1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

third_party/heimdal: Import lorikeet-heimdal-202307040259 (commit 33d117b8a9c11714ef709e63a005d87e34b9bfde)

NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN!

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Joseph Sutton 2023-07-04 15:16:27 +12:00 committed by Andrew Bartlett
parent 5bfccbb764
commit a25f549e9a
69 changed files with 749 additions and 276 deletions

View File

@ -66,44 +66,7 @@
#
# PK-INIT tests
#
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit.ad_dc
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_aes128.ad_dc
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_computer.ad_dc
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_computer_dh.ad_dc
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_dh.ad_dc
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_empty_supported_cms_types.ad_dc
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_empty_supported_cms_types_dh.ad_dc
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_no_des3.ad_dc
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_no_des3_dh.ad_dc
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_no_supported_cms_types.ad_dc
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_no_supported_cms_types_dh.ad_dc
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_rc4.ad_dc
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_service.ad_dc
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_service_dh.ad_dc
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_sha256_certificate_signature.ad_dc
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_sha256_certificate_signature_dh.ad_dc
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_sha256_signature.ad_dc
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_sha256_signature_dh.ad_dc
#
# PK-INIT Freshness tests
#
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_freshness.ad_dc
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_freshness_current.ad_dc
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_freshness_current_dh.ad_dc
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_freshness_dh.ad_dc
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_freshness_empty.ad_dc
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_freshness_empty_dh.ad_dc
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_freshness_future.ad_dc
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_freshness_future_dh.ad_dc
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_freshness_invalid.ad_dc
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_freshness_invalid_dh.ad_dc
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_freshness_non_empty.ad_dc
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_freshness_old.ad_dc
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_freshness_old_dh.ad_dc
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_freshness_rodc_dh.ad_dc
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_freshness_rodc_ts.ad_dc
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_freshness_wrong_header.ad_dc
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_freshness_wrong_header_dh.ad_dc
#
# Windows 2000 PK-INIT tests
#

View File

@ -646,7 +646,7 @@ static int
HandleOP(GetVersionAndCapabilities)
{
int32_t cap = HAS_MONIKER;
char name[256] = "unknown", *str;
char *name = NULL, *str = NULL;
int ret;
if (targetname)
@ -656,13 +656,16 @@ HandleOP(GetVersionAndCapabilities)
{
struct utsname ut;
if (uname(&ut) == 0) {
snprintf(name, sizeof(name), "%s-%s-%s",
ut.sysname, ut.version, ut.machine);
if (asprintf(&name, "%s-%s-%s",
ut.sysname, ut.version, ut.machine) == -1) {
errx(1, "out of memory");
}
}
}
#endif
ret = asprintf(&str, "gssmask %s %s", PACKAGE_STRING, name);
ret = asprintf(&str, "gssmask %s %s", PACKAGE_STRING,
name ? name : "unknown");
if (ret == -1)
errx(1, "out of memory");
@ -670,6 +673,7 @@ HandleOP(GetVersionAndCapabilities)
put32(c, cap);
putstring(c, str);
free(str);
free(name);
return 0;
}

View File

@ -4,7 +4,7 @@
use Getopt::Std;
use File::Compare;
use JSON;
use JSON::PP
my $comment = 0;
my $doxygen = 0;
@ -70,7 +70,7 @@ if($opt_x) {
my $EXP;
local $/;
open(EXP, '<', $opt_x) || die "open ${opt_x}";
my $obj = JSON->new->utf8->decode(<EXP>);
my $obj = JSON::PP->new->utf8->decode(<EXP>);
close $EXP;
foreach my $x (keys %$obj) {

View File

@ -56,7 +56,6 @@ if ! test -f "$srcdir/lib/asn1/der-protos.h" ||
AC_KRB_PROG_PERL
AC_KRB_PERL_MOD(Getopt::Std)
AC_KRB_PERL_MOD(File::Compare)
AC_KRB_PERL_MOD(JSON)
fi
AC_KRB_PROG_YACC
@ -764,16 +763,16 @@ if test -d "$srcdir/.git"; then
#ifndef VERSION_HIDDEN
#define VERSION_HIDDEN
#endif
VERSION_HIDDEN const char *heimdal_long_version = "@([#])\$Version: $PACKAGE_STRING by @USER@ on @HOST@ @BRANCH@ @TAG@ ($host) @COMMIT@ @DATE@ \$";
VERSION_HIDDEN const char *heimdal_version = "AC_PACKAGE_STRING";
VERSION_HIDDEN const char *const heimdal_long_version = "@([#])\$Version: $PACKAGE_STRING by @USER@ on @HOST@ @BRANCH@ @TAG@ ($host) @COMMIT@ @DATE@ \$";
VERSION_HIDDEN const char *const heimdal_version = "AC_PACKAGE_STRING";
EOF
else
cat > include/newversion.h.in <<EOF
#ifndef VERSION_HIDDEN
#define VERSION_HIDDEN
#endif
VERSION_HIDDEN const char *heimdal_long_version = "@([#])\$Version: $PACKAGE_STRING by @USER@ on @HOST@ ($host) @DATE@ \$";
VERSION_HIDDEN const char *heimdal_version = "AC_PACKAGE_STRING";
VERSION_HIDDEN const char *const heimdal_long_version = "@([#])\$Version: $PACKAGE_STRING by @USER@ on @HOST@ ($host) @DATE@ \$";
VERSION_HIDDEN const char *const heimdal_version = "AC_PACKAGE_STRING";
EOF
fi

View File

@ -111,8 +111,8 @@ while(<>) {
$(INCDIR)\version.h: ..\windows\NTMakefile.version NTMakefile
$(CP) << $@
const char *heimdal_long_version = "@(#)$$Version: $(VER_PACKAGE_NAME) $(VER_PACKAGE_VERSION) by $(USERNAME) on $(COMPUTERNAME) ($(CPU)-pc-windows) $$";
const char *heimdal_version = "$(VER_PACKAGE_NAME) $(VER_PACKAGE_VERSION)";
const char *const heimdal_long_version = "@(#)$$Version: $(VER_PACKAGE_NAME) $(VER_PACKAGE_VERSION) by $(USERNAME) on $(COMPUTERNAME) ($(CPU)-pc-windows) $$";
const char *const heimdal_version = "$(VER_PACKAGE_NAME) $(VER_PACKAGE_VERSION)";
<<
all:: $(INCFILES)

View File

@ -136,8 +136,9 @@ check(void *opt, int argc, char **argv)
ret = get_check_entry(p, &ent);
if (ret) {
printf("%s doesn't exist, are you sure %s is a realm in your database",
p, realm);
fprintf(stderr,
"%s does not exist, are you sure %s is a realm in your database?\n",
p, realm);
free(p);
goto fail;
}
@ -156,8 +157,9 @@ check(void *opt, int argc, char **argv)
ret = get_check_entry(p, &ent);
if (ret) {
printf("%s doesn't exist, "
"there is no way to do remote administration", p);
fprintf(stderr,
"%s does not exist, there is no way to do remote administration.\n",
p);
free(p);
goto fail;
}
@ -176,8 +178,9 @@ check(void *opt, int argc, char **argv)
ret = get_check_entry(p, &ent);
if (ret) {
printf("%s doesn't exist, "
"there is no way to do change password", p);
fprintf(stderr,
"%s does not exist, there is no way to do change password.\n",
p);
free(p);
goto fail;
}
@ -189,7 +192,7 @@ check(void *opt, int argc, char **argv)
* Check default@REALM
*
* Check that disallow-all-tix is set on the default principal
* (or that the entry doesn't exists)
* (or that the entry does not exist)
*/
if (asprintf(&p, "default@%s", realm) == -1) {
@ -200,7 +203,7 @@ check(void *opt, int argc, char **argv)
ret = get_check_entry(p, &ent);
if (ret == 0) {
if ((ent.attributes & KRB5_KDB_DISALLOW_ALL_TIX) == 0) {
printf("default template entry is not disabled\n");
fprintf(stderr, "default template entry is not disabled\n");
ret = EINVAL;
}
kadm5_free_principal_ent(kadm_handle, &ent);

View File

@ -473,25 +473,49 @@ The only policy supported by Heimdal is
If a krb5 config file is given, it will be saved in the entry.
.Pp
Possible attributes are:
.Li new-princ ,
.Li support-desmd5 ,
.Li pwchange-service ,
.Li disallow-client ,
.Li disallow-svr ,
.Li requires-pw-change ,
.Li requires-hw-auth ,
.Li requires-pre-auth ,
.Li allow-digest ,
.Li trusted-for-delegation ,
.Li ok-as-delegate ,
.Li disallow-all-tix ,
.Li disallow-dup-skey ,
.Li disallow-proxiable ,
.Li disallow-renewable ,
.Li disallow-tgt-based ,
.Li disallow-forwardable ,
.Li disallow-postdated ,
.Li no-auth-data-reqd
.Bl -tag -width Ds
.It new-princ
not used
.It support-desmd5
not used
.It pwchange-service
for kadmin/admin style service principals
.It requires-pw-change
force the user to change their password
.It requires-hw-auth
.It requires-pre-auth
.It allow-digest
allow NTLM for this user in the KDC's digest service
.It trusted-for-delegation
.It ok-as-delegate
allow forwarding of tickets to this service principal
.It disallow-client
disallow issuance of tickets for this principal as a client
.It disallow-svr
disallow issuance of tickets for this principal as a server
.It disallow-all-tix
disallow issuance of tickets for this principal as a client or
server
.It disallow-dup-skey
not used
.It disallow-proxiable
disallow proxiable tickets
.It disallow-renewable ,
disallow reneable tickets
.It disallow-tgt-based ,
require initial tickets for this service, such as password
changing services
.It disallow-forwardable
disallow forwardable tickets
.It disallow-postdated
disallow postdated tickets
.It no-auth-data-reqd
do not include a PAC in tickets issued to this service
.It auth-data-reqd
do include a PAC in tickets issued to this service even if the
.Li disable_pac
KDC configuration parameter is set to true
.El
.Pp
Attributes may be negated with a "-", e.g.,
.Pp

View File

@ -47,6 +47,7 @@ get_response(const char *prompt, const char *def, char *buf, size_t len);
*/
struct units kdb_attrs[] = {
{ "auth-data-reqd", KRB5_KDB_AUTH_DATA_REQUIRED },
{ "no-auth-data-reqd", KRB5_KDB_NO_AUTH_DATA_REQUIRED },
{ "disallow-client", KRB5_KDB_DISALLOW_CLIENT },
{ "virtual", KRB5_KDB_VIRTUAL },

