#include "config.h"
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_SELECT_H
+#include <sys/select.h>
+#endif
+
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
static size_t
isprime(size_t p)
{
- int q, i;
+ size_t q, i;
for(i = 2 ; i < p; i++) {
q = p / i;
heim_release(dict);
return NULL;
}
-
+
dict->tab = calloc(dict->size, sizeof(dict->tab[0]));
if (dict->tab == NULL) {
dict->size = 0;
heim_abortv(const char *fmt, va_list ap)
{
static char str[1024];
-
+
vsnprintf(str, sizeof(str), fmt, ap);
syslog(LOG_ERR, "heim_abort: %s", str);
abort();
#define HEIM_BASE_ONCE_INIT 0
typedef long heim_base_once_t; /* XXX arch dependant */
+#if !defined(__has_extension)
+#define __has_extension(x) 0
+#endif
+
+#define HEIM_REQUIRE_GNUC(m,n,p) \
+ (((__GNUC__ * 10000) + (__GNUC_MINOR__ * 100) + __GNUC_PATCHLEVEL__) >= \
+ (((m) * 10000) + ((n) * 100) + (p)))
+
+
+#if __has_extension(__builtin_expect) || HEIM_REQUIRE_GNUC(3,0,0)
+#define heim_builtin_expect(_op,_res) __builtin_expect(_op,_res)
+#else
+#define heim_builtin_expect(_op,_res) (_op)
+#endif
+
+
void * heim_retain(heim_object_t);
void heim_release(heim_object_t);
HEIMDAL_PRINTF_ATTRIBUTE((printf, 1, 0));
#define heim_assert(e,t) \
- (__builtin_expect(!(e), 0) ? heim_abort(t ":" #e) : (void)0)
+ (heim_builtin_expect(!(e), 0) ? heim_abort(t ":" #e) : (void)0)
/*
*
my $debug = 0;
my $oproto = 1;
my $private_func_re = "^_";
+my %depfunction = ();
Getopts('x:m:o:p:dqE:R:P:') || die "foo";
if($opt_R) {
$private_func_re = $opt_R;
}
-%flags = (
+my %flags = (
'multiline-proto' => 1,
'header' => 1,
'function-blocking' => 0,
s/^\s*//;
s/\s*$//;
s/\s+/ /g;
- if($_ =~ /\)$/ or $_ =~ /DEPRECATED$/){
+ if($_ =~ /\)$/){
if(!/^static/ && !/^PRIVATE/){
$attr = "";
if(m/(.*)(__attribute__\s?\(.*\))/) {
$attr .= " $2";
$_ = $1;
}
- if(m/(.*)\s(\w+DEPRECATED)/) {
+ if(m/(.*)\s(\w+DEPRECATED_FUNCTION)\s?(\(.*\))(.*)/) {
+ $depfunction{$2} = 1;
+ $attr .= " $2$3";
+ $_ = "$1 $4";
+ }
+ if(m/(.*)\s(\w+DEPRECATED)(.*)/) {
$attr .= " $2";
- $_ = $1;
+ $_ = "$1 $3";
}
# remove outer ()
s/\s*\(/</;
";
}
}
+
+my $depstr = "";
+my $undepstr = "";
+foreach (keys %depfunction) {
+ $depstr .= "#ifndef $_
+#if defined(__GNUC__) && ((__GNUC__ > 3) || ((__GNUC__ == 3) && (__GNUC_MINOR__ >= 1 )))
+#define $_(X) __attribute__((__deprecated__))
+#else
+#define $_(X)
+#endif
+#endif
+
+
+";
+ $public_h_trailer .= "#undef $_
+
+";
+ $private_h_trailer .= "#undef $_
+#define $_(X)
+
+";
+}
+
+$public_h_header .= $depstr;
+$private_h_header .= $depstr;
+
+
if($flags{"cxx"}) {
$public_h_header .= "#ifdef __cplusplus
extern \"C\" {
#endif
";
- $public_h_trailer .= "#ifdef __cplusplus
+ $public_h_trailer = "#ifdef __cplusplus
}
#endif
-";
+" . $public_h_trailer;
}
if ($opt_E) {
";
}
+$public_h_trailer .= $undepstr;
+$private_h_trailer .= $undepstr;
+
if ($public_h ne "" && $flags{"header"}) {
$public_h = $public_h_header . $public_h .
$public_h_trailer . "#endif /* $block */\n";
#define HEIMDAL_RWLOCK rwlock_t
#define HEIMDAL_RWLOCK_INITIALIZER RWLOCK_INITIALIZER
-#define HEIMDAL_RWLOCK_init(l) rwlock_init(l, NULL)
-#define HEIMDAL_RWLOCK_rdlock(l) rwlock_rdlock(l)
-#define HEIMDAL_RWLOCK_wrlock(l) rwlock_wrlock(l)
-#define HEIMDAL_RWLOCK_tryrdlock(l) rwlock_tryrdlock(l)
-#define HEIMDAL_RWLOCK_trywrlock(l) rwlock_trywrlock(l)
-#define HEIMDAL_RWLOCK_unlock(l) rwlock_unlock(l)
-#define HEIMDAL_RWLOCK_destroy(l) rwlock_destroy(l)
+#define HEIMDAL_RWLOCK_init(l) rwlock_init(l, NULL)
+#define HEIMDAL_RWLOCK_rdlock(l) rwlock_rdlock(l)
+#define HEIMDAL_RWLOCK_wrlock(l) rwlock_wrlock(l)
+#define HEIMDAL_RWLOCK_tryrdlock(l) rwlock_tryrdlock(l)
+#define HEIMDAL_RWLOCK_trywrlock(l) rwlock_trywrlock(l)
+#define HEIMDAL_RWLOCK_unlock(l) rwlock_unlock(l)
+#define HEIMDAL_RWLOCK_destroy(l) rwlock_destroy(l)
#define HEIMDAL_thread_key thread_key_t
#define HEIMDAL_key_create(k,d,r) do { r = thr_keycreate(k,d); } while(0)
#define HEIMDAL_RWLOCK rwlock_t
#define HEIMDAL_RWLOCK_INITIALIZER RWLOCK_INITIALIZER
-#define HEIMDAL_RWLOCK_init(l) pthread_rwlock_init(l, NULL)
-#define HEIMDAL_RWLOCK_rdlock(l) pthread_rwlock_rdlock(l)
-#define HEIMDAL_RWLOCK_wrlock(l) pthread_rwlock_wrlock(l)
-#define HEIMDAL_RWLOCK_tryrdlock(l) pthread_rwlock_tryrdlock(l)
-#define HEIMDAL_RWLOCK_trywrlock(l) pthread_rwlock_trywrlock(l)
-#define HEIMDAL_RWLOCK_unlock(l) pthread_rwlock_unlock(l)
-#define HEIMDAL_RWLOCK_destroy(l) pthread_rwlock_destroy(l)
+#define HEIMDAL_RWLOCK_init(l) pthread_rwlock_init(l, NULL)
+#define HEIMDAL_RWLOCK_rdlock(l) pthread_rwlock_rdlock(l)
+#define HEIMDAL_RWLOCK_wrlock(l) pthread_rwlock_wrlock(l)
+#define HEIMDAL_RWLOCK_tryrdlock(l) pthread_rwlock_tryrdlock(l)
+#define HEIMDAL_RWLOCK_trywrlock(l) pthread_rwlock_trywrlock(l)
+#define HEIMDAL_RWLOCK_unlock(l) pthread_rwlock_unlock(l)
+#define HEIMDAL_RWLOCK_destroy(l) pthread_rwlock_destroy(l)
#define HEIMDAL_thread_key pthread_key_t
#define HEIMDAL_key_create(k,d,r) do { r = pthread_key_create(k,d); } while(0)
c->require_preauth = TRUE;
c->kdc_warn_pwexpire = 0;
c->encode_as_rep_as_tgs_rep = FALSE;
+ c->as_use_strongest_session_key = FALSE;
+ c->preauth_use_strongest_session_key = FALSE;
+ c->tgs_use_strongest_session_key = FALSE;
+ c->use_strongest_server_key = FALSE;
c->check_ticket_addresses = TRUE;
c->allow_null_ticket_addresses = TRUE;
c->allow_anonymous = FALSE;
c->trpolicy = TRPOLICY_ALWAYS_CHECK;
- c->enable_v4 = FALSE;
- c->enable_kaserver = FALSE;
- c->enable_524 = FALSE;
- c->enable_v4_cross_realm = FALSE;
c->enable_pkinit = FALSE;
c->pkinit_princ_in_cert = TRUE;
c->pkinit_require_binding = TRUE;
krb5_config_get_bool_default(context, NULL,
c->require_preauth,
"kdc", "require-preauth", NULL);
- c->enable_v4 =
- krb5_config_get_bool_default(context, NULL,
- c->enable_v4,
- "kdc", "enable-kerberos4", NULL);
- c->enable_v4_cross_realm =
- krb5_config_get_bool_default(context, NULL,
- c->enable_v4_cross_realm,
- "kdc",
- "enable-kerberos4-cross-realm", NULL);
- c->enable_524 =
- krb5_config_get_bool_default(context, NULL,
- c->enable_v4,
- "kdc", "enable-524", NULL);
#ifdef DIGEST
c->enable_digest =
krb5_config_get_bool_default(context, NULL,
}
#endif
+ c->as_use_strongest_session_key =
+ krb5_config_get_bool_default(context, NULL,
+ c->as_use_strongest_session_key,
+ "kdc",
+ "as-use-strongest-session-key", NULL);
+ c->preauth_use_strongest_session_key =
+ krb5_config_get_bool_default(context, NULL,
+ c->preauth_use_strongest_session_key,
+ "kdc",
+ "preauth-use-strongest-session-key", NULL);
+ c->tgs_use_strongest_session_key =
+ krb5_config_get_bool_default(context, NULL,
+ c->tgs_use_strongest_session_key,
+ "kdc",
+ "tgs-use-strongest-session-key", NULL);
+ c->use_strongest_server_key =
+ krb5_config_get_bool_default(context, NULL,
+ c->use_strongest_server_key,
+ "kdc",
+ "use-strongest-server-key", NULL);
+
c->check_ticket_addresses =
krb5_config_get_bool_default(context, NULL,
c->check_ticket_addresses,
}
}
- {
- const char *p;
- p = krb5_config_get_string (context, NULL,
- "kdc",
- "v4-realm",
- NULL);
- if(p != NULL) {
- c->v4_realm = strdup(p);
- if (c->v4_realm == NULL)
- krb5_errx(context, 1, "out of memory");
- } else {
- c->v4_realm = NULL;
- }
- }
-
- c->enable_kaserver =
- krb5_config_get_bool_default(context,
- NULL,
- c->enable_kaserver,
- "kdc", "enable-kaserver", NULL);
-
-
c->encode_as_rep_as_tgs_rep =
krb5_config_get_bool_default(context, NULL,
c->encode_as_rep_as_tgs_rep,
NULL);
- c->pkinit_kdc_identity =
+ c->pkinit_kdc_identity =
krb5_config_get_string(context, NULL,
"kdc", "pkinit_identity", NULL);
c->pkinit_kdc_anchors =
c->pkinit_kdc_revoke =
krb5_config_get_strings(context, NULL,
"kdc", "pkinit_revoke", NULL);
- c->pkinit_kdc_ocsp_file =
+ c->pkinit_kdc_ocsp_file =
krb5_config_get_string(context, NULL,
"kdc", "pkinit_kdc_ocsp", NULL);
c->pkinit_kdc_friendly_name =
if (config->pkinit_kdc_identity == NULL) {
if (config->pkinit_kdc_friendly_name == NULL)
- config->pkinit_kdc_friendly_name =
+ config->pkinit_kdc_friendly_name =
strdup("O=System Identity,CN=com.apple.kerberos.kdc");
config->pkinit_kdc_identity = strdup("KEYCHAIN:");
}
if (config->enable_pkinit) {
if (config->pkinit_kdc_identity == NULL)
krb5_errx(context, 1, "pkinit enabled but no identity");
-
+
if (config->pkinit_kdc_anchors == NULL)
krb5_errx(context, 1, "pkinit enabled but no X509 anchors");
return 0;
#endif /* PKINIT */
-}
+}
/* check the server principal in the ticket matches digest/R@R */
{
krb5_principal principal = NULL;
- const char *p, *r;
+ const char *p, *rr;
ret = krb5_ticket_get_server(context, ticket, &principal);
if (ret)
krb5_free_principal(context, principal);
goto out;
}
- r = krb5_principal_get_realm(context, principal);
- if (r == NULL) {
+ rr = krb5_principal_get_realm(context, principal);
+ if (rr == NULL) {
krb5_free_principal(context, principal);
goto out;
}
- if (strcmp(p, r) != 0) {
+ if (strcmp(p, rr) != 0) {
krb5_free_principal(context, principal);
goto out;
}
crypto = NULL;
if (ret)
goto out;
-
+
ret = decode_DigestReqInner(buf.data, buf.length, &ireq, NULL);
krb5_data_free(&buf);
if (ret) {
free(r.u.initReply.nonce);
r.u.initReply.nonce = s;
}
-
+
ret = krb5_store_stringz(sp, r.u.initReply.nonce);
if (ret) {
krb5_clear_error_message(context);
krb5_data_free(&buf);
if (ret)
goto out;
-
+
ASN1_MALLOC_ENCODE(Checksum, buf.data, buf.length, &res, &size, ret);
free_Checksum(&res);
if (ret) {
"Failed to decode digest Checksum");
goto out;
}
-
+
ret = krb5_storage_to_data(sp, &buf);
if (ret) {
krb5_clear_error_message(context);
krb5_set_error_message(context, ret, "malloc: out of memory");
goto out;
}
-
+
/*
* CHAP does the checksum of the raw nonce, but do it for all
* types, since we need to check the timestamp.
*/
{
ssize_t ssize;
-
+
ssize = hex_decode(ireq.u.digestRequest.serverNonce,
serverNonce.data, serverNonce.length);
if (ssize <= 0) {
{
unsigned char *p = serverNonce.data;
uint32_t t;
-
+
if (serverNonce.length < 4) {
ret = EINVAL;
krb5_set_error_message(context, ret, "server nonce too short");
EVP_MD_CTX *ctx;
unsigned char md[MD5_DIGEST_LENGTH];
char *mdx;
- char id;
+ char idx;
if ((config->digests_allowed & CHAP_MD5) == 0) {
kdc_log(context, config, 0, "Digest CHAP MD5 not allowed");
"from CHAP request");
goto out;
}
-
- if (hex_decode(*ireq.u.digestRequest.identifier, &id, 1) != 1) {
+
+ if (hex_decode(*ireq.u.digestRequest.identifier, &idx, 1) != 1) {
ret = EINVAL;
krb5_set_error_message(context, ret, "failed to decode identifier");
goto out;
}
-
+
ret = get_password_entry(context, config,
ireq.u.digestRequest.username,
&password);
ctx = EVP_MD_CTX_create();
EVP_DigestInit_ex(ctx, EVP_md5(), NULL);
- EVP_DigestUpdate(ctx, &id, 1);
+ EVP_DigestUpdate(ctx, &idx, 1);
EVP_DigestUpdate(ctx, password, strlen(password));
EVP_DigestUpdate(ctx, serverNonce.data, serverNonce.length);
EVP_DigestFinal_ex(ctx, md, NULL);
goto out;
if (ireq.u.digestRequest.realm == NULL)
goto out;
-
+
ret = get_password_entry(context, config,
ireq.u.digestRequest.username,
&password);
EVP_DigestUpdate(ctx, ":", 1);
EVP_DigestUpdate(ctx, password, strlen(password));
EVP_DigestFinal_ex(ctx, md, NULL);
-
+
EVP_DigestInit_ex(ctx, EVP_md5(), NULL);
EVP_DigestUpdate(ctx, md, sizeof(md));
EVP_DigestUpdate(ctx, ":", 1);
EVP_MD_CTX_destroy(ctx);
goto failed;
}
-
+
EVP_DigestInit_ex(ctx, EVP_md5(), NULL);
EVP_DigestUpdate(ctx,
"AUTHENTICATE:", sizeof("AUTHENTICATE:") - 1);
EVP_DigestUpdate(ctx, *ireq.u.digestRequest.uri,
strlen(*ireq.u.digestRequest.uri));
-
+
/* conf|int */
if (strcmp(ireq.u.digestRequest.digest, "clear") != 0) {
static char conf_zeros[] = ":00000000000000000000000000000000";
EVP_DigestUpdate(ctx, conf_zeros, sizeof(conf_zeros) - 1);
}
-
+
EVP_DigestFinal_ex(ctx, md, NULL);
hex_encode(md, sizeof(md), &A2);
const char *username;
struct ntlm_buf answer;
Key *key = NULL;
- EVP_MD_CTX *ctx;
+ EVP_MD_CTX *ctp;
if ((config->digests_allowed & MS_CHAP_V2) == 0) {
kdc_log(context, config, 0, "MS-CHAP-V2 not allowed");
krb5_set_error_message(context, ret,
"MS-CHAP-V2 clientNonce missing");
goto failed;
- }
+ }
if (serverNonce.length != 16) {
ret = EINVAL;
krb5_set_error_message(context, ret,
else
username++;
- ctx = EVP_MD_CTX_create();
+ ctp = EVP_MD_CTX_create();
/* ChallangeHash */
- EVP_DigestInit_ex(ctx, EVP_sha1(), NULL);
+ EVP_DigestInit_ex(ctp, EVP_sha1(), NULL);
{
ssize_t ssize;
krb5_data clientNonce;
-
+
clientNonce.length = strlen(*ireq.u.digestRequest.clientNonce);
clientNonce.data = malloc(clientNonce.length);
if (clientNonce.data == NULL) {
ret = ENOMEM;
krb5_set_error_message(context, ret,
"malloc: out of memory");
- EVP_MD_CTX_destroy(ctx);
+ EVP_MD_CTX_destroy(ctp);
goto out;
}
ret = ENOMEM;
krb5_set_error_message(context, ret,
"Failed to decode clientNonce");
- EVP_MD_CTX_destroy(ctx);
+ EVP_MD_CTX_destroy(ctp);
goto out;
}
- EVP_DigestUpdate(ctx, clientNonce.data, ssize);
+ EVP_DigestUpdate(ctp, clientNonce.data, ssize);
free(clientNonce.data);
}
- EVP_DigestUpdate(ctx, serverNonce.data, serverNonce.length);
- EVP_DigestUpdate(ctx, username, strlen(username));
+ EVP_DigestUpdate(ctp, serverNonce.data, serverNonce.length);
+ EVP_DigestUpdate(ctp, username, strlen(username));
- EVP_DigestFinal_ex(ctx, challange, NULL);
+ EVP_DigestFinal_ex(ctp, challange, NULL);
- EVP_MD_CTX_destroy(ctx);
+ EVP_MD_CTX_destroy(ctp);
/* NtPasswordHash */
ret = krb5_parse_name(context, username, &clientprincipal);
if (ret)
goto failed;
-
+
ret = _kdc_db_fetch(context, config, clientprincipal,
HDB_F_GET_CLIENT, NULL, NULL, &user);
krb5_free_principal(context, clientprincipal);
krb5_set_error_message(context, ret, "NTLM missing arcfour key");
goto failed;
}
-
+
hex_encode(answer.data, answer.length, &mdx);
if (mdx == NULL) {
free(answer.data);
if (r.u.response.success) {
unsigned char hashhash[MD4_DIGEST_LENGTH];
- EVP_MD_CTX *ctx;
+ EVP_MD_CTX *ctxp;
- ctx = EVP_MD_CTX_create();
+ ctxp = EVP_MD_CTX_create();
/* hashhash */
{
- EVP_DigestInit_ex(ctx, EVP_md4(), NULL);
- EVP_DigestUpdate(ctx,
+ EVP_DigestInit_ex(ctxp, EVP_md4(), NULL);
+ EVP_DigestUpdate(ctxp,
key->key.keyvalue.data,
key->key.keyvalue.length);
- EVP_DigestFinal_ex(ctx, hashhash, NULL);
+ EVP_DigestFinal_ex(ctxp, hashhash, NULL);
}
/* GenerateAuthenticatorResponse */
- EVP_DigestInit_ex(ctx, EVP_sha1(), NULL);
- EVP_DigestUpdate(ctx, hashhash, sizeof(hashhash));
- EVP_DigestUpdate(ctx, answer.data, answer.length);
- EVP_DigestUpdate(ctx, ms_chap_v2_magic1,
+ EVP_DigestInit_ex(ctxp, EVP_sha1(), NULL);
+ EVP_DigestUpdate(ctxp, hashhash, sizeof(hashhash));
+ EVP_DigestUpdate(ctxp, answer.data, answer.length);
+ EVP_DigestUpdate(ctxp, ms_chap_v2_magic1,
sizeof(ms_chap_v2_magic1));
- EVP_DigestFinal_ex(ctx, md, NULL);
+ EVP_DigestFinal_ex(ctxp, md, NULL);
- EVP_DigestInit_ex(ctx, EVP_sha1(), NULL);
- EVP_DigestUpdate(ctx, md, sizeof(md));
- EVP_DigestUpdate(ctx, challange, 8);
- EVP_DigestUpdate(ctx, ms_chap_v2_magic2,
+ EVP_DigestInit_ex(ctxp, EVP_sha1(), NULL);
+ EVP_DigestUpdate(ctxp, md, sizeof(md));
+ EVP_DigestUpdate(ctxp, challange, 8);
+ EVP_DigestUpdate(ctxp, ms_chap_v2_magic2,
sizeof(ms_chap_v2_magic2));
- EVP_DigestFinal_ex(ctx, md, NULL);
+ EVP_DigestFinal_ex(ctxp, md, NULL);
r.u.response.rsp = calloc(1, sizeof(*r.u.response.rsp));
if (r.u.response.rsp == NULL) {
free(answer.data);
krb5_clear_error_message(context);
- EVP_MD_CTX_destroy(ctx);
+ EVP_MD_CTX_destroy(ctxp);
ret = ENOMEM;
goto out;
}
if (r.u.response.rsp == NULL) {
free(answer.data);
krb5_clear_error_message(context);
- EVP_MD_CTX_destroy(ctx);
+ EVP_MD_CTX_destroy(ctxp);
ret = ENOMEM;
goto out;
}
/* get_master, rfc 3079 3.4 */
- EVP_DigestInit_ex(ctx, EVP_sha1(), NULL);
- EVP_DigestUpdate(ctx, hashhash, 16);
- EVP_DigestUpdate(ctx, answer.data, answer.length);
- EVP_DigestUpdate(ctx, ms_rfc3079_magic1,
+ EVP_DigestInit_ex(ctxp, EVP_sha1(), NULL);
+ EVP_DigestUpdate(ctxp, hashhash, 16);
+ EVP_DigestUpdate(ctxp, answer.data, answer.length);
+ EVP_DigestUpdate(ctxp, ms_rfc3079_magic1,
sizeof(ms_rfc3079_magic1));
- EVP_DigestFinal_ex(ctx, md, NULL);
+ EVP_DigestFinal_ex(ctxp, md, NULL);
free(answer.data);
- EVP_MD_CTX_destroy(ctx);
+ EVP_MD_CTX_destroy(ctxp);
r.u.response.session_key =
calloc(1, sizeof(*r.u.response.session_key));
krb5_set_error_message(context, ret, "malloc: out of memory");
goto out;
}
-
+
ret = krb5_storage_write(sp, r.u.ntlmInitReply.challange.data, 8);
if (ret != 8) {
ret = ENOMEM;
uint32_t flags;
Key *key = NULL;
int version;
-
+
r.element = choice_DigestRepInner_ntlmResponse;
r.u.ntlmResponse.success = 0;
r.u.ntlmResponse.flags = 0;
krb5_set_error_message(context, ret, "malloc: out of memory");
goto out;
}
-
+
ret = krb5_storage_read(sp, challange, sizeof(challange));
if (ret != sizeof(challange)) {
ret = ENOMEM;
if (flags & NTLM_NEG_NTLM2_SESSION) {
unsigned char sessionhash[MD5_DIGEST_LENGTH];
EVP_MD_CTX *ctx;
-
+
if ((config->digests_allowed & NTLM_V1_SESSION) == 0) {
kdc_log(context, config, 0, "NTLM v1-session not allowed");
ret = EINVAL;
"for NTLM session key");
goto failed;
}
-
+
ctx = EVP_MD_CTX_create();
EVP_DigestInit_ex(ctx, EVP_md5(), NULL);
goto failed;
}
}
-
+
ret = heim_ntlm_calculate_ntlm1(key->key.keyvalue.data,
key->key.keyvalue.length,
challange, &answer);
krb5_set_error_message(context, ret, "NTLM missing arcfour key");
goto failed;
}
-
+
if (ireq.u.ntlmRequest.ntlm.length != answer.length ||
memcmp(ireq.u.ntlmRequest.ntlm.data, answer.data, answer.length) != 0)
{
unsigned char masterkey[MD4_DIGEST_LENGTH];
EVP_CIPHER_CTX rc4;
size_t len;
-
+
if ((flags & NTLM_NEG_KEYEX) == 0) {
ret = EINVAL;
krb5_set_error_message(context, ret,
"exchange but still sent key");
goto failed;
}
-
+
len = ireq.u.ntlmRequest.sessionkey->length;
if (len != sizeof(masterkey)){
ret = EINVAL;
(unsigned long)len);
goto failed;
}
-
+
EVP_CIPHER_CTX_init(&rc4);
EVP_CipherInit_ex(&rc4, EVP_rc4(), NULL, sessionkey, NULL, 1);
masterkey, ireq.u.ntlmRequest.sessionkey->data,
sizeof(masterkey));
EVP_CIPHER_CTX_cleanup(&rc4);
-
+
r.u.ntlmResponse.sessionkey =
malloc(sizeof(*r.u.ntlmResponse.sessionkey));
if (r.u.ntlmResponse.sessionkey == NULL) {
krb5_set_error_message(context, ret, "malloc: out of memory");
goto out;
}
-
+
ret = krb5_data_copy(r.u.ntlmResponse.sessionkey,
masterkey, sizeof(masterkey));
if (ret) {
krb5_clear_error_message(context);
goto out;
}
-
+
kdc_log(context, config, 0, "Digest failed with: %s", s);
r.element = choice_DigestRepInner_error;
int num_db;
krb5_boolean encode_as_rep_as_tgs_rep; /* bug compatibility */
-
+
+ krb5_boolean as_use_strongest_session_key;
+ krb5_boolean preauth_use_strongest_session_key;
+ krb5_boolean tgs_use_strongest_session_key;
+ krb5_boolean use_strongest_server_key;
+
krb5_boolean check_ticket_addresses;
krb5_boolean allow_null_ticket_addresses;
krb5_boolean allow_anonymous;
enum krb5_kdc_trpolicy trpolicy;
- char *v4_realm;
- krb5_boolean enable_v4;
- krb5_boolean enable_v4_cross_realm;
- krb5_boolean enable_v4_per_principal;
-
- krb5_boolean enable_kaserver;
-
- krb5_boolean enable_524;
-
krb5_boolean enable_pkinit;
krb5_boolean pkinit_princ_in_cert;
const char *pkinit_kdc_identity;
if (req->padata == NULL)
return NULL;
- while(*start < req->padata->len){
+ while((size_t)*start < req->padata->len){
(*start)++;
- if(req->padata->val[*start - 1].padata_type == type)
+ if(req->padata->val[*start - 1].padata_type == (unsigned)type)
return &req->padata->val[*start - 1];
}
return NULL;
*/
krb5_error_code
-_kdc_find_etype(krb5_context context, const hdb_entry_ex *princ,
+_kdc_find_etype(krb5_context context, krb5_boolean use_strongest_session_key,
+ krb5_boolean is_preauth, hdb_entry_ex *princ,
krb5_enctype *etypes, unsigned len,
- Key **ret_key)
+ krb5_enctype *ret_enctype, Key **ret_key)
{
- int i;
- krb5_error_code ret = KRB5KDC_ERR_ETYPE_NOSUPP;
+ krb5_error_code ret;
krb5_salt def_salt;
+ krb5_enctype enctype = ETYPE_NULL;
+ Key *key;
+ int i;
- krb5_get_pw_salt (context, princ->entry.principal, &def_salt);
+ /* We'll want to avoid keys with v4 salted keys in the pre-auth case... */
+ ret = krb5_get_pw_salt(context, princ->entry.principal, &def_salt);
+ if (ret)
+ return ret;
- for(i = 0; ret != 0 && i < len ; i++) {
- Key *key = NULL;
+ ret = KRB5KDC_ERR_ETYPE_NOSUPP;
- if (krb5_enctype_valid(context, etypes[i]) != 0 &&
- !_kdc_is_weak_exception(princ->entry.principal, etypes[i]))
- continue;
+ if (use_strongest_session_key) {
+ const krb5_enctype *p;
+ krb5_enctype clientbest = ETYPE_NULL;
+ int j;
- while (hdb_next_enctype2key(context, &princ->entry, etypes[i], &key) == 0) {
- if (key->key.keyvalue.length == 0) {
- ret = KRB5KDC_ERR_NULL_KEY;
+ /*
+ * Pick the strongest key that the KDC, target service, and
+ * client all support, using the local cryptosystem enctype
+ * list in strongest-to-weakest order to drive the search.
+ *
+ * This is not what RFC4120 says to do, but it encourages
+ * adoption of stronger enctypes. This doesn't play well with
+ * clients that have multiple Kerberos client implementations
+ * available with different supported enctype lists.
+ */
+
+ /* drive the search with local supported enctypes list */
+ p = krb5_kerberos_enctypes(context);
+ for (i = 0; p[i] != ETYPE_NULL && enctype == ETYPE_NULL; i++) {
+ if (krb5_enctype_valid(context, p[i]) != 0)
continue;
+
+ /* check that the client supports it too */
+ for (j = 0; j < len && enctype == ETYPE_NULL; j++) {
+ if (p[i] != etypes[j])
+ continue;
+ /* save best of union of { client, crypto system } */
+ if (clientbest == ETYPE_NULL)
+ clientbest = p[i];
+ /* check target princ support */
+ ret = hdb_enctype2key(context, &princ->entry, p[i], &key);
+ if (ret)
+ continue;
+ if (is_preauth && !is_default_salt_p(&def_salt, key))
+ continue;
+ enctype = p[i];
}
- *ret_key = key;
- ret = 0;
- if (is_default_salt_p(&def_salt, key)) {
- krb5_free_salt (context, def_salt);
- return ret;
+ }
+ if (clientbest != ETYPE_NULL && enctype == ETYPE_NULL)
+ enctype = clientbest;
+ else if (enctype == ETYPE_NULL)
+ ret = KRB5KDC_ERR_ETYPE_NOSUPP;
+ if (ret == 0 && ret_enctype != NULL)
+ *ret_enctype = enctype;
+ if (ret == 0 && ret_key != NULL)
+ *ret_key = key;
+ } else {
+ /*
+ * Pick the first key from the client's enctype list that is
+ * supported by the cryptosystem and by the given principal.
+ *
+ * RFC4120 says we SHOULD pick the first _strong_ key from the
+ * client's list... not the first key... If the admin disallows
+ * weak enctypes in krb5.conf and selects this key selection
+ * algorithm, then we get exactly what RFC4120 says.
+ */
+ for(key = NULL, i = 0; ret != 0 && i < len; i++, key = NULL) {
+
+ if (krb5_enctype_valid(context, etypes[i]) != 0 &&
+ !_kdc_is_weak_exception(princ->entry.principal, etypes[i]))
+ continue;
+
+ while (hdb_next_enctype2key(context, &princ->entry, etypes[i], &key) == 0) {
+ if (key->key.keyvalue.length == 0) {
+ ret = KRB5KDC_ERR_NULL_KEY;
+ continue;
+ }
+ if (ret_key != NULL)
+ *ret_key = key;
+ if (ret_enctype != NULL)
+ *ret_enctype = etypes[i];
+ ret = 0;
+ if (is_preauth && is_default_salt_p(&def_salt, key))
+ goto out;
}
}
}
+
+out:
krb5_free_salt (context, def_salt);
return ret;
}
{
struct rk_strpool *p = NULL;
char *str;
- int i;
-
+ size_t i;
+
for (i = 0; i < padata->len; i++) {
switch(padata->val[i].padata_type) {
case KRB5_PADATA_PK_AS_REQ:
}
if (p == NULL)
p = rk_strpoolprintf(p, "none");
-
+
str = rk_strpoolcollect(p);
kdc_log(context, config, 0, "Client sent patypes: %s", str);
free(str);
{
unsigned char *buf;
size_t buf_size;
- size_t len;
+ size_t len = 0;
krb5_error_code ret;
krb5_crypto crypto;
krb5_error_code ret;
struct rk_strpool *p;
char *str;
- int i;
+ size_t i;
p = rk_strpoolprintf(NULL, "%s", "Client supported enctypes: ");
"Client (%s) has invalid bit set", client_name);
return KRB5KDC_ERR_POLICY;
}
-
+
if(!client->flags.client){
kdc_log(context, config, 0,
"Principal may not act as client -- %s", client_name);
return KRB5KDC_ERR_POLICY;
}
-
+
if (client->valid_start && *client->valid_start > kdc_time) {
char starttime_str[100];
krb5_format_time(context, *client->valid_start,
starttime_str, client_name);
return KRB5KDC_ERR_CLIENT_NOTYET;
}
-
+
if (client->valid_end && *client->valid_end < kdc_time) {
char endtime_str[100];
krb5_format_time(context, *client->valid_end,
endtime_str, client_name);
return KRB5KDC_ERR_NAME_EXP;
}
-
+
if (client->pw_end && *client->pw_end < kdc_time
&& (server_ex == NULL || !server_ex->entry.flags.change_pw)) {
char pwend_str[100];
krb5_address addr;
krb5_boolean result;
krb5_boolean only_netbios = TRUE;
- int i;
+ size_t i;
if(config->check_ticket_addresses == 0)
return TRUE;
goto out;
}
} else if (b->kdc_options.request_anonymous) {
- kdc_log(context, config, 0,
+ kdc_log(context, config, 0,
"Request for a anonymous ticket with non "
"anonymous client name: %s", client_name);
ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
memset(&ek, 0, sizeof(ek));
/*
- * Select a session enctype from the list of the crypto systems
- * supported enctype, is supported by the client and is one of the
- * enctype of the enctype of the krbtgt.
+ * Select a session enctype from the list of the crypto system
+ * supported enctypes that is supported by the client and is one of
+ * the enctype of the enctype of the service (likely krbtgt).
*
- * The later is used as a hint what enctype all KDC are supporting
- * to make sure a newer version of KDC wont generate a session
- * enctype that and older version of a KDC in the same realm can't
+ * The latter is used as a hint of what enctypes all KDC support,
+ * to make sure a newer version of KDC won't generate a session
+ * enctype that an older version of a KDC in the same realm can't
* decrypt.
- *
- * But if the KDC admin is paranoid and doesn't want to have "no
+ */
+ ret = _kdc_find_etype(context, config->as_use_strongest_session_key, FALSE,
+ client, b->etype.val, b->etype.len, &sessionetype,
+ NULL);
+ if (ret) {
+ kdc_log(context, config, 0,
+ "Client (%s) from %s has no common enctypes with KDC "
+ "to use for the session key",
+ client_name, from);
+ goto out;
+ }
+ /*
+ * But if the KDC admin is paranoid and doesn't want to have "not
* the best" enctypes on the krbtgt, lets save the best pick from
* the client list and hope that that will work for any other
* KDCs.
*/
- {
- const krb5_enctype *p;
- krb5_enctype clientbest = ETYPE_NULL;
- int i, j;
-
- p = krb5_kerberos_enctypes(context);
-
- sessionetype = ETYPE_NULL;
-
- for (i = 0; p[i] != ETYPE_NULL && sessionetype == ETYPE_NULL; i++) {
- if (krb5_enctype_valid(context, p[i]) != 0)
- continue;
-
- for (j = 0; j < b->etype.len && sessionetype == ETYPE_NULL; j++) {
- Key *dummy;
- /* check with client */
- if (p[i] != b->etype.val[j])
- continue;
- /* save best of union of { client, crypto system } */
- if (clientbest == ETYPE_NULL)
- clientbest = p[i];
- /* check with krbtgt */
- ret = hdb_enctype2key(context, &server->entry, p[i], &dummy);
- if (ret)
- continue;
- sessionetype = p[i];
- }
- }
- /* if krbtgt had no shared keys with client, pick clients best */
- if (clientbest != ETYPE_NULL && sessionetype == ETYPE_NULL) {
- sessionetype = clientbest;
- } else if (sessionetype == ETYPE_NULL) {
- kdc_log(context, config, 0,
- "Client (%s) from %s has no common enctypes with KDC"
- "to use for the session key",
- client_name, from);
- goto out;
- }
- }
/*
* Pre-auth processing
ret = _kdc_pk_check_client(context,
config,
- clientdb,
+ clientdb,
client,
pkp,
&client_cert);
e_text = "PKINIT certificate not allowed to "
"impersonate principal";
_kdc_pk_free_client_param(context, pkp);
-
+
kdc_log(context, config, 0, "%s", e_text);
pkp = NULL;
goto out;
EncryptedData enc_data;
Key *pa_key;
char *str;
-
+
found_pa = 1;
-
+
if (b->kdc_options.request_anonymous) {
ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
kdc_log(context, config, 0, "ENC-TS doesn't support anon");
client_name);
goto out;
}
-
+
ret = hdb_enctype2key(context, &client->entry,
enc_data.etype, &pa_key);
if(ret){
free_PA_ENC_TS_ENC(&p);
if (abs(kdc_time - p.patimestamp) > context->max_skew) {
char client_time[100];
-
+
krb5_format_time(context, p.patimestamp,
client_time, sizeof(client_time), TRUE);
/*
* If there is a client key, send ETYPE_INFO{,2}
*/
- ret = _kdc_find_etype(context, client, b->etype.val, b->etype.len,
- &ckey);
+ ret = _kdc_find_etype(context,
+ config->preauth_use_strongest_session_key, TRUE,
+ client, b->etype.val, b->etype.len, NULL, &ckey);
if (ret == 0) {
/*
goto out;
}
}
-
+
ASN1_MALLOC_ENCODE(METHOD_DATA, buf, len, &method_data, &len, ret);
free_METHOD_DATA(&method_data);
}
if (clientdb->hdb_auth_status)
- (clientdb->hdb_auth_status)(context, clientdb, client,
+ (clientdb->hdb_auth_status)(context, clientdb, client,
HDB_AUTH_SUCCESS);
/*
{
time_t start;
time_t t;
-
+
start = et.authtime = kdc_time;
if(f.postdated && req->req_body.from){
PA_ClientCanonicalized canon;
krb5_data data;
PA_DATA pa;
- krb5_crypto crypto;
- size_t len;
+ krb5_crypto cryptox;
+ size_t len = 0;
memset(&canon, 0, sizeof(canon));
krb5_abortx(context, "internal asn.1 error");
/* sign using "returned session key" */
- ret = krb5_crypto_init(context, &et.key, 0, &crypto);
+ ret = krb5_crypto_init(context, &et.key, 0, &cryptox);
if (ret) {
free(data.data);
goto out;
}
- ret = krb5_create_checksum(context, crypto,
+ ret = krb5_create_checksum(context, cryptox,
KRB5_KU_CANONICALIZED_NAMES, 0,
data.data, data.length,
&canon.canon_checksum);
free(data.data);
- krb5_crypto_destroy(context, crypto);
+ krb5_crypto_destroy(context, cryptox);
if (ret)
goto out;
-
+
ASN1_MALLOC_ENCODE(PA_ClientCanonicalized, data.data, data.length,
&canon, &len, ret);
free_Checksum(&canon.canon_checksum);
const krb5_data *data)
{
krb5_error_code ret;
- size_t size;
+ size_t size = 0;
if (tkt->authorization_data == NULL) {
tkt->authorization_data = calloc(1, sizeof(*tkt->authorization_data));
return ENOMEM;
}
}
-
+
/* add the entry to the last element */
{
AuthorizationData ad = { 0, NULL };
}
if (ade.ad_data.length != size)
krb5_abortx(context, "internal asn.1 encoder error");
-
+
ret = add_AuthorizationData(tkt->authorization_data, &ade);
der_free_octet_string(&ade.ad_data);
if (ret) {
AuthorizationData child;
krb5_error_code ret;
int pos;
-
+
if (ad == NULL || ad->len == 0)
return KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
KRB5SignedPath sp;
krb5_data data;
krb5_crypto crypto = NULL;
- size_t size;
+ size_t size = 0;
if (server && principals) {
ret = add_Principals(principals, server);
{
KRB5SignedPathData spd;
-
+
spd.client = client;
spd.authtime = tkt->authtime;
spd.delegated = principals;
spd.method_data = NULL;
-
+
ASN1_MALLOC_ENCODE(KRB5SignedPathData, data.data, data.length,
&spd, &size, ret);
if (ret)
if (ret == 0) {
KRB5SignedPathData spd;
KRB5SignedPath sp;
- size_t size;
+ size_t size = 0;
ret = decode_KRB5SignedPath(data.data, data.length, &sp, NULL);
krb5_data_free(&data);
server_sign_key, krbtgt_sign_key, rspac);
}
krb5_pac_free(context, pac);
-
+
return ret;
}
}
KDC_REQ_BODY *b, const EncTicketPart *tgt, EncTicketPart *et)
{
KDCOptions f = b->kdc_options;
-
+
if(f.validate){
if(!tgt->flags.invalid || tgt->starttime == NULL){
kdc_log(context, config, 0,
}
if(tgt->flags.forwarded)
et->flags.forwarded = 1;
-
+
if(f.proxiable){
if(!tgt->flags.proxiable){
kdc_log(context, config, 0,
et->endtime = *et->starttime + old_life;
if (et->renew_till != NULL)
et->endtime = min(*et->renew_till, et->endtime);
- }
+ }
#if 0
/* checks for excess flags */
{
const HDB_Ext_Constrained_delegation_acl *acl;
krb5_error_code ret;
- int i;
+ size_t i;
/*
* constrained_delegation (S4U2Proxy) only works within
krb5_clear_error_message(context);
return ret;
}
-
+
if (acl) {
for (i = 0; i < acl->len; i++) {
if (krb5_principal_compare(context, target, &acl->val[i]) == TRUE)
krb5_error_code ret = 0;
char **realms, **tmp;
unsigned int num_realms;
- int i;
+ size_t i;
switch (tr->tr_type) {
case DOMAIN_X500_COMPRESS:
renew = min(renew, *server->entry.max_renew);
*et.renew_till = et.authtime + renew;
}
-
+
if(et.renew_till){
*et.renew_till = min(*et.renew_till, *tgt->renew_till);
*et.starttime = min(*et.starttime, *et.renew_till);
if (ret)
goto out;
}
-
+
if (auth_data) {
unsigned int i = 0;
goto out;
et.crealm = tgt_name->realm;
et.cname = tgt_name->name;
-
+
ek.key = et.key;
/* MIT must have at least one last_req */
ek.last_req.len = 1;
krb5_keyblock *key)
{
krb5_authenticator auth;
- size_t len;
+ size_t len = 0;
unsigned char *buf;
size_t buf_size;
krb5_error_code ret;
ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
goto out;
}
-
+
/* XXX should not re-encode this */
ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, b, &len, ret);
if(ret){
NULL);
return new_realm;
}
-
+
static krb5_boolean
need_referral(krb5_context context, krb5_kdc_configuration *config,
krb5_keyblock **replykey,
int *rk_is_subkey)
{
+ static char failed[] = "<unparse_name failed>";
krb5_ap_req ap_req;
krb5_error_code ret;
krb5_principal princ;
char *p;
ret = krb5_unparse_name(context, princ, &p);
if (ret != 0)
- p = "<unparse_name failed>";
+ p = failed;
krb5_free_principal(context, princ);
kdc_log(context, config, 5, "Ticket-granting ticket account %s does not have secrets at this KDC, need to proxy", p);
if (ret == 0)
char *p;
ret = krb5_unparse_name(context, princ, &p);
if (ret != 0)
- p = "<unparse_name failed>";
+ p = failed;
krb5_free_principal(context, princ);
kdc_log(context, config, 0,
"Ticket-granting ticket not found in database: %s", msg);
}
if(ap_req.ticket.enc_part.kvno &&
- *ap_req.ticket.enc_part.kvno != (*krbtgt)->entry.kvno){
+ (unsigned int)*ap_req.ticket.enc_part.kvno != (*krbtgt)->entry.kvno){
char *p;
ret = krb5_unparse_name (context, princ, &p);
krb5_free_principal(context, princ);
if (ret != 0)
- p = "<unparse_name failed>";
+ p = failed;
kdc_log(context, config, 0,
"Ticket kvno = %d, DB kvno = %d (%s)",
*ap_req.ticket.enc_part.kvno,
&ap_req_options,
ticket,
KRB5_KU_TGS_REQ_AUTH);
-
+
krb5_free_principal(context, princ);
if(ret) {
const char *msg = krb5_get_error_message(context, ret);
const PrincipalName *true_principal_name,
const PrincipalName *requested_principal,
krb5_data *outdata)
-{
+{
PA_ServerReferralData ref;
krb5_error_code ret;
EncryptedData ed;
krb5_data data;
- size_t size;
+ size_t size = 0;
memset(&ref, 0, sizeof(ref));
hdb_entry_ex *uu;
krb5_principal p;
Key *uukey;
-
+
if(b->additional_tickets == NULL ||
b->additional_tickets->len == 0){
ret = KRB5KDC_ERR_BADOPTION; /* ? */
}
_krb5_principalname2krb5_principal(context, &sp, *s, r);
- ret = krb5_unparse_name(context, sp, &spn);
+ ret = krb5_unparse_name(context, sp, &spn);
if (ret)
goto out;
_krb5_principalname2krb5_principal(context, &cp, tgt->cname, tgt->crealm);
free(spn);
krb5_make_principal(context, &sp, r,
KRB5_TGS_NAME, new_rlm, NULL);
- ret = krb5_unparse_name(context, sp, &spn);
+ ret = krb5_unparse_name(context, sp, &spn);
if (ret)
goto out;
krb5_enctype etype;
if(b->kdc_options.enc_tkt_in_skey) {
- int i;
+ size_t i;
ekey = &adtkt.key;
for(i = 0; i < b->etype.len; i++)
if (b->etype.val[i] == adtkt.key.keytype)
kvno = 0;
} else {
Key *skey;
-
- ret = _kdc_find_etype(context, server,
- b->etype.val, b->etype.len, &skey);
+
+ ret = _kdc_find_etype(context,
+ config->tgs_use_strongest_session_key, FALSE,
+ server, b->etype.val, b->etype.len, NULL,
+ &skey);
if(ret) {
kdc_log(context, config, 0,
"Server (%s) has no support for etypes", spn);
etype = skey->key.keytype;
kvno = server->entry.kvno;
}
-
+
ret = krb5_generate_random_keyblock(context, etype, &sessionkey);
if (ret)
goto out;
/* Now refetch the primary krbtgt, and get the current kvno (the
* sign check may have been on an old kvno, and the server may
* have been an incoming trust) */
- ret = krb5_make_principal(context, &krbtgt_principal,
+ ret = krb5_make_principal(context, &krbtgt_principal,
krb5_principal_get_comp_string(context,
krbtgt->entry.principal,
1),
- KRB5_TGS_NAME,
+ KRB5_TGS_NAME,
krb5_principal_get_comp_string(context,
krbtgt->entry.principal,
1), NULL);
goto out;
}
- ret = check_constrained_delegation(context, config, clientdb,
+ ret = check_constrained_delegation(context, config, clientdb,
client, server, sp);
if (ret) {
kdc_log(context, config, 0,
}
krb5_data_free(&rspac);
+
/*
- * generate the PAC for the user and pass
- * dp for the S4U_DELEGATION_INFO blob in the PAC.
+ * generate the PAC for the user.
+ *
+ * TODO: pass in t->sname and t->realm and build
+ * a S4U_DELEGATION_INFO blob to the PAC.
*/
ret = check_PAC(context, config, tp, dp,
client, server, krbtgt,
&clientkey->key, &tkey_check->key,
ekey, &tkey_sign->key,
&adtkt, &rspac, &ad_signedpath);
- if (ret == 0 && !ad_signedpath)
- ret = KRB5KDC_ERR_BADOPTION;
if (ret) {
const char *msg = krb5_get_error_message(context, ret);
kdc_log(context, config, 0,
ret = check_KRB5SignedPath(context,
config,
krbtgt,
- tp,
+ cp,
&adtkt,
NULL,
&ad_signedpath);
- if (ret == 0 && !ad_signedpath)
- ret = KRB5KDC_ERR_BADOPTION;
if (ret) {
const char *msg = krb5_get_error_message(context, ret);
kdc_log(context, config, 0,
goto out;
}
+ if (!ad_signedpath) {
+ ret = KRB5KDC_ERR_BADOPTION;
+ kdc_log(context, config, 0,
+ "Ticket not signed with PAC nor SignedPath service %s failed "
+ "for delegation to %s for client %s (%s)"
+ "from %s",
+ spn, tpn, dpn, cpn, from);
+ goto out;
+ }
+
kdc_log(context, config, 0, "constrained delegation for %s "
"from %s (%s) to %s", tpn, cpn, dpn, spn);
}
kdc_log(context, config, 0, "Request from wrong address");
goto out;
}
-
+
/*
* If this is an referral, add server referral data to the
* auth_data reply .
&enc_pa_data,
e_text,
reply);
-
+
out:
if (tpn != cpn)
free(tpn);
if(tgs_req == NULL){
ret = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
-
+
kdc_log(context, config, 0,
"TGS-REQ from %s without PA-TGS-REQ", from);
goto out;
hx509_cert_free(cert);
if (ret)
goto out;
-
+
return 0;
out:
if (env)
krb5_xfree(expected);
goto out;
}
-
+
ret = KRB5KDC_ERR_SERVER_NOMATCH;
krb5_set_error_message(context, ret,
"User %s used wrong Kx509 service "
krb5_addlog_dest(context, config->logf, *p);
krb5_config_free_strings(s);
}else {
- char *s;
- asprintf(&s, "0-1/FILE:%s/%s", hdb_db_dir(context), KDC_LOG_FILE);
- krb5_addlog_dest(context, config->logf, s);
- free(s);
+ char *ss;
+ if (asprintf(&ss, "0-1/FILE:%s/%s", hdb_db_dir(context),
+ KDC_LOG_FILE) < 0)
+ err(1, NULL);
+ krb5_addlog_dest(context, config->logf, ss);
+ free(ss);
}
krb5_set_warn_dest(context, config->logf);
}
for(i = 0; i < config->num_db; i++) {
krb5_principal enterprise_principal = NULL;
- if (!(config->db[i]->hdb_capability_flags & HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL)
+ if (!(config->db[i]->hdb_capability_flags & HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL)
&& principal->name.name_type == KRB5_NT_ENTERPRISE_PRINCIPAL) {
if (principal->name.name_string.len != 1) {
ret = KRB5_PARSE_MALFORMED;
krb5_enctype *enctype,
Key **key)
{
- const krb5_enctype *p;
krb5_error_code ret;
int i;
- p = krb5_kerberos_enctypes(context);
-
- for (i = 0; p[i] != ETYPE_NULL; i++) {
- if (krb5_enctype_valid(context, p[i]) != 0)
- continue;
- ret = hdb_enctype2key(context, &h->entry, p[i], key);
- if (ret == 0) {
- *enctype = p[i];
+ if (config->use_strongest_server_key) {
+ const krb5_enctype *p = krb5_kerberos_enctypes(context);
+
+ for (i = 0; p[i] != ETYPE_NULL; i++) {
+ if (krb5_enctype_valid(context, p[i]) != 0)
+ continue;
+ ret = hdb_enctype2key(context, &h->entry, p[i], key);
+ if (ret != 0)
+ continue;
+ if (enctype != NULL)
+ *enctype = p[i];
+ return 0;
+ }
+ } else {
+ *key = NULL;
+
+ for (i = 0; i < h->entry.keys.len; i++) {
+ if (krb5_enctype_valid(context, h->entry.keys.val[i].key.keytype)
+ != 0)
+ continue;
+ ret = hdb_enctype2key(context, &h->entry,
+ h->entry.keys.val[i].key.keytype, key);
+ if (ret != 0)
+ continue;
+ if (enctype != NULL)
+ *enctype = (*key)->key.keytype;
return 0;
}
}
krb5_set_error_message(context, EINVAL,
"No valid kerberos key found for %s", name);
- return EINVAL;
+ return EINVAL; /* XXX */
}
u_char *buf = NULL;
size_t buf_size;
krb5_error_code ret;
- size_t len;
+ size_t len = 0;
krb5_timestamp now;
Checksum checksum;
krb5_clear_error_message(context);
return ret;
}
-
+
if (a->paChecksum == NULL) {
krb5_clear_error_message(context);
ret = KRB5_KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED;
if (!DH_generate_key(client_params->u.dh.key)) {
ret = KRB5KRB_ERR_GENERIC;
- krb5_set_error_message(context, ret,
+ krb5_set_error_message(context, ret,
"Can't generate Diffie-Hellman keys");
goto out;
}
}
dh_gen_keylen = DH_compute_key(dh_gen_key,client_params->u.dh.public_key, client_params->u.dh.key);
- if (dh_gen_keylen == -1) {
+ if (dh_gen_keylen == (size_t)-1) {
ret = KRB5KRB_ERR_GENERIC;
krb5_set_error_message(context, ret,
"Can't compute Diffie-Hellman key");
goto out;
}
- dh_gen_keylen = ECDH_compute_key(dh_gen_key, size,
+ dh_gen_keylen = ECDH_compute_key(dh_gen_key, size,
EC_KEY_get0_public_key(client_params->u.ecdh.public_key),
client_params->u.ecdh.key, NULL);
#endif /* HAVE_OPENSSL */
} else {
ret = KRB5KRB_ERR_GENERIC;
- krb5_set_error_message(context, ret,
+ krb5_set_error_message(context, ret,
"Diffie-Hellman not selected keys");
goto out;
}
goto out;
}
- ret = hx509_certs_merge(context->hx509ctx, trust_anchors,
+ ret = hx509_certs_merge(context->hx509ctx, trust_anchors,
kdc_identity->anchors);
if (ret) {
hx509_certs_free(&trust_anchors);
if (ret == 0 && pc != NULL) {
hx509_cert cert;
unsigned int i;
-
+
for (i = 0; i < pc->len; i++) {
ret = hx509_cert_init_data(context->hx509ctx,
pc->val[i].cert.data,
if (req->req_body.kdc_options.request_anonymous) {
ret = KRB5_KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED;
- krb5_set_error_message(context, ret,
+ krb5_set_error_message(context, ret,
"Anon not supported in RSA mode");
goto out;
}
"PK-AS-REQ-Win2k: %d", ret);
goto out;
}
-
+
ret = hx509_cms_unwrap_ContentInfo(&r.signed_auth_pack,
&contentInfoOid,
&signed_content,
"Can't decode PK-AS-REQ: %d", ret);
goto out;
}
-
+
/* XXX look at r.kdcPkId */
if (r.trustedCertifiers) {
ExternalPrincipalIdentifiers *edi = r.trustedCertifiers;
&cp->client_anchors);
if (ret) {
krb5_set_error_message(context, ret,
- "Can't allocate client anchors: %d",
+ "Can't allocate client anchors: %d",
ret);
goto out;
}
- /*
+ /*
* If the client sent more then 10 EDI, don't bother
* looking more then 10 of performance reasons.
