author | 2006-04-14 08:15:03 +0000 | |
---|---|---|
committer | 2006-04-14 08:15:03 +0000 | |
commit | 2bb5d18aad7b43e8f56b64a358d77ce727eb665a (patch) | |
tree | 74c78c0c5f873d6441a2907a7978d90d81dc67e8 /kerberosV/src/lib | |
parent | Import of heimdal-0.7.2 (diff) | |
Merge of heimdal 0.7.2
Tested by todd & beck, ok beck.
Diffstat (limited to 'kerberosV/src/lib')
87 files changed, 6363 insertions, 2607 deletions
diff --git a/kerberosV/src/lib/asn1/asn1_print.c b/kerberosV/src/lib/asn1/asn1_print.c index c3689179ff0..e01c4cd6dbc 100644 --- a/kerberosV/src/lib/asn1/asn1_print.c +++ b/kerberosV/src/lib/asn1/asn1_print.c @@ -38,7 +38,7 @@ #include <getarg.h> #include <err.h> -RCSID("$KTH: asn1_print.c,v 1.11 2002/08/29 20:45:35 assar Exp $"); +RCSID("$KTH: asn1_print.c,v 1.16 2005/05/29 14:23:00 lha Exp $"); const char *class_names[] = { "UNIV", /* 0 */ @@ -63,7 +63,7 @@ const char *tag_names[] = { NULL, /* 7 */ NULL, /* 8 */ NULL, /* 9 */ - NULL, /* 10 */ + "Enumerated", /* 10 */ NULL, /* 11 */ NULL, /* 12 */ NULL, /* 13 */ @@ -116,10 +116,10 @@ loop (unsigned char *buf, size_t len, int indent) buf += sz; len -= sz; - if (class == CONTEXT) { + if (class == ASN1_C_CONTEXT) { printf ("[%d]\n", tag); loop (buf, length, indent); - } else if (class == UNIV) { + } else if (class == ASN1_C_UNIV) { switch (tag) { case UT_Sequence : printf ("{\n"); @@ -138,24 +138,30 @@ loop (unsigned char *buf, size_t len, int indent) break; } case UT_OctetString : { - octet_string str; + heim_octet_string str; int i; unsigned char *uc; ret = der_get_octet_string (buf, length, &str, NULL); if (ret) errx (1, "der_get_octet_string: %s", error_message (ret)); - printf ("(length %lu), ", (unsigned long)length); + printf ("(length %lu)%s", (unsigned long)str.length, + str.length > 0 ? ", " : ""); uc = (unsigned char *)str.data; - for (i = 0; i < 16; ++i) + length = str.length; + if (length > 16) + length = 16; + for (i = 0; i < length; ++i) printf ("%02x", uc[i]); printf ("\n"); free (str.data); break; } case UT_GeneralizedTime : + case UT_IA5String: + case UT_UTF8String : case UT_GeneralString : { - general_string str; + heim_general_string str; ret = der_get_general_string (buf, length, &str, NULL); if (ret) @@ -166,7 +172,7 @@ loop (unsigned char *buf, size_t len, int indent) break; } case UT_OID: { - oid o; + heim_oid o; int i; ret = der_get_oid(buf, length, &o, NULL); 
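Review bot: In the UT_OctetString case the element's `length` is overwritten with the clamped value `min(16, str.length)` so it can serve as the hex-dump bound; if the code after the switch advances the cursor with `buf += length; len -= length;` (that part of loop() is outside this hunk), every octet string longer than 16 bytes will now desynchronise the rest of the parse. Keep the clamp in its own local, e.g. `size_t show = str.length > 16 ? 16 : str.length;` and `for (i = 0; i < show; ++i)`. The clamp itself is the right fix for the old loop, which read 16 bytes of `str.data` regardless of how short the string was. `i` is an `int` compared against a `size_t` bound; declaring it `size_t i;` avoids the sign-compare warning. loop() begins before this hunk and continues after it.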
@@ -180,6 +186,16 @@ loop (unsigned char *buf, size_t len, int indent) free_oid(&o); break; } + case UT_Enumerated: { + unsigned num; + + ret = der_get_int (buf, length, &num, NULL); + if (ret) + errx (1, "der_get_enum: %s", error_message (ret)); + + printf("%u\n", num); + break; + } default : printf ("%lu bytes\n", (unsigned long)length); break; diff --git a/kerberosV/src/lib/asn1/der_copy.c b/kerberosV/src/lib/asn1/der_copy.c index 0f8efc6af87..f5482912cc3 100644 --- a/kerberosV/src/lib/asn1/der_copy.c +++ b/kerberosV/src/lib/asn1/der_copy.c @@ -33,10 +33,10 @@ #include "der_locl.h" -RCSID("$KTH: der_copy.c,v 1.10 2003/04/17 07:13:08 lha Exp $"); +RCSID("$KTH: der_copy.c,v 1.12 2003/11/07 07:39:43 lha Exp $"); int -copy_general_string (const general_string *from, general_string *to) +copy_general_string (const heim_general_string *from, heim_general_string *to) { *to = strdup(*from); if(*to == NULL) @@ -45,7 +45,7 @@ copy_general_string (const general_string *from, general_string *to) } int -copy_octet_string (const octet_string *from, octet_string *to) +copy_octet_string (const heim_octet_string *from, heim_octet_string *to) { to->length = from->length; to->data = malloc(to->length); @@ -56,12 +56,13 @@ copy_octet_string (const octet_string *from, octet_string *to) } int -copy_oid (const oid *from, oid *to) +copy_oid (const heim_oid *from, heim_oid *to) { to->length = from->length; to->components = malloc(to->length * sizeof(*to->components)); if (to->length != 0 && to->components == NULL) return ENOMEM; - memcpy(to->components, from->components, to->length * sizeof(*to->components)); + memcpy(to->components, from->components, + to->length * sizeof(*to->components)); return 0; } diff --git a/kerberosV/src/lib/asn1/der_put.c b/kerberosV/src/lib/asn1/der_put.c index 4aa54dc759c..3388ed8d536 100644 --- a/kerberosV/src/lib/asn1/der_put.c +++ b/kerberosV/src/lib/asn1/der_put.c 
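Review bot: The new UT_Enumerated case passes `&num`, an `unsigned *`, to `der_get_int`, which elsewhere in this library is the signed INTEGER decoder taking an `int *` (its prototype is not in this hunk, so confirm); if so, either declare `int num;` and print it with `%d`, or use the unsigned decoder `der_get_unsigned`, which is the counterpart of the `encode_unsigned` routine this commit touches in der_put.c. The error string `"der_get_enum: %s"` names a function that is not the one called; make it `"der_get_int: %s"` so a failed decode is reported against the routine that actually failed. loop() begins before this hunk and continues after it.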
@@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include "der_locl.h" -RCSID("$KTH: der_put.c,v 1.28 2003/04/17 07:12:24 lha Exp $"); +RCSID("$KTH: der_put.c,v 1.32 2005/05/29 14:23:01 lha Exp $"); /* * All encoding functions take a pointer `p' to first position in @@ -133,8 +133,21 @@ der_put_length (unsigned char *p, size_t len, size_t val, size_t *size) } int +der_put_boolean(unsigned char *p, size_t len, const int *data, size_t *size) +{ + if(len < 1) + return ASN1_OVERFLOW; + if(*data != 0) + *p = 0xff; + else + *p = 0; + *size = 1; + return 0; +} + +int der_put_general_string (unsigned char *p, size_t len, - const general_string *str, size_t *size) + const heim_general_string *str, size_t *size) { size_t slen = strlen(*str); @@ -149,7 +162,7 @@ der_put_general_string (unsigned char *p, size_t len, int der_put_octet_string (unsigned char *p, size_t len, - const octet_string *data, size_t *size) + const heim_octet_string *data, size_t *size) { if (len < data->length) return ASN1_OVERFLOW; @@ -162,7 +175,7 @@ der_put_octet_string (unsigned char *p, size_t len, int der_put_oid (unsigned char *p, size_t len, - const oid *data, size_t *size) + const heim_oid *data, size_t *size) { unsigned char *base = p; int n; @@ -226,6 +239,30 @@ der_put_length_and_tag (unsigned char *p, size_t len, size_t len_val, } int +encode_boolean (unsigned char *p, size_t len, const int *data, + size_t *size) +{ + size_t ret = 0; + size_t l; + int e; + + e = der_put_boolean (p, len, data, &l); + if(e) + return e; + p -= l; + len -= l; + ret += l; + e = der_put_length_and_tag (p, len, l, ASN1_C_UNIV, PRIM, UT_Boolean, &l); + if (e) + return e; + p -= l; + len -= l; + ret += l; + *size = ret; + return 0; +} + +int encode_integer (unsigned char *p, size_t len, const int *data, size_t *size) { int num = *data; 
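Review bot: `der_put_boolean` and `encode_boolean` are added without any header comment, and the two facts a caller needs are not obvious from the code: the buffer is filled from the end backwards (visible in encode_boolean's `p -= l; len -= l;` after each primitive), and X.690 makes BOOLEAN exactly one content octet with TRUE encoded as 0xFF, which is why `*p = 0xff` rather than `1` is used. Suggested comment on `der_put_boolean`: `/* DER BOOLEAN: one content octet, 0xff for TRUE and 0x00 for FALSE (X.690 8.2). Writes at *p, reports 1 in *size, ASN1_OVERFLOW if len < 1. */`. A one-liner on `encode_boolean` noting it wraps that octet in the UNIVERSAL PRIMITIVE UT_Boolean tag and length, like its `encode_integer` neighbour, would complete the picture.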
@@ -239,7 +276,7 @@ encode_integer (unsigned char *p, size_t len, const int *data, size_t *size) p -= l; len -= l; ret += l; - e = der_put_length_and_tag (p, len, l, UNIV, PRIM, UT_Integer, &l); + e = der_put_length_and_tag (p, len, l, ASN1_C_UNIV, PRIM, UT_Integer, &l); if (e) return e; p -= l; @@ -264,7 +301,16 @@ encode_unsigned (unsigned char *p, size_t len, const unsigned *data, p -= l; len -= l; ret += l; - e = der_put_length_and_tag (p, len, l, UNIV, PRIM, UT_Integer, &l); + /* if first octet has msb set, we need to pad with a zero byte */ + if(p[1] >= 128) { + if(len == 0) + return ASN1_OVERFLOW; + *p-- = 0; + len--; + ret++; + l++; + } + e = der_put_length_and_tag (p, len, l, ASN1_C_UNIV, PRIM, UT_Integer, &l); if (e) return e; p -= l; @@ -289,7 +335,7 @@ encode_enumerated (unsigned char *p, size_t len, const unsigned *data, p -= l; len -= l; ret += l; - e = der_put_length_and_tag (p, len, l, UNIV, PRIM, UT_Enumerated, &l); + e = der_put_length_and_tag (p, len, l, ASN1_C_UNIV, PRIM, UT_Enumerated, &l); if (e) return e; p -= l; @@ -301,7 +347,7 @@ encode_enumerated (unsigned char *p, size_t len, const unsigned *data, int encode_general_string (unsigned char *p, size_t len, - const general_string *data, size_t *size) + const heim_general_string *data, size_t *size) { size_t ret = 0; size_t l; @@ -313,7 +359,7 @@ encode_general_string (unsigned char *p, size_t len, p -= l; len -= l; ret += l; - e = der_put_length_and_tag (p, len, l, UNIV, PRIM, UT_GeneralString, &l); + e = der_put_length_and_tag (p, len, l, ASN1_C_UNIV, PRIM, UT_GeneralString, &l); if (e) return e; p -= l; @@ -325,7 +371,7 @@ encode_general_string (unsigned char *p, size_t len, int encode_octet_string (unsigned char *p, size_t len, - const octet_string *k, size_t *size) + const heim_octet_string *k, size_t *size) { size_t ret = 0; size_t l; 
@@ -337,7 +383,7 @@ encode_octet_string (unsigned char *p, size_t len, p -= l; len -= l; ret += l; - e = der_put_length_and_tag (p, len, l, UNIV, PRIM, UT_OctetString, &l); + e = der_put_length_and_tag (p, len, l, ASN1_C_UNIV, PRIM, UT_OctetString, &l); if (e) return e; p -= l; @@ -349,7 +395,7 @@ encode_octet_string (unsigned char *p, size_t len, int encode_oid(unsigned char *p, size_t len, - const oid *k, size_t *size) + const heim_oid *k, size_t *size) { size_t ret = 0; size_t l; @@ -361,7 +407,7 @@ encode_oid(unsigned char *p, size_t len, p -= l; len -= l; ret += l; - e = der_put_length_and_tag (p, len, l, UNIV, PRIM, UT_OID, &l); + e = der_put_length_and_tag (p, len, l, ASN1_C_UNIV, PRIM, UT_OID, &l); if (e) return e; p -= l; @@ -372,7 +418,7 @@ encode_oid(unsigned char *p, size_t len, } int -time2generalizedtime (time_t t, octet_string *s) +time2generalizedtime (time_t t, heim_octet_string *s) { struct tm *tm; size_t len; @@ -397,7 +443,7 @@ encode_generalized_time (unsigned char *p, size_t len, { size_t ret = 0; size_t l; - octet_string k; + heim_octet_string k; int e; e = time2generalizedtime (*t, &k); @@ -410,7 +456,7 @@ encode_generalized_time (unsigned char *p, size_t len, p -= l; len -= l; ret += l; - e = der_put_length_and_tag (p, len, k.length, UNIV, PRIM, + e = der_put_length_and_tag (p, len, k.length, ASN1_C_UNIV, PRIM, UT_GeneralizedTime, &l); if (e) return e; diff --git a/kerberosV/src/lib/asn1/gen.c b/kerberosV/src/lib/asn1/gen.c index 6d556ff269a..b08fe0f15fd 100644 --- a/kerberosV/src/lib/asn1/gen.c +++ b/kerberosV/src/lib/asn1/gen.c @@ -33,7 +33,7 @@ #include "gen_locl.h" -RCSID("$KTH: gen.c,v 1.50 2003/04/17 07:09:18 lha Exp $"); +RCSID("$KTH: gen.c,v 1.58 2005/03/31 00:08:58 lha Exp $"); FILE *headerfile, *codefile, *logfile; @@ -41,7 +41,7 @@ FILE *headerfile, *codefile, *logfile; static const char *orig_filename; static char *header; -static char *headerbase = STEM; +static char *headerbase; /* * list of all IMPORTs 
@@ -76,6 +76,8 @@ init_generate (const char *filename, const char *base) orig_filename = filename; if(base) asprintf(&headerbase, "%s", base); + else + headerbase = strdup(STEM); asprintf(&header, "%s.h", headerbase); headerfile = fopen (header, "w"); if (headerfile == NULL) @@ -97,18 +99,21 @@ init_generate (const char *filename, const char *base) "#ifndef __asn1_common_definitions__\n" "#define __asn1_common_definitions__\n\n"); fprintf (headerfile, - "typedef struct octet_string {\n" + "typedef struct heim_octet_string {\n" " size_t length;\n" " void *data;\n" - "} octet_string;\n\n"); + "} heim_octet_string;\n\n"); fprintf (headerfile, - "typedef char *general_string;\n\n" + "typedef char *heim_general_string;\n\n" ); fprintf (headerfile, - "typedef struct oid {\n" + "typedef char *heim_utf8_string;\n\n" + ); + fprintf (headerfile, + "typedef struct heim_oid {\n" " size_t length;\n" " unsigned *components;\n" - "} oid;\n\n"); + "} heim_oid;\n\n"); fputs("#define ASN1_MALLOC_ENCODE(T, B, BL, S, L, R) \\\n" " do { \\\n" " (BL) = length_##T((S)); \\\n" @@ -267,13 +272,25 @@ define_asn1 (int level, Type *t) fprintf (headerfile, "[APPLICATION %d] ", t->application); define_asn1 (level, t->subtype); break; + case TBoolean: + space(level); + fprintf (headerfile, "BOOLEAN"); + break; + case TUTF8String: + space(level); + fprintf (headerfile, "UTF8String"); + break; + case TNull: + space(level); + fprintf (headerfile, "NULL"); + break; default: abort (); } } static void -define_type (int level, char *name, Type *t, int typedefp) +define_type (int level, const char *name, Type *t, int typedefp) { switch (t->type) { case TType: 
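Review bot: The new `else headerbase = strdup(STEM);` and the existing `asprintf(&headerbase, "%s", base);` are both unchecked, and `headerbase` is then handed to `asprintf(&header, "%s.h", headerbase)` as a `%s` argument, so an allocation failure turns into a NULL format argument instead of a diagnostic. The `fopen` two lines later does get a failure branch (its body is just outside this hunk); give `headerbase` the same treatment, e.g. `if (headerbase == NULL) err(1, "strdup");`, and check the asprintf result likewise. init_generate continues outside this hunk.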
@@ -304,11 +321,11 @@ define_type (int level, char *name, Type *t, int typedefp) break; case TOctetString: space(level); - fprintf (headerfile, "octet_string %s;\n", name); + fprintf (headerfile, "heim_octet_string %s;\n", name); break; case TOID : space(level); - fprintf (headerfile, "oid %s;\n", name); + fprintf (headerfile, "heim_oid %s;\n", name); break; case TBitString: { Member *m; @@ -390,7 +407,19 @@ define_type (int level, char *name, Type *t, int typedefp) break; case TGeneralString: space(level); - fprintf (headerfile, "general_string %s;\n", name); + fprintf (headerfile, "heim_general_string %s;\n", name); + break; + case TUTF8String: + space(level); + fprintf (headerfile, "heim_utf8_string %s;\n", name); + break; + case TBoolean: + space(level); + fprintf (headerfile, "int %s;\n", name); + break; + case TNull: + space(level); + fprintf (headerfile, "NULL %s;\n", name); break; case TApplication: define_type (level, name, t->subtype, FALSE); @@ -448,13 +477,20 @@ generate_type (const Symbol *s) "#include <asn1_err.h>\n" "#include <der.h>\n" "#include <parse_units.h>\n\n"); - generate_type_header (s); - generate_type_encode (s); - generate_type_decode (s); - generate_type_free (s); - generate_type_length (s); - generate_type_copy (s); - generate_glue (s); + + if (s->stype == Stype && s->type->type == TChoice) { + fprintf(codefile, + "/* CHOICE */\n" + "int asn1_%s_dummy_holder = 1;\n", s->gen_name); + } else { + generate_type_header (s); + generate_type_encode (s); + generate_type_decode (s); + generate_type_free (s); + generate_type_length (s); + generate_type_copy (s); + generate_glue (s); + } fprintf(headerfile, "\n\n"); fclose(codefile); } diff --git a/kerberosV/src/lib/asn1/main.c b/kerberosV/src/lib/asn1/main.c index f5adc429ade..5bd4d20d46b 100644 --- a/kerberosV/src/lib/asn1/main.c +++ b/kerberosV/src/lib/asn1/main.c 
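Review bot: The new `TNull` case in define_type emits `NULL %s;` into the generated C header, and `NULL` is an object-like macro for a null pointer constant, not a type, so any ASN.1 module with a NULL-typed member will produce a header that does not compile. `TBoolean` two cases above uses `int %s;` as its C representation; doing the same for `TNull` (the value carries no content, so any scalar placeholder works) keeps the generated header valid, with a comment such as `/* ASN.1 NULL carries no value; a dummy int keeps the struct well-formed */`. The `TNull` case in `define_asn1` printing the literal `NULL` into the ASN.1 dump is fine, since there it is the ASN.1 keyword. define_type begins before this hunk and continues after it.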
@@ -34,7 +34,7 @@ #include "gen_locl.h" #include <getarg.h> -RCSID("$KTH: main.c,v 1.11 2001/02/20 01:44:52 assar Exp $"); +RCSID("$KTH: main.c,v 1.12 2005/03/31 00:37:42 lha Exp $"); extern FILE *yyin; @@ -57,8 +57,8 @@ int main(int argc, char **argv) { int ret; - char *file; - char *name = NULL; + const char *file; + const char *name = NULL; int optind = 0; if(getarg(args, num_args, argc, argv, &optind)) diff --git a/kerberosV/src/lib/com_err/com_err.c b/kerberosV/src/lib/com_err/com_err.c index 07a1d7f9c7a..ca39e64c72f 100644 --- a/kerberosV/src/lib/com_err/com_err.c +++ b/kerberosV/src/lib/com_err/com_err.c @@ -33,7 +33,7 @@ #ifdef HAVE_CONFIG_H #include <config.h> -RCSID("$KTH: com_err.c,v 1.18 2002/03/10 23:07:01 assar Exp $"); +RCSID("$KTH: com_err.c,v 1.19 2005/04/24 19:42:39 lha Exp $"); #endif #include <stdio.h> #include <stdlib.h> @@ -51,15 +51,14 @@ error_message (long code) const char *p = com_right(_et_list, code); if (p == NULL) { if (code < 0) - snprintf(msg, sizeof (msg), "Unknown error %ld", code); + snprintf(msg, sizeof(msg), "Unknown error %ld", code); else p = strerror(code); } if (p != NULL && *p != '\0') { - strncpy(msg, p, sizeof(msg) - 1); - msg[sizeof(msg) - 1] = 0; + strlcpy(msg, p, sizeof(msg)); } else - snprintf(msg, sizeof (msg), "Unknown error %ld", code); + snprintf(msg, sizeof(msg), "Unknown error %ld", code); return msg; } diff --git a/kerberosV/src/lib/com_err/com_err.h b/kerberosV/src/lib/com_err/com_err.h index 383d88e691b..ccee437d55b 100644 --- a/kerberosV/src/lib/com_err/com_err.h +++ b/kerberosV/src/lib/com_err/com_err.h @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $KTH: com_err.h,v 1.9 2001/05/11 20:03:36 assar Exp $ */ +/* $KTH: com_err.h,v 1.10 2005/02/03 08:42:05 lha Exp $ */ /* MIT compatible com_err library */ 
@@ -44,22 +44,22 @@ #define __attribute__(X) #endif -typedef void (*errf) __P((const char *, long, const char *, va_list)); +typedef void (*errf) (const char *, long, const char *, va_list); -const char * error_message __P((long)); -int init_error_table __P((const char**, long, int)); +const char * error_message (long); +int init_error_table (const char**, long, int); -void com_err_va __P((const char *, long, const char *, va_list)) +void com_err_va (const char *, long, const char *, va_list) __attribute__((format(printf, 3, 0))); -void com_err __P((const char *, long, const char *, ...)) +void com_err (const char *, long, const char *, ...) __attribute__((format(printf, 3, 4))); -errf set_com_err_hook __P((errf)); -errf reset_com_err_hook __P((void)); +errf set_com_err_hook (errf); +errf reset_com_err_hook (void); -const char *error_table_name __P((int num)); +const char *error_table_name (int num); -void add_to_error_table __P((struct et_list *new_table)); +void add_to_error_table (struct et_list *new_table); #endif /* __COM_ERR_H__ */ diff --git a/kerberosV/src/lib/com_err/com_right.h b/kerberosV/src/lib/com_err/com_right.h index 511e2f20dcb..9f70e2699c1 100644 --- a/kerberosV/src/lib/com_err/com_right.h +++ b/kerberosV/src/lib/com_err/com_right.h @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $Id: com_right.h,v 1.3 2003/06/03 09:11:14 hin Exp $ */ +/* $KTH: com_right.h,v 1.12 2005/02/03 08:43:01 lha Exp $ */ #ifndef __COM_RIGHT_H__ #define __COM_RIGHT_H__ @@ -40,14 +40,6 @@ #include <stdarg.h> #endif -#ifndef __P -#ifdef __STDC__ -#define __P(X) X -#else -#define __P(X) () -#endif -#endif - struct error_table { char const * const * msgs; long base; 
@@ -59,8 +51,8 @@ struct et_list { }; extern struct et_list *_et_list; -const char *com_right __P((struct et_list *list, long code)); -void initialize_error_table_r __P((struct et_list **, const char **, int, long)); -void free_error_table __P((struct et_list *)); +const char *com_right (struct et_list *list, long code); +void initialize_error_table_r (struct et_list **, const char **, int, long); +void free_error_table (struct et_list *); #endif /* __COM_RIGHT_H__ */ diff --git a/kerberosV/src/lib/gssapi/gss_acquire_cred.3 b/kerberosV/src/lib/gssapi/gss_acquire_cred.3 index 5bfd2482590..7b58e044559 100644 --- a/kerberosV/src/lib/gssapi/gss_acquire_cred.3 +++ b/kerberosV/src/lib/gssapi/gss_acquire_cred.3 @@ -1,4 +1,4 @@ -.\" Copyright (c) 2003 Kungliga Tekniska Högskolan +.\" Copyright (c) 2003 - 2004 Kungliga Tekniska Högskolan .\" (Royal Institute of Technology, Stockholm, Sweden). .\" All rights reserved. .\" @@ -29,9 +29,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $KTH: gss_acquire_cred.3,v 1.8.2.1 2003/04/28 13:41:42 lha Exp $ +.\" $KTH: gss_acquire_cred.3,v 1.23 2004/09/06 07:08:58 lha Exp $ .\" -.Dd April 2, 2003 +.Dd September 9, 2003 .Dt GSS_ACQUIRE_CRED 3 .Os HEIMDAL .Sh NAME @@ -59,8 +59,11 @@ .Nm gss_inquire_cred_by_mech , .Nm gss_inquire_mechs_for_name , .Nm gss_inquire_names_for_mech , -.Nm gss_krb5_copy_ccache , +.Nm gss_krb5_ccache_name , .Nm gss_krb5_compat_des3_mic , +.Nm gss_krb5_copy_ccache , +.Nm gsskrb5_extract_authz_data_from_sec_context , +.Nm gss_krb5_get_tkt_flags , .Nm gss_process_context_token , .Nm gss_release_buffer , .Nm gss_release_cred , 
@@ -107,7 +110,20 @@ GSS-API library (libgssapi, -lgssapi) .Fa "gss_OID_set * actual_mechs" .Fa "OM_uint32 * time_rec" .Fc -.\" .Fn gss_add_cred +.Ft OM_uint32 +.Fo gss_add_cred +.Fa "OM_uint32 *minor_status" +.Fa "const gss_cred_id_t input_cred_handle" +.Fa "const gss_name_t desired_name" +.Fa "const gss_OID desired_mech" +.Fa "gss_cred_usage_t cred_usage" +.Fa "OM_uint32 initiator_time_req" +.Fa "OM_uint32 acceptor_time_req" +.Fa "gss_cred_id_t *output_cred_handle" +.Fa "gss_OID_set *actual_mechs" +.Fa "OM_uint32 *initiator_time_rec" +.Fa "OM_uint32 *acceptor_time_rec" +.Fc .Ft OM_uint32 .Fo gss_add_oid_set_member .Fa "OM_uint32 * minor_status" @@ -244,12 +260,31 @@ GSS-API library (libgssapi, -lgssapi) .Fc .Ft OM_uint32 .Fo gss_inquire_cred_by_mech +.Fa "OM_uint32 * minor_status" +.Fa "const gss_cred_id_t cred_handle" +.Fa "const gss_OID mech_type" +.Fa "gss_name_t * name" +.Fa "OM_uint32 * initiator_lifetime" +.Fa "OM_uint32 * acceptor_lifetime" +.Fa "gss_cred_usage_t * cred_usage" .Fc .Ft OM_uint32 .Fo gss_inquire_mechs_for_name +.Fa "OM_uint32 * minor_status" +.Fa "const gss_name_t input_name" +.Fa "gss_OID_set * mech_types" .Fc .Ft OM_uint32 .Fo gss_inquire_names_for_mech +.Fa "OM_uint32 * minor_status" +.Fa "const gss_OID mechanism" +.Fa "gss_OID_set * name_types" +.Fc +.Ft OM_uint32 +.Fo gss_krb5_ccache_name +.Fa "OM_uint32 *minor" +.Fa "const char *name" +.Fa "const char **old_name" .Fc .Ft OM_uint32 .Fo gss_krb5_copy_ccache 
@@ -264,7 +299,23 @@ GSS-API library (libgssapi, -lgssapi) .Fa "int onoff" .Fc .Ft OM_uint32 +.Fo gsskrb5_extract_authz_data_from_sec_context +.Fa "OM_uint32 *minor_status" +.Fa "gss_ctx_id_t context_handle" +.Fa "int ad_type" +.Fa "gss_buffer_t ad_data" +.Fc +.Ft OM_uint32 +.Fo gss_krb5_get_tkt_flags +.Fa "OM_uint32 *minor_status" +.Fa "gss_ctx_id_t context_handle" +.Fa "OM_uint32 *tkt_flags" +.Fc +.Ft OM_uint32 .Fo gss_process_context_token +.Fa "OM_uint32 * minor_status" +.Fa "const gss_ctx_id_t context_handle" +.Fa "const gss_buffer_t token_buffer" .Fc .Ft OM_uint32 .Fo gss_release_buffer @@ -370,9 +421,12 @@ are described in RFC 2743 and RFC 2744. Version 1 (deprecated) of the C binding is described in RFC 1509. .Pp Heimdals GSS-API implementation supports the following mechanisms -.Bl -bullet +.Pp +.Bl -bullet -offset indent -compact .It .Li GSS_KRB5_MECHANISM +.It +.Li GSS_SPNEGO_MECHANISM .El .Pp GSS-API have generic name types that all mechanism are supposed to 
@@ -407,6 +461,82 @@ name types: .Li GSS_KRB5_NT_STRING_UID_NAME .El .Pp +In GSS-API, names have two forms, internal names and contiguous string +names. +.Bl -bullet +.It +.Li Internal name and mechanism name +.Pp +Internal names are implementation specific representation of +a GSS-API name. +.Li Mechanism names +special form of internal names corresponds to one and only one mechanism. +.Pp +In GSS-API an internal name is stored in a +.Dv gss_name_t . +.It +.Li Contiguous string name and exported name +.Pp +Contiguous string names are gssapi names stored in a +.Dv OCTET STRING +that together with a name type identifier (OID) uniquely specifies a +gss-name. +A special form of the contiguous string name is the exported name that +have a OID embedded in the string to make it unique. +Exported name have the nametype +.Dv GSS_C_NT_EXPORT_NAME . +.Pp +In GSS-API an contiguous string name is stored in a +.Dv gss_buffer_t . +.Pp +Exported names also have the property that they are specified by the +mechanism itself and compatible between diffrent GSS-API +implementations. +.El +.Sh ACCESS CONTROL +There are two ways of comparing GSS-API names, either comparing two +internal names with each other or two contiguous string names with +either other. +.Pp +To compare two internal names with each other, import (if needed) the +names with +.Fn gss_import_name +into the GSS-API implementation and the compare the imported name with +.Fn gss_compare_name . +.Pp +Importing names can be slow, so when its possible to store exported +names in the access control list, comparing contiguous string name +might be better. +.Pp +when comparing contiguous string name, first export them into a +.Dv GSS_C_NT_EXPORT_NAME +name with +.Fn gss_export_name +and then compare with +.Xr memcmp 3 . +.Pp +Note that there are might be a difference between the two methods of +comparing names. +The first (using +.Fn gss_compare_name ) +will compare to (unauthenticated) names are the same. 
+The second will compare if a mechanism will authenticate them as the +same principal. +.Pp +For example, if +.Fn gss_import_name +name was used with +.Dv GSS_C_NO_OID +the default syntax is used for all mechanism the GSS-API +implementation supports. +When compare the imported name of +.Dv GSS_C_NO_OID +it may match serveral mechanism names (MN). +.Pp +The resulting name from +.Fn gss_display_name +must not be used for acccess control. +.Sh FUNCTIONS .Fn gss_display_name takes the gss name in .Fa input_name @@ -421,9 +551,35 @@ can either be or a pointer to a .Li gss_OID and will in the latter case contain the OID type of the name. -The name should only be used for printing. -Access control should be done with the result of -.Fn gss_export_name . +The name must only be used for printing. +If access control is needed, see section +.Sx ACCESS CONTROL . +.Pp +.Fn gss_inquire_context +returns information about the context. +Information is available even after the context have expired. +.Fa lifetime_rec +argument is set to +.Dv GSS_C_INDEFINITE +(dont expire) or the number of seconds that the context is still valid. +A value of 0 means that the context is expired. +.Fa mech_type +argument should be considered readonly and must not be released. +.Fa src_name +and +.Fn dest_name +are both mechanims names and must be released with +.Fn gss_release_name +when no longer used. +.Pp +.Nm gss_context_time +will return the amount of time (in seconds) of the context is still +valid. +If its expired +.Fa time_rec +will be set to 0 and +.Dv GSS_S_CONTEXT_EXPIRED +returned. .Pp .Fn gss_sign , .Fn gss_verify , 
@@ -434,17 +590,47 @@ are part of the GSS-API V1 interface and are obsolete. The functions should not be used for new applications. They are provided so that version 1 applications can link against the library. +.Sh EXTENSIONS +.Fn gss_krb5_ccache_name +sets the internal kerberos 5 credential cache name to +.Fa name . +The old name is returned in +.Fa old_name , +and must not be freed. +The data allocated for +.Fa old_name +is free upon next call to +.Fn gss_krb5_ccache_name . +This function is not threadsafe if +.Fa old_name +argument is used. .Pp .Fn gss_krb5_copy_ccache -is an extension to the GSS-API API. -The function will extract the krb5 credentials that are transferred from -the initiator to the acceptor when using token delegation in the -Kerberos mechanism. +will extract the krb5 credentials that are transferred from the +initiator to the acceptor when using token delegation in the Kerberos +mechanism. The acceptor receives the delegated token in the last argument to .Fn gss_accept_sec_context . .Pp -.Nm gss_krb5_compat_des3_mic -turns on or off the compatibility with older versions of Heimdal using +.Fn gsskrb5_register_acceptor_identity +sets the Kerberos 5 principal that the acceptor will use. +.Pp +.Fn gsskrb5_extract_authz_data_from_sec_context +extracts the Kerberos authorizationdata that may be stored within the +context. +Tha caller must free the returned buffer +.Fa ad_data +with +.Fn gss_release_buffer +upon success. +.Pp +.Fn gss_krb5_get_tkt_flags +return the ticket flags for the kerberos ticket receive when +authenticating the initiator. +Only valid on the acceptor context. +.Pp +.Fn gss_krb5_compat_des3_mic +turns on or off the compatibility with older version of Heimdal using des3 get and verify mic, this is way to programmatically set the [gssapi]broken_des3_mic and [gssapi]correct_des3_mic flags (see COMPATIBILITY section in 
@@ -452,9 +638,9 @@ COMPATIBILITY section in If the CPP symbol .Dv GSS_C_KRB5_COMPAT_DES3_MIC is present, -.Nm gss_krb5_compat_des3_mic +.Fn gss_krb5_compat_des3_mic exists. -.Nm gss_krb5_compat_des3_mic +.Fn gss_krb5_compat_des3_mic will be removed in a later version of the GSS-API library. .Sh SEE ALSO .Xr gssapi 3 , diff --git a/kerberosV/src/lib/gssapi/gssapi.3 b/kerberosV/src/lib/gssapi/gssapi.3 index 3b85a556799..5ee61fa583b 100644 --- a/kerberosV/src/lib/gssapi/gssapi.3 +++ b/kerberosV/src/lib/gssapi/gssapi.3 @@ -1,4 +1,4 @@ -.\" Copyright (c) 2003 Kungliga Tekniska Högskolan +.\" Copyright (c) 2003 - 2005 Kungliga Tekniska Högskolan .\" (Royal Institute of Technology, Stockholm, Sweden). .\" All rights reserved. .\" @@ -29,9 +29,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $KTH: gssapi.3,v 1.5.2.2 2003/04/30 09:56:26 lha Exp $ +.\" $KTH: gssapi.3,v 1.11 2005/04/20 10:46:15 lha Exp $ .\" -.Dd January 23, 2003 +.Dd April 20, 2005 .Dt GSSAPI 3 .Os .Sh NAME @@ -45,6 +45,9 @@ provides security services to callers in a generic fashion, supportable with a range of underlying mechanisms and technologies and hence allowing source-level portability of applications to different environments. +.Pp +The GSS-API implementation in Heimdal implements the Kerberos 5 and +the SPNEGO GSS-API security mechanisms. .Sh LIST OF FUNCTIONS These functions constitute the gssapi library, .Em libgssapi . @@ -80,7 +83,10 @@ gss_inquire_cred.3 gss_inquire_cred_by_mech.3 gss_inquire_mechs_for_name.3 gss_inquire_names_for_mech.3 +gss_krb5_ccache_name.3 gss_krb5_copy_ccache.3 +gss_krb5_compat_des3_mic.3 +gss_krb5_extract_authz_data_from_sec_context.3 gss_process_context_token.3 gss_release_buffer.3 gss_release_cred.3 
@@ -106,15 +112,15 @@ implementations when using .Fn gss_get_mic / .Fn gss_verify_mic . -Its possible to modify the behavior of the generator of the MIC with +It is possible to modify the behavior of the generator of the MIC with the .Pa krb5.conf configuration file so that old clients/servers will still work. .Pp New clients/servers will try both the old and new MIC in Heimdal 0.6. -In 0.7 it will check only if configured and the compatibility code -will be removed in 0.8. +In 0.7 it will check only if configured - the compatibility code will +be removed in 0.8. .Pp Heimdal 0.6 still generates by default the broken GSS-API DES3 mic, this will change in 0.7 to generate correct des3 mic. @@ -140,12 +146,24 @@ the later will override. .Pp This config option modifies behaviour for both clients and servers. .Pp -Example: +Microsoft implemented SPNEGO to Windows2000, however, they manage to +get it wrong, their implementation didn't fill in the MechListMIC in +the reply token with the right content. +There is a work around for this problem, but not all implementation +support it. +.Pp +Heimdal defaults to correct SPNEGO when the the kerberos +implementation uses CFX, or when its configured by the user. +To turn on compatibility with peers, use option +.Nm [gssapi] +.Ar require_mechlist_mic . +.Sh EXAMPLES .Bd -literal -offset indent [gssapi] broken_des3_mic = cvs/*@SU.SE broken_des3_mic = host/*@E.KTH.SE correct_des3_mic = host/*@SU.SE + require_mechlist_mic = host/*@SU.SE .Ed .Sh BUGS All of 0.5.x versions of diff --git a/kerberosV/src/lib/hdb/convert_db.c b/kerberosV/src/lib/hdb/convert_db.c index 7e3a56c58c9..129eed76aca 100644 --- a/kerberosV/src/lib/hdb/convert_db.c +++ b/kerberosV/src/lib/hdb/convert_db.c 
@@ -41,7 +41,7 @@ #include <getarg.h> #include <err.h> -RCSID("$KTH: convert_db.c,v 1.12 2001/02/20 01:44:53 assar Exp $"); +RCSID("$KTH: convert_db.c,v 1.13 2003/09/19 00:17:42 lha Exp $"); static krb5_error_code update_keytypes(krb5_context context, HDB *db, hdb_entry *entry, void *data) @@ -81,7 +81,7 @@ update_keytypes(krb5_context context, HDB *db, hdb_entry *entry, void *data) save_val = entry->keys.val; entry->keys.len = n; entry->keys.val = k; - ret = new->store(context, new, HDB_F_REPLACE, entry); + ret = new->hdb_store(context, new, HDB_F_REPLACE, entry); entry->keys.len = save_len; entry->keys.val = save_val; for(i = 0; i < n; i++) @@ -94,14 +94,14 @@ static krb5_error_code update_version2(krb5_context context, HDB *db, hdb_entry *entry, void *data) { HDB *new = data; - if(!db->master_key_set) { + if(!db->hdb_master_key_set) { int i; for(i = 0; i < entry->keys.len; i++) { free(entry->keys.val[i].mkvno); entry->keys.val[i].mkvno = NULL; } } - new->store(context, new, HDB_F_REPLACE, entry); + new->hdb_store(context, new, HDB_F_REPLACE, entry); return 0; } @@ -167,7 +167,7 @@ main(int argc, char **argv) if (ret) krb5_err(context, 1, ret, "hdb_set_master_keyfile"); } - ret = db->open(context, db, O_RDONLY, 0); + ret = db->hdb_open(context, db, O_RDONLY, 0); if(ret == HDB_ERR_BADVERSION) { krb5_data tag; krb5_data version; @@ -175,7 +175,7 @@ main(int argc, char **argv) unsigned ver; tag.data = HDB_DB_FORMAT_ENTRY; tag.length = strlen(tag.data); - ret = (*db->_get)(context, db, tag, &version); + ret = (*db->hdb__get)(context, db, tag, &version); if(ret) krb5_errx(context, 1, "database is wrong version, " "but couldn't find version key (%s)", 
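Review bot: In `update_version2` the result of `new->hdb_store(context, new, HDB_F_REPLACE, entry)` is discarded and the callback always returns 0, so a store failure during conversion leaves the new database silently missing entries while `main` goes on to report that it wrote the converted database. `update_keytypes` in the hunk above assigns the same call to `ret`; doing the same here, `return new->hdb_store(context, new, HDB_F_REPLACE, entry);`, lets the enclosing hdb_foreach (its call for this callback is outside this hunk) stop on the first error and report it the way the `update_keytypes` pass already does.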
@@ -195,7 +195,7 @@ main(int argc, char **argv) ver, HDB_DB_FORMAT); } else if(ret) krb5_err(context, 1, ret, "%s", old_database); - ret = new->open(context, new, O_CREAT|O_EXCL|O_RDWR, 0600); + ret = new->hdb_open(context, new, O_CREAT|O_EXCL|O_RDWR, 0600); if(ret) krb5_err(context, 1, ret, "%s", new_database); if(update_version) @@ -204,8 +204,8 @@ main(int argc, char **argv) ret = hdb_foreach(context, db, 0, update_keytypes, new); if(ret != 0) krb5_err(context, 1, ret, "hdb_foreach"); - db->close(context, db); - new->close(context, new); + db->hdb_close(context, db); + new->hdb_close(context, new); krb5_warnx(context, "wrote converted database to `%s'", new_database); return 0; } diff --git a/kerberosV/src/lib/hdb/hdb_locl.h b/kerberosV/src/lib/hdb/hdb_locl.h index 1d9976615e3..1d58cb0feaf 100644 --- a/kerberosV/src/lib/hdb/hdb_locl.h +++ b/kerberosV/src/lib/hdb/hdb_locl.h @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $KTH: hdb_locl.h,v 1.18.4.1 2003/09/10 22:04:39 lha Exp $ */ +/* $KTH: hdb_locl.h,v 1.19 2003/09/10 21:54:58 lha Exp $ */ #ifndef __HDB_LOCL_H__ #define __HDB_LOCL_H__ diff --git a/kerberosV/src/lib/hdb/mkey.c b/kerberosV/src/lib/hdb/mkey.c index 930f6589d83..75f60227c3a 100644 --- a/kerberosV/src/lib/hdb/mkey.c +++ b/kerberosV/src/lib/hdb/mkey.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000 - 2002 Kungliga Tekniska Högskolan + * Copyright (c) 2000 - 2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -36,7 +36,7 @@ #define O_BINARY 0 #endif -RCSID("$KTH: mkey.c,v 1.15 2003/03/28 02:01:33 lha Exp $"); +RCSID("$KTH: mkey.c,v 1.18.4.2 2005/08/19 13:23:11 lha Exp $"); struct hdb_master_key_data { krb5_keytab_entry keytab; @@ -148,7 +148,7 @@ read_master_mit(krb5_context context, const char *filename, int fd; krb5_error_code ret; krb5_storage *sp; - u_int16_t enctype; + int16_t enctype; krb5_keyblock key; fd = open(filename, O_RDONLY | O_BINARY); 
@@ -372,50 +372,62 @@ find_master_key(Key *key, hdb_master_key mkey) } krb5_error_code -hdb_unseal_keys_mkey(krb5_context context, hdb_entry *ent, hdb_master_key mkey) +hdb_unseal_key_mkey(krb5_context context, Key *k, hdb_master_key mkey) { - int i; + krb5_error_code ret; krb5_data res; size_t keysize; - Key *k; - for(i = 0; i < ent->keys.len; i++){ - hdb_master_key key; + hdb_master_key key; - k = &ent->keys.val[i]; - if(k->mkvno == NULL) - continue; + if(k->mkvno == NULL) + return 0; + + key = find_master_key(k, mkey); + + if (key == NULL) + return HDB_ERR_NO_MKEY; - key = find_master_key(&ent->keys.val[i], mkey); + ret = krb5_decrypt(context, key->crypto, HDB_KU_MKEY, + k->key.keyvalue.data, + k->key.keyvalue.length, + &res); + if (ret) + return ret; - if (key == NULL) - return HDB_ERR_NO_MKEY; + /* fixup keylength if the key got padded when encrypting it */ + ret = krb5_enctype_keysize(context, k->key.keytype, &keysize); + if (ret) { + krb5_data_free(&res); + return ret; + } + if (keysize > res.length) { + krb5_data_free(&res); + return KRB5_BAD_KEYSIZE; + } - ret = krb5_decrypt(context, key->crypto, HDB_KU_MKEY, - k->key.keyvalue.data, - k->key.keyvalue.length, - &res); - if (ret) - return ret; + memset(k->key.keyvalue.data, 0, k->key.keyvalue.length); + free(k->key.keyvalue.data); + k->key.keyvalue = res; + k->key.keyvalue.length = keysize; + free(k->mkvno); + k->mkvno = NULL; - /* fixup keylength if the key got padded when encrypting it */ - ret = krb5_enctype_keysize(context, k->key.keytype, &keysize); - if (ret) { - krb5_data_free(&res); + return 0; +} + +krb5_error_code +hdb_unseal_keys_mkey(krb5_context context, hdb_entry *ent, hdb_master_key mkey) +{ + int i; + + for(i = 0; i < ent->keys.len; i++){ + krb5_error_code ret; + + ret = hdb_unseal_key_mkey(context, &ent->keys.val[i], mkey); + if (ret) return ret; - } - if (keysize > res.length) { - krb5_data_free(&res); - return KRB5_BAD_KEYSIZE; - } - - memset(k->key.keyvalue.data, 0, 
k->key.keyvalue.length); - free(k->key.keyvalue.data); - k->key.keyvalue = res; - k->key.keyvalue.length = keysize; - free(k->mkvno); - k->mkvno = NULL; } return 0; } 
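Review bot: The `memset(k->key.keyvalue.data, 0, k->key.keyvalue.length)` placed directly before `free(k->key.keyvalue.data)` in hdb_unseal_key_mkey is a dead store that the optimizer is entitled to drop, so the old buffer is not reliably cleared; wipe it through a `volatile unsigned char *` loop or `explicit_bzero` where the platform provides one, and treat the identical sequence in the seal path the same way. On this side the bytes being cleared are the sealed form of the key, so the exposure is smaller than on the seal side, but the idiom is the same. The early `if(k->mkvno == NULL) return 0;` is the pivot of the whole seal/unseal state and is not explained here; a one-liner such as `/* mkvno == NULL: key is stored in the clear, nothing to unseal */` would stop the next reader from guessing.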
@@ -423,44 +435,63 @@ hdb_unseal_keys_mkey(krb5_context context, hdb_entry *ent, hdb_master_key mkey) krb5_error_code hdb_unseal_keys(krb5_context context, HDB *db, hdb_entry *ent) { - if (db->master_key_set == 0) + if (db->hdb_master_key_set == 0) return 0; - return hdb_unseal_keys_mkey(context, ent, db->master_key); + return hdb_unseal_keys_mkey(context, ent, db->hdb_master_key); } krb5_error_code -hdb_seal_keys_mkey(krb5_context context, hdb_entry *ent, hdb_master_key mkey) +hdb_unseal_key(krb5_context context, HDB *db, Key *k) +{ + if (db->hdb_master_key_set == 0) + return 0; + return hdb_unseal_key_mkey(context, k, db->hdb_master_key); +} + +krb5_error_code +hdb_seal_key_mkey(krb5_context context, Key *k, hdb_master_key mkey) { - int i; krb5_error_code ret; krb5_data res; - for(i = 0; i < ent->keys.len; i++){ - Key *k = &ent->keys.val[i]; - hdb_master_key key; + hdb_master_key key; - if(k->mkvno != NULL) - continue; + if(k->mkvno != NULL) + return 0; - key = find_master_key(k, mkey); + key = find_master_key(k, mkey); - if (key == NULL) - return HDB_ERR_NO_MKEY; + if (key == NULL) + return HDB_ERR_NO_MKEY; - ret = krb5_encrypt(context, key->crypto, HDB_KU_MKEY, - k->key.keyvalue.data, - k->key.keyvalue.length, - &res); - if (ret) - return ret; + ret = krb5_encrypt(context, key->crypto, HDB_KU_MKEY, + k->key.keyvalue.data, + k->key.keyvalue.length, + &res); + if (ret) + return ret; + + memset(k->key.keyvalue.data, 0, k->key.keyvalue.length); + free(k->key.keyvalue.data); + k->key.keyvalue = res; + + k->mkvno = malloc(sizeof(*k->mkvno)); + if (k->mkvno == NULL) + return ENOMEM; + *k->mkvno = key->keytab.vno; + + return 0; +} - memset(k->key.keyvalue.data, 0, k->key.keyvalue.length); - free(k->key.keyvalue.data); - k->key.keyvalue = res; +krb5_error_code +hdb_seal_keys_mkey(krb5_context context, hdb_entry *ent, hdb_master_key mkey) +{ + int i; + for(i = 0; i < ent->keys.len; i++){ + krb5_error_code ret; - k->mkvno = malloc(sizeof(*k->mkvno)); - if (k->mkvno == 
NULL) - return ENOMEM; - *k->mkvno = key->keytab.vno; + ret = hdb_seal_key_mkey(context, &ent->keys.val[i], mkey); + if (ret) + return ret; } return 0; } @@ -468,10 +499,19 @@ hdb_seal_keys_mkey(krb5_context context, hdb_entry *ent, hdb_master_key mkey) krb5_error_code hdb_seal_keys(krb5_context context, HDB *db, hdb_entry *ent) { - if (db->master_key_set == 0) + if (db->hdb_master_key_set == 0) + return 0; + + return hdb_seal_keys_mkey(context, ent, db->hdb_master_key); +} + +krb5_error_code +hdb_seal_key(krb5_context context, HDB *db, Key *k) +{ + if (db->hdb_master_key_set == 0) return 0; - return hdb_seal_keys_mkey(context, ent, db->master_key); + return hdb_seal_key_mkey(context, k, db->hdb_master_key); } krb5_error_code @@ -485,11 +525,11 @@ hdb_set_master_key (krb5_context context, ret = hdb_process_master_key(context, 0, key, 0, &mkey); if (ret) return ret; - db->master_key = mkey; + db->hdb_master_key = mkey; #if 0 /* XXX - why? */ des_set_random_generator_seed(key.keyvalue.data); #endif - db->master_key_set = 1; + db->hdb_master_key_set = 1; return 0; } @@ -508,8 +548,8 @@ hdb_set_master_keyfile (krb5_context context, krb5_clear_error_string(context); return 0; } - db->master_key = key; - db->master_key_set = 1; + db->hdb_master_key = key; + db->hdb_master_key_set = 1; return ret; } @@ -517,9 +557,9 @@ krb5_error_code hdb_clear_master_key (krb5_context context, HDB *db) { - if (db->master_key_set) { - hdb_free_master_key(context, db->master_key); - db->master_key_set = 0; + if (db->hdb_master_key_set) { + hdb_free_master_key(context, db->hdb_master_key); + db->hdb_master_key_set = 0; } return 0; } diff --git a/kerberosV/src/lib/kadm5/dump_log.c b/kerberosV/src/lib/kadm5/dump_log.c index 378433e1b2b..8446bdb2dbe 100644 --- a/kerberosV/src/lib/kadm5/dump_log.c +++ b/kerberosV/src/lib/kadm5/dump_log.c 
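Review bot: hdb_seal_key_mkey can leave a key in an inconsistent state: when `k->mkvno = malloc(sizeof(*k->mkvno))` fails it returns ENOMEM after `k->key.keyvalue` has already been replaced by the ciphertext, but `mkvno` is still NULL, which the unseal path reads as "stored in the clear". A later seal would then encrypt the ciphertext a second time and a later read would hand out ciphertext as the key. Allocate the version slot before calling `krb5_encrypt` and release it if the encrypt fails, so nothing can fail once the keyvalue swap has happened. Separately, the `memset` before `free` on the plaintext key is a dead store the compiler may elide; use a volatile-pointer wipe or `explicit_bzero` where available.
```c
krb5_error_code
hdb_seal_key_mkey(krb5_context context, Key *k, hdb_master_key mkey)
{
    /* … unchanged: mkvno check, find_master_key lookup … */

    /*
     * Take the version slot before encrypting so that no step can
     * fail after keyvalue has been replaced by the ciphertext.
     */
    k->mkvno = malloc(sizeof(*k->mkvno));
    if (k->mkvno == NULL)
        return ENOMEM;

    ret = krb5_encrypt(context, key->crypto, HDB_KU_MKEY,
                       k->key.keyvalue.data, k->key.keyvalue.length, &res);
    if (ret) {
        free(k->mkvno);
        k->mkvno = NULL;
        return ret;
    }

    /* … unchanged: wipe and free the plaintext, k->key.keyvalue = res … */
    *k->mkvno = key->keytab.vno;

    return 0;
}
```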
@@ -34,7 +34,7 @@ #include "iprop.h" #include "parse_time.h" -RCSID("$KTH: dump_log.c,v 1.13 2003/04/16 17:56:02 lha Exp $"); +RCSID("$KTH: dump_log.c,v 1.16 2005/04/25 18:17:51 lha Exp $"); static char *op_names[] = { "get", @@ -150,7 +150,7 @@ print_entry(kadm5_server_context *server_context, } if(mask & KADM5_ATTRIBUTES) { unparse_flags(HDBFlags2int(ent.flags), - HDBFlags_units, t, sizeof(t)); + asn1_HDBFlags_units(), t, sizeof(t)); printf(" attributes = %s\n", t); } if(mask & KADM5_MAX_LIFE) { @@ -214,10 +214,12 @@ print_entry(kadm5_server_context *server_context, } static char *realm; +static char *config_file; static int version_flag; static int help_flag; static struct getargs args[] = { + { "config-file", 'c', arg_string, &config_file }, { "realm", 'r', arg_string, &realm }, { "version", 0, arg_flag, &version_flag }, { "help", 0, arg_flag, &help_flag } @@ -232,6 +234,7 @@ main(int argc, char **argv) void *kadm_handle; kadm5_server_context *server_context; kadm5_config_params conf; + char **files; krb5_program_setup(&context, argc, argv, args, num_args, NULL); @@ -242,6 +245,18 @@ main(int argc, char **argv) exit(0); } + if (config_file == NULL) + config_file = HDB_DB_DIR "/kdc.conf"; + + ret = krb5_prepend_config_files_default(config_file, &files); + if (ret) + krb5_err(context, 1, ret, "getting configuration files"); + + ret = krb5_set_config_files(context, files); + krb5_free_config_files(files); + if (ret) + krb5_err(context, 1, ret, "reading configuration files"); + memset(&conf, 0, sizeof(conf)); if(realm) { conf.mask |= KADM5_CONFIG_REALM; diff --git a/kerberosV/src/lib/kadm5/iprop.h b/kerberosV/src/lib/kadm5/iprop.h index ef642267fa8..5fb5c934df0 100644 --- a/kerberosV/src/lib/kadm5/iprop.h +++ b/kerberosV/src/lib/kadm5/iprop.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 1998-2002 Kungliga Tekniska Högskolan + * Copyright (c) 1998-2003 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * 
@@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $KTH: iprop.h,v 1.7 2002/07/04 14:39:19 joda Exp $ */ +/* $KTH: iprop.h,v 1.9 2003/11/23 06:24:16 lha Exp $ */ #ifndef __IPROP_H__ #define __IPROP_H__ @@ -46,6 +46,8 @@ #include <util.h> #endif +#include <parse_time.h> + #define IPROP_VERSION "iprop-0.0" #define KADM5_SLAVE_ACL HDB_DB_DIR "/slaves" @@ -62,7 +64,9 @@ enum iprop_cmd { I_HAVE = 1, FOR_YOU = 2, TELL_YOU_EVERYTHING = 3, ONE_PRINC = 4, - NOW_YOU_HAVE = 5 + NOW_YOU_HAVE = 5, + ARE_YOU_THERE = 6, + I_AM_HERE = 7 }; #endif /* __IPROP_H__ */ diff --git a/kerberosV/src/lib/kadm5/ipropd_master.c b/kerberosV/src/lib/kadm5/ipropd_master.c index f02fa4e29b0..3c4fee3c594 100644 --- a/kerberosV/src/lib/kadm5/ipropd_master.c +++ b/kerberosV/src/lib/kadm5/ipropd_master.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -34,11 +34,16 @@ #include "iprop.h" #include <rtbl.h> -RCSID("$KTH: ipropd_master.c,v 1.29 2003/03/19 11:56:38 lha Exp $"); +RCSID("$KTH: ipropd_master.c,v 1.42 2005/05/23 17:38:46 lha Exp $"); static krb5_log_facility *log_facility; const char *slave_stats_file = KADM5_SLAVE_STATS; +const char *slave_time_missing = "2 min"; +const char *slave_time_gone = "5 min"; + +static int time_before_missing; +static int time_before_gone; static int make_signal_socket (krb5_context context) @@ -59,7 +64,7 @@ make_signal_socket (krb5_context context) } static int -make_listen_socket (krb5_context context) +make_listen_socket (krb5_context context, const char *port_str) { int fd; int one = 1; 
@@ -71,8 +76,24 @@ make_listen_socket (krb5_context context) setsockopt (fd, SOL_SOCKET, SO_REUSEADDR, (void *)&one, sizeof(one)); memset (&addr, 0, sizeof(addr)); addr.sin_family = AF_INET; - addr.sin_port = krb5_getportbyname (context, - IPROP_SERVICE, "tcp", IPROP_PORT); + + if (port_str) { + addr.sin_port = krb5_getportbyname (context, + port_str, "tcp", + 0); + if (addr.sin_port == 0) { + char *ptr; + long port; + + port = strtol (port_str, &ptr, 10); + if (port == 0 && ptr == port_str) + krb5_errx (context, 1, "bad port `%s'", port_str); + addr.sin_port = htons(port); + } + } else { + addr.sin_port = krb5_getportbyname (context, IPROP_SERVICE, + "tcp", IPROP_PORT); + } if(bind(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0) krb5_err (context, 1, errno, "bind"); if (listen(fd, SOMAXCONN) < 0) @@ -89,6 +110,7 @@ struct slave { time_t seen; unsigned long flags; #define SLAVE_F_DEAD 0x1 +#define SLAVE_F_AYT 0x2 struct slave *next; }; @@ -119,9 +141,26 @@ check_acl (krb5_context context, const char *name) static void slave_seen(slave *s) { + s->flags &= ~SLAVE_F_AYT; s->seen = time(NULL); } +static int +slave_missing_p (slave *s) +{ + if (time(NULL) > s->seen + time_before_missing) + return 1; + return 0; +} + +static int +slave_gone_p (slave *s) +{ + if (time(NULL) > s->seen + time_before_gone) + return 1; + return 0; +} + static void slave_dead(slave *s) { @@ -243,6 +282,7 @@ static int prop_one (krb5_context context, HDB *db, hdb_entry *entry, void *v) { krb5_error_code ret; + krb5_storage *sp; krb5_data data; struct slave *slave = (struct slave *)v; 
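Review bot: The numeric fallback in make_listen_socket accepts almost any string as a port: `strtol` is only rejected when it consumed nothing, so `80abc`, `-5` or `70000` all pass and are silently truncated by `htons(port)`. Tighten it to `if (*ptr != '\0' || port < 1 || port > 65535) krb5_errx (context, 1, "bad port `%s'", port_str);` (the `port == 0 &&` half of the current test is redundant, since strtol already returns 0 when `ptr == port_str`). The same fragment is pasted verbatim into ipropd_slave's connect_to_master, so a small shared helper declared in iprop.h would keep the two from drifting apart.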
@@ -255,7 +295,13 @@ prop_one (krb5_context context, HDB *db, hdb_entry *entry, void *v) return ret; } memmove ((char *)data.data + 4, data.data, data.length - 4); - _krb5_put_int (data.data, ONE_PRINC, 4); + sp = krb5_storage_from_data(&data); + if (sp == NULL) { + krb5_data_free (&data); + return ENOMEM; + } + krb5_store_int32(sp, ONE_PRINC); + krb5_storage_free(sp); ret = krb5_write_priv_message (context, slave->ac, &slave->fd, &data); krb5_data_free (&data); @@ -267,6 +313,7 @@ send_complete (krb5_context context, slave *s, const char *database, u_int32_t current_version) { krb5_error_code ret; + krb5_storage *sp; HDB *db; krb5_data data; char buf[8]; @@ -274,11 +321,15 @@ send_complete (krb5_context context, slave *s, ret = hdb_create (context, &db, database); if (ret) krb5_err (context, 1, ret, "hdb_create: %s", database); - ret = db->open (context, db, O_RDONLY, 0); + ret = db->hdb_open (context, db, O_RDONLY, 0); if (ret) krb5_err (context, 1, ret, "db->open"); - _krb5_put_int(buf, TELL_YOU_EVERYTHING, 4); + sp = krb5_storage_from_mem (buf, 4); + if (sp == NULL) + krb5_errx (context, 1, "krb5_storage_from_mem"); + krb5_store_int32 (sp, TELL_YOU_EVERYTHING); + krb5_storage_free (sp); data.data = buf; data.length = 4; @@ -298,8 +349,16 @@ send_complete (krb5_context context, slave *s, return ret; } - _krb5_put_int (buf, NOW_YOU_HAVE, 4); - _krb5_put_int (buf + 4, current_version, 4); + (*db->hdb_close)(context, db); + (*db->hdb_destroy)(context, db); + + sp = krb5_storage_from_mem (buf, 8); + if (sp == NULL) + krb5_errx (context, 1, "krb5_storage_from_mem"); + krb5_store_int32 (sp, NOW_YOU_HAVE); + krb5_store_int32 (sp, current_version); + krb5_storage_free (sp); + data.length = 8; s->version = current_version; 
@@ -317,6 +376,42 @@ send_complete (krb5_context context, slave *s, } static int +send_are_you_there (krb5_context context, slave *s) +{ + krb5_storage *sp; + krb5_data data; + char buf[4]; + int ret; + + if (s->flags & (SLAVE_F_DEAD|SLAVE_F_AYT)) + return 0; + + s->flags |= SLAVE_F_AYT; + + data.data = buf; + data.length = 4; + + sp = krb5_storage_from_mem (buf, 4); + if (sp == NULL) { + krb5_warnx (context, "are_you_there: krb5_data_alloc"); + slave_dead(s); + return 1; + } + krb5_store_int32 (sp, ARE_YOU_THERE); + krb5_storage_free (sp); + + ret = krb5_write_priv_message(context, s->ac, &s->fd, &data); + + if (ret) { + krb5_warn (context, ret, "are_you_there: krb5_write_priv_message"); + slave_dead(s); + return 1; + } + + return 0; +} + +static int send_diffs (krb5_context context, slave *s, int log_fd, const char *database, u_int32_t current_version) { @@ -348,17 +443,29 @@ send_diffs (krb5_context context, slave *s, int log_fd, if (left == 0) return send_complete (context, s, database, current_version); } - krb5_data_alloc (&data, right - left + 4); + ret = krb5_data_alloc (&data, right - left + 4); + if (ret) { + krb5_warn (context, ret, "send_diffs: krb5_data_alloc"); + slave_dead(s); + return 1; + } krb5_storage_read (sp, (char *)data.data + 4, data.length - 4); krb5_storage_free(sp); - _krb5_put_int(data.data, FOR_YOU, 4); + sp = krb5_storage_from_data (&data); + if (sp == NULL) { + krb5_warnx (context, "send_diffs: krb5_storage_from_data"); + slave_dead(s); + return 1; + } + krb5_store_int32 (sp, FOR_YOU); + krb5_storage_free(sp); ret = krb5_write_priv_message(context, s->ac, &s->fd, &data); krb5_data_free(&data); if (ret) { - krb5_warn (context, ret, "krb5_write_priv_message"); + krb5_warn (context, ret, "send_diffs: krb5_write_priv_message"); slave_dead(s); return 1; } 
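Review bot: In send_diffs the byte count returned by `krb5_storage_read (sp, (char *)data.data + 4, data.length - 4)` is discarded, so a short read leaves the tail of the freshly allocated buffer unwritten and those bytes are shipped to the slave inside the FOR_YOU message; unless krb5_data_alloc zeroes the buffer, which nothing here shows, that is heap contents from the master leaking onto the wire as well as a corrupt log excerpt. Check it in the same style as the other new failure paths: `if (krb5_storage_read (sp, (char *)data.data + 4, data.length - 4) != data.length - 4) { krb5_warnx (context, "send_diffs: short read from log"); krb5_storage_free (sp); krb5_data_free (&data); slave_dead (s); return 1; }`. `left` and `right` are computed earlier in send_diffs, outside the hunk, so the expected length is not re-derived here.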
@@ -383,13 +490,29 @@ process_msg (krb5_context context, slave *s, int log_fd, } sp = krb5_storage_from_mem (out.data, out.length); - krb5_ret_int32 (sp, &tmp); + if (sp == NULL) { + krb5_warnx (context, "process_msg: no memory"); + krb5_data_free (&out); + return 1; + } + if (krb5_ret_int32 (sp, &tmp) != 0) { + krb5_warnx (context, "process_msg: client send too short command"); + krb5_data_free (&out); + return 1; + } switch (tmp) { case I_HAVE : - krb5_ret_int32 (sp, &tmp); + ret = krb5_ret_int32 (sp, &tmp); + if (ret != 0) { + krb5_warnx (context, "process_msg: client send too I_HAVE data"); + break; + } s->version = tmp; ret = send_diffs (context, s, log_fd, database, current_version); break; + case I_AM_HERE : + break; + case ARE_YOU_THERE: case FOR_YOU : default : krb5_warnx (context, "Ignoring command %d", tmp); @@ -421,8 +544,7 @@ write_stats(krb5_context context, slave *slaves, u_int32_t current_version) if (fp == NULL) return; - strftime(str, sizeof(str), "%Y-%m-%d %H:%M:%S", - localtime(&t)); + krb5_format_time(context, t, str, sizeof(str), TRUE); fprintf(fp, "Status for slaves, last updated: %s\n\n", str); fprintf(fp, "Master version: %lu\n\n", (unsigned long)current_version); @@ -463,9 +585,7 @@ write_stats(krb5_context context, slave *slaves, u_int32_t current_version) else rtbl_add_column_entry(tbl, SLAVE_STATUS, "Up"); - if (strftime(str, sizeof(str), "%Y-%m-%d %H:%M:%S %Z", - localtime(&slaves->seen)) == 0) - strlcpy(str, "Unknown time", sizeof(str)); + ret = krb5_format_time(context, slaves->seen, str, sizeof(str), TRUE); rtbl_add_column_entry(tbl, SLAVE_SEEN, str); slaves = slaves->next; 
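Review bot: Of the two new early returns in process_msg, the short-command branch frees `out` but returns with `sp` still allocated, so every malformed command leaks a krb5_storage; add `krb5_storage_free (sp);` ahead of `krb5_data_free (&out); return 1;` in that branch. The I_HAVE failure path instead breaks out of the switch with `ret` set and presumably reaches the common cleanup that follows — process_msg continues past the visible lines, so that cannot be confirmed here. The two warning strings also read oddly; `"process_msg: client sent too short a command"` and `"process_msg: client sent too short I_HAVE data"` would be clearer in the log.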
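Review bot: write_stats now assigns `ret = krb5_format_time(context, slaves->seen, str, sizeof(str), TRUE);` but never examines ret, and the old fallback that wrote "Unknown time" when strftime failed is gone, so on a formatting failure the row gets whatever `str` still held from the previous slave. Restore the fallback: `if (ret) strlcpy(str, "Unknown time", sizeof(str));`. The header-line hunk a few lines earlier drops its return value the same way and would take the same one-line guard.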
@@ -483,13 +603,26 @@ static int version_flag; static int help_flag; static char *keytab_str = "HDB:"; static char *database; +static char *config_file; +static char *port_str; +static int detach_from_console = 0; static struct getargs args[] = { + { "config-file", 'c', arg_string, &config_file }, { "realm", 'r', arg_string, &realm }, { "keytab", 'k', arg_string, &keytab_str, "keytab to get authentication from", "kspec" }, { "database", 'd', arg_string, &database, "database", "file"}, - { "slave-stats-file", 0, arg_string, &slave_stats_file, "file"}, + { "slave-stats-file", 0, arg_string, &slave_stats_file, + "file for slave status information", "file"}, + { "time-missing", 0, arg_string, &slave_time_missing, + "time before slave is polled for presence", "time"}, + { "time-gone", 0, arg_string, &slave_time_gone, + "time of inactivity after which a slave is considered gone", "time"}, + { "port", 0, arg_string, &port_str, + "port ipropd will listen to", "port"}, + { "detach", 0, arg_flag, &detach_from_console, + "detach from console" }, { "version", 0, arg_flag, &version_flag }, { "help", 0, arg_flag, &help_flag } }; @@ -506,9 +639,10 @@ main(int argc, char **argv) int signal_fd, listen_fd; int log_fd; slave *slaves = NULL; - u_int32_t current_version, old_version = 0; + u_int32_t current_version = 0, old_version = 0; krb5_keytab keytab; int optind; + char **files; optind = krb5_program_setup(&context, argc, argv, args, num_args, NULL); 
@@ -519,6 +653,27 @@ main(int argc, char **argv) exit(0); } + if (config_file == NULL) + config_file = HDB_DB_DIR "/kdc.conf"; + + ret = krb5_prepend_config_files_default(config_file, &files); + if (ret) + krb5_err(context, 1, ret, "getting configuration files"); + + ret = krb5_set_config_files(context, files); + krb5_free_config_files(files); + if (ret) + krb5_err(context, 1, ret, "reading configuration files"); + + time_before_gone = parse_time (slave_time_gone, "s"); + if (time_before_gone < 0) + krb5_errx (context, 1, "couldn't parse time: %s", slave_time_gone); + time_before_missing = parse_time (slave_time_missing, "s"); + if (time_before_missing < 0) + krb5_errx (context, 1, "couldn't parse time: %s", slave_time_missing); + + if (detach_from_console) + daemon(0, 0); pidfile (NULL); krb5_openlog (context, "ipropd-master", &log_facility); krb5_set_warn_dest(context, log_facility); @@ -553,7 +708,7 @@ main(int argc, char **argv) server_context->log_context.log_file); signal_fd = make_signal_socket (context); - listen_fd = make_listen_socket (context); + listen_fd = make_listen_socket (context, port_str); signal (SIGPIPE, SIG_IGN); @@ -593,12 +748,13 @@ main(int argc, char **argv) old_version = current_version; kadm5_log_get_version_fd (log_fd, ¤t_version); - if (current_version > old_version) + if (current_version > old_version) { for (p = slaves; p != NULL; p = p->next) { if (p->flags & SLAVE_F_DEAD) continue; send_diffs (context, p, log_fd, database, current_version); } + } } if (ret && FD_ISSET(signal_fd, &readset)) { 
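Review bot: `daemon(0, 0)` in main's new detach path ignores its return value, so a failed fork or setsid leaves the process attached to the console while pidfile and the rest of startup carry on as if it had detached; write `if (daemon(0, 0) < 0) krb5_err (context, 1, errno, "daemon");`. The two timeouts are also parsed independently with no relation between them checked: if `time_before_missing` is not smaller than `time_before_gone`, a silent slave is declared gone before it is ever polled with ARE_YOU_THERE, which defeats the new liveness probe, so reject that combination right after the two parse_time calls. The same unchecked `daemon(0, 0)` call is added to ipropd_slave.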
@@ -611,25 +767,31 @@ main(int argc, char **argv) continue; } --ret; + assert(ret >= 0); old_version = current_version; kadm5_log_get_version_fd (log_fd, ¤t_version); for (p = slaves; p != NULL; p = p->next) send_diffs (context, p, log_fd, database, current_version); - } + } - for(p = slaves; ret && p != NULL; p = p->next) { + for(p = slaves; p != NULL; p = p->next) { if (p->flags & SLAVE_F_DEAD) - continue; - if (FD_ISSET(p->fd, &readset)) { + continue; + if (ret && FD_ISSET(p->fd, &readset)) { --ret; + assert(ret >= 0); if(process_msg (context, p, log_fd, database, current_version)) slave_dead(p); - } + } else if (slave_gone_p (p)) + slave_dead (p); + else if (slave_missing_p (p)) + send_are_you_there (context, p); } if (ret && FD_ISSET(listen_fd, &readset)) { add_slave (context, keytab, &slaves, listen_fd); --ret; + assert(ret >= 0); } write_stats(context, slaves, current_version); } diff --git a/kerberosV/src/lib/kadm5/ipropd_slave.c b/kerberosV/src/lib/kadm5/ipropd_slave.c index f1c0c9f8031..9759c5ae9a1 100644 --- a/kerberosV/src/lib/kadm5/ipropd_slave.c +++ b/kerberosV/src/lib/kadm5/ipropd_slave.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -34,12 +34,15 @@ #include "iprop.h" #include <util.h> -RCSID("$KTH: ipropd_slave.c,v 1.27.2.1 2003/08/15 16:45:15 lha Exp $"); +RCSID("$KTH: ipropd_slave.c,v 1.39 2005/05/23 17:39:35 lha Exp $"); static krb5_log_facility *log_facility; +static char *server_time_lost = "5 min"; +static int time_before_lost; static int -connect_to_master (krb5_context context, const char *master) +connect_to_master (krb5_context context, const char *master, + const char *port_str) { int fd; struct sockaddr_in addr; 
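Review bot: The loop run after a signal, `for (p = slaves; p != NULL; p = p->next) send_diffs (context, p, log_fd, database, current_version);`, does not skip slaves flagged SLAVE_F_DEAD, unlike the version-change loop earlier in main, which checks `if (p->flags & SLAVE_F_DEAD) continue;` before the same call. If slave_dead closes the descriptor, as its use elsewhere suggests, the write will presumably fail and slave_dead will run a second time on an already-dead entry; the same flag check belongs here. The added `assert(ret >= 0)` calls are a hard abort in a daemon and disappear under NDEBUG, so they document the select() invariant but must not be the only thing keeping the loop honest.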
@@ -50,8 +53,23 @@ connect_to_master (krb5_context context, const char *master) krb5_err (context, 1, errno, "socket AF_INET"); memset (&addr, 0, sizeof(addr)); addr.sin_family = AF_INET; - addr.sin_port = krb5_getportbyname (context, - IPROP_SERVICE, "tcp", IPROP_PORT); + if (port_str) { + addr.sin_port = krb5_getportbyname (context, + port_str, "tcp", + 0); + if (addr.sin_port == 0) { + char *ptr; + long port; + + port = strtol (port_str, &ptr, 10); + if (port == 0 && ptr == port_str) + krb5_errx (context, 1, "bad port `%s'", port_str); + addr.sin_port = htons(port); + } + } else { + addr.sin_port = krb5_getportbyname (context, IPROP_SERVICE, + "tcp", IPROP_PORT); + } he = roken_gethostbyname (master); if (he == NULL) krb5_errx (context, 1, "gethostbyname: %s", hstrerror(h_errno)); @@ -68,7 +86,7 @@ get_creds(krb5_context context, const char *keytab_str, krb5_keytab keytab; krb5_principal client; krb5_error_code ret; - krb5_get_init_creds_opt init_opts; + krb5_get_init_creds_opt *init_opts; krb5_creds creds; char *server; char keytab_buf[256]; @@ -88,15 +106,17 @@ get_creds(krb5_context context, const char *keytab_str, KRB5_NT_SRV_HST, &client); if (ret) krb5_err(context, 1, ret, "krb5_sname_to_principal"); - krb5_get_init_creds_opt_init(&init_opts); + ret = krb5_get_init_creds_opt_alloc(context, &init_opts); + if (ret) krb5_err(context, 1, ret, "krb5_get_init_creds_opt_alloc"); asprintf (&server, "%s/%s", IPROP_NAME, host); if (server == NULL) krb5_errx (context, 1, "malloc: no memory"); ret = krb5_get_init_creds_keytab(context, &creds, client, keytab, - 0, server, &init_opts); + 0, server, init_opts); free (server); + krb5_get_init_creds_opt_free(init_opts); if(ret) krb5_err(context, 1, ret, "krb5_get_init_creds"); ret = krb5_kt_close(context, keytab); 
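Review bot: connect_to_master's port fallback has the same hole as the master side: `strtol` is only rejected when it consumed nothing, so trailing junk, negative values and anything above 65535 are accepted and truncated by `htons(port)`. Use `if (*ptr != '\0' || port < 1 || port > 65535) krb5_errx (context, 1, "bad port `%s'", port_str);`. Since the block is copied verbatim from ipropd_master's make_listen_socket, a shared parse helper in iprop.h would fix both at once and keep them identical.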
@@ -119,7 +139,7 @@ ihave (krb5_context context, krb5_auth_context auth_context, int ret; u_char buf[8]; krb5_storage *sp; - krb5_data data, priv_data; + krb5_data data; sp = krb5_storage_from_mem (buf, 8); krb5_store_int32 (sp, I_HAVE); @@ -128,15 +148,9 @@ ihave (krb5_context context, krb5_auth_context auth_context, data.length = 8; data.data = buf; - ret = krb5_mk_priv (context, auth_context, &data, &priv_data, NULL); - if (ret) - krb5_err (context, 1, ret, "krb_mk_priv"); - - ret = krb5_write_message (context, &fd, &priv_data); + ret = krb5_write_priv_message(context, auth_context, &fd, &data); if (ret) - krb5_err (context, 1, ret, "krb5_write_message"); - - krb5_data_free (&priv_data); + krb5_err (context, 1, ret, "krb5_write_priv_message"); } static void @@ -160,7 +174,7 @@ receive_loop (krb5_context context, op = tmp; krb5_ret_int32 (sp, &len); if (vers <= server_context->log_context.version) - krb5_storage_seek(sp, len, SEEK_CUR); + krb5_storage_seek(sp, len + 8, SEEK_CUR); } while(vers <= server_context->log_context.version); left = krb5_storage_seek (sp, -16, SEEK_CUR); @@ -192,7 +206,7 @@ receive_loop (krb5_context context, ret = kadm5_log_replay (server_context, op, vers, len, sp); if (ret) - krb5_warn (context, ret, "kadm5_log_replay"); + krb5_warn (context, ret, "kadm5_log_replay: %d", (int)vers); else server_context->log_context.version = vers; krb5_storage_seek (sp, 8, SEEK_CUR); 
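Review bot: In receive_loop the `krb5_ret_int32 (sp, &len)` that feeds the corrected `krb5_storage_seek(sp, len + 8, SEEK_CUR)` is unchecked and `len` is never validated, so a truncated or negative length from the master drives the seek to an arbitrary offset. Worse, if the storage is exhausted the reads fail and `vers` (read just above, outside the hunk, and apparently also unchecked) keeps its previous value, so the `while(vers <= server_context->log_context.version)` condition never turns false and the slave spins. Guard it: `if (krb5_ret_int32 (sp, &len) != 0 || len < 0) krb5_errx (context, 1, "malformed diff from master");`, and the same for the reads of vers and op. The channel is krb5_priv-protected, so this is about a buggy or truncated master message rather than a third party, but the slave still should not loop or seek blindly on it.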
@@ -206,20 +220,45 @@ receive (krb5_context context, { int ret; - ret = server_context->db->open(context, - server_context->db, - O_RDWR | O_CREAT, 0600); + ret = server_context->db->hdb_open(context, + server_context->db, + O_RDWR | O_CREAT, 0600); if (ret) krb5_err (context, 1, ret, "db->open"); receive_loop (context, sp, server_context); - ret = server_context->db->close (context, server_context->db); + ret = server_context->db->hdb_close (context, server_context->db); if (ret) krb5_err (context, 1, ret, "db->close"); } static void +send_im_here (krb5_context context, int fd, + krb5_auth_context auth_context) +{ + krb5_storage *sp; + krb5_data data; + int ret; + + ret = krb5_data_alloc (&data, 4); + if (ret) + krb5_err (context, 1, ret, "send_im_here"); + + sp = krb5_storage_from_data (&data); + if (sp == NULL) + krb5_errx (context, 1, "krb5_storage_from_data"); + krb5_store_int32(sp, I_AM_HERE); + krb5_storage_free(sp); + + ret = krb5_write_priv_message(context, auth_context, &fd, &data); + krb5_data_free(&data); + + if (ret) + krb5_err (context, 1, ret, "krb5_write_priv_message"); +} + +static void receive_everything (krb5_context context, int fd, kadm5_server_context *server_context, krb5_auth_context auth_context) @@ -228,12 +267,12 @@ receive_everything (krb5_context context, int fd, krb5_data data; int32_t vno; int32_t opcode; - unsigned long tmp; + krb5_storage *sp; char *dbname; HDB *mydb; - asprintf(&dbname, "%s-NEW", server_context->db->name); + asprintf(&dbname, "%s-NEW", server_context->db->hdb_name); ret = hdb_create(context, &mydb, dbname); if(ret) krb5_err(context,1, ret, "hdb_create"); 
@@ -246,47 +285,53 @@ receive_everything (krb5_context context, int fd, /* I really want to use O_EXCL here, but given that I can't easily clean up on error, I won't */ - ret = mydb->open(context, mydb, O_RDWR | O_CREAT | O_TRUNC, 0600); + ret = mydb->hdb_open(context, mydb, O_RDWR | O_CREAT | O_TRUNC, 0600); if (ret) krb5_err (context, 1, ret, "db->open"); + sp = NULL; do { - krb5_storage *sp; - ret = krb5_read_priv_message(context, auth_context, &fd, &data); if (ret) krb5_err (context, 1, ret, "krb5_read_priv_message"); sp = krb5_storage_from_data (&data); + if (sp == NULL) + krb5_errx (context, 1, "krb5_storage_from_data"); krb5_ret_int32 (sp, &opcode); if (opcode == ONE_PRINC) { krb5_data fake_data; hdb_entry entry; + krb5_storage_free(sp); + fake_data.data = (char *)data.data + 4; fake_data.length = data.length - 4; ret = hdb_value2entry (context, &fake_data, &entry); if (ret) krb5_err (context, 1, ret, "hdb_value2entry"); - ret = mydb->store(server_context->context, - mydb, - 0, &entry); + ret = mydb->hdb_store(server_context->context, + mydb, + 0, &entry); if (ret) krb5_err (context, 1, ret, "hdb_store"); hdb_free_entry (context, &entry); krb5_data_free (&data); - } + } else if (opcode == NOW_YOU_HAVE) + ; + else + krb5_errx (context, 1, "strange opcode %d", opcode); } while (opcode == ONE_PRINC); if (opcode != NOW_YOU_HAVE) krb5_errx (context, 1, "receive_everything: strange %d", opcode); - _krb5_get_int ((char *)data.data + 4, &tmp, 4); - vno = tmp; + krb5_ret_int32 (sp, &vno); + krb5_storage_free(sp); ret = kadm5_log_reinit (server_context); if (ret) 
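Review bot: In receive_everything the return of `krb5_ret_int32 (sp, &opcode)` is not checked and `opcode` is declared without an initializer in the previous hunk, so a message shorter than four bytes leaves it holding whatever was on the stack; if that happens to read as ONE_PRINC, `fake_data.length = data.length - 4` wraps and hdb_value2entry decodes past the end of the buffer. The `krb5_ret_int32 (sp, &vno)` after the loop has the same gap, and its value becomes the new log version with no check at all. Guard both reads in the style of the other fatal paths here: `if (krb5_ret_int32 (sp, &opcode) != 0) krb5_errx (context, 1, "receive_everything: short message from master");`. receive_everything starts in the previous hunk and ends in the next one.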
@@ -302,28 +347,38 @@ receive_everything (krb5_context context, int fd, krb5_data_free (&data); - ret = mydb->rename (context, mydb, server_context->db->name); + ret = mydb->hdb_rename (context, mydb, server_context->db->hdb_name); if (ret) krb5_err (context, 1, ret, "db->rename"); - ret = mydb->close (context, mydb); + ret = mydb->hdb_close (context, mydb); if (ret) krb5_err (context, 1, ret, "db->close"); - ret = mydb->destroy (context, mydb); + ret = mydb->hdb_destroy (context, mydb); if (ret) krb5_err (context, 1, ret, "db->destroy"); } +static char *config_file; static char *realm; static int version_flag; static int help_flag; static char *keytab_str; +static char *port_str; +static int detach_from_console = 0; static struct getargs args[] = { + { "config-file", 'c', arg_string, &config_file }, { "realm", 'r', arg_string, &realm }, { "keytab", 'k', arg_string, &keytab_str, "keytab to get authentication from", "kspec" }, + { "time-lost", 0, arg_string, &server_time_lost, + "time before server is considered lost", "time" }, + { "port", 0, arg_string, &port_str, + "port ipropd-slave will connect to", "port"}, + { "detach", 0, arg_flag, &detach_from_console, + "detach from console" }, { "version", 0, arg_flag, &version_flag }, { "help", 0, arg_flag, &help_flag } }; @@ -349,6 +404,7 @@ main(int argc, char **argv) int master_fd; krb5_ccache ccache; krb5_principal server; + char **files; int optind; const char *master; @@ -362,6 +418,18 @@ main(int argc, char **argv) exit(0); } + if (config_file == NULL) + config_file = HDB_DB_DIR "/kdc.conf"; + + ret = krb5_prepend_config_files_default(config_file, &files); + if (ret) + krb5_err(context, 1, ret, "getting configuration files"); + + ret = krb5_set_config_files(context, files); + krb5_free_config_files(files); + if (ret) + krb5_err(context, 1, ret, "reading configuration files"); + argc -= optind; argv += optind; 
@@ -370,6 +438,8 @@ main(int argc, char **argv) master = argv[0]; + if (detach_from_console) + daemon(0, 0); pidfile (NULL); krb5_openlog (context, "ipropd-slave", &log_facility); krb5_set_warn_dest(context, log_facility); @@ -378,6 +448,10 @@ main(int argc, char **argv) if(ret) krb5_err(context, 1, ret, "krb5_kt_register"); + time_before_lost = parse_time (server_time_lost, "s"); + if (time_before_lost < 0) + krb5_errx (context, 1, "couldn't parse time: %s", server_time_lost); + memset(&conf, 0, sizeof(conf)); if(realm) { conf.mask |= KADM5_CONFIG_REALM; @@ -400,7 +474,7 @@ main(int argc, char **argv) get_creds(context, keytab_str, &ccache, master); - master_fd = connect_to_master (context, master); + master_fd = connect_to_master (context, master, port_str); ret = krb5_sname_to_principal (context, master, IPROP_NAME, KRB5_NT_SRV_HST, &server); @@ -423,6 +497,29 @@ main(int argc, char **argv) krb5_data out; krb5_storage *sp; int32_t tmp; + fd_set readset; + struct timeval to; + + if (master_fd >= FD_SETSIZE) + krb5_errx (context, 1, "fd too large"); + + FD_ZERO(&readset); + FD_SET(master_fd, &readset); + + to.tv_sec = time_before_lost; + to.tv_usec = 0; + + ret = select (master_fd + 1, + &readset, NULL, NULL, &to); + if (ret < 0) { + if (errno == EINTR) + continue; + else + krb5_err (context, 1, errno, "select"); + } + if (ret == 0) + krb5_errx (context, 1, "server didn't send a message " + "in %d seconds", time_before_lost); ret = krb5_read_priv_message(context, auth_context, &master_fd, &out); @@ -441,9 +538,13 @@ main(int argc, char **argv) receive_everything (context, master_fd, server_context, auth_context); break; + case ARE_YOU_THERE : + send_im_here (context, master_fd, auth_context); + break; case NOW_YOU_HAVE : case I_HAVE : case ONE_PRINC : + case I_AM_HERE : default : krb5_warnx (context, "Ignoring command %d", tmp); break; diff --git a/kerberosV/src/lib/kafs/afssys.c b/kerberosV/src/lib/kafs/afssys.c index dda9af7c0ae..bcac9845994 100644 
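Review bot: `daemon(0, 0)` in the first hunk on this line is called without checking its result, so a failed fork or chdir is silently ignored and the process keeps running attached to the console while the operator believes it detached; `if (detach_from_console && daemon(0, 0) == -1) krb5_err (context, 1, errno, "daemon");` reports it. The enclosing main() starts and ends outside this hunk.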
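Review bot: The select() timeout added in the `-423` hunk only bounds the wait for the first byte; `krb5_read_priv_message` on the next line still blocks until a complete message arrives, so a master that stalls mid-message is not detected by `time_before_lost`. If that matters, set `SO_RCVTIMEO` on `master_fd` with the same `to` value via `setsockopt` so the blocking read gives up as well, and consider tracking a deadline rather than restarting the full timeout after `EINTR`. main() and the loop enclosing this hunk begin and end outside it.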
--- a/kerberosV/src/lib/kafs/afssys.c +++ b/kerberosV/src/lib/kafs/afssys.c @@ -33,7 +33,7 @@ #include "kafs_locl.h" -RCSID("$KTH: afssys.c,v 1.69.2.2 2004/06/22 14:29:48 lha Exp $"); +RCSID("$KTH: afssys.c,v 1.73 2005/06/02 07:25:58 lha Exp $"); struct procdata { unsigned long param4; @@ -112,6 +112,8 @@ try_aix(void) * there's a /etc/name_to_sysnum file. */ +#if defined(AFS_SYSCALL) || defined(AFS_SYSCALL2) || defined(AFS_SYSCALL3) + #define _PATH_ETC_NAME_TO_SYSNUM "/etc/name_to_sysnum" static int @@ -143,6 +145,7 @@ map_syscall_name_to_number (const char *str, int *res) fclose (f); return -1; } +#endif static int try_proc(const char *path) diff --git a/kerberosV/src/lib/kafs/common.c b/kerberosV/src/lib/kafs/common.c index 49c74650536..5d6d77d5170 100644 --- a/kerberosV/src/lib/kafs/common.c +++ b/kerberosV/src/lib/kafs/common.c @@ -33,7 +33,7 @@ #include "kafs_locl.h" -RCSID("$KTH: common.c,v 1.26.2.1 2003/04/23 18:03:20 lha Exp $"); +RCSID("$KTH: common.c,v 1.31 2005/06/02 07:38:06 lha Exp $"); #define AUTH_SUPERUSER "afs" @@ -242,7 +242,7 @@ find_cells(const char *file, char ***cells, int *index) * Get tokens for all cells[] */ static int -afslog_cells(kafs_data *data, char **cells, int max, uid_t uid, +afslog_cells(struct kafs_data *data, char **cells, int max, uid_t uid, const char *homedir) { int ret = 0; @@ -256,7 +256,8 @@ afslog_cells(kafs_data *data, char **cells, int max, uid_t uid, } int -_kafs_afslog_all_local_cells(kafs_data *data, uid_t uid, const char *homedir) +_kafs_afslog_all_local_cells(struct kafs_data *data, + uid_t uid, const char *homedir) { int ret; char **cells = NULL; 
@@ -278,8 +279,12 @@ _kafs_afslog_all_local_cells(kafs_data *data, uid_t uid, const char *homedir) #if 0 find_cells(_PATH_OPENAFS_DEBIAN_THESECELLS, &cells, &index); find_cells(_PATH_OPENAFS_DEBIAN_THISCELL, &cells, &index); + find_cells(_PATH_OPENAFS_MACOSX_THESECELLS, &cells, &index); + find_cells(_PATH_OPENAFS_MACOSX_THISCELL, &cells, &index); find_cells(_PATH_ARLA_DEBIAN_THESECELLS, &cells, &index); find_cells(_PATH_ARLA_DEBIAN_THISCELL, &cells, &index); + find_cells(_PATH_ARLA_OPENBSD_THESECELLS, &cells, &index); + find_cells(_PATH_ARLA_OPENBSD_THISCELL, &cells, &index); #endif ret = afslog_cells(data, cells, index, uid, homedir); @@ -291,7 +296,8 @@ _kafs_afslog_all_local_cells(kafs_data *data, uid_t uid, const char *homedir) static int -file_find_cell(kafs_data *data, const char *cell, char **realm, int exact) +file_find_cell(struct kafs_data *data, + const char *cell, char **realm, int exact) { FILE *F; char buf[1024]; @@ -336,9 +342,9 @@ file_find_cell(kafs_data *data, const char *cell, char **realm, int exact) return ret; } -/* Find the realm associated with cell. Do this by opening - /usr/vice/etc/CellServDB and getting the realm-of-host for the - first VL-server for the cell. +/* Find the realm associated with cell. Do this by opening CellServDB + file and getting the realm-of-host for the first VL-server for the + cell. This does not work when the VL-server is living in one realm, but the cell it is serving is living in another realm. @@ -347,7 +353,8 @@ file_find_cell(kafs_data *data, const char *cell, char **realm, int exact) */ int -_kafs_realm_of_cell(kafs_data *data, const char *cell, char **realm) +_kafs_realm_of_cell(struct kafs_data *data, + const char *cell, char **realm) { char buf[1024]; int ret; 
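Review bot: The four new `find_cells()` calls for the MACOSX and OPENBSD paths sit inside the existing `#if 0` block, so `_kafs_afslog_all_local_cells` never consults those files and the change has no effect at run time. If the intent is to support those installations the `#if 0`/`#endif` should go; otherwise the added lines are dead code and should be dropped. The function starts outside this hunk.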
@@ -364,7 +371,7 @@ _kafs_realm_of_cell(kafs_data *data, const char *cell, char **realm) } static int -_kafs_try_get_cred(kafs_data *data, const char *user, const char *cell, +_kafs_try_get_cred(struct kafs_data *data, const char *user, const char *cell, const char *realm, uid_t uid, struct kafs_token *kt) { int ret; @@ -384,7 +391,7 @@ _kafs_try_get_cred(kafs_data *data, const char *user, const char *cell, int -_kafs_get_cred(kafs_data *data, +_kafs_get_cred(struct kafs_data *data, const char *cell, const char *realm_hint, const char *realm, @@ -395,7 +402,7 @@ _kafs_get_cred(kafs_data *data, char *vl_realm; char CELL[64]; - /* We're about to find the the realm that holds the key for afs in + /* We're about to find the realm that holds the key for afs in * the specified cell. The problem is that null-instance * afs-principals are common and that hitting the wrong realm might * yield the wrong afs key. The following assumptions were made. diff --git a/kerberosV/src/lib/kafs/kafs.3 b/kerberosV/src/lib/kafs/kafs.3 index 1bb0130f2fb..7216a4ac558 100644 --- a/kerberosV/src/lib/kafs/kafs.3 +++ b/kerberosV/src/lib/kafs/kafs.3 @@ -29,7 +29,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $KTH: kafs.3,v 1.16 2003/04/16 13:58:27 lha Exp $ +.\" $KTH: kafs.3,v 1.17 2003/11/07 23:18:02 lha Exp $ .\" .Dd March 17, 2003 .Os HEIMDAL @@ -151,7 +151,7 @@ and .Pp .Fn krb5_afslog , .Fn kafs_settoken5 -can be configured to behave differently via a +can be configured to behave differently via a .Nm krb5_appdefault option .Li afs-use-524 @@ -186,7 +186,7 @@ as application name when running the .Nm krb5_appdefault function call. .Pp -The (uppercased) cellname is used as the realm to the +The (uppercased) cell name is used as the realm to the .Nm krb5_appdefault function. .Pp .\" The extra arguments are the ubiquitous context, and the cache id where 
@@ -208,7 +208,7 @@ characters is put in .Fn k_pioctl does a .Fn pioctl -syscall with the specified arguments. This function is equivalent to +system call with the specified arguments. This function is equivalent to .Fn lpioctl . .Pp .Fn k_setpag diff --git a/kerberosV/src/lib/kafs/kafs.h b/kerberosV/src/lib/kafs/kafs.h index 12b2e2e29b8..12e38dba565 100644 --- a/kerberosV/src/lib/kafs/kafs.h +++ b/kerberosV/src/lib/kafs/kafs.h @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $KTH: kafs.h,v 1.39.2.1 2003/04/23 18:03:21 lha Exp $ */ +/* $KTH: kafs.h,v 1.43 2005/02/03 08:45:13 lha Exp $ */ #ifndef __KAFS_H #define __KAFS_H 
@@ -45,41 +45,31 @@ #include<xfs/xfs_pioctl.h> -#ifdef __STDC__ -#ifndef __P -#define __P(x) x -#endif -#else -#ifndef __P -#define __P(x) () -#endif -#endif - /* Use k_hasafs() to probe if the machine supports AFS syscalls. The other functions will generate a SIGSYS if AFS is not supported */ -int k_hasafs __P((void)); +int k_hasafs (void); -int krb_afslog __P((const char *cell, const char *realm)); -int krb_afslog_uid __P((const char *cell, const char *realm, uid_t uid)); -int krb_afslog_home __P((const char *cell, const char *realm, - const char *homedir)); -int krb_afslog_uid_home __P((const char *cell, const char *realm, uid_t uid, - const char *homedir)); +int krb_afslog (const char *cell, const char *realm); +int krb_afslog_uid (const char *cell, const char *realm, uid_t uid); +int krb_afslog_home (const char *cell, const char *realm, + const char *homedir); +int krb_afslog_uid_home (const char *cell, const char *realm, uid_t uid, + const char *homedir); -int krb_realm_of_cell __P((const char *cell, char **realm)); +int krb_realm_of_cell (const char *cell, char **realm); /* compat */ #define k_afsklog krb_afslog #define k_afsklog_uid krb_afslog_uid -int k_pioctl __P((char *a_path, +int k_pioctl (char *a_path, int o_opcode, struct ViceIoctl *a_paramsP, - int a_followSymlinks)); -int k_unlog __P((void)); -int k_setpag __P((void)); -int k_afs_cell_of_file __P((const char *path, char *cell, int len)); + int a_followSymlinks); +int k_unlog (void); +int k_setpag (void); +int k_afs_cell_of_file (const char *path, char *cell, int len); 
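Review bot: Removing the `__P` definition changes what the public kafs.h exports: any downstream source that relied on this header to provide `__P` will now fail to compile, and the same applies to the prototypes rewritten in the next hunk of this header. Dropping the macro is the right modernisation, but it deserves a release note or a temporary `#ifndef __P` compatibility definition.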
@@ -92,41 +82,41 @@ int k_afs_cell_of_file __P((const char *path, char *cell, int len)); #define KRB5_H_INCLUDED #endif -void kafs_set_verbose __P((void (*kafs_verbose)(void *, const char *), void *)); -int kafs_settoken_rxkad __P((const char *, struct ClearToken *, - void *ticket, size_t ticket_len)); +void kafs_set_verbose (void (*kafs_verbose)(void *, const char *), void *); +int kafs_settoken_rxkad (const char *, struct ClearToken *, + void *ticket, size_t ticket_len); #ifdef KRB_H_INCLUDED -int kafs_settoken __P((const char*, uid_t, CREDENTIALS*)); +int kafs_settoken (const char*, uid_t, CREDENTIALS*); #endif #ifdef KRB5_H_INCLUDED -int kafs_settoken5 __P((krb5_context, const char*, uid_t, krb5_creds*)); +int kafs_settoken5 (krb5_context, const char*, uid_t, krb5_creds*); #endif #ifdef KRB5_H_INCLUDED -krb5_error_code krb5_afslog_uid __P((krb5_context context, +krb5_error_code krb5_afslog_uid (krb5_context context, krb5_ccache id, const char *cell, krb5_const_realm realm, - uid_t uid)); -krb5_error_code krb5_afslog __P((krb5_context context, + uid_t uid); +krb5_error_code krb5_afslog (krb5_context context, krb5_ccache id, const char *cell, - krb5_const_realm realm)); -krb5_error_code krb5_afslog_uid_home __P((krb5_context context, + krb5_const_realm realm); +krb5_error_code krb5_afslog_uid_home (krb5_context context, krb5_ccache id, const char *cell, krb5_const_realm realm, uid_t uid, - const char *homedir)); + const char *homedir); -krb5_error_code krb5_afslog_home __P((krb5_context context, +krb5_error_code krb5_afslog_home (krb5_context context, krb5_ccache id, const char *cell, krb5_const_realm realm, - const char *homedir)); + const char *homedir); -krb5_error_code krb5_realm_of_cell __P((const char *cell, char **realm)); +krb5_error_code krb5_realm_of_cell (const char *cell, char **realm); #endif 
@@ -147,11 +137,21 @@ krb5_error_code krb5_realm_of_cell __P((const char *cell, char **realm)); #define _PATH_OPENAFS_DEBIAN_THESECELLS _PATH_OPENAFS_DEBIAN_VICE "TheseCells" #endif +#define _PATH_OPENAFS_MACOSX_VICE "/var/db/openafs/etc/" +#define _PATH_OPENAFS_MACOSX_THISCELL _PATH_OPENAFS_MACOSX_VICE "ThisCell" +#define _PATH_OPENAFS_MACOSX_CELLSERVDB _PATH_OPENAFS_MACOSX_VICE "CellServDB" +#define _PATH_OPENAFS_MACOSX_THESECELLS _PATH_OPENAFS_MACOSX_VICE "TheseCells" + #define _PATH_ARLA_DEBIAN_VICE "/etc/arla/" #define _PATH_ARLA_DEBIAN_THISCELL _PATH_ARLA_DEBIAN_VICE "ThisCell" #define _PATH_ARLA_DEBIAN_CELLSERVDB _PATH_ARLA_DEBIAN_VICE "CellServDB" #define _PATH_ARLA_DEBIAN_THESECELLS _PATH_ARLA_DEBIAN_VICE "TheseCells" +#define _PATH_ARLA_OPENBSD_VICE "/etc/afs/" +#define _PATH_ARLA_OPENBSD_THISCELL _PATH_ARLA_OPENBSD_VICE "ThisCell" +#define _PATH_ARLA_OPENBSD_CELLSERVDB _PATH_ARLA_OPENBSD_VICE "CellServDB" +#define _PATH_ARLA_OPENBSD_THESECELLS _PATH_ARLA_OPENBSD_VICE "TheseCells" + extern int _kafs_debug; #endif /* __KAFS_H */ diff --git a/kerberosV/src/lib/krb5/addr_families.c b/kerberosV/src/lib/krb5/addr_families.c index 5354f33ec39..22ccc63af4f 100644 --- a/kerberosV/src/lib/krb5/addr_families.c +++ b/kerberosV/src/lib/krb5/addr_families.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$KTH: addr_families.c,v 1.38 2003/03/25 12:37:02 joda Exp $"); +RCSID("$KTH: addr_families.c,v 1.47 2005/05/18 04:20:36 lha Exp $"); struct addr_operations { int af; 
@@ -52,6 +52,8 @@ struct addr_operations { int (*order_addr)(krb5_context, const krb5_address*, const krb5_address*); int (*free_addr)(krb5_context, krb5_address*); int (*copy_addr)(krb5_context, const krb5_address*, krb5_address*); + int (*mask_boundary)(krb5_context, const krb5_address*, unsigned long, + krb5_address*, krb5_address*); }; /* @@ -154,13 +156,9 @@ ipv4_print_addr (const krb5_address *addr, char *str, size_t len) { struct in_addr ia; - if (len == 0) - return(0); - memcpy (&ia, addr->address.data, 4); - (void) snprintf (str, len, "IPv4:%s", inet_ntoa(ia)); - return(strlen(str)); + return snprintf (str, len, "IPv4:%s", inet_ntoa(ia)); } static int @@ -196,6 +194,40 @@ ipv4_parse_addr (krb5_context context, const char *address, krb5_address *addr) return 0; } +static int +ipv4_mask_boundary(krb5_context context, const krb5_address *inaddr, + unsigned long len, krb5_address *low, krb5_address *high) +{ + unsigned long ia; + u_int32_t l, h, m = 0xffffffff; + + if (len > 32) { + krb5_set_error_string(context, "IPv4 prefix too large (%ld)", len); + return KRB5_PROG_ATYPE_NOSUPP; + } + m = m << (32 - len); + + _krb5_get_int(inaddr->address.data, &ia, inaddr->address.length); + + l = ia & m; + h = l | ~m; + + low->addr_type = KRB5_ADDRESS_INET; + if(krb5_data_alloc(&low->address, 4) != 0) + return -1; + _krb5_put_int(low->address.data, l, low->address.length); + + high->addr_type = KRB5_ADDRESS_INET; + if(krb5_data_alloc(&high->address, 4) != 0) { + krb5_free_address(context, low); + return -1; + } + _krb5_put_int(high->address.data, h, high->address.length); + + return 0; +} + + /* * AF_INET6 - aka IPv6 implementation */ 
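Review bot: In `ipv4_mask_boundary` (third hunk on this line) `m = m << (32 - len)` shifts a 32-bit value by 32 when `len` is 0, which is undefined behaviour in C and on common compilers leaves `m` unchanged instead of producing the all-hosts mask a `/0` prefix denotes. The function also hands `inaddr->address.length` to `_krb5_get_int` without checking that it is 4, unlike the IPv6 counterpart, and the error string formats an `unsigned long` with `%ld`. Suggested rewrite of the prefix handling below; the rest of the function is unchanged.
```c
    if (len > 32) {
	krb5_set_error_string(context, "IPv4 prefix too large (%lu)", len);
	return KRB5_PROG_ATYPE_NOSUPP;
    }
    if (inaddr->address.length != 4) {
	krb5_set_error_string(context, "IPv4 addr bad length");
	return KRB5_PROG_ATYPE_NOSUPP;
    }
    /* a shift by 32 is undefined for a 32-bit type; /0 means "all hosts" */
    m = (len == 0) ? 0 : m << (32 - len);
    /* … unchanged: _krb5_get_int, low/high allocation … */
```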
@@ -307,13 +339,23 @@ ipv6_anyaddr (struct sockaddr *sa, krb5_socklen_t *sa_size, int port) static int ipv6_print_addr (const krb5_address *addr, char *str, size_t len) { - char buf[128]; + char buf[128], buf2[3]; +#ifdef HAVE_INET_NTOP if(inet_ntop(AF_INET6, addr->address.data, buf, sizeof(buf)) == NULL) - return (0); - if (len == 0) - return(0); - (void) snprintf(str, len, "IPv6:%s", buf); - return(strlen(str)); +#endif + { + /* XXX this is pretty ugly, but better than abort() */ + int i; + unsigned char *p = addr->address.data; + buf[0] = '\0'; + for(i = 0; i < addr->address.length; i++) { + snprintf(buf2, sizeof(buf2), "%02x", p[i]); + if(i > 0 && (i & 1) == 0) + strlcat(buf, ":", sizeof(buf)); + strlcat(buf, buf2, sizeof(buf)); + } + } + return snprintf(str, len, "IPv6:%s", buf); } static int 
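Review bot: In `ipv6_print_addr` the `#ifdef HAVE_INET_NTOP` wraps only the `if` line, so when inet_ntop is unavailable the following `{ ... }` block runs unconditionally; that is correct but easy to misread as a stray block, and a comment such as `/* without inet_ntop the block below is the unconditional fallback */` would help the next reader. The loop index `int i` is compared with `addr->address.length`; if that field is `size_t`, declaring `size_t i` avoids the signed/unsigned comparison.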
@@ -344,6 +386,55 @@ ipv6_parse_addr (krb5_context context, const char *address, krb5_address *addr) return -1; } +static int +ipv6_mask_boundary(krb5_context context, const krb5_address *inaddr, + unsigned long len, krb5_address *low, krb5_address *high) +{ + struct in6_addr addr, laddr, haddr; + u_int32_t m; + int i, sub_len; + + if (len > 128) { + krb5_set_error_string(context, "IPv6 prefix too large (%ld)", len); + return KRB5_PROG_ATYPE_NOSUPP; + } + + if (inaddr->address.length != sizeof(addr)) { + krb5_set_error_string(context, "IPv6 addr bad length"); + return KRB5_PROG_ATYPE_NOSUPP; + } + + memcpy(&addr, inaddr->address.data, inaddr->address.length); + + for (i = 0; i < 16; i++) { + sub_len = min(8, len); + + m = 0xff << (8 - sub_len); + + laddr.s6_addr[i] = addr.s6_addr[i] & m; + haddr.s6_addr[i] = (addr.s6_addr[i] & m) | ~m; + + if (len > 8) + len -= 8; + else + len = 0; + } + + low->addr_type = KRB5_ADDRESS_INET6; + if (krb5_data_alloc(&low->address, sizeof(laddr.s6_addr)) != 0) + return -1; + memcpy(low->address.data, laddr.s6_addr, sizeof(laddr.s6_addr)); + + high->addr_type = KRB5_ADDRESS_INET6; + if (krb5_data_alloc(&high->address, sizeof(haddr.s6_addr)) != 0) { + krb5_free_address(context, low); + return -1; + } + memcpy(high->address.data, haddr.s6_addr, sizeof(haddr.s6_addr)); + + return 0; +} + #endif /* IPv6 */ /* @@ -361,8 +452,8 @@ static int arange_parse_addr (krb5_context context, const char *address, krb5_address *addr) { - char buf[1024]; - krb5_addresses low, high; + char buf[1024], *p; + krb5_address low0, high0; struct arange *a; krb5_error_code ret; 
@@ -371,39 +462,84 @@ arange_parse_addr (krb5_context context, address += 6; - /* should handle netmasks */ - strsep_copy(&address, "-", buf, sizeof(buf)); - ret = krb5_parse_address(context, buf, &low); - if(ret) - return ret; - if(low.len != 1) { - krb5_free_addresses(context, &low); - return -1; - } + p = strrchr(address, '/'); + if (p) { + krb5_addresses addrmask; + char *q; + long num; - strsep_copy(&address, "-", buf, sizeof(buf)); - ret = krb5_parse_address(context, buf, &high); - if(ret) { - krb5_free_addresses(context, &low); - return ret; - } + if (strlcpy(buf, address, sizeof(buf)) > sizeof(buf)) + return -1; + buf[p - address] = '\0'; + ret = krb5_parse_address(context, buf, &addrmask); + if (ret) + return ret; + if(addrmask.len != 1) { + krb5_free_addresses(context, &addrmask); + return -1; + } + + address += p - address + 1; + + num = strtol(address, &q, 10); + if (q == address || *q != '\0' || num < 0) { + krb5_free_addresses(context, &addrmask); + return -1; + } + + ret = krb5_address_prefixlen_boundary(context, &addrmask.val[0], num, + &low0, &high0); + krb5_free_addresses(context, &addrmask); + if (ret) + return ret; + + } else { + krb5_addresses low, high; + + strsep_copy(&address, "-", buf, sizeof(buf)); + ret = krb5_parse_address(context, buf, &low); + if(ret) + return ret; + if(low.len != 1) { + krb5_free_addresses(context, &low); + return -1; + } + + strsep_copy(&address, "-", buf, sizeof(buf)); + ret = krb5_parse_address(context, buf, &high); + if(ret) { + krb5_free_addresses(context, &low); + return ret; + } + + if(high.len != 1 && high.val[0].addr_type != low.val[0].addr_type) { + krb5_free_addresses(context, &low); + krb5_free_addresses(context, &high); + return -1; + } - if(high.len != 1 || high.val[0].addr_type != low.val[0].addr_type) { + ret = krb5_copy_address(context, &high.val[0], &high0); + if (ret == 0) { + ret = krb5_copy_address(context, &low.val[0], &low0); + if (ret) + krb5_free_address(context, &high0); + } 
krb5_free_addresses(context, &low); krb5_free_addresses(context, &high); - return -1; + if (ret) + return ret; } krb5_data_alloc(&addr->address, sizeof(*a)); addr->addr_type = KRB5_ADDRESS_ARANGE; a = addr->address.data; - if(krb5_address_order(context, &low.val[0], &high.val[0]) < 0) { - a->low = low.val[0]; - a->high = high.val[0]; + if(krb5_address_order(context, &low0, &high0) < 0) { + a->low = low0; + a->high = high0; } else { - a->low = high.val[0]; - a->high = low.val[0]; + a->low = high0; + a->high = low0; } return 0; } @@ -451,23 +587,35 @@ arange_print_addr (const krb5_address *addr, char *str, size_t len) { struct arange *a; krb5_error_code ret; - size_t l, ret_len = 0; - - if (len == 0) - return(0); + size_t l, size, ret_len; a = addr->address.data; - (void) strlcpy(str, "RANGE:", len); - ret_len += strlen(str); /* truncate if too long */ - - ret = krb5_print_address (&a->low, str + ret_len, len - ret_len, &l); + l = strlcpy(str, "RANGE:", len); + ret_len = l; + if (l > len) + l = len; + size = l; + + ret = krb5_print_address (&a->low, str + size, len - size, &l); + if (ret) + return ret; ret_len += l; + if (len - size > l) + size += l; + else + size = len; - (void) strlcat(str, "-", len); - ret_len += strlen(str); /* truncate if too long */ + l = strlcat(str + size, "-", len - size); + ret_len += l; + if (len - size > l) + size += l; + else + size = len; - ret = krb5_print_address (&a->high, str + ret_len, len - ret_len, &l); + ret = krb5_print_address (&a->high, str + size, len - size, &l); + if (ret) + return ret; ret_len += l; return ret_len; 
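Review bot: The range-form branch of `arange_parse_addr` changed the sanity check from `||` to `&&`: `if(high.len != 1 && high.val[0].addr_type != low.val[0].addr_type)` now accepts a `high` whose address family differs from `low` when it resolved to exactly one address, and reads `high.val[0]` when `high.len` is 0. Restore `if(high.len != 1 || high.val[0].addr_type != low.val[0].addr_type) {`. In the prefix branch the `strlcpy` truncation test should be `>= sizeof(buf)` per strlcpy's contract, although the later NUL written at `p - address` keeps the current form harmless. The function's opening lines are in the preceding hunk.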
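Review bot: `arange_print_addr` now returns `ret` from a failed `krb5_print_address` call, i.e. a positive krb5_error_code such as EINVAL, but this callback is consumed by `krb5_print_address`, which treats any non-negative return as the number of characters produced, so the error is reported as a length of 22. Return a negative value instead, e.g. `if (ret) return -1;` in both places. The `if (ret < 0) return EINVAL;` after `snprintf` in `addrport_print_addr` on the next line has the same problem.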
@@ -515,9 +663,10 @@ arange_order_addr(krb5_context context, static int addrport_print_addr (const krb5_address *addr, char *str, size_t len) { + krb5_error_code ret; krb5_address addr1, addr2; uint16_t port = 0; - size_t ret_len = 0, l; + size_t ret_len = 0, l, size = 0; krb5_storage *sp = krb5_storage_from_data((krb5_data*)&addr->address); /* for totally obscure reasons, these are not in network byteorder */ krb5_storage_set_byteorder(sp, KRB5_STORAGE_BYTEORDER_LE); @@ -534,14 +683,26 @@ addrport_print_addr (const krb5_address *addr, char *str, size_t len) port = value; } l = strlcpy(str, "ADDRPORT:", len); - ret_len += strlen(str); /* truncate if too long */ - krb5_print_address(&addr1, str + ret_len, len - ret_len, &l); ret_len += l; - /* XXX oh the horror */ - if ((len - ret_len) == 0) - return(ret_len); - (void) snprintf(str + ret_len, len - ret_len, ",PORT=%u", port); - return(strlen(str)); + if (len > l) + size += l; + else + size = len; + + ret = krb5_print_address(&addr1, str + size, len - size, &l); + if (ret) + return ret; + ret_len += l; + if (len - size > l) + size += l; + else + size = len; + + ret = snprintf(str + size, len - size, ",PORT=%u", port); + if (ret < 0) + return EINVAL; + ret_len += ret; + return ret_len; } static struct addr_operations at[] = { @@ -551,7 +712,8 @@ static struct addr_operations at[] = { ipv4_addr2sockaddr, ipv4_h_addr2sockaddr, ipv4_h_addr2addr, - ipv4_uninteresting, ipv4_anyaddr, ipv4_print_addr, ipv4_parse_addr}, + ipv4_uninteresting, ipv4_anyaddr, ipv4_print_addr, ipv4_parse_addr, + NULL, NULL, NULL, ipv4_mask_boundary }, #ifdef HAVE_IPV6 {AF_INET6, KRB5_ADDRESS_INET6, sizeof(struct sockaddr_in6), ipv6_sockaddr2addr, 
@@ -559,7 +721,8 @@ static struct addr_operations at[] = { ipv6_addr2sockaddr, ipv6_h_addr2sockaddr, ipv6_h_addr2addr, - ipv6_uninteresting, ipv6_anyaddr, ipv6_print_addr, ipv6_parse_addr} , + ipv6_uninteresting, ipv6_anyaddr, ipv6_print_addr, ipv6_parse_addr, + NULL, NULL, NULL, ipv6_mask_boundary } , #endif {KRB5_ADDRESS_ADDRPORT, KRB5_ADDRESS_ADDRPORT, 0, NULL, NULL, NULL, NULL, NULL, @@ -601,7 +764,7 @@ find_atype(int atype) return NULL; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_sockaddr2address (krb5_context context, const struct sockaddr *sa, krb5_address *addr) { @@ -614,7 +777,7 @@ krb5_sockaddr2address (krb5_context context, return (*a->sockaddr2addr)(sa, addr); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_sockaddr2port (krb5_context context, const struct sockaddr *sa, int16_t *port) { @@ -627,7 +790,7 @@ krb5_sockaddr2port (krb5_context context, return (*a->sockaddr2port)(sa, port); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_addr2sockaddr (krb5_context context, const krb5_address *addr, struct sockaddr *sa, @@ -650,7 +813,7 @@ krb5_addr2sockaddr (krb5_context context, return 0; } -size_t +size_t KRB5_LIB_FUNCTION krb5_max_sockaddr_size (void) { if (max_sockaddr_size == 0) { @@ -662,7 +825,7 @@ krb5_max_sockaddr_size (void) return max_sockaddr_size; } -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_sockaddr_uninteresting(const struct sockaddr *sa) { struct addr_operations *a = find_af(sa->sa_family); @@ -671,7 +834,7 @@ krb5_sockaddr_uninteresting(const struct sockaddr *sa) return (*a->uninteresting)(sa); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_h_addr2sockaddr (krb5_context context, int af, const char *addr, struct sockaddr *sa, @@ -687,7 +850,7 @@ krb5_h_addr2sockaddr (krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_h_addr2addr (krb5_context context, int af, const char *haddr, krb5_address *addr) 
@@ -700,7 +863,7 @@ krb5_h_addr2addr (krb5_context context, return (*a->h_addr2addr)(haddr, addr); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_anyaddr (krb5_context context, int af, struct sockaddr *sa, @@ -718,19 +881,12 @@ krb5_anyaddr (krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_print_address (const krb5_address *addr, char *str, size_t len, size_t *ret_len) { - size_t ret; - int r = 0; struct addr_operations *a = find_atype(addr->addr_type); - - if (len == 0) { - ret = 0; - r = EINVAL; - goto out; - } + int ret; if (a == NULL || a->print_addr == NULL) { char *s; @@ -739,38 +895,30 @@ krb5_print_address (const krb5_address *addr, s = str; l = snprintf(s, len, "TYPE_%d:", addr->addr_type); - if (l < 0 || l > (len - 1)) { - ret = 0; - r = EINVAL; - goto out; - } + if (l < 0 || l >= len) + return EINVAL; s += l; len -= l; for(i = 0; i < addr->address.length; i++) { l = snprintf(s, len, "%02x", ((char*)addr->address.data)[i]); - if (l < 0 || l > (len - 1)) { - ret = 0; - r = EINVAL; - goto out; - } + if (l < 0 || l >= len) + return EINVAL; len -= l; s += l; } - ret = s - str; - goto out; + if(ret_len != NULL) + *ret_len = s - str; + return 0; } ret = (*a->print_addr)(addr, str, len); - if (ret <= 0 || ret > (len - 1)) { - ret = 0; - r = EINVAL; - } -out: + if (ret < 0) + return EINVAL; if(ret_len != NULL) *ret_len = ret; - return r; + return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_parse_address(krb5_context context, const char *string, krb5_addresses *addresses) 
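Review bot: After this rewrite `krb5_print_address` has two truncation contracts: the unknown-type branch returns EINVAL when the output does not fit, while the `print_addr` path accepts any non-negative return, so `*ret_len` may exceed `len` (the snprintf-style value that `ipv4_print_addr` and friends now return). `arange_print_addr` relies on that, so it appears deliberate, but a caller that uses `*ret_len` to index into `str` would overrun. A comment above the function, e.g. `/* On success *ret_len is the length the full string needs, snprintf-style; it may exceed len, in which case str was truncated. */`, should accompany the change, or the unknown-type branch should be made to match.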
@@ -803,17 +951,26 @@ krb5_parse_address(krb5_context context, ++n; ALLOC_SEQ(addresses, n); + if (addresses->val == NULL) { + krb5_set_error_string(context, "malloc: out of memory"); + freeaddrinfo(ai); + return ENOMEM; + } + addresses->len = 0; for (a = ai, i = 0; a != NULL; a = a->ai_next) { - if(krb5_sockaddr2address (context, ai->ai_addr, - &addresses->val[i]) == 0) - i++; + if (krb5_sockaddr2address (context, ai->ai_addr, &addresses->val[i])) + continue; + if(krb5_address_search(context, &addresses->val[i], addresses)) + continue; + addresses->len = i; + i++; } freeaddrinfo (ai); return 0; } -int +int KRB5_LIB_FUNCTION krb5_address_order(krb5_context context, const krb5_address *addr1, const krb5_address *addr2) @@ -847,7 +1004,7 @@ krb5_address_order(krb5_context context, addr1->address.length); } -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_address_compare(krb5_context context, const krb5_address *addr1, const krb5_address *addr2) @@ -855,7 +1012,7 @@ krb5_address_compare(krb5_context context, return krb5_address_order (context, addr1, addr2) == 0; } -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_address_search(krb5_context context, const krb5_address *addr, const krb5_addresses *addrlist) @@ -868,18 +1025,19 @@ krb5_address_search(krb5_context context, return FALSE; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_free_address(krb5_context context, krb5_address *address) { - struct addr_operations *a = find_af (address->addr_type); + struct addr_operations *a = find_atype (address->addr_type); if(a != NULL && a->free_addr != NULL) return (*a->free_addr)(context, address); krb5_data_free (&address->address); + memset(address, 0, sizeof(*address)); return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_free_addresses(krb5_context context, krb5_addresses *addresses) { 
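Review bot: The new loop in `krb5_parse_address` stores `addresses->len = i` before `i++`, so after the loop `len` is one less than the number of converted entries; with a single result the function returns success with an empty list. The duplicate check also runs against the not-yet-updated `len`, so the first two results are never compared, and a skipped duplicate leaks the `krb5_address` already stored in `val[i]`. The call still converts `ai->ai_addr` on every iteration instead of `a->ai_addr`, which predates this change but is on the rewritten line. Suggested loop body below.
```c
    addresses->len = 0;
    for (a = ai, i = 0; a != NULL; a = a->ai_next) {
	if (krb5_sockaddr2address (context, a->ai_addr, &addresses->val[i]))
	    continue;
	/* compare against the entries accepted so far, not the new slot */
	addresses->len = i;
	if (krb5_address_search(context, &addresses->val[i], addresses)) {
	    krb5_free_address(context, &addresses->val[i]);
	    continue;
	}
	i++;
	addresses->len = i;
    }
    /* … unchanged: freeaddrinfo (ai); return 0; … */
```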
@@ -890,7 +1048,7 @@ krb5_free_addresses(krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_copy_address(krb5_context context, const krb5_address *inaddr, krb5_address *outaddr) @@ -901,7 +1059,7 @@ krb5_copy_address(krb5_context context, return copy_HostAddress(inaddr, outaddr); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_copy_addresses(krb5_context context, const krb5_addresses *inaddr, krb5_addresses *outaddr) @@ -915,7 +1073,7 @@ krb5_copy_addresses(krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_append_addresses(krb5_context context, krb5_addresses *dest, const krb5_addresses *source) @@ -949,7 +1107,7 @@ krb5_append_addresses(krb5_context context, * Create an address of type KRB5_ADDRESS_ADDRPORT from (addr, port) */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_make_addrport (krb5_context context, krb5_address **res, const krb5_address *addr, int16_t port) { @@ -998,3 +1156,23 @@ krb5_make_addrport (krb5_context context, return 0; } + +/* + * Calculate the boundary addresses of `inaddr'/`prefixlen' and store + * them in `low' and `high'. + */ + +krb5_error_code KRB5_LIB_FUNCTION +krb5_address_prefixlen_boundary(krb5_context context, + const krb5_address *inaddr, + unsigned long prefixlen, + krb5_address *low, + krb5_address *high) +{ + struct addr_operations *a = find_atype (inaddr->addr_type); + if(a != NULL && a->mask_boundary != NULL) + return (*a->mask_boundary)(context, inaddr, prefixlen, low, high); + krb5_set_error_string(context, "Address family %d doesn't support " + "address mask operation", inaddr->addr_type); + return KRB5_PROG_ATYPE_NOSUPP; +} diff --git a/kerberosV/src/lib/krb5/aname_to_localname.c b/kerberosV/src/lib/krb5/aname_to_localname.c index 9a41811a84c..ac8432794cb 100644 --- a/kerberosV/src/lib/krb5/aname_to_localname.c +++ b/kerberosV/src/lib/krb5/aname_to_localname.c 
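Review bot: The comment on the new public `krb5_address_prefixlen_boundary` should state the contract its implementations in this file establish: `prefixlen` is a bit count checked against the family width (32 for IPv4, 128 for IPv6), an unsupported family returns `KRB5_PROG_ATYPE_NOSUPP` with an error string set, and on success the caller owns `low` and `high` and releases them with `krb5_free_address`. When the second allocation fails the implementations free `low` themselves, so callers must not touch either output unless the return is 0; that is worth saying too.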
@@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 1999, 2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 1999, 2002 - 2003 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,9 +33,9 @@ #include <krb5_locl.h> -RCSID("$KTH: aname_to_localname.c,v 1.6 2003/04/16 16:01:06 lha Exp $"); +RCSID("$KTH: aname_to_localname.c,v 1.8 2004/05/25 21:16:49 lha Exp $"); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_aname_to_localname (krb5_context context, krb5_const_principal aname, size_t lnsize, diff --git a/kerberosV/src/lib/krb5/appdefault.c b/kerberosV/src/lib/krb5/appdefault.c index a70c6392687..f88853db767 100644 --- a/kerberosV/src/lib/krb5/appdefault.c +++ b/kerberosV/src/lib/krb5/appdefault.c @@ -33,11 +33,11 @@ #include "krb5_locl.h" -RCSID("$KTH: appdefault.c,v 1.7 2001/09/16 04:48:55 assar Exp $"); +RCSID("$KTH: appdefault.c,v 1.10 2005/01/05 05:40:59 lukeh Exp $"); extern char *__progname; -void +void KRB5_LIB_FUNCTION krb5_appdefault_boolean(krb5_context context, const char *appname, krb5_const_realm realm, const char *option, krb5_boolean def_val, krb5_boolean *ret_val) @@ -79,7 +79,7 @@ krb5_appdefault_boolean(krb5_context context, const char *appname, *ret_val = def_val; } -void +void KRB5_LIB_FUNCTION krb5_appdefault_string(krb5_context context, const char *appname, krb5_const_realm realm, const char *option, const char *def_val, char **ret_val) 
@@ -123,17 +123,22 @@ krb5_appdefault_string(krb5_context context, const char *appname, *ret_val = NULL; } -void +void KRB5_LIB_FUNCTION krb5_appdefault_time(krb5_context context, const char *appname, krb5_const_realm realm, const char *option, time_t def_val, time_t *ret_val) { - time_t t; - char tstr[32]; + krb5_deltat t; char *val; - snprintf(tstr, sizeof(tstr), "%ld", (long)def_val); - krb5_appdefault_string(context, appname, realm, option, tstr, &val); - t = parse_time (val, NULL); + + krb5_appdefault_string(context, appname, realm, option, NULL, &val); + if (val == NULL) { + *ret_val = def_val; + return; + } + if (krb5_string_to_deltat(val, &t)) + *ret_val = def_val; + else + *ret_val = t; free(val); - *ret_val = t; } diff --git a/kerberosV/src/lib/krb5/config_file.c b/kerberosV/src/lib/krb5/config_file.c index 25369df3c58..5194aff1ca6 100644 --- a/kerberosV/src/lib/krb5/config_file.c +++ b/kerberosV/src/lib/krb5/config_file.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * 
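Review bot: `krb5_appdefault_time` now silently falls back to `def_val` when a value is configured but `krb5_string_to_deltat` rejects it, so a typo in a time setting changes behaviour without any diagnostic. Since the appdefault API has no error channel, at least document this above the call, e.g. `/* an unparsable value is treated as unset and def_val is used */`, or log a warning through `context` if a facility is available here.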
@@ -32,18 +32,50 @@ */ #include "krb5_locl.h" -RCSID("$KTH: config_file.c,v 1.46.4.2 2003/10/13 13:46:10 lha Exp $"); +RCSID("$KTH: config_file.c,v 1.52 2004/09/30 11:22:48 lha Exp $"); #ifndef HAVE_NETINFO +/* Gaah! I want a portable funopen */ +struct fileptr { + const char *s; + FILE *f; +}; + +static char * +config_fgets(char *str, size_t len, struct fileptr *ptr) +{ + /* XXX this is not correct, in that they don't do the same if the + line is longer than len */ + if(ptr->f != NULL) + return fgets(str, len, ptr->f); + else { + /* this is almost strsep_copy */ + const char *p; + ssize_t l; + if(*ptr->s == '\0') + return NULL; + p = ptr->s + strcspn(ptr->s, "\n"); + if(*p == '\n') + p++; + l = min(len, p - ptr->s); + if(len > 0) { + memcpy(str, ptr->s, l); + str[l] = '\0'; + } + ptr->s = p; + return str; + } +} + static krb5_error_code parse_section(char *p, krb5_config_section **s, krb5_config_section **res, const char **error_message); -static krb5_error_code parse_binding(FILE *f, unsigned *lineno, char *p, +static krb5_error_code parse_binding(struct fileptr *f, unsigned *lineno, char *p, krb5_config_binding **b, krb5_config_binding **parent, const char **error_message); -static krb5_error_code parse_list(FILE *f, unsigned *lineno, +static krb5_error_code parse_list(struct fileptr *f, unsigned *lineno, krb5_config_binding **parent, const char **error_message); @@ -114,7 +146,7 @@ parse_section(char *p, krb5_config_section **s, krb5_config_section **parent, */ static krb5_error_code -parse_list(FILE *f, unsigned *lineno, krb5_config_binding **parent, +parse_list(struct fileptr *f, unsigned *lineno, krb5_config_binding **parent, const char **error_message) { char buf[BUFSIZ]; @@ -122,7 +154,7 @@ parse_list(FILE *f, unsigned *lineno, krb5_config_binding **parent, krb5_config_binding *b = NULL; unsigned beg_lineno = *lineno; - while(fgets(buf, sizeof(buf), f) != NULL) { + while(config_fgets(buf, sizeof(buf), f) != NULL) { char *p; ++*lineno; 
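Review bot: config_fgets can write one byte past the caller's buffer: `l = min(len, p - ptr->s)` allows `l == len` when the line is at least `len` bytes long, and `str[l] = '\0'` then stores to `str[len]`, which for the `buf[BUFSIZ]` callers in parse_list and krb5_config_parse_debug is an off-by-one overflow reachable from any long line in a string handed to krb5_config_parse_string_multi. fgets copies at most `len - 1` characters, so the bound should be `l = min(len - 1, (size_t)(p - ptr->s));` inside the existing `if(len > 0)` guard. Advancing with `ptr->s += l;` instead of `ptr->s = p;` would also hand the remainder of an over-long line back on the next call, matching fgets and resolving the XXX comment. `l` is a ssize_t compared against a size_t inside `min`, which the `(size_t)` cast on the pointer difference settles.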
@@ -153,7 +185,7 @@ parse_list(FILE *f, unsigned *lineno, krb5_config_binding **parent, */ static krb5_error_code -parse_binding(FILE *f, unsigned *lineno, char *p, +parse_binding(struct fileptr *f, unsigned *lineno, char *p, krb5_config_binding **b, krb5_config_binding **parent, const char **error_message) { @@ -209,26 +241,17 @@ parse_binding(FILE *f, unsigned *lineno, char *p, */ static krb5_error_code -krb5_config_parse_file_debug (const char *fname, - krb5_config_section **res, - unsigned *lineno, - const char **error_message) +krb5_config_parse_debug (struct fileptr *f, + krb5_config_section **res, + unsigned *lineno, + const char **error_message) { - FILE *f; - krb5_config_section *s; - krb5_config_binding *b; + krb5_config_section *s = NULL; + krb5_config_binding *b = NULL; char buf[BUFSIZ]; - krb5_error_code ret = 0; + krb5_error_code ret; - s = NULL; - b = NULL; - *lineno = 0; - f = fopen (fname, "r"); - if (f == NULL) { - *error_message = "cannot open file"; - return ENOENT; - } - while (fgets(buf, sizeof(buf), f) != NULL) { + while (config_fgets(buf, sizeof(buf), f) != NULL) { char *p; ++*lineno; 
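Review bot: With `*lineno = 0;` removed from krb5_config_parse_debug, correct line numbers in error messages now depend on every caller initialising the counter, which the two callers in config_file.c do but the function itself no longer documents. A comment above the signature such as `/* *lineno must be initialised by the caller; it is incremented once per line read */` would pin that contract, together with `/* f is either a FILE or an in-memory string, see config_fgets */` for the new parameter type. The body of krb5_config_parse_debug continues past this hunk.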
@@ -241,40 +264,64 @@ krb5_config_parse_file_debug (const char *fname, continue; if (*p == '[') { ret = parse_section(p, &s, res, error_message); - if (ret) { - goto out; - } + if (ret) + return ret; b = NULL; } else if (*p == '}') { *error_message = "unmatched }"; - ret = EINVAL; /* XXX */ - goto out; + return EINVAL; /* XXX */ } else if(*p != '\0') { if (s == NULL) { *error_message = "binding before section"; - ret = EINVAL; - goto out; + return EINVAL; } ret = parse_binding(f, lineno, p, &b, &s->u.list, error_message); if (ret) - goto out; + return ret; } } -out: - fclose (f); - return ret; + return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_config_parse_string_multi(krb5_context context, + const char *string, + krb5_config_section **res) +{ + const char *str; + unsigned lineno = 0; + krb5_error_code ret; + struct fileptr f; + f.f = NULL; + f.s = string; + + ret = krb5_config_parse_debug (&f, res, &lineno, &str); + if (ret) { + krb5_set_error_string (context, "%s:%u: %s", "<constant>", lineno, str); + return ret; + } + return 0; +} + +krb5_error_code KRB5_LIB_FUNCTION krb5_config_parse_file_multi (krb5_context context, const char *fname, krb5_config_section **res) { const char *str; - unsigned lineno; + unsigned lineno = 0; krb5_error_code ret; + struct fileptr f; + f.f = fopen(fname, "r"); + f.s = NULL; + if(f.f == NULL) { + ret = errno; + krb5_set_error_string (context, "open %s: %s", fname, strerror(ret)); + return ret; + } - ret = krb5_config_parse_file_debug (fname, res, &lineno, &str); + ret = krb5_config_parse_debug (&f, res, &lineno, &str); + fclose(f.f); if (ret) { krb5_set_error_string (context, "%s:%u: %s", fname, lineno, str); return ret; @@ -282,7 +329,7 @@ krb5_config_parse_file_multi (krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_config_parse_file (krb5_context context, const char *fname, krb5_config_section **res) 
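Review bot: krb5_config_parse_string_multi passes `string` straight into `f.s`, and config_fgets dereferences `*ptr->s` without a NULL check, so a NULL argument crashes inside the parser rather than failing at the API boundary; a guard `if (string == NULL) return EINVAL;` before the parse call closes that. In krb5_config_parse_file_multi, `ret = errno;` relies on fopen having set errno on failure, which POSIX guarantees but the C standard does not, so `if (ret == 0) ret = ENOENT;` is a cheap safeguard. On a parse error both functions return with sections that parse_section already attached to `*res` still in place, so the caller owns and must free the partial result; a comment above each function saying so would prevent leaks in new callers.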
@@ -313,7 +360,7 @@ free_binding (krb5_context context, krb5_config_binding *b) } } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_config_file_free (krb5_context context, krb5_config_section *s) { free_binding (context, s); @@ -443,7 +490,7 @@ krb5_config_vget_list (krb5_context context, return krb5_config_vget (context, c, krb5_config_list, args); } -const char * +const char* KRB5_LIB_FUNCTION krb5_config_get_string (krb5_context context, const krb5_config_section *c, ...) @@ -457,7 +504,7 @@ krb5_config_get_string (krb5_context context, return ret; } -const char * +const char* KRB5_LIB_FUNCTION krb5_config_vget_string (krb5_context context, const krb5_config_section *c, va_list args) @@ -465,7 +512,7 @@ krb5_config_vget_string (krb5_context context, return krb5_config_vget (context, c, krb5_config_string, args); } -const char * +const char* KRB5_LIB_FUNCTION krb5_config_vget_string_default (krb5_context context, const krb5_config_section *c, const char *def_value, @@ -479,7 +526,7 @@ krb5_config_vget_string_default (krb5_context context, return ret; } -const char * +const char* KRB5_LIB_FUNCTION krb5_config_get_string_default (krb5_context context, const krb5_config_section *c, const char *def_value, @@ -494,7 +541,7 @@ krb5_config_get_string_default (krb5_context context, return ret; } -char ** +char ** KRB5_LIB_FUNCTION krb5_config_vget_strings(krb5_context context, const krb5_config_section *c, va_list args) @@ -554,7 +601,7 @@ krb5_config_get_strings(krb5_context context, return ret; } -void +void KRB5_LIB_FUNCTION krb5_config_free_strings(char **strings) { char **s = strings; @@ -565,7 +612,7 @@ krb5_config_free_strings(char **strings) free(strings); } -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_config_vget_bool_default (krb5_context context, const krb5_config_section *c, krb5_boolean def_value, 
@@ -581,7 +628,7 @@ krb5_config_vget_bool_default (krb5_context context, return FALSE; } -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_config_vget_bool (krb5_context context, const krb5_config_section *c, va_list args) @@ -589,7 +636,7 @@ krb5_config_vget_bool (krb5_context context, return krb5_config_vget_bool_default (context, c, FALSE, args); } -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_config_get_bool_default (krb5_context context, const krb5_config_section *c, krb5_boolean def_value, @@ -603,7 +650,7 @@ krb5_config_get_bool_default (krb5_context context, return ret; } -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_config_get_bool (krb5_context context, const krb5_config_section *c, ...) @@ -616,20 +663,24 @@ krb5_config_get_bool (krb5_context context, return ret; } -int +int KRB5_LIB_FUNCTION krb5_config_vget_time_default (krb5_context context, const krb5_config_section *c, int def_value, va_list args) { const char *str; + krb5_deltat t; + str = krb5_config_vget_string (context, c, args); if(str == NULL) return def_value; - return parse_time (str, NULL); + if (krb5_string_to_deltat(str, &t)) + return def_value; + return t; } -int +int KRB5_LIB_FUNCTION krb5_config_vget_time (krb5_context context, const krb5_config_section *c, va_list args) @@ -637,7 +688,7 @@ krb5_config_vget_time (krb5_context context, return krb5_config_vget_time_default (context, c, -1, args); } -int +int KRB5_LIB_FUNCTION krb5_config_get_time_default (krb5_context context, const krb5_config_section *c, int def_value, @@ -651,7 +702,7 @@ krb5_config_get_time_default (krb5_context context, return ret; } -int +int KRB5_LIB_FUNCTION krb5_config_get_time (krb5_context context, const krb5_config_section *c, ...) @@ -665,7 +716,7 @@ krb5_config_get_time (krb5_context context, } -int +int KRB5_LIB_FUNCTION krb5_config_vget_int_default (krb5_context context, const krb5_config_section *c, int def_value, 
@@ -686,7 +737,7 @@ krb5_config_vget_int_default (krb5_context context, } } -int +int KRB5_LIB_FUNCTION krb5_config_vget_int (krb5_context context, const krb5_config_section *c, va_list args) @@ -694,7 +745,7 @@ krb5_config_vget_int (krb5_context context, return krb5_config_vget_int_default (context, c, -1, args); } -int +int KRB5_LIB_FUNCTION krb5_config_get_int_default (krb5_context context, const krb5_config_section *c, int def_value, @@ -708,7 +759,7 @@ krb5_config_get_int_default (krb5_context context, return ret; } -int +int KRB5_LIB_FUNCTION krb5_config_get_int (krb5_context context, const krb5_config_section *c, ...) diff --git a/kerberosV/src/lib/krb5/constants.c b/kerberosV/src/lib/krb5/constants.c index b21f6424678..e67756a18aa 100644 --- a/kerberosV/src/lib/krb5/constants.c +++ b/kerberosV/src/lib/krb5/constants.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,11 @@ #include "krb5_locl.h" -RCSID("$KTH: constants.c,v 1.7 2002/08/16 20:52:15 joda Exp $"); +RCSID("$KTH: constants.c,v 1.8 2004/09/23 07:57:37 joda Exp $"); -const char *krb5_config_file = SYSCONFDIR "/krb5.conf:/etc/krb5.conf"; +const char *krb5_config_file = +#ifdef __APPLE__ +"/Library/Preferences/edu.mit.Kerberos:" +#endif +SYSCONFDIR "/krb5.conf:/etc/krb5.conf"; const char *krb5_defkeyname = KEYTAB_DEFAULT; diff --git a/kerberosV/src/lib/krb5/context.c b/kerberosV/src/lib/krb5/context.c index 7ab49ff1f2c..b442f195d0e 100644 --- a/kerberosV/src/lib/krb5/context.c +++ b/kerberosV/src/lib/krb5/context.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * 
@@ -34,7 +34,7 @@ #include "krb5_locl.h" #include <com_err.h> -RCSID("$KTH: context.c,v 1.83.2.1 2004/08/20 15:30:24 lha Exp $"); +RCSID("$KTH: context.c,v 1.102 2005/05/18 04:20:50 lha Exp $"); #define INIT_FIELD(C, T, E, D, F) \ (C)->E = krb5_config_get_ ## T ## _default ((C), NULL, (D), \ @@ -65,8 +65,12 @@ set_etypes (krb5_context context, return ENOMEM; } for(j = 0, k = 0; j < i; j++) { - if(krb5_string_to_enctype(context, etypes_str[j], &etypes[k]) == 0) - k++; + krb5_enctype e; + if(krb5_string_to_enctype(context, etypes_str[j], &e) != 0) + continue; + if (krb5_enctype_valid(context, e) != 0) + continue; + etypes[k++] = e; } etypes[k] = ETYPE_NULL; krb5_config_free_strings(etypes_str); @@ -176,21 +180,31 @@ init_context_from_config_file(krb5_context context) /* prefer dns_lookup_kdc over srv_lookup. */ INIT_FIELD(context, bool, srv_lookup, TRUE, "srv_lookup"); INIT_FIELD(context, bool, srv_lookup, context->srv_lookup, "dns_lookup_kdc"); + INIT_FIELD(context, int, large_msg_size, 6000, "large_message_size"); context->default_cc_name = NULL; return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_init_context(krb5_context *context) { krb5_context p; krb5_error_code ret; char **files; + *context = NULL; + p = calloc(1, sizeof(*p)); if(!p) return ENOMEM; + p->mutex = malloc(sizeof(HEIMDAL_MUTEX)); + if (p->mutex == NULL) { + free(p); + return ENOMEM; + } + HEIMDAL_MUTEX_init(p->mutex); + ret = krb5_get_default_config_files(&files); if(ret) goto out; 
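Review bot: krb5_init_context now allocates `p->mutex` before `krb5_get_default_config_files`, so every later `goto out` path must release both `p` and the mutex; whether the `out:` label does that is not visible here (only `out:` and `return ret;` appear in the following hunk), and if it frees `p` with a plain `free()` rather than krb5_free_context the mutex allocation leaks on every failed init. A one-line comment at the allocation, `/* released via krb5_free_context on the out: path */`, or routing the failure path through krb5_free_context would make the ownership explicit. The rest of krb5_init_context continues outside this hunk.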
@@ -204,12 +218,18 @@ krb5_init_context(krb5_context *context) p->cc_ops = NULL; p->num_cc_ops = 0; + krb5_cc_register(p, &krb5_acc_ops, TRUE); krb5_cc_register(p, &krb5_fcc_ops, TRUE); krb5_cc_register(p, &krb5_mcc_ops, TRUE); +#ifdef HAVE_KCM + krb5_cc_register(p, &krb5_kcm_ops, TRUE); +#endif p->num_kt_types = 0; p->kt_types = NULL; krb5_kt_register (p, &krb5_fkt_ops); + krb5_kt_register (p, &krb5_wrfkt_ops); + krb5_kt_register (p, &krb5_javakt_ops); krb5_kt_register (p, &krb5_mkt_ops); krb5_kt_register (p, &krb5_akf_ops); krb5_kt_register (p, &krb4_fkt_ops); @@ -225,7 +245,7 @@ out: return ret; } -void +void KRB5_LIB_FUNCTION krb5_free_context(krb5_context context) { if (context->default_cc_name) @@ -242,17 +262,22 @@ krb5_free_context(krb5_context context) krb5_closelog(context, context->warn_dest); krb5_set_extra_addresses(context, NULL); krb5_set_ignore_addresses(context, NULL); + if (context->mutex != NULL) { + HEIMDAL_MUTEX_destroy(context->mutex); + free(context->mutex); + } + memset(context, 0, sizeof(*context)); free(context); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_set_config_files(krb5_context context, char **filenames) { krb5_error_code ret; krb5_config_binding *tmp = NULL; while(filenames != NULL && *filenames != NULL && **filenames != '\0') { ret = krb5_config_parse_file_multi(context, *filenames, &tmp); - if(ret != 0 && ret != ENOENT) { + if(ret != 0 && ret != ENOENT && ret != EACCES) { krb5_config_file_free(context, tmp); return ret; } 
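Review bot: Extending the skip list in krb5_set_config_files to `ret != EACCES` means a krb5.conf that exists but is unreadable is now silently ignored and the library proceeds with built-in defaults, which for a Kerberos client can mean falling back to DNS-based realm and KDC discovery with no indication that the configured policy was dropped. Even if the silent skip is wanted for the multi-file search path, the condition needs a comment justifying it, e.g. `/* missing or unreadable files are skipped so the remaining files in the list still apply */`, and a warning when EACCES is hit would help operators notice a permissions mistake. The mutex teardown in krb5_free_context looks right; note that the `memset` before `free` is a best-effort wipe that a compiler may treat as a dead store.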
@@ -270,54 +295,124 @@ krb5_set_config_files(krb5_context context, char **filenames) return ret; } -krb5_error_code -krb5_get_default_config_files(char ***pfilenames) +static krb5_error_code +add_file(char ***pfilenames, int *len, char *file) { - const char *p, *q; - char **pp; - int n, i; + char **pp = *pfilenames; + int i; - const char *files = NULL; - if (pfilenames == NULL) - return EINVAL; - if(!issuid()) - files = getenv("KRB5_CONFIG"); - if (files == NULL) - files = krb5_config_file; + for(i = 0; i < *len; i++) { + if(strcmp(pp[i], file) == 0) { + free(file); + return 0; + } + } - for(n = 0, p = files; strsep_copy(&p, ":", NULL, 0) != -1; n++); - pp = malloc((n + 1) * sizeof(*pp)); - if(pp == NULL) + pp = realloc(*pfilenames, (*len + 2) * sizeof(*pp)); + if (pp == NULL) { + free(file); return ENOMEM; + } - n = 0; - p = files; + pp[*len] = file; + pp[*len + 1] = NULL; + *pfilenames = pp; + *len += 1; + return 0; +} + +/* + * `pq' isn't free, its up the the caller + */ + +krb5_error_code KRB5_LIB_FUNCTION +krb5_prepend_config_files(const char *filelist, char **pq, char ***ret_pp) +{ + krb5_error_code ret; + const char *p, *q; + char **pp; + int len; + char *fn; + + pp = NULL; + + len = 0; + p = filelist; while(1) { ssize_t l; q = p; l = strsep_copy(&q, ":", NULL, 0); if(l == -1) break; - pp[n] = malloc(l + 1); - if(pp[n] == NULL) { + fn = malloc(l + 1); + if(fn == NULL) { krb5_free_config_files(pp); return ENOMEM; } - l = strsep_copy(&p, ":", pp[n], l + 1); - for(i = 0; i < n; i++) - if(strcmp(pp[i], pp[n]) == 0) { - free(pp[n]); - goto skip; + l = strsep_copy(&p, ":", fn, l + 1); + ret = add_file(&pp, &len, fn); + if (ret) { + krb5_free_config_files(pp); + return ret; + } + } + + if (pq != NULL) { + int i; + + for (i = 0; pq[i] != NULL; i++) { + fn = strdup(pq[i]); + if (fn == NULL) { + krb5_free_config_files(pp); + return ENOMEM; } - n++; - skip:; + ret = add_file(&pp, &len, fn); + if (ret) { + krb5_free_config_files(pp); + return ret; + } + } } - pp[n] = 
NULL; + + *ret_pp = pp; + return 0; +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_prepend_config_files_default(const char *filelist, char ***pfilenames) +{ + krb5_error_code ret; + char **defpp, **pp = NULL; + + ret = krb5_get_default_config_files(&defpp); + if (ret) + return ret; + + ret = krb5_prepend_config_files(filelist, defpp, &pp); + krb5_free_config_files(defpp); + if (ret) { + return ret; + } *pfilenames = pp; return 0; } -void +krb5_error_code KRB5_LIB_FUNCTION +krb5_get_default_config_files(char ***pfilenames) +{ + const char *files = NULL; + + if (pfilenames == NULL) + return EINVAL; + if(!issuid()) + files = getenv("KRB5_CONFIG"); + if (files == NULL) + files = krb5_config_file; + + return krb5_prepend_config_files(files, NULL, pfilenames); +} + +void KRB5_LIB_FUNCTION krb5_free_config_files(char **filenames) { char **p; 
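Review bot: The comment above krb5_prepend_config_files, "`pq' isn't free, its up the the caller", should state the full ownership contract: `filelist` entries are copied, `pq` entries are duplicated with strdup and never freed here, and add_file takes ownership of `fn` on every path (it frees it on a duplicate and on realloc failure, keeps it on success), so a caller must never free `fn` after a failed add_file call. Wording such as `/* builds *ret_pp from filelist followed by pq, dropping duplicates; pq is only read, the caller keeps ownership of it */` fixes both the grammar and the gap, and a matching `/* takes ownership of file on all paths */` belongs above add_file. A NULL `filelist` reaches `strsep_copy(&q, ":", NULL, 0)` unchecked, so it is presumably the caller's job to pass a string; if that is not guaranteed, `if (filelist == NULL) return EINVAL;` is cheap.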
@@ -334,38 +429,50 @@ static krb5_error_code default_etypes(krb5_context context, krb5_enctype **etype) { krb5_enctype p[] = { + ETYPE_AES256_CTS_HMAC_SHA1_96, + ETYPE_AES128_CTS_HMAC_SHA1_96, ETYPE_DES3_CBC_SHA1, ETYPE_DES3_CBC_MD5, ETYPE_ARCFOUR_HMAC_MD5, ETYPE_DES_CBC_MD5, ETYPE_DES_CBC_MD4, - ETYPE_DES_CBC_CRC, - ETYPE_NULL + ETYPE_DES_CBC_CRC }; - - *etype = malloc(sizeof(p)); - if(*etype == NULL) { - krb5_set_error_string (context, "malloc: out of memory"); - return ENOMEM; + krb5_enctype *e = NULL, *ep; + int i, n = 0; + + for (i = 0; i < sizeof(p)/sizeof(p[0]); i++) { + if (krb5_enctype_valid(context, p[i]) != 0) + continue; + ep = realloc(e, (n + 2) * sizeof(*e)); + if (ep == NULL) { + free(e); + krb5_set_error_string (context, "malloc: out of memory"); + return ENOMEM; + } + e = ep; + e[n] = p[i]; + e[n + 1] = ETYPE_NULL; + n++; } - memcpy(*etype, p, sizeof(p)); + *etype = e; return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_set_default_in_tkt_etypes(krb5_context context, const krb5_enctype *etypes) { - int i; krb5_enctype *p = NULL; + int i; if(etypes) { - for (i = 0; etypes[i]; ++i) - if(!krb5_enctype_valid(context, etypes[i])) { - krb5_set_error_string(context, "enctype %d not supported", - etypes[i]); - return KRB5_PROG_ETYPE_NOSUPP; - } + for (i = 0; etypes[i]; ++i) { + krb5_error_code ret; + ret = krb5_enctype_valid(context, etypes[i]); + if (ret) + return ret; + } ++i; ALLOC(p, i); if(!p) { @@ -381,7 +488,7 @@ krb5_set_default_in_tkt_etypes(krb5_context context, } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_default_in_tkt_etypes(krb5_context context, krb5_enctype **etypes) { @@ -407,7 +514,7 @@ krb5_get_default_in_tkt_etypes(krb5_context context, return 0; } -const char * +const char* KRB5_LIB_FUNCTION krb5_get_err_text(krb5_context context, krb5_error_code code) { const char *p = NULL; 
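Review bot: default_etypes can now succeed with `*etype == NULL`: when krb5_enctype_valid rejects every entry of `p` the loop never allocates, `e` stays NULL and the function returns 0, so a caller that walks the list up to ETYPE_NULL dereferences a null pointer. Either reject the empty case, `if (n == 0) { krb5_set_error_string(context, "no supported default enctypes"); return KRB5_PROG_ETYPE_NOSUPP; }`, or allocate a one-element `ETYPE_NULL` list before the loop so an empty result is still a valid terminated list. The loop index `i` is an `int` compared against `sizeof(p)/sizeof(p[0])`, which trips -Wsign-compare; `size_t i` is the clean fix.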
@@ -420,7 +527,7 @@ krb5_get_err_text(krb5_context context, krb5_error_code code) return p; } -void +void KRB5_LIB_FUNCTION krb5_init_ets(krb5_context context) { if(context->et_list == NULL){ @@ -431,19 +538,19 @@ krb5_init_ets(krb5_context context) } } -void +void KRB5_LIB_FUNCTION krb5_set_use_admin_kdc (krb5_context context, krb5_boolean flag) { context->use_admin_kdc = flag; } -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_get_use_admin_kdc (krb5_context context) { return context->use_admin_kdc; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_add_extra_addresses(krb5_context context, krb5_addresses *addresses) { @@ -454,7 +561,7 @@ krb5_add_extra_addresses(krb5_context context, krb5_addresses *addresses) return krb5_set_extra_addresses(context, addresses); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_set_extra_addresses(krb5_context context, const krb5_addresses *addresses) { if(context->extra_addresses) @@ -477,7 +584,7 @@ krb5_set_extra_addresses(krb5_context context, const krb5_addresses *addresses) return krb5_copy_addresses(context, addresses, context->extra_addresses); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_extra_addresses(krb5_context context, krb5_addresses *addresses) { if(context->extra_addresses == NULL) { @@ -487,7 +594,7 @@ krb5_get_extra_addresses(krb5_context context, krb5_addresses *addresses) return krb5_copy_addresses(context,context->extra_addresses, addresses); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_add_ignore_addresses(krb5_context context, krb5_addresses *addresses) { @@ -498,7 +605,7 @@ krb5_add_ignore_addresses(krb5_context context, krb5_addresses *addresses) return krb5_set_ignore_addresses(context, addresses); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_set_ignore_addresses(krb5_context context, const krb5_addresses *addresses) { if(context->ignore_addresses) 
@@ -520,7 +627,7 @@ krb5_set_ignore_addresses(krb5_context context, const krb5_addresses *addresses) return krb5_copy_addresses(context, addresses, context->ignore_addresses); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_ignore_addresses(krb5_context context, krb5_addresses *addresses) { if(context->ignore_addresses == NULL) { @@ -530,16 +637,26 @@ krb5_get_ignore_addresses(krb5_context context, krb5_addresses *addresses) return krb5_copy_addresses(context, context->ignore_addresses, addresses); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_set_fcache_version(krb5_context context, int version) { context->fcache_vno = version; return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_fcache_version(krb5_context context, int *version) { *version = context->fcache_vno; return 0; } + +krb5_boolean KRB5_LIB_FUNCTION +krb5_is_thread_safe(void) +{ +#ifdef ENABLE_PTHREAD_SUPPORT + return TRUE; +#else + return FALSE; +#endif +} diff --git a/kerberosV/src/lib/krb5/crypto.c b/kerberosV/src/lib/krb5/crypto.c index 98a1eac1d67..ad584732827 100644 --- a/kerberosV/src/lib/krb5/crypto.c +++ b/kerberosV/src/lib/krb5/crypto.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -32,7 +32,7 @@ */ #include "krb5_locl.h" -RCSID("$KTH: crypto.c,v 1.73.2.4 2004/03/06 16:38:00 lha Exp $"); +RCSID("$KTH: crypto.c,v 1.120.2.1 2005/08/11 07:56:11 lha Exp $"); #undef CRYPTO_DEBUG #ifdef CRYPTO_DEBUG @@ -55,8 +55,11 @@ struct krb5_crypto_data { struct key_data key; int num_key_usage; struct key_usage *key_usage; + void *params; }; +#define kcrypto_oid_enc(n) { sizeof(n)/sizeof(n[0]), n } + #define CRYPTO_ETYPE(C) ((C)->et->type) /* bits for `flags' below */ 
@@ -66,6 +69,8 @@ struct krb5_crypto_data { #define F_VARIANT 8 /* uses `variant' keys (6.4.3) */ #define F_PSEUDO 16 /* not a real protocol type */ #define F_SPECIAL 32 /* backwards */ +#define F_DISABLED 64 /* enctype/checksum disabled */ +#define F_PADCMS 128 /* padding done like in CMS */ struct salt_type { krb5_salttype type; @@ -79,13 +84,19 @@ struct key_type { const char *name; size_t bits; size_t size; + size_t minsize; size_t schedule_size; #if 0 krb5_enctype best_etype; #endif void (*random_key)(krb5_context, krb5_keyblock*); - void (*schedule)(krb5_context, struct key_data *); + void (*schedule)(krb5_context, struct key_data *, const void *); struct salt_type *string_to_key; + void (*random_to_key)(krb5_context, krb5_keyblock*, const void*, size_t); + krb5_error_code (*get_params)(krb5_context, const krb5_data *, + void **, krb5_data *); + krb5_error_code (*set_params)(krb5_context, const void *, + const krb5_data *, krb5_data *); }; struct checksum_type { @@ -109,6 +120,7 @@ struct checksum_type { struct encryption_type { krb5_enctype type; const char *name; + heim_oid *oid; size_t blocksize; size_t padsize; size_t confoundersize; 
@@ -147,34 +159,39 @@ static krb5_error_code hmac(krb5_context context, struct key_data *keyblock, Checksum *result); static void free_key_data(krb5_context context, struct key_data *key); -static krb5_error_code usage2arcfour (krb5_context, int *); +static krb5_error_code usage2arcfour (krb5_context, unsigned *); +static void xor (DES_cblock *, const unsigned char *); /************************************************************ * * ************************************************************/ +static HEIMDAL_MUTEX crypto_mutex = HEIMDAL_MUTEX_INITIALIZER; + + static void krb5_DES_random_key(krb5_context context, krb5_keyblock *key) { - des_cblock *k = key->keyvalue.data; + DES_cblock *k = key->keyvalue.data; do { - krb5_generate_random_block(k, sizeof(des_cblock)); - des_set_odd_parity(k); - } while(des_is_weak_key(k)); + krb5_generate_random_block(k, sizeof(DES_cblock)); + DES_set_odd_parity(k); + } while(DES_is_weak_key(k)); } static void krb5_DES_schedule(krb5_context context, - struct key_data *key) + struct key_data *key, + const void *params) { - des_set_key(key->key->keyvalue.data, key->schedule->data); + DES_set_key(key->key->keyvalue.data, key->schedule->data); } static void -DES_string_to_key_int(unsigned char *data, size_t length, des_cblock *key) +DES_string_to_key_int(unsigned char *data, size_t length, DES_cblock *key) { - des_key_schedule schedule; + DES_key_schedule schedule; int i; int reverse = 0; unsigned char *p; 
@@ -193,13 +210,15 @@ DES_string_to_key_int(unsigned char *data, size_t length, des_cblock *key) if((i % 8) == 7) reverse = !reverse; } - des_set_odd_parity(key); - if(des_is_weak_key(key)) + DES_set_odd_parity(key); + if(DES_is_weak_key(key)) + (*key)[7] ^= 0xF0; + DES_set_key(key, &schedule); + DES_cbc_cksum((void*)data, key, length, &schedule, key); + memset(&schedule, 0, sizeof(schedule)); + DES_set_odd_parity(key); + if(DES_is_weak_key(key)) (*key)[7] ^= 0xF0; - des_set_key(key, schedule); - des_cbc_cksum((void*)data, key, length, schedule, key); - memset(schedule, 0, sizeof(schedule)); - des_set_odd_parity(key); } static krb5_error_code @@ -212,7 +231,7 @@ krb5_DES_string_to_key(krb5_context context, { unsigned char *s; size_t len; - des_cblock tmp; + DES_cblock tmp; len = password.length + salt.saltvalue.length; s = malloc(len); @@ -243,7 +262,7 @@ krb5_DES_string_to_key(krb5_context context, static void krb5_DES_AFS3_CMU_string_to_key (krb5_data pw, krb5_data cell, - des_cblock *key) + DES_cblock *key) { char password[8+1]; /* crypt is limited to 8 chars anyway */ int i; @@ -256,14 +275,14 @@ krb5_DES_AFS3_CMU_string_to_key (krb5_data pw, } password[8] = '\0'; - memcpy(key, crypt(password, "p1") + 2, sizeof(des_cblock)); + memcpy(key, crypt(password, "p1") + 2, sizeof(DES_cblock)); /* parity is inserted into the LSB so left shift each byte up one bit. This allows ascii characters with a zero MSB to retain as much significance as possible. */ - for (i = 0; i < sizeof(des_cblock); i++) + for (i = 0; i < sizeof(DES_cblock); i++) ((unsigned char*)key)[i] <<= 1; - des_set_odd_parity (key); + DES_set_odd_parity (key); } /* 
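Review bot: The `memset(&schedule, 0, sizeof(schedule));` in DES_string_to_key_int clears a local whose lifetime ends at the closing brace, so a compiler may elide the store as dead and the expanded key schedule can remain on the stack; the same applies to the memsets of `schedule`, `temp_key`, `ivec` and `password` in krb5_DES_AFS3_Transarc_string_to_key (hunk `@@ -292,21 +311,20 @@`) and of `s`, `ivec` and `tmp` in DES3_string_to_key (hunk `@@ -394,29 +430,29 @@`). Key schedules and password copies should be wiped through a helper the optimizer cannot drop, such as a volatile-pointer byte loop or a platform explicit-zero call, with plain memset kept only for non-secret state. The weak-key fix-up `(*key)[7] ^= 0xF0` now runs both before and after DES_cbc_cksum; a one-line comment explaining why both passes are required would help the next reader.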
@@ -272,11 +291,11 @@ krb5_DES_AFS3_CMU_string_to_key (krb5_data pw, static void krb5_DES_AFS3_Transarc_string_to_key (krb5_data pw, krb5_data cell, - des_cblock *key) + DES_cblock *key) { - des_key_schedule schedule; - des_cblock temp_key; - des_cblock ivec; + DES_key_schedule schedule; + DES_cblock temp_key; + DES_cblock ivec; char password[512]; size_t passlen; @@ -292,21 +311,20 @@ krb5_DES_AFS3_Transarc_string_to_key (krb5_data pw, passlen = min(sizeof(password), pw.length + cell.length); memcpy(&ivec, "kerberos", 8); memcpy(&temp_key, "kerberos", 8); - des_set_odd_parity (&temp_key); - des_set_key (&temp_key, schedule); - des_cbc_cksum ((des_cblock *) password, &ivec, passlen, schedule, &ivec); + DES_set_odd_parity (&temp_key); + DES_set_key (&temp_key, &schedule); + DES_cbc_cksum ((void*)password, &ivec, passlen, &schedule, &ivec); memcpy(&temp_key, &ivec, 8); - des_set_odd_parity (&temp_key); - des_set_key (&temp_key, schedule); - des_cbc_cksum ((des_cblock *) password, (des_cblock *) key, passlen, - schedule, &ivec); + DES_set_odd_parity (&temp_key); + DES_set_key (&temp_key, &schedule); + DES_cbc_cksum ((void*)password, key, passlen, &schedule, &ivec); memset(&schedule, 0, sizeof(schedule)); memset(&temp_key, 0, sizeof(temp_key)); memset(&ivec, 0, sizeof(ivec)); memset(password, 0, sizeof(password)); - des_set_odd_parity (key); + DES_set_odd_parity (key); } static krb5_error_code @@ -317,7 +335,7 @@ DES_AFS3_string_to_key(krb5_context context, krb5_data opaque, krb5_keyblock *key) { - des_cblock tmp; + DES_cblock tmp; if(password.length > 8) krb5_DES_AFS3_Transarc_string_to_key(password, salt.saltvalue, &tmp); else 
@@ -329,29 +347,47 @@ DES_AFS3_string_to_key(krb5_context context, } static void +krb5_DES_random_to_key(krb5_context context, + krb5_keyblock *key, + const void *data, + size_t size) +{ + DES_cblock *k = key->keyvalue.data; + memcpy(k, data, key->keyvalue.length); + DES_set_odd_parity(k); + if(DES_is_weak_key(k)) + xor(k, (const unsigned char*)"\0\0\0\0\0\0\0\xf0"); +} + +/* + * + */ + +static void DES3_random_key(krb5_context context, krb5_keyblock *key) { - des_cblock *k = key->keyvalue.data; + DES_cblock *k = key->keyvalue.data; do { - krb5_generate_random_block(k, 3 * sizeof(des_cblock)); - des_set_odd_parity(&k[0]); - des_set_odd_parity(&k[1]); - des_set_odd_parity(&k[2]); - } while(des_is_weak_key(&k[0]) || - des_is_weak_key(&k[1]) || - des_is_weak_key(&k[2])); + krb5_generate_random_block(k, 3 * sizeof(DES_cblock)); + DES_set_odd_parity(&k[0]); + DES_set_odd_parity(&k[1]); + DES_set_odd_parity(&k[2]); + } while(DES_is_weak_key(&k[0]) || + DES_is_weak_key(&k[1]) || + DES_is_weak_key(&k[2])); } static void DES3_schedule(krb5_context context, - struct key_data *key) + struct key_data *key, + const void *params) { - des_cblock *k = key->key->keyvalue.data; - des_key_schedule *s = key->schedule->data; - des_set_key(&k[0], s[0]); - des_set_key(&k[1], s[1]); - des_set_key(&k[2], s[2]); + DES_cblock *k = key->key->keyvalue.data; + DES_key_schedule *s = key->schedule->data; + DES_set_key(&k[0], &s[0]); + DES_set_key(&k[1], &s[1]); + DES_set_key(&k[2], &s[2]); } /* @@ -359,7 +395,7 @@ DES3_schedule(krb5_context context, */ static void -xor (des_cblock *key, const unsigned char *b) +xor (DES_cblock *key, const unsigned char *b) { unsigned char *a = (unsigned char*)key; a[0] ^= b[0]; @@ -383,7 +419,7 @@ DES3_string_to_key(krb5_context context, char *str; size_t len; unsigned char tmp[24]; - des_cblock keys[3]; + DES_cblock keys[3]; len = password.length + salt.saltvalue.length; str = malloc(len); 
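Review bot: krb5_DES_random_to_key copies `key->keyvalue.length` bytes from `data` and never consults its `size` parameter, so a caller supplying fewer random bytes than the key length causes an over-read and a partially unspecified key; the same omission is in DES3_random_to_key in the hunk at `@@ -458,19 +494,48 @@`, which reads 21 bytes of `data` unconditionally. Since the key_type table fixes the void signature, at least `if (size < key->keyvalue.length) abort();` or a documented precondition `/* caller must supply at least keyvalue.length bytes in data */` is needed at the top of the function. The new `params` argument is unused in krb5_DES_schedule and DES3_schedule; a `(void)params;` or a short comment would make that deliberate.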
@@ -394,29 +430,29 @@ DES3_string_to_key(krb5_context context, memcpy(str, password.data, password.length); memcpy(str + password.length, salt.saltvalue.data, salt.saltvalue.length); { - des_cblock ivec; - des_key_schedule s[3]; + DES_cblock ivec; + DES_key_schedule s[3]; int i; _krb5_n_fold(str, len, tmp, 24); for(i = 0; i < 3; i++){ memcpy(keys + i, tmp + i * 8, sizeof(keys[i])); - des_set_odd_parity(keys + i); - if(des_is_weak_key(keys + i)) + DES_set_odd_parity(keys + i); + if(DES_is_weak_key(keys + i)) xor(keys + i, (const unsigned char*)"\0\0\0\0\0\0\0\xf0"); - des_set_key(keys + i, s[i]); + DES_set_key(keys + i, &s[i]); } memset(&ivec, 0, sizeof(ivec)); - des_ede3_cbc_encrypt((des_cblock *) tmp, - (des_cblock *) tmp, sizeof(tmp), - s[0], s[1], s[2], &ivec, DES_ENCRYPT); + DES_ede3_cbc_encrypt(tmp, + tmp, sizeof(tmp), + &s[0], &s[1], &s[2], &ivec, DES_ENCRYPT); memset(s, 0, sizeof(s)); memset(&ivec, 0, sizeof(ivec)); for(i = 0; i < 3; i++){ memcpy(keys + i, tmp + i * 8, sizeof(keys[i])); - des_set_odd_parity(keys + i); - if(des_is_weak_key(keys + i)) + DES_set_odd_parity(keys + i); + if(DES_is_weak_key(keys + i)) xor(keys + i, (const unsigned char*)"\0\0\0\0\0\0\0\xf0"); } memset(tmp, 0, sizeof(tmp)); 
@@ -458,19 +494,48 @@ DES3_string_to_key_derived(krb5_context context, return ret; } -/* - * ARCFOUR - */ - static void -ARCFOUR_random_key(krb5_context context, krb5_keyblock *key) +DES3_random_to_key(krb5_context context, + krb5_keyblock *key, + const void *data, + size_t size) { - krb5_generate_random_block (key->keyvalue.data, - key->keyvalue.length); + unsigned char *x = key->keyvalue.data; + const u_char *q = data; + DES_cblock *k; + int i, j; + + memset(x, 0, sizeof(x)); + for (i = 0; i < 3; ++i) { + unsigned char foo; + for (j = 0; j < 7; ++j) { + unsigned char b = q[7 * i + j]; + + x[8 * i + j] = b; + } + foo = 0; + for (j = 6; j >= 0; --j) { + foo |= q[7 * i + j] & 1; + foo <<= 1; + } + x[8 * i + 7] = foo; + } + k = key->keyvalue.data; + for (i = 0; i < 3; i++) { + DES_set_odd_parity(&k[i]); + if(DES_is_weak_key(&k[i])) + xor(&k[i], (const unsigned char*)"\0\0\0\0\0\0\0\xf0"); + } } +/* + * ARCFOUR + */ + static void -ARCFOUR_schedule(krb5_context context, struct key_data *kd) +ARCFOUR_schedule(krb5_context context, + struct key_data *kd, + const void *params) { RC4_set_key (kd->schedule->data, kd->key->keyvalue.length, kd->key->keyvalue.data); @@ -509,17 +574,16 @@ ARCFOUR_string_to_key(krb5_context context, return 0; } -#ifdef ENABLE_AES /* * AES */ /* iter is really 1 based, so iter == 0 will be 1 iteration */ -krb5_error_code -krb5_PKCS5_PBKDF2(krb5_context context, krb5_cksumtype cktype, - krb5_data password, krb5_salt salt, u_int32_t iter, - krb5_keytype type, krb5_keyblock *key) +krb5_error_code KRB5_LIB_FUNCTION +_krb5_PKCS5_PBKDF2(krb5_context context, krb5_cksumtype cktype, + krb5_data password, krb5_salt salt, u_int32_t iter, + krb5_keytype type, krb5_keyblock *key) { struct checksum_type *c = _find_checksum(cktype); struct key_type *kt; 
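Review bot: In DES3_random_to_key `memset(x, 0, sizeof(x));` clears only `sizeof(unsigned char *)` bytes because `x` is a pointer, not the 24-byte key; it should read `memset(x, 0, key->keyvalue.length);`. The mistake is masked because the loop assigns every byte of `x[0..23]`, but the line is misleading and will silently break if the loop changes. `size` is ignored while the loop reads `q[0..20]`, so a guard `if (size < 21 || key->keyvalue.length < 24) abort();` (the 7-to-8 byte expansion of RFC 3961 needs 21 input bytes for three DES keys) would catch a short input instead of over-reading. `u_char` is a BSD spelling; `unsigned char` would match the rest of the file.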
@@ -622,6 +686,8 @@ krb5_PKCS5_PBKDF2(krb5_context context, krb5_cksumtype cktype, return 0; } +int _krb5_AES_string_to_default_iterator = 4096; + static krb5_error_code AES_string_to_key(krb5_context context, krb5_enctype enctype, @@ -636,7 +702,7 @@ AES_string_to_key(krb5_context context, struct key_data kd; if (opaque.length == 0) - iter = 45056 - 1; + iter = _krb5_AES_string_to_default_iterator - 1; else if (opaque.length == 4) { unsigned long v; _krb5_get_int(opaque.data, &v, 4); @@ -649,8 +715,8 @@ AES_string_to_key(krb5_context context, if (et == NULL) return KRB5_PROG_KEYTYPE_NOSUPP; - ret = krb5_PKCS5_PBKDF2(context, CKSUMTYPE_SHA1, password, salt, - iter, enctype, key); + ret = _krb5_PKCS5_PBKDF2(context, CKSUMTYPE_SHA1, password, salt, + iter, enctype, key); if (ret) return ret; @@ -658,10 +724,8 @@ AES_string_to_key(krb5_context context, kd.schedule = NULL; ret = derive_key(context, et, &kd, "kerberos", strlen("kerberos")); - - if (ret) { - krb5_data_free(&key->keyvalue); - } else { + krb5_free_keyblock_contents(context, key); + if (ret == 0) { ret = krb5_copy_keyblock_contents(context, kd.key, key); free_key_data(context, &kd); } 
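Review bot: In the `@@ -658` hunk, `free_key_data(context, &kd);` is now reached only when derive_key succeeds, so on a failing derive_key whatever `kd` holds is never released, where the old code at least freed `key->keyvalue` on that path. If `kd.key` is a separately allocated copy of `key` (set up above the hunk, not visible here), the fix is to move `free_key_data(context, &kd);` below the `if (ret == 0)` block so it runs on both paths. Separately, `int _krb5_AES_string_to_default_iterator = 4096;` is a writable, non-static global consulted by AES_string_to_key whenever `opaque` is empty; a one-line comment saying it exists so tests can lower the PBKDF2 cost and that production code must leave it at the (presumably RFC 3962) default of 4096 would stop anyone treating it as a tunable. AES_string_to_key starts before these hunks.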
@@ -669,115 +733,314 @@ AES_string_to_key(krb5_context context, return ret; } +struct krb5_aes_schedule { + AES_KEY ekey; + AES_KEY dkey; +}; + static void -AES_schedule(krb5_context context, struct key_data *kd) +AES_schedule(krb5_context context, + struct key_data *kd, + const void *params) { - AES_KEY *key = kd->schedule->data; + struct krb5_aes_schedule *key = kd->schedule->data; int bits = kd->key->keyvalue.length * 8; - - AES_set_encrypt_key(kd->key->keyvalue.data, bits, &key[0]); - AES_set_decrypt_key(kd->key->keyvalue.data, bits, &key[1]); + + memset(key, 0, sizeof(*key)); + AES_set_encrypt_key(kd->key->keyvalue.data, bits, &key->ekey); + AES_set_decrypt_key(kd->key->keyvalue.data, bits, &key->dkey); } /* + * RC2 + */ + +struct _RC2_params { + int maximum_effective_key; +}; + +static krb5_error_code +rc2_get_params(krb5_context context, + const krb5_data *data, + void **params, + krb5_data *ivec) +{ + RC2CBCParameter rc2params; + struct _RC2_params *p; + krb5_error_code ret; + size_t size; + + ret = decode_RC2CBCParameter(data->data, data->length, &rc2params, &size); + if (ret) { + krb5_set_error_string(context, "Can't decode RC2 parameters"); + return ret; + } + p = malloc(sizeof(*p)); + if (p == NULL) { + free_RC2CBCParameter(&rc2params); + krb5_set_error_string(context, "malloc - out of memory"); + return ENOMEM; + } + /* XXX */ + switch(rc2params.rc2ParameterVersion) { + case 160: + p->maximum_effective_key = 40; + break; + case 120: + p->maximum_effective_key = 64; + break; + case 58: + p->maximum_effective_key = 128; + break; + + } + if (ivec) + ret = copy_octet_string(&rc2params.iv, ivec); + free_RC2CBCParameter(&rc2params); + *params = p; + + return ret; +} + +static krb5_error_code +rc2_set_params(krb5_context context, + const void *params, + const krb5_data *ivec, + krb5_data *data) +{ + RC2CBCParameter rc2params; + const struct _RC2_params *p = params; + int maximum_effective_key = 128; + krb5_error_code ret; + size_t size; + + memset(&rc2params, 
0, sizeof(rc2params)); + + if (p) + maximum_effective_key = p->maximum_effective_key; + + /* XXX */ + switch(maximum_effective_key) { + case 40: + rc2params.rc2ParameterVersion = 160; + break; + case 64: + rc2params.rc2ParameterVersion = 120; + break; + case 128: + rc2params.rc2ParameterVersion = 58; + break; + } + ret = copy_octet_string(ivec, &rc2params.iv); + if (ret) + return ret; + + ASN1_MALLOC_ENCODE(RC2CBCParameter, data->data, data->length, + &rc2params, &size, ret); + if (ret == 0 && size != data->length) + krb5_abortx(context, "Internal asn1 encoder failure"); + free_RC2CBCParameter(&rc2params); + + return ret; +} + +static void +rc2_schedule(krb5_context context, + struct key_data *kd, + const void *params) +{ + const struct _RC2_params *p = params; + int maximum_effective_key = 128; + if (p) + maximum_effective_key = p->maximum_effective_key; + RC2_set_key (kd->schedule->data, + kd->key->keyvalue.length, + kd->key->keyvalue.data, + maximum_effective_key); +} + + +/* * */ -extern struct salt_type AES_salt[]; +static struct salt_type des_salt[] = { + { + KRB5_PW_SALT, + "pw-salt", + krb5_DES_string_to_key + }, + { + KRB5_AFS3_SALT, + "afs3-salt", + DES_AFS3_string_to_key + }, + { 0 } +}; + +static struct salt_type des3_salt[] = { + { + KRB5_PW_SALT, + "pw-salt", + DES3_string_to_key + }, + { 0 } +}; + +static struct salt_type des3_salt_derived[] = { + { + KRB5_PW_SALT, + "pw-salt", + DES3_string_to_key_derived + }, + { 0 } +}; -#endif /* ENABLE_AES */ +static struct salt_type AES_salt[] = { + { + KRB5_PW_SALT, + "pw-salt", + AES_string_to_key + }, + { 0 } +}; + +static struct salt_type arcfour_salt[] = { + { + KRB5_PW_SALT, + "pw-salt", + ARCFOUR_string_to_key + }, + { 0 } +}; -extern struct salt_type des_salt[], - des3_salt[], des3_salt_derived[], arcfour_salt[]; +/* + * + */ -struct key_type keytype_null = { +static struct key_type keytype_null = { KEYTYPE_NULL, "null", 0, 0, 0, + 0, NULL, NULL, NULL }; -struct key_type keytype_des = { +static struct 
key_type keytype_des = { KEYTYPE_DES, "des", 56, - sizeof(des_cblock), - sizeof(des_key_schedule), + sizeof(DES_cblock), + sizeof(DES_cblock), + sizeof(DES_key_schedule), krb5_DES_random_key, krb5_DES_schedule, - des_salt + des_salt, + krb5_DES_random_to_key }; -struct key_type keytype_des3 = { +static struct key_type keytype_des3 = { KEYTYPE_DES3, "des3", 168, - 3 * sizeof(des_cblock), - 3 * sizeof(des_key_schedule), + 3 * sizeof(DES_cblock), + 3 * sizeof(DES_cblock), + 3 * sizeof(DES_key_schedule), DES3_random_key, DES3_schedule, - des3_salt + des3_salt, + DES3_random_to_key }; -struct key_type keytype_des3_derived = { +static struct key_type keytype_des3_derived = { KEYTYPE_DES3, "des3", 168, - 3 * sizeof(des_cblock), - 3 * sizeof(des_key_schedule), + 3 * sizeof(DES_cblock), + 3 * sizeof(DES_cblock), + 3 * sizeof(DES_key_schedule), DES3_random_key, DES3_schedule, - des3_salt_derived + des3_salt_derived, + DES3_random_to_key }; -#ifdef ENABLE_AES -struct key_type keytype_aes128 = { +static struct key_type keytype_aes128 = { KEYTYPE_AES128, "aes-128", 128, 16, - sizeof(AES_KEY) * 2, + 16, + sizeof(struct krb5_aes_schedule), + NULL, + AES_schedule, + AES_salt +}; + +static struct key_type keytype_aes192 = { + KEYTYPE_AES192, + "aes-192", + 192, + 24, + 24, + sizeof(struct krb5_aes_schedule), NULL, AES_schedule, AES_salt }; -struct key_type keytype_aes256 = { +static struct key_type keytype_aes256 = { KEYTYPE_AES256, "aes-256", 256, - 16, - sizeof(AES_KEY) * 2, + 32, + 32, + sizeof(struct krb5_aes_schedule), NULL, AES_schedule, AES_salt }; -#endif /* ENABLE_AES */ -struct key_type keytype_arcfour = { +static struct key_type keytype_arcfour = { KEYTYPE_ARCFOUR, "arcfour", 128, 16, + 16, sizeof(RC4_KEY), - ARCFOUR_random_key, + NULL, ARCFOUR_schedule, arcfour_salt }; -struct key_type *keytypes[] = { +static struct key_type keytype_rc2 = { + KEYTYPE_RC2, + "rc2", + 128, + 16, + 1, + sizeof(RC2_KEY), + NULL, + rc2_schedule, + NULL, /* XXX salt */ + NULL, + 
rc2_get_params, + rc2_set_params +}; + +static struct key_type *keytypes[] = { &keytype_null, &keytype_des, &keytype_des3_derived, &keytype_des3, -#ifdef ENABLE_AES &keytype_aes128, + &keytype_aes192, &keytype_aes256, -#endif /* ENABLE_AES */ + &keytype_rc2, &keytype_arcfour }; @@ -794,59 +1057,7 @@ _find_keytype(krb5_keytype type) } -struct salt_type des_salt[] = { - { - KRB5_PW_SALT, - "pw-salt", - krb5_DES_string_to_key - }, - { - KRB5_AFS3_SALT, - "afs3-salt", - DES_AFS3_string_to_key - }, - { 0 } -}; - -struct salt_type des3_salt[] = { - { - KRB5_PW_SALT, - "pw-salt", - DES3_string_to_key - }, - { 0 } -}; - -struct salt_type des3_salt_derived[] = { - { - KRB5_PW_SALT, - "pw-salt", - DES3_string_to_key_derived - }, - { 0 } -}; - -#ifdef ENABLE_AES -struct salt_type AES_salt[] = { - { - KRB5_PW_SALT, - "pw-salt", - AES_string_to_key - }, - { 0 } -}; -#endif /* ENABLE_AES */ - -struct salt_type arcfour_salt[] = { - { - KRB5_PW_SALT, - "pw-salt", - ARCFOUR_string_to_key - }, - { 0 } -}; - -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_salttype_to_string (krb5_context context, krb5_enctype etype, krb5_salttype stype, @@ -875,7 +1086,7 @@ krb5_salttype_to_string (krb5_context context, return HEIM_ERR_SALTTYPE_NOSUPP; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_string_to_salttype (krb5_context context, krb5_enctype etype, const char *string, @@ -900,7 +1111,7 @@ krb5_string_to_salttype (krb5_context context, return HEIM_ERR_SALTTYPE_NOSUPP; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_pw_salt(krb5_context context, krb5_const_principal principal, krb5_salt *salt) @@ -929,7 +1140,7 @@ krb5_get_pw_salt(krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_free_salt(krb5_context context, krb5_salt salt) { 
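Review bot: rc2_get_params leaves `p->maximum_effective_key` uninitialised when `rc2params.rc2ParameterVersion` is anything other than 160, 120 or 58: the `switch` has no `default:`, `p` comes straight from `malloc`, and the garbage value then reaches RC2_set_key as the effective key length in rc2_schedule. The parameters come from `decode_RC2CBCParameter` on caller-supplied ASN.1, so this is reachable from untrusted input and unknown versions should be rejected rather than guessed. rc2_set_params has the mirror problem, silently encoding `rc2ParameterVersion` as 0 for an unmapped `maximum_effective_key`, and both `/* XXX */` markers should say what is unfinished. The change to rc2_get_params is the `default:` arm below; the existing cases are unchanged.
```c
    switch(rc2params.rc2ParameterVersion) {
    case 160:
	p->maximum_effective_key = 40;
	break;
    /* … unchanged: 120 -> 64, 58 -> 128 … */
    default:
	free(p);
	free_RC2CBCParameter(&rc2params);
	krb5_set_error_string(context, "Unsupported RC2 parameter version");
	return KRB5_PROG_KEYTYPE_NOSUPP;
    }
```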
@@ -937,7 +1148,7 @@ krb5_free_salt(krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_string_to_key_data (krb5_context context, krb5_enctype enctype, krb5_data password, @@ -955,7 +1166,7 @@ krb5_string_to_key_data (krb5_context context, return ret; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_string_to_key (krb5_context context, krb5_enctype enctype, const char *password, @@ -968,7 +1179,7 @@ krb5_string_to_key (krb5_context context, return krb5_string_to_key_data(context, enctype, pw, principal, key); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_string_to_key_data_salt (krb5_context context, krb5_enctype enctype, krb5_data password, @@ -987,7 +1198,7 @@ krb5_string_to_key_data_salt (krb5_context context, * `opaque'), returning the resulting key in `key' */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_string_to_key_data_salt_opaque (krb5_context context, krb5_enctype enctype, krb5_data password, @@ -1017,7 +1228,7 @@ krb5_string_to_key_data_salt_opaque (krb5_context context, * in `key' */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_string_to_key_salt (krb5_context context, krb5_enctype enctype, const char *password, @@ -1030,7 +1241,22 @@ krb5_string_to_key_salt (krb5_context context, return krb5_string_to_key_data_salt(context, enctype, pw, salt, key); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_string_to_key_salt_opaque (krb5_context context, + krb5_enctype enctype, + const char *password, + krb5_salt salt, + krb5_data opaque, + krb5_keyblock *key) +{ + krb5_data pw; + pw.data = (void*)password; + pw.length = strlen(password); + return krb5_string_to_key_data_salt_opaque(context, enctype, + pw, salt, opaque, key); +} + +krb5_error_code KRB5_LIB_FUNCTION krb5_keytype_to_string(krb5_context context, krb5_keytype keytype, char **string) 
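Review bot: The new krb5_string_to_key_salt_opaque has no comment, while its sibling krb5_string_to_key_data_salt_opaque just above carries one ending in "`opaque'), returning the resulting key in `key'". It also calls `strlen(password)` unconditionally, so a NULL `password` is undefined behaviour, the same as in krb5_string_to_key_salt. I would add above it: `/* Like krb5_string_to_key_data_salt_opaque, but takes the password as a NUL-terminated string (must not be NULL); the string is used in place, not copied. */`.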
@@ -1048,7 +1274,7 @@ krb5_keytype_to_string(krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_string_to_keytype(krb5_context context, const char *string, krb5_keytype *keytype) @@ -1063,7 +1289,7 @@ krb5_string_to_keytype(krb5_context context, return KRB5_PROG_KEYTYPE_NOSUPP; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_enctype_keysize(krb5_context context, krb5_enctype type, size_t *keysize) @@ -1078,7 +1304,7 @@ krb5_enctype_keysize(krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_generate_random_keyblock(krb5_context context, krb5_enctype type, krb5_keyblock *key) @@ -1104,7 +1330,8 @@ krb5_generate_random_keyblock(krb5_context context, static krb5_error_code _key_schedule(krb5_context context, - struct key_data *key) + struct key_data *key, + const void *params) { krb5_error_code ret; struct encryption_type *et = _find_enctype(key->key->keytype); @@ -1125,7 +1352,7 @@ _key_schedule(krb5_context context, key->schedule = NULL; return ret; } - (*kt->schedule)(context, key); + (*kt->schedule)(context, key, params); return 0; } @@ -1185,7 +1412,7 @@ RSA_MD4_DES_checksum(krb5_context context, Checksum *cksum) { MD4_CTX md4; - des_cblock ivec; + DES_cblock ivec; unsigned char *p = cksum->checksum.data; krb5_generate_random_block(p, 8); @@ -1194,8 +1421,8 @@ RSA_MD4_DES_checksum(krb5_context context, MD4_Update (&md4, data, len); MD4_Final (p + 8, &md4); memset (&ivec, 0, sizeof(ivec)); - des_cbc_encrypt((des_cblock *) p, - (des_cblock *) p, + DES_cbc_encrypt(p, + p, 24, key->schedule->data, &ivec, @@ -1213,11 +1440,11 @@ RSA_MD4_DES_verify(krb5_context context, MD4_CTX md4; unsigned char tmp[24]; unsigned char res[16]; - des_cblock ivec; + DES_cblock ivec; krb5_error_code ret = 0; memset(&ivec, 0, sizeof(ivec)); - des_cbc_encrypt(C->checksum.data, + DES_cbc_encrypt(C->checksum.data, (void*)tmp, C->checksum.length, key->schedule->data, 
@@ -1260,7 +1487,7 @@ RSA_MD5_DES_checksum(krb5_context context, Checksum *C) { MD5_CTX md5; - des_cblock ivec; + DES_cblock ivec; unsigned char *p = C->checksum.data; krb5_generate_random_block(p, 8); @@ -1269,8 +1496,8 @@ RSA_MD5_DES_checksum(krb5_context context, MD5_Update (&md5, data, len); MD5_Final (p + 8, &md5); memset (&ivec, 0, sizeof(ivec)); - des_cbc_encrypt((des_cblock *) p, - (des_cblock *) p, + DES_cbc_encrypt(p, + p, 24, key->schedule->data, &ivec, @@ -1288,15 +1515,15 @@ RSA_MD5_DES_verify(krb5_context context, MD5_CTX md5; unsigned char tmp[24]; unsigned char res[16]; - des_cblock ivec; - des_key_schedule *sched = key->schedule->data; + DES_cblock ivec; + DES_key_schedule *sched = key->schedule->data; krb5_error_code ret = 0; memset(&ivec, 0, sizeof(ivec)); - des_cbc_encrypt(C->checksum.data, + DES_cbc_encrypt(C->checksum.data, (void*)tmp, C->checksum.length, - sched[0], + &sched[0], &ivec, DES_DECRYPT); MD5_Init (&md5); @@ -1321,9 +1548,9 @@ RSA_MD5_DES3_checksum(krb5_context context, Checksum *C) { MD5_CTX md5; - des_cblock ivec; + DES_cblock ivec; unsigned char *p = C->checksum.data; - des_key_schedule *sched = key->schedule->data; + DES_key_schedule *sched = key->schedule->data; krb5_generate_random_block(p, 8); MD5_Init (&md5); @@ -1331,10 +1558,10 @@ RSA_MD5_DES3_checksum(krb5_context context, MD5_Update (&md5, data, len); MD5_Final (p + 8, &md5); memset (&ivec, 0, sizeof(ivec)); - des_ede3_cbc_encrypt((des_cblock *)p, - (des_cblock *)p, + DES_ede3_cbc_encrypt(p, + p, 24, - sched[0], sched[1], sched[2], + &sched[0], &sched[1], &sched[2], &ivec, DES_ENCRYPT); } 
@@ -1350,15 +1577,15 @@ RSA_MD5_DES3_verify(krb5_context context, MD5_CTX md5; unsigned char tmp[24]; unsigned char res[16]; - des_cblock ivec; - des_key_schedule *sched = key->schedule->data; + DES_cblock ivec; + DES_key_schedule *sched = key->schedule->data; krb5_error_code ret = 0; memset(&ivec, 0, sizeof(ivec)); - des_ede3_cbc_encrypt(C->checksum.data, + DES_ede3_cbc_encrypt(C->checksum.data, (void*)tmp, C->checksum.length, - sched[0], sched[1], sched[2], + &sched[0], &sched[1], &sched[2], &ivec, DES_DECRYPT); MD5_Init (&md5); @@ -1447,7 +1674,7 @@ hmac(krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_hmac(krb5_context context, krb5_cksumtype cktype, const void *data, @@ -1579,16 +1806,16 @@ HMAC_MD5_checksum_enc(krb5_context context, krb5_abortx(context, "hmac failed"); } -struct checksum_type checksum_none = { +static struct checksum_type checksum_none = { CKSUMTYPE_NONE, "none", 1, 0, - 0, + 0, NONE_checksum, NULL }; -struct checksum_type checksum_crc32 = { +static struct checksum_type checksum_crc32 = { CKSUMTYPE_CRC32, "crc32", 1, @@ -1597,7 +1824,7 @@ struct checksum_type checksum_crc32 = { CRC32_checksum, NULL }; -struct checksum_type checksum_rsa_md4 = { +static struct checksum_type checksum_rsa_md4 = { CKSUMTYPE_RSA_MD4, "rsa-md4", 64, @@ -1606,7 +1833,7 @@ struct checksum_type checksum_rsa_md4 = { RSA_MD4_checksum, NULL }; -struct checksum_type checksum_rsa_md4_des = { +static struct checksum_type checksum_rsa_md4_des = { CKSUMTYPE_RSA_MD4_DES, "rsa-md4-des", 64, @@ -1616,7 +1843,7 @@ struct checksum_type checksum_rsa_md4_des = { RSA_MD4_DES_verify }; #if 0 -struct checksum_type checksum_des_mac = { +static struct checksum_type checksum_des_mac = { CKSUMTYPE_DES_MAC, "des-mac", 0, @@ -1624,7 +1851,7 @@ struct checksum_type checksum_des_mac = { 0, DES_MAC_checksum }; -struct checksum_type checksum_des_mac_k = { +static struct checksum_type checksum_des_mac_k = { CKSUMTYPE_DES_MAC_K, "des-mac-k", 0, 
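Review bot: RSA_MD5_DES3_verify decrypts `C->checksum.length` bytes into the fixed `unsigned char tmp[24]`, so the caller-supplied checksum length is the only bound on a stack write. verify_checksum presumably rejects a checksum whose length differs from the table's checksum size before dispatching here (that check is outside these hunks), but the function should not depend on it: an early `if (C->checksum.length != sizeof(tmp))` returning the same bad-integrity error as the mismatch path below (outside the hunk) makes it safe on its own. RSA_MD4_DES_verify and RSA_MD5_DES_verify in the preceding hunks have the same shape and deserve the same guard.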
@@ -1632,7 +1859,7 @@ struct checksum_type checksum_des_mac_k = { 0, DES_MAC_K_checksum }; -struct checksum_type checksum_rsa_md4_des_k = { +static struct checksum_type checksum_rsa_md4_des_k = { CKSUMTYPE_RSA_MD4_DES_K, "rsa-md4-des-k", 0, @@ -1642,7 +1869,7 @@ struct checksum_type checksum_rsa_md4_des_k = { RSA_MD4_DES_K_verify }; #endif -struct checksum_type checksum_rsa_md5 = { +static struct checksum_type checksum_rsa_md5 = { CKSUMTYPE_RSA_MD5, "rsa-md5", 64, @@ -1651,7 +1878,7 @@ struct checksum_type checksum_rsa_md5 = { RSA_MD5_checksum, NULL }; -struct checksum_type checksum_rsa_md5_des = { +static struct checksum_type checksum_rsa_md5_des = { CKSUMTYPE_RSA_MD5_DES, "rsa-md5-des", 64, @@ -1660,7 +1887,7 @@ struct checksum_type checksum_rsa_md5_des = { RSA_MD5_DES_checksum, RSA_MD5_DES_verify }; -struct checksum_type checksum_rsa_md5_des3 = { +static struct checksum_type checksum_rsa_md5_des3 = { CKSUMTYPE_RSA_MD5_DES3, "rsa-md5-des3", 64, @@ -1669,7 +1896,7 @@ struct checksum_type checksum_rsa_md5_des3 = { RSA_MD5_DES3_checksum, RSA_MD5_DES3_verify }; -struct checksum_type checksum_sha1 = { +static struct checksum_type checksum_sha1 = { CKSUMTYPE_SHA1, "sha1", 64, @@ -1678,7 +1905,7 @@ struct checksum_type checksum_sha1 = { SHA1_checksum, NULL }; -struct checksum_type checksum_hmac_sha1_des3 = { +static struct checksum_type checksum_hmac_sha1_des3 = { CKSUMTYPE_HMAC_SHA1_DES3, "hmac-sha1-des3", 64, @@ -1688,8 +1915,7 @@ struct checksum_type checksum_hmac_sha1_des3 = { NULL }; -#ifdef ENABLE_AES -struct checksum_type checksum_hmac_sha1_aes128 = { +static struct checksum_type checksum_hmac_sha1_aes128 = { CKSUMTYPE_HMAC_SHA1_96_AES_128, "hmac-sha1-96-aes128", 64, @@ -1699,7 +1925,7 @@ struct checksum_type checksum_hmac_sha1_aes128 = { NULL }; -struct checksum_type checksum_hmac_sha1_aes256 = { +static struct checksum_type checksum_hmac_sha1_aes256 = { CKSUMTYPE_HMAC_SHA1_96_AES_256, "hmac-sha1-96-aes256", 64, 
@@ -1708,9 +1934,8 @@ struct checksum_type checksum_hmac_sha1_aes256 = { SP_HMAC_SHA1_checksum, NULL }; -#endif /* ENABLE_AES */ -struct checksum_type checksum_hmac_md5 = { +static struct checksum_type checksum_hmac_md5 = { CKSUMTYPE_HMAC_MD5, "hmac-md5", 64, @@ -1720,7 +1945,7 @@ struct checksum_type checksum_hmac_md5 = { NULL }; -struct checksum_type checksum_hmac_md5_enc = { +static struct checksum_type checksum_hmac_md5_enc = { CKSUMTYPE_HMAC_MD5_ENC, "hmac-md5-enc", 64, @@ -1730,7 +1955,7 @@ struct checksum_type checksum_hmac_md5_enc = { NULL }; -struct checksum_type *checksum_types[] = { +static struct checksum_type *checksum_types[] = { &checksum_none, &checksum_crc32, &checksum_rsa_md4, @@ -1745,10 +1970,8 @@ struct checksum_type *checksum_types[] = { &checksum_rsa_md5_des3, &checksum_sha1, &checksum_hmac_sha1_des3, -#ifdef ENABLE_AES &checksum_hmac_sha1_aes128, &checksum_hmac_sha1_aes256, -#endif &checksum_hmac_md5, &checksum_hmac_md5_enc }; @@ -1793,7 +2016,7 @@ get_checksum_key(krb5_context context, *key = &crypto->key; } if(ret == 0) - ret = _key_schedule(context, *key); + ret = _key_schedule(context, *key, crypto->params); return ret; } @@ -1810,6 +2033,10 @@ create_checksum (krb5_context context, struct key_data *dkey; int keyed_checksum; + if (ct->flags & F_DISABLED) { + krb5_clear_error_string (context); + return KRB5_PROG_SUMTYPE_NOSUPP; + } keyed_checksum = (ct->flags & F_KEYED) != 0; if(keyed_checksum && crypto == NULL) { krb5_clear_error_string (context); @@ -1834,7 +2061,7 @@ arcfour_checksum_p(struct checksum_type *ct, krb5_crypto crypto) (crypto->key.key->keytype == KEYTYPE_ARCFOUR); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_create_checksum(krb5_context context, krb5_crypto crypto, krb5_key_usage usage, 
@@ -1886,7 +2113,7 @@ verify_checksum(krb5_context context, struct checksum_type *ct; ct = _find_checksum(cksum->cksumtype); - if (ct == NULL) { + if (ct == NULL || (ct->flags & F_DISABLED)) { krb5_set_error_string (context, "checksum type %d not supported", cksum->cksumtype); return KRB5_PROG_SUMTYPE_NOSUPP; @@ -1924,7 +2151,7 @@ verify_checksum(krb5_context context, return ret; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_verify_checksum(krb5_context context, krb5_crypto crypto, krb5_key_usage usage, @@ -1952,7 +2179,31 @@ krb5_verify_checksum(krb5_context context, data, len, cksum); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_crypto_get_checksum_type(krb5_context context, + krb5_crypto crypto, + krb5_cksumtype *type) +{ + struct checksum_type *ct = NULL; + + if (crypto != NULL) { + ct = crypto->et->keyed_checksum; + if (ct == NULL) + ct = crypto->et->checksum; + } + + if (ct == NULL) { + krb5_set_error_string (context, "checksum type not found"); + return KRB5_PROG_SUMTYPE_NOSUPP; + } + + *type = ct->type; + + return 0; +} + + +krb5_error_code KRB5_LIB_FUNCTION krb5_checksumsize(krb5_context context, krb5_cksumtype type, size_t *size) 
@@ -1967,32 +2218,49 @@ krb5_checksumsize(krb5_context context, return 0; } -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_checksum_is_keyed(krb5_context context, krb5_cksumtype type) { struct checksum_type *ct = _find_checksum(type); if(ct == NULL) { - krb5_set_error_string (context, "checksum type %d not supported", - type); + if (context) + krb5_set_error_string (context, "checksum type %d not supported", + type); return KRB5_PROG_SUMTYPE_NOSUPP; } return ct->flags & F_KEYED; } -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_checksum_is_collision_proof(krb5_context context, krb5_cksumtype type) { struct checksum_type *ct = _find_checksum(type); if(ct == NULL) { - krb5_set_error_string (context, "checksum type %d not supported", - type); + if (context) + krb5_set_error_string (context, "checksum type %d not supported", + type); return KRB5_PROG_SUMTYPE_NOSUPP; } return ct->flags & F_CPROOF; } +krb5_error_code KRB5_LIB_FUNCTION +krb5_checksum_disable(krb5_context context, + krb5_cksumtype type) +{ + struct checksum_type *ct = _find_checksum(type); + if(ct == NULL) { + if (context) + krb5_set_error_string (context, "checksum type %d not supported", + type); + return KRB5_PROG_SUMTYPE_NOSUPP; + } + ct->flags |= F_DISABLED; + return 0; +} + /************************************************************ * * ************************************************************/ @@ -2018,10 +2286,10 @@ DES_CBC_encrypt_null_ivec(krb5_context context, int usage, void *ignore_ivec) { - des_cblock ivec; - des_key_schedule *s = key->schedule->data; + DES_cblock ivec; + DES_key_schedule *s = key->schedule->data; memset(&ivec, 0, sizeof(ivec)); - des_cbc_encrypt(data, data, len, *s, &ivec, encrypt); + DES_cbc_encrypt(data, data, len, s, &ivec, encrypt); return 0; } 
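Review bot: krb5_checksum_disable sets `ct->flags |= F_DISABLED;` on an entry of the file-static `checksum_types` table, so the effect is process-wide rather than per `krb5_context`, and nothing undoes it. The write is unsynchronised while create_checksum and verify_checksum read `ct->flags` from other threads; whether that matters depends on how the library is used, but the API comment should say so. I would add above it: `/* Disable checksum type `type' for the whole process (the table is shared by every krb5_context); call before other threads use the library, there is no re-enable. */`. The `context` argument is used only for the error string, as in the two functions above.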
@@ -2034,10 +2302,10 @@ DES_CBC_encrypt_key_ivec(krb5_context context, int usage, void *ignore_ivec) { - des_cblock ivec; - des_key_schedule *s = key->schedule->data; + DES_cblock ivec; + DES_key_schedule *s = key->schedule->data; memcpy(&ivec, key->key->keyvalue.data, sizeof(ivec)); - des_cbc_encrypt(data, data, len, *s, &ivec, encrypt); + DES_cbc_encrypt(data, data, len, s, &ivec, encrypt); return 0; } @@ -2050,13 +2318,13 @@ DES3_CBC_encrypt(krb5_context context, int usage, void *ivec) { - des_cblock local_ivec; - des_key_schedule *s = key->schedule->data; + DES_cblock local_ivec; + DES_key_schedule *s = key->schedule->data; if(ivec == NULL) { ivec = &local_ivec; memset(local_ivec, 0, sizeof(local_ivec)); } - des_ede3_cbc_encrypt(data, data, len, s[0], s[1], s[2], ivec, encrypt); + DES_ede3_cbc_encrypt(data, data, len, &s[0], &s[1], &s[2], ivec, encrypt); return 0; } @@ -2069,12 +2337,12 @@ DES_CFB64_encrypt_null_ivec(krb5_context context, int usage, void *ignore_ivec) { - des_cblock ivec; + DES_cblock ivec; int num = 0; - des_key_schedule *s = key->schedule->data; + DES_key_schedule *s = key->schedule->data; memset(&ivec, 0, sizeof(ivec)); - des_cfb64_encrypt(data, data, len, *s, &ivec, &num, encrypt); + DES_cfb64_encrypt(data, data, len, s, &ivec, &num, encrypt); return 0; } 
@@ -2087,24 +2355,22 @@ DES_PCBC_encrypt_key_ivec(krb5_context context, int usage, void *ignore_ivec) { - des_cblock ivec; - des_key_schedule *s = key->schedule->data; + DES_cblock ivec; + DES_key_schedule *s = key->schedule->data; memcpy(&ivec, key->key->keyvalue.data, sizeof(ivec)); - des_pcbc_encrypt(data, data, len, *s, &ivec, encrypt); + DES_pcbc_encrypt(data, data, len, s, &ivec, encrypt); return 0; } -#ifdef ENABLE_AES - /* * AES draft-raeburn-krb-rijndael-krb-02 */ -void +void KRB5_LIB_FUNCTION _krb5_aes_cts_encrypt(const unsigned char *in, unsigned char *out, size_t len, const void *aes_key, - unsigned char *ivec, const int enc) + unsigned char *ivec, const int encrypt) { unsigned char tmp[AES_BLOCK_SIZE]; const AES_KEY *key = aes_key; /* XXX remove this when we always have AES */ @@ -2115,7 +2381,7 @@ _krb5_aes_cts_encrypt(const unsigned char *in, unsigned char *out, * then at least one blocksize. */ - if (enc == AES_ENCRYPT) { + if (encrypt) { while(len > AES_BLOCK_SIZE) { for (i = 0; i < AES_BLOCK_SIZE; i++) @@ -2135,10 +2401,11 @@ _krb5_aes_cts_encrypt(const unsigned char *in, unsigned char *out, AES_encrypt(tmp, out - AES_BLOCK_SIZE, key); memcpy(out, ivec, len); + memcpy(ivec, out - AES_BLOCK_SIZE, AES_BLOCK_SIZE); } else { - char tmp2[AES_BLOCK_SIZE]; - char tmp3[AES_BLOCK_SIZE]; + unsigned char tmp2[AES_BLOCK_SIZE]; + unsigned char tmp3[AES_BLOCK_SIZE]; while(len > AES_BLOCK_SIZE * 2) { memcpy(tmp, in, AES_BLOCK_SIZE); @@ -2153,6 +2420,7 @@ _krb5_aes_cts_encrypt(const unsigned char *in, unsigned char *out, len -= AES_BLOCK_SIZE; + memcpy(tmp, in, AES_BLOCK_SIZE); /* save last iv */ AES_decrypt(in, tmp2, key); memcpy(tmp3, in + AES_BLOCK_SIZE, len); @@ -2164,6 +2432,7 @@ _krb5_aes_cts_encrypt(const unsigned char *in, unsigned char *out, AES_decrypt(tmp3, out, key); for (i = 0; i < AES_BLOCK_SIZE; i++) out[i] ^= ivec[i]; + memcpy(ivec, tmp, AES_BLOCK_SIZE); } } 
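Review bot: `const AES_KEY *key = aes_key; /* XXX remove this when we always have AES */` is now stale: the same hunk deletes the `#ifdef ENABLE_AES` guard, so AES is always compiled in, yet the comment survives; the cast itself must stay because the exported signature keeps `const void *`, so just drop the comment. The later hunks also change the contract of _krb5_aes_cts_encrypt: on both the encrypt and decrypt paths it now writes the chaining block back into `ivec` (`memcpy(ivec, out - AES_BLOCK_SIZE, AES_BLOCK_SIZE);` and `memcpy(ivec, tmp, AES_BLOCK_SIZE);`), so callers can no longer pass a shared or read-only IV. That is presumably the CTS "next IV" of the draft this code cites, but the header comment should state it: `/* ivec is updated in place with the next-to-last ciphertext block so consecutive calls chain; it must be a writable 16-byte buffer. */`. The decrypt branch of the function is split across the following hunks.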
@@ -2176,13 +2445,14 @@ AES_CTS_encrypt(krb5_context context, int usage, void *ivec) { - AES_KEY *k = key->schedule->data; + struct krb5_aes_schedule *aeskey = key->schedule->data; char local_ivec[AES_BLOCK_SIZE]; + AES_KEY *k; if (encrypt) - k = &k[0]; + k = &aeskey->ekey; else - k = &k[1]; + k = &aeskey->dkey; if (len < AES_BLOCK_SIZE) krb5_abortx(context, "invalid use of AES_CTS_encrypt"); @@ -2201,7 +2471,55 @@ AES_CTS_encrypt(krb5_context context, return 0; } -#endif /* ENABLE_AES */ + +static krb5_error_code +AES_CBC_encrypt(krb5_context context, + struct key_data *key, + void *data, + size_t len, + krb5_boolean encrypt, + int usage, + void *ivec) +{ + struct krb5_aes_schedule *aeskey = key->schedule->data; + char local_ivec[AES_BLOCK_SIZE]; + AES_KEY *k; + + if (encrypt) + k = &aeskey->ekey; + else + k = &aeskey->dkey; + + if(ivec == NULL) { + ivec = &local_ivec; + memset(local_ivec, 0, sizeof(local_ivec)); + } + AES_cbc_encrypt(data, data, len, k, ivec, encrypt); + return 0; +} + +/* + * RC2 + */ + +static krb5_error_code +RC2_CBC_encrypt(krb5_context context, + struct key_data *key, + void *data, + size_t len, + krb5_boolean encrypt, + int usage, + void *ivec) +{ + unsigned char local_ivec[8]; + RC2_KEY *s = key->schedule->data; + if(ivec == NULL) { + ivec = &local_ivec; + memset(local_ivec, 0, sizeof(local_ivec)); + } + RC2_cbc_encrypt(data, data, len, s, ivec, encrypt); + return 0; +} /* * section 6 of draft-brezak-win2k-krb-rc4-hmac-03 @@ -2214,7 +2532,7 @@ ARCFOUR_subencrypt(krb5_context context, struct key_data *key, void *data, size_t len, - int usage, + unsigned usage, void *ivec) { struct checksum_type *c = _find_checksum (CKSUMTYPE_RSA_MD5); @@ -2277,7 +2595,7 @@ ARCFOUR_subdecrypt(krb5_context context, struct key_data *key, void *data, size_t len, - int usage, + unsigned usage, void *ivec) { struct checksum_type *c = _find_checksum (CKSUMTYPE_RSA_MD5); 
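Review bot: AES_CBC_encrypt passes `len` straight to AES_cbc_encrypt with no check that it is a multiple of AES_BLOCK_SIZE, unlike AES_CTS_encrypt just above, which aborts on `len < AES_BLOCK_SIZE`. With F_PADCMS the generic layer is presumably expected to have padded the data, but a trailing partial block is otherwise handled silently by the underlying CBC routine (the OpenSSL versions I know write a full block for it, which would overrun an exactly-sized in-place buffer). A one-line guard mirroring the CTS one keeps the invariant local: `if (len % AES_BLOCK_SIZE != 0) krb5_abortx(context, "invalid use of AES_CBC_encrypt");`. Minor: `char local_ivec[AES_BLOCK_SIZE]` here versus `unsigned char local_ivec[8]` in RC2_CBC_encrypt; pick one.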
@@ -2350,7 +2668,7 @@ ARCFOUR_subdecrypt(krb5_context context, */ static krb5_error_code -usage2arcfour (krb5_context context, int *usage) +usage2arcfour (krb5_context context, unsigned *usage) { switch (*usage) { case KRB5_KU_AS_REP_ENC_PART : /* 3 */ @@ -2381,13 +2699,15 @@ ARCFOUR_encrypt(krb5_context context, void *ivec) { krb5_error_code ret; - if((ret = usage2arcfour (context, &usage)) != 0) + unsigned keyusage = usage; + + if((ret = usage2arcfour (context, &keyusage)) != 0) return ret; if (encrypt) - return ARCFOUR_subencrypt (context, key, data, len, usage, ivec); + return ARCFOUR_subencrypt (context, key, data, len, keyusage, ivec); else - return ARCFOUR_subdecrypt (context, key, data, len, usage, ivec); + return ARCFOUR_subdecrypt (context, key, data, len, keyusage, ivec); } @@ -2398,18 +2718,20 @@ ARCFOUR_encrypt(krb5_context context, static struct encryption_type enctype_null = { ETYPE_NULL, "null", + NULL, 1, 1, 0, &keytype_null, &checksum_none, NULL, - 0, + F_DISABLED, NULL_encrypt, }; static struct encryption_type enctype_des_cbc_crc = { ETYPE_DES_CBC_CRC, "des-cbc-crc", + NULL, 8, 8, 8, @@ -2422,6 +2744,7 @@ static struct encryption_type enctype_des_cbc_crc = { static struct encryption_type enctype_des_cbc_md4 = { ETYPE_DES_CBC_MD4, "des-cbc-md4", + NULL, 8, 8, 8, @@ -2434,6 +2757,7 @@ static struct encryption_type enctype_des_cbc_md4 = { static struct encryption_type enctype_des_cbc_md5 = { ETYPE_DES_CBC_MD5, "des-cbc-md5", + NULL, 8, 8, 8, @@ -2446,18 +2770,20 @@ static struct encryption_type enctype_des_cbc_md5 = { static struct encryption_type enctype_arcfour_hmac_md5 = { ETYPE_ARCFOUR_HMAC_MD5, "arcfour-hmac-md5", + NULL, 1, 1, 8, &keytype_arcfour, &checksum_hmac_md5, - /* &checksum_hmac_md5_enc */ NULL, + NULL, F_SPECIAL, ARCFOUR_encrypt }; static struct encryption_type enctype_des3_cbc_md5 = { ETYPE_DES3_CBC_MD5, "des3-cbc-md5", + NULL, 8, 8, 8, 
@@ -2470,6 +2796,7 @@ static struct encryption_type enctype_des3_cbc_md5 = { static struct encryption_type enctype_des3_cbc_sha1 = { ETYPE_DES3_CBC_SHA1, "des3-cbc-sha1", + NULL, 8, 8, 8, @@ -2482,6 +2809,7 @@ static struct encryption_type enctype_des3_cbc_sha1 = { static struct encryption_type enctype_old_des3_cbc_sha1 = { ETYPE_OLD_DES3_CBC_SHA1, "old-des3-cbc-sha1", + NULL, 8, 8, 8, 
@@ -2491,35 +2819,81 @@ static struct encryption_type enctype_old_des3_cbc_sha1 = { 0, DES3_CBC_encrypt, }; -#ifdef ENABLE_AES static struct encryption_type enctype_aes128_cts_hmac_sha1 = { ETYPE_AES128_CTS_HMAC_SHA1_96, "aes128-cts-hmac-sha1-96", + NULL, 16, 1, 16, &keytype_aes128, &checksum_sha1, &checksum_hmac_sha1_aes128, - 0, + F_DERIVED, AES_CTS_encrypt, }; static struct encryption_type enctype_aes256_cts_hmac_sha1 = { ETYPE_AES256_CTS_HMAC_SHA1_96, "aes256-cts-hmac-sha1-96", + NULL, 16, 1, 16, &keytype_aes256, &checksum_sha1, &checksum_hmac_sha1_aes256, - 0, + F_DERIVED, AES_CTS_encrypt, }; -#endif /* ENABLE_AES */ +static unsigned aes_128_cbc_num[] = { 2, 16, 840, 1, 101, 3, 4, 1, 2 }; +static heim_oid aes_128_cbc_oid = kcrypto_oid_enc(aes_128_cbc_num); +static struct encryption_type enctype_aes128_cbc_none = { + ETYPE_AES128_CBC_NONE, + "aes128-cbc-none", + &aes_128_cbc_oid, + 16, + 16, + 16, + &keytype_aes128, + &checksum_none, + NULL, + F_PSEUDO|F_PADCMS, + AES_CBC_encrypt, +}; +static unsigned aes_192_cbc_num[] = { 2, 16, 840, 1, 101, 3, 4, 1, 22 }; +static heim_oid aes_192_cbc_oid = kcrypto_oid_enc(aes_192_cbc_num); +static struct encryption_type enctype_aes192_cbc_none = { + ETYPE_AES192_CBC_NONE, + "aes192-cbc-none", + &aes_192_cbc_oid, + 16, + 16, + 16, + &keytype_aes192, + &checksum_none, + NULL, + F_PSEUDO|F_PADCMS, + AES_CBC_encrypt, +}; +static unsigned aes_256_cbc_num[] = { 2, 16, 840, 1, 101, 3, 4, 1, 42 }; +static heim_oid aes_256_cbc_oid = kcrypto_oid_enc(aes_256_cbc_num); +static struct encryption_type enctype_aes256_cbc_none = { + ETYPE_AES256_CBC_NONE, + "aes256-cbc-none", + &aes_256_cbc_oid, + 16, + 16, + 16, + &keytype_aes256, + &checksum_none, + NULL, + F_PSEUDO|F_PADCMS, + AES_CBC_encrypt, +}; static struct encryption_type enctype_des_cbc_none = { ETYPE_DES_CBC_NONE, "des-cbc-none", + NULL, 8, 8, 0, 
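Review bot: The three new `enctype_aes*_cbc_none` tables set their third size field to 16 (`16, 16, 16,`), while every other `-none` pseudo enctype in this file sets it to 0 (`des-cbc-none` is `8, 8, 0,`, and `des3-cbc-none-cms` and `rc2-cbc-none` in the next hunk likewise). If that field is the confounder size, as the pattern in des-cbc-crc (`8, 8, 8,`) and the CTS entries (`16, 1, 16,`) suggests, the AES CBC pseudo types would get a random 16-byte confounder prepended on encryption, which a CMS peer expecting raw AES-CBC under the supplied IV cannot undo. I would change the third field to `0,` in all three; the OIDs 2.16.840.1.101.3.4.1.2, .22 and .42 do look right for aes128/192/256-CBC. The struct field order is not visible here, so confirm against the encryption_type definition.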
@@ -2532,6 +2906,7 @@ static struct encryption_type enctype_des_cbc_none = { static struct encryption_type enctype_des_cfb64_none = { ETYPE_DES_CFB64_NONE, "des-cfb64-none", + NULL, 1, 1, 0, @@ -2544,6 +2919,7 @@ static struct encryption_type enctype_des_cfb64_none = { static struct encryption_type enctype_des_pcbc_none = { ETYPE_DES_PCBC_NONE, "des-pcbc-none", + NULL, 8, 8, 0, @@ -2553,9 +2929,25 @@ static struct encryption_type enctype_des_pcbc_none = { F_PSEUDO, DES_PCBC_encrypt_key_ivec, }; +static unsigned des_ede3_cbc_num[] = { 1, 2, 840, 113549, 3, 7 }; +static heim_oid des_ede3_cbc_oid = kcrypto_oid_enc(des_ede3_cbc_num); +static struct encryption_type enctype_des3_cbc_none_cms = { + ETYPE_DES3_CBC_NONE_CMS, + "des3-cbc-none-cms", + &des_ede3_cbc_oid, + 8, + 8, + 0, + &keytype_des3_derived, + &checksum_none, + NULL, + F_PSEUDO|F_PADCMS, + DES3_CBC_encrypt, +}; static struct encryption_type enctype_des3_cbc_none = { ETYPE_DES3_CBC_NONE, "des3-cbc-none", + NULL, 8, 8, 0, @@ -2565,6 +2957,21 @@ static struct encryption_type enctype_des3_cbc_none = { F_PSEUDO, DES3_CBC_encrypt, }; +static unsigned rc2CBC_num[] = { 1, 2, 840, 113549, 3, 2 }; +static heim_oid rc2CBC_oid = kcrypto_oid_enc(rc2CBC_num); +static struct encryption_type enctype_rc2_cbc_none = { + ETYPE_RC2_CBC_NONE, + "rc2-cbc-none", + &rc2CBC_oid, + 8, + 8, + 0, + &keytype_rc2, + &checksum_none, + NULL, + F_PSEUDO|F_PADCMS, + RC2_CBC_encrypt, +}; static struct encryption_type *etypes[] = { &enctype_null, 
@@ -2575,14 +2982,17 @@ static struct encryption_type *etypes[] = { &enctype_des3_cbc_md5, &enctype_des3_cbc_sha1, &enctype_old_des3_cbc_sha1, -#ifdef ENABLE_AES &enctype_aes128_cts_hmac_sha1, &enctype_aes256_cts_hmac_sha1, -#endif + &enctype_aes128_cbc_none, + &enctype_aes192_cbc_none, + &enctype_aes256_cbc_none, &enctype_des_cbc_none, &enctype_des_cfb64_none, &enctype_des_pcbc_none, - &enctype_des3_cbc_none + &enctype_des3_cbc_none, + &enctype_des3_cbc_none_cms, + &enctype_rc2_cbc_none }; static unsigned num_etypes = sizeof(etypes) / sizeof(etypes[0]); @@ -2599,7 +3009,7 @@ _find_enctype(krb5_enctype type) } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_enctype_to_string(krb5_context context, krb5_enctype etype, char **string) @@ -2619,7 +3029,7 @@ krb5_enctype_to_string(krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_string_to_enctype(krb5_context context, const char *string, krb5_enctype *etype) 
@@ -2635,7 +3045,42 @@ krb5_string_to_enctype(krb5_context context, return KRB5_PROG_ETYPE_NOSUPP; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_enctype_to_oid(krb5_context context, + krb5_enctype etype, + heim_oid *oid) +{ + struct encryption_type *et = _find_enctype(etype); + if(et == NULL) { + krb5_set_error_string (context, "encryption type %d not supported", + etype); + return KRB5_PROG_ETYPE_NOSUPP; + } + if(et->oid == NULL) { + krb5_set_error_string (context, "%s have not oid", et->name); + return KRB5_PROG_ETYPE_NOSUPP; + } + krb5_clear_error_string(context); + return copy_oid(et->oid, oid); +} + +krb5_error_code KRB5_LIB_FUNCTION +_krb5_oid_to_enctype(krb5_context context, + const heim_oid *oid, + krb5_enctype *etype) +{ + int i; + for(i = 0; i < num_etypes; i++) { + if(etypes[i]->oid && heim_oid_cmp(etypes[i]->oid, oid) == 0) { + *etype = etypes[i]->type; + return 0; + } + } + krb5_set_error_string(context, "enctype for oid not supported"); + return KRB5_PROG_ETYPE_NOSUPP; +} + +krb5_error_code KRB5_LIB_FUNCTION krb5_enctype_to_keytype(krb5_context context, krb5_enctype etype, krb5_keytype *keytype) @@ -2651,7 +3096,7 @@ krb5_enctype_to_keytype(krb5_context context, } #if 0 -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_keytype_to_enctype(krb5_context context, krb5_keytype keytype, krb5_enctype *etype) @@ -2665,7 +3110,7 @@ krb5_keytype_to_enctype(krb5_context context, } #endif -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_keytype_to_enctypes (krb5_context context, krb5_keytype keytype, unsigned *len, @@ -2701,7 +3146,7 @@ krb5_keytype_to_enctypes (krb5_context context, * else, do `krb5_keytype_to_enctypes'. */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_keytype_to_enctypes_default (krb5_context context, krb5_keytype keytype, unsigned *len, 
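Review bot: `_krb5_oid_to_enctype` and `krb5_enctype_to_oid` ignore `F_DISABLED`, while the `krb5_enctype_valid` and `krb5_crypto_init` changes in this same commit refuse disabled types, so an algorithm that an administrator disabled can still be selected through its OID. The match should read `if(etypes[i]->oid && !(etypes[i]->flags & F_DISABLED) && heim_oid_cmp(etypes[i]->oid, oid) == 0) {`, with the same test added after the `et->oid == NULL` check in `krb5_enctype_to_oid`. The loop index `int i` is compared against the `unsigned num_etypes`; `unsigned i;` avoids the sign-compare warning. The error string `"%s have not oid"` should read `"%s has no oid"`.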
@@ -2727,15 +3172,45 @@ krb5_keytype_to_enctypes_default (krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_enctype_valid(krb5_context context, krb5_enctype etype) { - return _find_enctype(etype) != NULL; + struct encryption_type *e = _find_enctype(etype); + if(e == NULL) { + krb5_set_error_string (context, "encryption type %d not supported", + etype); + return KRB5_PROG_ETYPE_NOSUPP; + } + if (e->flags & F_DISABLED) { + krb5_set_error_string (context, "encryption type %s is disabled", + e->name); + return KRB5_PROG_ETYPE_NOSUPP; + } + return 0; +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_cksumtype_valid(krb5_context context, + krb5_cksumtype ctype) +{ + struct checksum_type *c = _find_checksum(ctype); + if (c == NULL) { + krb5_set_error_string (context, "checksum type %d not supported", + ctype); + return KRB5_PROG_SUMTYPE_NOSUPP; + } + if (c->flags & F_DISABLED) { + krb5_set_error_string (context, "checksum type %s is disabled", + c->name); + return KRB5_PROG_SUMTYPE_NOSUPP; + } + return 0; } + /* if two enctypes have compatible keys */ -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_enctypes_compatible_keys(krb5_context context, krb5_enctype etype1, krb5_enctype etype2) @@ -2813,7 +3288,7 @@ encrypt_internal_derived(krb5_context context, ret = _get_derived_key(context, crypto, ENCRYPTION_USAGE(usage), &dkey); if(ret) goto fail; - ret = _key_schedule(context, dkey); + ret = _key_schedule(context, dkey, crypto->params); if(ret) goto fail; #ifdef CRYPTO_DEBUG @@ -2840,7 +3315,7 @@ encrypt_internal(krb5_context context, krb5_data *result, void *ivec) { - size_t sz, block_sz, checksum_sz; + size_t sz, block_sz, checksum_sz, padsize = 0; Checksum cksum; unsigned char *p, *q; krb5_error_code ret; 
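Review bot: `krb5_enctype_valid` now returns 0 for a usable enctype and `KRB5_PROG_ETYPE_NOSUPP` otherwise, which inverts the truth value of the old `return _find_enctype(etype) != NULL;`, so any caller outside this hunk written as `if (krb5_enctype_valid(context, etype))` now takes the wrong branch and the callers need an audit. A comment on the function would prevent the same mistake in new code, e.g. `/* Returns 0 if etype is known and not disabled, otherwise a krb5 error code; NOT a boolean. */`. The new `*-cbc-none` pseudo types also pass this check; if they must never be accepted from the wire, `e->flags & F_PSEUDO` belongs in the rejection as well, but the intended policy is not visible here.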
@@ -2850,6 +3325,11 @@ encrypt_internal(krb5_context context, sz = et->confoundersize + checksum_sz + len; block_sz = (sz + et->padsize - 1) &~ (et->padsize - 1); /* pad */ + if ((et->flags & F_PADCMS) && et->padsize != 1) { + padsize = et->padsize - (sz % et->padsize); + if (padsize == et->padsize) + block_sz += et->padsize; + } p = calloc(1, block_sz); if(p == NULL) { krb5_set_error_string(context, "malloc: out of memory"); @@ -2879,9 +3359,15 @@ encrypt_internal(krb5_context context, goto fail; memcpy(p + et->confoundersize, cksum.checksum.data, cksum.checksum.length); free_Checksum(&cksum); - ret = _key_schedule(context, &crypto->key); + ret = _key_schedule(context, &crypto->key, crypto->params); if(ret) goto fail; + if (et->flags & F_PADCMS) { + int i; + q = p + len + checksum_sz + et->confoundersize; + for (i = 0; i < padsize; i++) + q[i] = padsize; + } #ifdef CRYPTO_DEBUG krb5_crypto_debug(context, 1, block_sz, crypto->key.key); #endif @@ -2979,7 +3465,7 @@ decrypt_internal_derived(krb5_context context, free(p); return ret; } - ret = _key_schedule(context, dkey); + ret = _key_schedule(context, dkey, crypto->params); if(ret) { free(p); return ret; @@ -3046,7 +3532,7 @@ decrypt_internal(krb5_context context, } memcpy(p, data, len); - ret = _key_schedule(context, &crypto->key); + ret = _key_schedule(context, &crypto->key, crypto->params); if(ret) { free(p); return ret; @@ -3129,7 +3615,7 @@ decrypt_internal_special(krb5_context context, } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_encrypt_ivec(krb5_context context, krb5_crypto crypto, unsigned usage, @@ -3148,7 +3634,7 @@ krb5_encrypt_ivec(krb5_context context, return encrypt_internal(context, crypto, data, len, result, ivec); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_encrypt(krb5_context context, krb5_crypto crypto, unsigned usage, 
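Review bot: The CMS padding added to `encrypt_internal` has no visible counterpart on the decrypt side: the `decrypt_internal` hunks below only change the `_key_schedule` call, so unless the unpadding lives outside this view, `F_PADCMS` plaintext will come back with the pad bytes still attached. When the unpad is written it should validate every pad byte (`padsize` in 1..blocksize and all `padsize` trailing bytes equal to it) and fail through the same error path as a bad checksum, so that a padding failure is not distinguishable from an integrity failure. In the fill loop `int i` is compared with the `size_t padsize`; `size_t i;` avoids the warning. `encrypt_internal` starts and ends outside this hunk.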
@@ -3159,7 +3645,7 @@ krb5_encrypt(krb5_context context, return krb5_encrypt_ivec(context, crypto, usage, data, len, result, NULL); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_encrypt_EncryptedData(krb5_context context, krb5_crypto crypto, unsigned usage, @@ -3177,7 +3663,7 @@ krb5_encrypt_EncryptedData(krb5_context context, return krb5_encrypt(context, crypto, usage, data, len, &result->cipher); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_decrypt_ivec(krb5_context context, krb5_crypto crypto, unsigned usage, @@ -3196,7 +3682,7 @@ krb5_decrypt_ivec(krb5_context context, return decrypt_internal(context, crypto, data, len, result, ivec); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_decrypt(krb5_context context, krb5_crypto crypto, unsigned usage, @@ -3208,7 +3694,7 @@ krb5_decrypt(krb5_context context, NULL); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_decrypt_EncryptedData(krb5_context context, krb5_crypto crypto, unsigned usage, @@ -3231,17 +3717,19 @@ krb5_decrypt_EncryptedData(krb5_context context, static int seed_something(void) { - int fd = -1; char buf[1024], seedfile[256]; /* If there is a seed file, load it. But such a file cannot be trusted, so use 0 for the entropy estimate */ if (RAND_file_name(seedfile, sizeof(seedfile))) { + int fd; fd = open(seedfile, O_RDONLY); if (fd >= 0) { - read(fd, buf, sizeof(buf)); - /* Use the full buffer anyway */ - RAND_add(buf, sizeof(buf), 0.0); + ssize_t ret; + ret = read(fd, buf, sizeof(buf)); + if (ret > 0) + RAND_add(buf, ret, 0.0); + close(fd); } else seedfile[0] = '\0'; } else 
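Review bot: `seed_something` now feeds only the bytes actually read into `RAND_add` and closes the descriptor, which fixes the uninitialised-buffer feed of the old code, but the 1024-byte `buf` holding the seed material is left on the stack afterwards; a `memset(buf, 0, sizeof(buf));` after `RAND_add` (explicit_bzero where available, since a plain memset before return may be optimised out) limits how long it lingers. The `else seedfile[0] = '\0';` branch is context and the rest of the function is outside this hunk, so I cannot see whether a short or failed `read` (`ret <= 0`) still counts the seed file as consumed.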
@@ -3273,39 +3761,44 @@ seed_something(void) return -1; } -void +void KRB5_LIB_FUNCTION krb5_generate_random_block(void *buf, size_t len) { static int rng_initialized = 0; + HEIMDAL_MUTEX_lock(&crypto_mutex); if (!rng_initialized) { if (seed_something()) krb5_abortx(NULL, "Fatal: could not seed the random number generator"); rng_initialized = 1; } + HEIMDAL_MUTEX_unlock(&crypto_mutex); RAND_bytes(buf, len); } #else -void +void KRB5_LIB_FUNCTION krb5_generate_random_block(void *buf, size_t len) { - des_cblock key, out; - static des_cblock counter; - static des_key_schedule schedule; + DES_cblock key, out; + static DES_cblock counter; + static DES_key_schedule schedule; int i; static int initialized = 0; + HEIMDAL_MUTEX_lock(&crypto_mutex); if(!initialized) { - des_new_random_key(&key); - des_set_key(&key, schedule); + DES_new_random_key(&key); + DES_set_key(&key, &schedule); memset(&key, 0, sizeof(key)); - des_new_random_key(&counter); + DES_new_random_key(&counter); + initialized = 1; } + HEIMDAL_MUTEX_unlock(&crypto_mutex); while(len > 0) { - des_ecb_encrypt(&counter, &out, schedule, DES_ENCRYPT); + DES_ecb_encrypt(&counter, &out, &schedule, DES_ENCRYPT); for(i = 7; i >=0; i--) if(counter[i]++) break; 
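Review bot: Both variants of `krb5_generate_random_block` ignore the random source's result: in the OpenSSL variant `RAND_bytes(buf, len);` returns 0 when the PRNG cannot produce output, and the caller then uses whatever was in `buf` as key material; `if (RAND_bytes(buf, len) != 1) krb5_abortx(NULL, "Fatal: RAND_bytes failed");` matches the existing handling of a seeding failure. In the `#else` variant the new `HEIMDAL_MUTEX_unlock(&crypto_mutex);` comes before the `while(len > 0)` loop, which reads and increments the static `counter` through `DES_ecb_encrypt`, so two threads can still advance the counter concurrently and hand out overlapping output; the unlock belongs after the loop (the loop's end is outside this hunk).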
@@ -3320,35 +3813,12 @@ static void DES3_postproc(krb5_context context, unsigned char *k, size_t len, struct key_data *key) { - unsigned char x[24]; - int i, j; - - memset(x, 0, sizeof(x)); - for (i = 0; i < 3; ++i) { - unsigned char foo; - - for (j = 0; j < 7; ++j) { - unsigned char b = k[7 * i + j]; + DES3_random_to_key(context, key->key, k, len); - x[8 * i + j] = b; - } - foo = 0; - for (j = 6; j >= 0; --j) { - foo |= k[7 * i + j] & 1; - foo <<= 1; - } - x[8 * i + 7] = foo; - } - k = key->key->keyvalue.data; - memcpy(k, x, 24); - memset(x, 0, sizeof(x)); if (key->schedule) { krb5_free_data(context, key->schedule); key->schedule = NULL; } - des_set_odd_parity((des_cblock*)k); - des_set_odd_parity((des_cblock*)(k + 8)); - des_set_odd_parity((des_cblock*)(k + 16)); } static krb5_error_code @@ -3363,7 +3833,9 @@ derive_key(krb5_context context, krb5_error_code ret = 0; struct key_type *kt = et->keytype; - ret = _key_schedule(context, key); + /* since RC2 is only the weird crypto alg with parameter and this + * function not defined with work with RC2, this is ok */ + ret = _key_schedule(context, key, NULL); if(ret) return ret; if(et->blocksize * 8 < kt->bits || @@ -3409,12 +3881,10 @@ derive_key(krb5_context context, case KEYTYPE_DES3: DES3_postproc(context, k, nblocks * et->blocksize, key); break; -#ifdef ENABLE_AES case KEYTYPE_AES128: case KEYTYPE_AES256: memcpy(key->key->keyvalue.data, k, key->key->keyvalue.length); break; -#endif /* ENABLE_AES */ default: krb5_set_error_string(context, "derive_key() called with unknown keytype (%u)", @@ -3422,6 +3892,10 @@ derive_key(krb5_context context, ret = KRB5_CRYPTO_INTERNAL; break; } + if (key->schedule) { + krb5_free_data(context, key->schedule); + key->schedule = NULL; + } memset(k, 0, nblocks * et->blocksize); free(k); return ret; 
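Review bot: The new comment in `derive_key` explaining why `_key_schedule` is called with `NULL` params is hard to parse ("since RC2 is only the weird crypto alg with parameter and this function not defined with work with RC2"); suggest `/* RC2 is the only keytype that takes parameters, and key derivation is not defined for RC2, so passing NULL params here is safe */`. The added block that frees `key->schedule` after the derived key has been written is correct but reads as a stray cleanup; a one-line `/* the schedule was built for the base key; drop it so it is rebuilt for the derived key */` would explain it. `derive_key` starts and ends outside this hunk.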
@@ -3441,7 +3915,7 @@ _new_derived_key(krb5_crypto crypto, unsigned usage) return &d->key; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_derive_key(krb5_context context, const krb5_keyblock *key, krb5_enctype etype, @@ -3501,7 +3975,7 @@ _get_derived_key(krb5_context context, } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_crypto_init(krb5_context context, const krb5_keyblock *key, krb5_enctype etype, @@ -3516,25 +3990,29 @@ krb5_crypto_init(krb5_context context, if(etype == ETYPE_NULL) etype = key->keytype; (*crypto)->et = _find_enctype(etype); - if((*crypto)->et == NULL) { + if((*crypto)->et == NULL || ((*crypto)->et->flags & F_DISABLED)) { free(*crypto); + *crypto = NULL; krb5_set_error_string (context, "encryption type %d not supported", etype); return KRB5_PROG_ETYPE_NOSUPP; } - if((*crypto)->et->keytype->size != key->keyvalue.length) { + if((*crypto)->et->keytype->minsize > key->keyvalue.length) { free(*crypto); + *crypto = NULL; krb5_set_error_string (context, "encryption key has bad length"); return KRB5_BAD_KEYSIZE; } ret = krb5_copy_keyblock(context, key, &(*crypto)->key.key); if(ret) { free(*crypto); + *crypto = NULL; return ret; } (*crypto)->key.schedule = NULL; (*crypto)->num_key_usage = 0; (*crypto)->key_usage = NULL; + (*crypto)->params = NULL; return 0; } @@ -3554,7 +4032,7 @@ free_key_usage(krb5_context context, struct key_usage *ku) free_key_data(context, &ku->key); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_crypto_destroy(krb5_context context, krb5_crypto crypto) { 
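Review bot: `krb5_crypto_init` now accepts any key of at least `minsize` bytes instead of exactly `size`, so an oversized key is no longer rejected; unless every keytype's schedule copes with variable length (RC2 presumably does, the DES and AES ones presumably do not), a longer-than-expected key is silently truncated by whatever consumes `keyvalue.data`. If the relaxation is only for RC2, say so in a comment and keep the exact check for fixed-size keytypes, e.g. `if(kt->minsize > key->keyvalue.length || (kt->minsize == kt->size && kt->size != key->keyvalue.length))` with `kt = (*crypto)->et->keytype`. Setting `*crypto = NULL` on every failure path is a welcome fix.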
@@ -3564,11 +4042,80 @@ krb5_crypto_destroy(krb5_context context, free_key_usage(context, &crypto->key_usage[i]); free(crypto->key_usage); free_key_data(context, &crypto->key); + free(crypto->params); free (crypto); return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_crypto_get_params(krb5_context context, + const krb5_crypto crypto, + const krb5_data *params, + krb5_data *ivec) +{ + krb5_error_code (*gp)(krb5_context, const krb5_data *,void **,krb5_data *); + krb5_error_code ret; + + gp = crypto->et->keytype->get_params; + if (gp) { + if (crypto->params) { + krb5_set_error_string(context, + "krb5_crypto_get_params called " + "more than once"); + return KRB5_PROG_ETYPE_NOSUPP; + } + ret = (*gp)(context, params, &crypto->params, ivec); + } else { + size_t size; + if (ivec == NULL) + return 0; + ret = decode_CBCParameter(params->data, params->length, ivec, &size); + } + if (ret) + return ret; + if (ivec->length < crypto->et->blocksize) { + krb5_data_free(ivec); + krb5_set_error_string(context, "%s IV of wrong size", + crypto->et->name); + return ASN1_PARSE_ERROR; + } + return 0; +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_crypto_set_params(krb5_context context, + const krb5_crypto crypto, + const krb5_data *ivec, + krb5_data *params) +{ + krb5_error_code (*sp)(krb5_context, const void *, + const krb5_data *, krb5_data *); + krb5_error_code ret; + + sp = crypto->et->keytype->set_params; + if (sp == NULL) { + size_t size; + if (ivec == NULL) + return 0; + ASN1_MALLOC_ENCODE(CBCParameter, params->data, params->length, + ivec, &size, ret); + if (ret) + return ret; + if (size != params->length) + krb5_abortx(context, "Internal asn1 encoder failure"); + return 0; + } + if (crypto->params) { + krb5_set_error_string(context, + "krb5_crypto_set_params called " + "more than once"); + return KRB5_PROG_ETYPE_NOSUPP; + } + return (*sp)(context, crypto->params, ivec, params); +} + + +krb5_error_code KRB5_LIB_FUNCTION krb5_crypto_getblocksize(krb5_context 
context, krb5_crypto crypto, size_t *blocksize) @@ -3577,7 +4124,49 @@ krb5_crypto_getblocksize(krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_crypto_getenctype(krb5_context context, + krb5_crypto crypto, + krb5_enctype *enctype) +{ + *enctype = crypto->et->type; + return 0; +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_crypto_getpadsize(krb5_context context, + krb5_crypto crypto, + size_t *padsize) +{ + *padsize = crypto->et->padsize; + return 0; +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_crypto_getconfoundersize(krb5_context context, + krb5_crypto crypto, + size_t *confoundersize) +{ + *confoundersize = crypto->et->confoundersize; + return 0; +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_enctype_disable(krb5_context context, + krb5_enctype enctype) +{ + struct encryption_type *et = _find_enctype(enctype); + if(et == NULL) { + if (context) + krb5_set_error_string (context, "encryption type %d not supported", + enctype); + return KRB5_PROG_ETYPE_NOSUPP; + } + et->flags |= F_DISABLED; + return 0; +} + +krb5_error_code KRB5_LIB_FUNCTION krb5_string_to_key_derived(krb5_context context, const void *str, size_t len, @@ -3634,9 +4223,10 @@ wrapped_length (krb5_context context, { struct encryption_type *et = crypto->et; size_t padsize = et->padsize; + size_t checksumsize = CHECKSUMSIZE(et->checksum); size_t res; - res = et->confoundersize + et->checksum->checksumsize + data_len; + res = et->confoundersize + checksumsize + data_len; res = (res + padsize - 1) / padsize * padsize; return res; } @@ -3652,7 +4242,10 @@ wrapped_length_dervied (krb5_context context, res = et->confoundersize + data_len; res = (res + padsize - 1) / padsize * padsize; - res += et->checksum->checksumsize; + if (et->keyed_checksum) + res += et->keyed_checksum->checksumsize; + else + res += et->checksum->checksumsize; return res; } 
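Review bot: In `krb5_crypto_get_params` the `if (ivec == NULL) return 0;` early return exists only on the `decode_CBCParameter` path; when the keytype supplies `get_params` the code falls through to `if (ivec->length < crypto->et->blocksize)` and dereferences a NULL `ivec`, so the NULL check should precede the branch. The IV check is also one-sided: a CBC IV must be exactly one block, and an over-long IV passes, so `if (ivec->length != crypto->et->blocksize)` is the safer test. `params` is dereferenced (`params->data`, `params->length`) without a NULL check on the same path.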
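Review bot: `krb5_enctype_disable` sets `F_DISABLED` on the static `etypes` table, so the effect is process-wide across every `krb5_context` and the write is not serialised with readers such as `_find_enctype`; neither fact is documented. Suggested comment: `/* Disables enctype for the whole process (the table is static and shared by all contexts); there is no corresponding enable. */`, and since this file now has `crypto_mutex`, wrap the update: `HEIMDAL_MUTEX_lock(&crypto_mutex); et->flags |= F_DISABLED; HEIMDAL_MUTEX_unlock(&crypto_mutex);`.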
@@ -3671,6 +4264,38 @@ krb5_get_wrapped_length (krb5_context context, return wrapped_length (context, crypto, data_len); } +krb5_error_code KRB5_LIB_FUNCTION +krb5_random_to_key(krb5_context context, + krb5_enctype type, + const void *data, + size_t size, + krb5_keyblock *key) +{ + krb5_error_code ret; + struct encryption_type *et = _find_enctype(type); + if(et == NULL) { + krb5_set_error_string(context, "encryption type %d not supported", + type); + return KRB5_PROG_ETYPE_NOSUPP; + } + if ((et->keytype->bits + 7) / 8 > size) { + krb5_set_error_string(context, "encryption key %s needs %d bytes " + "of random to make an encryption key out of it", + et->name, (int)et->keytype->size); + return KRB5_PROG_ETYPE_NOSUPP; + } + ret = krb5_data_alloc(&key->keyvalue, et->keytype->size); + if(ret) + return ret; + key->keytype = type; + if (et->keytype->random_to_key) + (*et->keytype->random_to_key)(context, key, data, size); + else + memcpy(key->keyvalue.data, data, et->keytype->size); + + return 0; +} + #ifdef CRYPTO_DEBUG static krb5_error_code diff --git a/kerberosV/src/lib/krb5/fcache.c b/kerberosV/src/lib/krb5/fcache.c index be9dbb6731d..8d1a2db0dd6 100644 --- a/kerberosV/src/lib/krb5/fcache.c +++ b/kerberosV/src/lib/krb5/fcache.c @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$KTH: fcache.c,v 1.34.6.6 2004/03/10 13:30:59 lha Exp $"); +RCSID("$KTH: fcache.c,v 1.48 2005/05/31 22:06:15 lha Exp $"); typedef struct krb5_fcache{ char *filename; 
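Review bot: `krb5_random_to_key` checks that `size` covers `(et->keytype->bits + 7) / 8` bytes, but the fallback `memcpy(key->keyvalue.data, data, et->keytype->size)` copies `keytype->size` bytes, so for any keytype without a `random_to_key` hook whose `size` exceeds `bits/8` the copy reads past the caller's buffer. Guard the fallback with its own requirement, `if (et->keytype->random_to_key == NULL && size < et->keytype->size)` returning the same `KRB5_PROG_ETYPE_NOSUPP`, or size the check by which path will run. The error message reports `(int)et->keytype->size` while the check used `bits/8`; the two should agree so the caller is told the real minimum.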
@@ -105,18 +105,33 @@ _krb5_xlock(krb5_context context, int fd, krb5_boolean exclusive, } int -_krb5_xunlock(int fd) +_krb5_xunlock(krb5_context context, int fd) { + int ret; #ifdef HAVE_FCNTL_LOCK struct flock l; l.l_start = 0; l.l_len = 0; l.l_type = F_UNLCK; l.l_whence = SEEK_SET; - return fcntl(fd, F_SETLKW, &l); + ret = fcntl(fd, F_SETLKW, &l); #else - return flock(fd, LOCK_UN); + ret = flock(fd, LOCK_UN); #endif + if (ret < 0) + ret = errno; + switch (ret) { + case 0: + break; + case EINVAL: /* filesystem doesn't support locking, let the user have it */ + ret = 0; + break; + default: + krb5_set_error_string(context, + "Failed to unlock file: %s", strerror(ret)); + break; + } + return ret; } static krb5_error_code @@ -129,7 +144,7 @@ fcc_lock(krb5_context context, krb5_ccache id, static krb5_error_code fcc_unlock(krb5_context context, int fd) { - return _krb5_xunlock(fd); + return _krb5_xunlock(context, fd); } static krb5_error_code @@ -405,13 +420,12 @@ fcc_store_cred(krb5_context context, sp = krb5_storage_from_fd(fd); krb5_storage_set_eof_code(sp, KRB5_CC_END); storage_set_flags(context, sp, FCACHE(id)->version); - if (krb5_config_get_bool_default(context, NULL, FALSE, - "libdefaults", - "fcc-mit-ticketflags", - NULL)) - ret = _krb5_store_creds_heimdal_0_7(sp, creds); - else - ret = _krb5_store_creds_heimdal_pre_0_7(sp, creds); + if (!krb5_config_get_bool_default(context, NULL, TRUE, + "libdefaults", + "fcc-mit-ticketflags", + NULL)) + krb5_storage_set_flags(sp, KRB5_STORAGE_CREDS_FLAGS_WRONG_BITORDER); + ret = krb5_store_creds(sp, creds); krb5_storage_free(sp); } fcc_unlock(context, fd); @@ -436,12 +450,12 @@ init_fcc (krb5_context context, krb5_error_code ret; ret = fcc_open(context, id, &fd, O_RDONLY | O_BINARY, 0); - if(ret) return ret; sp = krb5_storage_from_fd(fd); if(sp == NULL) { + krb5_clear_error_string(context); ret = ENOMEM; goto out; } 
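Review bot: In `fcc_store_cred` the default for `fcc-mit-ticketflags` flips from FALSE to TRUE and the test is inverted, so caches written under default configuration now use a different ticket-flag bit order than before (the removed code called the old one `_krb5_store_creds_heimdal_pre_0_7`); a comment on the `if`, e.g. `/* default: MIT-compatible flag bit order; fcc-mit-ticketflags=false keeps the pre-0.7 Heimdal order */`, would save the next reader a trip through history. In `_krb5_xunlock`, `strerror(ret)` is not thread-safe in a library that now takes locks elsewhere; `strerror_r` into a local buffer is the usual replacement.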
@@ -450,14 +464,18 @@ init_fcc (krb5_context context, if(ret != 0) { if(ret == KRB5_CC_END) ret = ENOENT; /* empty file */ + krb5_clear_error_string(context); goto out; } if(pvno != 5) { + krb5_set_error_string(context, "Bad version number in credential " + "cache file: %s", FILENAME(id)); ret = KRB5_CCACHE_BADVNO; goto out; } ret = krb5_ret_int8(sp, &tag); /* should not be host byte order */ if(ret != 0) { + krb5_clear_error_string(context); ret = KRB5_CC_FORMAT; goto out; } @@ -470,6 +488,7 @@ init_fcc (krb5_context context, ret = krb5_ret_int16 (sp, &length); if(ret) { ret = KRB5_CC_FORMAT; + krb5_clear_error_string(context); goto out; } while(length > 0) { @@ -479,11 +498,13 @@ init_fcc (krb5_context context, ret = krb5_ret_int16 (sp, &tag); if(ret) { + krb5_clear_error_string(context); ret = KRB5_CC_FORMAT; goto out; } ret = krb5_ret_int16 (sp, &data_len); if(ret) { + krb5_clear_error_string(context); ret = KRB5_CC_FORMAT; goto out; } @@ -491,11 +512,13 @@ init_fcc (krb5_context context, case FCC_TAG_DELTATIME : ret = krb5_ret_int32 (sp, &context->kdc_sec_offset); if(ret) { + krb5_clear_error_string(context); ret = KRB5_CC_FORMAT; goto out; } ret = krb5_ret_int32 (sp, &context->kdc_usec_offset); if(ret) { + krb5_clear_error_string(context); ret = KRB5_CC_FORMAT; goto out; } @@ -504,6 +527,7 @@ init_fcc (krb5_context context, for (i = 0; i < data_len; ++i) { ret = krb5_ret_int8 (sp, &dummy); if(ret) { + krb5_clear_error_string(context); ret = KRB5_CC_FORMAT; goto out; } @@ -520,6 +544,9 @@ init_fcc (krb5_context context, break; default : ret = KRB5_CCACHE_BADVNO; + krb5_set_error_string(context, "Unknown version number (%d) in " + "credential cache file: %s", + (int)tag, FILENAME(id)); goto out; } *ret_sp = sp; @@ -547,6 +574,8 @@ fcc_get_principal(krb5_context context, if (ret) return ret; ret = krb5_ret_principal(sp, principal); + if (ret) + krb5_clear_error_string(context); krb5_storage_free(sp); fcc_unlock(context, fd); close(fd); 
@@ -567,15 +596,22 @@ fcc_get_first (krb5_context context, krb5_principal principal; *cursor = malloc(sizeof(struct fcc_cursor)); + if (*cursor == NULL) { + krb5_set_error_string (context, "malloc: out of memory"); + return ENOMEM; + } + memset(*cursor, 0, sizeof(struct fcc_cursor)); ret = init_fcc (context, id, &FCC_CURSOR(*cursor)->sp, &FCC_CURSOR(*cursor)->fd); if (ret) { free(*cursor); + *cursor = NULL; return ret; } ret = krb5_ret_principal (FCC_CURSOR(*cursor)->sp, &principal); if(ret) { + krb5_clear_error_string(context); fcc_end_get(context, id, cursor); return ret; } @@ -595,6 +631,8 @@ fcc_get_next (krb5_context context, return ret; ret = krb5_ret_creds(FCC_CURSOR(*cursor)->sp, creds); + if (ret) + krb5_clear_error_string(context); fcc_unlock(context, FCC_CURSOR(*cursor)->fd); return ret; @@ -618,7 +656,31 @@ fcc_remove_cred(krb5_context context, krb5_flags which, krb5_creds *cred) { - return 0; /* XXX */ + krb5_error_code ret; + krb5_ccache copy; + + ret = krb5_cc_gen_new(context, &krb5_mcc_ops, ©); + if (ret) + return ret; + + ret = krb5_cc_copy_cache(context, id, copy); + if (ret) { + krb5_cc_destroy(context, copy); + return ret; + } + + ret = krb5_cc_remove_cred(context, copy, which, cred); + if (ret) { + krb5_cc_destroy(context, copy); + return ret; + } + + fcc_destroy(context, id); + + ret = krb5_cc_copy_cache(context, copy, id); + krb5_cc_destroy(context, copy); + + return ret; } static krb5_error_code diff --git a/kerberosV/src/lib/krb5/get_host_realm.c b/kerberosV/src/lib/krb5/get_host_realm.c index 92e978cbb92..61c1d4af230 100644 --- a/kerberosV/src/lib/krb5/get_host_realm.c +++ b/kerberosV/src/lib/krb5/get_host_realm.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * 
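Review bot: The new `fcc_remove_cred` is not failure-safe: it calls `fcc_destroy(context, id)` (return value ignored) before the second `krb5_cc_copy_cache`, so if copying the memory cache back fails the on-disk cache is already gone and the caller's credentials are lost, while only the copy error is reported. Writing the new contents to a temporary file and renaming it over the original, or at least checking `fcc_destroy`'s result and keeping the original until the copy succeeds, would preserve the cache on failure; a comment noting that the cache is rewritten wholesale rather than edited in place would also help. The `©` in the `krb5_cc_gen_new` line is evidently `&copy` mangled by entity decoding in this rendering, not the committed text.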
@@ -34,7 +34,7 @@ #include "krb5_locl.h" #include <resolve.h> -RCSID("$KTH: get_host_realm.c,v 1.29 2002/08/28 13:36:57 nectar Exp $"); +RCSID("$KTH: get_host_realm.c,v 1.34 2005/04/19 18:52:51 lha Exp $"); /* To automagically find the correct realm of a host (without * [domain_realm] in krb5.conf) add a text record for your domain with @@ -98,7 +98,7 @@ dns_find_realm(krb5_context context, char dom[MAXHOSTNAMELEN]; struct dns_reply *r; char **labels; - int i, j, ret; + int i, ret; labels = krb5_config_get_strings(context, NULL, "libdefaults", "dns_lookup_realm_labels", NULL); @@ -107,8 +107,8 @@ dns_find_realm(krb5_context context, if(*domain == '.') domain++; for (i = 0; labels[i] != NULL; i++) { - j = snprintf(dom, sizeof(dom), "%s.%s.", labels[i], domain); - if (j >= sizeof(dom) || j < 0) /* fucking solaris assholes */ + ret = snprintf(dom, sizeof(dom), "%s.%s.", labels[i], domain); + if(ret < 0 || ret >= sizeof(dom)) return -1; r = dns_lookup(dom, "TXT"); if(r != NULL) { @@ -149,11 +149,11 @@ config_find_realm(krb5_context context, * fall back to guessing */ -krb5_error_code -krb5_get_host_realm_int (krb5_context context, - const char *host, - krb5_boolean use_dns, - krb5_realm **realms) +krb5_error_code KRB5_LIB_FUNCTION +_krb5_get_host_realm_int (krb5_context context, + const char *host, + krb5_boolean use_dns, + krb5_realm **realms) { const char *p, *q; krb5_boolean dns_locate_enable; @@ -203,7 +203,7 @@ krb5_get_host_realm_int (krb5_context context, * Return the realm(s) of `host' as a NULL-terminated list in `realms'. */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_host_realm(krb5_context context, const char *host, krb5_realm **realms) @@ -216,5 +216,5 @@ krb5_get_host_realm(krb5_context context, host = hostname; } - return krb5_get_host_realm_int (context, host, 1, realms); + return _krb5_get_host_realm_int (context, host, 1, realms); } 
diff --git a/kerberosV/src/lib/krb5/init_creds.c b/kerberosV/src/lib/krb5/init_creds.c index 7478dd149cf..0038c900cef 100644 --- a/kerberosV/src/lib/krb5/init_creds.c +++ b/kerberosV/src/lib/krb5/init_creds.c 
@@ -1,45 +1,114 @@ /* - * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. + * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
*/ #include "krb5_locl.h" -RCSID("$KTH: init_creds.c,v 1.9 2001/07/03 18:42:07 assar Exp $"); +RCSID("$KTH: init_creds.c,v 1.20.4.2 2005/10/13 03:11:06 lha Exp $"); -void +void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_init(krb5_get_init_creds_opt *opt) { memset (opt, 0, sizeof(*opt)); opt->flags = 0; + opt->opt_private = NULL; +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_get_init_creds_opt_alloc(krb5_context context, + krb5_get_init_creds_opt **opt) +{ + krb5_get_init_creds_opt *o; + + *opt = NULL; + o = calloc(1, sizeof(*o)); + if (o == NULL) { + krb5_set_error_string(context, "out of memory"); + return ENOMEM; + } + krb5_get_init_creds_opt_init(o); + o->opt_private = calloc(1, sizeof(*o->opt_private)); + if (o->opt_private == NULL) { + krb5_set_error_string(context, "out of memory"); + free(o); + return ENOMEM; + } + o->opt_private->refcount = 1; + *opt = o; + return 0; +} + +krb5_error_code +_krb5_get_init_creds_opt_copy(krb5_context context, + const krb5_get_init_creds_opt *in, + krb5_get_init_creds_opt **out) +{ + krb5_get_init_creds_opt *opt; + + *out = NULL; + opt = malloc(sizeof(*opt)); + if (opt == NULL) { + krb5_set_error_string(context, "out of memory"); + return ENOMEM; + } + if (in) + *opt = *in; + if(opt->opt_private == NULL) { + opt->opt_private = calloc(1, sizeof(*opt->opt_private)); + if (opt->opt_private == NULL) { + krb5_set_error_string(context, "out of memory"); + free(opt); + return ENOMEM; + } + opt->opt_private->refcount = 1; + } else + opt->opt_private->refcount++; + *out = opt; + return 0; +} + +void KRB5_LIB_FUNCTION +krb5_get_init_creds_opt_free(krb5_get_init_creds_opt *opt) +{ + if (opt->opt_private == NULL) + return; + if (opt->opt_private->refcount < 1) /* abort ? */ + return; + if (--opt->opt_private->refcount == 0) { + _krb5_get_init_creds_opt_free_pkinit(opt); + free(opt->opt_private); + } + memset(opt, 0, sizeof(*opt)); + free(opt); } static int 
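Review bot: `_krb5_get_init_creds_opt_copy` allocates `opt` with `malloc` and only assigns `*opt = *in` when `in` is non-NULL, so for `in == NULL` the following `opt->opt_private == NULL` test reads uninitialised memory and may then `refcount++` through a garbage pointer; `opt = calloc(1, sizeof(*opt));` (or an `else memset(opt, 0, sizeof(*opt));`) fixes it. The `refcount` in `opt_private` is read and modified without any lock in both `_copy` and `krb5_get_init_creds_opt_free`; if option structures are not meant to be shared between threads, a comment on `opt_private` saying so would make that contract explicit. The `/* abort ? */` on the `refcount < 1` check leaves the underflow policy undecided and should be resolved one way or the other.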
@@ -93,9 +162,9 @@ get_config_bool (krb5_context context, static krb5_addresses no_addrs = {0, NULL}; -void +void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_set_default_flags(krb5_context context, - const char *appname, + const char *appname, krb5_const_realm realm, krb5_get_init_creds_opt *opt) { @@ -115,8 +184,8 @@ krb5_get_init_creds_opt_set_default_flags(krb5_context context, t = get_config_time (context, realm, "ticket_lifetime", 0); if(t != 0) krb5_get_init_creds_opt_set_tkt_life(opt, t); - - krb5_appdefault_time(context, appname, (krb5_realm)realm, "renew_lifetime", 0, &t); + + krb5_appdefault_time(context, appname, realm, "renew_lifetime", 0, &t); if (t == 0) t = get_config_time (context, realm, "renew_lifetime", 0); if(t != 0) @@ -130,7 +199,7 @@ krb5_get_init_creds_opt_set_default_flags(krb5_context context, krb5_appdefault_boolean(context, appname, realm, "anonymous", FALSE, &b); krb5_get_init_creds_opt_set_anonymous (opt, b); - krb5_get_init_creds_opt_set_etype_list(opt, enctype, + krb5_get_init_creds_opt_set_etype_list(opt, enctype, etype_str.num_strings); krb5_get_init_creds_opt_set_salt(krb5_get_init_creds_opt *opt, @@ -143,7 +212,7 @@ krb5_get_init_creds_opt_set_default_flags(krb5_context context, } -void +void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_set_tkt_life(krb5_get_init_creds_opt *opt, krb5_deltat tkt_life) { @@ -151,7 +220,7 @@ krb5_get_init_creds_opt_set_tkt_life(krb5_get_init_creds_opt *opt, opt->tkt_life = tkt_life; } -void +void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_set_renew_life(krb5_get_init_creds_opt *opt, krb5_deltat renew_life) { @@ -159,7 +228,7 @@ krb5_get_init_creds_opt_set_renew_life(krb5_get_init_creds_opt *opt, opt->renew_life = renew_life; } -void +void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_set_forwardable(krb5_get_init_creds_opt *opt, int forwardable) { 
@@ -167,7 +236,7 @@ krb5_get_init_creds_opt_set_forwardable(krb5_get_init_creds_opt *opt, opt->forwardable = forwardable; } -void +void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_set_proxiable(krb5_get_init_creds_opt *opt, int proxiable) { @@ -175,7 +244,7 @@ krb5_get_init_creds_opt_set_proxiable(krb5_get_init_creds_opt *opt, opt->proxiable = proxiable; } -void +void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_set_etype_list(krb5_get_init_creds_opt *opt, krb5_enctype *etype_list, int etype_list_length) @@ -185,7 +254,7 @@ krb5_get_init_creds_opt_set_etype_list(krb5_get_init_creds_opt *opt, opt->etype_list_length = etype_list_length; } -void +void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_set_address_list(krb5_get_init_creds_opt *opt, krb5_addresses *addresses) { @@ -193,7 +262,7 @@ krb5_get_init_creds_opt_set_address_list(krb5_get_init_creds_opt *opt, opt->address_list = addresses; } -void +void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_set_preauth_list(krb5_get_init_creds_opt *opt, krb5_preauthtype *preauth_list, int preauth_list_length) @@ -203,7 +272,7 @@ krb5_get_init_creds_opt_set_preauth_list(krb5_get_init_creds_opt *opt, opt->preauth_list = preauth_list; } -void +void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_set_salt(krb5_get_init_creds_opt *opt, krb5_data *salt) { 
@@ -211,10 +280,52 @@ krb5_get_init_creds_opt_set_salt(krb5_get_init_creds_opt *opt,
 opt->salt = salt;
 }
 
-void
+void KRB5_LIB_FUNCTION
 krb5_get_init_creds_opt_set_anonymous(krb5_get_init_creds_opt *opt,
 int anonymous)
 {
 opt->flags |= KRB5_GET_INIT_CREDS_OPT_ANONYMOUS;
 opt->anonymous = anonymous;
 }
+
+static krb5_error_code
+require_ext_opt(krb5_context context,
+ krb5_get_init_creds_opt *opt,
+ const char *type)
+{
+ if (opt->opt_private == NULL) {
+ krb5_set_error_string(context, "%s on non extendable opt", type);
+ return EINVAL;
+ }
+ return 0;
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_get_init_creds_opt_set_pa_password(krb5_context context,
+ krb5_get_init_creds_opt *opt,
+ const char *password,
+ krb5_s2k_proc key_proc)
+{
+ krb5_error_code ret;
+ ret = require_ext_opt(context, opt, "init_creds_opt_set_pa_password");
+ if (ret)
+ return ret;
+ opt->opt_private->password = password;
+ opt->opt_private->key_proc = key_proc;
+ return 0;
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_get_init_creds_opt_set_pac_request(krb5_context context,
+ krb5_get_init_creds_opt *opt,
+ krb5_boolean req_pac)
+{
+ krb5_error_code ret;
+ ret = require_ext_opt(context, opt, "init_creds_opt_set_pac_req");
+ if (ret)
+ return ret;
+ opt->opt_private->req_pac = req_pac ?
+ KRB5_PA_PAC_REQ_TRUE :
+ KRB5_PA_PAC_REQ_FALSE;
+ return 0;
+}
diff --git a/kerberosV/src/lib/krb5/kerberos.8 b/kerberosV/src/lib/krb5/kerberos.8
index 422a6d0b94d..7cfee3b7b85 100644
--- a/kerberosV/src/lib/krb5/kerberos.8
+++ b/kerberosV/src/lib/krb5/kerberos.8
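Review bot: krb5_get_init_creds_opt_set_pa_password retains the caller's `password` pointer (`opt->opt_private->password = password;`) instead of copying the string, and nothing in the hunk says the buffer must outlive the opt, so a caller that passes a temporary leaves a dangling pointer for whatever later reads the password. A contract comment above the function would close that gap: `/* Stores 'password' and 'key_proc' by reference; the caller owns the string and must keep it valid and unchanged until the opt is freed. */`. require_ext_opt dereferences `opt` unconditionally, which matches the other setters in this file, but since these are the first setters that can fail it is worth adding to the same comment that the opt must come from krb5_get_init_creds_opt_alloc: an opt prepared by krb5_get_init_creds_opt_init (earlier hunk) has `opt_private` NULL and gets EINVAL here.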
@@ -1,35 +1,35 @@ .\" Copyright (c) 2000 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. .\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: .\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. .\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. .\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. .\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. .\" -.\" $KTH: kerberos.8,v 1.6 2003/03/10 02:19:23 lha Exp $ +.\" $KTH: kerberos.8,v 1.8 2003/07/26 17:05:42 lha Exp $ .\" .Dd September 1, 2000 .Dt KERBEROS 8 diff --git a/kerberosV/src/lib/krb5/krb5-protos.h b/kerberosV/src/lib/krb5/krb5-protos.h index 58788aebab5..068edd51860 100644 --- a/kerberosV/src/lib/krb5/krb5-protos.h +++ b/kerberosV/src/lib/krb5/krb5-protos.h 
@@ -8,20 +8,32 @@ #define __attribute__(x) #endif -krb5_error_code +#ifdef __cplusplus +extern "C" { +#endif + +#ifndef KRB5_LIB_FUNCTION +#if defined(_WIN32) +#define KRB5_LIB_FUNCTION _stdcall +#else +#define KRB5_LIB_FUNCTION +#endif +#endif + +krb5_error_code KRB5_LIB_FUNCTION krb524_convert_creds_kdc ( krb5_context /*context*/, krb5_creds */*in_cred*/, struct credentials */*v4creds*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb524_convert_creds_kdc_ccache ( krb5_context /*context*/, krb5_ccache /*ccache*/, krb5_creds */*in_cred*/, struct credentials */*v4creds*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_425_conv_principal ( krb5_context /*context*/, const char */*name*/, @@ -29,7 +41,7 @@ krb5_425_conv_principal ( const char */*realm*/, krb5_principal */*princ*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_425_conv_principal_ext ( krb5_context /*context*/, const char */*name*/, @@ -39,7 +51,7 @@ krb5_425_conv_principal_ext ( krb5_boolean /*resolve*/, krb5_principal */*princ*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_524_conv_principal ( krb5_context /*context*/, const krb5_principal /*principal*/, @@ -47,17 +59,7 @@ krb5_524_conv_principal ( char */*instance*/, char */*realm*/); -krb5_error_code -krb5_PKCS5_PBKDF2 ( - krb5_context /*context*/, - krb5_cksumtype /*cktype*/, - krb5_data /*password*/, - krb5_salt /*salt*/, - u_int32_t /*iter*/, - krb5_keytype /*type*/, - krb5_keyblock */*key*/); - -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_abort ( krb5_context /*context*/, krb5_error_code /*code*/, 
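Review bot: KRB5_LIB_FUNCTION expands to `_stdcall` on _WIN32 and the hunk attaches it to variadic prototypes such as krb5_abort (`...) __attribute__ ((noreturn, format (printf, 3, 4)))`), with krb5_abortx and krb5_acl_match_file following in the next hunk; stdcall is a callee-cleans-stack convention and cannot be applied to a variadic function, so those declarations need the macro left off (or a cdecl variant) on that target. The `extern "C" {` opened at the top of the hunk is closed outside this view; the matching `}` should carry the same `__cplusplus` guard. Dropping the krb5_PKCS5_PBKDF2 prototype removes a previously declared public entry point, so any remaining in-tree caller would now compile against an implicit declaration — a search for callers before the merge would settle that.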
@@ -65,49 +67,49 @@ krb5_abort ( ...) __attribute__ ((noreturn, format (printf, 3, 4))); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_abortx ( krb5_context /*context*/, const char */*fmt*/, ...) __attribute__ ((noreturn, format (printf, 2, 3))); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_acl_match_file ( krb5_context /*context*/, const char */*file*/, const char */*format*/, ...); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_acl_match_string ( krb5_context /*context*/, const char */*string*/, const char */*format*/, ...); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_add_et_list ( krb5_context /*context*/, void (*/*func*/)(struct et_list **)); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_add_extra_addresses ( krb5_context /*context*/, krb5_addresses */*addresses*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_add_ignore_addresses ( krb5_context /*context*/, krb5_addresses */*addresses*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_addlog_dest ( krb5_context /*context*/, krb5_log_facility */*f*/, const char */*orig*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_addlog_func ( krb5_context /*context*/, krb5_log_facility */*fac*/, @@ -117,7 +119,7 @@ krb5_addlog_func ( krb5_log_close_func_t /*close*/, void */*data*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_addr2sockaddr ( krb5_context /*context*/, const krb5_address */*addr*/, 
@@ -125,32 +127,40 @@ krb5_addr2sockaddr ( krb5_socklen_t */*sa_size*/, int /*port*/); -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_address_compare ( krb5_context /*context*/, const krb5_address */*addr1*/, const krb5_address */*addr2*/); -int +int KRB5_LIB_FUNCTION krb5_address_order ( krb5_context /*context*/, const krb5_address */*addr1*/, const krb5_address */*addr2*/); -krb5_boolean +krb5_error_code KRB5_LIB_FUNCTION +krb5_address_prefixlen_boundary ( + krb5_context /*context*/, + const krb5_address */*inaddr*/, + unsigned long /*prefixlen*/, + krb5_address */*low*/, + krb5_address */*high*/); + +krb5_boolean KRB5_LIB_FUNCTION krb5_address_search ( krb5_context /*context*/, const krb5_address */*addr*/, const krb5_addresses */*addrlist*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_aname_to_localname ( krb5_context /*context*/, krb5_const_principal /*aname*/, size_t /*lnsize*/, char */*lname*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_anyaddr ( krb5_context /*context*/, int /*af*/, @@ -158,7 +168,7 @@ krb5_anyaddr ( krb5_socklen_t */*sa_size*/, int /*port*/); -void +void KRB5_LIB_FUNCTION krb5_appdefault_boolean ( krb5_context /*context*/, const char */*appname*/, @@ -167,7 +177,7 @@ krb5_appdefault_boolean ( krb5_boolean /*def_val*/, krb5_boolean */*ret_val*/); -void +void KRB5_LIB_FUNCTION krb5_appdefault_string ( krb5_context /*context*/, const char */*appname*/, @@ -176,7 +186,7 @@ krb5_appdefault_string ( const char */*def_val*/, char **/*ret_val*/); -void +void KRB5_LIB_FUNCTION krb5_appdefault_time ( krb5_context /*context*/, const char */*appname*/, 
@@ -185,176 +195,190 @@ krb5_appdefault_time ( time_t /*def_val*/, time_t */*ret_val*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_append_addresses ( krb5_context /*context*/, krb5_addresses */*dest*/, const krb5_addresses */*source*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_auth_con_addflags ( + krb5_context /*context*/, + krb5_auth_context /*auth_context*/, + int32_t /*addflags*/, + int32_t */*flags*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_free ( krb5_context /*context*/, krb5_auth_context /*auth_context*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_genaddrs ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, int /*fd*/, int /*flags*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_generatelocalsubkey ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, krb5_keyblock */*key*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_getaddrs ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, krb5_address **/*local_addr*/, krb5_address **/*remote_addr*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_getauthenticator ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, krb5_authenticator */*authenticator*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_getcksumtype ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, krb5_cksumtype */*cksumtype*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_getflags ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, int32_t */*flags*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_getkey ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, krb5_keyblock **/*keyblock*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_getkeytype ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, krb5_keytype */*keytype*/); -krb5_error_code 
+krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_getlocalseqnumber ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, int32_t */*seqnumber*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_getlocalsubkey ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, krb5_keyblock **/*keyblock*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_getrcache ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, krb5_rcache */*rcache*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_getremotesubkey ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, krb5_keyblock **/*keyblock*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_init ( krb5_context /*context*/, krb5_auth_context */*auth_context*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_auth_con_removeflags ( + krb5_context /*context*/, + krb5_auth_context /*auth_context*/, + int32_t /*removeflags*/, + int32_t */*flags*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_setaddrs ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, krb5_address */*local_addr*/, krb5_address */*remote_addr*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_setaddrs_from_fd ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, void */*p_fd*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_setcksumtype ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, krb5_cksumtype /*cksumtype*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_setflags ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, int32_t /*flags*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_setkey ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, krb5_keyblock */*keyblock*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_setkeytype ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, 
krb5_keytype /*keytype*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_setlocalseqnumber ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, int32_t /*seqnumber*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_setlocalsubkey ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, krb5_keyblock */*keyblock*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_setrcache ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, krb5_rcache /*rcache*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_setremoteseqnumber ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, int32_t /*seqnumber*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_setremotesubkey ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, krb5_keyblock */*keyblock*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_setuserkey ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, krb5_keyblock */*keyblock*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_getremoteseqnumber ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, int32_t */*seqnumber*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_build_ap_req ( krb5_context /*context*/, krb5_enctype /*enctype*/, @@ -363,7 +387,7 @@ krb5_build_ap_req ( krb5_data /*authenticator*/, krb5_data */*retdata*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_build_authenticator ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, @@ -374,7 +398,7 @@ krb5_build_authenticator ( krb5_data */*result*/, krb5_key_usage /*usage*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_build_principal ( krb5_context /*context*/, krb5_principal */*principal*/, 
@@ -382,7 +406,7 @@ krb5_build_principal ( krb5_const_realm /*realm*/, ...); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_build_principal_ext ( krb5_context /*context*/, krb5_principal */*principal*/, @@ -390,7 +414,7 @@ krb5_build_principal_ext ( krb5_const_realm /*realm*/, ...); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_build_principal_va ( krb5_context /*context*/, krb5_principal */*principal*/, @@ -398,7 +422,7 @@ krb5_build_principal_va ( krb5_const_realm /*realm*/, va_list /*ap*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_build_principal_va_ext ( krb5_context /*context*/, krb5_principal */*principal*/, 
@@ -406,43 +430,149 @@ krb5_build_principal_va_ext ( krb5_const_realm /*realm*/, va_list /*ap*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_c_block_size ( + krb5_context /*context*/, + krb5_enctype /*enctype*/, + size_t */*blocksize*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_c_checksum_length ( + krb5_context /*context*/, + krb5_cksumtype /*cksumtype*/, + size_t */*length*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_c_decrypt ( + krb5_context /*context*/, + const krb5_keyblock /*key*/, + krb5_keyusage /*usage*/, + const krb5_data */*ivec*/, + krb5_enc_data */*input*/, + krb5_data */*output*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_c_encrypt ( + krb5_context /*context*/, + const krb5_keyblock */*key*/, + krb5_keyusage /*usage*/, + const krb5_data */*ivec*/, + const krb5_data */*input*/, + krb5_enc_data */*output*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_c_encrypt_length ( + krb5_context /*context*/, + krb5_enctype /*enctype*/, + size_t /*inputlen*/, + size_t */*length*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_c_enctype_compare ( + krb5_context /*context*/, + krb5_enctype /*e1*/, + krb5_enctype /*e2*/, + krb5_boolean */*similar*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_c_get_checksum ( + krb5_context /*context*/, + const krb5_checksum */*cksum*/, + krb5_cksumtype */*type*/, + krb5_data **/*data*/); + +krb5_boolean KRB5_LIB_FUNCTION +krb5_c_is_coll_proof_cksum (krb5_cksumtype /*ctype*/); + +krb5_boolean KRB5_LIB_FUNCTION +krb5_c_is_keyed_cksum (krb5_cksumtype /*ctype*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_c_make_checksum ( + krb5_context /*context*/, + krb5_cksumtype /*cksumtype*/, + const krb5_keyblock */*key*/, + krb5_keyusage /*usage*/, + const krb5_data */*input*/, + krb5_checksum */*cksum*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_c_make_random_key ( + krb5_context /*context*/, + krb5_enctype /*enctype*/, + krb5_keyblock */*random_key*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_c_set_checksum ( + 
krb5_context /*context*/, + krb5_checksum */*cksum*/, + krb5_cksumtype /*type*/, + const krb5_data */*data*/); + +krb5_boolean KRB5_LIB_FUNCTION +krb5_c_valid_cksumtype (krb5_cksumtype /*ctype*/); + +krb5_boolean KRB5_LIB_FUNCTION +krb5_c_valid_enctype (krb5_enctype /*etype*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_c_verify_checksum ( + krb5_context /*context*/, + const krb5_keyblock */*key*/, + krb5_keyusage /*usage*/, + const krb5_data */*data*/, + const krb5_checksum */*cksum*/, + krb5_boolean */*valid*/); + +void KRB5_LIB_FUNCTION +krb5_cc_clear_mcred (krb5_creds */*mcred*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_close ( krb5_context /*context*/, krb5_ccache /*id*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_copy_cache ( krb5_context /*context*/, const krb5_ccache /*from*/, krb5_ccache /*to*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_cc_copy_cache_match ( + krb5_context /*context*/, + const krb5_ccache /*from*/, + krb5_ccache /*to*/, + krb5_flags /*whichfields*/, + const krb5_creds * /*mcreds*/, + unsigned int */*matched*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_default ( krb5_context /*context*/, krb5_ccache */*id*/); -const char* +const char* KRB5_LIB_FUNCTION krb5_cc_default_name (krb5_context /*context*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_destroy ( krb5_context /*context*/, krb5_ccache /*id*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_end_seq_get ( krb5_context /*context*/, const krb5_ccache /*id*/, krb5_cc_cursor */*cursor*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_gen_new ( krb5_context /*context*/, const krb5_cc_ops */*ops*/, krb5_ccache */*id*/); -const char* +const char* KRB5_LIB_FUNCTION krb5_cc_get_name ( krb5_context /*context*/, krb5_ccache /*id*/); 
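Review bot: krb5_c_decrypt is declared with `const krb5_keyblock /*key*/` passed by value, while every sibling added in this hunk (krb5_c_encrypt, krb5_c_make_checksum, krb5_c_verify_checksum) takes `const krb5_keyblock *`; MIT-style callers that pass `&key` will not compile against it, and the keyblock struct is copied on every call. If this header mirrors the definition in the crypto code (not visible here), the signature should be changed there to `const krb5_keyblock */*key*/,` and the header regenerated, rather than editing the prototype alone. The hunk's other new entries read consistently with each other.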
@@ -452,55 +582,76 @@ krb5_cc_get_ops ( krb5_context /*context*/, krb5_ccache /*id*/); -krb5_error_code +const krb5_cc_ops * +krb5_cc_get_prefix_ops ( + krb5_context /*context*/, + const char */*prefix*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_get_principal ( krb5_context /*context*/, krb5_ccache /*id*/, krb5_principal */*principal*/); -const char* +const char* KRB5_LIB_FUNCTION krb5_cc_get_type ( krb5_context /*context*/, krb5_ccache /*id*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_get_version ( krb5_context /*context*/, const krb5_ccache /*id*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_initialize ( krb5_context /*context*/, krb5_ccache /*id*/, krb5_principal /*primary_principal*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_cc_new_unique ( + krb5_context /*context*/, + const char */*type*/, + const char */*hint*/, + krb5_ccache */*id*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_next_cred ( krb5_context /*context*/, const krb5_ccache /*id*/, krb5_cc_cursor */*cursor*/, krb5_creds */*creds*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_cc_next_cred_match ( + krb5_context /*context*/, + const krb5_ccache /*id*/, + krb5_cc_cursor * /*cursor*/, + krb5_creds * /*creds*/, + krb5_flags /*whichfields*/, + const krb5_creds * /*mcreds*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_register ( krb5_context /*context*/, const krb5_cc_ops */*ops*/, krb5_boolean /*override*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_remove_cred ( krb5_context /*context*/, krb5_ccache /*id*/, krb5_flags /*which*/, krb5_creds */*cred*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_resolve ( krb5_context /*context*/, const char */*name*/, krb5_ccache */*id*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_retrieve_cred ( krb5_context /*context*/, krb5_ccache /*id*/, 
@@ -508,30 +659,30 @@ krb5_cc_retrieve_cred ( const krb5_creds */*mcreds*/, krb5_creds */*creds*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_set_default_name ( krb5_context /*context*/, const char */*name*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_set_flags ( krb5_context /*context*/, krb5_ccache /*id*/, krb5_flags /*flags*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_start_seq_get ( krb5_context /*context*/, const krb5_ccache /*id*/, krb5_cc_cursor */*cursor*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_store_cred ( krb5_context /*context*/, krb5_ccache /*id*/, krb5_creds */*creds*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_change_password ( krb5_context /*context*/, krb5_creds */*creds*/, @@ -540,7 +691,7 @@ krb5_change_password ( krb5_data */*result_code_string*/, krb5_data */*result_string*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_check_transited ( krb5_context /*context*/, krb5_const_realm /*client_realm*/, 
@@ -549,50 +700,65 @@ krb5_check_transited ( int /*num_realms*/, int */*bad_realm*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_check_transited_realms ( krb5_context /*context*/, const char *const */*realms*/, int /*num_realms*/, int */*bad_realm*/); -krb5_boolean +krb5_error_code KRB5_LIB_FUNCTION +krb5_checksum_disable ( + krb5_context /*context*/, + krb5_cksumtype /*type*/); + +void KRB5_LIB_FUNCTION +krb5_checksum_free ( + krb5_context /*context*/, + krb5_checksum */*cksum*/); + +krb5_boolean KRB5_LIB_FUNCTION krb5_checksum_is_collision_proof ( krb5_context /*context*/, krb5_cksumtype /*type*/); -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_checksum_is_keyed ( krb5_context /*context*/, krb5_cksumtype /*type*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_checksumsize ( krb5_context /*context*/, krb5_cksumtype /*type*/, size_t */*size*/); -void +krb5_error_code KRB5_LIB_FUNCTION +krb5_cksumtype_valid ( + krb5_context /*context*/, + krb5_cksumtype /*ctype*/); + +void KRB5_LIB_FUNCTION krb5_clear_error_string (krb5_context /*context*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_closelog ( krb5_context /*context*/, krb5_log_facility */*fac*/); -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_compare_creds ( krb5_context /*context*/, krb5_flags /*whichfields*/, - const krb5_creds */*mcreds*/, - const krb5_creds */*creds*/); + const krb5_creds * /*mcreds*/, + const krb5_creds * /*creds*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_config_file_free ( krb5_context /*context*/, krb5_config_section */*s*/); -void +void KRB5_LIB_FUNCTION krb5_config_free_strings (char **/*strings*/); const void * 
@@ -602,26 +768,26 @@ krb5_config_get ( int /*type*/, ...); -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_config_get_bool ( krb5_context /*context*/, const krb5_config_section */*c*/, ...); -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_config_get_bool_default ( krb5_context /*context*/, const krb5_config_section */*c*/, krb5_boolean /*def_value*/, ...); -int +int KRB5_LIB_FUNCTION krb5_config_get_int ( krb5_context /*context*/, const krb5_config_section */*c*/, ...); -int +int KRB5_LIB_FUNCTION krb5_config_get_int_default ( krb5_context /*context*/, const krb5_config_section */*c*/, @@ -642,13 +808,13 @@ krb5_config_get_next ( int /*type*/, ...); -const char * +const char* KRB5_LIB_FUNCTION krb5_config_get_string ( krb5_context /*context*/, const krb5_config_section */*c*/, ...); -const char * +const char* KRB5_LIB_FUNCTION krb5_config_get_string_default ( krb5_context /*context*/, const krb5_config_section */*c*/, @@ -661,31 +827,37 @@ krb5_config_get_strings ( const krb5_config_section */*c*/, ...); -int +int KRB5_LIB_FUNCTION krb5_config_get_time ( krb5_context /*context*/, const krb5_config_section */*c*/, ...); -int +int KRB5_LIB_FUNCTION krb5_config_get_time_default ( krb5_context /*context*/, const krb5_config_section */*c*/, int /*def_value*/, ...); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_config_parse_file ( krb5_context /*context*/, const char */*fname*/, krb5_config_section **/*res*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_config_parse_file_multi ( krb5_context /*context*/, const char */*fname*/, krb5_config_section **/*res*/); +krb5_error_code KRB5_LIB_FUNCTION +krb5_config_parse_string_multi ( + krb5_context /*context*/, + const char */*string*/, + krb5_config_section **/*res*/); + const void * krb5_config_vget ( krb5_context /*context*/, 
@@ -693,26 +865,26 @@ krb5_config_vget ( int /*type*/, va_list /*args*/); -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_config_vget_bool ( krb5_context /*context*/, const krb5_config_section */*c*/, va_list /*args*/); -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_config_vget_bool_default ( krb5_context /*context*/, const krb5_config_section */*c*/, krb5_boolean /*def_value*/, va_list /*args*/); -int +int KRB5_LIB_FUNCTION krb5_config_vget_int ( krb5_context /*context*/, const krb5_config_section */*c*/, va_list /*args*/); -int +int KRB5_LIB_FUNCTION krb5_config_vget_int_default ( krb5_context /*context*/, const krb5_config_section */*c*/, 
@@ -733,99 +905,105 @@ krb5_config_vget_next ( int /*type*/, va_list /*args*/); -const char * +const char* KRB5_LIB_FUNCTION krb5_config_vget_string ( krb5_context /*context*/, const krb5_config_section */*c*/, va_list /*args*/); -const char * +const char* KRB5_LIB_FUNCTION krb5_config_vget_string_default ( krb5_context /*context*/, const krb5_config_section */*c*/, const char */*def_value*/, va_list /*args*/); -char ** +char ** KRB5_LIB_FUNCTION krb5_config_vget_strings ( krb5_context /*context*/, const krb5_config_section */*c*/, va_list /*args*/); -int +int KRB5_LIB_FUNCTION krb5_config_vget_time ( krb5_context /*context*/, const krb5_config_section */*c*/, va_list /*args*/); -int +int KRB5_LIB_FUNCTION krb5_config_vget_time_default ( krb5_context /*context*/, const krb5_config_section */*c*/, int /*def_value*/, va_list /*args*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_copy_address ( krb5_context /*context*/, const krb5_address */*inaddr*/, krb5_address */*outaddr*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_copy_addresses ( krb5_context /*context*/, const krb5_addresses */*inaddr*/, krb5_addresses */*outaddr*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_copy_checksum ( + krb5_context /*context*/, + const krb5_checksum */*old*/, + krb5_checksum **/*new*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_copy_creds ( krb5_context /*context*/, const krb5_creds */*incred*/, krb5_creds **/*outcred*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_copy_creds_contents ( krb5_context /*context*/, const krb5_creds */*incred*/, krb5_creds */*c*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_copy_data ( krb5_context /*context*/, const krb5_data */*indata*/, krb5_data **/*outdata*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_copy_host_realm ( krb5_context /*context*/, const krb5_realm */*from*/, krb5_realm **/*to*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_copy_keyblock ( 
krb5_context /*context*/, const krb5_keyblock */*inblock*/, krb5_keyblock **/*to*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_copy_keyblock_contents ( krb5_context /*context*/, const krb5_keyblock */*inblock*/, krb5_keyblock */*to*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_copy_principal ( krb5_context /*context*/, krb5_const_principal /*inprinc*/, krb5_principal */*outprinc*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_copy_ticket ( krb5_context /*context*/, const krb5_ticket */*from*/, krb5_ticket **/*to*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_create_checksum ( krb5_context /*context*/, krb5_crypto /*crypto*/, 
@@ -835,47 +1013,85 @@ krb5_create_checksum ( size_t /*len*/, Checksum */*result*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_crypto_destroy ( krb5_context /*context*/, krb5_crypto /*crypto*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_crypto_get_checksum_type ( + krb5_context /*context*/, + krb5_crypto /*crypto*/, + krb5_cksumtype */*type*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_crypto_get_params ( + krb5_context /*context*/, + const krb5_crypto /*crypto*/, + const krb5_data */*params*/, + krb5_data */*ivec*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_crypto_getblocksize ( krb5_context /*context*/, krb5_crypto /*crypto*/, size_t */*blocksize*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_crypto_getconfoundersize ( + krb5_context /*context*/, + krb5_crypto /*crypto*/, + size_t */*confoundersize*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_crypto_getenctype ( + krb5_context /*context*/, + krb5_crypto /*crypto*/, + krb5_enctype */*enctype*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_crypto_getpadsize ( + krb5_context /*context*/, + krb5_crypto /*crypto*/, + size_t */*padsize*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_crypto_init ( krb5_context /*context*/, const krb5_keyblock */*key*/, krb5_enctype /*etype*/, krb5_crypto */*crypto*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_crypto_set_params ( + krb5_context /*context*/, + const krb5_crypto /*crypto*/, + const krb5_data */*ivec*/, + krb5_data */*params*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_data_alloc ( krb5_data */*p*/, int /*len*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_data_copy ( krb5_data */*p*/, const void */*data*/, size_t /*len*/); -void +void KRB5_LIB_FUNCTION krb5_data_free (krb5_data */*p*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_data_realloc ( krb5_data */*p*/, int /*len*/); -void +void KRB5_LIB_FUNCTION krb5_data_zero (krb5_data */*p*/); -krb5_error_code +krb5_error_code 
KRB5_LIB_FUNCTION krb5_decode_Authenticator ( krb5_context /*context*/, const void */*data*/, @@ -883,7 +1099,7 @@ krb5_decode_Authenticator ( Authenticator */*t*/, size_t */*len*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_decode_ETYPE_INFO ( krb5_context /*context*/, const void */*data*/, @@ -891,7 +1107,15 @@ krb5_decode_ETYPE_INFO ( ETYPE_INFO */*t*/, size_t */*len*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_decode_ETYPE_INFO2 ( + krb5_context /*context*/, + const void */*data*/, + size_t /*length*/, + ETYPE_INFO2 */*t*/, + size_t */*len*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_decode_EncAPRepPart ( krb5_context /*context*/, const void */*data*/, @@ -899,7 +1123,7 @@ krb5_decode_EncAPRepPart ( EncAPRepPart */*t*/, size_t */*len*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_decode_EncASRepPart ( krb5_context /*context*/, const void */*data*/, @@ -907,7 +1131,7 @@ krb5_decode_EncASRepPart ( EncASRepPart */*t*/, size_t */*len*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_decode_EncKrbCredPart ( krb5_context /*context*/, const void */*data*/, @@ -915,7 +1139,7 @@ krb5_decode_EncKrbCredPart ( EncKrbCredPart */*t*/, size_t */*len*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_decode_EncTGSRepPart ( krb5_context /*context*/, const void */*data*/, @@ -923,7 +1147,7 @@ krb5_decode_EncTGSRepPart ( EncTGSRepPart */*t*/, size_t */*len*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_decode_EncTicketPart ( krb5_context /*context*/, const void */*data*/, @@ -931,13 +1155,13 @@ krb5_decode_EncTicketPart ( EncTicketPart */*t*/, size_t */*len*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_decode_ap_req ( krb5_context /*context*/, const krb5_data */*inbuf*/, krb5_ap_req */*ap_req*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_decrypt ( krb5_context /*context*/, krb5_crypto /*crypto*/, 
@@ -946,7 +1170,7 @@ krb5_decrypt ( size_t /*len*/, krb5_data */*result*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_decrypt_EncryptedData ( krb5_context /*context*/, krb5_crypto /*crypto*/, @@ -954,7 +1178,7 @@ krb5_decrypt_EncryptedData ( const EncryptedData */*e*/, krb5_data */*result*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_decrypt_ivec ( krb5_context /*context*/, krb5_crypto /*crypto*/, @@ -964,7 +1188,7 @@ krb5_decrypt_ivec ( krb5_data */*result*/, void */*ivec*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_decrypt_ticket ( krb5_context /*context*/, Ticket */*ticket*/, @@ -972,7 +1196,7 @@ krb5_decrypt_ticket ( EncTicketPart */*out*/, krb5_flags /*flags*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_derive_key ( krb5_context /*context*/, const krb5_keyblock */*key*/, @@ -981,7 +1205,7 @@ krb5_derive_key ( size_t /*constant_len*/, krb5_keyblock **/*derived_key*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_domain_x500_decode ( krb5_context /*context*/, krb5_data /*tr*/, @@ -990,18 +1214,18 @@ krb5_domain_x500_decode ( const char */*client_realm*/, const char */*server_realm*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_domain_x500_encode ( char **/*realms*/, int /*num_realms*/, krb5_data */*encoding*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_eai_to_heim_errno ( int /*eai_errno*/, int /*system_error*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_encode_Authenticator ( krb5_context /*context*/, void */*data*/, @@ -1009,7 +1233,7 @@ krb5_encode_Authenticator ( Authenticator */*t*/, size_t */*len*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_encode_ETYPE_INFO ( krb5_context /*context*/, void */*data*/, 
@@ -1017,7 +1241,15 @@ krb5_encode_ETYPE_INFO ( ETYPE_INFO */*t*/, size_t */*len*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_encode_ETYPE_INFO2 ( + krb5_context /*context*/, + void */*data*/, + size_t /*length*/, + ETYPE_INFO2 */*t*/, + size_t */*len*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_encode_EncAPRepPart ( krb5_context /*context*/, void */*data*/, @@ -1025,7 +1257,7 @@ krb5_encode_EncAPRepPart ( EncAPRepPart */*t*/, size_t */*len*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_encode_EncASRepPart ( krb5_context /*context*/, void */*data*/, @@ -1033,7 +1265,7 @@ krb5_encode_EncASRepPart ( EncASRepPart */*t*/, size_t */*len*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_encode_EncKrbCredPart ( krb5_context /*context*/, void */*data*/, @@ -1041,7 +1273,7 @@ krb5_encode_EncKrbCredPart ( EncKrbCredPart */*t*/, size_t */*len*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_encode_EncTGSRepPart ( krb5_context /*context*/, void */*data*/, @@ -1049,7 +1281,7 @@ krb5_encode_EncTGSRepPart ( EncTGSRepPart */*t*/, size_t */*len*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_encode_EncTicketPart ( krb5_context /*context*/, void */*data*/, @@ -1057,7 +1289,7 @@ krb5_encode_EncTicketPart ( EncTicketPart */*t*/, size_t */*len*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_encrypt ( krb5_context /*context*/, krb5_crypto /*crypto*/, @@ -1066,7 +1298,7 @@ krb5_encrypt ( size_t /*len*/, krb5_data */*result*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_encrypt_EncryptedData ( krb5_context /*context*/, krb5_crypto /*crypto*/, @@ -1076,7 +1308,7 @@ krb5_encrypt_EncryptedData ( int /*kvno*/, EncryptedData */*result*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_encrypt_ivec ( krb5_context /*context*/, krb5_crypto /*crypto*/, 
@@ -1086,36 +1318,47 @@ krb5_encrypt_ivec ( krb5_data */*result*/, void */*ivec*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_enctype_disable ( + krb5_context /*context*/, + krb5_enctype /*enctype*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_enctype_keysize ( krb5_context /*context*/, krb5_enctype /*type*/, size_t */*keysize*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_enctype_to_keytype ( krb5_context /*context*/, krb5_enctype /*etype*/, krb5_keytype */*keytype*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_enctype_to_oid ( + krb5_context /*context*/, + krb5_enctype /*etype*/, + heim_oid */*oid*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_enctype_to_string ( krb5_context /*context*/, krb5_enctype /*etype*/, char **/*string*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_enctype_valid ( krb5_context /*context*/, krb5_enctype /*etype*/); -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_enctypes_compatible_keys ( krb5_context /*context*/, krb5_enctype /*etype1*/, krb5_enctype /*etype2*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_err ( krb5_context /*context*/, int /*eval*/, @@ -1124,13 +1367,13 @@ krb5_err ( ...) __attribute__ ((noreturn, format (printf, 4, 5))); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_error_from_rd_error ( krb5_context /*context*/, const krb5_error */*error*/, const krb5_creds */*creds*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_errx ( krb5_context /*context*/, int /*eval*/, @@ -1138,13 +1381,13 @@ krb5_errx ( ...) __attribute__ ((noreturn, format (printf, 3, 4))); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_expand_hostname ( krb5_context /*context*/, const char */*orig_hostname*/, char **/*new_hostname*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_expand_hostname_realms ( krb5_context /*context*/, const char */*orig_hostname*/, 
@@ -1158,7 +1401,7 @@ krb5_find_padata ( int /*type*/, int */*index*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_format_time ( krb5_context /*context*/, time_t /*t*/, 
@@ -1166,113 +1409,123 @@ krb5_format_time ( size_t /*len*/, krb5_boolean /*include_time*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_free_address ( krb5_context /*context*/, krb5_address */*address*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_free_addresses ( krb5_context /*context*/, krb5_addresses */*addresses*/); -void +void KRB5_LIB_FUNCTION krb5_free_ap_rep_enc_part ( krb5_context /*context*/, krb5_ap_rep_enc_part */*val*/); -void +void KRB5_LIB_FUNCTION krb5_free_authenticator ( krb5_context /*context*/, krb5_authenticator */*authenticator*/); -void +void KRB5_LIB_FUNCTION +krb5_free_checksum ( + krb5_context /*context*/, + krb5_checksum */*cksum*/); + +void KRB5_LIB_FUNCTION +krb5_free_checksum_contents ( + krb5_context /*context*/, + krb5_checksum */*cksum*/); + +void KRB5_LIB_FUNCTION krb5_free_config_files (char **/*filenames*/); -void +void KRB5_LIB_FUNCTION krb5_free_context (krb5_context /*context*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_free_cred_contents ( krb5_context /*context*/, krb5_creds */*c*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_free_creds ( krb5_context /*context*/, krb5_creds */*c*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_free_creds_contents ( krb5_context /*context*/, krb5_creds */*c*/); -void +void KRB5_LIB_FUNCTION krb5_free_data ( krb5_context /*context*/, krb5_data */*p*/); -void +void KRB5_LIB_FUNCTION krb5_free_data_contents ( krb5_context /*context*/, krb5_data */*data*/); -void +void KRB5_LIB_FUNCTION krb5_free_error ( krb5_context /*context*/, krb5_error */*error*/); -void +void KRB5_LIB_FUNCTION krb5_free_error_contents ( krb5_context /*context*/, krb5_error */*error*/); -void +void KRB5_LIB_FUNCTION krb5_free_error_string ( krb5_context /*context*/, char */*str*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_free_host_realm ( krb5_context /*context*/, krb5_realm */*realmlist*/); -krb5_error_code +krb5_error_code 
KRB5_LIB_FUNCTION krb5_free_kdc_rep ( krb5_context /*context*/, krb5_kdc_rep */*rep*/); -void +void KRB5_LIB_FUNCTION krb5_free_keyblock ( krb5_context /*context*/, krb5_keyblock */*keyblock*/); -void +void KRB5_LIB_FUNCTION krb5_free_keyblock_contents ( krb5_context /*context*/, krb5_keyblock */*keyblock*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_free_krbhst ( krb5_context /*context*/, char **/*hostlist*/); -void +void KRB5_LIB_FUNCTION krb5_free_principal ( krb5_context /*context*/, krb5_principal /*p*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_free_salt ( krb5_context /*context*/, krb5_salt /*salt*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_free_ticket ( krb5_context /*context*/, krb5_ticket */*ticket*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_fwd_tgt_creds ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, 
@@ -1283,40 +1536,47 @@ krb5_fwd_tgt_creds ( int /*forwardable*/, krb5_data */*out_data*/); -void +void KRB5_LIB_FUNCTION krb5_generate_random_block ( void */*buf*/, size_t /*len*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_generate_random_keyblock ( krb5_context /*context*/, krb5_enctype /*type*/, krb5_keyblock */*key*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_generate_seq_number ( krb5_context /*context*/, const krb5_keyblock */*key*/, u_int32_t */*seqno*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_generate_subkey ( krb5_context /*context*/, const krb5_keyblock */*key*/, krb5_keyblock **/*subkey*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_generate_subkey_extended ( + krb5_context /*context*/, + const krb5_keyblock */*key*/, + krb5_enctype /*etype*/, + krb5_keyblock **/*subkey*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_get_all_client_addrs ( krb5_context /*context*/, krb5_addresses */*res*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_all_server_addrs ( krb5_context /*context*/, krb5_addresses */*res*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_cred_from_kdc ( krb5_context /*context*/, krb5_ccache /*ccache*/, @@ -1324,7 +1584,7 @@ krb5_get_cred_from_kdc ( krb5_creds **/*out_creds*/, krb5_creds ***/*ret_tgts*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_cred_from_kdc_opt ( krb5_context /*context*/, krb5_ccache /*ccache*/, @@ -1333,7 +1593,7 @@ krb5_get_cred_from_kdc_opt ( krb5_creds ***/*ret_tgts*/, krb5_flags /*flags*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_credentials ( krb5_context /*context*/, krb5_flags /*options*/, @@ -1341,7 +1601,7 @@ krb5_get_credentials ( krb5_creds */*in_creds*/, krb5_creds **/*out_creds*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_credentials_with_flags ( krb5_context /*context*/, krb5_flags /*options*/, 
@@ -1350,48 +1610,48 @@ krb5_get_credentials_with_flags ( krb5_creds */*in_creds*/, krb5_creds **/*out_creds*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_default_config_files (char ***/*pfilenames*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_default_in_tkt_etypes ( krb5_context /*context*/, krb5_enctype **/*etypes*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_default_principal ( krb5_context /*context*/, krb5_principal */*princ*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_default_realm ( krb5_context /*context*/, krb5_realm */*realm*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_default_realms ( krb5_context /*context*/, krb5_realm **/*realms*/); -const char * +const char* KRB5_LIB_FUNCTION krb5_get_err_text ( krb5_context /*context*/, krb5_error_code /*code*/); -char* +char * KRB5_LIB_FUNCTION krb5_get_error_string (krb5_context /*context*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_extra_addresses ( krb5_context /*context*/, krb5_addresses */*addresses*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_fcache_version ( krb5_context /*context*/, int */*version*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_forwarded_creds ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, 
@@ -1401,25 +1661,18 @@ krb5_get_forwarded_creds ( krb5_creds */*in_creds*/, krb5_data */*out_data*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_host_realm ( krb5_context /*context*/, const char */*host*/, krb5_realm **/*realms*/); -krb5_error_code -krb5_get_host_realm_int ( - krb5_context /*context*/, - const char */*host*/, - krb5_boolean /*use_dns*/, - krb5_realm **/*realms*/); - -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_ignore_addresses ( krb5_context /*context*/, krb5_addresses */*addresses*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_in_cred ( krb5_context /*context*/, krb5_flags /*options*/, @@ -1434,7 +1687,7 @@ krb5_get_in_cred ( krb5_creds */*creds*/, krb5_kdc_rep */*ret_as_reply*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_in_tkt ( krb5_context /*context*/, krb5_flags /*options*/, @@ -1449,7 +1702,7 @@ krb5_get_in_tkt ( krb5_ccache /*ccache*/, krb5_kdc_rep */*ret_as_reply*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_in_tkt_with_keytab ( krb5_context /*context*/, krb5_flags /*options*/, @@ -1461,7 +1714,7 @@ krb5_get_in_tkt_with_keytab ( krb5_creds */*creds*/, krb5_kdc_rep */*ret_as_reply*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_in_tkt_with_password ( krb5_context /*context*/, krb5_flags /*options*/, @@ -1473,7 +1726,7 @@ krb5_get_in_tkt_with_password ( krb5_creds */*creds*/, krb5_kdc_rep */*ret_as_reply*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_in_tkt_with_skey ( krb5_context /*context*/, krb5_flags /*options*/, 
@@ -1485,7 +1738,28 @@ krb5_get_in_tkt_with_skey ( krb5_creds */*creds*/, krb5_kdc_rep */*ret_as_reply*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_get_init_creds ( + krb5_context /*context*/, + krb5_creds */*creds*/, + krb5_principal /*client*/, + krb5_prompter_fct /*prompter*/, + void */*data*/, + krb5_deltat /*start_time*/, + const char */*in_tkt_service*/, + krb5_get_init_creds_opt */*options*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_get_init_creds_keyblock ( + krb5_context /*context*/, + krb5_creds */*creds*/, + krb5_principal /*client*/, + krb5_keyblock */*keyblock*/, + krb5_deltat /*start_time*/, + const char */*in_tkt_service*/, + krb5_get_init_creds_opt */*options*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_get_init_creds_keytab ( krb5_context /*context*/, krb5_creds */*creds*/, 
@@ -1495,64 +1769,97 @@ krb5_get_init_creds_keytab ( const char */*in_tkt_service*/, krb5_get_init_creds_opt */*options*/); -void +krb5_error_code KRB5_LIB_FUNCTION +krb5_get_init_creds_opt_alloc ( + krb5_context /*context*/, + krb5_get_init_creds_opt **/*opt*/); + +void KRB5_LIB_FUNCTION +krb5_get_init_creds_opt_free (krb5_get_init_creds_opt */*opt*/); + +void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_init (krb5_get_init_creds_opt */*opt*/); -void +void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_set_address_list ( krb5_get_init_creds_opt */*opt*/, krb5_addresses */*addresses*/); -void +void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_set_anonymous ( krb5_get_init_creds_opt */*opt*/, int /*anonymous*/); -void +void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_set_default_flags ( krb5_context /*context*/, const char */*appname*/, krb5_const_realm /*realm*/, krb5_get_init_creds_opt */*opt*/); -void +void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_set_etype_list ( krb5_get_init_creds_opt */*opt*/, krb5_enctype */*etype_list*/, int /*etype_list_length*/); -void +void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_set_forwardable ( krb5_get_init_creds_opt */*opt*/, int /*forwardable*/); -void +krb5_error_code KRB5_LIB_FUNCTION +krb5_get_init_creds_opt_set_pa_password ( + krb5_context /*context*/, + krb5_get_init_creds_opt */*opt*/, + const char */*password*/, + krb5_s2k_proc /*key_proc*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_get_init_creds_opt_set_pac_request ( + krb5_context /*context*/, + krb5_get_init_creds_opt */*opt*/, + krb5_boolean /*req_pac*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_get_init_creds_opt_set_pkinit ( + krb5_context /*context*/, + krb5_get_init_creds_opt */*opt*/, + krb5_principal /*principal*/, + const char */*user_id*/, + const char */*x509_anchors*/, + int /*flags*/, + krb5_prompter_fct /*prompter*/, + void */*prompter_data*/, + char */*password*/); + +void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_set_preauth_list ( krb5_get_init_creds_opt 
*/*opt*/, krb5_preauthtype */*preauth_list*/, int /*preauth_list_length*/); -void +void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_set_proxiable ( krb5_get_init_creds_opt */*opt*/, int /*proxiable*/); -void +void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_set_renew_life ( krb5_get_init_creds_opt */*opt*/, krb5_deltat /*renew_life*/); -void +void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_set_salt ( krb5_get_init_creds_opt */*opt*/, krb5_data */*salt*/); -void +void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_set_tkt_life ( krb5_get_init_creds_opt */*opt*/, krb5_deltat /*tkt_life*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_init_creds_password ( krb5_context /*context*/, krb5_creds */*creds*/, @@ -1562,9 +1869,9 @@ krb5_get_init_creds_password ( void */*data*/, krb5_deltat /*start_time*/, const char */*in_tkt_service*/, - krb5_get_init_creds_opt */*options*/); + krb5_get_init_creds_opt */*in_options*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_kdc_cred ( krb5_context /*context*/, krb5_ccache /*id*/, 
@@ -1574,43 +1881,43 @@ krb5_get_kdc_cred ( krb5_creds */*in_creds*/, krb5_creds **out_creds ); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_krb524hst ( krb5_context /*context*/, const krb5_realm */*realm*/, char ***/*hostlist*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_krb_admin_hst ( krb5_context /*context*/, const krb5_realm */*realm*/, char ***/*hostlist*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_krb_changepw_hst ( krb5_context /*context*/, const krb5_realm */*realm*/, char ***/*hostlist*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_krbhst ( krb5_context /*context*/, const krb5_realm */*realm*/, char ***/*hostlist*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_pw_salt ( krb5_context /*context*/, krb5_const_principal /*principal*/, krb5_salt */*salt*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_server_rcache ( krb5_context /*context*/, const krb5_data */*piece*/, krb5_rcache */*id*/); -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_get_use_admin_kdc (krb5_context /*context*/); size_t @@ -1619,21 +1926,21 @@ krb5_get_wrapped_length ( krb5_crypto /*crypto*/, size_t /*data_len*/); -int +int KRB5_LIB_FUNCTION krb5_getportbyname ( krb5_context /*context*/, const char */*service*/, const char */*proto*/, int /*default_port*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_h_addr2addr ( krb5_context /*context*/, int /*af*/, const char */*haddr*/, krb5_address */*addr*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_h_addr2sockaddr ( krb5_context /*context*/, int /*af*/, 
@@ -1642,13 +1949,13 @@ krb5_h_addr2sockaddr ( krb5_socklen_t */*sa_size*/, int /*port*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_h_errno_to_heim_errno (int /*eai_errno*/); -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_have_error_string (krb5_context /*context*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_hmac ( krb5_context /*context*/, krb5_cksumtype /*cktype*/, @@ -1658,26 +1965,40 @@ krb5_hmac ( krb5_keyblock */*key*/, Checksum */*result*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_init_context (krb5_context */*context*/); -void +void KRB5_LIB_FUNCTION krb5_init_ets (krb5_context /*context*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_init_etype ( krb5_context /*context*/, unsigned */*len*/, krb5_enctype **/*val*/, const krb5_enctype */*etypes*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_initlog ( krb5_context /*context*/, const char */*program*/, krb5_log_facility **/*fac*/); -krb5_error_code +krb5_boolean KRB5_LIB_FUNCTION +krb5_is_thread_safe (void); + +krb5_enctype +krb5_keyblock_get_enctype (const krb5_keyblock */*block*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_keyblock_init ( + krb5_context /*context*/, + krb5_enctype /*type*/, + const void */*data*/, + size_t /*size*/, + krb5_keyblock */*key*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_keyblock_key_proc ( krb5_context /*context*/, krb5_keytype /*type*/, @@ -1685,7 +2006,10 @@ krb5_keyblock_key_proc ( krb5_const_pointer /*keyseed*/, krb5_keyblock **/*key*/); -krb5_error_code +void KRB5_LIB_FUNCTION +krb5_keyblock_zero (krb5_keyblock */*keyblock*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_keytab_key_proc ( krb5_context /*context*/, krb5_enctype /*enctype*/, 
@@ -1693,81 +2017,89 @@ krb5_keytab_key_proc ( krb5_const_pointer /*keyseed*/, krb5_keyblock **/*key*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_keytype_to_enctypes ( krb5_context /*context*/, krb5_keytype /*keytype*/, unsigned */*len*/, krb5_enctype **/*val*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_keytype_to_enctypes_default ( krb5_context /*context*/, krb5_keytype /*keytype*/, unsigned */*len*/, krb5_enctype **/*val*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_keytype_to_string ( krb5_context /*context*/, krb5_keytype /*keytype*/, char **/*string*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_krbhst_format_string ( krb5_context /*context*/, const krb5_krbhst_info */*host*/, char */*hostname*/, size_t /*hostlen*/); -void +void KRB5_LIB_FUNCTION krb5_krbhst_free ( krb5_context /*context*/, krb5_krbhst_handle /*handle*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_krbhst_get_addrinfo ( krb5_context /*context*/, krb5_krbhst_info */*host*/, struct addrinfo **/*ai*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_krbhst_init ( krb5_context /*context*/, const char */*realm*/, unsigned int /*type*/, krb5_krbhst_handle */*handle*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_krbhst_init_flags ( + krb5_context /*context*/, + const char */*realm*/, + unsigned int /*type*/, + int /*flags*/, + krb5_krbhst_handle */*handle*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_krbhst_next ( krb5_context /*context*/, krb5_krbhst_handle /*handle*/, krb5_krbhst_info **/*host*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_krbhst_next_as_string ( krb5_context /*context*/, krb5_krbhst_handle /*handle*/, char */*hostname*/, size_t /*hostlen*/); -void +void KRB5_LIB_FUNCTION krb5_krbhst_reset ( krb5_context /*context*/, krb5_krbhst_handle /*handle*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_add_entry ( krb5_context /*context*/, krb5_keytab /*id*/, 
krb5_keytab_entry */*entry*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_close ( krb5_context /*context*/, krb5_keytab /*id*/); -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_kt_compare ( krb5_context /*context*/, krb5_keytab_entry */*entry*/, @@ -1775,41 +2107,41 @@ krb5_kt_compare ( krb5_kvno /*vno*/, krb5_enctype /*enctype*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_copy_entry_contents ( krb5_context /*context*/, const krb5_keytab_entry */*in*/, krb5_keytab_entry */*out*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_default ( krb5_context /*context*/, krb5_keytab */*id*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_default_modify_name ( krb5_context /*context*/, char */*name*/, size_t /*namesize*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_default_name ( krb5_context /*context*/, char */*name*/, size_t /*namesize*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_end_seq_get ( krb5_context /*context*/, krb5_keytab /*id*/, krb5_kt_cursor */*cursor*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_free_entry ( krb5_context /*context*/, krb5_keytab_entry */*entry*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_get_entry ( krb5_context /*context*/, krb5_keytab /*id*/, 
@@ -1818,28 +2150,28 @@ krb5_kt_get_entry ( krb5_enctype /*enctype*/, krb5_keytab_entry */*entry*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_get_name ( krb5_context /*context*/, krb5_keytab /*keytab*/, char */*name*/, size_t /*namesize*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_get_type ( krb5_context /*context*/, krb5_keytab /*keytab*/, char */*prefix*/, size_t /*prefixsize*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_next_entry ( krb5_context /*context*/, krb5_keytab /*id*/, krb5_keytab_entry */*entry*/, krb5_kt_cursor */*cursor*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_read_service_key ( krb5_context /*context*/, krb5_pointer /*keyprocarg*/, @@ -1848,36 +2180,36 @@ krb5_kt_read_service_key ( krb5_enctype /*enctype*/, krb5_keyblock **/*key*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_register ( krb5_context /*context*/, const krb5_kt_ops */*ops*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_remove_entry ( krb5_context /*context*/, krb5_keytab /*id*/, krb5_keytab_entry */*entry*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_resolve ( krb5_context /*context*/, const char */*name*/, krb5_keytab */*id*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_start_seq_get ( krb5_context /*context*/, krb5_keytab /*id*/, krb5_kt_cursor */*cursor*/); -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_kuserok ( krb5_context /*context*/, krb5_principal /*principal*/, const char */*luser*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_log ( krb5_context /*context*/, krb5_log_facility */*fac*/, @@ -1886,7 +2218,7 @@ krb5_log ( ...) __attribute__((format (printf, 4, 5))); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_log_msg ( krb5_context /*context*/, krb5_log_facility */*fac*/, 
@@ -1896,24 +2228,24 @@ krb5_log_msg ( ...) __attribute__((format (printf, 5, 6))); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_make_addrport ( krb5_context /*context*/, krb5_address **/*res*/, const krb5_address */*addr*/, int16_t /*port*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_make_principal ( krb5_context /*context*/, krb5_principal */*principal*/, krb5_const_realm /*realm*/, ...); -size_t +size_t KRB5_LIB_FUNCTION krb5_max_sockaddr_size (void); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_mk_error ( krb5_context /*context*/, krb5_error_code /*error_code*/, @@ -1925,21 +2257,21 @@ krb5_mk_error ( int */*client_usec*/, krb5_data */*reply*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_mk_priv ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, const krb5_data */*userdata*/, krb5_data */*outbuf*/, - void */*outdata*/); + krb5_replay_data */*outdata*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_mk_rep ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, krb5_data */*outbuf*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_mk_req ( krb5_context /*context*/, krb5_auth_context */*auth_context*/, @@ -1950,7 +2282,7 @@ krb5_mk_req ( krb5_ccache /*ccache*/, krb5_data */*outbuf*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_mk_req_exact ( krb5_context /*context*/, krb5_auth_context */*auth_context*/, @@ -1960,7 +2292,7 @@ krb5_mk_req_exact ( krb5_ccache /*ccache*/, krb5_data */*outbuf*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_mk_req_extended ( krb5_context /*context*/, krb5_auth_context */*auth_context*/, 
@@ -1969,63 +2301,68 @@ krb5_mk_req_extended ( krb5_creds */*in_creds*/, krb5_data */*outbuf*/); -krb5_error_code -krb5_mk_req_internal ( - krb5_context /*context*/, - krb5_auth_context */*auth_context*/, - const krb5_flags /*ap_req_options*/, - krb5_data */*in_data*/, - krb5_creds */*in_creds*/, - krb5_data */*outbuf*/, - krb5_key_usage /*checksum_usage*/, - krb5_key_usage /*encrypt_usage*/); - -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_mk_safe ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, const krb5_data */*userdata*/, krb5_data */*outbuf*/, - void */*outdata*/); + krb5_replay_data */*outdata*/); -krb5_ssize_t +krb5_ssize_t KRB5_LIB_FUNCTION krb5_net_read ( krb5_context /*context*/, void */*p_fd*/, void */*buf*/, size_t /*len*/); -krb5_ssize_t +krb5_ssize_t KRB5_LIB_FUNCTION krb5_net_write ( krb5_context /*context*/, void */*p_fd*/, const void */*buf*/, size_t /*len*/); -krb5_error_code +krb5_ssize_t KRB5_LIB_FUNCTION +krb5_net_write_block ( + krb5_context /*context*/, + void */*p_fd*/, + const void */*buf*/, + size_t /*len*/, + time_t /*timeout*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_openlog ( krb5_context /*context*/, const char */*program*/, krb5_log_facility **/*fac*/); -krb5_error_code +int KRB5_LIB_FUNCTION +krb5_padata_add ( + krb5_context /*context*/, + METHOD_DATA */*md*/, + int /*type*/, + void */*buf*/, + size_t /*len*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_parse_address ( krb5_context /*context*/, const char */*string*/, krb5_addresses */*addresses*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_parse_name ( krb5_context /*context*/, const char */*name*/, krb5_principal */*principal*/); -const char* +const char* KRB5_LIB_FUNCTION krb5_passwd_result_to_string ( krb5_context /*context*/, int /*result*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_password_key_proc ( krb5_context /*context*/, krb5_enctype /*type*/, 
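Review bot: `krb5_padata_add` is the one new prototype in this hunk declared as returning `int`; every neighbouring declaration reports failure as `krb5_error_code`, so a caller cannot route its result through the library's usual error-string path without a cast. Unless its implementation really returns a plain status, `krb5_error_code KRB5_LIB_FUNCTION` on the line before `krb5_padata_add (` would match the rest of the header. This header looks generated from the sources, in which case the fix belongs in the definition it is generated from rather than here.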
@@ -2033,64 +2370,76 @@ krb5_password_key_proc ( krb5_const_pointer /*keyseed*/, krb5_keyblock **/*key*/); +krb5_error_code KRB5_LIB_FUNCTION +krb5_prepend_config_files ( + const char */*filelist*/, + char **/*pq*/, + char ***/*ret_pp*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_prepend_config_files_default ( + const char */*filelist*/, + char ***/*pfilenames*/); + krb5_realm* krb5_princ_realm ( krb5_context /*context*/, krb5_principal /*principal*/); -void +void KRB5_LIB_FUNCTION krb5_princ_set_realm ( krb5_context /*context*/, krb5_principal /*principal*/, krb5_realm */*realm*/); -krb5_error_code -krb5_principal2principalname ( - PrincipalName */*p*/, - const krb5_principal /*from*/); - -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_principal_compare ( krb5_context /*context*/, krb5_const_principal /*princ1*/, krb5_const_principal /*princ2*/); -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_principal_compare_any_realm ( krb5_context /*context*/, krb5_const_principal /*princ1*/, krb5_const_principal /*princ2*/); -const char * +const char* KRB5_LIB_FUNCTION krb5_principal_get_comp_string ( krb5_context /*context*/, krb5_principal /*principal*/, unsigned int /*component*/); -const char * +const char* KRB5_LIB_FUNCTION krb5_principal_get_realm ( krb5_context /*context*/, krb5_principal /*principal*/); -int +int KRB5_LIB_FUNCTION krb5_principal_get_type ( krb5_context /*context*/, krb5_principal /*principal*/); -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_principal_match ( krb5_context /*context*/, krb5_const_principal /*princ*/, krb5_const_principal /*pattern*/); -krb5_error_code +void KRB5_LIB_FUNCTION +krb5_principal_set_type ( + krb5_context /*context*/, + krb5_principal /*principal*/, + int /*type*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_print_address ( const krb5_address */*addr*/, char */*str*/, size_t /*len*/, size_t */*ret_len*/); -int +int KRB5_LIB_FUNCTION krb5_program_setup ( krb5_context */*context*/, int /*argc*/, 
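Review bot: `krb5_princ_realm` is left as the only prototype in this hunk without the `KRB5_LIB_FUNCTION` annotation: the context line `krb5_realm* krb5_princ_realm (` is untouched while `krb5_princ_set_realm` directly below gains it. If that macro controls symbol export on any platform, this function silently drops out of the exported set; the intended line is presumably `krb5_realm* KRB5_LIB_FUNCTION`. The new `krb5_prepend_config_files` and `krb5_prepend_config_files_default` also take no `krb5_context`, unlike `krb5_set_config_files` later in the file, so they cannot report failures through the context's error string — a short comment would help if that is deliberate.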
@@ -2099,7 +2448,7 @@ krb5_program_setup (
 int /*num_args*/,
 void (*/*usage*/)(int, struct getargs*, int));
 
-int
+int KRB5_LIB_FUNCTION
 krb5_prompter_posix (
 krb5_context /*context*/,
 void */*data*/,
@@ -2108,120 +2457,128 @@ krb5_prompter_posix ( int /*num_prompts*/, krb5_prompt prompts[]); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_random_to_key ( + krb5_context /*context*/, + krb5_enctype /*type*/, + const void */*data*/, + size_t /*size*/, + krb5_keyblock */*key*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_rc_close ( krb5_context /*context*/, krb5_rcache /*id*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rc_default ( krb5_context /*context*/, krb5_rcache */*id*/); -const char * +const char* KRB5_LIB_FUNCTION krb5_rc_default_name (krb5_context /*context*/); -const char * +const char* KRB5_LIB_FUNCTION krb5_rc_default_type (krb5_context /*context*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rc_destroy ( krb5_context /*context*/, krb5_rcache /*id*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rc_expunge ( krb5_context /*context*/, krb5_rcache /*id*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rc_get_lifespan ( krb5_context /*context*/, krb5_rcache /*id*/, krb5_deltat */*auth_lifespan*/); -const char* +const char* KRB5_LIB_FUNCTION krb5_rc_get_name ( krb5_context /*context*/, krb5_rcache /*id*/); -const char* +const char* KRB5_LIB_FUNCTION krb5_rc_get_type ( krb5_context /*context*/, krb5_rcache /*id*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rc_initialize ( krb5_context /*context*/, krb5_rcache /*id*/, krb5_deltat /*auth_lifespan*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rc_recover ( krb5_context /*context*/, krb5_rcache /*id*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rc_resolve ( krb5_context /*context*/, krb5_rcache /*id*/, const char */*name*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rc_resolve_full ( krb5_context /*context*/, krb5_rcache */*id*/, const char */*string_name*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rc_resolve_type ( krb5_context /*context*/, krb5_rcache */*id*/, const char 
*/*type*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rc_store ( krb5_context /*context*/, krb5_rcache /*id*/, krb5_donot_replay */*rep*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rd_cred ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, krb5_data */*in_data*/, krb5_creds ***/*ret_creds*/, - krb5_replay_data */*out_data*/); + krb5_replay_data */*outdata*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rd_cred2 ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, krb5_ccache /*ccache*/, krb5_data */*in_data*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rd_error ( krb5_context /*context*/, krb5_data */*msg*/, KRB_ERROR */*result*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rd_priv ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, const krb5_data */*inbuf*/, krb5_data */*outbuf*/, - void */*outdata*/); + krb5_replay_data */*outdata*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rd_rep ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, const krb5_data */*inbuf*/, krb5_ap_rep_enc_part **/*repl*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rd_req ( krb5_context /*context*/, krb5_auth_context */*auth_context*/, @@ -2231,7 +2588,7 @@ krb5_rd_req ( krb5_flags */*ap_req_options*/, krb5_ticket **/*ticket*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rd_req_with_keyblock ( krb5_context /*context*/, krb5_auth_context */*auth_context*/, 
@@ -2241,41 +2598,41 @@ krb5_rd_req_with_keyblock ( krb5_flags */*ap_req_options*/, krb5_ticket **/*ticket*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rd_safe ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, const krb5_data */*inbuf*/, krb5_data */*outbuf*/, - void */*outdata*/); + krb5_replay_data */*outdata*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_read_message ( krb5_context /*context*/, krb5_pointer /*p_fd*/, krb5_data */*data*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_read_priv_message ( krb5_context /*context*/, krb5_auth_context /*ac*/, krb5_pointer /*p_fd*/, krb5_data */*data*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_read_safe_message ( krb5_context /*context*/, krb5_auth_context /*ac*/, krb5_pointer /*p_fd*/, krb5_data */*data*/); -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_realm_compare ( krb5_context /*context*/, krb5_const_principal /*princ1*/, krb5_const_principal /*princ2*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_recvauth ( krb5_context /*context*/, krb5_auth_context */*auth_context*/, @@ -2286,7 +2643,7 @@ krb5_recvauth ( krb5_keytab /*keytab*/, krb5_ticket **/*ticket*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_recvauth_match_version ( krb5_context /*context*/, krb5_auth_context */*auth_context*/, 
@@ -2298,79 +2655,84 @@ krb5_recvauth_match_version ( krb5_keytab /*keytab*/, krb5_ticket **/*ticket*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_ret_address ( krb5_storage */*sp*/, krb5_address */*adr*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_ret_addrs ( krb5_storage */*sp*/, krb5_addresses */*adr*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_ret_authdata ( krb5_storage */*sp*/, krb5_authdata */*auth*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_ret_creds ( krb5_storage */*sp*/, krb5_creds */*creds*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_ret_creds_tag ( + krb5_storage */*sp*/, + krb5_creds */*creds*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_ret_data ( krb5_storage */*sp*/, krb5_data */*data*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_ret_int16 ( krb5_storage */*sp*/, int16_t */*value*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_ret_int32 ( krb5_storage */*sp*/, int32_t */*value*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_ret_int8 ( krb5_storage */*sp*/, int8_t */*value*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_ret_keyblock ( krb5_storage */*sp*/, krb5_keyblock */*p*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_ret_principal ( krb5_storage */*sp*/, krb5_principal */*princ*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_ret_string ( krb5_storage */*sp*/, char **/*string*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_ret_stringz ( krb5_storage */*sp*/, char **/*string*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_ret_times ( krb5_storage */*sp*/, krb5_times */*times*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_salttype_to_string ( krb5_context /*context*/, krb5_enctype /*etype*/, krb5_salttype /*stype*/, char **/*string*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_sendauth ( krb5_context /*context*/, krb5_auth_context 
*/*auth_context*/, @@ -2386,66 +2748,66 @@ krb5_sendauth ( krb5_ap_rep_enc_part **/*rep_result*/, krb5_creds **/*out_creds*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_sendto ( krb5_context /*context*/, const krb5_data */*send_data*/, krb5_krbhst_handle /*handle*/, krb5_data */*receive*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_sendto_kdc ( krb5_context /*context*/, const krb5_data */*send_data*/, const krb5_realm */*realm*/, krb5_data */*receive*/); -krb5_error_code -krb5_sendto_kdc2 ( +krb5_error_code KRB5_LIB_FUNCTION +krb5_sendto_kdc_flags ( krb5_context /*context*/, const krb5_data */*send_data*/, const krb5_realm */*realm*/, krb5_data */*receive*/, - krb5_boolean /*master*/); + int /*flags*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_set_config_files ( krb5_context /*context*/, char **/*filenames*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_set_default_in_tkt_etypes ( krb5_context /*context*/, const krb5_enctype */*etypes*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_set_default_realm ( krb5_context /*context*/, const char */*realm*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_set_error_string ( krb5_context /*context*/, const char */*fmt*/, ...) __attribute__((format (printf, 2, 3))); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_set_extra_addresses ( krb5_context /*context*/, const krb5_addresses */*addresses*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_set_fcache_version ( krb5_context /*context*/, int /*version*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_set_ignore_addresses ( krb5_context /*context*/, const krb5_addresses */*addresses*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_set_password ( krb5_context /*context*/, krb5_creds */*creds*/, 
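Review bot: Renaming `krb5_sendto_kdc2` to `krb5_sendto_kdc_flags` and replacing `krb5_boolean /*master*/` with `int /*flags*/` removes the old declaration outright, so any program built against the previous header stops compiling here with no deprecation path. If the old entry point is gone from the library too, that belongs in the release notes; if it still exists, keeping its prototype next to the new one costs nothing. The bare `int /*flags*/` also gives no hint which bit values are accepted — a one-line comment naming the flag constants, or a typed `krb5_flags` parameter as used elsewhere in this header, would document the contract where callers read it.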
@@ -2455,7 +2817,7 @@ krb5_set_password ( krb5_data */*result_code_string*/, krb5_data */*result_string*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_set_password_using_ccache ( krb5_context /*context*/, krb5_ccache /*ccache*/, @@ -2465,17 +2827,23 @@ krb5_set_password_using_ccache ( krb5_data */*result_code_string*/, krb5_data */*result_string*/); -void +krb5_error_code KRB5_LIB_FUNCTION +krb5_set_real_time ( + krb5_context /*context*/, + krb5_timestamp /*sec*/, + int32_t /*usec*/); + +void KRB5_LIB_FUNCTION krb5_set_use_admin_kdc ( krb5_context /*context*/, krb5_boolean /*flag*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_set_warn_dest ( krb5_context /*context*/, krb5_log_facility */*fac*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_sname_to_principal ( krb5_context /*context*/, const char */*hostname*/, @@ -2483,7 +2851,7 @@ krb5_sname_to_principal ( int32_t /*type*/, krb5_principal */*ret_princ*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_sock_to_principal ( krb5_context /*context*/, int /*sock*/, 
@@ -2491,174 +2859,179 @@ krb5_sock_to_principal ( int32_t /*type*/, krb5_principal */*ret_princ*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_sockaddr2address ( krb5_context /*context*/, const struct sockaddr */*sa*/, krb5_address */*addr*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_sockaddr2port ( krb5_context /*context*/, const struct sockaddr */*sa*/, int16_t */*port*/); -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_sockaddr_uninteresting (const struct sockaddr */*sa*/); -void +void KRB5_LIB_FUNCTION krb5_std_usage ( int /*code*/, struct getargs */*args*/, int /*num_args*/); -void +void KRB5_LIB_FUNCTION krb5_storage_clear_flags ( krb5_storage */*sp*/, krb5_flags /*flags*/); -krb5_storage * +krb5_storage * KRB5_LIB_FUNCTION krb5_storage_emem (void); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_storage_free (krb5_storage */*sp*/); -krb5_storage * +krb5_storage * KRB5_LIB_FUNCTION krb5_storage_from_data (krb5_data */*data*/); -krb5_storage * +krb5_storage * KRB5_LIB_FUNCTION krb5_storage_from_fd (int /*fd*/); -krb5_storage * +krb5_storage * KRB5_LIB_FUNCTION krb5_storage_from_mem ( void */*buf*/, size_t /*len*/); -krb5_flags +krb5_flags KRB5_LIB_FUNCTION krb5_storage_get_byteorder ( krb5_storage */*sp*/, krb5_flags /*byteorder*/); -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_storage_is_flags ( krb5_storage */*sp*/, krb5_flags /*flags*/); -krb5_ssize_t +krb5_ssize_t KRB5_LIB_FUNCTION krb5_storage_read ( krb5_storage */*sp*/, void */*buf*/, size_t /*len*/); -off_t +off_t KRB5_LIB_FUNCTION krb5_storage_seek ( krb5_storage */*sp*/, off_t /*offset*/, int /*whence*/); -void +void KRB5_LIB_FUNCTION krb5_storage_set_byteorder ( krb5_storage */*sp*/, krb5_flags /*byteorder*/); -void +void KRB5_LIB_FUNCTION krb5_storage_set_eof_code ( krb5_storage */*sp*/, int /*code*/); -void +void KRB5_LIB_FUNCTION krb5_storage_set_flags ( krb5_storage */*sp*/, krb5_flags /*flags*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION 
krb5_storage_to_data ( krb5_storage */*sp*/, krb5_data */*data*/); -krb5_ssize_t +krb5_ssize_t KRB5_LIB_FUNCTION krb5_storage_write ( krb5_storage */*sp*/, const void */*buf*/, size_t /*len*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_store_address ( krb5_storage */*sp*/, krb5_address /*p*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_store_addrs ( krb5_storage */*sp*/, krb5_addresses /*p*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_store_authdata ( krb5_storage */*sp*/, krb5_authdata /*auth*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_store_creds ( krb5_storage */*sp*/, krb5_creds */*creds*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_store_creds_tag ( + krb5_storage */*sp*/, + krb5_creds */*creds*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_store_data ( krb5_storage */*sp*/, krb5_data /*data*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_store_int16 ( krb5_storage */*sp*/, int16_t /*value*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_store_int32 ( krb5_storage */*sp*/, int32_t /*value*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_store_int8 ( krb5_storage */*sp*/, int8_t /*value*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_store_keyblock ( krb5_storage */*sp*/, krb5_keyblock /*p*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_store_principal ( krb5_storage */*sp*/, krb5_principal /*p*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_store_string ( krb5_storage */*sp*/, const char */*s*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_store_stringz ( krb5_storage */*sp*/, const char */*s*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_store_times ( krb5_storage */*sp*/, krb5_times /*times*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_string_to_deltat ( const char */*string*/, krb5_deltat */*deltat*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION 
krb5_string_to_enctype ( krb5_context /*context*/, const char */*string*/, krb5_enctype */*etype*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_string_to_key ( krb5_context /*context*/, krb5_enctype /*enctype*/, @@ -2666,7 +3039,7 @@ krb5_string_to_key ( krb5_principal /*principal*/, krb5_keyblock */*key*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_string_to_key_data ( krb5_context /*context*/, krb5_enctype /*enctype*/, @@ -2674,7 +3047,7 @@ krb5_string_to_key_data ( krb5_principal /*principal*/, krb5_keyblock */*key*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_string_to_key_data_salt ( krb5_context /*context*/, krb5_enctype /*enctype*/, @@ -2682,7 +3055,7 @@ krb5_string_to_key_data_salt ( krb5_salt /*salt*/, krb5_keyblock */*key*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_string_to_key_data_salt_opaque ( krb5_context /*context*/, krb5_enctype /*enctype*/, @@ -2691,7 +3064,7 @@ krb5_string_to_key_data_salt_opaque ( krb5_data /*opaque*/, krb5_keyblock */*key*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_string_to_key_derived ( krb5_context /*context*/, const void */*str*/, @@ -2699,7 +3072,7 @@ krb5_string_to_key_derived ( krb5_enctype /*etype*/, krb5_keyblock */*key*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_string_to_key_salt ( krb5_context /*context*/, krb5_enctype /*enctype*/, 
@@ -2707,57 +3080,85 @@ krb5_string_to_key_salt ( krb5_salt /*salt*/, krb5_keyblock */*key*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_string_to_key_salt_opaque ( + krb5_context /*context*/, + krb5_enctype /*enctype*/, + const char */*password*/, + krb5_salt /*salt*/, + krb5_data /*opaque*/, + krb5_keyblock */*key*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_string_to_keytype ( krb5_context /*context*/, const char */*string*/, krb5_keytype */*keytype*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_string_to_salttype ( krb5_context /*context*/, krb5_enctype /*etype*/, const char */*string*/, krb5_salttype */*salttype*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_ticket_get_authorization_data_type ( + krb5_context /*context*/, + krb5_ticket */*ticket*/, + int /*type*/, + krb5_data */*data*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_ticket_get_client ( + krb5_context /*context*/, + const krb5_ticket */*ticket*/, + krb5_principal */*client*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_ticket_get_server ( + krb5_context /*context*/, + const krb5_ticket */*ticket*/, + krb5_principal */*server*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_timeofday ( krb5_context /*context*/, krb5_timestamp */*timeret*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_unparse_name ( krb5_context /*context*/, krb5_const_principal /*principal*/, char **/*name*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_unparse_name_fixed ( krb5_context /*context*/, krb5_const_principal /*principal*/, char */*name*/, size_t /*len*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_unparse_name_fixed_short ( krb5_context /*context*/, krb5_const_principal /*principal*/, char */*name*/, size_t /*len*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_unparse_name_short ( krb5_context /*context*/, krb5_const_principal /*principal*/, char **/*name*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION 
krb5_us_timeofday ( krb5_context /*context*/, - int32_t */*sec*/, + krb5_timestamp */*sec*/, int32_t */*usec*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_vabort ( krb5_context /*context*/, krb5_error_code /*code*/, @@ -2765,14 +3166,14 @@ krb5_vabort ( va_list /*ap*/) __attribute__ ((noreturn, format (printf, 3, 0))); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_vabortx ( krb5_context /*context*/, const char */*fmt*/, va_list /*ap*/) __attribute__ ((noreturn, format (printf, 2, 0))); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_verify_ap_req ( krb5_context /*context*/, krb5_auth_context */*auth_context*/, @@ -2783,7 +3184,7 @@ krb5_verify_ap_req ( krb5_flags */*ap_req_options*/, krb5_ticket **/*ticket*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_verify_ap_req2 ( krb5_context /*context*/, krb5_auth_context */*auth_context*/, @@ -2795,14 +3196,14 @@ krb5_verify_ap_req2 ( krb5_ticket **/*ticket*/, krb5_key_usage /*usage*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_verify_authenticator_checksum ( krb5_context /*context*/, krb5_auth_context /*ac*/, void */*data*/, size_t /*len*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_verify_checksum ( krb5_context /*context*/, krb5_crypto /*crypto*/, @@ -2811,7 +3212,7 @@ krb5_verify_checksum ( size_t /*len*/, Checksum */*cksum*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_verify_init_creds ( krb5_context /*context*/, krb5_creds */*creds*/, 
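Review bot: `krb5_us_timeofday` changes its `sec` out-parameter from `int32_t *` to `krb5_timestamp *`; the typedef is not visible in this hunk, so if `krb5_timestamp` is not exactly a 32-bit integer on every supported platform, existing callers passing an `int32_t *` get a pointer-type mismatch and, where that warning is ignored, a store of the wrong width. If the two types are identical everywhere this is harmless, but either the header should state that or callers should be audited. The enclosing hunk starts on the previous line.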
@@ -2820,43 +3221,43 @@ krb5_verify_init_creds ( krb5_ccache */*ccache*/, krb5_verify_init_creds_opt */*options*/); -void +void KRB5_LIB_FUNCTION krb5_verify_init_creds_opt_init (krb5_verify_init_creds_opt */*options*/); -void +void KRB5_LIB_FUNCTION krb5_verify_init_creds_opt_set_ap_req_nofail ( krb5_verify_init_creds_opt */*options*/, int /*ap_req_nofail*/); -void +void KRB5_LIB_FUNCTION krb5_verify_opt_init (krb5_verify_opt */*opt*/); -void +void KRB5_LIB_FUNCTION krb5_verify_opt_set_ccache ( krb5_verify_opt */*opt*/, krb5_ccache /*ccache*/); -void +void KRB5_LIB_FUNCTION krb5_verify_opt_set_flags ( krb5_verify_opt */*opt*/, unsigned int /*flags*/); -void +void KRB5_LIB_FUNCTION krb5_verify_opt_set_keytab ( krb5_verify_opt */*opt*/, krb5_keytab /*keytab*/); -void +void KRB5_LIB_FUNCTION krb5_verify_opt_set_secure ( krb5_verify_opt */*opt*/, krb5_boolean /*secure*/); -void +void KRB5_LIB_FUNCTION krb5_verify_opt_set_service ( krb5_verify_opt */*opt*/, const char */*service*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_verify_user ( krb5_context /*context*/, krb5_principal /*principal*/, @@ -2865,7 +3266,7 @@ krb5_verify_user ( krb5_boolean /*secure*/, const char */*service*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_verify_user_lrealm ( krb5_context /*context*/, krb5_principal /*principal*/, @@ -2874,14 +3275,14 @@ krb5_verify_user_lrealm ( krb5_boolean /*secure*/, const char */*service*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_verify_user_opt ( krb5_context /*context*/, krb5_principal /*principal*/, const char */*password*/, krb5_verify_opt */*opt*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_verr ( krb5_context /*context*/, int /*eval*/, @@ -2890,7 +3291,7 @@ krb5_verr ( va_list /*ap*/) __attribute__ ((noreturn, format (printf, 4, 0))); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_verrx ( krb5_context /*context*/, int /*eval*/, 
@@ -2898,7 +3299,7 @@ krb5_verrx ( va_list /*ap*/) __attribute__ ((noreturn, format (printf, 3, 0))); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_vlog ( krb5_context /*context*/, krb5_log_facility */*fac*/, @@ -2907,7 +3308,7 @@ krb5_vlog ( va_list /*ap*/) __attribute__((format (printf, 4, 0))); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_vlog_msg ( krb5_context /*context*/, krb5_log_facility */*fac*/, @@ -2917,14 +3318,14 @@ krb5_vlog_msg ( va_list /*ap*/) __attribute__((format (printf, 5, 0))); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_vset_error_string ( krb5_context /*context*/, const char */*fmt*/, va_list /*args*/) __attribute__ ((format (printf, 2, 0))); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_vwarn ( krb5_context /*context*/, krb5_error_code /*code*/, @@ -2932,14 +3333,14 @@ krb5_vwarn ( va_list /*ap*/) __attribute__ ((format (printf, 3, 0))); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_vwarnx ( krb5_context /*context*/, const char */*fmt*/, va_list /*ap*/) __attribute__ ((format (printf, 2, 0))); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_warn ( krb5_context /*context*/, krb5_error_code /*code*/, 
@@ -2947,40 +3348,38 @@ krb5_warn (
 ...)
 __attribute__ ((format (printf, 3, 4)));
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_warnx (
 krb5_context /*context*/,
 const char */*fmt*/,
 ...)
 __attribute__ ((format (printf, 2, 3)));
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_write_message (
 krb5_context /*context*/,
 krb5_pointer /*p_fd*/,
 krb5_data */*data*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_write_priv_message (
 krb5_context /*context*/,
 krb5_auth_context /*ac*/,
 krb5_pointer /*p_fd*/,
 krb5_data */*data*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_write_safe_message (
 krb5_context /*context*/,
 krb5_auth_context /*ac*/,
 krb5_pointer /*p_fd*/,
 krb5_data */*data*/);
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_xfree (void */*ptr*/);
 
-krb5_error_code
-principalname2krb5_principal (
- krb5_principal */*principal*/,
- const PrincipalName /*from*/,
- const Realm /*realm*/);
+#ifdef __cplusplus
+}
+#endif
 
 #endif /* __krb5_protos_h__ */
diff --git a/kerberosV/src/lib/krb5/krb5.3 b/kerberosV/src/lib/krb5/krb5.3
index 7ac783646b5..c04c7cc4ac5 100644
--- a/kerberosV/src/lib/krb5/krb5.3
+++ b/kerberosV/src/lib/krb5/krb5.3
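Review bot: The closing `#ifdef __cplusplus` / `}` / `#endif` added just before the include guard's `#endif` pairs with an `extern "C" {` that is not in this hunk; if the opening half did not land near the top of the header in the same change, C++ translation units including it will fail on an unbalanced brace, so it is worth confirming the opener exists. Separately, `krb5_xfree` keeps a `krb5_error_code` return for a function whose only parameter is the pointer to free; that is pre-existing, but since its declaration is being rewritten here anyway, a comment stating what it returns (or a `void` return if nothing meaningful) would make the contract clear.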
@@ -1,35 +1,37 @@
-.\" Copyright (c) 2001, 2003 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
+.\" Copyright (c) 2001, 2003 - 2005 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
 .\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
 .\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
 .\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
 .\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\" may be used to endorse or promote products derived from this software
+.\" without specific prior written permission.
 .\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
 .\"
-.Dd March 20, 2003
+.\" $KTH: krb5.3,v 1.35 2005/05/25 13:18:33 lha Exp $
+.\"
+.Dd March 21, 2004
 .Dt KRB5 3
 .Os
 .Sh NAME
@@ -37,21 +39,30 @@ .Nd kerberos 5 library .Sh LIBRARY Kerberos 5 Library (libkrb5, -lkrb5) +.Sh SYNOPSIS +.In krb5.h .Sh DESCRIPTION These functions constitute the Kerberos 5 library, .Em libkrb5 . -Declarations for these functions may be obtained from the include file -.Pa krb5.h . .Sh LIST OF FUNCTIONS .sp 2 .nf -.ta \w'krb5_checksum_is_collision_proof.3'u+2n +\w'Description goes here'u +.ta \w'krb5_ticket_get_authorization_data_type.3'u+2n +\w'Description goes here'u \fIName/Page\fP \fIDescription\fP -.ta \w'krb5_checksum_is_collision_proof.3'u+2n +\w'Description goes here'u+6nC +.ta \w'krb5_ticket_get_authorization_data_type.3'u+2n +\w'Description goes here'u+6nC .sp 5p +krb524_convert_creds_kdc.3 +krb524_convert_creds_kdc_cache.3 krb5_425_conv_principal.3 krb5_425_conv_principal_ext.3 krb5_524_conv_principal.3 +krb5_abort.3 +krb5_abortx.3 +krb5_acl_match_file.3 +krb5_acl_match_string.3 +krb5_add_et_list.3 +krb5_add_extra_addresses.3 +krb5_add_ignore_addresses.3 krb5_addlog_dest.3 krb5_addlog_func.3 krb5_addr2sockaddr.3 
@@ -60,45 +71,64 @@ krb5_address_compare.3 krb5_address_order.3 krb5_address_search.3 krb5_addresses.3 +krb5_aname_to_localname.3 krb5_anyaddr.3 krb5_appdefault_boolean.3 krb5_appdefault_string.3 krb5_appdefault_time.3 krb5_append_addresses.3 +krb5_auth_con_addflags.3 krb5_auth_con_free.3 krb5_auth_con_genaddrs.3 +krb5_auth_con_generatelocalsubkey.3 krb5_auth_con_getaddrs.3 +krb5_auth_con_getauthenticator.3 +krb5_auth_con_getcksumtype.3 krb5_auth_con_getflags.3 krb5_auth_con_getkey.3 +krb5_auth_con_getkeytype.3 +krb5_auth_con_getlocalseqnumber.3 krb5_auth_con_getlocalsubkey.3 krb5_auth_con_getrcache.3 krb5_auth_con_getremotesubkey.3 krb5_auth_con_getuserkey.3 krb5_auth_con_init.3 krb5_auth_con_initivector.3 +krb5_auth_con_removeflags.3 krb5_auth_con_setaddrs.3 krb5_auth_con_setaddrs_from_fd.3 +krb5_auth_con_setcksumtype.3 krb5_auth_con_setflags.3 krb5_auth_con_setivector.3 krb5_auth_con_setkey.3 +krb5_auth_con_setkeytype.3 +krb5_auth_con_setlocalseqnumber.3 krb5_auth_con_setlocalsubkey.3 krb5_auth_con_setrcache.3 +krb5_auth_con_setremoteseqnumber.3 krb5_auth_con_setremotesubkey.3 krb5_auth_con_setuserkey.3 krb5_auth_context.3 -krb5_auth_getauthenticator.3 -krb5_auth_getcksumtype.3 -krb5_auth_getkeytype.3 -krb5_auth_getlocalseqnumber.3 krb5_auth_getremoteseqnumber.3 -krb5_auth_setcksumtype.3 -krb5_auth_setkeytype.3 -krb5_auth_setlocalseqnumber.3 -krb5_auth_setremoteseqnumber.3 krb5_build_principal.3 krb5_build_principal_ext.3 krb5_build_principal_va.3 krb5_build_principal_va_ext.3 +krb5_c_block_size.3 +krb5_c_checksum_length.3 +krb5_c_decrypt.3 +krb5_c_encrypt.3 +krb5_c_encrypt_length.3 +krb5_c_enctype_compare.3 +krb5_c_get_checksum.3 +krb5_c_is_coll_proof_cksum.3 +krb5_c_is_keyed_cksum.3 +krb5_c_make_checksum.3 +krb5_c_make_random_key.3 +krb5_c_set_checksum.3 +krb5_c_valid_cksumtype.3 +krb5_c_valid_enctype.3 +krb5_c_verify_checksum.3 krb5_cc_close.3 krb5_cc_copy_cache.3 krb5_cc_default.3 
@@ -107,10 +137,12 @@ krb5_cc_destroy.3 krb5_cc_end_seq_get.3 krb5_cc_gen_new.3 krb5_cc_get_name.3 +krb5_cc_get_ops.3 krb5_cc_get_principal.3 krb5_cc_get_type.3 krb5_cc_get_version.3 krb5_cc_initialize.3 +krb5_cc_new_unique.3 krb5_cc_next_cred.3 krb5_cc_register.3 krb5_cc_remove_cred.3 @@ -119,20 +151,62 @@ krb5_cc_retrieve_cred.3 krb5_cc_set_default_name.3 krb5_cc_set_flags.3 krb5_cc_store_cred.3 +krb5_change_password.3 +krb5_check_transited.3 +krb5_check_transited_realms.3 +krb5_checksum_disable.3 +krb5_checksum_free.3 krb5_checksum_is_collision_proof.3 krb5_checksum_is_keyed.3 krb5_checksumsize.3 +krb5_clear_error_string.3 krb5_closelog.3 +krb5_config_file_free.3 +krb5_config_free_strings.3 +krb5_config_get.3 +krb5_config_get_bool.3 krb5_config_get_bool_default.3 +krb5_config_get_int.3 krb5_config_get_int_default.3 +krb5_config_get_list.3 +krb5_config_get_next.3 +krb5_config_get_string.3 krb5_config_get_string_default.3 +krb5_config_get_strings.3 +krb5_config_get_time.3 krb5_config_get_time_default.3 +krb5_config_parse_file.3 +krb5_config_parse_file_multi.3 +krb5_config_vget.3 +krb5_config_vget_bool.3 +krb5_config_vget_bool_default.3 +krb5_config_vget_int.3 +krb5_config_vget_int_default.3 +krb5_config_vget_list.3 +krb5_config_vget_next.3 +krb5_config_vget_string.3 +krb5_config_vget_string_default.3 +krb5_config_vget_strings.3 +krb5_config_vget_time.3 +krb5_config_vget_time_default.3 krb5_context.3 krb5_copy_address.3 krb5_copy_addresses.3 +krb5_copy_checksum.3 krb5_copy_data.3 +krb5_copy_host_realm.3 +krb5_copy_keyblock.3 +krb5_copy_keyblock_contents.3 +krb5_copy_principal.3 +krb5_copy_ticket.3 krb5_create_checksum.3 +krb5_creds.3 krb5_crypto_destroy.3 +krb5_crypto_get_checksum_type.3 +krb5_crypto_getblocksize.3 +krb5_crypto_getconfoundersize.3 +krb5_crypto_getenctype.3 +krb5_crypto_getpadsize.3 krb5_crypto_init.3 krb5_data_alloc.3 krb5_data_copy.3 
@@ -141,36 +215,110 @@ krb5_data_realloc.3 krb5_data_zero.3 krb5_decrypt.3 krb5_decrypt_EncryptedData.3 +krb5_domain_x500_decode.3 +krb5_domain_x500_encode.3 +krb5_eai_to_heim_errno.3 krb5_encrypt.3 krb5_encrypt_EncryptedData.3 +krb5_enctype_disable.3 +krb5_enctype_to_string.3 +krb5_enctype_valid.3 krb5_err.3 krb5_errx.3 +krb5_expand_hostname.3 +krb5_expand_hostname_realms.3 +krb5_find_padata.3 +krb5_format_time.3 krb5_free_address.3 krb5_free_addresses.3 +krb5_free_authenticator.3 +krb5_free_checksum.3 +krb5_free_checksum_contents.3 +krb5_free_config_files.3 krb5_free_context.3 krb5_free_data.3 krb5_free_data_contents.3 +krb5_free_error_string.3 krb5_free_host_realm.3 +krb5_free_kdc_rep.3 +krb5_free_keyblock.3 +krb5_free_keyblock_contents.3 krb5_free_krbhst.3 krb5_free_principal.3 +krb5_free_ticket.3 +krb5_free_salt.3 +krb5_fwd_tgt_creds.3 +krb5_generate_random_block.3 +krb5_generate_random_keyblock.3 +krb5_generate_subkey.3 krb5_get_all_client_addrs.3 krb5_get_all_server_addrs.3 +krb5_get_cred_from_kdc.3 +krb5_get_cred_from_kdc_opt.3 +krb5_get_credentials.3 +krb5_get_credentials_with_flags.3 +krb5_get_default_config_files.3 +krb5_get_default_principal.3 krb5_get_default_realm.3 krb5_get_default_realms.3 +krb5_get_err_text.3 +krb5_get_error_string.3 +krb5_get_extra_addresses.3 +krb5_get_fcache_version.3 +krb5_get_forwarded_creds.3 krb5_get_host_realm.3 +krb5_get_ignore_addresses.3 +krb5_get_in_cred.3 +krb5_get_in_tkt.3 +krb5_get_in_tkt_with_keytab.3 +krb5_get_in_tkt_with_password.3 +krb5_get_in_tkt_with_skey.3 +krb5_get_init_creds.3 +krb5_get_init_creds_keytab.3 +krb5_get_init_creds_opt_alloc.3 +krb5_get_init_creds_opt_free.3 +krb5_get_init_creds_opt_free_pkinit.3 +krb5_get_init_creds_opt_init.3 +krb5_get_init_creds_opt_set_address_list.3 +krb5_get_init_creds_opt_set_anonymous.3 +krb5_get_init_creds_opt_set_default_flags.3 +krb5_get_init_creds_opt_set_etype_list.3 +krb5_get_init_creds_opt_set_forwardable.3 +krb5_get_init_creds_opt_set_pa_password.3 
+krb5_get_init_creds_opt_set_paq_request.3 +krb5_get_init_creds_opt_set_pkinit.3 +krb5_get_init_creds_opt_set_preauth_list.3 +krb5_get_init_creds_opt_set_proxiable.3 +krb5_get_init_creds_opt_set_renew_life.3 +krb5_get_init_creds_opt_set_salt.3 +krb5_get_init_creds_opt_set_tkt_life.3 +krb5_get_init_creds_password.3 +krb5_get_kdc_cred.3 krb5_get_krb524hst.3 krb5_get_krb_admin_hst.3 krb5_get_krb_changepw_hst.3 krb5_get_krbhst.3 +krb5_get_pw_salt.3 +krb5_get_server_rcache.3 +krb5_get_use_admin_kdc.3 +krb5_get_wrapped_length.3 +krb5_getportbyname.3 krb5_h_addr2addr.3 krb5_h_addr2sockaddr.3 +krb5_h_errno_to_heim_errno.3 +krb5_have_error_string.3 +krb5_hmac.3 krb5_init_context.3 +krb5_init_ets.3 krb5_initlog.3 +krb5_keyblock_get_enctype.3 +krb5_keyblock_zero.3 krb5_keytab_entry.3 krb5_krbhst_format_string.3 krb5_krbhst_free.3 krb5_krbhst_get_addrinfo.3 krb5_krbhst_init.3 +krb5_krbhst_init_flags.3 krb5_krbhst_next.3 krb5_krbhst_next_as_string.3 krb5_krbhst_reset.3 @@ -179,13 +327,14 @@ krb5_kt_close.3 krb5_kt_compare.3 krb5_kt_copy_entry_contents.3 krb5_kt_cursor.3 -krb5_kt_cursor.3 krb5_kt_default.3 +krb5_kt_default_modify_name.3 krb5_kt_default_name.3 krb5_kt_end_seq_get.3 krb5_kt_free_entry.3 krb5_kt_get_entry.3 krb5_kt_get_name.3 +krb5_kt_get_type.3 krb5_kt_next_entry.3 krb5_kt_ops.3 krb5_kt_read_service_key.3 
@@ -193,30 +342,133 @@ krb5_kt_register.3 krb5_kt_remove_entry.3 krb5_kt_resolve.3.3 krb5_kt_start_seq_get +krb5_kuserok.3 krb5_log.3 krb5_log_msg.3 krb5_make_addrport.3 krb5_make_principal.3 krb5_max_sockaddr_size.3 krb5_openlog.3 +krb5_padata_add.3 krb5_parse_address.3 krb5_parse_name.3 +krb5_passwd_result_to_string.3 +krb5_password_key_proc.3 +krb5_prepend_config_files.3 +krb5_prepend_config_files_default.3 +krb5_princ_realm.3 +krb5_princ_set_realm.3 krb5_principal.3 +krb5_principal_compare.3 +krb5_principal_compare_any_realm.3 krb5_principal_get_comp_string.3 krb5_principal_get_realm.3 +krb5_principal_get_type.3 +krb5_principal_match.3 +krb5_principal_set_type.3 krb5_print_address.3 +krb5_rc_close.3 +krb5_rc_default.3 +krb5_rc_default_name.3 +krb5_rc_default_type.3 +krb5_rc_destroy.3 +krb5_rc_expunge.3 +krb5_rc_get_lifespan.3 +krb5_rc_get_name.3 +krb5_rc_get_type.3 +krb5_rc_initialize.3 +krb5_rc_recover.3 +krb5_rc_resolve.3 +krb5_rc_resolve_full.3 +krb5_rc_resolve_type.3 +krb5_rc_store.3 +krb5_rcache.3 +krb5_realm_compare.3 +krb5_ret_address.3 +krb5_ret_addrs.3 +krb5_ret_authdata.3 +krb5_ret_creds.3 +krb5_ret_data.3 +krb5_ret_int16.3 +krb5_ret_int32.3 +krb5_ret_int8.3 +krb5_ret_keyblock.3 +krb5_ret_principal.3 +krb5_ret_string.3 +krb5_ret_stringz.3 +krb5_ret_times.3 +krb5_set_config_files.3 krb5_set_default_realm.3 +krb5_set_error_string.3 +krb5_set_extra_addresses.3 +krb5_set_fcache_version.3 +krb5_set_ignore_addresses.3 +krb5_set_password.3 +krb5_set_password_using_ccache.3 +krb5_set_real_time.3 +krb5_set_use_admin_kdc.3 krb5_set_warn_dest.3 krb5_sname_to_principal.3 krb5_sock_to_principal.3 krb5_sockaddr2address.3 krb5_sockaddr2port.3 krb5_sockaddr_uninteresting.3 +krb5_storage.3 +krb5_storage_clear_flags.3 +krb5_storage_emem.3 +krb5_storage_free.3 +krb5_storage_from_data.3 +krb5_storage_from_fd.3 +krb5_storage_from_mem.3 +krb5_storage_get_byteorder.3 +krb5_storage_is_flags.3 +krb5_storage_read.3 +krb5_storage_seek.3 +krb5_storage_set_byteorder.3 
+krb5_storage_set_eof_code.3 +krb5_storage_set_flags.3 +krb5_storage_to_data.3 +krb5_storage_write.3 +krb5_store_address.3 +krb5_store_addrs.3 +krb5_store_authdata.3 +krb5_store_creds.3 +krb5_store_data.3 +krb5_store_int16.3 +krb5_store_int32.3 +krb5_store_int8.3 +krb5_store_keyblock.3 +krb5_store_principal.3 +krb5_store_string.3 +krb5_store_stringz.3 +krb5_store_times.3 +krb5_string_to_deltat.3 +krb5_string_to_enctype.3 +krb5_string_to_key.3 +krb5_string_to_key_data.3 +krb5_string_to_key_data_salt.3 +krb5_string_to_key_data_salt_opaque.3 +krb5_string_to_key_derived.3 +krb5_string_to_key_salt.3 +krb5_string_to_key_salt_opaque.3 +krb5_ticket.3 +krb5_ticket_get_authorization_data_type.3 +krb5_ticket_get_client.3 +krb5_ticket_get_server.3 krb5_timeofday.3 krb5_unparse_name.3 +krb5_unparse_name_fixed.3 +krb5_unparse_name_fixed_short.3 +krb5_unparse_name_short.3 krb5_us_timeofday.3 +krb5_vabort.3 +krb5_vabortx.3 krb5_verify_checksum.3 +krb5_verify_init_creds.3 +krb5_verify_init_creds_opt_init.3 +krb5_verify_init_creds_opt_set_ap_req_nofail.3 krb5_verify_opt_init.3 +krb5_verify_opt_set_ccache.3 krb5_verify_opt_set_flags.3 krb5_verify_opt_set_keytab.3 krb5_verify_opt_set_secure.3 @@ -228,11 +480,11 @@ krb5_verr.3 krb5_verrx.3 krb5_vlog.3 krb5_vlog_msg.3 +krb5_vset_error_string.3 krb5_vwarn.3 krb5_vwarnx.3 krb5_warn.3 krb5_warnx.3 -krb5_kuserok.3 .ta .Fi .Sh SEE ALSO diff --git a/kerberosV/src/lib/krb5/krb5.conf.5 b/kerberosV/src/lib/krb5/krb5.conf.5 index 50192f0f418..c071edb3645 100644 --- a/kerberosV/src/lib/krb5/krb5.conf.5 +++ b/kerberosV/src/lib/krb5/krb5.conf.5 @@ -1,4 +1,4 @@ -.\" Copyright (c) 1999 - 2004 Kungliga Tekniska Högskolan +.\" Copyright (c) 1999 - 2005 Kungliga Tekniska Högskolan .\" (Royal Institute of Technology, Stockholm, Sweden). .\" All rights reserved. .\" 
@@ -29,9 +29,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $KTH: krb5.conf.5,v 1.35.2.2 2004/03/09 19:52:07 lha Exp $ +.\" $KTH: krb5.conf.5,v 1.60 2005/05/29 13:14:50 lha Exp $ .\" -.Dd March 9, 2004 +.Dd May 4, 2005 .Dt KRB5.CONF 5 .Os HEIMDAL .Sh NAME @@ -88,6 +88,7 @@ values can be either yes/true or no/false. .It time values can be a list of year, month, day, hour, min, second. Example: 1 month 2 days 30 min. +If no unit is given, seconds is assumed. .It etypes valid encryption types are: des-cbc-crc, des-cbc-md4, des-cbc-md5, des3-cbc-sha1, arcfour-hmac-md5, aes128-cts-hmac-sha1-96, and @@ -148,8 +149,8 @@ times. Default is 300 seconds (five minutes). .It Li kdc_timeout = Va time Maximum time to wait for a reply from the kdc, default is 3 seconds. -.It v4_name_convert -.It v4_instance_resolve +.It Li v4_name_convert +.It Li v4_instance_resolve These are described in the .Xr krb5_425_conv_principal 3 manual page. @@ -162,6 +163,12 @@ manual page. This is deprecated, see the .Li capaths section below. +.It Li default_cc_name = Va ccname +the default credentials cache name. +The string can contain variables that are expanded on runtime. +Only support variable now is +.Li %{uid} +that expands to the current user id. .It Li default_etypes = Va etypes ... A list of default encryption types to use. .It Li default_etypes_des = Va etypes ... @@ -178,6 +185,9 @@ Try to keep track of the time differential between the local machine and the KDC, and then compensate for that when issuing requests. .It Li max_retries = Va number The max number of times to try to contact each KDC. +.It Li large_msg_size = Va number +The threshold where protocols with tiny maximum message sizes are not +considered usable to send messages to the KDC. .It Li ticket_lifetime = Va time Default ticket lifetime. .It Li renew_lifetime = Va time 
@@ -203,8 +213,8 @@ Default is seven days. A HTTP-proxy to use when talking to the KDC via HTTP. .It Li dns_proxy = Va proxy-spec Enable using DNS via HTTP. -.It Li extra_addresses = Va address... -A list of addresses to get tickets for, along with all local addresses. +.It Li extra_addresses = Va address ... +A list of addresses to get tickets for along with all local addresses. .It Li time_format = Va string How to print time strings in logs, this string is passed to .Xr strftime 3 . @@ -241,6 +251,13 @@ Each binding in this section looks like: The domain can be either a full name of a host or a trailing component, in the latter case the domain-string should start with a period. +The trailing component only matches hosts that are in the same domain, ie +.Dq .example.com +matches +.Dq foo.example.com , +but not +.Dq foo.test.example.com . +.Pp The realm may be the token `dns_locate', in which case the actual realm will be determined using DNS (independently of the setting of the `dns_lookup_realm' option). 
@@ -330,71 +347,93 @@ manual page for a list of defined destinations. .El .It Li [kdc] .Bl -tag -width "xxx" -offset indent -.It database Li = { +.It Li database Li = { .Bl -tag -width "xxx" -offset indent -.It dbname Li = Va DATABASENAME +.It Li dbname Li = Va DATABASENAME Use this database for this realm. -.It realm Li = Va REALM +See the info documetation how to configure diffrent database backends. +.It Li realm Li = Va REALM Specifies the realm that will be stored in this database. -.It mkey_file Li = Pa FILENAME +It realm isn't set, it will used as the default database, there can +only be one entry that doesn't have a +.Li realm +stanza. +.It Li mkey_file Li = Pa FILENAME Use this keytab file for the master key of this database. If not specified .Va DATABASENAME Ns .mkey will be used. -.It acl_file Li = PA FILENAME +.It Li acl_file Li = PA FILENAME Use this file for the ACL list of this database. -.It log_file Li = Pa FILENAME +.It Li log_file Li = Pa FILENAME Use this file as the log of changes performed to the database. This file is used by .Nm ipropd-master for propagating changes to slaves. .El .It Li } -.It max-request = Va SIZE +.It Li max-request = Va SIZE Maximum size of a kdc request. -.It require-preauth = Va BOOL +.It Li require-preauth = Va BOOL If set pre-authentication is required. Since krb4 requests are not pre-authenticated they will be rejected. -.It ports = Va "list of ports" +.It Li ports = Va "list of ports" List of ports the kdc should listen to. -.It addresses = Va "list of interfaces" +.It Li addresses = Va "list of interfaces" List of addresses the kdc should bind to. -.It enable-kerberos4 = Va BOOL +.It Li enable-kerberos4 = Va BOOL Turn on Kerberos 4 support. -.It v4-realm = Va REALM +.It Li v4-realm = Va REALM To what realm v4 requests should be mapped. -.It enable-524 = Va BOOL +.It Li enable-524 = Va BOOL Should the Kerberos 524 converting facility be turned on. Default is the same as .Va enable-kerberos4 . 
-.It enable-http = Va BOOL +.It Li enable-http = Va BOOL Should the kdc answer kdc-requests over http. -.It enable-kaserver = Va BOOL +.It Li enable-kaserver = Va BOOL If this kdc should emulate the AFS kaserver. -.It check-ticket-addresses = Va BOOL +.It Li check-ticket-addresses = Va BOOL Verify the addresses in the tickets used in tgs requests. .\" XXX -.It allow-null-ticket-addresses = Va BOOL +.It Li allow-null-ticket-addresses = Va BOOL Allow address-less tickets. -.\" XXX -.It allow-anonymous = Va BOOL +.\" XXX +.It Li allow-anonymous = Va BOOL If the kdc is allowed to hand out anonymous tickets. -.It encode_as_rep_as_tgs_rep = Va BOOL +.It Li encode_as_rep_as_tgs_rep = Va BOOL Encode as-rep as tgs-rep tobe compatible with mistakes older DCE secd did. .\" XXX -.It kdc_warn_pwexpire = Va TIME +.It Li kdc_warn_pwexpire = Va TIME The time before expiration that the user should be warned that her password is about to expire. -.It logging = Va Logging +.It Li logging = Va Logging What type of logging the kdc should use, see also [logging]/kdc. -.It use_2b = Va principal list -List of principals to use AFS 2b tokens for. +.It Li use_2b = { +.Bl -tag -width "xxx" -offset indent +.It Va principal Li = Va BOOL +boolean value if the 524 daemon should return AFS 2b tokens for +.Fa principal . +.It ... +.El +.It Li } +.It Li hdb-ldap-structural-object Va structural object +If the LDAP backend is used for storing principals, this is the +structural object that will be used when creating and when reading +objects. +The default value is account . +.It Li hdb-ldap-create-base Va creation dn +is the dn that will be appended to the principal when creating entries. +Default value is the search dn. .El .It Li [kadmin] .Bl -tag -width "xxx" -offset indent -.It require-preauth = Va BOOL +.It Li require-preauth = Va BOOL If pre-authentication is required to talk to the kadmin server. -.It default_keys = Va keytypes... 
+.It Li password_lifetime = Va time +If a principal already have its password set for expiration, this is +the time it will be valid for after a change. +.It Li default_keys = Va keytypes... For each entry in .Va default_keys try to parse it as a sequence of @@ -409,14 +448,14 @@ is omitted it means everything, and if string is omitted it means the default salt string (for that principal and encryption type). Additional special values of keytypes are: .Bl -tag -width "xxx" -offset indent -.It v5 +.It Li v5 The Kerberos 5 salt .Va pw-salt -.It v4 +.It Li v4 The Kerberos 4 salt .Va des:pw-salt: .El -.It use_v4_salt = Va BOOL +.It Li use_v4_salt = Va BOOL When true, this is the same as .Pp .Va default_keys = Va des3:pw-salt Va v4 diff --git a/kerberosV/src/lib/krb5/krb5.h b/kerberosV/src/lib/krb5/krb5.h index 543d2e858ac..d7f07ad9036 100644 --- a/kerberosV/src/lib/krb5/krb5.h +++ b/kerberosV/src/lib/krb5/krb5.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $KTH: krb5.h,v 1.209.2.2 2004/06/21 08:32:00 lha Exp $ */ +/* $KTH: krb5.h,v 1.236.2.1 2005/10/12 12:42:09 lha Exp $ */ #ifndef __KRB5_H__ #define __KRB5_H__ @@ -69,8 +69,6 @@ typedef u_int32_t krb5_flags; typedef void *krb5_pointer; typedef const void *krb5_const_pointer; -typedef octet_string krb5_data; - struct krb5_crypto_data; typedef struct krb5_crypto_data *krb5_crypto; 
@@ -80,6 +78,20 @@ typedef Checksum krb5_checksum; typedef ENCTYPE krb5_enctype; +typedef heim_octet_string krb5_data; + +/* PKINIT related forward declarations */ +struct ContentInfo; +struct krb5_pk_identity; +struct krb5_pk_cert; + +/* krb5_enc_data is a mit compat structure */ +typedef struct krb5_enc_data { + krb5_enctype enctype; + krb5_kvno kvno; + krb5_data ciphertext; +} krb5_enc_data; + /* alternative names */ enum { ENCTYPE_NULL = ETYPE_NULL, @@ -92,6 +104,9 @@ enum { ENCTYPE_ENCRYPT_RSA_PRIV = ETYPE_ENCRYPT_RSA_PRIV, ENCTYPE_ENCRYPT_RSA_PUB = ETYPE_ENCRYPT_RSA_PUB, ENCTYPE_DES3_CBC_SHA1 = ETYPE_DES3_CBC_SHA1, + ENCTYPE_AES128_CTS_HMAC_SHA1_96 = ETYPE_AES128_CTS_HMAC_SHA1_96, + ENCTYPE_AES256_CTS_HMAC_SHA1_96 = ETYPE_AES256_CTS_HMAC_SHA1_96, + ENCTYPE_ARCFOUR_HMAC = ETYPE_ARCFOUR_HMAC_MD5, ENCTYPE_ARCFOUR_HMAC_MD5 = ETYPE_ARCFOUR_HMAC_MD5, ENCTYPE_ARCFOUR_HMAC_MD5_56 = ETYPE_ARCFOUR_HMAC_MD5_56, ENCTYPE_ENCTYPE_PK_CROSS = ETYPE_ENCTYPE_PK_CROSS, 
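Review bot: The new `ENCTYPE_ARCFOUR_HMAC = ETYPE_ARCFOUR_HMAC_MD5` alias in the second hunk (-92/+104) resolves to the same value as the existing `ENCTYPE_ARCFOUR_HMAC_MD5` line directly below it, and nothing says why two names exist; mark it as the MIT spelling, e.g. `ENCTYPE_ARCFOUR_HMAC = ETYPE_ARCFOUR_HMAC_MD5, /* MIT name, same enctype as ENCTYPE_ARCFOUR_HMAC_MD5 */`. In the first hunk the comment on `krb5_enc_data` reads `/* krb5_enc_data is a mit compat structure */`; since this is the public header, say what the compatibility promise is, e.g. `/* MIT krb5 compatibility: same member names and order as MIT's krb5_enc_data */`, if that is indeed the guarantee. The `enum {` that the second hunk extends opens outside the hunk.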
@@ -170,8 +185,26 @@ typedef enum krb5_key_usage { /* seal in GSSAPI krb5 mechanism */ KRB5_KU_USAGE_SIGN = 23, /* sign in GSSAPI krb5 mechanism */ - KRB5_KU_USAGE_SEQ = 24 + KRB5_KU_USAGE_SEQ = 24, /* SEQ in GSSAPI krb5 mechanism */ + KRB5_KU_USAGE_ACCEPTOR_SEAL = 22, + /* acceptor sign in GSSAPI CFX krb5 mechanism */ + KRB5_KU_USAGE_ACCEPTOR_SIGN = 23, + /* acceptor seal in GSSAPI CFX krb5 mechanism */ + KRB5_KU_USAGE_INITIATOR_SEAL = 24, + /* initiator sign in GSSAPI CFX krb5 mechanism */ + KRB5_KU_USAGE_INITIATOR_SIGN = 25, + /* initiator seal in GSSAPI CFX krb5 mechanism */ + KRB5_KU_PA_SERVER_REFERRAL_DATA = 22, + /* encrypted server referral data */ + KRB5_KU_SAM_CHECKSUM = 25, + /* Checksum for the SAM-CHECKSUM field */ + KRB5_KU_SAM_ENC_TRACK_ID = 26, + /* Encryption of the SAM-TRACK-ID field */ + KRB5_KU_PA_SERVER_REFERRAL = 26, + /* Keyusage for the server referral in a TGS req */ + KRB5_KU_SAM_ENC_NONCE_SAD = 27 + /* Encryption of the SAM-NONCE-OR-SAD field */ } krb5_key_usage; typedef krb5_key_usage krb5_keyusage; @@ -222,7 +255,9 @@ typedef enum krb5_keytype { KEYTYPE_AES128 = 17, KEYTYPE_AES256 = 18, KEYTYPE_ARCFOUR = 23, - KEYTYPE_ARCFOUR_56 = 24 + KEYTYPE_ARCFOUR_56 = 24, + KEYTYPE_RC2 = -0x1005, + KEYTYPE_AES192 = -0x1006 } krb5_keytype; typedef EncryptionKey krb5_keyblock; 
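Review bot: The four CFX comments in the krb5_key_usage hunk are shifted one entry: the file's convention, visible at `KRB5_KU_USAGE_SEQ = 24, /* SEQ in GSSAPI krb5 mechanism */` and in the SAM entries below, puts the comment after the enumerator it describes, yet `/* acceptor sign in GSSAPI CFX krb5 mechanism */` follows `KRB5_KU_USAGE_ACCEPTOR_SEAL = 22`, `/* acceptor seal ... */` follows `KRB5_KU_USAGE_ACCEPTOR_SIGN = 23`, and the two initiator lines are swapped the same way, so a reader is told that 22 is the sign usage. Exchange the words seal/sign on those four comment lines so each matches the enumerator above it. The hunk also makes 22, 23, 24, 25 and 26 each the value of two or three enumerators (`KRB5_KU_USAGE_SEAL`, `KRB5_KU_USAGE_ACCEPTOR_SEAL` and `KRB5_KU_PA_SERVER_REFERRAL_DATA` are all 22); that is legal C, but a `switch` over krb5_key_usage can no longer tell them apart, so a one-line comment at the top of the added block such as `/* several specifications assign the same usage number; these are aliases of one value, not distinct cases */` would stop the next maintainer from "fixing" the duplicates. The `typedef enum krb5_key_usage {` this hunk extends opens outside the hunk.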
@@ -302,10 +337,20 @@ typedef union { #define KRB5_GC_CACHED (1U << 0) #define KRB5_GC_USER_USER (1U << 1) +#define KRB5_GC_EXPIRED_OK (1U << 2) /* constants for compare_creds (and cc_retrieve_cred) */ #define KRB5_TC_DONT_MATCH_REALM (1U << 31) #define KRB5_TC_MATCH_KEYTYPE (1U << 30) +#define KRB5_TC_MATCH_KTYPE KRB5_TC_MATCH_KEYTYPE /* MIT name */ +#define KRB5_TC_MATCH_SRV_NAMEONLY (1 << 29) +#define KRB5_TC_MATCH_FLAGS_EXACT (1 << 28) +#define KRB5_TC_MATCH_FLAGS (1 << 27) +#define KRB5_TC_MATCH_TIMES_EXACT (1 << 26) +#define KRB5_TC_MATCH_TIMES (1 << 25) +#define KRB5_TC_MATCH_AUTHDATA (1 << 24) +#define KRB5_TC_MATCH_2ND_TKT (1 << 23) +#define KRB5_TC_MATCH_IS_SKEY (1 << 22) typedef AuthorizationData krb5_authdata; @@ -333,7 +378,7 @@ typedef struct krb5_cc_ops { krb5_error_code (*close)(krb5_context, krb5_ccache); krb5_error_code (*store)(krb5_context, krb5_ccache, krb5_creds*); krb5_error_code (*retrieve)(krb5_context, krb5_ccache, - krb5_flags, krb5_creds*, krb5_creds); + krb5_flags, const krb5_creds*, krb5_creds *); krb5_error_code (*get_princ)(krb5_context, krb5_ccache, krb5_principal*); krb5_error_code (*get_first)(krb5_context, krb5_ccache, krb5_cc_cursor *); krb5_error_code (*get_next)(krb5_context, krb5_ccache, @@ -395,8 +440,16 @@ typedef struct krb5_context_data { char error_buf[256]; krb5_addresses *ignore_addresses; char *default_cc_name; + int pkinit_flags; + void *mutex; /* protects error_string/error_buf */ + int large_msg_size; } krb5_context_data; +enum { + KRB5_PKINIT_WIN2K = 1, /* wire compatible with Windows 2k */ + KRB5_PKINIT_PACKET_CABLE = 2 /* use packet cable standard */ +}; + typedef struct krb5_ticket { EncTicketPart ticket; krb5_principal client; 
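Review bot: The nine `KRB5_TC_MATCH_*` flags added in the first hunk (-302/+337) are written `(1 << 29)` down to `(1 << 22)` while the two existing lines directly above use `(1U << 31)` and `(1U << 30)`; these are OR'd into `krb5_flags`, a `u_int32_t` per the earlier hunk in this file, so use the unsigned form for every new line, e.g. `#define KRB5_TC_MATCH_SRV_NAMEONLY (1U << 29)`. That keeps the whole group one type and avoids mixed signed/unsigned arithmetic when the flags are combined or compared. In the last hunk `void *mutex; /* protects error_string/error_buf */` is the right model; the new `pkinit_flags` and `large_msg_size` members deserve the same, e.g. `int pkinit_flags; /* KRB5_PKINIT_* bits */` and `int large_msg_size; /* [libdefaults] large_msg_size, see krb5.conf(5) */`, where the latter mapping is inferred from the krb5.conf.5 hunk in this same commit and should be confirmed.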
@@ -419,6 +472,7 @@ typedef Authenticator krb5_donot_replay; #define KRB5_STORAGE_BYTEORDER_BE 0x00 /* default */ #define KRB5_STORAGE_BYTEORDER_LE 0x20 #define KRB5_STORAGE_BYTEORDER_HOST 0x40 +#define KRB5_STORAGE_CREDS_FLAGS_WRONG_BITORDER 0x80 struct krb5_storage_data; typedef struct krb5_storage_data krb5_storage; @@ -470,17 +524,19 @@ typedef struct krb5_keytab_key_proc_args krb5_keytab_key_proc_args; typedef struct krb5_replay_data { krb5_timestamp timestamp; - u_int32_t usec; + int32_t usec; u_int32_t seq; } krb5_replay_data; /* flags for krb5_auth_con_setflags */ enum { - KRB5_AUTH_CONTEXT_DO_TIME = 1, - KRB5_AUTH_CONTEXT_RET_TIME = 2, - KRB5_AUTH_CONTEXT_DO_SEQUENCE = 4, - KRB5_AUTH_CONTEXT_RET_SEQUENCE = 8, - KRB5_AUTH_CONTEXT_PERMIT_ALL = 16 + KRB5_AUTH_CONTEXT_DO_TIME = 1, + KRB5_AUTH_CONTEXT_RET_TIME = 2, + KRB5_AUTH_CONTEXT_DO_SEQUENCE = 4, + KRB5_AUTH_CONTEXT_RET_SEQUENCE = 8, + KRB5_AUTH_CONTEXT_PERMIT_ALL = 16, + KRB5_AUTH_CONTEXT_USE_SUBKEY = 32, + KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED = 64 }; /* flags for krb5_auth_con_genaddrs */ @@ -528,7 +584,7 @@ typedef void (*krb5_log_log_func_t)(const char*, const char*, void*); typedef void (*krb5_log_close_func_t)(void*); typedef struct krb5_log_facility { - const char *program; + char *program; int len; struct facility *val; } krb5_log_facility; @@ -567,7 +623,6 @@ typedef int (*krb5_prompter_fct)(krb5_context context, const char *banner, int num_prompts, krb5_prompt prompts[]); - typedef krb5_error_code (*krb5_key_proc)(krb5_context context, krb5_enctype type, krb5_salt salt, 
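Review bot: The `krb5_replay_data` hunk (-470/+524) flips the exported `usec` member from `u_int32_t` to `int32_t` without a word, and because this struct is filled in by library users a later reader will see the asymmetry with `u_int32_t seq` and may revert it; put the reason on the line, e.g. `int32_t usec; /* signed on purpose: <reason> */` with the placeholder filled in (matching the signed microseconds type used elsewhere in the API is my guess, confirm). In the `krb5_log_facility` hunk (-528/+584) dropping `const` from `program` implies the facility now holds a writable, presumably heap-owned, copy; say so at the member, `char *program; /* owned by the facility */`, if that is the case, otherwise keep the `const`. The struct definitions these two hunks touch open outside the hunks.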
@@ -578,7 +633,14 @@ typedef krb5_error_code (*krb5_decrypt_proc)(krb5_context context, krb5_key_usage usage, krb5_const_pointer decrypt_arg, krb5_kdc_rep *dec_rep); +typedef krb5_error_code (*krb5_s2k_proc)(krb5_context context, + krb5_enctype type, + krb5_const_pointer keyseed, + krb5_salt salt, + krb5_data *s2kparms, + krb5_keyblock **key); +struct _krb5_get_init_creds_opt_private; typedef struct _krb5_get_init_creds_opt { krb5_flags flags; @@ -590,14 +652,12 @@ typedef struct _krb5_get_init_creds_opt { krb5_enctype *etype_list; int etype_list_length; krb5_addresses *address_list; -#if 0 /* this is the MIT-way */ - krb5_address **address_list; -#endif /* XXX the next three should not be used, as they may be removed later */ krb5_preauthtype *preauth_list; int preauth_list_length; krb5_data *salt; + struct _krb5_get_init_creds_opt_private *opt_private; } krb5_get_init_creds_opt; #define KRB5_GET_INIT_CREDS_OPT_TKT_LIFE 0x0001 @@ -609,6 +669,7 @@ typedef struct _krb5_get_init_creds_opt { #define KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST 0x0040 #define KRB5_GET_INIT_CREDS_OPT_SALT 0x0080 #define KRB5_GET_INIT_CREDS_OPT_ANONYMOUS 0x0100 +#define KRB5_GET_INIT_CREDS_OPT_DISABLE_TRANSITED_CHECK 0x0200 typedef struct _krb5_verify_init_creds_opt { krb5_flags flags; @@ -628,10 +689,14 @@ typedef struct krb5_verify_opt { #define KRB5_VERIFY_LREALMS 1 #define KRB5_VERIFY_NO_ADDRESSES 2 +extern const krb5_cc_ops krb5_acc_ops; extern const krb5_cc_ops krb5_fcc_ops; extern const krb5_cc_ops krb5_mcc_ops; +extern const krb5_cc_ops krb5_kcm_ops; extern const krb5_kt_ops krb5_fkt_ops; +extern const krb5_kt_ops krb5_wrfkt_ops; +extern const krb5_kt_ops krb5_javakt_ops; extern const krb5_kt_ops krb5_mkt_ops; extern const krb5_kt_ops krb5_akf_ops; extern const krb5_kt_ops krb4_fkt_ops; 
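Review bot: The second hunk (-590/+652) appends `opt_private` to the public `krb5_get_init_creds_opt`, which callers have so far been able to allocate by value, so anything that later dereferences or frees `opt_private` depends on it being NULL after `krb5_get_init_creds_opt_init`; document that at the member, `struct _krb5_get_init_creds_opt_private *opt_private; /* NULL unless set up by krb5_get_init_creds_opt_alloc; opt_init must zero it */`, adjusting the names if ownership works differently (both functions appear in this commit's krb5.3 list, the behaviour is inferred). The new `KRB5_GET_INIT_CREDS_OPT_DISABLE_TRANSITED_CHECK` in the third hunk is the one option here that relaxes a security check, so it deserves a comment where the flag is defined rather than only in the code that consumes it, e.g. `/* ask the KDC to skip the transited-realm check; weakens cross-realm path validation */`, with the exact semantics confirmed against the code that sets the KDC option. Also, `_krb5_get_init_creds_opt_private`, like the existing `_krb5_get_init_creds_opt` tag, begins with an underscore at file scope, which C reserves for the implementation; a new tag could avoid the prefix. The struct the second hunk edits opens outside the hunk.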
@@ -672,6 +737,11 @@ typedef struct krb5_krbhst_info { char hostname[1]; /* has to come last */ } krb5_krbhst_info; +/* flags for krb5_krbhst_init_flags (and krb5_send_to_kdc_flags) */ +enum { + KRB5_KRBHST_FLAGS_MASTER = 1, + KRB5_KRBHST_FLAGS_LARGE_MSG = 2 +}; struct credentials; /* this is to keep the compiler happy */ struct getargs; diff --git a/kerberosV/src/lib/krb5/krb5_address.3 b/kerberosV/src/lib/krb5/krb5_address.3 index cbd262ac353..62adccc8c96 100644 --- a/kerberosV/src/lib/krb5/krb5_address.3 +++ b/kerberosV/src/lib/krb5/krb5_address.3 
@@ -1,37 +1,37 @@ -.\" Copyright (c) 2003 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. +.\" Copyright (c) 2003, 2005 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. .\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: .\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. .\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. .\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. 
.\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. -.\" -.\" $KTH: krb5_address.3,v 1.4 2003/04/16 13:58:12 lha Exp $ -.\" -.Dd March 11, 2002 +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $KTH: krb5_address.3,v 1.10 2005/04/24 07:52:03 lha Exp $ +.\" +.Dd April 24, 2005 .Dt KRB5_ADDRESS 3 .Os HEIMDAL .Sh NAME 
@@ -192,7 +192,7 @@ The structure holds a set of krb5_address:es. .Pp .Fn krb5_sockaddr2address -stores a address a +stores a address a .Li "struct sockaddr" .Fa sa in the krb5_address @@ -213,8 +213,9 @@ from .Fa addr and .Fa port . +The argument .Fa sa_size -should be initially contain the size of the +should initially contain the size of the .Fa sa , and after the call, it will contain the actual length of the address. .Pp @@ -241,8 +242,9 @@ and the .Li "struct hostent" (see .Xr gethostbyname 3 ) -.Fa h_addr_list +.Fa h_addr_list component. +The argument .Fa sa_size should initially contain the size of the .Fa sa , @@ -263,8 +265,9 @@ fills in a that can be used to .Xr bind 2 to. +The argument .Fa sa_size -should be initially contain the size of the +should initially contain the size of the .Fa sa , and after the call, it will contain the actual length of the address. .Pp @@ -279,7 +282,9 @@ If .Fa ret_len is not .Dv NULL , -it will be filled with the length of the string. +it will be filled with the length of the string if size where unlimited (not +included the final +.Ql \e0 ) . .Pp .Fn krb5_parse_address Returns the resolved hostname in @@ -343,7 +348,7 @@ to While copying the addresses, duplicates are also sorted out. .Pp .Fn krb5_make_addrport -allocates and creates an +allocates and creates an krb5_address in .Fa res of type KRB5_ADDRESS_ADDRPORT from diff --git a/kerberosV/src/lib/krb5/krb5_aname_to_localname.3 b/kerberosV/src/lib/krb5/krb5_aname_to_localname.3 index 88694c46237..5edc7b2c85a 100644 --- a/kerberosV/src/lib/krb5/krb5_aname_to_localname.3 +++ b/kerberosV/src/lib/krb5/krb5_aname_to_localname.3 
@@ -1,37 +1,37 @@
 .\" Copyright (c) 2003 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
 .\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
 .\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
 .\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
 .\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\" may be used to endorse or promote products derived from this software
+.\" without specific prior written permission.
 .\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
 .\"
-.\" $KTH: krb5_aname_to_localname.3,v 1.2 2003/04/16 13:58:13 lha Exp $
+.\" $KTH: krb5_aname_to_localname.3,v 1.4 2005/04/24 07:37:52 lha Exp $
 .\"
-.Dd March 17, 2003
+.Dd April 24, 2005
 .Dt KRB5_ANAME_TO_LOCALNAME 3
 .Os HEIMDAL
 .Sh NAME
diff --git a/kerberosV/src/lib/krb5/krb5_ccache.3 b/kerberosV/src/lib/krb5/krb5_ccache.3
index bd2fdd5783a..409e454bf1b 100644
--- a/kerberosV/src/lib/krb5/krb5_ccache.3
+++ b/kerberosV/src/lib/krb5/krb5_ccache.3
@@ -1,37 +1,37 @@
-.\" Copyright (c) 2003 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
+.\" Copyright (c) 2003-2004 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
 .\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
 .\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
 .\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
 .\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\" may be used to endorse or promote products derived from this software
+.\" without specific prior written permission.
 .\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" $KTH: krb5_ccache.3,v 1.7 2003/04/16 13:58:12 lha Exp $
-.\"
-.Dd March 16, 2003
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $KTH: krb5_ccache.3,v 1.13 2005/04/24 13:57:33 lha Exp $
+.\"
+.Dd April 24, 2005
 .Dt KRB5_CCACHE 3
 .Os HEIMDAL
 .Sh NAME
@@ -40,6 +40,7 @@
 .Nm krb5_cc_ops ,
 .Nm krb5_fcc_ops ,
 .Nm krb5_mcc_ops ,
+.Nm krb5_cc_clear_mcred ,
 .Nm krb5_cc_close ,
 .Nm krb5_cc_copy_cache ,
 .Nm krb5_cc_default ,
@@ -48,19 +49,22 @@
 .Nm krb5_cc_end_seq_get ,
 .Nm krb5_cc_gen_new ,
 .Nm krb5_cc_get_name ,
+.Nm krb5_cc_get_ops ,
+.Nm krb5_cc_get_prefix_ops ,
 .Nm krb5_cc_get_principal ,
 .Nm krb5_cc_get_type ,
-.Nm krb5_cc_get_ops ,
 .Nm krb5_cc_get_version ,
 .Nm krb5_cc_initialize ,
+.Nm krb5_cc_next_cred ,
+.Nm krb5_cc_next_cred_match ,
+.Nm krb5_cc_new_unique ,
 .Nm krb5_cc_register ,
+.Nm krb5_cc_remove_cred ,
 .Nm krb5_cc_resolve ,
 .Nm krb5_cc_retrieve_cred ,
-.Nm krb5_cc_remove_cred ,
 .Nm krb5_cc_set_default_name ,
-.Nm krb5_cc_store_cred ,
 .Nm krb5_cc_set_flags ,
-.Nm krb5_cc_next_cred
+.Nm krb5_cc_store_cred
 .Nd mange credential cache
 .Sh LIBRARY
 Kerberos 5 Library (libkrb5, -lkrb5)
@@ -77,6 +81,10 @@ Kerberos 5 Library (libkrb5, -lkrb5)
 .Pp
 .Li "struct krb5_cc_ops *krb5_mcc_ops;"
 .Pp
+.Ft void
+.Fo krb5_cc_clear_mcred
+.Fa "krb5_creds *mcred"
+.Fc
 .Ft krb5_error_code
 .Fo krb5_cc_close
 .Fa "krb5_context *context"
@@ -135,6 +143,11 @@ Kerberos 5 Library (libkrb5, -lkrb5)
 .Fa "krb5_context *context"
 .Fa "krb5_ccache id"
 .Fc
+.Ft "const krb5_cc_ops *"
+.Fo krb5_cc_get_prefix_ops
+.Fa "krb5_context context"
+.Fa "const char *prefix"
+.Fc
 .Ft krb5_error_code
 .Fo krb5_cc_get_version
 .Fa "krb5_context *context"
@@ -197,6 +210,22 @@ Kerberos 5 Library (libkrb5, -lkrb5)
 .Fa "krb5_cc_cursor *cursor"
 .Fa "krb5_creds *creds"
 .Fc
+.Ft krb5_error_code
+.Fo krb5_cc_next_cred_match
+.Fa "krb5_context *context"
+.Fa "const krb5_ccache id"
+.Fa "krb5_cc_cursor *cursor"
+.Fa "krb5_creds *creds"
+.Fa "krb5_flags whichfields"
+.Fa "const krb5_creds *mcreds"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_cc_new_unique
+.Fa "krb5_context context"
+.Fa "const char *type"
+.Fa "const char *hint"
+.Fa "krb5_ccache *id"
+.Fc
 .Sh DESCRIPTION
 The
 .Li krb5_ccache
@@ -231,68 +260,95 @@ gets and sets the default name for the
 .Fa context .
 .Pp
 .Fn krb5_cc_default
-opens the default ccache in
+opens the default credential cache in
 .Fa id .
 Return 0 or an error code.
 .Pp
 .Fn krb5_cc_gen_new
-generates a new ccache of type
+generates a new credential cache of type
 .Fa ops
 in
 .Fa id .
 Return 0 or an error code.
+The Heimdal version of this function also runs
+.Fn krb5_cc_initialize
+on the credential cache, but since the MIT version doesn't, portable
+code must call krb5_cc_initialize.
+.Pp
+.Fn krb5_cc_new_unique
+generates a new unique credential cache of
+.Fa type
+in
+.Fa id .
+If type is
+.Dv NULL ,
+the library chooses the default credential cache type.
+The supplied
+.Fa hint
+(that can be
+.Dv NULL )
+is a string that the credential cache type can use to base the name of
+the credential on, this is to make its easier for the user to
+differentiate the credentials.
+The returned credential cache
+.Fa id
+should be freed using
+.Fn krb5_cc_close
+or
+.Fn krb5_cc_destroy .
+Returns 0 or an error code.
 .Pp
 .Fn krb5_cc_resolve
-finds and allocates a ccache in
+finds and allocates a credential cache in
 .Fa id
-from the specification in
+from the specification in
 .Fa residual .
-If the ccache name doesn't contain any colon (:), interpret it as a
+If the credential cache name doesn't contain any colon (:), interpret it as a
 file name.
 Return 0 or an error code.
 .Pp
 .Fn krb5_cc_initialize
-creates a new ccache in
+creates a new credential cache in
 .Fa id
 for
 .Fa primary_principal .
 Return 0 or an error code.
 .Pp
 .Fn krb5_cc_close
-stops using the ccache
+stops using the credential cache
 .Fa id
 and frees the related resources.
 Return 0 or an error code.
 .Fn krb5_cc_destroy
-removes the ccache
+removes the credential cache
 and closes (by calling
 .Fn krb5_cc_close )
 .Fa id .
 Return 0 or an error code.
 .Pp
 .Fn krb5_cc_copy_cache
-copys the contents of
+copys the contents of
 .Fa from
-to
+to
 .Fa to .
 .Pp
 .Fn krb5_cc_get_name
-returns the name of the ccache
+returns the name of the credential cache
 .Fa id .
 .Pp
 .Fn krb5_cc_get_principal
-returns the principal of
+returns the principal of
 .Fa id
 in
 .Fa principal .
 Return 0 or an error code.
 .Pp
 .Fn krb5_cc_get_type
-returns the type of the ccache
+returns the type of the credential cache
 .Fa id .
 .Pp
 .Fn krb5_cc_get_ops
-returns the ops of the ccache
+returns the ops of the credential cache
 .Fa id .
 .Pp
 .Fn krb5_cc_get_version
@@ -300,23 +356,32 @@ returns the version of
 .Fa id .
 .Pp
 .Fn krb5_cc_register
-Adds a new ccache type with operations
+Adds a new credential cache type with operations
 .Fa ops ,
 overwriting any existing one if
 .Fa override .
 Return an error code or 0.
 .Pp
+.Fn krb5_cc_get_prefix_ops
+Get the cc ops that is registered in
+.Fa context
+to handle the
+.Fa prefix .
+Returns
+.Dv NULL
+if ops not found.
+.Pp
 .Fn krb5_cc_remove_cred
 removes the credential identified by
 .Fa ( cred ,
 .Fa which )
-from
+from
 .Fa id .
 .Pp
 .Fn krb5_cc_store_cred
 stores
 .Fa creds
-in the ccache
+in the credential cache
 .Fa id .
 Return 0 or an error code.
 .Pp
@@ -326,8 +391,14 @@ sets the flags of
 to
 .Fa flags .
 .Pp
+.Fn krb5_cc_clear_mcred
+clears the
+.Fa mcreds
+argument so its reset and can be used with
+.Fa krb5_cc_retrieve_cred .
+.Pp
 .Fn krb5_cc_retrieve_cred ,
-retrieves the credential identified by
+retrieves the credential identified by
 .Fa mcreds
 (and
 .Fa whichfields )
@@ -347,6 +418,16 @@ and advance
 .Fa cursor .
 Return 0 or an error code.
 .Pp
+.Fn krb5_cc_next_cred_match
+is similar to
+.Fn krb5_cc_next_cred
+except that it will only return creds matching
+.Fa whichfields
+and
+.Fa mcreds
+(as interpreted by
+.Xr krb5_compare_creds 3 . )
+.Pp
 .Fn krb5_cc_end_seq_get
 Destroys the cursor
 .Fa cursor .
diff --git a/kerberosV/src/lib/krb5/krb5_context.3 b/kerberosV/src/lib/krb5/krb5_context.3
index 228ce5bf52d..bf8b17ccc46 100644
--- a/kerberosV/src/lib/krb5/krb5_context.3
+++ b/kerberosV/src/lib/krb5/krb5_context.3 
@@ -1,35 +1,35 @@
-.\" Copyright (c) 2001 - 200 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
+.\" Copyright (c) 2001 - 2003 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
 .\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
 .\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
 .\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
 .\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\" may be used to endorse or promote products derived from this software
+.\" without specific prior written permission.
 .\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
 .\"
-.\" $KTH: krb5_context.3,v 1.5 2003/03/10 02:19:28 lha Exp $
+.\" $KTH: krb5_context.3,v 1.7 2003/05/26 14:08:54 lha Exp $
 .\"
 .Dd January 21, 2001
 .Dt KRB5_CONTEXT 3
@@ -37,6 +37,10 @@
 .Sh NAME
 .Nm krb5_context
 .Nd krb5 state structure
+.Sh LIBRARY
+Kerberos 5 Library (libkrb5, -lkrb5)
+.Sh SYNOPSIS
+.In krb5.h
 .Sh DESCRIPTION
 The
 .Nm
diff --git a/kerberosV/src/lib/krb5/krb5_create_checksum.3 b/kerberosV/src/lib/krb5/krb5_create_checksum.3
index e9e5170aab5..0eacfa33dd6 100644
--- a/kerberosV/src/lib/krb5/krb5_create_checksum.3
+++ b/kerberosV/src/lib/krb5/krb5_create_checksum.3
@@ -1,60 +1,145 @@
-.\" Copyright (c) 1999 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
+.\" Copyright (c) 1999-2004 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
 .\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
 .\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
 .\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
 .\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\" may be used to endorse or promote products derived from this software
+.\" without specific prior written permission.
 .\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
 .\"
-.\" $KTH: krb5_create_checksum.3,v 1.6 2003/04/16 13:58:14 lha Exp $
+.\" $KTH: krb5_create_checksum.3,v 1.13 2005/01/08 20:52:19 lha Exp $
 .\"
-.Dd April 7, 1999
+.Dd March 20, 2004
 .Dt NAME 3
 .Os HEIMDAL
 .Sh NAME
+.Nm krb5_checksum ,
+.Nm krb5_checksum_disable ,
 .Nm krb5_checksum_is_collision_proof ,
 .Nm krb5_checksum_is_keyed ,
 .Nm krb5_checksumsize ,
+.Nm krb5_cksumtype_valid ,
+.Nm krb5_copy_checksum ,
 .Nm krb5_create_checksum ,
+.Nm krb5_crypto_get_checksum_type
+.Nm krb5_free_checksum ,
+.Nm krb5_free_checksum_contents ,
+.Nm krb5_hmac ,
 .Nm krb5_verify_checksum
-.Nd creates and verifies checksums
+.Nd creates, handles and verifies checksums
 .Sh LIBRARY
 Kerberos 5 Library (libkrb5, -lkrb5)
 .Sh SYNOPSIS
 .In krb5.h
-.Ft krb5_error_code
-.Fn krb5_create_checksum "krb5_context context" "krb5_crypto crypto" "unsigned usage_or_type" "void *data" "size_t len" "Checksum *result"
-.Ft krb5_error_code
-.Fn krb5_verify_checksum "krb5_context context" "krb5_crypto crypto" "krb5_key_usage usage" "void *data" "size_t len" "Checksum *cksum"
+.Pp
+.Li "typedef Checksum krb5_checksum;"
+.Ft void
+.Fo krb5_checksum_disable
+.Fa "krb5_context context"
+.Fa "krb5_cksumtype type"
+.Fc
 .Ft krb5_boolean
-.Fn krb5_checksum_is_collision_proof "krb5_context context" "krb5_cksumtype type"
+.Fo krb5_checksum_is_collision_proof
+.Fa "krb5_context context"
+.Fa "krb5_cksumtype type"
+.Fc
 .Ft krb5_boolean
-.Fn krb5_checksum_is_keyed "krb5_context context" "krb5_cksumtype type"
+.Fo krb5_checksum_is_keyed
+.Fa "krb5_context context"
+.Fa "krb5_cksumtype type"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_cksumtype_valid
+.Fa "krb5_context context"
+.Fa "krb5_cksumtype ctype"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_checksumsize
+.Fa "krb5_context context"
+.Fa "krb5_cksumtype type"
+.Fa "size_t *size"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_create_checksum
+.Fa "krb5_context context"
+.Fa "krb5_crypto crypto"
+.Fa "unsigned usage_or_type"
+.Fa "void *data"
+.Fa "size_t len"
+.Fa "Checksum *result"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_verify_checksum
+.Fa "krb5_context context"
+.Fa "krb5_crypto crypto"
+.Fa "krb5_key_usage usage"
+.Fa "void *data"
+.Fa "size_t len"
+.Fa "Checksum *cksum"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_crypto_get_checksum_type
+.Fa "krb5_context context"
+.Fa "krb5_crypto crypto"
+.Fa "krb5_cksumtype *type"
+.Fc
+.Ft void
+.Fo krb5_free_checksum
+.Fa "krb5_context context"
+.Fa "krb5_checksum *cksum"
+.Fc
+.Ft void
+.Fo krb5_free_checksum_contents
+.Fa "krb5_context context"
+.Fa "krb5_checksum *cksum"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_hmac
+.Fa "krb5_context context"
+.Fa "krb5_cksumtype cktype"
+.Fa "const void *data"
+.Fa "size_t len"
+.Fa "unsigned usage"
+.Fa "krb5_keyblock *key"
+.Fa "Checksum *result"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_copy_checksum
+.Fa "krb5_context context"
+.Fa "const krb5_checksum *old"
+.Fa "krb5_checksum **new"
+.Fc
 .Sh DESCRIPTION
-These functions are used to create and verify checksums.
+The
+.Li krb5_checksum
+structure holds a Kerberos checksum.
+There is no component inside
+.Li krb5_checksum
+that is directly referable.
+.Pp
+The functions are used to create and verify checksums.
 .Fn krb5_create_checksum
 creates a checksum of the specified data, and puts it in
 .Fa result .
@@ -73,7 +158,7 @@ specifies a key-usage.
 .Pp
 .Fn krb5_verify_checksum
 verifies the
-.Fa checksum ,
+.Fa checksum
 against the provided data.
 .Pp
 .Fn krb5_checksum_is_collision_proof
@@ -88,6 +173,50 @@ value is a function of both the data, and a separate key). Examples of keyed
 hash algorithms are HMAC-SHA1-DES3, and RSA-MD5-DES. The
 .Dq plain
 hash functions MD5, and SHA1 are not keyed.
+.Pp
+.Fn krb5_crypto_get_checksum_type
+returns the checksum type that will be used when creating a checksum for the given
+.Fa crypto
+context.
+This function is useful in combination with
+.Fn krb5_checksumsize
+when you want to know the size a checksum will
+use when you create it.
+.Pp
+.Fn krb5_cksumtype_valid
+returns 0 or an error if the checksumtype is implemented and not
+currently disabled in this kerberos library.
+.Pp
+.Fn krb5_checksumsize
+returns the size of the outdata of checksum function.
+.Pp
+.Fn krb5_copy_checksum
+returns a copy of the checksum
+.Fn krb5_free_checksum
+should use used to free the
+.Fa new
+checksum.
+.Pp
+.Fn krb5_free_checksum
+free the checksum and the content of the checksum.
+.Pp
+.Fn krb5_free_checksum_contents
+frees the content of checksum in
+.Fa cksum .
+.Pp
+.Fn krb5_hmac
+calculates the HMAC over
+.Fa data
+(with length
+.Fa len )
+using the keyusage
+.Fa usage
+and keyblock
+.Fa key .
+Note that keyusage is not always used in checksums.
+.Pp
+.Nm krb5_checksum_disable
+globally disables the checksum type.
 .\" .Sh EXAMPLE
 .\" .Sh BUGS
 .Sh SEE ALSO
diff --git a/kerberosV/src/lib/krb5/krb5_crypto_init.3 b/kerberosV/src/lib/krb5/krb5_crypto_init.3
index 397120ad7ff..e5476a72cfb 100644
--- a/kerberosV/src/lib/krb5/krb5_crypto_init.3
+++ b/kerberosV/src/lib/krb5/krb5_crypto_init.3
@@ -1,43 +1,43 @@
 .\" Copyright (c) 1999 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
 .\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
 .\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
 .\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
 .\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\" may be used to endorse or promote products derived from this software
+.\" without specific prior written permission.
 .\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
 .\"
-.\" $KTH: krb5_crypto_init.3,v 1.6 2003/04/16 13:58:15 lha Exp $
+.\" $KTH: krb5_crypto_init.3,v 1.9 2004/03/20 12:00:01 lha Exp $
 .\"
 .Dd April 7, 1999
 .Dt NAME 3
 .Os HEIMDAL
 .Sh NAME
-.Nm krb5_crypto_init ,
-.Nm krb5_crypto_destroy
-.Nd initialize encryption context
+.Nm krb5_crypto_destroy ,
+.Nm krb5_crypto_init
+.Nd encryption support in krb5
 .Sh LIBRARY
 Kerberos 5 Library (libkrb5, -lkrb5)
 .Sh SYNOPSIS
@@ -47,22 +47,19 @@ Kerberos 5 Library (libkrb5, -lkrb5)
 .Ft krb5_error_code
 .Fn krb5_crypto_destroy "krb5_context context" "krb5_crypto crypto"
 .Sh DESCRIPTION
-These functions are used to initialize an encryption context that can
-be used to encrypt or checksum data.
+Heimdal exports parts of the Kerberos crypto interface for applications.
 .Pp
-The
-.Fn krb5_crypt_init
-initializes the encrytion context
-.Fa crypto .
-The
-.Fa key
-parameter is the key to use for encryption, and checksums. The
-encryption type to use is taken from the key, but can be overridden
+Each kerberos encrytion/checksum function takes a crypto context.
+.Pp
+To setup and destroy crypto contextes there are two functions
+.Fn krb5_crypto_init
+and
+.Fn krb5_crypto_destroy .
+The encryption type to use is taken from the key, but can be overridden
 with the
 .Fa enctype parameter .
-.Pp
-.Fn krb5_crypto_destroy
-frees a previously allocated encrypion context.
+This can be useful for encryptions types which is compatiable (DES for
+example).
 .\" .Sh EXAMPLE
 .\" .Sh BUGS
 .Sh SEE ALSO
diff --git a/kerberosV/src/lib/krb5/krb5_data.3 b/kerberosV/src/lib/krb5/krb5_data.3
index c0e999a779a..6664b84405a 100644
--- a/kerberosV/src/lib/krb5/krb5_data.3
+++ b/kerberosV/src/lib/krb5/krb5_data.3
@@ -1,37 +1,37 @@
.\" Copyright (c) 2003 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\" may be used to endorse or promote products derived from this software
+.\" without specific prior written permission.
.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" $KTH: krb5_data.3,v 1.4 2003/04/16 13:58:13 lha Exp $
-.\"
-.Dd March 20, 2003
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $KTH: krb5_data.3,v 1.7 2005/04/24 07:40:35 lha Exp $
+.\"
+.Dd April 24, 2005
.Dt KRB5_DATA 3
.Os HEIMDAL
.Sh NAME
@@ -86,7 +86,9 @@ resets the content of
.Pp
.Fn krb5_data_free
free the data in
-.Fa p .
+.Fa p
+and reset the content of the structure with
+.Fn krb5_data_zero .
.Pp
.Fn krb5_free_data_contents
works the same way as
@@ -105,7 +107,7 @@ itself.
allocates
.Fa len
bytes in
-.Fa p .
+.Fa p .
Returns 0 or an error.
.Pp
.Fn krb5_data_realloc
diff --git a/kerberosV/src/lib/krb5/krb5_encrypt.3 b/kerberosV/src/lib/krb5/krb5_encrypt.3
index b64ed57c045..159f685b921 100644
--- a/kerberosV/src/lib/krb5/krb5_encrypt.3
+++ b/kerberosV/src/lib/krb5/krb5_encrypt.3
@@ -1,61 +1,186 @@
-.\" Copyright (c) 1999 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
+.\" Copyright (c) 1999 - 2004 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\" may be used to endorse or promote products derived from this software
+.\" without specific prior written permission. 
.\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. 
.\" -.\" $KTH: krb5_encrypt.3,v 1.7 2003/04/16 13:58:15 lha Exp $ +.\" $KTH: krb5_encrypt.3,v 1.15.4.1 2005/10/26 10:06:18 lha Exp $ .\" -.Dd April 7, 1999 +.Dd March 20, 2004 .Dt KRB5_ENCRYPT 3 .Os HEIMDAL .Sh NAME +.Nm krb5_crypto_getblocksize , +.Nm krb5_crypto_getconfoundersize +.Nm krb5_crypto_getenctype , +.Nm krb5_crypto_getpadsize , .Nm krb5_decrypt , .Nm krb5_decrypt_EncryptedData , +.Nm krb5_decrypt_ivec , +.Nm krb5_decrypt_ticket , .Nm krb5_encrypt , -.Nm krb5_encrypt_EncryptedData -.Nd encrypt and decrypt data +.Nm krb5_encrypt_EncryptedData , +.Nm krb5_encrypt_ivec , +.Nm krb5_enctype_disable , +.Nm krb5_enctype_keysize , +.Nm krb5_enctype_to_string , +.Nm krb5_enctype_valid , +.Nm krb5_get_wrapped_length , +.Nm krb5_string_to_enctype +.Nd encrypt and decrypt data, set and get encryption type parameters .Sh LIBRARY Kerberos 5 Library (libkrb5, -lkrb5) .Sh SYNOPSIS .In krb5.h .Ft krb5_error_code -.Fn krb5_encrypt "krb5_context context" "krb5_crypto crypto" "unsigned usage" "void *data" "size_t len" "krb5_data *result" +.Fo krb5_encrypt +.Fa "krb5_context context" +.Fa "krb5_crypto crypto" +.Fa "unsigned usage" +.Fa "void *data" +.Fa "size_t len" +.Fa "krb5_data *result" +.Fc .Ft krb5_error_code -.Fn krb5_encrypt_EncryptedData "krb5_context context" "krb5_crypto crypto" "unsigned usage" "void *data" "size_t len" "int kvno" "EncryptedData *result" +.Fo krb5_encrypt_EncryptedData +.Fa "krb5_context context" +.Fa "krb5_crypto crypto" +.Fa "unsigned usage" +.Fa "void *data" +.Fa "size_t len" +.Fa "int kvno" +.Fa "EncryptedData *result" +.Fc .Ft krb5_error_code -.Fn krb5_decrypt "krb5_context context" "krb5_crypto crypto" "unsigned usage" "void *data" "size_t len" "krb5_data *result" +.Fo krb5_encrypt_ivec +.Fa "krb5_context context" +.Fa "krb5_crypto crypto" +.Fa "unsigned usage" +.Fa "void *data" +.Fa "size_t len" +.Fa "krb5_data *result" +.Fa "void *ivec" +.Fc .Ft krb5_error_code -.Fn krb5_decrypt_EncryptedData "krb5_context context" "krb5_crypto crypto" 
"unsigned usage" "EncryptedData *e" "krb5_data *result" +.Fo krb5_decrypt +.Fa "krb5_context context" +.Fa "krb5_crypto crypto" +.Fa "unsigned usage" +.Fa "void *data" +.Fa "size_t len" +.Fa "krb5_data *result" +.Fc +.Ft krb5_error_code +.Fo krb5_decrypt_EncryptedData +.Fa "krb5_context context" +.Fa "krb5_crypto crypto" +.Fa "unsigned usage" +.Fa "EncryptedData *e" +.Fa "krb5_data *result" +.Fc +.Ft krb5_error_code +.Fo krb5_decrypt_ivec +.Fa "krb5_context context" +.Fa "krb5_crypto crypto" +.Fa "unsigned usage" +.Fa "void *data" +.Fa "size_t len" +.Fa "krb5_data *result" +.Fa "void *ivec" +.Fc +.Ft krb5_error_code +.Fo krb5_decrypt_ticket +.Fa "krb5_context context" +.Fa "Ticket *ticket" +.Fa "krb5_keyblock *key" +.Fa "EncTicketPart *out" +.Fa "krb5_flags flags" +.Fc +.Ft krb5_error_code +.Fo krb5_crypto_getblocksize +.Fa "krb5_context context" +.Fa "size_t *blocksize" +.Fc +.Ft krb5_error_code +.Fo krb5_crypto_getenctype +.Fa "krb5_context context" +.Fa "krb5_crypto crypto" +.Fa "krb5_enctype *enctype" +.Fc +.Ft krb5_error_code +.Fo krb5_crypto_getpadsize +.Fa "krb5_context context" +.Fa size_t *padsize" +.Fc +.Ft krb5_error_code +.Fo krb5_crypto_getconfoundersize +.Fa "krb5_context context" +.Fa "krb5_crypto crypto +.Fa size_t *confoundersize" +.Fc +.Ft krb5_error_code +.Fo krb5_enctype_keysize +.Fa "krb5_context context" +.Fa "krb5_enctype type" +.Fa "size_t *keysize" +.Fc +.Ft krb5_error_code +.Fo krb5_string_to_enctype +.Fa "krb5_context context" +.Fa "const char *string" +.Fa "krb5_enctype *etype" +.Fc +.Ft krb5_error_code +.Fo krb5_enctype_to_string +.Fa "krb5_context context" +.Fa "krb5_enctype etype" +.Fa "char **string" +.Fc +.Ft krb5_error_code +.Fo krb5_enctype_valid +.Fa "krb5_context context" +.Fa "krb5_enctype etype" +.Fc +.Ft void +.Fo krb5_enctype_disable +.Fa "krb5_context context" +.Fa "krb5_enctype etype" +.Fc +.Ft size_t +.Fo krb5_get_wrapped_length +.Fa "krb5_context context" +.Fa "krb5_crypto crypto" +.Fa "size_t data_len" +.Fc .Sh 
DESCRIPTION
These functions are used to encrypt and decrypt data.
.Pp
-.Fn krb5_encrypt
+.Fn krb5_encrypt_ivec
puts the encrypted version of
.Fa data
(of size
@@ -65,6 +190,20 @@ in
If the encryption type supports using derived keys,
.Fa usage
should be the appropriate key-usage.
+.Fa ivec
+is a pointer to a initial IV, its modified to the end IV at the end of
+the round.
+Ivec should be the size of
+If
+.Dv NULL
+is passed in, the default IV is used.
+.Fn krb5_encrypt
+does the same as
+.Fn krb5_encrypt_ivec
+but with
+.Fa ivec
+being
+.Dv NULL .
.Fn krb5_encrypt_EncryptedData
does the same as
.Fn krb5_encrypt ,
@@ -72,14 +211,55 @@ but it puts the encrypted data in a
.Fa EncryptedData
structure instead. If
.Fa kvno
-is not zero, it will be put in the
-.Fa kvno field in the
+is not zero, it will be put in the (optional)
+.Fa kvno
+field in the
.Fa EncryptedData .
.Pp
+.Fn krb5_decrypt_ivec ,
.Fn krb5_decrypt ,
and
.Fn krb5_decrypt_EncryptedData
works similarly.
+.Pp
+.Fn krb5_decrypt_ticket
+decrypts the encrypted part of
+.Fa ticket
+with
+.Fa key .
+.Fn krb5_decrypt_ticket
+also verifies the timestamp in the ticket, invalid flag and if the KDC
+haven't verified the transited path, the transit path.
+.Pp
+.Fn krb5_enctype_keysize ,
+.Fn krb5_crypto_getconfoundersize ,
+.Fn krb5_crypto_getblocksize ,
+.Fn krb5_crypto_getenctype ,
+.Fn krb5_crypto_getpadsize
+all returns various (sometimes) useful information from a crypto context.
+.Pp
+.Fn krb5_enctype_to_string
+converts a encryption type number to a string that can be printable
+and stored. The strings returned should be freed with
+.Xr free 3 .
+.Pp
+.Fn krb5_string_to_enctype
+converts a encryption type strings to a encryption type number that
+can use used for other Kerberos crypto functions.
+.Pp
+.Fn krb5_enctype_valid
+returns 0 if the encrypt is supported and not disabled, otherwise and
+error code is returned.
+.Pp
+.Fn krb5_enctype_disable
+(globally, for all contextes) disables the
+.Fa enctype .
+.Pp
+.Fn krb5_get_wrapped_length
+returns the size of an encrypted packet by
+.Fa crypto
+of length
+.Fa data_len .
.\" .Sh EXAMPLE
.\" .Sh BUGS
.Sh SEE ALSO
diff --git a/kerberosV/src/lib/krb5/krb5_get_all_client_addrs.3 b/kerberosV/src/lib/krb5/krb5_get_all_client_addrs.3
index 4560c41abb6..23c4542eabd 100644
--- a/kerberosV/src/lib/krb5/krb5_get_all_client_addrs.3
+++ b/kerberosV/src/lib/krb5/krb5_get_all_client_addrs.3
@@ -1,38 +1,39 @@
.\" Copyright (c) 2001 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\" may be used to endorse or promote products derived from this software
+.\" without specific prior written permission.
.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
.\"
-.\" $KTH: krb5_get_all_client_addrs.3,v 1.6 2003/04/16 13:58:16 lha Exp $
+.\" $KTH: krb5_get_all_client_addrs.3,v 1.8 2003/05/26 14:08:56 lha Exp $
.\"
.Dd July 1, 2001
.Dt KRB5_GET_ADDRS 3
+.Os HEIMDAL
.Sh NAME
.Nm krb5_get_all_client_addrs ,
.Nm krb5_get_all_server_addrs
diff --git a/kerberosV/src/lib/krb5/krb5_get_krbhst.3 b/kerberosV/src/lib/krb5/krb5_get_krbhst.3
index 1f876b386a0..5e772750da4 100644
--- a/kerberosV/src/lib/krb5/krb5_get_krbhst.3
+++ b/kerberosV/src/lib/krb5/krb5_get_krbhst.3
@@ -1,37 +1,37 @@
.\" Copyright (c) 2001 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\" may be used to endorse or promote products derived from this software
+.\" without specific prior written permission.
.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
.\"
-.\" $KTH: krb5_get_krbhst.3,v 1.6 2003/04/16 13:58:16 lha Exp $
+.\" $KTH: krb5_get_krbhst.3,v 1.9 2005/04/24 07:42:27 lha Exp $
.\"
-.Dd June 17, 2001
+.Dd April 24, 2005
.Dt KRB5_GET_KRBHST 3
.Os HEIMDAL
.Sh NAME
diff --git a/kerberosV/src/lib/krb5/krb5_init_context.3 b/kerberosV/src/lib/krb5/krb5_init_context.3
index 1ffabc220ae..3b9809d13d1 100644
--- a/kerberosV/src/lib/krb5/krb5_init_context.3
+++ b/kerberosV/src/lib/krb5/krb5_init_context.3
@@ -1,51 +1,158 @@
-.\" Copyright (c) 2001 - 2002 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
+.\" Copyright (c) 2001 - 2004 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
.\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\" may be used to endorse or promote products derived from this software
+.\" without specific prior written permission. 
.\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. -.\" -.\" $KTH: krb5_init_context.3,v 1.9 2003/04/16 13:58:11 lha Exp $ -.\" -.Dd January 21, 2001 +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. 
+.\" +.\" $KTH: krb5_init_context.3,v 1.15 2004/12/08 17:50:00 lha Exp $ +.\" +.Dd December 8, 2004 .Dt KRB5_CONTEXT 3 .Os HEIMDAL .Sh NAME +.Nm krb5_context , .Nm krb5_init_context , -.Nm krb5_free_context -.Nd create and delete krb5_context structures +.Nm krb5_free_context , +.Nm krb5_init_ets , +.Nm krb5_add_et_list , +.Nm krb5_add_extra_addresses , +.Nm krb5_add_ignore_addresses , +.Nm krb5_get_extra_addresses , +.Nm krb5_get_ignore_addresses , +.Nm krb5_set_extra_addresses , +.Nm krb5_set_ignore_addresses , +.Nm krb5_set_fcache_version , +.Nm krb5_get_fcache_version , +.Nm krb5_set_config_files , +.Nm krb5_prepend_config_files , +.Nm krb5_prepend_config_files_default , +.Nm krb5_get_default_config_files , +.Nm krb5_free_config_files , +.Nm krb5_set_use_admin_kdc , +.Nm krb5_get_use_admin_kdc +.Nd create, modify and delete krb5_context structures .Sh LIBRARY Kerberos 5 Library (libkrb5, -lkrb5) .Sh SYNOPSIS .In krb5.h +.Pp +.Li "struct krb5_context;" +.Pp +.Ft krb5_error_code +.Fo krb5_init_context +.Fa "krb5_context *context" +.Fc +.Ft void +.Fo krb5_free_context +.Fa "krb5_context context" +.Fc +.Ft void +.Fo krb5_init_ets +.Fa "krb5_context context" +.Fc +.Ft krb5_error_code +.Fo krb5_add_et_list +.Fa "krb5_context context" +.Fa "void (*func)(struct et_list **)" +.Fc +.Ft krb5_error_code +.Fo krb5_add_extra_addresses +.Fa "krb5_context context" +.Fa "krb5_addresses *addresses" +.Fc .Ft krb5_error_code -.Fn krb5_init_context "krb5_context *context" +.Fo krb5_set_extra_addresses +.Fa "krb5_context context" +.Fa "const krb5_addresses *addresses" +.Fc +.Ft krb5_error_code +.Fo krb5_get_extra_addresses +.Fa "krb5_context context" +.Fa "krb5_addresses *addresses" +.Fc +.Ft krb5_error_code +.Fo krb5_add_ignore_addresses +.Fa "krb5_context context" +.Fa "krb5_addresses *addresses" +.Fc +.Ft krb5_error_code +.Fo krb5_set_ignore_addresses +.Fa "krb5_context context" +.Fa "const krb5_addresses *addresses" +.Fc +.Ft krb5_error_code +.Fo krb5_get_ignore_addresses +.Fa 
"krb5_context context" +.Fa "krb5_addresses *addresses" +.Fc +.Ft krb5_error_code +.Fo krb5_set_fcache_version +.Fa "krb5_context context" +.Fa "int version" +.Fc +.Ft krb5_error_code +.Fo krb5_get_fcache_version +.Fa "krb5_context context" +.Fa "int *version" +.Fc +.Ft krb5_error_code +.Fo krb5_set_config_files +.Fa "krb5_context context" +.Fa "char **filenames" +.Fc +.Ft krb5_error_code +.Fo krb5_prepend_config_files +.Fa "const char *filelist" +.Fa "char **pq" +.Fa "char ***ret_pp" +.Fc +.ft krb5_error_code +.Fo krb5_prepend_config_files_default +.Fa "const char *filelist" +.Fa "char ***pfilenames" +.Fc +.Ft krb5_error_code +.Fo krb5_get_default_config_files +.Fa "char ***pfilenames" +.Fc +.Ft void +.Fo krb5_free_config_files +.Fa "char **filenames" +.Fc .Ft void -.Fn krb5_free_context "krb5_context context" +.Fo krb5_set_use_admin_kdc +.Fa "krb5_context context" +.Fa "krb5_boolean flag" +.Fc +.Ft krb5_boolean +.Fo krb5_get_use_admin_kdc +.Fa "krb5_context context" +.Fc .Sh DESCRIPTION The .Fn krb5_init_context @@ -57,7 +164,7 @@ structure and reads the configuration file The structure should be freed by calling .Fn krb5_free_context when it is no longer being used. -.Sh RETURN VALUES +.Pp .Fn krb5_init_context returns 0 to indicate success. Otherwise an errno code is returned. 
@@ -66,7 +173,87 @@ Failure means either that something bad happened during initialization
.Bq ENOMEM )
or that Kerberos should not be used
.Bq ENXIO .
+.Pp
+.Fn krb5_init_ets
+adds all
+.Xr com_err 3
+libs to
+.Fa context .
+This is done by
+.Fn krb5_init_context .
+.Pp
+.Fn krb5_add_et_list
+adds a
+.Xr com_err 3
+error-code handler
+.Fa func
+to the specified
+.Fa context .
+The error handler must generated by the the re-rentrant version of the
+.Xr compile_et 3
+program.
+.Fn krb5_add_extra_addresses
+add a list of addresses that should be added when requesting tickets.
+.Pp
+.Fn krb5_add_ignore_addresses
+add a list of addresses that should be ignored when requesting tickets.
+.Pp
+.Fn krb5_get_extra_addresses
+get the list of addresses that should be added when requesting tickets.
+.Pp
+.Fn krb5_get_ignore_addresses
+get the list of addresses that should be ignored when requesting tickets.
+.Pp
+.Fn krb5_set_ignore_addresses
+set the list of addresses that should be ignored when requesting tickets.
+.Pp
+.Fn krb5_set_extra_addresses
+set the list of addresses that should be added when requesting tickets.
+.Pp
+.Fn krb5_set_fcache_version
+sets the version of file credentials caches that should be used.
+.Pp
+.Fn krb5_get_fcache_version
+gets the version of file credentials caches that should be used.
+.Pp
+.Fn krb5_set_config_files
+set the list of configuration files to use and re-initialize the
+configuration from the files.
+.Pp
+.Fn krb5_prepend_config_files
+parse the
+.Fa filelist
+and prepend the result to the already existing list
+.Fa pq
+The result is returned in
+.Fa ret_pp
+and should be freed with
+.Fn krb5_free_config_files .
+.Pp
+.Fn krb5_prepend_config_files_default
+parse the
+.Fa filelist
+and append that to the default
+list of configuration files.
+.Pp
+.Fn krb5_get_default_config_files
+get a list of default configuration files.
+.Pp
+.Fn krb5_free_config_files
+free a list of configuration files returned by
+.Fn krb5_get_default_config_files ,
+.Fn krb5_prepend_config_files_default ,
+or
+.Fn krb5_prepend_config_files .
+.Pp
+.Fn krb5_set_use_admin_kdc
+sets if all KDC requests should go admin KDC.
+.Pp
+.Fn krb5_get_use_admin_kdc
+gets if all KDC requests should go admin KDC.
.Sh SEE ALSO
.Xr errno 2 ,
+.Xr krb5 3 ,
+.Xr krb5_config 3 ,
.Xr krb5_context 3 ,
.Xr kerberos 8
diff --git a/kerberosV/src/lib/krb5/krb5_keytab.3 b/kerberosV/src/lib/krb5/krb5_keytab.3
index 9e69e40ed4a..9f0f51af509 100644
--- a/kerberosV/src/lib/krb5/krb5_keytab.3
+++ b/kerberosV/src/lib/krb5/krb5_keytab.3
@@ -1,37 +1,37 @@ .\" Copyright (c) 2001 - 2003 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. .\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: .\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. .\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. .\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. .\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. .\" -.\" $KTH: krb5_keytab.3,v 1.9 2003/04/16 13:58:16 lha Exp $ +.\" $KTH: krb5_keytab.3,v 1.16 2005/05/23 14:07:32 lha Exp $ .\" -.Dd February 5, 2001 +.Dd March 28, 2005 .Dt KRB5_KEYTAB 3 .Os HEIMDAL .Sh NAME @@ -43,6 +43,7 @@ .Nm krb5_kt_compare , .Nm krb5_kt_copy_entry_contents , .Nm krb5_kt_default , +.Nm krb5_kt_default_modify_name , .Nm krb5_kt_default_name , .Nm krb5_kt_end_seq_get , .Nm krb5_kt_free_entry , 
@@ -92,6 +93,12 @@ Kerberos 5 Library (libkrb5, -lkrb5) .Fa "krb5_keytab *id" .Fc .Ft krb5_error_code +.Fo krb5_kt_default_modify_name +.Fa "krb5_context context" +.Fa "char *name" +.Fa "size_t namesize" +.Fc +.Ft krb5_error_code .Fo krb5_kt_default_name .Fa "krb5_context context" .Fa "char *name" @@ -191,8 +198,20 @@ are: .Bl -tag -width Ds .It Nm file store the keytab in a file, the type's name is -.Li KEYFILE . +.Li FILE . The residual part is a filename. +For compatibility with other Kerberos implemtation +.Li WRFILE +and +.LI JAVA14 +is also accepted. +.Li WRFILE +has the same format as +.Li FILE . +.Li JAVA14 +have a format that is compatible with older versions of MIT kerberos +and SUN's Java based installation. They store a truncted kvno, so +when the knvo excess 255, they are truncted in this format. .It Nm keyfile store the keytab in a .Li AFS @@ -244,6 +263,7 @@ Returns 0 or an error. The opposite of .Fn krb5_kt_resolve is .Fn krb5_kt_close . +.Pp .Fn krb5_kt_close frees all resources allocated to the keytab. .Pp @@ -253,15 +273,22 @@ sets the argument to the default keytab. Returns 0 or an error. .Pp +.Fn krb5_kt_default_modify_name +copies the name of the default modify keytab into +.Fa name . +Return 0 or KRB5_CONFIG_NOTENUFSPACE if +.Fa namesize +is too short. +.Pp .Fn krb5_kt_default_name -copy the name of the default keytab into +copies the name of the default keytab into .Fa name . Return 0 or KRB5_CONFIG_NOTENUFSPACE if .Fa namesize is too short. .Pp .Fn krb5_kt_add_entry -Add a new +adds a new .Fa entry to the keytab .Fa id . @@ -306,7 +333,7 @@ and store the prefix/name for type of the keytab into .Fa prefix , .Fa prefixsize . The prefix will have the maximum length of -.Dv KRB5_KT_PREFIX_MAX_LEN +.Dv KRB5_KT_PREFIX_MAX_LEN (including terminating .Dv NUL ) . Returns 0 or an error. 
@@ -329,6 +356,8 @@ pointed to by .Fa cursor and advance the .Fa cursor . +On success the returne entry must be freed with +.Fn krb5_kt_free_entry . Returns 0 or an error. .Pp .Fn krb5_kt_end_seq_get @@ -338,23 +367,45 @@ releases all resources associated with .Fn krb5_kt_get_entry retrieves the keytab entry for .Fa principal , -.Fa kvno, +.Fa kvno , .Fa enctype into .Fa entry from the keytab .Fa id . +When comparing an entry in the keytab to determine a match, the +function +.Fn krb5_kt_compare +is used, so the wildcard rules applies to the argument of +.F krb5_kt_get_entry +too. +On success the returne entry must be freed with +.Fn krb5_kt_free_entry . Returns 0 or an error. .Pp .Fn krb5_kt_read_service_key reads the key identified by -.Ns ( Fa principal , +.Fa ( principal , .Fa vno , .Fa enctype ) from the keytab in .Fa keyprocarg -(the default if == NULL) into +(the system default keytab if +.Dv NULL +is used) into .Fa *key . +.Fa keyprocarg +is the same argument as to +.Fa name +argument to +.Fn krb5_kt_resolve . +Internal +.Fn krb5_kt_compare +will be used, so the same wildcard rules applies +to +.Fn krb5_kt_read_service_key . +On success the returned key must be freed with +.Fa krb5_free_keyblock . Returns 0 or an error. .Pp .Fn krb5_kt_remove_entry @@ -362,13 +413,20 @@ removes the entry .Fa entry from the keytab .Fa id . -Returns 0 or an error. +When comparing an entry in the keytab to determine a match, the +function +.Fn krb5_kt_compare +is use, so the wildcard rules applies to the argument of +.Fn krb5_kt_remove_entry . +Returns 0, +.Dv KRB5_KT_NOTFOUND +if not entry matched or another error. .Pp .Fn krb5_kt_register registers a new keytab type .Fa ops . Returns 0 or an error. -.Sh EXAMPLE +.Sh EXAMPLES This is a minimalistic version of .Nm ktutil . .Pp 
@@ -402,6 +460,9 @@ main (int argc, char **argv) ret = krb5_kt_end_seq_get(context, keytab, &cursor); if (ret) krb5_err(context, 1, ret, "krb5_kt_end_seq_get"); + ret = krb5_kt_close(context, keytab); + if (ret) + krb5_err(context, 1, ret, "krb5_kt_close"); krb5_free_context(context); return 0; } diff --git a/kerberosV/src/lib/krb5/krb5_krbhst_init.3 b/kerberosV/src/lib/krb5/krb5_krbhst_init.3 index ca582764c53..0e87719bb2d 100644 --- a/kerberosV/src/lib/krb5/krb5_krbhst_init.3 +++ b/kerberosV/src/lib/krb5/krb5_krbhst_init.3 
@@ -1,41 +1,42 @@ -.\" Copyright (c) 2001 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. +.\" Copyright (c) 2001-2005 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. .\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: .\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. .\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. .\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. .\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. .\" -.\" $KTH: krb5_krbhst_init.3,v 1.7 2003/04/16 13:58:16 lha Exp $ +.\" $KTH: krb5_krbhst_init.3,v 1.12 2005/05/10 09:21:02 lha Exp $ .\" -.Dd June 17, 2001 +.Dd May 10, 2005 .Dt KRB5_KRBHST_INIT 3 .Os HEIMDAL .Sh NAME .Nm krb5_krbhst_init , +.Nm krb5_krbhst_init_flags , .Nm krb5_krbhst_next , .Nm krb5_krbhst_next_as_string , .Nm krb5_krbhst_reset , 
@@ -50,6 +51,8 @@ Kerberos 5 Library (libkrb5, -lkrb5) .Ft krb5_error_code .Fn krb5_krbhst_init "krb5_context context" "const char *realm" "unsigned int type" "krb5_krbhst_handle *handle" .Ft krb5_error_code +.Fn krb5_krbhst_init_flags "krb5_context context" "const char *realm" "unsigned int type" "int flags" "krb5_krbhst_handle *handle" +.Ft krb5_error_code .Fn "krb5_krbhst_next" "krb5_context context" "krb5_krbhst_handle handle" "krb5_krbhst_info **host" .Ft krb5_error_code .Fn krb5_krbhst_next_as_string "krb5_context context" "krb5_krbhst_handle handle" "char *hostname" "size_t hostlen" @@ -69,13 +72,15 @@ for Kerberos 4 ticket conversion. .Pp First a handle to a particular service is obtained by calling .Fn krb5_krbhst_init +(or +.Fn krb5_krbhst_init_flags ) with the .Fa realm of interest and the type of service to lookup. The .Fa type can be one of: .Pp -.Bl -hang -compact -offset indent +.Bl -tag -width Ds -compact -offset indent .It KRB5_KRBHST_KDC .It KRB5_KRBHST_ADMIN .It KRB5_KRBHST_CHANGEPW @@ -87,6 +92,22 @@ The is returned to the caller, and should be passed to the other functions. .Pp +The +.Fa flag +argument to +.Nm krb5_krbhst_init_flags +is the same flags as +.Fn krb5_send_to_kdc_flags +uses. +Possible values are: +.Pp +.Bl -tag -width KRB5_KRBHST_FLAGS_LARGE_MSG -compact -offset indent +.It KRB5_KRBHST_FLAGS_MASTER +only talk to master (readwrite) KDC +.It KRB5_KRBHST_FLAGS_LARGE_MSG +this is a large message, so use transport that can handle that. +.El +.Pp For each call to .Fn krb5_krbhst_next information on a new host is returned. The former function returns in @@ -107,7 +128,7 @@ typedef struct krb5_krbhst_info { .Pp The related function, .Fn krb5_krbhst_next_as_string , -return the same information as a url-like string. +return the same information as a URL-like string. .Pp When there are no more hosts, these functions return .Dv KRB5_KDC_UNREACH . 
@@ -132,7 +153,7 @@ and that will return a .Va struct addrinfo that can then be used for communicating with the server mentioned. -.Sh EXAMPLE +.Sh EXAMPLES The following code will print the KDCs of the realm .Dq MY.REALM : .Bd -literal -offset indent @@ -145,8 +166,9 @@ while(krb5_krbhst_next_as_string(context, handle, krb5_krbhst_free(context, handle); .Ed .\" .Sh BUGS -.Sh HISTORY -These functions first appeared in Heimdal 0.3g. .Sh SEE ALSO .Xr getaddrinfo 3 , -.Xr krb5_get_krbhst 3 +.Xr krb5_get_krbhst 3 , +.Xr krb5_send_to_kdc_flags 3 +.Sh HISTORY +These functions first appeared in Heimdal 0.3g. diff --git a/kerberosV/src/lib/krb5/krb5_kuserok.3 b/kerberosV/src/lib/krb5/krb5_kuserok.3 index 21c9f635467..2f9ac18554a 100644 --- a/kerberosV/src/lib/krb5/krb5_kuserok.3 +++ b/kerberosV/src/lib/krb5/krb5_kuserok.3 
@@ -1,91 +1,100 @@ -.\" Copyright (c) 2003 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. +.\" Copyright (c) 2003-2005 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. .\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: .\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. .\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. .\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. 
.\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. 
.\" -.\" $KTH: krb5_kuserok.3,v 1.5 2003/04/16 13:58:10 lha Exp $ +.\" $KTH: krb5_kuserok.3,v 1.9 2005/05/04 12:11:22 joda Exp $ .\" -.Dd October 17, 2002 +.Dd May 4, 2005 .Dt KRB5_KUSEROK 3 .Os HEIMDAL .Sh NAME .Nm krb5_kuserok -.Nd "verifies if a principal can log in as a user" +.Nd "checks if a principal is permitted to login as a user" .Sh LIBRARY Kerberos 5 Library (libkrb5, -lkrb5) .Sh SYNOPSIS .In krb5.h .Ft krb5_boolean -.Fo krb5_kuserok +.Fo krb5_kuserok .Fa "krb5_context context" .Fa "krb5_principal principal" -.Fa "const char *name" +.Fa "const char *user" .Fc .Sh DESCRIPTION -This function takes a local user -.Fa name -and verifies if +This function takes the name of a local +.Fa user +and checks if .Fa principal is allowed to log in as that user. .Pp -First -.Nm -check if there is a local account name -.Fa username. -If there isn't, -.Nm -returns -.Dv FALSE . +The +.Fa user +may have a +.Pa ~/.k5login +file listing principals that are allowed to login as that user. If +that file does not exist, all principals with a first component +identical to the username, and a realm considered local, are allowed +access. .Pp -Then -.Nm -checks if principal is the same as user@realm in any of the default -realms. If that is the case, +The +.Pa .k5login +file must contain one principal per line, be owned by +.Fa user , +and not be writable by group or other (but must be readable by +anyone). +.Pp +Note that if the file exists, no implicit access rights are given to +.Fa user Ns @ Ns Aq localrealm . +.Pp +Optionally, a set of files may be put in +.Pa ~/.k5login.d ( Ns +a directory), in which case they will all be checked in the same +manner as +.Pa .k5login . +The files may be called anything, but files starting with a hash +.Dq ( # ) , +or ending with a tilde +.Dq ( ~ ) +are ignored. Subdirectories are not traversed. Note that this +directory may not be checked by other implementations. +.Sh RETURN VALUES .Nm returns -.Dv TRUE . 
-.Pp -After that it reads the file -.Pa .k5login -(if it exists) in the users home directory and checks if -.Fa principal -is in the file. -If it does exists, .Dv TRUE -is returned. -If neither of the above turns out to be true, +if access should be granted, .Dv FALSE -is returned. -.Pp +otherwise. +.Sh HISTORY The -.Pa .k5login -should contain one principal per line. +.Pa ~/.k5login.d +feature appeared in Heimdal 0.7. .Sh SEE ALSO .Xr krb5_get_default_realms 3 , .Xr krb5_verify_user 3 , diff --git a/kerberosV/src/lib/krb5/krb5_locl.h b/kerberosV/src/lib/krb5/krb5_locl.h index 29b50079122..fa45ecda69e 100644 --- a/kerberosV/src/lib/krb5/krb5_locl.h +++ b/kerberosV/src/lib/krb5/krb5_locl.h @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $KTH: krb5_locl.h,v 1.71 2002/09/10 20:10:45 joda Exp $ */ +/* $KTH: krb5_locl.h,v 1.81 2005/05/29 14:28:39 lha Exp $ */ #ifndef __KRB5_LOCL_H__ #define __KRB5_LOCL_H__ @@ -50,6 +50,9 @@ #ifdef HAVE_SYS_TYPES_H #include <sys/types.h> #endif +#ifdef HAVE_SYS_MMAN_H +#include <sys/mman.h> +#endif #ifdef HAVE_UNISTD_H #include <unistd.h> #endif @@ -61,6 +64,9 @@ #include <sys/ioctl.h> #endif #ifdef HAVE_PWD_H +#undef _POSIX_PTHREAD_SEMANTICS +/* This gets us the 5-arg getpwnam_r on Solaris 9. */ +#define _POSIX_PTHREAD_SEMANTICS #include <pwd.h> #endif @@ -109,13 +115,36 @@ struct sockaddr_dl; #ifdef HAVE_SYS_FILE_H #include <sys/file.h> #endif + +#ifdef HAVE_CRYPT_H +#undef des_encrypt +#define des_encrypt wingless_pigs_mostly_fail_to_fly +#include <crypt.h> +#undef des_encrypt +#endif + +#ifdef HAVE_DOOR_CREATE +#include <door.h> +#endif + #include <roken.h> #include <parse_time.h> #include <base64.h> #include "crypto-headers.h" + #include <krb5_asn1.h> + +/* XXX glue for pkinit */ +struct krb5_pk_identity; +struct krb5_pk_cert; +struct ContentInfo; +typedef struct krb5_pk_init_ctx_data *krb5_pk_init_ctx; + +/* v4 glue */ +struct _krb5_krb_auth_data; + #include <der.h> #include <krb5.h> 
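Review bot: The `#define des_encrypt wingless_pigs_mostly_fail_to_fly` wrapper around `#include <crypt.h>` in the new `HAVE_CRYPT_H` block carries no explanation, while the `_POSIX_PTHREAD_SEMANTICS` block added a few lines above it does. Presumably some platform's `<crypt.h>` declares its own des_encrypt() that collides with the DES symbol brought in through `crypto-headers.h`, and the temporary rename hides that declaration; a reader cannot tell that from the hunk, nor which platform it was for. A comment in the same style as the existing one, `/* Some <crypt.h> declare a des_encrypt() that clashes with the DES API from crypto-headers.h; rename it away for the include. */`, would stop the next maintainer from "cleaning up" the macro dance. The `/* XXX glue for pkinit */` forward declarations would likewise benefit from a note naming the header that is expected to complete them.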
@@ -123,6 +152,8 @@ struct sockaddr_dl; #include <asn1_err.h> #include <krb5-private.h> +#include "heim_threads.h" + #define ALLOC(X, N) (X) = calloc((N), sizeof(*(X))) #define ALLOC_SEQ(X, N) do { (X)->len = (N); ALLOC((X)->val, (N)); } while(0) @@ -135,4 +166,24 @@ struct sockaddr_dl; #define O_BINARY 0 #endif +#define KRB5_BUFSIZ 1024 + +typedef enum { + KRB5_PA_PAC_DONT_CARE = 0, + KRB5_PA_PAC_REQ_TRUE, + KRB5_PA_PAC_REQ_FALSE +} krb5_get_init_creds_req_pac; + +struct _krb5_get_init_creds_opt_private { + int refcount; + /* ENC_TIMESTAMP */ + const char *password; + krb5_s2k_proc key_proc; + /* PA_PAC_REQUEST */ + krb5_get_init_creds_req_pac req_pac; + /* PKINIT */ + krb5_pk_init_ctx pk_init_ctx; + int canonicalize; +}; + #endif /* __KRB5_LOCL_H__ */ diff --git a/kerberosV/src/lib/krb5/krb5_set_default_realm.3 b/kerberosV/src/lib/krb5/krb5_set_default_realm.3 index b2765e77d72..532feb2f05d 100644 --- a/kerberosV/src/lib/krb5/krb5_set_default_realm.3 +++ b/kerberosV/src/lib/krb5/krb5_set_default_realm.3 
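Review bot: `struct _krb5_get_init_creds_opt_private` stores `const char *password` beside an `int refcount`, but nothing says whether the pointer is borrowed from the caller's buffer or owned by the library, nor who is responsible for wiping it; with reference counting the struct can presumably outlive the call that set the password, so a borrowed pointer would dangle. A field comment such as `/* password: borrowed from caller, not copied or zeroized here -- confirm lifetime vs. refcount */` (adjusted once the owner is settled) would pin this down, and `refcount` deserves a one-liner naming which functions take and release a reference. Minor style point: `#define KRB5_BUFSIZ 1024` could be an enum constant, though the macro form matches the neighbouring `ALLOC` macros. The struct definition is complete within this hunk.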
@@ -1,44 +1,45 @@ -.\" Copyright (c) 2003 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. +.\" Copyright (c) 2003 - 2005 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. .\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: .\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. .\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. .\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. 
.\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. 
.\" -.\" $KTH: krb5_set_default_realm.3,v 1.2 2003/04/16 13:58:11 lha Exp $ +.\" $KTH: krb5_set_default_realm.3,v 1.8 2005/04/24 07:49:34 lha Exp $ .\" -.Dd March 16, 2003 +.Dd April 24, 2005 .Dt KRB5_SET_DEFAULT_REALM 3 .Os HEIMDAL .Sh NAME -.Nm krb5_free_host_realm -.Nm krb5_get_default_realm -.Nm krb5_get_default_realms -.Nm krb5_get_host_realm +.Nm krb5_copy_host_realm , +.Nm krb5_free_host_realm , +.Nm krb5_get_default_realm , +.Nm krb5_get_default_realms , +.Nm krb5_get_host_realm , .Nm krb5_set_default_realm .Nd default and host realm read and manipulation routines .Sh LIBRARY @@ -46,6 +47,12 @@ Kerberos 5 Library (libkrb5, -lkrb5) .Sh SYNOPSIS .In krb5.h .Ft krb5_error_code +.Fo krb5_copy_host_realm +.Fa "krb5_context context" +.Fa "const krb5_realm *from" +.Fa "krb5_realm **to" +.Fc +.Ft krb5_error_code .Fo krb5_free_host_realm .Fa "krb5_context context" .Fa "krb5_realm *realmlist" @@ -72,6 +79,15 @@ Kerberos 5 Library (libkrb5, -lkrb5) .Fa "const char *realm" .Fc .Sh DESCRIPTION +.Fn krb5_copy_host_realm +copies the list of realms from +.Fa from +to +.Fa to . +.Fa to +should be freed by the caller using +.Fa krb5_free_host_realm . +.Pp .Fn krb5_free_host_realm frees all memory allocated by .Fa realmlist . @@ -109,11 +125,11 @@ DNS is used to lookup the realm. .Pp When using .Li DNS -to a resolve the domain for the host a.b.c, +to a resolve the domain for the host a.b.c, .Fn krb5_get_host_realm looks for a .Dv TXT -resource record named +resource record named .Li _kerberos.a.b.c , and if not found, it strips off the first component and tries a again (_kerberos.b.c) until it reaches the root. @@ -123,6 +139,10 @@ If there is no configuration or DNS information found, assumes it can use the domain part of the .Fa host to form a realm. +Caller must free +.Fa realmlist +with +.Fn krb5_free_host_realm . .Pp .Fn krb5_set_default_realm sets the default realm for the 
diff --git a/kerberosV/src/lib/krb5/krb5_set_password.3 b/kerberosV/src/lib/krb5/krb5_set_password.3 index 9f7cc708f2f..420da69c938 100644 --- a/kerberosV/src/lib/krb5/krb5_set_password.3 +++ b/kerberosV/src/lib/krb5/krb5_set_password.3 @@ -1,4 +1,4 @@ -.\" Copyright (c) 2003 Kungliga Tekniska Högskolan +.\" Copyright (c) 2003 - 2004 Kungliga Tekniska Högskolan .\" (Royal Institute of Technology, Stockholm, Sweden). .\" All rights reserved. .\" @@ -29,15 +29,16 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $KTH: krb5_set_password.3,v 1.3.2.1 2004/06/21 10:51:20 lha Exp $ +.\" $KTH: krb5_set_password.3,v 1.7 2004/07/15 14:39:06 lha Exp $ .\" -.Dd June 2, 2004 +.Dd July 15, 2004 .Dt KRB5_SET_PASSWORD 3 .Os HEIMDAL .Sh NAME .Nm krb5_change_password , .Nm krb5_set_password , -.Nm krb5_set_password_using_ccache +.Nm krb5_set_password_using_ccache , +.Nm krb5_passwd_result_to_string .Nd change password functions .Sh LIBRARY Kerberos 5 Library (libkrb5, -lkrb5) @@ -57,7 +58,7 @@ Kerberos 5 Library (libkrb5, -lkrb5) .Fa "krb5_context context" .Fa "krb5_creds *creds" .Fa "char *newpw" -.Fa "krb5_principal targprinc", +.Fa "krb5_principal targprinc" .Fa "int *result_code" .Fa "krb5_data *result_code_string" .Fa "krb5_data *result_string" 
@@ -72,17 +73,23 @@ Kerberos 5 Library (libkrb5, -lkrb5) .Fa "krb5_data *result_code_string" .Fa "krb5_data *result_string" .Fc +.Ft "const char *" +.Fo krb5_passwd_result_to_string +.Fa "krb5_context context" +.Fa "int result" +.Fc .Sh DESCRIPTION These functions change the password for a given principal. .Pp .Fn krb5_set_password and -.Fa krb5_set_password_using_ccache -is the newer two of the three functions and uses a newer version of the -protocol (and falls back to the older when the newer doesn't work). +.Fn krb5_set_password_using_ccache +are the newer of the three functions, and use a newer version of the +protocol (and also fall back to the older set-password protocol if the +newer protocol doesn't work). .Pp .Fn krb5_change_password -set the password +sets the password .Fa newpasswd for the client principal in .Fa creds . 
@@ -90,20 +97,47 @@ The server principal of creds must be .Li kadmin/changepw . .Pp .Fn krb5_set_password -changes the password for the principal -.Fa targprinc , -if +and +.Fn krb5_set_password_using_ccache +change the password for the principal +.Fa targprinc . +.Pp +.Fn krb5_set_password +requires that the credential for +.Li kadmin/changepw@REALM +is in +.Fa creds . +If the user caller isn't an administrator, this credential +needs to be an initial credential, see +.Xr krb5_get_init_creds 3 +how to get such credentials. +.Pp +.Fn krb5_set_password_using_ccache +will get the credential from +.Fa ccache . +.Pp +If .Fa targprinc is -.Dv NULL -the default principal in +.Dv NULL , +.Fn krb5_set_password_using_ccache +uses the the default principal in .Fa ccache -is used. +and +.Fn krb5_set_password +uses the global the default principal. .Pp -Both functions returns and error in +All three functions return an error in .Fa result_code -and maybe an error strings to print in +and maybe an error string to print in .Fa result_string . +.Pp +.Fn krb5_passwd_result_to_string +returns an human readable string describing the error code in +.Fa result_code +from the +.Fn krb5_set_password +functions. .Sh SEE ALSO .Xr krb5_ccache 3 , .Xr krb5_init_context 3 diff --git a/kerberosV/src/lib/krb5/krb5_timeofday.3 b/kerberosV/src/lib/krb5/krb5_timeofday.3 index 686270291ba..4658b8612d4 100644 --- a/kerberosV/src/lib/krb5/krb5_timeofday.3 +++ b/kerberosV/src/lib/krb5/krb5_timeofday.3 
@@ -1,57 +1,118 @@ -.\" Copyright (c) 2001 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. -.\" -.\" $KTH: krb5_timeofday.3,v 1.5 2003/04/16 13:58:18 lha Exp $ -.\" -.Dd July 1, 2001 +.\" $KTH: krb5_timeofday.3,v 1.8 2003/06/24 05:12:43 lha Exp $ +.\" +.\" Copyright (c) 2001, 2003 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. 
+.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. 
+.\" +.\" $KTH: krb5_timeofday.3,v 1.8 2003/06/24 05:12:43 lha Exp $ +.\" +.Dd June 17, 2003 .Dt KRB5_TIMEOFDAY 3 +.Os HEIMDAL .Sh NAME -.Nm krb5_timeofday , +.Nm krb5_timeofday +.Nm krb5_set_real_time .Nm krb5_us_timeofday -.Nd whatever these functions do +.Nm krb5_format_time +.Nm krb5_string_to_deltat +.Nd Kerberos 5 time handling functions .Sh LIBRARY Kerberos 5 Library (libkrb5, -lkrb5) .Sh SYNOPSIS .In krb5.h -.Ft "krb5_error_code" -.Fn krb5_timeofday "krb5_context context" "krb5_timestamp *timeret" -.Ft "krb5_error_code" -.Fn krb5_us_timeofday "krb5_context context" "int32_t *sec" "int32_t *usec" +.Pp +.Li krb5_timestamp ; +.Pp +.Li krb5_deltat ; +.Ft krb5_error_code +.Fo krb5_set_real_time +.Fa "krb5_context context" +.Fa "krb5_timestamp sec" +.Fa "int32_t usec" +.Fc +.Ft krb5_error_code +.Fo krb5_timeofday +.Fa "krb5_context context" +.Fa "krb5_timestamp *timeret" +.Fc +.Ft krb5_error_code +.Fo krb5_us_timeofday +.Fa "krb5_context context" +.Fa "krb5_timestamp *sec" +.Fa "int32_t *usec" +.Fc +.Ft krb5_error_code +.Fo krb5_format_time +.Fa "krb5_context context" +.Fa "time_t t" +.Fa "char *s" +.Fa "size_t len" +.Fa "krb5_boolean include_time" +.Fc +.Ft krb5_error_code +.Fo krb5_string_to_deltat +.Fa "const char *string" +.Fa "krb5_deltat *deltat" +.Fc .Sh DESCRIPTION +.Nm krb5_set_real_time +sets the absolute time that the caller knows the KDC has. +With this the to the Kerberos library can calculate the relative +diffrence beteen the KDC time and the local system time and store it +in the +.Fa content . +With this information the Kerberos library can adjust all time stamps +Kerberos packages. +.Pp .Fn krb5_timeofday returns the current time, but adjusted with the time difference between the local host and the KDC. .Fn krb5_us_timeofday also returns microseconds. .Pp -.\".Sh EXAMPLE +.Nm krb5_format_time +formats the time +.Fa t +into the string +.Fa s +of length +.Fa len . +If +.Fa include_time +is set, the time is set include_time. 
+.Pp +.Nm krb5_string_to_deltat +Parses delta time +.Fa string +into +.Fa deltat . .Sh SEE ALSO -.Xr gettimeofday 2 +.Xr gettimeofday 2 , +.Xr krb5 3 diff --git a/kerberosV/src/lib/krb5/krb5_verify_user.3 b/kerberosV/src/lib/krb5/krb5_verify_user.3 index ae8006668a3..a6d5dea8f97 100644 --- a/kerberosV/src/lib/krb5/krb5_verify_user.3 +++ b/kerberosV/src/lib/krb5/krb5_verify_user.3 
@@ -1,36 +1,36 @@ .\" Copyright (c) 2001 - 2003 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. .\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: .\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. .\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. .\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $KTH: krb5_verify_user.3,v 1.13 2004/03/20 18:36:51 lha Exp $ .\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. -.\" -.\" $KTH: krb5_verify_user.3,v 1.10 2003/04/16 13:58:11 lha Exp $ -.\" .Dd March 25, 2003 .Dt KRB5_VERIFY_USER 3 .Os HEIMDAL @@ -39,6 +39,7 @@ .Nm krb5_verify_user_lrealm , .Nm krb5_verify_user_opt , .Nm krb5_verify_opt_init +.Nm krb5_verify_opt_set_ccache , .Nm krb5_verify_opt_set_flags , .Nm krb5_verify_opt_set_service , .Nm krb5_verify_opt_set_secure , 
@@ -79,7 +80,7 @@ The principal whose password will be verified is specified in .Fa principal . New tickets will be obtained as a side-effect and stored in .Fa ccache -(if +(if .Dv NULL , the default ccache is used). .Fn krb5_verify_user @@ -180,7 +181,7 @@ The principal whose password will be verified is specified in .Fa principal . Options the to the verification process is pass in in .Fa opt . -.Sh EXAMPLE +.Sh EXAMPLES Here is a example program that verifies a password. it uses the .Ql host/`hostname` service principal in @@ -218,6 +219,7 @@ main(int argc, char **argv) .Xr krb5_cc_gen_new 3 , .Xr krb5_cc_initialize 3 , .Xr krb5_cc_resolve 3 , +.Xr krb5_cc_initialize 3 , .Xr krb5_err 3 , .Xr krb5_free_principal 3 , .Xr krb5_init_context 3 , diff --git a/kerberosV/src/lib/krb5/krbhst.c b/kerberosV/src/lib/krb5/krbhst.c index aab044b217f..b563b3e4b53 100644 --- a/kerberosV/src/lib/krb5/krbhst.c +++ b/kerberosV/src/lib/krb5/krbhst.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2001 Kungliga Tekniska Högskolan + * Copyright (c) 2001 - 2003 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -34,7 +34,7 @@ #include "krb5_locl.h" #include <resolve.h> -RCSID("$KTH: krbhst.c,v 1.43.2.1 2003/04/22 15:00:38 lha Exp $"); +RCSID("$KTH: krbhst.c,v 1.51 2005/05/20 09:09:42 lha Exp $"); static int string_to_proto(const char *string) @@ -66,6 +66,9 @@ srv_find_realm(krb5_context context, krb5_krbhst_info ***res, int *count, int proto_num; int def_port; + *res = NULL; + *count = 0; + proto_num = string_to_proto(proto); if(proto_num < 0) { krb5_set_error_string(context, "unknown protocol `%s'", proto); 
@@ -82,11 +85,8 @@ srv_find_realm(krb5_context context, krb5_krbhst_info ***res, int *count,
 snprintf(domain, sizeof(domain), "_%s._%s.%s.", service, proto, realm);
 r = dns_lookup(domain, dns_type);
- if(r == NULL) {
- *res = NULL;
- *count = 0;
+ if(r == NULL)
 return KRB5_KDC_UNREACH;
- }
 for(num_srv = 0, rr = r->head; rr; rr = rr->next)
 if(rr->type == T_SRV)
@@ -112,6 +112,7 @@ srv_find_realm(krb5_context context, krb5_krbhst_info ***res, int *count,
 while(--num_srv >= 0)
 free((*res)[num_srv]);
 free(*res);
+ *res = NULL;
 return ENOMEM;
 }
 (*res)[num_srv++] = hi;
@@ -139,13 +140,13 @@ struct krb5_krbhst_data {
 unsigned int flags;
 int def_port;
 int port; /* hardwired port number if != 0 */
-#define KD_CONFIG 1
-#define KD_SRV_UDP 2
-#define KD_SRV_TCP 4
-#define KD_SRV_HTTP 8
-#define KD_FALLBACK 16
-#define KD_CONFIG_EXISTS 32
-
+#define KD_CONFIG 1
+#define KD_SRV_UDP 2
+#define KD_SRV_TCP 4
+#define KD_SRV_HTTP 8
+#define KD_FALLBACK 16
+#define KD_CONFIG_EXISTS 32
+#define KD_LARGE_MSG 64
 krb5_error_code (*get_next)(krb5_context,
 struct krb5_krbhst_data *,
 krb5_krbhst_info**);
@@ -161,12 +162,26 @@ krbhst_empty(const struct krb5_krbhst_data *kd)
 }
 /*
+ * Return the default protocol for the `kd' (either TCP or UDP)
+ */
+
+static int
+krbhst_get_default_proto(struct krb5_krbhst_data *kd)
+{
+ if (kd->flags & KD_LARGE_MSG)
+ return KRB5_KRBHST_TCP;
+ return KRB5_KRBHST_UDP;
+}
+
+
+/*
 * parse `spec' into a krb5_krbhst_info, defaulting the port to `def_port'
 * and forcing it to `port' if port != 0
 */
 static struct krb5_krbhst_info*
-parse_hostspec(krb5_context context, const char *spec, int def_port, int port)
+parse_hostspec(krb5_context context, struct krb5_krbhst_data *kd,
+ const char *spec, int def_port, int port)
 {
 const char *p = spec;
 struct krb5_krbhst_info *hi;
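Review bot: The header comment above parse_hostspec still describes only `spec`, `def_port` and `port`, while the new `kd` parameter now decides the transport a host entry gets when the spec carries no scheme (krbhst_get_default_proto returns KRB5_KRBHST_TCP when KD_LARGE_MSG is set, KRB5_KRBHST_UDP otherwise). A reader of the comment would assume UDP, as the removed code hard-wired it. I would extend the comment with ` * the default protocol is taken from `kd' (TCP if KD_LARGE_MSG is set, else UDP)`. parse_hostspec's body continues outside the hunk, so whether a scheme prefix later overrides this default is only partly visible here.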
@@ -175,7 +190,7 @@ parse_hostspec(krb5_context context, const char *spec, int def_port, int port)
 if(hi == NULL)
 return NULL;
- hi->proto = KRB5_KRBHST_UDP;
+ hi->proto = krbhst_get_default_proto(kd);
 if(strncmp(p, "http://", 7) == 0){
 hi->proto = KRB5_KRBHST_HTTP;
@@ -243,7 +258,7 @@ append_host_string(krb5_context context, struct krb5_krbhst_data *kd,
 {
 struct krb5_krbhst_info *hi;
- hi = parse_hostspec(context, host, def_port, port);
+ hi = parse_hostspec(context, kd, host, def_port, port);
 if(hi == NULL)
 return ENOMEM;
@@ -255,7 +270,7 @@ append_host_string(krb5_context context, struct krb5_krbhst_data *kd,
 * return a readable representation of `host' in `hostname, hostlen'
 */
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_krbhst_format_string(krb5_context context, const krb5_krbhst_info *host,
 char *hostname, size_t hostlen)
 {
@@ -296,7 +311,7 @@ make_hints(struct addrinfo *hints, int proto)
 * in `host'. free:ing is handled by krb5_krbhst_free.
 */
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_krbhst_get_addrinfo(krb5_context context, krb5_krbhst_info *host,
 struct addrinfo **ai)
 {
@@ -329,13 +344,14 @@ get_next(struct krb5_krbhst_data *kd, krb5_krbhst_info **host)
 static void
 srv_get_hosts(krb5_context context, struct krb5_krbhst_data *kd,
- const char *proto, const char *service)
+ const char *proto, const char *service)
 {
 krb5_krbhst_info **res;
 int count, i;
- srv_find_realm(context, &res, &count, kd->realm, "SRV", proto, service,
- kd->port);
+ if (srv_find_realm(context, &res, &count, kd->realm, "SRV", proto, service,
+ kd->port))
+ return;
 for(i = 0; i < count; i++)
 append_host_hostinfo(kd, res[i]);
 free(res);
@@ -438,7 +454,7 @@ kdc_get_next(krb5_context context,
 return KRB5_KDC_UNREACH; /* XXX */
 if(context->srv_lookup) {
- if((kd->flags & KD_SRV_UDP) == 0) {
+ if((kd->flags & KD_SRV_UDP) == 0 && (kd->flags & KD_LARGE_MSG) == 0) {
 srv_get_hosts(context, kd, "udp", "kerberos");
 kd->flags |= KD_SRV_UDP;
 if(get_next(kd, host))
@@ -461,7 +477,8 @@ kdc_get_next(krb5_context context,
 while((kd->flags & KD_FALLBACK) == 0) {
 ret = fallback_get_hosts(context, kd, "kerberos",
- kd->def_port, KRB5_KRBHST_UDP);
+ kd->def_port,
+ krbhst_get_default_proto(kd));
 if(ret)
 return ret;
 if(get_next(kd, host))
@@ -500,7 +517,8 @@ admin_get_next(krb5_context context,
 if (krbhst_empty(kd) && (kd->flags & KD_FALLBACK) == 0) {
 ret = fallback_get_hosts(context, kd, "kerberos",
- kd->def_port, KRB5_KRBHST_UDP);
+ kd->def_port,
+ krbhst_get_default_proto(kd));
 if(ret)
 return ret;
 kd->flags |= KD_FALLBACK;
@@ -520,6 +538,7 @@ kpasswd_get_next(krb5_context context,
 if((kd->flags & KD_CONFIG) == 0) {
 config_get_hosts(context, kd, "kpasswd_server");
+ kd->flags |= KD_CONFIG;
 if(get_next(kd, host))
 return 0;
 }
@@ -534,6 +553,12 @@ kpasswd_get_next(krb5_context context,
 if(get_next(kd, host))
 return 0;
 }
+ if((kd->flags & KD_SRV_TCP) == 0) {
+ srv_get_hosts(context, kd, "tcp", "kpasswd");
+ kd->flags |= KD_SRV_TCP;
+ if(get_next(kd, host))
+ return 0;
+ }
 }
 /* no matches -> try admin */
@@ -544,7 +569,7 @@ kpasswd_get_next(krb5_context context,
 kd->get_next = admin_get_next;
 ret = (*kd->get_next)(context, kd, host);
 if (ret == 0)
- (*host)->proto = KRB5_KRBHST_UDP;
+ (*host)->proto = krbhst_get_default_proto(kd);
 return ret;
 }
@@ -596,7 +621,8 @@ krb524_get_next(krb5_context context,
 static struct krb5_krbhst_data*
 common_init(krb5_context context,
- const char *realm)
+ const char *realm,
+ int flags)
 {
 struct krb5_krbhst_data *kd;
@@ -608,6 +634,8 @@ common_init(krb5_context context,
 return NULL;
 }
+ if (flags & KRB5_KRBHST_FLAGS_LARGE_MSG)
+ kd->flags |= KD_LARGE_MSG;
 kd->end = kd->index = &kd->hosts;
 return kd;
 }
</gr_insert_placeholder_never_emitted>
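Review bot: In common_init the new `flags` argument is consumed by a single bit test, so any other bit a caller passes through the public krb5_krbhst_init_flags is silently ignored, and nothing in the hunk says which values are meaningful. Rejecting unknown bits here would be awkward because common_init only signals failure with NULL, which the caller maps to ENOMEM, so documenting the contract is the better fix: above the test I would add `/* flags: only KRB5_KRBHST_FLAGS_LARGE_MSG is honoured (default transport becomes TCP); other bits are ignored */`. common_init's body starts in the earlier `@@ -596` hunk and the rest of it lies between the two hunks.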
@@ -616,12 +644,22 @@ common_init(krb5_context context,
 * initialize `handle' to look for hosts of type `type' in realm `realm'
 */
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_krbhst_init(krb5_context context,
 const char *realm,
 unsigned int type,
 krb5_krbhst_handle *handle)
 {
+ return krb5_krbhst_init_flags(context, realm, type, 0, handle);
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
+krb5_krbhst_init_flags(krb5_context context,
+ const char *realm,
+ unsigned int type,
+ int flags,
+ krb5_krbhst_handle *handle)
+{
 struct krb5_krbhst_data *kd;
 krb5_error_code (*get_next)(krb5_context, struct krb5_krbhst_data *,
 krb5_krbhst_info **);
@@ -650,7 +688,7 @@ krb5_krbhst_init(krb5_context context,
 krb5_set_error_string(context, "unknown krbhst type (%u)", type);
 return ENOTTY;
 }
- if((kd = common_init(context, realm)) == NULL)
+ if((kd = common_init(context, realm, flags)) == NULL)
 return ENOMEM;
 kd->get_next = get_next;
 kd->def_port = def_port;
@@ -662,7 +700,7 @@ krb5_krbhst_init(krb5_context context,
 * return the next host information from `handle' in `host'
 */
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_krbhst_next(krb5_context context,
 krb5_krbhst_handle handle,
 krb5_krbhst_info **host)
@@ -678,7 +716,7 @@ krb5_krbhst_next(krb5_context context,
 * in `hostname' (or length `hostlen)
 */
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_krbhst_next_as_string(krb5_context context,
 krb5_krbhst_handle handle,
 char *hostname,
@@ -693,13 +731,13 @@ krb5_krbhst_next_as_string(krb5_context context,
 }
-void
+void KRB5_LIB_FUNCTION
 krb5_krbhst_reset(krb5_context context, krb5_krbhst_handle handle)
 {
 handle->index = &handle->hosts;
 }
-void
+void KRB5_LIB_FUNCTION
 krb5_krbhst_free(krb5_context context, krb5_krbhst_handle handle)
 {
 krb5_krbhst_info *h, *next;
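Review bot: The new public entry point krb5_krbhst_init_flags has no header comment, while the existing comment "initialize `handle' to look for hosts of type `type' in realm `realm'" now sits above what has become a one-line wrapper. Since every other exported function in this file carries a short description, I would add above the new definition `/* as krb5_krbhst_init, but `flags' (KRB5_KRBHST_FLAGS_LARGE_MSG) may request TCP as the default transport for large messages */`. The rest of krb5_krbhst_init_flags lies outside this hunk.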
@@ -761,7 +799,7 @@ gethostlist(krb5_context context, const char *realm,
 * return an malloced list of kadmin-hosts for `realm' in `hostlist'
 */
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_get_krb_admin_hst (krb5_context context,
 const krb5_realm *realm,
 char ***hostlist)
@@ -773,7 +811,7 @@ krb5_get_krb_admin_hst (krb5_context context,
 * return an malloced list of changepw-hosts for `realm' in `hostlist'
 */
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_get_krb_changepw_hst (krb5_context context,
 const krb5_realm *realm,
 char ***hostlist)
@@ -785,7 +823,7 @@ krb5_get_krb_changepw_hst (krb5_context context,
 * return an malloced list of 524-hosts for `realm' in `hostlist'
 */
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_get_krb524hst (krb5_context context,
 const krb5_realm *realm,
 char ***hostlist)
@@ -798,7 +836,7 @@ krb5_get_krb524hst (krb5_context context,
 * return an malloced list of KDC's for `realm' in `hostlist'
 */
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_get_krbhst (krb5_context context,
 const krb5_realm *realm,
 char ***hostlist)
@@ -810,7 +848,7 @@ krb5_get_krbhst (krb5_context context,
 * free all the memory allocated in `hostlist'
 */
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_free_krbhst (krb5_context context,
 char **hostlist)
 {
diff --git a/kerberosV/src/lib/krb5/log.c b/kerberosV/src/lib/krb5/log.c
index 36f5d51f53d..67f21e95933 100644
--- a/kerberosV/src/lib/krb5/log.c
+++ b/kerberosV/src/lib/krb5/log.c
@@ -33,7 +33,7 @@
 #include "krb5_locl.h"
-RCSID("$KTH: log.c,v 1.31 2002/09/05 14:59:14 joda Exp $");
+RCSID("$KTH: log.c,v 1.34 2005/06/11 00:14:28 lha Exp $");
 struct facility {
 int min;
@@ -47,10 +47,10 @@ static struct facility*
 log_realloc(krb5_log_facility *f)
 {
 struct facility *fp;
- f->len++;
- fp = realloc(f->val, f->len * sizeof(*f->val));
+ fp = realloc(f->val, (f->len + 1) * sizeof(*f->val));
 if(fp == NULL)
 return NULL;
+ f->len++;
 f->val = fp;
 fp += f->len - 1;
 return fp;
@@ -114,7 +114,7 @@ find_value(const char *s, struct s2i *table)
 return table->val;
 }
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_initlog(krb5_context context,
 const char *program,
 krb5_log_facility **fac)
@@ -134,7 +134,7 @@ krb5_initlog(krb5_context context,
 return 0;
 }
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_addlog_func(krb5_context context,
 krb5_log_facility *fac,
 int min,
@@ -254,7 +254,7 @@ open_file(krb5_context context, krb5_log_facility *fac, int min, int max,
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_addlog_dest(krb5_context context, krb5_log_facility *f, const char *orig)
 {
 krb5_error_code ret = 0;
@@ -337,7 +337,7 @@ krb5_addlog_dest(krb5_context context, krb5_log_facility *f, const char *orig)
 }
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_openlog(krb5_context context,
 const char *program,
 krb5_log_facility **fac)
@@ -361,20 +361,26 @@ krb5_openlog(krb5_context context,
 return 0;
 }
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_closelog(krb5_context context,
 krb5_log_facility *fac)
 {
 int i;
 for(i = 0; i < fac->len; i++)
 (*fac->val[i].close)(fac->val[i].data);
+ free(fac->val);
+ free(fac->program);
+ fac->val = NULL;
+ fac->len = 0;
+ fac->program = NULL;
+ free(fac);
 return 0;
 }
 #undef __attribute__
 #define __attribute__(X)
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_vlog_msg(krb5_context context,
 krb5_log_facility *fac,
 char **reply,
@@ -413,7 +419,7 @@ krb5_vlog_msg(krb5_context context,
 return 0;
 }
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_vlog(krb5_context context,
 krb5_log_facility *fac,
 int level,
@@ -424,7 +430,7 @@ krb5_vlog(krb5_context context,
 return krb5_vlog_msg(context, fac, NULL, level, fmt, ap);
 }
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_log_msg(krb5_context context,
 krb5_log_facility *fac,
 int level,
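Review bot: krb5_closelog now frees `fac` itself, which changes the ownership contract of a public function without any comment saying so: a caller that continued to use the facility after closing it, or that freed `fac` on its own, now has a use-after-free or double free. The three assignments `fac->val = NULL; fac->len = 0; fac->program = NULL;` immediately before `free(fac)` no longer protect anything and just obscure that the object is gone. I would add above the function `/* close all log destinations and release `fac'; the handle is invalid after this call */`, and drop the three dead stores. Whether `fac->program` is always a heap copy that this function may free is not visible in the hunk and should be checked against krb5_initlog.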
@@ -443,7 +449,7 @@ krb5_log_msg(krb5_context context,
 }
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_log(krb5_context context,
 krb5_log_facility *fac,
 int level,
diff --git a/kerberosV/src/lib/krb5/name-45-test.c b/kerberosV/src/lib/krb5/name-45-test.c
index 39145824701..04941cbae7e 100644
--- a/kerberosV/src/lib/krb5/name-45-test.c
+++ b/kerberosV/src/lib/krb5/name-45-test.c
@@ -31,8 +31,9 @@
 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
 #include "krb5_locl.h"
+#include <err.h>
-RCSID("$KTH: name-45-test.c,v 1.3.2.1 2003/05/06 16:49:14 joda Exp $");
+RCSID("$KTH: name-45-test.c,v 1.7 2005/05/29 18:22:59 lha Exp $");
 enum { MAX_COMPONENTS = 3 };
@@ -152,8 +153,15 @@ main(int argc, char **argv)
 struct testcase *t;
 krb5_context context;
 krb5_error_code ret;
+ char hostname[1024];
 int val = 0;
+ setprogname(argv[0]);
+
+ gethostname(hostname, sizeof(hostname));
+ if (!(strstr(hostname, "kth.se") != NULL || strstr(hostname, "su.se") != NULL))
+ return 0;
+
 for (t = tests; t->v4_name; ++t) {
 krb5_principal princ;
 int i;
diff --git a/kerberosV/src/lib/krb5/prog_setup.c b/kerberosV/src/lib/krb5/prog_setup.c
index fefae4a9f7f..86efa7900a6 100644
--- a/kerberosV/src/lib/krb5/prog_setup.c
+++ b/kerberosV/src/lib/krb5/prog_setup.c
@@ -35,16 +35,16 @@
 #include <getarg.h>
 #include <err.h>
-RCSID("$KTH: prog_setup.c,v 1.9 2001/02/20 01:44:54 assar Exp $");
+RCSID("$KTH: prog_setup.c,v 1.10 2004/05/25 21:37:55 lha Exp $");
-void
+void KRB5_LIB_FUNCTION
 krb5_std_usage(int code, struct getargs *args, int num_args)
 {
 arg_printusage(args, num_args, NULL, "");
 exit(code);
 }
-int
+int KRB5_LIB_FUNCTION
 krb5_program_setup(krb5_context *context, int argc, char **argv,
 struct getargs *args, int num_args,
 void (*usage)(int, struct getargs*, int))
diff --git a/kerberosV/src/lib/krb5/rd_req.c b/kerberosV/src/lib/krb5/rd_req.c
index bf9de9c1a23..1ff1ab920bb 100644
--- a/kerberosV/src/lib/krb5/rd_req.c
+++ b/kerberosV/src/lib/krb5/rd_req.c
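Review bot: In name-45-test.c's main, `gethostname(hostname, sizeof(hostname))` ignores its return value and the buffer is not guaranteed to be NUL-terminated when the host name is at least 1024 bytes, so the following `strstr` calls may read past the array or scan stack garbage. Two lines make this robust: `if (gethostname(hostname, sizeof(hostname)) != 0) return 0;` followed by `hostname[sizeof(hostname) - 1] = '\0';`. It is also worth a comment that `return 0` here deliberately reports success on hosts where the KTH-specific realm mapping is not expected to work, since a reader may otherwise take the early exit for a disabled test. The rest of main lies outside the hunk.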
@@ -33,7 +33,7 @@
 #include <krb5_locl.h>
-RCSID("$KTH: rd_req.c,v 1.47.8.3 2003/10/21 20:10:33 lha Exp $");
+RCSID("$KTH: rd_req.c,v 1.57.4.1 2006/02/03 14:38:02 lha Exp $");
 static krb5_error_code
 decrypt_tkt_enc_part (krb5_context context,
@@ -101,7 +101,7 @@ decrypt_authenticator (krb5_context context,
 return ret;
 }
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_decode_ap_req(krb5_context context,
 const krb5_data *inbuf,
 krb5_ap_req *ap_req)
@@ -155,7 +155,58 @@ check_transited(krb5_context context, Ticket *ticket, EncTicketPart *enc)
 return ret;
 }
-krb5_error_code
+static krb5_error_code
+find_etypelist(krb5_context context,
+ krb5_auth_context auth_context,
+ EtypeList *etypes)
+{
+ krb5_error_code ret;
+ krb5_authdata *ad;
+ krb5_authdata adIfRelevant;
+ unsigned i;
+
+ adIfRelevant.len = 0;
+
+ etypes->len = 0;
+ etypes->val = NULL;
+
+ ad = auth_context->authenticator->authorization_data;
+ if (ad == NULL)
+ return 0;
+
+ for (i = 0; i < ad->len; i++) {
+ if (ad->val[i].ad_type == KRB5_AUTHDATA_IF_RELEVANT) {
+ ret = decode_AD_IF_RELEVANT(ad->val[i].ad_data.data,
+ ad->val[i].ad_data.length,
+ &adIfRelevant,
+ NULL);
+ if (ret)
+ return ret;
+
+ if (adIfRelevant.len == 1 &&
+ adIfRelevant.val[0].ad_type ==
+ KRB5_AUTHDATA_GSS_API_ETYPE_NEGOTIATION) {
+ break;
+ }
+ free_AD_IF_RELEVANT(&adIfRelevant);
+ adIfRelevant.len = 0;
+ }
+ }
+
+ if (adIfRelevant.len == 0)
+ return 0;
+
+ ret = decode_EtypeList(adIfRelevant.val[0].ad_data.data,
+ adIfRelevant.val[0].ad_data.length,
+ etypes,
+ NULL);
+
+ free_AD_IF_RELEVANT(&adIfRelevant);
+
+ return ret;
+}
+
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_decrypt_ticket(krb5_context context,
 Ticket *ticket,
 krb5_keyblock *key,
@@ -204,7 +255,7 @@ krb5_decrypt_ticket(krb5_context context,
 return 0;
 }
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_verify_authenticator_checksum(krb5_context context,
 krb5_auth_context ac,
 void *data,
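Review bot: find_etypelist parses data taken from the peer's authenticator yet has no comment stating what it looks for or how "not found" is reported, and the `break` that keeps `adIfRelevant` alive while `adIfRelevant.len == 0` doubles as the not-found sentinel is easy to misread. I would add above the definition `/* Look through the authenticator's authorization data for an AD-IF-RELEVANT element that wraps exactly one KRB5_AUTHDATA_GSS_API_ETYPE_NEGOTIATION entry and decode its EtypeList into `etypes'; on return `etypes' is empty (len 0, val NULL) if no such element exists. Returns 0 or the decoder's error. */`. On the `if (ret) return ret;` after decode_AD_IF_RELEVANT the function returns without calling free_AD_IF_RELEVANT; that is only leak-free if the generated decoder releases its partial result on failure, which is not visible here and deserves a one-line comment either way. The same question applies to `etypes` when decode_EtypeList fails, since the caller frees it only on its success path.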
@@ -244,7 +295,7 @@ out:
 }
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_verify_ap_req(krb5_context context,
 krb5_auth_context *auth_context,
 krb5_ap_req *ap_req,
@@ -265,7 +316,7 @@ krb5_verify_ap_req(krb5_context context,
 KRB5_KU_AP_REQ_AUTH);
 }
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_verify_ap_req2(krb5_context context,
 krb5_auth_context *auth_context,
 krb5_ap_req *ap_req,
@@ -276,9 +327,10 @@ krb5_verify_ap_req2(krb5_context context,
 krb5_ticket **ticket,
 krb5_key_usage usage)
 {
- krb5_ticket *t;
 krb5_auth_context ac;
 krb5_error_code ret;
+ EtypeList etypes;
 if (auth_context && *auth_context) {
 ac = *auth_context;
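Review bot: `krb5_ticket *t;` is declared without an initializer, but the function's `out:` label (in a later hunk) now tests `if (t)` before freeing it; the code is correct today only because every exit before the `malloc` is a plain `return ret`, and the next `goto out` added above that point turns the test into a read of an indeterminate pointer. The one-line fix is `krb5_ticket *t = NULL;`. The same pattern applies to `EtypeList etypes;`, which is freed only on the success path and never touched at `out:`, so initializing it here and freeing it at `out:` would make the cleanup uniform. krb5_verify_ap_req2's body continues outside this hunk.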
@@ -288,69 +340,90 @@ krb5_verify_ap_req2(krb5_context context,
 return ret;
 }
+ t = malloc(sizeof(*t));
+ if (t == NULL) {
+ ret = ENOMEM;
+ krb5_clear_error_string (context);
+ goto out;
+ }
+ memset(t, 0, sizeof(*t));
+
 if (ap_req->ap_options.use_session_key && ac->keyblock){
 ret = krb5_decrypt_ticket(context, &ap_req->ticket,
 ac->keyblock,
- &t.ticket,
+ &t->ticket,
 flags);
 krb5_free_keyblock(context, ac->keyblock);
 ac->keyblock = NULL;
 }else
 ret = krb5_decrypt_ticket(context, &ap_req->ticket,
 keyblock,
- &t.ticket,
+ &t->ticket,
 flags);
 if(ret)
 goto out;
- principalname2krb5_principal(&t.server, ap_req->ticket.sname,
- ap_req->ticket.realm);
- principalname2krb5_principal(&t.client, t.ticket.cname,
- t.ticket.crealm);
+ _krb5_principalname2krb5_principal(&t->server, ap_req->ticket.sname,
+ ap_req->ticket.realm);
+ _krb5_principalname2krb5_principal(&t->client, t->ticket.cname,
+ t->ticket.crealm);
 /* save key */
- krb5_copy_keyblock(context, &t.ticket.key, &ac->keyblock);
+ krb5_copy_keyblock(context, &t->ticket.key, &ac->keyblock);
 ret = decrypt_authenticator (context,
- &t.ticket.key,
+ &t->ticket.key,
 &ap_req->authenticator,
 ac->authenticator,
 usage);
 if (ret)
- goto out2;
+ goto out;
 {
 krb5_principal p1, p2;
 krb5_boolean res;
- principalname2krb5_principal(&p1,
- ac->authenticator->cname,
- ac->authenticator->crealm);
- principalname2krb5_principal(&p2,
- t.ticket.cname,
- t.ticket.crealm);
+ _krb5_principalname2krb5_principal(&p1,
+ ac->authenticator->cname,
+ ac->authenticator->crealm);
+ _krb5_principalname2krb5_principal(&p2,
+ t->ticket.cname,
+ t->ticket.crealm);
 res = krb5_principal_compare (context, p1, p2);
 krb5_free_principal (context, p1);
 krb5_free_principal (context, p2);
 if (!res) {
 ret = KRB5KRB_AP_ERR_BADMATCH;
 krb5_clear_error_string (context);
- goto out2;
+ goto out;
 }
 }
 /* check addresses */
- if (t.ticket.caddr
+ if (t->ticket.caddr
 && ac->remote_address
 && !krb5_address_search (context,
 ac->remote_address,
- t.ticket.caddr)) {
+ t->ticket.caddr)) {
 ret = KRB5KRB_AP_ERR_BADADDR;
 krb5_clear_error_string (context);
- goto out2;
+ goto out;
+ }
+
+ /* check timestamp in authenticator */
+ {
+ krb5_timestamp now;
+
+ krb5_timeofday (context, &now);
+
+ if (abs(ac->authenticator->ctime - now) > context->max_skew) {
+ ret = KRB5KRB_AP_ERR_SKEW;
+ krb5_clear_error_string (context);
+ goto out;
+ }
 }
 if (ac->authenticator->seq_number)
@@ -363,38 +436,57 @@ krb5_verify_ap_req2(krb5_context context,
 ret = krb5_auth_con_setremotesubkey(context, ac,
 ac->authenticator->subkey);
 if (ret)
- goto out2;
+ goto out;
+ }
+
+ ret = find_etypelist(context, ac, &etypes);
+ if (ret)
+ goto out;
+
+ ac->keytype = ETYPE_NULL;
+
+ if (etypes.val) {
+ int i;
+
+ for (i = 0; i < etypes.len; i++) {
+ if (krb5_enctype_valid(context, etypes.val[i]) == 0) {
+ ac->keytype = etypes.val[i];
+ break;
+ }
+ }
 }
 if (ap_req_options) {
 *ap_req_options = 0;
+ if (ac->keytype != ETYPE_NULL)
+ *ap_req_options |= AP_OPTS_USE_SUBKEY;
 if (ap_req->ap_options.use_session_key)
 *ap_req_options |= AP_OPTS_USE_SESSION_KEY;
 if (ap_req->ap_options.mutual_required)
 *ap_req_options |= AP_OPTS_MUTUAL_REQUIRED;
 }
- if(ticket){
- *ticket = malloc(sizeof(**ticket));
- **ticket = t;
- } else
- krb5_free_ticket (context, &t);
+ if(ticket)
+ *ticket = t;
+ else
+ krb5_free_ticket (context, t);
 if (auth_context) {
 if (*auth_context == NULL)
 *auth_context = ac;
 } else
 krb5_auth_con_free (context, ac);
+ free_EtypeList(&etypes);
 return 0;
- out2:
- krb5_free_ticket (context, &t);
 out:
+ if (t)
+ krb5_free_ticket (context, t);
 if (auth_context == NULL || *auth_context == NULL)
 krb5_auth_con_free (context, ac);
 return ret;
 }
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_rd_req_with_keyblock(krb5_context context,
 krb5_auth_context *auth_context,
 const krb5_data *inbuf,
@@ -469,7 +561,7 @@ out:
 return ret;
 }
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_rd_req(krb5_context context,
 krb5_auth_context *auth_context,
 const krb5_data *inbuf,
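Review bot: The four renamed `_krb5_principalname2krb5_principal` calls still discard their krb5_error_code, so on an allocation failure `t->server`/`t->client` stay NULL (from the memset) and are handed to the caller, while `p1`/`p2` are passed uninitialized to krb5_principal_compare and krb5_free_principal; the same unchecked conversion of `service` appears in krb5_rd_req's `@@ -494` hunk. The new clock-skew block also ignores the return of `krb5_timeofday`, so a failure there leaves `now` indeterminate, and `abs(ac->authenticator->ctime - now)` is a signed subtraction that overflows (undefined behaviour) when an attacker-chosen `ctime` is far from the local time, assuming krb5_timestamp is a 32-bit signed type as it is elsewhere in Heimdal; computing the difference in a wider type, e.g. `long long d = (long long)ac->authenticator->ctime - now;`, and testing `d > context->max_skew || -d > context->max_skew` avoids that. The sketch below checks the conversions and the timeofday call; the function's `out:` label already releases `t` and `ac`.
```c
    if(ret)
	goto out;

    ret = _krb5_principalname2krb5_principal(&t->server, ap_req->ticket.sname,
					      ap_req->ticket.realm);
    if (ret)
	goto out;
    ret = _krb5_principalname2krb5_principal(&t->client, t->ticket.cname,
					      t->ticket.crealm);
    if (ret)
	goto out;

    /* save key */
    ret = krb5_copy_keyblock(context, &t->ticket.key, &ac->keyblock);
    if (ret)
	goto out;
    /* … unchanged: decrypt_authenticator call and the p1/p2 comparison block,
       with the same `ret = ...; if (ret) goto out;` treatment for p1 and p2 … */

    /* check timestamp in authenticator */
    {
	krb5_timestamp now;
	long long d;

	ret = krb5_timeofday (context, &now);
	if (ret)
	    goto out;

	d = (long long)ac->authenticator->ctime - now;
	if (d > context->max_skew || -d > context->max_skew) {
	    ret = KRB5KRB_AP_ERR_SKEW;
	    krb5_clear_error_string (context);
	    goto out;
	}
    }
```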
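Review bot: The enctype negotiation loop takes the first entry of the client's EtypeList that krb5_enctype_valid accepts, so the client's ordering, not the server's preference, decides which enctype ends up in `ac->keytype`; unless krb5_enctype_valid also rejects deprecated enctypes (not visible here), a client can steer the negotiation to the weakest type it lists. That is defensible for interoperability but should be stated, e.g. `/* honour the client's preference order; krb5_enctype_valid is the only server-side filter */` above the loop, and the loop index `int i` compared with the unsigned `etypes.len` should be `unsigned i` to match find_etypelist. `free_EtypeList(&etypes)` runs only on the success path; no `goto out` can fire after find_etypelist today, but a comment at `out:` noting that `etypes` is deliberately not released there would keep the next change from leaking it.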
@@ -494,9 +586,9 @@ krb5_rd_req(krb5_context context, return ret; if(server == NULL){ - principalname2krb5_principal(&service, - ap_req.ticket.sname, - ap_req.ticket.realm); + _krb5_principalname2krb5_principal(&service, + ap_req.ticket.sname, + ap_req.ticket.realm); server = service; } if (ap_req.ap_options.use_session_key && @@ -533,8 +625,7 @@ krb5_rd_req(krb5_context context, ap_req_options, ticket); - if(keyblock != NULL) - krb5_free_keyblock(context, keyblock); + krb5_free_keyblock(context, keyblock); out: free_AP_REQ(&ap_req); diff --git a/kerberosV/src/lib/krb5/transited.c b/kerberosV/src/lib/krb5/transited.c index 7af9a319b16..4635a7d71d2 100644 --- a/kerberosV/src/lib/krb5/transited.c +++ b/kerberosV/src/lib/krb5/transited.c @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$KTH: transited.c,v 1.10.2.3 2003/10/22 06:07:41 lha Exp $"); +RCSID("$KTH: transited.c,v 1.15 2004/05/25 21:45:27 lha Exp $"); /* this is an attempt at one of the most horrible `compression' schemes that has ever been invented; it's so amazingly brain-dead @@ -299,7 +299,7 @@ decode_realms(krb5_context context, } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_domain_x500_decode(krb5_context context, krb5_data tr, char ***realms, int *num_realms, const char *client_realm, const char *server_realm) @@ -362,7 +362,7 @@ krb5_domain_x500_decode(krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_domain_x500_encode(char **realms, int num_realms, krb5_data *encoding) { char *s = NULL; @@ -393,7 +393,7 @@ krb5_domain_x500_encode(char **realms, int num_realms, krb5_data *encoding) return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_check_transited(krb5_context context, krb5_const_realm client_realm, krb5_const_realm server_realm, 
@@ -431,7 +431,7 @@ krb5_check_transited(krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_check_transited_realms(krb5_context context, const char *const *realms, int num_realms, diff --git a/kerberosV/src/lib/krb5/verify_krb5_conf.8 b/kerberosV/src/lib/krb5/verify_krb5_conf.8 index 667d026deef..3a758141636 100644 --- a/kerberosV/src/lib/krb5/verify_krb5_conf.8 +++ b/kerberosV/src/lib/krb5/verify_krb5_conf.8 
@@ -1,6 +1,37 @@ -.\" $KTH: verify_krb5_conf.8,v 1.7 2002/08/20 17:07:28 joda Exp $ +.\" Copyright (c) 2000 - 2004 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. .\" -.Dd August 30, 2001 +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $KTH: verify_krb5_conf.8,v 1.11 2004/12/08 17:52:41 lha Exp $ +.\" +.Dd December 8, 2004 .Dt VERIFY_KRB5_CONF 8 .Os HEIMDAL .Sh NAME 
@@ -19,11 +50,19 @@ and parses it, thereby verifying that the syntax is correct. If the file is syntactically correct, .Nm tries to verify that the contents of the file is of relevant nature. +.Sh ENVIRONMENT +.Ev KRB5_CONFIG +points to the configuration file to read. +.Sh FILES +.Bl -tag -width /etc/kerberosV/krb5.conf -compact +.It Pa /etc/kerberosV/krb5.conf +Kerberos 5 configuration file +.El .Sh DIAGNOSTICS Possible output from .Nm include: -.Bl -tag -width "<path>" +.Bl -tag -width "FpathF" .It "<path>: failed to parse <something> as size/time/number/boolean" Usually means that <something> is misspelled, or that it contains weird characters. The parsing done by @@ -42,14 +81,6 @@ is confused. Means that <string> is unknown to .Nm Ns . .El -.Sh ENVIRONMENT -.Ev KRB5_CONFIG -points to the configuration file to read. -.Sh FILES -.Bl -tag -width /etc/kerberosV/krb5.conf -compact -.It Pa /etc/kerberosV/krb5.conf -Kerberos 5 configuration file -.El .Sh SEE ALSO .Xr krb5.conf 5 .Sh BUGS diff --git a/kerberosV/src/lib/krb5/verify_krb5_conf.c b/kerberosV/src/lib/krb5/verify_krb5_conf.c index 5a4e9784e19..20a6e515102 100644 --- a/kerberosV/src/lib/krb5/verify_krb5_conf.c +++ b/kerberosV/src/lib/krb5/verify_krb5_conf.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999 - 2003 Kungliga Tekniska Högskolan + * Copyright (c) 1999 - 2005 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * 
@@ -35,17 +35,20 @@ #include <getarg.h> #include <parse_bytes.h> #include <err.h> -RCSID("$KTH: verify_krb5_conf.c,v 1.17.2.2 2004/02/13 16:19:44 lha Exp $"); +RCSID("$KTH: verify_krb5_conf.c,v 1.33 2005/06/14 00:06:17 lha Exp $"); /* verify krb5.conf */ static int dumpconfig_flag = 0; static int version_flag = 0; static int help_flag = 0; +static int warn_mit_syntax_flag = 0; static struct getargs args[] = { {"dumpconfig", 0, arg_flag, &dumpconfig_flag, "show the parsed config files", NULL }, + {"warn-mit-syntax", 0, arg_flag, &warn_mit_syntax_flag, + "show the parsed config files", NULL }, {"version", 0, arg_flag, &version_flag, "print version", NULL }, {"help", 0, arg_flag, &help_flag, 
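Review bot: The new `warn-mit-syntax` option reuses the help string of `dumpconfig` (`"show the parsed config files"`), which is clearly a copy-paste slip and makes `--help` describe the wrong behaviour. Judging by how the flag is used further down (it gates the "is only used by MIT Kerberos" warning in `mit_entry`), the entry should read `{"warn-mit-syntax", 0, arg_flag, &warn_mit_syntax_flag, "warn about configuration entries only used by MIT Kerberos", NULL },`.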
@@ -138,23 +141,68 @@ check_host(krb5_context context, const char *path, char *data) int ret; char hostname[128]; const char *p = data; + struct addrinfo hints; + char service[32]; + int defport; struct addrinfo *ai; + + hints.ai_flags = 0; + hints.ai_family = PF_UNSPEC; + hints.ai_socktype = 0; + hints.ai_protocol = 0; + + hints.ai_addrlen = 0; + hints.ai_canonname = NULL; + hints.ai_addr = NULL; + hints.ai_next = NULL; + /* XXX data could be a list of hosts that this code can't handle */ /* XXX copied from krbhst.c */ if(strncmp(p, "http://", 7) == 0){ p += 7; + hints.ai_socktype = SOCK_STREAM; + strlcpy(service, "http", sizeof(service)); + defport = 80; } else if(strncmp(p, "http/", 5) == 0) { p += 5; + hints.ai_socktype = SOCK_STREAM; + strlcpy(service, "http", sizeof(service)); + defport = 80; }else if(strncmp(p, "tcp/", 4) == 0){ p += 4; + hints.ai_socktype = SOCK_STREAM; + strlcpy(service, "kerberos", sizeof(service)); + defport = 88; } else if(strncmp(p, "udp/", 4) == 0) { p += 4; + hints.ai_socktype = SOCK_DGRAM; + strlcpy(service, "kerberos", sizeof(service)); + defport = 88; + } else { + hints.ai_socktype = SOCK_DGRAM; + strlcpy(service, "kerberos", sizeof(service)); + defport = 88; } if(strsep_copy(&p, ":", hostname, sizeof(hostname)) < 0) { return 1; } hostname[strcspn(hostname, "/")] = '\0'; - ret = getaddrinfo(hostname, "telnet" /* XXX */, NULL, &ai); + if(p != NULL) { + char *end; + int tmp = strtol(p, &end, 0); + if(end == p) { + krb5_warnx(context, "%s: failed to parse port number in %s", + path, data); + return 1; + } + defport = tmp; + snprintf(service, sizeof(service), "%u", defport); + } + ret = getaddrinfo(hostname, service, &hints, &ai); + if(ret == EAI_SERVICE && !isdigit((unsigned char)service[0])) { + snprintf(service, sizeof(service), "%u", defport); + ret = getaddrinfo(hostname, service, &hints, &ai); + } if(ret != 0) { krb5_warnx(context, "%s: %s (%s)", path, gai_strerror(ret), hostname); return 1; 
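Review bot: The port parsed with `strtol` in `check_host` is only checked for `end == p`, so negative values and values above 65535 are accepted, stored in the `int defport` and then printed with `"%u"`; since this tool exists to validate configuration, the check should be `if(end == p || tmp < 1 || tmp > 65535) {` and the format should match the type (`"%d"`). The `struct addrinfo hints` is also initialised member by member, which silently leaves any platform-specific or padding fields uninitialised before `getaddrinfo` reads it; `memset(&hints, 0, sizeof(hints));` followed by the three assignments that matter is the portable form. The `ai` returned on success is not released within this hunk; presumably `freeaddrinfo(ai)` follows in the part of the function outside the view — confirm.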
@@ -162,17 +210,16 @@ check_host(krb5_context context, const char *path, char *data) return 0; } -#if 0 static int mit_entry(krb5_context context, const char *path, char *data) { - krb5_warnx(context, "%s is only used by MIT Kerberos", path); + if (warn_mit_syntax_flag) + krb5_warnx(context, "%s is only used by MIT Kerberos", path); return 0; } -#endif struct s2i { - char *s; + const char *s; int val; }; @@ -304,6 +351,12 @@ struct entry all_strings[] = { { NULL } }; +struct entry all_boolean[] = { + { "", krb5_config_string, check_boolean }, + { NULL } +}; + + struct entry v4_name_convert_entries[] = { { "host", krb5_config_list, all_strings }, { "plain", krb5_config_list, all_strings }, @@ -328,6 +381,7 @@ struct entry libdefaults_entries[] = { { "encrypt", krb5_config_string, check_boolean }, { "extra_addresses", krb5_config_string, NULL }, { "fcache_version", krb5_config_string, check_numeric }, + { "fcc-mit-ticketflags", krb5_config_string, check_boolean }, { "forward", krb5_config_string, check_boolean }, { "forwardable", krb5_config_string, check_boolean }, { "http_proxy", krb5_config_string, check_host /* XXX */ }, 
@@ -342,21 +396,34 @@ struct entry libdefaults_entries[] = { { "ticket_lifetime", krb5_config_string, check_time }, { "time_format", krb5_config_string, NULL }, { "transited_realms_reject", krb5_config_string, NULL }, + { "no-addresses", krb5_config_string, check_boolean }, { "v4_instance_resolve", krb5_config_string, check_boolean }, { "v4_name_convert", krb5_config_list, v4_name_convert_entries }, { "verify_ap_req_nofail", krb5_config_string, check_boolean }, + { "pkinit-openssl-engine", krb5_config_string, NULL }, + { "max_retries", krb5_config_string, check_time }, + { "renew_lifetime", krb5_config_string, check_time }, + { "proxiable", krb5_config_string, check_boolean }, + { "warn_pwexpire", krb5_config_string, check_time }, + /* MIT stuff */ + { "permitted_enctypes", krb5_config_string, mit_entry }, + { "default_tgs_enctypes", krb5_config_string, mit_entry }, + { "default_tkt_enctypes", krb5_config_string, mit_entry }, { NULL } }; struct entry appdefaults_entries[] = { { "afslog", krb5_config_string, check_boolean }, { "afs-use-524", krb5_config_string, check_524 }, + { "encrypt", krb5_config_string, check_boolean }, + { "forward", krb5_config_string, check_boolean }, { "forwardable", krb5_config_string, check_boolean }, { "proxiable", krb5_config_string, check_boolean }, { "ticket_lifetime", krb5_config_string, check_time }, { "renew_lifetime", krb5_config_string, check_time }, { "no-addresses", krb5_config_string, check_boolean }, { "krb4_get_tickets", krb5_config_string, check_boolean }, + { "pkinit-anchors", krb5_config_string, NULL }, #if 0 { "anonymous", krb5_config_string, check_boolean }, #endif 
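Review bot: `max_retries` is a retry count, yet the new `libdefaults` entry attaches `check_time` to it, so a plain number would be validated as a time specification; the file already has `check_numeric` (used for `fcache_version`), and the entry should be `{ "max_retries", krb5_config_string, check_numeric },`. The remaining additions in this hunk (`renew_lifetime`, `warn_pwexpire` with `check_time`, the boolean entries) look consistent with the existing table.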
@@ -378,7 +445,7 @@ struct entry realms_entries[] = { { "v4_instance_convert", krb5_config_list, all_strings }, { "v4_domains", krb5_config_string, NULL }, { "default_domain", krb5_config_string, NULL }, -#if 0 + { "win2k_pkinit", krb5_config_string, NULL }, /* MIT stuff */ { "admin_keytab", krb5_config_string, mit_entry }, { "acl_file", krb5_config_string, mit_entry }, @@ -394,7 +461,6 @@ struct entry realms_entries[] = { { "default_principal_flags", krb5_config_string, mit_entry }, { "supported_enctypes", krb5_config_string, mit_entry }, { "database_name", krb5_config_string, mit_entry }, -#endif { NULL } }; @@ -408,6 +474,8 @@ struct entry kdc_database_entries[] = { { "realm", krb5_config_string, NULL }, { "dbname", krb5_config_string, NULL }, { "mkey_file", krb5_config_string, NULL }, + { "acl_file", krb5_config_string, NULL }, + { "log_file", krb5_config_string, NULL }, { NULL } }; @@ -422,13 +490,19 @@ struct entry kdc_entries[] = { { "enable-kerberos4", krb5_config_string, check_boolean }, { "enable-524", krb5_config_string, check_boolean }, { "enable-http", krb5_config_string, check_boolean }, - { "check_ticket-addresses", krb5_config_string, check_boolean }, - { "allow-null-addresses", krb5_config_string, check_boolean }, + { "check-ticket-addresses", krb5_config_string, check_boolean }, + { "allow-null-ticket-addresses", krb5_config_string, check_boolean }, { "allow-anonymous", krb5_config_string, check_boolean }, { "v4_realm", krb5_config_string, NULL }, { "enable-kaserver", krb5_config_string, check_boolean }, { "encode_as_rep_as_tgs_rep", krb5_config_string, check_boolean }, { "kdc_warn_pwexpire", krb5_config_string, check_time }, + { "use_2b", krb5_config_list, NULL }, + { "enable-pkinit", krb5_config_string, check_boolean }, + { "pki-identity", krb5_config_string, NULL }, + { "pki-anchors", krb5_config_string, NULL }, + { "hdb-ldap-create-base", krb5_config_string, NULL }, + { "v4-realm", krb5_config_string, NULL }, { NULL } }; 
@@ -436,6 +510,7 @@ struct entry kadmin_entries[] = { { "password_lifetime", krb5_config_string, check_time }, { "default_keys", krb5_config_string, NULL }, { "use_v4_salt", krb5_config_string, NULL }, + { "require-preauth", krb5_config_string, check_boolean }, { NULL } }; struct entry log_strings[] = { @@ -444,13 +519,24 @@ struct entry log_strings[] = { }; -#if 0 +/* MIT stuff */ struct entry kdcdefaults_entries[] = { { "kdc_ports", krb5_config_string, mit_entry }, { "v4_mode", krb5_config_string, mit_entry }, { NULL } }; -#endif + +struct entry capaths_entries[] = { + { "", krb5_config_list, all_strings }, + { NULL } +}; + +struct entry password_quality_entries[] = { + { "policies", krb5_config_string, NULL }, + { "external_program", krb5_config_string, NULL }, + { "", krb5_config_list, all_strings }, + { NULL } +}; struct entry toplevel_sections[] = { { "libdefaults" , krb5_config_list, libdefaults_entries }, @@ -460,10 +546,11 @@ struct entry toplevel_sections[] = { { "kdc", krb5_config_list, kdc_entries }, { "kadmin", krb5_config_list, kadmin_entries }, { "appdefaults", krb5_config_list, appdefaults_entries }, -#if 0 + { "gssapi", krb5_config_list, NULL }, + { "capaths", krb5_config_list, capaths_entries }, + { "password_quality", krb5_config_list, password_quality_entries }, /* MIT stuff */ { "kdcdefaults", krb5_config_list, kdcdefaults_entries }, -#endif { NULL } }; @@ -535,8 +622,10 @@ main(int argc, char **argv) int optind = 0; ret = krb5_init_context(&context); - if (ret) - errx (1, "krb5_init_context failed"); + if (ret == KRB5_CONFIG_BADFORMAT) + errx (1, "krb5_init_context failed to parse configuration file"); + else if (ret) + errx (1, "krb5_init_context failed with %d", ret); if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind)) usage(1); diff --git a/kerberosV/src/lib/krb5/warn.c b/kerberosV/src/lib/krb5/warn.c index 91b4375a7d5..be4980d8dfa 100644 --- a/kerberosV/src/lib/krb5/warn.c +++ b/kerberosV/src/lib/krb5/warn.c 
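Review bot: In the `@@ -535,8 +622,10 @@` hunk of `main`, the fallback message prints the raw error code (`"krb5_init_context failed with %d"`), which tells the user nothing about a configuration problem the tool is supposed to diagnose; printing the text of the error, e.g. `errx (1, "krb5_init_context failed: %s", error_message(ret));`, is more useful, provided the com_err table is available before a context exists (it is used that way elsewhere in this tree, but confirm for this program). The special case for `KRB5_CONFIG_BADFORMAT` can then stay as is or collapse into the same line.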
@@ -34,7 +34,7 @@ #include "krb5_locl.h" #include <err.h> -RCSID("$KTH: warn.c,v 1.14 2003/04/16 16:13:08 lha Exp $"); +RCSID("$KTH: warn.c,v 1.15 2004/05/25 21:46:26 lha Exp $"); static krb5_error_code _warnerr(krb5_context context, int do_errtext, krb5_error_code code, int level, const char *fmt, va_list ap) @@ -96,7 +96,7 @@ _warnerr(krb5_context context, int do_errtext, #undef __attribute__ #define __attribute__(X) -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_vwarn(krb5_context context, krb5_error_code code, const char *fmt, va_list ap) __attribute__ ((format (printf, 3, 0))) @@ -105,7 +105,7 @@ krb5_vwarn(krb5_context context, krb5_error_code code, } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_warn(krb5_context context, krb5_error_code code, const char *fmt, ...) __attribute__ ((format (printf, 3, 4))) { @@ -113,14 +113,14 @@ krb5_warn(krb5_context context, krb5_error_code code, const char *fmt, ...) return ret; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_vwarnx(krb5_context context, const char *fmt, va_list ap) __attribute__ ((format (printf, 2, 0))) { return _warnerr(context, 0, 0, 1, fmt, ap); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_warnx(krb5_context context, const char *fmt, ...) __attribute__ ((format (printf, 2, 3))) { @@ -128,7 +128,7 @@ krb5_warnx(krb5_context context, const char *fmt, ...) return ret; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_verr(krb5_context context, int eval, krb5_error_code code, const char *fmt, va_list ap) __attribute__ ((noreturn, format (printf, 4, 0))) @@ -138,7 +138,7 @@ krb5_verr(krb5_context context, int eval, krb5_error_code code, } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_err(krb5_context context, int eval, krb5_error_code code, const char *fmt, ...) __attribute__ ((noreturn, format (printf, 4, 5))) 
@@ -147,7 +147,7 @@ krb5_err(krb5_context context, int eval, krb5_error_code code, exit(eval); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_verrx(krb5_context context, int eval, const char *fmt, va_list ap) __attribute__ ((noreturn, format (printf, 3, 0))) { @@ -155,7 +155,7 @@ krb5_verrx(krb5_context context, int eval, const char *fmt, va_list ap) exit(eval); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_errx(krb5_context context, int eval, const char *fmt, ...) __attribute__ ((noreturn, format (printf, 3, 4))) { @@ -163,7 +163,7 @@ krb5_errx(krb5_context context, int eval, const char *fmt, ...) exit(eval); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_vabort(krb5_context context, krb5_error_code code, const char *fmt, va_list ap) __attribute__ ((noreturn, format (printf, 3, 0))) @@ -173,7 +173,7 @@ krb5_vabort(krb5_context context, krb5_error_code code, } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_abort(krb5_context context, krb5_error_code code, const char *fmt, ...) __attribute__ ((noreturn, format (printf, 3, 4))) { @@ -181,7 +181,7 @@ krb5_abort(krb5_context context, krb5_error_code code, const char *fmt, ...) abort(); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_vabortx(krb5_context context, const char *fmt, va_list ap) __attribute__ ((noreturn, format (printf, 2, 0))) { @@ -189,7 +189,7 @@ krb5_vabortx(krb5_context context, const char *fmt, va_list ap) abort(); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_abortx(krb5_context context, const char *fmt, ...) __attribute__ ((noreturn, format (printf, 2, 3))) { @@ -197,7 +197,7 @@ krb5_abortx(krb5_context context, const char *fmt, ...) abort(); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_set_warn_dest(krb5_context context, krb5_log_facility *fac) { context->warn_dest = fac; diff --git a/kerberosV/src/lib/roken/daemon.c b/kerberosV/src/lib/roken/daemon.c index 072e8d29156..bafb9513b83 100644 
--- a/kerberosV/src/lib/roken/daemon.c +++ b/kerberosV/src/lib/roken/daemon.c @@ -35,7 +35,7 @@ static char sccsid[] = "@(#)daemon.c 8.1 (Berkeley) 6/4/93"; #include <config.h> #endif -RCSID("$KTH: daemon.c,v 1.3 1997/10/04 21:55:48 joda Exp $"); +RCSID("$KTH: daemon.c,v 1.5 2005/04/12 11:28:36 lha Exp $"); #ifndef HAVE_DAEMON @@ -51,7 +51,7 @@ RCSID("$KTH: daemon.c,v 1.3 1997/10/04 21:55:48 joda Exp $"); #include "roken.h" -int +int ROKEN_LIB_FUNCTION daemon(int nochdir, int noclose) { int fd; diff --git a/kerberosV/src/lib/roken/fnmatch.c b/kerberosV/src/lib/roken/fnmatch.c index e8bb44c876f..d3620cac058 100644 --- a/kerberosV/src/lib/roken/fnmatch.c +++ b/kerberosV/src/lib/roken/fnmatch.c @@ -52,7 +52,7 @@ static char rcsid[] = "$NetBSD: fnmatch.c,v 1.11 1995/02/27 03:43:06 cgd Exp $"; static const char *rangematch (const char *, int, int); -int +int ROKEN_LIB_FUNCTION fnmatch(const char *pattern, const char *string, int flags) { const char *stringstart; diff --git a/kerberosV/src/lib/roken/fnmatch.hin b/kerberosV/src/lib/roken/fnmatch.hin index 41df392c23b..47beb8d495b 100644 --- a/kerberosV/src/lib/roken/fnmatch.hin +++ b/kerberosV/src/lib/roken/fnmatch.hin @@ -34,12 +34,21 @@ #ifndef _FNMATCH_H_ #define _FNMATCH_H_ +#ifndef ROKEN_LIB_FUNCTION +#ifdef _WIN32 +#define ROKEN_LIB_FUNCTION _stdcall +#else +#define ROKEN_LIB_FUNCTION +#endif +#endif + #define FNM_NOMATCH 1 /* Match failed. */ #define FNM_NOESCAPE 0x01 /* Disable backslash escaping. */ #define FNM_PATHNAME 0x02 /* Slash must be matched by slash. */ #define FNM_PERIOD 0x04 /* Period must be matched by period. */ -int fnmatch (const char *, const char *, int); +int ROKEN_LIB_FUNCTION +fnmatch (const char *, const char *, int); #endif /* !_FNMATCH_H_ */ diff --git a/kerberosV/src/lib/roken/getaddrinfo-test.c b/kerberosV/src/lib/roken/getaddrinfo-test.c index 93844250f82..3cdc8dd57c4 100644 --- a/kerberosV/src/lib/roken/getaddrinfo-test.c +++ b/kerberosV/src/lib/roken/getaddrinfo-test.c 
@@ -33,7 +33,7 @@ #ifdef HAVE_CONFIG_H #include <config.h> -RCSID("$KTH: getaddrinfo-test.c,v 1.4 2001/02/20 01:44:54 assar Exp $"); +RCSID("$KTH: getaddrinfo-test.c,v 1.5 2005/03/02 22:51:36 lha Exp $"); #endif #include "roken.h" @@ -96,7 +96,7 @@ doit (const char *nodename, const char *servname) printf ("\tbad address?\n"); continue; } - printf ("\t(family = %d, socktype = %d, protocol = %d, " + printf ("\tfamily = %d, socktype = %d, protocol = %d, " "address = \"%s\", port = %d", r->ai_family, r->ai_socktype, r->ai_protocol, addrstr, diff --git a/kerberosV/src/lib/roken/getarg.c b/kerberosV/src/lib/roken/getarg.c index 383803b4ba2..03633fca755 100644 --- a/kerberosV/src/lib/roken/getarg.c +++ b/kerberosV/src/lib/roken/getarg.c @@ -33,7 +33,7 @@ #ifdef HAVE_CONFIG_H #include <config.h> -RCSID("$KTH: getarg.c,v 1.46 2002/08/20 16:23:07 joda Exp $"); +RCSID("$KTH: getarg.c,v 1.48 2005/04/12 11:28:43 lha Exp $"); #endif #include <stdio.h> @@ -200,7 +200,7 @@ check_column(FILE *f, int col, int len, int columns) return col; } -void +void ROKEN_LIB_FUNCTION arg_printusage (struct getargs *args, size_t num_args, const char *progname, @@ -309,12 +309,22 @@ arg_printusage (struct getargs *args, } } -static void +static int add_string(getarg_strings *s, char *value) { - s->strings = realloc(s->strings, (s->num_strings + 1) * sizeof(*s->strings)); + char **strings; + + strings = realloc(s->strings, (s->num_strings + 1) * sizeof(*s->strings)); + if (strings == NULL) { + free(s->strings); + s->strings = NULL; + s->num_strings = 0; + return ENOMEM; + } + s->strings = strings; s->strings[s->num_strings] = value; s->num_strings++; + return 0; } static int @@ -392,8 +402,7 @@ arg_match_long(struct getargs *args, size_t num_args, } case arg_strings: { - add_string((getarg_strings*)current->value, goptarg + 1); - return 0; + return add_string((getarg_strings*)current->value, goptarg + 1); } case arg_flag: case arg_negative_flag: 
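Review bot: In the `@@ -309,12 +329,22 @@` hunk of getarg.c, `add_string` now returns `ENOMEM`, which requires `<errno.h>`; the include block is not in this hunk, so make sure it is pulled in rather than relying on a transitive include. That value is then propagated through `arg_match_long` and `arg_match_short` into `getarg`'s return value, where callers in this tree appear to expect the `ARG_ERR_*` codes; a caller that switches on the code would not recognise `ENOMEM`, so either document that any non-zero value means failure or map it to an existing code. Freeing `s->strings` on failure also discards the strings parsed so far, which is acceptable since the parse is being abandoned, but a one-line comment saying so (`/* give up: drop the partial list, caller aborts parsing */`) would save the next reader the question.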
@@ -499,8 +508,7 @@ arg_match_short (struct getargs *args, size_t num_args, *(char**)args[k].value = goptarg; return 0; } else if(args[k].type == arg_strings) { - add_string((getarg_strings*)args[k].value, goptarg); - return 0; + return add_string((getarg_strings*)args[k].value, goptarg); } else if(args[k].type == arg_double) { double tmp; if(sscanf(goptarg, "%lf", &tmp) != 1) @@ -517,7 +525,7 @@ arg_match_short (struct getargs *args, size_t num_args, return 0; } -int +int ROKEN_LIB_FUNCTION getarg(struct getargs *args, size_t num_args, int argc, char **argv, int *goptind) { @@ -553,7 +561,7 @@ getarg(struct getargs *args, size_t num_args, return ret; } -void +void ROKEN_LIB_FUNCTION free_getarg_strings (getarg_strings *s) { free (s->strings); diff --git a/kerberosV/src/lib/roken/getcap.c b/kerberosV/src/lib/roken/getcap.c index 04989a76933..0bc2af20b34 100644 --- a/kerberosV/src/lib/roken/getcap.c +++ b/kerberosV/src/lib/roken/getcap.c @@ -36,7 +36,7 @@ #include <config.h> #endif #include "roken.h" -RCSID("$KTH: getcap.c,v 1.8 2003/04/16 16:23:36 lha Exp $"); +RCSID("$KTH: getcap.c,v 1.10 2005/04/12 11:28:44 lha Exp $"); #include <sys/types.h> #include <ctype.h> 
@@ -80,24 +80,24 @@ static int getent (char **, size_t *, char **, int, const char *, int, char *); static int nfcmp (char *, char *); -int cgetset(const char *ent); -char *cgetcap(char *buf, const char *cap, int type); -int cgetent(char **buf, char **db_array, const char *name); -int cgetmatch(const char *buf, const char *name); -int cgetclose(void); +int ROKEN_LIB_FUNCTION cgetset(const char *ent); +char *ROKEN_LIB_FUNCTION cgetcap(char *buf, const char *cap, int type); +int ROKEN_LIB_FUNCTION cgetent(char **buf, char **db_array, const char *name); +int ROKEN_LIB_FUNCTION cgetmatch(const char *buf, const char *name); +int ROKEN_LIB_FUNCTION cgetclose(void); #if 0 int cgetfirst(char **buf, char **db_array); int cgetnext(char **bp, char **db_array); #endif -int cgetstr(char *buf, const char *cap, char **str); -int cgetustr(char *buf, const char *cap, char **str); -int cgetnum(char *buf, const char *cap, long *num); +int ROKEN_LIB_FUNCTION cgetstr(char *buf, const char *cap, char **str); +int ROKEN_LIB_FUNCTION cgetustr(char *buf, const char *cap, char **str); +int ROKEN_LIB_FUNCTION cgetnum(char *buf, const char *cap, long *num); /* * Cgetset() allows the addition of a user specified buffer to be added * to the database array, in effect "pushing" the buffer on top of the * virtual database. 0 is returned on success, -1 on failure. */ -int +int ROKEN_LIB_FUNCTION cgetset(const char *ent) { const char *source, *check; @@ -150,7 +150,7 @@ cgetset(const char *ent) * If (cap, '@') or (cap, terminator, '@') is found before (cap, terminator) * return NULL. */ -char * +char * ROKEN_LIB_FUNCTION cgetcap(char *buf, const char *cap, int type) { char *bp; @@ -201,7 +201,7 @@ cgetcap(char *buf, const char *cap, int type) * encountered (couldn't open/read a file, etc.), and -3 if a potential * reference loop is detected. */ -int +int ROKEN_LIB_FUNCTION cgetent(char **buf, char **db_array, const char *name) { size_t dummy; 
@@ -695,7 +695,7 @@ static FILE *pfp; static int slash; static char **dbp; -int +int ROKEN_LIB_FUNCTION cgetclose(void) { if (pfp != NULL) { @@ -842,7 +842,7 @@ cgetnext(char **bp, char **db_array) * couldn't be found, -2 if a system error was encountered (storage * allocation failure). */ -int +int ROKEN_LIB_FUNCTION cgetstr(char *buf, const char *cap, char **str) { u_int m_room; @@ -966,7 +966,7 @@ cgetstr(char *buf, const char *cap, char **str) * -1 if the requested string capability couldn't be found, -2 if a system * error was encountered (storage allocation failure). */ -int +int ROKEN_LIB_FUNCTION cgetustr(char *buf, const char *cap, char **str) { u_int m_room; @@ -1035,7 +1035,7 @@ cgetustr(char *buf, const char *cap, char **str) * the long pointed to by num. 0 is returned on success, -1 if the requested * numeric capability couldn't be found. */ -int +int ROKEN_LIB_FUNCTION cgetnum(char *buf, const char *cap, long *num) { long n; diff --git a/kerberosV/src/lib/roken/getopt.c b/kerberosV/src/lib/roken/getopt.c index d935c655506..12bf138d026 100644 --- a/kerberosV/src/lib/roken/getopt.c +++ b/kerberosV/src/lib/roken/getopt.c @@ -51,7 +51,7 @@ char *optarg; /* argument associated with option */ #define BADARG (int)':' #define EMSG "" -int +int ROKEN_LIB_FUNCTION getopt(nargc, nargv, ostr) int nargc; char * const *nargv; diff --git a/kerberosV/src/lib/roken/getprogname.c b/kerberosV/src/lib/roken/getprogname.c index 5cf6b0e21d9..547c9f3ee8d 100644 --- a/kerberosV/src/lib/roken/getprogname.c +++ b/kerberosV/src/lib/roken/getprogname.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan + * Copyright (c) 1995-2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #ifdef HAVE_CONFIG_H #include <config.h> -RCSID("$KTH: getprogname.c,v 1.1 2001/07/09 14:56:51 assar Exp $"); +RCSID("$KTH: getprogname.c,v 1.3 2005/04/12 11:28:48 lha Exp $"); #endif #include "roken.h" 
@@ -41,16 +41,9 @@ RCSID("$KTH: getprogname.c,v 1.1 2001/07/09 14:56:51 assar Exp $"); extern char *__progname; #ifndef HAVE_GETPROGNAME -const char * +const char * ROKEN_LIB_FUNCTION getprogname(void) { return __progname; } #endif /* HAVE_GETPROGNAME */ - -const char * -get_progname (void) -{ - return getprogname (); -} - diff --git a/kerberosV/src/lib/roken/getusershell.c b/kerberosV/src/lib/roken/getusershell.c index bf878776dd5..aed746cac3f 100644 --- a/kerberosV/src/lib/roken/getusershell.c +++ b/kerberosV/src/lib/roken/getusershell.c @@ -31,13 +31,14 @@ #include <config.h> #endif -RCSID("$KTH: getusershell.c,v 1.10 2000/05/22 09:11:59 joda Exp $"); +RCSID("$KTH: getusershell.c,v 1.14 2005/04/27 08:05:00 lha Exp $"); #ifndef HAVE_GETUSERSHELL #include <stdio.h> #include <stdlib.h> #include <string.h> +#include <ctype.h> #ifdef HAVE_PATHS_H #include <paths.h> #endif @@ -58,6 +59,7 @@ struct aud_rec; #ifdef HAVE_USERCONF_H #include <userconf.h> #endif +#include <roken.h> #ifndef _PATH_SHELLS #define _PATH_SHELLS "/etc/shells" @@ -83,7 +85,7 @@ static char **initshells (void); /* * Get a list of shells from _PATH_SHELLS, if it exists. */ -char * +char * ROKEN_LIB_FUNCTION getusershell() { char *ret; @@ -96,7 +98,7 @@ getusershell() return (ret); } -void +void ROKEN_LIB_FUNCTION endusershell() { if (shells != NULL) @@ -108,7 +110,7 @@ endusershell() curshell = NULL; } -void +void ROKEN_LIB_FUNCTION setusershell() { curshell = initshells(); @@ -175,7 +177,7 @@ initshells() if (*cp == '#' || *cp == '\0') continue; *sp++ = cp; - while (!isspace(*cp) && *cp != '#' && *cp != '\0') + while (!isspace((unsigned char)*cp) && *cp != '#' && *cp != '\0') cp++; *cp++ = '\0'; } diff --git a/kerberosV/src/lib/roken/glob.c b/kerberosV/src/lib/roken/glob.c index 55767ce7846..803eda17d1e 100644 --- a/kerberosV/src/lib/roken/glob.c +++ b/kerberosV/src/lib/roken/glob.c 
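Review bot: The `@@ -41,16 +41,9 @@` hunk of getprogname.c removes the exported `get_progname()` wrapper outright, which is an API/ABI break for anything outside this diff that still calls it; the diff does not show whether the declaration in roken.h and all callers were updated in the same merge. If external callers cannot be ruled out, keep the wrapper for one release (it can simply return `getprogname()`) and mark it deprecated in the header.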
@@ -166,7 +166,7 @@ static int match (Char *, Char *, Char *); static void qprintf (const char *, Char *); #endif -int +int ROKEN_LIB_FUNCTION glob(const char *pattern, int flags, int (*errfunc)(const char *, int), @@ -741,7 +741,7 @@ match(Char *name, Char *pat, Char *patend) } /* Free allocated data belonging to a glob_t structure. */ -void +void ROKEN_LIB_FUNCTION globfree(glob_t *pglob) { int i; diff --git a/kerberosV/src/lib/roken/glob.hin b/kerberosV/src/lib/roken/glob.hin index 660d1edca31..fb6b5398615 100644 --- a/kerberosV/src/lib/roken/glob.hin +++ b/kerberosV/src/lib/roken/glob.hin @@ -35,6 +35,18 @@ #ifndef _GLOB_H_ #define _GLOB_H_ +#ifndef ROKEN_LIB_FUNCTION +#ifdef _WIN32 +#define ROKEN_LIB_FUNCTION _stdcall +#else +#define ROKEN_LIB_FUNCTION +#endif +#endif + +#define glob_t rk_glob_t +#define glob rk_glob +#define globfree rk_globfree + struct stat; typedef struct { int gl_pathc; /* Count of total paths so far. */ @@ -75,7 +87,10 @@ typedef struct { #define GLOB_NOSPACE (-1) /* Malloc call failed. */ #define GLOB_ABEND (-2) /* Unignored error. */ -int glob (const char *, int, int (*)(const char *, int), glob_t *); -void globfree (glob_t *); +int ROKEN_LIB_FUNCTION +glob (const char *, int, int (*)(const char *, int), glob_t *); + +void ROKEN_LIB_FUNCTION +globfree (glob_t *); #endif /* !_GLOB_H_ */ diff --git a/kerberosV/src/lib/roken/iruserok.c b/kerberosV/src/lib/roken/iruserok.c index ed6046d3864..395b3b9c6a8 100644 --- a/kerberosV/src/lib/roken/iruserok.c +++ b/kerberosV/src/lib/roken/iruserok.c @@ -29,7 +29,7 @@ #ifdef HAVE_CONFIG_H #include <config.h> -RCSID("$KTH: iruserok.c,v 1.23 1999/12/05 13:27:05 assar Exp $"); +RCSID("$KTH: iruserok.c,v 1.25 2005/04/12 11:28:54 lha Exp $"); #endif #include <stdio.h> @@ -217,7 +217,7 @@ __ivaliduser(FILE *hostf, unsigned raddr, const char *luser, * * Returns 0 if ok, -1 if not ok. */ -int +int ROKEN_LIB_FUNCTION iruserok(unsigned raddr, int superuser, const char *ruser, const char *luser) { char *cp; 
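Review bot: In the glob.hin hunk (`@@ -35,6 +35,18 @@`), `#define glob rk_glob`, `#define globfree rk_globfree` and `#define glob_t rk_glob_t` are object-like macros, so they rewrite every token spelled `glob` or `globfree` in any translation unit that includes this header, including local variables, struct members and strings-in-macros that happen to use that name, not just the two function calls. A comment explaining the intent (`/* renamed to avoid clashing with the system glob(3) symbols */`) and, if practical, function-like macros (`#define glob(p, f, e, g) rk_glob(p, f, e, g)`) would limit the blast radius to actual calls; the `glob_t` rename cannot be narrowed that way and should stay documented.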
diff --git a/kerberosV/src/lib/roken/ndbm_wrap.c b/kerberosV/src/lib/roken/ndbm_wrap.c index 4e5d43e6d75..23354071c30 100644 --- a/kerberosV/src/lib/roken/ndbm_wrap.c +++ b/kerberosV/src/lib/roken/ndbm_wrap.c @@ -33,7 +33,7 @@ #ifdef HAVE_CONFIG_H #include <config.h> -RCSID("$KTH: ndbm_wrap.c,v 1.1.8.1 2003/08/29 17:00:34 lha Exp $"); +RCSID("$KTH: ndbm_wrap.c,v 1.4 2005/04/12 11:28:57 lha Exp $"); #endif #include "ndbm_wrap.h" @@ -50,6 +50,8 @@ RCSID("$KTH: ndbm_wrap.c,v 1.1.8.1 2003/08/29 17:00:34 lha Exp $"); #include <string.h> #include <fcntl.h> +/* XXX undefine open so this works on Solaris with large file support */ +#undef open #define DBT2DATUM(DBT, DATUM) do { (DATUM)->dptr = (DBT)->data; (DATUM)->dsize = (DBT)->size; } while(0) #define DATUM2DBT(DATUM, DBT) do { (DBT)->data = (DATUM)->dptr; (DBT)->size = (DATUM)->dsize; } while(0) @@ -61,7 +63,7 @@ static DBC *cursor; #define D(X) ((DB*)(X)) -void +void ROKEN_LIB_FUNCTION dbm_close (DBM *db) { #ifdef HAVE_DB3 @@ -72,7 +74,7 @@ dbm_close (DBM *db) #endif } -int +int ROKEN_LIB_FUNCTION dbm_delete (DBM *db, datum dkey) { DBT key; @@ -127,19 +129,19 @@ dbm_get (DB *db, int flags) #define DB_KEYEXIST 1 #endif -datum +datum ROKEN_LIB_FUNCTION dbm_firstkey (DBM *db) { return dbm_get(D(db), DB_FIRST); } -datum +datum ROKEN_LIB_FUNCTION dbm_nextkey (DBM *db) { return dbm_get(D(db), DB_NEXT); } -DBM* +DBM* ROKEN_LIB_FUNCTION dbm_open (const char *file, int flags, mode_t mode) { DB *db; @@ -180,7 +182,7 @@ dbm_open (const char *file, int flags, mode_t mode) return (DBM*)db; } -int +int ROKEN_LIB_FUNCTION dbm_store (DBM *db, datum dkey, datum dvalue, int flags) { int ret; @@ -200,13 +202,13 @@ dbm_store (DBM *db, datum dkey, datum dvalue, int flags) RETURN(ret); } -int +int ROKEN_LIB_FUNCTION dbm_error (DBM *db) { return 0; } -int +int ROKEN_LIB_FUNCTION dbm_clearerr (DBM *db) { return 0; diff --git a/kerberosV/src/lib/roken/parse_units.c b/kerberosV/src/lib/roken/parse_units.c index 7955f01dd92..3444c7ee3e7 100644 
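Review bot: The new `#undef open` in ndbm_wrap.c (`@@ -50,6 +50,8 @@`) is explained only as a Solaris large-file workaround; presumably the `open` member of the DB handle collides with the `open`→`open64` remapping, but the comment does not say so, and the undef also strips that remapping from any real `open()` call later in the file. Make the reason explicit, e.g. `/* XXX LFS headers #define open to open64, which breaks the db->open member access below; undo it here (plain open() calls in this file lose the 64-bit mapping) */`, so nobody reintroduces a file open in this unit without noticing.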
--- a/kerberosV/src/lib/roken/parse_units.c +++ b/kerberosV/src/lib/roken/parse_units.c @@ -33,7 +33,7 @@ #ifdef HAVE_CONFIG_H #include <config.h> -RCSID("$KTH: parse_units.c,v 1.14 2001/09/04 09:56:00 assar Exp $"); +RCSID("$KTH: parse_units.c,v 1.18 2005/04/12 11:28:59 lha Exp $"); #endif #include <stdio.h> @@ -152,7 +152,7 @@ acc_units(int res, int val, unsigned mult) return res + val * mult; } -int +int ROKEN_LIB_FUNCTION parse_units (const char *s, const struct units *units, const char *def_unit) { @@ -178,7 +178,7 @@ acc_flags(int res, int val, unsigned mult) return -1; } -int +int ROKEN_LIB_FUNCTION parse_flags (const char *s, const struct units *units, int orig) { @@ -193,9 +193,8 @@ parse_flags (const char *s, const struct units *units, static int unparse_something (int num, const struct units *units, char *s, size_t len, - int (*print) (char *s, size_t len, int div, - const char *name, int rem), - int (*update) (int in, unsigned mult), + int (*print) (char *, size_t, int, const char *, int), + int (*update) (int, unsigned), const char *zero_string) { const struct units *u; @@ -211,17 +210,21 @@ unparse_something (int num, const struct units *units, char *s, size_t len, } for (u = units; num > 0 && u->name; ++u) { - int div; + int divisor; - div = num / u->mult; - if (div) { + divisor = num / u->mult; + if (divisor) { num = (*update) (num, u->mult); - tmp = (*print) (s, len, div, u->name, num); + tmp = (*print) (s, len, divisor, u->name, num); if (tmp < 0) return tmp; - - len -= tmp; - s += tmp; + if (tmp > len) { + len = 0; + s = NULL; + } else { + len -= tmp; + s += tmp; + } ret += tmp; } } 
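Review bot: In the `@@ -211,17 +210,21 @@` hunk of `unparse_something`, `if (tmp > len)` compares a signed `int` with a `size_t`; `tmp` has already been checked to be non-negative, so the comparison is safe, but it is the kind of line that draws `-Wsign-compare` noise and a reader's double take — `if ((size_t)tmp > len) {` states the intent. The truncation branch then sets `s = NULL; len = 0;` so later `snprintf` calls only size their output, which is valid C99 and matches the new `print_unit` returning the full length; a short comment at that branch (`/* buffer exhausted: keep counting, stop writing */`) would make the design visible. The function continues past the end of the hunk.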
@@ -229,13 +232,12 @@ unparse_something (int num, const struct units *units, char *s, size_t len,
 }
 static int
-print_unit (char *s, size_t len, int div, const char *name, int rem)
+print_unit (char *s, size_t len, int divisor, const char *name, int rem)
 {
- if (len == 0)
- return(0);
- (void) snprintf (s, len, "%u %s%s%s",
- div, name, div == 1 ? "" : "s", rem > 0 ? " " : "");
- return(strlen(s));
+ return snprintf (s, len, "%u %s%s%s",
+ divisor, name,
+ divisor == 1 ? "" : "s",
+ rem > 0 ? " " : "");
 }
 static int
@@ -253,7 +255,7 @@ update_unit_approx (int in, unsigned mult)
 return update_unit (in, mult);
 }
-int
+int ROKEN_LIB_FUNCTION
 unparse_units (int num, const struct units *units, char *s, size_t len)
 {
 return unparse_something (num, units, s, len,
@@ -262,7 +264,7 @@ unparse_units (int num, const struct units *units, char *s, size_t len)
 "0");
 }
-int
+int ROKEN_LIB_FUNCTION
 unparse_units_approx (int num, const struct units *units, char *s, size_t len)
 {
 return unparse_something (num, units, s, len,
@@ -271,7 +273,7 @@ unparse_units_approx (int num, const struct units *units, char *s, size_t len)
 "0");
 }
-void
+void ROKEN_LIB_FUNCTION
 print_units_table (const struct units *units, FILE *f)
 {
 const struct units *u, *u2;
@@ -305,7 +307,7 @@ print_units_table (const struct units *units, FILE *f)
 }
 static int
-print_flag (char *s, size_t len, int div, const char *name, int rem)
+print_flag (char *s, size_t len, int divisor, const char *name, int rem)
 {
 if (len == 0)
 return(0);
@@ -319,7 +321,7 @@ update_flag (int in, unsigned mult)
 return in - mult;
 }
-int
+int ROKEN_LIB_FUNCTION
 unparse_flags (int num, const struct units *units, char *s, size_t len)
 {
 return unparse_something (num, units, s, len,
@@ -328,7 +330,7 @@ unparse_flags (int num, const struct units *units, char *s, size_t len)
 "");
 }
-void
+void ROKEN_LIB_FUNCTION
 print_flags_table (const struct units *units, FILE *f)
 {
 const struct units *u;
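Review bot: `"%u"` is paired with `int divisor` in the rewritten `snprintf` call (the removed code had the same mismatch with `div`); `-Wformat` flags it and the standard does not guarantee the signed/unsigned pairing, so either declare the parameter `unsigned` here and in the `print` callback type, or use `"%d"`. Dropping the `if (len == 0) return(0);` guard and returning snprintf's result is correct only under C99 semantics (a zero size is allowed and the return value is the length that would have been written); roken substitutes its own snprintf where the system one predates that, but a comment such as `/* relies on C99 snprintf: len may be 0 and the return value is the required length, which unparse_something accumulates */` would record the dependency. `print_flag` in the `@@ -305` hunk keeps the old guard (and, outside the hunk, presumably the `strlen` return), so the two callbacks handed to unparse_something now follow different contracts.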
diff --git a/kerberosV/src/lib/roken/print_version.c b/kerberosV/src/lib/roken/print_version.c index d46ab992ba2..ffe7f58b419 100644 --- a/kerberosV/src/lib/roken/print_version.c +++ b/kerberosV/src/lib/roken/print_version.c @@ -33,7 +33,7 @@ #ifdef HAVE_CONFIG_H #include <config.h> -RCSID("$KTH: print_version.c,v 1.8 2001/02/20 01:44:55 assar Exp $"); +RCSID("$KTH: print_version.c,v 1.9 2005/04/12 11:29:00 lha Exp $"); #endif #include "roken.h" @@ -41,7 +41,7 @@ RCSID("$KTH: print_version.c,v 1.8 2001/02/20 01:44:55 assar Exp $"); extern char *__progname; -void +void ROKEN_LIB_FUNCTION print_version(const char *progname) { const char *arg[] = VERSIONLIST; diff --git a/kerberosV/src/lib/roken/resolve.c b/kerberosV/src/lib/roken/resolve.c index 452cd55bc9e..0db6bc31312 100644 --- a/kerberosV/src/lib/roken/resolve.c +++ b/kerberosV/src/lib/roken/resolve.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1995 - 2003 Kungliga Tekniska Högskolan + * Copyright (c) 1995 - 2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * 
@@ -45,35 +45,39 @@ #include <assert.h> -RCSID("$KTH: resolve.c,v 1.38.2.1 2003/04/22 15:02:47 lha Exp $"); +RCSID("$KTH: resolve.c,v 1.50 2005/04/12 11:29:01 lha Exp $"); +#ifdef _AIX /* AIX have broken res_nsearch() in 5.1 (5.0 also ?) */ #undef HAVE_RES_NSEARCH -#if (defined(HAVE_RES_SEARCH) || defined(HAVE_RES_NSEARCH)) && defined(HAVE_DN_EXPAND) +#endif -#define DECL(X) {#X, T_##X} +#define DECL(X) {#X, rk_ns_t_##X} static struct stot{ const char *name; int type; }stot[] = { - DECL(A), - DECL(NS), - DECL(CNAME), - DECL(SOA), - DECL(PTR), - DECL(MX), - DECL(TXT), - DECL(AFSDB), - DECL(SIG), - DECL(KEY), - DECL(SRV), - DECL(NAPTR), + DECL(a), + DECL(aaaa), + DECL(ns), + DECL(cname), + DECL(soa), + DECL(ptr), + DECL(mx), + DECL(txt), + DECL(afsdb), + DECL(sig), + DECL(key), + DECL(srv), + DECL(naptr), + DECL(sshfp), + DECL(ds), {NULL, 0} }; int _resolve_debug = 0; -int +int ROKEN_LIB_FUNCTION dns_string_to_type(const char *name) { struct stot *p = stot; @@ -83,7 +87,7 @@ dns_string_to_type(const char *name) return -1; } -const char * +const char * ROKEN_LIB_FUNCTION dns_type_to_string(int type) { struct stot *p = stot; @@ -93,7 +97,9 @@ dns_type_to_string(int type) return NULL; } -void +#if (defined(HAVE_RES_SEARCH) || defined(HAVE_RES_NSEARCH)) && defined(HAVE_DN_EXPAND) + +void ROKEN_LIB_FUNCTION dns_free_data(struct dns_reply *r) { struct resource_record *rr; @@ -150,9 +156,9 @@ parse_record(const unsigned char *data, const unsigned char *end_data, (*rr)->ttl = ttl; (*rr)->size = size; switch(type){ - case T_NS: - case T_CNAME: - case T_PTR: + case rk_ns_t_ns: + case rk_ns_t_cname: + case rk_ns_t_ptr: status = dn_expand(data, end_data, p, host, sizeof(host)); if(status < 0) { free(*rr); @@ -164,8 +170,8 @@ parse_record(const unsigned char *data, const unsigned char *end_data, return -1; } break; - case T_MX: - case T_AFSDB:{ + case rk_ns_t_mx: + case rk_ns_t_afsdb:{ size_t hostlen; status = dn_expand(data, end_data, p + 2, host, sizeof(host)); 
@@ -189,7 +195,7 @@ parse_record(const unsigned char *data, const unsigned char *end_data, strlcpy((*rr)->u.mx->domain, host, hostlen + 1); break; } - case T_SRV:{ + case rk_ns_t_srv:{ size_t hostlen; status = dn_expand(data, end_data, p + 6, host, sizeof(host)); if(status < 0){ @@ -215,7 +221,7 @@ parse_record(const unsigned char *data, const unsigned char *end_data, strlcpy((*rr)->u.srv->target, host, hostlen + 1); break; } - case T_TXT:{ + case rk_ns_t_txt:{ if(size == 0 || size < *p + 1) { free(*rr); return -1; @@ -229,7 +235,7 @@ parse_record(const unsigned char *data, const unsigned char *end_data, (*rr)->u.txt[*p] = '\0'; break; } - case T_KEY : { + case rk_ns_t_key : { size_t key_len; if (size < 4) { @@ -251,7 +257,7 @@ parse_record(const unsigned char *data, const unsigned char *end_data, memcpy ((*rr)->u.key->key_data, p + 4, key_len); break; } - case T_SIG : { + case rk_ns_t_sig : { size_t sig_len, hostlen; if(size <= 18) { @@ -298,7 +304,7 @@ parse_record(const unsigned char *data, const unsigned char *end_data, break; } - case T_CERT : { + case rk_ns_t_cert : { size_t cert_len; if (size < 5) { 
@@ -320,6 +326,51 @@ parse_record(const unsigned char *data, const unsigned char *end_data,
 memcpy ((*rr)->u.cert->cert_data, p + 5, cert_len);
 break;
 }
+ case rk_ns_t_sshfp : {
+ size_t sshfp_len;
+
+ if (size < 2) {
+ free(*rr);
+ return -1;
+ }
+
+ sshfp_len = size - 2;
+
+ (*rr)->u.sshfp = malloc (sizeof(*(*rr)->u.sshfp) + sshfp_len - 1);
+ if ((*rr)->u.sshfp == NULL) {
+ free(*rr);
+ return -1;
+ }
+
+ (*rr)->u.sshfp->algorithm = p[0];
+ (*rr)->u.sshfp->type = p[1];
+ (*rr)->u.sshfp->sshfp_len = sshfp_len;
+ memcpy ((*rr)->u.sshfp->sshfp_data, p + 2, sshfp_len);
+ break;
+ }
+ case rk_ns_t_ds: {
+ size_t digest_len;
+
+ if (size < 4) {
+ free(*rr);
+ return -1;
+ }
+
+ digest_len = size - 4;
+
+ (*rr)->u.ds = malloc (sizeof(*(*rr)->u.ds) + digest_len - 1);
+ if ((*rr)->u.ds == NULL) {
+ free(*rr);
+ return -1;
+ }
+
+ (*rr)->u.ds->key_tag = (p[0] << 8) | p[1];
+ (*rr)->u.ds->algorithm = p[2];
+ (*rr)->u.ds->digest_type = p[3];
+ (*rr)->u.ds->digest_len = digest_len;
+ memcpy ((*rr)->u.ds->digest_data, p + 4, digest_len);
+ break;
+ }
 default:
 (*rr)->u.data = (unsigned char*)malloc(size);
 if(size != 0 && (*rr)->u.data == NULL) {
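Review bot: Each error path in the new `rk_ns_t_sshfp` and `rk_ns_t_ds` cases does `free(*rr); return -1;` and leaves `*rr` — which the parse_reply hunk on the next line passes in as `&r->head` or `&(*rr)->next` — pointing at freed memory, and parse_reply then calls `dns_free_data(r)`, so if that routine walks the list (its body is not in this diff) a malformed DNS reply, i.e. untrusted network input, becomes a use-after-free. Resetting the caller's pointer, `free(*rr); *rr = NULL; return -1;`, at each of the four new sites closes that path; the pre-existing cases above use the same pattern and presumably want the same change, and anything else `*rr` owns by this point (a duplicated owner name, if one is stored before the switch) is leaked by the bare `free`, so a small static helper is preferable to repeating the three lines. Separately, `sizeof(*(*rr)->u.sshfp) + sshfp_len - 1` (and its `ds` twin) allocates one byte less than the struct when the trailing length is 0; the `size < 2` / `size < 4` checks make the subtraction itself safe, but a flexible array member for `sshfp_data`/`digest_data` would remove the `- 1` if the project can use C99. parse_record starts before and ends after this hunk.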
@@ -351,15 +402,33 @@ parse_reply(const unsigned char *data, size_t len)
 return NULL;
 p = data;
-#if 0
- /* doesn't work on Crays */
- memcpy(&r->h, p, sizeof(HEADER));
- p += sizeof(HEADER);
-#else
- memcpy(&r->h, p, 12); /* XXX this will probably be mostly garbage */
+
+ r->h.id = (p[0] << 8) | p[1];
+ r->h.flags = 0;
+ if (p[2] & 0x01)
+ r->h.flags |= rk_DNS_HEADER_RESPONSE_FLAG;
+ r->h.opcode = (p[2] >> 1) & 0xf;
+ if (p[2] & 0x20)
+ r->h.flags |= rk_DNS_HEADER_AUTHORITIVE_ANSWER;
+ if (p[2] & 0x40)
+ r->h.flags |= rk_DNS_HEADER_TRUNCATED_MESSAGE;
+ if (p[2] & 0x80)
+ r->h.flags |= rk_DNS_HEADER_RECURSION_DESIRED;
+ if (p[3] & 0x01)
+ r->h.flags |= rk_DNS_HEADER_RECURSION_AVAILABLE;
+ if (p[3] & 0x04)
+ r->h.flags |= rk_DNS_HEADER_AUTHORITIVE_ANSWER;
+ if (p[3] & 0x08)
+ r->h.flags |= rk_DNS_HEADER_CHECKING_DISABLED;
+ r->h.response_code = (p[3] >> 4) & 0xf;
+ r->h.qdcount = (p[4] << 8) | p[5];
+ r->h.ancount = (p[6] << 8) | p[7];
+ r->h.nscount = (p[8] << 8) | p[9];
+ r->h.arcount = (p[10] << 8) | p[11];
+ p += 12;
-#endif
- if(ntohs(r->h.qdcount) != 1) {
+
+ if(r->h.qdcount != 1) {
 free(r);
 return NULL;
 }
@@ -384,21 +453,21 @@ parse_reply(const unsigned char *data, size_t len)
 p += 2;
 rr = &r->head;
- for(i = 0; i < ntohs(r->h.ancount); i++) {
+ for(i = 0; i < r->h.ancount; i++) {
 if(parse_record(data, end_data, &p, rr) != 0) {
 dns_free_data(r);
 return NULL;
 }
 rr = &(*rr)->next;
 }
- for(i = 0; i < ntohs(r->h.nscount); i++) {
+ for(i = 0; i < r->h.nscount; i++) {
 if(parse_record(data, end_data, &p, rr) != 0) {
 dns_free_data(r);
 return NULL;
 }
 rr = &(*rr)->next;
 }
- for(i = 0; i < ntohs(r->h.arcount); i++) {
+ for(i = 0; i < r->h.arcount; i++) {
 if(parse_record(data, end_data, &p, rr) != 0) {
 dns_free_data(r);
 return NULL;
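Review bot: The flag masks in the new header decode are bit-reversed relative to RFC 1035 §4.1.1, where QR is the most significant bit of the third octet: QR is `0x80`, Opcode occupies bits 3–6 (`(p[2] >> 3) & 0xf`), AA is `0x04`, TC `0x02`, RD `0x01`, and in the fourth octet RA is `0x80`, AD `0x20`, CD `0x10` with RCODE in the low nibble (`p[3] & 0xf`) — the code tests `p[2] & 0x01` for QR and takes the RCODE from the high nibble, so every stored flag and `response_code` is wrong, and `p[3] & 0x04` sets `rk_DNS_HEADER_AUTHORITIVE_ANSWER` a second time where a different flag (presumably authenticated-data) was intended. Nothing between `p = data;` and the twelve `p[0]`…`p[11]` reads checks that `len >= 12`; the start of parse_reply is outside the hunk, so unless such a check exists there a short reply reads past the buffer and needs `if (len < 12) { free(r); return NULL; }`. Since `rk_DNS_HEADER_TRUNCATED_MESSAGE` and `response_code` are what a caller would consult before trusting or retrying an answer, the corrected decode below is more than cosmetic; the four count fields and `p += 12` are fine as written.
```c
    /* … unchanged: allocation of r … */
    if (len < 12) {		/* DNS header is 12 octets; drop if already checked above */
	free(r);
	return NULL;
    }
    p = data;

    r->h.id = (p[0] << 8) | p[1];
    r->h.flags = 0;
    /* RFC 1035 4.1.1, third octet, MSB first: QR | Opcode(4) | AA | TC | RD */
    if (p[2] & 0x80)
	r->h.flags |= rk_DNS_HEADER_RESPONSE_FLAG;
    r->h.opcode = (p[2] >> 3) & 0xf;
    if (p[2] & 0x04)
	r->h.flags |= rk_DNS_HEADER_AUTHORITIVE_ANSWER;
    if (p[2] & 0x02)
	r->h.flags |= rk_DNS_HEADER_TRUNCATED_MESSAGE;
    if (p[2] & 0x01)
	r->h.flags |= rk_DNS_HEADER_RECURSION_DESIRED;
    /* fourth octet: RA | Z | AD | CD | RCODE(4); AD (0x20) has no flag constant visible here */
    if (p[3] & 0x80)
	r->h.flags |= rk_DNS_HEADER_RECURSION_AVAILABLE;
    if (p[3] & 0x10)
	r->h.flags |= rk_DNS_HEADER_CHECKING_DISABLED;
    r->h.response_code = p[3] & 0xf;
    /* … unchanged: qdcount/ancount/nscount/arcount, p += 12 … */
```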
@@ -412,51 +481,76 @@ parse_reply(const unsigned char *data, size_t len)
 static struct dns_reply *
 dns_lookup_int(const char *domain, int rr_class, int rr_type)
 {
- unsigned char reply[1024];
+ struct dns_reply *r;
+ unsigned char *reply = NULL;
+ int size;
 int len;
 #ifdef HAVE_RES_NSEARCH
- struct __res_state stat;
- memset(&stat, 0, sizeof(stat));
- if(res_ninit(&stat))
+ struct __res_state state;
+ memset(&state, 0, sizeof(state));
+ if(res_ninit(&state))
 return NULL; /* is this the best we can do? */
 #elif defined(HAVE__RES)
 u_long old_options = 0;
 #endif
- if (_resolve_debug) {
+ size = 0;
+ len = 1000;
+ do {
+ if (reply) {
+ free(reply);
+ reply = NULL;
+ }
+ if (size <= len)
+ size = len;
+ if (_resolve_debug) {
 #ifdef HAVE_RES_NSEARCH
- stat.options |= RES_DEBUG;
+ state.options |= RES_DEBUG;
 #elif defined(HAVE__RES)
- old_options = _res.options;
- _res.options |= RES_DEBUG;
+ old_options = _res.options;
+ _res.options |= RES_DEBUG;
 #endif
- fprintf(stderr, "dns_lookup(%s, %d, %s)\n", domain,
- rr_class, dns_type_to_string(rr_type));
- }
+ fprintf(stderr, "dns_lookup(%s, %d, %s), buffer size %d\n", domain,
+ rr_class, dns_type_to_string(rr_type), size);
+ }
+ reply = malloc(size);
+ if (reply == NULL) {
+#ifdef HAVE_RES_NSEARCH
+ res_nclose(&state);
+#endif
+ return NULL;
+ }
 #ifdef HAVE_RES_NSEARCH
- len = res_nsearch(&stat, domain, rr_class, rr_type, reply, sizeof(reply));
+ len = res_nsearch(&state, domain, rr_class, rr_type, reply, size);
 #else
- len = res_search(domain, rr_class, rr_type, reply, sizeof(reply));
+ len = res_search(domain, rr_class, rr_type, reply, size);
 #endif
- if (_resolve_debug) {
+ if (_resolve_debug) {
 #if defined(HAVE__RES) && !defined(HAVE_RES_NSEARCH)
- _res.options = old_options;
+ _res.options = old_options;
 #endif
- fprintf(stderr, "dns_lookup(%s, %d, %s) --> %d\n",
- domain, rr_class, dns_type_to_string(rr_type), len);
- }
+ fprintf(stderr, "dns_lookup(%s, %d, %s) --> %d\n",
+ domain, rr_class, dns_type_to_string(rr_type), 
len);
+ }
+ if (len < 0) {
 #ifdef HAVE_RES_NSEARCH
- res_nclose(&stat);
-#endif
- if(len < 0) {
- return NULL;
- } else {
- len = min(len, sizeof(reply));
- return parse_reply(reply, len);
- }
+ res_nclose(&state);
+#endif
+ free(reply);
+ return NULL;
+ }
+ } while (size < len && len < rk_DNS_MAX_PACKET_SIZE);
+#ifdef HAVE_RES_NSEARCH
+ res_nclose(&state);
+#endif
+
+ len = min(len, size);
+ r = parse_reply(reply, len);
+ free(reply);
+ return r;
 }
-struct dns_reply *
+struct dns_reply * ROKEN_LIB_FUNCTION
 dns_lookup(const char *domain, const char *type_name)
 {
 int type;
@@ -486,7 +580,7 @@ compare_srv(const void *a, const void *b)
 #endif
 /* try to rearrange the srv-records by the algorithm in RFC2782 */
-void
+void ROKEN_LIB_FUNCTION
 dns_srv_order(struct dns_reply *r)
 {
 struct resource_record **srvs, **ss, **headp;
@@ -499,7 +593,7 @@ dns_srv_order(struct dns_reply *r)
 #endif
 for(rr = r->head; rr; rr = rr->next)
- if(rr->type == T_SRV)
+ if(rr->type == rk_ns_t_srv)
 num_srv++;
 if(num_srv == 0)
@@ -512,7 +606,7 @@ dns_srv_order(struct dns_reply *r)
 /* unlink all srv-records from the linked list and put them in a vector */
 for(ss = srvs, headp = &r->head; *headp; )
- if((*headp)->type == T_SRV) {
+ if((*headp)->type == rk_ns_t_srv) {
 *ss = *headp;
 *headp = (*headp)->next;
 (*ss)->next = NULL;
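Review bot: The resolver state is closed at three separate points of the new retry loop in dns_lookup_int (the `malloc` failure, the `len < 0` branch and after the loop), each under its own `#ifdef HAVE_RES_NSEARCH`, and `reply` is freed on two of them; a single exit label makes it much harder for a later edit to leave the state open or leak the buffer, and `free(NULL)` being a no-op lets the malloc-failure path share it. The `1000` seed for `len` doubles as the first buffer size and `size`/`len` are `int`s handed to `malloc` and the resolver; a named constant beside `rk_DNS_MAX_PACKET_SIZE` and a comment such as `/* grow the buffer until the reply fits or the protocol maximum is reached; a reply still longer than the buffer is parsed truncated */` would document why the loop terminates. Note that when the loop ends because `len >= rk_DNS_MAX_PACKET_SIZE`, `len = min(len, size)` hands parse_reply a truncated message, so callers depend on parse_reply's bounds checks rather than on the TC header bit, which nothing here inspects. The hunk begins on the previous line and also covers the start of dns_lookup.
```c
    /* … unchanged: declarations, res_ninit, size/len seeding … */
    r = NULL;
    do {
	/* … unchanged: release previous reply, grow size, debug output … */
	reply = malloc(size);
	if (reply == NULL)
	    goto out;
	/* … unchanged: res_nsearch / res_search and debug output … */
	if (len < 0)
	    goto out;
    } while (size < len && len < rk_DNS_MAX_PACKET_SIZE);

    r = parse_reply(reply, min(len, size));
out:
    free(reply);		/* NULL when malloc failed */
#ifdef HAVE_RES_NSEARCH
    res_nclose(&state);
#endif
    return r;
```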
@@ -577,88 +671,20 @@ dns_srv_order(struct dns_reply *r) #else /* NOT defined(HAVE_RES_SEARCH) && defined(HAVE_DN_EXPAND) */ -struct dns_reply * +struct dns_reply * ROKEN_LIB_FUNCTION dns_lookup(const char *domain, const char *type_name) { return NULL; } -void +void ROKEN_LIB_FUNCTION dns_free_data(struct dns_reply *r) { } -void +void ROKEN_LIB_FUNCTION dns_srv_order(struct dns_reply *r) { } #endif - -#ifdef TEST -int -main(int argc, char **argv) -{ - struct dns_reply *r; - struct resource_record *rr; - r = dns_lookup(argv[1], argv[2]); - if(r == NULL){ - printf("No reply.\n"); - return 1; - } - if(r->q.type == T_SRV) - dns_srv_order(r); - - for(rr = r->head; rr;rr=rr->next){ - printf("%-30s %-5s %-6d ", rr->domain, dns_type_to_string(rr->type), rr->ttl); - switch(rr->type){ - case T_NS: - case T_CNAME: - case T_PTR: - printf("%s\n", (char*)rr->u.data); - break; - case T_A: - printf("%s\n", inet_ntoa(*rr->u.a)); - break; - case T_MX: - case T_AFSDB:{ - printf("%d %s\n", rr->u.mx->preference, rr->u.mx->domain); - break; - } - case T_SRV:{ - struct srv_record *srv = rr->u.srv; - printf("%d %d %d %s\n", srv->priority, srv->weight, - srv->port, srv->target); - break; - } - case T_TXT: { - printf("%s\n", rr->u.txt); - break; - } - case T_SIG : { - struct sig_record *sig = rr->u.sig; - const char *type_string = dns_type_to_string (sig->type); - - printf ("type %u (%s), algorithm %u, labels %u, orig_ttl %u, sig_expiration %u, sig_inception %u, key_tag %u, signer %s\n", - sig->type, type_string ? type_string : "", - sig->algorithm, sig->labels, sig->orig_ttl, - sig->sig_expiration, sig->sig_inception, sig->key_tag, - sig->signer); - break; - } - case T_KEY : { - struct key_record *key = rr->u.key; - - printf ("flags %u, protocol %u, algorithm %u\n", - key->flags, key->protocol, key->algorithm); - break; - } - default: - printf("\n"); - break; - } - } - - return 0; -} -#endif 
diff --git a/kerberosV/src/lib/roken/unvis.c b/kerberosV/src/lib/roken/unvis.c
index fc3eaf0b1fb..10df0d77934 100644
--- a/kerberosV/src/lib/roken/unvis.c
+++ b/kerberosV/src/lib/roken/unvis.c
@@ -32,7 +32,7 @@
 #if 1
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$KTH: unvis.c,v 1.2 2000/12/06 21:41:46 joda Exp $");
+RCSID("$KTH: unvis.c,v 1.5 2005/04/18 08:28:35 lha Exp $");
 #endif
 #include <roken.h>
 #ifndef _DIAGASSERT
@@ -86,7 +86,7 @@ __warn_references(unvis,
 * unvis - decode characters previously encoded by vis
 */
 #ifndef HAVE_UNVIS
-int
+int ROKEN_LIB_FUNCTION
 unvis(char *cp, int c, int *astate, int flag)
 {
@@ -250,7 +250,7 @@ unvis(char *cp, int c, int *astate, int flag)
 */
 #ifndef HAVE_STRUNVIS
-int
+int ROKEN_LIB_FUNCTION
 strunvis(char *dst, const char *src)
 {
 char c;
@@ -262,7 +262,7 @@ strunvis(char *dst, const char *src)
 while ((c = *src++) != '\0') {
 again:
- switch (unvis(dst, c, &state, 0)) {
+ switch (unvis(dst, (unsigned char)c, &state, 0)) {
 case UNVIS_VALID:
 dst++;
 break;
@@ -276,7 +276,7 @@ strunvis(char *dst, const char *src)
 return (-1);
 }
 }
- if (unvis(dst, c, &state, UNVIS_END) == UNVIS_VALID)
+ if (unvis(dst, (unsigned char)c, &state, UNVIS_END) == UNVIS_VALID)
 dst++;
 *dst = '\0';
 return (dst - start);
diff --git a/kerberosV/src/lib/roken/vis.c b/kerberosV/src/lib/roken/vis.c
index d2cb1783f58..dc1c2e330a9 100644
--- a/kerberosV/src/lib/roken/vis.c
+++ b/kerberosV/src/lib/roken/vis.c
@@ -1,7 +1,6 @@
-/* $NetBSD: vis.c,v 1.19 2000/01/22 22:42:45 mycroft Exp $ */
+/* $NetBSD: vis.c,v 1.4 2003/08/07 09:15:32 agc Exp $ */
 /*-
- * Copyright (c) 1999 The NetBSD Foundation, Inc.
 * Copyright (c) 1989, 1993
 * The Regents of the University of California. All rights reserved.
 *
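Review bot: The two `(unsigned char)c` casts in strunvis stop high-bit bytes from reaching unvis() as negative `int`s, but the variable is still declared `char c;` (context line of the `@@ -250` hunk), so the next `unvis(dst, c, ...)` call someone adds reintroduces the sign extension; declaring `unsigned char c;` once and passing `c` unchanged at both sites is the durable form, and the `while ((c = *src++) != '\0')` test is unaffected by it. A comment at the declaration, `/* unsigned: unvis() receives the byte as an int and must never see a sign-extended value */`, records the reason for whoever touches this next. strunvis's body is spread over several hunks here and its end is outside the last one.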
@@ -30,11 +29,43 @@ * SUCH DAMAGE. */ +/*- + * Copyright (c) 1999 The NetBSD Foundation, Inc. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the University of + * California, Berkeley and its contributors. + * 4. Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + #if 1 #ifdef HAVE_CONFIG_H #include <config.h> -RCSID("$KTH: vis.c,v 1.5 2001/09/03 05:37:23 assar Exp $"); +RCSID("$KTH: vis.c,v 1.9 2005/04/12 11:29:15 lha Exp $"); #endif #include <roken.h> #ifndef _DIAGASSERT @@ -43,7 +74,7 @@ RCSID("$KTH: vis.c,v 1.5 2001/09/03 05:37:23 assar Exp $"); #else #include <sys/cdefs.h> #if !defined(lint) -__RCSID("$NetBSD: vis.c,v 1.19 2000/01/22 22:42:45 mycroft Exp $"); +__RCSID("$NetBSD: vis.c,v 1.4 2003/08/07 09:15:32 agc Exp $"); #endif /* not lint */ #endif @@ -178,7 +209,7 @@ do { \ * pointed to by `extra' */ #ifndef HAVE_SVIS -char * +char * ROKEN_LIB_FUNCTION svis(char *dst, int c, int flag, int nextc, const char *extra) { _DIAGASSERT(dst != NULL); @@ -207,7 +238,7 @@ svis(char *dst, int c, int flag, int nextc, const char *extra) * This is useful for encoding a block of data. */ #ifndef HAVE_STRSVIS -int +int ROKEN_LIB_FUNCTION strsvis(char *dst, const char *src, int flag, const char *extra) { char c; @@ -226,7 +257,7 @@ strsvis(char *dst, const char *src, int flag, const char *extra) #ifndef HAVE_STRVISX -int +int ROKEN_LIB_FUNCTION strsvisx(char *dst, const char *src, size_t len, int flag, const char *extra) { char c; @@ -250,7 +281,7 @@ strsvisx(char *dst, const char *src, size_t len, int flag, const char *extra) * vis - visually encode characters */ #ifndef HAVE_VIS -char * +char * ROKEN_LIB_FUNCTION vis(char *dst, int c, int flag, int nextc) { char extra[MAXEXTRAS]; @@ -276,7 +307,7 @@ vis(char *dst, int c, int flag, int nextc) * This is useful for encoding a block of data. */ #ifndef HAVE_STRVIS -int +int ROKEN_LIB_FUNCTION strvis(char *dst, const char *src, int flag) { char extra[MAXEXTRAS]; @@ -288,7 +319,7 @@ strvis(char *dst, const char *src, int flag) #ifndef HAVE_STRVISX -int +int ROKEN_LIB_FUNCTION strvisx(char *dst, const char *src, size_t len, int flag) { char extra[MAXEXTRAS]; diff --git a/kerberosV/src/lib/roken/vis.hin b/kerberosV/src/lib/roken/vis.hin index a2ac48f81d6..c9f3f7cdc17 100644 
--- a/kerberosV/src/lib/roken/vis.hin +++ b/kerberosV/src/lib/roken/vis.hin @@ -1,5 +1,5 @@ /* $NetBSD: vis.h,v 1.11 1999/11/25 16:55:50 wennmach Exp $ */ -/* $KTH: vis.hin,v 1.1 2000/12/06 21:35:47 joda Exp $ */ +/* $KTH: vis.hin,v 1.3 2005/04/12 11:29:15 lha Exp $ */ /*- * Copyright (c) 1990, 1993 @@ -35,6 +35,14 @@ #ifndef _VIS_H_ #define _VIS_H_ +#ifndef ROKEN_LIB_FUNCTION +#ifdef _WIN32 +#define ROKEN_LIB_FUNCTION _stdcall +#else +#define ROKEN_LIB_FUNCTION +#endif +#endif + /* * to select alternate encoding format */ @@ -70,13 +78,21 @@ */ #define UNVIS_END 1 /* no more characters */ -char *vis (char *, int, int, int); -char *svis (char *, int, int, int, const char *); -int strvis (char *, const char *, int); -int strsvis (char *, const char *, int, const char *); -int strvisx (char *, const char *, size_t, int); -int strsvisx (char *, const char *, size_t, int, const char *); -int strunvis (char *, const char *); -int unvis (char *, int, int *, int); +char ROKEN_LIB_FUNCTION + *vis (char *, int, int, int); +char ROKEN_LIB_FUNCTION + *svis (char *, int, int, int, const char *); +int ROKEN_LIB_FUNCTION + strvis (char *, const char *, int); +int ROKEN_LIB_FUNCTION + strsvis (char *, const char *, int, const char *); +int ROKEN_LIB_FUNCTION + strvisx (char *, const char *, size_t, int); +int ROKEN_LIB_FUNCTION + strsvisx (char *, const char *, size_t, int, const char *); +int ROKEN_LIB_FUNCTION + strunvis (char *, const char *); +int ROKEN_LIB_FUNCTION + unvis (char *, int, int *, int); #endif /* !_VIS_H_ */ diff --git a/kerberosV/src/lib/roken/warnerr.c b/kerberosV/src/lib/roken/warnerr.c index e37493b2530..0dbfa18a747 100644 --- a/kerberosV/src/lib/roken/warnerr.c +++ b/kerberosV/src/lib/roken/warnerr.c 
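Review bot: The new prototypes put the calling-convention macro between the return type and the `*`, `char ROKEN_LIB_FUNCTION *vis (...)`, whereas the definitions in vis.c on the previous lines use `char * ROKEN_LIB_FUNCTION svis (...)`; on the one configuration where the macro is non-empty (`_WIN32`, where it becomes `_stdcall`) declaration and definition then differ in token order, and I would not assume every compiler reads both as the same declaration. Writing the header like the definitions, `char * ROKEN_LIB_FUNCTION vis (char *, int, int, int);` and likewise for `svis`, removes the doubt. The `#ifndef ROKEN_LIB_FUNCTION` fallback block presumably duplicates a definition in roken.h; a comment naming which copy is authoritative would keep the two from drifting.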
@@ -33,13 +33,13 @@ #ifdef HAVE_CONFIG_H #include <config.h> -RCSID("$KTH: warnerr.c,v 1.15 2001/07/09 14:56:51 assar Exp $"); +RCSID("$KTH: warnerr.c,v 1.16 2005/04/12 11:29:17 lha Exp $"); #endif #include "roken.h" #include "err.h" -void +void ROKEN_LIB_FUNCTION warnerr(int doerrno, const char *fmt, va_list ap) { int sverrno = errno; diff --git a/kerberosV/src/lib/roken/write_pid.c b/kerberosV/src/lib/roken/write_pid.c index 9c7662f80e4..2d5874e7944 100644 --- a/kerberosV/src/lib/roken/write_pid.c +++ b/kerberosV/src/lib/roken/write_pid.c @@ -33,7 +33,7 @@ #ifdef HAVE_CONFIG_H #include <config.h> -RCSID("$KTH: write_pid.c,v 1.6 2001/09/02 23:58:15 assar Exp $"); +RCSID("$KTH: write_pid.c,v 1.7 2005/04/12 11:29:17 lha Exp $"); #endif #include <stdio.h> @@ -43,7 +43,7 @@ RCSID("$KTH: write_pid.c,v 1.6 2001/09/02 23:58:15 assar Exp $"); #include "roken.h" -char * +char * ROKEN_LIB_FUNCTION pid_file_write (const char *progname) { FILE *fp; @@ -62,7 +62,7 @@ pid_file_write (const char *progname) return ret; } -void +void ROKEN_LIB_FUNCTION pid_file_delete (char **filename) { if (*filename != NULL) { diff --git a/kerberosV/src/lib/sl/sl.c b/kerberosV/src/lib/sl/sl.c index 86e1f7cbccb..c45877f2f1d 100644 --- a/kerberosV/src/lib/sl/sl.c +++ b/kerberosV/src/lib/sl/sl.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan + * Copyright (c) 1995 - 2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #ifdef HAVE_CONFIG_H #include <config.h> -RCSID("$KTH: sl.c,v 1.29 2001/02/20 01:44:55 assar Exp $"); +RCSID("$KTH: sl.c,v 1.31 2005/05/09 15:31:43 lha Exp $"); #endif #include "sl_locl.h" @@ -131,7 +131,7 @@ mandoc_template(SL_cmd *cmds, printf(".\\\".Sh BUGS\n"); } -static SL_cmd * +SL_cmd * sl_match (SL_cmd *cmds, char *cmd, int exactp) { SL_cmd *c, *current = NULL, *partial_cmd = NULL; 
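Review bot: Removing `static` from `sl_match` exports it from libsl, but no prototype is added in this diff; unless the header that declares the other `sl_*` entry points gains `SL_cmd *sl_match (SL_cmd *cmds, char *cmd, int exactp);`, external callers compile against an implicit declaration and `-Wmissing-prototypes` will flag the definition. Now that it is part of the public surface, `char *cmd` could become `const char *cmd` if the body (outside the hunk) does not write through it, and a one-line comment stating what `exactp` selects would make the new contract readable from the declaration.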
@@ -295,7 +295,11 @@ static char *sl_readline(const char *prompt)
 return s;
 }
-/* return values: 0 on success, -1 on fatal error, or return value of command */
+/* return values:
+ * 0 on success,
+ * -1 on fatal error,
+ * -2 if EOF, or
+ * return value of command */
 int
 sl_command_loop(SL_cmd *cmds, const char *prompt, void **data)
 {
@@ -307,7 +311,7 @@ sl_command_loop(SL_cmd *cmds, const char *prompt, void **data)
 ret = 0;
 buf = sl_readline(prompt);
 if(buf == NULL)
- return 1;
+ return -2;
 if(*buf)
 add_history(buf);
@@ -334,7 +338,7 @@ sl_loop(SL_cmd *cmds, const char *prompt)
 {
 void *data = NULL;
 int ret;
- while((ret = sl_command_loop(cmds, prompt, &data)) == 0)
+ while((ret = sl_command_loop(cmds, prompt, &data)) >= 0)
 ;
 return ret;
 }
diff --git a/kerberosV/src/lib/vers/print_version.c b/kerberosV/src/lib/vers/print_version.c
index a87849ed6ba..499fd5e22b7 100644
--- a/kerberosV/src/lib/vers/print_version.c
+++ b/kerberosV/src/lib/vers/print_version.c
@@ -33,7 +33,7 @@
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$KTH: print_version.c,v 1.6.2.1 2004/02/12 18:31:33 joda Exp $");
+RCSID("$KTH: print_version.c,v 1.9 2005/01/01 14:27:47 lha Exp $");
 #endif
 #include "roken.h"
@@ -52,6 +52,6 @@ print_version(const char *progname)
 if(*package_list == '\0')
 package_list = "no version information";
 fprintf(stderr, "%s (%s)\n", progname, package_list);
- fprintf(stderr, "Copyright 1999-2004 Kungliga Tekniska Högskolan\n");
+ fprintf(stderr, "Copyright 1999-2005 Kungliga Tekniska Högskolan\n");
 fprintf(stderr, "Send bug-reports to %s\n", PACKAGE_BUGREPORT);
 } |
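Review bot: Changing sl_loop's condition from `== 0` to `>= 0` means a command that returns a positive value no longer ends the loop; only a negative value does (`-1` fatal, the new `-2` for EOF, or a command's own negative status), and that value is what sl_loop now hands back, where EOF used to surface as `1`. The updated comment on sl_command_loop lists its codes, but sl_loop itself has none and it is the function whose observable result changed; a comment above it such as `/* run commands until one returns a negative value and return it: -1 fatal error, -2 EOF, or a command's own negative status; positive command results do not stop the loop */` would put the new contract where callers look for it. Callers of sl_loop are outside this diff, so whether any tested for the old `1` cannot be checked here.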