View File

@ -36,6 +36,8 @@
#include <getarg.h>
#include <parse_bytes.h>
#define MAX_REQUEST_MAX 67108864ll /* 64MB, the maximum accepted value of max_request */
static const char *config_file; /* location of kcm config file */
size_t max_request = 0; /* maximal size of a request */
@ -360,13 +362,16 @@ kcm_configure(int argc, char **argv)
}
if (max_request_str) {
ssize_t bytes;
int64_t bytes;
if ((bytes = parse_bytes(max_request_str, NULL)) < 0)
krb5_errx(kcm_context, 1,
"--max-request size must be non-negative");
if (bytes > MAX_REQUEST_MAX)
krb5_errx(kcm_context, 1, "--max-request size is too big "
"(must be smaller than %lld)", MAX_REQUEST_MAX);
max_request = bytes;
max_request = bytes;
}
if(max_request == 0){
@ -376,11 +381,15 @@ kcm_configure(int argc, char **argv)
"max-request",
NULL);
if (p) {
ssize_t bytes;
int64_t bytes;
if ((bytes = parse_bytes(max_request_str, NULL)) < 0)
krb5_errx(kcm_context, 1,
"[kcm] max-request size must be non-negative");
if (bytes > MAX_REQUEST_MAX)
krb5_errx(kcm_context, 1, "[kcm] max-request size is too big "
"(must be smaller than %lld)", MAX_REQUEST_MAX);
max_request = bytes;
}
}

View File

@ -37,6 +37,8 @@
#include <getarg.h>
#include <parse_bytes.h>
#define MAX_REQUEST_MAX 67108864ll /* 64MB, the maximum accepted value of max_request */
struct dbinfo {
char *realm;
char *dbname;
@ -222,11 +224,16 @@ configure(krb5_context context, int argc, char **argv, int *optidx)
krb5_err(context, 1, ret, "krb5_kdc_set_dbinfo");
if (max_request_str) {
ssize_t bytes;
int64_t bytes;
if ((bytes = parse_bytes(max_request_str, NULL)) < 0)
krb5_errx(context, 1, "--max-request must be non-negative");
max_request_tcp = max_request_udp = bytes;
if (bytes > MAX_REQUEST_MAX)
krb5_errx(context, 1, "--max-request size is too big "
"(must be smaller than %lld)", MAX_REQUEST_MAX);
max_request_tcp = max_request_udp = bytes;
}
if(max_request_tcp == 0){
@ -236,10 +243,15 @@ configure(krb5_context context, int argc, char **argv, int *optidx)
"max-request",
NULL);
if (p) {
ssize_t bytes;
int64_t bytes;
if ((bytes = parse_bytes(max_request_str, NULL)) < 0)
krb5_errx(context, 1, "[kdc] max-request must be non-negative");
if (bytes > MAX_REQUEST_MAX)
krb5_errx(context, 1, "[kdc] max-request size is too big "
"(must be smaller than %lld)", MAX_REQUEST_MAX);
max_request_tcp = max_request_udp = bytes;
}
}

View File

@ -101,11 +101,13 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
c->strict_nametypes = FALSE;
c->trpolicy = TRPOLICY_ALWAYS_CHECK;
c->require_pac = FALSE;
c->disable_pac = FALSE;
c->enable_fast = TRUE;
c->enable_fast_cookie = TRUE;
c->enable_armored_pa_enc_timestamp = TRUE;
c->enable_unarmored_pa_enc_timestamp = TRUE;
c->enable_pkinit = FALSE;
c->require_pkinit_freshness = FALSE;
c->pkinit_princ_in_cert = TRUE;
c->pkinit_require_binding = TRUE;
c->synthetic_clients = FALSE;
@ -264,6 +266,14 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
"require_pac",
NULL);
c->disable_pac =
krb5_config_get_bool_default(context,
NULL,
c->disable_pac,
"kdc",
"disable_pac",
NULL);
c->enable_fast =
krb5_config_get_bool_default(context,
NULL,
@ -304,6 +314,13 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
"enable-pkinit",
NULL);
c->require_pkinit_freshness =
krb5_config_get_bool_default(context,
NULL,
c->require_pkinit_freshness,
"kdc",
"require-pkinit-freshness",
NULL);
c->pkinit_kdc_identity =
krb5_config_get_string(context, NULL,

View File

@ -1274,6 +1274,7 @@ make_kstuple(krb5_context context,
/* Copied from kadmin/util.c */
struct units kdb_attrs[] = {
{ "auth-data-reqd", KRB5_KDB_AUTH_DATA_REQUIRED },
{ "no-auth-data-reqd", KRB5_KDB_NO_AUTH_DATA_REQUIRED },
{ "disallow-client", KRB5_KDB_DISALLOW_CLIENT },
{ "virtual", KRB5_KDB_VIRTUAL },

View File

@ -86,9 +86,11 @@ struct krb5_kdc_configuration {
unsigned int strict_nametypes : 1;
enum krb5_kdc_trpolicy trpolicy;
unsigned int disable_pac : 1;
unsigned int enable_unarmored_pa_enc_timestamp : 1;
unsigned int enable_pkinit : 1;
unsigned int require_pkinit_freshness : 1;
unsigned int pkinit_princ_in_cert : 1;
const char *pkinit_kdc_identity;
const char *pkinit_kdc_anchors;

View File

@ -585,6 +585,13 @@ pa_pkinit_validate(astgs_request_t r, const PA_DATA *pa)
goto out;
}
/* Validate the freshness token. */
ret = _kdc_pk_validate_freshness_token(r, pkp);
if (ret) {
_kdc_r_log(r, 4, "Failed to validate freshness token");
goto out;
}
ret = _kdc_pk_check_client(r, pkp, &client_cert);
if (client_cert)
kdc_audit_addkv((kdc_request_t)r, 0, KDC_REQUEST_KV_PKINIT_CLIENT_CERT,
@ -615,6 +622,12 @@ pa_pkinit_validate(astgs_request_t r, const PA_DATA *pa)
kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT,
KDC_AUTH_EVENT_PREAUTH_SUCCEEDED);
/*
* Match Windows by preferring the authenticator nonce over the one in the
* request body.
*/
r->ek.nonce = _kdc_pk_nonce(pkp);
out:
if (pkp)
_kdc_pk_free_client_param(r->context, pkp);
@ -1273,6 +1286,109 @@ pa_enc_ts_validate(astgs_request_t r, const PA_DATA *pa)
return ret;
}
#ifdef PKINIT
static krb5_error_code
make_freshness_token(astgs_request_t r, const Key *krbtgt_key, unsigned krbtgt_kvno)
{
krb5_error_code ret = 0;
const struct timeval current_kdc_time = krb5_kdc_get_time();
int usec = current_kdc_time.tv_usec;
const PA_ENC_TS_ENC ts_enc = {
.patimestamp = current_kdc_time.tv_sec,
.pausec = &usec,
};
unsigned char *encoded_ts_enc = NULL;
size_t ts_enc_size;
size_t ts_enc_len = 0;
EncryptedData encdata;
krb5_crypto crypto;
unsigned char *token = NULL;
size_t token_size;
size_t token_len = 0;
size_t token_alloc_size;
ASN1_MALLOC_ENCODE(PA_ENC_TS_ENC,
encoded_ts_enc,
ts_enc_size,
&ts_enc,
&ts_enc_len,
ret);
if (ret)
return ret;
if (ts_enc_size != ts_enc_len)
krb5_abortx(r->context, "internal error in ASN.1 encoder");
ret = krb5_crypto_init(r->context, &krbtgt_key->key, 0, &crypto);
if (ret) {
free(encoded_ts_enc);
return ret;
}
ret = krb5_encrypt_EncryptedData(r->context,
crypto,
KRB5_KU_AS_FRESHNESS,
encoded_ts_enc,
ts_enc_len,
krbtgt_kvno,
&encdata);
free(encoded_ts_enc);
krb5_crypto_destroy(r->context, crypto);
if (ret)
return ret;
token_size = length_EncryptedData(&encdata);
token_alloc_size = token_size + 2; /* Account for the two leading zero bytes. */
token = calloc(1, token_alloc_size);
if (token == NULL) {
free_EncryptedData(&encdata);
return ENOMEM;
}
ret = encode_EncryptedData(token + token_alloc_size - 1,
token_size,
&encdata,
&token_len);
free_EncryptedData(&encdata);
if (ret) {
free(token);
return ret;
}
if (token_size != token_len)
krb5_abortx(r->context, "internal error in ASN.1 encoder");
ret = krb5_padata_add(r->context,
r->rep.padata,
KRB5_PADATA_AS_FRESHNESS,
token,
token_alloc_size);
if (ret)
free(token);
return ret;
}
#endif /* PKINIT */
static krb5_error_code
send_freshness_token(astgs_request_t r, const Key *krbtgt_key, unsigned krbtgt_kvno)
{
krb5_error_code ret = 0;
#ifdef PKINIT
int idx = 0;
const PA_DATA *freshness_padata = NULL;
freshness_padata = _kdc_find_padata(&r->req,
&idx,
KRB5_PADATA_AS_FRESHNESS);
if (freshness_padata == NULL) {
return 0;
}
ret = make_freshness_token(r, krbtgt_key, krbtgt_kvno);
#endif /* PKINIT */
return ret;
}
struct kdc_patypes {
int type;
const char *name;
@ -1629,8 +1745,8 @@ get_pa_etype_info(krb5_context context,
*
*/
extern int _krb5_AES_SHA1_string_to_default_iterator;
extern int _krb5_AES_SHA2_string_to_default_iterator;
extern const int _krb5_AES_SHA1_string_to_default_iterator;
extern const int _krb5_AES_SHA2_string_to_default_iterator;
static krb5_error_code
make_s2kparams(int value, size_t len, krb5_data **ps2kparams)
@ -2365,6 +2481,7 @@ _kdc_as_rep(astgs_request_t r)
krb5_boolean is_tgs;
const char *msg;
Key *krbtgt_key;
unsigned krbtgt_kvno;
memset(rep, 0, sizeof(*rep));
@ -2531,6 +2648,36 @@ _kdc_as_rep(astgs_request_t r)
goto out;
}
/*
* Select the best encryption type for the KDC without regard to
* the client since the client never needs to read that data.
*/
ret = _kdc_get_preferred_key(r->context, config,
r->server, r->sname,
&setype, &skey);
if(ret)
goto out;
/* If server is not krbtgt, fetch local krbtgt key for signing authdata */
if (is_tgs) {
krbtgt_key = skey;
krbtgt_kvno = r->server->kvno;
} else {
ret = get_local_tgs(r->context, config, r->server_princ->realm,
&r->krbtgtdb, &r->krbtgt);
if (ret)
goto out;
ret = _kdc_get_preferred_key(r->context, config, r->krbtgt,
r->server_princ->realm,
NULL, &krbtgt_key);
if (ret)
goto out;
krbtgt_kvno = r->server->kvno;
}
/*
* Pre-auth processing
*/
@ -2654,6 +2801,14 @@ _kdc_as_rep(astgs_request_t r)
goto out;
}
/*
* If the client indicated support for PKINIT Freshness, send back a
* freshness token.
*/
ret = send_freshness_token(r, krbtgt_key, krbtgt_kvno);
if (ret)
goto out;
/*
* send requre preauth is its required or anon is requested,
* anon is today only allowed via preauth mechanisms.
@ -2690,33 +2845,6 @@ _kdc_as_rep(astgs_request_t r)
kdc_audit_setkv_number((kdc_request_t)r, KDC_REQUEST_KV_AUTH_EVENT,
KDC_AUTH_EVENT_CLIENT_AUTHORIZED);
/*
* Select the best encryption type for the KDC with out regard to
* the client since the client never needs to read that data.
*/
ret = _kdc_get_preferred_key(r->context, config,
r->server, r->sname,
&setype, &skey);
if(ret)
goto out;
/* If server is not krbtgt, fetch local krbtgt key for signing authdata */
if (is_tgs) {
krbtgt_key = skey;
} else {
ret = get_local_tgs(r->context, config, r->server_princ->realm,
&r->krbtgtdb, &r->krbtgt);
if (ret)
goto out;
ret = _kdc_get_preferred_key(r->context, config, r->krbtgt,
r->server_princ->realm,
NULL, &krbtgt_key);
if (ret)
goto out;
}
if(f.renew || f.validate || f.proxy || f.forwarded || f.enc_tkt_in_skey) {
ret = KRB5KDC_ERR_BADOPTION;
_kdc_set_e_text(r, "Bad KDC options");
@ -2925,7 +3053,10 @@ _kdc_as_rep(astgs_request_t r)
r->ek.last_req.val[r->ek.last_req.len].lr_value = 0;
++r->ek.last_req.len;
}
r->ek.nonce = b->nonce;
/* Set the nonce if its not already set. */
if (!r->ek.nonce) {
r->ek.nonce = b->nonce;
}
if (r->client->valid_end || r->client->pw_end) {
ALLOC(r->ek.key_expiration);
if (r->client->valid_end) {