*/
"Failed to allocate hx509_query");
goto out;
}
-
+
ret = decode_IssuerAndSerialNumber(edi->val[i].issuerAndSerialNumber->data,
edi->val[i].issuerAndSerialNumber->length,
&iasn,
"PK-AS-REQ-Win2k invalid content type oid");
goto out;
}
-
+
if (!have_data) {
ret = KRB5KRB_ERR_GENERIC;
krb5_set_error_message(context, ret,
ap.clientPublicValue == NULL) {
free_AuthPack(&ap);
ret = KRB5_KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED;
- krb5_set_error_message(context, ret,
+ krb5_set_error_message(context, ret,
"Anon not supported in RSA mode");
goto out;
}
free_AuthPack(&ap);
goto out;
}
-
+
if (ap.supportedCMSTypes) {
ret = hx509_peer_info_set_cms_algs(context->hx509ctx,
cp->peer,
der_free_oid(&contentInfoOid);
if (ret) {
_kdc_pk_free_client_param(context, cp);
- } else
+ } else
*ret_params = cp;
return ret;
}
const heim_oid *envelopedAlg = NULL, *sdAlg = NULL, *evAlg = NULL;
krb5_error_code ret;
krb5_data buf, signed_data;
- size_t size;
+ size_t size = 0;
int do_win2k = 0;
krb5_data_zero(&buf);
break;
default:
krb5_abortx(context, "internal pkinit error");
- }
+ }
if (do_win2k) {
ReplyKeyPack_Win2k kp;
goto out;
}
kp.nonce = cp->nonce;
-
+
ASN1_MALLOC_ENCODE(ReplyKeyPack_Win2k,
buf.data, buf.length,
&kp, &size,ret);
krb5_clear_error_message(context);
goto out;
}
-
+
ret = krb5_crypto_destroy(context, ascrypto);
if (ret) {
krb5_clear_error_message(context);
{
hx509_query *q;
hx509_cert cert;
-
+
ret = hx509_query_alloc(context->hx509ctx, &q);
if (ret)
goto out;
-
+
hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
if (config->pkinit_kdc_friendly_name)
hx509_query_match_friendly_name(q, config->pkinit_kdc_friendly_name);
-
+
ret = hx509_certs_find(context->hx509ctx,
kdc_identity->certs,
q,
hx509_query_free(context->hx509ctx, q);
if (ret)
goto out;
-
+
ret = hx509_cms_create_signed_1(context->hx509ctx,
0,
sdAlg,
hx509_cert_free(*kdc_cert);
*kdc_cert = NULL;
}
-
+
krb5_data_free(&buf);
krb5_data_free(&signed_data);
return ret;
krb5_error_code ret;
hx509_cert cert;
hx509_query *q;
- size_t size;
+ size_t size = 0;
memset(&contentinfo, 0, sizeof(contentinfo));
memset(&dh_info, 0, sizeof(dh_info));
ret = BN_to_integer(context, kdc_dh->pub_key, &i);
if (ret)
return ret;
-
+
ASN1_MALLOC_ENCODE(DHPublicKey, buf.data, buf.length, &i, &size, ret);
der_free_heim_integer(&i);
if (ret) {
}
if (buf.length != size)
krb5_abortx(context, "Internal ASN.1 encoder error");
-
+
dh_info.subjectPublicKey.length = buf.length * 8;
dh_info.subjectPublicKey.data = buf.data;
krb5_data_zero(&buf);
} else
krb5_abortx(context, "no keyex selected ?");
-
+
dh_info.nonce = cp->nonce;
ASN1_MALLOC_ENCODE(KDCDHKeyInfo, buf.data, buf.length, &dh_info, &size,
ret = hx509_query_alloc(context->hx509ctx, &q);
if (ret)
goto out;
-
+
hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
if (config->pkinit_kdc_friendly_name)
hx509_query_match_friendly_name(q, config->pkinit_kdc_friendly_name);
-
+
ret = hx509_certs_find(context->hx509ctx,
kdc_identity->certs,
q,
hx509_query_free(context->hx509ctx, q);
if (ret)
goto out;
-
+
ret = hx509_cms_create_signed_1(context->hx509ctx,
0,
&asn1_oid_id_pkdhkeydata,
METHOD_DATA *md)
{
krb5_error_code ret;
- void *buf;
- size_t len, size;
+ void *buf = NULL;
+ size_t len = 0, size = 0;
krb5_enctype enctype;
int pa_type;
hx509_cert kdc_cert = NULL;
- int i;
+ size_t i;
if (!config->enable_pkinit) {
krb5_clear_error_message(context);
krb5_set_error_message(context, ret,
"No valid enctype available from client");
goto out;
- }
+ }
enctype = req->req_body.etype.val[i];
} else
enctype = ETYPE_DES3_CBC_SHA1;
if (rep.u.encKeyPack.length != size)
krb5_abortx(context, "Internal ASN.1 encoder error");
- ret = krb5_generate_random_keyblock(context, sessionetype,
+ ret = krb5_generate_random_keyblock(context, sessionetype,
sessionkey);
if (ret) {
free_PA_PK_AS_REP(&rep);
krb5_abortx(context, "Internal ASN.1 encoder error");
/* XXX KRB-FX-CF2 */
- ret = krb5_generate_random_keyblock(context, sessionetype,
+ ret = krb5_generate_random_keyblock(context, sessionetype,
sessionkey);
if (ret) {
free_PA_PK_AS_REP(&rep);
if (len != size)
krb5_abortx(context, "Internal ASN.1 encoder error");
- ret = krb5_generate_random_keyblock(context, sessionetype,
+ ret = krb5_generate_random_keyblock(context, sessionetype,
sessionkey);
if (ret) {
free(buf);
"PK-INIT failed to stat ocsp data %d", ret);
goto out_ocsp;
}
-
+
ret = krb5_data_alloc(&ocsp.data, sb.st_size);
if (ret) {
close(fd);
krb5_const_principal match)
{
hx509_octet_string_list list;
- int ret, i, found = 0;
+ int ret, found = 0;
+ size_t i;
memset(&list, 0 , sizeof(list));
if (clientdb->hdb_check_pkinit_ms_upn_match) {
ret = clientdb->hdb_check_pkinit_ms_upn_match(context, clientdb, client, principal);
} else {
-
+
/*
* This is very wrong, but will do for a fallback
*/
strupr(principal->realm);
-
+
if (krb5_principal_compare(context, principal, client->entry.principal) == FALSE)
ret = KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
}
const HDB_Ext_PKINIT_cert *pc;
krb5_error_code ret;
hx509_name name;
- int i;
+ size_t i;
if (cp->cert == NULL) {
ret = hdb_entry_get_pkinit_cert(&client->entry, &pc);
if (ret == 0 && pc) {
hx509_cert cert;
- unsigned int i;
-
- for (i = 0; i < pc->len; i++) {
+ size_t j;
+
+ for (j = 0; j < pc->len; j++) {
ret = hx509_cert_init_data(context->hx509ctx,
- pc->val[i].cert.data,
- pc->val[i].cert.length,
+ pc->val[j].cert.data,
+ pc->val[j].cert.length,
&cert);
if (ret)
continue;
ret = match_ms_upn_san(context, config,
context->hx509ctx,
cp->cert,
- clientdb,
+ clientdb,
client);
if (ret == 0) {
kdc_log(context, config, 5,
AD_INITIAL_VERIFIED_CAS cas;
krb5_error_code ret;
krb5_data data;
- size_t size;
+ size_t size = 0;
memset(&cas, 0, sizeof(cas));
fclose(f);
}
-
+
/*
*
*/
{
hx509_query *q;
hx509_cert cert;
-
+
ret = hx509_query_alloc(context->hx509ctx, &q);
if (ret) {
krb5_warnx(context, "PKINIT: out of memory");
return ENOMEM;
}
-
+
hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
if (config->pkinit_kdc_friendly_name)
hx509_query_match_friendly_name(q, config->pkinit_kdc_friendly_name);
-
+
ret = hx509_certs_find(context->hx509ctx,
kdc_identity->certs,
q,
_kdc_now = *tv;
}
-static krb5_error_code
+static krb5_error_code
kdc_as_req(krb5_context context,
krb5_kdc_configuration *config,
krb5_data *req_buffer,
}
-static krb5_error_code
+static krb5_error_code
kdc_tgs_req(krb5_context context,
krb5_kdc_configuration *config,
krb5_data *req_buffer,
ret = decode_TGS_REQ(req_buffer->data, req_buffer->length, &req, &len);
if (ret)
return ret;
-
+
*claim = 1;
- ret = _kdc_tgs_rep(context, config, &req, reply,
+ ret = _kdc_tgs_rep(context, config, &req, reply,
from, addr, datagram_reply);
free_TGS_REQ(&req);
return ret;
#ifdef DIGEST
-static krb5_error_code
+static krb5_error_code
kdc_digest(krb5_context context,
krb5_kdc_configuration *config,
krb5_data *req_buffer,
#ifdef KX509
-static krb5_error_code
+static krb5_error_code
kdc_kx509(krb5_context context,
krb5_kdc_configuration *config,
krb5_data *req_buffer,
unsigned int i;
krb5_data req_buffer;
int claim = 0;
-
+
req_buffer.data = buf;
req_buffer.length = len;
unsigned int i;
krb5_data req_buffer;
int claim = 0;
-
+
req_buffer.data = buf;
req_buffer.length = len;
if (claim)
return ret;
}
-
+
return -1;
}
windcft = _krb5_plugin_get_symbol(e);
if (windcft->minor_version < KRB5_WINDC_PLUGIN_MINOR)
continue;
-
+
(*windcft->init)(context, &windcctx);
break;
}
server_ex, server_name,
req->msg_type == krb_as_req);
- return (windcft->client_access)(windcctx,
- context, config,
- client_ex, client_name,
- server_ex, server_name,
+ return (windcft->client_access)(windcctx,
+ context, config,
+ client_ex, client_name,
+ server_ex, server_name,
req, e_data);
}
typedef krb5_error_code
(*krb5plugin_windc_client_access)(
- void *, krb5_context,
+ void *, krb5_context,
krb5_kdc_configuration *config,
- hdb_entry_ex *, const char *,
- hdb_entry_ex *, const char *,
+ hdb_entry_ex *, const char *,
+ hdb_entry_ex *, const char *,
KDC_REQ *, krb5_data *);
static char *cred_cache_str;
static struct getargs args[] = {
- { "admin-principal", 0, arg_string, &admin_principal_str },
- { "cache", 'c', arg_string, &cred_cache_str },
- { "version", 0, arg_flag, &version_flag },
- { "help", 0, arg_flag, &help_flag }
+ { "admin-principal", 0, arg_string, &admin_principal_str, NULL,
+ NULL },
+ { "cache", 'c', arg_string, &cred_cache_str, NULL, NULL },
+ { "version", 0, arg_flag, &version_flag, NULL, NULL },
+ { "help", 0, arg_flag, &help_flag, NULL, NULL }
};
static void
default:
krb5_err(context, 1, ret, "krb5_get_init_creds");
}
-
+
krb5_get_init_creds_opt_free(context, opt);
-
+
ret = krb5_cc_initialize(context, id, admin_principal);
krb5_free_principal(context, admin_principal);
if (ret)
ret = krb5_cc_store_cred(context, id, &cred);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_store_cred");
-
+
krb5_free_cred_contents (context, &cred);
}
* 9:
*/
{ "afslog", 0 , arg_flag, &do_afslog,
- NP_("obtain afs tokens", "") },
+ NP_("obtain afs tokens", ""), NULL },
{ "cache", 'c', arg_string, &cred_cache,
NP_("credentials cache", ""), "cachename" },
{ "forwardable", 0, arg_negative_flag, &forwardable_flag,
- NP_("get tickets not forwardable", "")},
+ NP_("get tickets not forwardable", ""), NULL },
{ NULL, 'f', arg_flag, &forwardable_flag,
- NP_("get forwardable tickets", "")},
+ NP_("get forwardable tickets", ""), NULL },
{ "keytab", 't', arg_string, &keytab_str,
NP_("keytab to use", ""), "keytabname" },
{ "lifetime", 'l', arg_string, &lifetime,
- NP_("lifetime of tickets", ""), "time"},
+ NP_("lifetime of tickets", ""), "time" },
{ "proxiable", 'p', arg_flag, &proxiable_flag,
- NP_("get proxiable tickets", "") },
+ NP_("get proxiable tickets", ""), NULL },
{ "renew", 'R', arg_flag, &renew_flag,
- NP_("renew TGT", "") },
+ NP_("renew TGT", ""), NULL },
{ "renewable", 0, arg_flag, &renewable_flag,
- NP_("get renewable tickets", "") },
+ NP_("get renewable tickets", ""), NULL },
{ "renewable-life", 'r', arg_string, &renew_life,
NP_("renewable lifetime of tickets", ""), "time" },
NP_("when ticket gets valid", ""), "time" },
{ "use-keytab", 'k', arg_flag, &use_keytab,
- NP_("get key from keytab", "") },
+ NP_("get key from keytab", ""), NULL },
{ "validate", 'v', arg_flag, &validate_flag,
- NP_("validate TGT", "") },
+ NP_("validate TGT", ""), NULL },
{ "enctypes", 'e', arg_strings, &etype_str,
NP_("encryption types to use", ""), "enctypes" },
{ "fcache-version", 0, arg_integer, &fcache_version,
- NP_("file cache version to create", "") },
+ NP_("file cache version to create", ""), NULL },
{ "addresses", 'A', arg_negative_flag, &addrs_flag,
- NP_("request a ticket with no addresses", "") },
+ NP_("request a ticket with no addresses", ""), NULL },
{ "extra-addresses",'a', arg_strings, &extra_addresses,
NP_("include these extra addresses", ""), "addresses" },
{ "anonymous", 0, arg_flag, &anonymous_flag,
- NP_("request an anonymous ticket", "") },
+ NP_("request an anonymous ticket", ""), NULL },
{ "request-pac", 0, arg_flag, &pac_flag,
- NP_("request a Windows PAC", "") },
+ NP_("request a Windows PAC", ""), NULL },
{ "password-file", 0, arg_string, &password_file,
- NP_("read the password from a file", "") },
+ NP_("read the password from a file", ""), NULL },
{ "canonicalize",0, arg_flag, &canonicalize_flag,
- NP_("canonicalize client principal", "") },
+ NP_("canonicalize client principal", ""), NULL },
{ "enterprise",0, arg_flag, &enterprise_flag,
- NP_("parse principal as a KRB5-NT-ENTERPRISE name", "") },
+ NP_("parse principal as a KRB5-NT-ENTERPRISE name", ""), NULL },
#ifdef PKINIT
{ "pk-enterprise", 0, arg_flag, &pk_enterprise_flag,
- NP_("use enterprise name from certificate", "") },
+ NP_("use enterprise name from certificate", ""), NULL },
{ "pk-user", 'C', arg_string, &pk_user_id,
NP_("principal's public/private/certificate identifier", ""), "id" },
NP_("directory with CA certificates", ""), "directory" },
{ "pk-use-enckey", 0, arg_flag, &pk_use_enckey,
- NP_("Use RSA encrypted reply (instead of DH)", "") },
+ NP_("Use RSA encrypted reply (instead of DH)", ""), NULL },
#endif
#ifndef NO_NTLM
{ "ntlm-domain", 0, arg_string, &ntlm_domain,
#endif
{ "change-default", 0, arg_negative_flag, &switch_cache_flags,
- NP_("switch the default cache to the new credentials cache", "") },
+ NP_("switch the default cache to the new credentials cache", ""), NULL },
{ "ok-as-delegate", 0, arg_flag, &ok_as_delegate_flag,
- NP_("honor ok-as-delegate on tickets", "") },
+ NP_("honor ok-as-delegate on tickets", ""), NULL },
{ "use-referrals", 0, arg_flag, &use_referrals_flag,
- NP_("only use referrals, no dns canalisation", "") },
+ NP_("only use referrals, no dns canalisation", ""), NULL },
{ "windows", 0, arg_flag, &windows_flag,
- NP_("get windows behavior", "") },
+ NP_("get windows behavior", ""), NULL },
- { "version", 0, arg_flag, &version_flag },
- { "help", 0, arg_flag, &help_flag }
+ { "version", 0, arg_flag, &version_flag, NULL, NULL },
+ { "help", 0, arg_flag, &help_flag, NULL, NULL }
};
static void
char passwd[256];
krb5_deltat start_time = 0;
krb5_deltat renew = 0;
- char *renewstr = NULL;
+ const char *renewstr = NULL;
krb5_enctype *enctype = NULL;
krb5_ccache tempccache;
#ifndef NO_NTLM
renew = parse_time (renewstr, "s");
if (renew < 0)
errx (1, "unparsable time: %s", renewstr);
-
+
krb5_get_init_creds_opt_set_renew_life (opt, renew);
}
if (passwd[0] == '\0') {
char *p, *prompt;
-
+
krb5_unparse_name (context, principal, &p);
asprintf (&prompt, N_("%s's Password: ", ""), p);
free (p);
-
+
if (UI_UTIL_read_pw_string(passwd, sizeof(passwd)-1, prompt, 0)){
memset(passwd, 0, sizeof(passwd));
exit(1);
free (prompt);
}
-
+
ret = krb5_get_init_creds_password (context,
&cred,
principal,
char life[64];
unparse_time_approx(cred.times.renew_till - cred.times.starttime,
life, sizeof(life));
- krb5_warnx(context,
+ krb5_warnx(context,
N_("NOTICE: ticket renewable lifetime is %s", ""),
life);
}
} else if (anonymous_flag) {
ret = krb5_make_principal(context, &principal, argv[0],
- KRB5_WELLKNOWN_NAME, KRB5_ANON_NAME,
+ KRB5_WELLKNOWN_NAME, KRB5_ANON_NAME,
NULL);
if (ret)
krb5_err(context, 1, ret, "krb5_make_principal");
if (ret)
krb5_err (context, 1, ret, N_("resolving credentials cache", ""));
- /*
+ /*
* Check if the type support switching, and we do,
* then do that instead over overwriting the current
* default credential
krb5_warnx(context, N_("permission denied: %s", ""), argv[1]);
else if(ret == EX_NOTFOUND)
krb5_warnx(context, N_("command not found: %s", ""), argv[1]);
-
+
krb5_cc_destroy(context, ccache);
#ifndef NO_AFS
if(k_hasafs())
#define ASN1EXP
#define ASN1CALL
#endif
-
+
#endif
/* Line 1455 of yacc.c */
#line 368 "asn1parse.c"
- {
+ {
if((yyvsp[(2) - (5)].value)->type != integervalue)
lex_error_message("Non-integer in first part of range");
(yyval.range) = ecalloc(1, sizeof(*(yyval.range)));
/* Line 1455 of yacc.c */
#line 376 "asn1parse.c"
- {
+ {
if((yyvsp[(4) - (5)].value)->type != integervalue)
lex_error_message("Non-integer in second part of range");
(yyval.range) = ecalloc(1, sizeof(*(yyval.range)));
$$->max = $4->u.integervalue;
}
| '(' Value RANGE kw_MAX ')'
- {
+ {
if($2->type != integervalue)
lex_error_message("Non-integer in first part of range");
$$ = ecalloc(1, sizeof(*$$));
$$->max = $2->u.integervalue - 1;
}
| '(' kw_MIN RANGE Value ')'
- {
+ {
if($4->type != integervalue)
lex_error_message("Non-integer in second part of range");
$$ = ecalloc(1, sizeof(*$$));
}
int
-der_printable_string_cmp(const heim_printable_string *p,
+der_printable_string_cmp(const heim_printable_string *p,
const heim_printable_string *q)
{
return der_heim_octet_string_cmp(p, q);
}
int
-der_ia5_string_cmp(const heim_ia5_string *p,
+der_ia5_string_cmp(const heim_ia5_string *p,
const heim_ia5_string *q)
{
return der_heim_octet_string_cmp(p, q);
der_print_heim_oid (const heim_oid *oid, char delim, char **str)
{
struct rk_strpool *p = NULL;
- int i;
+ size_t i;
if (oid->length == 0)
return EINVAL;
* an strings in the NEED_PREAUTH case that includes a
* trailing NUL.
*/
- while (p1 - p < len && *p1 == '\0')
+ while ((size_t)(p1 - p) < len && *p1 == '\0')
p1++;
- if (p1 - p != len)
+ if ((size_t)(p1 - p) != len)
return ASN1_BAD_CHARACTER;
}
if (len > len + 1)
len_oid (const heim_oid *oid)
{
size_t ret = 1;
- int n;
+ size_t n;
for (n = 2; n < oid->length; ++n) {
unsigned u = oid->components[n];
if (s->data == NULL)
return ENOMEM;
s->length = len;
- _der_gmtime(t, &tm);
+ if (_der_gmtime(t, &tm) == NULL)
+ return ASN1_BAD_TIMEFORMAT;
if (gtimep)
snprintf (s->data, len + 1, "%04d%02d%02d%02d%02d%02dZ",
tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday,
if (len < length + len_len + l)
return ASN1_OVERFLOW;
}
-
+
data->data = malloc(length + len_len + l);
if (data->data == NULL)
return ENOMEM;
data->length = length + len_len + l;
memcpy(data->data, p, length + len_len + l);
-
+
if (size)
*size = length + len_len + l;
fprintf (headerfile, "struct %s {\n", newbasename);
ASN1_TAILQ_FOREACH(m, t->members, members) {
char *n = NULL;
-
+
/* pad unused */
while (pos < m->val) {
if (asprintf (&n, "_unused%d:1", pos) < 0 || n == NULL)
h = privheaderfile;
exp = "";
}
-
+
fprintf (h,
"%sint ASN1CALL "
"decode_%s(const unsigned char *, size_t, %s *, size_t *);\n",
"%svoid ASN1CALL free_%s (%s *);\n",
exp,
s->gen_name, s->gen_name);
-
+
fprintf(h, "\n\n");
if (!one_code_file) {
static int
decode_type (const char *name, const Type *t, int optional,
- const char *forwstr, const char *tmpstr, const char *dertype)
+ const char *forwstr, const char *tmpstr, const char *dertype,
+ unsigned int depth)
{
switch (t->type) {
case TType: {
if (asprintf (&s, "%s(%s)->%s", m->optional ? "" : "&",
name, m->gen_name) < 0 || s == NULL)
errx(1, "malloc");
- decode_type (s, m->type, m->optional, forwstr, m->gen_name, NULL);
+ decode_type (s, m->type, m->optional, forwstr, m->gen_name, NULL,
+ depth + 1);
free (s);
}
"%s = calloc(1, sizeof(*%s));\n"
"if (%s == NULL) { e = ENOMEM; %s; }\n",
s, s, s, forwstr);
- decode_type (s, m->type, 0, forwstr, m->gen_name, NULL);
+ decode_type (s, m->type, 0, forwstr, m->gen_name, NULL, depth + 1);
free (s);
fprintf(codefile, "members |= (1 << %d);\n", memno);
errx(1, "malloc");
if (asprintf (&sname, "%s_s_of", tmpstr) < 0 || sname == NULL)
errx(1, "malloc");
- decode_type (n, t->subtype, 0, forwstr, sname, NULL);
+ decode_type (n, t->subtype, 0, forwstr, sname, NULL, depth + 1);
fprintf (codefile,
"(%s)->len++;\n"
"len = %s_origlen - ret;\n"
tmpstr, tmpstr, typestring);
if(support_ber)
fprintf(codefile,
- "int is_indefinite;\n");
+ "int is_indefinite%u;\n", depth);
fprintf(codefile, "e = der_match_tag_and_length(p, len, %s, &%s, %s, "
"&%s_datalen, &l);\n",
tmpstr);
if(support_ber)
fprintf (codefile,
- "if((is_indefinite = _heim_fix_dce(%s_datalen, &len)) < 0)\n"
+ "if((is_indefinite%u = _heim_fix_dce(%s_datalen, &len)) < 0)\n"
"{ e = ASN1_BAD_FORMAT; %s; }\n"
- "if (is_indefinite) { if (len < 2) { e = ASN1_OVERRUN; %s; } len -= 2; }",
- tmpstr, forwstr, forwstr);
+ "if (is_indefinite%u) { if (len < 2) { e = ASN1_OVERRUN; %s; } len -= 2; }",
+ depth, tmpstr, forwstr, depth, forwstr);
else
fprintf(codefile,
"if (%s_datalen > len) { e = ASN1_OVERRUN; %s; }\n"
"len = %s_datalen;\n", tmpstr, forwstr, tmpstr);
if (asprintf (&tname, "%s_Tag", tmpstr) < 0 || tname == NULL)
errx(1, "malloc");
- decode_type (name, t->subtype, 0, forwstr, tname, ide);
+ decode_type (name, t->subtype, 0, forwstr, tname, ide, depth + 1);
if(support_ber)
fprintf(codefile,
- "if(is_indefinite){\n"
+ "if(is_indefinite%u){\n"
"len += 2;\n"
"e = der_match_tag_and_length(p, len, "
"(Der_class)0, &%s, UT_EndOfContent, "
"p += l; len -= l; ret += l;\n"
"if (%s != (Der_type)0) { e = ASN1_BAD_ID; %s; }\n"
"} else \n",
+ depth,
typestring,
tmpstr,
forwstr,
if (asprintf (&s, "%s(%s)->u.%s", m->optional ? "" : "&",
name, m->gen_name) < 0 || s == NULL)
errx(1, "malloc");
- decode_type (s, m->type, m->optional, forwstr, m->gen_name, NULL);
+ decode_type (s, m->type, m->optional, forwstr, m->gen_name, NULL,
+ depth + 1);
fprintf(codefile,
"(%s)->element = %s;\n",
name, m->label);
"(%s)->element = %s;\n"
"p += len;\n"
"ret += len;\n"
- "len -= len;\n"
+ "len = 0;\n"
"}\n",
name, have_ellipsis->gen_name,
name, have_ellipsis->gen_name,
int preserve = preserve_type(s->name) ? TRUE : FALSE;
fprintf (codefile, "int ASN1CALL\n"
- "decode_%s(const unsigned char *p,"
- " size_t len, %s *data, size_t *size)\n"
+ "decode_%s(const unsigned char *p HEIMDAL_UNUSED_ATTRIBUTE,"
+ " size_t len HEIMDAL_UNUSED_ATTRIBUTE, %s *data, size_t *size)\n"
"{\n",
s->gen_name, s->gen_name);
case TChoice:
fprintf (codefile,
"size_t ret = 0;\n"
- "size_t l;\n"
- "int e;\n");
+ "size_t l HEIMDAL_UNUSED_ATTRIBUTE;\n"
+ "int e HEIMDAL_UNUSED_ATTRIBUTE;\n");
if (preserve)
fprintf (codefile, "const unsigned char *begin = p;\n");
fprintf (codefile, "\n");
fprintf (codefile, "memset(data, 0, sizeof(*data));\n"); /* hack to avoid `unused variable' */
- decode_type ("data", s->type, 0, "goto fail", "Top", NULL);
+ decode_type ("data", s->type, 0, "goto fail", "Top", NULL, 1);
if (preserve)
fprintf (codefile,
"data->_save.data = calloc(1, ret);\n"
else if(m->defval)
gen_compare_defval(s + 1, m->defval);
fprintf (codefile, "{\n");
- fprintf (codefile, "size_t %s_oldret = ret;\n", tmpstr);
+ fprintf (codefile, "size_t %s_oldret HEIMDAL_UNUSED_ATTRIBUTE = ret;\n", tmpstr);
fprintf (codefile, "ret = 0;\n");
encode_type (s, m->type, m->gen_name);
fprintf (codefile, "ret += %s_oldret;\n", tmpstr);
name, name);
fprintf(codefile,
- "for(i = 0; i < (%s)->len; i++) {\n",
+ "for(i = 0; i < (int)(%s)->len; i++) {\n",
name);
fprintf(codefile,
fprintf(codefile,
"if (totallen > len) {\n"
- "for (i = 0; i < (%s)->len; i++) {\n"
+ "for (i = 0; i < (int)(%s)->len; i++) {\n"
"free(val[i].data);\n"
"}\n"
"free(val);\n"
name);
fprintf (codefile,
- "for(i = (%s)->len - 1; i >= 0; --i) {\n"
+ "for(i = (int)(%s)->len - 1; i >= 0; --i) {\n"
"p -= val[i].length;\n"
"ret += val[i].length;\n"
"memcpy(p + 1, val[i].data, val[i].length);\n"
char *n = NULL;
fprintf (codefile,
- "for(i = (%s)->len - 1; i >= 0; --i) {\n"
+ "for(i = (int)(%s)->len - 1; i >= 0; --i) {\n"
"size_t %s_for_oldret = ret;\n"
"ret = 0;\n",
name, tmpstr);
generate_type_encode (const Symbol *s)
{
fprintf (codefile, "int ASN1CALL\n"
- "encode_%s(unsigned char *p, size_t len,"
+ "encode_%s(unsigned char *p HEIMDAL_UNUSED_ATTRIBUTE, size_t len HEIMDAL_UNUSED_ATTRIBUTE,"
" const %s *data, size_t *size)\n"
"{\n",
s->gen_name, s->gen_name);
case TType:
case TChoice:
fprintf (codefile,
- "size_t ret = 0;\n"
- "size_t l;\n"
- "int i, e;\n\n");
- fprintf(codefile, "i = 0;\n"); /* hack to avoid `unused variable' */
+ "size_t ret HEIMDAL_UNUSED_ATTRIBUTE = 0;\n"
+ "size_t l HEIMDAL_UNUSED_ATTRIBUTE;\n"
+ "int i HEIMDAL_UNUSED_ATTRIBUTE, e HEIMDAL_UNUSED_ATTRIBUTE;\n\n");
encode_type("data", s->type, "Top");
generate_type_free (const Symbol *s)
{
int preserve = preserve_type(s->name) ? TRUE : FALSE;
-
+
fprintf (codefile, "void ASN1CALL\n"
"free_%s(%s *data)\n"
"{\n",
s->gen_name, s->gen_name);
-
+
free_type ("data", s->type, preserve);
fprintf (codefile, "}\n\n");
}
ret = strcmp(tl->header, ql->header);
if (ret) return ret;
-
+
q = ASN1_TAILQ_FIRST(&ql->template);
ASN1_TAILQ_FOREACH(t, &tl->template, members) {
if (q == NULL) return 1;
} else {
ret = strcmp(t->tt, q->tt);
if (ret) return ret;
-
+
ret = strcmp(t->offset, q->offset);
if (ret) return ret;
optional ? "|A1_FLAG_OPTIONAL" : "",
poffset, t->symbol->gen_name);
} else {
- add_line_pointer(temp, t->symbol->gen_name, poffset,
+ add_line_pointer(temp, t->symbol->gen_name, poffset,
"A1_OP_TYPE %s", optional ? "|A1_FLAG_OPTIONAL" : "");
}
break;
case TInteger: {
- char *itype;
+ char *itype = NULL;
if (t->members)
itype = "IMEMBER";
else
errx(1, "%s: unsupported range %d -> %d",
name, t->range->min, t->range->max);
-
+
add_line(temp, "{ A1_PARSE_T(A1T_%s), %s, NULL }", itype, poffset);
break;
}
break;
}
- if (asprintf(&bname, "bmember_%s_%lu", name ? name : "", (unsigned long)t) < 0 || bname == NULL)
+ if (asprintf(&bname, "bmember_%s_%p", name ? name : "", t) < 0 || bname == NULL)
errx(1, "malloc");
output_name(bname);
ASN1_TAILQ_FOREACH(m, t->members, members) {
char *newbasename = NULL;
-
+
if (m->ellipsis)
continue;
else
sename = symbol_name(basetype, t->subtype);
- if (asprintf(&tname, "tag_%s_%lu", name ? name : "", (unsigned long)t) < 0 || tname == NULL)
+ if (asprintf(&tname, "tag_%s_%p", name ? name : "", t) < 0 || tname == NULL)
errx(1, "malloc");
output_name(tname);
}
case TSetOf:
case TSequenceOf: {
- const char *type, *tname, *dupname;
+ const char *type = NULL, *tname, *dupname;
char *sename = NULL, *elname = NULL;
int subtype_is_struct = is_struct(t->subtype, 0);
else if (t->type == TSequenceOf) type = "A1_OP_SEQOF";
else abort();
- if (asprintf(&elname, "%s_%s_%lu", basetype, tname, (unsigned long)t) < 0 || elname == NULL)
+ if (asprintf(&elname, "%s_%s_%p", basetype, tname, t) < 0 || elname == NULL)
errx(1, "malloc");
generate_template_type(elname, &dupname, NULL, sename, NULL, t->subtype,
char *elname = NULL;
char *newbasename = NULL;
int subtype_is_struct;
-
+
if (m->ellipsis) {
ellipsis = 1;
continue;
--enctypes
ENCTYPE ::= INTEGER {
- ETYPE_NULL(0),
- ETYPE_DES_CBC_CRC(1),
- ETYPE_DES_CBC_MD4(2),
- ETYPE_DES_CBC_MD5(3),
- ETYPE_DES3_CBC_MD5(5),
- ETYPE_OLD_DES3_CBC_SHA1(7),
- ETYPE_SIGN_DSA_GENERATE(8),
- ETYPE_ENCRYPT_RSA_PRIV(9),
- ETYPE_ENCRYPT_RSA_PUB(10),
- ETYPE_DES3_CBC_SHA1(16), -- with key derivation
- ETYPE_AES128_CTS_HMAC_SHA1_96(17),
- ETYPE_AES256_CTS_HMAC_SHA1_96(18),
- ETYPE_ARCFOUR_HMAC_MD5(23),
- ETYPE_ARCFOUR_HMAC_MD5_56(24),
- ETYPE_ENCTYPE_PK_CROSS(48),
+ KRB5_ENCTYPE_NULL(0),
+ KRB5_ENCTYPE_DES_CBC_CRC(1),
+ KRB5_ENCTYPE_DES_CBC_MD4(2),
+ KRB5_ENCTYPE_DES_CBC_MD5(3),
+ KRB5_ENCTYPE_DES3_CBC_MD5(5),
+ KRB5_ENCTYPE_OLD_DES3_CBC_SHA1(7),
+ KRB5_ENCTYPE_SIGN_DSA_GENERATE(8),
+ KRB5_ENCTYPE_ENCRYPT_RSA_PRIV(9),
+ KRB5_ENCTYPE_ENCRYPT_RSA_PUB(10),
+ KRB5_ENCTYPE_DES3_CBC_SHA1(16), -- with key derivation
+ KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96(17),
+ KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96(18),
+ KRB5_ENCTYPE_ARCFOUR_HMAC_MD5(23),
+ KRB5_ENCTYPE_ARCFOUR_HMAC_MD5_56(24),
+ KRB5_ENCTYPE_ENCTYPE_PK_CROSS(48),
-- some "old" windows types
- ETYPE_ARCFOUR_MD4(-128),
- ETYPE_ARCFOUR_HMAC_OLD(-133),
- ETYPE_ARCFOUR_HMAC_OLD_EXP(-135),
+ KRB5_ENCTYPE_ARCFOUR_MD4(-128),
+ KRB5_ENCTYPE_ARCFOUR_HMAC_OLD(-133),
+ KRB5_ENCTYPE_ARCFOUR_HMAC_OLD_EXP(-135),
-- these are for Heimdal internal use
- ETYPE_DES_CBC_NONE(-0x1000),
- ETYPE_DES3_CBC_NONE(-0x1001),
- ETYPE_DES_CFB64_NONE(-0x1002),
- ETYPE_DES_PCBC_NONE(-0x1003),
- ETYPE_DIGEST_MD5_NONE(-0x1004), -- private use, lukeh@padl.com
- ETYPE_CRAM_MD5_NONE(-0x1005) -- private use, lukeh@padl.com
+ KRB5_ENCTYPE_DES_CBC_NONE(-0x1000),
+ KRB5_ENCTYPE_DES3_CBC_NONE(-0x1001),
+ KRB5_ENCTYPE_DES_CFB64_NONE(-0x1002),
+ KRB5_ENCTYPE_DES_PCBC_NONE(-0x1003),
+ KRB5_ENCTYPE_DIGEST_MD5_NONE(-0x1004), -- private use, lukeh@padl.com
+ KRB5_ENCTYPE_CRAM_MD5_NONE(-0x1005) -- private use, lukeh@padl.com
}
targrealm[2] Realm OPTIONAL
}
-EtypeList ::= SEQUENCE OF krb5int32
+EtypeList ::= SEQUENCE OF ENCTYPE
-- the client's proposed enctype list in
-- decreasing preference order, favorite choice first
char *p = buf;
int f = 0;
int skip_ws = 0;
-
+
while((c = input()) != EOF) {
if(isspace(c) && skip_ws) {
if(c == '\n')
continue;
}
skip_ws = 0;
-
+
if(c == '"') {
if(f) {
*p++ = '"';
char *p = buf;
int f = 0;
int skip_ws = 0;
-
+
while((c = input()) != EOF) {
if(isspace(c) && skip_ws) {
if(c == '\n')
continue;
}
skip_ws = 0;
-
+
if(c == '"') {
if(f) {
*p++ = '"';
free(arg[i]);
free(arg);
}
-
+
return 0;
}
thirtyone(31)
}
+TESTMechType::= OBJECT IDENTIFIER
+TESTMechTypeList ::= SEQUENCE OF TESTMechType
+
END
#include "der_locl.h"
-RCSID("$Id$");
+#define ASN1_MAX_YEAR 2000
static int
is_leap(unsigned y)
_der_timegm (struct tm *tm)
{
time_t res = 0;
- unsigned i;
+ int i;
+
+ /*
+ * See comment in _der_gmtime
+ */
+ if (tm->tm_year > ASN1_MAX_YEAR)
+ return 0;
if (tm->tm_year < 0)
return -1;
if (tm->tm_mon < 0 || tm->tm_mon > 11)
return -1;
- if (tm->tm_mday < 1 || tm->tm_mday > ndays[is_leap(tm->tm_year)][tm->tm_mon])
+ if (tm->tm_mday < 1 || tm->tm_mday > (int)ndays[is_leap(tm->tm_year)][tm->tm_mon])
return -1;
if (tm->tm_hour < 0 || tm->tm_hour > 23)
return -1;
tm->tm_min = (secday % 3600) / 60;
tm->tm_hour = secday / 3600;
+ /*
+ * Refuse to calculate time ~ 2000 years into the future, this is
+ * not possible for systems where time_t is a int32_t, however,
+ * when time_t is a int64_t, that can happen, and this becomes a
+ * denial of sevice.
+ */
+ if (days > (ASN1_MAX_YEAR * 365))
+ return NULL;
+
tm->tm_year = 70;
while(1) {
unsigned dayinyear = (is_leap(tm->tm_year) ? 366 : 365);
fprintf(c_file, "\t/* %03d */ \"Reserved %s error (%d)\",\n",
n, name, n);
n++;
-
+
}
fprintf(c_file, "\t/* %03d */ N_(\"%s\"),\n",
ec->number, ec->string);
yyin = fopen(filename, "r");
if(yyin == NULL)
err(1, "%s", filename);
-
+
p = strrchr(filename, rk_PATH_DELIM);
if(p)
et->next = NULL;
*end = et;
}
-
+
KRB5_LIB_FUNCTION void KRB5_LIB_CALL
free_error_table(struct et_list *et)
#line 118 "parse.c"
{
struct error_code *ec = malloc(sizeof(*ec));
-
+
if (ec == NULL)
errx(1, "malloc");
| EC STRING ',' STRING
{
struct error_code *ec = malloc(sizeof(*ec));
-
+
if (ec == NULL)
errx(1, "malloc");
* SUCH DAMAGE.
*/
-/* $Id$ */
-
#ifndef GSSAPI_GSSAPI_H_
#define GSSAPI_GSSAPI_H_
#endif
#endif
-#ifndef GSSAPI_DEPRECATED
+#ifndef GSSAPI_DEPRECATED_FUNCTION
#if defined(__GNUC__) && ((__GNUC__ > 3) || ((__GNUC__ == 3) && (__GNUC_MINOR__ >= 1 )))
-#define GSSAPI_DEPRECATED __attribute__((deprecated))
-#elif defined(_MSC_VER)
-#define GSSAPI_DEPRECATED __declspec(deprecated)
+#define GSSAPI_DEPRECATED_FUNCTION(X) __attribute__((deprecated))
#else
-#define GSSAPI_DEPRECATED
+#define GSSAPI_DEPRECATED_FUNCTION(X)
#endif
#endif
* to that gss_OID_desc.
*/
extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_nt_export_name_oid_desc;
-#define GSS_C_NT_EXPORT_NAME (&__gss_c_nt_export_name_oid_desc)
+#define GSS_C_NT_EXPORT_NAME (&__gss_c_nt_export_name_oid_desc)
/* Major status codes */
#define GSS_S_NAME_NOT_MN (18ul << GSS_C_ROUTINE_ERROR_OFFSET)
#define GSS_S_BAD_MECH_ATTR (19ul << GSS_C_ROUTINE_ERROR_OFFSET)
+/*
+ * Apparently awating spec fix.
+ */
+#define GSS_S_CRED_UNAVAIL GSS_S_FAILURE
+
/*
* Supplementary info bits:
*/
* Finally, function prototypes for the GSS-API routines.
*/
+#define GSS_C_OPTION_MASK 0xffff
+#define GSS_C_CRED_NO_UI 0x10000
+
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_acquire_cred
(OM_uint32 * /*minor_status*/,
const gss_name_t /*desired_name*/,
size_t blocksize; /**< Specificed optimal size of messages, also
is the maximum padding size
(GSS_IOV_BUFFER_TYPE_PADDING) */
-} gss_context_stream_sizes;
+} gss_context_stream_sizes;
extern gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_attr_stream_sizes_oid_desc;
#define GSS_C_ATTR_STREAM_SIZES (&__gss_c_attr_stream_sizes_oid_desc)
* obsolete versions of these routines and their current forms.
*/
-GSSAPI_DEPRECATED GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_sign
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_sign
(OM_uint32 * /*minor_status*/,
gss_ctx_id_t /*context_handle*/,
int /*qop_req*/,
gss_buffer_t /*message_buffer*/,
gss_buffer_t /*message_token*/
- );
+ ) GSSAPI_DEPRECATED_FUNCTION("Use gss_get_mic");
-GSSAPI_DEPRECATED GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_verify
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_verify
(OM_uint32 * /*minor_status*/,
gss_ctx_id_t /*context_handle*/,
gss_buffer_t /*message_buffer*/,
gss_buffer_t /*token_buffer*/,
int * /*qop_state*/
- );
+ ) GSSAPI_DEPRECATED_FUNCTION("Use gss_verify_mic");
-GSSAPI_DEPRECATED GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_seal
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_seal
(OM_uint32 * /*minor_status*/,
gss_ctx_id_t /*context_handle*/,
int /*conf_req_flag*/,
gss_buffer_t /*input_message_buffer*/,
int * /*conf_state*/,
gss_buffer_t /*output_message_buffer*/
- );
+ ) GSSAPI_DEPRECATED_FUNCTION("Use gss_wrap");
-GSSAPI_DEPRECATED GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_unseal
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_unseal
(OM_uint32 * /*minor_status*/,
gss_ctx_id_t /*context_handle*/,
gss_buffer_t /*input_message_buffer*/,
gss_buffer_t /*output_message_buffer*/,
int * /*conf_state*/,
int * /*qop_state*/
- );
+ ) GSSAPI_DEPRECATED_FUNCTION("Use gss_unwrap");
/**
*
*/
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
-gss_encapsulate_token(const gss_buffer_t /* input_token */,
- const gss_OID /* oid */,
+gss_encapsulate_token(gss_const_buffer_t /* input_token */,
+ gss_const_OID /* oid */,
gss_buffer_t /* output_token */);
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
-gss_decapsulate_token(const gss_buffer_t /* input_token */,
- const gss_OID /* oid */,
+gss_decapsulate_token(gss_const_buffer_t /* input_token */,
+ gss_const_OID /* oid */,
gss_buffer_t /* output_token */);
gss_buffer_t short_desc,
gss_buffer_t long_desc);
+/*
+ * Solaris compat
+ */
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_acquire_cred_with_password
+ (OM_uint32 * /*minor_status*/,
+ const gss_name_t /*desired_name*/,
+ const gss_buffer_t /*password*/,
+ OM_uint32 /*time_req*/,
+ const gss_OID_set /*desired_mechs*/,
+ gss_cred_usage_t /*cred_usage*/,
+ gss_cred_id_t * /*output_cred_handle*/,
+ gss_OID_set * /*actual_mechs*/,
+ OM_uint32 * /*time_rec*/
+ );
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_add_cred_with_password (
+ OM_uint32 * /*minor_status*/,
+ const gss_cred_id_t /*input_cred_handle*/,
+ const gss_name_t /*desired_name*/,
+ const gss_OID /*desired_mech*/,
+ const gss_buffer_t /*password*/,
+ gss_cred_usage_t /*cred_usage*/,
+ OM_uint32 /*initiator_time_req*/,
+ OM_uint32 /*acceptor_time_req*/,
+ gss_cred_id_t * /*output_cred_handle*/,
+ gss_OID_set * /*actual_mechs*/,
+ OM_uint32 * /*initiator_time_rec*/,
+ OM_uint32 * /*acceptor_time_rec*/
+ );
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_pname_to_uid(
+ OM_uint32 *minor,
+ const gss_name_t name,
+ const gss_OID mech_type,
+ uid_t *uidOut);
+
+GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
+gss_authorize_localname(
+ OM_uint32 *minor,
+ const gss_name_t name,
+ const gss_name_t user);
+
+GSSAPI_LIB_FUNCTION int GSSAPI_LIB_CALL
+gss_userok(const gss_name_t name,
+ const char *user);
+
+extern GSSAPI_LIB_VARIABLE gss_buffer_t GSS_C_ATTR_LOCAL_LOGIN_USER;
+
/*
* Naming extensions
*/
GSSAPI_CPP_END
+#undef GSSAPI_DEPRECATED_FUNCTION
+
#endif /* GSSAPI_GSSAPI_H_ */
extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_ma_mech_description_oid_desc;
#define GSS_C_MA_MECH_DESCRIPTION (&__gss_c_ma_mech_description_oid_desc)
+ /* credential types */
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_cred_password_oid_desc;
+#define GSS_C_CRED_PASSWORD (&__gss_c_cred_password_oid_desc)
+
+extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_c_cred_certificate_oid_desc;
+#define GSS_C_CRED_CERTIFICATE (&__gss_c_cred_certificate_oid_desc)
+
/* Heimdal mechanisms - 1.2.752.43.14 */
extern GSSAPI_LIB_VARIABLE gss_OID_desc __gss_sasl_digest_md5_mechanism_oid_desc;
#define GSS_SASL_DIGEST_MD5_MECHANISM (&__gss_sasl_digest_md5_mechanism_oid_desc)
typedef OM_uint32 GSSAPI_CALLCONV
-_gss_acquire_cred_ex_t(void * /* status */,
- const gss_name_t /* desired_name */,
- OM_uint32 /* flags */,
- OM_uint32 /* time_req */,
- gss_cred_usage_t /* cred_usage */,
- void * /* identity */,
- void * /* ctx */,
- void (* /*complete */)(void *, OM_uint32, void *, gss_cred_id_t, OM_uint32));
+_gss_acquire_cred_ext_t(OM_uint32 * /*minor_status */,
+ const gss_name_t /* desired_name */,
+ gss_const_OID /* credential_type */,
+ const void * /* credential_data */,
+ OM_uint32 /* time_req */,
+ gss_const_OID /* desired_mech */,
+ gss_cred_usage_t /* cred_usage */,
+ gss_cred_id_t * /* output_cred_handle */);
typedef void GSSAPI_CALLCONV
_gss_iter_creds_t(OM_uint32 /* flags */,
int (*set)(gss_const_OID, gss_mo_desc *, int, gss_buffer_t);
};
+typedef OM_uint32 GSSAPI_CALLCONV _gss_pname_to_uid_t (
+ OM_uint32 *, /* minor_status */
+ const gss_name_t, /* name */
+ const gss_OID, /* mech_type */
+ uid_t * /* uidOut */
+ );
+
+typedef OM_uint32 GSSAPI_CALLCONV _gss_authorize_localname_t (
+ OM_uint32 *, /* minor_status */
+ const gss_name_t, /* name */
+ gss_const_buffer_t, /* user */
+ gss_const_OID /* user_name_type */
+ );
+
+/* mechglue internal */
+struct gss_mech_compat_desc_struct;
#define GMI_VERSION 5
/* gm_flags */
#define GM_USE_MG_CRED 1 /* uses mech glue credentials */
-
typedef struct gssapi_mech_interface_desc {
unsigned gm_version;
const char *gm_name;
_gss_store_cred_t *gm_store_cred;
_gss_export_cred_t *gm_export_cred;
_gss_import_cred_t *gm_import_cred;
- _gss_acquire_cred_ex_t *gm_acquire_cred_ex;
+ _gss_acquire_cred_ext_t *gm_acquire_cred_ext;
_gss_iter_creds_t *gm_iter_creds;
_gss_destroy_cred_t *gm_destroy_cred;
_gss_cred_hold_t *gm_cred_hold;
_gss_cred_label_set_t *gm_cred_label_set;
gss_mo_desc *gm_mo;
size_t gm_mo_num;
+ _gss_pname_to_uid_t *gm_pname_to_uid;
+ _gss_authorize_localname_t *gm_authorize_localname;
_gss_display_name_ext_t *gm_display_name_ext;
_gss_inquire_name_t *gm_inquire_name;
_gss_get_name_attribute_t *gm_get_name_attribute;
_gss_set_name_attribute_t *gm_set_name_attribute;
_gss_delete_name_attribute_t *gm_delete_name_attribute;
_gss_export_name_composite_t *gm_export_name_composite;
+ struct gss_mech_compat_desc_struct *gm_compat;
} gssapi_mech_interface_desc, *gssapi_mech_interface;
gssapi_mech_interface
extern struct _gss_oid_name_table _gss_ont_mech[];
extern struct _gss_oid_name_table _gss_ont_ma[];
+/*
+ * Extended credentials acqusition API, not to be exported until
+ * it or something equivalent has been standardised.
+ */
+extern gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_cred_password_oid_desc;
+#define GSS_C_CRED_PASSWORD (&__gss_c_cred_password_oid_desc)
+
+extern gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_cred_certificate_oid_desc;
+#define GSS_C_CRED_CERTIFICATE (&__gss_c_cred_certificate_oid_desc)
+
+OM_uint32 _gss_acquire_cred_ext
+ (OM_uint32 * /*minor_status*/,
+ const gss_name_t /*desired_name*/,
+ gss_const_OID /*credential_type*/,
+ const void * /*credential_data*/,
+ OM_uint32 /*time_req*/,
+ gss_const_OID /*desired_mech*/,
+ gss_cred_usage_t /*cred_usage*/,
+ gss_cred_id_t * /*output_cred_handle*/
+ );
+
#endif /* GSSAPI_MECH_H */
_gsskrb5_encode_om_uint32 (b->acceptor_address.length, num);
EVP_DigestUpdate(ctx, num, sizeof(num));
if (b->acceptor_address.length)
- EVP_DigestUpdate(ctx,
+ EVP_DigestUpdate(ctx,
b->acceptor_address.value,
b->acceptor_address.length);
_gsskrb5_encode_om_uint32 (b->application_data.length, num);
HEIMDAL_MUTEX gssapi_keytab_mutex = HEIMDAL_MUTEX_INITIALIZER;
krb5_keytab _gsskrb5_keytab;
+static krb5_error_code
+validate_keytab(krb5_context context, const char *name, krb5_keytab *id)
+{
+ krb5_error_code ret;
+
+ ret = krb5_kt_resolve(context, name, id);
+ if (ret)
+ return ret;
+
+ ret = krb5_kt_have_content(context, *id);
+ if (ret) {
+ krb5_kt_close(context, *id);
+ *id = NULL;
+ }
+
+ return ret;
+}
+
OM_uint32
-_gsskrb5_register_acceptor_identity (const char *identity)
+_gsskrb5_register_acceptor_identity(OM_uint32 *min_stat, const char *identity)
{
krb5_context context;
krb5_error_code ret;
+ *min_stat = 0;
+
ret = _gsskrb5_init(&context);
if(ret)
return GSS_S_FAILURE;
if (identity == NULL) {
ret = krb5_kt_default(context, &_gsskrb5_keytab);
} else {
- char *p = NULL;
-
- ret = asprintf(&p, "FILE:%s", identity);
- if(ret < 0 || p == NULL) {
- HEIMDAL_MUTEX_unlock(&gssapi_keytab_mutex);
- return GSS_S_FAILURE;
+ /*
+ * First check if we can the keytab as is and if it has content...
+ */
+ ret = validate_keytab(context, identity, &_gsskrb5_keytab);
+ /*
+ * if it doesn't, lets prepend FILE: and try again
+ */
+ if (ret) {
+ char *p = NULL;
+ ret = asprintf(&p, "FILE:%s", identity);
+ if(ret < 0 || p == NULL) {
+ HEIMDAL_MUTEX_unlock(&gssapi_keytab_mutex);
+ return GSS_S_FAILURE;
+ }
+ ret = validate_keytab(context, p, &_gsskrb5_keytab);
+ free(p);
}
- ret = krb5_kt_resolve(context, p, &_gsskrb5_keytab);
- free(p);
}
HEIMDAL_MUTEX_unlock(&gssapi_keytab_mutex);
- if(ret)
+ if(ret) {
+ *min_stat = ret;
return GSS_S_FAILURE;
+ }
return GSS_S_COMPLETE;
}
if (key == NULL)
return;
-
+
switch (key->keytype) {
case ETYPE_DES_CBC_CRC:
case ETYPE_DES_CBC_MD4:
if (delegated_cred_handle) {
gsskrb5_cred handle;
-
+
ret = _gsskrb5_krb5_import_cred(minor_status,
ccache,
NULL,
if(ctx->flags & GSS_C_MUTUAL_FLAG) {
krb5_data outbuf;
int use_subkey = 0;
-
+
_gsskrb5i_is_cfx(context, ctx, 1);
is_cfx = (ctx->more_flags & IS_CFX);
-
+
if (is_cfx || (ap_options & AP_OPTS_USE_SUBKEY)) {
use_subkey = 1;
} else {
KRB5_AUTH_CONTEXT_USE_SUBKEY,
NULL);
}
-
+
kret = krb5_mk_rep(context,
ctx->auth_context,
&outbuf);
*minor_status = kret;
return GSS_S_FAILURE;
}
-
+
if (IS_DCE_STYLE(ctx)) {
output_token->length = outbuf.length;
output_token->value = outbuf.data;
krb5_error_code kret;
krb5_data inbuf;
int32_t r_seq_number, l_seq_number;
-
+
/*
* We know it's GSS_C_DCE_STYLE so we don't need to decapsulate the AP_REP
*/
{
krb5_ap_rep_enc_part *repl;
int32_t auth_flags;
-
+
krb5_auth_con_removeflags(context,
ctx->auth_context,
KRB5_AUTH_CONTEXT_DO_TIME,
if (lifetime_rec == 0) {
return GSS_S_CONTEXT_EXPIRED;
}
-
+
if (time_rec) *time_rec = lifetime_rec;
}
{
kret = krb5_auth_con_setremoteseqnumber(context,
ctx->auth_context,
- r_seq_number);
+ r_seq_number);
if (kret) {
*minor_status = kret;
return GSS_S_FAILURE;
memset(&in_cred, 0, sizeof(in_cred));
in_cred.client = principal;
-
+
realm = krb5_principal_get_realm(context, principal);
if (realm == NULL) {
_gsskrb5_clear_status ();
static krb5_error_code
get_keytab(krb5_context context, krb5_keytab *keytab)
{
- char kt_name[256];
krb5_error_code kret;
HEIMDAL_MUTEX_lock(&gssapi_keytab_mutex);
if (_gsskrb5_keytab != NULL) {
- kret = krb5_kt_get_name(context,
- _gsskrb5_keytab,
- kt_name, sizeof(kt_name));
- if (kret == 0)
- kret = krb5_kt_resolve(context, kt_name, keytab);
+ char *name = NULL;
+
+ kret = krb5_kt_get_full_name(context, _gsskrb5_keytab, &name);
+ if (kret == 0) {
+ kret = krb5_kt_resolve(context, name, keytab);
+ krb5_xfree(name);
+ }
} else
kret = krb5_kt_default(context, keytab);
static OM_uint32 acquire_initiator_cred
(OM_uint32 * minor_status,
krb5_context context,
+ gss_const_OID credential_type,
+ const void *credential_data,
const gss_name_t desired_name,
OM_uint32 time_req,
- const gss_OID_set desired_mechs,
+ gss_const_OID desired_mech,
gss_cred_usage_t cred_usage,
- gsskrb5_cred handle,
- gss_OID_set * actual_mechs,
- OM_uint32 * time_rec
+ gsskrb5_cred handle
)
{
OM_uint32 ret;
* errors while searching.
