = gss_test_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
desired_mechs, &present);
if (ret)
return ret;
if (!present) {
@ -352,16 +352,16 @@ OM_uint32 _gsskrb5_acquire_cred
return (ret);
}
}
ret = _gsskrb5_create_empty_oid_set(minor_status, &handle->mechanisms);
ret = gss_create_empty_oid_set(minor_status, &handle->mechanisms);
if (ret == GSS_S_COMPLETE)
ret = _gsskrb5_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
&handle->mechanisms);
ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
&handle->mechanisms);
if (ret == GSS_S_COMPLETE)
ret = _gsskrb5_inquire_cred(minor_status, (gss_cred_id_t)handle,
NULL, time_rec, NULL, actual_mechs);
if (ret != GSS_S_COMPLETE) {
if (handle->mechanisms != NULL)
_gsskrb5_release_oid_set(NULL, &handle->mechanisms);
gss_release_oid_set(NULL, &handle->mechanisms);
HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
krb5_free_principal(context, handle->principal);
free(handle);
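Review bot: The error path now calls `gss_release_oid_set(NULL, &handle->mechanisms)` with a NULL `minor_status`, replacing a mechanism-private helper whose tolerance of NULL was under this file's control; the mech-independent `gss_release_oid_set` is a different function with its own contract, and whether it dereferences `minor_status` unconditionally should be confirmed before relying on it. Passing a scratch variable, `OM_uint32 junk; gss_release_oid_set(&junk, &handle->mechanisms);`, costs nothing and removes the dependency. The same pattern appears in the add_cred.c section below (`gss_release_oid_set(NULL, &handle->mechanisms)` under the `handle->mechanisms` guard). The surrounding `if (handle->mechanisms != NULL)` guard is presumably redundant once the generic release handles an empty set, but that too is outside what this hunk shows.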


@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: add_cred.c,v 1.10 2006/11/13 18:01:01 lha Exp $");
RCSID("$Id: add_cred.c 20688 2007-05-17 18:44:31Z lha $");
OM_uint32 _gsskrb5_add_cred (
OM_uint32 *minor_status,
@ -204,12 +204,12 @@ OM_uint32 _gsskrb5_add_cred (
}
}
}
ret = _gsskrb5_create_empty_oid_set(minor_status, &handle->mechanisms);
ret = gss_create_empty_oid_set(minor_status, &handle->mechanisms);
if (ret)
goto failure;
ret = _gsskrb5_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
&handle->mechanisms);
ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
&handle->mechanisms);
if (ret)
goto failure;
}
@ -243,7 +243,7 @@ OM_uint32 _gsskrb5_add_cred (
if (handle->ccache)
krb5_cc_destroy(context, handle->ccache);
if (handle->mechanisms)
_gsskrb5_release_oid_set(NULL, &handle->mechanisms);
gss_release_oid_set(NULL, &handle->mechanisms);
free(handle);
}
if (output_cred_handle)


@ -1,70 +0,0 @@
/*
* Copyright (c) 1997 - 2001, 2003 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: add_oid_set_member.c,v 1.10 2006/10/07 22:14:00 lha Exp $");
OM_uint32 _gsskrb5_add_oid_set_member (
OM_uint32 * minor_status,
const gss_OID member_oid,
gss_OID_set * oid_set
)
{
gss_OID tmp;
size_t n;
OM_uint32 res;
int present;
res = _gsskrb5_test_oid_set_member(minor_status, member_oid,
*oid_set, &present);
if (res != GSS_S_COMPLETE)
return res;
if (present) {
*minor_status = 0;
return GSS_S_COMPLETE;
}
n = (*oid_set)->count + 1;
tmp = realloc ((*oid_set)->elements, n * sizeof(gss_OID_desc));
if (tmp == NULL) {
*minor_status = ENOMEM;
return GSS_S_FAILURE;
}
(*oid_set)->elements = tmp;
(*oid_set)->count = n;
(*oid_set)->elements[n-1] = *member_oid;
*minor_status = 0;
return GSS_S_COMPLETE;
}


@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: arcfour.c,v 1.31 2006/11/13 18:01:08 lha Exp $");
RCSID("$Id: arcfour.c 19031 2006-11-13 18:02:57Z lha $");
/*
* Implements draft-brezak-win2k-krb-rc4-hmac-04.txt


@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: canonicalize_name.c,v 1.4 2006/10/07 22:14:08 lha Exp $");
RCSID("$Id: canonicalize_name.c 18334 2006-10-07 22:16:04Z lha $");
OM_uint32 _gsskrb5_canonicalize_name (
OM_uint32 * minor_status,


@ -32,7 +32,7 @@
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: cfx.c,v 1.25 2006/11/13 18:01:14 lha Exp $");
RCSID("$Id: cfx.c 19031 2006-11-13 18:02:57Z lha $");
/*
* Implementation of draft-ietf-krb-wg-gssapi-cfx-06.txt


@ -30,7 +30,7 @@
* SUCH DAMAGE.
*/
/* $Id: cfx.h,v 1.8 2006/11/13 18:01:17 lha Exp $ */
/* $Id: cfx.h 19031 2006-11-13 18:02:57Z lha $ */
#ifndef GSSAPI_CFX_H_
#define GSSAPI_CFX_H_ 1


@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: compare_name.c,v 1.8 2006/11/13 18:01:20 lha Exp $");
RCSID("$Id: compare_name.c 19031 2006-11-13 18:02:57Z lha $");
OM_uint32 _gsskrb5_compare_name
(OM_uint32 * minor_status,


@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: compat.c,v 1.14 2006/11/13 18:01:23 lha Exp $");
RCSID("$Id: compat.c 19031 2006-11-13 18:02:57Z lha $");
static krb5_error_code


@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: context_time.c,v 1.14 2006/11/13 18:01:26 lha Exp $");
RCSID("$Id: context_time.c 19031 2006-11-13 18:02:57Z lha $");
OM_uint32
_gsskrb5_lifetime_left(OM_uint32 *minor_status,


@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: copy_ccache.c,v 1.17 2006/11/13 18:01:29 lha Exp $");
RCSID("$Id: copy_ccache.c 20688 2007-05-17 18:44:31Z lha $");
#if 0
OM_uint32
@ -166,10 +166,10 @@ _gsskrb5_import_cred(OM_uint32 *minor_status,
if (id || keytab) {
ret = _gsskrb5_create_empty_oid_set(minor_status, &handle->mechanisms);
ret = gss_create_empty_oid_set(minor_status, &handle->mechanisms);
if (ret == GSS_S_COMPLETE)
ret = _gsskrb5_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
&handle->mechanisms);
ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
&handle->mechanisms);
if (ret != GSS_S_COMPLETE) {
kret = *minor_status;
goto out;
@ -181,6 +181,11 @@ _gsskrb5_import_cred(OM_uint32 *minor_status,
return GSS_S_COMPLETE;
out:
gss_release_oid_set(minor_status, &handle->mechanisms);
if (handle->ccache)
krb5_cc_close(context, handle->ccache);
if (handle->keytab)
krb5_kt_close(context, handle->keytab);
if (handle->principal)
krb5_free_principal(context, handle->principal);
HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
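Review bot: The cleanup added at `out:` passes the caller's `minor_status` to `gss_release_oid_set`, which overwrites it after the failing branch has already saved the real minor code into `kret`; whether `_gsskrb5_import_cred` copies `kret` back into `*minor_status` after this label is outside the hunk and should be checked, otherwise the caller sees a cleared minor code for a failed import. Using a scratch variable, `OM_uint32 junk; gss_release_oid_set(&junk, &handle->mechanisms);`, keeps the saved error intact regardless. The `out:` path also releases `handle->mechanisms` unconditionally while it is only populated inside `if (id || keytab)`, so the handle must be zero-initialised before the first `goto out` for the release to be safe; the allocation is not visible here, so that is an assumption to confirm.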


@ -1,52 +0,0 @@
/*
* Copyright (c) 1997 - 2001, 2003 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: create_emtpy_oid_set.c,v 1.7 2006/10/07 22:14:24 lha Exp $");
OM_uint32 _gsskrb5_create_empty_oid_set (
OM_uint32 * minor_status,
gss_OID_set * oid_set
)
{
*oid_set = malloc(sizeof(**oid_set));
if (*oid_set == NULL) {
*minor_status = ENOMEM;
return GSS_S_FAILURE;
}
(*oid_set)->count = 0;
(*oid_set)->elements = NULL;
*minor_status = 0;
return GSS_S_COMPLETE;
}


@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: decapsulate.c,v 1.16 2006/10/07 22:14:26 lha Exp $");
RCSID("$Id: decapsulate.c 18334 2006-10-07 22:16:04Z lha $");
/*
* return the length of the mechanism in token or -1


@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: delete_sec_context.c,v 1.20 2006/11/13 18:01:32 lha Exp $");
RCSID("$Id: delete_sec_context.c 19031 2006-11-13 18:02:57Z lha $");
OM_uint32
_gsskrb5_delete_sec_context(OM_uint32 * minor_status,


@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: display_name.c,v 1.13 2006/11/13 18:01:36 lha Exp $");
RCSID("$Id: display_name.c 19031 2006-11-13 18:02:57Z lha $");
OM_uint32 _gsskrb5_display_name
(OM_uint32 * minor_status,


@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: display_status.c,v 1.17 2006/11/13 18:01:38 lha Exp $");
RCSID("$Id: display_status.c 19031 2006-11-13 18:02:57Z lha $");
static const char *
calling_error(OM_uint32 v)


@ -33,7 +33,7 @@
#include "krb5/gsskrb5_locl.h"
RCSID("$Id: duplicate_name.c,v 1.11 2006/11/13 18:01:42 lha Exp $");
RCSID("$Id: duplicate_name.c 19031 2006-11-13 18:02:57Z lha $");
OM_uint32 _gsskrb5_duplicate_name (
OM_uint32 * minor_status,
