third_party/heimdal: Import lorikeet-heimdal-202307040259 (commit 33d117b8a9c11714ef709e63a005d87e34b9bfde)
NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN! Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
parent
5bfccbb764
commit
a25f549e9a
@ -66,44 +66,7 @@
|
||||
#
|
||||
# PK-INIT tests
|
||||
#
|
||||
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit.ad_dc
|
||||
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_aes128.ad_dc
|
||||
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_computer.ad_dc
|
||||
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_computer_dh.ad_dc
|
||||
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_dh.ad_dc
|
||||
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_empty_supported_cms_types.ad_dc
|
||||
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_empty_supported_cms_types_dh.ad_dc
|
||||
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_no_des3.ad_dc
|
||||
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_no_des3_dh.ad_dc
|
||||
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_no_supported_cms_types.ad_dc
|
||||
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_no_supported_cms_types_dh.ad_dc
|
||||
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_rc4.ad_dc
|
||||
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_service.ad_dc
|
||||
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_service_dh.ad_dc
|
||||
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_sha256_certificate_signature.ad_dc
|
||||
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_sha256_certificate_signature_dh.ad_dc
|
||||
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_sha256_signature.ad_dc
|
||||
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_sha256_signature_dh.ad_dc
|
||||
#
|
||||
# PK-INIT Freshness tests
|
||||
#
|
||||
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_freshness.ad_dc
|
||||
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_freshness_current.ad_dc
|
||||
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_freshness_current_dh.ad_dc
|
||||
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_freshness_dh.ad_dc
|
||||
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_freshness_empty.ad_dc
|
||||
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_freshness_empty_dh.ad_dc
|
||||
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_freshness_future.ad_dc
|
||||
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_freshness_future_dh.ad_dc
|
||||
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_freshness_invalid.ad_dc
|
||||
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_freshness_invalid_dh.ad_dc
|
||||
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_freshness_non_empty.ad_dc
|
||||
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_freshness_old.ad_dc
|
||||
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_freshness_old_dh.ad_dc
|
||||
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_freshness_rodc_dh.ad_dc
|
||||
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_freshness_rodc_ts.ad_dc
|
||||
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_freshness_wrong_header.ad_dc
|
||||
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_freshness_wrong_header_dh.ad_dc
|
||||
#
|
||||
# Windows 2000 PK-INIT tests
|
||||
#
|
||||
|
12
third_party/heimdal/appl/gssmask/gssmask.c
@ -646,7 +646,7 @@ static int
|
||||
HandleOP(GetVersionAndCapabilities)
|
||||
{
|
||||
int32_t cap = HAS_MONIKER;
|
||||
char name[256] = "unknown", *str;
|
||||
char *name = NULL, *str = NULL;
|
||||
int ret;
|
||||
|
||||
if (targetname)
|
||||
@ -656,13 +656,16 @@ HandleOP(GetVersionAndCapabilities)
|
||||
{
|
||||
struct utsname ut;
|
||||
if (uname(&ut) == 0) {
|
||||
snprintf(name, sizeof(name), "%s-%s-%s",
|
||||
ut.sysname, ut.version, ut.machine);
|
||||
if (asprintf(&name, "%s-%s-%s",
|
||||
ut.sysname, ut.version, ut.machine) == -1) {
|
||||
errx(1, "out of memory");
|
||||
}
|
||||
}
|
||||
}
|
||||
#endif
|
||||
|
||||
ret = asprintf(&str, "gssmask %s %s", PACKAGE_STRING, name);
|
||||
ret = asprintf(&str, "gssmask %s %s", PACKAGE_STRING,
|
||||
name ? name : "unknown");
|
||||
if (ret == -1)
|
||||
errx(1, "out of memory");
|
||||
|
||||
@ -670,6 +673,7 @@ HandleOP(GetVersionAndCapabilities)
|
||||
put32(c, cap);
|
||||
putstring(c, str);
|
||||
free(str);
|
||||
free(name);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
4
third_party/heimdal/cf/make-proto.pl
@ -4,7 +4,7 @@
|
||||
use Getopt::Std;
|
||||
use File::Compare;
|
||||
|
||||
use JSON;
|
||||
use JSON::PP
|
||||
|
||||
my $comment = 0;
|
||||
my $doxygen = 0;
|
||||
@ -70,7 +70,7 @@ if($opt_x) {
|
||||
my $EXP;
|
||||
local $/;
|
||||
open(EXP, '<', $opt_x) || die "open ${opt_x}";
|
||||
my $obj = JSON->new->utf8->decode(<EXP>);
|
||||
my $obj = JSON::PP->new->utf8->decode(<EXP>);
|
||||
close $EXP;
|
||||
|
||||
foreach my $x (keys %$obj) {
|
||||
|
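Review bot: The replacement line `use JSON::PP` in the first hunk has no terminating semicolon (unless the forge rendering dropped it), so Perl will parse the following `my $comment = 0;` as the import list of the `use` statement instead of as a separate declaration; it should read `use JSON::PP;`. Pre-existing but visible in the second hunk: the file is opened on the bareword handle `EXP` and read through `<EXP>`, while `close $EXP` closes the unrelated lexical declared by `my $EXP;`, which is still undef at that point. `open(my $EXP, '<', $opt_x) or die "open ${opt_x}: $!";` together with `<$EXP>` would make the three lines agree and report the errno on failure.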
9
third_party/heimdal/configure.ac
@ -56,7 +56,6 @@ if ! test -f "$srcdir/lib/asn1/der-protos.h" ||
|
||||
AC_KRB_PROG_PERL
|
||||
AC_KRB_PERL_MOD(Getopt::Std)
|
||||
AC_KRB_PERL_MOD(File::Compare)
|
||||
AC_KRB_PERL_MOD(JSON)
|
||||
fi
|
||||
|
||||
AC_KRB_PROG_YACC
|
||||
@ -764,16 +763,16 @@ if test -d "$srcdir/.git"; then
|
||||
#ifndef VERSION_HIDDEN
|
||||
#define VERSION_HIDDEN
|
||||
#endif
|
||||
VERSION_HIDDEN const char *heimdal_long_version = "@([#])\$Version: $PACKAGE_STRING by @USER@ on @HOST@ @BRANCH@ @TAG@ ($host) @COMMIT@ @DATE@ \$";
|
||||
VERSION_HIDDEN const char *heimdal_version = "AC_PACKAGE_STRING";
|
||||
VERSION_HIDDEN const char *const heimdal_long_version = "@([#])\$Version: $PACKAGE_STRING by @USER@ on @HOST@ @BRANCH@ @TAG@ ($host) @COMMIT@ @DATE@ \$";
|
||||
VERSION_HIDDEN const char *const heimdal_version = "AC_PACKAGE_STRING";
|
||||
EOF
|
||||
else
|
||||
cat > include/newversion.h.in <<EOF
|
||||
#ifndef VERSION_HIDDEN
|
||||
#define VERSION_HIDDEN
|
||||
#endif
|
||||
VERSION_HIDDEN const char *heimdal_long_version = "@([#])\$Version: $PACKAGE_STRING by @USER@ on @HOST@ ($host) @DATE@ \$";
|
||||
VERSION_HIDDEN const char *heimdal_version = "AC_PACKAGE_STRING";
|
||||
VERSION_HIDDEN const char *const heimdal_long_version = "@([#])\$Version: $PACKAGE_STRING by @USER@ on @HOST@ ($host) @DATE@ \$";
|
||||
VERSION_HIDDEN const char *const heimdal_version = "AC_PACKAGE_STRING";
|
||||
EOF
|
||||
fi
|
||||
|
||||
|
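Review bot: Dropping `AC_KRB_PERL_MOD(JSON)` leaves the JSON::PP dependency that cf/make-proto.pl now has unchecked at configure time; JSON::PP has shipped with core Perl since 5.14, so this only bites on older or stripped-down perls, but `AC_KRB_PERL_MOD(JSON::PP)` in its place would keep the dependency visible and fail early with a clear message, assuming the macro accepts a `::` module name as it does for `Getopt::Std` and `File::Compare`. The remaining hunks only add `const` to the generated version-string definitions.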
4
third_party/heimdal/include/NTMakefile
@ -111,8 +111,8 @@ while(<>) {
|
||||
|
||||
$(INCDIR)\version.h: ..\windows\NTMakefile.version NTMakefile
|
||||
$(CP) << $@
|
||||
const char *heimdal_long_version = "@(#)$$Version: $(VER_PACKAGE_NAME) $(VER_PACKAGE_VERSION) by $(USERNAME) on $(COMPUTERNAME) ($(CPU)-pc-windows) $$";
|
||||
const char *heimdal_version = "$(VER_PACKAGE_NAME) $(VER_PACKAGE_VERSION)";
|
||||
const char *const heimdal_long_version = "@(#)$$Version: $(VER_PACKAGE_NAME) $(VER_PACKAGE_VERSION) by $(USERNAME) on $(COMPUTERNAME) ($(CPU)-pc-windows) $$";
|
||||
const char *const heimdal_version = "$(VER_PACKAGE_NAME) $(VER_PACKAGE_VERSION)";
|
||||
<<
|
||||
|
||||
all:: $(INCFILES)
|
||||
|
19
third_party/heimdal/kadmin/check.c
@ -136,8 +136,9 @@ check(void *opt, int argc, char **argv)
|
||||
|
||||
ret = get_check_entry(p, &ent);
|
||||
if (ret) {
|
||||
printf("%s doesn't exist, are you sure %s is a realm in your database",
|
||||
p, realm);
|
||||
fprintf(stderr,
|
||||
"%s does not exist, are you sure %s is a realm in your database?\n",
|
||||
p, realm);
|
||||
free(p);
|
||||
goto fail;
|
||||
}
|
||||
@ -156,8 +157,9 @@ check(void *opt, int argc, char **argv)
|
||||
|
||||
ret = get_check_entry(p, &ent);
|
||||
if (ret) {
|
||||
printf("%s doesn't exist, "
|
||||
"there is no way to do remote administration", p);
|
||||
fprintf(stderr,
|
||||
"%s does not exist, there is no way to do remote administration.\n",
|
||||
p);
|
||||
free(p);
|
||||
goto fail;
|
||||
}
|
||||
@ -176,8 +178,9 @@ check(void *opt, int argc, char **argv)
|
||||
|
||||
ret = get_check_entry(p, &ent);
|
||||
if (ret) {
|
||||
printf("%s doesn't exist, "
|
||||
"there is no way to do change password", p);
|
||||
fprintf(stderr,
|
||||
"%s does not exist, there is no way to do change password.\n",
|
||||
p);
|
||||
free(p);
|
||||
goto fail;
|
||||
}
|
||||
@ -189,7 +192,7 @@ check(void *opt, int argc, char **argv)
|
||||
* Check default@REALM
|
||||
*
|
||||
* Check that disallow-all-tix is set on the default principal
|
||||
* (or that the entry doesn't exists)
|
||||
* (or that the entry does not exist)
|
||||
*/
|
||||
|
||||
if (asprintf(&p, "default@%s", realm) == -1) {
|
||||
@ -200,7 +203,7 @@ check(void *opt, int argc, char **argv)
|
||||
ret = get_check_entry(p, &ent);
|
||||
if (ret == 0) {
|
||||
if ((ent.attributes & KRB5_KDB_DISALLOW_ALL_TIX) == 0) {
|
||||
printf("default template entry is not disabled\n");
|
||||
fprintf(stderr, "default template entry is not disabled\n");
|
||||
ret = EINVAL;
|
||||
}
|
||||
kadm5_free_principal_ent(kadm_handle, &ent);
|
||||
|
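Review bot: The reworded message in the third hunk, `"%s does not exist, there is no way to do change password.\n"`, still reads awkwardly; `"%s does not exist, there is no way to change passwords.\n"` would match the style of the two messages above it. Moving these diagnostics to stderr with a trailing newline is the right call for a tool whose stdout may be consumed by scripts. check() begins and ends outside the hunks.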
62
third_party/heimdal/kadmin/kadmin.1
@ -473,25 +473,49 @@ The only policy supported by Heimdal is
|
||||
If a krb5 config file is given, it will be saved in the entry.
|
||||
.Pp
|
||||
Possible attributes are:
|
||||
.Li new-princ ,
|
||||
.Li support-desmd5 ,
|
||||
.Li pwchange-service ,
|
||||
.Li disallow-client ,
|
||||
.Li disallow-svr ,
|
||||
.Li requires-pw-change ,
|
||||
.Li requires-hw-auth ,
|
||||
.Li requires-pre-auth ,
|
||||
.Li allow-digest ,
|
||||
.Li trusted-for-delegation ,
|
||||
.Li ok-as-delegate ,
|
||||
.Li disallow-all-tix ,
|
||||
.Li disallow-dup-skey ,
|
||||
.Li disallow-proxiable ,
|
||||
.Li disallow-renewable ,
|
||||
.Li disallow-tgt-based ,
|
||||
.Li disallow-forwardable ,
|
||||
.Li disallow-postdated ,
|
||||
.Li no-auth-data-reqd
|
||||
.Bl -tag -width Ds
|
||||
.It new-princ
|
||||
not used
|
||||
.It support-desmd5
|
||||
not used
|
||||
.It pwchange-service
|
||||
for kadmin/admin style service principals
|
||||
.It requires-pw-change
|
||||
force the user to change their password
|
||||
.It requires-hw-auth
|
||||
.It requires-pre-auth
|
||||
.It allow-digest
|
||||
allow NTLM for this user in the KDC's digest service
|
||||
.It trusted-for-delegation
|
||||
.It ok-as-delegate
|
||||
allow forwarding of tickets to this service principal
|
||||
.It disallow-client
|
||||
disallow issuance of tickets for this principal as a client
|
||||
.It disallow-svr
|
||||
disallow issuance of tickets for this principal as a server
|
||||
.It disallow-all-tix
|
||||
disallow issuance of tickets for this principal as a client or
|
||||
server
|
||||
.It disallow-dup-skey
|
||||
not used
|
||||
.It disallow-proxiable
|
||||
disallow proxiable tickets
|
||||
.It disallow-renewable ,
|
||||
disallow reneable tickets
|
||||
.It disallow-tgt-based ,
|
||||
require initial tickets for this service, such as password
|
||||
changing services
|
||||
.It disallow-forwardable
|
||||
disallow forwardable tickets
|
||||
.It disallow-postdated
|
||||
disallow postdated tickets
|
||||
.It no-auth-data-reqd
|
||||
do not include a PAC in tickets issued to this service
|
||||
.It auth-data-reqd
|
||||
do include a PAC in tickets issued to this service even if the
|
||||
.Li disable_pac
|
||||
KDC configuration parameter is set to true
|
||||
.El
|
||||
.Pp
|
||||
Attributes may be negated with a "-", e.g.,
|
||||
.Pp
|
||||
|
1
third_party/heimdal/kadmin/util.c
@ -47,6 +47,7 @@ get_response(const char *prompt, const char *def, char *buf, size_t len);
|
||||
*/
|
||||
|
||||
struct units kdb_attrs[] = {
|
||||
{ "auth-data-reqd", KRB5_KDB_AUTH_DATA_REQUIRED },
|
||||
{ "no-auth-data-reqd", KRB5_KDB_NO_AUTH_DATA_REQUIRED },
|
||||
{ "disallow-client", KRB5_KDB_DISALLOW_CLIENT },
|
||||
{ "virtual", KRB5_KDB_VIRTUAL },
|
||||
|
15
third_party/heimdal/kcm/config.c
@ -36,6 +36,8 @@
|
||||
#include <getarg.h>
|
||||
#include <parse_bytes.h>
|
||||
|
||||
#define MAX_REQUEST_MAX 67108864ll /* 64MB, the maximum accepted value of max_request */
|
||||
|
||||
static const char *config_file; /* location of kcm config file */
|
||||
|
||||
size_t max_request = 0; /* maximal size of a request */
|
||||
@ -360,13 +362,16 @@ kcm_configure(int argc, char **argv)
|
||||
}
|
||||
|
||||
if (max_request_str) {
|
||||
ssize_t bytes;
|
||||
int64_t bytes;
|
||||
|
||||
if ((bytes = parse_bytes(max_request_str, NULL)) < 0)
|
||||
krb5_errx(kcm_context, 1,
|
||||
"--max-request size must be non-negative");
|
||||
if (bytes > MAX_REQUEST_MAX)
|
||||
krb5_errx(kcm_context, 1, "--max-request size is too big "
|
||||
"(must be smaller than %lld)", MAX_REQUEST_MAX);
|
||||
|
||||
max_request = bytes;
|
||||
max_request = bytes;
|
||||
}
|
||||
|
||||
if(max_request == 0){
|
||||
@ -376,11 +381,15 @@ kcm_configure(int argc, char **argv)
|
||||
"max-request",
|
||||
NULL);
|
||||
if (p) {
|
||||
ssize_t bytes;
|
||||
int64_t bytes;
|
||||
|
||||
if ((bytes = parse_bytes(max_request_str, NULL)) < 0)
|
||||
krb5_errx(kcm_context, 1,
|
||||
"[kcm] max-request size must be non-negative");
|
||||
if (bytes > MAX_REQUEST_MAX)
|
||||
krb5_errx(kcm_context, 1, "[kcm] max-request size is too big "
|
||||
"(must be smaller than %lld)", MAX_REQUEST_MAX);
|
||||
|
||||
max_request = bytes;
|
||||
}
|
||||
}
|
||||
|
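Review bot: The new range check in the `[kcm] max-request` branch is applied to `parse_bytes(max_request_str, NULL)`, but the value just read from the config file in that branch is `p`; `max_request_str` is the command-line option, which is absent or parsed to zero whenever this branch runs, so the config value is never actually applied and parse_bytes may be handed a NULL string. Unless parse_bytes tolerates NULL, that line should read `if ((bytes = parse_bytes(p, NULL)) < 0)`. The same pre-existing mismatch is visible in the `[kdc]` hunk of third_party/heimdal/kdc/config.c. Minor: the message says "must be smaller than %lld" while the check `bytes > MAX_REQUEST_MAX` permits equality; `"(must not exceed %lld)"` would match the condition. kcm_configure begins and ends outside the hunks.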
18
third_party/heimdal/kdc/config.c
@ -37,6 +37,8 @@
|
||||
#include <getarg.h>
|
||||
#include <parse_bytes.h>
|
||||
|
||||
#define MAX_REQUEST_MAX 67108864ll /* 64MB, the maximum accepted value of max_request */
|
||||
|
||||
struct dbinfo {
|
||||
char *realm;
|
||||
char *dbname;
|
||||
@ -222,11 +224,16 @@ configure(krb5_context context, int argc, char **argv, int *optidx)
|
||||
krb5_err(context, 1, ret, "krb5_kdc_set_dbinfo");
|
||||
|
||||
if (max_request_str) {
|
||||
ssize_t bytes;
|
||||
int64_t bytes;
|
||||
|
||||
if ((bytes = parse_bytes(max_request_str, NULL)) < 0)
|
||||
krb5_errx(context, 1, "--max-request must be non-negative");
|
||||
max_request_tcp = max_request_udp = bytes;
|
||||
|
||||
if (bytes > MAX_REQUEST_MAX)
|
||||
krb5_errx(context, 1, "--max-request size is too big "
|
||||
"(must be smaller than %lld)", MAX_REQUEST_MAX);
|
||||
|
||||
max_request_tcp = max_request_udp = bytes;
|
||||
}
|
||||
|
||||
if(max_request_tcp == 0){
|
||||
@ -236,10 +243,15 @@ configure(krb5_context context, int argc, char **argv, int *optidx)
|
||||
"max-request",
|
||||
NULL);
|
||||
if (p) {
|
||||
ssize_t bytes;
|
||||
int64_t bytes;
|
||||
|
||||
if ((bytes = parse_bytes(max_request_str, NULL)) < 0)
|
||||
krb5_errx(context, 1, "[kdc] max-request must be non-negative");
|
||||
|
||||
if (bytes > MAX_REQUEST_MAX)
|
||||
krb5_errx(context, 1, "[kdc] max-request size is too big "
|
||||
"(must be smaller than %lld)", MAX_REQUEST_MAX);
|
||||
|
||||
max_request_tcp = max_request_udp = bytes;
|
||||
}
|
||||
}
|
||||
|
17
third_party/heimdal/kdc/default_config.c
@ -101,11 +101,13 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
|
||||
c->strict_nametypes = FALSE;
|
||||
c->trpolicy = TRPOLICY_ALWAYS_CHECK;
|
||||
c->require_pac = FALSE;
|
||||
c->disable_pac = FALSE;
|
||||
c->enable_fast = TRUE;
|
||||
c->enable_fast_cookie = TRUE;
|
||||
c->enable_armored_pa_enc_timestamp = TRUE;
|
||||
c->enable_unarmored_pa_enc_timestamp = TRUE;
|
||||
c->enable_pkinit = FALSE;
|
||||
c->require_pkinit_freshness = FALSE;
|
||||
c->pkinit_princ_in_cert = TRUE;
|
||||
c->pkinit_require_binding = TRUE;
|
||||
c->synthetic_clients = FALSE;
|
||||
@ -264,6 +266,14 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
|
||||
"require_pac",
|
||||
NULL);
|
||||
|
||||
c->disable_pac =
|
||||
krb5_config_get_bool_default(context,
|
||||
NULL,
|
||||
c->disable_pac,
|
||||
"kdc",
|
||||
"disable_pac",
|
||||
NULL);
|
||||
|
||||
c->enable_fast =
|
||||
krb5_config_get_bool_default(context,
|
||||
NULL,
|
||||
@ -304,6 +314,13 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
|
||||
"enable-pkinit",
|
||||
NULL);
|
||||
|
||||
c->require_pkinit_freshness =
|
||||
krb5_config_get_bool_default(context,
|
||||
NULL,
|
||||
c->require_pkinit_freshness,
|
||||
"kdc",
|
||||
"require-pkinit-freshness",
|
||||
NULL);
|
||||
|
||||
c->pkinit_kdc_identity =
|
||||
krb5_config_get_string(context, NULL,
|
||||
|
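Review bot: The two new `[kdc]` keys read here, `disable_pac` and `require-pkinit-freshness`, are not documented anywhere in the visible part of this commit; if the krb5.conf manual is updated elsewhere in the import that is fine, otherwise each deserves an entry giving its default (both FALSE per the first hunk) and, for `require-pkinit-freshness`, that a PKINIT request carrying no freshness token is then rejected with KRB5KDC_ERR_PREAUTH_FAILED, as the pkinit.c hunk shows. The spelling is mixed, underscore in `disable_pac` versus hyphen in `require-pkinit-freshness`; each follows its nearest neighbour (`require_pac`, `enable-pkinit`) but the new pair is inconsistent with itself, and a short comment stating which form the parser expects would save operators a silent-misconfiguration hunt. krb5_kdc_get_config begins and ends outside the hunks.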
1
third_party/heimdal/kdc/httpkadmind.c
@ -1274,6 +1274,7 @@ make_kstuple(krb5_context context,
|
||||
|
||||
/* Copied from kadmin/util.c */
|
||||
struct units kdb_attrs[] = {
|
||||
{ "auth-data-reqd", KRB5_KDB_AUTH_DATA_REQUIRED },
|
||||
{ "no-auth-data-reqd", KRB5_KDB_NO_AUTH_DATA_REQUIRED },
|
||||
{ "disallow-client", KRB5_KDB_DISALLOW_CLIENT },
|
||||
{ "virtual", KRB5_KDB_VIRTUAL },
|
||||
|
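Review bot: The `kdb_attrs` table here is, as its comment says, a copy of the one in kadmin/util.c, and this commit had to add the `auth-data-reqd` row in both places by hand; a single definition in a shared header, or exporting the table from one translation unit, would stop the two from drifting the next time an attribute flag is introduced. The table continues outside the hunk.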
2
third_party/heimdal/kdc/kdc_locl.h
@ -86,9 +86,11 @@ struct krb5_kdc_configuration {
|
||||
unsigned int strict_nametypes : 1;
|
||||
enum krb5_kdc_trpolicy trpolicy;
|
||||
|
||||
unsigned int disable_pac : 1;
|
||||
unsigned int enable_unarmored_pa_enc_timestamp : 1;
|
||||
|
||||
unsigned int enable_pkinit : 1;
|
||||
unsigned int require_pkinit_freshness : 1;
|
||||
unsigned int pkinit_princ_in_cert : 1;
|
||||
const char *pkinit_kdc_identity;
|
||||
const char *pkinit_kdc_anchors;
|
||||
|
191
third_party/heimdal/kdc/kerberos5.c
@ -585,6 +585,13 @@ pa_pkinit_validate(astgs_request_t r, const PA_DATA *pa)
|
||||
goto out;
|
||||
}
|
||||
|
||||
/* Validate the freshness token. */
|
||||
ret = _kdc_pk_validate_freshness_token(r, pkp);
|
||||
if (ret) {
|
||||
_kdc_r_log(r, 4, "Failed to validate freshness token");
|
||||
goto out;
|
||||
}
|
||||
|
||||
ret = _kdc_pk_check_client(r, pkp, &client_cert);
|
||||
if (client_cert)
|
||||
kdc_audit_addkv((kdc_request_t)r, 0, KDC_REQUEST_KV_PKINIT_CLIENT_CERT,
|
||||
@ -615,6 +622,12 @@ pa_pkinit_validate(astgs_request_t r, const PA_DATA *pa)
|
||||
kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT,
|
||||
KDC_AUTH_EVENT_PREAUTH_SUCCEEDED);
|
||||
|
||||
/*
|
||||
* Match Windows by preferring the authenticator nonce over the one in the
|
||||
* request body.
|
||||
*/
|
||||
r->ek.nonce = _kdc_pk_nonce(pkp);
|
||||
|
||||
out:
|
||||
if (pkp)
|
||||
_kdc_pk_free_client_param(r->context, pkp);
|
||||
@ -1273,6 +1286,109 @@ pa_enc_ts_validate(astgs_request_t r, const PA_DATA *pa)
|
||||
return ret;
|
||||
}
|
||||
|
||||
#ifdef PKINIT
|
||||
|
||||
static krb5_error_code
|
||||
make_freshness_token(astgs_request_t r, const Key *krbtgt_key, unsigned krbtgt_kvno)
|
||||
{
|
||||
krb5_error_code ret = 0;
|
||||
const struct timeval current_kdc_time = krb5_kdc_get_time();
|
||||
int usec = current_kdc_time.tv_usec;
|
||||
const PA_ENC_TS_ENC ts_enc = {
|
||||
.patimestamp = current_kdc_time.tv_sec,
|
||||
.pausec = &usec,
|
||||
};
|
||||
unsigned char *encoded_ts_enc = NULL;
|
||||
size_t ts_enc_size;
|
||||
size_t ts_enc_len = 0;
|
||||
EncryptedData encdata;
|
||||
krb5_crypto crypto;
|
||||
unsigned char *token = NULL;
|
||||
size_t token_size;
|
||||
size_t token_len = 0;
|
||||
size_t token_alloc_size;
|
||||
|
||||
ASN1_MALLOC_ENCODE(PA_ENC_TS_ENC,
|
||||
encoded_ts_enc,
|
||||
ts_enc_size,
|
||||
&ts_enc,
|
||||
&ts_enc_len,
|
||||
ret);
|
||||
if (ret)
|
||||
return ret;
|
||||
if (ts_enc_size != ts_enc_len)
|
||||
krb5_abortx(r->context, "internal error in ASN.1 encoder");
|
||||
|
||||
ret = krb5_crypto_init(r->context, &krbtgt_key->key, 0, &crypto);
|
||||
if (ret) {
|
||||
free(encoded_ts_enc);
|
||||
return ret;
|
||||
}
|
||||
|
||||
ret = krb5_encrypt_EncryptedData(r->context,
|
||||
crypto,
|
||||
KRB5_KU_AS_FRESHNESS,
|
||||
encoded_ts_enc,
|
||||
ts_enc_len,
|
||||
krbtgt_kvno,
|
||||
&encdata);
|
||||
free(encoded_ts_enc);
|
||||
krb5_crypto_destroy(r->context, crypto);
|
||||
if (ret)
|
||||
return ret;
|
||||
|
||||
token_size = length_EncryptedData(&encdata);
|
||||
token_alloc_size = token_size + 2; /* Account for the two leading zero bytes. */
|
||||
token = calloc(1, token_alloc_size);
|
||||
if (token == NULL) {
|
||||
free_EncryptedData(&encdata);
|
||||
return ENOMEM;
|
||||
}
|
||||
|
||||
ret = encode_EncryptedData(token + token_alloc_size - 1,
|
||||
token_size,
|
||||
&encdata,
|
||||
&token_len);
|
||||
free_EncryptedData(&encdata);
|
||||
if (ret) {
|
||||
free(token);
|
||||
return ret;
|
||||
}
|
||||
if (token_size != token_len)
|
||||
krb5_abortx(r->context, "internal error in ASN.1 encoder");
|
||||
|
||||
ret = krb5_padata_add(r->context,
|
||||
r->rep.padata,
|
||||
KRB5_PADATA_AS_FRESHNESS,
|
||||
token,
|
||||
token_alloc_size);
|
||||
if (ret)
|
||||
free(token);
|
||||
return ret;
|
||||
}
|
||||
|
||||
#endif /* PKINIT */
|
||||
|
||||
static krb5_error_code
|
||||
send_freshness_token(astgs_request_t r, const Key *krbtgt_key, unsigned krbtgt_kvno)
|
||||
{
|
||||
krb5_error_code ret = 0;
|
||||
#ifdef PKINIT
|
||||
int idx = 0;
|
||||
const PA_DATA *freshness_padata = NULL;
|
||||
|
||||
freshness_padata = _kdc_find_padata(&r->req,
|
||||
&idx,
|
||||
KRB5_PADATA_AS_FRESHNESS);
|
||||
if (freshness_padata == NULL) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
ret = make_freshness_token(r, krbtgt_key, krbtgt_kvno);
|
||||
#endif /* PKINIT */
|
||||
return ret;
|
||||
}
|
||||
|
||||
struct kdc_patypes {
|
||||
int type;
|
||||
const char *name;
|
||||
@ -1629,8 +1745,8 @@ get_pa_etype_info(krb5_context context,
|
||||
*
|
||||
*/
|
||||
|
||||
extern int _krb5_AES_SHA1_string_to_default_iterator;
|
||||
extern int _krb5_AES_SHA2_string_to_default_iterator;
|
||||
extern const int _krb5_AES_SHA1_string_to_default_iterator;
|
||||
extern const int _krb5_AES_SHA2_string_to_default_iterator;
|
||||
|
||||
static krb5_error_code
|
||||
make_s2kparams(int value, size_t len, krb5_data **ps2kparams)
|
||||
@ -2365,6 +2481,7 @@ _kdc_as_rep(astgs_request_t r)
|
||||
krb5_boolean is_tgs;
|
||||
const char *msg;
|
||||
Key *krbtgt_key;
|
||||
unsigned krbtgt_kvno;
|
||||
|
||||
memset(rep, 0, sizeof(*rep));
|
||||
|
||||
@ -2531,6 +2648,36 @@ _kdc_as_rep(astgs_request_t r)
|
||||
goto out;
|
||||
}
|
||||
|
||||
/*
|
||||
* Select the best encryption type for the KDC without regard to
|
||||
* the client since the client never needs to read that data.
|
||||
*/
|
||||
|
||||
ret = _kdc_get_preferred_key(r->context, config,
|
||||
r->server, r->sname,
|
||||
&setype, &skey);
|
||||
if(ret)
|
||||
goto out;
|
||||
|
||||
/* If server is not krbtgt, fetch local krbtgt key for signing authdata */
|
||||
if (is_tgs) {
|
||||
krbtgt_key = skey;
|
||||
krbtgt_kvno = r->server->kvno;
|
||||
} else {
|
||||
ret = get_local_tgs(r->context, config, r->server_princ->realm,
|
||||
&r->krbtgtdb, &r->krbtgt);
|
||||
if (ret)
|
||||
goto out;
|
||||
|
||||
ret = _kdc_get_preferred_key(r->context, config, r->krbtgt,
|
||||
r->server_princ->realm,
|
||||
NULL, &krbtgt_key);
|
||||
if (ret)
|
||||
goto out;
|
||||
|
||||
krbtgt_kvno = r->server->kvno;
|
||||
}
|
||||
|
||||
/*
|
||||
* Pre-auth processing
|
||||
*/
|
||||
@ -2654,6 +2801,14 @@ _kdc_as_rep(astgs_request_t r)
|
||||
goto out;
|
||||
}
|
||||
|
||||
/*
|
||||
* If the client indicated support for PKINIT Freshness, send back a
|
||||
* freshness token.
|
||||
*/
|
||||
ret = send_freshness_token(r, krbtgt_key, krbtgt_kvno);
|
||||
if (ret)
|
||||
goto out;
|
||||
|
||||
/*
|
||||
* send requre preauth is its required or anon is requested,
|
||||
* anon is today only allowed via preauth mechanisms.
|
||||
@ -2690,33 +2845,6 @@ _kdc_as_rep(astgs_request_t r)
|
||||
kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT,
|
||||
KDC_AUTH_EVENT_CLIENT_AUTHORIZED);
|
||||
|
||||
/*
|
||||
* Select the best encryption type for the KDC with out regard to
|
||||
* the client since the client never needs to read that data.
|
||||
*/
|
||||
|
||||
ret = _kdc_get_preferred_key(r->context, config,
|
||||
r->server, r->sname,
|
||||
&setype, &skey);
|
||||
if(ret)
|
||||
goto out;
|
||||
|
||||
/* If server is not krbtgt, fetch local krbtgt key for signing authdata */
|
||||
if (is_tgs) {
|
||||
krbtgt_key = skey;
|
||||
} else {
|
||||
ret = get_local_tgs(r->context, config, r->server_princ->realm,
|
||||
&r->krbtgtdb, &r->krbtgt);
|
||||
if (ret)
|
||||
goto out;
|
||||
|
||||
ret = _kdc_get_preferred_key(r->context, config, r->krbtgt,
|
||||
r->server_princ->realm,
|
||||
NULL, &krbtgt_key);
|
||||
if (ret)
|
||||
goto out;
|
||||
}
|
||||
|
||||
if(f.renew || f.validate || f.proxy || f.forwarded || f.enc_tkt_in_skey) {
|
||||
ret = KRB5KDC_ERR_BADOPTION;
|
||||
_kdc_set_e_text(r, "Bad KDC options");
|
||||
@ -2925,7 +3053,10 @@ _kdc_as_rep(astgs_request_t r)
|
||||
r->ek.last_req.val[r->ek.last_req.len].lr_value = 0;
|
||||
++r->ek.last_req.len;
|
||||
}
|
||||
r->ek.nonce = b->nonce;
|
||||
/* Set the nonce if it’s not already set. */
|
||||
if (!r->ek.nonce) {
|
||||
r->ek.nonce = b->nonce;
|
||||
}
|
||||
if (r->client->valid_end || r->client->pw_end) {
|
||||
ALLOC(r->ek.key_expiration);
|
||||
if (r->client->valid_end) {
|
||||
|
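Review bot: In the relocated krbtgt-key block of _kdc_as_rep, the non-TGS branch fetches the signing key from `r->krbtgt` but then records `krbtgt_kvno = r->server->kvno;`, so a freshness token issued for an AS request to a service other than krbtgt is encrypted under the krbtgt key while its EncryptedData kvno names the service entry's version. The validator in pkinit.c looks the key up on the krbtgt entry by that kvno (`hdb_kvno2keys(r->context, krbtgt, kvno)`), so whenever the two entries' kvnos differ the lookup may select a different key or none and a legitimately fresh token is rejected; `krbtgt_kvno = r->krbtgt->kvno;` looks like the intended line, worth confirming against upstream. In make_freshness_token, `token + token_alloc_size - 1` relies on the ASN.1 encoder filling the buffer backwards from its last byte; a comment such as `/* encode_* fills the buffer from its end, leaving bytes 0-1 as the required zero prefix. */` would spare the next reader a trip to the encoder. _kdc_as_rep and the struct following send_freshness_token continue outside the hunks.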
4
third_party/heimdal/kdc/misc.c
@ -331,6 +331,10 @@ _kdc_verify_checksum(krb5_context context,
|
||||
* tickets, policy is governed by whether the client explicitly requested
|
||||
* a PAC be omitted when requesting a TGT, or if the no-auth-data-reqd
|
||||
* flag is set on the service principal entry.
|
||||
*
|
||||
* However, when issuing a cross-realm TGT to an AD realm our PAC might not
|
||||
* interoperate correctly. Therefore we honor the no-auth-data-reqd HDB entry
|
||||
* flag on cross-realm TGTs.
|
||||
*/
|
||||
|
||||
krb5_boolean
|
||||
|
177
third_party/heimdal/kdc/pkinit.c
@ -67,6 +67,7 @@ struct pk_client_params {
|
||||
hx509_peer_info peer;
|
||||
hx509_certs client_anchors;
|
||||
hx509_verify_ctx verify_ctx;
|
||||
heim_octet_string *freshness_token;
|
||||
};
|
||||
|
||||
struct pk_principal_mapping {
|
||||
@ -681,6 +682,7 @@ _kdc_pk_rd_padata(astgs_request_t priv,
|
||||
ret = KRB5KRB_ERR_GENERIC;
|
||||
krb5_set_error_message(context, ret,
|
||||
"DH not supported for Win2k");
|
||||
free_AuthPack_Win2k(&ap);
|
||||
goto out;
|
||||
}
|
||||
free_AuthPack_Win2k(&ap);
|
||||
@ -766,6 +768,25 @@ _kdc_pk_rd_padata(astgs_request_t priv,
|
||||
hx509_peer_info_add_cms_alg(context->hx509ctx, cp->peer,
|
||||
hx509_signature_sha1());
|
||||
}
|
||||
|
||||
/*
|
||||
* Copy the freshness token into the out parameters if it is present.
|
||||
*/
|
||||
if (ap.pkAuthenticator.freshnessToken != NULL) {
|
||||
cp->freshness_token = calloc(1, sizeof (cp->freshness_token));
|
||||
if (cp->freshness_token == NULL) {
|
||||
ret = ENOMEM;
|
||||
free_AuthPack(&ap);
|
||||
goto out;
|
||||
}
|
||||
|
||||
ret = der_copy_octet_string(ap.pkAuthenticator.freshnessToken, cp->freshness_token);
|
||||
if (ret) {
|
||||
free_AuthPack(&ap);
|
||||
goto out;
|
||||
}
|
||||
}
|
||||
|
||||
free_AuthPack(&ap);
|
||||
} else
|
||||
krb5_abortx(context, "internal pkinit error");
|
||||
@ -800,6 +821,12 @@ _kdc_pk_max_life(pk_client_params *pkp)
|
||||
return pkp->max_life;
|
||||
}
|
||||
|
||||
unsigned
|
||||
_kdc_pk_nonce(pk_client_params *pkp)
|
||||
{
|
||||
return pkp->nonce;
|
||||
}
|
||||
|
||||
/*
|
||||
*
|
||||
*/
|
||||
@ -1813,6 +1840,156 @@ _kdc_pk_check_client(astgs_request_t r,
|
||||
return ret;
|
||||
}
|
||||
|
||||
krb5_error_code
|
||||
_kdc_pk_validate_freshness_token(astgs_request_t r,
|
||||
pk_client_params *cp)
|
||||
{
|
||||
krb5_error_code ret = 0;
|
||||
uint8_t *token_data = NULL;
|
||||
size_t token_len;
|
||||
uint8_t *remaining_token_data = NULL;
|
||||
size_t remaining_len;
|
||||
EncryptedData enc_data;
|
||||
size_t size;
|
||||
const hdb_entry *krbtgt = NULL;
|
||||
krb5_kvno kvno;
|
||||
const Keys *keys = NULL;
|
||||
Key *key = NULL;
|
||||
krb5_crypto crypto;
|
||||
krb5_data ts_data;
|
||||
PA_ENC_TS_ENC ts_enc;
|
||||
long time_diff;
|
||||
|
||||
if (cp->freshness_token == NULL) {
|
||||
if (r->config->require_pkinit_freshness) {
|
||||
ret = KRB5KDC_ERR_PREAUTH_FAILED;
|
||||
kdc_log(r->context, r->config, 0, "PKINIT request is missing required freshness token");
|
||||
}
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
token_data = cp->freshness_token->data;
|
||||
token_len = cp->freshness_token->length;
|
||||
|
||||
/* Ensure that the token be not empty. */
|
||||
if (token_data == NULL) {
|
||||
kdc_log(r->context, r->config, 0, "Got empty freshness token");
|
||||
return KRB5KDC_ERR_PREAUTH_FAILED;
|
||||
}
|
||||
|
||||
/* Ensure that the two leading bytes are zero. */
|
||||
if (token_len < 2 || token_data[0] || token_data[1]) {
|
||||
kdc_log(r->context, r->config, 0, "Freshness token contains invalid data");
|
||||
return KRB5KRB_AP_ERR_MODIFIED;
|
||||
}
|
||||
|
||||
/* Decrypt the freshness token. */
|
||||
|
||||
remaining_token_data = token_data + 2;
|
||||
remaining_len = token_len - 2;
|
||||
|
||||
ret = decode_EncryptedData(remaining_token_data, remaining_len, &enc_data, &size);
|
||||
if (ret) {
|
||||
kdc_log(r->context, r->config, 0, "Failed to decode freshness token");
|
||||
return KRB5KRB_AP_ERR_MODIFIED;
|
||||
}
|
||||
if (size != remaining_len) {
|
||||
kdc_log(r->context, r->config, 0, "Trailing data in EncryptedData of freshness token");
|
||||
free_EncryptedData(&enc_data);
|
||||
return KRB5KRB_AP_ERR_MODIFIED;
|
||||
}
|
||||
|
||||
krbtgt = (r->krbtgt != NULL) ? r->krbtgt : r->server;
|
||||
kvno = (enc_data.kvno != NULL) ? *enc_data.kvno : 0;
|
||||
|
||||
/* We will only accept freshness tokens signed by our local krbtgt. */
|
||||
keys = hdb_kvno2keys(r->context, krbtgt, kvno);
|
||||
if (keys == NULL) {
|
||||
kdc_log(r->context, r->config, 0,
|
||||
"No key with kvno %"PRId32" to decrypt freshness token",
|
||||
kvno);
|
||||
free_EncryptedData(&enc_data);
|
||||
return KRB5KDC_ERR_PREAUTH_FAILED;
|
||||
}
|
||||
|
||||
ret = hdb_enctype2key(r->context, r->client, keys,
|
||||
enc_data.etype, &key);
|
||||
if (ret) {
|
||||
kdc_log(r->context, r->config, 0,
|
||||
"No key with kvno %"PRId32", enctype %d to decrypt freshness token",
|
||||
kvno, enc_data.etype);
|
||||
free_EncryptedData(&enc_data);
|
||||
return KRB5KDC_ERR_PREAUTH_FAILED;
|
||||
}
|
||||
|
||||
ret = krb5_crypto_init(r->context, &key->key, 0, &crypto);
|
||||
if (ret) {
|
||||
const char *msg = krb5_get_error_message(r->context, ret);
|
||||
kdc_log(r->context, r->config, 0,
|
||||
"While attempting to decrypt freshness token, krb5_crypto_init failed: %s", msg);
|
||||
krb5_free_error_message(r->context, msg);
|
||||
|
||||
free_EncryptedData(&enc_data);
|
||||
return ret;
|
||||
}
|
||||
|
||||
ret = krb5_decrypt_EncryptedData(r->context,
|
||||
crypto,
|
||||
KRB5_KU_AS_FRESHNESS,
|
||||
&enc_data,
|
||||
&ts_data);
|
||||
krb5_crypto_destroy(r->context, crypto);
|
||||
free_EncryptedData(&enc_data);
|
||||
if (ret) {
|
||||
kdc_log(r->context, r->config, 0, "Failed to decrypt freshness token");
|
||||
|
||||
free_EncryptedData(&enc_data);
|
||||
return KRB5KRB_AP_ERR_MODIFIED;
|
||||
}
|
||||
|
||||
/* Decode the timestamp. */
|
||||
|
||||
ret = decode_PA_ENC_TS_ENC(ts_data.data,
|
||||
ts_data.length,
|
||||
&ts_enc,
|
||||
&size);
|
||||
if (ret) {
|
||||
kdc_log(r->context, r->config, 0, "Failed to decode PA-ENC-TS-ENC in freshness token");
|
||||
krb5_data_free(&ts_data);
|
||||
return KRB5KRB_AP_ERR_MODIFIED;
|
||||
}
|
||||
if (size != ts_data.length) {
|
||||
kdc_log(r->context, r->config, 0, "Trailing data in PA-ENC-TS-ENC of freshness token");
|
||||
free_PA_ENC_TS_ENC(&ts_enc);
|
||||
krb5_data_free(&ts_data);
|
||||
return KRB5KRB_AP_ERR_MODIFIED;
|
||||
}
|
||||
krb5_data_free(&ts_data);
|
||||
|
||||
time_diff = labs(kdc_time - ts_enc.patimestamp);
|
||||
if (time_diff > r->context->max_skew) {
|
||||
char token_time[100];
|
||||
|
||||
krb5_format_time(r->context, ts_enc.patimestamp,
|
||||
token_time, sizeof(token_time), TRUE);
|
||||
|
||||
kdc_log(r->context, r->config, 4, "Freshness token has too large time skew: "
|
||||
"time in token %s is out by %ld > %ld seconds — %s",
|
||||
token_time,
|
||||
time_diff,
|
||||
r->context->max_skew,
|
||||
r->cname);
|
||||
|
||||
r->e_text = NULL;
|
||||
free_PA_ENC_TS_ENC(&ts_enc);
|
||||
return KRB5_KDC_ERR_PREAUTH_EXPIRED;
|
||||
}
|
||||
|
||||
free_PA_ENC_TS_ENC(&ts_enc);
|
||||
return 0;
|
||||
}
|
||||
|
||||
static krb5_error_code
|
||||
add_principal_mapping(krb5_context context,
|
||||
const char *principal_name,
|
||||
|
78
third_party/heimdal/kuser/kinit.c
vendored
78
third_party/heimdal/kuser/kinit.c
vendored
@ -779,29 +779,81 @@ get_new_tickets(krb5_context context,
|
||||
|
||||
#ifdef HAVE_FRAMEWORK_SECURITY
|
||||
if (passwd[0] == '\0') {
|
||||
enum querykey {
|
||||
qk_class, qk_matchlimit, qk_service, qk_account, qk_secreturndata,
|
||||
};
|
||||
const void *querykeys[] = {
|
||||
[qk_class] = kSecClass,
|
||||
[qk_matchlimit] = kSecMatchLimit,
|
||||
[qk_service] = kSecAttrService,
|
||||
[qk_account] = kSecAttrAccount,
|
||||
[qk_secreturndata] = kSecReturnData,
|
||||
};
|
||||
const void *queryargs[] = {
|
||||
[qk_class] = kSecClassGenericPassword,
|
||||
[qk_matchlimit] = kSecMatchLimitOne,
|
||||
[qk_service] = NULL, /* filled in later */
|
||||
[qk_account] = NULL, /* filled in later */
|
||||
[qk_secreturndata] = kCFBooleanTrue,
|
||||
};
|
||||
CFStringRef service_ref = NULL;
|
||||
CFStringRef account_ref = NULL;
|
||||
CFDictionaryRef query_ref = NULL;
|
||||
const char *realm;
|
||||
OSStatus osret;
|
||||
UInt32 length;
|
||||
void *buffer;
|
||||
char *name;
|
||||
char *name = NULL;
|
||||
CFTypeRef item_ref = NULL;
|
||||
CFDataRef item;
|
||||
CFIndex length;
|
||||
|
||||
realm = krb5_principal_get_realm(context, principal);
|
||||
|
||||
ret = krb5_unparse_name_flags(context, principal,
|
||||
KRB5_PRINCIPAL_UNPARSE_NO_REALM, &name);
|
||||
if (ret)
|
||||
goto nopassword;
|
||||
goto fail;
|
||||
|
||||
osret = SecKeychainFindGenericPassword(NULL, strlen(realm), realm,
|
||||
strlen(name), name,
|
||||
&length, &buffer, NULL);
|
||||
service_ref = CFStringCreateWithCString(kCFAllocatorDefault, realm,
|
||||
kCFStringEncodingUTF8);
|
||||
if (service_ref == NULL)
|
||||
goto fail;
|
||||
|
||||
account_ref = CFStringCreateWithCString(kCFAllocatorDefault, name,
|
||||
kCFStringEncodingUTF8);
|
||||
if (account_ref == NULL)
|
||||
goto fail;
|
||||
|
||||
queryargs[qk_service] = service_ref;
|
||||
queryargs[qk_account] = account_ref;
|
||||
query_ref = CFDictionaryCreate(kCFAllocatorDefault,
|
||||
querykeys, queryargs,
|
||||
/*numValues*/sizeof(querykeys)/sizeof(querykeys[0]),
|
||||
/*keyCallbacks*/NULL, /*valueCallbacks*/NULL);
|
||||
if (query_ref == NULL)
|
||||
goto fail;
|
||||
|
||||
osret = SecItemCopyMatching(query_ref, &item_ref);
|
||||
if (osret != noErr)
|
||||
goto fail;
|
||||
|
||||
item = item_ref;
|
||||
length = CFDataGetLength(item);
|
||||
if (length >= sizeof(passwd) - 1)
|
||||
goto fail;
|
||||
|
||||
CFDataGetBytes(item, CFRangeMake(0, length), (UInt8 *)passwd);
|
||||
passwd[length] = '\0';
|
||||
|
||||
fail:
|
||||
if (item_ref)
|
||||
CFRelease(item_ref);
|
||||
if (query_ref)
|
||||
CFRelease(query_ref);
|
||||
if (account_ref)
|
||||
CFRelease(account_ref);
|
||||
if (service_ref)
|
||||
CFRelease(service_ref);
|
||||
free(name);
|
||||
if (osret == noErr && length < sizeof(passwd) - 1) {
|
||||
memcpy(passwd, buffer, length);
|
||||
passwd[length] = '\0';
|
||||
}
|
||||
nopassword:
|
||||
do { } while(0);
|
||||
}
|
||||
#endif
|
||||
|
||||
|
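Review bot: `item = item_ref;` treats the CFTypeRef returned by SecItemCopyMatching as a CFDataRef without checking its type; with kSecReturnData set to kCFBooleanTrue and kSecMatchLimitOne the documented result is a CFData, but a guard such as `if (CFGetTypeID(item_ref) != CFDataGetTypeID()) goto fail;` placed before `length = CFDataGetLength(item);` would send any unexpected item through the existing cleanup instead of misreading it. The bound `if (length >= sizeof(passwd) - 1) goto fail;` also rejects a password that exactly fills the buffer, because the following `passwd[length] = '\0';` only needs `length <= sizeof(passwd) - 1`; `if (length > sizeof(passwd) - 1)` keeps the terminator in range while accepting that case (the removed SecKeychainFindGenericPassword path had the same off-by-one, so this is carried over rather than introduced). The enclosing get_new_tickets starts and ends outside the hunk.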
2
third_party/heimdal/lib/asn1/Makefile.am
vendored
2
third_party/heimdal/lib/asn1/Makefile.am
vendored
@ -4,7 +4,7 @@ include $(top_srcdir)/Makefile.am.common
|
||||
|
||||
WFLAGS += $(WFLAGS_ENUM_CONV)
|
||||
|
||||
YFLAGS = -o asn1parse.c -t
|
||||
AM_YFLAGS = -d -o asn1parse.c -t
|
||||
|
||||
AM_CPPFLAGS += $(ROKEN_RENAME) -I$(top_builddir)/include -I$(top_srcdir)/lib/base
|
||||
|
||||
|
18
third_party/heimdal/lib/asn1/check-gen.c
vendored
18
third_party/heimdal/lib/asn1/check-gen.c
vendored
@ -54,6 +54,12 @@
|
||||
static int my_copy_vers_called;
|
||||
static int my_free_vers_called;
|
||||
|
||||
#include <limits.h>
|
||||
#if UINT_MAX == 0xffffffff
|
||||
// 32 bit
|
||||
#define DISABLE_TEST_64
|
||||
#endif
|
||||
|
||||
int
|
||||
my_copy_vers(const my_vers *from, my_vers *to)
|
||||
{
|
||||
@ -2143,17 +2149,21 @@ static int
|
||||
test_default(void)
|
||||
{
|
||||
struct test_case tests[] = {
|
||||
#ifndef DISABLE_TEST_64
|
||||
{ NULL, 2, "\x30\x00", NULL },
|
||||
#endif
|
||||
{ NULL, 25,
|
||||
"\x30\x17\x0c\x07\x68\x65\x69\x6d\x64\x61"
|
||||
"\x6c\xa0\x03\x02\x01\x07\x02\x04\x7f\xff"
|
||||
"\xff\xff\x01\x01\x00",
|
||||
NULL
|
||||
},
|
||||
#ifndef DISABLE_TEST_64
|
||||
{ NULL, 10,
|
||||
"\x30\x08\xa0\x03\x02\x01\x07\x01\x01\x00",
|
||||
NULL
|
||||
},
|
||||
#endif
|
||||
{ NULL, 17,
|
||||
"\x30\x0f\x0c\x07\x68\x65\x69\x6d\x64\x61\x6c\x02\x04"
|
||||
"\x7f\xff\xff\xff",
|
||||
@ -2162,9 +2172,13 @@ test_default(void)
|
||||
};
|
||||
|
||||
TESTDefault values[] = {
|
||||
{ "Heimdal", 8, 9223372036854775807, 1 },
|
||||
#ifndef DISABLE_TEST_64
|
||||
{ "Heimdal", 8, 9223372036854775807LL, 1 },
|
||||
#endif
|
||||
{ "heimdal", 7, 2147483647, 0 },
|
||||
{ "Heimdal", 7, 9223372036854775807, 0 },
|
||||
#ifndef DISABLE_TEST_64
|
||||
{ "Heimdal", 7, 9223372036854775807LL, 0 },
|
||||
#endif
|
||||
{ "heimdal", 8, 2147483647, 1 },
|
||||
};
|
||||
int i, ret;
|
||||
|
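Review bot: `#if UINT_MAX == 0xffffffff` does not isolate 32-bit targets: `unsigned int` is 32 bits on the LP64 platforms Heimdal is mostly built on (x86_64/aarch64 Linux, macOS, the BSDs) and on 64-bit Windows as well, so DISABLE_TEST_64 is defined on those builds too and the cases it guards in test_default are skipped nearly everywhere. If the intent is to skip the 64-bit default-value cases only on 32-bit targets, probe a width that actually differs, e.g. `#if UINTPTR_MAX == 0xffffffffU` via the `<stdint.h>` already used elsewhere in this import, or `SIZE_MAX`; if the intent is something else, the guard needs a comment saying what is excluded and why, since `// 32 bit` does not explain it. Style: the new `#include <limits.h>` sits between two static variable definitions rather than with the file's other headers. test_default continues past the end of the second hunk.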
1
third_party/heimdal/lib/asn1/krb5.asn1
vendored
1
third_party/heimdal/lib/asn1/krb5.asn1
vendored
@ -197,6 +197,7 @@ PADATA-TYPE ::= INTEGER {
|
||||
KRB5-PADATA-PKINIT-KX(147), -- krb-wg-anon
|
||||
KRB5-PADATA-PKU2U-NAME(148), -- zhu-pku2u
|
||||
KRB5-PADATA-REQ-ENC-PA-REP(149), --
|
||||
KRB5-PADATA-AS-FRESHNESS(150), -- RFC 8070
|
||||
KER5-PADATA-KERB-KEY-LIST-REQ(161), -- MS-KILE
|
||||
KER5-PADATA-KERB-PAKEY-LIST-REP(162), -- MS-KILE
|
||||
KRB5-PADATA-SUPPORTED-ETYPES(165), -- MS-KILE
|
||||
|
1
third_party/heimdal/lib/asn1/pkinit.asn1
vendored
1
third_party/heimdal/lib/asn1/pkinit.asn1
vendored
@ -83,6 +83,7 @@ PKAuthenticator ::= SEQUENCE {
|
||||
ctime [1] KerberosTime,
|
||||
nonce [2] INTEGER (0..4294967295),
|
||||
paChecksum [3] OCTET STRING OPTIONAL,
|
||||
freshnessToken [4] OCTET STRING OPTIONAL,
|
||||
...
|
||||
}
|
||||
|
||||
|
1
third_party/heimdal/lib/base/common_plugin.h
vendored
1
third_party/heimdal/lib/base/common_plugin.h
vendored
@ -75,6 +75,7 @@ struct heim_plugin_common_ftable_desc {
|
||||
};
|
||||
typedef struct heim_plugin_common_ftable_desc heim_plugin_common_ftable;
|
||||
typedef struct heim_plugin_common_ftable_desc *heim_plugin_common_ftable_p;
|
||||
typedef const struct heim_plugin_common_ftable_desc *heim_plugin_common_ftable_const_p;
|
||||
typedef struct heim_plugin_common_ftable_desc * const heim_plugin_common_ftable_cp;
|
||||
|
||||
typedef int
|
||||
|
4
third_party/heimdal/lib/base/dict.c
vendored
4
third_party/heimdal/lib/base/dict.c
vendored
@ -52,10 +52,8 @@ dict_dealloc(void *ptr)
|
||||
{
|
||||
heim_dict_t dict = ptr;
|
||||
struct hashentry **h, *g, *i;
|
||||
size_t j;
|
||||
|
||||
for (j = 0; j < dict->size; ++j) {
|
||||
h = &dict->tab[j];
|
||||
for (h = dict->tab; h < &dict->tab[dict->size]; ++h) {
|
||||
for (g = h[0]; g; g = i) {
|
||||
i = g->next;
|
||||
heim_release(g->key);
|
||||
|
16
third_party/heimdal/lib/base/heimbase.c
vendored
16
third_party/heimdal/lib/base/heimbase.c
vendored
@ -40,7 +40,7 @@
|
||||
static heim_base_atomic(uint32_t) tidglobal = HEIM_TID_USER;
|
||||
|
||||
struct heim_base {
|
||||
heim_type_t isa;
|
||||
heim_const_type_t isa;
|
||||
heim_base_atomic(uint32_t) ref_cnt;
|
||||
HEIM_TAILQ_ENTRY(heim_base) autorel;
|
||||
heim_auto_release_t autorelpool;
|
||||
@ -49,7 +49,7 @@ struct heim_base {
|
||||
|
||||
/* specialized version of base */
|
||||
struct heim_base_mem {
|
||||
heim_type_t isa;
|
||||
heim_const_type_t isa;
|
||||
heim_base_atomic(uint32_t) ref_cnt;
|
||||
HEIM_TAILQ_ENTRY(heim_base) autorel;
|
||||
heim_auto_release_t autorelpool;
|
||||
@ -182,7 +182,7 @@ static heim_type_t tagged_isa[9] = {
|
||||
NULL
|
||||
};
|
||||
|
||||
heim_type_t
|
||||
heim_const_type_t
|
||||
_heim_get_isa(heim_object_t ptr)
|
||||
{
|
||||
struct heim_base *p;
|
||||
@ -206,7 +206,7 @@ _heim_get_isa(heim_object_t ptr)
|
||||
heim_tid_t
|
||||
heim_get_tid(heim_object_t ptr)
|
||||
{
|
||||
heim_type_t isa = _heim_get_isa(ptr);
|
||||
heim_const_type_t isa = _heim_get_isa(ptr);
|
||||
return isa->tid;
|
||||
}
|
||||
|
||||
@ -221,7 +221,7 @@ heim_get_tid(heim_object_t ptr)
|
||||
uintptr_t
|
||||
heim_get_hash(heim_object_t ptr)
|
||||
{
|
||||
heim_type_t isa = _heim_get_isa(ptr);
|
||||
heim_const_type_t isa = _heim_get_isa(ptr);
|
||||
if (isa->hash)
|
||||
return isa->hash(ptr);
|
||||
return (uintptr_t)ptr;
|
||||
@ -241,7 +241,7 @@ int
|
||||
heim_cmp(heim_object_t a, heim_object_t b)
|
||||
{
|
||||
heim_tid_t ta, tb;
|
||||
heim_type_t isa;
|
||||
heim_const_type_t isa;
|
||||
|
||||
ta = heim_get_tid(a);
|
||||
tb = heim_get_tid(b);
|
||||
@ -272,7 +272,7 @@ memory_dealloc(void *ptr)
|
||||
}
|
||||
}
|
||||
|
||||
struct heim_type_data memory_object = {
|
||||
static const struct heim_type_data memory_object = {
|
||||
HEIM_TID_MEMORY,
|
||||
"memory-object",
|
||||
NULL,
|
||||
@ -338,7 +338,7 @@ _heim_create_type(const char *name,
|
||||
}
|
||||
|
||||
heim_object_t
|
||||
_heim_alloc_object(heim_type_t type, size_t size)
|
||||
_heim_alloc_object(heim_const_type_t type, size_t size)
|
||||
{
|
||||
/* XXX should use posix_memalign */
|
||||
struct heim_base *p = calloc(1, size + sizeof(*p));
|
||||
|
2
third_party/heimdal/lib/base/heimbase.h
vendored
2
third_party/heimdal/lib/base/heimbase.h
vendored
@ -102,7 +102,7 @@ struct heim_plugin_data {
|
||||
const char *module;
|
||||
const char *name;
|
||||
int min_version;
|
||||
const char **deps;
|
||||
const char *const *deps;
|
||||
heim_get_instance_func_t get_instance;
|
||||
};
|
||||
|
||||
|
5
third_party/heimdal/lib/base/heimbasepriv.h
vendored
5
third_party/heimdal/lib/base/heimbasepriv.h
vendored
@ -46,6 +46,7 @@ typedef uintptr_t (*heim_type_hash)(void *);
|
||||
typedef heim_string_t (*heim_type_description)(void *);
|
||||
|
||||
typedef struct heim_type_data *heim_type_t;
|
||||
typedef const struct heim_type_data *heim_const_type_t;
|
||||
|
||||
struct heim_type_data {
|
||||
heim_tid_t tid;
|
||||
@ -58,7 +59,7 @@ struct heim_type_data {
|
||||
heim_type_description desc;
|
||||
};
|
||||
|
||||
heim_type_t _heim_get_isa(heim_object_t);
|
||||
heim_const_type_t _heim_get_isa(heim_object_t);
|
||||
|
||||
heim_type_t
|
||||
_heim_create_type(const char *name,
|
||||
@ -70,7 +71,7 @@ _heim_create_type(const char *name,
|
||||
heim_type_description desc);
|
||||
|
||||
heim_object_t
|
||||
_heim_alloc_object(heim_type_t type, size_t size);
|
||||
_heim_alloc_object(heim_const_type_t type, size_t size);
|
||||
|
||||
void *
|
||||
_heim_get_isaextra(heim_object_t o, size_t idx);
|
||||
|
16
third_party/heimdal/lib/base/plugin.c
vendored
16
third_party/heimdal/lib/base/plugin.c
vendored
@ -152,7 +152,7 @@ copy_internal_dso(const char *name)
|
||||
}
|
||||
|
||||
struct heim_plugin {
|
||||
heim_plugin_common_ftable_p ftable;
|
||||
heim_plugin_common_ftable_const_p ftable;
|
||||
void *ctx;
|
||||
};
|
||||
|
||||
@ -166,7 +166,7 @@ plugin_free(void *ptr)
|
||||
}
|
||||
|
||||
struct heim_plugin_register_ctx {
|
||||
void *symbol;
|
||||
const void *symbol;
|
||||
int is_dup;
|
||||
};
|
||||
|
||||
@ -199,7 +199,7 @@ heim_plugin_register(heim_context context,
|
||||
heim_pcontext pcontext,
|
||||
const char *module,
|
||||
const char *name,
|
||||
void *ftable)
|
||||
const void *ftable)
|
||||
{
|
||||
heim_error_code ret;
|
||||
heim_array_t plugins;
|
||||
@ -480,7 +480,7 @@ struct iter_ctx {
|
||||
heim_context context;
|
||||
heim_pcontext pcontext;
|
||||
heim_string_t n;
|
||||
struct heim_plugin_data *caller;
|
||||
const struct heim_plugin_data *caller;
|
||||
int flags;
|
||||
heim_array_t result;
|
||||
int32_t (HEIM_LIB_CALL *func)(void *, const void *, void *, void *);
|
||||
@ -540,7 +540,7 @@ add_dso_plugin_struct(heim_context context,
|
||||
|
||||
static int
|
||||
validate_plugin_deps(heim_context context,
|
||||
struct heim_plugin_data *caller,
|
||||
const struct heim_plugin_data *caller,
|
||||
const char *dsopath,
|
||||
heim_get_instance_func_t get_instance)
|
||||
{
|
||||
@ -583,7 +583,7 @@ validate_plugin_deps(heim_context context,
|
||||
static heim_array_t
|
||||
add_dso_plugins_load_fn(heim_context context,
|
||||
heim_pcontext pcontext,
|
||||
struct heim_plugin_data *caller,
|
||||
const struct heim_plugin_data *caller,
|
||||
const char *dsopath,
|
||||
void *dsohandle)
|
||||
{
|
||||
@ -635,7 +635,7 @@ add_dso_plugins_load_fn(heim_context context,
|
||||
heim_warn(context, ret, "plugin %s[%zu] failed to initialize",
|
||||
dsopath, i);
|
||||
} else {
|
||||
pl->ftable = rk_UNCONST(cpm);
|
||||
pl->ftable = cpm;
|
||||
heim_array_append_value(plugins, pl);
|
||||
}
|
||||
heim_release(pl);
|
||||
@ -738,7 +738,7 @@ eval_results(heim_object_t value, void *ctx, int *stop)
|
||||
heim_error_code
|
||||
heim_plugin_run_f(heim_context context,
|
||||
heim_pcontext pcontext,
|
||||
struct heim_plugin_data *caller,
|
||||
const struct heim_plugin_data *caller,
|
||||
int flags,
|
||||
int32_t nohandle,
|
||||
void *userctx,
|
||||
|
4
third_party/heimdal/lib/com_err/Makefile.am
vendored
4
third_party/heimdal/lib/com_err/Makefile.am
vendored
@ -2,8 +2,8 @@
|
||||
|
||||
include $(top_srcdir)/Makefile.am.common
|
||||
|
||||
YFLAGS = -d -o parse.c
|
||||
LFLAGS = @FLEXNOUNPUTARGS@
|
||||
AM_YFLAGS = -d -o parse.c
|
||||
AM_LFLAGS = @FLEXNOUNPUTARGS@
|
||||
|
||||
lib_LTLIBRARIES = libcom_err.la
|
||||
libcom_err_la_LDFLAGS = -version-info 2:3:1
|
||||
|
2
third_party/heimdal/lib/com_err/com_err.c
vendored
2
third_party/heimdal/lib/com_err/com_err.c
vendored
@ -63,7 +63,7 @@ error_message (long code)
|
||||
}
|
||||
|
||||
KRB5_LIB_FUNCTION int KRB5_LIB_CALL
|
||||
init_error_table(const char **msgs, long base, int count)
|
||||
init_error_table(const char *const *msgs, long base, int count)
|
||||
{
|
||||
initialize_error_table_r(&_et_list, msgs, count, base);
|
||||
return 0;
|
||||
|
2
third_party/heimdal/lib/com_err/com_err.h
vendored
2
third_party/heimdal/lib/com_err/com_err.h
vendored
@ -51,7 +51,7 @@ KRB5_LIB_FUNCTION const char * KRB5_LIB_CALL
|
||||
error_message (long);
|
||||
|
||||
KRB5_LIB_FUNCTION int KRB5_LIB_CALL
|
||||
init_error_table (const char**, long, int);
|
||||
init_error_table (const char *const *, long, int);
|
||||
|
||||
KRB5_LIB_FUNCTION void KRB5_LIB_CALL
|
||||
com_err_va (const char *, long, const char *, va_list)
|
||||
|
2
third_party/heimdal/lib/com_err/com_right.h
vendored
2
third_party/heimdal/lib/com_err/com_right.h
vendored
@ -79,7 +79,7 @@ KRB5_LIB_FUNCTION const char * KRB5_LIB_CALL
|
||||
com_right_r (struct et_list *list, long code, char *, size_t);
|
||||
|
||||
KRB5_LIB_FUNCTION void KRB5_LIB_CALL
|
||||
initialize_error_table_r (struct et_list **, const char **, int, long);
|
||||
initialize_error_table_r (struct et_list **, const char *const *, int, long);
|
||||
|
||||
KRB5_LIB_FUNCTION void KRB5_LIB_CALL
|
||||
free_error_table (struct et_list *);
|
||||
|
2
third_party/heimdal/lib/com_err/compile_et.c
vendored
2
third_party/heimdal/lib/com_err/compile_et.c
vendored
@ -87,7 +87,7 @@ generate_c(void)
|
||||
fprintf(c_file, "#define N_(x) (x)\n");
|
||||
fprintf(c_file, "\n");
|
||||
|
||||
fprintf(c_file, "static const char *%s_error_strings[] = {\n", name);
|
||||
fprintf(c_file, "static const char *const %s_error_strings[] = {\n", name);
|
||||
|
||||
for(ec = codes, n = 0; ec; ec = ec->next, n++) {
|
||||
while(n < ec->number) {
|
||||
|
2
third_party/heimdal/lib/com_err/error.c
vendored
2
third_party/heimdal/lib/com_err/error.c
vendored
@ -81,7 +81,7 @@ struct foobar {
|
||||
|
||||
KRB5_LIB_FUNCTION void KRB5_LIB_CALL
|
||||
initialize_error_table_r(struct et_list **list,
|
||||
const char **messages,
|
||||
const char *const *messages,
|
||||
int num_errors,
|
||||
long base)
|
||||
{
|
||||
|
4
third_party/heimdal/lib/hdb/hdb-mitdb.c
vendored
4
third_party/heimdal/lib/hdb/hdb-mitdb.c
vendored
@ -769,7 +769,7 @@ mdb_seq(krb5_context context, HDB *db,
|
||||
{
|
||||
DB *d = (DB*)db->hdb_db;
|
||||
DBT key, value;
|
||||
krb5_data key_data, data;
|
||||
krb5_data data;
|
||||
int code;
|
||||
|
||||
code = db->hdb_lock(context, db, HDB_RLOCK);
|
||||
@ -790,8 +790,6 @@ mdb_seq(krb5_context context, HDB *db,
|
||||
return HDB_ERR_NOENTRY;
|
||||
}
|
||||
|
||||
key_data.data = key.data;
|
||||
key_data.length = key.size;
|
||||
data.data = value.data;
|
||||
data.length = value.size;
|
||||
memset(entry, 0, sizeof(*entry));
|
||||
|
1
third_party/heimdal/lib/hdb/hdb.asn1
vendored
1
third_party/heimdal/lib/hdb/hdb.asn1
vendored
@ -55,6 +55,7 @@ HDBFlags ::= BIT STRING {
|
||||
virtual(21), -- entry not stored; keys always derived
|
||||
synthetic(22), -- entry not stored; for PKINIT
|
||||
no-auth-data-reqd(23), -- omit PAC from service tickets
|
||||
auth-data-reqd(24), -- include PAC in service tickets
|
||||
|
||||
force-canonicalize(30), -- force the KDC to return the canonical
|
||||
-- principal irrespective of the setting
|
||||
|
2
third_party/heimdal/lib/hx509/Makefile.am
vendored
2
third_party/heimdal/lib/hx509/Makefile.am
vendored
@ -11,7 +11,7 @@ BUILT_SOURCES = \
|
||||
hx509_err.c \
|
||||
hx509_err.h
|
||||
|
||||
AM_YFLAGS = -o sel-gram.c
|
||||
AM_YFLAGS = -d -o sel-gram.c
|
||||
|
||||
dist_libhx509_la_SOURCES = \
|
||||
ca.c \
|
||||
|
7
third_party/heimdal/lib/hx509/hxtool.c
vendored
7
third_party/heimdal/lib/hx509/hxtool.c
vendored
@ -33,6 +33,7 @@
|
||||
|
||||
#include "hx_locl.h"
|
||||
|
||||
#include <stdint.h>
|
||||
#include <hxtool-commands.h>
|
||||
#include <sl.h>
|
||||
#include <rtbl.h>
|
||||
@ -1661,13 +1662,15 @@ random_data(void *opt, int argc, char **argv)
|
||||
{
|
||||
void *ptr;
|
||||
ssize_t len;
|
||||
int64_t bytes;
|
||||
int ret;
|
||||
|
||||
len = parse_bytes(argv[0], "byte");
|
||||
if (len <= 0) {
|
||||
bytes = parse_bytes(argv[0], "byte");
|
||||
if (bytes <= 0 || bytes > SSIZE_MAX) {
|
||||
fprintf(stderr, "bad argument to random-data\n");
|
||||
return 1;
|
||||
}
|
||||
len = bytes;
|
||||
|
||||
ptr = malloc(len);
|
||||
if (ptr == NULL) {
|
||||
|
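Review bot: the new bound `bytes > SSIZE_MAX` depends on `SSIZE_MAX`, which POSIX declares in `<limits.h>`, not in the `<stdint.h>` this hunk adds for int64_t; unless hx_locl.h or roken already provides it transitively, the build breaks on a platform where it is not reached (it has no standard definition on Windows). Adding `#include <limits.h>` beside the new `<stdint.h>` makes the dependency explicit. random_data continues outside the hunk.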
4
third_party/heimdal/lib/ipc/client.c
vendored
4
third_party/heimdal/lib/ipc/client.c
vendored
@ -520,7 +520,7 @@ struct hipc_ops {
|
||||
void (*)(void *, int, heim_idata *, heim_icred));
|
||||
};
|
||||
|
||||
struct hipc_ops ipcs[] = {
|
||||
static const struct hipc_ops ipcs[] = {
|
||||
#if defined(__APPLE__) && defined(HAVE_GCD)
|
||||
{ "MACH", mach_init, mach_release, mach_ipc, mach_async },
|
||||
#endif
|
||||
@ -531,7 +531,7 @@ struct hipc_ops ipcs[] = {
|
||||
};
|
||||
|
||||
struct heim_ipc {
|
||||
struct hipc_ops *ops;
|
||||
const struct hipc_ops *ops;
|
||||
void *ctx;
|
||||
};
|
||||
|
||||
|
1
third_party/heimdal/lib/kadm5/admin.h
vendored
1
third_party/heimdal/lib/kadm5/admin.h
vendored
@ -78,6 +78,7 @@
|
||||
#define KRB5_KDB_VIRTUAL 0x00400000 /* MIT doesn't have this */
|
||||
#define KRB5_KDB_DISALLOW_CLIENT 0x00800000 /* MIT doesn't have this */
|
||||
#define KRB5_KDB_NO_AUTH_DATA_REQUIRED 0x01000000 /* 0x00400000 in MIT */
|
||||
#define KRB5_KDB_AUTH_DATA_REQUIRED 0x02000000
|
||||
|
||||
/*
|
||||
* MIT has:
|
||||
|
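Review bot: the neighbouring flag definitions each document their relationship to MIT's kdb flags (`/* MIT doesn't have this */`, `/* 0x00400000 in MIT */`) while the new `KRB5_KDB_AUTH_DATA_REQUIRED` carries none; add a trailing comment stating whether MIT has an equivalent value, so the bit is not later assumed to be compatible with MIT kadmin clients. The hunk is entirely inside a `#define` list, so no function is cut.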
4
third_party/heimdal/lib/kadm5/ent_setup.c
vendored
4
third_party/heimdal/lib/kadm5/ent_setup.c
vendored
@ -64,6 +64,10 @@ attr_to_flags(unsigned attr, HDBFlags *flags)
|
||||
flags->virtual_keys = !!(attr & KRB5_KDB_VIRTUAL_KEYS);
|
||||
flags->virtual = !!(attr & KRB5_KDB_VIRTUAL);
|
||||
flags->no_auth_data_reqd = !!(attr & KRB5_KDB_NO_AUTH_DATA_REQUIRED);
|
||||
flags->auth_data_reqd = !!(attr & KRB5_KDB_AUTH_DATA_REQUIRED);
|
||||
|
||||
if (flags->no_auth_data_reqd && flags->auth_data_reqd)
|
||||
flags->auth_data_reqd = 0;
|
||||
}
|
||||
|
||||
/*
|
||||
|
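Review bot: the new conflict rule silently clears `flags->auth_data_reqd` when a caller passes both KRB5_KDB_NO_AUTH_DATA_REQUIRED and KRB5_KDB_AUTH_DATA_REQUIRED, so a request to include the PAC is dropped with no diagnostic and the entry is stored with the PAC omitted. Because attr_to_flags returns void (its signature is in the hunk header; the body starts outside the hunk), the precedence is discoverable only by reading this code, and the round trip through kadm5_s_get_principal, which in this commit reports both flags independently, returns a different attribute set from the one written. At minimum document the rule at the check, e.g. `/* Contradictory attributes: omitting the PAC (no_auth_data_reqd) takes precedence over requesting it. */`, and consider rejecting the pair at the kadm5 create/modify entry points instead of resolving it here.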
1
third_party/heimdal/lib/kadm5/get_s.c
vendored
1
third_party/heimdal/lib/kadm5/get_s.c
vendored
@ -186,6 +186,7 @@ kadm5_s_get_principal(void *server_handle,
|
||||
out->attributes |= ent.flags.virtual_keys ? KRB5_KDB_VIRTUAL_KEYS : 0;
|
||||
out->attributes |= ent.flags.virtual ? KRB5_KDB_VIRTUAL : 0;
|
||||
out->attributes |= ent.flags.no_auth_data_reqd ? KRB5_KDB_NO_AUTH_DATA_REQUIRED : 0;
|
||||
out->attributes |= ent.flags.auth_data_reqd ? KRB5_KDB_AUTH_DATA_REQUIRED : 0;
|
||||
}
|
||||
if(mask & KADM5_MAX_LIFE) {
|
||||
if(ent.max_life)
|
||||
|
34
third_party/heimdal/lib/krb5/addr_families.c
vendored
34
third_party/heimdal/lib/krb5/addr_families.c
vendored
@ -734,7 +734,7 @@ addrport_print_addr (const krb5_address *addr, char *str, size_t len)
|
||||
return ret_len;
|
||||
}
|
||||
|
||||
static struct addr_operations at[] = {
|
||||
static const struct addr_operations at[] = {
|
||||
{
|
||||
AF_INET, KRB5_ADDRESS_INET, sizeof(struct sockaddr_in),
|
||||
ipv4_sockaddr2addr,
|
||||
@ -810,7 +810,7 @@ static struct addr_operations at[] = {
|
||||
}
|
||||
};
|
||||
|
||||
static size_t num_addrs = sizeof(at) / sizeof(at[0]);
|
||||
static const size_t num_addrs = sizeof(at) / sizeof(at[0]);
|
||||
|
||||
static size_t max_sockaddr_size = 0;
|
||||
|
||||
@ -818,7 +818,7 @@ static size_t max_sockaddr_size = 0;
|
||||
* generic functions
|
||||
*/
|
||||
|
||||
static struct addr_operations *
|
||||
static const struct addr_operations *
|
||||
find_af(int af)
|
||||
{
|
||||
size_t i;
|
||||
@ -830,7 +830,7 @@ find_af(int af)
|
||||
return NULL;
|
||||
}
|
||||
|
||||
static struct addr_operations *
|
||||
static const struct addr_operations *
|
||||
find_atype(krb5_address_type atype)
|
||||
{
|
||||
size_t i;
|
||||
@ -859,7 +859,7 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
|
||||
krb5_sockaddr2address (krb5_context context,
|
||||
const struct sockaddr *sa, krb5_address *addr)
|
||||
{
|
||||
struct addr_operations *a = find_af(sa->sa_family);
|
||||
const struct addr_operations *a = find_af(sa->sa_family);
|
||||
if (a == NULL) {
|
||||
krb5_set_error_message (context, KRB5_PROG_ATYPE_NOSUPP,
|
||||
N_("Address family %d not supported", ""),
|
||||
@ -887,7 +887,7 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
|
||||
krb5_sockaddr2port (krb5_context context,
|
||||
const struct sockaddr *sa, int16_t *port)
|
||||
{
|
||||
struct addr_operations *a = find_af(sa->sa_family);
|
||||
const struct addr_operations *a = find_af(sa->sa_family);
|
||||
if (a == NULL) {
|
||||
krb5_set_error_message (context, KRB5_PROG_ATYPE_NOSUPP,
|
||||
N_("Address family %d not supported", ""),
|
||||
@ -925,7 +925,7 @@ krb5_addr2sockaddr (krb5_context context,
|
||||
krb5_socklen_t *sa_size,
|
||||
int port)
|
||||
{
|
||||
struct addr_operations *a = find_atype(addr->addr_type);
|
||||
const struct addr_operations *a = find_atype(addr->addr_type);
|
||||
|
||||
if (a == NULL) {
|
||||
krb5_set_error_message (context, KRB5_PROG_ATYPE_NOSUPP,
|
||||
@ -981,7 +981,7 @@ krb5_max_sockaddr_size (void)
|
||||
KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
|
||||
krb5_sockaddr_uninteresting(const struct sockaddr *sa)
|
||||
{
|
||||
struct addr_operations *a = find_af(sa->sa_family);
|
||||
const struct addr_operations *a = find_af(sa->sa_family);
|
||||
if (a == NULL || a->uninteresting == NULL)
|
||||
return TRUE;
|
||||
return (*a->uninteresting)(sa);
|
||||
@ -990,7 +990,7 @@ krb5_sockaddr_uninteresting(const struct sockaddr *sa)
|
||||
KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
|
||||
krb5_sockaddr_is_loopback(const struct sockaddr *sa)
|
||||
{
|
||||
struct addr_operations *a = find_af(sa->sa_family);
|
||||
const struct addr_operations *a = find_af(sa->sa_family);
|
||||
if (a == NULL || a->is_loopback == NULL)
|
||||
return TRUE;
|
||||
return (*a->is_loopback)(sa);
|
||||
@ -1022,7 +1022,7 @@ krb5_h_addr2sockaddr (krb5_context context,
|
||||
krb5_socklen_t *sa_size,
|
||||
int port)
|
||||
{
|
||||
struct addr_operations *a = find_af(af);
|
||||
const struct addr_operations *a = find_af(af);
|
||||
if (a == NULL) {
|
||||
krb5_set_error_message (context, KRB5_PROG_ATYPE_NOSUPP,
|
||||
"Address family %d not supported", af);
|
||||
@ -1051,7 +1051,7 @@ krb5_h_addr2addr (krb5_context context,
|
||||
int af,
|
||||
const char *haddr, krb5_address *addr)
|
||||
{
|
||||
struct addr_operations *a = find_af(af);
|
||||
const struct addr_operations *a = find_af(af);
|
||||
if (a == NULL) {
|
||||
krb5_set_error_message (context, KRB5_PROG_ATYPE_NOSUPP,
|
||||
N_("Address family %d not supported", ""), af);
|
||||
@ -1084,7 +1084,7 @@ krb5_anyaddr (krb5_context context,
|
||||
krb5_socklen_t *sa_size,
|
||||
int port)
|
||||
{
|
||||
struct addr_operations *a = find_af (af);
|
||||
const struct addr_operations *a = find_af (af);
|
||||
|
||||
if (a == NULL) {
|
||||
krb5_set_error_message (context, KRB5_PROG_ATYPE_NOSUPP,
|
||||
@ -1116,7 +1116,7 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
|
||||
krb5_print_address (const krb5_address *addr,
|
||||
char *str, size_t len, size_t *ret_len)
|
||||
{
|
||||
struct addr_operations *a = find_atype(addr->addr_type);
|
||||
const struct addr_operations *a = find_atype(addr->addr_type);
|
||||
int ret;
|
||||
|
||||
if (a == NULL || a->print_addr == NULL) {
|
||||
@ -1267,7 +1267,7 @@ krb5_address_order(krb5_context context,
|
||||
{
|
||||
/* this sucks; what if both addresses have order functions, which
|
||||
should we call? this works for now, though */
|
||||
struct addr_operations *a;
|
||||
const struct addr_operations *a;
|
||||
a = find_atype(addr1->addr_type);
|
||||
if(a == NULL) {
|
||||
krb5_set_error_message (context, KRB5_PROG_ATYPE_NOSUPP,
|
||||
@ -1359,7 +1359,7 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
|
||||
krb5_free_address(krb5_context context,
|
||||
krb5_address *address)
|
||||
{
|
||||
struct addr_operations *a = find_atype (address->addr_type);
|
||||
const struct addr_operations *a = find_atype (address->addr_type);
|
||||
if(a != NULL && a->free_addr != NULL)
|
||||
return (*a->free_addr)(context, address);
|
||||
krb5_data_free (&address->address);
|
||||
@ -1405,7 +1405,7 @@ krb5_copy_address(krb5_context context,
|
||||
const krb5_address *inaddr,
|
||||
krb5_address *outaddr)
|
||||
{
|
||||
struct addr_operations *a = find_af (inaddr->addr_type);
|
||||
const struct addr_operations *a = find_af (inaddr->addr_type);
|
||||
if(a != NULL && a->copy_addr != NULL)
|
||||
return (*a->copy_addr)(context, inaddr, outaddr);
|
||||
return copy_HostAddress(inaddr, outaddr);
|
||||
@ -1563,7 +1563,7 @@ krb5_address_prefixlen_boundary(krb5_context context,
|
||||
krb5_address *low,
|
||||
krb5_address *high)
|
||||
{
|
||||
struct addr_operations *a = find_atype (inaddr->addr_type);
|
||||
const struct addr_operations *a = find_atype (inaddr->addr_type);
|
||||
if(a != NULL && a->mask_boundary != NULL)
|
||||
return (*a->mask_boundary)(context, inaddr, prefixlen, low, high);
|
||||
krb5_set_error_message(context, KRB5_PROG_ATYPE_NOSUPP,
|
||||
|
@ -44,7 +44,7 @@ static krb5_error_code KRB5_LIB_CALL an2ln_def_plug_an2ln(void *, krb5_context,
|
||||
krb5_const_principal, set_result_f,
|
||||
void *);
|
||||
|
||||
static krb5plugin_an2ln_ftable an2ln_def_plug = {
|
||||
static const krb5plugin_an2ln_ftable an2ln_def_plug = {
|
||||
0,
|
||||
an2ln_def_plug_init,
|
||||
an2ln_def_plug_fini,
|
||||
@ -81,9 +81,9 @@ plcallback(krb5_context context,
|
||||
return locate->an2ln(plugctx, context, plctx->rule, plctx->aname, set_res, plctx);
|
||||
}
|
||||
|
||||
static const char *an2ln_plugin_deps[] = { "krb5", NULL };
|
||||
static const char *const an2ln_plugin_deps[] = { "krb5", NULL };
|
||||
|
||||
static struct heim_plugin_data
|
||||
static const struct heim_plugin_data
|
||||
an2ln_plugin_data = {
|
||||
"krb5",
|
||||
KRB5_PLUGIN_AN2LN,
|
||||
|
10
third_party/heimdal/lib/krb5/changepw.c
vendored
10
third_party/heimdal/lib/krb5/changepw.c
vendored
@ -478,7 +478,7 @@ typedef krb5_error_code (*kpwd_process_reply) (krb5_context,
|
||||
krb5_data *,
|
||||
const char *);
|
||||
|
||||
static struct kpwd_proc {
|
||||
static const struct kpwd_proc {
|
||||
const char *name;
|
||||
int flags;
|
||||
#define SUPPORT_TCP 1
|
||||
@ -513,7 +513,7 @@ change_password_loop (krb5_context context,
|
||||
int *result_code,
|
||||
krb5_data *result_code_string,
|
||||
krb5_data *result_string,
|
||||
struct kpwd_proc *proc)
|
||||
const struct kpwd_proc *proc)
|
||||
{
|
||||
krb5_error_code ret;
|
||||
krb5_auth_context auth_context = NULL;
|
||||
@ -662,10 +662,10 @@ change_password_loop (krb5_context context,
|
||||
|
||||
#ifndef HEIMDAL_SMALLER
|
||||
|
||||
static struct kpwd_proc *
|
||||
static const struct kpwd_proc *
|
||||
find_chpw_proto(const char *name)
|
||||
{
|
||||
struct kpwd_proc *p;
|
||||
const struct kpwd_proc *p;
|
||||
for (p = procs; p->name != NULL; p++) {
|
||||
if (strcmp(p->name, name) == 0)
|
||||
return p;
|
||||
@ -697,7 +697,7 @@ krb5_change_password (krb5_context context,
|
||||
krb5_data *result_string)
|
||||
KRB5_DEPRECATED_FUNCTION("Use krb5_set_password instead")
|
||||
{
|
||||
struct kpwd_proc *p = find_chpw_proto("change password");
|
||||
const struct kpwd_proc *p = find_chpw_proto("change password");
|
||||
|
||||
*result_code = KRB5_KPASSWD_MALFORMED;
|
||||
result_code_string->data = result_string->data = NULL;
|
||||
|
18
third_party/heimdal/lib/krb5/constants.c
vendored
18
third_party/heimdal/lib/krb5/constants.c
vendored
@ -35,7 +35,7 @@
|
||||
|
||||
#include "krb5_locl.h"
|
||||
|
||||
KRB5_LIB_VARIABLE const char *krb5_config_file =
|
||||
KRB5_LIB_VARIABLE const char *const krb5_config_file =
|
||||
#ifdef KRB5_DEFAULT_CONFIG_FILE
|
||||
KRB5_DEFAULT_CONFIG_FILE
|
||||
#else
|
||||
@ -56,12 +56,12 @@ SYSCONFDIR "/krb5.conf" PATH_SEP
|
||||
#endif /* KRB5_DEFAULT_CONFIG_FILE */
|
||||
;
|
||||
|
||||
KRB5_LIB_VARIABLE const char *krb5_defkeyname = KEYTAB_DEFAULT;
|
||||
KRB5_LIB_VARIABLE const char *const krb5_defkeyname = KEYTAB_DEFAULT;
|
||||
|
||||
KRB5_LIB_VARIABLE const char *krb5_cc_type_api = "API";
|
||||
KRB5_LIB_VARIABLE const char *krb5_cc_type_file = "FILE";
|
||||
KRB5_LIB_VARIABLE const char *krb5_cc_type_memory = "MEMORY";
|
||||
KRB5_LIB_VARIABLE const char *krb5_cc_type_kcm = "KCM";
|
||||
KRB5_LIB_VARIABLE const char *krb5_cc_type_scc = "SCC";
|
||||
KRB5_LIB_VARIABLE const char *krb5_cc_type_dcc = "DIR";
|
||||
KRB5_LIB_VARIABLE const char *krb5_cc_type_keyring = "KEYRING";
|
||||
KRB5_LIB_VARIABLE const char *const krb5_cc_type_api = "API";
|
||||
KRB5_LIB_VARIABLE const char *const krb5_cc_type_file = "FILE";
|
||||
KRB5_LIB_VARIABLE const char *const krb5_cc_type_memory = "MEMORY";
|
||||
KRB5_LIB_VARIABLE const char *const krb5_cc_type_kcm = "KCM";
|
||||
KRB5_LIB_VARIABLE const char *const krb5_cc_type_scc = "SCC";
|
||||
KRB5_LIB_VARIABLE const char *const krb5_cc_type_dcc = "DIR";
|
||||
KRB5_LIB_VARIABLE const char *const krb5_cc_type_keyring = "KEYRING";
|
||||
|
2
third_party/heimdal/lib/krb5/context.c
vendored
2
third_party/heimdal/lib/krb5/context.c
vendored
@ -372,7 +372,7 @@ kt_ops_copy(krb5_context context, const krb5_context src_context)
|
||||
return 0;
|
||||
}
|
||||
|
||||
static const char *sysplugin_dirs[] = {
|
||||
static const char *const sysplugin_dirs[] = {
|
||||
#ifdef _WIN32
|
||||
"$ORIGIN",
|
||||
#else
|
||||
|
4
third_party/heimdal/lib/krb5/crypto.c
vendored
4
third_party/heimdal/lib/krb5/crypto.c
vendored
@ -1922,13 +1922,13 @@ krb5_decrypt_iov_ivec(krb5_context context,
|
||||
goto cleanup;
|
||||
} else {
|
||||
krb5_data ivec_data;
|
||||
static unsigned char zero_ivec[EVP_MAX_IV_LENGTH];
|
||||
static const unsigned char zero_ivec[EVP_MAX_IV_LENGTH];
|
||||
|
||||
heim_assert(et->blocksize <= sizeof(zero_ivec),
|
||||
"blocksize too big for ivec buffer");
|
||||
|
||||
ivec_data.length = et->blocksize;
|
||||
ivec_data.data = ivec ? ivec : zero_ivec;
|
||||
ivec_data.data = ivec ? ivec : rk_UNCONST(zero_ivec);
|
||||
|
||||
ret = iov_coalesce(context, &ivec_data, data, num_data, TRUE, &sign_data);
|
||||
if(ret)
|
||||
|
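Review bot: `ivec_data.data = ivec ? ivec : rk_UNCONST(zero_ivec);` now hands a pointer into read-only storage to a non-const `krb5_data`, so the compiler can no longer catch a write through `ivec_data.data` inside `iov_coalesce` on the following line; with `zero_ivec` typically placed in `.rodata`, such a write would fault instead of silently corrupting the shared zero IV as before. A comment at the cast should record the contract, e.g. `/* zero_ivec is const storage: iov_coalesce must only read through ivec_data.data */`. The same cast-away-const pattern appears in mk_error.c (`msg.realm = rk_UNCONST(unspec)`) and pac.c (`single_zero_pac`) and deserves the same note there. `krb5_decrypt_iov_ivec` begins before the hunk and continues after it.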
4
third_party/heimdal/lib/krb5/db_plugin.c
vendored
4
third_party/heimdal/lib/krb5/db_plugin.c
vendored
@ -14,9 +14,9 @@ db_plugins_plcallback(krb5_context context, const void *plug, void *plugctx,
|
||||
return 0;
|
||||
}
|
||||
|
||||
static const char *db_plugin_deps[] = { "krb5", NULL };
|
||||
static const char *const db_plugin_deps[] = { "krb5", NULL };
|
||||
|
||||
static struct heim_plugin_data
|
||||
static const struct heim_plugin_data
|
||||
db_plugin_data = {
|
||||
"krb5",
|
||||
KRB5_PLUGIN_DB,
|
||||
|
@ -109,17 +109,17 @@ dns_find_realm(krb5_context context,
|
||||
const char *domain,
|
||||
krb5_realm **realms)
|
||||
{
|
||||
static const char *default_labels[] = { "_kerberos", NULL };
|
||||
static const char *const default_labels[] = { "_kerberos", NULL };
|
||||
char dom[MAXHOSTNAMELEN];
|
||||
struct rk_dns_reply *r;
|
||||
const char **labels;
|
||||
const char *const *labels;
|
||||
char **config_labels;
|
||||
int i, ret = 0;
|
||||
|
||||
config_labels = krb5_config_get_strings(context, NULL, "libdefaults",
|
||||
"dns_lookup_realm_labels", NULL);
|
||||
if(config_labels != NULL)
|
||||
labels = (const char **)config_labels;
|
||||
labels = (const char *const *)config_labels;
|
||||
else
|
||||
labels = default_labels;
|
||||
if(*domain == '.')
|
||||
|
4
third_party/heimdal/lib/krb5/get_in_tkt.c
vendored
4
third_party/heimdal/lib/krb5/get_in_tkt.c
vendored
@ -319,7 +319,9 @@ set_ptypes(krb5_context context,
|
||||
krb5_preauthdata **preauth)
|
||||
{
|
||||
static krb5_preauthdata preauth2;
|
||||
static krb5_preauthtype ptypes2[] = { KRB5_PADATA_ENC_TIMESTAMP, KRB5_PADATA_NONE };
|
||||
static const krb5_preauthtype ptypes2[] = {
|
||||
KRB5_PADATA_ENC_TIMESTAMP, KRB5_PADATA_NONE
|
||||
};
|
||||
|
||||
if(error->e_data) {
|
||||
METHOD_DATA md;
|
||||
|
14
third_party/heimdal/lib/krb5/init_creds_pw.c
vendored
14
third_party/heimdal/lib/krb5/init_creds_pw.c
vendored
@ -61,7 +61,7 @@ struct krb5_gss_init_ctx_data {
|
||||
struct krb5_get_init_creds_ctx {
|
||||
KDCOptions flags;
|
||||
krb5_creds cred;
|
||||
krb5_addresses *addrs;
|
||||
const krb5_addresses *addrs;
|
||||
krb5_enctype *etypes;
|
||||
krb5_preauthtype *pre_auth_types;
|
||||
char *in_tkt_service;
|
||||
@ -447,7 +447,7 @@ krb5_init_creds_warn_user(krb5_context context,
|
||||
return 0;
|
||||
}
|
||||
|
||||
static krb5_addresses no_addrs = { 0, NULL };
|
||||
static const krb5_addresses no_addrs = { 0, NULL };
|
||||
|
||||
static krb5_error_code
|
||||
get_init_creds_common(krb5_context context,
|
||||
@ -1941,9 +1941,9 @@ typedef krb5_error_code (*pa_restart_f)(krb5_context, krb5_init_creds_context, v
|
||||
typedef krb5_error_code (*pa_step_f)(krb5_context, krb5_init_creds_context, void *, PA_DATA *, const AS_REQ *, const AS_REP *, METHOD_DATA *, METHOD_DATA *);
|
||||
typedef void (*pa_release_f)(void *);
|
||||
|
||||
struct patype {
|
||||
static const struct patype {
|
||||
int type;
|
||||
char *name;
|
||||
const char *name;
|
||||
int flags;
|
||||
#define PA_F_ANNOUNCE 1
|
||||
#define PA_F_CONFIG 2
|
||||
@ -2085,7 +2085,7 @@ get_pa_type_name(int type)
|
||||
*/
|
||||
|
||||
struct pa_auth_mech {
|
||||
struct patype *patype;
|
||||
const struct patype *patype;
|
||||
struct pa_auth_mech *next; /* when doing authentication sets */
|
||||
char pactx[1];
|
||||
};
|
||||
@ -2155,7 +2155,7 @@ mech_dealloc(void *ctx)
|
||||
pa_mech->patype->release((void *)&pa_mech->pactx[0]);
|
||||
}
|
||||
|
||||
struct heim_type_data pa_auth_mech_object = {
|
||||
static const struct heim_type_data pa_auth_mech_object = {
|
||||
HEIM_TID_PA_AUTH_MECH,
|
||||
"heim-pa-mech-context",
|
||||
NULL,
|
||||
@ -2170,7 +2170,7 @@ static struct pa_auth_mech *
|
||||
pa_mech_create(krb5_context context, krb5_init_creds_context ctx, int pa_type)
|
||||
{
|
||||
struct pa_auth_mech *pa_mech;
|
||||
struct patype *patype = NULL;
|
||||
const struct patype *patype = NULL;
|
||||
size_t n;
|
||||
|
||||
for (n = 0; patype == NULL && n < sizeof(patypes)/sizeof(patypes[0]); n++) {
|
||||
|
9
third_party/heimdal/lib/krb5/krb5.conf.5
vendored
9
third_party/heimdal/lib/krb5/krb5.conf.5
vendored
@ -828,6 +828,11 @@ addresses in the tickets.
|
||||
.It Li allow-null-ticket-addresses = Va BOOL
|
||||
Allow address-less tickets.
|
||||
.\" XXX
|
||||
.It Li disable_pac = Va BOOL
|
||||
Do not include a PAC in service tickets.
|
||||
However, if a service has the
|
||||
.Li auth-data-reqd
|
||||
attribute then the KDC will include a PAC anyways.
|
||||
.It Li enable_fast = Va BOOL
|
||||
Enable RFC 6113 FAST support, this is enabled by default.
|
||||
.It Li enable_fast_cookie = Va BOOL
|
||||
@ -846,6 +851,10 @@ Enabled by default for now, but in a future release will be
|
||||
disabled.
|
||||
.It Li enable-pkinit = Va BOOL
|
||||
Enable PKINIT (disabled by default).
|
||||
.It Li require-pkinit-freshness = Va BOOL
|
||||
If PKINIT is enabled, require that PKINIT requests contain a
|
||||
freshness token proving recent possession of the private key.
|
||||
Disabled by default.
|
||||
.It Li allow-anonymous = Va BOOL
|
||||
If the kdc is allowed to hand out anonymous tickets.
|
||||
.It Li synthetic_clients = Va BOOL
|
||||
|
22
third_party/heimdal/lib/krb5/krb5.h
vendored
22
third_party/heimdal/lib/krb5/krb5.h
vendored
@ -296,6 +296,8 @@ typedef enum krb5_key_usage {
|
||||
/* fast challenge from client */
|
||||
KRB5_KU_ENC_CHALLENGE_KDC = 55,
|
||||
/* fast challenge from kdc */
|
||||
KRB5_KU_AS_FRESHNESS = 60,
|
||||
/* Freshness token from KDC */
|
||||
KRB5_KU_DIGEST_ENCRYPT = -18,
|
||||
/* Encryption key usage used in the digest encryption field */
|
||||
KRB5_KU_DIGEST_OPAQUE = -19,
|
||||
@ -697,7 +699,7 @@ typedef struct {
|
||||
KRB_ERROR error;
|
||||
} krb5_kdc_rep;
|
||||
|
||||
extern const char *heimdal_version, *heimdal_long_version;
|
||||
extern const char *const heimdal_version, *const heimdal_long_version;
|
||||
|
||||
typedef void (KRB5_CALLCONV * krb5_log_log_func_t)(krb5_context,
|
||||
const char*,
|
||||
@ -1018,8 +1020,8 @@ typedef struct krb5_kx509_req_ctx_data *krb5_kx509_req_ctx;
|
||||
|
||||
/* variables */
|
||||
|
||||
extern KRB5_LIB_VARIABLE const char *krb5_config_file;
|
||||
extern KRB5_LIB_VARIABLE const char *krb5_defkeyname;
|
||||
extern KRB5_LIB_VARIABLE const char *const krb5_config_file;
|
||||
extern KRB5_LIB_VARIABLE const char *const krb5_defkeyname;
|
||||
|
||||
|
||||
extern KRB5_LIB_VARIABLE const krb5_cc_ops krb5_acc_ops;
|
||||
@ -1038,13 +1040,13 @@ extern KRB5_LIB_VARIABLE const krb5_kt_ops krb5_mkt_ops;
|
||||
extern KRB5_LIB_VARIABLE const krb5_kt_ops krb5_akf_ops;
|
||||
extern KRB5_LIB_VARIABLE const krb5_kt_ops krb5_any_ops;
|
||||
|
||||
extern KRB5_LIB_VARIABLE const char *krb5_cc_type_api;
|
||||
extern KRB5_LIB_VARIABLE const char *krb5_cc_type_file;
|
||||
extern KRB5_LIB_VARIABLE const char *krb5_cc_type_memory;
|
||||
extern KRB5_LIB_VARIABLE const char *krb5_cc_type_kcm;
|
||||
extern KRB5_LIB_VARIABLE const char *krb5_cc_type_scc;
|
||||
extern KRB5_LIB_VARIABLE const char *krb5_cc_type_dcc;
|
||||
extern KRB5_LIB_VARIABLE const char *krb5_cc_type_keyring;
|
||||
extern KRB5_LIB_VARIABLE const char *const krb5_cc_type_api;
|
||||
extern KRB5_LIB_VARIABLE const char *const krb5_cc_type_file;
|
||||
extern KRB5_LIB_VARIABLE const char *const krb5_cc_type_memory;
|
||||
extern KRB5_LIB_VARIABLE const char *const krb5_cc_type_kcm;
|
||||
extern KRB5_LIB_VARIABLE const char *const krb5_cc_type_scc;
|
||||
extern KRB5_LIB_VARIABLE const char *const krb5_cc_type_dcc;
|
||||
extern KRB5_LIB_VARIABLE const char *const krb5_cc_type_keyring;
|
||||
|
||||
/* clang analyzer workarounds */
|
||||
|
||||
|
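Review bot: The comment on the new `KRB5_KU_AS_FRESHNESS = 60,` entry says only `/* Freshness token from KDC */`, which does not tell a reader where the value comes from. Key usage numbers are interoperability constants, and 60 is the KEY_USAGE_AS_FRESHNESS value assigned by RFC 8070 (the PKINIT freshness extension), so the comment should cite it, e.g. `/* Freshness token from KDC (RFC 8070 KEY_USAGE_AS_FRESHNESS) */`. The enum `krb5_key_usage` starts before the hunk and continues after it.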
3
third_party/heimdal/lib/krb5/krb5_err.et
vendored
3
third_party/heimdal/lib/krb5/krb5_err.et
vendored
@ -108,6 +108,9 @@ error_code PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED, "Public key encryption not suppo
|
||||
#error_code ERR_KDC_NOT_FOUND, "IAKERB proxy could not find a KDC"
|
||||
#error_code ERR_KDC_NO_RESPONSE, "IAKERB proxy never reeived a response from a KDC"
|
||||
|
||||
index 90
|
||||
error_code PREAUTH_EXPIRED, "Pre-authentication data expired"
|
||||
|
||||
index 91
|
||||
error_code MORE_PREAUTH_DATA_REQUIRED, "More pre-authentication data required"
|
||||
|
||||
|
4
third_party/heimdal/lib/krb5/krbhst.c
vendored
4
third_party/heimdal/lib/krb5/krbhst.c
vendored
@ -709,9 +709,9 @@ plcallback(krb5_context context,
|
||||
return KRB5_PLUGIN_NO_HANDLE;
|
||||
}
|
||||
|
||||
static const char *locate_plugin_deps[] = { "krb5", NULL };
|
||||
static const char *const locate_plugin_deps[] = { "krb5", NULL };
|
||||
|
||||
static struct heim_plugin_data
|
||||
static const struct heim_plugin_data
|
||||
locate_plugin_data = {
|
||||
"krb5",
|
||||
KRB5_PLUGIN_LOCATE,
|
||||
|
20
third_party/heimdal/lib/krb5/kuserok.c
vendored
20
third_party/heimdal/lib/krb5/kuserok.c
vendored
@ -67,10 +67,10 @@ plcallback(krb5_context context, const void *plug, void *plugctx, void *userctx)
|
||||
}
|
||||
|
||||
static krb5_error_code plugin_reg_ret;
|
||||
static krb5plugin_kuserok_ftable kuserok_simple_plug;
|
||||
static krb5plugin_kuserok_ftable kuserok_sys_k5login_plug;
|
||||
static krb5plugin_kuserok_ftable kuserok_user_k5login_plug;
|
||||
static krb5plugin_kuserok_ftable kuserok_deny_plug;
|
||||
static const krb5plugin_kuserok_ftable kuserok_simple_plug;
|
||||
static const krb5plugin_kuserok_ftable kuserok_sys_k5login_plug;
|
||||
static const krb5plugin_kuserok_ftable kuserok_user_k5login_plug;
|
||||
static const krb5plugin_kuserok_ftable kuserok_deny_plug;
|
||||
|
||||
static void
|
||||
reg_def_plugins_once(void *ctx)
|
||||
@ -455,9 +455,9 @@ krb5_kuserok(krb5_context context,
|
||||
}
|
||||
|
||||
|
||||
static const char *kuserok_plugin_deps[] = { "krb5", NULL };
|
||||
static const char *const kuserok_plugin_deps[] = { "krb5", NULL };
|
||||
|
||||
static struct heim_plugin_data
|
||||
static const struct heim_plugin_data
|
||||
kuserok_plugin_data = {
|
||||
"krb5",
|
||||
KRB5_PLUGIN_KUSEROK,
|
||||
@ -723,28 +723,28 @@ kuser_ok_null_plugin_fini(void *ctx)
|
||||
return;
|
||||
}
|
||||
|
||||
static krb5plugin_kuserok_ftable kuserok_simple_plug = {
|
||||
static const krb5plugin_kuserok_ftable kuserok_simple_plug = {
|
||||
KRB5_PLUGIN_KUSEROK_VERSION_0,
|
||||
kuser_ok_null_plugin_init,
|
||||
kuser_ok_null_plugin_fini,
|
||||
kuserok_simple_plug_f,
|
||||
};
|
||||
|
||||
static krb5plugin_kuserok_ftable kuserok_sys_k5login_plug = {
|
||||
static const krb5plugin_kuserok_ftable kuserok_sys_k5login_plug = {
|
||||
KRB5_PLUGIN_KUSEROK_VERSION_0,
|
||||
kuser_ok_null_plugin_init,
|
||||
kuser_ok_null_plugin_fini,
|
||||
kuserok_sys_k5login_plug_f,
|
||||
};
|
||||
|
||||
static krb5plugin_kuserok_ftable kuserok_user_k5login_plug = {
|
||||
static const krb5plugin_kuserok_ftable kuserok_user_k5login_plug = {
|
||||
KRB5_PLUGIN_KUSEROK_VERSION_0,
|
||||
kuser_ok_null_plugin_init,
|
||||
kuser_ok_null_plugin_fini,
|
||||
kuserok_user_k5login_plug_f,
|
||||
};
|
||||
|
||||
static krb5plugin_kuserok_ftable kuserok_deny_plug = {
|
||||
static const krb5plugin_kuserok_ftable kuserok_deny_plug = {
|
||||
KRB5_PLUGIN_KUSEROK_VERSION_0,
|
||||
kuser_ok_null_plugin_init,
|
||||
kuser_ok_null_plugin_fini,
|
||||
|
4
third_party/heimdal/lib/krb5/mk_error.c
vendored
4
third_party/heimdal/lib/krb5/mk_error.c
vendored
@ -76,8 +76,8 @@ krb5_mk_error_ext(krb5_context context,
|
||||
msg.realm = server->realm;
|
||||
msg.sname = server->name;
|
||||
}else{
|
||||
static char unspec[] = "<unspecified realm>";
|
||||
msg.realm = unspec;
|
||||
static const char unspec[] = "<unspecified realm>";
|
||||
msg.realm = rk_UNCONST(unspec);
|
||||
}
|
||||
msg.crealm = rk_UNCONST(client_realm);
|
||||
msg.cname = rk_UNCONST(client_name);
|
||||
|
8
third_party/heimdal/lib/krb5/pac.c
vendored
8
third_party/heimdal/lib/krb5/pac.c
vendored
@ -141,7 +141,7 @@ pac_dealloc(void *ctx)
|
||||
free(pac->pac);
|
||||
}
|
||||
|
||||
struct heim_type_data pac_object = {
|
||||
static const struct heim_type_data pac_object = {
|
||||
HEIM_TID_PAC,
|
||||
"heim-pac",
|
||||
NULL,
|
||||
@ -597,7 +597,7 @@ krb5_pac_get_buffer(krb5_context context, krb5_const_pac p,
|
||||
return ENOENT;
|
||||
}
|
||||
|
||||
static struct {
|
||||
static const struct {
|
||||
uint32_t type;
|
||||
krb5_data name;
|
||||
} pac_buffer_name_map[] = {
|
||||
@ -1982,8 +1982,8 @@ _krb5_pac_get_attributes_info(krb5_context context,
|
||||
return 0;
|
||||
}
|
||||
|
||||
static unsigned char single_zero = '\0';
|
||||
static krb5_data single_zero_pac = { 1, &single_zero };
|
||||
static const unsigned char single_zero = '\0';
|
||||
static const krb5_data single_zero_pac = { 1, rk_UNCONST(&single_zero) };
|
||||
|
||||
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
|
||||
_krb5_kdc_pac_ticket_parse(krb5_context context,
|
||||
|
4
third_party/heimdal/lib/krb5/pcache.c
vendored
4
third_party/heimdal/lib/krb5/pcache.c
vendored
@ -58,9 +58,9 @@ cc_plugin_register_to_context(krb5_context context, const void *plug, void *plug
|
||||
return KRB5_PLUGIN_NO_HANDLE;
|
||||
}
|
||||
|
||||
static const char *ccache_plugin_deps[] = { "krb5", NULL };
|
||||
static const char *const ccache_plugin_deps[] = { "krb5", NULL };
|
||||
|
||||
static struct heim_plugin_data
|
||||
static const struct heim_plugin_data
|
||||
ccache_plugin_data = {
|
||||
"krb5",
|
||||
KRB5_PLUGIN_CCACHE,
|
||||
|
4
third_party/heimdal/lib/krb5/plugin.c
vendored
4
third_party/heimdal/lib/krb5/plugin.c
vendored
@ -75,7 +75,7 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
|
||||
krb5_plugin_register(krb5_context context,
|
||||
enum krb5_plugin_type type,
|
||||
const char *name,
|
||||
void *symbol)
|
||||
const void *symbol)
|
||||
{
|
||||
/*
|
||||
* It's not clear that PLUGIN_TYPE_FUNC was ever used or supported. It likely
|
||||
@ -147,7 +147,7 @@ _krb5_unload_plugins(krb5_context context, const char *name)
|
||||
*/
|
||||
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
|
||||
_krb5_plugin_run_f(krb5_context context,
|
||||
struct heim_plugin_data *caller,
|
||||
const struct heim_plugin_data *caller,
|
||||
int flags,
|
||||
void *userctx,
|
||||
krb5_error_code (KRB5_LIB_CALL *func)(krb5_context, const void *, void *, void *))
|
||||
|
2
third_party/heimdal/lib/krb5/salt-aes-sha1.c
vendored
2
third_party/heimdal/lib/krb5/salt-aes-sha1.c
vendored
@ -33,7 +33,7 @@
|
||||
|
||||
#include "krb5_locl.h"
|
||||
|
||||
int _krb5_AES_SHA1_string_to_default_iterator = 4096;
|
||||
const int _krb5_AES_SHA1_string_to_default_iterator = 4096;
|
||||
|
||||
static krb5_error_code
|
||||
AES_SHA1_string_to_key(krb5_context context,
|
||||
|
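Review bot: `const int _krb5_AES_SHA1_string_to_default_iterator = 4096;` keeps external linkage, so any `extern int` declaration of it elsewhere (presumably in a header such as krb5_locl.h, which is not in this diff) must become `extern const int` in the same import, otherwise the compiler rejects the conflicting types; the commit message already warns that this import does not build on its own, so please confirm that declaration lands alongside. The same applies to `_krb5_AES_SHA2_string_to_default_iterator` in salt-aes-sha2.c. Making these const is otherwise right: 4096 and 32768 are the default string-to-key iteration counts fixed by RFC 3962 and RFC 8009 respectively, not runtime tunables.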
2
third_party/heimdal/lib/krb5/salt-aes-sha2.c
vendored
2
third_party/heimdal/lib/krb5/salt-aes-sha2.c
vendored
@ -33,7 +33,7 @@
|
||||
|
||||
#include "krb5_locl.h"
|
||||
|
||||
int _krb5_AES_SHA2_string_to_default_iterator = 32768;
|
||||
const int _krb5_AES_SHA2_string_to_default_iterator = 32768;
|
||||
|
||||
static krb5_error_code
|
||||
AES_SHA2_string_to_key(krb5_context context,
|
||||
|
12
third_party/heimdal/lib/krb5/send_to_kdc.c
vendored
12
third_party/heimdal/lib/krb5/send_to_kdc.c
vendored
@ -96,9 +96,9 @@ realmcallback(krb5_context context, const void *plug, void *plugctx, void *userc
|
||||
ctx->send_data, ctx->receive);
|
||||
}
|
||||
|
||||
static const char *send_to_kdc_plugin_deps[] = { "krb5", NULL };
|
||||
static const char *const send_to_kdc_plugin_deps[] = { "krb5", NULL };
|
||||
|
||||
static struct heim_plugin_data
|
||||
static const struct heim_plugin_data
|
||||
send_to_kdc_plugin_data = {
|
||||
"krb5",
|
||||
KRB5_PLUGIN_SEND_TO_KDC,
|
||||
@ -330,7 +330,7 @@ struct host {
|
||||
krb5_krbhst_info *hi;
|
||||
struct addrinfo *ai;
|
||||
rk_socket_t fd;
|
||||
struct host_fun *fun;
|
||||
const struct host_fun *fun;
|
||||
unsigned int tries;
|
||||
time_t timeout;
|
||||
krb5_data data;
|
||||
@ -715,19 +715,19 @@ recv_udp(krb5_context context, struct host *host, krb5_data *data)
|
||||
return 0;
|
||||
}
|
||||
|
||||
static struct host_fun http_fun = {
|
||||
static const struct host_fun http_fun = {
|
||||
prepare_http,
|
||||
send_stream,
|
||||
recv_http,
|
||||
1
|
||||
};
|
||||
static struct host_fun tcp_fun = {
|
||||
static const struct host_fun tcp_fun = {
|
||||
prepare_tcp,
|
||||
send_stream,
|
||||
recv_tcp,
|
||||
1
|
||||
};
|
||||
static struct host_fun udp_fun = {
|
||||
static const struct host_fun udp_fun = {
|
||||
prepare_udp,
|
||||
send_udp,
|
||||
recv_udp,
|
||||
|
@ -38,7 +38,7 @@
|
||||
|
||||
static struct testcase {
|
||||
int canonicalp;
|
||||
ssize_t val;
|
||||
int64_t val;
|
||||
const char *def_unit;
|
||||
const char *str;
|
||||
} tests[] = {
|
||||
@ -52,7 +52,7 @@ static struct testcase {
|
||||
{1, 1024 * 1024, NULL, "1 megabyte"},
|
||||
{0, 1025, NULL, "1 kilobyte 1"},
|
||||
{1, 1025, NULL, "1 kilobyte 1 byte"},
|
||||
{1, 1024UL * 1024 * 1024 * 1024, NULL, "1 terabyte"},
|
||||
{1, 1024ULL * 1024 * 1024 * 1024, NULL, "1 terabyte"},
|
||||
};
|
||||
|
||||
int
|
||||
@ -63,7 +63,7 @@ main(int argc, char **argv)
|
||||
|
||||
for (i = 0; i < sizeof(tests)/sizeof(tests[0]); ++i) {
|
||||
char buf[256];
|
||||
ssize_t val = parse_bytes (tests[i].str, tests[i].def_unit);
|
||||
int64_t val = parse_bytes (tests[i].str, tests[i].def_unit);
|
||||
|
||||
if (val != tests[i].val) {
|
||||
printf ("parse_bytes (%s, %s) = %lld != %lld\n",
|
||||
|
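Review bot: The `printf ("parse_bytes (%s, %s) = %lld != %lld\n",` line still formats with `%lld` while `val` and `tests[i].val` are now `int64_t`; on LP64 targets `int64_t` is `long`, so unless the arguments on the following lines (outside the hunk) are cast to `long long`, the call is a format/type mismatch that -Wformat will flag. Either cast both arguments to `(long long)` or switch the format to `%" PRId64 "` from <inttypes.h>. This section's file header is not shown in this view, and `main` starts before the hunk.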
18
third_party/heimdal/lib/roken/parse_bytes.c
vendored
18
third_party/heimdal/lib/roken/parse_bytes.c
vendored
@ -37,10 +37,10 @@
|
||||
#include "parse_bytes.h"
|
||||
|
||||
static struct units bytes_units[] = {
|
||||
{ "petabyte", 1024UL * 1024 * 1024 * 1024 * 1024 },
|
||||
{ "PB", 1024UL * 1024 * 1024 * 1024 * 1024 },
|
||||
{ "terabyte", 1024UL * 1024 * 1024 * 1024 },
|
||||
{ "TB", 1024UL * 1024 * 1024 * 1024 },
|
||||
{ "petabyte", 1024ULL * 1024 * 1024 * 1024 * 1024 },
|
||||
{ "PB", 1024ULL * 1024 * 1024 * 1024 * 1024 },
|
||||
{ "terabyte", 1024ULL * 1024 * 1024 * 1024 },
|
||||
{ "TB", 1024ULL * 1024 * 1024 * 1024 },
|
||||
{ "gigabyte", 1024 * 1024 * 1024 },
|
||||
{ "gbyte", 1024 * 1024 * 1024 },
|
||||
{ "GB", 1024 * 1024 * 1024 },
|
||||
@ -54,28 +54,28 @@ static struct units bytes_units[] = {
|
||||
};
|
||||
|
||||
static struct units bytes_short_units[] = {
|
||||
{ "PB", 1024UL * 1024 * 1024 * 1024 * 1024 },
|
||||
{ "TB", 1024UL * 1024 * 1024 * 1024 },
|
||||
{ "PB", 1024ULL * 1024 * 1024 * 1024 * 1024 },
|
||||
{ "TB", 1024ULL * 1024 * 1024 * 1024 },
|
||||
{ "GB", 1024 * 1024 * 1024 },
|
||||
{ "MB", 1024 * 1024 },
|
||||
{ "KB", 1024 },
|
||||
{ NULL, 0 }
|
||||
};
|
||||
|
||||
ROKEN_LIB_FUNCTION ssize_t ROKEN_LIB_CALL
|
||||
ROKEN_LIB_FUNCTION int64_t ROKEN_LIB_CALL
|
||||
parse_bytes(const char *s, const char *def_unit)
|
||||
{
|
||||
return parse_units (s, bytes_units, def_unit);
|
||||
}
|
||||
|
||||
ROKEN_LIB_FUNCTION int ROKEN_LIB_CALL
|
||||
unparse_bytes(ssize_t t, char *s, size_t len)
|
||||
unparse_bytes(int64_t t, char *s, size_t len)
|
||||
{
|
||||
return unparse_units (t, bytes_units, s, len);
|
||||
}
|
||||
|
||||
ROKEN_LIB_FUNCTION int ROKEN_LIB_CALL
|
||||
unparse_bytes_short (ssize_t t, char *s, size_t len)
|
||||
unparse_bytes_short (int64_t t, char *s, size_t len)
|
||||
{
|
||||
return unparse_units_approx (t, bytes_short_units, s, len);
|
||||
}
|
||||
|
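Review bot: The `1024ULL * …` rewrites of the terabyte and petabyte entries in `bytes_units` and `bytes_short_units` only avoid the overflow if the `mult` member of `struct units` (declared in parse_units.h, outside this diff) is itself 64-bit wide; if it is still a 32-bit `unsigned`, the 2^40 and 2^50 values are truncated at initialisation exactly as before and the ULL suffix changes nothing. Likewise `parse_bytes` now returns `int64_t` but simply returns `parse_units(...)`, and `unparse_bytes` forwards its `int64_t` to `unparse_units`, so the widening only holds end to end if those roken helpers were widened as well. Worth confirming against parse_units.h, and a one-line comment such as `/* mult must be 64-bit wide, see struct units in parse_units.h */` above `bytes_units` would record the dependency.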
6
third_party/heimdal/lib/roken/parse_bytes.h
vendored
6
third_party/heimdal/lib/roken/parse_bytes.h
vendored
@ -38,13 +38,13 @@
|
||||
|
||||
#include <roken.h>
|
||||
|
||||
ROKEN_LIB_FUNCTION ssize_t ROKEN_LIB_CALL
|
||||
ROKEN_LIB_FUNCTION int64_t ROKEN_LIB_CALL
|
||||
parse_bytes(const char *s, const char *def_unit);
|
||||
|
||||
ROKEN_LIB_FUNCTION int ROKEN_LIB_CALL
|
||||
unparse_bytes(ssize_t t, char *s, size_t len);
|
||||
unparse_bytes(int64_t t, char *s, size_t len);
|
||||
|
||||
ROKEN_LIB_FUNCTION int ROKEN_LIB_CALL
|
||||
unparse_bytes_short(ssize_t t, char *s, size_t len);
|
||||
unparse_bytes_short(int64_t t, char *s, size_t len);
|
||||
|
||||
#endif /* __PARSE_BYTES_H__ */
|
||||
|
4
third_party/heimdal/lib/sl/Makefile.am
vendored
4
third_party/heimdal/lib/sl/Makefile.am
vendored
@ -8,8 +8,8 @@ endif
|
||||
|
||||
AM_CPPFLAGS += $(ROKEN_RENAME)
|
||||
|
||||
YFLAGS = -d -o slc-gram.c
|
||||
LFLAGS = @FLEXNOUNPUTARGS@
|
||||
AM_YFLAGS = -d -o slc-gram.c
|
||||
AM_LFLAGS = @FLEXNOUNPUTARGS@
|
||||
|
||||
include_HEADERS = sl.h
|
||||
|
||||
|
@ -39,7 +39,7 @@
|
||||
#include <string.h>
|
||||
|
||||
#ifdef KRB5
|
||||
extern const char *heimdal_version;
|
||||
extern const char *const heimdal_version;
|
||||
#endif
|
||||
#include <version.h>
|
||||
|
||||
|
38
third_party/heimdal/tests/kdc/check-kdc.in
vendored
38
third_party/heimdal/tests/kdc/check-kdc.in
vendored
@ -261,6 +261,7 @@ ${kadmin} ext -k ${keytab} ${alias1}@${R} || exit 1
|
||||
${kadmin} modify --alias=${alias2}@${R} ${alias1}@${R}
|
||||
|
||||
${kadmin} add -p cross1 --use-defaults krbtgt/${R2}@${R} || exit 1
|
||||
${kadmin} modify --attributes=+no-auth-data-reqd krbtgt/${R2}@${R} || exit 1
|
||||
${kadmin} add -p cross2 --use-defaults krbtgt/${R}@${R2} || exit 1
|
||||
|
||||
${kadmin} add -p cross1 --use-defaults krbtgt/${R3}@${R2} || exit 1
|
||||
@ -551,6 +552,20 @@ for a in $enctypes; do
|
||||
done
|
||||
${kdestroy}
|
||||
|
||||
echo "Getting client initial tickets with PAC"; > messages.log
|
||||
${kinit} --request-pac --password-file=${objdir}/foopassword foo@$R || \
|
||||
{ ec=1 ; eval "${testfailed}"; }
|
||||
for a in $enctypes; do
|
||||
echo "Getting tickets for PAC-less service principal ($a)"; > messages.log
|
||||
${kgetcred} -e $a ${server4}@${R2} || { ec=1 ; eval "${testfailed}"; }
|
||||
${test_ap_req} --verify-pac ${server4}@${R2} ${keytab} ${cache} && \
|
||||
{ ec=1 ; eval "${testfailed}"; }
|
||||
${test_ap_req} --no-verify-pac ${server4}@${R2} ${keytab} ${cache} || \
|
||||
{ ec=1 ; eval "${testfailed}"; }
|
||||
${kdestroy} --credential=${server4}@${R2}
|
||||
done
|
||||
${kdestroy}
|
||||
|
||||
echo "Getting client authenticated anonymous initial tickets"; > messages.log
|
||||
${kinit} -n --password-file=${objdir}/foopassword foo@$R || \
|
||||
{ ec=1 ; eval "${testfailed}"; }
|
||||
@ -559,6 +574,8 @@ for a in $enctypes; do
|
||||
${kgetcred} -e $a ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
|
||||
${test_ap_req} --no-verify-pac ${server}@${R} ${keytab} ${cache} || \
|
||||
{ ec=1 ; eval "${testfailed}"; }
|
||||
${test_ap_req} --verify-pac ${server}@${R} ${keytab} ${cache} && \
|
||||
{ ec=1 ; eval "${testfailed}"; }
|
||||
${kdestroy} --credential=${server}@${R}
|
||||
done
|
||||
${kdestroy}
|
||||
@ -575,7 +592,7 @@ for a in $enctypes; do
|
||||
done
|
||||
${kdestroy}
|
||||
|
||||
echo "Getting client initial tickets for cross realm case"; > messages.log
|
||||
echo "Getting client initial tickets for cross realm case (no-auth-data-reqd for ${R2})"; > messages.log
|
||||
${kinit} --password-file=${objdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; }
|
||||
for a in $enctypes; do
|
||||
echo "Getting cross realm tickets ($a)"; > messages.log
|
||||
@ -583,7 +600,24 @@ for a in $enctypes; do
|
||||
echo " checking we we got back right ticket"
|
||||
${klist} | grep ${server2}@ > /dev/null || { ec=1 ; eval "${testfailed}"; }
|
||||
echo " checking if ticket is useful"
|
||||
${test_ap_req} ${server2}@${R2} ${keytab} ${cache} || \
|
||||
${test_ap_req} --no-verify-pac ${server2}@${R2} ${keytab} ${cache} || \
|
||||
{ ec=1 ; eval "${testfailed}"; }
|
||||
${test_ap_req} --verify-pac ${server2}@${R2} ${keytab} ${cache} && \
|
||||
{ ec=1 ; eval "${testfailed}"; }
|
||||
${kdestroy} --credential=${server2}@${R2}
|
||||
done
|
||||
${kdestroy}
|
||||
|
||||
echo "Getting client initial tickets for cross realm case (w/ PAC)"; > messages.log
|
||||
${kadmin} modify --attributes=-no-auth-data-reqd krbtgt/${R2}@${R} || exit 1
|
||||
${kinit} --password-file=${objdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; }
|
||||
for a in $enctypes; do
|
||||
echo "Getting cross realm tickets ($a)"; > messages.log
|
||||
${kgetcred} -e $a ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; }
|
||||
echo " checking we we got back right ticket"
|
||||
${klist} | grep ${server2}@ > /dev/null || { ec=1 ; eval "${testfailed}"; }
|
||||
echo " checking if ticket is useful"
|
||||
${test_ap_req} --verify-pac ${server2}@${R2} ${keytab} ${cache} || \
|
||||
{ ec=1 ; eval "${testfailed}"; }
|
||||
${kdestroy} --credential=${server2}@${R2}
|
||||
done
|
||||
|