*/
+ if (credential_type != GSS_C_NO_OID &&
+ !gss_oid_equal(credential_type, GSS_C_CRED_PASSWORD)) {
+ kret = KRB5_NOCREDS_SUPPLIED; /* XXX */
+ goto end;
+ }
+
if (handle->principal) {
kret = krb5_cc_cache_match (context,
handle->principal,
if (kret)
goto end;
}
- kret = get_keytab(context, &keytab);
- if (kret)
- goto end;
kret = krb5_get_init_creds_opt_alloc(context, &opt);
if (kret)
goto end;
- kret = krb5_get_init_creds_keytab(context, &cred,
- handle->principal, keytab, 0, NULL, opt);
+ if (credential_type != GSS_C_NO_OID &&
+ gss_oid_equal(credential_type, GSS_C_CRED_PASSWORD)) {
+ gss_buffer_t password = (gss_buffer_t)credential_data;
+
+ /* XXX are we requiring password to be NUL terminated? */
+
+ kret = krb5_get_init_creds_password(context, &cred,
+ handle->principal,
+ password->value,
+ NULL, NULL, 0, NULL, opt);
+ } else {
+ kret = get_keytab(context, &keytab);
+ if (kret) {
+ krb5_get_init_creds_opt_free(context, opt);
+ goto end;
+ }
+ kret = krb5_get_init_creds_keytab(context, &cred,
+ handle->principal, keytab,
+ 0, NULL, opt);
+ }
krb5_get_init_creds_opt_free(context, opt);
if (kret)
goto end;
static OM_uint32 acquire_acceptor_cred
(OM_uint32 * minor_status,
krb5_context context,
+ gss_const_OID credential_type,
+ const void *credential_data,
const gss_name_t desired_name,
OM_uint32 time_req,
- const gss_OID_set desired_mechs,
+ gss_const_OID desired_mech,
gss_cred_usage_t cred_usage,
- gsskrb5_cred handle,
- gss_OID_set * actual_mechs,
- OM_uint32 * time_rec
+ gsskrb5_cred handle
)
{
OM_uint32 ret;
krb5_error_code kret;
ret = GSS_S_FAILURE;
+
+ if (credential_type != GSS_C_NO_OID) {
+ kret = EINVAL;
+ goto end;
+ }
+
kret = get_keytab(context, &handle->keytab);
if (kret)
goto end;
OM_uint32 * time_rec
)
{
- krb5_context context;
- gsskrb5_cred handle;
OM_uint32 ret;
- if (cred_usage != GSS_C_ACCEPT && cred_usage != GSS_C_INITIATE && cred_usage != GSS_C_BOTH) {
- *minor_status = GSS_KRB5_S_G_BAD_USAGE;
- return GSS_S_FAILURE;
- }
-
- GSSAPI_KRB5_INIT(&context);
-
- *output_cred_handle = NULL;
- if (time_rec)
- *time_rec = 0;
- if (actual_mechs)
- *actual_mechs = GSS_C_NO_OID_SET;
-
if (desired_mechs) {
int present = 0;
}
}
+ ret = _gsskrb5_acquire_cred_ext(minor_status,
+ desired_name,
+ GSS_C_NO_OID,
+ NULL,
+ time_req,
+ GSS_KRB5_MECHANISM,
+ cred_usage,
+ output_cred_handle);
+ if (ret)
+ return ret;
+
+
+ ret = _gsskrb5_inquire_cred(minor_status, *output_cred_handle,
+ NULL, time_rec, NULL, actual_mechs);
+ if (ret) {
+ OM_uint32 tmp;
+ _gsskrb5_release_cred(&tmp, output_cred_handle);
+ }
+
+ return ret;
+}
+
+OM_uint32 GSSAPI_CALLCONV _gsskrb5_acquire_cred_ext
+(OM_uint32 * minor_status,
+ const gss_name_t desired_name,
+ gss_const_OID credential_type,
+ const void *credential_data,
+ OM_uint32 time_req,
+ gss_const_OID desired_mech,
+ gss_cred_usage_t cred_usage,
+ gss_cred_id_t * output_cred_handle
+ )
+{
+ krb5_context context;
+ gsskrb5_cred handle;
+ OM_uint32 ret;
+
+ cred_usage &= GSS_C_OPTION_MASK;
+
+ if (cred_usage != GSS_C_ACCEPT && cred_usage != GSS_C_INITIATE && cred_usage != GSS_C_BOTH) {
+ *minor_status = GSS_KRB5_S_G_BAD_USAGE;
+ return GSS_S_FAILURE;
+ }
+
+ GSSAPI_KRB5_INIT(&context);
+
+ *output_cred_handle = NULL;
+
handle = calloc(1, sizeof(*handle));
if (handle == NULL) {
*minor_status = ENOMEM;
HEIMDAL_MUTEX_init(&handle->cred_id_mutex);
if (desired_name != GSS_C_NO_NAME) {
-
ret = _gsskrb5_canon_name(minor_status, context, 1, NULL,
desired_name, &handle->principal);
if (ret) {
}
if (cred_usage == GSS_C_INITIATE || cred_usage == GSS_C_BOTH) {
ret = acquire_initiator_cred(minor_status, context,
+ credential_type, credential_data,
desired_name, time_req,
- desired_mechs, cred_usage, handle,
- actual_mechs, time_rec);
+ desired_mech, cred_usage, handle);
if (ret != GSS_S_COMPLETE) {
HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
krb5_free_principal(context, handle->principal);
}
if (cred_usage == GSS_C_ACCEPT || cred_usage == GSS_C_BOTH) {
ret = acquire_acceptor_cred(minor_status, context,
+ credential_type, credential_data,
desired_name, time_req,
- desired_mechs, cred_usage, handle, actual_mechs, time_rec);
+ desired_mech, cred_usage, handle);
if (ret != GSS_S_COMPLETE) {
HEIMDAL_MUTEX_destroy(&handle->cred_id_mutex);
krb5_free_principal(context, handle->principal);
if (ret == GSS_S_COMPLETE)
ret = gss_add_oid_set_member(minor_status, GSS_KRB5_MECHANISM,
&handle->mechanisms);
- if (ret == GSS_S_COMPLETE)
- ret = _gsskrb5_inquire_cred(minor_status, (gss_cred_id_t)handle,
- NULL, time_rec, NULL, actual_mechs);
if (ret != GSS_S_COMPLETE) {
if (handle->mechanisms != NULL)
gss_release_oid_set(NULL, &handle->mechanisms);
free(handle);
return (ret);
}
- *minor_status = 0;
- if (time_rec) {
- ret = _gsskrb5_lifetime_left(minor_status,
- context,
- handle->lifetime,
- time_rec);
-
- if (ret)
- return ret;
- }
handle->usage = cred_usage;
+ *minor_status = 0;
*output_cred_handle = (gss_cred_id_t)handle;
return (GSS_S_COMPLETE);
}
return(GSS_S_FAILURE);
}
}
-
+
/* check that we have the same name */
if (dname != NULL &&
krb5_principal_compare(context, dname,
handle->ccache = NULL;
handle->mechanisms = NULL;
HEIMDAL_MUTEX_init(&handle->cred_id_mutex);
-
+
ret = GSS_S_FAILURE;
kret = krb5_copy_principal(context, cred->principal,
}
if (cred->keytab) {
- char name[KRB5_KT_PREFIX_MAX_LEN + MAXPATHLEN];
- int len;
-
- ret = GSS_S_FAILURE;
+ char *name = NULL;
- kret = krb5_kt_get_type(context, cred->keytab,
- name, KRB5_KT_PREFIX_MAX_LEN);
- if (kret) {
- *minor_status = kret;
- goto failure;
- }
- len = strlen(name);
- name[len++] = ':';
+ ret = GSS_S_FAILURE;
- kret = krb5_kt_get_name(context, cred->keytab,
- name + len,
- sizeof(name) - len);
+ kret = krb5_kt_get_full_name(context, cred->keytab, &name);
if (kret) {
*minor_status = kret;
goto failure;
kret = krb5_kt_resolve(context, name,
&handle->keytab);
+ krb5_xfree(name);
if (kret){
*minor_status = kret;
goto failure;
}
if (strcmp(type, "MEMORY") == 0) {
- ret = krb5_cc_new_unique(context, type,
+ ret = krb5_cc_new_unique(context, type,
NULL, &handle->ccache);
if (ret) {
*minor_status = ret;
*minor_status = ENOMEM;
goto failure;
}
-
+
kret = asprintf(&type_name, "%s:%s", type, name);
if (kret < 0 || type_name == NULL) {
*minor_status = ENOMEM;
goto failure;
}
-
+
kret = krb5_cc_resolve(context, type_name,
&handle->ccache);
free(type_name);
if (kret) {
*minor_status = kret;
goto failure;
- }
+ }
}
}
ret = gss_create_empty_oid_set(minor_status, &handle->mechanisms);
krb5_context context;
GSSAPI_KRB5_INIT (&context);
-
+
if (ctx->more_flags & IS_CFX)
return _gssapi_unwrap_cfx_iov(minor_status, ctx, context,
conf_state, qop_state, iov, iov_count);
-
+
return GSS_S_FAILURE;
}
{
const gsskrb5_ctx ctx = (const gsskrb5_ctx) context_handle;
krb5_context context;
-
+
GSSAPI_KRB5_INIT (&context);
-
+
if (ctx->more_flags & IS_CFX)
return _gssapi_wrap_iov_length_cfx(minor_status, ctx, context,
conf_req_flag, qop_req, conf_state,
iov, iov_count);
-
+
return GSS_S_FAILURE;
}
const gss_buffer_t token_buffer,
gss_qop_t * qop_state,
krb5_keyblock *key,
- char *type)
+ const char *type)
{
krb5_error_code ret;
uint32_t seq_number;
p = token_buffer->value;
omret = _gsskrb5_verify_header (&p,
token_buffer->length,
- (u_char *)type,
+ type,
GSS_KRB5_MECHANISM);
if (omret)
return omret;
{
EVP_CIPHER_CTX rc4_key;
-
+
EVP_CIPHER_CTX_init(&rc4_key);
EVP_CipherInit_ex(&rc4_key, EVP_rc4(), NULL, (void *)k6_data, NULL, 0);
EVP_Cipher(&rc4_key, SND_SEQ, p, 8);
if(conf_req_flag) {
EVP_CIPHER_CTX rc4_key;
-
+
EVP_CIPHER_CTX_init(&rc4_key);
EVP_CipherInit_ex(&rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1);
EVP_Cipher(&rc4_key, p0 + 24, p0 + 24, 8 + datalen);
{
EVP_CIPHER_CTX rc4_key;
-
+
EVP_CIPHER_CTX_init(&rc4_key);
EVP_CipherInit_ex(&rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1);
EVP_Cipher(&rc4_key, p0 + 8, p0 + 8 /* SND_SEQ */, 8);
{
EVP_CIPHER_CTX rc4_key;
-
+
EVP_CIPHER_CTX_init(&rc4_key);
EVP_CipherInit_ex(&rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1);
EVP_Cipher(&rc4_key, SND_SEQ, p0 + 8, 8);
if(conf_flag) {
EVP_CIPHER_CTX rc4_key;
-
+
EVP_CIPHER_CTX_init(&rc4_key);
EVP_CipherInit_ex(&rc4_key, EVP_rc4(), NULL, k6_data, NULL, 1);
EVP_Cipher(&rc4_key, Confounder, p0 + 24, 8);
gss_iov_buffer_desc *header, *trailer, *padding;
size_t gsshsize, k5hsize;
size_t gsstsize, k5tsize;
- size_t i, rrc = 0, ec = 0;
+ size_t rrc = 0, ec = 0;
+ int i;
gss_cfx_wrap_token token;
krb5_error_code ret;
int32_t seq_number;
token->Flags = 0;
token->Filler = 0xFF;
+ if ((ctx->more_flags & LOCAL) == 0)
+ token->Flags |= CFXSentByAcceptor;
+
if (ctx->more_flags & ACCEPTOR_SUBKEY)
token->Flags |= CFXAcceptorSubkey;
plain packet:
{data | "header" | gss-trailer (krb5 checksum)
-
+
don't do RRC != 0
*/
GSS_IOV_BUFFER_TYPE(iov[i].type) == GSS_IOV_BUFFER_TYPE_PADDING ||
GSS_IOV_BUFFER_TYPE(iov[i].type) == GSS_IOV_BUFFER_TYPE_TRAILER)
len += iov[i].buffer.length;
-
+
p = malloc(len);
if (p == NULL) {
*minor_status = ENOMEM;
q += iov[i].buffer.length;
}
}
- assert((q - p) == len);
+ assert((size_t)(q - p) == len);
/* unrotate first part */
q = p + rrc;
*compat = match_val;
break;
}
-
+
krb5_free_principal(context, match);
match = NULL;
}
if (*time_rec == 0)
return GSS_S_CONTEXT_EXPIRED;
-
+
return GSS_S_COMPLETE;
}
*minor_status = kret;
return GSS_S_FAILURE;
}
-
+
if (keytab_principal) {
krb5_boolean match;
char *str;
GSSAPI_KRB5_INIT (&context);
-
+
if (handle->usage != GSS_C_INITIATE && handle->usage != GSS_C_BOTH) {
*minor_status = GSS_KRB5_S_G_BAD_USAGE;
return GSS_S_FAILURE;
*minor_status = ret;
return GSS_S_FAILURE;
}
-
+
ret = krb5_cc_get_full_name(context, handle->ccache, &str);
if (ret) {
krb5_storage_free(sp);
*minor_status = ret;
return GSS_S_FAILURE;
}
-
+
ret = krb5_store_string(sp, str);
free(str);
if (ret) {
*minor_status = ret;
return GSS_S_FAILURE;
}
-
+
ret = krb5_cc_resolve(context, str, &id);
krb5_xfree(str);
if (ret) {
if (output_token->value == NULL) {
*minor_status = ENOMEM;
return GSS_S_FAILURE;
- }
+ }
p = _gssapi_make_mech_header (output_token->value, len, mech);
memcpy (p, in_data->data, in_data->length);
if (output_token->value == NULL) {
*minor_status = ENOMEM;
return GSS_S_FAILURE;
- }
+ }
p = _gsskrb5_make_header (output_token->value, len, type, mech);
memcpy (p, in_data->data, in_data->length);
GSS_C_MA_SASL_MECH_NAME,
GSS_MO_MA,
"SASL mech name",
- "GS2-KRB5",
+ rk_UNCONST("GS2-KRB5"),
_gss_mo_get_ctx_as_string,
NULL
},
GSS_C_MA_MECH_NAME,
GSS_MO_MA,
"Mechanism name",
- "KRB5",
+ rk_UNCONST("KRB5"),
_gss_mo_get_ctx_as_string,
NULL
},
GSS_C_MA_MECH_DESCRIPTION,
GSS_MO_MA,
"Mechanism description",
- "Heimdal Kerberos 5 mech",
+ rk_UNCONST("Heimdal Kerberos 5 mech"),
_gss_mo_get_ctx_as_string,
NULL
},
static gssapi_mech_interface_desc krb5_mech = {
GMI_VERSION,
"kerberos 5",
- {9, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" },
+ {9, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02") },
0,
_gsskrb5_acquire_cred,
_gsskrb5_release_cred,
_gsskrb5_store_cred,
_gsskrb5_export_cred,
_gsskrb5_import_cred,
- NULL,
+ _gsskrb5_acquire_cred_ext,
NULL,
NULL,
NULL,
NULL,
NULL,
krb5_mo,
- sizeof(krb5_mo) / sizeof(krb5_mo[0])
+ sizeof(krb5_mo) / sizeof(krb5_mo[0]),
+ _gsskrb5_pname_to_uid,
+ _gsskrb5_authorize_localname,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ NULL
};
gssapi_mech_interface
return GSS_S_BAD_NAME;
else if (p->name.name_string.len > 1)
hostname = p->name.name_string.val[1];
-
+
service = p->name.name_string.val[0];
-
+
ret = krb5_sname_to_principal(context,
hostname,
service,
static OM_uint32
set_addresses (krb5_context context,
krb5_auth_context ac,
- const gss_channel_bindings_t input_chan_bindings)
+ const gss_channel_bindings_t input_chan_bindings)
{
/* Port numbers are expected to be in application_data.value,
* initator's port first */
goto failure;
}
- ret = _gss_DES3_get_mic_compat(minor_status, ctx, context);
- if (ret)
- goto failure;
-
-
/*
* This is hideous glue for (NFS) clients that wants to limit the
* available enctypes to what it can support (encryption in
* DNS canonicalizion.
*/
ret = gsskrb5_get_creds(minor_status, context, ctx->ccache,
- ctx, name, 0, time_req,
+ ctx, name, 0, time_req,
time_rec);
if (ret && allow_dns)
ret = gsskrb5_get_creds(minor_status, context, ctx->ccache,
- ctx, name, 1, time_req,
+ ctx, name, 1, time_req,
time_rec);
if (ret)
goto failure;
ctx->lifetime = ctx->kcred->times.endtime;
+ ret = _gss_DES3_get_mic_compat(minor_status, ctx, context);
+ if (ret)
+ goto failure;
+
ret = _gsskrb5_lifetime_left(minor_status,
context,
ctx->lifetime,
Checksum cksum;
krb5_enctype enctype;
krb5_data fwd_data, timedata;
- int32_t offset = 0, oldoffset;
+ int32_t offset = 0, oldoffset = 0;
uint32_t flagmask;
krb5_data_zero(&outbuf);
*/
if (!ctx->kcred->flags.b.ok_as_delegate) {
krb5_data data;
-
+
ret = krb5_cc_get_config(context, ctx->ccache, NULL,
"realm-config", &data);
if (ret == 0) {
output_token->length = outbuf.length;
} else {
ret = _gsskrb5_encapsulate (minor_status, &outbuf, output_token,
- (u_char *)"\x01\x00", GSS_KRB5_MECHANISM);
+ (u_char *)(intptr_t)"\x01\x00",
+ GSS_KRB5_MECHANISM);
krb5_data_free (&outbuf);
if (ret)
goto failure;
*minor_status = kret;
return GSS_S_FAILURE;
}
-
+
/* reset local seq number */
- krb5_auth_con_setlocalseqnumber(context, ctx->auth_context, local_seq);
+ krb5_auth_con_setlocalseqnumber(context, ctx->auth_context, local_seq);
output_token->length = outbuf.length;
output_token->value = outbuf.data;
return GSS_S_BAD_MECH;
if (input_token == GSS_C_NO_BUFFER || input_token->length == 0) {
- OM_uint32 ret;
+ OM_uint32 ret1;
if (*context_handle != GSS_C_NO_CONTEXT) {
*minor_status = 0;
return GSS_S_FAILURE | GSS_S_CALL_BAD_STRUCTURE;
}
- ret = _gsskrb5_create_ctx(minor_status,
+ ret1 = _gsskrb5_create_ctx(minor_status,
context_handle,
context,
input_chan_bindings,
INITIATOR_START);
- if (ret)
- return ret;
+ if (ret1)
+ return ret1;
}
if (*context_handle == GSS_C_NO_CONTEXT) {
ret_flags,
time_rec);
if (ret != GSS_S_COMPLETE)
- break;
+ break;
/* FALL THOUGH */
case INITIATOR_RESTART:
ret = init_auth_restart(minor_status,
if (output_name != NULL) {
if (icred && icred->principal != NULL) {
gss_name_t name;
-
+
if (acred && acred->principal)
name = (gss_name_t)acred->principal;
else
name = (gss_name_t)icred->principal;
-
+
ret = _gsskrb5_duplicate_name(minor_status, name, output_name);
if (ret)
goto out;
if (ret != GSS_S_COMPLETE)
gss_release_oid_set(NULL, name_types);
-
+
return GSS_S_COMPLETE;
}
{
gss_buffer_desc value;
-
+
value.length = data.length;
value.value = data.data;
-
+
maj_stat = gss_add_buffer_set_member(minor_status,
&value,
data_set);
return maj_stat;
}
+static OM_uint32 inquire_sec_context_get_sspi_session_key
+ (OM_uint32 *minor_status,
+ const gsskrb5_ctx context_handle,
+ krb5_context context,
+ gss_buffer_set_t *data_set)
+{
+ krb5_keyblock *key;
+ OM_uint32 maj_stat = GSS_S_COMPLETE;
+ krb5_error_code ret;
+ gss_buffer_desc value;
+
+ HEIMDAL_MUTEX_lock(&context_handle->ctx_id_mutex);
+ ret = _gsskrb5i_get_token_key(context_handle, context, &key);
+ HEIMDAL_MUTEX_unlock(&context_handle->ctx_id_mutex);
+
+ if (ret)
+ goto out;
+ if (key == NULL) {
+ ret = EINVAL;
+ goto out;
+ }
+
+ value.length = key->keyvalue.length;
+ value.value = key->keyvalue.data;
+
+ maj_stat = gss_add_buffer_set_member(minor_status,
+ &value,
+ data_set);
+ krb5_free_keyblock(context, key);
+
+ /* MIT also returns the enctype encoded as an OID in data_set[1] */
+
+out:
+ if (ret) {
+ *minor_status = ret;
+ maj_stat = GSS_S_FAILURE;
+ }
+ return maj_stat;
+}
+
static OM_uint32 inquire_sec_context_authz_data
(OM_uint32 *minor_status,
const gsskrb5_ctx context_handle,
{
gss_buffer_desc value;
-
+
value.length = data.length;
value.value = data.data;
-
+
maj_stat = gss_add_buffer_set_member(minor_status,
&value,
data_set);
context,
ACCEPTOR_KEY,
data_set);
+ } else if (gss_oid_equal(desired_object, GSS_C_INQ_SSPI_SESSION_KEY)) {
+ return inquire_sec_context_get_sspi_session_key(minor_status,
+ ctx,
+ context,
+ data_set);
} else if (gss_oid_equal(desired_object, GSS_KRB5_GET_AUTHTIME_X)) {
return get_authtime(minor_status, ctx, data_set);
} else if (oid_prefix_equal(desired_object,
krb5_crypto crypto;
krb5_data input, output;
uint32_t num;
+ OM_uint32 junk;
unsigned char *p;
krb5_keyblock *key = NULL;
+ size_t dol;
if (ctx == NULL) {
*minor_status = 0;
return GSS_S_NO_CONTEXT;
}
- if (desired_output_len <= 0) {
+ if (desired_output_len <= 0 || prf_in->length + 4 < prf_in->length) {
*minor_status = 0;
return GSS_S_FAILURE;
}
+ dol = desired_output_len;
GSSAPI_KRB5_INIT (&context);
return GSS_S_FAILURE;
}
- prf_out->value = malloc(desired_output_len);
+ prf_out->value = malloc(dol);
if (prf_out->value == NULL) {
_gsskrb5_set_status(GSS_KRB5_S_KG_INPUT_TOO_LONG, "Out of memory");
*minor_status = GSS_KRB5_S_KG_INPUT_TOO_LONG;
krb5_crypto_destroy(context, crypto);
return GSS_S_FAILURE;
}
- prf_out->length = desired_output_len;
+ prf_out->length = dol;
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
input.length = prf_in->length + 4;
input.data = malloc(prf_in->length + 4);
if (input.data == NULL) {
- OM_uint32 junk;
_gsskrb5_set_status(GSS_KRB5_S_KG_INPUT_TOO_LONG, "Out of memory");
*minor_status = GSS_KRB5_S_KG_INPUT_TOO_LONG;
gss_release_buffer(&junk, prf_out);
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
return GSS_S_FAILURE;
}
- memcpy(((unsigned char *)input.data) + 4, prf_in->value, prf_in->length);
+ memcpy(((uint8_t *)input.data) + 4, prf_in->value, prf_in->length);
num = 0;
p = prf_out->value;
- while(desired_output_len > 0) {
+ while(dol > 0) {
+ size_t tsize;
+
_gsskrb5_encode_om_uint32(num, input.data);
+
ret = krb5_crypto_prf(context, crypto, &input, &output);
if (ret) {
- OM_uint32 junk;
*minor_status = ret;
free(input.data);
gss_release_buffer(&junk, prf_out);
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
return GSS_S_FAILURE;
}
- memcpy(p, output.data, min(desired_output_len, output.length));
+
+ tsize = min(dol, output.length);
+ memcpy(p, output.data, tsize);
p += output.length;
- desired_output_len -= output.length;
+ dol -= tsize;
krb5_data_free(&output);
num++;
}
(gsskrb5_ctx)context_handle,
context,
token_buffer, &empty_buffer,
- GSS_C_QOP_DEFAULT, "\x01\x02");
+ GSS_C_QOP_DEFAULT,
+ "\x01\x02");
if (ret == GSS_S_COMPLETE)
ret = _gsskrb5_delete_sec_context(minor_status,
if (*o == NULL) {
*minor_status = ENOMEM;
return GSS_S_FAILURE;
- }
+ }
*minor_status = 0;
return GSS_S_COMPLETE;
_gssapi_msg_order_check(struct gss_msg_order *o, OM_uint32 seq_num)
{
OM_uint32 r;
- int i;
+ size_t i;
if (o == NULL)
return GSS_S_COMPLETE;
cred = (gsskrb5_cred)*cred_handle;
cred->cred_flags |= GSS_CF_NO_CI_FLAGS;
-
+
*minor_status = 0;
return GSS_S_COMPLETE;
if (gss_oid_equal(desired_object, GSS_KRB5_CRED_NO_CI_FLAGS_X)) {
return no_ci_flags(minor_status, context, cred_handle, value);
}
-
+
*minor_status = EINVAL;
return GSS_S_FAILURE;
if (maj_stat != GSS_S_COMPLETE)
return maj_stat;
- _gsskrb5_register_acceptor_identity(str);
+ maj_stat = _gsskrb5_register_acceptor_identity(minor_status, str);
free(str);
- *minor_status = 0;
- return GSS_S_COMPLETE;
+ return maj_stat;
} else if (gss_oid_equal(desired_object, GSS_KRB5_SET_DEFAULT_REALM_X)) {
char *str;
return maj_stat;
t = time(NULL) + offset;
-
+
krb5_set_real_time(context, t, 0);
*minor_status = 0;
*minor_status = ret;
return(GSS_S_FAILURE);
}
-
+
if (default_cred)
krb5_cc_switch(context, id);
DES_key_schedule schedule;
DES_cblock deskey;
DES_cblock zero;
- int i;
+ size_t i;
uint32_t seq_number;
size_t padlength;
OM_uint32 ret;
if(cstate) {
/* decrypt data */
memcpy (&deskey, key->keyvalue.data, sizeof(deskey));
+ memset (&zero, 0, sizeof(zero));
for (i = 0; i < sizeof(deskey); ++i)
deskey[i] ^= 0xf0;
const gss_buffer_t token_buffer,
gss_qop_t * qop_state,
krb5_keyblock *key,
- char *type
+ const char *type
)
{
u_char *p;
const gss_buffer_t token_buffer,
gss_qop_t * qop_state,
krb5_keyblock *key,
- char *type
+ const char *type
)
{
u_char *p;
const gss_buffer_t message_buffer,
const gss_buffer_t token_buffer,
gss_qop_t * qop_state,
- char * type
+ const char * type
)
{
krb5_keyblock *key;
(gsskrb5_ctx)context_handle,
context,
message_buffer, token_buffer,
- qop_state, "\x01\x01");
+ qop_state, (void *)(intptr_t)"\x01\x01");
return ret;
}
EVP_CIPHER_CTX des_ctx;
DES_cblock deskey;
DES_cblock zero;
- int i;
+ size_t i;
int32_t seq_number;
size_t len, total_len, padlength, datalen;
struct _gss_mechanism_cred_list gc_mc;
};
+struct _gss_mechanism_cred *
+_gss_copy_cred(struct _gss_mechanism_cred *mc);
+
+struct _gss_mechanism_name;
+
+OM_uint32
+_gss_acquire_mech_cred(OM_uint32 *minor_status,
+ gssapi_mech_interface m,
+ const struct _gss_mechanism_name *mn,
+ gss_const_OID credential_type,
+ const void *credential_data,
+ OM_uint32 time_req,
+ gss_const_OID desired_mech,
+ gss_cred_usage_t cred_usage,
+ struct _gss_mechanism_cred **output_cred_handle);
+
unsigned char *p = input_token->value;
size_t len = input_token->length;
size_t a, b;
-
+
/*
* Token must start with [APPLICATION 0] SEQUENCE.
* But if it doesn't assume it is DCE-STYLE Kerberos!
*/
if (len == 0)
return (GSS_S_DEFECTIVE_TOKEN);
-
+
p++;
len--;
-
+
/*
* Decode the length and make sure it agrees with the
* token length.
}
if (a != len)
return (GSS_S_DEFECTIVE_TOKEN);
-
+
/*
* Decode the OID for the mechanism. Simplify life by
* assuming that the OID length is less than 128 bytes.
p += 2;
len -= 2;
mech_oid->elements = p;
-
+
return GSS_S_COMPLETE;
-}
+}
static gss_OID_desc krb5_mechanism =
{9, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02")};
acceptor_mc = GSS_C_NO_CREDENTIAL;
}
delegated_mc = GSS_C_NO_CREDENTIAL;
-
+
mech_ret_flags = 0;
major_status = m->gm_accept_sec_context(minor_status,
&ctx->gc_ctx,
mech_ret_flags &=
~(GSS_C_DELEG_FLAG|GSS_C_DELEG_POLICY_FLAG);
} else if (gss_oid_equal(mech_ret_type, &m->gm_mech_oid) == 0) {
- /*
+ /*
* If the returned mech_type is not the same
* as the mech, assume its pseudo mech type
* and the returned type is already a
struct _gss_cred *cred;
struct _gss_mechanism_cred *mc;
OM_uint32 min_time, cred_time;
- int i;
+ size_t i;
*minor_status = 0;
if (output_cred_handle == NULL)
#include "mech_locl.h"
-static struct _gss_mechanism_cred *
+struct _gss_mechanism_cred *
_gss_copy_cred(struct _gss_mechanism_cred *mc)
{
struct _gss_mechanism_cred *new_mc;
*
* @returns a gss_error code, see gss_display_status() about printing
* the error code.
- *
+ *
* @ingroup gssapi
*/
/*
* AEAD support
- */
+ */
#include "mech_locl.h"
int iov_count)
{
struct _gss_context *ctx = (struct _gss_context *) context_handle;
- gssapi_mech_interface m;
+ gssapi_mech_interface m;
if (minor_status)
*minor_status = 0;
int iov_count)
{
OM_uint32 junk;
- size_t i;
+ int i;
if (minor_status)
*minor_status = 0;
gss_release_buffer_set(OM_uint32 * minor_status,
gss_buffer_set_t *buffer_set)
{
- int i;
+ size_t i;
OM_uint32 minor;
*minor_status = 0;
*
* @returns a gss_error code, see gss_display_status() about printing
* the error code.
- *
+ *
* @ingroup gssapi
*/
}
ret = krb5_storage_write(sp, buffer.value, buffer.length);
- if (ret != buffer.length) {
+ if (ret < 0 || (size_t)ret != buffer.length) {
gss_release_buffer(minor_status, &buffer);
krb5_storage_free(sp);
*minor_status = EINVAL;
buffer.value = data.data;
buffer.length = data.length;
- major = m->gm_import_cred(minor_status,
+ major = m->gm_import_cred(minor_status,
&buffer, &mcred);
krb5_data_free(&data);
if (major) {
#include "mech_locl.h"
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
-gss_decapsulate_token(const gss_buffer_t input_token,
- const gss_OID oid,
+gss_decapsulate_token(gss_const_buffer_t input_token,
+ gss_const_OID oid,
gss_buffer_t output_token)
{
GSSAPIContextToken ct;
if (ret) {
der_free_oid(&o);
return GSS_S_FAILURE;
- }
+ }
if (der_heim_oid_cmp(&ct.thisMech, &o) == 0) {
status = GSS_S_COMPLETE;
oid.value = rk_UNCONST("unknown");
oid.length = 7;
}
-
+
e = asprintf (&buf, "unknown mech-code %lu for mech %.*s",
(unsigned long)status_value,
(int)oid.length, (char *)oid.value);
if (major_status != GSS_S_COMPLETE)
return (major_status);
new_name = (struct _gss_name *) *dest_name;
-
+
HEIM_SLIST_FOREACH(mn, &name->gn_mn, gmn_link) {
struct _gss_mechanism_name *mn2;
_gss_find_mn(minor_status, new_name,
memset(new_name, 0, sizeof(struct _gss_name));
HEIM_SLIST_INIT(&new_name->gn_mn);
*dest_name = (gss_name_t) new_name;
-
+
HEIM_SLIST_FOREACH(mn, &name->gn_mn, gmn_link) {
struct _gss_mechanism_name *new_mn;
-
+
new_mn = malloc(sizeof(*new_mn));
if (!new_mn) {
*minor_status = ENOMEM;
}
new_mn->gmn_mech = mn->gmn_mech;
new_mn->gmn_mech_oid = mn->gmn_mech_oid;
-
+
major_status =
mn->gmn_mech->gm_duplicate_name(minor_status,
mn->gmn_name, &new_mn->gmn_name);
#include "mech_locl.h"
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
-gss_encapsulate_token(const gss_buffer_t input_token,
- const gss_OID oid,
+gss_encapsulate_token(gss_const_buffer_t input_token,
+ gss_const_OID oid,
gss_buffer_t output_token)
{
GSSAPIContextToken ct;
if (ret) {
_mg_buffer_zero(output_token);
return GSS_S_FAILURE;
- }
+ }
if (output_token->length != size)
abort();
major_status = m->gm_export_sec_context(minor_status,
&ctx->gc_ctx, &buf);
-
+
if (major_status == GSS_S_COMPLETE) {
unsigned char *p;
gssapi_mech_interface m;
struct _gss_name *name;
gss_name_t new_canonical_name;
+ int composite = 0;
*minor_status = 0;
*output_name = 0;
*/
if (len < 2)
return (GSS_S_BAD_NAME);
- if (p[0] != 4 || p[1] != 1)
+ if (p[0] != 4)
return (GSS_S_BAD_NAME);
+ switch (p[1]) {
+ case 1: /* non-composite name */
+ break;
+ case 2: /* composite name */
+ composite = 1;
+ break;
+ default:
+ return (GSS_S_BAD_NAME);
+ }
p += 2;
len -= 2;
p += 4;
len -= 4;
- if (len != t)
+ if (!composite && len != t)
return (GSS_S_BAD_NAME);
m = __gss_get_mechanism(&mech_oid);
*
* @returns a gss_error code, see gss_display_status() about printing
* the error code.
- *
+ *
* @ingroup gssapi
*/
HEIM_SLIST_FOREACH(m, &_gss_mechs, gm_link) {
int present = 0;
- major_status = gss_test_oid_set_member(minor_status,
+ major_status = gss_test_oid_set_member(minor_status,
name_type, m->gm_name_types, &present);
if (major_status || present == 0)
mech_oid.elements = p + 2;
buf.length = len - 2 - mech_oid.length;
buf.value = p + 2 + mech_oid.length;
-
+
m = __gss_get_mechanism(&mech_oid);
if (!m)
return (GSS_S_DEFECTIVE_TOKEN);
struct _gss_mech_switch *m;
OM_uint32 major_status;
gss_OID_set set;
- int i;
+ size_t i;
_gss_load_mech();
major_status = gss_create_empty_oid_set(minor_status, mech_set);
if (major_status)
return (major_status);
-
+
HEIM_SLIST_FOREACH(m, &_gss_mechs, gm_link) {
if (m->gm_mech.gm_indicate_mechs) {
major_status = m->gm_mech.gm_indicate_mechs(
*
* @returns a gss_error code, see gss_display_status() about printing
* the error code.
- *
+ *
* @ingroup gssapi
*/
gss_OID *mech_type,
OM_uint32 *ctx_flags,
int *locally_initiated,
- int *open)
+ int *xopen)
{
OM_uint32 major_status;
struct _gss_context *ctx = (struct _gss_context *) context_handle;
if (locally_initiated)
*locally_initiated = 0;
- if (open)
- *open = 0;
+ if (xopen)
+ *xopen = 0;
if (lifetime_rec)
*lifetime_rec = 0;
mech_type,
ctx_flags,
locally_initiated,
- open);
+ xopen);
if (major_status != GSS_S_COMPLETE) {
_gss_mg_error(m, major_status, *minor_status);
HEIM_SLIST_FOREACH(mc, &cred->gc_mc, gmc_link) {
gss_buffer_set_t rset = GSS_C_NO_BUFFER_SET;
- int i;
+ size_t i;
m = mc->gmc_mech;
if (m == NULL) {
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
gsskrb5_register_acceptor_identity(const char *identity)
{
- struct _gss_mech_switch *m;
+ gssapi_mech_interface m;
gss_buffer_desc buffer;
OM_uint32 junk;
buffer.value = rk_UNCONST(identity);
buffer.length = strlen(identity);
- HEIM_SLIST_FOREACH(m, &_gss_mechs, gm_link) {
- if (m->gm_mech.gm_set_sec_context_option == NULL)
- continue;
- m->gm_mech.gm_set_sec_context_option(&junk, NULL,
- GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X, &buffer);
- }
+ m = __gss_get_mechanism(GSS_KRB5_MECHANISM);
+ if (m == NULL || m->gm_set_sec_context_option == NULL)
+ return GSS_S_FAILURE;
- return (GSS_S_COMPLETE);
+ return m->gm_set_sec_context_option(&junk, NULL,
+ GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X, &buffer);
}
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
gss_buffer_desc buffer;
krb5_storage *sp;
krb5_data data;
- int i;
+ size_t i;
sp = krb5_storage_emem();
if (sp == NULL) {
if (q) q = q + 1;
number_count++;
}
-
+
/*
* The first two numbers are in the first byte and each
* subsequent number is encoded in a variable byte sequence.
while (bytes) {
if (res) {
int bit = 7*(bytes-1);
-
+
*res = (number >> bit) & 0x7f;
if (bytes != 1)
*res |= 0x80;
#define SYM(name) \
do { \
m->gm_mech.gm_ ## name = dlsym(so, "gss_" #name); \
- if (!m->gm_mech.gm_ ## name) { \
+ if (!m->gm_mech.gm_ ## name || \
+ m->gm_mech.gm_ ##name == gss_ ## name) { \
fprintf(stderr, "can't find symbol gss_" #name "\n"); \
goto bad; \
} \
#define OPTSYM(name) \
do { \
- m->gm_mech.gm_ ## name = dlsym(so, "gss_" #name); \
+ m->gm_mech.gm_ ## name = dlsym(so, "gss_" #name); \
+ if (m->gm_mech.gm_ ## name == gss_ ## name) \
+ m->gm_mech.gm_ ## name = NULL; \
+} while (0)
+
+#define OPTSPISYM(name) \
+do { \
+ m->gm_mech.gm_ ## name = dlsym(so, "gssspi_" #name); \
+} while (0)
+
+#define COMPATSYM(name) \
+do { \
+ m->gm_mech.gm_compat->gmc_ ## name = dlsym(so, "gss_" #name); \
+ if (m->gm_mech.gm_compat->gmc_ ## name == gss_ ## name) \
+ m->gm_mech.gm_compat->gmc_ ## name = NULL; \
+} while (0)
+
+#define COMPATSPISYM(name) \
+do { \
+ m->gm_mech.gm_compat->gmc_ ## name = dlsym(so, "gssspi_" #name);\
+ if (m->gm_mech.gm_compat->gmc_ ## name == gss_ ## name) \
+ m->gm_mech.gm_compat->gmc_ ## name = NULL; \
} while (0)
/*
#endif
so = dlopen(lib, RTLD_LAZY | RTLD_LOCAL | RTLD_GROUP);
- if (!so) {
+ if (so == NULL) {
/* fprintf(stderr, "dlopen: %s\n", dlerror()); */
- free(mech_oid.elements);
- continue;
+ goto bad;
}
- m = malloc(sizeof(*m));
- if (!m) {
- free(mech_oid.elements);
- break;
- }
+ m = calloc(1, sizeof(*m));
+ if (m == NULL)
+ goto bad;
+
m->gm_so = so;
m->gm_mech.gm_mech_oid = mech_oid;
m->gm_mech.gm_flags = 0;
-
+ m->gm_mech.gm_compat = calloc(1, sizeof(struct gss_mech_compat_desc_struct));
+ if (m->gm_mech.gm_compat == NULL)
+ goto bad;
+
major_status = gss_add_oid_set_member(&minor_status,
&m->gm_mech.gm_mech_oid, &_gss_mech_oids);
- if (major_status) {
- free(m->gm_mech.gm_mech_oid.elements);
- free(m);
- continue;
- }
+ if (GSS_ERROR(major_status))
+ goto bad;
SYM(acquire_cred);
SYM(release_cred);
OPTSYM(inquire_cred_by_oid);
OPTSYM(inquire_sec_context_by_oid);
OPTSYM(set_sec_context_option);
- OPTSYM(set_cred_option);
+ OPTSPISYM(set_cred_option);
OPTSYM(pseudo_random);
OPTSYM(wrap_iov);
OPTSYM(unwrap_iov);
OPTSYM(wrap_iov_length);
+ OPTSYM(store_cred);
+ OPTSYM(export_cred);
+ OPTSYM(import_cred);
+#if 0
+ OPTSYM(acquire_cred_ext);
+ OPTSYM(iter_creds);
+ OPTSYM(destroy_cred);
+ OPTSYM(cred_hold);
+ OPTSYM(cred_unhold);
+ OPTSYM(cred_label_get);
+ OPTSYM(cred_label_set);
+#endif
OPTSYM(display_name_ext);
OPTSYM(inquire_name);
OPTSYM(get_name_attribute);
OPTSYM(set_name_attribute);
OPTSYM(delete_name_attribute);
OPTSYM(export_name_composite);
+ OPTSYM(pname_to_uid);
+ OPTSPISYM(authorize_localname);
mi = dlsym(so, "gss_mo_init");
if (mi != NULL) {
- major_status = mi(&minor_status,
- &mech_oid,
- &m->gm_mech.gm_mo,
- &m->gm_mech.gm_mo_num);
+ major_status = mi(&minor_status, &mech_oid,
+ &m->gm_mech.gm_mo, &m->gm_mech.gm_mo_num);
if (GSS_ERROR(major_status))
goto bad;
+ } else {
+ /* API-as-SPI compatibility */
+ COMPATSYM(inquire_saslname_for_mech);
+ COMPATSYM(inquire_mech_for_saslname);
+ COMPATSYM(inquire_attrs_for_mech);
+ COMPATSPISYM(acquire_cred_with_password);
}
+ /* pick up the oid sets of names */
+
+ if (m->gm_mech.gm_inquire_names_for_mech)
+ (*m->gm_mech.gm_inquire_names_for_mech)(&minor_status,
+ &m->gm_mech.gm_mech_oid, &m->gm_name_types);
+
+ if (m->gm_name_types == NULL)
+ gss_create_empty_oid_set(&minor_status, &m->gm_name_types);
+
HEIM_SLIST_INSERT_HEAD(&_gss_mechs, m, gm_link);
continue;
bad:
- free(m->gm_mech.gm_mech_oid.elements);
- free(m);
+ if (m != NULL) {
+ free(m->gm_mech.gm_compat);
+ free(m->gm_mech.gm_mech_oid.elements);
+ free(m);
+ }
dlclose(so);
continue;
}
* All rights reserved.
*
* Portions Copyright (c) 2010 Apple Inc. All rights reserved.
+ * Portions Copyright (c) 2010 PADL Software Pty Ltd. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
#include "mech_locl.h"
+#include <crypto-headers.h>
+
static int
get_option_def(int def, gss_const_OID mech, gss_mo_desc *mo, gss_buffer_t value)
{
return def;
}
-
int
_gss_mo_get_option_1(gss_const_OID mech, gss_mo_desc *mo, gss_buffer_t value)
{
if (value) {
value->value = strdup((char *)mo->ctx);
if (value->value == NULL)
- return 1;
+ return GSS_S_FAILURE;
value->length = strlen((char *)mo->ctx);
}
- return 0;
+ return GSS_S_COMPLETE;
}
GSSAPI_LIB_FUNCTION int GSSAPI_LIB_CALL
for (n = 0; n < m->gm_mo_num; n++)
if (gss_oid_equal(option, m->gm_mo[n].option) && m->gm_mo[n].set)
return m->gm_mo[n].set(mech, &m->gm_mo[n], enable, value);
- return 0;
+
+ return GSS_S_UNAVAILABLE;
}
GSSAPI_LIB_FUNCTION int GSSAPI_LIB_CALL
_mg_buffer_zero(value);
if ((m = __gss_get_mechanism(mech)) == NULL)
- return 0;
+ return GSS_S_BAD_MECH;
for (n = 0; n < m->gm_mo_num; n++)
if (gss_oid_equal(option, m->gm_mo[n].option) && m->gm_mo[n].get)
return m->gm_mo[n].get(mech, &m->gm_mo[n], value);
- return 0;
+ return GSS_S_UNAVAILABLE;
}
static void
for (n = 0; n < m->gm_mo_num; n++) {
if (gss_oid_equal(option, m->gm_mo[n].option)) {
/*
- * If ther is no name, its because its a GSS_C_MA and there is already a table for that.
+ * If there is no name, its because its a GSS_C_MA and
+ * there is already a table for that.
*/
if (m->gm_mo[n].name) {
name->value = strdup(m->gm_mo[n].name);
if (name == NULL)
return GSS_S_COMPLETE;
- if (gss_mo_get(mech, option, name) != 0 && name->length == 0)
- return GSS_S_FAILURE;
+ return gss_mo_get(mech, option, name);
+}
+
+/* code derived from draft-ietf-cat-sasl-gssapi-01 */
+static char basis_32[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
+
+static OM_uint32
+make_sasl_name(OM_uint32 *minor, const gss_OID mech, char sasl_name[16])
+{
+ EVP_MD_CTX *ctx;
+ char *p = sasl_name;
+ u_char hdr[2], hash[20], *h = hash;
+
+ if (mech->length > 127)
+ return GSS_S_BAD_MECH;
+
+ hdr[0] = 0x06;
+ hdr[1] = mech->length;
+
+ ctx = EVP_MD_CTX_create();
+ EVP_DigestInit_ex(ctx, EVP_sha1(), NULL);
+ EVP_DigestUpdate(ctx, hdr, 2);
+ EVP_DigestUpdate(ctx, mech->elements, mech->length);
+ EVP_DigestFinal_ex(ctx, hash, NULL);
+
+ memcpy(p, "GS2-", 4);
+ p += 4;
+
+ *p++ = basis_32[(h[0] >> 3)];
+ *p++ = basis_32[((h[0] & 7) << 2) | (h[1] >> 6)];
+ *p++ = basis_32[(h[1] & 0x3f) >> 1];
+ *p++ = basis_32[((h[1] & 1) << 4) | (h[2] >> 4)];
+ *p++ = basis_32[((h[2] & 0xf) << 1) | (h[3] >> 7)];
+ *p++ = basis_32[(h[3] & 0x7f) >> 2];
+ *p++ = basis_32[((h[3] & 3) << 3) | (h[4] >> 5)];
+ *p++ = basis_32[(h[4] & 0x1f)];
+ *p++ = basis_32[(h[5] >> 3)];
+ *p++ = basis_32[((h[5] & 7) << 2) | (h[6] >> 6)];
+ *p++ = basis_32[(h[6] & 0x3f) >> 1];
+
+ *p = '\0';
return GSS_S_COMPLETE;
}
+/*
+ * gss_inquire_saslname_for_mech() wrapper that uses MIT SPI
+ */
+static OM_uint32
+inquire_saslname_for_mech_compat(OM_uint32 *minor,
+ const gss_OID desired_mech,
+ gss_buffer_t sasl_mech_name,
+ gss_buffer_t mech_name,
+ gss_buffer_t mech_description)
+{
+ struct gss_mech_compat_desc_struct *gmc;
+ gssapi_mech_interface m;
+ OM_uint32 major;
+
+ m = __gss_get_mechanism(desired_mech);
+ if (m == NULL)
+ return GSS_S_BAD_MECH;
+
+ gmc = m->gm_compat;
+
+ if (gmc != NULL && gmc->gmc_inquire_saslname_for_mech != NULL) {
+ major = gmc->gmc_inquire_saslname_for_mech(minor,
+ desired_mech,
+ sasl_mech_name,
+ mech_name,
+ mech_description);
+ } else {
+ major = GSS_S_UNAVAILABLE;
+ }
+
+ return major;
+}
+
/**
- * Returns differnt protocol names and description of the mechanism.
+ * Returns different protocol names and description of the mechanism.
*
* @param minor_status minor status code
* @param desired_mech mech list query
return GSS_S_BAD_MECH;
major = mo_value(desired_mech, GSS_C_MA_SASL_MECH_NAME, sasl_mech_name);
- if (major) return major;
+ if (major == GSS_S_COMPLETE) {
+ /* Native SPI */
+ major = mo_value(desired_mech, GSS_C_MA_MECH_NAME, mech_name);
+ if (GSS_ERROR(major))
+ return major;
+
+ major = mo_value(desired_mech, GSS_C_MA_MECH_DESCRIPTION, mech_description);
+ if (GSS_ERROR(major))
+ return major;
+ }
- major = mo_value(desired_mech, GSS_C_MA_MECH_NAME, mech_name);
- if (major) return major;
+ if (GSS_ERROR(major)) {
+ /* API-as-SPI compatibility */
+ major = inquire_saslname_for_mech_compat(minor_status,
+ desired_mech,
+ sasl_mech_name,
+ mech_name,
+ mech_description);
+ }
- major = mo_value(desired_mech, GSS_C_MA_MECH_DESCRIPTION, mech_description);
- if (major) return major;
+ if (GSS_ERROR(major)) {
+ /* Algorithmically dervied SASL mechanism name */
+ char buf[16];
+ gss_buffer_desc tmp = { sizeof(buf) - 1, buf };
- return GSS_S_COMPLETE;
+ major = make_sasl_name(minor_status, desired_mech, buf);
+ if (GSS_ERROR(major))
+ return major;
+
+ major = _gss_copy_buffer(minor_status, &tmp, sasl_mech_name);
+ if (GSS_ERROR(major))
+ return major;
+ }
+
+ return major;
}
/**
{
struct _gss_mech_switch *m;
gss_buffer_desc name;
- OM_uint32 major;
+ OM_uint32 major, junk;
+ char buf[16];
_gss_load_mech();
*mech_type = NULL;
HEIM_SLIST_FOREACH(m, &_gss_mechs, gm_link) {
-
- major = mo_value(&m->gm_mech_oid, GSS_C_MA_SASL_MECH_NAME, &name);
- if (major)
- continue;
- if (name.length == sasl_mech_name->length &&
- memcmp(name.value, sasl_mech_name->value, name.length) == 0) {
- gss_release_buffer(&major, &name);
- *mech_type = &m->gm_mech_oid;
- return 0;
+ struct gss_mech_compat_desc_struct *gmc;
+
+ /* Native SPI */
+ major = mo_value(&m->gm_mech_oid, GSS_C_MA_SASL_MECH_NAME, &name);
+ if (major == GSS_S_COMPLETE &&
+ name.length == sasl_mech_name->length &&
+ memcmp(name.value, sasl_mech_name->value, name.length) == 0) {
+ gss_release_buffer(&junk, &name);
+ *mech_type = &m->gm_mech_oid;
+ return GSS_S_COMPLETE;
}
- gss_release_buffer(&major, &name);
+ gss_release_buffer(&junk, &name);
+
+ if (GSS_ERROR(major)) {
+ /* API-as-SPI compatibility */
+ gmc = m->gm_mech.gm_compat;
+ if (gmc && gmc->gmc_inquire_mech_for_saslname) {
+ major = gmc->gmc_inquire_mech_for_saslname(minor_status,
+ sasl_mech_name,
+ mech_type);
+ if (major == GSS_S_COMPLETE)
+ return GSS_S_COMPLETE;
+ }
+ }
+
+ if (GSS_ERROR(major)) {
+ /* Algorithmically dervied SASL mechanism name */
+ if (sasl_mech_name->length == 16 &&
+ make_sasl_name(minor_status, &m->gm_mech_oid, buf) == GSS_S_COMPLETE &&
+ memcmp(buf, sasl_mech_name->value, 16) == 0) {
+ *mech_type = &m->gm_mech_oid;
+ return GSS_S_COMPLETE;
+ }
+ }
}
return GSS_S_BAD_MECH;
}
+/*
+ * Test mechanism against indicated attributes using both Heimdal and
+ * MIT SPIs.
+ */
+static int
+test_mech_attrs(gssapi_mech_interface mi,
+ gss_const_OID_set mech_attrs,
+ gss_const_OID_set against_attrs,
+ int except)
+{
+ size_t n, m;
+ int eq = 0;
+
+ if (against_attrs == GSS_C_NO_OID_SET)
+ return 1;
+
+ for (n = 0; n < against_attrs->count; n++) {
+ for (m = 0; m < mi->gm_mo_num; m++) {
+ eq = gss_oid_equal(mi->gm_mo[m].option,
+ &against_attrs->elements[n]);
+ if (eq)
+ break;
+ }
+ if (mech_attrs != GSS_C_NO_OID_SET) {
+ for (m = 0; m < mech_attrs->count; m++) {
+ eq = gss_oid_equal(&mech_attrs->elements[m],
+ &against_attrs->elements[n]);
+ if (eq)
+ break;
+ }
+ }
+ if (!eq ^ except)
+ return 0;
+ }
+
+ return 1;
+}
+
/**
* Return set of mechanism that fullfill the criteria
*
gss_OID_set *mechs)
{
struct _gss_mech_switch *ms;
+ gss_OID_set mech_attrs = GSS_C_NO_OID_SET;
+ gss_OID_set known_mech_attrs = GSS_C_NO_OID_SET;
OM_uint32 major;
- size_t n, m;
major = gss_create_empty_oid_set(minor_status, mechs);
- if (major)
+ if (GSS_ERROR(major))
return major;
_gss_load_mech();
HEIM_SLIST_FOREACH(ms, &_gss_mechs, gm_link) {
gssapi_mech_interface mi = &ms->gm_mech;
-
- if (desired_mech_attrs) {
- for (n = 0; n < desired_mech_attrs->count; n++) {
- for (m = 0; m < mi->gm_mo_num; m++)
- if (gss_oid_equal(mi->gm_mo[m].option, &desired_mech_attrs->elements[n]))
- break;
- if (m == mi->gm_mo_num)
- goto next;
- }
- }
-
- if (except_mech_attrs) {
- for (n = 0; n < desired_mech_attrs->count; n++) {
- for (m = 0; m < mi->gm_mo_num; m++) {
- if (gss_oid_equal(mi->gm_mo[m].option, &desired_mech_attrs->elements[n]))
- goto next;
- }
- }
- }
-
- if (critical_mech_attrs) {
- for (n = 0; n < desired_mech_attrs->count; n++) {
- for (m = 0; m < mi->gm_mo_num; m++) {
- if (mi->gm_mo[m].flags & GSS_MO_MA_CRITICAL)
- continue;
- if (gss_oid_equal(mi->gm_mo[m].option, &desired_mech_attrs->elements[n]))
- break;
- }
- if (m == mi->gm_mo_num)
- goto next;
- }
- }
-
-
- next:
- do { } while(0);
+ struct gss_mech_compat_desc_struct *gmc = mi->gm_compat;
+ OM_uint32 tmp;
+
+ if (gmc && gmc->gmc_inquire_attrs_for_mech) {
+ major = gmc->gmc_inquire_attrs_for_mech(minor_status,
+ &mi->gm_mech_oid,
+ &mech_attrs,
+ &known_mech_attrs);
+ if (GSS_ERROR(major))
+ continue;
+ }
+
+ /*
+ * Test mechanism supports all of desired_mech_attrs;
+ * none of except_mech_attrs;
+ * and knows of all critical_mech_attrs.
