/aclocal.m4
/autom4te.cache
/compile
+/confdefs.h
/config.guess
/config.log
/config.status
/config.sub
/configure
+/conftest.c
+/conftest.err
/depcomp
/install-sh
/libtool
/stage1.diff
/stage2.diff
/test-driver
+/tmp.h
/ylwrap
/lib/libedit/aclocal.m4
#include "resolve.h"
#include "roken.h"
+#if (__STDC_VERSION__ - 0) < 199901L
+# define restrict /* empty */
+#endif
+
struct rk_dns_reply *
rk_dns_lookup(const char *domain, const char *type_name)
{
*) ac_lib="-l$ac_lib" ;;
esac
LIBS="$6 $ac_lib $5 $ac_save_LIBS"
- AC_LINK_IFELSE([AC_LANG_PROGRAM([[$3]],[[$1($4)]])],[eval "if test -n \"$ac_lib\";then ac_cv_funclib_$1=$ac_lib; else ac_cv_funclib_$1=yes; fi";break])
+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[char $1 (void);]],[[$1()]])],[eval "if test -n \"$ac_lib\";then ac_cv_funclib_$1=$ac_lib; else ac_cv_funclib_$1=yes; fi";break])
done
eval "ac_cv_funclib_$1=\${ac_cv_funclib_$1-no}"
LIBS="$ac_save_LIBS"
AC_DEFUN([AC_HAVE_STRUCT_FIELD], [
define(cache_val, translit(ac_cv_type_$1_$2, [A-Z ], [a-z_]))
AC_CACHE_CHECK([for $2 in $1], cache_val,[
-AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[$3]],
+AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include <string.h>
+$3]],
[[$1 x; memset(&x, 0, sizeof(x)); x.$2]])],
[cache_val=yes],
[cache_val=no])
if (r->req.req_body.kdc_options.canonicalize)
flags |= HDB_F_CANON;
+ if (krb5_principal_is_krbtgt(r->context, r->armor_server->principal) &&
+ !krb5_principal_is_root_krbtgt(r->context, r->armor_server->principal)) {
+ flags |= HDB_F_CROSS_REALM_PRINCIPAL;
+ }
+
ret = _krb5_principalname2krb5_principal(r->context,
&armor_client_principal,
r->armor_ticket->ticket.cname,
r->armor_clientdb = armor_db;
armor_db = NULL;
+ r->armor_client_principal = armor_client_principal;
+ armor_client_principal = NULL;
+
r->armor_client = armor_client;
armor_client = NULL;
KDC_LIB_FUNCTION const hdb_entry * KDC_LIB_CALL
kdc_request_get_explicit_armor_client(astgs_request_t);
+KDC_LIB_FUNCTION const Principal * KDC_LIB_CALL
+kdc_request_get_explicit_armor_client_principal(astgs_request_t);
+
KDC_LIB_FUNCTION const hdb_entry * KDC_LIB_CALL
kdc_request_get_explicit_armor_server(astgs_request_t);
*/
ASTGS_REQUEST_GET_ACCESSOR_PTR(hdb_entry *, armor_client);
+/*
+ * const Principal *
+ * kdc_request_get_armor_client_principal(astgs_request_t);
+ */
+
+ASTGS_REQUEST_GET_ACCESSOR_PTR(Principal *, armor_client_principal)
+
/*
* const hdb_entry *
* kdc_request_get_armor_server(astgs_request_t);
return r->explicit_armor_present ? r->armor_client : NULL;
}
+KDC_LIB_FUNCTION const Principal * KDC_LIB_CALL
+kdc_request_get_explicit_armor_client_principal(astgs_request_t r)
+{
+ return r->explicit_armor_present ? r->armor_client_principal : NULL;
+}
+
KDC_LIB_FUNCTION const hdb_entry * KDC_LIB_CALL
kdc_request_get_explicit_armor_server(astgs_request_t r)
{
enum krb5_kdc_trpolicy {
TRPOLICY_ALWAYS_CHECK,
TRPOLICY_ALLOW_PER_PRINCIPAL,
- TRPOLICY_ALWAYS_HONOUR_REQUEST
+ TRPOLICY_ALWAYS_HONOUR_REQUEST,
+ TRPOLICY_NEVER_CHECK,
};
struct krb5_kdc_configuration;
unsigned int require_pac : 1; \
unsigned int enable_fast : 1; \