View File

@ -331,6 +331,10 @@ _kdc_verify_checksum(krb5_context context,
* tickets, policy is governed by whether the client explicitly requested
* a PAC be omitted when requesting a TGT, or if the no-auth-data-reqd
* flag is set on the service principal entry.
*
* However, when issuing a cross-realm TGT to an AD realm our PAC might not
* interoperate correctly. Therefore we honor the no-auth-data-reqd HDB entry
* flag on cross-realm TGTs.
*/
krb5_boolean

View File

@ -67,6 +67,7 @@ struct pk_client_params {
hx509_peer_info peer;
hx509_certs client_anchors;
hx509_verify_ctx verify_ctx;
heim_octet_string *freshness_token;
};
struct pk_principal_mapping {
@ -681,6 +682,7 @@ _kdc_pk_rd_padata(astgs_request_t priv,
ret = KRB5KRB_ERR_GENERIC;
krb5_set_error_message(context, ret,
"DH not supported for Win2k");
free_AuthPack_Win2k(&ap);
goto out;
}
free_AuthPack_Win2k(&ap);
@ -766,6 +768,25 @@ _kdc_pk_rd_padata(astgs_request_t priv,
hx509_peer_info_add_cms_alg(context->hx509ctx, cp->peer,
hx509_signature_sha1());
}
/*
* Copy the freshness token into the out parameters if it is present.
*/
if (ap.pkAuthenticator.freshnessToken != NULL) {
cp->freshness_token = calloc(1, sizeof (cp->freshness_token));
if (cp->freshness_token == NULL) {
ret = ENOMEM;
free_AuthPack(&ap);
goto out;
}
ret = der_copy_octet_string(ap.pkAuthenticator.freshnessToken, cp->freshness_token);
if (ret) {
free_AuthPack(&ap);
goto out;
}
}
free_AuthPack(&ap);
} else
krb5_abortx(context, "internal pkinit error");
@ -800,6 +821,12 @@ _kdc_pk_max_life(pk_client_params *pkp)
return pkp->max_life;
}
unsigned
_kdc_pk_nonce(pk_client_params *pkp)
{
return pkp->nonce;
}
/*
*
*/
@ -1813,6 +1840,156 @@ _kdc_pk_check_client(astgs_request_t r,
return ret;
}
krb5_error_code
_kdc_pk_validate_freshness_token(astgs_request_t r,
pk_client_params *cp)
{
krb5_error_code ret = 0;
uint8_t *token_data = NULL;
size_t token_len;
uint8_t *remaining_token_data = NULL;
size_t remaining_len;
EncryptedData enc_data;
size_t size;
const hdb_entry *krbtgt = NULL;
krb5_kvno kvno;
const Keys *keys = NULL;
Key *key = NULL;
krb5_crypto crypto;
krb5_data ts_data;
PA_ENC_TS_ENC ts_enc;
long time_diff;
if (cp->freshness_token == NULL) {
if (r->config->require_pkinit_freshness) {
ret = KRB5KDC_ERR_PREAUTH_FAILED;
kdc_log(r->context, r->config, 0, "PKINIT request is missing required freshness token");
}
return ret;
}
token_data = cp->freshness_token->data;
token_len = cp->freshness_token->length;
/* Ensure that the token be not empty. */
if (token_data == NULL) {
kdc_log(r->context, r->config, 0, "Got empty freshness token");
return KRB5KDC_ERR_PREAUTH_FAILED;
}
/* Ensure that the two leading bytes are zero. */
if (token_len < 2 || token_data[0] || token_data[1]) {
kdc_log(r->context, r->config, 0, "Freshness token contains invalid data");
return KRB5KRB_AP_ERR_MODIFIED;
}
/* Decrypt the freshness token. */
remaining_token_data = token_data + 2;
remaining_len = token_len - 2;
ret = decode_EncryptedData(remaining_token_data, remaining_len, &enc_data, &size);
if (ret) {
kdc_log(r->context, r->config, 0, "Failed to decode freshness token");
return KRB5KRB_AP_ERR_MODIFIED;
}
if (size != remaining_len) {
kdc_log(r->context, r->config, 0, "Trailing data in EncryptedData of freshness token");
free_EncryptedData(&enc_data);
return KRB5KRB_AP_ERR_MODIFIED;
}
krbtgt = (r->krbtgt != NULL) ? r->krbtgt : r->server;
kvno = (enc_data.kvno != NULL) ? *enc_data.kvno : 0;
/* We will only accept freshness tokens signed by our local krbtgt. */
keys = hdb_kvno2keys(r->context, krbtgt, kvno);
if (keys == NULL) {
kdc_log(r->context, r->config, 0,
"No key with kvno %"PRId32" to decrypt freshness token",
kvno);
free_EncryptedData(&enc_data);
return KRB5KDC_ERR_PREAUTH_FAILED;
}
ret = hdb_enctype2key(r->context, r->client, keys,
enc_data.etype, &key);
if (ret) {
kdc_log(r->context, r->config, 0,
"No key with kvno %"PRId32", enctype %d to decrypt freshness token",
kvno, enc_data.etype);
free_EncryptedData(&enc_data);
return KRB5KDC_ERR_PREAUTH_FAILED;
}
ret = krb5_crypto_init(r->context, &key->key, 0, &crypto);
if (ret) {
const char *msg = krb5_get_error_message(r->context, ret);
kdc_log(r->context, r->config, 0,
"While attempting to decrypt freshness token, krb5_crypto_init failed: %s", msg);
krb5_free_error_message(r->context, msg);
free_EncryptedData(&enc_data);
return ret;
}
ret = krb5_decrypt_EncryptedData(r->context,
crypto,
KRB5_KU_AS_FRESHNESS,
&enc_data,
&ts_data);
krb5_crypto_destroy(r->context, crypto);
free_EncryptedData(&enc_data);
if (ret) {
kdc_log(r->context, r->config, 0, "Failed to decrypt freshness token");
free_EncryptedData(&enc_data);
return KRB5KRB_AP_ERR_MODIFIED;
}
/* Decode the timestamp. */
ret = decode_PA_ENC_TS_ENC(ts_data.data,
ts_data.length,
&ts_enc,
&size);
if (ret) {
kdc_log(r->context, r->config, 0, "Failed to decode PA-ENC-TS-ENC in freshness token");
krb5_data_free(&ts_data);
return KRB5KRB_AP_ERR_MODIFIED;
}
if (size != ts_data.length) {
kdc_log(r->context, r->config, 0, "Trailing data in PA-ENC-TS-ENC of freshness token");
free_PA_ENC_TS_ENC(&ts_enc);
krb5_data_free(&ts_data);
return KRB5KRB_AP_ERR_MODIFIED;
}
krb5_data_free(&ts_data);
time_diff = labs(kdc_time - ts_enc.patimestamp);
if (time_diff > r->context->max_skew) {
char token_time[100];
krb5_format_time(r->context, ts_enc.patimestamp,
token_time, sizeof(token_time), TRUE);
kdc_log(r->context, r->config, 4, "Freshness token has too large time skew: "
"time in token %s is out by %ld > %ld seconds — %s",
token_time,
time_diff,
r->context->max_skew,
r->cname);
r->e_text = NULL;
free_PA_ENC_TS_ENC(&ts_enc);
return KRB5_KDC_ERR_PREAUTH_EXPIRED;
}
free_PA_ENC_TS_ENC(&ts_enc);
return 0;
}
static krb5_error_code
add_principal_mapping(krb5_context context,
const char *principal_name,