+ */
+ if (test_mech_attrs(mi, mech_attrs, desired_mech_attrs, 0) &&
+ test_mech_attrs(mi, mech_attrs, except_mech_attrs, 1) &&
+ test_mech_attrs(mi, known_mech_attrs, critical_mech_attrs, 0)) {
+ major = gss_add_oid_set_member(minor_status, &mi->gm_mech_oid, mechs);
+ }
+
+ gss_release_oid_set(&tmp, &mech_attrs);
+ gss_release_oid_set(&tmp, &known_mech_attrs);
+
+ if (GSS_ERROR(major))
+ break;
}
-
- return GSS_S_FAILURE;
+ return major;
}
/**
{
OM_uint32 major, junk;
+ if (known_mech_attrs)
+ *known_mech_attrs = GSS_C_NO_OID_SET;
+
if (mech_attr && mech) {
gssapi_mech_interface m;
+ struct gss_mech_compat_desc_struct *gmc;
if ((m = __gss_get_mechanism(mech)) == NULL) {
*minor_status = 0;
return GSS_S_BAD_MECH;
}
- major = gss_create_empty_oid_set(minor_status, mech_attr);
- if (major != GSS_S_COMPLETE)
+ gmc = m->gm_compat;
+
+ if (gmc && gmc->gmc_inquire_attrs_for_mech) {
+ major = gmc->gmc_inquire_attrs_for_mech(minor_status,
+ mech,
+ mech_attr,
+ known_mech_attrs);
+ } else {
+ major = gss_create_empty_oid_set(minor_status, mech_attr);
+ if (major == GSS_S_COMPLETE)
+ add_all_mo(m, mech_attr, GSS_MO_MA);
+ }
+ if (GSS_ERROR(major))
return major;
-
- add_all_mo(m, mech_attr, GSS_MO_MA);
- }
+ }
if (known_mech_attrs) {
struct _gss_mech_switch *m;
- major = gss_create_empty_oid_set(minor_status, known_mech_attrs);
- if (major) {
- if (mech_attr)
- gss_release_oid_set(&junk, mech_attr);
- return major;
- }
+ if (*known_mech_attrs == GSS_C_NO_OID_SET) {
+ major = gss_create_empty_oid_set(minor_status, known_mech_attrs);
+ if (GSS_ERROR(major)) {
+ if (mech_attr)
+ gss_release_oid_set(&junk, mech_attr);
+ return major;
+ }
+ }
_gss_load_mech();
return GSS_S_BAD_MECH_ATTR;
if (name) {
- gss_buffer_desc n;
- n.value = rk_UNCONST(ma->name);
- n.length = strlen(ma->name);
- major = _gss_copy_buffer(minor_status, &n, name);
+ gss_buffer_desc bd;
+ bd.value = rk_UNCONST(ma->name);
+ bd.length = strlen(ma->name);
+ major = _gss_copy_buffer(minor_status, &bd, name);
if (major != GSS_S_COMPLETE)
return major;
}
if (short_desc) {
- gss_buffer_desc n;
- n.value = rk_UNCONST(ma->short_desc);
- n.length = strlen(ma->short_desc);
- major = _gss_copy_buffer(minor_status, &n, short_desc);
+ gss_buffer_desc bd;
+ bd.value = rk_UNCONST(ma->short_desc);
+ bd.length = strlen(ma->short_desc);
+ major = _gss_copy_buffer(minor_status, &bd, short_desc);
if (major != GSS_S_COMPLETE)
return major;
}
if (long_desc) {
- gss_buffer_desc n;
- n.value = rk_UNCONST(ma->long_desc);
- n.length = strlen(ma->long_desc);
- major = _gss_copy_buffer(minor_status, &n, long_desc);
+ gss_buffer_desc bd;
+ bd.value = rk_UNCONST(ma->long_desc);
+ bd.length = strlen(ma->long_desc);
+ major = _gss_copy_buffer(minor_status, &bd, long_desc);
if (major != GSS_S_COMPLETE)
return major;
}
mn = malloc(sizeof(struct _gss_mechanism_name));
if (!mn)
return GSS_S_FAILURE;
-
+
major_status = m->gm_import_name(minor_status,
&name->gn_value,
(name->gn_type.elements
#include "mech_locl.h"
/* GSS_KRB5_COPY_CCACHE_X - 1.2.752.43.13.1 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_copy_ccache_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x01" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_copy_ccache_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x01") };
/* GSS_KRB5_GET_TKT_FLAGS_X - 1.2.752.43.13.2 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_tkt_flags_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x02" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_tkt_flags_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x02") };
/* GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X - 1.2.752.43.13.3 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_extract_authz_data_from_sec_context_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x03" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_extract_authz_data_from_sec_context_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x03") };
/* GSS_KRB5_COMPAT_DES3_MIC_X - 1.2.752.43.13.4 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_compat_des3_mic_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x04" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_compat_des3_mic_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x04") };
/* GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X - 1.2.752.43.13.5 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_register_acceptor_identity_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x05" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_register_acceptor_identity_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x05") };
/* GSS_KRB5_EXPORT_LUCID_CONTEXT_X - 1.2.752.43.13.6 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_export_lucid_context_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x06" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_export_lucid_context_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x06") };
/* GSS_KRB5_EXPORT_LUCID_CONTEXT_V1_X - 1.2.752.43.13.6.1 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_export_lucid_context_v1_x_oid_desc = { 7, "\x2a\x85\x70\x2b\x0d\x06\x01" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_export_lucid_context_v1_x_oid_desc = { 7, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x06\x01") };
/* GSS_KRB5_SET_DNS_CANONICALIZE_X - 1.2.752.43.13.7 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_set_dns_canonicalize_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x07" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_set_dns_canonicalize_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x07") };
/* GSS_KRB5_GET_SUBKEY_X - 1.2.752.43.13.8 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_subkey_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x08" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_subkey_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x08") };
/* GSS_KRB5_GET_INITIATOR_SUBKEY_X - 1.2.752.43.13.9 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_initiator_subkey_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x09" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_initiator_subkey_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x09") };
/* GSS_KRB5_GET_ACCEPTOR_SUBKEY_X - 1.2.752.43.13.10 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_acceptor_subkey_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x0a" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_acceptor_subkey_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0a") };
/* GSS_KRB5_SEND_TO_KDC_X - 1.2.752.43.13.11 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_send_to_kdc_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x0b" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_send_to_kdc_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0b") };
/* GSS_KRB5_GET_AUTHTIME_X - 1.2.752.43.13.12 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_authtime_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x0c" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_authtime_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0c") };
/* GSS_KRB5_GET_SERVICE_KEYBLOCK_X - 1.2.752.43.13.13 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_service_keyblock_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x0d" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_service_keyblock_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0d") };
/* GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X - 1.2.752.43.13.14 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_set_allowable_enctypes_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x0e" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_set_allowable_enctypes_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0e") };
/* GSS_KRB5_SET_DEFAULT_REALM_X - 1.2.752.43.13.15 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_set_default_realm_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x0f" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_set_default_realm_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0f") };
/* GSS_KRB5_CCACHE_NAME_X - 1.2.752.43.13.16 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_ccache_name_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x10" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_ccache_name_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x10") };
/* GSS_KRB5_SET_TIME_OFFSET_X - 1.2.752.43.13.17 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_set_time_offset_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x11" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_set_time_offset_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x11") };
/* GSS_KRB5_GET_TIME_OFFSET_X - 1.2.752.43.13.18 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_time_offset_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x12" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_time_offset_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x12") };
/* GSS_KRB5_PLUGIN_REGISTER_X - 1.2.752.43.13.19 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_plugin_register_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x13" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_plugin_register_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x13") };
/* GSS_NTLM_GET_SESSION_KEY_X - 1.2.752.43.13.20 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_ntlm_get_session_key_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x14" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_ntlm_get_session_key_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x14") };
/* GSS_C_NT_NTLM - 1.2.752.43.13.21 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_nt_ntlm_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x15" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_nt_ntlm_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x15") };
/* GSS_C_NT_DN - 1.2.752.43.13.22 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_nt_dn_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x16" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_nt_dn_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x16") };
/* GSS_KRB5_NT_PRINCIPAL_NAME_REFERRAL - 1.2.752.43.13.23 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_nt_principal_name_referral_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x17" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_nt_principal_name_referral_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x17") };
/* GSS_C_NTLM_AVGUEST - 1.2.752.43.13.24 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_avguest_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x18" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_avguest_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x18") };
/* GSS_C_NTLM_V1 - 1.2.752.43.13.25 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_v1_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x19" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_v1_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x19") };
/* GSS_C_NTLM_V2 - 1.2.752.43.13.26 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_v2_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x1a" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_v2_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x1a") };
/* GSS_C_NTLM_SESSION_KEY - 1.2.752.43.13.27 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_session_key_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x1b" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_session_key_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x1b") };
/* GSS_C_NTLM_FORCE_V1 - 1.2.752.43.13.28 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_force_v1_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x1c" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_force_v1_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x1c") };
/* GSS_KRB5_CRED_NO_CI_FLAGS_X - 1.2.752.43.13.29 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_cred_no_ci_flags_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x1d" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_cred_no_ci_flags_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x1d") };
/* GSS_KRB5_IMPORT_CRED_X - 1.2.752.43.13.30 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_import_cred_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x1e" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_import_cred_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x1e") };
/* GSS_C_MA_SASL_MECH_NAME - 1.2.752.43.13.100 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_sasl_mech_name_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x64" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_sasl_mech_name_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x64") };
/* GSS_C_MA_MECH_NAME - 1.2.752.43.13.101 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_name_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x65" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_name_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x65") };
/* GSS_C_MA_MECH_DESCRIPTION - 1.2.752.43.13.102 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_description_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x66" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_description_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x66") };
+
+/* GSS_C_CRED_PASSWORD - 1.2.752.43.13.200 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_cred_password_oid_desc = { 7, "\x2a\x85\x70\x2b\x0d\x81\x48" };
+
+/* GSS_C_CRED_CERTIFICATE - 1.2.752.43.13.201 */
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_cred_certificate_oid_desc = { 7, "\x2a\x85\x70\x2b\x0d\x81\x49" };
/* GSS_SASL_DIGEST_MD5_MECHANISM - 1.2.752.43.14.1 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_sasl_digest_md5_mechanism_oid_desc = { 6, "\x2a\x85\x70\x2b\x0e\x01" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_sasl_digest_md5_mechanism_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0e\x01") };
/* GSS_NETLOGON_MECHANISM - 1.2.752.43.14.2 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_netlogon_mechanism_oid_desc = { 6, "\x2a\x85\x70\x2b\x0e\x02" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_netlogon_mechanism_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0e\x02") };
/* GSS_NETLOGON_SET_SESSION_KEY_X - 1.2.752.43.14.3 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_netlogon_set_session_key_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0e\x03" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_netlogon_set_session_key_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0e\x03") };
/* GSS_NETLOGON_SET_SIGN_ALGORITHM_X - 1.2.752.43.14.4 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_netlogon_set_sign_algorithm_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0e\x04" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_netlogon_set_sign_algorithm_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0e\x04") };
/* GSS_NETLOGON_NT_NETBIOS_DNS_NAME - 1.2.752.43.14.5 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_netlogon_nt_netbios_dns_name_oid_desc = { 6, "\x2a\x85\x70\x2b\x0e\x05" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_netlogon_nt_netbios_dns_name_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0e\x05") };
/* GSS_C_INQ_WIN2K_PAC_X - 1.2.752.43.13.3.128 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_inq_win2k_pac_x_oid_desc = { 8, "\x2a\x85\x70\x2b\x0d\x03\x81\x00" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_inq_win2k_pac_x_oid_desc = { 8, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x03\x81\x00") };
/* GSS_C_INQ_SSPI_SESSION_KEY - 1.2.840.113554.1.2.2.5.5 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_inq_sspi_session_key_oid_desc = { 11, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x05" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_inq_sspi_session_key_oid_desc = { 11, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x05") };
/* GSS_KRB5_MECHANISM - 1.2.840.113554.1.2.2 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_mechanism_oid_desc = { 9, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_mechanism_oid_desc = { 9, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02") };
/* GSS_NTLM_MECHANISM - 1.3.6.1.4.1.311.2.2.10 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_ntlm_mechanism_oid_desc = { 10, "\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_ntlm_mechanism_oid_desc = { 10, rk_UNCONST("\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a") };
/* GSS_SPNEGO_MECHANISM - 1.3.6.1.5.5.2 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_spnego_mechanism_oid_desc = { 6, "\x2b\x06\x01\x05\x05\x02" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_spnego_mechanism_oid_desc = { 6, rk_UNCONST("\x2b\x06\x01\x05\x05\x02") };
/* GSS_C_PEER_HAS_UPDATED_SPNEGO - 1.3.6.1.4.1.9513.19.5 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_peer_has_updated_spnego_oid_desc = { 9, "\x2b\x06\x01\x04\x01\xca\x29\x13\x05" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_peer_has_updated_spnego_oid_desc = { 9, rk_UNCONST("\x2b\x06\x01\x04\x01\xca\x29\x13\x05") };
/* GSS_C_MA_MECH_CONCRETE - 1.3.6.1.5.5.13.1 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_concrete_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x01" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_concrete_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x01") };
/* GSS_C_MA_MECH_PSEUDO - 1.3.6.1.5.5.13.2 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_pseudo_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x02" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_pseudo_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x02") };
/* GSS_C_MA_MECH_COMPOSITE - 1.3.6.1.5.5.13.3 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_composite_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x03" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_composite_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x03") };
/* GSS_C_MA_MECH_NEGO - 1.3.6.1.5.5.13.4 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_nego_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x04" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_nego_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x04") };
/* GSS_C_MA_MECH_GLUE - 1.3.6.1.5.5.13.5 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_glue_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x05" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_glue_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x05") };
/* GSS_C_MA_NOT_MECH - 1.3.6.1.5.5.13.6 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_not_mech_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x06" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_not_mech_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x06") };
/* GSS_C_MA_DEPRECATED - 1.3.6.1.5.5.13.7 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_deprecated_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x07" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_deprecated_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x07") };
/* GSS_C_MA_NOT_DFLT_MECH - 1.3.6.1.5.5.13.8 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_not_dflt_mech_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x08" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_not_dflt_mech_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x08") };
/* GSS_C_MA_ITOK_FRAMED - 1.3.6.1.5.5.13.9 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_itok_framed_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x09" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_itok_framed_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x09") };
/* GSS_C_MA_AUTH_INIT - 1.3.6.1.5.5.13.10 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_init_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x0a" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_init_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x0a") };
/* GSS_C_MA_AUTH_TARG - 1.3.6.1.5.5.13.11 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_targ_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x0b" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_targ_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x0b") };
/* GSS_C_MA_AUTH_INIT_INIT - 1.3.6.1.5.5.13.12 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_init_init_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x0c" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_init_init_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x0c") };
/* GSS_C_MA_AUTH_TARG_INIT - 1.3.6.1.5.5.13.13 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_targ_init_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x0d" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_targ_init_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x0d") };
/* GSS_C_MA_AUTH_INIT_ANON - 1.3.6.1.5.5.13.14 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_init_anon_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x0e" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_init_anon_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x0e") };
/* GSS_C_MA_AUTH_TARG_ANON - 1.3.6.1.5.5.13.15 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_targ_anon_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x0f" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_targ_anon_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x0f") };
/* GSS_C_MA_DELEG_CRED - 1.3.6.1.5.5.13.16 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_deleg_cred_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x10" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_deleg_cred_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x10") };
/* GSS_C_MA_INTEG_PROT - 1.3.6.1.5.5.13.17 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_integ_prot_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x11" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_integ_prot_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x11") };
/* GSS_C_MA_CONF_PROT - 1.3.6.1.5.5.13.18 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_conf_prot_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x12" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_conf_prot_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x12") };
/* GSS_C_MA_MIC - 1.3.6.1.5.5.13.19 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mic_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x13" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mic_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x13") };
/* GSS_C_MA_WRAP - 1.3.6.1.5.5.13.20 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_wrap_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x14" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_wrap_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x14") };
/* GSS_C_MA_PROT_READY - 1.3.6.1.5.5.13.21 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_prot_ready_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x15" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_prot_ready_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x15") };
/* GSS_C_MA_REPLAY_DET - 1.3.6.1.5.5.13.22 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_replay_det_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x16" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_replay_det_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x16") };
/* GSS_C_MA_OOS_DET - 1.3.6.1.5.5.13.23 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_oos_det_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x17" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_oos_det_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x17") };
/* GSS_C_MA_CBINDINGS - 1.3.6.1.5.5.13.24 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_cbindings_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x18" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_cbindings_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x18") };
/* GSS_C_MA_PFS - 1.3.6.1.5.5.13.25 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_pfs_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x19" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_pfs_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x19") };
/* GSS_C_MA_COMPRESS - 1.3.6.1.5.5.13.26 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_compress_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x1a" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_compress_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x1a") };
/* GSS_C_MA_CTX_TRANS - 1.3.6.1.5.5.13.27 */
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_ctx_trans_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x1b" };
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_ctx_trans_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x1b") };
struct _gss_oid_name_table _gss_ont_ma[] = {
{ GSS_C_MA_COMPRESS, "GSS_C_MA_COMPRESS", "compress", "" },
*
* @return non-zero when both oid are the same OID, zero when they are
* not the same.
- *
+ *
* @ingroup gssapi
*/
*
* @returns a gss_error code, see gss_display_status() about printing
* the error code.
- *
+ *
* @ingroup gssapi
*/
GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
HEIM_SLIST_FOREACH(mc, &cred->gc_mc, gmc_link) {
m = mc->gmc_mech;
-
+
if (m == NULL)
return GSS_S_BAD_MECH;
-
+
if (m->gm_set_cred_option == NULL)
continue;
-
+
major_status = m->gm_set_cred_option(minor_status,
&mc->gmc_cred, object, value);
if (major_status == GSS_S_COMPLETE)
const gss_OID_set set,
int *present)
{
- int i;
+ size_t i;
*present = 0;
for (i = 0; i < set->count; i++)
{
struct _gss_context *ctx = (struct _gss_context *) context_handle;
gssapi_mech_interface m;
-
+
*max_input_size = 0;
if (ctx == NULL) {
*minor_status = 0;
#include "mech_switch.h"
#include "name.h"
#include "utils.h"
+#include "compat.h"
#define _mg_buffer_zero(buffer) \
do { \
gss_buffer_t output_token)
{
NegotiationTokenWin nt;
- size_t buf_len;
+ size_t buf_len = 0;
gss_buffer_desc data;
OM_uint32 ret;
*minor_status = ret;
return GSS_S_FAILURE;
}
- if (data.length != buf_len)
+ if (data.length != buf_len) {
abort();
+ UNREACHABLE(return GSS_S_FAILURE);
+ }
ret = gss_encapsulate_token(&data, GSS_SPNEGO_MECHANISM, output_token);
gss_OID_desc oid;
gss_OID oidp;
gss_OID_set mechs;
- int i;
+ size_t i;
OM_uint32 ret, junk;
ret = der_put_oid ((unsigned char *)mechbuf + sizeof(mechbuf) - 1,
host = getenv("GSSAPI_SPNEGO_NAME");
if (host == NULL || issuid()) {
+ int rv;
if (gethostname(hostname, sizeof(hostname)) != 0) {
*minor_status = errno;
return GSS_S_FAILURE;
}
- i = asprintf(&str, "host@%s", hostname);
- if (i < 0 || str == NULL) {
+ rv = asprintf(&str, "host@%s", hostname);
+ if (rv < 0 || str == NULL) {
*minor_status = ENOMEM;
return GSS_S_FAILURE;
}
{
OM_uint32 ret;
int require_mic, verify_mic;
- gss_buffer_desc buf;
-
- buf.length = 0;
- buf.value = NULL;
ret = _gss_spnego_require_mechlist_mic(minor_status, ctx, &require_mic);
if (ret)
verify_mic = 0;
*get_mic = 1;
}
-
+
if (verify_mic || *get_mic) {
int eret;
- size_t buf_len;
-
+ size_t buf_len = 0;
+
ASN1_MALLOC_ENCODE(MechTypeList,
mech_buf->value, mech_buf->length,
&ctx->initiator_mech_types, &buf_len, eret);
*minor_status = eret;
return GSS_S_FAILURE;
}
- if (buf.length != buf_len)
- abort();
+ heim_assert(mech_buf->length == buf_len, "Internal ASN.1 error");
+ UNREACHABLE(return GSS_S_FAILURE);
}
-
+
if (verify_mic) {
ret = verify_mechlist_mic(minor_status, ctx, mech_buf, mic);
if (ret) {
if (*get_mic)
send_reject (minor_status, output_token);
- if (buf.value)
- free(buf.value);
return ret;
}
ctx->verified_mic = 1;
}
- if (buf.value)
- free(buf.value);
-
} else
*get_mic = 0;
NegotiationToken nt;
size_t nt_len;
NegTokenInit *ni;
- int i;
gss_buffer_desc data;
gss_buffer_t mech_input_token = GSS_C_NO_BUFFER;
gss_buffer_desc mech_output_token;
if (input_token_buffer->length == 0)
return send_supported_mechs (minor_status, output_token);
-
+
ret = _gss_spnego_alloc_sec_context(minor_status, context_handle);
if (ret != GSS_S_COMPLETE)
return ret;
if (ctx->mech_src_name != GSS_C_NO_NAME)
gss_release_name(&junk, &ctx->mech_src_name);
-
+
ret = gss_accept_sec_context(minor_status,
&ctx->negotiated_ctx_id,
acceptor_cred_handle,
*/
if (!first_ok && ni->mechToken != NULL) {
+ size_t j;
preferred_mech_type = GSS_C_NO_OID;
/* Call glue layer to find first mech we support */
- for (i = 1; i < ni->mechTypes.len; ++i) {
+ for (j = 1; j < ni->mechTypes.len; ++j) {
ret = select_mech(minor_status,
- &ni->mechTypes.val[i],
+ &ni->mechTypes.val[j],
1,
&preferred_mech_type);
if (ret == 0)
* Kerberos mechanism.
*/
gss_OID_desc _gss_spnego_mskrb_mechanism_oid_desc =
- {9, (void *)"\x2a\x86\x48\x82\xf7\x12\x01\x02\x02"};
+ {9, rk_UNCONST("\x2a\x86\x48\x82\xf7\x12\x01\x02\x02")};
gss_OID_desc _gss_spnego_krb5_mechanism_oid_desc =
- {9, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"};
+ {9, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02")};
/*
* Allocate a SPNEGO context handle
gss_OID_set supported_mechs = GSS_C_NO_OID_SET;
gss_OID first_mech = GSS_C_NO_OID;
OM_uint32 ret;
- int i;
+ size_t i;
mechtypelist->len = 0;
mechtypelist->val = NULL;
{
OM_uint32 ret, junk;
gss_OID_set m;
- int i;
+ size_t i;
ret = gss_indicate_mechs(minor_status, &m);
if (ret != GSS_S_COMPLETE)
{
gss_OID_set mechs, names, n;
OM_uint32 ret, junk;
- int i, j;
+ size_t i, j;
*name_types = NULL;
OM_uint32 ret, tmp;
gss_OID_set_desc actual_desired_mechs;
gss_OID_set mechs;
- int i, j;
+ size_t i, j;
*output_cred_handle = GSS_C_NO_CREDENTIAL;
* negotiation token is identified by the Object Identifier
* iso.org.dod.internet.security.mechanism.snego (1.3.6.1.5.5.2).
*/
-
static gss_mo_desc spnego_mo[] = {
{
GSS_C_MA_SASL_MECH_NAME,
GSS_MO_MA,
"SASL mech name",
- "SPNEGO",
+ rk_UNCONST("SPNEGO"),
_gss_mo_get_ctx_as_string,
NULL
},
GSS_C_MA_MECH_NAME,
GSS_MO_MA,
"Mechanism name",
- "SPNEGO",
+ rk_UNCONST("SPNEGO"),
_gss_mo_get_ctx_as_string,
NULL
},
GSS_C_MA_MECH_DESCRIPTION,
GSS_MO_MA,
"Mechanism description",
- "Heimdal SPNEGO Mechanism",
+ rk_UNCONST("Heimdal SPNEGO Mechanism"),
_gss_mo_get_ctx_as_string,
NULL
},
static gssapi_mech_interface_desc spnego_mech = {
GMI_VERSION,
"spnego",
- {6, (void *)"\x2b\x06\x01\x05\x05\x02"},
+ {6, rk_UNCONST("\x2b\x06\x01\x05\x05\x02") },
0,
_gss_spnego_acquire_cred,
_gss_spnego_release_cred,
NULL,
NULL,
spnego_mo,
- sizeof(spnego_mo) / sizeof(spnego_mo[0])
+ sizeof(spnego_mo) / sizeof(spnego_mo[0]),
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
};
gssapi_mech_interface
NegotiationToken resp;
gss_OID_desc mech;
int require_mic;
- size_t buf_len;
+ size_t buf_len = 0;
gss_buffer_desc mic_buf, mech_buf;
gss_buffer_desc mech_output_token;
gssspnego_ctx ctx;
*minor_status = ret;
return GSS_S_FAILURE;
}
- if (mech_buf.length != buf_len)
+ if (mech_buf.length != buf_len) {
abort();
+ UNREACHABLE(return GSS_S_FAILURE);
+ }
if (resp.u.negTokenResp.mechListMIC == NULL) {
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
#include "utils.h"
#include <der.h>
+#include <heimbase.h>
+
#define ALLOC(X, N) (X) = calloc((N), sizeof(*(X)))
typedef struct {
HEIMDAL_GSS_2.0 {
global:
- __gss_c_nt_anonymous;
+# __gss_c_nt_anonymous;
+ __gss_c_nt_anonymous_oid_desc;
__gss_c_nt_export_name_oid_desc;
__gss_c_nt_hostbased_service_oid_desc;
__gss_c_nt_hostbased_service_x_oid_desc;
__gss_c_nt_user_name_oid_desc;
__gss_krb5_nt_principal_name_oid_desc;
__gss_c_attr_stream_sizes_oid_desc;
+ __gss_c_cred_password_oid_desc;
+ __gss_c_cred_certificate_oid_desc;
+ GSS_C_ATTR_LOCAL_LOGIN_USER;
gss_accept_sec_context;
gss_acquire_cred;
+ gss_acquire_cred_with_password;
gss_add_buffer_set_member;
gss_add_cred;
+ gss_add_cred_with_password;
gss_add_oid_set_member;
+ gss_authorize_localname;
gss_canonicalize_name;
gss_compare_name;
gss_context_query_attributes;
gss_mg_collect_error;
gss_oid_equal;
gss_oid_to_str;
+ gss_pname_to_uid;
gss_process_context_token;
gss_pseudo_random;
gss_release_buffer;
gss_set_name_attribute;
gss_set_sec_context_option;
gss_sign;
+ gss_store_cred;
gss_test_oid_set_member;
gss_unseal;
gss_unwrap;
gss_unwrap_iov;
+ gss_userok;
gss_verify;
gss_verify_mic;
gss_wrap;
io[1] = io[3];
io[2] = t0;
io[3] = t1;
-
+
return;
}
/* pre whitening but absorb kw2*/
io[0] ^= CamelliaSubkeyL(32);
io[1] ^= CamelliaSubkeyR(32);
-
+
/* main iteration */
CAMELLIA_ROUNDSM(io[0],io[1],
CamelliaSubkeyL(31),CamelliaSubkeyR(31),
for (i = 0; i < 16; i++) {
uint32_t kc, kd;
-
+
ROTATE_LEFT28(c, shifts[i]);
ROTATE_LEFT28(d, shifts[i]);
-
+
kc = pc2_c_1[(c >> 22) & 0x3f] |
pc2_c_2[((c >> 16) & 0x30) | ((c >> 15) & 0xf)] |
pc2_c_3[((c >> 9 ) & 0x3c) | ((c >> 8 ) & 0x3)] |
u[0] ^= uiv[0]; u[1] ^= uiv[1];
DES_encrypt(u, ks, 1);
uiv[0] = u[0]; uiv[1] = u[1];
-
+
length -= DES_CBLOCK_LEN;
input += DES_CBLOCK_LEN;
}
#ifndef HC_DEPRECATED
#if defined(__GNUC__) && ((__GNUC__ > 3) || ((__GNUC__ == 3) && (__GNUC_MINOR__ >= 1 )))
#define HC_DEPRECATED __attribute__((deprecated))
-#elif defined(_MSC_VER) && (_MSC_VER>1200)
+#elif defined(_MSC_VER) && (_MSC_VER>1200)
#define HC_DEPRECATED __declspec(deprecated)
#else
#define HC_DEPRECATED
BN_free(dh->pub_key);
mp_init_multi(&pub, &priv_key, &g, &p, NULL);
-
+
BN2mpz(&priv_key, dh->priv_key);
BN2mpz(&g, dh->g);
BN2mpz(&p, dh->p);
-
+
res = mp_exptmod(&g, &priv_key, &p, &pub);
mp_clear_multi(&priv_key, &g, &p, NULL);
mp_clear(&pub);
if (dh->pub_key == NULL)
return 0;
-
+
if (DH_check_pubkey(dh, dh->pub_key, &codes) && codes == 0)
break;
if (have_private_key)
free_DHParameter(&data);
if (ret)
return -1;
- if (len != size)
+ if (len != size) {
abort();
+ return -1;
+ }
memcpy(*pp, p, size);
free(p);
dlclose(handle);
free(engine);
return NULL;
- }
+ }
}
{
dlclose(handle);
free(engine);
return NULL;
- }
+ }
}
ENGINE_up_ref(engine);
const EVP_MD *
EVP_sha(void) HC_DEPRECATED
-
+
{
hcrypto_validate();
return EVP_sha1();
ctx->buf_len += inlen;
return 1;
}
-
+
/* fill in local buffer and encrypt */
memcpy(ctx->buf + ctx->buf_len, in, left);
ret = (*ctx->cipher->do_cipher)(ctx, out, ctx->buf, blocksize);
if (inlen) {
ctx->buf_len = (inlen & ctx->block_mask);
inlen &= ~ctx->block_mask;
-
+
ret = (*ctx->cipher->do_cipher)(ctx, out, in, inlen);
if (ret != 1)
return ret;
#ifndef HC_DEPRECATED
#if defined(__GNUC__) && ((__GNUC__ > 3) || ((__GNUC__ == 3) && (__GNUC_MINOR__ >= 1 )))
#define HC_DEPRECATED __attribute__((deprecated))
-#elif defined(_MSC_VER) && (_MSC_VER>1200)
+#elif defined(_MSC_VER) && (_MSC_VER>1200)
#define HC_DEPRECATED __declspec(deprecated)
#else
#define HC_DEPRECATED
* Tom St Denis, tomstdenis@gmail.com, http://libtom.org
*/
-/* computes the modular inverse via binary extended euclidean algorithm,
- * that is c = 1/a mod b
+/* computes the modular inverse via binary extended euclidean algorithm,
+ * that is c = 1/a mod b
*
- * Based on slow invmod except this is optimized for the case where b is
+ * Based on slow invmod except this is optimized for the case where b is
* odd as per HAC Note 14.64 on pp. 610
*/
int fast_mp_invmod (mp_int * a, mp_int * b, mp_int * c)
/* Fast (comba) multiplier
*
- * This is the fast column-array [comba] multiplier. It is
- * designed to compute the columns of the product first
- * then handle the carries afterwards. This has the effect
+ * This is the fast column-array [comba] multiplier. It is
+ * designed to compute the columns of the product first
+ * then handle the carries afterwards. This has the effect
* of making the nested loops that compute the columns very
* simple and schedulable on super-scalar processors.
*
- * This has been modified to produce a variable number of
- * digits of output so if say only a half-product is required
- * you don't have to compute the upper half (a feature
+ * This has been modified to produce a variable number of
+ * digits of output so if say only a half-product is required
+ * you don't have to compute the upper half (a feature
* required for fast Barrett reduction).
*
* Based on Algorithm 14.12 on pp.595 of HAC.
/* clear the carry */
_W = 0;
- for (ix = 0; ix < pa; ix++) {
+ for (ix = 0; ix < pa; ix++) {
int tx, ty;
int iy;
mp_digit *tmpx, *tmpy;
tmpx = a->dp + tx;
tmpy = b->dp + ty;
- /* this is the number of times the loop will iterrate, essentially
+ /* this is the number of times the loop will iterrate, essentially
while (tx++ < a->used && ty-- >= 0) { ... }
*/
iy = MIN(a->used-tx, ty+1);
/* number of output digits to produce */
pa = a->used + b->used;
_W = 0;
- for (ix = digs; ix < pa; ix++) {
+ for (ix = digs; ix < pa; ix++) {
int tx, ty, iy;
mp_digit *tmpx, *tmpy;
tmpx = a->dp + tx;
tmpy = b->dp + ty;
- /* this is the number of times the loop will iterrate, essentially its
+ /* this is the number of times the loop will iterrate, essentially its
while (tx++ < a->used && ty-- >= 0) { ... }
*/
iy = MIN(a->used-tx, ty+1);
/* make next carry */
_W = _W >> ((mp_word)DIGIT_BIT);
}
-
+
/* setup dest */
olduse = c->used;
c->used = pa;
*/
/* the jist of squaring...
- * you do like mult except the offset of the tmpx [one that
- * starts closer to zero] can't equal the offset of tmpy.
+ * you do like mult except the offset of the tmpx [one that
+ * starts closer to zero] can't equal the offset of tmpy.
* So basically you set up iy like before then you min it with
- * (ty-tx) so that it never happens. You double all those
+ * (ty-tx) so that it never happens. You double all those
* you add in the inner loop
After that loop you do the squares and add them in.
/* number of output digits to produce */
W1 = 0;
- for (ix = 0; ix < pa; ix++) {
+ for (ix = 0; ix < pa; ix++) {
int tx, ty, iy;
mp_word _W;
mp_digit *tmpy;
*/
iy = MIN(a->used-tx, ty+1);
- /* now for squaring tx can never equal ty
+ /* now for squaring tx can never equal ty
* we halve the distance since they approach at a rate of 2x
* and we have to round because odd cases need to be executed
*/
* Tom St Denis, tomstdenis@gmail.com, http://libtom.org
*/
-/* computes a = 2**b
+/* computes a = 2**b
*
* Simple algorithm which zeroes the int, grows it then just sets one bit
* as required.
* Tom St Denis, tomstdenis@gmail.com, http://libtom.org
*/
-/* b = |a|
+/* b = |a|
*
* Simple function copies the input and fixes the sign to positive
*/
* Tom St Denis, tomstdenis@gmail.com, http://libtom.org
*/
-/* trim unused digits
+/* trim unused digits
*
* This is used to ensure that leading zero digits are
* trimed and the leading "used" digit will be non-zero
*/
#include <stdarg.h>
-void mp_clear_multi(mp_int *mp, ...)
+void mp_clear_multi(mp_int *mp, ...)
{
mp_int* next_mp = mp;
va_list args;
return MP_GT;
}
}
-
+
/* compare digits */
if (a->sign == MP_NEG) {
/* if negative compare opposite direction */
if (a->used > b->used) {
return MP_GT;
}
-
+
if (a->used < b->used) {
return MP_LT;
}
* Tom St Denis, tomstdenis@gmail.com, http://libtom.org
*/
-static const int lnz[16] = {
+static const int lnz[16] = {
4, 0, 1, 0, 2, 0, 1, 0, 3, 0, 1, 0, 2, 0, 1, 0
};
/* get number of digits and add that */
r = (a->used - 1) * DIGIT_BIT;
-
+
/* take the last digit and count the bits in it */
q = a->dp[a->used - 1];
while (q > ((mp_digit) 0)) {
}
return res;
}
-
+
/* init our temps */
if ((res = mp_init_multi(&ta, &tb, &tq, &q, NULL) != MP_OKAY)) {
return res;
mp_set(&tq, 1);
n = mp_count_bits(a) - mp_count_bits(b);
if (((res = mp_abs(a, &ta)) != MP_OKAY) ||
- ((res = mp_abs(b, &tb)) != MP_OKAY) ||
+ ((res = mp_abs(b, &tb)) != MP_OKAY) ||
((res = mp_mul_2d(&tb, n, &tb)) != MP_OKAY) ||
((res = mp_mul_2d(&tq, n, &tq)) != MP_OKAY)) {
goto LBL_ERR;
#else
-/* integer signed division.
+/* integer signed division.
* c*b + d == a [e.g. a/b, c=quotient, d=remainder]
* HAC pp.598 Algorithm 14.20
*
- * Note that the description in HAC is horribly
- * incomplete. For example, it doesn't consider
- * the case where digits are removed from 'x' in
- * the inner loop. It also doesn't consider the
+ * Note that the description in HAC is horribly
+ * incomplete. For example, it doesn't consider
+ * the case where digits are removed from 'x' in
+ * the inner loop. It also doesn't consider the
* case that y has fewer than three digits, etc..
*
- * The overall algorithm is as described as
+ * The overall algorithm is as described as
* 14.20 from HAC but fixed to treat these cases.
*/
int mp_div (mp_int * a, mp_int * b, mp_int * c, mp_int * d)
continue;
}
- /* step 3.1 if xi == yt then set q{i-t-1} to b-1,
+ /* step 3.1 if xi == yt then set q{i-t-1} to b-1,
* otherwise set q{i-t-1} to (xi*b + x{i-1})/yt */
if (x.dp[i] == y.dp[t]) {
q.dp[i - t - 1] = ((((mp_digit)1) << DIGIT_BIT) - 1);
q.dp[i - t - 1] = (mp_digit) (tmp & (mp_word) (MP_MASK));
}
- /* while (q{i-t-1} * (yt * b + y{t-1})) >
- xi * b**2 + xi-1 * b + xi-2
-
- do q{i-t-1} -= 1;
+ /* while (q{i-t-1} * (yt * b + y{t-1})) >
+ xi * b**2 + xi-1 * b + xi-2
+
+ do q{i-t-1} -= 1;
*/
q.dp[i - t - 1] = (q.dp[i - t - 1] + 1) & MP_MASK;
do {
}
}
- /* now q is the quotient and x is the remainder
- * [which we have to normalize]
+ /* now q is the quotient and x is the remainder
+ * [which we have to normalize]
*/
-
+
/* get sign before writing to c */
x.sign = x.used == 0 ? MP_ZPOS : a->sign;
mp_word w, t;
mp_digit b;
int res, ix;
-
+
/* b = 2**DIGIT_BIT / 3 */
b = (((mp_word)1) << ((mp_word)DIGIT_BIT)) / ((mp_word)3);
if ((res = mp_init_size(&q, a->used)) != MP_OKAY) {
return res;
}
-
+
q.used = a->used;
q.sign = a->sign;
w = 0;
mp_exch(&q, c);
}
mp_clear(&q);
-
+
return res;
}
if ((res = mp_init_size(&q, a->used)) != MP_OKAY) {
return res;
}
-
+
q.used = a->used;
q.sign = a->sign;
w = 0;
for (ix = a->used - 1; ix >= 0; ix--) {
w = (w << ((mp_word)DIGIT_BIT)) | ((mp_word)a->dp[ix]);
-
+
if (w >= b) {
t = (mp_digit)(w / b);
w -= ((mp_word)t) * ((mp_word)b);
}
q.dp[ix] = (mp_digit)t;
}
-
+
if (d != NULL) {
*d = (mp_digit)w;
}
-
+
if (c != NULL) {
mp_clamp(&q);
mp_exch(&q, c);
}
mp_clear(&q);
-
+
return res;
}
/* the casts are required if DIGIT_BIT is one less than
* the number of bits in a mp_digit [e.g. DIGIT_BIT==31]
*/
- *d = (mp_digit)((((mp_word)1) << ((mp_word)DIGIT_BIT)) -
+ *d = (mp_digit)((((mp_word)1) << ((mp_word)DIGIT_BIT)) -
((mp_word)a->dp[0]));
}
* Tom St Denis, tomstdenis@gmail.com, http://libtom.org
*/
-/* swap the elements of two integers, for cases where you can't simply swap the
+/* swap the elements of two integers, for cases where you can't simply swap the
* mp_int pointers around
*/
void
err = mp_exptmod(&tmpG, &tmpX, P, Y);
mp_clear_multi(&tmpG, &tmpX, NULL);
return err;
-#else
+#else
/* no invmod */
return MP_VAL;
#endif
dr = mp_reduce_is_2k(P) << 1;
}
#endif
-
+
/* if the modulus is odd or dr != 0 use the montgomery method */
#ifdef BN_MP_EXPTMOD_FAST_C
if (mp_isodd (P) == 1 || dr != 0) {
/* determine and setup reduction code */
if (redmode == 0) {
-#ifdef BN_MP_MONTGOMERY_SETUP_C
+#ifdef BN_MP_MONTGOMERY_SETUP_C
/* now setup montgomery */
if ((err = mp_montgomery_setup (P, &mp)) != MP_OKAY) {
goto LBL_M;
if (((P->used * 2 + 1) < MP_WARRAY) &&
P->used < (1 << ((CHAR_BIT * sizeof (mp_word)) - (2 * DIGIT_BIT)))) {
redux = fast_mp_montgomery_reduce;
- } else
+ } else
#endif
{
#ifdef BN_MP_MONTGOMERY_REDUCE_C
if ((err = mp_montgomery_calc_normalization (&res, P)) != MP_OKAY) {
goto LBL_RES;
}
-#else
+#else
err = MP_VAL;
goto LBL_RES;
#endif
* Tom St Denis, tomstdenis@gmail.com, http://libtom.org
*/
-/* Extended euclidean algorithm of (a, b) produces
+/* Extended euclidean algorithm of (a, b) produces
a*u1 + b*u2 = u3
*/
int mp_exteuclid(mp_int *a, mp_int *b, mp_int *U1, mp_int *U2, mp_int *U3)
/* TomsFastMath, a fast ISO C bignum library.
- *
+ *
* This project is public domain and free for all purposes.
- *
+ *
* Love Hornquist Astrand <lha@h5l.org>
*/
#include <tommath.h>
int mp_fread(mp_int *a, int radix, FILE *stream)
{
int err, ch, neg, y;
-
+
/* clear a */
mp_zero(a);
-
+
/* if first digit is - then set negative */
ch = fgetc(stream);
if (ch == '-') {
} else {
neg = MP_ZPOS;
}
-
+
for (;;) {
/* find y in the radix map */
for (y = 0; y < radix; y++) {
if (y == radix) {
break;
}
-
+
/* shift up and add */
if ((err = mp_mul_d(a, radix, a)) != MP_OKAY) {
return err;
if ((err = mp_add_d(a, y, a)) != MP_OKAY) {
return err;
}
-
+
ch = fgetc(stream);
}
if (mp_cmp_d(a, 0) != MP_EQ) {
a->sign = neg;
}
-
+
return MP_OKAY;
}
{
char *buf;
int err, len, x;
-
+
if ((err = mp_radix_size(a, radix, &len)) != MP_OKAY) {
return err;
}
if (buf == NULL) {
return MP_MEM;
}
-
+
if ((err = mp_toradix(a, buf, radix)) != MP_OKAY) {
XFREE (buf);
return err;
}
-
+
for (x = 0; x < len; x++) {
if (fputc(buf[x], stream) == EOF) {
XFREE (buf);
return MP_VAL;
}
}
-
+
XFREE (buf);
return MP_OKAY;
}
/* swap u and v to make sure v is >= u */
mp_exch(&u, &v);
}
-
+
/* subtract smallest from largest */
if ((res = s_mp_sub(&v, &u, &v)) != MP_OKAY) {
goto LBL_V;
}
-
+
/* Divide out all factors of two */
if ((res = mp_div_2d(&v, mp_cnt_lsb(&v), &v, NULL)) != MP_OKAY) {
goto LBL_V;
- }
- }
+ }
+ }
/* multiply by 2**k which we divided out at the beginning */
if ((res = mp_mul_2d (&u, k, c)) != MP_OKAY) {
*/
/* get the lower 32-bits of an mp_int */
-unsigned long mp_get_int(mp_int * a)
+unsigned long mp_get_int(mp_int * a)
{
int i;
unsigned long res;
/* get most significant digit of result */
res = DIGIT(a,i);
-
+
while (--i >= 0) {
res = (res << DIGIT_BIT) | DIGIT(a,i);
}
*/
#include <stdarg.h>
-int mp_init_multi(mp_int *mp, ...)
+int mp_init_multi(mp_int *mp, ...)
{
mp_err res = MP_OKAY; /* Assume ok until proven otherwise */
int n = 0; /* Number of ok inits */
succeeded in init-ing, then return error.
*/
va_list clean_args;
-
+
/* end the current list */
va_end(args);
-
- /* now start cleaning up */
+
+ /* now start cleaning up */
cur_arg = mp;
va_start(clean_args, mp);
while (n--) {
int x;
/* pad size so there are always extra digits */
- size += (MP_PREC * 2) - (size % MP_PREC);
-
+ size += (MP_PREC * 2) - (size % MP_PREC);
+
/* alloc mem */
a->dp = OPT_CAST(mp_digit) XMALLOC (sizeof (mp_digit) * size);
if (a->dp == NULL) {
#ifdef BN_MP_INVMOD_SLOW_C
return mp_invmod_slow(a, b, c);
-#endif
-
+#else
return MP_VAL;
+#endif
}
#endif
}
/* init temps */
- if ((res = mp_init_multi(&x, &y, &u, &v,
+ if ((res = mp_init_multi(&x, &y, &u, &v,
&A, &B, &C, &D, NULL)) != MP_OKAY) {
return res;
}
goto LBL_ERR;
}
}
-
+
/* too big */
while (mp_cmp_mag(&C, b) != MP_LT) {
if ((res = mp_sub(&C, b, &C)) != MP_OKAY) {
goto LBL_ERR;
}
}
-
+
/* C is now the inverse */
mp_exch (&C, c);
res = MP_OKAY;
};
/* Store non-zero to ret if arg is square, and zero if not */
-int mp_is_square(mp_int *arg,int *ret)
+int mp_is_square(mp_int *arg,int *ret)
{
int res;
mp_digit c;
unsigned long r;
/* Default to Non-square :) */
- *ret = MP_NO;
+ *ret = MP_NO;
if (arg->sign == MP_NEG) {
return MP_VAL;
r = mp_get_int(&t);
/* Check for other prime modules, note it's not an ERROR but we must
* free "t" so the easiest way is to goto ERR. We know that res
- * is already equal to MP_OKAY from the mp_mod call
- */
+ * is already equal to MP_OKAY from the mp_mod call
+ */
if ( (1L<<(r%11)) & 0x5C4L ) goto ERR;
if ( (1L<<(r%13)) & 0x9E4L ) goto ERR;
if ( (1L<<(r%17)) & 0x5CE8L ) goto ERR;
/* TomsFastMath, a fast ISO C bignum library.
- *
+ *
* This project is meant to fill in where LibTomMath
* falls short. That is speed ;-)
*
* This project is public domain and free for all purposes.
- *
+ *
* Tom St Denis, tomstdenis@gmail.com
*/
#include <tommath.h>
* Tom St Denis, tomstdenis@gmail.com, http://libtom.org
*/
-/* c = |a| * |b| using Karatsuba Multiplication using
+/* c = |a| * |b| using Karatsuba Multiplication using
* three half size multiplications
*
- * Let B represent the radix [e.g. 2**DIGIT_BIT] and
- * let n represent half of the number of digits in
+ * Let B represent the radix [e.g. 2**DIGIT_BIT] and
+ * let n represent half of the number of digits in
* the min(a,b)
*
* a = a1 * B**n + a0
* b = b1 * B**n + b0
*
- * Then, a * b =>
+ * Then, a * b =>
a1b1 * B**2n + ((a1 + a0)(b1 + b0) - (a0b0 + a1b1)) * B + a0b0
*
- * Note that a1b1 and a0b0 are used twice and only need to be
- * computed once. So in total three half size (half # of
- * digit) multiplications are performed, a0b0, a1b1 and
+ * Note that a1b1 and a0b0 are used twice and only need to be
+ * computed once. So in total three half size (half # of
+ * digit) multiplications are performed, a0b0, a1b1 and
* (a1+b1)(a0+b0)
*
* Note that a multiplication of half the digits requires
- * 1/4th the number of single precision multiplications so in
- * total after one call 25% of the single precision multiplications
- * are saved. Note also that the call to mp_mul can end up back
- * in this function if the a0, a1, b0, or b1 are above the threshold.
- * This is known as divide-and-conquer and leads to the famous
- * O(N**lg(3)) or O(N**1.584) work which is asymptopically lower than
- * the standard O(N**2) that the baseline/comba methods use.
- * Generally though the overhead of this method doesn't pay off
+ * 1/4th the number of single precision multiplications so in
+ * total after one call 25% of the single precision multiplications
+ * are saved. Note also that the call to mp_mul can end up back
+ * in this function if the a0, a1, b0, or b1 are above the threshold.
+ * This is known as divide-and-conquer and leads to the famous
+ * O(N**lg(3)) or O(N**1.584) work which is asymptopically lower than
+ * the standard O(N**2) that the baseline/comba methods use.
+ * Generally though the overhead of this method doesn't pay off
* until a certain size (N ~ 80) is reached.
*/
int mp_karatsuba_mul (mp_int * a, mp_int * b, mp_int * c)
}
}
- /* only need to clamp the lower words since by definition the
+ /* only need to clamp the lower words since by definition the
* upper words x1/y1 must have a known number of digits
*/
mp_clamp (&x0);
/* now calc the products x0y0 and x1y1 */
/* after this x0 is no longer required, free temp [x0==t2]! */
- if (mp_mul (&x0, &y0, &x0y0) != MP_OKAY)
+ if (mp_mul (&x0, &y0, &x0y0) != MP_OKAY)
goto X1Y1; /* x0y0 = x0*y0 */
if (mp_mul (&x1, &y1, &x1y1) != MP_OKAY)
goto X1Y1; /* x1y1 = x1*y1 */
* Tom St Denis, tomstdenis@gmail.com, http://libtom.org
*/
-/* Karatsuba squaring, computes b = a*a using three
+/* Karatsuba squaring, computes b = a*a using three
* half size squarings
*
- * See comments of karatsuba_mul for details. It
- * is essentially the same algorithm but merely
+ * See comments of karatsuba_mul for details. It
+ * is essentially the same algorithm but merely
* tuned to perform recursive squarings.
*/
int mp_karatsuba_sqr (mp_int * a, mp_int * b)
#ifdef BN_MP_TOOM_MUL_C
if (MIN (a->used, b->used) >= TOOM_MUL_CUTOFF) {
res = mp_toom_mul(a, b, c);
- } else
+ } else
#endif
#ifdef BN_MP_KARATSUBA_MUL_C
/* use Karatsuba? */
if (MIN (a->used, b->used) >= KARATSUBA_MUL_CUTOFF) {
res = mp_karatsuba_mul (a, b, c);
- } else
+ } else
#endif
{
/* can we use the fast multiplier?
*
- * The fast multiplier can be used if the output will
- * have less than MP_WARRAY digits and the number of
+ * The fast multiplier can be used if the output will
+ * have less than MP_WARRAY digits and the number of
* digits won't affect carry propagation
*/
int digs = a->used + b->used + 1;
#ifdef BN_FAST_S_MP_MUL_DIGS_C
if ((digs < MP_WARRAY) &&
- MIN(a->used, b->used) <=
+ MIN(a->used, b->used) <=
(1 << ((CHAR_BIT * sizeof (mp_word)) - (2 * DIGIT_BIT)))) {
res = fast_s_mp_mul_digs (a, b, c, digs);
- } else
+ } else
#endif
#ifdef BN_S_MP_MUL_DIGS_C
res = s_mp_mul (a, b, c); /* uses s_mp_mul_digs */
/* alias for source */
tmpa = a->dp;
-
+
/* alias for dest */
tmpb = b->dp;
/* carry */
r = 0;
for (x = 0; x < a->used; x++) {
-
- /* get what will be the *next* carry bit from the
- * MSB of the current digit
+
+ /* get what will be the *next* carry bit from the
+ * MSB of the current digit
*/
rr = *tmpa >> ((mp_digit)(DIGIT_BIT - 1));
-
+
/* now shift up this digit, add in the carry [from the previous] */
*tmpb++ = ((*tmpa++ << ((mp_digit)1)) | r) & MP_MASK;
-
- /* copy the carry that would be from the source
- * digit into the next iteration
+
+ /* copy the carry that would be from the source
+ * digit into the next iteration
*/
r = rr;
}
++(b->used);
}
- /* now zero any excess digits on the destination
- * that we didn't write to
+ /* now zero any excess digits on the destination
+ * that we didn't write to
*/
tmpb = b->dp + b->used;
for (x = b->used; x < oldused; x++) {
/* set the carry to the carry bits of the current word */
r = rr;
}
-
+
/* set final carry */
if (r != 0) {
c->dp[(c->used)++] = r;
* Tom St Denis, tomstdenis@gmail.com, http://libtom.org
*/
-/* find the n'th root of an integer
+/* find the n'th root of an integer
*
- * Result found such that (c)**b <= a and (c+1)**b > a
+ * Result found such that (c)**b <= a and (c+1)**b > a
*
- * This algorithm uses Newton's approximation
- * x[i+1] = x[i] - f(x[i])/f'(x[i])
- * which will find the root in log(N) time where
- * each step involves a fair bit. This is not meant to
+ * This algorithm uses Newton's approximation
+ * x[i+1] = x[i] - f(x[i])/f'(x[i])
+ * which will find the root in log(N) time where
+ * each step involves a fair bit. This is not meant to
* find huge roots [square and cube, etc].
*/
int mp_n_root (mp_int * a, mp_digit b, mp_int * c)
}
/* t2 = t1 - ((t1**b - a) / (b * t1**(b-1))) */
-
+
/* t3 = t1**(b-1) */
- if ((res = mp_expt_d (&t1, b - 1, &t3)) != MP_OKAY) {
+ if ((res = mp_expt_d (&t1, b - 1, &t3)) != MP_OKAY) {
goto LBL_T3;
}
/* numerator */
/* t2 = t1**b */
- if ((res = mp_mul (&t3, &t1, &t2)) != MP_OKAY) {
+ if ((res = mp_mul (&t3, &t1, &t2)) != MP_OKAY) {
goto LBL_T3;
}
/* t2 = t1**b - a */
- if ((res = mp_sub (&t2, a, &t2)) != MP_OKAY) {
+ if ((res = mp_sub (&t2, a, &t2)) != MP_OKAY) {
goto LBL_T3;
}
/* denominator */
/* t3 = t1**(b-1) * b */
- if ((res = mp_mul_d (&t3, b, &t3)) != MP_OKAY) {
+ if ((res = mp_mul_d (&t3, b, &t3)) != MP_OKAY) {
goto LBL_T3;
}
/* t3 = (t1**b - a)/(b * t1**(b-1)) */
- if ((res = mp_div (&t2, &t3, &t3, NULL)) != MP_OKAY) {
+ if ((res = mp_div (&t2, &t3, &t3, NULL)) != MP_OKAY) {
goto LBL_T3;
}
*/
/* performs one Fermat test.
- *
+ *
* If "a" were prime then b**a == b (mod a) since the order of
* the multiplicative sub-group would be phi(a) = a-1. That means
* it would be the same as b**(a mod (a-1)) == b**1 == b (mod a).
* Tom St Denis, tomstdenis@gmail.com, http://libtom.org
*/
-/* determines if an integers is divisible by one
+/* determines if an integers is divisible by one
* of the first PRIME_SIZE primes or not
*
* sets result to 0 if not, 1 if yes
* Tom St Denis, tomstdenis@gmail.com, http://libtom.org
*/
-/* Miller-Rabin test of "a" to the base of "b" as described in
+/* Miller-Rabin test of "a" to the base of "b" as described in
* HAC pp. 139 Algorithm 4.24
*
* Sets result to 0 if definitely composite or 1 if probably prime.
- * Randomly the chance of error is no more than 1/4 and often
+ * Randomly the chance of error is no more than 1/4 and often
* very much lower.
*/
int mp_prime_miller_rabin (mp_int * a, mp_int * b, int *result)
/* ensure b > 1 */
if (mp_cmp_d(b, 1) != MP_GT) {
return MP_VAL;
- }
+ }
/* get n1 = a - 1 */
if ((err = mp_init_copy (&n1, a)) != MP_OKAY) {
*/
int mp_prime_next_prime(mp_int *a, int t, int bbs_style)
{
- int err, res, x, y;
+ int err, res = MP_NO, x, y;
mp_digit res_tab[PRIME_SIZE], step, kstep;
mp_int b;
/* makes a truly random prime of a given size (bits),
*
* Flags are as follows:
- *
+ *
* LTM_PRIME_BBS - make prime congruent to 3 mod 4
* LTM_PRIME_SAFE - make sure (p-1)/2 is prime as well (implies LTM_PRIME_BBS)
* LTM_PRIME_2MSB_OFF - make the 2nd highest bit zero
maskOR_msb_offset = ((size & 7) == 1) ? 1 : 0;
if (flags & LTM_PRIME_2MSB_ON) {
maskOR_msb |= 0x80 >> ((9 - size) & 7);
- }
+ }
/* get the maskOR_lsb */
maskOR_lsb = 1;
err = MP_VAL;
goto error;
}
-
+
/* work over the MSbyte */
tmp[0] &= maskAND;
tmp[0] |= 1 << ((size - 1) & 7);
/* is it prime? */
if ((err = mp_prime_is_prime(a, t, &res)) != MP_OKAY) { goto error; }
- if (res == MP_NO) {
+ if (res == MP_NO) {
continue;
}
/* see if (a-1)/2 is prime */
if ((err = mp_sub_d(a, 1, a)) != MP_OKAY) { goto error; }
if ((err = mp_div_2(a, a)) != MP_OKAY) { goto error; }
-
+
/* is it prime? */
if ((err = mp_prime_is_prime(a, t, &res)) != MP_OKAY) { goto error; }
}
}
/* force temp to positive */
- t.sign = MP_ZPOS;
+ t.sign = MP_ZPOS;
/* fetch out all of the digits */
while (mp_iszero (&t) == MP_NO) {
return MP_VAL;
}
- /* if the leading digit is a
- * minus set the sign to negative.
+ /* if the leading digit is a
+ * minus set the sign to negative.
*/
if (*str == '-') {
++str;
/* set the integer to the default of zero */
mp_zero (a);
-
+
/* process each digit of the string */
while (*str) {
/* if the radix < 36 the conversion is case insensitive
}
}
- /* if the char was found in the map
+ /* if the char was found in the map
* and is less than the given radix add it
- * to the number, otherwise exit the loop.
+ * to the number, otherwise exit the loop.
*/
if (y < radix) {
if ((res = mp_mul_d (a, (mp_digit) radix, a)) != MP_OKAY) {
}
++str;
}
-
+
/* set the sign only if a != 0 */
if (mp_iszero(a) != 1) {
a->sign = neg;
* Tom St Denis, tomstdenis@gmail.com, http://libtom.org
*/
-/* reduces x mod m, assumes 0 < x < m**2, mu is
+/* reduces x mod m, assumes 0 < x < m**2, mu is
* precomputed via mp_reduce_setup.
* From HAC pp.604 Algorithm 14.42
*/
}
/* q1 = x / b**(k-1) */
- mp_rshd (&q, um - 1);
+ mp_rshd (&q, um - 1);
/* according to HAC this optimization is ok */
if (((unsigned long) um) > (((mp_digit)1) << (DIGIT_BIT - 1))) {
if ((res = fast_s_mp_mul_high_digs (&q, mu, &q, um)) != MP_OKAY) {
goto CLEANUP;
}
-#else
- {
+#else
+ {
res = MP_VAL;
goto CLEANUP;
}
}
/* q3 = q2 / b**(k+1) */
- mp_rshd (&q, um + 1);
+ mp_rshd (&q, um + 1);
/* x = x mod b**(k+1), quick (no division) */
if ((res = mp_mod_2d (x, DIGIT_BIT * (um + 1), x)) != MP_OKAY) {
goto CLEANUP;
}
}
-
+
CLEANUP:
mp_clear (&q);
{
mp_int q;
int p, res;
-
+
if ((res = mp_init(&q)) != MP_OKAY) {
return res;
}
-
- p = mp_count_bits(n);
+
+ p = mp_count_bits(n);
top:
/* q = a/2**p, a = a mod 2**p */
if ((res = mp_div_2d(a, p, &q, a)) != MP_OKAY) {
goto ERR;
}
-
+
if (d != 1) {
/* q = q * d */
- if ((res = mp_mul_d(&q, d, &q)) != MP_OKAY) {
+ if ((res = mp_mul_d(&q, d, &q)) != MP_OKAY) {
goto ERR;
}
}
-
+
/* a = a + q */
if ((res = s_mp_add(a, &q, a)) != MP_OKAY) {
goto ERR;
}
-
+
if (mp_cmp_mag(a, n) != MP_LT) {
s_mp_sub(a, n, a);
goto top;
}
-
+
ERR:
mp_clear(&q);
return res;
* Tom St Denis, tomstdenis@gmail.com, http://libtom.org
*/
-/* reduces a modulo n where n is of the form 2**p - d
+/* reduces a modulo n where n is of the form 2**p - d
This differs from reduce_2k since "d" can be larger
than a single digit.