unsigned int enable_fast_cookie : 1; \
- unsigned int enable_armored_pa_enc_timestamp : 1
+ unsigned int enable_armored_pa_enc_timestamp : 1; \
+ enum krb5_kdc_trpolicy trpolicy
#ifndef __KDC_LOCL_H__
struct krb5_kdc_configuration {
unsigned int allow_anonymous : 1;
unsigned int historical_anon_realm : 1;
unsigned int strict_nametypes : 1;
- enum krb5_kdc_trpolicy trpolicy;
unsigned int disable_pac : 1;
unsigned int enable_unarmored_pa_enc_timestamp : 1;
krb5_ticket *armor_ticket;
Key *armor_key;
+ krb5_principal armor_client_principal;
hdb_entry *armor_client;
HDB *armor_clientdb;
krb5_pac armor_pac;
#define PA_SYNTHETIC_OK 4
#define PA_REPLACE_REPLY_KEY 8 /* PA mech replaces reply key */
#define PA_USES_LONG_TERM_KEY 16 /* PA mech uses client's long-term key */
-#define PA_USES_FAST_COOKIE 32 /* Multi-step PA mech maintains state in PA-FX-COOKIE */
-#define PA_HARDWARE_AUTH 64 /* PA mech uses hardware authentication */
+#define PA_HARDWARE_AUTH 32 /* PA mech uses hardware authentication */
+#define PA_USES_FAST_COOKIE 64 /* Multi-step PA mech maintains state in PA-FX-COOKIE */
krb5_error_code (*validate)(astgs_request_t, const PA_DATA *pa);
krb5_error_code (*finalize_pac)(astgs_request_t r);
void (*cleanup)(astgs_request_t r);
* Hide client name for privacy reasons
*/
if (r->fast.flags.requested_hidden_names) {
- Realm anon_realm = KRB5_ANON_REALM;
+ const Realm anon_realm = KRB5_ANON_REALM;
free_Realm(&rep->crealm);
ret = copy_Realm(&anon_realm, &rep->crealm);
if (!config->historical_anon_realm &&
_kdc_is_anonymous(r->context, r->client_princ)) {
- Realm anon_realm = KRB5_ANON_REALM;
+ const Realm anon_realm = KRB5_ANON_REALM;
ret = copy_Realm(&anon_realm, &rep->crealm);
} else if (f.canonicalize || r->client->flags.force_canonicalize)
ret = copy_Realm(&r->canon_client_princ->realm, &rep->crealm);
krb5_free_ticket(r->context, r->armor_ticket);
if (r->armor_server)
_kdc_free_ent(r->context, r->armor_serverdb, r->armor_server);
+ if (r->armor_client_principal) {
+ krb5_free_principal(r->context, r->armor_client_principal);
+ r->armor_client_principal = NULL;
+ }
+ if (r->armor_client)
+ _kdc_free_ent(r->context,
+ r->armor_clientdb,
+ r->armor_client);
+ if (r->armor_pac)
+ krb5_pac_free(r->context, r->armor_pac);
krb5_free_keyblock_contents(r->context, &r->reply_key);
krb5_free_keyblock_contents(r->context, &r->enc_ad_key);
krb5_free_keyblock_contents(r->context, &r->session_key);
KDCOptions f = b->kdc_options;
krb5_error_code ret;
int is_weak = 0;
+ krb5_boolean check_policy = FALSE;
heim_assert(r->client_princ != NULL, "invalid client name passed to tgs_make_reply");
(r->config->trpolicy == TRPOLICY_ALLOW_PER_PRINCIPAL)
#define GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK \
(r->config->trpolicy == TRPOLICY_ALWAYS_HONOUR_REQUEST)
+#define GLOBAL_DISABLE_TRANSITED_CHECK \
+ (r->config->trpolicy == TRPOLICY_NEVER_CHECK)
/* these will consult the database in future release */
#define PRINCIPAL_FORCE_TRANSITED_CHECK(P) 0
#define PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(P) 0
+ if (GLOBAL_DISABLE_TRANSITED_CHECK) {