View File

@ -779,29 +779,81 @@ get_new_tickets(krb5_context context,
#ifdef HAVE_FRAMEWORK_SECURITY
if (passwd[0] == '\0') {
enum querykey {
qk_class, qk_matchlimit, qk_service, qk_account, qk_secreturndata,
};
const void *querykeys[] = {
[qk_class] = kSecClass,
[qk_matchlimit] = kSecMatchLimit,
[qk_service] = kSecAttrService,
[qk_account] = kSecAttrAccount,
[qk_secreturndata] = kSecReturnData,
};
const void *queryargs[] = {
[qk_class] = kSecClassGenericPassword,
[qk_matchlimit] = kSecMatchLimitOne,
[qk_service] = NULL, /* filled in later */
[qk_account] = NULL, /* filled in later */
[qk_secreturndata] = kCFBooleanTrue,
};
CFStringRef service_ref = NULL;
CFStringRef account_ref = NULL;
CFDictionaryRef query_ref = NULL;
const char *realm;
OSStatus osret;
UInt32 length;
void *buffer;
char *name;
char *name = NULL;
CFTypeRef item_ref = NULL;
CFDataRef item;
CFIndex length;
realm = krb5_principal_get_realm(context, principal);
ret = krb5_unparse_name_flags(context, principal,
KRB5_PRINCIPAL_UNPARSE_NO_REALM, &name);
if (ret)
goto nopassword;
goto fail;
osret = SecKeychainFindGenericPassword(NULL, strlen(realm), realm,
strlen(name), name,
&length, &buffer, NULL);
service_ref = CFStringCreateWithCString(kCFAllocatorDefault, realm,
kCFStringEncodingUTF8);
if (service_ref == NULL)
goto fail;
account_ref = CFStringCreateWithCString(kCFAllocatorDefault, name,
kCFStringEncodingUTF8);
if (account_ref == NULL)
goto fail;
queryargs[qk_service] = service_ref;
queryargs[qk_account] = account_ref;
query_ref = CFDictionaryCreate(kCFAllocatorDefault,
querykeys, queryargs,
/*numValues*/sizeof(querykeys)/sizeof(querykeys[0]),
/*keyCallbacks*/NULL, /*valueCallbacks*/NULL);
if (query_ref == NULL)
goto fail;
osret = SecItemCopyMatching(query_ref, &item_ref);
if (osret != noErr)
goto fail;
item = item_ref;
length = CFDataGetLength(item);
if (length >= sizeof(passwd) - 1)
goto fail;
CFDataGetBytes(item, CFRangeMake(0, length), (UInt8 *)passwd);
passwd[length] = '\0';
fail:
if (item_ref)
CFRelease(item_ref);
if (query_ref)
CFRelease(query_ref);
if (account_ref)
CFRelease(account_ref);
if (service_ref)
CFRelease(service_ref);
free(name);
if (osret == noErr && length < sizeof(passwd) - 1) {
memcpy(passwd, buffer, length);
passwd[length] = '\0';
}
nopassword:
do { } while(0);
}
#endif

View File

@ -4,7 +4,7 @@ include $(top_srcdir)/Makefile.am.common
WFLAGS += $(WFLAGS_ENUM_CONV)
YFLAGS = -o asn1parse.c -t
AM_YFLAGS = -d -o asn1parse.c -t
AM_CPPFLAGS += $(ROKEN_RENAME) -I$(top_builddir)/include -I$(top_srcdir)/lib/base

View File

@ -54,6 +54,12 @@
static int my_copy_vers_called;
static int my_free_vers_called;
#include <limits.h>
#if UINT_MAX == 0xffffffff
// 32 bit
#define DISABLE_TEST_64
#endif
int
my_copy_vers(const my_vers *from, my_vers *to)
{
@ -2143,17 +2149,21 @@ static int
test_default(void)
{
struct test_case tests[] = {
#ifndef DISABLE_TEST_64
{ NULL, 2, "\x30\x00", NULL },
#endif
{ NULL, 25,
"\x30\x17\x0c\x07\x68\x65\x69\x6d\x64\x61"
"\x6c\xa0\x03\x02\x01\x07\x02\x04\x7f\xff"
"\xff\xff\x01\x01\x00",
NULL
},
#ifndef DISABLE_TEST_64
{ NULL, 10,
"\x30\x08\xa0\x03\x02\x01\x07\x01\x01\x00",
NULL
},
#endif
{ NULL, 17,
"\x30\x0f\x0c\x07\x68\x65\x69\x6d\x64\x61\x6c\x02\x04"
"\x7f\xff\xff\xff",
@ -2162,9 +2172,13 @@ test_default(void)
};
TESTDefault values[] = {
{ "Heimdal", 8, 9223372036854775807, 1 },
#ifndef DISABLE_TEST_64
{ "Heimdal", 8, 9223372036854775807LL, 1 },
#endif
{ "heimdal", 7, 2147483647, 0 },
{ "Heimdal", 7, 9223372036854775807, 0 },
#ifndef DISABLE_TEST_64
{ "Heimdal", 7, 9223372036854775807LL, 0 },
#endif
{ "heimdal", 8, 2147483647, 1 },
};
int i, ret;

View File

@ -197,6 +197,7 @@ PADATA-TYPE ::= INTEGER {
KRB5-PADATA-PKINIT-KX(147), -- krb-wg-anon
KRB5-PADATA-PKU2U-NAME(148), -- zhu-pku2u
KRB5-PADATA-REQ-ENC-PA-REP(149), --
KRB5-PADATA-AS-FRESHNESS(150), -- RFC 8070
KER5-PADATA-KERB-KEY-LIST-REQ(161), -- MS-KILE
KER5-PADATA-KERB-PAKEY-LIST-REP(162), -- MS-KILE
KRB5-PADATA-SUPPORTED-ETYPES(165), -- MS-KILE

View File

@ -83,6 +83,7 @@ PKAuthenticator ::= SEQUENCE {
ctime [1] KerberosTime,
nonce [2] INTEGER (0..4294967295),
paChecksum [3] OCTET STRING OPTIONAL,
freshnessToken [4] OCTET STRING OPTIONAL,
...
}

View File

@ -75,6 +75,7 @@ struct heim_plugin_common_ftable_desc {
};
typedef struct heim_plugin_common_ftable_desc heim_plugin_common_ftable;
typedef struct heim_plugin_common_ftable_desc *heim_plugin_common_ftable_p;
typedef const struct heim_plugin_common_ftable_desc *heim_plugin_common_ftable_const_p;
typedef struct heim_plugin_common_ftable_desc * const heim_plugin_common_ftable_cp;
typedef int

View File

@ -52,10 +52,8 @@ dict_dealloc(void *ptr)
{
heim_dict_t dict = ptr;
struct hashentry **h, *g, *i;
size_t j;
for (j = 0; j < dict->size; ++j) {
h = &dict->tab[j];
for (h = dict->tab; h < &dict->tab[dict->size]; ++h) {
for (g = h[0]; g; g = i) {
i = g->next;
heim_release(g->key);

View File

@ -40,7 +40,7 @@
static heim_base_atomic(uint32_t) tidglobal = HEIM_TID_USER;
struct heim_base {
heim_type_t isa;
heim_const_type_t isa;
heim_base_atomic(uint32_t) ref_cnt;
HEIM_TAILQ_ENTRY(heim_base) autorel;
heim_auto_release_t autorelpool;
@ -49,7 +49,7 @@ struct heim_base {
/* specialized version of base */
struct heim_base_mem {
heim_type_t isa;
heim_const_type_t isa;
heim_base_atomic(uint32_t) ref_cnt;
HEIM_TAILQ_ENTRY(heim_base) autorel;
heim_auto_release_t autorelpool;
@ -182,7 +182,7 @@ static heim_type_t tagged_isa[9] = {
NULL
};
heim_type_t
heim_const_type_t
_heim_get_isa(heim_object_t ptr)
{
struct heim_base *p;
@ -206,7 +206,7 @@ _heim_get_isa(heim_object_t ptr)
heim_tid_t
heim_get_tid(heim_object_t ptr)
{
heim_type_t isa = _heim_get_isa(ptr);
heim_const_type_t isa = _heim_get_isa(ptr);
return isa->tid;
}
@ -221,7 +221,7 @@ heim_get_tid(heim_object_t ptr)
uintptr_t
heim_get_hash(heim_object_t ptr)
{
heim_type_t isa = _heim_get_isa(ptr);
heim_const_type_t isa = _heim_get_isa(ptr);
if (isa->hash)
return isa->hash(ptr);
return (uintptr_t)ptr;
@ -241,7 +241,7 @@ int
heim_cmp(heim_object_t a, heim_object_t b)
{
heim_tid_t ta, tb;
heim_type_t isa;
heim_const_type_t isa;
ta = heim_get_tid(a);
tb = heim_get_tid(b);
@ -272,7 +272,7 @@ memory_dealloc(void *ptr)
}
}
struct heim_type_data memory_object = {
static const struct heim_type_data memory_object = {
HEIM_TID_MEMORY,
"memory-object",
NULL,
@ -338,7 +338,7 @@ _heim_create_type(const char *name,
}
heim_object_t
_heim_alloc_object(heim_type_t type, size_t size)
_heim_alloc_object(heim_const_type_t type, size_t size)
{
/* XXX should use posix_memalign */
struct heim_base *p = calloc(1, size + sizeof(*p));

View File

@ -102,7 +102,7 @@ struct heim_plugin_data {
const char *module;
const char *name;
int min_version;
const char **deps;
const char *const *deps;
heim_get_instance_func_t get_instance;
};

View File

@ -46,6 +46,7 @@ typedef uintptr_t (*heim_type_hash)(void *);
typedef heim_string_t (*heim_type_description)(void *);
typedef struct heim_type_data *heim_type_t;
typedef const struct heim_type_data *heim_const_type_t;
struct heim_type_data {
heim_tid_t tid;
@ -58,7 +59,7 @@ struct heim_type_data {
heim_type_description desc;
};
heim_type_t _heim_get_isa(heim_object_t);
heim_const_type_t _heim_get_isa(heim_object_t);
heim_type_t
_heim_create_type(const char *name,
@ -70,7 +71,7 @@ _heim_create_type(const char *name,
heim_type_description desc);
heim_object_t
_heim_alloc_object(heim_type_t type, size_t size);
_heim_alloc_object(heim_const_type_t type, size_t size);
void *
_heim_get_isaextra(heim_object_t o, size_t idx);

View File

@ -152,7 +152,7 @@ copy_internal_dso(const char *name)
}
struct heim_plugin {
heim_plugin_common_ftable_p ftable;
heim_plugin_common_ftable_const_p ftable;
void *ctx;
};
@ -166,7 +166,7 @@ plugin_free(void *ptr)
}
struct heim_plugin_register_ctx {
void *symbol;
const void *symbol;
int is_dup;
};
@ -199,7 +199,7 @@ heim_plugin_register(heim_context context,
heim_pcontext pcontext,
const char *module,
const char *name,
void *ftable)
const void *ftable)
{
heim_error_code ret;
heim_array_t plugins;
@ -480,7 +480,7 @@ struct iter_ctx {
heim_context context;
heim_pcontext pcontext;
heim_string_t n;
struct heim_plugin_data *caller;
const struct heim_plugin_data *caller;
int flags;
heim_array_t result;
int32_t (HEIM_LIB_CALL *func)(void *, const void *, void *, void *);
@ -540,7 +540,7 @@ add_dso_plugin_struct(heim_context context,
static int
validate_plugin_deps(heim_context context,
struct heim_plugin_data *caller,
const struct heim_plugin_data *caller,
const char *dsopath,
heim_get_instance_func_t get_instance)
{
@ -583,7 +583,7 @@ validate_plugin_deps(heim_context context,
static heim_array_t
add_dso_plugins_load_fn(heim_context context,
heim_pcontext pcontext,
struct heim_plugin_data *caller,
const struct heim_plugin_data *caller,
const char *dsopath,
void *dsohandle)
{
@ -635,7 +635,7 @@ add_dso_plugins_load_fn(heim_context context,
heim_warn(context, ret, "plugin %s[%zu] failed to initialize",
dsopath, i);
} else {
pl->ftable = rk_UNCONST(cpm);
pl->ftable = cpm;
heim_array_append_value(plugins, pl);
}
heim_release(pl);
@ -738,7 +738,7 @@ eval_results(heim_object_t value, void *ctx, int *stop)
heim_error_code
heim_plugin_run_f(heim_context context,
heim_pcontext pcontext,
struct heim_plugin_data *caller,
const struct heim_plugin_data *caller,
int flags,
int32_t nohandle,
void *userctx,