*/
{
mp_int q;
int p, res;
-
+
if ((res = mp_init(&q)) != MP_OKAY) {
return res;
}
-
- p = mp_count_bits(n);
+
+ p = mp_count_bits(n);
top:
/* q = a/2**p, a = a mod 2**p */
if ((res = mp_div_2d(a, p, &q, a)) != MP_OKAY) {
goto ERR;
}
-
+
/* q = q * d */
- if ((res = mp_mul(&q, d, &q)) != MP_OKAY) {
+ if ((res = mp_mul(&q, d, &q)) != MP_OKAY) {
goto ERR;
}
-
+
/* a = a + q */
if ((res = s_mp_add(a, &q, a)) != MP_OKAY) {
goto ERR;
}
-
+
if (mp_cmp_mag(a, n) != MP_LT) {
s_mp_sub(a, n, a);
goto top;
}
-
+
ERR:
mp_clear(&q);
return res;
{
int res, p;
mp_int tmp;
-
+
if ((res = mp_init(&tmp)) != MP_OKAY) {
return res;
}
-
+
p = mp_count_bits(a);
if ((res = mp_2expt(&tmp, p)) != MP_OKAY) {
mp_clear(&tmp);
return res;
}
-
+
if ((res = s_mp_sub(&tmp, a, &tmp)) != MP_OKAY) {
mp_clear(&tmp);
return res;
}
-
+
*d = tmp.dp[0];
mp_clear(&tmp);
return MP_OKAY;
{
int res;
mp_int tmp;
-
+
if ((res = mp_init(&tmp)) != MP_OKAY) {
return res;
}
-
+
if ((res = mp_2expt(&tmp, mp_count_bits(a))) != MP_OKAY) {
goto ERR;
}
-
+
if ((res = s_mp_sub(&tmp, a, d)) != MP_OKAY) {
goto ERR;
}
-
+
ERR:
mp_clear(&tmp);
return res;
{
int ix, iy, iw;
mp_digit iz;
-
+
if (a->used == 0) {
return MP_NO;
} else if (a->used == 1) {
iy = mp_count_bits(a);
iz = 1;
iw = 1;
-
+
/* Test every bit from the second digit up, must be 1 */
for (ix = DIGIT_BIT; ix < iy; ix++) {
if ((a->dp[iw] & iz) == 0) {
int mp_reduce_is_2k_l(mp_int *a)
{
int ix, iy;
-
+
if (a->used == 0) {
return MP_NO;
} else if (a->used == 1) {
}
}
return (iy >= (a->used/2)) ? MP_YES : MP_NO;
-
+
}
return MP_NO;
}
int mp_reduce_setup (mp_int * a, mp_int * b)
{
int res;
-
+
if ((res = mp_2expt (a, b->used * 2 * DIGIT_BIT)) != MP_OKAY) {
return res;
}
/* top [offset into digits] */
top = a->dp + b;
- /* this is implemented as a sliding window where
- * the window is b-digits long and digits from
+ /* this is implemented as a sliding window where
+ * the window is b-digits long and digits from
* the top of the window are copied to the bottom
*
* e.g.
*bottom++ = 0;
}
}
-
+
/* remove excess digits */
a->used -= b;
}
int x, res;
mp_zero (a);
-
+
/* set four bits at a time */
for (x = 0; x < 8; x++) {
/* shift the number up four bits */
if (a->used >= TOOM_SQR_CUTOFF) {
res = mp_toom_sqr(a, b);
/* Karatsuba? */
- } else
+ } else
#endif
#ifdef BN_MP_KARATSUBA_SQR_C
if (a->used >= KARATSUBA_SQR_CUTOFF) {
res = mp_karatsuba_sqr (a, b);
- } else
+ } else
#endif
{
#ifdef BN_FAST_S_MP_SQR_C
/* can we use the fast comba multiplier? */
- if ((a->used * 2 + 1) < MP_WARRAY &&
- a->used <
+ if ((a->used * 2 + 1) < MP_WARRAY &&
+ a->used <
(1 << (sizeof(mp_word) * CHAR_BIT - 2*DIGIT_BIT - 1))) {
res = fast_s_mp_sqr (a, b);
} else
*/
/* this function is less generic than mp_n_root, simpler and faster */
-int mp_sqrt(mp_int *arg, mp_int *ret)
+int mp_sqrt(mp_int *arg, mp_int *ret)
{
int res;
mp_int t1,t2;
/* First approx. (not very bad for large arg) */
mp_rshd (&t1,t1.used/2);
- /* t1 > 0 */
+ /* t1 > 0 */
if ((res = mp_div(arg,&t1,&t2,NULL)) != MP_OKAY) {
goto E1;
}
goto E1;
}
/* And now t1 > sqrt(arg) */
- do {
+ do {
if ((res = mp_div(arg,&t1,&t2,NULL)) != MP_OKAY) {
goto E1;
}
* Tom St Denis, tomstdenis@gmail.com, http://libtom.org
*/
-/* multiplication using the Toom-Cook 3-way algorithm
+/* multiplication using the Toom-Cook 3-way algorithm
*
- * Much more complicated than Karatsuba but has a lower
- * asymptotic running time of O(N**1.464). This algorithm is
- * only particularly useful on VERY large inputs
+ * Much more complicated than Karatsuba but has a lower
+ * asymptotic running time of O(N**1.464). This algorithm is
+ * only particularly useful on VERY large inputs
* (we're talking 1000s of digits here...).
*/
int mp_toom_mul(mp_int *a, mp_int *b, mp_int *c)
{
mp_int w0, w1, w2, w3, w4, tmp1, tmp2, a0, a1, a2, b0, b1, b2;
int res, B;
-
+
/* init temps */
- if ((res = mp_init_multi(&w0, &w1, &w2, &w3, &w4,
- &a0, &a1, &a2, &b0, &b1,
+ if ((res = mp_init_multi(&w0, &w1, &w2, &w3, &w4,
+ &a0, &a1, &a2, &b0, &b1,
&b2, &tmp1, &tmp2, NULL)) != MP_OKAY) {
return res;
}
-
+
/* B */
B = MIN(a->used, b->used) / 3;
-
+
/* a = a2 * B**2 + a1 * B + a0 */
if ((res = mp_mod_2d(a, DIGIT_BIT * B, &a0)) != MP_OKAY) {
goto ERR;
goto ERR;
}
mp_rshd(&a2, B*2);
-
+
/* b = b2 * B**2 + b1 * B + b0 */
if ((res = mp_mod_2d(b, DIGIT_BIT * B, &b0)) != MP_OKAY) {
goto ERR;
goto ERR;
}
mp_rshd(&b2, B*2);
-
+
/* w0 = a0*b0 */
if ((res = mp_mul(&a0, &b0, &w0)) != MP_OKAY) {
goto ERR;
}
-
+
/* w4 = a2 * b2 */
if ((res = mp_mul(&a2, &b2, &w4)) != MP_OKAY) {
goto ERR;
}
-
+
/* w1 = (a2 + 2(a1 + 2a0))(b2 + 2(b1 + 2b0)) */
if ((res = mp_mul_2(&a0, &tmp1)) != MP_OKAY) {
goto ERR;
if ((res = mp_add(&tmp1, &a2, &tmp1)) != MP_OKAY) {
goto ERR;
}
-
+
if ((res = mp_mul_2(&b0, &tmp2)) != MP_OKAY) {
goto ERR;
}
if ((res = mp_add(&tmp2, &b2, &tmp2)) != MP_OKAY) {
goto ERR;
}
-
+
if ((res = mp_mul(&tmp1, &tmp2, &w1)) != MP_OKAY) {
goto ERR;
}
-
+
/* w3 = (a0 + 2(a1 + 2a2))(b0 + 2(b1 + 2b2)) */
if ((res = mp_mul_2(&a2, &tmp1)) != MP_OKAY) {
goto ERR;
if ((res = mp_add(&tmp1, &a0, &tmp1)) != MP_OKAY) {
goto ERR;
}
-
+
if ((res = mp_mul_2(&b2, &tmp2)) != MP_OKAY) {
goto ERR;
}
if ((res = mp_add(&tmp2, &b0, &tmp2)) != MP_OKAY) {
goto ERR;
}
-
+
if ((res = mp_mul(&tmp1, &tmp2, &w3)) != MP_OKAY) {
goto ERR;
}
-
+
/* w2 = (a2 + a1 + a0)(b2 + b1 + b0) */
if ((res = mp_add(&a2, &a1, &tmp1)) != MP_OKAY) {
if ((res = mp_mul(&tmp1, &tmp2, &w2)) != MP_OKAY) {
goto ERR;
}
-
- /* now solve the matrix
-
+
+ /* now solve the matrix
+
0 0 0 0 1
1 2 4 8 16
1 1 1 1 1
16 8 4 2 1
1 0 0 0 0
-
- using 12 subtractions, 4 shifts,
- 2 small divisions and 1 small multiplication
+
+ using 12 subtractions, 4 shifts,
+ 2 small divisions and 1 small multiplication
*/
-
+
/* r1 - r4 */
if ((res = mp_sub(&w1, &w4, &w1)) != MP_OKAY) {
goto ERR;
if ((res = mp_div_3(&w3, &w3, NULL)) != MP_OKAY) {
goto ERR;
}
-
+
/* at this point shift W[n] by B*n */
if ((res = mp_lshd(&w1, 1*B)) != MP_OKAY) {
goto ERR;
}
if ((res = mp_lshd(&w4, 4*B)) != MP_OKAY) {
goto ERR;
- }
-
+ }
+
if ((res = mp_add(&w0, &w1, c)) != MP_OKAY) {
goto ERR;
}
}
if ((res = mp_add(&tmp1, c, c)) != MP_OKAY) {
goto ERR;
- }
-
+ }
+
ERR:
- mp_clear_multi(&w0, &w1, &w2, &w3, &w4,
- &a0, &a1, &a2, &b0, &b1,
+ mp_clear_multi(&w0, &w1, &w2, &w3, &w4,
+ &a0, &a1, &a2, &b0, &b1,
&b2, &tmp1, &tmp2, NULL);
return res;
-}
-
+}
+
#endif
/* $Source: /cvs/libtom/libtommath/bn_mp_toom_mul.c,v $ */
* Tom St Denis, tomstdenis@gmail.com, http://libtom.org
*/
-/* stores a bignum as a ASCII string in a given radix (2..64)
+/* stores a bignum as a ASCII string in a given radix (2..64)
*
- * Stores upto maxlen-1 chars and always a NULL byte
+ * Stores upto maxlen-1 chars and always a NULL byte
*/
int mp_toradix_n(mp_int * a, char *str, int radix, int maxlen)
{
/* store the flag and mark the number as positive */
*str++ = '-';
t.sign = MP_ZPOS;
-
+
/* subtract a char */
--maxlen;
}
*tmpc++ &= MP_MASK;
}
- /* now copy higher words if any, that is in A+B
- * if A or B has more digits add those in
+ /* now copy higher words if any, that is in A+B
+ * if A or B has more digits add those in
*/
if (min != max) {
for (; i < max; i++) {
/* init M array */
/* init first cell */
if ((err = mp_init(&M[1])) != MP_OKAY) {
- return err;
+ return err;
}
/* now init the second half of the array */
if ((err = mp_init (&mu)) != MP_OKAY) {
goto LBL_M;
}
-
+
if (redmode == 0) {
if ((err = mp_reduce_setup (&mu, P)) != MP_OKAY) {
goto LBL_MU;
goto LBL_MU;
}
redux = mp_reduce_2k_l;
- }
+ }
/* create M table
*
- * The M table contains powers of the base,
+ * The M table contains powers of the base,
* e.g. M[x] = G**x mod P
*
- * The first half of the table is not
+ * The first half of the table is not
* computed though accept for M[0] and M[1]
*/
if ((err = mp_mod (G, P, &M[1])) != MP_OKAY) {
goto LBL_MU;
}
- /* compute the value at M[1<<(winsize-1)] by squaring
- * M[1] (winsize-1) times
+ /* compute the value at M[1<<(winsize-1)] by squaring
+ * M[1] (winsize-1) times
*/
if ((err = mp_copy (&M[1], &M[1 << (winsize - 1)])) != MP_OKAY) {
goto LBL_MU;
for (x = 0; x < (winsize - 1); x++) {
/* square it */
- if ((err = mp_sqr (&M[1 << (winsize - 1)],
+ if ((err = mp_sqr (&M[1 << (winsize - 1)],
&M[1 << (winsize - 1)])) != MP_OKAY) {
goto LBL_MU;
}
*/
/* multiplies |a| * |b| and only computes upto digs digits of result
- * HAC pp. 595, Algorithm 14.12 Modified so you can control how
+ * HAC pp. 595, Algorithm 14.12 Modified so you can control how
* many digits of output are created.
*/
int s_mp_mul_digs (mp_int * a, mp_int * b, mp_int * c, int digs)
/* can we use the fast multiplier? */
if (((digs) < MP_WARRAY) &&
- MIN (a->used, b->used) <
+ MIN (a->used, b->used) <
(1 << ((CHAR_BIT * sizeof (mp_word)) - (2 * DIGIT_BIT)))) {
return fast_s_mp_mul_digs (a, b, c, digs);
}
/* setup some aliases */
/* copy of the digit from a used within the nested loop */
tmpx = a->dp[ix];
-
+
/* an alias for the destination shifted ix places */
tmpt = t.dp + ix;
-
+
/* an alias for the digits of b */
tmpy = b->dp;
/* alias for where to store the results */
tmpt = t.dp + (2*ix + 1);
-
+
for (iy = ix + 1; iy < pa; iy++) {
/* first calculate the product */
r = ((mp_word)tmpx) * ((mp_word)a->dp[iy]);
-------------------------------------------------------------
Intel P4 Northwood /GCC v3.4.1 / 88/ 128/LTM 0.32 ;-)
AMD Athlon64 /GCC v3.4.4 / 80/ 120/LTM 0.35
-
+
*/
int KARATSUBA_MUL_CUTOFF = 80, /* Min. number of digits before Karatsuba multiplication is used. */
KARATSUBA_SQR_CUTOFF = 120, /* Min. number of digits before Karatsuba squaring is used. */
-
+
TOOM_MUL_CUTOFF = 350, /* no optimal values of these are known yet so set em high */
- TOOM_SQR_CUTOFF = 400;
+ TOOM_SQR_CUTOFF = 400;
#endif
/* $Source: /cvs/libtom/libtommath/bncore.c,v $ */
#define MPI_CONFIG_H_
/*
- For boolean options,
+ For boolean options,
0 = no
1 = yes
#define DIAG(T,V)
#endif
-/*
+/*
If MP_LOGTAB is not defined, use the math library to compute the
logarithms on the fly. Otherwise, use the static table below.
Pick which works best for your system.
/*
A table of the logs of 2 for various bases (the 0 and 1 entries of
- this table are meaningless and should not be referenced).
+ this table are meaningless and should not be referenced).
This table is used to compute output lengths for the mp_toradix()
function. Since a number n in radix r takes up about log_r(n)
log_r(n) = log_2(n) * log_r(2)
This table, therefore, is a table of log_r(2) for 2 <= r <= 36,
- which are the output bases supported.
+ which are the output bases supported.
*/
#include "logtab.h"
/* Value to digit maps for radix conversion */
/* s_dmap_1 - standard digits and letters */
-static const char *s_dmap_1 =
+static const char *s_dmap_1 =
"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz+/";
#if 0
/* {{{ Static function declarations */
-/*
+/*
If MP_MACRO is false, these will be defined as actual functions;
otherwise, suitable macro definitions will be used. This works
around the fact that ANSI C89 doesn't support an 'inline' keyword
return MP_OKAY;
CLEANUP:
- while(--pos >= 0)
+ while(--pos >= 0)
mp_clear(&mp[pos]);
return res;
if(ALLOC(to) >= USED(from)) {
s_mp_setz(DIGITS(to) + USED(from), ALLOC(to) - USED(from));
s_mp_copy(DIGITS(from), DIGITS(to), USED(from));
-
+
} else {
if((tmp = s_mp_alloc(USED(from), sizeof(mp_digit))) == NULL)
return MP_MEM;
{
ARGCHK(mp != NULL && count > 0, MP_BADARG);
- while(--count >= 0)
+ while(--count >= 0)
mp_clear(&mp[count]);
} /* end mp_clear_array() */
/* {{{ mp_zero(mp) */
/*
- mp_zero(mp)
+ mp_zero(mp)
Set mp to zero. Does not change the allocated size of the structure,
and therefore cannot fail (except on a bad argument, which we ignore)
if((res = s_mp_mul_2d(mp, CHAR_BIT)) != MP_OKAY)
return res;
- res = s_mp_add_d(mp,
+ res = s_mp_add_d(mp,
(mp_digit)((v >> (ix * CHAR_BIT)) & UCHAR_MAX));
if(res != MP_OKAY)
return res;
if((res = mp_copy(a, b)) != MP_OKAY)
return res;
- if(s_mp_cmp_d(b, 0) == MP_EQ)
+ if(s_mp_cmp_d(b, 0) == MP_EQ)
SIGN(b) = MP_ZPOS;
- else
+ else
SIGN(b) = (SIGN(b) == MP_NEG) ? MP_ZPOS : MP_NEG;
return MP_OKAY;
if(SIGN(a) == SIGN(b)) { /* same sign: add values, keep sign */
/* Commutativity of addition lets us do this in either order,
- so we avoid having to use a temporary even if the result
+ so we avoid having to use a temporary even if the result
is supposed to replace the output
*/
if(c == b) {
if(c != a && (res = mp_copy(a, c)) != MP_OKAY)
return res;
- if((res = s_mp_add(c, b)) != MP_OKAY)
+ if((res = s_mp_add(c, b)) != MP_OKAY)
return res;
}
} else if((cmp = s_mp_cmp(a, b)) > 0) { /* different sign: a > b */
/* If the output is going to be clobbered, we will use a temporary
- variable; otherwise, we'll do it without touching the memory
+ variable; otherwise, we'll do it without touching the memory
allocator at all, if possible
*/
if(c == b) {
mp_clear(&tmp);
} else {
- if(c != b && ((res = mp_copy(b, c)) != MP_OKAY))
+ if(c != b && ((res = mp_copy(b, c)) != MP_OKAY))
return res;
if((res = s_mp_sub(c, a)) != MP_OKAY)
if((res = s_mp_mul(c, b)) != MP_OKAY)
return res;
}
-
+
if(sgn == MP_ZPOS || s_mp_cmp_d(c, 0) == MP_EQ)
SIGN(c) = MP_ZPOS;
else
SIGN(c) = sgn;
-
+
return MP_OKAY;
} /* end mp_mul() */
return res;
}
- if(q)
+ if(q)
mp_zero(q);
return MP_OKAY;
SIGN(&rtmp) = MP_ZPOS;
/* Copy output, if it is needed */
- if(q)
+ if(q)
s_mp_exch(&qtmp, q);
- if(r)
+ if(r)
s_mp_exch(&rtmp, r);
CLEANUP:
/* Loop over bits of each non-maximal digit */
for(bit = 0; bit < DIGIT_BIT; bit++) {
if(d & 1) {
- if((res = s_mp_mul(&s, &x)) != MP_OKAY)
+ if((res = s_mp_mul(&s, &x)) != MP_OKAY)
goto CLEANUP;
}
d >>= 1;
-
+
if((res = s_mp_sqr(&x)) != MP_OKAY)
goto CLEANUP;
}
if((res = s_mp_sqr(&x)) != MP_OKAY)
goto CLEANUP;
}
-
+
if(mp_iseven(b))
SIGN(&s) = SIGN(a);
/*
If |a| > m, we need to divide to get the remainder and take the
- absolute value.
+ absolute value.
If |a| < m, we don't need to do any division, just copy and adjust
the sign (if a is negative).
if((mag = s_mp_cmp(a, m)) > 0) {
if((res = mp_div(a, m, NULL, c)) != MP_OKAY)
return res;
-
+
if(SIGN(c) == MP_NEG) {
if((res = mp_add(c, m, c)) != MP_OKAY)
return res;
return res;
}
-
+
} else {
mp_zero(c);
return MP_RANGE;
/* Special cases for zero and one, trivial */
- if(mp_cmp_d(a, 0) == MP_EQ || mp_cmp_d(a, 1) == MP_EQ)
+ if(mp_cmp_d(a, 0) == MP_EQ || mp_cmp_d(a, 1) == MP_EQ)
return mp_copy(a, b);
-
+
/* Initialize the temporaries we'll use below */
if((res = mp_init_size(&t, USED(a))) != MP_OKAY)
return res;
CLEANUP:
mp_clear(&x);
X:
- mp_clear(&t);
+ mp_clear(&t);
return res;
Compute c = (a ** b) mod m. Uses a standard square-and-multiply
method with modular reductions at each step. (This is basically the
same code as mp_expt(), except for the addition of the reductions)
-
+
The modular reductions are done using Barrett's algorithm (see
s_mp_reduce() below for details)
*/
mp_set(&s, 1);
/* mu = b^2k / m */
- s_mp_add_d(&mu, 1);
+ s_mp_add_d(&mu, 1);
s_mp_lshd(&mu, 2 * USED(m));
if((res = mp_div(&mu, m, &mu, NULL)) != MP_OKAY)
goto CLEANUP;
int out;
ARGCHK(a != NULL, MP_EQ);
-
+
mp_init(&tmp); mp_set_int(&tmp, z);
out = mp_cmp(a, &tmp);
mp_clear(&tmp);
if(mp_isodd(&u)) {
if((res = mp_copy(&v, &t)) != MP_OKAY)
goto CLEANUP;
-
+
/* t = -v */
if(SIGN(&v) == MP_ZPOS)
SIGN(&t) = MP_NEG;
else
SIGN(&t) = MP_ZPOS;
-
+
} else {
if((res = mp_copy(&u, &t)) != MP_OKAY)
goto CLEANUP;
if(y)
if((res = mp_copy(&D, y)) != MP_OKAY) goto CLEANUP;
-
+
if(g)
if((res = mp_mul(&gx, &v, g)) != MP_OKAY) goto CLEANUP;
/* {{{ mp_read_signed_bin(mp, str, len) */
-/*
+/*
mp_read_signed_bin(mp, str, len)
Read in a raw value (base 256) into the given mp_int
if((res = mp_add_d(mp, str[ix], mp)) != MP_OKAY)
return res;
}
-
+
return MP_OKAY;
-
+
} /* end mp_read_unsigned_bin() */
/* }}} */
/* {{{ mp_unsigned_bin_size(mp) */
-int mp_unsigned_bin_size(mp_int *mp)
+int mp_unsigned_bin_size(mp_int *mp)
{
mp_digit topdig;
int count;
}
return len;
-
+
} /* end mp_count_bits() */
/* }}} */
mp_err res;
mp_sign sig = MP_ZPOS;
- ARGCHK(mp != NULL && str != NULL && radix >= 2 && radix <= MAX_RADIX,
+ ARGCHK(mp != NULL && str != NULL && radix >= 2 && radix <= MAX_RADIX,
MP_BADARG);
mp_zero(mp);
/* Skip leading non-digit characters until a digit or '-' or '+' */
- while(str[ix] &&
- (s_mp_tovalue(str[ix], radix) < 0) &&
+ while(str[ix] &&
+ (s_mp_tovalue(str[ix], radix) < 0) &&
str[ix] != '-' &&
str[ix] != '+') {
++ix;
/* num = number of digits
qty = number of bits per digit
radix = target base
-
+
Return the number of digits in the specified radix that would be
needed to express 'num' digits of 'qty' bits each.
*/
++ix;
--pos;
}
-
+
mp_clear(&tmp);
}
/* {{{ s_mp_lshd(mp, p) */
-/*
+/*
Shift mp leftward by p digits, growing if needed, and zero-filling
the in-shifted digits at the right end. This is a convenient
alternative to multiplication by powers of the radix
- */
+ */
mp_err s_mp_lshd(mp_int *mp, mp_size p)
{
dp = DIGITS(mp);
/* Shift all the significant figures over as needed */
- for(ix = pos - p; ix >= 0; ix--)
+ for(ix = pos - p; ix >= 0; ix--)
dp[ix + p] = dp[ix];
/* Fill the bottom digits with zeroes */
/* {{{ s_mp_rshd(mp, p) */
-/*
+/*
Shift mp rightward by p digits. Maintains the invariant that
digits above the precision are all zero. Digits shifted off the
end are lost. Cannot fail.
end of the division process).
We multiply by the smallest power of 2 that gives us a leading digit
- at least half the radix. By choosing a power of 2, we simplify the
+ at least half the radix. By choosing a power of 2, we simplify the
multiplication and division steps to simple shifts.
*/
mp_digit s_mp_norm(mp_int *a, mp_int *b)
t <<= 1;
++d;
}
-
+
if(d != 0) {
s_mp_mul_2d(a, d);
s_mp_mul_2d(b, d);
test guarantees we have enough storage to do this safely.
*/
if(k) {
- dp[max] = k;
+ dp[max] = k;
USED(a) = max + 1;
}
s_mp_clamp(a);
return MP_OKAY;
-
+
} /* end s_mp_mul_d() */
/* }}} */
}
/* If we run out of 'b' digits before we're actually done, make
- sure the carries get propagated upward...
+ sure the carries get propagated upward...
*/
used = USED(a);
while(w && ix < used) {
/* Clobber any leading zeroes we created */
s_mp_clamp(a);
- /*
+ /*
If there was a borrow out, then |b| > |a| in violation
of our input invariant. We've already done the work,
but we'll at least complain about it...
s_mp_mod_2d(&q, (mp_digit)(DIGIT_BIT * (um + 1)));
#else
s_mp_mul_dig(&q, m, um + 1);
-#endif
+#endif
/* x = x - q */
if((res = mp_sub(x, &q, x)) != MP_OKAY)
pb = DIGITS(b);
for(ix = 0; ix < ub; ++ix, ++pb) {
- if(*pb == 0)
+ if(*pb == 0)
continue;
/* Inner product: Digits of a */
for(ix = 0; ix < len; ++ix, ++b) {
if(*b == 0)
continue;
-
+
pa = a;
for(jx = 0; jx < len; ++jx, ++pa) {
pt = out + ix + jx;
*/
for(jx = ix + 1, pa2 = DIGITS(a) + jx; jx < used; ++jx, ++pa2) {
mp_word u = 0, v;
-
+
/* Store this in a temporary to avoid indirections later */
pt = pbt + ix + jx;
v = *pt + k;
/* If we do not already have an overflow carry, check to see
- if the addition will cause one, and set the carry out if so
+ if the addition will cause one, and set the carry out if so
*/
u |= ((MP_WORD_MAX - v) < w);
/* If we are carrying out, propagate the carry to the next digit
in the output. This may cascade, so we have to be somewhat
circumspect -- but we will have enough precision in the output
- that we won't overflow
+ that we won't overflow
*/
kx = 1;
while(k) {
while(ix >= 0) {
/* Find a partial substring of a which is at least b */
while(s_mp_cmp(&rem, b) < 0 && ix >= 0) {
- if((res = s_mp_lshd(&rem, 1)) != MP_OKAY)
+ if((res = s_mp_lshd(&rem, 1)) != MP_OKAY)
goto CLEANUP;
if((res = s_mp_lshd(", 1)) != MP_OKAY)
}
/* If we didn't find one, we're finished dividing */
- if(s_mp_cmp(&rem, b) < 0)
- break;
+ if(s_mp_cmp(&rem, b) < 0)
+ break;
/* Compute a guess for the next quotient digit */
q = DIGIT(&rem, USED(&rem) - 1);
if((res = s_mp_mul_d(&t, q)) != MP_OKAY)
goto CLEANUP;
- /*
+ /*
If it's too big, back it off. We should not have to do this
more than once, or, in rare cases, twice. Knuth describes a
method by which this could be reduced to a maximum of once, but
}
/* Denormalize remainder */
- if(d != 0)
+ if(d != 0)
s_mp_div_2d(&rem, d);
s_mp_clamp(");
/* Copy quotient back to output */
s_mp_exch(", a);
-
+
/* Copy remainder back to output */
s_mp_exch(&rem, b);
mp_zero(a);
if((res = s_mp_pad(a, dig + 1)) != MP_OKAY)
return res;
-
+
DIGIT(a, dig) |= (1 << bit);
return MP_OKAY;
if(ua > 1)
return MP_GT;
- if(*ap < d)
+ if(*ap < d)
return MP_LT;
else if(*ap > d)
return MP_GT;
}
return ((uv - 1) * DIGIT_BIT) + extra;
- }
+ }
return -1;
int s_mp_tovalue(char ch, int r)
{
int val, xch;
-
+
if(r > 36)
xch = ch;
else
val = 62;
else if(xch == '/')
val = 63;
- else
+ else
return -1;
if(val < 0 || val >= r)
The results may be odd if you use a radix < 2 or > 64, you are
expected to know what you're doing.
*/
-
+
char s_mp_todigit(int val, int r, int low)
{
char ch;
/* {{{ s_mp_outlen(bits, radix) */
-/*
+/*
Return an estimate for how long a string is needed to hold a radix
r representation of a number with 'bits' significant bits.
/* detect 64-bit mode if possible */
-#if defined(__x86_64__)
+#if defined(__x86_64__)
#if !(defined(MP_64BIT) && defined(MP_16BIT) && defined(MP_8BIT))
#define MP_64BIT
#endif
/* this is to make porting into LibTomCrypt easier :-) */
#ifndef CRYPT
- #if defined(_MSC_VER) || defined(__BORLANDC__)
+ #if defined(_MSC_VER) || defined(__BORLANDC__)
typedef unsigned __int64 ulong64;
typedef signed __int64 long64;
#else
typedef unsigned long mp_digit;
typedef ulong64 mp_word;
-#ifdef MP_31BIT
+#ifdef MP_31BIT
/* this is an extension that uses 31-bit digits */
#define DIGIT_BIT 31
#else
/* default case is 28-bit digits, defines MP_28BIT as a handy macro to test */
#define DIGIT_BIT 28
#define MP_28BIT
-#endif
+#endif
#endif
/* define heap macros */
#ifndef CRYPT
/* default to libc stuff */
- #ifndef XMALLOC
+ #ifndef XMALLOC
#define XMALLOC malloc
#define XFREE free
#define XREALLOC realloc
#define MP_PREC 32 /* default digits of precision */
#else
#define MP_PREC 8 /* default digits of precision */
- #endif
+ #endif
#endif
/* size of comba arrays, should be at least 2 * 2**(BITS_PER_WORD - BITS_PER_DIGIT*2) */
int mp_prime_miller_rabin(mp_int *a, mp_int *b, int *result);
/* This gives [for a given bit size] the number of trials required
- * such that Miller-Rabin gives a prob of failure lower than 2^-96
+ * such that Miller-Rabin gives a prob of failure lower than 2^-96
*/
int mp_prime_rabin_miller_trials(int size);
int mp_prime_next_prime(mp_int *a, int t, int bbs_style);
/* makes a truly random prime of a given size (bytes),
- * call with bbs = 1 if you want it to be congruent to 3 mod 4
+ * call with bbs = 1 if you want it to be congruent to 3 mod 4
*
* You have to supply a callback which fills in a buffer with random bytes. "dat" is a parameter you can
* have passed to the callback (e.g. a state or something). This function doesn't use "dat" itself
/* makes a truly random prime of a given size (bits),
*
* Flags are as follows:
- *
+ *
* LTM_PRIME_BBS - make prime congruent to 3 mod 4
* LTM_PRIME_SAFE - make sure (p-1)/2 is prime as well (implies LTM_PRIME_BBS)
* LTM_PRIME_2MSB_OFF - make the 2nd highest bit zero
#undef BN_FAST_MP_INVMOD_C
/* To safely undefine these you have to make sure your RSA key won't exceed the Comba threshold
- * which is roughly 255 digits [7140 bits for 32-bit machines, 15300 bits for 64-bit machines]
+ * which is roughly 255 digits [7140 bits for 32-bit machines, 15300 bits for 64-bit machines]
* which means roughly speaking you can handle upto 2536-bit RSA keys with these defined without
- * trouble.
+ * trouble.
*/
#undef BN_S_MP_MUL_DIGS_C
#undef BN_S_MP_SQR_C
BN_bn2bin(bnI, I + i + vlen - j);
}
BN_free(bnI);
- }
+ }
BN_free(bnB);
BN_free(bnOne);
size_I = vlen * 2;
break;
indata = ((unsigned char *)indata) + len;
size -= len;
- }
+ }
close(fd);
}
break;
outdata += len;
size -= len;
- }
+ }
close(fd);
return ret;
k[j] = Sbox[k[j + 1] ^ k[j + T8]];
for (j = 0; j < 64; j++)
- key->data[j] = k[(j * 2) + 0] | (k[(j * 2) + 1] << 8);
+ key->data[j] = k[(j * 2) + 0] | (k[(j * 2) + 1] << 8);
memset(k, 0, sizeof(k));
}
memcpy(p, from, flen);
p += flen;
assert((p - p0) == size - 1);
-
+
mp_read_unsigned_bin(&dec, p0, size - 1);
free(p0);
*
* Speed for RSA in seconds
* no key blinding
- * 1000 iteration,
+ * 1000 iteration,
* same rsa keys (1024 and 2048)
* operation performed each eteration sign, verify, encrypt, decrypt on a random bit pattern
*
* name 1024 2048 4098
- * =================================
+ * =================================
* gmp: 0.73 6.60 44.80
* tfm: 2.45 -- --
* ltm: 3.79 20.74 105.41 (default in hcrypto)
free_DigestInfo(&di);
return -1;
}
-
+
ret = der_heim_oid_cmp(&digest_alg->algorithm,
&di.digestAlgorithm.algorithm);
free_DigestInfo(&di);
-
+
if (ret != 0)
return 0;
return 1;
RSA_free(k);
return NULL;
}
-
+
return k;
}
RSA_free(k);
return NULL;
}
-
+
return k;
}
T1 = HH + Sigma1(EE) + Ch(EE, FF, GG) + constant_256[i] + data[i];
T2 = Sigma0(AA) + Maj(AA,BB,CC);
-
+
HH = GG;
GG = FF;
FF = EE;
T1 = HH + Sigma1(EE) + Ch(EE, FF, GG) + constant_512[i] + data[i];
T2 = Sigma0(AA) + Maj(AA,BB,CC);
-
+
HH = GG;
GG = FF;
FF = EE;
*/
static int
-read_string(const char *preprompt, const char *prompt,
+read_string(const char *preprompt, const char *prompt,
char *buf, size_t len, int echo)
{
int of = 0;
if(of)
p--;
*p = 0;
-
+
if(echo == 0){
printf("\n");
}
signal(SIGINT, oldsigintr);
-
+
if(intr_flag)
return -2;
if(of)
"\xdc\x95\xc0\x78\xa2\x40\x89\x89\xad\x48\xa2\x14\x92\x84\x20\x87"
},
#if 0
- {
+ {
EVP_aes_128_cfb8,
"aes-cfb8-128",
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
"\x55\x95\x97\x76\xa9\x6c\x66\x40\x64\xc7\xf4\x1c\x21\xb7\x14\x1b"
},
#if 0
- {
+ {
EVP_camellia_128_cbc,
"camellia128",
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
NULL
},
#endif
- {
+ {
EVP_rc4,
"rc4 8",
"\x01\x23\x45\x67\x89\xAB\xCD\xEF",
if (ret == 0 && di) {
databases = di;
dt = &di->next;
- }
+ }
for ( ; db_binding != NULL; db_binding = db_binding->next) {
krb5_error_code
hdb_entry_check_mandatory(krb5_context context, const hdb_entry *ent)
{
- int i;
+ size_t i;
if (ent->extensions == NULL)
return 0;
HDB_extension *
hdb_find_extension(const hdb_entry *entry, int type)
{
- int i;
+ size_t i;
if (entry->extensions == NULL)
return NULL;
for (i = 0; i < entry->extensions->len; i++)
- if (entry->extensions->val[i].data.element == type)
+ if (entry->extensions->val[i].data.element == (unsigned)type)
return &entry->extensions->val[i];
return NULL;
}
Der_type replace_type, list_type;
unsigned int replace_tag, list_tag;
size_t size;
- int i;
+ size_t i;
ret = der_get_tag(ext->data.u.asn1_ellipsis.data,
ext->data.u.asn1_ellipsis.length,
hdb_entry *entry,
int type)
{
- int i;
+ size_t i;
if (entry->extensions == NULL)
return 0;
for (i = 0; i < entry->extensions->len; i++) {
- if (entry->extensions->val[i].data.element == type) {
+ if (entry->extensions->val[i].data.element == (unsigned)type) {
free_HDB_extension(&entry->extensions->val[i]);
memmove(&entry->extensions->val[i],
&entry->extensions->val[i + 1],
ext = hdb_find_extension(entry, choice_HDB_extension_data_password);
if (ext) {
- heim_utf8_string str;
+ heim_utf8_string xstr;
heim_octet_string pw;
if (db->hdb_master_key_set && ext->data.u.password.mkvno) {
return ret;
}
- str = pw.data;
- if (str[pw.length - 1] != '\0') {
+ xstr = pw.data;
+ if (xstr[pw.length - 1] != '\0') {
krb5_set_error_message(context, EINVAL, "malformed password");
return EINVAL;
}
- *p = strdup(str);
+ *p = strdup(xstr);
der_free_octet_string(&pw);
if (*p == NULL) {
krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
return ENOMEM;
}
-
+
(*db)->hdb_db = k;
{ HDB_INTERFACE_VERSION, "ldap:", hdb_ldap_create},
{ HDB_INTERFACE_VERSION, "ldapi:", hdb_ldapi_create},
#endif
+#ifdef HAVE_SQLITE3
{ HDB_INTERFACE_VERSION, "sqlite:", hdb_sqlite_create},
+#endif
{0, NULL, NULL}
};
void
hdb_free_entry(krb5_context context, hdb_entry_ex *ent)
{
- int i;
+ size_t i;
if (ent->free_entry)
(*ent->free_entry)(context, ent);
if (ret)
return ret;
- tag.data = HDB_DB_FORMAT_ENTRY;
+ tag.data = (void *)(intptr_t)HDB_DB_FORMAT_ENTRY;
tag.length = strlen(tag.data);
ret = (*db->hdb__get)(context, db, tag, &version);
ret2 = db->hdb_unlock(context, db);
if (ret)
return ret;
- tag.data = HDB_DB_FORMAT_ENTRY;
+ tag.data = (void *)(intptr_t)HDB_DB_FORMAT_ENTRY;
tag.length = strlen(tag.data);
snprintf(ver, sizeof(ver), "%u", HDB_DB_FORMAT);
version.data = ver;
if (asprintf(&symbol, "hdb_%s_interface", prefix) == -1)
krb5_errx(context, 1, "out of memory");
-
+
mso = (struct hdb_so_method *) dlsym(dl, symbol);
if (mso == NULL) {
krb5_warnx(context, "error finding symbol %s in %s: %s\n",
entry->entry.keys.val[0].mkvno = NULL;
entry->entry.keys.val[0].salt = NULL;
-
+
return krb5_copy_keyblock_contents(context,
&ktentry->keyblock,
&entry->entry.keys.val[0].key);
/**
* As part of iteration, fetch next entry
*/
- krb5_error_code (*hdb_nextkey)(krb5_context, struct HDB*,
+ krb5_error_code (*hdb_nextkey)(krb5_context, struct HDB*,
unsigned, hdb_entry_ex*);
/**
* Lock database
* ->hdb_store() into the database. The backend will still perform
* all other operations, increasing the kvno, and update
* modification timestamp.
- *
+ *
* The backend needs to call _kadm5_set_keys() and perform password
* quality checks.
*/
free_Key(&key);
return ENOMEM;
}
-
+
key.salt->type = salt->salttype;
krb5_data_zero (&key.salt->salt);
-
+
ret = krb5_data_copy(&key.salt->salt,
salt->saltvalue.data,
salt->saltvalue.length);
char **ktypes, **kp;
krb5_error_code ret;
Key *k, *key_set;
- int i, j;
- char *default_keytypes[] = {
+ size_t i, j;
+ static const char *default_keytypes[] = {
"aes256-cts-hmac-sha1-96:pw-salt",
"des3-cbc-sha1:pw-salt",
"arcfour-hmac-md5:pw-salt",
ktypes = krb5_config_get_strings(context, NULL, "kadmin",
"default_keys", NULL);
if (ktypes == NULL)
- ktypes = default_keytypes;
+ ktypes = (char **)(intptr_t)default_keytypes;
*ret_key_set = key_set = NULL;
*nkeyset = 0;
p = "des:afs3-salt";
else if (strcmp(p, "arcfour-hmac-md5") == 0)
p = "arcfour-hmac-md5:pw-salt";
-
+
memset(&salt, 0, sizeof(salt));
ret = parse_key_set(context, p,
*ret_key_set = key_set;
out:
- if (ktypes != default_keytypes)
+ if (ktypes != (char **)(intptr_t)default_keytypes)
krb5_config_free_strings(ktypes);
if (ret) {
Key **keys, size_t *num_keys)
{
krb5_error_code ret;
- int i;
+ size_t i;
ret = hdb_generate_key_set(context, principal,
keys, num_keys, 0);
struct hdb_data {
char *dbname;
- char *mkey;
+ char *mkey;
};
struct hdb_cursor {
const char *mkey = d->mkey;
char *fdbname = NULL, *fmkey = NULL;
HDB *db;
- int i;
+ size_t i;
memset(&ent, 0, sizeof(ent));
(*db->hdb_destroy)(context, db);
goto out2;
}
-
+
ret = (*db->hdb_open)(context, db, O_RDONLY, 0);
if (ret) {
(*db->hdb_destroy)(context, db);
goto out2;
}
-
+
ret = (*db->hdb_fetch_kvno)(context, db, principal,
HDB_F_DECRYPT|HDB_F_KVNO_SPECIFIED|
HDB_F_GET_CLIENT|HDB_F_GET_SERVER|HDB_F_GET_KRBTGT,
}else if(ret)
goto out;
- if(kvno && ent.entry.kvno != kvno) {
+ if(kvno && (krb5_kvno)ent.entry.kvno != kvno) {
hdb_free_entry(context, &ent);
ret = KRB5_KT_NOTFOUND;
goto out;
const char *dbname = d->dbname;
const char *mkey = d->mkey;
HDB *db;
-
+
if (dbname == NULL) {
/*
- * We don't support enumerating without being told what
+ * We don't support enumerating without being told what
* backend to enumerate on
*/
ret = KRB5_KT_NOTFOUND;
(*db->hdb_destroy)(context, db);
return ret;
}
-
+
ret = (*db->hdb_open)(context, db, O_RDONLY, 0);
if (ret) {
(*db->hdb_destroy)(context, db);
hdb_next_entry(krb5_context context,
krb5_keytab id,
krb5_keytab_entry *entry,
- krb5_kt_cursor *cursor)
+ krb5_kt_cursor *cursor)
{
struct hdb_cursor *c = cursor->data;
krb5_error_code ret;
-
+
memset(entry, 0, sizeof(*entry));
if (c->first) {
c->first = FALSE;
- ret = (c->db->hdb_firstkey)(context, c->db,
+ ret = (c->db->hdb_firstkey)(context, c->db,
HDB_F_DECRYPT|
HDB_F_GET_CLIENT|HDB_F_GET_SERVER|HDB_F_GET_KRBTGT,
&c->hdb_entry);
return KRB5_KT_END;
else if (ret)
return ret;
-
+
if (c->hdb_entry.entry.keys.len == 0)
hdb_free_entry(context, &c->hdb_entry);
else
c->next = FALSE;
- }
-
+ }
+
while (c->next) {
- ret = (c->db->hdb_nextkey)(context, c->db,
+ ret = (c->db->hdb_nextkey)(context, c->db,
HDB_F_DECRYPT|
HDB_F_GET_CLIENT|HDB_F_GET_SERVER|HDB_F_GET_KRBTGT,
&c->hdb_entry);
return KRB5_KT_END;
else if (ret)
return ret;
-
+
/* If no keys on this entry, try again */
if (c->hdb_entry.entry.keys.len == 0)
hdb_free_entry(context, &c->hdb_entry);
else
c->next = FALSE;
}
-
+
/*
* Return next enc type (keytabs are one slot per key, while
* hdb is one record per principal.
*/
-
- ret = krb5_copy_principal(context,
- c->hdb_entry.entry.principal,
+
+ ret = krb5_copy_principal(context,
+ c->hdb_entry.entry.principal,
&entry->principal);
if (ret)
return ret;
return ret;
}
c->key_idx++;
-
- /*
+
+ /*
* Once we get to the end of the list, signal that we want the
* next entry
*/
-
- if (c->key_idx == c->hdb_entry.entry.keys.len) {
+
+ if ((size_t)c->key_idx == c->hdb_entry.entry.keys.len) {
hdb_free_entry(context, &c->hdb_entry);
c->next = TRUE;
c->key_idx = 0;
krb5_storage *sp;
int16_t enctype;
krb5_keyblock key;
-
+
fd = open(filename, O_RDONLY | O_BINARY);
if(fd < 0) {
int save_errno = errno;
unsigned char buf[256];
ssize_t len;
size_t ret_len;
-
+
fd = open(filename, O_RDONLY | O_BINARY);
if(fd < 0) {
int save_errno = errno;
krb5_error_code ret;
unsigned char buf[256];
ssize_t len;
-
+
fd = open(filename, O_RDONLY | O_BINARY);
if(fd < 0) {
int save_errno = errno;
if(mkvno == NULL) {
if(ret == NULL || mkey->keytab.vno > ret->keytab.vno)
ret = mkey;
- } else if(mkey->keytab.vno == *mkvno)
+ } else if((uint32_t)mkey->keytab.vno == *mkvno)
return mkey;
mkey = mkey->next;
}
krb5_error_code
hdb_unseal_key_mkey(krb5_context context, Key *k, hdb_master_key mkey)
{
-
+
krb5_error_code ret;
krb5_data res;
size_t keysize;
if(k->mkvno == NULL)
return 0;
-
+
key = _hdb_find_master_key(k->mkvno, mkey);
if (key == NULL)
krb5_error_code
hdb_unseal_keys_mkey(krb5_context context, hdb_entry *ent, hdb_master_key mkey)
{
- int i;
+ size_t i;
for(i = 0; i < ent->keys.len; i++){
krb5_error_code ret;
return ENOMEM;
}
*k->mkvno = key->keytab.vno;
-
+
return 0;
}
krb5_error_code
hdb_seal_keys_mkey(krb5_context context, hdb_entry *ent, hdb_master_key mkey)
{
- int i;
+ size_t i;
for(i = 0; i < ent->keys.len; i++){
krb5_error_code ret;
}
if (flags & HX509_CA_TEMPLATE_EKU) {
ExtKeyUsage eku;
- int i;
+ size_t i;
ret = _hx509_cert_get_eku(context, cert, &eku);
if (ret)
return ret;
const char *str;
char *q;
int n;
-
+
/* count number of component */
n = 1;
for(str = principal; *str != '\0' && *str != '@'; str++){
goto out;
}
p.principalName.name_string.len = n;
-
+
p.principalName.name_type = KRB5_NT_PRINCIPAL;
q = s = strdup(principal);
if (q == NULL) {
const heim_oid *oid,
const char *string)
{
- const PKIXXmppAddr ustring = (const PKIXXmppAddr)string;
+ const PKIXXmppAddr ustring = (const PKIXXmppAddr)(intptr_t)string;
heim_octet_string os;
size_t size;
int ret;
der_free_bit_string(&tbs->subjectUniqueID);
der_free_bit_string(&tbs->issuerUniqueID);
-
+
if (subjectUniqueID) {
ret = der_copy_bit_string(subjectUniqueID, &tbs->subjectUniqueID);
if (ret)
void
hx509_cert_free(hx509_cert cert)
{
- int i;
+ size_t i;
if (cert == NULL)
return;
free(cert->friendlyname);
if (cert->basename)
hx509_name_free(&cert->basename);
- memset(cert, 0, sizeof(cert));
+ memset(cert, 0, sizeof(*cert));
free(cert);
}
}
void
-hx509_verify_ctx_f_allow_best_before_signature_algs(hx509_context ctx,
+hx509_verify_ctx_f_allow_best_before_signature_algs(hx509_context ctx,
int boolean)
{
if (boolean)
}
static const Extension *
-find_extension(const Certificate *cert, const heim_oid *oid, int *idx)
+find_extension(const Certificate *cert, const heim_oid *oid, size_t *idx)
{
const TBSCertificate *c = &cert->tbsCertificate;
{
const Extension *e;
size_t size;
- int i = 0;
+ size_t i = 0;
memset(ai, 0, sizeof(*ai));
{
const Extension *e;
size_t size;
- int i = 0;
+ size_t i = 0;
memset(si, 0, sizeof(*si));
{
const Extension *e;
size_t size;
- int i = 0;
+ size_t i = 0;
memset(nc, 0, sizeof(*nc));
}
static int
-find_extension_subject_alt_name(const Certificate *cert, int *i,
+find_extension_subject_alt_name(const Certificate *cert, size_t *i,
GeneralNames *sa)
{
const Extension *e;
{
const Extension *e;
size_t size;
- int i = 0;
+ size_t i = 0;
memset(eku, 0, sizeof(*eku));
void
hx509_free_octet_string_list(hx509_octet_string_list *list)
{
- int i;
+ size_t i;
for (i = 0; i < list->len; i++)
der_free_octet_string(&list->val[i]);
free(list->val);
hx509_octet_string_list *list)
{
GeneralNames sa;
- int ret, i, j;
+ int ret;
+ size_t i, j;
list->val = NULL;
list->len = 0;
const Extension *e;
KeyUsage ku;
size_t size;
- int ret, i = 0;
+ int ret;
+ size_t i = 0;
unsigned ku_flags;
if (_hx509_cert_get_version(cert) < 3)
static int
check_basic_constraints(hx509_context context, const Certificate *cert,
- enum certtype type, int depth)
+ enum certtype type, size_t depth)
{
BasicConstraints bc;
const Extension *e;
size_t size;
- int ret, i = 0;
+ int ret;
+ size_t i = 0;
if (_hx509_cert_get_version(cert) < 3)
return 0;
return -1;
if (ai.authorityCertIssuer->val[0].element != choice_GeneralName_directoryName)
return -1;
-
+
name.element =
ai.authorityCertIssuer->val[0].u.directoryName.element;
name.u.rdnSequence =
hx509_clear_error_string(context);
return HX509_ISSUER_NOT_FOUND;
}
-
+
hx509_set_error_string(context, 0, HX509_ISSUER_NOT_FOUND,
"Failed to find issuer for "
"certificate with subject: '%s'", str);
ProxyCertInfo info;
const Extension *e;
size_t size;
- int ret, i = 0;
+ int ret;
+ size_t i = 0;
if (rinfo)
memset(rinfo, 0, sizeof(*rinfo));
}
static int
-get_x_unique_id(hx509_context context, const char *name,
+get_x_unique_id(hx509_context context, const char *name,
const heim_bit_string *cert, heim_bit_string *subject)
{
int ret;
match_RDN(const RelativeDistinguishedName *c,
const RelativeDistinguishedName *n)
{
- int i;
+ size_t i;
if (c->len != n->len)
return HX509_NAME_CONSTRAINT_ERROR;
static int
match_X501Name(const Name *c, const Name *n)
{
- int i, ret;
+ size_t i;
+ int ret;
if (c->element != choice_Name_rdnSequence
|| n->element != choice_Name_rdnSequence)
int *same, int *match)
{
GeneralNames sa;
- int ret, i, j;
+ int ret;
+ size_t i, j;
i = 0;
do {
&& !subject_null_p(c))
{
GeneralName certname;
-
+
memset(&certname, 0, sizeof(certname));
certname.element = choice_GeneralName_directoryName;
certname.u.directoryName.element =
const Certificate *c)
{
int match, ret;
- int i;
+ size_t i;
for (i = 0 ; i < nc->len; i++) {
GeneralSubtrees gs;
static void
free_name_constraints(hx509_name_constraints *nc)
{
- int i;
+ size_t i;
for (i = 0 ; i < nc->len; i++)
free_NameConstraints(&nc->val[i]);
{
hx509_name_constraints nc;
hx509_path path;
- int ret, i, proxy_cert_depth, selfsigned_depth, diff;
+ int ret, proxy_cert_depth, selfsigned_depth, diff;
+ size_t i, k;
enum certtype type;
Name proxy_issuer;
hx509_certs anchors = NULL;
memset(&proxy_issuer, 0, sizeof(proxy_issuer));
ret = init_name_constraints(&nc);
- if (ret)
+ if (ret)
return ret;
path.val = NULL;
time_t t;
c = _hx509_get_cert(path.val[i]);
-
+
/*
* Lets do some basic check on issuer like
* keyUsage.keyCertSign and basicConstraints.cA bit depending
break;
case PROXY_CERT: {
- ProxyCertInfo info;
+ ProxyCertInfo info;
if (is_proxy_cert(context, c, &info) == 0) {
- int j;
+ size_t j;
if (info.pCPathLenConstraint != NULL &&
*info.pCPathLenConstraint < i)
}
/* XXX MUST check info.proxyPolicy */
free_ProxyCertInfo(&info);
-
+
j = 0;
if (find_extension(c, &asn1_oid_id_x509_ce_subjectAltName, &j)) {
ret = HX509_PROXY_CERT_INVALID;
"forbidden issuerAltName");
goto out;
}
-
+
/*
* The subject name of the proxy certificate should be
* CN=XXX,<proxy issuer>, prune of CN and check if its
}
if (cert->basename)
hx509_name_free(&cert->basename);
-
+
ret = _hx509_name_from_Name(&proxy_issuer, &cert->basename);
if (ret) {
hx509_clear_error_string(context);
i - proxy_cert_depth - selfsigned_depth);
if (ret)
goto out;
-
+
/*
* Don't check the trust anchors expiration time since they
* are transported out of band, from RFC3820.
* checked in the right order.
*/
- for (ret = 0, i = path.len - 1; i >= 0; i--) {
+ for (ret = 0, k = path.len; k > 0; k--) {
Certificate *c;
int selfsigned;
+ i = k - 1;
c = _hx509_get_cert(path.val[i]);
}
for (i = 0; i < path.len - 1; i++) {
- int parent = (i < path.len - 1) ? i + 1 : i;
+ size_t parent = (i < path.len - 1) ? i + 1 : i;
ret = hx509_revoke_verify(context,
ctx->revoke_ctx,
* parameter is passed up from the anchor up though the chain.