+ check_policy = FALSE;
+ } else if (!f.disable_transited_check) {
+ check_policy = TRUE;
+ } else if (GLOBAL_FORCE_TRANSITED_CHECK) {
+ check_policy = TRUE;
+ } else if (PRINCIPAL_FORCE_TRANSITED_CHECK(r->server)) {
+ check_policy = TRUE;
+ } else if (!((GLOBAL_ALLOW_PER_PRINCIPAL &&
+ PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(r->server)) ||
+ GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK))
+ {
+ check_policy = TRUE;
+ }
+
ret = fix_transited_encoding(r->context, r->config,
- !f.disable_transited_check ||
- GLOBAL_FORCE_TRANSITED_CHECK ||
- PRINCIPAL_FORCE_TRANSITED_CHECK(r->server) ||
- !((GLOBAL_ALLOW_PER_PRINCIPAL &&
- PRINCIPAL_ALLOW_DISABLE_TRANSITED_CHECK(r->server)) ||
- GLOBAL_ALLOW_DISABLE_TRANSITED_CHECK),
+ check_policy,
&tgt->transited, et,
krb5_principal_get_realm(r->context, r->client_princ),
krb5_principal_get_realm(r->context, r->server->principal),
et->flags.hw_authent = tgt->flags.hw_authent;
et->flags.ok_as_delegate = r->server->flags.ok_as_delegate;
+ /* See MS-KILE 3.3.5.7.5 Cross-Domain Trust and Referrals */
+ if (!r->krbtgt->flags.ok_as_delegate)
+ et->flags.ok_as_delegate = 0;
+
/* See MS-KILE 3.3.5.1 */
if (!r->server->flags.forwardable)
et->flags.forwardable = 0;
* This is OK, we are just trying to find out if they have
* been disabled or deleted in the meantime; missing secrets
* are OK.
+ *
+ * If HDB_F_CROSS_REALM_PRINCIPAL was passed this
+ * indicates the client is remote.
*/
} else if (ret) {
/*
* proper checks.
*/
ret = _kdc_db_fetch(context, config, user2user_princ,
- HDB_F_GET_CLIENT | flags,
+ HDB_F_GET_CLIENT | HDB_F_USER2USER_PRINCIPAL | flags,
NULL, &user2user_db, &user2user_client);
if (ret == HDB_ERR_NOENTRY)
ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
if (_kdc_synthetic_princ_used_p(context, priv->ticket))
flags |= HDB_F_SYNTHETIC_OK;
+ if (!krb5_principal_compare(context, priv->krbtgt->principal, krbtgt_out->principal))
+ flags |= HDB_F_CROSS_REALM_PRINCIPAL;
+
ret = _kdc_db_fetch_client(context, config, flags, priv->client_princ,
cpn, our_realm, &clientdb, &priv->client);
if (ret)
krb5_free_ticket(r->context, r->armor_ticket);
if (r->armor_server)
_kdc_free_ent(r->context, r->armor_serverdb, r->armor_server);
+ if (r->armor_client_principal) {
+ krb5_free_principal(r->context, r->armor_client_principal);
+ r->armor_client_principal = NULL;
+ }
if (r->armor_client)
_kdc_free_ent(r->context,
r->armor_clientdb,
kdc_request_get_addr
kdc_request_get_armor_client
kdc_request_get_armor_clientdb
+ kdc_request_get_armor_client_principal
kdc_request_get_armor_pac
kdc_request_get_armor_server
kdc_request_get_canon_client_princ
kdc_request_get_explicit_armor_pac
kdc_request_get_explicit_armor_clientdb
kdc_request_get_explicit_armor_client
+ kdc_request_get_explicit_armor_client_principal
kdc_request_get_explicit_armor_present
kdc_request_get_explicit_armor_server
kdc_request_get_from
HDB *clientdb,
krb5_const_principal s4u_principal,
const hdb_entry *client_krbtgt,
+ krb5_const_principal client_principal,
const hdb_entry *client,
const hdb_entry *device_krbtgt,