View File

@ -2,8 +2,8 @@
include $(top_srcdir)/Makefile.am.common
YFLAGS = -d -o parse.c
LFLAGS = @FLEXNOUNPUTARGS@
AM_YFLAGS = -d -o parse.c
AM_LFLAGS = @FLEXNOUNPUTARGS@
lib_LTLIBRARIES = libcom_err.la
libcom_err_la_LDFLAGS = -version-info 2:3:1

View File

@ -63,7 +63,7 @@ error_message (long code)
}
KRB5_LIB_FUNCTION int KRB5_LIB_CALL
init_error_table(const char **msgs, long base, int count)
init_error_table(const char *const *msgs, long base, int count)
{
initialize_error_table_r(&_et_list, msgs, count, base);
return 0;

View File

@ -51,7 +51,7 @@ KRB5_LIB_FUNCTION const char * KRB5_LIB_CALL
error_message (long);
KRB5_LIB_FUNCTION int KRB5_LIB_CALL
init_error_table (const char**, long, int);
init_error_table (const char *const *, long, int);
KRB5_LIB_FUNCTION void KRB5_LIB_CALL
com_err_va (const char *, long, const char *, va_list)

View File

@ -79,7 +79,7 @@ KRB5_LIB_FUNCTION const char * KRB5_LIB_CALL
com_right_r (struct et_list *list, long code, char *, size_t);
KRB5_LIB_FUNCTION void KRB5_LIB_CALL
initialize_error_table_r (struct et_list **, const char **, int, long);
initialize_error_table_r (struct et_list **, const char *const *, int, long);
KRB5_LIB_FUNCTION void KRB5_LIB_CALL
free_error_table (struct et_list *);

View File

@ -87,7 +87,7 @@ generate_c(void)
fprintf(c_file, "#define N_(x) (x)\n");
fprintf(c_file, "\n");
fprintf(c_file, "static const char *%s_error_strings[] = {\n", name);
fprintf(c_file, "static const char *const %s_error_strings[] = {\n", name);
for(ec = codes, n = 0; ec; ec = ec->next, n++) {
while(n < ec->number) {

View File

@ -81,7 +81,7 @@ struct foobar {
KRB5_LIB_FUNCTION void KRB5_LIB_CALL
initialize_error_table_r(struct et_list **list,
const char **messages,
const char *const *messages,
int num_errors,
long base)
{

View File

@ -769,7 +769,7 @@ mdb_seq(krb5_context context, HDB *db,
{
DB *d = (DB*)db->hdb_db;
DBT key, value;
krb5_data key_data, data;
krb5_data data;
int code;
code = db->hdb_lock(context, db, HDB_RLOCK);
@ -790,8 +790,6 @@ mdb_seq(krb5_context context, HDB *db,
return HDB_ERR_NOENTRY;
}
key_data.data = key.data;
key_data.length = key.size;
data.data = value.data;
data.length = value.size;
memset(entry, 0, sizeof(*entry));

View File

@ -55,6 +55,7 @@ HDBFlags ::= BIT STRING {
virtual(21), -- entry not stored; keys always derived
synthetic(22), -- entry not stored; for PKINIT
no-auth-data-reqd(23), -- omit PAC from service tickets
auth-data-reqd(24), -- include PAC in service tickets
force-canonicalize(30), -- force the KDC to return the canonical
-- principal irrespective of the setting

View File

@ -11,7 +11,7 @@ BUILT_SOURCES = \
hx509_err.c \
hx509_err.h
AM_YFLAGS = -o sel-gram.c
AM_YFLAGS = -d -o sel-gram.c
dist_libhx509_la_SOURCES = \
ca.c \

View File

@ -33,6 +33,7 @@
#include "hx_locl.h"
#include <stdint.h>
#include <hxtool-commands.h>
#include <sl.h>
#include <rtbl.h>
@ -1661,13 +1662,15 @@ random_data(void *opt, int argc, char **argv)
{
void *ptr;
ssize_t len;
int64_t bytes;
int ret;
len = parse_bytes(argv[0], "byte");
if (len <= 0) {
bytes = parse_bytes(argv[0], "byte");
if (bytes <= 0 || bytes > SSIZE_MAX) {
fprintf(stderr, "bad argument to random-data\n");
return 1;
}
len = bytes;
ptr = malloc(len);
if (ptr == NULL) {

View File

@ -520,7 +520,7 @@ struct hipc_ops {
void (*)(void *, int, heim_idata *, heim_icred));
};
struct hipc_ops ipcs[] = {
static const struct hipc_ops ipcs[] = {
#if defined(__APPLE__) && defined(HAVE_GCD)
{ "MACH", mach_init, mach_release, mach_ipc, mach_async },
#endif
@ -531,7 +531,7 @@ struct hipc_ops ipcs[] = {
};
struct heim_ipc {
struct hipc_ops *ops;
const struct hipc_ops *ops;
void *ctx;
};

View File

@ -78,6 +78,7 @@
#define KRB5_KDB_VIRTUAL 0x00400000 /* MIT doesn't have this */
#define KRB5_KDB_DISALLOW_CLIENT 0x00800000 /* MIT doesn't have this */
#define KRB5_KDB_NO_AUTH_DATA_REQUIRED 0x01000000 /* 0x00400000 in MIT */
#define KRB5_KDB_AUTH_DATA_REQUIRED 0x02000000
/*
* MIT has:

View File

@ -64,6 +64,10 @@ attr_to_flags(unsigned attr, HDBFlags *flags)
flags->virtual_keys = !!(attr & KRB5_KDB_VIRTUAL_KEYS);
flags->virtual = !!(attr & KRB5_KDB_VIRTUAL);
flags->no_auth_data_reqd = !!(attr & KRB5_KDB_NO_AUTH_DATA_REQUIRED);
flags->auth_data_reqd = !!(attr & KRB5_KDB_AUTH_DATA_REQUIRED);
if (flags->no_auth_data_reqd && flags->auth_data_reqd)
flags->auth_data_reqd = 0;
}
/*

View File

@ -186,6 +186,7 @@ kadm5_s_get_principal(void *server_handle,
out->attributes |= ent.flags.virtual_keys ? KRB5_KDB_VIRTUAL_KEYS : 0;
out->attributes |= ent.flags.virtual ? KRB5_KDB_VIRTUAL : 0;
out->attributes |= ent.flags.no_auth_data_reqd ? KRB5_KDB_NO_AUTH_DATA_REQUIRED : 0;
out->attributes |= ent.flags.auth_data_reqd ? KRB5_KDB_AUTH_DATA_REQUIRED : 0;
}
if(mask & KADM5_MAX_LIFE) {
if(ent.max_life)

View File

@ -734,7 +734,7 @@ addrport_print_addr (const krb5_address *addr, char *str, size_t len)
return ret_len;
}
static struct addr_operations at[] = {
static const struct addr_operations at[] = {
{
AF_INET, KRB5_ADDRESS_INET, sizeof(struct sockaddr_in),
ipv4_sockaddr2addr,
@ -810,7 +810,7 @@ static struct addr_operations at[] = {
}
};
static size_t num_addrs = sizeof(at) / sizeof(at[0]);
static const size_t num_addrs = sizeof(at) / sizeof(at[0]);
static size_t max_sockaddr_size = 0;
@ -818,7 +818,7 @@ static size_t max_sockaddr_size = 0;
* generic functions
*/
static struct addr_operations *
static const struct addr_operations *
find_af(int af)
{
size_t i;
@ -830,7 +830,7 @@ find_af(int af)
return NULL;
}
static struct addr_operations *
static const struct addr_operations *
find_atype(krb5_address_type atype)
{
size_t i;
@ -859,7 +859,7 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_sockaddr2address (krb5_context context,
const struct sockaddr *sa, krb5_address *addr)
{
struct addr_operations *a = find_af(sa->sa_family);
const struct addr_operations *a = find_af(sa->sa_family);
if (a == NULL) {
krb5_set_error_message (context, KRB5_PROG_ATYPE_NOSUPP,
N_("Address family %d not supported", ""),
@ -887,7 +887,7 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_sockaddr2port (krb5_context context,
const struct sockaddr *sa, int16_t *port)
{
struct addr_operations *a = find_af(sa->sa_family);
const struct addr_operations *a = find_af(sa->sa_family);
if (a == NULL) {
krb5_set_error_message (context, KRB5_PROG_ATYPE_NOSUPP,
N_("Address family %d not supported", ""),
@ -925,7 +925,7 @@ krb5_addr2sockaddr (krb5_context context,
krb5_socklen_t *sa_size,
int port)
{
struct addr_operations *a = find_atype(addr->addr_type);
const struct addr_operations *a = find_atype(addr->addr_type);
if (a == NULL) {
krb5_set_error_message (context, KRB5_PROG_ATYPE_NOSUPP,
@ -981,7 +981,7 @@ krb5_max_sockaddr_size (void)
KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_sockaddr_uninteresting(const struct sockaddr *sa)
{
struct addr_operations *a = find_af(sa->sa_family);
const struct addr_operations *a = find_af(sa->sa_family);
if (a == NULL || a->uninteresting == NULL)
return TRUE;
return (*a->uninteresting)(sa);
@ -990,7 +990,7 @@ krb5_sockaddr_uninteresting(const struct sockaddr *sa)
KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_sockaddr_is_loopback(const struct sockaddr *sa)
{
struct addr_operations *a = find_af(sa->sa_family);
const struct addr_operations *a = find_af(sa->sa_family);
if (a == NULL || a->is_loopback == NULL)
return TRUE;
return (*a->is_loopback)(sa);
@ -1022,7 +1022,7 @@ krb5_h_addr2sockaddr (krb5_context context,
krb5_socklen_t *sa_size,
int port)
{
struct addr_operations *a = find_af(af);
const struct addr_operations *a = find_af(af);
if (a == NULL) {
krb5_set_error_message (context, KRB5_PROG_ATYPE_NOSUPP,
"Address family %d not supported", af);
@ -1051,7 +1051,7 @@ krb5_h_addr2addr (krb5_context context,
int af,
const char *haddr, krb5_address *addr)
{
struct addr_operations *a = find_af(af);
const struct addr_operations *a = find_af(af);
if (a == NULL) {
krb5_set_error_message (context, KRB5_PROG_ATYPE_NOSUPP,
N_("Address family %d not supported", ""), af);
@ -1084,7 +1084,7 @@ krb5_anyaddr (krb5_context context,
krb5_socklen_t *sa_size,
int port)
{
struct addr_operations *a = find_af (af);
const struct addr_operations *a = find_af (af);
if (a == NULL) {
krb5_set_error_message (context, KRB5_PROG_ATYPE_NOSUPP,
@ -1116,7 +1116,7 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_print_address (const krb5_address *addr,
char *str, size_t len, size_t *ret_len)
{
struct addr_operations *a = find_atype(addr->addr_type);
const struct addr_operations *a = find_atype(addr->addr_type);
int ret;
if (a == NULL || a->print_addr == NULL) {
@ -1267,7 +1267,7 @@ krb5_address_order(krb5_context context,
{
/* this sucks; what if both addresses have order functions, which
should we call? this works for now, though */
struct addr_operations *a;
const struct addr_operations *a;
a = find_atype(addr1->addr_type);
if(a == NULL) {
krb5_set_error_message (context, KRB5_PROG_ATYPE_NOSUPP,
@ -1359,7 +1359,7 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_free_address(krb5_context context,
krb5_address *address)
{
struct addr_operations *a = find_atype (address->addr_type);
const struct addr_operations *a = find_atype (address->addr_type);
if(a != NULL && a->free_addr != NULL)
return (*a->free_addr)(context, address);
krb5_data_free (&address->address);
@ -1405,7 +1405,7 @@ krb5_copy_address(krb5_context context,
const krb5_address *inaddr,
krb5_address *outaddr)
{
struct addr_operations *a = find_af (inaddr->addr_type);
const struct addr_operations *a = find_af (inaddr->addr_type);
if(a != NULL && a->copy_addr != NULL)
return (*a->copy_addr)(context, inaddr, outaddr);
return copy_HostAddress(inaddr, outaddr);
@ -1563,7 +1563,7 @@ krb5_address_prefixlen_boundary(krb5_context context,
krb5_address *low,
krb5_address *high)
{
struct addr_operations *a = find_atype (inaddr->addr_type);
const struct addr_operations *a = find_atype (inaddr->addr_type);
if(a != NULL && a->mask_boundary != NULL)
return (*a->mask_boundary)(context, inaddr, prefixlen, low, high);
krb5_set_error_message(context, KRB5_PROG_ATYPE_NOSUPP,