*/
- for (i = path.len - 1; i >= 0; i--) {
+ for (k = path.len; k > 0; k--) {
hx509_cert signer;
Certificate *c;
+ i = k - 1;
c = _hx509_get_cert(path.val[i]);
"Failed to verify signature of certificate");
goto out;
}
- /*
+ /*
* Verify that the sigature algorithm "best-before" date is
* before the creation date of the certificate, do this for
* trust anchors too, since any trust anchor that is created
*/
if (i != 0 && (ctx->flags & HX509_VERIFY_CTX_F_NO_BEST_BEFORE_CHECK) == 0) {
- time_t notBefore =
+ time_t notBefore =
_hx509_Time2time_t(&c->tbsCertificate.validity.notBefore);
ret = _hx509_signature_best_before(context,
&c->signatureAlgorithm,
{
GeneralNames san;
const Name *name;
- int ret, i, j;
+ int ret;
+ size_t i, j, k;
if (sa && sa_size <= 0)
return EINVAL;
heim_printable_string hn;
hn.data = rk_UNCONST(hostname);
hn.length = strlen(hostname);
-
+
if (der_printable_string_cmp(&san.val[j].u.dNSName, &hn) == 0) {
free_GeneralNames(&san);
return 0;
name = &cert->data->tbsCertificate.subject;
/* Find first CN= in the name, and try to match the hostname on that */
- for (ret = 0, i = name->u.rdnSequence.len - 1; ret == 0 && i >= 0; i--) {
+ for (ret = 0, k = name->u.rdnSequence.len; ret == 0 && k > 0; k--) {
+ i = k - 1;
for (j = 0; ret == 0 && j < name->u.rdnSequence.val[i].len; j++) {
AttributeTypeAndValue *n = &name->u.rdnSequence.val[i].val[j];
hx509_cert_attribute
hx509_cert_get_attribute(hx509_cert cert, const heim_oid *oid)
{
- int i;
+ size_t i;
for (i = 0; i < cert->attrs.len; i++)
if (der_heim_oid_cmp(oid, &cert->attrs.val[i]->oid) == 0)
return cert->attrs.val[i];
hx509_cert_attribute a;
PKCS9_friendlyName n;
size_t sz;
- int ret, i;
+ int ret;
+ size_t i;
if (cert->friendlyname)
return cert->friendlyname;
ret = decode_PKCS9_friendlyName(a->data.data, a->data.length, &n, &sz);
if (ret)
return NULL;
-
+
if (n.len != 1) {
free_PKCS9_friendlyName(&n);
return NULL;
{
rtbl_t t;
FILE *f;
- int type, mask, i, num;
+ int type, mask, num;
+ size_t i;
unsigned long multiqueries = 0, totalqueries = 0;
struct stat_el stats[32];
const heim_oid *eku, int allow_any_eku)
{
ExtKeyUsage e;
- int ret, i;
+ int ret;
+ size_t i;
ret = find_extension_eku(_hx509_get_cert(cert), &e);
if (ret) {
Certificate *cert;
const Extension *e;
size_t size;
- int ret, i = 0;
+ int ret;
+ size_t i = 0;
memset(ku, 0, sizeof(*ku));
else if (ret != 0)
goto out;
else {
- int i;
+ size_t i;
hx509_env enveku = NULL;
for (i = 0; i < eku.len; i++) {
"Out of memory");
goto out;
}
-
+
ret = hx509_env_add(context, &envhash, "sha1", buf);
free(buf);
- if (ret)
+ if (ret)
goto out;
ret = hx509_env_add_binding(context, &envcert, "hash", envhash);
unsigned char char_map[] = {
- 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
- 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
- 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
- 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
- 0x06 , 0x00 , 0x00 , 0x10 , 0x00 , 0x00 , 0x00 , 0x00 ,
- 0x00 , 0x00 , 0x00 , 0x12 , 0x12 , 0x02 , 0x02 , 0x02 ,
- 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 ,
- 0x02 , 0x02 , 0x02 , 0x10 , 0x10 , 0x12 , 0x10 , 0x02 ,
- 0x00 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 ,
- 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 ,
- 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 ,
- 0x02 , 0x02 , 0x02 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 ,
- 0x00 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 ,
- 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 ,
- 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 ,
- 0x02 , 0x02 , 0x02 , 0x00 , 0x00 , 0x00 , 0x00 , 0x21 ,
- 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
- 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
- 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
- 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
- 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
- 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
- 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
- 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
- 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
- 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
- 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
- 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
- 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
- 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
- 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
- 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21
+ 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
+ 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
+ 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
+ 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
+ 0x06 , 0x00 , 0x00 , 0x10 , 0x00 , 0x00 , 0x00 , 0x00 ,
+ 0x00 , 0x00 , 0x00 , 0x12 , 0x12 , 0x02 , 0x02 , 0x02 ,
+ 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 ,
+ 0x02 , 0x02 , 0x02 , 0x10 , 0x10 , 0x12 , 0x10 , 0x02 ,
+ 0x00 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 ,
+ 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 ,
+ 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 ,
+ 0x02 , 0x02 , 0x02 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 ,
+ 0x00 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 ,
+ 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 ,
+ 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 , 0x02 ,
+ 0x02 , 0x02 , 0x02 , 0x00 , 0x00 , 0x00 , 0x00 , 0x21 ,
+ 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
+ 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
+ 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
+ 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
+ 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
+ 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
+ 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
+ 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
+ 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
+ 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
+ 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
+ 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
+ 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
+ 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
+ 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 ,
+ 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21 , 0x21
};
heim_octet_string *params, params_data;
heim_octet_string ivec;
size_t size;
- int ret, i, matched = 0, findflags = 0;
+ int ret, matched = 0, findflags = 0;
+ size_t i;
memset(&key, 0, sizeof(key));
ret = hx509_crypto_init(context, NULL, &ai->algorithm, &crypto);
if (ret)
goto out;
-
+
if (flags & HX509_CMS_UE_ALLOW_WEAK)
hx509_crypto_allow_weak(crypto);
"of EnvelopedData");
goto out;
}
-
+
ret = hx509_crypto_decrypt(crypto,
enccontent->data,
enccontent->length,
"Failed to set crypto oid "
"for EnvelopedData");
goto out;
- }
+ }
ALLOC(enc_alg->parameters, 1);
if (enc_alg->parameters == NULL) {
ret = ENOMEM;
ri->version = 2;
cmsidflag = CMS_ID_SKI;
}
-
+
ret = fill_CMSIdentifier(cert, cmsidflag, &ri->rid);
if (ret) {
hx509_set_error_string(context, 0, ret,
static int
any_to_certs(hx509_context context, const SignedData *sd, hx509_certs certs)
{
- int ret, i;
+ int ret;
+ size_t i;
if (sd->certificates == NULL)
return 0;
static const Attribute *
find_attribute(const CMSAttributes *attr, const heim_oid *oid)
{
- int i;
+ size_t i;
for (i = 0; i < attr->len; i++)
if (der_heim_oid_cmp(&attr->val[i].type, oid) == 0)
return &attr->val[i];
hx509_certs certs = NULL;
SignedData sd;
size_t size;
- int ret, i, found_valid_sig;
+ int ret, found_valid_sig;
+ size_t i;
*signer_certs = NULL;
content->data = NULL;
if (signer_info->signedAttrs) {
const Attribute *attr;
-
+
CMSAttributes sa;
heim_octet_string os;
"messageDigest (signature)");
goto next_sigature;
}
-
+
ret = decode_MessageDigest(attr->value.val[0].data,
attr->value.val[0].length,
&os,
if (ret)
goto next_sigature;
- /**
+ /**
* If HX509_CMS_VS_NO_VALIDATE flags is set, do not verify the
* signing certificates and leave that up to the caller.
*/
return 0;
}
-
+
/**
* Decode SignedData and verify that the signature is correct.
*
hx509_clear_error_string(context);
} else {
ret = hx509_crypto_select(context, HX509_SELECT_DIGEST,
- _hx509_cert_private_key(cert),
+ _hx509_cert_private_key(cert),
sigctx->peer, &digest);
}
if (ret)
if (ret) {
hx509_clear_error_string(context);
goto out;
- }
+ }
signer_info->signedAttrs = NULL;
signer_info->unsignedAttrs = NULL;
*/
if (der_heim_oid_cmp(sigctx->eContentType, &asn1_oid_id_pkcs7_data) != 0) {
- CMSAttributes sa;
+ CMSAttributes sa;
heim_octet_string sig;
ALLOC(signer_info->signedAttrs, 1);
sa.val = signer_info->signedAttrs->val;
sa.len = signer_info->signedAttrs->len;
-
+
ASN1_MALLOC_ENCODE(CMSAttributes,
sigdata.data,
sigdata.length,
const unsigned int i = sigctx->sd.certificates->len;
void *ptr;
int ret;
-
+
ptr = realloc(sigctx->sd.certificates->val,
(i + 1) * sizeof(sigctx->sd.certificates->val[0]));
if (ptr == NULL)
ret = ENOMEM;
goto out;
}
-
+
sigctx.sd.encapContentInfo.eContent->data = malloc(length);
if (sigctx.sd.encapContentInfo.eContent->data == NULL) {
hx509_clear_error_string(context);
}
if (sigctx.sd.signerInfos.len) {
+
+ /*
+ * For each signerInfo, collect all different digest types.
+ */
for (i = 0; i < sigctx.sd.signerInfos.len; i++) {
AlgorithmIdentifier *di =
&sigctx.sd.signerInfos.val[i].digestAlgorithm;
for (j = 0; j < sigctx.sd.digestAlgorithms.len; j++)
if (cmp_AlgorithmIdentifier(di, &sigctx.sd.digestAlgorithms.val[j]) == 0)
break;
- if (j < sigctx.sd.digestAlgorithms.len) {
+ if (j == sigctx.sd.digestAlgorithms.len) {
ret = add_DigestAlgorithmIdentifiers(&sigctx.sd.digestAlgorithms, di);
if (ret) {
hx509_clear_error_string(context);
}
}
+ /*
+ * Add certs we think are needed, build as part of sig_process
+ */
if (sigctx.certs) {
ALLOC(sigctx.sd.certificates, 1);
if (sigctx.sd.certificates == NULL) {
return ENOMEM;
}
c->val.data = d;
-
+
ret = copy_AlgorithmIdentifier(alg, &key->alg);
if (ret) {
hx509_set_error_string(context, 0, ret, "Failed to copy "
ret = hx509_certs_find(context, certs, &q, &cert);
if (ret == 0) {
-
+
if (value->private_key)
_hx509_cert_assign_key(cert, value->private_key);
hx509_cert_free(cert);
hx509_certs *ret_certs)
{
hx509_certs certs;
- int ret, i;
+ int ret;
+ size_t i;
*ret_certs = NULL;
struct hx509_collector *c,
hx509_private_key **keys)
{
- int i, nkeys;
+ size_t i, nkeys;
*keys = NULL;
void
_hx509_collector_free(struct hx509_collector *c)
{
- int i;
+ size_t i;
if (c->unenvelop_certs)
hx509_certs_free(&c->unenvelop_certs);
}
static int
-parse_ECParameters(hx509_context context,
+parse_ECParameters(hx509_context context,
heim_octet_string *parameters, int *nid)
{
ECParameters ecparam;
ret = HX509_CRYPTO_SIG_INVALID_FORMAT;
return ret;
}
-
+
return 0;
}
p = spi->subjectPublicKey.data;
size = spi->subjectPublicKey.length / 8;
-
+
rsa = d2i_RSAPublicKey(NULL, &p, size);
if (rsa == NULL) {
ret = ENOMEM;
if (ret) {
goto out;
}
-
+
/* Check for extra data inside the sigature */
- if (size != retsize) {
+ if (size != (size_t)retsize) {
ret = HX509_CRYPTO_SIG_INVALID_FORMAT;
hx509_set_error_string(context, 0, ret, "size from decryption mismatch");
goto out;
}
-
+
if (sig_alg->digest_alg &&
der_heim_oid_cmp(&di.digestAlgorithm.algorithm,
&sig_alg->digest_alg->algorithm) != 0)
hx509_set_error_string(context, 0, ret, "object identifier in RSA sig mismatch");
goto out;
}
-
+
/* verify that the parameters are NULL or the NULL-type */
if (di.digestAlgorithm.parameters != NULL &&
(di.digestAlgorithm.parameters->length != 2 ||
data,
&di.digest);
} else {
- if (retsize != data->length ||
+ if ((size_t)retsize != data->length ||
ct_memcmp(to, data->data, retsize) != 0)
{
ret = HX509_CRYPTO_SIG_INVALID_FORMAT;
"RSA private encrypt failed: %d", ret);
return ret;
}
- if (ret > sig->length)
+ if ((size_t)ret > sig->length)
_hx509_abort("RSA signature prelen longer the output len");
sig->length = ret;
ret = parse_ECParameters(context, keyai->parameters, &groupnid);
if (ret)
return ret;
-
+
key = EC_KEY_new();
if (key == NULL)
return ENOMEM;
-
+
group = EC_GROUP_new_by_curve_name(groupnid);
if (group == NULL) {
EC_KEY_free(key);
}
static BIGNUM *
-ecdsa_get_internal(hx509_context context,
- hx509_private_key key,
+ecdsa_get_internal(hx509_context context,
+ hx509_private_key key,
const char *type)
{
return NULL;
if (ret)
return ret;
}
-
+
sig->data = malloc(sigsize);
if (sig->data == NULL) {
0,
NULL,
rsa_verify_signature,
- rsa_create_signature
+ rsa_create_signature,
+ 0
};
static const struct signature_alg pkcs1_rsa_sha1_alg = {
0,
NULL,
rsa_verify_signature,
- rsa_create_signature
+ rsa_create_signature,
+ 0
};
static const struct signature_alg rsa_with_sha512_alg = {
0,
NULL,
rsa_verify_signature,
- rsa_create_signature
+ rsa_create_signature,
+ 0
};
static const struct signature_alg rsa_with_sha384_alg = {
0,
NULL,
rsa_verify_signature,
- rsa_create_signature
+ rsa_create_signature,
+ 0
};
static const struct signature_alg rsa_with_sha256_alg = {
0,
NULL,
rsa_verify_signature,
- rsa_create_signature
+ rsa_create_signature,
+ 0
};
static const struct signature_alg rsa_with_sha1_alg = {
0,
NULL,
rsa_verify_signature,
- rsa_create_signature
+ rsa_create_signature,
+ 0
};
static const struct signature_alg rsa_with_sha1_alg_secsig = {
0,
NULL,
rsa_verify_signature,
- rsa_create_signature
+ rsa_create_signature,
+ 0
};
static const struct signature_alg rsa_with_md5_alg = {
1230739889,
NULL,
rsa_verify_signature,
- rsa_create_signature
+ rsa_create_signature,
+ 0
};
static const struct signature_alg dsa_sha1_alg = {
NULL,
dsa_verify_signature,
/* create_signature */ NULL,
+ 0
};
static const struct signature_alg sha512_alg = {
0,
EVP_sha512,
evp_md_verify_signature,
- evp_md_create_signature
+ evp_md_create_signature,
+ 0
};
static const struct signature_alg sha384_alg = {
0,
EVP_sha384,
evp_md_verify_signature,
- evp_md_create_signature
+ evp_md_create_signature,
+ 0
};
static const struct signature_alg sha256_alg = {
0,
EVP_sha256,
evp_md_verify_signature,
- evp_md_create_signature
+ evp_md_create_signature,
+ 0
};
static const struct signature_alg sha1_alg = {
0,
EVP_sha1,
evp_md_verify_signature,
- evp_md_create_signature
+ evp_md_create_signature,
+ 0
};
static const struct signature_alg md5_alg = {
0,
EVP_md5,
evp_md_verify_signature,
- NULL
+ NULL,
+ 0
};
/*
continue;
if (der_heim_oid_cmp(sig_algs[i]->key_oid, keytype) != 0)
continue;
- if (pk->ops->available &&
+ if (pk->ops->available &&
pk->ops->available(pk, sig_algs[i]->sig_alg) == 0)
continue;
if (type == HX509_SELECT_PUBLIC_SIG)
p = spi->subjectPublicKey.data;
size = spi->subjectPublicKey.length / 8;
-
+
rsa = d2i_RSAPublicKey(NULL, &p, size);
if (rsa == NULL) {
hx509_set_error_string(context, 0, ENOMEM, "out of memory");
"Failed to decrypt using private key: %d", ret);
return HX509_CRYPTO_RSA_PRIVATE_DECRYPT;
}
- if (cleartext->length < ret)
+ if (cleartext->length < (size_t)ret)
_hx509_abort("internal rsa decryption failure: ret > tosize");
cleartext->length = ret;
static const struct hx509cipher *
find_cipher_by_oid(const heim_oid *oid)
{
- int i;
+ size_t i;
for (i = 0; i < sizeof(ciphers)/sizeof(ciphers[0]); i++)
if (der_heim_oid_cmp(oid, ciphers[i].oid) == 0)
static const struct hx509cipher *
find_cipher_by_name(const char *name)
{
- int i;
+ size_t i;
for (i = 0; i < sizeof(ciphers)/sizeof(ciphers[0]); i++)
if (strcasecmp(name, ciphers[i].name) == 0)
int
hx509_crypto_set_key_data(hx509_crypto crypto, const void *data, size_t length)
{
- if (EVP_CIPHER_key_length(crypto->c) > length)
+ if (EVP_CIPHER_key_length(crypto->c) > (int)length)
return HX509_CRYPTO_INTERNAL_ERROR;
if (crypto->key.data) {
(crypto->flags & ALLOW_WEAK) == 0)
return HX509_CRYPTO_ALGORITHM_BEST_BEFORE;
- assert(EVP_CIPHER_iv_length(crypto->c) == ivec->length);
+ assert(EVP_CIPHER_iv_length(crypto->c) == (int)ivec->length);
EVP_CIPHER_CTX_init(&evp);
ret = ENOMEM;
goto out;
}
-
+
memcpy((*ciphertext)->data, data, length);
if (padsize) {
- int i;
+ size_t i;
unsigned char *p = (*ciphertext)->data;
p += length;
for (i = 0; i < padsize; i++)
(crypto->flags & ALLOW_WEAK) == 0)
return HX509_CRYPTO_ALGORITHM_BEST_BEFORE;
- if (ivec && EVP_CIPHER_iv_length(crypto->c) < ivec->length)
+ if (ivec && EVP_CIPHER_iv_length(crypto->c) < (int)ivec->length)
return HX509_CRYPTO_INTERNAL_ERROR;
if (crypto->key.data == NULL)
unsigned char *p;
int j, bsize = EVP_CIPHER_block_size(crypto->c);
- if (clear->length < bsize) {
+ if ((int)clear->length < bsize) {
ret = HX509_CMS_PADDING_ERROR;
goto out;
}
const EVP_CIPHER *c;
const EVP_MD *md;
PBE_string2key_func s2k;
- int i, ret = 0;
+ int ret = 0;
+ size_t i;
memset(&key, 0, sizeof(key));
memset(&iv, 0, sizeof(iv));
hx509_crypto_destroy(crypto);
if (ret == 0)
goto out;
-
+
}
out:
if (key.data)
if (ptr == NULL)
goto out;
*val = ptr;
-
+
ret = copy_AlgorithmIdentifier((ciphers[i].ai_func)(), &(*val)[len]);
if (ret)
goto out;
while (size > 0) {
ssize_t l;
-
+
length = size;
if (length > ENCODE_LINE_LENGTH)
length = ENCODE_LINE_LENGTH;
-
+
l = base64_encode(p, length, &line);
if (l < 0) {
hx509_set_error_string(context, 0, ENOMEM,
if (i > 0)
i--;
}
-
+
switch (where) {
case BEFORE:
if (strncmp("-----BEGIN ", buf, 11) == 0) {
free(p);
goto out;
}
-
+
data = erealloc(data, len + i);
memcpy(((char *)data) + len, p, i);
free(p);
return func(cert);
}
+/**
+ * Iterate over all certificates in a keystore and call an block
+ * for each fo them.
+ *
+ * @param context a hx509 context.
+ * @param certs certificate store to iterate over.
+ * @param func block to call for each certificate. The function
+ * should return non-zero to abort the iteration, that value is passed
+ * back to the caller of hx509_certs_iter().
+ *
+ * @return Returns an hx509 error code.
+ *
+ * @ingroup hx509_keyset
+ */
+
int
hx509_certs_iter(hx509_context context,
hx509_certs certs,
}
if (strcmp(dir->d_name, ".") == 0 || strcmp(dir->d_name, "..") == 0)
continue;
-
+
if (asprintf(&fn, "FILE:%s/%s", (char *)data, dir->d_name) == -1)
return ENOMEM;
-
+
ret = hx509_certs_init(context, fn, 0, NULL, &d->certs);
if (ret == 0) {
EVP_CipherInit_ex(&ctx, c, NULL, key, ivdata, 0);
EVP_Cipher(&ctx, clear.data, cipher, len);
EVP_CIPHER_CTX_cleanup(&ctx);
- }
+ }
ret = _hx509_collector_private_key_add(context,
collector,
{
PKCS8PrivateKeyInfo ki;
heim_octet_string keydata;
-
+
int ret;
ret = decode_PKCS8PrivateKeyInfo(data, length, &ki, NULL);
const EVP_CIPHER *cipher;
const struct _hx509_password *pw;
hx509_lock lock;
- int i, decrypted = 0;
+ int decrypted = 0;
+ size_t i;
lock = _hx509_collector_get_lock(c);
if (lock == NULL) {
"private key file");
return HX509_PARSING_KEY_FAILED;
}
-
+
pw = _hx509_lock_get_passwords(lock);
if (pw != NULL) {
const void *password;
for (i = 0; i < pw->len; i++) {
password = pw->val[i];
passwordlen = strlen(password);
-
- ret = try_decrypt(context, c, ai, cipher, ivdata,
+
+ ret = try_decrypt(context, c, ai, cipher, ivdata,
password, passwordlen, data, len);
if (ret == 0) {
decrypted = 1;
ret = hx509_lock_prompt(lock, &prompt);
if (ret == 0)
- ret = try_decrypt(context, c, ai, cipher, ivdata, password,
+ ret = try_decrypt(context, c, ai, cipher, ivdata, password,
strlen(password), data, len);
/* XXX add password to lock password collection ? */
memset(password, 0, sizeof(password));
const void *data, size_t len, void *ctx)
{
struct pem_ctx *pem_ctx = (struct pem_ctx*)ctx;
- int ret = 0, j;
+ int ret = 0;
+ size_t j;
for (j = 0; j < sizeof(formats)/sizeof(formats[0]); j++) {
const char *q = formats[j].name;
if (formats[j].ai != NULL)
ai = (*formats[j].ai)();
- ret = (*formats[j].func)(context, NULL, pem_ctx->c,
+ ret = (*formats[j].func)(context, NULL, pem_ctx->c,
header, data, len, ai);
if (ret && (pem_ctx->flags & HX509_CERTS_UNPROTECT_ALL)) {
hx509_set_error_string(context, HX509_ERROR_APPEND, ret,
pnext = strchr(p, ',');
if (pnext)
*pnext++ = '\0';
-
+
if ((f = fopen(p, "r")) == NULL) {
ret = ENOENT;
rk_cloexec_file(f);
ret = hx509_pem_read(context, f, pem_func, &pem_ctx);
- fclose(f);
+ fclose(f);
if (ret != 0 && ret != HX509_PARSING_KEY_FAILED)
goto out;
else if (ret == HX509_PARSING_KEY_FAILED) {
size_t length;
void *ptr;
- int i;
+ size_t i;
ret = rk_undumpdata(p, &ptr, &length);
if (ret) {
static int
getAttribute(SecKeychainItemRef itemRef, SecItemAttr item,
SecKeychainAttributeList **attrs)
-{
+{
SecKeychainAttributeInfo attrInfo;
UInt32 attrFormat = 0;
OSStatus ret;
in.Data = (uint8 *)from;
in.Length = flen;
-
+
sig.Data = (uint8 *)to;
sig.Length = kc->keysize;
-
+
cret = CSSM_SignData(sigHandle, &in, 1, CSSM_ALGID_NONE, &sig);
if(cret) {
/* cssmErrorString(cret); */
in.Data = (uint8 *)from;
in.Length = flen;
-
+
out.Data = (uint8 *)to;
out.Length = kc->keysize;
-
+
rem.Data = (uint8 *)remdata;
rem.Length = sizeof(remdata);
return 0;
else if (ret != 0)
return EINVAL;
-
+
/*
* Pick out certificate and matching "keyid"
*/
attrKeyid.tag = kSecKeyLabel;
attrKeyid.length = attrs->attr[0].length;
attrKeyid.data = attrs->attr[0].data;
-
+
attrList.count = 1;
attrList.attr = &attrKeyid;
hx509_set_error_string(context, 0, ENOMEM, "out of memory");
return ENOMEM;
}
- }
+ }
(*keys)[i] = NULL;
return 0;
}
}
ret = P11FUNC(p11rsa->p, Sign,
- (session, (CK_BYTE *)from, flen, to, &ck_sigsize));
+ (session, (CK_BYTE *)(intptr_t)from, flen, to, &ck_sigsize));
p11_put_session(p11rsa->p, p11rsa->slot, session);
if (ret != CKR_OK)
return -1;
}
ret = P11FUNC(p11rsa->p, Decrypt,
- (session, (CK_BYTE *)from, flen, to, &ck_sigsize));
+ (session, (CK_BYTE *)(intptr_t)from, flen, to, &ck_sigsize));
p11_put_session(p11rsa->p, p11rsa->slot, session);
if (ret != CKR_OK)
return -1;
prompt.type = HX509_PROMPT_TYPE_PASSWORD;
prompt.reply.data = pin;
prompt.reply.length = sizeof(pin);
-
+
ret = hx509_lock_prompt(lock, &prompt);
if (ret) {
free(str);
}
if (object_count == 0)
break;
-
+
for (i = 0; i < num_query; i++)
query[i].pValue = NULL;
ret = -1;
goto out;
}
-
+
ret = (*func)(context, p, slot, session, object, ptr, query, num_query);
if (ret)
goto out;
return ret;
}
-
+
static BIGNUM *
getattr_bn(struct p11_module *p,
struct p11_slot *slot,
{
heim_octet_string data;
-
+
data.data = query[0].pValue;
data.length = query[0].ulValueLen;
-
+
_hx509_set_cert_attribute(context,
cert,
&asn1_oid_id_pkcs_9_at_localKeyId,
{
CK_SLOT_ID_PTR slot_ids;
- int i, num_tokens = 0;
+ int num_tokens = 0;
+ size_t i;
slot_ids = malloc(p->num_slots * sizeof(*slot_ids));
if (slot_ids == NULL) {
ret = ENOMEM;
goto out;
}
-
+
for (i = 0; i < p->num_slots; i++) {
ret = p11_init_slot(context, p, lock, slot_ids[i], i, &p->slot[i]);
if (ret)
static void
p11_release_module(struct p11_module *p)
{
- int i;
+ size_t i;
if (p->ref == 0)
_hx509_abort("pkcs11 ref to low");
free(p->slot[i].mechs.list);
if (p->slot[i].mechs.infos) {
- int j;
+ size_t j;
for (j = 0 ; j < p->slot[i].mechs.num ; j++)
free(p->slot[i].mechs.infos[j]);
p11_free(hx509_certs certs, void *data)
{
struct p11_module *p = data;
- int i;
+ size_t i;
for (i = 0; i < p->num_slots; i++) {
if (p->slot[i].certs)
{
struct p11_module *p = data;
struct p11_cursor *c;
- int ret, i;
+ int ret;
+ size_t i;
c = malloc(sizeof(*c));
if (c == NULL) {
void *ctx)
{
struct p11_module *p = data;
- int i, j;
+ size_t i, j;
_hx509_pi_printf(func, ctx, "pkcs11 driver with %d slot%s",
p->num_slots, p->num_slots > 1 ? "s" : "");
static const PKCS12_Attribute *
find_attribute(const PKCS12_Attributes *attrs, const heim_oid *oid)
{
- int i;
+ size_t i;
if (attrs == NULL)
return NULL;
for (i = 0; i < attrs->len; i++)
const heim_oid *oids[] = {
&asn1_oid_id_pkcs_9_at_localKeyId, &asn1_oid_id_pkcs_9_at_friendlyName
};
- int i;
+ size_t i;
for (i = 0; i < sizeof(oids)/sizeof(oids[0]); i++) {
const heim_oid *oid = oids[i];
if (attr)
_hx509_set_cert_attribute(context, cert, oid,
&attr->attrValues);
- }
+ }
}
hx509_cert_free(cert);
const unsigned char *p, size_t len)
{
PKCS12_SafeContents sc;
- int ret, i;
+ int ret;
+ size_t i;
memset(&sc, 0, sizeof(sc));
heim_octet_string content;
heim_oid contentType;
int ret;
-
+
memset(&contentType, 0, sizeof(contentType));
ret = hx509_cms_decrypt_encrypted(context,
heim_oid contentType;
hx509_lock lock;
int ret;
-
+
memset(&contentType, 0, sizeof(contentType));
lock = _hx509_collector_get_lock(c);
const void *data, size_t length,
const PKCS12_Attributes *attrs)
{
- int i;
+ size_t i;
for (i = 0; i < sizeof(bagtypes)/sizeof(bagtypes[0]); i++)
if (der_heim_oid_cmp(bagtypes[i].oid, oid) == 0)
void *buf;
PKCS12_PFX pfx;
PKCS12_AuthenticatedSafe as;
- int ret, i;
+ int ret;
+ size_t i;
struct hx509_collector *c;
*data = NULL;
free_PKCS12_AuthenticatedSafe(&as);
if (ret)
return ret;
-
+
ret = der_parse_hex_heim_integer("03", &pfx.version);
if (ret) {
free(asdata.data);
void
hx509_lock_reset_passwords(hx509_lock lock)
{
- int i;
+ size_t i;
for (i = 0; i < lock->password.len; i++)
free(lock->password.val[i]);
free(lock->password.val);
const heim_oid *o;
wind_profile_flags flags;
} no[] = {
- { "C", &asn1_oid_id_at_countryName },
- { "CN", &asn1_oid_id_at_commonName },
- { "DC", &asn1_oid_id_domainComponent },
- { "L", &asn1_oid_id_at_localityName },
- { "O", &asn1_oid_id_at_organizationName },
- { "OU", &asn1_oid_id_at_organizationalUnitName },
- { "S", &asn1_oid_id_at_stateOrProvinceName },
- { "STREET", &asn1_oid_id_at_streetAddress },
- { "UID", &asn1_oid_id_Userid },
- { "emailAddress", &asn1_oid_id_pkcs9_emailAddress },
- { "serialNumber", &asn1_oid_id_at_serialNumber }
+ { "C", &asn1_oid_id_at_countryName, 0 },
+ { "CN", &asn1_oid_id_at_commonName, 0 },
+ { "DC", &asn1_oid_id_domainComponent, 0 },
+ { "L", &asn1_oid_id_at_localityName, 0 },
+ { "O", &asn1_oid_id_at_organizationName, 0 },
+ { "OU", &asn1_oid_id_at_organizationalUnitName, 0 },
+ { "S", &asn1_oid_id_at_stateOrProvinceName, 0 },
+ { "STREET", &asn1_oid_id_at_streetAddress, 0 },
+ { "UID", &asn1_oid_id_Userid, 0 },
+ { "emailAddress", &asn1_oid_id_pkcs9_emailAddress, 0 },
+ { "serialNumber", &asn1_oid_id_at_serialNumber, 0 }
};
static char *
static int
stringtooid(const char *name, size_t len, heim_oid *oid)
{
- int i, ret;
+ int ret;
+ size_t i;
char *s;
memset(oid, 0, sizeof(*oid));
_hx509_Name_to_string(const Name *n, char **str)
{
size_t total_len = 0;
- int i, j, ret;
+ size_t i, j, m;
+ int ret;
*str = strdup("");
if (*str == NULL)
return ENOMEM;
- for (i = n->u.rdnSequence.len - 1 ; i >= 0 ; i--) {
+ for (m = n->u.rdnSequence.len; m > 0; m--) {
size_t len;
+ i = m - 1;
for (j = 0; j < n->u.rdnSequence.val[i].len; j++) {
DirectoryString *ds = &n->u.rdnSequence.val[i].val[j].value;
char *oidname;
char *ss;
-
+
oidname = oidtostring(&n->u.rdnSequence.val[i].val[j].type);
switch(ds->element) {
ret = wind_ucs2utf8_length(bmp, bmplen, &k);
if (ret)
return ret;
-
+
ss = malloc(k + 1);
if (ss == NULL)
_hx509_abort("allocation failure"); /* XXX */
int
_hx509_name_cmp(const Name *n1, const Name *n2, int *c)
{
- int ret, i, j;
+ int ret;
+ size_t i, j;
*c = n1->u.rdnSequence.len - n2->u.rdnSequence.len;
if (*c)
&n1->u.rdnSequence.val[i].val[j].type);
if (*c)
return 0;
-
+
ret = _hx509_name_ds_cmp(&n1->u.rdnSequence.val[i].val[j].value,
&n2->u.rdnSequence.val[i].val[j].value,
c);
&name->u.rdnSequence.val[0],
name->u.rdnSequence.len *
sizeof(name->u.rdnSequence.val[0]));
-
+
rdn = &name->u.rdnSequence.val[0];
}
rdn->val = malloc(sizeof(rdn->val[0]));
"missing name before = in %s", p);
goto out;
}
-
- if ((q - p) > len) {
+
+ if ((size_t)(q - p) > len) {
ret = HX509_PARSING_NAME_FAILED;
hx509_set_error_string(context, 0, ret, " = after , in %s", p);
goto out;
"unknown type: %.*s", (int)(q - p), p);
goto out;
}
-
+
{
size_t pstr_len = len - (q - p) - 1;
const char *pstr = p + (q - p) + 1;
char *r;
-
+
r = malloc(pstr_len + 1);
if (r == NULL) {
der_free_oid(&oid);
hx509_env env)
{
Name *n = &name->der_name;
- int i, j;
+ size_t i, j;
if (env == NULL)
return 0;
hx509_bitstring_print(const heim_bit_string *b,
hx509_vprint_func func, void *ctx)
{
- int i;
+ size_t i;
print_func(func, ctx, "\tlength: %d\n\t", b->length);
for (i = 0; i < (b->length + 7) / 8; i++)
print_func(func, ctx, "%02x%s%s",
{
CRLDistributionPoints dp;
size_t size;
- int ret, i;
+ int ret;
+ size_t i;
check_Null(ctx, status, cf, e);
if (dp.val[i].distributionPoint) {
DistributionPointName dpname;
heim_any *data = dp.val[i].distributionPoint;
- int j;
-
+ size_t j;
+
ret = decode_DistributionPointName(data->data, data->length,
&dpname, NULL);
if (ret) {
switch (dpname.element) {
case choice_DistributionPointName_fullName:
validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "Fullname:\n");
-
+
for (j = 0 ; j < dpname.u.fullName.len; j++) {
char *s;
GeneralName *name = &dpname.u.fullName.val[j];
{
GeneralNames gn;
size_t size;
- int ret, i;
+ int ret;
+ size_t i;
check_Null(ctx, status, cf, e);
if (der_heim_oid_cmp(altname_types[j].oid,
&gn.val[i].u.otherName.type_id) != 0)
continue;
-
+
validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "%s: ",
altname_types[j].name);
(*altname_types[j].func)(ctx, &gn.val[i].u.otherName.value);
{
AuthorityInfoAccessSyntax aia;
size_t size;
- int ret, i;
+ int ret;
+ size_t i;
check_Null(ctx, status, cf, e);
{ ext(certificateIssuer, Null), M_C },
{ ext(nameConstraints, Null), M_C },
{ ext(cRLDistributionPoints, CRLDistributionPoints), S_N_C },
- { ext(certificatePolicies, Null) },
+ { ext(certificatePolicies, Null), 0 },
{ ext(policyMappings, Null), M_N_C },
{ ext(authorityKeyIdentifier, authorityKeyIdentifier), M_N_C },
{ ext(policyConstraints, Null), D_C },
check_Null, D_C },
{ "Netscape cert comment", &asn1_oid_id_netscape_cert_comment,
check_Null, D_C },
- { NULL }
+ { NULL, NULL, NULL, 0 }
};
/**
if ((t->version == NULL || *t->version < 2) && t->extensions)
validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
"Not version 3 certificate with extensions\n");
-
+
if (_hx509_cert_get_version(c) >= 3 && t->extensions == NULL)
validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
"Version 3 certificate without extensions\n");
free(str);
if (t->extensions) {
- int i, j;
+ size_t i, j;
if (t->extensions->len == 0) {
validate_print(ctx,
}
} else
validate_print(ctx, HX509_VALIDATE_F_VERBOSE, "no extentions\n");
-
+
if (status.isca) {
if (!status.haveSKI)
validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
"Is not CA and doesn't have "
"AuthorityKeyIdentifier\n");
}
-
+
if (!status.haveSKI)
validate_print(ctx, HX509_VALIDATE_F_VALIDATE,
hx509_cert signer = NULL;
hx509_query q;
int ret;
-
+
_hx509_query_clear(&q);
-
+
/*
* Need to match on issuer too in case there are two CA that have
* issued the same name to a certificate. One example of this is
q.keyhash_sha1 = &ocsp->ocsp.tbsResponseData.responderID.u.byKey;
break;
}
-
+
ret = hx509_certs_find(context, certs, &q, &signer);
if (ret && ocsp->certs)
ret = hx509_certs_find(context, ocsp->certs, &q, &signer);
}
if (basic.certs) {
- int i;
+ size_t i;
ret = hx509_certs_init(context, "MEMORY:ocsp-certs", 0,
NULL, &certs);
for (i = 0; i < basic.certs->len; i++) {
hx509_cert c;
-
+
ret = hx509_cert_init(context, &basic.certs->val[i], &c);
if (ret)
continue;
-
+
ret = hx509_certs_add(context, certs, c);
hx509_cert_free(c);
if (ret)
hx509_query q;
time_t t;
int ret;
-
+
t = _hx509_Time2time_t(&crl->tbsCertList.thisUpdate);
if (t > time_now) {
hx509_set_error_string(context, 0, HX509_CRL_USED_BEFORE_TIME,
}
_hx509_query_clear(&q);
-
+
/*
* If it's the signer have CRLSIGN bit set, use that as the signer
* cert for the certificate, otherwise, search for a certificate.
q.match = HX509_QUERY_MATCH_SUBJECT_NAME;
q.match |= HX509_QUERY_KU_CRLSIGN;
q.subject_name = &crl->tbsCertList.issuer;
-
+
ret = hx509_certs_find(context, certs, &q, &signer);
if (ret) {
hx509_set_error_string(context, HX509_ERROR_APPEND, ret,
hx509_cert crl_parent;
_hx509_query_clear(&q);
-
+
q.match = HX509_QUERY_MATCH_SUBJECT_NAME;
q.match |= HX509_QUERY_KU_CRLSIGN;
q.subject_name = &_hx509_get_cert(signer)->tbsCertificate.issuer;
-
+
ret = hx509_certs_find(context, certs, &q, &crl_parent);
if (ret) {
hx509_set_error_string(context, HX509_ERROR_APPEND, ret,
&c->tbsCertificate.serialNumber);
if (ret != 0)
continue;
-
+
/* verify issuer hashes hash */
ret = _hx509_verify_signature(context,
NULL,
if (ocsp->ocsp.tbsResponseData.responses.val[j].nextUpdate) {
if (*ocsp->ocsp.tbsResponseData.responses.val[j].nextUpdate < now)
continue;
- } else
- /* Should force a refetch, but can we ? */;
+ } /* else should force a refetch, but can we ? */
return 0;
}
t = _hx509_Time2time_t(&crl->crl.tbsCertList.revokedCertificates->val[j].revocationDate);
if (t > now)
continue;
-
+
if (crl->crl.tbsCertList.revokedCertificates->val[j].crlEntryExtensions)
for (k = 0; k < crl->crl.tbsCertList.revokedCertificates->val[j].crlEntryExtensions->len; k++)
if (crl->crl.tbsCertList.revokedCertificates->val[j].crlEntryExtensions->val[k].critical)
return HX509_CRL_UNKNOWN_EXTENSION;
-
+
hx509_set_error_string(context, 0,
HX509_CERT_REVOKED,
"Certificate revoked by issuer in CRL");
}
es = req.tbsRequest.requestExtensions;
-
+
es->val = calloc(es->len, sizeof(es->val[0]));
if (es->val == NULL) {
ret = ENOMEM;
goto out;
}
es->val[0].extnValue.length = 10;
-
+
ret = RAND_bytes(es->val[0].extnValue.data,
es->val[0].extnValue.length);
if (ret != 1) {
printable_time(time_t t)
{
static char s[128];
- strlcpy(s, ctime(&t)+ 4, sizeof(s));
- s[20] = 0;
+ char *p;
+ if ((p = ctime(&t)) == NULL)
+ strlcpy(s, "?", sizeof(s));
+ else {
+ strlcpy(s, p + 4, sizeof(s));
+ s[20] = 0;
+ }
return s;
}
hx509_revoke_ocsp_print(hx509_context context, const char *path, FILE *out)
{
struct revoke_ocsp ocsp;
- int ret, i;
+ int ret;
+ size_t i;
if (out == NULL)
out = stdout;
status = "element unknown";
}
- fprintf(out, "\t%d. status: %s\n", i, status);
+ fprintf(out, "\t%zu. status: %s\n", i, status);
fprintf(out, "\tthisUpdate: %s\n",
printable_time(ocsp.ocsp.tbsResponseData.responses.val[i].thisUpdate));
{
const Certificate *c = _hx509_get_cert(cert);
OCSPBasicOCSPResponse basic;
- int ret, i;
+ int ret;
+ size_t i;
if (now == 0)
now = time(NULL);
&c->tbsCertificate.serialNumber);
if (ret != 0)
continue;
-
+
/* verify issuer hashes hash */
ret = _hx509_verify_signature(context,
NULL,
{
hx509_name name;
char *subject;
-
+
ret = hx509_cert_get_subject(cert, &name);
if (ret) {
hx509_clear_error_string(context);
if (expr->op == comp_TAILEQ) {
size_t len1 = strlen(s1);
size_t len2 = strlen(s2);
-
+
if (len1 < len2)
return 0;
ret = strcmp(s1 + (len1 - len2), s2) == 0;
subenv = find_variable(context, env, subexpr);
if (subenv == NULL)
return FALSE;
-
+
while (subenv) {
if (subenv->type != env_string)
continue;
}
void
-_hx509_sel_yyerror (char *s)
+_hx509_sel_yyerror (const char *s)
{
if (_hx509_expr_input.error)
free(_hx509_expr_input.error);
int _hx509_sel_yyparse(void);
int _hx509_sel_yylex(void);
-void _hx509_sel_yyerror(char *);
+void _hx509_sel_yyerror(const char *);
if (ret) return 1;
ret = compare_subject(c2, c3, &l3);
if (ret) return 1;
-
+
if (l0 != 0) return 1;
if (l2 < l1) return 1;
if (l3 < l2) return 1;
static krb5_error_code
translate_cc_error(krb5_context context, cc_int32 error)
{
- int i;
+ size_t i;
krb5_clear_error_message(context);
for(i = 0; i < sizeof(cc_errors)/sizeof(cc_errors[0]); i++)
if (cc_errors[i].error == error)
if (cred->addresses.val == NULL)
goto nomem;
cred->addresses.len = i;
-
+
for (i = 0; i < cred->addresses.len; i++) {
cred->addresses.val[i].addr_type = incred->addresses[i]->type;
ret = krb5_data_copy(&cred->addresses.val[i].address,
cc_credentials_v5_t *cred)
{
krb5_error_code ret;
- int i;
+ size_t i;
memset(cred, 0, sizeof(*cred));
error = (*a->ccache->func->get_kdc_time_offset)(a->ccache,
cc_credentials_v5,
&offset);
- if (error == 0)
+ if (error == 0)
context->kdc_sec_offset = offset;
} else if (error == ccErrCCacheNotFound) {
{
return 0;
}
-
+
struct cache_iter {
cc_context_t context;
cc_ccache_iterator_t iter;
acc_close(context, *id);
*id = NULL;
return translate_cc_error(context, error);
- }
+ }
return 0;
}
(*cc->func->release)(cc);
return translate_cc_error(context, error);
}
-
+
error = asprintf(str, "API:%s", name->data);
(*name->func->release)(name);
(*cc->func->release)(cc);
acc_move,
acc_get_default_name,
acc_set_default,
- acc_lastchange
+ acc_lastchange,
+ NULL,
+ NULL,
};
#endif
void (*h_addr2sockaddr)(const char *, struct sockaddr *, krb5_socklen_t *, int);
krb5_error_code (*h_addr2addr)(const char *, krb5_address *);
krb5_boolean (*uninteresting)(const struct sockaddr *);
+ krb5_boolean (*is_loopback)(const struct sockaddr *);
void (*anyaddr)(struct sockaddr *, krb5_socklen_t *, int);
int (*print_addr)(const krb5_address *, char *, size_t);
int (*parse_addr)(krb5_context, const char*, krb5_address *);
return FALSE;
}
+static krb5_boolean
+ipv4_is_loopback (const struct sockaddr *sa)
+{
+ const struct sockaddr_in *sin4 = (const struct sockaddr_in *)sa;
+
+ if ((ntohl(sin4->sin_addr.s_addr) >> 24) == IN_LOOPBACKNET)
+ return TRUE;
+
+ return FALSE;
+}
+
static void
ipv4_anyaddr (struct sockaddr *sa, krb5_socklen_t *sa_size, int port)
{
const struct sockaddr_in6 *sin6 = (const struct sockaddr_in6 *)sa;
const struct in6_addr *in6 = (const struct in6_addr *)&sin6->sin6_addr;
- return
- IN6_IS_ADDR_LINKLOCAL(in6)
+ return IN6_IS_ADDR_LINKLOCAL(in6)
|| IN6_IS_ADDR_V4COMPAT(in6);
}
+static krb5_boolean
+ipv6_is_loopback (const struct sockaddr *sa)
+{
+ const struct sockaddr_in6 *sin6 = (const struct sockaddr_in6 *)sa;
+ const struct in6_addr *in6 = (const struct in6_addr *)&sin6->sin6_addr;
+
+ return (IN6_IS_ADDR_LOOPBACK(in6));
+}
+
static void
ipv6_anyaddr (struct sockaddr *sa, krb5_socklen_t *sa_size, int port)
{
if(inet_ntop(AF_INET6, addr->address.data, buf, sizeof(buf)) == NULL)
{
/* XXX this is pretty ugly, but better than abort() */
- int i;
+ size_t i;
unsigned char *p = addr->address.data;
buf[0] = '\0';
for(i = 0; i < addr->address.length; i++) {
sub_len = min(8, len);
m = 0xff << (8 - sub_len);
-
+
laddr.s6_addr[i] = addr.s6_addr[i] & m;
haddr.s6_addr[i] = (addr.s6_addr[i] & m) | ~m;
krb5_free_addresses(context, &addrmask);
return -1;
}
-
+
address += p - address + 1;
num = strtol(address, &q, 10);
} else {
krb5_addresses low, high;
-
+
strsep_copy(&address, "-", buf, sizeof(buf));
ret = krb5_parse_address(context, buf, &low);
if(ret)
krb5_free_addresses(context, &low);
return -1;
}
-
+
strsep_copy(&address, "-", buf, sizeof(buf));
ret = krb5_parse_address(context, buf, &high);
if(ret) {
krb5_free_addresses(context, &low);
return ret;
}
-
+
if(high.len != 1 && high.val[0].addr_type != low.val[0].addr_type) {
krb5_free_addresses(context, &low);
krb5_free_addresses(context, &high);
if (l > len)
l = len;
size = l;
-
+
ret = krb5_print_address (&a->low, str + size, len - size, &l);
if (ret)
return ret;
a = addr2->address.data;
a2 = addr1;
sign = -1;
- } else
+ } else {
abort();
-
+ UNREACHABLE(return 0);
+ }
+
if(a2->addr_type == KRB5_ADDRESS_ARANGE) {
struct arange *b = a2->address.data;
tmp1 = krb5_address_order(context, &a->low, &b->low);
}
static struct addr_operations at[] = {
- {AF_INET, KRB5_ADDRESS_INET, sizeof(struct sockaddr_in),
- ipv4_sockaddr2addr,
- ipv4_sockaddr2port,
- ipv4_addr2sockaddr,
- ipv4_h_addr2sockaddr,
- ipv4_h_addr2addr,
- ipv4_uninteresting, ipv4_anyaddr, ipv4_print_addr, ipv4_parse_addr,
- NULL, NULL, NULL, ipv4_mask_boundary },
+ {
+ AF_INET, KRB5_ADDRESS_INET, sizeof(struct sockaddr_in),
+ ipv4_sockaddr2addr,
+ ipv4_sockaddr2port,
+ ipv4_addr2sockaddr,
+ ipv4_h_addr2sockaddr,
+ ipv4_h_addr2addr,
+ ipv4_uninteresting,
+ ipv4_is_loopback,
+ ipv4_anyaddr,
+ ipv4_print_addr,
+ ipv4_parse_addr,
+ NULL,
+ NULL,
+ NULL,
+ ipv4_mask_boundary
+ },
#ifdef HAVE_IPV6
- {AF_INET6, KRB5_ADDRESS_INET6, sizeof(struct sockaddr_in6),
- ipv6_sockaddr2addr,
- ipv6_sockaddr2port,
- ipv6_addr2sockaddr,
- ipv6_h_addr2sockaddr,
- ipv6_h_addr2addr,
- ipv6_uninteresting, ipv6_anyaddr, ipv6_print_addr, ipv6_parse_addr,
- NULL, NULL, NULL, ipv6_mask_boundary } ,
+ {
+ AF_INET6, KRB5_ADDRESS_INET6, sizeof(struct sockaddr_in6),
+ ipv6_sockaddr2addr,
+ ipv6_sockaddr2port,
+ ipv6_addr2sockaddr,
+ ipv6_h_addr2sockaddr,
+ ipv6_h_addr2addr,
+ ipv6_uninteresting,
+ ipv6_is_loopback,
+ ipv6_anyaddr,
+ ipv6_print_addr,
+ ipv6_parse_addr,
+ NULL,
+ NULL,
+ NULL,
+ ipv6_mask_boundary
+ } ,
#endif
#ifndef HEIMDAL_SMALLER
/* fake address type */
- {KRB5_ADDRESS_ARANGE, KRB5_ADDRESS_ARANGE, sizeof(struct arange),
- NULL, NULL, NULL, NULL, NULL, NULL, NULL,
- arange_print_addr, arange_parse_addr,
- arange_order_addr, arange_free, arange_copy },
+ {
+ KRB5_ADDRESS_ARANGE, KRB5_ADDRESS_ARANGE, sizeof(struct arange),
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ arange_print_addr,
+ arange_parse_addr,
+ arange_order_addr,
+ arange_free,
+ arange_copy,
+ NULL
+ },
#endif
- {KRB5_ADDRESS_ADDRPORT, KRB5_ADDRESS_ADDRPORT, 0,
- NULL, NULL, NULL, NULL, NULL,
- NULL, NULL, addrport_print_addr, NULL, NULL, NULL, NULL }
+ {
+ KRB5_ADDRESS_ADDRPORT, KRB5_ADDRESS_ADDRPORT, 0,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ addrport_print_addr,
+ NULL,
+ NULL,
+ NULL,
+ NULL
+ }
};
static int num_addrs = sizeof(at) / sizeof(at[0]);
}
static struct addr_operations *
-find_atype(int atype)
+find_atype(krb5_address_type atype)
{
struct addr_operations *a;
return (*a->uninteresting)(sa);
}
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
+krb5_sockaddr_is_loopback(const struct sockaddr *sa)
+{
+ struct addr_operations *a = find_af(sa->sa_family);
+ if (a == NULL || a->is_loopback == NULL)
+ return TRUE;
+ return (*a->is_loopback)(sa);
+}
+
/**
* krb5_h_addr2sockaddr initializes a "struct sockaddr sa" from af and
* the "struct hostent" (see gethostbyname(3) ) h_addr_list
if (a == NULL || a->print_addr == NULL) {
char *s;
int l;
- int i;
+ size_t i;
s = str;
l = snprintf(s, len, "TYPE_%d:", addr->addr_type);
- if (l < 0 || l >= len)
+ if (l < 0 || (size_t)l >= len)
return EINVAL;
s += l;
len -= l;
for(i = 0; i < addr->address.length; i++) {
l = snprintf(s, len, "%02x", ((char*)addr->address.data)[i]);
- if (l < 0 || l >= len)
+ if (l < 0 || (size_t)l >= len)
return EINVAL;
len -= l;
s += l;
const krb5_address *addr,
const krb5_addresses *addrlist)
{
- int i;
+ size_t i;
for (i = 0; i < addrlist->len; ++i)
if (krb5_address_compare (context, addr, &addrlist->val[i]))
krb5_free_addresses(krb5_context context,
krb5_addresses *addresses)
{
- int i;
+ size_t i;
for(i = 0; i < addresses->len; i++)
krb5_free_address(context, &addresses->val[i]);
free(addresses->val);
const krb5_addresses *inaddr,
krb5_addresses *outaddr)
{
- int i;
+ size_t i;
ALLOC_SEQ(outaddr, inaddr->len);
if(inaddr->len > 0 && outaddr->val == NULL)
return ENOMEM;
{
krb5_address *tmp;
krb5_error_code ret;
- int i;
+ size_t i;
if(source->len > 0) {
tmp = realloc(dest->val, (dest->len + source->len) * sizeof(*tmp));
if(tmp == NULL) {
if(realm != NULL)
def_val = krb5_config_get_bool_default(context, NULL, def_val,
"realms", realm, option, NULL);
-
+
def_val = krb5_config_get_bool_default(context, NULL, def_val,
"appdefaults",
option,
return 0;
}
+/* coverity[+alloc : arg-*2] */
static krb5_error_code
copy_key(krb5_context context,
krb5_keyblock *in,
return copy_key(context, auth_context->local_subkey, keyblock);
}
+/* coverity[+alloc : arg-*2] */
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_auth_con_getremotesubkey(krb5_context context,
krb5_auth_context auth_context,
krb5_error_code ret;
krb5_authdata ad;
u_char *buf;
- size_t len;
+ size_t len = 0;
size_t buf_size;
- ret = krb5_init_etype(context, &etypes.len, &etypes.val, NULL);
+ ret = _krb5_init_etype(context, KRB5_PDU_NONE,
+ &etypes.len, &etypes.val,
+ NULL);
if (ret)
return ret;
Authenticator auth;
u_char *buf = NULL;
size_t buf_size;
- size_t len;
+ size_t len = 0;
krb5_error_code ret;
krb5_crypto crypto;
/**
* @page krb5_ccache_intro The credential cache functions
* @section section_krb5_ccache Kerberos credential caches
- *
+ *
* krb5_ccache structure holds a Kerberos credential cache.
*
* Heimdal support the follow types of credential caches:
{
return (*id->ops->set_flags)(context, id, flags);
}
-
+
/**
* Get the flags of `id', store them in `flags'.
*
ret = krb5_cc_get_principal(context, cache, &principal);
if (ret == 0) {
krb5_boolean match;
-
+
match = krb5_principal_compare(context, principal, client);
krb5_free_principal(context, principal);
if (match)
krb5_free_principal(context, client);
return ret;
}
-
+
/**
* Return TRUE (non zero) if the principal is a configuration
* principal (generated part of krb5_cc_set_config()). Returns FALSE
if (principal->name.name_string.len == 0 ||
strcmp(principal->name.name_string.val[0], KRB5_CONF_NAME) != 0)
return FALSE;
-
+
return TRUE;
}
/* not that anyone care when this expire */
cred.times.authtime = time(NULL);
cred.times.endtime = cred.times.authtime + 3600 * 24 * 30;
-
+
ret = krb5_data_copy(&cred.ticket, data->data, data->length);
if (ret)
goto out;
-
+
ret = krb5_cc_store_cred(context, id, &cred);
}
}
/**
- * Get next credential cache from the iteration.
+ * Get next credential cache from the iteration.
*
* @param context A Kerberos 5 context
* @param cursor the iteration cursor
krb5_ccache *cache)
{
krb5_error_code ret;
-
+
*cache = NULL;
while (cursor->idx < context->num_cc_ops) {
if (cursor->cursor == NULL) {
- ret = krb5_cc_cache_get_first (context,
+ ret = krb5_cc_cache_get_first (context,
context->cc_ops[cursor->idx]->prefix,
&cursor->cursor);
if (ret) {
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_cc_last_change_time(krb5_context context,
- krb5_ccache id,
+ krb5_ccache id,
krb5_timestamp *mtime)
{
*mtime = 0;
*t = 0;
now = time(NULL);
-
+
ret = krb5_cc_start_seq_get(context, id, &cursor);
if (ret)
return ret;
}
krb5_free_cred_contents(context, &cred);
}
-
+
krb5_cc_end_seq_get(context, id, &cursor);
return ret;
* SUCH DAMAGE.
*/
-#define KRB5_DEPRECATED
-
#include "krb5_locl.h"
#undef __attribute__
krb5_data krb_priv_data;
krb5_data pwd_data;
ChangePasswdDataMS chpw;
- size_t len;
+ size_t len = 0;
u_char header[4 + 6];
u_char *p;
struct iovec iov[3];
chpw.targname = NULL;
chpw.targrealm = NULL;
}
-
+
ASN1_MALLOC_ENCODE(ChangePasswdDataMS, pwd_data.data, pwd_data.length,
&chpw, &len, ret);
if (ret) {
{
krb5_error_code ret;
u_char reply[1024 * 3];
- ssize_t len;
+ size_t len;
uint16_t pkt_len, pkt_ver;
krb5_data ap_rep_data;
int save_errno;
_krb5_get_int(reply, &size, 4);
if (size + 4 < len)
continue;
- memmove(reply, reply + 4, size);
+ memmove(reply, reply + 4, size);
len = size;
break;
}
if (len < 6) {
str2data (result_string, "server %s sent to too short message "
- "(%ld bytes)", host, (long)len);
+ "(%zu bytes)", host, len);
*result_code = KRB5_KPASSWD_MALFORMED;
return 0;
}
chgpw_send_request,
process_reply
},
- { NULL }
+ { NULL, 0, NULL, NULL }
};
/*
if (!replied) {
replied = 0;
-
+
ret = (*proc->send_req) (context,
&auth_context,
creds,
* @ingroup @krb5_deprecated
*/
-KRB5_DEPRECATED
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_change_password (krb5_context context,
krb5_creds *creds,
int *result_code,
krb5_data *result_code_string,
krb5_data *result_string)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
struct kpwd_proc *p = find_chpw_proto("change password");
* SUCH DAMAGE.