+ krb5_const_principal device_principal,
const hdb_entry *device,
krb5_const_pac client_pac,
krb5_const_pac device_pac,
ret = clientdb->hdb_check_rbcd(context,
clientdb,
client_krbtgt,
+ client_principal,
client,
device_krbtgt,
+ device_principal,
device,
s4u_principal,
client_pac,
EncTicketPart *ticket = &r->ticket->ticket;
hdb_entry *s4u_client = NULL;
HDB *s4u_clientdb;
- int flags = HDB_F_FOR_TGS_REQ;
+ int flags = HDB_F_FOR_TGS_REQ | HDB_F_S4U2SELF_PRINCIPAL;
krb5_principal s4u_client_name = NULL, s4u_canon_client_name = NULL;
krb5_pac s4u_pac = NULL;
char *s4ucname = NULL;
{
krb5_error_code ret;
KDC_REQ_BODY *b = &r->req.req_body;
- int flags = HDB_F_FOR_TGS_REQ;
+ int flags = HDB_F_FOR_TGS_REQ | HDB_F_S4U2PROXY_PRINCIPAL;
krb5_principal s4u_client_name = NULL, s4u_server_name = NULL;
krb5_principal s4u_canon_client_name = NULL;
krb5_pac s4u_pac = NULL;
if (rbcd_support) {
ret = check_rbcd(r->context, r->config, r->clientdb,
s4u_client_name,
- r->krbtgt, r->client,
- r->armor_server, r->armor_client,
- r->pac, r->armor_pac,
+ r->krbtgt,
+ r->client_princ,
+ r->client,
+ r->armor_server,
+ r->armor_client_principal,
+ r->armor_client,
+ r->pac,
+ r->armor_pac,
r->server);
} else {
ret = KRB5KDC_ERR_BADOPTION;
goto out;
}
+ /* s4u_client_name can be remote */
+ if (!krb5_realm_compare(r->context, s4u_client_name, s4u_server_name))
+ flags |= HDB_F_CROSS_REALM_PRINCIPAL;
+
/* Try lookup the delegated client in DB */
ret = _kdc_db_fetch_client(r->context, r->config, flags,
s4u_client_name, s4ucname, local_realm,
kdc_request_get_addr;
kdc_request_get_armor_client;
kdc_request_get_armor_clientdb;
+ kdc_request_get_armor_client_principal;
kdc_request_get_armor_pac;
kdc_request_get_armor_server;
kdc_request_get_canon_client_princ;
kdc_request_get_explicit_armor_pac;
kdc_request_get_explicit_armor_clientdb;
kdc_request_get_explicit_armor_client;
+ kdc_request_get_explicit_armor_client_principal;
kdc_request_get_explicit_armor_present;
kdc_request_get_explicit_armor_server;
kdc_request_get_from;
return GSS_S_BAD_MIC;
}
+ if (conf_state)
+ *conf_state = conf_flag;
+
HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
omret = _gssapi_msg_order_check(context_handle->order, seq_number);
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
if (omret)
return omret;
- if (conf_state)
- *conf_state = conf_flag;
-
*minor_status = 0;
return GSS_S_COMPLETE;
}
}
}
+ if (pconf_state) {
+ *pconf_state = conf_state;
+ }
+
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
ret = _gssapi_msg_order_check(ctx->order, seq_number);
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
return ret;
}
- if (pconf_state) {
- *pconf_state = conf_state;
- }
-
*minor_status = 0;
return GSS_S_COMPLETE;
}
gss_iov_buffer_desc *header, *trailer, *padding;
gss_cfx_wrap_token token, ttoken;
u_char token_flags;
- krb5_error_code ret;
+ krb5_error_code ret, seq_err;
unsigned usage;
uint16_t ec, rrc;
krb5_crypto_iov *data = NULL;
if (seq_number_hi) {
/* no support for 64-bit sequence numbers */
*minor_status = ERANGE;
- return GSS_S_UNSEQ_TOKEN;
+ return GSS_S_FAILURE | GSS_S_UNSEQ_TOKEN;