View File

@ -44,7 +44,7 @@ static krb5_error_code KRB5_LIB_CALL an2ln_def_plug_an2ln(void *, krb5_context,
krb5_const_principal, set_result_f,
void *);
static krb5plugin_an2ln_ftable an2ln_def_plug = {
static const krb5plugin_an2ln_ftable an2ln_def_plug = {
0,
an2ln_def_plug_init,
an2ln_def_plug_fini,
@ -81,9 +81,9 @@ plcallback(krb5_context context,
return locate->an2ln(plugctx, context, plctx->rule, plctx->aname, set_res, plctx);
}
static const char *an2ln_plugin_deps[] = { "krb5", NULL };
static const char *const an2ln_plugin_deps[] = { "krb5", NULL };
static struct heim_plugin_data
static const struct heim_plugin_data
an2ln_plugin_data = {
"krb5",
KRB5_PLUGIN_AN2LN,

View File

@ -478,7 +478,7 @@ typedef krb5_error_code (*kpwd_process_reply) (krb5_context,
krb5_data *,
const char *);
static struct kpwd_proc {
static const struct kpwd_proc {
const char *name;
int flags;
#define SUPPORT_TCP 1
@ -513,7 +513,7 @@ change_password_loop (krb5_context context,
int *result_code,
krb5_data *result_code_string,
krb5_data *result_string,
struct kpwd_proc *proc)
const struct kpwd_proc *proc)
{
krb5_error_code ret;
krb5_auth_context auth_context = NULL;
@ -662,10 +662,10 @@ change_password_loop (krb5_context context,
#ifndef HEIMDAL_SMALLER
static struct kpwd_proc *
static const struct kpwd_proc *
find_chpw_proto(const char *name)
{
struct kpwd_proc *p;
const struct kpwd_proc *p;
for (p = procs; p->name != NULL; p++) {
if (strcmp(p->name, name) == 0)
return p;
@ -697,7 +697,7 @@ krb5_change_password (krb5_context context,
krb5_data *result_string)
KRB5_DEPRECATED_FUNCTION("Use krb5_set_password instead")
{
struct kpwd_proc *p = find_chpw_proto("change password");
const struct kpwd_proc *p = find_chpw_proto("change password");
*result_code = KRB5_KPASSWD_MALFORMED;
result_code_string->data = result_string->data = NULL;

View File

@ -35,7 +35,7 @@
#include "krb5_locl.h"
KRB5_LIB_VARIABLE const char *krb5_config_file =
KRB5_LIB_VARIABLE const char *const krb5_config_file =
#ifdef KRB5_DEFAULT_CONFIG_FILE
KRB5_DEFAULT_CONFIG_FILE
#else
@ -56,12 +56,12 @@ SYSCONFDIR "/krb5.conf" PATH_SEP
#endif /* KRB5_DEFAULT_CONFIG_FILE */
;
KRB5_LIB_VARIABLE const char *krb5_defkeyname = KEYTAB_DEFAULT;
KRB5_LIB_VARIABLE const char *const krb5_defkeyname = KEYTAB_DEFAULT;
KRB5_LIB_VARIABLE const char *krb5_cc_type_api = "API";
KRB5_LIB_VARIABLE const char *krb5_cc_type_file = "FILE";
KRB5_LIB_VARIABLE const char *krb5_cc_type_memory = "MEMORY";
KRB5_LIB_VARIABLE const char *krb5_cc_type_kcm = "KCM";
KRB5_LIB_VARIABLE const char *krb5_cc_type_scc = "SCC";
KRB5_LIB_VARIABLE const char *krb5_cc_type_dcc = "DIR";
KRB5_LIB_VARIABLE const char *krb5_cc_type_keyring = "KEYRING";
KRB5_LIB_VARIABLE const char *const krb5_cc_type_api = "API";
KRB5_LIB_VARIABLE const char *const krb5_cc_type_file = "FILE";
KRB5_LIB_VARIABLE const char *const krb5_cc_type_memory = "MEMORY";
KRB5_LIB_VARIABLE const char *const krb5_cc_type_kcm = "KCM";
KRB5_LIB_VARIABLE const char *const krb5_cc_type_scc = "SCC";
KRB5_LIB_VARIABLE const char *const krb5_cc_type_dcc = "DIR";
KRB5_LIB_VARIABLE const char *const krb5_cc_type_keyring = "KEYRING";

View File

@ -372,7 +372,7 @@ kt_ops_copy(krb5_context context, const krb5_context src_context)
return 0;
}
static const char *sysplugin_dirs[] = {
static const char *const sysplugin_dirs[] = {
#ifdef _WIN32
"$ORIGIN",
#else

View File

@ -1922,13 +1922,13 @@ krb5_decrypt_iov_ivec(krb5_context context,
goto cleanup;
} else {
krb5_data ivec_data;
static unsigned char zero_ivec[EVP_MAX_IV_LENGTH];
static const unsigned char zero_ivec[EVP_MAX_IV_LENGTH];
heim_assert(et->blocksize <= sizeof(zero_ivec),
"blocksize too big for ivec buffer");
ivec_data.length = et->blocksize;
ivec_data.data = ivec ? ivec : zero_ivec;
ivec_data.data = ivec ? ivec : rk_UNCONST(zero_ivec);
ret = iov_coalesce(context, &ivec_data, data, num_data, TRUE, &sign_data);
if(ret)

View File

@ -14,9 +14,9 @@ db_plugins_plcallback(krb5_context context, const void *plug, void *plugctx,
return 0;
}
static const char *db_plugin_deps[] = { "krb5", NULL };
static const char *const db_plugin_deps[] = { "krb5", NULL };
static struct heim_plugin_data
static const struct heim_plugin_data
db_plugin_data = {
"krb5",
KRB5_PLUGIN_DB,

View File

@ -109,17 +109,17 @@ dns_find_realm(krb5_context context,
const char *domain,
krb5_realm **realms)
{
static const char *default_labels[] = { "_kerberos", NULL };
static const char *const default_labels[] = { "_kerberos", NULL };
char dom[MAXHOSTNAMELEN];
struct rk_dns_reply *r;
const char **labels;
const char *const *labels;
char **config_labels;
int i, ret = 0;
config_labels = krb5_config_get_strings(context, NULL, "libdefaults",
"dns_lookup_realm_labels", NULL);
if(config_labels != NULL)
labels = (const char **)config_labels;
labels = (const char *const *)config_labels;
else
labels = default_labels;
if(*domain == '.')

View File

@ -319,7 +319,9 @@ set_ptypes(krb5_context context,
krb5_preauthdata **preauth)
{
static krb5_preauthdata preauth2;
static krb5_preauthtype ptypes2[] = { KRB5_PADATA_ENC_TIMESTAMP, KRB5_PADATA_NONE };
static const krb5_preauthtype ptypes2[] = {
KRB5_PADATA_ENC_TIMESTAMP, KRB5_PADATA_NONE
};
if(error->e_data) {
METHOD_DATA md;

View File

@ -61,7 +61,7 @@ struct krb5_gss_init_ctx_data {
struct krb5_get_init_creds_ctx {
KDCOptions flags;
krb5_creds cred;
krb5_addresses *addrs;
const krb5_addresses *addrs;
krb5_enctype *etypes;
krb5_preauthtype *pre_auth_types;
char *in_tkt_service;
@ -447,7 +447,7 @@ krb5_init_creds_warn_user(krb5_context context,
return 0;
}
static krb5_addresses no_addrs = { 0, NULL };
static const krb5_addresses no_addrs = { 0, NULL };
static krb5_error_code
get_init_creds_common(krb5_context context,
@ -1941,9 +1941,9 @@ typedef krb5_error_code (*pa_restart_f)(krb5_context, krb5_init_creds_context, v
typedef krb5_error_code (*pa_step_f)(krb5_context, krb5_init_creds_context, void *, PA_DATA *, const AS_REQ *, const AS_REP *, METHOD_DATA *, METHOD_DATA *);
typedef void (*pa_release_f)(void *);
struct patype {
static const struct patype {
int type;
char *name;
const char *name;
int flags;
#define PA_F_ANNOUNCE 1
#define PA_F_CONFIG 2
@ -2085,7 +2085,7 @@ get_pa_type_name(int type)
*/
struct pa_auth_mech {
struct patype *patype;
const struct patype *patype;
struct pa_auth_mech *next; /* when doing authentication sets */
char pactx[1];
};
@ -2155,7 +2155,7 @@ mech_dealloc(void *ctx)
pa_mech->patype->release((void *)&pa_mech->pactx[0]);
}
struct heim_type_data pa_auth_mech_object = {
static const struct heim_type_data pa_auth_mech_object = {
HEIM_TID_PA_AUTH_MECH,
"heim-pa-mech-context",
NULL,
@ -2170,7 +2170,7 @@ static struct pa_auth_mech *
pa_mech_create(krb5_context context, krb5_init_creds_context ctx, int pa_type)
{
struct pa_auth_mech *pa_mech;
struct patype *patype = NULL;
const struct patype *patype = NULL;
size_t n;
for (n = 0; patype == NULL && n < sizeof(patypes)/sizeof(patypes[0]); n++) {