*/
-#define KRB5_DEPRECATED
-
#include "krb5_locl.h"
#ifndef HEIMDAL_SMALLER
-KRB5_DEPRECATED
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_decode_EncTicketPart (krb5_context context,
const void *data,
size_t length,
EncTicketPart *t,
size_t *len)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
return decode_EncTicketPart(data, length, t, len);
}
-KRB5_DEPRECATED
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_encode_EncTicketPart (krb5_context context,
void *data,
size_t length,
EncTicketPart *t,
size_t *len)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
return encode_EncTicketPart(data, length, t, len);
}
-KRB5_DEPRECATED
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_decode_EncASRepPart (krb5_context context,
const void *data,
size_t length,
EncASRepPart *t,
size_t *len)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
return decode_EncASRepPart(data, length, t, len);
}
-KRB5_DEPRECATED
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_encode_EncASRepPart (krb5_context context,
void *data,
size_t length,
EncASRepPart *t,
size_t *len)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
return encode_EncASRepPart(data, length, t, len);
}
-KRB5_DEPRECATED
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_decode_EncTGSRepPart (krb5_context context,
const void *data,
size_t length,
EncTGSRepPart *t,
size_t *len)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
return decode_EncTGSRepPart(data, length, t, len);
}
-KRB5_DEPRECATED
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_encode_EncTGSRepPart (krb5_context context,
void *data,
size_t length,
EncTGSRepPart *t,
size_t *len)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
return encode_EncTGSRepPart(data, length, t, len);
}
-KRB5_DEPRECATED
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_decode_EncAPRepPart (krb5_context context,
const void *data,
size_t length,
EncAPRepPart *t,
size_t *len)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
return decode_EncAPRepPart(data, length, t, len);
}
-KRB5_DEPRECATED
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_encode_EncAPRepPart (krb5_context context,
void *data,
size_t length,
EncAPRepPart *t,
size_t *len)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
return encode_EncAPRepPart(data, length, t, len);
}
-KRB5_DEPRECATED
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_decode_Authenticator (krb5_context context,
const void *data,
size_t length,
Authenticator *t,
size_t *len)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
return decode_Authenticator(data, length, t, len);
}
-KRB5_DEPRECATED
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_encode_Authenticator (krb5_context context,
void *data,
size_t length,
Authenticator *t,
size_t *len)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
return encode_Authenticator(data, length, t, len);
}
-KRB5_DEPRECATED
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_decode_EncKrbCredPart (krb5_context context,
const void *data,
size_t length,
EncKrbCredPart *t,
size_t *len)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
return decode_EncKrbCredPart(data, length, t, len);
}
-KRB5_DEPRECATED
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_encode_EncKrbCredPart (krb5_context context,
void *data,
size_t length,
EncKrbCredPart *t,
size_t *len)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
return encode_EncKrbCredPart (data, length, t, len);
}
-KRB5_DEPRECATED
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_decode_ETYPE_INFO (krb5_context context,
const void *data,
size_t length,
ETYPE_INFO *t,
size_t *len)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
return decode_ETYPE_INFO(data, length, t, len);
}
-KRB5_DEPRECATED
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_encode_ETYPE_INFO (krb5_context context,
void *data,
size_t length,
ETYPE_INFO *t,
size_t *len)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
return encode_ETYPE_INFO (data, length, t, len);
}
-KRB5_DEPRECATED
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_decode_ETYPE_INFO2 (krb5_context context,
const void *data,
size_t length,
ETYPE_INFO2 *t,
size_t *len)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
return decode_ETYPE_INFO2(data, length, t, len);
}
-KRB5_DEPRECATED
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_encode_ETYPE_INFO2 (krb5_context context,
void *data,
size_t length,
ETYPE_INFO2 *t,
size_t *len)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
return encode_ETYPE_INFO2 (data, length, t, len);
}
* SUCH DAMAGE.
*/
-#define KRB5_DEPRECATED
-
#include "krb5_locl.h"
#ifdef __APPLE__
p = ptr->s + strcspn(ptr->s, "\n");
if(*p == '\n')
p++;
- l = min(len, p - ptr->s);
+ l = min(len, (size_t)(p - ptr->s));
if(len > 0) {
memcpy(str, ptr->s, l);
str[l] = '\0';
for(q = parent; *q != NULL; q = &(*q)->next)
if(type == krb5_config_list &&
- type == (*q)->type &&
+ (unsigned)type == (*q)->type &&
strcmp(name, (*q)->name) == 0)
return *q;
*q = calloc(1, sizeof(**q));
{
CFIndex len;
char *str;
-
+
str = (char *) CFStringGetCStringPtr(string, kCFStringEncodingUTF8);
if (str)
return strdup(str);
str = malloc(len);
if (str == NULL)
return NULL;
-
+
if (!CFStringGetCString (string, str, len, kCFStringEncodingUTF8)) {
free (str);
return NULL;
CFReadStreamRef s;
CFDictionaryRef d;
CFURLRef url;
-
+
url = CFURLCreateFromFileSystemRepresentation(kCFAllocatorDefault, (UInt8 *)path, strlen(path), FALSE);
if (url == NULL) {
krb5_clear_error_message(context);
#ifdef HAVE_CFPROPERTYLISTCREATEWITHSTREAM
d = (CFDictionaryRef)CFPropertyListCreateWithStream(NULL, s, 0, kCFPropertyListImmutable, NULL, NULL);
-#else
+#else
d = (CFDictionaryRef)CFPropertyListCreateFromStream(NULL, s, 0, kCFPropertyListImmutable, NULL, NULL);
#endif
CFRelease(s);
home = getenv("HOME");
if (home == NULL) {
- struct passwd *pw = getpwuid(getuid());
+ struct passwd *pw = getpwuid(getuid());
if(pw != NULL)
home = pw->pw_dir;
}
fname = newfname;
}
#else /* KRB5_USE_PATH_TOKENS */
- if (asprintf(&newfname, "%%{USERCONFIG}%s", &fname[1]) < 0 ||
+ if (asprintf(&newfname, "%%{USERCONFIG}%s", &fname[1]) < 0 ||
newfname == NULL)
{
krb5_set_error_message(context, ENOMEM,
return ret;
}
#else
- krb5_set_error_message(context, ENOENT,
+ krb5_set_error_message(context, ENOENT,
"no support for plist configuration files");
return ENOENT;
#endif
free(newfname);
return ret;
}
-
+
if (newfname)
free(newfname);
fname = newfname = exp_fname;
free(newfname);
return ret;
}
-
+
ret = krb5_config_parse_debug (&f, res, &lineno, &str);
fclose(f.f);
if (ret) {
const char *p = va_arg(args, const char *);
while(b != NULL) {
if(strcmp(b->name, name) == 0) {
- if(b->type == type && p == NULL) {
+ if(b->type == (unsigned)type && p == NULL) {
*pointer = b;
return b->u.generic;
} else if(b->type == krb5_config_list && p != NULL) {
/* we were called again, so just look for more entries with the
same name and type */
for (b = (*pointer)->next; b != NULL; b = b->next) {
- if(strcmp(b->name, (*pointer)->name) == 0 && b->type == type) {
+ if(strcmp(b->name, (*pointer)->name) == 0 && b->type == (unsigned)type) {
*pointer = b;
return b->u.generic;
}
*
* @ingroup krb5_support
*/
-
+
KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
krb5_config_get_string (krb5_context context,
const krb5_config_section *c,
}
static char *
-next_component_string(char * begin, char * delims, char **state)
+next_component_string(char * begin, const char * delims, char **state)
{
char * end;
* @ingroup krb5_deprecated
*/
-KRB5_DEPRECATED
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_config_parse_string_multi(krb5_context context,
const char *string,
krb5_config_section **res)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
const char *str;
unsigned lineno = 0;
*/
#include "krb5_locl.h"
+#include <assert.h>
#include <com_err.h>
#define INIT_FIELD(C, T, E, D, F) \
free(context->etypes_des);
context->etypes_des = tmptypes;
+ ret = set_etypes (context, "default_as_etypes", &tmptypes);
+ if(ret)
+ return ret;
+ free(context->as_etypes);
+ context->as_etypes = tmptypes;
+
+ ret = set_etypes (context, "default_tgs_etypes", &tmptypes);
+ if(ret)
+ return ret;
+ free(context->tgs_etypes);
+ context->tgs_etypes = tmptypes;
+
+ ret = set_etypes (context, "permitted_enctypes", &tmptypes);
+ if(ret)
+ return ret;
+ free(context->permitted_enctypes);
+ context->permitted_enctypes = tmptypes;
+
/* default keytab name */
tmp = NULL;
if(!issuid())
return 0;
}
-static const char *sysplugin_dirs[] = {
+static const char *sysplugin_dirs[] = {
LIBDIR "/plugin/krb5",
#ifdef __APPLE__
"/Library/KerberosPlugins/KerberosFrameworkPlugins",
krb5_context context = ctx;
_krb5_load_plugins(context, "krb5", sysplugin_dirs);
-
+
bindtextdomain(HEIMDAL_TEXTDOMAIN, HEIMDAL_LOCALEDIR);
}
ret = hx509_context_init(&p->hx509ctx);
if (ret)
goto out;
-#endif
+#endif
if (rk_SOCK_INIT())
p->flags |= KRB5_CTX_F_SOCKETS_INITIALIZED;
krb5_get_permitted_enctypes(krb5_context context,
krb5_enctype **etypes)
{
- return krb5_get_default_in_tkt_etypes(context, etypes);
+ return krb5_get_default_in_tkt_etypes(context, KRB5_PDU_NONE, etypes);
}
/*
*ret_enctypes = malloc(sizeof(ret_enctypes[0]) * i);
if (*ret_enctypes == NULL) {
- krb5_set_error_message(context, ENOMEM,
+ krb5_set_error_message(context, ENOMEM,
N_("malloc: out of memory", ""));
return ENOMEM;
}
p->default_cc_name = strdup(context->default_cc_name);
if (context->default_cc_name_env)
p->default_cc_name_env = strdup(context->default_cc_name_env);
-
+
if (context->etypes) {
ret = copy_etypes(context, context->etypes, &p->etypes);
if (ret)
}
if (context->default_realms) {
- ret = krb5_copy_host_realm(context,
+ ret = krb5_copy_host_realm(context,
context->default_realms, &p->default_realms);
if (ret)
goto out;
krb5_free_config_files(defpp);
if (ret) {
return ret;
- }
+ }
*pfilenames = pp;
return 0;
}
}
/*
- * set `etype' to a malloced list of the default enctypes
+ *
*/
static krb5_error_code
-default_etypes(krb5_context context, krb5_enctype **etype)
+copy_enctypes(krb5_context context,
+ const krb5_enctype *in,
+ krb5_enctype **out)
{
- const krb5_enctype *p;
- krb5_enctype *e = NULL, *ep;
- int i, n = 0;
-
- p = krb5_kerberos_enctypes(context);
+ krb5_enctype *p = NULL;
+ size_t m, n;
- for (i = 0; p[i] != ETYPE_NULL; i++) {
- if (krb5_enctype_valid(context, p[i]) != 0)
+ for (n = 0; in[n]; n++)
+ ;
+ n++;
+ ALLOC(p, n);
+ if(p == NULL)
+ return krb5_enomem(context);
+ for (n = 0, m = 0; in[n]; n++) {
+ if (krb5_enctype_valid(context, in[n]) != 0)
continue;
- ep = realloc(e, (n + 2) * sizeof(*e));
- if (ep == NULL) {
- free(e);
- krb5_set_error_message (context, ENOMEM, N_("malloc: out of memory", ""));
- return ENOMEM;
- }
- e = ep;
- e[n] = p[i];
- e[n + 1] = ETYPE_NULL;
- n++;
+ p[m++] = in[n];
+ }
+ p[m] = KRB5_ENCTYPE_NULL;
+ if (m == 0) {
+ free(p);
+ krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP,
+ N_("no valid enctype set", ""));
+ return KRB5_PROG_ETYPE_NOSUPP;
}
- *etype = e;
+ *out = p;
return 0;
}
+
+/*
+ * set `etype' to a malloced list of the default enctypes
+ */
+
+static krb5_error_code
+default_etypes(krb5_context context, krb5_enctype **etype)
+{
+ const krb5_enctype *p = krb5_kerberos_enctypes(context);
+ return copy_enctypes(context, p, etype);
+}
+
/**
* Set the default encryption types that will be use in communcation
* with the KDC, clients and servers.
{
krb5_error_code ret;
krb5_enctype *p = NULL;
- unsigned int n, m;
if(etypes) {
- for (n = 0; etypes[n]; n++)
- ;
- n++;
- ALLOC(p, n);
- if(!p) {
- krb5_set_error_message (context, ENOMEM,
- N_("malloc: out of memory", ""));
- return ENOMEM;
- }
- for (n = 0, m = 0; etypes[n]; n++) {
- ret = krb5_enctype_valid(context, etypes[n]);
- if (ret)
- continue;
- p[m++] = etypes[n];
- }
- p[m] = ETYPE_NULL;
- if (m == 0) {
- free(p);
- krb5_set_error_message (context, KRB5_PROG_ETYPE_NOSUPP,
- N_("no valid enctype set", ""));
- return KRB5_PROG_ETYPE_NOSUPP;
- }
+ ret = copy_enctypes(context, etypes, &p);
+ if (ret)
+ return ret;
}
if(context->etypes)
free(context->etypes);
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_default_in_tkt_etypes(krb5_context context,
+ krb5_pdu pdu_type,
krb5_enctype **etypes)
{
- krb5_enctype *p;
- int i;
+ krb5_enctype *enctypes = NULL;
krb5_error_code ret;
+ krb5_enctype *p;
- if(context->etypes) {
- for(i = 0; context->etypes[i]; i++);
- ++i;
- ALLOC(p, i);
- if(!p) {
- krb5_set_error_message (context, ENOMEM, N_("malloc: out of memory", ""));
- return ENOMEM;
- }
- memmove(p, context->etypes, i * sizeof(krb5_enctype));
+ heim_assert(pdu_type == KRB5_PDU_AS_REQUEST ||
+ pdu_type == KRB5_PDU_TGS_REQUEST ||
+ pdu_type == KRB5_PDU_NONE, "pdu contant not as expected");
+
+ if (pdu_type == KRB5_PDU_AS_REQUEST && context->as_etypes != NULL)
+ enctypes = context->as_etypes;
+ else if (pdu_type == KRB5_PDU_TGS_REQUEST && context->tgs_etypes != NULL)
+ enctypes = context->tgs_etypes;
+ else if (context->etypes != NULL)
+ enctypes = context->etypes;
+
+ if (enctypes != NULL) {
+ ret = copy_enctypes(context, enctypes, &p);
+ if (ret)
+ return ret;
} else {
ret = default_etypes(context, &p);
if (ret)
context->max_skew = t;
}
-/**
+/*
* Init encryption types in len, val with etypes.
*
* @param context Kerberos 5 context.
+ * @param pdu_type type of pdu
* @param len output length of val.
* @param val output array of enctypes.
* @param etypes etypes to set val and len to, if NULL, use default enctypes.
*/
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
-krb5_init_etype (krb5_context context,
+_krb5_init_etype(krb5_context context,
+ krb5_pdu pdu_type,
unsigned *len,
krb5_enctype **val,
const krb5_enctype *etypes)
{
- unsigned int i;
krb5_error_code ret;
- krb5_enctype *tmp = NULL;
- ret = 0;
- if (etypes == NULL) {
- ret = krb5_get_default_in_tkt_etypes(context, &tmp);
- if (ret)
- return ret;
- etypes = tmp;
- }
+ if (etypes == NULL)
+ ret = krb5_get_default_in_tkt_etypes(context, pdu_type, val);
+ else
+ ret = copy_enctypes(context, etypes, val);
+ if (ret)
+ return ret;
- for (i = 0; etypes[i]; ++i)
- ;
- *len = i;
- *val = malloc(i * sizeof(**val));
- if (i != 0 && *val == NULL) {
- ret = ENOMEM;
- krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
- goto cleanup;
+ if (len) {
+ *len = 0;
+ while ((*val)[*len] != KRB5_ENCTYPE_NULL)
+ (*len)++;
}
- memmove (*val,
- etypes,
- i * sizeof(*tmp));
-cleanup:
- if (tmp != NULL)
- free (tmp);
- return ret;
+ return 0;
}
/*
* SUCH DAMAGE.
*/
-#define KRB5_DEPRECATED
-
#include "krb5_locl.h"
#include "krb5-v4compat.h"
* @ingroup krb5_v4compat
*/
-KRB5_DEPRECATED
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb524_convert_creds_kdc(krb5_context context,
krb5_creds *in_cred,
struct credentials *v4creds)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
memset(v4creds, 0, sizeof(*v4creds));
krb5_set_error_message(context, EINVAL,
* @ingroup krb5_v4compat
*/
-KRB5_DEPRECATED
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb524_convert_creds_kdc_ccache(krb5_context context,
krb5_ccache ccache,
krb5_creds *in_cred,
struct credentials *v4creds)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
memset(v4creds, 0, sizeof(*v4creds));
krb5_set_error_message(context, EINVAL,
match = krb5_principal_compare (context, mcreds->client,
creds->client);
}
-
+
if (match && (whichfields & KRB5_TC_MATCH_KEYTYPE))
match = mcreds->session.keytype == creds->session.keytype;
krb5_DES_random_key,
krb5_DES_schedule_old,
_krb5_des_salt,
- krb5_DES_random_to_key
+ krb5_DES_random_to_key,
+ NULL,
+ NULL
};
static struct _krb5_key_type keytype_des = {
DES_cblock *k;
int i, j;
- memset(x, 0, sizeof(x));
+ memset(key->keyvalue.data, 0, key->keyvalue.length);
for (i = 0; i < 3; ++i) {
unsigned char foo;
for (j = 0; j < 7; ++j) {
{
size_t i, blocksize;
struct _krb5_evp_schedule *ctx = key->schedule->data;
- char tmp[EVP_MAX_BLOCK_LENGTH], ivec2[EVP_MAX_BLOCK_LENGTH];
+ unsigned char tmp[EVP_MAX_BLOCK_LENGTH], ivec2[EVP_MAX_BLOCK_LENGTH];
EVP_CIPHER_CTX *c;
unsigned char *p;
if (ivec)
memcpy(ivec, p, blocksize);
} else {
- char tmp2[EVP_MAX_BLOCK_LENGTH], tmp3[EVP_MAX_BLOCK_LENGTH];
+ unsigned char tmp2[EVP_MAX_BLOCK_LENGTH], tmp3[EVP_MAX_BLOCK_LENGTH];
p = data;
if (len > blocksize * 2) {
{
KRB5PrincipalName pn;
krb5_error_code ret;
- size_t size;
+ size_t size = 0;
pn.principalName = p->name;
pn.realm = p->realm;
PkinitSuppPubInfo pubinfo;
krb5_error_code ret;
krb5_data pub;
- size_t size;
+ size_t size = 0;
krb5_data_zero(other);
memset(&otherinfo, 0, sizeof(otherinfo));
return 0;
}
+
+
krb5_error_code
_krb5_pk_kdf(krb5_context context,
const struct AlgorithmIdentifier *ai,
size_t keylen, offset;
uint32_t counter;
unsigned char *keydata;
- unsigned char shaoutput[SHA_DIGEST_LENGTH];
+ unsigned char shaoutput[SHA512_DIGEST_LENGTH];
+ const EVP_MD *md;
EVP_MD_CTX *m;
- if (der_heim_oid_cmp(&asn1_oid_id_pkinit_kdf_ah_sha1, &ai->algorithm) != 0) {
+ if (der_heim_oid_cmp(&asn1_oid_id_pkinit_kdf_ah_sha1, &ai->algorithm) == 0) {
+ md = EVP_sha1();
+ } else if (der_heim_oid_cmp(&asn1_oid_id_pkinit_kdf_ah_sha256, &ai->algorithm) == 0) {
+ md = EVP_sha256();
+ } else if (der_heim_oid_cmp(&asn1_oid_id_pkinit_kdf_ah_sha512, &ai->algorithm) == 0) {
+ md = EVP_sha512();
+ } else {
krb5_set_error_message(context, KRB5_PROG_ETYPE_NOSUPP,
N_("KDF not supported", ""));
return KRB5_PROG_ETYPE_NOSUPP;
do {
unsigned char cdata[4];
- EVP_DigestInit_ex(m, EVP_sha1(), NULL);
+ EVP_DigestInit_ex(m, md, NULL);
_krb5_put_int(cdata, counter, 4);
EVP_DigestUpdate(m, cdata, 4);
EVP_DigestUpdate(m, dhdata, dhsize);
memcpy((unsigned char *)keydata + offset,
shaoutput,
- min(keylen - offset, sizeof(shaoutput)));
+ min(keylen - offset, EVP_MD_CTX_size(m)));
- offset += sizeof(shaoutput);
+ offset += EVP_MD_CTX_size(m);
counter++;
} while(offset < keylen);
memset(shaoutput, 0, sizeof(shaoutput));
* SUCH DAMAGE.
*/
-#define KRB5_DEPRECATED
-
#include "krb5_locl.h"
struct _krb5_key_usage {
unsigned char *ipad, *opad;
unsigned char *key;
size_t key_len;
- int i;
+ size_t i;
ipad = malloc(cm->blocksize + len);
if (ipad == NULL)
if(ct->flags & F_DERIVED)
ret = _get_derived_key(context, crypto, usage, key);
else if(ct->flags & F_VARIANT) {
- int i;
+ size_t i;
*key = _new_derived_key(crypto, 0xff/* KRB5_KU_RFC1510_VARIANT */);
if(*key == NULL) {
if(ct->verify) {
ret = (*ct->verify)(context, dkey, data, len, usage, cksum);
if (ret)
- krb5_set_error_message(context, ret,
+ krb5_set_error_message(context, ret,
N_("Decrypt integrity check failed for checksum "
"type %s, key type %s", ""),
ct->name, (crypto != NULL)? crypto->et->name : "(none)");
}
static krb5_crypto_iov *
-find_iv(krb5_crypto_iov *data, int num_data, int type)
+find_iv(krb5_crypto_iov *data, size_t num_data, unsigned type)
{
- int i;
+ size_t i;
for (i = 0; i < num_data; i++)
if (data[i].flags == type)
return &data[i];
struct _krb5_encryption_type *et = crypto->et;
krb5_crypto_iov *tiv, *hiv;
- if (num_data < 0) {
- krb5_clear_error_message(context);
- return KRB5_CRYPTO_INTERNAL;
- }
-
if(!derived_crypto(context, crypto)) {
krb5_clear_error_message(context);
return KRB5_CRYPTO_INTERNAL;
Checksum cksum;
krb5_crypto_iov *civ;
krb5_error_code ret;
- int i;
+ size_t i;
size_t len;
char *p, *q;
- if (num_data < 0) {
- krb5_clear_error_message(context);
- return KRB5_CRYPTO_INTERNAL;
- }
-
if(!derived_crypto(context, crypto)) {
krb5_clear_error_message(context);
return KRB5_CRYPTO_INTERNAL;
Checksum cksum;
krb5_crypto_iov *civ;
krb5_error_code ret;
- int i;
+ size_t i;
size_t len;
char *p, *q;
- if (num_data < 0) {
- krb5_clear_error_message(context);
- return KRB5_CRYPTO_INTERNAL;
- }
-
if(!derived_crypto(context, crypto)) {
krb5_clear_error_message(context);
return KRB5_CRYPTO_INTERNAL;
krb5_set_error_message(context, EINVAL, "not a derived crypto");
return EINVAL;
}
-
+
switch(type) {
case KRB5_CRYPTO_TYPE_EMPTY:
*len = 0;
unsigned int num_data)
{
krb5_error_code ret;
- int i;
+ size_t i;
for (i = 0; i < num_data; i++) {
ret = krb5_crypto_length(context, crypto,
/**
* Return the blocksize used algorithm referenced by the crypto context
- *
+ *
* @param context Kerberos context
* @param crypto crypto context to query
* @param blocksize the resulting blocksize
/**
* Return the encryption type used by the crypto context
- *
+ *
* @param context Kerberos context
* @param crypto crypto context to query
* @param enctype the resulting encryption type
/**
* Return the padding size used by the crypto context
- *
+ *
* @param context Kerberos context
* @param crypto crypto context to query
* @param padsize the return padding size
/**
* Return the confounder size used by the crypto context
- *
+ *
* @param context Kerberos context
* @param crypto crypto context to query
* @param confoundersize the returned confounder size
* @ingroup krb5_deprecated
*/
-KRB5_DEPRECATED
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_keytype_to_enctypes (krb5_context context,
krb5_keytype keytype,
unsigned *len,
krb5_enctype **val)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
int i;
unsigned n = 0;
*/
/* if two enctypes have compatible keys */
-KRB5_DEPRECATED
KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
krb5_enctypes_compatible_keys(krb5_context context,
krb5_enctype etype1,
krb5_enctype etype2)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
struct _krb5_encryption_type *e1 = _krb5_find_enctype(etype1);
struct _krb5_encryption_type *e2 = _krb5_find_enctype(etype2);
* @ingroup krb5
*/
-KRB5_DEPRECATED
KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
krb5_get_err_text(krb5_context context, krb5_error_code code)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
const char *p = NULL;
if(context != NULL)
/***********************************************************************
* Copyright (c) 2009, Secure Endpoints Inc.
* All rights reserved.
- *
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
- *
+ *
* - Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
- *
+ *
* - Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
- *
+ *
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
- *
+ *
**********************************************************************/
#include "krb5_locl.h"
if (le != 0) {
if (context)
- krb5_set_error_message(context, rv,
+ krb5_set_error_message(context, rv,
"Can't open thread token (GLE=%d)", le);
goto _exit;
}
if (context)
krb5_set_error_message(context, EINVAL, "Unable to determine folder path");
return EINVAL;
- }
+ }
len = strlen(path);
return ENOMEM;
}
-
+
{
size_t append_len = strlen(append);
char * new_str = realloc(*ppath_out, len + append_len + 1);
fcc_get_name(krb5_context context,
krb5_ccache id)
{
+ if (FCACHE(id) == NULL)
+ return NULL;
+
return FILENAME(id);
}
return ret;
}
sret = write(fd, data.data, data.length);
- ret = (sret != data.length);
+ ret = (sret != (ssize_t)data.length);
krb5_data_free(&data);
if (ret) {
ret = errno;
return errno;
memset(buf, 0, sizeof(buf));
while(pos > 0) {
- ssize_t tmp = write(fd, buf, min(sizeof(buf), pos));
+ ssize_t tmp = write(fd, buf, min((off_t)sizeof(buf), pos));
if (tmp < 0)
return errno;
fd = mkstemp(exp_file);
if(fd < 0) {
- int ret = errno;
- krb5_set_error_message(context, ret, N_("mkstemp %s failed", ""), exp_file);
+ int xret = errno;
+ krb5_set_error_message(context, xret, N_("mkstemp %s failed", ""), exp_file);
free(f);
free(exp_file);
- return ret;
+ return xret;
}
close(fd);
f->filename = exp_file;
krb5_boolean exclusive = ((flags | O_WRONLY) == flags ||
(flags | O_RDWR) == flags);
krb5_error_code ret;
- const char *filename = FILENAME(id);
+ const char *filename;
int fd;
+
+ if (FCACHE(id) == NULL)
+ return krb5_einval(context, 2);
+
+ filename = FILENAME(id);
+
fd = open(filename, flags, mode);
if(fd < 0) {
char buf[128];
krb5_fcache *f = FCACHE(id);
int ret = 0;
int fd;
- char *filename = f->filename;
- unlink (filename);
+ if (f == NULL)
+ return krb5_einval(context, 2);
+
+ unlink (f->filename);
ret = fcc_open(context, id, &fd, O_RDWR | O_CREAT | O_EXCL | O_BINARY | O_CLOEXEC, 0600);
if(ret)
}
}
ret |= krb5_store_principal(sp, primary_principal);
-
+
ret |= write_storage(context, sp, fd);
krb5_storage_free(sp);
fcc_close(krb5_context context,
krb5_ccache id)
{
+ if (FCACHE(id) == NULL)
+ return krb5_einval(context, 2);
+
free (FILENAME(id));
krb5_data_free(&id->data);
return 0;
fcc_destroy(krb5_context context,
krb5_ccache id)
{
+ if (FCACHE(id) == NULL)
+ return krb5_einval(context, 2);
+
_krb5_erase_file(context, FILENAME(id));
return 0;
}
krb5_error_code ret;
krb5_principal principal;
+ if (FCACHE(id) == NULL)
+ return krb5_einval(context, 2);
+
*cursor = malloc(sizeof(struct fcc_cursor));
if (*cursor == NULL) {
krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
krb5_creds *creds)
{
krb5_error_code ret;
+
+ if (FCACHE(id) == NULL)
+ return krb5_einval(context, 2);
+
+ if (FCC_CURSOR(*cursor) == NULL)
+ return krb5_einval(context, 3);
+
if((ret = fcc_lock(context, id, FCC_CURSOR(*cursor)->fd, FALSE)) != 0)
return ret;
krb5_ccache id,
krb5_cc_cursor *cursor)
{
+
+ if (FCACHE(id) == NULL)
+ return krb5_einval(context, 2);
+
+ if (FCC_CURSOR(*cursor) == NULL)
+ return krb5_einval(context, 3);
+
krb5_storage_free(FCC_CURSOR(*cursor)->sp);
close (FCC_CURSOR(*cursor)->fd);
free(*cursor);
char *newname = NULL;
int fd;
+ if (FCACHE(id) == NULL)
+ return krb5_einval(context, 2);
+
ret = krb5_cc_new_unique(context, krb5_cc_type_memory, NULL, ©);
if (ret)
return ret;
krb5_ccache id,
krb5_flags flags)
{
+ if (FCACHE(id) == NULL)
+ return krb5_einval(context, 2);
+
return 0; /* XXX */
}
fcc_get_version(krb5_context context,
krb5_ccache id)
{
+ if (FCACHE(id) == NULL)
+ return -1;
+
return FCACHE(id)->version;
}
-
+
struct fcache_iter {
int first;
};
const char *fn;
char *expandedfn = NULL;
+ if (iter == NULL)
+ return krb5_einval(context, 2);
+
if (!iter->first) {
krb5_clear_error_message(context);
return KRB5_CC_END;
fcc_end_cache_get(krb5_context context, krb5_cc_cursor cursor)
{
struct fcache_iter *iter = cursor;
+
+ if (iter == NULL)
+ return krb5_einval(context, 2);
+
free(iter);
return 0;
}
}
enum {
- LOOP = 1, /* do include loopback interfaces */
- LOOP_IF_NONE = 2, /* include loopback if no other if's */
+ LOOP = 1, /* do include loopback addrs */
+ LOOP_IF_NONE = 2, /* include loopback addrs if no others */
EXTRA_ADDRESSES = 4, /* include extra addresses */
SCAN_INTERFACES = 8 /* scan interfaces for addresses */
};
continue;
if (krb5_sockaddr_uninteresting(ifa->ifa_addr))
continue;
- if ((ifa->ifa_flags & IFF_LOOPBACK) != 0) {
+ if (krb5_sockaddr_is_loopback(ifa->ifa_addr) && (flags & LOOP) == 0)
/* We'll deal with the LOOP_IF_NONE case later. */
- if ((flags & LOOP) == 0)
- continue;
- }
+ continue;
ret = krb5_sockaddr2address(context, ifa->ifa_addr, &res->val[idx]);
if (ret) {
continue;
if (krb5_sockaddr_uninteresting(ifa->ifa_addr))
continue;
-
- if ((ifa->ifa_flags & IFF_LOOPBACK) != 0) {
- ret = krb5_sockaddr2address(context,
- ifa->ifa_addr, &res->val[idx]);
- if (ret) {
- /*
- * See comment above.
- */
- continue;
- }
- if((flags & EXTRA_ADDRESSES) &&
- krb5_address_search(context, &res->val[idx],
- &ignore_addresses)) {
- krb5_free_address(context, &res->val[idx]);
- continue;
- }
- idx++;
+ if (!krb5_sockaddr_is_loopback(ifa->ifa_addr))
+ continue;
+ if ((ifa->ifa_flags & IFF_LOOPBACK) == 0)
+ /* Presumably loopback addrs are only used on loopback ifs! */
+ continue;
+ ret = krb5_sockaddr2address(context,
+ ifa->ifa_addr, &res->val[idx]);
+ if (ret)
+ continue; /* We don't consider this failure fatal */
+ if((flags & EXTRA_ADDRESSES) &&
+ krb5_address_search(context, &res->val[idx],
+ &ignore_addresses)) {
+ krb5_free_address(context, &res->val[idx]);
+ continue;
}
+ idx++;
}
}
{
u_char *buf;
size_t buf_size;
- size_t len;
+ size_t len = 0;
krb5_data in_data;
krb5_error_code ret;
krb5_keyblock *subkey)
{
if(authdata->len) {
- size_t len, buf_size;
+ size_t len = 0, buf_size;
unsigned char *buf;
krb5_crypto crypto;
krb5_error_code ret;
}
t->req_body.etype.val[0] = in_creds->session.keytype;
} else {
- ret = krb5_init_etype(context,
- &t->req_body.etype.len,
- &t->req_body.etype.val,
- NULL);
+ ret = _krb5_init_etype(context,
+ KRB5_PDU_TGS_REQUEST,
+ &t->req_body.etype.len,
+ &t->req_body.etype.val,
+ NULL);
}
if (ret)
goto fail;
goto fail;
}
{
- int i;
+ size_t i;
for (i = 0; i < padata->len; i++) {
ret = copy_PA_DATA(&padata->val[i], &t->padata->val[i + 1]);
if (ret) {
ret = krb5_auth_con_init(context, &ac);
if(ret)
goto fail;
-
+
ret = krb5_auth_con_generatelocalsubkey(context, ac, &krbtgt->session);
if (ret)
goto fail;
-
+
ret = set_auth_data (context, &t->req_body, &in_creds->authdata,
ac->local_subkey);
if (ret)
goto fail;
-
+
ret = make_pa_tgs_req(context,
ac,
&t->req_body,
assert(usage == 0);
+ krb5_data_zero(&data);
+
/*
* start out with trying with subkey if we have one
*/
&dec_rep->enc_part,
&size);
if (ret)
- krb5_set_error_message(context, ret,
+ krb5_set_error_message(context, ret,
N_("Failed to decode encpart in ticket", ""));
krb5_data_free (&data);
return ret;
krb5_error_code ret;
unsigned nonce;
krb5_keyblock *subkey = NULL;
- size_t len;
+ size_t len = 0;
Ticket second_ticket_data;
METHOD_DATA padata;
PA_S4U2Self self;
krb5_data data;
void *buf;
- size_t size;
+ size_t size = 0;
self.name = impersonate_principal->name;
self.realm = impersonate_principal->realm;
self.auth = estrdup("Kerberos");
-
+
ret = _krb5_s4u2self_to_checksumdata(context, &self, &data);
if (ret) {
free(self.auth);
goto out;
if (len != size)
krb5_abortx(context, "internal asn1 error");
-
+
ret = krb5_padata_add(context, &padata, KRB5_PADATA_FOR_USER, buf, len);
if (ret)
goto out;
krb5_appdefault_boolean(context, NULL, krbtgt->server->realm,
"no-addresses", FALSE, &noaddr);
-
+
if (!noaddr) {
krb5_get_all_client_addrs(context, &addresses);
/* XXX this sucks. */
krb5_creds *in_creds,
krb5_const_realm try_realm,
krb5_principal impersonate_principal,
- Ticket *second_ticket,
+ Ticket *second_ticket,
krb5_creds **out_creds,
krb5_creds ***ret_tgts)
{
krb5_free_principal(context, tmp_creds.client);
return ret;
}
- /*
+ /*
* if either of the chain or the ok_as_delegate was stripped
* by the kdc, make sure we strip it too.
*/
return ret;
}
}
-
+
krb5_free_principal(context, tmp_creds.server);
krb5_free_principal(context, tmp_creds.client);
*out_creds = calloc(1, sizeof(**out_creds));
}
krb5_free_creds(context, tgt);
return ret;
-}
+}
/*
get_cred(server)
krb5_ccache ccache,
krb5_creds *in_creds,
krb5_principal impersonate_principal,
- Ticket *second_ticket,
+ Ticket *second_ticket,
krb5_creds **out_creds,
krb5_creds ***ret_tgts)
{
krb5_ccache ccache,
krb5_creds *in_creds,
krb5_principal impersonate_principal,
- Ticket *second_ticket,
+ Ticket *second_ticket,
krb5_creds **out_creds,
krb5_creds ***ret_tgts)
{
/* find tgt for the clients base realm */
{
krb5_principal tgtname;
-
+
ret = krb5_make_principal(context, &tgtname,
client_realm,
KRB5_TGS_NAME,
NULL);
if(ret)
return ret;
-
+
ret = find_cred(context, ccache, tgtname, *ret_tgts, &tgt);
krb5_free_principal(context, tgtname);
if (ret)
goto out;
}
tickets++;
- }
+ }
- /*
+ /*
* if either of the chain or the ok_as_delegate was stripped
* by the kdc, make sure we strip it too.
*/
krb5_ccache ccache,
krb5_creds *in_creds,
krb5_principal impersonate_principal,
- Ticket *second_ticket,
+ Ticket *second_ticket,
krb5_creds **out_creds,
krb5_creds ***ret_tgts)
{
*out_creds = res_creds;
return 0;
}
-
+
krb5_timeofday(context, &timeret);
if(res_creds->times.endtime > timeret) {
*out_creds = res_creds;
krb5_free_principal(context, in_creds.client);
goto out;
}
-
+
krb5_timeofday(context, &timeret);
if(res_creds->times.endtime > timeret) {
*out_creds = res_creds;
}
} else {
const char *realm = krb5_principal_get_realm(context, client);
-
+
ret = krb5_make_principal(context, &in.server, realm, KRB5_TGS_NAME,
realm, NULL);
if (ret) {
else
ret = krb5_make_principal(context, princ, NULL, "root", NULL);
} else {
- struct passwd *pw = getpwuid(uid);
+ struct passwd *pw = getpwuid(uid);
if(pw != NULL)
user = pw->pw_name;
else {
if (!noaddr)
paddrs = &addrs;
}
-
+
/*
* If tickets have addresses, get the address of the remote host.
*/
hostname, gai_strerror(ret));
return ret2;
}
-
+
ret = add_addrs (context, &addrs, ai);
freeaddrinfo (ai);
if (ret)
if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_TIME) {
krb5_timestamp sec;
int32_t usec;
-
+
krb5_us_timeofday (context, &sec, &usec);
-
+
ALLOC(enc_krb_cred_part.timestamp, 1);
if (enc_krb_cred_part.timestamp == NULL) {
ret = ENOMEM;
* used. Heimdal 0.7.2 and newer have code to try both in the
* receiving end.
*/
-
+
ret = krb5_crypto_init(context, auth_context->keyblock, 0, &crypto);
if (ret) {
free(buf);
domain++;
for (i = 0; labels[i] != NULL; i++) {
ret = snprintf(dom, sizeof(dom), "%s.%s.", labels[i], domain);
- if(ret < 0 || ret >= sizeof(dom)) {
+ if(ret < 0 || (size_t)ret >= sizeof(dom)) {
if (config_labels)
krb5_config_free_strings(config_labels);
return -1;
* SUCH DAMAGE.
*/
-#define KRB5_DEPRECATED
-
#include "krb5_locl.h"
#ifndef HEIMDAL_SMALLER
PA_ENC_TS_ENC p;
unsigned char *buf;
size_t buf_size;
- size_t len;
+ size_t len = 0;
EncryptedData encdata;
krb5_error_code ret;
int32_t usec;
krb5_crypto_destroy(context, crypto);
if (ret)
return ret;
-
+
ASN1_MALLOC_ENCODE(EncryptedData, buf, buf_size, &encdata, &len, ret);
free_EncryptedData(&encdata);
if (ret)
PA_DATA *pa2;
krb5_salt salt2;
krb5_enctype *ep;
- int i;
+ size_t i;
if(salt == NULL) {
/* default to standard salt */
*a->req_body.rtime = creds->times.renew_till;
}
a->req_body.nonce = nonce;
- ret = krb5_init_etype (context,
+ ret = _krb5_init_etype(context,
+ KRB5_PDU_AS_REQUEST,
&a->req_body.etype.len,
&a->req_body.etype.val,
etypes);
a->req_body.additional_tickets = NULL;
if(preauth != NULL) {
- int i;
+ size_t i;
ALLOC(a->padata, 1);
if(a->padata == NULL) {
ret = ENOMEM;
a->padata->len = 0;
for(i = 0; i < preauth->len; i++) {
if(preauth->val[i].type == KRB5_PADATA_ENC_TIMESTAMP){
- int j;
+ size_t j;
for(j = 0; j < preauth->val[i].info.len; j++) {
krb5_salt *sp = &salt;
add_padata(context, a->padata, creds->client,
key_proc, keyseed, a->req_body.etype.val,
a->req_body.etype.len, NULL);
-
+
/* make a v4 salted pa-data */
salt.salttype = KRB5_PW_SALT;
krb5_data_zero(&salt.saltvalue);
if(error->e_data) {
METHOD_DATA md;
- int i;
+ size_t i;
decode_METHOD_DATA(error->e_data->data,
error->e_data->length,
&md,
return(1);
}
-KRB5_DEPRECATED
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_in_cred(krb5_context context,
krb5_flags options,
krb5_const_pointer decryptarg,
krb5_creds *creds,
krb5_kdc_rep *ret_as_reply)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
krb5_error_code ret;
AS_REQ a;
krb5_kdc_rep rep;
krb5_data req, resp;
- size_t len;
+ size_t len = 0;
krb5_salt salt;
krb5_keyblock *key;
size_t size;
if(pa) {
salt.salttype = pa->padata_type;
salt.saltvalue = pa->padata_value;
-
+
ret = (*key_proc)(context, etype, salt, keyseed, &key);
} else {
/* make a v5 salted pa-data */
ret = krb5_get_pw_salt (context, creds->client, &salt);
-
+
if (ret)
goto out;
ret = (*key_proc)(context, etype, salt, keyseed, &key);
}
if (ret)
goto out;
-
+
{
unsigned flags = EXTRACT_TICKET_TIMESYNC;
if (opts.request_anonymous)
return ret;
}
-KRB5_DEPRECATED
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_in_tkt(krb5_context context,
krb5_flags options,
krb5_creds *creds,
krb5_ccache ccache,
krb5_kdc_rep *ret_as_reply)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
krb5_error_code ret;
error_code SERVICE_NOMATCH, "Unacceptable service used"
error_code NOT_SEEKABLE, "File descriptor not seekable"
error_code TOO_BIG, "Offset too large"
+error_code BAD_HDBENT_ENCODING, "Invalid HDB entry encoding"
index 64
prefix HEIM_PKINIT
*opt = NULL;
o = calloc(1, sizeof(*o));
if (o == NULL) {
- krb5_set_error_message(context, ENOMEM,
+ krb5_set_error_message(context, ENOMEM,
N_("malloc: out of memory", ""));
return ENOMEM;
}
o->opt_private = calloc(1, sizeof(*o->opt_private));
if (o->opt_private == NULL) {
- krb5_set_error_message(context, ENOMEM,
+ krb5_set_error_message(context, ENOMEM,
N_("malloc: out of memory", ""));
free(o);
return ENOMEM;
* @ingroup krb5_deprecated
*/
-KRB5_DEPRECATED
KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_get_init_creds_opt_init(krb5_get_init_creds_opt *opt)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
memset (opt, 0, sizeof(*opt));
}
* @ingroup krb5_deprecated
*/
-KRB5_DEPRECATED
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_init_creds_opt_get_error(krb5_context context,
krb5_get_init_creds_opt *opt,
KRB_ERROR **error)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
*error = calloc(1, sizeof(**error));
if (*error == NULL) {
KRB_ERROR error;
AS_REP as_rep;
EncKDCRepPart enc_part;
-
+
krb5_prompter_fct prompter;
void *prompter_data;
if (lr->val[i].lr_value <= t) {
switch (abs(lr->val[i].lr_type)) {
case LR_PW_EXPTIME :
- report_expiration(context, ctx->prompter,
+ report_expiration(context, ctx->prompter,
ctx->prompter_data,
"Your password will expire at ",
lr->val[i].lr_value);
reported = TRUE;
break;
case LR_ACCT_EXPTIME :
- report_expiration(context, ctx->prompter,
+ report_expiration(context, ctx->prompter,
ctx->prompter_data,
"Your account will expire at ",
lr->val[i].lr_value);
if (!reported
&& ctx->enc_part.key_expiration
&& *ctx->enc_part.key_expiration <= t) {
- report_expiration(context, ctx->prompter,
+ report_expiration(context, ctx->prompter,
ctx->prompter_data,
"Your password/account will expire at ",
*ctx->enc_part.key_expiration);
if (options->opt_private) {
if (options->opt_private->password) {
- ret = krb5_init_creds_set_password(context, ctx,
+ ret = krb5_init_creds_set_password(context, ctx,
options->opt_private->password);
if (ret)
goto out;
ctx->keyproc = default_s2k_func;
/* Enterprise name implicitly turns on canonicalize */
- if ((ctx->ic_flags & KRB5_INIT_CREDS_CANONICALIZE) ||
+ if ((ctx->ic_flags & KRB5_INIT_CREDS_CANONICALIZE) ||
krb5_principal_get_type(context, client) == KRB5_NT_ENTERPRISE_PRINCIPAL)
ctx->flags.canonicalize = 1;
*a->req_body.rtime = creds->times.renew_till;
}
a->req_body.nonce = 0;
- ret = krb5_init_etype (context,
+ ret = _krb5_init_etype(context,
+ KRB5_PDU_AS_REQUEST,
&a->req_body.etype.len,
&a->req_body.etype.val,
etypes);
krb5_error_code ret;
ETYPE_INFO2 e;
size_t sz;
- int i, j;
+ size_t i, j;
memset(&e, 0, sizeof(e));
ret = decode_ETYPE_INFO2(data->data, data->length, &e, &sz);
krb5_error_code ret;
ETYPE_INFO e;
size_t sz;
- int i, j;
+ size_t i, j;
memset(&e, 0, sizeof(e));
ret = decode_ETYPE_INFO(data->data, data->length, &e, &sz);
};
static PA_DATA *
-find_pa_data(const METHOD_DATA *md, int type)
+find_pa_data(const METHOD_DATA *md, unsigned type)
{
- int i;
+ size_t i;
if (md == NULL)
return NULL;
for (i = 0; i < md->len; i++)
METHOD_DATA *md)
{
struct pa_info_data *p = NULL;
- int i;
+ size_t i;
for (i = 0; p == NULL && i < sizeof(pa_prefs)/sizeof(pa_prefs[0]); i++) {
PA_DATA *pa = find_pa_data(md, pa_prefs[i].type);
PA_ENC_TS_ENC p;
unsigned char *buf;
size_t buf_size;
- size_t len;
+ size_t len = 0;
EncryptedData encdata;
krb5_error_code ret;
int32_t usec;
krb5_error_code ret;
krb5_salt salt2;
krb5_enctype *ep;
- int i;
+ size_t i;
if(salt == NULL) {
/* default to standard salt */
krb5_get_init_creds_ctx *ctx,
METHOD_DATA *md)
{
- size_t len, length;
+ size_t len = 0, length;
krb5_error_code ret;
PA_PAC_REQUEST req;
void *buf;
_krb5_debug(context, 5, "krb5_get_init_creds: "
"prepareing PKINIT padata (%s)",
(ctx->used_pa_types & USED_PKINIT_W2K) ? "win2k" : "ietf");
-
+
if (ctx->used_pa_types & USED_PKINIT_W2K) {
krb5_set_error_message(context, KRB5_GET_IN_TKT_LOOP,
"Already tried pkinit, looping");
return KRB5_GET_IN_TKT_LOOP;
}
- ret = pa_data_to_md_pkinit(context, a, creds->client,
+ ret = pa_data_to_md_pkinit(context, a, creds->client,
(ctx->used_pa_types & USED_PKINIT),
ctx, *out_md);
if (ret)
krb5_error_code ret;
size_t netypes = 0;
int kvno = 0;
-
+
a = malloc(sizeof(*a));
if (a == NULL) {
krb5_set_error_message(context, ENOMEM,
N_("malloc: out of memory", ""));
return ENOMEM;
}
-
+
a->principal = ctx->cred.client;
a->keytab = keytab;
kvno = entry.vno;
} else if (entry.vno != kvno)
goto next;
-
+
/* check if enctype is supported */
if (krb5_enctype_valid(context, entry.keyblock.keytype) != 0)
goto next;
/**
* The core loop if krb5_get_init_creds() function family. Create the
- * packets and have the caller send them off to the KDC.
+ * packets and have the caller send them off to the KDC.
*
* If the caller want all work been done for them, use
* krb5_init_creds_get() instead.
unsigned int *flags)
{
krb5_error_code ret;
- size_t len;
+ size_t len = 0;
size_t size;
krb5_data_zero(out);
"options send by KDC", ""));
}
} else if (ret == KRB5KRB_AP_ERR_SKEW && context->kdc_sec_offset == 0) {
- /*
+ /*
* Try adapt to timeskrew when we are using pre-auth, and
* if there was a time skew, try again.
*/
krb5_set_real_time(context, ctx->error.stime, -1);
if (context->kdc_sec_offset)
- ret = 0;
+ ret = 0;
_krb5_debug(context, 10, "init_creds: err skew updateing kdc offset to %d",
context->kdc_sec_offset);
"krb5_get_init_creds: got referal to realm %s",
*ctx->error.crealm);
- ret = krb5_principal_set_realm(context,
+ ret = krb5_principal_set_realm(context,
ctx->cred.client,
*ctx->error.crealm);
if ((flags & 1) == 0)
break;
- ret = krb5_sendto_context (context, stctx, &out,
+ ret = krb5_sendto_context (context, stctx, &out,
ctx->cred.client->realm, &in);
if (ret)
goto out;
}
ret = krb5_init_creds_get(context, ctx);
-
+
if (ret == 0)
process_last_request(context, options, ctx);
}
} else
k->name = NULL;
-
+
(*id)->data.data = k;
(*id)->data.length = sizeof(*k);
c = calloc(1, sizeof(*c));
if (c == NULL) {
ret = ENOMEM;
- krb5_set_error_message(context, ret,
+ krb5_set_error_message(context, ret,
N_("malloc: out of memory", ""));
return ret;
}
if (ptr == NULL) {
free(c->uuids);
free(c);
- krb5_set_error_message(context, ENOMEM,
+ krb5_set_error_message(context, ENOMEM,
N_("malloc: out of memory", ""));
return ENOMEM;
}
return ret;
}
- sret = krb5_storage_write(request,
+ sret = krb5_storage_write(request,
&c->uuids[c->offset],
sizeof(c->uuids[c->offset]));
c->offset++;
c = calloc(1, sizeof(*c));
if (c == NULL) {
ret = ENOMEM;
- krb5_set_error_message(context, ret,
+ krb5_set_error_message(context, ret,
N_("malloc: out of memory", ""));
goto out;
}
ptr = realloc(c->uuids, sizeof(c->uuids[0]) * (c->length + 1));
if (ptr == NULL) {
ret = ENOMEM;
- krb5_set_error_message(context, ret,
+ krb5_set_error_message(context, ret,
N_("malloc: out of memory", ""));
goto out;
}
if (ret && c) {
free(c->uuids);
free(c);
- } else
+ } else
*cursor = c;
return ret;
if (ret)
return ret;
- sret = krb5_storage_write(request,
+ sret = krb5_storage_write(request,
&c->uuids[c->offset],
sizeof(c->uuids[c->offset]));
c->offset++;
}
static krb5_error_code
-kcm_get_default_name(krb5_context context, const krb5_cc_ops *ops,
+kcm_get_default_name(krb5_context context, const krb5_cc_ops *ops,
const char *defstr, char **str)
{
krb5_error_code ret;
krb5_storage *request, *response;
krb5_data response_data;
char *name;
-
+
*str = NULL;
ret = krb5_kcm_storage_request(context, KCM_OP_GET_DEFAULT_CACHE, &request);
krb5_kcmcache *k = KCMCACHE(id);
krb5_error_code ret;
krb5_storage *request;
-
+
ret = krb5_kcm_storage_request(context, KCM_OP_SET_KDC_OFFSET, &request);
if (ret)
return ret;
krb5_storage *request, *response;
krb5_data response_data;
int32_t offset;
-
+
ret = krb5_kcm_storage_request(context, KCM_OP_GET_KDC_OFFSET, &request);
if (ret)
return ret;
kcm_move,
kcm_get_default_name_api,
kcm_set_default,
- kcm_lastchange
+ kcm_lastchange,
+ NULL,
+ NULL
};
-krb5_boolean
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
_krb5_kcm_is_running(krb5_context context)
{
krb5_error_code ret;
* Response:
*
*/
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_kcm_noop(krb5_context context,
krb5_ccache id)
{
* Repsonse:
*
*/
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_kcm_get_initial_ticket(krb5_context context,
krb5_ccache id,
krb5_principal server,
* Repsonse:
*
*/
-krb5_error_code
+KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_kcm_get_ticket(krb5_context context,
krb5_ccache id,
krb5_kdc_flags flags,
{
krb5_error_code ret;
krb5_keyblock *k;
-
+
*to = NULL;
k = calloc (1, sizeof(*k));
*
* A keytab name is on the form type:residual. The residual part is
* specific to each keytab-type.
- *
+ *
* When a keytab-name is resolved, the type is matched with an internal
* list of keytab types. If there is no matching keytab type,
* the default keytab is used. The current default type is FILE.
* [defaults]default_keytab_name.
*
* The keytab types that are implemented in Heimdal are:
- * - file
+ * - file
* store the keytab in a file, the type's name is FILE . The
* residual part is a filename. For compatibility with other
* Kerberos implemtation WRFILE and JAVA14 is also accepted. WRFILE
}
static const char *
-keytab_name(const char * name, const char ** ptype, size_t * ptype_len)
+keytab_name(const char *name, const char **type, size_t *type_len)
{
- const char * residual;
+ const char *residual;
residual = strchr(name, ':');
- if (residual == NULL
-
+ if (residual == NULL ||
+ name[0] == '/'
#ifdef _WIN32
-
/* Avoid treating <drive>:<path> as a keytab type
* specification */
-
|| name + 1 == residual
#endif
) {
- *ptype = "FILE";
- *ptype_len = strlen(*ptype);
+ *type = "FILE";
+ *type_len = strlen(*type);
residual = name;
} else {
- *ptype = name;
- *ptype_len = residual - name;
+ *type = name;
+ *type_len = residual - name;
residual++;
}
char type[KRB5_KT_PREFIX_MAX_LEN];
char name[MAXPATHLEN];
krb5_error_code ret;
-
+
*str = NULL;
ret = krb5_kt_get_type(context, keytab, type, sizeof(type));
{
char princ[256], kvno_str[25], *kt_name;
char *enctype_str = NULL;
-
+
krb5_unparse_name_fixed (context, principal, princ, sizeof(princ));
krb5_kt_get_full_name (context, id, &kt_name);
krb5_enctype_to_string(context, enctype, &enctype_str);
-
+
if (kvno)
snprintf(kvno_str, sizeof(kvno_str), "(kvno %d)", kvno);
else
kvno_str[0] = '\0';
-
+
krb5_set_error_message (context, ret,
N_("Failed to find %s%s in keytab %s (%s)",
"principal, kvno, keytab file, enctype"),
}
return (*id->remove)(context, id, entry);
}
+
+/**
+ * Return true if the keytab exists and have entries
+ *
+ * @param context a Keberos context.
+ * @param id a keytab.
+ *
+ * @return Return an error code or 0, see krb5_get_error_message().