}
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
- ret = _gssapi_msg_order_check(ctx->order, seq_number_lo);
- if (ret != 0) {
- *minor_status = 0;
- HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
- return ret;
- }
+ seq_err = _gssapi_msg_order_check(ctx->order, seq_number_lo);
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
+ if (seq_err == GSS_S_FAILURE) {
+ *minor_status = 0;
+ return seq_err;
+ }
/*
* Decrypt and/or verify checksum
free(data);
*minor_status = 0;
- return GSS_S_COMPLETE;
+ return GSS_S_COMPLETE | seq_err;
failure:
if (data)
{
gss_cfx_wrap_token token;
u_char token_flags;
- krb5_error_code ret;
+ krb5_error_code ret, seq_err;
unsigned usage;
krb5_data data;
uint16_t ec, rrc;
if (seq_number_hi) {
/* no support for 64-bit sequence numbers */
*minor_status = ERANGE;
- return GSS_S_UNSEQ_TOKEN;
+ return GSS_S_FAILURE | GSS_S_UNSEQ_TOKEN;
}
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
- ret = _gssapi_msg_order_check(ctx->order, seq_number_lo);
- if (ret != 0) {
- *minor_status = 0;
- HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
- _gsskrb5_release_buffer(minor_status, output_message_buffer);
- return ret;
- }
+ seq_err = _gssapi_msg_order_check(ctx->order, seq_number_lo);
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
+ if (seq_err == GSS_S_FAILURE) {
+ *minor_status = 0;
+ return seq_err;
+ }
/*
* Decrypt and/or verify checksum
}
*minor_status = 0;
- return GSS_S_COMPLETE;
+ return GSS_S_COMPLETE | seq_err;
}
OM_uint32 _gssapi_mic_cfx(OM_uint32 *minor_status,
{
gss_cfx_mic_token token;
u_char token_flags;
- krb5_error_code ret;
+ krb5_error_code ret, seq_err;
unsigned usage;
OM_uint32 seq_number_lo, seq_number_hi;
u_char *buf, *p;
_gss_mg_decode_be_uint32(&token->SND_SEQ[4], &seq_number_lo);
if (seq_number_hi) {
*minor_status = ERANGE;
- return GSS_S_UNSEQ_TOKEN;
+ return GSS_S_UNSEQ_TOKEN | GSS_S_FAILURE;
}
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
- ret = _gssapi_msg_order_check(ctx->order, seq_number_lo);
- if (ret != 0) {
- *minor_status = 0;
- HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
- return ret;
- }
+ seq_err = _gssapi_msg_order_check(ctx->order, seq_number_lo);
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
+ if (seq_err == GSS_S_FAILURE) {
+ *minor_status = 0;
+ return seq_err;
+ }
/*
* Verify checksum
*qop_state = GSS_C_QOP_DEFAULT;
}
- return GSS_S_COMPLETE;
+ return GSS_S_COMPLETE | seq_err;
}
for (i = 0; i < o->length - 1; i++) {
if (o->elem[i] == seq_num)
return GSS_S_DUPLICATE_TOKEN;
- if (o->elem[i + 1] < seq_num && o->elem[i] < seq_num) {
+ if (o->elem[i + 1] < seq_num && o->elem[i] > seq_num) {
elem_insert(o, i, seq_num);
if (r)
return GSS_S_COMPLETE;
size_t i;
uint32_t seq_number;
size_t padlength;
- OM_uint32 ret;
+ OM_uint32 ret, seq_err;
int cstate;
int cmp;
int token_len;
return GSS_S_BAD_MIC;
}
- ret = _gssapi_msg_order_check(context_handle->order, seq_number);
- if (ret) {
+ seq_err = _gssapi_msg_order_check(context_handle->order, seq_number);
+ if (seq_err == GSS_S_FAILURE) {
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