View File

@ -828,6 +828,11 @@ addresses in the tickets.
.It Li allow-null-ticket-addresses = Va BOOL
Allow address-less tickets.
.\" XXX
.It Li disable_pac = Va BOOL
Do not include a PAC in service tickets.
However, if a service has the
.Li auth-data-reqd
attribute then the KDC will include a PAC anyways.
.It Li enable_fast = Va BOOL
Enable RFC 6113 FAST support, this is enabled by default.
.It Li enable_fast_cookie = Va BOOL
@ -846,6 +851,10 @@ Enabled by default for now, but in a future release will be
disabled.
.It Li enable-pkinit = Va BOOL
Enable PKINIT (disabled by default).
.It Li require-pkinit-freshness = Va BOOL
If PKINIT is enabled, require that PKINIT requests contain a
freshness token proving recent possession of the private key.
Disabled by default.
.It Li allow-anonymous = Va BOOL
If the kdc is allowed to hand out anonymous tickets.
.It Li synthetic_clients = Va BOOL

View File

@ -296,6 +296,8 @@ typedef enum krb5_key_usage {
/* fast challenge from client */
KRB5_KU_ENC_CHALLENGE_KDC = 55,
/* fast challenge from kdc */
KRB5_KU_AS_FRESHNESS = 60,
/* Freshness token from KDC */
KRB5_KU_DIGEST_ENCRYPT = -18,
/* Encryption key usage used in the digest encryption field */
KRB5_KU_DIGEST_OPAQUE = -19,
@ -697,7 +699,7 @@ typedef struct {
KRB_ERROR error;
} krb5_kdc_rep;
extern const char *heimdal_version, *heimdal_long_version;
extern const char *const heimdal_version, *const heimdal_long_version;
typedef void (KRB5_CALLCONV * krb5_log_log_func_t)(krb5_context,
const char*,
@ -1018,8 +1020,8 @@ typedef struct krb5_kx509_req_ctx_data *krb5_kx509_req_ctx;
/* variables */
extern KRB5_LIB_VARIABLE const char *krb5_config_file;
extern KRB5_LIB_VARIABLE const char *krb5_defkeyname;
extern KRB5_LIB_VARIABLE const char *const krb5_config_file;
extern KRB5_LIB_VARIABLE const char *const krb5_defkeyname;
extern KRB5_LIB_VARIABLE const krb5_cc_ops krb5_acc_ops;
@ -1038,13 +1040,13 @@ extern KRB5_LIB_VARIABLE const krb5_kt_ops krb5_mkt_ops;
extern KRB5_LIB_VARIABLE const krb5_kt_ops krb5_akf_ops;
extern KRB5_LIB_VARIABLE const krb5_kt_ops krb5_any_ops;
extern KRB5_LIB_VARIABLE const char *krb5_cc_type_api;
extern KRB5_LIB_VARIABLE const char *krb5_cc_type_file;
extern KRB5_LIB_VARIABLE const char *krb5_cc_type_memory;
extern KRB5_LIB_VARIABLE const char *krb5_cc_type_kcm;
extern KRB5_LIB_VARIABLE const char *krb5_cc_type_scc;
extern KRB5_LIB_VARIABLE const char *krb5_cc_type_dcc;
extern KRB5_LIB_VARIABLE const char *krb5_cc_type_keyring;
extern KRB5_LIB_VARIABLE const char *const krb5_cc_type_api;
extern KRB5_LIB_VARIABLE const char *const krb5_cc_type_file;
extern KRB5_LIB_VARIABLE const char *const krb5_cc_type_memory;
extern KRB5_LIB_VARIABLE const char *const krb5_cc_type_kcm;
extern KRB5_LIB_VARIABLE const char *const krb5_cc_type_scc;
extern KRB5_LIB_VARIABLE const char *const krb5_cc_type_dcc;
extern KRB5_LIB_VARIABLE const char *const krb5_cc_type_keyring;
/* clang analyzer workarounds */

View File

@ -108,6 +108,9 @@ error_code PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED, "Public key encryption not suppo
#error_code ERR_KDC_NOT_FOUND, "IAKERB proxy could not find a KDC"
#error_code ERR_KDC_NO_RESPONSE, "IAKERB proxy never reeived a response from a KDC"
index 90
error_code PREAUTH_EXPIRED, "Pre-authentication data expired"
index 91
error_code MORE_PREAUTH_DATA_REQUIRED, "More pre-authentication data required"

View File

@ -709,9 +709,9 @@ plcallback(krb5_context context,
return KRB5_PLUGIN_NO_HANDLE;
}
static const char *locate_plugin_deps[] = { "krb5", NULL };
static const char *const locate_plugin_deps[] = { "krb5", NULL };
static struct heim_plugin_data
static const struct heim_plugin_data
locate_plugin_data = {
"krb5",
KRB5_PLUGIN_LOCATE,

View File

@ -67,10 +67,10 @@ plcallback(krb5_context context, const void *plug, void *plugctx, void *userctx)
}
static krb5_error_code plugin_reg_ret;
static krb5plugin_kuserok_ftable kuserok_simple_plug;
static krb5plugin_kuserok_ftable kuserok_sys_k5login_plug;
static krb5plugin_kuserok_ftable kuserok_user_k5login_plug;
static krb5plugin_kuserok_ftable kuserok_deny_plug;
static const krb5plugin_kuserok_ftable kuserok_simple_plug;
static const krb5plugin_kuserok_ftable kuserok_sys_k5login_plug;
static const krb5plugin_kuserok_ftable kuserok_user_k5login_plug;
static const krb5plugin_kuserok_ftable kuserok_deny_plug;
static void
reg_def_plugins_once(void *ctx)
@ -455,9 +455,9 @@ krb5_kuserok(krb5_context context,
}
static const char *kuserok_plugin_deps[] = { "krb5", NULL };
static const char *const kuserok_plugin_deps[] = { "krb5", NULL };
static struct heim_plugin_data
static const struct heim_plugin_data
kuserok_plugin_data = {
"krb5",
KRB5_PLUGIN_KUSEROK,
@ -723,28 +723,28 @@ kuser_ok_null_plugin_fini(void *ctx)
return;
}
static krb5plugin_kuserok_ftable kuserok_simple_plug = {
static const krb5plugin_kuserok_ftable kuserok_simple_plug = {
KRB5_PLUGIN_KUSEROK_VERSION_0,
kuser_ok_null_plugin_init,
kuser_ok_null_plugin_fini,
kuserok_simple_plug_f,
};
static krb5plugin_kuserok_ftable kuserok_sys_k5login_plug = {
static const krb5plugin_kuserok_ftable kuserok_sys_k5login_plug = {
KRB5_PLUGIN_KUSEROK_VERSION_0,
kuser_ok_null_plugin_init,
kuser_ok_null_plugin_fini,
kuserok_sys_k5login_plug_f,
};
static krb5plugin_kuserok_ftable kuserok_user_k5login_plug = {
static const krb5plugin_kuserok_ftable kuserok_user_k5login_plug = {
KRB5_PLUGIN_KUSEROK_VERSION_0,
kuser_ok_null_plugin_init,
kuser_ok_null_plugin_fini,
kuserok_user_k5login_plug_f,
};
static krb5plugin_kuserok_ftable kuserok_deny_plug = {
static const krb5plugin_kuserok_ftable kuserok_deny_plug = {
KRB5_PLUGIN_KUSEROK_VERSION_0,
kuser_ok_null_plugin_init,
kuser_ok_null_plugin_fini,

View File

@ -76,8 +76,8 @@ krb5_mk_error_ext(krb5_context context,
msg.realm = server->realm;
msg.sname = server->name;
}else{
static char unspec[] = "<unspecified realm>";
msg.realm = unspec;
static const char unspec[] = "<unspecified realm>";
msg.realm = rk_UNCONST(unspec);
}
msg.crealm = rk_UNCONST(client_realm);
msg.cname = rk_UNCONST(client_name);

View File

@ -141,7 +141,7 @@ pac_dealloc(void *ctx)
free(pac->pac);
}
struct heim_type_data pac_object = {
static const struct heim_type_data pac_object = {
HEIM_TID_PAC,
"heim-pac",
NULL,
@ -597,7 +597,7 @@ krb5_pac_get_buffer(krb5_context context, krb5_const_pac p,
return ENOENT;
}
static struct {
static const struct {
uint32_t type;
krb5_data name;
} pac_buffer_name_map[] = {
@ -1982,8 +1982,8 @@ _krb5_pac_get_attributes_info(krb5_context context,
return 0;
}
static unsigned char single_zero = '\0';
static krb5_data single_zero_pac = { 1, &single_zero };
static const unsigned char single_zero = '\0';
static const krb5_data single_zero_pac = { 1, rk_UNCONST(&single_zero) };
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_kdc_pac_ticket_parse(krb5_context context,

View File

@ -58,9 +58,9 @@ cc_plugin_register_to_context(krb5_context context, const void *plug, void *plug
return KRB5_PLUGIN_NO_HANDLE;
}
static const char *ccache_plugin_deps[] = { "krb5", NULL };
static const char *const ccache_plugin_deps[] = { "krb5", NULL };
static struct heim_plugin_data
static const struct heim_plugin_data
ccache_plugin_data = {
"krb5",
KRB5_PLUGIN_CCACHE,

View File

@ -75,7 +75,7 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_plugin_register(krb5_context context,
enum krb5_plugin_type type,
const char *name,
void *symbol)
const void *symbol)
{
/*
* It's not clear that PLUGIN_TYPE_FUNC was ever used or supported. It likely
@ -147,7 +147,7 @@ _krb5_unload_plugins(krb5_context context, const char *name)
*/
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_plugin_run_f(krb5_context context,
struct heim_plugin_data *caller,
const struct heim_plugin_data *caller,
int flags,
void *userctx,
krb5_error_code (KRB5_LIB_CALL *func)(krb5_context, const void *, void *, void *))

