r24614: Merge with current lorikeet-heimdal. This brings us one step closer
to an alpha release.
Andrew Bartlett
(This used to be commit 30e02747d5
)
parent
db24e606f1
commit
b39330c487
@ -36,7 +36,7 @@
|
||||
#include <getarg.h>
|
||||
#include <parse_bytes.h>
|
||||
|
||||
RCSID("$Id: default_config.c 21296 2007-06-25 14:49:11Z lha $");
|
||||
RCSID("$Id: default_config.c 21405 2007-07-04 10:35:45Z lha $");
|
||||
|
||||
krb5_error_code
|
||||
krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
|
||||
|
@ -34,7 +34,7 @@
|
||||
#include "kdc_locl.h"
|
||||
#include <hex.h>
|
||||
|
||||
RCSID("$Id: digest.c 21241 2007-06-20 11:30:19Z lha $");
|
||||
RCSID("$Id: digest.c 21606 2007-07-17 07:03:25Z lha $");
|
||||
|
||||
#define MS_CHAP_V2 0x20
|
||||
#define CHAP_MD5 0x10
|
||||
@ -975,7 +975,7 @@ _kdc_do_digest(krb5_context context,
|
||||
}
|
||||
|
||||
kdc_log(context, config, 0, "Digest %s request successful %s",
|
||||
ireq.u.digestRequest.type, from);
|
||||
ireq.u.digestRequest.type, ireq.u.digestRequest.username);
|
||||
|
||||
break;
|
||||
}
|
||||
@ -1227,7 +1227,7 @@ _kdc_do_digest(krb5_context context,
|
||||
version = 1;
|
||||
|
||||
if (flags & NTLM_NEG_NTLM2_SESSION) {
|
||||
char sessionhash[MD5_DIGEST_LENGTH];
|
||||
unsigned char sessionhash[MD5_DIGEST_LENGTH];
|
||||
MD5_CTX md5ctx;
|
||||
|
||||
if ((config->digests_allowed & NTLM_V1_SESSION) == 0) {
|
||||
@ -1331,10 +1331,24 @@ _kdc_do_digest(krb5_context context,
|
||||
version, ireq.u.ntlmRequest.username);
|
||||
break;
|
||||
}
|
||||
default:
|
||||
default: {
|
||||
char *s;
|
||||
krb5_set_error_string(context, "unknown operation to digest");
|
||||
ret = EINVAL;
|
||||
|
||||
failed:
|
||||
|
||||
s = krb5_get_error_message(context, ret);
|
||||
if (s == NULL) {
|
||||
krb5_clear_error_string(context);
|
||||
goto out;
|
||||
}
|
||||
|
||||
kdc_log(context, config, 0, "Digest failed with: %s", s);
|
||||
|
||||
r.element = choice_DigestRepInner_error;
|
||||
r.u.error.reason = strdup("unknown/failed operation");
|
||||
r.u.error.reason = strdup("unknown error");
|
||||
krb5_free_error_string(context, s);
|
||||
if (r.u.error.reason == NULL) {
|
||||
krb5_set_error_string(context, "out of memory");
|
||||
ret = ENOMEM;
|
||||
@ -1343,6 +1357,7 @@ _kdc_do_digest(krb5_context context,
|
||||
r.u.error.code = EINVAL;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
ASN1_MALLOC_ENCODE(DigestRepInner, buf.data, buf.length, &r, &size, ret);
|
||||
if (ret) {
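Review bot: The success log in the digestRequest arm now records only the client-supplied `ireq.u.digestRequest.username` and drops `from`, so the line that an operator would grep for a successful digest exchange carries an attacker-controlled string and no longer says which peer sent it. Keeping both is a one-line change: `kdc_log(context, config, 0, "Digest %s request successful %s from %s", ireq.u.digestRequest.type, ireq.u.digestRequest.username, from);`. In the new `failed:` path the detailed `krb5_get_error_message` text goes to the log and the client only sees "unknown error" with `EINVAL`, which is the right split; it does rely on every `goto failed` having set `ret` to a non-zero value first, which cannot be confirmed from these hunks since `_kdc_do_digest` starts and ends outside them.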
|
||||
|
@ -33,7 +33,7 @@
|
||||
|
||||
#include "kdc_locl.h"
|
||||
|
||||
RCSID("$Id: kaserver.c 17904 2006-08-23 11:45:16Z lha $");
|
||||
RCSID("$Id: kaserver.c 21661 2007-07-22 01:57:17Z lha $");
|
||||
|
||||
#include <krb5-v4compat.h>
|
||||
#include <rx.h>
|
||||
@ -191,19 +191,28 @@ init_reply_header (struct rx_header *hdr,
|
||||
reply_hdr->serviceid = hdr->serviceid;
|
||||
}
|
||||
|
||||
/*
|
||||
* Create an error `reply´ using for the packet `hdr' with the error
|
||||
* `error´ code.
|
||||
*/
|
||||
static void
|
||||
make_error_reply (struct rx_header *hdr,
|
||||
uint32_t ret,
|
||||
uint32_t error,
|
||||
krb5_data *reply)
|
||||
|
||||
{
|
||||
krb5_storage *sp;
|
||||
struct rx_header reply_hdr;
|
||||
krb5_error_code ret;
|
||||
krb5_storage *sp;
|
||||
|
||||
init_reply_header (hdr, &reply_hdr, HT_ABORT, HF_LAST);
|
||||
sp = krb5_storage_emem();
|
||||
if (sp == NULL)
|
||||
return;
|
||||
ret = encode_rx_header (&reply_hdr, sp);
|
||||
krb5_store_int32(sp, ret);
|
||||
if (ret)
|
||||
return;
|
||||
krb5_store_int32(sp, error);
|
||||
krb5_storage_to_data (sp, reply);
|
||||
krb5_storage_free (sp);
|
||||
}
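Review bot: The early return after `ret = encode_rx_header (&reply_hdr, sp);` leaks the storage obtained from `krb5_storage_emem()`, because `krb5_storage_free (sp)` is only reached on the success path; it should read `if (ret) { krb5_storage_free (sp); return; }`. The results of `krb5_store_int32` and `krb5_storage_to_data` are still unchecked, so a failing write leaves `*reply` in whatever state the caller passed it in — worth a check, or at least a comment stating that callers must zero `reply` beforehand. Which of the printed lines are old and which are new is inferred from their order on this page, so the exact shape of the old body is not certain.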
|
||||
|
@ -35,7 +35,7 @@
|
||||
|
||||
#include <krb5-v4compat.h>
|
||||
|
||||
RCSID("$Id: kerberos4.c 18349 2006-10-08 13:43:52Z lha $");
|
||||
RCSID("$Id: kerberos4.c 21577 2007-07-16 08:14:06Z lha $");
|
||||
|
||||
#ifndef swap32
|
||||
static uint32_t
|
||||
@ -151,7 +151,8 @@ _kdc_do_version4(krb5_context context,
|
||||
if(!config->enable_v4) {
|
||||
kdc_log(context, config, 0,
|
||||
"Rejected version 4 request from %s", from);
|
||||
make_err_reply(context, reply, KDC_GEN_ERR, "function not enabled");
|
||||
make_err_reply(context, reply, KRB4ET_KDC_GEN_ERR,
|
||||
"Function not enabled");
|
||||
return 0;
|
||||
}
|
||||
|
||||
@ -160,7 +161,7 @@ _kdc_do_version4(krb5_context context,
|
||||
if(pvno != 4){
|
||||
kdc_log(context, config, 0,
|
||||
"Protocol version mismatch (krb4) (%d)", pvno);
|
||||
make_err_reply(context, reply, KDC_PKT_VER, "protocol mismatch");
|
||||
make_err_reply(context, reply, KRB4ET_KDC_PKT_VER, "protocol mismatch");
|
||||
goto out;
|
||||
}
|
||||
RCHECK(krb5_ret_int8(sp, &msg_type), out);
|
||||
@ -196,7 +197,7 @@ _kdc_do_version4(krb5_context context,
|
||||
if(ret) {
|
||||
kdc_log(context, config, 0, "Client not found in database: %s: %s",
|
||||
client_name, krb5_get_err_text(context, ret));
|
||||
make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN,
|
||||
make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN,
|
||||
"principal unknown");
|
||||
goto out1;
|
||||
}
|
||||
@ -205,7 +206,7 @@ _kdc_do_version4(krb5_context context,
|
||||
if(ret){
|
||||
kdc_log(context, config, 0, "Server not found in database: %s: %s",
|
||||
server_name, krb5_get_err_text(context, ret));
|
||||
make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN,
|
||||
make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN,
|
||||
"principal unknown");
|
||||
goto out1;
|
||||
}
|
||||
@ -216,7 +217,7 @@ _kdc_do_version4(krb5_context context,
|
||||
TRUE);
|
||||
if (ret) {
|
||||
/* good error code? */
|
||||
make_err_reply(context, reply, KERB_ERR_NAME_EXP,
|
||||
make_err_reply(context, reply, KRB4ET_KDC_NAME_EXP,
|
||||
"operation not allowed");
|
||||
goto out1;
|
||||
}
|
||||
@ -227,7 +228,7 @@ _kdc_do_version4(krb5_context context,
|
||||
kdc_log(context, config, 0,
|
||||
"Per principal Kerberos 4 flag not turned on for %s",
|
||||
client_name);
|
||||
make_err_reply(context, reply, KERB_ERR_NULL_KEY,
|
||||
make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY,
|
||||
"allow kerberos4 flag required");
|
||||
goto out1;
|
||||
}
|
||||
@ -244,7 +245,7 @@ _kdc_do_version4(krb5_context context,
|
||||
"Pre-authentication required for v4-request: "
|
||||
"%s for %s",
|
||||
client_name, server_name);
|
||||
make_err_reply(context, reply, KERB_ERR_NULL_KEY,
|
||||
make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY,
|
||||
"preauth required");
|
||||
goto out1;
|
||||
}
|
||||
@ -252,7 +253,7 @@ _kdc_do_version4(krb5_context context,
|
||||
ret = _kdc_get_des_key(context, client, FALSE, FALSE, &ckey);
|
||||
if(ret){
|
||||
kdc_log(context, config, 0, "no suitable DES key for client");
|
||||
make_err_reply(context, reply, KDC_NULL_KEY,
|
||||
make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY,
|
||||
"no suitable DES key for client");
|
||||
goto out1;
|
||||
}
|
||||
@ -265,7 +266,7 @@ _kdc_do_version4(krb5_context context,
|
||||
if(ret){
|
||||
kdc_log(context, config, 0, "No version-4 salted key in database -- %s.%s@%s",
|
||||
name, inst, realm);
|
||||
make_err_reply(context, reply, KDC_NULL_KEY,
|
||||
make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY,
|
||||
"No version-4 salted key in database");
|
||||
goto out1;
|
||||
}
|
||||
@ -274,8 +275,7 @@ _kdc_do_version4(krb5_context context,
|
||||
ret = _kdc_get_des_key(context, server, TRUE, FALSE, &skey);
|
||||
if(ret){
|
||||
kdc_log(context, config, 0, "no suitable DES key for server");
|
||||
/* XXX */
|
||||
make_err_reply(context, reply, KDC_NULL_KEY,
|
||||
make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY,
|
||||
"no suitable DES key for server");
|
||||
goto out1;
|
||||
}
|
||||
@ -400,7 +400,7 @@ _kdc_do_version4(krb5_context context,
|
||||
"tgs-req (krb4) with old kvno %d (current %d) for "
|
||||
"krbtgt.%s@%s", kvno, tgt->entry.kvno % 256,
|
||||
realm, config->v4_realm);
|
||||
make_err_reply(context, reply, KDC_AUTH_EXP,
|
||||
make_err_reply(context, reply, KRB4ET_KDC_AUTH_EXP,
|
||||
"old krbtgt kvno used");
|
||||
goto out2;
|
||||
}
|
||||
@ -409,8 +409,7 @@ _kdc_do_version4(krb5_context context,
|
||||
if(ret){
|
||||
kdc_log(context, config, 0,
|
||||
"no suitable DES key for krbtgt (krb4)");
|
||||
/* XXX */
|
||||
make_err_reply(context, reply, KDC_NULL_KEY,
|
||||
make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY,
|
||||
"no suitable DES key for krbtgt");
|
||||
goto out2;
|
||||
}
|
||||
@ -456,7 +455,7 @@ _kdc_do_version4(krb5_context context,
|
||||
if(strcmp(ad.prealm, realm)){
|
||||
kdc_log(context, config, 0,
|
||||
"Can't hop realms (krb4) %s -> %s", realm, ad.prealm);
|
||||
make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN,
|
||||
make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN,
|
||||
"Can't hop realms");
|
||||
goto out2;
|
||||
}
|
||||
@ -465,7 +464,7 @@ _kdc_do_version4(krb5_context context,
|
||||
kdc_log(context, config, 0,
|
||||
"krb4 Cross-realm %s -> %s disabled",
|
||||
realm, config->v4_realm);
|
||||
make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN,
|
||||
make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN,
|
||||
"Can't hop realms");
|
||||
goto out2;
|
||||
}
|
||||
@ -473,7 +472,7 @@ _kdc_do_version4(krb5_context context,
|
||||
if(strcmp(sname, "changepw") == 0){
|
||||
kdc_log(context, config, 0,
|
||||
"Bad request for changepw ticket (krb4)");
|
||||
make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN,
|
||||
make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN,
|
||||
"Can't authorize password change based on TGT");
|
||||
goto out2;
|
||||
}
|
||||
@ -485,7 +484,7 @@ _kdc_do_version4(krb5_context context,
|
||||
s = kdc_log_msg(context, config, 0,
|
||||
"Client not found in database: (krb4) %s: %s",
|
||||
client_name, krb5_get_err_text(context, ret));
|
||||
make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN, s);
|
||||
make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN, s);
|
||||
free(s);
|
||||
goto out2;
|
||||
}
|
||||
@ -494,7 +493,7 @@ _kdc_do_version4(krb5_context context,
|
||||
s = kdc_log_msg(context, config, 0,
|
||||
"Local client not found in database: (krb4) "
|
||||
"%s", client_name);
|
||||
make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN, s);
|
||||
make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN, s);
|
||||
free(s);
|
||||
goto out2;
|
||||
}
|
||||
@ -506,7 +505,7 @@ _kdc_do_version4(krb5_context context,
|
||||
s = kdc_log_msg(context, config, 0,
|
||||
"Server not found in database (krb4): %s: %s",
|
||||
server_name, krb5_get_err_text(context, ret));
|
||||
make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN, s);
|
||||
make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN, s);
|
||||
free(s);
|
||||
goto out2;
|
||||
}
|
||||
@ -516,8 +515,7 @@ _kdc_do_version4(krb5_context context,
|
||||
server, server_name,
|
||||
FALSE);
|
||||
if (ret) {
|
||||
/* good error code? */
|
||||
make_err_reply(context, reply, KERB_ERR_NAME_EXP,
|
||||
make_err_reply(context, reply, KRB4ET_KDC_NAME_EXP,
|
||||
"operation not allowed");
|
||||
goto out2;
|
||||
}
|
||||
@ -526,8 +524,7 @@ _kdc_do_version4(krb5_context context,
|
||||
if(ret){
|
||||
kdc_log(context, config, 0,
|
||||
"no suitable DES key for server (krb4)");
|
||||
/* XXX */
|
||||
make_err_reply(context, reply, KDC_NULL_KEY,
|
||||
make_err_reply(context, reply, KRB4ET_KDC_NULL_KEY,
|
||||
"no suitable DES key for server");
|
||||
goto out2;
|
||||
}
|
||||
@ -787,7 +784,7 @@ _kdc_get_des_key(krb5_context context,
|
||||
else if(is_server && server_key)
|
||||
*ret_key = server_key;
|
||||
else
|
||||
return KERB_ERR_NULL_KEY;
|
||||
return KRB4ET_KDC_NULL_KEY;
|
||||
} else {
|
||||
if(v4_key)
|
||||
*ret_key = v4_key;
|
||||
@ -798,11 +795,11 @@ _kdc_get_des_key(krb5_context context,
|
||||
else if(is_server && server_key)
|
||||
*ret_key = server_key;
|
||||
else
|
||||
return KERB_ERR_NULL_KEY;
|
||||
return KRB4ET_KDC_NULL_KEY;
|
||||
}
|
||||
|
||||
if((*ret_key)->key.keyvalue.length == 0)
|
||||
return KERB_ERR_NULL_KEY;
|
||||
return KRB4ET_KDC_NULL_KEY;
|
||||
return 0;
|
||||
}
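Review bot: In the TGS branch the three `kdc_log_msg` sites ("Client not found in database", "Local client not found", "Server not found in database") hand the returned string `s` to `make_err_reply`, and that string embeds `krb5_get_err_text(context, ret)`, so the backend's own error text is sent back to an unauthenticated krb4 client, while the AS branch earlier in the same function sends a fixed "principal unknown". Keeping `s` for the log only and sending a constant, `make_err_reply(context, reply, KRB4ET_KDC_PR_UNKNOWN, "principal unknown");`, closes that gap without changing the error code. This predates the `KERB_ERR_*` to `KRB4ET_*` rename but the commit rewrites exactly those lines; `make_err_reply` itself is not in view, so how the text is transmitted is assumed from its use. `_kdc_do_version4` starts and ends outside these hunks.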
|
||||
|
||||
|
@ -33,7 +33,7 @@
|
||||
|
||||
#include "kdc_locl.h"
|
||||
|
||||
RCSID("$Id: kerberos5.c 21040 2007-06-10 06:20:59Z lha $");
|
||||
RCSID("$Id: kerberos5.c 21529 2007-07-13 12:37:14Z lha $");
|
||||
|
||||
#define MAX_TIME ((time_t)((1U << 31) - 1))
|
||||
|
||||
@ -84,6 +84,22 @@ _kdc_find_padata(const KDC_REQ *req, int *start, int type)
|
||||
return NULL;
|
||||
}
|
||||
|
||||
/*
|
||||
* Detect if `key' is the using the the precomputed `default_salt'.
|
||||
*/
|
||||
|
||||
static krb5_boolean
|
||||
is_default_salt_p(const krb5_salt *default_salt, const Key *key)
|
||||
{
|
||||
if (key->salt == NULL)
|
||||
return TRUE;
|
||||
if (default_salt->salttype != key->salt->type)
|
||||
return FALSE;
|
||||
if (krb5_data_cmp(&default_salt->saltvalue, &key->salt->salt))
|
||||
return FALSE;
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
/*
|
||||
* return the first appropriate key of `princ' in `ret_key'. Look for
|
||||
* all the etypes in (`etypes', `len'), stopping as soon as we find
|
||||
@ -97,6 +113,9 @@ _kdc_find_etype(krb5_context context, const hdb_entry_ex *princ,
|
||||
{
|
||||
int i;
|
||||
krb5_error_code ret = KRB5KDC_ERR_ETYPE_NOSUPP;
|
||||
krb5_salt def_salt;
|
||||
|
||||
krb5_get_pw_salt (context, princ->entry.principal, &def_salt);
|
||||
|
||||
for(i = 0; ret != 0 && i < len ; i++) {
|
||||
Key *key = NULL;
|
||||
@ -112,10 +131,13 @@ _kdc_find_etype(krb5_context context, const hdb_entry_ex *princ,
|
||||
*ret_key = key;
|
||||
*ret_etype = etypes[i];
|
||||
ret = 0;
|
||||
if (key->salt == NULL)
|
||||
if (is_default_salt_p(&def_salt, key)) {
|
||||
krb5_free_salt (context, def_salt);
|
||||
return ret;
|
||||
}
|
||||
}
|
||||
}
|
||||
krb5_free_salt (context, def_salt);
|
||||
return ret;
|
||||
}
|
||||
|
||||
@ -325,6 +347,43 @@ _kdc_encode_reply(krb5_context context,
|
||||
return 0;
|
||||
}
|
||||
|
||||
/*
|
||||
* Return 1 if the client have only older enctypes, this is for
|
||||
* determining if the server should send ETYPE_INFO2 or not.
|
||||
*/
|
||||
|
||||
static int
|
||||
older_enctype(krb5_enctype enctype)
|
||||
{
|
||||
switch (enctype) {
|
||||
case ETYPE_DES_CBC_CRC:
|
||||
case ETYPE_DES_CBC_MD4:
|
||||
case ETYPE_DES_CBC_MD5:
|
||||
case ETYPE_DES3_CBC_SHA1:
|
||||
case ETYPE_ARCFOUR_HMAC_MD5:
|
||||
case ETYPE_ARCFOUR_HMAC_MD5_56:
|
||||
return 1;
|
||||
default:
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
||||
static int
|
||||
only_older_enctype_p(const KDC_REQ *req)
|
||||
{
|
||||
int i;
|
||||
|
||||
for(i = 0; i < req->req_body.etype.len; i++) {
|
||||
if (!older_enctype(req->req_body.etype.val[i]))
|
||||
return 0;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
/*
|
||||
*
|
||||
*/
|
||||
|
||||
static krb5_error_code
|
||||
make_etype_info_entry(krb5_context context, ETYPE_INFO_ENTRY *ent, Key *key)
|
||||
{
|
||||
@ -395,14 +454,18 @@ get_pa_etype_info(krb5_context context,
|
||||
return ENOMEM;
|
||||
memset(pa.val, 0, pa.len * sizeof(*pa.val));
|
||||
|
||||
for(j = 0; j < etypes_len; j++) {
|
||||
for (i = 0; i < n; i++)
|
||||
if (pa.val[i].etype == etypes[j])
|
||||
for(i = 0; i < client->keys.len; i++) {
|
||||
for (j = 0; j < n; j++)
|
||||
if (pa.val[j].etype == client->keys.val[i].key.keytype)
|
||||
goto skip1;
|
||||
for(i = 0; i < client->keys.len; i++) {
|
||||
for(j = 0; j < etypes_len; j++) {
|
||||
if(client->keys.val[i].key.keytype == etypes[j]) {
|
||||
if (krb5_enctype_valid(context, etypes[j]) != 0)
|
||||
continue;
|
||||
if (!older_enctype(etypes[j]))
|
||||
continue;
|
||||
if (n >= pa.len)
|
||||
krb5_abortx(context, "internal error: n >= p.len");
|
||||
if((ret = make_etype_info_entry(context,
|
||||
&pa.val[n++],
|
||||
&client->keys.val[i])) != 0) {
|
||||
@ -420,6 +483,10 @@ get_pa_etype_info(krb5_context context,
|
||||
}
|
||||
if (krb5_enctype_valid(context, client->keys.val[i].key.keytype) != 0)
|
||||
continue;
|
||||
if (!older_enctype(etypes[j]))
|
||||
continue;
|
||||
if (n >= pa.len)
|
||||
krb5_abortx(context, "internal error: n >= p.len");
|
||||
if((ret = make_etype_info_entry(context,
|
||||
&pa.val[n++],
|
||||
&client->keys.val[i])) != 0) {
|
||||
@ -429,16 +496,8 @@ get_pa_etype_info(krb5_context context,
|
||||
skip2:;
|
||||
}
|
||||
|
||||
if(n != pa.len) {
|
||||
char *name;
|
||||
ret = krb5_unparse_name(context, client->principal, &name);
|
||||
if (ret)
|
||||
name = rk_UNCONST("<unparse_name failed>");
|
||||
kdc_log(context, config, 0,
|
||||
"internal error in get_pa_etype_info(%s): %d != %d",
|
||||
name, n, pa.len);
|
||||
if (ret == 0)
|
||||
free(name);
|
||||
if(n < pa.len) {
|
||||
/* stripped out newer enctypes */
|
||||
pa.len = n;
|
||||
}
|
||||
|
||||
@ -528,33 +587,9 @@ make_etype_info2_entry(ETYPE_INFO2_ENTRY *ent, Key *key)
|
||||
}
|
||||
|
||||
/*
|
||||
* Return 1 if the client have only older enctypes, this is for
|
||||
* determining if the server should send ETYPE_INFO2 or not.
|
||||
*/
|
||||
|
||||
static int
|
||||
only_older_enctype_p(const KDC_REQ *req)
|
||||
{
|
||||
int i;
|
||||
|
||||
for(i = 0; i < req->req_body.etype.len; i++) {
|
||||
switch (req->req_body.etype.val[i]) {
|
||||
case ETYPE_DES_CBC_CRC:
|
||||
case ETYPE_DES_CBC_MD4:
|
||||
case ETYPE_DES_CBC_MD5:
|
||||
case ETYPE_DES3_CBC_SHA1:
|
||||
case ETYPE_ARCFOUR_HMAC_MD5:
|
||||
case ETYPE_ARCFOUR_HMAC_MD5_56:
|
||||
break;
|
||||
default:
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
/*
|
||||
*
|
||||
* Return an ETYPE-INFO2. Enctypes are storted the same way as in the
|
||||
* database (client supported enctypes first, then the unsupported
|
||||
* enctypes).
|
||||
*/
|
||||
|
||||
static krb5_error_code
|
||||
@ -578,11 +613,11 @@ get_pa_etype_info2(krb5_context context,
|
||||
return ENOMEM;
|
||||
memset(pa.val, 0, pa.len * sizeof(*pa.val));
|
||||
|
||||
for(j = 0; j < etypes_len; j++) {
|
||||
for (i = 0; i < n; i++)
|
||||
if (pa.val[i].etype == etypes[j])
|
||||
for(i = 0; i < client->keys.len; i++) {
|
||||
for (j = 0; j < n; j++)
|
||||
if (pa.val[j].etype == client->keys.val[i].key.keytype)
|
||||
goto skip1;
|
||||
for(i = 0; i < client->keys.len; i++) {
|
||||
for(j = 0; j < etypes_len; j++) {
|
||||
if(client->keys.val[i].key.keytype == etypes[j]) {
|
||||
if (krb5_enctype_valid(context, etypes[j]) != 0)
|
||||
continue;
|
||||
@ -595,6 +630,7 @@ get_pa_etype_info2(krb5_context context,
|
||||
}
|
||||
skip1:;
|
||||
}
|
||||
/* send enctypes that the cliene doesn't know about too */
|
||||
for(i = 0; i < client->keys.len; i++) {
|
||||
for(j = 0; j < etypes_len; j++) {
|
||||
if(client->keys.val[i].key.keytype == etypes[j])
|
||||
@ -959,7 +995,9 @@ _kdc_as_rep(krb5_context context,
|
||||
if (b->cname->name_type == KRB5_NT_ENTERPRISE_PRINCIPAL) {
|
||||
if (b->cname->name_string.len != 1) {
|
||||
kdc_log(context, config, 0,
|
||||
"AS-REQ malformed canon request from %s", from);
|
||||
"AS-REQ malformed canon request from %s, "
|
||||
"enterprise name with %d name components",
|
||||
from, b->cname->name_string.len);
|
||||
ret = KRB5_PARSE_MALFORMED;
|
||||
goto out;
|
||||
}
|
||||
@ -1395,6 +1433,12 @@ _kdc_as_rep(krb5_context context,
|
||||
copy_Realm(&server->entry.principal->realm, &rep.ticket.realm);
|
||||
_krb5_principal2principalname(&rep.ticket.sname,
|
||||
server->entry.principal);
|
||||
/* java 1.6 expects the name to be the same type, lets allow that
|
||||
* uncomplicated name-types. */
|
||||
#define CNT(sp,t) (((sp)->sname->name_type) == KRB5_NT_##t)
|
||||
if (CNT(b, UNKNOWN) || CNT(b, PRINCIPAL) || CNT(b, SRV_INST) || CNT(b, SRV_HST) || CNT(b, SRV_XHST))
|
||||
rep.ticket.sname.name_type = b->sname->name_type;
|
||||
#undef CNT
|
||||
|
||||
et.flags.initial = 1;
|
||||
if(client->entry.flags.forwardable && server->entry.flags.forwardable)
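Review bot: In `get_pa_etype_info`, the check added in the second key loop, `if (!older_enctype(etypes[j])) continue;`, runs after the inner `for (j = 0; j < etypes_len; j++)` scan has completed without a `goto skip2`, so at that point `j == etypes_len` and `etypes[j]` reads one element past the caller's array; the key's own type is what should be tested, `if (!older_enctype(client->keys.val[i].key.keytype)) continue;`, as the preceding `krb5_enctype_valid` line already does. The inner loop's header sits in context not shown in that hunk, but the first loop of the same function, visible above, has exactly that shape. Separately, `_kdc_find_etype` ignores the return of `krb5_get_pw_salt (context, princ->entry.principal, &def_salt);`, and on failure `def_salt` is compared by `is_default_salt_p` and then passed to `krb5_free_salt` uninitialised; check it and return the error before the loop. `get_pa_etype_info` and `_kdc_as_rep` both extend beyond the hunks shown.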
|
||||
|
@ -36,7 +36,7 @@
|
||||
#include <rfc2459_asn1.h>
|
||||
#include <hx509.h>
|
||||
|
||||
RCSID("$Id: kx509.c 19992 2007-01-20 09:06:18Z lha $");
|
||||
RCSID("$Id: kx509.c 21607 2007-07-17 07:04:52Z lha $");
|
||||
|
||||
/*
|
||||
*
|
||||
@ -56,7 +56,7 @@ _kdc_try_kx509_request(void *ptr, size_t len, Kx509Request *req, size_t *size)
|
||||
*
|
||||
*/
|
||||
|
||||
static const char version_2_0[4] = {0 , 0, 2, 0};
|
||||
static const unsigned char version_2_0[4] = {0 , 0, 2, 0};
|
||||
|
||||
static krb5_error_code
|
||||
verify_req_hash(krb5_context context,
|
||||
@ -122,7 +122,7 @@ calculate_reply_hash(krb5_context context,
|
||||
if (rep->certificate)
|
||||
HMAC_Update(&ctx, rep->certificate->data, rep->certificate->length);
|
||||
if (rep->e_text)
|
||||
HMAC_Update(&ctx, *rep->e_text, strlen(*rep->e_text));
|
||||
HMAC_Update(&ctx, (unsigned char *)*rep->e_text, strlen(*rep->e_text));
|
||||
|
||||
HMAC_Final(&ctx, rep->hash->data, 0);
|
||||
HMAC_CTX_cleanup(&ctx);
|
||||
|
@ -32,18 +32,10 @@
|
||||
*/
|
||||
|
||||
#include "kuser_locl.h"
|
||||
RCSID("$Id: kinit.c 20517 2007-04-22 10:42:26Z lha $");
|
||||
RCSID("$Id: kinit.c 21483 2007-07-10 16:40:46Z lha $");
|
||||
|
||||
#include "krb5-v4compat.h"
|
||||
|
||||
struct krb5_pk_identity;
|
||||
struct krb5_pk_cert;
|
||||
struct ContentInfo;
|
||||
struct _krb5_krb_auth_data;
|
||||
struct krb5_dh_moduli;
|
||||
struct krb5_plugin;
|
||||
enum plugin_type;
|
||||
#include "krb5-private.h"
|
||||
#include "heimntlm.h"
|
||||
|
||||
int forwardable_flag = -1;
|
||||
|
@ -3,7 +3,7 @@
|
||||
#
|
||||
# This might look like a com_err file, but is not
|
||||
#
|
||||
id "$Id: asn1_err.et 20010 2007-01-20 21:52:27Z lha $"
|
||||
id "$Id: asn1_err.et 21394 2007-07-02 10:14:43Z lha $"
|
||||
|
||||
error_table asn1
|
||||
prefix ASN1
|
||||
@ -19,4 +19,7 @@ error_code BAD_FORMAT, "ASN.1 badly-formatted encoding"
|
||||
error_code PARSE_ERROR, "ASN.1 parse error"
|
||||
error_code EXTRA_DATA, "ASN.1 extra data past end of end structure"
|
||||
error_code BAD_CHARACTER, "ASN.1 invalid character in string"
|
||||
error_code MIN_CONSTRAINT, "ASN.1 too few elements"
|
||||
error_code MAX_CONSTRAINT, "ASN.1 too many elements"
|
||||
error_code EXACT_CONSTRAINT, "ASN.1 wrong number of elements"
|
||||
end
|
||||
|
@ -33,7 +33,7 @@
|
||||
|
||||
#include "der_locl.h"
|
||||
|
||||
RCSID("$Id: der_get.c 20570 2007-04-27 14:06:27Z lha $");
|
||||
RCSID("$Id: der_get.c 21369 2007-06-27 10:14:39Z lha $");
|
||||
|
||||
#include <version.h>
|
||||
|
||||
@ -336,32 +336,25 @@ generalizedtime2time (const char *s, time_t *t)
|
||||
*t = _der_timegm (&tm);
|
||||
return 0;
|
||||
}
|
||||
#undef timegm
|
||||
|
||||
static int
|
||||
der_get_time (const unsigned char *p, size_t len,
|
||||
time_t *data, size_t *size)
|
||||
{
|
||||
heim_octet_string k;
|
||||
char *times;
|
||||
size_t ret = 0;
|
||||
size_t l;
|
||||
int e;
|
||||
|
||||
e = der_get_octet_string (p, len, &k, &l);
|
||||
if (e) return e;
|
||||
p += l;
|
||||
len -= l;
|
||||
ret += l;
|
||||
times = realloc(k.data, k.length + 1);
|
||||
if (times == NULL){
|
||||
free(k.data);
|
||||
if (len > len + 1 || len == 0)
|
||||
return ASN1_BAD_LENGTH;
|
||||
|
||||
times = malloc(len + 1);
|
||||
if (times == NULL)
|
||||
return ENOMEM;
|
||||
}
|
||||
times[k.length] = 0;
|
||||
memcpy(times, p, len);
|
||||
times[len] = '\0';
|
||||
e = generalizedtime2time(times, data);
|
||||
free (times);
|
||||
if(size) *size = ret;
|
||||
if(size) *size = len;
|
||||
return e;
|
||||
}
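Review bot: The guard `if (len > len + 1 || len == 0)` in `der_get_time` is correct only because unsigned wraparound makes `len + 1` zero at `SIZE_MAX`, and it reads like a typo to anyone who has not worked that out; `if (len == 0 || len == SIZE_MAX) return ASN1_BAD_LENGTH;` (or `(size_t)-1` if `SIZE_MAX` is not available in this tree) states the intent directly. The rest of the rewrite — copying the content bytes and NUL-terminating before `generalizedtime2time` — looks right; whether an embedded NUL in the time string is detected depends on `generalizedtime2time`, whose body is above the hunk.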
|
||||
|
||||
|
@ -33,7 +33,7 @@
|
||||
|
||||
#include "gen_locl.h"
|
||||
|
||||
RCSID("$Id: gen.c 20670 2007-05-11 00:39:41Z lha $");
|
||||
RCSID("$Id: gen.c 21364 2007-06-27 08:51:06Z lha $");
|
||||
|
||||
FILE *headerfile, *codefile, *logfile;
|
||||
|
||||
@ -253,6 +253,7 @@ generate_header_of_codefile(const char *name)
|
||||
"#include <time.h>\n"
|
||||
"#include <string.h>\n"
|
||||
"#include <errno.h>\n"
|
||||
"#include <limits.h>\n"
|
||||
"#include <krb5-types.h>\n",
|
||||
orig_filename);
|
||||
|
||||
|
@ -34,7 +34,7 @@
|
||||
#include "gen_locl.h"
|
||||
#include "lex.h"
|
||||
|
||||
RCSID("$Id: gen_decode.c 19572 2006-12-29 17:30:32Z lha $");
|
||||
RCSID("$Id: gen_decode.c 21503 2007-07-12 11:57:19Z lha $");
|
||||
|
||||
static void
|
||||
decode_primitive (const char *typename, const char *name, const char *forwstr)
|
||||
@ -202,6 +202,32 @@ find_tag (const Type *t,
|
||||
}
|
||||
}
|
||||
|
||||
static void
|
||||
range_check(const char *name,
|
||||
const char *length,
|
||||
const char *forwstr,
|
||||
struct range *r)
|
||||
{
|
||||
if (r->min == r->max + 2 || r->min < r->max)
|
||||
fprintf (codefile,
|
||||
"if ((%s)->%s > %d) {\n"
|
||||
"e = ASN1_MAX_CONSTRAINT; %s;\n"
|
||||
"}\n",
|
||||
name, length, r->max, forwstr);
|
||||
if (r->min - 1 == r->max || r->min < r->max)
|
||||
fprintf (codefile,
|
||||
"if ((%s)->%s < %d) {\n"
|
||||
"e = ASN1_MIN_CONSTRAINT; %s;\n"
|
||||
"}\n",
|
||||
name, length, r->min, forwstr);
|
||||
if (r->max == r->min)
|
||||
fprintf (codefile,
|
||||
"if ((%s)->%s != %d) {\n"
|
||||
"e = ASN1_EXACT_CONSTRAINT; %s;\n"
|
||||
"}\n",
|
||||
name, length, r->min, forwstr);
|
||||
}
|
||||
|
||||
static int
|
||||
decode_type (const char *name, const Type *t, int optional,
|
||||
const char *forwstr, const char *tmpstr)
|
||||
@ -236,12 +262,14 @@ decode_type (const char *name, const Type *t, int optional,
|
||||
}
|
||||
case TInteger:
|
||||
if(t->members) {
|
||||
char *s;
|
||||
asprintf(&s, "(int*)%s", name);
|
||||
if (s == NULL)
|
||||
errx (1, "out of memory");
|
||||
decode_primitive ("integer", s, forwstr);
|
||||
free(s);
|
||||
fprintf(codefile,
|
||||
"{\n"
|
||||
"int enumint;\n");
|
||||
decode_primitive ("integer", "&enumint", forwstr);
|
||||
fprintf(codefile,
|
||||
"*%s = enumint;\n"
|
||||
"}\n",
|
||||
name);
|
||||
} else if (t->range == NULL) {
|
||||
decode_primitive ("heim_integer", name, forwstr);
|
||||
} else if (t->range->min == INT_MIN && t->range->max == INT_MAX) {
|
||||
@ -262,6 +290,8 @@ decode_type (const char *name, const Type *t, int optional,
|
||||
break;
|
||||
case TOctetString:
|
||||
decode_primitive ("octet_string", name, forwstr);
|
||||
if (t->range)
|
||||
range_check(name, "length", forwstr, t->range);
|
||||
break;
|
||||
case TBitString: {
|
||||
Member *m;
|
||||
@ -394,19 +424,31 @@ decode_type (const char *name, const Type *t, int optional,
|
||||
"{\n"
|
||||
"size_t %s_origlen = len;\n"
|
||||
"size_t %s_oldret = ret;\n"
|
||||
"size_t %s_olen = 0;\n"
|
||||
"void *%s_tmp;\n"
|
||||
"ret = 0;\n"
|
||||
"(%s)->len = 0;\n"
|
||||
"(%s)->val = NULL;\n"
|
||||
"(%s)->val = NULL;\n",
|
||||
tmpstr,
|
||||
tmpstr,
|
||||
tmpstr,
|
||||
tmpstr,
|
||||
name,
|
||||
name);
|
||||
|
||||
fprintf (codefile,
|
||||
"while(ret < %s_origlen) {\n"
|
||||
"%s_tmp = realloc((%s)->val, "
|
||||
" sizeof(*((%s)->val)) * ((%s)->len + 1));\n"
|
||||
"if (%s_tmp == NULL) { %s; }\n"
|
||||
"size_t %s_nlen = %s_olen + sizeof(*((%s)->val));\n"
|
||||
"if (%s_olen > %s_nlen) { e = ASN1_OVERFLOW; %s; }\n"
|
||||
"%s_olen = %s_nlen;\n"
|
||||
"%s_tmp = realloc((%s)->val, %s_olen);\n"
|
||||
"if (%s_tmp == NULL) { e = ENOMEM; %s; }\n"
|
||||
"(%s)->val = %s_tmp;\n",
|
||||
tmpstr, tmpstr, tmpstr,
|
||||
name, name,
|
||||
tmpstr,
|
||||
tmpstr, tmpstr, name,
|
||||
tmpstr, tmpstr, forwstr,
|
||||
tmpstr, tmpstr,
|
||||
name, name, name,
|
||||
tmpstr, name, tmpstr,
|
||||
tmpstr, forwstr,
|
||||
name, tmpstr);
|
||||
|
||||
@ -425,6 +467,8 @@ decode_type (const char *name, const Type *t, int optional,
|
||||
"}\n",
|
||||
name,
|
||||
tmpstr, tmpstr);
|
||||
if (t->range)
|
||||
range_check(name, "len", forwstr, t->range);
|
||||
free (n);
|
||||
free (sname);
|
||||
break;
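Review bot: `range_check` keys its three branches on sentinel relations between `r->min` and `r->max` (`r->min == r->max + 2`, `r->min - 1 == r->max`, `r->max == r->min`) that nothing in this file explains, and a reader cannot tell a bug from a convention. A header comment on the function should spell the encoding out; it appears to be that `MIN..v` is stored as `min = v + 2, max = v` (upper bound only) and `v..MAX` as `min = v, max = v - 1` (lower bound only), with `min == max` meaning an exact size — confirm against the range rule in parse.y before committing the wording. The generated guard `if (%s_olen > %s_nlen) { e = ASN1_OVERFLOW; %s; }` in the SEQUENCE OF loop is a good addition; note that it emits a `size_t %s_nlen` declaration after statements inside the `while`, so consumers of the generated code now need C99.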
|
||||
|
@ -33,7 +33,7 @@
|
||||
|
||||
#include "gen_locl.h"
|
||||
|
||||
RCSID("$Id: gen_encode.c 19572 2006-12-29 17:30:32Z lha $");
|
||||
RCSID("$Id: gen_encode.c 21503 2007-07-12 11:57:19Z lha $");
|
||||
|
||||
static void
|
||||
encode_primitive (const char *typename, const char *name)
|
||||
@ -121,12 +121,12 @@ encode_type (const char *name, const Type *t, const char *tmpstr)
|
||||
break;
|
||||
case TInteger:
|
||||
if(t->members) {
|
||||
char *s;
|
||||
asprintf(&s, "(const int*)%s", name);
|
||||
if(s == NULL)
|
||||
errx(1, "out of memory");
|
||||
encode_primitive ("integer", s);
|
||||
free(s);
|
||||
fprintf(codefile,
|
||||
"{\n"
|
||||
"int enumint = (int)*%s;\n",
|
||||
name);
|
||||
encode_primitive ("integer", "&enumint");
|
||||
fprintf(codefile, "}\n;");
|
||||
} else if (t->range == NULL) {
|
||||
encode_primitive ("heim_integer", name);
|
||||
} else if (t->range->min == INT_MIN && t->range->max == INT_MAX) {
|
||||
@ -292,6 +292,11 @@ encode_type (const char *name, const Type *t, const char *tmpstr)
|
||||
"size_t elen, totallen = 0;\n"
|
||||
"int eret;\n");
|
||||
|
||||
fprintf(codefile,
|
||||
"if ((%s)->len > UINT_MAX/sizeof(val[0]))\n"
|
||||
"return ERANGE;\n",
|
||||
name);
|
||||
|
||||
fprintf(codefile,
|
||||
"val = malloc(sizeof(val[0]) * (%s)->len);\n"
|
||||
"if (val == NULL && (%s)->len != 0) return ENOMEM;\n",
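Review bot: The TInteger-with-members branch emits `fprintf(codefile, "}\n;");`, which leaves a stray `;` after the block in every generated encoder — an empty statement, harmless, but inconsistent with the `"}\n"` emitted by the matching decode and length generators in this same commit; `fprintf(codefile, "}\n");` matches them. The new `if ((%s)->len > UINT_MAX/sizeof(val[0])) return ERANGE;` guard before the `malloc` is welcome; it bounds by `UINT_MAX` rather than `SIZE_MAX`, which is fine if `len` is an `unsigned int` field (its type is not visible here) and merely stricter than needed otherwise.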
|
||||
|
@ -33,7 +33,7 @@
|
||||
|
||||
#include "gen_locl.h"
|
||||
|
||||
RCSID("$Id: gen_length.c 19539 2006-12-28 17:15:05Z lha $");
|
||||
RCSID("$Id: gen_length.c 21503 2007-07-12 11:57:19Z lha $");
|
||||
|
||||
static void
|
||||
length_primitive (const char *typename,
|
||||
@ -72,12 +72,11 @@ length_type (const char *name, const Type *t,
|
||||
break;
|
||||
case TInteger:
|
||||
if(t->members) {
|
||||
char *s;
|
||||
asprintf(&s, "(const int*)%s", name);
|
||||
if(s == NULL)
|
||||
errx (1, "out of memory");
|
||||
length_primitive ("integer", s, variable);
|
||||
free(s);
|
||||
fprintf(codefile,
|
||||
"{\n"
|
||||
"int enumint = *%s;\n", name);
|
||||
length_primitive ("integer", "&enumint", variable);
|
||||
fprintf(codefile, "}\n");
|
||||
} else if (t->range == NULL) {
|
||||
length_primitive ("heim_integer", name, variable);
|
||||
} else if (t->range->min == INT_MIN && t->range->max == INT_MAX) {
|
||||
|
@ -1,4 +1,4 @@
|
||||
-- $Id: k5.asn1 21092 2007-06-15 19:47:46Z lha $
|
||||
-- $Id: k5.asn1 21400 2007-07-02 19:57:31Z lha $
|
||||
|
||||
KERBEROS5 DEFINITIONS ::=
|
||||
BEGIN
|
||||
@ -332,7 +332,7 @@ ETYPE-INFO2-ENTRY ::= SEQUENCE {
|
||||
s2kparams[2] OCTET STRING OPTIONAL
|
||||
}
|
||||
|
||||
ETYPE-INFO2 ::= SEQUENCE OF ETYPE-INFO2-ENTRY
|
||||
ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY
|
||||
|
||||
METHOD-DATA ::= SEQUENCE OF PA-DATA
|
||||
|
||||
@ -341,7 +341,7 @@ TypedData ::= SEQUENCE {
|
||||
data-value[1] OCTET STRING OPTIONAL
|
||||
}
|
||||
|
||||
TYPED-DATA ::= SEQUENCE OF TypedData
|
||||
TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF TypedData
|
||||
|
||||
KDC-REQ-BODY ::= SEQUENCE {
|
||||
kdc-options[0] KDCOptions,
|
||||
|
@ -1,6 +1,5 @@
|
||||
#include "config.h"
|
||||
|
||||
#line 3 "lex.yy.c"
|
||||
#line 3 "lex.c"
|
||||
|
||||
#define YY_INT_ALIGNED short int
|
||||
|
||||
@ -343,6 +342,9 @@ FILE *yyin = (FILE *) 0, *yyout = (FILE *) 0;
|
||||
typedef int yy_state_type;
|
||||
|
||||
extern int yylineno;
|
||||
|
||||
int yylineno = 1;
|
||||
|
||||
extern char *yytext;
|
||||
#define yytext_ptr yytext
|
||||
|
||||
@ -824,7 +826,7 @@ char *yytext;
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
/* $Id: lex.l,v 1.31 2006/10/21 11:57:22 lha Exp $ */
|
||||
/* $Id: lex.l 18738 2006-10-21 11:57:22Z lha $ */
|
||||
|
||||
#ifdef HAVE_CONFIG_H
|
||||
#include <config.h>
|
||||
@ -849,7 +851,7 @@ static unsigned lineno = 1;
|
||||
static void unterminated(const char *, unsigned);
|
||||
|
||||
/* This is for broken old lexes (solaris 10 and hpux) */
|
||||
#line 852 "lex.yy.c"
|
||||
#line 855 "lex.c"
|
||||
|
||||
#define INITIAL 0
|
||||
|
||||
@ -1004,7 +1006,7 @@ YY_DECL
|
||||
|
||||
#line 68 "lex.l"
|
||||
|
||||
#line 1007 "lex.yy.c"
|
||||
#line 1010 "lex.c"
|
||||
|
||||
if ( !(yy_init) )
|
||||
{
|
||||
@ -1673,7 +1675,7 @@ YY_RULE_SETUP
|
||||
#line 274 "lex.l"
|
||||
ECHO;
|
||||
YY_BREAK
|
||||
#line 1676 "lex.yy.c"
|
||||
#line 1679 "lex.c"
|
||||
case YY_STATE_EOF(INITIAL):
|
||||
yyterminate();
|
||||
|
||||
@ -2483,6 +2485,15 @@ static void yy_fatal_error (yyconst char* msg )
|
||||
|
||||
/* Accessor methods (get/set functions) to struct members. */
|
||||
|
||||
/** Get the current line number.
|
||||
*
|
||||
*/
|
||||
int yyget_lineno (void)
|
||||
{
|
||||
|
||||
return yylineno;
|
||||
}
|
||||
|
||||
/** Get the input stream.
|
||||
*
|
||||
*/
|
||||
@ -2516,6 +2527,16 @@ char *yyget_text (void)
|
||||
return yytext;
|
||||
}
|
||||
|
||||
/** Set the current line number.
|
||||
* @param line_number
|
||||
*
|
||||
*/
|
||||
void yyset_lineno (int line_number )
|
||||
{
|
||||
|
||||
yylineno = line_number;
|
||||
}
|
||||
|
||||
/** Set the input stream. This does not discard the current
|
||||
* input buffer.
|
||||
* @param in_str A readable stream.
|
||||
|
@ -16,7 +16,9 @@
|
||||
GNU General Public License for more details.
|
||||
|
||||
You should have received a copy of the GNU General Public License
|
||||
along with this program; if not, see <http://www.gnu.org/licenses/>. */
|
||||
along with this program; if not, write to the Free Software
|
||||
Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||
Boston, MA 02110-1301, USA. */
|
||||
|
||||
/* As a special exception, you may create a larger work that contains
|
||||
part or all of the Bison parser skeleton and distribute that work
|
||||
@ -224,7 +226,7 @@ typedef union YYSTYPE
|
||||
{
|
||||
int constant;
|
||||
struct value *value;
|
||||
struct range range;
|
||||
struct range *range;
|
||||
char *name;
|
||||
Type *type;
|
||||
Member *member;
|
||||
|
@ -169,7 +169,7 @@ Extension ::= SEQUENCE {
|
||||
extnValue OCTET STRING
|
||||
}
|
||||
|
||||
Extensions ::= SEQUENCE OF Extension -- SIZE (1..MAX)
|
||||
Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
|
||||
|
||||
TBSCertificate ::= SEQUENCE {
|
||||
version [0] Version OPTIONAL, -- EXPLICIT nnn DEFAULT 1,
|
||||
@ -232,7 +232,7 @@ GeneralName ::= CHOICE {
|
||||
registeredID [8] IMPLICIT OBJECT IDENTIFIER
|
||||
}
|
||||
|
||||
GeneralNames ::= SEQUENCE -- SIZE (1..MAX) -- OF GeneralName
|
||||
GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
|
||||
|
||||
id-x509-ce-keyUsage OBJECT IDENTIFIER ::= { id-x509-ce 15 }
|
||||
|
||||
@ -320,7 +320,7 @@ DistributionPointReasonFlags ::= BIT STRING {
|
||||
}
|
||||
|
||||
DistributionPointName ::= CHOICE {
|
||||
fullName [0] IMPLICIT -- GeneralNames -- SEQUENCE -- SIZE (1..MAX) -- OF GeneralName,
|
||||
fullName [0] IMPLICIT -- GeneralNames -- SEQUENCE SIZE (1..MAX) OF GeneralName,
|
||||
nameRelativeToCRLIssuer [1] RelativeDistinguishedName
|
||||
}
|
||||
|
||||
@ -330,7 +330,7 @@ DistributionPoint ::= SEQUENCE {
|
||||
cRLIssuer [2] IMPLICIT heim_any -- GeneralNames -- OPTIONAL
|
||||
}
|
||||
|
||||
CRLDistributionPoints ::= SEQUENCE -- SIZE (1..MAX) -- OF DistributionPoint
|
||||
CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
|
||||
|
||||
|
||||
-- rfc3279
|
||||
@ -449,11 +449,20 @@ id-pkix-kp-emailProtection OBJECT IDENTIFIER ::= { id-pkix-kp 4 }
|
||||
id-pkix-kp-timeStamping OBJECT IDENTIFIER ::= { id-pkix-kp 8 }
|
||||
id-pkix-kp-OCSPSigning OBJECT IDENTIFIER ::= { id-pkix-kp 9 }
|
||||
|
||||
-- RFC 3820 Proxy Certificate Profile
|
||||
|
||||
id-pkix-pe OBJECT IDENTIFIER ::= { id-pkix 1 }
|
||||
|
||||
id-pe-proxyCertInfo OBJECT IDENTIFIER ::= { id-pkix-pe 14 }
|
||||
id-pkix-pe-authorityInfoAccess OBJECT IDENTIFIER ::= { id-pkix-pe 1 }
|
||||
|
||||
AccessDescription ::= SEQUENCE {
|
||||
accessMethod OBJECT IDENTIFIER,
|
||||
accessLocation GeneralName
|
||||
}
|
||||
|
||||
AuthorityInfoAccessSyntax ::= SEQUENCE SIZE (1..MAX) OF AccessDescription
|
||||
|
||||
-- RFC 3820 Proxy Certificate Profile
|
||||
|
||||
id-pkix-pe-proxyCertInfo OBJECT IDENTIFIER ::= { id-pkix-pe 14 }
|
||||
|
||||
id-pkix-ppl OBJECT IDENTIFIER ::= { id-pkix 21 }
|
||||
|
||||
|
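Review bot: The `-- RFC 3820 Proxy Certificate Profile` heading that used to sit above `id-pkix-pe` moves down to the proxyCertInfo definition, leaving the new `id-pkix-pe-authorityInfoAccess`, `AccessDescription` and `AuthorityInfoAccessSyntax` definitions without a source citation while the neighbouring groups carry one. Suggest `-- RFC 3280 4.2.2.1 Authority Information Access` above `id-pkix-pe-authorityInfoAccess`, and `-- PKIX private extensions arc, shared by the definitions below` on `id-pkix-pe` itself now that two extensions hang off it. The OID values (`id-pkix-pe 1` and `id-pkix-pe 14`) match the RFCs.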
@ -1,4 +1,4 @@
|
||||
-- $Id: test.asn1 18013 2006-09-05 14:00:44Z lha $ --
|
||||
-- $Id: test.asn1 21455 2007-07-10 12:51:19Z lha $ --
|
||||
|
||||
TEST DEFINITIONS ::=
|
||||
|
||||
@ -85,4 +85,11 @@ TESTUSERCONSTRAINED ::= OCTET STRING (CONSTRAINED BY { -- meh -- })
|
||||
|
||||
TESTSeqOf ::= SEQUENCE OF TESTInteger
|
||||
|
||||
TESTSeqSizeOf1 ::= SEQUENCE SIZE (2) OF TESTInteger
|
||||
TESTSeqSizeOf2 ::= SEQUENCE SIZE (1..2) OF TESTInteger
|
||||
TESTSeqSizeOf3 ::= SEQUENCE SIZE (1..MAX) OF TESTInteger
|
||||
TESTSeqSizeOf4 ::= SEQUENCE SIZE (MIN..2) OF TESTInteger
|
||||
|
||||
TESTOSSize1 ::= OCTET STRING SIZE (1..2)
|
||||
|
||||
END
|
||||
|
@ -33,7 +33,7 @@
|
||||
|
||||
#include "der_locl.h"
|
||||
|
||||
RCSID("$Id: timegm.c 18607 2006-10-19 16:19:32Z lha $");
|
||||
RCSID("$Id: timegm.c 21366 2007-06-27 10:06:22Z lha $");
|
||||
|
||||
static int
|
||||
is_leap(unsigned y)
|
||||
@ -43,8 +43,8 @@ is_leap(unsigned y)
|
||||
}
|
||||
|
||||
/*
|
||||
* This is a simplifed version of _der_timegm that doesn't accept out
|
||||
* of bound values that timegm(3) normally accepts but those are not
|
||||
* This is a simplifed version of timegm(3) that doesn't accept out of
|
||||
* bound values that timegm(3) normally accepts but those are not
|
||||
* valid in asn1 encodings.
|
||||
*/
|
||||
|
||||
|
@ -27,7 +27,7 @@
|
||||
*/
|
||||
|
||||
#include "mech_locl.h"
|
||||
RCSID("$Id: gss_acquire_cred.c 20626 2007-05-08 13:56:49Z lha $");
|
||||
RCSID("$Id: gss_acquire_cred.c 21478 2007-07-10 16:32:01Z lha $");
|
||||
|
||||
OM_uint32
|
||||
gss_acquire_cred(OM_uint32 *minor_status,
|
||||
@ -50,7 +50,7 @@ gss_acquire_cred(OM_uint32 *minor_status,
|
||||
int i;
|
||||
|
||||
*minor_status = 0;
|
||||
if (actual_mechs)
|
||||
if (output_cred_handle)
|
||||
*output_cred_handle = GSS_C_NO_CREDENTIAL;
|
||||
if (actual_mechs)
|
||||
*actual_mechs = GSS_C_NO_OID_SET;
|
||||
@ -106,8 +106,9 @@ gss_acquire_cred(OM_uint32 *minor_status,
|
||||
continue;
|
||||
|
||||
if (desired_name != GSS_C_NO_NAME) {
|
||||
mn = _gss_find_mn(name, &mechs->elements[i]);
|
||||
if (!mn)
|
||||
major_status = _gss_find_mn(minor_status, name,
|
||||
&mechs->elements[i], &mn);
|
||||
if (major_status != GSS_S_COMPLETE)
|
||||
continue;
|
||||
}
|
||||
|
||||
|
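Review bot: In the mechanism loop every non-complete status from `_gss_find_mn` is treated as "no MN for this mechanism" and skipped with `continue`, but the rewritten `_gss_find_mn` now also returns GSS_S_FAILURE for a failed allocation and propagates `gm_import_name` errors, so a transient failure is indistinguishable from a genuine mismatch and silently drops that mechanism from the acquired credential; gss_compare_name.c in this commit has the same pattern. Consider failing the call on GSS_S_FAILURE instead of continuing (the loop's cleanup is outside the hunk, so I cannot quote the exact form). The failing lookup also leaves that mechanism's minor code in `*minor_status`, which a later iteration may or may not overwrite.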
@ -27,7 +27,7 @@
|
||||
*/
|
||||
|
||||
#include "mech_locl.h"
|
||||
RCSID("$Id: gss_add_cred.c 20626 2007-05-08 13:56:49Z lha $");
|
||||
RCSID("$Id: gss_add_cred.c 21474 2007-07-10 16:30:23Z lha $");
|
||||
|
||||
static struct _gss_mechanism_cred *
|
||||
_gss_copy_cred(struct _gss_mechanism_cred *mc)
|
||||
@ -136,11 +136,13 @@ gss_add_cred(OM_uint32 *minor_status,
|
||||
* Figure out a suitable mn, if any.
|
||||
*/
|
||||
if (desired_name) {
|
||||
mn = _gss_find_mn((struct _gss_name *) desired_name,
|
||||
desired_mech);
|
||||
if (!mn) {
|
||||
major_status = _gss_find_mn(minor_status,
|
||||
(struct _gss_name *) desired_name,
|
||||
desired_mech,
|
||||
&mn);
|
||||
if (major_status != GSS_S_COMPLETE) {
|
||||
free(new_cred);
|
||||
return (GSS_S_BAD_NAME);
|
||||
return major_status;
|
||||
}
|
||||
} else {
|
||||
mn = 0;
|
||||
|
@ -27,7 +27,7 @@
|
||||
*/
|
||||
|
||||
#include "mech_locl.h"
|
||||
RCSID("$Id: gss_canonicalize_name.c 19928 2007-01-16 10:37:54Z lha $");
|
||||
RCSID("$Id: gss_canonicalize_name.c 21476 2007-07-10 16:31:27Z lha $");
|
||||
|
||||
OM_uint32
|
||||
gss_canonicalize_name(OM_uint32 *minor_status,
|
||||
@ -44,10 +44,9 @@ gss_canonicalize_name(OM_uint32 *minor_status,
|
||||
*minor_status = 0;
|
||||
*output_name = 0;
|
||||
|
||||
mn = _gss_find_mn(name, mech_type);
|
||||
if (!mn) {
|
||||
return (GSS_S_BAD_MECH);
|
||||
}
|
||||
major_status = _gss_find_mn(minor_status, name, mech_type, &mn);
|
||||
if (major_status)
|
||||
return major_status;
|
||||
|
||||
m = mn->gmn_mech;
|
||||
major_status = m->gm_canonicalize_name(minor_status,
|
||||
|
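Review bot: The new check `if (major_status)` is written differently from every other `_gss_find_mn` caller in this commit (gss_acquire_cred.c, gss_add_cred.c and gss_init_sec_context.c use `!= GSS_S_COMPLETE`); `if (major_status != GSS_S_COMPLETE)` keeps the mechglue consistent and reads as a status comparison rather than a boolean test. Behaviour is identical, since GSS_S_COMPLETE is zero.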
@ -27,7 +27,7 @@
|
||||
*/
|
||||
|
||||
#include "mech_locl.h"
|
||||
RCSID("$Id: gss_compare_name.c 17700 2006-06-28 09:00:26Z lha $");
|
||||
RCSID("$Id: gss_compare_name.c 21475 2007-07-10 16:31:03Z lha $");
|
||||
|
||||
OM_uint32
|
||||
gss_compare_name(OM_uint32 *minor_status,
|
||||
@ -57,8 +57,11 @@ gss_compare_name(OM_uint32 *minor_status,
|
||||
struct _gss_mechanism_name *mn2;
|
||||
|
||||
SLIST_FOREACH(mn1, &name1->gn_mn, gmn_link) {
|
||||
mn2 = _gss_find_mn(name2, mn1->gmn_mech_oid);
|
||||
if (mn2) {
|
||||
OM_uint32 major_status;
|
||||
|
||||
major_status = _gss_find_mn(minor_status, name2,
|
||||
mn1->gmn_mech_oid, &mn2);
|
||||
if (major_status == GSS_S_COMPLETE) {
|
||||
return (mn1->gmn_mech->gm_compare_name(
|
||||
minor_status,
|
||||
mn1->gmn_name,
|
||||
|
@ -27,7 +27,7 @@
|
||||
*/
|
||||
|
||||
#include "mech_locl.h"
|
||||
RCSID("$Id: gss_duplicate_name.c 21219 2007-06-20 08:27:11Z lha $");
|
||||
RCSID("$Id: gss_duplicate_name.c 21480 2007-07-10 16:32:32Z lha $");
|
||||
|
||||
OM_uint32 gss_duplicate_name(OM_uint32 *minor_status,
|
||||
const gss_name_t src_name,
|
||||
@ -54,7 +54,9 @@ OM_uint32 gss_duplicate_name(OM_uint32 *minor_status,
|
||||
new_name = (struct _gss_name *) *dest_name;
|
||||
|
||||
SLIST_FOREACH(mn, &name->gn_mn, gmn_link) {
|
||||
_gss_find_mn(new_name, mn->gmn_mech_oid);
|
||||
struct _gss_mechanism_name *mn2;
|
||||
_gss_find_mn(minor_status, new_name,
|
||||
mn->gmn_mech_oid, &mn2);
|
||||
}
|
||||
} else {
|
||||
new_name = malloc(sizeof(struct _gss_name));
|
||||
|
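Review bot: The return value of `_gss_find_mn` is discarded and `mn2` is never read, so an import failure for one mechanism silently yields a `dest_name` missing that MN while `*minor_status` is left holding the failure's minor code even if the function later reports success (its tail is outside the hunk). If this is intentionally best-effort, say so: `/* best effort: replicate the MN list; a mechanism whose import fails is simply absent from the copy */`; otherwise check the status and release the partially built name before returning.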
@ -27,7 +27,7 @@
|
||||
*/
|
||||
|
||||
#include "mech_locl.h"
|
||||
RCSID("$Id: gss_init_sec_context.c 19957 2007-01-17 13:48:11Z lha $");
|
||||
RCSID("$Id: gss_init_sec_context.c 21479 2007-07-10 16:32:19Z lha $");
|
||||
|
||||
static gss_cred_id_t
|
||||
_gss_mech_cred_find(gss_cred_id_t cred_handle, gss_OID mech_type)
|
||||
@ -109,11 +109,11 @@ gss_init_sec_context(OM_uint32 * minor_status,
|
||||
/*
|
||||
* Find the MN for this mechanism.
|
||||
*/
|
||||
mn = _gss_find_mn(name, mech_type);
|
||||
if (mn == NULL) {
|
||||
major_status = _gss_find_mn(minor_status, name, mech_type, &mn);
|
||||
if (major_status != GSS_S_COMPLETE) {
|
||||
if (allocated_ctx)
|
||||
free(ctx);
|
||||
return GSS_S_BAD_NAME;
|
||||
return major_status;
|
||||
}
|
||||
|
||||
/*
|
||||
|
@ -28,7 +28,7 @@
|
||||
|
||||
#include "mech_locl.h"
|
||||
#include <heim_threads.h>
|
||||
RCSID("$Id: gss_mech_switch.c 20625 2007-05-08 13:55:03Z lha $");
|
||||
RCSID("$Id: gss_mech_switch.c 21700 2007-07-26 19:08:34Z lha $");
|
||||
|
||||
#ifndef _PATH_GSS_MECH
|
||||
#define _PATH_GSS_MECH "/etc/gss/mech"
|
||||
@ -223,9 +223,9 @@ _gss_load_mech(void)
|
||||
add_builtin(__gss_spnego_initialize());
|
||||
add_builtin(__gss_ntlm_initialize());
|
||||
|
||||
#ifdef HAVE_DLOPEN
|
||||
fp = fopen(_PATH_GSS_MECH, "r");
|
||||
if (!fp) {
|
||||
/* perror(_PATH_GSS_MECH); */
|
||||
HEIMDAL_MUTEX_unlock(&_gss_mech_mutex);
|
||||
return;
|
||||
}
|
||||
@ -316,6 +316,7 @@ _gss_load_mech(void)
|
||||
continue;
|
||||
}
|
||||
fclose(fp);
|
||||
#endif
|
||||
HEIMDAL_MUTEX_unlock(&_gss_mech_mutex);
|
||||
}
|
||||
|
||||
|
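Review bot: With the `fopen`/parse loop now inside `#ifdef HAVE_DLOPEN`, the `fp` variable declared above the hunk (and presumably the other parsing locals) becomes unused in a build without dlopen, which will trip -Wunused-variable; wrapping those declarations in the same `#ifdef` avoids that. The early `return` on `fopen` failure still unlocks `_gss_mech_mutex` first, so the lock discipline is preserved on both paths.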
@ -27,15 +27,18 @@
|
||||
*/
|
||||
|
||||
#include "mech_locl.h"
|
||||
RCSID("$Id: gss_names.c 19928 2007-01-16 10:37:54Z lha $");
|
||||
RCSID("$Id: gss_names.c 21473 2007-07-10 16:29:53Z lha $");
|
||||
|
||||
struct _gss_mechanism_name *
|
||||
_gss_find_mn(struct _gss_name *name, gss_OID mech)
|
||||
OM_uint32
|
||||
_gss_find_mn(OM_uint32 *minor_status, struct _gss_name *name, gss_OID mech,
|
||||
struct _gss_mechanism_name **output_mn)
|
||||
{
|
||||
OM_uint32 major_status, minor_status;
|
||||
OM_uint32 major_status;
|
||||
gssapi_mech_interface m;
|
||||
struct _gss_mechanism_name *mn;
|
||||
|
||||
*output_mn = NULL;
|
||||
|
||||
SLIST_FOREACH(mn, &name->gn_mn, gmn_link) {
|
||||
if (gss_oid_equal(mech, mn->gmn_mech_oid))
|
||||
break;
|
||||
@ -47,34 +50,36 @@ _gss_find_mn(struct _gss_name *name, gss_OID mech)
|
||||
* MN but it is from a different mech), give up now.
|
||||
*/
|
||||
if (!name->gn_value.value)
|
||||
return (0);
|
||||
return GSS_S_BAD_NAME;
|
||||
|
||||
m = __gss_get_mechanism(mech);
|
||||
if (!m)
|
||||
return (0);
|
||||
return (GSS_S_BAD_MECH);
|
||||
|
||||
mn = malloc(sizeof(struct _gss_mechanism_name));
|
||||
if (!mn)
|
||||
return (0);
|
||||
return GSS_S_FAILURE;
|
||||
|
||||
major_status = m->gm_import_name(&minor_status,
|
||||
major_status = m->gm_import_name(minor_status,
|
||||
&name->gn_value,
|
||||
(name->gn_type.elements
|
||||
? &name->gn_type : GSS_C_NO_OID),
|
||||
&mn->gmn_name);
|
||||
if (major_status != GSS_S_COMPLETE) {
|
||||
_gss_mg_error(m, major_status, minor_status);
|
||||
_gss_mg_error(m, major_status, *minor_status);
|
||||
free(mn);
|
||||
return (0);
|
||||
return major_status;
|
||||
}
|
||||
|
||||
mn->gmn_mech = m;
|
||||
mn->gmn_mech_oid = &m->gm_mech_oid;
|
||||
SLIST_INSERT_HEAD(&name->gn_mn, mn, gmn_link);
|
||||
}
|
||||
return (mn);
|
||||
*output_mn = mn;
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* Make a name from an MN.
|
||||
*/
|
||||
|
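Review bot: None of the three early error returns in `_gss_find_mn` writes `*minor_status`, so a caller that propagates the new major status (gss_canonicalize_name, gss_add_cred and gss_init_sec_context in this commit) hands back whatever minor value it held before; the `malloc` failure at least should set `*minor_status = ENOMEM;` before `return GSS_S_FAILURE;`. The return statements also mix styles, `return GSS_S_BAD_NAME;`, `return (GSS_S_BAD_MECH);` and a final `return 0;` where `return GSS_S_COMPLETE;` says what is meant. A short header comment would help the new callers: `/* Look up, or import and cache, name's MN for mech; *output_mn stays owned by name->gn_mn and must not be freed by the caller. */`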
@ -32,7 +32,7 @@
|
||||
*/
|
||||
|
||||
#include "mech_locl.h"
|
||||
RCSID("$Id: gss_oid_to_str.c 19963 2007-01-17 16:01:22Z lha $");
|
||||
RCSID("$Id: gss_oid_to_str.c 21409 2007-07-04 14:19:11Z lha $");
|
||||
|
||||
OM_uint32
|
||||
gss_oid_to_str(OM_uint32 *minor_status, gss_OID oid, gss_buffer_t oid_str)
|
||||
@ -44,6 +44,9 @@ gss_oid_to_str(OM_uint32 *minor_status, gss_OID oid, gss_buffer_t oid_str)
|
||||
|
||||
_mg_buffer_zero(oid_str);
|
||||
|
||||
if (oid == GSS_C_NULL_OID)
|
||||
return GSS_S_FAILURE;
|
||||
|
||||
ret = der_get_oid (oid->elements, oid->length, &o, &size);
|
||||
if (ret) {
|
||||
*minor_status = ret;
|
||||
|
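Review bot: The new `GSS_C_NULL_OID` guard returns GSS_S_FAILURE without assigning `*minor_status`, unlike the `der_get_oid` failure path right below it which stores `ret`; if nothing above the hunk initialises `*minor_status` (the function's opening is outside the view), callers receive an indeterminate minor code. Either write `*minor_status = 0;` before the return, or return `GSS_S_CALL_INACCESSIBLE_READ`, which is the GSS-API status for a required input that cannot be read.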
@ -24,7 +24,7 @@
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* $FreeBSD: src/lib/libgssapi/name.h,v 1.1 2005/12/29 14:40:20 dfr Exp $
|
||||
* $Id: name.h 18246 2006-10-05 18:36:07Z lha $
|
||||
* $Id: name.h 21477 2007-07-10 16:31:44Z lha $
|
||||
*/
|
||||
|
||||
struct _gss_mechanism_name {
|
||||
@ -41,7 +41,8 @@ struct _gss_name {
|
||||
struct _gss_mechanism_name_list gn_mn; /* list of MNs */
|
||||
};
|
||||
|
||||
struct _gss_mechanism_name *
|
||||
_gss_find_mn(struct _gss_name *name, gss_OID mech);
|
||||
OM_uint32
|
||||
_gss_find_mn(OM_uint32 *, struct _gss_name *, gss_OID,
|
||||
struct _gss_mechanism_name **);
|
||||
struct _gss_name *
|
||||
_gss_make_name(gssapi_mech_interface m, gss_name_t new_mn);
|
||||
|
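Review bot: The new out-parameter form of `_gss_find_mn` should document ownership of `*output_mn`: gss_names.c inserts the MN into `name->gn_mn` with `SLIST_INSERT_HEAD`, so the pointer it hands back is owned by the name and must not be freed by the caller, and it is set to NULL on failure. A comment on the prototype such as `/* Look up or import name's MN for mech; *output_mn is owned by name (never free it) and is NULL on error. */` captures that contract for the callers converted in this commit.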
@ -33,7 +33,7 @@
|
||||
|
||||
#include "spnego/spnego_locl.h"
|
||||
|
||||
RCSID("$Id: accept_sec_context.c 21243 2007-06-20 15:16:22Z lha $");
|
||||
RCSID("$Id: accept_sec_context.c 21461 2007-07-10 14:01:13Z lha $");
|
||||
|
||||
static OM_uint32
|
||||
send_reject (OM_uint32 *minor_status,
|
||||
@ -555,23 +555,16 @@ acceptor_start
|
||||
int get_mic = 0;
|
||||
int first_ok = 0;
|
||||
|
||||
if (src_name)
|
||||
*src_name = GSS_C_NO_NAME;
|
||||
|
||||
mech_output_token.value = NULL;
|
||||
mech_output_token.length = 0;
|
||||
mech_buf.value = NULL;
|
||||
|
||||
if (*context_handle == GSS_C_NO_CONTEXT) {
|
||||
ret = _gss_spnego_alloc_sec_context(minor_status,
|
||||
context_handle);
|
||||
if (ret != GSS_S_COMPLETE)
|
||||
return ret;
|
||||
|
||||
if (input_token_buffer->length == 0) {
|
||||
return send_supported_mechs (minor_status, output_token);
|
||||
}
|
||||
}
|
||||
if (input_token_buffer->length == 0)
|
||||
return send_supported_mechs (minor_status, output_token);
|
||||
|
||||
ret = _gss_spnego_alloc_sec_context(minor_status, context_handle);
|
||||
if (ret != GSS_S_COMPLETE)
|
||||
return ret;
|
||||
|
||||
ctx = (gssspnego_ctx)*context_handle;
|
||||
|
||||
|
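Review bot: `_gss_spnego_alloc_sec_context` is now called unconditionally where the old code allocated only when `*context_handle == GSS_C_NO_CONTEXT`; if `acceptor_start` can be entered with an existing context (the dispatch is outside the hunk), that context is overwritten and leaked. If the dispatch guarantees a fresh handle, record it at the call: `/* only reached with *context_handle == GSS_C_NO_CONTEXT */`. Answering an empty initial token before allocating anything is a good change: an unauthenticated peer can no longer make the acceptor allocate a context for a zero-length token.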
@ -1,4 +1,4 @@
|
||||
-- $Id: spnego.asn1 19420 2006-12-18 18:28:49Z lha $
|
||||
-- $Id: spnego.asn1 21403 2007-07-04 08:13:12Z lha $
|
||||
|
||||
SPNEGO DEFINITIONS ::=
|
||||
BEGIN
|
||||
@ -8,34 +8,34 @@ MechType::= OBJECT IDENTIFIER
|
||||
MechTypeList ::= SEQUENCE OF MechType
|
||||
|
||||
ContextFlags ::= BIT STRING {
|
||||
delegFlag (0),
|
||||
mutualFlag (1),
|
||||
replayFlag (2),
|
||||
sequenceFlag (3),
|
||||
anonFlag (4),
|
||||
confFlag (5),
|
||||
integFlag (6)
|
||||
delegFlag (0),
|
||||
mutualFlag (1),
|
||||
replayFlag (2),
|
||||
sequenceFlag (3),
|
||||
anonFlag (4),
|
||||
confFlag (5),
|
||||
integFlag (6)
|
||||
}
|
||||
|
||||
NegHints ::= SEQUENCE {
|
||||
hintName [0] GeneralString OPTIONAL,
|
||||
hintAddress [1] OCTET STRING OPTIONAL
|
||||
hintName [0] GeneralString OPTIONAL,
|
||||
hintAddress [1] OCTET STRING OPTIONAL
|
||||
}
|
||||
|
||||
NegTokenInitWin ::= SEQUENCE {
|
||||
mechTypes [0] MechTypeList,
|
||||
reqFlags [1] ContextFlags OPTIONAL,
|
||||
mechToken [2] OCTET STRING OPTIONAL,
|
||||
negHints [3] NegHints OPTIONAL
|
||||
}
|
||||
mechTypes [0] MechTypeList,
|
||||
reqFlags [1] ContextFlags OPTIONAL,
|
||||
mechToken [2] OCTET STRING OPTIONAL,
|
||||
negHints [3] NegHints OPTIONAL
|
||||
}
|
||||
|
||||
NegTokenInit ::= SEQUENCE {
|
||||
mechTypes [0] MechTypeList,
|
||||
reqFlags [1] ContextFlags OPTIONAL,
|
||||
mechToken [2] OCTET STRING OPTIONAL,
|
||||
mechListMIC [3] OCTET STRING OPTIONAL
|
||||
}
|
||||
|
||||
mechTypes [0] MechTypeList,
|
||||
reqFlags [1] ContextFlags OPTIONAL,
|
||||
mechToken [2] OCTET STRING OPTIONAL,
|
||||
mechListMIC [3] OCTET STRING OPTIONAL,
|
||||
...
|
||||
}
|
||||
|
||||
-- NB: negResult is not OPTIONAL in the new SPNEGO spec but
|
||||
-- Windows clients do not always send it
|
||||
@ -47,7 +47,8 @@ NegTokenResp ::= SEQUENCE {
|
||||
request-mic (3) } OPTIONAL,
|
||||
supportedMech [1] MechType OPTIONAL,
|
||||
responseToken [2] OCTET STRING OPTIONAL,
|
||||
mechListMIC [3] OCTET STRING OPTIONAL
|
||||
mechListMIC [3] OCTET STRING OPTIONAL,
|
||||
...
|
||||
}
|
||||
|
||||
NegotiationToken ::= CHOICE {
|
||||
|
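Review bot: The extension marker `...` is added to NegTokenInit and NegTokenResp but not to NegTokenInitWin, although it decodes the same mechTypes/reqFlags/mechToken prefix from the same peers; if the marker is what lets the decoder skip unknown trailing fields, a Windows initiator that appends fields will still be rejected on the NegTokenInitWin path. Either add `...` there as well or leave a comment stating why the Windows variant stays closed.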
@ -52,8 +52,10 @@ HMAC_Init_ex(HMAC_CTX *ctx,
|
||||
|
||||
if (ctx->md != md) {
|
||||
ctx->md = md;
|
||||
if (ctx->buf)
|
||||
if (ctx->buf) {
|
||||
memset(ctx->buf, 0, ctx->key_length);
|
||||
free (ctx->buf);
|
||||
}
|
||||
ctx->key_length = EVP_MD_size(ctx->md);
|
||||
ctx->buf = malloc(ctx->key_length);
|
||||
}
|
||||
@ -67,10 +69,14 @@ HMAC_Init_ex(HMAC_CTX *ctx,
|
||||
keylen = EVP_MD_size(ctx->md);
|
||||
}
|
||||
|
||||
if (ctx->opad)
|
||||
if (ctx->opad) {
|
||||
memset(ctx->opad, 0, ctx->key_length);
|
||||
free(ctx->opad);
|
||||
if (ctx->ipad)
|
||||
}
|
||||
if (ctx->ipad) {
|
||||
memset(ctx->ipad, 0, ctx->key_length);
|
||||
free(ctx->ipad);
|
||||
}
|
||||
|
||||
ctx->opad = malloc(EVP_MD_block_size(ctx->md));
|
||||
ctx->ipad = malloc(EVP_MD_block_size(ctx->md));
|
||||
|
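Review bot: The pad buffers are zeroed with the wrong length: `ctx->opad` and `ctx->ipad` are allocated with `EVP_MD_block_size(ctx->md)` but the new `memset` calls clear only `ctx->key_length`, which the first hunk sets to `EVP_MD_size`, so for every common digest (block 64 or 128 bytes, digest 16 to 64) most of the key-derived pad material survives the free. Using `EVP_MD_block_size(ctx->md)` here is not safe either, because the first hunk may already have replaced `ctx->md`, so the old block size is no longer recoverable at this point; record the allocated pad length in the context (a new field, placeholder `pad_length`) or zero and free the pads inside the `ctx->md != md` branch before `ctx->md` is reassigned. Separately, a plain `memset` immediately before `free` is a dead store the compiler may drop; a non-elidable clear (`memset_s`, `explicit_bzero`, or a volatile-pointer loop) is needed for this to be reliable.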
@ -33,7 +33,7 @@
|
||||
|
||||
#include "hx_locl.h"
|
||||
#include <pkinit_asn1.h>
|
||||
RCSID("$Id: ca.c 20904 2007-06-05 01:58:45Z lha $");
|
||||
RCSID("$Id: ca.c 21379 2007-06-28 07:38:17Z lha $");
|
||||
|
||||
struct hx509_ca_tbs {
|
||||
hx509_name subject;
|
||||
@ -1002,7 +1002,7 @@ ca_sign(hx509_context context,
|
||||
if (size != data.length)
|
||||
_hx509_abort("internal ASN.1 encoder error");
|
||||
ret = add_extension(context, tbsc, 0,
|
||||
oid_id_pe_proxyCertInfo(),
|
||||
oid_id_pkix_pe_proxyCertInfo(),
|
||||
&data);
|
||||
free(data.data);
|
||||
if (ret)
|
||||
|
@ -32,7 +32,7 @@
|
||||
*/
|
||||
|
||||
#include "hx_locl.h"
|
||||
RCSID("$Id: cert.c 21294 2007-06-25 14:37:15Z lha $");
|
||||
RCSID("$Id: cert.c 21380 2007-06-28 07:38:38Z lha $");
|
||||
#include "crypto-headers.h"
|
||||
#include <rtbl.h>
|
||||
|
||||
@ -898,7 +898,7 @@ is_proxy_cert(hx509_context context,
|
||||
if (rinfo)
|
||||
memset(rinfo, 0, sizeof(*rinfo));
|
||||
|
||||
e = find_extension(cert, oid_id_pe_proxyCertInfo(), &i);
|
||||
e = find_extension(cert, oid_id_pkix_pe_proxyCertInfo(), &i);
|
||||
if (e == NULL) {
|
||||
hx509_clear_error_string(context);
|
||||
return HX509_EXTENSION_NOT_FOUND;
|
||||
|
@ -314,14 +314,6 @@ _hx509_pbe_decrypt (
|
||||
const heim_octet_string */*econtent*/,
|
||||
heim_octet_string */*content*/);
|
||||
|
||||
int
|
||||
_hx509_pbe_encrypt (
|
||||
hx509_context /*context*/,
|
||||
hx509_lock /*lock*/,
|
||||
const AlgorithmIdentifier */*ai*/,
|
||||
const heim_octet_string */*content*/,
|
||||
heim_octet_string */*econtent*/);
|
||||
|
||||
void
|
||||
_hx509_pi_printf (
|
||||
int (*/*func*/)(void *, const char *),
|
||||
@ -422,35 +414,11 @@ _hx509_request_add_email (
|
||||
void
|
||||
_hx509_request_free (hx509_request */*req*/);
|
||||
|
||||
int
|
||||
_hx509_request_get_SubjectPublicKeyInfo (
|
||||
hx509_context /*context*/,
|
||||
hx509_request /*req*/,
|
||||
SubjectPublicKeyInfo */*key*/);
|
||||
|
||||
int
|
||||
_hx509_request_get_name (
|
||||
hx509_context /*context*/,
|
||||
hx509_request /*req*/,
|
||||
hx509_name */*name*/);
|
||||
|
||||
int
|
||||
_hx509_request_init (
|
||||
hx509_context /*context*/,
|
||||
hx509_request */*req*/);
|
||||
|
||||
int
|
||||
_hx509_request_parse (
|
||||
hx509_context /*context*/,
|
||||
const char */*path*/,
|
||||
hx509_request */*req*/);
|
||||
|
||||
int
|
||||
_hx509_request_print (
|
||||
hx509_context /*context*/,
|
||||
hx509_request /*req*/,
|
||||
FILE */*f*/);
|
||||
|
||||
int
|
||||
_hx509_request_set_SubjectPublicKeyInfo (
|
||||
hx509_context /*context*/,
|
||||
|
@ -32,7 +32,7 @@
|
||||
*/
|
||||
|
||||
#include "hx_locl.h"
|
||||
RCSID("$Id: ks_p11.c 21085 2007-06-13 06:39:53Z lha $");
|
||||
RCSID("$Id: ks_p11.c 21387 2007-06-28 08:53:45Z lha $");
|
||||
#ifdef HAVE_DLFCN_H
|
||||
#include <dlfcn.h>
|
||||
#endif
|
||||
@ -1129,8 +1129,17 @@ p11_printinfo(hx509_context context,
|
||||
MECHNAME(CKM_RSA_X_509, "rsa-x-509");
|
||||
MECHNAME(CKM_MD5_RSA_PKCS, "md5-rsa-pkcs");
|
||||
MECHNAME(CKM_SHA1_RSA_PKCS, "sha1-rsa-pkcs");
|
||||
MECHNAME(CKM_SHA256_RSA_PKCS, "sha256-rsa-pkcs");
|
||||
MECHNAME(CKM_SHA384_RSA_PKCS, "sha384-rsa-pkcs");
|
||||
MECHNAME(CKM_SHA512_RSA_PKCS, "sha512-rsa-pkcs");
|
||||
MECHNAME(CKM_RIPEMD160_RSA_PKCS, "ripemd160-rsa-pkcs");
|
||||
MECHNAME(CKM_RSA_PKCS_OAEP, "rsa-pkcs-oaep");
|
||||
MECHNAME(CKM_SHA512_HMAC, "sha512-hmac");
|
||||
MECHNAME(CKM_SHA512, "sha512");
|
||||
MECHNAME(CKM_SHA384_HMAC, "sha384-hmac");
|
||||
MECHNAME(CKM_SHA384, "sha384");
|
||||
MECHNAME(CKM_SHA256_HMAC, "sha256-hmac");
|
||||
MECHNAME(CKM_SHA256, "sha256");
|
||||
MECHNAME(CKM_SHA_1, "sha1");
|
||||
MECHNAME(CKM_MD5, "md5");
|
||||
MECHNAME(CKM_MD2, "md2");
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 2006 Kungliga Tekniska Högskolan
|
||||
* Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
|
||||
* (Royal Institute of Technology, Stockholm, Sweden).
|
||||
* All rights reserved.
|
||||
*
|
||||
@ -32,7 +32,7 @@
|
||||
*/
|
||||
|
||||
#include "hx_locl.h"
|
||||
RCSID("$Id: peer.c 20938 2007-06-06 20:51:34Z lha $");
|
||||
RCSID("$Id: peer.c 21481 2007-07-10 16:33:23Z lha $");
|
||||
|
||||
int
|
||||
hx509_peer_info_alloc(hx509_context context, hx509_peer_info *peer)
|
||||
@ -143,7 +143,7 @@ hx509_peer_info_parse(hx509_peer_info peer,
|
||||
|
||||
int
|
||||
hx509_peer_info_unparse(hx509_peer_info peer,
|
||||
heim_octet_string *data)
|
||||
heim_octet_string *data)
|
||||
{
|
||||
return 0;
|
||||
}
|
||||
|
@ -32,7 +32,7 @@
|
||||
*/
|
||||
|
||||
#include "hx_locl.h"
|
||||
RCSID("$Id: print.c 20908 2007-06-05 02:59:33Z lha $");
|
||||
RCSID("$Id: print.c 21381 2007-06-28 08:29:22Z lha $");
|
||||
|
||||
|
||||
struct hx509_validate_ctx_data {
|
||||
@ -591,11 +591,50 @@ check_proxyCertInfo(hx509_validate_ctx ctx,
|
||||
enum critical_flag cf,
|
||||
const Extension *e)
|
||||
{
|
||||
check_Null(ctx, status, cf, e);
|
||||
status->isproxy = 1;
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int
|
||||
check_authorityInfoAccess(hx509_validate_ctx ctx,
|
||||
struct cert_status *status,
|
||||
enum critical_flag cf,
|
||||
const Extension *e)
|
||||
{
|
||||
AuthorityInfoAccessSyntax aia;
|
||||
size_t size;
|
||||
int ret, i;
|
||||
|
||||
check_Null(ctx, status, cf, e);
|
||||
|
||||
ret = decode_AuthorityInfoAccessSyntax(e->extnValue.data,
|
||||
e->extnValue.length,
|
||||
&aia, &size);
|
||||
if (ret) {
|
||||
printf("\tret = %d while decoding AuthorityInfoAccessSyntax\n", ret);
|
||||
return 0;
|
||||
}
|
||||
|
||||
for (i = 0; i < aia.len; i++) {
|
||||
char *str;
|
||||
validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
|
||||
"\ttype: ");
|
||||
hx509_oid_print(&aia.val[i].accessMethod, validate_vprint, ctx);
|
||||
hx509_general_name_unparse(&aia.val[i].accessLocation, &str);
|
||||
validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
|
||||
"\n\tdirname: %s\n", str);
|
||||
free(str);
|
||||
}
|
||||
free_AuthorityInfoAccessSyntax(&aia);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
/*
|
||||
*
|
||||
*/
|
||||
|
||||
struct {
|
||||
const char *name;
|
||||
const heim_oid *(*oid)(void);
|
||||
@ -628,8 +667,11 @@ struct {
|
||||
{ ext(extKeyUsage, Null), D_C },
|
||||
{ ext(freshestCRL, Null), M_N_C },
|
||||
{ ext(inhibitAnyPolicy, Null), M_C },
|
||||
{ "proxyCertInfo", oid_id_pe_proxyCertInfo,
|
||||
check_proxyCertInfo, M_C },
|
||||
#undef ext
|
||||
#define ext(name, checkname) #name, &oid_id_pkix_pe_##name, check_##checkname
|
||||
{ ext(proxyCertInfo, proxyCertInfo), M_C },
|
||||
{ ext(authorityInfoAccess, authorityInfoAccess), M_C },
|
||||
#undef ext
|
||||
{ "US Fed PKI - PIV Interim", oid_id_uspkicommon_piv_interim,
|
||||
check_Null, D_C },
|
||||
{ "Netscape cert comment", oid_id_netscape_cert_comment,
|
||||
|
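Review bot: `hx509_general_name_unparse` is called without checking its return in `check_authorityInfoAccess`, so on failure `str` is used uninitialised in the following `validate_print` and then passed to `free`, on data that comes straight from the certificate being validated. The label `dirname:` also looks copied from a name printer; the field is `accessLocation`, normally a URI, so `location:` fits. The decode failure is reported with `printf` while the rest of the function goes through `validate_print`, which an embedder that captures validator output will miss. Assuming the usual hx509 zero-on-success return convention, the loop body becomes:
```c
    for (i = 0; i < aia.len; i++) {
	char *str;
	validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
		       "\ttype: ");
	hx509_oid_print(&aia.val[i].accessMethod, validate_vprint, ctx);
	/* unparse reports failure via its return; str is only valid
	 * (and only ours to free) when it succeeds */
	ret = hx509_general_name_unparse(&aia.val[i].accessLocation, &str);
	if (ret) {
	    validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
			   "\n\tlocation: <unparse failed: %d>\n", ret);
	    continue;
	}
	validate_print(ctx, HX509_VALIDATE_F_VERBOSE,
		       "\n\tlocation: %s\n", str);
	free(str);
    }
    /* … unchanged: free_AuthorityInfoAccessSyntax and return … */
```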
@ -33,7 +33,7 @@
|
||||
|
||||
#include "krb5_locl.h"
|
||||
|
||||
RCSID("$Id: cache.c 20503 2007-04-21 22:03:56Z lha $");
|
||||
RCSID("$Id: cache.c 21498 2007-07-11 09:41:43Z lha $");
|
||||
|
||||
/*
|
||||
* Add a new ccache type with operations `ops', overwriting any
|
||||
@ -338,6 +338,35 @@ _krb5_expand_default_cc_name(krb5_context context, const char *str, char **res)
|
||||
return 0;
|
||||
}
|
||||
|
||||
/*
|
||||
* Return non-zero if envirnoment that will determine default krb5cc
|
||||
* name has changed.
|
||||
*/
|
||||
|
||||
static int
|
||||
environment_changed(krb5_context context)
|
||||
{
|
||||
const char *e;
|
||||
|
||||
if(issuid())
|
||||
return 0;
|
||||
|
||||
e = getenv("KRB5CCNAME");
|
||||
if (e == NULL) {
|
||||
if (context->default_cc_name_env) {
|
||||
free(context->default_cc_name_env);
|
||||
context->default_cc_name_env = NULL;
|
||||
return 1;
|
||||
}
|
||||
} else {
|
||||
if (context->default_cc_name_env == NULL)
|
||||
return 1;
|
||||
if (strcmp(e, context->default_cc_name_env) != 0)
|
||||
return 1;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
/*
|
||||
* Set the default cc name for `context' to `name'.
|
||||
*/
|
||||
@ -353,8 +382,12 @@ krb5_cc_set_default_name(krb5_context context, const char *name)
|
||||
|
||||
if(!issuid()) {
|
||||
e = getenv("KRB5CCNAME");
|
||||
if (e)
|
||||
if (e) {
|
||||
p = strdup(e);
|
||||
if (context->default_cc_name_env)
|
||||
free(context->default_cc_name_env);
|
||||
context->default_cc_name_env = strdup(e);
|
||||
}
|
||||
}
|
||||
if (e == NULL) {
|
||||
e = krb5_config_get_string(context, NULL, "libdefaults",
|
||||
@ -389,7 +422,7 @@ krb5_cc_set_default_name(krb5_context context, const char *name)
|
||||
const char* KRB5_LIB_FUNCTION
|
||||
krb5_cc_default_name(krb5_context context)
|
||||
{
|
||||
if (context->default_cc_name == NULL)
|
||||
if (context->default_cc_name == NULL || environment_changed(context))
|
||||
krb5_cc_set_default_name(context, NULL);
|
||||
|
||||
return context->default_cc_name;
|
||||
|
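Review bot: `context->default_cc_name_env = strdup(e);` is not checked, so on allocation failure the cache stays NULL while `KRB5CCNAME` is set, `environment_changed` then returns 1 on every call, and `krb5_cc_default_name` re-runs `krb5_cc_set_default_name` each time it is called; checking the copy (and the sibling `p = strdup(e);`) and failing with ENOMEM would presumably match the function's error handling, which is outside the hunk. The `issuid()` guard in `environment_changed` is the right call, since a set-uid process must keep ignoring a caller-controlled `KRB5CCNAME`. The new comment misspells the word: `* Return non-zero if the environment that will determine the default krb5cc name has changed.`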
@ -33,7 +33,7 @@
|
||||
|
||||
#include <krb5_locl.h>
|
||||
|
||||
RCSID("$Id: changepw.c 17442 2006-05-05 09:31:15Z lha $");
|
||||
RCSID("$Id: changepw.c 21505 2007-07-12 12:28:38Z lha $");
|
||||
|
||||
static void
|
||||
str2data (krb5_data *d,
|
||||
@ -46,10 +46,12 @@ str2data (krb5_data *d,
|
||||
...)
|
||||
{
|
||||
va_list args;
|
||||
char *str;
|
||||
|
||||
va_start(args, fmt);
|
||||
d->length = vasprintf ((char **)&d->data, fmt, args);
|
||||
d->length = vasprintf (&str, fmt, args);
|
||||
va_end(args);
|
||||
d->data = str;
|
||||
}
|
||||
|
||||
/*
|
||||
|
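Review bot: `vasprintf` returns -1 and leaves `str` unspecified on failure, and the new code stores both into `d` unconditionally, so `d->length` becomes a huge value if krb5_data.length is unsigned and `d->data` points at garbage; the aliasing fix itself is right. Since `str2data` is `void`, at least normalise the failure: keep the result in an `int ret`, then `if (ret < 0) { d->data = NULL; d->length = 0; } else { d->data = str; d->length = ret; }`, so callers see an empty krb5_data rather than an unbounded one.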
@ -33,7 +33,7 @@
|
||||
|
||||
#include <krb5_locl.h>
|
||||
|
||||
RCSID("$Id: get_cred.c 21327 2007-06-26 10:54:15Z lha $");
|
||||
RCSID("$Id: get_cred.c 21669 2007-07-22 11:29:13Z lha $");
|
||||
|
||||
/*
|
||||
* Take the `body' and encode it into `padata' using the credentials
|
||||
@ -1224,9 +1224,10 @@ krb5_get_renewed_creds(krb5_context context,
|
||||
{
|
||||
krb5_error_code ret;
|
||||
krb5_kdc_flags flags;
|
||||
krb5_creds in, *template;
|
||||
krb5_creds in, *template, *out = NULL;
|
||||
|
||||
memset(&in, 0, sizeof(in));
|
||||
memset(creds, 0, sizeof(*creds));
|
||||
|
||||
ret = krb5_copy_principal(context, client, &in.client);
|
||||
if (ret)
|
||||
@ -1263,9 +1264,14 @@ krb5_get_renewed_creds(krb5_context context,
|
||||
krb5_free_creds (context, template);
|
||||
}
|
||||
|
||||
ret = krb5_get_kdc_cred(context, ccache, flags, NULL, NULL, &in, &creds);
|
||||
ret = krb5_get_kdc_cred(context, ccache, flags, NULL, NULL, &in, &out);
|
||||
krb5_free_principal(context, in.client);
|
||||
krb5_free_principal(context, in.server);
|
||||
if (ret)
|
||||
return ret;
|
||||
|
||||
ret = krb5_copy_creds_contents(context, out, creds);
|
||||
krb5_free_creds(context, out);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
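Review bot: The prototype of `krb5_get_renewed_creds` is deleted from krb5-protos.h further down in this commit while get_cred.c still defines and changes the function; unless it is declared in another public header, out-of-tree callers now compile against an implicit declaration. The body change here reads correctly: `creds` was zeroed above, so a failed `krb5_copy_creds_contents` still leaves the caller with a struct that is safe to release, and `out` is freed on both outcomes.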
@ -33,7 +33,7 @@
|
||||
|
||||
#include "krb5_locl.h"
|
||||
|
||||
RCSID("$Id: init_creds.c 20541 2007-04-23 12:19:14Z lha $");
|
||||
RCSID("$Id: init_creds.c 21712 2007-07-27 14:23:41Z lha $");
|
||||
|
||||
void KRB5_LIB_FUNCTION
|
||||
krb5_get_init_creds_opt_init(krb5_get_init_creds_opt *opt)
|
||||
@ -225,9 +225,8 @@ krb5_get_init_creds_opt_set_default_flags(krb5_context context,
|
||||
krb5_get_init_creds_opt_set_renew_life(opt, t);
|
||||
|
||||
krb5_appdefault_boolean(context, appname, realm, "no-addresses",
|
||||
FALSE, &b);
|
||||
if (b)
|
||||
krb5_get_init_creds_opt_set_addressless (context, opt, TRUE);
|
||||
KRB5_ADDRESSLESS_DEFAULT, &b);
|
||||
krb5_get_init_creds_opt_set_addressless (context, opt, b);
|
||||
|
||||
#if 0
|
||||
krb5_appdefault_boolean(context, appname, realm, "anonymous", FALSE, &b);
|
||||
|
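Review bot: `krb5_get_init_creds_opt_set_addressless` is now called for both values of `b`, so an addressless setting a caller made on `opt` before `krb5_get_init_creds_opt_set_default_flags` is overridden by the appdefault, where previously a FALSE appdefault left it untouched; if that is intended, a comment next to the call (`/* the appdefault always wins, defaulting to KRB5_ADDRESSLESS_DEFAULT */`) would make it explicit. `KRB5_ADDRESSLESS_DEFAULT` is defined outside this hunk, so I cannot confirm which way the effective default now leans.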
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan
|
||||
* Copyright (c) 1997 - 2007 Kungliga Tekniska Högskolan
|
||||
* (Royal Institute of Technology, Stockholm, Sweden).
|
||||
* All rights reserved.
|
||||
*
|
||||
@ -33,7 +33,7 @@
|
||||
|
||||
#include "krb5_locl.h"
|
||||
|
||||
RCSID("$Id: init_creds_pw.c 21061 2007-06-12 17:56:30Z lha $");
|
||||
RCSID("$Id: init_creds_pw.c 21428 2007-07-10 12:31:58Z lha $");
|
||||
|
||||
typedef struct krb5_get_init_creds_ctx {
|
||||
KDCOptions flags;
|
||||
|
@ -383,7 +383,7 @@ _krb5_pk_verify_sign (
|
||||
krb5_error_code
|
||||
_krb5_plugin_find (
|
||||
krb5_context /*context*/,
|
||||
enum plugin_type /*type*/,
|
||||
enum krb5_plugin_type /*type*/,
|
||||
const char */*name*/,
|
||||
struct krb5_plugin **/*list*/);
|
||||
|
||||
@ -399,7 +399,7 @@ _krb5_plugin_get_symbol (struct krb5_plugin */*p*/);
|
||||
krb5_error_code
|
||||
_krb5_plugin_register (
|
||||
krb5_context /*context*/,
|
||||
enum plugin_type /*type*/,
|
||||
enum krb5_plugin_type /*type*/,
|
||||
const char */*name*/,
|
||||
void */*symbol*/);
|
||||
|
||||
|
@ -2243,14 +2243,6 @@ krb5_get_pw_salt (
|
||||
krb5_const_principal /*principal*/,
|
||||
krb5_salt */*salt*/);
|
||||
|
||||
krb5_error_code KRB5_LIB_FUNCTION
|
||||
krb5_get_renewed_creds (
|
||||
krb5_context /*context*/,
|
||||
krb5_creds */*creds*/,
|
||||
krb5_const_principal /*client*/,
|
||||
krb5_ccache /*ccache*/,
|
||||
const char */*in_tkt_service*/);
|
||||
|
||||
krb5_error_code KRB5_LIB_FUNCTION
|
||||
krb5_get_server_rcache (
|
||||
krb5_context /*context*/,
|
||||
|
@ -31,11 +31,13 @@
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
/* $Id: krb5-v4compat.h 17442 2006-05-05 09:31:15Z lha $ */
|
||||
/* $Id: krb5-v4compat.h 21575 2007-07-16 07:44:54Z lha $ */
|
||||
|
||||
#ifndef __KRB5_V4COMPAT_H__
|
||||
#define __KRB5_V4COMPAT_H__
|
||||
|
||||
#include "krb_err.h"
|
||||
|
||||
/*
|
||||
* This file must only be included with v4 compat glue stuff in
|
||||
* heimdal sources.
|
||||
@ -57,56 +59,10 @@
|
||||
#define AUTH_MSG_KDC_RENEW (10<<1)
|
||||
#define AUTH_MSG_DIE (63<<1)
|
||||
|
||||
/* values for kerb error codes */
|
||||
|
||||
#define KERB_ERR_OK 0
|
||||
#define KERB_ERR_NAME_EXP 1
|
||||
#define KERB_ERR_SERVICE_EXP 2
|
||||
#define KERB_ERR_AUTH_EXP 3
|
||||
#define KERB_ERR_PKT_VER 4
|
||||
#define KERB_ERR_NAME_MAST_KEY_VER 5
|
||||
#define KERB_ERR_SERV_MAST_KEY_VER 6
|
||||
#define KERB_ERR_BYTE_ORDER 7
|
||||
#define KERB_ERR_PRINCIPAL_UNKNOWN 8
|
||||
#define KERB_ERR_PRINCIPAL_NOT_UNIQUE 9
|
||||
#define KERB_ERR_NULL_KEY 10
|
||||
#define KERB_ERR_TIMEOUT 11
|
||||
|
||||
|
||||
/* Error codes returned from the KDC */
|
||||
#define KDC_OK 0 /* Request OK */
|
||||
#define KDC_NAME_EXP 1 /* Principal expired */
|
||||
#define KDC_SERVICE_EXP 2 /* Service expired */
|
||||
#define KDC_AUTH_EXP 3 /* Auth expired */
|
||||
#define KDC_PKT_VER 4 /* Protocol version unknown */
|
||||
#define KDC_P_MKEY_VER 5 /* Wrong master key version */
|
||||
#define KDC_S_MKEY_VER 6 /* Wrong master key version */
|
||||
#define KDC_BYTE_ORDER 7 /* Byte order unknown */
|
||||
#define KDC_PR_UNKNOWN 8 /* Principal unknown */
|
||||
#define KDC_PR_N_UNIQUE 9 /* Principal not unique */
|
||||
#define KDC_NULL_KEY 10 /* Principal has null key */
|
||||
#define KDC_GEN_ERR 20 /* Generic error from KDC */
|
||||
|
||||
/* General definitions */
|
||||
#define KSUCCESS 0
|
||||
#define KFAILURE 255
|
||||
|
||||
/* Values returned by rd_ap_req */
|
||||
#define RD_AP_OK 0 /* Request authentic */
|
||||
#define RD_AP_UNDEC 31 /* Can't decode authenticator */
|
||||
#define RD_AP_EXP 32 /* Ticket expired */
|
||||
#define RD_AP_NYV 33 /* Ticket not yet valid */
|
||||
#define RD_AP_REPEAT 34 /* Repeated request */
|
||||
#define RD_AP_NOT_US 35 /* The ticket isn't for us */
|
||||
#define RD_AP_INCON 36 /* Request is inconsistent */
|
||||
#define RD_AP_TIME 37 /* delta_t too big */
|
||||
#define RD_AP_BADD 38 /* Incorrect net address */
|
||||
#define RD_AP_VERSION 39 /* protocol version mismatch */
|
||||
#define RD_AP_MSG_TYPE 40 /* invalid msg type */
|
||||
#define RD_AP_MODIFIED 41 /* message stream modified */
|
||||
#define RD_AP_ORDER 42 /* message out of order */
|
||||
#define RD_AP_UNAUTHOR 43 /* unauthorized request */
|
||||
|
||||
/* */
|
||||
|
||||
#define MAX_KTXT_LEN 1250
|
||||
|
@ -31,7 +31,7 @@
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
/* $Id: krb5.h 21252 2007-06-21 04:18:28Z lha $ */
|
||||
/* $Id: krb5.h 21551 2007-07-15 09:03:39Z lha $ */
|
||||
|
||||
#ifndef __KRB5_H__
|
||||
#define __KRB5_H__
|
||||
@ -436,11 +436,6 @@ typedef struct krb5_config_binding krb5_config_binding;
|
||||
|
||||
typedef krb5_config_binding krb5_config_section;
|
||||
|
||||
enum {
|
||||
KRB5_PKINIT_WIN2K = 1, /* wire compatible with Windows 2k */
|
||||
KRB5_PKINIT_PACKET_CABLE = 2 /* use packet cable standard */
|
||||
};
|
||||
|
||||
typedef struct krb5_ticket {
|
||||
EncTicketPart ticket;
|
||||
krb5_principal client;
|
||||
@ -766,6 +761,12 @@ typedef struct krb5_sendto_ctx *krb5_sendto_ctx;
|
||||
|
||||
typedef krb5_error_code (*krb5_sendto_ctx_func)(krb5_context, krb5_sendto_ctx, void *, const krb5_data *, int *);
|
||||
|
||||
struct krb5_plugin;
|
||||
enum krb5_plugin_type {
|
||||
PLUGIN_TYPE_DATA = 1,
|
||||
PLUGIN_TYPE_FUNC
|
||||
};
|
||||
|
||||
struct credentials; /* this is to keep the compiler happy */
|
||||
struct getargs;
|
||||
struct sockaddr;
|
||||
|
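Review bot: The hunk at `@@ -766,6 +761,12 @@` exports `enum krb5_plugin_type` from the public krb5.h with the unprefixed enumerators `PLUGIN_TYPE_DATA` and `PLUGIN_TYPE_FUNC`, which were previously private to krb5_locl.h; every other name this header exports carries a `KRB5_`/`krb5_` prefix, so these two now occupy generic names in every application's namespace. If the rename is still open, `KRB5_PLUGIN_TYPE_DATA`/`KRB5_PLUGIN_TYPE_FUNC` would follow the header's convention. The same section also deletes the public `KRB5_PKINIT_WIN2K`/`KRB5_PKINIT_PACKET_CABLE` enum, which any out-of-tree user of this header will see as a compile break; it appears to be superseded by the `pkinit_win2k` config lookup that the pkinit.c hunk keeps, and a one-line comment saying so (in the header or the commit description) would save the next reader the archaeology.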
@ -31,7 +31,7 @@
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
/* $Id: krb5_locl.h 20261 2007-02-18 00:32:22Z lha $ */
|
||||
/* $Id: krb5_locl.h 21552 2007-07-15 09:04:00Z lha $ */
|
||||
|
||||
#ifndef __KRB5_LOCL_H__
|
||||
#define __KRB5_LOCL_H__
|
||||
@ -148,12 +148,6 @@ struct krb5_dh_moduli;
|
||||
/* v4 glue */
|
||||
struct _krb5_krb_auth_data;
|
||||
|
||||
struct krb5_plugin;
|
||||
enum plugin_type {
|
||||
PLUGIN_TYPE_DATA = 1,
|
||||
PLUGIN_TYPE_FUNC
|
||||
};
|
||||
|
||||
#include <der.h>
|
||||
|
||||
#include <krb5.h>
|
||||
@ -236,7 +230,7 @@ typedef struct krb5_context_data {
|
||||
char error_buf[256];
|
||||
krb5_addresses *ignore_addresses;
|
||||
char *default_cc_name;
|
||||
int pkinit_flags;
|
||||
char *default_cc_name_env;
|
||||
void *mutex; /* protects error_string/error_buf */
|
||||
int large_msg_size;
|
||||
int dns_canonicalize_hostname;
|
||||
|
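--- a/source4/heimdal/lib/krb5/krb_err.et
+++ b/source4/heimdal/lib/krb5/krb_err.et
@@ -0,0 +1,63 @@
+#
+# Error messages for the krb4 library
+#
+# This might look like a com_err file, but is not
+#
+id "$Id: krb_err.et,v 1.7 1998/03/29 14:19:52 bg Exp $"
+
+error_table krb
+
+prefix KRB4ET
+ec KSUCCESS, "Kerberos 4 successful"
+ec KDC_NAME_EXP, "Kerberos 4 principal expired"
+ec KDC_SERVICE_EXP, "Kerberos 4 service expired"
+ec KDC_AUTH_EXP, "Kerberos 4 auth expired"
+ec KDC_PKT_VER, "Incorrect Kerberos 4 master key version"
+ec KDC_P_MKEY_VER, "Incorrect Kerberos 4 master key version"
+ec KDC_S_MKEY_VER, "Incorrect Kerberos 4 master key version"
+ec KDC_BYTE_ORDER, "Kerberos 4 byte order unknown"
+ec KDC_PR_UNKNOWN, "Kerberos 4 principal unknown"
+ec KDC_PR_N_UNIQUE, "Kerberos 4 principal not unique"
+ec KDC_NULL_KEY, "Kerberos 4 principal has null key"
+index 20
+ec KDC_GEN_ERR, "Generic error from KDC (Kerberos 4)"
+ec GC_TKFIL, "Can't read Kerberos 4 ticket file"
+ec GC_NOTKT, "Can't find Kerberos 4 ticket or TGT"
+index 26
+ec MK_AP_TGTEXP, "Kerberos 4 TGT Expired"
+index 31
+ec RD_AP_UNDEC, "Kerberos 4: Can't decode authenticator"
+ec RD_AP_EXP, "Kerberos 4 ticket expired"
+ec RD_AP_NYV, "Kerberos 4 ticket not yet valid"
+ec RD_AP_REPEAT, "Kerberos 4: Repeated request"
+ec RD_AP_NOT_US, "The Kerberos 4 ticket isn't for us"
+ec RD_AP_INCON, "Kerberos 4 request inconsistent"
+ec RD_AP_TIME, "Kerberos 4: delta_t too big"
+ec RD_AP_BADD, "Kerberos 4: incorrect net address"
+ec RD_AP_VERSION, "Kerberos protocol not version 4"
+ec RD_AP_MSG_TYPE, "Kerberos 4: invalid msg type"
+ec RD_AP_MODIFIED, "Kerberos 4: message stream modified"
+ec RD_AP_ORDER, "Kerberos 4: message out of order"
+ec RD_AP_UNAUTHOR, "Kerberos 4: unauthorized request"
+index 51
+ec GT_PW_NULL, "Kerberos 4: current PW is null"
+ec GT_PW_BADPW, "Kerberos 4: Incorrect current password"
+ec GT_PW_PROT, "Kerberos 4 protocol error"
+ec GT_PW_KDCERR, "Error returned by KDC (Kerberos 4)"
+ec GT_PW_NULLTKT, "Null Kerberos 4 ticket returned by KDC"
+ec SKDC_RETRY, "Kerberos 4: Retry count exceeded"
+ec SKDC_CANT, "Kerberos 4: Can't send request"
+index 61
+ec INTK_W_NOTALL, "Kerberos 4: not all tickets returned"
+ec INTK_BADPW, "Kerberos 4: incorrect password"
+ec INTK_PROT, "Kerberos 4: Protocol Error"
+index 70
+ec INTK_ERR, "Other error in Kerberos 4"
+ec AD_NOTGT, "Don't have Kerberos 4 ticket-granting ticket"
+index 76
+ec NO_TKT_FIL, "No Kerberos 4 ticket file found"
+ec TKT_FIL_ACC, "Couldn't access Kerberos 4 ticket file"
+ec TKT_FIL_LCK, "Couldn't lock Kerberos 4 ticket file"
+ec TKT_FIL_FMT, "Bad Kerberos 4 ticket file format"
+ec TKT_FIL_INI, "Kerberos 4: tf_init not called first"
+ec KNAME_FMT, "Bad Kerberos 4 name format"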
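Review bot: `ec KDC_PKT_VER, "Incorrect Kerberos 4 master key version"` carries the wrong message: code 4 is the protocol-version error (the `#define KDC_PKT_VER 4 /* Protocol version unknown */` this commit removes from krb5-v4compat.h documents it), and the text is a copy of the two master-key-version entries that follow, so a client speaking the wrong protocol version would be logged as a key problem. Suggest `ec KDC_PKT_VER, "Kerberos 4 protocol version unknown"`. Note also that because this is a com_err table, `KRB4ET_KSUCCESS` is `ERROR_TABLE_BASE_krb + 0` rather than 0, so it is not a drop-in for the removed `#define KSUCCESS 0`; code that tested a v4 result against `KSUCCESS` has to keep comparing with 0 (the base subtraction in `_krb5_krb_cr_err_reply` in this commit relies on the same offset).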
@ -35,7 +35,7 @@
|
||||
#include <resolve.h>
|
||||
#include "locate_plugin.h"
|
||||
|
||||
RCSID("$Id: krbhst.c 21131 2007-06-18 20:48:09Z lha $");
|
||||
RCSID("$Id: krbhst.c 21457 2007-07-10 12:53:25Z lha $");
|
||||
|
||||
static int
|
||||
string_to_proto(const char *string)
|
||||
@ -919,8 +919,10 @@ gethostlist(krb5_context context, const char *realm,
|
||||
|
||||
while(krb5_krbhst_next(context, handle, &hostinfo) == 0)
|
||||
nhost++;
|
||||
if(nhost == 0)
|
||||
if(nhost == 0) {
|
||||
krb5_set_error_string(context, "No KDC found for realm %s", realm);
|
||||
return KRB5_KDC_UNREACH;
|
||||
}
|
||||
*hostlist = calloc(nhost + 1, sizeof(**hostlist));
|
||||
if(*hostlist == NULL) {
|
||||
krb5_krbhst_free(context, handle);
|
||||
|
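Review bot: The rewritten `if(nhost == 0)` branch in gethostlist still returns `KRB5_KDC_UNREACH` without releasing `handle`, while the `*hostlist == NULL` branch a few lines below calls `krb5_krbhst_free(context, handle)` before returning; the host-iteration handle is leaked every time a realm has no reachable KDC, which is exactly the path a misconfigured or DNS-starved client retries in a loop. Add `krb5_krbhst_free(context, handle);` before the `return KRB5_KDC_UNREACH;` so both early exits clean up the same way. gethostlist begins before this hunk and continues after it, so the handle's allocation and the remaining cleanup are not visible here.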
@ -33,7 +33,7 @@
|
||||
|
||||
#include "krb5_locl.h"
|
||||
|
||||
RCSID("$Id: pkinit.c 21321 2007-06-26 05:21:56Z lha $");
|
||||
RCSID("$Id: pkinit.c 21684 2007-07-23 23:09:10Z lha $");
|
||||
|
||||
struct krb5_dh_moduli {
|
||||
char *name;
|
||||
@ -645,8 +645,6 @@ _krb5_pk_mk_padata(krb5_context context,
|
||||
req_body->realm,
|
||||
"pkinit_win2k",
|
||||
NULL);
|
||||
if (context->pkinit_flags & KRB5_PKINIT_WIN2K)
|
||||
win2k_compat = 1;
|
||||
|
||||
if (win2k_compat) {
|
||||
ctx->require_binding =
|
||||
@ -1721,7 +1719,7 @@ _krb5_free_moduli(struct krb5_dh_moduli **moduli)
|
||||
free(moduli);
|
||||
}
|
||||
|
||||
static const char *default_moduli =
|
||||
static const char *default_moduli_RFC2412_MODP_group2 =
|
||||
/* name */
|
||||
"RFC2412-MODP-group2 "
|
||||
/* bits */
|
||||
@ -1743,6 +1741,37 @@ static const char *default_moduli =
|
||||
"F71C35FD" "AD44CFD2" "D74F9208" "BE258FF3" "24943328" "F67329C0"
|
||||
"FFFFFFFF" "FFFFFFFF";
|
||||
|
||||
static const char *default_moduli_rfc3526_MODP_group14 =
|
||||
/* name */
|
||||
"rfc3526-MODP-group14 "
|
||||
/* bits */
|
||||
"1760 "
|
||||
/* p */
|
||||
"FFFFFFFF" "FFFFFFFF" "C90FDAA2" "2168C234" "C4C6628B" "80DC1CD1"
|
||||
"29024E08" "8A67CC74" "020BBEA6" "3B139B22" "514A0879" "8E3404DD"
|
||||
"EF9519B3" "CD3A431B" "302B0A6D" "F25F1437" "4FE1356D" "6D51C245"
|
||||
"E485B576" "625E7EC6" "F44C42E9" "A637ED6B" "0BFF5CB6" "F406B7ED"
|
||||
"EE386BFB" "5A899FA5" "AE9F2411" "7C4B1FE6" "49286651" "ECE45B3D"
|
||||
"C2007CB8" "A163BF05" "98DA4836" "1C55D39A" "69163FA8" "FD24CF5F"
|
||||
"83655D23" "DCA3AD96" "1C62F356" "208552BB" "9ED52907" "7096966D"
|
||||
"670C354E" "4ABC9804" "F1746C08" "CA18217C" "32905E46" "2E36CE3B"
|
||||
"E39E772C" "180E8603" "9B2783A2" "EC07A28F" "B5C55DF0" "6F4C52C9"
|
||||
"DE2BCBF6" "95581718" "3995497C" "EA956AE5" "15D22618" "98FA0510"
|
||||
"15728E5A" "8AACAA68" "FFFFFFFF" "FFFFFFFF "
|
||||
/* g */
|
||||
"02 "
|
||||
/* q */
|
||||
"7FFFFFFF" "FFFFFFFF" "E487ED51" "10B4611A" "62633145" "C06E0E68"
|
||||
"94812704" "4533E63A" "0105DF53" "1D89CD91" "28A5043C" "C71A026E"
|
||||
"F7CA8CD9" "E69D218D" "98158536" "F92F8A1B" "A7F09AB6" "B6A8E122"
|
||||
"F242DABB" "312F3F63" "7A262174" "D31BF6B5" "85FFAE5B" "7A035BF6"
|
||||
"F71C35FD" "AD44CFD2" "D74F9208" "BE258FF3" "24943328" "F6722D9E"
|
||||
"E1003E5C" "50B1DF82" "CC6D241B" "0E2AE9CD" "348B1FD4" "7E9267AF"
|
||||
"C1B2AE91" "EE51D6CB" "0E3179AB" "1042A95D" "CF6A9483" "B84B4B36"
|
||||
"B3861AA7" "255E4C02" "78BA3604" "650C10BE" "19482F23" "171B671D"
|
||||
"F1CF3B96" "0C074301" "CD93C1D1" "7603D147" "DAE2AEF8" "37A62964"
|
||||
"EF15E5FB" "4AAC0B8C" "1CCAA4BE" "754AB572" "8AE9130C" "4C7D0288"
|
||||
"0AB9472D" "45565534" "7FFFFFFF" "FFFFFFFF";
|
||||
|
||||
krb5_error_code
|
||||
_krb5_parse_moduli(krb5_context context, const char *file,
|
||||
@ -1757,19 +1786,28 @@ _krb5_parse_moduli(krb5_context context, const char *file,
|
||||
|
||||
*moduli = NULL;
|
||||
|
||||
m = calloc(1, sizeof(m[0]) * 2);
|
||||
m = calloc(1, sizeof(m[0]) * 3);
|
||||
if (m == NULL) {
|
||||
krb5_set_error_string(context, "malloc: out of memory");
|
||||
return ENOMEM;
|
||||
}
|
||||
|
||||
strlcpy(buf, default_moduli, sizeof(buf));
|
||||
strlcpy(buf, default_moduli_rfc3526_MODP_group14, sizeof(buf));
|
||||
ret = _krb5_parse_moduli_line(context, "builtin", 1, buf, &m[0]);
|
||||
if (ret) {
|
||||
_krb5_free_moduli(m);
|
||||
return ret;
|
||||
}
|
||||
n = 1;
|
||||
n++;
|
||||
|
||||
strlcpy(buf, default_moduli_RFC2412_MODP_group2, sizeof(buf));
|
||||
ret = _krb5_parse_moduli_line(context, "builtin", 1, buf, &m[1]);
|
||||
if (ret) {
|
||||
_krb5_free_moduli(m);
|
||||
return ret;
|
||||
}
|
||||
n++;
|
||||
|
||||
|
||||
if (file == NULL)
|
||||
file = MODULI_FILE;
|
||||
|
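Review bot: In the new `default_moduli_rfc3526_MODP_group14` string the `/* bits */` field is `"1760 "`, but the `p` that follows is 64 eight-hex-digit words, i.e. a 2048-bit modulus, which is what RFC 3526 defines for group 14. If the table's `bits` value is what the DH-group minimum-size check compares against (that code is outside this hunk), a policy requiring 2048 bits would reject a group that actually satisfies it; the field should read `"2048 "`. Separately, in `_krb5_parse_moduli` both builtin entries are parsed with line number `1` (`_krb5_parse_moduli_line(context, "builtin", 1, buf, &m[1])`), so a parse failure would be reported at the same position for either group; passing `2` for the second call keeps the diagnostics distinct.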
@ -32,7 +32,7 @@
|
||||
*/
|
||||
|
||||
#include "krb5_locl.h"
|
||||
RCSID("$Id: plugin.c 21134 2007-06-18 21:02:23Z lha $");
|
||||
RCSID("$Id: plugin.c 21702 2007-07-26 19:13:53Z lha $");
|
||||
#ifdef HAVE_DLFCN_H
|
||||
#include <dlfcn.h>
|
||||
#endif
|
||||
@ -45,7 +45,7 @@ struct krb5_plugin {
|
||||
};
|
||||
|
||||
struct plugin {
|
||||
enum plugin_type type;
|
||||
enum krb5_plugin_type type;
|
||||
void *name;
|
||||
void *symbol;
|
||||
struct plugin *next;
|
||||
@ -76,9 +76,11 @@ _krb5_plugin_get_next(struct krb5_plugin *p)
|
||||
*
|
||||
*/
|
||||
|
||||
#ifdef HAVE_DLOPEN
|
||||
|
||||
static krb5_error_code
|
||||
loadlib(krb5_context context,
|
||||
enum plugin_type type,
|
||||
enum krb5_plugin_type type,
|
||||
const char *name,
|
||||
const char *lib,
|
||||
struct krb5_plugin **e)
|
||||
@ -113,10 +115,11 @@ loadlib(krb5_context context,
|
||||
|
||||
return 0;
|
||||
}
|
||||
#endif /* HAVE_DLOPEN */
|
||||
|
||||
krb5_error_code
|
||||
_krb5_plugin_register(krb5_context context,
|
||||
enum plugin_type type,
|
||||
enum krb5_plugin_type type,
|
||||
const char *name,
|
||||
void *symbol)
|
||||
{
|
||||
@ -146,7 +149,7 @@ _krb5_plugin_register(krb5_context context,
|
||||
|
||||
krb5_error_code
|
||||
_krb5_plugin_find(krb5_context context,
|
||||
enum plugin_type type,
|
||||
enum krb5_plugin_type type,
|
||||
const char *name,
|
||||
struct krb5_plugin **list)
|
||||
{
|
||||
@ -181,6 +184,8 @@ _krb5_plugin_find(krb5_context context,
|
||||
}
|
||||
HEIMDAL_MUTEX_unlock(&plugin_mutex);
|
||||
|
||||
#ifdef HAVE_DLOPEN
|
||||
|
||||
dirs = krb5_config_get_strings(context, NULL, "libdefaults",
|
||||
"plugin_dir", NULL);
|
||||
if (dirs == NULL) {
|
||||
@ -213,6 +218,7 @@ _krb5_plugin_find(krb5_context context,
|
||||
}
|
||||
if (dirs != sysdirs)
|
||||
krb5_config_free_strings(dirs);
|
||||
#endif /* HAVE_DLOPEN */
|
||||
|
||||
if (*list == NULL) {
|
||||
krb5_set_error_string(context, "Did not find a plugin for %s", name);
|
||||
|
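Review bot: The new `#ifdef HAVE_DLOPEN` region in `_krb5_plugin_find` isolates the dynamic-loading path but adds no comment that the directory list it reads from `[libdefaults] plugin_dir` (falling back to `sysdirs`) is a code-execution trust boundary: every shared object found under those directories is presumably loaded into the calling process by `loadlib`, whose body is outside this hunk. A comment above the `krb5_config_get_strings` call such as `/* plugin_dir is trusted: any library found under it is loaded into this process */` would make that explicit for anyone later wiring user-influenced configuration into this lookup. Whether `loadlib` checks ownership or permissions of the directories or files is not visible from this section.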
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
|
||||
* Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
|
||||
* (Royal Institute of Technology, Stockholm, Sweden).
|
||||
* All rights reserved.
|
||||
*
|
||||
@ -33,7 +33,7 @@
|
||||
|
||||
#include <krb5_locl.h>
|
||||
|
||||
RCSID("$Id: rd_priv.c 17056 2006-04-12 16:18:10Z lha $");
|
||||
RCSID("$Id: rd_priv.c 21770 2007-08-01 04:04:33Z lha $");
|
||||
|
||||
krb5_error_code KRB5_LIB_FUNCTION
|
||||
krb5_rd_priv(krb5_context context,
|
||||
@ -55,13 +55,17 @@ krb5_rd_priv(krb5_context context,
|
||||
|
||||
if ((auth_context->flags &
|
||||
(KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
|
||||
outdata == NULL)
|
||||
outdata == NULL) {
|
||||
krb5_clear_error_string (context);
|
||||
return KRB5_RC_REQUIRED; /* XXX better error, MIT returns this */
|
||||
}
|
||||
|
||||
memset(&priv, 0, sizeof(priv));
|
||||
ret = decode_KRB_PRIV (inbuf->data, inbuf->length, &priv, &len);
|
||||
if (ret)
|
||||
if (ret) {
|
||||
krb5_clear_error_string (context);
|
||||
goto failure;
|
||||
}
|
||||
if (priv.pvno != 5) {
|
||||
krb5_clear_error_string (context);
|
||||
ret = KRB5KRB_AP_ERR_BADVERSION;
|
||||
@ -94,8 +98,10 @@ krb5_rd_priv(krb5_context context,
|
||||
|
||||
ret = decode_EncKrbPrivPart (plain.data, plain.length, &part, &len);
|
||||
krb5_data_free (&plain);
|
||||
if (ret)
|
||||
if (ret) {
|
||||
krb5_clear_error_string (context);
|
||||
goto failure;
|
||||
}
|
||||
|
||||
/* check sender address */
|
||||
|
||||
|
@ -32,7 +32,7 @@
|
||||
*/
|
||||
|
||||
#include "krb5_locl.h"
|
||||
RCSID("$Id: v4_glue.c 17442 2006-05-05 09:31:15Z lha $");
|
||||
RCSID("$Id: v4_glue.c 21572 2007-07-16 05:13:08Z lha $");
|
||||
|
||||
#include "krb5-v4compat.h"
|
||||
|
||||
@ -351,12 +351,12 @@ storage_to_etext(krb5_context context,
|
||||
|
||||
size = krb5_storage_seek(sp, 0, SEEK_END);
|
||||
if (size < 0)
|
||||
return EINVAL;
|
||||
return KRB4ET_RD_AP_UNDEC;
|
||||
size = 8 - (size & 7);
|
||||
|
||||
ret = krb5_storage_write(sp, eightzeros, size);
|
||||
if (ret != size)
|
||||
return EINVAL;
|
||||
return KRB4ET_RD_AP_UNDEC;
|
||||
|
||||
ret = krb5_storage_to_data(sp, &data);
|
||||
if (ret)
|
||||
@ -435,7 +435,7 @@ _krb5_krb_create_ticket(krb5_context context,
|
||||
session->keyvalue.data,
|
||||
session->keyvalue.length);
|
||||
if (ret != session->keyvalue.length) {
|
||||
ret = EINVAL;
|
||||
ret = KRB4ET_INTK_PROT;
|
||||
goto error;
|
||||
}
|
||||
|
||||
@ -487,7 +487,7 @@ _krb5_krb_create_ciph(krb5_context context,
|
||||
session->keyvalue.data,
|
||||
session->keyvalue.length);
|
||||
if (ret != session->keyvalue.length) {
|
||||
ret = EINVAL;
|
||||
ret = KRB4ET_INTK_PROT;
|
||||
goto error;
|
||||
}
|
||||
|
||||
@ -497,7 +497,7 @@ _krb5_krb_create_ciph(krb5_context context,
|
||||
RCHECK(ret, krb5_store_int8(sp, ticket->length), error);
|
||||
ret = krb5_storage_write(sp, ticket->data, ticket->length);
|
||||
if (ret != ticket->length) {
|
||||
ret = EINVAL;
|
||||
ret = KRB4ET_INTK_PROT;
|
||||
goto error;
|
||||
}
|
||||
RCHECK(ret, krb5_store_int32(sp, kdc_time), error);
|
||||
@ -550,7 +550,7 @@ _krb5_krb_create_auth_reply(krb5_context context,
|
||||
RCHECK(ret, krb5_store_int16(sp, cipher->length), error);
|
||||
ret = krb5_storage_write(sp, cipher->data, cipher->length);
|
||||
if (ret != cipher->length) {
|
||||
ret = EINVAL;
|
||||
ret = KRB4ET_INTK_PROT;
|
||||
goto error;
|
||||
}
|
||||
|
||||
@ -599,6 +599,9 @@ _krb5_krb_cr_err_reply(krb5_context context,
|
||||
RCHECK(ret, krb5_store_int8(sp, AUTH_MSG_ERR_REPLY), error);
|
||||
RCHECK(ret, put_nir(sp, name, inst, realm), error);
|
||||
RCHECK(ret, krb5_store_int32(sp, time_ws), error);
|
||||
/* If its a Kerberos 4 error-code, remove the et BASE */
|
||||
if (e >= ERROR_TABLE_BASE_krb && e <= ERROR_TABLE_BASE_krb + 255)
|
||||
e -= ERROR_TABLE_BASE_krb;
|
||||
RCHECK(ret, krb5_store_int32(sp, e), error);
|
||||
RCHECK(ret, krb5_store_stringz(sp, e_string), error);
|
||||
|
||||
@ -623,7 +626,7 @@ get_v4_stringz(krb5_storage *sp, char **str, size_t max_len)
|
||||
if (strlen(*str) > max_len) {
|
||||
free(*str);
|
||||
*str = NULL;
|
||||
return EINVAL;
|
||||
return KRB4ET_INTK_PROT;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
@ -662,7 +665,7 @@ _krb5_krb_decomp_ticket(krb5_context context,
|
||||
return ENOMEM;
|
||||
}
|
||||
|
||||
krb5_storage_set_eof_code(sp, EINVAL); /* XXX */
|
||||
krb5_storage_set_eof_code(sp, KRB4ET_INTK_PROT);
|
||||
|
||||
RCHECK(ret, krb5_ret_int8(sp, &ad->k_flags), error);
|
||||
RCHECK(ret, get_v4_stringz(sp, &ad->pname, ANAME_SZ), error);
|
||||
@ -672,7 +675,7 @@ _krb5_krb_decomp_ticket(krb5_context context,
|
||||
|
||||
size = krb5_storage_read(sp, des_key, sizeof(des_key));
|
||||
if (size != sizeof(des_key)) {
|
||||
ret = EINVAL; /* XXX */
|
||||
ret = KRB4ET_INTK_PROT;
|
||||
goto error;
|
||||
}
|
||||
|
||||
@ -770,26 +773,32 @@ _krb5_krb_rd_req(krb5_context context,
|
||||
return ENOMEM;
|
||||
}
|
||||
|
||||
krb5_storage_set_eof_code(sp, EINVAL); /* XXX */
|
||||
krb5_storage_set_eof_code(sp, KRB4ET_INTK_PROT);
|
||||
|
||||
ret = krb5_ret_int8(sp, &pvno);
|
||||
if (ret)
|
||||
if (ret) {
|
||||
krb5_set_error_string(context, "Failed reading v4 pvno");
|
||||
goto error;
|
||||
}
|
||||
|
||||
if (pvno != KRB_PROT_VERSION) {
|
||||
ret = EINVAL; /* XXX */
|
||||
ret = KRB4ET_RD_AP_VERSION;
|
||||
krb5_set_error_string(context, "Failed v4 pvno not 4");
|
||||
goto error;
|
||||
}
|
||||
|
||||
ret = krb5_ret_int8(sp, &type);
|
||||
if (ret)
|
||||
if (ret) {
|
||||
krb5_set_error_string(context, "Failed readin v4 type");
|
||||
goto error;
|
||||
}
|
||||
|
||||
little_endian = type & 1;
|
||||
type &= ~1;
|
||||
|
||||
if(type != AUTH_MSG_APPL_REQUEST && type != AUTH_MSG_APPL_REQUEST_MUTUAL) {
|
||||
ret = EINVAL; /* RD_AP_MSG_TYPE */
|
||||
ret = KRB4ET_RD_AP_MSG_TYPE;
|
||||
krb5_set_error_string(context, "Not a valid v4 request type");
|
||||
goto error;
|
||||
}
|
||||
|
||||
@ -801,7 +810,8 @@ _krb5_krb_rd_req(krb5_context context,
|
||||
|
||||
size = krb5_storage_read(sp, ticket.data, ticket.length);
|
||||
if (size != ticket.length) {
|
||||
ret = EINVAL;
|
||||
ret = KRB4ET_INTK_PROT;
|
||||
krb5_set_error_string(context, "Failed reading v4 ticket");
|
||||
goto error;
|
||||
}
|
||||
|
||||
@ -815,7 +825,8 @@ _krb5_krb_rd_req(krb5_context context,
|
||||
|
||||
size = krb5_storage_read(sp, eaut.data, eaut.length);
|
||||
if (size != eaut.length) {
|
||||
ret = EINVAL;
|
||||
ret = KRB4ET_INTK_PROT;
|
||||
krb5_set_error_string(context, "Failed reading v4 authenticator");
|
||||
goto error;
|
||||
}
|
||||
|
||||
@ -828,8 +839,8 @@ _krb5_krb_rd_req(krb5_context context,
|
||||
|
||||
sp = krb5_storage_from_data(&aut);
|
||||
if (sp == NULL) {
|
||||
krb5_set_error_string(context, "alloc: out of memory");
|
||||
ret = ENOMEM;
|
||||
krb5_set_error_string(context, "alloc: out of memory");
|
||||
goto error;
|
||||
}
|
||||
|
||||
@ -849,19 +860,22 @@ _krb5_krb_rd_req(krb5_context context,
|
||||
if (strcmp(ad->pname, r_name) != 0 ||
|
||||
strcmp(ad->pinst, r_instance) != 0 ||
|
||||
strcmp(ad->prealm, r_realm) != 0) {
|
||||
ret = EINVAL; /* RD_AP_INCON */
|
||||
krb5_set_error_string(context, "v4 principal mismatch");
|
||||
ret = KRB4ET_RD_AP_INCON;
|
||||
goto error;
|
||||
}
|
||||
|
||||
if (from_addr && from_addr != ad->address) {
|
||||
ret = EINVAL; /* RD_AP_BADD */
|
||||
if (from_addr && ad->address && from_addr != ad->address) {
|
||||
krb5_set_error_string(context, "v4 bad address in ticket");
|
||||
ret = KRB4ET_RD_AP_BADD;
|
||||
goto error;
|
||||
}
|
||||
|
||||
gettimeofday(&tv, NULL);
|
||||
delta_t = abs((int)(tv.tv_sec - r_time_sec));
|
||||
if (delta_t > CLOCK_SKEW) {
|
||||
ret = EINVAL; /* RD_AP_TIME */
|
||||
ret = KRB4ET_RD_AP_TIME;
|
||||
krb5_set_error_string(context, "v4 clock skew");
|
||||
goto error;
|
||||
}
|
||||
|
||||
@ -870,12 +884,14 @@ _krb5_krb_rd_req(krb5_context context,
|
||||
tkt_age = tv.tv_sec - ad->time_sec;
|
||||
|
||||
if ((tkt_age < 0) && (-tkt_age > CLOCK_SKEW)) {
|
||||
ret = EINVAL; /* RD_AP_NYV */
|
||||
ret = KRB4ET_RD_AP_NYV;
|
||||
krb5_set_error_string(context, "v4 clock skew for expiration");
|
||||
goto error;
|
||||
}
|
||||
|
||||
if (tv.tv_sec > _krb5_krb_life_to_time(ad->time_sec, ad->life)) {
|
||||
ret = EINVAL; /* RD_AP_EXP */
|
||||
ret = KRB4ET_RD_AP_EXP;
|
||||
krb5_set_error_string(context, "v4 ticket expired");
|
||||
goto error;
|
||||
}
|
||||
|
||||
|
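Review bot: The peer-address check in `_krb5_krb_rd_req` is loosened from `from_addr && from_addr != ad->address` to `from_addr && ad->address && from_addr != ad->address`, so a ticket whose embedded address is zero is now accepted from any peer even when the caller supplied `from_addr`; that matches the krb4 addressless-ticket convention, but it is a deliberate weakening of the binding and neither the code nor the commit description says so. Add a comment at the condition, e.g. `/* an address of 0 marks an addressless ticket; it is not bound to the peer */`, so the next reader does not "fix" it back to the strict form. The function starts before this section's hunks and continues after them, so the types of `from_addr` and `ad->address` and how callers obtain `from_addr` are not visible here.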
@ -33,7 +33,7 @@
|
||||
|
||||
#include <config.h>
|
||||
|
||||
RCSID("$Id: ntlm.c 21317 2007-06-25 19:22:02Z lha $");
|
||||
RCSID("$Id: ntlm.c 21604 2007-07-17 06:48:55Z lha $");
|
||||
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
@ -1105,7 +1105,7 @@ heim_ntlm_verify_ntlm2(const void *key, size_t len,
|
||||
HMAC_CTX_init(&c);
|
||||
HMAC_Init_ex(&c, ntlmv2, 16, EVP_md5(), NULL);
|
||||
HMAC_Update(&c, serverchallange, 8);
|
||||
HMAC_Update(&c, ((char *)answer->data) + 16, answer->length - 16);
|
||||
HMAC_Update(&c, ((unsigned char *)answer->data) + 16, answer->length - 16);
|
||||
HMAC_Final(&c, serveranswer, &hmaclen);
|
||||
HMAC_CTX_cleanup(&c);
|
||||
|
||||
|
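Review bot: `answer->length - 16` on the changed `HMAC_Update` line wraps to a huge `size_t` when the client-supplied `answer` is shorter than 16 bytes, unless a check earlier in heim_ntlm_verify_ntlm2 (outside this hunk) rejects short responses first; the cast to `unsigned char *` is the right fix for the pointer type but does nothing for that length. If no such guard exists, add `if (answer->length < 16) return EINVAL;` before the HMAC is computed, since `answer` is the NTLMv2 response from the network peer.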
@ -259,7 +259,8 @@ OBJ_FILES = \
|
||||
../heimdal/lib/krb5/warn.o \
|
||||
../heimdal/lib/krb5/krb5_err.o \
|
||||
../heimdal/lib/krb5/heim_err.o \
|
||||
../heimdal/lib/krb5/k524_err.o
|
||||
../heimdal/lib/krb5/k524_err.o \
|
||||
../heimdal/lib/krb5/krb_err.o
|
||||
# End SUBSYSTEM HEIMDAL_KRB5
|
||||
#######################
|
||||
|
||||
@ -568,10 +569,15 @@ include perl_path_wrapper.sh asn1_deps.pl heimdal/lib/asn1/CMS.asn1 cms_asn1 hei
|
||||
include perl_path_wrapper.sh asn1_deps.pl heimdal/lib/hx509/ocsp.asn1 ocsp_asn1 heimdal/lib/hx509 --preserve-binary=OCSPTBSRequest --preserve-binary=OCSPResponseData|
|
||||
include perl_path_wrapper.sh asn1_deps.pl heimdal/lib/asn1/kx509.asn1 kx509_asn1 heimdal/lib/asn1|
|
||||
include perl_path_wrapper.sh asn1_deps.pl heimdal/lib/hx509/pkcs10.asn1 pkcs10_asn1 heimdal/lib/hx509 --preserve-binary=CertificationRequestInfo|
|
||||
|
||||
#
|
||||
# Ensure to update ../static_deps.mk when you add a new entry here!
|
||||
#
|
||||
include perl_path_wrapper.sh et_deps.pl heimdal/lib/asn1/asn1_err.et heimdal/lib/asn1|
|
||||
include perl_path_wrapper.sh et_deps.pl heimdal/lib/hdb/hdb_err.et heimdal/lib/hdb|
|
||||
include perl_path_wrapper.sh et_deps.pl heimdal/lib/krb5/heim_err.et heimdal/lib/krb5|
|
||||
include perl_path_wrapper.sh et_deps.pl heimdal/lib/krb5/k524_err.et heimdal/lib/krb5|
|
||||
include perl_path_wrapper.sh et_deps.pl heimdal/lib/krb5/krb_err.et heimdal/lib/krb5|
|
||||
include perl_path_wrapper.sh et_deps.pl heimdal/lib/krb5/krb5_err.et heimdal/lib/krb5|
|
||||
include perl_path_wrapper.sh et_deps.pl heimdal/lib/gssapi/krb5/gkrb5_err.et heimdal/lib/gssapi|
|
||||
include perl_path_wrapper.sh et_deps.pl heimdal/lib/hx509/hx509_err.et heimdal/lib/hx509|
|
||||
|
@ -35,6 +35,7 @@ heimdal_basics: \
|
||||
heimdal/lib/hdb/hdb_err.h \
|
||||
heimdal/lib/krb5/heim_err.h \
|
||||
heimdal/lib/krb5/k524_err.h \
|
||||
heimdal/lib/krb5/krb_err.h \
|
||||
heimdal/lib/krb5/krb5_err.h \
|
||||
heimdal/lib/gssapi/gkrb5_err.h \
|
||||
heimdal/lib/hx509/hx509_err.h
|
||||
|