- return ret;
+ return seq_err;
}
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
memcpy (output_message_buffer->value,
p + 24,
output_message_buffer->length);
- return GSS_S_COMPLETE;
+ return GSS_S_COMPLETE | seq_err;
}
#endif
u_char cksum[20];
uint32_t seq_number;
size_t padlength;
- OM_uint32 ret;
+ OM_uint32 ret, seq_err;
int cstate;
krb5_crypto crypto;
Checksum csum;
return GSS_S_BAD_MIC;
}
- ret = _gssapi_msg_order_check(context_handle->order, seq_number);
- if (ret) {
+ seq_err = _gssapi_msg_order_check(context_handle->order, seq_number);
+ if (seq_err == GSS_S_FAILURE) {
*minor_status = 0;
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
- return ret;
+ return seq_err;
}
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
memcpy (output_message_buffer->value,
p + 36,
output_message_buffer->length);
- return GSS_S_COMPLETE;
+ return GSS_S_COMPLETE | seq_err;
}
OM_uint32 GSSAPI_CALLCONV _gsskrb5_unwrap
u_char *p;
u_char *seq;
uint32_t seq_number;
- OM_uint32 ret;
+ OM_uint32 ret, seq_err;
krb5_crypto crypto;
krb5_data seq_data;
int cmp, docompat;
return GSS_S_BAD_MIC;
}
- ret = _gssapi_msg_order_check(context_handle->order, seq_number);
- if (ret) {
+ seq_err = _gssapi_msg_order_check(context_handle->order, seq_number);
+ if (seq_err == GSS_S_FAILURE) {
krb5_crypto_destroy (context, crypto);
*minor_status = 0;
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
krb5_crypto_destroy (context, crypto);
- return GSS_S_COMPLETE;
+ return GSS_S_COMPLETE | seq_err;
}
OM_uint32
{
mp_err err;
+ if (b < 0) {
+ return MP_VAL;
+ }
+
/* zero a as per default */
mp_zero(a);
int i;
mp_digit *tmp;
+ if (size < 0) {
+ return MP_VAL;
+ }
+
/* if the alloc size is smaller alloc more ram */
if (a->alloc < size) {
/* reallocate the array a->dp
/* init an mp_init for a given size */
mp_err mp_init_size(mp_int *a, int size)
{
+
+ if (size < 0) {
+ return MP_VAL;
+ }
+
size = MP_MAX(MP_MIN_PREC, size);
/* alloc mem */
mp_digit d;
mp_err err;
+ if (b < 0) {
+ return MP_VAL;
+ }
+
/* copy */
if (a != c) {
if ((err = mp_copy(a, c)) != MP_OKAY) {
mp_word r;
mp_digit tmpx, *tmpt, *tmpy;
+ if (digs < 0) {
+ return MP_VAL;
+ }
+
/* can we use the fast multiplier? */
if ((digs < MP_WARRAY) &&
(MP_MIN(a->used, b->used) < MP_MAXFAST)) {
mp_digit W[MP_WARRAY];
mp_word _W;
+ if (digs < 0) {
+ return MP_VAL;
+ }
+
/* grow the destination as required */
if (c->alloc < digs) {
if ((err = mp_grow(c, digs)) != MP_OKAY) {
mp_word r;
mp_digit tmpx, *tmpt, *tmpy;
+ if (digs < 0) {
+ return MP_VAL;
+ }
+
/* can we use the fast multiplier? */
if (MP_HAS(S_MP_MUL_HIGH_DIGS_FAST)
&& ((a->used + b->used + 1) < MP_WARRAY)
mp_digit W[MP_WARRAY];
mp_word _W;
+ if (digs < 0) {
+ return MP_VAL;
+ }
+
/* grow the destination as required */
pa = a->used + b->used;
if (c->alloc < pa) {
#define HDB_F_GET_FAST_COOKIE 0x20000 /* fetch the FX-COOKIE key (not a normal principal) */
#define HDB_F_ARMOR_PRINCIPAL 0x40000 /* fetch is for the client of an armor ticket */
#define HDB_F_USER2USER_PRINCIPAL 0x80000 /* fetch is for the server of a user2user tgs-req */