View File

@ -33,7 +33,7 @@
#include "krb5_locl.h"
int _krb5_AES_SHA1_string_to_default_iterator = 4096;
const int _krb5_AES_SHA1_string_to_default_iterator = 4096;
static krb5_error_code
AES_SHA1_string_to_key(krb5_context context,

View File

@ -33,7 +33,7 @@
#include "krb5_locl.h"
int _krb5_AES_SHA2_string_to_default_iterator = 32768;
const int _krb5_AES_SHA2_string_to_default_iterator = 32768;
static krb5_error_code
AES_SHA2_string_to_key(krb5_context context,

View File

@ -96,9 +96,9 @@ realmcallback(krb5_context context, const void *plug, void *plugctx, void *userc
ctx->send_data, ctx->receive);
}
static const char *send_to_kdc_plugin_deps[] = { "krb5", NULL };
static const char *const send_to_kdc_plugin_deps[] = { "krb5", NULL };
static struct heim_plugin_data
static const struct heim_plugin_data
send_to_kdc_plugin_data = {
"krb5",
KRB5_PLUGIN_SEND_TO_KDC,
@ -330,7 +330,7 @@ struct host {
krb5_krbhst_info *hi;
struct addrinfo *ai;
rk_socket_t fd;
struct host_fun *fun;
const struct host_fun *fun;
unsigned int tries;
time_t timeout;
krb5_data data;
@ -715,19 +715,19 @@ recv_udp(krb5_context context, struct host *host, krb5_data *data)
return 0;
}
static struct host_fun http_fun = {
static const struct host_fun http_fun = {
prepare_http,
send_stream,
recv_http,
1
};
static struct host_fun tcp_fun = {
static const struct host_fun tcp_fun = {
prepare_tcp,
send_stream,
recv_tcp,
1
};
static struct host_fun udp_fun = {
static const struct host_fun udp_fun = {
prepare_udp,
send_udp,
recv_udp,

View File

@ -38,7 +38,7 @@
static struct testcase {
int canonicalp;
ssize_t val;
int64_t val;
const char *def_unit;
const char *str;
} tests[] = {
@ -52,7 +52,7 @@ static struct testcase {
{1, 1024 * 1024, NULL, "1 megabyte"},
{0, 1025, NULL, "1 kilobyte 1"},
{1, 1025, NULL, "1 kilobyte 1 byte"},
{1, 1024UL * 1024 * 1024 * 1024, NULL, "1 terabyte"},
{1, 1024ULL * 1024 * 1024 * 1024, NULL, "1 terabyte"},
};
int
@ -63,7 +63,7 @@ main(int argc, char **argv)
for (i = 0; i < sizeof(tests)/sizeof(tests[0]); ++i) {
char buf[256];
ssize_t val = parse_bytes (tests[i].str, tests[i].def_unit);
int64_t val = parse_bytes (tests[i].str, tests[i].def_unit);
if (val != tests[i].val) {
printf ("parse_bytes (%s, %s) = %lld != %lld\n",

View File

@ -37,10 +37,10 @@
#include "parse_bytes.h"
static struct units bytes_units[] = {
{ "petabyte", 1024UL * 1024 * 1024 * 1024 * 1024 },
{ "PB", 1024UL * 1024 * 1024 * 1024 * 1024 },
{ "terabyte", 1024UL * 1024 * 1024 * 1024 },
{ "TB", 1024UL * 1024 * 1024 * 1024 },
{ "petabyte", 1024ULL * 1024 * 1024 * 1024 * 1024 },
{ "PB", 1024ULL * 1024 * 1024 * 1024 * 1024 },
{ "terabyte", 1024ULL * 1024 * 1024 * 1024 },
{ "TB", 1024ULL * 1024 * 1024 * 1024 },
{ "gigabyte", 1024 * 1024 * 1024 },
{ "gbyte", 1024 * 1024 * 1024 },
{ "GB", 1024 * 1024 * 1024 },
@ -54,28 +54,28 @@ static struct units bytes_units[] = {
};
static struct units bytes_short_units[] = {
{ "PB", 1024UL * 1024 * 1024 * 1024 * 1024 },
{ "TB", 1024UL * 1024 * 1024 * 1024 },
{ "PB", 1024ULL * 1024 * 1024 * 1024 * 1024 },
{ "TB", 1024ULL * 1024 * 1024 * 1024 },
{ "GB", 1024 * 1024 * 1024 },
{ "MB", 1024 * 1024 },
{ "KB", 1024 },
{ NULL, 0 }
};
ROKEN_LIB_FUNCTION ssize_t ROKEN_LIB_CALL
ROKEN_LIB_FUNCTION int64_t ROKEN_LIB_CALL
parse_bytes(const char *s, const char *def_unit)
{
return parse_units (s, bytes_units, def_unit);
}
ROKEN_LIB_FUNCTION int ROKEN_LIB_CALL
unparse_bytes(ssize_t t, char *s, size_t len)
unparse_bytes(int64_t t, char *s, size_t len)
{
return unparse_units (t, bytes_units, s, len);
}
ROKEN_LIB_FUNCTION int ROKEN_LIB_CALL
unparse_bytes_short (ssize_t t, char *s, size_t len)
unparse_bytes_short (int64_t t, char *s, size_t len)
{
return unparse_units_approx (t, bytes_short_units, s, len);
}

View File

@ -38,13 +38,13 @@
#include <roken.h>
ROKEN_LIB_FUNCTION ssize_t ROKEN_LIB_CALL
ROKEN_LIB_FUNCTION int64_t ROKEN_LIB_CALL
parse_bytes(const char *s, const char *def_unit);
ROKEN_LIB_FUNCTION int ROKEN_LIB_CALL
unparse_bytes(ssize_t t, char *s, size_t len);
unparse_bytes(int64_t t, char *s, size_t len);
ROKEN_LIB_FUNCTION int ROKEN_LIB_CALL
unparse_bytes_short(ssize_t t, char *s, size_t len);
unparse_bytes_short(int64_t t, char *s, size_t len);
#endif /* __PARSE_BYTES_H__ */

View File

@ -8,8 +8,8 @@ endif
AM_CPPFLAGS += $(ROKEN_RENAME)
YFLAGS = -d -o slc-gram.c
LFLAGS = @FLEXNOUNPUTARGS@
AM_YFLAGS = -d -o slc-gram.c
AM_LFLAGS = @FLEXNOUNPUTARGS@
include_HEADERS = sl.h

View File

@ -39,7 +39,7 @@
#include <string.h>
#ifdef KRB5
extern const char *heimdal_version;
extern const char *const heimdal_version;
#endif
#include <version.h>

View File

@ -261,6 +261,7 @@ ${kadmin} ext -k ${keytab} ${alias1}@${R} || exit 1
${kadmin} modify --alias=${alias2}@${R} ${alias1}@${R}
${kadmin} add -p cross1 --use-defaults krbtgt/${R2}@${R} || exit 1
${kadmin} modify --attributes=+no-auth-data-reqd krbtgt/${R2}@${R} || exit 1
${kadmin} add -p cross2 --use-defaults krbtgt/${R}@${R2} || exit 1
${kadmin} add -p cross1 --use-defaults krbtgt/${R3}@${R2} || exit 1
@ -551,6 +552,20 @@ for a in $enctypes; do
done
${kdestroy}
echo "Getting client initial tickets with PAC"; > messages.log
${kinit} --request-pac --password-file=${objdir}/foopassword foo@$R || \
{ ec=1 ; eval "${testfailed}"; }
for a in $enctypes; do
echo "Getting tickets for PAC-less service principal ($a)"; > messages.log
${kgetcred} -e $a ${server4}@${R2} || { ec=1 ; eval "${testfailed}"; }
${test_ap_req} --verify-pac ${server4}@${R2} ${keytab} ${cache} && \
{ ec=1 ; eval "${testfailed}"; }
${test_ap_req} --no-verify-pac ${server4}@${R2} ${keytab} ${cache} || \
{ ec=1 ; eval "${testfailed}"; }
${kdestroy} --credential=${server4}@${R2}
done
${kdestroy}
echo "Getting client authenticated anonymous initial tickets"; > messages.log
${kinit} -n --password-file=${objdir}/foopassword foo@$R || \
{ ec=1 ; eval "${testfailed}"; }
@ -559,6 +574,8 @@ for a in $enctypes; do
${kgetcred} -e $a ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
${test_ap_req} --no-verify-pac ${server}@${R} ${keytab} ${cache} || \
{ ec=1 ; eval "${testfailed}"; }
${test_ap_req} --verify-pac ${server}@${R} ${keytab} ${cache} && \
{ ec=1 ; eval "${testfailed}"; }
${kdestroy} --credential=${server}@${R}
done
${kdestroy}
@ -575,7 +592,7 @@ for a in $enctypes; do
done
${kdestroy}
echo "Getting client initial tickets for cross realm case"; > messages.log
echo "Getting client initial tickets for cross realm case (no-auth-data-reqd for ${R2})"; > messages.log
${kinit} --password-file=${objdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; }
for a in $enctypes; do
echo "Getting cross realm tickets ($a)"; > messages.log
@ -583,7 +600,24 @@ for a in $enctypes; do
echo " checking we we got back right ticket"
${klist} | grep ${server2}@ > /dev/null || { ec=1 ; eval "${testfailed}"; }
echo " checking if ticket is useful"
${test_ap_req} ${server2}@${R2} ${keytab} ${cache} || \
${test_ap_req} --no-verify-pac ${server2}@${R2} ${keytab} ${cache} || \
{ ec=1 ; eval "${testfailed}"; }
${test_ap_req} --verify-pac ${server2}@${R2} ${keytab} ${cache} && \
{ ec=1 ; eval "${testfailed}"; }
${kdestroy} --credential=${server2}@${R2}
done
${kdestroy}
echo "Getting client initial tickets for cross realm case (w/ PAC)"; > messages.log
${kadmin} modify --attributes=-no-auth-data-reqd krbtgt/${R2}@${R} || exit 1
${kinit} --password-file=${objdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; }
for a in $enctypes; do
echo "Getting cross realm tickets ($a)"; > messages.log
${kgetcred} -e $a ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; }
echo " checking we we got back right ticket"
${klist} | grep ${server2}@ > /dev/null || { ec=1 ; eval "${testfailed}"; }
echo " checking if ticket is useful"
${test_ap_req} --verify-pac ${server2}@${R2} ${keytab} ${cache} || \
{ ec=1 ; eval "${testfailed}"; }
${kdestroy} --credential=${server2}@${R2}
done