From: Will Fiveash Date: Wed, 28 Jan 2009 21:15:46 +0000 (+0000) Subject: svn merge -r21791:21820 svn+ssh://wfiveash@svn.mit.edu/krb5/trunk X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d91a7ff0542f620a296e5718c1c5d33240efa67a;p=thirdparty%2Fkrb5.git svn merge -r21791:21820 svn+ssh://wfiveash@svn.mit.edu/krb5/trunk All conflicts resolved, everything builds. Did a quick test, seems to work ok. git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mkey_migrate@21822 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/README b/README index 8b1f996409..a945960f6f 100644 --- a/README +++ b/README @@ -1,26 +1,26 @@ - Kerberos Version 5, Release 1.6 + Kerberos Version 5, Release 1.7 - Release Notes - The MIT Kerberos Team + Release Notes + The MIT Kerberos Team Unpacking the Source Distribution --------------------------------- The source distribution of Kerberos 5 comes in a gzipped tarfile, -krb5-1.6.tar.gz. Instructions on how to extract the entire +krb5-1.7.tar.gz. Instructions on how to extract the entire distribution follow. If you have the GNU tar program and gzip installed, you can simply do: - gtar zxpf krb5-1.6.tar.gz + gtar zxpf krb5-1.7.tar.gz If you don't have GNU tar, you will need to get the FSF gzip distribution and use gzcat: - gzcat krb5-1.6.tar.gz | tar xpf - + gzcat krb5-1.7.tar.gz | tar xpf - -Both of these methods will extract the sources into krb5-1.6/src and -the documentation into krb5-1.6/doc. +Both of these methods will extract the sources into krb5-1.7/src and +the documentation into krb5-1.7/doc. Building and Installing Kerberos 5 ---------------------------------- 
@@ -59,108 +59,38 @@ http://krbdev.mit.edu/rt/ and logging in as "guest" with password "guest". -Major changes in 1.6 ----------------------- - -* Partial client implementation to handle server name referrals. - -* Pre-authentication plug-in framework, donated by Red Hat. - -* LDAP KDB plug-in, donated by Novell. - -krb5-1.6 changes by ticket ID ------------------------------ - -Listed below are the RT tickets of bugs fixed in krb5-1.6. Please see - -http://krbdev.mit.edu/rt/NoAuth/krb5-1.6/fixed-1.6.html - -for a current listing with links to the complete tickets. - -1204 Unable to get a TGT cross-realm referral -2087 undocumented options for kpropd -2240 krb5-config --cflags gssapi when used by OpenSSH-snap-20040212 -2579 kdc: add_to_transited may reference off end of array... -2652 Add support for referrals -2876 Tree does not compile with GCC 4.0 -2935 KDB/LDAP backend -3089 krb5_verify_init_creds() is not thread safe -3091 add krb5_cc_new_unique() -3276 local array of structures not declared static -3288 NetIdMgr cannot obtain Kerberos 5 tickets containing addresses -3322 get_cred_via_tkt() checks too strict on server principal -3522 Error code definitions are outside macros to prevent multiple - inclusion in public headers -3735 Add TCP change/set password support -3947 allow multiple calls to krb5_get_error_message to retrieve message -3955 check calling conventions specified for Windows -3961 fix stdcc.c to build without USE_CCAPI_V3 -4021 use GSS_C_NO_CHANNEL_BINDINGS not NULL in lib/rpc/auth_gss.c -4023 Turn off KLL automatic prompting support in kadmin -4024 gss_acquire_cred auto prompt support shouldn't break - gss_krb5_ccache_name() -4025 need to look harder for tclConfig.sh -4055 remove unused Metrowerks support from yarrow -4056 g_canon_name.c if-statement warning cleanup -4057 GSSAPI opaque types should be pointers to opaque structs, not void* -4256 Make process error -4292 LDAP error prevents KfM 6.0 from building on Tiger -4294 Bad loop logic in 
krb5_mcc_generate_new -4304 audit referals merge (R18598) -4389 cursor for iterating over ccaches -4412 Don't segfault if a preauth plugin module fails to load -4455 IRIX build fails w/ GCC 4.0 (really GNU ld) -4482 enabling LDAP mix-in support for kdb5_util load -4488 osf1 -oldstyle_liblookup typo -4495 Avoid segfault in krb5_do_preauth_tryagain -4496 fix invalid access found by valgrind -4501 fix krb5_ldap_iterate to handle NULL match_expr and - open_db_and_mkey to use KRB5_KDB_SRV_TYPE_ADMIN -4534 don't confuse profile iterator in 425 princ conversion -4561 UC Berkeley BSD license change -4562 latest Novell ldap patches and kdb5_util dump support for ldap -4587 Change preauth plugin context scope and lifetimes -4624 remove t_prf and t_prf.o on make clean -4625 Make clean in lib/kdb leaves error table files -4657 krb5.h not C++-safe due to "struct krb5_cccol_cursor" -4683 Remove obsolete/conflicting prototype for krb524_convert_princs -4688 Add public function to get keylenth associated with an enctype -4689 Update minor version numbers for 1.6 -4690 Add "get_data" function to the client preauth plugin interface -4692 Document changing the krbtgt key -4693 Delay kadmind random number initialization until after fork -4735 more Novell ldap patches from Nov 6 and Fix for wrong password - policy reference count -4737 correct client preauth plugin request_context -4738 allow server preauth plugin verify_padata function to return e-data -4739 cccursor backend for CCAPI -4755 update copyrights and acknowledgments -4770 Add macros for __attribute__((deprecated)) for krb4 and des APIs -4771 LDAP patch from Novell, 2006-10-13 -4772 fix some warnings in ldap code -4774 avoid double frees in ccache manipulation around gen_new -4775 include realm in "can't resolve KDC" error message -4784 krb5_stdccv3_generate_new returns NULL ccache -4788 ccache double free in krb5_fcc_read_addrs(). 
-4799 krb5_c_keylength -> krb5_c_keylengths; add krb5_c_random_to_key -4805 replace existing calls of cc_gen_new() -4841 free error message when freeing context -4846 clean up preauth2 salt debug code -4860 fix LDAP plugin Makefile.in lib frag substitutions -4928 krb5int_copy_data_contents shouldn't free memory it didn't allocate -4941 referrals changes to telnet have unconditional debugging printfs -4942 skip all modules in plugin if init function fails -4955 Referrals code breaks krb5_set_password_using_ccache to Active - Directory -4967 referrals support assumes all rewrites produce TGS principals -4972 return edata from non-PA_REQUIRED preauth types -4973 send a new request with the new padata returned by - krb5_do_preauth_tryagain() +Major changes in 1.7 +-------------------- + +* Remove support for version 4 of the Kerberos protocol (krb4). + +* Client library now follows client principal referrals. + +* KDC can issue realm referrals for service principals based on domain + names. + +* Encryption algorithm negotiation (RFC 4537). + +* In the replay cache, use a hash over the complete ciphertext to + avoid false-positive replay indications. + +* Microsoft GSS_WrapEX, implemented using the gss_iov API, which is + similar to the equivalent SSPI functionality. + +* DCE RPC, including three-leg GSS context setup and unencapsulated + GSS tokens. + +* Microsoft set/change password (RFC 3244) protocol in kadmind. + +* Master key rollover support. + +Changes by ticket ID +-------------------- Copyright and Other Legal Notices --------------------------------- -Copyright (C) 1985-2007 by the Massachusetts Institute of Technology. +Copyright (C) 1985-2009 by the Massachusetts Institute of Technology. All rights reserved. 
@@ -201,7 +131,7 @@ manner. It does NOT prevent a commercial firm from referring to the MIT trademarks in order to convey information (although in doing so, recognition of their trademark status should be given). - -------------------- + -------------------- Portions of src/lib/crypto have the following copyright: @@ -230,7 +160,7 @@ Portions of src/lib/crypto have the following copyright: WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. - -------------------- + -------------------- The following copyright and permission notice applies to the OpenVision Kerberos Administration system located in kadmin/create, @@ -270,14 +200,14 @@ of lib/rpc: and our gratitude for the valuable work which has been performed by MIT and the Kerberos community. - -------------------- + -------------------- Portions contributed by Matt Crawford were work performed at Fermi National Accelerator Laboratory, which is operated by Universities Research Association, Inc., under contract DE-AC02-76CHO3000 with the U.S. Department of Energy. - -------------------- + -------------------- The implementation of the Yarrow pseudo-random number generator in src/lib/crypto/yarrow has the following copyright: @@ -303,7 +233,7 @@ src/lib/crypto/yarrow has the following copyright: ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTUOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - -------------------- + -------------------- The implementation of the AES encryption algorithm in src/lib/crypto/aes has the following copyright: @@ -332,7 +262,7 @@ src/lib/crypto/aes has the following copyright: in respect of any properties, including, but not limited to, correctness and fitness for purpose. - -------------------- + -------------------- Portions contributed by Red Hat, including the pre-authentication plug-ins framework, contain the following copyright: 
@@ -369,7 +299,7 @@ plug-ins framework, contain the following copyright: NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - -------------------- + -------------------- The implementations of GSSAPI mechglue in GSSAPI-SPNEGO in src/lib/gssapi, including the following files: @@ -452,7 +382,7 @@ are subject to the following license: TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. - -------------------- + -------------------- MIT Kerberos includes documentation and software developed at the University of California at Berkeley, which includes this copyright @@ -489,7 +419,7 @@ notice: OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - -------------------- + -------------------- Portions contributed by Novell, Inc., including the LDAP database backend, are subject to the following license: 
@@ -501,12 +431,12 @@ backend, are subject to the following license: modification, are permitted provided that the following conditions are met: * Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. + this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. * The copyright holder's name is not used to endorse or promote products - derived from this software without specific prior written permission. + derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE @@ -692,5 +622,5 @@ Matt Hancher, Sam Hartman, Paul Hill, Marc Horowitz, Eva Jacobus, Miroslav Jurisic, Barry Jaspan, Geoffrey King, Kevin Koch, John Kohl, Peter Litwack, Scott McGuire, Kevin Mitchell, Cliff Neuman, Paul Park, Ezra Peisach, Chris Provenzano, Ken Raeburn, Jon Rochlis, Jeff -Schiller, Jen Selby, Brad Thompson, Harry Tsai, Ted Ts'o, Marshall -Vale, Tom Yu. +Schiller, Jen Selby, Robert Silk, Brad Thompson, Harry Tsai, Zhanna +Tsitkova, Ted Ts'o, Marshall Vale, Tom Yu. diff --git a/src/appl/gssftp/ftpd/ftpd.M b/src/appl/gssftp/ftpd/ftpd.M index 33fc1d9c78..5cdc9b3537 100644 --- a/src/appl/gssftp/ftpd/ftpd.M +++ b/src/appl/gssftp/ftpd/ftpd.M 
@@ -122,12 +122,6 @@ file to use. The default value is normally \fB\-u\fP \fIumask\fP Sets the umask for the ftpd process. The default value is normally 027. .TP -\fB\-r\fP \fIrealm-file\fP -Sets the name of the -.I krb.conf -file to use. The default value is normally set by -.IR /etc/krb5.conf . -.TP \fB\-w \fP{\fBip\fP|\fImaxhostlen\fP[\fB,\fP{\fBstriplocal\fP|\fBnostriplocal\fP}]} Controls the form of the remote hostname passed to login(1). Specifying \fBip\fP results in the numeric IP address always being diff --git a/src/appl/gssftp/ftpd/ftpd.c b/src/appl/gssftp/ftpd/ftpd.c index 69f7ac392d..71e9855296 100644 --- a/src/appl/gssftp/ftpd/ftpd.c +++ b/src/appl/gssftp/ftpd/ftpd.c @@ -276,7 +276,7 @@ main(argc, argv, envp) int addrlen, c, on = 1, tos, port = -1; extern char *optarg; extern int optopt; - char *option_string = "AaCcdElp:r:T:t:U:u:vw:"; + char *option_string = "AaCcdElp:T:t:U:u:vw:"; ftpusers = _PATH_FTPUSERS_DEFAULT; debug = 0; @@ -334,10 +334,6 @@ main(argc, argv, envp) port = atoi(optarg); break; - case 'r': - setenv("KRB_CONF", optarg, 1); - break; - case 't': timeout = atoi(optarg); if (maxtimeout < timeout) diff --git a/src/config-files/krb5.conf b/src/config-files/krb5.conf index efc19e45d5..83af7e97ca 100644 --- a/src/config-files/krb5.conf +++ b/src/config-files/krb5.conf @@ -1,7 +1,5 @@ [libdefaults] default_realm = ATHENA.MIT.EDU - krb4_config = /usr/kerberos/lib/krb.conf - krb4_realms = /usr/kerberos/lib/krb.realms [realms] ATHENA.MIT.EDU = { diff --git a/src/config-files/krb5.conf.M b/src/config-files/krb5.conf.M index 1cfb1444ec..9115e32c91 100644 --- a/src/config-files/krb5.conf.M +++ b/src/config-files/krb5.conf.M 
@@ -176,18 +176,6 @@ do not support the default cache as created by this version of Kerberos. Use a value of 1 on DCE 1.0.3a systems, and a value of 2 on DCE 1.1 systems. -.IP krb4_srvtab -Specifies the location of the Kerberos V4 srvtab file. Default is -"/etc/srvtab". - -.IP krb4_config -Specifies the location of the Kerberos V4 configuration file. Default -is "/etc/krb.conf". - -.IP krb4_realms -Specifies the location of the Kerberos V4 domain/realm translation -file. Default is "/etc/krb.realms". - .IP dns_lookup_kdc Indicate whether DNS SRV records shoud be used to locate the KDCs and other servers for a realm, if they are not listed in the information diff --git a/src/include/adm.h b/src/include/adm.h index 34c195fa24..15b42d9ab8 100644 --- a/src/include/adm.h +++ b/src/include/adm.h @@ -1,7 +1,7 @@ /* * include/krb5/adm.h * - * Copyright 1995,2001 by the Massachusetts Institute of Technology. + * Copyright 1995,2001,2009 by the Massachusetts Institute of Technology. * All Rights Reserved. * * Export of this software from the United States of America may @@ -200,6 +200,8 @@ typedef struct __krb5_realm_params { char * realm_kdc_ports; char * realm_kdc_tcp_ports; char * realm_acl_file; + char * realm_host_based_services; + char * realm_no_host_referral; krb5_int32 realm_kadmind_port; krb5_enctype realm_enctype; krb5_deltat realm_max_life; diff --git a/src/include/adm_proto.h b/src/include/adm_proto.h index 04e6a47916..9d7002027b 100644 --- a/src/include/adm_proto.h +++ b/src/include/adm_proto.h @@ -1,7 +1,7 @@ /* * include/krb5/adm_proto.h * - * Copyright 1995, 2007 by the Massachusetts Institute of Technology. + * Copyright 1995, 2007,2008,2009 by the Massachusetts Institute of Technology. * All Rights Reserved. * * Export of this software from the United States of America may 
@@ -83,6 +83,8 @@ krb5_error_code krb5_aprof_get_deltat krb5_deltat *); krb5_error_code krb5_aprof_get_string (krb5_pointer, const char **, krb5_boolean, char **); +krb5_error_code krb5_aprof_get_string_all + (krb5_pointer, const char **, char **); krb5_error_code krb5_aprof_get_int32 (krb5_pointer, const char **, diff --git a/src/include/k5-int.h b/src/include/k5-int.h index f3da373bc2..063c303108 100644 --- a/src/include/k5-int.h +++ b/src/include/k5-int.h @@ -527,6 +527,9 @@ krb5_error_code os_get_default_config_files krb5_error_code krb5_os_hostaddr (krb5_context, const char *, krb5_address ***); +krb5_error_code krb5int_get_domain_realm_mapping + (krb5_context , const char *, char ***); + /* N.B.: You need to include fake-addrinfo.h *before* k5-int.h if you're going to use this structure. */ struct addrlist { diff --git a/src/include/k5-platform.h b/src/include/k5-platform.h index f4511278e7..23ddf69671 100644 --- a/src/include/k5-platform.h +++ b/src/include/k5-platform.h @@ -1,7 +1,7 @@ /* * k5-platform.h * - * Copyright 2003, 2004, 2005, 2007, 2008 Massachusetts Institute of Technology. + * Copyright 2003, 2004, 2005, 2007, 2008, 2009 Massachusetts Institute of Technology. * All Rights Reserved. * * Export of this software from the United States of America may @@ -534,8 +534,9 @@ static inline unsigned int k5_swap16 (unsigned int x) { #endif static inline void -store_16_be (unsigned int val, unsigned char *p) +store_16_be (unsigned int val, void *vp) { + unsigned char *p = vp; #if defined(__GNUC__) && defined(K5_BE) PUT(16,p,val); #elif defined(__GNUC__) && defined(K5_LE) && defined(SWAP16) @@ -546,8 +547,9 @@ store_16_be (unsigned int val, unsigned char *p) #endif } static inline void -store_32_be (unsigned int val, unsigned char *p) +store_32_be (unsigned int val, void *vp) { + unsigned char *p = vp; #if defined(__GNUC__) && defined(K5_BE) PUT(32,p,val); #elif defined(__GNUC__) && defined(K5_LE) && defined(SWAP32) 
@@ -560,8 +562,9 @@ store_32_be (unsigned int val, unsigned char *p) #endif } static inline void -store_64_be (UINT64_TYPE val, unsigned char *p) +store_64_be (UINT64_TYPE val, void *vp) { + unsigned char *p = vp; #if defined(__GNUC__) && defined(K5_BE) PUT(64,p,val); #elif defined(__GNUC__) && defined(K5_LE) && defined(SWAP64) @@ -578,8 +581,9 @@ store_64_be (UINT64_TYPE val, unsigned char *p) #endif } static inline unsigned short -load_16_be (const unsigned char *p) +load_16_be (const void *cvp) { + const unsigned char *p = cvp; #if defined(__GNUC__) && defined(K5_BE) return GET(16,p); #elif defined(__GNUC__) && defined(K5_LE) && defined(SWAP16) @@ -589,8 +593,9 @@ load_16_be (const unsigned char *p) #endif } static inline unsigned int -load_32_be (const unsigned char *p) +load_32_be (const void *cvp) { + const unsigned char *p = cvp; #if defined(__GNUC__) && defined(K5_BE) return GET(32,p); #elif defined(__GNUC__) && defined(K5_LE) && defined(SWAP32) @@ -602,8 +607,9 @@ load_32_be (const unsigned char *p) #endif } static inline UINT64_TYPE -load_64_be (const unsigned char *p) +load_64_be (const void *cvp) { + const unsigned char *p = cvp; #if defined(__GNUC__) && defined(K5_BE) return GET(64,p); #elif defined(__GNUC__) && defined(K5_LE) && defined(SWAP64) @@ -613,8 +619,9 @@ load_64_be (const unsigned char *p) #endif } static inline void -store_16_le (unsigned int val, unsigned char *p) +store_16_le (unsigned int val, void *vp) { + unsigned char *p = vp; #if defined(__GNUC__) && defined(K5_LE) PUT(16,p,val); #elif defined(__GNUC__) && defined(K5_BE) && defined(SWAP16) @@ -625,8 +632,9 @@ store_16_le (unsigned int val, unsigned char *p) #endif } static inline void -store_32_le (unsigned int val, unsigned char *p) +store_32_le (unsigned int val, void *vp) { + unsigned char *p = vp; #if defined(__GNUC__) && defined(K5_LE) PUT(32,p,val); #elif defined(__GNUC__) && defined(K5_BE) && defined(SWAP32) 
@@ -639,8 +647,9 @@ store_32_le (unsigned int val, unsigned char *p) #endif } static inline void -store_64_le (UINT64_TYPE val, unsigned char *p) +store_64_le (UINT64_TYPE val, void *vp) { + unsigned char *p = vp; #if defined(__GNUC__) && defined(K5_LE) PUT(64,p,val); #elif defined(__GNUC__) && defined(K5_BE) && defined(SWAP64) @@ -657,8 +666,9 @@ store_64_le (UINT64_TYPE val, unsigned char *p) #endif } static inline unsigned short -load_16_le (const unsigned char *p) +load_16_le (const void *cvp) { + const unsigned char *p = cvp; #if defined(__GNUC__) && defined(K5_LE) return GET(16,p); #elif defined(__GNUC__) && defined(K5_BE) && defined(SWAP16) @@ -668,8 +678,9 @@ load_16_le (const unsigned char *p) #endif } static inline unsigned int -load_32_le (const unsigned char *p) +load_32_le (const void *cvp) { + const unsigned char *p = cvp; #if defined(__GNUC__) && defined(K5_LE) return GET(32,p); #elif defined(__GNUC__) && defined(K5_BE) && defined(SWAP32) @@ -679,8 +690,9 @@ load_32_le (const unsigned char *p) #endif } static inline UINT64_TYPE -load_64_le (const unsigned char *p) +load_64_le (const void *cvp) { + const unsigned char *p = cvp; #if defined(__GNUC__) && defined(K5_LE) return GET(64,p); #elif defined(__GNUC__) && defined(K5_BE) && defined(SWAP64) @@ -691,7 +703,7 @@ load_64_le (const unsigned char *p) } static inline unsigned short -load_16_n (const unsigned char *p) +load_16_n (const void *p) { #ifdef _WIN32 unsigned __int16 n; @@ -702,7 +714,7 @@ load_16_n (const unsigned char *p) return n; } static inline unsigned int -load_32_n (const unsigned char *p) +load_32_n (const void *p) { #ifdef _WIN32 unsigned __int32 n; @@ -713,7 +725,7 @@ load_32_n (const unsigned char *p) return n; } static inline UINT64_TYPE -load_64_n (const unsigned char *p) +load_64_n (const void *p) { UINT64_TYPE n; memcpy(&n, p, 8); diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c index ab42e9a6a5..69ebec4322 100644 --- a/src/kadmin/dbutil/dump.c 
+++ b/src/kadmin/dbutil/dump.c @@ -589,8 +589,8 @@ dump_k5beta_iterator(ptr, entry) krb5_dbe_lookup_last_pwd_change(arg->kcontext, entry, &last_pwd_change))) { fprintf(stderr, nokeys_err, arg->programname, name); - krb5_xfree(mod_name); - krb5_xfree(name); + free(mod_name); + free(name); return(retval); } @@ -606,8 +606,8 @@ dump_k5beta_iterator(ptr, entry) KRB5_KDB_SALTTYPE_V4, &akey))) { fprintf(stderr, nokeys_err, arg->programname, name); - krb5_xfree(mod_name); - krb5_xfree(name); + free(mod_name); + free(name); return(retval); } @@ -672,9 +672,9 @@ dump_k5beta_iterator(ptr, entry) /* If we're blabbing, do it */ if (arg->verbose) fprintf(stderr, "%s\n", name); - krb5_xfree(mod_name); + free(mod_name); } - krb5_xfree(name); + free(name); return(0); } @@ -849,7 +849,7 @@ dump_k5beta6_iterator_ext(ptr, entry, kadm) retval = EINVAL; } } - krb5_xfree(name); + free(name); return(retval); } diff --git a/src/kadmin/ktutil/ktutil.c b/src/kadmin/ktutil/ktutil.c index 26a2b9ddb3..5a6ee783be 100644 --- a/src/kadmin/ktutil/ktutil.c +++ b/src/kadmin/ktutil/ktutil.c @@ -265,7 +265,7 @@ void ktutil_list(argc, argv) printf(")"); } printf("\n"); - krb5_xfree(pname); + free(pname); } } diff --git a/src/kadmin/server/schpw.c b/src/kadmin/server/schpw.c index 517ea7d2c2..c3b7fa1e3e 100644 --- a/src/kadmin/server/schpw.c +++ b/src/kadmin/server/schpw.c @@ -251,7 +251,7 @@ process_chpw_request(context, server_handle, realm, keytab, /* zap the password */ memset(clear.data, 0, clear.length); memset(ptr, 0, clear.length); - krb5_xfree(clear.data); + free(clear.data); free(ptr); clear.length = 0; @@ -378,7 +378,7 @@ chpwfail: reply */ if (ap_rep.length) { - krb5_xfree(ap_rep.data); + free(ap_rep.data); ap_rep.length = 0; } 
@@ -457,13 +457,13 @@ bailout: if (changepw) krb5_free_principal(context, changepw); if (ap_rep.length) - krb5_xfree(ap_rep.data); + free(ap_rep.data); if (ticket) krb5_free_ticket(context, ticket); if (clear.length) - krb5_xfree(clear.data); + free(clear.data); if (cipher.length) - krb5_xfree(cipher.data); + free(cipher.data); if (target) krb5_free_principal(context, target); if (targetstr) diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c index 74a3899e38..f5bc3de0a3 100644 --- a/src/kdc/do_tgs_req.c +++ b/src/kdc/do_tgs_req.c @@ -1,3 +1,4 @@ +/* -*- mode: c; indent-tabs-mode: nil -*- */ /* * kdc/do_tgs_req.c * @@ -71,18 +72,25 @@ #include "extern.h" #include "adm_proto.h" +static void +find_alternate_tgs (krb5_kdc_req *, krb5_db_entry *, + krb5_boolean *, int *); + +static krb5_error_code +prepare_error_tgs (krb5_kdc_req *, krb5_ticket *, + int, krb5_principal, + krb5_data **, const char *); -static void find_alternate_tgs (krb5_kdc_req *, krb5_db_entry *, - krb5_boolean *, int *); +static krb5_int32 +is_substr (char *, krb5_data *); -static krb5_error_code prepare_error_tgs (krb5_kdc_req *, krb5_ticket *, - int, krb5_principal, - krb5_data **, const char *); +static krb5_int32 +prep_reprocess_req(krb5_kdc_req *, krb5_principal *); /*ARGSUSED*/ krb5_error_code process_tgs_req(krb5_data *pkt, const krb5_fulladdr *from, - krb5_data **response) + krb5_data **response) { krb5_keyblock * subkey = 0; krb5_kdc_req *request = 0; 
@@ -105,64 +113,58 @@ process_tgs_req(krb5_data *pkt, const krb5_fulladdr *from, krb5_key_data *server_key; char *cname = 0, *sname = 0, *altcname = 0; krb5_last_req_entry *nolrarray[2], nolrentry; -/* krb5_address *noaddrarray[1]; */ krb5_enctype useenctype; - int errcode, errcode2; + int errcode, errcode2; register int i; int firstpass = 1; - const char *status = 0; + const char *status = 0; krb5_enc_tkt_part *header_enc_tkt = NULL; /* ticket granting or evidence ticket */ krb5_db_entry client, krbtgt; int c_nprincs = 0, k_nprincs = 0; - krb5_pa_for_user *for_user = NULL; /* protocol transition request */ - krb5_authdata **kdc_issued_auth_data = NULL; /* auth data issued by KDC */ - unsigned int c_flags = 0, s_flags = 0; /* client/server KDB flags */ + krb5_pa_for_user *for_user = NULL; /* protocol transition request */ + krb5_authdata **kdc_issued_auth_data = NULL; /* auth data issued by KDC */ + unsigned int c_flags = 0, s_flags = 0; /* client/server KDB flags */ char *s4u_name = NULL; - krb5_boolean is_referral; + krb5_boolean is_referral, db_ref_done = FALSE; const char *emsg = NULL; + krb5_data *tgs_1 =NULL, *server_1 = NULL; + krb5_principal krbtgt_princ; + krb5_kvno ticket_kvno = 0; session_key.contents = NULL; retval = decode_krb5_tgs_req(pkt, &request); if (retval) - return retval; + return retval; /* * setup_server_realm() sets up the global realm-specific data pointer. 
*/ if ((retval = setup_server_realm(request->server))) { - krb5_free_kdc_req(kdc_context, request); - return retval; - } - - if ((errcode = krb5_unparse_name(kdc_context, request->server, &sname))) { - status = "UNPARSING SERVER"; - goto cleanup; + krb5_free_kdc_req(kdc_context, request); + return retval; } - limit_string(sname); - - /* errcode = kdc_process_tgs_req(request, from, pkt, &req_authdat); */ errcode = kdc_process_tgs_req(request, from, pkt, &header_ticket, - &krbtgt, &k_nprincs, &subkey); + &krbtgt, &k_nprincs, &subkey); if (header_ticket && header_ticket->enc_part2 && - (errcode2 = krb5_unparse_name(kdc_context, - header_ticket->enc_part2->client, - &cname))) { - status = "UNPARSING CLIENT"; - errcode = errcode2; - goto cleanup; + (errcode2 = krb5_unparse_name(kdc_context, + header_ticket->enc_part2->client, + &cname))) { + status = "UNPARSING CLIENT"; + errcode = errcode2; + goto cleanup; } limit_string(cname); if (errcode) { - status = "PROCESS_TGS"; - goto cleanup; + status = "PROCESS_TGS"; + goto cleanup; } if (!header_ticket) { - errcode = KRB5_NO_TKT_SUPPLIED; /* XXX? */ - status="UNEXPECTED NULL in header_ticket"; - goto cleanup; + errcode = KRB5_NO_TKT_SUPPLIED; /* XXX? */ + status="UNEXPECTED NULL in header_ticket"; + goto cleanup; } /* 
@@ -182,81 +184,110 @@ process_tgs_req(krb5_data *pkt, const krb5_fulladdr *from, /* XXX make sure server here has the proper realm...taken from AP_REQ header? */ - nprincs = 1; if (isflagset(request->kdc_options, KDC_OPT_CANONICALIZE)) { - setflag(c_flags, KRB5_KDB_FLAG_CANONICALIZE); - setflag(s_flags, KRB5_KDB_FLAG_CANONICALIZE); + setflag(c_flags, KRB5_KDB_FLAG_CANONICALIZE); + setflag(s_flags, KRB5_KDB_FLAG_CANONICALIZE); + } + + db_ref_done = FALSE; + +ref_tgt_again: + nprincs = 1; + if ((errcode = krb5_unparse_name(kdc_context, request->server, &sname))) { + status = "UNPARSING SERVER"; + goto cleanup; } + limit_string(sname); errcode = krb5_db_get_principal_ext(kdc_context, - request->server, - s_flags, - &server, - &nprincs, - &more); + request->server, + s_flags, + &server, + &nprincs, + &more); if (errcode) { - status = "LOOKING_UP_SERVER"; - nprincs = 0; - goto cleanup; + status = "LOOKING_UP_SERVER"; + nprincs = 0; + goto cleanup; } tgt_again: if (more) { - status = "NON_UNIQUE_PRINCIPAL"; - errcode = KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE; - goto cleanup; + status = "NON_UNIQUE_PRINCIPAL"; + errcode = KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE; + goto cleanup; } else if (nprincs != 1) { - /* - * might be a request for a TGT for some other realm; we - * should do our best to find such a TGS in this db - */ - if (firstpass && krb5_is_tgs_principal(request->server) == TRUE) { - if (krb5_princ_size(kdc_context, request->server) == 2) { - krb5_data *server_1 = - krb5_princ_component(kdc_context, request->server, 1); - krb5_data *tgs_1 = - krb5_princ_component(kdc_context, tgs_server, 1); - - if (!tgs_1 || !data_eq(*server_1, *tgs_1)) { - krb5_db_free_principal(kdc_context, &server, nprincs); - find_alternate_tgs(request, &server, &more, &nprincs); - firstpass = 0; - goto tgt_again; - } - } - } - krb5_db_free_principal(kdc_context, &server, nprincs); - status = "UNKNOWN_SERVER"; - errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; - goto cleanup; + /* + * might be a request for a 
TGT for some other realm; we + * should do our best to find such a TGS in this db + */ + if (firstpass ) { + + if ( krb5_is_tgs_principal(request->server) == TRUE) { /* Principal is a name of krb ticket service */ + if (krb5_princ_size(kdc_context, request->server) == 2) { + + server_1 = krb5_princ_component(kdc_context, request->server, 1); + tgs_1 = krb5_princ_component(kdc_context, tgs_server, 1); + + if (!tgs_1 || !data_eq(*server_1, *tgs_1)) { + krb5_db_free_principal(kdc_context, &server, nprincs); + find_alternate_tgs(request, &server, &more, &nprincs); + firstpass = 0; + goto tgt_again; + } + } + krb5_db_free_principal(kdc_context, &server, nprincs); + status = "UNKNOWN_SERVER"; + errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; + goto cleanup; + + } else if ( db_ref_done == FALSE) { + retval = prep_reprocess_req(request, &krbtgt_princ); + if (!retval) { + krb5_free_principal(kdc_context, request->server); + retval = krb5_copy_principal(kdc_context, krbtgt_princ, &(request->server)); + if (!retval) { + db_ref_done = TRUE; + if (sname != NULL) + free(sname); + goto ref_tgt_again; + } + } + } + } + + krb5_db_free_principal(kdc_context, &server, nprincs); + status = "UNKNOWN_SERVER"; + errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; + goto cleanup; } if ((errcode = krb5_timeofday(kdc_context, &kdc_time))) { - status = "TIME_OF_DAY"; - goto cleanup; + status = "TIME_OF_DAY"; + goto cleanup; } if ((retval = validate_tgs_request(request, server, header_ticket, - kdc_time, &status))) { - if (!status) - status = "UNKNOWN_REASON"; - errcode = retval + ERROR_TABLE_BASE_krb5; - goto cleanup; + kdc_time, &status))) { + if (!status) + status = "UNKNOWN_REASON"; + errcode = retval + ERROR_TABLE_BASE_krb5; + goto cleanup; } if (!is_local_principal(header_enc_tkt->client)) - setflag(c_flags, KRB5_KDB_FLAG_CROSS_REALM); + setflag(c_flags, KRB5_KDB_FLAG_CROSS_REALM); is_referral = krb5_is_tgs_principal(server.princ) && - !krb5_principal_compare(kdc_context, tgs_server, server.princ); + 
!krb5_principal_compare(kdc_context, tgs_server, server.princ); /* Check for protocol transition */ errcode = kdc_process_s4u2self_req(kdc_context, request, header_enc_tkt->client, - &server, header_enc_tkt->session, kdc_time, - &for_user, &client, &c_nprincs, &status); + &server, header_enc_tkt->session, kdc_time, + &for_user, &client, &c_nprincs, &status); if (errcode) - goto cleanup; + goto cleanup; if (for_user != NULL) - setflag(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION); + setflag(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION); /* * We pick the session keytype here.... 
@@ -271,114 +302,114 @@ tgt_again: */ useenctype = 0; if (isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY | - KDC_OPT_CNAME_IN_ADDL_TKT)) { - krb5_keyblock * st_sealing_key; - krb5_kvno st_srv_kvno; - krb5_enctype etype; - krb5_db_entry st_client; - int st_nprincs = 0; - - /* - * Get the key for the second ticket, and decrypt it. - */ - if ((errcode = kdc_get_server_key(request->second_ticket[st_idx], - c_flags, - TRUE, /* match_enctype */ - &st_client, - &st_nprincs, - &st_sealing_key, - &st_srv_kvno))) { - status = "2ND_TKT_SERVER"; - goto cleanup; - } - errcode = krb5_decrypt_tkt_part(kdc_context, st_sealing_key, - request->second_ticket[st_idx]); - krb5_free_keyblock(kdc_context, st_sealing_key); - if (errcode) { - status = "2ND_TKT_DECRYPT"; - krb5_db_free_principal(kdc_context, &st_client, st_nprincs); - goto cleanup; - } - - etype = request->second_ticket[st_idx]->enc_part2->session->enctype; - if (!krb5_c_valid_enctype(etype)) { - status = "BAD_ETYPE_IN_2ND_TKT"; - errcode = KRB5KDC_ERR_ETYPE_NOSUPP; - krb5_db_free_principal(kdc_context, &st_client, st_nprincs); - goto cleanup; - } - - for (i = 0; i < request->nktypes; i++) { - if (request->ktype[i] == etype) { - useenctype = etype; - break; - } - } - - if (isflagset(request->kdc_options, KDC_OPT_CNAME_IN_ADDL_TKT)) { - /* Do constrained delegation protocol and authorization checks */ - errcode = kdc_process_s4u2proxy_req(kdc_context, - request, - request->second_ticket[st_idx]->enc_part2, - &st_client, - header_ticket->enc_part2->client, - request->server, - &status); - if (errcode) - goto cleanup; - - setflag(c_flags, KRB5_KDB_FLAG_CONSTRAINED_DELEGATION); - - assert(krb5_is_tgs_principal(header_ticket->server)); - - /* From now on, use evidence ticket as header ticket */ - header_enc_tkt = request->second_ticket[st_idx]->enc_part2; - - assert(c_nprincs == 0); /* assured by kdc_process_s4u2self_req() */ - - client = st_client; - c_nprincs = st_nprincs; - } else { - /* "client" is not used for 
user2user */ - krb5_db_free_principal(kdc_context, &st_client, st_nprincs); - } + KDC_OPT_CNAME_IN_ADDL_TKT)) { + krb5_keyblock * st_sealing_key; + krb5_kvno st_srv_kvno; + krb5_enctype etype; + krb5_db_entry st_client; + int st_nprincs = 0; + + /* + * Get the key for the second ticket, and decrypt it. + */ + if ((errcode = kdc_get_server_key(request->second_ticket[st_idx], + c_flags, + TRUE, /* match_enctype */ + &st_client, + &st_nprincs, + &st_sealing_key, + &st_srv_kvno))) { + status = "2ND_TKT_SERVER"; + goto cleanup; + } + errcode = krb5_decrypt_tkt_part(kdc_context, st_sealing_key, + request->second_ticket[st_idx]); + krb5_free_keyblock(kdc_context, st_sealing_key); + if (errcode) { + status = "2ND_TKT_DECRYPT"; + krb5_db_free_principal(kdc_context, &st_client, st_nprincs); + goto cleanup; + } + + etype = request->second_ticket[st_idx]->enc_part2->session->enctype; + if (!krb5_c_valid_enctype(etype)) { + status = "BAD_ETYPE_IN_2ND_TKT"; + errcode = KRB5KDC_ERR_ETYPE_NOSUPP; + krb5_db_free_principal(kdc_context, &st_client, st_nprincs); + goto cleanup; + } + + for (i = 0; i < request->nktypes; i++) { + if (request->ktype[i] == etype) { + useenctype = etype; + break; + } + } + + if (isflagset(request->kdc_options, KDC_OPT_CNAME_IN_ADDL_TKT)) { + /* Do constrained delegation protocol and authorization checks */ + errcode = kdc_process_s4u2proxy_req(kdc_context, + request, + request->second_ticket[st_idx]->enc_part2, + &st_client, + header_ticket->enc_part2->client, + request->server, + &status); + if (errcode) + goto cleanup; + + setflag(c_flags, KRB5_KDB_FLAG_CONSTRAINED_DELEGATION); + + assert(krb5_is_tgs_principal(header_ticket->server)); + + /* From now on, use evidence ticket as header ticket */ + header_enc_tkt = request->second_ticket[st_idx]->enc_part2; + + assert(c_nprincs == 0); /* assured by kdc_process_s4u2self_req() */ + + client = st_client; + c_nprincs = st_nprincs; + } else { + /* "client" is not used for user2user */ + 
krb5_db_free_principal(kdc_context, &st_client, st_nprincs); + } } /* * Select the keytype for the ticket session key. */ if ((useenctype == 0) && - (useenctype = select_session_keytype(kdc_context, &server, - request->nktypes, - request->ktype)) == 0) { - /* unsupported ktype */ - status = "BAD_ENCRYPTION_TYPE"; - errcode = KRB5KDC_ERR_ETYPE_NOSUPP; - goto cleanup; + (useenctype = select_session_keytype(kdc_context, &server, + request->nktypes, + request->ktype)) == 0) { + /* unsupported ktype */ + status = "BAD_ENCRYPTION_TYPE"; + errcode = KRB5KDC_ERR_ETYPE_NOSUPP; + goto cleanup; } errcode = krb5_c_make_random_key(kdc_context, useenctype, &session_key); if (errcode) { - /* random key failed */ - status = "RANDOM_KEY_FAILED"; - goto cleanup; + /* random key failed */ + status = "RANDOM_KEY_FAILED"; + goto cleanup; } authtime = header_enc_tkt->times.authtime; if (is_referral) - ticket_reply.server = server.princ; + ticket_reply.server = server.princ; else - ticket_reply.server = request->server; /* XXX careful for realm... */ + ticket_reply.server = request->server; /* XXX careful for realm... */ enc_tkt_reply.flags = 0; enc_tkt_reply.times.starttime = 0; if (isflagset(server.attributes, KRB5_KDB_OK_AS_DELEGATE) && - !is_referral) { - /* Ensure that we are not returning a referral */ - setflag(enc_tkt_reply.flags, TKT_FLG_OK_AS_DELEGATE); + !is_referral) { + /* Ensure that we are not returning a referral */ + setflag(enc_tkt_reply.flags, TKT_FLG_OK_AS_DELEGATE); } /* 
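Review bot: in the KDC_OPT_CNAME_IN_ADDL_TKT branch, the error path after kdc_process_s4u2proxy_req() does "if (errcode) goto cleanup;" without releasing st_client, while the 2ND_TKT_DECRYPT and BAD_ETYPE_IN_2ND_TKT paths just above both call krb5_db_free_principal(kdc_context, &st_client, st_nprincs) first. At that point st_client has not yet been handed over to client/c_nprincs, so nothing in the cleanup: block will free it. Unless kdc_process_s4u2proxy_req() releases the entry itself (not visible here), add the same krb5_db_free_principal() call before the goto.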
@@ -386,13 +417,13 @@ tgt_again: * authtime's value. */ if (!(header_enc_tkt->times.starttime)) - header_enc_tkt->times.starttime = header_enc_tkt->times.authtime; + header_enc_tkt->times.starttime = header_enc_tkt->times.authtime; /* don't use new addresses unless forwarded, see below */ enc_tkt_reply.caddrs = header_enc_tkt->caddrs; /* noaddrarray[0] = 0; */ - reply_encpart.caddrs = 0; /* optional...don't put it in */ + reply_encpart.caddrs = 0;/* optional...don't put it in */ reply_encpart.enc_padata = NULL; /* It should be noted that local policy may affect the */ 
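Review bot: the changed lines in this hunk differ from the originals only in whitespace, and the reply_encpart.caddrs line loses the space before its trailing comment ("reply_encpart.caddrs = 0;/* optional...don't put it in */"). Restore the space, and consider keeping reindentation out of the merge commit so the functional changes to do_tgs_req are not buried in it.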
@@ -400,105 +431,105 @@ tgt_again: /* realms may refuse to issue renewable tickets */ if (isflagset(request->kdc_options, KDC_OPT_FORWARDABLE)) - setflag(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE); + setflag(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE); if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION)) { - if (!krb5_is_tgs_principal(server.princ) && - is_local_principal(server.princ)) { - if (isflagset(server.attributes, KRB5_KDB_OK_TO_AUTH_AS_DELEGATE)) - setflag(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE); - else - clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE); - } - if (isflagset(client.attributes, KRB5_KDB_DISALLOW_FORWARDABLE)) - clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE); + if (!krb5_is_tgs_principal(server.princ) && + is_local_principal(server.princ)) { + if (isflagset(server.attributes, KRB5_KDB_OK_TO_AUTH_AS_DELEGATE)) + setflag(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE); + else + clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE); + } + if (isflagset(client.attributes, KRB5_KDB_DISALLOW_FORWARDABLE)) + clear(enc_tkt_reply.flags, TKT_FLG_FORWARDABLE); } if (isflagset(request->kdc_options, KDC_OPT_FORWARDED)) { - setflag(enc_tkt_reply.flags, TKT_FLG_FORWARDED); + setflag(enc_tkt_reply.flags, TKT_FLG_FORWARDED); - /* include new addresses in ticket & reply */ + /* include new addresses in ticket & reply */ - enc_tkt_reply.caddrs = request->addresses; - reply_encpart.caddrs = request->addresses; - } + enc_tkt_reply.caddrs = request->addresses; + reply_encpart.caddrs = request->addresses; + } if (isflagset(header_enc_tkt->flags, TKT_FLG_FORWARDED)) - setflag(enc_tkt_reply.flags, TKT_FLG_FORWARDED); + setflag(enc_tkt_reply.flags, TKT_FLG_FORWARDED); if (isflagset(request->kdc_options, KDC_OPT_PROXIABLE)) - setflag(enc_tkt_reply.flags, TKT_FLG_PROXIABLE); + setflag(enc_tkt_reply.flags, TKT_FLG_PROXIABLE); if (isflagset(request->kdc_options, KDC_OPT_PROXY)) { - setflag(enc_tkt_reply.flags, TKT_FLG_PROXY); + setflag(enc_tkt_reply.flags, TKT_FLG_PROXY); - /* 
include new addresses in ticket & reply */ + /* include new addresses in ticket & reply */ - enc_tkt_reply.caddrs = request->addresses; - reply_encpart.caddrs = request->addresses; + enc_tkt_reply.caddrs = request->addresses; + reply_encpart.caddrs = request->addresses; } if (isflagset(request->kdc_options, KDC_OPT_ALLOW_POSTDATE)) - setflag(enc_tkt_reply.flags, TKT_FLG_MAY_POSTDATE); + setflag(enc_tkt_reply.flags, TKT_FLG_MAY_POSTDATE); if (isflagset(request->kdc_options, KDC_OPT_POSTDATED)) { - setflag(enc_tkt_reply.flags, TKT_FLG_POSTDATED); - setflag(enc_tkt_reply.flags, TKT_FLG_INVALID); - enc_tkt_reply.times.starttime = request->from; + setflag(enc_tkt_reply.flags, TKT_FLG_POSTDATED); + setflag(enc_tkt_reply.flags, TKT_FLG_INVALID); + enc_tkt_reply.times.starttime = request->from; } else - enc_tkt_reply.times.starttime = kdc_time; + enc_tkt_reply.times.starttime = kdc_time; if (isflagset(request->kdc_options, KDC_OPT_VALIDATE)) { - assert(isflagset(c_flags, KRB5_KDB_FLAGS_S4U) == 0); - /* BEWARE of allocation hanging off of ticket & enc_part2, it belongs - to the caller */ - ticket_reply = *(header_ticket); - enc_tkt_reply = *(header_ticket->enc_part2); - clear(enc_tkt_reply.flags, TKT_FLG_INVALID); + assert(isflagset(c_flags, KRB5_KDB_FLAGS_S4U) == 0); + /* BEWARE of allocation hanging off of ticket & enc_part2, it belongs + to the caller */ + ticket_reply = *(header_ticket); + enc_tkt_reply = *(header_ticket->enc_part2); + clear(enc_tkt_reply.flags, TKT_FLG_INVALID); } if (isflagset(request->kdc_options, KDC_OPT_RENEW)) { - krb5_deltat old_life; + krb5_deltat old_life; - assert(isflagset(c_flags, KRB5_KDB_FLAGS_S4U) == 0); - /* BEWARE of allocation hanging off of ticket & enc_part2, it belongs - to the caller */ - ticket_reply = *(header_ticket); - enc_tkt_reply = *(header_ticket->enc_part2); + assert(isflagset(c_flags, KRB5_KDB_FLAGS_S4U) == 0); + /* BEWARE of allocation hanging off of ticket & enc_part2, it belongs + to the caller */ + ticket_reply = 
*(header_ticket); + enc_tkt_reply = *(header_ticket->enc_part2); - old_life = enc_tkt_reply.times.endtime - enc_tkt_reply.times.starttime; + old_life = enc_tkt_reply.times.endtime - enc_tkt_reply.times.starttime; - enc_tkt_reply.times.starttime = kdc_time; - enc_tkt_reply.times.endtime = - min(header_ticket->enc_part2->times.renew_till, - kdc_time + old_life); + enc_tkt_reply.times.starttime = kdc_time; + enc_tkt_reply.times.endtime = + min(header_ticket->enc_part2->times.renew_till, + kdc_time + old_life); } else { - /* not a renew request */ - enc_tkt_reply.times.starttime = kdc_time; - until = (request->till == 0) ? kdc_infinity : request->till; - enc_tkt_reply.times.endtime = - min(until, min(enc_tkt_reply.times.starttime + server.max_life, - min(enc_tkt_reply.times.starttime + max_life_for_realm, - header_enc_tkt->times.endtime))); - if (isflagset(request->kdc_options, KDC_OPT_RENEWABLE_OK) && - (enc_tkt_reply.times.endtime < request->till) && - isflagset(header_enc_tkt->flags, TKT_FLG_RENEWABLE)) { - setflag(request->kdc_options, KDC_OPT_RENEWABLE); - request->rtime = - min(request->till, header_enc_tkt->times.renew_till); - } + /* not a renew request */ + enc_tkt_reply.times.starttime = kdc_time; + until = (request->till == 0) ? kdc_infinity : request->till; + enc_tkt_reply.times.endtime = + min(until, min(enc_tkt_reply.times.starttime + server.max_life, + min(enc_tkt_reply.times.starttime + max_life_for_realm, + header_enc_tkt->times.endtime))); + if (isflagset(request->kdc_options, KDC_OPT_RENEWABLE_OK) && + (enc_tkt_reply.times.endtime < request->till) && + isflagset(header_enc_tkt->flags, TKT_FLG_RENEWABLE)) { + setflag(request->kdc_options, KDC_OPT_RENEWABLE); + request->rtime = + min(request->till, header_enc_tkt->times.renew_till); + } } rtime = (request->rtime == 0) ? 
kdc_infinity : request->rtime; if (isflagset(request->kdc_options, KDC_OPT_RENEWABLE)) { - /* already checked above in policy check to reject request for a - renewable ticket using a non-renewable ticket */ - setflag(enc_tkt_reply.flags, TKT_FLG_RENEWABLE); - enc_tkt_reply.times.renew_till = - min(rtime, - min(header_enc_tkt->times.renew_till, - enc_tkt_reply.times.starttime + - min(server.max_renewable_life, - max_renewable_life_for_realm))); + /* already checked above in policy check to reject request for a + renewable ticket using a non-renewable ticket */ + setflag(enc_tkt_reply.flags, TKT_FLG_RENEWABLE); + enc_tkt_reply.times.renew_till = + min(rtime, + min(header_enc_tkt->times.renew_till, + enc_tkt_reply.times.starttime + + min(server.max_renewable_life, + max_renewable_life_for_realm))); } else { - enc_tkt_reply.times.renew_till = 0; + enc_tkt_reply.times.renew_till = 0; } /* 
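Review bot: the KDC_OPT_VALIDATE and KDC_OPT_RENEW branches both rely on assert(isflagset(c_flags, KRB5_KDB_FLAGS_S4U) == 0) to rule out S4U requests, and c_flags is derived from the request being processed. With assertions enabled a violated condition terminates the KDC; with NDEBUG the check disappears and the header ticket is copied into the reply regardless. If an earlier policy check guarantees this, say so in a comment naming that check; otherwise replace the assert with an explicit test that sets status and errcode and jumps to cleanup, as the rest of this function does.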
@@ -510,43 +541,43 @@ tgt_again: * Propagate the preauthentication flags through to the returned ticket. */ if (isflagset(header_enc_tkt->flags, TKT_FLG_PRE_AUTH)) - setflag(enc_tkt_reply.flags, TKT_FLG_PRE_AUTH); + setflag(enc_tkt_reply.flags, TKT_FLG_PRE_AUTH); if (isflagset(header_enc_tkt->flags, TKT_FLG_HW_AUTH)) - setflag(enc_tkt_reply.flags, TKT_FLG_HW_AUTH); + setflag(enc_tkt_reply.flags, TKT_FLG_HW_AUTH); /* starttime is optional, and treated as authtime if not present. so we can nuke it if it matches */ if (enc_tkt_reply.times.starttime == enc_tkt_reply.times.authtime) - enc_tkt_reply.times.starttime = 0; + enc_tkt_reply.times.starttime = 0; if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION)) { - errcode = krb5_unparse_name(kdc_context, for_user->user, &s4u_name); + errcode = krb5_unparse_name(kdc_context, for_user->user, &s4u_name); } else if (isflagset(c_flags, KRB5_KDB_FLAG_CONSTRAINED_DELEGATION)) { - errcode = krb5_unparse_name(kdc_context, header_enc_tkt->client, &s4u_name); + errcode = krb5_unparse_name(kdc_context, header_enc_tkt->client, &s4u_name); } else { - errcode = 0; + errcode = 0; } if (errcode) { - status = "UNPARSING S4U CLIENT"; - goto cleanup; + status = "UNPARSING S4U CLIENT"; + goto cleanup; } if (isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY)) { - krb5_enc_tkt_part *t2enc = request->second_ticket[st_idx]->enc_part2; - encrypting_key = *(t2enc->session); + krb5_enc_tkt_part *t2enc = request->second_ticket[st_idx]->enc_part2; + encrypting_key = *(t2enc->session); } else { - /* - * Find the server key - */ - if ((errcode = krb5_dbe_find_enctype(kdc_context, &server, - -1, /* ignore keytype */ - -1, /* Ignore salttype */ - 0, /* Get highest kvno */ - &server_key))) { - status = "FINDING_SERVER_KEY"; - goto cleanup; - } + /* + * Find the server key + */ + if ((errcode = krb5_dbe_find_enctype(kdc_context, &server, + -1, /* ignore keytype */ + -1, /* Ignore salttype */ + 0,/* Get highest kvno */ + &server_key))) { + status 
= "FINDING_SERVER_KEY"; + goto cleanup; + } if ((errcode = krb5_dbe_find_mkey(kdc_context, master_keylist, &server, &mkey_ptr))) { 
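Review bot: the status value "UNPARSING S4U CLIENT" set after the krb5_unparse_name() calls contains spaces, while every other status in this function is a single underscore-joined token ("FINDING_SERVER_KEY", "DECRYPT_SERVER_KEY", "BAD_ENCRYPTION_TYPE"). The string ends up in log_tgs_req() and in the error text built by prepare_error_tgs(), so anything that splits the KDC log on whitespace will misparse this one case; "UNPARSING_S4U_CLIENT" would match the convention. Minor: the reindent also drops the space in "0,/* Get highest kvno */".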
@@ -565,100 +596,100 @@ tgt_again: } } - /* convert server.key into a real key (it may be encrypted - * in the database) */ - if ((errcode = krb5_dbekd_decrypt_key_data(kdc_context, - mkey_ptr, - server_key, &encrypting_key, - NULL))) { - status = "DECRYPT_SERVER_KEY"; - goto cleanup; - } + /* convert server.key into a real key (it may be encrypted + * in the database) */ + if ((errcode = krb5_dbekd_decrypt_key_data(kdc_context, + mkey_ptr, + server_key, &encrypting_key, + NULL))) { + status = "DECRYPT_SERVER_KEY"; + goto cleanup; + } } if (isflagset(c_flags, KRB5_KDB_FLAG_CONSTRAINED_DELEGATION)) { - /* - * Don't allow authorization data to be disabled if constrained - * delegation is requested. We don't want to deny the server - * the ability to validate that delegation was used. - */ - clear(server.attributes, KRB5_KDB_NO_AUTH_DATA_REQUIRED); + /* + * Don't allow authorization data to be disabled if constrained + * delegation is requested. We don't want to deny the server + * the ability to validate that delegation was used. + */ + clear(server.attributes, KRB5_KDB_NO_AUTH_DATA_REQUIRED); } if (isflagset(server.attributes, KRB5_KDB_NO_AUTH_DATA_REQUIRED) == 0) { - /* - * If we are not doing protocol transition/constrained delegation - * and there was no authorization data included, try to lookup - * the client principal as it may be mapped to a local account. - * - * Always validate authorization data for constrained delegation - * because we must validate the KDC signatures. 
- */ - if (!isflagset(c_flags, KRB5_KDB_FLAGS_S4U) && - header_enc_tkt->authorization_data == NULL) { - - /* Generate authorization data so we can include it in ticket */ - setflag(c_flags, KRB5_KDB_FLAG_INCLUDE_PAC); - /* Map principals from foreign (possibly non-AD) realms */ - setflag(c_flags, KRB5_KDB_FLAG_MAP_PRINCIPALS); - - assert(c_nprincs == 0); /* should not have been looked up already */ - - c_nprincs = 1; - errcode = krb5_db_get_principal_ext(kdc_context, - header_enc_tkt->client, - c_flags, - &client, - &c_nprincs, - &more); - /* - * We can ignore errors because the principal may be a - * valid cross-realm principal for which we have no local - * mapping. But we do want to check that at most one entry - * was returned. - */ - if (errcode == 0 && (more || c_nprincs > 1)) { - errcode = KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE; - goto cleanup; - } else if (errcode) { - c_nprincs = 0; - } - } + /* + * If we are not doing protocol transition/constrained delegation + * and there was no authorization data included, try to lookup + * the client principal as it may be mapped to a local account. + * + * Always validate authorization data for constrained delegation + * because we must validate the KDC signatures. + */ + if (!isflagset(c_flags, KRB5_KDB_FLAGS_S4U) && + header_enc_tkt->authorization_data == NULL) { + + /* Generate authorization data so we can include it in ticket */ + setflag(c_flags, KRB5_KDB_FLAG_INCLUDE_PAC); + /* Map principals from foreign (possibly non-AD) realms */ + setflag(c_flags, KRB5_KDB_FLAG_MAP_PRINCIPALS); + + assert(c_nprincs == 0); /* should not have been looked up already */ + + c_nprincs = 1; + errcode = krb5_db_get_principal_ext(kdc_context, + header_enc_tkt->client, + c_flags, + &client, + &c_nprincs, + &more); + /* + * We can ignore errors because the principal may be a + * valid cross-realm principal for which we have no local + * mapping. But we do want to check that at most one entry + * was returned. 
+ */ + if (errcode == 0 && (more || c_nprincs > 1)) { + errcode = KRB5KDC_ERR_PRINCIPAL_NOT_UNIQUE; + goto cleanup; + } else if (errcode) { + c_nprincs = 0; + } + } } enc_tkt_reply.authorization_data = NULL; if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION) && - is_local_principal(header_enc_tkt->client)) - enc_tkt_reply.client = for_user->user; + is_local_principal(header_enc_tkt->client)) + enc_tkt_reply.client = for_user->user; else - enc_tkt_reply.client = header_enc_tkt->client; + enc_tkt_reply.client = header_enc_tkt->client; errcode = handle_authdata(kdc_context, - c_flags, - (c_nprincs != 0) ? &client : NULL, - &server, - (k_nprincs != 0) ? &krbtgt : NULL, - subkey != NULL ? subkey : - header_ticket->enc_part2->session, - &encrypting_key, /* U2U or server key */ - pkt, - request, - for_user ? for_user->user : NULL, - header_enc_tkt, - &enc_tkt_reply); + c_flags, + (c_nprincs != 0) ? &client : NULL, + &server, + (k_nprincs != 0) ? &krbtgt : NULL, + subkey != NULL ? subkey : + header_ticket->enc_part2->session, + &encrypting_key, /* U2U or server key */ + pkt, + request, + for_user ? for_user->user : NULL, + header_enc_tkt, + &enc_tkt_reply); if (errcode) { - krb5_klog_syslog(LOG_INFO, "TGS_REQ : handle_authdata (%d)", errcode); - status = "HANDLE_AUTHDATA"; - goto cleanup; + krb5_klog_syslog(LOG_INFO, "TGS_REQ : handle_authdata (%d)", errcode); + status = "HANDLE_AUTHDATA"; + goto cleanup; } if (is_referral && isflagset(s_flags, KRB5_KDB_FLAG_CANONICALIZE)) { - errcode = return_svr_referral_data(kdc_context, - &server, &reply_encpart); - if (errcode) { - status = "KDC_RETURN_ENC_PADATA"; - goto cleanup; - } + errcode = return_svr_referral_data(kdc_context, + &server, &reply_encpart); + if (errcode) { + status = "KDC_RETURN_ENC_PADATA"; + goto cleanup; + } } enc_tkt_reply.session = &session_key; 
@@ -675,87 +706,87 @@ tgt_again: /* realm compare is like strcmp, but knows how to deal with these args */ if (realm_compare(header_ticket->server, tgs_server) || - realm_compare(header_ticket->server, enc_tkt_reply.client)) { - /* tgt issued by local realm or issued by realm of client */ - enc_tkt_reply.transited = header_enc_tkt->transited; + realm_compare(header_ticket->server, enc_tkt_reply.client)) { + /* tgt issued by local realm or issued by realm of client */ + enc_tkt_reply.transited = header_enc_tkt->transited; } else { - /* tgt issued by some other realm and not the realm of the client */ - /* assemble new transited field into allocated storage */ - if (header_enc_tkt->transited.tr_type != - KRB5_DOMAIN_X500_COMPRESS) { - status = "BAD_TRTYPE"; - errcode = KRB5KDC_ERR_TRTYPE_NOSUPP; - goto cleanup; - } - enc_tkt_transited.tr_type = KRB5_DOMAIN_X500_COMPRESS; - enc_tkt_transited.magic = 0; - enc_tkt_transited.tr_contents.magic = 0; - enc_tkt_transited.tr_contents.data = 0; - enc_tkt_transited.tr_contents.length = 0; - enc_tkt_reply.transited = enc_tkt_transited; - if ((errcode = - add_to_transited(&header_enc_tkt->transited.tr_contents, - &enc_tkt_reply.transited.tr_contents, - header_ticket->server, - enc_tkt_reply.client, - request->server))) { - status = "ADD_TR_FAIL"; - goto cleanup; - } - newtransited = 1; + /* tgt issued by some other realm and not the realm of the client */ + /* assemble new transited field into allocated storage */ + if (header_enc_tkt->transited.tr_type != + KRB5_DOMAIN_X500_COMPRESS) { + status = "BAD_TRTYPE"; + errcode = KRB5KDC_ERR_TRTYPE_NOSUPP; + goto cleanup; + } + enc_tkt_transited.tr_type = KRB5_DOMAIN_X500_COMPRESS; + enc_tkt_transited.magic = 0; + enc_tkt_transited.tr_contents.magic = 0; + enc_tkt_transited.tr_contents.data = 0; + enc_tkt_transited.tr_contents.length = 0; + enc_tkt_reply.transited = enc_tkt_transited; + if ((errcode = + add_to_transited(&header_enc_tkt->transited.tr_contents, + 
&enc_tkt_reply.transited.tr_contents, + header_ticket->server, + enc_tkt_reply.client, + request->server))) { + status = "ADD_TR_FAIL"; + goto cleanup; + } + newtransited = 1; } if (isflagset(c_flags, KRB5_KDB_FLAG_CROSS_REALM)) { - errcode = validate_transit_path(kdc_context, header_enc_tkt->client, - &server, - (k_nprincs != 0) ? &krbtgt : NULL); - if (errcode) { - status = "NON_TRANSITIVE"; - goto cleanup; - } + errcode = validate_transit_path(kdc_context, header_enc_tkt->client, + &server, + (k_nprincs != 0) ? &krbtgt : NULL); + if (errcode) { + status = "NON_TRANSITIVE"; + goto cleanup; + } } if (!isflagset (request->kdc_options, KDC_OPT_DISABLE_TRANSITED_CHECK)) { - unsigned int tlen; - char *tdots; - - errcode = kdc_check_transited_list (kdc_context, - &enc_tkt_reply.transited.tr_contents, - krb5_princ_realm (kdc_context, header_enc_tkt->client), - krb5_princ_realm (kdc_context, request->server)); - tlen = enc_tkt_reply.transited.tr_contents.length; - tdots = tlen > 125 ? "..." : ""; - tlen = tlen > 125 ? 125 : tlen; - - if (errcode == 0) { - setflag (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED); - } else if (errcode == KRB5KRB_AP_ERR_ILL_CR_TKT) - krb5_klog_syslog (LOG_INFO, - "bad realm transit path from '%s' to '%s' " - "via '%.*s%s'", - cname ? cname : "", - sname ? sname : "", - tlen, - enc_tkt_reply.transited.tr_contents.data, - tdots); - else { - emsg = krb5_get_error_message(kdc_context, errcode); - krb5_klog_syslog (LOG_ERR, - "unexpected error checking transit from " - "'%s' to '%s' via '%.*s%s': %s", - cname ? cname : "", - sname ? 
sname : "", - tlen, - enc_tkt_reply.transited.tr_contents.data, - tdots, emsg); - krb5_free_error_message(kdc_context, emsg); - emsg = NULL; - } + unsigned int tlen; + char *tdots; + + errcode = kdc_check_transited_list (kdc_context, + &enc_tkt_reply.transited.tr_contents, + krb5_princ_realm (kdc_context, header_enc_tkt->client), + krb5_princ_realm (kdc_context, request->server)); + tlen = enc_tkt_reply.transited.tr_contents.length; + tdots = tlen > 125 ? "..." : ""; + tlen = tlen > 125 ? 125 : tlen; + + if (errcode == 0) { + setflag (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED); + } else if (errcode == KRB5KRB_AP_ERR_ILL_CR_TKT) + krb5_klog_syslog (LOG_INFO, + "bad realm transit path from '%s' to '%s' " + "via '%.*s%s'", + cname ? cname : "", + sname ? sname : "", + tlen, + enc_tkt_reply.transited.tr_contents.data, + tdots); + else { + emsg = krb5_get_error_message(kdc_context, errcode); + krb5_klog_syslog (LOG_ERR, + "unexpected error checking transit from " + "'%s' to '%s' via '%.*s%s': %s", + cname ? cname : "", + sname ? sname : "", + tlen, + enc_tkt_reply.transited.tr_contents.data, + tdots, emsg); + krb5_free_error_message(kdc_context, emsg); + emsg = NULL; + } } else - krb5_klog_syslog (LOG_INFO, "not checking transit path"); + krb5_klog_syslog (LOG_INFO, "not checking transit path"); if (reject_bad_transit - && !isflagset (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED)) { - errcode = KRB5KDC_ERR_POLICY; - status = "BAD_TRANSIT"; - goto cleanup; + && !isflagset (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED)) { + errcode = KRB5KDC_ERR_POLICY; + status = "BAD_TRANSIT"; + goto cleanup; } ticket_reply.enc_part2 = &enc_tkt_reply; 
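Review bot: in the transited-check block, tlen is declared "unsigned int" but is passed as the precision argument for '%.*s' in both krb5_klog_syslog() calls, and that argument must be an int. The clamp to 125 keeps the value in range, so this is a type-correctness point rather than an overflow, but declaring tlen as int (or casting at the call) removes the mismatch. tdots only ever points at string literals and should be "const char *". The middle branch, "else if (errcode == KRB5KRB_AP_ERR_ILL_CR_TKT)", is also the only one of the three without braces.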
@@ -767,44 +798,44 @@ tgt_again: * the second ticket. */ if (isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY)) { - /* - * Make sure the client for the second ticket matches - * requested server. - */ - krb5_enc_tkt_part *t2enc = request->second_ticket[st_idx]->enc_part2; - krb5_principal client2 = t2enc->client; - if (!krb5_principal_compare(kdc_context, request->server, client2)) { - if ((errcode = krb5_unparse_name(kdc_context, client2, &altcname))) - altcname = 0; - if (altcname != NULL) - limit_string(altcname); - - errcode = KRB5KDC_ERR_SERVER_NOMATCH; - status = "2ND_TKT_MISMATCH"; - goto cleanup; - } - - ticket_reply.enc_part.kvno = 0; - ticket_reply.enc_part.enctype = t2enc->session->enctype; - st_idx++; + /* + * Make sure the client for the second ticket matches + * requested server. + */ + krb5_enc_tkt_part *t2enc = request->second_ticket[st_idx]->enc_part2; + krb5_principal client2 = t2enc->client; + if (!krb5_principal_compare(kdc_context, request->server, client2)) { + if ((errcode = krb5_unparse_name(kdc_context, client2, &altcname))) + altcname = 0; + if (altcname != NULL) + limit_string(altcname); + + errcode = KRB5KDC_ERR_SERVER_NOMATCH; + status = "2ND_TKT_MISMATCH"; + goto cleanup; + } + + ticket_kvno = 0; + ticket_reply.enc_part.enctype = t2enc->session->enctype; + st_idx++; } else { - ticket_reply.enc_part.kvno = server_key->key_data_kvno; + ticket_kvno = server_key->key_data_kvno; } errcode = krb5_encrypt_tkt_part(kdc_context, &encrypting_key, - &ticket_reply); + &ticket_reply); if (!isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY)) - krb5_free_keyblock_contents(kdc_context, &encrypting_key); + krb5_free_keyblock_contents(kdc_context, &encrypting_key); if (errcode) { - status = "TKT_ENCRYPT"; - goto cleanup; + status = "TKT_ENCRYPT"; + goto cleanup; } - + ticket_reply.enc_part.kvno = ticket_kvno; /* Start assembling the response */ reply.msg_type = KRB5_TGS_REP; - reply.padata = 0; /* always */ + reply.padata = 0;/* always */ 
reply.client = enc_tkt_reply.client; - reply.enc_part.kvno = 0; /* We are using the session key */ + reply.enc_part.kvno = 0;/* We are using the session key */ reply.ticket = &ticket_reply; reply_encpart.session = &session_key; @@ -818,14 +849,14 @@ tgt_again: /* starttime is optional, and treated as authtime if not present. so we can nuke it if it matches */ if (enc_tkt_reply.times.starttime == enc_tkt_reply.times.authtime) - enc_tkt_reply.times.starttime = 0; + enc_tkt_reply.times.starttime = 0; nolrentry.lr_type = KRB5_LRQ_NONE; nolrentry.value = 0; nolrarray[0] = &nolrentry; nolrarray[1] = 0; - reply_encpart.last_req = nolrarray; /* not available for TGS reqs */ - reply_encpart.key_exp = 0; /* ditto */ + reply_encpart.last_req = nolrarray; /* not available for TGS reqs */ + reply_encpart.key_exp = 0;/* ditto */ reply_encpart.flags = enc_tkt_reply.flags; reply_encpart.server = ticket_reply.server; 
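Review bot: in the -767 hunk above, the kvno is now staged in ticket_kvno and only written back with "ticket_reply.enc_part.kvno = ticket_kvno;" after krb5_encrypt_tkt_part() and the TKT_ENCRYPT error check, but neither the hunk nor the commit message says why the assignment has to follow the encryption call. Add a one-line comment at the new assignment stating the reason, so a later cleanup does not move it back in front of krb5_encrypt_tkt_part(). The new line also replaces the blank line that separated the error check from "Start assembling the response"; keep a blank line after it. The reindent in this hunk and the next again strips the space before trailing comments ("reply.padata = 0;/* always */", "reply_encpart.key_exp = 0;/* ditto */").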
@@ -833,91 +864,91 @@ tgt_again: in the AP_REQ */ reply.enc_part.enctype = subkey ? subkey->enctype : - header_ticket->enc_part2->session->enctype; + header_ticket->enc_part2->session->enctype; errcode = krb5_encode_kdc_rep(kdc_context, KRB5_TGS_REP, &reply_encpart, - subkey ? 1 : 0, - subkey ? subkey : - header_ticket->enc_part2->session, - &reply, response); + subkey ? 1 : 0, + subkey ? subkey : + header_ticket->enc_part2->session, + &reply, response); if (errcode) { - status = "ENCODE_KDC_REP"; + status = "ENCODE_KDC_REP"; } else { - status = "ISSUE"; + status = "ISSUE"; } memset(ticket_reply.enc_part.ciphertext.data, 0, - ticket_reply.enc_part.ciphertext.length); + ticket_reply.enc_part.ciphertext.length); free(ticket_reply.enc_part.ciphertext.data); /* these parts are left on as a courtesy from krb5_encode_kdc_rep so we can use them in raw form if needed. But, we don't... */ memset(reply.enc_part.ciphertext.data, 0, - reply.enc_part.ciphertext.length); + reply.enc_part.ciphertext.length); free(reply.enc_part.ciphertext.data); cleanup: assert(status != NULL); if (errcode) - emsg = krb5_get_error_message (kdc_context, errcode); + emsg = krb5_get_error_message (kdc_context, errcode); log_tgs_req(from, request, &reply, cname, sname, altcname, authtime, - c_flags, s4u_name, status, errcode, emsg); + c_flags, s4u_name, status, errcode, emsg); if (errcode) { - krb5_free_error_message (kdc_context, emsg); - emsg = NULL; + krb5_free_error_message (kdc_context, emsg); + emsg = NULL; } if (errcode) { int got_err = 0; - if (status == 0) { - status = krb5_get_error_message (kdc_context, errcode); - got_err = 1; - } - errcode -= ERROR_TABLE_BASE_krb5; - if (errcode < 0 || errcode > 128) - errcode = KRB_ERR_GENERIC; - - retval = prepare_error_tgs(request, header_ticket, errcode, - nprincs ? 
server.princ : NULL, - response, status); - if (got_err) { - krb5_free_error_message (kdc_context, status); - status = 0; - } + if (status == 0) { + status = krb5_get_error_message (kdc_context, errcode); + got_err = 1; + } + errcode -= ERROR_TABLE_BASE_krb5; + if (errcode < 0 || errcode > 128) + errcode = KRB_ERR_GENERIC; + + retval = prepare_error_tgs(request, header_ticket, errcode, + nprincs ? server.princ : NULL, + response, status); + if (got_err) { + krb5_free_error_message (kdc_context, status); + status = 0; + } } if (header_ticket != NULL) - krb5_free_ticket(kdc_context, header_ticket); + krb5_free_ticket(kdc_context, header_ticket); if (request != NULL) - krb5_free_kdc_req(kdc_context, request); + krb5_free_kdc_req(kdc_context, request); if (cname != NULL) - free(cname); + free(cname); if (sname != NULL) - free(sname); + free(sname); if (nprincs != 0) - krb5_db_free_principal(kdc_context, &server, 1); + krb5_db_free_principal(kdc_context, &server, 1); if (session_key.contents != NULL) - krb5_free_keyblock_contents(kdc_context, &session_key); + krb5_free_keyblock_contents(kdc_context, &session_key); if (newtransited) - free(enc_tkt_reply.transited.tr_contents.data); + free(enc_tkt_reply.transited.tr_contents.data); if (k_nprincs) - krb5_db_free_principal(kdc_context, &krbtgt, k_nprincs); + krb5_db_free_principal(kdc_context, &krbtgt, k_nprincs); if (c_nprincs) - krb5_db_free_principal(kdc_context, &client, c_nprincs); + krb5_db_free_principal(kdc_context, &client, c_nprincs); if (for_user != NULL) - krb5_free_pa_for_user(kdc_context, for_user); + krb5_free_pa_for_user(kdc_context, for_user); if (kdc_issued_auth_data != NULL) - krb5_free_authdata(kdc_context, kdc_issued_auth_data); + krb5_free_authdata(kdc_context, kdc_issued_auth_data); if (s4u_name != NULL) - free(s4u_name); + free(s4u_name); if (subkey != NULL) - krb5_free_keyblock(kdc_context, subkey); + krb5_free_keyblock(kdc_context, subkey); return retval; } static krb5_error_code prepare_error_tgs 
(krb5_kdc_req *request, krb5_ticket *ticket, int error, - krb5_principal canon_server, - krb5_data **response, const char *status) + krb5_principal canon_server, + krb5_data **response, const char *status) { krb5_error errpkt; krb5_error_code retval; @@ -927,21 +958,21 @@ prepare_error_tgs (krb5_kdc_req *request, krb5_ticket *ticket, int error, errpkt.cusec = 0; if ((retval = krb5_us_timeofday(kdc_context, &errpkt.stime, - &errpkt.susec))) - return(retval); + &errpkt.susec))) + return(retval); errpkt.error = error; errpkt.server = request->server; if (ticket && ticket->enc_part2) - errpkt.client = ticket->enc_part2->client; + errpkt.client = ticket->enc_part2->client; else - errpkt.client = NULL; + errpkt.client = NULL; errpkt.text.length = strlen(status) + 1; if (!(errpkt.text.data = strdup(status))) - return ENOMEM; + return ENOMEM; if (!(scratch = (krb5_data *)malloc(sizeof(*scratch)))) { - free(errpkt.text.data); - return ENOMEM; + free(errpkt.text.data); + return ENOMEM; } errpkt.e_data.length = 0; errpkt.e_data.data = NULL; @@ -949,9 +980,9 @@ prepare_error_tgs (krb5_kdc_req *request, krb5_ticket *ticket, int error, retval = krb5_mk_error(kdc_context, &errpkt, scratch); free(errpkt.text.data); if (retval) - free(scratch); + free(scratch); else - *response = scratch; + *response = scratch; return retval; } @@ -963,7 +994,7 @@ prepare_error_tgs (krb5_kdc_req *request, krb5_ticket *ticket, int error, */ static void find_alternate_tgs(krb5_kdc_req *request, krb5_db_entry *server, - krb5_boolean *more, int *nprincs) + krb5_boolean *more, int *nprincs) { krb5_error_code retval; krb5_principal *plist, *pl2; 
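Review bot: in the cleanup: block of the -833 hunk, assert(status != NULL) and the later "if (status == 0) { status = krb5_get_error_message (kdc_context, errcode); got_err = 1; }" contradict each other. With assertions enabled the fallback is unreachable; with NDEBUG, log_tgs_req() has already been called with a NULL status before the fallback runs. Pick one contract: either drop the fallback and the got_err bookkeeping, or remove the assert and move the fallback ahead of log_tgs_req(). prepare_error_tgs() calls strlen(status) unconditionally, so whichever is kept has to guarantee a non-NULL status by that point.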
@@ -979,10 +1010,10 @@ find_alternate_tgs(krb5_kdc_req *request, krb5_db_entry *server, * the principal. */ if ((retval = krb5_walk_realm_tree(kdc_context, - krb5_princ_realm(kdc_context, request->server), - krb5_princ_component(kdc_context, request->server, 1), - &plist, KRB5_REALM_BRANCH_CHAR))) - return; + krb5_princ_realm(kdc_context, request->server), + krb5_princ_component(kdc_context, request->server, 1), + &plist, KRB5_REALM_BRANCH_CHAR))) + return; /* move to the end */ for (pl2 = plist; *pl2; pl2++); 
@@ -990,43 +1021,43 @@ find_alternate_tgs(krb5_kdc_req *request, krb5_db_entry *server, /* the first entry in this array is for krbtgt/local@local, so we ignore it */ while (--pl2 > plist) { - *nprincs = 1; - tmp = *krb5_princ_realm(kdc_context, *pl2); - krb5_princ_set_realm(kdc_context, *pl2, - krb5_princ_realm(kdc_context, tgs_server)); - retval = get_principal(kdc_context, *pl2, server, nprincs, more); - krb5_princ_set_realm(kdc_context, *pl2, &tmp); - if (retval) { - *nprincs = 0; - *more = FALSE; - krb5_free_realm_tree(kdc_context, plist); - return; - } - if (*more) { - krb5_db_free_principal(kdc_context, server, *nprincs); - continue; - } else if (*nprincs == 1) { - /* Found it! */ - krb5_principal tmpprinc; - - tmp = *krb5_princ_realm(kdc_context, *pl2); - krb5_princ_set_realm(kdc_context, *pl2, - krb5_princ_realm(kdc_context, tgs_server)); - if ((retval = krb5_copy_principal(kdc_context, *pl2, &tmpprinc))) { - krb5_db_free_principal(kdc_context, server, *nprincs); - krb5_princ_set_realm(kdc_context, *pl2, &tmp); - continue; - } - krb5_princ_set_realm(kdc_context, *pl2, &tmp); - - krb5_free_principal(kdc_context, request->server); - request->server = tmpprinc; - log_tgs_alt_tgt(request->server); - krb5_free_realm_tree(kdc_context, plist); - return; - } - krb5_db_free_principal(kdc_context, server, *nprincs); - continue; + *nprincs = 1; + tmp = *krb5_princ_realm(kdc_context, *pl2); + krb5_princ_set_realm(kdc_context, *pl2, + krb5_princ_realm(kdc_context, tgs_server)); + retval = get_principal(kdc_context, *pl2, server, nprincs, more); + krb5_princ_set_realm(kdc_context, *pl2, &tmp); + if (retval) { + *nprincs = 0; + *more = FALSE; + krb5_free_realm_tree(kdc_context, plist); + return; + } + if (*more) { + krb5_db_free_principal(kdc_context, server, *nprincs); + continue; + } else if (*nprincs == 1) { + /* Found it! 
*/ + krb5_principal tmpprinc; + + tmp = *krb5_princ_realm(kdc_context, *pl2); + krb5_princ_set_realm(kdc_context, *pl2, + krb5_princ_realm(kdc_context, tgs_server)); + if ((retval = krb5_copy_principal(kdc_context, *pl2, &tmpprinc))) { + krb5_db_free_principal(kdc_context, server, *nprincs); + krb5_princ_set_realm(kdc_context, *pl2, &tmp); + continue; + } + krb5_princ_set_realm(kdc_context, *pl2, &tmp); + + krb5_free_principal(kdc_context, request->server); + request->server = tmpprinc; + log_tgs_alt_tgt(request->server); + krb5_free_realm_tree(kdc_context, plist); + return; + } + krb5_db_free_principal(kdc_context, server, *nprincs); + continue; } *nprincs = 0; 
@@ -1034,3 +1065,122 @@ find_alternate_tgs(krb5_kdc_req *request, krb5_db_entry *server, krb5_free_realm_tree(kdc_context, plist); return; } + +/* is_substr - verfies if d1 contains d2->data with head/trail-ing whitespaces + */ +static krb5_int32 +is_substr ( char *d1, krb5_data *d2) +{ + krb5_boolean ret = FALSE; + char *new_d2 = 0, *d2_formated = 0; + if ( d1 && d2 && d2->data && (d2->length+2 <= strlen(d1))){ + new_d2 = calloc(1,d2->length+1); + if (new_d2 != NULL) { + strlcpy(new_d2,d2->data,d2->length+1); + if (asprintf( &d2_formated, "%c%s%c",' ',new_d2,' ') < 0) + ret = ENOMEM; + else if (d2_formated != 0 && strstr(d1, d2_formated) != NULL) + ret = TRUE; + free(new_d2); + free(d2_formated); + } + } + return ret; +} + +static krb5_int32 +prep_reprocess_req(krb5_kdc_req *request, krb5_principal *krbtgt_princ) +{ + krb5_error_code retval = KRB5KRB_AP_ERR_BADMATCH; + char **realms, **cpp, *temp_buf=NULL; + krb5_data *comp1 = NULL, *comp2 = NULL; + krb5_int32 host_based_srv_listed = 0, no_host_referral_listed = 0; + + /* By now we know that server principal name is unknown. + * If CANONICALIZE flag is set in the request + * If req is not U2U authn. req + * the requested server princ. has exactly two components + * either + * the name type is NT-SRV-HST + * or name type is NT-UNKNOWN and + * the 1st component is listed in conf file under host_based_services + * the 1st component is not in a list in conf under "no_host_referral" + * the 2d component looks like fully-qualified domain name (FQDN) + * If all of these conditions are satisfied - try mapping the FQDN and + * re-process the request as if client had asked for cross-realm TGT. 
+ */ + + if (isflagset(request->kdc_options, KDC_OPT_CANONICALIZE) == TRUE && + !isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY) && + krb5_princ_size(kdc_context, request->server) == 2) { + + comp1 = krb5_princ_component(kdc_context, request->server, 0); + comp2 = krb5_princ_component(kdc_context, request->server, 1); + host_based_srv_listed = FALSE; + no_host_referral_listed = TRUE; + if (kdc_active_realm->realm_host_based_services != NULL) { + host_based_srv_listed = is_substr(kdc_active_realm->realm_host_based_services, comp1); + if (host_based_srv_listed == ENOMEM) { + retval = ENOMEM; + goto cleanup; + } + } + if (kdc_active_realm->realm_no_host_referral != NULL) { + no_host_referral_listed = is_substr(kdc_active_realm->realm_no_host_referral,comp1); + if (no_host_referral_listed == ENOMEM) { + retval = ENOMEM; + goto cleanup; + } + } + + if ((krb5_princ_type(kdc_context, request->server) == KRB5_NT_SRV_HST || + (krb5_princ_type(kdc_context, request->server) == KRB5_NT_UNKNOWN && + kdc_active_realm->realm_host_based_services != NULL && + (host_based_srv_listed == TRUE || + strchr(kdc_active_realm->realm_host_based_services, '*')))) && + (kdc_active_realm->realm_no_host_referral == NULL || + (!strchr(kdc_active_realm->realm_host_based_services, '*') && + no_host_referral_listed == FALSE))) { + + if (memchr(comp2->data, '.', comp2->length) == NULL) + goto cleanup; + temp_buf = calloc(1, comp2->length+1); + if (!temp_buf){ + retval = ENOMEM; + goto cleanup; + } + strlcpy(temp_buf, comp2->data,comp2->length+1); + retval = krb5int_get_domain_realm_mapping(kdc_context, temp_buf, &realms); + free(temp_buf); + if (retval) { + /* no match found */ + com_err("krb5_get_domain_realm_mapping", retval, 0); + goto cleanup; + } + if (realms == 0) { + printf(" (null)\n"); + goto cleanup; + } + if (realms[0] == 0) { + printf(" (none)\n"); + free(realms); + goto cleanup; + } + /* Modify request. 
+ * Construct cross-realm tgt : krbtgt/REMOTE_REALM@LOCAL_REALM + * and use it as a principal in this req. + */ + retval = krb5_build_principal(kdc_context, krbtgt_princ, + (*request->server).realm.length, + (*request->server).realm.data, + "krbtgt", realms[0], (char *)0); + + for (cpp = realms; *cpp; cpp++) + free(*cpp); + } + } +cleanup: + return retval; +} + + diff --git a/src/kdc/extern.h b/src/kdc/extern.h index 3b67eb8182..88e8b0ddef 100644 --- a/src/kdc/extern.h +++ b/src/kdc/extern.h @@ -1,7 +1,7 @@ /* * kdc/extern.h * - * Copyright 1990,2001,2007 by the Massachusetts Institute of Technology. + * Copyright 1990,2001,2007,2009 by the Massachusetts Institute of Technology. * * Export of this software from the United States of America may * require a specific license from the United States Government. @@ -41,6 +41,11 @@ typedef struct __kdc_realm_data { krb5_context realm_context; /* Context to be used for realm */ krb5_keytab realm_keytab; /* keytab to be used for this realm */ char * realm_profile; /* Profile file for this realm */ + char * realm_host_based_services; /* do referral processing for these services + * If '*' - allow all referrals */ + char * realm_no_host_referral; /* no referral for these services. + * If '*' - disallow all referrals and + * ignore realm_host_based_services */ /* * Database per-realm data. */ diff --git a/src/kdc/main.c b/src/kdc/main.c index 4394b6ddc9..0e9b6910a9 100644 --- a/src/kdc/main.c +++ b/src/kdc/main.c @@ -1,7 +1,7 @@ /* * kdc/main.c * - * Copyright 1990,2001,2008 by the Massachusetts Institute of Technology. + * Copyright 1990,2001,2008,2009 by the Massachusetts Institute of Technology. * * Export of this software from the United States of America may * require a specific license from the United States Government. 
@@ -146,6 +146,10 @@ finish_realm(kdc_realm_t *rdp) free(rdp->realm_tcp_ports); if (rdp->realm_keytab) krb5_kt_close(rdp->realm_context, rdp->realm_keytab); + if (rdp->realm_host_based_services) + free(rdp->realm_host_based_services); + if (rdp->realm_no_host_referral) + free(rdp->realm_no_host_referral); if (rdp->realm_context) { if (rdp->realm_mprinc) krb5_free_principal(rdp->realm_context, rdp->realm_mprinc); 
@@ -165,6 +169,85 @@ finish_realm(kdc_realm_t *rdp) free(rdp); } +static krb5_error_code +handle_referrals(krb5_realm_params *rparams, char *no_refrls, char *host_based_srvcs, kdc_realm_t *rdp ) +{ + int i = 0; + krb5_error_code retval = 0; + if (no_refrls == NULL || strchr(no_refrls, '*') == NULL) { + if (no_refrls != NULL){ + if (rparams && rparams->realm_no_host_referral) { + if (asprintf(&(rdp->realm_no_host_referral), "%s%s%s%s%s", + " ", no_refrls," ",rparams->realm_no_host_referral, " ") < 0) + retval = ENOMEM; + } else { + if(asprintf(&(rdp->realm_no_host_referral),"%s%s%s", " ", no_refrls, " ") < 0) + retval = ENOMEM; + } + } else { + if (rparams && rparams->realm_no_host_referral) { + if (asprintf(&(rdp->realm_no_host_referral),"%s%s%s", " ", + rparams->realm_no_host_referral, " ") < 0) + retval = ENOMEM; + } else + rdp->realm_no_host_referral = NULL; + } + + if (rdp->realm_no_host_referral && + strlen(rdp->realm_no_host_referral) > 1 && strchr(rdp->realm_no_host_referral, '*') != NULL) { + rdp->realm_no_host_referral = strdup("*"); + } else { + /* only if no_host_referral != "*" */ + + if ((host_based_srvcs != NULL && strchr(host_based_srvcs,'*') != NULL) || + (rparams && rparams->realm_host_based_services && + strchr(rparams->realm_host_based_services,'*') != NULL)) { + if (asprintf(&(rdp->realm_host_based_services),"%s", "*") < 0) + retval = ENOMEM; + } else { + if (host_based_srvcs != NULL) { + if (rparams && rparams->realm_host_based_services) { + if (asprintf(&(rdp->realm_host_based_services),"%s%s%s%s%s", + " ", host_based_srvcs," ",rparams->realm_host_based_services," ") < 0) + retval = ENOMEM; + } else + if (asprintf(&(rdp->realm_host_based_services),"%s%s%s", " ", + host_based_srvcs, " ") < 0) + retval = ENOMEM; + } else { + if (rparams && rparams->realm_host_based_services) { + if (asprintf(&(rdp->realm_host_based_services),"%s%s%s", " ", + rparams->realm_host_based_services, " ") < 0) + retval = ENOMEM; + } else + 
rdp->realm_host_based_services = NULL; + } + } + + /* Walk realm_host_based_services and realm_no_host_referral and replace all ',' with whitespace */ + i = 0; + while (rdp && rdp->realm_host_based_services && (rdp->realm_host_based_services)[i] != 0){ + if ((rdp->realm_host_based_services)[i] == ',') + (rdp->realm_host_based_services)[i] = ' '; + i++; + } + i = 0; + while (rdp && rdp->realm_no_host_referral && ( rdp->realm_no_host_referral)[i] != 0){ + if ((rdp->realm_no_host_referral)[i] == ',') + (rdp->realm_no_host_referral)[i] = ' '; + i++; + } + } + } else { + if (no_refrls != NULL && strchr(no_refrls,'*') != NULL) { + if (asprintf(&(rdp->realm_no_host_referral),"%s", "*") < 0) + retval = ENOMEM; + } else + rdp->realm_no_host_referral = NULL; + } + + return retval; +} /* * Initialize a realm control structure from the alternate profile or from * the specified defaults. @@ -175,7 +258,8 @@ finish_realm(kdc_realm_t *rdp) static krb5_error_code init_realm(char *progname, kdc_realm_t *rdp, char *realm, char *def_mpname, krb5_enctype def_enctype, char *def_udp_ports, - char *def_tcp_ports, krb5_boolean def_manual, char **db_args) + char *def_tcp_ports, krb5_boolean def_manual, char **db_args, + char *no_refrls, char *host_based_srvcs) { krb5_error_code kret; krb5_boolean manual; @@ -243,7 +327,7 @@ init_realm(char *progname, kdc_realm_t *rdp, char *realm, rdp->realm_reject_bad_transit = rparams->realm_reject_bad_transit; else rdp->realm_reject_bad_transit = 1; - + /* Handle ticket maximum life */ rdp->realm_maxlife = (rparams && rparams->realm_max_life_valid) ? rparams->realm_max_life : KRB5_KDB_MAX_LIFE; 
@@ -252,6 +336,11 @@ init_realm(char *progname, kdc_realm_t *rdp, char *realm, rdp->realm_maxrlife = (rparams && rparams->realm_max_rlife_valid) ? rparams->realm_max_rlife : KRB5_KDB_MAX_RLIFE; + /* Handle KDC referrals */ + kret = handle_referrals(rparams, no_refrls, host_based_srvcs, rdp); + if (kret == ENOMEM) + goto whoops; + if (rparams) krb5_free_realm_params(rdp->realm_context, rparams); @@ -456,6 +545,8 @@ initialize_realms(krb5_context kcontext, int argc, char **argv) krb5_pointer aprof; const char *hierarchy[3]; char **db_args = NULL; + char *no_refrls = NULL; + char *host_based_srvcs = NULL; int db_args_size = 0; extern char *optarg; @@ -472,11 +563,27 @@ initialize_realms(krb5_context kcontext, int argc, char **argv) hierarchy[1] = "kdc_max_dgram_reply_size"; if (krb5_aprof_get_int32(aprof, hierarchy, TRUE, &max_dgram_reply_size)) max_dgram_reply_size = MAX_DGRAM_SIZE; + /* The service name "*" means any service. */ + hierarchy[1] = "no_host_referral"; + if (!krb5_aprof_get_string_all(aprof, hierarchy, &no_refrls)){ + if (no_refrls != NULL && strlen(no_refrls) && strchr(no_refrls, '*')) { + no_refrls = strdup("*"); + } + } + if (no_refrls == 0 || strchr(no_refrls, '*') == NULL) { + hierarchy[1] = "host_based_services"; + if (!krb5_aprof_get_string_all(aprof, hierarchy, &host_based_srvcs)) { + if (strchr(host_based_srvcs, '*')) { + host_based_srvcs = strdup("*"); + } + } + } /* aprof_init can return 0 with aprof == NULL */ if (aprof) krb5_aprof_finish(aprof); } + if (default_udp_ports == 0) default_udp_ports = strdup(DEFAULT_KDC_UDP_PORTLIST); if (default_tcp_ports == 0) 
@@ -510,7 +617,8 @@ initialize_realms(krb5_context kcontext, int argc, char **argv) if ((retval = init_realm(argv[0], rdatap, optarg, mkey_name, menctype, default_udp_ports, - default_tcp_ports, manual, db_args))) { + default_tcp_ports, manual, db_args, + no_refrls, host_based_srvcs))) { fprintf(stderr,"%s: cannot initialize realm %s - see log file for details\n", argv[0], optarg); exit(1); @@ -607,7 +715,8 @@ initialize_realms(krb5_context kcontext, int argc, char **argv) if ((rdatap = (kdc_realm_t *) malloc(sizeof(kdc_realm_t)))) { if ((retval = init_realm(argv[0], rdatap, lrealm, mkey_name, menctype, default_udp_ports, - default_tcp_ports, manual, db_args))) { + default_tcp_ports, manual, db_args, + no_refrls, host_based_srvcs))) { fprintf(stderr,"%s: cannot initialize realm %s - see log file for details\n", argv[0], lrealm); exit(1); @@ -766,6 +875,3 @@ int main(int argc, char **argv) return errout; } - - - diff --git a/src/lib/crypto/arcfour/arcfour.c b/src/lib/crypto/arcfour/arcfour.c index 8c9e8e1a4e..085c997ed4 100644 --- a/src/lib/crypto/arcfour/arcfour.c +++ b/src/lib/crypto/arcfour/arcfour.c @@ -254,16 +254,10 @@ krb5_arcfour_decrypt(const struct krb5_enc_provider *enc, ms_usage=krb5int_arcfour_translate_usage(usage); if (key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP) { strncpy(salt.data, krb5int_arcfour_l40, salt.length); - salt.data[10]=ms_usage & 0xff; - salt.data[11]=(ms_usage>>8) & 0xff; - salt.data[12]=(ms_usage>>16) & 0xff; - salt.data[13]=(ms_usage>>24) & 0xff; + store_32_le(ms_usage, salt.data+10); } else { salt.length=4; - salt.data[0]=ms_usage & 0xff; - salt.data[1]=(ms_usage>>8) & 0xff; - salt.data[2]=(ms_usage>>16) & 0xff; - salt.data[3]=(ms_usage>>24) & 0xff; + store_32_le(ms_usage, salt.data); } ret=krb5_hmac(hash, key, 1, &salt, &d1); if (ret) diff --git a/src/lib/crypto/arcfour/arcfour_aead.c b/src/lib/crypto/arcfour/arcfour_aead.c index 025118ed7d..cff7d66d65 100644 --- a/src/lib/crypto/arcfour/arcfour_aead.c 
+++ b/src/lib/crypto/arcfour/arcfour_aead.c @@ -146,10 +146,10 @@ krb5int_arcfour_encrypt_iov(const struct krb5_aead_provider *aead, if (key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP) { strncpy(salt.data, krb5int_arcfour_l40, salt.length); - store_32_le(ms_usage, (unsigned char *)salt.data + 10); + store_32_le(ms_usage, salt.data + 10); } else { salt.length = 4; - store_32_le(ms_usage, (unsigned char *)salt.data); + store_32_le(ms_usage, salt.data); } ret = krb5_hmac(hash, key, 1, &salt, &d1); if (ret != 0) diff --git a/src/lib/crypto/des/afsstring2key.c b/src/lib/crypto/des/afsstring2key.c index 97ec2d8a1e..571dab0070 100644 --- a/src/lib/crypto/des/afsstring2key.c +++ b/src/lib/crypto/des/afsstring2key.c @@ -149,11 +149,11 @@ mit_afs_string_to_key (krb5_keyblock *keyblock, const krb5_data *data, /* clean & free the input string */ memset(password, 0, (size_t) pw_len); - krb5_xfree(password); + free(password); } #if 0 /* must free here because it was copied for this special case */ - krb5_xfree(salt->data); + free(salt->data); #endif return 0; } diff --git a/src/lib/crypto/dk/checksum.c b/src/lib/crypto/dk/checksum.c index b51319b2ea..f4b18bf0c4 100644 --- a/src/lib/crypto/dk/checksum.c +++ b/src/lib/crypto/dk/checksum.c @@ -75,10 +75,7 @@ krb5_dk_make_checksum(const struct krb5_hash_provider *hash, datain.data = (char *) constantdata; datain.length = K5CLENGTH; - datain.data[0] = (usage>>24)&0xff; - datain.data[1] = (usage>>16)&0xff; - datain.data[2] = (usage>>8)&0xff; - datain.data[3] = usage&0xff; + store_32_be(usage, constantdata); datain.data[4] = (char) 0x99; @@ -147,10 +144,7 @@ krb5int_dk_make_checksum_iov(const struct krb5_hash_provider *hash, datain.data = (char *) constantdata; datain.length = K5CLENGTH; - datain.data[0] = (usage>>24)&0xff; - datain.data[1] = (usage>>16)&0xff; - datain.data[2] = (usage>>8)&0xff; - datain.data[3] = usage&0xff; + store_32_be(usage, constantdata); datain.data[4] = (char) 0x99; 
diff --git a/src/lib/crypto/dk/dk_aead.c b/src/lib/crypto/dk/dk_aead.c index 8abf5af5f4..e995f9ae69 100644 --- a/src/lib/crypto/dk/dk_aead.c +++ b/src/lib/crypto/dk/dk_aead.c @@ -1,7 +1,7 @@ /* * lib/crypto/dk/dk_aead.c * - * Copyright 2008 by the Massachusetts Institute of Technology. + * Copyright 2008, 2009 by the Massachusetts Institute of Technology. * All Rights Reserved. * * Export of this software from the United States of America may @@ -147,10 +147,7 @@ krb5int_dk_encrypt_iov(const struct krb5_aead_provider *aead, d1.data = (char *)constantdata; d1.length = K5CLENGTH; - d1.data[0] = (usage >> 24) & 0xFF; - d1.data[1] = (usage >> 16) & 0xFF; - d1.data[2] = (usage >> 8 ) & 0xFF; - d1.data[3] = (usage ) & 0xFF; + store_32_be(usage, constantdata); d1.data[4] = 0xAA; @@ -298,10 +295,7 @@ krb5int_dk_decrypt_iov(const struct krb5_aead_provider *aead, d1.data = (char *)constantdata; d1.length = K5CLENGTH; - d1.data[0] = (usage >> 24) & 0xFF; - d1.data[1] = (usage >> 16) & 0xFF; - d1.data[2] = (usage >> 8 ) & 0xFF; - d1.data[3] = (usage ) & 0xFF; + store_32_be(usage, constantdata); d1.data[4] = 0xAA; diff --git a/src/lib/crypto/dk/dk_decrypt.c b/src/lib/crypto/dk/dk_decrypt.c index c4397382a7..c38c4d5bf3 100644 --- a/src/lib/crypto/dk/dk_decrypt.c +++ b/src/lib/crypto/dk/dk_decrypt.c @@ -119,10 +119,7 @@ krb5_dk_decrypt_maybe_trunc_hmac(const struct krb5_enc_provider *enc, d1.data = (char *) constantdata; d1.length = K5CLENGTH; - d1.data[0] = (usage>>24)&0xff; - d1.data[1] = (usage>>16)&0xff; - d1.data[2] = (usage>>8)&0xff; - d1.data[3] = usage&0xff; + store_32_be(usage, constantdata); d1.data[4] = (char) 0xAA; diff --git a/src/lib/crypto/dk/dk_encrypt.c b/src/lib/crypto/dk/dk_encrypt.c index 750f43ffed..6596e53ce8 100644 --- a/src/lib/crypto/dk/dk_encrypt.c +++ b/src/lib/crypto/dk/dk_encrypt.c 
@@ -99,10 +99,7 @@ krb5_dk_encrypt(const struct krb5_enc_provider *enc, d1.data = (char *) constantdata; d1.length = K5CLENGTH; - d1.data[0] = (usage>>24)&0xff; - d1.data[1] = (usage>>16)&0xff; - d1.data[2] = (usage>>8)&0xff; - d1.data[3] = usage&0xff; + store_32_be(usage, constantdata); d1.data[4] = (char) 0xAA; @@ -265,10 +262,7 @@ krb5int_aes_dk_encrypt(const struct krb5_enc_provider *enc, d1.data = (char *) constantdata; d1.length = K5CLENGTH; - d1.data[0] = (usage>>24)&0xff; - d1.data[1] = (usage>>16)&0xff; - d1.data[2] = (usage>>8)&0xff; - d1.data[3] = usage&0xff; + store_32_be(usage, constantdata); d1.data[4] = (char) 0xAA; diff --git a/src/lib/crypto/hash_provider/hash_crc32.c b/src/lib/crypto/hash_provider/hash_crc32.c index 1df182c493..ca26810676 100644 --- a/src/lib/crypto/hash_provider/hash_crc32.c +++ b/src/lib/crypto/hash_provider/hash_crc32.c @@ -44,11 +44,7 @@ k5_crc32_hash(unsigned int icount, const krb5_data *input, c ^= cn; } - output->data[0] = c&0xff; - output->data[1] = (c>>8)&0xff; - output->data[2] = (c>>16)&0xff; - output->data[3] = (c>>24)&0xff; - + store_32_le(c, output->data); return(0); } diff --git a/src/lib/crypto/hash_provider/hash_sha1.c b/src/lib/crypto/hash_provider/hash_sha1.c index cdb309867a..ffc073cf14 100644 --- a/src/lib/crypto/hash_provider/hash_sha1.c +++ b/src/lib/crypto/hash_provider/hash_sha1.c @@ -44,10 +44,7 @@ k5_sha1_hash(unsigned int icount, const krb5_data *input, shsFinal(&ctx); for (i=0; i<(sizeof(ctx.digest)/sizeof(ctx.digest[0])); i++) { - output->data[i*4] = (ctx.digest[i]>>24)&0xff; - output->data[i*4+1] = (ctx.digest[i]>>16)&0xff; - output->data[i*4+2] = (ctx.digest[i]>>8)&0xff; - output->data[i*4+3] = ctx.digest[i]&0xff; + store_32_be(ctx.digest[i], &output->data[i*4]); } return(0); diff --git a/src/lib/crypto/keyblocks.c b/src/lib/crypto/keyblocks.c index 626443c837..5e698cc5a6 100644 --- a/src/lib/crypto/keyblocks.c +++ b/src/lib/crypto/keyblocks.c 
@@ -65,7 +65,7 @@ void krb5int_c_free_keyblock(krb5_context context, register krb5_keyblock *val) { krb5int_c_free_keyblock_contents(context, val); - krb5_xfree(val); + free(val); } void @@ -73,7 +73,7 @@ krb5int_c_free_keyblock_contents(krb5_context context, register krb5_keyblock *k { if (key->contents) { krb5int_zap_data (key->contents, key->length); - krb5_xfree(key->contents); + free(key->contents); key->contents = 0; } } diff --git a/src/lib/crypto/keyed_checksum_types.c b/src/lib/crypto/keyed_checksum_types.c index 0e46466f27..04aa44757c 100644 --- a/src/lib/crypto/keyed_checksum_types.c +++ b/src/lib/crypto/keyed_checksum_types.c @@ -83,7 +83,7 @@ void KRB5_CALLCONV krb5_free_cksumtypes(krb5_context context, krb5_cksumtype *val) { if (val) - krb5_xfree(val); + free(val); return; } diff --git a/src/lib/crypto/keyhash_provider/hmac_md5.c b/src/lib/crypto/keyhash_provider/hmac_md5.c index 53da03ad41..34ce67169e 100644 --- a/src/lib/crypto/keyhash_provider/hmac_md5.c +++ b/src/lib/crypto/keyhash_provider/hmac_md5.c @@ -1,7 +1,7 @@ /* * lib/crypto/keyhash_provider/hmac_md5.c * - * Copyright 2001 by the Massachusetts Institute of Technology. + * Copyright 2001, 2009 by the Massachusetts Institute of Technology. * All Rights Reserved. * * Export of this software from the United States of America may @@ -65,10 +65,7 @@ k5_hmac_md5_hash (const krb5_keyblock *key, krb5_keyusage usage, krb5_MD5Init (&ctx); ms_usage = krb5int_arcfour_translate_usage (usage); - t[0] = (ms_usage) & 0xff; - t[1] = (ms_usage>>8) & 0xff; - t[2] = (ms_usage >>16) & 0xff; - t[3] = (ms_usage>>24) & 0XFF; + store_32_le(ms_usage, t); krb5_MD5Update (&ctx, (unsigned char * ) &t, 4); krb5_MD5Update (&ctx, (unsigned char *) input-> data, (unsigned int) input->length ); 
@@ -116,10 +113,7 @@ k5_hmac_md5_hash_iov (const krb5_keyblock *key, krb5_keyusage usage, krb5_MD5Init (&ctx); ms_usage = krb5int_arcfour_translate_usage (usage); - t[0] = (ms_usage) & 0xff; - t[1] = (ms_usage>>8) & 0xff; - t[2] = (ms_usage >>16) & 0xff; - t[3] = (ms_usage>>24) & 0XFF; + store_32_le(ms_usage, t); krb5_MD5Update (&ctx, (unsigned char * ) &t, 4); for (i = 0; i < num_data; i++) { const krb5_crypto_iov *iov = &data[i]; @@ -148,4 +142,3 @@ const struct krb5_keyhash_provider krb5int_keyhash_hmac_md5 = { k5_hmac_md5_hash_iov, NULL /*checksum again */ }; - diff --git a/src/lib/crypto/keyhash_provider/md5_hmac.c b/src/lib/crypto/keyhash_provider/md5_hmac.c index e8aea745cc..d05b97f00d 100644 --- a/src/lib/crypto/keyhash_provider/md5_hmac.c +++ b/src/lib/crypto/keyhash_provider/md5_hmac.c @@ -1,7 +1,7 @@ /* * lib/crypto/keyhash_provider/md5_hmac.c * - * Copyright2001 by the Massachusetts Institute of Technology. + * Copyright 2001, 2009 by the Massachusetts Institute of Technology. * All Rights Reserved. * * Export of this software from the United States of America may @@ -45,11 +45,7 @@ k5_md5_hmac_hash (const krb5_keyblock *key, krb5_keyusage usage, krb5_MD5Init(&ctx); ms_usage = krb5int_arcfour_translate_usage (usage); - t[0] = (ms_usage >> 0) & 0xff; - t[1] = (ms_usage >> 8) & 0xff; - t[2] = (ms_usage >> 16) & 0xff; - t[3] = (ms_usage >> 24) & 0xff; - + store_32_le(ms_usage, t); krb5_MD5Update(&ctx, t, sizeof(t)); krb5_MD5Update(&ctx, (unsigned char *)input->data, input->length); krb5_MD5Final(&ctx); diff --git a/src/lib/crypto/yarrow/yhash.h b/src/lib/crypto/yarrow/yhash.h index aaa739fe1e..ee4f03eb23 100644 --- a/src/lib/crypto/yarrow/yhash.h +++ b/src/lib/crypto/yarrow/yhash.h 
@@ -19,12 +19,8 @@ unsigned char *out2 = (void *)(tdigest); \ HASH_CTX *ctx = (x); \ shsFinal(ctx); \ -for (loopvar=0; loopvar<(sizeof(ctx->digest)/sizeof(ctx->digest[0])); loopvar++) { \ - out2[loopvar*4] = (ctx->digest[loopvar]>>24)&0xff; \ - out2[loopvar*4+1] = (ctx->digest[loopvar]>>16)&0xff; \ - out2[loopvar*4+2] = (ctx->digest[loopvar]>>8)&0xff; \ - out2[loopvar*4+3] = ctx->digest[loopvar]&0xff; \ -} \ + for (loopvar=0; loopvar<(sizeof(ctx->digest)/sizeof(ctx->digest[0])); loopvar++) \ + store_32_be(ctx->digest[loopvar], &out2[loopvar*4]); \ } while(0) diff --git a/src/lib/gssapi/generic/gssapiP_generic.h b/src/lib/gssapi/generic/gssapiP_generic.h index b84f69e6a5..b684055c49 100644 --- a/src/lib/gssapi/generic/gssapiP_generic.h +++ b/src/lib/gssapi/generic/gssapiP_generic.h 
@@ -59,27 +59,19 @@ typedef UINT64_TYPE gssint_uint64; things */ #define TWRITE_INT(ptr, num, bigend) \ - (ptr)[0] = (char) ((bigend)?((num)>>24):((num)&0xff)); \ - (ptr)[1] = (char) ((bigend)?(((num)>>16)&0xff):(((num)>>8)&0xff)); \ - (ptr)[2] = (char) ((bigend)?(((num)>>8)&0xff):(((num)>>16)&0xff)); \ - (ptr)[3] = (char) ((bigend)?((num)&0xff):((num)>>24)); \ + if (bigend) store_32_be(num, ptr); else store_32_le(num, ptr); \ (ptr) += 4; #define TWRITE_INT16(ptr, num, bigend) \ - (ptr)[0] = (char) ((bigend)?((num)>>24):((num)&0xff)); \ - (ptr)[1] = (char) ((bigend)?(((num)>>16)&0xff):(((num)>>8)&0xff)); \ + if (bigend) store_16_be((num)>>16, ptr); else store_16_le(num, ptr); \ (ptr) += 2; -#define TREAD_INT(ptr, num, bigend) \ - (num) = (((ptr)[0]<<((bigend)?24: 0)) | \ - ((ptr)[1]<<((bigend)?16: 8)) | \ - ((ptr)[2]<<((bigend)? 8:16)) | \ - ((ptr)[3]<<((bigend)? 0:24))); \ +#define TREAD_INT(ptr, num, bigend) \ + (num) = ((bigend) ? load_32_be(ptr) : load_32_le(ptr)); \ (ptr) += 4; -#define TREAD_INT16(ptr, num, bigend) \ - (num) = (((ptr)[0]<<((bigend)?24: 0)) | \ - ((ptr)[1]<<((bigend)?16: 8))); \ +#define TREAD_INT16(ptr, num, bigend) \ + (num) = ((bigend) ? (load_16_be(ptr) << 16) : load_16_le(ptr)); \ (ptr) += 2; #define TWRITE_STR(ptr, str, len) \ diff --git a/src/lib/gssapi/krb5/k5seal.c b/src/lib/gssapi/krb5/k5seal.c index aba8d81d6b..bff1ab1858 100644 --- a/src/lib/gssapi/krb5/k5seal.c +++ b/src/lib/gssapi/krb5/k5seal.c @@ -121,13 +121,11 @@ make_seal_token_v1 (krb5_context context, g_make_token_header(oid, 14+cksum_size+tmsglen, &ptr, toktype); /* 0..1 SIGN_ALG */ - ptr[0] = signalg & 0xff; - ptr[1] = (signalg >> 8) & 0xff; + store_16_le(signalg, &ptr[0]); /* 2..3 SEAL_ALG or Filler */ if ((toktype == KG_TOK_SEAL_MSG) && do_encrypt) { - ptr[2] = sealalg & 0xff; - ptr[3] = (sealalg >> 8) & 0xff; + store_16_le(sealalg, &ptr[2]); } else { /* No seal */ ptr[2] = 0xff; 
@@ -260,10 +258,7 @@ make_seal_token_v1 (krb5_context context, unsigned char bigend_seqnum[4]; krb5_keyblock *enc_key; int i; - bigend_seqnum[0] = (*seqnum>>24) & 0xff; - bigend_seqnum[1] = (*seqnum>>16) & 0xff; - bigend_seqnum[2] = (*seqnum>>8) & 0xff; - bigend_seqnum[3] = *seqnum & 0xff; + store_32_be(seqnum, bigend_seqnum); code = krb5_copy_keyblock (context, enc, &enc_key); if (code) { diff --git a/src/lib/gssapi/krb5/k5sealiov.c b/src/lib/gssapi/krb5/k5sealiov.c index 1d0c57300d..f4354a9f3d 100644 --- a/src/lib/gssapi/krb5/k5sealiov.c +++ b/src/lib/gssapi/krb5/k5sealiov.c @@ -2,7 +2,7 @@ /* * lib/gssapi/krb5/k5sealiov.c * - * Copyright 2008 by the Massachusetts Institute of Technology. + * Copyright 2008, 2009 by the Massachusetts Institute of Technology. * All Rights Reserved. * * Export of this software from the United States of America may @@ -133,13 +133,11 @@ make_seal_token_v1_iov(krb5_context context, g_make_token_header(ctx->mech_used, 14 + ctx->cksum_size + tmsglen, &ptr, toktype); /* 0..1 SIGN_ALG */ - ptr[0] = (ctx->signalg ) & 0xFF; - ptr[1] = (ctx->signalg >> 8) & 0xFF; + store_16_le(ctx->signalg, &ptr[0]); /* 2..3 SEAL_ALG or Filler */ if (toktype == KG_TOK_WRAP_MSG && conf_req_flag) { - ptr[2] = (ctx->sealalg ) & 0xFF; - ptr[3] = (ctx->sealalg >> 8) & 0xFF; + store_16_le(ctx->sealalg, &ptr[2]); } else { /* No seal */ ptr[2] = 0xFF; @@ -226,10 +224,7 @@ make_seal_token_v1_iov(krb5_context context, krb5_keyblock *enc_key; size_t i; - bigend_seqnum[0] = (ctx->seq_send >> 24) & 0xFF; - bigend_seqnum[1] = (ctx->seq_send >> 16) & 0xFF; - bigend_seqnum[2] = (ctx->seq_send >> 8 ) & 0xFF; - bigend_seqnum[3] = (ctx->seq_send ) & 0xFF; + store_32_be(ctx->seq_send, bigend_seqnum); code = krb5_copy_keyblock(context, ctx->enc, &enc_key); if (code != 0) diff --git a/src/lib/gssapi/krb5/k5sealv3iov.c b/src/lib/gssapi/krb5/k5sealv3iov.c index d8542760dd..98904b62d7 100644 --- a/src/lib/gssapi/krb5/k5sealv3iov.c +++ b/src/lib/gssapi/krb5/k5sealv3iov.c 
@@ -52,7 +52,7 @@ gss_krb5int_make_seal_token_v3_iov(krb5_context context, unsigned char *tbuf = NULL; int key_usage; size_t rrc = 0; - size_t gss_headerlen, gss_trailerlen; + unsigned int gss_headerlen, gss_trailerlen; krb5_keyblock *key; krb5_cksumtype cksumtype; size_t data_length, assoc_data_length; @@ -130,21 +130,21 @@ gss_krb5int_make_seal_token_v3_iov(krb5_context context, } if (header->type & GSS_IOV_BUFFER_FLAG_ALLOCATE) - code = kg_allocate_iov(header, gss_headerlen); + code = kg_allocate_iov(header, (size_t) gss_headerlen); else if (header->buffer.length < gss_headerlen) code = KRB5_BAD_MSIZE; if (code != 0) goto cleanup; - header->buffer.length = gss_headerlen; + header->buffer.length = (size_t) gss_headerlen; if (trailer != NULL) { if (trailer->type & GSS_IOV_BUFFER_FLAG_ALLOCATE) - code = kg_allocate_iov(trailer, gss_trailerlen); + code = kg_allocate_iov(trailer, (size_t) gss_trailerlen); else if (trailer->buffer.length < gss_trailerlen) code = KRB5_BAD_MSIZE; if (code != 0) goto cleanup; - trailer->buffer.length = gss_trailerlen; + trailer->buffer.length = (size_t) gss_trailerlen; } /* TOK_ID */ @@ -199,21 +199,21 @@ gss_krb5int_make_seal_token_v3_iov(krb5_context context, } if (header->type & GSS_IOV_BUFFER_FLAG_ALLOCATE) - code = kg_allocate_iov(header, gss_headerlen); + code = kg_allocate_iov(header, (size_t) gss_headerlen); else if (header->buffer.length < gss_headerlen) code = KRB5_BAD_MSIZE; if (code != 0) goto cleanup; - header->buffer.length = gss_headerlen; + header->buffer.length = (size_t) gss_headerlen; if (trailer != NULL) { if (trailer->type & GSS_IOV_BUFFER_FLAG_ALLOCATE) - code = kg_allocate_iov(trailer, gss_trailerlen); + code = kg_allocate_iov(trailer, (size_t) gss_trailerlen); else if (trailer->buffer.length < gss_trailerlen) code = KRB5_BAD_MSIZE; if (code != 0) goto cleanup; - trailer->buffer.length = gss_trailerlen; + trailer->buffer.length = (size_t) gss_trailerlen; } /* TOK_ID */ 
diff --git a/src/lib/gssapi/krb5/k5unseal.c b/src/lib/gssapi/krb5/k5unseal.c index 8020b15f32..f55180af86 100644 --- a/src/lib/gssapi/krb5/k5unseal.c +++ b/src/lib/gssapi/krb5/k5unseal.c @@ -175,10 +175,7 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer, unsigned char bigend_seqnum[4]; krb5_keyblock *enc_key; int i; - bigend_seqnum[0] = (seqnum>>24) & 0xff; - bigend_seqnum[1] = (seqnum>>16) & 0xff; - bigend_seqnum[2] = (seqnum>>8) & 0xff; - bigend_seqnum[3] = seqnum & 0xff; + store_32_be(seqnum, bigend_seqnum); code = krb5_copy_keyblock (context, ctx->enc, &enc_key); if (code) { diff --git a/src/lib/gssapi/krb5/k5unsealiov.c b/src/lib/gssapi/krb5/k5unsealiov.c index 87a4b20f96..5d2bd1afa5 100644 --- a/src/lib/gssapi/krb5/k5unsealiov.c +++ b/src/lib/gssapi/krb5/k5unsealiov.c @@ -2,7 +2,7 @@ /* * lib/gssapi/krb5/k5unsealiov.c * - * Copyright 2008 by the Massachusetts Institute of Technology. + * Copyright 2008, 2009 by the Massachusetts Institute of Technology. * All Rights Reserved. * * Export of this software from the United States of America may @@ -151,10 +151,7 @@ kg_unseal_v1_iov(krb5_context context, krb5_keyblock *enc_key; size_t i; - bigend_seqnum[0] = (seqnum >> 24) & 0xFF; - bigend_seqnum[1] = (seqnum >> 16) & 0xFF; - bigend_seqnum[2] = (seqnum >> 8 ) & 0xFF; - bigend_seqnum[3] = (seqnum ) & 0xFF; + store_32_be(seqnum, bigend_seqnum); code = krb5_copy_keyblock(context, ctx->enc, &enc_key); if (code != 0) { diff --git a/src/lib/gssapi/krb5/util_crypt.c b/src/lib/gssapi/krb5/util_crypt.c index db38e9eaba..a8558a5944 100644 --- a/src/lib/gssapi/krb5/util_crypt.c +++ b/src/lib/gssapi/krb5/util_crypt.c 
@@ -317,10 +317,8 @@ kg_arcfour_docrypt (const krb5_keyblock *longterm_key , int ms_usage, memcpy(t, kg_arcfour_l40, sizeof(kg_arcfour_l40)); i += sizeof(kg_arcfour_l40); } - t[i++] = ms_usage &0xff; - t[i++] = (ms_usage>>8) & 0xff; - t[i++] = (ms_usage>>16) & 0xff; - t[i++] = (ms_usage>>24) & 0xff; + store_32_le(ms_usage, &t[i]); + i += 4; input.data = (void *) &t; input.length = i; output.data = (void *) usage_key.contents; @@ -684,10 +682,8 @@ kg_arcfour_docrypt_iov (krb5_context context, memcpy(t, kg_arcfour_l40, sizeof(kg_arcfour_l40)); i += sizeof(kg_arcfour_l40); } - t[i++] = ms_usage &0xff; - t[i++] = (ms_usage>>8) & 0xff; - t[i++] = (ms_usage>>16) & 0xff; - t[i++] = (ms_usage>>24) & 0xff; + store_32_le(ms_usage, &t[i]); + i += 4; input.data = (void *) &t; input.length = i; output.data = (void *) usage_key.contents; diff --git a/src/lib/gssapi/krb5/util_seqnum.c b/src/lib/gssapi/krb5/util_seqnum.c index 372cb62a91..b91dd658c0 100644 --- a/src/lib/gssapi/krb5/util_seqnum.c +++ b/src/lib/gssapi/krb5/util_seqnum.c @@ -1,6 +1,6 @@ /* -*- mode: c; indent-tabs-mode: nil -*- */ /* - * Copyright2001 by the Massachusetts Institute of Technology. + * Copyright 2001, 2009 by the Massachusetts Institute of Technology. * Copyright 1993 by OpenVision Technologies, Inc. * * Permission to use, copy, modify, distribute, and sell this software @@ -47,10 +47,7 @@ kg_make_seq_num(context, key, direction, seqnum, cksum, buf) if (key->enctype == ENCTYPE_ARCFOUR_HMAC || key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP) { /* Yes, Microsoft used big-endian sequence number.*/ - plain[0] = (seqnum>>24) & 0xff; - plain[1] = (seqnum>>16) & 0xff; - plain[2] = (seqnum>>8) & 0xff; - plain[3] = seqnum & 0xff; + store_32_be(seqnum, plain); return kg_arcfour_docrypt (key, 0, cksum, 8, &plain[0], 8, 
@@ -58,11 +55,7 @@ kg_make_seq_num(context, key, direction, seqnum, cksum, buf) } - plain[0] = (unsigned char) (seqnum&0xff); - plain[1] = (unsigned char) ((seqnum>>8)&0xff); - plain[2] = (unsigned char) ((seqnum>>16)&0xff); - plain[3] = (unsigned char) ((seqnum>>24)&0xff); - + store_32_le(seqnum, plain); return(kg_encrypt(context, key, KG_USAGE_SEQ, cksum, plain, buf, 8)); } diff --git a/src/lib/gssapi/mechglue/g_glue.c b/src/lib/gssapi/mechglue/g_glue.c index 8b4070eb4f..5a8ea54b1e 100644 --- a/src/lib/gssapi/mechglue/g_glue.c +++ b/src/lib/gssapi/mechglue/g_glue.c @@ -407,8 +407,8 @@ OM_uint32 gssint_export_internal_name(minor_status, mech_type, /* spec allows only 2 bytes for the mech oid length */ mechOidLen = mechOidDERLen + mechOidTagLen + mech_type->length; - *buf++ = (mechOidLen & 0xFF00) >> 8; - *buf++ = (mechOidLen & 0x00FF); + store_16_be(mechOidLen, buf); + buf += 2; /* * DER Encoding of mech OID contains OID Tag (0x06), length and @@ -427,10 +427,8 @@ OM_uint32 gssint_export_internal_name(minor_status, mech_type, buf += mech_type->length; /* spec designates the next 4 bytes for the name length */ - *buf++ = (dispName.length & 0xFF000000) >> 24; - *buf++ = (dispName.length & 0x00FF0000) >> 16; - *buf++ = (dispName.length & 0x0000FF00) >> 8; - *buf++ = (dispName.length & 0X000000FF); + store_32_be(dispName.length, buf); + buf += 4; /* for the final ingredient - add the name from gss_display_name */ (void) memcpy(buf, dispName.value, dispName.length); diff --git a/src/lib/kadm5/admin.h b/src/lib/kadm5/admin.h index b2d05ad68a..cdf2f4dc8d 100644 --- a/src/lib/kadm5/admin.h +++ b/src/lib/kadm5/admin.h @@ -283,6 +283,8 @@ typedef struct __krb5_realm_params { char * realm_kdc_ports; char * realm_kdc_tcp_ports; char * realm_acl_file; + char * realm_host_based_services; + char * realm_no_host_referral; krb5_int32 realm_kadmind_port; krb5_enctype realm_enctype; krb5_deltat realm_max_life; 
diff --git a/src/lib/kadm5/alt_prof.c b/src/lib/kadm5/alt_prof.c index 45f748d0f9..2d8ca15a94 100644 --- a/src/lib/kadm5/alt_prof.c +++ b/src/lib/kadm5/alt_prof.c @@ -1,7 +1,7 @@ /* * lib/kadm/alt_prof.c * - * Copyright 1995,2001,2008 by the Massachusetts Institute of Technology. + * Copyright 1995,2001,2008,2009 by the Massachusetts Institute of Technology. * All Rights Reserved. * * Export of this software from the United States of America may 
@@ -46,95 +46,95 @@ krb5_int32 len; krb5_key_salt_tuple *knew; if((knew = (krb5_key_salt_tuple *) - malloc((len ) * sizeof(krb5_key_salt_tuple)))) { + malloc((len ) * sizeof(krb5_key_salt_tuple)))) { memcpy(knew, ksalt, len * sizeof(krb5_key_salt_tuple)); - return knew; + return knew; } return 0; } /* - * krb5_aprof_init() - Initialize alternate profile context. + * krb5_aprof_init() - Initialize alternate profile context. * * Parameters: - * fname - default file name of the profile. - * envname - environment variable name which can override fname. - * acontextp - Pointer to opaque context for alternate profile. + * fname - default file name of the profile. + * envname - environment variable name which can override fname. + * acontextp - Pointer to opaque context for alternate profile. * * Returns: - * error codes from profile_init() + * error codes from profile_init() */ krb5_error_code krb5_aprof_init(fname, envname, acontextp) - char *fname; - char *envname; - krb5_pointer *acontextp; + char *fname; + char *envname; + krb5_pointer *acontextp; { - krb5_error_code kret; - profile_t profile; - const char *kdc_config; - char *profile_path; - char **filenames; - int i; - struct k5buf buf; + krb5_error_code kret; + profile_t profile; + const char *kdc_config; + char *profile_path; + char **filenames; + int i; + struct k5buf buf; kret = krb5_get_default_config_files (&filenames); if (kret) - return kret; + return kret; if (envname == NULL || (kdc_config = getenv(envname)) == NULL) - kdc_config = fname; + kdc_config = fname; krb5int_buf_init_dynamic(&buf); if (kdc_config) - krb5int_buf_add(&buf, kdc_config); + krb5int_buf_add(&buf, kdc_config); for (i = 0; filenames[i] != NULL; i++) { - if (krb5int_buf_len(&buf) > 0) - krb5int_buf_add(&buf, ":"); - krb5int_buf_add(&buf, filenames[i]); + if (krb5int_buf_len(&buf) > 0) + krb5int_buf_add(&buf, ":"); + krb5int_buf_add(&buf, filenames[i]); } krb5_free_config_files(filenames); profile_path = krb5int_buf_data(&buf); if 
(profile_path == NULL) - return ENOMEM; + return ENOMEM; profile = (profile_t) NULL; kret = profile_init_path(profile_path, &profile); free(profile_path); if (kret) - return kret; + return kret; *acontextp = profile; return 0; } /* - * krb5_aprof_getvals() - Get values from alternate profile. + * krb5_aprof_getvals() - Get values from alternate profile. * * Parameters: - * acontext - opaque context for alternate profile. - * hierarchy - hierarchy of value to retrieve. - * retdata - Returned data values. + * acontext - opaque context for alternate profile. + * hierarchy - hierarchy of value to retrieve. + * retdata - Returned data values. * * Returns: - * error codes from profile_get_values() + * error codes from profile_get_values() */ krb5_error_code krb5_aprof_getvals(acontext, hierarchy, retdata) - krb5_pointer acontext; - const char **hierarchy; - char ***retdata; + krb5_pointer acontext; + const char **hierarchy; + char ***retdata; { return(profile_get_values((profile_t) acontext, - hierarchy, - retdata)); + hierarchy, + retdata)); } /* * krb5_aprof_get_boolean() * * Parameters: - * acontext - opaque context for alternate profile - * hierarchy - hierarchy of value to retrieve - * retdata - Returned data value + * acontext - opaque context for alternate profile + * hierarchy - hierarchy of value to retrieve + * retdata - Returned data value * Returns: - * error codes + * error codes */ static krb5_error_code 
@@ -145,21 +145,21 @@ string_to_boolean (const char *string, krb5_boolean *out) unsigned int i; for (i = 0; i < sizeof(yes)/sizeof(yes[0]); i++) - if (!strcasecmp(string, yes[i])) { - *out = 1; - return 0; - } + if (!strcasecmp(string, yes[i])) { + *out = 1; + return 0; + } for (i = 0; i < sizeof(no)/sizeof(no[0]); i++) - if (!strcasecmp(string, no[i])) { - *out = 0; - return 0; - } + if (!strcasecmp(string, no[i])) { + *out = 0; + return 0; + } return PROF_BAD_BOOLEAN; } krb5_error_code krb5_aprof_get_boolean(krb5_pointer acontext, const char **hierarchy, - int uselast, krb5_boolean *retdata) + int uselast, krb5_boolean *retdata) { krb5_error_code kret; char **values; 
@@ -169,164 +169,217 @@ krb5_aprof_get_boolean(krb5_pointer acontext, const char **hierarchy, kret = krb5_aprof_getvals (acontext, hierarchy, &values); if (kret) - return kret; + return kret; idx = 0; if (uselast) { - while (values[idx]) - idx++; - idx--; + while (values[idx]) + idx++; + idx--; } valp = values[idx]; kret = string_to_boolean (valp, &val); profile_free_list(values); if (kret) - return kret; + return kret; *retdata = val; return 0; } /* - * krb5_aprof_get_deltat() - Get a delta time value from the alternate - * profile. + * krb5_aprof_get_deltat() - Get a delta time value from the alternate + * profile. * * Parameters: - * acontext - opaque context for alternate profile. - * hierarchy - hierarchy of value to retrieve. - * uselast - if true, use last value, otherwise use - * first value found. - * deltatp - returned delta time value. + * acontext - opaque context for alternate profile. + * hierarchy - hierarchy of value to retrieve. + * uselast - if true, use last value, otherwise use + * first value found. + * deltatp - returned delta time value. 
* * Returns: - * error codes from profile_get_values() - * error codes from krb5_string_to_deltat() + * error codes from profile_get_values() + * error codes from krb5_string_to_deltat() */ krb5_error_code krb5_aprof_get_deltat(acontext, hierarchy, uselast, deltatp) - krb5_pointer acontext; - const char **hierarchy; - krb5_boolean uselast; - krb5_deltat *deltatp; + krb5_pointer acontext; + const char **hierarchy; + krb5_boolean uselast; + krb5_deltat *deltatp; { - krb5_error_code kret; - char **values; - char *valp; - int idx; + krb5_error_code kret; + char **values; + char *valp; + int idx; if (!(kret = krb5_aprof_getvals(acontext, hierarchy, &values))) { - idx = 0; - if (uselast) { - for (idx=0; values[idx]; idx++); - idx--; - } - valp = values[idx]; - kret = krb5_string_to_deltat(valp, deltatp); - - /* Free the string storage */ - profile_free_list(values); + idx = 0; + if (uselast) { + for (idx=0; values[idx]; idx++); + idx--; + } + valp = values[idx]; + kret = krb5_string_to_deltat(valp, deltatp); + + /* Free the string storage */ + profile_free_list(values); } return(kret); } /* - * krb5_aprof_get_string() - Get a string value from the alternate - * profile. + * krb5_aprof_get_string() - Get a string value from the alternate + * profile. * * Parameters: - * acontext - opaque context for alternate profile. - * hierarchy - hierarchy of value to retrieve. - * uselast - if true, use last value, otherwise use - * first value found. - * stringp - returned string value. + * acontext - opaque context for alternate profile. + * hierarchy - hierarchy of value to retrieve. + * uselast - if true, use last value, otherwise use + * first value found. + * stringp - returned string value. 
* * Returns: - * error codes from profile_get_values() + * error codes from profile_get_values() */ krb5_error_code krb5_aprof_get_string(acontext, hierarchy, uselast, stringp) - krb5_pointer acontext; - const char **hierarchy; - krb5_boolean uselast; - char **stringp; + krb5_pointer acontext; + const char **hierarchy; + krb5_boolean uselast; + char **stringp; { - krb5_error_code kret; - char **values; - int lastidx; + krb5_error_code kret; + char **values; + int lastidx; if (!(kret = krb5_aprof_getvals(acontext, hierarchy, &values))) { - for (lastidx=0; values[lastidx]; lastidx++); - lastidx--; - - /* Excise the entry we want from the null-terminated list, - and free up the rest. */ - if (uselast) { - *stringp = values[lastidx]; - values[lastidx] = NULL; - } else { - *stringp = values[0]; - values[0] = values[lastidx]; - values[lastidx] = NULL; - } - - /* Free the string storage */ - profile_free_list(values); + for (lastidx=0; values[lastidx]; lastidx++); + lastidx--; + + /* Excise the entry we want from the null-terminated list, + and free up the rest. */ + if (uselast) { + *stringp = values[lastidx]; + values[lastidx] = NULL; + } else { + *stringp = values[0]; + values[0] = values[lastidx]; + values[lastidx] = NULL; + } + + /* Free the string storage */ + profile_free_list(values); } return(kret); } /* - * krb5_aprof_get_int32() - Get a 32-bit integer value from the alternate - * profile. + * krb5_aprof_get_string_all() - When the attr identified by "hierarchy" is specified multiple times, + * collect all its string values from the alternate profile. + * + * Parameters: + * acontext - opaque context for alternate profile. + * hierarchy - hierarchy of value to retrieve. + * stringp - Returned string value. 
+ * + * Returns: + * error codes from profile_get_values() or ENOMEM + * Caller is responsible for deallocating stringp buffer + */ +krb5_error_code +krb5_aprof_get_string_all(acontext, hierarchy, stringp) + krb5_pointer acontext; + const char **hierarchy; + char **stringp; +{ + krb5_error_code kret=0; + char **values; + int lastidx; + char *tmp; + size_t buf_size=0; + kret = krb5_aprof_getvals(acontext, hierarchy, &values); + if (!kret) { + for (lastidx=0; values[lastidx]; lastidx++); + lastidx--; + + buf_size = strlen(values[0])+2; + for (lastidx=1; values[lastidx]; lastidx++){ + buf_size += strlen(values[lastidx]+1); + } + } + if (buf_size > 0) { + *stringp = calloc(1,buf_size); + if (stringp == NULL){ + profile_free_list(values); + return ENOMEM; + } + tmp=*stringp; + strlcpy(tmp, values[0], buf_size); + for (lastidx=1; values[lastidx]; lastidx++){ + tmp = strcat(tmp, " "); + tmp = strcat(tmp, values[lastidx]); + } + /* Free the string storage */ + profile_free_list(values); + } + return(kret); +} + + +/* + * krb5_aprof_get_int32() - Get a 32-bit integer value from the alternate + * profile. * * Parameters: - * acontext - opaque context for alternate profile. - * hierarchy - hierarchy of value to retrieve. - * uselast - if true, use last value, otherwise use - * first value found. - * intp - returned 32-bit integer value. + * acontext - opaque context for alternate profile. + * hierarchy - hierarchy of value to retrieve. + * uselast - if true, use last value, otherwise use + * first value found. + * intp - returned 32-bit integer value. 
* * Returns: - * error codes from profile_get_values() - * EINVAL - value is not an integer + * error codes from profile_get_values() + * EINVAL - value is not an integer */ krb5_error_code krb5_aprof_get_int32(acontext, hierarchy, uselast, intp) - krb5_pointer acontext; - const char **hierarchy; - krb5_boolean uselast; - krb5_int32 *intp; + krb5_pointer acontext; + const char **hierarchy; + krb5_boolean uselast; + krb5_int32 *intp; { - krb5_error_code kret; - char **values; - int idx; + krb5_error_code kret; + char **values; + int idx; if (!(kret = krb5_aprof_getvals(acontext, hierarchy, &values))) { - idx = 0; - if (uselast) { - for (idx=0; values[idx]; idx++); - idx--; - } + idx = 0; + if (uselast) { + for (idx=0; values[idx]; idx++); + idx--; + } - if (sscanf(values[idx], "%d", intp) != 1) - kret = EINVAL; + if (sscanf(values[idx], "%d", intp) != 1) + kret = EINVAL; - /* Free the string storage */ - profile_free_list(values); + /* Free the string storage */ + profile_free_list(values); } return(kret); } /* - * krb5_aprof_finish() - Finish alternate profile context. + * krb5_aprof_finish() - Finish alternate profile context. * * Parameter: - * acontext - opaque context for alternate profile. + * acontext - opaque context for alternate profile. * * Returns: - * 0 on success, something else on failure. + * 0 on success, something else on failure. */ krb5_error_code krb5_aprof_finish(acontext) - krb5_pointer acontext; + krb5_pointer acontext; { profile_release(acontext); return(0); 
@@ -342,32 +395,32 @@ krb5_aprof_finish(acontext) */ static int get_string_param(char **param_out, char *param_in, - long *mask_out, long mask_in, long mask_bit, - krb5_pointer aprofile, - const char **hierarchy, - const char *config_name, - const char *default_value) + long *mask_out, long mask_in, long mask_bit, + krb5_pointer aprofile, + const char **hierarchy, + const char *config_name, + const char *default_value) { char *svalue; hierarchy[2] = config_name; if (mask_in & mask_bit) { - *param_out = strdup(param_in); - if (*param_out) - *mask_out |= mask_bit; - return 1; + *param_out = strdup(param_in); + if (*param_out) + *mask_out |= mask_bit; + return 1; } else if (aprofile && - !krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) { - *param_out = svalue; - *mask_out |= mask_bit; - return 1; + !krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) { + *param_out = svalue; + *mask_out |= mask_bit; + return 1; } else if (default_value) { - *param_out = strdup(default_value); - if (*param_out) - *mask_out |= mask_bit; - return 1; + *param_out = strdup(default_value); + if (*param_out) + *mask_out |= mask_bit; + return 1; } else { - return 0; + return 0; } } /* 
@@ -376,27 +429,27 @@ get_string_param(char **param_out, char *param_in, */ static void get_port_param(int *param_out, int param_in, - long *mask_out, long mask_in, long mask_bit, - krb5_pointer aprofile, - const char **hierarchy, - const char *config_name, - int default_value) + long *mask_out, long mask_in, long mask_bit, + krb5_pointer aprofile, + const char **hierarchy, + const char *config_name, + int default_value) { krb5_int32 ivalue; if (! (*mask_out & mask_bit)) { - hierarchy[2] = config_name; - if (mask_in & mask_bit) { - *mask_out |= mask_bit; - *param_out = param_in; - } else if (aprofile && - !krb5_aprof_get_int32(aprofile, hierarchy, TRUE, &ivalue)) { - *param_out = ivalue; - *mask_out |= mask_bit; - } else if (default_value) { - *param_out = default_value; - *mask_out |= mask_bit; - } + hierarchy[2] = config_name; + if (mask_in & mask_bit) { + *mask_out |= mask_bit; + *param_out = param_in; + } else if (aprofile && + !krb5_aprof_get_int32(aprofile, hierarchy, TRUE, &ivalue)) { + *param_out = ivalue; + *mask_out |= mask_bit; + } else if (default_value) { + *param_out = default_value; + *mask_out |= mask_bit; + } } } /* 
@@ -404,25 +457,25 @@ get_port_param(int *param_out, int param_in, */ static void get_deltat_param(krb5_deltat *param_out, krb5_deltat param_in, - long *mask_out, long mask_in, long mask_bit, - krb5_pointer aprofile, - const char **hierarchy, - const char *config_name, - krb5_deltat default_value) + long *mask_out, long mask_in, long mask_bit, + krb5_pointer aprofile, + const char **hierarchy, + const char *config_name, + krb5_deltat default_value) { krb5_deltat dtvalue; hierarchy[2] = config_name; if (mask_in & mask_bit) { - *mask_out |= mask_bit; - *param_out = param_in; + *mask_out |= mask_bit; + *param_out = param_in; } else if (aprofile && - !krb5_aprof_get_deltat(aprofile, hierarchy, TRUE, &dtvalue)) { - *param_out = dtvalue; - *mask_out |= mask_bit; + !krb5_aprof_get_deltat(aprofile, hierarchy, TRUE, &dtvalue)) { + *param_out = dtvalue; + *mask_out |= mask_bit; } else { - *param_out = default_value; - *mask_out |= mask_bit; + *param_out = default_value; + *mask_out |= mask_bit; } } @@ -434,13 +487,13 @@ get_deltat_param(krb5_deltat *param_out, krb5_deltat param_in, * * Arguments: * - * context (r) krb5_context to use - * profile (r) profile file to use - * envname (r) envname that contains a profile name to - * override profile - * params_in (r) params structure containing user-supplied - * values, or NULL - * params_out (w) params structure to be filled in + * context (r) krb5_context to use + * profile (r) profile file to use + * envname (r) envname that contains a profile name to + * override profile + * params_in (r) params structure containing user-supplied + * values, or NULL + * params_out (w) params structure to be filled in * * Effects: * 
@@ -455,21 +508,21 @@ get_deltat_param(krb5_deltat *param_out, krb5_deltat param_in, * versions, overwriting the old pointer value. */ krb5_error_code kadm5_get_config_params(context, use_kdc_config, - params_in, params_out) - krb5_context context; - int use_kdc_config; - kadm5_config_params *params_in, *params_out; + params_in, params_out) + krb5_context context; + int use_kdc_config; + kadm5_config_params *params_in, *params_out; { - char *filename; - char *envname; - char *lrealm; - krb5_pointer aprofile = 0; - const char *hierarchy[4]; - char *svalue; - krb5_int32 ivalue; + char *filename; + char *envname; + char *lrealm; + krb5_pointer aprofile = 0; + const char *hierarchy[4]; + char *svalue; + krb5_int32 ivalue; kadm5_config_params params, empty_params; - krb5_error_code kret = 0; + krb5_error_code kret = 0; memset((char *) ¶ms, 0, sizeof(params)); memset((char *) &empty_params, 0, sizeof(empty_params)); @@ -477,15 +530,15 @@ krb5_error_code kadm5_get_config_params(context, use_kdc_config, if (params_in == NULL) params_in = &empty_params; if (params_in->mask & KADM5_CONFIG_REALM) { - lrealm = params.realm = strdup(params_in->realm); - if (params.realm) - params.mask |= KADM5_CONFIG_REALM; + lrealm = params.realm = strdup(params_in->realm); + if (params.realm) + params.mask |= KADM5_CONFIG_REALM; } else { - kret = krb5_get_default_realm(context, &lrealm); - if (kret) - goto cleanup; - params.realm = lrealm; - params.mask |= KADM5_CONFIG_REALM; + kret = krb5_get_default_realm(context, &lrealm); + if (kret) + goto cleanup; + params.realm = lrealm; + params.mask |= KADM5_CONFIG_REALM; } if (params_in->mask & KADM5_CONFIG_KVNO) { 
@@ -499,45 +552,45 @@ krb5_error_code kadm5_get_config_params(context, use_kdc_config, * defaults for NULL values. */ if (use_kdc_config) { - filename = DEFAULT_KDC_PROFILE; - envname = KDC_PROFILE_ENV; + filename = DEFAULT_KDC_PROFILE; + envname = KDC_PROFILE_ENV; } else { - filename = DEFAULT_PROFILE_PATH; - envname = "KRB5_CONFIG"; + filename = DEFAULT_PROFILE_PATH; + envname = "KRB5_CONFIG"; } if (context->profile_secure == TRUE) envname = 0; kret = krb5_aprof_init(filename, envname, &aprofile); if (kret) - goto cleanup; + goto cleanup; /* Initialize realm parameters */ hierarchy[0] = "realms"; hierarchy[1] = lrealm; hierarchy[3] = (char *) NULL; -#define GET_STRING_PARAM(FIELD, BIT, CONFTAG, DEFAULT) \ - get_string_param(¶ms.FIELD, params_in->FIELD, \ - ¶ms.mask, params_in->mask, BIT, \ - aprofile, hierarchy, CONFTAG, DEFAULT) +#define GET_STRING_PARAM(FIELD, BIT, CONFTAG, DEFAULT) \ + get_string_param(¶ms.FIELD, params_in->FIELD, \ + ¶ms.mask, params_in->mask, BIT, \ + aprofile, hierarchy, CONFTAG, DEFAULT) /* Get the value for the admin server */ GET_STRING_PARAM(admin_server, KADM5_CONFIG_ADMIN_SERVER, "admin_server", - NULL); + NULL); if (params.mask & KADM5_CONFIG_ADMIN_SERVER) { - char *p; - p = strchr(params.admin_server, ':'); - if (p) { - params.kadmind_port = atoi(p+1); - params.mask |= KADM5_CONFIG_KADMIND_PORT; - *p = '\0'; - } + char *p; + p = strchr(params.admin_server, ':'); + if (p) { + params.kadmind_port = atoi(p+1); + params.mask |= KADM5_CONFIG_KADMIND_PORT; + *p = '\0'; + } } /* Get the value for the database */ GET_STRING_PARAM(dbname, KADM5_CONFIG_DBNAME, "database_name", - DEFAULT_KDB_FILE); + DEFAULT_KDB_FILE); params.admin_dbname_was_here = NULL; params.admin_lockfile_was_here = NULL; 
@@ -545,133 +598,133 @@ krb5_error_code kadm5_get_config_params(context, use_kdc_config, /* Get the value for the admin (policy) database lock file*/ if (!GET_STRING_PARAM(admin_keytab, KADM5_CONFIG_ADMIN_KEYTAB, - "admin_keytab", NULL)) { - const char *s = getenv("KRB5_KTNAME"); - if (s == NULL) - s = DEFAULT_KADM5_KEYTAB; - params.admin_keytab = strdup(s); - if (params.admin_keytab) - params.mask |= KADM5_CONFIG_ADMIN_KEYTAB; + "admin_keytab", NULL)) { + const char *s = getenv("KRB5_KTNAME"); + if (s == NULL) + s = DEFAULT_KADM5_KEYTAB; + params.admin_keytab = strdup(s); + if (params.admin_keytab) + params.mask |= KADM5_CONFIG_ADMIN_KEYTAB; } /* Get the name of the acl file */ GET_STRING_PARAM(acl_file, KADM5_CONFIG_ACL_FILE, "acl_file", - DEFAULT_KADM5_ACL_FILE); + DEFAULT_KADM5_ACL_FILE); /* Get the name of the dict file */ GET_STRING_PARAM(dict_file, KADM5_CONFIG_DICT_FILE, "dict_file", NULL); -#define GET_PORT_PARAM(FIELD, BIT, CONFTAG, DEFAULT) \ - get_port_param(¶ms.FIELD, params_in->FIELD, \ - ¶ms.mask, params_in->mask, BIT, \ - aprofile, hierarchy, CONFTAG, DEFAULT) +#define GET_PORT_PARAM(FIELD, BIT, CONFTAG, DEFAULT) \ + get_port_param(¶ms.FIELD, params_in->FIELD, \ + ¶ms.mask, params_in->mask, BIT, \ + aprofile, hierarchy, CONFTAG, DEFAULT) /* Get the value for the kadmind port */ GET_PORT_PARAM(kadmind_port, KADM5_CONFIG_KADMIND_PORT, - "kadmind_port", DEFAULT_KADM5_PORT); + "kadmind_port", DEFAULT_KADM5_PORT); /* Get the value for the kpasswd port */ GET_PORT_PARAM(kpasswd_port, KADM5_CONFIG_KPASSWD_PORT, - "kpasswd_port", DEFAULT_KPASSWD_PORT); + "kpasswd_port", DEFAULT_KPASSWD_PORT); /* Get the value for the master key name */ GET_STRING_PARAM(mkey_name, KADM5_CONFIG_MKEY_NAME, - "master_key_name", NULL); + "master_key_name", NULL); /* Get the value for the master key type */ hierarchy[2] = "master_key_type"; if (params_in->mask & KADM5_CONFIG_ENCTYPE) { - params.mask |= KADM5_CONFIG_ENCTYPE; - params.enctype = params_in->enctype; + params.mask |= 
KADM5_CONFIG_ENCTYPE; + params.enctype = params_in->enctype; } else if (aprofile && - !krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) { - if (!krb5_string_to_enctype(svalue, ¶ms.enctype)) { - params.mask |= KADM5_CONFIG_ENCTYPE; - krb5_xfree(svalue); - } + !krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) { + if (!krb5_string_to_enctype(svalue, ¶ms.enctype)) { + params.mask |= KADM5_CONFIG_ENCTYPE; + free(svalue); + } } else { - params.mask |= KADM5_CONFIG_ENCTYPE; - params.enctype = DEFAULT_KDC_ENCTYPE; + params.mask |= KADM5_CONFIG_ENCTYPE; + params.enctype = DEFAULT_KDC_ENCTYPE; } /* Get the value for mkey_from_kbd */ if (params_in->mask & KADM5_CONFIG_MKEY_FROM_KBD) { - params.mask |= KADM5_CONFIG_MKEY_FROM_KBD; - params.mkey_from_kbd = params_in->mkey_from_kbd; + params.mask |= KADM5_CONFIG_MKEY_FROM_KBD; + params.mkey_from_kbd = params_in->mkey_from_kbd; } /* Get the value for the stashfile */ GET_STRING_PARAM(stash_file, KADM5_CONFIG_STASH_FILE, - "key_stash_file", NULL); + "key_stash_file", NULL); /* Get the value for maximum ticket lifetime. */ -#define GET_DELTAT_PARAM(FIELD, BIT, CONFTAG, DEFAULT) \ - get_deltat_param(¶ms.FIELD, params_in->FIELD, \ - ¶ms.mask, params_in->mask, BIT, \ - aprofile, hierarchy, CONFTAG, DEFAULT) +#define GET_DELTAT_PARAM(FIELD, BIT, CONFTAG, DEFAULT) \ + get_deltat_param(¶ms.FIELD, params_in->FIELD, \ + ¶ms.mask, params_in->mask, BIT, \ + aprofile, hierarchy, CONFTAG, DEFAULT) GET_DELTAT_PARAM(max_life, KADM5_CONFIG_MAX_LIFE, "max_life", - 24 * 60 * 60); /* 1 day */ + 24 * 60 * 60); /* 1 day */ /* Get the value for maximum renewable ticket lifetime. 
*/ GET_DELTAT_PARAM(max_rlife, KADM5_CONFIG_MAX_RLIFE, "max_renewable_life", - 0); + 0); /* Get the value for the default principal expiration */ hierarchy[2] = "default_principal_expiration"; if (params_in->mask & KADM5_CONFIG_EXPIRATION) { - params.mask |= KADM5_CONFIG_EXPIRATION; - params.expiration = params_in->expiration; + params.mask |= KADM5_CONFIG_EXPIRATION; + params.expiration = params_in->expiration; } else if (aprofile && - !krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) { - if (!krb5_string_to_timestamp(svalue, ¶ms.expiration)) { - params.mask |= KADM5_CONFIG_EXPIRATION; - krb5_xfree(svalue); - } + !krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) { + if (!krb5_string_to_timestamp(svalue, ¶ms.expiration)) { + params.mask |= KADM5_CONFIG_EXPIRATION; + free(svalue); + } } else { - params.mask |= KADM5_CONFIG_EXPIRATION; - params.expiration = 0; + params.mask |= KADM5_CONFIG_EXPIRATION; + params.expiration = 0; } /* Get the value for the default principal flags */ hierarchy[2] = "default_principal_flags"; if (params_in->mask & KADM5_CONFIG_FLAGS) { - params.mask |= KADM5_CONFIG_FLAGS; - params.flags = params_in->flags; + params.mask |= KADM5_CONFIG_FLAGS; + params.flags = params_in->flags; } else if (aprofile && - !krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) { - char *sp, *ep, *tp; - - sp = svalue; - params.flags = 0; - while (sp) { - if ((ep = strchr(sp, (int) ',')) || - (ep = strchr(sp, (int) ' ')) || - (ep = strchr(sp, (int) '\t'))) { - /* Fill in trailing whitespace of sp */ - tp = ep - 1; - while (isspace((int) *tp) && (tp > sp)) { - *tp = '\0'; - tp--; - } - *ep = '\0'; - ep++; - /* Skip over trailing whitespace of ep */ - while (isspace((int) *ep) && (*ep)) ep++; - } - /* Convert this flag */ - if (krb5_string_to_flags(sp, - "+", - "-", - ¶ms.flags)) - break; - sp = ep; - } - if (!sp) - params.mask |= KADM5_CONFIG_FLAGS; - krb5_xfree(svalue); + !krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) { + 
char *sp, *ep, *tp; + + sp = svalue; + params.flags = 0; + while (sp) { + if ((ep = strchr(sp, (int) ',')) || + (ep = strchr(sp, (int) ' ')) || + (ep = strchr(sp, (int) '\t'))) { + /* Fill in trailing whitespace of sp */ + tp = ep - 1; + while (isspace((int) *tp) && (tp > sp)) { + *tp = '\0'; + tp--; + } + *ep = '\0'; + ep++; + /* Skip over trailing whitespace of ep */ + while (isspace((int) *ep) && (*ep)) ep++; + } + /* Convert this flag */ + if (krb5_string_to_flags(sp, + "+", + "-", + ¶ms.flags)) + break; + sp = ep; + } + if (!sp) + params.mask |= KADM5_CONFIG_FLAGS; + free(svalue); } else { - params.mask |= KADM5_CONFIG_FLAGS; - params.flags = KRB5_KDB_DEF_FLAGS; + params.mask |= KADM5_CONFIG_FLAGS; + params.flags = KRB5_KDB_DEF_FLAGS; } /* Get the value for the supported enctype/salttype matrix */ 
@@ -679,130 +732,130 @@ krb5_error_code kadm5_get_config_params(context, use_kdc_config, if (params_in->mask & KADM5_CONFIG_ENCTYPES) { /* The following scenario is when the input keysalts are !NULL */ if(params_in->keysalts) { - params.keysalts = copy_key_salt_tuple(params_in->keysalts, - params_in->num_keysalts); - if(params.keysalts) { - params.mask |= KADM5_CONFIG_ENCTYPES; - params.num_keysalts = params_in->num_keysalts; - } - } else { - params.mask |= KADM5_CONFIG_ENCTYPES; - params.keysalts = 0; - params.num_keysalts = params_in->num_keysalts; - } + params.keysalts = copy_key_salt_tuple(params_in->keysalts, + params_in->num_keysalts); + if(params.keysalts) { + params.mask |= KADM5_CONFIG_ENCTYPES; + params.num_keysalts = params_in->num_keysalts; + } + } else { + params.mask |= KADM5_CONFIG_ENCTYPES; + params.keysalts = 0; + params.num_keysalts = params_in->num_keysalts; + } } else { - svalue = NULL; - if (aprofile) - krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue); - if (svalue == NULL) - svalue = strdup("des3-hmac-sha1:normal des-cbc-crc:normal"); - - params.keysalts = NULL; - params.num_keysalts = 0; - krb5_string_to_keysalts(svalue, - ", \t",/* Tuple separators */ - ":.-", /* Key/salt separators */ - 0, /* No duplicates */ - ¶ms.keysalts, - ¶ms.num_keysalts); - if (params.num_keysalts) - params.mask |= KADM5_CONFIG_ENCTYPES; - - krb5_xfree(svalue); + svalue = NULL; + if (aprofile) + krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue); + if (svalue == NULL) + svalue = strdup("des3-hmac-sha1:normal des-cbc-crc:normal"); + + params.keysalts = NULL; + params.num_keysalts = 0; + krb5_string_to_keysalts(svalue, + ", \t",/* Tuple separators */ + ":.-", /* Key/salt separators */ + 0, /* No duplicates */ + ¶ms.keysalts, + ¶ms.num_keysalts); + if (params.num_keysalts) + params.mask |= KADM5_CONFIG_ENCTYPES; + + free(svalue); } - hierarchy[2] = "iprop_enable"; - - params.iprop_enabled = FALSE; - params.mask |= KADM5_CONFIG_IPROP_ENABLED; - - if 
(params_in->mask & KADM5_CONFIG_IPROP_ENABLED) { - params.mask |= KADM5_CONFIG_IPROP_ENABLED; - params.iprop_enabled = params_in->iprop_enabled; - } else { - krb5_boolean bvalue; - if (aprofile && - !krb5_aprof_get_boolean(aprofile, hierarchy, TRUE, &bvalue)) { - params.iprop_enabled = bvalue; - params.mask |= KADM5_CONFIG_IPROP_ENABLED; - } - } - - if (!GET_STRING_PARAM(iprop_logfile, KADM5_CONFIG_IPROP_LOGFILE, - "iprop_logfile", NULL)) { - if (params.mask & KADM5_CONFIG_DBNAME) { - if (asprintf(¶ms.iprop_logfile, "%s.ulog", params.dbname) >= 0) { - params.mask |= KADM5_CONFIG_IPROP_LOGFILE; - } - } - } - - GET_PORT_PARAM(iprop_port, KADM5_CONFIG_IPROP_PORT, - "iprop_port", 0); - - hierarchy[2] = "iprop_master_ulogsize"; - - params.iprop_ulogsize = DEF_ULOGENTRIES; - params.mask |= KADM5_CONFIG_ULOG_SIZE; - - if (params_in->mask & KADM5_CONFIG_ULOG_SIZE) { - params.mask |= KADM5_CONFIG_ULOG_SIZE; - params.iprop_ulogsize = params_in->iprop_ulogsize; - } else { - if (aprofile && !krb5_aprof_get_int32(aprofile, hierarchy, - TRUE, &ivalue)) { - if (ivalue > MAX_ULOGENTRIES) - params.iprop_ulogsize = MAX_ULOGENTRIES; - else if (ivalue <= 0) - params.iprop_ulogsize = DEF_ULOGENTRIES; - else - params.iprop_ulogsize = ivalue; - params.mask |= KADM5_CONFIG_ULOG_SIZE; - } - } - - GET_DELTAT_PARAM(iprop_poll_time, KADM5_CONFIG_POLL_TIME, - "iprop_slave_poll", 2 * 60); /* 2m */ + hierarchy[2] = "iprop_enable"; + + params.iprop_enabled = FALSE; + params.mask |= KADM5_CONFIG_IPROP_ENABLED; + + if (params_in->mask & KADM5_CONFIG_IPROP_ENABLED) { + params.mask |= KADM5_CONFIG_IPROP_ENABLED; + params.iprop_enabled = params_in->iprop_enabled; + } else { + krb5_boolean bvalue; + if (aprofile && + !krb5_aprof_get_boolean(aprofile, hierarchy, TRUE, &bvalue)) { + params.iprop_enabled = bvalue; + params.mask |= KADM5_CONFIG_IPROP_ENABLED; + } + } + + if (!GET_STRING_PARAM(iprop_logfile, KADM5_CONFIG_IPROP_LOGFILE, + "iprop_logfile", NULL)) { + if (params.mask & KADM5_CONFIG_DBNAME) { + 
if (asprintf(¶ms.iprop_logfile, "%s.ulog", params.dbname) >= 0) { + params.mask |= KADM5_CONFIG_IPROP_LOGFILE; + } + } + } + + GET_PORT_PARAM(iprop_port, KADM5_CONFIG_IPROP_PORT, + "iprop_port", 0); + + hierarchy[2] = "iprop_master_ulogsize"; + + params.iprop_ulogsize = DEF_ULOGENTRIES; + params.mask |= KADM5_CONFIG_ULOG_SIZE; + + if (params_in->mask & KADM5_CONFIG_ULOG_SIZE) { + params.mask |= KADM5_CONFIG_ULOG_SIZE; + params.iprop_ulogsize = params_in->iprop_ulogsize; + } else { + if (aprofile && !krb5_aprof_get_int32(aprofile, hierarchy, + TRUE, &ivalue)) { + if (ivalue > MAX_ULOGENTRIES) + params.iprop_ulogsize = MAX_ULOGENTRIES; + else if (ivalue <= 0) + params.iprop_ulogsize = DEF_ULOGENTRIES; + else + params.iprop_ulogsize = ivalue; + params.mask |= KADM5_CONFIG_ULOG_SIZE; + } + } + + GET_DELTAT_PARAM(iprop_poll_time, KADM5_CONFIG_POLL_TIME, + "iprop_slave_poll", 2 * 60); /* 2m */ *params_out = params; cleanup: if (aprofile) - krb5_aprof_finish(aprofile); + krb5_aprof_finish(aprofile); if (kret) { - kadm5_free_config_params(context, ¶ms); - params_out->mask = 0; + kadm5_free_config_params(context, ¶ms); + params_out->mask = 0; } return(kret); } /* - * kadm5_free_config_params() - Free data allocated by above. + * kadm5_free_config_params() - Free data allocated by above. 
*/ krb5_error_code kadm5_free_config_params(context, params) - krb5_context context; - kadm5_config_params *params; + krb5_context context; + kadm5_config_params *params; { if (params) { - free(params->dbname); - free(params->mkey_name); - free(params->stash_file); - free(params->keysalts); - free(params->admin_server); - free(params->admin_keytab); - free(params->dict_file); - free(params->acl_file); - free(params->realm); - free(params->iprop_logfile); + free(params->dbname); + free(params->mkey_name); + free(params->stash_file); + free(params->keysalts); + free(params->admin_server); + free(params->admin_keytab); + free(params->dict_file); + free(params->acl_file); + free(params->realm); + free(params->iprop_logfile); } return(0); } krb5_error_code kadm5_get_admin_service_name(krb5_context ctx, - char *realm_in, - char *admin_name, - size_t maxlen) + char *realm_in, + char *admin_name, + size_t maxlen) { krb5_error_code ret; kadm5_config_params params_in, params_out; @@ -815,21 +868,21 @@ kadm5_get_admin_service_name(krb5_context ctx, params_in.realm = realm_in; ret = kadm5_get_config_params(ctx, 0, ¶ms_in, ¶ms_out); if (ret) - return ret; + return ret; if (!(params_out.mask & KADM5_CONFIG_ADMIN_SERVER)) { - ret = KADM5_MISSING_KRB5_CONF_PARAMS; - goto err_params; + ret = KADM5_MISSING_KRB5_CONF_PARAMS; + goto err_params; } hp = gethostbyname(params_out.admin_server); if (hp == NULL) { - ret = errno; - goto err_params; + ret = errno; + goto err_params; } if (strlen(hp->h_name) + sizeof("kadmin/") > maxlen) { - ret = ENOMEM; - goto err_params; + ret = ENOMEM; + goto err_params; } snprintf(admin_name, maxlen, "kadmin/%s", hp->h_name); 
@@ -844,30 +897,34 @@ err_params: ***********************************************************************/ /* - * krb5_read_realm_params() - Read per-realm parameters from KDC - * alternate profile. + * krb5_read_realm_params() - Read per-realm parameters from KDC + * alternate profile. */ krb5_error_code krb5_read_realm_params(kcontext, realm, rparamp) - krb5_context kcontext; - char *realm; - krb5_realm_params **rparamp; + krb5_context kcontext; + char *realm; + krb5_realm_params **rparamp; { - char *filename; - char *envname; - char *lrealm; - krb5_pointer aprofile = 0; - krb5_realm_params *rparams; - const char *hierarchy[4]; - char *svalue; - krb5_int32 ivalue; - krb5_boolean bvalue; - krb5_deltat dtvalue; - - char *kdcprofile = 0; - char *kdcenv = 0; - - krb5_error_code kret; + char *filename; + char *envname; + char *lrealm; + krb5_pointer aprofile = 0; + krb5_realm_params *rparams; + const char *hierarchy[4]; + char *svalue; + krb5_int32 ivalue; + krb5_boolean bvalue; + krb5_deltat dtvalue; + + char *kdcprofile = 0; + char *kdcenv = 0; + char *no_refrls = 0; + char *host_based_srvcs = 0; + + + + krb5_error_code kret; filename = (kdcprofile) ? kdcprofile : DEFAULT_KDC_PROFILE; envname = (kdcenv) ? kdcenv : KDC_PROFILE_ENV; @@ -876,21 +933,21 @@ krb5_read_realm_params(kcontext, realm, rparamp) rparams = (krb5_realm_params *) NULL; if (realm) - lrealm = strdup(realm); + lrealm = strdup(realm); else { - kret = krb5_get_default_realm(kcontext, &lrealm); - if (kret) - goto cleanup; + kret = krb5_get_default_realm(kcontext, &lrealm); + if (kret) + goto cleanup; } kret = krb5_aprof_init(filename, envname, &aprofile); if (kret) - goto cleanup; + goto cleanup; rparams = (krb5_realm_params *) malloc(sizeof(krb5_realm_params)); if (rparams == 0) { - kret = ENOMEM; - goto cleanup; + kret = ENOMEM; + goto cleanup; } /* Initialize realm parameters */ 
@@ -902,108 +959,128 @@ krb5_read_realm_params(kcontext, realm, rparamp) hierarchy[2] = "database_name"; hierarchy[3] = (char *) NULL; if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) - rparams->realm_dbname = svalue; - + rparams->realm_dbname = svalue; + /* Get the value for the KDC port list */ hierarchy[2] = "kdc_ports"; if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) - rparams->realm_kdc_ports = svalue; + rparams->realm_kdc_ports = svalue; hierarchy[2] = "kdc_tcp_ports"; if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) - rparams->realm_kdc_tcp_ports = svalue; + rparams->realm_kdc_tcp_ports = svalue; /* Get the name of the acl file */ hierarchy[2] = "acl_file"; if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) - rparams->realm_acl_file = svalue; - + rparams->realm_acl_file = svalue; + /* Get the value for the kadmind port */ hierarchy[2] = "kadmind_port"; if (!krb5_aprof_get_int32(aprofile, hierarchy, TRUE, &ivalue)) { - rparams->realm_kadmind_port = ivalue; - rparams->realm_kadmind_port_valid = 1; + rparams->realm_kadmind_port = ivalue; + rparams->realm_kadmind_port_valid = 1; } - + /* Get the value for the master key name */ hierarchy[2] = "master_key_name"; if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) - rparams->realm_mkey_name = svalue; - + rparams->realm_mkey_name = svalue; + /* Get the value for the master key type */ hierarchy[2] = "master_key_type"; if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) { - if (!krb5_string_to_enctype(svalue, &rparams->realm_enctype)) - rparams->realm_enctype_valid = 1; - krb5_xfree(svalue); + if (!krb5_string_to_enctype(svalue, &rparams->realm_enctype)) + rparams->realm_enctype_valid = 1; + free(svalue); } - + /* Get the value for the stashfile */ hierarchy[2] = "key_stash_file"; if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) - rparams->realm_stash_file = svalue; - + rparams->realm_stash_file = svalue; + /* Get the 
value for maximum ticket lifetime. */ hierarchy[2] = "max_life"; if (!krb5_aprof_get_deltat(aprofile, hierarchy, TRUE, &dtvalue)) { - rparams->realm_max_life = dtvalue; - rparams->realm_max_life_valid = 1; + rparams->realm_max_life = dtvalue; + rparams->realm_max_life_valid = 1; } - + /* Get the value for maximum renewable ticket lifetime. */ hierarchy[2] = "max_renewable_life"; if (!krb5_aprof_get_deltat(aprofile, hierarchy, TRUE, &dtvalue)) { - rparams->realm_max_rlife = dtvalue; - rparams->realm_max_rlife_valid = 1; + rparams->realm_max_rlife = dtvalue; + rparams->realm_max_rlife_valid = 1; } - + /* Get the value for the default principal expiration */ hierarchy[2] = "default_principal_expiration"; if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) { - if (!krb5_string_to_timestamp(svalue, - &rparams->realm_expiration)) - rparams->realm_expiration_valid = 1; - krb5_xfree(svalue); + if (!krb5_string_to_timestamp(svalue, + &rparams->realm_expiration)) + rparams->realm_expiration_valid = 1; + free(svalue); } hierarchy[2] = "reject_bad_transit"; if (!krb5_aprof_get_boolean(aprofile, hierarchy, TRUE, &bvalue)) { - rparams->realm_reject_bad_transit = bvalue; - rparams->realm_reject_bad_transit_valid = 1; + rparams->realm_reject_bad_transit = bvalue; + rparams->realm_reject_bad_transit_valid = 1; } + hierarchy[2] = "no_host_referral"; + if (!krb5_aprof_get_string_all(aprofile, hierarchy, &no_refrls)) { + + if (strchr(no_refrls, '*')) + no_refrls = strdup("*"); + rparams->realm_no_host_referral = no_refrls; + } else + no_refrls = 0; + + if (no_refrls == 0 || strlen(no_refrls) == 0 || strncmp(no_refrls, "*",1) != 0) { + hierarchy[2] = "host_based_services"; + if (!krb5_aprof_get_string_all(aprofile, hierarchy, &host_based_srvcs)){ + if (strchr(host_based_srvcs, '*')) + host_based_srvcs = strdup("*"); + rparams->realm_host_based_services = host_based_srvcs; + } else + host_based_srvcs = 0; + } + + /* Get the value for the default principal flags */ 
hierarchy[2] = "default_principal_flags"; if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) { - char *sp, *ep, *tp; - - sp = svalue; - rparams->realm_flags = 0; - while (sp) { - if ((ep = strchr(sp, (int) ',')) || - (ep = strchr(sp, (int) ' ')) || - (ep = strchr(sp, (int) '\t'))) { - /* Fill in trailing whitespace of sp */ - tp = ep - 1; - while (isspace((int) *tp) && (tp < sp)) { - *tp = '\0'; - tp--; - } - *ep = '\0'; - ep++; - /* Skip over trailing whitespace of ep */ - while (isspace((int) *ep) && (*ep)) ep++; - } - /* Convert this flag */ - if (krb5_string_to_flags(sp, - "+", - "-", - &rparams->realm_flags)) - break; - sp = ep; - } - if (!sp) - rparams->realm_flags_valid = 1; - krb5_xfree(svalue); + char *sp, *ep, *tp; + + sp = svalue; + rparams->realm_flags = 0; + while (sp) { + if ((ep = strchr(sp, (int) ',')) || + (ep = strchr(sp, (int) ' ')) || + (ep = strchr(sp, (int) '\t'))) { + /* Fill in trailing whitespace of sp */ + tp = ep - 1; + while (isspace((int) *tp) && (tp < sp)) { + *tp = '\0'; + tp--; + } + *ep = '\0'; + ep++; + /* Skip over trailing whitespace of ep */ + while (isspace((int) *ep) && (*ep)) ep++; + } + /* Convert this flag */ + if (krb5_string_to_flags(sp, + "+", + "-", + &rparams->realm_flags)) + break; + sp = ep; + } + if (!sp) + rparams->realm_flags_valid = 1; + free(svalue); } rparams->realm_keysalts = NULL; 
@@ -1011,35 +1088,37 @@ krb5_read_realm_params(kcontext, realm, rparamp) cleanup: if (aprofile) - krb5_aprof_finish(aprofile); + krb5_aprof_finish(aprofile); free(lrealm); if (kret) { - if (rparams) - krb5_free_realm_params(kcontext, rparams); - rparams = 0; + if (rparams) + krb5_free_realm_params(kcontext, rparams); + rparams = 0; } *rparamp = rparams; return(kret); } /* - * krb5_free_realm_params() - Free data allocated by above. + * krb5_free_realm_params() - Free data allocated by above. */ krb5_error_code krb5_free_realm_params(kcontext, rparams) - krb5_context kcontext; - krb5_realm_params *rparams; + krb5_context kcontext; + krb5_realm_params *rparams; { if (rparams) { - krb5_xfree(rparams->realm_profile); - krb5_xfree(rparams->realm_dbname); - krb5_xfree(rparams->realm_mkey_name); - krb5_xfree(rparams->realm_stash_file); - krb5_xfree(rparams->realm_keysalts); - krb5_xfree(rparams->realm_kdc_ports); - krb5_xfree(rparams->realm_kdc_tcp_ports); - krb5_xfree(rparams->realm_acl_file); - krb5_xfree(rparams); + free(rparams->realm_profile); + free(rparams->realm_dbname); + free(rparams->realm_mkey_name); + free(rparams->realm_stash_file); + free(rparams->realm_keysalts); + free(rparams->realm_kdc_ports); + free(rparams->realm_kdc_tcp_ports); + free(rparams->realm_acl_file); + free(rparams->realm_no_host_referral); + free(rparams->realm_host_based_services); + free(rparams); } return(0); } diff --git a/src/lib/kadm5/srv/libkadm5srv.exports b/src/lib/kadm5/srv/libkadm5srv.exports index 3296d3bb0f..444987130a 100644 --- a/src/lib/kadm5/srv/libkadm5srv.exports +++ b/src/lib/kadm5/srv/libkadm5srv.exports @@ -67,6 +67,7 @@ krb5_aprof_get_boolean krb5_aprof_get_deltat krb5_aprof_get_int32 krb5_aprof_get_string +krb5_aprof_get_string_all krb5_aprof_getvals krb5_aprof_init krb5_copy_key_data_contents diff --git a/src/lib/kadm5/str_conv.c b/src/lib/kadm5/str_conv.c index c35d515217..3d60d7902f 100644 --- a/src/lib/kadm5/str_conv.c +++ b/src/lib/kadm5/str_conv.c 
@@ -327,7 +327,7 @@ krb5_string_to_keysalts(string, tupleseps, ksaltseps, dups, ksaltp, nksaltp) if (savep) { memcpy(*ksaltp, savep, len * sizeof(krb5_key_salt_tuple)); - krb5_xfree(savep); + free(savep); } /* Save our values */ diff --git a/src/lib/kdb/decrypt_key.c b/src/lib/kdb/decrypt_key.c index 9ab66dfbf5..a564c37b01 100644 --- a/src/lib/kdb/decrypt_key.c +++ b/src/lib/kdb/decrypt_key.c @@ -90,7 +90,7 @@ krb5_dbekd_def_decrypt_key_data( krb5_context context, if ((retval = krb5_c_decrypt(context, mkey, 0 /* XXX */, 0, &cipher, &plain))) { - krb5_xfree(plain.data); + free(plain.data); return retval; } @@ -101,7 +101,7 @@ krb5_dbekd_def_decrypt_key_data( krb5_context context, any better than that. */ if (tmplen > plain.length) { - krb5_xfree(plain.data); + free(plain.data); return(KRB5_CRYPTO_INTERNAL); } @@ -118,7 +118,7 @@ krb5_dbekd_def_decrypt_key_data( krb5_context context, if ((keysalt->data.length = key_data->key_data_length[1])) { if (!(keysalt->data.data=(char *)malloc(keysalt->data.length))){ if (key_data->key_data_contents[0]) { - krb5_xfree(dbkey->contents); + free(dbkey->contents); dbkey->contents = 0; dbkey->length = 0; } diff --git a/src/lib/kdb/encrypt_key.c b/src/lib/kdb/encrypt_key.c index bf778ea858..0db1a029a4 100644 --- a/src/lib/kdb/encrypt_key.c +++ b/src/lib/kdb/encrypt_key.c @@ -79,7 +79,7 @@ krb5_dbekd_def_encrypt_key_data( krb5_context context, for (i = 0; i < key_data->key_data_ver; i++) if (key_data->key_data_contents[i]) - krb5_xfree(key_data->key_data_contents[i]); + free(key_data->key_data_contents[i]); key_data->key_data_ver = 1; key_data->key_data_kvno = keyver; @@ -110,7 +110,7 @@ krb5_dbekd_def_encrypt_key_data( krb5_context context, if ((retval = krb5_c_encrypt(context, mkey, /* XXX */ 0, 0, &plain, &cipher))) { - krb5_xfree(key_data->key_data_contents[0]); + free(key_data->key_data_contents[0]); return retval; } 
@@ -123,7 +123,7 @@ krb5_dbekd_def_encrypt_key_data( krb5_context context, key_data->key_data_contents[1] = (krb5_octet *)malloc(keysalt->data.length); if (key_data->key_data_contents[1] == NULL) { - krb5_xfree(key_data->key_data_contents[0]); + free(key_data->key_data_contents[0]); return ENOMEM; } memcpy(key_data->key_data_contents[1], keysalt->data.data, diff --git a/src/lib/kdb/kdb5.c b/src/lib/kdb/kdb5.c index 0f2c6a078a..e3bb509540 100644 --- a/src/lib/kdb/kdb5.c +++ b/src/lib/kdb/kdb5.c @@ -1720,7 +1720,7 @@ krb5_db_fetch_mkey(krb5_context context, } if (!salt) - krb5_xfree(scratch.data); + free(scratch.data); zap(password, sizeof(password)); /* erase it */ } else { diff --git a/src/lib/kdb/kdb_cpw.c b/src/lib/kdb/kdb_cpw.c index de6a34d377..2062055d03 100644 --- a/src/lib/kdb/kdb_cpw.c +++ b/src/lib/kdb/kdb_cpw.c @@ -414,7 +414,7 @@ add_key_pwd(context, master_key, ks_tuple, ks_tuple_count, passwd, return(retval); key_salt.data = *saltdata; - krb5_xfree(saltdata); + free(saltdata); } break; case KRB5_KDB_SALTTYPE_NOREALM: @@ -440,7 +440,7 @@ add_key_pwd(context, master_key, ks_tuple, ks_tuple_count, passwd, key_salt.data = *saltdata; key_salt.data.length = SALT_TYPE_AFS_LENGTH; /*length actually used below...*/ - krb5_xfree(saltdata); + free(saltdata); #else /* Why do we do this? Well, the afs_mit_string_to_key needs to use strlen, and the realm is not NULL terminated.... */ @@ -483,7 +483,7 @@ add_key_pwd(context, master_key, ks_tuple, ks_tuple_count, passwd, kvno, &tmp_key_data); if (key_salt.data.data) free(key_salt.data.data); - krb5_xfree(key.contents); + free(key.contents); if( retval ) return retval; diff --git a/src/lib/kdb/kdb_default.c b/src/lib/kdb/kdb_default.c index 7ad847c129..c02778d9bb 100644 --- a/src/lib/kdb/kdb_default.c +++ b/src/lib/kdb/kdb_default.c 
@@ -472,7 +472,7 @@ krb5_def_verify_master_key(krb5_context context, } zap((char *)tempkey.contents, tempkey.length); - krb5_xfree(tempkey.contents); + free(tempkey.contents); krb5_db_free_principal(context, &master_entry, nprinc); return retval; diff --git a/src/lib/kdb/keytab.c b/src/lib/kdb/keytab.c index 7b241a1332..47626f1521 100644 --- a/src/lib/kdb/keytab.c +++ b/src/lib/kdb/keytab.c @@ -92,7 +92,7 @@ krb5_ktkdb_close(context, kt) */ kt->ops = NULL; - krb5_xfree(kt); + free(kt); return 0; } diff --git a/src/lib/krb5/asn.1/asn1_k_decode.c b/src/lib/krb5/asn.1/asn1_k_decode.c index 035aff17ea..cc3168c005 100644 --- a/src/lib/krb5/asn.1/asn1_k_decode.c +++ b/src/lib/krb5/asn.1/asn1_k_decode.c @@ -1208,6 +1208,7 @@ asn1_error_code asn1_decode_pa_for_user(asn1buf *buf, krb5_pa_for_user *val) { setup(); { begin_structure(); + alloc_field(val->user, krb5_principal_data); get_field(val->user,0,asn1_decode_principal_name); get_field(val->user,1,asn1_decode_realm); get_field(val->cksum,2,asn1_decode_checksum); diff --git a/src/lib/krb5/ccache/cc_file.c b/src/lib/krb5/ccache/cc_file.c index 71476d7788..9e54d1bdd0 100644 --- a/src/lib/krb5/ccache/cc_file.c +++ b/src/lib/krb5/ccache/cc_file.c @@ -530,7 +530,7 @@ krb5_fcc_read_principal(krb5_context context, krb5_ccache id, krb5_principal *pr errout: while(--i >= 0) free(krb5_princ_component(context, tmpprinc, i)->data); - krb5_xfree(krb5_princ_realm(context, tmpprinc)->data); + free(krb5_princ_realm(context, tmpprinc)->data); free((char *)tmpprinc->data); free((char *)tmpprinc); return kret; @@ -628,7 +628,7 @@ krb5_fcc_read_keyblock(krb5_context context, krb5_ccache id, krb5_keyblock *keyb return KRB5_OK; errout: if (keyblock->contents) { - krb5_xfree(keyblock->contents); + free(keyblock->contents); keyblock->contents = NULL; } return kret; 
@@ -669,7 +669,7 @@ krb5_fcc_read_data(krb5_context context, krb5_ccache id, krb5_data *data) return KRB5_OK; errout: if (data->data) { - krb5_xfree(data->data); + free(data->data); data->data = NULL; } return kret; @@ -714,7 +714,7 @@ krb5_fcc_read_addr(krb5_context context, krb5_ccache id, krb5_address *addr) return KRB5_OK; errout: if (addr->contents) { - krb5_xfree(addr->contents); + free(addr->contents); addr->contents = NULL; } return kret; @@ -898,7 +898,7 @@ krb5_fcc_read_authdatum(krb5_context context, krb5_ccache id, krb5_authdata *a) return KRB5_OK; errout: if (a->contents) { - krb5_xfree(a->contents); + free(a->contents); a->contents = NULL; } return kret; @@ -1541,7 +1541,7 @@ static krb5_error_code KRB5_CALLCONV krb5_fcc_close(krb5_context context, krb5_ccache id) { dereference(context, (krb5_fcc_data *) id->data); - krb5_xfree(id); + free(id); return KRB5_OK; } @@ -1676,7 +1676,7 @@ krb5_fcc_destroy(krb5_context context, krb5_ccache id) cleanup: k5_cc_mutex_unlock(context, &data->lock); dereference(context, data); - krb5_xfree(id); + free(id); krb5_change_cache (); return kret; @@ -1828,7 +1828,7 @@ krb5_fcc_start_seq_get(krb5_context context, krb5_ccache id, if (OPENCLOSE(id)) { kret = krb5_fcc_open_file(context, id, FCC_OPEN_RDONLY); if (kret) { - krb5_xfree(fcursor); + free(fcursor); k5_cc_mutex_unlock(context, &data->lock); return kret; } @@ -1837,12 +1837,12 @@ krb5_fcc_start_seq_get(krb5_context context, krb5_ccache id, /* Make sure we start reading right after the primary principal */ kret = krb5_fcc_skip_header(context, id); if (kret) { - krb5_xfree(fcursor); + free(fcursor); goto done; } kret = krb5_fcc_skip_principal(context, id); if (kret) { - krb5_xfree(fcursor); + free(fcursor); goto done; } 
@@ -1959,7 +1959,7 @@ krb5_fcc_end_seq_get(krb5_context context, krb5_ccache id, krb5_cc_cursor *curso and if not, fcc_start_seq_get and/or fcc_next_cred will do the MAYBE_CLOSE. MAYBE_CLOSE(context, id, kret); */ - krb5_xfree((krb5_fcc_cursor *) *cursor); + free((krb5_fcc_cursor *) *cursor); return 0; } diff --git a/src/lib/krb5/ccache/cc_keyring.c b/src/lib/krb5/ccache/cc_keyring.c index f2624ecca4..528f43f061 100644 --- a/src/lib/krb5/ccache/cc_keyring.c +++ b/src/lib/krb5/ccache/cc_keyring.c @@ -427,11 +427,11 @@ krb5_krcc_close(krb5_context context, krb5_ccache id) d = (krb5_krcc_data *) id->data; - krb5_xfree(d->name); + free(d->name); k5_cc_mutex_destroy(&d->lock); - krb5_xfree(d); + free(d); - krb5_xfree(id); + free(id); return KRB5_OK; } @@ -498,7 +498,7 @@ krb5_krcc_destroy(krb5_context context, krb5_ccache id) return kret; krb5_krcc_clearcache(context, id); - krb5_xfree(d->name); + free(d->name); res = keyctl_unlink(d->ring_id, d->parent_id); if (res < 0) { kret = errno; @@ -509,8 +509,8 @@ krb5_krcc_destroy(krb5_context context, krb5_ccache id) cleanup: k5_cc_mutex_unlock(context, &d->lock); k5_cc_mutex_destroy(&d->lock); - krb5_xfree(d); - krb5_xfree(id); + free(d); + free(id); krb5_change_cache(); @@ -811,14 +811,14 @@ krb5_krcc_new_data(const char *name, key_serial_t ring, kret = k5_cc_mutex_init(&d->lock); if (kret) { - krb5_xfree(d); + free(d); return kret; } d->name = strdup(name); if (d->name == NULL) { k5_cc_mutex_destroy(&d->lock); - krb5_xfree(d); + free(d); return KRB5_CC_NOMEM; } d->princ_id = 0; @@ -917,7 +917,7 @@ krb5_krcc_generate_new(krb5_context context, krb5_ccache * id) kret = krb5_krcc_new_data(uniquename, key, ring_id, &d); k5_cc_mutex_unlock(context, &krb5int_krcc_mutex); if (kret) { - krb5_xfree(lid); + free(lid); return kret; } lid->data = d; 
@@ -1339,13 +1339,13 @@ krb5_krcc_parse_cred(krb5_context context, krb5_ccache id, krb5_creds * creds, cleanticket: memset(creds->ticket.data, 0, (unsigned) creds->ticket.length); - krb5_xfree(creds->ticket.data); + free(creds->ticket.data); cleanauthdata: krb5_free_authdata(context, creds->authdata); cleanaddrs: krb5_free_addresses(context, creds->addresses); cleanblock: - krb5_xfree(creds->keyblock.contents); + free(creds->keyblock.contents); cleanserver: krb5_free_principal(context, creds->server); cleanclient: @@ -1414,7 +1414,7 @@ krb5_krcc_parse_principal(krb5_context context, krb5_ccache id, errout: while (--i >= 0) free(krb5_princ_component(context, tmpprinc, i)->data); - krb5_xfree(krb5_princ_realm(context, tmpprinc)->data); + free(krb5_princ_realm(context, tmpprinc)->data); free((char *) tmpprinc->data); free((char *) tmpprinc); return kret; @@ -1456,7 +1456,7 @@ krb5_krcc_parse_keyblock(krb5_context context, krb5_ccache id, return KRB5_OK; errout: if (keyblock->contents) - krb5_xfree(keyblock->contents); + free(keyblock->contents); return kret; } @@ -1523,7 +1523,7 @@ krb5_krcc_parse_krb5data(krb5_context context, krb5_ccache id, return KRB5_OK; errout: if (data->data) - krb5_xfree(data->data); + free(data->data); return kret; } @@ -1632,7 +1632,7 @@ krb5_krcc_parse_addr(krb5_context context, krb5_ccache id, krb5_address * addr, return KRB5_OK; errout: if (addr->contents) - krb5_xfree(addr->contents); + free(addr->contents); return kret; } @@ -1725,7 +1725,7 @@ krb5_krcc_parse_authdatum(krb5_context context, krb5_ccache id, return KRB5_OK; errout: if (a->contents) - krb5_xfree(a->contents); + free(a->contents); return kret; } diff --git a/src/lib/krb5/ccache/cc_memory.c b/src/lib/krb5/ccache/cc_memory.c index cdddc58f50..2cfd60a10c 100644 --- a/src/lib/krb5/ccache/cc_memory.c +++ b/src/lib/krb5/ccache/cc_memory.c 
@@ -179,7 +179,7 @@ krb5_mcc_initialize(krb5_context context, krb5_ccache id, krb5_principal princ) krb5_error_code KRB5_CALLCONV krb5_mcc_close(krb5_context context, krb5_ccache id) { - krb5_xfree(id); + free(id); return KRB5_OK; } @@ -193,7 +193,7 @@ krb5_mcc_free(krb5_context context, krb5_ccache id) for (curr = d->link; curr;) { krb5_free_creds(context, curr->creds); next = curr->next; - krb5_xfree(curr); + free(curr); curr = next; } d->link = NULL; @@ -234,11 +234,11 @@ krb5_mcc_destroy(krb5_context context, krb5_ccache id) return err; krb5_mcc_free(context, id); - krb5_xfree(d->name); + free(d->name); k5_cc_mutex_unlock(context, &d->lock); k5_cc_mutex_destroy(&d->lock); - krb5_xfree(d); - krb5_xfree(id); + free(d); + free(id); krb5_change_cache (); return KRB5_OK; @@ -411,14 +411,14 @@ new_mcc_data (const char *name, krb5_mcc_data **dataptr) err = k5_cc_mutex_init(&d->lock); if (err) { - krb5_xfree(d); + free(d); return err; } d->name = strdup(name); if (d->name == NULL) { k5_cc_mutex_destroy(&d->lock); - krb5_xfree(d); + free(d); return KRB5_CC_NOMEM; } d->link = NULL; @@ -501,7 +501,7 @@ krb5_mcc_generate_new (krb5_context context, krb5_ccache *id) k5_cc_mutex_unlock(context, &krb5int_mcc_mutex); if (err) { - krb5_xfree(lid); + free(lid); return err; } lid->data = d; diff --git a/src/lib/krb5/ccache/cc_mslsa.c b/src/lib/krb5/ccache/cc_mslsa.c index 80c5b4832a..db74828f35 100644 --- a/src/lib/krb5/ccache/cc_mslsa.c +++ b/src/lib/krb5/ccache/cc_mslsa.c @@ -489,7 +489,7 @@ MSTicketToMITTicket(KERB_EXTERNAL_TICKET *msticket, krb5_context context, krb5_d return FALSE; memcpy(ticket, newdata, sizeof(krb5_data)); - krb5_xfree(newdata); + free(newdata); return TRUE; } @@ -2056,7 +2056,7 @@ krb5_lcc_resolve (krb5_context context, krb5_ccache *id, const char *residual) lid->data = (krb5_pointer) malloc(sizeof(krb5_lcc_data)); if (lid->data == NULL) { - krb5_xfree(lid); + free(lid); CloseHandle(LogonHandle); return KRB5_CC_NOMEM; } 
@@ -2069,8 +2069,8 @@ krb5_lcc_resolve (krb5_context context, krb5_ccache *id, const char *residual) data->cc_name = (char *)malloc(strlen(residual)+1); if (data->cc_name == NULL) { - krb5_xfree(lid->data); - krb5_xfree(lid); + free(lid->data); + free(lid); CloseHandle(LogonHandle); return KRB5_CC_NOMEM; } @@ -2090,9 +2090,9 @@ krb5_lcc_resolve (krb5_context context, krb5_ccache *id, const char *residual) krb5_copy_principal(context, creds.client, &data->princ); krb5_free_cred_contents(context,&creds); } else if (!does_retrieve_ticket_cache_ticket()) { - krb5_xfree(data->cc_name); - krb5_xfree(lid->data); - krb5_xfree(lid); + free(data->cc_name); + free(lid->data); + free(lid); CloseHandle(LogonHandle); return KRB5_FCC_NOFILE; } @@ -2169,9 +2169,9 @@ krb5_lcc_close(krb5_context context, krb5_ccache id) if (data) { CloseHandle(data->LogonHandle); - krb5_xfree(data); + free(data); } - krb5_xfree(id); + free(id); } return closeval; } diff --git a/src/lib/krb5/keytab/kt_file.c b/src/lib/krb5/keytab/kt_file.c index 83fb264852..2e33886a7e 100644 --- a/src/lib/krb5/keytab/kt_file.c +++ b/src/lib/krb5/keytab/kt_file.c @@ -210,21 +210,21 @@ ktfile_common_resolve(krb5_context context, const char *name, (*id)->ops = ops; if ((data = (krb5_ktfile_data *)malloc(sizeof(krb5_ktfile_data))) == NULL) { - krb5_xfree(*id); + free(*id); return(ENOMEM); } err = k5_mutex_init(&data->lock); if (err) { - krb5_xfree(data); - krb5_xfree(*id); + free(data); + free(*id); return err; } if ((data->name = strdup(name)) == NULL) { k5_mutex_destroy(&data->lock); - krb5_xfree(data); - krb5_xfree(*id); + free(data); + free(*id); return(ENOMEM); } 
@@ -259,12 +259,12 @@ krb5_ktfile_close(krb5_context context, krb5_keytab id) * This routine should undo anything done by krb5_ktfile_resolve(). */ { - krb5_xfree(KTFILENAME(id)); + free(KTFILENAME(id)); zap(KTFILEBUFP(id), BUFSIZ); k5_mutex_destroy(&((krb5_ktfile_data *)id->data)->lock); - krb5_xfree(id->data); + free(id->data); id->ops = 0; - krb5_xfree(id); + free(id); return (0); } @@ -533,7 +533,7 @@ krb5_ktfile_end_get(krb5_context context, krb5_keytab id, krb5_kt_cursor *cursor { krb5_error_code kerror; - krb5_xfree(*cursor); + free(*cursor); kerror = KTLOCK(id); if (kerror) return kerror; @@ -807,10 +807,10 @@ krb5_ktf_keytab_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octe if (kret) { if (keytab->data) { if (KTFILENAME(keytab)) - krb5_xfree(KTFILENAME(keytab)); - krb5_xfree(keytab->data); + free(KTFILENAME(keytab)); + free(keytab->data); } - krb5_xfree(keytab); + free(keytab); } else { *buffer = bp; diff --git a/src/lib/krb5/keytab/kt_memory.c b/src/lib/krb5/keytab/kt_memory.c index 53d15edd87..1f77171874 100644 --- a/src/lib/krb5/keytab/kt_memory.c +++ b/src/lib/krb5/keytab/kt_memory.c @@ -167,7 +167,7 @@ void krb5int_mkt_finalize(void) { next_node = node->next; /* destroy the contents of node->keytab */ - krb5_xfree(KTNAME(node->keytab)); + free(KTNAME(node->keytab)); /* free the keytab entries */ for (cursor = KTLINK(node->keytab); cursor; cursor = next_cursor) { 
@@ -176,21 +176,21 @@ void krb5int_mkt_finalize(void) { * krb5_context since we know that the context isn't used by * krb5_kt_free_entry or krb5_free_principal. */ krb5_kt_free_entry(NULL, cursor->entry); - krb5_xfree(cursor->entry); - krb5_xfree(cursor); + free(cursor->entry); + free(cursor); } /* destroy the lock */ k5_mutex_destroy(&(((krb5_mkt_data *)node->keytab->data)->lock)); /* free the private data */ - krb5_xfree(node->keytab->data); + free(node->keytab->data); /* and the keytab */ - krb5_xfree(node->keytab); + free(node->keytab); /* and finally the node */ - krb5_xfree(node); + free(node); } } /* @@ -230,15 +230,15 @@ krb5_mkt_resolve(krb5_context context, const char *name, krb5_keytab *id) } if ((list->keytab = (krb5_keytab)malloc(sizeof(struct _krb5_kt))) == NULL) { - krb5_xfree(list); + free(list); err = ENOMEM; goto done; } list->keytab->ops = &krb5_mkt_ops; if ((data = (krb5_mkt_data *)malloc(sizeof(krb5_mkt_data))) == NULL) { - krb5_xfree(list->keytab); - krb5_xfree(list); + free(list->keytab); + free(list); err = ENOMEM; goto done; } @@ -246,17 +246,17 @@ krb5_mkt_resolve(krb5_context context, const char *name, krb5_keytab *id) err = k5_mutex_init(&data->lock); if (err) { - krb5_xfree(data); - krb5_xfree(list->keytab); - krb5_xfree(list); + free(data); + free(list->keytab); + free(list); goto done; } if ((data->name = strdup(name)) == NULL) { k5_mutex_destroy(&data->lock); - krb5_xfree(data); - krb5_xfree(list->keytab); - krb5_xfree(list); + free(data); + free(list->keytab); + free(list); err = ENOMEM; goto done; } @@ -276,11 +276,11 @@ krb5_mkt_resolve(krb5_context context, const char *name, krb5_keytab *id) if (err) { k5_mutex_destroy(&data->lock); if (data && data->name) - krb5_xfree(data->name); - krb5_xfree(data); + free(data->name); + free(data); if (list && list->keytab) - krb5_xfree(list->keytab); - krb5_xfree(list); + free(list->keytab); + free(list); } else { KTREFCNT(*id)++; KTUNLOCK(*id); 
@@ -350,28 +350,28 @@ krb5_mkt_close(krb5_context context, krb5_keytab id) *listp = node->next; /* destroy the contents of node->keytab (aka id) */ - krb5_xfree(data->name); + free(data->name); /* free the keytab entries */ for (cursor = KTLINK(node->keytab); cursor; cursor = next_cursor) { next_cursor = cursor->next; krb5_kt_free_entry(context, cursor->entry); - krb5_xfree(cursor->entry); - krb5_xfree(cursor); + free(cursor->entry); + free(cursor); } /* destroy the lock */ k5_mutex_destroy(&(data->lock)); /* free the private data */ - krb5_xfree(data); + free(data); /* and the keytab */ - krb5_xfree(node->keytab); + free(node->keytab); /* and finally the node */ - krb5_xfree(node); + free(node); } #endif /* HEIMDAL_COMPATIBLE */ @@ -567,7 +567,7 @@ krb5_mkt_add(krb5_context context, krb5_keytab id, krb5_keytab_entry *entry) } cursor->entry = (krb5_keytab_entry *)malloc(sizeof(krb5_keytab_entry)); if (cursor->entry == NULL) { - krb5_xfree(cursor); + free(cursor); err = ENOMEM; goto done; } @@ -577,16 +577,16 @@ krb5_mkt_add(krb5_context context, krb5_keytab id, krb5_keytab_entry *entry) err = krb5_copy_keyblock_contents(context, &(entry->key), &(cursor->entry->key)); if (err) { - krb5_xfree(cursor->entry); - krb5_xfree(cursor); + free(cursor->entry); + free(cursor); goto done; } err = krb5_copy_principal(context, entry->principal, &(cursor->entry->principal)); if (err) { krb5_free_keyblock_contents(context, &(cursor->entry->key)); - krb5_xfree(cursor->entry); - krb5_xfree(cursor); + free(cursor->entry); + free(cursor); goto done; } @@ -635,9 +635,9 @@ krb5_mkt_remove(krb5_context context, krb5_keytab id, krb5_keytab_entry *entry) } krb5_kt_free_entry(context, (*pcursor)->entry); - krb5_xfree((*pcursor)->entry); + free((*pcursor)->entry); next = (*pcursor)->next; - krb5_xfree(*pcursor); + free(*pcursor); (*pcursor) = next; done: diff --git a/src/lib/krb5/keytab/kt_srvtab.c b/src/lib/krb5/keytab/kt_srvtab.c index 4555ca3329..20ea3d755f 100644 
--- a/src/lib/krb5/keytab/kt_srvtab.c +++ b/src/lib/krb5/keytab/kt_srvtab.c @@ -123,14 +123,14 @@ krb5_ktsrvtab_resolve(krb5_context context, const char *name, krb5_keytab *id) (*id)->ops = &krb5_kts_ops; data = (krb5_ktsrvtab_data *)malloc(sizeof(krb5_ktsrvtab_data)); if (data == NULL) { - krb5_xfree(*id); + free(*id); return(ENOMEM); } data->name = strdup(name); if (data->name == NULL) { - krb5_xfree(data); - krb5_xfree(*id); + free(data); + free(*id); return(ENOMEM); } @@ -156,10 +156,10 @@ krb5_ktsrvtab_close(krb5_context context, krb5_keytab id) * This routine should undo anything done by krb5_ktsrvtab_resolve(). */ { - krb5_xfree(KTFILENAME(id)); - krb5_xfree(id->data); + free(KTFILENAME(id)); + free(id->data); id->ops = 0; - krb5_xfree(id); + free(id); return (0); } @@ -307,7 +307,7 @@ krb5_ktsrvtab_get_next(krb5_context context, krb5_keytab id, krb5_keytab_entry * krb5_error_code KRB5_CALLCONV krb5_ktsrvtab_end_get(krb5_context context, krb5_keytab id, krb5_kt_cursor *cursor) { - krb5_xfree(*cursor); + free(*cursor); return krb5_ktsrvint_close(context, id); } diff --git a/src/lib/krb5/keytab/ktfr_entry.c b/src/lib/krb5/keytab/ktfr_entry.c index e046232546..9587efc636 100644 --- a/src/lib/krb5/keytab/ktfr_entry.c +++ b/src/lib/krb5/keytab/ktfr_entry.c @@ -39,7 +39,7 @@ krb5_free_keytab_entry_contents (krb5_context context, krb5_keytab_entry *entry) krb5_free_principal(context, entry->principal); if (entry->key.contents) { zap((char *)entry->key.contents, entry->key.length); - krb5_xfree(entry->key.contents); + free(entry->key.contents); } return 0; } diff --git a/src/lib/krb5/krb/auth_con.c b/src/lib/krb5/krb/auth_con.c index 7af96403f2..40b3d95d04 100644 --- a/src/lib/krb5/krb/auth_con.c +++ b/src/lib/krb5/krb/auth_con.c 
@@ -12,7 +12,7 @@ actx_copy_addr(krb5_context context, const krb5_address *inad, krb5_address **ou return ENOMEM; *tmpad = *inad; if (!(tmpad->contents = (krb5_octet *)malloc(inad->length))) { - krb5_xfree(tmpad); + free(tmpad); return ENOMEM; } memcpy((char *)tmpad->contents, (char *)inad->contents, inad->length); @@ -63,7 +63,7 @@ krb5_auth_con_free(krb5_context context, krb5_auth_context auth_context) if (auth_context->rcache) krb5_rc_close(context, auth_context->rcache); if (auth_context->permitted_etypes) - krb5_xfree(auth_context->permitted_etypes); + free(auth_context->permitted_etypes); free(auth_context); return 0; } @@ -336,7 +336,7 @@ krb5_auth_con_setpermetypes(krb5_context context, krb5_auth_context auth_context return(ENOMEM); if (auth_context->permitted_etypes) - krb5_xfree(auth_context->permitted_etypes); + free(auth_context->permitted_etypes); auth_context->permitted_etypes = newpe; diff --git a/src/lib/krb5/krb/bld_pr_ext.c b/src/lib/krb5/krb/bld_pr_ext.c index c1e19ba17f..befa0eee4b 100644 --- a/src/lib/krb5/krb/bld_pr_ext.c +++ b/src/lib/krb5/krb/bld_pr_ext.c @@ -59,15 +59,15 @@ krb5_build_principal_ext(krb5_context context, krb5_principal * princ, return ENOMEM; princ_ret = (krb5_principal) malloc(sizeof(krb5_principal_data)); if (!princ_ret) { - krb5_xfree(princ_data); + free(princ_data); return ENOMEM; } princ_ret->data = princ_data; princ_ret->length = count; tmpdata = malloc(rlen+1); if (!tmpdata) { - krb5_xfree(princ_data); - krb5_xfree(princ_ret); + free(princ_data); + free(princ_ret); return ENOMEM; } krb5_princ_set_realm_length(context, princ_ret, rlen); @@ -94,10 +94,10 @@ krb5_build_principal_ext(krb5_context context, krb5_principal * princ, free_out: while (--i >= 0) - krb5_xfree(princ_data[i].data); - krb5_xfree(princ_data); - krb5_xfree(princ_ret); - krb5_xfree(tmpdata); + free(princ_data[i].data); + free(princ_data); + free(princ_ret); + free(tmpdata); va_end(ap); return ENOMEM; } 
diff --git a/src/lib/krb5/krb/bld_princ.c b/src/lib/krb5/krb/bld_princ.c index c7e996374c..d3e0d294b6 100644 --- a/src/lib/krb5/krb/bld_princ.c +++ b/src/lib/krb5/krb/bld_princ.c @@ -97,11 +97,11 @@ krb5int_build_principal_va(krb5_context context, if (data) { while (--count >= 0) { - krb5_xfree(data[count].data); + free(data[count].data); } - krb5_xfree(data); + free(data); } - krb5_xfree(r); + free(r); return retval; } @@ -140,7 +140,7 @@ krb5int_build_principal_alloc_va(krb5_context context, if (!retval) { *princ = p; } else { - krb5_xfree(p); + free(p); } return retval; @@ -165,7 +165,7 @@ krb5_build_principal_alloc_va(krb5_context context, if (!retval) { *princ = p; } else { - krb5_xfree(p); + free(p); } return retval; diff --git a/src/lib/krb5/krb/chpw.c b/src/lib/krb5/krb/chpw.c index 851a9ecdda..2e675a3912 100644 --- a/src/lib/krb5/krb/chpw.c +++ b/src/lib/krb5/krb/chpw.c @@ -43,8 +43,8 @@ krb5int_mk_chpw_req(krb5_context context, /* length */ - *ptr++ = (packet->length>> 8) & 0xff; - *ptr++ = packet->length & 0xff; + store_16_be(packet->length, ptr); + ptr += 2; /* version == 0x0001 big-endian */ @@ -53,8 +53,8 @@ krb5int_mk_chpw_req(krb5_context context, /* ap_req length, big-endian */ - *ptr++ = (ap_req->length>>8) & 0xff; - *ptr++ = ap_req->length & 0xff; + store_16_be(ap_req->length, ptr); + ptr += 2; /* ap-req data */ @@ -225,7 +225,7 @@ krb5int_rd_chpw_rep(krb5_context context, krb5_auth_context auth_context, cleanup: if (ap_rep.length) { - krb5_xfree(clearresult.data); + free(clearresult.data); } else { krb5_free_error(context, krberror); } 
@@ -306,14 +306,14 @@ krb5int_mk_setpw_req(krb5_context context, ** build the packet - */ /* put in the length */ - *ptr++ = (packet->length>>8) & 0xff; - *ptr++ = packet->length & 0xff; + store_16_be(packet->length, ptr); + ptr += 2; /* put in the version */ *ptr++ = (char)0xff; *ptr++ = (char)0x80; /* the ap_req length is big endian */ - *ptr++ = (ap_req->length>>8) & 0xff; - *ptr++ = ap_req->length & 0xff; + store_16_be(ap_req->length, ptr); + ptr += 2; /* put in the request data */ memcpy(ptr, ap_req->data, ap_req->length); ptr += ap_req->length; diff --git a/src/lib/krb5/krb/conv_princ.c b/src/lib/krb5/krb/conv_princ.c index 60c8115133..176b41e350 100644 --- a/src/lib/krb5/krb/conv_princ.c +++ b/src/lib/krb5/krb/conv_princ.c @@ -334,7 +334,7 @@ krb5_425_conv_principal(krb5_context context, const char *name, *cp = tolower((unsigned char) *cp); strncat(buf, ".", sizeof(buf) - 1 - strlen(buf)); strncat(buf, domain, sizeof(buf) - 1 - strlen(buf)); - krb5_xfree(domain); + free(domain); } instance = buf; } diff --git a/src/lib/krb5/krb/copy_addrs.c b/src/lib/krb5/krb/copy_addrs.c index 28f19facc9..f3f75c33b8 100644 --- a/src/lib/krb5/krb/copy_addrs.c +++ b/src/lib/krb5/krb/copy_addrs.c @@ -38,7 +38,7 @@ krb5_copy_addr(krb5_context context, const krb5_address *inad, krb5_address **ou return ENOMEM; *tmpad = *inad; if (!(tmpad->contents = (krb5_octet *)malloc(inad->length))) { - krb5_xfree(tmpad); + free(tmpad); return ENOMEM; } memcpy((char *)tmpad->contents, (char *)inad->contents, inad->length); diff --git a/src/lib/krb5/krb/copy_athctr.c b/src/lib/krb5/krb/copy_athctr.c index 4d23c84701..c356fbf78b 100644 --- a/src/lib/krb5/krb/copy_athctr.c +++ b/src/lib/krb5/krb/copy_athctr.c 
@@ -41,24 +41,24 @@ krb5_copy_authenticator(krb5_context context, const krb5_authenticator *authfrom retval = krb5_copy_principal(context, authfrom->client, &tempto->client); if (retval) { - krb5_xfree(tempto); + free(tempto); return retval; } if (authfrom->checksum && (retval = krb5_copy_checksum(context, authfrom->checksum, &tempto->checksum))) { krb5_free_principal(context, tempto->client); - krb5_xfree(tempto); + free(tempto); return retval; } if (authfrom->subkey) { retval = krb5_copy_keyblock(context, authfrom->subkey, &tempto->subkey); if (retval) { - krb5_xfree(tempto->subkey); + free(tempto->subkey); krb5_free_checksum(context, tempto->checksum); krb5_free_principal(context, tempto->client); - krb5_xfree(tempto); + free(tempto); return retval; } } @@ -67,11 +67,11 @@ krb5_copy_authenticator(krb5_context context, const krb5_authenticator *authfrom retval = krb5_copy_authdata(context, authfrom->authorization_data, &tempto->authorization_data); if (retval) { - krb5_xfree(tempto->subkey); + free(tempto->subkey); krb5_free_checksum(context, tempto->checksum); krb5_free_principal(context, tempto->client); krb5_free_authdata(context, tempto->authorization_data); - krb5_xfree(tempto); + free(tempto); return retval; } } diff --git a/src/lib/krb5/krb/copy_auth.c b/src/lib/krb5/krb/copy_auth.c index cd27f72b52..9a94cddedd 100644 --- a/src/lib/krb5/krb/copy_auth.c +++ b/src/lib/krb5/krb/copy_auth.c @@ -65,7 +65,7 @@ krb5_copy_authdatum(krb5_context context, const krb5_authdata *inad, krb5_authda return ENOMEM; *tmpad = *inad; if (!(tmpad->contents = (krb5_octet *)malloc(inad->length))) { - krb5_xfree(tmpad); + free(tmpad); return ENOMEM; } memcpy((char *)tmpad->contents, (char *)inad->contents, inad->length); diff --git a/src/lib/krb5/krb/copy_cksum.c b/src/lib/krb5/krb/copy_cksum.c index ce7eb7aa74..2bff2c36eb 100644 --- a/src/lib/krb5/krb/copy_cksum.c +++ b/src/lib/krb5/krb/copy_cksum.c 
@@ -40,7 +40,7 @@ krb5_copy_checksum(krb5_context context, const krb5_checksum *ckfrom, krb5_check if (!(tempto->contents = (krb5_octet *)malloc(tempto->length))) { - krb5_xfree(tempto); + free(tempto); return ENOMEM; } memcpy((char *) tempto->contents, (char *) ckfrom->contents, diff --git a/src/lib/krb5/krb/copy_creds.c b/src/lib/krb5/krb/copy_creds.c index f011a03cec..e6fece3839 100644 --- a/src/lib/krb5/krb/copy_creds.c +++ b/src/lib/krb5/krb/copy_creds.c @@ -81,13 +81,13 @@ krb5int_copy_creds_contents(krb5_context context, const krb5_creds *incred, if (retval) goto cleanaddrs; tempcred->ticket = *scratch; - krb5_xfree(scratch); + free(scratch); retval = krb5_copy_data(context, &incred->second_ticket, &scratch); if (retval) goto clearticket; tempcred->second_ticket = *scratch; - krb5_xfree(scratch); + free(scratch); retval = krb5_copy_authdata(context, incred->authdata,&tempcred->authdata); if (retval) @@ -104,7 +104,7 @@ krb5int_copy_creds_contents(krb5_context context, const krb5_creds *incred, cleanaddrs: krb5_free_addresses(context, tempcred->addresses); cleanblock: - krb5_xfree(tempcred->keyblock.contents); + free(tempcred->keyblock.contents); cleanserver: krb5_free_principal(context, tempcred->server); cleanclient: diff --git a/src/lib/krb5/krb/copy_data.c b/src/lib/krb5/krb/copy_data.c index ab419f28ab..5ba90c6b90 100644 --- a/src/lib/krb5/krb/copy_data.c +++ b/src/lib/krb5/krb/copy_data.c @@ -48,7 +48,7 @@ krb5_copy_data(krb5_context context, const krb5_data *indata, krb5_data **outdat retval = krb5int_copy_data_contents(context, indata, tempdata); if (retval) { - krb5_xfree(tempdata); + free(tempdata); return retval; } diff --git a/src/lib/krb5/krb/copy_key.c b/src/lib/krb5/krb/copy_key.c index 1bb04c1993..e7fc2772a1 100644 --- a/src/lib/krb5/krb/copy_key.c +++ b/src/lib/krb5/krb/copy_key.c 
@@ -41,7 +41,7 @@ krb5_copy_keyblock(krb5_context context, const krb5_keyblock *from, krb5_keybloc return ENOMEM; *new_key = *from; if (!(new_key->contents = (krb5_octet *)malloc(new_key->length))) { - krb5_xfree(new_key); + free(new_key); return(ENOMEM); } memcpy((char *)new_key->contents, (char *)from->contents, diff --git a/src/lib/krb5/krb/copy_tick.c b/src/lib/krb5/krb/copy_tick.c index 43268e50f2..76d8bcface 100644 --- a/src/lib/krb5/krb/copy_tick.c +++ b/src/lib/krb5/krb/copy_tick.c @@ -41,13 +41,13 @@ krb5_copy_enc_tkt_part(krb5_context context, const krb5_enc_tkt_part *partfrom, retval = krb5_copy_keyblock(context, partfrom->session, &tempto->session); if (retval) { - krb5_xfree(tempto); + free(tempto); return retval; } retval = krb5_copy_principal(context, partfrom->client, &tempto->client); if (retval) { krb5_free_keyblock(context, tempto->session); - krb5_xfree(tempto); + free(tempto); return retval; } tempto->transited = partfrom->transited; @@ -59,7 +59,7 @@ krb5_copy_enc_tkt_part(krb5_context context, const krb5_enc_tkt_part *partfrom, if (!tempto->transited.tr_contents.data) { krb5_free_principal(context, tempto->client); krb5_free_keyblock(context, tempto->session); - krb5_xfree(tempto); + free(tempto); return ENOMEM; } memcpy((char *)tempto->transited.tr_contents.data, @@ -69,10 +69,10 @@ krb5_copy_enc_tkt_part(krb5_context context, const krb5_enc_tkt_part *partfrom, retval = krb5_copy_addresses(context, partfrom->caddrs, &tempto->caddrs); if (retval) { - krb5_xfree(tempto->transited.tr_contents.data); + free(tempto->transited.tr_contents.data); krb5_free_principal(context, tempto->client); krb5_free_keyblock(context, tempto->session); - krb5_xfree(tempto); + free(tempto); return retval; } if (partfrom->authorization_data) { 
@@ -80,10 +80,10 @@ krb5_copy_enc_tkt_part(krb5_context context, const krb5_enc_tkt_part *partfrom, &tempto->authorization_data); if (retval) { krb5_free_addresses(context, tempto->caddrs); - krb5_xfree(tempto->transited.tr_contents.data); + free(tempto->transited.tr_contents.data); krb5_free_principal(context, tempto->client); krb5_free_keyblock(context, tempto->session); - krb5_xfree(tempto); + free(tempto); return retval; } } @@ -103,22 +103,22 @@ krb5_copy_ticket(krb5_context context, const krb5_ticket *from, krb5_ticket **pt *tempto = *from; retval = krb5_copy_principal(context, from->server, &tempto->server); if (retval) { - krb5_xfree(tempto); + free(tempto); return retval; } retval = krb5_copy_data(context, &from->enc_part.ciphertext, &scratch); if (retval) { krb5_free_principal(context, tempto->server); - krb5_xfree(tempto); + free(tempto); return retval; } tempto->enc_part.ciphertext = *scratch; - krb5_xfree(scratch); + free(scratch); retval = krb5_copy_enc_tkt_part(context, from->enc_part2, &tempto->enc_part2); if (retval) { - krb5_xfree(tempto->enc_part.ciphertext.data); + free(tempto->enc_part.ciphertext.data); krb5_free_principal(context, tempto->server); - krb5_xfree(tempto); + free(tempto); return retval; } *pto = tempto; diff --git a/src/lib/krb5/krb/free_rtree.c b/src/lib/krb5/krb/free_rtree.c index 7914d3f239..035c3a8217 100644 --- a/src/lib/krb5/krb/free_rtree.c +++ b/src/lib/krb5/krb/free_rtree.c @@ -37,5 +37,5 @@ krb5_free_realm_tree(krb5_context context, krb5_principal *realms) krb5_free_principal(context, *nrealms); nrealms++; } - krb5_xfree(realms); + free(realms); } diff --git a/src/lib/krb5/krb/fwd_tgt.c b/src/lib/krb5/krb/fwd_tgt.c index 2db2c9e00e..ccaef4d881 100644 --- a/src/lib/krb5/krb/fwd_tgt.c +++ b/src/lib/krb5/krb/fwd_tgt.c @@ -181,7 +181,7 @@ retval = KRB5_FWD_BAD_PRINCIPAL; krb5_free_data(context, scratch); } else { *outbuf = *scratch; - krb5_xfree(scratch); + free(scratch); } errout: 
diff --git a/src/lib/krb5/krb/gc_via_tkt.c b/src/lib/krb5/krb/gc_via_tkt.c index c73c6d5296..97e40bf3ca 100644 --- a/src/lib/krb5/krb/gc_via_tkt.c +++ b/src/lib/krb5/krb/gc_via_tkt.c @@ -57,7 +57,7 @@ krb5_kdcrep2creds(krb5_context context, krb5_kdc_rep *pkdcrep, krb5_address *con if ((retval = krb5_copy_data(context, psectkt, &pdata))) goto cleanup; (*ppcreds)->second_ticket = *pdata; - krb5_xfree(pdata); + free(pdata); (*ppcreds)->ticket_flags = pkdcrep->enc_part2->flags; (*ppcreds)->times = pkdcrep->enc_part2->times; diff --git a/src/lib/krb5/krb/gen_subkey.c b/src/lib/krb5/krb/gen_subkey.c index 4d4e7be681..601ab739af 100644 --- a/src/lib/krb5/krb/gen_subkey.c +++ b/src/lib/krb5/krb/gen_subkey.c @@ -56,7 +56,7 @@ krb5_generate_subkey_extended(krb5_context context, return(ENOMEM); if ((retval = krb5_c_make_random_key(context, enctype, *subkey))) { - krb5_xfree(*subkey); + free(*subkey); return(retval); } diff --git a/src/lib/krb5/krb/get_creds.c b/src/lib/krb5/krb/get_creds.c index 6824a74b22..fff8b903b8 100644 --- a/src/lib/krb5/krb/get_creds.c +++ b/src/lib/krb5/krb/get_creds.c @@ -128,7 +128,7 @@ krb5_get_credentials(krb5_context context, krb5_flags options, /* The caller is now responsible for cleaning up in_creds */ if ((retval = krb5_cc_retrieve_cred(context, ccache, fields, &mcreds, ncreds))) { - krb5_xfree(ncreds); + free(ncreds); ncreds = in_creds; } else { *out_creds = ncreds; @@ -311,7 +311,7 @@ krb5_validate_or_renew_creds(krb5_context context, krb5_creds *creds, /* ick. copy the struct contents, free the container */ if (out_creds) { *creds = *out_creds; - krb5_xfree(out_creds); + free(out_creds); } cleanup: diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c index 8a8a9b3c04..52d17e0bb0 100644 --- a/src/lib/krb5/krb/get_in_tkt.c +++ b/src/lib/krb5/krb/get_in_tkt.c 
@@ -272,7 +272,7 @@ decrypt_as_reply(krb5_context context, retval = (*key_proc)(context, as_reply->enc_part.enctype, &salt, keyseed, &decrypt_key); - krb5_xfree(salt.data); + free(salt.data); if (retval) goto cleanup; } @@ -409,7 +409,7 @@ stash_as_reply(krb5_context context, goto cleanup; creds->ticket = *packet; - krb5_xfree(packet); + free(packet); /* store it in the ccache! */ if (ccache) @@ -430,12 +430,12 @@ cleanup: if (creds->keyblock.contents) { memset((char *)creds->keyblock.contents, 0, creds->keyblock.length); - krb5_xfree(creds->keyblock.contents); + free(creds->keyblock.contents); creds->keyblock.contents = 0; creds->keyblock.length = 0; } if (creds->ticket.data) { - krb5_xfree(creds->ticket.data); + free(creds->ticket.data); creds->ticket.data = 0; } if (creds->addresses) { @@ -1489,7 +1489,7 @@ cleanup: krb5_free_keyblock_contents(context, &as_key); if (salt.data && (!(options && (options->flags & KRB5_GET_INIT_CREDS_OPT_SALT)))) - krb5_xfree(salt.data); + free(salt.data); krb5_free_data_contents(context, &s2kparams); if (as_reply) *as_reply = local_as_reply; diff --git a/src/lib/krb5/krb/gic_keytab.c b/src/lib/krb5/krb/gic_keytab.c index 7e60b2d198..9235794872 100644 --- a/src/lib/krb5/krb/gic_keytab.c +++ b/src/lib/krb5/krb/gic_keytab.c @@ -69,7 +69,7 @@ krb5_get_as_key_keytab( /* again, krb5's memory management is lame... */ *as_key = *kt_key; - krb5_xfree(kt_key); + free(kt_key); (void) krb5_kt_free_entry(context, &kt_ent); diff --git a/src/lib/krb5/krb/gic_pwd.c b/src/lib/krb5/krb/gic_pwd.c index 716d3cc434..4174f4e668 100644 --- a/src/lib/krb5/krb/gic_pwd.c +++ b/src/lib/krb5/krb/gic_pwd.c @@ -76,7 +76,7 @@ krb5_get_as_key_password( params->data?params:NULL, as_key); if (defsalt.length) - krb5_xfree(defsalt.data); + free(defsalt.data); return(ret); } 
@@ -274,7 +274,7 @@ krb5_get_init_creds_password(krb5_context context, /* the change succeeded. go on */ if (result_code == 0) { - krb5_xfree(result_string.data); + free(result_string.data); break; } @@ -283,7 +283,7 @@ krb5_get_init_creds_password(krb5_context context, ret = KRB5_CHPW_FAIL; if (result_code != KRB5_KPASSWD_SOFTERROR) { - krb5_xfree(result_string.data); + free(result_string.data); goto cleanup; } @@ -301,8 +301,8 @@ krb5_get_init_creds_password(krb5_context context, (int) result_string.length, result_string.data ? result_string.data : ""); - krb5_xfree(code_string.data); - krb5_xfree(result_string.data); + free(code_string.data); + free(result_string.data); } } diff --git a/src/lib/krb5/krb/kfree.c b/src/lib/krb5/krb/kfree.c index 9e5e192748..6bf20c5a94 100644 --- a/src/lib/krb5/krb/kfree.c +++ b/src/lib/krb5/krb/kfree.c @@ -59,8 +59,8 @@ void KRB5_CALLCONV krb5_free_address(krb5_context context, krb5_address *val) { if (val->contents) - krb5_xfree(val->contents); - krb5_xfree(val); + free(val->contents); + free(val); } void KRB5_CALLCONV @@ -70,10 +70,10 @@ krb5_free_addresses(krb5_context context, krb5_address **val) for (temp = val; *temp; temp++) { if ((*temp)->contents) - krb5_xfree((*temp)->contents); - krb5_xfree(*temp); + free((*temp)->contents); + free(*temp); } - krb5_xfree(val); + free(val); } @@ -81,8 +81,8 @@ void KRB5_CALLCONV krb5_free_ap_rep(krb5_context context, register krb5_ap_rep *val) { if (val->enc_part.ciphertext.data) - krb5_xfree(val->enc_part.ciphertext.data); - krb5_xfree(val); + free(val->enc_part.ciphertext.data); + free(val); } void KRB5_CALLCONV @@ -91,8 +91,8 @@ krb5_free_ap_req(krb5_context context, register krb5_ap_req *val) if (val->ticket) krb5_free_ticket(context, val->ticket); if (val->authenticator.ciphertext.data) - krb5_xfree(val->authenticator.ciphertext.data); - krb5_xfree(val); + free(val->authenticator.ciphertext.data); + free(val); } void KRB5_CALLCONV 
@@ -100,7 +100,7 @@ krb5_free_ap_rep_enc_part(krb5_context context, krb5_ap_rep_enc_part *val) { if (val->subkey) krb5_free_keyblock(context, val->subkey); - krb5_xfree(val); + free(val); } void KRB5_CALLCONV @@ -131,31 +131,31 @@ krb5_free_authdata(krb5_context context, krb5_authdata **val) for (temp = val; *temp; temp++) { if ((*temp)->contents) - krb5_xfree((*temp)->contents); - krb5_xfree(*temp); + free((*temp)->contents); + free(*temp); } - krb5_xfree(val); + free(val); } void KRB5_CALLCONV krb5_free_authenticator(krb5_context context, krb5_authenticator *val) { krb5_free_authenticator_contents(context, val); - krb5_xfree(val); + free(val); } void KRB5_CALLCONV krb5_free_checksum(krb5_context context, register krb5_checksum *val) { krb5_free_checksum_contents(context, val); - krb5_xfree(val); + free(val); } void KRB5_CALLCONV krb5_free_checksum_contents(krb5_context context, register krb5_checksum *val) { if (val->contents) { - krb5_xfree(val->contents); + free(val->contents); val->contents = 0; } } @@ -166,8 +166,8 @@ krb5_free_cred(krb5_context context, register krb5_cred *val) if (val->tickets) krb5_free_tickets(context, val->tickets); if (val->enc_part.ciphertext.data) - krb5_xfree(val->enc_part.ciphertext.data); - krb5_xfree(val); + free(val->enc_part.ciphertext.data); + free(val); } /* @@ -188,15 +188,15 @@ krb5_free_cred_contents(krb5_context context, krb5_creds *val) } if (val->keyblock.contents) { memset((char *)val->keyblock.contents, 0, val->keyblock.length); - krb5_xfree(val->keyblock.contents); + free(val->keyblock.contents); val->keyblock.contents = 0; } if (val->ticket.data) { - krb5_xfree(val->ticket.data); + free(val->ticket.data); val->ticket.data = 0; } if (val->second_ticket.data) { - krb5_xfree(val->second_ticket.data); + free(val->second_ticket.data); val->second_ticket.data = 0; } if (val->addresses) { 
@@ -233,9 +233,9 @@ krb5_free_cred_enc_part(krb5_context context, register krb5_cred_enc_part *val) krb5_free_principal(context, (*temp)->server); if ((*temp)->caddrs) krb5_free_addresses(context, (*temp)->caddrs); - krb5_xfree((*temp)); + free((*temp)); } - krb5_xfree(val->ticket_info); + free(val->ticket_info); val->ticket_info = 0; } } @@ -245,7 +245,7 @@ void KRB5_CALLCONV krb5_free_creds(krb5_context context, krb5_creds *val) { krb5_free_cred_contents(context, val); - krb5_xfree(val); + free(val); } @@ -253,15 +253,15 @@ void KRB5_CALLCONV krb5_free_data(krb5_context context, krb5_data *val) { if (val->data) - krb5_xfree(val->data); - krb5_xfree(val); + free(val->data); + free(val); } void KRB5_CALLCONV krb5_free_data_contents(krb5_context context, krb5_data *val) { if (val->data) { - krb5_xfree(val->data); + free(val->data); val->data = 0; } } @@ -291,7 +291,7 @@ krb5_free_enc_kdc_rep_part(krb5_context context, register krb5_enc_kdc_rep_part krb5_free_principal(context, val->server); if (val->caddrs) krb5_free_addresses(context, val->caddrs); - krb5_xfree(val); + free(val); } void KRB5_CALLCONV @@ -302,12 +302,12 @@ krb5_free_enc_tkt_part(krb5_context context, krb5_enc_tkt_part *val) if (val->client) krb5_free_principal(context, val->client); if (val->transited.tr_contents.data) - krb5_xfree(val->transited.tr_contents.data); + free(val->transited.tr_contents.data); if (val->caddrs) krb5_free_addresses(context, val->caddrs); if (val->authorization_data) krb5_free_authdata(context, val->authorization_data); - krb5_xfree(val); + free(val); } @@ -319,10 +319,10 @@ krb5_free_error(krb5_context context, register krb5_error *val) if (val->server) krb5_free_principal(context, val->server); if (val->text.data) - krb5_xfree(val->text.data); + free(val->text.data); if (val->e_data.data) - krb5_xfree(val->e_data.data); - krb5_xfree(val); + free(val->e_data.data); + free(val); } void KRB5_CALLCONV 
@@ -335,10 +335,10 @@ krb5_free_kdc_rep(krb5_context context, krb5_kdc_rep *val) if (val->ticket) krb5_free_ticket(context, val->ticket); if (val->enc_part.ciphertext.data) - krb5_xfree(val->enc_part.ciphertext.data); + free(val->enc_part.ciphertext.data); if (val->enc_part2) krb5_free_enc_kdc_rep_part(context, val->enc_part2); - krb5_xfree(val); + free(val); } @@ -352,16 +352,16 @@ krb5_free_kdc_req(krb5_context context, krb5_kdc_req *val) if (val->server) krb5_free_principal(context, val->server); if (val->ktype) - krb5_xfree(val->ktype); + free(val->ktype); if (val->addresses) krb5_free_addresses(context, val->addresses); if (val->authorization_data.ciphertext.data) - krb5_xfree(val->authorization_data.ciphertext.data); + free(val->authorization_data.ciphertext.data); if (val->unenc_authdata) krb5_free_authdata(context, val->unenc_authdata); if (val->second_ticket) krb5_free_tickets(context, val->second_ticket); - krb5_xfree(val); + free(val); } void KRB5_CALLCONV @@ -384,8 +384,8 @@ krb5_free_last_req(krb5_context context, krb5_last_req_entry **val) register krb5_last_req_entry **temp; for (temp = val; *temp; temp++) - krb5_xfree(*temp); - krb5_xfree(val); + free(*temp); + free(val); } void KRB5_CALLCONV @@ -395,10 +395,10 @@ krb5_free_pa_data(krb5_context context, krb5_pa_data **val) for (temp = val; *temp; temp++) { if ((*temp)->contents) - krb5_xfree((*temp)->contents); - krb5_xfree(*temp); + free((*temp)->contents); + free(*temp); } - krb5_xfree(val); + free(val); } void KRB5_CALLCONV 
@@ -413,31 +413,31 @@ krb5_free_principal(krb5_context context, krb5_principal val) i = krb5_princ_size(context, val); while(--i >= 0) free(krb5_princ_component(context, val, i)->data); - krb5_xfree(val->data); + free(val->data); } if (val->realm.data) - krb5_xfree(val->realm.data); - krb5_xfree(val); + free(val->realm.data); + free(val); } void KRB5_CALLCONV krb5_free_priv(krb5_context context, register krb5_priv *val) { if (val->enc_part.ciphertext.data) - krb5_xfree(val->enc_part.ciphertext.data); - krb5_xfree(val); + free(val->enc_part.ciphertext.data); + free(val); } void KRB5_CALLCONV krb5_free_priv_enc_part(krb5_context context, register krb5_priv_enc_part *val) { if (val->user_data.data) - krb5_xfree(val->user_data.data); + free(val->user_data.data); if (val->r_address) krb5_free_address(context, val->r_address); if (val->s_address) krb5_free_address(context, val->s_address); - krb5_xfree(val); + free(val); } void KRB5_CALLCONV @@ -445,7 +445,7 @@ krb5_free_pwd_data(krb5_context context, krb5_pwd_data *val) { if (val->element) krb5_free_pwd_sequences(context, val->element); - krb5_xfree(val); + free(val); } @@ -463,9 +463,9 @@ krb5_free_pwd_sequences(krb5_context context, passwd_phrase_element **val) krb5_free_data(context, (*temp)->phrase); (*temp)->phrase = 0; } - krb5_xfree(*temp); + free(*temp); } - krb5_xfree(val); + free(val); } @@ -473,14 +473,14 @@ void KRB5_CALLCONV krb5_free_safe(krb5_context context, register krb5_safe *val) { if (val->user_data.data) - krb5_xfree(val->user_data.data); + free(val->user_data.data); if (val->r_address) krb5_free_address(context, val->r_address); if (val->s_address) krb5_free_address(context, val->s_address); if (val->checksum) krb5_free_checksum(context, val->checksum); - krb5_xfree(val); + free(val); } 
@@ -490,10 +490,10 @@ krb5_free_ticket(krb5_context context, krb5_ticket *val) if (val->server) krb5_free_principal(context, val->server); if (val->enc_part.ciphertext.data) - krb5_xfree(val->enc_part.ciphertext.data); + free(val->enc_part.ciphertext.data); if (val->enc_part2) krb5_free_enc_tkt_part(context, val->enc_part2); - krb5_xfree(val); + free(val); } void KRB5_CALLCONV @@ -503,7 +503,7 @@ krb5_free_tickets(krb5_context context, krb5_ticket **val) for (temp = val; *temp; temp++) krb5_free_ticket(context, *temp); - krb5_xfree(val); + free(val); } @@ -513,7 +513,7 @@ krb5_free_tgt_creds(krb5_context context, krb5_creds **tgts) register krb5_creds **tgtpp; for (tgtpp = tgts; *tgtpp; tgtpp++) krb5_free_creds(context, *tgtpp); - krb5_xfree(tgts); + free(tgts); } void KRB5_CALLCONV @@ -523,14 +523,14 @@ krb5_free_tkt_authent(krb5_context context, krb5_tkt_authent *val) krb5_free_ticket(context, val->ticket); if (val->authenticator) krb5_free_authenticator(context, val->authenticator); - krb5_xfree(val); + free(val); } void KRB5_CALLCONV krb5_free_unparsed_name(krb5_context context, char *val) { if (val) - krb5_xfree(val); + free(val); } void KRB5_CALLCONV @@ -539,7 +539,7 @@ krb5_free_sam_challenge(krb5_context ctx, krb5_sam_challenge *sc) if (!sc) return; krb5_free_sam_challenge_contents(ctx, sc); - krb5_xfree(sc); + free(sc); } void KRB5_CALLCONV @@ -548,7 +548,7 @@ krb5_free_sam_challenge_2(krb5_context ctx, krb5_sam_challenge_2 *sc2) if (!sc2) return; krb5_free_sam_challenge_2_contents(ctx, sc2); - krb5_xfree(sc2); + free(sc2); } void KRB5_CALLCONV @@ -569,7 +569,7 @@ krb5_free_sam_challenge_contents(krb5_context ctx, krb5_sam_challenge *sc) if (sc->sam_pk_for_sad.data) krb5_free_data_contents(ctx, &sc->sam_pk_for_sad); if (sc->sam_cksum.contents) { - krb5_xfree(sc->sam_cksum.contents); + free(sc->sam_cksum.contents); sc->sam_cksum.contents = 0; } } 
@@ -590,7 +590,7 @@ krb5_free_sam_challenge_2_contents(krb5_context ctx, krb5_free_checksum(ctx, *cksump); cksump++; } - krb5_xfree(sc2->sam_cksum); + free(sc2->sam_cksum); sc2->sam_cksum = 0; } } @@ -602,7 +602,7 @@ krb5_free_sam_challenge_2_body(krb5_context ctx, if (!sc2) return; krb5_free_sam_challenge_2_body_contents(ctx, sc2); - krb5_xfree(sc2); + free(sc2); } void KRB5_CALLCONV @@ -631,7 +631,7 @@ krb5_free_sam_response(krb5_context ctx, krb5_sam_response *sr) if (!sr) return; krb5_free_sam_response_contents(ctx, sr); - krb5_xfree(sr); + free(sr); } void KRB5_CALLCONV @@ -640,7 +640,7 @@ krb5_free_sam_response_2(krb5_context ctx, krb5_sam_response_2 *sr2) if (!sr2) return; krb5_free_sam_response_2_contents(ctx, sr2); - krb5_xfree(sr2); + free(sr2); } void KRB5_CALLCONV @@ -674,7 +674,7 @@ krb5_free_predicted_sam_response(krb5_context ctx, if (!psr) return; krb5_free_predicted_sam_response_contents(ctx, psr); - krb5_xfree(psr); + free(psr); } void KRB5_CALLCONV @@ -700,7 +700,7 @@ krb5_free_enc_sam_response_enc(krb5_context ctx, if (!esre) return; krb5_free_enc_sam_response_enc_contents(ctx, esre); - krb5_xfree(esre); + free(esre); } void KRB5_CALLCONV @@ -710,7 +710,7 @@ krb5_free_enc_sam_response_enc_2(krb5_context ctx, if (!esre2) return; krb5_free_enc_sam_response_enc_2_contents(ctx, esre2); - krb5_xfree(esre2); + free(esre2); } void KRB5_CALLCONV @@ -738,7 +738,7 @@ krb5_free_pa_enc_ts(krb5_context ctx, krb5_pa_enc_ts *pa_enc_ts) { if (!pa_enc_ts) return; - krb5_xfree(pa_enc_ts); + free(pa_enc_ts); } void KRB5_CALLCONV @@ -752,7 +752,7 @@ krb5_free_pa_for_user(krb5_context context, krb5_pa_for_user *req) } krb5_free_checksum_contents(context, &req->cksum); krb5_free_data_contents(context, &req->auth_package); - krb5_xfree(req); + free(req); } void KRB5_CALLCONV 
@@ -774,7 +774,7 @@ krb5_free_pa_server_referral_data(krb5_context context, ref->requested_principal_name = NULL; } krb5_free_checksum_contents(context, &ref->rep_cksum); - krb5_xfree(ref); + free(ref); } void KRB5_CALLCONV @@ -787,7 +787,7 @@ krb5_free_pa_svr_referral_data(krb5_context context, krb5_free_principal(context, ref->principal); ref->principal = NULL; } - krb5_xfree(ref); + free(ref); } void KRB5_CALLCONV @@ -796,7 +796,7 @@ krb5_free_pa_pac_req(krb5_context context, { if (req == NULL) return; - krb5_xfree(req); + free(req); } void KRB5_CALLCONV @@ -805,7 +805,7 @@ krb5_free_etype_list(krb5_context context, { if (etypes != NULL) { if (etypes->etypes != NULL) - krb5_xfree(etypes->etypes); - krb5_xfree(etypes); + free(etypes->etypes); + free(etypes); } } diff --git a/src/lib/krb5/krb/mk_cred.c b/src/lib/krb5/krb/mk_cred.c index a63b07ac69..5618868255 100644 --- a/src/lib/krb5/krb/mk_cred.c +++ b/src/lib/krb5/krb/mk_cred.c @@ -38,7 +38,7 @@ encrypt_credencpart(krb5_context context, krb5_cred_enc_part *pcredpart, if (pkeyblock == NULL) { pencdata->ciphertext.data = scratch->data; pencdata->ciphertext.length = scratch->length; - krb5_xfree(scratch); + free(scratch); return 0; } @@ -263,10 +263,10 @@ krb5_mk_ncred(krb5_context context, krb5_auth_context auth_context, replay.ctime = replaydata.timestamp; if ((retval = krb5_rc_store(context, auth_context->rcache, &replay))) { /* should we really error out here? XXX */ - krb5_xfree(replay.client); + free(replay.client); goto error; } - krb5_xfree(replay.client); + free(replay.client); } /* Encode creds structure */ diff --git a/src/lib/krb5/krb/mk_error.c b/src/lib/krb5/krb/mk_error.c index 819d29dde1..75cdc9b5be 100644 --- a/src/lib/krb5/krb/mk_error.c +++ b/src/lib/krb5/krb/mk_error.c 
@@ -47,6 +47,6 @@ krb5_mk_error(krb5_context context, const krb5_error *dec_err, if ((retval = encode_krb5_error(dec_err, &new_enc_err))) return(retval); *enc_err = *new_enc_err; - krb5_xfree(new_enc_err); + free(new_enc_err); return 0; } diff --git a/src/lib/krb5/krb/mk_priv.c b/src/lib/krb5/krb/mk_priv.c index 2a56bd0971..e626872a0d 100644 --- a/src/lib/krb5/krb/mk_priv.c +++ b/src/lib/krb5/krb/mk_priv.c @@ -91,7 +91,7 @@ krb5_mk_priv_basic(krb5_context context, const krb5_data *userdata, goto clean_encpart; *outbuf = *scratch2; - krb5_xfree(scratch2); + free(scratch2); retval = 0; clean_encpart: @@ -209,7 +209,7 @@ krb5_mk_priv(krb5_context context, krb5_auth_context auth_context, if ((retval = krb5_gen_replay_name(context, auth_context->local_addr, "_priv", &replay.client))) { - krb5_xfree(outbuf); + free(outbuf); goto error; } @@ -219,10 +219,10 @@ krb5_mk_priv(krb5_context context, krb5_auth_context auth_context, replay.ctime = replaydata.timestamp; if ((retval = krb5_rc_store(context, auth_context->rcache, &replay))) { /* should we really error out here? XXX */ - krb5_xfree(replay.client); + free(replay.client); goto error; } - krb5_xfree(replay.client); + free(replay.client); } return 0; diff --git a/src/lib/krb5/krb/mk_rep.c b/src/lib/krb5/krb/mk_rep.c index ee4f34ed2f..29155b6e11 100644 --- a/src/lib/krb5/krb/mk_rep.c +++ b/src/lib/krb5/krb/mk_rep.c @@ -122,7 +122,7 @@ k5_mk_rep(krb5_context context, krb5_auth_context auth_context, if (!(retval = encode_krb5_ap_rep(&reply, &toutbuf))) { *outbuf = *toutbuf; - krb5_xfree(toutbuf); + free(toutbuf); } memset(reply.enc_part.ciphertext.data, 0, reply.enc_part.ciphertext.length); diff --git a/src/lib/krb5/krb/mk_req_ext.c b/src/lib/krb5/krb/mk_req_ext.c index 0d24017ee7..2d700aec89 100644 --- a/src/lib/krb5/krb/mk_req_ext.c +++ b/src/lib/krb5/krb/mk_req_ext.c 
@@ -261,7 +261,7 @@ krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context, goto cleanup_cksum; *outbuf = *toutbuf; - krb5_xfree(toutbuf); + free(toutbuf); cleanup_cksum: if (checksump && checksump->checksum_type != 0x8003) @@ -270,7 +270,7 @@ cleanup_cksum: cleanup: if (desired_etypes && desired_etypes != (*auth_context)->permitted_etypes) - krb5_xfree(desired_etypes); + free(desired_etypes); if (request.ticket) krb5_free_ticket(context, request.ticket); if (request.authenticator.ciphertext.data) { @@ -280,8 +280,8 @@ cleanup: } if (scratch) { memset(scratch->data, 0, scratch->length); - krb5_xfree(scratch->data); - krb5_xfree(scratch); + free(scratch->data); + free(scratch); } return retval; } @@ -401,7 +401,7 @@ make_etype_list(krb5_context context, adata[i]->ad_type = KRB5_AUTHDATA_IF_RELEVANT; adata[i]->length = ad_if_relevant->length; adata[i]->contents = (krb5_octet *)ad_if_relevant->data; - krb5_xfree(ad_if_relevant); /* contents owned by adata[i] */ + free(ad_if_relevant); /* contents owned by adata[i] */ adata[i + 1] = NULL; diff --git a/src/lib/krb5/krb/mk_safe.c b/src/lib/krb5/krb/mk_safe.c index 01abfab961..c2937ea039 100644 --- a/src/lib/krb5/krb/mk_safe.c +++ b/src/lib/krb5/krb/mk_safe.c @@ -98,11 +98,11 @@ krb5_mk_safe_basic(krb5_context context, const krb5_data *userdata, goto cleanup_checksum; } *outbuf = *scratch2; - krb5_xfree(scratch2); + free(scratch2); retval = 0; cleanup_checksum: - krb5_xfree(safe_checksum.contents); + free(safe_checksum.contents); memset((char *)scratch1->data, 0, scratch1->length); krb5_free_data(context, scratch1); @@ -234,7 +234,7 @@ krb5_mk_safe(krb5_context context, krb5_auth_context auth_context, if ((retval = krb5_gen_replay_name(context, auth_context->local_addr, "_safe", &replay.client))) { - krb5_xfree(outbuf); + free(outbuf); goto error; } 
@@ -244,10 +244,10 @@ krb5_mk_safe(krb5_context context, krb5_auth_context auth_context, replay.ctime = replaydata.timestamp; if ((retval = krb5_rc_store(context, auth_context->rcache, &replay))) { /* should we really error out here? XXX */ - krb5_xfree(outbuf); + free(outbuf); goto error; } - krb5_xfree(replay.client); + free(replay.client); } return 0; diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c index 196b627d8b..30a63bf350 100644 --- a/src/lib/krb5/krb/pac.c +++ b/src/lib/krb5/krb/pac.c @@ -730,7 +730,7 @@ k5_insert_checksum(krb5_context context, } /* Encode checksum type into buffer */ - store_32_le((krb5_ui_4)*cksumtype, (unsigned char *)cksumdata.data); + store_32_le((krb5_ui_4)*cksumtype, cksumdata.data); return 0; } diff --git a/src/lib/krb5/krb/parse.c b/src/lib/krb5/krb/parse.c index 87548097a5..d55a488e32 100644 --- a/src/lib/krb5/krb/parse.c +++ b/src/lib/krb5/krb/parse.c @@ -148,7 +148,7 @@ k5_parse_name(krb5_context context, const char *name, } principal->data = (krb5_data *) malloc(sizeof(krb5_data) * components); if (principal->data == NULL) { - krb5_xfree((char *)principal); + free((char *)principal); return ENOMEM; } principal->length = components; @@ -162,15 +162,15 @@ k5_parse_name(krb5_context context, const char *name, if (flags & KRB5_PRINCIPAL_PARSE_REQUIRE_REALM) { krb5_set_error_message(context, KRB5_PARSE_MALFORMED, "Principal %s is missing required realm", name); - krb5_xfree(principal->data); - krb5_xfree(principal); + free(principal->data); + free(principal); return KRB5_PARSE_MALFORMED; } if (!default_realm && (flags & KRB5_PRINCIPAL_PARSE_NO_REALM) == 0) { retval = krb5_get_default_realm(context, &default_realm); if (retval) { - krb5_xfree(principal->data); - krb5_xfree((char *)principal); + free(principal->data); + free((char *)principal); return(retval); } default_realm_size = strlen(default_realm); 
@@ -179,8 +179,8 @@ k5_parse_name(krb5_context context, const char *name, } else if (flags & KRB5_PRINCIPAL_PARSE_NO_REALM) { krb5_set_error_message(context, KRB5_PARSE_MALFORMED, "Principal %s has realm present", name); - krb5_xfree(principal->data); - krb5_xfree(principal); + free(principal->data); + free(principal); return KRB5_PARSE_MALFORMED; } @@ -237,9 +237,9 @@ k5_parse_name(krb5_context context, const char *name, */ tmpdata = malloc(realmsize + 1); if (tmpdata == 0) { - krb5_xfree(principal->data); - krb5_xfree(principal); - krb5_xfree(default_realm); + free(principal->data); + free(principal); + free(default_realm); return ENOMEM; } krb5_princ_set_realm_length(context, principal, realmsize); @@ -249,11 +249,11 @@ k5_parse_name(krb5_context context, const char *name, malloc(krb5_princ_component(context, principal, i)->length + 1); if (tmpdata2 == NULL) { for (i--; i >= 0; i--) - krb5_xfree(krb5_princ_component(context, principal, i)->data); - krb5_xfree(krb5_princ_realm(context, principal)->data); - krb5_xfree(principal->data); - krb5_xfree(principal); - krb5_xfree(default_realm); + free(krb5_princ_component(context, principal, i)->data); + free(krb5_princ_realm(context, principal)->data); + free(principal->data); + free(principal); + free(default_realm); return(ENOMEM); } krb5_princ_component(context, principal, i)->data = tmpdata2; @@ -321,7 +321,7 @@ k5_parse_name(krb5_context context, const char *name, *nprincipal = principal; if (default_realm != NULL) - krb5_xfree(default_realm); + free(default_realm); return(0); } diff --git a/src/lib/krb5/krb/preauth.c b/src/lib/krb5/krb/preauth.c index 11574116a3..2ef38c2c5c 100644 --- a/src/lib/krb5/krb/preauth.c +++ b/src/lib/krb5/krb/preauth.c @@ -227,7 +227,7 @@ cleanup: if (etype_info) krb5_free_etype_info(context, etype_info); if (f_salt) - krb5_xfree(salt.data); + free(salt.data); if (send_pa_list) krb5_free_pa_data(context, send_pa_list); if (def_enc_key) 
@@ -314,7 +314,7 @@ obtain_enc_ts_padata(krb5_context context, krb5_pa_data *in_padata, krb5_etype_i *out_padata = pa; - krb5_xfree(scratch); + free(scratch); scratch = 0; retval = 0; @@ -323,7 +323,7 @@ cleanup: if (scratch) krb5_free_data(context, scratch); if (enc_data.ciphertext.data) - krb5_xfree(enc_data.ciphertext.data); + free(enc_data.ciphertext.data); return retval; } @@ -383,7 +383,7 @@ sam_get_pass_from_user(krb5_context context, krb5_etype_info etype_info, git_key /* we don't keep the new password, just the key... */ retval = (*key_proc)(context, enctype, 0, (krb5_const_pointer)&newpw, new_enc_key); - krb5_xfree(newpw.data); + free(newpw.data); } krb5_default_pwd_prompt1 = oldprompt; return retval; @@ -569,6 +569,6 @@ cleanup: if (scratch) krb5_free_data(context, scratch); if (sam_challenge) - krb5_xfree(sam_challenge); + free(sam_challenge); return retval; } diff --git a/src/lib/krb5/krb/preauth2.c b/src/lib/krb5/krb/preauth2.c index bcb15d6632..a6182d73f8 100644 --- a/src/lib/krb5/krb/preauth2.c +++ b/src/lib/krb5/krb/preauth2.c @@ -676,13 +676,13 @@ krb5_error_code pa_enc_timestamp(krb5_context context, krb5_free_data(context, tmp); if (ret) { - krb5_xfree(enc_data.ciphertext.data); + free(enc_data.ciphertext.data); return(ret); } ret = encode_krb5_enc_data(&enc_data, &tmp); - krb5_xfree(enc_data.ciphertext.data); + free(enc_data.ciphertext.data); if (ret) return(ret); @@ -699,7 +699,7 @@ krb5_error_code pa_enc_timestamp(krb5_context context, *out_padata = pa; - krb5_xfree(tmp); + free(tmp); return(0); } @@ -893,7 +893,7 @@ krb5_error_code pa_sam(krb5_context context, (krb5_data *)gak_data, salt, as_key); if (defsalt.length) - krb5_xfree(defsalt.data); + free(defsalt.data); if (ret) { krb5_free_sam_challenge(context, sam_challenge); 
@@ -937,7 +937,7 @@ krb5_error_code pa_sam(krb5_context context, &response_data, salt, as_key); if (defsalt.length) - krb5_xfree(defsalt.data); + free(defsalt.data); if (ret) { krb5_free_sam_challenge(context, sam_challenge); @@ -958,7 +958,7 @@ krb5_error_code pa_sam(krb5_context context, sam_response.sam_type = sam_challenge->sam_type; sam_response.magic = KV5M_SAM_RESPONSE; - krb5_xfree(sam_challenge); + free(sam_challenge); /* encode the encoded part of the response */ if ((ret = encode_krb5_enc_sam_response_enc(&enc_sam_response_enc, @@ -991,7 +991,7 @@ krb5_error_code pa_sam(krb5_context context, *out_padata = pa; - krb5_xfree(scratch); + free(scratch); return(0); } @@ -1458,7 +1458,7 @@ krb5_error_code pa_sam_2(krb5_context context, if (retval) { krb5_free_sam_challenge_2(context, sc2); krb5_free_sam_challenge_2_body(context, sc2b); - if (defsalt.length) krb5_xfree(defsalt.data); + if (defsalt.length) free(defsalt.data); return(retval); } @@ -1472,7 +1472,7 @@ krb5_error_code pa_sam_2(krb5_context context, if (retval) { krb5_free_sam_challenge_2(context, sc2); krb5_free_sam_challenge_2_body(context, sc2b); - if (defsalt.length) krb5_xfree(defsalt.data); + if (defsalt.length) free(defsalt.data); return(retval); } @@ -1483,14 +1483,14 @@ krb5_error_code pa_sam_2(krb5_context context, if (retval) { krb5_free_sam_challenge_2(context, sc2); krb5_free_sam_challenge_2_body(context, sc2b); - if (defsalt.length) krb5_xfree(defsalt.data); + if (defsalt.length) free(defsalt.data); return(retval); } krb5_free_keyblock_contents(context, &tmp_kb); } if (defsalt.length) - krb5_xfree(defsalt.data); + free(defsalt.data); } else { /* as_key = string_to_key(SAD) */ @@ -1505,7 +1505,7 @@ krb5_error_code pa_sam_2(krb5_context context, &response_data, salt, as_key); if (defsalt.length) - krb5_xfree(defsalt.data); + free(defsalt.data); if (retval) { krb5_free_sam_challenge_2(context, sc2); 
diff --git a/src/lib/krb5/krb/rd_cred.c b/src/lib/krb5/krb/rd_cred.c index 5e159ab802..48637450dc 100644 --- a/src/lib/krb5/krb/rd_cred.c +++ b/src/lib/krb5/krb/rd_cred.c @@ -42,10 +42,10 @@ decrypt_credencdata(krb5_context context, krb5_cred *pcred, cleanup: if (ppart != NULL) { memset(ppart, 0, sizeof(*ppart)); - krb5_xfree(ppart); + free(ppart); } memset(scratch.data, 0, scratch.length); - krb5_xfree(scratch.data); + free(scratch.data); return retval; } @@ -128,7 +128,7 @@ krb5_rd_cred_basic(krb5_context context, krb5_data *pcreddata, goto cleanup; pcur->ticket = *pdata; - krb5_xfree(pdata); + free(pdata); pcur->is_skey = FALSE; @@ -214,10 +214,10 @@ krb5_rd_cred(krb5_context context, krb5_auth_context auth_context, replay.cusec = replaydata.usec; replay.ctime = replaydata.timestamp; if ((retval = krb5_rc_store(context, auth_context->rcache, &replay))) { - krb5_xfree(replay.client); + free(replay.client); goto error; } - krb5_xfree(replay.client); + free(replay.client); } if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) { diff --git a/src/lib/krb5/krb/rd_priv.c b/src/lib/krb5/krb/rd_priv.c index 66b29b0fa3..7d1dbc3cae 100644 --- a/src/lib/krb5/krb/rd_priv.c +++ b/src/lib/krb5/krb/rd_priv.c @@ -141,11 +141,11 @@ cleanup_data:; cleanup_scratch:; memset(scratch.data, 0, scratch.length); - krb5_xfree(scratch.data); + free(scratch.data); cleanup_privmsg:; - krb5_xfree(privmsg->enc_part.ciphertext.data); - krb5_xfree(privmsg); + free(privmsg->enc_part.ciphertext.data); + free(privmsg); return retval; } @@ -239,10 +239,10 @@ krb5_rd_priv(krb5_context context, krb5_auth_context auth_context, replay.cusec = replaydata.usec; replay.ctime = replaydata.timestamp; if ((retval = krb5_rc_store(context, auth_context->rcache, &replay))) { - krb5_xfree(replay.client); + free(replay.client); goto error; } - krb5_xfree(replay.client); + free(replay.client); } if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) { 
@@ -265,7 +265,7 @@ krb5_rd_priv(krb5_context context, krb5_auth_context auth_context, return 0; error:; - krb5_xfree(outbuf->data); + free(outbuf->data); outbuf->length = 0; outbuf->data = NULL; diff --git a/src/lib/krb5/krb/rd_req_dec.c b/src/lib/krb5/krb/rd_req_dec.c index 618151100a..c618be1eea 100644 --- a/src/lib/krb5/krb/rd_req_dec.c +++ b/src/lib/krb5/krb/rd_req_dec.c @@ -354,10 +354,10 @@ krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context, &rep.msghash); if (!retval) { retval = krb5_rc_store(context, (*auth_context)->rcache, &rep); - krb5_xfree(rep.msghash); + free(rep.msghash); } - krb5_xfree(rep.server); - krb5_xfree(rep.client); + free(rep.server); + free(rep.client); } if (retval) @@ -507,10 +507,10 @@ krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context, cleanup: if (desired_etypes != NULL) - krb5_xfree(desired_etypes); + free(desired_etypes); if (permitted_etypes != NULL && permitted_etypes != (*auth_context)->permitted_etypes) - krb5_xfree(permitted_etypes); + free(permitted_etypes); if (server == &princ_data) krb5_free_default_realm(context, princ_data.realm.data); if (retval) { @@ -706,7 +706,7 @@ decode_etype_list(krb5_context context, if (code == 0) { *desired_etypes = etype_list->etypes; *desired_etypes_len = etype_list->length; - krb5_xfree(etype_list); + free(etype_list); } if (ad_if_relevant != NULL) diff --git a/src/lib/krb5/krb/rd_safe.c b/src/lib/krb5/krb/rd_safe.c index d14d9d4287..938b4483d4 100644 --- a/src/lib/krb5/krb/rd_safe.c +++ b/src/lib/krb5/krb/rd_safe.c @@ -245,10 +245,10 @@ krb5_rd_safe(krb5_context context, krb5_auth_context auth_context, replay.cusec = replaydata.usec; replay.ctime = replaydata.timestamp; if ((retval = krb5_rc_store(context, auth_context->rcache, &replay))) { - krb5_xfree(replay.client); + free(replay.client); goto error; } - krb5_xfree(replay.client); + free(replay.client); } if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) { 
@@ -271,7 +271,7 @@ krb5_rd_safe(krb5_context context, krb5_auth_context auth_context, return 0; error: - krb5_xfree(outbuf->data); + free(outbuf->data); return retval; } diff --git a/src/lib/krb5/krb/recvauth.c b/src/lib/krb5/krb/recvauth.c index 92bcad7a9a..ab3e1e48ae 100644 --- a/src/lib/krb5/krb/recvauth.c +++ b/src/lib/krb5/krb/recvauth.c @@ -77,7 +77,7 @@ recvauth_common(krb5_context context, if (strcmp(inbuf.data, sendauth_version)) { problem = KRB5_SENDAUTH_BADAUTHVERS; } - krb5_xfree(inbuf.data); + free(inbuf.data); } if (flags & KRB5_RECVAUTH_BADAUTHVERS) problem = KRB5_SENDAUTH_BADAUTHVERS; @@ -94,7 +94,7 @@ recvauth_common(krb5_context context, if (version && !problem) *version = inbuf; else - krb5_xfree(inbuf.data); + free(inbuf.data); /* * OK, now check the problem variable. If it's zero, we're * fine and we can continue. Otherwise, we have to signal an @@ -165,7 +165,7 @@ recvauth_common(krb5_context context, if (!problem) { problem = krb5_rd_req(context, auth_context, &inbuf, server, keytab, &ap_option, ticket); - krb5_xfree(inbuf.data); + free(inbuf.data); } /* @@ -213,7 +213,7 @@ recvauth_common(krb5_context context, retval = krb5_write_message(context, fd, &outbuf); if (outbuf.data) { - krb5_xfree(outbuf.data); + free(outbuf.data); /* We sent back an error, we need cleanup then return */ retval = problem; goto cleanup; @@ -227,7 +227,7 @@ recvauth_common(krb5_context context, return(retval); } retval = krb5_write_message(context, fd, &outbuf); - krb5_xfree(outbuf.data); + free(outbuf.data); } cleanup:; diff --git a/src/lib/krb5/krb/send_tgs.c b/src/lib/krb5/krb/send_tgs.c index 138599804a..ab136abb78 100644 --- a/src/lib/krb5/krb/send_tgs.c +++ b/src/lib/krb5/krb/send_tgs.c @@ -103,7 +103,7 @@ krb5_send_tgs_basic(krb5_context context, krb5_data *in_data, krb5_creds *in_cre retval = encode_krb5_ap_req(&request, &toutbuf); *outbuf = *toutbuf; - krb5_xfree(toutbuf); + free(toutbuf); memset(request.authenticator.ciphertext.data, 0, 
@@ -174,7 +174,7 @@ krb5_send_tgs(krb5_context context, krb5_flags kdcoptions, KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY, scratch, &tgsreq.authorization_data))) { - krb5_xfree(tgsreq.authorization_data.ciphertext.data); + free(tgsreq.authorization_data.ciphertext.data); krb5_free_data(context, scratch); return retval; } @@ -229,7 +229,7 @@ krb5_send_tgs(krb5_context context, krb5_flags kdcoptions, for (counter = padata; *counter; counter++, i++); combined_padata = malloc((i+2) * sizeof(*combined_padata)); if (!combined_padata) { - krb5_xfree(ap_req_padata.contents); + free(ap_req_padata.contents); retval = ENOMEM; goto send_tgs_error_2; } @@ -240,7 +240,7 @@ krb5_send_tgs(krb5_context context, krb5_flags kdcoptions, } else { combined_padata = (krb5_pa_data **)malloc(2*sizeof(*combined_padata)); if (!combined_padata) { - krb5_xfree(ap_req_padata.contents); + free(ap_req_padata.contents); retval = ENOMEM; goto send_tgs_error_2; } @@ -251,12 +251,12 @@ krb5_send_tgs(krb5_context context, krb5_flags kdcoptions, /* the TGS_REQ is assembled in tgsreq, so encode it */ if ((retval = encode_krb5_tgs_req(&tgsreq, &scratch))) { - krb5_xfree(ap_req_padata.contents); - krb5_xfree(combined_padata); + free(ap_req_padata.contents); + free(combined_padata); goto send_tgs_error_2; } - krb5_xfree(ap_req_padata.contents); - krb5_xfree(combined_padata); + free(ap_req_padata.contents); + free(combined_padata); /* now send request & get response from KDC */ send_again: @@ -297,11 +297,11 @@ send_tgs_error_2:; send_tgs_error_1:; if (ktypes == NULL) - krb5_xfree(tgsreq.ktype); + free(tgsreq.ktype); if (tgsreq.authorization_data.ciphertext.data) { memset(tgsreq.authorization_data.ciphertext.data, 0, tgsreq.authorization_data.ciphertext.length); - krb5_xfree(tgsreq.authorization_data.ciphertext.data); + free(tgsreq.authorization_data.ciphertext.data); } return retval; diff --git a/src/lib/krb5/krb/sendauth.c b/src/lib/krb5/krb/sendauth.c index 35684bebbe..85d52f171d 100644 
--- a/src/lib/krb5/krb/sendauth.c +++ b/src/lib/krb5/krb/sendauth.c @@ -181,12 +181,12 @@ krb5_sendauth(krb5_context context, krb5_auth_context *auth_context, if (inbuf.length) { if (error) { if ((retval = krb5_rd_error(context, &inbuf, error))) { - krb5_xfree(inbuf.data); + free(inbuf.data); goto error_return; } } retval = KRB5_SENDAUTH_REJECTED; - krb5_xfree(inbuf.data); + free(inbuf.data); goto error_return; } @@ -204,11 +204,11 @@ krb5_sendauth(krb5_context context, krb5_auth_context *auth_context, &repl))) { if (repl) krb5_free_ap_rep_enc_part(context, repl); - krb5_xfree(inbuf.data); + free(inbuf.data); goto error_return; } - krb5_xfree(inbuf.data); + free(inbuf.data); /* * If the user wants to look at the AP_REP message, * copy it for him diff --git a/src/lib/krb5/krb/ser_princ.c b/src/lib/krb5/krb/ser_princ.c index a4663c5f8b..b04638de0d 100644 --- a/src/lib/krb5/krb/ser_princ.c +++ b/src/lib/krb5/krb/ser_princ.c @@ -74,7 +74,7 @@ krb5_principal_size(krb5_context kcontext, krb5_pointer arg, size_t *sizep) if ((principal = (krb5_principal) arg) && !(kret = krb5_unparse_name(kcontext, principal, &fname))) { *sizep += (3*sizeof(krb5_int32)) + strlen(fname); - krb5_xfree(fname); + free(fname); } return(kret); } @@ -111,7 +111,7 @@ krb5_principal_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet * *buffer = bp; *lenremain = remain; - krb5_xfree(fname); + free(fname); } } } diff --git a/src/lib/krb5/krb/serialize.c b/src/lib/krb5/krb/serialize.c index 9152dba0a7..f78bc16183 100644 --- a/src/lib/krb5/krb/serialize.c +++ b/src/lib/krb5/krb/serialize.c @@ -76,7 +76,7 @@ krb5_register_serializer(krb5_context kcontext, const krb5_ser_entry *entry) /* Copy in new entry */ memcpy(&stable[kcontext->ser_ctx_count], entry, sizeof(krb5_ser_entry)); - if (kcontext->ser_ctx) krb5_xfree(kcontext->ser_ctx); + if (kcontext->ser_ctx) free(kcontext->ser_ctx); kcontext->ser_ctx = (void *) stable; kcontext->ser_ctx_count++; } 
diff --git a/src/lib/krb5/krb/set_realm.c b/src/lib/krb5/krb/set_realm.c index edb72ae7fb..9a96cd1cad 100644 --- a/src/lib/krb5/krb/set_realm.c +++ b/src/lib/krb5/krb/set_realm.c @@ -40,7 +40,7 @@ krb5_set_principal_realm(krb5_context context, krb5_principal principal, const c if (!newrealm) return -ENOMEM; - (void) krb5_xfree(krb5_princ_realm(context,principal)->data); + (void) free(krb5_princ_realm(context,principal)->data); krb5_princ_realm(context, principal)->length = length; krb5_princ_realm(context, principal)->data = newrealm; diff --git a/src/lib/krb5/krb/srv_rcache.c b/src/lib/krb5/krb/srv_rcache.c index a426881d41..9da6d45ff0 100644 --- a/src/lib/krb5/krb/srv_rcache.c +++ b/src/lib/krb5/krb/srv_rcache.c @@ -93,8 +93,8 @@ krb5_get_server_rcache(krb5_context context, const krb5_data *piece, cleanup: if (rcache) - krb5_xfree(rcache); + free(rcache); if (cachename) - krb5_xfree(cachename); + free(cachename); return retval; } diff --git a/src/lib/krb5/krb/t_ser.c b/src/lib/krb5/krb/t_ser.c index 7c39453235..1776a3f214 100644 --- a/src/lib/krb5/krb/t_ser.c +++ b/src/lib/krb5/krb/t_ser.c @@ -128,7 +128,7 @@ ser_data(int verbose, char *msg, krb5_pointer ctx, krb5_magic dtype) if (verbose) printf("%s: compare succeeded\n", msg); } - krb5_xfree(outrep2); + free(outrep2); } else printf("%s: second externalize returned %d\n", msg, kret); @@ -144,7 +144,7 @@ ser_data(int verbose, char *msg, krb5_pointer ctx, krb5_magic dtype) actx = (krb5_auth_context) nctx; if (actx->i_vector) - krb5_xfree(actx->i_vector); + free(actx->i_vector); } krb5_auth_con_free(ser_ctx, (krb5_auth_context) nctx); break; @@ -164,11 +164,11 @@ ser_data(int verbose, char *msg, krb5_pointer ctx, krb5_magic dtype) eblock = (krb5_encrypt_block *) nctx; #if 0 if (eblock->priv && eblock->priv_size) - krb5_xfree(eblock->priv); + free(eblock->priv); #endif if (eblock->key) krb5_free_keyblock(ser_ctx, eblock->key); - krb5_xfree(eblock); + free(eblock); } break; case KV5M_PRINCIPAL: 
@@ -184,7 +184,7 @@ ser_data(int verbose, char *msg, krb5_pointer ctx, krb5_magic dtype) } else printf("%s: internalize returned %d\n", msg, kret); - krb5_xfree(outrep); + free(outrep); } else printf("%s: externalize_data returned %d\n", msg, kret); @@ -307,7 +307,7 @@ ser_acontext_test(krb5_context kcontext, int verbose) !(kret = ser_data(verbose, "> Auth context with new vector", (krb5_pointer) actx, KV5M_AUTH_CONTEXT)) && - (krb5_xfree(actx->i_vector), actx->i_vector) && + (free(actx->i_vector), actx->i_vector) && !(kret = krb5_auth_con_setivector(kcontext, actx, (krb5_pointer) print_erep) ) && diff --git a/src/lib/krb5/krb/vfy_increds.c b/src/lib/krb5/krb/vfy_increds.c index f133e2f67d..ba4187ea64 100644 --- a/src/lib/krb5/krb/vfy_increds.c +++ b/src/lib/krb5/krb/vfy_increds.c @@ -226,7 +226,7 @@ cleanup: if (authcon) krb5_auth_con_free(context, authcon); if (ap_req.data) - krb5_xfree(ap_req.data); + free(ap_req.data); return(ret); } diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports index 4a6581fe12..9651f30bc4 100644 --- a/src/lib/krb5/libkrb5.exports +++ b/src/lib/krb5/libkrb5.exports @@ -362,6 +362,7 @@ krb5_os_free_context krb5_os_hostaddr krb5_os_init_context krb5_os_localaddr +krb5int_get_domain_realm_mapping krb5_overridekeyname krb5_pac_add_buffer krb5_pac_free diff --git a/src/lib/krb5/os/an_to_ln.c b/src/lib/krb5/os/an_to_ln.c index 83bce2bab5..b886f17f1a 100644 --- a/src/lib/krb5/os/an_to_ln.c +++ b/src/lib/krb5/os/an_to_ln.c @@ -115,13 +115,13 @@ db_an_to_ln(context, dbname, aname, lnsize, lname) db = KDBM_OPEN(dbname, O_RDONLY, 0600); if (!db) { - krb5_xfree(princ_name); + free(princ_name); return KRB5_LNAME_CANTOPEN; } contents = KDBM_FETCH(db, key); - krb5_xfree(princ_name); + free(princ_name); if (contents.dptr == NULL) { retval = KRB5_LNAME_NOTRANS; 
@@ -583,7 +583,7 @@ rule_an_to_ln(krb5_context context, char *rule, krb5_const_principal aname, cons if (!(selstring = aname_full_to_mapping_name(fprincname))) kret = ENOMEM; } - krb5_xfree(fprincname); + free(fprincname); } if (!kret) { /* @@ -819,9 +819,9 @@ krb5_aname_to_localname(krb5_context context, krb5_const_principal aname, int ln } else kret = ENOMEM; - krb5_xfree(pname); + free(pname); } - krb5_xfree(realm); + free(realm); } return(kret); } diff --git a/src/lib/krb5/os/def_realm.c b/src/lib/krb5/os/def_realm.c index 13a025d9bb..d30a914cd7 100644 --- a/src/lib/krb5/os/def_realm.c +++ b/src/lib/krb5/os/def_realm.c @@ -1,7 +1,7 @@ /* * lib/krb5/os/def_realm.c * - * Copyright 1990,1991 by the Massachusetts Institute of Technology. + * Copyright 1990,1991,2009 by the Massachusetts Institute of Technology. * All Rights Reserved. * * Export of this software from the United States of America may @@ -32,7 +32,7 @@ #include "os-proto.h" #include -#ifdef KRB5_DNS_LOOKUP +#ifdef KRB5_DNS_LOOKUP #ifdef WSHELPER #include #else /* WSHELPER */ @@ -75,7 +75,7 @@ krb5_get_default_realm(krb5_context context, char **lrealm) krb5_error_code retval; if (!context || (context->magic != KV5M_CONTEXT)) - return KV5M_CONTEXT; + return KV5M_CONTEXT; if (!context->default_realm) { /* 
@@ -104,47 +104,47 @@ krb5_get_default_realm(krb5_context context, char **lrealm) if (context->default_realm == 0) { int use_dns = _krb5_use_dns_realm(context); if ( use_dns ) { - /* - * Since this didn't appear in our config file, try looking - * it up via DNS. Look for a TXT records of the form: - * - * _kerberos. - * _kerberos. - * _kerberos. - * - */ - char localhost[MAX_DNS_NAMELEN+1]; - char * p; - - krb5int_get_fq_local_hostname (localhost, sizeof(localhost)); - - if ( localhost[0] ) { - p = localhost; - do { - retval = krb5_try_realm_txt_rr("_kerberos", p, - &context->default_realm); - p = strchr(p,'.'); - if (p) - p++; - } while (retval && p && p[0]); - - if (retval) - retval = krb5_try_realm_txt_rr("_kerberos", "", - &context->default_realm); - } else { - retval = krb5_try_realm_txt_rr("_kerberos", "", - &context->default_realm); - } - if (retval) { - return(KRB5_CONFIG_NODEFREALM); - } + /* + * Since this didn't appear in our config file, try looking + * it up via DNS. Look for a TXT records of the form: + * + * _kerberos. + * _kerberos. + * _kerberos. + * + */ + char localhost[MAX_DNS_NAMELEN+1]; + char * p; + + krb5int_get_fq_local_hostname (localhost, sizeof(localhost)); + + if ( localhost[0] ) { + p = localhost; + do { + retval = krb5_try_realm_txt_rr("_kerberos", p, + &context->default_realm); + p = strchr(p,'.'); + if (p) + p++; + } while (retval && p && p[0]); + + if (retval) + retval = krb5_try_realm_txt_rr("_kerberos", "", + &context->default_realm); + } else { + retval = krb5_try_realm_txt_rr("_kerberos", "", + &context->default_realm); + } + if (retval) { + return(KRB5_CONFIG_NODEFREALM); + } } } #endif /* KRB5_DNS_LOOKUP */ } if (context->default_realm == 0) - return(KRB5_CONFIG_NODEFREALM); + return(KRB5_CONFIG_NODEFREALM); if (context->default_realm[0] == 0) { free (context->default_realm); context->default_realm = 0; 
@@ -162,11 +162,11 @@ krb5_error_code KRB5_CALLCONV krb5_set_default_realm(krb5_context context, const char *lrealm) { if (!context || (context->magic != KV5M_CONTEXT)) - return KV5M_CONTEXT; + return KV5M_CONTEXT; if (context->default_realm) { - free(context->default_realm); - context->default_realm = 0; + free(context->default_realm); + context->default_realm = 0; } /* Allow the user to clear the default realm setting by passing in @@ -176,7 +176,7 @@ krb5_set_default_realm(krb5_context context, const char *lrealm) context->default_realm = strdup(lrealm); if (!context->default_realm) - return ENOMEM; + return ENOMEM; return(0); 
@@ -185,5 +185,63 @@ krb5_set_default_realm(krb5_context context, const char *lrealm) void KRB5_CALLCONV krb5_free_default_realm(krb5_context context, char *lrealm) { - free (lrealm); + free (lrealm); } + +krb5_error_code +krb5int_get_domain_realm_mapping(krb5_context context, const char *host, char ***realmsp) +{ + char **retrealms; + char *realm, *cp, *temp_realm; + krb5_error_code retval; + char temp_host[MAX_DNS_NAMELEN+1]; + + /* do sanity check and lower-case */ + retval = krb5int_clean_hostname(context, host, temp_host, sizeof temp_host); + if (retval) + return retval; + /* + Search for the best match for the host or domain. + Example: Given a host a.b.c.d, try to match on: + 1) a.b.c.d 2) .b.c.d. 3) b.c.d 4) .c.d 5) c.d 6) .d 7) d + */ + + cp = temp_host; + realm = (char *)NULL; + temp_realm = 0; + while (cp ) { + retval = profile_get_string(context->profile, "domain_realm", cp, + 0, (char *)NULL, &temp_realm); + if (retval) + return retval; + if (temp_realm != (char *)NULL) + break; /* Match found */ + + /* Setup for another test */ + if (*cp == '.') { + cp++; + } else { + cp = strchr(cp, '.'); + } + } + if (temp_realm != (char*)NULL) { + realm = strdup(temp_realm); + profile_release_string(temp_realm); + if (!realm) { + return ENOMEM; + } + } + retrealms = (char **)calloc(2, sizeof(*retrealms)); + if (!retrealms) { + if (realm != (char *)NULL) + free(realm); + return ENOMEM; + } + + retrealms[0] = realm; + retrealms[1] = 0; + + *realmsp = retrealms; + return 0; +} + diff --git a/src/lib/krb5/os/free_krbhs.c b/src/lib/krb5/os/free_krbhs.c index a10db910c9..e7c7116cdc 100644 --- a/src/lib/krb5/os/free_krbhs.c +++ b/src/lib/krb5/os/free_krbhs.c @@ -40,6 +40,6 @@ krb5_free_krbhst(krb5_context context, char *const *hostlist) for (cp = hostlist; *cp; cp++) free(*cp); - krb5_xfree(hostlist); + free((char *)hostlist); return 0; } diff --git a/src/lib/krb5/os/full_ipadr.c b/src/lib/krb5/os/full_ipadr.c index c72daa8c95..309c3b57f4 100644 
--- a/src/lib/krb5/os/full_ipadr.c +++ b/src/lib/krb5/os/full_ipadr.c @@ -53,7 +53,7 @@ krb5_make_full_ipaddr(krb5_context context, krb5_int32 adr, 2*sizeof(temptype) + 2*sizeof(templength); if (!(retaddr->contents = (krb5_octet *)malloc(retaddr->length))) { - krb5_xfree(retaddr); + free(retaddr); return ENOMEM; } marshal = retaddr->contents; diff --git a/src/lib/krb5/os/localaddr.c b/src/lib/krb5/os/localaddr.c index d884b8cd47..1007522474 100644 --- a/src/lib/krb5/os/localaddr.c +++ b/src/lib/krb5/os/localaddr.c @@ -1358,7 +1358,7 @@ get_localaddrs (krb5_context context, krb5_address ***addr, int use_profile) int i; if (data.addr_temp) { for (i = 0; i < data.count; i++) - krb5_xfree (data.addr_temp[i]); + free (data.addr_temp[i]); free (data.addr_temp); } if (data.mem_err) diff --git a/src/lib/krb5/os/locate_kdc.c b/src/lib/krb5/os/locate_kdc.c index 4725bf4abd..f10f3af1cd 100644 --- a/src/lib/krb5/os/locate_kdc.c +++ b/src/lib/krb5/os/locate_kdc.c @@ -337,7 +337,7 @@ krb5_locate_srv_conf_1(krb5_context context, const krb5_data *realm, error_message(code)); if (code == PROF_NO_SECTION || code == PROF_NO_RELATION) code = KRB5_REALM_UNKNOWN; - krb5_xfree(host); + free(host); return code; } @@ -348,7 +348,7 @@ krb5_locate_srv_conf_1(krb5_context context, const krb5_data *realm, if (count == 0) { profile_free_list(hostlist); - krb5_xfree(host); + free(host); addrlist->naddrs = 0; return 0; } @@ -362,7 +362,7 @@ krb5_locate_srv_conf_1(krb5_context context, const krb5_data *realm, code = profile_get_values(context->profile, realm_srv_names, &masterlist); - krb5_xfree(host); + free(host); if (code == 0) { for (i=0; masterlist[i]; i++) { @@ -383,7 +383,7 @@ krb5_locate_srv_conf_1(krb5_context context, const krb5_data *realm, } } } else { - krb5_xfree(host); + free(host); } /* at this point, if master is non-NULL, then either the master kdc diff --git a/src/lib/krb5/os/mk_faddr.c b/src/lib/krb5/os/mk_faddr.c index cd243c0223..a5cc99a654 100644 
--- a/src/lib/krb5/os/mk_faddr.c +++ b/src/lib/krb5/os/mk_faddr.c @@ -1,7 +1,7 @@ /* * lib/krb5/os/full_ipadr.c * - * Copyright 1995 by the Massachusetts Institute of Technology. + * Copyright 1995, 2009 by the Massachusetts Institute of Technology. * All Rights Reserved. * * Export of this software from the United States of America may @@ -57,8 +57,8 @@ krb5_make_fulladdr(krb5_context context, krb5_address *kaddr, krb5_address *kpor tmp16 = kaddr->addrtype; *marshal++ = 0x00; *marshal++ = 0x00; - *marshal++ = (krb5_octet) (tmp16 & 0xff); - *marshal++ = (krb5_octet) ((tmp16 >> 8) & 0xff); + store_16_le(tmp16, marshal); + marshal += 2; tmp32 = kaddr->length; store_32_le(tmp32, marshal); diff --git a/src/lib/krb5/os/read_msg.c b/src/lib/krb5/os/read_msg.c index 47973bbd8c..82a2573763 100644 --- a/src/lib/krb5/os/read_msg.c +++ b/src/lib/krb5/os/read_msg.c @@ -57,7 +57,7 @@ krb5_read_message(krb5_context context, krb5_pointer fdp, krb5_data *inbuf) return(ENOMEM); } if ((len2 = krb5_net_read(context, fd, buf, ilen)) != ilen) { - krb5_xfree(buf); + free(buf); return((len2 < 0) ? errno : ECONNABORTED); } } diff --git a/src/lib/krb5/os/sn2princ.c b/src/lib/krb5/os/sn2princ.c index cbc6eb1edc..c300e2d42f 100644 --- a/src/lib/krb5/os/sn2princ.c +++ b/src/lib/krb5/os/sn2princ.c @@ -187,7 +187,7 @@ krb5_sname_to_principal(krb5_context context, const char *hostname, const char * if (!hrealms[0]) { free(remote_host); - krb5_xfree(hrealms); + free(hrealms); return KRB5_ERR_HOST_REALM_UNKNOWN; } realm = hrealms[0]; diff --git a/src/lib/krb5/rcache/rc_dfl.c b/src/lib/krb5/rcache/rc_dfl.c index 0486162083..009edfdadb 100644 --- a/src/lib/krb5/rcache/rc_dfl.c +++ b/src/lib/krb5/rcache/rc_dfl.c @@ -334,10 +334,10 @@ krb5_rc_dfl_resolve(krb5_context context, krb5_rcache id, char *name) cleanup: if (t) { if (t->name) - krb5_xfree(t->name); + free(t->name); if (t->h) - krb5_xfree(t->h); - krb5_xfree(t); + free(t->h); + free(t); } return retval; } 
@@ -523,11 +523,11 @@ krb5_rc_io_fetch(krb5_context context, struct dfl_data *t, errout: if (rep->client) - krb5_xfree(rep->client); + free(rep->client); if (rep->server) - krb5_xfree(rep->server); + free(rep->server); if (rep->msghash) - krb5_xfree(rep->msghash); + free(rep->msghash); rep->client = rep->server = 0; return retval; } diff --git a/src/lib/rpc/unit-test/rpc_test.0/fullrun.exp b/src/lib/rpc/unit-test/rpc_test.0/fullrun.exp index 7cdda8af13..2b2d205201 100644 --- a/src/lib/rpc/unit-test/rpc_test.0/fullrun.exp +++ b/src/lib/rpc/unit-test/rpc_test.0/fullrun.exp @@ -19,22 +19,16 @@ set ver_line "rpc_test server: bad verifier\[^\r\n\]*\[\r\n]+" set dots 0 set server_lines 0 while {1} { - set oldtimeout $timeout - set timeout 5 - while {1} { - expect { - -i $server_id - -re $ver_line { - verbose "Got line from server." - incr server_lines - } - default { - break - } - } - } - set timeout $oldtimeout expect { + -i $server_id + -re $ver_line { + verbose "Got line from server." + incr server_lines + } + default { + exp_continue + } + -i $client_id . { incr dots @@ -54,7 +48,6 @@ while {1} { fail "full run: timeout waiting for dot" break } - } } if {$dots==11} { diff --git a/src/tests/asn.1/krb5_decode_test.c b/src/tests/asn.1/krb5_decode_test.c index 4afc273c27..68581f103c 100644 --- a/src/tests/asn.1/krb5_decode_test.c +++ b/src/tests/asn.1/krb5_decode_test.c 
@@ -642,7 +642,7 @@ int main(argc, argv) setup(krb5_cred_enc_part,"krb5_cred_enc_part",ktest_make_sample_cred_enc_part); decode_run("enc_cred_part","","7D 82 02 23 30 82 02 1F A0 82 01 DA 30 82 01 D6 30 81 E8 A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 07 03 05 00 FE DC BA 98 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A8 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A9 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 AA 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 81 E8 A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 07 03 05 00 FE DC BA 98 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A8 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A9 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 AA 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 A1 03 02 01 2A A2 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A3 05 02 03 01 E2 40 A4 0F 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 A5 0F 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23",decode_krb5_enc_cred_part,ktest_equal_enc_cred_part,krb5_free_cred_enc_part); /* free_cred_enc_part does not free the pointer */ - krb5_xfree(var); + free(var); 
ktest_destroy_principal(&(ref.ticket_info[0]->client)); ktest_destroy_principal(&(ref.ticket_info[0]->server)); ref.ticket_info[0]->flags = 0; @@ -658,7 +658,7 @@ int main(argc, argv) ktest_destroy_address(&(ref.r_address)); decode_run("enc_cred_part","(optionals NULL)","7D 82 01 0E 30 82 01 0A A0 82 01 06 30 82 01 02 30 15 A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 30 81 E8 A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 07 03 05 00 FE DC BA 98 A4 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A5 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A6 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A7 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A8 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A9 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 AA 20 30 1E 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23 30 0D A0 03 02 01 02 A1 06 04 04 12 D0 00 23",decode_krb5_enc_cred_part,ktest_equal_enc_cred_part,krb5_free_cred_enc_part); /* free_cred_enc_part does not free the pointer */ - krb5_xfree(var); + free(var); ktest_empty_cred_enc_part(&ref); } @@ -895,8 +895,8 @@ int main(argc, argv) void krb5_ktest_free_alt_method(krb5_context context, krb5_alt_method *val) { if (val->data) - krb5_xfree(val->data); - krb5_xfree(val); + free(val->data); + free(val); } void krb5_ktest_free_pwd_sequence(krb5_context context, @@ -904,7 +904,7 @@ void krb5_ktest_free_pwd_sequence(krb5_context context, { krb5_free_data(context, val->passwd); krb5_free_data(context, val->phrase); - krb5_xfree(val); + free(val); } void krb5_ktest_free_enc_data(krb5_context context, krb5_enc_data *val) diff --git a/src/tests/dejagnu/config/default.exp b/src/tests/dejagnu/config/default.exp index d76ad4c116..2c6c56f736 100644 --- a/src/tests/dejagnu/config/default.exp 
+++ b/src/tests/dejagnu/config/default.exp @@ -1036,8 +1036,6 @@ proc setup_krb5_conf { {type client} } { puts $conffile \ " permitted_enctypes = $permitted_enctypes($type)" } - puts $conffile " krb4_config = $tmppwd/krb.conf" - puts $conffile " krb4_realms = $tmppwd/krb.realms" if { $mode == "tcp" } { puts $conffile " udp_preference_limit = 1" } diff --git a/src/tests/gss-threads/gss-misc.c b/src/tests/gss-threads/gss-misc.c index 3016db2208..27a8af6a5d 100644 --- a/src/tests/gss-threads/gss-misc.c +++ b/src/tests/gss-threads/gss-misc.c @@ -73,6 +73,8 @@ static char *rcsid = "$Header$"; #include #include "gss-misc.h" +/* for store_32_be */ +#include "k5-platform.h" #ifdef HAVE_STDLIB_H #include @@ -175,11 +177,7 @@ int send_token(s, flags, tok) } if (tok->length > 0xffffffffUL) abort(); - lenbuf[0] = (tok->length >> 24) & 0xff; - lenbuf[1] = (tok->length >> 16) & 0xff; - lenbuf[2] = (tok->length >> 8) & 0xff; - lenbuf[3] = tok->length & 0xff; - + store_32_be(tok->length, lenbuf); ret = write_all(s, lenbuf, 4); if (ret < 0) { perror("sending token length"); diff --git a/src/tests/resolve/resolve.c b/src/tests/resolve/resolve.c index 62768af26a..0be8244a23 100644 --- a/src/tests/resolve/resolve.c +++ b/src/tests/resolve/resolve.c @@ -69,6 +69,7 @@ char *strchr(); #include #endif +#include #include int @@ -78,7 +79,7 @@ main(argc, argv) { char myname[MAXHOSTNAMELEN+1]; char *ptr; - char addrcopy[4]; + struct in_addr addrcopy; struct hostent *host; int quiet = 0; @@ -124,10 +125,10 @@ main(argc, argv) printf("Host address: %d.%d.%d.%d\n", UC(ptr[0]), UC(ptr[1]), UC(ptr[2]), UC(ptr[3])); - memcpy(addrcopy, ptr, 4); + memcpy(&addrcopy.s_addr, ptr, 4); /* Convert back to full name */ - if((host = gethostbyaddr(addrcopy, 4, AF_INET)) == NULL) { + if((host = gethostbyaddr(&addrcopy.s_addr, 4, AF_INET)) == NULL) { fprintf(stderr, "Error looking up IP address - fatal\n"); exit(2); } 
diff --git a/src/util/profile/krb5.conf b/src/util/profile/krb5.conf index 19c59c60d3..73f58b90ca 100644 --- a/src/util/profile/krb5.conf +++ b/src/util/profile/krb5.conf @@ -2,8 +2,6 @@ default_realm = ATHENA.MIT.EDU default_tgs_enctypes = des-cbc-crc default_tkt_enctypes = des-cbc-crc - krb4_config = /etc/athena/krb.conf - krb4_realms = /etc/athena/krb.realms default_keytab_name = FILE:/etc/krb5.keytab kdc_timesync = 1 ccache_type = 4 diff --git a/src/util/trim-valgrind-logs b/src/util/trim-valgrind-logs new file mode 100755 index 0000000000..af6839d918 --- /dev/null +++ b/src/util/trim-valgrind-logs 
@@ -0,0 +1,71 @@ +#!/bin/sh + +files=vg.* + +logname() { +# sed -n -e 7p $1 | awk '{print $2}' +# head -7 $1 | tail -1 | awk '{print $2}' + awk '{ if (NR == 9) { print $2; exit 0; } }' $1 +} + +show_names() { + if test "$*" = "$files" ; then + return + fi + for f in $* ; do + echo $f : `logname $f` + done +} + +discard_list="/bin/ps /bin/sh /bin/stty /usr/bin/cmp awk cat chmod cmp cp env expr find grep kill mv rev rlogin rm sed sh sleep sort tail test touch wc whoami xargs" +discard_list="$discard_list tcsh tokens" +#discard_list="$discard_list ./rtest ./dbtest" +# The t_inetd program's logs seem to always wind up incomplete for some +# reason. It's also not terribly important. +discard_list="$discard_list /path/to/.../t_inetd" + +filter() { + if test "$*" = "$files" ; then + return + fi + for f in $* ; do + n=`logname $f` + for d in $discard_list; do + if test "$n" = "$d"; then + echo rm $f : $n + rm $f + break + fi + done + done +} + +kill_error_free_logs() { + if test "$*" = "$files" ; then + return + fi + grep -l "ERROR SUMMARY: 0 errors" $* | while read name ; do + echo rm $name : no errors in `logname $name` + rm $name + done +} + +kill_no_leak_logs() { + if test "$*" = "$files" ; then + return + fi + grep -l "ERROR SUMMARY: 0 errors" $* | \ + grep -l "definitely lost: 0 bytes" $* | \ + xargs grep -l "possibly lost: 0 bytes" | \ + xargs grep -l "still reachable: 0 bytes in 0 blocks" | \ + while read name ; do + echo rm $name : no leaks or errors in `logname $name` + rm $name + done +} + +filter $files +kill_error_free_logs $files +#kill_no_leak_logs $files +echo Remaining files: +show_names $files
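Review bot: krb5int_get_domain_realm_mapping returns 0 with retrealms[0] left NULL when no domain_realm entry matches, and nothing in the added function documents that. A caller that only tests the return code will dereference a NULL realm; the krb5_sname_to_principal context elsewhere in this patch does check `if (!hrealms[0])`, but new callers have no way to know they must. Please add a header comment that states the "success with an empty first element" case, that the caller owns and must free the returned list, and that *realmsp is not written on error. Two small cleanups in the same hunk: the example in the search-order comment reads "2) .b.c.d." with a stray trailing dot, and `temp_realm = 0` sits next to `(char *)NULL` comparisons, so pick one spelling.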
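Review bot: in the free_krbhs.c hunk, `free((char *)hostlist)` casts a `char *const *` to `char *`, which is the wrong pointer type and is only there to drop the const qualifier. `free((void *)hostlist)` says what is meant, or the cast could carry a short comment explaining why it is needed here when the other krb5_xfree replacements in this patch pass the pointer directly.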
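Review bot: the first mk_faddr.c hunk updates the copyright line but leaves the header comment directly above it reading `lib/krb5/os/full_ipadr.c`, which is the name of a different file. Since the header is being touched anyway, correct the path to mk_faddr.c in the same change.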
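Review bot: in the errout path of krb5_rc_io_fetch (rc_dfl.c), rep->msghash is freed but not cleared, because the line after the three free() calls is still `rep->client = rep->server = 0;`. A caller that later frees the replay entry would free msghash a second time. Since these lines are being edited, add `rep->msghash = 0` to that assignment. The `if (ptr)` guards in front of each free() in this hunk and in the krb5_rc_dfl_resolve cleanup are also unnecessary now that plain free() is used, since free(NULL) is a no-op.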
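Review bot: in the merged expect block of fullrun.exp, `default { exp_continue }` is listed ahead of the arm that reports "full run: timeout waiting for dot". Expect's default pattern matches on timeout as well as on eof, so please confirm the later timeout arm can still fire; if default always wins, a client that stops printing dots makes this loop restart forever instead of failing the test. If the intent is only to keep going when the server side closes, matching eof on $server_id explicitly would be clearer than default.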
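Review bot: the resolve.c hunks switch addrcopy to a struct in_addr but keep the literal 4 in both `memcpy(&addrcopy.s_addr, ptr, 4)` and `gethostbyaddr(&addrcopy.s_addr, 4, AF_INET)`. Use `sizeof(addrcopy.s_addr)` (or sizeof(addrcopy)) in both places so the length follows the type, and consider checking host->h_length before copying, since ptr comes from a resolver result whose length is not verified in the visible lines.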
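Review bot: in trim-valgrind-logs, kill_no_leak_logs does not chain its first two filters: `grep -l "definitely lost: 0 bytes" $*` is handed the file list as arguments, so it ignores the names piped in from the preceding `grep -l "ERROR SUMMARY: 0 errors" $*`, and a log with errors but no definite leak would still be deleted. The second stage should be `xargs grep -l ...` like the stages after it. The call is commented out at the bottom, but the function should be correct before anyone enables it. Other points in the same file: the helper named logname shadows the standard logname utility; its commented-out alternatives read line 7 while the live awk reads line 9; `$f`, `$name` and `$*` are unquoted in the rm calls, so a log name containing whitespace would be split; and the discard_list entry `/path/to/.../t_inetd` is a placeholder that can never equal a real program path.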