+#define HDB_F_CROSS_REALM_PRINCIPAL 0x100000 /* fetch is cross-realm ticket */
+#define HDB_F_S4U2SELF_PRINCIPAL 0x200000 /* fetch is for S4U2Self */
+#define HDB_F_S4U2PROXY_PRINCIPAL 0x400000 /* fetch is for S4U2Proxy */
/* hdb_capability_flags */
#define HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL 1
/**
* Check if resource-based constrained delegation (RBCD) is allowed.
*/
- krb5_error_code (*hdb_check_rbcd)(krb5_context, struct HDB *, const hdb_entry *, const hdb_entry *, const hdb_entry *, const hdb_entry *, krb5_const_principal, krb5_const_pac, krb5_const_pac, const hdb_entry *);
+ krb5_error_code (*hdb_check_rbcd)(krb5_context context,
+ struct HDB *clientdb,
+ const hdb_entry *client_krbtgt,
+ krb5_const_principal client_principal,
+ const hdb_entry *client,
+ const hdb_entry *device_krbtgt,
+ krb5_const_principal device_principal,
+ const hdb_entry *device,
+ krb5_const_principal s4u_principal,
+ krb5_const_pac client_pac,
+ krb5_const_pac device_pac,
+ const hdb_entry *target);
/**
* Check if this name is an alias for the supplied client for PKINIT userPrinicpalName logins
krb5_error_code (*hdb_set_sync)(krb5_context, struct HDB *, int);
}HDB;
-#define HDB_INTERFACE_VERSION 11
+#define HDB_INTERFACE_VERSION 12
struct hdb_method {
HEIM_PLUGIN_FTABLE_COMMON_ELEMENTS(krb5_context);
if (ret)
goto out;
- ret = copy_KrbFastArmor(fxarmor, &msg.armor);
+ ret = copy_KrbFastArmor(&msg.armor, fxarmor);
if (ret) {
free_KERB_ARMOR_SERVICE_REPLY(&msg);
goto out;
return 0;
}
+/*
+ * Return true if cred is a removed entry. We assume that any active entry
+ * with endtime=0 (such as a config entry or gssproxy encrypted credential)
+ * will also have authtime=0.
+ */
+static inline krb5_boolean
+cred_removed(krb5_creds *c)
+{
+ return c->times.endtime == 0 && c->times.authtime != 0;
+}
+
static krb5_error_code KRB5_CALLCONV
fcc_get_next (krb5_context context,
krb5_ccache id,
if (FCC_CURSOR(*cursor) == NULL)
return krb5_einval(context, 3);
- FCC_CURSOR(*cursor)->cred_start =
- krb5_storage_seek(FCC_CURSOR(*cursor)->sp, 0, SEEK_CUR);
+ while (1) {
+ FCC_CURSOR(*cursor)->cred_start =
+ krb5_storage_seek(FCC_CURSOR(*cursor)->sp, 0, SEEK_CUR);
- ret = krb5_ret_creds(FCC_CURSOR(*cursor)->sp, creds);
- if (ret)
- krb5_clear_error_message(context);
+ ret = krb5_ret_creds(FCC_CURSOR(*cursor)->sp, creds);
- FCC_CURSOR(*cursor)->cred_end =
- krb5_storage_seek(FCC_CURSOR(*cursor)->sp, 0, SEEK_CUR);
+ FCC_CURSOR(*cursor)->cred_end =
+ krb5_storage_seek(FCC_CURSOR(*cursor)->sp, 0, SEEK_CUR);
+
+ if (ret) {
+ krb5_clear_error_message(context);
+ break;
+ }
+
+ if (!cred_removed(creds))
+ break;
+
+ krb5_free_cred_contents(context, creds);
+ }
return ret;
}
*/
cred->times.endtime = 0;
+ /* For compatibility with MIT d3b39a8bac6206b5ea78b0bf6a2958c1df0b0dd5 */
+ cred->times.authtime = -1;
+
/* ...except for config creds because we don't check their endtimes */
if (srealm && strcmp(srealm, "X-CACHECONF:") == 0) {
ret = krb5_principal_set_realm(context, cred->server, "X-RMED-CONF:");
return -1;
}
+#define YOUR_DNS_NEEDS_IMM_ATTENTION "your-dns-needs-immediate-attention."
