133 files changed, 9108 insertions, 4002 deletions
diff --git a/kerberosV/src/aclocal.m4 b/kerberosV/src/aclocal.m4 index 1e2ce60528b..f82cf3b0f10 100644 --- a/kerberosV/src/aclocal.m4 +++ b/kerberosV/src/aclocal.m4 @@ -6057,30 +6057,6 @@ AC_CONFIG_COMMANDS_PRE( Usually this means the macro was only invoked conditionally.]) fi])]) -# Like AC_CONFIG_HEADER, but automatically create stamp file. -*- Autoconf -*- - -# Copyright (C) 1996, 1997, 2000, 2001, 2003 Free Software Foundation, Inc. - -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2, or (at your option) -# any later version. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. - -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA -# 02111-1307, USA. - -# serial 7 - -# AM_CONFIG_HEADER is obsolete. It has been replaced by AC_CONFIG_HEADERS. -AU_DEFUN([AM_CONFIG_HEADER], [AC_CONFIG_HEADERS($@)]) - # Do all the work for Automake. -*- Autoconf -*- # This macro actually does too much some checks are only needed if @@ -6608,7 +6584,6 @@ m4_include([cf/broken2.m4]) m4_include([cf/c-attribute.m4]) m4_include([cf/capabilities.m4]) m4_include([cf/check-compile-et.m4]) -m4_include([cf/check-declaration.m4]) m4_include([cf/check-getpwnam_r-posix.m4]) m4_include([cf/check-man.m4]) m4_include([cf/check-netinet-ip-and-tcp.m4]) 
@@ -6634,16 +6609,20 @@ m4_include([cf/krb-prog-ln-s.m4]) m4_include([cf/krb-readline.m4]) m4_include([cf/krb-struct-spwd.m4]) m4_include([cf/krb-struct-winsize.m4]) +m4_include([cf/largefile.m4]) m4_include([cf/mips-abi.m4]) m4_include([cf/misc.m4]) m4_include([cf/need-proto.m4]) m4_include([cf/osfc2.m4]) m4_include([cf/otp.m4]) m4_include([cf/proto-compat.m4]) +m4_include([cf/pthreads.m4]) m4_include([cf/retsigtype.m4]) m4_include([cf/roken-frag.m4]) m4_include([cf/sunos.m4]) m4_include([cf/telnet.m4]) m4_include([cf/test-package.m4]) m4_include([cf/wflags.m4]) +m4_include([cf/win32.m4]) m4_include([cf/with-all.m4]) +m4_include([acinclude.m4]) diff --git a/kerberosV/src/admin/ktutil.c b/kerberosV/src/admin/ktutil.c index 5b585747d3f..f9c001dae64 100644 --- a/kerberosV/src/admin/ktutil.c +++ b/kerberosV/src/admin/ktutil.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -34,7 +34,7 @@ #include "ktutil_locl.h" #include <err.h> -RCSID("$KTH: ktutil.c,v 1.36 2002/02/11 14:14:11 joda Exp $"); +RCSID("$KTH: ktutil.c,v 1.38 2005/05/02 19:10:19 lha Exp $"); static int help_flag; static int version_flag; 
@@ -42,35 +42,6 @@ int verbose_flag; char *keytab_string; static char keytab_buf[256]; -static int help(int argc, char **argv); - -static SL_cmd cmds[] = { - { "add", kt_add, "add", - "adds key to keytab" }, - { "change", kt_change, "change [principal...]", - "get new key for principals (all)" }, - { "copy", kt_copy, "copy src dst", - "copy one keytab to another" }, - { "get", kt_get, "get [principal...]", - "create key in database and add to keytab" }, - { "list", kt_list, "list", - "shows contents of a keytab" }, - { "purge", kt_purge, "purge", - "remove old and superceeded entries" }, - { "remove", kt_remove, "remove", - "remove key from keytab" }, - { "rename", kt_rename, "rename from to", - "rename entry" }, - { "srvconvert", srvconv, "srvconvert [flags]", - "convert v4 srvtab to keytab" }, - { "srv2keytab" }, - { "srvcreate", srvcreate, "srvcreate [flags]", - "convert keytab to v4 srvtab" }, - { "key2srvtab" }, - { "help", help, "help", "" }, - { NULL, NULL, NULL, NULL } -}; - static struct getargs args[] = { { "version", @@ -134,10 +105,37 @@ ktutil_open_keytab(void) return keytab; } -static int -help(int argc, char **argv) +int +help(void *opt, int argc, char **argv) { - sl_help(cmds, argc, argv); + if(argc == 0) { + sl_help(commands, 1, argv - 1 /* XXX */); + } else { + SL_cmd *c = sl_match (commands, argv[0], 0); + if(c == NULL) { + fprintf (stderr, "No such command: %s. " + "Try \"help\" for a list of commands\n", + argv[0]); + } else { + if(c->func) { + char *fake[] = { NULL, "--help", NULL }; + fake[0] = argv[0]; + (*c->func)(2, fake); + fprintf(stderr, "\n"); + } + if(c->help && *c->help) + fprintf (stderr, "%s\n", c->help); + if((++c)->name && c->func == NULL) { + int f = 0; + fprintf (stderr, "Synonyms:"); + while (c->name && c->func == NULL) { + fprintf (stderr, "%s%s", f ? ", " : " ", (c++)->name); + f = 1; + } + fprintf (stderr, "\n"); + } + } + } return 0; } 
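Review bot: `sl_help(commands, 1, argv - 1 /* XXX */)` in the new help() forms a pointer one element before argv, which is only well-defined if every caller passes argv pointing at least one element into a larger array (presumably sl_command hands over argv with the command name stripped); if help() is ever reached with argv at the start of an array, the subtraction itself is undefined behaviour before sl_help even looks at it. Replace the XXX with a comment stating that precondition, e.g. `/* argv[-1] is the "help" word sl_command stripped; sl_help wants it back as argv[0] */`, or build a local two-element array the way the `--help` branch already builds `fake`, which removes the dependency on the caller's layout entirely. The `opt` parameter is unused and deserves a one-line comment saying it exists to match the generated command signature, since help() is now exported and its prototype lives in ktutil-commands.h outside this hunk.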
@@ -169,7 +167,7 @@ main(int argc, char **argv) argv += optind; if(argc == 0) usage(1); - ret = sl_command(cmds, argc, argv); + ret = sl_command(commands, argc, argv); if(ret == -1) krb5_warnx (context, "unrecognized command: %s", argv[0]); return ret; diff --git a/kerberosV/src/admin/ktutil_locl.h b/kerberosV/src/admin/ktutil_locl.h index ef1399df4f8..6450d66c185 100644 --- a/kerberosV/src/admin/ktutil_locl.h +++ b/kerberosV/src/admin/ktutil_locl.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -32,7 +32,7 @@ */ /* - * $KTH: ktutil_locl.h,v 1.18 2002/09/10 20:03:45 joda Exp $ + * $KTH: ktutil_locl.h,v 1.20 2005/04/15 05:02:39 lha Exp $ */ #ifndef __KTUTIL_LOCL_H__ @@ -61,6 +61,7 @@ #include <sl.h> #include <getarg.h> +#include <hex.h> extern krb5_context context; @@ -69,15 +70,6 @@ extern char *keytab_string; krb5_keytab ktutil_open_keytab(void); -int kt_add (int argc, char **argv); -int kt_change (int argc, char **argv); -int kt_copy (int argc, char **argv); -int kt_get (int argc, char **argv); -int kt_list(int argc, char **argv); -int kt_purge(int argc, char **argv); -int kt_remove(int argc, char **argv); -int kt_rename(int argc, char **argv); -int srvconv(int argc, char **argv); -int srvcreate(int argc, char **argv); +#include "ktutil-commands.h" #endif /* __KTUTIL_LOCL_H__ */ diff --git a/kerberosV/src/admin/list.c b/kerberosV/src/admin/list.c index 4e1332ad7ae..5b49534a8d1 100644 --- a/kerberosV/src/admin/list.c +++ b/kerberosV/src/admin/list.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * 
@@ -32,182 +32,119 @@ */ #include "ktutil_locl.h" +#include <rtbl.h> -RCSID("$KTH: list.c,v 1.10 2002/01/30 10:12:21 joda Exp $"); - -static int help_flag; -static int list_keys; -static int list_timestamp; - -static struct getargs args[] = { - { "help", 'h', arg_flag, &help_flag }, - { "keys", 0, arg_flag, &list_keys, "show key value" }, - { "timestamp", 0, arg_flag, &list_timestamp, "show timestamp" }, -}; - -static int num_args = sizeof(args) / sizeof(args[0]); - -struct key_info { - char *version; - char *etype; - char *principal; - char *timestamp; - char *key; - struct key_info *next; -}; +RCSID("$KTH: list.c,v 1.13 2004/09/29 11:17:13 lha Exp $"); static int -do_list(const char *keytab_string) +do_list(struct list_options *opt, const char *keytab_string) { krb5_error_code ret; krb5_keytab keytab; krb5_keytab_entry entry; krb5_kt_cursor cursor; - struct key_info *ki, **kie = &ki, *kp; - - int max_version = sizeof("Vno") - 1; - int max_etype = sizeof("Type") - 1; - int max_principal = sizeof("Principal") - 1; - int max_timestamp = sizeof("Date") - 1; - int max_key = sizeof("Key") - 1; + rtbl_t table; /* XXX specialcase the ANY type */ if(strncasecmp(keytab_string, "ANY:", 4) == 0) { int flag = 0; char buf[1024]; keytab_string += 4; + ret = 0; while (strsep_copy((const char**)&keytab_string, ",", buf, sizeof(buf)) != -1) { if(flag) printf("\n"); - do_list(buf); + if(do_list(opt, buf)) + ret = 1; flag = 1; } - return 0; + return ret; } ret = krb5_kt_resolve(context, keytab_string, &keytab); if (ret) { krb5_warn(context, ret, "resolving keytab %s", keytab_string); - return 0; + return ret; } ret = krb5_kt_start_seq_get(context, keytab, &cursor); - if(ret){ + if(ret) { krb5_warn(context, ret, "krb5_kt_start_seq_get %s", keytab_string); - goto out; + krb5_kt_close(context, keytab); + return ret; } printf ("%s:\n\n", keytab_string); + table = rtbl_create(); + rtbl_add_column_by_id(table, 0, "Vno", RTBL_ALIGN_RIGHT); + rtbl_add_column_by_id(table, 1, "Type", 0); + 
rtbl_add_column_by_id(table, 2, "Principal", 0); + if (opt->timestamp_flag) + rtbl_add_column_by_id(table, 3, "Date", 0); + if(opt->keys_flag) + rtbl_add_column_by_id(table, 4, "Key", 0); + rtbl_set_separator(table, " "); + while((ret = krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0){ -#define CHECK_MAX(F) if(max_##F < strlen(kp->F)) max_##F = strlen(kp->F) - - kp = malloc(sizeof(*kp)); - if (kp == NULL) { - krb5_kt_free_entry(context, &entry); - krb5_kt_end_seq_get(context, keytab, &cursor); - krb5_warn(context, ret, "malloc failed"); - goto out; - } + char buf[1024], *s; + + snprintf(buf, sizeof(buf), "%d", entry.vno); + rtbl_add_column_entry_by_id(table, 0, buf); - asprintf(&kp->version, "%d", entry.vno); - CHECK_MAX(version); ret = krb5_enctype_to_string(context, - entry.keyblock.keytype, &kp->etype); - if (ret != 0) - asprintf(&kp->etype, "unknown (%d)", entry.keyblock.keytype); - CHECK_MAX(etype); - krb5_unparse_name(context, entry.principal, &kp->principal); - CHECK_MAX(principal); - if (list_timestamp) { - char tstamp[256]; - - krb5_format_time(context, entry.timestamp, - tstamp, sizeof(tstamp), FALSE); - - kp->timestamp = strdup(tstamp); - CHECK_MAX(timestamp); + entry.keyblock.keytype, &s); + if (ret != 0) { + snprintf(buf, sizeof(buf), "unknown (%d)", entry.keyblock.keytype); + rtbl_add_column_entry_by_id(table, 1, buf); + } else { + rtbl_add_column_entry_by_id(table, 1, s); + free(s); } - if(list_keys) { + + krb5_unparse_name_fixed(context, entry.principal, buf, sizeof(buf)); + rtbl_add_column_entry_by_id(table, 2, buf); + + if (opt->timestamp_flag) { + krb5_format_time(context, entry.timestamp, buf, + sizeof(buf), FALSE); + rtbl_add_column_entry_by_id(table, 3, buf); + } + if(opt->keys_flag) { int i; - kp->key = malloc(2 * entry.keyblock.keyvalue.length + 1); + s = malloc(2 * entry.keyblock.keyvalue.length + 1); for(i = 0; i < entry.keyblock.keyvalue.length; i++) - snprintf(kp->key + 2 * i, 3, "%02x", + snprintf(s + 2 * i, 3, "%02x", 
((unsigned char*)entry.keyblock.keyvalue.data)[i]); - CHECK_MAX(key); + rtbl_add_column_entry_by_id(table, 4, s); + free(s); } - *kie = kp; - kie = &kp->next; krb5_kt_free_entry(context, &entry); } - *kie = NULL; /* terminate list */ ret = krb5_kt_end_seq_get(context, keytab, &cursor); + rtbl_format(table, stdout); + rtbl_destroy(table); - printf("%-*s %-*s %-*s", max_version, "Vno", - max_etype, "Type", - max_principal, "Principal"); - if(list_timestamp) - printf(" %-*s", max_timestamp, "Date"); - if(list_keys) - printf(" %s", "Key"); - printf("\n"); - - for(kp = ki; kp; ) { - printf("%*s %-*s %-*s", max_version, kp->version, - max_etype, kp->etype, - max_principal, kp->principal); - if(list_timestamp) - printf(" %-*s", max_timestamp, kp->timestamp); - if(list_keys) - printf(" %s", kp->key); - printf("\n"); - - /* free entries */ - free(kp->version); - free(kp->etype); - free(kp->principal); - if(list_timestamp) - free(kp->timestamp); - if(list_keys) { - memset(kp->key, 0, strlen(kp->key)); - free(kp->key); - } - ki = kp; - kp = kp->next; - free(ki); - } -out: krb5_kt_close(context, keytab); - return 0; + return ret; } int -kt_list(int argc, char **argv) +kt_list(struct list_options *opt, int argc, char **argv) { krb5_error_code ret; - int optind = 0; char kt[1024]; if(verbose_flag) - list_timestamp = 1; - - if(getarg(args, num_args, argc, argv, &optind)){ - arg_printusage(args, num_args, "ktutil list", ""); - return 1; - } - if(help_flag){ - arg_printusage(args, num_args, "ktutil list", ""); - return 0; - } + opt->timestamp_flag = 1; if (keytab_string == NULL) { if((ret = krb5_kt_default_name(context, kt, sizeof(kt))) != 0) { krb5_warn(context, ret, "getting default keytab name"); - return 0; + return 1; } keytab_string = kt; } - do_list(keytab_string); - return 0; + return do_list(opt, keytab_string) != 0; } diff --git a/kerberosV/src/appl/afsutil/afslog.c b/kerberosV/src/appl/afsutil/afslog.c index 63c67d3ad2d..aec953ac1ee 100644 
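Review bot: In the `keys_flag` branch of do_list the hex copy of the key is now freed without the `memset(kp->key, 0, strlen(kp->key))` the removed code performed, so key material lingers in freed heap memory, and the result of `malloc(2 * entry.keyblock.keyvalue.length + 1)` is written to unchecked. Add `if (s == NULL) krb5_errx(context, 1, "malloc failed");` after the malloc and `memset(s, 0, 2 * entry.keyblock.keyvalue.length);` before `free(s)`; a compiler may elide a plain memset immediately before free, so a non-elidable variant is preferable where the platform provides one, and rtbl presumably keeps its own copy of the string until rtbl_destroy, which this does not cover. `krb5_unparse_name_fixed(context, entry.principal, buf, sizeof(buf))` is also unchecked, so on failure the table would show whatever the previous iteration left in `buf`; test its return the way krb5_enctype_to_string's is tested just above.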
--- a/kerberosV/src/appl/afsutil/afslog.c +++ b/kerberosV/src/appl/afsutil/afslog.c @@ -33,7 +33,7 @@ #ifdef HAVE_CONFIG_H #include <config.h> -RCSID("$KTH: afslog.c,v 1.21.2.2 2003/08/25 11:43:51 lha Exp $"); +RCSID("$KTH: afslog.c,v 1.24 2004/09/03 12:11:40 lha Exp $"); #endif #include <ctype.h> #ifdef KRB5 @@ -70,10 +70,10 @@ struct getargs args[] = { { "realm", 'k', arg_string, &realm, "realm for afs cell", "realm" }, { "unlog", 'u', arg_flag, &unlog_flag, "remove tokens" }, #ifdef KRB4 - { "v4", 0, arg_negative_flag, &use_krb4, "use Kerberos 4" }, + { "v4", 0, arg_negative_flag, &use_krb4, "don't use Kerberos 4" }, #endif #ifdef KRB5 - { "v5", 0, arg_negative_flag, &use_krb5, "use Kerberos 5" }, + { "v5", 0, arg_negative_flag, &use_krb5, "don't use Kerberos 5" }, #endif #if 0 { "create-user", 0, arg_flag, &create_user, "create user if not found" }, diff --git a/kerberosV/src/appl/afsutil/pagsh.c b/kerberosV/src/appl/afsutil/pagsh.c index abad790ceb1..fa03ca1a71a 100644 --- a/kerberosV/src/appl/afsutil/pagsh.c +++ b/kerberosV/src/appl/afsutil/pagsh.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1995 - 2002 Kungliga Tekniska Högskolan + * Copyright (c) 1995 - 2005 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -35,7 +35,7 @@ #include <config.h> #endif -RCSID("$KTH: pagsh.c,v 1.6 2002/08/23 17:54:20 assar Exp $"); +RCSID("$KTH: pagsh.c,v 1.10 2005/02/12 14:23:28 lha Exp $"); #include <stdio.h> #include <stdlib.h> 
@@ -64,12 +64,22 @@ RCSID("$KTH: pagsh.c,v 1.6 2002/08/23 17:54:20 assar Exp $"); #include <roken.h> #include <getarg.h> +#ifndef TKT_ROOT +#define TKT_ROOT "/tmp/tkt" +#endif + static int help_flag; static int version_flag; static int c_flag; +#ifdef KRB5 +static char *typename_arg; +#endif struct getargs getargs[] = { { NULL, 'c', arg_flag, &c_flag }, +#ifdef KRB5 + { "cache-type", 0, arg_string, &typename_arg }, +#endif { "version", 0, arg_flag, &version_flag }, { "help", 'h', arg_flag, &help_flag }, }; 
@@ -90,93 +100,139 @@ usage(int ecode) int main(int argc, char **argv) { - int f; - char tf[1024]; - char *p; - - char *path; - char **args; - int i; - int optind = 0; - - if(getarg(getargs, num_args, argc, argv, &optind)) - usage(1); - if(help_flag) - usage(0); - if(version_flag) { - print_version(NULL); - exit(0); - } - - argc -= optind; - argv += optind; + int f; + char tf[1024]; + char *p; + + char *path; + char **args; + int i; + int optind = 0; + + if(getarg(getargs, num_args, argc, argv, &optind)) + usage(1); + if(help_flag) + usage(0); + if(version_flag) { + print_version(NULL); + exit(0); + } + + argc -= optind; + argv += optind; #ifdef KRB5 - snprintf (tf, sizeof(tf), "%sXXXXXXXXXX", KRB5_DEFAULT_CCROOT); - f = mkstemp (tf + 5); - close (f); - unlink (tf + 5); - esetenv("KRB5CCNAME", tf, 1); + { + const krb5_cc_ops *type; + krb5_error_code ret; + krb5_context context; + krb5_ccache id; + const char *name; + + ret = krb5_init_context(&context); + if (ret) /* XXX should this really call exit ? 
*/ + errx(1, "no kerberos 5 support"); + + if (typename_arg == NULL) { + char *s; + + name = krb5_cc_default_name(context); + if (name == NULL) + krb5_errx(context, 1, "Failed getting default " + "credential cache type"); + + typename_arg = strdup(name); + if (typename_arg == NULL) + errx(1, "strdup"); + + s = strchr(typename_arg, ':'); + if (s) + *s = '\0'; + } + + type = krb5_cc_get_prefix_ops(context, typename_arg); + if (type == NULL) + krb5_err(context, 1, ret, "Failed getting ops for %s " + "credential cache", typename_arg); + + ret = krb5_cc_gen_new(context, type, &id); + if (ret) + krb5_err(context, 1, ret, "Failed generating credential cache"); + + name = krb5_cc_get_name(context, id); + if (name == NULL) + krb5_errx(context, 1, "Generated credential cache have no name"); + + snprintf(tf, sizeof(tf), "%s:%s", typename_arg, name); + + ret = krb5_cc_close(context, id); + if (ret) + krb5_err(context, 1, ret, "Failed closing credential cache"); + + krb5_free_context(context); + + esetenv("KRB5CCNAME", tf, 1); + } #endif -#ifdef KRB4 - snprintf (tf, sizeof(tf), "%s_XXXXXXXXXX", TKT_ROOT); - f = mkstemp (tf); - close (f); - unlink (tf); - esetenv("KRBTKFILE", tf, 1); -#endif + snprintf (tf, sizeof(tf), "%s_XXXXXXXXXX", TKT_ROOT); + f = mkstemp (tf); + if (f < 0) + err(1, "mkstemp failed"); + close (f); + unlink (tf); + esetenv("KRBTKFILE", tf, 1); - i = 0; + i = 0; - args = (char **) malloc((argc + 10)*sizeof(char *)); - if (args == NULL) - errx (1, "Out of memory allocating %lu bytes", - (unsigned long)((argc + 10)*sizeof(char *))); + args = (char **) malloc((argc + 10)*sizeof(char *)); + if (args == NULL) + errx (1, "Out of memory allocating %lu bytes", + (unsigned long)((argc + 10)*sizeof(char *))); - if(*argv == NULL) { - path = getenv("SHELL"); - if(path == NULL){ - struct passwd *pw = k_getpwuid(geteuid()); - path = strdup(pw->pw_shell); + if(*argv == NULL) { + path = getenv("SHELL"); + if(path == NULL){ + struct passwd *pw = k_getpwuid(geteuid()); + path 
= strdup(pw->pw_shell); + } + } else { + path = strdup(*argv++); } - } else { - path = strdup(*argv++); - } - if (path == NULL) - errx (1, "Out of memory copying path"); + if (path == NULL) + errx (1, "Out of memory copying path"); - p=strrchr(path, '/'); - if(p) - args[i] = strdup(p+1); - else - args[i] = strdup(path); - - if (args[i++] == NULL) - errx (1, "Out of memory copying arguments"); + p=strrchr(path, '/'); + if(p) + args[i] = strdup(p+1); + else + args[i] = strdup(path); + + if (args[i++] == NULL) + errx (1, "Out of memory copying arguments"); - while(*argv) - args[i++] = *argv++; - - args[i++] = NULL; - - if(k_hasafs()) - k_setpag(); - - unsetenv("PAGPID"); - execvp(path, args); - if (errno == ENOENT) { - char **sh_args = malloc ((i + 2) * sizeof(char *)); - int j; - - if (sh_args == NULL) - errx (1, "Out of memory copying sh arguments"); - for (j = 1; j < i; ++j) - sh_args[j + 2] = args[j]; - sh_args[0] = "sh"; - sh_args[1] = "-c"; - sh_args[2] = path; - execv ("/bin/sh", sh_args); - } - err (1, "execvp"); + while(*argv) + args[i++] = *argv++; + + args[i++] = NULL; + + if(k_hasafs()) + k_setpag(); + + unsetenv("PAGPID"); + execvp(path, args); + if (errno == ENOENT || c_flag) { + char **sh_args = malloc ((i + 2) * sizeof(char *)); + int j; + + if (sh_args == NULL) + errx (1, "Out of memory copying sh arguments"); + for (j = 1; j < i; ++j) + sh_args[j + 2] = args[j]; + sh_args[0] = "sh"; + sh_args[1] = "-c"; + sh_args[2] = path; + execv ("/bin/sh", sh_args); + } + err (1, "execvp"); } diff --git a/kerberosV/src/doc/heimdal.texi b/kerberosV/src/doc/heimdal.texi index c42da655066..de635c65b18 100644 --- a/kerberosV/src/doc/heimdal.texi +++ b/kerberosV/src/doc/heimdal.texi @@ -1,6 +1,6 @@ \input texinfo @c -*- texinfo -*- @c %**start of header -@c $KTH: heimdal.texi,v 1.17 2001/02/24 05:09:24 assar Exp $ +@c $KTH: heimdal.texi,v 1.22 2005/04/24 09:18:32 lha Exp $ @setfilename heimdal.info @settitle HEIMDAL @iftex 
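Review bot: In the KRB5 block of main(), `krb5_err(context, 1, ret, "Failed getting ops for %s credential cache", typename_arg)` is only reached while `ret` is still 0 from the successful krb5_init_context, so the message is decorated with a meaningless "success" code; use `krb5_errx(context, 1, "Failed getting ops for %s credential cache", typename_arg)` there, as the other no-code failures in the block already do. Separately, the Kerberos 4 ticket-file name is still produced by mkstemp, close and unlink before being exported in KRBTKFILE, and the commit now does this unconditionally (the `#ifdef KRB4` guard is gone and the earlier hunk defaults TKT_ROOT to "/tmp/tkt"): once the file is unlinked the name is no longer reserved, so whatever later creates the ticket file must open it with O_EXCL-style semantics, or the code should again be limited to KRB4 builds so non-KRB4 binaries stop advertising a path they never use. The whole-function re-indentation also buries the functional changes in a 139-line hunk; a whitespace-only commit first would make the real diff reviewable.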
@@ -14,10 +14,10 @@ @syncodeindex pg cp @c %**end of header -@c not yet @include version.texi -@set UPDATED $Date: 2004/10/29 16:20:29 $ +@c @include version.texi +@set UPDATED $Date: 2006/04/14 08:15:03 $ @set EDITION 0.1 -@set VERSION 0.3a +@set VERSION 0.7 @ifinfo @dircategory Heimdal @@ -31,8 +31,9 @@ @title Heimdal @subtitle Kerberos 5 from KTH @subtitle Edition @value{EDITION}, for version @value{VERSION} -@subtitle 1999 +@subtitle 2004 @author Johan Danielsson +@author Love Hörnquist Åstrand @author Assar Westerlund @author last updated @value{UPDATED} @@ -41,7 +42,7 @@ @def@copyrightend{} @page @copyrightstart -Copyright (c) 1997-2000 Kungliga Tekniska Högskolan +Copyright (c) 1997-2005 Kungliga Tekniska Högskolan (Royal Institute of Technology, Stockholm, Sweden). All rights reserved. 
@@ -74,52 +75,6 @@ SUCH DAMAGE. @copynext -Copyright (C) 1995-1997 Eric Young (eay@@mincom.oz.au) -All rights reserved. - -This package is an DES implementation written by Eric Young (eay@@mincom.oz.au). -The implementation was written so as to conform with MIT's libdes. - -This library is free for commercial and non-commercial use as long as -the following conditions are aheared to. The following conditions -apply to all code found in this distribution. - -Copyright remains Eric Young's, and as such any Copyright notices in -the code are not to be removed. -If this package is used in a product, Eric Young should be given attribution -as the author of that the SSL library. This can be in the form of a textual -message at program startup or in documentation (online or textual) provided -with the package. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions -are met: - -1. Redistributions of source code must retain the copyright - notice, this list of conditions and the following disclaimer. - -2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - -3. All advertising materials mentioning features or use of this software - must display the following acknowledgement: - This product includes software developed by Eric Young (eay@@mincom.oz.au) - -THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND -ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -SUCH DAMAGE. - -@copynext - Copyright (C) 1990 by the Massachusetts Institute of Technology Export of this software from the United States of America may @@ -197,6 +152,10 @@ to the following restrictions: @copyrightend @end titlepage +@macro manpage{man, section} +@cite{\man\(\section\)} +@end macro + @c Less filling! Tastes great! @iftex @parindent=0pt @@ -209,16 +168,17 @@ to the following restrictions: @paragraphindent 0 @end ifinfo -@ifinfo +@ifnottex @node Top, Introduction, (dir), (dir) @top Heimdal -@end ifinfo +@end ifnottex @menu * Introduction:: * What is Kerberos?:: * Building and Installing:: * Setting up a realm:: +* Applications:: * Things in search for a better place:: * Kerberos 4 issues:: * Windows 2000 compatability:: @@ -232,6 +192,7 @@ to the following restrictions: @include whatis.texi @include install.texi @include setup.texi +@include apps.texi @include misc.texi @include kerberos4.texi @include win2k.texi diff --git a/kerberosV/src/doc/setup.texi b/kerberosV/src/doc/setup.texi index a313c3287c9..5b2ddc068e5 100644 --- a/kerberosV/src/doc/setup.texi +++ b/kerberosV/src/doc/setup.texi 
@@ -1,23 +1,26 @@ -@c $KTH: setup.texi,v 1.27.2.2 2003/10/21 21:37:56 lha Exp $ +@c $KTH: setup.texi,v 1.55 2005/06/07 00:54:51 lha Exp $ -@node Setting up a realm, Things in search for a better place, Building and Installing, Top +@node Setting up a realm, Applications, Building and Installing, Top @chapter Setting up a realm @menu -* Configuration file:: -* Creating the database:: -* keytabs:: +* Configuration file:: +* Creating the database:: +* Modifying the database:: +* keytabs:: * Serving Kerberos 4/524/kaserver:: -* Remote administration:: -* Password changing:: -* Testing clients and servers:: -* Slave Servers:: -* Incremental propagation:: +* Remote administration:: +* Password changing:: +* Testing clients and servers:: +* Slave Servers:: +* Incremental propagation:: * Salting:: * Cross realm:: * Transit policy:: * Setting up DNS:: +* Using LDAP to store the database:: +* Providing Kerberos credentials to servers and programs:: @end menu A @@ -40,9 +43,9 @@ There is a sample @file{krb5.conf} supplied in The configuration file is a hierarchical structure consisting of sections, each containing a list of bindings (either variable assignments or subsections). A section starts with -@samp{[section-name]}. A binding consists of a left hand side, an equal +@samp{[@samp{section-name}]}. A binding consists of a left hand side, an equal (@samp{=}) and a right hand side (the left hand side tag must be -separated from the equal with some whitespace.) Subsections has a +separated from the equal with some whitespace). Subsections has a @samp{@{} as the first non-whitespace character after the equal. All other bindings are treated as variable assignments. The value of a variable extends to the end of the line. 
@@ -72,7 +75,7 @@ are briefly described here. The @samp{libdefaults} section contains a list of library configuration parameters, such as the default realm and the timeout for KDC responses. The @samp{realms} section contains information about specific -realms, such as where they hide their KDC. This section serves the same +realms, such as where they hide their KDC@. This section serves the same purpose as the Kerberos 4 @file{krb.conf} file, but can contain more information. Finally the @samp{domain_realm} section contains a list of mappings from domains to realms, equivalent to the Kerberos 4 @@ -95,16 +98,16 @@ with contents similar to the following. @end example If you use a realm name equal to your domain name, you can omit the -@samp{libdefaults}, and @samp{domain_realm}, sections. If you have a -SRV-record for your realm, or your Kerberos server has CNAME called +@samp{libdefaults}, and @samp{domain_realm}, sections. If you have a DNS +SRV-record for your realm, or your Kerberos server has DNS CNAME @samp{kerberos.my.realm}, you can omit the @samp{realms} section too. -@node Creating the database, keytabs, Configuration file, Setting up a realm +@node Creating the database, Modifying the database, Configuration file, Setting up a realm @section Creating the database The database library will look for the database in the directory @file{/var/heimdal}, so you should probably create that directory. -Make sure the directory have restrictive permissions. +Make sure the directory has restrictive permissions. @example # mkdir /var/heimdal 
@@ -122,18 +125,25 @@ Master key: Verifying password - Master key: @end example -To initialise the database use the @code{kadmin} program, with the +If you want to generate a random master key you can use the +--random-key to kstash. This will make sure you have a good key +on which attackers can't do a dictionary attack. + +If you have a master key, make sure you make a backup of your master +key file; without it backups of the database are of no use. + +To initialise the database use the @command{kadmin} program, with the @samp{-l} option (to enable local database mode). First issue a @kbd{init MY.REALM} command. This will create the database and insert default principals for that realm. You can have more than one realm in one database, so @samp{init} does not destroy any old database. Before creating the database, @samp{init} will ask you some questions -about max ticket lifetimes. +about maximum ticket lifetimes. After creating the database you should probably add yourself to it. You do this with the @samp{add} command. It takes as argument the name of a -principal. The principal should contain a realm, so if you haven't setup +principal. The principal should contain a realm, so if you haven't set up a default realm, you will need to explicitly include the realm. @example 
@@ -179,10 +189,72 @@ krbtgt/MY.REALM@@MY.REALM 1:0:1:52b53b61c875ce16:-:0:7:c8943be ... kadmin/changepw@@MY.REALM 1:0:1:f48c8af2b340e9fb:-:0:7:e3e6088 ... @end smallexample -@node keytabs, Serving Kerberos 4/524/kaserver, Creating the database, Setting up a realm +@node Modifying the database, keytabs, Creating the database, Setting up a realm +@section Modifying the database + +All modifications of principals are done with with kadmin. + +A principal have several attributes and lifetimes associated with it. + +Principals are added, renamed, modified, and deleted with the kadmin +commands @samp{add}, @samp{rename}, @samp{modify}, @samp{delete}. +Both interactive editing and command switches can be used (use --help +to list the available options). + +There are different kind of types for the fields in the database, +attributes, absolute time times and relative times. + +@subsection Attributes + +When doing interactive editing, attributes are listed with @samp{?}. + +The attributes are given in a comma (@samp{,}) separated list. +Attributes are removed from the list by prefixing them with @samp{-}. + +@smallexample +kadmin> modify me +Max ticket life [1 day]: +Max renewable life [1 week]: +Principal expiration time [never]: +Password expiration time [never]: +Attributes [disallow-renewable]: requires-pre-auth,-disallow-renewable +kadmin> get me + Principal: me@@MY.REALM +[...] + Attributes: requires-pre-auth +@end smallexample + +@subsection Absolute times + +The format for absolute times are any of the following + +@smallexample +never +now +YYYY-mm-dd +YYYY-mm-dd HH:MM:SS +@end smallexample + + +@subsection Relative times + +The format for relative times are any of the following combined + +@smallexample +N year +M month +O day +P hour +Q minute +R second +@end smallexample + +@c Describe more of kadmin commands here... 
+ +@node keytabs, Serving Kerberos 4/524/kaserver, Modifying the database, Setting up a realm @section keytabs -To extract a service ticket from the database and put it in a keytab you +To extract a service ticket from the database and put it in a keytab, you need to first create the principal in the database with @samp{ank} (using the @kbd{--random-key} flag to get a random key) and then extract it with @samp{ext_keytab}. @@ -193,6 +265,7 @@ Max ticket life [unlimited]: Max renewable life [unlimited]: Attributes []: kadmin> ext host/my.host.name +kadmin> exit # ktutil list Version Type Principal 1 des-cbc-md5 host/my.host.name@@MY.REALM @@ -209,8 +282,8 @@ Support for Kerberos 4 has been removed in OpenBSD. @node Remote administration, Password changing, Serving Kerberos 4/524/kaserver, Setting up a realm @section Remote administration -The admin, @file{kadmin} is started automatically at boot by enabling it in -@file{/etc/rc.conf}. +The administration server, @command{kadmind}, can be started automatically +at boot by enabling it in @file{/etc/rc.conf}. For testing purposes, you can start it manually by running: 
@@ -218,26 +291,26 @@ For testing purposes, you can start it manually by running: # /usr/libexec/kadmind & @end smallexample -Access to the administration server is controlled by an acl-file, (default -@file{/var/heimdal/kadmind.acl}.) The lines in the access file, has the +Access to the administration server is controlled by an ACL file, (default +@file{/var/heimdal/kadmind.acl}.) The lines in the access file, have the following syntax: @smallexample principal [priv1,priv2,...] [glob-pattern] @end smallexample -The matching is from top to bottom for matching principal (and if given, -glob-pattern). When there is a match, the rights of that lines are +The matching is from top to bottom for matching principals (and if given, +glob-pattern). When there is a match, the access rights of that line are used. The privileges you can assign to a principal are: @samp{add}, @samp{change-password} (or @samp{cpw} for short), @samp{delete}, @samp{get}, @samp{list}, and @samp{modify}, or the special privilege @samp{all}. All of these roughly corresponds to the different commands -in @samp{kadmin}. +in @command{kadmin}. -If a @var{glob-pattern} is given on a line, it restricts the right for +If a @var{glob-pattern} is given on a line, it restricts the access rights for the principal to only apply for the subjects that match the pattern. -The patters are of the same type as those used in shell globbing, see +The patterns are of the same type as those used in shell globbing, see @url{none,,fnmatch(3)}. In the example below @samp{lha/admin} can change every principal in the 
@@ -263,31 +336,72 @@ automatically at boot if the master KDC is enabled in @file{/etc/rc.conf}. @subsection Password quality assurance It is important that users have good passwords, both to make it harder -to guess them and to avoid off-line attacks (pre-authentication provides -some defense against off-line attacks). To ensure that the users choose -good passwords, you can enable password quality controls in -@samp{kpasswdd}. The controls themselves are done in a shared library -that is used by @samp{kpasswdd}. To configure in these controls, add -lines similar to the following to your @file{/etc/kerberosV/krb5.conf}: +to guess them and to avoid off-line attacks (although +pre-authentication provides some defense against off-line attacks). +To ensure that the users choose good passwords, you can enable +password quality controls in @command{kpasswdd} and @command{kadmind}. +The controls themselves are done in a shared library or an external +program that is used by @command{kpasswdd}. To configure in these +controls, add lines similar to the following to your +@file{/etc/krb5.conf}: @example [password_quality] - check_library = @var{library} - check_function = @var{function} + policies = external-check builtin:minimum-length module:policyname + external_program = /bin/false + policy_libraries = @var{library1.so} @var{library2.so} @end example -The function @var{function} in the shared library @var{library} will be -called for proposed new passwords. The function should be declared as: +In @samp{[password_quality]policies} the module name is optional if +the policy name is unique in all modules (members of +@samp{policy_libraries}). + +The builtin polices are + +@itemize @bullet + +@item external-check + +Executes the program specified by @samp{[password_quality]external_program}. +A number of key/value pairs is passed as input to the program, one per +line, ending with the string @samp{end}. 
The key/value lines are of +the form @example -const char * -function(krb5_context context, krb5_principal principal, krb5_data *pwd); +principal: @var{principal} +new-password: @var{password} @end example +where @var{password} is the password to check for the previous +@var{principal}. + +If the external application approves the password, it should return +@samp{APPROVED} on standard out and exit with exit code 0. If it +doesn't approve the password, a one line error message explaining the +problem should be returned on standard error and the application +should exit with exit code 0. In case of a fatal error, the +application should, if possible, print an error message on standard +error and exit with a non-zero error code. + +@item minimum-length -The function should verify that @var{pwd} is a good password for -@var{principal} and if so return @code{NULL}. If it is deemed to be of -low quality, it should return a string explaining why that password -should not be used. +The minimum length password quality check reads the configuration file +stanza @samp{[password_quality]min_length} and requires the password +to be at least this length. + +@item character-class + +The character-class password quality check reads the configuration +file stanza @samp{[password_quality]min_classes}. The policy requires +the password to have characters from at least that many characters +classes. Default value if not given is 3. + +The four diffrent characters classes are, uppercase, lowercase, +number, special characters. + +@end itemize + +If you want to write you own shared object that checks password +policies, see the manual page @manpage{kadm5_pwcheck,3}. Code for a password quality checking function that uses the cracklib library can be found in @file{lib/kadm5/sample_password_check.c} in the 
@@ -295,8 +409,17 @@ source code distribution. It requires the cracklib library built with the patch available at @url{ftp://ftp.pdc.kth.se/pub/krb/src/cracklib.patch}. +A sample policy external program is included in +@file{lib/kadm5/check-cracklib.pl}. + If no password quality checking function is configured, it is only -verified that it is at least six characters of length. +verified that it is at least six characters long. + +The program @command{test_pw_quality}, which is built in +@file{lib/kadm5}, but not installed, can be used to check password +policy settings. It may be convenient to set the environment variable +@samp{KRB5_CONFIG} to point to a test version of @file{krb5.conf} +while you're testing the @samp{[password_quality]} stanza that way. @node Testing clients and servers, Slave Servers, Password changing, Setting up a realm @section Testing clients and servers @@ -311,21 +434,21 @@ It is desirable to have at least one backup (slave) server in case the master server fails. It is possible to have any number of such slave servers but more than three usually doesn't buy much more redundancy. -All Kerberos servers for a realm shall have the same database so that +All Kerberos servers for a realm must have the same database so that they present the same service to all the users. The @pindex hprop -@code{hprop} program, running on the master, will propagate the database +@command{hprop} program, running on the master, will propagate the database to the slaves, running @pindex hpropd -@code{hpropd} processes. +@command{hpropd} processes. Every slave needs a database directory, the master key (if it was used for the database) and a keytab with the principal @samp{hprop/@var{hostname}}. Add the principal with the @pindex ktutil -@code{ktutil} command and start +@command{ktutil} command and start @pindex hpropd -@code{hpropd}, as follows: +@command{hpropd}, as follows: @example slave# ktutil get -p foo/admin hprop/`hostname` 
@@ -346,39 +469,40 @@ Then run master# hprop slave @end example -This was just an on-hands example to make sure that everything was -working properly. Doing it manually is of course the wrong way and to +This was just an hands-on example to make sure that everything was +working properly. Doing it manually is of course the wrong way, and to automate this you will want to start @pindex hpropd -@code{hpropd} from @code{inetd} on the slave(s) and regularly run +@command{hpropd} from @command{inetd} on the slave(s) and regularly run @pindex hprop -@code{hprop} on the master to regularly propagate the database. -Starting the propagation once an hour from @code{cron} is probably a +@command{hprop} on the master to regularly propagate the database. +Starting the propagation once an hour from @command{cron} is probably a good idea. f@node Incremental propagation, Salting , Slave Servers, Setting up a realm @section Incremental propagation -There is also a newer and still somewhat experimental mechanism for +There is also a newer, and still somewhat experimental, mechanism for doing incremental propagation in Heimdal. Instead of sending the whole database regularly, it sends the changes as they happen on the master to -the slaves. The master keeps track of all the changes by assigned a +the slaves. The master keeps track of all the changes by assigning a version number to every change to the database. The slaves know which was the latest version they saw and in this way it can be determined if -they are in sync or not. A log of all the changes is kept on the master -and when a slave is at an older versioner than the oldest one in the +they are in sync or not. A log of all the changes is kept on the master, +and when a slave is at an older version than the oldest one in the log, the whole database has to be sent. 
-Protocol-wise, all the slaves connects to the master and as a greeting +Protocol-wise, all the slaves connect to the master and as a greeting tell it the latest version that they have (@samp{IHAVE} message). The master then responds by sending all the changes between that version and the current version at the master (a series of @samp{FORYOU} messages) -or the whole database in a @samp{TELLYOUEVERYTHING} message. +or the whole database in a @samp{TELLYOUEVERYTHING} message. There is +also a keep-alive protocol that makes sure all slaves are up and running. @subsection Configuring incremental propagation -The program that runs on the master is @code{ipropd-master} and all -clients run @code{ipropd-slave}. +The program that runs on the master is @command{ipropd-master} and all +clients run @command{ipropd-slave}. Create the file @file{/var/heimdal/slaves} on the master containing all the slaves that the database should be propagated to. Each line contains @@ -390,7 +514,7 @@ You should already have @samp{iprop/tcp} defined as 2121, in your for some peculiar reason, you can use the @kbd{--port} option. This is useful when you have multiple realms to distribute from one server. -Then you need to create these principals that you added in the +Then you need to create those principals that you added in the configuration file. Create one @samp{iprop/hostname} for the master and for every slave. 
@@ -399,13 +523,13 @@ for every slave. master# /usr/heimdal/sbin/ktutil get iprop/`hostname` @end example -The next step is to start the @code{ipropd-master} process on the master -server. The @code{ipropd-master} listens on the UNIX-socket +The next step is to start the @command{ipropd-master} process on the master +server. The @command{ipropd-master} listens on the UNIX domain socket @file{/var/heimdal/signal} to know when changes have been made to the database so they can be propagated to the slaves. There is also a safety feature of testing the version number regularly (every 30 seconds) to see if it has been modified by some means that do not raise -this signal. Then, start @code{ipropd-slave} on all the slaves: +this signal. Then, start @command{ipropd-slave} on all the slaves: @example master# /usr/heimdal/libexec/ipropd-master & @@ -420,7 +544,7 @@ Salting is used to make it harder to precalculate all possible keys. Using a salt increases the search space to make it almost impossible to precalculate all keys. Salting is the process of mixing a public string (the salt) with the password, then sending it through an -encryption-type specific string-to-key function that will output the +encryption type specific string-to-key function that will output the fixed size encryption key. In Kerberos 5 the salt is determined by the encryption-type, except @@ -428,7 +552,7 @@ in some special cases. In @code{des} there is the Kerberos 4 salt (none at all) or the afs-salt (using the cell (realm in -afs-lingo)). +AFS lingo)). In @code{arcfour} (the encryption type that Microsoft Windows 2000 uses) there is no salt. This is to be compatible with NTLM keys in Windows 
@@ -444,23 +568,25 @@ or afs3-salt), and the salt-string is the string that will be used as salt (remember that if the salt is appended/prepended, the empty salt "" is the same thing as no salt at all). -Common types of salting includes +Common types of salting include @itemize @bullet @item @code{v4} (or @code{des:pw-salt:}) -The Kerberos 4 salting is using no salt att all. Reason there is colon -that the end or the salt string is that it makes the salt the empty +The Kerberos 4 salting is using no salt at all. Reason there is colon +at the end of the salt string is that it makes the salt the empty string (same as no salt). @item @code{v5} (or @code{pw-salt}) -@code{pw-salt} means all regular encryption-types that is regular +@code{pw-salt} uses the default salt for each encryption type is +specified for. If the encryption type @samp{etype} isn't given, all +default encryption will be used. @item @code{afs3-salt} -@code{afs3-salt} is the salting that is used with Transarc kaserver. Its -the cell appended to the password. +@code{afs3-salt} is the salt that is used with Transarc kaserver. Its +the cell name appended to the password. @end itemize 
@@ -468,14 +594,14 @@ the cell appended to the password. @section Cross realm @cindex Cross realm -Suppose you are residing in the realm @samp{MY.REALM}, how do you +Suppose you reside in the realm @samp{MY.REALM}, how do you authenticate to a server in @samp{OTHER.REALM}? Having valid tickets in -@samp{MY.REALM} allows you to communicate with kerberised services in that +@samp{MY.REALM} allows you to communicate with Kerberised services in that realm. However, the computer in the other realm does not have a secret key shared with the Kerberos server in your realm. -It is possible to add a share keys between two realms that trust each -other. When a client program, such as @code{telnet} or @code{ssh}, +It is possible to share keys between two realms that trust each +other. When a client program, such as @command{telnet} or @command{ssh}, finds that the other computer is in a different realm, it will try to get a ticket granting ticket for that other realm, but from the local Kerberos server. With that ticket granting ticket, it will then obtain @@ -488,7 +614,7 @@ add the following principals to each realm. The principals should be @samp{krbtgt/MY.REALM@@OTHER.REALM} and @samp{krbtgt/OTHER.REALM@@MY.REALM}in @samp{OTHER.REALM}. -In Kerberos 5 the trust can be one configured to be one way. So that +In Kerberos 5 the trust can be configured to be one way. So that users from @samp{MY.REALM} can authenticate to services in @samp{OTHER.REALM}, but not the opposite. In the example above, the @samp{krbtgt/MY.REALM@@OTHER.REALM} then should be removed. 
@@ -534,13 +660,13 @@ May 3 14:10:54 May 3 23:55:54 host/hummel.it.su.se@@SU.SE @cindex Transit policy If you want to use cross realm authentication through an intermediate -realm it must be explicitly allowed by either the KDCs or the server +realm, it must be explicitly allowed by either the KDCs or the server receiving the request. This is done in @file{krb5.conf} in the @code{[capaths]} section. When the ticket transits through a realm to another realm, the destination realm adds its peer to the "transited-realms" field in the -ticket. The field is unordered, this is since there is no way to know if +ticket. The field is unordered, since there is no way to know if know if one of the transited-realms changed the order of the list. The syntax for @code{[capaths]} section: @@ -555,7 +681,7 @@ The syntax for @code{[capaths]} section: @end example The realm @code{STACKEN.KTH.SE} allows clients from @code{SU.SE} and -@code{DSV.SU.SE} to cross in. Since @code{STACKEN.KTH.SE} only have +@code{DSV.SU.SE} to cross it. Since @code{STACKEN.KTH.SE} only have direct cross realm with @code{KTH.SE}, and @code{DSV.SU.SE} only have direct cross realm with @code{SU.SE} they need to use both @code{SU.SE} and @code{KTH.SE} as transit realms. 
@@ -573,20 +699,31 @@ realm with @code{SU.SE} they need to use both @code{SU.SE} and @end cartouche @end example +The order of the @code{PERMITTED-CROSS-REALMS} is not important when +doing transit cross realm verification. + +However the order is important when the @code{[capaths]} section is used +to figure out the intermediate realm to go to when doing multi-realm +transit. When figuring out the next realm, the first realm of the list +of @code{PERMITTED-CROSS-REALMS} is chosen. This is done in both the +client kerberos library and the KDC. + @c To test the cross realm configuration, use: @c kmumble transit-check client server transit-realms ... -@node Setting up DNS, , Transit policy, Setting up a realm +@node Setting up DNS, Using LDAP to store the database, Transit policy, Setting up a realm @section Setting up DNS @cindex Setting up DNS +@subsection Using DNS to find KDC + If there is information about where to find the KDC or kadmind for a realm in the @file{krb5.conf} for a realm, that information will be -preferred and DNS will not be queried. +preferred, and DNS will not be queried. Heimdal will try to use DNS to find the KDCs for a realm. First it -will try to find @code{SRV} resource record (RR) for the realm. If no -SRV RRs are found, it will fall back to looking for a @code{A} RR for +will try to find a @code{SRV} resource record (RR) for the realm. If no +SRV RRs are found, it will fall back to looking for an @code{A} RR for a machine named kerberos.REALM, and then kerberos-1.REALM, etc Adding this information to DNS makes the client have less 
@@ -594,12 +731,12 @@ configuration (in the common case, no configuration) and allows the system administrator to change the number of KDCs and on what machines they are running without caring about clients. -The backside of using DNS that the client might be fooled to use the +The down side of using DNS that the client might be fooled to use the wrong server if someone fakes DNS replies/data, but storing the IP addresses of the KDC on all the clients makes it very hard to change the infrastructure. -Example of the configuration for the realm @code{EXAMPLE.COM}, +An example of the configuration for the realm @code{EXAMPLE.COM}, @example 
@@ -616,3 +753,237 @@ _kerberos-adm._tcp SRV 10 1 749 kerberos.example.com. More information about DNS SRV resource records can be found in RFC-2782 (A DNS RR for specifying the location of services (DNS SRV)). +@subsection Using DNS to map hostname to Kerberos realm + +Heimdal also supports a way to lookup a realm from a hostname. This to +minimize configuration needed on clients. Using this has the drawback +that clients can be redirected by an attacker to realms within the +same cross realm trust and made to believe they are talking to the +right server (since Kerberos authentication will succeed). + +An example configuration that informs clients that for the realms +it.example.com and srv.example.com, they should use the realm +EXAMPLE.COM: + +@example + +$ORIGIN example.com. +_kerberos.it TXT "EXAMPLE.COM" +_kerberos.srv TXT "EXAMPLE.COM" + +@end example + +@node Using LDAP to store the database, Providing Kerberos credentials to servers and programs, Setting up DNS, Setting up a realm +@section Using LDAP to store the database +@cindex Using the LDAP backend + +This document describes how to install the LDAP backend for +Heimdal. Note that before attempting to configure such an +installation, you should be aware of the implications of storing +private information (such as users' keys) in a directory service +primarily designed for public information. Nonetheless, with a +suitable authorization policy, it is possible to set this up in a +secure fashion. A knowledge of LDAP, Kerberos, and C is necessary to +install this backend. The HDB schema was devised by Leif Johansson. + +Requirements: + +@itemize @bullet + +@item +A current release of Heimdal, configured with +@code{--with-openldap=/usr/local} (adjust according to where you have +installed OpenLDAP). + +You can verify that you manage to configure LDAP support by running +@file{kdc --builtin-hdb}, and checking that @samp{ldap:} is one entry +in the list. 
+ +Its also possible to configure the ldap backend as a shared module, +see option --hdb-openldap-module to configure. + +@item +OpenLDAP 2.0.x. Configure OpenLDAP with @kbd{--enable-local} to enable the +local transport. (A patch to support SASL EXTERNAL authentication is +necessary in order to use OpenLDAP 2.1.x.) + +@item +Add the hdb schema to the LDAP server, its included in the source-tree +in @file{lib/hdb/hdb.schema}. Example from slapd.conf: + +@example +include /usr/local/etc/openldap/schema/hdb.schema +@end example + +@item +Configure the LDAP server ACLs to accept writes from clients over the +local transport. For example: + +@example +access to * + by dn.exact="uid=heimdal,dc=services,dc=example,dc=com" write + ... + +sasl-regexp "uidNumber=0\\\+gidNumber=.*,cn=peercred,cn=external,cn=auth" + "uid=heimdal,dc=services,dc=example,dc=com" + +@end example + +The sasl-regexp is for mapping between the SASL/EXTERNAL and a user in +a tree. The user that the key is mapped to should be have a +krb5Principal aux object with krb5PrincipalName set so that the +``creator'' and ``modifier'' is right in @file{kadmin}. + +Another option is to create an admins group and add the dn to that +group. + +Since Heimdal talkes to the LDAP server over a UNIX domain socket, and +uses external sasl authentication, its not possible to require +security layer quality (ssf in cyrus-sasl lingo). So that requirement +has to be turned off in OpenLDAP @command{slapd} configuration file +@file{slapd.conf}. + +@example +sasl-secprops minssf=0 +@end example + +@item + +Start @command{slapd} with the local listener (as well as the default TCP/IP +listener on port 389) as follows: + +@example + slapd -h "ldapi:/// ldap:///" +@end example + +Note: These is a bug in @command{slapd} where it appears to corrupt the krb5Key +binary attribute on shutdown. This may be related to our use of the V3 +schema definition syntax instead of the old UMich-style, V2 syntax. 
+ +@item +You should specify the distinguished name under which your +principals will be stored in @file{krb5.conf}: + +@example +[kdc] + database = @{ + dbname = ldap:ou=KerberosPrincipals,dc=example,dc=com + mkey_file = /path/to/mkey + @} +@end example + +@samp{mkey_file} can be excluded if you feel that you trust your ldap +directory to have the raw keys inside it. + + +@item +Once you have built Heimdal and started the LDAP server, run kadmin +(as usual) to initialize the database. Note that the instructions for +stashing a master key are as per any Heimdal installation. + +@example +kdc# kadmin -l +kadmin> init EXAMPLE.COM +Realm max ticket life [unlimited]: +Realm max renewable ticket life [unlimited]: +kadmin> ank lukeh +Max ticket life [1 day]: +Max renewable life [1 week]: +Principal expiration time [never]: +Password expiration time [never]: +Attributes []: +lukeh@@EXAMPLE.COM's Password: +Verifying password - lukeh@@EXAMPLE.COM's Password: +kadmin> exit +@end example + +Verify that the principal database has indeed been stored in the +directory with the following command: + +@example +kdc# ldapsearch -L -h localhost -D cn=manager \ + -w secret -b ou=KerberosPrincipals,dc=example,dc=com \ + 'objectclass=krb5KDCEntry' +@end example + +@item +Now consider adding indexes to the database to speed up the access, at +least theses should be added to slapd.conf. 
+ +@example +index objectClass eq +index cn eq,sub,pres +index uid eq,sub,pres +index displayName eq,sub,pres +index krb5PrincipalName eq +@end example + +@end itemize + +@subsection Troubleshooting guide + +@url{https://sec.miljovern.no/bin/view/Info/TroubleshootingGuide} + + +@subsection Using Samba LDAP password database +@cindex Samba + +@c @node Using Samba LDAP password database, Providing Kerberos credentials to servers and programs, Using LDAP to store the database, Setting up a realm +@c @section Using Samba LDAP password database + +Samba domain and the Kerberos realm can have diffrent names since +arcfour's string to key function principal/realm independent. So now +will be your first and only chance name your Kerberos without needing +to deal with old configuration files. + +First you should set up Samba and get that working with LDAP backend. + +Now you can proceed as in @xref{Using LDAP to store the database}, +Heimdal will pick up the Samba LDAP entries if they are in the same +search space as the Kerberos entries. + +@node Providing Kerberos credentials to servers and programs, , Using LDAP to store the database, Setting up a realm +@section Providing Kerberos credentials to servers and programs + +Some service require Kerberos credentials when they start to make +connections to other services or use them when they have started. + +The easiest way to get ticket for the a service is to store the key in +a keytab. Both ktutil get and kadmin ext can be used to get a +keytab. ktutil get is better in that way it changes the key/password +for the user. This the problem with the ktutil. It ktutil is used for +the same service principal on several hosts, they keytab will only +useful on the last host. In that case, run the command on host and +copy the keytab around to all other hosts that needs it. 
+ +@example +host# ktutil -k /etc/krb5-service.keytab \ + get -p lha/admin@@EXAMPLE.ORG service-principal@@EXAMPLE.ORG +lha/admin@@EXAMPLE.ORG's Password: +@end example + +To get a Kerberos credential file for the service, use kinit in the +--keytab mode, this will not ask for a password but rather that the +key from the keytab. + +@example +service@@host$ kinit --cache=/var/run/service_krb5_cache \ + --keytab=/etc/krb5-service.keytab \ + service-principal@@EXAMPLE.ORG +@end example + +Long running services might need credentials longer then the +expiration time of the tickets. kinit can run in a mode that refreshes +the tickets before they expire. This is useful for services that write +into AFS and other distributed file systems using Kerberos. To run the +long running script, just append the program and arguments (if any) +after the principal. kinit will stop refreshing credentials and remove +the credentials when the script-to-start-service exits. + +@example +service@@host$ kinit --cache=/var/run/service_krb5_cache \ + --keytab=/etc/krb5-service.keytab \ + service-principal@@EXAMPLE.ORG \ + script-to-start-service argument1 argument2 +@end example + diff --git a/kerberosV/src/include/bits.c b/kerberosV/src/include/bits.c index f5529f97732..7a631c994be 100644 --- a/kerberosV/src/include/bits.c +++ b/kerberosV/src/include/bits.c @@ -33,7 +33,7 @@ #ifdef HAVE_CONFIG_H #include <config.h> -RCSID("$KTH: bits.c,v 1.22 2002/08/28 16:08:44 joda Exp $"); +RCSID("$KTH: bits.c,v 1.23 2005/01/05 15:22:02 lha Exp $"); #endif #include <stdio.h> #include <string.h> @@ -112,7 +112,7 @@ int main(int argc, char **argv) { FILE *f; int flag; - char *fn, *hb; + const char *fn, *hb; if(argc < 2){ fn = "bits.h"; @@ -121,8 +121,9 @@ int main(int argc, char **argv) } else { char *p; fn = argv[1]; - asprintf(&hb, "__%s__", fn); - for(p = hb; *p; p++){ + asprintf(&p, "__%s__", fn); + hb = p; + for(; *p; p++){ if(!isalnum((unsigned char)*p)) *p = '_'; } 
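Review bot: The asprintf() call in the `@@ -121,8 +121,9 @@` hunk of bits.c is still unchecked, so on allocation failure `p` is left indeterminate (its contents are documented as undefined on error) and the new `for(; *p; p++)` loop dereferences it, after which `hb` is written into the generated header by the `#ifndef`/`#define` fprintf calls. A one-line guard keeps the generator from crashing or emitting a garbage include guard, and `<stdio.h>` is already included by this file: `if (asprintf(&p, "__%s__", fn) < 0) { perror("asprintf"); return 1; }`. The `const char *hb` change in the preceding `@@ -112,7 +112,7 @@` hunk is what makes `p` the only writable handle to that allocation, so the check belongs right at the allocation. The enclosing main() starts and ends outside the hunk.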
@@ -130,7 +131,7 @@ int main(int argc, char **argv) } fprintf(f, "/* %s -- this file was generated for %s by\n", fn, HOST); fprintf(f, " %*s %s */\n\n", (int)strlen(fn), "", - "$KTH: bits.c,v 1.22 2002/08/28 16:08:44 joda Exp $"); + "$KTH: bits.c,v 1.23 2005/01/05 15:22:02 lha Exp $"); fprintf(f, "#ifndef %s\n", hb); fprintf(f, "#define %s\n", hb); fprintf(f, "\n"); diff --git a/kerberosV/src/kadmin/kadm_conn.c b/kerberosV/src/kadmin/kadm_conn.c index c0023aa8642..f68cddc6ee3 100644 --- a/kerberosV/src/kadmin/kadm_conn.c +++ b/kerberosV/src/kadmin/kadm_conn.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000 - 2001 Kungliga Tekniska Högskolan + * Copyright (c) 2000 - 2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -36,7 +36,7 @@ #include <sys/wait.h> #endif -RCSID("$KTH: kadm_conn.c,v 1.14 2002/10/21 13:21:24 joda Exp $"); +RCSID("$KTH: kadm_conn.c,v 1.15 2004/05/13 17:46:20 joda Exp $"); struct kadm_port { char *port; @@ -62,16 +62,10 @@ add_kadm_port(krb5_context context, const char *service, unsigned int port) kadm_ports = p; } -extern int do_kerberos4; - static void add_standard_ports (krb5_context context) { add_kadm_port(context, "kerberos-adm", 749); -#ifdef KRB4 - if(do_kerberos4) - add_kadm_port(context, "kerberos-master", 751); -#endif } /* diff --git a/kerberosV/src/kadmin/kadmin.8 b/kerberosV/src/kadmin/kadmin.8 index cadcd0fb825..0c6974f35e6 100644 --- a/kerberosV/src/kadmin/kadmin.8 +++ b/kerberosV/src/kadmin/kadmin.8 
@@ -1,37 +1,37 @@ -.\" Copyright (c) 2000 - 2003 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. +.\" Copyright (c) 2000 - 2004 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. .\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: .\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. .\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. .\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. 
.\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. -.\" -.\" $KTH: kadmin.8,v 1.10 2003/03/31 10:42:32 lha Exp $ +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. .\" -.Dd September 10, 2000 +.\" $KTH: kadmin.8,v 1.15 2005/03/26 10:10:56 lha Exp $ +.\" +.Dd June 27, 2004 .Dt KADMIN 8 .Os HEIMDAL .Sh NAME 
@@ -130,7 +130,18 @@ If no .Ar command is given on the command line, .Nm -will prompt for commands to process. Commands include: +will prompt for commands to process. Some of the commands that take +one or more principals as argument +.Ns ( Nm delete , +.Nm ext_keytab , +.Nm get , +.Nm modify , +and +.Nm passwd ) +will accept a glob style wildcard, and perform the operation on all +matching principals. +.Pp +Commands include: .\" not using a list here, since groff apparently gets confused .\" with nested Xo/Xc .Bd -ragged -offset indent @@ -150,36 +161,23 @@ will prompt for commands to process. Commands include: .Ar principal... .Pp .Bd -ragged -offset indent -creates a new principal -.Ed -.Pp -.Nm passwd -.Op Fl r | Fl -random-key -.Op Fl -random-password -.Oo Fl p Ar string \*(Ba Xo -.Fl -password= Ns Ar string -.Xc -.Oc -.Op Fl -key= Ns Ar string -.Ar principal... -.Pp -.Bd -ragged -offset indent -changes the password of an existing principal +Adds a new principal to the database. The options not passed on the +command line will be promped for. .Ed .Pp .Nm delete .Ar principal... .Pp .Bd -ragged -offset indent -removes a principal +Removes a principal. .Ed .Pp .Nm del_enctype .Ar principal enctypes... .Pp .Bd -ragged -offset indent -removes some enctypes from a principal; this can be useful if the service -belonging to the principal is known to not handle certain enctypes +Removes some enctypes from a principal; this can be useful if the service +belonging to the principal is known to not handle certain enctypes. .Ed .Pp .Nm ext_keytab 
@@ -190,26 +188,49 @@ belonging to the principal is known to not handle certain enctypes .Ar principal... .Pp .Bd -ragged -offset indent -creates a keytab with the keys of the specified principals +Creates a keytab with the keys of the specified principals. .Ed .Pp .Nm get .Op Fl l | Fl -long .Op Fl s | Fl -short .Op Fl t | Fl -terse -.Ar expression... +.Op Fl o Ar string | Fl -column-info= Ns Ar string +.Ar principal... .Pp .Bd -ragged -offset indent -lists the principals that match the expressions (which are shell glob -like), long format gives more information, and terse just prints the -names -.Ed +Lists the matching principals, short prints the result as a table, +while long format produces a more verbose output. Which columns to +print can be selected with the +.Fl o +option. The argument is a comma separated list of column names +optionally appended with an equal sign +.Pq Sq = +and a column header. Which columns are printed by default differ +slightly between short and long output. .Pp -.Nm rename -.Ar from to +The default terse output format is similar to +.Fl s o Ar principal= , +just printing the names of matched principals. .Pp -.Bd -ragged -offset indent -renames a principal +Possible column names include: +.Li principal , +.Li princ_expire_time , +.Li pw_expiration , +.Li last_pwd_change , +.Li max_life , +.Li max_rlife , +.Li mod_time , +.Li mod_name , +.Li attributes , +.Li kvno , +.Li mkvno , +.Li last_success , +.Li last_failed , +.Li fail_auth_count , +.Li policy , +and +.Li keytypes . .Ed .Pp .Nm modify 
@@ -222,16 +243,81 @@ renames a principal .Op Fl -expiration-time= Ns Ar time .Op Fl -pw-expiration-time= Ns Ar time .Op Fl -kvno= Ns Ar number +.Ar principal... +.Pp +.Bd -ragged -offset indent +Modifies certain attributes of a principal. If run without command +line options, you will be prompted. With command line options, it will +only change the ones specified. +.Pp +Possible attributes are: +.Li new-princ , +.Li support-desmd5 , +.Li pwchange-service , +.Li disallow-svr , +.Li requires-pw-change , +.Li requires-hw-auth , +.Li requires-pre-auth , +.Li disallow-all-tix , +.Li disallow-dup-skey , +.Li disallow-proxiable , +.Li disallow-renewable , +.Li disallow-tgt-based , +.Li disallow-forwardable , +.Li disallow-postdated +.Pp +Attributes may be negated with a "-", e.g., +.Pp +kadmin -l modify -a -disallow-proxiable user +.Ed +.Pp +.Nm passwd +.Op Fl r | Fl -random-key +.Op Fl -random-password +.Oo Fl p Ar string \*(Ba Xo +.Fl -password= Ns Ar string +.Xc +.Oc +.Op Fl -key= Ns Ar string +.Ar principal... +.Pp +.Bd -ragged -offset indent +Changes the password of an existing principal. +.Ed +.Pp +.Nm password-quality .Ar principal +.Ar password .Pp .Bd -ragged -offset indent -modifies certain attributes of a principal +Run the password quality check function locally. +You can run this on the host that is configured to run the kadmind +process to verify that your configuration file is correct. +The verification is done locally, if kadmin is is run in remote mode, +no rpc call is done to the server. .Ed .Pp .Nm privileges .Pp .Bd -ragged -offset indent -lists the operations you are allowed to perform +Lists the operations you are allowed to perform. These include +.Li add , +.Li change-password , +.Li delete , +.Li get , +.Li list , +and +.Li modify . +.Ed +.Pp +.Nm rename +.Ar from to +.Pp +.Bd -ragged -offset indent +Renames a principal. 
This is normally transparent, but since keys are +salted with the principal name, they will have a non-standard salt, +and clients which are unable to cope with this will fail. Kerberos 4 +suffers from this. .Ed .Pp .Ed @@ -243,9 +329,12 @@ When running in local mode, the following commands can also be used: .Op Ar dump-file .Pp .Bd -ragged -offset indent -writes the database in +Writes the database in .Dq human readable -form to the specified file, or standard out +form to the specified file, or standard out. If the database is +encrypted, the dump will also have encrypted keys, unless +.Fl -decrypt +is used. .Ed .Pp .Nm init @@ -254,24 +343,41 @@ form to the specified file, or standard out .Ar realm .Pp .Bd -ragged -offset indent -initializes the Kerberos database with entries for a new realm. It's -possible to have more than one realm served by one server +Initializes the Kerberos database with entries for a new realm. It's +possible to have more than one realm served by one server. .Ed .Pp .Nm load .Ar file .Pp .Bd -ragged -offset indent -reads a previously dumped database, and re-creates that database from scratch +Reads a previously dumped database, and re-creates that database from +scratch. .Ed .Pp .Nm merge .Ar file .Pp .Bd -ragged -offset indent -similar to -.Nm list -but just modifies the database with the entries in the dump file +Similar to +.Nm load +but just modifies the database with the entries in the dump file. +.Ed +.Pp +.Nm stash +.Oo Fl e Ar enctype \*(Ba Xo +.Fl -enctype= Ns Ar enctype +.Xc +.Oc +.Oo Fl k Ar keyfile \*(Ba Xo +.Fl -key-file= Ns Ar keyfile +.Xc +.Oc +.Op Fl -convert-file +.Op Fl -master-key-fd= Ns Ar fd +.Pp +.Bd -ragged -offset indent +Writes the Kerberos master key to a file used by the KDC. .Ed .Pp .Ed diff --git a/kerberosV/src/kadmin/kadmin.c b/kerberosV/src/kadmin/kadmin.c index 5c647ab69f7..c56f95b1396 100644 --- a/kerberosV/src/kadmin/kadmin.c +++ b/kerberosV/src/kadmin/kadmin.c 
@@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -32,13 +32,15 @@ */ #include "kadmin_locl.h" +#include "kadmin-commands.h" #include <sl.h> -RCSID("$KTH: kadmin.c,v 1.42 2003/03/31 10:20:19 lha Exp $"); +RCSID("$KTH: kadmin.c,v 1.56 2005/05/09 15:35:22 lha Exp $"); static char *config_file; static char *keyfile; -static int local_flag; +int local_flag; +static int ad_flag; static int help_flag; static int version_flag; static char *realm; @@ -46,6 +48,9 @@ static char *admin_server; static int server_port = 0; static char *client_name; static char *keytab; +static char *check_library = NULL; +static char *check_function = NULL; +static getarg_strings policy_libraries = { 0, NULL }; static struct getargs args[] = { { "principal", 'p', arg_string, &client_name, @@ -72,6 +77,15 @@ static struct getargs args[] = { "server-port", 's', arg_integer, &server_port, "port to use", "port number" }, + { "ad", 0, arg_flag, &ad_flag, "active directory admin mode" }, +#ifdef HAVE_DLOPEN + { "check-library", 0, arg_string, &check_library, + "library to load password check function from", "library" }, + { "check-function", 0, arg_string, &check_function, + "password check function to load", "function" }, + { "policy-libraries", 0, arg_strings, &policy_libraries, + "password check function to load", "function" }, +#endif { "local", 'l', arg_flag, &local_flag, "local admin mode" }, { "help", 'h', arg_flag, &help_flag }, { "version", 'v', arg_flag, &version_flag } 
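Review bot: The help text for the new `policy-libraries` entry in kadmin.c's getargs table is copied from the `check-function` entry above it ("password check function to load", argument name "function"), so `--help` describes the option wrongly; the identical copied text is in the kadmind.c args hunk on the line with `@@ -70,15 +63,12 @@`. Something like `{ "policy-libraries", 0, arg_strings, &policy_libraries, "password quality verifier libraries to load", "library" },` matches what main() later does with the strings. Since the option takes `arg_strings`, the usage line should also make clear that it may be repeated.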
@@ -79,100 +93,51 @@ static struct getargs args[] = { static int num_args = sizeof(args) / sizeof(args[0]); -static SL_cmd commands[] = { - /* commands that are only available with `-l' */ - { - "dump", dump, "dump [file]", - "Dumps the database in a human readable format to the\n" - "specified file, or the standard out." - }, - { - "load", load, "load file", - "Loads a previously dumped file." - }, - { - "merge", merge, "merge file" , - "Merges the contents of a dump file into the database." - }, - { - "init", init, "init realm...", - "Initializes the default principals for a realm.\n" - "Creates the database if necessary." - }, - /* common commands */ - { - "add", add_new_key, "add principal" , - "Adds a principal to the database." - }, - { "add_new_key"}, - { "ank"}, - { - "passwd", cpw_entry, "passwd expression..." , - "Changes the password of one or more principals\n" - "matching the expressions." - }, - { "change_password"}, - { "cpw"}, - { - "delete", del_entry, "delete expression...", - "Deletes all principals matching the expressions." - }, - { "del_entry" }, - { "del" }, - { - "del_enctype", del_enctype, "del_enctype principal enctype...", - "Delete all the mentioned enctypes for principal." - }, - { - "ext_keytab", ext_keytab, "ext_keytab expression...", - "Extracts the keys of all principals matching the expressions,\n" - "and stores them in a keytab." - }, - { - "get", get_entry, "get expression...", - "Shows information about principals matching the expressions." - }, - { "get_entry" }, - { - "rename", rename_entry, "rename source target", - "Renames `source' to `target'." - }, - { - "modify", mod_entry, "modify principal", - "Modifies some attributes of the specified principal." - }, - { - "privileges", get_privs, "privileges", - "Shows which kinds of operations you are allowed to perform." - }, - { "privs" }, - { - "list", list_princs, "list expression...", - "Lists principals in a terse format. The same as `get -t'." 
- }, - { "help", help, "help"}, - { "?"}, - { "exit", exit_kadmin, "exit"}, - { "quit" }, - { NULL} -}; krb5_context context; void *kadm_handle; -static SL_cmd *actual_cmds; - int -help(int argc, char **argv) +help(void *opt, int argc, char **argv) { - sl_help(actual_cmds, argc, argv); + if(argc == 0) { + sl_help(commands, 1, argv - 1 /* XXX */); + } else { + SL_cmd *c = sl_match (commands, argv[0], 0); + if(c == NULL) { + fprintf (stderr, "No such command: %s. " + "Try \"help\" for a list of commands\n", + argv[0]); + } else { + if(c->func) { + char *fake[] = { NULL, "--help", NULL }; + fake[0] = argv[0]; + (*c->func)(2, fake); + fprintf(stderr, "\n"); + } + if(c->help && *c->help) + fprintf (stderr, "%s\n", c->help); + if((++c)->name && c->func == NULL) { + int f = 0; + fprintf (stderr, "Synonyms:"); + while (c->name && c->func == NULL) { + fprintf (stderr, "%s%s", f ? ", " : " ", (c++)->name); + f = 1; + } + fprintf (stderr, "\n"); + } + } + } return 0; } +static int exit_seen = 0; + int -exit_kadmin (int argc, char **argv) +exit_kadmin (void *opt, int argc, char **argv) { - return 1; + exit_seen = 1; + return 0; } static void @@ -183,30 +148,12 @@ usage(int ret) } int -get_privs(int argc, char **argv) +get_privs(void *opt, int argc, char **argv) { u_int32_t privs; char str[128]; kadm5_ret_t ret; - int help_flag = 0; - struct getargs args[] = { - { "help", 'h', arg_flag, NULL } - }; - int num_args = sizeof(args) / sizeof(args[0]); - int optind = 0; - - args[0].value = &help_flag; - - if(getarg(args, num_args, argc, argv, &optind)) { - arg_printusage (args, num_args, "privileges", NULL); - return 0; - } - if(help_flag) { - arg_printusage (args, num_args, "privileges", NULL); - return 0; - } - ret = kadm5_get_privs(kadm_handle, &privs); if(ret) krb5_warn(context, ret, "kadm5_get_privs"); 
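Review bot: In the new `help()`, the no-argument branch calls `sl_help(commands, 1, argv - 1 /* XXX */)`, forming a pointer before the start of the vector the caller handed in; that is only valid if the dispatcher passed a pointer into the middle of its own array, which nothing in this hunk establishes. The `--help` branch a few lines down already builds a local vector, and the same approach removes the XXX: `char *fake[] = { "help", NULL }; sl_help(commands, 1, fake);`. The synonym loop that follows (`while (c->name && c->func == NULL)`) walks the table until an entry with a NULL name, as the deleted static table guaranteed with its `{ NULL }` terminator; since `commands` now comes from kadmin-commands.h, that terminator is worth confirming there.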
@@ -221,9 +168,10 @@ int main(int argc, char **argv) { krb5_error_code ret; - krb5_config_section *cf = NULL; + char **files; kadm5_config_params conf; int optind = 0; + int exit_status = 0; ret = krb5_init_context(&context); if (ret) @@ -246,14 +194,15 @@ main(int argc, char **argv) if (config_file == NULL) config_file = HDB_DB_DIR "/kdc.conf"; - if(krb5_config_parse_file(context, config_file, &cf) == 0) { - const char *p = krb5_config_get_string (context, cf, - "kdc", "key-file", NULL); - if (p) - keyfile = strdup(p); - } - krb5_clear_error_string (context); - + ret = krb5_prepend_config_files_default(config_file, &files); + if (ret) + krb5_err(context, 1, ret, "getting configuration files"); + + ret = krb5_set_config_files(context, files); + krb5_free_config_files(files); + if(ret) + krb5_err(context, 1, ret, "reading configuration files"); + memset(&conf, 0, sizeof(conf)); if(realm) { krb5_set_default_realm(context, realm); /* XXX should be fixed 
@@ -272,31 +221,58 @@ main(int argc, char **argv) conf.mask |= KADM5_CONFIG_KADMIND_PORT; } - if(local_flag){ + if (keyfile) { + conf.stash_file = keyfile; + conf.mask |= KADM5_CONFIG_STASH_FILE; + } + + if(local_flag) { + int i; + + kadm5_setup_passwd_quality_check (context, + check_library, check_function); + + for (i = 0; i < policy_libraries.num_strings; i++) { + ret = kadm5_add_passwd_quality_verifier(context, + policy_libraries.strings[i]); + if (ret) + krb5_err(context, 1, ret, "kadm5_add_passwd_quality_verifier"); + } + ret = kadm5_add_passwd_quality_verifier(context, NULL); + if (ret) + krb5_err(context, 1, ret, "kadm5_add_passwd_quality_verifier"); + ret = kadm5_s_init_with_password_ctx(context, KADM5_ADMIN_SERVICE, NULL, KADM5_ADMIN_SERVICE, &conf, 0, 0, &kadm_handle); - actual_cmds = commands; + } else if (ad_flag) { + if (client_name == NULL) + krb5_errx(context, 1, "keytab mode require principal name"); + ret = kadm5_ad_init_with_password_ctx(context, + client_name, + NULL, + KADM5_ADMIN_SERVICE, + &conf, 0, 0, + &kadm_handle); } else if (keytab) { + if (client_name == NULL) + krb5_errx(context, 1, "keytab mode require principal name"); ret = kadm5_c_init_with_skey_ctx(context, client_name, keytab, KADM5_ADMIN_SERVICE, &conf, 0, 0, &kadm_handle); - actual_cmds = commands + 4; /* XXX */ - } else { + } else ret = kadm5_c_init_with_password_ctx(context, client_name, NULL, KADM5_ADMIN_SERVICE, &conf, 0, 0, &kadm_handle); - actual_cmds = commands + 4; /* XXX */ - } if(ret) krb5_err(context, 1, ret, "kadm5_init_with_password"); 
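Review bot: The new `ad_flag` branch reports `"keytab mode require principal name"` when `client_name` is NULL, a message copied from the keytab branch below it; it should read `krb5_errx(context, 1, "ad mode requires principal name");` (and the keytab one `"keytab mode requires principal name"`). The error label after the chain, `"kadm5_init_with_password"`, now covers the skey and AD initialisations too, so a failure in `kadm5_c_init_with_skey_ctx` or `kadm5_ad_init_with_password_ctx` is reported under the wrong name; a neutral `"kadm5_init"` would be accurate for all four paths. The policy-library loop added under `if(local_flag)` is repeated verbatim in the kadmind.c hunk on the line with `@@ -147,6 +143,16 @@`; a small shared helper taking the `getarg_strings` would keep the two registrations in step. main() starts and ends outside this hunk.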
@@ -307,14 +283,24 @@ main(int argc, char **argv) each function, f.i `get' might be interruptable, but not `create' */ if (argc != 0) { - ret = sl_command (actual_cmds, argc, argv); + ret = sl_command (commands, argc, argv); if(ret == -1) krb5_warnx (context, "unrecognized command: %s", argv[0]); - } else - ret = sl_loop (actual_cmds, "kadmin> ") != 0; + else if (ret == -2) + ret = 0; + if(ret != 0) + exit_status = 1; + } else { + while(!exit_seen) { + ret = sl_command_loop(commands, "kadmin> ", NULL); + if (ret == -2) + exit_seen = 1; + else if (ret != 0) + exit_status = 1; + } + } kadm5_destroy(kadm_handle); - krb5_config_file_free (context, cf); krb5_free_context(context); - return ret; + return exit_status; } diff --git a/kerberosV/src/kadmin/kadmin_locl.h b/kerberosV/src/kadmin/kadmin_locl.h index a23c5e07be4..6c0d929da13 100644 --- a/kerberosV/src/kadmin/kadmin_locl.h +++ b/kerberosV/src/kadmin/kadmin_locl.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-2001 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -32,7 +32,7 @@ */ /* - * $KTH: kadmin_locl.h,v 1.41 2002/09/10 20:04:45 joda Exp $ + * $KTH: kadmin_locl.h,v 1.45 2004/06/27 15:04:07 joda Exp $ */ #ifndef __ADMIN_LOCL_H__ @@ -96,29 +96,9 @@ #include <parse_time.h> #include <getarg.h> - extern krb5_context context; extern void * kadm_handle; -#define DECL(X) int X(int, char **) - -DECL(add_new_key); -DECL(cpw_entry); -DECL(del_entry); -DECL(del_enctype); -DECL(exit_kadmin); -DECL(ext_keytab); -DECL(get_entry); -DECL(get_privs); -DECL(help); -DECL(list_princs); -DECL(mod_entry); -DECL(rename_entry); -DECL(init); -DECL(dump); -DECL(load); -DECL(merge); - #undef ALLOC #define ALLOC(X) ((X) = malloc(sizeof(*(X)))) 
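Review bot: The new interactive loop in main() keys on the undocumented return values `-1` and `-2` of `sl_command`/`sl_command_loop`, and a reader has to know the sl contract to see that `-2` must also cover end-of-file on the prompt — if it did not, `while(!exit_seen)` would never terminate on a closed stdin. A comment above the loop such as `/* sl: -1 = unrecognized command, -2 = exit requested or EOF; anything else is the command's own status */` would make that explicit; please confirm the EOF case against sl_command_loop. `exit_status` is sticky, so one failed command in an interactive session makes kadmin exit non-zero even if later commands succeed, which seems intended but belongs in the same comment. main() starts outside this hunk.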
@@ -167,11 +147,6 @@ int parse_des_key (const char *key_string, krb5_error_code kadmind_loop (krb5_context, krb5_auth_context, krb5_keytab, int); -/* version4.c */ - -void -handle_v4(krb5_context context, krb5_keytab keytab, int len, int fd); - /* random_password.c */ void diff --git a/kerberosV/src/kadmin/kadmind.8 b/kerberosV/src/kadmin/kadmind.8 index 41a4699ed79..724475bd106 100644 --- a/kerberosV/src/kadmin/kadmind.8 +++ b/kerberosV/src/kadmin/kadmind.8 @@ -1,4 +1,4 @@ -.\" Copyright (c) 2002 - 2003 Kungliga Tekniska Högskolan +.\" Copyright (c) 2002 - 2004 Kungliga Tekniska Högskolan .\" (Royal Institute of Technology, Stockholm, Sweden). .\" All rights reserved. .\" @@ -29,9 +29,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $KTH: kadmind.8,v 1.14 2003/04/06 17:47:57 lha Exp $ +.\" $KTH: kadmind.8,v 1.17 2004/12/08 17:20:21 lha Exp $ .\" -.Dd March 5, 2002 +.Dd December 8, 2004 .Dt KADMIND 8 .Os HEIMDAL .Sh NAME @@ -58,7 +58,6 @@ .Fl -ports= Ns Ar port .Xc .Oc -.Op Fl -no-kerberos4 .Ek .Sh DESCRIPTION .Nm @@ -73,11 +72,7 @@ option causes .Nm to accept exactly one connection, which is useful for debugging. .Pp -If built with krb4 support, it implements both the Heimdal Kerberos 5 -administrative protocol and the Kerberos 4 protocol. Password changes -via the Kerberos 4 protocol are also performed by -.Nm kadmind , -but the +The .Xr kpasswdd 8 daemon is responsible for the Kerberos 5 password changing protocol (used by 
@@ -151,17 +146,12 @@ enable debugging .Fl p Ar port , .Fl -ports= Ns Ar port .Xc -ports to listen to. By default, if run as a daemon, it listens to ports -749, and 751 (if Kerberos 4 support is built and enabled), but you can -add any number of ports with this option. The port string is a -whitespace separated list of port specifications, with the special -string +ports to listen to. By default, if run as a daemon, it listens to port +749, but you can add any number of ports with this option. The port +string is a whitespace separated list of port specifications, with the +special string .Dq + -representing the default set of ports. -.It Fl -no-kerberos4 -make -.Nm -ignore Kerberos 4 kadmin requests. +representing the default port. .El .\".Sh ENVIRONMENT .Sh FILES diff --git a/kerberosV/src/kadmin/kadmind.c b/kerberosV/src/kadmin/kadmind.c index 12141093cc9..cd40d7b1ba8 100644 --- a/kerberosV/src/kadmin/kadmind.c +++ b/kerberosV/src/kadmin/kadmind.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,21 +33,18 @@ #include "kadmin_locl.h" -RCSID("$KTH: kadmind.c,v 1.28.2.1 2004/04/29 12:30:32 lha Exp $"); +RCSID("$KTH: kadmind.c,v 1.34 2005/04/15 11:16:32 lha Exp $"); static char *check_library = NULL; static char *check_function = NULL; +static getarg_strings policy_libraries = { 0, NULL }; static char *config_file; -static char *keyfile; static char *keytab_str = "HDB:"; static int help_flag; static int version_flag; static int debug_flag; static char *port_str; char *realm; -#ifdef KRB4 -int do_kerberos4 = 0; -#endif static struct getargs args[] = { { @@ -55,10 +52,6 @@ static struct getargs args[] = { "location of config file", "file" }, { - "key-file", 'k', arg_string, &keyfile, - "location of master key file", "file" - }, - { "keytab", 0, arg_string, &keytab_str, "what keytab to use", "keytab" }, 
@@ -70,15 +63,12 @@ static struct getargs args[] = { "library to load password check function from", "library" }, { "check-function", 0, arg_string, &check_function, "password check function to load", "function" }, + { "policy-libraries", 0, arg_strings, &policy_libraries, + "password check function to load", "function" }, #endif { "debug", 'd', arg_flag, &debug_flag, "enable debugging" }, -#ifdef KRB4 - { "kerberos4", 0, arg_flag, &do_kerberos4, - "don't respond to kerberos 4 requests" - }, -#endif { "ports", 'p', arg_string, &port_str, "ports to listen to", "port" }, { "help", 'h', arg_flag, &help_flag }, @@ -100,9 +90,9 @@ int main(int argc, char **argv) { krb5_error_code ret; - krb5_config_section *cf; + char **files; int optind = 0; - int e; + int e, i; krb5_log_facility *logf; krb5_keytab keytab; @@ -110,9 +100,6 @@ main(int argc, char **argv) if (ret) errx (1, "krb5_init_context failed: %d", ret); - ret = krb5_openlog(context, "kadmind", &logf); - ret = krb5_set_warn_dest(context, logf); - while((e = getarg(args, num_args, argc, argv, &optind))) warnx("error at argument `%s'", argv[optind]); 
@@ -127,19 +114,28 @@ main(int argc, char **argv) argc -= optind; argv += optind; - ret = krb5_kt_register(context, &hdb_kt_ops); - if(ret) - krb5_err(context, 1, ret, "krb5_kt_register"); - if (config_file == NULL) config_file = HDB_DB_DIR "/kdc.conf"; - if(krb5_config_parse_file(context, config_file, &cf) == 0) { - const char *p = krb5_config_get_string (context, cf, - "kdc", "key-file", NULL); - if (p) - keyfile = strdup(p); - } + ret = krb5_prepend_config_files_default(config_file, &files); + if (ret) + krb5_err(context, 1, ret, "getting configuration files"); + + ret = krb5_set_config_files(context, files); + krb5_free_config_files(files); + if(ret) + krb5_err(context, 1, ret, "reading configuration files"); + + ret = krb5_openlog(context, "kadmind", &logf); + if (ret) + krb5_err(context, 1, ret, "krb5_openlog"); + ret = krb5_set_warn_dest(context, logf); + if (ret) + krb5_err(context, 1, ret, "krb5_set_warn_dest"); + + ret = krb5_kt_register(context, &hdb_kt_ops); + if(ret) + krb5_err(context, 1, ret, "krb5_kt_register"); ret = krb5_kt_resolve(context, keytab_str, &keytab); if(ret) @@ -147,6 +143,16 @@ main(int argc, char **argv) kadm5_setup_passwd_quality_check (context, check_library, check_function); + for (i = 0; i < policy_libraries.num_strings; i++) { + ret = kadm5_add_passwd_quality_verifier(context, + policy_libraries.strings[i]); + if (ret) + krb5_err(context, 1, ret, "kadm5_add_passwd_quality_verifier"); + } + ret = kadm5_add_passwd_quality_verifier(context, NULL); + if (ret) + krb5_err(context, 1, ret, "kadm5_add_passwd_quality_verifier"); + { int fd = 0; struct sockaddr_storage __ss; diff --git a/kerberosV/src/kadmin/load.c b/kerberosV/src/kadmin/load.c index 92ace9afaeb..25b5df82102 100644 --- a/kerberosV/src/kadmin/load.c +++ b/kerberosV/src/kadmin/load.c 
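Review bot: The policy-library loop added in this line's last hunk (`for (i = 0; i < policy_libraries.num_strings; i++) ...` followed by the `NULL` verifier) duplicates the one added to kadmin.c's main() in the hunk on the line with `@@ -272,31 +221,58 @@`; the two register verifiers in the same order and must stay identical, so a shared helper would be better than two copies. In the earlier hunk on this line, `krb5_openlog`/`krb5_set_warn_dest` now run only after the configuration files are read, so the `krb5_err` calls for a missing or broken config still go to stderr rather than the configured log destination — acceptable for a daemon started by hand, but a one-line comment stating that the log destination depends on the config (hence the order) would save the next reader from moving it back. Both hunks are inside main(), which starts and ends outside them.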
@@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -32,9 +32,10 @@ */ #include "kadmin_locl.h" +#include "kadmin-commands.h" #include <kadm5/private.h> -RCSID("$KTH: load.c,v 1.44 2002/09/04 20:44:35 joda Exp $"); +RCSID("$KTH: load.c,v 1.52 2005/04/04 18:01:35 lha Exp $"); struct entry { char *principal; @@ -116,7 +117,7 @@ parse_time_string_alloc (time_t **t, const char *s) */ static int -parse_integer(unsigned *u, const char *s) +parse_integer(unsigned int *u, const char *s) { if(strcmp(s, "-") == 0) return 0; @@ -126,9 +127,9 @@ parse_integer(unsigned *u, const char *s) } static int -parse_integer_alloc (int **u, const char *s) +parse_integer_alloc (unsigned int **u, const char *s) { - unsigned tmp; + unsigned int tmp; int ret; *u = NULL; @@ -276,7 +277,7 @@ static int parse_hdbflags2int(HDBFlags *f, const char *s) { int ret; - unsigned tmp; + unsigned int tmp; ret = parse_integer (&tmp, s); if (ret == 1) @@ -345,7 +346,7 @@ doit(const char *filename, int merge) if(!merge) flags |= O_CREAT | O_TRUNC; - ret = db->open(context, db, flags, 0600); + ret = db->hdb_open(context, db, flags, 0600); if(ret){ krb5_warn(context, ret, "hdb_open"); fclose(f); 
@@ -474,71 +475,41 @@ doit(const char *filename, int merge) continue; } - ret = db->store(context, db, HDB_F_REPLACE, &ent); + ret = db->hdb_store(context, db, HDB_F_REPLACE, &ent); hdb_free_entry (context, &ent); if (ret) { krb5_warn(context, ret, "db_store"); break; } } - db->close(context, db); + db->hdb_close(context, db); fclose(f); return ret != 0; } -static struct getargs args[] = { - { "help", 'h', arg_flag, NULL } -}; - -static int num_args = sizeof(args) / sizeof(args[0]); - -static void -usage(const char *name) -{ - arg_printusage (args, num_args, name, "file"); -} - - +extern int local_flag; -int -load(int argc, char **argv) +static int +loadit(int merge, const char *name, int argc, char **argv) { - int optind = 0; - int help_flag = 0; - - args[0].value = &help_flag; - - if(getarg(args, num_args, argc, argv, &optind)) { - usage ("load"); - return 0; - } - if(argc - optind != 1 || help_flag) { - usage ("load"); + if(!local_flag) { + krb5_warnx(context, "%s is only available in local (-l) mode", name); return 0; } - doit(argv[optind], 0); + doit(argv[0], merge); return 0; } - + int -merge(int argc, char **argv) +load(void *opt, int argc, char **argv) { - int optind = 0; - int help_flag = 0; - - args[0].value = &help_flag; - - if(getarg(args, num_args, argc, argv, &optind)) { - usage ("merge"); - return 0; - } - if(argc - optind != 1 || help_flag) { - usage ("merge"); - return 0; - } - - doit(argv[optind], 1); - return 0; + return loadit(0, "load", argc, argv); +} + +int +merge(void *opt, int argc, char **argv) +{ + return loadit(1, "merge", argc, argv); } diff --git a/kerberosV/src/kadmin/util.c b/kerberosV/src/kadmin/util.c index 0ed852e2e4b..28767ed93df 100644 --- a/kerberosV/src/kadmin/util.c +++ b/kerberosV/src/kadmin/util.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * 
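Review bot: `loadit()` dereferences `argv[0]` without checking `argc`; the removed code required exactly one argument, and the new version is only safe if the generated command table from kadmin-commands.h enforces an argument count before calling `load`/`merge` — please confirm, or guard with `if (argc != 1) { krb5_warnx(context, "%s: expected one file argument", name); return 0; }`. The result of `doit()` is discarded (`doit(argv[0], merge); return 0;`), so with main()'s new exit-status handling a failed load or merge still exits 0; `return doit(argv[0], merge) != 0;` would propagate it, given that doit returns `ret != 0` at its visible end. `extern int local_flag;` belongs in kadmin_locl.h next to the other externs (`context`, `kadm_handle`) rather than in load.c, so every user gets one declaration.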
@@ -34,7 +34,7 @@ #include "kadmin_locl.h" #include <parse_units.h> -RCSID("$KTH: util.c,v 1.39 2003/04/14 11:55:27 lha Exp $"); +RCSID("$KTH: util.c,v 1.44 2005/05/30 20:47:04 lha Exp $"); /* * util.c - functions for parsing, unparsing, and editing different @@ -49,6 +49,7 @@ get_response(const char *prompt, const char *def, char *buf, size_t len); */ struct units kdb_attrs[] = { + { "ok-as-delegate", KRB5_KDB_OK_AS_DELEGATE }, { "new-princ", KRB5_KDB_NEW_PRINC }, { "support-desmd5", KRB5_KDB_SUPPORT_DESMD5 }, { "pwchange-service", KRB5_KDB_PWCHANGE_SERVICE }, @@ -114,7 +115,7 @@ parse_attributes (const char *resp, krb5_flags *attr, int *mask, int bit) } else if(*resp == '?') { print_flags_table (kdb_attrs, stderr); } else { - fprintf (stderr, "Unable to parse '%s'\n", resp); + fprintf (stderr, "Unable to parse \"%s\"\n", resp); } return -1; } @@ -194,15 +195,18 @@ str2time_t (const char *str, time_t *t) if (p == NULL) return -1; - /* Do it on the end of the day */ - tm2.tm_hour = 23; - tm2.tm_min = 59; - tm2.tm_sec = 59; + /* XXX this is really a bit optimistic, we should really complain + if there was a problem parsing the time */ if(strptime (p, "%t%H:%M:%S", &tm2) != NULL) { tm.tm_hour = tm2.tm_hour; tm.tm_min = tm2.tm_min; tm.tm_sec = tm2.tm_sec; + } else { + /* Do it on the end of the day */ + tm.tm_hour = 23; + tm.tm_min = 59; + tm.tm_sec = 59; } *t = tm2time (tm, 0); @@ -223,11 +227,10 @@ parse_timet (const char *resp, krb5_timestamp *value, int *mask, int bit) if(mask) *mask |= bit; return 0; - } else if(*resp == '?') { - printf ("Print date on format YYYY-mm-dd [hh:mm:ss]\n"); - } else { - fprintf (stderr, "Unable to parse time '%s'\n", resp); - } + } + if(*resp != '?') + fprintf (stderr, "Unable to parse time \"%s\"\n", resp); + fprintf (stderr, "Print date on format YYYY-mm-dd [hh:mm:ss]\n"); return -1; } 
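Review bot: In `str2time_t()`, a non-NULL return from `strptime(p, "%t%H:%M:%S", &tm2)` is taken as a complete parse, but strptime only reports where it stopped, so trailing text after the seconds is silently accepted and the added XXX comment acknowledges as much. Capturing the end pointer is a small change: `const char *end = strptime(p, "%t%H:%M:%S", &tm2); if (end != NULL && *end == '\0') {` (with the declaration moved to the top of the function in this file's style), and the end-of-day fallback could then warn when `end != NULL` but text remains rather than silently applying. The rest of str2time_t, including where `p` comes from, is outside the hunk.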
@@ -313,7 +316,7 @@ parse_deltat (const char *resp, krb5_deltat *value, int *mask, int bit) } else if(*resp == '?') { print_time_table (stderr); } else { - fprintf (stderr, "Unable to parse time '%s'\n", resp); + fprintf (stderr, "Unable to parse time \"%s\"\n", resp); } return -1; } @@ -492,7 +495,7 @@ foreach_principal(const char *exp, char **princs; int num_princs; int i; - krb5_error_code ret; + krb5_error_code ret = 0; krb5_principal princ_ent; int is_expr; @@ -556,11 +559,11 @@ get_response(const char *prompt, const char *def, char *buf, size_t len) osig = signal(SIGINT, interrupt); if(setjmp(jmpbuf)) { signal(SIGINT, osig); - printf("\n"); + fprintf(stderr, "\n"); return 1; } - printf("%s [%s]:", prompt, def); + fprintf(stderr, "%s [%s]:", prompt, def); if(fgets(buf, len, stdin) == NULL) { int save_errno = errno; if(ferror(stdin)) diff --git a/kerberosV/src/kdc/524.c b/kerberosV/src/kdc/524.c index 14c195bce2d..74b7d25f417 100644 --- a/kerberosV/src/kdc/524.c +++ b/kerberosV/src/kdc/524.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,11 +33,9 @@ #include "kdc_locl.h" -RCSID("$KTH: 524.c,v 1.29 2003/03/17 05:35:47 assar Exp $"); +RCSID("$KTH: 524.c,v 1.31.2.1 2005/07/26 20:43:13 lha Exp $"); -#ifndef KRB4 #include <krb5-v4compat.h> -#endif /* * fetch the server from `t', returning the name in malloced memory in @@ -53,9 +51,9 @@ fetch_server (const Ticket *t, krb5_error_code ret; krb5_principal sprinc; - ret = principalname2krb5_principal(&sprinc, t->sname, t->realm); + ret = _krb5_principalname2krb5_principal(&sprinc, t->sname, t->realm); if (ret) { - kdc_log(0, "principalname2krb5_principal: %s", + kdc_log(0, "_krb5_principalname2krb5_principal: %s", krb5_get_err_text(context, ret)); return ret; } 
@@ -87,9 +85,9 @@ log_524 (const EncTicketPart *et, char *cpn; krb5_error_code ret; - ret = principalname2krb5_principal(&client, et->cname, et->crealm); + ret = _krb5_principalname2krb5_principal(&client, et->cname, et->crealm); if (ret) { - kdc_log(0, "principalname2krb5_principal: %s", + kdc_log(0, "_krb5_principalname2krb5_principal: %s", krb5_get_err_text (context, ret)); return ret; } @@ -283,7 +281,7 @@ do_524(const Ticket *t, krb5_data *reply, char *spn = NULL; unsigned char buf[MAX_KTXT_LEN + 4 * 4]; size_t len; - int kvno; + int kvno = 0; if(!enable_524) { ret = KRB5KDC_ERR_POLICY; diff --git a/kerberosV/src/kdc/config.c b/kerberosV/src/kdc/config.c index a4f2850bef8..20cd465dc36 100644 --- a/kerberosV/src/kdc/config.c +++ b/kerberosV/src/kdc/config.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -35,7 +35,7 @@ #include <getarg.h> #include <parse_bytes.h> -RCSID("$KTH: config.c,v 1.46.2.2 2003/10/27 11:06:52 joda Exp $"); +RCSID("$KTH: config.c,v 1.59 2005/05/23 17:34:12 lha Exp $"); static const char *config_file; /* location of kdc config file */ @@ -53,10 +53,8 @@ int num_db; const char *port_str; -#ifdef HAVE_DAEMON int detach_from_console = -1; #define DETACH_IS_DEFAULT FALSE -#endif int enable_http = -1; krb5_boolean encode_as_rep_as_tgs_rep; /* bug compatibility */ @@ -70,15 +68,16 @@ static const char *trpolicy_str; static struct getarg_strings addresses_str; /* addresses to listen on */ krb5_addresses explicit_addresses; -#ifdef KRB4 +static int disable_des = -1; + char *v4_realm; int enable_v4 = -1; int enable_kaserver = -1; -#endif int enable_524 = -1; int enable_v4_cross_realm = -1; +static int builtin_hdb_flag; static int help_flag; static int version_flag; 
@@ -105,7 +104,6 @@ static struct getargs args[] = { { "524", 0, arg_negative_flag, &enable_524, "don't respond to 524 requests" }, -#ifdef KRB4 { "kaserver", 'K', arg_flag, &enable_kaserver, "enable kaserver support" @@ -117,7 +115,6 @@ static struct getargs args[] = { "v4-realm", 'r', arg_string, &v4_realm, "realm to serve v4-requests for" }, -#endif { "kerberos4-cross-realm", 0, arg_flag, &enable_v4_cross_realm, "respond to kerberos 4 requests from foreign realms" @@ -125,7 +122,6 @@ static struct getargs args[] = { { "ports", 'P', arg_string, &port_str, "ports to listen to", "portspec" }, -#ifdef HAVE_DAEMON #if DETACH_IS_DEFAULT { "detach", 'D', arg_negative_flag, &detach_from_console, @@ -137,9 +133,12 @@ static struct getargs args[] = { "detach from console" }, #endif -#endif { "addresses", 0, arg_strings, &addresses_str, "addresses to listen on", "list of addresses" }, + { "disable-des", 0, arg_flag, &disable_des, + "disable DES" }, + { "builtin-hdb", 0, arg_flag, &builtin_hdb_flag, + "list builtin hdb backends"}, { "help", 'h', arg_flag, &help_flag }, { "version", 'v', arg_flag, &version_flag } }; @@ -251,11 +250,11 @@ add_one_address (const char *str, int first) void configure(int argc, char **argv) { + krb5_error_code ret; int optind = 0; - int e; const char *p; - while((e = getarg(args, num_args, argc, argv, &optind))) + while(getarg(args, num_args, argc, argv, &optind)) warnx("error at argument `%s'", argv[optind]); if(help_flag) @@ -266,6 +265,16 @@ configure(int argc, char **argv) exit(0); } + if (builtin_hdb_flag) { + char *list; + ret = hdb_list_builtin(context, &list); + if (ret) + krb5_err(context, 1, ret, "listing builtin hdb backends"); + printf("builtin hdb backends: %s\n", list); + free(list); + exit(0); + } + argc -= optind; argv += optind; 
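Review bot: The usage string for the new `disable-des` option says only "disable DES", while the configure() code later in this file (the hunk on the line with `@@ -426,12 +425,67 @@`) also turns off Kerberos 4, 524 and kaserver when it is set; the help text should say so, e.g. `"disable DES (also turns off Kerberos 4, 524 and kaserver)"`. Because `disable_des` starts at -1 and the option is a plain `arg_flag`, there is no command-line way to re-enable DES when the config file disables it; a negative-flag counterpart, as the same table already provides for `524` and `detach`, would give operators both directions.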
@@ -273,20 +282,15 @@ configure(int argc, char **argv) usage(1); { - krb5_error_code ret; char **files; - char *tmp; + if(config_file == NULL) config_file = _PATH_KDC_CONF; - asprintf(&tmp, "%s:%s", config_file, krb5_config_file); - if(tmp == NULL) - krb5_errx(context, 1, "out of memory"); - - krb5_config_file = tmp; - ret = krb5_get_default_config_files(&files); - if(ret) - krb5_err(context, 1, ret, "reading configuration files"); + ret = krb5_prepend_config_files_default(config_file, &files); + if (ret) + krb5_err(context, 1, ret, "getting configuration files"); + ret = krb5_set_config_files(context, files); krb5_free_config_files(files); if(ret) @@ -337,13 +341,9 @@ configure(int argc, char **argv) } } -#ifdef KRB4 if(enable_v4 == -1) enable_v4 = krb5_config_get_bool_default(context, NULL, FALSE, "kdc", - "enable-kerberos4", NULL); -#else -#define enable_v4 0 -#endif + "enable-kerberos4", NULL); if(enable_v4_cross_realm == -1) enable_v4_cross_realm = krb5_config_get_bool_default(context, NULL, @@ -382,9 +382,11 @@ configure(int argc, char **argv) trpolicy = TRPOLICY_ALWAYS_CHECK; } - krb5_config_get_bool_default(context, NULL, TRUE, "kdc", - "enforce-transited-policy", NULL); -#ifdef KRB4 + if (krb5_config_get_string(context, NULL, "kdc", + "enforce-transited-policy", NULL)) + krb5_errx(context, 1, "enforce-transited-policy deprecated, " + "use [kdc]transited-policy instead"); + if(v4_realm == NULL){ p = krb5_config_get_string (context, NULL, "kdc", @@ -401,7 +403,6 @@ configure(int argc, char **argv) "kdc", "enable-kaserver", NULL); -#endif encode_as_rep_as_tgs_rep = krb5_config_get_bool(context, NULL, "kdc", "encode_as_rep_as_tgs_rep", @@ -412,13 +413,11 @@ configure(int argc, char **argv) "kdc_warn_pwexpire", NULL); -#ifdef HAVE_DAEMON if(detach_from_console == -1) detach_from_console = krb5_config_get_bool_default(context, NULL, DETACH_IS_DEFAULT, "kdc", "detach", NULL); -#endif kdc_openlog(); if(max_request == 0) max_request = 64 * 1024; 
@@ -426,12 +425,67 @@ configure(int argc, char **argv) require_preauth = 1; if (port_str == NULL) port_str = "+"; + +#ifdef PKINIT + enable_pkinit = krb5_config_get_bool_default(context, NULL, FALSE, + "kdc", + "enable-pkinit", + NULL); + if (enable_pkinit) { + const char *user_id, *x509_anchors; + + user_id = krb5_config_get_string(context, NULL, + "kdc", + "pki-identity", + NULL); + if (user_id == NULL) + krb5_errx(context, 1, "pkinit enabled but no identity"); + + x509_anchors = krb5_config_get_string(context, NULL, + "kdc", + "pki-anchors", + NULL); + if (x509_anchors == NULL) + krb5_errx(context, 1, "pkinit enabled but no X509 anchors"); + + pk_initialize(user_id, x509_anchors); + + enable_pkinit_princ_in_cert = + krb5_config_get_bool_default(context, + NULL, TRUE, + "kdc", + "pkinit-principal-in-certificate", + NULL); + } +#endif + + if(v4_realm == NULL && (enable_kaserver || enable_v4)){ #ifdef KRB4 - if(v4_realm == NULL){ v4_realm = malloc(40); /* REALM_SZ */ if (v4_realm == NULL) krb5_errx(context, 1, "out of memory"); krb_get_lrealm(v4_realm, 1); - } +#else + krb5_errx(context, 1, "No Kerberos 4 realm configured"); #endif + } + if(disable_des == -1) + disable_des = krb5_config_get_bool_default(context, NULL, + 0, + "kdc", + "disable-des", NULL); + if(disable_des) { + krb5_enctype_disable(context, ETYPE_DES_CBC_CRC); + krb5_enctype_disable(context, ETYPE_DES_CBC_MD4); + krb5_enctype_disable(context, ETYPE_DES_CBC_MD5); + krb5_enctype_disable(context, ETYPE_DES_CBC_NONE); + krb5_enctype_disable(context, ETYPE_DES_CFB64_NONE); + krb5_enctype_disable(context, ETYPE_DES_PCBC_NONE); + + kdc_log(0, "DES was disabled, turned off Kerberos V4, 524 " + "and kaserver"); + enable_v4 = 0; + enable_524 = 0; + enable_kaserver = 0; + } } diff --git a/kerberosV/src/kdc/headers.h b/kerberosV/src/kdc/headers.h index 4ad24004ee0..471bc57f5e6 100644 --- a/kerberosV/src/kdc/headers.h +++ b/kerberosV/src/kdc/headers.h 
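Review bot: The result of `pk_initialize(user_id, x509_anchors);` is dropped, although kdc_locl.h in this commit declares it as returning krb5_error_code; a bad identity file or anchor path would leave enable_pkinit set with, presumably, no usable PKINIT state, where the surrounding code aborts on every other configuration failure. Make it `ret = pk_initialize(user_id, x509_anchors);` followed by `if (ret)` / `krb5_errx`-style `krb5_err(context, 1, ret, "pk_initialize");`. Separately, the `v4_realm == NULL && (enable_kaserver || enable_v4)` check runs before disable_des is resolved, so `--disable-des` together with enable-kerberos4 and no v4 realm aborts with "No Kerberos 4 realm configured" even though the v4 services are about to be switched off; evaluating the disable_des block first avoids that. configure()'s body starts before this hunk.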
@@ -32,7 +32,7 @@ */ /* - * $KTH: headers.h,v 1.15 2002/09/10 20:04:46 joda Exp $ + * $KTH: headers.h,v 1.16 2005/04/24 13:49:00 lha Exp $ */ #ifndef __HEADERS_H__ @@ -92,13 +92,6 @@ #include <hdb_err.h> #include <der.h> /* copy_octet_string */ -#ifdef KRB4 -#include <krb.h> -#include <prot.h> -#define Principal Principal4 -#include <krb_db.h> -#endif - #undef ALLOC #define ALLOC(X) ((X) = malloc(sizeof(*(X)))) #undef ALLOC_SEQ diff --git a/kerberosV/src/kdc/hprop.8 b/kerberosV/src/kdc/hprop.8 index dac72d5d44e..732c85cfb8e 100644 --- a/kerberosV/src/kdc/hprop.8 +++ b/kerberosV/src/kdc/hprop.8 @@ -1,4 +1,4 @@ -.\" Copyright (c) 2000 - 2003 Kungliga Tekniska Högskolan +.\" Copyright (c) 2000 - 2004 Kungliga Tekniska Högskolan .\" (Royal Institute of Technology, Stockholm, Sweden). .\" All rights reserved. .\" @@ -29,9 +29,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $KTH: hprop.8,v 1.18 2003/02/16 21:10:19 lha Exp $ +.\" $KTH: hprop.8,v 1.20 2004/12/08 17:34:22 lha Exp $ .\" -.Dd June 19, 2000 +.Dd December 8, 2004 .Dt HPROP 8 .Os HEIMDAL .Sh NAME @@ -185,7 +185,7 @@ Deprecated, identical to .Sh EXAMPLES The following will propagate a database to another machine (which should run -.Xr hpropd 8): +.Xr hpropd 8 ): .Bd -literal -offset indent $ hprop slave-1 slave-2 .Ed diff --git a/kerberosV/src/kdc/hprop.c b/kerberosV/src/kdc/hprop.c index c728291433b..bd48a5ae98b 100644 --- a/kerberosV/src/kdc/hprop.c +++ b/kerberosV/src/kdc/hprop.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * 
@@ -33,7 +33,14 @@ #include "hprop.h" -RCSID("$KTH: hprop.c,v 1.70 2002/09/04 18:19:41 joda Exp $"); +#ifdef KRB4 +#include <krb.h> +#include <prot.h> +#define Principal Principal4 +#include <krb_db.h> +#endif + +RCSID("$KTH: hprop.c,v 1.76 2005/04/24 13:48:37 lha Exp $"); static int version_flag; static int help_flag; @@ -236,7 +243,7 @@ v4_prop(void *arg, struct v4_principal *p) ent.keys.val[0].salt = calloc(1, sizeof(*ent.keys.val[0].salt)); ent.keys.val[0].salt->type = KRB5_PADATA_PW_SALT; ent.keys.val[0].key.keytype = ETYPE_DES_CBC_MD5; - krb5_data_alloc(&ent.keys.val[0].key.keyvalue, sizeof(des_cblock)); + krb5_data_alloc(&ent.keys.val[0].key.keyvalue, DES_KEY_SZ); memcpy(ent.keys.val[0].key.keyvalue.data, p->key, 8); copy_Key(&ent.keys.val[0], &ent.keys.val[1]); @@ -384,7 +391,7 @@ ka_convert(struct prop_data *pd, int fd, struct ka_entry *ent) ALLOC(hdb.max_life); *hdb.max_life = ntohl(ent->max_life); - if(ntohl(ent->valid_end) != NEVERDATE && ntohl(ent->valid_end) != -1){ + if(ntohl(ent->valid_end) != NEVERDATE && ntohl(ent->valid_end) != 0xffffffff) { ALLOC(hdb.valid_end); *hdb.valid_end = ntohl(ent->valid_end); } @@ -503,7 +510,7 @@ get_creds(krb5_context context, krb5_ccache *cache) krb5_keytab keytab; krb5_principal client; krb5_error_code ret; - krb5_get_init_creds_opt init_opts; + krb5_get_init_creds_opt *init_opts; krb5_preauthtype preauth = KRB5_PADATA_ENC_TIMESTAMP; krb5_creds creds; 
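Review bot: In the v4_prop hunk, `krb5_data_alloc(&ent.keys.val[0].key.keyvalue, DES_KEY_SZ);` is still unchecked and is followed by `memcpy(..., p->key, 8)`, so an allocation failure turns into a write through a NULL data pointer, and the copy length no longer matches the constant the allocation uses. Check the return in whatever way v4_prop reports failures (its signature is outside the hunk) and use the same size for both: `memcpy(ent.keys.val[0].key.keyvalue.data, p->key, DES_KEY_SZ);`. The `calloc` for `salt` two lines above has the same unchecked-then-dereferenced shape, though that line is unchanged context here.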
@@ -517,11 +524,14 @@ get_creds(krb5_context context, krb5_ccache *cache) "kadmin", HPROP_NAME, NULL); if(ret) krb5_err(context, 1, ret, "krb5_make_principal"); - krb5_get_init_creds_opt_init(&init_opts); - krb5_get_init_creds_opt_set_preauth_list(&init_opts, &preauth, 1); + ret = krb5_get_init_creds_opt_alloc(context, &init_opts); + if(ret) krb5_err(context, 1, ret, "krb5_get_init_creds_opt_alloc"); + krb5_get_init_creds_opt_set_preauth_list(init_opts, &preauth, 1); - ret = krb5_get_init_creds_keytab(context, &creds, client, keytab, 0, NULL, &init_opts); + ret = krb5_get_init_creds_keytab(context, &creds, client, keytab, 0, NULL, init_opts); if(ret) krb5_err(context, 1, ret, "krb5_get_init_creds"); + + krb5_get_init_creds_opt_free(init_opts); ret = krb5_kt_close(context, keytab); if(ret) krb5_err(context, 1, ret, "krb5_kt_close"); @@ -537,7 +547,7 @@ get_creds(krb5_context context, krb5_ccache *cache) ret = krb5_cc_store_cred(context, *cache, &creds); if(ret) krb5_err(context, 1, ret, "krb5_cc_store_cred"); - krb5_free_creds_contents(context, &creds); + krb5_free_cred_contents(context, &creds); } enum hprop_source { @@ -840,9 +850,9 @@ main(int argc, char **argv) ret = hdb_create (context, &db, database); if(ret) krb5_err(context, 1, ret, "hdb_create: %s", database); - ret = db->open(context, db, O_RDONLY, 0); + ret = db->hdb_open(context, db, O_RDONLY, 0); if(ret) - krb5_err(context, 1, ret, "db->open"); + krb5_err(context, 1, ret, "db->hdb_open"); break; default: krb5_errx(context, 1, "unknown dump type `%d'", type); @@ -859,7 +869,7 @@ main(int argc, char **argv) krb5_cc_destroy(context, ccache); if(db != NULL) - (*db->destroy)(context, db); + (*db->hdb_destroy)(context, db); krb5_free_context(context); return 0; diff --git a/kerberosV/src/kdc/hpropd.8 b/kerberosV/src/kdc/hpropd.8 index 32f8e3871d7..bab0aaa7c63 100644 --- a/kerberosV/src/kdc/hpropd.8 +++ b/kerberosV/src/kdc/hpropd.8 
@@ -29,7 +29,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $KTH: hpropd.8,v 1.11 2003/02/16 21:10:20 lha Exp $ +.\" $KTH: hpropd.8,v 1.13 2004/12/10 09:44:05 lha Exp $ .\" .Dd August 27, 1997 .Dt HPROPD 8 diff --git a/kerberosV/src/kdc/hpropd.c b/kerberosV/src/kdc/hpropd.c index 234b6d688d8..62b35c1f34c 100644 --- a/kerberosV/src/kdc/hpropd.c +++ b/kerberosV/src/kdc/hpropd.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,9 +33,14 @@ #include "hprop.h" -RCSID("$KTH: hpropd.c,v 1.36 2003/04/16 15:46:32 lha Exp $"); +RCSID("$KTH: hpropd.c,v 1.40 2005/04/24 13:48:08 lha Exp $"); #ifdef KRB4 +#include <krb.h> +#include <prot.h> +#define Principal Principal4 +#include <krb_db.h> + static des_cblock mkey4; static des_key_schedule msched4; @@ -65,9 +70,11 @@ dump_krb4(krb5_context context, hdb_entry *ent, int fd) ret = krb5_524_conv_principal(context, ent->principal, name, instance, realm); if (ret) { - krb5_unparse_name(context, ent->principal, &princ_name); - krb5_warn(context, ret, "%s", princ_name); - free(princ_name); + ret = krb5_unparse_name(context, ent->principal, &princ_name); + if (ret == 0) { + krb5_warn(context, ret, "%s", princ_name); + free(princ_name); + } return -1; } @@ -141,9 +148,11 @@ dump_krb4(krb5_context context, hdb_entry *ent, int fd) ret = krb5_524_conv_principal(context, modifier->principal, name, instance, realm); if (ret) { - krb5_unparse_name(context, modifier->principal, &princ_name); - krb5_warn(context, ret, "%s", princ_name); - free(princ_name); + ret = krb5_unparse_name(context, modifier->principal, &princ_name); + if (ret == 0) { + krb5_warn(context, ret, "%s", princ_name); + free(princ_name); + } return -1; } asprintf(&p, "%s %s %s\n", time2str(modifier->time), 
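Review bot: In both dump_krb4 hunks (the ent->principal site and the modifier->principal site) the new `ret = krb5_unparse_name(...)` overwrites the error that krb5_524_conv_principal just returned, so the `krb5_warn(context, ret, ...)` inside `if (ret == 0)` now always reports code 0 instead of the conversion failure, and when unparse itself fails nothing is logged at all. Keep the original code in `ret` and give the unparse call its own status variable, as below; the function still returns -1 either way. Type of `ret` is not visible in the hunk, so `ret2` is assumed to be krb5_error_code like krb5_unparse_name's return.
```c
    ret = krb5_524_conv_principal(context, ent->principal,
				  name, instance, realm);
    if (ret) {
	/* keep `ret` (the conversion error) for the message; unparse has its own status */
	krb5_error_code ret2 = krb5_unparse_name(context, ent->principal, &princ_name);
	if (ret2 == 0) {
	    krb5_warn(context, ret, "%s", princ_name);
	    free(princ_name);
	} else {
	    krb5_warn(context, ret, "<unparseable principal>");
	}
	return -1;
    }
```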
@@ -317,10 +326,13 @@ main(int argc, char **argv) ret = krb5_make_principal(context, &c1, NULL, "kadmin", "hprop", NULL); if(ret) krb5_err(context, 1, ret, "krb5_make_principal"); - principalname2krb5_principal(&c2, authent->cname, authent->crealm); + _krb5_principalname2krb5_principal(&c2, + authent->cname, authent->crealm); if(!krb5_principal_compare(context, c1, c2)) { char *s; - krb5_unparse_name(context, c2, &s); + ret = krb5_unparse_name(context, c2, &s); + if (ret) + s = "unparseable name"; krb5_errx(context, 1, "Unauthorized connection from %s", s); } krb5_free_principal(context, c1); @@ -345,7 +357,7 @@ main(int argc, char **argv) ret = hdb_create(context, &db, tmp_db); if(ret) krb5_err(context, 1, ret, "hdb_create(%s)", tmp_db); - ret = db->open(context, db, O_RDWR | O_CREAT | O_TRUNC, 0600); + ret = db->hdb_open(context, db, O_RDWR | O_CREAT | O_TRUNC, 0600); if(ret) krb5_err(context, 1, ret, "hdb_open(%s)", tmp_db); } @@ -393,10 +405,10 @@ main(int argc, char **argv) } else #endif /* KRB4 */ { - ret = db->rename(context, db, database); + ret = db->hdb_rename(context, db, database); if(ret) krb5_err(context, 1, ret, "db_rename"); - ret = db->close(context, db); + ret = db->hdb_close(context, db); if(ret) krb5_err(context, 1, ret, "db_close"); } @@ -417,10 +429,12 @@ main(int argc, char **argv) else #endif /* KRB4 */ { - ret = db->store(context, db, 0, &entry); + ret = db->hdb_store(context, db, 0, &entry); if(ret == HDB_ERR_EXISTS) { char *s; - krb5_unparse_name(context, entry.principal, &s); + ret = krb5_unparse_name(context, entry.principal, &s); + if (ret) + s = strdup("unparseable name"); krb5_warnx(context, "Entry exists: %s", s); free(s); } else if(ret) diff --git a/kerberosV/src/kdc/kaserver.c b/kerberosV/src/kdc/kaserver.c index acbc940a3b5..e27c7403859 100644 --- a/kerberosV/src/kdc/kaserver.c +++ b/kerberosV/src/kdc/kaserver.c 
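Review bot: In the last main() hunk (the `HDB_ERR_EXISTS` branch), `ret = krb5_unparse_name(context, entry.principal, &s);` clobbers the HDB_ERR_EXISTS value that selected this branch, which matters if anything after the if/else chain (outside the hunk) still looks at `ret`; and `s = strdup("unparseable name")` can itself return NULL, which then reaches `%s` and `free`. Avoid both by not reusing `ret` and not allocating: `if (krb5_unparse_name(context, entry.principal, &s) != 0) s = NULL;` / `krb5_warnx(context, "Entry exists: %s", s ? s : "unparseable name");` / `free(s);`. The earlier `s = "unparseable name"` in the unauthorized-connection hunk is fine because krb5_errx exits before any free.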
@@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,9 +33,9 @@ #include "kdc_locl.h" -RCSID("$KTH: kaserver.c,v 1.21.2.1 2003/10/06 21:02:35 lha Exp $"); - +RCSID("$KTH: kaserver.c,v 1.27 2005/06/08 17:58:09 lha Exp $"); +#include <krb5-v4compat.h> #include <rx.h> #define KA_AUTHENTICATION_SERVICE 731 @@ -250,28 +250,35 @@ create_reply_ticket (struct rx_header *hdr, const char *sname, const char *sinstance, u_int32_t challenge, const char *label, - des_cblock *key, + krb5_keyblock *key, krb5_data *reply) { - KTEXT_ST ticket; - des_cblock session; + krb5_data ticket; + krb5_keyblock session; krb5_storage *sp; krb5_data enc_data; - des_key_schedule schedule; struct rx_header reply_hdr; - des_cblock zero; + char zero[8]; size_t pad; - unsigned fyrtiosjuelva; /* XXX better variable name - (this means 4711 in swedish. not kidding */ + unsigned fyrtiosjuelva; /* create the ticket */ - des_new_random_key((unsigned char *)&session); - - krb_create_ticket (&ticket, 0, name, instance, realm, - addr->sin_addr.s_addr, - &session, life, kdc_time, - sname, sinstance, skey->key.keyvalue.data); + krb5_generate_random_keyblock(context, ETYPE_DES_PCBC_NONE, &session); + + _krb5_krb_create_ticket(context, + 0, + name, + instance, + realm, + addr->sin_addr.s_addr, + &session, + life, + kdc_time, + sname, + sinstance, + &skey->key, + &ticket); /* create the encrypted part of the reply */ sp = krb5_storage_emem (); 
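Review bot: In the create_reply_ticket hunk, neither `krb5_generate_random_keyblock(...)` nor `_krb5_krb_create_ticket(...)` has its result checked, and `ticket` is never zeroed, so on failure the code that follows (next hunk) writes `session.keyvalue.data` and `ticket.data`/`ticket.length` from an unset keyblock and an uninitialized krb5_data into the reply. The same two calls are checked in do_version4 in kerberos4.c in this commit; this site should match. The function's return type is outside the hunk; the sketch below assumes it is void, as its statement-style call sites in do_authenticate and do_getticket suggest, and uses a labelled placeholder for the KA error code since the hunk does not show which one fits.
```c
    krb5_error_code ret;
    /* … unchanged: other locals … */

    /* create the ticket */
    ret = krb5_generate_random_keyblock(context, ETYPE_DES_PCBC_NONE, &session);
    if (ret) {
	/* never build a reply around an unset session keyblock */
	make_error_reply (hdr, KA_ERROR_CODE_PLACEHOLDER /* placeholder: KA error for internal failure */, reply);
	return;
    }

    ret = _krb5_krb_create_ticket(context, 0, name, instance, realm,
				  addr->sin_addr.s_addr, &session, life,
				  kdc_time, sname, sinstance, &skey->key,
				  &ticket);
    if (ret) {
	krb5_free_keyblock_contents(context, &session);
	make_error_reply (hdr, KA_ERROR_CODE_PLACEHOLDER /* placeholder: KA error for internal failure */, reply);
	return;
    }
    /* … unchanged: encrypted part of the reply … */
```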
@@ -279,10 +286,10 @@ create_reply_ticket (struct rx_header *hdr, fyrtiosjuelva &= 0xffffffff; krb5_store_int32 (sp, fyrtiosjuelva); krb5_store_int32 (sp, challenge); - krb5_storage_write (sp, session, 8); - memset (&session, 0, sizeof(session)); + krb5_storage_write (sp, session.keyvalue.data, 8); + krb5_free_keyblock_contents(context, &session); krb5_store_int32 (sp, kdc_time); - krb5_store_int32 (sp, kdc_time + krb_life_to_time (0, life)); + krb5_store_int32 (sp, kdc_time + _krb5_krb_life_to_time (0, life)); krb5_store_int32 (sp, kvno); krb5_store_int32 (sp, ticket.length); krb5_store_stringz (sp, name); @@ -294,7 +301,7 @@ create_reply_ticket (struct rx_header *hdr, #endif krb5_store_stringz (sp, sname); krb5_store_stringz (sp, sinstance); - krb5_storage_write (sp, ticket.dat, ticket.length); + krb5_storage_write (sp, ticket.data, ticket.length); krb5_storage_write (sp, label, strlen(label)); /* pad to DES block */ @@ -312,14 +319,21 @@ create_reply_ticket (struct rx_header *hdr, } /* encrypt it */ - des_set_key (key, schedule); - des_pcbc_encrypt (enc_data.data, - enc_data.data, - enc_data.length, - schedule, - key, - DES_ENCRYPT); - memset (&schedule, 0, sizeof(schedule)); + { + DES_key_schedule schedule; + DES_cblock deskey; + + memcpy (&deskey, key->keyvalue.data, sizeof(deskey)); + DES_set_key (&deskey, &schedule); + DES_pcbc_encrypt (enc_data.data, + enc_data.data, + enc_data.length, + &schedule, + &deskey, + DES_ENCRYPT); + memset (&schedule, 0, sizeof(schedule)); + memset (&deskey, 0, sizeof(deskey)); + } /* create the reply packet */ init_reply_header (hdr, &reply_hdr, HT_DATA, HF_LAST); @@ -390,8 +404,6 @@ do_authenticate (struct rx_header *hdr, hdb_entry *server_entry = NULL; Key *ckey = NULL; Key *skey = NULL; - des_cblock key; - des_key_schedule schedule; krb5_storage *reply_sp; time_t max_life; u_int8_t life; 
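Review bot: In the encryption block of create_reply_ticket, `memcpy (&deskey, key->keyvalue.data, sizeof(deskey));` copies eight bytes without looking at `key->keyvalue.length`; `key` now arrives as `&ckey->key` from the database or `&ad.session` from a decrypted ticket, so a shorter keyblock over-reads unless get_des_key and _krb5_krb_decomp_ticket guarantee the length (not visible here). A guard such as `if (key->keyvalue.length < sizeof(deskey)) { /* reject */ }` before the copy makes that explicit. The trailing `memset (&schedule, 0, ...)` / `memset (&deskey, 0, ...)` on block-scope variables that are dead afterwards may be removed by the optimizer, so they should use whatever explicit-clear helper the tree provides; the do_authenticate decrypt block in the next hunk of this file has the same copy-without-length and memset pattern.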
@@ -401,9 +413,9 @@ do_authenticate (struct rx_header *hdr, krb5_data_zero (&request); - unparse_auth_args (sp, &name, &instance, &start_time, &end_time, - &request, &max_seq_len); - if (request.length < 8) { + ret = unparse_auth_args (sp, &name, &instance, &start_time, &end_time, + &request, &max_seq_len); + if (ret != 0 || request.length < 8) { make_error_reply (hdr, KABADREQUEST, reply); goto out; } @@ -454,19 +466,26 @@ do_authenticate (struct rx_header *hdr, goto out; } - /* try to decode the `request' */ - memcpy (&key, ckey->key.keyvalue.data, sizeof(key)); - des_set_key (&key, schedule); - des_pcbc_encrypt (request.data, - request.data, - request.length, - schedule, - &key, - DES_DECRYPT); - memset (&schedule, 0, sizeof(schedule)); + { + DES_cblock key; + DES_key_schedule schedule; + + /* try to decode the `request' */ + memcpy (&key, ckey->key.keyvalue.data, sizeof(key)); + DES_set_key (&key, &schedule); + DES_pcbc_encrypt (request.data, + request.data, + request.length, + &schedule, + &key, + DES_DECRYPT); + memset (&schedule, 0, sizeof(schedule)); + memset (&key, 0, sizeof(key)); + } /* check for the magic label */ if (memcmp ((char *)request.data + 4, "gTGS", 4) != 0) { + kdc_log(0, "preauth failed for %s", client_name); make_error_reply (hdr, KABADREQUEST, reply); goto out; } @@ -499,8 +518,7 @@ do_authenticate (struct rx_header *hdr, max_seq_len, "krbtgt", v4_realm, chal + 1, "tgsT", - &key, reply); - memset (&key, 0, sizeof(key)); + &ckey->key, reply); out: if (request.length) { 
@@ -586,23 +604,25 @@ do_getticket (struct rx_header *hdr, krb5_data times; int32_t max_seq_len; hdb_entry *server_entry = NULL; + hdb_entry *client_entry = NULL; hdb_entry *krbtgt_entry = NULL; Key *kkey = NULL; Key *skey = NULL; - des_cblock key; - des_key_schedule schedule; - des_cblock session; + DES_cblock key; + DES_key_schedule schedule; + DES_cblock session; time_t max_life; int8_t life; time_t start_time, end_time; - char pname[ANAME_SZ]; - char pinst[INST_SZ]; - char prealm[REALM_SZ]; char server_name[256]; + char client_name[256]; + struct _krb5_krb_auth_data ad; krb5_data_zero (&aticket); krb5_data_zero (×); + memset(&ad, 0, sizeof(ad)); + unparse_getticket_args (sp, &kvno, &auth_domain, &aticket, &name, &instance, ×, &max_seq_len); if (times.length < 8) { @@ -622,14 +642,6 @@ do_getticket (struct rx_header *hdr, goto out; } - ret = check_flags (NULL, NULL, - server_entry, server_name, - FALSE); - if (ret) { - make_error_reply (hdr, KAPWEXPIRED, reply); - goto out; - } - ret = db_fetch4 ("krbtgt", v4_realm, v4_realm, &krbtgt_entry); if (ret) { kdc_log(0, "Server not found in database: %s.%s@%s: %s", 
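Review bot: `unparse_getticket_args (sp, &kvno, &auth_domain, &aticket, &name, &instance, &times, &max_seq_len);` is still called without checking its result, while the sibling do_authenticate hunk in this commit now checks `unparse_auth_args` and rejects the request on failure; only `times.length < 8` is tested here, so a truncated packet can proceed with partially filled fields. If unparse_getticket_args reports failure the same way (its definition is outside the hunk), mirror that: `ret = unparse_getticket_args (sp, &kvno, &auth_domain, &aticket, &name, &instance, &times, &max_seq_len);` / `if (ret != 0 || times.length < 8) {`. The `memset(&ad, 0, sizeof(ad))` is the right move given `out:` now frees `ad` unconditionally.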
@@ -659,55 +671,73 @@ do_getticket (struct rx_header *hdr, /* unpack the ticket */ { - KTEXT_ST ticket; - u_char flags; - int life; - u_int32_t time_sec; - char sname[ANAME_SZ]; - char sinstance[SNAME_SZ]; - u_int32_t paddress; - - if (aticket.length > sizeof(ticket.dat)) { - kdc_log(0, "ticket too long (%u > %u)", - (unsigned)aticket.length, - (unsigned)sizeof(ticket.dat)); + char *sname = NULL; + char *sinstance = NULL; + + ret = _krb5_krb_decomp_ticket(context, &aticket, &kkey->key, + v4_realm, &sname, &sinstance, &ad); + if (ret) { + kdc_log(0, "kaserver: decomp failed for %s.%s with %d", + sname, sinstance, ret); make_error_reply (hdr, KABADTICKET, reply); goto out; } - ticket.length = aticket.length; - memcpy (ticket.dat, aticket.data, ticket.length); - - des_set_key (&key, schedule); - decomp_ticket (&ticket, &flags, pname, pinst, prealm, - &paddress, session, &life, &time_sec, - sname, sinstance, - &key, schedule); - if (strcmp (sname, "krbtgt") != 0 || strcmp (sinstance, v4_realm) != 0) { kdc_log(0, "no TGT: %s.%s for %s.%s@%s", sname, sinstance, - pname, pinst, prealm); + ad.pname, ad.pinst, ad.prealm); make_error_reply (hdr, KABADTICKET, reply); + free(sname); + free(sinstance); goto out; } + free(sname); + free(sinstance); - if (kdc_time > krb_life_to_time(time_sec, life)) { + if (kdc_time > _krb5_krb_life_to_time(ad.time_sec, ad.life)) { kdc_log(0, "TGT expired: %s.%s@%s", - pname, pinst, prealm); + ad.pname, ad.pinst, ad.prealm); make_error_reply (hdr, KABADTICKET, reply); goto out; } } + snprintf (client_name, sizeof(client_name), + "%s.%s@%s", ad.pname, ad.pinst, ad.prealm); + + ret = db_fetch4 (ad.pname, ad.pinst, ad.prealm, &client_entry); + if(ret && ret != HDB_ERR_NOENTRY) { + kdc_log(0, "Client not found in database: (krb4) %s: %s", + client_name, krb5_get_err_text(context, ret)); + make_error_reply (hdr, KANOENT, reply); + goto out; + } + if (client_entry == NULL && strcmp(ad.prealm, v4_realm) == 0) { + kdc_log(0, "Local client not found in 
database: (krb4) " + "%s", client_name); + make_error_reply (hdr, KANOENT, reply); + goto out; + } + + ret = check_flags (client_entry, client_name, + server_entry, server_name, + FALSE); + if (ret) { + make_error_reply (hdr, KAPWEXPIRED, reply); + goto out; + } + /* decrypt the times */ - des_set_key (&session, schedule); - des_ecb_encrypt (times.data, + memcpy(&session, ad.session.keyvalue.data, sizeof(session)); + DES_set_key (&session, &schedule); + DES_ecb_encrypt (times.data, times.data, - schedule, + &schedule, DES_DECRYPT); memset (&schedule, 0, sizeof(schedule)); + memset (&session, 0, sizeof(session)); /* and extract them */ { @@ -732,19 +762,23 @@ do_getticket (struct rx_header *hdr, max_life = min(max_life, *krbtgt_entry->max_life); if (server_entry->max_life) max_life = min(max_life, *server_entry->max_life); + /* if this is a cross realm request, the client_entry will likely + be NULL */ + if (client_entry && client_entry->max_life) + max_life = min(max_life, *client_entry->max_life); - life = krb_time_to_life(kdc_time, kdc_time + max_life); + life = _krb5_krb_time_to_life(kdc_time, kdc_time + max_life); create_reply_ticket (hdr, skey, - pname, pinst, prealm, + ad.pname, ad.pinst, ad.prealm, addr, life, server_entry->kvno, max_seq_len, name, instance, 0, "gtkt", - &session, reply); - memset (&session, 0, sizeof(session)); + &ad.session, reply); out: + _krb5_krb_free_auth_data(context, &ad); if (aticket.length) { memset (aticket.data, 0, aticket.length); krb5_data_free (&aticket); @@ -810,6 +844,7 @@ do_kaserver(unsigned char *buf, krb5_ret_int32(sp, &op); switch (op) { case AUTHENTICATE : + case AUTHENTICATE_V2 : do_authenticate (&hdr, sp, addr, reply); break; case GETTICKET : @@ -828,7 +863,6 @@ do_kaserver(unsigned char *buf, case DEBUG : case GETPASSWORD : case GETRANDOMKEY : - case AUTHENTICATE_V2 : default : make_error_reply (&hdr, RXGEN_OPCODE, reply); break; 
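Review bot: In the ticket-unpacking hunk of do_getticket, the failure branch after `_krb5_krb_decomp_ticket` logs `sname` and `sinstance` with `%s` although both are still NULL when decomposition fails early, and it jumps to `out` without freeing them in case they were allocated before the failure, whereas the "no TGT" branch right below does free both. Print placeholders, free both strings, and use `krb5_get_err_text(context, ret)` as the other kdc_log calls in this hunk do rather than a bare `%d`. Whether `kkey` can be NULL at this point depends on the db_fetch4 calls before the hunk.
```c
	ret = _krb5_krb_decomp_ticket(context, &aticket, &kkey->key,
				      v4_realm, &sname, &sinstance, &ad);
	if (ret) {
	    /* sname/sinstance may still be NULL here; never hand NULL to %s */
	    kdc_log(0, "kaserver: decomp failed for %s.%s: %s",
		    sname ? sname : "<unknown>",
		    sinstance ? sinstance : "<unknown>",
		    krb5_get_err_text(context, ret));
	    make_error_reply (hdr, KABADTICKET, reply);
	    free(sname);
	    free(sinstance);
	    goto out;
	}
	/* … unchanged: krbtgt name check, expiry check … */
```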
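Review bot: The max_life hunk adds `_krb5_krb_free_auth_data(context, &ad);` at `out:` but nothing in the visible cleanup releases `client_entry`, which the new `db_fetch4 (ad.pname, ad.pinst, ad.prealm, &client_entry)` allocates on every request that reaches it; if the rest of the `out:` block (outside the hunk) frees `server_entry` and `krbtgt_entry`, `client_entry` needs the same treatment, with a NULL check since it is legitimately NULL for cross-realm clients as the new comment notes. A short comment at `out:` such as `/* client_entry is NULL for cross-realm requests; free it only when set */` would make the ownership explicit.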
diff --git a/kerberosV/src/kdc/kdc.8 b/kerberosV/src/kdc/kdc.8 index c48acce2cf5..9335ab78264 100644 --- a/kerberosV/src/kdc/kdc.8 +++ b/kerberosV/src/kdc/kdc.8 @@ -1,4 +1,4 @@ -.\" Copyright (c) 2003 Kungliga Tekniska Högskolan +.\" Copyright (c) 2003 - 2004 Kungliga Tekniska Högskolan .\" (Royal Institute of Technology, Stockholm, Sweden). .\" All rights reserved. .\" @@ -29,9 +29,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $KTH: kdc.8,v 1.23.2.1 2003/10/21 20:06:01 lha Exp $ +.\" $KTH: kdc.8,v 1.29 2004/12/17 18:36:19 lha Exp $ .\" -.Dd October 21, 2003 +.Dd December 17, 2004 .Dt KDC 8 .Os HEIMDAL .Sh NAME @@ -60,6 +60,7 @@ .Xc .Oc .Op Fl -detach +.Op Fl -disable-DES .Op Fl -addresses= Ns Ar list of addresses .Ek .Sh DESCRIPTION @@ -155,6 +156,10 @@ By default, the kdc will listen on all the locally configured addresses. If only a subset is desired, or the automatic detection fails, this option might be used. +.It Fl -detach +detach from pty and run as a daemon. +.It Fl -disable-DES +disable add des encryption types, makes the kdc not use them. .El .Pp All activities are logged to one or more destinations, see @@ -187,7 +192,7 @@ command-line equivalents: .Bl -tag -width "xxx" -offset indent .It Li check-ticket-addresses = Va boolean Check the addresses in the ticket when processing TGS requests. -The default is FALSE. +The default is TRUE. .It Li allow-null-ticket-addresses = Va boolean Permit tickets with no addresses. This option is only relevant when check-ticket-addresses is TRUE. @@ -234,7 +239,6 @@ An example of a config file: [kdc] require-preauth = no v4-realm = FOO.SE - key-file = /key-file .Ed .Sh BUGS If the machine running the KDC has new addresses added to it, the KDC diff --git a/kerberosV/src/kdc/kdc_locl.h b/kerberosV/src/kdc/kdc_locl.h index 1c97fac3e8e..384a5868ff1 100644 --- a/kerberosV/src/kdc/kdc_locl.h +++ b/kerberosV/src/kdc/kdc_locl.h 
@@ -32,7 +32,7 @@ */ /* - * $KTH: kdc_locl.h,v 1.58.2.2 2003/10/27 11:07:16 joda Exp $ + * $KTH: kdc_locl.h,v 1.66 2005/04/23 19:52:51 lha Exp $ */ #ifndef __KDC_LOCL_H__ @@ -69,12 +69,9 @@ extern int trpolicy; extern int enable_524; extern int enable_v4_cross_realm; -#ifdef KRB4 -extern char *v4_realm; -extern int enable_v4; -extern int enable_524; -extern int enable_v4_cross_realm; -extern krb5_boolean enable_kaserver; +#ifdef PKINIT +extern int enable_pkinit; +extern int enable_pkinit_princ_in_cert; #endif #define _PATH_KDC_CONF HDB_DB_DIR "/kdc.conf" @@ -108,20 +105,43 @@ krb5_error_code encode_v4_ticket (void*, size_t, const EncTicketPart*, const PrincipalName*, size_t*); krb5_error_code do_524 (const Ticket*, krb5_data*, const char*, struct sockaddr*); -#ifdef KRB4 +#ifdef HAVE_OPENSSL +#define des_new_random_key des_random_key +#endif + +#ifdef PKINIT +typedef struct pk_client_params pk_client_params; +krb5_error_code pk_initialize(const char *, const char *); +krb5_error_code pk_rd_padata(krb5_context, KDC_REQ *, + PA_DATA *, pk_client_params **); +krb5_error_code pk_mk_pa_reply(krb5_context, + pk_client_params *, + const hdb_entry *, + const KDC_REQ *, + krb5_keyblock **, + METHOD_DATA *); +krb5_error_code pk_check_client(krb5_context, krb5_principal, + const hdb_entry *, + pk_client_params *, char **); +void pk_free_client_param(krb5_context, pk_client_params *); +#endif + +/* + * Kerberos 4 + */ + +extern char *v4_realm; +extern int enable_v4; +extern krb5_boolean enable_kaserver; + krb5_error_code db_fetch4 (const char*, const char*, const char*, hdb_entry**); krb5_error_code do_version4 (unsigned char*, size_t, krb5_data*, const char*, struct sockaddr_in*); int maybe_version4 (unsigned char*, int); -#endif -#ifdef KRB4 krb5_error_code do_kaserver (unsigned char*, size_t, krb5_data*, const char*, struct sockaddr_in*); -#endif -#ifdef HAVE_OPENSSL -#define des_new_random_key des_random_key -#endif + #endif /* __KDC_LOCL_H__ */ 
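Review bot: The last hunk declares `extern krb5_boolean enable_kaserver;` while config.c in this same commit defines it as `int enable_kaserver = -1;`; krb5_boolean is an int typedef in Heimdal so this links, but the declaration and definition should agree, e.g. `extern int enable_kaserver;`, especially now that the -1 "unset" sentinel is part of its contract. The new `/* Kerberos 4 */` header would also be a good place to note that these symbols and db_fetch4/do_version4/do_kaserver are now declared regardless of KRB4, since that is the observable change of this hunk.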
diff --git a/kerberosV/src/kdc/kerberos4.c b/kerberosV/src/kdc/kerberos4.c index bf6e2eb7373..1420765e401 100644 --- a/kerberosV/src/kdc/kerberos4.c +++ b/kerberosV/src/kdc/kerberos4.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,9 +33,9 @@ #include "kdc_locl.h" -RCSID("$KTH: kerberos4.c,v 1.45.2.1 2004/03/30 10:29:27 lha Exp $"); +#include <krb5-v4compat.h> -#ifdef KRB4 +RCSID("$KTH: kerberos4.c,v 1.52 2005/04/23 20:11:55 lha Exp $"); #ifndef swap32 static u_int32_t @@ -55,18 +55,11 @@ maybe_version4(unsigned char *buf, int len) } static void -make_err_reply(krb5_data *reply, int code, const char *msg) +make_err_reply(krb5_context context, krb5_data *reply, + int code, const char *msg) { - KTEXT_ST er; - - /* name, instance and realm are not checked in most (all?) - implementations; msg is also never used, but we send it anyway - (for debugging purposes) */ - - if(msg == NULL) - msg = krb_get_err_text(code); - cr_err_reply(&er, "", "", "", kdc_time, code, (char*)msg); - krb5_data_copy(reply, er.dat, er.length); + _krb5_krb_cr_err_reply(context, "", "", "", + kdc_time, code, msg, reply); } static krb5_boolean @@ -108,7 +101,7 @@ db_fetch4(const char *name, const char *instance, const char *realm, return ret; } -#define RCHECK(X, L) if(X){make_err_reply(reply, KFAILURE, "Packet too short"); goto L;} +#define RCHECK(X, L) if(X){make_err_reply(context, reply, KFAILURE, "Packet too short"); goto L;} /* * Process the v4 request in `buf, len' (received from `addr' 
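Review bot: The rewritten make_err_reply drops the explanatory comment and the `msg == NULL` fallback at once, so the new contract that `msg` must be non-NULL (every caller in this diff now passes a literal) is undocumented. Restore a comment above the `_krb5_krb_cr_err_reply` call along the lines of `/* name, instance and realm are not checked by most implementations and msg is informational only; msg must be non-NULL, there is no krb_get_err_text() fallback any more */`. The result of `_krb5_krb_cr_err_reply` is discarded; if it can fail, `reply` is left untouched and the callers' `goto out` paths send whatever was there before.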
@@ -133,14 +126,14 @@ do_version4(unsigned char *buf, char *name = NULL, *inst = NULL, *realm = NULL; char *sname = NULL, *sinst = NULL; int32_t req_time; - time_t max_life, max_end, actual_end, issue_time; + time_t max_life; u_int8_t life; char client_name[256]; char server_name[256]; if(!enable_v4) { kdc_log(0, "Rejected version 4 request from %s", from); - make_err_reply(reply, KDC_GEN_ERR, "function not enabled"); + make_err_reply(context, reply, KDC_GEN_ERR, "function not enabled"); return 0; } @@ -148,14 +141,20 @@ do_version4(unsigned char *buf, RCHECK(krb5_ret_int8(sp, &pvno), out); if(pvno != 4){ kdc_log(0, "Protocol version mismatch (krb4) (%d)", pvno); - make_err_reply(reply, KDC_PKT_VER, NULL); + make_err_reply(context, reply, KDC_PKT_VER, "protocol mismatch"); goto out; } RCHECK(krb5_ret_int8(sp, &msg_type), out); lsb = msg_type & 1; msg_type &= ~1; switch(msg_type){ - case AUTH_MSG_KDC_REQUEST: + case AUTH_MSG_KDC_REQUEST: { + krb5_data ticket, cipher; + krb5_keyblock session; + + krb5_data_zero(&ticket); + krb5_data_zero(&cipher); + RCHECK(krb5_ret_stringz(sp, &name), out1); RCHECK(krb5_ret_stringz(sp, &inst), out1); RCHECK(krb5_ret_stringz(sp, &realm), out1); @@ -177,14 +176,16 @@ do_version4(unsigned char *buf, if(ret) { kdc_log(0, "Client not found in database: %s: %s", client_name, krb5_get_err_text(context, ret)); - make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, NULL); + make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN, + "principal unknown"); goto out1; } ret = db_fetch4(sname, sinst, v4_realm, &server); if(ret){ kdc_log(0, "Server not found in database: %s: %s", server_name, krb5_get_err_text(context, ret)); - make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, NULL); + make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN, + "principal unknown"); goto out1; } 
@@ -193,7 +194,8 @@ do_version4(unsigned char *buf, TRUE); if (ret) { /* good error code? */ - make_err_reply(reply, KERB_ERR_NAME_EXP, NULL); + make_err_reply(context, reply, KERB_ERR_NAME_EXP, + "operation not allowed"); goto out1; } @@ -209,14 +211,15 @@ do_version4(unsigned char *buf, "Pre-authentication required for v4-request: " "%s for %s", client_name, server_name); - make_err_reply(reply, KERB_ERR_NULL_KEY, NULL); + make_err_reply(context, reply, KERB_ERR_NULL_KEY, + "preauth required"); goto out1; } ret = get_des_key(client, FALSE, FALSE, &ckey); if(ret){ kdc_log(0, "no suitable DES key for client"); - make_err_reply(reply, KDC_NULL_KEY, + make_err_reply(context, reply, KDC_NULL_KEY, "no suitable DES key for client"); goto out1; } @@ -229,7 +232,7 @@ do_version4(unsigned char *buf, if(ret){ kdc_log(0, "No version-4 salted key in database -- %s.%s@%s", name, inst, realm); - make_err_reply(reply, KDC_NULL_KEY, + make_err_reply(context, reply, KDC_NULL_KEY, "No version-4 salted key in database"); goto out1; } @@ -239,12 +242,12 @@ do_version4(unsigned char *buf, if(ret){ kdc_log(0, "no suitable DES key for server"); /* XXX */ - make_err_reply(reply, KDC_NULL_KEY, + make_err_reply(context, reply, KDC_NULL_KEY, "no suitable DES key for server"); goto out1; } - max_life = krb_life_to_time(0, life); + max_life = _krb5_krb_life_to_time(0, life); if(client->max_life) max_life = min(max_life, *client->max_life); if(server->max_life) 
@@ -252,41 +255,85 @@ do_version4(unsigned char *buf, life = krb_time_to_life(kdc_time, kdc_time + max_life); - { - KTEXT_ST cipher, ticket; - KTEXT r; - des_cblock session; - - des_new_random_key((unsigned char *)&session); - - krb_create_ticket(&ticket, 0, name, inst, v4_realm, - addr->sin_addr.s_addr, session, life, kdc_time, - sname, sinst, skey->key.keyvalue.data); + ret = krb5_generate_random_keyblock(context, + ETYPE_DES_PCBC_NONE, + &session); + if (ret) { + make_err_reply(context, reply, KFAILURE, + "Not enough random i KDC"); + goto out1; + } - create_ciph(&cipher, session, sname, sinst, v4_realm, - life, server->kvno % 256, &ticket, kdc_time, - ckey->key.keyvalue.data); - memset(&session, 0, sizeof(session)); - r = create_auth_reply(name, inst, realm, req_time, 0, - client->pw_end ? *client->pw_end : 0, - client->kvno % 256, &cipher); - krb5_data_copy(reply, r->dat, r->length); - memset(&cipher, 0, sizeof(cipher)); - memset(&ticket, 0, sizeof(ticket)); + ret = _krb5_krb_create_ticket(context, + 0, + name, + inst, + v4_realm, + addr->sin_addr.s_addr, + &session, + life, + kdc_time, + sname, + sinst, + &skey->key, + &ticket); + if (ret) { + krb5_free_keyblock_contents(context, &session); + make_err_reply(context, reply, KFAILURE, + "failed to create v4 ticket"); + goto out1; + } + + ret = _krb5_krb_create_ciph(context, + &session, + sname, + sinst, + v4_realm, + life, + server->kvno % 255, + &ticket, + kdc_time, + &ckey->key, + &cipher); + krb5_free_keyblock_contents(context, &session); + krb5_data_free(&ticket); + if (ret) { + make_err_reply(context, reply, KFAILURE, + "Failed to create v4 cipher"); + goto out1; } + + ret = _krb5_krb_create_auth_reply(context, + name, + inst, + realm, + req_time, + 0, + client->pw_end ? 
*client->pw_end : 0, + client->kvno % 256, + &cipher, + reply); + krb5_data_free(&cipher); + out1: break; + } case AUTH_MSG_APPL_REQUEST: { + struct _krb5_krb_auth_data ad; int8_t kvno; int8_t ticket_len; int8_t req_len; - KTEXT_ST auth; - AUTH_DAT ad; + krb5_data auth; + int32_t address; size_t pos; krb5_principal tgt_princ = NULL; hdb_entry *tgt = NULL; Key *tkey; + time_t max_end, actual_end, issue_time; + memset(&ad, 0, sizeof(ad)); + krb5_data_zero(&auth); + RCHECK(krb5_ret_int8(sp, &kvno), out2); RCHECK(krb5_ret_stringz(sp, &realm), out2); @@ -295,7 +342,7 @@ do_version4(unsigned char *buf, if(ret){ kdc_log(0, "Converting krbtgt principal (krb4): %s", krb5_get_err_text(context, ret)); - make_err_reply(reply, KFAILURE, + make_err_reply(context, reply, KFAILURE, "Failed to convert v4 principal (krbtgt)"); goto out2; } @@ -307,7 +354,7 @@ do_version4(unsigned char *buf, "found in database (krb4): krbtgt.%s@%s: %s", realm, v4_realm, krb5_get_err_text(context, ret)); - make_err_reply(reply, KFAILURE, s); + make_err_reply(context, reply, KFAILURE, s); free(s); goto out2; } @@ -315,7 +362,7 @@ do_version4(unsigned char *buf, if(tgt->kvno % 256 != kvno){ kdc_log(0, "tgs-req (krb4) with old kvno %d (current %d) for " "krbtgt.%s@%s", kvno, tgt->kvno % 256, realm, v4_realm); - make_err_reply(reply, KDC_AUTH_EXP, + make_err_reply(context, reply, KDC_AUTH_EXP, "old krbtgt kvno used"); goto out2; } @@ -324,7 +371,7 @@ do_version4(unsigned char *buf, if(ret){ kdc_log(0, "no suitable DES key for krbtgt (krb4)"); /* XXX */ - make_err_reply(reply, KDC_NULL_KEY, + make_err_reply(context, reply, KDC_NULL_KEY, "no suitable DES key for krbtgt"); goto out2; } 
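Review bot: `_krb5_krb_create_ciph` is called with `server->kvno % 255` where the removed `create_ciph` call used `server->kvno % 256`, while the kvno in the auth reply (`client->kvno % 256`) and the TGS-side check later in this function (`tgt->kvno % 256 != kvno`) still reduce modulo 256, so a server key whose kvno is a multiple of 255 is advertised to the client under a different number than the KDC expects back; it should read `server->kvno % 256,`. Separately, a failing `_krb5_krb_create_auth_reply` sets `ret` but produces no error reply, unlike the ticket and cipher failures just above, so the client gets an empty `reply` (how the caller treats that is not visible here); add `if (ret) make_err_reply(context, reply, KFAILURE, "failed to create v4 auth reply");` before `krb5_data_free(&cipher);`. The string `"Not enough random i KDC"` looks like a typo for "in KDC". The AUTH_MSG_APPL_REQUEST case this hunk opens continues outside the hunk.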
@@ -334,18 +381,19 @@ do_version4(unsigned char *buf, pos = krb5_storage_seek(sp, ticket_len + req_len, SEEK_CUR); - memset(&auth, 0, sizeof(auth)); - memcpy(&auth.dat, buf, pos); + auth.data = buf; auth.length = pos; - krb_set_key(tkey->key.keyvalue.data, 0); - krb_ignore_ip_address = !check_ticket_addresses; + if (check_ticket_addresses) + address = addr->sin_addr.s_addr; + else + address = 0; - ret = krb_rd_req(&auth, "krbtgt", realm, - addr->sin_addr.s_addr, &ad, 0); + ret = _krb5_krb_rd_req(context, &auth, "krbtgt", realm, v4_realm, + address, &tkey->key, &ad); if(ret){ - kdc_log(0, "krb_rd_req: %s", krb_get_err_text(ret)); - make_err_reply(reply, ret, NULL); + kdc_log(0, "krb_rd_req: %d", ret); + make_err_reply(context, reply, ret, "failed to parse request"); goto out2; } 
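Review bot: `pos = krb5_storage_seek(sp, ticket_len + req_len, SEEK_CUR);` is stored into `auth.length` with no check that the seek succeeded or that `pos` stays inside the request buffer; `ticket_len` and `req_len` are wire-supplied `int8_t` values, so a byte with the high bit set seeks backwards and a failed seek returning -1 becomes a huge `size_t` length handed to `_krb5_krb_rd_req` over `buf` (the request-length parameter of `do_version4` is not visible in this hunk). Capture the result in a signed variable and reject it before building `auth`, e.g. `off_t off = krb5_storage_seek(sp, ticket_len + req_len, SEEK_CUR); if (off < 0 || (size_t)off > len) { make_err_reply(context, reply, KFAILURE, "bad request length"); goto out2; }`. The new `kdc_log(0, "krb_rd_req: %d", ret);` also drops the error text the old `krb_get_err_text(ret)` call produced, and `make_err_reply(context, reply, ret, ...)` forwards whatever `_krb5_krb_rd_req` returns as the v4 error code; if that function returns krb5 error codes rather than v4 ones (not visible here) the client receives a meaningless number, so log with `krb5_get_err_text(context, ret)` and map to a v4 code explicitly.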
@@ -358,68 +406,69 @@ do_version4(unsigned char *buf, snprintf (server_name, sizeof(server_name), "%s.%s@%s", sname, sinst, v4_realm); + snprintf (client_name, sizeof(client_name), + "%s.%s@%s", + ad.pname, ad.pinst, ad.prealm); - kdc_log(0, "TGS-REQ (krb4) %s.%s@%s from %s for %s", - ad.pname, ad.pinst, ad.prealm, from, server_name); + kdc_log(0, "TGS-REQ (krb4) %s from %s for %s", + client_name, from, server_name); if(strcmp(ad.prealm, realm)){ kdc_log(0, "Can't hop realms (krb4) %s -> %s", realm, ad.prealm); - make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, - "Can't hop realms"); - goto out2; - } - - if (!enable_v4_cross_realm && strcmp(realm, v4_realm) != 0) { - kdc_log(0, "krb4 Cross-realm %s -> %s disabled", realm, v4_realm); - make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, + make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN, "Can't hop realms"); goto out2; } if (!enable_v4_cross_realm && strcmp(realm, v4_realm) != 0) { kdc_log(0, "krb4 Cross-realm %s -> %s disabled", realm, v4_realm); - make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, + make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN, "Can't hop realms"); goto out2; } if(strcmp(sname, "changepw") == 0){ kdc_log(0, "Bad request for changepw ticket (krb4)"); - make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, + make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN, "Can't authorize password change based on TGT"); goto out2; } -#if 0 ret = db_fetch4(ad.pname, ad.pinst, ad.prealm, &client); - if(ret){ + if(ret && ret != HDB_ERR_NOENTRY) { char *s; - s = kdc_log_msg(0, "Client not found in database: (krb4) " - "%s.%s@%s: %s", - ad.pname, ad.pinst, ad.prealm, - krb5_get_err_text(context, ret)); - make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, s); + s = kdc_log_msg(0, "Client not found in database: (krb4) %s: %s", + client_name, krb5_get_err_text(context, ret)); + make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN, s); free(s); goto out2; } -#endif - + if (client == NULL && 
strcmp(ad.prealm, v4_realm) == 0) { + char *s; + s = kdc_log_msg(0, "Local client not found in database: (krb4) " + "%s", client_name); + make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN, s); + free(s); + goto out2; + } + ret = db_fetch4(sname, sinst, v4_realm, &server); if(ret){ char *s; s = kdc_log_msg(0, "Server not found in database (krb4): %s: %s", server_name, krb5_get_err_text(context, ret)); - make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, s); + make_err_reply(context, reply, KERB_ERR_PRINCIPAL_UNKNOWN, s); free(s); goto out2; } - ret = check_flags (NULL, NULL, + ret = check_flags (client, client_name, server, server_name, FALSE); if (ret) { /* good error code? */ - make_err_reply(reply, KERB_ERR_NAME_EXP, NULL); + make_err_reply(context, reply, KERB_ERR_NAME_EXP, + "operation not allowed"); goto out2; } @@ -427,21 +476,25 @@ do_version4(unsigned char *buf, if(ret){ kdc_log(0, "no suitable DES key for server (krb4)"); /* XXX */ - make_err_reply(reply, KDC_NULL_KEY, + make_err_reply(context, reply, KDC_NULL_KEY, "no suitable DES key for server"); goto out2; } - max_end = krb_life_to_time(ad.time_sec, ad.life); - max_end = min(max_end, krb_life_to_time(kdc_time, life)); + max_end = _krb5_krb_life_to_time(ad.time_sec, ad.life); + max_end = min(max_end, _krb5_krb_life_to_time(kdc_time, life)); + if(server->max_life) + max_end = min(max_end, kdc_time + *server->max_life); + if(client && client->max_life) + max_end = min(max_end, kdc_time + *client->max_life); life = min(life, krb_time_to_life(kdc_time, max_end)); issue_time = kdc_time; - actual_end = krb_life_to_time(issue_time, life); + actual_end = _krb5_krb_life_to_time(issue_time, life); while (actual_end > max_end && life > 1) { /* move them into the next earlier lifetime bracket */ life--; - actual_end = krb_life_to_time(issue_time, life); + actual_end = _krb5_krb_life_to_time(issue_time, life); } if (actual_end > max_end) { /* if life <= 1 and it's still too long, backdate the ticket */ 
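Review bot: The re-enabled client lookup now treats `ret != HDB_ERR_NOENTRY` as the failure case, which is precisely when the principal was *not* "not found", yet it still logs "Client not found in database" and answers `KERB_ERR_PRINCIPAL_UNKNOWN`; a backend error is thereby reported to the client as a nonexistent principal. Log it as a database failure and answer with a generic code: `s = kdc_log_msg(0, "Database lookup of client failed (krb4): %s: %s", client_name, krb5_get_err_text(context, ret));` followed by `make_err_reply(context, reply, KFAILURE, s);`. The subsequent `client == NULL` test presumes `client` was NULL before `db_fetch4` and is left untouched on `HDB_ERR_NOENTRY`; the initialisation is outside this hunk, so worth confirming, and `check_flags(client, ...)` is then reached with a NULL client for foreign-realm principals, which the old `check_flags(NULL, NULL, ...)` call suggests is tolerated.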
@@ -449,45 +502,88 @@ do_version4(unsigned char *buf, } { - KTEXT_ST cipher, ticket; - KTEXT r; - des_cblock session; - des_new_random_key((unsigned char *)&session); - krb_create_ticket(&ticket, 0, ad.pname, ad.pinst, ad.prealm, - addr->sin_addr.s_addr, &session, life, - issue_time, - sname, sinst, skey->key.keyvalue.data); - - create_ciph(&cipher, session, sname, sinst, v4_realm, - life, server->kvno % 256, &ticket, - issue_time, &ad.session); + krb5_data ticket, cipher; + krb5_keyblock session; + + krb5_data_zero(&ticket); + krb5_data_zero(&cipher); + + ret = krb5_generate_random_keyblock(context, + ETYPE_DES_PCBC_NONE, + &session); + if (ret) { + make_err_reply(context, reply, KFAILURE, + "Not enough random i KDC"); + goto out2; + } + + ret = _krb5_krb_create_ticket(context, + 0, + ad.pname, + ad.pinst, + ad.prealm, + addr->sin_addr.s_addr, + &session, + life, + issue_time, + sname, + sinst, + &skey->key, + &ticket); + if (ret) { + krb5_free_keyblock_contents(context, &session); + make_err_reply(context, reply, KFAILURE, + "failed to create v4 ticket"); + goto out2; + } + + ret = _krb5_krb_create_ciph(context, + &session, + sname, + sinst, + v4_realm, + life, + server->kvno % 255, + &ticket, + issue_time, + &ad.session, + &cipher); + krb5_free_keyblock_contents(context, &session); + if (ret) { + make_err_reply(context, reply, KFAILURE, + "failed to create v4 cipher"); + goto out2; + } - memset(&session, 0, sizeof(session)); - memset(ad.session, 0, sizeof(ad.session)); - - r = create_auth_reply(ad.pname, ad.pinst, ad.prealm, - req_time, 0, 0, 0, &cipher); - krb5_data_copy(reply, r->dat, r->length); - memset(&cipher, 0, sizeof(cipher)); - memset(&ticket, 0, sizeof(ticket)); + ret = _krb5_krb_create_auth_reply(context, + ad.pname, + ad.pinst, + ad.prealm, + req_time, + 0, + 0, + 0, + &cipher, + reply); + krb5_data_free(&cipher); } out2: + _krb5_krb_free_auth_data(context, &ad); if(tgt_princ) krb5_free_principal(context, tgt_princ); if(tgt) free_ent(tgt); break; } 
- case AUTH_MSG_ERR_REPLY: break; default: kdc_log(0, "Unknown message type (krb4): %d from %s", msg_type, from); - make_err_reply(reply, KFAILURE, "Unknown message type"); + make_err_reply(context, reply, KFAILURE, "Unknown message type"); } -out: + out: if(name) free(name); if(inst) @@ -506,12 +602,6 @@ out: return 0; } -#else /* KRB4 */ - -#include <krb5-v4compat.h> - -#endif /* KRB4 */ - krb5_error_code encode_v4_ticket(void *buf, size_t len, const EncTicketPart *et, const PrincipalName *service, size_t *size) @@ -523,9 +613,9 @@ encode_v4_ticket(void *buf, size_t len, const EncTicketPart *et, { krb5_principal princ; - principalname2krb5_principal(&princ, - *service, - et->crealm); + _krb5_principalname2krb5_principal(&princ, + *service, + et->crealm); ret = krb5_524_conv_principal(context, princ, sname, @@ -535,9 +625,9 @@ encode_v4_ticket(void *buf, size_t len, const EncTicketPart *et, if(ret) return ret; - principalname2krb5_principal(&princ, - et->cname, - et->crealm); + _krb5_principalname2krb5_principal(&princ, + et->cname, + et->crealm); ret = krb5_524_conv_principal(context, princ, diff --git a/kerberosV/src/kdc/kerberos5.c b/kerberosV/src/kdc/kerberos5.c index de5478ec542..3f0b61439bd 100644 --- a/kerberosV/src/kdc/kerberos5.c +++ b/kerberosV/src/kdc/kerberos5.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include "kdc_locl.h" -RCSID("$KTH: kerberos5.c,v 1.145.2.4 2004/08/13 19:28:26 lha Exp $"); +RCSID("$KTH: kerberos5.c,v 1.173.2.2 2005/06/15 11:33:33 lha Exp $"); #define MAX_TIME ((time_t)((1U << 31) - 1)) 
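Review bot: The TGS reply block never frees `ticket`: after `_krb5_krb_create_ciph` the AS-request counterpart earlier in this function calls `krb5_data_free(&ticket);` next to `krb5_free_keyblock_contents(context, &session);`, but here only the session key is released, on both the success and the failure path, so every krb4 TGS-REQ leaks the encrypted ticket buffer in a long-running daemon. Add `krb5_data_free(&ticket);` immediately after `krb5_free_keyblock_contents(context, &session);`. The `server->kvno % 255` argument has the same mismatch with the `% 256` reduction used for the kvno check (`tgt->kvno % 256 != kvno`) as in the AS path and should be `% 256`. This hunk starts outside the visible region.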
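Review bot: In `encode_v4_ticket` the renamed `_krb5_principalname2krb5_principal(&princ, *service, et->crealm);` call still has its return value discarded, and `princ` is then passed to `krb5_524_conv_principal`, whose result *is* checked; if the conversion fails (allocation) `princ` is unset and the next call dereferences it. Write `ret = _krb5_principalname2krb5_principal(&princ, *service, et->crealm); if (ret) return ret;` here and in the `et->cname` conversion in the following hunk.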
@@ -47,16 +47,26 @@ fix_time(time_t **t) if(**t == 0) **t = MAX_TIME; /* fix for old clients */ } +static int +realloc_method_data(METHOD_DATA *md) +{ + PA_DATA *pa; + pa = realloc(md->val, (md->len + 1) * sizeof(*md->val)); + if(pa == NULL) + return ENOMEM; + md->val = pa; + md->len++; + return 0; +} + static void -set_salt_padata (METHOD_DATA **m, Salt *salt) +set_salt_padata (METHOD_DATA *md, Salt *salt) { if (salt) { - ALLOC(*m); - (*m)->len = 1; - ALLOC((*m)->val); - (*m)->val->padata_type = salt->type; + realloc_method_data(md); + md->val[md->len - 1].padata_type = salt->type; copy_octet_string(&salt->salt, - &(*m)->val->padata_value); + &md->val[md->len - 1].padata_value); } } @@ -87,6 +97,9 @@ find_etype(hdb_entry *princ, krb5_enctype *etypes, unsigned len, for(i = 0; ret != 0 && i < len ; i++) { Key *key = NULL; + if (krb5_enctype_valid(context, etypes[i]) != 0) + continue; + while (hdb_next_enctype2key(context, princ, etypes[i], &key) == 0) { if (key->key.keyvalue.length == 0) { ret = KRB5KDC_ERR_NULL_KEY; @@ -112,13 +125,19 @@ find_keys(hdb_entry *client, krb5_enctype *etypes, unsigned num_etypes) { + char unparse_name[] = "krb5_unparse_name failed"; krb5_error_code ret; + char *name; if(client){ /* find client key */ ret = find_etype(client, etypes, num_etypes, ckey, cetype); if (ret) { - kdc_log(0, "Client has no support for etypes"); + if (krb5_unparse_name(context, client->principal, &name) != 0) + name = unparse_name; + kdc_log(0, "Client (%s) has no support for etypes", name); + if (name != unparse_name) + free(name); return ret; } } @@ -127,7 +146,11 @@ find_keys(hdb_entry *client, /* find server key */ ret = find_etype(server, etypes, num_etypes, skey, setype); if (ret) { - kdc_log(0, "Server has no support for etypes"); + if (krb5_unparse_name(context, server->principal, &name) != 0) + name = unparse_name; + kdc_log(0, "Server (%s) has no support for etypes", name); + if (name != unparse_name) + free(name); return ret; } } 
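Review bot: `set_salt_padata` ignores the return of `realloc_method_data(md)` and then writes `md->val[md->len - 1]`; on ENOMEM `md->len` is not incremented, so with the `len = 0, val = NULL` METHOD_DATA that `as_rep` now passes in, the write lands in `val[-1]` through a NULL pointer. Guard it: `if (salt == NULL || realloc_method_data(md) != 0) return;` (or better, make the function return `krb5_error_code` so the caller can fail the request). `copy_octet_string` can also fail on allocation and is unchecked here; if it returns an error code, the same treatment applies.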
@@ -261,18 +284,6 @@ encode_reply(KDC_REP *rep, EncTicketPart *et, EncKDCRepPart *ek, return 0; } -static int -realloc_method_data(METHOD_DATA *md) -{ - PA_DATA *pa; - pa = realloc(md->val, (md->len + 1) * sizeof(*md->val)); - if(pa == NULL) - return ENOMEM; - md->val = pa; - md->len++; - return 0; -} - static krb5_error_code make_etype_info_entry(ETYPE_INFO_ENTRY *ent, Key *key) { @@ -329,18 +340,22 @@ get_pa_etype_info(METHOD_DATA *md, hdb_entry *client, pa.val = malloc(pa.len * sizeof(*pa.val)); if(pa.val == NULL) return ENOMEM; + memset(pa.val, 0, pa.len * sizeof(*pa.val)); for(j = 0; j < etypes_len; j++) { for (i = 0; i < n; i++) if (pa.val[i].etype == etypes[j]) goto skip1; for(i = 0; i < client->keys.len; i++) { - if(client->keys.val[i].key.keytype == etypes[j]) + if(client->keys.val[i].key.keytype == etypes[j]) { + if (krb5_enctype_valid(context, etypes[j]) != 0) + continue; if((ret = make_etype_info_entry(&pa.val[n++], &client->keys.val[i])) != 0) { free_ETYPE_INFO(&pa); return ret; } + } } skip1:; } @@ -349,21 +364,26 @@ get_pa_etype_info(METHOD_DATA *md, hdb_entry *client, if(client->keys.val[i].key.keytype == etypes[j]) goto skip2; } + if (krb5_enctype_valid(context, client->keys.val[i].key.keytype) != 0) + continue; if((ret = make_etype_info_entry(&pa.val[n++], &client->keys.val[i])) != 0) { free_ETYPE_INFO(&pa); return ret; } - skip2:; + skip2:; } if(n != pa.len) { char *name; - krb5_unparse_name(context, client->principal, &name); + ret = krb5_unparse_name(context, client->principal, &name); + if (ret) + name = "<unparse_name failed>"; kdc_log(0, "internal error in get_pa_etype_info(%s): %d != %d", name, n, pa.len); - free(name); - pa.len = n; + if (ret == 0) + free(name); + pa.len = n; } ASN1_MALLOC_ENCODE(ETYPE_INFO, buf, len, &pa, &len, ret); 
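Review bot: The new `krb5_enctype_valid` skips in `get_pa_etype_info` use `continue` without consuming a slot, so for any client holding a key in a disabled enctype `n != pa.len` is now the expected outcome, and the unchanged `kdc_log(0, "internal error in get_pa_etype_info(%s): %d != %d", ...)` fires at level 0 on every AS-REQ from such a client. Either count the skipped keys and only log when the remainder still mismatches, or downgrade the message to e.g. `kdc_log(5, "get_pa_etype_info(%s): %d of %d keys usable", name, n, pa.len);`. The function's prologue (including the `UINT_MAX` overflow check) is outside this hunk.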
@@ -382,6 +402,164 @@ get_pa_etype_info(METHOD_DATA *md, hdb_entry *client, } /* + * + */ + +extern int _krb5_AES_string_to_default_iterator; + +static krb5_error_code +make_etype_info2_entry(ETYPE_INFO2_ENTRY *ent, Key *key) +{ + ent->etype = key->key.keytype; + if(key->salt) { + ALLOC(ent->salt); + if (ent->salt == NULL) + return ENOMEM; + *ent->salt = malloc(key->salt->salt.length + 1); + if (*ent->salt == NULL) { + free(ent->salt); + ent->salt = NULL; + return ENOMEM; + } + memcpy(*ent->salt, key->salt->salt.data, key->salt->salt.length); + (*ent->salt)[key->salt->salt.length] = '\0'; + } else + ent->salt = NULL; + + ent->s2kparams = NULL; + + switch (key->key.keytype) { + case KEYTYPE_AES128: + case KEYTYPE_AES256: + ALLOC(ent->s2kparams); + if (ent->s2kparams == NULL) + return ENOMEM; + ent->s2kparams->length = 4; + ent->s2kparams->data = malloc(ent->s2kparams->length); + if (ent->s2kparams->data == NULL) { + free(ent->s2kparams); + ent->s2kparams = NULL; + return ENOMEM; + } + _krb5_put_int(ent->s2kparams->data, + _krb5_AES_string_to_default_iterator, + ent->s2kparams->length); + break; + default: + break; + } + return 0; +} + +/* + * Return 1 if the client have only older enctypes, this is for + * determining if the server should send ETYPE_INFO2 or not. 
+ */ + +static int +only_older_enctype_p(const KDC_REQ *req) +{ + int i; + + for(i = 0; i < req->req_body.etype.len; i++) { + switch (req->req_body.etype.val[i]) { + case ETYPE_DES_CBC_CRC: + case ETYPE_DES_CBC_MD4: + case ETYPE_DES_CBC_MD5: + case ETYPE_DES3_CBC_SHA1: + case ETYPE_ARCFOUR_HMAC_MD5: + case ETYPE_ARCFOUR_HMAC_MD5_56: + break; + default: + return 0; + } + } + return 1; +} + +/* + * + */ + +static krb5_error_code +get_pa_etype_info2(METHOD_DATA *md, hdb_entry *client, + ENCTYPE *etypes, unsigned int etypes_len) +{ + krb5_error_code ret = 0; + int i, j; + unsigned int n = 0; + ETYPE_INFO2 pa; + unsigned char *buf; + size_t len; + + pa.len = client->keys.len; + if(pa.len > UINT_MAX/sizeof(*pa.val)) + return ERANGE; + pa.val = malloc(pa.len * sizeof(*pa.val)); + if(pa.val == NULL) + return ENOMEM; + memset(pa.val, 0, pa.len * sizeof(*pa.val)); + + for(j = 0; j < etypes_len; j++) { + for (i = 0; i < n; i++) + if (pa.val[i].etype == etypes[j]) + goto skip1; + for(i = 0; i < client->keys.len; i++) { + if(client->keys.val[i].key.keytype == etypes[j]) { + if (krb5_enctype_valid(context, etypes[j]) != 0) + continue; + if((ret = make_etype_info2_entry(&pa.val[n++], + &client->keys.val[i])) != 0) { + free_ETYPE_INFO2(&pa); + return ret; + } + } + } + skip1:; + } + for(i = 0; i < client->keys.len; i++) { + for(j = 0; j < etypes_len; j++) { + if(client->keys.val[i].key.keytype == etypes[j]) + goto skip2; + } + if (krb5_enctype_valid(context, client->keys.val[i].key.keytype) != 0) + continue; + if((ret = make_etype_info2_entry(&pa.val[n++], + &client->keys.val[i])) != 0) { + free_ETYPE_INFO2(&pa); + return ret; + } + skip2:; + } + + if(n != pa.len) { + char *name; + ret = krb5_unparse_name(context, client->principal, &name); + if (ret) + name = "<unparse_name failed>"; + kdc_log(0, "internal error in get_pa_etype_info2(%s): %d != %d", + name, n, pa.len); + if (ret == 0) + free(name); + pa.len = n; + } + + ASN1_MALLOC_ENCODE(ETYPE_INFO2, buf, len, &pa, &len, ret); + 
free_ETYPE_INFO2(&pa); + if(ret) + return ret; + ret = realloc_method_data(md); + if(ret) { + free(buf); + return ret; + } + md->val[md->len - 1].padata_type = KRB5_PADATA_ETYPE_INFO2; + md->val[md->len - 1].padata_value.length = len; + md->val[md->len - 1].padata_value.data = buf; + return 0; +} + +/* * verify the flags on `client' and `server', returning 0 * if they are OK and generating an error messages and returning * and error code otherwise. @@ -506,6 +684,10 @@ as_rep(KDC_REQ *req, const char *e_text = NULL; krb5_crypto crypto; Key *ckey, *skey; + EncryptionKey *reply_key; +#ifdef PKINIT + pk_client_params *pkp = NULL; +#endif memset(&rep, 0, sizeof(rep)); @@ -513,8 +695,9 @@ as_rep(KDC_REQ *req, ret = KRB5KRB_ERR_GENERIC; e_text = "No server in request"; } else{ - principalname2krb5_principal (&server_princ, *(b->sname), b->realm); - krb5_unparse_name(context, server_princ, &server_name); + _krb5_principalname2krb5_principal (&server_princ, + *(b->sname), b->realm); + ret = krb5_unparse_name(context, server_princ, &server_name); } if (ret) { kdc_log(0, "AS-REQ malformed server name from %s", from); @@ -525,15 +708,17 @@ as_rep(KDC_REQ *req, ret = KRB5KRB_ERR_GENERIC; e_text = "No client in request"; } else { - principalname2krb5_principal (&client_princ, *(b->cname), b->realm); - krb5_unparse_name(context, client_princ, &client_name); + _krb5_principalname2krb5_principal (&client_princ, + *(b->cname), b->realm); + ret = krb5_unparse_name(context, client_princ, &client_name); } if (ret) { kdc_log(0, "AS-REQ malformed client name from %s", from); goto out; } - kdc_log(0, "AS-REQ %s from %s for %s", client_name, from, server_name); + kdc_log(0, "AS-REQ %s from %s for %s", + client_name, from, server_name); ret = db_fetch(client_princ, &client); if(ret){ 
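Review bot: `make_etype_info2_entry` advertises `_krb5_AES_string_to_default_iterator` as the s2kparams for every AES key, pulled in through a bare `extern int` declaration in this .c file; the value is the library's current default, not a property of the stored key, so if a key was derived with a different iteration count (the `Key` struct shown here carries only a salt) the client's password-to-key will not match — if that is an accepted invariant, say so in a comment above the `switch`, e.g. `/* AES keys in the database are assumed to use the library default iteration count. */`, and declare the symbol in a libkrb5 header rather than here. The salt is also copied into a NUL-terminated string (`malloc(length + 1)` + `memcpy`), so a salt with an embedded NUL would be truncated when encoded; worth a comment if salts are known to be plain text. `get_pa_etype_info2` inherits the "internal error" log for the expected `krb5_enctype_valid` skip case, and `only_older_enctype_p` returns 1 for an empty etype list, which matches the comment only if "no enctypes" is meant to count as "only older".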
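Review bot: `_krb5_principalname2krb5_principal (&server_princ, *(b->sname), b->realm);` still discards its return value before `ret = krb5_unparse_name(context, server_princ, &server_name);`, so an allocation failure in the conversion leaves `server_princ` unset and the unparse call dereferences it; the client-name conversion in the next hunk has the same shape. Chain them: `ret = _krb5_principalname2krb5_principal(&server_princ, *(b->sname), b->realm); if (ret == 0) ret = krb5_unparse_name(context, server_princ, &server_name);`, which also makes the existing "malformed server name" branch cover the conversion.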
@@ -562,11 +747,67 @@ as_rep(KDC_REQ *req, int i = 0; PA_DATA *pa; int found_pa = 0; - kdc_log(5, "Looking for pa-data -- %s", client_name); + +#ifdef PKINIT + kdc_log(5, "Looking for PKINIT pa-data -- %s", client_name); + + e_text = "No PKINIT PA found"; + + i = 0; + if ((pa = find_padata(req, &i, KRB5_PADATA_PK_AS_REQ))) + ; + if (pa == NULL) { + i = 0; + if((pa = find_padata(req, &i, KRB5_PADATA_PK_AS_REQ_19))) + ; + } + if (pa == NULL) { + i = 0; + if((pa = find_padata(req, &i, KRB5_PADATA_PK_AS_REQ_WIN))) + ; + } + if (pa) { + char *client_cert = NULL; + + ret = pk_rd_padata(context, req, pa, &pkp); + if (ret) { + ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; + kdc_log(5, "Failed to decode PKINIT PA-DATA -- %s", + client_name); + goto ts_enc; + } + if (ret == 0 && pkp == NULL) + goto ts_enc; + + ret = pk_check_client(context, + client_princ, + client, + pkp, + &client_cert); + if (ret) { + e_text = "PKINIT certificate not allowed to " + "impersonate principal"; + pk_free_client_param(context, pkp); + pkp = NULL; + goto ts_enc; + } + found_pa = 1; + et.flags.pre_authent = 1; + kdc_log(2, "PKINIT pre-authentication succeeded -- %s using %s", + client_name, client_cert); + free(client_cert); + if (pkp) + goto preauth_done; + } + ts_enc: +#endif + kdc_log(5, "Looking for ENC-TS pa-data -- %s", client_name); + + i = 0; + e_text = "No ENC-TS found"; while((pa = find_padata(req, &i, KRB5_PADATA_ENC_TIMESTAMP))){ krb5_data ts_data; PA_ENC_TS_ENC p; - time_t patime; size_t len; EncryptedData enc_data; Key *pa_key; @@ -642,7 +883,6 @@ as_rep(KDC_REQ *req, client_name); continue; } - patime = p.patimestamp; free_PA_ENC_TS_ENC(&p); if (abs(kdc_time - p.patimestamp) > context->max_skew) { ret = KRB5KDC_ERR_PREAUTH_FAILED; 
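Review bot: When `pk_rd_padata` or `pk_check_client` fails the code jumps to `ts_enc:` with `ret` still set to `KRB5KRB_AP_ERR_BAD_INTEGRITY` (or the check_client error) and `e_text` immediately overwritten with `"No ENC-TS found"`, so a request carrying a bad PKINIT signature and no timestamp is reported to the client and in the level-0 log as a missing timestamp rather than a failed PKINIT, and a client that sent both is silently downgraded to password pre-auth. If the fallback is intentional, reset `ret = 0;` at `ts_enc:` and keep the PKINIT `e_text` when no ENC-TS follows; otherwise fail fast with `if (ret) { kdc_log(...); goto out; }` as the ENC-TS path does. The empty-bodied `if ((pa = find_padata(req, &i, KRB5_PADATA_PK_AS_REQ))) ;` statements read as accidental; plain `pa = find_padata(...);` says the same thing. The `if (ret == 0 && pkp == NULL)` test is reached only with `ret == 0`, so the first conjunct is dead.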
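Review bot: `p.patimestamp` is read in `if (abs(kdc_time - p.patimestamp) > context->max_skew)` after `free_PA_ENC_TS_ENC(&p);`, and this commit removes `patime`, the one local that held a copy; this only works as long as the generated free routine leaves scalar members alone, which is not something a caller should rely on. Move the skew check above the free, or keep the copy: `time_t patime = p.patimestamp; free_PA_ENC_TS_ENC(&p); if (abs(kdc_time - patime) > context->max_skew) {`. The enclosing ENC-TS loop begins outside this hunk.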
@@ -651,9 +891,13 @@ as_rep(KDC_REQ *req, goto out; } et.flags.pre_authent = 1; - kdc_log(2, "Pre-authentication succeded -- %s", client_name); + kdc_log(2, "ENC-TS Pre-authentication succeeded -- %s", + client_name); break; } +#ifdef PKINIT + preauth_done: +#endif if(found_pa == 0 && require_preauth) goto use_pa; /* We come here if we found a pa-enc-timestamp, but if there @@ -682,8 +926,28 @@ as_rep(KDC_REQ *req, pa->padata_value.length = 0; pa->padata_value.data = NULL; - ret = get_pa_etype_info(&method_data, client, - b->etype.val, b->etype.len); /* XXX check ret */ +#ifdef PKINIT + ret = realloc_method_data(&method_data); + pa = &method_data.val[method_data.len-1]; + pa->padata_type = KRB5_PADATA_PK_AS_REQ; + pa->padata_value.length = 0; + pa->padata_value.data = NULL; + + ret = realloc_method_data(&method_data); + pa = &method_data.val[method_data.len-1]; + pa->padata_type = KRB5_PADATA_PK_AS_REQ_19; + pa->padata_value.length = 0; + pa->padata_value.data = NULL; +#endif + + /* XXX check ret */ + if (only_older_enctype_p(req)) + ret = get_pa_etype_info(&method_data, client, + b->etype.val, b->etype.len); + /* XXX check ret */ + ret = get_pa_etype_info2(&method_data, client, + b->etype.val, b->etype.len); + ASN1_MALLOC_ENCODE(METHOD_DATA, buf, len, &method_data, &len, ret); free_METHOD_DATA(&method_data); @@ -693,7 +957,7 @@ as_rep(KDC_REQ *req, ret = KRB5KDC_ERR_PREAUTH_REQUIRED; krb5_mk_error(context, ret, - "Need to use PA-ENC-TIMESTAMP", + "Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ", &foo_data, client_princ, server_princ, @@ -701,7 +965,8 @@ as_rep(KDC_REQ *req, NULL, reply); free(buf); - kdc_log(0, "No PA-ENC-TIMESTAMP -- %s", client_name); + kdc_log(0, "No preauth found, returning PREAUTH-REQUIRED -- %s", + client_name); ret = 0; goto out2; } 
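Review bot: Both `ret = realloc_method_data(&method_data);` calls in the `#ifdef PKINIT` block discard the result and index `method_data.val[method_data.len-1]` regardless, so on ENOMEM the stale `len` points one past the old array (or at `val[-1]` if it was empty), and the two `get_pa_etype_info*` calls that follow still carry `/* XXX check ret */` with `ret` overwritten between them. A small helper keeps the three hand-rolled entries honest and lets the failure propagate to the existing error path (what `out:` does with `ret` is outside this hunk).
```c
/* Append a zero-length PA-DATA of type `type` to `md`; returns ENOMEM on failure. */
static krb5_error_code
add_empty_padata(METHOD_DATA *md, int type)
{
    krb5_error_code ret = realloc_method_data(md);
    if (ret)
        return ret;
    md->val[md->len - 1].padata_type = type;
    md->val[md->len - 1].padata_value.length = 0;
    md->val[md->len - 1].padata_value.data = NULL;
    return 0;
}
/* … in as_rep, replacing the hand-rolled entries … */
#ifdef PKINIT
    if ((ret = add_empty_padata(&method_data, KRB5_PADATA_PK_AS_REQ)) != 0 ||
        (ret = add_empty_padata(&method_data, KRB5_PADATA_PK_AS_REQ_19)) != 0)
        goto out;
#endif
    if (only_older_enctype_p(req) &&
        (ret = get_pa_etype_info(&method_data, client,
                                 b->etype.val, b->etype.len)) != 0)
        goto out;
    if ((ret = get_pa_etype_info2(&method_data, client,
                                  b->etype.val, b->etype.len)) != 0)
        goto out;
/* … unchanged: ASN1_MALLOC_ENCODE of method_data … */
```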
@@ -732,7 +997,8 @@ as_rep(KDC_REQ *req, { char str[128]; - unparse_flags(KDCOptions2int(f), KDCOptions_units, str, sizeof(str)); + unparse_flags(KDCOptions2int(f), asn1_KDCOptions_units(), + str, sizeof(str)); if(*str) kdc_log(2, "Requested flags: %s", str); } @@ -912,9 +1178,29 @@ as_rep(KDC_REQ *req, copy_HostAddresses(et.caddr, ek.caddr); } - set_salt_padata (&rep.padata, ckey->salt); + ALLOC(rep.padata); + rep.padata->len = 0; + rep.padata->val = NULL; + + reply_key = &ckey->key; +#if PKINIT + if (pkp) { + ret = pk_mk_pa_reply(context, pkp, client, req, + &reply_key, rep.padata); + if (ret) + goto out; + } +#endif + + set_salt_padata (rep.padata, ckey->salt); + + if (rep.padata->len == 0) { + free(rep.padata); + rep.padata = NULL; + } + ret = encode_reply(&rep, &et, &ek, setype, server->kvno, &skey->key, - client->kvno, &ckey->key, &e_text, reply); + client->kvno, reply_key, &e_text, reply); free_EncTicketPart(&et); free_EncKDCRepPart(&ek); out: @@ -932,6 +1218,10 @@ as_rep(KDC_REQ *req, ret = 0; } out2: +#ifdef PKINIT + if (pkp) + pk_free_client_param(context, pkp); +#endif if (client_princ) krb5_free_principal(context, client_princ); free(client_name); @@ -1241,7 +1531,7 @@ tgs_make_reply(KDC_REQ_BODY *b, copy_Realm(krb5_princ_realm(context, server->principal), &rep.ticket.realm); - krb5_principal2principalname(&rep.ticket.sname, server->principal); + _krb5_principal2principalname(&rep.ticket.sname, server->principal); copy_Realm(&tgt->crealm, &rep.crealm); if (f.request_anonymous) make_anonymous_principalname (&tgt->cname); @@ -1299,6 +1589,7 @@ tgs_make_reply(KDC_REQ_BODY *b, et.flags.pre_authent = tgt->flags.pre_authent; et.flags.hw_authent = tgt->flags.hw_authent; et.flags.anonymous = tgt->flags.anonymous; + et.flags.ok_as_delegate = server->flags.ok_as_delegate; /* XXX Check enc-authorization-data */ et.authorization_data = auth_data; 
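Review bot: The `if (ret) goto out;` after `pk_mk_pa_reply` jumps past `free_EncTicketPart(&et);` and `free_EncKDCRepPart(&ek);`, which sit just before `out:`, so a failed PKINIT reply leaks both structures unless `out:` frees them further down (not visible here); write `if (ret) { free_EncTicketPart(&et); free_EncKDCRepPart(&ek); goto out; }`. `ALLOC(rep.padata);` is followed by `rep.padata->len = 0;` without a NULL check. This block uses `#if PKINIT` while every other PKINIT guard in the file uses `#ifdef PKINIT`; with `PKINIT` defined to an empty value the `#if` form fails to compile, so make it `#ifdef` for consistency. The new `et.flags.ok_as_delegate = server->flags.ok_as_delegate;` is the right source for that flag and deserves a one-line comment noting that it is taken from the target service entry, not inherited from the TGT like the flags above it.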
@@ -1453,8 +1744,8 @@ need_referral(krb5_principal server, krb5_realm **realms) server->name.name_string.len != 2) return FALSE; - return krb5_get_host_realm_int(context, server->name.name_string.val[1], - FALSE, realms) == 0; + return _krb5_get_host_realm_int(context, server->name.name_string.val[1], + FALSE, realms) == 0; } static krb5_error_code @@ -1502,19 +1793,22 @@ tgs_rep2(KDC_REQ_BODY *b, goto out2; } - principalname2krb5_principal(&princ, - ap_req.ticket.sname, - ap_req.ticket.realm); + _krb5_principalname2krb5_principal(&princ, + ap_req.ticket.sname, + ap_req.ticket.realm); ret = db_fetch(princ, &krbtgt); if(ret) { char *p; - krb5_unparse_name(context, princ, &p); + ret = krb5_unparse_name(context, princ, &p); + if (ret != 0) + p = "<unparse_name failed>"; krb5_free_principal(context, princ); kdc_log(0, "Ticket-granting ticket not found in database: %s: %s", p, krb5_get_err_text(context, ret)); - free(p); + if (ret == 0) + free(p); ret = KRB5KRB_AP_ERR_NOT_US; goto out2; } @@ -1523,13 +1817,16 @@ tgs_rep2(KDC_REQ_BODY *b, *ap_req.ticket.enc_part.kvno != krbtgt->kvno){ char *p; - krb5_unparse_name (context, princ, &p); + ret = krb5_unparse_name (context, princ, &p); krb5_free_principal(context, princ); + if (ret != 0) + p = "<unparse_name failed>"; kdc_log(0, "Ticket kvno = %d, DB kvno = %d (%s)", *ap_req.ticket.enc_part.kvno, krbtgt->kvno, p); - free (p); + if (ret == 0) + free (p); ret = KRB5KRB_AP_ERR_BADKEYVER; goto out2; } @@ -1691,7 +1988,7 @@ tgs_rep2(KDC_REQ_BODY *b, ret = KRB5KDC_ERR_POLICY; goto out2; } - principalname2krb5_principal(&p, t->sname, t->realm); + _krb5_principalname2krb5_principal(&p, t->sname, t->realm); ret = db_fetch(p, &uu); krb5_free_principal(context, p); if(ret){ 
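Review bot: In the krbtgt-lookup failure branch, `ret = krb5_unparse_name(context, princ, &p);` overwrites the `db_fetch` error before it is logged, so `krb5_get_err_text(context, ret)` in the "Ticket-granting ticket not found in database" line now describes the unparse call (normally success) instead of the lookup failure; the old code logged the real cause. Keep the two results apart: `krb5_error_code ret2 = krb5_unparse_name(context, princ, &p); if (ret2 != 0) p = "<unparse_name failed>";`, log with `ret`, and free with `if (ret2 == 0) free(p);`. The kvno-mismatch branch in the following hunk is fine because `ret` is explicitly reassigned to `KRB5KRB_AP_ERR_BADKEYVER` before use.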
@@ -1712,11 +2009,16 @@ tgs_rep2(KDC_REQ_BODY *b, r = adtkt.crealm; } - principalname2krb5_principal(&sp, *s, r); - krb5_unparse_name(context, sp, &spn); - principalname2krb5_principal(&cp, tgt->cname, tgt->crealm); - krb5_unparse_name(context, cp, &cpn); - unparse_flags (KDCOptions2int(b->kdc_options), KDCOptions_units, + _krb5_principalname2krb5_principal(&sp, *s, r); + ret = krb5_unparse_name(context, sp, &spn); + if (ret) + goto out; + _krb5_principalname2krb5_principal(&cp, tgt->cname, tgt->crealm); + ret = krb5_unparse_name(context, cp, &cpn); + if (ret) + goto out; + unparse_flags (KDCOptions2int(b->kdc_options), + asn1_KDCOptions_units(), opt_str, sizeof(opt_str)); if(*opt_str) kdc_log(0, "TGS-REQ %s from %s for %s [%s]", @@ -1740,7 +2042,9 @@ tgs_rep2(KDC_REQ_BODY *b, free(spn); krb5_make_principal(context, &sp, r, KRB5_TGS_NAME, new_rlm, NULL); - krb5_unparse_name(context, sp, &spn); + ret = krb5_unparse_name(context, sp, &spn); + if (ret) + goto out; goto server_lookup; } } @@ -1753,7 +2057,9 @@ tgs_rep2(KDC_REQ_BODY *b, free(spn); krb5_make_principal(context, &sp, r, KRB5_TGS_NAME, realms[0], NULL); - krb5_unparse_name(context, sp, &spn); + ret = krb5_unparse_name(context, sp, &spn); + if (ret) + goto out; krb5_free_host_realm(context, realms); goto server_lookup; } @@ -1852,10 +2158,8 @@ out2: } krb5_free_principal(context, cp); krb5_free_principal(context, sp); - if (ticket) { + if (ticket) krb5_free_ticket(context, ticket); - free(ticket); - } free_AP_REQ(&ap_req); if(auth_data){ free_AuthorizationData(auth_data); diff --git a/kerberosV/src/kdc/kstash.8 b/kerberosV/src/kdc/kstash.8 index 6c21d086616..b7ee31e39b2 100644 --- a/kerberosV/src/kdc/kstash.8 +++ b/kerberosV/src/kdc/kstash.8 
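Review bot: In the referral branch, `ret = krb5_unparse_name(context, sp, &spn); if (ret) goto out;` sits before `krb5_free_host_realm(context, realms);`, so the realm list from `need_referral` leaks on that error path; move the free up: `krb5_free_host_realm(context, realms); if (ret) goto out;`. Both `krb5_make_principal(context, &sp, ...)` calls in these hunks are still unchecked, so a failure there hands an unset `sp` to the unparse call, and the new early exits use `goto out` while the rest of the function cleans up at `out2:` (which is where `cp`, `sp` and `ticket` are freed according to the last hunk); whether `out:` reaches the same cleanup is not visible here and should be confirmed.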
@@ -1,6 +1,37 @@ -.\" $KTH: kstash.8,v 1.7 2002/08/20 16:37:14 joda Exp $ +.\" Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. .\" -.Dd September 1, 2000 +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $KTH: kstash.8,v 1.8 2004/12/09 12:15:20 lha Exp $ +.\" +.Dd December 9, 2004 .Dt KSTASH 8 .Os HEIMDAL .Sh NAME 
@@ -8,6 +39,7 @@ .Nd "store the KDC master password in a file" .Sh SYNOPSIS .Nm +.Bk -words .Oo Fl e Ar string \*(Ba Xo .Fl -enctype= Ns Ar string .Xc @@ -17,9 +49,12 @@ .Xc .Oc .Op Fl -convert-file +.Op Fl -random-key .Op Fl -master-key-fd= Ns Ar fd +.Op Fl -random-key .Op Fl h | Fl -help .Op Fl -version +.Ek .Sh DESCRIPTION .Nm reads the Kerberos master key and stores it in a file that will be @@ -31,25 +66,34 @@ Supported options: .Fl e Ar string , .Fl -enctype= Ns Ar string .Xc -the encryption type to use, defaults to DES3-CBC-SHA1 +the encryption type to use, defaults to DES3-CBC-SHA1. .It Xo .Fl k Ar file , .Fl -key-file= Ns Ar file .Xc -the name of the master key file +the name of the master key file. .It Xo .Fl -convert-file .Xc don't ask for a new master key, just read an old master key file, and -write it back in the new keyfile format +write it back in the new keyfile format. +.It Xo +.Fl -random-key +.Xc +generate a random master key. .It Xo .Fl -master-key-fd= Ns Ar fd .Xc filedescriptor to read passphrase from, if not specified the -passphrase will be read from the terminal +passphrase will be read from the terminal/. .El .\".Sh ENVIRONMENT -.\".Sh FILES +.Sh FILES +.Pa /var/heimdal/m-key +is the default keyfile is no other keyfile is specified. +The format of a Heimdal master key is the same as a keytab, so +.Nm ktutil +list can be used to list the content of the file. .\".Sh EXAMPLES .\".Sh DIAGNOSTICS .Sh SEE ALSO diff --git a/kerberosV/src/kdc/main.c b/kerberosV/src/kdc/main.c index e55a904d76a..dbc00765b1d 100644 --- a/kerberosV/src/kdc/main.c +++ b/kerberosV/src/kdc/main.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * 
@@ -36,19 +36,17 @@ #include <util.h> #endif -RCSID("$KTH: main.c,v 1.27 2002/08/28 21:27:16 joda Exp $"); +RCSID("$KTH: main.c,v 1.31 2005/06/14 00:13:11 lha Exp $"); volatile sig_atomic_t exit_flag = 0; krb5_context context; -#ifdef HAVE_DAEMON extern int detach_from_console; -#endif static RETSIGTYPE sigterm(int sig) { - exit_flag = 1; + exit_flag = sig; } int @@ -57,7 +55,9 @@ main(int argc, char **argv) krb5_error_code ret; ret = krb5_init_context(&context); - if (ret) + if (ret == KRB5_CONFIG_BADFORMAT) + errx (1, "krb5_init_context failed to parse configuration file"); + else if (ret) errx (1, "krb5_init_context failed: %d", ret); configure(argc, argv); @@ -97,15 +97,19 @@ main(int argc, char **argv) sigaction(SIGINT, &sa, NULL); sigaction(SIGTERM, &sa, NULL); + sigaction(SIGXCPU, &sa, NULL); + + sa.sa_handler = SIG_IGN; + sigaction(SIGPIPE, &sa, NULL); } #else signal(SIGINT, sigterm); signal(SIGTERM, sigterm); + signal(SIGXCPU, sigterm); + signal(SIGPIPE, SIG_IGN); #endif -#ifdef HAVE_DAEMON if (detach_from_console) daemon(0, 0); -#endif pidfile(NULL); loop(); krb5_free_context(context); diff --git a/kerberosV/src/kdc/string2key.c b/kerberosV/src/kdc/string2key.c index 67f4af1a0c9..077b1525918 100644 --- a/kerberosV/src/kdc/string2key.c +++ b/kerberosV/src/kdc/string2key.c @@ -34,7 +34,7 @@ #include "headers.h" #include <getarg.h> -RCSID("$KTH: string2key.c,v 1.20 2003/03/25 12:28:52 joda Exp $"); +RCSID("$KTH: string2key.c,v 1.22 2003/09/03 09:34:15 lha Exp $"); int version5; int version4; @@ -122,6 +122,7 @@ main(int argc, char **argv) krb5_keytype keytype; int *etypes; unsigned num; + char *str; ret = krb5_string_to_keytype(context, keytype_str, &keytype); if(ret) krb5_err(context, 1, ret, "%s", keytype_str); 
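Review bot: `daemon(0, 0)` is now called unconditionally but its return value is still dropped, so a failed fork leaves kdc attached to the console while the following `pidfile(NULL)` records a pid as if detachment had succeeded; `if (detach_from_console && daemon(0, 0) == -1) err(1, "daemon");` keeps the failure visible (err() comes from the same header as the errx() this function already uses). With the `#ifdef HAVE_DAEMON` guard removed the build presumably relies on a portability fallback for daemon() that is outside this hunk. main()'s body continues beyond the hunk.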
@@ -131,7 +132,8 @@ main(int argc, char **argv) if(num == 0) krb5_errx(context, 1, "there are no encryption types for that keytype"); etype = etypes[0]; - krb5_enctype_to_string(context, etype, (char **) &keytype_str); + krb5_enctype_to_string(context, etype, &str); + keytype_str = str; if(num > 1 && version5) krb5_warnx(context, "ambiguous keytype, using %s", keytype_str); } @@ -167,7 +169,7 @@ main(int argc, char **argv) if(argv[0]) password = argv[0]; if(password == NULL){ - if(des_read_pw_string(buf, sizeof(buf), "Password: ", 0)) + if(UI_UTIL_read_pw_string(buf, sizeof(buf), "Password: ", 0)) return 1; password = buf; } diff --git a/kerberosV/src/kdc/v4_dump.c b/kerberosV/src/kdc/v4_dump.c index a6c5d215c16..65ab19e34ef 100644 --- a/kerberosV/src/kdc/v4_dump.c +++ b/kerberosV/src/kdc/v4_dump.c @@ -33,7 +33,7 @@ #include "hprop.h" -RCSID("$KTH: v4_dump.c,v 1.4.8.1 2003/04/28 12:24:54 lha Exp $"); +RCSID("$KTH: v4_dump.c,v 1.5 2003/04/28 11:35:55 lha Exp $"); static time_t time_parse(const char *cp) diff --git a/kerberosV/src/kpasswd/kpasswd-generator.c b/kerberosV/src/kpasswd/kpasswd-generator.c index 217e42d4ca4..6d45160383d 100644 --- a/kerberosV/src/kpasswd/kpasswd-generator.c +++ b/kerberosV/src/kpasswd/kpasswd-generator.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000 - 2001 Kungliga Tekniska Högskolan + * Copyright (c) 2000 - 2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include "kpasswd_locl.h" -RCSID("$KTH: kpasswd-generator.c,v 1.5 2001/07/31 02:44:42 assar Exp $"); +RCSID("$KTH: kpasswd-generator.c,v 1.8 2004/04/25 19:25:32 joda Exp $"); static unsigned read_words (const char *filename, char ***ret_w) 
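Review bot: `krb5_enctype_to_string(context, etype, &str);` still ignores its return value, and `str` (declared without an initializer in the previous hunk) is then copied into `keytype_str` and printed with `%s` by the `krb5_warnx` two lines below, so an unknown enctype turns into a read of an indeterminate pointer rather than a clean error. The commit fixes the cast but not the check; `ret = krb5_enctype_to_string(context, etype, &str);` followed by `if (ret) krb5_err(context, 1, ret, "krb5_enctype_to_string");` matches how the surrounding calls in main() are handled. main()'s body continues outside the hunk.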
@@ -88,17 +88,17 @@ generate_requests (const char *filename, unsigned nreq) for (i = 0; i < nreq; ++i) { char *name = words[rand() % nwords]; - krb5_get_init_creds_opt opt; + krb5_get_init_creds_opt *opt; krb5_creds cred; krb5_principal principal; int result_code; krb5_data result_code_string, result_string; char *old_pwd, *new_pwd; - krb5_get_init_creds_opt_init (&opt); - krb5_get_init_creds_opt_set_tkt_life (&opt, 300); - krb5_get_init_creds_opt_set_forwardable (&opt, FALSE); - krb5_get_init_creds_opt_set_proxiable (&opt, FALSE); + krb5_get_init_creds_opt_alloc (context, &opt); + krb5_get_init_creds_opt_set_tkt_life (opt, 300); + krb5_get_init_creds_opt_set_forwardable (opt, FALSE); + krb5_get_init_creds_opt_set_proxiable (opt, FALSE); ret = krb5_parse_name (context, name, &principal); if (ret) @@ -115,7 +115,7 @@ generate_requests (const char *filename, unsigned nreq) NULL, 0, "kadmin/changepw", - &opt); + opt); if( ret == KRB5KRB_AP_ERR_BAD_INTEGRITY || ret == KRB5KRB_AP_ERR_MODIFIED) { char *tmp; @@ -132,7 +132,7 @@ generate_requests (const char *filename, unsigned nreq) NULL, 0, "kadmin/changepw", - &opt); + opt); } if (ret) krb5_err (context, 1, ret, "krb5_get_init_creds_password"); @@ -148,7 +148,8 @@ generate_requests (const char *filename, unsigned nreq) free (old_pwd); free (new_pwd); - krb5_free_creds_contents (context, &cred); + krb5_free_cred_contents (context, &cred); + krb5_get_init_creds_opt_free(opt); } } diff --git a/kerberosV/src/kpasswd/kpasswdd.8 b/kerberosV/src/kpasswd/kpasswdd.8 index b7d55dd2e3d..3bc989b5020 100644 --- a/kerberosV/src/kpasswd/kpasswdd.8 +++ b/kerberosV/src/kpasswd/kpasswdd.8 @@ -1,4 +1,4 @@ -.\" $KTH: kpasswdd.8,v 1.8 2003/02/04 21:48:01 lha Exp $ +.\" $KTH: kpasswdd.8,v 1.11 2005/01/05 18:07:44 lha Exp $ .\" .Dd April 19, 1999 .Dt KPASSWDD 8 
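Review bot: `krb5_get_init_creds_opt_alloc (context, &opt);` is unchecked, and `opt` has no initializer, so an allocation failure leaves the three `krb5_get_init_creds_opt_set_*` calls that follow writing through an indeterminate pointer. Since `ret` is already in scope for the `krb5_parse_name` call below, assign the result and fail the same way: `ret = krb5_get_init_creds_opt_alloc (context, &opt);` then `if (ret) krb5_err (context, 1, ret, "krb5_get_init_creds_opt_alloc");`. generate_requests' loop body continues past the hunk, so whether `principal` is released each iteration is not visible here.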
@@ -9,6 +9,7 @@ .Sh SYNOPSIS .Nm kpasswdd .Bk -words +.Op Fl -addresses= Ns Ar address .Op Fl -check-library= Ns Ar library .Op Fl -check-function= Ns Ar function .Oo Fl k Ar kspec \*(Ba Xo @@ -35,6 +36,11 @@ the database directly and should thus only run on the master KDC. Supported options: .Bl -tag -width Ds .It Xo +.Fl -addresses= Ns Ar address +.Xc +For each till the argument is given, add the address to what kpasswdd +should listen too. +.It Xo .Fl -check-library= Ns Ar library .Xc If your system has support for dynamic loading of shared libraries, diff --git a/kerberosV/src/kpasswd/kpasswdd.c b/kerberosV/src/kpasswd/kpasswdd.c index 6c9e21cdd17..9b8c7c40925 100644 --- a/kerberosV/src/kpasswd/kpasswdd.c +++ b/kerberosV/src/kpasswd/kpasswdd.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -32,7 +32,7 @@ */ #include "kpasswd_locl.h" -RCSID("$KTH: kpasswdd.c,v 1.54 2002/12/02 14:31:52 joda Exp $"); +RCSID("$KTH: kpasswdd.c,v 1.62 2005/04/22 11:03:11 lha Exp $"); #include <kadm5/admin.h> #ifdef HAVE_SYS_UN_H @@ -44,9 +44,28 @@ RCSID("$KTH: kpasswdd.c,v 1.54 2002/12/02 14:31:52 joda Exp $"); static krb5_context context; static krb5_log_facility *log_facility; +static struct getarg_strings addresses_str; +krb5_addresses explicit_addresses; + static volatile sig_atomic_t exit_flag = 0; static void +add_one_address (const char *str, int first) +{ + krb5_error_code ret; + krb5_addresses tmp; + + ret = krb5_parse_address (context, str, &tmp); + if (ret) + krb5_err (context, 1, ret, "parse_address `%s'", str); + if (first) + krb5_copy_addresses(context, &tmp, &explicit_addresses); + else + krb5_append_addresses(context, &explicit_addresses, &tmp); + krb5_free_addresses (context, &tmp); +} + +static void send_reply (int s, struct sockaddr *sa, int sa_size, 
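Review bot: In add_one_address the results of `krb5_copy_addresses(context, &tmp, &explicit_addresses)` and `krb5_append_addresses(context, &explicit_addresses, &tmp)` are discarded, so an allocation failure while building the listen list is silent and `tmp` is then freed as if the copy had happened; assign both to `ret` and add `if (ret) krb5_err (context, 1, ret, "adding address %s", str);` after the if/else, mirroring the check already done for `krb5_parse_address`. As a point of style, `krb5_addresses explicit_addresses;` is the only new file-scope object here without `static`, unlike `addresses_str` right above it; if nothing outside this file needs it, make it static too.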
@@ -115,12 +134,12 @@ make_result (krb5_data *data, if (data->data == NULL) { krb5_warnx (context, "Out of memory generating error reply"); return 1; - } + } return 0; } static void -reply_error (krb5_principal server, +reply_error (krb5_realm realm, int s, struct sockaddr *sa, int sa_size, @@ -131,10 +150,20 @@ reply_error (krb5_principal server, krb5_error_code ret; krb5_data error_data; krb5_data e_data; + krb5_principal server = NULL; if (make_result(&e_data, result_code, expl)) return; + if (realm) { + ret = krb5_make_principal (context, &server, realm, + "kadmin", "changepw", NULL); + if (ret) { + krb5_data_free (&e_data); + return; + } + } + ret = krb5_mk_error (context, error_code, NULL, @@ -144,6 +173,8 @@ reply_error (krb5_principal server, NULL, NULL, &error_data); + if (server) + krb5_free_principal(context, server); krb5_data_free (&e_data); if (ret) { krb5_warn (context, ret, "Could not even generate error reply"); 
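Review bot: In reply_error the new `if (ret) { krb5_data_free (&e_data); return; }` after `krb5_make_principal` drops the error reply without any log line, so a client whose request was rejected gets no answer and the operator gets no record of why; the existing failure path a few lines down at least says "Could not even generate error reply". Add `krb5_warn (context, ret, "krb5_make_principal");` before the free. Passing `NULL` as the realm (as the callers in verify() do before authentication) is the intended way to send an error with no server name, which is worth a one-line comment on the `if (realm)` branch.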
@@ -199,78 +230,202 @@ reply_priv (krb5_auth_context auth_context, static void change (krb5_auth_context auth_context, - krb5_principal principal, + krb5_principal admin_principal, + u_int16_t version, int s, struct sockaddr *sa, int sa_size, - krb5_data *pwd_data) + krb5_data *in_data) { krb5_error_code ret; - char *client; + char *client = NULL, *admin = NULL; const char *pwd_reason; kadm5_config_params conf; - void *kadm5_handle; + void *kadm5_handle = NULL; + krb5_principal principal; + krb5_data *pwd_data = NULL; char *tmp; + ChangePasswdDataMS chpw; memset (&conf, 0, sizeof(conf)); + memset(&chpw, 0, sizeof(chpw)); - krb5_unparse_name (context, principal, &client); + if (version == KRB5_KPASSWD_VERS_CHANGEPW) { + ret = krb5_copy_data(context, in_data, &pwd_data); + if (ret) { + krb5_warn (context, ret, "krb5_copy_data"); + reply_priv (auth_context, s, sa, sa_size, KRB5_KPASSWD_MALFORMED, + "out out memory copying password"); + return; + } + principal = admin_principal; + } else if (version == KRB5_KPASSWD_VERS_SETPW) { + size_t len; + + ret = decode_ChangePasswdDataMS(in_data->data, in_data->length, + &chpw, &len); + if (ret) { + krb5_warn (context, ret, "decode_ChangePasswdDataMS"); + reply_priv (auth_context, s, sa, sa_size, KRB5_KPASSWD_MALFORMED, + "malformed ChangePasswdData"); + return; + } + + + ret = krb5_copy_data(context, &chpw.newpasswd, &pwd_data); + if (ret) { + krb5_warn (context, ret, "krb5_copy_data"); + reply_priv (auth_context, s, sa, sa_size, KRB5_KPASSWD_MALFORMED, + "out out memory copying password"); + goto out; + } + + if (chpw.targname == NULL && chpw.targrealm != NULL) { + krb5_warn (context, ret, "kadm5_init_with_password_ctx"); + reply_priv (auth_context, s, sa, sa_size, + KRB5_KPASSWD_MALFORMED, + "targrealm but not targname"); + goto out; + } + + if (chpw.targname) { + krb5_principal_data princ; + + princ.name = *chpw.targname; + princ.realm = *chpw.targrealm; + if (princ.realm == NULL) { + ret = krb5_get_default_realm(context, 
&princ.realm); + + if (ret) { + krb5_warnx (context, + "kadm5_init_with_password_ctx: " + "failed to allocate realm"); + reply_priv (auth_context, s, sa, sa_size, + KRB5_KPASSWD_SOFTERROR, + "failed to allocate realm"); + goto out; + } + } + ret = krb5_copy_principal(context, &princ, &principal); + if (*chpw.targrealm == NULL) + free(princ.realm); + if (ret) { + krb5_warn(context, ret, "krb5_copy_principal"); + reply_priv(auth_context, s, sa, sa_size, + KRB5_KPASSWD_HARDERROR, + "failed to allocate principal"); + goto out; + } + } else + principal = admin_principal; + } else { + krb5_warnx (context, "kadm5_init_with_password_ctx: unknown proto"); + reply_priv (auth_context, s, sa, sa_size, + KRB5_KPASSWD_HARDERROR, + "Unknown protocol used"); + return; + } + + ret = krb5_unparse_name (context, admin_principal, &admin); + if (ret) { + krb5_warn (context, ret, "unparse_name failed"); + reply_priv (auth_context, s, sa, sa_size, + KRB5_KPASSWD_HARDERROR, "out of memory error"); + goto out; + } ret = kadm5_init_with_password_ctx(context, - client, + admin, NULL, KADM5_ADMIN_SERVICE, &conf, 0, 0, &kadm5_handle); if (ret) { - free (client); krb5_warn (context, ret, "kadm5_init_with_password_ctx"); reply_priv (auth_context, s, sa, sa_size, 2, "Internal error"); - return; + goto out; } - krb5_warnx (context, "Changing password for %s", client); - free (client); + ret = krb5_unparse_name(context, principal, &client); + if (ret) { + krb5_warn (context, ret, "unparse_name failed"); + reply_priv (auth_context, s, sa, sa_size, + KRB5_KPASSWD_HARDERROR, "out of memory error"); + goto out; + } - pwd_reason = kadm5_check_password_quality (context, principal, pwd_data); - if (pwd_reason != NULL ) { - krb5_warnx (context, "%s", pwd_reason); - reply_priv (auth_context, s, sa, sa_size, 4, pwd_reason); - kadm5_destroy (kadm5_handle); - return; + /* + * Check password quality if not changing as administrator + */ + + if (krb5_principal_compare(context, admin_principal, principal) == 
TRUE) { + + pwd_reason = kadm5_check_password_quality (context, principal, + pwd_data); + if (pwd_reason != NULL ) { + krb5_warnx (context, + "%s didn't pass password quality check with error: %s", + client, pwd_reason); + reply_priv (auth_context, s, sa, sa_size, + KRB5_KPASSWD_SOFTERROR, pwd_reason); + goto out; + } + krb5_warnx (context, "Changing password for %s", client); + } else { + ret = _kadm5_acl_check_permission(kadm5_handle, KADM5_PRIV_CPW, + principal); + if (ret) { + krb5_warn (context, ret, + "Check ACL failed for %s for changing %s password", + admin, client); + reply_priv (auth_context, s, sa, sa_size, + KRB5_KPASSWD_HARDERROR, "permission denied"); + goto out; + } + krb5_warnx (context, "%s is changing password for %s", admin, client); } - tmp = malloc (pwd_data->length + 1); - if (tmp == NULL) { - krb5_warnx (context, "malloc: out of memory"); - reply_priv (auth_context, s, sa, sa_size, 2, + ret = krb5_data_realloc(pwd_data, pwd_data->length + 1); + if (ret) { + krb5_warn (context, ret, "malloc: out of memory"); + reply_priv (auth_context, s, sa, sa_size, KRB5_KPASSWD_HARDERROR, "Internal error"); goto out; } - memcpy (tmp, pwd_data->data, pwd_data->length); - tmp[pwd_data->length] = '\0'; + tmp = pwd_data->data; + tmp[pwd_data->length - 1] = '\0'; ret = kadm5_s_chpass_principal_cond (kadm5_handle, principal, tmp); - memset (tmp, 0, pwd_data->length); - free (tmp); + krb5_free_data (context, pwd_data); + pwd_data = NULL; if (ret) { krb5_warn (context, ret, "kadm5_s_chpass_principal_cond"); - reply_priv (auth_context, s, sa, sa_size, 2, + reply_priv (auth_context, s, sa, sa_size, KRB5_KPASSWD_HARDERROR, "Internal error"); goto out; } - reply_priv (auth_context, s, sa, sa_size, 0, "Password changed"); + reply_priv (auth_context, s, sa, sa_size, KRB5_KPASSWD_SUCCESS, + "Password changed"); out: - kadm5_destroy (kadm5_handle); + free_ChangePasswdDataMS(&chpw); + if (admin) + free(admin); + if (client) + free(client); + if (pwd_data) + 
krb5_free_data(context, pwd_data); + if (kadm5_handle) + kadm5_destroy (kadm5_handle); } static int verify (krb5_auth_context *auth_context, - krb5_principal server, + krb5_realm *realms, krb5_keytab keytab, krb5_ticket **ticket, krb5_data *out_data, + u_int16_t *version, int s, struct sockaddr *sa, int sa_size, @@ -281,6 +436,7 @@ verify (krb5_auth_context *auth_context, u_int16_t pkt_len, pkt_ver, ap_req_len; krb5_data ap_req_data; krb5_data krb_priv_data; + krb5_realm *r; pkt_len = (msg[0] << 8) | (msg[1]); pkt_ver = (msg[2] << 8) | (msg[3]); @@ -288,14 +444,16 @@ verify (krb5_auth_context *auth_context, if (pkt_len != len) { krb5_warnx (context, "Strange len: %ld != %ld", (long)pkt_len, (long)len); - reply_error (server, s, sa, sa_size, 0, 1, "Bad request"); + reply_error (NULL, s, sa, sa_size, 0, 1, "Bad request"); return 1; } - if (pkt_ver != 0x0001) { + if (pkt_ver != KRB5_KPASSWD_VERS_CHANGEPW && + pkt_ver != KRB5_KPASSWD_VERS_SETPW) { krb5_warnx (context, "Bad version (%d)", pkt_ver); - reply_error (server, s, sa, sa_size, 0, 1, "Wrong program version"); + reply_error (NULL, s, sa, sa_size, 0, 1, "Wrong program version"); return 1; } + *version = pkt_ver; ap_req_data.data = msg + 6; ap_req_data.length = ap_req_len; 
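Review bot: In the SETPW branch of change(), `princ.realm = *chpw.targrealm;` dereferences `chpw.targrealm` without testing it for NULL, although the guard a few lines earlier (`chpw.targname == NULL && chpw.targrealm != NULL`) shows the field is a pointer that may be absent; a request carrying a targname but no targrealm, which is exactly the case the following `if (princ.realm == NULL)` default-realm fallback appears meant to handle, would crash kpasswdd after the client has authenticated. The same dereference is repeated in `if (*chpw.targrealm == NULL) free(princ.realm);`. Test the outer pointer instead: `princ.realm = chpw.targrealm ? *chpw.targrealm : NULL;` and `if (chpw.targrealm == NULL) free(princ.realm);`. Separately, the removed code wiped the cleartext password with `memset (tmp, 0, pwd_data->length)` before freeing, while the new `krb5_free_data (context, pwd_data)` and `free_ChangePasswdDataMS(&chpw)` release their copies unscrubbed; a `memset(pwd_data->data, 0, pwd_data->length)` before the free restores that behaviour (chpw.newpasswd would need the same treatment).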
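Review bot: `ap_req_data.length = ap_req_len;` takes the length field straight from the packet header, and nothing in this hunk compares it with `len`; the `pkt_len != len` check only pins the total size. Unless that bound is enforced outside the visible lines, an AP-REQ length larger than `len - 6` lets `krb5_rd_req` read past the end of `msg` before any authentication has taken place. Add `if ((size_t)ap_req_len + 6 > len) { reply_error (NULL, s, sa, sa_size, 0, 1, "Bad request"); return 1; }` next to the version check. verify()'s body continues beyond the hunk.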
@@ -303,26 +461,56 @@ verify (krb5_auth_context *auth_context, ret = krb5_rd_req (context, auth_context, &ap_req_data, - server, + NULL, keytab, NULL, ticket); if (ret) { - if(ret == KRB5_KT_NOTFOUND) { - char *name; - krb5_unparse_name(context, server, &name); - krb5_warnx (context, "krb5_rd_req: %s (%s)", - krb5_get_err_text(context, ret), name); - free(name); - } else - krb5_warn (context, ret, "krb5_rd_req"); - reply_error (server, s, sa, sa_size, ret, 3, "Authentication failed"); + krb5_warn (context, ret, "krb5_rd_req"); + reply_error (NULL, s, sa, sa_size, ret, 3, "Authentication failed"); return 1; } + /* verify realm and principal */ + for (r = realms; *r != NULL; r++) { + krb5_principal principal; + krb5_boolean same; + + ret = krb5_make_principal (context, + &principal, + *r, + "kadmin", + "changepw", + NULL); + if (ret) + krb5_err (context, 1, ret, "krb5_make_principal"); + + same = krb5_principal_compare(context, principal, (*ticket)->server); + krb5_free_principal(context, principal); + if (same == TRUE) + break; + } + if (*r == NULL) { + char *str; + krb5_unparse_name(context, (*ticket)->server, &str); + krb5_warnx (context, "client used not valid principal %s", str); + free(str); + reply_error (NULL, s, sa, sa_size, ret, 1, + "Bad request"); + goto out; + } + + if (strcmp((*ticket)->server->realm, (*ticket)->client->realm) != 0) { + krb5_warnx (context, "server realm (%s) not same a client realm (%s)", + (*ticket)->server->realm, (*ticket)->client->realm); + reply_error ((*ticket)->server->realm, s, sa, sa_size, ret, 1, + "Bad request"); + goto out; + } + if (!(*ticket)->ticket.flags.initial) { krb5_warnx (context, "initial flag not set"); - reply_error (server, s, sa, sa_size, ret, 1, + reply_error ((*ticket)->server->realm, s, sa, sa_size, ret, 1, "Bad request"); goto out; } 
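Review bot: In the new principal check, `krb5_unparse_name(context, (*ticket)->server, &str);` is unchecked and `str` has no initializer, so on failure the `%s` in the warning and the `free(str)` operate on an indeterminate pointer; use `if (krb5_unparse_name(context, (*ticket)->server, &str) != 0) str = NULL;` and print `str ? str : "<unknown>"` (free(NULL) is fine). Also, `krb5_err (context, 1, ret, "krb5_make_principal")` inside the per-request loop terminates the whole daemon on a transient allocation failure; a `reply_error` plus `goto out` would be the proportionate response. The check itself is the right one: with `krb5_rd_req` now given a NULL server and a keytab that defaults to `HDB:`, any service principal in the database would otherwise be accepted here, so the comparison against `kadmin/changepw` in each default realm must stay. verify()'s body continues beyond the hunk.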
@@ -337,17 +525,19 @@ verify (krb5_auth_context *auth_context, if (ret) { krb5_warn (context, ret, "krb5_rd_priv"); - reply_error (server, s, sa, sa_size, ret, 3, "Bad request"); + reply_error ((*ticket)->server->realm, s, sa, sa_size, ret, 3, + "Bad request"); goto out; } return 0; out: krb5_free_ticket (context, *ticket); + ticket = NULL; return 1; } static void -process (krb5_principal server, +process (krb5_realm *realms, krb5_keytab keytab, int s, krb5_address *this_addr, @@ -361,6 +551,8 @@ process (krb5_principal server, krb5_data out_data; krb5_ticket *ticket; krb5_address other_addr; + u_int16_t version; + krb5_data_zero (&out_data); @@ -389,16 +581,16 @@ process (krb5_principal server, goto out; } - if (verify (&auth_context, server, keytab, &ticket, &out_data, - s, sa, sa_size, msg, len) == 0) { + if (verify (&auth_context, realms, keytab, &ticket, &out_data, + &version, s, sa, sa_size, msg, len) == 0) { change (auth_context, ticket->client, + version, s, sa, sa_size, &out_data); memset (out_data.data, 0, out_data.length); krb5_free_ticket (context, ticket); - free (ticket); } out: 
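Review bot: The added `ticket = NULL;` in verify()'s `out:` path assigns the local `krb5_ticket **` parameter just before `return 1`, which has no effect; the caller's pointer still refers to the memory `krb5_free_ticket (context, *ticket)` just released. The intended line is `*ticket = NULL;`. The visible caller in process() only frees the ticket on the success path, so no double free is reachable from what is shown, but the dangling value is exactly what this line was meant to prevent.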
@@ -410,36 +602,26 @@ static int doit (krb5_keytab keytab, int port) { krb5_error_code ret; - krb5_principal server; int *sockets; int maxfd; - char *realm; + krb5_realm *realms; krb5_addresses addrs; unsigned n, i; fd_set real_fdset; struct sockaddr_storage __ss; struct sockaddr *sa = (struct sockaddr *)&__ss; - ret = krb5_get_default_realm (context, &realm); - if (ret) - krb5_err (context, 1, ret, "krb5_get_default_realm"); - - ret = krb5_build_principal (context, - &server, - strlen(realm), - realm, - "kadmin", - "changepw", - NULL); + ret = krb5_get_default_realms(context, &realms); if (ret) - krb5_err (context, 1, ret, "krb5_build_principal"); - - free (realm); - - ret = krb5_get_all_server_addrs (context, &addrs); - if (ret) - krb5_err (context, 1, ret, "krb5_get_all_server_addrs"); + krb5_err (context, 1, ret, "krb5_get_default_realms"); + if (explicit_addresses.len) { + addrs = explicit_addresses; + } else { + ret = krb5_get_all_server_addrs (context, &addrs); + if (ret) + krb5_err (context, 1, ret, "krb5_get_all_server_addrs"); + } n = addrs.len; sockets = malloc (n * sizeof(*sockets)); @@ -499,14 +681,14 @@ doit (krb5_keytab keytab, int port) krb5_err (context, 1, errno, "recvfrom"); } - process (server, keytab, sockets[i], + process (realms, keytab, sockets[i], &addrs.val[i], sa, addrlen, buf, ret); } } krb5_free_addresses (context, &addrs); - krb5_free_principal (context, server); + krb5_free_host_realm (context, realms); krb5_free_context (context); return 0; } @@ -519,11 +701,13 @@ sigterm(int sig) const char *check_library = NULL; const char *check_function = NULL; +static getarg_strings policy_libraries = { 0, NULL }; char *keytab_str = "HDB:"; char *realm_str; int version_flag; int help_flag; char *port_str; +char *config_file; struct getargs args[] = { #ifdef HAVE_DLOPEN 
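Review bot: `addrs = explicit_addresses;` is a shallow struct copy, and the later hunk on this line still runs `krb5_free_addresses (context, &addrs)` at the end of doit(), so the global's `val` array is released while `explicit_addresses` keeps pointing at it; harmless if doit() returns only at shutdown, but a trap for any later caller. Either copy it, `ret = krb5_copy_addresses (context, &explicit_addresses, &addrs); if (ret) krb5_err (context, 1, ret, "krb5_copy_addresses");`, or skip the free when the explicit list was used. A one-line comment on the `if (explicit_addresses.len)` branch stating that the command line and `kdc/addresses` config override the auto-detected interface list would help the next reader.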
@@ -531,9 +715,14 @@ struct getargs args[] = { "library to load password check function from", "library" }, { "check-function", 0, arg_string, &check_function, "password check function to load", "function" }, + { "policy-libraries", 0, arg_strings, &policy_libraries, + "password check function to load", "function" }, #endif + { "addresses", 0, arg_strings, &addresses_str, + "addresses to listen on", "list of addresses" }, { "keytab", 'k', arg_string, &keytab_str, "keytab to get authentication key from", "kspec" }, + { "config-file", 'c', arg_string, &config_file }, { "realm", 'r', arg_string, &realm_str, "default realm", "realm" }, { "port", 'p', arg_string, &port_str, "port" }, { "version", 0, arg_flag, &version_flag }, @@ -547,7 +736,8 @@ main (int argc, char **argv) int optind; krb5_keytab keytab; krb5_error_code ret; - int port; + char **files; + int port, i; optind = krb5_program_setup(&context, argc, argv, args, num_args, NULL); @@ -558,6 +748,18 @@ main (int argc, char **argv) exit(0); } + if (config_file == NULL) + config_file = HDB_DB_DIR "/kdc.conf"; + + ret = krb5_prepend_config_files_default(config_file, &files); + if (ret) + krb5_err(context, 1, ret, "getting configuration files"); + + ret = krb5_set_config_files(context, files); + krb5_free_config_files(files); + if (ret) + krb5_err(context, 1, ret, "reading configuration files"); + if(realm_str) krb5_set_default_realm(context, realm_str); 
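Review bot: The `policy-libraries` entry reuses the `check-function` help text verbatim (`"password check function to load", "function"`) although it takes a list of libraries, and the new `config-file` entry has no help string or argument name at all, so `--help` output is wrong for one option and blank for the other; use `"password policy libraries to load", "library"` and `{ "config-file", 'c', arg_string, &config_file, "location of config file", "file" },`. The kpasswdd.8 hunk in this commit documents only `--addresses`, so `--policy-libraries` and `--config-file` still need man page entries. `struct getargs args[]` continues beyond the hunk.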
@@ -590,6 +792,36 @@ main (int argc, char **argv) kadm5_setup_passwd_quality_check (context, check_library, check_function); + for (i = 0; i < policy_libraries.num_strings; i++) { + ret = kadm5_add_passwd_quality_verifier(context, + policy_libraries.strings[i]); + if (ret) + krb5_err(context, 1, ret, "kadm5_add_passwd_quality_verifier"); + } + ret = kadm5_add_passwd_quality_verifier(context, NULL); + if (ret) + krb5_err(context, 1, ret, "kadm5_add_passwd_quality_verifier"); + + + explicit_addresses.len = 0; + + if (addresses_str.num_strings) { + int i; + + for (i = 0; i < addresses_str.num_strings; ++i) + add_one_address (addresses_str.strings[i], i == 0); + free_getarg_strings (&addresses_str); + } else { + char **foo = krb5_config_get_strings (context, NULL, + "kdc", "addresses", NULL); + + if (foo != NULL) { + add_one_address (*foo++, TRUE); + while (*foo) + add_one_address (*foo++, FALSE); + } + } + #ifdef HAVE_SIGACTION { struct sigaction sa; diff --git a/kerberosV/src/kuser/generate-requests.c b/kerberosV/src/kuser/generate-requests.c index 7f2873752ea..748f589bcc9 100644 --- a/kerberosV/src/kuser/generate-requests.c +++ b/kerberosV/src/kuser/generate-requests.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000 - 2001 Kungliga Tekniska Högskolan + * Copyright (c) 2000 - 2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include "kuser_locl.h" -RCSID("$KTH: generate-requests.c,v 1.4 2001/08/24 01:07:22 assar Exp $"); +RCSID("$KTH: generate-requests.c,v 1.5 2004/04/25 19:25:33 joda Exp $"); static krb5_error_code null_key_proc (krb5_context context, @@ -105,7 +105,7 @@ generate_requests (const char *filename, unsigned nreq) ret = krb5_get_in_cred (context, 0, NULL, NULL, NULL, NULL, null_key_proc, NULL, NULL, NULL, &cred, NULL); - krb5_free_creds_contents (context, &cred); + krb5_free_cred_contents (context, &cred); } } 
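Review bot: The `int i;` declared inside the `if (addresses_str.num_strings)` block shadows the `i` that the previous hunk added to main() for the policy-library loop, and in the `else` branch the list returned by `krb5_config_get_strings` is walked with `*foo++` so the original pointer is lost and the list is never released. Dropping the inner declaration and iterating with a separate cursor fixes both; the free uses the library's `krb5_config_free_strings`, assuming it is the matching release function here as it is in other Heimdal code. The `i == 0`/`TRUE` first-call convention of add_one_address deserves a short comment since it selects copy versus append.
```c
	if (addresses_str.num_strings) {
	    for (i = 0; i < addresses_str.num_strings; ++i)
		add_one_address (addresses_str.strings[i], i == 0);
	    free_getarg_strings (&addresses_str);
	} else {
	    char **foo = krb5_config_get_strings (context, NULL,
						  "kdc", "addresses", NULL);

	    if (foo != NULL) {
		char **p;

		/* first address initialises explicit_addresses, later ones append */
		for (p = foo; *p != NULL; p++)
		    add_one_address (*p, p == foo);
		krb5_config_free_strings (foo);
	    }
	}
```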
diff --git a/kerberosV/src/kuser/kdecode_ticket.c b/kerberosV/src/kuser/kdecode_ticket.c index 17885a6d31b..ab140119271 100644 --- a/kerberosV/src/kuser/kdecode_ticket.c +++ b/kerberosV/src/kuser/kdecode_ticket.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include "kuser_locl.h" -RCSID("$KTH: kdecode_ticket.c,v 1.5 2001/02/20 01:44:51 assar Exp $"); +RCSID("$KTH: kdecode_ticket.c,v 1.6 2004/04/25 19:25:33 joda Exp $"); static char *etype_str; static int version_flag; @@ -155,6 +155,6 @@ main(int argc, char **argv) print_and_decode_tkt (context, &out->ticket, out->server, out->session.keytype); - krb5_free_creds_contents(context, out); + krb5_free_cred_contents(context, out); return 0; } diff --git a/kerberosV/src/kuser/kdestroy.1 b/kerberosV/src/kuser/kdestroy.1 index e80ec3fc048..45291e3e66a 100644 --- a/kerberosV/src/kuser/kdestroy.1 +++ b/kerberosV/src/kuser/kdestroy.1 @@ -1,4 +1,4 @@ -.\" Copyright (c) 1997, 1999, 2001 Kungliga Tekniska Högskolan +.\" Copyright (c) 1997, 1999, 2001, 2004 Kungliga Tekniska Högskolan .\" (Royal Institute of Technology, Stockholm, Sweden). .\" All rights reserved. .\" @@ -29,9 +29,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $KTH: kdestroy.1,v 1.4 2003/02/16 21:10:23 lha Exp $ +.\" $KTH: kdestroy.1,v 1.5 2004/12/08 17:38:28 lha Exp $ .\" -.Dd August 27, 1997 +.Dd December 8, 2004 .Dt KDESTROY 1 .Os HEIMDAL .Sh NAME @@ -39,12 +39,14 @@ .Nd destroy the current ticket file .Sh SYNOPSIS .Nm +.Bk -words .Op Fl c Ar cachefile .Op Fl -cache= Ns Ar cachefile .Op Fl -no-unlog .Op Fl -no-delete-v4 .Op Fl -version .Op Fl -help +.Ek .Sh DESCRIPTION .Nm removes the current set of tickets. 
diff --git a/kerberosV/src/kuser/kdestroy.c b/kerberosV/src/kuser/kdestroy.c index 2427b27eb1b..9ef6fd9f22f 100644 --- a/kerberosV/src/kuser/kdestroy.c +++ b/kerberosV/src/kuser/kdestroy.c @@ -32,15 +32,18 @@ */ #include "kuser_locl.h" -RCSID("$KTH: kdestroy.c,v 1.14.2.1 2003/05/08 18:59:17 lha Exp $"); +RCSID("$KTH: kdestroy.c,v 1.16 2004/04/17 17:00:06 lha Exp $"); static const char *cache; +static const char *credential; static int help_flag; static int version_flag; static int unlog_flag = 1; static int dest_tkt_flag = 1; struct getargs args[] = { + { "credential", 0, arg_string, &credential, + "remove one credential", "principal" }, { "cache", 'c', arg_string, &cache, "cache to destroy", "cache" }, { "unlog", 0, arg_negative_flag, &unlog_flag, "do not destroy tokens", NULL }, @@ -97,11 +100,30 @@ main (int argc, char **argv) } } - ret = krb5_cc_resolve(context, + ret = krb5_cc_resolve(context, cache, &ccache); if (ret == 0) { + if (credential) { + krb5_creds mcred; + + krb5_cc_clear_mcred(&mcred); + + ret = krb5_parse_name(context, credential, &mcred.server); + if (ret) + krb5_err(context, 1, ret, + "Can't parse principal %s", credential); + + ret = krb5_cc_remove_cred(context, ccache, 0, &mcred); + if (ret) + krb5_err(context, 1, ret, + "Failed to remove principal %s", credential); + + krb5_free_context(context); + return 0; + } + ret = krb5_cc_destroy (context, ccache); if (ret) { warnx ("krb5_cc_destroy: %s", krb5_get_err_text(context, ret)); diff --git a/kerberosV/src/kuser/kgetcred.c b/kerberosV/src/kuser/kgetcred.c index 5c9b3bf5cce..3b9e9ae75b5 100644 --- a/kerberosV/src/kuser/kgetcred.c +++ b/kerberosV/src/kuser/kgetcred.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * 
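Review bot: The new `--credential` path returns after `krb5_cc_remove_cred` without releasing `mcred.server` from `krb5_parse_name` or closing the cache it just resolved, so the ccache handle is abandoned rather than closed before `krb5_free_context`; add `krb5_free_principal(context, mcred.server);` and `krb5_cc_close(context, ccache);` before the free of the context. The kdestroy.1 hunk in this commit does not mention `--credential`, so the man page still needs an entry describing that only the credential whose server matches the given principal is removed (the match uses whichfields 0, i.e. the server only, as far as this hunk shows). main()'s body continues beyond the hunk.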
@@ -33,15 +33,22 @@ #include "kuser_locl.h" -RCSID("$KTH: kgetcred.c,v 1.5 2001/02/20 01:44:51 assar Exp $"); +RCSID("$KTH: kgetcred.c,v 1.9 2004/08/05 18:49:25 lha Exp $"); +static char *cache_str; static char *etype_str; static int version_flag; static int help_flag; +static int transit_check = 1; +static int canonicalize = 0; struct getargs args[] = { + { "cache", 'c', arg_string, &cache_str, + "credential cache to use", "cache"}, { "enctype", 'e', arg_string, &etype_str, "encryption type to use", "enctype"}, + { "transit-check", 0, arg_negative_flag, &transit_check }, + { "canonicalize", 0, arg_flag, &canonicalize }, { "version", 0, arg_flag, &version_flag }, { "help", 0, arg_flag, &help_flag } }; @@ -63,8 +70,11 @@ main(int argc, char **argv) krb5_context context; krb5_ccache cache; krb5_creds in, *out; + krb5_kdc_flags flags; int optind = 0; + flags.i = 0; + ret = krb5_init_context (&context); if (ret) errx(1, "krb5_init_context failed: %d", ret); @@ -90,6 +100,16 @@ main(int argc, char **argv) if (ret) krb5_err (context, 1, ret, "krb5_cc_default"); + if(cache_str) { + ret = krb5_cc_resolve(context, cache_str, &cache); + if (ret) + krb5_err (context, 1, ret, "%s", cache_str); + } else { + ret = krb5_cc_default (context, &cache); + if (ret) + krb5_err (context, 1, ret, "krb5_cc_resolve"); + } + memset(&in, 0, sizeof(in)); if (etype_str) { @@ -109,11 +129,17 @@ main(int argc, char **argv) if (ret) krb5_err (context, 1, ret, "krb5_parse_name %s", argv[0]); + if (!transit_check) + flags.b.disable_transited_check = 1; + if (canonicalize) + flags.b.canonicalize = 1; + + in.times.endtime = 0; - ret = krb5_get_credentials(context, 0, cache, &in, &out); + ret = krb5_get_credentials_with_flags(context, 0, flags, cache, &in, &out); if (ret) krb5_err (context, 1, ret, "krb5_get_credentials"); - krb5_free_creds_contents(context, out); + krb5_free_cred_contents(context, out); return 0; } 
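Review bot: The new `if(cache_str) ... else ...` block overwrites `cache` right after the context line `krb5_err (context, 1, ret, "krb5_cc_default");`, which belongs to an earlier `krb5_cc_default` call (just above the hunk) that already opened the default cache; that first handle is never closed and the call is now dead code. Remove the earlier call and its check rather than opening the cache twice. Also the messages are swapped: the `else` branch calls `krb5_cc_default` but reports `"krb5_cc_resolve"`, so it should read `krb5_err (context, 1, ret, "krb5_cc_default");`. main()'s body continues beyond the hunk.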
diff --git a/kerberosV/src/kuser/kinit.1 b/kerberosV/src/kuser/kinit.1 index f7f6d3f1eb7..6062e3155af 100644 --- a/kerberosV/src/kuser/kinit.1 +++ b/kerberosV/src/kuser/kinit.1 @@ -1,4 +1,4 @@ -.\" Copyright (c) 1998 - 2002 Kungliga Tekniska Högskolan +.\" Copyright (c) 1998 - 2003 Kungliga Tekniska Högskolan .\" (Royal Institute of Technology, Stockholm, Sweden). .\" All rights reserved. .\" @@ -29,7 +29,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $KTH: kinit.1,v 1.23 2003/04/06 17:49:05 lha Exp $ +.\" $KTH: kinit.1,v 1.25 2003/06/23 11:39:49 joda Exp $ .\" .Dd May 29, 1998 .Dt KINIT 1 @@ -82,7 +82,7 @@ .Xc .Oc .Op Fl -fcache-version= Ns Ar integer -.Op Fl -no-addresses +.Op Fl A | Fl -no-addresses .Op Fl -anonymous .Op Fl -version .Op Fl -help @@ -125,8 +125,9 @@ keytab. .Fl l Ar time , .Fl -lifetime= Ns Ar time .Xc -Specifies the lifetime of the ticket. The argument can either be in -seconds, or a more human readable string like +Specifies the lifetime of the ticket. +The argument can either be in seconds, or a more human readable string +like .Sq 1h . .It Xo .Fl p , @@ -137,7 +138,8 @@ Request tickets with the proxiable flag set. .Fl R , .Fl -renew .Xc -Try to renew ticket. The ticket must have the +Try to renew ticket. +The ticket must have the .Sq renewable flag set, and must not be expired. .It Fl -renewable 
@@ -191,13 +193,16 @@ Create a credentials cache of version .Fl -extra-addresses= Ns Ar enctypes .Xc Adds a set of addresses that will, in addition to the systems local -addresses, be put in the ticket. This can be useful if all addresses a -client can use can't be automatically figured out. One such example is -if the client is behind a firewall. Also settable via +addresses, be put in the ticket. +This can be useful if all addresses a client can use can't be +automatically figured out. +One such example is if the client is behind a firewall. +Also settable via .Li libdefaults/extra_addresses in .Xr krb5.conf 5 . .It Xo +.Fl A , .Fl -no-addresses .Xc Request a ticket with no addresses. @@ -218,8 +223,8 @@ has been compiled with support for Kerberos 4. .Fl -524init .Xc Try to convert the obtained Kerberos 5 krbtgt to a version 4 -compatible ticket. It will store this ticket in the default Kerberos 4 -ticket file. +compatible ticket. +It will store this ticket in the default Kerberos 4 ticket file. .It Xo .Fl 9 , .Fl -524convert @@ -227,7 +232,8 @@ ticket file. only convert ticket to version 4 .It Fl -afslog Gets AFS tickets, converts them to version 4 format, and stores them -in the kernel. Only useful if you have AFS. +in the kernel. +Only useful if you have AFS. .El .Pp The @@ -245,16 +251,17 @@ If a .Ar command is given, .Nm kinit -will setup new credentials caches, and AFS PAG, and then run the given -command. When it finishes the credentials will be removed. +will set up new credentials caches, and AFS PAG, and then run the given +command. +When it finishes the credentials will be removed. .Sh ENVIRONMENT .Bl -tag -width Ds .It Ev KRB5CCNAME Specifies the default credentials cache. .It Ev KRB5_CONFIG The file name of -.Pa krb5.conf -, the default being +.Pa krb5.conf , +the default being .Pa /etc/kerberosV/krb5.conf . .It Ev KRBTKFILE Specifies the Kerberos 4 ticket file to store version 4 tickets in. 
diff --git a/kerberosV/src/kuser/kinit.c b/kerberosV/src/kuser/kinit.c index e3deae7f65c..82782d669c2 100644 --- a/kerberosV/src/kuser/kinit.c +++ b/kerberosV/src/kuser/kinit.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -32,12 +32,23 @@ */ #include "kuser_locl.h" -RCSID("$KTH: kinit.c,v 1.90.4.5 2004/06/21 08:17:06 lha Exp $"); +RCSID("$KTH: kinit.c,v 1.121 2005/06/14 00:14:43 lha Exp $"); + +#ifndef KRB4 +#include "krb5-v4compat.h" +#endif + +struct krb5_pk_identity; +struct krb5_pk_cert; +struct ContentInfo; +struct _krb5_krb_auth_data; +#include "krb5-private.h" int forwardable_flag = -1; int proxiable_flag = -1; int renewable_flag = -1; int renew_flag = 0; +int pac_flag = -1; int validate_flag = 0; int version_flag = 0; int help_flag = 0; @@ -53,20 +64,31 @@ struct getarg_strings etype_str; int use_keytab = 0; char *keytab_str = NULL; int do_afslog = -1; -#ifdef KRB4 int get_v4_tgt = -1; -int convert_524; -#endif +int convert_524 = 0; int fcache_version; +char *pk_user_id = NULL; +char *pk_x509_anchors = NULL; +int pk_use_dh = -1; + +static char *krb4_cc_name; static struct getargs args[] = { -#ifdef KRB4 + /* + * used by MIT + * a: ~A + * V: verbose + * F: ~f + * P: ~p + * C: v4 cache name? + * 5: + */ { "524init", '4', arg_flag, &get_v4_tgt, "obtain version 4 TGT" }, - + { "524convert", '9', arg_flag, &convert_524, "only convert ticket to version 4" }, -#endif + { "afslog", 0 , arg_flag, &do_afslog, "obtain afs tokens" }, @@ -112,7 +134,7 @@ static struct getargs args[] = { { "fcache-version", 0, arg_integer, &fcache_version, "file cache version to create" }, - { "addresses", 0, arg_negative_flag, &addrs_flag, + { "addresses", 'A', arg_negative_flag, &addrs_flag, "request a ticket with no addresses" }, { "extra-addresses",'a', arg_strings, &extra_addresses, 
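Review bot: The forward declarations `struct krb5_pk_identity;` through `struct _krb5_krb_auth_data;` followed by `#include "krb5-private.h"` in the @@ -32 hunk pull library-internal prototypes into an application, and the later calls to `_krb5_krb_tf_setup` and `_krb5_krb_dest_tkt` (hunks further down in this file) depend on them; these are underscore-prefixed, unexported symbols with no stability promise, so kinit now breaks whenever the library's private header changes. If a client program needs the v4 ticket-file entry points they should get a public declaration; at minimum a comment above the include should state why it is required, e.g. `/* for _krb5_krb_tf_setup/_krb5_krb_dest_tkt: no public v4 ticket-file API yet */`. The block comment added in the @@ -53 hunk (`used by MIT … 5:`) is an unfinished option-compatibility note and should either say what it is (`MIT kinit short options not yet mapped`) or be dropped.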
@@ -121,6 +143,20 @@ static struct getargs args[] = { { "anonymous", 0, arg_flag, &anonymous_flag, "request an anonymous ticket" }, + { "request-pac", 0, arg_flag, &pac_flag, + "request a Windows PAC" }, + +#ifdef PKINIT + { "pk-user", 'C', arg_string, &pk_user_id, + "principal's public/private/certificate identifier", + "id" }, + + { "x509-anchors", 'D', arg_string, &pk_x509_anchors, + "directory with CA certificates", "directory" }, + + { "pkinit-use-dh", 0, arg_flag, &pk_use_dh, + "make pkinit use DH" }, +#endif { "version", 0, arg_flag, &version_flag }, { "help", 0, arg_flag, &help_flag } }; @@ -274,13 +310,13 @@ get_server(krb5_context context, KRB5_TGS_NAME, *client_realm, NULL); } -#ifdef KRB4 static krb5_error_code do_524init(krb5_context context, krb5_ccache ccache, krb5_creds *creds, const char *server) { krb5_error_code ret; - CREDENTIALS c; + + struct credentials c; krb5_creds in_creds, *real_creds; if(creds != NULL) @@ -305,9 +341,9 @@ do_524init(krb5_context context, krb5_ccache ccache, if(ret) krb5_warn(context, ret, "converting creds"); else { - int tret = tf_setup(&c, c.pname, c.pinst); + krb5_error_code tret = _krb5_krb_tf_setup(context, &c, NULL, 0); if(tret) - krb5_warnx(context, "saving v4 creds: %s", krb_get_err_text(tret)); + krb5_warn(context, tret, "saving v4 creds"); } if(creds == NULL) @@ -316,7 +352,6 @@ do_524init(krb5_context context, krb5_ccache ccache, return ret; } -#endif static int renew_validate(krb5_context context, @@ -374,11 +409,9 @@ renew_validate(krb5_context context, ret = krb5_cc_store_cred(context, cache, out); if(ret == 0 && server == NULL) { -#ifdef KRB4 /* only do this if it's a general renew-my-tgt request */ if(get_v4_tgt) do_524init(context, cache, out, NULL); -#endif if(do_afslog && k_hasafs()) krb5_afslog(context, cache, NULL, NULL); } @@ -389,7 +422,7 @@ renew_validate(krb5_context context, goto out; } out: - krb5_free_creds_contents(context, &in); + krb5_free_cred_contents(context, &in); return ret; } 
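Review bot: `c` in do_524init (@@ -274 and @@ -305 hunks) is a stack `struct credentials` that is handed to `_krb5_krb_tf_setup` after the 524 conversion and presumably carries the v4 session key, yet nothing between the conversion and `return ret` (@@ -316 hunk) clears it, so the key stays in stack memory after the function returns. A `memset(&c, 0, sizeof(c));` on the way out keeps this path consistent with how kinit wipes `passwd`, with the caveat that a plain memset on a dying buffer may be optimized away, so prefer a non-elidable clear if the tree has one. do_524init's body is split across these hunks.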
@@ -397,49 +430,73 @@ static krb5_error_code get_new_tickets(krb5_context context, krb5_principal principal, krb5_ccache ccache, - krb5_deltat ticket_life) + krb5_deltat ticket_life, + int interactive) { krb5_error_code ret; - krb5_get_init_creds_opt opt; + krb5_get_init_creds_opt *opt; krb5_addresses no_addrs; krb5_creds cred; char passwd[256]; krb5_deltat start_time = 0; krb5_deltat renew = 0; + char *renewstr = NULL; memset(&cred, 0, sizeof(cred)); - krb5_get_init_creds_opt_init (&opt); + ret = krb5_get_init_creds_opt_alloc (context, &opt); + if (ret) + krb5_err(context, 1, ret, "krb5_get_init_creds_opt_alloc"); krb5_get_init_creds_opt_set_default_flags(context, "kinit", - /* XXX */principal->realm, &opt); + /* XXX */principal->realm, opt); if(forwardable_flag != -1) - krb5_get_init_creds_opt_set_forwardable (&opt, forwardable_flag); + krb5_get_init_creds_opt_set_forwardable (opt, forwardable_flag); if(proxiable_flag != -1) - krb5_get_init_creds_opt_set_proxiable (&opt, proxiable_flag); + krb5_get_init_creds_opt_set_proxiable (opt, proxiable_flag); if(anonymous_flag != -1) - krb5_get_init_creds_opt_set_anonymous (&opt, anonymous_flag); + krb5_get_init_creds_opt_set_anonymous (opt, anonymous_flag); + if (pac_flag != -1) + krb5_get_init_creds_opt_set_pac_request(context, opt, + pac_flag ? 
TRUE : FALSE); + if (pk_user_id) { + int flags = 0; + if (pk_use_dh == 1) + flags |= 1; + ret = krb5_get_init_creds_opt_set_pkinit(context, opt, + principal, + pk_user_id, + pk_x509_anchors, + flags, + NULL, + NULL, + NULL); + if (ret) + krb5_err(context, 1, ret, "krb5_get_init_creds_opt_set_pkinit"); + } if (!addrs_flag) { no_addrs.len = 0; no_addrs.val = NULL; - krb5_get_init_creds_opt_set_address_list (&opt, &no_addrs); + krb5_get_init_creds_opt_set_address_list (opt, &no_addrs); } if (renew_life == NULL && renewable_flag) - renew_life = "1 month"; - if(renew_life) { - renew = parse_time (renew_life, "s"); + renewstr = "1 month"; + if (renew_life) + renewstr = renew_life; + if (renewstr) { + renew = parse_time (renewstr, "s"); if (renew < 0) - errx (1, "unparsable time: %s", renew_life); - - krb5_get_init_creds_opt_set_renew_life (&opt, renew); + errx (1, "unparsable time: %s", renewstr); + + krb5_get_init_creds_opt_set_renew_life (opt, renew); } if(ticket_life != 0) - krb5_get_init_creds_opt_set_tkt_life (&opt, ticket_life); + krb5_get_init_creds_opt_set_tkt_life (opt, ticket_life); if(start_str) { int tmp = parse_time (start_str, "s"); @@ -462,7 +519,7 @@ get_new_tickets(krb5_context context, if(ret) errx(1, "unrecognized enctype: %s", etype_str.strings[i]); } - krb5_get_init_creds_opt_set_etype_list(&opt, enctype, + krb5_get_init_creds_opt_set_etype_list(opt, enctype, etype_str.num_strings); } @@ -480,8 +537,22 @@ get_new_tickets(krb5_context context, kt, start_time, server, - &opt); + opt); krb5_kt_close(context, kt); + } else if (pk_user_id) { + ret = krb5_get_init_creds_password (context, + &cred, + principal, + NULL, + krb5_prompter_posix, + NULL, + start_time, + server, + opt); + } else if (!interactive) { + krb5_warnx(context, "Not interactive, failed to get initial ticket"); + krb5_get_init_creds_opt_free(opt); + return 0; } else { char *p, *prompt; 
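Review bot: `flags |= 1` in the new PKINIT branch of get_new_tickets passes a magic bit to `krb5_get_init_creds_opt_set_pkinit` with no name attached; if the library defines a constant for the use-DH flag it should be used here, otherwise a local `enum { PKINIT_FLAG_USE_DH = 1 }` with a comment keeps the meaning next to the value. The branch only runs when `pk_user_id` is set, so `pk_x509_anchors` on its own is silently ignored; a one-line comment saying anchors are only meaningful together with `--pk-user` would spare the next reader a search. The function continues past this hunk.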
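Review bot: The new `!interactive` branch in the @@ -480 hunk warns that no initial ticket could be obtained and then does `return 0`, the same value the success path returns at the end of get_new_tickets, so a caller cannot tell the two apart; `renew_func` (added later in this file) ignores the result today, but the contract should not report success for a failure. Returning a non-zero value (e.g. `return 1;`) and documenting the return in the function's header comment would make the non-interactive renewal failure observable. get_new_tickets starts and ends outside this hunk.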
@@ -489,13 +560,13 @@ get_new_tickets(krb5_context context, asprintf (&prompt, "%s's Password: ", p); free (p); - if (des_read_pw_string(passwd, sizeof(passwd)-1, prompt, 0)){ + if (UI_UTIL_read_pw_string(passwd, sizeof(passwd)-1, prompt, 0)){ memset(passwd, 0, sizeof(passwd)); exit(1); } free (prompt); - + ret = krb5_get_init_creds_password (context, &cred, principal, @@ -504,8 +575,9 @@ get_new_tickets(krb5_context context, NULL, start_time, server, - &opt); + opt); } + krb5_get_init_creds_opt_free(opt); #ifdef KRB4 if (ret == KRB5KRB_AP_ERR_V4_REPLY || ret == KRB5_KDC_UNREACH) { int exit_val; @@ -536,17 +608,17 @@ get_new_tickets(krb5_context context, if(ticket_life != 0) { if(abs(cred.times.endtime - cred.times.starttime - ticket_life) > 30) { - char life[32]; - unparse_time(cred.times.endtime - cred.times.starttime, - life, sizeof(life)); + char life[64]; + unparse_time_approx(cred.times.endtime - cred.times.starttime, + life, sizeof(life)); krb5_warnx(context, "NOTICE: ticket lifetime is %s", life); } } - if(renew != 0) { + if(renew_life) { if(abs(cred.times.renew_till - cred.times.starttime - renew) > 30) { - char life[32]; - unparse_time(cred.times.renew_till - cred.times.starttime, - life, sizeof(life)); + char life[64]; + unparse_time_approx(cred.times.renew_till - cred.times.starttime, + life, sizeof(life)); krb5_warnx(context, "NOTICE: ticket renewable lifetime is %s", life); } 
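Review bot: `passwd` is filled by `UI_UTIL_read_pw_string` and handed to `krb5_get_init_creds_password`, but the only wipe visible is the `memset` on the read-failure path; if the successful path does not clear it after the call (not visible in this hunk), add `memset(passwd, 0, sizeof(passwd));` directly after the `krb5_get_init_creds_password` call so the password does not remain in stack memory for the rest of the program. Both memsets are candidates for elision by the optimizer on a buffer about to go out of scope; if the tree has a non-elidable clear, use it here. The `asprintf(&prompt, …)` result on the context line is still unchecked, so an allocation failure passes a NULL prompt down. get_new_tickets continues past this hunk.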
@@ -560,11 +632,79 @@ get_new_tickets(krb5_context context, if (ret) krb5_err (context, 1, ret, "krb5_cc_store_cred"); - krb5_free_creds_contents (context, &cred); + krb5_free_cred_contents (context, &cred); return 0; } +static time_t +ticket_lifetime(krb5_context context, krb5_ccache cache, + krb5_principal client, const char *server) +{ + krb5_creds in_cred, *cred; + krb5_error_code ret; + time_t timeout; + + memset(&in_cred, 0, sizeof(in_cred)); + + ret = krb5_cc_get_principal(context, cache, &in_cred.client); + if(ret) { + krb5_warn(context, ret, "krb5_cc_get_principal"); + return 0; + } + ret = get_server(context, in_cred.client, server, &in_cred.server); + if(ret) { + krb5_free_principal(context, in_cred.client); + krb5_warn(context, ret, "get_server"); + return 0; + } + + ret = krb5_get_credentials(context, KRB5_GC_CACHED, + cache, &in_cred, &cred); + krb5_free_principal(context, in_cred.client); + krb5_free_principal(context, in_cred.server); + if(ret) { + krb5_warn(context, ret, "krb5_get_credentials"); + return 0; + } + timeout = cred->times.endtime - cred->times.starttime; + if (timeout < 0) + timeout = 0; + krb5_free_creds(context, cred); + return timeout; +} + +struct renew_ctx { + krb5_context context; + krb5_ccache ccache; + krb5_principal principal; + krb5_deltat ticket_life; +}; + +static time_t +renew_func(void *ptr) +{ + struct renew_ctx *ctx = ptr; + krb5_error_code ret; + time_t expire; + + + ret = renew_validate(ctx->context, renewable_flag, validate_flag, + ctx->ccache, server, ctx->ticket_life); + if (ret) + get_new_tickets(ctx->context, ctx->principal, + ctx->ccache, ctx->ticket_life, 0); + + if(get_v4_tgt || convert_524) + do_524init(ctx->context, ctx->ccache, NULL, server); + if(do_afslog && k_hasafs()) + krb5_afslog(ctx->context, ctx->ccache, NULL, NULL); + + expire = ticket_lifetime(ctx->context, ctx->ccache, ctx->principal, + server) / 2; + return expire + 1; +} + int main (int argc, char **argv) { 
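Review bot: `ticket_lifetime` returns `endtime - starttime`, the ticket's full lifetime, but `renew_func` and main use the value as the delay until the next renewal; after a failed renewal (`renew_validate` error followed by the non-interactive `get_new_tickets`, which returns without tickets) the cached ticket is older than that figure implies, so the next callback can fire after it has already expired, and `timeout = cred->times.endtime - time(NULL);` measures what the callers actually need. When `ticket_lifetime` fails it returns 0, so `renew_func` returns `expire + 1` = 1 and, assuming `simple_execvp_timed` re-arms on the returned interval, the callback re-runs every second and retries the KDC in a tight loop for as long as the command runs; a floor such as `if (expire < 60) expire = 60;` (constructed value) bounds that. The `client` parameter of `ticket_lifetime` is unused, since the function reads the principal back from the cache instead.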
@@ -576,7 +716,9 @@ main (int argc, char **argv) krb5_deltat ticket_life = 0; ret = krb5_init_context (&context); - if (ret) + if (ret == KRB5_CONFIG_BADFORMAT) + errx (1, "krb5_init_context failed to parse configuration file"); + else if (ret) errx(1, "krb5_init_context failed: %d", ret); if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind)) @@ -618,23 +760,25 @@ main (int argc, char **argv) krb5_cc_get_type(context, ccache), krb5_cc_get_name(context, ccache)); setenv("KRB5CCNAME", s, 1); -#ifdef KRB4 - { + if (get_v4_tgt) { int fd; - snprintf(s, sizeof(s), "%s_XXXXXXXXXX", TKT_ROOT); - if((fd = mkstemp(s)) >= 0) { + if (asprintf(&krb4_cc_name, "%s_XXXXXXXXXXX", TKT_ROOT) < 0) + krb5_errx(context, 1, "out of memory"); + if((fd = mkstemp(krb4_cc_name)) >= 0) { close(fd); - setenv("KRBTKFILE", s, 1); + setenv("KRBTKFILE", krb4_cc_name, 1); + } else { + free(krb4_cc_name); + krb4_cc_name = NULL; } } -#endif } else ret = krb5_cc_default (context, &ccache); } if (ret) krb5_err (context, 1, ret, "resolving credentials cache"); - if (argc > 1 && k_hasafs ()) + if(argc > 1 && k_hasafs ()) k_setpag(); if (lifetime) { 
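Review bot: When `mkstemp` fails in the @@ -618 hunk the new code frees `krb4_cc_name` and continues silently, so `KRBTKFILE` keeps whatever the environment already held and the v4 ticket presumably lands in a file kinit did not create with a private mode; at least warn before giving up, `krb5_warn(context, errno, "mkstemp %s", krb4_cc_name);` placed before the `free`. The `close(fd)` result is unchecked, which is harmless here since nothing was written to the descriptor. main continues past the hunk.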
@@ -644,17 +788,32 @@ main (int argc, char **argv) ticket_life = tmp; } -#ifdef KRB4 + if(renewable_flag == -1) + /* this seems somewhat pointless, but whatever */ + krb5_appdefault_boolean(context, "kinit", + krb5_principal_get_realm(context, principal), + "renewable", FALSE, &renewable_flag); if(get_v4_tgt == -1) krb5_appdefault_boolean(context, "kinit", - (krb5_realm)krb5_principal_get_realm(context, principal), - "krb4_get_tickets", TRUE, &get_v4_tgt); -#endif + krb5_principal_get_realm(context, principal), + "krb4_get_tickets", FALSE, &get_v4_tgt); if(do_afslog == -1) krb5_appdefault_boolean(context, "kinit", krb5_principal_get_realm(context, principal), "afslog", TRUE, &do_afslog); + if (pk_x509_anchors == NULL) + krb5_appdefault_string(context, "kinit", + krb5_principal_get_realm(context, principal), + "pkinit-anchors", NULL, &pk_x509_anchors); + +#ifdef PKINIT + if(pk_use_dh == -1) + krb5_appdefault_boolean(context, "kinit", + krb5_principal_get_realm(context, principal), + "pkinit-use-dh", FALSE, &pk_use_dh); +#endif + if(!addrs_flag && extra_addresses.num_strings > 0) krb5_errx(context, 1, "specifying both extra addresses and " "no addresses makes no sense"); 
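Review bot: The `pkinit-anchors` lookup sits outside `#ifdef PKINIT` while the neighbouring `pkinit-use-dh` lookup is inside it, so a build without PKINIT still reads (and allocates through `krb5_appdefault_string`) a setting it cannot use; move it under the same `#ifdef`. The default for `krb4_get_tickets` flips from `TRUE` to `FALSE` in this hunk, a behaviour change for users who relied on the old default, presumably because the `KRB4` build option is gone; it deserves a line in the man page and a comment here such as `/* v4 tickets are opt-in now that KRB4 is no longer a build option */`. The comment `this seems somewhat pointless, but whatever` should say what is pointless or be removed. main continues past the hunk.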
@@ -673,46 +832,41 @@ main (int argc, char **argv) free_getarg_strings(&extra_addresses); } - if(renew_flag || validate_flag) { ret = renew_validate(context, renew_flag, validate_flag, ccache, server, ticket_life); exit(ret != 0); } -#ifdef KRB4 if(!convert_524) -#endif - get_new_tickets(context, principal, ccache, ticket_life); + get_new_tickets(context, principal, ccache, ticket_life, 1); -#ifdef KRB4 - if(get_v4_tgt) + if(get_v4_tgt || convert_524) do_524init(context, ccache, NULL, server); -#endif if(do_afslog && k_hasafs()) krb5_afslog(context, ccache, NULL, NULL); if(argc > 1) { - pid_t pid = fork(); - if(pid == 0) { - execvp(argv[1], argv+1); - exit(1); - } - while(1) { - int status; - while(waitpid(pid, &status, 0) < 0) - if(errno != EINTR) - break; - if(WIFSTOPPED(status)) - continue; - if(WIFEXITED(status)) - break; - if(WIFSIGNALED(status)) - break; - } + struct renew_ctx ctx; + time_t timeout; + + timeout = ticket_lifetime(context, ccache, principal, server) / 2; + + ctx.context = context; + ctx.ccache = ccache; + ctx.principal = principal; + ctx.ticket_life = ticket_life; + + ret = simple_execvp_timed(argv[1], argv+1, + renew_func, &ctx, timeout); +#define EX_NOEXEC 126 +#define EX_NOTFOUND 127 + if(ret == EX_NOEXEC) + krb5_warnx(context, "permission denied: %s", argv[1]); + else if(ret == EX_NOTFOUND) + krb5_warnx(context, "command not found: %s", argv[1]); + krb5_cc_destroy(context, ccache); -#ifdef KRB4 - dest_tkt(); -#endif + _krb5_krb_dest_tkt(context, krb4_cc_name); if(k_hasafs()) k_unlog(); } else { diff --git a/kerberosV/src/kuser/klist.1 b/kerberosV/src/kuser/klist.1 index 9071a39483a..156f47a449a 100644 --- a/kerberosV/src/kuser/klist.1 +++ b/kerberosV/src/kuser/klist.1 @@ -1,4 +1,4 @@ -.\" Copyright (c) 2000 - 2002 Kungliga Tekniska Högskolan +.\" Copyright (c) 2000 - 2004 Kungliga Tekniska Högskolan .\" (Royal Institute of Technology, Stockholm, Sweden). .\" All rights reserved. .\" 
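Review bot: `_krb5_krb_dest_tkt(context, krb4_cc_name)` now runs unconditionally after the command exits, including when `krb4_cc_name` is NULL because no v4 ticket was requested or `mkstemp` failed; unless the helper treats NULL as a no-op (it is not visible here), that removes a pre-existing default v4 ticket file kinit never created, as the old `dest_tkt()` also did, so guard it: `if (krb4_cc_name) _krb5_krb_dest_tkt(context, krb4_cc_name);`. The `#define EX_NOEXEC 126` / `#define EX_NOTFOUND 127` inside main's body are file-scope constants in disguise; an `enum` next to the other globals reads better and avoids a surprise if sysexits.h-style names are ever included. main continues past the hunk.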
@@ -29,9 +29,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $KTH: klist.1,v 1.12 2003/02/16 21:10:26 lha Exp $ +.\" $KTH: klist.1,v 1.14 2004/12/08 17:40:10 lha Exp $ .\" -.Dd July 8, 2000 +.Dd December 8, 2004 .Dt KLIST 1 .Os HEIMDAL .Sh NAME @@ -39,6 +39,7 @@ .Nd list Kerberos credentials .Sh SYNOPSIS .Nm +.Bk -words .Oo Fl c Ar cache \*(Ba Xo .Fl -cache= Ns Ar cache .Xc @@ -51,6 +52,7 @@ .Op Fl f .Op Fl -version .Op Fl -help +.Ek .Sh DESCRIPTION .Nm reads and displays the current tickets in the credential cache (also diff --git a/kerberosV/src/kuser/klist.c b/kerberosV/src/kuser/klist.c index bc6a5356bb2..791f76f77c0 100644 --- a/kerberosV/src/kuser/klist.c +++ b/kerberosV/src/kuser/klist.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -34,13 +34,13 @@ #include "kuser_locl.h" #include "rtbl.h" -RCSID("$KTH: klist.c,v 1.68.2.2 2003/10/13 15:13:39 joda Exp $"); +RCSID("$KTH: klist.c,v 1.76 2005/04/24 19:47:44 lha Exp $"); static char* printable_time(time_t t) { static char s[128]; - strlcpy(s, ctime(&t)+ 4, sizeof s); + strlcpy(s, ctime(&t)+ 4, sizeof(s)); s[15] = 0; return s; } @@ -49,7 +49,7 @@ static char* printable_time_long(time_t t) { static char s[128]; - strlcpy(s, ctime(&t)+ 4, sizeof s); + strlcpy(s, ctime(&t)+ 4, sizeof(s)); s[20] = 0; return s; } @@ -150,10 +150,7 @@ print_cred_verbose(krb5_context context, krb5_creds *cred) printf(", kvno %d", *t.enc_part.kvno); printf("\n"); if(cred->session.keytype != t.enc_part.etype) { - ret = krb5_keytype_to_string(context, cred->session.keytype, &str); - if(ret == KRB5_PROG_KEYTYPE_NOSUPP) - ret = krb5_enctype_to_string(context, cred->session.keytype, - &str); + ret = krb5_enctype_to_string(context, cred->session.keytype, &str); if(ret) krb5_warn(context, ret, "session keytype"); else { 
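Review bot: `ctime(&t)+ 4` in `printable_time` and `printable_time_long` (klist.c @@ -34 hunk) dereferences the result of `ctime` without a NULL check; `ctime` returns NULL for a `time_t` it cannot format, and these values come straight from a credential cache file, so a corrupted or hostile cache turns a listing into a crash. The hunk only swaps `sizeof s` for `sizeof(s)`, but since it touches both lines, `const char *c = ctime(&t); if (c == NULL) return "(bad time)";` (constructed string) before the `strlcpy` is a cheap guard. Both functions hand back a `static` buffer, which suits this single-threaded tool but merits a one-line comment on each.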
@@ -270,8 +267,7 @@ print_tickets (krb5_context context, if(do_flags) rtbl_add_column(ct, COL_FLAGS, 0); rtbl_add_column(ct, COL_PRINCIPAL, 0); - rtbl_set_prefix(ct, " "); - rtbl_set_column_prefix(ct, COL_ISSUED, ""); + rtbl_set_separator(ct, " "); } while ((ret = krb5_cc_next_cred (context, ccache, @@ -282,7 +278,7 @@ print_tickets (krb5_context context, }else{ print_cred(context, &creds, ct, do_flags); } - krb5_free_creds_contents (context, &creds); + krb5_free_cred_contents (context, &creds); } if(ret != KRB5_CC_END) krb5_err(context, 1, ret, "krb5_cc_get_next"); @@ -311,6 +307,8 @@ check_for_tgt (krb5_context context, krb5_realm *client_realm; int expired; + krb5_cc_clear_mcred(&pattern); + client_realm = krb5_princ_realm (context, principal); ret = krb5_make_principal (context, &pattern.server, @@ -318,11 +316,12 @@ check_for_tgt (krb5_context context, NULL); if (ret) krb5_err (context, 1, ret, "krb5_make_principal"); + pattern.client = principal; ret = krb5_cc_retrieve_cred (context, ccache, 0, &pattern, &creds); expired = time(NULL) > creds.times.endtime; krb5_free_principal (context, pattern.server); - krb5_free_creds_contents (context, &creds); + krb5_free_cred_contents (context, &creds); if (ret) { if (ret == KRB5_CC_END) return 1; diff --git a/kerberosV/src/kuser/kverify.c b/kerberosV/src/kuser/kverify.c index 324d02be773..dd6b0f1d52b 100644 --- a/kerberosV/src/kuser/kverify.c +++ b/kerberosV/src/kuser/kverify.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include "kuser_locl.h" -RCSID("$KTH: kverify.c,v 1.6 2001/08/24 01:08:13 assar Exp $"); +RCSID("$KTH: kverify.c,v 1.9 2004/04/25 19:25:33 joda Exp $"); static int help_flag = 0; static int version_flag = 0; 
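Review bot: In `check_for_tgt` (@@ -318 hunk) `creds.times.endtime` is read and `krb5_free_cred_contents(context, &creds)` is called before `ret` from `krb5_cc_retrieve_cred` is examined; on failure `creds` holds whatever the callee left in it, and unless it is zeroed earlier in the function (not visible here) this reads uninitialized memory and frees garbage pointers. Test `ret` first and only touch `creds` on success: move the `if (ret)` block directly after the retrieve call, keeping `krb5_free_principal (context, pattern.server);` on both paths. check_for_tgt starts outside the hunk.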
@@ -60,7 +60,7 @@ main(int argc, char **argv) krb5_error_code ret; krb5_creds cred; krb5_preauthtype pre_auth_types[] = {KRB5_PADATA_ENC_TIMESTAMP}; - krb5_get_init_creds_opt get_options; + krb5_get_init_creds_opt *get_options; krb5_verify_init_creds_opt verify_options; int optind = 0; @@ -79,9 +79,11 @@ main(int argc, char **argv) if (ret) errx (1, "krb5_init_context failed: %d", ret); - krb5_get_init_creds_opt_init (&get_options); + ret = krb5_get_init_creds_opt_alloc (context, &get_options); + if (ret) + krb5_err(context, 1, ret, "krb5_get_init_creds_opt_alloc"); - krb5_get_init_creds_opt_set_preauth_list (&get_options, + krb5_get_init_creds_opt_set_preauth_list (get_options, pre_auth_types, 1); @@ -95,7 +97,7 @@ main(int argc, char **argv) NULL, 0, NULL, - &get_options); + get_options); if (ret) errx (1, "krb5_get_init_creds: %s", krb5_get_err_text(context, ret)); @@ -108,7 +110,7 @@ main(int argc, char **argv) if (ret) errx (1, "krb5_verify_init_creds: %s", krb5_get_err_text(context, ret)); - krb5_free_creds_contents (context, &cred); + krb5_free_cred_contents (context, &cred); krb5_free_context (context); return 0; } diff --git a/kerberosV/src/lib/asn1/asn1_print.c b/kerberosV/src/lib/asn1/asn1_print.c index c3689179ff0..e01c4cd6dbc 100644 --- a/kerberosV/src/lib/asn1/asn1_print.c +++ b/kerberosV/src/lib/asn1/asn1_print.c @@ -38,7 +38,7 @@ #include <getarg.h> #include <err.h> -RCSID("$KTH: asn1_print.c,v 1.11 2002/08/29 20:45:35 assar Exp $"); +RCSID("$KTH: asn1_print.c,v 1.16 2005/05/29 14:23:00 lha Exp $"); const char *class_names[] = { "UNIV", /* 0 */ @@ -63,7 +63,7 @@ const char *tag_names[] = { NULL, /* 7 */ NULL, /* 8 */ NULL, /* 9 */ - NULL, /* 10 */ + "Enumerated", /* 10 */ NULL, /* 11 */ NULL, /* 12 */ NULL, /* 13 */ 
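Review bot: `get_options` in kverify.c is now heap-allocated by `krb5_get_init_creds_opt_alloc` (@@ -79 hunk) but nothing in main frees it; `krb5_free_context` at the end does not own it. Add `krb5_get_init_creds_opt_free(get_options);` before `krb5_free_context (context);` in the @@ -108 hunk so the pairing is visible, even though the process exits right after. The body of main continues between the hunks.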
@@ -116,10 +116,10 @@ loop (unsigned char *buf, size_t len, int indent) buf += sz; len -= sz; - if (class == CONTEXT) { + if (class == ASN1_C_CONTEXT) { printf ("[%d]\n", tag); loop (buf, length, indent); - } else if (class == UNIV) { + } else if (class == ASN1_C_UNIV) { switch (tag) { case UT_Sequence : printf ("{\n"); @@ -138,24 +138,30 @@ loop (unsigned char *buf, size_t len, int indent) break; } case UT_OctetString : { - octet_string str; + heim_octet_string str; int i; unsigned char *uc; ret = der_get_octet_string (buf, length, &str, NULL); if (ret) errx (1, "der_get_octet_string: %s", error_message (ret)); - printf ("(length %lu), ", (unsigned long)length); + printf ("(length %lu)%s", (unsigned long)str.length, + str.length > 0 ? ", " : ""); uc = (unsigned char *)str.data; - for (i = 0; i < 16; ++i) + length = str.length; + if (length > 16) + length = 16; + for (i = 0; i < length; ++i) printf ("%02x", uc[i]); printf ("\n"); free (str.data); break; } case UT_GeneralizedTime : + case UT_IA5String: + case UT_UTF8String : case UT_GeneralString : { - general_string str; + heim_general_string str; ret = der_get_general_string (buf, length, &str, NULL); if (ret) @@ -166,7 +172,7 @@ loop (unsigned char *buf, size_t len, int indent) break; } case UT_OID: { - oid o; + heim_oid o; int i; ret = der_get_oid(buf, length, &o, NULL); @@ -180,6 +186,16 @@ loop (unsigned char *buf, size_t len, int indent) free_oid(&o); break; } + case UT_Enumerated: { + unsigned num; + + ret = der_get_int (buf, length, &num, NULL); + if (ret) + errx (1, "der_get_enum: %s", error_message (ret)); + + printf("%u\n", num); + break; + } default : printf ("%lu bytes\n", (unsigned long)length); break; diff --git a/kerberosV/src/lib/asn1/der_copy.c b/kerberosV/src/lib/asn1/der_copy.c index 0f8efc6af87..f5482912cc3 100644 --- a/kerberosV/src/lib/asn1/der_copy.c +++ b/kerberosV/src/lib/asn1/der_copy.c 
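Review bot: The `UT_OctetString` case in the @@ -138 hunk now overwrites `length` with `min(str.length, 16)` to bound the hex dump; if `length` is still used after the `switch` to advance `buf`/`len` to the next element (the end of `loop` is outside this hunk), every octet string longer than 16 bytes desynchronises the walk, so use a separate local: `size_t dump = str.length > 16 ? 16 : str.length; for (i = 0; i < dump; ++i)`. In the new `UT_Enumerated` case `num` is `unsigned` while the call is `der_get_int` and the error text says `der_get_enum`; if `der_get_int` takes an `int *`, this is a pointer-type mismatch and `der_get_unsigned` would be the matching call. The string cases (`UT_IA5String`, `UT_UTF8String`, `UT_GeneralString`) print decoded data from arbitrary input to the terminal; since this is a dump tool for untrusted DER, escaping non-printable bytes before printing would keep control sequences out of the output.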
@@ -33,10 +33,10 @@ #include "der_locl.h" -RCSID("$KTH: der_copy.c,v 1.10 2003/04/17 07:13:08 lha Exp $"); +RCSID("$KTH: der_copy.c,v 1.12 2003/11/07 07:39:43 lha Exp $"); int -copy_general_string (const general_string *from, general_string *to) +copy_general_string (const heim_general_string *from, heim_general_string *to) { *to = strdup(*from); if(*to == NULL) @@ -45,7 +45,7 @@ copy_general_string (const general_string *from, general_string *to) } int -copy_octet_string (const octet_string *from, octet_string *to) +copy_octet_string (const heim_octet_string *from, heim_octet_string *to) { to->length = from->length; to->data = malloc(to->length); @@ -56,12 +56,13 @@ copy_octet_string (const octet_string *from, octet_string *to) } int -copy_oid (const oid *from, oid *to) +copy_oid (const heim_oid *from, heim_oid *to) { to->length = from->length; to->components = malloc(to->length * sizeof(*to->components)); if (to->length != 0 && to->components == NULL) return ENOMEM; - memcpy(to->components, from->components, to->length * sizeof(*to->components)); + memcpy(to->components, from->components, + to->length * sizeof(*to->components)); return 0; } diff --git a/kerberosV/src/lib/asn1/der_put.c b/kerberosV/src/lib/asn1/der_put.c index 4aa54dc759c..3388ed8d536 100644 --- a/kerberosV/src/lib/asn1/der_put.c +++ b/kerberosV/src/lib/asn1/der_put.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include "der_locl.h" -RCSID("$KTH: der_put.c,v 1.28 2003/04/17 07:12:24 lha Exp $"); +RCSID("$KTH: der_put.c,v 1.32 2005/05/29 14:23:01 lha Exp $"); /* * All encoding functions take a pointer `p' to first position in 
@@ -133,8 +133,21 @@ der_put_length (unsigned char *p, size_t len, size_t val, size_t *size) } int +der_put_boolean(unsigned char *p, size_t len, const int *data, size_t *size) +{ + if(len < 1) + return ASN1_OVERFLOW; + if(*data != 0) + *p = 0xff; + else + *p = 0; + *size = 1; + return 0; +} + +int der_put_general_string (unsigned char *p, size_t len, - const general_string *str, size_t *size) + const heim_general_string *str, size_t *size) { size_t slen = strlen(*str); @@ -149,7 +162,7 @@ der_put_general_string (unsigned char *p, size_t len, int der_put_octet_string (unsigned char *p, size_t len, - const octet_string *data, size_t *size) + const heim_octet_string *data, size_t *size) { if (len < data->length) return ASN1_OVERFLOW; @@ -162,7 +175,7 @@ der_put_octet_string (unsigned char *p, size_t len, int der_put_oid (unsigned char *p, size_t len, - const oid *data, size_t *size) + const heim_oid *data, size_t *size) { unsigned char *base = p; int n; @@ -226,6 +239,30 @@ der_put_length_and_tag (unsigned char *p, size_t len, size_t len_val, } int +encode_boolean (unsigned char *p, size_t len, const int *data, + size_t *size) +{ + size_t ret = 0; + size_t l; + int e; + + e = der_put_boolean (p, len, data, &l); + if(e) + return e; + p -= l; + len -= l; + ret += l; + e = der_put_length_and_tag (p, len, l, ASN1_C_UNIV, PRIM, UT_Boolean, &l); + if (e) + return e; + p -= l; + len -= l; + ret += l; + *size = ret; + return 0; +} + +int encode_integer (unsigned char *p, size_t len, const int *data, size_t *size) { int num = *data; @@ -239,7 +276,7 @@ encode_integer (unsigned char *p, size_t len, const int *data, size_t *size) p -= l; len -= l; ret += l; - e = der_put_length_and_tag (p, len, l, UNIV, PRIM, UT_Integer, &l); + e = der_put_length_and_tag (p, len, l, ASN1_C_UNIV, PRIM, UT_Integer, &l); if (e) return e; p -= l; 
@@ -264,7 +301,16 @@ encode_unsigned (unsigned char *p, size_t len, const unsigned *data, p -= l; len -= l; ret += l; - e = der_put_length_and_tag (p, len, l, UNIV, PRIM, UT_Integer, &l); + /* if first octet has msb set, we need to pad with a zero byte */ + if(p[1] >= 128) { + if(len == 0) + return ASN1_OVERFLOW; + *p-- = 0; + len--; + ret++; + l++; + } + e = der_put_length_and_tag (p, len, l, ASN1_C_UNIV, PRIM, UT_Integer, &l); if (e) return e; p -= l; @@ -289,7 +335,7 @@ encode_enumerated (unsigned char *p, size_t len, const unsigned *data, p -= l; len -= l; ret += l; - e = der_put_length_and_tag (p, len, l, UNIV, PRIM, UT_Enumerated, &l); + e = der_put_length_and_tag (p, len, l, ASN1_C_UNIV, PRIM, UT_Enumerated, &l); if (e) return e; p -= l; @@ -301,7 +347,7 @@ encode_enumerated (unsigned char *p, size_t len, const unsigned *data, int encode_general_string (unsigned char *p, size_t len, - const general_string *data, size_t *size) + const heim_general_string *data, size_t *size) { size_t ret = 0; size_t l; @@ -313,7 +359,7 @@ encode_general_string (unsigned char *p, size_t len, p -= l; len -= l; ret += l; - e = der_put_length_and_tag (p, len, l, UNIV, PRIM, UT_GeneralString, &l); + e = der_put_length_and_tag (p, len, l, ASN1_C_UNIV, PRIM, UT_GeneralString, &l); if (e) return e; p -= l; @@ -325,7 +371,7 @@ encode_general_string (unsigned char *p, size_t len, int encode_octet_string (unsigned char *p, size_t len, - const octet_string *k, size_t *size) + const heim_octet_string *k, size_t *size) { size_t ret = 0; size_t l; @@ -337,7 +383,7 @@ encode_octet_string (unsigned char *p, size_t len, p -= l; len -= l; ret += l; - e = der_put_length_and_tag (p, len, l, UNIV, PRIM, UT_OctetString, &l); + e = der_put_length_and_tag (p, len, l, ASN1_C_UNIV, PRIM, UT_OctetString, &l); if (e) return e; p -= l; 
@@ -349,7 +395,7 @@ encode_octet_string (unsigned char *p, size_t len, int encode_oid(unsigned char *p, size_t len, - const oid *k, size_t *size) + const heim_oid *k, size_t *size) { size_t ret = 0; size_t l; @@ -361,7 +407,7 @@ encode_oid(unsigned char *p, size_t len, p -= l; len -= l; ret += l; - e = der_put_length_and_tag (p, len, l, UNIV, PRIM, UT_OID, &l); + e = der_put_length_and_tag (p, len, l, ASN1_C_UNIV, PRIM, UT_OID, &l); if (e) return e; p -= l; @@ -372,7 +418,7 @@ encode_oid(unsigned char *p, size_t len, } int -time2generalizedtime (time_t t, octet_string *s) +time2generalizedtime (time_t t, heim_octet_string *s) { struct tm *tm; size_t len; @@ -397,7 +443,7 @@ encode_generalized_time (unsigned char *p, size_t len, { size_t ret = 0; size_t l; - octet_string k; + heim_octet_string k; int e; e = time2generalizedtime (*t, &k); @@ -410,7 +456,7 @@ encode_generalized_time (unsigned char *p, size_t len, p -= l; len -= l; ret += l; - e = der_put_length_and_tag (p, len, k.length, UNIV, PRIM, + e = der_put_length_and_tag (p, len, k.length, ASN1_C_UNIV, PRIM, UT_GeneralizedTime, &l); if (e) return e; diff --git a/kerberosV/src/lib/asn1/gen.c b/kerberosV/src/lib/asn1/gen.c index 6d556ff269a..b08fe0f15fd 100644 --- a/kerberosV/src/lib/asn1/gen.c +++ b/kerberosV/src/lib/asn1/gen.c @@ -33,7 +33,7 @@ #include "gen_locl.h" -RCSID("$KTH: gen.c,v 1.50 2003/04/17 07:09:18 lha Exp $"); +RCSID("$KTH: gen.c,v 1.58 2005/03/31 00:08:58 lha Exp $"); FILE *headerfile, *codefile, *logfile; @@ -41,7 +41,7 @@ FILE *headerfile, *codefile, *logfile; static const char *orig_filename; static char *header; -static char *headerbase = STEM; +static char *headerbase; /* * list of all IMPORTs @@ -76,6 +76,8 @@ init_generate (const char *filename, const char *base) orig_filename = filename; if(base) asprintf(&headerbase, "%s", base); + else + headerbase = strdup(STEM); asprintf(&header, "%s.h", headerbase); headerfile = fopen (header, "w"); if (headerfile == NULL) 
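Review bot: `headerbase = strdup(STEM)` in gen.c's init_generate (@@ -76 hunk), like the `asprintf` in the other branch, is not checked, and the next line formats it with `%s`, so an allocation failure hands a NULL `headerbase` to `asprintf`; check both results before use, e.g. `if (headerbase == NULL) errx(1, "out of memory");` if `<err.h>` is available to this file, otherwise the tree's equivalent. init_generate continues past the hunk.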
@@ -97,18 +99,21 @@ init_generate (const char *filename, const char *base) "#ifndef __asn1_common_definitions__\n" "#define __asn1_common_definitions__\n\n"); fprintf (headerfile, - "typedef struct octet_string {\n" + "typedef struct heim_octet_string {\n" " size_t length;\n" " void *data;\n" - "} octet_string;\n\n"); + "} heim_octet_string;\n\n"); fprintf (headerfile, - "typedef char *general_string;\n\n" + "typedef char *heim_general_string;\n\n" ); fprintf (headerfile, - "typedef struct oid {\n" + "typedef char *heim_utf8_string;\n\n" + ); + fprintf (headerfile, + "typedef struct heim_oid {\n" " size_t length;\n" " unsigned *components;\n" - "} oid;\n\n"); + "} heim_oid;\n\n"); fputs("#define ASN1_MALLOC_ENCODE(T, B, BL, S, L, R) \\\n" " do { \\\n" " (BL) = length_##T((S)); \\\n" @@ -267,13 +272,25 @@ define_asn1 (int level, Type *t) fprintf (headerfile, "[APPLICATION %d] ", t->application); define_asn1 (level, t->subtype); break; + case TBoolean: + space(level); + fprintf (headerfile, "BOOLEAN"); + break; + case TUTF8String: + space(level); + fprintf (headerfile, "UTF8String"); + break; + case TNull: + space(level); + fprintf (headerfile, "NULL"); + break; default: abort (); } } static void -define_type (int level, char *name, Type *t, int typedefp) +define_type (int level, const char *name, Type *t, int typedefp) { switch (t->type) { case TType: @@ -304,11 +321,11 @@ define_type (int level, char *name, Type *t, int typedefp) break; case TOctetString: space(level); - fprintf (headerfile, "octet_string %s;\n", name); + fprintf (headerfile, "heim_octet_string %s;\n", name); break; case TOID : space(level); - fprintf (headerfile, "oid %s;\n", name); + fprintf (headerfile, "heim_oid %s;\n", name); break; case TBitString: { Member *m; 
@@ -390,7 +407,19 @@ define_type (int level, char *name, Type *t, int typedefp) break; case TGeneralString: space(level); - fprintf (headerfile, "general_string %s;\n", name); + fprintf (headerfile, "heim_general_string %s;\n", name); + break; + case TUTF8String: + space(level); + fprintf (headerfile, "heim_utf8_string %s;\n", name); + break; + case TBoolean: + space(level); + fprintf (headerfile, "int %s;\n", name); + break; + case TNull: + space(level); + fprintf (headerfile, "NULL %s;\n", name); break; case TApplication: define_type (level, name, t->subtype, FALSE); @@ -448,13 +477,20 @@ generate_type (const Symbol *s) "#include <asn1_err.h>\n" "#include <der.h>\n" "#include <parse_units.h>\n\n"); - generate_type_header (s); - generate_type_encode (s); - generate_type_decode (s); - generate_type_free (s); - generate_type_length (s); - generate_type_copy (s); - generate_glue (s); + + if (s->stype == Stype && s->type->type == TChoice) { + fprintf(codefile, + "/* CHOICE */\n" + "int asn1_%s_dummy_holder = 1;\n", s->gen_name); + } else { + generate_type_header (s); + generate_type_encode (s); + generate_type_decode (s); + generate_type_free (s); + generate_type_length (s); + generate_type_copy (s); + generate_glue (s); + } fprintf(headerfile, "\n\n"); fclose(codefile); } diff --git a/kerberosV/src/lib/asn1/main.c b/kerberosV/src/lib/asn1/main.c index f5adc429ade..5bd4d20d46b 100644 --- a/kerberosV/src/lib/asn1/main.c +++ b/kerberosV/src/lib/asn1/main.c @@ -34,7 +34,7 @@ #include "gen_locl.h" #include <getarg.h> -RCSID("$KTH: main.c,v 1.11 2001/02/20 01:44:52 assar Exp $"); +RCSID("$KTH: main.c,v 1.12 2005/03/31 00:37:42 lha Exp $"); extern FILE *yyin; @@ -57,8 +57,8 @@ int main(int argc, char **argv) { int ret; - char *file; - char *name = NULL; + const char *file; + const char *name = NULL; int optind = 0; if(getarg(args, num_args, argc, argv, &optind)) 
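Review bot: The new `case TNull:` in define_type writes `NULL %s;` into the generated header, and `NULL` is not a C type, so any structure that contains a NULL-typed member yields a header that does not compile. Unless a typedef named NULL is emitted somewhere not shown in this diff (the header preamble in the earlier hunk adds none), this should name a real type, presumably `fprintf (headerfile, "int %s;\n", name);` as the TBoolean case directly above does. The switch in define_type continues outside the hunk.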
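Review bot: The CHOICE branch added to generate_type drops the whole encode/decode/free/length/copy generation for the type and leaves only the bare `/* CHOICE */` comment, which tells the next reader nothing about why or what a user of such a type should expect. Replace it with a comment that states the intent, along the lines of `/* CHOICE is not handled by this generator; emit a dummy symbol so the object file is not empty (code using this type will fail to link) */` — assuming that is in fact the intent, since the hunk does not say. Writing a one-line notice to `logfile` or stderr when this branch is taken would also make the silent omission visible at generation time.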
diff --git a/kerberosV/src/lib/com_err/com_err.c b/kerberosV/src/lib/com_err/com_err.c index 07a1d7f9c7a..ca39e64c72f 100644 --- a/kerberosV/src/lib/com_err/com_err.c +++ b/kerberosV/src/lib/com_err/com_err.c @@ -33,7 +33,7 @@ #ifdef HAVE_CONFIG_H #include <config.h> -RCSID("$KTH: com_err.c,v 1.18 2002/03/10 23:07:01 assar Exp $"); +RCSID("$KTH: com_err.c,v 1.19 2005/04/24 19:42:39 lha Exp $"); #endif #include <stdio.h> #include <stdlib.h> @@ -51,15 +51,14 @@ error_message (long code) const char *p = com_right(_et_list, code); if (p == NULL) { if (code < 0) - snprintf(msg, sizeof (msg), "Unknown error %ld", code); + snprintf(msg, sizeof(msg), "Unknown error %ld", code); else p = strerror(code); } if (p != NULL && *p != '\0') { - strncpy(msg, p, sizeof(msg) - 1); - msg[sizeof(msg) - 1] = 0; + strlcpy(msg, p, sizeof(msg)); } else - snprintf(msg, sizeof (msg), "Unknown error %ld", code); + snprintf(msg, sizeof(msg), "Unknown error %ld", code); return msg; } diff --git a/kerberosV/src/lib/com_err/com_err.h b/kerberosV/src/lib/com_err/com_err.h index 383d88e691b..ccee437d55b 100644 --- a/kerberosV/src/lib/com_err/com_err.h +++ b/kerberosV/src/lib/com_err/com_err.h @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $KTH: com_err.h,v 1.9 2001/05/11 20:03:36 assar Exp $ */ +/* $KTH: com_err.h,v 1.10 2005/02/03 08:42:05 lha Exp $ */ /* MIT compatible com_err library */ 
@@ -44,22 +44,22 @@ #define __attribute__(X) #endif -typedef void (*errf) __P((const char *, long, const char *, va_list)); +typedef void (*errf) (const char *, long, const char *, va_list); -const char * error_message __P((long)); -int init_error_table __P((const char**, long, int)); +const char * error_message (long); +int init_error_table (const char**, long, int); -void com_err_va __P((const char *, long, const char *, va_list)) +void com_err_va (const char *, long, const char *, va_list) __attribute__((format(printf, 3, 0))); -void com_err __P((const char *, long, const char *, ...)) +void com_err (const char *, long, const char *, ...) __attribute__((format(printf, 3, 4))); -errf set_com_err_hook __P((errf)); -errf reset_com_err_hook __P((void)); +errf set_com_err_hook (errf); +errf reset_com_err_hook (void); -const char *error_table_name __P((int num)); +const char *error_table_name (int num); -void add_to_error_table __P((struct et_list *new_table)); +void add_to_error_table (struct et_list *new_table); #endif /* __COM_ERR_H__ */ diff --git a/kerberosV/src/lib/com_err/com_right.h b/kerberosV/src/lib/com_err/com_right.h index 511e2f20dcb..9f70e2699c1 100644 --- a/kerberosV/src/lib/com_err/com_right.h +++ b/kerberosV/src/lib/com_err/com_right.h @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $Id: com_right.h,v 1.3 2003/06/03 09:11:14 hin Exp $ */ +/* $KTH: com_right.h,v 1.12 2005/02/03 08:43:01 lha Exp $ */ #ifndef __COM_RIGHT_H__ #define __COM_RIGHT_H__ @@ -40,14 +40,6 @@ #include <stdarg.h> #endif -#ifndef __P -#ifdef __STDC__ -#define __P(X) X -#else -#define __P(X) () -#endif -#endif - struct error_table { char const * const * msgs; long base; 
@@ -59,8 +51,8 @@ struct et_list { }; extern struct et_list *_et_list; -const char *com_right __P((struct et_list *list, long code)); -void initialize_error_table_r __P((struct et_list **, const char **, int, long)); -void free_error_table __P((struct et_list *)); +const char *com_right (struct et_list *list, long code); +void initialize_error_table_r (struct et_list **, const char **, int, long); +void free_error_table (struct et_list *); #endif /* __COM_RIGHT_H__ */ diff --git a/kerberosV/src/lib/gssapi/gss_acquire_cred.3 b/kerberosV/src/lib/gssapi/gss_acquire_cred.3 index 5bfd2482590..7b58e044559 100644 --- a/kerberosV/src/lib/gssapi/gss_acquire_cred.3 +++ b/kerberosV/src/lib/gssapi/gss_acquire_cred.3 @@ -1,4 +1,4 @@ -.\" Copyright (c) 2003 Kungliga Tekniska Högskolan +.\" Copyright (c) 2003 - 2004 Kungliga Tekniska Högskolan .\" (Royal Institute of Technology, Stockholm, Sweden). .\" All rights reserved. .\" @@ -29,9 +29,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $KTH: gss_acquire_cred.3,v 1.8.2.1 2003/04/28 13:41:42 lha Exp $ +.\" $KTH: gss_acquire_cred.3,v 1.23 2004/09/06 07:08:58 lha Exp $ .\" -.Dd April 2, 2003 +.Dd September 9, 2003 .Dt GSS_ACQUIRE_CRED 3 .Os HEIMDAL .Sh NAME @@ -59,8 +59,11 @@ .Nm gss_inquire_cred_by_mech , .Nm gss_inquire_mechs_for_name , .Nm gss_inquire_names_for_mech , -.Nm gss_krb5_copy_ccache , +.Nm gss_krb5_ccache_name , .Nm gss_krb5_compat_des3_mic , +.Nm gss_krb5_copy_ccache , +.Nm gsskrb5_extract_authz_data_from_sec_context , +.Nm gss_krb5_get_tkt_flags , .Nm gss_process_context_token , .Nm gss_release_buffer , .Nm gss_release_cred , 
@@ -107,7 +110,20 @@ GSS-API library (libgssapi, -lgssapi) .Fa "gss_OID_set * actual_mechs" .Fa "OM_uint32 * time_rec" .Fc -.\" .Fn gss_add_cred +.Ft OM_uint32 +.Fo gss_add_cred +.Fa "OM_uint32 *minor_status" +.Fa "const gss_cred_id_t input_cred_handle" +.Fa "const gss_name_t desired_name" +.Fa "const gss_OID desired_mech" +.Fa "gss_cred_usage_t cred_usage" +.Fa "OM_uint32 initiator_time_req" +.Fa "OM_uint32 acceptor_time_req" +.Fa "gss_cred_id_t *output_cred_handle" +.Fa "gss_OID_set *actual_mechs" +.Fa "OM_uint32 *initiator_time_rec" +.Fa "OM_uint32 *acceptor_time_rec" +.Fc .Ft OM_uint32 .Fo gss_add_oid_set_member .Fa "OM_uint32 * minor_status" @@ -244,12 +260,31 @@ GSS-API library (libgssapi, -lgssapi) .Fc .Ft OM_uint32 .Fo gss_inquire_cred_by_mech +.Fa "OM_uint32 * minor_status" +.Fa "const gss_cred_id_t cred_handle" +.Fa "const gss_OID mech_type" +.Fa "gss_name_t * name" +.Fa "OM_uint32 * initiator_lifetime" +.Fa "OM_uint32 * acceptor_lifetime" +.Fa "gss_cred_usage_t * cred_usage" .Fc .Ft OM_uint32 .Fo gss_inquire_mechs_for_name +.Fa "OM_uint32 * minor_status" +.Fa "const gss_name_t input_name" +.Fa "gss_OID_set * mech_types" .Fc .Ft OM_uint32 .Fo gss_inquire_names_for_mech +.Fa "OM_uint32 * minor_status" +.Fa "const gss_OID mechanism" +.Fa "gss_OID_set * name_types" +.Fc +.Ft OM_uint32 +.Fo gss_krb5_ccache_name +.Fa "OM_uint32 *minor" +.Fa "const char *name" +.Fa "const char **old_name" .Fc .Ft OM_uint32 .Fo gss_krb5_copy_ccache 
@@ -264,7 +299,23 @@ GSS-API library (libgssapi, -lgssapi) .Fa "int onoff" .Fc .Ft OM_uint32 +.Fo gsskrb5_extract_authz_data_from_sec_context +.Fa "OM_uint32 *minor_status" +.Fa "gss_ctx_id_t context_handle" +.Fa "int ad_type" +.Fa "gss_buffer_t ad_data" +.Fc +.Ft OM_uint32 +.Fo gss_krb5_get_tkt_flags +.Fa "OM_uint32 *minor_status" +.Fa "gss_ctx_id_t context_handle" +.Fa "OM_uint32 *tkt_flags" +.Fc +.Ft OM_uint32 .Fo gss_process_context_token +.Fa "OM_uint32 * minor_status" +.Fa "const gss_ctx_id_t context_handle" +.Fa "const gss_buffer_t token_buffer" .Fc .Ft OM_uint32 .Fo gss_release_buffer @@ -370,9 +421,12 @@ are described in RFC 2743 and RFC 2744. Version 1 (deprecated) of the C binding is described in RFC 1509. .Pp Heimdals GSS-API implementation supports the following mechanisms -.Bl -bullet +.Pp +.Bl -bullet -offset indent -compact .It .Li GSS_KRB5_MECHANISM +.It +.Li GSS_SPNEGO_MECHANISM .El .Pp GSS-API have generic name types that all mechanism are supposed to 
@@ -407,6 +461,82 @@ name types: .Li GSS_KRB5_NT_STRING_UID_NAME .El .Pp +In GSS-API, names have two forms, internal names and contiguous string +names. +.Bl -bullet +.It +.Li Internal name and mechanism name +.Pp +Internal names are implementation specific representation of +a GSS-API name. +.Li Mechanism names +special form of internal names corresponds to one and only one mechanism. +.Pp +In GSS-API an internal name is stored in a +.Dv gss_name_t . +.It +.Li Contiguous string name and exported name +.Pp +Contiguous string names are gssapi names stored in a +.Dv OCTET STRING +that together with a name type identifier (OID) uniquely specifies a +gss-name. +A special form of the contiguous string name is the exported name that +have a OID embedded in the string to make it unique. +Exported name have the nametype +.Dv GSS_C_NT_EXPORT_NAME . +.Pp +In GSS-API an contiguous string name is stored in a +.Dv gss_buffer_t . +.Pp +Exported names also have the property that they are specified by the +mechanism itself and compatible between diffrent GSS-API +implementations. +.El +.Sh ACCESS CONTROL +There are two ways of comparing GSS-API names, either comparing two +internal names with each other or two contiguous string names with +either other. +.Pp +To compare two internal names with each other, import (if needed) the +names with +.Fn gss_import_name +into the GSS-API implementation and the compare the imported name with +.Fn gss_compare_name . +.Pp +Importing names can be slow, so when its possible to store exported +names in the access control list, comparing contiguous string name +might be better. +.Pp +when comparing contiguous string name, first export them into a +.Dv GSS_C_NT_EXPORT_NAME +name with +.Fn gss_export_name +and then compare with +.Xr memcmp 3 . +.Pp +Note that there are might be a difference between the two methods of +comparing names. +The first (using +.Fn gss_compare_name ) +will compare to (unauthenticated) names are the same. 
+The second will compare if a mechanism will authenticate them as the +same principal. +.Pp +For example, if +.Fn gss_import_name +name was used with +.Dv GSS_C_NO_OID +the default syntax is used for all mechanism the GSS-API +implementation supports. +When compare the imported name of +.Dv GSS_C_NO_OID +it may match serveral mechanism names (MN). +.Pp +The resulting name from +.Fn gss_display_name +must not be used for acccess control. +.Sh FUNCTIONS .Fn gss_display_name takes the gss name in .Fa input_name @@ -421,9 +551,35 @@ can either be or a pointer to a .Li gss_OID and will in the latter case contain the OID type of the name. -The name should only be used for printing. -Access control should be done with the result of -.Fn gss_export_name . +The name must only be used for printing. +If access control is needed, see section +.Sx ACCESS CONTROL . +.Pp +.Fn gss_inquire_context +returns information about the context. +Information is available even after the context have expired. +.Fa lifetime_rec +argument is set to +.Dv GSS_C_INDEFINITE +(dont expire) or the number of seconds that the context is still valid. +A value of 0 means that the context is expired. +.Fa mech_type +argument should be considered readonly and must not be released. +.Fa src_name +and +.Fn dest_name +are both mechanims names and must be released with +.Fn gss_release_name +when no longer used. +.Pp +.Nm gss_context_time +will return the amount of time (in seconds) of the context is still +valid. +If its expired +.Fa time_rec +will be set to 0 and +.Dv GSS_S_CONTEXT_EXPIRED +returned. .Pp .Fn gss_sign , .Fn gss_verify , 
@@ -434,17 +590,47 @@ are part of the GSS-API V1 interface and are obsolete. The functions should not be used for new applications. They are provided so that version 1 applications can link against the library. +.Sh EXTENSIONS +.Fn gss_krb5_ccache_name +sets the internal kerberos 5 credential cache name to +.Fa name . +The old name is returned in +.Fa old_name , +and must not be freed. +The data allocated for +.Fa old_name +is free upon next call to +.Fn gss_krb5_ccache_name . +This function is not threadsafe if +.Fa old_name +argument is used. .Pp .Fn gss_krb5_copy_ccache -is an extension to the GSS-API API. -The function will extract the krb5 credentials that are transferred from -the initiator to the acceptor when using token delegation in the -Kerberos mechanism. +will extract the krb5 credentials that are transferred from the +initiator to the acceptor when using token delegation in the Kerberos +mechanism. The acceptor receives the delegated token in the last argument to .Fn gss_accept_sec_context . .Pp -.Nm gss_krb5_compat_des3_mic -turns on or off the compatibility with older versions of Heimdal using +.Fn gsskrb5_register_acceptor_identity +sets the Kerberos 5 principal that the acceptor will use. +.Pp +.Fn gsskrb5_extract_authz_data_from_sec_context +extracts the Kerberos authorizationdata that may be stored within the +context. +Tha caller must free the returned buffer +.Fa ad_data +with +.Fn gss_release_buffer +upon success. +.Pp +.Fn gss_krb5_get_tkt_flags +return the ticket flags for the kerberos ticket receive when +authenticating the initiator. +Only valid on the acceptor context. +.Pp +.Fn gss_krb5_compat_des3_mic +turns on or off the compatibility with older version of Heimdal using des3 get and verify mic, this is way to programmatically set the [gssapi]broken_des3_mic and [gssapi]correct_des3_mic flags (see COMPATIBILITY section in 
@@ -452,9 +638,9 @@ COMPATIBILITY section in If the CPP symbol .Dv GSS_C_KRB5_COMPAT_DES3_MIC is present, -.Nm gss_krb5_compat_des3_mic +.Fn gss_krb5_compat_des3_mic exists. -.Nm gss_krb5_compat_des3_mic +.Fn gss_krb5_compat_des3_mic will be removed in a later version of the GSS-API library. .Sh SEE ALSO .Xr gssapi 3 , diff --git a/kerberosV/src/lib/gssapi/gssapi.3 b/kerberosV/src/lib/gssapi/gssapi.3 index 3b85a556799..5ee61fa583b 100644 --- a/kerberosV/src/lib/gssapi/gssapi.3 +++ b/kerberosV/src/lib/gssapi/gssapi.3 @@ -1,4 +1,4 @@ -.\" Copyright (c) 2003 Kungliga Tekniska Högskolan +.\" Copyright (c) 2003 - 2005 Kungliga Tekniska Högskolan .\" (Royal Institute of Technology, Stockholm, Sweden). .\" All rights reserved. .\" @@ -29,9 +29,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $KTH: gssapi.3,v 1.5.2.2 2003/04/30 09:56:26 lha Exp $ +.\" $KTH: gssapi.3,v 1.11 2005/04/20 10:46:15 lha Exp $ .\" -.Dd January 23, 2003 +.Dd April 20, 2005 .Dt GSSAPI 3 .Os .Sh NAME @@ -45,6 +45,9 @@ provides security services to callers in a generic fashion, supportable with a range of underlying mechanisms and technologies and hence allowing source-level portability of applications to different environments. +.Pp +The GSS-API implementation in Heimdal implements the Kerberos 5 and +the SPNEGO GSS-API security mechanisms. .Sh LIST OF FUNCTIONS These functions constitute the gssapi library, .Em libgssapi . @@ -80,7 +83,10 @@ gss_inquire_cred.3 gss_inquire_cred_by_mech.3 gss_inquire_mechs_for_name.3 gss_inquire_names_for_mech.3 +gss_krb5_ccache_name.3 gss_krb5_copy_ccache.3 +gss_krb5_compat_des3_mic.3 +gss_krb5_extract_authz_data_from_sec_context.3 gss_process_context_token.3 gss_release_buffer.3 gss_release_cred.3 
@@ -106,15 +112,15 @@ implementations when using .Fn gss_get_mic / .Fn gss_verify_mic . -Its possible to modify the behavior of the generator of the MIC with +It is possible to modify the behavior of the generator of the MIC with the .Pa krb5.conf configuration file so that old clients/servers will still work. .Pp New clients/servers will try both the old and new MIC in Heimdal 0.6. -In 0.7 it will check only if configured and the compatibility code -will be removed in 0.8. +In 0.7 it will check only if configured - the compatibility code will +be removed in 0.8. .Pp Heimdal 0.6 still generates by default the broken GSS-API DES3 mic, this will change in 0.7 to generate correct des3 mic. @@ -140,12 +146,24 @@ the later will override. .Pp This config option modifies behaviour for both clients and servers. .Pp -Example: +Microsoft implemented SPNEGO to Windows2000, however, they manage to +get it wrong, their implementation didn't fill in the MechListMIC in +the reply token with the right content. +There is a work around for this problem, but not all implementation +support it. +.Pp +Heimdal defaults to correct SPNEGO when the the kerberos +implementation uses CFX, or when its configured by the user. +To turn on compatibility with peers, use option +.Nm [gssapi] +.Ar require_mechlist_mic . +.Sh EXAMPLES .Bd -literal -offset indent [gssapi] broken_des3_mic = cvs/*@SU.SE broken_des3_mic = host/*@E.KTH.SE correct_des3_mic = host/*@SU.SE + require_mechlist_mic = host/*@SU.SE .Ed .Sh BUGS All of 0.5.x versions of diff --git a/kerberosV/src/lib/hdb/convert_db.c b/kerberosV/src/lib/hdb/convert_db.c index 7e3a56c58c9..129eed76aca 100644 --- a/kerberosV/src/lib/hdb/convert_db.c +++ b/kerberosV/src/lib/hdb/convert_db.c 
@@ -41,7 +41,7 @@ #include <getarg.h> #include <err.h> -RCSID("$KTH: convert_db.c,v 1.12 2001/02/20 01:44:53 assar Exp $"); +RCSID("$KTH: convert_db.c,v 1.13 2003/09/19 00:17:42 lha Exp $"); static krb5_error_code update_keytypes(krb5_context context, HDB *db, hdb_entry *entry, void *data) @@ -81,7 +81,7 @@ update_keytypes(krb5_context context, HDB *db, hdb_entry *entry, void *data) save_val = entry->keys.val; entry->keys.len = n; entry->keys.val = k; - ret = new->store(context, new, HDB_F_REPLACE, entry); + ret = new->hdb_store(context, new, HDB_F_REPLACE, entry); entry->keys.len = save_len; entry->keys.val = save_val; for(i = 0; i < n; i++) @@ -94,14 +94,14 @@ static krb5_error_code update_version2(krb5_context context, HDB *db, hdb_entry *entry, void *data) { HDB *new = data; - if(!db->master_key_set) { + if(!db->hdb_master_key_set) { int i; for(i = 0; i < entry->keys.len; i++) { free(entry->keys.val[i].mkvno); entry->keys.val[i].mkvno = NULL; } } - new->store(context, new, HDB_F_REPLACE, entry); + new->hdb_store(context, new, HDB_F_REPLACE, entry); return 0; } @@ -167,7 +167,7 @@ main(int argc, char **argv) if (ret) krb5_err(context, 1, ret, "hdb_set_master_keyfile"); } - ret = db->open(context, db, O_RDONLY, 0); + ret = db->hdb_open(context, db, O_RDONLY, 0); if(ret == HDB_ERR_BADVERSION) { krb5_data tag; krb5_data version; @@ -175,7 +175,7 @@ main(int argc, char **argv) unsigned ver; tag.data = HDB_DB_FORMAT_ENTRY; tag.length = strlen(tag.data); - ret = (*db->_get)(context, db, tag, &version); + ret = (*db->hdb__get)(context, db, tag, &version); if(ret) krb5_errx(context, 1, "database is wrong version, " "but couldn't find version key (%s)", 
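Review bot: The renamed call `new->hdb_store(context, new, HDB_F_REPLACE, entry);` in update_version2 still discards its return value, so a failed write to the new database is dropped and the callback reports 0 regardless, while update_keytypes directly above captures the same call into `ret`. Change it to `return new->hdb_store(context, new, HDB_F_REPLACE, entry);` so the error propagates through hdb_foreach, whose result main does appear to check (`if(ret != 0) krb5_err(...)` is visible for the update_keytypes pass; the update_version call site is cut off at the hunk edge).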
@@ -195,7 +195,7 @@ main(int argc, char **argv) ver, HDB_DB_FORMAT); } else if(ret) krb5_err(context, 1, ret, "%s", old_database); - ret = new->open(context, new, O_CREAT|O_EXCL|O_RDWR, 0600); + ret = new->hdb_open(context, new, O_CREAT|O_EXCL|O_RDWR, 0600); if(ret) krb5_err(context, 1, ret, "%s", new_database); if(update_version) @@ -204,8 +204,8 @@ main(int argc, char **argv) ret = hdb_foreach(context, db, 0, update_keytypes, new); if(ret != 0) krb5_err(context, 1, ret, "hdb_foreach"); - db->close(context, db); - new->close(context, new); + db->hdb_close(context, db); + new->hdb_close(context, new); krb5_warnx(context, "wrote converted database to `%s'", new_database); return 0; } diff --git a/kerberosV/src/lib/hdb/hdb_locl.h b/kerberosV/src/lib/hdb/hdb_locl.h index 1d9976615e3..1d58cb0feaf 100644 --- a/kerberosV/src/lib/hdb/hdb_locl.h +++ b/kerberosV/src/lib/hdb/hdb_locl.h @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $KTH: hdb_locl.h,v 1.18.4.1 2003/09/10 22:04:39 lha Exp $ */ +/* $KTH: hdb_locl.h,v 1.19 2003/09/10 21:54:58 lha Exp $ */ #ifndef __HDB_LOCL_H__ #define __HDB_LOCL_H__ diff --git a/kerberosV/src/lib/hdb/mkey.c b/kerberosV/src/lib/hdb/mkey.c index 930f6589d83..75f60227c3a 100644 --- a/kerberosV/src/lib/hdb/mkey.c +++ b/kerberosV/src/lib/hdb/mkey.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000 - 2002 Kungliga Tekniska Högskolan + * Copyright (c) 2000 - 2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -36,7 +36,7 @@ #define O_BINARY 0 #endif -RCSID("$KTH: mkey.c,v 1.15 2003/03/28 02:01:33 lha Exp $"); +RCSID("$KTH: mkey.c,v 1.18.4.2 2005/08/19 13:23:11 lha Exp $"); struct hdb_master_key_data { krb5_keytab_entry keytab; @@ -148,7 +148,7 @@ read_master_mit(krb5_context context, const char *filename, int fd; krb5_error_code ret; krb5_storage *sp; - u_int16_t enctype; + int16_t enctype; krb5_keyblock key; fd = open(filename, O_RDONLY | O_BINARY); 
@@ -372,50 +372,62 @@ find_master_key(Key *key, hdb_master_key mkey) } krb5_error_code -hdb_unseal_keys_mkey(krb5_context context, hdb_entry *ent, hdb_master_key mkey) +hdb_unseal_key_mkey(krb5_context context, Key *k, hdb_master_key mkey) { - int i; + krb5_error_code ret; krb5_data res; size_t keysize; - Key *k; - for(i = 0; i < ent->keys.len; i++){ - hdb_master_key key; + hdb_master_key key; - k = &ent->keys.val[i]; - if(k->mkvno == NULL) - continue; + if(k->mkvno == NULL) + return 0; + + key = find_master_key(k, mkey); + + if (key == NULL) + return HDB_ERR_NO_MKEY; - key = find_master_key(&ent->keys.val[i], mkey); + ret = krb5_decrypt(context, key->crypto, HDB_KU_MKEY, + k->key.keyvalue.data, + k->key.keyvalue.length, + &res); + if (ret) + return ret; - if (key == NULL) - return HDB_ERR_NO_MKEY; + /* fixup keylength if the key got padded when encrypting it */ + ret = krb5_enctype_keysize(context, k->key.keytype, &keysize); + if (ret) { + krb5_data_free(&res); + return ret; + } + if (keysize > res.length) { + krb5_data_free(&res); + return KRB5_BAD_KEYSIZE; + } - ret = krb5_decrypt(context, key->crypto, HDB_KU_MKEY, - k->key.keyvalue.data, - k->key.keyvalue.length, - &res); - if (ret) - return ret; + memset(k->key.keyvalue.data, 0, k->key.keyvalue.length); + free(k->key.keyvalue.data); + k->key.keyvalue = res; + k->key.keyvalue.length = keysize; + free(k->mkvno); + k->mkvno = NULL; - /* fixup keylength if the key got padded when encrypting it */ - ret = krb5_enctype_keysize(context, k->key.keytype, &keysize); - if (ret) { - krb5_data_free(&res); + return 0; +} + +krb5_error_code +hdb_unseal_keys_mkey(krb5_context context, hdb_entry *ent, hdb_master_key mkey) +{ + int i; + + for(i = 0; i < ent->keys.len; i++){ + krb5_error_code ret; + + ret = hdb_unseal_key_mkey(context, &ent->keys.val[i], mkey); + if (ret) return ret; - } - if (keysize > res.length) { - krb5_data_free(&res); - return KRB5_BAD_KEYSIZE; - } - - memset(k->key.keyvalue.data, 0, 
k->key.keyvalue.length); - free(k->key.keyvalue.data); - k->key.keyvalue = res; - k->key.keyvalue.length = keysize; - free(k->mkvno); - k->mkvno = NULL; } return 0; } 
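Review bot: In hdb_unseal_key_mkey the `memset(k->key.keyvalue.data, 0, k->key.keyvalue.length);` that immediately precedes `free(k->key.keyvalue.data)` is a dead store from the compiler's point of view and may be optimised away, leaving the old sealed key bytes behind in freed memory; the identical pattern is carried into hdb_seal_key_mkey in the next hunk. The `KRB5_BAD_KEYSIZE` path also calls `krb5_data_free(&res)` on the freshly decrypted key without wiping it at all. Use a wipe the compiler cannot elide (a volatile-qualified byte loop, or an explicit-bzero style helper if roken provides one) for both the replaced key value and `res.data` on that error path.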
@@ -423,44 +435,63 @@ hdb_unseal_keys_mkey(krb5_context context, hdb_entry *ent, hdb_master_key mkey) krb5_error_code hdb_unseal_keys(krb5_context context, HDB *db, hdb_entry *ent) { - if (db->master_key_set == 0) + if (db->hdb_master_key_set == 0) return 0; - return hdb_unseal_keys_mkey(context, ent, db->master_key); + return hdb_unseal_keys_mkey(context, ent, db->hdb_master_key); } krb5_error_code -hdb_seal_keys_mkey(krb5_context context, hdb_entry *ent, hdb_master_key mkey) +hdb_unseal_key(krb5_context context, HDB *db, Key *k) +{ + if (db->hdb_master_key_set == 0) + return 0; + return hdb_unseal_key_mkey(context, k, db->hdb_master_key); +} + +krb5_error_code +hdb_seal_key_mkey(krb5_context context, Key *k, hdb_master_key mkey) { - int i; krb5_error_code ret; krb5_data res; - for(i = 0; i < ent->keys.len; i++){ - Key *k = &ent->keys.val[i]; - hdb_master_key key; + hdb_master_key key; - if(k->mkvno != NULL) - continue; + if(k->mkvno != NULL) + return 0; - key = find_master_key(k, mkey); + key = find_master_key(k, mkey); - if (key == NULL) - return HDB_ERR_NO_MKEY; + if (key == NULL) + return HDB_ERR_NO_MKEY; - ret = krb5_encrypt(context, key->crypto, HDB_KU_MKEY, - k->key.keyvalue.data, - k->key.keyvalue.length, - &res); - if (ret) - return ret; + ret = krb5_encrypt(context, key->crypto, HDB_KU_MKEY, + k->key.keyvalue.data, + k->key.keyvalue.length, + &res); + if (ret) + return ret; + + memset(k->key.keyvalue.data, 0, k->key.keyvalue.length); + free(k->key.keyvalue.data); + k->key.keyvalue = res; + + k->mkvno = malloc(sizeof(*k->mkvno)); + if (k->mkvno == NULL) + return ENOMEM; + *k->mkvno = key->keytab.vno; + + return 0; +} - memset(k->key.keyvalue.data, 0, k->key.keyvalue.length); - free(k->key.keyvalue.data); - k->key.keyvalue = res; +krb5_error_code +hdb_seal_keys_mkey(krb5_context context, hdb_entry *ent, hdb_master_key mkey) +{ + int i; + for(i = 0; i < ent->keys.len; i++){ + krb5_error_code ret; - k->mkvno = malloc(sizeof(*k->mkvno)); - if (k->mkvno == 
NULL) - return ENOMEM; - *k->mkvno = key->keytab.vno; + ret = hdb_seal_key_mkey(context, &ent->keys.val[i], mkey); + if (ret) + return ret; } return 0; } @@ -468,10 +499,19 @@ hdb_seal_keys_mkey(krb5_context context, hdb_entry *ent, hdb_master_key mkey) krb5_error_code hdb_seal_keys(krb5_context context, HDB *db, hdb_entry *ent) { - if (db->master_key_set == 0) + if (db->hdb_master_key_set == 0) + return 0; + + return hdb_seal_keys_mkey(context, ent, db->hdb_master_key); +} + +krb5_error_code +hdb_seal_key(krb5_context context, HDB *db, Key *k) +{ + if (db->hdb_master_key_set == 0) return 0; - return hdb_seal_keys_mkey(context, ent, db->master_key); + return hdb_seal_key_mkey(context, k, db->hdb_master_key); } krb5_error_code @@ -485,11 +525,11 @@ hdb_set_master_key (krb5_context context, ret = hdb_process_master_key(context, 0, key, 0, &mkey); if (ret) return ret; - db->master_key = mkey; + db->hdb_master_key = mkey; #if 0 /* XXX - why? */ des_set_random_generator_seed(key.keyvalue.data); #endif - db->master_key_set = 1; + db->hdb_master_key_set = 1; return 0; } @@ -508,8 +548,8 @@ hdb_set_master_keyfile (krb5_context context, krb5_clear_error_string(context); return 0; } - db->master_key = key; - db->master_key_set = 1; + db->hdb_master_key = key; + db->hdb_master_key_set = 1; return ret; } @@ -517,9 +557,9 @@ krb5_error_code hdb_clear_master_key (krb5_context context, HDB *db) { - if (db->master_key_set) { - hdb_free_master_key(context, db->master_key); - db->master_key_set = 0; + if (db->hdb_master_key_set) { + hdb_free_master_key(context, db->hdb_master_key); + db->hdb_master_key_set = 0; } return 0; } diff --git a/kerberosV/src/lib/kadm5/dump_log.c b/kerberosV/src/lib/kadm5/dump_log.c index 378433e1b2b..8446bdb2dbe 100644 --- a/kerberosV/src/lib/kadm5/dump_log.c +++ b/kerberosV/src/lib/kadm5/dump_log.c 
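Review bot: In hdb_seal_key_mkey the `k->mkvno = malloc(sizeof(*k->mkvno));` allocation happens after `k->key.keyvalue = res;`, so when it fails the function returns ENOMEM with the key already replaced by ciphertext but `mkvno` still NULL — the Key now looks unsealed, a later seal would encrypt it a second time and unseal would skip it. Move `k->mkvno = malloc(sizeof(*k->mkvno)); if (k->mkvno == NULL) return ENOMEM;` ahead of the `krb5_encrypt` call and add `free(k->mkvno); k->mkvno = NULL;` to the encrypt error return, so the key value is only swapped once every allocation has succeeded. The early `if(k->mkvno != NULL) return 0;` guard still works because `mkvno` is reset on the error path.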
@@ -34,7 +34,7 @@ #include "iprop.h" #include "parse_time.h" -RCSID("$KTH: dump_log.c,v 1.13 2003/04/16 17:56:02 lha Exp $"); +RCSID("$KTH: dump_log.c,v 1.16 2005/04/25 18:17:51 lha Exp $"); static char *op_names[] = { "get", @@ -150,7 +150,7 @@ print_entry(kadm5_server_context *server_context, } if(mask & KADM5_ATTRIBUTES) { unparse_flags(HDBFlags2int(ent.flags), - HDBFlags_units, t, sizeof(t)); + asn1_HDBFlags_units(), t, sizeof(t)); printf(" attributes = %s\n", t); } if(mask & KADM5_MAX_LIFE) { @@ -214,10 +214,12 @@ print_entry(kadm5_server_context *server_context, } static char *realm; +static char *config_file; static int version_flag; static int help_flag; static struct getargs args[] = { + { "config-file", 'c', arg_string, &config_file }, { "realm", 'r', arg_string, &realm }, { "version", 0, arg_flag, &version_flag }, { "help", 0, arg_flag, &help_flag } @@ -232,6 +234,7 @@ main(int argc, char **argv) void *kadm_handle; kadm5_server_context *server_context; kadm5_config_params conf; + char **files; krb5_program_setup(&context, argc, argv, args, num_args, NULL); @@ -242,6 +245,18 @@ main(int argc, char **argv) exit(0); } + if (config_file == NULL) + config_file = HDB_DB_DIR "/kdc.conf"; + + ret = krb5_prepend_config_files_default(config_file, &files); + if (ret) + krb5_err(context, 1, ret, "getting configuration files"); + + ret = krb5_set_config_files(context, files); + krb5_free_config_files(files); + if (ret) + krb5_err(context, 1, ret, "reading configuration files"); + memset(&conf, 0, sizeof(conf)); if(realm) { conf.mask |= KADM5_CONFIG_REALM; diff --git a/kerberosV/src/lib/kadm5/iprop.h b/kerberosV/src/lib/kadm5/iprop.h index ef642267fa8..5fb5c934df0 100644 --- a/kerberosV/src/lib/kadm5/iprop.h +++ b/kerberosV/src/lib/kadm5/iprop.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 1998-2002 Kungliga Tekniska Högskolan + * Copyright (c) 1998-2003 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * 
@@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $KTH: iprop.h,v 1.7 2002/07/04 14:39:19 joda Exp $ */ +/* $KTH: iprop.h,v 1.9 2003/11/23 06:24:16 lha Exp $ */ #ifndef __IPROP_H__ #define __IPROP_H__ @@ -46,6 +46,8 @@ #include <util.h> #endif +#include <parse_time.h> + #define IPROP_VERSION "iprop-0.0" #define KADM5_SLAVE_ACL HDB_DB_DIR "/slaves" @@ -62,7 +64,9 @@ enum iprop_cmd { I_HAVE = 1, FOR_YOU = 2, TELL_YOU_EVERYTHING = 3, ONE_PRINC = 4, - NOW_YOU_HAVE = 5 + NOW_YOU_HAVE = 5, + ARE_YOU_THERE = 6, + I_AM_HERE = 7 }; #endif /* __IPROP_H__ */ diff --git a/kerberosV/src/lib/kadm5/ipropd_master.c b/kerberosV/src/lib/kadm5/ipropd_master.c index f02fa4e29b0..3c4fee3c594 100644 --- a/kerberosV/src/lib/kadm5/ipropd_master.c +++ b/kerberosV/src/lib/kadm5/ipropd_master.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -34,11 +34,16 @@ #include "iprop.h" #include <rtbl.h> -RCSID("$KTH: ipropd_master.c,v 1.29 2003/03/19 11:56:38 lha Exp $"); +RCSID("$KTH: ipropd_master.c,v 1.42 2005/05/23 17:38:46 lha Exp $"); static krb5_log_facility *log_facility; const char *slave_stats_file = KADM5_SLAVE_STATS; +const char *slave_time_missing = "2 min"; +const char *slave_time_gone = "5 min"; + +static int time_before_missing; +static int time_before_gone; static int make_signal_socket (krb5_context context) @@ -59,7 +64,7 @@ make_signal_socket (krb5_context context) } static int -make_listen_socket (krb5_context context) +make_listen_socket (krb5_context context, const char *port_str) { int fd; int one = 1; 
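Review bot: `slave_time_missing` and `slave_time_gone` are introduced with external linkage while the `time_before_missing`/`time_before_gone` counters beside them are `static`; nothing in the hunk suggests another translation unit reads the strings, so `static const char *slave_time_missing = "2 min";` (and likewise for `slave_time_gone`) keeps the file's private state private and avoids exporting two more symbols. A comment stating that the strings are the human-readable defaults later parsed into the `time_before_*` seconds would also help, if that is indeed how they are used (the parsing is not in this chunk).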
@@ -71,8 +76,24 @@ make_listen_socket (krb5_context context) setsockopt (fd, SOL_SOCKET, SO_REUSEADDR, (void *)&one, sizeof(one)); memset (&addr, 0, sizeof(addr)); addr.sin_family = AF_INET; - addr.sin_port = krb5_getportbyname (context, - IPROP_SERVICE, "tcp", IPROP_PORT); + + if (port_str) { + addr.sin_port = krb5_getportbyname (context, + port_str, "tcp", + 0); + if (addr.sin_port == 0) { + char *ptr; + long port; + + port = strtol (port_str, &ptr, 10); + if (port == 0 && ptr == port_str) + krb5_errx (context, 1, "bad port `%s'", port_str); + addr.sin_port = htons(port); + } + } else { + addr.sin_port = krb5_getportbyname (context, IPROP_SERVICE, + "tcp", IPROP_PORT); + } if(bind(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0) krb5_err (context, 1, errno, "bind"); if (listen(fd, SOMAXCONN) < 0) @@ -89,6 +110,7 @@ struct slave { time_t seen; unsigned long flags; #define SLAVE_F_DEAD 0x1 +#define SLAVE_F_AYT 0x2 struct slave *next; }; @@ -119,9 +141,26 @@ check_acl (krb5_context context, const char *name) static void slave_seen(slave *s) { + s->flags &= ~SLAVE_F_AYT; s->seen = time(NULL); } +static int +slave_missing_p (slave *s) +{ + if (time(NULL) > s->seen + time_before_missing) + return 1; + return 0; +} + +static int +slave_gone_p (slave *s) +{ + if (time(NULL) > s->seen + time_before_gone) + return 1; + return 0; +} + static void slave_dead(slave *s) { @@ -243,6 +282,7 @@ static int prop_one (krb5_context context, HDB *db, hdb_entry *entry, void *v) { krb5_error_code ret; + krb5_storage *sp; krb5_data data; struct slave *slave = (struct slave *)v; 
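Review bot: The fallback port parser in make_listen_socket only rejects the case where strtol consumed nothing, so a string such as `12ab` (trailing junk), a negative number, or a value above 65535 all pass and are silently truncated by `htons(port)`, binding the daemon to an unintended port. Tighten the check to `if (ptr == port_str || *ptr != '\0' || port < 1 || port > 65535)` in front of the existing `krb5_errx` so malformed input fails loudly, and clear `errno` before the strtol call if you also want ERANGE reported. The `long` result is narrowed implicitly by `htons`; casting after the range check makes that explicit.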
@@ -255,7 +295,13 @@ prop_one (krb5_context context, HDB *db, hdb_entry *entry, void *v) return ret; } memmove ((char *)data.data + 4, data.data, data.length - 4); - _krb5_put_int (data.data, ONE_PRINC, 4); + sp = krb5_storage_from_data(&data); + if (sp == NULL) { + krb5_data_free (&data); + return ENOMEM; + } + krb5_store_int32(sp, ONE_PRINC); + krb5_storage_free(sp); ret = krb5_write_priv_message (context, slave->ac, &slave->fd, &data); krb5_data_free (&data); @@ -267,6 +313,7 @@ send_complete (krb5_context context, slave *s, const char *database, u_int32_t current_version) { krb5_error_code ret; + krb5_storage *sp; HDB *db; krb5_data data; char buf[8]; @@ -274,11 +321,15 @@ send_complete (krb5_context context, slave *s, ret = hdb_create (context, &db, database); if (ret) krb5_err (context, 1, ret, "hdb_create: %s", database); - ret = db->open (context, db, O_RDONLY, 0); + ret = db->hdb_open (context, db, O_RDONLY, 0); if (ret) krb5_err (context, 1, ret, "db->open"); - _krb5_put_int(buf, TELL_YOU_EVERYTHING, 4); + sp = krb5_storage_from_mem (buf, 4); + if (sp == NULL) + krb5_errx (context, 1, "krb5_storage_from_mem"); + krb5_store_int32 (sp, TELL_YOU_EVERYTHING); + krb5_storage_free (sp); data.data = buf; data.length = 4; @@ -298,8 +349,16 @@ send_complete (krb5_context context, slave *s, return ret; } - _krb5_put_int (buf, NOW_YOU_HAVE, 4); - _krb5_put_int (buf + 4, current_version, 4); + (*db->hdb_close)(context, db); + (*db->hdb_destroy)(context, db); + + sp = krb5_storage_from_mem (buf, 8); + if (sp == NULL) + krb5_errx (context, 1, "krb5_storage_from_mem"); + krb5_store_int32 (sp, NOW_YOU_HAVE); + krb5_store_int32 (sp, current_version); + krb5_storage_free (sp); + data.length = 8; s->version = current_version; 
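Review bot: The `(*db->hdb_close)` / `(*db->hdb_destroy)` pair added to send_complete runs only on the success path; the `return ret;` immediately above it leaves the database open and the HDB object allocated whenever the preceding call fails (that call itself is outside the hunk). Move the two calls ahead of the error return, or route the failure through a cleanup label that closes the db before returning. The two `krb5_storage_from_mem` NULL checks in this function are fatal via `krb5_errx`, while prop_one in the earlier hunk returns `ENOMEM` for the same condition; if the master is meant to survive a transient allocation failure the two should agree.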
@@ -317,6 +376,42 @@ send_complete (krb5_context context, slave *s, } static int +send_are_you_there (krb5_context context, slave *s) +{ + krb5_storage *sp; + krb5_data data; + char buf[4]; + int ret; + + if (s->flags & (SLAVE_F_DEAD|SLAVE_F_AYT)) + return 0; + + s->flags |= SLAVE_F_AYT; + + data.data = buf; + data.length = 4; + + sp = krb5_storage_from_mem (buf, 4); + if (sp == NULL) { + krb5_warnx (context, "are_you_there: krb5_data_alloc"); + slave_dead(s); + return 1; + } + krb5_store_int32 (sp, ARE_YOU_THERE); + krb5_storage_free (sp); + + ret = krb5_write_priv_message(context, s->ac, &s->fd, &data); + + if (ret) { + krb5_warn (context, ret, "are_you_there: krb5_write_priv_message"); + slave_dead(s); + return 1; + } + + return 0; +} + +static int send_diffs (krb5_context context, slave *s, int log_fd, const char *database, u_int32_t current_version) { @@ -348,17 +443,29 @@ send_diffs (krb5_context context, slave *s, int log_fd, if (left == 0) return send_complete (context, s, database, current_version); } - krb5_data_alloc (&data, right - left + 4); + ret = krb5_data_alloc (&data, right - left + 4); + if (ret) { + krb5_warn (context, ret, "send_diffs: krb5_data_alloc"); + slave_dead(s); + return 1; + } krb5_storage_read (sp, (char *)data.data + 4, data.length - 4); krb5_storage_free(sp); - _krb5_put_int(data.data, FOR_YOU, 4); + sp = krb5_storage_from_data (&data); + if (sp == NULL) { + krb5_warnx (context, "send_diffs: krb5_storage_from_data"); + slave_dead(s); + return 1; + } + krb5_store_int32 (sp, FOR_YOU); + krb5_storage_free(sp); ret = krb5_write_priv_message(context, s->ac, &s->fd, &data); krb5_data_free(&data); if (ret) { - krb5_warn (context, ret, "krb5_write_priv_message"); + krb5_warn (context, ret, "send_diffs: krb5_write_priv_message"); slave_dead(s); return 1; } 
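Review bot: The warning emitted when `krb5_storage_from_mem` returns NULL in send_are_you_there reads `are_you_there: krb5_data_alloc`, naming a call that is not made in this function; an operator triaging that log line would look in the wrong place. Change it to `krb5_warnx (context, "are_you_there: krb5_storage_from_mem");`. The `int ret` holding a `krb5_error_code` is harmless here but inconsistent with the other senders in this file.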
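Review bot: `krb5_storage_read (sp, (char *)data.data + 4, data.length - 4);` in send_diffs still ignores its return value, so a short read leaves the tail of the freshly allocated buffer unfilled and `krb5_write_priv_message` ships whatever `krb5_data_alloc` left there to the slave. Compare the result with the requested length and take the same `slave_dead(s); return 1;` path the surrounding code uses, e.g. `if (krb5_storage_read (...) != data.length - 4) { krb5_warnx (context, "send_diffs: short read"); slave_dead(s); return 1; }` (mind the signed/unsigned comparison). The hunk otherwise fixes the previously unchecked `krb5_data_alloc`, which is good.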
@@ -383,13 +490,29 @@ process_msg (krb5_context context, slave *s, int log_fd, } sp = krb5_storage_from_mem (out.data, out.length); - krb5_ret_int32 (sp, &tmp); + if (sp == NULL) { + krb5_warnx (context, "process_msg: no memory"); + krb5_data_free (&out); + return 1; + } + if (krb5_ret_int32 (sp, &tmp) != 0) { + krb5_warnx (context, "process_msg: client send too short command"); + krb5_data_free (&out); + return 1; + } switch (tmp) { case I_HAVE : - krb5_ret_int32 (sp, &tmp); + ret = krb5_ret_int32 (sp, &tmp); + if (ret != 0) { + krb5_warnx (context, "process_msg: client send too I_HAVE data"); + break; + } s->version = tmp; ret = send_diffs (context, s, log_fd, database, current_version); break; + case I_AM_HERE : + break; + case ARE_YOU_THERE: case FOR_YOU : default : krb5_warnx (context, "Ignoring command %d", tmp); @@ -421,8 +544,7 @@ write_stats(krb5_context context, slave *slaves, u_int32_t current_version) if (fp == NULL) return; - strftime(str, sizeof(str), "%Y-%m-%d %H:%M:%S", - localtime(&t)); + krb5_format_time(context, t, str, sizeof(str), TRUE); fprintf(fp, "Status for slaves, last updated: %s\n\n", str); fprintf(fp, "Master version: %lu\n\n", (unsigned long)current_version); @@ -463,9 +585,7 @@ write_stats(krb5_context context, slave *slaves, u_int32_t current_version) else rtbl_add_column_entry(tbl, SLAVE_STATUS, "Up"); - if (strftime(str, sizeof(str), "%Y-%m-%d %H:%M:%S %Z", - localtime(&slaves->seen)) == 0) - strlcpy(str, "Unknown time", sizeof(str)); + ret = krb5_format_time(context, slaves->seen, str, sizeof(str), TRUE); rtbl_add_column_entry(tbl, SLAVE_SEEN, str); slaves = slaves->next; 
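Review bot: The new early return in process_msg after the failed `krb5_ret_int32 (sp, &tmp)` frees `out` but not `sp`, so the storage created by `krb5_storage_from_mem` leaks on every malformed command; add `krb5_storage_free (sp);` before that `return 1;`. The I_HAVE short-read path uses `break` instead, presumably to reach a common cleanup outside the hunk, which is not visible here. The two new log strings also read oddly (`client send too short command`, `client send too I_HAVE data`); something like `client sent too short a command` and `client sent truncated I_HAVE data` gives operators a clear statement.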
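Review bot: `ret = krb5_format_time(context, slaves->seen, str, sizeof(str), TRUE);` stores the result but never tests it, and the removed `strlcpy(str, "Unknown time", ...)` fallback is gone, so on failure `str` may still hold the previous slave's timestamp when it is handed to `rtbl_add_column_entry`. Restore the fallback as `if (ret) strlcpy(str, "Unknown time", sizeof(str));`. The earlier write_stats hunk drops the return value of the same call for the header timestamp in the same way.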
@@ -483,13 +603,26 @@ static int version_flag; static int help_flag; static char *keytab_str = "HDB:"; static char *database; +static char *config_file; +static char *port_str; +static int detach_from_console = 0; static struct getargs args[] = { + { "config-file", 'c', arg_string, &config_file }, { "realm", 'r', arg_string, &realm }, { "keytab", 'k', arg_string, &keytab_str, "keytab to get authentication from", "kspec" }, { "database", 'd', arg_string, &database, "database", "file"}, - { "slave-stats-file", 0, arg_string, &slave_stats_file, "file"}, + { "slave-stats-file", 0, arg_string, &slave_stats_file, + "file for slave status information", "file"}, + { "time-missing", 0, arg_string, &slave_time_missing, + "time before slave is polled for presence", "time"}, + { "time-gone", 0, arg_string, &slave_time_gone, + "time of inactivity after which a slave is considered gone", "time"}, + { "port", 0, arg_string, &port_str, + "port ipropd will listen to", "port"}, + { "detach", 0, arg_flag, &detach_from_console, + "detach from console" }, { "version", 0, arg_flag, &version_flag }, { "help", 0, arg_flag, &help_flag } }; @@ -506,9 +639,10 @@ main(int argc, char **argv) int signal_fd, listen_fd; int log_fd; slave *slaves = NULL; - u_int32_t current_version, old_version = 0; + u_int32_t current_version = 0, old_version = 0; krb5_keytab keytab; int optind; + char **files; optind = krb5_program_setup(&context, argc, argv, args, num_args, NULL); 
@@ -519,6 +653,27 @@ main(int argc, char **argv) exit(0); } + if (config_file == NULL) + config_file = HDB_DB_DIR "/kdc.conf"; + + ret = krb5_prepend_config_files_default(config_file, &files); + if (ret) + krb5_err(context, 1, ret, "getting configuration files"); + + ret = krb5_set_config_files(context, files); + krb5_free_config_files(files); + if (ret) + krb5_err(context, 1, ret, "reading configuration files"); + + time_before_gone = parse_time (slave_time_gone, "s"); + if (time_before_gone < 0) + krb5_errx (context, 1, "couldn't parse time: %s", slave_time_gone); + time_before_missing = parse_time (slave_time_missing, "s"); + if (time_before_missing < 0) + krb5_errx (context, 1, "couldn't parse time: %s", slave_time_missing); + + if (detach_from_console) + daemon(0, 0); pidfile (NULL); krb5_openlog (context, "ipropd-master", &log_facility); krb5_set_warn_dest(context, log_facility); @@ -553,7 +708,7 @@ main(int argc, char **argv) server_context->log_context.log_file); signal_fd = make_signal_socket (context); - listen_fd = make_listen_socket (context); + listen_fd = make_listen_socket (context, port_str); signal (SIGPIPE, SIG_IGN); @@ -593,12 +748,13 @@ main(int argc, char **argv) old_version = current_version; kadm5_log_get_version_fd (log_fd, ¤t_version); - if (current_version > old_version) + if (current_version > old_version) { for (p = slaves; p != NULL; p = p->next) { if (p->flags & SLAVE_F_DEAD) continue; send_diffs (context, p, log_fd, database, current_version); } + } } if (ret && FD_ISSET(signal_fd, &readset)) { 
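Review bot: `daemon(0, 0)` is called without checking its return value; if the fork or setsid fails the master keeps running attached to the console while the operator believes it detached, and `pidfile (NULL)` then records that state. Use `if (daemon(0, 0) < 0) krb5_err (context, 1, errno, "daemon");`. The same unchecked call is added to main in the ipropd_slave.c hunk further down.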
@@ -611,25 +767,31 @@ main(int argc, char **argv) continue; } --ret; + assert(ret >= 0); old_version = current_version; kadm5_log_get_version_fd (log_fd, ¤t_version); for (p = slaves; p != NULL; p = p->next) send_diffs (context, p, log_fd, database, current_version); - } + } - for(p = slaves; ret && p != NULL; p = p->next) { + for(p = slaves; p != NULL; p = p->next) { if (p->flags & SLAVE_F_DEAD) - continue; - if (FD_ISSET(p->fd, &readset)) { + continue; + if (ret && FD_ISSET(p->fd, &readset)) { --ret; + assert(ret >= 0); if(process_msg (context, p, log_fd, database, current_version)) slave_dead(p); - } + } else if (slave_gone_p (p)) + slave_dead (p); + else if (slave_missing_p (p)) + send_are_you_there (context, p); } if (ret && FD_ISSET(listen_fd, &readset)) { add_slave (context, keytab, &slaves, listen_fd); --ret; + assert(ret >= 0); } write_stats(context, slaves, current_version); } diff --git a/kerberosV/src/lib/kadm5/ipropd_slave.c b/kerberosV/src/lib/kadm5/ipropd_slave.c index f1c0c9f8031..9759c5ae9a1 100644 --- a/kerberosV/src/lib/kadm5/ipropd_slave.c +++ b/kerberosV/src/lib/kadm5/ipropd_slave.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -34,12 +34,15 @@ #include "iprop.h" #include <util.h> -RCSID("$KTH: ipropd_slave.c,v 1.27.2.1 2003/08/15 16:45:15 lha Exp $"); +RCSID("$KTH: ipropd_slave.c,v 1.39 2005/05/23 17:39:35 lha Exp $"); static krb5_log_facility *log_facility; +static char *server_time_lost = "5 min"; +static int time_before_lost; static int -connect_to_master (krb5_context context, const char *master) +connect_to_master (krb5_context context, const char *master, + const char *port_str) { int fd; struct sockaddr_in addr; 
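Review bot: The three `assert(ret >= 0)` checks added to the select() bookkeeping vanish under NDEBUG, so a release build of the daemon has no guard at all on the `--ret` accounting. If they are a real invariant, replace them with an explicit test that logs and recovers, e.g. `if (ret < 0) { krb5_warnx (context, "select fd count went negative"); ret = 0; }`; if they are debugging aids, a comment saying so would stop the next reader from relying on them. The ignored return value of `send_are_you_there` is fine because that function calls `slave_dead` itself on failure, which deserves a `/* marks slave dead on failure */` comment at the call.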
@@ -50,8 +53,23 @@ connect_to_master (krb5_context context, const char *master) krb5_err (context, 1, errno, "socket AF_INET"); memset (&addr, 0, sizeof(addr)); addr.sin_family = AF_INET; - addr.sin_port = krb5_getportbyname (context, - IPROP_SERVICE, "tcp", IPROP_PORT); + if (port_str) { + addr.sin_port = krb5_getportbyname (context, + port_str, "tcp", + 0); + if (addr.sin_port == 0) { + char *ptr; + long port; + + port = strtol (port_str, &ptr, 10); + if (port == 0 && ptr == port_str) + krb5_errx (context, 1, "bad port `%s'", port_str); + addr.sin_port = htons(port); + } + } else { + addr.sin_port = krb5_getportbyname (context, IPROP_SERVICE, + "tcp", IPROP_PORT); + } he = roken_gethostbyname (master); if (he == NULL) krb5_errx (context, 1, "gethostbyname: %s", hstrerror(h_errno)); @@ -68,7 +86,7 @@ get_creds(krb5_context context, const char *keytab_str, krb5_keytab keytab; krb5_principal client; krb5_error_code ret; - krb5_get_init_creds_opt init_opts; + krb5_get_init_creds_opt *init_opts; krb5_creds creds; char *server; char keytab_buf[256]; @@ -88,15 +106,17 @@ get_creds(krb5_context context, const char *keytab_str, KRB5_NT_SRV_HST, &client); if (ret) krb5_err(context, 1, ret, "krb5_sname_to_principal"); - krb5_get_init_creds_opt_init(&init_opts); + ret = krb5_get_init_creds_opt_alloc(context, &init_opts); + if (ret) krb5_err(context, 1, ret, "krb5_get_init_creds_opt_alloc"); asprintf (&server, "%s/%s", IPROP_NAME, host); if (server == NULL) krb5_errx (context, 1, "malloc: no memory"); ret = krb5_get_init_creds_keytab(context, &creds, client, keytab, - 0, server, &init_opts); + 0, server, init_opts); free (server); + krb5_get_init_creds_opt_free(init_opts); if(ret) krb5_err(context, 1, ret, "krb5_get_init_creds"); ret = krb5_kt_close(context, keytab); 
@@ -119,7 +139,7 @@ ihave (krb5_context context, krb5_auth_context auth_context, int ret; u_char buf[8]; krb5_storage *sp; - krb5_data data, priv_data; + krb5_data data; sp = krb5_storage_from_mem (buf, 8); krb5_store_int32 (sp, I_HAVE); @@ -128,15 +148,9 @@ ihave (krb5_context context, krb5_auth_context auth_context, data.length = 8; data.data = buf; - ret = krb5_mk_priv (context, auth_context, &data, &priv_data, NULL); - if (ret) - krb5_err (context, 1, ret, "krb_mk_priv"); - - ret = krb5_write_message (context, &fd, &priv_data); + ret = krb5_write_priv_message(context, auth_context, &fd, &data); if (ret) - krb5_err (context, 1, ret, "krb5_write_message"); - - krb5_data_free (&priv_data); + krb5_err (context, 1, ret, "krb5_write_priv_message"); } static void @@ -160,7 +174,7 @@ receive_loop (krb5_context context, op = tmp; krb5_ret_int32 (sp, &len); if (vers <= server_context->log_context.version) - krb5_storage_seek(sp, len, SEEK_CUR); + krb5_storage_seek(sp, len + 8, SEEK_CUR); } while(vers <= server_context->log_context.version); left = krb5_storage_seek (sp, -16, SEEK_CUR); @@ -192,7 +206,7 @@ receive_loop (krb5_context context, ret = kadm5_log_replay (server_context, op, vers, len, sp); if (ret) - krb5_warn (context, ret, "kadm5_log_replay"); + krb5_warn (context, ret, "kadm5_log_replay: %d", (int)vers); else server_context->log_context.version = vers; krb5_storage_seek (sp, 8, SEEK_CUR); 
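Review bot: `krb5_storage_seek(sp, len + 8, SEEK_CUR)` in receive_loop uses a length read off the wire with `krb5_ret_int32` and never validated, so a negative or oversized `len` moves the cursor to an arbitrary position before the following `krb5_storage_seek (sp, -16, SEEK_CUR)` and replay, and `len + 8` can overflow int32. Even though the message arrives over the krb5 priv channel from the master, reject a `len` that is negative or larger than the bytes remaining in `sp` before seeking. The enclosing do/while loop begins outside the hunk.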
@@ -206,20 +220,45 @@ receive (krb5_context context, { int ret; - ret = server_context->db->open(context, - server_context->db, - O_RDWR | O_CREAT, 0600); + ret = server_context->db->hdb_open(context, + server_context->db, + O_RDWR | O_CREAT, 0600); if (ret) krb5_err (context, 1, ret, "db->open"); receive_loop (context, sp, server_context); - ret = server_context->db->close (context, server_context->db); + ret = server_context->db->hdb_close (context, server_context->db); if (ret) krb5_err (context, 1, ret, "db->close"); } static void +send_im_here (krb5_context context, int fd, + krb5_auth_context auth_context) +{ + krb5_storage *sp; + krb5_data data; + int ret; + + ret = krb5_data_alloc (&data, 4); + if (ret) + krb5_err (context, 1, ret, "send_im_here"); + + sp = krb5_storage_from_data (&data); + if (sp == NULL) + krb5_errx (context, 1, "krb5_storage_from_data"); + krb5_store_int32(sp, I_AM_HERE); + krb5_storage_free(sp); + + ret = krb5_write_priv_message(context, auth_context, &fd, &data); + krb5_data_free(&data); + + if (ret) + krb5_err (context, 1, ret, "krb5_write_priv_message"); +} + +static void receive_everything (krb5_context context, int fd, kadm5_server_context *server_context, krb5_auth_context auth_context) @@ -228,12 +267,12 @@ receive_everything (krb5_context context, int fd, krb5_data data; int32_t vno; int32_t opcode; - unsigned long tmp; + krb5_storage *sp; char *dbname; HDB *mydb; - asprintf(&dbname, "%s-NEW", server_context->db->name); + asprintf(&dbname, "%s-NEW", server_context->db->hdb_name); ret = hdb_create(context, &mydb, dbname); if(ret) krb5_err(context,1, ret, "hdb_create"); 
@@ -246,47 +285,53 @@ receive_everything (krb5_context context, int fd, /* I really want to use O_EXCL here, but given that I can't easily clean up on error, I won't */ - ret = mydb->open(context, mydb, O_RDWR | O_CREAT | O_TRUNC, 0600); + ret = mydb->hdb_open(context, mydb, O_RDWR | O_CREAT | O_TRUNC, 0600); if (ret) krb5_err (context, 1, ret, "db->open"); + sp = NULL; do { - krb5_storage *sp; - ret = krb5_read_priv_message(context, auth_context, &fd, &data); if (ret) krb5_err (context, 1, ret, "krb5_read_priv_message"); sp = krb5_storage_from_data (&data); + if (sp == NULL) + krb5_errx (context, 1, "krb5_storage_from_data"); krb5_ret_int32 (sp, &opcode); if (opcode == ONE_PRINC) { krb5_data fake_data; hdb_entry entry; + krb5_storage_free(sp); + fake_data.data = (char *)data.data + 4; fake_data.length = data.length - 4; ret = hdb_value2entry (context, &fake_data, &entry); if (ret) krb5_err (context, 1, ret, "hdb_value2entry"); - ret = mydb->store(server_context->context, - mydb, - 0, &entry); + ret = mydb->hdb_store(server_context->context, + mydb, + 0, &entry); if (ret) krb5_err (context, 1, ret, "hdb_store"); hdb_free_entry (context, &entry); krb5_data_free (&data); - } + } else if (opcode == NOW_YOU_HAVE) + ; + else + krb5_errx (context, 1, "strange opcode %d", opcode); } while (opcode == ONE_PRINC); if (opcode != NOW_YOU_HAVE) krb5_errx (context, 1, "receive_everything: strange %d", opcode); - _krb5_get_int ((char *)data.data + 4, &tmp, 4); - vno = tmp; + krb5_ret_int32 (sp, &vno); + krb5_storage_free(sp); ret = kadm5_log_reinit (server_context); if (ret) 
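Review bot: `krb5_ret_int32 (sp, &opcode);` in receive_everything is still unchecked, so a message shorter than four bytes leaves `opcode` unset (or stale from the previous iteration) and that value drives both the `if` chain and the `while (opcode == ONE_PRINC)` condition; in the ONE_PRINC branch `fake_data.length = data.length - 4` then underflows for the same short message and hands hdb_value2entry a huge length. Check both together right after the storage is created, e.g. `if (krb5_ret_int32 (sp, &opcode) != 0 || data.length < 4) krb5_errx (context, 1, "receive_everything: short message");`. The trailing `krb5_ret_int32 (sp, &vno)` needs the same treatment since `vno` becomes the slave's recorded version.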
@@ -302,28 +347,38 @@ receive_everything (krb5_context context, int fd, krb5_data_free (&data); - ret = mydb->rename (context, mydb, server_context->db->name); + ret = mydb->hdb_rename (context, mydb, server_context->db->hdb_name); if (ret) krb5_err (context, 1, ret, "db->rename"); - ret = mydb->close (context, mydb); + ret = mydb->hdb_close (context, mydb); if (ret) krb5_err (context, 1, ret, "db->close"); - ret = mydb->destroy (context, mydb); + ret = mydb->hdb_destroy (context, mydb); if (ret) krb5_err (context, 1, ret, "db->destroy"); } +static char *config_file; static char *realm; static int version_flag; static int help_flag; static char *keytab_str; +static char *port_str; +static int detach_from_console = 0; static struct getargs args[] = { + { "config-file", 'c', arg_string, &config_file }, { "realm", 'r', arg_string, &realm }, { "keytab", 'k', arg_string, &keytab_str, "keytab to get authentication from", "kspec" }, + { "time-lost", 0, arg_string, &server_time_lost, + "time before server is considered lost", "time" }, + { "port", 0, arg_string, &port_str, + "port ipropd-slave will connect to", "port"}, + { "detach", 0, arg_flag, &detach_from_console, + "detach from console" }, { "version", 0, arg_flag, &version_flag }, { "help", 0, arg_flag, &help_flag } }; @@ -349,6 +404,7 @@ main(int argc, char **argv) int master_fd; krb5_ccache ccache; krb5_principal server; + char **files; int optind; const char *master; @@ -362,6 +418,18 @@ main(int argc, char **argv) exit(0); } + if (config_file == NULL) + config_file = HDB_DB_DIR "/kdc.conf"; + + ret = krb5_prepend_config_files_default(config_file, &files); + if (ret) + krb5_err(context, 1, ret, "getting configuration files"); + + ret = krb5_set_config_files(context, files); + krb5_free_config_files(files); + if (ret) + krb5_err(context, 1, ret, "reading configuration files"); + argc -= optind; argv += optind; 
@@ -370,6 +438,8 @@ main(int argc, char **argv) master = argv[0]; + if (detach_from_console) + daemon(0, 0); pidfile (NULL); krb5_openlog (context, "ipropd-slave", &log_facility); krb5_set_warn_dest(context, log_facility); @@ -378,6 +448,10 @@ main(int argc, char **argv) if(ret) krb5_err(context, 1, ret, "krb5_kt_register"); + time_before_lost = parse_time (server_time_lost, "s"); + if (time_before_lost < 0) + krb5_errx (context, 1, "couldn't parse time: %s", server_time_lost); + memset(&conf, 0, sizeof(conf)); if(realm) { conf.mask |= KADM5_CONFIG_REALM; @@ -400,7 +474,7 @@ main(int argc, char **argv) get_creds(context, keytab_str, &ccache, master); - master_fd = connect_to_master (context, master); + master_fd = connect_to_master (context, master, port_str); ret = krb5_sname_to_principal (context, master, IPROP_NAME, KRB5_NT_SRV_HST, &server); @@ -423,6 +497,29 @@ main(int argc, char **argv) krb5_data out; krb5_storage *sp; int32_t tmp; + fd_set readset; + struct timeval to; + + if (master_fd >= FD_SETSIZE) + krb5_errx (context, 1, "fd too large"); + + FD_ZERO(&readset); + FD_SET(master_fd, &readset); + + to.tv_sec = time_before_lost; + to.tv_usec = 0; + + ret = select (master_fd + 1, + &readset, NULL, NULL, &to); + if (ret < 0) { + if (errno == EINTR) + continue; + else + krb5_err (context, 1, errno, "select"); + } + if (ret == 0) + krb5_errx (context, 1, "server didn't send a message " + "in %d seconds", time_before_lost); ret = krb5_read_priv_message(context, auth_context, &master_fd, &out); @@ -441,9 +538,13 @@ main(int argc, char **argv) receive_everything (context, master_fd, server_context, auth_context); break; + case ARE_YOU_THERE : + send_im_here (context, master_fd, auth_context); + break; case NOW_YOU_HAVE : case I_HAVE : case ONE_PRINC : + case I_AM_HERE : default : krb5_warnx (context, "Ignoring command %d", tmp); break; diff --git a/kerberosV/src/lib/kafs/afssys.c b/kerberosV/src/lib/kafs/afssys.c index dda9af7c0ae..bcac9845994 100644 
--- a/kerberosV/src/lib/kafs/afssys.c +++ b/kerberosV/src/lib/kafs/afssys.c @@ -33,7 +33,7 @@ #include "kafs_locl.h" -RCSID("$KTH: afssys.c,v 1.69.2.2 2004/06/22 14:29:48 lha Exp $"); +RCSID("$KTH: afssys.c,v 1.73 2005/06/02 07:25:58 lha Exp $"); struct procdata { unsigned long param4; @@ -112,6 +112,8 @@ try_aix(void) * there's a /etc/name_to_sysnum file. */ +#if defined(AFS_SYSCALL) || defined(AFS_SYSCALL2) || defined(AFS_SYSCALL3) + #define _PATH_ETC_NAME_TO_SYSNUM "/etc/name_to_sysnum" static int @@ -143,6 +145,7 @@ map_syscall_name_to_number (const char *str, int *res) fclose (f); return -1; } +#endif static int try_proc(const char *path) diff --git a/kerberosV/src/lib/kafs/common.c b/kerberosV/src/lib/kafs/common.c index 49c74650536..5d6d77d5170 100644 --- a/kerberosV/src/lib/kafs/common.c +++ b/kerberosV/src/lib/kafs/common.c @@ -33,7 +33,7 @@ #include "kafs_locl.h" -RCSID("$KTH: common.c,v 1.26.2.1 2003/04/23 18:03:20 lha Exp $"); +RCSID("$KTH: common.c,v 1.31 2005/06/02 07:38:06 lha Exp $"); #define AUTH_SUPERUSER "afs" @@ -242,7 +242,7 @@ find_cells(const char *file, char ***cells, int *index) * Get tokens for all cells[] */ static int -afslog_cells(kafs_data *data, char **cells, int max, uid_t uid, +afslog_cells(struct kafs_data *data, char **cells, int max, uid_t uid, const char *homedir) { int ret = 0; @@ -256,7 +256,8 @@ afslog_cells(kafs_data *data, char **cells, int max, uid_t uid, } int -_kafs_afslog_all_local_cells(kafs_data *data, uid_t uid, const char *homedir) +_kafs_afslog_all_local_cells(struct kafs_data *data, + uid_t uid, const char *homedir) { int ret; char **cells = NULL; 
@@ -278,8 +279,12 @@ _kafs_afslog_all_local_cells(kafs_data *data, uid_t uid, const char *homedir) #if 0 find_cells(_PATH_OPENAFS_DEBIAN_THESECELLS, &cells, &index); find_cells(_PATH_OPENAFS_DEBIAN_THISCELL, &cells, &index); + find_cells(_PATH_OPENAFS_MACOSX_THESECELLS, &cells, &index); + find_cells(_PATH_OPENAFS_MACOSX_THISCELL, &cells, &index); find_cells(_PATH_ARLA_DEBIAN_THESECELLS, &cells, &index); find_cells(_PATH_ARLA_DEBIAN_THISCELL, &cells, &index); + find_cells(_PATH_ARLA_OPENBSD_THESECELLS, &cells, &index); + find_cells(_PATH_ARLA_OPENBSD_THISCELL, &cells, &index); #endif ret = afslog_cells(data, cells, index, uid, homedir); @@ -291,7 +296,8 @@ _kafs_afslog_all_local_cells(kafs_data *data, uid_t uid, const char *homedir) static int -file_find_cell(kafs_data *data, const char *cell, char **realm, int exact) +file_find_cell(struct kafs_data *data, + const char *cell, char **realm, int exact) { FILE *F; char buf[1024]; @@ -336,9 +342,9 @@ file_find_cell(kafs_data *data, const char *cell, char **realm, int exact) return ret; } -/* Find the realm associated with cell. Do this by opening - /usr/vice/etc/CellServDB and getting the realm-of-host for the - first VL-server for the cell. +/* Find the realm associated with cell. Do this by opening CellServDB + file and getting the realm-of-host for the first VL-server for the + cell. This does not work when the VL-server is living in one realm, but the cell it is serving is living in another realm. @@ -347,7 +353,8 @@ file_find_cell(kafs_data *data, const char *cell, char **realm, int exact) */ int -_kafs_realm_of_cell(kafs_data *data, const char *cell, char **realm) +_kafs_realm_of_cell(struct kafs_data *data, + const char *cell, char **realm) { char buf[1024]; int ret; 
@@ -364,7 +371,7 @@ _kafs_realm_of_cell(kafs_data *data, const char *cell, char **realm) } static int -_kafs_try_get_cred(kafs_data *data, const char *user, const char *cell, +_kafs_try_get_cred(struct kafs_data *data, const char *user, const char *cell, const char *realm, uid_t uid, struct kafs_token *kt) { int ret; @@ -384,7 +391,7 @@ _kafs_try_get_cred(kafs_data *data, const char *user, const char *cell, int -_kafs_get_cred(kafs_data *data, +_kafs_get_cred(struct kafs_data *data, const char *cell, const char *realm_hint, const char *realm, @@ -395,7 +402,7 @@ _kafs_get_cred(kafs_data *data, char *vl_realm; char CELL[64]; - /* We're about to find the the realm that holds the key for afs in + /* We're about to find the realm that holds the key for afs in * the specified cell. The problem is that null-instance * afs-principals are common and that hitting the wrong realm might * yield the wrong afs key. The following assumptions were made. diff --git a/kerberosV/src/lib/kafs/kafs.3 b/kerberosV/src/lib/kafs/kafs.3 index 1bb0130f2fb..7216a4ac558 100644 --- a/kerberosV/src/lib/kafs/kafs.3 +++ b/kerberosV/src/lib/kafs/kafs.3 @@ -29,7 +29,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $KTH: kafs.3,v 1.16 2003/04/16 13:58:27 lha Exp $ +.\" $KTH: kafs.3,v 1.17 2003/11/07 23:18:02 lha Exp $ .\" .Dd March 17, 2003 .Os HEIMDAL @@ -151,7 +151,7 @@ and .Pp .Fn krb5_afslog , .Fn kafs_settoken5 -can be configured to behave differently via a +can be configured to behave differently via a .Nm krb5_appdefault option .Li afs-use-524 @@ -186,7 +186,7 @@ as application name when running the .Nm krb5_appdefault function call. .Pp -The (uppercased) cellname is used as the realm to the +The (uppercased) cell name is used as the realm to the .Nm krb5_appdefault function. .Pp .\" The extra arguments are the ubiquitous context, and the cache id where 
@@ -208,7 +208,7 @@ characters is put in .Fn k_pioctl does a .Fn pioctl -syscall with the specified arguments. This function is equivalent to +system call with the specified arguments. This function is equivalent to .Fn lpioctl . .Pp .Fn k_setpag diff --git a/kerberosV/src/lib/kafs/kafs.h b/kerberosV/src/lib/kafs/kafs.h index 12b2e2e29b8..12e38dba565 100644 --- a/kerberosV/src/lib/kafs/kafs.h +++ b/kerberosV/src/lib/kafs/kafs.h @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $KTH: kafs.h,v 1.39.2.1 2003/04/23 18:03:21 lha Exp $ */ +/* $KTH: kafs.h,v 1.43 2005/02/03 08:45:13 lha Exp $ */ #ifndef __KAFS_H #define __KAFS_H 
@@ -45,41 +45,31 @@ #include<xfs/xfs_pioctl.h> -#ifdef __STDC__ -#ifndef __P -#define __P(x) x -#endif -#else -#ifndef __P -#define __P(x) () -#endif -#endif - /* Use k_hasafs() to probe if the machine supports AFS syscalls. The other functions will generate a SIGSYS if AFS is not supported */ -int k_hasafs __P((void)); +int k_hasafs (void); -int krb_afslog __P((const char *cell, const char *realm)); -int krb_afslog_uid __P((const char *cell, const char *realm, uid_t uid)); -int krb_afslog_home __P((const char *cell, const char *realm, - const char *homedir)); -int krb_afslog_uid_home __P((const char *cell, const char *realm, uid_t uid, - const char *homedir)); +int krb_afslog (const char *cell, const char *realm); +int krb_afslog_uid (const char *cell, const char *realm, uid_t uid); +int krb_afslog_home (const char *cell, const char *realm, + const char *homedir); +int krb_afslog_uid_home (const char *cell, const char *realm, uid_t uid, + const char *homedir); -int krb_realm_of_cell __P((const char *cell, char **realm)); +int krb_realm_of_cell (const char *cell, char **realm); /* compat */ #define k_afsklog krb_afslog #define k_afsklog_uid krb_afslog_uid -int k_pioctl __P((char *a_path, +int k_pioctl (char *a_path, int o_opcode, struct ViceIoctl *a_paramsP, - int a_followSymlinks)); -int k_unlog __P((void)); -int k_setpag __P((void)); -int k_afs_cell_of_file __P((const char *path, char *cell, int len)); + int a_followSymlinks); +int k_unlog (void); +int k_setpag (void); +int k_afs_cell_of_file (const char *path, char *cell, int len); 
@@ -92,41 +82,41 @@ int k_afs_cell_of_file __P((const char *path, char *cell, int len)); #define KRB5_H_INCLUDED #endif -void kafs_set_verbose __P((void (*kafs_verbose)(void *, const char *), void *)); -int kafs_settoken_rxkad __P((const char *, struct ClearToken *, - void *ticket, size_t ticket_len)); +void kafs_set_verbose (void (*kafs_verbose)(void *, const char *), void *); +int kafs_settoken_rxkad (const char *, struct ClearToken *, + void *ticket, size_t ticket_len); #ifdef KRB_H_INCLUDED -int kafs_settoken __P((const char*, uid_t, CREDENTIALS*)); +int kafs_settoken (const char*, uid_t, CREDENTIALS*); #endif #ifdef KRB5_H_INCLUDED -int kafs_settoken5 __P((krb5_context, const char*, uid_t, krb5_creds*)); +int kafs_settoken5 (krb5_context, const char*, uid_t, krb5_creds*); #endif #ifdef KRB5_H_INCLUDED -krb5_error_code krb5_afslog_uid __P((krb5_context context, +krb5_error_code krb5_afslog_uid (krb5_context context, krb5_ccache id, const char *cell, krb5_const_realm realm, - uid_t uid)); -krb5_error_code krb5_afslog __P((krb5_context context, + uid_t uid); +krb5_error_code krb5_afslog (krb5_context context, krb5_ccache id, const char *cell, - krb5_const_realm realm)); -krb5_error_code krb5_afslog_uid_home __P((krb5_context context, + krb5_const_realm realm); +krb5_error_code krb5_afslog_uid_home (krb5_context context, krb5_ccache id, const char *cell, krb5_const_realm realm, uid_t uid, - const char *homedir)); + const char *homedir); -krb5_error_code krb5_afslog_home __P((krb5_context context, +krb5_error_code krb5_afslog_home (krb5_context context, krb5_ccache id, const char *cell, krb5_const_realm realm, - const char *homedir)); + const char *homedir); -krb5_error_code krb5_realm_of_cell __P((const char *cell, char **realm)); +krb5_error_code krb5_realm_of_cell (const char *cell, char **realm); #endif 
@@ -147,11 +137,21 @@ krb5_error_code krb5_realm_of_cell __P((const char *cell, char **realm)); #define _PATH_OPENAFS_DEBIAN_THESECELLS _PATH_OPENAFS_DEBIAN_VICE "TheseCells" #endif +#define _PATH_OPENAFS_MACOSX_VICE "/var/db/openafs/etc/" +#define _PATH_OPENAFS_MACOSX_THISCELL _PATH_OPENAFS_MACOSX_VICE "ThisCell" +#define _PATH_OPENAFS_MACOSX_CELLSERVDB _PATH_OPENAFS_MACOSX_VICE "CellServDB" +#define _PATH_OPENAFS_MACOSX_THESECELLS _PATH_OPENAFS_MACOSX_VICE "TheseCells" + #define _PATH_ARLA_DEBIAN_VICE "/etc/arla/" #define _PATH_ARLA_DEBIAN_THISCELL _PATH_ARLA_DEBIAN_VICE "ThisCell" #define _PATH_ARLA_DEBIAN_CELLSERVDB _PATH_ARLA_DEBIAN_VICE "CellServDB" #define _PATH_ARLA_DEBIAN_THESECELLS _PATH_ARLA_DEBIAN_VICE "TheseCells" +#define _PATH_ARLA_OPENBSD_VICE "/etc/afs/" +#define _PATH_ARLA_OPENBSD_THISCELL _PATH_ARLA_OPENBSD_VICE "ThisCell" +#define _PATH_ARLA_OPENBSD_CELLSERVDB _PATH_ARLA_OPENBSD_VICE "CellServDB" +#define _PATH_ARLA_OPENBSD_THESECELLS _PATH_ARLA_OPENBSD_VICE "TheseCells" + extern int _kafs_debug; #endif /* __KAFS_H */ diff --git a/kerberosV/src/lib/krb5/addr_families.c b/kerberosV/src/lib/krb5/addr_families.c index 5354f33ec39..22ccc63af4f 100644 --- a/kerberosV/src/lib/krb5/addr_families.c +++ b/kerberosV/src/lib/krb5/addr_families.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$KTH: addr_families.c,v 1.38 2003/03/25 12:37:02 joda Exp $"); +RCSID("$KTH: addr_families.c,v 1.47 2005/05/18 04:20:36 lha Exp $"); struct addr_operations { int af; 
@@ -52,6 +52,8 @@ struct addr_operations { int (*order_addr)(krb5_context, const krb5_address*, const krb5_address*); int (*free_addr)(krb5_context, krb5_address*); int (*copy_addr)(krb5_context, const krb5_address*, krb5_address*); + int (*mask_boundary)(krb5_context, const krb5_address*, unsigned long, + krb5_address*, krb5_address*); }; /* @@ -154,13 +156,9 @@ ipv4_print_addr (const krb5_address *addr, char *str, size_t len) { struct in_addr ia; - if (len == 0) - return(0); - memcpy (&ia, addr->address.data, 4); - (void) snprintf (str, len, "IPv4:%s", inet_ntoa(ia)); - return(strlen(str)); + return snprintf (str, len, "IPv4:%s", inet_ntoa(ia)); } static int @@ -196,6 +194,40 @@ ipv4_parse_addr (krb5_context context, const char *address, krb5_address *addr) return 0; } +static int +ipv4_mask_boundary(krb5_context context, const krb5_address *inaddr, + unsigned long len, krb5_address *low, krb5_address *high) +{ + unsigned long ia; + u_int32_t l, h, m = 0xffffffff; + + if (len > 32) { + krb5_set_error_string(context, "IPv4 prefix too large (%ld)", len); + return KRB5_PROG_ATYPE_NOSUPP; + } + m = m << (32 - len); + + _krb5_get_int(inaddr->address.data, &ia, inaddr->address.length); + + l = ia & m; + h = l | ~m; + + low->addr_type = KRB5_ADDRESS_INET; + if(krb5_data_alloc(&low->address, 4) != 0) + return -1; + _krb5_put_int(low->address.data, l, low->address.length); + + high->addr_type = KRB5_ADDRESS_INET; + if(krb5_data_alloc(&high->address, 4) != 0) { + krb5_free_address(context, low); + return -1; + } + _krb5_put_int(high->address.data, h, high->address.length); + + return 0; +} + + /* * AF_INET6 - aka IPv6 implementation */ 
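Review bot: ipv4_print_addr now returns the raw `snprintf` result instead of `strlen(str)`, which changes the contract: the value can exceed `len` when the output is truncated and can be negative on error, and the `len == 0` early return is gone. Any caller that treated the result as "bytes written into str" must now test `ret < 0 || (size_t)ret >= len` before using it; if that is the intent, a comment on the function saying it returns the would-be length in snprintf style would prevent misuse. ipv6_print_addr in the next hunk makes the same change.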
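Review bot: `m = m << (32 - len);` in ipv4_mask_boundary is undefined for `len == 0`, which the `len > 32` guard lets through: shifting a 32-bit value by 32 is UB and on common targets yields an unchanged mask rather than the all-zero mask a /0 prefix needs. The function also passes `inaddr->address.length` to `_krb5_get_int` without checking it is 4, unlike its IPv6 counterpart in a later hunk, and formats the `unsigned long` prefix with `%ld`. The rewritten head of the function below handles the three points; the rest of the body is unchanged.
```c
static int
ipv4_mask_boundary(krb5_context context, const krb5_address *inaddr,
		   unsigned long len, krb5_address *low, krb5_address *high)
{
    /* … unchanged: locals ia, l, h, m … */

    if (len > 32) {
	krb5_set_error_string(context, "IPv4 prefix too large (%lu)", len);
	return KRB5_PROG_ATYPE_NOSUPP;
    }
    if (inaddr->address.length != 4) {
	krb5_set_error_string(context, "IPv4 addr bad length");
	return KRB5_PROG_ATYPE_NOSUPP;
    }
    /* a shift by 32 is undefined for a 32-bit type; a /0 prefix matches everything */
    m = (len == 0) ? 0 : m << (32 - len);

    /* … unchanged: read the address, compute l/h, allocate low and high … */
```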
@@ -307,13 +339,23 @@ ipv6_anyaddr (struct sockaddr *sa, krb5_socklen_t *sa_size, int port) static int ipv6_print_addr (const krb5_address *addr, char *str, size_t len) { - char buf[128]; + char buf[128], buf2[3]; +#ifdef HAVE_INET_NTOP if(inet_ntop(AF_INET6, addr->address.data, buf, sizeof(buf)) == NULL) - return (0); - if (len == 0) - return(0); - (void) snprintf(str, len, "IPv6:%s", buf); - return(strlen(str)); +#endif + { + /* XXX this is pretty ugly, but better than abort() */ + int i; + unsigned char *p = addr->address.data; + buf[0] = '\0'; + for(i = 0; i < addr->address.length; i++) { + snprintf(buf2, sizeof(buf2), "%02x", p[i]); + if(i > 0 && (i & 1) == 0) + strlcat(buf, ":", sizeof(buf)); + strlcat(buf, buf2, sizeof(buf)); + } + } + return snprintf(str, len, "IPv6:%s", buf); } static int 
@@ -344,6 +386,55 @@ ipv6_parse_addr (krb5_context context, const char *address, krb5_address *addr) return -1; } +static int +ipv6_mask_boundary(krb5_context context, const krb5_address *inaddr, + unsigned long len, krb5_address *low, krb5_address *high) +{ + struct in6_addr addr, laddr, haddr; + u_int32_t m; + int i, sub_len; + + if (len > 128) { + krb5_set_error_string(context, "IPv6 prefix too large (%ld)", len); + return KRB5_PROG_ATYPE_NOSUPP; + } + + if (inaddr->address.length != sizeof(addr)) { + krb5_set_error_string(context, "IPv6 addr bad length"); + return KRB5_PROG_ATYPE_NOSUPP; + } + + memcpy(&addr, inaddr->address.data, inaddr->address.length); + + for (i = 0; i < 16; i++) { + sub_len = min(8, len); + + m = 0xff << (8 - sub_len); + + laddr.s6_addr[i] = addr.s6_addr[i] & m; + haddr.s6_addr[i] = (addr.s6_addr[i] & m) | ~m; + + if (len > 8) + len -= 8; + else + len = 0; + } + + low->addr_type = KRB5_ADDRESS_INET6; + if (krb5_data_alloc(&low->address, sizeof(laddr.s6_addr)) != 0) + return -1; + memcpy(low->address.data, laddr.s6_addr, sizeof(laddr.s6_addr)); + + high->addr_type = KRB5_ADDRESS_INET6; + if (krb5_data_alloc(&high->address, sizeof(haddr.s6_addr)) != 0) { + krb5_free_address(context, low); + return -1; + } + memcpy(high->address.data, haddr.s6_addr, sizeof(haddr.s6_addr)); + + return 0; +} + #endif /* IPv6 */ /* @@ -361,8 +452,8 @@ static int arange_parse_addr (krb5_context context, const char *address, krb5_address *addr) { - char buf[1024]; - krb5_addresses low, high; + char buf[1024], *p; + krb5_address low0, high0; struct arange *a; krb5_error_code ret; 
@@ -371,39 +462,84 @@ arange_parse_addr (krb5_context context, address += 6; - /* should handle netmasks */ - strsep_copy(&address, "-", buf, sizeof(buf)); - ret = krb5_parse_address(context, buf, &low); - if(ret) - return ret; - if(low.len != 1) { - krb5_free_addresses(context, &low); - return -1; - } + p = strrchr(address, '/'); + if (p) { + krb5_addresses addrmask; + char *q; + long num; - strsep_copy(&address, "-", buf, sizeof(buf)); - ret = krb5_parse_address(context, buf, &high); - if(ret) { - krb5_free_addresses(context, &low); - return ret; - } + if (strlcpy(buf, address, sizeof(buf)) > sizeof(buf)) + return -1; + buf[p - address] = '\0'; + ret = krb5_parse_address(context, buf, &addrmask); + if (ret) + return ret; + if(addrmask.len != 1) { + krb5_free_addresses(context, &addrmask); + return -1; + } + + address += p - address + 1; + + num = strtol(address, &q, 10); + if (q == address || *q != '\0' || num < 0) { + krb5_free_addresses(context, &addrmask); + return -1; + } + + ret = krb5_address_prefixlen_boundary(context, &addrmask.val[0], num, + &low0, &high0); + krb5_free_addresses(context, &addrmask); + if (ret) + return ret; + + } else { + krb5_addresses low, high; + + strsep_copy(&address, "-", buf, sizeof(buf)); + ret = krb5_parse_address(context, buf, &low); + if(ret) + return ret; + if(low.len != 1) { + krb5_free_addresses(context, &low); + return -1; + } + + strsep_copy(&address, "-", buf, sizeof(buf)); + ret = krb5_parse_address(context, buf, &high); + if(ret) { + krb5_free_addresses(context, &low); + return ret; + } + + if(high.len != 1 && high.val[0].addr_type != low.val[0].addr_type) { + krb5_free_addresses(context, &low); + krb5_free_addresses(context, &high); + return -1; + } - if(high.len != 1 || high.val[0].addr_type != low.val[0].addr_type) { + ret = krb5_copy_address(context, &high.val[0], &high0); + if (ret == 0) { + ret = krb5_copy_address(context, &low.val[0], &low0); + if (ret) + krb5_free_address(context, &high0); + } 
krb5_free_addresses(context, &low); krb5_free_addresses(context, &high); - return -1; + if (ret) + return ret; } krb5_data_alloc(&addr->address, sizeof(*a)); addr->addr_type = KRB5_ADDRESS_ARANGE; a = addr->address.data; - if(krb5_address_order(context, &low.val[0], &high.val[0]) < 0) { - a->low = low.val[0]; - a->high = high.val[0]; + if(krb5_address_order(context, &low0, &high0) < 0) { + a->low = low0; + a->high = high0; } else { - a->low = high.val[0]; - a->high = low.val[0]; + a->low = high0; + a->high = low0; } return 0; } @@ -451,23 +587,35 @@ arange_print_addr (const krb5_address *addr, char *str, size_t len) { struct arange *a; krb5_error_code ret; - size_t l, ret_len = 0; - - if (len == 0) - return(0); + size_t l, size, ret_len; a = addr->address.data; - (void) strlcpy(str, "RANGE:", len); - ret_len += strlen(str); /* truncate if too long */ - - ret = krb5_print_address (&a->low, str + ret_len, len - ret_len, &l); + l = strlcpy(str, "RANGE:", len); + ret_len = l; + if (l > len) + l = len; + size = l; + + ret = krb5_print_address (&a->low, str + size, len - size, &l); + if (ret) + return ret; ret_len += l; + if (len - size > l) + size += l; + else + size = len; - (void) strlcat(str, "-", len); - ret_len += strlen(str); /* truncate if too long */ + l = strlcat(str + size, "-", len - size); + ret_len += l; + if (len - size > l) + size += l; + else + size = len; - ret = krb5_print_address (&a->high, str + ret_len, len - ret_len, &l); + ret = krb5_print_address (&a->high, str + size, len - size, &l); + if (ret) + return ret; ret_len += l; return ret_len; 
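Review bot: The type check in the range branch of arange_parse_addr, `if(high.len != 1 && high.val[0].addr_type != low.val[0].addr_type)`, inverts the removed `||`: a `high` result with zero addresses now reads `high.val[0]` out of bounds in the condition itself, and a multi-address result whose first entry matches the type slips through. It should stay `if(high.len != 1 || high.val[0].addr_type != low.val[0].addr_type)`. In the prefix branch, `if (strlcpy(buf, address, sizeof(buf)) > sizeof(buf))` lets a source of exactly `sizeof(buf)` characters pass although strlcpy has truncated it; strlcpy reports truncation whenever its result is `>= sizeof(buf)`. This hunk starts on the previous line and the enclosing function begins in an earlier hunk.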
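Review bot: arange_print_addr now returns `ret`, a krb5_error_code, when krb5_print_address fails, but its return value is consumed as a length: krb5_print_address later in this diff treats only a negative result as an error (`if (ret < 0) return EINVAL;`), and Heimdal error codes and errno values are positive, so a failure is reported as a successful print of a bogus length. Return `-1` on both failure paths instead, `if (ret) return -1;`. addrport_print_addr in the next hunk has the same problem twice, including `if (ret < 0) return EINVAL;` after its snprintf.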
@@ -515,9 +663,10 @@ arange_order_addr(krb5_context context, static int addrport_print_addr (const krb5_address *addr, char *str, size_t len) { + krb5_error_code ret; krb5_address addr1, addr2; uint16_t port = 0; - size_t ret_len = 0, l; + size_t ret_len = 0, l, size = 0; krb5_storage *sp = krb5_storage_from_data((krb5_data*)&addr->address); /* for totally obscure reasons, these are not in network byteorder */ krb5_storage_set_byteorder(sp, KRB5_STORAGE_BYTEORDER_LE); @@ -534,14 +683,26 @@ addrport_print_addr (const krb5_address *addr, char *str, size_t len) port = value; } l = strlcpy(str, "ADDRPORT:", len); - ret_len += strlen(str); /* truncate if too long */ - krb5_print_address(&addr1, str + ret_len, len - ret_len, &l); ret_len += l; - /* XXX oh the horror */ - if ((len - ret_len) == 0) - return(ret_len); - (void) snprintf(str + ret_len, len - ret_len, ",PORT=%u", port); - return(strlen(str)); + if (len > l) + size += l; + else + size = len; + + ret = krb5_print_address(&addr1, str + size, len - size, &l); + if (ret) + return ret; + ret_len += l; + if (len - size > l) + size += l; + else + size = len; + + ret = snprintf(str + size, len - size, ",PORT=%u", port); + if (ret < 0) + return EINVAL; + ret_len += ret; + return ret_len; } static struct addr_operations at[] = { @@ -551,7 +712,8 @@ static struct addr_operations at[] = { ipv4_addr2sockaddr, ipv4_h_addr2sockaddr, ipv4_h_addr2addr, - ipv4_uninteresting, ipv4_anyaddr, ipv4_print_addr, ipv4_parse_addr}, + ipv4_uninteresting, ipv4_anyaddr, ipv4_print_addr, ipv4_parse_addr, + NULL, NULL, NULL, ipv4_mask_boundary }, #ifdef HAVE_IPV6 {AF_INET6, KRB5_ADDRESS_INET6, sizeof(struct sockaddr_in6), ipv6_sockaddr2addr, 
@@ -559,7 +721,8 @@ static struct addr_operations at[] = { ipv6_addr2sockaddr, ipv6_h_addr2sockaddr, ipv6_h_addr2addr, - ipv6_uninteresting, ipv6_anyaddr, ipv6_print_addr, ipv6_parse_addr} , + ipv6_uninteresting, ipv6_anyaddr, ipv6_print_addr, ipv6_parse_addr, + NULL, NULL, NULL, ipv6_mask_boundary } , #endif {KRB5_ADDRESS_ADDRPORT, KRB5_ADDRESS_ADDRPORT, 0, NULL, NULL, NULL, NULL, NULL, @@ -601,7 +764,7 @@ find_atype(int atype) return NULL; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_sockaddr2address (krb5_context context, const struct sockaddr *sa, krb5_address *addr) { @@ -614,7 +777,7 @@ krb5_sockaddr2address (krb5_context context, return (*a->sockaddr2addr)(sa, addr); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_sockaddr2port (krb5_context context, const struct sockaddr *sa, int16_t *port) { @@ -627,7 +790,7 @@ krb5_sockaddr2port (krb5_context context, return (*a->sockaddr2port)(sa, port); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_addr2sockaddr (krb5_context context, const krb5_address *addr, struct sockaddr *sa, @@ -650,7 +813,7 @@ krb5_addr2sockaddr (krb5_context context, return 0; } -size_t +size_t KRB5_LIB_FUNCTION krb5_max_sockaddr_size (void) { if (max_sockaddr_size == 0) { @@ -662,7 +825,7 @@ krb5_max_sockaddr_size (void) return max_sockaddr_size; } -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_sockaddr_uninteresting(const struct sockaddr *sa) { struct addr_operations *a = find_af(sa->sa_family); @@ -671,7 +834,7 @@ krb5_sockaddr_uninteresting(const struct sockaddr *sa) return (*a->uninteresting)(sa); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_h_addr2sockaddr (krb5_context context, int af, const char *addr, struct sockaddr *sa, @@ -687,7 +850,7 @@ krb5_h_addr2sockaddr (krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_h_addr2addr (krb5_context context, int af, const char *haddr, krb5_address *addr) 
@@ -700,7 +863,7 @@ krb5_h_addr2addr (krb5_context context, return (*a->h_addr2addr)(haddr, addr); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_anyaddr (krb5_context context, int af, struct sockaddr *sa, @@ -718,19 +881,12 @@ krb5_anyaddr (krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_print_address (const krb5_address *addr, char *str, size_t len, size_t *ret_len) { - size_t ret; - int r = 0; struct addr_operations *a = find_atype(addr->addr_type); - - if (len == 0) { - ret = 0; - r = EINVAL; - goto out; - } + int ret; if (a == NULL || a->print_addr == NULL) { char *s; @@ -739,38 +895,30 @@ krb5_print_address (const krb5_address *addr, s = str; l = snprintf(s, len, "TYPE_%d:", addr->addr_type); - if (l < 0 || l > (len - 1)) { - ret = 0; - r = EINVAL; - goto out; - } + if (l < 0 || l >= len) + return EINVAL; s += l; len -= l; for(i = 0; i < addr->address.length; i++) { l = snprintf(s, len, "%02x", ((char*)addr->address.data)[i]); - if (l < 0 || l > (len - 1)) { - ret = 0; - r = EINVAL; - goto out; - } + if (l < 0 || l >= len) + return EINVAL; len -= l; s += l; } - ret = s - str; - goto out; + if(ret_len != NULL) + *ret_len = s - str; + return 0; } ret = (*a->print_addr)(addr, str, len); - if (ret <= 0 || ret > (len - 1)) { - ret = 0; - r = EINVAL; - } -out: + if (ret < 0) + return EINVAL; if(ret_len != NULL) *ret_len = ret; - return r; + return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_parse_address(krb5_context context, const char *string, krb5_addresses *addresses) 
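Review bot: Truncation is no longer detected in krb5_print_address: the removed check rejected `ret > (len - 1)`, while the new `if (ret < 0) return EINVAL;` accepts any non-negative value, and ipv4_print_addr and ipv6_print_addr now return snprintf's would-be length, which can exceed `len`. A caller that advances by `*ret_len` — arange_print_addr and addrport_print_addr compute `str + size` from it — then points past the buffer it passed. Keep the bound: `if (ret < 0 || (size_t)ret >= len) return EINVAL;`. Separately, the unchanged `%02x` of `((char*)addr->address.data)[i]` in the TYPE_ fallback sign-extends bytes at or above 0x80 to eight hex digits where `char` is signed; casting through `unsigned char` fixes that.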
@@ -803,17 +951,26 @@ krb5_parse_address(krb5_context context, ++n; ALLOC_SEQ(addresses, n); + if (addresses->val == NULL) { + krb5_set_error_string(context, "malloc: out of memory"); + freeaddrinfo(ai); + return ENOMEM; + } + addresses->len = 0; for (a = ai, i = 0; a != NULL; a = a->ai_next) { - if(krb5_sockaddr2address (context, ai->ai_addr, - &addresses->val[i]) == 0) - i++; + if (krb5_sockaddr2address (context, ai->ai_addr, &addresses->val[i])) + continue; + if(krb5_address_search(context, &addresses->val[i], addresses)) + continue; + addresses->len = i; + i++; } freeaddrinfo (ai); return 0; } -int +int KRB5_LIB_FUNCTION krb5_address_order(krb5_context context, const krb5_address *addr1, const krb5_address *addr2) @@ -847,7 +1004,7 @@ krb5_address_order(krb5_context context, addr1->address.length); } -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_address_compare(krb5_context context, const krb5_address *addr1, const krb5_address *addr2) @@ -855,7 +1012,7 @@ krb5_address_compare(krb5_context context, return krb5_address_order (context, addr1, addr2) == 0; } -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_address_search(krb5_context context, const krb5_address *addr, const krb5_addresses *addrlist) @@ -868,18 +1025,19 @@ krb5_address_search(krb5_context context, return FALSE; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_free_address(krb5_context context, krb5_address *address) { - struct addr_operations *a = find_af (address->addr_type); + struct addr_operations *a = find_atype (address->addr_type); if(a != NULL && a->free_addr != NULL) return (*a->free_addr)(context, address); krb5_data_free (&address->address); + memset(address, 0, sizeof(*address)); return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_free_addresses(krb5_context context, krb5_addresses *addresses) { 
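Review bot: The loop in krb5_parse_address converts `ai->ai_addr`, the first result, on every iteration instead of `a->ai_addr`, so with the new duplicate filter a multi-homed name yields at most one address; the old code had the same slip but did not de-duplicate, which hid it less. The bookkeeping is also off by one: `addresses->len = i;` before `i++` leaves `len` one short of the entries stored (a single address ends with `len == 0`), and the entry rejected by krb5_address_search is never freed. Suggested loop body:
```c
    for (a = ai, i = 0; a != NULL; a = a->ai_next) {
	if (krb5_sockaddr2address (context, a->ai_addr, &addresses->val[i]))
	    continue;
	if (krb5_address_search(context, &addresses->val[i], addresses)) {
	    krb5_free_address(context, &addresses->val[i]);
	    continue;
	}
	addresses->len = ++i;
    }
```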
@@ -890,7 +1048,7 @@ krb5_free_addresses(krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_copy_address(krb5_context context, const krb5_address *inaddr, krb5_address *outaddr) @@ -901,7 +1059,7 @@ krb5_copy_address(krb5_context context, return copy_HostAddress(inaddr, outaddr); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_copy_addresses(krb5_context context, const krb5_addresses *inaddr, krb5_addresses *outaddr) @@ -915,7 +1073,7 @@ krb5_copy_addresses(krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_append_addresses(krb5_context context, krb5_addresses *dest, const krb5_addresses *source) @@ -949,7 +1107,7 @@ krb5_append_addresses(krb5_context context, * Create an address of type KRB5_ADDRESS_ADDRPORT from (addr, port) */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_make_addrport (krb5_context context, krb5_address **res, const krb5_address *addr, int16_t port) { @@ -998,3 +1156,23 @@ krb5_make_addrport (krb5_context context, return 0; } + +/* + * Calculate the boundary addresses of `inaddr'/`prefixlen' and store + * them in `low' and `high'. + */ + +krb5_error_code KRB5_LIB_FUNCTION +krb5_address_prefixlen_boundary(krb5_context context, + const krb5_address *inaddr, + unsigned long prefixlen, + krb5_address *low, + krb5_address *high) +{ + struct addr_operations *a = find_atype (inaddr->addr_type); + if(a != NULL && a->mask_boundary != NULL) + return (*a->mask_boundary)(context, inaddr, prefixlen, low, high); + krb5_set_error_string(context, "Address family %d doesn't support " + "address mask operation", inaddr->addr_type); + return KRB5_PROG_ATYPE_NOSUPP; +} diff --git a/kerberosV/src/lib/krb5/aname_to_localname.c b/kerberosV/src/lib/krb5/aname_to_localname.c index 9a41811a84c..ac8432794cb 100644 --- a/kerberosV/src/lib/krb5/aname_to_localname.c +++ b/kerberosV/src/lib/krb5/aname_to_localname.c 
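Review bot: The new krb5_address_prefixlen_boundary comment leaves the ownership contract implicit: on success both `low` and `high` hold freshly allocated address data the caller must release with krb5_free_address, on failure neither is left allocated (the IPv4 and IPv6 callbacks free `low` if `high` cannot be allocated), and `prefixlen` is the count of leading bits kept, 0 to 32 for IPv4 and 0 to 128 for IPv6. I would extend the header comment with `The caller owns low and high on success and must free them with krb5_free_address(); neither is left allocated on error.` The error path also uses `KRB5_PROG_ATYPE_NOSUPP` for an unsupported family, the same code the callbacks return for a bad length or prefix, so callers cannot tell a malformed range from an unsupported address type.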
@@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 1999, 2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 1999, 2002 - 2003 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,9 +33,9 @@ #include <krb5_locl.h> -RCSID("$KTH: aname_to_localname.c,v 1.6 2003/04/16 16:01:06 lha Exp $"); +RCSID("$KTH: aname_to_localname.c,v 1.8 2004/05/25 21:16:49 lha Exp $"); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_aname_to_localname (krb5_context context, krb5_const_principal aname, size_t lnsize, diff --git a/kerberosV/src/lib/krb5/appdefault.c b/kerberosV/src/lib/krb5/appdefault.c index a70c6392687..f88853db767 100644 --- a/kerberosV/src/lib/krb5/appdefault.c +++ b/kerberosV/src/lib/krb5/appdefault.c @@ -33,11 +33,11 @@ #include "krb5_locl.h" -RCSID("$KTH: appdefault.c,v 1.7 2001/09/16 04:48:55 assar Exp $"); +RCSID("$KTH: appdefault.c,v 1.10 2005/01/05 05:40:59 lukeh Exp $"); extern char *__progname; -void +void KRB5_LIB_FUNCTION krb5_appdefault_boolean(krb5_context context, const char *appname, krb5_const_realm realm, const char *option, krb5_boolean def_val, krb5_boolean *ret_val) @@ -79,7 +79,7 @@ krb5_appdefault_boolean(krb5_context context, const char *appname, *ret_val = def_val; } -void +void KRB5_LIB_FUNCTION krb5_appdefault_string(krb5_context context, const char *appname, krb5_const_realm realm, const char *option, const char *def_val, char **ret_val) 
@@ -123,17 +123,22 @@ krb5_appdefault_string(krb5_context context, const char *appname, *ret_val = NULL; } -void +void KRB5_LIB_FUNCTION krb5_appdefault_time(krb5_context context, const char *appname, krb5_const_realm realm, const char *option, time_t def_val, time_t *ret_val) { - time_t t; - char tstr[32]; + krb5_deltat t; char *val; - snprintf(tstr, sizeof(tstr), "%ld", (long)def_val); - krb5_appdefault_string(context, appname, realm, option, tstr, &val); - t = parse_time (val, NULL); + + krb5_appdefault_string(context, appname, realm, option, NULL, &val); + if (val == NULL) { + *ret_val = def_val; + return; + } + if (krb5_string_to_deltat(val, &t)) + *ret_val = def_val; + else + *ret_val = t; free(val); - *ret_val = t; } diff --git a/kerberosV/src/lib/krb5/config_file.c b/kerberosV/src/lib/krb5/config_file.c index 25369df3c58..5194aff1ca6 100644 --- a/kerberosV/src/lib/krb5/config_file.c +++ b/kerberosV/src/lib/krb5/config_file.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * 
@@ -32,18 +32,50 @@ */ #include "krb5_locl.h" -RCSID("$KTH: config_file.c,v 1.46.4.2 2003/10/13 13:46:10 lha Exp $"); +RCSID("$KTH: config_file.c,v 1.52 2004/09/30 11:22:48 lha Exp $"); #ifndef HAVE_NETINFO +/* Gaah! I want a portable funopen */ +struct fileptr { + const char *s; + FILE *f; +}; + +static char * +config_fgets(char *str, size_t len, struct fileptr *ptr) +{ + /* XXX this is not correct, in that they don't do the same if the + line is longer than len */ + if(ptr->f != NULL) + return fgets(str, len, ptr->f); + else { + /* this is almost strsep_copy */ + const char *p; + ssize_t l; + if(*ptr->s == '\0') + return NULL; + p = ptr->s + strcspn(ptr->s, "\n"); + if(*p == '\n') + p++; + l = min(len, p - ptr->s); + if(len > 0) { + memcpy(str, ptr->s, l); + str[l] = '\0'; + } + ptr->s = p; + return str; + } +} + static krb5_error_code parse_section(char *p, krb5_config_section **s, krb5_config_section **res, const char **error_message); -static krb5_error_code parse_binding(FILE *f, unsigned *lineno, char *p, +static krb5_error_code parse_binding(struct fileptr *f, unsigned *lineno, char *p, krb5_config_binding **b, krb5_config_binding **parent, const char **error_message); -static krb5_error_code parse_list(FILE *f, unsigned *lineno, +static krb5_error_code parse_list(struct fileptr *f, unsigned *lineno, krb5_config_binding **parent, const char **error_message); @@ -114,7 +146,7 @@ parse_section(char *p, krb5_config_section **s, krb5_config_section **parent, */ static krb5_error_code -parse_list(FILE *f, unsigned *lineno, krb5_config_binding **parent, +parse_list(struct fileptr *f, unsigned *lineno, krb5_config_binding **parent, const char **error_message) { char buf[BUFSIZ]; @@ -122,7 +154,7 @@ parse_list(FILE *f, unsigned *lineno, krb5_config_binding **parent, krb5_config_binding *b = NULL; unsigned beg_lineno = *lineno; - while(fgets(buf, sizeof(buf), f) != NULL) { + while(config_fgets(buf, sizeof(buf), f) != NULL) { char *p; ++*lineno; 
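Review bot: config_fgets writes one byte past `str` when a line in the string is at least `len` characters long: `l = min(len, p - ptr->s);` allows `l == len`, and `str[l] = '\0';` then lands at `str[len]`, outside the `char buf[BUFSIZ]` the callers pass. The copy must leave room for the terminator, `l = min(len - 1, p - ptr->s);` inside the `if(len > 0)` block. The tail of an over-long line is also dropped rather than returned by the next call as fgets would do, which the XXX comment acknowledges; either advancing `ptr->s` by `l` instead of to `p`, or stating in the comment that over-long lines are truncated, would make the behaviour explicit.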
@@ -153,7 +185,7 @@ parse_list(FILE *f, unsigned *lineno, krb5_config_binding **parent, */ static krb5_error_code -parse_binding(FILE *f, unsigned *lineno, char *p, +parse_binding(struct fileptr *f, unsigned *lineno, char *p, krb5_config_binding **b, krb5_config_binding **parent, const char **error_message) { @@ -209,26 +241,17 @@ parse_binding(FILE *f, unsigned *lineno, char *p, */ static krb5_error_code -krb5_config_parse_file_debug (const char *fname, - krb5_config_section **res, - unsigned *lineno, - const char **error_message) +krb5_config_parse_debug (struct fileptr *f, + krb5_config_section **res, + unsigned *lineno, + const char **error_message) { - FILE *f; - krb5_config_section *s; - krb5_config_binding *b; + krb5_config_section *s = NULL; + krb5_config_binding *b = NULL; char buf[BUFSIZ]; - krb5_error_code ret = 0; + krb5_error_code ret; - s = NULL; - b = NULL; - *lineno = 0; - f = fopen (fname, "r"); - if (f == NULL) { - *error_message = "cannot open file"; - return ENOENT; - } - while (fgets(buf, sizeof(buf), f) != NULL) { + while (config_fgets(buf, sizeof(buf), f) != NULL) { char *p; ++*lineno; 
@@ -241,40 +264,64 @@ krb5_config_parse_file_debug (const char *fname, continue; if (*p == '[') { ret = parse_section(p, &s, res, error_message); - if (ret) { - goto out; - } + if (ret) + return ret; b = NULL; } else if (*p == '}') { *error_message = "unmatched }"; - ret = EINVAL; /* XXX */ - goto out; + return EINVAL; /* XXX */ } else if(*p != '\0') { if (s == NULL) { *error_message = "binding before section"; - ret = EINVAL; - goto out; + return EINVAL; } ret = parse_binding(f, lineno, p, &b, &s->u.list, error_message); if (ret) - goto out; + return ret; } } -out: - fclose (f); - return ret; + return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_config_parse_string_multi(krb5_context context, + const char *string, + krb5_config_section **res) +{ + const char *str; + unsigned lineno = 0; + krb5_error_code ret; + struct fileptr f; + f.f = NULL; + f.s = string; + + ret = krb5_config_parse_debug (&f, res, &lineno, &str); + if (ret) { + krb5_set_error_string (context, "%s:%u: %s", "<constant>", lineno, str); + return ret; + } + return 0; +} + +krb5_error_code KRB5_LIB_FUNCTION krb5_config_parse_file_multi (krb5_context context, const char *fname, krb5_config_section **res) { const char *str; - unsigned lineno; + unsigned lineno = 0; krb5_error_code ret; + struct fileptr f; + f.f = fopen(fname, "r"); + f.s = NULL; + if(f.f == NULL) { + ret = errno; + krb5_set_error_string (context, "open %s: %s", fname, strerror(ret)); + return ret; + } - ret = krb5_config_parse_file_debug (fname, res, &lineno, &str); + ret = krb5_config_parse_debug (&f, res, &lineno, &str); + fclose(f.f); if (ret) { krb5_set_error_string (context, "%s:%u: %s", fname, lineno, str); return ret; @@ -282,7 +329,7 @@ krb5_config_parse_file_multi (krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_config_parse_file (krb5_context context, const char *fname, krb5_config_section **res) 
@@ -313,7 +360,7 @@ free_binding (krb5_context context, krb5_config_binding *b) } } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_config_file_free (krb5_context context, krb5_config_section *s) { free_binding (context, s); @@ -443,7 +490,7 @@ krb5_config_vget_list (krb5_context context, return krb5_config_vget (context, c, krb5_config_list, args); } -const char * +const char* KRB5_LIB_FUNCTION krb5_config_get_string (krb5_context context, const krb5_config_section *c, ...) @@ -457,7 +504,7 @@ krb5_config_get_string (krb5_context context, return ret; } -const char * +const char* KRB5_LIB_FUNCTION krb5_config_vget_string (krb5_context context, const krb5_config_section *c, va_list args) @@ -465,7 +512,7 @@ krb5_config_vget_string (krb5_context context, return krb5_config_vget (context, c, krb5_config_string, args); } -const char * +const char* KRB5_LIB_FUNCTION krb5_config_vget_string_default (krb5_context context, const krb5_config_section *c, const char *def_value, @@ -479,7 +526,7 @@ krb5_config_vget_string_default (krb5_context context, return ret; } -const char * +const char* KRB5_LIB_FUNCTION krb5_config_get_string_default (krb5_context context, const krb5_config_section *c, const char *def_value, @@ -494,7 +541,7 @@ krb5_config_get_string_default (krb5_context context, return ret; } -char ** +char ** KRB5_LIB_FUNCTION krb5_config_vget_strings(krb5_context context, const krb5_config_section *c, va_list args) @@ -554,7 +601,7 @@ krb5_config_get_strings(krb5_context context, return ret; } -void +void KRB5_LIB_FUNCTION krb5_config_free_strings(char **strings) { char **s = strings; @@ -565,7 +612,7 @@ krb5_config_free_strings(char **strings) free(strings); } -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_config_vget_bool_default (krb5_context context, const krb5_config_section *c, krb5_boolean def_value, 
@@ -581,7 +628,7 @@ krb5_config_vget_bool_default (krb5_context context, return FALSE; } -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_config_vget_bool (krb5_context context, const krb5_config_section *c, va_list args) @@ -589,7 +636,7 @@ krb5_config_vget_bool (krb5_context context, return krb5_config_vget_bool_default (context, c, FALSE, args); } -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_config_get_bool_default (krb5_context context, const krb5_config_section *c, krb5_boolean def_value, @@ -603,7 +650,7 @@ krb5_config_get_bool_default (krb5_context context, return ret; } -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_config_get_bool (krb5_context context, const krb5_config_section *c, ...) @@ -616,20 +663,24 @@ krb5_config_get_bool (krb5_context context, return ret; } -int +int KRB5_LIB_FUNCTION krb5_config_vget_time_default (krb5_context context, const krb5_config_section *c, int def_value, va_list args) { const char *str; + krb5_deltat t; + str = krb5_config_vget_string (context, c, args); if(str == NULL) return def_value; - return parse_time (str, NULL); + if (krb5_string_to_deltat(str, &t)) + return def_value; + return t; } -int +int KRB5_LIB_FUNCTION krb5_config_vget_time (krb5_context context, const krb5_config_section *c, va_list args) @@ -637,7 +688,7 @@ krb5_config_vget_time (krb5_context context, return krb5_config_vget_time_default (context, c, -1, args); } -int +int KRB5_LIB_FUNCTION krb5_config_get_time_default (krb5_context context, const krb5_config_section *c, int def_value, @@ -651,7 +702,7 @@ krb5_config_get_time_default (krb5_context context, return ret; } -int +int KRB5_LIB_FUNCTION krb5_config_get_time (krb5_context context, const krb5_config_section *c, ...) @@ -665,7 +716,7 @@ krb5_config_get_time (krb5_context context, } -int +int KRB5_LIB_FUNCTION krb5_config_vget_int_default (krb5_context context, const krb5_config_section *c, int def_value, 
@@ -686,7 +737,7 @@ krb5_config_vget_int_default (krb5_context context, } } -int +int KRB5_LIB_FUNCTION krb5_config_vget_int (krb5_context context, const krb5_config_section *c, va_list args) @@ -694,7 +745,7 @@ krb5_config_vget_int (krb5_context context, return krb5_config_vget_int_default (context, c, -1, args); } -int +int KRB5_LIB_FUNCTION krb5_config_get_int_default (krb5_context context, const krb5_config_section *c, int def_value, @@ -708,7 +759,7 @@ krb5_config_get_int_default (krb5_context context, return ret; } -int +int KRB5_LIB_FUNCTION krb5_config_get_int (krb5_context context, const krb5_config_section *c, ...) diff --git a/kerberosV/src/lib/krb5/constants.c b/kerberosV/src/lib/krb5/constants.c index b21f6424678..e67756a18aa 100644 --- a/kerberosV/src/lib/krb5/constants.c +++ b/kerberosV/src/lib/krb5/constants.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,11 @@ #include "krb5_locl.h" -RCSID("$KTH: constants.c,v 1.7 2002/08/16 20:52:15 joda Exp $"); +RCSID("$KTH: constants.c,v 1.8 2004/09/23 07:57:37 joda Exp $"); -const char *krb5_config_file = SYSCONFDIR "/krb5.conf:/etc/krb5.conf"; +const char *krb5_config_file = +#ifdef __APPLE__ +"/Library/Preferences/edu.mit.Kerberos:" +#endif +SYSCONFDIR "/krb5.conf:/etc/krb5.conf"; const char *krb5_defkeyname = KEYTAB_DEFAULT; diff --git a/kerberosV/src/lib/krb5/context.c b/kerberosV/src/lib/krb5/context.c index 7ab49ff1f2c..b442f195d0e 100644 --- a/kerberosV/src/lib/krb5/context.c +++ b/kerberosV/src/lib/krb5/context.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * 
@@ -34,7 +34,7 @@ #include "krb5_locl.h" #include <com_err.h> -RCSID("$KTH: context.c,v 1.83.2.1 2004/08/20 15:30:24 lha Exp $"); +RCSID("$KTH: context.c,v 1.102 2005/05/18 04:20:50 lha Exp $"); #define INIT_FIELD(C, T, E, D, F) \ (C)->E = krb5_config_get_ ## T ## _default ((C), NULL, (D), \ @@ -65,8 +65,12 @@ set_etypes (krb5_context context, return ENOMEM; } for(j = 0, k = 0; j < i; j++) { - if(krb5_string_to_enctype(context, etypes_str[j], &etypes[k]) == 0) - k++; + krb5_enctype e; + if(krb5_string_to_enctype(context, etypes_str[j], &e) != 0) + continue; + if (krb5_enctype_valid(context, e) != 0) + continue; + etypes[k++] = e; } etypes[k] = ETYPE_NULL; krb5_config_free_strings(etypes_str); @@ -176,21 +180,31 @@ init_context_from_config_file(krb5_context context) /* prefer dns_lookup_kdc over srv_lookup. */ INIT_FIELD(context, bool, srv_lookup, TRUE, "srv_lookup"); INIT_FIELD(context, bool, srv_lookup, context->srv_lookup, "dns_lookup_kdc"); + INIT_FIELD(context, int, large_msg_size, 6000, "large_message_size"); context->default_cc_name = NULL; return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_init_context(krb5_context *context) { krb5_context p; krb5_error_code ret; char **files; + *context = NULL; + p = calloc(1, sizeof(*p)); if(!p) return ENOMEM; + p->mutex = malloc(sizeof(HEIMDAL_MUTEX)); + if (p->mutex == NULL) { + free(p); + return ENOMEM; + } + HEIMDAL_MUTEX_init(p->mutex); + ret = krb5_get_default_config_files(&files); if(ret) goto out; 
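Review bot: set_etypes now silently skips a configured enctype that krb5_string_to_enctype cannot parse or krb5_enctype_valid rejects, so a typo in the configured list degrades to a shorter list — possibly just the `ETYPE_NULL` terminator — with no diagnostic. A mistyped or disabled enctype list is exactly the kind of misconfiguration an administrator wants to hear about; at minimum the skipped name deserves an error string via krb5_set_error_string, and an entirely empty result could be reported as an error rather than an empty list. The rest of set_etypes, including where `etypes_str` comes from, is outside this hunk.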
@@ -204,12 +218,18 @@ krb5_init_context(krb5_context *context) p->cc_ops = NULL; p->num_cc_ops = 0; + krb5_cc_register(p, &krb5_acc_ops, TRUE); krb5_cc_register(p, &krb5_fcc_ops, TRUE); krb5_cc_register(p, &krb5_mcc_ops, TRUE); +#ifdef HAVE_KCM + krb5_cc_register(p, &krb5_kcm_ops, TRUE); +#endif p->num_kt_types = 0; p->kt_types = NULL; krb5_kt_register (p, &krb5_fkt_ops); + krb5_kt_register (p, &krb5_wrfkt_ops); + krb5_kt_register (p, &krb5_javakt_ops); krb5_kt_register (p, &krb5_mkt_ops); krb5_kt_register (p, &krb5_akf_ops); krb5_kt_register (p, &krb4_fkt_ops); @@ -225,7 +245,7 @@ out: return ret; } -void +void KRB5_LIB_FUNCTION krb5_free_context(krb5_context context) { if (context->default_cc_name) @@ -242,17 +262,22 @@ krb5_free_context(krb5_context context) krb5_closelog(context, context->warn_dest); krb5_set_extra_addresses(context, NULL); krb5_set_ignore_addresses(context, NULL); + if (context->mutex != NULL) { + HEIMDAL_MUTEX_destroy(context->mutex); + free(context->mutex); + } + memset(context, 0, sizeof(*context)); free(context); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_set_config_files(krb5_context context, char **filenames) { krb5_error_code ret; krb5_config_binding *tmp = NULL; while(filenames != NULL && *filenames != NULL && **filenames != '\0') { ret = krb5_config_parse_file_multi(context, *filenames, &tmp); - if(ret != 0 && ret != ENOENT) { + if(ret != 0 && ret != ENOENT && ret != EACCES) { krb5_config_file_free(context, tmp); return ret; } 
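Review bot: krb5_set_config_files now also ignores `EACCES` from krb5_config_parse_file_multi, so a configuration file that exists but cannot be read is skipped silently and the context falls back to the remaining files or built-in defaults. That is reasonable for an unprivileged process meeting a root-only file, but it deserves a comment stating the intent, e.g. `/* a file that is missing or unreadable is treated as absent; later files and defaults apply */`, since a silently ignored config is otherwise hard to diagnose. krb5_config_parse_file_multi reports the `errno` from fopen, so other open failures still abort the loop.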
@@ -270,54 +295,124 @@ krb5_set_config_files(krb5_context context, char **filenames) return ret; } -krb5_error_code -krb5_get_default_config_files(char ***pfilenames) +static krb5_error_code +add_file(char ***pfilenames, int *len, char *file) { - const char *p, *q; - char **pp; - int n, i; + char **pp = *pfilenames; + int i; - const char *files = NULL; - if (pfilenames == NULL) - return EINVAL; - if(!issuid()) - files = getenv("KRB5_CONFIG"); - if (files == NULL) - files = krb5_config_file; + for(i = 0; i < *len; i++) { + if(strcmp(pp[i], file) == 0) { + free(file); + return 0; + } + } - for(n = 0, p = files; strsep_copy(&p, ":", NULL, 0) != -1; n++); - pp = malloc((n + 1) * sizeof(*pp)); - if(pp == NULL) + pp = realloc(*pfilenames, (*len + 2) * sizeof(*pp)); + if (pp == NULL) { + free(file); return ENOMEM; + } - n = 0; - p = files; + pp[*len] = file; + pp[*len + 1] = NULL; + *pfilenames = pp; + *len += 1; + return 0; +} + +/* + * `pq' isn't free, its up the the caller + */ + +krb5_error_code KRB5_LIB_FUNCTION +krb5_prepend_config_files(const char *filelist, char **pq, char ***ret_pp) +{ + krb5_error_code ret; + const char *p, *q; + char **pp; + int len; + char *fn; + + pp = NULL; + + len = 0; + p = filelist; while(1) { ssize_t l; q = p; l = strsep_copy(&q, ":", NULL, 0); if(l == -1) break; - pp[n] = malloc(l + 1); - if(pp[n] == NULL) { + fn = malloc(l + 1); + if(fn == NULL) { krb5_free_config_files(pp); return ENOMEM; } - l = strsep_copy(&p, ":", pp[n], l + 1); - for(i = 0; i < n; i++) - if(strcmp(pp[i], pp[n]) == 0) { - free(pp[n]); - goto skip; + l = strsep_copy(&p, ":", fn, l + 1); + ret = add_file(&pp, &len, fn); + if (ret) { + krb5_free_config_files(pp); + return ret; + } + } + + if (pq != NULL) { + int i; + + for (i = 0; pq[i] != NULL; i++) { + fn = strdup(pq[i]); + if (fn == NULL) { + krb5_free_config_files(pp); + return ENOMEM; } - n++; - skip:; + ret = add_file(&pp, &len, fn); + if (ret) { + krb5_free_config_files(pp); + return ret; + } + } } - pp[n] = 
NULL; + + *ret_pp = pp; + return 0; +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_prepend_config_files_default(const char *filelist, char ***pfilenames) +{ + krb5_error_code ret; + char **defpp, **pp = NULL; + + ret = krb5_get_default_config_files(&defpp); + if (ret) + return ret; + + ret = krb5_prepend_config_files(filelist, defpp, &pp); + krb5_free_config_files(defpp); + if (ret) { + return ret; + } *pfilenames = pp; return 0; } -void +krb5_error_code KRB5_LIB_FUNCTION +krb5_get_default_config_files(char ***pfilenames) +{ + const char *files = NULL; + + if (pfilenames == NULL) + return EINVAL; + if(!issuid()) + files = getenv("KRB5_CONFIG"); + if (files == NULL) + files = krb5_config_file; + + return krb5_prepend_config_files(files, NULL, pfilenames); +} + +void KRB5_LIB_FUNCTION krb5_free_config_files(char **filenames) { char **p; 
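Review bot: add_file takes ownership of `file` — it frees it when the name is already in the list and on the realloc failure path, and stores it otherwise — but nothing says so, and krb5_prepend_config_files relies on it by never freeing `fn` itself; a header comment such as `/* consumes file: stored in the list, or freed when it is a duplicate or on ENOMEM */` would keep a later caller from freeing it twice. The comment above krb5_prepend_config_files ("`pq' isn't free, its up the the caller") should say what it means: pq is neither consumed nor freed, the caller keeps ownership. Also, `l = strsep_copy(&p, ":", fn, l + 1);` assigns a value that is never read, and on the first iteration the ENOMEM paths call krb5_free_config_files(NULL), which is only safe if that function tolerates a NULL list (its body continues past the hunk).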
@@ -334,38 +429,50 @@ static krb5_error_code default_etypes(krb5_context context, krb5_enctype **etype) { krb5_enctype p[] = { + ETYPE_AES256_CTS_HMAC_SHA1_96, + ETYPE_AES128_CTS_HMAC_SHA1_96, ETYPE_DES3_CBC_SHA1, ETYPE_DES3_CBC_MD5, ETYPE_ARCFOUR_HMAC_MD5, ETYPE_DES_CBC_MD5, ETYPE_DES_CBC_MD4, - ETYPE_DES_CBC_CRC, - ETYPE_NULL + ETYPE_DES_CBC_CRC }; - - *etype = malloc(sizeof(p)); - if(*etype == NULL) { - krb5_set_error_string (context, "malloc: out of memory"); - return ENOMEM; + krb5_enctype *e = NULL, *ep; + int i, n = 0; + + for (i = 0; i < sizeof(p)/sizeof(p[0]); i++) { + if (krb5_enctype_valid(context, p[i]) != 0) + continue; + ep = realloc(e, (n + 2) * sizeof(*e)); + if (ep == NULL) { + free(e); + krb5_set_error_string (context, "malloc: out of memory"); + return ENOMEM; + } + e = ep; + e[n] = p[i]; + e[n + 1] = ETYPE_NULL; + n++; } - memcpy(*etype, p, sizeof(p)); + *etype = e; return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_set_default_in_tkt_etypes(krb5_context context, const krb5_enctype *etypes) { - int i; krb5_enctype *p = NULL; + int i; if(etypes) { - for (i = 0; etypes[i]; ++i) - if(!krb5_enctype_valid(context, etypes[i])) { - krb5_set_error_string(context, "enctype %d not supported", - etypes[i]); - return KRB5_PROG_ETYPE_NOSUPP; - } + for (i = 0; etypes[i]; ++i) { + krb5_error_code ret; + ret = krb5_enctype_valid(context, etypes[i]); + if (ret) + return ret; + } ++i; ALLOC(p, i); if(!p) { @@ -381,7 +488,7 @@ krb5_set_default_in_tkt_etypes(krb5_context context, } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_default_in_tkt_etypes(krb5_context context, krb5_enctype **etypes) { @@ -407,7 +514,7 @@ krb5_get_default_in_tkt_etypes(krb5_context context, return 0; } -const char * +const char* KRB5_LIB_FUNCTION krb5_get_err_text(krb5_context context, krb5_error_code code) { const char *p = NULL; 
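Review bot: default_etypes returns 0 with `*etype == NULL` when every candidate in p[] fails krb5_enctype_valid, because e is only allocated inside the loop; a caller that walks the result up to ETYPE_NULL would then dereference NULL. Whether all of them can be disabled at once depends on krb5_enctype_valid (not visible here), but the empty case is cheap to reject before `*etype = e;`: `if (e == NULL) { krb5_set_error_string(context, "no usable default enctypes"); return KRB5_PROG_ETYPE_NOSUPP; }`. The loop bound `i < sizeof(p)/sizeof(p[0])` also compares a signed int with a size_t; declaring i as size_t avoids the -Wsign-compare warning.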
@@ -420,7 +527,7 @@ krb5_get_err_text(krb5_context context, krb5_error_code code) return p; } -void +void KRB5_LIB_FUNCTION krb5_init_ets(krb5_context context) { if(context->et_list == NULL){ @@ -431,19 +538,19 @@ krb5_init_ets(krb5_context context) } } -void +void KRB5_LIB_FUNCTION krb5_set_use_admin_kdc (krb5_context context, krb5_boolean flag) { context->use_admin_kdc = flag; } -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_get_use_admin_kdc (krb5_context context) { return context->use_admin_kdc; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_add_extra_addresses(krb5_context context, krb5_addresses *addresses) { @@ -454,7 +561,7 @@ krb5_add_extra_addresses(krb5_context context, krb5_addresses *addresses) return krb5_set_extra_addresses(context, addresses); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_set_extra_addresses(krb5_context context, const krb5_addresses *addresses) { if(context->extra_addresses) @@ -477,7 +584,7 @@ krb5_set_extra_addresses(krb5_context context, const krb5_addresses *addresses) return krb5_copy_addresses(context, addresses, context->extra_addresses); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_extra_addresses(krb5_context context, krb5_addresses *addresses) { if(context->extra_addresses == NULL) { @@ -487,7 +594,7 @@ krb5_get_extra_addresses(krb5_context context, krb5_addresses *addresses) return krb5_copy_addresses(context,context->extra_addresses, addresses); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_add_ignore_addresses(krb5_context context, krb5_addresses *addresses) { @@ -498,7 +605,7 @@ krb5_add_ignore_addresses(krb5_context context, krb5_addresses *addresses) return krb5_set_ignore_addresses(context, addresses); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_set_ignore_addresses(krb5_context context, const krb5_addresses *addresses) { if(context->ignore_addresses) 
@@ -520,7 +627,7 @@ krb5_set_ignore_addresses(krb5_context context, const krb5_addresses *addresses) return krb5_copy_addresses(context, addresses, context->ignore_addresses); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_ignore_addresses(krb5_context context, krb5_addresses *addresses) { if(context->ignore_addresses == NULL) { @@ -530,16 +637,26 @@ krb5_get_ignore_addresses(krb5_context context, krb5_addresses *addresses) return krb5_copy_addresses(context, context->ignore_addresses, addresses); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_set_fcache_version(krb5_context context, int version) { context->fcache_vno = version; return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_fcache_version(krb5_context context, int *version) { *version = context->fcache_vno; return 0; } + +krb5_boolean KRB5_LIB_FUNCTION +krb5_is_thread_safe(void) +{ +#ifdef ENABLE_PTHREAD_SUPPORT + return TRUE; +#else + return FALSE; +#endif +} diff --git a/kerberosV/src/lib/krb5/crypto.c b/kerberosV/src/lib/krb5/crypto.c index 98a1eac1d67..ad584732827 100644 --- a/kerberosV/src/lib/krb5/crypto.c +++ b/kerberosV/src/lib/krb5/crypto.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -32,7 +32,7 @@ */ #include "krb5_locl.h" -RCSID("$KTH: crypto.c,v 1.73.2.4 2004/03/06 16:38:00 lha Exp $"); +RCSID("$KTH: crypto.c,v 1.120.2.1 2005/08/11 07:56:11 lha Exp $"); #undef CRYPTO_DEBUG #ifdef CRYPTO_DEBUG @@ -55,8 +55,11 @@ struct krb5_crypto_data { struct key_data key; int num_key_usage; struct key_usage *key_usage; + void *params; }; +#define kcrypto_oid_enc(n) { sizeof(n)/sizeof(n[0]), n } + #define CRYPTO_ETYPE(C) ((C)->et->type) /* bits for `flags' below */ 
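Review bot: The new `kcrypto_oid_enc(n)` macro in crypto.c uses its argument unparenthesised, `{ sizeof(n)/sizeof(n[0]), n }`; the usual hygiene is `{ sizeof(n)/sizeof((n)[0]), (n) }` so that an expression argument cannot expand incorrectly. The new `void *params` member of struct krb5_crypto_data carries no comment about who allocates and frees it; a one-liner such as `/* per-keytype parameters (see key_type.get_params); presumably owned by the crypto context - confirm */` would help the next reader, hedged since the owner is not visible in this hunk.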
@@ -66,6 +69,8 @@ struct krb5_crypto_data { #define F_VARIANT 8 /* uses `variant' keys (6.4.3) */ #define F_PSEUDO 16 /* not a real protocol type */ #define F_SPECIAL 32 /* backwards */ +#define F_DISABLED 64 /* enctype/checksum disabled */ +#define F_PADCMS 128 /* padding done like in CMS */ struct salt_type { krb5_salttype type; @@ -79,13 +84,19 @@ struct key_type { const char *name; size_t bits; size_t size; + size_t minsize; size_t schedule_size; #if 0 krb5_enctype best_etype; #endif void (*random_key)(krb5_context, krb5_keyblock*); - void (*schedule)(krb5_context, struct key_data *); + void (*schedule)(krb5_context, struct key_data *, const void *); struct salt_type *string_to_key; + void (*random_to_key)(krb5_context, krb5_keyblock*, const void*, size_t); + krb5_error_code (*get_params)(krb5_context, const krb5_data *, + void **, krb5_data *); + krb5_error_code (*set_params)(krb5_context, const void *, + const krb5_data *, krb5_data *); }; struct checksum_type { @@ -109,6 +120,7 @@ struct checksum_type { struct encryption_type { krb5_enctype type; const char *name; + heim_oid *oid; size_t blocksize; size_t padsize; size_t confoundersize; 
@@ -147,34 +159,39 @@ static krb5_error_code hmac(krb5_context context, struct key_data *keyblock, Checksum *result); static void free_key_data(krb5_context context, struct key_data *key); -static krb5_error_code usage2arcfour (krb5_context, int *); +static krb5_error_code usage2arcfour (krb5_context, unsigned *); +static void xor (DES_cblock *, const unsigned char *); /************************************************************ * * ************************************************************/ +static HEIMDAL_MUTEX crypto_mutex = HEIMDAL_MUTEX_INITIALIZER; + + static void krb5_DES_random_key(krb5_context context, krb5_keyblock *key) { - des_cblock *k = key->keyvalue.data; + DES_cblock *k = key->keyvalue.data; do { - krb5_generate_random_block(k, sizeof(des_cblock)); - des_set_odd_parity(k); - } while(des_is_weak_key(k)); + krb5_generate_random_block(k, sizeof(DES_cblock)); + DES_set_odd_parity(k); + } while(DES_is_weak_key(k)); } static void krb5_DES_schedule(krb5_context context, - struct key_data *key) + struct key_data *key, + const void *params) { - des_set_key(key->key->keyvalue.data, key->schedule->data); + DES_set_key(key->key->keyvalue.data, key->schedule->data); } static void -DES_string_to_key_int(unsigned char *data, size_t length, des_cblock *key) +DES_string_to_key_int(unsigned char *data, size_t length, DES_cblock *key) { - des_key_schedule schedule; + DES_key_schedule schedule; int i; int reverse = 0; unsigned char *p; 
@@ -193,13 +210,15 @@ DES_string_to_key_int(unsigned char *data, size_t length, des_cblock *key) if((i % 8) == 7) reverse = !reverse; } - des_set_odd_parity(key); - if(des_is_weak_key(key)) + DES_set_odd_parity(key); + if(DES_is_weak_key(key)) + (*key)[7] ^= 0xF0; + DES_set_key(key, &schedule); + DES_cbc_cksum((void*)data, key, length, &schedule, key); + memset(&schedule, 0, sizeof(schedule)); + DES_set_odd_parity(key); + if(DES_is_weak_key(key)) (*key)[7] ^= 0xF0; - des_set_key(key, schedule); - des_cbc_cksum((void*)data, key, length, schedule, key); - memset(schedule, 0, sizeof(schedule)); - des_set_odd_parity(key); } static krb5_error_code @@ -212,7 +231,7 @@ krb5_DES_string_to_key(krb5_context context, { unsigned char *s; size_t len; - des_cblock tmp; + DES_cblock tmp; len = password.length + salt.saltvalue.length; s = malloc(len); @@ -243,7 +262,7 @@ krb5_DES_string_to_key(krb5_context context, static void krb5_DES_AFS3_CMU_string_to_key (krb5_data pw, krb5_data cell, - des_cblock *key) + DES_cblock *key) { char password[8+1]; /* crypt is limited to 8 chars anyway */ int i; @@ -256,14 +275,14 @@ krb5_DES_AFS3_CMU_string_to_key (krb5_data pw, } password[8] = '\0'; - memcpy(key, crypt(password, "p1") + 2, sizeof(des_cblock)); + memcpy(key, crypt(password, "p1") + 2, sizeof(DES_cblock)); /* parity is inserted into the LSB so left shift each byte up one bit. This allows ascii characters with a zero MSB to retain as much significance as possible. */ - for (i = 0; i < sizeof(des_cblock); i++) + for (i = 0; i < sizeof(DES_cblock); i++) ((unsigned char*)key)[i] <<= 1; - des_set_odd_parity (key); + DES_set_odd_parity (key); } /* 
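Review bot: In DES_string_to_key_int the schedule is wiped with `memset(&schedule, 0, sizeof(schedule));` shortly before the function returns, and the same pattern covers schedule/temp_key/ivec/password in krb5_DES_AFS3_Transarc_string_to_key and s/ivec/tmp in DES3_string_to_key in the hunks that follow; a plain memset of a local that is never read again is a dead store the compiler may drop, so the key material can remain on the stack. These should go through a zeroisation helper the optimiser cannot elide (a volatile-pointer wrapper or a platform explicit-zero function, whichever the tree already provides), or at least carry `/* best effort: a plain memset here may be optimised away */`. DES_string_to_key_int's body starts before this hunk.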
@@ -272,11 +291,11 @@ krb5_DES_AFS3_CMU_string_to_key (krb5_data pw, static void krb5_DES_AFS3_Transarc_string_to_key (krb5_data pw, krb5_data cell, - des_cblock *key) + DES_cblock *key) { - des_key_schedule schedule; - des_cblock temp_key; - des_cblock ivec; + DES_key_schedule schedule; + DES_cblock temp_key; + DES_cblock ivec; char password[512]; size_t passlen; @@ -292,21 +311,20 @@ krb5_DES_AFS3_Transarc_string_to_key (krb5_data pw, passlen = min(sizeof(password), pw.length + cell.length); memcpy(&ivec, "kerberos", 8); memcpy(&temp_key, "kerberos", 8); - des_set_odd_parity (&temp_key); - des_set_key (&temp_key, schedule); - des_cbc_cksum ((des_cblock *) password, &ivec, passlen, schedule, &ivec); + DES_set_odd_parity (&temp_key); + DES_set_key (&temp_key, &schedule); + DES_cbc_cksum ((void*)password, &ivec, passlen, &schedule, &ivec); memcpy(&temp_key, &ivec, 8); - des_set_odd_parity (&temp_key); - des_set_key (&temp_key, schedule); - des_cbc_cksum ((des_cblock *) password, (des_cblock *) key, passlen, - schedule, &ivec); + DES_set_odd_parity (&temp_key); + DES_set_key (&temp_key, &schedule); + DES_cbc_cksum ((void*)password, key, passlen, &schedule, &ivec); memset(&schedule, 0, sizeof(schedule)); memset(&temp_key, 0, sizeof(temp_key)); memset(&ivec, 0, sizeof(ivec)); memset(password, 0, sizeof(password)); - des_set_odd_parity (key); + DES_set_odd_parity (key); } static krb5_error_code @@ -317,7 +335,7 @@ DES_AFS3_string_to_key(krb5_context context, krb5_data opaque, krb5_keyblock *key) { - des_cblock tmp; + DES_cblock tmp; if(password.length > 8) krb5_DES_AFS3_Transarc_string_to_key(password, salt.saltvalue, &tmp); else 
@@ -329,29 +347,47 @@ DES_AFS3_string_to_key(krb5_context context, } static void +krb5_DES_random_to_key(krb5_context context, + krb5_keyblock *key, + const void *data, + size_t size) +{ + DES_cblock *k = key->keyvalue.data; + memcpy(k, data, key->keyvalue.length); + DES_set_odd_parity(k); + if(DES_is_weak_key(k)) + xor(k, (const unsigned char*)"\0\0\0\0\0\0\0\xf0"); +} + +/* + * + */ + +static void DES3_random_key(krb5_context context, krb5_keyblock *key) { - des_cblock *k = key->keyvalue.data; + DES_cblock *k = key->keyvalue.data; do { - krb5_generate_random_block(k, 3 * sizeof(des_cblock)); - des_set_odd_parity(&k[0]); - des_set_odd_parity(&k[1]); - des_set_odd_parity(&k[2]); - } while(des_is_weak_key(&k[0]) || - des_is_weak_key(&k[1]) || - des_is_weak_key(&k[2])); + krb5_generate_random_block(k, 3 * sizeof(DES_cblock)); + DES_set_odd_parity(&k[0]); + DES_set_odd_parity(&k[1]); + DES_set_odd_parity(&k[2]); + } while(DES_is_weak_key(&k[0]) || + DES_is_weak_key(&k[1]) || + DES_is_weak_key(&k[2])); } static void DES3_schedule(krb5_context context, - struct key_data *key) + struct key_data *key, + const void *params) { - des_cblock *k = key->key->keyvalue.data; - des_key_schedule *s = key->schedule->data; - des_set_key(&k[0], s[0]); - des_set_key(&k[1], s[1]); - des_set_key(&k[2], s[2]); + DES_cblock *k = key->key->keyvalue.data; + DES_key_schedule *s = key->schedule->data; + DES_set_key(&k[0], &s[0]); + DES_set_key(&k[1], &s[1]); + DES_set_key(&k[2], &s[2]); } /* @@ -359,7 +395,7 @@ DES3_schedule(krb5_context context, */ static void -xor (des_cblock *key, const unsigned char *b) +xor (DES_cblock *key, const unsigned char *b) { unsigned char *a = (unsigned char*)key; a[0] ^= b[0]; @@ -383,7 +419,7 @@ DES3_string_to_key(krb5_context context, char *str; size_t len; unsigned char tmp[24]; - des_cblock keys[3]; + DES_cblock keys[3]; len = password.length + salt.saltvalue.length; str = malloc(len); 
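Review bot: krb5_DES_random_to_key accepts a `size` argument but copies `key->keyvalue.length` bytes from data without comparing the two, so a caller that passes fewer input bytes than the key length makes memcpy read past the buffer. Either the caller guarantees `size >= key->keyvalue.length` and that precondition belongs in a comment on the function, or the function should check it itself; since it returns void the former seems intended, e.g. `/* precondition: size >= key->keyvalue.length, checked by the caller */`. DES3_random_to_key in a later hunk has the same unchecked size parameter.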
@@ -394,29 +430,29 @@ DES3_string_to_key(krb5_context context, memcpy(str, password.data, password.length); memcpy(str + password.length, salt.saltvalue.data, salt.saltvalue.length); { - des_cblock ivec; - des_key_schedule s[3]; + DES_cblock ivec; + DES_key_schedule s[3]; int i; _krb5_n_fold(str, len, tmp, 24); for(i = 0; i < 3; i++){ memcpy(keys + i, tmp + i * 8, sizeof(keys[i])); - des_set_odd_parity(keys + i); - if(des_is_weak_key(keys + i)) + DES_set_odd_parity(keys + i); + if(DES_is_weak_key(keys + i)) xor(keys + i, (const unsigned char*)"\0\0\0\0\0\0\0\xf0"); - des_set_key(keys + i, s[i]); + DES_set_key(keys + i, &s[i]); } memset(&ivec, 0, sizeof(ivec)); - des_ede3_cbc_encrypt((des_cblock *) tmp, - (des_cblock *) tmp, sizeof(tmp), - s[0], s[1], s[2], &ivec, DES_ENCRYPT); + DES_ede3_cbc_encrypt(tmp, + tmp, sizeof(tmp), + &s[0], &s[1], &s[2], &ivec, DES_ENCRYPT); memset(s, 0, sizeof(s)); memset(&ivec, 0, sizeof(ivec)); for(i = 0; i < 3; i++){ memcpy(keys + i, tmp + i * 8, sizeof(keys[i])); - des_set_odd_parity(keys + i); - if(des_is_weak_key(keys + i)) + DES_set_odd_parity(keys + i); + if(DES_is_weak_key(keys + i)) xor(keys + i, (const unsigned char*)"\0\0\0\0\0\0\0\xf0"); } memset(tmp, 0, sizeof(tmp)); 
@@ -458,19 +494,48 @@ DES3_string_to_key_derived(krb5_context context, return ret; } -/* - * ARCFOUR - */ - static void -ARCFOUR_random_key(krb5_context context, krb5_keyblock *key) +DES3_random_to_key(krb5_context context, + krb5_keyblock *key, + const void *data, + size_t size) { - krb5_generate_random_block (key->keyvalue.data, - key->keyvalue.length); + unsigned char *x = key->keyvalue.data; + const u_char *q = data; + DES_cblock *k; + int i, j; + + memset(x, 0, sizeof(x)); + for (i = 0; i < 3; ++i) { + unsigned char foo; + for (j = 0; j < 7; ++j) { + unsigned char b = q[7 * i + j]; + + x[8 * i + j] = b; + } + foo = 0; + for (j = 6; j >= 0; --j) { + foo |= q[7 * i + j] & 1; + foo <<= 1; + } + x[8 * i + 7] = foo; + } + k = key->keyvalue.data; + for (i = 0; i < 3; i++) { + DES_set_odd_parity(&k[i]); + if(DES_is_weak_key(&k[i])) + xor(&k[i], (const unsigned char*)"\0\0\0\0\0\0\0\xf0"); + } } +/* + * ARCFOUR + */ + static void -ARCFOUR_schedule(krb5_context context, struct key_data *kd) +ARCFOUR_schedule(krb5_context context, + struct key_data *kd, + const void *params) { RC4_set_key (kd->schedule->data, kd->key->keyvalue.length, kd->key->keyvalue.data); @@ -509,17 +574,16 @@ ARCFOUR_string_to_key(krb5_context context, return 0; } -#ifdef ENABLE_AES /* * AES */ /* iter is really 1 based, so iter == 0 will be 1 iteration */ -krb5_error_code -krb5_PKCS5_PBKDF2(krb5_context context, krb5_cksumtype cktype, - krb5_data password, krb5_salt salt, u_int32_t iter, - krb5_keytype type, krb5_keyblock *key) +krb5_error_code KRB5_LIB_FUNCTION +_krb5_PKCS5_PBKDF2(krb5_context context, krb5_cksumtype cktype, + krb5_data password, krb5_salt salt, u_int32_t iter, + krb5_keytype type, krb5_keyblock *key) { struct checksum_type *c = _find_checksum(cktype); struct key_type *kt; 
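Review bot: In DES3_random_to_key, `memset(x, 0, sizeof(x));` zeroes only sizeof(unsigned char *) bytes, not the 24-byte key, because x is a pointer; the loop that follows happens to write every byte, so the bug is latent today, but the intent is `memset(x, 0, key->keyvalue.length);`. The function also reads 21 bytes from `data` (q[7 * i + j] goes up to index 20) without consulting the `size` argument, so as with krb5_DES_random_to_key the `size >= 21` precondition should be stated in a comment or checked. The `const u_char *q` declaration could use `const unsigned char *` to match the rest of the function.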
@@ -622,6 +686,8 @@ krb5_PKCS5_PBKDF2(krb5_context context, krb5_cksumtype cktype, return 0; } +int _krb5_AES_string_to_default_iterator = 4096; + static krb5_error_code AES_string_to_key(krb5_context context, krb5_enctype enctype, @@ -636,7 +702,7 @@ AES_string_to_key(krb5_context context, struct key_data kd; if (opaque.length == 0) - iter = 45056 - 1; + iter = _krb5_AES_string_to_default_iterator - 1; else if (opaque.length == 4) { unsigned long v; _krb5_get_int(opaque.data, &v, 4); @@ -649,8 +715,8 @@ AES_string_to_key(krb5_context context, if (et == NULL) return KRB5_PROG_KEYTYPE_NOSUPP; - ret = krb5_PKCS5_PBKDF2(context, CKSUMTYPE_SHA1, password, salt, - iter, enctype, key); + ret = _krb5_PKCS5_PBKDF2(context, CKSUMTYPE_SHA1, password, salt, + iter, enctype, key); if (ret) return ret; @@ -658,10 +724,8 @@ AES_string_to_key(krb5_context context, kd.schedule = NULL; ret = derive_key(context, et, &kd, "kerberos", strlen("kerberos")); - - if (ret) { - krb5_data_free(&key->keyvalue); - } else { + krb5_free_keyblock_contents(context, key); + if (ret == 0) { ret = krb5_copy_keyblock_contents(context, kd.key, key); free_key_data(context, &kd); } 
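Review bot: `int _krb5_AES_string_to_default_iterator = 4096;` is a writable, non-static global with no lower bound, and AES_string_to_key turns it into `iter = _krb5_AES_string_to_default_iterator - 1`, which reaches _krb5_PKCS5_PBKDF2 as a u_int32_t; a value of 0 wraps to 4294967295 iterations and stalls every password-based AES key derivation in the process. If the knob exists for tests, a comment saying so plus a guard such as `if (_krb5_AES_string_to_default_iterator < 1) iter = 4096 - 1; else iter = _krb5_AES_string_to_default_iterator - 1;` would keep it safe; if nothing outside the file needs it, `static` would be better still. 4096 is the RFC 3962 default iteration count, which is worth noting next to the initialiser.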
@@ -669,115 +733,314 @@ AES_string_to_key(krb5_context context, return ret; } +struct krb5_aes_schedule { + AES_KEY ekey; + AES_KEY dkey; +}; + static void -AES_schedule(krb5_context context, struct key_data *kd) +AES_schedule(krb5_context context, + struct key_data *kd, + const void *params) { - AES_KEY *key = kd->schedule->data; + struct krb5_aes_schedule *key = kd->schedule->data; int bits = kd->key->keyvalue.length * 8; - - AES_set_encrypt_key(kd->key->keyvalue.data, bits, &key[0]); - AES_set_decrypt_key(kd->key->keyvalue.data, bits, &key[1]); + + memset(key, 0, sizeof(*key)); + AES_set_encrypt_key(kd->key->keyvalue.data, bits, &key->ekey); + AES_set_decrypt_key(kd->key->keyvalue.data, bits, &key->dkey); } /* + * RC2 + */ + +struct _RC2_params { + int maximum_effective_key; +}; + +static krb5_error_code +rc2_get_params(krb5_context context, + const krb5_data *data, + void **params, + krb5_data *ivec) +{ + RC2CBCParameter rc2params; + struct _RC2_params *p; + krb5_error_code ret; + size_t size; + + ret = decode_RC2CBCParameter(data->data, data->length, &rc2params, &size); + if (ret) { + krb5_set_error_string(context, "Can't decode RC2 parameters"); + return ret; + } + p = malloc(sizeof(*p)); + if (p == NULL) { + free_RC2CBCParameter(&rc2params); + krb5_set_error_string(context, "malloc - out of memory"); + return ENOMEM; + } + /* XXX */ + switch(rc2params.rc2ParameterVersion) { + case 160: + p->maximum_effective_key = 40; + break; + case 120: + p->maximum_effective_key = 64; + break; + case 58: + p->maximum_effective_key = 128; + break; + + } + if (ivec) + ret = copy_octet_string(&rc2params.iv, ivec); + free_RC2CBCParameter(&rc2params); + *params = p; + + return ret; +} + +static krb5_error_code +rc2_set_params(krb5_context context, + const void *params, + const krb5_data *ivec, + krb5_data *data) +{ + RC2CBCParameter rc2params; + const struct _RC2_params *p = params; + int maximum_effective_key = 128; + krb5_error_code ret; + size_t size; + + memset(&rc2params, 
0, sizeof(rc2params)); + + if (p) + maximum_effective_key = p->maximum_effective_key; + + /* XXX */ + switch(maximum_effective_key) { + case 40: + rc2params.rc2ParameterVersion = 160; + break; + case 64: + rc2params.rc2ParameterVersion = 120; + break; + case 128: + rc2params.rc2ParameterVersion = 58; + break; + } + ret = copy_octet_string(ivec, &rc2params.iv); + if (ret) + return ret; + + ASN1_MALLOC_ENCODE(RC2CBCParameter, data->data, data->length, + &rc2params, &size, ret); + if (ret == 0 && size != data->length) + krb5_abortx(context, "Internal asn1 encoder failure"); + free_RC2CBCParameter(&rc2params); + + return ret; +} + +static void +rc2_schedule(krb5_context context, + struct key_data *kd, + const void *params) +{ + const struct _RC2_params *p = params; + int maximum_effective_key = 128; + if (p) + maximum_effective_key = p->maximum_effective_key; + RC2_set_key (kd->schedule->data, + kd->key->keyvalue.length, + kd->key->keyvalue.data, + maximum_effective_key); +} + + +/* * */ -extern struct salt_type AES_salt[]; +static struct salt_type des_salt[] = { + { + KRB5_PW_SALT, + "pw-salt", + krb5_DES_string_to_key + }, + { + KRB5_AFS3_SALT, + "afs3-salt", + DES_AFS3_string_to_key + }, + { 0 } +}; + +static struct salt_type des3_salt[] = { + { + KRB5_PW_SALT, + "pw-salt", + DES3_string_to_key + }, + { 0 } +}; + +static struct salt_type des3_salt_derived[] = { + { + KRB5_PW_SALT, + "pw-salt", + DES3_string_to_key_derived + }, + { 0 } +}; -#endif /* ENABLE_AES */ +static struct salt_type AES_salt[] = { + { + KRB5_PW_SALT, + "pw-salt", + AES_string_to_key + }, + { 0 } +}; + +static struct salt_type arcfour_salt[] = { + { + KRB5_PW_SALT, + "pw-salt", + ARCFOUR_string_to_key + }, + { 0 } +}; -extern struct salt_type des_salt[], - des3_salt[], des3_salt_derived[], arcfour_salt[]; +/* + * + */ -struct key_type keytype_null = { +static struct key_type keytype_null = { KEYTYPE_NULL, "null", 0, 0, 0, + 0, NULL, NULL, NULL }; -struct key_type keytype_des = { +static struct 
key_type keytype_des = { KEYTYPE_DES, "des", 56, - sizeof(des_cblock), - sizeof(des_key_schedule), + sizeof(DES_cblock), + sizeof(DES_cblock), + sizeof(DES_key_schedule), krb5_DES_random_key, krb5_DES_schedule, - des_salt + des_salt, + krb5_DES_random_to_key }; -struct key_type keytype_des3 = { +static struct key_type keytype_des3 = { KEYTYPE_DES3, "des3", 168, - 3 * sizeof(des_cblock), - 3 * sizeof(des_key_schedule), + 3 * sizeof(DES_cblock), + 3 * sizeof(DES_cblock), + 3 * sizeof(DES_key_schedule), DES3_random_key, DES3_schedule, - des3_salt + des3_salt, + DES3_random_to_key }; -struct key_type keytype_des3_derived = { +static struct key_type keytype_des3_derived = { KEYTYPE_DES3, "des3", 168, - 3 * sizeof(des_cblock), - 3 * sizeof(des_key_schedule), + 3 * sizeof(DES_cblock), + 3 * sizeof(DES_cblock), + 3 * sizeof(DES_key_schedule), DES3_random_key, DES3_schedule, - des3_salt_derived + des3_salt_derived, + DES3_random_to_key }; -#ifdef ENABLE_AES -struct key_type keytype_aes128 = { +static struct key_type keytype_aes128 = { KEYTYPE_AES128, "aes-128", 128, 16, - sizeof(AES_KEY) * 2, + 16, + sizeof(struct krb5_aes_schedule), + NULL, + AES_schedule, + AES_salt +}; + +static struct key_type keytype_aes192 = { + KEYTYPE_AES192, + "aes-192", + 192, + 24, + 24, + sizeof(struct krb5_aes_schedule), NULL, AES_schedule, AES_salt }; -struct key_type keytype_aes256 = { +static struct key_type keytype_aes256 = { KEYTYPE_AES256, "aes-256", 256, - 16, - sizeof(AES_KEY) * 2, + 32, + 32, + sizeof(struct krb5_aes_schedule), NULL, AES_schedule, AES_salt }; -#endif /* ENABLE_AES */ -struct key_type keytype_arcfour = { +static struct key_type keytype_arcfour = { KEYTYPE_ARCFOUR, "arcfour", 128, 16, + 16, sizeof(RC4_KEY), - ARCFOUR_random_key, + NULL, ARCFOUR_schedule, arcfour_salt }; -struct key_type *keytypes[] = { +static struct key_type keytype_rc2 = { + KEYTYPE_RC2, + "rc2", + 128, + 16, + 1, + sizeof(RC2_KEY), + NULL, + rc2_schedule, + NULL, /* XXX salt */ + NULL, + 
rc2_get_params, + rc2_set_params +}; + +static struct key_type *keytypes[] = { &keytype_null, &keytype_des, &keytype_des3_derived, &keytype_des3, -#ifdef ENABLE_AES &keytype_aes128, + &keytype_aes192, &keytype_aes256, -#endif /* ENABLE_AES */ + &keytype_rc2, &keytype_arcfour }; @@ -794,59 +1057,7 @@ _find_keytype(krb5_keytype type) } -struct salt_type des_salt[] = { - { - KRB5_PW_SALT, - "pw-salt", - krb5_DES_string_to_key - }, - { - KRB5_AFS3_SALT, - "afs3-salt", - DES_AFS3_string_to_key - }, - { 0 } -}; - -struct salt_type des3_salt[] = { - { - KRB5_PW_SALT, - "pw-salt", - DES3_string_to_key - }, - { 0 } -}; - -struct salt_type des3_salt_derived[] = { - { - KRB5_PW_SALT, - "pw-salt", - DES3_string_to_key_derived - }, - { 0 } -}; - -#ifdef ENABLE_AES -struct salt_type AES_salt[] = { - { - KRB5_PW_SALT, - "pw-salt", - AES_string_to_key - }, - { 0 } -}; -#endif /* ENABLE_AES */ - -struct salt_type arcfour_salt[] = { - { - KRB5_PW_SALT, - "pw-salt", - ARCFOUR_string_to_key - }, - { 0 } -}; - -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_salttype_to_string (krb5_context context, krb5_enctype etype, krb5_salttype stype, @@ -875,7 +1086,7 @@ krb5_salttype_to_string (krb5_context context, return HEIM_ERR_SALTTYPE_NOSUPP; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_string_to_salttype (krb5_context context, krb5_enctype etype, const char *string, @@ -900,7 +1111,7 @@ krb5_string_to_salttype (krb5_context context, return HEIM_ERR_SALTTYPE_NOSUPP; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_pw_salt(krb5_context context, krb5_const_principal principal, krb5_salt *salt) @@ -929,7 +1140,7 @@ krb5_get_pw_salt(krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_free_salt(krb5_context context, krb5_salt salt) { 
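Review bot: rc2_get_params leaves `p->maximum_effective_key` uninitialised when `rc2params.rc2ParameterVersion` is none of 160, 120 or 58: p comes from malloc, the switch has no default, and the value later reaches RC2_set_key in rc2_schedule as the effective key length, so decoded (and typically peer-supplied) parameters with an unexpected version yield an unpredictable key strength instead of an error; rc2_set_params has the mirror problem, silently encoding version 0 for an unknown key size. A default branch that rejects the input is the fix, using KRB5_PROG_KEYTYPE_NOSUPP or whichever code the project prefers for bad parameters, and the error path should also avoid storing p when copy_octet_string fails. Separately, the `struct key_type` tables are positional initialisers and this hunk inserts `minsize` in the middle of the struct, so designated initialisers (`.minsize = 16`) would make the next field insertion far less error-prone.
```c
    /* … unchanged: decode parameters and allocate p … */
    switch(rc2params.rc2ParameterVersion) {
    /* … unchanged: cases 160, 120, 58 … */
    default:
	free(p);
	free_RC2CBCParameter(&rc2params);
	krb5_set_error_string(context, "Unsupported RC2 parameter version");
	return KRB5_PROG_KEYTYPE_NOSUPP;
    }
    /* … unchanged: copy iv, free decoded parameters, store p … */
```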
@@ -937,7 +1148,7 @@ krb5_free_salt(krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_string_to_key_data (krb5_context context, krb5_enctype enctype, krb5_data password, @@ -955,7 +1166,7 @@ krb5_string_to_key_data (krb5_context context, return ret; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_string_to_key (krb5_context context, krb5_enctype enctype, const char *password, @@ -968,7 +1179,7 @@ krb5_string_to_key (krb5_context context, return krb5_string_to_key_data(context, enctype, pw, principal, key); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_string_to_key_data_salt (krb5_context context, krb5_enctype enctype, krb5_data password, @@ -987,7 +1198,7 @@ krb5_string_to_key_data_salt (krb5_context context, * `opaque'), returning the resulting key in `key' */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_string_to_key_data_salt_opaque (krb5_context context, krb5_enctype enctype, krb5_data password, @@ -1017,7 +1228,7 @@ krb5_string_to_key_data_salt_opaque (krb5_context context, * in `key' */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_string_to_key_salt (krb5_context context, krb5_enctype enctype, const char *password, @@ -1030,7 +1241,22 @@ krb5_string_to_key_salt (krb5_context context, return krb5_string_to_key_data_salt(context, enctype, pw, salt, key); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_string_to_key_salt_opaque (krb5_context context, + krb5_enctype enctype, + const char *password, + krb5_salt salt, + krb5_data opaque, + krb5_keyblock *key) +{ + krb5_data pw; + pw.data = (void*)password; + pw.length = strlen(password); + return krb5_string_to_key_data_salt_opaque(context, enctype, + pw, salt, opaque, key); +} + +krb5_error_code KRB5_LIB_FUNCTION krb5_keytype_to_string(krb5_context context, krb5_keytype keytype, char **string) 
@@ -1048,7 +1274,7 @@ krb5_keytype_to_string(krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_string_to_keytype(krb5_context context, const char *string, krb5_keytype *keytype) @@ -1063,7 +1289,7 @@ krb5_string_to_keytype(krb5_context context, return KRB5_PROG_KEYTYPE_NOSUPP; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_enctype_keysize(krb5_context context, krb5_enctype type, size_t *keysize) @@ -1078,7 +1304,7 @@ krb5_enctype_keysize(krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_generate_random_keyblock(krb5_context context, krb5_enctype type, krb5_keyblock *key) @@ -1104,7 +1330,8 @@ krb5_generate_random_keyblock(krb5_context context, static krb5_error_code _key_schedule(krb5_context context, - struct key_data *key) + struct key_data *key, + const void *params) { krb5_error_code ret; struct encryption_type *et = _find_enctype(key->key->keytype); @@ -1125,7 +1352,7 @@ _key_schedule(krb5_context context, key->schedule = NULL; return ret; } - (*kt->schedule)(context, key); + (*kt->schedule)(context, key, params); return 0; } @@ -1185,7 +1412,7 @@ RSA_MD4_DES_checksum(krb5_context context, Checksum *cksum) { MD4_CTX md4; - des_cblock ivec; + DES_cblock ivec; unsigned char *p = cksum->checksum.data; krb5_generate_random_block(p, 8); @@ -1194,8 +1421,8 @@ RSA_MD4_DES_checksum(krb5_context context, MD4_Update (&md4, data, len); MD4_Final (p + 8, &md4); memset (&ivec, 0, sizeof(ivec)); - des_cbc_encrypt((des_cblock *) p, - (des_cblock *) p, + DES_cbc_encrypt(p, + p, 24, key->schedule->data, &ivec, @@ -1213,11 +1440,11 @@ RSA_MD4_DES_verify(krb5_context context, MD4_CTX md4; unsigned char tmp[24]; unsigned char res[16]; - des_cblock ivec; + DES_cblock ivec; krb5_error_code ret = 0; memset(&ivec, 0, sizeof(ivec)); - des_cbc_encrypt(C->checksum.data, + DES_cbc_encrypt(C->checksum.data, (void*)tmp, C->checksum.length, key->schedule->data, 
@@ -1260,7 +1487,7 @@ RSA_MD5_DES_checksum(krb5_context context, Checksum *C) { MD5_CTX md5; - des_cblock ivec; + DES_cblock ivec; unsigned char *p = C->checksum.data; krb5_generate_random_block(p, 8); @@ -1269,8 +1496,8 @@ RSA_MD5_DES_checksum(krb5_context context, MD5_Update (&md5, data, len); MD5_Final (p + 8, &md5); memset (&ivec, 0, sizeof(ivec)); - des_cbc_encrypt((des_cblock *) p, - (des_cblock *) p, + DES_cbc_encrypt(p, + p, 24, key->schedule->data, &ivec, @@ -1288,15 +1515,15 @@ RSA_MD5_DES_verify(krb5_context context, MD5_CTX md5; unsigned char tmp[24]; unsigned char res[16]; - des_cblock ivec; - des_key_schedule *sched = key->schedule->data; + DES_cblock ivec; + DES_key_schedule *sched = key->schedule->data; krb5_error_code ret = 0; memset(&ivec, 0, sizeof(ivec)); - des_cbc_encrypt(C->checksum.data, + DES_cbc_encrypt(C->checksum.data, (void*)tmp, C->checksum.length, - sched[0], + &sched[0], &ivec, DES_DECRYPT); MD5_Init (&md5); @@ -1321,9 +1548,9 @@ RSA_MD5_DES3_checksum(krb5_context context, Checksum *C) { MD5_CTX md5; - des_cblock ivec; + DES_cblock ivec; unsigned char *p = C->checksum.data; - des_key_schedule *sched = key->schedule->data; + DES_key_schedule *sched = key->schedule->data; krb5_generate_random_block(p, 8); MD5_Init (&md5); @@ -1331,10 +1558,10 @@ RSA_MD5_DES3_checksum(krb5_context context, MD5_Update (&md5, data, len); MD5_Final (p + 8, &md5); memset (&ivec, 0, sizeof(ivec)); - des_ede3_cbc_encrypt((des_cblock *)p, - (des_cblock *)p, + DES_ede3_cbc_encrypt(p, + p, 24, - sched[0], sched[1], sched[2], + &sched[0], &sched[1], &sched[2], &ivec, DES_ENCRYPT); } 
@@ -1350,15 +1577,15 @@ RSA_MD5_DES3_verify(krb5_context context, MD5_CTX md5; unsigned char tmp[24]; unsigned char res[16]; - des_cblock ivec; - des_key_schedule *sched = key->schedule->data; + DES_cblock ivec; + DES_key_schedule *sched = key->schedule->data; krb5_error_code ret = 0; memset(&ivec, 0, sizeof(ivec)); - des_ede3_cbc_encrypt(C->checksum.data, + DES_ede3_cbc_encrypt(C->checksum.data, (void*)tmp, C->checksum.length, - sched[0], sched[1], sched[2], + &sched[0], &sched[1], &sched[2], &ivec, DES_DECRYPT); MD5_Init (&md5); @@ -1447,7 +1674,7 @@ hmac(krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_hmac(krb5_context context, krb5_cksumtype cktype, const void *data, @@ -1579,16 +1806,16 @@ HMAC_MD5_checksum_enc(krb5_context context, krb5_abortx(context, "hmac failed"); } -struct checksum_type checksum_none = { +static struct checksum_type checksum_none = { CKSUMTYPE_NONE, "none", 1, 0, - 0, + 0, NONE_checksum, NULL }; -struct checksum_type checksum_crc32 = { +static struct checksum_type checksum_crc32 = { CKSUMTYPE_CRC32, "crc32", 1, @@ -1597,7 +1824,7 @@ struct checksum_type checksum_crc32 = { CRC32_checksum, NULL }; -struct checksum_type checksum_rsa_md4 = { +static struct checksum_type checksum_rsa_md4 = { CKSUMTYPE_RSA_MD4, "rsa-md4", 64, @@ -1606,7 +1833,7 @@ struct checksum_type checksum_rsa_md4 = { RSA_MD4_checksum, NULL }; -struct checksum_type checksum_rsa_md4_des = { +static struct checksum_type checksum_rsa_md4_des = { CKSUMTYPE_RSA_MD4_DES, "rsa-md4-des", 64, @@ -1616,7 +1843,7 @@ struct checksum_type checksum_rsa_md4_des = { RSA_MD4_DES_verify }; #if 0 -struct checksum_type checksum_des_mac = { +static struct checksum_type checksum_des_mac = { CKSUMTYPE_DES_MAC, "des-mac", 0, @@ -1624,7 +1851,7 @@ struct checksum_type checksum_des_mac = { 0, DES_MAC_checksum }; -struct checksum_type checksum_des_mac_k = { +static struct checksum_type checksum_des_mac_k = { CKSUMTYPE_DES_MAC_K, "des-mac-k", 0, 
@@ -1632,7 +1859,7 @@ struct checksum_type checksum_des_mac_k = { 0, DES_MAC_K_checksum }; -struct checksum_type checksum_rsa_md4_des_k = { +static struct checksum_type checksum_rsa_md4_des_k = { CKSUMTYPE_RSA_MD4_DES_K, "rsa-md4-des-k", 0, @@ -1642,7 +1869,7 @@ struct checksum_type checksum_rsa_md4_des_k = { RSA_MD4_DES_K_verify }; #endif -struct checksum_type checksum_rsa_md5 = { +static struct checksum_type checksum_rsa_md5 = { CKSUMTYPE_RSA_MD5, "rsa-md5", 64, @@ -1651,7 +1878,7 @@ struct checksum_type checksum_rsa_md5 = { RSA_MD5_checksum, NULL }; -struct checksum_type checksum_rsa_md5_des = { +static struct checksum_type checksum_rsa_md5_des = { CKSUMTYPE_RSA_MD5_DES, "rsa-md5-des", 64, @@ -1660,7 +1887,7 @@ struct checksum_type checksum_rsa_md5_des = { RSA_MD5_DES_checksum, RSA_MD5_DES_verify }; -struct checksum_type checksum_rsa_md5_des3 = { +static struct checksum_type checksum_rsa_md5_des3 = { CKSUMTYPE_RSA_MD5_DES3, "rsa-md5-des3", 64, @@ -1669,7 +1896,7 @@ struct checksum_type checksum_rsa_md5_des3 = { RSA_MD5_DES3_checksum, RSA_MD5_DES3_verify }; -struct checksum_type checksum_sha1 = { +static struct checksum_type checksum_sha1 = { CKSUMTYPE_SHA1, "sha1", 64, @@ -1678,7 +1905,7 @@ struct checksum_type checksum_sha1 = { SHA1_checksum, NULL }; -struct checksum_type checksum_hmac_sha1_des3 = { +static struct checksum_type checksum_hmac_sha1_des3 = { CKSUMTYPE_HMAC_SHA1_DES3, "hmac-sha1-des3", 64, @@ -1688,8 +1915,7 @@ struct checksum_type checksum_hmac_sha1_des3 = { NULL }; -#ifdef ENABLE_AES -struct checksum_type checksum_hmac_sha1_aes128 = { +static struct checksum_type checksum_hmac_sha1_aes128 = { CKSUMTYPE_HMAC_SHA1_96_AES_128, "hmac-sha1-96-aes128", 64, @@ -1699,7 +1925,7 @@ struct checksum_type checksum_hmac_sha1_aes128 = { NULL }; -struct checksum_type checksum_hmac_sha1_aes256 = { +static struct checksum_type checksum_hmac_sha1_aes256 = { CKSUMTYPE_HMAC_SHA1_96_AES_256, "hmac-sha1-96-aes256", 64, 
@@ -1708,9 +1934,8 @@ struct checksum_type checksum_hmac_sha1_aes256 = { SP_HMAC_SHA1_checksum, NULL }; -#endif /* ENABLE_AES */ -struct checksum_type checksum_hmac_md5 = { +static struct checksum_type checksum_hmac_md5 = { CKSUMTYPE_HMAC_MD5, "hmac-md5", 64, @@ -1720,7 +1945,7 @@ struct checksum_type checksum_hmac_md5 = { NULL }; -struct checksum_type checksum_hmac_md5_enc = { +static struct checksum_type checksum_hmac_md5_enc = { CKSUMTYPE_HMAC_MD5_ENC, "hmac-md5-enc", 64, @@ -1730,7 +1955,7 @@ struct checksum_type checksum_hmac_md5_enc = { NULL }; -struct checksum_type *checksum_types[] = { +static struct checksum_type *checksum_types[] = { &checksum_none, &checksum_crc32, &checksum_rsa_md4, @@ -1745,10 +1970,8 @@ struct checksum_type *checksum_types[] = { &checksum_rsa_md5_des3, &checksum_sha1, &checksum_hmac_sha1_des3, -#ifdef ENABLE_AES &checksum_hmac_sha1_aes128, &checksum_hmac_sha1_aes256, -#endif &checksum_hmac_md5, &checksum_hmac_md5_enc }; @@ -1793,7 +2016,7 @@ get_checksum_key(krb5_context context, *key = &crypto->key; } if(ret == 0) - ret = _key_schedule(context, *key); + ret = _key_schedule(context, *key, crypto->params); return ret; } @@ -1810,6 +2033,10 @@ create_checksum (krb5_context context, struct key_data *dkey; int keyed_checksum; + if (ct->flags & F_DISABLED) { + krb5_clear_error_string (context); + return KRB5_PROG_SUMTYPE_NOSUPP; + } keyed_checksum = (ct->flags & F_KEYED) != 0; if(keyed_checksum && crypto == NULL) { krb5_clear_error_string (context); @@ -1834,7 +2061,7 @@ arcfour_checksum_p(struct checksum_type *ct, krb5_crypto crypto) (crypto->key.key->keytype == KEYTYPE_ARCFOUR); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_create_checksum(krb5_context context, krb5_crypto crypto, krb5_key_usage usage, 
@@ -1886,7 +2113,7 @@ verify_checksum(krb5_context context, struct checksum_type *ct; ct = _find_checksum(cksum->cksumtype); - if (ct == NULL) { + if (ct == NULL || (ct->flags & F_DISABLED)) { krb5_set_error_string (context, "checksum type %d not supported", cksum->cksumtype); return KRB5_PROG_SUMTYPE_NOSUPP; @@ -1924,7 +2151,7 @@ verify_checksum(krb5_context context, return ret; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_verify_checksum(krb5_context context, krb5_crypto crypto, krb5_key_usage usage, @@ -1952,7 +2179,31 @@ krb5_verify_checksum(krb5_context context, data, len, cksum); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_crypto_get_checksum_type(krb5_context context, + krb5_crypto crypto, + krb5_cksumtype *type) +{ + struct checksum_type *ct = NULL; + + if (crypto != NULL) { + ct = crypto->et->keyed_checksum; + if (ct == NULL) + ct = crypto->et->checksum; + } + + if (ct == NULL) { + krb5_set_error_string (context, "checksum type not found"); + return KRB5_PROG_SUMTYPE_NOSUPP; + } + + *type = ct->type; + + return 0; +} + + +krb5_error_code KRB5_LIB_FUNCTION krb5_checksumsize(krb5_context context, krb5_cksumtype type, size_t *size) 
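Review bot: In verify_checksum the new `ct == NULL || (ct->flags & F_DISABLED)` branch reports both cases as `checksum type %d not supported`, whereas krb5_cksumtype_valid later in this diff distinguishes `checksum type %s is disabled`. An operator who turned a type off via krb5_checksum_disable gets a misleading diagnostic here (and none at all from create_checksum, which only clears the error string). Suggest a separate branch before the existing one: `if (ct != NULL && (ct->flags & F_DISABLED)) { krb5_set_error_string(context, "checksum type %s is disabled", ct->name); return KRB5_PROG_SUMTYPE_NOSUPP; }`. verify_checksum's signature lies outside the hunk.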
@@ -1967,32 +2218,49 @@ krb5_checksumsize(krb5_context context, return 0; } -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_checksum_is_keyed(krb5_context context, krb5_cksumtype type) { struct checksum_type *ct = _find_checksum(type); if(ct == NULL) { - krb5_set_error_string (context, "checksum type %d not supported", - type); + if (context) + krb5_set_error_string (context, "checksum type %d not supported", + type); return KRB5_PROG_SUMTYPE_NOSUPP; } return ct->flags & F_KEYED; } -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_checksum_is_collision_proof(krb5_context context, krb5_cksumtype type) { struct checksum_type *ct = _find_checksum(type); if(ct == NULL) { - krb5_set_error_string (context, "checksum type %d not supported", - type); + if (context) + krb5_set_error_string (context, "checksum type %d not supported", + type); return KRB5_PROG_SUMTYPE_NOSUPP; } return ct->flags & F_CPROOF; } +krb5_error_code KRB5_LIB_FUNCTION +krb5_checksum_disable(krb5_context context, + krb5_cksumtype type) +{ + struct checksum_type *ct = _find_checksum(type); + if(ct == NULL) { + if (context) + krb5_set_error_string (context, "checksum type %d not supported", + type); + return KRB5_PROG_SUMTYPE_NOSUPP; + } + ct->flags |= F_DISABLED; + return 0; +} + /************************************************************ * * ************************************************************/ @@ -2018,10 +2286,10 @@ DES_CBC_encrypt_null_ivec(krb5_context context, int usage, void *ignore_ivec) { - des_cblock ivec; - des_key_schedule *s = key->schedule->data; + DES_cblock ivec; + DES_key_schedule *s = key->schedule->data; memset(&ivec, 0, sizeof(ivec)); - des_cbc_encrypt(data, data, len, *s, &ivec, encrypt); + DES_cbc_encrypt(data, data, len, s, &ivec, encrypt); return 0; } 
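Review bot: krb5_checksum_disable writes to the shared static checksum table (`ct->flags |= F_DISABLED`) without synchronisation, while create_checksum and verify_checksum read that flag from whatever thread is running crypto; this file does take `crypto_mutex` (see the krb5_generate_random_block hunk) for its other mutable statics. Either take the mutex around the write or document the restriction above the function: `/* Must be called before any other thread uses the crypto library; the table is updated without locking. */`. Separately, krb5_checksum_is_keyed and krb5_checksum_is_collision_proof, whose bodies this hunk edits, still return KRB5_PROG_SUMTYPE_NOSUPP through a krb5_boolean, so a caller testing the result treats an unknown checksum type as keyed or collision-proof; returning 0 there, or changing the return type, would fail closed.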
@@ -2034,10 +2302,10 @@ DES_CBC_encrypt_key_ivec(krb5_context context, int usage, void *ignore_ivec) { - des_cblock ivec; - des_key_schedule *s = key->schedule->data; + DES_cblock ivec; + DES_key_schedule *s = key->schedule->data; memcpy(&ivec, key->key->keyvalue.data, sizeof(ivec)); - des_cbc_encrypt(data, data, len, *s, &ivec, encrypt); + DES_cbc_encrypt(data, data, len, s, &ivec, encrypt); return 0; } @@ -2050,13 +2318,13 @@ DES3_CBC_encrypt(krb5_context context, int usage, void *ivec) { - des_cblock local_ivec; - des_key_schedule *s = key->schedule->data; + DES_cblock local_ivec; + DES_key_schedule *s = key->schedule->data; if(ivec == NULL) { ivec = &local_ivec; memset(local_ivec, 0, sizeof(local_ivec)); } - des_ede3_cbc_encrypt(data, data, len, s[0], s[1], s[2], ivec, encrypt); + DES_ede3_cbc_encrypt(data, data, len, &s[0], &s[1], &s[2], ivec, encrypt); return 0; } @@ -2069,12 +2337,12 @@ DES_CFB64_encrypt_null_ivec(krb5_context context, int usage, void *ignore_ivec) { - des_cblock ivec; + DES_cblock ivec; int num = 0; - des_key_schedule *s = key->schedule->data; + DES_key_schedule *s = key->schedule->data; memset(&ivec, 0, sizeof(ivec)); - des_cfb64_encrypt(data, data, len, *s, &ivec, &num, encrypt); + DES_cfb64_encrypt(data, data, len, s, &ivec, &num, encrypt); return 0; } 
@@ -2087,24 +2355,22 @@ DES_PCBC_encrypt_key_ivec(krb5_context context, int usage, void *ignore_ivec) { - des_cblock ivec; - des_key_schedule *s = key->schedule->data; + DES_cblock ivec; + DES_key_schedule *s = key->schedule->data; memcpy(&ivec, key->key->keyvalue.data, sizeof(ivec)); - des_pcbc_encrypt(data, data, len, *s, &ivec, encrypt); + DES_pcbc_encrypt(data, data, len, s, &ivec, encrypt); return 0; } -#ifdef ENABLE_AES - /* * AES draft-raeburn-krb-rijndael-krb-02 */ -void +void KRB5_LIB_FUNCTION _krb5_aes_cts_encrypt(const unsigned char *in, unsigned char *out, size_t len, const void *aes_key, - unsigned char *ivec, const int enc) + unsigned char *ivec, const int encrypt) { unsigned char tmp[AES_BLOCK_SIZE]; const AES_KEY *key = aes_key; /* XXX remove this when we always have AES */ @@ -2115,7 +2381,7 @@ _krb5_aes_cts_encrypt(const unsigned char *in, unsigned char *out, * then at least one blocksize. */ - if (enc == AES_ENCRYPT) { + if (encrypt) { while(len > AES_BLOCK_SIZE) { for (i = 0; i < AES_BLOCK_SIZE; i++) @@ -2135,10 +2401,11 @@ _krb5_aes_cts_encrypt(const unsigned char *in, unsigned char *out, AES_encrypt(tmp, out - AES_BLOCK_SIZE, key); memcpy(out, ivec, len); + memcpy(ivec, out - AES_BLOCK_SIZE, AES_BLOCK_SIZE); } else { - char tmp2[AES_BLOCK_SIZE]; - char tmp3[AES_BLOCK_SIZE]; + unsigned char tmp2[AES_BLOCK_SIZE]; + unsigned char tmp3[AES_BLOCK_SIZE]; while(len > AES_BLOCK_SIZE * 2) { memcpy(tmp, in, AES_BLOCK_SIZE); @@ -2153,6 +2420,7 @@ _krb5_aes_cts_encrypt(const unsigned char *in, unsigned char *out, len -= AES_BLOCK_SIZE; + memcpy(tmp, in, AES_BLOCK_SIZE); /* save last iv */ AES_decrypt(in, tmp2, key); memcpy(tmp3, in + AES_BLOCK_SIZE, len); @@ -2164,6 +2432,7 @@ _krb5_aes_cts_encrypt(const unsigned char *in, unsigned char *out, AES_decrypt(tmp3, out, key); for (i = 0; i < AES_BLOCK_SIZE; i++) out[i] ^= ivec[i]; + memcpy(ivec, tmp, AES_BLOCK_SIZE); } } 
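Review bot: The comment `/* XXX remove this when we always have AES */` on the `const AES_KEY *key = aes_key;` line is now stale: this same hunk drops `#ifdef ENABLE_AES`, so AES is built unconditionally and the line can simply read `const AES_KEY *key = aes_key;` (or the parameter could be typed `const AES_KEY *` directly). The renamed `encrypt` parameter is now tested for truth instead of compared with AES_ENCRYPT; presumably callers pass a krb5_boolean, but a one-line comment on the prototype that any non-zero value selects encryption would make that contract explicit. _krb5_aes_cts_encrypt's body continues beyond this hunk.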
@@ -2176,13 +2445,14 @@ AES_CTS_encrypt(krb5_context context, int usage, void *ivec) { - AES_KEY *k = key->schedule->data; + struct krb5_aes_schedule *aeskey = key->schedule->data; char local_ivec[AES_BLOCK_SIZE]; + AES_KEY *k; if (encrypt) - k = &k[0]; + k = &aeskey->ekey; else - k = &k[1]; + k = &aeskey->dkey; if (len < AES_BLOCK_SIZE) krb5_abortx(context, "invalid use of AES_CTS_encrypt"); @@ -2201,7 +2471,55 @@ AES_CTS_encrypt(krb5_context context, return 0; } -#endif /* ENABLE_AES */ + +static krb5_error_code +AES_CBC_encrypt(krb5_context context, + struct key_data *key, + void *data, + size_t len, + krb5_boolean encrypt, + int usage, + void *ivec) +{ + struct krb5_aes_schedule *aeskey = key->schedule->data; + char local_ivec[AES_BLOCK_SIZE]; + AES_KEY *k; + + if (encrypt) + k = &aeskey->ekey; + else + k = &aeskey->dkey; + + if(ivec == NULL) { + ivec = &local_ivec; + memset(local_ivec, 0, sizeof(local_ivec)); + } + AES_cbc_encrypt(data, data, len, k, ivec, encrypt); + return 0; +} + +/* + * RC2 + */ + +static krb5_error_code +RC2_CBC_encrypt(krb5_context context, + struct key_data *key, + void *data, + size_t len, + krb5_boolean encrypt, + int usage, + void *ivec) +{ + unsigned char local_ivec[8]; + RC2_KEY *s = key->schedule->data; + if(ivec == NULL) { + ivec = &local_ivec; + memset(local_ivec, 0, sizeof(local_ivec)); + } + RC2_cbc_encrypt(data, data, len, s, ivec, encrypt); + return 0; +} /* * section 6 of draft-brezak-win2k-krb-rc4-hmac-03 @@ -2214,7 +2532,7 @@ ARCFOUR_subencrypt(krb5_context context, struct key_data *key, void *data, size_t len, - int usage, + unsigned usage, void *ivec) { struct checksum_type *c = _find_checksum (CKSUMTYPE_RSA_MD5); @@ -2277,7 +2595,7 @@ ARCFOUR_subdecrypt(krb5_context context, struct key_data *key, void *data, size_t len, - int usage, + unsigned usage, void *ivec) { struct checksum_type *c = _find_checksum (CKSUMTYPE_RSA_MD5); 
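Review bot: AES_CBC_encrypt and RC2_CBC_encrypt pass `len` straight to the CBC primitive with no check that it is a multiple of the block size, whereas AES_CTS_encrypt above guards `len < AES_BLOCK_SIZE` with krb5_abortx. The enctype tables mark these types F_PSEUDO|F_PADCMS so encrypt_internal should pad to a block boundary, but a direct caller with an unaligned buffer would hand OpenSSL a partial final block; a guard such as `if (len % AES_BLOCK_SIZE) return KRB5_CRYPTO_INTERNAL;` (and `len % 8` in RC2_CBC_encrypt) would make the precondition explicit. Also `char local_ivec[AES_BLOCK_SIZE]` in AES_CBC_encrypt should be `unsigned char`, matching RC2_CBC_encrypt's `unsigned char local_ivec[8]` and the `unsigned char` buffers this diff introduces in _krb5_aes_cts_encrypt.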
@@ -2350,7 +2668,7 @@ ARCFOUR_subdecrypt(krb5_context context, */ static krb5_error_code -usage2arcfour (krb5_context context, int *usage) +usage2arcfour (krb5_context context, unsigned *usage) { switch (*usage) { case KRB5_KU_AS_REP_ENC_PART : /* 3 */ @@ -2381,13 +2699,15 @@ ARCFOUR_encrypt(krb5_context context, void *ivec) { krb5_error_code ret; - if((ret = usage2arcfour (context, &usage)) != 0) + unsigned keyusage = usage; + + if((ret = usage2arcfour (context, &keyusage)) != 0) return ret; if (encrypt) - return ARCFOUR_subencrypt (context, key, data, len, usage, ivec); + return ARCFOUR_subencrypt (context, key, data, len, keyusage, ivec); else - return ARCFOUR_subdecrypt (context, key, data, len, usage, ivec); + return ARCFOUR_subdecrypt (context, key, data, len, keyusage, ivec); } @@ -2398,18 +2718,20 @@ ARCFOUR_encrypt(krb5_context context, static struct encryption_type enctype_null = { ETYPE_NULL, "null", + NULL, 1, 1, 0, &keytype_null, &checksum_none, NULL, - 0, + F_DISABLED, NULL_encrypt, }; static struct encryption_type enctype_des_cbc_crc = { ETYPE_DES_CBC_CRC, "des-cbc-crc", + NULL, 8, 8, 8, @@ -2422,6 +2744,7 @@ static struct encryption_type enctype_des_cbc_crc = { static struct encryption_type enctype_des_cbc_md4 = { ETYPE_DES_CBC_MD4, "des-cbc-md4", + NULL, 8, 8, 8, @@ -2434,6 +2757,7 @@ static struct encryption_type enctype_des_cbc_md4 = { static struct encryption_type enctype_des_cbc_md5 = { ETYPE_DES_CBC_MD5, "des-cbc-md5", + NULL, 8, 8, 8, @@ -2446,18 +2770,20 @@ static struct encryption_type enctype_des_cbc_md5 = { static struct encryption_type enctype_arcfour_hmac_md5 = { ETYPE_ARCFOUR_HMAC_MD5, "arcfour-hmac-md5", + NULL, 1, 1, 8, &keytype_arcfour, &checksum_hmac_md5, - /* &checksum_hmac_md5_enc */ NULL, + NULL, F_SPECIAL, ARCFOUR_encrypt }; static struct encryption_type enctype_des3_cbc_md5 = { ETYPE_DES3_CBC_MD5, "des3-cbc-md5", + NULL, 8, 8, 8, 
@@ -2470,6 +2796,7 @@ static struct encryption_type enctype_des3_cbc_md5 = { static struct encryption_type enctype_des3_cbc_sha1 = { ETYPE_DES3_CBC_SHA1, "des3-cbc-sha1", + NULL, 8, 8, 8, @@ -2482,6 +2809,7 @@ static struct encryption_type enctype_des3_cbc_sha1 = { static struct encryption_type enctype_old_des3_cbc_sha1 = { ETYPE_OLD_DES3_CBC_SHA1, "old-des3-cbc-sha1", + NULL, 8, 8, 8, 
@@ -2491,35 +2819,81 @@ static struct encryption_type enctype_old_des3_cbc_sha1 = { 0, DES3_CBC_encrypt, }; -#ifdef ENABLE_AES static struct encryption_type enctype_aes128_cts_hmac_sha1 = { ETYPE_AES128_CTS_HMAC_SHA1_96, "aes128-cts-hmac-sha1-96", + NULL, 16, 1, 16, &keytype_aes128, &checksum_sha1, &checksum_hmac_sha1_aes128, - 0, + F_DERIVED, AES_CTS_encrypt, }; static struct encryption_type enctype_aes256_cts_hmac_sha1 = { ETYPE_AES256_CTS_HMAC_SHA1_96, "aes256-cts-hmac-sha1-96", + NULL, 16, 1, 16, &keytype_aes256, &checksum_sha1, &checksum_hmac_sha1_aes256, - 0, + F_DERIVED, AES_CTS_encrypt, }; -#endif /* ENABLE_AES */ +static unsigned aes_128_cbc_num[] = { 2, 16, 840, 1, 101, 3, 4, 1, 2 }; +static heim_oid aes_128_cbc_oid = kcrypto_oid_enc(aes_128_cbc_num); +static struct encryption_type enctype_aes128_cbc_none = { + ETYPE_AES128_CBC_NONE, + "aes128-cbc-none", + &aes_128_cbc_oid, + 16, + 16, + 16, + &keytype_aes128, + &checksum_none, + NULL, + F_PSEUDO|F_PADCMS, + AES_CBC_encrypt, +}; +static unsigned aes_192_cbc_num[] = { 2, 16, 840, 1, 101, 3, 4, 1, 22 }; +static heim_oid aes_192_cbc_oid = kcrypto_oid_enc(aes_192_cbc_num); +static struct encryption_type enctype_aes192_cbc_none = { + ETYPE_AES192_CBC_NONE, + "aes192-cbc-none", + &aes_192_cbc_oid, + 16, + 16, + 16, + &keytype_aes192, + &checksum_none, + NULL, + F_PSEUDO|F_PADCMS, + AES_CBC_encrypt, +}; +static unsigned aes_256_cbc_num[] = { 2, 16, 840, 1, 101, 3, 4, 1, 42 }; +static heim_oid aes_256_cbc_oid = kcrypto_oid_enc(aes_256_cbc_num); +static struct encryption_type enctype_aes256_cbc_none = { + ETYPE_AES256_CBC_NONE, + "aes256-cbc-none", + &aes_256_cbc_oid, + 16, + 16, + 16, + &keytype_aes256, + &checksum_none, + NULL, + F_PSEUDO|F_PADCMS, + AES_CBC_encrypt, +}; static struct encryption_type enctype_des_cbc_none = { ETYPE_DES_CBC_NONE, "des-cbc-none", + NULL, 8, 8, 0, 
@@ -2532,6 +2906,7 @@ static struct encryption_type enctype_des_cbc_none = { static struct encryption_type enctype_des_cfb64_none = { ETYPE_DES_CFB64_NONE, "des-cfb64-none", + NULL, 1, 1, 0, @@ -2544,6 +2919,7 @@ static struct encryption_type enctype_des_cfb64_none = { static struct encryption_type enctype_des_pcbc_none = { ETYPE_DES_PCBC_NONE, "des-pcbc-none", + NULL, 8, 8, 0, @@ -2553,9 +2929,25 @@ static struct encryption_type enctype_des_pcbc_none = { F_PSEUDO, DES_PCBC_encrypt_key_ivec, }; +static unsigned des_ede3_cbc_num[] = { 1, 2, 840, 113549, 3, 7 }; +static heim_oid des_ede3_cbc_oid = kcrypto_oid_enc(des_ede3_cbc_num); +static struct encryption_type enctype_des3_cbc_none_cms = { + ETYPE_DES3_CBC_NONE_CMS, + "des3-cbc-none-cms", + &des_ede3_cbc_oid, + 8, + 8, + 0, + &keytype_des3_derived, + &checksum_none, + NULL, + F_PSEUDO|F_PADCMS, + DES3_CBC_encrypt, +}; static struct encryption_type enctype_des3_cbc_none = { ETYPE_DES3_CBC_NONE, "des3-cbc-none", + NULL, 8, 8, 0, @@ -2565,6 +2957,21 @@ static struct encryption_type enctype_des3_cbc_none = { F_PSEUDO, DES3_CBC_encrypt, }; +static unsigned rc2CBC_num[] = { 1, 2, 840, 113549, 3, 2 }; +static heim_oid rc2CBC_oid = kcrypto_oid_enc(rc2CBC_num); +static struct encryption_type enctype_rc2_cbc_none = { + ETYPE_RC2_CBC_NONE, + "rc2-cbc-none", + &rc2CBC_oid, + 8, + 8, + 0, + &keytype_rc2, + &checksum_none, + NULL, + F_PSEUDO|F_PADCMS, + RC2_CBC_encrypt, +}; static struct encryption_type *etypes[] = { &enctype_null, 
@@ -2575,14 +2982,17 @@ static struct encryption_type *etypes[] = { &enctype_des3_cbc_md5, &enctype_des3_cbc_sha1, &enctype_old_des3_cbc_sha1, -#ifdef ENABLE_AES &enctype_aes128_cts_hmac_sha1, &enctype_aes256_cts_hmac_sha1, -#endif + &enctype_aes128_cbc_none, + &enctype_aes192_cbc_none, + &enctype_aes256_cbc_none, &enctype_des_cbc_none, &enctype_des_cfb64_none, &enctype_des_pcbc_none, - &enctype_des3_cbc_none + &enctype_des3_cbc_none, + &enctype_des3_cbc_none_cms, + &enctype_rc2_cbc_none }; static unsigned num_etypes = sizeof(etypes) / sizeof(etypes[0]); @@ -2599,7 +3009,7 @@ _find_enctype(krb5_enctype type) } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_enctype_to_string(krb5_context context, krb5_enctype etype, char **string) @@ -2619,7 +3029,7 @@ krb5_enctype_to_string(krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_string_to_enctype(krb5_context context, const char *string, krb5_enctype *etype) 
@@ -2635,7 +3045,42 @@ krb5_string_to_enctype(krb5_context context, return KRB5_PROG_ETYPE_NOSUPP; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_enctype_to_oid(krb5_context context, + krb5_enctype etype, + heim_oid *oid) +{ + struct encryption_type *et = _find_enctype(etype); + if(et == NULL) { + krb5_set_error_string (context, "encryption type %d not supported", + etype); + return KRB5_PROG_ETYPE_NOSUPP; + } + if(et->oid == NULL) { + krb5_set_error_string (context, "%s have not oid", et->name); + return KRB5_PROG_ETYPE_NOSUPP; + } + krb5_clear_error_string(context); + return copy_oid(et->oid, oid); +} + +krb5_error_code KRB5_LIB_FUNCTION +_krb5_oid_to_enctype(krb5_context context, + const heim_oid *oid, + krb5_enctype *etype) +{ + int i; + for(i = 0; i < num_etypes; i++) { + if(etypes[i]->oid && heim_oid_cmp(etypes[i]->oid, oid) == 0) { + *etype = etypes[i]->type; + return 0; + } + } + krb5_set_error_string(context, "enctype for oid not supported"); + return KRB5_PROG_ETYPE_NOSUPP; +} + +krb5_error_code KRB5_LIB_FUNCTION krb5_enctype_to_keytype(krb5_context context, krb5_enctype etype, krb5_keytype *keytype) @@ -2651,7 +3096,7 @@ krb5_enctype_to_keytype(krb5_context context, } #if 0 -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_keytype_to_enctype(krb5_context context, krb5_keytype keytype, krb5_enctype *etype) @@ -2665,7 +3110,7 @@ krb5_keytype_to_enctype(krb5_context context, } #endif -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_keytype_to_enctypes (krb5_context context, krb5_keytype keytype, unsigned *len, @@ -2701,7 +3146,7 @@ krb5_keytype_to_enctypes (krb5_context context, * else, do `krb5_keytype_to_enctypes'. */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_keytype_to_enctypes_default (krb5_context context, krb5_keytype keytype, unsigned *len, 
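Review bot: In _krb5_oid_to_enctype the loop index `int i` is compared against `num_etypes`, which the etypes hunk above declares `unsigned`; `unsigned i;` avoids the signed/unsigned comparison and matches the table's type. In krb5_enctype_to_oid the error text `"%s have not oid"` reads awkwardly; `"%s has no oid"` is clearer in a log line. Neither function consults F_DISABLED, so the oid of a disabled enctype still resolves; that looks acceptable because krb5_crypto_init (later in this diff) rejects disabled types, but a one-line comment saying so would save the next reader the check.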
@@ -2727,15 +3172,45 @@ krb5_keytype_to_enctypes_default (krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_enctype_valid(krb5_context context, krb5_enctype etype) { - return _find_enctype(etype) != NULL; + struct encryption_type *e = _find_enctype(etype); + if(e == NULL) { + krb5_set_error_string (context, "encryption type %d not supported", + etype); + return KRB5_PROG_ETYPE_NOSUPP; + } + if (e->flags & F_DISABLED) { + krb5_set_error_string (context, "encryption type %s is disabled", + e->name); + return KRB5_PROG_ETYPE_NOSUPP; + } + return 0; +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_cksumtype_valid(krb5_context context, + krb5_cksumtype ctype) +{ + struct checksum_type *c = _find_checksum(ctype); + if (c == NULL) { + krb5_set_error_string (context, "checksum type %d not supported", + ctype); + return KRB5_PROG_SUMTYPE_NOSUPP; + } + if (c->flags & F_DISABLED) { + krb5_set_error_string (context, "checksum type %s is disabled", + c->name); + return KRB5_PROG_SUMTYPE_NOSUPP; + } + return 0; } + /* if two enctypes have compatible keys */ -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_enctypes_compatible_keys(krb5_context context, krb5_enctype etype1, krb5_enctype etype2) @@ -2813,7 +3288,7 @@ encrypt_internal_derived(krb5_context context, ret = _get_derived_key(context, crypto, ENCRYPTION_USAGE(usage), &dkey); if(ret) goto fail; - ret = _key_schedule(context, dkey); + ret = _key_schedule(context, dkey, crypto->params); if(ret) goto fail; #ifdef CRYPTO_DEBUG @@ -2840,7 +3315,7 @@ encrypt_internal(krb5_context context, krb5_data *result, void *ivec) { - size_t sz, block_sz, checksum_sz; + size_t sz, block_sz, checksum_sz, padsize = 0; Checksum cksum; unsigned char *p, *q; krb5_error_code ret; 
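Review bot: krb5_enctype_valid changes meaning: it used to return `_find_enctype(etype) != NULL` (non-zero when valid) and now returns 0 when valid and KRB5_PROG_ETYPE_NOSUPP otherwise, so any caller still written as `if (krb5_enctype_valid(context, etype))` has its logic inverted and would accept unknown or disabled enctypes. The return type was already krb5_error_code, so the new contract is the right one, but every caller in this commit's other files needs checking. Suggest a comment above the definition so the inversion is visible: `/* Returns 0 if `etype' is known and not disabled, otherwise KRB5_PROG_ETYPE_NOSUPP (not a boolean). */`, and the equivalent on the new krb5_cksumtype_valid.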
@@ -2850,6 +3325,11 @@ encrypt_internal(krb5_context context, sz = et->confoundersize + checksum_sz + len; block_sz = (sz + et->padsize - 1) &~ (et->padsize - 1); /* pad */ + if ((et->flags & F_PADCMS) && et->padsize != 1) { + padsize = et->padsize - (sz % et->padsize); + if (padsize == et->padsize) + block_sz += et->padsize; + } p = calloc(1, block_sz); if(p == NULL) { krb5_set_error_string(context, "malloc: out of memory"); @@ -2879,9 +3359,15 @@ encrypt_internal(krb5_context context, goto fail; memcpy(p + et->confoundersize, cksum.checksum.data, cksum.checksum.length); free_Checksum(&cksum); - ret = _key_schedule(context, &crypto->key); + ret = _key_schedule(context, &crypto->key, crypto->params); if(ret) goto fail; + if (et->flags & F_PADCMS) { + int i; + q = p + len + checksum_sz + et->confoundersize; + for (i = 0; i < padsize; i++) + q[i] = padsize; + } #ifdef CRYPTO_DEBUG krb5_crypto_debug(context, 1, block_sz, crypto->key.key); #endif @@ -2979,7 +3465,7 @@ decrypt_internal_derived(krb5_context context, free(p); return ret; } - ret = _key_schedule(context, dkey); + ret = _key_schedule(context, dkey, crypto->params); if(ret) { free(p); return ret; @@ -3046,7 +3532,7 @@ decrypt_internal(krb5_context context, } memcpy(p, data, len); - ret = _key_schedule(context, &crypto->key); + ret = _key_schedule(context, &crypto->key, crypto->params); if(ret) { free(p); return ret; @@ -3129,7 +3615,7 @@ decrypt_internal_special(krb5_context context, } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_encrypt_ivec(krb5_context context, krb5_crypto crypto, unsigned usage, @@ -3148,7 +3634,7 @@ krb5_encrypt_ivec(krb5_context context, return encrypt_internal(context, crypto, data, len, result, ivec); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_encrypt(krb5_context context, krb5_crypto crypto, unsigned usage, 
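Review bot: The CMS padding loop in encrypt_internal declares `int i` and compares it with `padsize`, a size_t; `size_t i;` keeps the types aligned (padsize never exceeds et->padsize, so the byte store `q[i] = padsize` itself is fine). The decrypt side is not visible here: the decrypt_internal hunk only updates the _key_schedule call, so this diff does not show F_PADCMS padding being stripped or validated; if that is missing, callers receive the pad bytes, and if it exists it should check that each of the last padsize bytes equals padsize with 1 <= padsize <= et->padsize and report a bad pad the same way as a checksum mismatch rather than with a distinguishable error. encrypt_internal's signature and most of its body lie outside these hunks.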
@@ -3159,7 +3645,7 @@ krb5_encrypt(krb5_context context, return krb5_encrypt_ivec(context, crypto, usage, data, len, result, NULL); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_encrypt_EncryptedData(krb5_context context, krb5_crypto crypto, unsigned usage, @@ -3177,7 +3663,7 @@ krb5_encrypt_EncryptedData(krb5_context context, return krb5_encrypt(context, crypto, usage, data, len, &result->cipher); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_decrypt_ivec(krb5_context context, krb5_crypto crypto, unsigned usage, @@ -3196,7 +3682,7 @@ krb5_decrypt_ivec(krb5_context context, return decrypt_internal(context, crypto, data, len, result, ivec); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_decrypt(krb5_context context, krb5_crypto crypto, unsigned usage, @@ -3208,7 +3694,7 @@ krb5_decrypt(krb5_context context, NULL); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_decrypt_EncryptedData(krb5_context context, krb5_crypto crypto, unsigned usage, @@ -3231,17 +3717,19 @@ krb5_decrypt_EncryptedData(krb5_context context, static int seed_something(void) { - int fd = -1; char buf[1024], seedfile[256]; /* If there is a seed file, load it. But such a file cannot be trusted, so use 0 for the entropy estimate */ if (RAND_file_name(seedfile, sizeof(seedfile))) { + int fd; fd = open(seedfile, O_RDONLY); if (fd >= 0) { - read(fd, buf, sizeof(buf)); - /* Use the full buffer anyway */ - RAND_add(buf, sizeof(buf), 0.0); + ssize_t ret; + ret = read(fd, buf, sizeof(buf)); + if (ret > 0) + RAND_add(buf, ret, 0.0); + close(fd); } else seedfile[0] = '\0'; } else 
@@ -3273,39 +3761,44 @@ seed_something(void) return -1; } -void +void KRB5_LIB_FUNCTION krb5_generate_random_block(void *buf, size_t len) { static int rng_initialized = 0; + HEIMDAL_MUTEX_lock(&crypto_mutex); if (!rng_initialized) { if (seed_something()) krb5_abortx(NULL, "Fatal: could not seed the random number generator"); rng_initialized = 1; } + HEIMDAL_MUTEX_unlock(&crypto_mutex); RAND_bytes(buf, len); } #else -void +void KRB5_LIB_FUNCTION krb5_generate_random_block(void *buf, size_t len) { - des_cblock key, out; - static des_cblock counter; - static des_key_schedule schedule; + DES_cblock key, out; + static DES_cblock counter; + static DES_key_schedule schedule; int i; static int initialized = 0; + HEIMDAL_MUTEX_lock(&crypto_mutex); if(!initialized) { - des_new_random_key(&key); - des_set_key(&key, schedule); + DES_new_random_key(&key); + DES_set_key(&key, &schedule); memset(&key, 0, sizeof(key)); - des_new_random_key(&counter); + DES_new_random_key(&counter); + initialized = 1; } + HEIMDAL_MUTEX_unlock(&crypto_mutex); while(len > 0) { - des_ecb_encrypt(&counter, &out, schedule, DES_ENCRYPT); + DES_ecb_encrypt(&counter, &out, &schedule, DES_ENCRYPT); for(i = 7; i >=0; i--) if(counter[i]++) break; 
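Review bot: In the fallback krb5_generate_random_block (the `#else` branch), `crypto_mutex` is released before the `while(len > 0)` loop, yet that loop reads and increments the static `counter` and uses the static `schedule`; two concurrent callers can therefore encrypt the same counter value and receive identical output, which matters if this path feeds key or confounder generation. Moving `HEIMDAL_MUTEX_unlock(&crypto_mutex);` to after the loop closes that window. In the OpenSSL branch, `RAND_bytes(buf, len);` ignores its return value even though RAND_bytes signals failure (for example an unseeded pool) through it; `if (RAND_bytes(buf, len) <= 0) krb5_abortx(NULL, "RAND_bytes failed");` would match the existing seed-failure handling. Both function bodies extend past the end of the hunk.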
@@ -3320,35 +3813,12 @@ static void DES3_postproc(krb5_context context, unsigned char *k, size_t len, struct key_data *key) { - unsigned char x[24]; - int i, j; - - memset(x, 0, sizeof(x)); - for (i = 0; i < 3; ++i) { - unsigned char foo; - - for (j = 0; j < 7; ++j) { - unsigned char b = k[7 * i + j]; + DES3_random_to_key(context, key->key, k, len); - x[8 * i + j] = b; - } - foo = 0; - for (j = 6; j >= 0; --j) { - foo |= k[7 * i + j] & 1; - foo <<= 1; - } - x[8 * i + 7] = foo; - } - k = key->key->keyvalue.data; - memcpy(k, x, 24); - memset(x, 0, sizeof(x)); if (key->schedule) { krb5_free_data(context, key->schedule); key->schedule = NULL; } - des_set_odd_parity((des_cblock*)k); - des_set_odd_parity((des_cblock*)(k + 8)); - des_set_odd_parity((des_cblock*)(k + 16)); } static krb5_error_code @@ -3363,7 +3833,9 @@ derive_key(krb5_context context, krb5_error_code ret = 0; struct key_type *kt = et->keytype; - ret = _key_schedule(context, key); + /* since RC2 is only the weird crypto alg with parameter and this + * function not defined with work with RC2, this is ok */ + ret = _key_schedule(context, key, NULL); if(ret) return ret; if(et->blocksize * 8 < kt->bits || @@ -3409,12 +3881,10 @@ derive_key(krb5_context context, case KEYTYPE_DES3: DES3_postproc(context, k, nblocks * et->blocksize, key); break; -#ifdef ENABLE_AES case KEYTYPE_AES128: case KEYTYPE_AES256: memcpy(key->key->keyvalue.data, k, key->key->keyvalue.length); break; -#endif /* ENABLE_AES */ default: krb5_set_error_string(context, "derive_key() called with unknown keytype (%u)", @@ -3422,6 +3892,10 @@ derive_key(krb5_context context, ret = KRB5_CRYPTO_INTERNAL; break; } + if (key->schedule) { + krb5_free_data(context, key->schedule); + key->schedule = NULL; + } memset(k, 0, nblocks * et->blocksize); free(k); return ret; 
@@ -3441,7 +3915,7 @@ _new_derived_key(krb5_crypto crypto, unsigned usage) return &d->key; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_derive_key(krb5_context context, const krb5_keyblock *key, krb5_enctype etype, @@ -3501,7 +3975,7 @@ _get_derived_key(krb5_context context, } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_crypto_init(krb5_context context, const krb5_keyblock *key, krb5_enctype etype, @@ -3516,25 +3990,29 @@ krb5_crypto_init(krb5_context context, if(etype == ETYPE_NULL) etype = key->keytype; (*crypto)->et = _find_enctype(etype); - if((*crypto)->et == NULL) { + if((*crypto)->et == NULL || ((*crypto)->et->flags & F_DISABLED)) { free(*crypto); + *crypto = NULL; krb5_set_error_string (context, "encryption type %d not supported", etype); return KRB5_PROG_ETYPE_NOSUPP; } - if((*crypto)->et->keytype->size != key->keyvalue.length) { + if((*crypto)->et->keytype->minsize > key->keyvalue.length) { free(*crypto); + *crypto = NULL; krb5_set_error_string (context, "encryption key has bad length"); return KRB5_BAD_KEYSIZE; } ret = krb5_copy_keyblock(context, key, &(*crypto)->key.key); if(ret) { free(*crypto); + *crypto = NULL; return ret; } (*crypto)->key.schedule = NULL; (*crypto)->num_key_usage = 0; (*crypto)->key_usage = NULL; + (*crypto)->params = NULL; return 0; } @@ -3554,7 +4032,7 @@ free_key_usage(krb5_context context, struct key_usage *ku) free_key_data(context, &ku->key); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_crypto_destroy(krb5_context context, krb5_crypto crypto) { 
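Review bot: The key-length check in `krb5_crypto_init` went from requiring `key->keyvalue.length` to equal `keytype->size` to only rejecting keys shorter than `keytype->minsize`, so an over-long key is now accepted and copied whole by `krb5_copy_keyblock`; unless every consumer of `key.key` reads only `keytype->size` bytes (not visible here), the extra bytes silently change which key material is used. If variable-length key types are the reason (the new `params` member and the RC2 remark in the earlier hunk suggest so), either also bound the upper end against whatever maximum the key-type table carries, or add a comment at the check such as `/* longer keys are deliberately accepted: key types with variable length use minsize as the floor */` so the relaxation reads as intended rather than as a lost `!=`.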
@@ -3564,11 +4042,80 @@ krb5_crypto_destroy(krb5_context context, free_key_usage(context, &crypto->key_usage[i]); free(crypto->key_usage); free_key_data(context, &crypto->key); + free(crypto->params); free (crypto); return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_crypto_get_params(krb5_context context, + const krb5_crypto crypto, + const krb5_data *params, + krb5_data *ivec) +{ + krb5_error_code (*gp)(krb5_context, const krb5_data *,void **,krb5_data *); + krb5_error_code ret; + + gp = crypto->et->keytype->get_params; + if (gp) { + if (crypto->params) { + krb5_set_error_string(context, + "krb5_crypto_get_params called " + "more than once"); + return KRB5_PROG_ETYPE_NOSUPP; + } + ret = (*gp)(context, params, &crypto->params, ivec); + } else { + size_t size; + if (ivec == NULL) + return 0; + ret = decode_CBCParameter(params->data, params->length, ivec, &size); + } + if (ret) + return ret; + if (ivec->length < crypto->et->blocksize) { + krb5_data_free(ivec); + krb5_set_error_string(context, "%s IV of wrong size", + crypto->et->name); + return ASN1_PARSE_ERROR; + } + return 0; +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_crypto_set_params(krb5_context context, + const krb5_crypto crypto, + const krb5_data *ivec, + krb5_data *params) +{ + krb5_error_code (*sp)(krb5_context, const void *, + const krb5_data *, krb5_data *); + krb5_error_code ret; + + sp = crypto->et->keytype->set_params; + if (sp == NULL) { + size_t size; + if (ivec == NULL) + return 0; + ASN1_MALLOC_ENCODE(CBCParameter, params->data, params->length, + ivec, &size, ret); + if (ret) + return ret; + if (size != params->length) + krb5_abortx(context, "Internal asn1 encoder failure"); + return 0; + } + if (crypto->params) { + krb5_set_error_string(context, + "krb5_crypto_set_params called " + "more than once"); + return KRB5_PROG_ETYPE_NOSUPP; + } + return (*sp)(context, crypto->params, ivec, params); +} + + +krb5_error_code KRB5_LIB_FUNCTION krb5_crypto_getblocksize(krb5_context 
context, krb5_crypto crypto, size_t *blocksize) @@ -3577,7 +4124,49 @@ krb5_crypto_getblocksize(krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_crypto_getenctype(krb5_context context, + krb5_crypto crypto, + krb5_enctype *enctype) +{ + *enctype = crypto->et->type; + return 0; +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_crypto_getpadsize(krb5_context context, + krb5_crypto crypto, + size_t *padsize) +{ + *padsize = crypto->et->padsize; + return 0; +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_crypto_getconfoundersize(krb5_context context, + krb5_crypto crypto, + size_t *confoundersize) +{ + *confoundersize = crypto->et->confoundersize; + return 0; +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_enctype_disable(krb5_context context, + krb5_enctype enctype) +{ + struct encryption_type *et = _find_enctype(enctype); + if(et == NULL) { + if (context) + krb5_set_error_string (context, "encryption type %d not supported", + enctype); + return KRB5_PROG_ETYPE_NOSUPP; + } + et->flags |= F_DISABLED; + return 0; +} + +krb5_error_code KRB5_LIB_FUNCTION krb5_string_to_key_derived(krb5_context context, const void *str, size_t len, @@ -3634,9 +4223,10 @@ wrapped_length (krb5_context context, { struct encryption_type *et = crypto->et; size_t padsize = et->padsize; + size_t checksumsize = CHECKSUMSIZE(et->checksum); size_t res; - res = et->confoundersize + et->checksum->checksumsize + data_len; + res = et->confoundersize + checksumsize + data_len; res = (res + padsize - 1) / padsize * padsize; return res; } @@ -3652,7 +4242,10 @@ wrapped_length_dervied (krb5_context context, res = et->confoundersize + data_len; res = (res + padsize - 1) / padsize * padsize; - res += et->checksum->checksumsize; + if (et->keyed_checksum) + res += et->keyed_checksum->checksumsize; + else + res += et->checksum->checksumsize; return res; } 
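Review bot: `krb5_crypto_get_params` dereferences `ivec` unconditionally at `if (ivec->length < crypto->et->blocksize)`, but only the `gp == NULL` branch returns early for `ivec == NULL`; when the key type supplies `get_params` and the caller passes no `ivec`, this is a NULL dereference. `params->data` and `params->length` are likewise read in the default branch without checking `params`. If `get_params` implementations do not need to run for their side effect on `crypto->params`, hoisting `if (ivec == NULL) return 0;` above the `if (gp)` split and adding `if (params == NULL) return EINVAL;` at the top fixes both. In `krb5_crypto_set_params` the `sp == NULL && ivec == NULL` path returns 0 without touching `*params`, so a caller that later frees `params->data` acts on an uninitialised pointer; setting `params->data = NULL; params->length = 0;` before that return makes the output well defined on every successful path.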
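Review bot: `krb5_enctype_disable` writes `et->flags |= F_DISABLED` into the shared, static enctype table with no locking, while the same file now serialises `krb5_generate_random_block`'s setup under `crypto_mutex` and `krb5_crypto_init` (earlier hunk) reads `et->flags`; a call from one thread concurrent with `krb5_crypto_init` in another is a data race, probably benign for a single OR on most targets but undefined as written. Either take `crypto_mutex` around the store or document the intended use, e.g. `/* Process-wide and irreversible: must be called before other threads use the library, the enctype table is not locked. */`. The `context == NULL` tolerance (`if (context)`) reinforces that this is a process-level switch rather than a per-context setting, which the doc comment should state, since no re-enable counterpart is visible.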
@@ -3671,6 +4264,38 @@ krb5_get_wrapped_length (krb5_context context, return wrapped_length (context, crypto, data_len); } +krb5_error_code KRB5_LIB_FUNCTION +krb5_random_to_key(krb5_context context, + krb5_enctype type, + const void *data, + size_t size, + krb5_keyblock *key) +{ + krb5_error_code ret; + struct encryption_type *et = _find_enctype(type); + if(et == NULL) { + krb5_set_error_string(context, "encryption type %d not supported", + type); + return KRB5_PROG_ETYPE_NOSUPP; + } + if ((et->keytype->bits + 7) / 8 > size) { + krb5_set_error_string(context, "encryption key %s needs %d bytes " + "of random to make an encryption key out of it", + et->name, (int)et->keytype->size); + return KRB5_PROG_ETYPE_NOSUPP; + } + ret = krb5_data_alloc(&key->keyvalue, et->keytype->size); + if(ret) + return ret; + key->keytype = type; + if (et->keytype->random_to_key) + (*et->keytype->random_to_key)(context, key, data, size); + else + memcpy(key->keyvalue.data, data, et->keytype->size); + + return 0; +} + #ifdef CRYPTO_DEBUG static krb5_error_code diff --git a/kerberosV/src/lib/krb5/fcache.c b/kerberosV/src/lib/krb5/fcache.c index be9dbb6731d..8d1a2db0dd6 100644 --- a/kerberosV/src/lib/krb5/fcache.c +++ b/kerberosV/src/lib/krb5/fcache.c @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$KTH: fcache.c,v 1.34.6.6 2004/03/10 13:30:59 lha Exp $"); +RCSID("$KTH: fcache.c,v 1.48 2005/05/31 22:06:15 lha Exp $"); typedef struct krb5_fcache{ char *filename; 
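Review bot: In `krb5_random_to_key` the guard tests `size` against `(et->keytype->bits + 7) / 8` but the error message prints `et->keytype->size`, so when the two differ the message names a byte count that was not the one checked; print the value actually required, `(int)((et->keytype->bits + 7) / 8)`. The fallback `memcpy(key->keyvalue.data, data, et->keytype->size)` copies `keytype->size` bytes although only `(bits + 7) / 8` bytes of `data` were verified to exist, an over-read for any key type without `random_to_key` whose `size` exceeds its bit length in bytes; presumably no such type is in the table, but copying `(et->keytype->bits + 7) / 8` bytes (or asserting the two are equal for such types) removes the dependence on that. `KRB5_PROG_ETYPE_NOSUPP` is also an odd code for "buffer too short"; `KRB5_BAD_KEYSIZE`, which `krb5_crypto_init` uses for the analogous condition, fits better.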
@@ -105,18 +105,33 @@ _krb5_xlock(krb5_context context, int fd, krb5_boolean exclusive, } int -_krb5_xunlock(int fd) +_krb5_xunlock(krb5_context context, int fd) { + int ret; #ifdef HAVE_FCNTL_LOCK struct flock l; l.l_start = 0; l.l_len = 0; l.l_type = F_UNLCK; l.l_whence = SEEK_SET; - return fcntl(fd, F_SETLKW, &l); + ret = fcntl(fd, F_SETLKW, &l); #else - return flock(fd, LOCK_UN); + ret = flock(fd, LOCK_UN); #endif + if (ret < 0) + ret = errno; + switch (ret) { + case 0: + break; + case EINVAL: /* filesystem doesn't support locking, let the user have it */ + ret = 0; + break; + default: + krb5_set_error_string(context, + "Failed to unlock file: %s", strerror(ret)); + break; + } + return ret; } static krb5_error_code @@ -129,7 +144,7 @@ fcc_lock(krb5_context context, krb5_ccache id, static krb5_error_code fcc_unlock(krb5_context context, int fd) { - return _krb5_xunlock(fd); + return _krb5_xunlock(context, fd); } static krb5_error_code @@ -405,13 +420,12 @@ fcc_store_cred(krb5_context context, sp = krb5_storage_from_fd(fd); krb5_storage_set_eof_code(sp, KRB5_CC_END); storage_set_flags(context, sp, FCACHE(id)->version); - if (krb5_config_get_bool_default(context, NULL, FALSE, - "libdefaults", - "fcc-mit-ticketflags", - NULL)) - ret = _krb5_store_creds_heimdal_0_7(sp, creds); - else - ret = _krb5_store_creds_heimdal_pre_0_7(sp, creds); + if (!krb5_config_get_bool_default(context, NULL, TRUE, + "libdefaults", + "fcc-mit-ticketflags", + NULL)) + krb5_storage_set_flags(sp, KRB5_STORAGE_CREDS_FLAGS_WRONG_BITORDER); + ret = krb5_store_creds(sp, creds); krb5_storage_free(sp); } fcc_unlock(context, fd); @@ -436,12 +450,12 @@ init_fcc (krb5_context context, krb5_error_code ret; ret = fcc_open(context, id, &fd, O_RDONLY | O_BINARY, 0); - if(ret) return ret; sp = krb5_storage_from_fd(fd); if(sp == NULL) { + krb5_clear_error_string(context); ret = ENOMEM; goto out; } 
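Review bot: In `fcc_store_cred`, `sp = krb5_storage_from_fd(fd);` is still followed directly by `krb5_storage_set_eof_code(sp, KRB5_CC_END)` with no NULL check, and the new `krb5_storage_set_flags(sp, KRB5_STORAGE_CREDS_FLAGS_WRONG_BITORDER)` line adds one more dereference of a possibly-NULL `sp`, whereas the `init_fcc` hunk just below now handles `sp == NULL` with `ENOMEM`. Guarding the set_eof_code/set_flags/store/free sequence with `if (sp == NULL) ret = ENOMEM; else { ... }` would make the two functions consistent; `fcc_store_cred` starts outside the hunk. The default for `fcc-mit-ticketflags` also flips from `FALSE` to `TRUE`, which changes the on-disk bit order written for every user without that setting, so it deserves a sentence in the configuration documentation.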
@@ -450,14 +464,18 @@ init_fcc (krb5_context context, if(ret != 0) { if(ret == KRB5_CC_END) ret = ENOENT; /* empty file */ + krb5_clear_error_string(context); goto out; } if(pvno != 5) { + krb5_set_error_string(context, "Bad version number in credential " + "cache file: %s", FILENAME(id)); ret = KRB5_CCACHE_BADVNO; goto out; } ret = krb5_ret_int8(sp, &tag); /* should not be host byte order */ if(ret != 0) { + krb5_clear_error_string(context); ret = KRB5_CC_FORMAT; goto out; } @@ -470,6 +488,7 @@ init_fcc (krb5_context context, ret = krb5_ret_int16 (sp, &length); if(ret) { ret = KRB5_CC_FORMAT; + krb5_clear_error_string(context); goto out; } while(length > 0) { @@ -479,11 +498,13 @@ init_fcc (krb5_context context, ret = krb5_ret_int16 (sp, &tag); if(ret) { + krb5_clear_error_string(context); ret = KRB5_CC_FORMAT; goto out; } ret = krb5_ret_int16 (sp, &data_len); if(ret) { + krb5_clear_error_string(context); ret = KRB5_CC_FORMAT; goto out; } @@ -491,11 +512,13 @@ init_fcc (krb5_context context, case FCC_TAG_DELTATIME : ret = krb5_ret_int32 (sp, &context->kdc_sec_offset); if(ret) { + krb5_clear_error_string(context); ret = KRB5_CC_FORMAT; goto out; } ret = krb5_ret_int32 (sp, &context->kdc_usec_offset); if(ret) { + krb5_clear_error_string(context); ret = KRB5_CC_FORMAT; goto out; } @@ -504,6 +527,7 @@ init_fcc (krb5_context context, for (i = 0; i < data_len; ++i) { ret = krb5_ret_int8 (sp, &dummy); if(ret) { + krb5_clear_error_string(context); ret = KRB5_CC_FORMAT; goto out; } @@ -520,6 +544,9 @@ init_fcc (krb5_context context, break; default : ret = KRB5_CCACHE_BADVNO; + krb5_set_error_string(context, "Unknown version number (%d) in " + "credential cache file: %s", + (int)tag, FILENAME(id)); goto out; } *ret_sp = sp; @@ -547,6 +574,8 @@ fcc_get_principal(krb5_context context, if (ret) return ret; ret = krb5_ret_principal(sp, principal); + if (ret) + krb5_clear_error_string(context); krb5_storage_free(sp); fcc_unlock(context, fd); close(fd); 
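Review bot: The triple `krb5_clear_error_string(context); ret = KRB5_CC_FORMAT; goto out;` is now repeated at eight read sites in `init_fcc`, and in the `krb5_ret_int16 (sp, &length)` case the clear comes after the assignment rather than before, which is harmless but reads as if the order mattered. A single `goto out_format;` at each site with one label, `out_format: krb5_clear_error_string(context); ret = KRB5_CC_FORMAT;` falling into `out:`, removes the repetition and the inconsistency. `init_fcc` starts before and ends after these hunks.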
@@ -567,15 +596,22 @@ fcc_get_first (krb5_context context, krb5_principal principal; *cursor = malloc(sizeof(struct fcc_cursor)); + if (*cursor == NULL) { + krb5_set_error_string (context, "malloc: out of memory"); + return ENOMEM; + } + memset(*cursor, 0, sizeof(struct fcc_cursor)); ret = init_fcc (context, id, &FCC_CURSOR(*cursor)->sp, &FCC_CURSOR(*cursor)->fd); if (ret) { free(*cursor); + *cursor = NULL; return ret; } ret = krb5_ret_principal (FCC_CURSOR(*cursor)->sp, &principal); if(ret) { + krb5_clear_error_string(context); fcc_end_get(context, id, cursor); return ret; } @@ -595,6 +631,8 @@ fcc_get_next (krb5_context context, return ret; ret = krb5_ret_creds(FCC_CURSOR(*cursor)->sp, creds); + if (ret) + krb5_clear_error_string(context); fcc_unlock(context, FCC_CURSOR(*cursor)->fd); return ret; @@ -618,7 +656,31 @@ fcc_remove_cred(krb5_context context, krb5_flags which, krb5_creds *cred) { - return 0; /* XXX */ + krb5_error_code ret; + krb5_ccache copy; + + ret = krb5_cc_gen_new(context, &krb5_mcc_ops, ©); + if (ret) + return ret; + + ret = krb5_cc_copy_cache(context, id, copy); + if (ret) { + krb5_cc_destroy(context, copy); + return ret; + } + + ret = krb5_cc_remove_cred(context, copy, which, cred); + if (ret) { + krb5_cc_destroy(context, copy); + return ret; + } + + fcc_destroy(context, id); + + ret = krb5_cc_copy_cache(context, copy, id); + krb5_cc_destroy(context, copy); + + return ret; } static krb5_error_code diff --git a/kerberosV/src/lib/krb5/get_host_realm.c b/kerberosV/src/lib/krb5/get_host_realm.c index 92e978cbb92..61c1d4af230 100644 --- a/kerberosV/src/lib/krb5/get_host_realm.c +++ b/kerberosV/src/lib/krb5/get_host_realm.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2005 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * 
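Review bot: `fcc_remove_cred` destroys the on-disk cache with `fcc_destroy(context, id)` before the filtered copy is written back by `krb5_cc_copy_cache(context, copy, id)`, and `fcc_destroy`'s return value is dropped; if the write-back fails (no space, permissions, a concurrent holder of the file lock) the user is left with no credentials at all instead of the unmodified cache. Writing the copy to a new file and renaming it over the original, or at least checking `fcc_destroy`'s result and reporting a write-back failure distinctly, keeps the removal atomic for readers; whether `id` stays a usable handle after `fcc_destroy` is not visible here. The `©` in `krb5_cc_gen_new(context, &krb5_mcc_ops, ©)` is presumably `&copy` mangled by entity decoding in this rendering, not in the source.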
@@ -34,7 +34,7 @@ #include "krb5_locl.h" #include <resolve.h> -RCSID("$KTH: get_host_realm.c,v 1.29 2002/08/28 13:36:57 nectar Exp $"); +RCSID("$KTH: get_host_realm.c,v 1.34 2005/04/19 18:52:51 lha Exp $"); /* To automagically find the correct realm of a host (without * [domain_realm] in krb5.conf) add a text record for your domain with @@ -98,7 +98,7 @@ dns_find_realm(krb5_context context, char dom[MAXHOSTNAMELEN]; struct dns_reply *r; char **labels; - int i, j, ret; + int i, ret; labels = krb5_config_get_strings(context, NULL, "libdefaults", "dns_lookup_realm_labels", NULL); @@ -107,8 +107,8 @@ dns_find_realm(krb5_context context, if(*domain == '.') domain++; for (i = 0; labels[i] != NULL; i++) { - j = snprintf(dom, sizeof(dom), "%s.%s.", labels[i], domain); - if (j >= sizeof(dom) || j < 0) /* fucking solaris assholes */ + ret = snprintf(dom, sizeof(dom), "%s.%s.", labels[i], domain); + if(ret < 0 || ret >= sizeof(dom)) return -1; r = dns_lookup(dom, "TXT"); if(r != NULL) { @@ -149,11 +149,11 @@ config_find_realm(krb5_context context, * fall back to guessing */ -krb5_error_code -krb5_get_host_realm_int (krb5_context context, - const char *host, - krb5_boolean use_dns, - krb5_realm **realms) +krb5_error_code KRB5_LIB_FUNCTION +_krb5_get_host_realm_int (krb5_context context, + const char *host, + krb5_boolean use_dns, + krb5_realm **realms) { const char *p, *q; krb5_boolean dns_locate_enable; @@ -203,7 +203,7 @@ krb5_get_host_realm_int (krb5_context context, * Return the realm(s) of `host' as a NULL-terminated list in `realms'. */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_host_realm(krb5_context context, const char *host, krb5_realm **realms) @@ -216,5 +216,5 @@ krb5_get_host_realm(krb5_context context, host = hostname; } - return krb5_get_host_realm_int (context, host, 1, realms); + return _krb5_get_host_realm_int (context, host, 1, realms); } 
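Review bot: The rewritten truncation check `if(ret < 0 || ret >= sizeof(dom))` compares an `int` with a `size_t`; it is correct only because the `ret < 0` test runs first, `-Wsign-compare` flags it, and reordering the operands would break it, so `(size_t)ret >= sizeof(dom)` is the self-documenting form. Reusing `ret`, which the rest of `dns_find_realm` (outside the hunk) presumably carries as the function result, for the `snprintf` length also leaves `ret` holding a string length after a successful format until something overwrites it; keeping a separate `int n` for the length, as the removed `j` did, keeps the two meanings apart.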
diff --git a/kerberosV/src/lib/krb5/init_creds.c b/kerberosV/src/lib/krb5/init_creds.c
index 7478dd149cf..0038c900cef 100644
--- a/kerberosV/src/lib/krb5/init_creds.c
+++ b/kerberosV/src/lib/krb5/init_creds.c
@@ -1,45 +1,114 @@ /* - * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. + * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
*/ #include "krb5_locl.h" -RCSID("$KTH: init_creds.c,v 1.9 2001/07/03 18:42:07 assar Exp $"); +RCSID("$KTH: init_creds.c,v 1.20.4.2 2005/10/13 03:11:06 lha Exp $"); -void +void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_init(krb5_get_init_creds_opt *opt) { memset (opt, 0, sizeof(*opt)); opt->flags = 0; + opt->opt_private = NULL; +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_get_init_creds_opt_alloc(krb5_context context, + krb5_get_init_creds_opt **opt) +{ + krb5_get_init_creds_opt *o; + + *opt = NULL; + o = calloc(1, sizeof(*o)); + if (o == NULL) { + krb5_set_error_string(context, "out of memory"); + return ENOMEM; + } + krb5_get_init_creds_opt_init(o); + o->opt_private = calloc(1, sizeof(*o->opt_private)); + if (o->opt_private == NULL) { + krb5_set_error_string(context, "out of memory"); + free(o); + return ENOMEM; + } + o->opt_private->refcount = 1; + *opt = o; + return 0; +} + +krb5_error_code +_krb5_get_init_creds_opt_copy(krb5_context context, + const krb5_get_init_creds_opt *in, + krb5_get_init_creds_opt **out) +{ + krb5_get_init_creds_opt *opt; + + *out = NULL; + opt = malloc(sizeof(*opt)); + if (opt == NULL) { + krb5_set_error_string(context, "out of memory"); + return ENOMEM; + } + if (in) + *opt = *in; + if(opt->opt_private == NULL) { + opt->opt_private = calloc(1, sizeof(*opt->opt_private)); + if (opt->opt_private == NULL) { + krb5_set_error_string(context, "out of memory"); + free(opt); + return ENOMEM; + } + opt->opt_private->refcount = 1; + } else + opt->opt_private->refcount++; + *out = opt; + return 0; +} + +void KRB5_LIB_FUNCTION +krb5_get_init_creds_opt_free(krb5_get_init_creds_opt *opt) +{ + if (opt->opt_private == NULL) + return; + if (opt->opt_private->refcount < 1) /* abort ? */ + return; + if (--opt->opt_private->refcount == 0) { + _krb5_get_init_creds_opt_free_pkinit(opt); + free(opt->opt_private); + } + memset(opt, 0, sizeof(*opt)); + free(opt); } static int 
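Review bot: In `_krb5_get_init_creds_opt_copy`, `opt = malloc(sizeof(*opt)); if (in) *opt = *in;` leaves `*opt` uninitialised when `in == NULL`, and the next line reads `opt->opt_private`, which is undefined behaviour; if the garbage happens to be non-NULL, `opt->opt_private->refcount++` then writes through a wild pointer. Use `opt = calloc(1, sizeof(*opt));` as `krb5_get_init_creds_opt_alloc` already does, or add `else krb5_get_init_creds_opt_init(opt);`. In `krb5_get_init_creds_opt_free`, the `refcount < 1 /* abort ? */` early return leaks `opt` itself; since a refcount below one on a freeable opt can only come from a library bug, `krb5_abortx`-style failure or at least a comment stating that the leak is deliberate would be clearer than a silent return.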
@@ -93,9 +162,9 @@ get_config_bool (krb5_context context, static krb5_addresses no_addrs = {0, NULL}; -void +void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_set_default_flags(krb5_context context, - const char *appname, + const char *appname, krb5_const_realm realm, krb5_get_init_creds_opt *opt) { @@ -115,8 +184,8 @@ krb5_get_init_creds_opt_set_default_flags(krb5_context context, t = get_config_time (context, realm, "ticket_lifetime", 0); if(t != 0) krb5_get_init_creds_opt_set_tkt_life(opt, t); - - krb5_appdefault_time(context, appname, (krb5_realm)realm, "renew_lifetime", 0, &t); + + krb5_appdefault_time(context, appname, realm, "renew_lifetime", 0, &t); if (t == 0) t = get_config_time (context, realm, "renew_lifetime", 0); if(t != 0) @@ -130,7 +199,7 @@ krb5_get_init_creds_opt_set_default_flags(krb5_context context, krb5_appdefault_boolean(context, appname, realm, "anonymous", FALSE, &b); krb5_get_init_creds_opt_set_anonymous (opt, b); - krb5_get_init_creds_opt_set_etype_list(opt, enctype, + krb5_get_init_creds_opt_set_etype_list(opt, enctype, etype_str.num_strings); krb5_get_init_creds_opt_set_salt(krb5_get_init_creds_opt *opt, @@ -143,7 +212,7 @@ krb5_get_init_creds_opt_set_default_flags(krb5_context context, } -void +void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_set_tkt_life(krb5_get_init_creds_opt *opt, krb5_deltat tkt_life) { @@ -151,7 +220,7 @@ krb5_get_init_creds_opt_set_tkt_life(krb5_get_init_creds_opt *opt, opt->tkt_life = tkt_life; } -void +void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_set_renew_life(krb5_get_init_creds_opt *opt, krb5_deltat renew_life) { @@ -159,7 +228,7 @@ krb5_get_init_creds_opt_set_renew_life(krb5_get_init_creds_opt *opt, opt->renew_life = renew_life; } -void +void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_set_forwardable(krb5_get_init_creds_opt *opt, int forwardable) { 
@@ -167,7 +236,7 @@ krb5_get_init_creds_opt_set_forwardable(krb5_get_init_creds_opt *opt, opt->forwardable = forwardable; } -void +void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_set_proxiable(krb5_get_init_creds_opt *opt, int proxiable) { @@ -175,7 +244,7 @@ krb5_get_init_creds_opt_set_proxiable(krb5_get_init_creds_opt *opt, opt->proxiable = proxiable; } -void +void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_set_etype_list(krb5_get_init_creds_opt *opt, krb5_enctype *etype_list, int etype_list_length) @@ -185,7 +254,7 @@ krb5_get_init_creds_opt_set_etype_list(krb5_get_init_creds_opt *opt, opt->etype_list_length = etype_list_length; } -void +void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_set_address_list(krb5_get_init_creds_opt *opt, krb5_addresses *addresses) { @@ -193,7 +262,7 @@ krb5_get_init_creds_opt_set_address_list(krb5_get_init_creds_opt *opt, opt->address_list = addresses; } -void +void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_set_preauth_list(krb5_get_init_creds_opt *opt, krb5_preauthtype *preauth_list, int preauth_list_length) @@ -203,7 +272,7 @@ krb5_get_init_creds_opt_set_preauth_list(krb5_get_init_creds_opt *opt, opt->preauth_list = preauth_list; } -void +void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_set_salt(krb5_get_init_creds_opt *opt, krb5_data *salt) { 
@@ -211,10 +280,52 @@ krb5_get_init_creds_opt_set_salt(krb5_get_init_creds_opt *opt, opt->salt = salt; } -void +void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_set_anonymous(krb5_get_init_creds_opt *opt, int anonymous) { opt->flags |= KRB5_GET_INIT_CREDS_OPT_ANONYMOUS; opt->anonymous = anonymous; } + +static krb5_error_code +require_ext_opt(krb5_context context, + krb5_get_init_creds_opt *opt, + const char *type) +{ + if (opt->opt_private == NULL) { + krb5_set_error_string(context, "%s on non extendable opt", type); + return EINVAL; + } + return 0; +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_get_init_creds_opt_set_pa_password(krb5_context context, + krb5_get_init_creds_opt *opt, + const char *password, + krb5_s2k_proc key_proc) +{ + krb5_error_code ret; + ret = require_ext_opt(context, opt, "init_creds_opt_set_pa_password"); + if (ret) + return ret; + opt->opt_private->password = password; + opt->opt_private->key_proc = key_proc; + return 0; +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_get_init_creds_opt_set_pac_request(krb5_context context, + krb5_get_init_creds_opt *opt, + krb5_boolean req_pac) +{ + krb5_error_code ret; + ret = require_ext_opt(context, opt, "init_creds_opt_set_pac_req"); + if (ret) + return ret; + opt->opt_private->req_pac = req_pac ? + KRB5_PA_PAC_REQ_TRUE : + KRB5_PA_PAC_REQ_FALSE; + return 0; +} diff --git a/kerberosV/src/lib/krb5/kerberos.8 b/kerberosV/src/lib/krb5/kerberos.8 index 422a6d0b94d..7cfee3b7b85 100644 --- a/kerberosV/src/lib/krb5/kerberos.8 +++ b/kerberosV/src/lib/krb5/kerberos.8 
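Review bot: `krb5_get_init_creds_opt_set_pa_password` stores the caller's `password` pointer in `opt->opt_private->password` without copying it, and `krb5_get_init_creds_opt_free` (earlier hunk) releases only `opt_private`, so the options neither own nor clear the secret: a caller that frees or reuses its buffer before the options are consumed leaves a dangling pointer, and the password stays in memory the library never zeroises. State the contract on the setter, e.g. `/* password is not copied: the caller must keep it valid for the lifetime of opt and is responsible for clearing it afterwards. */`, or copy it with `strdup` and zero-and-free it in `krb5_get_init_creds_opt_free`. The same lifetime remark applies to `key_proc` if it captures state.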
@@ -1,35 +1,35 @@ .\" Copyright (c) 2000 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. .\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: .\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. .\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. .\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. .\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. .\" -.\" $KTH: kerberos.8,v 1.6 2003/03/10 02:19:23 lha Exp $ +.\" $KTH: kerberos.8,v 1.8 2003/07/26 17:05:42 lha Exp $ .\" .Dd September 1, 2000 .Dt KERBEROS 8 diff --git a/kerberosV/src/lib/krb5/krb5-protos.h b/kerberosV/src/lib/krb5/krb5-protos.h index 58788aebab5..068edd51860 100644 --- a/kerberosV/src/lib/krb5/krb5-protos.h +++ b/kerberosV/src/lib/krb5/krb5-protos.h 
@@ -8,20 +8,32 @@ #define __attribute__(x) #endif -krb5_error_code +#ifdef __cplusplus +extern "C" { +#endif + +#ifndef KRB5_LIB_FUNCTION +#if defined(_WIN32) +#define KRB5_LIB_FUNCTION _stdcall +#else +#define KRB5_LIB_FUNCTION +#endif +#endif + +krb5_error_code KRB5_LIB_FUNCTION krb524_convert_creds_kdc ( krb5_context /*context*/, krb5_creds */*in_cred*/, struct credentials */*v4creds*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb524_convert_creds_kdc_ccache ( krb5_context /*context*/, krb5_ccache /*ccache*/, krb5_creds */*in_cred*/, struct credentials */*v4creds*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_425_conv_principal ( krb5_context /*context*/, const char */*name*/, @@ -29,7 +41,7 @@ krb5_425_conv_principal ( const char */*realm*/, krb5_principal */*princ*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_425_conv_principal_ext ( krb5_context /*context*/, const char */*name*/, @@ -39,7 +51,7 @@ krb5_425_conv_principal_ext ( krb5_boolean /*resolve*/, krb5_principal */*princ*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_524_conv_principal ( krb5_context /*context*/, const krb5_principal /*principal*/, @@ -47,17 +59,7 @@ krb5_524_conv_principal ( char */*instance*/, char */*realm*/); -krb5_error_code -krb5_PKCS5_PBKDF2 ( - krb5_context /*context*/, - krb5_cksumtype /*cktype*/, - krb5_data /*password*/, - krb5_salt /*salt*/, - u_int32_t /*iter*/, - krb5_keytype /*type*/, - krb5_keyblock */*key*/); - -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_abort ( krb5_context /*context*/, krb5_error_code /*code*/, 
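Review bot: With `KRB5_LIB_FUNCTION` defined as `_stdcall` on `_WIN32`, the macro is now applied to variadic prototypes — `krb5_abort` in this hunk and `krb5_abortx`, `krb5_acl_match_file` and `krb5_acl_match_string` in the next — and a stdcall calling convention cannot be combined with a `...` parameter list, so MSVC downgrades those declarations to cdecl with a warning and any definition or caller that does not do the same disagrees on the convention. Leave the variadic functions without the macro, or give them a separate macro (name is a placeholder, e.g. `KRB5_LIB_VARARGS_FUNCTION`) that expands to nothing on every platform, and say so in a comment next to the `#define`. The `extern "C" {` opened under `__cplusplus` needs a matching close at the end of the header, which is outside this view. Dropping the `krb5_PKCS5_PBKDF2` prototype removes a public declaration; if the function still exists callers now rely on an implicit declaration, and if it is gone the change log should say so.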
@@ -65,49 +67,49 @@ krb5_abort ( ...) __attribute__ ((noreturn, format (printf, 3, 4))); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_abortx ( krb5_context /*context*/, const char */*fmt*/, ...) __attribute__ ((noreturn, format (printf, 2, 3))); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_acl_match_file ( krb5_context /*context*/, const char */*file*/, const char */*format*/, ...); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_acl_match_string ( krb5_context /*context*/, const char */*string*/, const char */*format*/, ...); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_add_et_list ( krb5_context /*context*/, void (*/*func*/)(struct et_list **)); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_add_extra_addresses ( krb5_context /*context*/, krb5_addresses */*addresses*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_add_ignore_addresses ( krb5_context /*context*/, krb5_addresses */*addresses*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_addlog_dest ( krb5_context /*context*/, krb5_log_facility */*f*/, const char */*orig*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_addlog_func ( krb5_context /*context*/, krb5_log_facility */*fac*/, @@ -117,7 +119,7 @@ krb5_addlog_func ( krb5_log_close_func_t /*close*/, void */*data*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_addr2sockaddr ( krb5_context /*context*/, const krb5_address */*addr*/, 
@@ -125,32 +127,40 @@ krb5_addr2sockaddr ( krb5_socklen_t */*sa_size*/, int /*port*/); -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_address_compare ( krb5_context /*context*/, const krb5_address */*addr1*/, const krb5_address */*addr2*/); -int +int KRB5_LIB_FUNCTION krb5_address_order ( krb5_context /*context*/, const krb5_address */*addr1*/, const krb5_address */*addr2*/); -krb5_boolean +krb5_error_code KRB5_LIB_FUNCTION +krb5_address_prefixlen_boundary ( + krb5_context /*context*/, + const krb5_address */*inaddr*/, + unsigned long /*prefixlen*/, + krb5_address */*low*/, + krb5_address */*high*/); + +krb5_boolean KRB5_LIB_FUNCTION krb5_address_search ( krb5_context /*context*/, const krb5_address */*addr*/, const krb5_addresses */*addrlist*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_aname_to_localname ( krb5_context /*context*/, krb5_const_principal /*aname*/, size_t /*lnsize*/, char */*lname*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_anyaddr ( krb5_context /*context*/, int /*af*/, @@ -158,7 +168,7 @@ krb5_anyaddr ( krb5_socklen_t */*sa_size*/, int /*port*/); -void +void KRB5_LIB_FUNCTION krb5_appdefault_boolean ( krb5_context /*context*/, const char */*appname*/, @@ -167,7 +177,7 @@ krb5_appdefault_boolean ( krb5_boolean /*def_val*/, krb5_boolean */*ret_val*/); -void +void KRB5_LIB_FUNCTION krb5_appdefault_string ( krb5_context /*context*/, const char */*appname*/, @@ -176,7 +186,7 @@ krb5_appdefault_string ( const char */*def_val*/, char **/*ret_val*/); -void +void KRB5_LIB_FUNCTION krb5_appdefault_time ( krb5_context /*context*/, const char */*appname*/, 
@@ -185,176 +195,190 @@ krb5_appdefault_time ( time_t /*def_val*/, time_t */*ret_val*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_append_addresses ( krb5_context /*context*/, krb5_addresses */*dest*/, const krb5_addresses */*source*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_auth_con_addflags ( + krb5_context /*context*/, + krb5_auth_context /*auth_context*/, + int32_t /*addflags*/, + int32_t */*flags*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_free ( krb5_context /*context*/, krb5_auth_context /*auth_context*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_genaddrs ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, int /*fd*/, int /*flags*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_generatelocalsubkey ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, krb5_keyblock */*key*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_getaddrs ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, krb5_address **/*local_addr*/, krb5_address **/*remote_addr*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_getauthenticator ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, krb5_authenticator */*authenticator*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_getcksumtype ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, krb5_cksumtype */*cksumtype*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_getflags ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, int32_t */*flags*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_getkey ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, krb5_keyblock **/*keyblock*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_getkeytype ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, krb5_keytype */*keytype*/); -krb5_error_code 
+krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_getlocalseqnumber ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, int32_t */*seqnumber*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_getlocalsubkey ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, krb5_keyblock **/*keyblock*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_getrcache ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, krb5_rcache */*rcache*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_getremotesubkey ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, krb5_keyblock **/*keyblock*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_init ( krb5_context /*context*/, krb5_auth_context */*auth_context*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_auth_con_removeflags ( + krb5_context /*context*/, + krb5_auth_context /*auth_context*/, + int32_t /*removeflags*/, + int32_t */*flags*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_setaddrs ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, krb5_address */*local_addr*/, krb5_address */*remote_addr*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_setaddrs_from_fd ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, void */*p_fd*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_setcksumtype ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, krb5_cksumtype /*cksumtype*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_setflags ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, int32_t /*flags*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_setkey ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, krb5_keyblock */*keyblock*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_setkeytype ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, 
krb5_keytype /*keytype*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_setlocalseqnumber ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, int32_t /*seqnumber*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_setlocalsubkey ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, krb5_keyblock */*keyblock*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_setrcache ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, krb5_rcache /*rcache*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_setremoteseqnumber ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, int32_t /*seqnumber*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_setremotesubkey ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, krb5_keyblock */*keyblock*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_con_setuserkey ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, krb5_keyblock */*keyblock*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_auth_getremoteseqnumber ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, int32_t */*seqnumber*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_build_ap_req ( krb5_context /*context*/, krb5_enctype /*enctype*/, @@ -363,7 +387,7 @@ krb5_build_ap_req ( krb5_data /*authenticator*/, krb5_data */*retdata*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_build_authenticator ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, @@ -374,7 +398,7 @@ krb5_build_authenticator ( krb5_data */*result*/, krb5_key_usage /*usage*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_build_principal ( krb5_context /*context*/, krb5_principal */*principal*/, 
@@ -382,7 +406,7 @@ krb5_build_principal ( krb5_const_realm /*realm*/, ...); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_build_principal_ext ( krb5_context /*context*/, krb5_principal */*principal*/, @@ -390,7 +414,7 @@ krb5_build_principal_ext ( krb5_const_realm /*realm*/, ...); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_build_principal_va ( krb5_context /*context*/, krb5_principal */*principal*/, @@ -398,7 +422,7 @@ krb5_build_principal_va ( krb5_const_realm /*realm*/, va_list /*ap*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_build_principal_va_ext ( krb5_context /*context*/, krb5_principal */*principal*/, 
@@ -406,43 +430,149 @@ krb5_build_principal_va_ext ( krb5_const_realm /*realm*/, va_list /*ap*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_c_block_size ( + krb5_context /*context*/, + krb5_enctype /*enctype*/, + size_t */*blocksize*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_c_checksum_length ( + krb5_context /*context*/, + krb5_cksumtype /*cksumtype*/, + size_t */*length*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_c_decrypt ( + krb5_context /*context*/, + const krb5_keyblock /*key*/, + krb5_keyusage /*usage*/, + const krb5_data */*ivec*/, + krb5_enc_data */*input*/, + krb5_data */*output*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_c_encrypt ( + krb5_context /*context*/, + const krb5_keyblock */*key*/, + krb5_keyusage /*usage*/, + const krb5_data */*ivec*/, + const krb5_data */*input*/, + krb5_enc_data */*output*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_c_encrypt_length ( + krb5_context /*context*/, + krb5_enctype /*enctype*/, + size_t /*inputlen*/, + size_t */*length*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_c_enctype_compare ( + krb5_context /*context*/, + krb5_enctype /*e1*/, + krb5_enctype /*e2*/, + krb5_boolean */*similar*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_c_get_checksum ( + krb5_context /*context*/, + const krb5_checksum */*cksum*/, + krb5_cksumtype */*type*/, + krb5_data **/*data*/); + +krb5_boolean KRB5_LIB_FUNCTION +krb5_c_is_coll_proof_cksum (krb5_cksumtype /*ctype*/); + +krb5_boolean KRB5_LIB_FUNCTION +krb5_c_is_keyed_cksum (krb5_cksumtype /*ctype*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_c_make_checksum ( + krb5_context /*context*/, + krb5_cksumtype /*cksumtype*/, + const krb5_keyblock */*key*/, + krb5_keyusage /*usage*/, + const krb5_data */*input*/, + krb5_checksum */*cksum*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_c_make_random_key ( + krb5_context /*context*/, + krb5_enctype /*enctype*/, + krb5_keyblock */*random_key*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_c_set_checksum ( + 
krb5_context /*context*/, + krb5_checksum */*cksum*/, + krb5_cksumtype /*type*/, + const krb5_data */*data*/); + +krb5_boolean KRB5_LIB_FUNCTION +krb5_c_valid_cksumtype (krb5_cksumtype /*ctype*/); + +krb5_boolean KRB5_LIB_FUNCTION +krb5_c_valid_enctype (krb5_enctype /*etype*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_c_verify_checksum ( + krb5_context /*context*/, + const krb5_keyblock */*key*/, + krb5_keyusage /*usage*/, + const krb5_data */*data*/, + const krb5_checksum */*cksum*/, + krb5_boolean */*valid*/); + +void KRB5_LIB_FUNCTION +krb5_cc_clear_mcred (krb5_creds */*mcred*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_close ( krb5_context /*context*/, krb5_ccache /*id*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_copy_cache ( krb5_context /*context*/, const krb5_ccache /*from*/, krb5_ccache /*to*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_cc_copy_cache_match ( + krb5_context /*context*/, + const krb5_ccache /*from*/, + krb5_ccache /*to*/, + krb5_flags /*whichfields*/, + const krb5_creds * /*mcreds*/, + unsigned int */*matched*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_default ( krb5_context /*context*/, krb5_ccache */*id*/); -const char* +const char* KRB5_LIB_FUNCTION krb5_cc_default_name (krb5_context /*context*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_destroy ( krb5_context /*context*/, krb5_ccache /*id*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_end_seq_get ( krb5_context /*context*/, const krb5_ccache /*id*/, krb5_cc_cursor */*cursor*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_gen_new ( krb5_context /*context*/, const krb5_cc_ops */*ops*/, krb5_ccache */*id*/); -const char* +const char* KRB5_LIB_FUNCTION krb5_cc_get_name ( krb5_context /*context*/, krb5_ccache /*id*/); 
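Review bot: `krb5_c_decrypt` is declared with `const krb5_keyblock /*key*/`, i.e. the keyblock passed by value, while its sibling `krb5_c_encrypt` a few lines below in the same hunk takes `const krb5_keyblock */*key*/`; this looks like a dropped `*`. If the definition takes a pointer, callers of this MIT-compatible entry point get a type mismatch, and if it really is by value, a copy of the key material is pushed onto the stack on every call, which is the opposite of what the rest of the crypto API in this hunk does. The parameter should read `const krb5_keyblock */*key*/`. The commented-out parameter names suggest this header is generated from the .c sources; if so, the fix belongs in the definition of krb5_c_decrypt, with the header regenerated afterwards.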
@@ -452,55 +582,76 @@ krb5_cc_get_ops ( krb5_context /*context*/, krb5_ccache /*id*/); -krb5_error_code +const krb5_cc_ops * +krb5_cc_get_prefix_ops ( + krb5_context /*context*/, + const char */*prefix*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_get_principal ( krb5_context /*context*/, krb5_ccache /*id*/, krb5_principal */*principal*/); -const char* +const char* KRB5_LIB_FUNCTION krb5_cc_get_type ( krb5_context /*context*/, krb5_ccache /*id*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_get_version ( krb5_context /*context*/, const krb5_ccache /*id*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_initialize ( krb5_context /*context*/, krb5_ccache /*id*/, krb5_principal /*primary_principal*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_cc_new_unique ( + krb5_context /*context*/, + const char */*type*/, + const char */*hint*/, + krb5_ccache */*id*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_next_cred ( krb5_context /*context*/, const krb5_ccache /*id*/, krb5_cc_cursor */*cursor*/, krb5_creds */*creds*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_cc_next_cred_match ( + krb5_context /*context*/, + const krb5_ccache /*id*/, + krb5_cc_cursor * /*cursor*/, + krb5_creds * /*creds*/, + krb5_flags /*whichfields*/, + const krb5_creds * /*mcreds*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_register ( krb5_context /*context*/, const krb5_cc_ops */*ops*/, krb5_boolean /*override*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_remove_cred ( krb5_context /*context*/, krb5_ccache /*id*/, krb5_flags /*which*/, krb5_creds */*cred*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_resolve ( krb5_context /*context*/, const char */*name*/, krb5_ccache */*id*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_retrieve_cred ( krb5_context /*context*/, krb5_ccache /*id*/, 
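Review bot: `krb5_cc_get_prefix_ops` is the only new prototype in this hunk declared without `KRB5_LIB_FUNCTION` (`const krb5_cc_ops * krb5_cc_get_prefix_ops (`), while every neighbouring declaration, including the `krb5_cc_get_ops` it sits under, carries it. If the macro controls symbol visibility or export on some build, which is what the rest of this commit's blanket addition suggests, the function will be declared but unreachable for library users there. The return-type line should follow the pattern used for `const char* KRB5_LIB_FUNCTION` elsewhere in the hunk: `const krb5_cc_ops * KRB5_LIB_FUNCTION`.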
@@ -508,30 +659,30 @@ krb5_cc_retrieve_cred ( const krb5_creds */*mcreds*/, krb5_creds */*creds*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_set_default_name ( krb5_context /*context*/, const char */*name*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_set_flags ( krb5_context /*context*/, krb5_ccache /*id*/, krb5_flags /*flags*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_start_seq_get ( krb5_context /*context*/, const krb5_ccache /*id*/, krb5_cc_cursor */*cursor*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_cc_store_cred ( krb5_context /*context*/, krb5_ccache /*id*/, krb5_creds */*creds*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_change_password ( krb5_context /*context*/, krb5_creds */*creds*/, @@ -540,7 +691,7 @@ krb5_change_password ( krb5_data */*result_code_string*/, krb5_data */*result_string*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_check_transited ( krb5_context /*context*/, krb5_const_realm /*client_realm*/, 
@@ -549,50 +700,65 @@ krb5_check_transited ( int /*num_realms*/, int */*bad_realm*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_check_transited_realms ( krb5_context /*context*/, const char *const */*realms*/, int /*num_realms*/, int */*bad_realm*/); -krb5_boolean +krb5_error_code KRB5_LIB_FUNCTION +krb5_checksum_disable ( + krb5_context /*context*/, + krb5_cksumtype /*type*/); + +void KRB5_LIB_FUNCTION +krb5_checksum_free ( + krb5_context /*context*/, + krb5_checksum */*cksum*/); + +krb5_boolean KRB5_LIB_FUNCTION krb5_checksum_is_collision_proof ( krb5_context /*context*/, krb5_cksumtype /*type*/); -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_checksum_is_keyed ( krb5_context /*context*/, krb5_cksumtype /*type*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_checksumsize ( krb5_context /*context*/, krb5_cksumtype /*type*/, size_t */*size*/); -void +krb5_error_code KRB5_LIB_FUNCTION +krb5_cksumtype_valid ( + krb5_context /*context*/, + krb5_cksumtype /*ctype*/); + +void KRB5_LIB_FUNCTION krb5_clear_error_string (krb5_context /*context*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_closelog ( krb5_context /*context*/, krb5_log_facility */*fac*/); -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_compare_creds ( krb5_context /*context*/, krb5_flags /*whichfields*/, - const krb5_creds */*mcreds*/, - const krb5_creds */*creds*/); + const krb5_creds * /*mcreds*/, + const krb5_creds * /*creds*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_config_file_free ( krb5_context /*context*/, krb5_config_section */*s*/); -void +void KRB5_LIB_FUNCTION krb5_config_free_strings (char **/*strings*/); const void * 
@@ -602,26 +768,26 @@ krb5_config_get ( int /*type*/, ...); -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_config_get_bool ( krb5_context /*context*/, const krb5_config_section */*c*/, ...); -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_config_get_bool_default ( krb5_context /*context*/, const krb5_config_section */*c*/, krb5_boolean /*def_value*/, ...); -int +int KRB5_LIB_FUNCTION krb5_config_get_int ( krb5_context /*context*/, const krb5_config_section */*c*/, ...); -int +int KRB5_LIB_FUNCTION krb5_config_get_int_default ( krb5_context /*context*/, const krb5_config_section */*c*/, @@ -642,13 +808,13 @@ krb5_config_get_next ( int /*type*/, ...); -const char * +const char* KRB5_LIB_FUNCTION krb5_config_get_string ( krb5_context /*context*/, const krb5_config_section */*c*/, ...); -const char * +const char* KRB5_LIB_FUNCTION krb5_config_get_string_default ( krb5_context /*context*/, const krb5_config_section */*c*/, @@ -661,31 +827,37 @@ krb5_config_get_strings ( const krb5_config_section */*c*/, ...); -int +int KRB5_LIB_FUNCTION krb5_config_get_time ( krb5_context /*context*/, const krb5_config_section */*c*/, ...); -int +int KRB5_LIB_FUNCTION krb5_config_get_time_default ( krb5_context /*context*/, const krb5_config_section */*c*/, int /*def_value*/, ...); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_config_parse_file ( krb5_context /*context*/, const char */*fname*/, krb5_config_section **/*res*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_config_parse_file_multi ( krb5_context /*context*/, const char */*fname*/, krb5_config_section **/*res*/); +krb5_error_code KRB5_LIB_FUNCTION +krb5_config_parse_string_multi ( + krb5_context /*context*/, + const char */*string*/, + krb5_config_section **/*res*/); + const void * krb5_config_vget ( krb5_context /*context*/, 
@@ -693,26 +865,26 @@ krb5_config_vget ( int /*type*/, va_list /*args*/); -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_config_vget_bool ( krb5_context /*context*/, const krb5_config_section */*c*/, va_list /*args*/); -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_config_vget_bool_default ( krb5_context /*context*/, const krb5_config_section */*c*/, krb5_boolean /*def_value*/, va_list /*args*/); -int +int KRB5_LIB_FUNCTION krb5_config_vget_int ( krb5_context /*context*/, const krb5_config_section */*c*/, va_list /*args*/); -int +int KRB5_LIB_FUNCTION krb5_config_vget_int_default ( krb5_context /*context*/, const krb5_config_section */*c*/, 
@@ -733,99 +905,105 @@ krb5_config_vget_next ( int /*type*/, va_list /*args*/); -const char * +const char* KRB5_LIB_FUNCTION krb5_config_vget_string ( krb5_context /*context*/, const krb5_config_section */*c*/, va_list /*args*/); -const char * +const char* KRB5_LIB_FUNCTION krb5_config_vget_string_default ( krb5_context /*context*/, const krb5_config_section */*c*/, const char */*def_value*/, va_list /*args*/); -char ** +char ** KRB5_LIB_FUNCTION krb5_config_vget_strings ( krb5_context /*context*/, const krb5_config_section */*c*/, va_list /*args*/); -int +int KRB5_LIB_FUNCTION krb5_config_vget_time ( krb5_context /*context*/, const krb5_config_section */*c*/, va_list /*args*/); -int +int KRB5_LIB_FUNCTION krb5_config_vget_time_default ( krb5_context /*context*/, const krb5_config_section */*c*/, int /*def_value*/, va_list /*args*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_copy_address ( krb5_context /*context*/, const krb5_address */*inaddr*/, krb5_address */*outaddr*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_copy_addresses ( krb5_context /*context*/, const krb5_addresses */*inaddr*/, krb5_addresses */*outaddr*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_copy_checksum ( + krb5_context /*context*/, + const krb5_checksum */*old*/, + krb5_checksum **/*new*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_copy_creds ( krb5_context /*context*/, const krb5_creds */*incred*/, krb5_creds **/*outcred*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_copy_creds_contents ( krb5_context /*context*/, const krb5_creds */*incred*/, krb5_creds */*c*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_copy_data ( krb5_context /*context*/, const krb5_data */*indata*/, krb5_data **/*outdata*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_copy_host_realm ( krb5_context /*context*/, const krb5_realm */*from*/, krb5_realm **/*to*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_copy_keyblock ( 
krb5_context /*context*/, const krb5_keyblock */*inblock*/, krb5_keyblock **/*to*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_copy_keyblock_contents ( krb5_context /*context*/, const krb5_keyblock */*inblock*/, krb5_keyblock */*to*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_copy_principal ( krb5_context /*context*/, krb5_const_principal /*inprinc*/, krb5_principal */*outprinc*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_copy_ticket ( krb5_context /*context*/, const krb5_ticket */*from*/, krb5_ticket **/*to*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_create_checksum ( krb5_context /*context*/, krb5_crypto /*crypto*/, 
@@ -835,47 +1013,85 @@ krb5_create_checksum ( size_t /*len*/, Checksum */*result*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_crypto_destroy ( krb5_context /*context*/, krb5_crypto /*crypto*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_crypto_get_checksum_type ( + krb5_context /*context*/, + krb5_crypto /*crypto*/, + krb5_cksumtype */*type*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_crypto_get_params ( + krb5_context /*context*/, + const krb5_crypto /*crypto*/, + const krb5_data */*params*/, + krb5_data */*ivec*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_crypto_getblocksize ( krb5_context /*context*/, krb5_crypto /*crypto*/, size_t */*blocksize*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_crypto_getconfoundersize ( + krb5_context /*context*/, + krb5_crypto /*crypto*/, + size_t */*confoundersize*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_crypto_getenctype ( + krb5_context /*context*/, + krb5_crypto /*crypto*/, + krb5_enctype */*enctype*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_crypto_getpadsize ( + krb5_context /*context*/, + krb5_crypto /*crypto*/, + size_t */*padsize*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_crypto_init ( krb5_context /*context*/, const krb5_keyblock */*key*/, krb5_enctype /*etype*/, krb5_crypto */*crypto*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_crypto_set_params ( + krb5_context /*context*/, + const krb5_crypto /*crypto*/, + const krb5_data */*ivec*/, + krb5_data */*params*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_data_alloc ( krb5_data */*p*/, int /*len*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_data_copy ( krb5_data */*p*/, const void */*data*/, size_t /*len*/); -void +void KRB5_LIB_FUNCTION krb5_data_free (krb5_data */*p*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_data_realloc ( krb5_data */*p*/, int /*len*/); -void +void KRB5_LIB_FUNCTION krb5_data_zero (krb5_data */*p*/); -krb5_error_code +krb5_error_code 
KRB5_LIB_FUNCTION krb5_decode_Authenticator ( krb5_context /*context*/, const void */*data*/, @@ -883,7 +1099,7 @@ krb5_decode_Authenticator ( Authenticator */*t*/, size_t */*len*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_decode_ETYPE_INFO ( krb5_context /*context*/, const void */*data*/, @@ -891,7 +1107,15 @@ krb5_decode_ETYPE_INFO ( ETYPE_INFO */*t*/, size_t */*len*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_decode_ETYPE_INFO2 ( + krb5_context /*context*/, + const void */*data*/, + size_t /*length*/, + ETYPE_INFO2 */*t*/, + size_t */*len*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_decode_EncAPRepPart ( krb5_context /*context*/, const void */*data*/, @@ -899,7 +1123,7 @@ krb5_decode_EncAPRepPart ( EncAPRepPart */*t*/, size_t */*len*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_decode_EncASRepPart ( krb5_context /*context*/, const void */*data*/, @@ -907,7 +1131,7 @@ krb5_decode_EncASRepPart ( EncASRepPart */*t*/, size_t */*len*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_decode_EncKrbCredPart ( krb5_context /*context*/, const void */*data*/, @@ -915,7 +1139,7 @@ krb5_decode_EncKrbCredPart ( EncKrbCredPart */*t*/, size_t */*len*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_decode_EncTGSRepPart ( krb5_context /*context*/, const void */*data*/, @@ -923,7 +1147,7 @@ krb5_decode_EncTGSRepPart ( EncTGSRepPart */*t*/, size_t */*len*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_decode_EncTicketPart ( krb5_context /*context*/, const void */*data*/, @@ -931,13 +1155,13 @@ krb5_decode_EncTicketPart ( EncTicketPart */*t*/, size_t */*len*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_decode_ap_req ( krb5_context /*context*/, const krb5_data */*inbuf*/, krb5_ap_req */*ap_req*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_decrypt ( krb5_context /*context*/, krb5_crypto /*crypto*/, 
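Review bot: `krb5_data_alloc` and `krb5_data_realloc` keep a signed `int /*len*/` while `krb5_data_copy`, declared between them in the same hunk, takes `size_t /*len*/`; the commit re-touches every one of these lines but leaves the mismatch. A negative or overflowed `int` length reaching an allocator is a classic source of undersized buffers, and the signed/unsigned comparison against `size_t` callers makes the inconsistency easy to trip over. Whether changing the parameter type is acceptable depends on ABI compatibility on platforms where `int` and `size_t` differ, so at minimum the definitions should reject `len < 0` explicitly. The enclosing hunk continues past this line.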
@@ -946,7 +1170,7 @@ krb5_decrypt ( size_t /*len*/, krb5_data */*result*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_decrypt_EncryptedData ( krb5_context /*context*/, krb5_crypto /*crypto*/, @@ -954,7 +1178,7 @@ krb5_decrypt_EncryptedData ( const EncryptedData */*e*/, krb5_data */*result*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_decrypt_ivec ( krb5_context /*context*/, krb5_crypto /*crypto*/, @@ -964,7 +1188,7 @@ krb5_decrypt_ivec ( krb5_data */*result*/, void */*ivec*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_decrypt_ticket ( krb5_context /*context*/, Ticket */*ticket*/, @@ -972,7 +1196,7 @@ krb5_decrypt_ticket ( EncTicketPart */*out*/, krb5_flags /*flags*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_derive_key ( krb5_context /*context*/, const krb5_keyblock */*key*/, @@ -981,7 +1205,7 @@ krb5_derive_key ( size_t /*constant_len*/, krb5_keyblock **/*derived_key*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_domain_x500_decode ( krb5_context /*context*/, krb5_data /*tr*/, @@ -990,18 +1214,18 @@ krb5_domain_x500_decode ( const char */*client_realm*/, const char */*server_realm*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_domain_x500_encode ( char **/*realms*/, int /*num_realms*/, krb5_data */*encoding*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_eai_to_heim_errno ( int /*eai_errno*/, int /*system_error*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_encode_Authenticator ( krb5_context /*context*/, void */*data*/, @@ -1009,7 +1233,7 @@ krb5_encode_Authenticator ( Authenticator */*t*/, size_t */*len*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_encode_ETYPE_INFO ( krb5_context /*context*/, void */*data*/, 
@@ -1017,7 +1241,15 @@ krb5_encode_ETYPE_INFO ( ETYPE_INFO */*t*/, size_t */*len*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_encode_ETYPE_INFO2 ( + krb5_context /*context*/, + void */*data*/, + size_t /*length*/, + ETYPE_INFO2 */*t*/, + size_t */*len*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_encode_EncAPRepPart ( krb5_context /*context*/, void */*data*/, @@ -1025,7 +1257,7 @@ krb5_encode_EncAPRepPart ( EncAPRepPart */*t*/, size_t */*len*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_encode_EncASRepPart ( krb5_context /*context*/, void */*data*/, @@ -1033,7 +1265,7 @@ krb5_encode_EncASRepPart ( EncASRepPart */*t*/, size_t */*len*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_encode_EncKrbCredPart ( krb5_context /*context*/, void */*data*/, @@ -1041,7 +1273,7 @@ krb5_encode_EncKrbCredPart ( EncKrbCredPart */*t*/, size_t */*len*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_encode_EncTGSRepPart ( krb5_context /*context*/, void */*data*/, @@ -1049,7 +1281,7 @@ krb5_encode_EncTGSRepPart ( EncTGSRepPart */*t*/, size_t */*len*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_encode_EncTicketPart ( krb5_context /*context*/, void */*data*/, @@ -1057,7 +1289,7 @@ krb5_encode_EncTicketPart ( EncTicketPart */*t*/, size_t */*len*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_encrypt ( krb5_context /*context*/, krb5_crypto /*crypto*/, @@ -1066,7 +1298,7 @@ krb5_encrypt ( size_t /*len*/, krb5_data */*result*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_encrypt_EncryptedData ( krb5_context /*context*/, krb5_crypto /*crypto*/, @@ -1076,7 +1308,7 @@ krb5_encrypt_EncryptedData ( int /*kvno*/, EncryptedData */*result*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_encrypt_ivec ( krb5_context /*context*/, krb5_crypto /*crypto*/, 
@@ -1086,36 +1318,47 @@ krb5_encrypt_ivec ( krb5_data */*result*/, void */*ivec*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_enctype_disable ( + krb5_context /*context*/, + krb5_enctype /*enctype*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_enctype_keysize ( krb5_context /*context*/, krb5_enctype /*type*/, size_t */*keysize*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_enctype_to_keytype ( krb5_context /*context*/, krb5_enctype /*etype*/, krb5_keytype */*keytype*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_enctype_to_oid ( + krb5_context /*context*/, + krb5_enctype /*etype*/, + heim_oid */*oid*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_enctype_to_string ( krb5_context /*context*/, krb5_enctype /*etype*/, char **/*string*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_enctype_valid ( krb5_context /*context*/, krb5_enctype /*etype*/); -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_enctypes_compatible_keys ( krb5_context /*context*/, krb5_enctype /*etype1*/, krb5_enctype /*etype2*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_err ( krb5_context /*context*/, int /*eval*/, @@ -1124,13 +1367,13 @@ krb5_err ( ...) __attribute__ ((noreturn, format (printf, 4, 5))); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_error_from_rd_error ( krb5_context /*context*/, const krb5_error */*error*/, const krb5_creds */*creds*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_errx ( krb5_context /*context*/, int /*eval*/, @@ -1138,13 +1381,13 @@ krb5_errx ( ...) __attribute__ ((noreturn, format (printf, 3, 4))); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_expand_hostname ( krb5_context /*context*/, const char */*orig_hostname*/, char **/*new_hostname*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_expand_hostname_realms ( krb5_context /*context*/, const char */*orig_hostname*/, 
@@ -1158,7 +1401,7 @@ krb5_find_padata ( int /*type*/, int */*index*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_format_time ( krb5_context /*context*/, time_t /*t*/, 
@@ -1166,113 +1409,123 @@ krb5_format_time ( size_t /*len*/, krb5_boolean /*include_time*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_free_address ( krb5_context /*context*/, krb5_address */*address*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_free_addresses ( krb5_context /*context*/, krb5_addresses */*addresses*/); -void +void KRB5_LIB_FUNCTION krb5_free_ap_rep_enc_part ( krb5_context /*context*/, krb5_ap_rep_enc_part */*val*/); -void +void KRB5_LIB_FUNCTION krb5_free_authenticator ( krb5_context /*context*/, krb5_authenticator */*authenticator*/); -void +void KRB5_LIB_FUNCTION +krb5_free_checksum ( + krb5_context /*context*/, + krb5_checksum */*cksum*/); + +void KRB5_LIB_FUNCTION +krb5_free_checksum_contents ( + krb5_context /*context*/, + krb5_checksum */*cksum*/); + +void KRB5_LIB_FUNCTION krb5_free_config_files (char **/*filenames*/); -void +void KRB5_LIB_FUNCTION krb5_free_context (krb5_context /*context*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_free_cred_contents ( krb5_context /*context*/, krb5_creds */*c*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_free_creds ( krb5_context /*context*/, krb5_creds */*c*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_free_creds_contents ( krb5_context /*context*/, krb5_creds */*c*/); -void +void KRB5_LIB_FUNCTION krb5_free_data ( krb5_context /*context*/, krb5_data */*p*/); -void +void KRB5_LIB_FUNCTION krb5_free_data_contents ( krb5_context /*context*/, krb5_data */*data*/); -void +void KRB5_LIB_FUNCTION krb5_free_error ( krb5_context /*context*/, krb5_error */*error*/); -void +void KRB5_LIB_FUNCTION krb5_free_error_contents ( krb5_context /*context*/, krb5_error */*error*/); -void +void KRB5_LIB_FUNCTION krb5_free_error_string ( krb5_context /*context*/, char */*str*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_free_host_realm ( krb5_context /*context*/, krb5_realm */*realmlist*/); -krb5_error_code +krb5_error_code 
KRB5_LIB_FUNCTION krb5_free_kdc_rep ( krb5_context /*context*/, krb5_kdc_rep */*rep*/); -void +void KRB5_LIB_FUNCTION krb5_free_keyblock ( krb5_context /*context*/, krb5_keyblock */*keyblock*/); -void +void KRB5_LIB_FUNCTION krb5_free_keyblock_contents ( krb5_context /*context*/, krb5_keyblock */*keyblock*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_free_krbhst ( krb5_context /*context*/, char **/*hostlist*/); -void +void KRB5_LIB_FUNCTION krb5_free_principal ( krb5_context /*context*/, krb5_principal /*p*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_free_salt ( krb5_context /*context*/, krb5_salt /*salt*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_free_ticket ( krb5_context /*context*/, krb5_ticket */*ticket*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_fwd_tgt_creds ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, 
@@ -1283,40 +1536,47 @@ krb5_fwd_tgt_creds ( int /*forwardable*/, krb5_data */*out_data*/); -void +void KRB5_LIB_FUNCTION krb5_generate_random_block ( void */*buf*/, size_t /*len*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_generate_random_keyblock ( krb5_context /*context*/, krb5_enctype /*type*/, krb5_keyblock */*key*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_generate_seq_number ( krb5_context /*context*/, const krb5_keyblock */*key*/, u_int32_t */*seqno*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_generate_subkey ( krb5_context /*context*/, const krb5_keyblock */*key*/, krb5_keyblock **/*subkey*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_generate_subkey_extended ( + krb5_context /*context*/, + const krb5_keyblock */*key*/, + krb5_enctype /*etype*/, + krb5_keyblock **/*subkey*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_get_all_client_addrs ( krb5_context /*context*/, krb5_addresses */*res*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_all_server_addrs ( krb5_context /*context*/, krb5_addresses */*res*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_cred_from_kdc ( krb5_context /*context*/, krb5_ccache /*ccache*/, @@ -1324,7 +1584,7 @@ krb5_get_cred_from_kdc ( krb5_creds **/*out_creds*/, krb5_creds ***/*ret_tgts*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_cred_from_kdc_opt ( krb5_context /*context*/, krb5_ccache /*ccache*/, @@ -1333,7 +1593,7 @@ krb5_get_cred_from_kdc_opt ( krb5_creds ***/*ret_tgts*/, krb5_flags /*flags*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_credentials ( krb5_context /*context*/, krb5_flags /*options*/, @@ -1341,7 +1601,7 @@ krb5_get_credentials ( krb5_creds */*in_creds*/, krb5_creds **/*out_creds*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_credentials_with_flags ( krb5_context /*context*/, krb5_flags /*options*/, 
@@ -1350,48 +1610,48 @@ krb5_get_credentials_with_flags ( krb5_creds */*in_creds*/, krb5_creds **/*out_creds*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_default_config_files (char ***/*pfilenames*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_default_in_tkt_etypes ( krb5_context /*context*/, krb5_enctype **/*etypes*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_default_principal ( krb5_context /*context*/, krb5_principal */*princ*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_default_realm ( krb5_context /*context*/, krb5_realm */*realm*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_default_realms ( krb5_context /*context*/, krb5_realm **/*realms*/); -const char * +const char* KRB5_LIB_FUNCTION krb5_get_err_text ( krb5_context /*context*/, krb5_error_code /*code*/); -char* +char * KRB5_LIB_FUNCTION krb5_get_error_string (krb5_context /*context*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_extra_addresses ( krb5_context /*context*/, krb5_addresses */*addresses*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_fcache_version ( krb5_context /*context*/, int */*version*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_forwarded_creds ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, 
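Review bot: The pointer-declarator spacing is inconsistent within this hunk: `krb5_get_err_text` becomes `const char* KRB5_LIB_FUNCTION` while `krb5_get_error_string` two prototypes later becomes `char * KRB5_LIB_FUNCTION`, and elsewhere in the patch the spaced form `krb5_storage * KRB5_LIB_FUNCTION` is used. Pick one form; `const char * KRB5_LIB_FUNCTION` matches the `krb5_storage *` declarations. If this header is generated from the definitions, normalise the spacing in the generator or the definitions rather than here.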
@@ -1401,25 +1661,18 @@ krb5_get_forwarded_creds ( krb5_creds */*in_creds*/, krb5_data */*out_data*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_host_realm ( krb5_context /*context*/, const char */*host*/, krb5_realm **/*realms*/); -krb5_error_code -krb5_get_host_realm_int ( - krb5_context /*context*/, - const char */*host*/, - krb5_boolean /*use_dns*/, - krb5_realm **/*realms*/); - -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_ignore_addresses ( krb5_context /*context*/, krb5_addresses */*addresses*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_in_cred ( krb5_context /*context*/, krb5_flags /*options*/, @@ -1434,7 +1687,7 @@ krb5_get_in_cred ( krb5_creds */*creds*/, krb5_kdc_rep */*ret_as_reply*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_in_tkt ( krb5_context /*context*/, krb5_flags /*options*/, @@ -1449,7 +1702,7 @@ krb5_get_in_tkt ( krb5_ccache /*ccache*/, krb5_kdc_rep */*ret_as_reply*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_in_tkt_with_keytab ( krb5_context /*context*/, krb5_flags /*options*/, @@ -1461,7 +1714,7 @@ krb5_get_in_tkt_with_keytab ( krb5_creds */*creds*/, krb5_kdc_rep */*ret_as_reply*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_in_tkt_with_password ( krb5_context /*context*/, krb5_flags /*options*/, @@ -1473,7 +1726,7 @@ krb5_get_in_tkt_with_password ( krb5_creds */*creds*/, krb5_kdc_rep */*ret_as_reply*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_in_tkt_with_skey ( krb5_context /*context*/, krb5_flags /*options*/, 
@@ -1485,7 +1738,28 @@ krb5_get_in_tkt_with_skey ( krb5_creds */*creds*/, krb5_kdc_rep */*ret_as_reply*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_get_init_creds ( + krb5_context /*context*/, + krb5_creds */*creds*/, + krb5_principal /*client*/, + krb5_prompter_fct /*prompter*/, + void */*data*/, + krb5_deltat /*start_time*/, + const char */*in_tkt_service*/, + krb5_get_init_creds_opt */*options*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_get_init_creds_keyblock ( + krb5_context /*context*/, + krb5_creds */*creds*/, + krb5_principal /*client*/, + krb5_keyblock */*keyblock*/, + krb5_deltat /*start_time*/, + const char */*in_tkt_service*/, + krb5_get_init_creds_opt */*options*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_get_init_creds_keytab ( krb5_context /*context*/, krb5_creds */*creds*/, 
@@ -1495,64 +1769,97 @@ krb5_get_init_creds_keytab ( const char */*in_tkt_service*/, krb5_get_init_creds_opt */*options*/); -void +krb5_error_code KRB5_LIB_FUNCTION +krb5_get_init_creds_opt_alloc ( + krb5_context /*context*/, + krb5_get_init_creds_opt **/*opt*/); + +void KRB5_LIB_FUNCTION +krb5_get_init_creds_opt_free (krb5_get_init_creds_opt */*opt*/); + +void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_init (krb5_get_init_creds_opt */*opt*/); -void +void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_set_address_list ( krb5_get_init_creds_opt */*opt*/, krb5_addresses */*addresses*/); -void +void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_set_anonymous ( krb5_get_init_creds_opt */*opt*/, int /*anonymous*/); -void +void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_set_default_flags ( krb5_context /*context*/, const char */*appname*/, krb5_const_realm /*realm*/, krb5_get_init_creds_opt */*opt*/); -void +void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_set_etype_list ( krb5_get_init_creds_opt */*opt*/, krb5_enctype */*etype_list*/, int /*etype_list_length*/); -void +void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_set_forwardable ( krb5_get_init_creds_opt */*opt*/, int /*forwardable*/); -void +krb5_error_code KRB5_LIB_FUNCTION +krb5_get_init_creds_opt_set_pa_password ( + krb5_context /*context*/, + krb5_get_init_creds_opt */*opt*/, + const char */*password*/, + krb5_s2k_proc /*key_proc*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_get_init_creds_opt_set_pac_request ( + krb5_context /*context*/, + krb5_get_init_creds_opt */*opt*/, + krb5_boolean /*req_pac*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_get_init_creds_opt_set_pkinit ( + krb5_context /*context*/, + krb5_get_init_creds_opt */*opt*/, + krb5_principal /*principal*/, + const char */*user_id*/, + const char */*x509_anchors*/, + int /*flags*/, + krb5_prompter_fct /*prompter*/, + void */*prompter_data*/, + char */*password*/); + +void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_set_preauth_list ( krb5_get_init_creds_opt 
*/*opt*/, krb5_preauthtype */*preauth_list*/, int /*preauth_list_length*/); -void +void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_set_proxiable ( krb5_get_init_creds_opt */*opt*/, int /*proxiable*/); -void +void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_set_renew_life ( krb5_get_init_creds_opt */*opt*/, krb5_deltat /*renew_life*/); -void +void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_set_salt ( krb5_get_init_creds_opt */*opt*/, krb5_data */*salt*/); -void +void KRB5_LIB_FUNCTION krb5_get_init_creds_opt_set_tkt_life ( krb5_get_init_creds_opt */*opt*/, krb5_deltat /*tkt_life*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_init_creds_password ( krb5_context /*context*/, krb5_creds */*creds*/, @@ -1562,9 +1869,9 @@ krb5_get_init_creds_password ( void */*data*/, krb5_deltat /*start_time*/, const char */*in_tkt_service*/, - krb5_get_init_creds_opt */*options*/); + krb5_get_init_creds_opt */*in_options*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_kdc_cred ( krb5_context /*context*/, krb5_ccache /*id*/, 
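Review bot: `krb5_get_init_creds_opt_set_pkinit` takes `char */*password*/` while `krb5_get_init_creds_opt_set_pa_password` in the same hunk takes `const char */*password*/`. If the pkinit variant only reads the password, declare it `const char */*password*/` so callers can pass read-only storage. If it is deliberately non-const because the implementation writes to the buffer (for example to wipe the secret after use), the definition should say so, since callers must then supply writable storage they do not reuse. Either way the prototype alone does not tell a caller whether the option object keeps a pointer to the password or copies it, and that lifetime rule belongs in a comment on the definition.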
@@ -1574,43 +1881,43 @@ krb5_get_kdc_cred ( krb5_creds */*in_creds*/, krb5_creds **out_creds ); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_krb524hst ( krb5_context /*context*/, const krb5_realm */*realm*/, char ***/*hostlist*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_krb_admin_hst ( krb5_context /*context*/, const krb5_realm */*realm*/, char ***/*hostlist*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_krb_changepw_hst ( krb5_context /*context*/, const krb5_realm */*realm*/, char ***/*hostlist*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_krbhst ( krb5_context /*context*/, const krb5_realm */*realm*/, char ***/*hostlist*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_pw_salt ( krb5_context /*context*/, krb5_const_principal /*principal*/, krb5_salt */*salt*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_server_rcache ( krb5_context /*context*/, const krb5_data */*piece*/, krb5_rcache */*id*/); -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_get_use_admin_kdc (krb5_context /*context*/); size_t @@ -1619,21 +1926,21 @@ krb5_get_wrapped_length ( krb5_crypto /*crypto*/, size_t /*data_len*/); -int +int KRB5_LIB_FUNCTION krb5_getportbyname ( krb5_context /*context*/, const char */*service*/, const char */*proto*/, int /*default_port*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_h_addr2addr ( krb5_context /*context*/, int /*af*/, const char */*haddr*/, krb5_address */*addr*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_h_addr2sockaddr ( krb5_context /*context*/, int /*af*/, 
@@ -1642,13 +1949,13 @@ krb5_h_addr2sockaddr ( krb5_socklen_t */*sa_size*/, int /*port*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_h_errno_to_heim_errno (int /*eai_errno*/); -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_have_error_string (krb5_context /*context*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_hmac ( krb5_context /*context*/, krb5_cksumtype /*cktype*/, @@ -1658,26 +1965,40 @@ krb5_hmac ( krb5_keyblock */*key*/, Checksum */*result*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_init_context (krb5_context */*context*/); -void +void KRB5_LIB_FUNCTION krb5_init_ets (krb5_context /*context*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_init_etype ( krb5_context /*context*/, unsigned */*len*/, krb5_enctype **/*val*/, const krb5_enctype */*etypes*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_initlog ( krb5_context /*context*/, const char */*program*/, krb5_log_facility **/*fac*/); -krb5_error_code +krb5_boolean KRB5_LIB_FUNCTION +krb5_is_thread_safe (void); + +krb5_enctype +krb5_keyblock_get_enctype (const krb5_keyblock */*block*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_keyblock_init ( + krb5_context /*context*/, + krb5_enctype /*type*/, + const void */*data*/, + size_t /*size*/, + krb5_keyblock */*key*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_keyblock_key_proc ( krb5_context /*context*/, krb5_keytype /*type*/, @@ -1685,7 +2006,10 @@ krb5_keyblock_key_proc ( krb5_const_pointer /*keyseed*/, krb5_keyblock **/*key*/); -krb5_error_code +void KRB5_LIB_FUNCTION +krb5_keyblock_zero (krb5_keyblock */*keyblock*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_keytab_key_proc ( krb5_context /*context*/, krb5_enctype /*enctype*/, 
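Review bot: `krb5_keyblock_get_enctype` is the only new prototype in this hunk without the `KRB5_LIB_FUNCTION` marker, so if that macro controls symbol export, as its name suggests, this function may be left unexported while its siblings `krb5_keyblock_init` and `krb5_is_thread_safe` are. Change it to `krb5_enctype KRB5_LIB_FUNCTION` / `krb5_keyblock_get_enctype (const krb5_keyblock */*block*/);`. If this header is generated from the definitions, the marker is missing on the definition and should be added there.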
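Review bot: `krb5_keyblock_zero` returns void and takes only the keyblock, so the prototype gives no contract about what state the keyblock is left in, and its name suggests it touches key material. The definition should document whether the key bytes are overwritten in a way the compiler cannot drop as a dead store before the storage is released, and whether the keyblock may afterwards be passed to `krb5_free_keyblock_contents`; a line such as `/* NOTE(review): confirm key bytes are overwritten, not just the length reset */` marks what to verify. The definition is not visible from this hunk, so this is a request to check rather than a confirmed defect.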
@@ -1693,81 +2017,89 @@ krb5_keytab_key_proc ( krb5_const_pointer /*keyseed*/, krb5_keyblock **/*key*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_keytype_to_enctypes ( krb5_context /*context*/, krb5_keytype /*keytype*/, unsigned */*len*/, krb5_enctype **/*val*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_keytype_to_enctypes_default ( krb5_context /*context*/, krb5_keytype /*keytype*/, unsigned */*len*/, krb5_enctype **/*val*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_keytype_to_string ( krb5_context /*context*/, krb5_keytype /*keytype*/, char **/*string*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_krbhst_format_string ( krb5_context /*context*/, const krb5_krbhst_info */*host*/, char */*hostname*/, size_t /*hostlen*/); -void +void KRB5_LIB_FUNCTION krb5_krbhst_free ( krb5_context /*context*/, krb5_krbhst_handle /*handle*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_krbhst_get_addrinfo ( krb5_context /*context*/, krb5_krbhst_info */*host*/, struct addrinfo **/*ai*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_krbhst_init ( krb5_context /*context*/, const char */*realm*/, unsigned int /*type*/, krb5_krbhst_handle */*handle*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_krbhst_init_flags ( + krb5_context /*context*/, + const char */*realm*/, + unsigned int /*type*/, + int /*flags*/, + krb5_krbhst_handle */*handle*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_krbhst_next ( krb5_context /*context*/, krb5_krbhst_handle /*handle*/, krb5_krbhst_info **/*host*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_krbhst_next_as_string ( krb5_context /*context*/, krb5_krbhst_handle /*handle*/, char */*hostname*/, size_t /*hostlen*/); -void +void KRB5_LIB_FUNCTION krb5_krbhst_reset ( krb5_context /*context*/, krb5_krbhst_handle /*handle*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_add_entry ( krb5_context /*context*/, krb5_keytab /*id*/, 
krb5_keytab_entry */*entry*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_close ( krb5_context /*context*/, krb5_keytab /*id*/); -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_kt_compare ( krb5_context /*context*/, krb5_keytab_entry */*entry*/, @@ -1775,41 +2107,41 @@ krb5_kt_compare ( krb5_kvno /*vno*/, krb5_enctype /*enctype*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_copy_entry_contents ( krb5_context /*context*/, const krb5_keytab_entry */*in*/, krb5_keytab_entry */*out*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_default ( krb5_context /*context*/, krb5_keytab */*id*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_default_modify_name ( krb5_context /*context*/, char */*name*/, size_t /*namesize*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_default_name ( krb5_context /*context*/, char */*name*/, size_t /*namesize*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_end_seq_get ( krb5_context /*context*/, krb5_keytab /*id*/, krb5_kt_cursor */*cursor*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_free_entry ( krb5_context /*context*/, krb5_keytab_entry */*entry*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_get_entry ( krb5_context /*context*/, krb5_keytab /*id*/, 
@@ -1818,28 +2150,28 @@ krb5_kt_get_entry ( krb5_enctype /*enctype*/, krb5_keytab_entry */*entry*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_get_name ( krb5_context /*context*/, krb5_keytab /*keytab*/, char */*name*/, size_t /*namesize*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_get_type ( krb5_context /*context*/, krb5_keytab /*keytab*/, char */*prefix*/, size_t /*prefixsize*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_next_entry ( krb5_context /*context*/, krb5_keytab /*id*/, krb5_keytab_entry */*entry*/, krb5_kt_cursor */*cursor*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_read_service_key ( krb5_context /*context*/, krb5_pointer /*keyprocarg*/, @@ -1848,36 +2180,36 @@ krb5_kt_read_service_key ( krb5_enctype /*enctype*/, krb5_keyblock **/*key*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_register ( krb5_context /*context*/, const krb5_kt_ops */*ops*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_remove_entry ( krb5_context /*context*/, krb5_keytab /*id*/, krb5_keytab_entry */*entry*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_resolve ( krb5_context /*context*/, const char */*name*/, krb5_keytab */*id*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_kt_start_seq_get ( krb5_context /*context*/, krb5_keytab /*id*/, krb5_kt_cursor */*cursor*/); -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_kuserok ( krb5_context /*context*/, krb5_principal /*principal*/, const char */*luser*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_log ( krb5_context /*context*/, krb5_log_facility */*fac*/, @@ -1886,7 +2218,7 @@ krb5_log ( ...) __attribute__((format (printf, 4, 5))); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_log_msg ( krb5_context /*context*/, krb5_log_facility */*fac*/, 
@@ -1896,24 +2228,24 @@ krb5_log_msg ( ...) __attribute__((format (printf, 5, 6))); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_make_addrport ( krb5_context /*context*/, krb5_address **/*res*/, const krb5_address */*addr*/, int16_t /*port*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_make_principal ( krb5_context /*context*/, krb5_principal */*principal*/, krb5_const_realm /*realm*/, ...); -size_t +size_t KRB5_LIB_FUNCTION krb5_max_sockaddr_size (void); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_mk_error ( krb5_context /*context*/, krb5_error_code /*error_code*/, @@ -1925,21 +2257,21 @@ krb5_mk_error ( int */*client_usec*/, krb5_data */*reply*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_mk_priv ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, const krb5_data */*userdata*/, krb5_data */*outbuf*/, - void */*outdata*/); + krb5_replay_data */*outdata*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_mk_rep ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, krb5_data */*outbuf*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_mk_req ( krb5_context /*context*/, krb5_auth_context */*auth_context*/, @@ -1950,7 +2282,7 @@ krb5_mk_req ( krb5_ccache /*ccache*/, krb5_data */*outbuf*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_mk_req_exact ( krb5_context /*context*/, krb5_auth_context */*auth_context*/, @@ -1960,7 +2292,7 @@ krb5_mk_req_exact ( krb5_ccache /*ccache*/, krb5_data */*outbuf*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_mk_req_extended ( krb5_context /*context*/, krb5_auth_context */*auth_context*/, 
@@ -1969,63 +2301,68 @@ krb5_mk_req_extended ( krb5_creds */*in_creds*/, krb5_data */*outbuf*/); -krb5_error_code -krb5_mk_req_internal ( - krb5_context /*context*/, - krb5_auth_context */*auth_context*/, - const krb5_flags /*ap_req_options*/, - krb5_data */*in_data*/, - krb5_creds */*in_creds*/, - krb5_data */*outbuf*/, - krb5_key_usage /*checksum_usage*/, - krb5_key_usage /*encrypt_usage*/); - -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_mk_safe ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, const krb5_data */*userdata*/, krb5_data */*outbuf*/, - void */*outdata*/); + krb5_replay_data */*outdata*/); -krb5_ssize_t +krb5_ssize_t KRB5_LIB_FUNCTION krb5_net_read ( krb5_context /*context*/, void */*p_fd*/, void */*buf*/, size_t /*len*/); -krb5_ssize_t +krb5_ssize_t KRB5_LIB_FUNCTION krb5_net_write ( krb5_context /*context*/, void */*p_fd*/, const void */*buf*/, size_t /*len*/); -krb5_error_code +krb5_ssize_t KRB5_LIB_FUNCTION +krb5_net_write_block ( + krb5_context /*context*/, + void */*p_fd*/, + const void */*buf*/, + size_t /*len*/, + time_t /*timeout*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_openlog ( krb5_context /*context*/, const char */*program*/, krb5_log_facility **/*fac*/); -krb5_error_code +int KRB5_LIB_FUNCTION +krb5_padata_add ( + krb5_context /*context*/, + METHOD_DATA */*md*/, + int /*type*/, + void */*buf*/, + size_t /*len*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_parse_address ( krb5_context /*context*/, const char */*string*/, krb5_addresses */*addresses*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_parse_name ( krb5_context /*context*/, const char */*name*/, krb5_principal */*principal*/); -const char* +const char* KRB5_LIB_FUNCTION krb5_passwd_result_to_string ( krb5_context /*context*/, int /*result*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_password_key_proc ( krb5_context /*context*/, krb5_enctype /*type*/, 
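Review bot: `krb5_padata_add` is declared to return `int` while the other new error-returning prototype in this hunk, and the surrounding API, return `krb5_error_code`, so callers cannot tell whether its result is a krb5 error code or a plain status. Unless the definition really returns something else, declare it `krb5_error_code KRB5_LIB_FUNCTION`. Its `void */*buf*/` parameter should also be `const void */*buf*/` if the data is only copied into the METHOD_DATA, which the (buf, len) pairing suggests but the prototype cannot confirm.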
@@ -2033,64 +2370,76 @@ krb5_password_key_proc ( krb5_const_pointer /*keyseed*/, krb5_keyblock **/*key*/); +krb5_error_code KRB5_LIB_FUNCTION +krb5_prepend_config_files ( + const char */*filelist*/, + char **/*pq*/, + char ***/*ret_pp*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_prepend_config_files_default ( + const char */*filelist*/, + char ***/*pfilenames*/); + krb5_realm* krb5_princ_realm ( krb5_context /*context*/, krb5_principal /*principal*/); -void +void KRB5_LIB_FUNCTION krb5_princ_set_realm ( krb5_context /*context*/, krb5_principal /*principal*/, krb5_realm */*realm*/); -krb5_error_code -krb5_principal2principalname ( - PrincipalName */*p*/, - const krb5_principal /*from*/); - -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_principal_compare ( krb5_context /*context*/, krb5_const_principal /*princ1*/, krb5_const_principal /*princ2*/); -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_principal_compare_any_realm ( krb5_context /*context*/, krb5_const_principal /*princ1*/, krb5_const_principal /*princ2*/); -const char * +const char* KRB5_LIB_FUNCTION krb5_principal_get_comp_string ( krb5_context /*context*/, krb5_principal /*principal*/, unsigned int /*component*/); -const char * +const char* KRB5_LIB_FUNCTION krb5_principal_get_realm ( krb5_context /*context*/, krb5_principal /*principal*/); -int +int KRB5_LIB_FUNCTION krb5_principal_get_type ( krb5_context /*context*/, krb5_principal /*principal*/); -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_principal_match ( krb5_context /*context*/, krb5_const_principal /*princ*/, krb5_const_principal /*pattern*/); -krb5_error_code +void KRB5_LIB_FUNCTION +krb5_principal_set_type ( + krb5_context /*context*/, + krb5_principal /*principal*/, + int /*type*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_print_address ( const krb5_address */*addr*/, char */*str*/, size_t /*len*/, size_t */*ret_len*/); -int +int KRB5_LIB_FUNCTION krb5_program_setup ( krb5_context */*context*/, int /*argc*/, 
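Review bot: `krb5_prepend_config_files` and `krb5_prepend_config_files_default` introduce a returned `char ***` list (`ret_pp`, `pfilenames`) without saying who owns it, and the parameter names `pq` and `ret_pp` give no hint either. Since `krb5_free_config_files (char **/*filenames*/)` exists in this patch, the definitions should state whether the returned list is to be released with it and whether the input `pq` array is consumed or left to the caller. Renaming the parameters to something like `/*in_files*/` and `/*ret_files*/` would help; if the header is generated, rename them in the definition.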
@@ -2099,7 +2448,7 @@ krb5_program_setup ( int /*num_args*/, void (*/*usage*/)(int, struct getargs*, int)); -int +int KRB5_LIB_FUNCTION krb5_prompter_posix ( krb5_context /*context*/, void */*data*/, 
@@ -2108,120 +2457,128 @@ krb5_prompter_posix ( int /*num_prompts*/, krb5_prompt prompts[]); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_random_to_key ( + krb5_context /*context*/, + krb5_enctype /*type*/, + const void */*data*/, + size_t /*size*/, + krb5_keyblock */*key*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_rc_close ( krb5_context /*context*/, krb5_rcache /*id*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rc_default ( krb5_context /*context*/, krb5_rcache */*id*/); -const char * +const char* KRB5_LIB_FUNCTION krb5_rc_default_name (krb5_context /*context*/); -const char * +const char* KRB5_LIB_FUNCTION krb5_rc_default_type (krb5_context /*context*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rc_destroy ( krb5_context /*context*/, krb5_rcache /*id*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rc_expunge ( krb5_context /*context*/, krb5_rcache /*id*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rc_get_lifespan ( krb5_context /*context*/, krb5_rcache /*id*/, krb5_deltat */*auth_lifespan*/); -const char* +const char* KRB5_LIB_FUNCTION krb5_rc_get_name ( krb5_context /*context*/, krb5_rcache /*id*/); -const char* +const char* KRB5_LIB_FUNCTION krb5_rc_get_type ( krb5_context /*context*/, krb5_rcache /*id*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rc_initialize ( krb5_context /*context*/, krb5_rcache /*id*/, krb5_deltat /*auth_lifespan*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rc_recover ( krb5_context /*context*/, krb5_rcache /*id*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rc_resolve ( krb5_context /*context*/, krb5_rcache /*id*/, const char */*name*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rc_resolve_full ( krb5_context /*context*/, krb5_rcache */*id*/, const char */*string_name*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rc_resolve_type ( krb5_context /*context*/, krb5_rcache */*id*/, const char 
*/*type*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rc_store ( krb5_context /*context*/, krb5_rcache /*id*/, krb5_donot_replay */*rep*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rd_cred ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, krb5_data */*in_data*/, krb5_creds ***/*ret_creds*/, - krb5_replay_data */*out_data*/); + krb5_replay_data */*outdata*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rd_cred2 ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, krb5_ccache /*ccache*/, krb5_data */*in_data*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rd_error ( krb5_context /*context*/, krb5_data */*msg*/, KRB_ERROR */*result*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rd_priv ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, const krb5_data */*inbuf*/, krb5_data */*outbuf*/, - void */*outdata*/); + krb5_replay_data */*outdata*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rd_rep ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, const krb5_data */*inbuf*/, krb5_ap_rep_enc_part **/*repl*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rd_req ( krb5_context /*context*/, krb5_auth_context */*auth_context*/, @@ -2231,7 +2588,7 @@ krb5_rd_req ( krb5_flags */*ap_req_options*/, krb5_ticket **/*ticket*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rd_req_with_keyblock ( krb5_context /*context*/, krb5_auth_context */*auth_context*/, 
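Review bot: `krb5_random_to_key` in this hunk has a parameter list identical to `krb5_keyblock_init` (context, enctype, `const void *data`, `size_t size`, `krb5_keyblock *key`), and nothing in either prototype explains how they differ. The distinction presumably matters for key handling, one deriving a key from random input for the enctype and the other wrapping already-formed key bytes, so each definition should carry a one-line comment stating what `data` must contain and what `size` is required. The semantics cannot be verified from the header, so treat this as a documentation request.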
@@ -2241,41 +2598,41 @@ krb5_rd_req_with_keyblock ( krb5_flags */*ap_req_options*/, krb5_ticket **/*ticket*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rd_safe ( krb5_context /*context*/, krb5_auth_context /*auth_context*/, const krb5_data */*inbuf*/, krb5_data */*outbuf*/, - void */*outdata*/); + krb5_replay_data */*outdata*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_read_message ( krb5_context /*context*/, krb5_pointer /*p_fd*/, krb5_data */*data*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_read_priv_message ( krb5_context /*context*/, krb5_auth_context /*ac*/, krb5_pointer /*p_fd*/, krb5_data */*data*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_read_safe_message ( krb5_context /*context*/, krb5_auth_context /*ac*/, krb5_pointer /*p_fd*/, krb5_data */*data*/); -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_realm_compare ( krb5_context /*context*/, krb5_const_principal /*princ1*/, krb5_const_principal /*princ2*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_recvauth ( krb5_context /*context*/, krb5_auth_context */*auth_context*/, @@ -2286,7 +2643,7 @@ krb5_recvauth ( krb5_keytab /*keytab*/, krb5_ticket **/*ticket*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_recvauth_match_version ( krb5_context /*context*/, krb5_auth_context */*auth_context*/, 
@@ -2298,79 +2655,84 @@ krb5_recvauth_match_version ( krb5_keytab /*keytab*/, krb5_ticket **/*ticket*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_ret_address ( krb5_storage */*sp*/, krb5_address */*adr*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_ret_addrs ( krb5_storage */*sp*/, krb5_addresses */*adr*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_ret_authdata ( krb5_storage */*sp*/, krb5_authdata */*auth*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_ret_creds ( krb5_storage */*sp*/, krb5_creds */*creds*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_ret_creds_tag ( + krb5_storage */*sp*/, + krb5_creds */*creds*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_ret_data ( krb5_storage */*sp*/, krb5_data */*data*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_ret_int16 ( krb5_storage */*sp*/, int16_t */*value*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_ret_int32 ( krb5_storage */*sp*/, int32_t */*value*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_ret_int8 ( krb5_storage */*sp*/, int8_t */*value*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_ret_keyblock ( krb5_storage */*sp*/, krb5_keyblock */*p*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_ret_principal ( krb5_storage */*sp*/, krb5_principal */*princ*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_ret_string ( krb5_storage */*sp*/, char **/*string*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_ret_stringz ( krb5_storage */*sp*/, char **/*string*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_ret_times ( krb5_storage */*sp*/, krb5_times */*times*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_salttype_to_string ( krb5_context /*context*/, krb5_enctype /*etype*/, krb5_salttype /*stype*/, char **/*string*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_sendauth ( krb5_context /*context*/, krb5_auth_context 
*/*auth_context*/, @@ -2386,66 +2748,66 @@ krb5_sendauth ( krb5_ap_rep_enc_part **/*rep_result*/, krb5_creds **/*out_creds*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_sendto ( krb5_context /*context*/, const krb5_data */*send_data*/, krb5_krbhst_handle /*handle*/, krb5_data */*receive*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_sendto_kdc ( krb5_context /*context*/, const krb5_data */*send_data*/, const krb5_realm */*realm*/, krb5_data */*receive*/); -krb5_error_code -krb5_sendto_kdc2 ( +krb5_error_code KRB5_LIB_FUNCTION +krb5_sendto_kdc_flags ( krb5_context /*context*/, const krb5_data */*send_data*/, const krb5_realm */*realm*/, krb5_data */*receive*/, - krb5_boolean /*master*/); + int /*flags*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_set_config_files ( krb5_context /*context*/, char **/*filenames*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_set_default_in_tkt_etypes ( krb5_context /*context*/, const krb5_enctype */*etypes*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_set_default_realm ( krb5_context /*context*/, const char */*realm*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_set_error_string ( krb5_context /*context*/, const char */*fmt*/, ...) __attribute__((format (printf, 2, 3))); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_set_extra_addresses ( krb5_context /*context*/, const krb5_addresses */*addresses*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_set_fcache_version ( krb5_context /*context*/, int /*version*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_set_ignore_addresses ( krb5_context /*context*/, const krb5_addresses */*addresses*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_set_password ( krb5_context /*context*/, krb5_creds */*creds*/, 
@@ -2455,7 +2817,7 @@ krb5_set_password ( krb5_data */*result_code_string*/, krb5_data */*result_string*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_set_password_using_ccache ( krb5_context /*context*/, krb5_ccache /*ccache*/, @@ -2465,17 +2827,23 @@ krb5_set_password_using_ccache ( krb5_data */*result_code_string*/, krb5_data */*result_string*/); -void +krb5_error_code KRB5_LIB_FUNCTION +krb5_set_real_time ( + krb5_context /*context*/, + krb5_timestamp /*sec*/, + int32_t /*usec*/); + +void KRB5_LIB_FUNCTION krb5_set_use_admin_kdc ( krb5_context /*context*/, krb5_boolean /*flag*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_set_warn_dest ( krb5_context /*context*/, krb5_log_facility */*fac*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_sname_to_principal ( krb5_context /*context*/, const char */*hostname*/, @@ -2483,7 +2851,7 @@ krb5_sname_to_principal ( int32_t /*type*/, krb5_principal */*ret_princ*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_sock_to_principal ( krb5_context /*context*/, int /*sock*/, 
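Review bot: `krb5_set_real_time` is new and returns `krb5_error_code`, but the prototype does not say whether it adjusts a per-context clock offset or something process-wide, nor what error it can return. Because Kerberos timestamp checks depend on the library's notion of the current time, the definition should document the scope of the adjustment and the failure cases, for example `/* Records the offset between (sec, usec) and the local clock in the context -- confirm */`. This is a documentation request; the definition is not visible here.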
@@ -2491,174 +2859,179 @@ krb5_sock_to_principal ( int32_t /*type*/, krb5_principal */*ret_princ*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_sockaddr2address ( krb5_context /*context*/, const struct sockaddr */*sa*/, krb5_address */*addr*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_sockaddr2port ( krb5_context /*context*/, const struct sockaddr */*sa*/, int16_t */*port*/); -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_sockaddr_uninteresting (const struct sockaddr */*sa*/); -void +void KRB5_LIB_FUNCTION krb5_std_usage ( int /*code*/, struct getargs */*args*/, int /*num_args*/); -void +void KRB5_LIB_FUNCTION krb5_storage_clear_flags ( krb5_storage */*sp*/, krb5_flags /*flags*/); -krb5_storage * +krb5_storage * KRB5_LIB_FUNCTION krb5_storage_emem (void); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_storage_free (krb5_storage */*sp*/); -krb5_storage * +krb5_storage * KRB5_LIB_FUNCTION krb5_storage_from_data (krb5_data */*data*/); -krb5_storage * +krb5_storage * KRB5_LIB_FUNCTION krb5_storage_from_fd (int /*fd*/); -krb5_storage * +krb5_storage * KRB5_LIB_FUNCTION krb5_storage_from_mem ( void */*buf*/, size_t /*len*/); -krb5_flags +krb5_flags KRB5_LIB_FUNCTION krb5_storage_get_byteorder ( krb5_storage */*sp*/, krb5_flags /*byteorder*/); -krb5_boolean +krb5_boolean KRB5_LIB_FUNCTION krb5_storage_is_flags ( krb5_storage */*sp*/, krb5_flags /*flags*/); -krb5_ssize_t +krb5_ssize_t KRB5_LIB_FUNCTION krb5_storage_read ( krb5_storage */*sp*/, void */*buf*/, size_t /*len*/); -off_t +off_t KRB5_LIB_FUNCTION krb5_storage_seek ( krb5_storage */*sp*/, off_t /*offset*/, int /*whence*/); -void +void KRB5_LIB_FUNCTION krb5_storage_set_byteorder ( krb5_storage */*sp*/, krb5_flags /*byteorder*/); -void +void KRB5_LIB_FUNCTION krb5_storage_set_eof_code ( krb5_storage */*sp*/, int /*code*/); -void +void KRB5_LIB_FUNCTION krb5_storage_set_flags ( krb5_storage */*sp*/, krb5_flags /*flags*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION 
krb5_storage_to_data ( krb5_storage */*sp*/, krb5_data */*data*/); -krb5_ssize_t +krb5_ssize_t KRB5_LIB_FUNCTION krb5_storage_write ( krb5_storage */*sp*/, const void */*buf*/, size_t /*len*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_store_address ( krb5_storage */*sp*/, krb5_address /*p*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_store_addrs ( krb5_storage */*sp*/, krb5_addresses /*p*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_store_authdata ( krb5_storage */*sp*/, krb5_authdata /*auth*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_store_creds ( krb5_storage */*sp*/, krb5_creds */*creds*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_store_creds_tag ( + krb5_storage */*sp*/, + krb5_creds */*creds*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_store_data ( krb5_storage */*sp*/, krb5_data /*data*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_store_int16 ( krb5_storage */*sp*/, int16_t /*value*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_store_int32 ( krb5_storage */*sp*/, int32_t /*value*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_store_int8 ( krb5_storage */*sp*/, int8_t /*value*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_store_keyblock ( krb5_storage */*sp*/, krb5_keyblock /*p*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_store_principal ( krb5_storage */*sp*/, krb5_principal /*p*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_store_string ( krb5_storage */*sp*/, const char */*s*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_store_stringz ( krb5_storage */*sp*/, const char */*s*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_store_times ( krb5_storage */*sp*/, krb5_times /*times*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_string_to_deltat ( const char */*string*/, krb5_deltat */*deltat*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION 
krb5_string_to_enctype ( krb5_context /*context*/, const char */*string*/, krb5_enctype */*etype*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_string_to_key ( krb5_context /*context*/, krb5_enctype /*enctype*/, @@ -2666,7 +3039,7 @@ krb5_string_to_key ( krb5_principal /*principal*/, krb5_keyblock */*key*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_string_to_key_data ( krb5_context /*context*/, krb5_enctype /*enctype*/, @@ -2674,7 +3047,7 @@ krb5_string_to_key_data ( krb5_principal /*principal*/, krb5_keyblock */*key*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_string_to_key_data_salt ( krb5_context /*context*/, krb5_enctype /*enctype*/, @@ -2682,7 +3055,7 @@ krb5_string_to_key_data_salt ( krb5_salt /*salt*/, krb5_keyblock */*key*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_string_to_key_data_salt_opaque ( krb5_context /*context*/, krb5_enctype /*enctype*/, @@ -2691,7 +3064,7 @@ krb5_string_to_key_data_salt_opaque ( krb5_data /*opaque*/, krb5_keyblock */*key*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_string_to_key_derived ( krb5_context /*context*/, const void */*str*/, @@ -2699,7 +3072,7 @@ krb5_string_to_key_derived ( krb5_enctype /*etype*/, krb5_keyblock */*key*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_string_to_key_salt ( krb5_context /*context*/, krb5_enctype /*enctype*/, 
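Review bot: The new `krb5_store_creds_tag` prototype in this hunk (declared between krb5_store_creds and krb5_store_data) has exactly the same signature as `krb5_store_creds` and no comment saying how its serialized form differs, so a reader of the header cannot tell which one a credential-cache or keytab consumer should pair with the matching `krb5_ret_*` call. A one-line comment on each would remove the ambiguity, e.g. `/* Like krb5_store_creds(), but writes the credential in the tagged on-disk format; must be read back with the matching tagged reader. */` — the exact format difference is not visible here, so confirm against the implementation before wording it. While here, `krb5_store_creds`/`krb5_store_creds_tag` take a non-const `krb5_creds *` although they presumably only read it; `const` would document that to callers. The hunk starts at krb5_sock_to_principal on an earlier visible line and ends with krb5_string_to_enctype here.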
@@ -2707,57 +3080,85 @@ krb5_string_to_key_salt ( krb5_salt /*salt*/, krb5_keyblock */*key*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_string_to_key_salt_opaque ( + krb5_context /*context*/, + krb5_enctype /*enctype*/, + const char */*password*/, + krb5_salt /*salt*/, + krb5_data /*opaque*/, + krb5_keyblock */*key*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_string_to_keytype ( krb5_context /*context*/, const char */*string*/, krb5_keytype */*keytype*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_string_to_salttype ( krb5_context /*context*/, krb5_enctype /*etype*/, const char */*string*/, krb5_salttype */*salttype*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION +krb5_ticket_get_authorization_data_type ( + krb5_context /*context*/, + krb5_ticket */*ticket*/, + int /*type*/, + krb5_data */*data*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_ticket_get_client ( + krb5_context /*context*/, + const krb5_ticket */*ticket*/, + krb5_principal */*client*/); + +krb5_error_code KRB5_LIB_FUNCTION +krb5_ticket_get_server ( + krb5_context /*context*/, + const krb5_ticket */*ticket*/, + krb5_principal */*server*/); + +krb5_error_code KRB5_LIB_FUNCTION krb5_timeofday ( krb5_context /*context*/, krb5_timestamp */*timeret*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_unparse_name ( krb5_context /*context*/, krb5_const_principal /*principal*/, char **/*name*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_unparse_name_fixed ( krb5_context /*context*/, krb5_const_principal /*principal*/, char */*name*/, size_t /*len*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_unparse_name_fixed_short ( krb5_context /*context*/, krb5_const_principal /*principal*/, char */*name*/, size_t /*len*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_unparse_name_short ( krb5_context /*context*/, krb5_const_principal /*principal*/, char **/*name*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION 
krb5_us_timeofday ( krb5_context /*context*/, - int32_t */*sec*/, + krb5_timestamp */*sec*/, int32_t */*usec*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_vabort ( krb5_context /*context*/, krb5_error_code /*code*/, @@ -2765,14 +3166,14 @@ krb5_vabort ( va_list /*ap*/) __attribute__ ((noreturn, format (printf, 3, 0))); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_vabortx ( krb5_context /*context*/, const char */*fmt*/, va_list /*ap*/) __attribute__ ((noreturn, format (printf, 2, 0))); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_verify_ap_req ( krb5_context /*context*/, krb5_auth_context */*auth_context*/, @@ -2783,7 +3184,7 @@ krb5_verify_ap_req ( krb5_flags */*ap_req_options*/, krb5_ticket **/*ticket*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_verify_ap_req2 ( krb5_context /*context*/, krb5_auth_context */*auth_context*/, @@ -2795,14 +3196,14 @@ krb5_verify_ap_req2 ( krb5_ticket **/*ticket*/, krb5_key_usage /*usage*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_verify_authenticator_checksum ( krb5_context /*context*/, krb5_auth_context /*ac*/, void */*data*/, size_t /*len*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_verify_checksum ( krb5_context /*context*/, krb5_crypto /*crypto*/, @@ -2811,7 +3212,7 @@ krb5_verify_checksum ( size_t /*len*/, Checksum */*cksum*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_verify_init_creds ( krb5_context /*context*/, krb5_creds */*creds*/, 
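Review bot: In the hunk that adds the krb5_ticket_get_* accessors, `krb5_ticket_get_authorization_data_type` takes a plain `krb5_ticket *` while its new siblings `krb5_ticket_get_client` and `krb5_ticket_get_server` take `const krb5_ticket *`; if the implementation does not modify the ticket, the accessor should be `const krb5_ticket */*ticket*/` for consistency. The accessor also deserves a caveat in the header, since authorization data is only trustworthy once the ticket has been decrypted and verified: `/* Returns a copy of the first authorization-data element of AD type 'type'. Call only on a ticket returned by krb5_verify_ap_req()/krb5_rd_req(); 'type' is the raw AD type number. */`. Separately, `krb5_us_timeofday` changes its `sec` parameter from `int32_t *` to `krb5_timestamp *`, which is source- and ABI-compatible only if krb5_timestamp is a typedef of int32_t — not visible here, so confirm.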
@@ -2820,43 +3221,43 @@ krb5_verify_init_creds ( krb5_ccache */*ccache*/, krb5_verify_init_creds_opt */*options*/); -void +void KRB5_LIB_FUNCTION krb5_verify_init_creds_opt_init (krb5_verify_init_creds_opt */*options*/); -void +void KRB5_LIB_FUNCTION krb5_verify_init_creds_opt_set_ap_req_nofail ( krb5_verify_init_creds_opt */*options*/, int /*ap_req_nofail*/); -void +void KRB5_LIB_FUNCTION krb5_verify_opt_init (krb5_verify_opt */*opt*/); -void +void KRB5_LIB_FUNCTION krb5_verify_opt_set_ccache ( krb5_verify_opt */*opt*/, krb5_ccache /*ccache*/); -void +void KRB5_LIB_FUNCTION krb5_verify_opt_set_flags ( krb5_verify_opt */*opt*/, unsigned int /*flags*/); -void +void KRB5_LIB_FUNCTION krb5_verify_opt_set_keytab ( krb5_verify_opt */*opt*/, krb5_keytab /*keytab*/); -void +void KRB5_LIB_FUNCTION krb5_verify_opt_set_secure ( krb5_verify_opt */*opt*/, krb5_boolean /*secure*/); -void +void KRB5_LIB_FUNCTION krb5_verify_opt_set_service ( krb5_verify_opt */*opt*/, const char */*service*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_verify_user ( krb5_context /*context*/, krb5_principal /*principal*/, @@ -2865,7 +3266,7 @@ krb5_verify_user ( krb5_boolean /*secure*/, const char */*service*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_verify_user_lrealm ( krb5_context /*context*/, krb5_principal /*principal*/, @@ -2874,14 +3275,14 @@ krb5_verify_user_lrealm ( krb5_boolean /*secure*/, const char */*service*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_verify_user_opt ( krb5_context /*context*/, krb5_principal /*principal*/, const char */*password*/, krb5_verify_opt */*opt*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_verr ( krb5_context /*context*/, int /*eval*/, @@ -2890,7 +3291,7 @@ krb5_verr ( va_list /*ap*/) __attribute__ ((noreturn, format (printf, 4, 0))); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_verrx ( krb5_context /*context*/, int /*eval*/, 
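Review bot: The first hunk on this line only adds KRB5_LIB_FUNCTION to the krb5_verify_opt_* and krb5_verify_init_creds_opt_* setters, but it leaves `krb5_verify_opt_set_secure (..., krb5_boolean /*secure*/)` and `krb5_verify_init_creds_opt_set_ap_req_nofail (..., int /*ap_req_nofail*/)` with no explanation of what the flags defend against or what their defaults are. Judging by the names these control whether a freshly obtained credential is checked against a local keytab (the usual defence against a spoofed KDC), and a caller who leaves them at the default may silently skip that check; the header should say so, e.g. `/* secure: when true, the obtained credential must be verified against a service key in the keytab; a missing keytab entry is then an error rather than a silent pass. */`. The exact default and failure behaviour are not visible in this hunk, so confirm against the implementation before wording the comment.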
@@ -2898,7 +3299,7 @@ krb5_verrx ( va_list /*ap*/) __attribute__ ((noreturn, format (printf, 3, 0))); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_vlog ( krb5_context /*context*/, krb5_log_facility */*fac*/, @@ -2907,7 +3308,7 @@ krb5_vlog ( va_list /*ap*/) __attribute__((format (printf, 4, 0))); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_vlog_msg ( krb5_context /*context*/, krb5_log_facility */*fac*/, @@ -2917,14 +3318,14 @@ krb5_vlog_msg ( va_list /*ap*/) __attribute__((format (printf, 5, 0))); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_vset_error_string ( krb5_context /*context*/, const char */*fmt*/, va_list /*args*/) __attribute__ ((format (printf, 2, 0))); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_vwarn ( krb5_context /*context*/, krb5_error_code /*code*/, @@ -2932,14 +3333,14 @@ krb5_vwarn ( va_list /*ap*/) __attribute__ ((format (printf, 3, 0))); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_vwarnx ( krb5_context /*context*/, const char */*fmt*/, va_list /*ap*/) __attribute__ ((format (printf, 2, 0))); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_warn ( krb5_context /*context*/, krb5_error_code /*code*/, 
@@ -2947,40 +3348,38 @@ krb5_warn ( ...) __attribute__ ((format (printf, 3, 4))); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_warnx ( krb5_context /*context*/, const char */*fmt*/, ...) __attribute__ ((format (printf, 2, 3))); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_write_message ( krb5_context /*context*/, krb5_pointer /*p_fd*/, krb5_data */*data*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_write_priv_message ( krb5_context /*context*/, krb5_auth_context /*ac*/, krb5_pointer /*p_fd*/, krb5_data */*data*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_write_safe_message ( krb5_context /*context*/, krb5_auth_context /*ac*/, krb5_pointer /*p_fd*/, krb5_data */*data*/); -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_xfree (void */*ptr*/); -krb5_error_code -principalname2krb5_principal ( - krb5_principal */*principal*/, - const PrincipalName /*from*/, - const Realm /*realm*/); +#ifdef __cplusplus +} +#endif #endif /* __krb5_protos_h__ */ diff --git a/kerberosV/src/lib/krb5/krb5.3 b/kerberosV/src/lib/krb5/krb5.3 index 7ac783646b5..c04c7cc4ac5 100644 --- a/kerberosV/src/lib/krb5/krb5.3 +++ b/kerberosV/src/lib/krb5/krb5.3 
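Review bot: The last hunk drops the exported prototype `principalname2krb5_principal` from the public header without declaring any replacement, so in-tree or third-party callers that used it now compile against an implicit declaration (or fail outright on a C99-strict compiler) and link against whatever symbol still exists. If the function was made library-private (presumably renamed with a `_krb5_` prefix), a comment or a deprecation stub here would make the API break explicit, e.g. `/* principalname2krb5_principal() is no longer public; use krb5_parse_name()/krb5_build_principal() instead. */` — the replacement is not visible in this diff, so confirm before naming it. The added `#ifdef __cplusplus }` closes an `extern "C"` block whose opening brace is outside the visible lines; check that it was added in the same commit so the header still parses under C++.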
@@ -1,35 +1,37 @@ -.\" Copyright (c) 2001, 2003 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. +.\" Copyright (c) 2001, 2003 - 2005 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. .\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: .\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. .\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. .\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. 
.\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. .\" -.Dd March 20, 2003 +.\" $KTH: krb5.3,v 1.35 2005/05/25 13:18:33 lha Exp $ +.\" +.Dd March 21, 2004 .Dt KRB5 3 .Os .Sh NAME 
@@ -37,21 +39,30 @@ .Nd kerberos 5 library .Sh LIBRARY Kerberos 5 Library (libkrb5, -lkrb5) +.Sh SYNOPSIS +.In krb5.h .Sh DESCRIPTION These functions constitute the Kerberos 5 library, .Em libkrb5 . -Declarations for these functions may be obtained from the include file -.Pa krb5.h . .Sh LIST OF FUNCTIONS .sp 2 .nf -.ta \w'krb5_checksum_is_collision_proof.3'u+2n +\w'Description goes here'u +.ta \w'krb5_ticket_get_authorization_data_type.3'u+2n +\w'Description goes here'u \fIName/Page\fP \fIDescription\fP -.ta \w'krb5_checksum_is_collision_proof.3'u+2n +\w'Description goes here'u+6nC +.ta \w'krb5_ticket_get_authorization_data_type.3'u+2n +\w'Description goes here'u+6nC .sp 5p +krb524_convert_creds_kdc.3 +krb524_convert_creds_kdc_cache.3 krb5_425_conv_principal.3 krb5_425_conv_principal_ext.3 krb5_524_conv_principal.3 +krb5_abort.3 +krb5_abortx.3 +krb5_acl_match_file.3 +krb5_acl_match_string.3 +krb5_add_et_list.3 +krb5_add_extra_addresses.3 +krb5_add_ignore_addresses.3 krb5_addlog_dest.3 krb5_addlog_func.3 krb5_addr2sockaddr.3 
@@ -60,45 +71,64 @@ krb5_address_compare.3 krb5_address_order.3 krb5_address_search.3 krb5_addresses.3 +krb5_aname_to_localname.3 krb5_anyaddr.3 krb5_appdefault_boolean.3 krb5_appdefault_string.3 krb5_appdefault_time.3 krb5_append_addresses.3 +krb5_auth_con_addflags.3 krb5_auth_con_free.3 krb5_auth_con_genaddrs.3 +krb5_auth_con_generatelocalsubkey.3 krb5_auth_con_getaddrs.3 +krb5_auth_con_getauthenticator.3 +krb5_auth_con_getcksumtype.3 krb5_auth_con_getflags.3 krb5_auth_con_getkey.3 +krb5_auth_con_getkeytype.3 +krb5_auth_con_getlocalseqnumber.3 krb5_auth_con_getlocalsubkey.3 krb5_auth_con_getrcache.3 krb5_auth_con_getremotesubkey.3 krb5_auth_con_getuserkey.3 krb5_auth_con_init.3 krb5_auth_con_initivector.3 +krb5_auth_con_removeflags.3 krb5_auth_con_setaddrs.3 krb5_auth_con_setaddrs_from_fd.3 +krb5_auth_con_setcksumtype.3 krb5_auth_con_setflags.3 krb5_auth_con_setivector.3 krb5_auth_con_setkey.3 +krb5_auth_con_setkeytype.3 +krb5_auth_con_setlocalseqnumber.3 krb5_auth_con_setlocalsubkey.3 krb5_auth_con_setrcache.3 +krb5_auth_con_setremoteseqnumber.3 krb5_auth_con_setremotesubkey.3 krb5_auth_con_setuserkey.3 krb5_auth_context.3 -krb5_auth_getauthenticator.3 -krb5_auth_getcksumtype.3 -krb5_auth_getkeytype.3 -krb5_auth_getlocalseqnumber.3 krb5_auth_getremoteseqnumber.3 -krb5_auth_setcksumtype.3 -krb5_auth_setkeytype.3 -krb5_auth_setlocalseqnumber.3 -krb5_auth_setremoteseqnumber.3 krb5_build_principal.3 krb5_build_principal_ext.3 krb5_build_principal_va.3 krb5_build_principal_va_ext.3 +krb5_c_block_size.3 +krb5_c_checksum_length.3 +krb5_c_decrypt.3 +krb5_c_encrypt.3 +krb5_c_encrypt_length.3 +krb5_c_enctype_compare.3 +krb5_c_get_checksum.3 +krb5_c_is_coll_proof_cksum.3 +krb5_c_is_keyed_cksum.3 +krb5_c_make_checksum.3 +krb5_c_make_random_key.3 +krb5_c_set_checksum.3 +krb5_c_valid_cksumtype.3 +krb5_c_valid_enctype.3 +krb5_c_verify_checksum.3 krb5_cc_close.3 krb5_cc_copy_cache.3 krb5_cc_default.3 
@@ -107,10 +137,12 @@ krb5_cc_destroy.3 krb5_cc_end_seq_get.3 krb5_cc_gen_new.3 krb5_cc_get_name.3 +krb5_cc_get_ops.3 krb5_cc_get_principal.3 krb5_cc_get_type.3 krb5_cc_get_version.3 krb5_cc_initialize.3 +krb5_cc_new_unique.3 krb5_cc_next_cred.3 krb5_cc_register.3 krb5_cc_remove_cred.3 @@ -119,20 +151,62 @@ krb5_cc_retrieve_cred.3 krb5_cc_set_default_name.3 krb5_cc_set_flags.3 krb5_cc_store_cred.3 +krb5_change_password.3 +krb5_check_transited.3 +krb5_check_transited_realms.3 +krb5_checksum_disable.3 +krb5_checksum_free.3 krb5_checksum_is_collision_proof.3 krb5_checksum_is_keyed.3 krb5_checksumsize.3 +krb5_clear_error_string.3 krb5_closelog.3 +krb5_config_file_free.3 +krb5_config_free_strings.3 +krb5_config_get.3 +krb5_config_get_bool.3 krb5_config_get_bool_default.3 +krb5_config_get_int.3 krb5_config_get_int_default.3 +krb5_config_get_list.3 +krb5_config_get_next.3 +krb5_config_get_string.3 krb5_config_get_string_default.3 +krb5_config_get_strings.3 +krb5_config_get_time.3 krb5_config_get_time_default.3 +krb5_config_parse_file.3 +krb5_config_parse_file_multi.3 +krb5_config_vget.3 +krb5_config_vget_bool.3 +krb5_config_vget_bool_default.3 +krb5_config_vget_int.3 +krb5_config_vget_int_default.3 +krb5_config_vget_list.3 +krb5_config_vget_next.3 +krb5_config_vget_string.3 +krb5_config_vget_string_default.3 +krb5_config_vget_strings.3 +krb5_config_vget_time.3 +krb5_config_vget_time_default.3 krb5_context.3 krb5_copy_address.3 krb5_copy_addresses.3 +krb5_copy_checksum.3 krb5_copy_data.3 +krb5_copy_host_realm.3 +krb5_copy_keyblock.3 +krb5_copy_keyblock_contents.3 +krb5_copy_principal.3 +krb5_copy_ticket.3 krb5_create_checksum.3 +krb5_creds.3 krb5_crypto_destroy.3 +krb5_crypto_get_checksum_type.3 +krb5_crypto_getblocksize.3 +krb5_crypto_getconfoundersize.3 +krb5_crypto_getenctype.3 +krb5_crypto_getpadsize.3 krb5_crypto_init.3 krb5_data_alloc.3 krb5_data_copy.3 
@@ -141,36 +215,110 @@ krb5_data_realloc.3 krb5_data_zero.3 krb5_decrypt.3 krb5_decrypt_EncryptedData.3 +krb5_domain_x500_decode.3 +krb5_domain_x500_encode.3 +krb5_eai_to_heim_errno.3 krb5_encrypt.3 krb5_encrypt_EncryptedData.3 +krb5_enctype_disable.3 +krb5_enctype_to_string.3 +krb5_enctype_valid.3 krb5_err.3 krb5_errx.3 +krb5_expand_hostname.3 +krb5_expand_hostname_realms.3 +krb5_find_padata.3 +krb5_format_time.3 krb5_free_address.3 krb5_free_addresses.3 +krb5_free_authenticator.3 +krb5_free_checksum.3 +krb5_free_checksum_contents.3 +krb5_free_config_files.3 krb5_free_context.3 krb5_free_data.3 krb5_free_data_contents.3 +krb5_free_error_string.3 krb5_free_host_realm.3 +krb5_free_kdc_rep.3 +krb5_free_keyblock.3 +krb5_free_keyblock_contents.3 krb5_free_krbhst.3 krb5_free_principal.3 +krb5_free_ticket.3 +krb5_free_salt.3 +krb5_fwd_tgt_creds.3 +krb5_generate_random_block.3 +krb5_generate_random_keyblock.3 +krb5_generate_subkey.3 krb5_get_all_client_addrs.3 krb5_get_all_server_addrs.3 +krb5_get_cred_from_kdc.3 +krb5_get_cred_from_kdc_opt.3 +krb5_get_credentials.3 +krb5_get_credentials_with_flags.3 +krb5_get_default_config_files.3 +krb5_get_default_principal.3 krb5_get_default_realm.3 krb5_get_default_realms.3 +krb5_get_err_text.3 +krb5_get_error_string.3 +krb5_get_extra_addresses.3 +krb5_get_fcache_version.3 +krb5_get_forwarded_creds.3 krb5_get_host_realm.3 +krb5_get_ignore_addresses.3 +krb5_get_in_cred.3 +krb5_get_in_tkt.3 +krb5_get_in_tkt_with_keytab.3 +krb5_get_in_tkt_with_password.3 +krb5_get_in_tkt_with_skey.3 +krb5_get_init_creds.3 +krb5_get_init_creds_keytab.3 +krb5_get_init_creds_opt_alloc.3 +krb5_get_init_creds_opt_free.3 +krb5_get_init_creds_opt_free_pkinit.3 +krb5_get_init_creds_opt_init.3 +krb5_get_init_creds_opt_set_address_list.3 +krb5_get_init_creds_opt_set_anonymous.3 +krb5_get_init_creds_opt_set_default_flags.3 +krb5_get_init_creds_opt_set_etype_list.3 +krb5_get_init_creds_opt_set_forwardable.3 +krb5_get_init_creds_opt_set_pa_password.3 
+krb5_get_init_creds_opt_set_paq_request.3 +krb5_get_init_creds_opt_set_pkinit.3 +krb5_get_init_creds_opt_set_preauth_list.3 +krb5_get_init_creds_opt_set_proxiable.3 +krb5_get_init_creds_opt_set_renew_life.3 +krb5_get_init_creds_opt_set_salt.3 +krb5_get_init_creds_opt_set_tkt_life.3 +krb5_get_init_creds_password.3 +krb5_get_kdc_cred.3 krb5_get_krb524hst.3 krb5_get_krb_admin_hst.3 krb5_get_krb_changepw_hst.3 krb5_get_krbhst.3 +krb5_get_pw_salt.3 +krb5_get_server_rcache.3 +krb5_get_use_admin_kdc.3 +krb5_get_wrapped_length.3 +krb5_getportbyname.3 krb5_h_addr2addr.3 krb5_h_addr2sockaddr.3 +krb5_h_errno_to_heim_errno.3 +krb5_have_error_string.3 +krb5_hmac.3 krb5_init_context.3 +krb5_init_ets.3 krb5_initlog.3 +krb5_keyblock_get_enctype.3 +krb5_keyblock_zero.3 krb5_keytab_entry.3 krb5_krbhst_format_string.3 krb5_krbhst_free.3 krb5_krbhst_get_addrinfo.3 krb5_krbhst_init.3 +krb5_krbhst_init_flags.3 krb5_krbhst_next.3 krb5_krbhst_next_as_string.3 krb5_krbhst_reset.3 @@ -179,13 +327,14 @@ krb5_kt_close.3 krb5_kt_compare.3 krb5_kt_copy_entry_contents.3 krb5_kt_cursor.3 -krb5_kt_cursor.3 krb5_kt_default.3 +krb5_kt_default_modify_name.3 krb5_kt_default_name.3 krb5_kt_end_seq_get.3 krb5_kt_free_entry.3 krb5_kt_get_entry.3 krb5_kt_get_name.3 +krb5_kt_get_type.3 krb5_kt_next_entry.3 krb5_kt_ops.3 krb5_kt_read_service_key.3 
@@ -193,30 +342,133 @@ krb5_kt_register.3 krb5_kt_remove_entry.3 krb5_kt_resolve.3.3 krb5_kt_start_seq_get +krb5_kuserok.3 krb5_log.3 krb5_log_msg.3 krb5_make_addrport.3 krb5_make_principal.3 krb5_max_sockaddr_size.3 krb5_openlog.3 +krb5_padata_add.3 krb5_parse_address.3 krb5_parse_name.3 +krb5_passwd_result_to_string.3 +krb5_password_key_proc.3 +krb5_prepend_config_files.3 +krb5_prepend_config_files_default.3 +krb5_princ_realm.3 +krb5_princ_set_realm.3 krb5_principal.3 +krb5_principal_compare.3 +krb5_principal_compare_any_realm.3 krb5_principal_get_comp_string.3 krb5_principal_get_realm.3 +krb5_principal_get_type.3 +krb5_principal_match.3 +krb5_principal_set_type.3 krb5_print_address.3 +krb5_rc_close.3 +krb5_rc_default.3 +krb5_rc_default_name.3 +krb5_rc_default_type.3 +krb5_rc_destroy.3 +krb5_rc_expunge.3 +krb5_rc_get_lifespan.3 +krb5_rc_get_name.3 +krb5_rc_get_type.3 +krb5_rc_initialize.3 +krb5_rc_recover.3 +krb5_rc_resolve.3 +krb5_rc_resolve_full.3 +krb5_rc_resolve_type.3 +krb5_rc_store.3 +krb5_rcache.3 +krb5_realm_compare.3 +krb5_ret_address.3 +krb5_ret_addrs.3 +krb5_ret_authdata.3 +krb5_ret_creds.3 +krb5_ret_data.3 +krb5_ret_int16.3 +krb5_ret_int32.3 +krb5_ret_int8.3 +krb5_ret_keyblock.3 +krb5_ret_principal.3 +krb5_ret_string.3 +krb5_ret_stringz.3 +krb5_ret_times.3 +krb5_set_config_files.3 krb5_set_default_realm.3 +krb5_set_error_string.3 +krb5_set_extra_addresses.3 +krb5_set_fcache_version.3 +krb5_set_ignore_addresses.3 +krb5_set_password.3 +krb5_set_password_using_ccache.3 +krb5_set_real_time.3 +krb5_set_use_admin_kdc.3 krb5_set_warn_dest.3 krb5_sname_to_principal.3 krb5_sock_to_principal.3 krb5_sockaddr2address.3 krb5_sockaddr2port.3 krb5_sockaddr_uninteresting.3 +krb5_storage.3 +krb5_storage_clear_flags.3 +krb5_storage_emem.3 +krb5_storage_free.3 +krb5_storage_from_data.3 +krb5_storage_from_fd.3 +krb5_storage_from_mem.3 +krb5_storage_get_byteorder.3 +krb5_storage_is_flags.3 +krb5_storage_read.3 +krb5_storage_seek.3 +krb5_storage_set_byteorder.3 
+krb5_storage_set_eof_code.3 +krb5_storage_set_flags.3 +krb5_storage_to_data.3 +krb5_storage_write.3 +krb5_store_address.3 +krb5_store_addrs.3 +krb5_store_authdata.3 +krb5_store_creds.3 +krb5_store_data.3 +krb5_store_int16.3 +krb5_store_int32.3 +krb5_store_int8.3 +krb5_store_keyblock.3 +krb5_store_principal.3 +krb5_store_string.3 +krb5_store_stringz.3 +krb5_store_times.3 +krb5_string_to_deltat.3 +krb5_string_to_enctype.3 +krb5_string_to_key.3 +krb5_string_to_key_data.3 +krb5_string_to_key_data_salt.3 +krb5_string_to_key_data_salt_opaque.3 +krb5_string_to_key_derived.3 +krb5_string_to_key_salt.3 +krb5_string_to_key_salt_opaque.3 +krb5_ticket.3 +krb5_ticket_get_authorization_data_type.3 +krb5_ticket_get_client.3 +krb5_ticket_get_server.3 krb5_timeofday.3 krb5_unparse_name.3 +krb5_unparse_name_fixed.3 +krb5_unparse_name_fixed_short.3 +krb5_unparse_name_short.3 krb5_us_timeofday.3 +krb5_vabort.3 +krb5_vabortx.3 krb5_verify_checksum.3 +krb5_verify_init_creds.3 +krb5_verify_init_creds_opt_init.3 +krb5_verify_init_creds_opt_set_ap_req_nofail.3 krb5_verify_opt_init.3 +krb5_verify_opt_set_ccache.3 krb5_verify_opt_set_flags.3 krb5_verify_opt_set_keytab.3 krb5_verify_opt_set_secure.3 @@ -228,11 +480,11 @@ krb5_verr.3 krb5_verrx.3 krb5_vlog.3 krb5_vlog_msg.3 +krb5_vset_error_string.3 krb5_vwarn.3 krb5_vwarnx.3 krb5_warn.3 krb5_warnx.3 -krb5_kuserok.3 .ta .Fi .Sh SEE ALSO diff --git a/kerberosV/src/lib/krb5/krb5.conf.5 b/kerberosV/src/lib/krb5/krb5.conf.5 index 50192f0f418..c071edb3645 100644 --- a/kerberosV/src/lib/krb5/krb5.conf.5 +++ b/kerberosV/src/lib/krb5/krb5.conf.5 @@ -1,4 +1,4 @@ -.\" Copyright (c) 1999 - 2004 Kungliga Tekniska Högskolan +.\" Copyright (c) 1999 - 2005 Kungliga Tekniska Högskolan .\" (Royal Institute of Technology, Stockholm, Sweden). .\" All rights reserved. .\" 
@@ -29,9 +29,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $KTH: krb5.conf.5,v 1.35.2.2 2004/03/09 19:52:07 lha Exp $ +.\" $KTH: krb5.conf.5,v 1.60 2005/05/29 13:14:50 lha Exp $ .\" -.Dd March 9, 2004 +.Dd May 4, 2005 .Dt KRB5.CONF 5 .Os HEIMDAL .Sh NAME @@ -88,6 +88,7 @@ values can be either yes/true or no/false. .It time values can be a list of year, month, day, hour, min, second. Example: 1 month 2 days 30 min. +If no unit is given, seconds is assumed. .It etypes valid encryption types are: des-cbc-crc, des-cbc-md4, des-cbc-md5, des3-cbc-sha1, arcfour-hmac-md5, aes128-cts-hmac-sha1-96, and @@ -148,8 +149,8 @@ times. Default is 300 seconds (five minutes). .It Li kdc_timeout = Va time Maximum time to wait for a reply from the kdc, default is 3 seconds. -.It v4_name_convert -.It v4_instance_resolve +.It Li v4_name_convert +.It Li v4_instance_resolve These are described in the .Xr krb5_425_conv_principal 3 manual page. @@ -162,6 +163,12 @@ manual page. This is deprecated, see the .Li capaths section below. +.It Li default_cc_name = Va ccname +the default credentials cache name. +The string can contain variables that are expanded on runtime. +Only support variable now is +.Li %{uid} +that expands to the current user id. .It Li default_etypes = Va etypes ... A list of default encryption types to use. .It Li default_etypes_des = Va etypes ... @@ -178,6 +185,9 @@ Try to keep track of the time differential between the local machine and the KDC, and then compensate for that when issuing requests. .It Li max_retries = Va number The max number of times to try to contact each KDC. +.It Li large_msg_size = Va number +The threshold where protocols with tiny maximum message sizes are not +considered usable to send messages to the KDC. .It Li ticket_lifetime = Va time Default ticket lifetime. .It Li renew_lifetime = Va time 
@@ -203,8 +213,8 @@ Default is seven days. A HTTP-proxy to use when talking to the KDC via HTTP. .It Li dns_proxy = Va proxy-spec Enable using DNS via HTTP. -.It Li extra_addresses = Va address... -A list of addresses to get tickets for, along with all local addresses. +.It Li extra_addresses = Va address ... +A list of addresses to get tickets for along with all local addresses. .It Li time_format = Va string How to print time strings in logs, this string is passed to .Xr strftime 3 . @@ -241,6 +251,13 @@ Each binding in this section looks like: The domain can be either a full name of a host or a trailing component, in the latter case the domain-string should start with a period. +The trailing component only matches hosts that are in the same domain, ie +.Dq .example.com +matches +.Dq foo.example.com , +but not +.Dq foo.test.example.com . +.Pp The realm may be the token `dns_locate', in which case the actual realm will be determined using DNS (independently of the setting of the `dns_lookup_realm' option). 
@@ -330,71 +347,93 @@ manual page for a list of defined destinations. .El .It Li [kdc] .Bl -tag -width "xxx" -offset indent -.It database Li = { +.It Li database Li = { .Bl -tag -width "xxx" -offset indent -.It dbname Li = Va DATABASENAME +.It Li dbname Li = Va DATABASENAME Use this database for this realm. -.It realm Li = Va REALM +See the info documetation how to configure diffrent database backends. +.It Li realm Li = Va REALM Specifies the realm that will be stored in this database. -.It mkey_file Li = Pa FILENAME +It realm isn't set, it will used as the default database, there can +only be one entry that doesn't have a +.Li realm +stanza. +.It Li mkey_file Li = Pa FILENAME Use this keytab file for the master key of this database. If not specified .Va DATABASENAME Ns .mkey will be used. -.It acl_file Li = PA FILENAME +.It Li acl_file Li = PA FILENAME Use this file for the ACL list of this database. -.It log_file Li = Pa FILENAME +.It Li log_file Li = Pa FILENAME Use this file as the log of changes performed to the database. This file is used by .Nm ipropd-master for propagating changes to slaves. .El .It Li } -.It max-request = Va SIZE +.It Li max-request = Va SIZE Maximum size of a kdc request. -.It require-preauth = Va BOOL +.It Li require-preauth = Va BOOL If set pre-authentication is required. Since krb4 requests are not pre-authenticated they will be rejected. -.It ports = Va "list of ports" +.It Li ports = Va "list of ports" List of ports the kdc should listen to. -.It addresses = Va "list of interfaces" +.It Li addresses = Va "list of interfaces" List of addresses the kdc should bind to. -.It enable-kerberos4 = Va BOOL +.It Li enable-kerberos4 = Va BOOL Turn on Kerberos 4 support. -.It v4-realm = Va REALM +.It Li v4-realm = Va REALM To what realm v4 requests should be mapped. -.It enable-524 = Va BOOL +.It Li enable-524 = Va BOOL Should the Kerberos 524 converting facility be turned on. Default is the same as .Va enable-kerberos4 . 
-.It enable-http = Va BOOL +.It Li enable-http = Va BOOL Should the kdc answer kdc-requests over http. -.It enable-kaserver = Va BOOL +.It Li enable-kaserver = Va BOOL If this kdc should emulate the AFS kaserver. -.It check-ticket-addresses = Va BOOL +.It Li check-ticket-addresses = Va BOOL Verify the addresses in the tickets used in tgs requests. .\" XXX -.It allow-null-ticket-addresses = Va BOOL +.It Li allow-null-ticket-addresses = Va BOOL Allow address-less tickets. -.\" XXX -.It allow-anonymous = Va BOOL +.\" XXX +.It Li allow-anonymous = Va BOOL If the kdc is allowed to hand out anonymous tickets. -.It encode_as_rep_as_tgs_rep = Va BOOL +.It Li encode_as_rep_as_tgs_rep = Va BOOL Encode as-rep as tgs-rep tobe compatible with mistakes older DCE secd did. .\" XXX -.It kdc_warn_pwexpire = Va TIME +.It Li kdc_warn_pwexpire = Va TIME The time before expiration that the user should be warned that her password is about to expire. -.It logging = Va Logging +.It Li logging = Va Logging What type of logging the kdc should use, see also [logging]/kdc. -.It use_2b = Va principal list -List of principals to use AFS 2b tokens for. +.It Li use_2b = { +.Bl -tag -width "xxx" -offset indent +.It Va principal Li = Va BOOL +boolean value if the 524 daemon should return AFS 2b tokens for +.Fa principal . +.It ... +.El +.It Li } +.It Li hdb-ldap-structural-object Va structural object +If the LDAP backend is used for storing principals, this is the +structural object that will be used when creating and when reading +objects. +The default value is account . +.It Li hdb-ldap-create-base Va creation dn +is the dn that will be appended to the principal when creating entries. +Default value is the search dn. .El .It Li [kadmin] .Bl -tag -width "xxx" -offset indent -.It require-preauth = Va BOOL +.It Li require-preauth = Va BOOL If pre-authentication is required to talk to the kadmin server. -.It default_keys = Va keytypes... 
+.It Li password_lifetime = Va time +If a principal already have its password set for expiration, this is +the time it will be valid for after a change. +.It Li default_keys = Va keytypes... For each entry in .Va default_keys try to parse it as a sequence of @@ -409,14 +448,14 @@ is omitted it means everything, and if string is omitted it means the default salt string (for that principal and encryption type). Additional special values of keytypes are: .Bl -tag -width "xxx" -offset indent -.It v5 +.It Li v5 The Kerberos 5 salt .Va pw-salt -.It v4 +.It Li v4 The Kerberos 4 salt .Va des:pw-salt: .El -.It use_v4_salt = Va BOOL +.It Li use_v4_salt = Va BOOL When true, this is the same as .Pp .Va default_keys = Va des3:pw-salt Va v4 diff --git a/kerberosV/src/lib/krb5/krb5.h b/kerberosV/src/lib/krb5/krb5.h index 543d2e858ac..d7f07ad9036 100644 --- a/kerberosV/src/lib/krb5/krb5.h +++ b/kerberosV/src/lib/krb5/krb5.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $KTH: krb5.h,v 1.209.2.2 2004/06/21 08:32:00 lha Exp $ */ +/* $KTH: krb5.h,v 1.236.2.1 2005/10/12 12:42:09 lha Exp $ */ #ifndef __KRB5_H__ #define __KRB5_H__ @@ -69,8 +69,6 @@ typedef u_int32_t krb5_flags; typedef void *krb5_pointer; typedef const void *krb5_const_pointer; -typedef octet_string krb5_data; - struct krb5_crypto_data; typedef struct krb5_crypto_data *krb5_crypto; 
@@ -80,6 +78,20 @@ typedef Checksum krb5_checksum; typedef ENCTYPE krb5_enctype; +typedef heim_octet_string krb5_data; + +/* PKINIT related forward declarations */ +struct ContentInfo; +struct krb5_pk_identity; +struct krb5_pk_cert; + +/* krb5_enc_data is a mit compat structure */ +typedef struct krb5_enc_data { + krb5_enctype enctype; + krb5_kvno kvno; + krb5_data ciphertext; +} krb5_enc_data; + /* alternative names */ enum { ENCTYPE_NULL = ETYPE_NULL, @@ -92,6 +104,9 @@ enum { ENCTYPE_ENCRYPT_RSA_PRIV = ETYPE_ENCRYPT_RSA_PRIV, ENCTYPE_ENCRYPT_RSA_PUB = ETYPE_ENCRYPT_RSA_PUB, ENCTYPE_DES3_CBC_SHA1 = ETYPE_DES3_CBC_SHA1, + ENCTYPE_AES128_CTS_HMAC_SHA1_96 = ETYPE_AES128_CTS_HMAC_SHA1_96, + ENCTYPE_AES256_CTS_HMAC_SHA1_96 = ETYPE_AES256_CTS_HMAC_SHA1_96, + ENCTYPE_ARCFOUR_HMAC = ETYPE_ARCFOUR_HMAC_MD5, ENCTYPE_ARCFOUR_HMAC_MD5 = ETYPE_ARCFOUR_HMAC_MD5, ENCTYPE_ARCFOUR_HMAC_MD5_56 = ETYPE_ARCFOUR_HMAC_MD5_56, ENCTYPE_ENCTYPE_PK_CROSS = ETYPE_ENCTYPE_PK_CROSS, 
@@ -170,8 +185,26 @@ typedef enum krb5_key_usage { /* seal in GSSAPI krb5 mechanism */ KRB5_KU_USAGE_SIGN = 23, /* sign in GSSAPI krb5 mechanism */ - KRB5_KU_USAGE_SEQ = 24 + KRB5_KU_USAGE_SEQ = 24, /* SEQ in GSSAPI krb5 mechanism */ + KRB5_KU_USAGE_ACCEPTOR_SEAL = 22, + /* acceptor sign in GSSAPI CFX krb5 mechanism */ + KRB5_KU_USAGE_ACCEPTOR_SIGN = 23, + /* acceptor seal in GSSAPI CFX krb5 mechanism */ + KRB5_KU_USAGE_INITIATOR_SEAL = 24, + /* initiator sign in GSSAPI CFX krb5 mechanism */ + KRB5_KU_USAGE_INITIATOR_SIGN = 25, + /* initiator seal in GSSAPI CFX krb5 mechanism */ + KRB5_KU_PA_SERVER_REFERRAL_DATA = 22, + /* encrypted server referral data */ + KRB5_KU_SAM_CHECKSUM = 25, + /* Checksum for the SAM-CHECKSUM field */ + KRB5_KU_SAM_ENC_TRACK_ID = 26, + /* Encryption of the SAM-TRACK-ID field */ + KRB5_KU_PA_SERVER_REFERRAL = 26, + /* Keyusage for the server referral in a TGS req */ + KRB5_KU_SAM_ENC_NONCE_SAD = 27 + /* Encryption of the SAM-NONCE-OR-SAD field */ } krb5_key_usage; typedef krb5_key_usage krb5_keyusage; @@ -222,7 +255,9 @@ typedef enum krb5_keytype { KEYTYPE_AES128 = 17, KEYTYPE_AES256 = 18, KEYTYPE_ARCFOUR = 23, - KEYTYPE_ARCFOUR_56 = 24 + KEYTYPE_ARCFOUR_56 = 24, + KEYTYPE_RC2 = -0x1005, + KEYTYPE_AES192 = -0x1006 } krb5_keytype; typedef EncryptionKey krb5_keyblock; 
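Review bot: In the krb5_key_usage hunk the trailing comments on the four new GSSAPI CFX enumerators have seal and sign swapped — `KRB5_KU_USAGE_ACCEPTOR_SEAL = 22` is followed by `/* acceptor sign ... */`, `KRB5_KU_USAGE_ACCEPTOR_SIGN = 23` by `/* acceptor seal ... */`, and the two INITIATOR entries likewise; the values themselves match the names, so only the comments need fixing. The hunk also reuses 22, 25 and 26 for unrelated purposes (CFX, SAM, server referral), which is legitimate because the usages belong to different protocols, but a reader scanning the enum will take the duplicates for a typo. I would correct each comment to name its own enumerator and add one line above the block, `/* several usage numbers are shared between unrelated protocols (GSS CFX, SAM, referrals); the number alone does not identify the protocol */`. The enum definition begins before this hunk.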
@@ -302,10 +337,20 @@ typedef union { #define KRB5_GC_CACHED (1U << 0) #define KRB5_GC_USER_USER (1U << 1) +#define KRB5_GC_EXPIRED_OK (1U << 2) /* constants for compare_creds (and cc_retrieve_cred) */ #define KRB5_TC_DONT_MATCH_REALM (1U << 31) #define KRB5_TC_MATCH_KEYTYPE (1U << 30) +#define KRB5_TC_MATCH_KTYPE KRB5_TC_MATCH_KEYTYPE /* MIT name */ +#define KRB5_TC_MATCH_SRV_NAMEONLY (1 << 29) +#define KRB5_TC_MATCH_FLAGS_EXACT (1 << 28) +#define KRB5_TC_MATCH_FLAGS (1 << 27) +#define KRB5_TC_MATCH_TIMES_EXACT (1 << 26) +#define KRB5_TC_MATCH_TIMES (1 << 25) +#define KRB5_TC_MATCH_AUTHDATA (1 << 24) +#define KRB5_TC_MATCH_2ND_TKT (1 << 23) +#define KRB5_TC_MATCH_IS_SKEY (1 << 22) typedef AuthorizationData krb5_authdata; @@ -333,7 +378,7 @@ typedef struct krb5_cc_ops { krb5_error_code (*close)(krb5_context, krb5_ccache); krb5_error_code (*store)(krb5_context, krb5_ccache, krb5_creds*); krb5_error_code (*retrieve)(krb5_context, krb5_ccache, - krb5_flags, krb5_creds*, krb5_creds); + krb5_flags, const krb5_creds*, krb5_creds *); krb5_error_code (*get_princ)(krb5_context, krb5_ccache, krb5_principal*); krb5_error_code (*get_first)(krb5_context, krb5_ccache, krb5_cc_cursor *); krb5_error_code (*get_next)(krb5_context, krb5_ccache, @@ -395,8 +440,16 @@ typedef struct krb5_context_data { char error_buf[256]; krb5_addresses *ignore_addresses; char *default_cc_name; + int pkinit_flags; + void *mutex; /* protects error_string/error_buf */ + int large_msg_size; } krb5_context_data; +enum { + KRB5_PKINIT_WIN2K = 1, /* wire compatible with Windows 2k */ + KRB5_PKINIT_PACKET_CABLE = 2 /* use packet cable standard */ +}; + typedef struct krb5_ticket { EncTicketPart ticket; krb5_principal client; 
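Review bot: The new KRB5_TC_MATCH_* constants are written `(1 << 29)` down to `(1 << 22)` while the two existing entries directly above them use `(1U << 31)` and `(1U << 30)`; since these are or'ed into a krb5_flags (u_int32_t in this header) the signed forms promote harmlessly today, but mixing the two spellings in one table invites a `1 << 31` on the next addition. I would write the whole group as `(1U << n)`, matching `KRB5_GC_EXPIRED_OK (1U << 2)` added in the same hunk. In the krb5_context_data hunk on this line, `void *mutex; /* protects error_string/error_buf */` is the only statement of the locking contract; naming what it does not cover (the rest of the context) would keep callers from assuming the whole structure is thread-safe.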
@@ -419,6 +472,7 @@ typedef Authenticator krb5_donot_replay; #define KRB5_STORAGE_BYTEORDER_BE 0x00 /* default */ #define KRB5_STORAGE_BYTEORDER_LE 0x20 #define KRB5_STORAGE_BYTEORDER_HOST 0x40 +#define KRB5_STORAGE_CREDS_FLAGS_WRONG_BITORDER 0x80 struct krb5_storage_data; typedef struct krb5_storage_data krb5_storage; @@ -470,17 +524,19 @@ typedef struct krb5_keytab_key_proc_args krb5_keytab_key_proc_args; typedef struct krb5_replay_data { krb5_timestamp timestamp; - u_int32_t usec; + int32_t usec; u_int32_t seq; } krb5_replay_data; /* flags for krb5_auth_con_setflags */ enum { - KRB5_AUTH_CONTEXT_DO_TIME = 1, - KRB5_AUTH_CONTEXT_RET_TIME = 2, - KRB5_AUTH_CONTEXT_DO_SEQUENCE = 4, - KRB5_AUTH_CONTEXT_RET_SEQUENCE = 8, - KRB5_AUTH_CONTEXT_PERMIT_ALL = 16 + KRB5_AUTH_CONTEXT_DO_TIME = 1, + KRB5_AUTH_CONTEXT_RET_TIME = 2, + KRB5_AUTH_CONTEXT_DO_SEQUENCE = 4, + KRB5_AUTH_CONTEXT_RET_SEQUENCE = 8, + KRB5_AUTH_CONTEXT_PERMIT_ALL = 16, + KRB5_AUTH_CONTEXT_USE_SUBKEY = 32, + KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED = 64 }; /* flags for krb5_auth_con_genaddrs */ @@ -528,7 +584,7 @@ typedef void (*krb5_log_log_func_t)(const char*, const char*, void*); typedef void (*krb5_log_close_func_t)(void*); typedef struct krb5_log_facility { - const char *program; + char *program; int len; struct facility *val; } krb5_log_facility; @@ -567,7 +623,6 @@ typedef int (*krb5_prompter_fct)(krb5_context context, const char *banner, int num_prompts, krb5_prompt prompts[]); - typedef krb5_error_code (*krb5_key_proc)(krb5_context context, krb5_enctype type, krb5_salt salt, 
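Review bot: In the krb5_log_facility hunk `const char *program` becomes `char *program`; dropping the qualifier on a public struct member silently changes the contract, presumably because the facility now owns and frees a copy of the string, but nothing in the hunk says so. I would document the ownership on the field, `char *program; /* owned by the facility, freed on close */` (adjusted to what the implementation actually does), so callers neither pass a pointer into read-only storage nor assume the library still aliases their buffer. In the krb5_replay_data hunk on the same line, `usec` changes from u_int32_t to int32_t; a one-line comment on why a signed type is wanted (e.g. to match a timeval's tv_usec) would save the next reader a lookup.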
@@ -578,7 +633,14 @@ typedef krb5_error_code (*krb5_decrypt_proc)(krb5_context context, krb5_key_usage usage, krb5_const_pointer decrypt_arg, krb5_kdc_rep *dec_rep); +typedef krb5_error_code (*krb5_s2k_proc)(krb5_context context, + krb5_enctype type, + krb5_const_pointer keyseed, + krb5_salt salt, + krb5_data *s2kparms, + krb5_keyblock **key); +struct _krb5_get_init_creds_opt_private; typedef struct _krb5_get_init_creds_opt { krb5_flags flags; @@ -590,14 +652,12 @@ typedef struct _krb5_get_init_creds_opt { krb5_enctype *etype_list; int etype_list_length; krb5_addresses *address_list; -#if 0 /* this is the MIT-way */ - krb5_address **address_list; -#endif /* XXX the next three should not be used, as they may be removed later */ krb5_preauthtype *preauth_list; int preauth_list_length; krb5_data *salt; + struct _krb5_get_init_creds_opt_private *opt_private; } krb5_get_init_creds_opt; #define KRB5_GET_INIT_CREDS_OPT_TKT_LIFE 0x0001 @@ -609,6 +669,7 @@ typedef struct _krb5_get_init_creds_opt { #define KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST 0x0040 #define KRB5_GET_INIT_CREDS_OPT_SALT 0x0080 #define KRB5_GET_INIT_CREDS_OPT_ANONYMOUS 0x0100 +#define KRB5_GET_INIT_CREDS_OPT_DISABLE_TRANSITED_CHECK 0x0200 typedef struct _krb5_verify_init_creds_opt { krb5_flags flags; @@ -628,10 +689,14 @@ typedef struct krb5_verify_opt { #define KRB5_VERIFY_LREALMS 1 #define KRB5_VERIFY_NO_ADDRESSES 2 +extern const krb5_cc_ops krb5_acc_ops; extern const krb5_cc_ops krb5_fcc_ops; extern const krb5_cc_ops krb5_mcc_ops; +extern const krb5_cc_ops krb5_kcm_ops; extern const krb5_kt_ops krb5_fkt_ops; +extern const krb5_kt_ops krb5_wrfkt_ops; +extern const krb5_kt_ops krb5_javakt_ops; extern const krb5_kt_ops krb5_mkt_ops; extern const krb5_kt_ops krb5_akf_ops; extern const krb5_kt_ops krb4_fkt_ops; 
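Review bot: In the krb5_get_init_creds_opt hunk the new `struct _krb5_get_init_creds_opt_private *opt_private` member grows a struct that callers define by value, so a caller that zeroes it by hand or was built against the previous layout never initializes the pointer, and a library dereference of it is then undefined behaviour; the initializer and accessors are not visible from this hunk, so this may already be handled. I would state the rule on the field, `struct _krb5_get_init_creds_opt_private *opt_private; /* opaque, library-owned; NULL unless allocated by the library, never set by callers */`, and have every library read tolerate NULL. The flag added in the following hunk, KRB5_GET_INIT_CREDS_OPT_DISABLE_TRANSITED_CHECK, also deserves a trailing comment saying that it disables the transited-realm check on the returned ticket, since that is a security-relevant opt-out and the name alone does not say what check is skipped.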
@@ -672,6 +737,11 @@ typedef struct krb5_krbhst_info { char hostname[1]; /* has to come last */ } krb5_krbhst_info; +/* flags for krb5_krbhst_init_flags (and krb5_send_to_kdc_flags) */ +enum { + KRB5_KRBHST_FLAGS_MASTER = 1, + KRB5_KRBHST_FLAGS_LARGE_MSG = 2 +}; struct credentials; /* this is to keep the compiler happy */ struct getargs; diff --git a/kerberosV/src/lib/krb5/krb5_address.3 b/kerberosV/src/lib/krb5/krb5_address.3 index cbd262ac353..62adccc8c96 100644 --- a/kerberosV/src/lib/krb5/krb5_address.3 +++ b/kerberosV/src/lib/krb5/krb5_address.3 
@@ -1,37 +1,37 @@ -.\" Copyright (c) 2003 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. +.\" Copyright (c) 2003, 2005 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. .\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: .\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. .\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. .\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. 
.\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. -.\" -.\" $KTH: krb5_address.3,v 1.4 2003/04/16 13:58:12 lha Exp $ -.\" -.Dd March 11, 2002 +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $KTH: krb5_address.3,v 1.10 2005/04/24 07:52:03 lha Exp $ +.\" +.Dd April 24, 2005 .Dt KRB5_ADDRESS 3 .Os HEIMDAL .Sh NAME 
@@ -192,7 +192,7 @@ The structure holds a set of krb5_address:es. .Pp .Fn krb5_sockaddr2address -stores a address a +stores a address a .Li "struct sockaddr" .Fa sa in the krb5_address @@ -213,8 +213,9 @@ from .Fa addr and .Fa port . +The argument .Fa sa_size -should be initially contain the size of the +should initially contain the size of the .Fa sa , and after the call, it will contain the actual length of the address. .Pp @@ -241,8 +242,9 @@ and the .Li "struct hostent" (see .Xr gethostbyname 3 ) -.Fa h_addr_list +.Fa h_addr_list component. +The argument .Fa sa_size should initially contain the size of the .Fa sa , @@ -263,8 +265,9 @@ fills in a that can be used to .Xr bind 2 to. +The argument .Fa sa_size -should be initially contain the size of the +should initially contain the size of the .Fa sa , and after the call, it will contain the actual length of the address. .Pp @@ -279,7 +282,9 @@ If .Fa ret_len is not .Dv NULL , -it will be filled with the length of the string. +it will be filled with the length of the string if size where unlimited (not +included the final +.Ql \e0 ) . .Pp .Fn krb5_parse_address Returns the resolved hostname in @@ -343,7 +348,7 @@ to While copying the addresses, duplicates are also sorted out. .Pp .Fn krb5_make_addrport -allocates and creates an +allocates and creates an krb5_address in .Fa res of type KRB5_ADDRESS_ADDRPORT from diff --git a/kerberosV/src/lib/krb5/krb5_aname_to_localname.3 b/kerberosV/src/lib/krb5/krb5_aname_to_localname.3 index 88694c46237..5edc7b2c85a 100644 --- a/kerberosV/src/lib/krb5/krb5_aname_to_localname.3 +++ b/kerberosV/src/lib/krb5/krb5_aname_to_localname.3 
@@ -1,37 +1,37 @@ .\" Copyright (c) 2003 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. .\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: .\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. .\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. .\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. .\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. .\" -.\" $KTH: krb5_aname_to_localname.3,v 1.2 2003/04/16 13:58:13 lha Exp $ +.\" $KTH: krb5_aname_to_localname.3,v 1.4 2005/04/24 07:37:52 lha Exp $ .\" -.Dd March 17, 2003 +.Dd April 24, 2005 .Dt KRB5_ANAME_TO_LOCALNAME 3 .Os HEIMDAL .Sh NAME diff --git a/kerberosV/src/lib/krb5/krb5_ccache.3 b/kerberosV/src/lib/krb5/krb5_ccache.3 index bd2fdd5783a..409e454bf1b 100644 --- a/kerberosV/src/lib/krb5/krb5_ccache.3 +++ b/kerberosV/src/lib/krb5/krb5_ccache.3 
@@ -1,37 +1,37 @@ -.\" Copyright (c) 2003 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. +.\" Copyright (c) 2003-2004 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. .\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: .\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. .\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. .\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. .\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. -.\" -.\" $KTH: krb5_ccache.3,v 1.7 2003/04/16 13:58:12 lha Exp $ -.\" -.Dd March 16, 2003 +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $KTH: krb5_ccache.3,v 1.13 2005/04/24 13:57:33 lha Exp $ +.\" +.Dd April 24, 2005 .Dt KRB5_CCACHE 3 .Os HEIMDAL .Sh NAME @@ -40,6 +40,7 @@ .Nm krb5_cc_ops , .Nm krb5_fcc_ops , .Nm krb5_mcc_ops , +.Nm krb5_cc_clear_mcred , .Nm krb5_cc_close , .Nm krb5_cc_copy_cache , .Nm krb5_cc_default , 
@@ -48,19 +49,22 @@ .Nm krb5_cc_end_seq_get , .Nm krb5_cc_gen_new , .Nm krb5_cc_get_name , +.Nm krb5_cc_get_ops , +.Nm krb5_cc_get_prefix_ops , .Nm krb5_cc_get_principal , .Nm krb5_cc_get_type , -.Nm krb5_cc_get_ops , .Nm krb5_cc_get_version , .Nm krb5_cc_initialize , +.Nm krb5_cc_next_cred , +.Nm krb5_cc_next_cred_match , +.Nm krb5_cc_new_unique , .Nm krb5_cc_register , +.Nm krb5_cc_remove_cred , .Nm krb5_cc_resolve , .Nm krb5_cc_retrieve_cred , -.Nm krb5_cc_remove_cred , .Nm krb5_cc_set_default_name , -.Nm krb5_cc_store_cred , .Nm krb5_cc_set_flags , -.Nm krb5_cc_next_cred +.Nm krb5_cc_store_cred .Nd mange credential cache .Sh LIBRARY Kerberos 5 Library (libkrb5, -lkrb5) @@ -77,6 +81,10 @@ Kerberos 5 Library (libkrb5, -lkrb5) .Pp .Li "struct krb5_cc_ops *krb5_mcc_ops;" .Pp +.Ft void +.Fo krb5_cc_clear_mcred +.Fa "krb5_creds *mcred" +.Fc .Ft krb5_error_code .Fo krb5_cc_close .Fa "krb5_context *context" @@ -135,6 +143,11 @@ Kerberos 5 Library (libkrb5, -lkrb5) .Fa "krb5_context *context" .Fa "krb5_ccache id" .Fc +.Ft "const krb5_cc_ops *" +.Fo krb5_cc_get_prefix_ops +.Fa "krb5_context context" +.Fa "const char *prefix" +.Fc .Ft krb5_error_code .Fo krb5_cc_get_version .Fa "krb5_context *context" @@ -197,6 +210,22 @@ Kerberos 5 Library (libkrb5, -lkrb5) .Fa "krb5_cc_cursor *cursor" .Fa "krb5_creds *creds" .Fc +.Ft krb5_error_code +.Fo krb5_cc_next_cred_match +.Fa "krb5_context *context" +.Fa "const krb5_ccache id" +.Fa "krb5_cc_cursor *cursor" +.Fa "krb5_creds *creds" +.Fa "krb5_flags whichfields" +.Fa "const krb5_creds *mcreds" +.Fc +.Ft krb5_error_code +.Fo krb5_cc_new_unique +.Fa "krb5_context context" +.Fa "const char *type" +.Fa "const char *hint" +.Fa "krb5_ccache *id" +.Fc .Sh DESCRIPTION The .Li krb5_ccache 
@@ -231,68 +260,95 @@ gets and sets the default name for the .Fa context . .Pp .Fn krb5_cc_default -opens the default ccache in +opens the default credential cache in .Fa id . Return 0 or an error code. .Pp .Fn krb5_cc_gen_new -generates a new ccache of type +generates a new credential cache of type .Fa ops in .Fa id . Return 0 or an error code. +The Heimdal version of this function also runs +.Fn krb5_cc_initialize +on the credential cache, but since the MIT version doesn't, portable +code must call krb5_cc_initialize. +.Pp +.Fn krb5_cc_new_unique +generates a new unique credential cache of +.Fa type +in +.Fa id . +If type is +.Dv NULL , +the library chooses the default credential cache type. +The supplied +.Fa hint +(that can be +.Dv NULL ) +is a string that the credential cache type can use to base the name of +the credential on, this is to make its easier for the user to +differentiate the credentials. +The returned credential cache +.Fa id +should be freed using +.Fn krb5_cc_close +or +.Fn krb5_cc_destroy . +Returns 0 or an error code. .Pp .Fn krb5_cc_resolve -finds and allocates a ccache in +finds and allocates a credential cache in .Fa id -from the specification in +from the specification in .Fa residual . -If the ccache name doesn't contain any colon (:), interpret it as a +If the credential cache name doesn't contain any colon (:), interpret it as a file name. Return 0 or an error code. .Pp .Fn krb5_cc_initialize -creates a new ccache in +creates a new credential cache in .Fa id for .Fa primary_principal . Return 0 or an error code. .Pp .Fn krb5_cc_close -stops using the ccache +stops using the credential cache .Fa id and frees the related resources. Return 0 or an error code. .Fn krb5_cc_destroy -removes the ccache +removes the credential cache and closes (by calling .Fn krb5_cc_close ) .Fa id . Return 0 or an error code. .Pp .Fn krb5_cc_copy_cache -copys the contents of +copys the contents of .Fa from -to +to .Fa to . 
.Pp .Fn krb5_cc_get_name -returns the name of the ccache +returns the name of the credential cache .Fa id . .Pp .Fn krb5_cc_get_principal -returns the principal of +returns the principal of .Fa id in .Fa principal . Return 0 or an error code. .Pp .Fn krb5_cc_get_type -returns the type of the ccache +returns the type of the credential cache .Fa id . .Pp .Fn krb5_cc_get_ops -returns the ops of the ccache +returns the ops of the credential cache .Fa id . .Pp .Fn krb5_cc_get_version @@ -300,23 +356,32 @@ returns the version of .Fa id . .Pp .Fn krb5_cc_register -Adds a new ccache type with operations +Adds a new credential cache type with operations .Fa ops , overwriting any existing one if .Fa override . Return an error code or 0. .Pp +.Fn krb5_cc_get_prefix_ops +Get the cc ops that is registered in +.Fa context +to handle the +.Fa prefix . +Returns +.Dv NULL +if ops not found. +.Pp .Fn krb5_cc_remove_cred removes the credential identified by .Fa ( cred , .Fa which ) -from +from .Fa id . .Pp .Fn krb5_cc_store_cred stores .Fa creds -in the ccache +in the credential cache .Fa id . Return 0 or an error code. .Pp @@ -326,8 +391,14 @@ sets the flags of to .Fa flags . .Pp +.Fn krb5_cc_clear_mcred +clears the +.Fa mcreds +argument so its reset and can be used with +.Fa krb5_cc_retrieve_cred . +.Pp .Fn krb5_cc_retrieve_cred , -retrieves the credential identified by +retrieves the credential identified by .Fa mcreds (and .Fa whichfields ) @@ -347,6 +418,16 @@ and advance .Fa cursor . Return 0 or an error code. .Pp +.Fn krb5_cc_next_cred_match +is similar to +.Fn krb5_cc_next_cred +except that it will only return creds matching +.Fa whichfields +and +.Fa mcreds +(as interpreted by +.Xr krb5_compare_creds 3 . ) +.Pp .Fn krb5_cc_end_seq_get Destroys the cursor .Fa cursor . diff --git a/kerberosV/src/lib/krb5/krb5_context.3 b/kerberosV/src/lib/krb5/krb5_context.3 index 228ce5bf52d..bf8b17ccc46 100644 --- a/kerberosV/src/lib/krb5/krb5_context.3 
+++ b/kerberosV/src/lib/krb5/krb5_context.3 
@@ -1,35 +1,35 @@
-.\" Copyright (c) 2001 - 200 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
+.\" Copyright (c) 2001 - 2003 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
 .\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
 .\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
 .\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
 .\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\" may be used to endorse or promote products derived from this software
+.\" without specific prior written permission.
.\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. .\" -.\" $KTH: krb5_context.3,v 1.5 2003/03/10 02:19:28 lha Exp $ +.\" $KTH: krb5_context.3,v 1.7 2003/05/26 14:08:54 lha Exp $ .\" .Dd January 21, 2001 .Dt KRB5_CONTEXT 3 @@ -37,6 +37,10 @@ .Sh NAME .Nm krb5_context .Nd krb5 state structure +.Sh LIBRARY +Kerberos 5 Library (libkrb5, -lkrb5) +.Sh SYNOPSIS +.In krb5.h .Sh DESCRIPTION The .Nm 
diff --git a/kerberosV/src/lib/krb5/krb5_create_checksum.3 b/kerberosV/src/lib/krb5/krb5_create_checksum.3
index e9e5170aab5..0eacfa33dd6 100644
--- a/kerberosV/src/lib/krb5/krb5_create_checksum.3
+++ b/kerberosV/src/lib/krb5/krb5_create_checksum.3
@@ -1,60 +1,145 @@
-.\" Copyright (c) 1999 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
+.\" Copyright (c) 1999-2004 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
 .\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
 .\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
 .\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
 .\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\" may be used to endorse or promote products derived from this software
+.\" without specific prior written permission.
 .\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
.\" -.\" $KTH: krb5_create_checksum.3,v 1.6 2003/04/16 13:58:14 lha Exp $ +.\" $KTH: krb5_create_checksum.3,v 1.13 2005/01/08 20:52:19 lha Exp $ .\" -.Dd April 7, 1999 +.Dd March 20, 2004 .Dt NAME 3 .Os HEIMDAL .Sh NAME +.Nm krb5_checksum , +.Nm krb5_checksum_disable , .Nm krb5_checksum_is_collision_proof , .Nm krb5_checksum_is_keyed , .Nm krb5_checksumsize , +.Nm krb5_cksumtype_valid , +.Nm krb5_copy_checksum , .Nm krb5_create_checksum , +.Nm krb5_crypto_get_checksum_type +.Nm krb5_free_checksum , +.Nm krb5_free_checksum_contents , +.Nm krb5_hmac , .Nm krb5_verify_checksum -.Nd creates and verifies checksums +.Nd creates, handles and verifies checksums .Sh LIBRARY Kerberos 5 Library (libkrb5, -lkrb5) .Sh SYNOPSIS .In krb5.h -.Ft krb5_error_code -.Fn krb5_create_checksum "krb5_context context" "krb5_crypto crypto" "unsigned usage_or_type" "void *data" "size_t len" "Checksum *result" -.Ft krb5_error_code -.Fn krb5_verify_checksum "krb5_context context" "krb5_crypto crypto" "krb5_key_usage usage" "void *data" "size_t len" "Checksum *cksum" +.Pp +.Li "typedef Checksum krb5_checksum;" +.Ft void +.Fo krb5_checksum_disable +.Fa "krb5_context context" +.Fa "krb5_cksumtype type" +.Fc .Ft krb5_boolean -.Fn krb5_checksum_is_collision_proof "krb5_context context" "krb5_cksumtype type" +.Fo krb5_checksum_is_collision_proof +.Fa "krb5_context context" +.Fa "krb5_cksumtype type" +.Fc .Ft krb5_boolean -.Fn krb5_checksum_is_keyed "krb5_context context" "krb5_cksumtype type" +.Fo krb5_checksum_is_keyed +.Fa "krb5_context context" +.Fa "krb5_cksumtype type" +.Fc +.Ft krb5_error_code +.Fo krb5_cksumtype_valid +.Fa "krb5_context context" +.Fa "krb5_cksumtype ctype" +.Fc +.Ft krb5_error_code +.Fo krb5_checksumsize +.Fa "krb5_context context" +.Fa "krb5_cksumtype type" +.Fa "size_t *size" +.Fc +.Ft krb5_error_code +.Fo krb5_create_checksum +.Fa "krb5_context context" +.Fa "krb5_crypto crypto" +.Fa "unsigned usage_or_type" +.Fa "void *data" +.Fa "size_t len" +.Fa "Checksum *result" +.Fc 
+.Ft krb5_error_code +.Fo krb5_verify_checksum +.Fa "krb5_context context" +.Fa "krb5_crypto crypto" +.Fa "krb5_key_usage usage" +.Fa "void *data" +.Fa "size_t len" +.Fa "Checksum *cksum" +.Fc +.Ft krb5_error_code +.Fo krb5_crypto_get_checksum_type +.Fa "krb5_context context" +.Fa "krb5_crypto crypto" +.Fa "krb5_cksumtype *type" +.Fc +.Ft void +.Fo krb5_free_checksum +.Fa "krb5_context context" +.Fa "krb5_checksum *cksum" +.Fc +.Ft void +.Fo krb5_free_checksum_contents +.Fa "krb5_context context" +.Fa "krb5_checksum *cksum" +.Fc +.Ft krb5_error_code +.Fo krb5_hmac +.Fa "krb5_context context" +.Fa "krb5_cksumtype cktype" +.Fa "const void *data" +.Fa "size_t len" +.Fa "unsigned usage" +.Fa "krb5_keyblock *key" +.Fa "Checksum *result" +.Fc +.Ft krb5_error_code +.Fo krb5_copy_checksum +.Fa "krb5_context context" +.Fa "const krb5_checksum *old" +.Fa "krb5_checksum **new" +.Fc .Sh DESCRIPTION -These functions are used to create and verify checksums. +The +.Li krb5_checksum +structure holds a Kerberos checksum. +There is no component inside +.Li krb5_checksum +that is directly referable. +.Pp +The functions are used to create and verify checksums. .Fn krb5_create_checksum creates a checksum of the specified data, and puts it in .Fa result . @@ -73,7 +158,7 @@ specifies a key-usage. .Pp .Fn krb5_verify_checksum verifies the -.Fa checksum , +.Fa checksum against the provided data. .Pp .Fn krb5_checksum_is_collision_proof 
@@ -88,6 +173,50 @@ value is a function of both the data, and a separate key). Examples of keyed hash algorithms are HMAC-SHA1-DES3, and RSA-MD5-DES. The .Dq plain hash functions MD5, and SHA1 are not keyed. +.Pp +.Fn krb5_crypto_get_checksum_type +returns the checksum type that will be used when creating a checksum for the given +.Fa crypto +context. +This function is useful in combination with +.Fn krb5_checksumsize +when you want to know the size a checksum will +use when you create it. +.Pp +.Fn krb5_cksumtype_valid +returns 0 or an error if the checksumtype is implemented and not +currently disabled in this kerberos library. +.Pp +.Fn krb5_checksumsize +returns the size of the outdata of checksum function. +.Pp +.Fn krb5_copy_checksum +returns a copy of the checksum +.Fn krb5_free_checksum +should use used to free the +.Fa new +checksum. +.Pp +.Fn krb5_free_checksum +free the checksum and the content of the checksum. +.Pp +.Fn krb5_free_checksum_contents +frees the content of checksum in +.Fa cksum . +.Pp +.Fn krb5_hmac +calculates the HMAC over +.Fa data +(with length +.Fa len ) +using the keyusage +.Fa usage +and keyblock +.Fa key . +Note that keyusage is not always used in checksums. +.Pp +.Nm krb5_checksum_disable +globally disables the checksum type. .\" .Sh EXAMPLE .\" .Sh BUGS .Sh SEE ALSO diff --git a/kerberosV/src/lib/krb5/krb5_crypto_init.3 b/kerberosV/src/lib/krb5/krb5_crypto_init.3 index 397120ad7ff..e5476a72cfb 100644 --- a/kerberosV/src/lib/krb5/krb5_crypto_init.3 +++ b/kerberosV/src/lib/krb5/krb5_crypto_init.3 
@@ -1,43 +1,43 @@
 .\" Copyright (c) 1999 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
 .\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
 .\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
 .\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
 .\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\" may be used to endorse or promote products derived from this software
+.\" without specific prior written permission.
 .\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. .\" -.\" $KTH: krb5_crypto_init.3,v 1.6 2003/04/16 13:58:15 lha Exp $ +.\" $KTH: krb5_crypto_init.3,v 1.9 2004/03/20 12:00:01 lha Exp $ .\" .Dd April 7, 1999 .Dt NAME 3 .Os HEIMDAL .Sh NAME -.Nm krb5_crypto_init , -.Nm krb5_crypto_destroy -.Nd initialize encryption context +.Nm krb5_crypto_destroy , +.Nm krb5_crypto_init +.Nd encryption support in krb5 .Sh LIBRARY Kerberos 5 Library (libkrb5, -lkrb5) .Sh SYNOPSIS 
@@ -47,22 +47,19 @@ Kerberos 5 Library (libkrb5, -lkrb5) .Ft krb5_error_code .Fn krb5_crypto_destroy "krb5_context context" "krb5_crypto crypto" .Sh DESCRIPTION -These functions are used to initialize an encryption context that can -be used to encrypt or checksum data. +Heimdal exports parts of the Kerberos crypto interface for applications. .Pp -The -.Fn krb5_crypt_init -initializes the encrytion context -.Fa crypto . -The -.Fa key -parameter is the key to use for encryption, and checksums. The -encryption type to use is taken from the key, but can be overridden +Each kerberos encrytion/checksum function takes a crypto context. +.Pp +To setup and destroy crypto contextes there are two functions +.Fn krb5_crypto_init +and +.Fn krb5_crypto_destroy . +The encryption type to use is taken from the key, but can be overridden with the .Fa enctype parameter . -.Pp -.Fn krb5_crypto_destroy -frees a previously allocated encrypion context. +This can be useful for encryptions types which is compatiable (DES for +example). .\" .Sh EXAMPLE .\" .Sh BUGS .Sh SEE ALSO diff --git a/kerberosV/src/lib/krb5/krb5_data.3 b/kerberosV/src/lib/krb5/krb5_data.3 index c0e999a779a..6664b84405a 100644 --- a/kerberosV/src/lib/krb5/krb5_data.3 +++ b/kerberosV/src/lib/krb5/krb5_data.3 
@@ -1,37 +1,37 @@
 .\" Copyright (c) 2003 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
 .\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
 .\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
 .\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
 .\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\" may be used to endorse or promote products derived from this software
+.\" without specific prior written permission.
 .\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. -.\" -.\" $KTH: krb5_data.3,v 1.4 2003/04/16 13:58:13 lha Exp $ -.\" -.Dd March 20, 2003 +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $KTH: krb5_data.3,v 1.7 2005/04/24 07:40:35 lha Exp $ +.\" +.Dd April 24, 2005 .Dt KRB5_DATA 3 .Os HEIMDAL .Sh NAME @@ -86,7 +86,9 @@ resets the content of .Pp .Fn krb5_data_free free the data in -.Fa p . +.Fa p +and reset the content of the structure with +.Fn krb5_data_zero . .Pp .Fn krb5_free_data_contents works the same way as @@ -105,7 +107,7 @@ itself. allocates .Fa len bytes in -.Fa p . +.Fa p . Returns 0 or an error. .Pp .Fn krb5_data_realloc 
diff --git a/kerberosV/src/lib/krb5/krb5_encrypt.3 b/kerberosV/src/lib/krb5/krb5_encrypt.3
index b64ed57c045..159f685b921 100644
--- a/kerberosV/src/lib/krb5/krb5_encrypt.3
+++ b/kerberosV/src/lib/krb5/krb5_encrypt.3
@@ -1,61 +1,186 @@
-.\" Copyright (c) 1999 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
+.\" Copyright (c) 1999 - 2004 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
 .\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
 .\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
 .\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
 .\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\" may be used to endorse or promote products derived from this software
+.\" without specific prior written permission.
 .\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
.\" -.\" $KTH: krb5_encrypt.3,v 1.7 2003/04/16 13:58:15 lha Exp $ +.\" $KTH: krb5_encrypt.3,v 1.15.4.1 2005/10/26 10:06:18 lha Exp $ .\" -.Dd April 7, 1999 +.Dd March 20, 2004 .Dt KRB5_ENCRYPT 3 .Os HEIMDAL .Sh NAME +.Nm krb5_crypto_getblocksize , +.Nm krb5_crypto_getconfoundersize +.Nm krb5_crypto_getenctype , +.Nm krb5_crypto_getpadsize , .Nm krb5_decrypt , .Nm krb5_decrypt_EncryptedData , +.Nm krb5_decrypt_ivec , +.Nm krb5_decrypt_ticket , .Nm krb5_encrypt , -.Nm krb5_encrypt_EncryptedData -.Nd encrypt and decrypt data +.Nm krb5_encrypt_EncryptedData , +.Nm krb5_encrypt_ivec , +.Nm krb5_enctype_disable , +.Nm krb5_enctype_keysize , +.Nm krb5_enctype_to_string , +.Nm krb5_enctype_valid , +.Nm krb5_get_wrapped_length , +.Nm krb5_string_to_enctype +.Nd encrypt and decrypt data, set and get encryption type parameters .Sh LIBRARY Kerberos 5 Library (libkrb5, -lkrb5) .Sh SYNOPSIS .In krb5.h .Ft krb5_error_code -.Fn krb5_encrypt "krb5_context context" "krb5_crypto crypto" "unsigned usage" "void *data" "size_t len" "krb5_data *result" +.Fo krb5_encrypt +.Fa "krb5_context context" +.Fa "krb5_crypto crypto" +.Fa "unsigned usage" +.Fa "void *data" +.Fa "size_t len" +.Fa "krb5_data *result" +.Fc .Ft krb5_error_code -.Fn krb5_encrypt_EncryptedData "krb5_context context" "krb5_crypto crypto" "unsigned usage" "void *data" "size_t len" "int kvno" "EncryptedData *result" +.Fo krb5_encrypt_EncryptedData +.Fa "krb5_context context" +.Fa "krb5_crypto crypto" +.Fa "unsigned usage" +.Fa "void *data" +.Fa "size_t len" +.Fa "int kvno" +.Fa "EncryptedData *result" +.Fc .Ft krb5_error_code -.Fn krb5_decrypt "krb5_context context" "krb5_crypto crypto" "unsigned usage" "void *data" "size_t len" "krb5_data *result" +.Fo krb5_encrypt_ivec +.Fa "krb5_context context" +.Fa "krb5_crypto crypto" +.Fa "unsigned usage" +.Fa "void *data" +.Fa "size_t len" +.Fa "krb5_data *result" +.Fa "void *ivec" +.Fc .Ft krb5_error_code -.Fn krb5_decrypt_EncryptedData "krb5_context context" "krb5_crypto crypto" 
"unsigned usage" "EncryptedData *e" "krb5_data *result"
+.Fo krb5_decrypt
+.Fa "krb5_context context"
+.Fa "krb5_crypto crypto"
+.Fa "unsigned usage"
+.Fa "void *data"
+.Fa "size_t len"
+.Fa "krb5_data *result"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_decrypt_EncryptedData
+.Fa "krb5_context context"
+.Fa "krb5_crypto crypto"
+.Fa "unsigned usage"
+.Fa "EncryptedData *e"
+.Fa "krb5_data *result"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_decrypt_ivec
+.Fa "krb5_context context"
+.Fa "krb5_crypto crypto"
+.Fa "unsigned usage"
+.Fa "void *data"
+.Fa "size_t len"
+.Fa "krb5_data *result"
+.Fa "void *ivec"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_decrypt_ticket
+.Fa "krb5_context context"
+.Fa "Ticket *ticket"
+.Fa "krb5_keyblock *key"
+.Fa "EncTicketPart *out"
+.Fa "krb5_flags flags"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_crypto_getblocksize
+.Fa "krb5_context context"
+.Fa "size_t *blocksize"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_crypto_getenctype
+.Fa "krb5_context context"
+.Fa "krb5_crypto crypto"
+.Fa "krb5_enctype *enctype"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_crypto_getpadsize
+.Fa "krb5_context context"
+.Fa size_t *padsize"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_crypto_getconfoundersize
+.Fa "krb5_context context"
+.Fa "krb5_crypto crypto
+.Fa size_t *confoundersize"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_enctype_keysize
+.Fa "krb5_context context"
+.Fa "krb5_enctype type"
+.Fa "size_t *keysize"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_string_to_enctype
+.Fa "krb5_context context"
+.Fa "const char *string"
+.Fa "krb5_enctype *etype"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_enctype_to_string
+.Fa "krb5_context context"
+.Fa "krb5_enctype etype"
+.Fa "char **string"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_enctype_valid
+.Fa "krb5_context context"
+.Fa "krb5_enctype etype"
+.Fc
+.Ft void
+.Fo krb5_enctype_disable
+.Fa "krb5_context context"
+.Fa "krb5_enctype etype"
+.Fc
+.Ft size_t
+.Fo krb5_get_wrapped_length
+.Fa "krb5_context context"
+.Fa "krb5_crypto crypto"
+.Fa "size_t data_len"
+.Fc
 .Sh 
DESCRIPTION These functions are used to encrypt and decrypt data. .Pp -.Fn krb5_encrypt +.Fn krb5_encrypt_ivec puts the encrypted version of .Fa data (of size @@ -65,6 +190,20 @@ in If the encryption type supports using derived keys, .Fa usage should be the appropriate key-usage. +.Fa ivec +is a pointer to a initial IV, its modified to the end IV at the end of +the round. +Ivec should be the size of +If +.Dv NULL +is passed in, the default IV is used. +.Fn krb5_encrypt +does the same as +.Fn krb5_encrypt_ivec +but with +.Fa ivec +being +.Dv NULL . .Fn krb5_encrypt_EncryptedData does the same as .Fn krb5_encrypt , 
@@ -72,14 +211,55 @@ but it puts the encrypted data in a .Fa EncryptedData structure instead. If .Fa kvno -is not zero, it will be put in the -.Fa kvno field in the +is not zero, it will be put in the (optional) +.Fa kvno +field in the .Fa EncryptedData . .Pp +.Fn krb5_decrypt_ivec , .Fn krb5_decrypt , and .Fn krb5_decrypt_EncryptedData works similarly. +.Pp +.Fn krb5_decrypt_ticket +decrypts the encrypted part of +.Fa ticket +with +.Fa key . +.Fn krb5_decrypt_ticket +also verifies the timestamp in the ticket, invalid flag and if the KDC +haven't verified the transited path, the transit path. +.Pp +.Fn krb5_enctype_keysize , +.Fn krb5_crypto_getconfoundersize , +.Fn krb5_crypto_getblocksize , +.Fn krb5_crypto_getenctype , +.Fn krb5_crypto_getpadsize +all returns various (sometimes) useful information from a crypto context. +.Pp +.Fn krb5_enctype_to_string +converts a encryption type number to a string that can be printable +and stored. The strings returned should be freed with +.Xr free 3 . +.Pp +.Fn krb5_string_to_enctype +converts a encryption type strings to a encryption type number that +can use used for other Kerberos crypto functions. +.Pp +.Fn krb5_enctype_valid +returns 0 if the encrypt is supported and not disabled, otherwise and +error code is returned. +.Pp +.Fn krb5_enctype_disable +(globally, for all contextes) disables the +.Fa enctype . +.Pp +.Fn krb5_get_wrapped_length +returns the size of an encrypted packet by +.Fa crypto +of length +.Fa data_len . .\" .Sh EXAMPLE .\" .Sh BUGS .Sh SEE ALSO diff --git a/kerberosV/src/lib/krb5/krb5_get_all_client_addrs.3 b/kerberosV/src/lib/krb5/krb5_get_all_client_addrs.3 index 4560c41abb6..23c4542eabd 100644 --- a/kerberosV/src/lib/krb5/krb5_get_all_client_addrs.3 +++ b/kerberosV/src/lib/krb5/krb5_get_all_client_addrs.3 
@@ -1,38 +1,39 @@ .\" Copyright (c) 2001 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. .\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: .\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. .\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. .\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. .\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. .\" -.\" $KTH: krb5_get_all_client_addrs.3,v 1.6 2003/04/16 13:58:16 lha Exp $ +.\" $KTH: krb5_get_all_client_addrs.3,v 1.8 2003/05/26 14:08:56 lha Exp $ .\" .Dd July 1, 2001 .Dt KRB5_GET_ADDRS 3 +.Os HEIMDAL .Sh NAME .Nm krb5_get_all_client_addrs , .Nm krb5_get_all_server_addrs diff --git a/kerberosV/src/lib/krb5/krb5_get_krbhst.3 b/kerberosV/src/lib/krb5/krb5_get_krbhst.3 index 1f876b386a0..5e772750da4 100644 --- a/kerberosV/src/lib/krb5/krb5_get_krbhst.3 +++ b/kerberosV/src/lib/krb5/krb5_get_krbhst.3 
@@ -1,37 +1,37 @@ .\" Copyright (c) 2001 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. .\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: .\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. .\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. .\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. .\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. .\" -.\" $KTH: krb5_get_krbhst.3,v 1.6 2003/04/16 13:58:16 lha Exp $ +.\" $KTH: krb5_get_krbhst.3,v 1.9 2005/04/24 07:42:27 lha Exp $ .\" -.Dd June 17, 2001 +.Dd April 24, 2005 .Dt KRB5_GET_KRBHST 3 .Os HEIMDAL .Sh NAME diff --git a/kerberosV/src/lib/krb5/krb5_init_context.3 b/kerberosV/src/lib/krb5/krb5_init_context.3 index 1ffabc220ae..3b9809d13d1 100644 --- a/kerberosV/src/lib/krb5/krb5_init_context.3 +++ b/kerberosV/src/lib/krb5/krb5_init_context.3 
@@ -1,51 +1,158 @@ -.\" Copyright (c) 2001 - 2002 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. +.\" Copyright (c) 2001 - 2004 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. .\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: .\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. .\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. .\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. 
.\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. -.\" -.\" $KTH: krb5_init_context.3,v 1.9 2003/04/16 13:58:11 lha Exp $ -.\" -.Dd January 21, 2001 +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. 
+.\" +.\" $KTH: krb5_init_context.3,v 1.15 2004/12/08 17:50:00 lha Exp $ +.\" +.Dd December 8, 2004 .Dt KRB5_CONTEXT 3 .Os HEIMDAL .Sh NAME +.Nm krb5_context , .Nm krb5_init_context , -.Nm krb5_free_context -.Nd create and delete krb5_context structures +.Nm krb5_free_context , +.Nm krb5_init_ets , +.Nm krb5_add_et_list , +.Nm krb5_add_extra_addresses , +.Nm krb5_add_ignore_addresses , +.Nm krb5_get_extra_addresses , +.Nm krb5_get_ignore_addresses , +.Nm krb5_set_extra_addresses , +.Nm krb5_set_ignore_addresses , +.Nm krb5_set_fcache_version , +.Nm krb5_get_fcache_version , +.Nm krb5_set_config_files , +.Nm krb5_prepend_config_files , +.Nm krb5_prepend_config_files_default , +.Nm krb5_get_default_config_files , +.Nm krb5_free_config_files , +.Nm krb5_set_use_admin_kdc , +.Nm krb5_get_use_admin_kdc +.Nd create, modify and delete krb5_context structures .Sh LIBRARY Kerberos 5 Library (libkrb5, -lkrb5) .Sh SYNOPSIS .In krb5.h +.Pp +.Li "struct krb5_context;" +.Pp +.Ft krb5_error_code +.Fo krb5_init_context +.Fa "krb5_context *context" +.Fc +.Ft void +.Fo krb5_free_context +.Fa "krb5_context context" +.Fc +.Ft void +.Fo krb5_init_ets +.Fa "krb5_context context" +.Fc +.Ft krb5_error_code +.Fo krb5_add_et_list +.Fa "krb5_context context" +.Fa "void (*func)(struct et_list **)" +.Fc +.Ft krb5_error_code +.Fo krb5_add_extra_addresses +.Fa "krb5_context context" +.Fa "krb5_addresses *addresses" +.Fc .Ft krb5_error_code -.Fn krb5_init_context "krb5_context *context" +.Fo krb5_set_extra_addresses +.Fa "krb5_context context" +.Fa "const krb5_addresses *addresses" +.Fc +.Ft krb5_error_code +.Fo krb5_get_extra_addresses +.Fa "krb5_context context" +.Fa "krb5_addresses *addresses" +.Fc +.Ft krb5_error_code +.Fo krb5_add_ignore_addresses +.Fa "krb5_context context" +.Fa "krb5_addresses *addresses" +.Fc +.Ft krb5_error_code +.Fo krb5_set_ignore_addresses +.Fa "krb5_context context" +.Fa "const krb5_addresses *addresses" +.Fc +.Ft krb5_error_code +.Fo krb5_get_ignore_addresses +.Fa 
"krb5_context context" +.Fa "krb5_addresses *addresses" +.Fc +.Ft krb5_error_code +.Fo krb5_set_fcache_version +.Fa "krb5_context context" +.Fa "int version" +.Fc +.Ft krb5_error_code +.Fo krb5_get_fcache_version +.Fa "krb5_context context" +.Fa "int *version" +.Fc +.Ft krb5_error_code +.Fo krb5_set_config_files +.Fa "krb5_context context" +.Fa "char **filenames" +.Fc +.Ft krb5_error_code +.Fo krb5_prepend_config_files +.Fa "const char *filelist" +.Fa "char **pq" +.Fa "char ***ret_pp" +.Fc +.ft krb5_error_code +.Fo krb5_prepend_config_files_default +.Fa "const char *filelist" +.Fa "char ***pfilenames" +.Fc +.Ft krb5_error_code +.Fo krb5_get_default_config_files +.Fa "char ***pfilenames" +.Fc +.Ft void +.Fo krb5_free_config_files +.Fa "char **filenames" +.Fc .Ft void -.Fn krb5_free_context "krb5_context context" +.Fo krb5_set_use_admin_kdc +.Fa "krb5_context context" +.Fa "krb5_boolean flag" +.Fc +.Ft krb5_boolean +.Fo krb5_get_use_admin_kdc +.Fa "krb5_context context" +.Fc .Sh DESCRIPTION The .Fn krb5_init_context @@ -57,7 +164,7 @@ structure and reads the configuration file The structure should be freed by calling .Fn krb5_free_context when it is no longer being used. -.Sh RETURN VALUES +.Pp .Fn krb5_init_context returns 0 to indicate success. Otherwise an errno code is returned. 
@@ -66,7 +173,87 @@ Failure means either that something bad happened during initialization .Bq ENOMEM ) or that Kerberos should not be used .Bq ENXIO . +.Pp +.Fn krb5_init_ets +adds all +.Xr com_err 3 +libs to +.Fa context . +This is done by +.Fn krb5_init_context . +.Pp +.Fn krb5_add_et_list +adds a +.Xr com_err 3 +error-code handler +.Fa func +to the specified +.Fa context . +The error handler must generated by the the re-rentrant version of the +.Xr compile_et 3 +program. +.Fn krb5_add_extra_addresses +add a list of addresses that should be added when requesting tickets. +.Pp +.Fn krb5_add_ignore_addresses +add a list of addresses that should be ignored when requesting tickets. +.Pp +.Fn krb5_get_extra_addresses +get the list of addresses that should be added when requesting tickets. +.Pp +.Fn krb5_get_ignore_addresses +get the list of addresses that should be ignored when requesting tickets. +.Pp +.Fn krb5_set_ignore_addresses +set the list of addresses that should be ignored when requesting tickets. +.Pp +.Fn krb5_set_extra_addresses +set the list of addresses that should be added when requesting tickets. +.Pp +.Fn krb5_set_fcache_version +sets the version of file credentials caches that should be used. +.Pp +.Fn krb5_get_fcache_version +gets the version of file credentials caches that should be used. +.Pp +.Fn krb5_set_config_files +set the list of configuration files to use and re-initialize the +configuration from the files. +.Pp +.Fn krb5_prepend_config_files +parse the +.Fa filelist +and prepend the result to the already existing list +.Fa pq +The result is returned in +.Fa ret_pp +and should be freed with +.Fn krb5_free_config_files . +.Pp +.Fn krb5_prepend_config_files_default +parse the +.Fa filelist +and append that to the default +list of configuration files. +.Pp +.Fn krb5_get_default_config_files +get a list of default configuration files. 
+.Pp +.Fn krb5_free_config_files +free a list of configuration files returned by +.Fn krb5_get_default_config_files , +.Fn krb5_prepend_config_files_default , +or +.Fn krb5_prepend_config_files . +.Pp +.Fn krb5_set_use_admin_kdc +sets if all KDC requests should go admin KDC. +.Pp +.Fn krb5_get_use_admin_kdc +gets if all KDC requests should go admin KDC. .Sh SEE ALSO .Xr errno 2 , +.Xr krb5 3 , +.Xr krb5_config 3 , .Xr krb5_context 3 , .Xr kerberos 8 diff --git a/kerberosV/src/lib/krb5/krb5_keytab.3 b/kerberosV/src/lib/krb5/krb5_keytab.3 index 9e69e40ed4a..9f0f51af509 100644 --- a/kerberosV/src/lib/krb5/krb5_keytab.3 +++ b/kerberosV/src/lib/krb5/krb5_keytab.3 
@@ -1,37 +1,37 @@ .\" Copyright (c) 2001 - 2003 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. .\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: .\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. .\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. .\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. .\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. .\" -.\" $KTH: krb5_keytab.3,v 1.9 2003/04/16 13:58:16 lha Exp $ +.\" $KTH: krb5_keytab.3,v 1.16 2005/05/23 14:07:32 lha Exp $ .\" -.Dd February 5, 2001 +.Dd March 28, 2005 .Dt KRB5_KEYTAB 3 .Os HEIMDAL .Sh NAME @@ -43,6 +43,7 @@ .Nm krb5_kt_compare , .Nm krb5_kt_copy_entry_contents , .Nm krb5_kt_default , +.Nm krb5_kt_default_modify_name , .Nm krb5_kt_default_name , .Nm krb5_kt_end_seq_get , .Nm krb5_kt_free_entry , 
@@ -92,6 +93,12 @@ Kerberos 5 Library (libkrb5, -lkrb5) .Fa "krb5_keytab *id" .Fc .Ft krb5_error_code +.Fo krb5_kt_default_modify_name +.Fa "krb5_context context" +.Fa "char *name" +.Fa "size_t namesize" +.Fc +.Ft krb5_error_code .Fo krb5_kt_default_name .Fa "krb5_context context" .Fa "char *name" @@ -191,8 +198,20 @@ are: .Bl -tag -width Ds .It Nm file store the keytab in a file, the type's name is -.Li KEYFILE . +.Li FILE . The residual part is a filename. +For compatibility with other Kerberos implemtation +.Li WRFILE +and +.LI JAVA14 +is also accepted. +.Li WRFILE +has the same format as +.Li FILE . +.Li JAVA14 +have a format that is compatible with older versions of MIT kerberos +and SUN's Java based installation. They store a truncted kvno, so +when the knvo excess 255, they are truncted in this format. .It Nm keyfile store the keytab in a .Li AFS @@ -244,6 +263,7 @@ Returns 0 or an error. The opposite of .Fn krb5_kt_resolve is .Fn krb5_kt_close . +.Pp .Fn krb5_kt_close frees all resources allocated to the keytab. .Pp @@ -253,15 +273,22 @@ sets the argument to the default keytab. Returns 0 or an error. .Pp +.Fn krb5_kt_default_modify_name +copies the name of the default modify keytab into +.Fa name . +Return 0 or KRB5_CONFIG_NOTENUFSPACE if +.Fa namesize +is too short. +.Pp .Fn krb5_kt_default_name -copy the name of the default keytab into +copies the name of the default keytab into .Fa name . Return 0 or KRB5_CONFIG_NOTENUFSPACE if .Fa namesize is too short. .Pp .Fn krb5_kt_add_entry -Add a new +adds a new .Fa entry to the keytab .Fa id . @@ -306,7 +333,7 @@ and store the prefix/name for type of the keytab into .Fa prefix , .Fa prefixsize . The prefix will have the maximum length of -.Dv KRB5_KT_PREFIX_MAX_LEN +.Dv KRB5_KT_PREFIX_MAX_LEN (including terminating .Dv NUL ) . Returns 0 or an error. 
@@ -329,6 +356,8 @@ pointed to by .Fa cursor and advance the .Fa cursor . +On success the returne entry must be freed with +.Fn krb5_kt_free_entry . Returns 0 or an error. .Pp .Fn krb5_kt_end_seq_get @@ -338,23 +367,45 @@ releases all resources associated with .Fn krb5_kt_get_entry retrieves the keytab entry for .Fa principal , -.Fa kvno, +.Fa kvno , .Fa enctype into .Fa entry from the keytab .Fa id . +When comparing an entry in the keytab to determine a match, the +function +.Fn krb5_kt_compare +is used, so the wildcard rules applies to the argument of +.F krb5_kt_get_entry +too. +On success the returne entry must be freed with +.Fn krb5_kt_free_entry . Returns 0 or an error. .Pp .Fn krb5_kt_read_service_key reads the key identified by -.Ns ( Fa principal , +.Fa ( principal , .Fa vno , .Fa enctype ) from the keytab in .Fa keyprocarg -(the default if == NULL) into +(the system default keytab if +.Dv NULL +is used) into .Fa *key . +.Fa keyprocarg +is the same argument as to +.Fa name +argument to +.Fn krb5_kt_resolve . +Internal +.Fn krb5_kt_compare +will be used, so the same wildcard rules applies +to +.Fn krb5_kt_read_service_key . +On success the returned key must be freed with +.Fa krb5_free_keyblock . Returns 0 or an error. .Pp .Fn krb5_kt_remove_entry @@ -362,13 +413,20 @@ removes the entry .Fa entry from the keytab .Fa id . -Returns 0 or an error. +When comparing an entry in the keytab to determine a match, the +function +.Fn krb5_kt_compare +is use, so the wildcard rules applies to the argument of +.Fn krb5_kt_remove_entry . +Returns 0, +.Dv KRB5_KT_NOTFOUND +if not entry matched or another error. .Pp .Fn krb5_kt_register registers a new keytab type .Fa ops . Returns 0 or an error. -.Sh EXAMPLE +.Sh EXAMPLES This is a minimalistic version of .Nm ktutil . .Pp 
@@ -402,6 +460,9 @@ main (int argc, char **argv) ret = krb5_kt_end_seq_get(context, keytab, &cursor); if (ret) krb5_err(context, 1, ret, "krb5_kt_end_seq_get"); + ret = krb5_kt_close(context, keytab); + if (ret) + krb5_err(context, 1, ret, "krb5_kt_close"); krb5_free_context(context); return 0; } diff --git a/kerberosV/src/lib/krb5/krb5_krbhst_init.3 b/kerberosV/src/lib/krb5/krb5_krbhst_init.3 index ca582764c53..0e87719bb2d 100644 --- a/kerberosV/src/lib/krb5/krb5_krbhst_init.3 +++ b/kerberosV/src/lib/krb5/krb5_krbhst_init.3 
@@ -1,41 +1,42 @@ -.\" Copyright (c) 2001 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. +.\" Copyright (c) 2001-2005 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. .\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: .\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. .\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. .\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. .\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. .\" -.\" $KTH: krb5_krbhst_init.3,v 1.7 2003/04/16 13:58:16 lha Exp $ +.\" $KTH: krb5_krbhst_init.3,v 1.12 2005/05/10 09:21:02 lha Exp $ .\" -.Dd June 17, 2001 +.Dd May 10, 2005 .Dt KRB5_KRBHST_INIT 3 .Os HEIMDAL .Sh NAME .Nm krb5_krbhst_init , +.Nm krb5_krbhst_init_flags , .Nm krb5_krbhst_next , .Nm krb5_krbhst_next_as_string , .Nm krb5_krbhst_reset , 
@@ -50,6 +51,8 @@ Kerberos 5 Library (libkrb5, -lkrb5) .Ft krb5_error_code .Fn krb5_krbhst_init "krb5_context context" "const char *realm" "unsigned int type" "krb5_krbhst_handle *handle" .Ft krb5_error_code +.Fn krb5_krbhst_init_flags "krb5_context context" "const char *realm" "unsigned int type" "int flags" "krb5_krbhst_handle *handle" +.Ft krb5_error_code .Fn "krb5_krbhst_next" "krb5_context context" "krb5_krbhst_handle handle" "krb5_krbhst_info **host" .Ft krb5_error_code .Fn krb5_krbhst_next_as_string "krb5_context context" "krb5_krbhst_handle handle" "char *hostname" "size_t hostlen" @@ -69,13 +72,15 @@ for Kerberos 4 ticket conversion. .Pp First a handle to a particular service is obtained by calling .Fn krb5_krbhst_init +(or +.Fn krb5_krbhst_init_flags ) with the .Fa realm of interest and the type of service to lookup. The .Fa type can be one of: .Pp -.Bl -hang -compact -offset indent +.Bl -tag -width Ds -compact -offset indent .It KRB5_KRBHST_KDC .It KRB5_KRBHST_ADMIN .It KRB5_KRBHST_CHANGEPW @@ -87,6 +92,22 @@ The is returned to the caller, and should be passed to the other functions. .Pp +The +.Fa flag +argument to +.Nm krb5_krbhst_init_flags +is the same flags as +.Fn krb5_send_to_kdc_flags +uses. +Possible values are: +.Pp +.Bl -tag -width KRB5_KRBHST_FLAGS_LARGE_MSG -compact -offset indent +.It KRB5_KRBHST_FLAGS_MASTER +only talk to master (readwrite) KDC +.It KRB5_KRBHST_FLAGS_LARGE_MSG +this is a large message, so use transport that can handle that. +.El +.Pp For each call to .Fn krb5_krbhst_next information on a new host is returned. The former function returns in @@ -107,7 +128,7 @@ typedef struct krb5_krbhst_info { .Pp The related function, .Fn krb5_krbhst_next_as_string , -return the same information as a url-like string. +return the same information as a URL-like string. .Pp When there are no more hosts, these functions return .Dv KRB5_KDC_UNREACH . 
@@ -132,7 +153,7 @@ and that will return a .Va struct addrinfo that can then be used for communicating with the server mentioned. -.Sh EXAMPLE +.Sh EXAMPLES The following code will print the KDCs of the realm .Dq MY.REALM : .Bd -literal -offset indent @@ -145,8 +166,9 @@ while(krb5_krbhst_next_as_string(context, handle, krb5_krbhst_free(context, handle); .Ed .\" .Sh BUGS -.Sh HISTORY -These functions first appeared in Heimdal 0.3g. .Sh SEE ALSO .Xr getaddrinfo 3 , -.Xr krb5_get_krbhst 3 +.Xr krb5_get_krbhst 3 , +.Xr krb5_send_to_kdc_flags 3 +.Sh HISTORY +These functions first appeared in Heimdal 0.3g. diff --git a/kerberosV/src/lib/krb5/krb5_kuserok.3 b/kerberosV/src/lib/krb5/krb5_kuserok.3 index 21c9f635467..2f9ac18554a 100644 --- a/kerberosV/src/lib/krb5/krb5_kuserok.3 +++ b/kerberosV/src/lib/krb5/krb5_kuserok.3 
@@ -1,91 +1,100 @@ -.\" Copyright (c) 2003 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. +.\" Copyright (c) 2003-2005 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. .\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: .\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. .\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. .\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. 
.\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. 
.\" -.\" $KTH: krb5_kuserok.3,v 1.5 2003/04/16 13:58:10 lha Exp $ +.\" $KTH: krb5_kuserok.3,v 1.9 2005/05/04 12:11:22 joda Exp $ .\" -.Dd October 17, 2002 +.Dd May 4, 2005 .Dt KRB5_KUSEROK 3 .Os HEIMDAL .Sh NAME .Nm krb5_kuserok -.Nd "verifies if a principal can log in as a user" +.Nd "checks if a principal is permitted to login as a user" .Sh LIBRARY Kerberos 5 Library (libkrb5, -lkrb5) .Sh SYNOPSIS .In krb5.h .Ft krb5_boolean -.Fo krb5_kuserok +.Fo krb5_kuserok .Fa "krb5_context context" .Fa "krb5_principal principal" -.Fa "const char *name" +.Fa "const char *user" .Fc .Sh DESCRIPTION -This function takes a local user -.Fa name -and verifies if +This function takes the name of a local +.Fa user +and checks if .Fa principal is allowed to log in as that user. .Pp -First -.Nm -check if there is a local account name -.Fa username. -If there isn't, -.Nm -returns -.Dv FALSE . +The +.Fa user +may have a +.Pa ~/.k5login +file listing principals that are allowed to login as that user. If +that file does not exist, all principals with a first component +identical to the username, and a realm considered local, are allowed +access. .Pp -Then -.Nm -checks if principal is the same as user@realm in any of the default -realms. If that is the case, +The +.Pa .k5login +file must contain one principal per line, be owned by +.Fa user , +and not be writable by group or other (but must be readable by +anyone). +.Pp +Note that if the file exists, no implicit access rights are given to +.Fa user Ns @ Ns Aq localrealm . +.Pp +Optionally, a set of files may be put in +.Pa ~/.k5login.d ( Ns +a directory), in which case they will all be checked in the same +manner as +.Pa .k5login . +The files may be called anything, but files starting with a hash +.Dq ( # ) , +or ending with a tilde +.Dq ( ~ ) +are ignored. Subdirectories are not traversed. Note that this +directory may not be checked by other implementations. +.Sh RETURN VALUES .Nm returns -.Dv TRUE . 
-.Pp -After that it reads the file -.Pa .k5login -(if it exists) in the users home directory and checks if -.Fa principal -is in the file. -If it does exists, .Dv TRUE -is returned. -If neither of the above turns out to be true, +if access should be granted, .Dv FALSE -is returned. -.Pp +otherwise. +.Sh HISTORY The -.Pa .k5login -should contain one principal per line. +.Pa ~/.k5login.d +feature appeared in Heimdal 0.7. .Sh SEE ALSO .Xr krb5_get_default_realms 3 , .Xr krb5_verify_user 3 , diff --git a/kerberosV/src/lib/krb5/krb5_locl.h b/kerberosV/src/lib/krb5/krb5_locl.h index 29b50079122..fa45ecda69e 100644 --- a/kerberosV/src/lib/krb5/krb5_locl.h +++ b/kerberosV/src/lib/krb5/krb5_locl.h @@ -31,7 +31,7 @@ * SUCH DAMAGE. */ -/* $KTH: krb5_locl.h,v 1.71 2002/09/10 20:10:45 joda Exp $ */ +/* $KTH: krb5_locl.h,v 1.81 2005/05/29 14:28:39 lha Exp $ */ #ifndef __KRB5_LOCL_H__ #define __KRB5_LOCL_H__ @@ -50,6 +50,9 @@ #ifdef HAVE_SYS_TYPES_H #include <sys/types.h> #endif +#ifdef HAVE_SYS_MMAN_H +#include <sys/mman.h> +#endif #ifdef HAVE_UNISTD_H #include <unistd.h> #endif @@ -61,6 +64,9 @@ #include <sys/ioctl.h> #endif #ifdef HAVE_PWD_H +#undef _POSIX_PTHREAD_SEMANTICS +/* This gets us the 5-arg getpwnam_r on Solaris 9. */ +#define _POSIX_PTHREAD_SEMANTICS #include <pwd.h> #endif @@ -109,13 +115,36 @@ struct sockaddr_dl; #ifdef HAVE_SYS_FILE_H #include <sys/file.h> #endif + +#ifdef HAVE_CRYPT_H +#undef des_encrypt +#define des_encrypt wingless_pigs_mostly_fail_to_fly +#include <crypt.h> +#undef des_encrypt +#endif + +#ifdef HAVE_DOOR_CREATE +#include <door.h> +#endif + #include <roken.h> #include <parse_time.h> #include <base64.h> #include "crypto-headers.h" + #include <krb5_asn1.h> + +/* XXX glue for pkinit */ +struct krb5_pk_identity; +struct krb5_pk_cert; +struct ContentInfo; +typedef struct krb5_pk_init_ctx_data *krb5_pk_init_ctx; + +/* v4 glue */ +struct _krb5_krb_auth_data; + #include <der.h> #include <krb5.h> 
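Review bot: `#define _POSIX_PTHREAD_SEMANTICS` in the HAVE_PWD_H hunk comes after `<sys/types.h>`, `<sys/mman.h>` and `<unistd.h>` have already been included earlier in this header, and a feature-test macro generally only takes effect when it is defined before the first system header; whether `<pwd.h>` really yields the 5-argument getpwnam_r here therefore depends on what those earlier headers already pulled in, so the define (with its existing comment) belongs at the top of the file or in config.h. The `des_encrypt` rename around `<crypt.h>` also deserves a why-comment, something like `/* <crypt.h> declares a des_encrypt() that would clash with the one used in this tree; hide it under a throwaway name while including it -- confirm against the platform header */`, since the colliding declaration is not visible here. The forward declarations marked `XXX glue for pkinit` would be easier to maintain if the comment named the file that holds the real definitions.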
@@ -123,6 +152,8 @@ struct sockaddr_dl; #include <asn1_err.h> #include <krb5-private.h> +#include "heim_threads.h" + #define ALLOC(X, N) (X) = calloc((N), sizeof(*(X))) #define ALLOC_SEQ(X, N) do { (X)->len = (N); ALLOC((X)->val, (N)); } while(0) @@ -135,4 +166,24 @@ struct sockaddr_dl; #define O_BINARY 0 #endif +#define KRB5_BUFSIZ 1024 + +typedef enum { + KRB5_PA_PAC_DONT_CARE = 0, + KRB5_PA_PAC_REQ_TRUE, + KRB5_PA_PAC_REQ_FALSE +} krb5_get_init_creds_req_pac; + +struct _krb5_get_init_creds_opt_private { + int refcount; + /* ENC_TIMESTAMP */ + const char *password; + krb5_s2k_proc key_proc; + /* PA_PAC_REQUEST */ + krb5_get_init_creds_req_pac req_pac; + /* PKINIT */ + krb5_pk_init_ctx pk_init_ctx; + int canonicalize; +}; + #endif /* __KRB5_LOCL_H__ */ diff --git a/kerberosV/src/lib/krb5/krb5_set_default_realm.3 b/kerberosV/src/lib/krb5/krb5_set_default_realm.3 index b2765e77d72..532feb2f05d 100644 --- a/kerberosV/src/lib/krb5/krb5_set_default_realm.3 +++ b/kerberosV/src/lib/krb5/krb5_set_default_realm.3 
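Review bot: The new `const char *password` in `struct _krb5_get_init_creds_opt_private` carries neither ownership nor lifetime information, and for a password that matters twice: whoever releases the struct must know whether to `free()` it and whether to clear it first. Suggest a comment on the field such as `/* password for ENC_TIMESTAMP; owned by this struct or borrowed from the caller? must be zeroized before release if owned -- TODO confirm against the setter */`. Likewise `refcount` is unannotated although `heim_threads.h` is now included just above; a note saying which lock (if any) guards it, or that it is only touched single-threaded, would prevent a future data race. `KRB5_BUFSIZ 1024` could also say which buffers it sizes.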
@@ -1,44 +1,45 @@ -.\" Copyright (c) 2003 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. +.\" Copyright (c) 2003 - 2005 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. .\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: .\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. .\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. .\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. 
.\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. 
.\" -.\" $KTH: krb5_set_default_realm.3,v 1.2 2003/04/16 13:58:11 lha Exp $ +.\" $KTH: krb5_set_default_realm.3,v 1.8 2005/04/24 07:49:34 lha Exp $ .\" -.Dd March 16, 2003 +.Dd April 24, 2005 .Dt KRB5_SET_DEFAULT_REALM 3 .Os HEIMDAL .Sh NAME -.Nm krb5_free_host_realm -.Nm krb5_get_default_realm -.Nm krb5_get_default_realms -.Nm krb5_get_host_realm +.Nm krb5_copy_host_realm , +.Nm krb5_free_host_realm , +.Nm krb5_get_default_realm , +.Nm krb5_get_default_realms , +.Nm krb5_get_host_realm , .Nm krb5_set_default_realm .Nd default and host realm read and manipulation routines .Sh LIBRARY @@ -46,6 +47,12 @@ Kerberos 5 Library (libkrb5, -lkrb5) .Sh SYNOPSIS .In krb5.h .Ft krb5_error_code +.Fo krb5_copy_host_realm +.Fa "krb5_context context" +.Fa "const krb5_realm *from" +.Fa "krb5_realm **to" +.Fc +.Ft krb5_error_code .Fo krb5_free_host_realm .Fa "krb5_context context" .Fa "krb5_realm *realmlist" @@ -72,6 +79,15 @@ Kerberos 5 Library (libkrb5, -lkrb5) .Fa "const char *realm" .Fc .Sh DESCRIPTION +.Fn krb5_copy_host_realm +copies the list of realms from +.Fa from +to +.Fa to . +.Fa to +should be freed by the caller using +.Fa krb5_free_host_realm . +.Pp .Fn krb5_free_host_realm frees all memory allocated by .Fa realmlist . @@ -109,11 +125,11 @@ DNS is used to lookup the realm. .Pp When using .Li DNS -to a resolve the domain for the host a.b.c, +to a resolve the domain for the host a.b.c, .Fn krb5_get_host_realm looks for a .Dv TXT -resource record named +resource record named .Li _kerberos.a.b.c , and if not found, it strips off the first component and tries a again (_kerberos.b.c) until it reaches the root. @@ -123,6 +139,10 @@ If there is no configuration or DNS information found, assumes it can use the domain part of the .Fa host to form a realm. +Caller must free +.Fa realmlist +with +.Fn krb5_free_host_realm . .Pp .Fn krb5_set_default_realm sets the default realm for the 
diff --git a/kerberosV/src/lib/krb5/krb5_set_password.3 b/kerberosV/src/lib/krb5/krb5_set_password.3 index 9f7cc708f2f..420da69c938 100644 --- a/kerberosV/src/lib/krb5/krb5_set_password.3 +++ b/kerberosV/src/lib/krb5/krb5_set_password.3 @@ -1,4 +1,4 @@ -.\" Copyright (c) 2003 Kungliga Tekniska Högskolan +.\" Copyright (c) 2003 - 2004 Kungliga Tekniska Högskolan .\" (Royal Institute of Technology, Stockholm, Sweden). .\" All rights reserved. .\" @@ -29,15 +29,16 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $KTH: krb5_set_password.3,v 1.3.2.1 2004/06/21 10:51:20 lha Exp $ +.\" $KTH: krb5_set_password.3,v 1.7 2004/07/15 14:39:06 lha Exp $ .\" -.Dd June 2, 2004 +.Dd July 15, 2004 .Dt KRB5_SET_PASSWORD 3 .Os HEIMDAL .Sh NAME .Nm krb5_change_password , .Nm krb5_set_password , -.Nm krb5_set_password_using_ccache +.Nm krb5_set_password_using_ccache , +.Nm krb5_passwd_result_to_string .Nd change password functions .Sh LIBRARY Kerberos 5 Library (libkrb5, -lkrb5) @@ -57,7 +58,7 @@ Kerberos 5 Library (libkrb5, -lkrb5) .Fa "krb5_context context" .Fa "krb5_creds *creds" .Fa "char *newpw" -.Fa "krb5_principal targprinc", +.Fa "krb5_principal targprinc" .Fa "int *result_code" .Fa "krb5_data *result_code_string" .Fa "krb5_data *result_string" 
@@ -72,17 +73,23 @@ Kerberos 5 Library (libkrb5, -lkrb5) .Fa "krb5_data *result_code_string" .Fa "krb5_data *result_string" .Fc +.Ft "const char *" +.Fo krb5_passwd_result_to_string +.Fa "krb5_context context" +.Fa "int result" +.Fc .Sh DESCRIPTION These functions change the password for a given principal. .Pp .Fn krb5_set_password and -.Fa krb5_set_password_using_ccache -is the newer two of the three functions and uses a newer version of the -protocol (and falls back to the older when the newer doesn't work). +.Fn krb5_set_password_using_ccache +are the newer of the three functions, and use a newer version of the +protocol (and also fall back to the older set-password protocol if the +newer protocol doesn't work). .Pp .Fn krb5_change_password -set the password +sets the password .Fa newpasswd for the client principal in .Fa creds . 
@@ -90,20 +97,47 @@ The server principal of creds must be .Li kadmin/changepw . .Pp .Fn krb5_set_password -changes the password for the principal -.Fa targprinc , -if +and +.Fn krb5_set_password_using_ccache +change the password for the principal +.Fa targprinc . +.Pp +.Fn krb5_set_password +requires that the credential for +.Li kadmin/changepw@REALM +is in +.Fa creds . +If the user caller isn't an administrator, this credential +needs to be an initial credential, see +.Xr krb5_get_init_creds 3 +how to get such credentials. +.Pp +.Fn krb5_set_password_using_ccache +will get the credential from +.Fa ccache . +.Pp +If .Fa targprinc is -.Dv NULL -the default principal in +.Dv NULL , +.Fn krb5_set_password_using_ccache +uses the the default principal in .Fa ccache -is used. +and +.Fn krb5_set_password +uses the global the default principal. .Pp -Both functions returns and error in +All three functions return an error in .Fa result_code -and maybe an error strings to print in +and maybe an error string to print in .Fa result_string . +.Pp +.Fn krb5_passwd_result_to_string +returns an human readable string describing the error code in +.Fa result_code +from the +.Fn krb5_set_password +functions. .Sh SEE ALSO .Xr krb5_ccache 3 , .Xr krb5_init_context 3 diff --git a/kerberosV/src/lib/krb5/krb5_timeofday.3 b/kerberosV/src/lib/krb5/krb5_timeofday.3 index 686270291ba..4658b8612d4 100644 --- a/kerberosV/src/lib/krb5/krb5_timeofday.3 +++ b/kerberosV/src/lib/krb5/krb5_timeofday.3 
@@ -1,57 +1,118 @@ -.\" Copyright (c) 2001 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. -.\" -.\" $KTH: krb5_timeofday.3,v 1.5 2003/04/16 13:58:18 lha Exp $ -.\" -.Dd July 1, 2001 +.\" $KTH: krb5_timeofday.3,v 1.8 2003/06/24 05:12:43 lha Exp $ +.\" +.\" Copyright (c) 2001, 2003 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. 
+.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. 
+.\" +.\" $KTH: krb5_timeofday.3,v 1.8 2003/06/24 05:12:43 lha Exp $ +.\" +.Dd June 17, 2003 .Dt KRB5_TIMEOFDAY 3 +.Os HEIMDAL .Sh NAME -.Nm krb5_timeofday , +.Nm krb5_timeofday +.Nm krb5_set_real_time .Nm krb5_us_timeofday -.Nd whatever these functions do +.Nm krb5_format_time +.Nm krb5_string_to_deltat +.Nd Kerberos 5 time handling functions .Sh LIBRARY Kerberos 5 Library (libkrb5, -lkrb5) .Sh SYNOPSIS .In krb5.h -.Ft "krb5_error_code" -.Fn krb5_timeofday "krb5_context context" "krb5_timestamp *timeret" -.Ft "krb5_error_code" -.Fn krb5_us_timeofday "krb5_context context" "int32_t *sec" "int32_t *usec" +.Pp +.Li krb5_timestamp ; +.Pp +.Li krb5_deltat ; +.Ft krb5_error_code +.Fo krb5_set_real_time +.Fa "krb5_context context" +.Fa "krb5_timestamp sec" +.Fa "int32_t usec" +.Fc +.Ft krb5_error_code +.Fo krb5_timeofday +.Fa "krb5_context context" +.Fa "krb5_timestamp *timeret" +.Fc +.Ft krb5_error_code +.Fo krb5_us_timeofday +.Fa "krb5_context context" +.Fa "krb5_timestamp *sec" +.Fa "int32_t *usec" +.Fc +.Ft krb5_error_code +.Fo krb5_format_time +.Fa "krb5_context context" +.Fa "time_t t" +.Fa "char *s" +.Fa "size_t len" +.Fa "krb5_boolean include_time" +.Fc +.Ft krb5_error_code +.Fo krb5_string_to_deltat +.Fa "const char *string" +.Fa "krb5_deltat *deltat" +.Fc .Sh DESCRIPTION +.Nm krb5_set_real_time +sets the absolute time that the caller knows the KDC has. +With this the to the Kerberos library can calculate the relative +diffrence beteen the KDC time and the local system time and store it +in the +.Fa content . +With this information the Kerberos library can adjust all time stamps +Kerberos packages. +.Pp .Fn krb5_timeofday returns the current time, but adjusted with the time difference between the local host and the KDC. .Fn krb5_us_timeofday also returns microseconds. .Pp -.\".Sh EXAMPLE +.Nm krb5_format_time +formats the time +.Fa t +into the string +.Fa s +of length +.Fa len . +If +.Fa include_time +is set, the time is set include_time. 
+.Pp +.Nm krb5_string_to_deltat +Parses delta time +.Fa string +into +.Fa deltat . .Sh SEE ALSO -.Xr gettimeofday 2 +.Xr gettimeofday 2 , +.Xr krb5 3 diff --git a/kerberosV/src/lib/krb5/krb5_verify_user.3 b/kerberosV/src/lib/krb5/krb5_verify_user.3 index ae8006668a3..a6d5dea8f97 100644 --- a/kerberosV/src/lib/krb5/krb5_verify_user.3 +++ b/kerberosV/src/lib/krb5/krb5_verify_user.3 
@@ -1,36 +1,36 @@ .\" Copyright (c) 2001 - 2003 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. .\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: .\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. .\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. .\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $KTH: krb5_verify_user.3,v 1.13 2004/03/20 18:36:51 lha Exp $ .\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. -.\" -.\" $KTH: krb5_verify_user.3,v 1.10 2003/04/16 13:58:11 lha Exp $ -.\" .Dd March 25, 2003 .Dt KRB5_VERIFY_USER 3 .Os HEIMDAL @@ -39,6 +39,7 @@ .Nm krb5_verify_user_lrealm , .Nm krb5_verify_user_opt , .Nm krb5_verify_opt_init +.Nm krb5_verify_opt_set_ccache , .Nm krb5_verify_opt_set_flags , .Nm krb5_verify_opt_set_service , .Nm krb5_verify_opt_set_secure , 
@@ -79,7 +80,7 @@ The principal whose password will be verified is specified in .Fa principal . New tickets will be obtained as a side-effect and stored in .Fa ccache -(if +(if .Dv NULL , the default ccache is used). .Fn krb5_verify_user @@ -180,7 +181,7 @@ The principal whose password will be verified is specified in .Fa principal . Options the to the verification process is pass in in .Fa opt . -.Sh EXAMPLE +.Sh EXAMPLES Here is a example program that verifies a password. it uses the .Ql host/`hostname` service principal in @@ -218,6 +219,7 @@ main(int argc, char **argv) .Xr krb5_cc_gen_new 3 , .Xr krb5_cc_initialize 3 , .Xr krb5_cc_resolve 3 , +.Xr krb5_cc_initialize 3 , .Xr krb5_err 3 , .Xr krb5_free_principal 3 , .Xr krb5_init_context 3 , diff --git a/kerberosV/src/lib/krb5/krbhst.c b/kerberosV/src/lib/krb5/krbhst.c index aab044b217f..b563b3e4b53 100644 --- a/kerberosV/src/lib/krb5/krbhst.c +++ b/kerberosV/src/lib/krb5/krbhst.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2001 Kungliga Tekniska Högskolan + * Copyright (c) 2001 - 2003 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -34,7 +34,7 @@ #include "krb5_locl.h" #include <resolve.h> -RCSID("$KTH: krbhst.c,v 1.43.2.1 2003/04/22 15:00:38 lha Exp $"); +RCSID("$KTH: krbhst.c,v 1.51 2005/05/20 09:09:42 lha Exp $"); static int string_to_proto(const char *string) @@ -66,6 +66,9 @@ srv_find_realm(krb5_context context, krb5_krbhst_info ***res, int *count, int proto_num; int def_port; + *res = NULL; + *count = 0; + proto_num = string_to_proto(proto); if(proto_num < 0) { krb5_set_error_string(context, "unknown protocol `%s'", proto); 
@@ -82,11 +85,8 @@ srv_find_realm(krb5_context context, krb5_krbhst_info ***res, int *count, snprintf(domain, sizeof(domain), "_%s._%s.%s.", service, proto, realm); r = dns_lookup(domain, dns_type); - if(r == NULL) { - *res = NULL; - *count = 0; + if(r == NULL) return KRB5_KDC_UNREACH; - } for(num_srv = 0, rr = r->head; rr; rr = rr->next) if(rr->type == T_SRV) @@ -112,6 +112,7 @@ srv_find_realm(krb5_context context, krb5_krbhst_info ***res, int *count, while(--num_srv >= 0) free((*res)[num_srv]); free(*res); + *res = NULL; return ENOMEM; } (*res)[num_srv++] = hi; @@ -139,13 +140,13 @@ struct krb5_krbhst_data { unsigned int flags; int def_port; int port; /* hardwired port number if != 0 */ -#define KD_CONFIG 1 -#define KD_SRV_UDP 2 -#define KD_SRV_TCP 4 -#define KD_SRV_HTTP 8 -#define KD_FALLBACK 16 -#define KD_CONFIG_EXISTS 32 - +#define KD_CONFIG 1 +#define KD_SRV_UDP 2 +#define KD_SRV_TCP 4 +#define KD_SRV_HTTP 8 +#define KD_FALLBACK 16 +#define KD_CONFIG_EXISTS 32 +#define KD_LARGE_MSG 64 krb5_error_code (*get_next)(krb5_context, struct krb5_krbhst_data *, krb5_krbhst_info**); @@ -161,12 +162,26 @@ krbhst_empty(const struct krb5_krbhst_data *kd) } /* + * Return the default protocol for the `kd' (either TCP or UDP) + */ + +static int +krbhst_get_default_proto(struct krb5_krbhst_data *kd) +{ + if (kd->flags & KD_LARGE_MSG) + return KRB5_KRBHST_TCP; + return KRB5_KRBHST_UDP; +} + + +/* * parse `spec' into a krb5_krbhst_info, defaulting the port to `def_port' * and forcing it to `port' if port != 0 */ static struct krb5_krbhst_info* -parse_hostspec(krb5_context context, const char *spec, int def_port, int port) +parse_hostspec(krb5_context context, struct krb5_krbhst_data *kd, + const char *spec, int def_port, int port) { const char *p = spec; struct krb5_krbhst_info *hi; 
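Review bot: `krbhst_get_default_proto` only reads `kd->flags` but takes a non-const pointer, while the neighbouring `krbhst_empty` in the hunk context takes `const struct krb5_krbhst_data *kd`; for consistency, change the signature to `krbhst_get_default_proto(const struct krb5_krbhst_data *kd)`. Its header comment could state the rule rather than just the range, e.g. `/* default transport: TCP when KD_LARGE_MSG is set, otherwise UDP */`. The `KD_*` bit definitions (now including `KD_LARGE_MSG 64`) are `#define`s inside the struct body; an enum would make them debugger-visible, though that is a style choice.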
@@ -175,7 +190,7 @@ parse_hostspec(krb5_context context, const char *spec, int def_port, int port) if(hi == NULL) return NULL; - hi->proto = KRB5_KRBHST_UDP; + hi->proto = krbhst_get_default_proto(kd); if(strncmp(p, "http://", 7) == 0){ hi->proto = KRB5_KRBHST_HTTP; @@ -243,7 +258,7 @@ append_host_string(krb5_context context, struct krb5_krbhst_data *kd, { struct krb5_krbhst_info *hi; - hi = parse_hostspec(context, host, def_port, port); + hi = parse_hostspec(context, kd, host, def_port, port); if(hi == NULL) return ENOMEM; @@ -255,7 +270,7 @@ append_host_string(krb5_context context, struct krb5_krbhst_data *kd, * return a readable representation of `host' in `hostname, hostlen' */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_krbhst_format_string(krb5_context context, const krb5_krbhst_info *host, char *hostname, size_t hostlen) { @@ -296,7 +311,7 @@ make_hints(struct addrinfo *hints, int proto) * in `host'. free:ing is handled by krb5_krbhst_free. */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_krbhst_get_addrinfo(krb5_context context, krb5_krbhst_info *host, struct addrinfo **ai) { @@ -329,13 +344,14 @@ get_next(struct krb5_krbhst_data *kd, krb5_krbhst_info **host) static void srv_get_hosts(krb5_context context, struct krb5_krbhst_data *kd, - const char *proto, const char *service) + const char *proto, const char *service) { krb5_krbhst_info **res; int count, i; - srv_find_realm(context, &res, &count, kd->realm, "SRV", proto, service, - kd->port); + if (srv_find_realm(context, &res, &count, kd->realm, "SRV", proto, service, + kd->port)) + return; for(i = 0; i < count; i++) append_host_hostinfo(kd, res[i]); free(res); @@ -438,7 +454,7 @@ kdc_get_next(krb5_context context, return KRB5_KDC_UNREACH; /* XXX */ if(context->srv_lookup) { - if((kd->flags & KD_SRV_UDP) == 0) { + if((kd->flags & KD_SRV_UDP) == 0 && (kd->flags & KD_LARGE_MSG) == 0) { srv_get_hosts(context, kd, "udp", "kerberos"); kd->flags |= KD_SRV_UDP; if(get_next(kd, host)) 
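Review bot: The new early return in `srv_get_hosts` discards srv_find_realm's return code, so an `ENOMEM` from the allocation path in the earlier hunk is indistinguishable from `KRB5_KDC_UNREACH` (no SRV record), and the caller in `kdc_get_next` then sets `KD_SRV_UDP` and moves on to the next source. That best-effort behaviour looks intended (together with the `*res = NULL` in the ENOMEM path it also closes the old double free of `res`), but it deserves a comment, e.g. `/* best effort: any lookup failure, including ENOMEM, just means no hosts from this source */`, or a non-void return so callers can stop on ENOMEM instead of silently continuing with fewer hosts. Both `srv_get_hosts` and `kdc_get_next` continue outside the hunk.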
@@ -461,7 +477,8 @@ kdc_get_next(krb5_context context, while((kd->flags & KD_FALLBACK) == 0) { ret = fallback_get_hosts(context, kd, "kerberos", - kd->def_port, KRB5_KRBHST_UDP); + kd->def_port, + krbhst_get_default_proto(kd)); if(ret) return ret; if(get_next(kd, host)) @@ -500,7 +517,8 @@ admin_get_next(krb5_context context, if (krbhst_empty(kd) && (kd->flags & KD_FALLBACK) == 0) { ret = fallback_get_hosts(context, kd, "kerberos", - kd->def_port, KRB5_KRBHST_UDP); + kd->def_port, + krbhst_get_default_proto(kd)); if(ret) return ret; kd->flags |= KD_FALLBACK; @@ -520,6 +538,7 @@ kpasswd_get_next(krb5_context context, if((kd->flags & KD_CONFIG) == 0) { config_get_hosts(context, kd, "kpasswd_server"); + kd->flags |= KD_CONFIG; if(get_next(kd, host)) return 0; } @@ -534,6 +553,12 @@ kpasswd_get_next(krb5_context context, if(get_next(kd, host)) return 0; } + if((kd->flags & KD_SRV_TCP) == 0) { + srv_get_hosts(context, kd, "tcp", "kpasswd"); + kd->flags |= KD_SRV_TCP; + if(get_next(kd, host)) + return 0; + } } /* no matches -> try admin */ @@ -544,7 +569,7 @@ kpasswd_get_next(krb5_context context, kd->get_next = admin_get_next; ret = (*kd->get_next)(context, kd, host); if (ret == 0) - (*host)->proto = KRB5_KRBHST_UDP; + (*host)->proto = krbhst_get_default_proto(kd); return ret; } @@ -596,7 +621,8 @@ krb524_get_next(krb5_context context, static struct krb5_krbhst_data* common_init(krb5_context context, - const char *realm) + const char *realm, + int flags) { struct krb5_krbhst_data *kd; @@ -608,6 +634,8 @@ common_init(krb5_context context, return NULL; } + if (flags & KRB5_KRBHST_FLAGS_LARGE_MSG) + kd->flags |= KD_LARGE_MSG; kd->end = kd->index = &kd->hosts; return kd; } 
@@ -616,12 +644,22 @@ common_init(krb5_context context, * initialize `handle' to look for hosts of type `type' in realm `realm' */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_krbhst_init(krb5_context context, const char *realm, unsigned int type, krb5_krbhst_handle *handle) { + return krb5_krbhst_init_flags(context, realm, type, 0, handle); +} + +krb5_error_code KRB5_LIB_FUNCTION +krb5_krbhst_init_flags(krb5_context context, + const char *realm, + unsigned int type, + int flags, + krb5_krbhst_handle *handle) +{ struct krb5_krbhst_data *kd; krb5_error_code (*get_next)(krb5_context, struct krb5_krbhst_data *, krb5_krbhst_info **); @@ -650,7 +688,7 @@ krb5_krbhst_init(krb5_context context, krb5_set_error_string(context, "unknown krbhst type (%u)", type); return ENOTTY; } - if((kd = common_init(context, realm)) == NULL) + if((kd = common_init(context, realm, flags)) == NULL) return ENOMEM; kd->get_next = get_next; kd->def_port = def_port; @@ -662,7 +700,7 @@ krb5_krbhst_init(krb5_context context, * return the next host information from `handle' in `host' */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_krbhst_next(krb5_context context, krb5_krbhst_handle handle, krb5_krbhst_info **host) @@ -678,7 +716,7 @@ krb5_krbhst_next(krb5_context context, * in `hostname' (or length `hostlen) */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_krbhst_next_as_string(krb5_context context, krb5_krbhst_handle handle, char *hostname, @@ -693,13 +731,13 @@ krb5_krbhst_next_as_string(krb5_context context, } -void +void KRB5_LIB_FUNCTION krb5_krbhst_reset(krb5_context context, krb5_krbhst_handle handle) { handle->index = &handle->hosts; } -void +void KRB5_LIB_FUNCTION krb5_krbhst_free(krb5_context context, krb5_krbhst_handle handle) { krb5_krbhst_info *h, *next; 
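Review bot: krb5_krbhst_init_flags is a new public entry point but carries no header comment, while its sibling krb5_krbhst_init keeps the old one-line description just above; the meaning of `flags` is documented nowhere in this diff, and common_init (earlier hunk) consumes only KRB5_KRBHST_FLAGS_LARGE_MSG and silently ignores any other bit. I would add above the definition: `/* Like krb5_krbhst_init, but `flags' (KRB5_KRBHST_FLAGS_*) tunes the lookup: LARGE_MSG makes TCP the default protocol for hosts without an explicit one. Unknown bits are ignored. */`. The function's body continues past the end of the hunk.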
@@ -761,7 +799,7 @@ gethostlist(krb5_context context, const char *realm, * return an malloced list of kadmin-hosts for `realm' in `hostlist' */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_krb_admin_hst (krb5_context context, const krb5_realm *realm, char ***hostlist) @@ -773,7 +811,7 @@ krb5_get_krb_admin_hst (krb5_context context, * return an malloced list of changepw-hosts for `realm' in `hostlist' */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_krb_changepw_hst (krb5_context context, const krb5_realm *realm, char ***hostlist) @@ -785,7 +823,7 @@ krb5_get_krb_changepw_hst (krb5_context context, * return an malloced list of 524-hosts for `realm' in `hostlist' */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_krb524hst (krb5_context context, const krb5_realm *realm, char ***hostlist) @@ -798,7 +836,7 @@ krb5_get_krb524hst (krb5_context context, * return an malloced list of KDC's for `realm' in `hostlist' */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_get_krbhst (krb5_context context, const krb5_realm *realm, char ***hostlist) @@ -810,7 +848,7 @@ krb5_get_krbhst (krb5_context context, * free all the memory allocated in `hostlist' */ -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_free_krbhst (krb5_context context, char **hostlist) { diff --git a/kerberosV/src/lib/krb5/log.c b/kerberosV/src/lib/krb5/log.c index 36f5d51f53d..67f21e95933 100644 --- a/kerberosV/src/lib/krb5/log.c +++ b/kerberosV/src/lib/krb5/log.c @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$KTH: log.c,v 1.31 2002/09/05 14:59:14 joda Exp $"); +RCSID("$KTH: log.c,v 1.34 2005/06/11 00:14:28 lha Exp $"); struct facility { int min; @@ -47,10 +47,10 @@ static struct facility* log_realloc(krb5_log_facility *f) { struct facility *fp; - f->len++; - fp = realloc(f->val, f->len * sizeof(*f->val)); + fp = realloc(f->val, (f->len + 1) * sizeof(*f->val)); if(fp == NULL) return NULL; + f->len++; f->val = fp; fp += f->len - 1; return fp; 
@@ -114,7 +114,7 @@ find_value(const char *s, struct s2i *table) return table->val; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_initlog(krb5_context context, const char *program, krb5_log_facility **fac) @@ -134,7 +134,7 @@ krb5_initlog(krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_addlog_func(krb5_context context, krb5_log_facility *fac, int min, @@ -254,7 +254,7 @@ open_file(krb5_context context, krb5_log_facility *fac, int min, int max, -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_addlog_dest(krb5_context context, krb5_log_facility *f, const char *orig) { krb5_error_code ret = 0; @@ -337,7 +337,7 @@ krb5_addlog_dest(krb5_context context, krb5_log_facility *f, const char *orig) } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_openlog(krb5_context context, const char *program, krb5_log_facility **fac) @@ -361,20 +361,26 @@ krb5_openlog(krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_closelog(krb5_context context, krb5_log_facility *fac) { int i; for(i = 0; i < fac->len; i++) (*fac->val[i].close)(fac->val[i].data); + free(fac->val); + free(fac->program); + fac->val = NULL; + fac->len = 0; + fac->program = NULL; + free(fac); return 0; } #undef __attribute__ #define __attribute__(X) -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_vlog_msg(krb5_context context, krb5_log_facility *fac, char **reply, @@ -413,7 +419,7 @@ krb5_vlog_msg(krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_vlog(krb5_context context, krb5_log_facility *fac, int level, @@ -424,7 +430,7 @@ krb5_vlog(krb5_context context, return krb5_vlog_msg(context, fac, NULL, level, fmt, ap); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_log_msg(krb5_context context, krb5_log_facility *fac, int level, 
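Review bot: krb5_closelog now frees `fac` itself, which is an ownership change for a public function: a caller that still references the facility afterwards (or calls krb5_closelog twice, which used to be harmless) now has a use-after-free or double free, and the hunk adds no comment announcing this. I would put `/* Releases every destination and the facility itself; `fac' must not be used after this call. */` above the function, and note that the three assignments to `fac->val`, `fac->len` and `fac->program` immediately before `free(fac)` are dead stores that only obscure the intent. I cannot see from this diff whether the public header's documentation was updated to match.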
@@ -443,7 +449,7 @@ krb5_log_msg(krb5_context context, } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_log(krb5_context context, krb5_log_facility *fac, int level, diff --git a/kerberosV/src/lib/krb5/name-45-test.c b/kerberosV/src/lib/krb5/name-45-test.c index 39145824701..04941cbae7e 100644 --- a/kerberosV/src/lib/krb5/name-45-test.c +++ b/kerberosV/src/lib/krb5/name-45-test.c @@ -31,8 +31,9 @@ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "krb5_locl.h" +#include <err.h> -RCSID("$KTH: name-45-test.c,v 1.3.2.1 2003/05/06 16:49:14 joda Exp $"); +RCSID("$KTH: name-45-test.c,v 1.7 2005/05/29 18:22:59 lha Exp $"); enum { MAX_COMPONENTS = 3 }; @@ -152,8 +153,15 @@ main(int argc, char **argv) struct testcase *t; krb5_context context; krb5_error_code ret; + char hostname[1024]; int val = 0; + setprogname(argv[0]); + + gethostname(hostname, sizeof(hostname)); + if (!(strstr(hostname, "kth.se") != NULL || strstr(hostname, "su.se") != NULL)) + return 0; + for (t = tests; t->v4_name; ++t) { krb5_principal princ; int i; diff --git a/kerberosV/src/lib/krb5/prog_setup.c b/kerberosV/src/lib/krb5/prog_setup.c index fefae4a9f7f..86efa7900a6 100644 --- a/kerberosV/src/lib/krb5/prog_setup.c +++ b/kerberosV/src/lib/krb5/prog_setup.c @@ -35,16 +35,16 @@ #include <getarg.h> #include <err.h> -RCSID("$KTH: prog_setup.c,v 1.9 2001/02/20 01:44:54 assar Exp $"); +RCSID("$KTH: prog_setup.c,v 1.10 2004/05/25 21:37:55 lha Exp $"); -void +void KRB5_LIB_FUNCTION krb5_std_usage(int code, struct getargs *args, int num_args) { arg_printusage(args, num_args, NULL, ""); exit(code); } -int +int KRB5_LIB_FUNCTION krb5_program_setup(krb5_context *context, int argc, char **argv, struct getargs *args, int num_args, void (*usage)(int, struct getargs*, int)) diff --git a/kerberosV/src/lib/krb5/rd_req.c b/kerberosV/src/lib/krb5/rd_req.c index bf9de9c1a23..1ff1ab920bb 100644 --- a/kerberosV/src/lib/krb5/rd_req.c +++ b/kerberosV/src/lib/krb5/rd_req.c 
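Review bot: The return value of gethostname() is ignored and POSIX does not guarantee NUL termination when the real name is longer than the buffer, so the two strstr() calls that follow could read past `hostname`; check the result and terminate explicitly, `if (gethostname(hostname, sizeof(hostname)) != 0) return 0;` followed by `hostname[sizeof(hostname) - 1] = '\0';`. The bare `return 0` also makes the test report success on every machine outside the two listed domains, which deserves a comment such as `/* test vectors depend on KTH/SU DNS data; skip elsewhere */`. main continues outside the hunk.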
@@ -33,7 +33,7 @@ #include <krb5_locl.h> -RCSID("$KTH: rd_req.c,v 1.47.8.3 2003/10/21 20:10:33 lha Exp $"); +RCSID("$KTH: rd_req.c,v 1.57.4.1 2006/02/03 14:38:02 lha Exp $"); static krb5_error_code decrypt_tkt_enc_part (krb5_context context, @@ -101,7 +101,7 @@ decrypt_authenticator (krb5_context context, return ret; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_decode_ap_req(krb5_context context, const krb5_data *inbuf, krb5_ap_req *ap_req) @@ -155,7 +155,58 @@ check_transited(krb5_context context, Ticket *ticket, EncTicketPart *enc) return ret; } -krb5_error_code +static krb5_error_code +find_etypelist(krb5_context context, + krb5_auth_context auth_context, + EtypeList *etypes) +{ + krb5_error_code ret; + krb5_authdata *ad; + krb5_authdata adIfRelevant; + unsigned i; + + adIfRelevant.len = 0; + + etypes->len = 0; + etypes->val = NULL; + + ad = auth_context->authenticator->authorization_data; + if (ad == NULL) + return 0; + + for (i = 0; i < ad->len; i++) { + if (ad->val[i].ad_type == KRB5_AUTHDATA_IF_RELEVANT) { + ret = decode_AD_IF_RELEVANT(ad->val[i].ad_data.data, + ad->val[i].ad_data.length, + &adIfRelevant, + NULL); + if (ret) + return ret; + + if (adIfRelevant.len == 1 && + adIfRelevant.val[0].ad_type == + KRB5_AUTHDATA_GSS_API_ETYPE_NEGOTIATION) { + break; + } + free_AD_IF_RELEVANT(&adIfRelevant); + adIfRelevant.len = 0; + } + } + + if (adIfRelevant.len == 0) + return 0; + + ret = decode_EtypeList(adIfRelevant.val[0].ad_data.data, + adIfRelevant.val[0].ad_data.length, + etypes, + NULL); + + free_AD_IF_RELEVANT(&adIfRelevant); + + return ret; +} + +krb5_error_code KRB5_LIB_FUNCTION krb5_decrypt_ticket(krb5_context context, Ticket *ticket, krb5_keyblock *key, @@ -204,7 +255,7 @@ krb5_decrypt_ticket(krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_verify_authenticator_checksum(krb5_context context, krb5_auth_context ac, void *data, 
@@ -244,7 +295,7 @@ out: } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_verify_ap_req(krb5_context context, krb5_auth_context *auth_context, krb5_ap_req *ap_req, @@ -265,7 +316,7 @@ krb5_verify_ap_req(krb5_context context, KRB5_KU_AP_REQ_AUTH); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_verify_ap_req2(krb5_context context, krb5_auth_context *auth_context, krb5_ap_req *ap_req, @@ -276,9 +327,10 @@ krb5_verify_ap_req2(krb5_context context, krb5_ticket **ticket, krb5_key_usage usage) { - krb5_ticket t; + krb5_ticket *t; krb5_auth_context ac; krb5_error_code ret; + EtypeList etypes; if (auth_context && *auth_context) { ac = *auth_context; 
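Review bot: `krb5_ticket *t;` is declared without an initializer, yet the single `out:` label introduced later in this diff does `if (t) krb5_free_ticket(context, t);`. Today every `goto out` happens after the malloc that assigns `t`, so it is correct, but the first failure path before the malloc (the auth-context setup, which returns directly) only needs to be changed to `goto out` for this to become a free of an indeterminate pointer. Write `krb5_ticket *t = NULL;` so the cleanup label is safe by construction. krb5_verify_ap_req2 continues in the following hunks.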
@@ -288,69 +340,90 @@ krb5_verify_ap_req2(krb5_context context, return ret; } + t = malloc(sizeof(*t)); + if (t == NULL) { + ret = ENOMEM; + krb5_clear_error_string (context); + goto out; + } + memset(t, 0, sizeof(*t)); + if (ap_req->ap_options.use_session_key && ac->keyblock){ ret = krb5_decrypt_ticket(context, &ap_req->ticket, ac->keyblock, - &t.ticket, + &t->ticket, flags); krb5_free_keyblock(context, ac->keyblock); ac->keyblock = NULL; }else ret = krb5_decrypt_ticket(context, &ap_req->ticket, keyblock, - &t.ticket, + &t->ticket, flags); if(ret) goto out; - principalname2krb5_principal(&t.server, ap_req->ticket.sname, - ap_req->ticket.realm); - principalname2krb5_principal(&t.client, t.ticket.cname, - t.ticket.crealm); + _krb5_principalname2krb5_principal(&t->server, ap_req->ticket.sname, + ap_req->ticket.realm); + _krb5_principalname2krb5_principal(&t->client, t->ticket.cname, + t->ticket.crealm); /* save key */ - krb5_copy_keyblock(context, &t.ticket.key, &ac->keyblock); + krb5_copy_keyblock(context, &t->ticket.key, &ac->keyblock); ret = decrypt_authenticator (context, - &t.ticket.key, + &t->ticket.key, &ap_req->authenticator, ac->authenticator, usage); if (ret) - goto out2; + goto out; { krb5_principal p1, p2; krb5_boolean res; - principalname2krb5_principal(&p1, - ac->authenticator->cname, - ac->authenticator->crealm); - principalname2krb5_principal(&p2, - t.ticket.cname, - t.ticket.crealm); + _krb5_principalname2krb5_principal(&p1, + ac->authenticator->cname, + ac->authenticator->crealm); + _krb5_principalname2krb5_principal(&p2, + t->ticket.cname, + t->ticket.crealm); res = krb5_principal_compare (context, p1, p2); krb5_free_principal (context, p1); krb5_free_principal (context, p2); if (!res) { ret = KRB5KRB_AP_ERR_BADMATCH; krb5_clear_error_string (context); - goto out2; + goto out; } } /* check addresses */ - if (t.ticket.caddr + if (t->ticket.caddr && ac->remote_address && !krb5_address_search (context, ac->remote_address, - t.ticket.caddr)) { + 
t->ticket.caddr)) { ret = KRB5KRB_AP_ERR_BADADDR; krb5_clear_error_string (context); - goto out2; + goto out; + } + + /* check timestamp in authenticator */ + { + krb5_timestamp now; + + krb5_timeofday (context, &now); + + if (abs(ac->authenticator->ctime - now) > context->max_skew) { + ret = KRB5KRB_AP_ERR_SKEW; + krb5_clear_error_string (context); + goto out; + } } if (ac->authenticator->seq_number) @@ -363,38 +436,57 @@ krb5_verify_ap_req2(krb5_context context, ret = krb5_auth_con_setremotesubkey(context, ac, ac->authenticator->subkey); if (ret) - goto out2; + goto out; + } + + ret = find_etypelist(context, ac, &etypes); + if (ret) + goto out; + + ac->keytype = ETYPE_NULL; + + if (etypes.val) { + int i; + + for (i = 0; i < etypes.len; i++) { + if (krb5_enctype_valid(context, etypes.val[i]) == 0) { + ac->keytype = etypes.val[i]; + break; + } + } } if (ap_req_options) { *ap_req_options = 0; + if (ac->keytype != ETYPE_NULL) + *ap_req_options |= AP_OPTS_USE_SUBKEY; if (ap_req->ap_options.use_session_key) *ap_req_options |= AP_OPTS_USE_SESSION_KEY; if (ap_req->ap_options.mutual_required) *ap_req_options |= AP_OPTS_MUTUAL_REQUIRED; } - if(ticket){ - *ticket = malloc(sizeof(**ticket)); - **ticket = t; - } else - krb5_free_ticket (context, &t); + if(ticket) + *ticket = t; + else + krb5_free_ticket (context, t); if (auth_context) { if (*auth_context == NULL) *auth_context = ac; } else krb5_auth_con_free (context, ac); + free_EtypeList(&etypes); return 0; - out2: - krb5_free_ticket (context, &t); out: + if (t) + krb5_free_ticket (context, t); if (auth_context == NULL || *auth_context == NULL) krb5_auth_con_free (context, ac); return ret; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rd_req_with_keyblock(krb5_context context, krb5_auth_context *auth_context, const krb5_data *inbuf, @@ -469,7 +561,7 @@ out: return ret; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_rd_req(krb5_context context, krb5_auth_context *auth_context, const krb5_data *inbuf, 
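Review bot: `abs(ac->authenticator->ctime - now)` can overflow: both operands appear to be krb5_timestamp, which as far as I can tell is a 32-bit signed type, `ctime` is taken from the peer-supplied authenticator, and signed overflow as well as abs(INT_MIN) are undefined behaviour in C, so a far-off ctime may be mis-compared instead of rejected with KRB5KRB_AP_ERR_SKEW. Compute the difference in a wider type, e.g. `long long skew = (long long)now - (long long)ac->authenticator->ctime; if (skew < 0) skew = -skew; if (skew > context->max_skew) {`. abs() also needs <stdlib.h>, which I cannot confirm krb5_locl.h pulls in here. The enclosing krb5_verify_ap_req2 starts in the previous hunk and continues in the next.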
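Review bot: In the hunk that sets `ac->keytype`, `int i` is compared against `etypes.len`, which the ASN.1-generated EtypeList presumably declares unsigned, so this trips -Wsign-compare; declare `unsigned i` as find_etypelist already does. More importantly the only `free_EtypeList(&etypes)` sits on the success path: any future `goto out` added between find_etypelist() and the final return leaks the list. I would initialise `etypes.len = 0; etypes.val = NULL;` at the top of the function and release it once at `out:`, where it is a no-op when nothing was decoded. The function's start is outside this hunk.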
@@ -494,9 +586,9 @@ krb5_rd_req(krb5_context context, return ret; if(server == NULL){ - principalname2krb5_principal(&service, - ap_req.ticket.sname, - ap_req.ticket.realm); + _krb5_principalname2krb5_principal(&service, + ap_req.ticket.sname, + ap_req.ticket.realm); server = service; } if (ap_req.ap_options.use_session_key && @@ -533,8 +625,7 @@ krb5_rd_req(krb5_context context, ap_req_options, ticket); - if(keyblock != NULL) - krb5_free_keyblock(context, keyblock); + krb5_free_keyblock(context, keyblock); out: free_AP_REQ(&ap_req); diff --git a/kerberosV/src/lib/krb5/transited.c b/kerberosV/src/lib/krb5/transited.c index 7af9a319b16..4635a7d71d2 100644 --- a/kerberosV/src/lib/krb5/transited.c +++ b/kerberosV/src/lib/krb5/transited.c @@ -33,7 +33,7 @@ #include "krb5_locl.h" -RCSID("$KTH: transited.c,v 1.10.2.3 2003/10/22 06:07:41 lha Exp $"); +RCSID("$KTH: transited.c,v 1.15 2004/05/25 21:45:27 lha Exp $"); /* this is an attempt at one of the most horrible `compression' schemes that has ever been invented; it's so amazingly brain-dead @@ -299,7 +299,7 @@ decode_realms(krb5_context context, } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_domain_x500_decode(krb5_context context, krb5_data tr, char ***realms, int *num_realms, const char *client_realm, const char *server_realm) @@ -362,7 +362,7 @@ krb5_domain_x500_decode(krb5_context context, return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_domain_x500_encode(char **realms, int num_realms, krb5_data *encoding) { char *s = NULL; @@ -393,7 +393,7 @@ krb5_domain_x500_encode(char **realms, int num_realms, krb5_data *encoding) return 0; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_check_transited(krb5_context context, krb5_const_realm client_realm, krb5_const_realm server_realm, 
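Review bot: Dropping the `if(keyblock != NULL)` guard makes the unconditional `krb5_free_keyblock(context, keyblock)` depend on that function tolerating a NULL keyblock; nothing in this diff shows that it does, and the guard was presumably there for a reason, so please confirm against the library version being imported or keep the check. krb5_rd_req continues outside the hunk.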
@@ -431,7 +431,7 @@ krb5_check_transited(krb5_context context,
     return 0;
 }
 
-krb5_error_code
+krb5_error_code KRB5_LIB_FUNCTION
 krb5_check_transited_realms(krb5_context context,
                             const char *const *realms,
                             int num_realms,
diff --git a/kerberosV/src/lib/krb5/verify_krb5_conf.8 b/kerberosV/src/lib/krb5/verify_krb5_conf.8
index 667d026deef..3a758141636 100644
--- a/kerberosV/src/lib/krb5/verify_krb5_conf.8
+++ b/kerberosV/src/lib/krb5/verify_krb5_conf.8
@@ -1,6 +1,37 @@ -.\" $KTH: verify_krb5_conf.8,v 1.7 2002/08/20 17:07:28 joda Exp $ +.\" Copyright (c) 2000 - 2004 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. .\" -.Dd August 30, 2001 +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $KTH: verify_krb5_conf.8,v 1.11 2004/12/08 17:52:41 lha Exp $ +.\" +.Dd December 8, 2004 .Dt VERIFY_KRB5_CONF 8 .Os HEIMDAL .Sh NAME 
@@ -19,11 +50,19 @@ and parses it, thereby verifying that the syntax is correct. If the file is syntactically correct, .Nm tries to verify that the contents of the file is of relevant nature. +.Sh ENVIRONMENT +.Ev KRB5_CONFIG +points to the configuration file to read. +.Sh FILES +.Bl -tag -width /etc/kerberosV/krb5.conf -compact +.It Pa /etc/kerberosV/krb5.conf +Kerberos 5 configuration file +.El .Sh DIAGNOSTICS Possible output from .Nm include: -.Bl -tag -width "<path>" +.Bl -tag -width "FpathF" .It "<path>: failed to parse <something> as size/time/number/boolean" Usually means that <something> is misspelled, or that it contains weird characters. The parsing done by @@ -42,14 +81,6 @@ is confused. Means that <string> is unknown to .Nm Ns . .El -.Sh ENVIRONMENT -.Ev KRB5_CONFIG -points to the configuration file to read. -.Sh FILES -.Bl -tag -width /etc/kerberosV/krb5.conf -compact -.It Pa /etc/kerberosV/krb5.conf -Kerberos 5 configuration file -.El .Sh SEE ALSO .Xr krb5.conf 5 .Sh BUGS diff --git a/kerberosV/src/lib/krb5/verify_krb5_conf.c b/kerberosV/src/lib/krb5/verify_krb5_conf.c index 5a4e9784e19..20a6e515102 100644 --- a/kerberosV/src/lib/krb5/verify_krb5_conf.c +++ b/kerberosV/src/lib/krb5/verify_krb5_conf.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999 - 2003 Kungliga Tekniska Högskolan + * Copyright (c) 1999 - 2005 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * 
@@ -35,17 +35,20 @@ #include <getarg.h> #include <parse_bytes.h> #include <err.h> -RCSID("$KTH: verify_krb5_conf.c,v 1.17.2.2 2004/02/13 16:19:44 lha Exp $"); +RCSID("$KTH: verify_krb5_conf.c,v 1.33 2005/06/14 00:06:17 lha Exp $"); /* verify krb5.conf */ static int dumpconfig_flag = 0; static int version_flag = 0; static int help_flag = 0; +static int warn_mit_syntax_flag = 0; static struct getargs args[] = { {"dumpconfig", 0, arg_flag, &dumpconfig_flag, "show the parsed config files", NULL }, + {"warn-mit-syntax", 0, arg_flag, &warn_mit_syntax_flag, + "show the parsed config files", NULL }, {"version", 0, arg_flag, &version_flag, "print version", NULL }, {"help", 0, arg_flag, &help_flag, 
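Review bot: The help string of the new `warn-mit-syntax` option is a copy of the `dumpconfig` one, "show the parsed config files", which is wrong and will be printed by `--help`; given what mit_entry does with the flag later in this diff it should read something like `"warn about entries only understood by MIT Kerberos"`. The option table continues past the end of the hunk.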
@@ -138,23 +141,68 @@ check_host(krb5_context context, const char *path, char *data) int ret; char hostname[128]; const char *p = data; + struct addrinfo hints; + char service[32]; + int defport; struct addrinfo *ai; + + hints.ai_flags = 0; + hints.ai_family = PF_UNSPEC; + hints.ai_socktype = 0; + hints.ai_protocol = 0; + + hints.ai_addrlen = 0; + hints.ai_canonname = NULL; + hints.ai_addr = NULL; + hints.ai_next = NULL; + /* XXX data could be a list of hosts that this code can't handle */ /* XXX copied from krbhst.c */ if(strncmp(p, "http://", 7) == 0){ p += 7; + hints.ai_socktype = SOCK_STREAM; + strlcpy(service, "http", sizeof(service)); + defport = 80; } else if(strncmp(p, "http/", 5) == 0) { p += 5; + hints.ai_socktype = SOCK_STREAM; + strlcpy(service, "http", sizeof(service)); + defport = 80; }else if(strncmp(p, "tcp/", 4) == 0){ p += 4; + hints.ai_socktype = SOCK_STREAM; + strlcpy(service, "kerberos", sizeof(service)); + defport = 88; } else if(strncmp(p, "udp/", 4) == 0) { p += 4; + hints.ai_socktype = SOCK_DGRAM; + strlcpy(service, "kerberos", sizeof(service)); + defport = 88; + } else { + hints.ai_socktype = SOCK_DGRAM; + strlcpy(service, "kerberos", sizeof(service)); + defport = 88; } if(strsep_copy(&p, ":", hostname, sizeof(hostname)) < 0) { return 1; } hostname[strcspn(hostname, "/")] = '\0'; - ret = getaddrinfo(hostname, "telnet" /* XXX */, NULL, &ai); + if(p != NULL) { + char *end; + int tmp = strtol(p, &end, 0); + if(end == p) { + krb5_warnx(context, "%s: failed to parse port number in %s", + path, data); + return 1; + } + defport = tmp; + snprintf(service, sizeof(service), "%u", defport); + } + ret = getaddrinfo(hostname, service, &hints, &ai); + if(ret == EAI_SERVICE && !isdigit((unsigned char)service[0])) { + snprintf(service, sizeof(service), "%u", defport); + ret = getaddrinfo(hostname, service, &hints, &ai); + } if(ret != 0) { krb5_warnx(context, "%s: %s (%s)", path, gai_strerror(ret), hostname); return 1; 
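Review bot: The new port parsing only rejects an empty number: trailing garbage ("88x"), negative values and anything above 65535 are accepted by `strtol` and silently become the port, and `long` is narrowed into `int tmp` without a check; tighten it to `if(end == p || *end != '\0' || tmp < 1 || tmp > 65535) {` and keep the existing warning. The two `snprintf(service, sizeof(service), "%u", defport)` calls pass an `int` to `%u`, which is a format mismatch — use `"%d"`. check_host continues outside the hunk.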
@@ -162,17 +210,16 @@ check_host(krb5_context context, const char *path, char *data) return 0; } -#if 0 static int mit_entry(krb5_context context, const char *path, char *data) { - krb5_warnx(context, "%s is only used by MIT Kerberos", path); + if (warn_mit_syntax_flag) + krb5_warnx(context, "%s is only used by MIT Kerberos", path); return 0; } -#endif struct s2i { - char *s; + const char *s; int val; }; @@ -304,6 +351,12 @@ struct entry all_strings[] = { { NULL } }; +struct entry all_boolean[] = { + { "", krb5_config_string, check_boolean }, + { NULL } +}; + + struct entry v4_name_convert_entries[] = { { "host", krb5_config_list, all_strings }, { "plain", krb5_config_list, all_strings }, @@ -328,6 +381,7 @@ struct entry libdefaults_entries[] = { { "encrypt", krb5_config_string, check_boolean }, { "extra_addresses", krb5_config_string, NULL }, { "fcache_version", krb5_config_string, check_numeric }, + { "fcc-mit-ticketflags", krb5_config_string, check_boolean }, { "forward", krb5_config_string, check_boolean }, { "forwardable", krb5_config_string, check_boolean }, { "http_proxy", krb5_config_string, check_host /* XXX */ }, 
@@ -342,21 +396,34 @@ struct entry libdefaults_entries[] = { { "ticket_lifetime", krb5_config_string, check_time }, { "time_format", krb5_config_string, NULL }, { "transited_realms_reject", krb5_config_string, NULL }, + { "no-addresses", krb5_config_string, check_boolean }, { "v4_instance_resolve", krb5_config_string, check_boolean }, { "v4_name_convert", krb5_config_list, v4_name_convert_entries }, { "verify_ap_req_nofail", krb5_config_string, check_boolean }, + { "pkinit-openssl-engine", krb5_config_string, NULL }, + { "max_retries", krb5_config_string, check_time }, + { "renew_lifetime", krb5_config_string, check_time }, + { "proxiable", krb5_config_string, check_boolean }, + { "warn_pwexpire", krb5_config_string, check_time }, + /* MIT stuff */ + { "permitted_enctypes", krb5_config_string, mit_entry }, + { "default_tgs_enctypes", krb5_config_string, mit_entry }, + { "default_tkt_enctypes", krb5_config_string, mit_entry }, { NULL } }; struct entry appdefaults_entries[] = { { "afslog", krb5_config_string, check_boolean }, { "afs-use-524", krb5_config_string, check_524 }, + { "encrypt", krb5_config_string, check_boolean }, + { "forward", krb5_config_string, check_boolean }, { "forwardable", krb5_config_string, check_boolean }, { "proxiable", krb5_config_string, check_boolean }, { "ticket_lifetime", krb5_config_string, check_time }, { "renew_lifetime", krb5_config_string, check_time }, { "no-addresses", krb5_config_string, check_boolean }, { "krb4_get_tickets", krb5_config_string, check_boolean }, + { "pkinit-anchors", krb5_config_string, NULL }, #if 0 { "anonymous", krb5_config_string, check_boolean }, #endif 
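Review bot: `{ "max_retries", krb5_config_string, check_time }` looks wrong: max_retries is a retry count, not a duration, and every other count-style entry in these tables uses check_numeric, so a value such as "3" would presumably be checked as a time expression here; I believe the entry should read `{ "max_retries", krb5_config_string, check_numeric },`. The same hunk also adds `renew_lifetime` and `warn_pwexpire` with check_time, which do look right.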
@@ -378,7 +445,7 @@ struct entry realms_entries[] = { { "v4_instance_convert", krb5_config_list, all_strings }, { "v4_domains", krb5_config_string, NULL }, { "default_domain", krb5_config_string, NULL }, -#if 0 + { "win2k_pkinit", krb5_config_string, NULL }, /* MIT stuff */ { "admin_keytab", krb5_config_string, mit_entry }, { "acl_file", krb5_config_string, mit_entry }, @@ -394,7 +461,6 @@ struct entry realms_entries[] = { { "default_principal_flags", krb5_config_string, mit_entry }, { "supported_enctypes", krb5_config_string, mit_entry }, { "database_name", krb5_config_string, mit_entry }, -#endif { NULL } }; @@ -408,6 +474,8 @@ struct entry kdc_database_entries[] = { { "realm", krb5_config_string, NULL }, { "dbname", krb5_config_string, NULL }, { "mkey_file", krb5_config_string, NULL }, + { "acl_file", krb5_config_string, NULL }, + { "log_file", krb5_config_string, NULL }, { NULL } }; @@ -422,13 +490,19 @@ struct entry kdc_entries[] = { { "enable-kerberos4", krb5_config_string, check_boolean }, { "enable-524", krb5_config_string, check_boolean }, { "enable-http", krb5_config_string, check_boolean }, - { "check_ticket-addresses", krb5_config_string, check_boolean }, - { "allow-null-addresses", krb5_config_string, check_boolean }, + { "check-ticket-addresses", krb5_config_string, check_boolean }, + { "allow-null-ticket-addresses", krb5_config_string, check_boolean }, { "allow-anonymous", krb5_config_string, check_boolean }, { "v4_realm", krb5_config_string, NULL }, { "enable-kaserver", krb5_config_string, check_boolean }, { "encode_as_rep_as_tgs_rep", krb5_config_string, check_boolean }, { "kdc_warn_pwexpire", krb5_config_string, check_time }, + { "use_2b", krb5_config_list, NULL }, + { "enable-pkinit", krb5_config_string, check_boolean }, + { "pki-identity", krb5_config_string, NULL }, + { "pki-anchors", krb5_config_string, NULL }, + { "hdb-ldap-create-base", krb5_config_string, NULL }, + { "v4-realm", krb5_config_string, NULL }, { NULL } }; 
@@ -436,6 +510,7 @@ struct entry kadmin_entries[] = { { "password_lifetime", krb5_config_string, check_time }, { "default_keys", krb5_config_string, NULL }, { "use_v4_salt", krb5_config_string, NULL }, + { "require-preauth", krb5_config_string, check_boolean }, { NULL } }; struct entry log_strings[] = { @@ -444,13 +519,24 @@ struct entry log_strings[] = { }; -#if 0 +/* MIT stuff */ struct entry kdcdefaults_entries[] = { { "kdc_ports", krb5_config_string, mit_entry }, { "v4_mode", krb5_config_string, mit_entry }, { NULL } }; -#endif + +struct entry capaths_entries[] = { + { "", krb5_config_list, all_strings }, + { NULL } +}; + +struct entry password_quality_entries[] = { + { "policies", krb5_config_string, NULL }, + { "external_program", krb5_config_string, NULL }, + { "", krb5_config_list, all_strings }, + { NULL } +}; struct entry toplevel_sections[] = { { "libdefaults" , krb5_config_list, libdefaults_entries }, @@ -460,10 +546,11 @@ struct entry toplevel_sections[] = { { "kdc", krb5_config_list, kdc_entries }, { "kadmin", krb5_config_list, kadmin_entries }, { "appdefaults", krb5_config_list, appdefaults_entries }, -#if 0 + { "gssapi", krb5_config_list, NULL }, + { "capaths", krb5_config_list, capaths_entries }, + { "password_quality", krb5_config_list, password_quality_entries }, /* MIT stuff */ { "kdcdefaults", krb5_config_list, kdcdefaults_entries }, -#endif { NULL } }; @@ -535,8 +622,10 @@ main(int argc, char **argv) int optind = 0; ret = krb5_init_context(&context); - if (ret) - errx (1, "krb5_init_context failed"); + if (ret == KRB5_CONFIG_BADFORMAT) + errx (1, "krb5_init_context failed to parse configuration file"); + else if (ret) + errx (1, "krb5_init_context failed with %d", ret); if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind)) usage(1); diff --git a/kerberosV/src/lib/krb5/warn.c b/kerberosV/src/lib/krb5/warn.c index 91b4375a7d5..be4980d8dfa 100644 --- a/kerberosV/src/lib/krb5/warn.c +++ b/kerberosV/src/lib/krb5/warn.c 
@@ -34,7 +34,7 @@ #include "krb5_locl.h" #include <err.h> -RCSID("$KTH: warn.c,v 1.14 2003/04/16 16:13:08 lha Exp $"); +RCSID("$KTH: warn.c,v 1.15 2004/05/25 21:46:26 lha Exp $"); static krb5_error_code _warnerr(krb5_context context, int do_errtext, krb5_error_code code, int level, const char *fmt, va_list ap) @@ -96,7 +96,7 @@ _warnerr(krb5_context context, int do_errtext, #undef __attribute__ #define __attribute__(X) -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_vwarn(krb5_context context, krb5_error_code code, const char *fmt, va_list ap) __attribute__ ((format (printf, 3, 0))) @@ -105,7 +105,7 @@ krb5_vwarn(krb5_context context, krb5_error_code code, } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_warn(krb5_context context, krb5_error_code code, const char *fmt, ...) __attribute__ ((format (printf, 3, 4))) { @@ -113,14 +113,14 @@ krb5_warn(krb5_context context, krb5_error_code code, const char *fmt, ...) return ret; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_vwarnx(krb5_context context, const char *fmt, va_list ap) __attribute__ ((format (printf, 2, 0))) { return _warnerr(context, 0, 0, 1, fmt, ap); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_warnx(krb5_context context, const char *fmt, ...) __attribute__ ((format (printf, 2, 3))) { @@ -128,7 +128,7 @@ krb5_warnx(krb5_context context, const char *fmt, ...) return ret; } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_verr(krb5_context context, int eval, krb5_error_code code, const char *fmt, va_list ap) __attribute__ ((noreturn, format (printf, 4, 0))) @@ -138,7 +138,7 @@ krb5_verr(krb5_context context, int eval, krb5_error_code code, } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_err(krb5_context context, int eval, krb5_error_code code, const char *fmt, ...) __attribute__ ((noreturn, format (printf, 4, 5))) 
@@ -147,7 +147,7 @@ krb5_err(krb5_context context, int eval, krb5_error_code code, exit(eval); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_verrx(krb5_context context, int eval, const char *fmt, va_list ap) __attribute__ ((noreturn, format (printf, 3, 0))) { @@ -155,7 +155,7 @@ krb5_verrx(krb5_context context, int eval, const char *fmt, va_list ap) exit(eval); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_errx(krb5_context context, int eval, const char *fmt, ...) __attribute__ ((noreturn, format (printf, 3, 4))) { @@ -163,7 +163,7 @@ krb5_errx(krb5_context context, int eval, const char *fmt, ...) exit(eval); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_vabort(krb5_context context, krb5_error_code code, const char *fmt, va_list ap) __attribute__ ((noreturn, format (printf, 3, 0))) @@ -173,7 +173,7 @@ krb5_vabort(krb5_context context, krb5_error_code code, } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_abort(krb5_context context, krb5_error_code code, const char *fmt, ...) __attribute__ ((noreturn, format (printf, 3, 4))) { @@ -181,7 +181,7 @@ krb5_abort(krb5_context context, krb5_error_code code, const char *fmt, ...) abort(); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_vabortx(krb5_context context, const char *fmt, va_list ap) __attribute__ ((noreturn, format (printf, 2, 0))) { @@ -189,7 +189,7 @@ krb5_vabortx(krb5_context context, const char *fmt, va_list ap) abort(); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_abortx(krb5_context context, const char *fmt, ...) __attribute__ ((noreturn, format (printf, 2, 3))) { @@ -197,7 +197,7 @@ krb5_abortx(krb5_context context, const char *fmt, ...) abort(); } -krb5_error_code +krb5_error_code KRB5_LIB_FUNCTION krb5_set_warn_dest(krb5_context context, krb5_log_facility *fac) { context->warn_dest = fac; diff --git a/kerberosV/src/lib/roken/daemon.c b/kerberosV/src/lib/roken/daemon.c index 072e8d29156..bafb9513b83 100644 
--- a/kerberosV/src/lib/roken/daemon.c +++ b/kerberosV/src/lib/roken/daemon.c @@ -35,7 +35,7 @@ static char sccsid[] = "@(#)daemon.c 8.1 (Berkeley) 6/4/93"; #include <config.h> #endif -RCSID("$KTH: daemon.c,v 1.3 1997/10/04 21:55:48 joda Exp $"); +RCSID("$KTH: daemon.c,v 1.5 2005/04/12 11:28:36 lha Exp $"); #ifndef HAVE_DAEMON @@ -51,7 +51,7 @@ RCSID("$KTH: daemon.c,v 1.3 1997/10/04 21:55:48 joda Exp $"); #include "roken.h" -int +int ROKEN_LIB_FUNCTION daemon(int nochdir, int noclose) { int fd; diff --git a/kerberosV/src/lib/roken/fnmatch.c b/kerberosV/src/lib/roken/fnmatch.c index e8bb44c876f..d3620cac058 100644 --- a/kerberosV/src/lib/roken/fnmatch.c +++ b/kerberosV/src/lib/roken/fnmatch.c @@ -52,7 +52,7 @@ static char rcsid[] = "$NetBSD: fnmatch.c,v 1.11 1995/02/27 03:43:06 cgd Exp $"; static const char *rangematch (const char *, int, int); -int +int ROKEN_LIB_FUNCTION fnmatch(const char *pattern, const char *string, int flags) { const char *stringstart; diff --git a/kerberosV/src/lib/roken/fnmatch.hin b/kerberosV/src/lib/roken/fnmatch.hin index 41df392c23b..47beb8d495b 100644 --- a/kerberosV/src/lib/roken/fnmatch.hin +++ b/kerberosV/src/lib/roken/fnmatch.hin @@ -34,12 +34,21 @@ #ifndef _FNMATCH_H_ #define _FNMATCH_H_ +#ifndef ROKEN_LIB_FUNCTION +#ifdef _WIN32 +#define ROKEN_LIB_FUNCTION _stdcall +#else +#define ROKEN_LIB_FUNCTION +#endif +#endif + #define FNM_NOMATCH 1 /* Match failed. */ #define FNM_NOESCAPE 0x01 /* Disable backslash escaping. */ #define FNM_PATHNAME 0x02 /* Slash must be matched by slash. */ #define FNM_PERIOD 0x04 /* Period must be matched by period. */ -int fnmatch (const char *, const char *, int); +int ROKEN_LIB_FUNCTION +fnmatch (const char *, const char *, int); #endif /* !_FNMATCH_H_ */ diff --git a/kerberosV/src/lib/roken/getaddrinfo-test.c b/kerberosV/src/lib/roken/getaddrinfo-test.c index 93844250f82..3cdc8dd57c4 100644 --- a/kerberosV/src/lib/roken/getaddrinfo-test.c +++ b/kerberosV/src/lib/roken/getaddrinfo-test.c 
@@ -33,7 +33,7 @@ #ifdef HAVE_CONFIG_H #include <config.h> -RCSID("$KTH: getaddrinfo-test.c,v 1.4 2001/02/20 01:44:54 assar Exp $"); +RCSID("$KTH: getaddrinfo-test.c,v 1.5 2005/03/02 22:51:36 lha Exp $"); #endif #include "roken.h" @@ -96,7 +96,7 @@ doit (const char *nodename, const char *servname) printf ("\tbad address?\n"); continue; } - printf ("\t(family = %d, socktype = %d, protocol = %d, " + printf ("\tfamily = %d, socktype = %d, protocol = %d, " "address = \"%s\", port = %d", r->ai_family, r->ai_socktype, r->ai_protocol, addrstr, diff --git a/kerberosV/src/lib/roken/getarg.c b/kerberosV/src/lib/roken/getarg.c index 383803b4ba2..03633fca755 100644 --- a/kerberosV/src/lib/roken/getarg.c +++ b/kerberosV/src/lib/roken/getarg.c @@ -33,7 +33,7 @@ #ifdef HAVE_CONFIG_H #include <config.h> -RCSID("$KTH: getarg.c,v 1.46 2002/08/20 16:23:07 joda Exp $"); +RCSID("$KTH: getarg.c,v 1.48 2005/04/12 11:28:43 lha Exp $"); #endif #include <stdio.h> @@ -200,7 +200,7 @@ check_column(FILE *f, int col, int len, int columns) return col; } -void +void ROKEN_LIB_FUNCTION arg_printusage (struct getargs *args, size_t num_args, const char *progname, @@ -309,12 +309,22 @@ arg_printusage (struct getargs *args, } } -static void +static int add_string(getarg_strings *s, char *value) { - s->strings = realloc(s->strings, (s->num_strings + 1) * sizeof(*s->strings)); + char **strings; + + strings = realloc(s->strings, (s->num_strings + 1) * sizeof(*s->strings)); + if (strings == NULL) { + free(s->strings); + s->strings = NULL; + s->num_strings = 0; + return ENOMEM; + } + s->strings = strings; s->strings[s->num_strings] = value; s->num_strings++; + return 0; } static int @@ -392,8 +402,7 @@ arg_match_long(struct getargs *args, size_t num_args, } case arg_strings: { - add_string((getarg_strings*)current->value, goptarg + 1); - return 0; + return add_string((getarg_strings*)current->value, goptarg + 1); } case arg_flag: case arg_negative_flag: 
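Review bot: add_string now returns ENOMEM, but the only include visible in this hunk is <stdio.h>; unless <errno.h> reaches this file through roken.h or config.h (above the hunk, not visible here) that is an undeclared identifier. The new failure contract is also undocumented — on realloc failure the vector is freed and reset to empty so free_getarg_strings() stays safe, and ENOMEM is propagated through arg_match_long/arg_match_short as getarg's own return value, where callers may expect only getarg's error codes. A comment on the function would capture that: `/* Append value (not copied) to s. Returns 0, or ENOMEM after freeing and emptying s so free_getarg_strings() remains safe. */`.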
@@ -499,8 +508,7 @@ arg_match_short (struct getargs *args, size_t num_args, *(char**)args[k].value = goptarg; return 0; } else if(args[k].type == arg_strings) { - add_string((getarg_strings*)args[k].value, goptarg); - return 0; + return add_string((getarg_strings*)args[k].value, goptarg); } else if(args[k].type == arg_double) { double tmp; if(sscanf(goptarg, "%lf", &tmp) != 1) @@ -517,7 +525,7 @@ arg_match_short (struct getargs *args, size_t num_args, return 0; } -int +int ROKEN_LIB_FUNCTION getarg(struct getargs *args, size_t num_args, int argc, char **argv, int *goptind) { @@ -553,7 +561,7 @@ getarg(struct getargs *args, size_t num_args, return ret; } -void +void ROKEN_LIB_FUNCTION free_getarg_strings (getarg_strings *s) { free (s->strings); diff --git a/kerberosV/src/lib/roken/getcap.c b/kerberosV/src/lib/roken/getcap.c index 04989a76933..0bc2af20b34 100644 --- a/kerberosV/src/lib/roken/getcap.c +++ b/kerberosV/src/lib/roken/getcap.c @@ -36,7 +36,7 @@ #include <config.h> #endif #include "roken.h" -RCSID("$KTH: getcap.c,v 1.8 2003/04/16 16:23:36 lha Exp $"); +RCSID("$KTH: getcap.c,v 1.10 2005/04/12 11:28:44 lha Exp $"); #include <sys/types.h> #include <ctype.h> 
@@ -80,24 +80,24 @@ static int getent (char **, size_t *, char **, int, const char *, int, char *); static int nfcmp (char *, char *); -int cgetset(const char *ent); -char *cgetcap(char *buf, const char *cap, int type); -int cgetent(char **buf, char **db_array, const char *name); -int cgetmatch(const char *buf, const char *name); -int cgetclose(void); +int ROKEN_LIB_FUNCTION cgetset(const char *ent); +char *ROKEN_LIB_FUNCTION cgetcap(char *buf, const char *cap, int type); +int ROKEN_LIB_FUNCTION cgetent(char **buf, char **db_array, const char *name); +int ROKEN_LIB_FUNCTION cgetmatch(const char *buf, const char *name); +int ROKEN_LIB_FUNCTION cgetclose(void); #if 0 int cgetfirst(char **buf, char **db_array); int cgetnext(char **bp, char **db_array); #endif -int cgetstr(char *buf, const char *cap, char **str); -int cgetustr(char *buf, const char *cap, char **str); -int cgetnum(char *buf, const char *cap, long *num); +int ROKEN_LIB_FUNCTION cgetstr(char *buf, const char *cap, char **str); +int ROKEN_LIB_FUNCTION cgetustr(char *buf, const char *cap, char **str); +int ROKEN_LIB_FUNCTION cgetnum(char *buf, const char *cap, long *num); /* * Cgetset() allows the addition of a user specified buffer to be added * to the database array, in effect "pushing" the buffer on top of the * virtual database. 0 is returned on success, -1 on failure. */ -int +int ROKEN_LIB_FUNCTION cgetset(const char *ent) { const char *source, *check; @@ -150,7 +150,7 @@ cgetset(const char *ent) * If (cap, '@') or (cap, terminator, '@') is found before (cap, terminator) * return NULL. */ -char * +char * ROKEN_LIB_FUNCTION cgetcap(char *buf, const char *cap, int type) { char *bp; @@ -201,7 +201,7 @@ cgetcap(char *buf, const char *cap, int type) * encountered (couldn't open/read a file, etc.), and -3 if a potential * reference loop is detected. */ -int +int ROKEN_LIB_FUNCTION cgetent(char **buf, char **db_array, const char *name) { size_t dummy; 
@@ -695,7 +695,7 @@ static FILE *pfp; static int slash; static char **dbp; -int +int ROKEN_LIB_FUNCTION cgetclose(void) { if (pfp != NULL) { @@ -842,7 +842,7 @@ cgetnext(char **bp, char **db_array) * couldn't be found, -2 if a system error was encountered (storage * allocation failure). */ -int +int ROKEN_LIB_FUNCTION cgetstr(char *buf, const char *cap, char **str) { u_int m_room; @@ -966,7 +966,7 @@ cgetstr(char *buf, const char *cap, char **str) * -1 if the requested string capability couldn't be found, -2 if a system * error was encountered (storage allocation failure). */ -int +int ROKEN_LIB_FUNCTION cgetustr(char *buf, const char *cap, char **str) { u_int m_room; @@ -1035,7 +1035,7 @@ cgetustr(char *buf, const char *cap, char **str) * the long pointed to by num. 0 is returned on success, -1 if the requested * numeric capability couldn't be found. */ -int +int ROKEN_LIB_FUNCTION cgetnum(char *buf, const char *cap, long *num) { long n; diff --git a/kerberosV/src/lib/roken/getopt.c b/kerberosV/src/lib/roken/getopt.c index d935c655506..12bf138d026 100644 --- a/kerberosV/src/lib/roken/getopt.c +++ b/kerberosV/src/lib/roken/getopt.c @@ -51,7 +51,7 @@ char *optarg; /* argument associated with option */ #define BADARG (int)':' #define EMSG "" -int +int ROKEN_LIB_FUNCTION getopt(nargc, nargv, ostr) int nargc; char * const *nargv; diff --git a/kerberosV/src/lib/roken/getprogname.c b/kerberosV/src/lib/roken/getprogname.c index 5cf6b0e21d9..547c9f3ee8d 100644 --- a/kerberosV/src/lib/roken/getprogname.c +++ b/kerberosV/src/lib/roken/getprogname.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan + * Copyright (c) 1995-2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -33,7 +33,7 @@ #ifdef HAVE_CONFIG_H #include <config.h> -RCSID("$KTH: getprogname.c,v 1.1 2001/07/09 14:56:51 assar Exp $"); +RCSID("$KTH: getprogname.c,v 1.3 2005/04/12 11:28:48 lha Exp $"); #endif #include "roken.h" 
@@ -41,16 +41,9 @@ RCSID("$KTH: getprogname.c,v 1.1 2001/07/09 14:56:51 assar Exp $"); extern char *__progname; #ifndef HAVE_GETPROGNAME -const char * +const char * ROKEN_LIB_FUNCTION getprogname(void) { return __progname; } #endif /* HAVE_GETPROGNAME */ - -const char * -get_progname (void) -{ - return getprogname (); -} - diff --git a/kerberosV/src/lib/roken/getusershell.c b/kerberosV/src/lib/roken/getusershell.c index bf878776dd5..aed746cac3f 100644 --- a/kerberosV/src/lib/roken/getusershell.c +++ b/kerberosV/src/lib/roken/getusershell.c @@ -31,13 +31,14 @@ #include <config.h> #endif -RCSID("$KTH: getusershell.c,v 1.10 2000/05/22 09:11:59 joda Exp $"); +RCSID("$KTH: getusershell.c,v 1.14 2005/04/27 08:05:00 lha Exp $"); #ifndef HAVE_GETUSERSHELL #include <stdio.h> #include <stdlib.h> #include <string.h> +#include <ctype.h> #ifdef HAVE_PATHS_H #include <paths.h> #endif @@ -58,6 +59,7 @@ struct aud_rec; #ifdef HAVE_USERCONF_H #include <userconf.h> #endif +#include <roken.h> #ifndef _PATH_SHELLS #define _PATH_SHELLS "/etc/shells" @@ -83,7 +85,7 @@ static char **initshells (void); /* * Get a list of shells from _PATH_SHELLS, if it exists. */ -char * +char * ROKEN_LIB_FUNCTION getusershell() { char *ret; @@ -96,7 +98,7 @@ getusershell() return (ret); } -void +void ROKEN_LIB_FUNCTION endusershell() { if (shells != NULL) @@ -108,7 +110,7 @@ endusershell() curshell = NULL; } -void +void ROKEN_LIB_FUNCTION setusershell() { curshell = initshells(); @@ -175,7 +177,7 @@ initshells() if (*cp == '#' || *cp == '\0') continue; *sp++ = cp; - while (!isspace(*cp) && *cp != '#' && *cp != '\0') + while (!isspace((unsigned char)*cp) && *cp != '#' && *cp != '\0') cp++; *cp++ = '\0'; } diff --git a/kerberosV/src/lib/roken/glob.c b/kerberosV/src/lib/roken/glob.c index 55767ce7846..803eda17d1e 100644 --- a/kerberosV/src/lib/roken/glob.c +++ b/kerberosV/src/lib/roken/glob.c 
@@ -166,7 +166,7 @@ static int match (Char *, Char *, Char *); static void qprintf (const char *, Char *); #endif -int +int ROKEN_LIB_FUNCTION glob(const char *pattern, int flags, int (*errfunc)(const char *, int), @@ -741,7 +741,7 @@ match(Char *name, Char *pat, Char *patend) } /* Free allocated data belonging to a glob_t structure. */ -void +void ROKEN_LIB_FUNCTION globfree(glob_t *pglob) { int i; diff --git a/kerberosV/src/lib/roken/glob.hin b/kerberosV/src/lib/roken/glob.hin index 660d1edca31..fb6b5398615 100644 --- a/kerberosV/src/lib/roken/glob.hin +++ b/kerberosV/src/lib/roken/glob.hin @@ -35,6 +35,18 @@ #ifndef _GLOB_H_ #define _GLOB_H_ +#ifndef ROKEN_LIB_FUNCTION +#ifdef _WIN32 +#define ROKEN_LIB_FUNCTION _stdcall +#else +#define ROKEN_LIB_FUNCTION +#endif +#endif + +#define glob_t rk_glob_t +#define glob rk_glob +#define globfree rk_globfree + struct stat; typedef struct { int gl_pathc; /* Count of total paths so far. */ @@ -75,7 +87,10 @@ typedef struct { #define GLOB_NOSPACE (-1) /* Malloc call failed. */ #define GLOB_ABEND (-2) /* Unignored error. */ -int glob (const char *, int, int (*)(const char *, int), glob_t *); -void globfree (glob_t *); +int ROKEN_LIB_FUNCTION +glob (const char *, int, int (*)(const char *, int), glob_t *); + +void ROKEN_LIB_FUNCTION +globfree (glob_t *); #endif /* !_GLOB_H_ */ diff --git a/kerberosV/src/lib/roken/iruserok.c b/kerberosV/src/lib/roken/iruserok.c index ed6046d3864..395b3b9c6a8 100644 --- a/kerberosV/src/lib/roken/iruserok.c +++ b/kerberosV/src/lib/roken/iruserok.c @@ -29,7 +29,7 @@ #ifdef HAVE_CONFIG_H #include <config.h> -RCSID("$KTH: iruserok.c,v 1.23 1999/12/05 13:27:05 assar Exp $"); +RCSID("$KTH: iruserok.c,v 1.25 2005/04/12 11:28:54 lha Exp $"); #endif #include <stdio.h> @@ -217,7 +217,7 @@ __ivaliduser(FILE *hostf, unsigned raddr, const char *luser, * * Returns 0 if ok, -1 if not ok. */ -int +int ROKEN_LIB_FUNCTION iruserok(unsigned raddr, int superuser, const char *ruser, const char *luser) { char *cp; 
diff --git a/kerberosV/src/lib/roken/ndbm_wrap.c b/kerberosV/src/lib/roken/ndbm_wrap.c index 4e5d43e6d75..23354071c30 100644 --- a/kerberosV/src/lib/roken/ndbm_wrap.c +++ b/kerberosV/src/lib/roken/ndbm_wrap.c @@ -33,7 +33,7 @@ #ifdef HAVE_CONFIG_H #include <config.h> -RCSID("$KTH: ndbm_wrap.c,v 1.1.8.1 2003/08/29 17:00:34 lha Exp $"); +RCSID("$KTH: ndbm_wrap.c,v 1.4 2005/04/12 11:28:57 lha Exp $"); #endif #include "ndbm_wrap.h" @@ -50,6 +50,8 @@ RCSID("$KTH: ndbm_wrap.c,v 1.1.8.1 2003/08/29 17:00:34 lha Exp $"); #include <string.h> #include <fcntl.h> +/* XXX undefine open so this works on Solaris with large file support */ +#undef open #define DBT2DATUM(DBT, DATUM) do { (DATUM)->dptr = (DBT)->data; (DATUM)->dsize = (DBT)->size; } while(0) #define DATUM2DBT(DATUM, DBT) do { (DBT)->data = (DATUM)->dptr; (DBT)->size = (DATUM)->dsize; } while(0) @@ -61,7 +63,7 @@ static DBC *cursor; #define D(X) ((DB*)(X)) -void +void ROKEN_LIB_FUNCTION dbm_close (DBM *db) { #ifdef HAVE_DB3 @@ -72,7 +74,7 @@ dbm_close (DBM *db) #endif } -int +int ROKEN_LIB_FUNCTION dbm_delete (DBM *db, datum dkey) { DBT key; @@ -127,19 +129,19 @@ dbm_get (DB *db, int flags) #define DB_KEYEXIST 1 #endif -datum +datum ROKEN_LIB_FUNCTION dbm_firstkey (DBM *db) { return dbm_get(D(db), DB_FIRST); } -datum +datum ROKEN_LIB_FUNCTION dbm_nextkey (DBM *db) { return dbm_get(D(db), DB_NEXT); } -DBM* +DBM* ROKEN_LIB_FUNCTION dbm_open (const char *file, int flags, mode_t mode) { DB *db; @@ -180,7 +182,7 @@ dbm_open (const char *file, int flags, mode_t mode) return (DBM*)db; } -int +int ROKEN_LIB_FUNCTION dbm_store (DBM *db, datum dkey, datum dvalue, int flags) { int ret; @@ -200,13 +202,13 @@ dbm_store (DBM *db, datum dkey, datum dvalue, int flags) RETURN(ret); } -int +int ROKEN_LIB_FUNCTION dbm_error (DBM *db) { return 0; } -int +int ROKEN_LIB_FUNCTION dbm_clearerr (DBM *db) { return 0; diff --git a/kerberosV/src/lib/roken/parse_units.c b/kerberosV/src/lib/roken/parse_units.c index 7955f01dd92..3444c7ee3e7 100644 
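Review bot: The `#undef open` comment says what is undone but not why it is needed or what it costs: with Solaris large-file support <fcntl.h> turns `open` into a macro (open64), which would also rewrite the DB `->open` method call this wrapper presumably makes in dbm_open (below the hunk, not visible). Suggest replacing the XXX line with `/* Solaris large-file mode #defines open to open64, which also mangles the DB->open() member used below; undefine it. Any direct open(2) call after this point loses large-file support, so there must be none in this file. */` so the constraint is stated rather than rediscovered.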
--- a/kerberosV/src/lib/roken/parse_units.c +++ b/kerberosV/src/lib/roken/parse_units.c @@ -33,7 +33,7 @@ #ifdef HAVE_CONFIG_H #include <config.h> -RCSID("$KTH: parse_units.c,v 1.14 2001/09/04 09:56:00 assar Exp $"); +RCSID("$KTH: parse_units.c,v 1.18 2005/04/12 11:28:59 lha Exp $"); #endif #include <stdio.h> @@ -152,7 +152,7 @@ acc_units(int res, int val, unsigned mult) return res + val * mult; } -int +int ROKEN_LIB_FUNCTION parse_units (const char *s, const struct units *units, const char *def_unit) { @@ -178,7 +178,7 @@ acc_flags(int res, int val, unsigned mult) return -1; } -int +int ROKEN_LIB_FUNCTION parse_flags (const char *s, const struct units *units, int orig) { @@ -193,9 +193,8 @@ parse_flags (const char *s, const struct units *units, static int unparse_something (int num, const struct units *units, char *s, size_t len, - int (*print) (char *s, size_t len, int div, - const char *name, int rem), - int (*update) (int in, unsigned mult), + int (*print) (char *, size_t, int, const char *, int), + int (*update) (int, unsigned), const char *zero_string) { const struct units *u; @@ -211,17 +210,21 @@ unparse_something (int num, const struct units *units, char *s, size_t len, } for (u = units; num > 0 && u->name; ++u) { - int div; + int divisor; - div = num / u->mult; - if (div) { + divisor = num / u->mult; + if (divisor) { num = (*update) (num, u->mult); - tmp = (*print) (s, len, div, u->name, num); + tmp = (*print) (s, len, divisor, u->name, num); if (tmp < 0) return tmp; - - len -= tmp; - s += tmp; + if (tmp > len) { + len = 0; + s = NULL; + } else { + len -= tmp; + s += tmp; + } ret += tmp; } } 
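Review bot: The truncation branch in unparse_something tests `tmp > len`, but with snprintf semantics `tmp == len` is already a truncated write (only len-1 characters fit), and the comparison mixes int with size_t; `if ((size_t)tmp >= len) {` states the intent explicitly and is behaviourally equivalent, since in the `==` case len drops to 0 anyway. The new contract — keep accumulating `ret` as the would-be length after the buffer is exhausted, passing `s = NULL, len = 0` to the callback — depends on every `print` callback returning the snprintf-style full length, which is worth saying above the loop: `/* once the buffer is full, keep calling print with (NULL, 0) so ret still reflects the length needed */`. unparse_something's header is above the hunk.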
@@ -229,13 +232,12 @@ unparse_something (int num, const struct units *units, char *s, size_t len, } static int -print_unit (char *s, size_t len, int div, const char *name, int rem) +print_unit (char *s, size_t len, int divisor, const char *name, int rem) { - if (len == 0) - return(0); - (void) snprintf (s, len, "%u %s%s%s", - div, name, div == 1 ? "" : "s", rem > 0 ? " " : ""); - return(strlen(s)); + return snprintf (s, len, "%u %s%s%s", + divisor, name, + divisor == 1 ? "" : "s", + rem > 0 ? " " : ""); } static int @@ -253,7 +255,7 @@ update_unit_approx (int in, unsigned mult) return update_unit (in, mult); } -int +int ROKEN_LIB_FUNCTION unparse_units (int num, const struct units *units, char *s, size_t len) { return unparse_something (num, units, s, len, @@ -262,7 +264,7 @@ unparse_units (int num, const struct units *units, char *s, size_t len) "0"); } -int +int ROKEN_LIB_FUNCTION unparse_units_approx (int num, const struct units *units, char *s, size_t len) { return unparse_something (num, units, s, len, @@ -271,7 +273,7 @@ unparse_units_approx (int num, const struct units *units, char *s, size_t len) "0"); } -void +void ROKEN_LIB_FUNCTION print_units_table (const struct units *units, FILE *f) { const struct units *u, *u2; @@ -305,7 +307,7 @@ print_units_table (const struct units *units, FILE *f) } static int -print_flag (char *s, size_t len, int div, const char *name, int rem) +print_flag (char *s, size_t len, int divisor, const char *name, int rem) { if (len == 0) return(0); @@ -319,7 +321,7 @@ update_flag (int in, unsigned mult) return in - mult; } -int +int ROKEN_LIB_FUNCTION unparse_flags (int num, const struct units *units, char *s, size_t len) { return unparse_something (num, units, s, len, @@ -328,7 +330,7 @@ unparse_flags (int num, const struct units *units, char *s, size_t len) ""); } -void +void ROKEN_LIB_FUNCTION print_flags_table (const struct units *units, FILE *f) { const struct units *u; 
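Review bot: print_unit now returns snprintf's would-be length, but print_flag in the `@@ -305` hunk still starts with `if (len == 0) return(0);`, so once unparse_something has exhausted the buffer unparse_flags adds 0 for every remaining flag and its return value no longer reports the size needed, unlike unparse_units. The rest of print_flag is below the hunk and not visible; if it also derives its result from strlen(s) it needs the same rewrite as print_unit — return the snprintf value directly and drop the len == 0 early return — so the two unparse_* contracts agree.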
diff --git a/kerberosV/src/lib/roken/print_version.c b/kerberosV/src/lib/roken/print_version.c index d46ab992ba2..ffe7f58b419 100644 --- a/kerberosV/src/lib/roken/print_version.c +++ b/kerberosV/src/lib/roken/print_version.c @@ -33,7 +33,7 @@ #ifdef HAVE_CONFIG_H #include <config.h> -RCSID("$KTH: print_version.c,v 1.8 2001/02/20 01:44:55 assar Exp $"); +RCSID("$KTH: print_version.c,v 1.9 2005/04/12 11:29:00 lha Exp $"); #endif #include "roken.h" @@ -41,7 +41,7 @@ RCSID("$KTH: print_version.c,v 1.8 2001/02/20 01:44:55 assar Exp $"); extern char *__progname; -void +void ROKEN_LIB_FUNCTION print_version(const char *progname) { const char *arg[] = VERSIONLIST; diff --git a/kerberosV/src/lib/roken/resolve.c b/kerberosV/src/lib/roken/resolve.c index 452cd55bc9e..0db6bc31312 100644 --- a/kerberosV/src/lib/roken/resolve.c +++ b/kerberosV/src/lib/roken/resolve.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1995 - 2003 Kungliga Tekniska Högskolan + * Copyright (c) 1995 - 2004 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * 
@@ -45,35 +45,39 @@ #include <assert.h> -RCSID("$KTH: resolve.c,v 1.38.2.1 2003/04/22 15:02:47 lha Exp $"); +RCSID("$KTH: resolve.c,v 1.50 2005/04/12 11:29:01 lha Exp $"); +#ifdef _AIX /* AIX have broken res_nsearch() in 5.1 (5.0 also ?) */ #undef HAVE_RES_NSEARCH -#if (defined(HAVE_RES_SEARCH) || defined(HAVE_RES_NSEARCH)) && defined(HAVE_DN_EXPAND) +#endif -#define DECL(X) {#X, T_##X} +#define DECL(X) {#X, rk_ns_t_##X} static struct stot{ const char *name; int type; }stot[] = { - DECL(A), - DECL(NS), - DECL(CNAME), - DECL(SOA), - DECL(PTR), - DECL(MX), - DECL(TXT), - DECL(AFSDB), - DECL(SIG), - DECL(KEY), - DECL(SRV), - DECL(NAPTR), + DECL(a), + DECL(aaaa), + DECL(ns), + DECL(cname), + DECL(soa), + DECL(ptr), + DECL(mx), + DECL(txt), + DECL(afsdb), + DECL(sig), + DECL(key), + DECL(srv), + DECL(naptr), + DECL(sshfp), + DECL(ds), {NULL, 0} }; int _resolve_debug = 0; -int +int ROKEN_LIB_FUNCTION dns_string_to_type(const char *name) { struct stot *p = stot; @@ -83,7 +87,7 @@ dns_string_to_type(const char *name) return -1; } -const char * +const char * ROKEN_LIB_FUNCTION dns_type_to_string(int type) { struct stot *p = stot; @@ -93,7 +97,9 @@ dns_type_to_string(int type) return NULL; } -void +#if (defined(HAVE_RES_SEARCH) || defined(HAVE_RES_NSEARCH)) && defined(HAVE_DN_EXPAND) + +void ROKEN_LIB_FUNCTION dns_free_data(struct dns_reply *r) { struct resource_record *rr; @@ -150,9 +156,9 @@ parse_record(const unsigned char *data, const unsigned char *end_data, (*rr)->ttl = ttl; (*rr)->size = size; switch(type){ - case T_NS: - case T_CNAME: - case T_PTR: + case rk_ns_t_ns: + case rk_ns_t_cname: + case rk_ns_t_ptr: status = dn_expand(data, end_data, p, host, sizeof(host)); if(status < 0) { free(*rr); @@ -164,8 +170,8 @@ parse_record(const unsigned char *data, const unsigned char *end_data, return -1; } break; - case T_MX: - case T_AFSDB:{ + case rk_ns_t_mx: + case rk_ns_t_afsdb:{ size_t hostlen; status = dn_expand(data, end_data, p + 2, host, sizeof(host)); 
@@ -189,7 +195,7 @@ parse_record(const unsigned char *data, const unsigned char *end_data, strlcpy((*rr)->u.mx->domain, host, hostlen + 1); break; } - case T_SRV:{ + case rk_ns_t_srv:{ size_t hostlen; status = dn_expand(data, end_data, p + 6, host, sizeof(host)); if(status < 0){ @@ -215,7 +221,7 @@ parse_record(const unsigned char *data, const unsigned char *end_data, strlcpy((*rr)->u.srv->target, host, hostlen + 1); break; } - case T_TXT:{ + case rk_ns_t_txt:{ if(size == 0 || size < *p + 1) { free(*rr); return -1; @@ -229,7 +235,7 @@ parse_record(const unsigned char *data, const unsigned char *end_data, (*rr)->u.txt[*p] = '\0'; break; } - case T_KEY : { + case rk_ns_t_key : { size_t key_len; if (size < 4) { @@ -251,7 +257,7 @@ parse_record(const unsigned char *data, const unsigned char *end_data, memcpy ((*rr)->u.key->key_data, p + 4, key_len); break; } - case T_SIG : { + case rk_ns_t_sig : { size_t sig_len, hostlen; if(size <= 18) { @@ -298,7 +304,7 @@ parse_record(const unsigned char *data, const unsigned char *end_data, break; } - case T_CERT : { + case rk_ns_t_cert : { size_t cert_len; if (size < 5) { 
@@ -320,6 +326,51 @@ parse_record(const unsigned char *data, const unsigned char *end_data, memcpy ((*rr)->u.cert->cert_data, p + 5, cert_len); break; } + case rk_ns_t_sshfp : { + size_t sshfp_len; + + if (size < 2) { + free(*rr); + return -1; + } + + sshfp_len = size - 2; + + (*rr)->u.sshfp = malloc (sizeof(*(*rr)->u.sshfp) + sshfp_len - 1); + if ((*rr)->u.sshfp == NULL) { + free(*rr); + return -1; + } + + (*rr)->u.sshfp->algorithm = p[0]; + (*rr)->u.sshfp->type = p[1]; + (*rr)->u.sshfp->sshfp_len = sshfp_len; + memcpy ((*rr)->u.sshfp->sshfp_data, p + 2, sshfp_len); + break; + } + case rk_ns_t_ds: { + size_t digest_len; + + if (size < 4) { + free(*rr); + return -1; + } + + digest_len = size - 4; + + (*rr)->u.ds = malloc (sizeof(*(*rr)->u.ds) + digest_len - 1); + if ((*rr)->u.ds == NULL) { + free(*rr); + return -1; + } + + (*rr)->u.ds->key_tag = (p[0] << 8) | p[1]; + (*rr)->u.ds->algorithm = p[2]; + (*rr)->u.ds->digest_type = p[3]; + (*rr)->u.ds->digest_len = digest_len; + memcpy ((*rr)->u.ds->digest_data, p + 4, digest_len); + break; + } default: (*rr)->u.data = (unsigned char*)malloc(size); if(size != 0 && (*rr)->u.data == NULL) { 
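Review bot: The new SSHFP and DS cases read `p[0..size-1]` and copy `size - 2` / `size - 4` bytes, which is only safe if parse_record has already checked that `size` bytes remain before `end_data`; that check is above the hunk and not visible, so each case deserves a one-line comment pointing at it rather than leaving the reader to find it. The `- 1` in both malloc sizes assumes the trailing data member is declared as a one-byte array in resolve.h, mirroring the key/cert cases — `/* struct ends in a 1-byte array, hence -1 */` would document that. Neither case validates that `sshfp_len` matches what `type` implies (RFC 4255 fixes SHA-1 fingerprints at 20 bytes) or that `digest_len` matches `digest_type`; a note that the record is stored unvalidated would tell consumers comparing fingerprints to check the length themselves.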
@@ -351,15 +402,33 @@ parse_reply(const unsigned char *data, size_t len) return NULL; p = data; -#if 0 - /* doesn't work on Crays */ - memcpy(&r->h, p, sizeof(HEADER)); - p += sizeof(HEADER); -#else - memcpy(&r->h, p, 12); /* XXX this will probably be mostly garbage */ + + r->h.id = (p[0] << 8) | p[1]; + r->h.flags = 0; + if (p[2] & 0x01) + r->h.flags |= rk_DNS_HEADER_RESPONSE_FLAG; + r->h.opcode = (p[2] >> 1) & 0xf; + if (p[2] & 0x20) + r->h.flags |= rk_DNS_HEADER_AUTHORITIVE_ANSWER; + if (p[2] & 0x40) + r->h.flags |= rk_DNS_HEADER_TRUNCATED_MESSAGE; + if (p[2] & 0x80) + r->h.flags |= rk_DNS_HEADER_RECURSION_DESIRED; + if (p[3] & 0x01) + r->h.flags |= rk_DNS_HEADER_RECURSION_AVAILABLE; + if (p[3] & 0x04) + r->h.flags |= rk_DNS_HEADER_AUTHORITIVE_ANSWER; + if (p[3] & 0x08) + r->h.flags |= rk_DNS_HEADER_CHECKING_DISABLED; + r->h.response_code = (p[3] >> 4) & 0xf; + r->h.qdcount = (p[4] << 8) | p[5]; + r->h.ancount = (p[6] << 8) | p[7]; + r->h.nscount = (p[8] << 8) | p[9]; + r->h.arcount = (p[10] << 8) | p[11]; + p += 12; -#endif - if(ntohs(r->h.qdcount) != 1) { + + if(r->h.qdcount != 1) { free(r); return NULL; } @@ -384,21 +453,21 @@ parse_reply(const unsigned char *data, size_t len) p += 2; rr = &r->head; - for(i = 0; i < ntohs(r->h.ancount); i++) { + for(i = 0; i < r->h.ancount; i++) { if(parse_record(data, end_data, &p, rr) != 0) { dns_free_data(r); return NULL; } rr = &(*rr)->next; } - for(i = 0; i < ntohs(r->h.nscount); i++) { + for(i = 0; i < r->h.nscount; i++) { if(parse_record(data, end_data, &p, rr) != 0) { dns_free_data(r); return NULL; } rr = &(*rr)->next; } - for(i = 0; i < ntohs(r->h.arcount); i++) { + for(i = 0; i < r->h.arcount; i++) { if(parse_record(data, end_data, &p, rr) != 0) { dns_free_data(r); return NULL; 
@@ -412,51 +481,76 @@ parse_reply(const unsigned char *data, size_t len) static struct dns_reply * dns_lookup_int(const char *domain, int rr_class, int rr_type) { - unsigned char reply[1024]; + struct dns_reply *r; + unsigned char *reply = NULL; + int size; int len; #ifdef HAVE_RES_NSEARCH - struct __res_state stat; - memset(&stat, 0, sizeof(stat)); - if(res_ninit(&stat)) + struct __res_state state; + memset(&state, 0, sizeof(state)); + if(res_ninit(&state)) return NULL; /* is this the best we can do? */ #elif defined(HAVE__RES) u_long old_options = 0; #endif - if (_resolve_debug) { + size = 0; + len = 1000; + do { + if (reply) { + free(reply); + reply = NULL; + } + if (size <= len) + size = len; + if (_resolve_debug) { #ifdef HAVE_RES_NSEARCH - stat.options |= RES_DEBUG; + state.options |= RES_DEBUG; #elif defined(HAVE__RES) - old_options = _res.options; - _res.options |= RES_DEBUG; + old_options = _res.options; + _res.options |= RES_DEBUG; #endif - fprintf(stderr, "dns_lookup(%s, %d, %s)\n", domain, - rr_class, dns_type_to_string(rr_type)); - } + fprintf(stderr, "dns_lookup(%s, %d, %s), buffer size %d\n", domain, + rr_class, dns_type_to_string(rr_type), size); + } + reply = malloc(size); + if (reply == NULL) { +#ifdef HAVE_RES_NSEARCH + res_nclose(&state); +#endif + return NULL; + } #ifdef HAVE_RES_NSEARCH - len = res_nsearch(&stat, domain, rr_class, rr_type, reply, sizeof(reply)); + len = res_nsearch(&state, domain, rr_class, rr_type, reply, size); #else - len = res_search(domain, rr_class, rr_type, reply, sizeof(reply)); + len = res_search(domain, rr_class, rr_type, reply, size); #endif - if (_resolve_debug) { + if (_resolve_debug) { #if defined(HAVE__RES) && !defined(HAVE_RES_NSEARCH) - _res.options = old_options; + _res.options = old_options; #endif - fprintf(stderr, "dns_lookup(%s, %d, %s) --> %d\n", - domain, rr_class, dns_type_to_string(rr_type), len); - } + fprintf(stderr, "dns_lookup(%s, %d, %s) --> %d\n", + domain, rr_class, dns_type_to_string(rr_type), 
len); + } + if (len < 0) { #ifdef HAVE_RES_NSEARCH - res_nclose(&stat); -#endif - if(len < 0) { - return NULL; - } else { - len = min(len, sizeof(reply)); - return parse_reply(reply, len); - } + res_nclose(&state); +#endif + free(reply); + return NULL; + } + } while (size < len && len < rk_DNS_MAX_PACKET_SIZE); +#ifdef HAVE_RES_NSEARCH + res_nclose(&state); +#endif + + len = min(len, size); + r = parse_reply(reply, len); + free(reply); + return r; } -struct dns_reply * +struct dns_reply * ROKEN_LIB_FUNCTION dns_lookup(const char *domain, const char *type_name) { int type; @@ -486,7 +580,7 @@ compare_srv(const void *a, const void *b) #endif /* try to rearrange the srv-records by the algorithm in RFC2782 */ -void +void ROKEN_LIB_FUNCTION dns_srv_order(struct dns_reply *r) { struct resource_record **srvs, **ss, **headp; @@ -499,7 +593,7 @@ dns_srv_order(struct dns_reply *r) #endif for(rr = r->head; rr; rr = rr->next) - if(rr->type == T_SRV) + if(rr->type == rk_ns_t_srv) num_srv++; if(num_srv == 0) @@ -512,7 +606,7 @@ dns_srv_order(struct dns_reply *r) /* unlink all srv-records from the linked list and put them in a vector */ for(ss = srvs, headp = &r->head; *headp; ) - if((*headp)->type == T_SRV) { + if((*headp)->type == rk_ns_t_srv) { *ss = *headp; *headp = (*headp)->next; (*ss)->next = NULL; 
@@ -577,88 +671,20 @@ dns_srv_order(struct dns_reply *r)
 #else /* NOT defined(HAVE_RES_SEARCH) && defined(HAVE_DN_EXPAND) */
-struct dns_reply *
+struct dns_reply * ROKEN_LIB_FUNCTION
 dns_lookup(const char *domain, const char *type_name)
 {
 return NULL;
 }
-void
+void ROKEN_LIB_FUNCTION
 dns_free_data(struct dns_reply *r)
 {
 }
-void
+void ROKEN_LIB_FUNCTION
 dns_srv_order(struct dns_reply *r)
 {
 }
 #endif
-
-#ifdef TEST
-int
-main(int argc, char **argv)
-{
- struct dns_reply *r;
- struct resource_record *rr;
- r = dns_lookup(argv[1], argv[2]);
- if(r == NULL){
- printf("No reply.\n");
- return 1;
- }
- if(r->q.type == T_SRV)
- dns_srv_order(r);
-
- for(rr = r->head; rr;rr=rr->next){
- printf("%-30s %-5s %-6d ", rr->domain, dns_type_to_string(rr->type), rr->ttl);
- switch(rr->type){
- case T_NS:
- case T_CNAME:
- case T_PTR:
- printf("%s\n", (char*)rr->u.data);
- break;
- case T_A:
- printf("%s\n", inet_ntoa(*rr->u.a));
- break;
- case T_MX:
- case T_AFSDB:{
- printf("%d %s\n", rr->u.mx->preference, rr->u.mx->domain);
- break;
- }
- case T_SRV:{
- struct srv_record *srv = rr->u.srv;
- printf("%d %d %d %s\n", srv->priority, srv->weight,
- srv->port, srv->target);
- break;
- }
- case T_TXT: {
- printf("%s\n", rr->u.txt);
- break;
- }
- case T_SIG : {
- struct sig_record *sig = rr->u.sig;
- const char *type_string = dns_type_to_string (sig->type);
-
- printf ("type %u (%s), algorithm %u, labels %u, orig_ttl %u, sig_expiration %u, sig_inception %u, key_tag %u, signer %s\n",
- sig->type, type_string ? type_string : "",
- sig->algorithm, sig->labels, sig->orig_ttl,
- sig->sig_expiration, sig->sig_inception, sig->key_tag,
- sig->signer);
- break;
- }
- case T_KEY : {
- struct key_record *key = rr->u.key;
-
- printf ("flags %u, protocol %u, algorithm %u\n",
- key->flags, key->protocol, key->algorithm);
- break;
- }
- default:
- printf("\n");
- break;
- }
- }
-
- return 0;
-}
-#endif
diff --git a/kerberosV/src/lib/roken/unvis.c b/kerberosV/src/lib/roken/unvis.c
index fc3eaf0b1fb..10df0d77934 100644
--- a/kerberosV/src/lib/roken/unvis.c
+++ b/kerberosV/src/lib/roken/unvis.c
@@ -32,7 +32,7 @@
 #if 1
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$KTH: unvis.c,v 1.2 2000/12/06 21:41:46 joda Exp $");
+RCSID("$KTH: unvis.c,v 1.5 2005/04/18 08:28:35 lha Exp $");
 #endif
 #include <roken.h>
 #ifndef _DIAGASSERT
@@ -86,7 +86,7 @@ __warn_references(unvis,
 * unvis - decode characters previously encoded by vis
 */
 #ifndef HAVE_UNVIS
-int
+int ROKEN_LIB_FUNCTION
 unvis(char *cp, int c, int *astate, int flag)
 {
@@ -250,7 +250,7 @@ unvis(char *cp, int c, int *astate, int flag)
 */
 #ifndef HAVE_STRUNVIS
-int
+int ROKEN_LIB_FUNCTION
 strunvis(char *dst, const char *src)
 {
 char c;
@@ -262,7 +262,7 @@ strunvis(char *dst, const char *src)
 while ((c = *src++) != '\0') {
 again:
- switch (unvis(dst, c, &state, 0)) {
+ switch (unvis(dst, (unsigned char)c, &state, 0)) {
 case UNVIS_VALID:
 dst++;
 break;
@@ -276,7 +276,7 @@ strunvis(char *dst, const char *src)
 return (-1);
 }
 }
- if (unvis(dst, c, &state, UNVIS_END) == UNVIS_VALID)
+ if (unvis(dst, (unsigned char)c, &state, UNVIS_END) == UNVIS_VALID)
 dst++;
 *dst = '\0';
 return (dst - start);
diff --git a/kerberosV/src/lib/roken/vis.c b/kerberosV/src/lib/roken/vis.c
index d2cb1783f58..dc1c2e330a9 100644
--- a/kerberosV/src/lib/roken/vis.c
+++ b/kerberosV/src/lib/roken/vis.c
@@ -1,7 +1,6 @@
-/* $NetBSD: vis.c,v 1.19 2000/01/22 22:42:45 mycroft Exp $ */
+/* $NetBSD: vis.c,v 1.4 2003/08/07 09:15:32 agc Exp $ */
 /*-
- * Copyright (c) 1999 The NetBSD Foundation, Inc.
 * Copyright (c) 1989, 1993
 * The Regents of the University of California. All rights reserved.
 *
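Review bot: The `(unsigned char)c` casts in strunvis (the `@@ -262` hunk and again in `@@ -276`) stop bytes >= 0x80 from being sign-extended into a negative int on platforms where plain char is signed, but `c` is still declared `char c;` (visible as context at the end of the `@@ -250` hunk), so every future call into unvis has to remember the cast. Declaring `unsigned char c;` instead fixes it at the source; the `while ((c = *src++) != '\0')` loop keeps its meaning. If the cast is kept, a short comment at the first call site would save the next reader a trip to the bug tracker, e.g. `/* cast: keep high-bit bytes positive, char may be signed */`. The body of strunvis lies mostly outside these two hunks.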
@@ -30,11 +29,43 @@
 * SUCH DAMAGE.
 */
+/*-
+ * Copyright (c) 1999 The NetBSD Foundation, Inc.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by the University of
+ * California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
 #if 1
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$KTH: vis.c,v 1.5 2001/09/03 05:37:23 assar Exp $");
+RCSID("$KTH: vis.c,v 1.9 2005/04/12 11:29:15 lha Exp $");
 #endif
 #include <roken.h>
 #ifndef _DIAGASSERT
@@ -43,7 +74,7 @@ RCSID("$KTH: vis.c,v 1.5 2001/09/03 05:37:23 assar Exp $");
 #else
 #include <sys/cdefs.h>
 #if !defined(lint)
-__RCSID("$NetBSD: vis.c,v 1.19 2000/01/22 22:42:45 mycroft Exp $");
+__RCSID("$NetBSD: vis.c,v 1.4 2003/08/07 09:15:32 agc Exp $");
 #endif /* not lint */
 #endif
@@ -178,7 +209,7 @@ do { \
 * pointed to by `extra'
 */
 #ifndef HAVE_SVIS
-char *
+char * ROKEN_LIB_FUNCTION
 svis(char *dst, int c, int flag, int nextc, const char *extra)
 {
 _DIAGASSERT(dst != NULL);
@@ -207,7 +238,7 @@ svis(char *dst, int c, int flag, int nextc, const char *extra)
 * This is useful for encoding a block of data.
 */
 #ifndef HAVE_STRSVIS
-int
+int ROKEN_LIB_FUNCTION
 strsvis(char *dst, const char *src, int flag, const char *extra)
 {
 char c;
@@ -226,7 +257,7 @@ strsvis(char *dst, const char *src, int flag, const char *extra)
 #ifndef HAVE_STRVISX
-int
+int ROKEN_LIB_FUNCTION
 strsvisx(char *dst, const char *src, size_t len, int flag, const char *extra)
 {
 char c;
@@ -250,7 +281,7 @@ strsvisx(char *dst, const char *src, size_t len, int flag, const char *extra)
 * vis - visually encode characters
 */
 #ifndef HAVE_VIS
-char *
+char * ROKEN_LIB_FUNCTION
 vis(char *dst, int c, int flag, int nextc)
 {
 char extra[MAXEXTRAS];
@@ -276,7 +307,7 @@ vis(char *dst, int c, int flag, int nextc)
 * This is useful for encoding a block of data.
 */
 #ifndef HAVE_STRVIS
-int
+int ROKEN_LIB_FUNCTION
 strvis(char *dst, const char *src, int flag)
 {
 char extra[MAXEXTRAS];
@@ -288,7 +319,7 @@ strvis(char *dst, const char *src, int flag)
 #ifndef HAVE_STRVISX
-int
+int ROKEN_LIB_FUNCTION
 strvisx(char *dst, const char *src, size_t len, int flag)
 {
 char extra[MAXEXTRAS];
diff --git a/kerberosV/src/lib/roken/vis.hin b/kerberosV/src/lib/roken/vis.hin
index a2ac48f81d6..c9f3f7cdc17 100644
--- a/kerberosV/src/lib/roken/vis.hin
+++ b/kerberosV/src/lib/roken/vis.hin
@@ -1,5 +1,5 @@
 /* $NetBSD: vis.h,v 1.11 1999/11/25 16:55:50 wennmach Exp $ */
-/* $KTH: vis.hin,v 1.1 2000/12/06 21:35:47 joda Exp $ */
+/* $KTH: vis.hin,v 1.3 2005/04/12 11:29:15 lha Exp $ */
 /*-
 * Copyright (c) 1990, 1993
@@ -35,6 +35,14 @@
 #ifndef _VIS_H_
 #define _VIS_H_
+#ifndef ROKEN_LIB_FUNCTION
+#ifdef _WIN32
+#define ROKEN_LIB_FUNCTION _stdcall
+#else
+#define ROKEN_LIB_FUNCTION
+#endif
+#endif
+
 /*
 * to select alternate encoding format
 */
@@ -70,13 +78,21 @@
 */
 #define UNVIS_END 1 /* no more characters */
-char *vis (char *, int, int, int);
-char *svis (char *, int, int, int, const char *);
-int strvis (char *, const char *, int);
-int strsvis (char *, const char *, int, const char *);
-int strvisx (char *, const char *, size_t, int);
-int strsvisx (char *, const char *, size_t, int, const char *);
-int strunvis (char *, const char *);
-int unvis (char *, int, int *, int);
+char ROKEN_LIB_FUNCTION
+ *vis (char *, int, int, int);
+char ROKEN_LIB_FUNCTION
+ *svis (char *, int, int, int, const char *);
+int ROKEN_LIB_FUNCTION
+ strvis (char *, const char *, int);
+int ROKEN_LIB_FUNCTION
+ strsvis (char *, const char *, int, const char *);
+int ROKEN_LIB_FUNCTION
+ strvisx (char *, const char *, size_t, int);
+int ROKEN_LIB_FUNCTION
+ strsvisx (char *, const char *, size_t, int, const char *);
+int ROKEN_LIB_FUNCTION
+ strunvis (char *, const char *);
+int ROKEN_LIB_FUNCTION
+ unvis (char *, int, int *, int);
 #endif /* !_VIS_H_ */
diff --git a/kerberosV/src/lib/roken/warnerr.c b/kerberosV/src/lib/roken/warnerr.c
index e37493b2530..0dbfa18a747 100644
--- a/kerberosV/src/lib/roken/warnerr.c
+++ b/kerberosV/src/lib/roken/warnerr.c
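Review bot: In the `@@ -70,13 +78,21 @@` hunk the two pointer-returning prototypes put ROKEN_LIB_FUNCTION between the return type and the `*` (`char ROKEN_LIB_FUNCTION` / `*vis (...)`), whereas the definitions in vis.c in this same commit write `char * ROKEN_LIB_FUNCTION` followed by `vis(...)`; with the `_WIN32` expansion to `_stdcall` added in the `@@ -35` hunk, whether a compiler attaches the calling convention to the function in the header's form, or treats the declaration and definition as mismatched, should be confirmed on that target. Writing the header the same way as vis.c, `char * ROKEN_LIB_FUNCTION vis (char *, int, int, int);`, removes the doubt. The `#ifndef ROKEN_LIB_FUNCTION` fallback also deserves a one-line comment on why this installed header repeats the definition, e.g. `/* vis.h may be included without roken.h; supply the export decoration locally */`.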
@@ -33,13 +33,13 @@
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$KTH: warnerr.c,v 1.15 2001/07/09 14:56:51 assar Exp $");
+RCSID("$KTH: warnerr.c,v 1.16 2005/04/12 11:29:17 lha Exp $");
 #endif
 #include "roken.h"
 #include "err.h"
-void
+void ROKEN_LIB_FUNCTION
 warnerr(int doerrno, const char *fmt, va_list ap)
 {
 int sverrno = errno;
diff --git a/kerberosV/src/lib/roken/write_pid.c b/kerberosV/src/lib/roken/write_pid.c
index 9c7662f80e4..2d5874e7944 100644
--- a/kerberosV/src/lib/roken/write_pid.c
+++ b/kerberosV/src/lib/roken/write_pid.c
@@ -33,7 +33,7 @@
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$KTH: write_pid.c,v 1.6 2001/09/02 23:58:15 assar Exp $");
+RCSID("$KTH: write_pid.c,v 1.7 2005/04/12 11:29:17 lha Exp $");
 #endif
 #include <stdio.h>
@@ -43,7 +43,7 @@ RCSID("$KTH: write_pid.c,v 1.6 2001/09/02 23:58:15 assar Exp $");
 #include "roken.h"
-char *
+char * ROKEN_LIB_FUNCTION
 pid_file_write (const char *progname)
 {
 FILE *fp;
@@ -62,7 +62,7 @@ pid_file_write (const char *progname)
 return ret;
 }
-void
+void ROKEN_LIB_FUNCTION
 pid_file_delete (char **filename)
 {
 if (*filename != NULL) {
diff --git a/kerberosV/src/lib/sl/sl.c b/kerberosV/src/lib/sl/sl.c
index 86e1f7cbccb..c45877f2f1d 100644
--- a/kerberosV/src/lib/sl/sl.c
+++ b/kerberosV/src/lib/sl/sl.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan
+ * Copyright (c) 1995 - 2004 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
@@ -33,7 +33,7 @@
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$KTH: sl.c,v 1.29 2001/02/20 01:44:55 assar Exp $");
+RCSID("$KTH: sl.c,v 1.31 2005/05/09 15:31:43 lha Exp $");
 #endif
 #include "sl_locl.h"
@@ -131,7 +131,7 @@ mandoc_template(SL_cmd *cmds,
 printf(".\\\".Sh BUGS\n");
 }
-static SL_cmd *
+SL_cmd *
 sl_match (SL_cmd *cmds, char *cmd, int exactp)
 {
 SL_cmd *c, *current = NULL, *partial_cmd = NULL;
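Review bot: Dropping `static` from sl_match in the sl.c `@@ -131,7 +131,7 @@` hunk gives a previously file-local symbol external linkage, but no prototype for it appears anywhere in this diff; unless sl.h is updated elsewhere in the commit, other translation units will call it without a declaration. Now that it is public, its `char *cmd` parameter should probably be `const char *cmd` if the body does not write through it — the body lies outside the hunk, so that needs checking. Suggest adding `SL_cmd *sl_match (SL_cmd *cmds, char *cmd, int exactp);` to the public header with a one-line comment on what `exactp` selects.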
@@ -295,7 +295,11 @@ static char *sl_readline(const char *prompt)
 return s;
 }
-/* return values: 0 on success, -1 on fatal error, or return value of command */
+/* return values:
+ * 0 on success,
+ * -1 on fatal error,
+ * -2 if EOF, or
+ * return value of command */
 int
 sl_command_loop(SL_cmd *cmds, const char *prompt, void **data)
 {
@@ -307,7 +311,7 @@ sl_command_loop(SL_cmd *cmds, const char *prompt, void **data)
 ret = 0;
 buf = sl_readline(prompt);
 if(buf == NULL)
- return 1;
+ return -2;
 if(*buf)
 add_history(buf);
@@ -334,7 +338,7 @@ sl_loop(SL_cmd *cmds, const char *prompt)
 {
 void *data = NULL;
 int ret;
- while((ret = sl_command_loop(cmds, prompt, &data)) == 0)
+ while((ret = sl_command_loop(cmds, prompt, &data)) >= 0)
 ;
 return ret;
 }
diff --git a/kerberosV/src/lib/vers/print_version.c b/kerberosV/src/lib/vers/print_version.c
index a87849ed6ba..499fd5e22b7 100644
--- a/kerberosV/src/lib/vers/print_version.c
+++ b/kerberosV/src/lib/vers/print_version.c
@@ -33,7 +33,7 @@
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$KTH: print_version.c,v 1.6.2.1 2004/02/12 18:31:33 joda Exp $");
+RCSID("$KTH: print_version.c,v 1.9 2005/01/01 14:27:47 lha Exp $");
 #endif
 #include "roken.h"
@@ -52,6 +52,6 @@ print_version(const char *progname)
 if(*package_list == '\0')
 package_list = "no version information";
 fprintf(stderr, "%s (%s)\n", progname, package_list);
- fprintf(stderr, "Copyright 1999-2004 Kungliga Tekniska Högskolan\n");
+ fprintf(stderr, "Copyright 1999-2005 Kungliga Tekniska Högskolan\n");
 fprintf(stderr, "Send bug-reports to %s\n", PACKAGE_BUGREPORT);
 } |
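Review bot: The `>= 0` condition in sl_loop (hunk `@@ -334,7 +338,7 @@`) changes which command results end the loop: a command returning a positive value used to stop sl_loop and now keeps it running, and sl_loop's own result at end of input moves from 1 (the old `return 1;` in sl_command_loop) to -2, so any caller that compared the result with 0 or 1 is affected. If that is intended, say so on sl_loop, e.g. `/* run until a command returns < 0 (-1 fatal, -2 EOF); positive command results do not end the loop */`, and check sl_loop's callers for the old EOF value. The body of sl_command_loop, where command return values are produced, lies outside these hunks.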