svn merge -r21791:21820 svn+ssh://wfiveash@svn.mit.edu/krb5/trunk
authorWill Fiveash <will.fiveash@oracle.com>
Wed, 28 Jan 2009 21:15:46 +0000 (21:15 +0000)
committerWill Fiveash <will.fiveash@oracle.com>
Wed, 28 Jan 2009 21:15:46 +0000 (21:15 +0000)
All conflicts resolved, everything builds.  Did a quick test, seems to
work ok.

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mkey_migrate@21822 dc483132-0cff-0310-8789-dd5450dbe970

120 files changed:
README
src/appl/gssftp/ftpd/ftpd.M
src/appl/gssftp/ftpd/ftpd.c
src/config-files/krb5.conf
src/config-files/krb5.conf.M
src/include/adm.h
src/include/adm_proto.h
src/include/k5-int.h
src/include/k5-platform.h
src/kadmin/dbutil/dump.c
src/kadmin/ktutil/ktutil.c
src/kadmin/server/schpw.c
src/kdc/do_tgs_req.c
src/kdc/extern.h
src/kdc/main.c
src/lib/crypto/arcfour/arcfour.c
src/lib/crypto/arcfour/arcfour_aead.c
src/lib/crypto/des/afsstring2key.c
src/lib/crypto/dk/checksum.c
src/lib/crypto/dk/dk_aead.c
src/lib/crypto/dk/dk_decrypt.c
src/lib/crypto/dk/dk_encrypt.c
src/lib/crypto/hash_provider/hash_crc32.c
src/lib/crypto/hash_provider/hash_sha1.c
src/lib/crypto/keyblocks.c
src/lib/crypto/keyed_checksum_types.c
src/lib/crypto/keyhash_provider/hmac_md5.c
src/lib/crypto/keyhash_provider/md5_hmac.c
src/lib/crypto/yarrow/yhash.h
src/lib/gssapi/generic/gssapiP_generic.h
src/lib/gssapi/krb5/k5seal.c
src/lib/gssapi/krb5/k5sealiov.c
src/lib/gssapi/krb5/k5sealv3iov.c
src/lib/gssapi/krb5/k5unseal.c
src/lib/gssapi/krb5/k5unsealiov.c
src/lib/gssapi/krb5/util_crypt.c
src/lib/gssapi/krb5/util_seqnum.c
src/lib/gssapi/mechglue/g_glue.c
src/lib/kadm5/admin.h
src/lib/kadm5/alt_prof.c
src/lib/kadm5/srv/libkadm5srv.exports
src/lib/kadm5/str_conv.c
src/lib/kdb/decrypt_key.c
src/lib/kdb/encrypt_key.c
src/lib/kdb/kdb5.c
src/lib/kdb/kdb_cpw.c
src/lib/kdb/kdb_default.c
src/lib/kdb/keytab.c
src/lib/krb5/asn.1/asn1_k_decode.c
src/lib/krb5/ccache/cc_file.c
src/lib/krb5/ccache/cc_keyring.c
src/lib/krb5/ccache/cc_memory.c
src/lib/krb5/ccache/cc_mslsa.c
src/lib/krb5/keytab/kt_file.c
src/lib/krb5/keytab/kt_memory.c
src/lib/krb5/keytab/kt_srvtab.c
src/lib/krb5/keytab/ktfr_entry.c
src/lib/krb5/krb/auth_con.c
src/lib/krb5/krb/bld_pr_ext.c
src/lib/krb5/krb/bld_princ.c
src/lib/krb5/krb/chpw.c
src/lib/krb5/krb/conv_princ.c
src/lib/krb5/krb/copy_addrs.c
src/lib/krb5/krb/copy_athctr.c
src/lib/krb5/krb/copy_auth.c
src/lib/krb5/krb/copy_cksum.c
src/lib/krb5/krb/copy_creds.c
src/lib/krb5/krb/copy_data.c
src/lib/krb5/krb/copy_key.c
src/lib/krb5/krb/copy_tick.c
src/lib/krb5/krb/free_rtree.c
src/lib/krb5/krb/fwd_tgt.c
src/lib/krb5/krb/gc_via_tkt.c
src/lib/krb5/krb/gen_subkey.c
src/lib/krb5/krb/get_creds.c
src/lib/krb5/krb/get_in_tkt.c
src/lib/krb5/krb/gic_keytab.c
src/lib/krb5/krb/gic_pwd.c
src/lib/krb5/krb/kfree.c
src/lib/krb5/krb/mk_cred.c
src/lib/krb5/krb/mk_error.c
src/lib/krb5/krb/mk_priv.c
src/lib/krb5/krb/mk_rep.c
src/lib/krb5/krb/mk_req_ext.c
src/lib/krb5/krb/mk_safe.c
src/lib/krb5/krb/pac.c
src/lib/krb5/krb/parse.c
src/lib/krb5/krb/preauth.c
src/lib/krb5/krb/preauth2.c
src/lib/krb5/krb/rd_cred.c
src/lib/krb5/krb/rd_priv.c
src/lib/krb5/krb/rd_req_dec.c
src/lib/krb5/krb/rd_safe.c
src/lib/krb5/krb/recvauth.c
src/lib/krb5/krb/send_tgs.c
src/lib/krb5/krb/sendauth.c
src/lib/krb5/krb/ser_princ.c
src/lib/krb5/krb/serialize.c
src/lib/krb5/krb/set_realm.c
src/lib/krb5/krb/srv_rcache.c
src/lib/krb5/krb/t_ser.c
src/lib/krb5/krb/vfy_increds.c
src/lib/krb5/libkrb5.exports
src/lib/krb5/os/an_to_ln.c
src/lib/krb5/os/def_realm.c
src/lib/krb5/os/free_krbhs.c
src/lib/krb5/os/full_ipadr.c
src/lib/krb5/os/localaddr.c
src/lib/krb5/os/locate_kdc.c
src/lib/krb5/os/mk_faddr.c
src/lib/krb5/os/read_msg.c
src/lib/krb5/os/sn2princ.c
src/lib/krb5/rcache/rc_dfl.c
src/lib/rpc/unit-test/rpc_test.0/fullrun.exp
src/tests/asn.1/krb5_decode_test.c
src/tests/dejagnu/config/default.exp
src/tests/gss-threads/gss-misc.c
src/tests/resolve/resolve.c
src/util/profile/krb5.conf
src/util/trim-valgrind-logs [new file with mode: 0755]

diff --git a/README b/README
index 8b1f9964094507c44e19c64e5804d2118dece799..a945960f6f9ac126d5ea34e5e226c325e47f20ba 100644 (file)
--- a/README
+++ b/README
@@ -1,26 +1,26 @@
-                  Kerberos Version 5, Release 1.6
+                   Kerberos Version 5, Release 1.7
 
-                           Release Notes
-                       The MIT Kerberos Team
+                            Release Notes
+                        The MIT Kerberos Team
 
 Unpacking the Source Distribution
 ---------------------------------
 
 The source distribution of Kerberos 5 comes in a gzipped tarfile,
-krb5-1.6.tar.gz.  Instructions on how to extract the entire
+krb5-1.7.tar.gz.  Instructions on how to extract the entire
 distribution follow.
 
 If you have the GNU tar program and gzip installed, you can simply do:
 
-       gtar zxpf krb5-1.6.tar.gz
+        gtar zxpf krb5-1.7.tar.gz
 
 If you don't have GNU tar, you will need to get the FSF gzip
 distribution and use gzcat:
 
-       gzcat krb5-1.6.tar.gz | tar xpf -
+        gzcat krb5-1.7.tar.gz | tar xpf -
 
-Both of these methods will extract the sources into krb5-1.6/src and
-the documentation into krb5-1.6/doc.
+Both of these methods will extract the sources into krb5-1.7/src and
+the documentation into krb5-1.7/doc.
 
 Building and Installing Kerberos 5
 ----------------------------------
@@ -59,108 +59,38 @@ http://krbdev.mit.edu/rt/
 
 and logging in as "guest" with password "guest".
 
-Major changes in 1.6
-----------------------
-
-* Partial client implementation to handle server name referrals.
-
-* Pre-authentication plug-in framework, donated by Red Hat.
-
-* LDAP KDB plug-in, donated by Novell.
-
-krb5-1.6 changes by ticket ID
------------------------------
-
-Listed below are the RT tickets of bugs fixed in krb5-1.6.  Please see
-
-http://krbdev.mit.edu/rt/NoAuth/krb5-1.6/fixed-1.6.html
-
-for a current listing with links to the complete tickets.
-
-1204   Unable to get a TGT cross-realm referral
-2087   undocumented options for kpropd
-2240   krb5-config --cflags gssapi when used by OpenSSH-snap-20040212
-2579   kdc: add_to_transited may reference off end of array...
-2652   Add support for referrals
-2876   Tree does not compile with GCC 4.0
-2935   KDB/LDAP backend
-3089   krb5_verify_init_creds() is not thread safe
-3091   add krb5_cc_new_unique()
-3276   local array of structures not declared static
-3288   NetIdMgr cannot obtain Kerberos 5 tickets containing addresses
-3322   get_cred_via_tkt() checks too strict on server principal
-3522   Error code definitions are outside macros to prevent multiple
-       inclusion in public headers
-3735   Add TCP change/set password support
-3947   allow multiple calls to krb5_get_error_message to retrieve message
-3955   check calling conventions specified for Windows
-3961   fix stdcc.c to build without USE_CCAPI_V3
-4021   use GSS_C_NO_CHANNEL_BINDINGS not NULL in lib/rpc/auth_gss.c
-4023   Turn off KLL automatic prompting support in kadmin
-4024   gss_acquire_cred auto prompt support shouldn't break
-       gss_krb5_ccache_name()
-4025   need to look harder for tclConfig.sh
-4055   remove unused Metrowerks support from yarrow
-4056   g_canon_name.c if-statement warning cleanup
-4057   GSSAPI opaque types should be pointers to opaque structs, not void*
-4256   Make process error
-4292   LDAP error prevents KfM 6.0 from building on Tiger
-4294   Bad loop logic in krb5_mcc_generate_new
-4304   audit referals merge (R18598)
-4389   cursor for iterating over ccaches
-4412   Don't segfault if a preauth plugin module fails to load
-4455   IRIX build fails w/ GCC 4.0 (really GNU ld)
-4482   enabling LDAP mix-in support for kdb5_util load
-4488   osf1 -oldstyle_liblookup typo
-4495   Avoid segfault in krb5_do_preauth_tryagain
-4496   fix invalid access found by valgrind
-4501   fix krb5_ldap_iterate to handle NULL match_expr and
-       open_db_and_mkey to use KRB5_KDB_SRV_TYPE_ADMIN
-4534   don't confuse profile iterator in 425 princ conversion
-4561   UC Berkeley BSD license change
-4562   latest Novell ldap patches and kdb5_util dump support for ldap
-4587   Change preauth plugin context scope and lifetimes
-4624   remove t_prf and t_prf.o on make clean
-4625   Make clean in lib/kdb leaves error table files
-4657   krb5.h not C++-safe due to "struct krb5_cccol_cursor"
-4683   Remove obsolete/conflicting prototype for krb524_convert_princs
-4688   Add public function to get keylenth associated with an enctype
-4689   Update minor version numbers for 1.6
-4690   Add "get_data" function to the client preauth plugin interface
-4692   Document changing the krbtgt key
-4693   Delay kadmind random number initialization until after fork
-4735   more Novell ldap patches from Nov 6 and Fix for wrong password
-       policy reference count
-4737   correct client preauth plugin request_context
-4738   allow server preauth plugin verify_padata function to return e-data
-4739   cccursor backend for CCAPI
-4755   update copyrights and acknowledgments
-4770   Add macros for __attribute__((deprecated)) for krb4 and des APIs
-4771   LDAP patch from Novell, 2006-10-13
-4772   fix some warnings in ldap code
-4774   avoid double frees in ccache manipulation around gen_new
-4775   include realm in "can't resolve KDC" error message
-4784   krb5_stdccv3_generate_new returns NULL ccache
-4788   ccache double free in krb5_fcc_read_addrs().
-4799   krb5_c_keylength -> krb5_c_keylengths; add krb5_c_random_to_key
-4805   replace existing calls of cc_gen_new()
-4841   free error message when freeing context
-4846   clean up preauth2 salt debug code
-4860   fix LDAP plugin Makefile.in lib frag substitutions
-4928   krb5int_copy_data_contents shouldn't free memory it didn't allocate
-4941   referrals changes to telnet have unconditional debugging printfs
-4942   skip all modules in plugin if init function fails
-4955   Referrals code breaks krb5_set_password_using_ccache to Active
-       Directory
-4967   referrals support assumes all rewrites produce TGS principals
-4972   return edata from non-PA_REQUIRED preauth types
-4973   send a new request with the new padata returned by
-       krb5_do_preauth_tryagain()
+Major changes in 1.7
+--------------------
+
+* Remove support for version 4 of the Kerberos protocol (krb4).
+
+* Client library now follows client principal referrals.
+
+* KDC can issue realm referrals for service principals based on domain
+  names.
+
+* Encryption algorithm negotiation (RFC 4537).
+
+* In the replay cache, use a hash over the complete ciphertext to
+  avoid false-positive replay indications.
+
+* Microsoft GSS_WrapEX, implemented using the gss_iov API, which is
+  similar to the equivalent SSPI functionality.
+
+* DCE RPC, including three-leg GSS context setup and unencapsulated
+  GSS tokens.
+
+* Microsoft set/change password (RFC 3244) protocol in kadmind.
+
+* Master key rollover support.
+
+Changes by ticket ID
+--------------------
 
 Copyright and Other Legal Notices
 ---------------------------------
 
-Copyright (C) 1985-2007 by the Massachusetts Institute of Technology.
+Copyright (C) 1985-2009 by the Massachusetts Institute of Technology.
 
 All rights reserved.
 
@@ -201,7 +131,7 @@ manner.  It does NOT prevent a commercial firm from referring to the
 MIT trademarks in order to convey information (although in doing so,
 recognition of their trademark status should be given).
 
-                        --------------------
+                         --------------------
 
 Portions of src/lib/crypto have the following copyright:
 
@@ -230,7 +160,7 @@ Portions of src/lib/crypto have the following copyright:
   WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
 
 
-                        --------------------
+                         --------------------
 
 The following copyright and permission notice applies to the
 OpenVision Kerberos Administration system located in kadmin/create,
@@ -270,14 +200,14 @@ of lib/rpc:
   and our gratitude for the valuable work which has been 
   performed by MIT and the Kerberos community.
 
-                        --------------------
+                         --------------------
 
   Portions contributed by Matt Crawford <crawdad@fnal.gov> were
   work performed at Fermi National Accelerator Laboratory, which is
   operated by Universities Research Association, Inc., under
   contract DE-AC02-76CHO3000 with the U.S. Department of Energy.
 
-                        --------------------
+                         --------------------
 
 The implementation of the Yarrow pseudo-random number generator in
 src/lib/crypto/yarrow has the following copyright:
@@ -303,7 +233,7 @@ src/lib/crypto/yarrow has the following copyright:
   ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTUOUS ACTION, ARISING OUT
   OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
-                        --------------------
+                         --------------------
 
 The implementation of the AES encryption algorithm in
 src/lib/crypto/aes has the following copyright:
@@ -332,7 +262,7 @@ src/lib/crypto/aes has the following copyright:
   in respect of any properties, including, but not limited to, correctness 
   and fitness for purpose.
 
-                        --------------------
+                         --------------------
 
 Portions contributed by Red Hat, including the pre-authentication
 plug-ins framework, contain the following copyright:
@@ -369,7 +299,7 @@ plug-ins framework, contain the following copyright:
   NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
   SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-                        --------------------
+                         --------------------
 
 The implementations of GSSAPI mechglue in GSSAPI-SPNEGO in
 src/lib/gssapi, including the following files:
@@ -452,7 +382,7 @@ are subject to the following license:
   TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
   SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 
-                        --------------------
+                         --------------------
 
 MIT Kerberos includes documentation and software developed at the
 University of California at Berkeley, which includes this copyright
@@ -489,7 +419,7 @@ notice:
   OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
   SUCH DAMAGE.
 
-                        --------------------
+                         --------------------
 
 Portions contributed by Novell, Inc., including the LDAP database
 backend, are subject to the following license:
@@ -501,12 +431,12 @@ backend, are subject to the following license:
   modification, are permitted provided that the following conditions are met:
 
     * Redistributions of source code must retain the above copyright notice,
-       this list of conditions and the following disclaimer.
+        this list of conditions and the following disclaimer.
     * Redistributions in binary form must reproduce the above copyright
-       notice, this list of conditions and the following disclaimer in the
-       documentation and/or other materials provided with the distribution.
+        notice, this list of conditions and the following disclaimer in the
+        documentation and/or other materials provided with the distribution.
     * The copyright holder's name is not used to endorse or promote products
-       derived from this software without specific prior written permission.
+        derived from this software without specific prior written permission.
 
   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
   AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@@ -692,5 +622,5 @@ Matt Hancher, Sam Hartman, Paul Hill, Marc Horowitz, Eva Jacobus,
 Miroslav Jurisic, Barry Jaspan, Geoffrey King, Kevin Koch, John Kohl,
 Peter Litwack, Scott McGuire, Kevin Mitchell, Cliff Neuman, Paul Park,
 Ezra Peisach, Chris Provenzano, Ken Raeburn, Jon Rochlis, Jeff
-Schiller, Jen Selby, Brad Thompson, Harry Tsai, Ted Ts'o, Marshall
-Vale, Tom Yu.
+Schiller, Jen Selby, Robert Silk, Brad Thompson, Harry Tsai, Zhanna
+Tsitkova, Ted Ts'o, Marshall Vale, Tom Yu.
index 33fc1d9c7853e4a037af2e6bc6ea0f11e01c6c1e..5cdc9b35374735a9d4c096647b81e63c43e5f44e 100644 (file)
@@ -122,12 +122,6 @@ file to use.  The default value is normally
 \fB\-u\fP \fIumask\fP
 Sets the umask for the ftpd process.  The default value is normally 027.
 .TP
-\fB\-r\fP \fIrealm-file\fP
-Sets the name of the
-.I krb.conf
-file to use.  The default value is normally set by
-.IR /etc/krb5.conf .
-.TP
 \fB\-w \fP{\fBip\fP|\fImaxhostlen\fP[\fB,\fP{\fBstriplocal\fP|\fBnostriplocal\fP}]}
 Controls the form of the remote hostname passed to login(1).
 Specifying \fBip\fP results in the numeric IP address always being
index 69f7ac392d759e81f1b5dd714eedb87553dde0e4..71e98552965af72c92a8cb0c4ea0660c0eed2a07 100644 (file)
@@ -276,7 +276,7 @@ main(argc, argv, envp)
        int addrlen, c, on = 1, tos, port = -1;
        extern char *optarg;
        extern int optopt;
-       char *option_string = "AaCcdElp:r:T:t:U:u:vw:";
+       char *option_string = "AaCcdElp:T:t:U:u:vw:";
        ftpusers = _PATH_FTPUSERS_DEFAULT;
 
        debug = 0;
@@ -334,10 +334,6 @@ main(argc, argv, envp)
                        port = atoi(optarg);
                        break;
 
-               case 'r':
-                       setenv("KRB_CONF", optarg, 1);
-                       break;
-
                case 't':
                        timeout = atoi(optarg);
                        if (maxtimeout < timeout)
index efc19e45d5177fd053ee89dec3ef62a6053e8043..83af7e97cab024c5b8022eee65e4c800546910c4 100644 (file)
@@ -1,7 +1,5 @@
 [libdefaults]
        default_realm = ATHENA.MIT.EDU
-       krb4_config = /usr/kerberos/lib/krb.conf
-       krb4_realms = /usr/kerberos/lib/krb.realms
 
 [realms]
        ATHENA.MIT.EDU = {
index 1cfb1444ec0cef7b69b4983bec488ab30dedbbbc..9115e32c91f32f4bbef0cf13d4aa234909ca717a 100644 (file)
@@ -176,18 +176,6 @@ do not support the default cache as created by this version of
 Kerberos. Use a value of 1 on DCE 1.0.3a systems, and a value of 2 on
 DCE 1.1 systems.
 
-.IP krb4_srvtab 
-Specifies the location of the Kerberos V4 srvtab file.  Default is
-"/etc/srvtab".
-
-.IP krb4_config
-Specifies the location of the Kerberos V4 configuration file.  Default
-is "/etc/krb.conf".
-
-.IP krb4_realms
-Specifies the location of the Kerberos V4 domain/realm translation
-file.  Default is "/etc/krb.realms".
-
 .IP dns_lookup_kdc
 Indicate whether DNS SRV records shoud be used to locate the KDCs and 
 other servers for a realm, if they are not listed in the information 
index 34c195fa24cfdbf01a096df0a8db15da10ba697b..15b42d9ab802b65a7bc7e8eb78c146199c39916b 100644 (file)
@@ -1,7 +1,7 @@
 /*
  * include/krb5/adm.h
  *
- * Copyright 1995,2001 by the Massachusetts Institute of Technology.
+ * Copyright 1995,2001,2009 by the Massachusetts Institute of Technology.
  * All Rights Reserved.
  *
  * Export of this software from the United States of America may
@@ -200,6 +200,8 @@ typedef struct __krb5_realm_params {
     char *             realm_kdc_ports;
     char *             realm_kdc_tcp_ports;
     char *             realm_acl_file;
+    char *              realm_host_based_services;
+    char *              realm_no_host_referral;
     krb5_int32         realm_kadmind_port;
     krb5_enctype       realm_enctype;
     krb5_deltat                realm_max_life;
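Review bot: The new members `realm_host_based_services` and `realm_no_host_referral` have no comment stating what the string contains or who owns it, and judging by their names and the README entry about KDC realm referrals they feed a decision about which service principals get referred, so the expected format matters to anyone auditing a KDC configuration. They are also inserted in the middle of `struct __krb5_realm_params` rather than appended, which shifts the offset of every later member for code built against the old header. I would add a one-line comment on each member giving the list format and stating that the string is heap-allocated and released with the rest of the structure, if that is the case. The routine that frees this structure also needs checking to confirm it releases both strings. The struct definition starts and ends outside this hunk.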
index 04e6a47916fa5bd5338e48034c2ca6fac3d010a5..9d7002027b43e3029e86c4b013b3e3c007c5b8b1 100644 (file)
@@ -1,7 +1,7 @@
 /*
  * include/krb5/adm_proto.h
  *
- * Copyright 1995, 2007 by the Massachusetts Institute of Technology.
+ * Copyright 1995, 2007,2008,2009 by the Massachusetts Institute of Technology.
  * All Rights Reserved.
  *
  * Export of this software from the United States of America may
@@ -83,6 +83,8 @@ krb5_error_code krb5_aprof_get_deltat
         krb5_deltat *);
 krb5_error_code krb5_aprof_get_string
        (krb5_pointer, const char **, krb5_boolean, char **);
+krb5_error_code krb5_aprof_get_string_all
+        (krb5_pointer, const char **,  char **);
 krb5_error_code krb5_aprof_get_int32
        (krb5_pointer,
         const char **,
index f3da373bc2ad48356e51fde149ae6a65aedc8fb5..063c30310811cd6fd55bce84aaf9aa1375fc85f0 100644 (file)
@@ -527,6 +527,9 @@ krb5_error_code os_get_default_config_files
 krb5_error_code krb5_os_hostaddr
        (krb5_context, const char *, krb5_address ***);
 
+krb5_error_code krb5int_get_domain_realm_mapping
+        (krb5_context , const char *, char ***);
+
 /* N.B.: You need to include fake-addrinfo.h *before* k5-int.h if you're
    going to use this structure.  */
 struct addrlist {
index f4511278e7183cd9ce33d7f2cc4186b12f8f1709..23ddf696717e7adbba527d23abd223ec29b4baae 100644 (file)
@@ -1,7 +1,7 @@
 /*
  * k5-platform.h
  *
- * Copyright 2003, 2004, 2005, 2007, 2008 Massachusetts Institute of Technology.
+ * Copyright 2003, 2004, 2005, 2007, 2008, 2009 Massachusetts Institute of Technology.
  * All Rights Reserved.
  *
  * Export of this software from the United States of America may
@@ -534,8 +534,9 @@ static inline unsigned int k5_swap16 (unsigned int x) {
 #endif
 
 static inline void
-store_16_be (unsigned int val, unsigned char *p)
+store_16_be (unsigned int val, void *vp)
 {
+    unsigned char *p = vp;
 #if defined(__GNUC__) && defined(K5_BE)
     PUT(16,p,val);
 #elif defined(__GNUC__) && defined(K5_LE) && defined(SWAP16)
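Review bot: Widening the parameter of `store_16_be` from `unsigned char *` to `void *` means the compiler no longer diagnoses a caller that passes a pointer to the wrong object, and the helper takes no length, so nothing bounds the bytes it writes. The same applies to every `store_*`/`load_*` hunk that follows in this file, including the `load_*_n` variants, which hand `p` directly to `memcpy` (visible in `load_64_n`). These helpers look like the primitives used when marshalling and parsing fixed-width fields, so the contract should be written down where the cast now happens, for example `/* vp must point to at least 2 writable bytes; the caller is responsible for the bounds check. */` above each function with the matching width. The function bodies continue outside the hunks.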
@@ -546,8 +547,9 @@ store_16_be (unsigned int val, unsigned char *p)
 #endif
 }
 static inline void
-store_32_be (unsigned int val, unsigned char *p)
+store_32_be (unsigned int val, void *vp)
 {
+    unsigned char *p = vp;
 #if defined(__GNUC__) && defined(K5_BE)
     PUT(32,p,val);
 #elif defined(__GNUC__) && defined(K5_LE) && defined(SWAP32)
@@ -560,8 +562,9 @@ store_32_be (unsigned int val, unsigned char *p)
 #endif
 }
 static inline void
-store_64_be (UINT64_TYPE val, unsigned char *p)
+store_64_be (UINT64_TYPE val, void *vp)
 {
+    unsigned char *p = vp;
 #if defined(__GNUC__) && defined(K5_BE)
     PUT(64,p,val);
 #elif defined(__GNUC__) && defined(K5_LE) && defined(SWAP64)
@@ -578,8 +581,9 @@ store_64_be (UINT64_TYPE val, unsigned char *p)
 #endif
 }
 static inline unsigned short
-load_16_be (const unsigned char *p)
+load_16_be (const void *cvp)
 {
+    const unsigned char *p = cvp;
 #if defined(__GNUC__) && defined(K5_BE)
     return GET(16,p);
 #elif defined(__GNUC__) && defined(K5_LE) && defined(SWAP16)
@@ -589,8 +593,9 @@ load_16_be (const unsigned char *p)
 #endif
 }
 static inline unsigned int
-load_32_be (const unsigned char *p)
+load_32_be (const void *cvp)
 {
+    const unsigned char *p = cvp;
 #if defined(__GNUC__) && defined(K5_BE)
     return GET(32,p);
 #elif defined(__GNUC__) && defined(K5_LE) && defined(SWAP32)
@@ -602,8 +607,9 @@ load_32_be (const unsigned char *p)
 #endif
 }
 static inline UINT64_TYPE
-load_64_be (const unsigned char *p)
+load_64_be (const void *cvp)
 {
+    const unsigned char *p = cvp;
 #if defined(__GNUC__) && defined(K5_BE)
     return GET(64,p);
 #elif defined(__GNUC__) && defined(K5_LE) && defined(SWAP64)
@@ -613,8 +619,9 @@ load_64_be (const unsigned char *p)
 #endif
 }
 static inline void
-store_16_le (unsigned int val, unsigned char *p)
+store_16_le (unsigned int val, void *vp)
 {
+    unsigned char *p = vp;
 #if defined(__GNUC__) && defined(K5_LE)
     PUT(16,p,val);
 #elif defined(__GNUC__) && defined(K5_BE) && defined(SWAP16)
@@ -625,8 +632,9 @@ store_16_le (unsigned int val, unsigned char *p)
 #endif
 }
 static inline void
-store_32_le (unsigned int val, unsigned char *p)
+store_32_le (unsigned int val, void *vp)
 {
+    unsigned char *p = vp;
 #if defined(__GNUC__) && defined(K5_LE)
     PUT(32,p,val);
 #elif defined(__GNUC__) && defined(K5_BE) && defined(SWAP32)
@@ -639,8 +647,9 @@ store_32_le (unsigned int val, unsigned char *p)
 #endif
 }
 static inline void
-store_64_le (UINT64_TYPE val, unsigned char *p)
+store_64_le (UINT64_TYPE val, void *vp)
 {
+    unsigned char *p = vp;
 #if defined(__GNUC__) && defined(K5_LE)
     PUT(64,p,val);
 #elif defined(__GNUC__) && defined(K5_BE) && defined(SWAP64)
@@ -657,8 +666,9 @@ store_64_le (UINT64_TYPE val, unsigned char *p)
 #endif
 }
 static inline unsigned short
-load_16_le (const unsigned char *p)
+load_16_le (const void *cvp)
 {
+    const unsigned char *p = cvp;
 #if defined(__GNUC__) && defined(K5_LE)
     return GET(16,p);
 #elif defined(__GNUC__) && defined(K5_BE) && defined(SWAP16)
@@ -668,8 +678,9 @@ load_16_le (const unsigned char *p)
 #endif
 }
 static inline unsigned int
-load_32_le (const unsigned char *p)
+load_32_le (const void *cvp)
 {
+    const unsigned char *p = cvp;
 #if defined(__GNUC__) && defined(K5_LE)
     return GET(32,p);
 #elif defined(__GNUC__) && defined(K5_BE) && defined(SWAP32)
@@ -679,8 +690,9 @@ load_32_le (const unsigned char *p)
 #endif
 }
 static inline UINT64_TYPE
-load_64_le (const unsigned char *p)
+load_64_le (const void *cvp)
 {
+    const unsigned char *p = cvp;
 #if defined(__GNUC__) && defined(K5_LE)
     return GET(64,p);
 #elif defined(__GNUC__) && defined(K5_BE) && defined(SWAP64)
@@ -691,7 +703,7 @@ load_64_le (const unsigned char *p)
 }
 
 static inline unsigned short
-load_16_n (const unsigned char *p)
+load_16_n (const void *p)
 {
 #ifdef _WIN32
     unsigned __int16 n;
@@ -702,7 +714,7 @@ load_16_n (const unsigned char *p)
     return n;
 }
 static inline unsigned int
-load_32_n (const unsigned char *p)
+load_32_n (const void *p)
 {
 #ifdef _WIN32
     unsigned __int32 n;
@@ -713,7 +725,7 @@ load_32_n (const unsigned char *p)
     return n;
 }
 static inline UINT64_TYPE
-load_64_n (const unsigned char *p)
+load_64_n (const void *p)
 {
     UINT64_TYPE n;
     memcpy(&n, p, 8);
index ab42e9a6a5c297c943cd0e0f471bf7429ca1f2a8..69ebec432248b5995c110dd9aaa3965b3335960c 100644 (file)
@@ -589,8 +589,8 @@ dump_k5beta_iterator(ptr, entry)
             krb5_dbe_lookup_last_pwd_change(arg->kcontext, entry,
                                             &last_pwd_change))) {
            fprintf(stderr, nokeys_err, arg->programname, name);
-           krb5_xfree(mod_name);
-           krb5_xfree(name);
+           free(mod_name);
+           free(name);
            return(retval);
        }
 
@@ -606,8 +606,8 @@ dump_k5beta_iterator(ptr, entry)
                                   KRB5_KDB_SALTTYPE_V4,
                                   &akey))) {
            fprintf(stderr, nokeys_err, arg->programname, name);
-           krb5_xfree(mod_name);
-           krb5_xfree(name);
+           free(mod_name);
+           free(name);
            return(retval);
        }
 
@@ -672,9 +672,9 @@ dump_k5beta_iterator(ptr, entry)
        /* If we're blabbing, do it */
        if (arg->verbose)
            fprintf(stderr, "%s\n", name);
-       krb5_xfree(mod_name);
+       free(mod_name);
     }
-    krb5_xfree(name);
+    free(name);
     return(0);
 }
 
@@ -849,7 +849,7 @@ dump_k5beta6_iterator_ext(ptr, entry, kadm)
            retval = EINVAL;
        }
     }
-    krb5_xfree(name);
+    free(name);
     return(retval);
 }
 
index 26a2b9ddb3463f12f1200373c3e944f87c9a1ee1..5a6ee783bef385141b937ccfbba21900f45c6c10 100644 (file)
@@ -265,7 +265,7 @@ void ktutil_list(argc, argv)
            printf(")");
        }
        printf("\n");
-       krb5_xfree(pname);
+       free(pname);
     }
 }
 
index 517ea7d2c2cb74b812bd8c34a6a51671e9f77a29..c3b7fa1e3e69d4b408eeb540a29ab9a620a11d49 100644 (file)
@@ -251,7 +251,7 @@ process_chpw_request(context, server_handle, realm, keytab,
     /* zap the password */
     memset(clear.data, 0, clear.length);
     memset(ptr, 0, clear.length);
-    krb5_xfree(clear.data);
+    free(clear.data);
     free(ptr);
     clear.length = 0;
 
@@ -378,7 +378,7 @@ chpwfail:
            reply */
 
        if (ap_rep.length) {
-           krb5_xfree(ap_rep.data);
+           free(ap_rep.data);
            ap_rep.length = 0;
        }
 
@@ -457,13 +457,13 @@ bailout:
     if (changepw)
        krb5_free_principal(context, changepw);
     if (ap_rep.length)
-       krb5_xfree(ap_rep.data);
+       free(ap_rep.data);
     if (ticket)
        krb5_free_ticket(context, ticket);
     if (clear.length)
-       krb5_xfree(clear.data);
+       free(clear.data);
     if (cipher.length)
-       krb5_xfree(cipher.data);
+       free(cipher.data);
     if (target)
        krb5_free_principal(context, target);
     if (targetstr)
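Review bot: At `bailout`, `free(clear.data)` releases the decrypted request buffer without wiping it, whereas the success path in the first hunk of this file clears it under the `/* zap the password */` comment before freeing. If any error exit can reach `bailout` after decryption but before that zap block (the control flow is outside the hunk, so this is inferred), the cleartext password goes back to the allocator intact. I would wipe it here as well, `if (clear.length) { memset(clear.data, 0, clear.length); free(clear.data); }`. Because a `memset` immediately followed by `free` is a dead store the compiler is allowed to drop, both sites are better served by a wipe that cannot be elided (a volatile-pointer loop, or `explicit_bzero`/`memset_s` where the platform has them).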
index 74a3899e38ab227467fdb193e512ac76d7b699e8..f5bc3de0a392e393d6a2f5895417e83c8d6c0ad3 100644 (file)
@@ -1,3 +1,4 @@
+/* -*- mode: c; indent-tabs-mode: nil -*- */
 /*
  * kdc/do_tgs_req.c
  *
 #include "extern.h"
 #include "adm_proto.h"
 
+static void
+find_alternate_tgs (krb5_kdc_req *, krb5_db_entry *,
+                    krb5_boolean *, int *);
+
+static krb5_error_code
+prepare_error_tgs (krb5_kdc_req *, krb5_ticket *,
+                   int, krb5_principal,
+                   krb5_data **, const char *);
 
-static void find_alternate_tgs (krb5_kdc_req *, krb5_db_entry *,
-                               krb5_boolean *, int *);
+static krb5_int32
+is_substr (char *, krb5_data *);
 
-static krb5_error_code prepare_error_tgs (krb5_kdc_req *, krb5_ticket *,
-                                         int,  krb5_principal,
-                                         krb5_data **, const char *);
+static krb5_int32
+prep_reprocess_req(krb5_kdc_req *, krb5_principal *);
 
 /*ARGSUSED*/
 krb5_error_code
 process_tgs_req(krb5_data *pkt, const krb5_fulladdr *from,
-               krb5_data **response)
+                krb5_data **response)
 {
     krb5_keyblock * subkey = 0;
     krb5_kdc_req *request = 0;
@@ -105,64 +113,58 @@ process_tgs_req(krb5_data *pkt, const krb5_fulladdr *from,
     krb5_key_data  *server_key;
     char *cname = 0, *sname = 0, *altcname = 0;
     krb5_last_req_entry *nolrarray[2], nolrentry;
-/*    krb5_address *noaddrarray[1]; */
     krb5_enctype useenctype;
-    int        errcode, errcode2;
+    int errcode, errcode2;
     register int i;
     int firstpass = 1;
-    const char *status = 0;
+    const char        *status = 0;
     krb5_enc_tkt_part *header_enc_tkt = NULL; /* ticket granting or evidence ticket */
     krb5_db_entry client, krbtgt;
     int c_nprincs = 0, k_nprincs = 0;
-    krb5_pa_for_user *for_user = NULL;     /* protocol transition request */
-    krb5_authdata **kdc_issued_auth_data = NULL;    /* auth data issued by KDC */
-    unsigned int c_flags = 0, s_flags = 0;         /* client/server KDB flags */
+    krb5_pa_for_user *for_user = NULL;           /* protocol transition request */
+    krb5_authdata **kdc_issued_auth_data = NULL; /* auth data issued by KDC */
+    unsigned int c_flags = 0, s_flags = 0;       /* client/server KDB flags */
     char *s4u_name = NULL;
-    krb5_boolean is_referral;
+    krb5_boolean is_referral, db_ref_done = FALSE;
     const char *emsg = NULL;
+    krb5_data *tgs_1 =NULL, *server_1 = NULL;
+    krb5_principal krbtgt_princ;
+    krb5_kvno ticket_kvno = 0;
 
     session_key.contents = NULL;
     
     retval = decode_krb5_tgs_req(pkt, &request);
     if (retval)
-       return retval;
+        return retval;
 
     /*
      * setup_server_realm() sets up the global realm-specific data pointer.
      */
     if ((retval = setup_server_realm(request->server))) {
-       krb5_free_kdc_req(kdc_context, request);
-       return retval;
-    }
-
-    if ((errcode = krb5_unparse_name(kdc_context, request->server, &sname))) {
-       status = "UNPARSING SERVER";
-       goto cleanup;
+        krb5_free_kdc_req(kdc_context, request);
+        return retval;
     }
-    limit_string(sname);
-
-   /* errcode = kdc_process_tgs_req(request, from, pkt, &req_authdat); */
     errcode = kdc_process_tgs_req(request, from, pkt, &header_ticket,
-                                 &krbtgt, &k_nprincs, &subkey);
+                                  &krbtgt, &k_nprincs, &subkey);
     if (header_ticket && header_ticket->enc_part2 &&
-       (errcode2 = krb5_unparse_name(kdc_context, 
-                                     header_ticket->enc_part2->client,
-                                     &cname))) {
-       status = "UNPARSING CLIENT";
-       errcode = errcode2;
-       goto cleanup;
+        (errcode2 = krb5_unparse_name(kdc_context, 
+                                      header_ticket->enc_part2->client,
+                                      &cname))) {
+        status = "UNPARSING CLIENT";
+        errcode = errcode2;
+        goto cleanup;
     }
     limit_string(cname);
     
     if (errcode) {
-       status = "PROCESS_TGS";
-       goto cleanup;
+        status = "PROCESS_TGS";
+        goto cleanup;
     }
 
     if (!header_ticket) {
-       errcode = KRB5_NO_TKT_SUPPLIED; /* XXX? */
-       status="UNEXPECTED NULL in header_ticket";
-       goto cleanup;
+        errcode = KRB5_NO_TKT_SUPPLIED;        /* XXX? */
+        status="UNEXPECTED NULL in header_ticket";
+        goto cleanup;
     }
 
     /*
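Review bot: With the `krb5_unparse_name(kdc_context, request->server, &sname)` call removed from the top of `process_tgs_req` and re-added only under the `ref_tgt_again:` label in the next hunk, the "UNPARSING CLIENT", "PROCESS_TGS" and "UNEXPECTED NULL in header_ticket" exits now reach `cleanup` with `sname` still 0. The cleanup code is outside the hunk, but if it logs the failure, the log entry for a TGS request that failed validation no longer names the requested service, and that entry is the one an operator needs when investigating rejected tickets. Either keep the early unparse, or add a comment at `cleanup` such as `/* sname may be NULL when we fail before the server lookup */` and confirm the logging path handles it. Separately, `krb5_principal krbtgt_princ;` is declared without an initializer while the neighbouring pointers are set to NULL; `krb5_principal krbtgt_princ = NULL;` would keep any cleanup-time use well defined.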
@@ -182,81 +184,110 @@ process_tgs_req(krb5_data *pkt, const krb5_fulladdr *from,
     /* XXX make sure server here has the proper realm...taken from AP_REQ
        header? */
 
-    nprincs = 1;
     if (isflagset(request->kdc_options, KDC_OPT_CANONICALIZE)) {
-       setflag(c_flags, KRB5_KDB_FLAG_CANONICALIZE);
-       setflag(s_flags, KRB5_KDB_FLAG_CANONICALIZE);
+        setflag(c_flags, KRB5_KDB_FLAG_CANONICALIZE);
+        setflag(s_flags, KRB5_KDB_FLAG_CANONICALIZE);
+    }
+
+    db_ref_done = FALSE;
+
+ref_tgt_again:
+    nprincs = 1;
+    if ((errcode = krb5_unparse_name(kdc_context, request->server, &sname))) {
+        status = "UNPARSING SERVER";
+        goto cleanup;
     }
+    limit_string(sname);
 
     errcode = krb5_db_get_principal_ext(kdc_context,
-                                       request->server,
-                                       s_flags,
-                                       &server,
-                                       &nprincs,
-                                       &more);
+                                        request->server,
+                                        s_flags,
+                                        &server,
+                                        &nprincs,
+                                        &more);
     if (errcode) {
-       status = "LOOKING_UP_SERVER";
-       nprincs = 0;
-       goto cleanup;
+        status = "LOOKING_UP_SERVER";
+        nprincs = 0;
+        goto cleanup;
     }
 tgt_again:
     if (more) {
-       status = "NON_UNIQUE_PRINCIPAL";
-       errcode = KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE;
-       goto cleanup;
+        status = "NON_UNIQUE_PRINCIPAL";
+        errcode = KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE;
+        goto cleanup;
     } else if (nprincs != 1) {
-       /*
-        * might be a request for a TGT for some other realm; we
-        * should do our best to find such a TGS in this db
-        */
-       if (firstpass && krb5_is_tgs_principal(request->server) == TRUE) {
-           if (krb5_princ_size(kdc_context, request->server) == 2) {
-               krb5_data *server_1 =
-                   krb5_princ_component(kdc_context, request->server, 1);
-               krb5_data *tgs_1 =
-                   krb5_princ_component(kdc_context, tgs_server, 1);
-
-               if (!tgs_1 || !data_eq(*server_1, *tgs_1)) {
-                   krb5_db_free_principal(kdc_context, &server, nprincs);
-                   find_alternate_tgs(request, &server, &more, &nprincs);
-                   firstpass = 0;
-                   goto tgt_again;
-               }
-           }
-       }
-       krb5_db_free_principal(kdc_context, &server, nprincs);
-       status = "UNKNOWN_SERVER";
-       errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
-       goto cleanup;
+        /*
+         * might be a request for a TGT for some other realm; we
+         * should do our best to find such a TGS in this db
+         */
+        if (firstpass ) {
+
+            if ( krb5_is_tgs_principal(request->server) == TRUE) { /* Principal is a name of krb ticket service */
+                if (krb5_princ_size(kdc_context, request->server) == 2) { 
+                                          
+                    server_1 = krb5_princ_component(kdc_context, request->server, 1);
+                    tgs_1 = krb5_princ_component(kdc_context, tgs_server, 1);
+
+                    if (!tgs_1 || !data_eq(*server_1, *tgs_1)) {
+                        krb5_db_free_principal(kdc_context, &server, nprincs);
+                        find_alternate_tgs(request, &server, &more, &nprincs);
+                        firstpass = 0;
+                        goto tgt_again;
+                    }
+                }  
+                krb5_db_free_principal(kdc_context, &server, nprincs);
+                status = "UNKNOWN_SERVER";
+                errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
+                goto cleanup;
+
+            } else if ( db_ref_done == FALSE) {
+                retval = prep_reprocess_req(request, &krbtgt_princ);
+                if (!retval) {
+                    krb5_free_principal(kdc_context, request->server);
+                    retval = krb5_copy_principal(kdc_context, krbtgt_princ, &(request->server));
+                    if (!retval) {
+                        db_ref_done = TRUE;
+                        if (sname != NULL) 
+                            free(sname);
+                        goto ref_tgt_again;
+                    }
+                }
+            }
+        }
+
+        krb5_db_free_principal(kdc_context, &server, nprincs);
+        status = "UNKNOWN_SERVER";
+        errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
+        goto cleanup;
     }
 
     if ((errcode = krb5_timeofday(kdc_context, &kdc_time))) {
-       status = "TIME_OF_DAY";
-       goto cleanup;
+        status = "TIME_OF_DAY";
+        goto cleanup;
     }
     
     if ((retval = validate_tgs_request(request, server, header_ticket,
-                                      kdc_time, &status))) {
-       if (!status)
-           status = "UNKNOWN_REASON";
-       errcode = retval + ERROR_TABLE_BASE_krb5;
-       goto cleanup;
+                                       kdc_time, &status))) {
+    if (!status)
+        status = "UNKNOWN_REASON";
+        errcode = retval + ERROR_TABLE_BASE_krb5;
+        goto cleanup;
     }
 
     if (!is_local_principal(header_enc_tkt->client))
-       setflag(c_flags, KRB5_KDB_FLAG_CROSS_REALM);
+        setflag(c_flags, KRB5_KDB_FLAG_CROSS_REALM);
 
     is_referral = krb5_is_tgs_principal(server.princ) &&
-       !krb5_principal_compare(kdc_context, tgs_server, server.princ);
+        !krb5_principal_compare(kdc_context, tgs_server, server.princ);
 
     /* Check for protocol transition */
     errcode = kdc_process_s4u2self_req(kdc_context, request, header_enc_tkt->client,
-                                      &server, header_enc_tkt->session, kdc_time,
-                                      &for_user, &client, &c_nprincs, &status);
+                                       &server, header_enc_tkt->session, kdc_time,
+                                       &for_user, &client, &c_nprincs, &status);
     if (errcode)
-       goto cleanup;
+        goto cleanup;
     if (for_user != NULL)
-       setflag(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION);
+        setflag(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION);
 
     /*
      * We pick the session keytype here....
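Review bot: In the new `db_ref_done == FALSE` branch, `request->server` is released with `krb5_free_principal` before `krb5_copy_principal` has succeeded, so a failed copy leaves the request holding a freed pointer while control falls through to `goto cleanup`. The cleanup code is outside this hunk, but if it logs from or frees the request, it would presumably touch that principal a second time. Copying into a temporary first avoids this: `retval = krb5_copy_principal(kdc_context, krbtgt_princ, &tmp_princ);` and, only on success, `krb5_free_principal(kdc_context, request->server); request->server = tmp_princ;`, with `tmp_princ` declared among the function's locals above the hunk. Setting `sname = NULL` after `free(sname)` would likewise keep the retry path through `ref_tgt_again` from carrying a stale pointer. Separately, the re-indented `if (!status)` under `validate_tgs_request` now sits at the same column as the enclosing `if`, which misrepresents which statements it governs.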
@@ -271,114 +302,114 @@ tgt_again:
      */
     useenctype = 0;
     if (isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY |
-                                       KDC_OPT_CNAME_IN_ADDL_TKT)) {
-       krb5_keyblock * st_sealing_key;
-       krb5_kvno       st_srv_kvno;
-       krb5_enctype    etype;
-       krb5_db_entry   st_client;
-       int             st_nprincs = 0;
-
-       /*
-        * Get the key for the second ticket, and decrypt it.
-        */
-       if ((errcode = kdc_get_server_key(request->second_ticket[st_idx],
-                                         c_flags,
-                                         TRUE, /* match_enctype */
-                                         &st_client,
-                                         &st_nprincs,
-                                         &st_sealing_key,
-                                         &st_srv_kvno))) {
-           status = "2ND_TKT_SERVER";
-           goto cleanup;
-       }
-       errcode = krb5_decrypt_tkt_part(kdc_context, st_sealing_key,
-                                      request->second_ticket[st_idx]);
-       krb5_free_keyblock(kdc_context, st_sealing_key);
-       if (errcode) {
-           status = "2ND_TKT_DECRYPT";
-           krb5_db_free_principal(kdc_context, &st_client, st_nprincs);
-           goto cleanup;
-       }
-       
-       etype = request->second_ticket[st_idx]->enc_part2->session->enctype;
-       if (!krb5_c_valid_enctype(etype)) {
-           status = "BAD_ETYPE_IN_2ND_TKT";
-           errcode = KRB5KDC_ERR_ETYPE_NOSUPP;
-           krb5_db_free_principal(kdc_context, &st_client, st_nprincs);
-           goto cleanup;
-       }
-       
-       for (i = 0; i < request->nktypes; i++) {
-           if (request->ktype[i] == etype) {
-               useenctype = etype;
-               break;
-           }
-       }
-
-       if (isflagset(request->kdc_options, KDC_OPT_CNAME_IN_ADDL_TKT)) {
-           /* Do constrained delegation protocol and authorization checks */
-           errcode = kdc_process_s4u2proxy_req(kdc_context,
-                                               request,
-                                               request->second_ticket[st_idx]->enc_part2,
-                                               &st_client,
-                                               header_ticket->enc_part2->client,
-                                               request->server,
-                                               &status);
-           if (errcode)
-               goto cleanup;
-
-           setflag(c_flags, KRB5_KDB_FLAG_CONSTRAINED_DELEGATION);
-
-           assert(krb5_is_tgs_principal(header_ticket->server));
-
-           /* From now on, use evidence ticket as header ticket */
-           header_enc_tkt = request->second_ticket[st_idx]->enc_part2;
-
-           assert(c_nprincs == 0); /* assured by kdc_process_s4u2self_req() */
-
-           client = st_client;
-           c_nprincs = st_nprincs;
-       } else {
-           /* "client" is not used for user2user */
-           krb5_db_free_principal(kdc_context, &st_client, st_nprincs);
-       }
+                        KDC_OPT_CNAME_IN_ADDL_TKT)) {
+        krb5_keyblock *        st_sealing_key;
+        krb5_kvno       st_srv_kvno;
+        krb5_enctype    etype;
+        krb5_db_entry    st_client;
+        int             st_nprincs = 0;
+
+        /*
+         * Get the key for the second ticket, and decrypt it.
+         */
+        if ((errcode = kdc_get_server_key(request->second_ticket[st_idx],
+                                          c_flags,
+                                          TRUE, /* match_enctype */
+                                          &st_client,
+                                          &st_nprincs,
+                                          &st_sealing_key,
+                                          &st_srv_kvno))) {
+            status = "2ND_TKT_SERVER";
+            goto cleanup;
+        }
+        errcode = krb5_decrypt_tkt_part(kdc_context, st_sealing_key,
+                                    request->second_ticket[st_idx]);
+        krb5_free_keyblock(kdc_context, st_sealing_key);
+        if (errcode) {
+            status = "2ND_TKT_DECRYPT";
+            krb5_db_free_principal(kdc_context, &st_client, st_nprincs);
+            goto cleanup;
+        }
+        
+        etype = request->second_ticket[st_idx]->enc_part2->session->enctype;
+        if (!krb5_c_valid_enctype(etype)) {
+            status = "BAD_ETYPE_IN_2ND_TKT";
+            errcode = KRB5KDC_ERR_ETYPE_NOSUPP;
+            krb5_db_free_principal(kdc_context, &st_client, st_nprincs);
+            goto cleanup;
+        }
+        
+        for (i = 0; i < request->nktypes; i++) {
+            if (request->ktype[i] == etype) {
+                useenctype = etype;
+                break;
+            }
+        }
+
+        if (isflagset(request->kdc_options, KDC_OPT_CNAME_IN_ADDL_TKT)) {
+            /* Do constrained delegation protocol and authorization checks */
+            errcode = kdc_process_s4u2proxy_req(kdc_context,
+                                                request,
+                                                request->second_ticket[st_idx]->enc_part2,
+                                                &st_client,
+                                                header_ticket->enc_part2->client,
+                                                request->server,
+                                                &status);
+            if (errcode)
+                goto cleanup;
+
+            setflag(c_flags, KRB5_KDB_FLAG_CONSTRAINED_DELEGATION);
+
+            assert(krb5_is_tgs_principal(header_ticket->server));
+            /* From now on, use evidence ticket as header ticket */
+            header_enc_tkt = request->second_ticket[st_idx]->enc_part2;
+
+            assert(c_nprincs == 0); /* assured by kdc_process_s4u2self_req() */
+
+            client = st_client;
+            c_nprincs = st_nprincs;
+        } else {
+            /* "client" is not used for user2user */
+            krb5_db_free_principal(kdc_context, &st_client, st_nprincs);
+        }
     }
 
     /*
      * Select the keytype for the ticket session key.
      */
     if ((useenctype == 0) &&
-       (useenctype = select_session_keytype(kdc_context, &server,
-                                            request->nktypes,
-                                            request->ktype)) == 0) {
-       /* unsupported ktype */
-       status = "BAD_ENCRYPTION_TYPE";
-       errcode = KRB5KDC_ERR_ETYPE_NOSUPP;
-       goto cleanup;
+        (useenctype = select_session_keytype(kdc_context, &server,
+        request->nktypes,
+        request->ktype)) == 0) {
+        /* unsupported ktype */
+        status = "BAD_ENCRYPTION_TYPE";
+        errcode = KRB5KDC_ERR_ETYPE_NOSUPP;
+        goto cleanup;
     }
     
     errcode = krb5_c_make_random_key(kdc_context, useenctype, &session_key);
 
     if (errcode) {
-       /* random key failed */
-       status = "RANDOM_KEY_FAILED";
-       goto cleanup;
+        /* random key failed */
+        status = "RANDOM_KEY_FAILED";
+        goto cleanup;
     }
 
     authtime = header_enc_tkt->times.authtime;
 
     if (is_referral)
-       ticket_reply.server = server.princ;
+        ticket_reply.server = server.princ;
     else
-       ticket_reply.server = request->server; /* XXX careful for realm... */
+        ticket_reply.server = request->server; /* XXX careful for realm... */
 
     enc_tkt_reply.flags = 0;
     enc_tkt_reply.times.starttime = 0;
 
     if (isflagset(server.attributes, KRB5_KDB_OK_AS_DELEGATE) &&
-       !is_referral) {
-       /* Ensure that we are not returning a referral */
-       setflag(enc_tkt_reply.flags, TKT_FLG_OK_AS_DELEGATE);
+        !is_referral) {
+        /* Ensure that we are not returning a referral */
+        setflag(enc_tkt_reply.flags, TKT_FLG_OK_AS_DELEGATE);
     }
 
     /*
@@ -386,13 +417,13 @@ tgt_again:
      * authtime's value.
      */
     if (!(header_enc_tkt->times.starttime))
-       header_enc_tkt->times.starttime = header_enc_tkt->times.authtime;
+        header_enc_tkt->times.starttime = header_enc_tkt->times.authtime;
 
     /* don't use new addresses unless forwarded, see below */
 
     enc_tkt_reply.caddrs = header_enc_tkt->caddrs;
     /* noaddrarray[0] = 0; */
-    reply_encpart.caddrs = 0;          /* optional...don't put it in */
+    reply_encpart.caddrs = 0;/* optional...don't put it in */
     reply_encpart.enc_padata = NULL;
 
     /* It should be noted that local policy may affect the  */
@@ -400,105 +431,105 @@ tgt_again:
     /* realms may refuse to issue renewable tickets         */
 
     if (isflagset(request->kdc_options, KDC_OPT_FORWARDABLE))
-       setflag(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
+        setflag(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
     if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION)) {
-       if (!krb5_is_tgs_principal(server.princ) &&
-           is_local_principal(server.princ)) {
-           if (isflagset(server.attributes, KRB5_KDB_OK_TO_AUTH_AS_DELEGATE))
-               setflag(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
-           else
-               clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
-       }
-       if (isflagset(client.attributes, KRB5_KDB_DISALLOW_FORWARDABLE))
-           clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
+        if (!krb5_is_tgs_principal(server.princ) &&
+            is_local_principal(server.princ)) {
+            if (isflagset(server.attributes, KRB5_KDB_OK_TO_AUTH_AS_DELEGATE))
+                setflag(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
+            else
+                clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
+        }
+        if (isflagset(client.attributes, KRB5_KDB_DISALLOW_FORWARDABLE))
+            clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE);
     }
     if (isflagset(request->kdc_options, KDC_OPT_FORWARDED)) {
-       setflag(enc_tkt_reply.flags, TKT_FLG_FORWARDED);
+        setflag(enc_tkt_reply.flags, TKT_FLG_FORWARDED);
 
-       /* include new addresses in ticket & reply */
+        /* include new addresses in ticket & reply */
 
-       enc_tkt_reply.caddrs = request->addresses;
-       reply_encpart.caddrs = request->addresses;
-    }  
+        enc_tkt_reply.caddrs = request->addresses;
+        reply_encpart.caddrs = request->addresses;
+    }        
     if (isflagset(header_enc_tkt->flags, TKT_FLG_FORWARDED))
-       setflag(enc_tkt_reply.flags, TKT_FLG_FORWARDED);
+        setflag(enc_tkt_reply.flags, TKT_FLG_FORWARDED);
 
     if (isflagset(request->kdc_options, KDC_OPT_PROXIABLE))
-       setflag(enc_tkt_reply.flags, TKT_FLG_PROXIABLE);
+        setflag(enc_tkt_reply.flags, TKT_FLG_PROXIABLE);
 
     if (isflagset(request->kdc_options, KDC_OPT_PROXY)) {
-       setflag(enc_tkt_reply.flags, TKT_FLG_PROXY);
+        setflag(enc_tkt_reply.flags, TKT_FLG_PROXY);
 
-       /* include new addresses in ticket & reply */
+        /* include new addresses in ticket & reply */
 
-       enc_tkt_reply.caddrs = request->addresses;
-       reply_encpart.caddrs = request->addresses;
+        enc_tkt_reply.caddrs = request->addresses;
+        reply_encpart.caddrs = request->addresses;
     }
 
     if (isflagset(request->kdc_options, KDC_OPT_ALLOW_POSTDATE))
-       setflag(enc_tkt_reply.flags, TKT_FLG_MAY_POSTDATE);
+        setflag(enc_tkt_reply.flags, TKT_FLG_MAY_POSTDATE);
 
     if (isflagset(request->kdc_options, KDC_OPT_POSTDATED)) {
-       setflag(enc_tkt_reply.flags, TKT_FLG_POSTDATED);
-       setflag(enc_tkt_reply.flags, TKT_FLG_INVALID);
-       enc_tkt_reply.times.starttime = request->from;
+        setflag(enc_tkt_reply.flags, TKT_FLG_POSTDATED);
+        setflag(enc_tkt_reply.flags, TKT_FLG_INVALID);
+        enc_tkt_reply.times.starttime = request->from;
     } else
-       enc_tkt_reply.times.starttime = kdc_time;
+        enc_tkt_reply.times.starttime = kdc_time;
 
     if (isflagset(request->kdc_options, KDC_OPT_VALIDATE)) {
-       assert(isflagset(c_flags, KRB5_KDB_FLAGS_S4U) == 0);
-       /* BEWARE of allocation hanging off of ticket & enc_part2, it belongs
-          to the caller */
-       ticket_reply = *(header_ticket);
-       enc_tkt_reply = *(header_ticket->enc_part2);
-       clear(enc_tkt_reply.flags, TKT_FLG_INVALID);
+        assert(isflagset(c_flags, KRB5_KDB_FLAGS_S4U) == 0);
+        /* BEWARE of allocation hanging off of ticket & enc_part2, it belongs
+           to the caller */
+        ticket_reply = *(header_ticket);
+        enc_tkt_reply = *(header_ticket->enc_part2);
+        clear(enc_tkt_reply.flags, TKT_FLG_INVALID);
     }
 
     if (isflagset(request->kdc_options, KDC_OPT_RENEW)) {
-       krb5_deltat old_life;
+        krb5_deltat old_life;
 
-       assert(isflagset(c_flags, KRB5_KDB_FLAGS_S4U) == 0);
-       /* BEWARE of allocation hanging off of ticket & enc_part2, it belongs
-          to the caller */
-       ticket_reply = *(header_ticket);
-       enc_tkt_reply = *(header_ticket->enc_part2);
+        assert(isflagset(c_flags, KRB5_KDB_FLAGS_S4U) == 0);
+        /* BEWARE of allocation hanging off of ticket & enc_part2, it belongs
+           to the caller */
+        ticket_reply = *(header_ticket);
+        enc_tkt_reply = *(header_ticket->enc_part2);
 
-       old_life = enc_tkt_reply.times.endtime - enc_tkt_reply.times.starttime;
+        old_life = enc_tkt_reply.times.endtime - enc_tkt_reply.times.starttime;
 
-       enc_tkt_reply.times.starttime = kdc_time;
-       enc_tkt_reply.times.endtime =
-           min(header_ticket->enc_part2->times.renew_till,
-               kdc_time + old_life);
+        enc_tkt_reply.times.starttime = kdc_time;
+        enc_tkt_reply.times.endtime =
+            min(header_ticket->enc_part2->times.renew_till,
+                kdc_time + old_life);
     } else {
-       /* not a renew request */
-       enc_tkt_reply.times.starttime = kdc_time;
-       until = (request->till == 0) ? kdc_infinity : request->till;
-       enc_tkt_reply.times.endtime =
-           min(until, min(enc_tkt_reply.times.starttime + server.max_life,
-                          min(enc_tkt_reply.times.starttime + max_life_for_realm,
-                              header_enc_tkt->times.endtime)));
-       if (isflagset(request->kdc_options, KDC_OPT_RENEWABLE_OK) &&
-           (enc_tkt_reply.times.endtime < request->till) &&
-           isflagset(header_enc_tkt->flags, TKT_FLG_RENEWABLE)) {
-           setflag(request->kdc_options, KDC_OPT_RENEWABLE);
-           request->rtime =
-               min(request->till, header_enc_tkt->times.renew_till);
-       }
+        /* not a renew request */
+        enc_tkt_reply.times.starttime = kdc_time;
+        until = (request->till == 0) ? kdc_infinity : request->till;
+        enc_tkt_reply.times.endtime =
+            min(until, min(enc_tkt_reply.times.starttime + server.max_life,
+               min(enc_tkt_reply.times.starttime + max_life_for_realm,
+                   header_enc_tkt->times.endtime)));
+        if (isflagset(request->kdc_options, KDC_OPT_RENEWABLE_OK) &&
+            (enc_tkt_reply.times.endtime < request->till) &&
+            isflagset(header_enc_tkt->flags, TKT_FLG_RENEWABLE)) {
+            setflag(request->kdc_options, KDC_OPT_RENEWABLE);
+            request->rtime =
+                min(request->till, header_enc_tkt->times.renew_till);
+        }
     }
     rtime = (request->rtime == 0) ? kdc_infinity : request->rtime;
 
     if (isflagset(request->kdc_options, KDC_OPT_RENEWABLE)) {
-       /* already checked above in policy check to reject request for a
-          renewable ticket using a non-renewable ticket */
-       setflag(enc_tkt_reply.flags, TKT_FLG_RENEWABLE);
-       enc_tkt_reply.times.renew_till =
-           min(rtime,
-               min(header_enc_tkt->times.renew_till,
-                   enc_tkt_reply.times.starttime +
-                   min(server.max_renewable_life,
-                       max_renewable_life_for_realm)));
+        /* already checked above in policy check to reject request for a
+           renewable ticket using a non-renewable ticket */
+        setflag(enc_tkt_reply.flags, TKT_FLG_RENEWABLE);
+        enc_tkt_reply.times.renew_till =
+                        min(rtime,
+                            min(header_enc_tkt->times.renew_till,
+                                enc_tkt_reply.times.starttime +
+                                min(server.max_renewable_life,
+                                max_renewable_life_for_realm)));
     } else {
-       enc_tkt_reply.times.renew_till = 0;
+        enc_tkt_reply.times.renew_till = 0;
     }
     
     /*
@@ -510,43 +541,43 @@ tgt_again:
      * Propagate the preauthentication flags through to the returned ticket.
      */
     if (isflagset(header_enc_tkt->flags, TKT_FLG_PRE_AUTH))
-       setflag(enc_tkt_reply.flags, TKT_FLG_PRE_AUTH);
+        setflag(enc_tkt_reply.flags, TKT_FLG_PRE_AUTH);
 
     if (isflagset(header_enc_tkt->flags, TKT_FLG_HW_AUTH))
-       setflag(enc_tkt_reply.flags, TKT_FLG_HW_AUTH);
+        setflag(enc_tkt_reply.flags, TKT_FLG_HW_AUTH);
     
     /* starttime is optional, and treated as authtime if not present.
        so we can nuke it if it matches */
     if (enc_tkt_reply.times.starttime == enc_tkt_reply.times.authtime)
-       enc_tkt_reply.times.starttime = 0;
+        enc_tkt_reply.times.starttime = 0;
 
     if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION)) {
-       errcode = krb5_unparse_name(kdc_context, for_user->user, &s4u_name);
+        errcode = krb5_unparse_name(kdc_context, for_user->user, &s4u_name);
     } else if (isflagset(c_flags, KRB5_KDB_FLAG_CONSTRAINED_DELEGATION)) {
-       errcode = krb5_unparse_name(kdc_context, header_enc_tkt->client, &s4u_name);
+        errcode = krb5_unparse_name(kdc_context, header_enc_tkt->client, &s4u_name);
     } else {
-       errcode = 0;
+        errcode = 0;
     }
     if (errcode) {
-       status = "UNPARSING S4U CLIENT";
-       goto cleanup;
+        status = "UNPARSING S4U CLIENT";
+        goto cleanup;
     }
 
     if (isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY)) {
-       krb5_enc_tkt_part *t2enc = request->second_ticket[st_idx]->enc_part2;
-       encrypting_key = *(t2enc->session);
+        krb5_enc_tkt_part *t2enc = request->second_ticket[st_idx]->enc_part2;
+        encrypting_key = *(t2enc->session);
     } else {
-       /*
-        * Find the server key
-        */
-       if ((errcode = krb5_dbe_find_enctype(kdc_context, &server,
-                                            -1, /* ignore keytype */
-                                            -1, /* Ignore salttype */
-                                            0,         /* Get highest kvno */
-                                            &server_key))) {
-           status = "FINDING_SERVER_KEY";
-           goto cleanup;
-       }
+        /*
+         * Find the server key
+         */
+        if ((errcode = krb5_dbe_find_enctype(kdc_context, &server,
+                             -1, /* ignore keytype */
+                                             -1, /* Ignore salttype */
+                                             0,/* Get highest kvno */
+                                             &server_key))) {
+            status = "FINDING_SERVER_KEY";
+            goto cleanup;
+        }
 
         if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist, &server,
                                           &mkey_ptr))) {
@@ -565,100 +596,100 @@ tgt_again:
             }
         }
 
-       /* convert server.key into a real key (it may be encrypted
-        *        in the database) */
-       if ((errcode = krb5_dbekd_decrypt_key_data(kdc_context,
-                                                  mkey_ptr, 
-                                                  server_key, &encrypting_key,
-                                                  NULL))) {
-           status = "DECRYPT_SERVER_KEY";
-           goto cleanup;
-       }
+        /* convert server.key into a real key (it may be encrypted
+         *        in the database) */
+        if ((errcode = krb5_dbekd_decrypt_key_data(kdc_context,
+                                                   mkey_ptr, 
+                                                   server_key, &encrypting_key,
+                                                   NULL))) {
+            status = "DECRYPT_SERVER_KEY";
+            goto cleanup;
+        }
     }
 
     if (isflagset(c_flags, KRB5_KDB_FLAG_CONSTRAINED_DELEGATION)) {
-       /*
-        * Don't allow authorization data to be disabled if constrained
-        * delegation is requested. We don't want to deny the server
-        * the ability to validate that delegation was used.
-        */
-       clear(server.attributes, KRB5_KDB_NO_AUTH_DATA_REQUIRED);
+        /*
+         * Don't allow authorization data to be disabled if constrained
+         * delegation is requested. We don't want to deny the server
+         * the ability to validate that delegation was used.
+         */
+        clear(server.attributes, KRB5_KDB_NO_AUTH_DATA_REQUIRED);
     }
     if (isflagset(server.attributes, KRB5_KDB_NO_AUTH_DATA_REQUIRED) == 0) {
-       /*
-        * If we are not doing protocol transition/constrained delegation
-        * and there was no authorization data included, try to lookup
-        * the client principal as it may be mapped to a local account.
-        *
-        * Always validate authorization data for constrained delegation
-        * because we must validate the KDC signatures.
-        */
-       if (!isflagset(c_flags, KRB5_KDB_FLAGS_S4U) &&
-           header_enc_tkt->authorization_data == NULL) {
-
-           /* Generate authorization data so we can include it in ticket */
-           setflag(c_flags, KRB5_KDB_FLAG_INCLUDE_PAC);
-           /* Map principals from foreign (possibly non-AD) realms */
-           setflag(c_flags, KRB5_KDB_FLAG_MAP_PRINCIPALS);
-
-           assert(c_nprincs == 0); /* should not have been looked up already */
-
-           c_nprincs = 1;
-           errcode = krb5_db_get_principal_ext(kdc_context,
-                                               header_enc_tkt->client,
-                                               c_flags,
-                                               &client,
-                                               &c_nprincs,
-                                               &more);
-           /*
-            * We can ignore errors because the principal may be a
-            * valid cross-realm principal for which we have no local
-            * mapping. But we do want to check that at most one entry
-            * was returned.
-            */
-           if (errcode == 0 && (more || c_nprincs > 1)) {
-               errcode = KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE;
-               goto cleanup;
-           } else if (errcode) {
-               c_nprincs = 0;
-           }
-       }
+        /*
+         * If we are not doing protocol transition/constrained delegation
+         * and there was no authorization data included, try to lookup
+         * the client principal as it may be mapped to a local account.
+         *
+         * Always validate authorization data for constrained delegation
+         * because we must validate the KDC signatures.
+         */
+        if (!isflagset(c_flags, KRB5_KDB_FLAGS_S4U) &&
+            header_enc_tkt->authorization_data == NULL) {
+
+            /* Generate authorization data so we can include it in ticket */
+            setflag(c_flags, KRB5_KDB_FLAG_INCLUDE_PAC);
+            /* Map principals from foreign (possibly non-AD) realms */
+            setflag(c_flags, KRB5_KDB_FLAG_MAP_PRINCIPALS);
+
+            assert(c_nprincs == 0); /* should not have been looked up already */
+
+            c_nprincs = 1;
+            errcode = krb5_db_get_principal_ext(kdc_context,
+                                                header_enc_tkt->client,
+                                                c_flags,
+                                                &client,
+                                                &c_nprincs,
+                                                &more);
+            /*
+             * We can ignore errors because the principal may be a
+             * valid cross-realm principal for which we have no local
+             * mapping. But we do want to check that at most one entry
+             * was returned.
+             */
+            if (errcode == 0 && (more || c_nprincs > 1)) {
+                errcode = KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE;
+                goto cleanup;
+            } else if (errcode) {
+                c_nprincs = 0;
+            }
+        }
     }
 
     enc_tkt_reply.authorization_data = NULL;
 
     if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION) &&
-       is_local_principal(header_enc_tkt->client))
-       enc_tkt_reply.client = for_user->user;
+        is_local_principal(header_enc_tkt->client))
+        enc_tkt_reply.client = for_user->user;
     else
-       enc_tkt_reply.client = header_enc_tkt->client;
+        enc_tkt_reply.client = header_enc_tkt->client;
 
     errcode = handle_authdata(kdc_context,
-                             c_flags,
-                             (c_nprincs != 0) ? &client : NULL,
-                             &server,
-                             (k_nprincs != 0) ? &krbtgt : NULL,
-                             subkey != NULL ? subkey :
-                               header_ticket->enc_part2->session,
-                             &encrypting_key, /* U2U or server key */
-                             pkt,
-                             request,
-                             for_user ? for_user->user : NULL,
-                             header_enc_tkt,
-                             &enc_tkt_reply);
+                              c_flags,
+                              (c_nprincs != 0) ? &client : NULL,
+                              &server,
+                              (k_nprincs != 0) ? &krbtgt : NULL,
+                              subkey != NULL ? subkey :
+                              header_ticket->enc_part2->session,
+                              &encrypting_key, /* U2U or server key */
+                              pkt,
+                              request,
+                              for_user ? for_user->user : NULL,
+                              header_enc_tkt,
+                              &enc_tkt_reply);
     if (errcode) {
-       krb5_klog_syslog(LOG_INFO, "TGS_REQ : handle_authdata (%d)", errcode);
-       status = "HANDLE_AUTHDATA";
-       goto cleanup;
+        krb5_klog_syslog(LOG_INFO, "TGS_REQ : handle_authdata (%d)", errcode);
+        status = "HANDLE_AUTHDATA";
+        goto cleanup;
     }
 
     if (is_referral && isflagset(s_flags, KRB5_KDB_FLAG_CANONICALIZE)) {
-       errcode = return_svr_referral_data(kdc_context,
-                                          &server, &reply_encpart);
-       if (errcode) {
-           status = "KDC_RETURN_ENC_PADATA";
-           goto cleanup;
-       }
+        errcode = return_svr_referral_data(kdc_context,
+                                           &server, &reply_encpart);
+        if (errcode) {
+            status = "KDC_RETURN_ENC_PADATA";
+            goto cleanup;
+        }
     }
 
     enc_tkt_reply.session = &session_key;
@@ -675,87 +706,87 @@ tgt_again:
 
     /* realm compare is like strcmp, but knows how to deal with these args */
     if (realm_compare(header_ticket->server, tgs_server) ||
-       realm_compare(header_ticket->server, enc_tkt_reply.client)) {
-       /* tgt issued by local realm or issued by realm of client */
-       enc_tkt_reply.transited = header_enc_tkt->transited;
+        realm_compare(header_ticket->server, enc_tkt_reply.client)) {
+        /* tgt issued by local realm or issued by realm of client */
+        enc_tkt_reply.transited = header_enc_tkt->transited;
     } else {
-       /* tgt issued by some other realm and not the realm of the client */
-       /* assemble new transited field into allocated storage */
-       if (header_enc_tkt->transited.tr_type !=
-           KRB5_DOMAIN_X500_COMPRESS) {
-           status = "BAD_TRTYPE";
-           errcode = KRB5KDC_ERR_TRTYPE_NOSUPP;
-           goto cleanup;
-       }
-       enc_tkt_transited.tr_type = KRB5_DOMAIN_X500_COMPRESS;
-       enc_tkt_transited.magic = 0;
-       enc_tkt_transited.tr_contents.magic = 0;
-       enc_tkt_transited.tr_contents.data = 0;
-       enc_tkt_transited.tr_contents.length = 0;
-       enc_tkt_reply.transited = enc_tkt_transited;
-       if ((errcode =
-            add_to_transited(&header_enc_tkt->transited.tr_contents,
-                             &enc_tkt_reply.transited.tr_contents,
-                             header_ticket->server,
-                             enc_tkt_reply.client,
-                             request->server))) {
-           status = "ADD_TR_FAIL";
-           goto cleanup;
-       }
-       newtransited = 1;
+        /* tgt issued by some other realm and not the realm of the client */
+        /* assemble new transited field into allocated storage */
+        if (header_enc_tkt->transited.tr_type !=
+            KRB5_DOMAIN_X500_COMPRESS) {
+            status = "BAD_TRTYPE";
+            errcode = KRB5KDC_ERR_TRTYPE_NOSUPP;
+            goto cleanup;
+        }
+        enc_tkt_transited.tr_type = KRB5_DOMAIN_X500_COMPRESS;
+        enc_tkt_transited.magic = 0;
+        enc_tkt_transited.tr_contents.magic = 0;
+        enc_tkt_transited.tr_contents.data = 0;
+        enc_tkt_transited.tr_contents.length = 0;
+        enc_tkt_reply.transited = enc_tkt_transited;
+        if ((errcode =
+            add_to_transited(&header_enc_tkt->transited.tr_contents,
+                             &enc_tkt_reply.transited.tr_contents,
+                             header_ticket->server,
+                             enc_tkt_reply.client,
+                             request->server))) {
+                                 status = "ADD_TR_FAIL";
+                                 goto cleanup;
+        }
+        newtransited = 1;
     }
     if (isflagset(c_flags, KRB5_KDB_FLAG_CROSS_REALM)) {
-       errcode = validate_transit_path(kdc_context, header_enc_tkt->client,
-                                       &server,
-                                       (k_nprincs != 0) ? &krbtgt : NULL);
-       if (errcode) {
-           status = "NON_TRANSITIVE";
-           goto cleanup;
-       }
+        errcode = validate_transit_path(kdc_context, header_enc_tkt->client,
+        &server,
+        (k_nprincs != 0) ? &krbtgt : NULL);
+        if (errcode) {
+            status = "NON_TRANSITIVE";
+            goto cleanup;
+        }
     }
     if (!isflagset (request->kdc_options, KDC_OPT_DISABLE_TRANSITED_CHECK)) {
-       unsigned int tlen;
-       char *tdots;
-
-       errcode = kdc_check_transited_list (kdc_context,
-                                           &enc_tkt_reply.transited.tr_contents,
-                                           krb5_princ_realm (kdc_context, header_enc_tkt->client),
-                                           krb5_princ_realm (kdc_context, request->server));
-       tlen = enc_tkt_reply.transited.tr_contents.length;
-       tdots = tlen > 125 ? "..." : "";
-       tlen = tlen > 125 ? 125 : tlen;
-
-       if (errcode == 0) {
-           setflag (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED);
-       } else if (errcode == KRB5KRB_AP_ERR_ILL_CR_TKT)
-           krb5_klog_syslog (LOG_INFO,
-                             "bad realm transit path from '%s' to '%s' "
-                             "via '%.*s%s'",
-                             cname ? cname : "<unknown client>",
-                             sname ? sname : "<unknown server>",
-                             tlen,
-                             enc_tkt_reply.transited.tr_contents.data,
-                             tdots);
-       else {
-           emsg = krb5_get_error_message(kdc_context, errcode);
-           krb5_klog_syslog (LOG_ERR,
-                             "unexpected error checking transit from "
-                             "'%s' to '%s' via '%.*s%s': %s",
-                             cname ? cname : "<unknown client>",
-                             sname ? sname : "<unknown server>",
-                             tlen,
-                             enc_tkt_reply.transited.tr_contents.data,
-                             tdots, emsg);
-           krb5_free_error_message(kdc_context, emsg);
-           emsg = NULL;
-       }
+        unsigned int tlen;
+        char *tdots;
+
+        errcode = kdc_check_transited_list (kdc_context,
+                                            &enc_tkt_reply.transited.tr_contents,
+                                            krb5_princ_realm (kdc_context, header_enc_tkt->client),
+                                            krb5_princ_realm (kdc_context, request->server));
+        tlen = enc_tkt_reply.transited.tr_contents.length;
+        tdots = tlen > 125 ? "..." : "";
+        tlen = tlen > 125 ? 125 : tlen;
+
+        if (errcode == 0) {
+            setflag (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED);
+        } else if (errcode == KRB5KRB_AP_ERR_ILL_CR_TKT)
+            krb5_klog_syslog (LOG_INFO,
+                              "bad realm transit path from '%s' to '%s' "
+                              "via '%.*s%s'",
+                              cname ? cname : "<unknown client>",
+                              sname ? sname : "<unknown server>",
+                              tlen,
+                              enc_tkt_reply.transited.tr_contents.data,
+                              tdots);
+        else {
+            emsg = krb5_get_error_message(kdc_context, errcode);
+            krb5_klog_syslog (LOG_ERR,
+                              "unexpected error checking transit from "
+                              "'%s' to '%s' via '%.*s%s': %s",
+                              cname ? cname : "<unknown client>",
+                              sname ? sname : "<unknown server>",
+                              tlen,
+                              enc_tkt_reply.transited.tr_contents.data,
+                              tdots, emsg);
+            krb5_free_error_message(kdc_context, emsg);
+            emsg = NULL;
+        }
     } else
-       krb5_klog_syslog (LOG_INFO, "not checking transit path");
+        krb5_klog_syslog (LOG_INFO, "not checking transit path");
     if (reject_bad_transit
-       && !isflagset (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED)) {
-       errcode = KRB5KDC_ERR_POLICY;
-       status = "BAD_TRANSIT";
-       goto cleanup;
+        && !isflagset (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED)) {
+        errcode = KRB5KDC_ERR_POLICY;
+        status = "BAD_TRANSIT";
+        goto cleanup;
     }
 
     ticket_reply.enc_part2 = &enc_tkt_reply;
@@ -767,44 +798,44 @@ tgt_again:
      * the second ticket.
      */
     if (isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY)) {
-       /*
-        * Make sure the client for the second ticket matches
-        * requested server.
-        */
-       krb5_enc_tkt_part *t2enc = request->second_ticket[st_idx]->enc_part2;
-       krb5_principal client2 = t2enc->client;
-       if (!krb5_principal_compare(kdc_context, request->server, client2)) {
-               if ((errcode = krb5_unparse_name(kdc_context, client2, &altcname)))
-                   altcname = 0;
-               if (altcname != NULL)
-                   limit_string(altcname);
-
-               errcode = KRB5KDC_ERR_SERVER_NOMATCH;
-               status = "2ND_TKT_MISMATCH";
-               goto cleanup;
-       }
-           
-       ticket_reply.enc_part.kvno = 0;
-       ticket_reply.enc_part.enctype = t2enc->session->enctype;
-       st_idx++;
+        /*
+         * Make sure the client for the second ticket matches
+         * requested server.
+         */
+        krb5_enc_tkt_part *t2enc = request->second_ticket[st_idx]->enc_part2;
+        krb5_principal client2 = t2enc->client;
+        if (!krb5_principal_compare(kdc_context, request->server, client2)) {
+            if ((errcode = krb5_unparse_name(kdc_context, client2, &altcname)))
+                altcname = 0;
+            if (altcname != NULL)
+                limit_string(altcname);
+
+            errcode = KRB5KDC_ERR_SERVER_NOMATCH;
+            status = "2ND_TKT_MISMATCH";
+            goto cleanup;
+        }
+            
+        ticket_kvno = 0;
+        ticket_reply.enc_part.enctype = t2enc->session->enctype;
+        st_idx++;
     } else {
-       ticket_reply.enc_part.kvno = server_key->key_data_kvno;
+        ticket_kvno = server_key->key_data_kvno;
     }
 
     errcode = krb5_encrypt_tkt_part(kdc_context, &encrypting_key,
-                                   &ticket_reply);
+                    &ticket_reply);
     if (!isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY))
-       krb5_free_keyblock_contents(kdc_context, &encrypting_key);
+        krb5_free_keyblock_contents(kdc_context, &encrypting_key);
     if (errcode) {
-       status = "TKT_ENCRYPT";
-       goto cleanup;
+        status = "TKT_ENCRYPT";
+        goto cleanup;
     }
-
+    ticket_reply.enc_part.kvno = ticket_kvno;
     /* Start assembling the response */
     reply.msg_type = KRB5_TGS_REP;
-    reply.padata = 0;          /* always */
+    reply.padata = 0;/* always */
     reply.client = enc_tkt_reply.client;
-    reply.enc_part.kvno = 0;           /* We are using the session key */
+    reply.enc_part.kvno = 0;/* We are using the session key */
     reply.ticket = &ticket_reply;
 
     reply_encpart.session = &session_key;
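Review bot: The kvno is now held in `ticket_kvno` and copied into `ticket_reply.enc_part.kvno` only after `krb5_encrypt_tkt_part()` returns, but nothing in the hunk says why the order matters. Presumably the encrypt call rewrites `enc_part`, in which case a later reader who moves the assignment back above it would issue tickets carrying the wrong key version. A one-line comment above the assignment would pin this down, e.g. `/* set after encrypting: krb5_encrypt_tkt_part() appears to reset enc_part (confirm) */`. The blank line that separated the error check from the reply assembly was also dropped, and `reply.padata = 0;/* always */` and `reply.enc_part.kvno = 0;/* We are using the session key */` lost the space before their comments. The declaration of `ticket_kvno` is outside this hunk.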
@@ -818,14 +849,14 @@ tgt_again:
     /* starttime is optional, and treated as authtime if not present.
        so we can nuke it if it matches */
     if (enc_tkt_reply.times.starttime == enc_tkt_reply.times.authtime)
-       enc_tkt_reply.times.starttime = 0;
+        enc_tkt_reply.times.starttime = 0;
 
     nolrentry.lr_type = KRB5_LRQ_NONE;
     nolrentry.value = 0;
     nolrarray[0] = &nolrentry;
     nolrarray[1] = 0;
-    reply_encpart.last_req = nolrarray;        /* not available for TGS reqs */
-    reply_encpart.key_exp = 0;         /* ditto */
+    reply_encpart.last_req = nolrarray;        /* not available for TGS reqs */
+    reply_encpart.key_exp = 0;/* ditto */
     reply_encpart.flags = enc_tkt_reply.flags;
     reply_encpart.server = ticket_reply.server;
     
@@ -833,91 +864,91 @@ tgt_again:
        in the AP_REQ */
 
     reply.enc_part.enctype = subkey ? subkey->enctype :
-                   header_ticket->enc_part2->session->enctype;
+    header_ticket->enc_part2->session->enctype;
     errcode = krb5_encode_kdc_rep(kdc_context, KRB5_TGS_REP, &reply_encpart, 
-                                 subkey ? 1 : 0,
-                                 subkey ? subkey :
-                                 header_ticket->enc_part2->session,
-                                 &reply, response);
+                  subkey ? 1 : 0,
+                  subkey ? subkey :
+                  header_ticket->enc_part2->session,
+                  &reply, response);
     if (errcode) {
-       status = "ENCODE_KDC_REP";
+        status = "ENCODE_KDC_REP";
     } else {
-       status = "ISSUE";
+        status = "ISSUE";
     }
 
     memset(ticket_reply.enc_part.ciphertext.data, 0,
-          ticket_reply.enc_part.ciphertext.length);
+           ticket_reply.enc_part.ciphertext.length);
     free(ticket_reply.enc_part.ciphertext.data);
     /* these parts are left on as a courtesy from krb5_encode_kdc_rep so we
        can use them in raw form if needed.  But, we don't... */
     memset(reply.enc_part.ciphertext.data, 0,
-          reply.enc_part.ciphertext.length);
+           reply.enc_part.ciphertext.length);
     free(reply.enc_part.ciphertext.data);
     
 cleanup:
     assert(status != NULL);
     if (errcode) 
-       emsg = krb5_get_error_message (kdc_context, errcode);
+        emsg = krb5_get_error_message (kdc_context, errcode);
     log_tgs_req(from, request, &reply, cname, sname, altcname, authtime,
-               c_flags, s4u_name, status, errcode, emsg);
+                c_flags, s4u_name, status, errcode, emsg);
     if (errcode) {
-       krb5_free_error_message (kdc_context, emsg);
-       emsg = NULL;
+        krb5_free_error_message (kdc_context, emsg);
+        emsg = NULL;
     }
 
     if (errcode) {
         int got_err = 0;
-       if (status == 0) {
-           status = krb5_get_error_message (kdc_context, errcode);
-           got_err = 1;
-       }
-       errcode -= ERROR_TABLE_BASE_krb5;
-       if (errcode < 0 || errcode > 128)
-           errcode = KRB_ERR_GENERIC;
-           
-       retval = prepare_error_tgs(request, header_ticket, errcode,
-       nprincs ? server.princ : NULL,
-                                  response, status);
-       if (got_err) {
-           krb5_free_error_message (kdc_context, status);
-           status = 0;
-       }
+        if (status == 0) {
+            status = krb5_get_error_message (kdc_context, errcode);
+            got_err = 1;
+        }
+        errcode -= ERROR_TABLE_BASE_krb5;
+        if (errcode < 0 || errcode > 128)
+            errcode = KRB_ERR_GENERIC;
+            
+        retval = prepare_error_tgs(request, header_ticket, errcode,
+        nprincs ? server.princ : NULL,
+                   response, status);
+        if (got_err) {
+            krb5_free_error_message (kdc_context, status);
+            status = 0;
+        }
     }
     
     if (header_ticket != NULL)
-       krb5_free_ticket(kdc_context, header_ticket);
+        krb5_free_ticket(kdc_context, header_ticket);
     if (request != NULL)
-       krb5_free_kdc_req(kdc_context, request);
+        krb5_free_kdc_req(kdc_context, request);
     if (cname != NULL)
-       free(cname);
+        free(cname);
     if (sname != NULL)
-       free(sname);
+        free(sname);
     if (nprincs != 0)
-       krb5_db_free_principal(kdc_context, &server, 1);
+        krb5_db_free_principal(kdc_context, &server, 1);
     if (session_key.contents != NULL)
-       krb5_free_keyblock_contents(kdc_context, &session_key);
+        krb5_free_keyblock_contents(kdc_context, &session_key);
     if (newtransited)
-       free(enc_tkt_reply.transited.tr_contents.data);
+        free(enc_tkt_reply.transited.tr_contents.data);
     if (k_nprincs)
-       krb5_db_free_principal(kdc_context, &krbtgt, k_nprincs);
+        krb5_db_free_principal(kdc_context, &krbtgt, k_nprincs);
     if (c_nprincs)
-       krb5_db_free_principal(kdc_context, &client, c_nprincs);
+        krb5_db_free_principal(kdc_context, &client, c_nprincs);
     if (for_user != NULL)
-       krb5_free_pa_for_user(kdc_context, for_user);
+        krb5_free_pa_for_user(kdc_context, for_user);
     if (kdc_issued_auth_data != NULL)
-       krb5_free_authdata(kdc_context, kdc_issued_auth_data);
+        krb5_free_authdata(kdc_context, kdc_issued_auth_data);
     if (s4u_name != NULL)
-       free(s4u_name);
+        free(s4u_name);
     if (subkey != NULL)
-       krb5_free_keyblock(kdc_context, subkey);
+        krb5_free_keyblock(kdc_context, subkey);
 
     return retval;
 }
 
 static krb5_error_code
 prepare_error_tgs (krb5_kdc_req *request, krb5_ticket *ticket, int error,
-   krb5_principal canon_server,
-                  krb5_data **response, const char *status)
+                   krb5_principal canon_server,
+                   krb5_data **response, const char *status)
 {
     krb5_error errpkt;
     krb5_error_code retval;
@@ -927,21 +958,21 @@ prepare_error_tgs (krb5_kdc_req *request, krb5_ticket *ticket, int error,
     errpkt.cusec = 0;
 
     if ((retval = krb5_us_timeofday(kdc_context, &errpkt.stime,
-                                   &errpkt.susec)))
-       return(retval);
+                    &errpkt.susec)))
+        return(retval);
     errpkt.error = error;
     errpkt.server = request->server;
     if (ticket && ticket->enc_part2)
-       errpkt.client = ticket->enc_part2->client;
+        errpkt.client = ticket->enc_part2->client;
     else
-       errpkt.client = NULL;
+        errpkt.client = NULL;
     errpkt.text.length = strlen(status) + 1;
     if (!(errpkt.text.data = strdup(status)))
-       return ENOMEM;
+        return ENOMEM;
 
     if (!(scratch = (krb5_data *)malloc(sizeof(*scratch)))) {
-       free(errpkt.text.data);
-       return ENOMEM;
+        free(errpkt.text.data);
+        return ENOMEM;
     }
     errpkt.e_data.length = 0;
     errpkt.e_data.data = NULL;
@@ -949,9 +980,9 @@ prepare_error_tgs (krb5_kdc_req *request, krb5_ticket *ticket, int error,
     retval = krb5_mk_error(kdc_context, &errpkt, scratch);
     free(errpkt.text.data);
     if (retval)
-       free(scratch);
+        free(scratch);
     else
-       *response = scratch;
+        *response = scratch;
 
     return retval;
 }
@@ -963,7 +994,7 @@ prepare_error_tgs (krb5_kdc_req *request, krb5_ticket *ticket, int error,
  */
 static void
 find_alternate_tgs(krb5_kdc_req *request, krb5_db_entry *server,
-                  krb5_boolean *more, int *nprincs)
+                   krb5_boolean *more, int *nprincs)
 {
     krb5_error_code retval;
     krb5_principal *plist, *pl2;
@@ -979,10 +1010,10 @@ find_alternate_tgs(krb5_kdc_req *request, krb5_db_entry *server,
      * the principal.
      */
     if ((retval = krb5_walk_realm_tree(kdc_context, 
-                     krb5_princ_realm(kdc_context, request->server),
-                     krb5_princ_component(kdc_context, request->server, 1),
-                                     &plist, KRB5_REALM_BRANCH_CHAR)))
-       return;
+      krb5_princ_realm(kdc_context, request->server),
+      krb5_princ_component(kdc_context, request->server, 1),
+                      &plist, KRB5_REALM_BRANCH_CHAR)))
+        return;
 
     /* move to the end */
     for (pl2 = plist; *pl2; pl2++);
@@ -990,43 +1021,43 @@ find_alternate_tgs(krb5_kdc_req *request, krb5_db_entry *server,
     /* the first entry in this array is for krbtgt/local@local, so we
        ignore it */
     while (--pl2 > plist) {
-       *nprincs = 1;
-       tmp = *krb5_princ_realm(kdc_context, *pl2);
-       krb5_princ_set_realm(kdc_context, *pl2, 
-                            krb5_princ_realm(kdc_context, tgs_server));
-       retval = get_principal(kdc_context, *pl2, server, nprincs, more);
-       krb5_princ_set_realm(kdc_context, *pl2, &tmp);
-       if (retval) {
-           *nprincs = 0;
-           *more = FALSE;
-           krb5_free_realm_tree(kdc_context, plist);
-           return;
-       }
-       if (*more) {
-           krb5_db_free_principal(kdc_context, server, *nprincs);
-           continue;
-       } else if (*nprincs == 1) {
-           /* Found it! */
-           krb5_principal tmpprinc;
-
-           tmp = *krb5_princ_realm(kdc_context, *pl2);
-           krb5_princ_set_realm(kdc_context, *pl2, 
-                                krb5_princ_realm(kdc_context, tgs_server));
-           if ((retval = krb5_copy_principal(kdc_context, *pl2, &tmpprinc))) {
-               krb5_db_free_principal(kdc_context, server, *nprincs);
-               krb5_princ_set_realm(kdc_context, *pl2, &tmp);
-               continue;
-           }
-           krb5_princ_set_realm(kdc_context, *pl2, &tmp);
-
-           krb5_free_principal(kdc_context, request->server);
-           request->server = tmpprinc;
-           log_tgs_alt_tgt(request->server);
-           krb5_free_realm_tree(kdc_context, plist);
-           return;
-       }
-       krb5_db_free_principal(kdc_context, server, *nprincs);
-       continue;
+        *nprincs = 1;
+        tmp = *krb5_princ_realm(kdc_context, *pl2);
+        krb5_princ_set_realm(kdc_context, *pl2, 
+             krb5_princ_realm(kdc_context, tgs_server));
+        retval = get_principal(kdc_context, *pl2, server, nprincs, more);
+        krb5_princ_set_realm(kdc_context, *pl2, &tmp);
+        if (retval) {
+            *nprincs = 0;
+            *more = FALSE;
+            krb5_free_realm_tree(kdc_context, plist);
+            return;
+        }
+        if (*more) {
+            krb5_db_free_principal(kdc_context, server, *nprincs);
+            continue;
+        } else if (*nprincs == 1) {
+            /* Found it! */
+            krb5_principal tmpprinc;
+
+            tmp = *krb5_princ_realm(kdc_context, *pl2);
+            krb5_princ_set_realm(kdc_context, *pl2, 
+                 krb5_princ_realm(kdc_context, tgs_server));
+            if ((retval = krb5_copy_principal(kdc_context, *pl2, &tmpprinc))) {
+                                              krb5_db_free_principal(kdc_context, server, *nprincs);
+                                              krb5_princ_set_realm(kdc_context, *pl2, &tmp);
+                                              continue;
+            }
+            krb5_princ_set_realm(kdc_context, *pl2, &tmp);
+
+            krb5_free_principal(kdc_context, request->server);
+            request->server = tmpprinc;
+            log_tgs_alt_tgt(request->server);
+            krb5_free_realm_tree(kdc_context, plist);
+            return;
+        }
+        krb5_db_free_principal(kdc_context, server, *nprincs);
+        continue;
     }
 
     *nprincs = 0;
@@ -1034,3 +1065,122 @@ find_alternate_tgs(krb5_kdc_req *request, krb5_db_entry *server,
     krb5_free_realm_tree(kdc_context, plist);
     return;
 }
+
+/* is_substr - verfies if d1 contains d2->data with head/trail-ing whitespaces 
+ */
+static krb5_int32
+is_substr ( char *d1, krb5_data *d2)
+{
+    krb5_boolean ret = FALSE;
+    char *new_d2 = 0, *d2_formated = 0;
+    if ( d1 && d2 && d2->data && (d2->length+2 <= strlen(d1))){
+        new_d2 = calloc(1,d2->length+1);
+        if (new_d2 != NULL) {
+            strlcpy(new_d2,d2->data,d2->length+1);
+            if (asprintf( &d2_formated, "%c%s%c",' ',new_d2,' ') < 0)
+                ret = ENOMEM;
+             else  if (d2_formated != 0 && strstr(d1, d2_formated) != NULL)
+                ret = TRUE;
+            free(new_d2);
+            free(d2_formated);
+        }
+    }
+    return ret;
+}
+
+static krb5_int32
+prep_reprocess_req(krb5_kdc_req *request, krb5_principal *krbtgt_princ) 
+{
+    krb5_error_code retval = KRB5KRB_AP_ERR_BADMATCH;
+    char **realms, **cpp, *temp_buf=NULL;
+    krb5_data *comp1 = NULL, *comp2 = NULL; 
+    krb5_int32 host_based_srv_listed = 0, no_host_referral_listed = 0;
+
+    /* By now we know that server principal name is unknown.
+     * If CANONICALIZE flag is set in the request                                 
+     * If req is not U2U authn. req                                               
+     * the requested server princ. has exactly two components                     
+     * either 
+     *      the name type is NT-SRV-HST                                           
+     *      or name type is NT-UNKNOWN and 
+     *         the 1st component is listed in conf file under host_based_services 
+     * the 1st component is not in a list in conf under "no_host_referral"        
+     * the 2d component looks like fully-qualified domain name (FQDN)              
+     * If all of these conditions are satisfied - try mapping the FQDN and 
+     * re-process the request as if client had asked for cross-realm TGT.
+     */
+
+    if (isflagset(request->kdc_options, KDC_OPT_CANONICALIZE) == TRUE &&   
+        !isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY) &&      
+        krb5_princ_size(kdc_context, request->server) == 2) {             
+
+        comp1 = krb5_princ_component(kdc_context, request->server, 0);
+        comp2 = krb5_princ_component(kdc_context, request->server, 1);
+        host_based_srv_listed   = FALSE;
+        no_host_referral_listed = TRUE;
+        if (kdc_active_realm->realm_host_based_services != NULL) {
+            host_based_srv_listed = is_substr(kdc_active_realm->realm_host_based_services, comp1);
+            if (host_based_srv_listed == ENOMEM) {
+                retval = ENOMEM; 
+                goto cleanup; 
+             }
+        } 
+        if (kdc_active_realm->realm_no_host_referral != NULL) {
+            no_host_referral_listed = is_substr(kdc_active_realm->realm_no_host_referral,comp1);
+            if (no_host_referral_listed == ENOMEM) {
+                retval = ENOMEM; 
+                goto cleanup; 
+             }
+         } 
+
+        if ((krb5_princ_type(kdc_context, request->server) == KRB5_NT_SRV_HST ||        
+            (krb5_princ_type(kdc_context, request->server) == KRB5_NT_UNKNOWN &&    
+            kdc_active_realm->realm_host_based_services != NULL &&
+            (host_based_srv_listed == TRUE ||
+            strchr(kdc_active_realm->realm_host_based_services, '*')))) &&
+            (kdc_active_realm->realm_no_host_referral == NULL || 
+            (!strchr(kdc_active_realm->realm_host_based_services, '*') &&
+            no_host_referral_listed == FALSE))) { 
+
+            if (memchr(comp2->data, '.', comp2->length) == NULL)
+                goto cleanup;
+            temp_buf = calloc(1, comp2->length+1);
+            if (!temp_buf){
+                retval = ENOMEM; 
+                goto cleanup;
+            }
+            strlcpy(temp_buf, comp2->data,comp2->length+1);
+            retval = krb5int_get_domain_realm_mapping(kdc_context, temp_buf, &realms);
+            free(temp_buf);
+            if (retval) {
+                /* no match found */
+                com_err("krb5_get_domain_realm_mapping", retval, 0);
+                goto cleanup;
+            }
+            if (realms == 0) {
+                printf(" (null)\n");
+                goto cleanup;
+            }
+            if (realms[0] == 0) {
+                printf(" (none)\n");
+                free(realms);
+                goto cleanup;
+            }
+            /* Modify request. 
+             * Construct cross-realm tgt :  krbtgt/REMOTE_REALM@LOCAL_REALM 
+             * and use it as a principal in this req. 
+             */
+            retval = krb5_build_principal(kdc_context, krbtgt_princ, 
+                                          (*request->server).realm.length, 
+                                          (*request->server).realm.data, 
+                                          "krbtgt", realms[0], (char *)0);
+                         
+            for (cpp = realms; *cpp; cpp++)  
+                   free(*cpp);
+        }
+    }
+cleanup:
+    return retval;
+}
+
+
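Review bot: In `prep_reprocess_req` the wildcard test inside the `realm_no_host_referral` clause calls `strchr(kdc_active_realm->realm_host_based_services, '*')` with no NULL guard. For a `KRB5_NT_SRV_HST` name the first half of the condition is true whatever `realm_host_based_services` holds, so when only `no_host_referral` is configured the second half passes NULL to `strchr` and the KDC process would fault while handling the request. The comment added in kdc/extern.h says '*' in `realm_no_host_referral` disables all referrals, so the line was probably meant to read `(!strchr(kdc_active_realm->realm_no_host_referral, '*') &&`. Separately, the success path frees each `realms[i]` but never the `realms` array, and the `printf(" (null)\n")` / `printf(" (none)\n")` calls write to the daemon's stdout instead of going through `krb5_klog_syslog`. Both `is_substr` and the `temp_buf` copy use `strlcpy` on `krb5_data` buffers, which scans the source for a NUL that `krb5_data` does not promise; a `memcpy` of `length` bytes into the already zeroed buffer avoids reading past the component.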
index 3b67eb8182250e04efaed1d7f8a1fa5df5aed181..88e8b0ddef956ab18361def47f617a26793b8056 100644 (file)
@@ -1,7 +1,7 @@
 /*
  * kdc/extern.h
  *
- * Copyright 1990,2001,2007 by the Massachusetts Institute of Technology.
+ * Copyright 1990,2001,2007,2009 by the Massachusetts Institute of Technology.
  *
  * Export of this software from the United States of America may
  *   require a specific license from the United States Government.
@@ -41,6 +41,11 @@ typedef struct __kdc_realm_data {
     krb5_context       realm_context;  /* Context to be used for realm     */
     krb5_keytab                realm_keytab;   /* keytab to be used for this realm */
     char *             realm_profile;  /* Profile file for this realm      */
+    char *              realm_host_based_services; /* do referral processing for these services 
+                                                    * If '*' - allow all referrals */
+    char *              realm_no_host_referral; /* no referral for these services.
+                                                 * If '*' - disallow all referrals and  
+                                                 * ignore realm_host_based_services */
     /*
      * Database per-realm data.
      */
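Review bot: The comments on `realm_host_based_services` and `realm_no_host_referral` do not state the stored string format, although the lookup code depends on it. `handle_referrals` in kdc/main.c stores each list wrapped in spaces with commas turned into spaces, and `is_substr` in kdc/do_tgs_req.c searches it for `" name "`, so a value assigned in any other form would never match. I would extend the field comments along the lines of `/* space-separated service names with a leading and trailing space, or "*" */`. The struct definition continues outside this hunk.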
index 4394b6ddc91aa10739a911b402715069081c708b..0e9b6910a966619728b45f62ff3261c1d6e7c583 100644 (file)
@@ -1,7 +1,7 @@
 /*
  * kdc/main.c
  *
- * Copyright 1990,2001,2008 by the Massachusetts Institute of Technology.
+ * Copyright 1990,2001,2008,2009 by the Massachusetts Institute of Technology.
  *
  * Export of this software from the United States of America may
  *   require a specific license from the United States Government.
@@ -146,6 +146,10 @@ finish_realm(kdc_realm_t *rdp)
        free(rdp->realm_tcp_ports);
     if (rdp->realm_keytab)
        krb5_kt_close(rdp->realm_context, rdp->realm_keytab);
+    if (rdp->realm_host_based_services)
+       free(rdp->realm_host_based_services);
+    if (rdp->realm_no_host_referral)
+       free(rdp->realm_no_host_referral);
     if (rdp->realm_context) {
        if (rdp->realm_mprinc)
            krb5_free_principal(rdp->realm_context, rdp->realm_mprinc);
@@ -165,6 +169,85 @@ finish_realm(kdc_realm_t *rdp)
     free(rdp);
 }
 
+static krb5_error_code 
+handle_referrals(krb5_realm_params *rparams, char *no_refrls, char *host_based_srvcs, kdc_realm_t *rdp )
+{
+    int i = 0;
+    krb5_error_code retval = 0;
+    if (no_refrls == NULL || strchr(no_refrls, '*') == NULL) {
+        if (no_refrls != NULL){
+            if (rparams && rparams->realm_no_host_referral) {
+                if (asprintf(&(rdp->realm_no_host_referral), "%s%s%s%s%s",
+                         " ", no_refrls," ",rparams->realm_no_host_referral, " ") < 0)
+                    retval = ENOMEM; 
+            } else {
+                if(asprintf(&(rdp->realm_no_host_referral),"%s%s%s", " ", no_refrls, " ") < 0)
+                    retval = ENOMEM; 
+            }
+       } else {
+            if (rparams && rparams->realm_no_host_referral) {   
+                if (asprintf(&(rdp->realm_no_host_referral),"%s%s%s", " ", 
+                             rparams->realm_no_host_referral, " ") < 0)
+                    retval = ENOMEM; 
+            } else
+                rdp->realm_no_host_referral = NULL;
+        }
+        if (rdp->realm_no_host_referral &&
+            strlen(rdp->realm_no_host_referral) > 1 && strchr(rdp->realm_no_host_referral, '*') != NULL) {
+            rdp->realm_no_host_referral = strdup("*");
+        } else {
+             /*  only if no_host_referral != "*" */
+            if ((host_based_srvcs != NULL &&  strchr(host_based_srvcs,'*') != NULL) ||
+                 (rparams && rparams->realm_host_based_services && 
+                             strchr(rparams->realm_host_based_services,'*') != NULL)) {
+                if (asprintf(&(rdp->realm_host_based_services),"%s", "*") < 0)
+                    retval = ENOMEM; 
+            } else {
+                if (host_based_srvcs != NULL) {
+                    if (rparams && rparams->realm_host_based_services) {
+                        if (asprintf(&(rdp->realm_host_based_services),"%s%s%s%s%s",
+                            " ", host_based_srvcs," ",rparams->realm_host_based_services," ") < 0)
+                            retval = ENOMEM; 
+                    } else
+                        if (asprintf(&(rdp->realm_host_based_services),"%s%s%s", " ", 
+                                     host_based_srvcs, " ") < 0)
+                            retval = ENOMEM; 
+                } else {
+                    if (rparams && rparams->realm_host_based_services) {
+                        if (asprintf(&(rdp->realm_host_based_services),"%s%s%s", " ", 
+                                     rparams->realm_host_based_services, " ") < 0)
+                            retval = ENOMEM; 
+                    } else 
+                        rdp->realm_host_based_services = NULL;
+                }
+            }
+
+            /* Walk realm_host_based_services and realm_no_host_referral and replace all ',' with whitespace */
+            i = 0; 
+            while (rdp && rdp->realm_host_based_services && (rdp->realm_host_based_services)[i] != 0){
+                if ((rdp->realm_host_based_services)[i] == ',')
+                    (rdp->realm_host_based_services)[i] = ' ';
+                i++; 
+            }
+            i = 0;   
+            while (rdp && rdp->realm_no_host_referral && ( rdp->realm_no_host_referral)[i] != 0){
+                if ((rdp->realm_no_host_referral)[i] == ',')
+                    (rdp->realm_no_host_referral)[i] = ' ';
+                i++;
+            }
+        }
+    } else {
+        if  (no_refrls != NULL && strchr(no_refrls,'*') != NULL) {
+            if (asprintf(&(rdp->realm_no_host_referral),"%s", "*") < 0)
+                retval = ENOMEM; 
+        } else
+            rdp->realm_no_host_referral = NULL;
+    }
+
+    return retval;
+}
 /*
  * Initialize a realm control structure from the alternate profile or from
  * the specified defaults.
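Review bot: `handle_referrals` keeps going after a failed `asprintf`: it records `retval = ENOMEM`, then still runs `strlen`/`strchr` on `rdp->realm_no_host_referral` and walks both strings in the comma-replacement loops, although the pointer's value after a failed `asprintf` is not defined on every libc. Returning `ENOMEM` at each failure site avoids touching it. The wildcard collapse `rdp->realm_no_host_referral = strdup("*");` also overwrites the buffer allocated just above without freeing it, and the `strdup` result is not checked; `free(rdp->realm_no_host_referral);` before the assignment and a NULL check after it would cover both. The `rdp &&` tests in the two loops come after `rdp` has already been dereferenced, so they guard nothing.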
@@ -175,7 +258,8 @@ finish_realm(kdc_realm_t *rdp)
 static krb5_error_code
 init_realm(char *progname, kdc_realm_t *rdp, char *realm, 
           char *def_mpname, krb5_enctype def_enctype, char *def_udp_ports,
-          char *def_tcp_ports, krb5_boolean def_manual, char **db_args)
+          char *def_tcp_ports, krb5_boolean def_manual, char **db_args,
+           char *no_refrls, char *host_based_srvcs)
 {
     krb5_error_code    kret;
     krb5_boolean       manual;
@@ -243,7 +327,7 @@ init_realm(char *progname, kdc_realm_t *rdp, char *realm,
        rdp->realm_reject_bad_transit = rparams->realm_reject_bad_transit;
     else
        rdp->realm_reject_bad_transit = 1;
-
     /* Handle ticket maximum life */
     rdp->realm_maxlife = (rparams && rparams->realm_max_life_valid) ?
        rparams->realm_max_life : KRB5_KDB_MAX_LIFE;
@@ -252,6 +336,11 @@ init_realm(char *progname, kdc_realm_t *rdp, char *realm,
     rdp->realm_maxrlife = (rparams && rparams->realm_max_rlife_valid) ?
        rparams->realm_max_rlife : KRB5_KDB_MAX_RLIFE;
 
+    /* Handle KDC referrals */
+    kret = handle_referrals(rparams, no_refrls, host_based_srvcs, rdp);
+    if (kret == ENOMEM)
+       goto whoops;
+
     if (rparams)
        krb5_free_realm_params(rdp->realm_context, rparams);
 
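Review bot: The added check `if (kret == ENOMEM)` in init_realm treats only one error value as fatal, so any other non-zero return from handle_referrals would fall through and the realm would come up with its referral lists in an undefined state. The visible tail of handle_referrals only ever sets ENOMEM, but the start of that function is outside this view, so testing `if (kret)` is the safer form and matches how a krb5_error_code is normally consumed. The jump to `whoops` also happens before the `krb5_free_realm_params(rdp->realm_context, rparams);` call just below; whether the `whoops` path releases rparams is not visible in this hunk and is worth confirming.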
@@ -456,6 +545,8 @@ initialize_realms(krb5_context kcontext, int argc, char **argv)
     krb5_pointer       aprof;
     const char         *hierarchy[3];
     char               **db_args      = NULL;
+    char                *no_refrls = NULL;
+    char                *host_based_srvcs = NULL;
     int                  db_args_size = 0;
 
     extern char *optarg;
@@ -472,11 +563,27 @@ initialize_realms(krb5_context kcontext, int argc, char **argv)
        hierarchy[1] = "kdc_max_dgram_reply_size";
        if (krb5_aprof_get_int32(aprof, hierarchy, TRUE, &max_dgram_reply_size))
            max_dgram_reply_size = MAX_DGRAM_SIZE;
+        /* The service name "*" means any service. */
+        hierarchy[1] = "no_host_referral";
+        if (!krb5_aprof_get_string_all(aprof, hierarchy, &no_refrls)){
+            if (no_refrls != NULL && strlen(no_refrls) && strchr(no_refrls, '*')) {
+                no_refrls = strdup("*");
+            }
+        }
+        if (no_refrls == 0 || strchr(no_refrls, '*') == NULL) {
+            hierarchy[1] = "host_based_services";
+            if (!krb5_aprof_get_string_all(aprof, hierarchy, &host_based_srvcs)) {
+                if (strchr(host_based_srvcs, '*')) {
+                    host_based_srvcs = strdup("*");
+                }
+            }
+        }
 
        /* aprof_init can return 0 with aprof == NULL */
        if (aprof)
             krb5_aprof_finish(aprof);
     }
+  
     if (default_udp_ports == 0)
        default_udp_ports = strdup(DEFAULT_KDC_UDP_PORTLIST);
     if (default_tcp_ports == 0)
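Review bot: The `host_based_services` branch calls `strchr(host_based_srvcs, '*')` with no NULL guard, although the parallel `no_host_referral` branch a few lines above checks `no_refrls != NULL` first; if krb5_aprof_get_string_all can return 0 with an empty result, that is a NULL dereference while the KDC starts. The guard should mirror the first branch: `if (host_based_srvcs != NULL && strchr(host_based_srvcs, '*'))`. Both `strdup("*")` assignments also overwrite the pointer returned by krb5_aprof_get_string_all without releasing it, and neither result is checked. In the `no_refrls` case, a failed strdup leaves NULL, which the following `if (no_refrls == 0 || ...)` test treats as "not configured", so a configured blanket no-referral restriction would be dropped silently. initialize_realms begins and ends outside this hunk, so the correct deallocator and error path need to be taken from the surrounding code.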
@@ -510,7 +617,8 @@ initialize_realms(krb5_context kcontext, int argc, char **argv)
                    if ((retval = init_realm(argv[0], rdatap, optarg, 
                                             mkey_name, menctype,
                                             default_udp_ports,
-                                            default_tcp_ports, manual, db_args))) {
+                                            default_tcp_ports, manual, db_args,
+                                             no_refrls, host_based_srvcs))) {
                        fprintf(stderr,"%s: cannot initialize realm %s - see log file for details\n",
                                argv[0], optarg);
                        exit(1);
@@ -607,7 +715,8 @@ initialize_realms(krb5_context kcontext, int argc, char **argv)
        if ((rdatap = (kdc_realm_t *) malloc(sizeof(kdc_realm_t)))) {
            if ((retval = init_realm(argv[0], rdatap, lrealm, 
                                     mkey_name, menctype, default_udp_ports,
-                                    default_tcp_ports, manual, db_args))) {
+                                    default_tcp_ports, manual, db_args,
+                                     no_refrls, host_based_srvcs))) {
                fprintf(stderr,"%s: cannot initialize realm %s - see log file for details\n",
                        argv[0], lrealm);
                exit(1);
@@ -766,6 +875,3 @@ int main(int argc, char **argv)
     return errout;
 }
 
-
-
-
index 8c9e8e1a4e637a90e5cac6aec5a73e2daf95e58d..085c997ed420de61e3b4a66240b457c5004669b4 100644 (file)
@@ -254,16 +254,10 @@ krb5_arcfour_decrypt(const struct krb5_enc_provider *enc,
   ms_usage=krb5int_arcfour_translate_usage(usage);
   if (key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP) {
     strncpy(salt.data, krb5int_arcfour_l40, salt.length);
-    salt.data[10]=ms_usage & 0xff;
-    salt.data[11]=(ms_usage>>8) & 0xff;
-    salt.data[12]=(ms_usage>>16) & 0xff;
-    salt.data[13]=(ms_usage>>24) & 0xff;
+    store_32_le(ms_usage, salt.data+10);
   } else {
     salt.length=4;
-    salt.data[0]=ms_usage & 0xff;
-    salt.data[1]=(ms_usage>>8) & 0xff;
-    salt.data[2]=(ms_usage>>16) & 0xff;
-    salt.data[3]=(ms_usage>>24) & 0xff;
+    store_32_le(ms_usage, salt.data);
   }
   ret=krb5_hmac(hash, key, 1, &salt, &d1);
   if (ret)
index 025118ed7d67faad1d61d6f7020e0ae2b046452d..cff7d66d65e3a2842bdae5727656bacc32489af3 100644 (file)
@@ -146,10 +146,10 @@ krb5int_arcfour_encrypt_iov(const struct krb5_aead_provider *aead,
 
     if (key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP) {
        strncpy(salt.data, krb5int_arcfour_l40, salt.length);
-       store_32_le(ms_usage, (unsigned char *)salt.data + 10);
+       store_32_le(ms_usage, salt.data + 10);
     } else {
        salt.length = 4;
-       store_32_le(ms_usage, (unsigned char *)salt.data);
+       store_32_le(ms_usage, salt.data);
     }
     ret = krb5_hmac(hash, key, 1, &salt, &d1);
     if (ret != 0)
index 97ec2d8a1e68b55b17af3abe4cba88c1ab1647f8..571dab0070fab5d87b60d1c97eec115f57d0dd8e 100644 (file)
@@ -149,11 +149,11 @@ mit_afs_string_to_key (krb5_keyblock *keyblock, const krb5_data *data,
       
       /* clean & free the input string */
       memset(password, 0, (size_t) pw_len);
-      krb5_xfree(password);
+      free(password);
     }
 #if 0
     /* must free here because it was copied for this special case */
-    krb5_xfree(salt->data);
+    free(salt->data);
 #endif
     return 0;
 }
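Review bot: The `memset(password, 0, (size_t) pw_len);` immediately before the changed `free(password);` writes to memory that is never read again, so an optimizing compiler is allowed to remove it and leave the password in freed heap memory. The keyblocks.c hunk of this same commit wipes key material with `krb5int_zap_data (key->contents, key->length);` before freeing it. Using that helper here as well, `krb5int_zap_data(password, (size_t) pw_len);`, would keep the two paths consistent, assuming the helper is written to survive dead-store elimination. The body of mit_afs_string_to_key starts outside this hunk.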
index b51319b2ea9a3ff2af3eba9fbf50b2f223f586c4..f4b18bf0c4f80a9bfc342bcc804275c959c9d3d0 100644 (file)
@@ -75,10 +75,7 @@ krb5_dk_make_checksum(const struct krb5_hash_provider *hash,
     datain.data = (char *) constantdata;
     datain.length = K5CLENGTH;
 
-    datain.data[0] = (usage>>24)&0xff;
-    datain.data[1] = (usage>>16)&0xff;
-    datain.data[2] = (usage>>8)&0xff;
-    datain.data[3] = usage&0xff;
+    store_32_be(usage, constantdata);
 
     datain.data[4] = (char) 0x99;
 
@@ -147,10 +144,7 @@ krb5int_dk_make_checksum_iov(const struct krb5_hash_provider *hash,
     datain.data = (char *) constantdata;
     datain.length = K5CLENGTH;
 
-    datain.data[0] = (usage>>24)&0xff;
-    datain.data[1] = (usage>>16)&0xff;
-    datain.data[2] = (usage>>8)&0xff;
-    datain.data[3] = usage&0xff;
+    store_32_be(usage, constantdata);
 
     datain.data[4] = (char) 0x99;
 
index 8abf5af5f440fc38aaf9d116af2af97326d9d4c7..e995f9ae69ab22f0602b46a72271fd6b64eae811 100644 (file)
@@ -1,7 +1,7 @@
 /*
  * lib/crypto/dk/dk_aead.c
  *
- * Copyright 2008 by the Massachusetts Institute of Technology.
+ * Copyright 2008, 2009 by the Massachusetts Institute of Technology.
  * All Rights Reserved.
  *
  * Export of this software from the United States of America may
@@ -147,10 +147,7 @@ krb5int_dk_encrypt_iov(const struct krb5_aead_provider *aead,
     d1.data = (char *)constantdata;
     d1.length = K5CLENGTH;
 
-    d1.data[0] = (usage >> 24) & 0xFF;
-    d1.data[1] = (usage >> 16) & 0xFF;
-    d1.data[2] = (usage >> 8 ) & 0xFF;
-    d1.data[3] = (usage      ) & 0xFF;
+    store_32_be(usage, constantdata);
 
     d1.data[4] = 0xAA;
 
@@ -298,10 +295,7 @@ krb5int_dk_decrypt_iov(const struct krb5_aead_provider *aead,
     d1.data = (char *)constantdata;
     d1.length = K5CLENGTH;
 
-    d1.data[0] = (usage >> 24) & 0xFF;
-    d1.data[1] = (usage >> 16) & 0xFF;
-    d1.data[2] = (usage >> 8 ) & 0xFF;
-    d1.data[3] = (usage      ) & 0xFF;
+    store_32_be(usage, constantdata);
 
     d1.data[4] = 0xAA;
 
index c4397382a78180666f0a2c8764e5d7000e080924..c38c4d5bf3cc688d449fcaa319abb72fdb6cf5d5 100644 (file)
@@ -119,10 +119,7 @@ krb5_dk_decrypt_maybe_trunc_hmac(const struct krb5_enc_provider *enc,
     d1.data = (char *) constantdata;
     d1.length = K5CLENGTH;
 
-    d1.data[0] = (usage>>24)&0xff;
-    d1.data[1] = (usage>>16)&0xff;
-    d1.data[2] = (usage>>8)&0xff;
-    d1.data[3] = usage&0xff;
+    store_32_be(usage, constantdata);
 
     d1.data[4] = (char) 0xAA;
 
index 750f43ffed14ad55de0566169417513e818dcdb4..6596e53ce842f1b4653a679fc2acc0042d5bb78d 100644 (file)
@@ -99,10 +99,7 @@ krb5_dk_encrypt(const struct krb5_enc_provider *enc,
     d1.data = (char *) constantdata;
     d1.length = K5CLENGTH;
 
-    d1.data[0] = (usage>>24)&0xff;
-    d1.data[1] = (usage>>16)&0xff;
-    d1.data[2] = (usage>>8)&0xff;
-    d1.data[3] = usage&0xff;
+    store_32_be(usage, constantdata);
 
     d1.data[4] = (char) 0xAA;
 
@@ -265,10 +262,7 @@ krb5int_aes_dk_encrypt(const struct krb5_enc_provider *enc,
     d1.data = (char *) constantdata;
     d1.length = K5CLENGTH;
 
-    d1.data[0] = (usage>>24)&0xff;
-    d1.data[1] = (usage>>16)&0xff;
-    d1.data[2] = (usage>>8)&0xff;
-    d1.data[3] = usage&0xff;
+    store_32_be(usage, constantdata);
 
     d1.data[4] = (char) 0xAA;
 
index 1df182c4933324b999448e990f860f8944424d7c..ca268106765f78d9e2ab4a7dff13570896e86911 100644 (file)
@@ -44,11 +44,7 @@ k5_crc32_hash(unsigned int icount, const krb5_data *input,
        c ^= cn;
     }
 
-    output->data[0] = c&0xff;
-    output->data[1] = (c>>8)&0xff;
-    output->data[2] = (c>>16)&0xff;
-    output->data[3] = (c>>24)&0xff;
-
+    store_32_le(c, output->data);
     return(0);
 }
 
index cdb309867a2f3da6da932de27d8fa90f7b452a46..ffc073cf140a1a008d1c966242a6fd9c9610611c 100644 (file)
@@ -44,10 +44,7 @@ k5_sha1_hash(unsigned int icount, const krb5_data *input,
     shsFinal(&ctx);
 
     for (i=0; i<(sizeof(ctx.digest)/sizeof(ctx.digest[0])); i++) {
-       output->data[i*4] = (ctx.digest[i]>>24)&0xff;
-       output->data[i*4+1] = (ctx.digest[i]>>16)&0xff;
-       output->data[i*4+2] = (ctx.digest[i]>>8)&0xff;
-       output->data[i*4+3] = ctx.digest[i]&0xff;
+       store_32_be(ctx.digest[i], &output->data[i*4]);
     }
 
     return(0);
index 626443c8374fa0a6fdb5087d4efc43a31acda118..5e698cc5a655e894db8c7b0771b9a384cba4b01c 100644 (file)
@@ -65,7 +65,7 @@ void
 krb5int_c_free_keyblock(krb5_context context, register krb5_keyblock *val)
 {
     krb5int_c_free_keyblock_contents(context, val);
-    krb5_xfree(val);
+    free(val);
 }
 
 void 
@@ -73,7 +73,7 @@ krb5int_c_free_keyblock_contents(krb5_context context, register krb5_keyblock *k
 {
      if (key->contents) {
        krb5int_zap_data (key->contents, key->length);
-         krb5_xfree(key->contents);
+         free(key->contents);
          key->contents = 0;
      }
 }
index 0e46466f27ec613ed6d685003422217ffa13e870..04aa44757c1c54d2eae88c5b1b8964696773a5ab 100644 (file)
@@ -83,7 +83,7 @@ void KRB5_CALLCONV
 krb5_free_cksumtypes(krb5_context context, krb5_cksumtype *val)
 {
     if (val)
-       krb5_xfree(val);
+       free(val);
     return;
 }
 
index 53da03ad41d3b92ef2344e7790aead61325f967d..34ce67169e1ef9ec215547de957f563dbf5e898a 100644 (file)
@@ -1,7 +1,7 @@
 /*
  * lib/crypto/keyhash_provider/hmac_md5.c
  *
- * Copyright 2001 by the Massachusetts Institute of Technology.
+ * Copyright 2001, 2009 by the Massachusetts Institute of Technology.
  * All Rights Reserved.
  *
  * Export of this software from the United States of America may
@@ -65,10 +65,7 @@ k5_hmac_md5_hash (const krb5_keyblock *key, krb5_keyusage usage,
 
   krb5_MD5Init (&ctx);
   ms_usage = krb5int_arcfour_translate_usage (usage);
-  t[0] = (ms_usage) & 0xff;
-  t[1] = (ms_usage>>8) & 0xff;
-  t[2] = (ms_usage >>16) & 0xff;
-  t[3] = (ms_usage>>24) & 0XFF;
+  store_32_le(ms_usage, t);
   krb5_MD5Update (&ctx, (unsigned char * ) &t, 4);
   krb5_MD5Update (&ctx, (unsigned char *) input-> data,
                  (unsigned int) input->length );
@@ -116,10 +113,7 @@ k5_hmac_md5_hash_iov (const krb5_keyblock *key, krb5_keyusage usage,
 
   krb5_MD5Init (&ctx);
   ms_usage = krb5int_arcfour_translate_usage (usage);
-  t[0] = (ms_usage) & 0xff;
-  t[1] = (ms_usage>>8) & 0xff;
-  t[2] = (ms_usage >>16) & 0xff;
-  t[3] = (ms_usage>>24) & 0XFF;
+  store_32_le(ms_usage, t);
   krb5_MD5Update (&ctx, (unsigned char * ) &t, 4);
   for (i = 0; i < num_data; i++) {
     const krb5_crypto_iov *iov = &data[i];
@@ -148,4 +142,3 @@ const struct krb5_keyhash_provider krb5int_keyhash_hmac_md5 = {
   k5_hmac_md5_hash_iov,
   NULL  /*checksum  again */
 };
-
index e8aea745cc5f0cfa292fe54a7ceebf0896c638ee..d05b97f00d27959db2cac46c512c4f78e36dc8ec 100644 (file)
@@ -1,7 +1,7 @@
 /*
  * lib/crypto/keyhash_provider/md5_hmac.c
  *
- * Copyright2001 by the Massachusetts Institute of Technology.
+ * Copyright 2001, 2009 by the Massachusetts Institute of Technology.
  * All Rights Reserved.
  *
  * Export of this software from the United States of America may
@@ -45,11 +45,7 @@ k5_md5_hmac_hash (const krb5_keyblock *key, krb5_keyusage usage,
   krb5_MD5Init(&ctx);
 
   ms_usage = krb5int_arcfour_translate_usage (usage);
-  t[0] = (ms_usage >>  0) & 0xff;
-  t[1] = (ms_usage >>  8) & 0xff;
-  t[2] = (ms_usage >> 16) & 0xff;
-  t[3] = (ms_usage >> 24) & 0xff;
-
+  store_32_le(ms_usage, t);
   krb5_MD5Update(&ctx, t, sizeof(t));
   krb5_MD5Update(&ctx, (unsigned char *)input->data, input->length);
   krb5_MD5Final(&ctx);
index aaa739fe1e2d415767568f98d9dfe86c4c704bd8..ee4f03eb23e247864761694e92258b6be1327f1a 100644 (file)
   unsigned char *out2 = (void *)(tdigest); \
   HASH_CTX  *ctx = (x); \
   shsFinal(ctx); \
-for (loopvar=0; loopvar<(sizeof(ctx->digest)/sizeof(ctx->digest[0])); loopvar++) { \
-  out2[loopvar*4] = (ctx->digest[loopvar]>>24)&0xff; \
-  out2[loopvar*4+1] = (ctx->digest[loopvar]>>16)&0xff; \
-  out2[loopvar*4+2] = (ctx->digest[loopvar]>>8)&0xff; \
-  out2[loopvar*4+3] = ctx->digest[loopvar]&0xff; \
-} \
+  for (loopvar=0; loopvar<(sizeof(ctx->digest)/sizeof(ctx->digest[0])); loopvar++) \
+    store_32_be(ctx->digest[loopvar], &out2[loopvar*4]); \
   } while(0)
 
 
index b84f69e6a50f7510e8e868c4426d625c54c614c4..b684055c494338d534fa8eb2fba19871ff04d5fa 100644 (file)
@@ -59,27 +59,19 @@ typedef UINT64_TYPE gssint_uint64;
    things */
 
 #define TWRITE_INT(ptr, num, bigend)                                    \
-   (ptr)[0] = (char) ((bigend)?((num)>>24):((num)&0xff));               \
-   (ptr)[1] = (char) ((bigend)?(((num)>>16)&0xff):(((num)>>8)&0xff));   \
-   (ptr)[2] = (char) ((bigend)?(((num)>>8)&0xff):(((num)>>16)&0xff));   \
-   (ptr)[3] = (char) ((bigend)?((num)&0xff):((num)>>24));               \
+   if (bigend) store_32_be(num, ptr); else store_32_le(num, ptr);       \
    (ptr) += 4;
 
 #define TWRITE_INT16(ptr, num, bigend)                                  \
-   (ptr)[0] = (char) ((bigend)?((num)>>24):((num)&0xff));               \
-   (ptr)[1] = (char) ((bigend)?(((num)>>16)&0xff):(((num)>>8)&0xff));   \
+   if (bigend) store_16_be((num)>>16, ptr); else store_16_le(num, ptr); \
    (ptr) += 2;
 
-#define TREAD_INT(ptr, num, bigend)             \
-   (num) = (((ptr)[0]<<((bigend)?24: 0)) |      \
-            ((ptr)[1]<<((bigend)?16: 8)) |      \
-            ((ptr)[2]<<((bigend)? 8:16)) |      \
-            ((ptr)[3]<<((bigend)? 0:24)));      \
+#define TREAD_INT(ptr, num, bigend)                        \
+   (num) = ((bigend) ? load_32_be(ptr) : load_32_le(ptr)); \
    (ptr) += 4;
 
-#define TREAD_INT16(ptr, num, bigend)           \
-   (num) = (((ptr)[0]<<((bigend)?24: 0)) |      \
-            ((ptr)[1]<<((bigend)?16: 8)));      \
+#define TREAD_INT16(ptr, num, bigend)                              \
+   (num) = ((bigend) ? (load_16_be(ptr) << 16) : load_16_le(ptr)); \
    (ptr) += 2;
 
 #define TWRITE_STR(ptr, str, len)               \
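Review bot: `TWRITE_INT` and `TWRITE_INT16` now expand to a bare `if (bigend) ...; else ...;` followed by a second statement, so a use as the body of an unbraced `if`/`else` or loop would bind the caller's `else` to the macro's `if` and run the `(ptr) += N` increment unconditionally. Wrapping each macro body in `do { ... } while (0)` removes that hazard, and the yhash.h hunk in this commit already uses that form. `TREAD_INT16` keeps the old behaviour of placing the big-endian value in the upper half via `load_16_be(ptr) << 16`; a one-line comment such as `/* big-endian 16-bit values live in bits 31..16 of num */` would explain why the 16-bit variants shift by 16. Depending on the return type of load_16_be, which is not visible here, that shift may also be performed in signed int, so casting the operand to an unsigned 32-bit type first is worth considering.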
index aba8d81d6b98b4c6f6596019f847110153873b5e..bff1ab18581ebff3aada543a780d8e886835b389 100644 (file)
@@ -121,13 +121,11 @@ make_seal_token_v1 (krb5_context context,
     g_make_token_header(oid, 14+cksum_size+tmsglen, &ptr, toktype);
 
     /* 0..1 SIGN_ALG */
-    ptr[0] = signalg & 0xff;
-    ptr[1] = (signalg >> 8) & 0xff;
+    store_16_le(signalg, &ptr[0]);
 
     /* 2..3 SEAL_ALG or Filler */
     if ((toktype == KG_TOK_SEAL_MSG) && do_encrypt) {
-        ptr[2] = sealalg & 0xff;
-        ptr[3] = (sealalg >> 8) & 0xff;
+        store_16_le(sealalg, &ptr[2]);
     } else {
         /* No seal */
         ptr[2] = 0xff;
@@ -260,10 +258,7 @@ make_seal_token_v1 (krb5_context context,
             unsigned char bigend_seqnum[4];
             krb5_keyblock *enc_key;
             int i;
-            bigend_seqnum[0] = (*seqnum>>24) & 0xff;
-            bigend_seqnum[1] = (*seqnum>>16) & 0xff;
-            bigend_seqnum[2] = (*seqnum>>8) & 0xff;
-            bigend_seqnum[3] = *seqnum & 0xff;
+            store_32_be(seqnum, bigend_seqnum);
             code = krb5_copy_keyblock (context, enc, &enc_key);
             if (code)
             {
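Review bot: `store_32_be(seqnum, bigend_seqnum);` passes `seqnum` itself, while the four removed lines all read `*seqnum`. In make_seal_token_v1 `seqnum` therefore appears to be a pointer, and the new call would encode the (truncated) pointer value instead of the sequence number. The line should read `store_32_be(*seqnum, bigend_seqnum);`. The buffer is filled just before the `krb5_copy_keyblock` into `enc_key`, so it presumably feeds the per-message key setup, where a wrong value would produce tokens the peer cannot process and would put address bits into protocol data. The parameter declaration is outside this hunk, so confirm the type there. The matching k5unseal.c and k5unsealiov.c hunks removed lines that used `seqnum` without a dereference and look correct as written.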
index 1d0c57300d12aa056ba3800bb288d7cf8100de0a..f4354a9f3d613db71747dc9cc574264c4330f9b0 100644 (file)
@@ -2,7 +2,7 @@
 /*
  * lib/gssapi/krb5/k5sealiov.c
  *
- * Copyright 2008 by the Massachusetts Institute of Technology.
+ * Copyright 2008, 2009 by the Massachusetts Institute of Technology.
  * All Rights Reserved.
  *
  * Export of this software from the United States of America may
@@ -133,13 +133,11 @@ make_seal_token_v1_iov(krb5_context context,
     g_make_token_header(ctx->mech_used, 14 + ctx->cksum_size + tmsglen, &ptr, toktype);
 
     /* 0..1 SIGN_ALG */
-    ptr[0] = (ctx->signalg     ) & 0xFF;
-    ptr[1] = (ctx->signalg >> 8) & 0xFF;
+    store_16_le(ctx->signalg, &ptr[0]);
 
     /* 2..3 SEAL_ALG or Filler */
     if (toktype == KG_TOK_WRAP_MSG && conf_req_flag) {
-        ptr[2] = (ctx->sealalg     ) & 0xFF;
-        ptr[3] = (ctx->sealalg >> 8) & 0xFF;
+        store_16_le(ctx->sealalg, &ptr[2]);
     } else {
         /* No seal */
         ptr[2] = 0xFF;
@@ -226,10 +224,7 @@ make_seal_token_v1_iov(krb5_context context,
             krb5_keyblock *enc_key;
             size_t i;
 
-            bigend_seqnum[0] = (ctx->seq_send >> 24) & 0xFF;
-            bigend_seqnum[1] = (ctx->seq_send >> 16) & 0xFF;
-            bigend_seqnum[2] = (ctx->seq_send >> 8 ) & 0xFF;
-            bigend_seqnum[3] = (ctx->seq_send      ) & 0xFF;
+            store_32_be(ctx->seq_send, bigend_seqnum);
 
             code = krb5_copy_keyblock(context, ctx->enc, &enc_key);
             if (code != 0)
index d8542760dda5b8fa2b1e079f79974ded95e8661c..98904b62d7bf48445025a496ae5c566e66d96d8b 100644 (file)
@@ -52,7 +52,7 @@ gss_krb5int_make_seal_token_v3_iov(krb5_context context,
     unsigned char *tbuf = NULL;
     int key_usage;
     size_t rrc = 0;
-    size_t gss_headerlen, gss_trailerlen;
+    unsigned int  gss_headerlen, gss_trailerlen;
     krb5_keyblock *key;
     krb5_cksumtype cksumtype;
     size_t data_length, assoc_data_length;
@@ -130,21 +130,21 @@ gss_krb5int_make_seal_token_v3_iov(krb5_context context,
         }
 
         if (header->type & GSS_IOV_BUFFER_FLAG_ALLOCATE)
-            code = kg_allocate_iov(header, gss_headerlen);
+            code = kg_allocate_iov(header, (size_t) gss_headerlen);
         else if (header->buffer.length < gss_headerlen)
             code = KRB5_BAD_MSIZE;
         if (code != 0)
             goto cleanup;
-        header->buffer.length = gss_headerlen;
+        header->buffer.length = (size_t) gss_headerlen;
 
         if (trailer != NULL) {
             if (trailer->type & GSS_IOV_BUFFER_FLAG_ALLOCATE)
-                code = kg_allocate_iov(trailer, gss_trailerlen);
+                code = kg_allocate_iov(trailer, (size_t) gss_trailerlen);
             else if (trailer->buffer.length < gss_trailerlen)
                 code = KRB5_BAD_MSIZE;
             if (code != 0)
                 goto cleanup;
-            trailer->buffer.length = gss_trailerlen;
+            trailer->buffer.length = (size_t) gss_trailerlen;
         }
 
         /* TOK_ID */
@@ -199,21 +199,21 @@ gss_krb5int_make_seal_token_v3_iov(krb5_context context,
         }
 
         if (header->type & GSS_IOV_BUFFER_FLAG_ALLOCATE)
-            code = kg_allocate_iov(header, gss_headerlen);
+            code = kg_allocate_iov(header, (size_t) gss_headerlen);
         else if (header->buffer.length < gss_headerlen)
             code = KRB5_BAD_MSIZE;
         if (code != 0)
             goto cleanup;
-        header->buffer.length = gss_headerlen;
+        header->buffer.length = (size_t) gss_headerlen;
 
         if (trailer != NULL) {
             if (trailer->type & GSS_IOV_BUFFER_FLAG_ALLOCATE)
-                code = kg_allocate_iov(trailer, gss_trailerlen);
+                code = kg_allocate_iov(trailer, (size_t) gss_trailerlen);
             else if (trailer->buffer.length < gss_trailerlen)
                 code = KRB5_BAD_MSIZE;
             if (code != 0)
                 goto cleanup;
-            trailer->buffer.length = gss_trailerlen;
+            trailer->buffer.length = (size_t) gss_trailerlen;
         }
 
         /* TOK_ID */
index 8020b15f32b1188642e6755462b56631a0628236..f55180af86050823af1d3894786eb482ee181c28 100644 (file)
@@ -175,10 +175,7 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer,
                 unsigned char bigend_seqnum[4];
                 krb5_keyblock *enc_key;
                 int i;
-                bigend_seqnum[0] = (seqnum>>24) & 0xff;
-                bigend_seqnum[1] = (seqnum>>16) & 0xff;
-                bigend_seqnum[2] = (seqnum>>8) & 0xff;
-                bigend_seqnum[3] = seqnum & 0xff;
+                store_32_be(seqnum, bigend_seqnum);
                 code = krb5_copy_keyblock (context, ctx->enc, &enc_key);
                 if (code)
                 {
index 87a4b20f96b1a595241279194e4652ca1c49cd06..5d2bd1afa50b19d218edfe1b6fc3b3e662f38a4a 100644 (file)
@@ -2,7 +2,7 @@
 /*
  * lib/gssapi/krb5/k5unsealiov.c
  *
- * Copyright 2008 by the Massachusetts Institute of Technology.
+ * Copyright 2008, 2009 by the Massachusetts Institute of Technology.
  * All Rights Reserved.
  *
  * Export of this software from the United States of America may
@@ -151,10 +151,7 @@ kg_unseal_v1_iov(krb5_context context,
                 krb5_keyblock *enc_key;
                 size_t i;
 
-                bigend_seqnum[0] = (seqnum >> 24) & 0xFF;
-                bigend_seqnum[1] = (seqnum >> 16) & 0xFF;
-                bigend_seqnum[2] = (seqnum >> 8 ) & 0xFF;
-                bigend_seqnum[3] = (seqnum      ) & 0xFF;
+                store_32_be(seqnum, bigend_seqnum);
 
                 code = krb5_copy_keyblock(context, ctx->enc, &enc_key);
                 if (code != 0) {
index db38e9eaba85576a06ed2019d829de075922447a..a8558a594424d0f085b1eb714e08017aa9fed105 100644 (file)
@@ -317,10 +317,8 @@ kg_arcfour_docrypt (const krb5_keyblock *longterm_key , int ms_usage,
         memcpy(t, kg_arcfour_l40, sizeof(kg_arcfour_l40));
         i += sizeof(kg_arcfour_l40);
     }
-    t[i++] = ms_usage &0xff;
-    t[i++] = (ms_usage>>8) & 0xff;
-    t[i++] = (ms_usage>>16) & 0xff;
-    t[i++] = (ms_usage>>24) & 0xff;
+    store_32_le(ms_usage, &t[i]);
+    i += 4;
     input.data = (void *) &t;
     input.length = i;
     output.data = (void *) usage_key.contents;
@@ -684,10 +682,8 @@ kg_arcfour_docrypt_iov (krb5_context context,
         memcpy(t, kg_arcfour_l40, sizeof(kg_arcfour_l40));
         i += sizeof(kg_arcfour_l40);
     }
-    t[i++] = ms_usage &0xff;
-    t[i++] = (ms_usage>>8) & 0xff;
-    t[i++] = (ms_usage>>16) & 0xff;
-    t[i++] = (ms_usage>>24) & 0xff;
+    store_32_le(ms_usage, &t[i]);
+    i += 4;
     input.data = (void *) &t;
     input.length = i;
     output.data = (void *) usage_key.contents;
index 372cb62a9116dfa406831665d6d105e8e8133607..b91dd658c04adae37d1ee5bb0c35ee9c28beaf2d 100644 (file)
@@ -1,6 +1,6 @@
 /* -*- mode: c; indent-tabs-mode: nil -*- */
 /*
- * Copyright2001 by the Massachusetts Institute of Technology.
+ * Copyright 2001, 2009 by the Massachusetts Institute of Technology.
  * Copyright 1993 by OpenVision Technologies, Inc.
  *
  * Permission to use, copy, modify, distribute, and sell this software
@@ -47,10 +47,7 @@ kg_make_seq_num(context, key, direction, seqnum, cksum, buf)
     if (key->enctype == ENCTYPE_ARCFOUR_HMAC ||
         key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP) {
         /* Yes, Microsoft used big-endian sequence number.*/
-        plain[0] = (seqnum>>24) & 0xff;
-        plain[1] = (seqnum>>16) & 0xff;
-        plain[2] = (seqnum>>8) & 0xff;
-        plain[3] = seqnum & 0xff;
+        store_32_be(seqnum, plain);
         return kg_arcfour_docrypt (key, 0,
                                    cksum, 8,
                                    &plain[0], 8,
@@ -58,11 +55,7 @@ kg_make_seq_num(context, key, direction, seqnum, cksum, buf)
 
     }
 
-    plain[0] = (unsigned char) (seqnum&0xff);
-    plain[1] = (unsigned char) ((seqnum>>8)&0xff);
-    plain[2] = (unsigned char) ((seqnum>>16)&0xff);
-    plain[3] = (unsigned char) ((seqnum>>24)&0xff);
-
+    store_32_le(seqnum, plain);
     return(kg_encrypt(context, key, KG_USAGE_SEQ, cksum, plain, buf, 8));
 }
 
index 8b4070eb4f73e357b0787012e4c6b5a37664e588..5a8ea54b1e3b4d8c96c899a085d490e8a40701f2 100644 (file)
@@ -407,8 +407,8 @@ OM_uint32 gssint_export_internal_name(minor_status, mech_type,
 
     /* spec allows only 2 bytes for the mech oid length */
     mechOidLen = mechOidDERLen + mechOidTagLen + mech_type->length;
-    *buf++ = (mechOidLen & 0xFF00) >> 8;
-    *buf++ = (mechOidLen & 0x00FF);
+    store_16_be(mechOidLen, buf);
+    buf += 2;
 
     /*
      * DER Encoding of mech OID contains OID Tag (0x06), length and
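Review bot: `store_16_be(mechOidLen, buf);` still encodes `mechOidLen` into two bytes with no visible check that it fits, so a value above 0xFFFF is silently truncated just as the old mask-and-shift code did. The next hunk has the same pattern: `store_32_be(dispName.length, buf);` writes a 32-bit length, while the `memcpy(buf, dispName.value, dispName.length);` after it uses the full-width length. If no earlier range check exists (the start of gssint_export_internal_name is outside this hunk), an explicit guard before encoding, for example `if (mechOidLen > 0xFFFF) return GSS_S_FAILURE;`, would keep the encoded length fields and the copied data in agreement. It also needs to release whatever the function has allocated by that point, and `dispName.length` needs the equivalent 32-bit bound.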
@@ -427,10 +427,8 @@ OM_uint32 gssint_export_internal_name(minor_status, mech_type,
     buf += mech_type->length;
 
     /* spec designates the next 4 bytes for the name length */
-    *buf++ = (dispName.length & 0xFF000000) >> 24;
-    *buf++ = (dispName.length & 0x00FF0000) >> 16;
-    *buf++ = (dispName.length & 0x0000FF00) >> 8;
-    *buf++ = (dispName.length & 0X000000FF);
+    store_32_be(dispName.length, buf);
+    buf += 4;
 
     /* for the final ingredient - add the name from gss_display_name */
     (void) memcpy(buf, dispName.value, dispName.length);
index b2d05ad68adadf5289f65241ccf0d2fd2cead8df..cdf2f4dc8d9df90bd7b6311818547240331096d3 100644 (file)
@@ -283,6 +283,8 @@ typedef struct __krb5_realm_params {
     char *             realm_kdc_ports;
     char *             realm_kdc_tcp_ports;
     char *             realm_acl_file;
+    char *              realm_host_based_services;
+    char *              realm_no_host_referral;
     krb5_int32         realm_kadmind_port;
     krb5_enctype       realm_enctype;
     krb5_deltat                realm_max_life;
index 45f748d0f93366c1af1372987e84819898a1c76b..2d8ca15a9478cd7abe3b042c9f490d9a293c8ffd 100644 (file)
@@ -1,7 +1,7 @@
 /*
  * lib/kadm/alt_prof.c
  *
- * Copyright 1995,2001,2008 by the Massachusetts Institute of Technology.
+ * Copyright 1995,2001,2008,2009 by the Massachusetts Institute of Technology.
  * All Rights Reserved.
  *
  * Export of this software from the United States of America may
@@ -46,95 +46,95 @@ krb5_int32 len;
     krb5_key_salt_tuple *knew;    
 
     if((knew = (krb5_key_salt_tuple *)
-               malloc((len ) * sizeof(krb5_key_salt_tuple)))) {
+                malloc((len ) * sizeof(krb5_key_salt_tuple)))) {
          memcpy(knew, ksalt, len * sizeof(krb5_key_salt_tuple));
-        return knew;
+         return knew;
     }
     return 0;
 }
 
 /*
- * krb5_aprof_init()   - Initialize alternate profile context.
+ * krb5_aprof_init()        - Initialize alternate profile context.
  *
  * Parameters:
- *     fname           - default file name of the profile.
- *     envname         - environment variable name which can override fname.
- *     acontextp       - Pointer to opaque context for alternate profile.
+ *        fname                - default file name of the profile.
+ *        envname                - environment variable name which can override fname.
+ *        acontextp        - Pointer to opaque context for alternate profile.
  *
  * Returns:
- *     error codes from profile_init()
+ *        error codes from profile_init()
  */
 krb5_error_code
 krb5_aprof_init(fname, envname, acontextp)
-    char               *fname;
-    char               *envname;
-    krb5_pointer       *acontextp;
+    char                *fname;
+    char                *envname;
+    krb5_pointer        *acontextp;
 {
-    krb5_error_code    kret;
-    profile_t          profile;
-    const char *kdc_config;
-    char *profile_path;
-    char **filenames;
-    int i;
-    struct k5buf buf;
+    krb5_error_code kret;
+    profile_t       profile;
+    const char      *kdc_config;
+    char            *profile_path;
+    char            **filenames;
+    int             i;
+    struct          k5buf buf;
 
     kret = krb5_get_default_config_files (&filenames);
     if (kret)
-       return kret;
+        return kret;
     if (envname == NULL || (kdc_config = getenv(envname)) == NULL)
-       kdc_config = fname;
+        kdc_config = fname;
     krb5int_buf_init_dynamic(&buf);
     if (kdc_config)
-       krb5int_buf_add(&buf, kdc_config);
+        krb5int_buf_add(&buf, kdc_config);
     for (i = 0; filenames[i] != NULL; i++) {
-       if (krb5int_buf_len(&buf) > 0)
-           krb5int_buf_add(&buf, ":");
-       krb5int_buf_add(&buf, filenames[i]);
+        if (krb5int_buf_len(&buf) > 0)
+            krb5int_buf_add(&buf, ":");
+        krb5int_buf_add(&buf, filenames[i]);
     }
     krb5_free_config_files(filenames);
     profile_path = krb5int_buf_data(&buf);
     if (profile_path == NULL)
-       return ENOMEM;
+        return ENOMEM;
     profile = (profile_t) NULL;
     kret = profile_init_path(profile_path, &profile);
     free(profile_path);
     if (kret)
-       return kret;
+        return kret;
     *acontextp = profile;
     return 0;
 }
 
 /*
- * krb5_aprof_getvals()        - Get values from alternate profile.
+ * krb5_aprof_getvals()        - Get values from alternate profile.
  *
  * Parameters:
- *     acontext        - opaque context for alternate profile.
- *     hierarchy       - hierarchy of value to retrieve.
- *     retdata         - Returned data values.
+ *        acontext        - opaque context for alternate profile.
+ *        hierarchy        - hierarchy of value to retrieve.
+ *        retdata                - Returned data values.
  *
  * Returns:
- *     error codes from profile_get_values()
+ *         error codes from profile_get_values()
  */
 krb5_error_code
 krb5_aprof_getvals(acontext, hierarchy, retdata)
-    krb5_pointer       acontext;
-    const char         **hierarchy;
-    char               ***retdata;
+    krb5_pointer        acontext;
+    const char          **hierarchy;
+    char                ***retdata;
 {
     return(profile_get_values((profile_t) acontext,
-                             hierarchy,
-                             retdata));
+                              hierarchy,
+                              retdata));
 }
 
 /*
  * krb5_aprof_get_boolean()
  *
  * Parameters:
- *     acontext        - opaque context for alternate profile
- *     hierarchy       - hierarchy of value to retrieve
- *     retdata         - Returned data value
+ *        acontext        - opaque context for alternate profile
+ *        hierarchy        - hierarchy of value to retrieve
+ *        retdata                - Returned data value
  * Returns:
- *     error codes
+ *        error codes
  */
 
 static krb5_error_code
@@ -145,21 +145,21 @@ string_to_boolean (const char *string, krb5_boolean *out)
     unsigned int i;
 
     for (i = 0; i < sizeof(yes)/sizeof(yes[0]); i++)
-       if (!strcasecmp(string, yes[i])) {
-           *out = 1;
-           return 0;
-       }
+        if (!strcasecmp(string, yes[i])) {
+            *out = 1;
+            return 0;
+        }
     for (i = 0; i < sizeof(no)/sizeof(no[0]); i++)
-       if (!strcasecmp(string, no[i])) {
-           *out = 0;
-           return 0;
-       }
+        if (!strcasecmp(string, no[i])) {
+            *out = 0;
+            return 0;
+        }
     return PROF_BAD_BOOLEAN;
 }
 
 krb5_error_code
 krb5_aprof_get_boolean(krb5_pointer acontext, const char **hierarchy,
-                      int uselast, krb5_boolean *retdata)
+                       int uselast, krb5_boolean *retdata)
 {
     krb5_error_code kret;
     char **values;
@@ -169,164 +169,217 @@ krb5_aprof_get_boolean(krb5_pointer acontext, const char **hierarchy,
 
     kret = krb5_aprof_getvals (acontext, hierarchy, &values);
     if (kret)
-       return kret;
+        return kret;
     idx = 0;
     if (uselast) {
-       while (values[idx])
-           idx++;
-       idx--;
+        while (values[idx])
+            idx++;
+        idx--;
     }
     valp = values[idx];
     kret = string_to_boolean (valp, &val);
     profile_free_list(values);
     if (kret)
-       return kret;
+        return kret;
     *retdata = val;
     return 0;
 }
 
 /*
- * krb5_aprof_get_deltat()     - Get a delta time value from the alternate
- *                               profile.
+ * krb5_aprof_get_deltat()        - Get a delta time value from the alternate
+ *                                  profile.
  *
  * Parameters:
- *     acontext                - opaque context for alternate profile.
- *     hierarchy               - hierarchy of value to retrieve.
- *     uselast                 - if true, use last value, otherwise use
- *                               first value found.
- *     deltatp                 - returned delta time value.
+ *        acontext                 - opaque context for alternate profile.
+ *        hierarchy                - hierarchy of value to retrieve.
+ *        uselast                  - if true, use last value, otherwise use
+ *                                   first value found.
+ *        deltatp                  - returned delta time value.
  *
  * Returns:
- *     error codes from profile_get_values()
- *     error codes from krb5_string_to_deltat()
+ *         error codes from profile_get_values()
+ *        error codes from krb5_string_to_deltat()
  */
 krb5_error_code
 krb5_aprof_get_deltat(acontext, hierarchy, uselast, deltatp)
-    krb5_pointer       acontext;
-    const char         **hierarchy;
-    krb5_boolean       uselast;
-    krb5_deltat                *deltatp;
+    krb5_pointer        acontext;
+    const char          **hierarchy;
+    krb5_boolean        uselast;
+    krb5_deltat         *deltatp;
 {
-    krb5_error_code    kret;
-    char               **values;
-    char               *valp;
-    int                        idx;
+    krb5_error_code     kret;
+    char                **values;
+    char                *valp;
+    int                 idx;
 
     if (!(kret = krb5_aprof_getvals(acontext, hierarchy, &values))) {
-       idx = 0;
-       if (uselast) {
-           for (idx=0; values[idx]; idx++);
-           idx--;
-       }
-       valp = values[idx];
-       kret = krb5_string_to_deltat(valp, deltatp);
-
-       /* Free the string storage */
-       profile_free_list(values);
+        idx = 0;
+        if (uselast) {
+            for (idx=0; values[idx]; idx++);
+            idx--;
+        }
+        valp = values[idx];
+        kret = krb5_string_to_deltat(valp, deltatp);
+
+        /* Free the string storage */
+        profile_free_list(values);
     }
     return(kret);
 }
 
 /*
- * krb5_aprof_get_string()     - Get a string value from the alternate
- *                               profile.
+ * krb5_aprof_get_string()        - Get a string value from the alternate
+ *                                  profile.
  *
  * Parameters:
- *     acontext                - opaque context for alternate profile.
- *     hierarchy               - hierarchy of value to retrieve.
- *     uselast                 - if true, use last value, otherwise use
- *                               first value found.
- *     stringp                 - returned string value.
+ *        acontext                 - opaque context for alternate profile.
+ *        hierarchy                - hierarchy of value to retrieve.
+ *        uselast                  - if true, use last value, otherwise use
+ *                                   first value found.
+ *        stringp                  - returned string value.
  *
  * Returns:
- *     error codes from profile_get_values()
+ *         error codes from profile_get_values()
  */
 krb5_error_code
 krb5_aprof_get_string(acontext, hierarchy, uselast, stringp)
-    krb5_pointer       acontext;
-    const char         **hierarchy;
-    krb5_boolean       uselast;
-    char               **stringp;
+    krb5_pointer        acontext;
+    const char          **hierarchy;
+    krb5_boolean        uselast;
+    char                **stringp;
 {
-    krb5_error_code    kret;
-    char               **values;
-    int                        lastidx;
+    krb5_error_code     kret;
+    char                **values;
+    int                 lastidx;
 
     if (!(kret = krb5_aprof_getvals(acontext, hierarchy, &values))) {
-       for (lastidx=0; values[lastidx]; lastidx++);
-       lastidx--;
-
-       /* Excise the entry we want from the null-terminated list,
-          and free up the rest.  */
-       if (uselast) {
-           *stringp = values[lastidx];
-           values[lastidx] = NULL;
-       } else {
-           *stringp = values[0];
-           values[0] = values[lastidx];
-           values[lastidx] = NULL;
-       }
-
-       /* Free the string storage */
-       profile_free_list(values);
+        for (lastidx=0; values[lastidx]; lastidx++);
+        lastidx--;
+
+        /* Excise the entry we want from the null-terminated list,
+           and free up the rest.  */
+        if (uselast) {
+            *stringp = values[lastidx];
+            values[lastidx] = NULL;
+        } else {
+            *stringp = values[0];
+            values[0] = values[lastidx];
+            values[lastidx] = NULL;
+        }
+
+        /* Free the string storage */
+        profile_free_list(values);
     }
     return(kret);
 }
 
 /*
- * krb5_aprof_get_int32()      - Get a 32-bit integer value from the alternate
- *                               profile.
+ * krb5_aprof_get_string_all()  - When the attr identified by "hierarchy" is specified multiple times, 
+ *                                collect all its string values from the alternate  profile. 
+ *
+ * Parameters:
+ *        acontext                 - opaque context for alternate profile.
+ *        hierarchy                - hierarchy of value to retrieve.
+ *        stringp                  - Returned string value.
+ *
+ * Returns:
+ *         error codes from profile_get_values() or ENOMEM
+ *         Caller is responsible for deallocating stringp buffer
+ */
+krb5_error_code
+krb5_aprof_get_string_all(acontext, hierarchy, stringp)
+    krb5_pointer        acontext;
+    const char          **hierarchy;
+    char                **stringp;
+{
+    krb5_error_code     kret=0;
+    char                **values;
+    int                 lastidx;
+    char                *tmp;
+    size_t              buf_size=0; 
+    kret = krb5_aprof_getvals(acontext, hierarchy, &values);
+    if (!kret) {
+        for (lastidx=0; values[lastidx]; lastidx++);
+        lastidx--;
+         
+        buf_size = strlen(values[0])+2;
+        for (lastidx=1; values[lastidx]; lastidx++){
+            buf_size += strlen(values[lastidx]+1);
+         }
+    }
+    if (buf_size > 0) {
+        *stringp = calloc(1,buf_size);
+        if (stringp == NULL){
+            profile_free_list(values);
+            return ENOMEM;
+        }
+        tmp=*stringp;
+        strlcpy(tmp, values[0], buf_size);
+        for (lastidx=1; values[lastidx]; lastidx++){
+            tmp = strcat(tmp, " ");
+            tmp = strcat(tmp, values[lastidx]);
+         }
+        /* Free the string storage */
+        profile_free_list(values);
+    }
+    return(kret);
+} 
+
+
+/*
+ * krb5_aprof_get_int32()        - Get a 32-bit integer value from the alternate
+ *                                  profile.
  *
  * Parameters:
- *     acontext                - opaque context for alternate profile.
- *     hierarchy               - hierarchy of value to retrieve.
- *     uselast                 - if true, use last value, otherwise use
- *                               first value found.
- *     intp                    - returned 32-bit integer value.
+ *        acontext                 - opaque context for alternate profile.
+ *        hierarchy                - hierarchy of value to retrieve.
+ *        uselast                  - if true, use last value, otherwise use
+ *                                   first value found.
+ *        intp                     - returned 32-bit integer value.
  *
  * Returns:
- *     error codes from profile_get_values()
- *     EINVAL                  - value is not an integer
+ *        error codes from profile_get_values()
+ *        EINVAL                        - value is not an integer
  */
 krb5_error_code
 krb5_aprof_get_int32(acontext, hierarchy, uselast, intp)
-    krb5_pointer       acontext;
-    const char         **hierarchy;
-    krb5_boolean       uselast;
-    krb5_int32         *intp;
+    krb5_pointer        acontext;
+    const char          **hierarchy;
+    krb5_boolean        uselast;
+    krb5_int32          *intp;
 {
-    krb5_error_code    kret;
-    char               **values;
-    int                        idx;
+    krb5_error_code     kret;
+    char                **values;
+    int                 idx;
 
     if (!(kret = krb5_aprof_getvals(acontext, hierarchy, &values))) {
-       idx = 0;
-       if (uselast) {
-           for (idx=0; values[idx]; idx++);
-           idx--;
-       }
+        idx = 0;
+        if (uselast) {
+            for (idx=0; values[idx]; idx++);
+            idx--;
+        }
 
-       if (sscanf(values[idx], "%d", intp) != 1)
-           kret = EINVAL;
+        if (sscanf(values[idx], "%d", intp) != 1)
+            kret = EINVAL;
 
-       /* Free the string storage */
-       profile_free_list(values);
+        /* Free the string storage */
+        profile_free_list(values);
     }
     return(kret);
 }
 
 /*
- * krb5_aprof_finish() - Finish alternate profile context.
+ * krb5_aprof_finish()    - Finish alternate profile context.
  *
  * Parameter:
- *     acontext        - opaque context for alternate profile.
+ *        acontext        - opaque context for alternate profile.
  *
  * Returns:
- *     0 on success, something else on failure.
+ *        0 on success, something else on failure.
  */
 krb5_error_code
 krb5_aprof_finish(acontext)
-    krb5_pointer       acontext;
+    krb5_pointer        acontext;
 {
     profile_release(acontext);
     return(0);
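Review bot: In the new `krb5_aprof_get_string_all`, the sizing loop calls `strlen(values[lastidx]+1)`, which measures each extra value from its second character and so undercounts the space-plus-value that the later unbounded `strcat` calls append. As soon as the attribute has a second value the concatenation writes past the `calloc`ed buffer, and if a value can be empty the `+1` also reads past its terminator. The line should be `buf_size += strlen(values[lastidx]) + 1;`. The allocation check tests the wrong pointer: `if (stringp == NULL)` should be `if (*stringp == NULL)`, otherwise a failed `calloc` reaches `strlcpy` with a null destination. The first `for (lastidx=0; ...)` / `lastidx--` pair in the function is dead, since `lastidx` is reset to 1 before it is read.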
@@ -342,32 +395,32 @@ krb5_aprof_finish(acontext)
  */
 static int
 get_string_param(char **param_out, char *param_in,
-                long *mask_out, long mask_in, long mask_bit,
-                krb5_pointer aprofile,
-                const char **hierarchy,
-                const char *config_name,
-                const char *default_value)
+                 long *mask_out, long mask_in, long mask_bit,
+                 krb5_pointer aprofile,
+                 const char **hierarchy,
+                 const char *config_name,
+                 const char *default_value)
 {
     char *svalue;
 
     hierarchy[2] = config_name;
     if (mask_in & mask_bit) {
-       *param_out = strdup(param_in);
-       if (*param_out)
-           *mask_out |= mask_bit;
-       return 1;
+        *param_out = strdup(param_in);
+        if (*param_out)
+            *mask_out |= mask_bit;
+        return 1;
     } else if (aprofile &&
-              !krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) {
-       *param_out = svalue;
-       *mask_out |= mask_bit;
-       return 1;
+               !krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) {
+        *param_out = svalue;
+        *mask_out |= mask_bit;
+        return 1;
     } else if (default_value) {
-       *param_out = strdup(default_value);
-       if (*param_out)
-           *mask_out |= mask_bit;
-       return 1;
+        *param_out = strdup(default_value);
+        if (*param_out)
+            *mask_out |= mask_bit;
+        return 1;
     } else {
-       return 0;
+        return 0;
     }
 }
 /*
@@ -376,27 +429,27 @@ get_string_param(char **param_out, char *param_in,
  */
 static void
 get_port_param(int *param_out, int param_in,
-              long *mask_out, long mask_in, long mask_bit,
-              krb5_pointer aprofile,
-              const char **hierarchy,
-              const char *config_name,
-              int default_value)
+               long *mask_out, long mask_in, long mask_bit,
+               krb5_pointer aprofile,
+               const char **hierarchy,
+               const char *config_name,
+               int default_value)
 {
     krb5_int32 ivalue;
 
     if (! (*mask_out & mask_bit)) {
-       hierarchy[2] = config_name;
-       if (mask_in & mask_bit) {
-           *mask_out |= mask_bit;
-           *param_out = param_in;
-       } else if (aprofile &&
-                  !krb5_aprof_get_int32(aprofile, hierarchy, TRUE, &ivalue)) {
-           *param_out = ivalue;
-           *mask_out |= mask_bit;
-       } else if (default_value) {
-           *param_out = default_value;
-           *mask_out |= mask_bit;
-       }
+        hierarchy[2] = config_name;
+        if (mask_in & mask_bit) {
+            *mask_out |= mask_bit;
+            *param_out = param_in;
+        } else if (aprofile &&
+                   !krb5_aprof_get_int32(aprofile, hierarchy, TRUE, &ivalue)) {
+            *param_out = ivalue;
+            *mask_out |= mask_bit;
+        } else if (default_value) {
+            *param_out = default_value;
+            *mask_out |= mask_bit;
+        }
     }
 }
 /*
@@ -404,25 +457,25 @@ get_port_param(int *param_out, int param_in,
  */
 static void
 get_deltat_param(krb5_deltat *param_out, krb5_deltat param_in,
-                long *mask_out, long mask_in, long mask_bit,
-                krb5_pointer aprofile,
-                const char **hierarchy,
-                const char *config_name,
-                krb5_deltat default_value)
+                 long *mask_out, long mask_in, long mask_bit,
+                 krb5_pointer aprofile,
+                 const char **hierarchy,
+                 const char *config_name,
+                 krb5_deltat default_value)
 {
     krb5_deltat dtvalue;
 
     hierarchy[2] = config_name;
     if (mask_in & mask_bit) {
-       *mask_out |= mask_bit;
-       *param_out = param_in;
+        *mask_out |= mask_bit;
+        *param_out = param_in;
     } else if (aprofile &&
-              !krb5_aprof_get_deltat(aprofile, hierarchy, TRUE, &dtvalue)) {
-       *param_out = dtvalue;
-       *mask_out |= mask_bit;
+               !krb5_aprof_get_deltat(aprofile, hierarchy, TRUE, &dtvalue)) {
+        *param_out = dtvalue;
+        *mask_out |= mask_bit;
     } else {
-       *param_out = default_value;
-       *mask_out |= mask_bit;
+        *param_out = default_value;
+        *mask_out |= mask_bit;
     }
 }
 
@@ -434,13 +487,13 @@ get_deltat_param(krb5_deltat *param_out, krb5_deltat param_in,
  *
  * Arguments:
  *
- *     context         (r) krb5_context to use
- *     profile         (r) profile file to use
- *     envname         (r) envname that contains a profile name to
- *                     override profile
- *     params_in       (r) params structure containing user-supplied
- *                     values, or NULL
- *     params_out      (w) params structure to be filled in
+ *        context     (r) krb5_context to use
+ *        profile     (r) profile file to use
+ *        envname     (r) envname that contains a profile name to
+ *                        override profile
+ *        params_in   (r) params structure containing user-supplied
+ *                        values, or NULL
+ *        params_out  (w) params structure to be filled in
  *
  * Effects:
  *
@@ -455,21 +508,21 @@ get_deltat_param(krb5_deltat *param_out, krb5_deltat param_in,
  * versions, overwriting the old pointer value.
  */
 krb5_error_code kadm5_get_config_params(context, use_kdc_config,
-                                       params_in, params_out)
-   krb5_context                context;
-   int                 use_kdc_config;
-   kadm5_config_params *params_in, *params_out;
+                                        params_in, params_out)
+   krb5_context               context;
+   int                        use_kdc_config;
+   kadm5_config_params        *params_in, *params_out;
 {
-    char               *filename;
-    char               *envname;
-    char               *lrealm;
-    krb5_pointer       aprofile = 0;
-    const char         *hierarchy[4];
-    char               *svalue;
-    krb5_int32         ivalue;
+    char                *filename;
+    char                *envname;
+    char                *lrealm;
+    krb5_pointer        aprofile = 0;
+    const char          *hierarchy[4];
+    char                *svalue;
+    krb5_int32          ivalue;
     kadm5_config_params params, empty_params;
 
-    krb5_error_code    kret = 0;
+    krb5_error_code        kret = 0;
 
     memset((char *) &params, 0, sizeof(params));
     memset((char *) &empty_params, 0, sizeof(empty_params));
@@ -477,15 +530,15 @@ krb5_error_code kadm5_get_config_params(context, use_kdc_config,
     if (params_in == NULL) params_in = &empty_params;
 
     if (params_in->mask & KADM5_CONFIG_REALM) {
-        lrealm = params.realm = strdup(params_in->realm);
-        if (params.realm)
-             params.mask |= KADM5_CONFIG_REALM;
+         lrealm = params.realm = strdup(params_in->realm);
+         if (params.realm)
+              params.mask |= KADM5_CONFIG_REALM;
     } else {
-        kret = krb5_get_default_realm(context, &lrealm);
-        if (kret)
-             goto cleanup;
-        params.realm = lrealm;
-        params.mask |= KADM5_CONFIG_REALM;
+         kret = krb5_get_default_realm(context, &lrealm);
+         if (kret)
+              goto cleanup;
+         params.realm = lrealm;
+         params.mask |= KADM5_CONFIG_REALM;
     }
 
     if (params_in->mask & KADM5_CONFIG_KVNO) {
@@ -499,45 +552,45 @@ krb5_error_code kadm5_get_config_params(context, use_kdc_config,
      * defaults for NULL values.
      */
     if (use_kdc_config) {
-       filename = DEFAULT_KDC_PROFILE;
-       envname = KDC_PROFILE_ENV;
+        filename = DEFAULT_KDC_PROFILE;
+        envname = KDC_PROFILE_ENV;
     } else {
-       filename = DEFAULT_PROFILE_PATH;
-       envname = "KRB5_CONFIG";
+        filename = DEFAULT_PROFILE_PATH;
+        envname = "KRB5_CONFIG";
     }
     if (context->profile_secure == TRUE) envname = 0;
 
     kret = krb5_aprof_init(filename, envname, &aprofile);
     if (kret)
-           goto cleanup;
+            goto cleanup;
     
     /* Initialize realm parameters */
     hierarchy[0] = "realms";
     hierarchy[1] = lrealm;
     hierarchy[3] = (char *) NULL;
 
-#define GET_STRING_PARAM(FIELD, BIT, CONFTAG, DEFAULT)         \
-    get_string_param(&params.FIELD, params_in->FIELD,          \
-                    &params.mask, params_in->mask, BIT,        \
-                    aprofile, hierarchy, CONFTAG, DEFAULT)
+#define GET_STRING_PARAM(FIELD, BIT, CONFTAG, DEFAULT) \
+    get_string_param(&params.FIELD, params_in->FIELD,  \
+                     &params.mask, params_in->mask, BIT, \
+                     aprofile, hierarchy, CONFTAG, DEFAULT)
 
     /* Get the value for the admin server */
     GET_STRING_PARAM(admin_server, KADM5_CONFIG_ADMIN_SERVER, "admin_server",
-                    NULL);
+                     NULL);
 
     if (params.mask & KADM5_CONFIG_ADMIN_SERVER) {
-        char *p;
-        p = strchr(params.admin_server, ':');
-        if (p) {
-             params.kadmind_port = atoi(p+1);
-             params.mask |= KADM5_CONFIG_KADMIND_PORT;
-             *p = '\0';
-        }
+         char *p;
+         p = strchr(params.admin_server, ':');
+         if (p) {
+              params.kadmind_port = atoi(p+1);
+              params.mask |= KADM5_CONFIG_KADMIND_PORT;
+              *p = '\0';
+         }
     }
 
     /* Get the value for the database */
     GET_STRING_PARAM(dbname, KADM5_CONFIG_DBNAME, "database_name",
-                    DEFAULT_KDB_FILE);
+                     DEFAULT_KDB_FILE);
 
     params.admin_dbname_was_here = NULL;
     params.admin_lockfile_was_here = NULL;
@@ -545,133 +598,133 @@ krb5_error_code kadm5_get_config_params(context, use_kdc_config,
 
     /* Get the value for the admin (policy) database lock file*/
     if (!GET_STRING_PARAM(admin_keytab, KADM5_CONFIG_ADMIN_KEYTAB,
-                         "admin_keytab", NULL)) {
-       const char *s = getenv("KRB5_KTNAME");
-       if (s == NULL)
-           s = DEFAULT_KADM5_KEYTAB;
-       params.admin_keytab = strdup(s);
-       if (params.admin_keytab)
-           params.mask |= KADM5_CONFIG_ADMIN_KEYTAB;
+                          "admin_keytab", NULL)) {
+        const char *s = getenv("KRB5_KTNAME");
+        if (s == NULL)
+            s = DEFAULT_KADM5_KEYTAB;
+        params.admin_keytab = strdup(s);
+        if (params.admin_keytab)
+            params.mask |= KADM5_CONFIG_ADMIN_KEYTAB;
     }
     
     /* Get the name of the acl file */
     GET_STRING_PARAM(acl_file, KADM5_CONFIG_ACL_FILE, "acl_file",
-                    DEFAULT_KADM5_ACL_FILE);
+                     DEFAULT_KADM5_ACL_FILE);
 
     /* Get the name of the dict file */
     GET_STRING_PARAM(dict_file, KADM5_CONFIG_DICT_FILE, "dict_file", NULL);
 
-#define GET_PORT_PARAM(FIELD, BIT, CONFTAG, DEFAULT)           \
-    get_port_param(&params.FIELD, params_in->FIELD,            \
-                  &params.mask, params_in->mask, BIT,          \
-                  aprofile, hierarchy, CONFTAG, DEFAULT)
+#define GET_PORT_PARAM(FIELD, BIT, CONFTAG, DEFAULT) \
+    get_port_param(&params.FIELD, params_in->FIELD,  \
+                   &params.mask, params_in->mask, BIT, \
+                   aprofile, hierarchy, CONFTAG, DEFAULT)
     /* Get the value for the kadmind port */
     GET_PORT_PARAM(kadmind_port, KADM5_CONFIG_KADMIND_PORT,
-                  "kadmind_port", DEFAULT_KADM5_PORT);
+                   "kadmind_port", DEFAULT_KADM5_PORT);
 
     /* Get the value for the kpasswd port */
     GET_PORT_PARAM(kpasswd_port, KADM5_CONFIG_KPASSWD_PORT,
-                  "kpasswd_port", DEFAULT_KPASSWD_PORT);
+                   "kpasswd_port", DEFAULT_KPASSWD_PORT);
 
     /* Get the value for the master key name */
     GET_STRING_PARAM(mkey_name, KADM5_CONFIG_MKEY_NAME,
-                    "master_key_name", NULL);
+                     "master_key_name", NULL);
 
     /* Get the value for the master key type */
     hierarchy[2] = "master_key_type";
     if (params_in->mask & KADM5_CONFIG_ENCTYPE) {
-        params.mask |= KADM5_CONFIG_ENCTYPE;
-        params.enctype = params_in->enctype;
+         params.mask |= KADM5_CONFIG_ENCTYPE;
+         params.enctype = params_in->enctype;
     } else if (aprofile &&
-              !krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) {
-        if (!krb5_string_to_enctype(svalue, &params.enctype)) {
-             params.mask |= KADM5_CONFIG_ENCTYPE;
-             krb5_xfree(svalue);
-        }
+               !krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) {
+         if (!krb5_string_to_enctype(svalue, &params.enctype)) {
+              params.mask |= KADM5_CONFIG_ENCTYPE;
+              free(svalue);
+         }
     } else {
-        params.mask |= KADM5_CONFIG_ENCTYPE;
-        params.enctype = DEFAULT_KDC_ENCTYPE;
+         params.mask |= KADM5_CONFIG_ENCTYPE;
+         params.enctype = DEFAULT_KDC_ENCTYPE;
     }
     
     /* Get the value for mkey_from_kbd */
     if (params_in->mask & KADM5_CONFIG_MKEY_FROM_KBD) {
-        params.mask |= KADM5_CONFIG_MKEY_FROM_KBD;
-        params.mkey_from_kbd = params_in->mkey_from_kbd;
+         params.mask |= KADM5_CONFIG_MKEY_FROM_KBD;
+         params.mkey_from_kbd = params_in->mkey_from_kbd;
     }
     
     /* Get the value for the stashfile */
     GET_STRING_PARAM(stash_file, KADM5_CONFIG_STASH_FILE,
-                    "key_stash_file", NULL);
+                     "key_stash_file", NULL);
 
     /* Get the value for maximum ticket lifetime. */
-#define GET_DELTAT_PARAM(FIELD, BIT, CONFTAG, DEFAULT)         \
-    get_deltat_param(&params.FIELD, params_in->FIELD,          \
-                    &params.mask, params_in->mask, BIT,        \
-                    aprofile, hierarchy, CONFTAG, DEFAULT)
+#define GET_DELTAT_PARAM(FIELD, BIT, CONFTAG, DEFAULT) \
+    get_deltat_param(&params.FIELD, params_in->FIELD,  \
+                     &params.mask, params_in->mask, BIT, \
+                     aprofile, hierarchy, CONFTAG, DEFAULT)
 
     GET_DELTAT_PARAM(max_life, KADM5_CONFIG_MAX_LIFE, "max_life",
-                    24 * 60 * 60); /* 1 day */
+                     24 * 60 * 60); /* 1 day */
 
     /* Get the value for maximum renewable ticket lifetime. */
     GET_DELTAT_PARAM(max_rlife, KADM5_CONFIG_MAX_RLIFE, "max_renewable_life",
-                    0);
+                     0);
 
     /* Get the value for the default principal expiration */
     hierarchy[2] = "default_principal_expiration";
     if (params_in->mask & KADM5_CONFIG_EXPIRATION) {
-        params.mask |= KADM5_CONFIG_EXPIRATION;
-        params.expiration = params_in->expiration;
+         params.mask |= KADM5_CONFIG_EXPIRATION;
+         params.expiration = params_in->expiration;
     } else if (aprofile &&
-              !krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) {
-        if (!krb5_string_to_timestamp(svalue, &params.expiration)) {
-             params.mask |= KADM5_CONFIG_EXPIRATION;
-             krb5_xfree(svalue);
-        }
+               !krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) {
+         if (!krb5_string_to_timestamp(svalue, &params.expiration)) {
+              params.mask |= KADM5_CONFIG_EXPIRATION;
+              free(svalue);
+         }
     } else {
-        params.mask |= KADM5_CONFIG_EXPIRATION;
-        params.expiration = 0;
+         params.mask |= KADM5_CONFIG_EXPIRATION;
+         params.expiration = 0;
     }
     
     /* Get the value for the default principal flags */
     hierarchy[2] = "default_principal_flags";
     if (params_in->mask & KADM5_CONFIG_FLAGS) {
-        params.mask |= KADM5_CONFIG_FLAGS;
-        params.flags = params_in->flags;
+         params.mask |= KADM5_CONFIG_FLAGS;
+         params.flags = params_in->flags;
     } else if (aprofile &&
-              !krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) {
-        char *sp, *ep, *tp;
-        
-        sp = svalue;
-        params.flags = 0;
-        while (sp) {
-             if ((ep = strchr(sp, (int) ',')) ||
-                 (ep = strchr(sp, (int) ' ')) ||
-                 (ep = strchr(sp, (int) '\t'))) {
-                  /* Fill in trailing whitespace of sp */
-                  tp = ep - 1;
-                  while (isspace((int) *tp) && (tp > sp)) {
-                       *tp = '\0';
-                       tp--;
-                  }
-                  *ep = '\0';
-                  ep++;
-                  /* Skip over trailing whitespace of ep */
-                  while (isspace((int) *ep) && (*ep)) ep++;
-             }
-             /* Convert this flag */
-             if (krb5_string_to_flags(sp,
-                                      "+",
-                                      "-",
-                                      &params.flags))
-                  break;
-             sp = ep;
-        }
-        if (!sp)
-             params.mask |= KADM5_CONFIG_FLAGS;
-        krb5_xfree(svalue);
+               !krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) {
+         char *sp, *ep, *tp;
+         
+         sp = svalue;
+         params.flags = 0;
+         while (sp) {
+              if ((ep = strchr(sp, (int) ',')) ||
+                  (ep = strchr(sp, (int) ' ')) ||
+                  (ep = strchr(sp, (int) '\t'))) {
+                   /* Fill in trailing whitespace of sp */
+                   tp = ep - 1;
+                   while (isspace((int) *tp) && (tp > sp)) {
+                        *tp = '\0';
+                        tp--;
+                   }
+                   *ep = '\0';
+                   ep++;
+                   /* Skip over trailing whitespace of ep */
+                   while (isspace((int) *ep) && (*ep)) ep++;
+              }
+              /* Convert this flag */
+              if (krb5_string_to_flags(sp,
+                                       "+",
+                                       "-",
+                                       &params.flags))
+                   break;
+              sp = ep;
+         }
+         if (!sp)
+              params.mask |= KADM5_CONFIG_FLAGS;
+         free(svalue);
     } else {
-        params.mask |= KADM5_CONFIG_FLAGS;
-        params.flags = KRB5_KDB_DEF_FLAGS;
+         params.mask |= KADM5_CONFIG_FLAGS;
+         params.flags = KRB5_KDB_DEF_FLAGS;
     }
 
     /* Get the value for the supported enctype/salttype matrix */
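Review bot: `free(svalue)` in the `master_key_type` branch sits inside `if (!krb5_string_to_enctype(...))`, so the string handed back by `krb5_aprof_get_string` is released only when the conversion succeeds and is leaked on an unparsable value; the `default_principal_expiration` branch has the same shape. Moving the call after the inner `if`, as the `default_principal_flags` branch already does, closes both. In the flags loop, `while (isspace((int) *tp) && (tp > sp))` dereferences `tp` before the bounds test, so a value that begins with a separator reads the byte before `svalue`; `while (tp > sp && isspace((unsigned char) *tp))` keeps the read in bounds. `kadm5_get_config_params` begins and ends outside this hunk.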
@@ -679,130 +732,130 @@ krb5_error_code kadm5_get_config_params(context, use_kdc_config,
     if (params_in->mask & KADM5_CONFIG_ENCTYPES) {
          /* The following scenario is when the input keysalts are !NULL */
          if(params_in->keysalts) {
-              params.keysalts = copy_key_salt_tuple(params_in->keysalts, 
-                                                    params_in->num_keysalts);
-              if(params.keysalts) {
-                params.mask |= KADM5_CONFIG_ENCTYPES;
-                params.num_keysalts = params_in->num_keysalts;
-              }
-        } else {
-                params.mask |= KADM5_CONFIG_ENCTYPES;
-                params.keysalts = 0;
-                params.num_keysalts = params_in->num_keysalts;
-        }
+               params.keysalts = copy_key_salt_tuple(params_in->keysalts, 
+                                                     params_in->num_keysalts);
+               if(params.keysalts) {
+                 params.mask |= KADM5_CONFIG_ENCTYPES;
+                 params.num_keysalts = params_in->num_keysalts;
+               }
+         } else {
+                 params.mask |= KADM5_CONFIG_ENCTYPES;
+                 params.keysalts = 0;
+                 params.num_keysalts = params_in->num_keysalts;
+         }
     } else {
-        svalue = NULL;
-        if (aprofile)
-             krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue);
-        if (svalue == NULL)
-            svalue = strdup("des3-hmac-sha1:normal des-cbc-crc:normal");
-
-        params.keysalts = NULL;
-        params.num_keysalts = 0;
-        krb5_string_to_keysalts(svalue,
-                                ", \t",/* Tuple separators     */
-                                ":.-", /* Key/salt separators  */
-                                0,     /* No duplicates        */
-                                &params.keysalts,
-                                &params.num_keysalts);
-        if (params.num_keysalts)
-             params.mask |= KADM5_CONFIG_ENCTYPES;
-
-        krb5_xfree(svalue);
+         svalue = NULL;
+         if (aprofile)
+              krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue);
+         if (svalue == NULL)
+             svalue = strdup("des3-hmac-sha1:normal des-cbc-crc:normal");
+
+         params.keysalts = NULL;
+         params.num_keysalts = 0;
+         krb5_string_to_keysalts(svalue,
+                                 ", \t",/* Tuple separators */
+                                 ":.-",        /* Key/salt separators */
+                                 0,        /* No duplicates */
+                                 &params.keysalts,
+                                 &params.num_keysalts);
+         if (params.num_keysalts)
+              params.mask |= KADM5_CONFIG_ENCTYPES;
+
+         free(svalue);
     }
     
-       hierarchy[2] = "iprop_enable";
-
-       params.iprop_enabled = FALSE;
-       params.mask |= KADM5_CONFIG_IPROP_ENABLED;
-
-       if (params_in->mask & KADM5_CONFIG_IPROP_ENABLED) {
-               params.mask |= KADM5_CONFIG_IPROP_ENABLED;
-               params.iprop_enabled = params_in->iprop_enabled;
-       } else {
-               krb5_boolean bvalue;
-               if (aprofile &&
-                   !krb5_aprof_get_boolean(aprofile, hierarchy, TRUE, &bvalue)) {
-                   params.iprop_enabled = bvalue;
-                   params.mask |= KADM5_CONFIG_IPROP_ENABLED;
-               }
-       }
-
-       if (!GET_STRING_PARAM(iprop_logfile, KADM5_CONFIG_IPROP_LOGFILE,
-                             "iprop_logfile", NULL)) {
-           if (params.mask & KADM5_CONFIG_DBNAME) {
-               if (asprintf(&params.iprop_logfile, "%s.ulog", params.dbname) >= 0) {
-                   params.mask |= KADM5_CONFIG_IPROP_LOGFILE;
-               }
-           }
-       }
-
-       GET_PORT_PARAM(iprop_port, KADM5_CONFIG_IPROP_PORT,
-                      "iprop_port", 0);
-
-       hierarchy[2] = "iprop_master_ulogsize";
-
-       params.iprop_ulogsize = DEF_ULOGENTRIES;
-       params.mask |= KADM5_CONFIG_ULOG_SIZE;
-
-       if (params_in->mask & KADM5_CONFIG_ULOG_SIZE) {
-               params.mask |= KADM5_CONFIG_ULOG_SIZE;
-               params.iprop_ulogsize = params_in->iprop_ulogsize;
-       } else {
-               if (aprofile && !krb5_aprof_get_int32(aprofile, hierarchy,
-                   TRUE, &ivalue)) {
-                       if (ivalue > MAX_ULOGENTRIES)
-                               params.iprop_ulogsize = MAX_ULOGENTRIES;
-                       else if (ivalue <= 0)
-                               params.iprop_ulogsize = DEF_ULOGENTRIES;
-                       else
-                               params.iprop_ulogsize = ivalue;
-                       params.mask |= KADM5_CONFIG_ULOG_SIZE;
-               }
-       }
-
-       GET_DELTAT_PARAM(iprop_poll_time, KADM5_CONFIG_POLL_TIME,
-                        "iprop_slave_poll", 2 * 60); /* 2m */
+        hierarchy[2] = "iprop_enable";
+
+        params.iprop_enabled = FALSE;
+        params.mask |= KADM5_CONFIG_IPROP_ENABLED;
+
+        if (params_in->mask & KADM5_CONFIG_IPROP_ENABLED) {
+                params.mask |= KADM5_CONFIG_IPROP_ENABLED;
+                params.iprop_enabled = params_in->iprop_enabled;
+        } else {
+                krb5_boolean bvalue;
+                if (aprofile &&
+                    !krb5_aprof_get_boolean(aprofile, hierarchy, TRUE, &bvalue)) {
+                    params.iprop_enabled = bvalue;
+                    params.mask |= KADM5_CONFIG_IPROP_ENABLED;
+                }
+        }
+
+        if (!GET_STRING_PARAM(iprop_logfile, KADM5_CONFIG_IPROP_LOGFILE,
+                              "iprop_logfile", NULL)) {
+            if (params.mask & KADM5_CONFIG_DBNAME) {
+                if (asprintf(&params.iprop_logfile, "%s.ulog", params.dbname) >= 0) {
+                    params.mask |= KADM5_CONFIG_IPROP_LOGFILE;
+                }
+            }
+        }
+
+        GET_PORT_PARAM(iprop_port, KADM5_CONFIG_IPROP_PORT,
+                       "iprop_port", 0);
+
+        hierarchy[2] = "iprop_master_ulogsize";
+
+        params.iprop_ulogsize = DEF_ULOGENTRIES;
+        params.mask |= KADM5_CONFIG_ULOG_SIZE;
+
+        if (params_in->mask & KADM5_CONFIG_ULOG_SIZE) {
+                params.mask |= KADM5_CONFIG_ULOG_SIZE;
+                params.iprop_ulogsize = params_in->iprop_ulogsize;
+        } else {
+                if (aprofile && !krb5_aprof_get_int32(aprofile, hierarchy,
+                    TRUE, &ivalue)) {
+                        if (ivalue > MAX_ULOGENTRIES)
+                                params.iprop_ulogsize = MAX_ULOGENTRIES;
+                        else if (ivalue <= 0)
+                                params.iprop_ulogsize = DEF_ULOGENTRIES;
+                        else
+                                params.iprop_ulogsize = ivalue;
+                        params.mask |= KADM5_CONFIG_ULOG_SIZE;
+                }
+        }
+
+        GET_DELTAT_PARAM(iprop_poll_time, KADM5_CONFIG_POLL_TIME,
+                         "iprop_slave_poll", 2 * 60); /* 2m */
 
     *params_out = params;
     
 cleanup:
     if (aprofile)
-       krb5_aprof_finish(aprofile);
+        krb5_aprof_finish(aprofile);
     if (kret) {
-        kadm5_free_config_params(context, &params);
-        params_out->mask = 0;
+         kadm5_free_config_params(context, &params);
+         params_out->mask = 0;
     }
     return(kret);
 }
 /*
- * kadm5_free_config_params()  - Free data allocated by above.
+ * kadm5_free_config_params()        - Free data allocated by above.
  */
 krb5_error_code
 kadm5_free_config_params(context, params)
-    krb5_context       context;
-    kadm5_config_params        *params;
+    krb5_context        context;
+    kadm5_config_params        *params;
 {
     if (params) {
-       free(params->dbname);
-       free(params->mkey_name);
-       free(params->stash_file);
-       free(params->keysalts);
-       free(params->admin_server);
-       free(params->admin_keytab);
-       free(params->dict_file);
-       free(params->acl_file);
-       free(params->realm);
-       free(params->iprop_logfile);
+        free(params->dbname);
+        free(params->mkey_name);
+        free(params->stash_file);
+        free(params->keysalts);
+        free(params->admin_server);
+        free(params->admin_keytab);
+        free(params->dict_file);
+        free(params->acl_file);
+        free(params->realm);
+        free(params->iprop_logfile);
     }
     return(0);
 }
 
 krb5_error_code
 kadm5_get_admin_service_name(krb5_context ctx,
-                            char *realm_in,
-                            char *admin_name,
-                            size_t maxlen)
+                             char *realm_in,
+                             char *admin_name,
+                             size_t maxlen)
 {
     krb5_error_code ret;
     kadm5_config_params params_in, params_out;
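Review bot: The fallback `svalue = strdup("des3-hmac-sha1:normal des-cbc-crc:normal");` is not checked before `svalue` is passed to krb5_string_to_keysalts(), and that call's return value is dropped, so an allocation or parse failure surfaces only as KADM5_CONFIG_ENCTYPES being absent from `params.mask`. Whether krb5_string_to_keysalts() accepts a NULL string is not visible here; an explicit `if (svalue == NULL) { kret = ENOMEM; goto cleanup; }` after the strdup would report the failure to the caller through the existing `cleanup:` path. kadm5_get_config_params starts outside this hunk.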
@@ -815,21 +868,21 @@ kadm5_get_admin_service_name(krb5_context ctx,
     params_in.realm = realm_in;
     ret = kadm5_get_config_params(ctx, 0, &params_in, &params_out);
     if (ret)
-       return ret;
+        return ret;
 
     if (!(params_out.mask & KADM5_CONFIG_ADMIN_SERVER)) {
-       ret = KADM5_MISSING_KRB5_CONF_PARAMS;
-       goto err_params;
+        ret = KADM5_MISSING_KRB5_CONF_PARAMS;
+        goto err_params;
     }
 
     hp = gethostbyname(params_out.admin_server);
     if (hp == NULL) {
-       ret = errno;
-       goto err_params;
+        ret = errno;
+        goto err_params;
     }
     if (strlen(hp->h_name) + sizeof("kadmin/") > maxlen) {
-       ret = ENOMEM;
-       goto err_params;
+        ret = ENOMEM;
+        goto err_params;
     }
     snprintf(admin_name, maxlen, "kadmin/%s", hp->h_name);
 
@@ -844,30 +897,34 @@ err_params:
  ***********************************************************************/
 
 /*
- * krb5_read_realm_params()    - Read per-realm parameters from KDC
- *                               alternate profile.
+ * krb5_read_realm_params()       - Read per-realm parameters from KDC
+ *                                  alternate profile.
  */
 krb5_error_code
 krb5_read_realm_params(kcontext, realm, rparamp)
-    krb5_context       kcontext;
-    char               *realm;
-    krb5_realm_params  **rparamp;
+    krb5_context        kcontext;
+    char                *realm;
+    krb5_realm_params   **rparamp;
 {
-    char               *filename;
-    char               *envname;
-    char               *lrealm;
-    krb5_pointer       aprofile = 0;
-    krb5_realm_params  *rparams;
-    const char         *hierarchy[4];
-    char               *svalue;
-    krb5_int32         ivalue;
-    krb5_boolean       bvalue;
-    krb5_deltat                dtvalue;
-
-    char               *kdcprofile = 0;
-    char               *kdcenv = 0;
-
-    krb5_error_code    kret;
+    char                *filename;
+    char                *envname;
+    char                *lrealm;
+    krb5_pointer        aprofile = 0;
+    krb5_realm_params   *rparams;
+    const char          *hierarchy[4];
+    char                *svalue;
+    krb5_int32          ivalue;
+    krb5_boolean        bvalue;
+    krb5_deltat         dtvalue;
+
+    char                *kdcprofile = 0;
+    char                *kdcenv = 0;
+    char                *no_refrls = 0;
+    char                *host_based_srvcs = 0;
+         
+
+
+    krb5_error_code        kret;
 
     filename = (kdcprofile) ? kdcprofile : DEFAULT_KDC_PROFILE;
     envname = (kdcenv) ? kdcenv : KDC_PROFILE_ENV;
@@ -876,21 +933,21 @@ krb5_read_realm_params(kcontext, realm, rparamp)
 
     rparams = (krb5_realm_params *) NULL;
     if (realm)
-       lrealm = strdup(realm);
+        lrealm = strdup(realm);
     else {
-       kret = krb5_get_default_realm(kcontext, &lrealm);
-       if (kret)
-           goto cleanup;
+        kret = krb5_get_default_realm(kcontext, &lrealm);
+        if (kret)
+            goto cleanup;
     }
 
     kret = krb5_aprof_init(filename, envname, &aprofile);
     if (kret)
-       goto cleanup;
+        goto cleanup;
     
     rparams = (krb5_realm_params *) malloc(sizeof(krb5_realm_params));
     if (rparams == 0) {
-       kret = ENOMEM;
-       goto cleanup;
+        kret = ENOMEM;
+        goto cleanup;
     }
 
     /* Initialize realm parameters */
@@ -902,108 +959,128 @@ krb5_read_realm_params(kcontext, realm, rparamp)
     hierarchy[2] = "database_name";
     hierarchy[3] = (char *) NULL;
     if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue))
-       rparams->realm_dbname = svalue;
-       
+        rparams->realm_dbname = svalue;
+        
     /* Get the value for the KDC port list */
     hierarchy[2] = "kdc_ports";
     if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue))
-       rparams->realm_kdc_ports = svalue;
+        rparams->realm_kdc_ports = svalue;
     hierarchy[2] = "kdc_tcp_ports";
     if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue))
-       rparams->realm_kdc_tcp_ports = svalue;
+        rparams->realm_kdc_tcp_ports = svalue;
 
     /* Get the name of the acl file */
     hierarchy[2] = "acl_file";
     if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue))
-       rparams->realm_acl_file = svalue;
-           
+        rparams->realm_acl_file = svalue;
+            
     /* Get the value for the kadmind port */
     hierarchy[2] = "kadmind_port";
     if (!krb5_aprof_get_int32(aprofile, hierarchy, TRUE, &ivalue)) {
-       rparams->realm_kadmind_port = ivalue;
-       rparams->realm_kadmind_port_valid = 1;
+        rparams->realm_kadmind_port = ivalue;
+        rparams->realm_kadmind_port_valid = 1;
     }
-           
+            
     /* Get the value for the master key name */
     hierarchy[2] = "master_key_name";
     if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue))
-       rparams->realm_mkey_name = svalue;
-           
+        rparams->realm_mkey_name = svalue;
+            
     /* Get the value for the master key type */
     hierarchy[2] = "master_key_type";
     if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) {
-       if (!krb5_string_to_enctype(svalue, &rparams->realm_enctype))
-           rparams->realm_enctype_valid = 1;
-       krb5_xfree(svalue);
+        if (!krb5_string_to_enctype(svalue, &rparams->realm_enctype))
+            rparams->realm_enctype_valid = 1;
+        free(svalue);
     }
-           
+            
     /* Get the value for the stashfile */
     hierarchy[2] = "key_stash_file";
     if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue))
-       rparams->realm_stash_file = svalue;
-           
+        rparams->realm_stash_file = svalue;
+            
     /* Get the value for maximum ticket lifetime. */
     hierarchy[2] = "max_life";
     if (!krb5_aprof_get_deltat(aprofile, hierarchy, TRUE, &dtvalue)) {
-       rparams->realm_max_life = dtvalue;
-       rparams->realm_max_life_valid = 1;
+        rparams->realm_max_life = dtvalue;
+        rparams->realm_max_life_valid = 1;
     }
-           
+            
     /* Get the value for maximum renewable ticket lifetime. */
     hierarchy[2] = "max_renewable_life";
     if (!krb5_aprof_get_deltat(aprofile, hierarchy, TRUE, &dtvalue)) {
-       rparams->realm_max_rlife = dtvalue;
-       rparams->realm_max_rlife_valid = 1;
+        rparams->realm_max_rlife = dtvalue;
+        rparams->realm_max_rlife_valid = 1;
     }
-           
+            
     /* Get the value for the default principal expiration */
     hierarchy[2] = "default_principal_expiration";
     if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) {
-       if (!krb5_string_to_timestamp(svalue,
-                                     &rparams->realm_expiration))
-           rparams->realm_expiration_valid = 1;
-       krb5_xfree(svalue);
+        if (!krb5_string_to_timestamp(svalue,
+                                      &rparams->realm_expiration))
+            rparams->realm_expiration_valid = 1;
+        free(svalue);
     }
 
     hierarchy[2] = "reject_bad_transit";
     if (!krb5_aprof_get_boolean(aprofile, hierarchy, TRUE, &bvalue)) {
-       rparams->realm_reject_bad_transit = bvalue;
-       rparams->realm_reject_bad_transit_valid = 1;
+        rparams->realm_reject_bad_transit = bvalue;
+        rparams->realm_reject_bad_transit_valid = 1;
     }
 
+        hierarchy[2] = "no_host_referral";
+        if (!krb5_aprof_get_string_all(aprofile, hierarchy, &no_refrls)) {
+         
+            if (strchr(no_refrls, '*'))
+                no_refrls = strdup("*");
+            rparams->realm_no_host_referral = no_refrls;
+        } else
+            no_refrls = 0;
+
+          if (no_refrls == 0 || strlen(no_refrls) == 0 || strncmp(no_refrls, "*",1) != 0) {
+            hierarchy[2] = "host_based_services";
+              if (!krb5_aprof_get_string_all(aprofile, hierarchy, &host_based_srvcs)){
+                if (strchr(host_based_srvcs, '*'))
+                    host_based_srvcs = strdup("*");
+                rparams->realm_host_based_services = host_based_srvcs;
+            } else
+                host_based_srvcs = 0;
+        }
+
+
     /* Get the value for the default principal flags */
     hierarchy[2] = "default_principal_flags";
     if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) {
-       char *sp, *ep, *tp;
-
-       sp = svalue;
-       rparams->realm_flags = 0;
-       while (sp) {
-           if ((ep = strchr(sp, (int) ',')) ||
-               (ep = strchr(sp, (int) ' ')) ||
-               (ep = strchr(sp, (int) '\t'))) {
-               /* Fill in trailing whitespace of sp */
-               tp = ep - 1;
-               while (isspace((int) *tp) && (tp < sp)) {
-                   *tp = '\0';
-                   tp--;
-               }
-               *ep = '\0';
-               ep++;
-               /* Skip over trailing whitespace of ep */
-               while (isspace((int) *ep) && (*ep)) ep++;
-           }
-           /* Convert this flag */
-           if (krb5_string_to_flags(sp,
-                                    "+",
-                                    "-",
-                                    &rparams->realm_flags))
-               break;
-           sp = ep;
-       }
-       if (!sp)
-           rparams->realm_flags_valid = 1;
-       krb5_xfree(svalue);
+        char *sp, *ep, *tp;
+
+        sp = svalue;
+        rparams->realm_flags = 0;
+        while (sp) {
+            if ((ep = strchr(sp, (int) ',')) ||
+                (ep = strchr(sp, (int) ' ')) ||
+                (ep = strchr(sp, (int) '\t'))) {
+                /* Fill in trailing whitespace of sp */
+                tp = ep - 1;
+                while (isspace((int) *tp) && (tp < sp)) {
+                    *tp = '\0';
+                    tp--;
+                }
+                *ep = '\0';
+                ep++;
+                /* Skip over trailing whitespace of ep */
+                while (isspace((int) *ep) && (*ep)) ep++;
+            }
+            /* Convert this flag */
+            if (krb5_string_to_flags(sp,
+                                     "+",
+                                     "-",
+                                     &rparams->realm_flags))
+                break;
+            sp = ep;
+        }
+        if (!sp)
+            rparams->realm_flags_valid = 1;
+        free(svalue);
     }
 
     rparams->realm_keysalts = NULL;
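Review bot: The trimming loop `while (isspace((int) *tp) && (tp < sp))` in the default_principal_flags parser has its bound reversed. `tp` starts at `ep - 1`, so `tp < sp` holds only when the separator is the first character of the token; trailing whitespace is therefore never trimmed, and in that one case the loop reads, and may write a NUL, in front of `svalue`. The same loop in kadm5_get_config_params earlier in this file uses `tp > sp`; testing the bound first, `while ((tp > sp) && isspace((unsigned char) *tp)) {`, also stops the `ep == sp` case from dereferencing `sp - 1`. Separately, in the added `no_host_referral` and `host_based_services` blocks, `no_refrls = strdup("*")` and `host_based_srvcs = strdup("*")` overwrite the pointer returned by krb5_aprof_get_string_all() without freeing it; a `free(no_refrls);` (and `free(host_based_srvcs);`) before the reassignment would avoid the leak, assuming the returned string is heap-allocated, as krb5_free_realm_params treats it. krb5_read_realm_params starts and ends outside this hunk.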
@@ -1011,35 +1088,37 @@ krb5_read_realm_params(kcontext, realm, rparamp)
 
 cleanup:
     if (aprofile)
-       krb5_aprof_finish(aprofile);
+        krb5_aprof_finish(aprofile);
     free(lrealm);
     if (kret) {
-       if (rparams)
-           krb5_free_realm_params(kcontext, rparams);
-       rparams = 0;
+        if (rparams)
+            krb5_free_realm_params(kcontext, rparams);
+        rparams = 0;
     }
     *rparamp = rparams;
     return(kret);
 }
 
 /*
- * krb5_free_realm_params()    - Free data allocated by above.
+ * krb5_free_realm_params()        - Free data allocated by above.
  */
 krb5_error_code
 krb5_free_realm_params(kcontext, rparams)
-    krb5_context       kcontext;
-    krb5_realm_params  *rparams;
+    krb5_context        kcontext;
+    krb5_realm_params        *rparams;
 {
     if (rparams) {
-       krb5_xfree(rparams->realm_profile);
-       krb5_xfree(rparams->realm_dbname);
-       krb5_xfree(rparams->realm_mkey_name);
-       krb5_xfree(rparams->realm_stash_file);
-       krb5_xfree(rparams->realm_keysalts);
-       krb5_xfree(rparams->realm_kdc_ports);
-       krb5_xfree(rparams->realm_kdc_tcp_ports);
-       krb5_xfree(rparams->realm_acl_file);
-       krb5_xfree(rparams);
+        free(rparams->realm_profile);
+        free(rparams->realm_dbname);
+        free(rparams->realm_mkey_name);
+        free(rparams->realm_stash_file);
+        free(rparams->realm_keysalts);
+        free(rparams->realm_kdc_ports);
+        free(rparams->realm_kdc_tcp_ports);
+        free(rparams->realm_acl_file);
+        free(rparams->realm_no_host_referral);
+        free(rparams->realm_host_based_services);
+        free(rparams);
     }
     return(0);
 }
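Review bot: `free(lrealm)` under `cleanup:` can run on a pointer that was never assigned. `lrealm` is declared without an initializer, and the `goto cleanup` taken when krb5_get_default_realm() fails reaches this label with no other visible store to it. Unless that function is guaranteed to set its out-parameter on failure, the declaration should read `char *lrealm = NULL;`. The declaration and the failing call are in earlier hunks of krb5_read_realm_params, outside this one.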
index 3296d3bb0fc3f89986557267dba30cf2f873b792..444987130a7064b8e7c5cf0bf97c51b20f79fd86 100644 (file)
@@ -67,6 +67,7 @@ krb5_aprof_get_boolean
 krb5_aprof_get_deltat
 krb5_aprof_get_int32
 krb5_aprof_get_string
+krb5_aprof_get_string_all
 krb5_aprof_getvals
 krb5_aprof_init
 krb5_copy_key_data_contents
index c35d515217ceb3003cdef08cc833e11439989aee..3d60d7902fbe9ed543a2b5870fbe7950c9b6ea83 100644 (file)
@@ -327,7 +327,7 @@ krb5_string_to_keysalts(string, tupleseps, ksaltseps, dups, ksaltp, nksaltp)
                if (savep) {
                    memcpy(*ksaltp, savep,
                           len * sizeof(krb5_key_salt_tuple));
-                   krb5_xfree(savep);
+                   free(savep);
                }
 
                /* Save our values */
index 9ab66dfbf5c4daa4d5aa7963603f30df1fa0374f..a564c37b014bd0a41f6d2cfd0cc60247ac327bf5 100644 (file)
@@ -90,7 +90,7 @@ krb5_dbekd_def_decrypt_key_data( krb5_context           context,
 
        if ((retval = krb5_c_decrypt(context, mkey, 0 /* XXX */, 0,
                                     &cipher, &plain))) {
-           krb5_xfree(plain.data);
+           free(plain.data);
            return retval;
        }
 
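Review bot: `free(plain.data)` on this error path releases the decryption output buffer without clearing it. The next two hunks do the same on the `tmplen > plain.length` path, where krb5_c_decrypt() has already succeeded and the buffer holds key material decrypted with the master key, and for `dbkey->contents`. Clearing before release, `zap(plain.data, plain.length); free(plain.data);`, would match what krb5_def_verify_master_key does for `tempkey.contents` later in this commit. The same pattern shows up in `free(key.contents)` in add_key_pwd, the `errout` paths of krb5_fcc_read_keyblock and krb5_krcc_parse_keyblock, and the `cleanblock` label of krb5_krcc_parse_cred, which clears the ticket with memset() one label earlier but not the key block; each of those buffers appears to hold key bytes, though their fill sites are outside the hunks. krb5_dbekd_def_decrypt_key_data starts and ends outside this hunk.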
@@ -101,7 +101,7 @@ krb5_dbekd_def_decrypt_key_data( krb5_context         context,
           any better than that. */
 
        if (tmplen > plain.length) {
-           krb5_xfree(plain.data);
+           free(plain.data);
            return(KRB5_CRYPTO_INTERNAL);
        }
 
@@ -118,7 +118,7 @@ krb5_dbekd_def_decrypt_key_data( krb5_context         context,
            if ((keysalt->data.length = key_data->key_data_length[1])) {
                if (!(keysalt->data.data=(char *)malloc(keysalt->data.length))){
                    if (key_data->key_data_contents[0]) {
-                       krb5_xfree(dbkey->contents);
+                       free(dbkey->contents);
                        dbkey->contents = 0;
                        dbkey->length = 0;
                    }
index bf778ea858d3784a1b82a522731d6867e340ed92..0db1a029a4a3ba1b9b0e5b53e3d64f4eb36b2cb1 100644 (file)
@@ -79,7 +79,7 @@ krb5_dbekd_def_encrypt_key_data( krb5_context                   context,
 
     for (i = 0; i < key_data->key_data_ver; i++)
        if (key_data->key_data_contents[i])
-           krb5_xfree(key_data->key_data_contents[i]);
+           free(key_data->key_data_contents[i]);
 
     key_data->key_data_ver = 1;
     key_data->key_data_kvno = keyver;
@@ -110,7 +110,7 @@ krb5_dbekd_def_encrypt_key_data( krb5_context                 context,
 
     if ((retval = krb5_c_encrypt(context, mkey, /* XXX */ 0, 0,
                                 &plain, &cipher))) {
-       krb5_xfree(key_data->key_data_contents[0]);
+       free(key_data->key_data_contents[0]);
        return retval;
     }
 
@@ -123,7 +123,7 @@ krb5_dbekd_def_encrypt_key_data( krb5_context                 context,
                key_data->key_data_contents[1] =
                    (krb5_octet *)malloc(keysalt->data.length);
                if (key_data->key_data_contents[1] == NULL) {
-                   krb5_xfree(key_data->key_data_contents[0]);
+                   free(key_data->key_data_contents[0]);
                    return ENOMEM;
                }
                memcpy(key_data->key_data_contents[1], keysalt->data.data,
index 0f2c6a078ac107bf94194c62ae050b6b1d10e3b8..e3bb5095409ce76935573af316009233aa5e334a 100644 (file)
@@ -1720,7 +1720,7 @@ krb5_db_fetch_mkey(krb5_context    context,
         }
 
        if (!salt)
-           krb5_xfree(scratch.data);
+           free(scratch.data);
        zap(password, sizeof(password));        /* erase it */
 
     } else {
index de6a34d37747c40e9e8694c2dcb9c9fdc8aaf486..2062055d03d73fa26c33306c8fb38c0afaad8376 100644 (file)
@@ -414,7 +414,7 @@ add_key_pwd(context, master_key, ks_tuple, ks_tuple_count, passwd,
                return(retval);
 
            key_salt.data = *saltdata;
-           krb5_xfree(saltdata);
+           free(saltdata);
        }
                break;
        case KRB5_KDB_SALTTYPE_NOREALM:
@@ -440,7 +440,7 @@ add_key_pwd(context, master_key, ks_tuple, ks_tuple_count, passwd,
 
            key_salt.data = *saltdata;
            key_salt.data.length = SALT_TYPE_AFS_LENGTH; /*length actually used below...*/
-           krb5_xfree(saltdata);
+           free(saltdata);
 #else
            /* Why do we do this? Well, the afs_mit_string_to_key needs to
               use strlen, and the realm is not NULL terminated.... */
@@ -483,7 +483,7 @@ add_key_pwd(context, master_key, ks_tuple, ks_tuple_count, passwd,
                                             kvno, &tmp_key_data);
        if (key_salt.data.data)
            free(key_salt.data.data);
-       krb5_xfree(key.contents);
+       free(key.contents);
 
        if( retval )
            return retval;
index 7ad847c12987ee523c9762099a45efb965ba0fe0..c02778d9bb7a7bc28ecd0b8e5e4d8d2078979429 100644 (file)
@@ -472,7 +472,7 @@ krb5_def_verify_master_key(krb5_context    context,
     }
 
     zap((char *)tempkey.contents, tempkey.length);
-    krb5_xfree(tempkey.contents);
+    free(tempkey.contents);
     krb5_db_free_principal(context, &master_entry, nprinc);
     
     return retval;
index 7b241a13323271efbe92aaa4ca31048d6c9190a3..47626f15216ac7d0302a5ee9c8772e9f714f98cb 100644 (file)
@@ -92,7 +92,7 @@ krb5_ktkdb_close(context, kt)
    */
 
   kt->ops = NULL;
-  krb5_xfree(kt);
+  free(kt);
 
   return 0;
 }
index 035aff17eaec7c4f4eb96c0c3b1b5e5be0d0fe5a..cc3168c005394790ec4395df1a2a71f131cdea56 100644 (file)
@@ -1208,6 +1208,7 @@ asn1_error_code asn1_decode_pa_for_user(asn1buf *buf, krb5_pa_for_user *val)
 {
     setup();
     { begin_structure();
+       alloc_field(val->user, krb5_principal_data);
         get_field(val->user,0,asn1_decode_principal_name);
         get_field(val->user,1,asn1_decode_realm);
         get_field(val->cksum,2,asn1_decode_checksum);
index 71476d778818279f46bf3de4b6b1c99e9533d7d2..9e54d1bdd0e1cb90d6931b59efa11350ea8b794a 100644 (file)
@@ -530,7 +530,7 @@ krb5_fcc_read_principal(krb5_context context, krb5_ccache id, krb5_principal *pr
  errout:
     while(--i >= 0)
        free(krb5_princ_component(context, tmpprinc, i)->data);
-    krb5_xfree(krb5_princ_realm(context, tmpprinc)->data);
+    free(krb5_princ_realm(context, tmpprinc)->data);
     free((char *)tmpprinc->data);
     free((char *)tmpprinc);
     return kret;
@@ -628,7 +628,7 @@ krb5_fcc_read_keyblock(krb5_context context, krb5_ccache id, krb5_keyblock *keyb
      return KRB5_OK;
  errout:
      if (keyblock->contents) {
-        krb5_xfree(keyblock->contents);
+        free(keyblock->contents);
         keyblock->contents = NULL;
      }
      return kret;
@@ -669,7 +669,7 @@ krb5_fcc_read_data(krb5_context context, krb5_ccache id, krb5_data *data)
      return KRB5_OK;
  errout:
      if (data->data) {
-        krb5_xfree(data->data);
+        free(data->data);
         data->data = NULL;
      }
      return kret;
@@ -714,7 +714,7 @@ krb5_fcc_read_addr(krb5_context context, krb5_ccache id, krb5_address *addr)
      return KRB5_OK;
  errout:
      if (addr->contents) {
-        krb5_xfree(addr->contents);
+        free(addr->contents);
         addr->contents = NULL;
      }
      return kret;
@@ -898,7 +898,7 @@ krb5_fcc_read_authdatum(krb5_context context, krb5_ccache id, krb5_authdata *a)
      return KRB5_OK;
  errout:
      if (a->contents) {
-        krb5_xfree(a->contents);
+        free(a->contents);
         a->contents = NULL;
      }
      return kret;
@@ -1541,7 +1541,7 @@ static krb5_error_code KRB5_CALLCONV
 krb5_fcc_close(krb5_context context, krb5_ccache id)
 {
      dereference(context, (krb5_fcc_data *) id->data);
-     krb5_xfree(id);
+     free(id);
      return KRB5_OK;
 }
 
@@ -1676,7 +1676,7 @@ krb5_fcc_destroy(krb5_context context, krb5_ccache id)
   cleanup:
      k5_cc_mutex_unlock(context, &data->lock);
      dereference(context, data);
-     krb5_xfree(id);
+     free(id);
 
      krb5_change_cache ();
      return kret;
@@ -1828,7 +1828,7 @@ krb5_fcc_start_seq_get(krb5_context context, krb5_ccache id,
      if (OPENCLOSE(id)) {
           kret = krb5_fcc_open_file(context, id, FCC_OPEN_RDONLY);
           if (kret) {
-              krb5_xfree(fcursor);
+              free(fcursor);
              k5_cc_mutex_unlock(context, &data->lock);
               return kret;
           }
@@ -1837,12 +1837,12 @@ krb5_fcc_start_seq_get(krb5_context context, krb5_ccache id,
      /* Make sure we start reading right after the primary principal */
      kret = krb5_fcc_skip_header(context, id);
      if (kret) {
-         krb5_xfree(fcursor);
+         free(fcursor);
         goto done;
      }
      kret = krb5_fcc_skip_principal(context, id);
      if (kret) {
-         krb5_xfree(fcursor);
+         free(fcursor);
         goto done;
      }
 
@@ -1959,7 +1959,7 @@ krb5_fcc_end_seq_get(krb5_context context, krb5_ccache id, krb5_cc_cursor *curso
         and if not, fcc_start_seq_get and/or fcc_next_cred will do the
         MAYBE_CLOSE.
      MAYBE_CLOSE(context, id, kret); */
-     krb5_xfree((krb5_fcc_cursor *) *cursor);
+     free((krb5_fcc_cursor *) *cursor);
      return 0;
 }
 
index f2624ecca473395b72ea9b75f0a9ab21b4292351..528f43f0614695063078a954f3e41fe9c6bb93f2 100644 (file)
@@ -427,11 +427,11 @@ krb5_krcc_close(krb5_context context, krb5_ccache id)
 
     d = (krb5_krcc_data *) id->data;
 
-    krb5_xfree(d->name);
+    free(d->name);
     k5_cc_mutex_destroy(&d->lock);
-    krb5_xfree(d);
+    free(d);
 
-    krb5_xfree(id);
+    free(id);
 
     return KRB5_OK;
 }
@@ -498,7 +498,7 @@ krb5_krcc_destroy(krb5_context context, krb5_ccache id)
        return kret;
 
     krb5_krcc_clearcache(context, id);
-    krb5_xfree(d->name);
+    free(d->name);
     res = keyctl_unlink(d->ring_id, d->parent_id);
     if (res < 0) {
        kret = errno;
@@ -509,8 +509,8 @@ krb5_krcc_destroy(krb5_context context, krb5_ccache id)
 cleanup:
     k5_cc_mutex_unlock(context, &d->lock);
     k5_cc_mutex_destroy(&d->lock);
-    krb5_xfree(d);
-    krb5_xfree(id);
+    free(d);
+    free(id);
 
     krb5_change_cache();
 
@@ -811,14 +811,14 @@ krb5_krcc_new_data(const char *name, key_serial_t ring,
 
     kret = k5_cc_mutex_init(&d->lock);
     if (kret) {
-       krb5_xfree(d);
+       free(d);
        return kret;
     }
 
     d->name = strdup(name);
     if (d->name == NULL) {
        k5_cc_mutex_destroy(&d->lock);
-       krb5_xfree(d);
+       free(d);
        return KRB5_CC_NOMEM;
     }
     d->princ_id = 0;
@@ -917,7 +917,7 @@ krb5_krcc_generate_new(krb5_context context, krb5_ccache * id)
     kret = krb5_krcc_new_data(uniquename, key, ring_id, &d);
     k5_cc_mutex_unlock(context, &krb5int_krcc_mutex);
     if (kret) {
-       krb5_xfree(lid);
+       free(lid);
        return kret;
     }
     lid->data = d;
@@ -1339,13 +1339,13 @@ krb5_krcc_parse_cred(krb5_context context, krb5_ccache id, krb5_creds * creds,
 
   cleanticket:
     memset(creds->ticket.data, 0, (unsigned) creds->ticket.length);
-    krb5_xfree(creds->ticket.data);
+    free(creds->ticket.data);
   cleanauthdata:
     krb5_free_authdata(context, creds->authdata);
   cleanaddrs:
     krb5_free_addresses(context, creds->addresses);
   cleanblock:
-    krb5_xfree(creds->keyblock.contents);
+    free(creds->keyblock.contents);
   cleanserver:
     krb5_free_principal(context, creds->server);
   cleanclient:
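Review bot: At `cleanblock:` the session key bytes in `creds->keyblock.contents` are released without being cleared, although the ticket a few lines above is wiped with memset before its free. The key is the more sensitive of the two, so I would clear it first with `if (creds->keyblock.contents) zap(creds->keyblock.contents, creds->keyblock.length);` ahead of the `free`. The same applies to the `errout:` path of krb5_krcc_parse_keyblock and to `cleanblock:` in krb5int_copy_creds_contents later in this commit. The cleanup ladder starts and ends outside the hunk, so confirm that `keyblock.length` is always set by the time this label is reached.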
@@ -1414,7 +1414,7 @@ krb5_krcc_parse_principal(krb5_context context, krb5_ccache id,
   errout:
     while (--i >= 0)
        free(krb5_princ_component(context, tmpprinc, i)->data);
-    krb5_xfree(krb5_princ_realm(context, tmpprinc)->data);
+    free(krb5_princ_realm(context, tmpprinc)->data);
     free((char *) tmpprinc->data);
     free((char *) tmpprinc);
     return kret;
@@ -1456,7 +1456,7 @@ krb5_krcc_parse_keyblock(krb5_context context, krb5_ccache id,
     return KRB5_OK;
   errout:
     if (keyblock->contents)
-       krb5_xfree(keyblock->contents);
+       free(keyblock->contents);
     return kret;
 }
 
@@ -1523,7 +1523,7 @@ krb5_krcc_parse_krb5data(krb5_context context, krb5_ccache id,
     return KRB5_OK;
   errout:
     if (data->data)
-       krb5_xfree(data->data);
+       free(data->data);
     return kret;
 }
 
@@ -1632,7 +1632,7 @@ krb5_krcc_parse_addr(krb5_context context, krb5_ccache id, krb5_address * addr,
     return KRB5_OK;
   errout:
     if (addr->contents)
-       krb5_xfree(addr->contents);
+       free(addr->contents);
     return kret;
 }
 
@@ -1725,7 +1725,7 @@ krb5_krcc_parse_authdatum(krb5_context context, krb5_ccache id,
     return KRB5_OK;
   errout:
     if (a->contents)
-       krb5_xfree(a->contents);
+       free(a->contents);
     return kret;
 
 }
index cdddc58f504ac9e6b60495014e39158c943aa0a1..2cfd60a10c7718e7502cb79f86d9440f9d51e880 100644 (file)
@@ -179,7 +179,7 @@ krb5_mcc_initialize(krb5_context context, krb5_ccache id, krb5_principal princ)
 krb5_error_code KRB5_CALLCONV
 krb5_mcc_close(krb5_context context, krb5_ccache id)
 {
-     krb5_xfree(id);
+     free(id);
      return KRB5_OK;
 }
 
@@ -193,7 +193,7 @@ krb5_mcc_free(krb5_context context, krb5_ccache id)
     for (curr = d->link; curr;) {
        krb5_free_creds(context, curr->creds);
        next = curr->next;
-       krb5_xfree(curr);
+       free(curr);
        curr = next;
     }
     d->link = NULL;
@@ -234,11 +234,11 @@ krb5_mcc_destroy(krb5_context context, krb5_ccache id)
         return err;
 
     krb5_mcc_free(context, id);
-    krb5_xfree(d->name);
+    free(d->name);
     k5_cc_mutex_unlock(context, &d->lock);
     k5_cc_mutex_destroy(&d->lock);
-    krb5_xfree(d); 
-    krb5_xfree(id);
+    free(d); 
+    free(id);
 
     krb5_change_cache ();
     return KRB5_OK;
@@ -411,14 +411,14 @@ new_mcc_data (const char *name, krb5_mcc_data **dataptr)
         
     err = k5_cc_mutex_init(&d->lock);
     if (err) {
-       krb5_xfree(d);
+       free(d);
        return err;
     }
 
     d->name = strdup(name);
     if (d->name == NULL) {
        k5_cc_mutex_destroy(&d->lock);
-       krb5_xfree(d);
+       free(d);
        return KRB5_CC_NOMEM;
     }
     d->link = NULL;
@@ -501,7 +501,7 @@ krb5_mcc_generate_new (krb5_context context, krb5_ccache *id)
 
     k5_cc_mutex_unlock(context, &krb5int_mcc_mutex);
     if (err) {
-       krb5_xfree(lid);
+       free(lid);
        return err;
     }
     lid->data = d;
index 80c5b4832a3ca5dfc86d55aefd87049621520f72..db74828f35e56f98a5ee315499e52d3ce12178ae 100644 (file)
@@ -489,7 +489,7 @@ MSTicketToMITTicket(KERB_EXTERNAL_TICKET *msticket, krb5_context context, krb5_d
         return FALSE;
     
     memcpy(ticket, newdata, sizeof(krb5_data));
-    krb5_xfree(newdata);
+    free(newdata);
     return TRUE;
 }
 
@@ -2056,7 +2056,7 @@ krb5_lcc_resolve (krb5_context context, krb5_ccache *id, const char *residual)
 
     lid->data = (krb5_pointer) malloc(sizeof(krb5_lcc_data));
     if (lid->data == NULL) {
-        krb5_xfree(lid);
+        free(lid);
         CloseHandle(LogonHandle);
         return KRB5_CC_NOMEM;
     }
@@ -2069,8 +2069,8 @@ krb5_lcc_resolve (krb5_context context, krb5_ccache *id, const char *residual)
 
     data->cc_name = (char *)malloc(strlen(residual)+1);
     if (data->cc_name == NULL) {
-        krb5_xfree(lid->data);
-        krb5_xfree(lid);
+        free(lid->data);
+        free(lid);
         CloseHandle(LogonHandle);
         return KRB5_CC_NOMEM;
     }
@@ -2090,9 +2090,9 @@ krb5_lcc_resolve (krb5_context context, krb5_ccache *id, const char *residual)
             krb5_copy_principal(context, creds.client, &data->princ);
         krb5_free_cred_contents(context,&creds);
     } else if (!does_retrieve_ticket_cache_ticket()) {
-        krb5_xfree(data->cc_name);
-        krb5_xfree(lid->data);
-        krb5_xfree(lid);
+        free(data->cc_name);
+        free(lid->data);
+        free(lid);
         CloseHandle(LogonHandle);
         return KRB5_FCC_NOFILE;
     }
@@ -2169,9 +2169,9 @@ krb5_lcc_close(krb5_context context, krb5_ccache id)
 
         if (data) {
             CloseHandle(data->LogonHandle);
-            krb5_xfree(data);
+            free(data);
         }
-        krb5_xfree(id);
+        free(id);
     }
     return closeval;
 }
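Review bot: Inside the `if (data)` block only the logon handle is closed before `free(data)`, so `data->cc_name` and `data->princ` are not released here. krb5_lcc_resolve allocates the first with malloc and fills the second with krb5_copy_principal. Unless they are released elsewhere, each close leaks both; consider `free(data->cc_name);` and, if the field is initialised on every path, `krb5_free_principal(context, data->princ);` before `free(data);`. The function body starts outside the hunk.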
index 83fb264852eb115ae3d2ec83becd773e84c94107..2e33886a7e635095e14b4fe2a89bac40e5d5c03c 100644 (file)
@@ -210,21 +210,21 @@ ktfile_common_resolve(krb5_context context, const char *name,
     
     (*id)->ops = ops;
     if ((data = (krb5_ktfile_data *)malloc(sizeof(krb5_ktfile_data))) == NULL) {
-       krb5_xfree(*id);
+       free(*id);
        return(ENOMEM);
     }
 
     err = k5_mutex_init(&data->lock);
     if (err) {
-       krb5_xfree(data);
-       krb5_xfree(*id);
+       free(data);
+       free(*id);
        return err;
     }
 
     if ((data->name = strdup(name)) == NULL) {
        k5_mutex_destroy(&data->lock);
-       krb5_xfree(data);
-       krb5_xfree(*id);
+       free(data);
+       free(*id);
        return(ENOMEM);
     }
 
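Review bot: Each error path here does `free(*id)` and returns with `*id` still holding the freed address, so a caller that inspects or closes the handle after a failed resolve would touch freed memory. Adding `*id = NULL;` after each `free(*id);` makes that misuse fail safely. The same pattern appears in krb5_ktsrvtab_resolve (`free(*id)`) and krb5_generate_subkey_extended (`free(*subkey)`) later in this commit. The allocation of `*id` is above the hunk, so this assumes `id` is a caller-supplied output pointer, as the name suggests.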
@@ -259,12 +259,12 @@ krb5_ktfile_close(krb5_context context, krb5_keytab id)
    * This routine should undo anything done by krb5_ktfile_resolve().
    */
 {
-    krb5_xfree(KTFILENAME(id));
+    free(KTFILENAME(id));
     zap(KTFILEBUFP(id), BUFSIZ);
     k5_mutex_destroy(&((krb5_ktfile_data *)id->data)->lock);
-    krb5_xfree(id->data);
+    free(id->data);
     id->ops = 0;
-    krb5_xfree(id);
+    free(id);
     return (0);
 }
 
@@ -533,7 +533,7 @@ krb5_ktfile_end_get(krb5_context context, krb5_keytab id, krb5_kt_cursor *cursor
 {
     krb5_error_code kerror;
 
-    krb5_xfree(*cursor);
+    free(*cursor);
     kerror = KTLOCK(id);
     if (kerror)
        return kerror;
@@ -807,10 +807,10 @@ krb5_ktf_keytab_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octe
                if (kret) {
                    if (keytab->data) {
                        if (KTFILENAME(keytab))
-                           krb5_xfree(KTFILENAME(keytab));
-                       krb5_xfree(keytab->data);
+                           free(KTFILENAME(keytab));
+                       free(keytab->data);
                    }
-                   krb5_xfree(keytab);
+                   free(keytab);
                }
                else {
                    *buffer = bp;
index 53d15edd87fa7d56b9bd2a4b5853a2b016203d23..1f77171874a786c739124571c7bd49bf0e62ba10 100644 (file)
@@ -167,7 +167,7 @@ void krb5int_mkt_finalize(void) {
        next_node = node->next;
 
        /* destroy the contents of node->keytab */
-       krb5_xfree(KTNAME(node->keytab));
+       free(KTNAME(node->keytab));
 
        /* free the keytab entries */
        for (cursor = KTLINK(node->keytab); cursor; cursor = next_cursor) {
@@ -176,21 +176,21 @@ void krb5int_mkt_finalize(void) {
             * krb5_context since we know that the context isn't used by
             * krb5_kt_free_entry or krb5_free_principal. */
            krb5_kt_free_entry(NULL, cursor->entry);
-           krb5_xfree(cursor->entry);
-           krb5_xfree(cursor);
+           free(cursor->entry);
+           free(cursor);
        }
 
        /* destroy the lock */
        k5_mutex_destroy(&(((krb5_mkt_data *)node->keytab->data)->lock));
 
        /* free the private data */
-       krb5_xfree(node->keytab->data);
+       free(node->keytab->data);
 
        /* and the keytab */
-       krb5_xfree(node->keytab);
+       free(node->keytab);
 
        /* and finally the node */
-       krb5_xfree(node);
+       free(node);
     }
 }
 /*
@@ -230,15 +230,15 @@ krb5_mkt_resolve(krb5_context context, const char *name, krb5_keytab *id)
     }
 
     if ((list->keytab = (krb5_keytab)malloc(sizeof(struct _krb5_kt))) == NULL) {
-       krb5_xfree(list);
+       free(list);
        err = ENOMEM;
        goto done;      
     }
 
     list->keytab->ops = &krb5_mkt_ops;
     if ((data = (krb5_mkt_data *)malloc(sizeof(krb5_mkt_data))) == NULL) {
-       krb5_xfree(list->keytab);
-       krb5_xfree(list);
+       free(list->keytab);
+       free(list);
        err = ENOMEM;
        goto done;
     }
@@ -246,17 +246,17 @@ krb5_mkt_resolve(krb5_context context, const char *name, krb5_keytab *id)
 
     err = k5_mutex_init(&data->lock);
     if (err) {
-       krb5_xfree(data);
-       krb5_xfree(list->keytab);
-       krb5_xfree(list);
+       free(data);
+       free(list->keytab);
+       free(list);
        goto done;
     }
 
     if ((data->name = strdup(name)) == NULL) {
        k5_mutex_destroy(&data->lock);
-       krb5_xfree(data);
-       krb5_xfree(list->keytab);
-       krb5_xfree(list);
+       free(data);
+       free(list->keytab);
+       free(list);
        err = ENOMEM;
        goto done;
     }
@@ -276,11 +276,11 @@ krb5_mkt_resolve(krb5_context context, const char *name, krb5_keytab *id)
     if (err) {
        k5_mutex_destroy(&data->lock);
        if (data && data->name) 
-               krb5_xfree(data->name);
-       krb5_xfree(data);
+               free(data->name);
+       free(data);
        if (list && list->keytab)
-               krb5_xfree(list->keytab);
-       krb5_xfree(list);
+               free(list->keytab);
+       free(list);
     } else {
        KTREFCNT(*id)++;
        KTUNLOCK(*id);
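Review bot: `k5_mutex_destroy(&data->lock)` dereferences `data` one line before the `data && data->name` test, so that NULL check protects nothing: either it is dead code or the destroy call can fault. The earlier failure branches of krb5_mkt_resolve already free `data`, `list->keytab` and `list` before `goto done`. If `done:` leads into this block (the label is outside the hunk), those pointers would be freed a second time. I would wrap the cleanup in `if (data) {` ... `}` and either set the pointers to NULL in the earlier branches or make this block the only place that frees them.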
@@ -350,28 +350,28 @@ krb5_mkt_close(krb5_context context, krb5_keytab id)
        *listp = node->next;
 
        /* destroy the contents of node->keytab (aka id) */
-       krb5_xfree(data->name);
+       free(data->name);
 
        /* free the keytab entries */
        for (cursor = KTLINK(node->keytab); cursor; cursor = next_cursor) {
            next_cursor = cursor->next;
 
            krb5_kt_free_entry(context, cursor->entry);
-           krb5_xfree(cursor->entry);
-           krb5_xfree(cursor);
+           free(cursor->entry);
+           free(cursor);
        }
 
        /* destroy the lock */
        k5_mutex_destroy(&(data->lock));
 
        /* free the private data */
-       krb5_xfree(data);
+       free(data);
 
        /* and the keytab */
-       krb5_xfree(node->keytab);
+       free(node->keytab);
 
        /* and finally the node */
-       krb5_xfree(node);
+       free(node);
     }
 #endif /* HEIMDAL_COMPATIBLE */
 
@@ -567,7 +567,7 @@ krb5_mkt_add(krb5_context context, krb5_keytab id, krb5_keytab_entry *entry)
     }
     cursor->entry = (krb5_keytab_entry *)malloc(sizeof(krb5_keytab_entry));
     if (cursor->entry == NULL) {
-       krb5_xfree(cursor);
+       free(cursor);
        err = ENOMEM;
        goto done;
     }
@@ -577,16 +577,16 @@ krb5_mkt_add(krb5_context context, krb5_keytab id, krb5_keytab_entry *entry)
     err = krb5_copy_keyblock_contents(context, &(entry->key), 
                                      &(cursor->entry->key));
     if (err) {
-       krb5_xfree(cursor->entry);
-       krb5_xfree(cursor);
+       free(cursor->entry);
+       free(cursor);
        goto done;
     }
 
     err = krb5_copy_principal(context, entry->principal, &(cursor->entry->principal));
     if (err) {
        krb5_free_keyblock_contents(context, &(cursor->entry->key));
-       krb5_xfree(cursor->entry);
-       krb5_xfree(cursor);
+       free(cursor->entry);
+       free(cursor);
        goto done;
     }
 
@@ -635,9 +635,9 @@ krb5_mkt_remove(krb5_context context, krb5_keytab id, krb5_keytab_entry *entry)
     }
 
     krb5_kt_free_entry(context, (*pcursor)->entry);
-    krb5_xfree((*pcursor)->entry);
+    free((*pcursor)->entry);
     next = (*pcursor)->next;
-    krb5_xfree(*pcursor);
+    free(*pcursor);
     (*pcursor) = next;
 
   done:
index 4555ca33293b93e465fbfd1fde3380f5fd9c91c6..20ea3d755f19626031c65d6a9812abb20c2ed074 100644 (file)
@@ -123,14 +123,14 @@ krb5_ktsrvtab_resolve(krb5_context context, const char *name, krb5_keytab *id)
     (*id)->ops = &krb5_kts_ops;
     data = (krb5_ktsrvtab_data *)malloc(sizeof(krb5_ktsrvtab_data));
     if (data == NULL) {
-       krb5_xfree(*id);
+       free(*id);
        return(ENOMEM);
     }
 
     data->name = strdup(name);
     if (data->name == NULL) {
-       krb5_xfree(data);
-       krb5_xfree(*id);
+       free(data);
+       free(*id);
        return(ENOMEM);
     }
 
@@ -156,10 +156,10 @@ krb5_ktsrvtab_close(krb5_context context, krb5_keytab id)
    * This routine should undo anything done by krb5_ktsrvtab_resolve().
    */
 {
-    krb5_xfree(KTFILENAME(id));
-    krb5_xfree(id->data);
+    free(KTFILENAME(id));
+    free(id->data);
     id->ops = 0;
-    krb5_xfree(id);
+    free(id);
     return (0);
 }
 
@@ -307,7 +307,7 @@ krb5_ktsrvtab_get_next(krb5_context context, krb5_keytab id, krb5_keytab_entry *
 krb5_error_code KRB5_CALLCONV
 krb5_ktsrvtab_end_get(krb5_context context, krb5_keytab id, krb5_kt_cursor *cursor)
 {
-    krb5_xfree(*cursor);
+    free(*cursor);
     return krb5_ktsrvint_close(context, id);
 }
 
index e0462325464928be7c54d5cf43239ba797e14707..9587efc6364f09b3fd1d06b3b7bead0eca68d769 100644 (file)
@@ -39,7 +39,7 @@ krb5_free_keytab_entry_contents (krb5_context context, krb5_keytab_entry *entry)
     krb5_free_principal(context, entry->principal);
     if (entry->key.contents) {
        zap((char *)entry->key.contents, entry->key.length);
-       krb5_xfree(entry->key.contents);
+       free(entry->key.contents);
     }
     return 0;
 }
index 7af96403f291ddb93e30985e3a97a1949a4f5d9a..40b3d95d04fca6ad4f999ee1fdd3ec8261260ee8 100644 (file)
@@ -12,7 +12,7 @@ actx_copy_addr(krb5_context context, const krb5_address *inad, krb5_address **ou
        return ENOMEM;
     *tmpad = *inad;
     if (!(tmpad->contents = (krb5_octet *)malloc(inad->length))) {
-       krb5_xfree(tmpad);
+       free(tmpad);
        return ENOMEM;
     }
     memcpy((char *)tmpad->contents, (char *)inad->contents, inad->length);
@@ -63,7 +63,7 @@ krb5_auth_con_free(krb5_context context, krb5_auth_context auth_context)
     if (auth_context->rcache)
        krb5_rc_close(context, auth_context->rcache);
     if (auth_context->permitted_etypes)
-       krb5_xfree(auth_context->permitted_etypes);
+       free(auth_context->permitted_etypes);
     free(auth_context);
     return 0;
 }
@@ -336,7 +336,7 @@ krb5_auth_con_setpermetypes(krb5_context context, krb5_auth_context auth_context
        return(ENOMEM);
 
     if (auth_context->permitted_etypes)
-       krb5_xfree(auth_context->permitted_etypes);
+       free(auth_context->permitted_etypes);
 
     auth_context->permitted_etypes = newpe;
 
index c1e19ba17f30ff2807a7cda6fba497d9baa1f701..befa0eee4b84aecb2aaa4840ee25c789d3cd410c 100644 (file)
@@ -59,15 +59,15 @@ krb5_build_principal_ext(krb5_context context,  krb5_principal * princ,
        return ENOMEM;
     princ_ret = (krb5_principal) malloc(sizeof(krb5_principal_data));
     if (!princ_ret) {
-       krb5_xfree(princ_data);
+       free(princ_data);
        return ENOMEM;
     }
     princ_ret->data = princ_data;
     princ_ret->length = count;
     tmpdata = malloc(rlen+1);
     if (!tmpdata) {
-       krb5_xfree(princ_data);
-       krb5_xfree(princ_ret);
+       free(princ_data);
+       free(princ_ret);
        return ENOMEM;
     }  
     krb5_princ_set_realm_length(context, princ_ret, rlen);
@@ -94,10 +94,10 @@ krb5_build_principal_ext(krb5_context context,  krb5_principal * princ,
 
 free_out:
     while (--i >= 0)
-       krb5_xfree(princ_data[i].data);
-    krb5_xfree(princ_data);
-    krb5_xfree(princ_ret);
-    krb5_xfree(tmpdata);
+       free(princ_data[i].data);
+    free(princ_data);
+    free(princ_ret);
+    free(tmpdata);
     va_end(ap);
     return ENOMEM;
 }
index c7e996374cd620443d6d31c839f58dda76355ede..d3e0d294b69928653352d54942fc3652a88d2c35 100644 (file)
@@ -97,11 +97,11 @@ krb5int_build_principal_va(krb5_context context,
     
     if (data) {
         while (--count >= 0) {
-            krb5_xfree(data[count].data);
+            free(data[count].data);
         }
-        krb5_xfree(data);
+        free(data);
     }
-    krb5_xfree(r);
+    free(r);
     
     return retval;
 }
@@ -140,7 +140,7 @@ krb5int_build_principal_alloc_va(krb5_context context,
     if (!retval) {
        *princ = p;
     } else {
-        krb5_xfree(p);
+        free(p);
     }
     
     return retval;    
@@ -165,7 +165,7 @@ krb5_build_principal_alloc_va(krb5_context context,
     if (!retval) {
        *princ = p;
     } else {
-        krb5_xfree(p);
+        free(p);
     }
 
     return retval;
index 851a9ecdda6224db3c1ee9a03e5a3f5e2d621556..2e675a3912c9a1942eada0d3f71c214c0d1390d2 100644 (file)
@@ -43,8 +43,8 @@ krb5int_mk_chpw_req(krb5_context context,
 
     /* length */
 
-    *ptr++ = (packet->length>> 8) & 0xff;
-    *ptr++ = packet->length & 0xff;
+    store_16_be(packet->length, ptr);
+    ptr += 2;
 
     /* version == 0x0001 big-endian */
 
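Review bot: `store_16_be(packet->length, ptr)` writes only the low 16 bits of the length, as the masking it replaces did, and nothing in this hunk rejects a `packet->length` above 0xffff. If the length can exceed that, the header would disagree with the bytes that follow it. A guard such as `if (packet->length > 0xffff || ap_req->length > 0xffff)`, taking the function's own error exit, would make the limit explicit before the stores. The same holds for `ap_req->length` in the next hunk and for both stores in krb5int_mk_setpw_req; the buffer allocation and any existing bound are outside the hunk.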
@@ -53,8 +53,8 @@ krb5int_mk_chpw_req(krb5_context context,
 
     /* ap_req length, big-endian */
 
-    *ptr++ = (ap_req->length>>8) & 0xff;
-    *ptr++ = ap_req->length & 0xff;
+    store_16_be(ap_req->length, ptr);
+    ptr += 2;
 
     /* ap-req data */
 
@@ -225,7 +225,7 @@ krb5int_rd_chpw_rep(krb5_context context, krb5_auth_context auth_context,
 
 cleanup:
     if (ap_rep.length) {
-       krb5_xfree(clearresult.data);
+       free(clearresult.data);
     } else {
        krb5_free_error(context, krberror);
     }
@@ -306,14 +306,14 @@ krb5int_mk_setpw_req(krb5_context context,
     ** build the packet -
     */
     /* put in the length */
-    *ptr++ = (packet->length>>8) & 0xff;
-    *ptr++ = packet->length & 0xff;
+    store_16_be(packet->length, ptr);
+    ptr += 2;
     /* put in the version */
     *ptr++ = (char)0xff;
     *ptr++ = (char)0x80;
     /* the ap_req length is big endian */
-    *ptr++ = (ap_req->length>>8) & 0xff;
-    *ptr++ = ap_req->length & 0xff;
+    store_16_be(ap_req->length, ptr);
+    ptr += 2;
     /* put in the request data */
     memcpy(ptr, ap_req->data, ap_req->length);
     ptr += ap_req->length;
index 60c81151332fa83c70c4876910124c082927ee90..176b41e35045aec5a3ffb1eaaa76e0508b56d5f9 100644 (file)
@@ -334,7 +334,7 @@ krb5_425_conv_principal(krb5_context context, const char *name,
                              *cp = tolower((unsigned char) *cp);
                      strncat(buf, ".", sizeof(buf) - 1 - strlen(buf));
                      strncat(buf, domain, sizeof(buf) - 1 - strlen(buf));
-                     krb5_xfree(domain);
+                     free(domain);
                  }
                  instance = buf;
              }
index 28f19facc9c7fdc680f45957ec5e4426e00cce0f..f3f75c33b841176f29e01b426af9045087676cbd 100644 (file)
@@ -38,7 +38,7 @@ krb5_copy_addr(krb5_context context, const krb5_address *inad, krb5_address **ou
        return ENOMEM;
     *tmpad = *inad;
     if (!(tmpad->contents = (krb5_octet *)malloc(inad->length))) {
-       krb5_xfree(tmpad);
+       free(tmpad);
        return ENOMEM;
     }
     memcpy((char *)tmpad->contents, (char *)inad->contents, inad->length);
index 4d23c847010c339a9ef099653e60b170a3f61ce7..c356fbf78b4d5d224b3c691c925d90fad66d0828 100644 (file)
@@ -41,24 +41,24 @@ krb5_copy_authenticator(krb5_context context, const krb5_authenticator *authfrom
 
     retval = krb5_copy_principal(context, authfrom->client, &tempto->client);
     if (retval) {
-       krb5_xfree(tempto);
+       free(tempto);
        return retval;
     }
     
     if (authfrom->checksum &&
        (retval = krb5_copy_checksum(context, authfrom->checksum, &tempto->checksum))) {
            krb5_free_principal(context, tempto->client);    
-           krb5_xfree(tempto);
+           free(tempto);
            return retval;
     }
     
     if (authfrom->subkey) {
            retval = krb5_copy_keyblock(context, authfrom->subkey, &tempto->subkey);
            if (retval) {
-                   krb5_xfree(tempto->subkey);
+                   free(tempto->subkey);
                    krb5_free_checksum(context, tempto->checksum);
                    krb5_free_principal(context, tempto->client);    
-                   krb5_xfree(tempto);
+                   free(tempto);
                    return retval;
            }
     }
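Review bot: When krb5_copy_keyblock fails, `free(tempto->subkey)` releases whatever `tempto->subkey` held before the call, because krb5_copy_keyblock (see its hunk in this commit) returns without storing to its output on failure. If `tempto` was initialised by copying `*authfrom`, which would be above the hunk, this frees the caller's own subkey and the caller will free it again. That site should drop the free, or set `tempto->subkey = NULL` before the copy. In the next hunk the same call runs after a successful copy and releases only the keyblock struct, leaving the copied key bytes allocated and uncleared. There, `if (tempto->subkey) krb5_free_keyblock(context, tempto->subkey);` is the matching release.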
@@ -67,11 +67,11 @@ krb5_copy_authenticator(krb5_context context, const krb5_authenticator *authfrom
                retval = krb5_copy_authdata(context, authfrom->authorization_data,
                                    &tempto->authorization_data);
                if (retval) {
-                   krb5_xfree(tempto->subkey);
+                   free(tempto->subkey);
                    krb5_free_checksum(context, tempto->checksum);
                    krb5_free_principal(context, tempto->client);    
                    krb5_free_authdata(context, tempto->authorization_data);
-                   krb5_xfree(tempto);
+                   free(tempto);
                    return retval;
                }
     }
index cd27f72b52d8441ba796c99385ce767e9344f3a2..9a94cddedd0167825f4937c32eb05172159cc9d9 100644 (file)
@@ -65,7 +65,7 @@ krb5_copy_authdatum(krb5_context context, const krb5_authdata *inad, krb5_authda
        return ENOMEM;
     *tmpad = *inad;
     if (!(tmpad->contents = (krb5_octet *)malloc(inad->length))) {
-       krb5_xfree(tmpad);
+       free(tmpad);
        return ENOMEM;
     }
     memcpy((char *)tmpad->contents, (char *)inad->contents, inad->length);
index ce7eb7aa74d14d2e699f1cba7443b85ba52ddda9..2bff2c36eb0f94ee6e7b6af6ce42c15ecb76b822 100644 (file)
@@ -40,7 +40,7 @@ krb5_copy_checksum(krb5_context context, const krb5_checksum *ckfrom, krb5_check
 
     if (!(tempto->contents =
          (krb5_octet *)malloc(tempto->length))) {
-       krb5_xfree(tempto);
+       free(tempto);
        return ENOMEM;
     }
     memcpy((char *) tempto->contents, (char *) ckfrom->contents,
index f011a03ceceb600ae60e0fb9072339584d04fa4e..e6fece3839fc042d0946269e1c995b325033b5c6 100644 (file)
@@ -81,13 +81,13 @@ krb5int_copy_creds_contents(krb5_context context, const krb5_creds *incred,
     if (retval)
        goto cleanaddrs;
     tempcred->ticket = *scratch;
-    krb5_xfree(scratch);
+    free(scratch);
     retval = krb5_copy_data(context, &incred->second_ticket, &scratch);
     if (retval)
        goto clearticket;
 
     tempcred->second_ticket = *scratch;
-    krb5_xfree(scratch);
+    free(scratch);
 
     retval = krb5_copy_authdata(context, incred->authdata,&tempcred->authdata);
     if (retval)
@@ -104,7 +104,7 @@ krb5int_copy_creds_contents(krb5_context context, const krb5_creds *incred,
  cleanaddrs:
     krb5_free_addresses(context, tempcred->addresses);
  cleanblock:
-    krb5_xfree(tempcred->keyblock.contents);
+    free(tempcred->keyblock.contents);
  cleanserver:
     krb5_free_principal(context, tempcred->server);
  cleanclient:
index ab419f28abf2214450f490be0d8b9772a6afb41c..5ba90c6b907986914737a7dcd20581f9515d1462 100644 (file)
@@ -48,7 +48,7 @@ krb5_copy_data(krb5_context context, const krb5_data *indata, krb5_data **outdat
 
     retval = krb5int_copy_data_contents(context, indata, tempdata);
     if (retval) {
-       krb5_xfree(tempdata);
+       free(tempdata);
        return retval;
     }
 
index 1bb04c1993272b5d263fab9d51698041a30bb3f3..e7fc2772a139a6061c67ddcff15caaac2ecdfbdc 100644 (file)
@@ -41,7 +41,7 @@ krb5_copy_keyblock(krb5_context context, const krb5_keyblock *from, krb5_keybloc
                return ENOMEM;
        *new_key = *from;
        if (!(new_key->contents = (krb5_octet *)malloc(new_key->length))) {
-               krb5_xfree(new_key);
+               free(new_key);
                return(ENOMEM);
        }
        memcpy((char *)new_key->contents, (char *)from->contents,
index 43268e50f2e208d59c506002c95efc08723406c2..76d8bcfacee48901e686ef08b1b108375c5683e5 100644 (file)
@@ -41,13 +41,13 @@ krb5_copy_enc_tkt_part(krb5_context context, const krb5_enc_tkt_part *partfrom,
     retval = krb5_copy_keyblock(context, partfrom->session,
                                &tempto->session);
     if (retval) {
-       krb5_xfree(tempto);
+       free(tempto);
        return retval;
     }
     retval = krb5_copy_principal(context, partfrom->client, &tempto->client);
     if (retval) {
        krb5_free_keyblock(context, tempto->session);
-       krb5_xfree(tempto);
+       free(tempto);
        return retval;
     }
     tempto->transited = partfrom->transited;
@@ -59,7 +59,7 @@ krb5_copy_enc_tkt_part(krb5_context context, const krb5_enc_tkt_part *partfrom,
        if (!tempto->transited.tr_contents.data) {
            krb5_free_principal(context, tempto->client);
            krb5_free_keyblock(context, tempto->session);
-           krb5_xfree(tempto);
+           free(tempto);
            return ENOMEM;
        }
        memcpy((char *)tempto->transited.tr_contents.data,
@@ -69,10 +69,10 @@ krb5_copy_enc_tkt_part(krb5_context context, const krb5_enc_tkt_part *partfrom,
 
     retval = krb5_copy_addresses(context, partfrom->caddrs, &tempto->caddrs);
     if (retval) {
-       krb5_xfree(tempto->transited.tr_contents.data);
+       free(tempto->transited.tr_contents.data);
        krb5_free_principal(context, tempto->client);
        krb5_free_keyblock(context, tempto->session);
-       krb5_xfree(tempto);
+       free(tempto);
        return retval;
     }
     if (partfrom->authorization_data) {
@@ -80,10 +80,10 @@ krb5_copy_enc_tkt_part(krb5_context context, const krb5_enc_tkt_part *partfrom,
                                    &tempto->authorization_data);
        if (retval) {
            krb5_free_addresses(context, tempto->caddrs);
-           krb5_xfree(tempto->transited.tr_contents.data);
+           free(tempto->transited.tr_contents.data);
            krb5_free_principal(context, tempto->client);
            krb5_free_keyblock(context, tempto->session);
-           krb5_xfree(tempto);
+           free(tempto);
            return retval;
        }
     }
@@ -103,22 +103,22 @@ krb5_copy_ticket(krb5_context context, const krb5_ticket *from, krb5_ticket **pt
     *tempto = *from;
     retval = krb5_copy_principal(context, from->server, &tempto->server);
     if (retval) {
-       krb5_xfree(tempto);
+       free(tempto);
        return retval;
     }
     retval = krb5_copy_data(context, &from->enc_part.ciphertext, &scratch);
     if (retval) {
        krb5_free_principal(context, tempto->server);
-       krb5_xfree(tempto);
+       free(tempto);
        return retval;
     }
     tempto->enc_part.ciphertext = *scratch;
-    krb5_xfree(scratch);
+    free(scratch);
     retval = krb5_copy_enc_tkt_part(context, from->enc_part2, &tempto->enc_part2);
     if (retval) {
-       krb5_xfree(tempto->enc_part.ciphertext.data);
+       free(tempto->enc_part.ciphertext.data);
        krb5_free_principal(context, tempto->server);
-       krb5_xfree(tempto);
+       free(tempto);
        return retval;
     }  
     *pto = tempto;
index 7914d3f239532af2f3ec42196957e55da6897939..035c3a82179ba9e8fb1da0057bf4a2a1944021ba 100644 (file)
@@ -37,5 +37,5 @@ krb5_free_realm_tree(krb5_context context, krb5_principal *realms)
        krb5_free_principal(context, *nrealms);
        nrealms++;
     }
-    krb5_xfree(realms);
+    free(realms);
 }
index 2db2c9e00e06068d316bccc6c0f32b5d3e422a03..ccaef4d8816ef21af184ada8c02cd6bf280af53e 100644 (file)
@@ -181,7 +181,7 @@ retval = KRB5_FWD_BAD_PRINCIPAL;
            krb5_free_data(context, scratch);
     } else {
        *outbuf = *scratch;
-       krb5_xfree(scratch);
+       free(scratch);
     }
         
 errout:
index c73c6d529686b8645066eb2480b070ef9660b590..97e40bf3caf19935b28e0fb800d40968b214fdff 100644 (file)
@@ -57,7 +57,7 @@ krb5_kdcrep2creds(krb5_context context, krb5_kdc_rep *pkdcrep, krb5_address *con
     if ((retval = krb5_copy_data(context, psectkt, &pdata)))
        goto cleanup;
     (*ppcreds)->second_ticket = *pdata;
-    krb5_xfree(pdata);
+    free(pdata);
 
     (*ppcreds)->ticket_flags = pkdcrep->enc_part2->flags;
     (*ppcreds)->times = pkdcrep->enc_part2->times;
index 4d4e7be681b2854317c262b20e552e41d7fefe08..601ab739afd03c80bfc3efc755a57a95f49a2920 100644 (file)
@@ -56,7 +56,7 @@ krb5_generate_subkey_extended(krb5_context context,
        return(ENOMEM);
 
     if ((retval = krb5_c_make_random_key(context, enctype, *subkey))) {
-       krb5_xfree(*subkey);
+       free(*subkey);
        return(retval);
     }
 
index 6824a74b22ec98e1ed5d22c10e6c61e2262a68f7..fff8b903b85b9a68e29b9366df3c66f0b710c990 100644 (file)
@@ -128,7 +128,7 @@ krb5_get_credentials(krb5_context context, krb5_flags options,
     /* The caller is now responsible for cleaning up in_creds */
     if ((retval = krb5_cc_retrieve_cred(context, ccache, fields, &mcreds,
                                        ncreds))) {
-       krb5_xfree(ncreds);
+       free(ncreds);
        ncreds = in_creds;
     } else {
        *out_creds = ncreds;
@@ -311,7 +311,7 @@ krb5_validate_or_renew_creds(krb5_context context, krb5_creds *creds,
     /* ick.  copy the struct contents, free the container */
     if (out_creds) {
        *creds = *out_creds;
-       krb5_xfree(out_creds);
+       free(out_creds);
     }
 
 cleanup:
index 8a8a9b3c04eb8788e9c8adab9fbdc654697884e5..52d17e0bb0f3091557e030ea8146de07e732322c 100644 (file)
@@ -272,7 +272,7 @@ decrypt_as_reply(krb5_context               context,
     
        retval = (*key_proc)(context, as_reply->enc_part.enctype,
                             &salt, keyseed, &decrypt_key);
-       krb5_xfree(salt.data);
+       free(salt.data);
        if (retval)
            goto cleanup;
     }
@@ -409,7 +409,7 @@ stash_as_reply(krb5_context                 context,
        goto cleanup;
 
     creds->ticket = *packet;
-    krb5_xfree(packet);
+    free(packet);
 
     /* store it in the ccache! */
     if (ccache)
@@ -430,12 +430,12 @@ cleanup:
        if (creds->keyblock.contents) {
            memset((char *)creds->keyblock.contents, 0,
                   creds->keyblock.length);
-           krb5_xfree(creds->keyblock.contents);
+           free(creds->keyblock.contents);
            creds->keyblock.contents = 0;
            creds->keyblock.length = 0;
        }
        if (creds->ticket.data) {
-           krb5_xfree(creds->ticket.data);
+           free(creds->ticket.data);
            creds->ticket.data = 0;
        }
        if (creds->addresses) {
@@ -1489,7 +1489,7 @@ cleanup:
        krb5_free_keyblock_contents(context, &as_key);
     if (salt.data &&
        (!(options && (options->flags & KRB5_GET_INIT_CREDS_OPT_SALT))))
-       krb5_xfree(salt.data);
+       free(salt.data);
     krb5_free_data_contents(context, &s2kparams);
     if (as_reply)
        *as_reply = local_as_reply;
index 7e60b2d198c1e9e337a32a0197ff586990d0424e..923579487211358e89807d3587b11103ac3021d0 100644 (file)
@@ -69,7 +69,7 @@ krb5_get_as_key_keytab(
     /* again, krb5's memory management is lame... */
 
     *as_key = *kt_key;
-    krb5_xfree(kt_key);
+    free(kt_key);
 
     (void) krb5_kt_free_entry(context, &kt_ent);
 
index 716d3cc43405cb6d506ab7b4a4879ad63dafc518..4174f4e668f816c3d7f1348b516cc429aae48930 100644 (file)
@@ -76,7 +76,7 @@ krb5_get_as_key_password(
                                           params->data?params:NULL, as_key);
 
     if (defsalt.length)
-       krb5_xfree(defsalt.data);
+       free(defsalt.data);
 
     return(ret);
 }
@@ -274,7 +274,7 @@ krb5_get_init_creds_password(krb5_context context,
         /* the change succeeded.  go on */
 
         if (result_code == 0) {
-           krb5_xfree(result_string.data);
+           free(result_string.data);
            break;
         }
 
@@ -283,7 +283,7 @@ krb5_get_init_creds_password(krb5_context context,
         ret = KRB5_CHPW_FAIL;
 
         if (result_code != KRB5_KPASSWD_SOFTERROR) {
-           krb5_xfree(result_string.data);
+           free(result_string.data);
            goto cleanup;
         }
 
@@ -301,8 +301,8 @@ krb5_get_init_creds_password(krb5_context context,
                  (int) result_string.length,
                  result_string.data ? result_string.data : "");
 
-        krb5_xfree(code_string.data);
-        krb5_xfree(result_string.data);
+        free(code_string.data);
+        free(result_string.data);
       }
    }
 
index 9e5e192748c96c1c6312d2fa69358c139767d4a6..6bf20c5a940e09c3b4703ca228e8645eb501a21d 100644 (file)
@@ -59,8 +59,8 @@ void KRB5_CALLCONV
 krb5_free_address(krb5_context context, krb5_address *val)
 {
     if (val->contents)
-       krb5_xfree(val->contents);
-    krb5_xfree(val);
+       free(val->contents);
+    free(val);
 }
 
 void KRB5_CALLCONV
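Review bot: krb5_free_address dereferences `val` with no NULL check, so an error path that calls it on a pointer that was never allocated crashes inside cleanup. The krb5_free_sam_* and krb5_free_pa_* routines later in this same file already return early on NULL. Add `if (val == NULL) return;` at the top of this function and of the other free routines in these hunks that lack it (krb5_free_addresses, krb5_free_ap_rep, krb5_free_authdata, krb5_free_data, krb5_free_principal and so on), so the file has one convention. Now that these are plain `free()` calls, the inner guards such as `if (val->contents)` are redundant, since `free(NULL)` is a no-op.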
@@ -70,10 +70,10 @@ krb5_free_addresses(krb5_context context, krb5_address **val)
 
     for (temp = val; *temp; temp++) {
        if ((*temp)->contents)
-           krb5_xfree((*temp)->contents);
-       krb5_xfree(*temp);
+           free((*temp)->contents);
+       free(*temp);
     }
-    krb5_xfree(val);
+    free(val);
 }
 
 
@@ -81,8 +81,8 @@ void KRB5_CALLCONV
 krb5_free_ap_rep(krb5_context context, register krb5_ap_rep *val)
 {
     if (val->enc_part.ciphertext.data)
-       krb5_xfree(val->enc_part.ciphertext.data);
-    krb5_xfree(val);
+       free(val->enc_part.ciphertext.data);
+    free(val);
 }
 
 void KRB5_CALLCONV
@@ -91,8 +91,8 @@ krb5_free_ap_req(krb5_context context, register krb5_ap_req *val)
     if (val->ticket)
        krb5_free_ticket(context, val->ticket);
     if (val->authenticator.ciphertext.data)
-       krb5_xfree(val->authenticator.ciphertext.data);
-    krb5_xfree(val);
+       free(val->authenticator.ciphertext.data);
+    free(val);
 }
 
 void KRB5_CALLCONV
@@ -100,7 +100,7 @@ krb5_free_ap_rep_enc_part(krb5_context context, krb5_ap_rep_enc_part *val)
 {
     if (val->subkey)
        krb5_free_keyblock(context, val->subkey);
-    krb5_xfree(val);
+    free(val);
 }
 
 void KRB5_CALLCONV
@@ -131,31 +131,31 @@ krb5_free_authdata(krb5_context context, krb5_authdata **val)
 
     for (temp = val; *temp; temp++) {
        if ((*temp)->contents)
-           krb5_xfree((*temp)->contents);
-       krb5_xfree(*temp);
+           free((*temp)->contents);
+       free(*temp);
     }
-    krb5_xfree(val);
+    free(val);
 }
 
 void KRB5_CALLCONV
 krb5_free_authenticator(krb5_context context, krb5_authenticator *val)
 {
     krb5_free_authenticator_contents(context, val);
-    krb5_xfree(val);
+    free(val);
 }
 
 void KRB5_CALLCONV
 krb5_free_checksum(krb5_context context, register krb5_checksum *val)
 {
     krb5_free_checksum_contents(context, val);
-    krb5_xfree(val);
+    free(val);
 }
 
 void KRB5_CALLCONV
 krb5_free_checksum_contents(krb5_context context, register krb5_checksum *val)
 {
     if (val->contents) {
-       krb5_xfree(val->contents);
+       free(val->contents);
        val->contents = 0;
     }
 }
@@ -166,8 +166,8 @@ krb5_free_cred(krb5_context context, register krb5_cred *val)
     if (val->tickets)
         krb5_free_tickets(context, val->tickets);
     if (val->enc_part.ciphertext.data)
-       krb5_xfree(val->enc_part.ciphertext.data);
-    krb5_xfree(val);
+       free(val->enc_part.ciphertext.data);
+    free(val);
 }
 
 /*
@@ -188,15 +188,15 @@ krb5_free_cred_contents(krb5_context context, krb5_creds *val)
     }
     if (val->keyblock.contents) {
        memset((char *)val->keyblock.contents, 0, val->keyblock.length);
-       krb5_xfree(val->keyblock.contents);
+       free(val->keyblock.contents);
        val->keyblock.contents = 0;
     }
     if (val->ticket.data) {
-       krb5_xfree(val->ticket.data);
+       free(val->ticket.data);
        val->ticket.data = 0;
     }
     if (val->second_ticket.data) {
-       krb5_xfree(val->second_ticket.data);
+       free(val->second_ticket.data);
        val->second_ticket.data = 0;
     }
     if (val->addresses) {
@@ -233,9 +233,9 @@ krb5_free_cred_enc_part(krb5_context context, register krb5_cred_enc_part *val)
                krb5_free_principal(context, (*temp)->server);
            if ((*temp)->caddrs)
                krb5_free_addresses(context, (*temp)->caddrs);
-           krb5_xfree((*temp));
+           free((*temp));
        }
-       krb5_xfree(val->ticket_info);
+       free(val->ticket_info);
        val->ticket_info = 0;
     }
 }
@@ -245,7 +245,7 @@ void KRB5_CALLCONV
 krb5_free_creds(krb5_context context, krb5_creds *val)
 {
     krb5_free_cred_contents(context, val);
-    krb5_xfree(val);
+    free(val);
 }
 
 
@@ -253,15 +253,15 @@ void KRB5_CALLCONV
 krb5_free_data(krb5_context context, krb5_data *val)
 {
     if (val->data)
-       krb5_xfree(val->data);
-    krb5_xfree(val);
+       free(val->data);
+    free(val);
 }
 
 void KRB5_CALLCONV
 krb5_free_data_contents(krb5_context context, krb5_data *val)
 {
     if (val->data) {
-       krb5_xfree(val->data);
+       free(val->data);
        val->data = 0;
     }
 }
@@ -291,7 +291,7 @@ krb5_free_enc_kdc_rep_part(krb5_context context, register krb5_enc_kdc_rep_part
        krb5_free_principal(context, val->server);
     if (val->caddrs)
        krb5_free_addresses(context, val->caddrs);
-    krb5_xfree(val);
+    free(val);
 }
 
 void KRB5_CALLCONV
@@ -302,12 +302,12 @@ krb5_free_enc_tkt_part(krb5_context context, krb5_enc_tkt_part *val)
     if (val->client)
        krb5_free_principal(context, val->client);
     if (val->transited.tr_contents.data)
-       krb5_xfree(val->transited.tr_contents.data);
+       free(val->transited.tr_contents.data);
     if (val->caddrs)
        krb5_free_addresses(context, val->caddrs);
     if (val->authorization_data)
        krb5_free_authdata(context, val->authorization_data);
-    krb5_xfree(val);
+    free(val);
 }
 
 
@@ -319,10 +319,10 @@ krb5_free_error(krb5_context context, register krb5_error *val)
     if (val->server)
        krb5_free_principal(context, val->server);
     if (val->text.data)
-       krb5_xfree(val->text.data);
+       free(val->text.data);
     if (val->e_data.data)
-       krb5_xfree(val->e_data.data);
-    krb5_xfree(val);
+       free(val->e_data.data);
+    free(val);
 }
 
 void KRB5_CALLCONV
@@ -335,10 +335,10 @@ krb5_free_kdc_rep(krb5_context context, krb5_kdc_rep *val)
     if (val->ticket)
        krb5_free_ticket(context, val->ticket);
     if (val->enc_part.ciphertext.data)
-       krb5_xfree(val->enc_part.ciphertext.data);
+       free(val->enc_part.ciphertext.data);
     if (val->enc_part2)
        krb5_free_enc_kdc_rep_part(context, val->enc_part2);
-    krb5_xfree(val);
+    free(val);
 }
 
 
@@ -352,16 +352,16 @@ krb5_free_kdc_req(krb5_context context, krb5_kdc_req *val)
     if (val->server)
        krb5_free_principal(context, val->server);
     if (val->ktype)
-       krb5_xfree(val->ktype);
+       free(val->ktype);
     if (val->addresses)
        krb5_free_addresses(context, val->addresses);
     if (val->authorization_data.ciphertext.data)
-       krb5_xfree(val->authorization_data.ciphertext.data);
+       free(val->authorization_data.ciphertext.data);
     if (val->unenc_authdata)
        krb5_free_authdata(context, val->unenc_authdata);
     if (val->second_ticket)
        krb5_free_tickets(context, val->second_ticket);
-    krb5_xfree(val);
+    free(val);
 }
 
 void KRB5_CALLCONV
@@ -384,8 +384,8 @@ krb5_free_last_req(krb5_context context, krb5_last_req_entry **val)
     register krb5_last_req_entry **temp;
 
     for (temp = val; *temp; temp++)
-       krb5_xfree(*temp);
-    krb5_xfree(val);
+       free(*temp);
+    free(val);
 }
 
 void KRB5_CALLCONV
@@ -395,10 +395,10 @@ krb5_free_pa_data(krb5_context context, krb5_pa_data **val)
 
     for (temp = val; *temp; temp++) {
        if ((*temp)->contents)
-           krb5_xfree((*temp)->contents);
-       krb5_xfree(*temp);
+           free((*temp)->contents);
+       free(*temp);
     }
-    krb5_xfree(val);
+    free(val);
 }
 
 void KRB5_CALLCONV
@@ -413,31 +413,31 @@ krb5_free_principal(krb5_context context, krb5_principal val)
        i = krb5_princ_size(context, val);
        while(--i >= 0)
            free(krb5_princ_component(context, val, i)->data);
-       krb5_xfree(val->data);
+       free(val->data);
     }
     if (val->realm.data)
-       krb5_xfree(val->realm.data);
-    krb5_xfree(val);
+       free(val->realm.data);
+    free(val);
 }
 
 void KRB5_CALLCONV
 krb5_free_priv(krb5_context context, register krb5_priv *val)
 {
     if (val->enc_part.ciphertext.data)
-       krb5_xfree(val->enc_part.ciphertext.data);
-    krb5_xfree(val);
+       free(val->enc_part.ciphertext.data);
+    free(val);
 }
 
 void KRB5_CALLCONV
 krb5_free_priv_enc_part(krb5_context context, register krb5_priv_enc_part *val)
 {
     if (val->user_data.data)
-       krb5_xfree(val->user_data.data);
+       free(val->user_data.data);
     if (val->r_address)
        krb5_free_address(context, val->r_address);
     if (val->s_address)
        krb5_free_address(context, val->s_address);
-    krb5_xfree(val);
+    free(val);
 }
 
 void KRB5_CALLCONV
@@ -445,7 +445,7 @@ krb5_free_pwd_data(krb5_context context, krb5_pwd_data *val)
 {
     if (val->element)
        krb5_free_pwd_sequences(context, val->element);
-    krb5_xfree(val);
+    free(val);
 }
 
 
@@ -463,9 +463,9 @@ krb5_free_pwd_sequences(krb5_context context, passwd_phrase_element **val)
           krb5_free_data(context, (*temp)->phrase);
           (*temp)->phrase = 0;
        }
-       krb5_xfree(*temp);
+       free(*temp);
     }
-    krb5_xfree(val);
+    free(val);
 }
 
 
@@ -473,14 +473,14 @@ void KRB5_CALLCONV
 krb5_free_safe(krb5_context context, register krb5_safe *val)
 {
     if (val->user_data.data)
-       krb5_xfree(val->user_data.data);
+       free(val->user_data.data);
     if (val->r_address)
        krb5_free_address(context, val->r_address);
     if (val->s_address)
        krb5_free_address(context, val->s_address);
     if (val->checksum)
        krb5_free_checksum(context, val->checksum);
-    krb5_xfree(val);
+    free(val);
 }
 
 
@@ -490,10 +490,10 @@ krb5_free_ticket(krb5_context context, krb5_ticket *val)
     if (val->server)
        krb5_free_principal(context, val->server);
     if (val->enc_part.ciphertext.data)
-       krb5_xfree(val->enc_part.ciphertext.data);
+       free(val->enc_part.ciphertext.data);
     if (val->enc_part2)
        krb5_free_enc_tkt_part(context, val->enc_part2);
-    krb5_xfree(val);
+    free(val);
 }
 
 void KRB5_CALLCONV
@@ -503,7 +503,7 @@ krb5_free_tickets(krb5_context context, krb5_ticket **val)
 
     for (temp = val; *temp; temp++)
         krb5_free_ticket(context, *temp);
-    krb5_xfree(val);
+    free(val);
 }
 
 
@@ -513,7 +513,7 @@ krb5_free_tgt_creds(krb5_context context, krb5_creds **tgts)
     register krb5_creds **tgtpp;
     for (tgtpp = tgts; *tgtpp; tgtpp++)
        krb5_free_creds(context, *tgtpp);
-    krb5_xfree(tgts);
+    free(tgts);
 }
 
 void KRB5_CALLCONV
@@ -523,14 +523,14 @@ krb5_free_tkt_authent(krb5_context context, krb5_tkt_authent *val)
            krb5_free_ticket(context, val->ticket);
     if (val->authenticator)
            krb5_free_authenticator(context, val->authenticator);
-    krb5_xfree(val);
+    free(val);
 }
 
 void KRB5_CALLCONV
 krb5_free_unparsed_name(krb5_context context, char *val)
 {
     if (val)
-       krb5_xfree(val);
+       free(val);
 }
 
 void KRB5_CALLCONV
@@ -539,7 +539,7 @@ krb5_free_sam_challenge(krb5_context ctx, krb5_sam_challenge *sc)
     if (!sc)
        return;
     krb5_free_sam_challenge_contents(ctx, sc);
-    krb5_xfree(sc);
+    free(sc);
 }
 
 void KRB5_CALLCONV
@@ -548,7 +548,7 @@ krb5_free_sam_challenge_2(krb5_context ctx, krb5_sam_challenge_2 *sc2)
     if (!sc2)
        return;
     krb5_free_sam_challenge_2_contents(ctx, sc2);
-    krb5_xfree(sc2);
+    free(sc2);
 }
 
 void KRB5_CALLCONV
@@ -569,7 +569,7 @@ krb5_free_sam_challenge_contents(krb5_context ctx, krb5_sam_challenge *sc)
     if (sc->sam_pk_for_sad.data)
        krb5_free_data_contents(ctx, &sc->sam_pk_for_sad);
     if (sc->sam_cksum.contents) {
-       krb5_xfree(sc->sam_cksum.contents);
+       free(sc->sam_cksum.contents);
        sc->sam_cksum.contents = 0;
     }
 }
@@ -590,7 +590,7 @@ krb5_free_sam_challenge_2_contents(krb5_context ctx,
            krb5_free_checksum(ctx, *cksump);
            cksump++;
        }
-       krb5_xfree(sc2->sam_cksum);
+       free(sc2->sam_cksum);
        sc2->sam_cksum = 0;
     }
 }
@@ -602,7 +602,7 @@ krb5_free_sam_challenge_2_body(krb5_context ctx,
     if (!sc2)
        return;
     krb5_free_sam_challenge_2_body_contents(ctx, sc2);
-    krb5_xfree(sc2);
+    free(sc2);
 }
 
 void KRB5_CALLCONV
@@ -631,7 +631,7 @@ krb5_free_sam_response(krb5_context ctx, krb5_sam_response *sr)
     if (!sr)
        return;
     krb5_free_sam_response_contents(ctx, sr);
-    krb5_xfree(sr);
+    free(sr);
 }
 
 void KRB5_CALLCONV
@@ -640,7 +640,7 @@ krb5_free_sam_response_2(krb5_context ctx, krb5_sam_response_2 *sr2)
     if (!sr2)
        return;
     krb5_free_sam_response_2_contents(ctx, sr2);
-    krb5_xfree(sr2);
+    free(sr2);
 }
 
 void KRB5_CALLCONV
@@ -674,7 +674,7 @@ krb5_free_predicted_sam_response(krb5_context ctx,
     if (!psr)
        return;
     krb5_free_predicted_sam_response_contents(ctx, psr);
-    krb5_xfree(psr);
+    free(psr);
 }
 
 void KRB5_CALLCONV
@@ -700,7 +700,7 @@ krb5_free_enc_sam_response_enc(krb5_context ctx,
     if (!esre)
        return;
     krb5_free_enc_sam_response_enc_contents(ctx, esre);
-    krb5_xfree(esre);
+    free(esre);
 }
 
 void KRB5_CALLCONV 
@@ -710,7 +710,7 @@ krb5_free_enc_sam_response_enc_2(krb5_context ctx,
     if (!esre2)
        return;
     krb5_free_enc_sam_response_enc_2_contents(ctx, esre2);
-    krb5_xfree(esre2);
+    free(esre2);
 }
 
 void KRB5_CALLCONV
@@ -738,7 +738,7 @@ krb5_free_pa_enc_ts(krb5_context ctx, krb5_pa_enc_ts *pa_enc_ts)
 {
     if (!pa_enc_ts)
        return;
-    krb5_xfree(pa_enc_ts);
+    free(pa_enc_ts);
 }
 
 void KRB5_CALLCONV
@@ -752,7 +752,7 @@ krb5_free_pa_for_user(krb5_context context, krb5_pa_for_user *req)
     }
     krb5_free_checksum_contents(context, &req->cksum);
     krb5_free_data_contents(context, &req->auth_package);
-    krb5_xfree(req);
+    free(req);
 }
 
 void KRB5_CALLCONV
@@ -774,7 +774,7 @@ krb5_free_pa_server_referral_data(krb5_context context,
        ref->requested_principal_name = NULL;
     }
     krb5_free_checksum_contents(context, &ref->rep_cksum); 
-    krb5_xfree(ref);
+    free(ref);
 }
 
 void KRB5_CALLCONV
@@ -787,7 +787,7 @@ krb5_free_pa_svr_referral_data(krb5_context context,
        krb5_free_principal(context, ref->principal);
        ref->principal = NULL;
     } 
-    krb5_xfree(ref);
+    free(ref);
 }
 
 void KRB5_CALLCONV
@@ -796,7 +796,7 @@ krb5_free_pa_pac_req(krb5_context context,
 {
     if (req == NULL)
        return;
-    krb5_xfree(req);
+    free(req);
 }
 
 void KRB5_CALLCONV
@@ -805,7 +805,7 @@ krb5_free_etype_list(krb5_context context,
 {
     if (etypes != NULL) {
        if (etypes->etypes != NULL)
-           krb5_xfree(etypes->etypes);
-       krb5_xfree(etypes);
+           free(etypes->etypes);
+       free(etypes);
     }
 }
index a63b07ac69420952c4b6b2961885405682ecf350..5618868255eecd5a87f175d924bb04ba520e8573 100644 (file)
@@ -38,7 +38,7 @@ encrypt_credencpart(krb5_context context, krb5_cred_enc_part *pcredpart,
     if (pkeyblock == NULL) {
            pencdata->ciphertext.data = scratch->data;
            pencdata->ciphertext.length = scratch->length;
-           krb5_xfree(scratch);
+           free(scratch);
            return 0;
     }
 
@@ -263,10 +263,10 @@ krb5_mk_ncred(krb5_context context, krb5_auth_context auth_context,
         replay.ctime = replaydata.timestamp;
         if ((retval = krb5_rc_store(context, auth_context->rcache, &replay))) {
             /* should we really error out here? XXX */
-            krb5_xfree(replay.client);
+            free(replay.client);
             goto error;
         }
-        krb5_xfree(replay.client);
+        free(replay.client);
     }
 
     /* Encode creds structure */
index 819d29dde15351120161679ccbfeefe108a02f4d..75cdc9b5beda32d88443f251b0ca87a9ca94062a 100644 (file)
@@ -47,6 +47,6 @@ krb5_mk_error(krb5_context context, const krb5_error *dec_err,
     if ((retval = encode_krb5_error(dec_err, &new_enc_err)))
        return(retval);
     *enc_err = *new_enc_err;
-    krb5_xfree(new_enc_err);
+    free(new_enc_err);
     return 0;
 }
index 2a56bd0971b455fc3f75675131be1e005e4557fc..e626872a0ded5ea68103f06688886b8634110e0b 100644 (file)
@@ -91,7 +91,7 @@ krb5_mk_priv_basic(krb5_context context, const krb5_data *userdata,
         goto clean_encpart;
 
     *outbuf = *scratch2;
-    krb5_xfree(scratch2);
+    free(scratch2);
     retval = 0;
 
 clean_encpart:
@@ -209,7 +209,7 @@ krb5_mk_priv(krb5_context context, krb5_auth_context auth_context,
 
        if ((retval = krb5_gen_replay_name(context, auth_context->local_addr, 
                                           "_priv", &replay.client))) {
-           krb5_xfree(outbuf);
+           free(outbuf);
            goto error;
        }
 
@@ -219,10 +219,10 @@ krb5_mk_priv(krb5_context context, krb5_auth_context auth_context,
        replay.ctime = replaydata.timestamp;
        if ((retval = krb5_rc_store(context, auth_context->rcache, &replay))) {
            /* should we really error out here? XXX */
-           krb5_xfree(replay.client);
+           free(replay.client);
            goto error;
        }
-       krb5_xfree(replay.client);
+       free(replay.client);
     }
 
     return 0;
index ee4f34ed2f3ee60672ee0d1eb946b212e72562a5..29155b6e11c8ac5ab8674cd830e9c852f2e6d750 100644 (file)
@@ -122,7 +122,7 @@ k5_mk_rep(krb5_context context, krb5_auth_context auth_context,
 
     if (!(retval = encode_krb5_ap_rep(&reply, &toutbuf))) {
        *outbuf = *toutbuf;
-       krb5_xfree(toutbuf);
+       free(toutbuf);
     }
 
     memset(reply.enc_part.ciphertext.data, 0, reply.enc_part.ciphertext.length);
index 0d24017ee7bebcb615062e7e038248eedb81608b..2d700aec89e80f26a5a02fd4cd02786362558ab6 100644 (file)
@@ -261,7 +261,7 @@ krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context,
        goto cleanup_cksum;
     *outbuf = *toutbuf;
 
-    krb5_xfree(toutbuf);
+    free(toutbuf);
 
 cleanup_cksum:
     if (checksump && checksump->checksum_type != 0x8003)
@@ -270,7 +270,7 @@ cleanup_cksum:
 cleanup:
     if (desired_etypes &&
        desired_etypes != (*auth_context)->permitted_etypes)
-       krb5_xfree(desired_etypes);
+       free(desired_etypes);
     if (request.ticket)
        krb5_free_ticket(context, request.ticket);
     if (request.authenticator.ciphertext.data) {
@@ -280,8 +280,8 @@ cleanup:
     }
     if (scratch) {
        memset(scratch->data, 0, scratch->length);
-        krb5_xfree(scratch->data);
-       krb5_xfree(scratch);
+        free(scratch->data);
+       free(scratch);
     }
     return retval;
 }
@@ -401,7 +401,7 @@ make_etype_list(krb5_context context,
     adata[i]->ad_type = KRB5_AUTHDATA_IF_RELEVANT;
     adata[i]->length = ad_if_relevant->length;
     adata[i]->contents = (krb5_octet *)ad_if_relevant->data;
-    krb5_xfree(ad_if_relevant); /* contents owned by adata[i] */
+    free(ad_if_relevant); /* contents owned by adata[i] */
 
     adata[i + 1] = NULL;
 
index 01abfab96187d89ae45cc27cba4f1ac5d5df4560..c2937ea03962acae1aa015072629816484ed9c98 100644 (file)
@@ -98,11 +98,11 @@ krb5_mk_safe_basic(krb5_context context, const krb5_data *userdata,
        goto cleanup_checksum;
     }
     *outbuf = *scratch2;
-    krb5_xfree(scratch2);
+    free(scratch2);
     retval = 0;
 
 cleanup_checksum:
-    krb5_xfree(safe_checksum.contents);
+    free(safe_checksum.contents);
 
     memset((char *)scratch1->data, 0, scratch1->length); 
     krb5_free_data(context, scratch1);
@@ -234,7 +234,7 @@ krb5_mk_safe(krb5_context context, krb5_auth_context auth_context,
 
        if ((retval = krb5_gen_replay_name(context, auth_context->local_addr, 
                                           "_safe", &replay.client))) {
-           krb5_xfree(outbuf);
+           free(outbuf);
            goto error;
        }
 
@@ -244,10 +244,10 @@ krb5_mk_safe(krb5_context context, krb5_auth_context auth_context,
        replay.ctime = replaydata.timestamp;
        if ((retval = krb5_rc_store(context, auth_context->rcache, &replay))) {
            /* should we really error out here? XXX */
-           krb5_xfree(outbuf);
+           free(outbuf);
            goto error;
        }
-       krb5_xfree(replay.client);
+       free(replay.client);
     }
 
     return 0;
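Review bot: When krb5_rc_store fails, this path calls `free(outbuf)` and jumps to `error` without releasing `replay.client`, which the success path frees on the next line; the equivalent branch in the krb5_mk_priv hunk frees `replay.client` instead. As written, the replay name leaks. If `outbuf` is the caller's `krb5_data *` (the `*outbuf = *scratch2` copy in krb5_mk_safe_basic suggests this, but the declaration is outside the hunk), the call also frees a container this function does not own. Change the line to `free(replay.client);`. The `free(outbuf)` after a failed krb5_gen_replay_name in the previous krb5_mk_safe hunk and in krb5_mk_priv needs the same check against whatever the `error:` label does with `outbuf`, which is not visible here.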
index 196b627d8b0627944696ce9f2f237e6a9a7f4138..30a63bf3505f92d845f8562ff5574a8d36e81b4e 100644 (file)
@@ -730,7 +730,7 @@ k5_insert_checksum(krb5_context context,
     }
 
     /* Encode checksum type into buffer */
-    store_32_le((krb5_ui_4)*cksumtype, (unsigned char *)cksumdata.data);
+    store_32_le((krb5_ui_4)*cksumtype, cksumdata.data);
 
     return 0;
 }
index 87548097a53a100a825d40929f2dece2faf7e23d..d55a488e322363174259a621b5e3baebe6684ad5 100644 (file)
@@ -148,7 +148,7 @@ k5_parse_name(krb5_context context, const char *name,
        }
        principal->data = (krb5_data *) malloc(sizeof(krb5_data) * components);
        if (principal->data == NULL) {
-           krb5_xfree((char *)principal);
+           free((char *)principal);
            return ENOMEM;
        }
        principal->length = components;
@@ -162,15 +162,15 @@ k5_parse_name(krb5_context context, const char *name,
            if (flags & KRB5_PRINCIPAL_PARSE_REQUIRE_REALM) {
                krb5_set_error_message(context, KRB5_PARSE_MALFORMED,
                                       "Principal %s is missing required realm", name);
-               krb5_xfree(principal->data);
-               krb5_xfree(principal);
+               free(principal->data);
+               free(principal);
                return KRB5_PARSE_MALFORMED;
            }
            if (!default_realm && (flags & KRB5_PRINCIPAL_PARSE_NO_REALM) == 0) {
                retval = krb5_get_default_realm(context, &default_realm);
                if (retval) {
-                   krb5_xfree(principal->data);
-                   krb5_xfree((char *)principal);
+                   free(principal->data);
+                   free((char *)principal);
                    return(retval);
                }
                default_realm_size = strlen(default_realm);
@@ -179,8 +179,8 @@ k5_parse_name(krb5_context context, const char *name,
        } else if (flags & KRB5_PRINCIPAL_PARSE_NO_REALM) {
            krb5_set_error_message(context, KRB5_PARSE_MALFORMED,
                                  "Principal %s has realm present", name);
-           krb5_xfree(principal->data);
-           krb5_xfree(principal);
+           free(principal->data);
+           free(principal);
            return KRB5_PARSE_MALFORMED;
        }
 
@@ -237,9 +237,9 @@ k5_parse_name(krb5_context context, const char *name,
         */
        tmpdata = malloc(realmsize + 1);
        if (tmpdata == 0) {
-               krb5_xfree(principal->data);
-               krb5_xfree(principal);
-               krb5_xfree(default_realm);
+               free(principal->data);
+               free(principal);
+               free(default_realm);
                return ENOMEM;
        }
        krb5_princ_set_realm_length(context, principal, realmsize);
@@ -249,11 +249,11 @@ k5_parse_name(krb5_context context, const char *name,
                  malloc(krb5_princ_component(context, principal, i)->length + 1);
                if (tmpdata2 == NULL) {
                        for (i--; i >= 0; i--)
-                               krb5_xfree(krb5_princ_component(context, principal, i)->data);
-                       krb5_xfree(krb5_princ_realm(context, principal)->data);
-                       krb5_xfree(principal->data);
-                       krb5_xfree(principal);
-                       krb5_xfree(default_realm);
+                               free(krb5_princ_component(context, principal, i)->data);
+                       free(krb5_princ_realm(context, principal)->data);
+                       free(principal->data);
+                       free(principal);
+                       free(default_realm);
                        return(ENOMEM);
                }
                krb5_princ_component(context, principal, i)->data = tmpdata2;
@@ -321,7 +321,7 @@ k5_parse_name(krb5_context context, const char *name,
        *nprincipal = principal;
 
        if (default_realm != NULL)
-               krb5_xfree(default_realm);
+               free(default_realm);
 
        return(0);
 }
index 11574116a346f1dace6b26695135d7b6062d3ccf..2ef38c2c5c70f8c7ef3eb1cbf2aafccdff0080a4 100644 (file)
@@ -227,7 +227,7 @@ cleanup:
     if (etype_info)
        krb5_free_etype_info(context, etype_info);
     if (f_salt)
-       krb5_xfree(salt.data);
+       free(salt.data);
     if (send_pa_list)
        krb5_free_pa_data(context, send_pa_list);
     if (def_enc_key)
@@ -314,7 +314,7 @@ obtain_enc_ts_padata(krb5_context context, krb5_pa_data *in_padata, krb5_etype_i
 
     *out_padata = pa;
 
-    krb5_xfree(scratch);
+    free(scratch);
     scratch = 0;
 
     retval = 0;
@@ -323,7 +323,7 @@ cleanup:
     if (scratch)
        krb5_free_data(context, scratch);
     if (enc_data.ciphertext.data)
-       krb5_xfree(enc_data.ciphertext.data);
+       free(enc_data.ciphertext.data);
     return retval;
 }
 
@@ -383,7 +383,7 @@ sam_get_pass_from_user(krb5_context context, krb5_etype_info etype_info, git_key
       /* we don't keep the new password, just the key... */
       retval = (*key_proc)(context, enctype, 0, 
                           (krb5_const_pointer)&newpw, new_enc_key);
-      krb5_xfree(newpw.data);
+      free(newpw.data);
     }
     krb5_default_pwd_prompt1 = oldprompt;
     return retval;
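Review bot: `free(newpw.data)` releases the buffer that held the user's new password without clearing it, so the plaintext stays in freed heap memory even though the comment above says only the key is kept. Wipe the buffer before freeing it, for example `memset(newpw.data, 0, newpw.length);`, using a form the compiler cannot drop as a dead store. This assumes `newpw.length` still holds the buffer size at this point; it is set outside the hunk, so confirm that. The function body starts before this hunk.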
@@ -569,6 +569,6 @@ cleanup:
     if (scratch)
        krb5_free_data(context, scratch);
     if (sam_challenge)
-        krb5_xfree(sam_challenge);
+        free(sam_challenge);
     return retval;
 }
index bcb15d6632c763bb75eb12cfbfcb28e9f3b8c5ff..a6182d73f8e0889244cfce369ebd0264d48e0d49 100644 (file)
@@ -676,13 +676,13 @@ krb5_error_code pa_enc_timestamp(krb5_context context,
     krb5_free_data(context, tmp);
 
     if (ret) {
-       krb5_xfree(enc_data.ciphertext.data);
+       free(enc_data.ciphertext.data);
        return(ret);
     }
 
     ret = encode_krb5_enc_data(&enc_data, &tmp);
 
-    krb5_xfree(enc_data.ciphertext.data);
+    free(enc_data.ciphertext.data);
 
     if (ret)
        return(ret);
@@ -699,7 +699,7 @@ krb5_error_code pa_enc_timestamp(krb5_context context,
 
     *out_padata = pa;
 
-    krb5_xfree(tmp);
+    free(tmp);
 
     return(0);
 }
@@ -893,7 +893,7 @@ krb5_error_code pa_sam(krb5_context context,
                                   (krb5_data *)gak_data, salt, as_key);
 
        if (defsalt.length)
-           krb5_xfree(defsalt.data);
+           free(defsalt.data);
 
        if (ret) {
            krb5_free_sam_challenge(context, sam_challenge);
@@ -937,7 +937,7 @@ krb5_error_code pa_sam(krb5_context context,
                                   &response_data, salt, as_key);
 
        if (defsalt.length)
-           krb5_xfree(defsalt.data);
+           free(defsalt.data);
 
        if (ret) {
            krb5_free_sam_challenge(context, sam_challenge);
@@ -958,7 +958,7 @@ krb5_error_code pa_sam(krb5_context context,
     sam_response.sam_type = sam_challenge->sam_type;
     sam_response.magic = KV5M_SAM_RESPONSE;
 
-    krb5_xfree(sam_challenge);
+    free(sam_challenge);
 
     /* encode the encoded part of the response */
     if ((ret = encode_krb5_enc_sam_response_enc(&enc_sam_response_enc,
@@ -991,7 +991,7 @@ krb5_error_code pa_sam(krb5_context context,
 
     *out_padata = pa;
 
-    krb5_xfree(scratch);
+    free(scratch);
 
     return(0);
 }
@@ -1458,7 +1458,7 @@ krb5_error_code pa_sam_2(krb5_context context,
        if (retval) {
           krb5_free_sam_challenge_2(context, sc2);
           krb5_free_sam_challenge_2_body(context, sc2b);
-          if (defsalt.length) krb5_xfree(defsalt.data);
+          if (defsalt.length) free(defsalt.data);
           return(retval);
        }
 
@@ -1472,7 +1472,7 @@ krb5_error_code pa_sam_2(krb5_context context,
           if (retval) {
                krb5_free_sam_challenge_2(context, sc2);
                krb5_free_sam_challenge_2_body(context, sc2b);
-               if (defsalt.length) krb5_xfree(defsalt.data);
+               if (defsalt.length) free(defsalt.data);
                return(retval);
           }
 
@@ -1483,14 +1483,14 @@ krb5_error_code pa_sam_2(krb5_context context,
           if (retval) {
                krb5_free_sam_challenge_2(context, sc2);
                krb5_free_sam_challenge_2_body(context, sc2b);
-               if (defsalt.length) krb5_xfree(defsalt.data);
+               if (defsalt.length) free(defsalt.data);
                return(retval);
           }
           krb5_free_keyblock_contents(context, &tmp_kb);
        }
 
        if (defsalt.length)
-          krb5_xfree(defsalt.data);
+          free(defsalt.data);
 
    } else {
        /* as_key = string_to_key(SAD) */
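Review bot: The error return just above `krb5_free_keyblock_contents(context, &tmp_kb);` skips that call. If `tmp_kb` is already populated when the failing call runs (it is filled outside this hunk, so this is an inference), its key bytes leak on that path. Adding `krb5_free_keyblock_contents(context, &tmp_kb);` before that `return(retval);` would close it. Separately, the three-line cleanup (`krb5_free_sam_challenge_2`, `krb5_free_sam_challenge_2_body`, `if (defsalt.length) free(defsalt.data);`) is copied into every error branch of pa_sam_2 in this hunk and the two before it. A single `cleanup:` label would make omissions like this harder to introduce.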
@@ -1505,7 +1505,7 @@ krb5_error_code pa_sam_2(krb5_context context,
                                &response_data, salt, as_key);
 
        if (defsalt.length)
-          krb5_xfree(defsalt.data);
+          free(defsalt.data);
 
        if (retval) {
           krb5_free_sam_challenge_2(context, sc2);
index 5e159ab8025409eda7056e9957dc604f59fbc301..48637450dc56433b78173a814e0324bbe1c0a5fd 100644 (file)
@@ -42,10 +42,10 @@ decrypt_credencdata(krb5_context context, krb5_cred *pcred,
 cleanup:
     if (ppart != NULL) {
        memset(ppart, 0, sizeof(*ppart));
-       krb5_xfree(ppart);
+       free(ppart);
     }
     memset(scratch.data, 0, scratch.length);
-    krb5_xfree(scratch.data);
+    free(scratch.data);
 
     return retval;
 }
@@ -128,7 +128,7 @@ krb5_rd_cred_basic(krb5_context context, krb5_data *pcreddata,
            goto cleanup;
 
        pcur->ticket = *pdata;
-       krb5_xfree(pdata);
+       free(pdata);
 
 
         pcur->is_skey = FALSE;
@@ -214,10 +214,10 @@ krb5_rd_cred(krb5_context context, krb5_auth_context auth_context,
         replay.cusec = replaydata.usec;
         replay.ctime = replaydata.timestamp;
         if ((retval = krb5_rc_store(context, auth_context->rcache, &replay))) {
-            krb5_xfree(replay.client);
+            free(replay.client);
             goto error;
         }
-        krb5_xfree(replay.client);
+        free(replay.client);
     }
 
     if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
index 66b29b0fa3b908457037616d87878b7ea6ffbfae..7d1dbc3cae5bde26e4dfa1b35aa4e3088c6b0582 100644 (file)
@@ -141,11 +141,11 @@ cleanup_data:;
 
 cleanup_scratch:;
     memset(scratch.data, 0, scratch.length); 
-    krb5_xfree(scratch.data);
+    free(scratch.data);
 
 cleanup_privmsg:;
-    krb5_xfree(privmsg->enc_part.ciphertext.data); 
-    krb5_xfree(privmsg);
+    free(privmsg->enc_part.ciphertext.data); 
+    free(privmsg);
 
     return retval;
 }
@@ -239,10 +239,10 @@ krb5_rd_priv(krb5_context context, krb5_auth_context auth_context,
        replay.cusec = replaydata.usec;
        replay.ctime = replaydata.timestamp;
        if ((retval = krb5_rc_store(context, auth_context->rcache, &replay))) {
-           krb5_xfree(replay.client);
+           free(replay.client);
            goto error;
        }
-       krb5_xfree(replay.client);
+       free(replay.client);
     }
 
     if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
@@ -265,7 +265,7 @@ krb5_rd_priv(krb5_context context, krb5_auth_context auth_context,
     return 0;
 
 error:;
-    krb5_xfree(outbuf->data);
+    free(outbuf->data);
     outbuf->length = 0;
     outbuf->data = NULL;
 
index 618151100ad3dc707bf0323fa6cf8f42a3f48177..c618be1eea9ab82fc9f93d2f570d2bb31059e636 100644 (file)
@@ -354,10 +354,10 @@ krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context,
                                          &rep.msghash);
            if (!retval) {
                retval = krb5_rc_store(context, (*auth_context)->rcache, &rep);
-               krb5_xfree(rep.msghash);
+               free(rep.msghash);
            }
-           krb5_xfree(rep.server);
-           krb5_xfree(rep.client);
+           free(rep.server);
+           free(rep.client);
        }
 
        if (retval)
@@ -507,10 +507,10 @@ krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context,
     
 cleanup:
     if (desired_etypes != NULL)
-       krb5_xfree(desired_etypes);
+       free(desired_etypes);
     if (permitted_etypes != NULL &&
        permitted_etypes != (*auth_context)->permitted_etypes)
-       krb5_xfree(permitted_etypes);
+       free(permitted_etypes);
     if (server == &princ_data)
        krb5_free_default_realm(context, princ_data.realm.data);
     if (retval) {
@@ -706,7 +706,7 @@ decode_etype_list(krb5_context context,
     if (code == 0) {
        *desired_etypes = etype_list->etypes;
        *desired_etypes_len = etype_list->length;
-       krb5_xfree(etype_list);
+       free(etype_list);
     }
 
     if (ad_if_relevant != NULL)
index d14d9d4287abb363a28534d2e1d4da742aba1d78..938b4483d4cc295b5d59dc44b4cfda45ce8ca8c1 100644 (file)
@@ -245,10 +245,10 @@ krb5_rd_safe(krb5_context context, krb5_auth_context auth_context,
        replay.cusec = replaydata.usec;
        replay.ctime = replaydata.timestamp;
        if ((retval = krb5_rc_store(context, auth_context->rcache, &replay))) {
-           krb5_xfree(replay.client);
+           free(replay.client);
            goto error;
        }
-       krb5_xfree(replay.client);
+       free(replay.client);
     }
 
     if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
@@ -271,7 +271,7 @@ krb5_rd_safe(krb5_context context, krb5_auth_context auth_context,
     return 0;
 
 error:
-    krb5_xfree(outbuf->data);
+    free(outbuf->data);
     return retval;
 
 }
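Review bot: The `error:` path of krb5_rd_safe frees `outbuf->data` but leaves the stale pointer and length in the caller's `krb5_data`, so a caller that cleans up `outbuf` after a failed call would free the same block twice. The matching path in krb5_rd_priv, earlier in this diff, resets both fields after the free. Doing the same here, with `outbuf->length = 0;` and `outbuf->data = NULL;` before `return retval;`, would make the two consistent. Whether every jump to `error:` happens after `outbuf->data` was assigned cannot be seen here, since the body of krb5_rd_safe starts outside the hunk.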
index 92bcad7a9a522689519b2fe6fd14f5a477385dee..ab3e1e48aebc4f79a42e808676623f54dfa8e217 100644 (file)
@@ -77,7 +77,7 @@ recvauth_common(krb5_context context,
            if (strcmp(inbuf.data, sendauth_version)) {
                problem = KRB5_SENDAUTH_BADAUTHVERS;
            }
-           krb5_xfree(inbuf.data);
+           free(inbuf.data);
        }
        if (flags & KRB5_RECVAUTH_BADAUTHVERS)
            problem = KRB5_SENDAUTH_BADAUTHVERS;
@@ -94,7 +94,7 @@ recvauth_common(krb5_context context,
        if (version && !problem)
            *version = inbuf;
        else
-           krb5_xfree(inbuf.data);
+           free(inbuf.data);
        /*
         * OK, now check the problem variable.  If it's zero, we're
         * fine and we can continue.  Otherwise, we have to signal an
@@ -165,7 +165,7 @@ recvauth_common(krb5_context context,
     if (!problem) {
        problem = krb5_rd_req(context, auth_context, &inbuf, server,
                              keytab, &ap_option, ticket);
-       krb5_xfree(inbuf.data);
+       free(inbuf.data);
     }
        
     /*
@@ -213,7 +213,7 @@ recvauth_common(krb5_context context,
 
     retval = krb5_write_message(context, fd, &outbuf);
     if (outbuf.data) {
-       krb5_xfree(outbuf.data);
+       free(outbuf.data);
        /* We sent back an error, we need cleanup then return */
        retval = problem;
        goto cleanup;
@@ -227,7 +227,7 @@ recvauth_common(krb5_context context,
            return(retval);
        }
        retval = krb5_write_message(context, fd, &outbuf);
-       krb5_xfree(outbuf.data);
+       free(outbuf.data);
     }
 
 cleanup:;
index 138599804ac438c1312c4ca71d994e5ce8923ef9..ab136abb78e397a5b9449ea3c7a457853d4315a9 100644 (file)
@@ -103,7 +103,7 @@ krb5_send_tgs_basic(krb5_context context, krb5_data *in_data, krb5_creds *in_cre
 
     retval = encode_krb5_ap_req(&request, &toutbuf);
     *outbuf = *toutbuf;
-    krb5_xfree(toutbuf);
+    free(toutbuf);
 
 
     memset(request.authenticator.ciphertext.data, 0,
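Review bot: `*outbuf = *toutbuf;` dereferences `toutbuf` before the result of `encode_krb5_ap_req` is checked, so a failed encode would copy from, and then free, a pointer the encoder may not have set. Guarding the two lines keeps the error path safe: `if (retval == 0) { *outbuf = *toutbuf; free(toutbuf); }`. What the encoder does to `toutbuf` on failure is not visible here. The rest of krb5_send_tgs_basic, including where `retval` is finally checked, lies outside the hunk.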
@@ -174,7 +174,7 @@ krb5_send_tgs(krb5_context context, krb5_flags kdcoptions,
                                          KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY,
                                          scratch,
                                          &tgsreq.authorization_data))) {
-           krb5_xfree(tgsreq.authorization_data.ciphertext.data);
+           free(tgsreq.authorization_data.ciphertext.data);
            krb5_free_data(context, scratch);
            return retval;
        }
@@ -229,7 +229,7 @@ krb5_send_tgs(krb5_context context, krb5_flags kdcoptions,
        for (counter = padata; *counter; counter++, i++);
        combined_padata = malloc((i+2) * sizeof(*combined_padata));
        if (!combined_padata) {
-           krb5_xfree(ap_req_padata.contents);
+           free(ap_req_padata.contents);
            retval = ENOMEM;
            goto send_tgs_error_2;
        }
@@ -240,7 +240,7 @@ krb5_send_tgs(krb5_context context, krb5_flags kdcoptions,
     } else {
        combined_padata = (krb5_pa_data **)malloc(2*sizeof(*combined_padata));
        if (!combined_padata) {
-           krb5_xfree(ap_req_padata.contents);
+           free(ap_req_padata.contents);
            retval = ENOMEM;
            goto send_tgs_error_2;
        }
@@ -251,12 +251,12 @@ krb5_send_tgs(krb5_context context, krb5_flags kdcoptions,
 
     /* the TGS_REQ is assembled in tgsreq, so encode it */
     if ((retval = encode_krb5_tgs_req(&tgsreq, &scratch))) {
-       krb5_xfree(ap_req_padata.contents);
-       krb5_xfree(combined_padata);
+       free(ap_req_padata.contents);
+       free(combined_padata);
        goto send_tgs_error_2;
     }
-    krb5_xfree(ap_req_padata.contents);
-    krb5_xfree(combined_padata);
+    free(ap_req_padata.contents);
+    free(combined_padata);
 
     /* now send request & get response from KDC */
 send_again:
@@ -297,11 +297,11 @@ send_tgs_error_2:;
 
 send_tgs_error_1:;
     if (ktypes == NULL)
-       krb5_xfree(tgsreq.ktype);
+       free(tgsreq.ktype);
     if (tgsreq.authorization_data.ciphertext.data) {
        memset(tgsreq.authorization_data.ciphertext.data, 0,
                tgsreq.authorization_data.ciphertext.length); 
-       krb5_xfree(tgsreq.authorization_data.ciphertext.data);
+       free(tgsreq.authorization_data.ciphertext.data);
     }
 
     return retval;
index 35684bebbe355a9fe43b06fd6c27805709474732..85d52f171da84a9667fb31d4957227cd4d044e62 100644 (file)
@@ -181,12 +181,12 @@ krb5_sendauth(krb5_context context, krb5_auth_context *auth_context,
        if (inbuf.length) {
                if (error) {
                    if ((retval = krb5_rd_error(context, &inbuf, error))) {
-                       krb5_xfree(inbuf.data);
+                       free(inbuf.data);
                        goto error_return;
                    }
                }
                retval = KRB5_SENDAUTH_REJECTED;
-               krb5_xfree(inbuf.data);
+               free(inbuf.data);
                goto error_return;
        }
        
@@ -204,11 +204,11 @@ krb5_sendauth(krb5_context context, krb5_auth_context *auth_context,
                                      &repl))) {
                if (repl)
                    krb5_free_ap_rep_enc_part(context, repl);
-               krb5_xfree(inbuf.data);
+               free(inbuf.data);
                goto error_return;
            }
 
-           krb5_xfree(inbuf.data);
+           free(inbuf.data);
            /*
             * If the user wants to look at the AP_REP message,
             * copy it for him
index a4663c5f8bbaf73534cab0024f2eb63c11d5e211..b04638de0d5805777abb1a805a2cd46026753d7a 100644 (file)
@@ -74,7 +74,7 @@ krb5_principal_size(krb5_context kcontext, krb5_pointer arg, size_t *sizep)
     if ((principal = (krb5_principal) arg) &&
        !(kret = krb5_unparse_name(kcontext, principal, &fname))) {
        *sizep += (3*sizeof(krb5_int32)) + strlen(fname);
-       krb5_xfree(fname);
+       free(fname);
     }
     return(kret);
 }
@@ -111,7 +111,7 @@ krb5_principal_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet *
                *buffer = bp;
                *lenremain = remain;
 
-               krb5_xfree(fname);
+               free(fname);
            }
        }
     }
index 9152dba0a78689c8aa40dcd9f0da33b851e51911..f78bc16183beb595bb73adf833a70d77f95eaeb0 100644 (file)
@@ -76,7 +76,7 @@ krb5_register_serializer(krb5_context kcontext, const krb5_ser_entry *entry)
            /* Copy in new entry */
            memcpy(&stable[kcontext->ser_ctx_count], entry,
                   sizeof(krb5_ser_entry));
-           if (kcontext->ser_ctx) krb5_xfree(kcontext->ser_ctx);
+           if (kcontext->ser_ctx) free(kcontext->ser_ctx);
            kcontext->ser_ctx = (void *) stable;
            kcontext->ser_ctx_count++;
        }
index edb72ae7fbc294d8c87184621b7b788a5c43e9ed..9a96cd1cadaba42098fe3669288c8feb6f4c538d 100644 (file)
@@ -40,7 +40,7 @@ krb5_set_principal_realm(krb5_context context, krb5_principal principal, const c
        if (!newrealm)
                return -ENOMEM;
        
-       (void) krb5_xfree(krb5_princ_realm(context,principal)->data);
+       (void) free(krb5_princ_realm(context,principal)->data);
 
        krb5_princ_realm(context, principal)->length = length;
        krb5_princ_realm(context, principal)->data = newrealm;
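Review bot: The allocation-failure branch returns `-ENOMEM`, while other functions in this diff return the positive `ENOMEM` (for example krb5_set_default_realm), so a caller comparing against `ENOMEM` or passing the code to an error-message lookup would not recognise it. `return ENOMEM;` looks like what was meant. On the changed line, the `(void)` cast in front of `free(...)` is a leftover from the macro and can go: `free(krb5_princ_realm(context, principal)->data);`. The function begins outside this hunk.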
index a426881d412909442ae55700be5d593509b9f587..9da6d45ff0ddbf74f892ffb48268cf8d47cf4cdc 100644 (file)
@@ -93,8 +93,8 @@ krb5_get_server_rcache(krb5_context context, const krb5_data *piece,
 
 cleanup:
     if (rcache)
-       krb5_xfree(rcache);
+       free(rcache);
     if (cachename)
-       krb5_xfree(cachename);
+       free(cachename);
     return retval;
 }
index 7c3945323577872f869514c9de0eba24cee4fd3a..1776a3f21482a2aa0a0f7276c1b2928cb68ef420 100644 (file)
@@ -128,7 +128,7 @@ ser_data(int verbose, char *msg, krb5_pointer ctx, krb5_magic dtype)
                    if (verbose)
                        printf("%s: compare succeeded\n", msg);
                }
-               krb5_xfree(outrep2);
+               free(outrep2);
            }
            else
                printf("%s: second externalize returned %d\n", msg, kret);
@@ -144,7 +144,7 @@ ser_data(int verbose, char *msg, krb5_pointer ctx, krb5_magic dtype)
 
                    actx = (krb5_auth_context) nctx;
                    if (actx->i_vector)
-                       krb5_xfree(actx->i_vector);
+                       free(actx->i_vector);
                }
                krb5_auth_con_free(ser_ctx, (krb5_auth_context) nctx);
                break;
@@ -164,11 +164,11 @@ ser_data(int verbose, char *msg, krb5_pointer ctx, krb5_magic dtype)
                    eblock = (krb5_encrypt_block *) nctx;
 #if 0
                    if (eblock->priv && eblock->priv_size)
-                       krb5_xfree(eblock->priv);
+                       free(eblock->priv);
 #endif
                    if (eblock->key)
                        krb5_free_keyblock(ser_ctx, eblock->key);
-                   krb5_xfree(eblock);
+                   free(eblock);
                }
                break;
            case KV5M_PRINCIPAL:
@@ -184,7 +184,7 @@ ser_data(int verbose, char *msg, krb5_pointer ctx, krb5_magic dtype)
        }
        else
            printf("%s: internalize returned %d\n", msg, kret);
-       krb5_xfree(outrep);
+       free(outrep);
     }
     else
        printf("%s: externalize_data returned %d\n", msg, kret);
@@ -307,7 +307,7 @@ ser_acontext_test(krb5_context kcontext, int verbose)
                !(kret = ser_data(verbose, "> Auth context with new vector",
                                  (krb5_pointer) actx,
                                  KV5M_AUTH_CONTEXT)) &&
-               (krb5_xfree(actx->i_vector), actx->i_vector) &&
+               (free(actx->i_vector), actx->i_vector) &&
                !(kret = krb5_auth_con_setivector(kcontext, actx,
                                                  (krb5_pointer) print_erep)
                  ) &&
index f133e2f67dfa05fafe110275eb476dbeed475842..ba4187ea649edb40d09066e7cf0492f015179777 100644 (file)
@@ -226,7 +226,7 @@ cleanup:
    if (authcon)
       krb5_auth_con_free(context, authcon);
    if (ap_req.data)
-      krb5_xfree(ap_req.data);
+      free(ap_req.data);
 
    return(ret);
 }
index 4a6581fe12d6ba471eebfc3c2e43e5bb072a171a..9651f30bc486b6a23c00d9fe14270ccd8e7eaf0a 100644 (file)
@@ -362,6 +362,7 @@ krb5_os_free_context
 krb5_os_hostaddr
 krb5_os_init_context
 krb5_os_localaddr
+krb5int_get_domain_realm_mapping
 krb5_overridekeyname
 krb5_pac_add_buffer
 krb5_pac_free
index 83bce2bab59c1a1b6301a2716037266be6cc21c6..b886f17f1ae2fb14c6a1ddca399c1495632d6ca1 100644 (file)
@@ -115,13 +115,13 @@ db_an_to_ln(context, dbname, aname, lnsize, lname)
 
     db = KDBM_OPEN(dbname, O_RDONLY, 0600);
     if (!db) {
-       krb5_xfree(princ_name);
+       free(princ_name);
        return KRB5_LNAME_CANTOPEN;
     }
 
     contents = KDBM_FETCH(db, key);
 
-    krb5_xfree(princ_name);
+    free(princ_name);
 
     if (contents.dptr == NULL) {
        retval = KRB5_LNAME_NOTRANS;
@@ -583,7 +583,7 @@ rule_an_to_ln(krb5_context context, char *rule, krb5_const_principal aname, cons
            if (!(selstring = aname_full_to_mapping_name(fprincname)))
                kret = ENOMEM;
        }
-       krb5_xfree(fprincname);
+       free(fprincname);
     }
     if (!kret) {
        /*
@@ -819,9 +819,9 @@ krb5_aname_to_localname(krb5_context context, krb5_const_principal aname, int ln
            }
            else
                kret = ENOMEM;
-           krb5_xfree(pname);
+           free(pname);
        }
-       krb5_xfree(realm);
+       free(realm);
     }
     return(kret);
 }
index 13a025d9bbf49cfcbdf0211e0ee0e65976df6b88..d30a914cd7de57b7c64d5d7627c8f9a4b365f61e 100644 (file)
@@ -1,7 +1,7 @@
 /*
  * lib/krb5/os/def_realm.c
  *
- * Copyright 1990,1991 by the Massachusetts Institute of Technology.
+ * Copyright 1990,1991,2009 by the Massachusetts Institute of Technology.
  * All Rights Reserved.
  *
  * Export of this software from the United States of America may
@@ -32,7 +32,7 @@
 #include "os-proto.h"
 #include <stdio.h>
 
-#ifdef KRB5_DNS_LOOKUP      
+#ifdef KRB5_DNS_LOOKUP             
 #ifdef WSHELPER
 #include <wshelper.h>
 #else /* WSHELPER */
@@ -75,7 +75,7 @@ krb5_get_default_realm(krb5_context context, char **lrealm)
     krb5_error_code retval;
 
     if (!context || (context->magic != KV5M_CONTEXT)) 
-           return KV5M_CONTEXT;
+            return KV5M_CONTEXT;
 
     if (!context->default_realm) {
         /*
@@ -104,47 +104,47 @@ krb5_get_default_realm(krb5_context context, char **lrealm)
         if (context->default_realm == 0) {
             int use_dns =  _krb5_use_dns_realm(context);
             if ( use_dns ) {
-               /*
-                * Since this didn't appear in our config file, try looking
-                * it up via DNS.  Look for a TXT records of the form:
-                *
-                * _kerberos.<localhost>
-                * _kerberos.<domainname>
-                * _kerberos.<searchlist>
-                *
-                */
-               char localhost[MAX_DNS_NAMELEN+1];
-               char * p;
-
-               krb5int_get_fq_local_hostname (localhost, sizeof(localhost));
-
-               if ( localhost[0] ) {
-                   p = localhost;
-                   do {
-                       retval = krb5_try_realm_txt_rr("_kerberos", p, 
-                                                      &context->default_realm);
-                       p = strchr(p,'.');
-                       if (p)
-                           p++;
-                   } while (retval && p && p[0]);
-
-                   if (retval)
-                       retval = krb5_try_realm_txt_rr("_kerberos", "", 
-                                                      &context->default_realm);
-               } else {
-                   retval = krb5_try_realm_txt_rr("_kerberos", "", 
-                                                  &context->default_realm);
-               }
-               if (retval) {
-                   return(KRB5_CONFIG_NODEFREALM);
-               }
+                /*
+                 * Since this didn't appear in our config file, try looking
+                 * it up via DNS.  Look for a TXT records of the form:
+                 *
+                 * _kerberos.<localhost>
+                 * _kerberos.<domainname>
+                 * _kerberos.<searchlist>
+                 *
+                 */
+                char localhost[MAX_DNS_NAMELEN+1];
+                char * p;
+
+                krb5int_get_fq_local_hostname (localhost, sizeof(localhost));
+
+                if ( localhost[0] ) {
+                    p = localhost;
+                    do {
+                        retval = krb5_try_realm_txt_rr("_kerberos", p, 
+                                                       &context->default_realm);
+                        p = strchr(p,'.');
+                        if (p)
+                            p++;
+                    } while (retval && p && p[0]);
+
+                    if (retval)
+                        retval = krb5_try_realm_txt_rr("_kerberos", "", 
+                                                       &context->default_realm);
+                } else {
+                    retval = krb5_try_realm_txt_rr("_kerberos", "", 
+                                                   &context->default_realm);
+                }
+                if (retval) {
+                    return(KRB5_CONFIG_NODEFREALM);
+                }
             }
         }
 #endif /* KRB5_DNS_LOOKUP */
     }
 
     if (context->default_realm == 0)
-       return(KRB5_CONFIG_NODEFREALM);
+        return(KRB5_CONFIG_NODEFREALM);
     if (context->default_realm[0] == 0) {
         free (context->default_realm);
         context->default_realm = 0;
@@ -162,11 +162,11 @@ krb5_error_code KRB5_CALLCONV
 krb5_set_default_realm(krb5_context context, const char *lrealm)
 {
     if (!context || (context->magic != KV5M_CONTEXT)) 
-           return KV5M_CONTEXT;
+            return KV5M_CONTEXT;
 
     if (context->default_realm) {
-           free(context->default_realm);
-           context->default_realm = 0;
+            free(context->default_realm);
+            context->default_realm = 0;
     }
 
     /* Allow the user to clear the default realm setting by passing in 
@@ -176,7 +176,7 @@ krb5_set_default_realm(krb5_context context, const char *lrealm)
     context->default_realm = strdup(lrealm);
 
     if (!context->default_realm)
-           return ENOMEM;
+            return ENOMEM;
 
     return(0);
 
@@ -185,5 +185,63 @@ krb5_set_default_realm(krb5_context context, const char *lrealm)
 void KRB5_CALLCONV
 krb5_free_default_realm(krb5_context context, char *lrealm)
 {
-       free (lrealm);
+    free (lrealm);
 }
+
+krb5_error_code
+krb5int_get_domain_realm_mapping(krb5_context context, const char *host, char ***realmsp)
+{
+    char **retrealms;
+    char *realm, *cp, *temp_realm;
+    krb5_error_code retval;
+    char temp_host[MAX_DNS_NAMELEN+1];
+
+    /* do sanity check and lower-case */
+    retval = krb5int_clean_hostname(context, host, temp_host, sizeof temp_host);
+    if (retval)
+        return retval;
+    /*
+       Search for the best match for the host or domain.
+       Example: Given a host a.b.c.d, try to match on:
+         1) a.b.c.d  2) .b.c.d.   3) b.c.d  4)  .c.d  5) c.d  6) .d   7) d
+     */
+
+    cp = temp_host;
+    realm = (char *)NULL;
+    temp_realm = 0;
+    while (cp ) {
+        retval = profile_get_string(context->profile, "domain_realm", cp,
+                                    0, (char *)NULL, &temp_realm);
+        if (retval)
+            return retval;
+        if (temp_realm != (char *)NULL)
+            break;        /* Match found */
+        /* Setup for another test */
+        if (*cp == '.') {
+            cp++;
+        } else {
+            cp = strchr(cp, '.');
+        }
+    }
+    if (temp_realm != (char*)NULL) {
+        realm = strdup(temp_realm);
+        profile_release_string(temp_realm);
+        if (!realm) {
+            return ENOMEM;
+        }
+    }
+    retrealms = (char **)calloc(2, sizeof(*retrealms));
+    if (!retrealms) {
+        if (realm != (char *)NULL)
+            free(realm);
+        return ENOMEM;
+    }
+
+    retrealms[0] = realm;
+    retrealms[1] = 0;
+
+    *realmsp = retrealms;
+    return 0;
+}
+
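Review bot: krb5int_get_domain_realm_mapping is added here, and to an export list earlier in this diff, without a header comment, and its contract has two things a caller cannot guess. It returns 0 with `(*realmsp)[0] == NULL` when no `domain_realm` entry matches, and the returned array and the string in it are heap-allocated for the caller to release. A short comment above the definition would cover both, e.g. `/* Map host to a realm via the domain_realm profile section; on success *realmsp is a NULL-terminated, caller-freed list whose first entry is NULL if nothing matched. */`. It would also help to say that `*realmsp` is left untouched on error, and to drop the stray trailing dot in candidate `2) .b.c.d.` in the search-order comment.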
index a10db910c94228ba7c6d3d38b51dcbbd4cd87c5d..e7c7116cdc11a908eae6b229e3c47bfea14a3ede 100644 (file)
@@ -40,6 +40,6 @@ krb5_free_krbhst(krb5_context context, char *const *hostlist)
 
     for (cp = hostlist; *cp; cp++)
        free(*cp);
-    krb5_xfree(hostlist);
+    free((char *)hostlist);
     return 0;
 }
index c72daa8c954bfb4bbb10b15bd8765b6d8f79e345..309c3b57f4275070ce0a52c2889678d1b3ae66c4 100644 (file)
@@ -53,7 +53,7 @@ krb5_make_full_ipaddr(krb5_context context, krb5_int32 adr,
        2*sizeof(temptype) + 2*sizeof(templength);
 
     if (!(retaddr->contents = (krb5_octet *)malloc(retaddr->length))) {
-       krb5_xfree(retaddr);
+       free(retaddr);
        return ENOMEM;
     }
     marshal = retaddr->contents;
index d884b8cd474aa655e0e77ce5f7523266739c667a..1007522474b7f4b09c5190931396b24554264c75 100644 (file)
@@ -1358,7 +1358,7 @@ get_localaddrs (krb5_context context, krb5_address ***addr, int use_profile)
        int i;
        if (data.addr_temp) {
            for (i = 0; i < data.count; i++)
-               krb5_xfree (data.addr_temp[i]);
+               free (data.addr_temp[i]);
            free (data.addr_temp);
        }
        if (data.mem_err)
index 4725bf4abd01f111912645a1e46027885bb4477c..f10f3af1cded6e4c21a58801f26e0913173c10c6 100644 (file)
@@ -337,7 +337,7 @@ krb5_locate_srv_conf_1(krb5_context context, const krb5_data *realm,
                 error_message(code));
         if (code == PROF_NO_SECTION || code == PROF_NO_RELATION)
            code = KRB5_REALM_UNKNOWN;
-       krb5_xfree(host);
+       free(host);
        return code;
      }
 
@@ -348,7 +348,7 @@ krb5_locate_srv_conf_1(krb5_context context, const krb5_data *realm,
     
     if (count == 0) {
         profile_free_list(hostlist);
-       krb5_xfree(host);
+       free(host);
        addrlist->naddrs = 0;
        return 0;
     }
@@ -362,7 +362,7 @@ krb5_locate_srv_conf_1(krb5_context context, const krb5_data *realm,
        code = profile_get_values(context->profile, realm_srv_names,
                                  &masterlist);
 
-       krb5_xfree(host);
+       free(host);
 
        if (code == 0) {
            for (i=0; masterlist[i]; i++) {
@@ -383,7 +383,7 @@ krb5_locate_srv_conf_1(krb5_context context, const krb5_data *realm,
            }
        }
     } else {
-       krb5_xfree(host);
+       free(host);
     }
 
     /* at this point, if master is non-NULL, then either the master kdc
index cd243c0223bf46653e87ba44294cb6b79b639dd5..a5cc99a654c9e04858a851577be941bec5ca7d57 100644 (file)
@@ -1,7 +1,7 @@
 /*
  * lib/krb5/os/full_ipadr.c
  *
- * Copyright 1995 by the Massachusetts Institute of Technology.
+ * Copyright 1995, 2009 by the Massachusetts Institute of Technology.
  * All Rights Reserved.
  *
  * Export of this software from the United States of America may
@@ -57,8 +57,8 @@ krb5_make_fulladdr(krb5_context context, krb5_address *kaddr, krb5_address *kpor
     tmp16 = kaddr->addrtype;
     *marshal++ = 0x00;
     *marshal++ = 0x00;
-    *marshal++ = (krb5_octet) (tmp16 & 0xff);
-    *marshal++ = (krb5_octet) ((tmp16 >> 8) & 0xff);
+    store_16_le(tmp16, marshal);
+    marshal += 2;
 
     tmp32 = kaddr->length;
     store_32_le(tmp32, marshal);
index 47973bbd8c920eff3ee4eb2ee6d4a9fe129bbd29..82a2573763cac176c6d4c8b14d42936e8da3d2f1 100644 (file)
@@ -57,7 +57,7 @@ krb5_read_message(krb5_context context, krb5_pointer fdp, krb5_data *inbuf)
                        return(ENOMEM);
                }
                if ((len2 = krb5_net_read(context, fd, buf, ilen)) != ilen) {
-                       krb5_xfree(buf);
+                       free(buf);
                        return((len2 < 0) ? errno : ECONNABORTED);
                }
        }
index cbc6eb1edce16c6dd8abcde09c6c868ff5a6f9a0..c300e2d42f82ea1663dfb28bd88b6b96b6d725ad 100644 (file)
@@ -187,7 +187,7 @@ krb5_sname_to_principal(krb5_context context, const char *hostname, const char *
 
        if (!hrealms[0]) {
            free(remote_host);
-           krb5_xfree(hrealms);
+           free(hrealms);
            return KRB5_ERR_HOST_REALM_UNKNOWN;
        }
        realm = hrealms[0];
index 0486162083c83c948fda25a5baa02673d9625736..009edfdadb4760d9924602826376842d6eb983cb 100644 (file)
@@ -334,10 +334,10 @@ krb5_rc_dfl_resolve(krb5_context context, krb5_rcache id, char *name)
 cleanup:
     if (t) {
         if (t->name)
-            krb5_xfree(t->name);
+            free(t->name);
         if (t->h)
-            krb5_xfree(t->h);
-        krb5_xfree(t);
+            free(t->h);
+        free(t);
     }
     return retval;
 }
@@ -523,11 +523,11 @@ krb5_rc_io_fetch(krb5_context context, struct dfl_data *t,
 
 errout:
     if (rep->client)
-        krb5_xfree(rep->client);
+        free(rep->client);
     if (rep->server)
-        krb5_xfree(rep->server);
+        free(rep->server);
     if (rep->msghash)
-        krb5_xfree(rep->msghash);
+        free(rep->msghash);
     rep->client = rep->server = 0;
     return retval;
 }
index 7cdda8af139cd924e6f3af9720492126ea7fee98..2b2d205201a95a6206471a9e706803acbafcf6db 100644 (file)
@@ -19,22 +19,16 @@ set ver_line "rpc_test server: bad verifier\[^\r\n\]*\[\r\n]+"
 set dots 0
 set server_lines 0
 while {1} {
-       set oldtimeout $timeout
-       set timeout 5
-       while {1} {
-               expect {
-                       -i $server_id
-                       -re $ver_line {
-                               verbose "Got line from server."
-                               incr server_lines
-                       }
-                       default {
-                               break
-                       }
-               }
-       }
-       set timeout $oldtimeout
        expect {
+               -i $server_id
+               -re $ver_line {
+                       verbose "Got line from server."
+                       incr server_lines
+               }
+               default {
+                       exp_continue
+               }
+
                -i $client_id
                . { 
                        incr dots
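Review bot: The new `default { exp_continue }` arm under `-i $server_id` may swallow timeouts, because in Expect `default` stands for both `eof` and `timeout`, and it is listed before the arm in the next hunk that reports `full run: timeout waiting for dot`. If the first matching timeout arm wins, as I understand Expect's matching order, a client that stops printing dots would restart the timer indefinitely instead of failing the test. If the intent is only to keep waiting when the server side closes, `eof { exp_continue }` in place of `default` would leave the timeout failure reachable. This is worth confirming with a run where the client is made to hang.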
@@ -54,7 +48,6 @@ while {1} {
                        fail "full run: timeout waiting for dot"
                        break
                }
-
        }
 }
 if {$dots==11} {
index 4afc273c27e975dba400cb220f98c24afe52ac0e..68581f103c9cb5250c9a2cc53e1da7144cf73ae8 100644 (file)
@@ -642,7 +642,7 @@ int main(argc, argv)
        setup(krb5_cred_enc_part,"krb5_cred_enc_part",ktest_make_sample_cred_enc_part);
        decode_run("enc_cred_part","","7D 82 02 23 30 82 02 1F A0 82 01 DA 30 82 01 D6 30 81 E8 A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 07 03 05 00 FE DC BA 98 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A8 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A9 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 AA 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 81 E8 A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 07 03 05 00 FE DC BA 98 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A8 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A9 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 AA 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 A1 03 02 01 2A A2 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A3 05 02 03 01 E2 40 A4 0F 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 A5 0F 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23",decode_krb5_enc_cred_part,ktest_equal_enc_cred_part,krb5_free_cred_enc_part);
        /* free_cred_enc_part does not free the pointer */
-       krb5_xfree(var);
+       free(var);
        ktest_destroy_principal(&(ref.ticket_info[0]->client));
        ktest_destroy_principal(&(ref.ticket_info[0]->server));
        ref.ticket_info[0]->flags = 0;
@@ -658,7 +658,7 @@ int main(argc, argv)
        ktest_destroy_address(&(ref.r_address));
        decode_run("enc_cred_part","(optionals NULL)","7D 82 01 0E 30 82 01 0A A0 82 01 06 30 82 01 02 30 15 A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 30 81 E8 A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 07 03 05 00 FE DC BA 98 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A8 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A9 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 AA 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23",decode_krb5_enc_cred_part,ktest_equal_enc_cred_part,krb5_free_cred_enc_part);
        /* free_cred_enc_part does not free the pointer */
-       krb5_xfree(var);
+       free(var);
 
        ktest_empty_cred_enc_part(&ref);
     }
@@ -895,8 +895,8 @@ int main(argc, argv)
 void krb5_ktest_free_alt_method(krb5_context context, krb5_alt_method *val)
 {
     if (val->data)
-       krb5_xfree(val->data);
-    krb5_xfree(val);
+       free(val->data);
+    free(val);
 }
 
 void krb5_ktest_free_pwd_sequence(krb5_context context, 
@@ -904,7 +904,7 @@ void krb5_ktest_free_pwd_sequence(krb5_context context,
 {
     krb5_free_data(context, val->passwd);
     krb5_free_data(context, val->phrase);
-    krb5_xfree(val);
+    free(val);
 }
 
 void krb5_ktest_free_enc_data(krb5_context context, krb5_enc_data *val)
index d76ad4c116f771acd33074e24d13ce433a38d4a8..2c6c56f736e6c5639c1dcc54b6b893f3042c2dd5 100644 (file)
@@ -1036,8 +1036,6 @@ proc setup_krb5_conf { {type client} } {
            puts $conffile \
                    "   permitted_enctypes = $permitted_enctypes($type)"
        }
-       puts $conffile "        krb4_config = $tmppwd/krb.conf"
-       puts $conffile "        krb4_realms = $tmppwd/krb.realms"
        if { $mode == "tcp" } {
            puts $conffile "    udp_preference_limit = 1"
        }
index 3016db22082e6b9046875eb3712f3c6f80841832..27a8af6a5d32d7c828c2c489e59b8f98ac572657 100644 (file)
@@ -73,6 +73,8 @@ static char *rcsid = "$Header$";
 
 #include <gssapi/gssapi_generic.h>
 #include "gss-misc.h"
+/* for store_32_be */
+#include "k5-platform.h"
 
 #ifdef HAVE_STDLIB_H
 #include <stdlib.h>
@@ -175,11 +177,7 @@ int send_token(s, flags, tok)
      }
      if (tok->length > 0xffffffffUL)
         abort();
-     lenbuf[0] = (tok->length >> 24) & 0xff;
-     lenbuf[1] = (tok->length >> 16) & 0xff;
-     lenbuf[2] = (tok->length >> 8) & 0xff;
-     lenbuf[3] = tok->length & 0xff;
-
+     store_32_be(tok->length, lenbuf);
      ret = write_all(s, lenbuf, 4);
      if (ret < 0) {
          perror("sending token length");
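Review bot: The narrowing of `tok->length` to the 32-bit value written by store_32_be is now implicit, and it is lossless only because of the `tok->length > 0xffffffffUL` check two lines above. Since that value is the length prefix the peer uses to frame the token, the dependency should be visible at the call, for example `store_32_be((unsigned int)tok->length, lenbuf); /* range-checked above */`. The declaration of `lenbuf` is outside the hunk, so whether its type matches the helper's pointer parameter cannot be confirmed from here. send_token's body starts and ends outside the hunk.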
index 62768af26a18027e4d1968b2be8da4d8e40d120e..0be8244a23764d3d148d4ed5fcc723f7f9ab23e4 100644 (file)
@@ -69,6 +69,7 @@ char *strchr();
 #include <unistd.h>
 #endif
 
+#include <netinet/in.h>
 #include <netdb.h>
 
 int
@@ -78,7 +79,7 @@ main(argc, argv)
 {
        char myname[MAXHOSTNAMELEN+1];
        char *ptr;
-       char addrcopy[4];
+       struct in_addr addrcopy;
        struct hostent *host;
        int quiet = 0;
 
@@ -124,10 +125,10 @@ main(argc, argv)
            printf("Host address: %d.%d.%d.%d\n", 
                   UC(ptr[0]), UC(ptr[1]), UC(ptr[2]), UC(ptr[3]));
 
-       memcpy(addrcopy, ptr, 4);
+       memcpy(&addrcopy.s_addr, ptr, 4);
 
        /* Convert back to full name */
-       if((host = gethostbyaddr(addrcopy, 4, AF_INET)) == NULL) {
+       if((host = gethostbyaddr(&addrcopy.s_addr, 4, AF_INET)) == NULL) {
                fprintf(stderr, "Error looking up IP address - fatal\n");
                exit(2);
        }
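Review bot: The address length is still the literal `4` in both changed calls, although `addrcopy` is now a `struct in_addr`. Tying the size to the destination keeps the copy and the reverse lookup in step with the type: `memcpy(&addrcopy.s_addr, ptr, sizeof(addrcopy.s_addr));` and `gethostbyaddr(&addrcopy.s_addr, sizeof(addrcopy.s_addr), AF_INET)`. Where `ptr` is assigned is outside the hunk, so whether the source address is checked to be 4 bytes long (for instance against `host->h_length`) cannot be seen here and is worth confirming. main's body starts and ends outside the hunk.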
index 19c59c60d3aa8e2e387da726ef61fa3cf92f88e7..73f58b90ca2dd085a3c9b860e71e7fe45b7871e8 100644 (file)
@@ -2,8 +2,6 @@
        default_realm = ATHENA.MIT.EDU 
        default_tgs_enctypes = des-cbc-crc
        default_tkt_enctypes = des-cbc-crc
-       krb4_config = /etc/athena/krb.conf
-       krb4_realms = /etc/athena/krb.realms
        default_keytab_name = FILE:/etc/krb5.keytab
        kdc_timesync = 1
        ccache_type = 4
diff --git a/src/util/trim-valgrind-logs b/src/util/trim-valgrind-logs
new file mode 100755 (executable)
index 0000000..af6839d
--- /dev/null
@@ -0,0 +1,71 @@
+#!/bin/sh
+
+files=vg.*
+
+logname() {
+#      sed -n -e 7p $1 | awk '{print $2}'
+#      head -7 $1 | tail -1 | awk '{print $2}'
+       awk '{ if (NR == 9) { print $2; exit 0; } }' $1
+}
+
+show_names() {
+       if test "$*" = "$files" ; then
+               return
+       fi
+       for f in $* ; do
+               echo $f : `logname $f`
+       done
+}
+
+discard_list="/bin/ps /bin/sh /bin/stty /usr/bin/cmp awk cat chmod cmp cp env expr find grep kill mv rev rlogin rm sed sh sleep sort tail test touch wc whoami xargs"
+discard_list="$discard_list tcsh tokens"
+#discard_list="$discard_list ./rtest ./dbtest"
+# The t_inetd program's logs seem to always wind up incomplete for some
+# reason.  It's also not terribly important.
+discard_list="$discard_list /path/to/.../t_inetd"
+
+filter() {
+       if test "$*" = "$files" ; then
+               return
+       fi
+       for f in $* ; do
+               n=`logname $f`
+               for d in $discard_list; do
+                       if test "$n" = "$d"; then
+                               echo rm $f : $n
+                               rm $f
+                               break
+                       fi
+               done
+       done
+}
+
+kill_error_free_logs() {
+       if test "$*" = "$files" ; then
+               return
+       fi
+       grep -l "ERROR SUMMARY: 0 errors" $* | while read name ; do
+               echo rm $name : no errors in `logname $name`
+               rm $name
+       done
+}
+
+kill_no_leak_logs() {
+       if test "$*" = "$files" ; then
+           return
+       fi
+       grep -l "ERROR SUMMARY: 0 errors" $* | \
+           grep -l "definitely lost: 0 bytes" $* | \
+           xargs grep -l "possibly lost: 0 bytes" | \
+           xargs grep -l "still reachable: 0 bytes in 0 blocks" | \
+           while read name ; do
+           echo rm $name : no leaks or errors in `logname $name`
+           rm $name
+       done
+}
+
+filter $files
+kill_error_free_logs $files
+#kill_no_leak_logs $files
+echo Remaining files:
+show_names $files
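Review bot: In kill_no_leak_logs the second pipeline stage is `grep -l "definitely lost: 0 bytes" $*`, which is handed the file list directly and so ignores the names piped in from the `ERROR SUMMARY: 0 errors` stage. A log that records errors but no definite leak would therefore pass through and be removed. The stage should read `xargs grep -l "definitely lost: 0 bytes" | \` like the two after it. The function is only reachable through the commented-out call at the bottom, so this shows up when someone enables it. Separately, the deletions would be safer as `rm -- "$f"` and `rm -- "$name"` with `read -r name`, since the unquoted expansions split on whitespace in file names.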