static int
is_invalid_tld_srv_target(const char *target)
{
- return (strncmp("your-dns-needs-immediate-attention.",
- target, 35) == 0
- && strchr(&target[35], '.') == NULL);
+ if (strncmp(YOUR_DNS_NEEDS_IMM_ATTENTION, target,
+ sizeof(YOUR_DNS_NEEDS_IMM_ATTENTION) - 1) != 0)
+ return 0;
+ target += sizeof(YOUR_DNS_NEEDS_IMM_ATTENTION) - 1;
+ if (target[0] == '\0' || target[0] == '.')
+ return 0; /* malformed; should be followed by a TLD */
+ target = strchr(target, '.');
+ if (target == NULL)
+ return 0; /* malformed; should end in a '.' */
+ if (target[1] != '\0')
+ return 0; /* malformed; should be followed by just one label (the TLD) */
+ return 1;
}
/*
if(rr->type == rk_ns_t_srv) {
krb5_krbhst_info *hi = NULL;
size_t len;
- int invalid_tld = 1;
/* Test for top-level domain controlled interruptions */
- if (!is_invalid_tld_srv_target(rr->u.srv->target)) {
- invalid_tld = 0;
- len = strlen(rr->u.srv->target);
- hi = calloc(1, sizeof(*hi) + len);
+ if (is_invalid_tld_srv_target(rr->u.srv->target)) {
+ krb5_warnx(context,
+ "Domain lookup failed: "
+ "Realm %s needs immediate attention "
+ "see https://icann.org/namecollision",
+ realm);
+ return KRB5_KDC_UNREACH;
}
+
+ len = strlen(rr->u.srv->target);
+ hi = calloc(1, sizeof(*hi) + len);
if(hi == NULL) {
rk_dns_free_data(r);
while(--num_srv >= 0)
free((*res)[num_srv]);
free(*res);
*res = NULL;
- if (invalid_tld) {
- krb5_warnx(context,
- "Domain lookup failed: "
- "Realm %s needs immediate attention "
- "see https://icann.org/namecollision",
- realm);
- return KRB5_KDC_UNREACH;
- }
return krb5_enomem(context);
}
(*res)[num_srv++] = hi;
#ifdef HEIM_WEAK_CRYPTO
+#if !defined(HAVE_CRYPT)
+# undef ENABLE_AFS_STRING_TO_KEY
+#endif
+
#ifdef ENABLE_AFS_STRING_TO_KEY
/* This defines the Andrew string_to_key function. It accepts a password
#include "otp_locl.h"
-#if !defined(HAVE_NDBM) && !defined(HAVE_DB_NDBM)
-#include "ndbm_wrap.h"
+#if defined(HAVE_DB_NDBM)
+# include <ndbm.h>
+#elif !defined(HAVE_NDBM)
+# include "ndbm_wrap.h"
#endif
+
#define RETRIES 5
void *
projects / thirdparty / samba.git / commitdiff