+ *
+ * @ingroup krb5_keytab
+ */
+
+KRB5_LIB_FUNCTION krb5_boolean KRB5_LIB_CALL
+krb5_kt_have_content(krb5_context context,
+ krb5_keytab id)
+{
+ krb5_keytab_entry entry;
+ krb5_kt_cursor cursor;
+ krb5_error_code ret;
+ char *name;
+
+ ret = krb5_kt_start_seq_get(context, id, &cursor);
+ if (ret)
+ goto notfound;
+
+ ret = krb5_kt_next_entry(context, id, &entry, &cursor);
+ krb5_kt_end_seq_get(context, id, &cursor);
+ if (ret)
+ goto notfound;
+
+ krb5_kt_free_entry(context, &entry);
+
+ return 0;
+
+ notfound:
+ ret = krb5_kt_get_full_name(context, id, &name);
+ if (ret == 0) {
+ krb5_set_error_message(context, KRB5_KT_NOTFOUND,
+ N_("No entry in keytab: %s", ""), name);
+ free(name);
+ }
+ return KRB5_KT_NOTFOUND;
+}
if(ret < 0)
return ret;
ret = krb5_storage_write(sp, data.data, data.length);
- if(ret != data.length){
+ if(ret != (int)data.length){
if(ret < 0)
return errno;
return KRB5_KT_END;
if(ret < 0)
return ret;
ret = krb5_storage_write(sp, data, len);
- if(ret != len){
+ if(ret != (int)len){
if(ret < 0)
return errno;
return KRB5_KT_END;
krb5_storage *sp,
krb5_principal *princ)
{
- int i;
+ size_t i;
int ret;
krb5_principal p;
int16_t len;
krb5_storage *sp,
krb5_principal p)
{
- int i;
+ size_t i;
int ret;
if(krb5_storage_is_flags(sp, KRB5_STORAGE_PRINCIPAL_WRONG_NUM_COMPONENTS))
id->version = KRB5_KT_VNO;
return krb5_store_int8 (sp, id->version);
}
-
+
static krb5_error_code KRB5_CALLCONV
fkt_add_entry(krb5_context context,
krb5_keytab id,
}
if(len < 0) {
len = -len;
- if(len >= keytab.length) {
+ if(len >= (int)keytab.length) {
krb5_storage_seek(sp, -4, SEEK_CUR);
break;
}
krb5_store_int32(cursor.sp, -len);
memset(buf, 0, sizeof(buf));
while(len > 0) {
- krb5_storage_write(cursor.sp, buf, min(len, sizeof(buf)));
- len -= min(len, sizeof(buf));
+ krb5_storage_write(cursor.sp, buf,
+ min((size_t)len, sizeof(buf)));
+ len -= min((size_t)len, sizeof(buf));
}
}
krb5_kt_free_entry(context, &e);
strerror(ret));
return ret;
}
-
+
ret = krb5_ret_int32(sp, &len);
if(ret) {
krb5_storage_free(sp);
}
len++;
-
+
if(krb5_storage_seek(sp, 0, SEEK_SET) < 0) {
ret = errno;
krb5_set_error_message (context, ret,
strerror(ret));
goto out;
}
-
+
ret = krb5_store_int32(sp, len);
if(ret) {
ret = errno;
N_("seek to end: %s", ""), strerror(ret));
goto out;
}
-
+
ret = krb5_store_int32(sp, entry->vno);
if(ret) {
krb5_set_error_message(context, ret,
#define KRB5KDC_ERR_KEY_EXP KRB5KDC_ERR_KEY_EXPIRED
#endif
-#ifndef KRB5_DEPRECATED
-#if defined(__GNUC__) && ((__GNUC__ > 3) || ((__GNUC__ == 3) && (__GNUC_MINOR__ >= 1 )))
-#define KRB5_DEPRECATED __attribute__((deprecated))
-#elif defined(_MSC_VER) && (_MSC_VER>1200)
-#define KRB5_DEPRECATED __declspec(deprecated)
-#else
-#define KRB5_DEPRECATED
-#endif
-#endif
-
#ifdef _WIN32
#define KRB5_CALLCONV __stdcall
#else
/* alternative names */
enum {
- ENCTYPE_NULL = ETYPE_NULL,
- ENCTYPE_DES_CBC_CRC = ETYPE_DES_CBC_CRC,
- ENCTYPE_DES_CBC_MD4 = ETYPE_DES_CBC_MD4,
- ENCTYPE_DES_CBC_MD5 = ETYPE_DES_CBC_MD5,
- ENCTYPE_DES3_CBC_MD5 = ETYPE_DES3_CBC_MD5,
- ENCTYPE_OLD_DES3_CBC_SHA1 = ETYPE_OLD_DES3_CBC_SHA1,
- ENCTYPE_SIGN_DSA_GENERATE = ETYPE_SIGN_DSA_GENERATE,
- ENCTYPE_ENCRYPT_RSA_PRIV = ETYPE_ENCRYPT_RSA_PRIV,
- ENCTYPE_ENCRYPT_RSA_PUB = ETYPE_ENCRYPT_RSA_PUB,
- ENCTYPE_DES3_CBC_SHA1 = ETYPE_DES3_CBC_SHA1,
- ENCTYPE_AES128_CTS_HMAC_SHA1_96 = ETYPE_AES128_CTS_HMAC_SHA1_96,
- ENCTYPE_AES256_CTS_HMAC_SHA1_96 = ETYPE_AES256_CTS_HMAC_SHA1_96,
- ENCTYPE_ARCFOUR_HMAC = ETYPE_ARCFOUR_HMAC_MD5,
- ENCTYPE_ARCFOUR_HMAC_MD5 = ETYPE_ARCFOUR_HMAC_MD5,
- ENCTYPE_ARCFOUR_HMAC_MD5_56 = ETYPE_ARCFOUR_HMAC_MD5_56,
- ENCTYPE_ENCTYPE_PK_CROSS = ETYPE_ENCTYPE_PK_CROSS,
- ENCTYPE_DES_CBC_NONE = ETYPE_DES_CBC_NONE,
- ENCTYPE_DES3_CBC_NONE = ETYPE_DES3_CBC_NONE,
- ENCTYPE_DES_CFB64_NONE = ETYPE_DES_CFB64_NONE,
- ENCTYPE_DES_PCBC_NONE = ETYPE_DES_PCBC_NONE
+ ENCTYPE_NULL = KRB5_ENCTYPE_NULL,
+ ENCTYPE_DES_CBC_CRC = KRB5_ENCTYPE_DES_CBC_CRC,
+ ENCTYPE_DES_CBC_MD4 = KRB5_ENCTYPE_DES_CBC_MD4,
+ ENCTYPE_DES_CBC_MD5 = KRB5_ENCTYPE_DES_CBC_MD5,
+ ENCTYPE_DES3_CBC_MD5 = KRB5_ENCTYPE_DES3_CBC_MD5,
+ ENCTYPE_OLD_DES3_CBC_SHA1 = KRB5_ENCTYPE_OLD_DES3_CBC_SHA1,
+ ENCTYPE_SIGN_DSA_GENERATE = KRB5_ENCTYPE_SIGN_DSA_GENERATE,
+ ENCTYPE_ENCRYPT_RSA_PRIV = KRB5_ENCTYPE_ENCRYPT_RSA_PRIV,
+ ENCTYPE_ENCRYPT_RSA_PUB = KRB5_ENCTYPE_ENCRYPT_RSA_PUB,
+ ENCTYPE_DES3_CBC_SHA1 = KRB5_ENCTYPE_DES3_CBC_SHA1,
+ ENCTYPE_AES128_CTS_HMAC_SHA1_96 = KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96,
+ ENCTYPE_AES256_CTS_HMAC_SHA1_96 = KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+ ENCTYPE_ARCFOUR_HMAC = KRB5_ENCTYPE_ARCFOUR_HMAC_MD5,
+ ENCTYPE_ARCFOUR_HMAC_MD5 = KRB5_ENCTYPE_ARCFOUR_HMAC_MD5,
+ ENCTYPE_ARCFOUR_HMAC_MD5_56 = KRB5_ENCTYPE_ARCFOUR_HMAC_MD5_56,
+ ENCTYPE_ENCTYPE_PK_CROSS = KRB5_ENCTYPE_ENCTYPE_PK_CROSS,
+ ENCTYPE_DES_CBC_NONE = KRB5_ENCTYPE_DES_CBC_NONE,
+ ENCTYPE_DES3_CBC_NONE = KRB5_ENCTYPE_DES3_CBC_NONE,
+ ENCTYPE_DES_CFB64_NONE = KRB5_ENCTYPE_DES_CFB64_NONE,
+ ENCTYPE_DES_PCBC_NONE = KRB5_ENCTYPE_DES_PCBC_NONE,
+ ETYPE_NULL = KRB5_ENCTYPE_NULL,
+ ETYPE_DES_CBC_CRC = KRB5_ENCTYPE_DES_CBC_CRC,
+ ETYPE_DES_CBC_MD4 = KRB5_ENCTYPE_DES_CBC_MD4,
+ ETYPE_DES_CBC_MD5 = KRB5_ENCTYPE_DES_CBC_MD5,
+ ETYPE_DES3_CBC_MD5 = KRB5_ENCTYPE_DES3_CBC_MD5,
+ ETYPE_OLD_DES3_CBC_SHA1 = KRB5_ENCTYPE_OLD_DES3_CBC_SHA1,
+ ETYPE_SIGN_DSA_GENERATE = KRB5_ENCTYPE_SIGN_DSA_GENERATE,
+ ETYPE_ENCRYPT_RSA_PRIV = KRB5_ENCTYPE_ENCRYPT_RSA_PRIV,
+ ETYPE_ENCRYPT_RSA_PUB = KRB5_ENCTYPE_ENCRYPT_RSA_PUB,
+ ETYPE_DES3_CBC_SHA1 = KRB5_ENCTYPE_DES3_CBC_SHA1,
+ ETYPE_AES128_CTS_HMAC_SHA1_96 = KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96,
+ ETYPE_AES256_CTS_HMAC_SHA1_96 = KRB5_ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+ ETYPE_ARCFOUR_HMAC_MD5 = KRB5_ENCTYPE_ARCFOUR_HMAC_MD5,
+ ETYPE_ARCFOUR_HMAC_MD5_56 = KRB5_ENCTYPE_ARCFOUR_HMAC_MD5_56,
+ ETYPE_ENCTYPE_PK_CROSS = KRB5_ENCTYPE_ENCTYPE_PK_CROSS,
+ ETYPE_ARCFOUR_MD4 = KRB5_ENCTYPE_ARCFOUR_MD4,
+ ETYPE_ARCFOUR_HMAC_OLD = KRB5_ENCTYPE_ARCFOUR_HMAC_OLD,
+ ETYPE_ARCFOUR_HMAC_OLD_EXP = KRB5_ENCTYPE_ARCFOUR_HMAC_OLD_EXP,
+ ETYPE_DES_CBC_NONE = KRB5_ENCTYPE_DES_CBC_NONE,
+ ETYPE_DES3_CBC_NONE = KRB5_ENCTYPE_DES3_CBC_NONE,
+ ETYPE_DES_CFB64_NONE = KRB5_ENCTYPE_DES_CFB64_NONE,
+ ETYPE_DES_PCBC_NONE = KRB5_ENCTYPE_DES_PCBC_NONE,
+ ETYPE_DIGEST_MD5_NONE = KRB5_ENCTYPE_DIGEST_MD5_NONE,
+ ETYPE_CRAM_MD5_NONE = KRB5_ENCTYPE_CRAM_MD5_NONE
+
};
+/* PDU types */
+typedef enum krb5_pdu {
+ KRB5_PDU_ERROR = 0,
+ KRB5_PDU_TICKET = 1,
+ KRB5_PDU_AS_REQUEST = 2,
+ KRB5_PDU_AS_REPLY = 3,
+ KRB5_PDU_TGS_REQUEST = 4,
+ KRB5_PDU_TGS_REPLY = 5,
+ KRB5_PDU_AP_REQUEST = 6,
+ KRB5_PDU_AP_REPLY = 7,
+ KRB5_PDU_KRB_SAFE = 8,
+ KRB5_PDU_KRB_PRIV = 9,
+ KRB5_PDU_KRB_CRED = 10,
+ KRB5_PDU_NONE = 11 /* See krb5_get_permitted_enctypes() */
+} krb5_pdu;
+
typedef PADATA_TYPE krb5_preauthtype;
typedef enum krb5_key_usage {
#define ALLOC(X, N) (X) = calloc((N), sizeof(*(X)))
#define ALLOC_SEQ(X, N) do { (X)->len = (N); ALLOC((X)->val, (N)); } while(0)
+#ifndef __func__
+#define __func__ "unknown-function"
+#endif
+
+#define krb5_einval(context, argnum) _krb5_einval((context), __func__, (argnum))
+
#ifndef PATH_SEP
#define PATH_SEP ":"
#endif
} lr;
};
+typedef uint32_t krb5_enctype_set;
+
typedef struct krb5_context_data {
krb5_enctype *etypes;
- krb5_enctype *etypes_des;
+ krb5_enctype *etypes_des;/* deprecated */
+ krb5_enctype *as_etypes;
+ krb5_enctype *tgs_etypes;
+ krb5_enctype *permitted_enctypes;
char **default_realms;
time_t max_skew;
time_t kdc_timeout;
(*res)[num_srv++] = hi;
hi->proto = proto_num;
-
+
hi->def_port = def_port;
if (port != 0)
hi->port = port;
}
*count = num_srv;
-
+
rk_dns_free_data(r);
return 0;
}
ret = asprintf(&host, "%s.%s.", serv_string, kd->realm);
else
ret = asprintf(&host, "%s-%d.%s.",
- serv_string, kd->fallback_count, kd->realm);
+ serv_string, kd->fallback_count, kd->realm);
if (ret < 0 || host == NULL)
return ENOMEM;
service = _krb5_plugin_get_symbol(e);
if (service->minor_version != 0)
continue;
-
+
(*service->init)(context, &ctx);
ret = (*service->lookup)(ctx, type, kd->realm, 0, 0, add_locate, kd);
(*service->fini)(ctx);
if (context == NULL || context->debug_dest == NULL)
return;
-
+
va_start(ap, fmt);
krb5_vlog(context, context->debug_dest, level, fmt, ap);
va_end(ap);
l = m->creds;
while (l != NULL) {
struct link *old;
-
+
krb5_free_cred_contents (context, &l->cred);
old = l;
l = l->next;
{
return 0; /* XXX */
}
-
+
struct mcache_iter {
krb5_mcache *cache;
};
*/
#include "krb5_locl.h"
+#ifdef HAVE_EXECINFO_H
+#include <execinfo.h>
+#endif
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
_krb5_s4u2self_to_checksumdata(krb5_context context,
krb5_ssize_t ssize;
krb5_storage *sp;
size_t size;
- int i;
+ size_t i;
sp = krb5_storage_emem();
if (sp == NULL) {
for (i = 0; i < self->name.name_string.len; i++) {
size = strlen(self->name.name_string.val[i]);
ssize = krb5_storage_write(sp, self->name.name_string.val[i], size);
- if (ssize != size) {
+ if (ssize != (krb5_ssize_t)size) {
ret = ENOMEM;
goto out;
}
}
size = strlen(self->realm);
ssize = krb5_storage_write(sp, self->realm, size);
- if (ssize != size) {
+ if (ssize != (krb5_ssize_t)size) {
ret = ENOMEM;
goto out;
}
size = strlen(self->auth);
ssize = krb5_storage_write(sp, self->auth, size);
- if (ssize != size) {
+ if (ssize != (krb5_ssize_t)size) {
ret = ENOMEM;
goto out;
}
krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
return ENOMEM;
}
+
+void
+_krb5_debug_backtrace(krb5_context context)
+{
+#if defined(HAVE_BACKTRACE) && !defined(HEIMDAL_SMALLER)
+ void *stack[128];
+ char **strs = NULL;
+ int i, frames = backtrace(stack, sizeof(stack) / sizeof(stack[0]));
+ if (frames > 0)
+ strs = backtrace_symbols(stack, frames);
+ if (strs) {
+ for (i = 0; i < frames; i++)
+ _krb5_debug(context, 10, "frame %d: %s", i, strs[i]);
+ free(strs);
+ }
+#endif
+}
+
+krb5_error_code
+_krb5_einval(krb5_context context, const char *func, unsigned long argn)
+{
+#ifndef HEIMDAL_SMALLER
+ krb5_set_error_message(context, EINVAL,
+ N_("programmer error: invalid argument to %s argument %lu",
+ "function:line"),
+ func, argn);
+ if (_krb5_have_debug(context, 10)) {
+ _krb5_debug(context, 10, "invalid argument to function %s argument %lu",
+ func, argn);
+ _krb5_debug_backtrace(context);
+ }
+#endif
+ return EINVAL;
+}
* SUCH DAMAGE.
*/
-#define KRB5_DEPRECATED
-
#include "krb5_locl.h"
#ifndef HEIMDAL_SMALLER
krb5_crypto_destroy(context, crypto);
return ret;
}
-
+
if (blocksize > ivec->length) {
krb5_crypto_destroy(context, crypto);
return KRB5_BAD_MSIZE;
* @ingroup krb5_deprecated
*/
-KRB5_DEPRECATED
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_c_enctype_compare(krb5_context context,
krb5_enctype e1,
krb5_enctype e2,
krb5_boolean *similar)
+ KRB5_DEPRECATED_FUNCTION("Use X instead")
{
*similar = (e1 == e2);
return 0;
KRB_ERROR msg;
krb5_timestamp sec;
int32_t usec;
- size_t len;
+ size_t len = 0;
krb5_error_code ret = 0;
krb5_us_timeofday (context, &sec, &usec);
msg.realm = server->realm;
msg.sname = server->name;
}else{
- msg.realm = "<unspecified realm>";
+ static char unspec[] = "<unspecified realm>";
+ msg.realm = unspec;
}
if(client){
msg.crealm = &client->realm;
EncKrbPrivPart part;
u_char *buf = NULL;
size_t buf_size;
- size_t len;
+ size_t len = 0;
krb5_crypto crypto;
krb5_keyblock *key;
krb5_replay_data rdata;
EncAPRepPart body;
u_char *buf = NULL;
size_t buf_size;
- size_t len;
+ size_t len = 0;
krb5_crypto crypto;
ap.pvno = 5;
/* byte offset and shift count */
b1 = bb / 8;
s1 = bb % 8;
-
+
if(bb + 8 > bytes * 8)
/* watch for wraparound */
s2 = (len + 8 - s1) % 8;
ret = _krb5_HMAC_MD5_checksum(context, &local_key, data, len, usage, result);
if (ret)
krb5_data_free(&result->checksum);
-
+
krb5_free_keyblock(context, local_key.key);
return ret;
}
goto out;
}
ret = krb5_storage_read(sp, cksum.checksum.data, cksum.checksum.length);
- if (ret != cksum.checksum.length) {
+ if (ret != (int)cksum.checksum.length) {
ret = EINVAL;
krb5_set_error_message(context, ret, "PAC checksum missing checksum");
goto out;
* http://blogs.msdn.com/b/openspecification/archive/2010/01/01/verifying-the-server-signature-in-kerberos-privilege-account-certificate.aspx
* for Microsoft's explaination */
- if (cksumtype == CKSUMTYPE_HMAC_MD5) {
+ if (cksumtype == (uint32_t)CKSUMTYPE_HMAC_MD5) {
ret = HMAC_MD5_any_checksum(context, key, data, datalen,
KRB5_KU_OTHER_CKSUM, &cksum);
} else {
ret = krb5_storage_write(sp, s2, len * 2);
free(s2);
- if (ret != len * 2) {
+ if (ret != (int)(len * 2)) {
ret = krb5_enomem(context);
goto out;
}
size_t server_size, priv_size;
uint32_t server_offset = 0, priv_offset = 0;
uint32_t server_cksumtype = 0, priv_cksumtype = 0;
- int i, num = 0;
+ int num = 0;
+ size_t i;
krb5_data logon, d;
krb5_data_zero(&logon);
end += len;
e = ((end + PAC_ALIGNMENT - 1) / PAC_ALIGNMENT) * PAC_ALIGNMENT;
- if (end != e) {
+ if ((int32_t)end != e) {
CHECK(ret, fill_zeros(context, spdata, e - end), out);
}
end = e;
goto out;
}
ret = krb5_storage_write(sp, d.data, d.length);
- if (ret != d.length) {
+ if (ret != (int)d.length) {
krb5_data_free(&d);
ret = krb5_enomem(context);
goto out;
KRB5_LIB_FUNCTION PA_DATA * KRB5_LIB_CALL
krb5_find_padata(PA_DATA *val, unsigned len, int type, int *idx)
{
- for(; *idx < len; (*idx)++)
- if(val[*idx].padata_type == type)
+ for(; *idx < (int)len; (*idx)++)
+ if(val[*idx].padata_type == (unsigned)type)
return val + *idx;
return NULL;
}
{ "MS EKU" },
{ "any (or no)" }
};
- int i, ret, start = 1;
+ int ret = HX509_CERT_NOT_FOUND;
+ size_t i, start = 1;
unsigned oids[] = { 1, 2, 840, 113635, 100, 3, 2, 1 };
const heim_oid mobileMe = { sizeof(oids)/sizeof(oids[0]), oids };
{
IssuerAndSerialNumber iasn;
hx509_name issuer;
- size_t size;
-
+ size_t size = 0;
+
memset(&iasn, 0, sizeof(iasn));
ret = hx509_cert_get_issuer(c, &issuer);
free_ExternalPrincipalIdentifier(&id);
return ret;
}
-
+
ret = hx509_cert_get_serialnumber(c, &iasn.serialNumber);
if (ret) {
free_IssuerAndSerialNumber(&iasn);
const KDC_REQ_BODY *body,
AuthPack *a)
{
- size_t buf_size, len;
+ size_t buf_size, len = 0;
krb5_error_code ret;
void *buf;
krb5_timestamp sec;
const char *moduli_file;
unsigned long dh_min_bits;
krb5_data dhbuf;
- size_t size;
+ size_t size = 0;
krb5_data_zero(&dhbuf);
ret = _krb5_parse_moduli(context, moduli_file, &ctx->m);
if (ret)
return ret;
-
+
ctx->u.dh = DH_new();
if (ctx->u.dh == NULL) {
krb5_set_error_message(context, ENOMEM,
&a->clientPublicValue->algorithm.algorithm);
if (ret)
return ret;
-
+
memset(&dp, 0, sizeof(dp));
-
+
ret = BN_to_integer(context, dh->p, &dp.p);
if (ret) {
free_DomainParameters(&dp);
}
dp.j = NULL;
dp.validationParms = NULL;
-
+
a->clientPublicValue->algorithm.parameters =
malloc(sizeof(*a->clientPublicValue->algorithm.parameters));
if (a->clientPublicValue->algorithm.parameters == NULL) {
free_DomainParameters(&dp);
return ret;
}
-
+
ASN1_MALLOC_ENCODE(DomainParameters,
a->clientPublicValue->algorithm.parameters->data,
a->clientPublicValue->algorithm.parameters->length,
return ret;
if (size != a->clientPublicValue->algorithm.parameters->length)
krb5_abortx(context, "Internal ASN1 encoder error");
-
+
ret = BN_to_integer(context, dh->pub_key, &dh_pub_key);
if (ret)
return ret;
-
+
ASN1_MALLOC_ENCODE(DHPublicKey, dhbuf.data, dhbuf.length,
&dh_pub_key, &size, ret);
der_free_heim_integer(&dh_pub_key);
#ifdef HAVE_OPENSSL
ECParameters ecp;
unsigned char *p;
- int len;
+ int xlen;
/* copy in public key, XXX find the best curve that the server support or use the clients curve if possible */
free_ECParameters(&ecp);
return ENOMEM;
}
- ASN1_MALLOC_ENCODE(ECParameters, p, len, &ecp, &size, ret);
+ ASN1_MALLOC_ENCODE(ECParameters, p, xlen, &ecp, &size, ret);
free_ECParameters(&ecp);
if (ret)
return ret;
- if (size != len)
+ if ((int)size != xlen)
krb5_abortx(context, "asn1 internal error");
-
+
a->clientPublicValue->algorithm.parameters->data = p;
a->clientPublicValue->algorithm.parameters->length = size;
/* encode onto dhkey */
- len = i2o_ECPublicKey(ctx->u.eckey, NULL);
- if (len <= 0)
+ xlen = i2o_ECPublicKey(ctx->u.eckey, NULL);
+ if (xlen <= 0)
abort();
- dhbuf.data = malloc(len);
+ dhbuf.data = malloc(xlen);
if (dhbuf.data == NULL)
abort();
- dhbuf.length = len;
+ dhbuf.length = xlen;
p = dhbuf.data;
- len = i2o_ECPublicKey(ctx->u.eckey, &p);
- if (len <= 0)
+ xlen = i2o_ECPublicKey(ctx->u.eckey, &p);
+ if (xlen <= 0)
abort();
/* XXX verify that this is right with RFC3279 */
a->clientPublicValue->subjectPublicKey.length = dhbuf.length * 8;
a->clientPublicValue->subjectPublicKey.data = dhbuf.data;
}
-
+
{
a->supportedCMSTypes = calloc(1, sizeof(*a->supportedCMSTypes));
if (a->supportedCMSTypes == NULL)
return ENOMEM;
- ret = hx509_crypto_available(context->hx509ctx, HX509_SELECT_ALL, NULL,
+ ret = hx509_crypto_available(context->hx509ctx, HX509_SELECT_ALL,
+ ctx->id->cert,
&a->supportedCMSTypes->val,
&a->supportedCMSTypes->len);
if (ret)
{
struct ContentInfo content_info;
krb5_error_code ret;
- const heim_oid *oid;
- size_t size;
+ const heim_oid *oid = NULL;
+ size_t size = 0;
krb5_data buf, sd_buf;
- int pa_type;
+ int pa_type = -1;
krb5_data_zero(&buf);
krb5_data_zero(&sd_buf);
oid = &asn1_oid_id_pkcs7_data;
} else if (ctx->type == PKINIT_27) {
AuthPack ap;
-
+
memset(&ap, 0, sizeof(ap));
ret = build_auth_pack(context, nonce, ctx, req_body, &ap);
pa_type = KRB5_PADATA_PK_AS_REQ;
memset(&req, 0, sizeof(req));
- req.signedAuthPack = buf;
+ req.signedAuthPack = buf;
if (ctx->trustedCertifiers) {
ret = ENOMEM;
goto out;
}
-
+
ret = hx509_get_one_cert(context->hx509ctx, signer_certs, &(*signer)->cert);
if (ret) {
pk_copy_error(context, context->hx509ctx, ret,
return ret;
}
- if (key_pack.nonce != nonce) {
+ if ((unsigned)key_pack.nonce != nonce) {
krb5_set_error_message(context, ret,
N_("PKINIT enckey nonce is wrong", ""));
free_ReplyKeyPack_Win2k(&key_pack);
}
if (ctx->require_krbtgt_otherName) {
hx509_octet_string_list list;
- int i;
+ size_t i;
ret = hx509_cert_find_subjectAltName_otherName(context->hx509ctx,
host->cert,
size_t ph = 1 + der_length_len(content.length);
unsigned char *ptr = malloc(content.length + ph);
size_t l;
-
+
memcpy(ptr + ph, content.data, content.length);
-
+
ret = der_put_length_and_tag (ptr + ph - 1, ph, content.length,
ASN1_C_UNIV, CONS, UT_Sequence, &l);
if (ret)
krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
goto out;
}
-
+
dh_gen_keylen = DH_compute_key(dh_gen_key, kdc_dh_pubkey, ctx->u.dh);
if (dh_gen_keylen == -1) {
ret = KRB5KRB_ERR_GENERIC;
N_("PKINIT: Can't compute Diffie-Hellman key", ""));
goto out;
}
- if (dh_gen_keylen < size) {
+ if (dh_gen_keylen < (int)size) {
size -= dh_gen_keylen;
memmove(dh_gen_key + size, dh_gen_key, dh_gen_keylen);
memset(dh_gen_key, 0, size);
ret = EINVAL;
#endif
}
-
+
if (dh_gen_keylen <= 0) {
ret = EINVAL;
krb5_set_error_message(context, ret,
PA_PK_AS_REP rep;
heim_octet_string os, data;
heim_oid oid;
-
+
if (pa->padata_type != KRB5_PADATA_PK_AS_REP) {
krb5_set_error_message(context, EINVAL,
N_("PKINIT: wrong padata recv", ""));
PA_PK_AS_REP_BTMM btmm;
free_PA_PK_AS_REP(&rep);
memset(&rep, 0, sizeof(rep));
-
+
_krb5_debug(context, 5, "krb5_get_init_creds: using BTMM kinit enc reply key");
ret = decode_PA_PK_AS_REP_BTMM(pa->padata_value.data,
#endif
memset(&w2krep, 0, sizeof(w2krep));
-
+
ret = decode_PA_PK_AS_REP_Win2k(pa->padata_value.data,
pa->padata_value.length,
&w2krep,
}
krb5_clear_error_message(context);
-
+
switch (w2krep.element) {
case choice_PA_PK_AS_REP_Win2k_encKeyPack: {
heim_octet_string data;
heim_oid oid;
-
+
ret = hx509_cms_unwrap_ContentInfo(&w2krep.u.encKeyPack,
&oid, &data, NULL);
free_PA_PK_AS_REP_Win2k(&w2krep);
default:
prompt.type = KRB5_PROMPT_TYPE_PASSWORD;
break;
- }
+ }
ret = (*p->prompter)(p->context, p->prompter_data, NULL, NULL, 1, &prompt);
if (ret) {
"Allocate query to find signing certificate");
return ret;
}
-
+
hx509_query_match_option(q, HX509_QUERY_OPTION_PRIVATE_KEY);
hx509_query_match_option(q, HX509_QUERY_OPTION_KU_DIGITALSIGNATURE);
-
+
if (principal && strncmp("LKDC:SHA1.", krb5_principal_get_realm(context, principal), 9) == 0) {
ctx->id->flags |= PKINIT_BTMM;
}
ret = hx509_cert_get_subject(ctx->id->cert, &name);
if (ret)
goto out;
-
+
ret = hx509_name_to_string(name, &str);
hx509_name_free(&name);
if (ret)
krb5_set_error_message(context, ENOMEM,
N_("malloc: out of memory", ""));
return ENOMEM;
- }
+ }
if (user_id) {
hx509_lock lock;
pk_copy_error(context, context->hx509ctx, ret, "Failed init lock");
goto out;
}
-
+
if (password && password[0])
hx509_lock_add_password(lock, password);
-
+
if (prompter) {
p.context = context;
p.prompter = prompter;
p.prompter_data = prompter_data;
-
+
ret = hx509_lock_set_prompter(lock, hx_pass_prompter, &p);
if (ret) {
hx509_lock_free(lock);
"bits on line %d", ""), file, lineno);
goto out;
}
-
+
ret = parse_integer(context, &p, file, lineno, "p", &m1->p);
if (ret)
goto out;
return ENOMEM;
}
m = m2;
-
+
m[n] = NULL;
ret = _krb5_parse_moduli_line(context, file, lineno, buf, &element);
break;
case USE_RSA:
break;
- case USE_ECDH:
+ case USE_ECDH:
#ifdef HAVE_OPENSSL
if (ctx->u.eckey)
EC_KEY_free(ctx->u.eckey);
krb5_set_error_message(context, EINVAL,
N_("No anonymous pkinit support in RSA mode", ""));
return EINVAL;
- }
+ }
}
return 0;
N_("PKINIT: on pkinit context", ""));
return EINVAL;
}
-
+
_krb5_pk_set_user_id(context, NULL, opt->opt_private->pk_init_ctx, certs);
return 0;
upn, NULL);
else
ret = 1;
- hx509_free_octet_string_list(&list);
+ hx509_free_octet_string_list(&list);
return ret;
}
#ifdef PKINIT
krb5_error_code ret;
hx509_certs certs, result;
- hx509_cert cert;
+ hx509_cert cert = NULL;
hx509_query *q;
char *name;
*principal = NULL;
if (res)
*res = NULL;
-
+
if (user_id == NULL) {
krb5_set_error_message(context, ENOENT, "no user id");
return ENOENT;
"Failed to find PKINIT certificate");
return ret;
}
-
+
ret = hx509_get_one_cert(context->hx509ctx, result, &cert);
hx509_certs_free(&result);
if (ret) {
if (res) {
ret = hx509_certs_init(context->hx509ctx, "MEMORY:", 0, NULL, res);
- if (ret) {
- hx509_cert_free(cert);
+ if (ret)
goto out;
- }
-
+
ret = hx509_certs_add(context->hx509ctx, *res, cert);
if (ret) {
hx509_certs_free(res);
static struct plugin *registered = NULL;
static int plugins_needs_scan = 1;
-static const char *sysplugin_dirs[] = {
+static const char *sysplugin_dirs[] = {
LIBDIR "/plugin/krb5",
#ifdef __APPLE__
"/System/Library/KerberosPlugins/KerberosFrameworkPlugins",
return !stricmp(ext, ".dll");
}
-#endif
-
+#else
return 1;
+#endif
}
static void
add_symbol(krb5_context context, struct krb5_plugin **list, void *symbol)
{
struct krb5_plugin *e;
-
+
e = calloc(1, sizeof(*e));
if (e == NULL) {
krb5_set_error_message(context, ENOMEM, "malloc: out of memory");
*list = NULL;
HEIMDAL_MUTEX_lock(&plugin_mutex);
-
+
load_plugins(context);
for (ret = 0, e = registered; e != NULL; e = e->next) {
/*
* module - dict of {
* ModuleName = [
- * plugin = object{
+ * plugin = object{
* array = { ptr, ctx }
* }
* ]
return;
pl = heim_alloc(sizeof(*pl), "struct-plug", plug_free);
-
+
cpm = pl->dataptr = dlsym(p->dsohandle, s->name);
if (cpm) {
int ret;
} else {
cpm = pl->dataptr;
}
-
+
if (cpm && cpm->version >= s->min_version)
heim_array_append_value(s->result, pl);
-
+
heim_release(pl);
}
s.userctx = userctx;
heim_dict_iterate_f(dict, search_modules, &s);
-
+
heim_release(dict);
-
+
HEIMDAL_MUTEX_unlock(&plugin_mutex);
-
+
s.ret = KRB5_PLUGIN_NO_HANDLE;
heim_array_iterate_f(s.result, eval_results, &s);
krb5_const_principal principal)
{
return princ_realm(principal);
-}
+}
KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
krb5_principal_get_comp_string(krb5_context context,
int flags)
{
size_t idx = 0;
- int i;
+ size_t i;
int short_form = (flags & KRB5_PRINCIPAL_UNPARSE_SHORT) != 0;
int no_realm = (flags & KRB5_PRINCIPAL_UNPARSE_NO_REALM) != 0;
int display = (flags & KRB5_PRINCIPAL_UNPARSE_DISPLAY) != 0;
int flags)
{
size_t len = 0, plen;
- int i;
+ size_t i;
krb5_error_code ret;
/* count length */
if (princ_realm(principal)) {
krb5_const_principal princ1,
krb5_const_principal princ2)
{
- int i;
+ size_t i;
if(princ_num_comp(princ1) != princ_num_comp(princ2))
return FALSE;
for(i = 0; i < princ_num_comp(princ1); i++){
krb5_const_principal princ1,
PrincipalName *princ2)
{
- int i;
+ size_t i;
if (princ_num_comp(princ1) != princ2->name_string.len)
return FALSE;
for(i = 0; i < princ_num_comp(princ1); i++){
krb5_const_principal princ,
krb5_const_principal pattern)
{
- int i;
+ size_t i;
if(princ_num_comp(princ) != princ_num_comp(pattern))
return FALSE;
if(fnmatch(princ_realm(pattern), princ_realm(princ), 0) != 0)
*
* @ingroup krb5_principal
*/
-
+
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_sname_to_principal (krb5_context context,
const char *hostname,
krb5_error_code ret;
char localhost[MAXHOSTNAMELEN];
char **realms, *host = NULL;
-
+
if(type != KRB5_NT_SRV_HST && type != KRB5_NT_UNKNOWN) {
krb5_set_error_message(context, KRB5_SNAME_UNSUPP_NAMETYPE,
N_("unsupported name type %d", ""),
krb5_set_error_message(context, ret,
N_("Failed to get local hostname", ""));
return ret;
- }
+ }
localhost[sizeof(localhost) - 1] = '\0';
hostname = localhost;
}
{ "ENT_PRINCIPAL_AND_ID", KRB5_NT_ENT_PRINCIPAL_AND_ID },
{ "MS_PRINCIPAL", KRB5_NT_MS_PRINCIPAL },
{ "MS_PRINCIPAL_AND_ID", KRB5_NT_MS_PRINCIPAL_AND_ID },
- { NULL }
+ { NULL, 0 }
};
/**
EncKrbCredPart enc_krb_cred_part;
krb5_data enc_krb_cred_part_data;
krb5_crypto crypto;
- int i;
+ size_t i;
memset(&enc_krb_cred_part, 0, sizeof(enc_krb_cred_part));
+ krb5_data_zero(&enc_krb_cred_part_data);
if ((auth_context->flags &
(KRB5_AUTH_CONTEXT_RET_TIME | KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
KRB5_KU_KRB_CRED,
&cred.enc_part,
&enc_krb_cred_part_data);
-
+
krb5_crypto_destroy(context, crypto);
}
if (ret)
goto out;
-
+
ret = krb5_decrypt_EncryptedData(context,
crypto,
KRB5_KU_KRB_CRED,
&cred.enc_part,
&enc_krb_cred_part_data);
-
+
krb5_crypto_destroy(context, crypto);
}
if (ret)
auth_context->local_port);
if (ret)
goto out;
-
+
ret = compare_addrs(context, a, enc_krb_cred_part.r_address,
N_("receiver address is wrong "
"in received creds", ""));
krb5_copy_addresses (context,
kci->caddr,
&creds->addresses);
-
+
(*ret_creds)[i] = creds;
-
+
}
(*ret_creds)[i] = NULL;
if (ret)
goto out;
ret = krb5_decrypt_EncryptedData (context,
- crypto,
+ crypto,
KRB5_KU_AP_REQ_ENC_PART,
&ap_rep.enc_part,
&data);
ret = decode_EncTicketPart(plain.data, plain.length, decr_part, &len);
if (ret)
- krb5_set_error_message(context, ret,
+ krb5_set_error_message(context, ret,
N_("Failed to decode encrypted "
"ticket part", ""));
krb5_data_free (&plain);
check_transited(krb5_context context, Ticket *ticket, EncTicketPart *enc)
{
char **realms;
- unsigned int num_realms;
+ unsigned int num_realms, n;
krb5_error_code ret;
-
+
/*
* Windows 2000 and 2003 uses this inside their TGT so it's normaly
* not seen by others, however, samba4 joined with a Windows AD as
ret = krb5_check_transited(context, enc->crealm,
ticket->realm,
realms, num_realms, NULL);
+ for (n = 0; n < num_realms; n++)
+ free(realms[n]);
free(realms);
return ret;
}
krb5_authdata adIfRelevant;
unsigned i;
- adIfRelevant.len = 0;
+ memset(&adIfRelevant, 0, sizeof(adIfRelevant));
etypes->len = 0;
etypes->val = NULL;
krb5_clear_error_message (context);
return KRB5KRB_AP_ERR_TKT_EXPIRED;
}
-
+
if(!t.flags.transited_policy_checked) {
ret = check_transited(context, ticket, &t);
if(ret) {
{
krb5_principal p1, p2;
krb5_boolean res;
-
+
_krb5_principalname2krb5_principal(context,
&p1,
ac->authenticator->cname,
ac->keytype = ETYPE_NULL;
if (etypes.val) {
- int i;
+ size_t i;
for (i = 0; i < etypes.len; i++) {
if (krb5_enctype_valid(context, etypes.val[i]) == 0) {
krb5_auth_con_free (context, ac);
return ret;
}
-
+
/*
*
*/
&o->ap_req_options,
&o->ticket,
KRB5_KU_AP_REQ_AUTH);
-
+
if (ret)
goto out;
goto out;
done = 0;
- while (!done) {
+ while (!done) {
krb5_principal p;
ret = krb5_kt_next_entry(context, id, &entry, &cursor);
* and update the service principal in the ticket to match
* whatever is in the keytab.
*/
-
- ret = krb5_copy_keyblock(context,
+
+ ret = krb5_copy_keyblock(context,
&entry.keyblock,
&o->keyblock);
if (ret) {
krb5_kt_free_entry (context, &entry);
goto out;
- }
+ }
ret = krb5_copy_principal(context, entry.principal, &p);
if (ret) {
}
krb5_free_principal(context, o->ticket->server);
o->ticket->server = p;
-
+
krb5_kt_free_entry (context, &entry);
done = 1;
krb5_data_free(&data);
if (ret)
goto out;
-
+
ret = krb5_pac_verify(context,
pac,
o->ticket->ticket.authtime,
{
return id->name;
}
-
+
KRB5_LIB_FUNCTION const char* KRB5_LIB_CALL
krb5_rc_get_type(krb5_context context,
krb5_rcache id)
{
return "FILE";
}
-
+
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_get_server_rcache(krb5_context context,
const krb5_data *piece,
{
krb5_error_code ret;
uint16_t *s = NULL;
- size_t len, i;
+ size_t len = 0, i;
EVP_MD_CTX *m;
m = EVP_MD_CTX_create();
DES_cblock *key)
{
char password[8+1]; /* crypt is limited to 8 chars anyway */
- int i;
+ size_t i;
for(i = 0; i < 8; i++) {
char c = ((i < pw.length) ? ((char*)pw.data)[i] : 0) ^
memcpy(password, pw.data, min(pw.length, sizeof(password)));
if(pw.length < sizeof(password)) {
int len = min(cell.length, sizeof(password) - pw.length);
- int i;
+ size_t i;
memcpy(password + pw.length, cell.data, len);
for (i = pw.length; i < pw.length + len; ++i)
DES_string_to_key_int(unsigned char *data, size_t length, DES_cblock *key)
{
DES_key_schedule schedule;
- int i;
+ size_t i;
int reverse = 0;
unsigned char *p;
#include "krb5_locl.h"
+/* coverity[+alloc : arg-*3] */
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_salttype_to_string (krb5_context context,
krb5_enctype etype,
krb5_salt *salt)
{
size_t len;
- int i;
+ size_t i;
krb5_error_code ret;
char *p;
return 0;
if (limit)
- nbytes = min(nbytes, limit - rep->length);
+ nbytes = min((size_t)nbytes, limit - rep->length);
tmp = realloc (rep->data, rep->length + nbytes);
if (tmp == NULL) {
int ret;
krb5_socket_t s = rk_INVALID_SOCKET;
char portstr[NI_MAXSERV];
-
+
if (proxy == NULL)
return ENOMEM;
if (strncmp (proxy, "http://", 7) == 0)
service = _krb5_plugin_get_symbol(e);
if (service->minor_version != 0)
continue;
-
+
(*service->init)(context, &ctx);
ret = (*service->send_to_kdc)(context, ctx, hi,
timeout, send_data, receive);
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_sendto (krb5_context context,
const krb5_data *send_data,
- krb5_krbhst_handle handle,
+ krb5_krbhst_handle handle,
krb5_data *receive)
{
krb5_error_code ret;
krb5_socket_t fd;
- int i;
+ size_t i;
krb5_data_zero(receive);
{
if (context->send_to_kdc)
return krb5_set_send_to_kdc_func(to,
- context->send_to_kdc->func,
+ context->send_to_kdc->func,
context->send_to_kdc->data);
else
return krb5_set_send_to_kdc_func(to, NULL, NULL);
type = KRB5_KRBHST_KDC;
}
- if (send_data->length > context->large_msg_size)
+ if ((int)send_data->length > context->large_msg_size)
ctx->flags |= KRB5_KRBHST_FLAGS_LARGE_MSG;
/* loop until we get back a appropriate response */
{
unsigned char *p = buffer;
unsigned long v = 0;
- int i;
+ size_t i;
for (i = 0; i < size; i++)
v = (v << 8) + p[i];
*value = v;
void (*free)(struct krb5_storage_data*);
krb5_flags flags;
int eof_code;
+ size_t max_alloc;
};
#endif /* __store_int_h__ */
return sp->flags & KRB5_STORAGE_BYTEORDER_MASK;
}
+/**
+ * Set the max alloc value
+ *
+ * @param sp the storage buffer set the max allow for
+ * @param size maximum size to allocate, use 0 to remove limit
+ *
+ * @ingroup krb5_storage
+ */
+
+KRB5_LIB_FUNCTION void KRB5_LIB_CALL
+krb5_storage_set_max_alloc(krb5_storage *sp, size_t size)
+{
+ sp->max_alloc = size;
+}
+
+/* don't allocate unresonable amount of memory */
+static krb5_error_code
+size_too_large(krb5_storage *sp, size_t size)
+{
+ if (sp->max_alloc && sp->max_alloc < size)
+ return HEIM_ERR_TOO_BIG;
+ return 0;
+}
+
+static krb5_error_code
+size_too_large_num(krb5_storage *sp, size_t count, size_t size)
+{
+ if (sp->max_alloc == 0 || size == 0)
+ return 0;
+ size = sp->max_alloc / size;
+ if (size < count)
+ return HEIM_ERR_TOO_BIG;
+ return 0;
+}
+
/**
* Seek to a new offset.
*
pos = sp->seek(sp, 0, SEEK_CUR);
if (pos < 0)
return HEIM_ERR_NOT_SEEKABLE;
- size = (size_t)sp->seek(sp, 0, SEEK_END);
- if (size > (size_t)-1)
- return HEIM_ERR_TOO_BIG;
- ret = krb5_data_alloc (data, size);
+ size = sp->seek(sp, 0, SEEK_END);
+ ret = size_too_large(sp, size);
+ if (ret)
+ return ret;
+ ret = krb5_data_alloc(data, size);
if (ret) {
sp->seek(sp, pos, SEEK_SET);
return ret;
return EINVAL;
_krb5_put_int(v, value, len);
ret = sp->store(sp, v, len);
- if (ret != len)
- return (ret<0)?errno:sp->eof_code;
+ if (ret < 0)
+ return errno;
+ if ((size_t)ret != len)
+ return sp->eof_code;
return 0;
}
unsigned char v[4];
unsigned long w;
ret = sp->fetch(sp, v, len);
- if(ret != len)
- return (ret<0)?errno:sp->eof_code;
+ if (ret < 0)
+ return errno;
+ if ((size_t)ret != len)
+ return sp->eof_code;
_krb5_get_int(v, &w, len);
*value = w;
return 0;
if(ret < 0)
return ret;
ret = sp->store(sp, data.data, data.length);
- if(ret != data.length){
- if(ret < 0)
- return errno;
+ if(ret < 0)
+ return errno;
+ if((size_t)ret != data.length)
return sp->eof_code;
- }
return 0;
}
ret = krb5_ret_int32(sp, &size);
if(ret)
return ret;
+ ret = size_too_large(sp, size);
+ if (ret)
+ return ret;
ret = krb5_data_alloc (data, size);
if (ret)
return ret;
ssize_t ret;
ret = sp->store(sp, s, len);
- if(ret != len) {
- if(ret < 0)
- return ret;
- else
- return sp->eof_code;
- }
+ if(ret < 0)
+ return ret;
+ if((size_t)ret != len)
+ return sp->eof_code;
return 0;
}
char *tmp;
len++;
+ ret = size_too_large(sp, len);
+ if (ret)
+ break;
tmp = realloc (s, len);
if (tmp == NULL) {
free (s);
ssize_t ret;
ret = sp->store(sp, s, len);
- if(ret != len) {
- if(ret < 0)
- return ret;
- else
- return sp->eof_code;
- }
+ if(ret < 0)
+ return ret;
+ if((size_t)ret != len)
+ return sp->eof_code;
ret = sp->store(sp, "\n", 1);
if(ret != 1) {
if(ret < 0)
}
len++;
+ ret = size_too_large(sp, len);
+ if (ret)
+ break;
tmp = realloc (s, len);
if (tmp == NULL) {
free (s);
krb5_store_principal(krb5_storage *sp,
krb5_const_principal p)
{
- int i;
+ size_t i;
int ret;
if(!krb5_storage_is_flags(sp, KRB5_STORAGE_PRINCIPAL_NO_NAME_TYPE)) {
free(p);
return EINVAL;
}
+ ret = size_too_large_num(sp, ncomp, sizeof(p->name.name_string.val[0]));
+ if (ret) {
+ free(p);
+ return ret;
+ }
p->name.name_type = type;
p->name.name_string.len = ncomp;
ret = krb5_ret_string(sp, &p->realm);
free(p);
return ret;
}
- p->name.name_string.val = calloc(ncomp, sizeof(*p->name.name_string.val));
+ p->name.name_string.val = calloc(ncomp, sizeof(p->name.name_string.val[0]));
if(p->name.name_string.val == NULL && ncomp != 0){
free(p->realm);
free(p);
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_store_addrs(krb5_storage *sp, krb5_addresses p)
{
- int i;
+ size_t i;
int ret;
ret = krb5_store_int32(sp, p.len);
if(ret) return ret;
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
krb5_ret_addrs(krb5_storage *sp, krb5_addresses *adr)
{
- int i;
+ size_t i;
int ret;
int32_t tmp;
ret = krb5_ret_int32(sp, &tmp);
if(ret) return ret;
+ ret = size_too_large_num(sp, tmp, sizeof(adr->val[0]));
+ if (ret) return ret;
adr->len = tmp;
ALLOC(adr->val, adr->len);
if (adr->val == NULL && adr->len != 0)
krb5_store_authdata(krb5_storage *sp, krb5_authdata auth)
{
krb5_error_code ret;
- int i;
+ size_t i;
ret = krb5_store_int32(sp, auth.len);
if(ret) return ret;
for(i = 0; i < auth.len; i++){
int i;
ret = krb5_ret_int32(sp, &tmp);
if(ret) return ret;
+ ret = size_too_large_num(sp, tmp, sizeof(auth->val[0]));
+ if (ret) return ret;
ALLOC_SEQ(auth, tmp);
if (auth->val == NULL && tmp != 0)
return ENOMEM;
ret = krb5_ret_data (sp, &creds->second_ticket);
cleanup:
if(ret) {
-#if 0
+#if 0
krb5_free_cred_contents(context, creds); /* XXX */
#endif
}
cleanup:
if(ret) {
-#if 0
+#if 0
krb5_free_cred_contents(context, creds); /* XXX */
#endif
}
emem_fetch(krb5_storage *sp, void *data, size_t size)
{
emem_storage *s = (emem_storage*)sp->data;
- if(s->base + s->len - s->ptr < size)
+ if((size_t)(s->base + s->len - s->ptr) < size)
size = s->base + s->len - s->ptr;
memmove(data, s->ptr, size);
sp->seek(sp, size, SEEK_CUR);
emem_store(krb5_storage *sp, const void *data, size_t size)
{
emem_storage *s = (emem_storage*)sp->data;
- if(size > s->base + s->size - s->ptr){
+ if(size > (size_t)(s->base + s->size - s->ptr)){
void *base;
size_t sz, off;
off = s->ptr - s->base;
emem_storage *s = (emem_storage*)sp->data;
switch(whence){
case SEEK_SET:
- if(offset > s->size)
+ if((size_t)offset > s->size)
offset = s->size;
if(offset < 0)
offset = 0;
s->ptr = s->base + offset;
- if(offset > s->len)
+ if((size_t)offset > s->len)
s->len = offset;
break;
case SEEK_CUR:
s->size = 0;
s->base = NULL;
s->ptr = NULL;
- } else if (offset > s->size || (s->size / 2) > offset) {
+ } else if ((size_t)offset > s->size || (s->size / 2) > (size_t)offset) {
void *base;
size_t off;
off = s->ptr - s->base;
base = realloc(s->base, offset);
if(base == NULL)
return ENOMEM;
- if (offset > s->size)
+ if ((size_t)offset > s->size)
memset((char *)base + s->size, 0, offset - s->size);
s->size = offset;
s->base = base;
sp->seek = emem_seek;
sp->trunc = emem_trunc;
sp->free = emem_free;
+ sp->max_alloc = UINT_MAX/8;
return sp;
}
}
/**
- *
+ *
*
* @return A krb5_storage on success, or NULL on out of memory error.
*
sp->seek = fd_seek;
sp->trunc = fd_trunc;
sp->free = fd_free;
+ sp->max_alloc = UINT_MAX/8;
return sp;
}
mem_fetch(krb5_storage *sp, void *data, size_t size)
{
mem_storage *s = (mem_storage*)sp->data;
- if(size > s->base + s->size - s->ptr)
+ if(size > (size_t)(s->base + s->size - s->ptr))
size = s->base + s->size - s->ptr;
memmove(data, s->ptr, size);
sp->seek(sp, size, SEEK_CUR);
mem_store(krb5_storage *sp, const void *data, size_t size)
{
mem_storage *s = (mem_storage*)sp->data;
- if(size > s->base + s->size - s->ptr)
+ if(size > (size_t)(s->base + s->size - s->ptr))
size = s->base + s->size - s->ptr;
memmove(s->ptr, data, size);
sp->seek(sp, size, SEEK_CUR);
mem_storage *s = (mem_storage*)sp->data;
switch(whence){
case SEEK_SET:
- if(offset > s->size)
+ if((size_t)offset > s->size)
offset = s->size;
if(offset < 0)
offset = 0;
mem_trunc(krb5_storage *sp, off_t offset)
{
mem_storage *s = (mem_storage*)sp->data;
- if(offset > s->size)
+ if((size_t)offset > s->size)
return ERANGE;
s->size = offset;
if ((s->ptr - s->base) > offset)
sp->seek = mem_seek;
sp->trunc = mem_trunc;
sp->free = NULL;
+ sp->max_alloc = UINT_MAX/8;
return sp;
}
sp->seek = mem_seek;
sp->trunc = mem_no_trunc;
sp->free = NULL;
+ sp->max_alloc = UINT_MAX/8;
return sp;
}
int level)
{
krb5_error_code ret = 0;
- int i;
+ size_t i;
if (level > 9) {
ret = ENOENT; /* XXX */
&size);
krb5_data_free (&data);
if (ret) {
- krb5_set_error_message(context, ret,
+ krb5_set_error_message(context, ret,
N_("Failed to decode encpart in ticket", ""));
return ret;
}
{
krb5_error_code ret;
krb5_principal tmp_principal;
- size_t len;
+ size_t len = 0;
time_t tmp_time;
krb5_timestamp sec_now;
/* compare nonces */
- if (nonce != rep->enc_part.nonce) {
+ if (nonce != (unsigned)rep->enc_part.nonce) {
ret = KRB5KRB_AP_ERR_MODIFIED;
krb5_set_error_message(context, ret, N_("malloc: out of memory", ""));
goto out;
creds->addresses.val = NULL;
}
creds->flags.b = rep->enc_part.flags;
-
+
creds->authdata.len = 0;
creds->authdata.val = NULL;
r = r->next;
free(p->realm);
free(p);
- }
+ }
}
static int
from = to;
to = str;
}
-
+
if(strcmp(from + strlen(from) - strlen(to), to) == 0){
p = from;
while(1){
if(strcmp(p, to) == 0)
break;
tmp = calloc(1, sizeof(*tmp));
- if(tmp == NULL){
- krb5_set_error_message(context, ENOMEM,
- N_("malloc: out of memory", ""));
- return ENOMEM;
- }
+ if(tmp == NULL)
+ return krb5_enomem(context);
tmp->next = r->next;
r->next = tmp;
tmp->realm = strdup(p);
if(tmp->realm == NULL){
r->next = tmp->next;
free(tmp);
- krb5_set_error_message(context, ENOMEM,
- N_("malloc: out of memory", ""));
- return ENOMEM;;
+ return krb5_enomem(context);
}
}
}else if(strncmp(from, to, strlen(to)) == 0){
if(strncmp(to, from, p - from) == 0)
break;
tmp = calloc(1, sizeof(*tmp));
- if(tmp == NULL){
- krb5_set_error_message(context, ENOMEM,
- N_("malloc: out of memory", ""));
- return ENOMEM;
- }
+ if(tmp == NULL)
+ return krb5_enomem(context);
tmp->next = r->next;
r->next = tmp;
tmp->realm = malloc(p - from + 1);
if(tmp->realm == NULL){
r->next = tmp->next;
free(tmp);
- krb5_set_error_message(context, ENOMEM,
- N_("malloc: out of memory", ""));
- return ENOMEM;
+ return krb5_enomem(context);
}
memcpy(tmp->realm, from, p - from);
tmp->realm[p - from] = '\0';
tmp = realloc(r->realm, len);
if(tmp == NULL){
free_realms(realms);
- krb5_set_error_message(context, ENOMEM,
- N_("malloc: out of memory", ""));
- return ENOMEM;
+ return krb5_enomem(context);
}
r->realm = tmp;
strlcat(r->realm, prev_realm, len);
tmp = malloc(len);
if(tmp == NULL){
free_realms(realms);
- krb5_set_error_message(context, ENOMEM,
- N_("malloc: out of memory", ""));
- return ENOMEM;
+ return krb5_enomem(context);
}
strlcpy(tmp, prev_realm, len);
strlcat(tmp, r->realm, len);
}
if(tr[i] == ','){
tmp = malloc(tr + i - start + 1);
- if(tmp == NULL){
- krb5_set_error_message(context, ENOMEM,
- N_("malloc: out of memory", ""));
- return ENOMEM;
- }
+ if(tmp == NULL)
+ return krb5_enomem(context);
memcpy(tmp, start, tr + i - start);
tmp[tr + i - start] = '\0';
r = make_realm(tmp);
if(r == NULL){
free_realms(*realms);
- krb5_set_error_message(context, ENOMEM,
- N_("malloc: out of memory", ""));
- return ENOMEM;
+ return krb5_enomem(context);
}
*realms = append_realm(*realms, r);
start = tr + i + 1;
tmp = malloc(tr + i - start + 1);
if(tmp == NULL){
free(*realms);
- krb5_set_error_message(context, ENOMEM,
- N_("malloc: out of memory", ""));
- return ENOMEM;
+ return krb5_enomem(context);
}
memcpy(tmp, start, tr + i - start);
tmp[tr + i - start] = '\0';
r = make_realm(tmp);
if(r == NULL){
free_realms(*realms);
- krb5_set_error_message(context, ENOMEM,
- N_("malloc: out of memory", ""));
- return ENOMEM;
+ return krb5_enomem(context);
}
*realms = append_realm(*realms, r);
(*num_realms)++;
}
}
- if (*num_realms < 0 || *num_realms + 1 > UINT_MAX/sizeof(**realms))
+ if (*num_realms + 1 > UINT_MAX/sizeof(**realms))
return ERANGE;
{
char **R;
R = malloc((*num_realms + 1) * sizeof(*R));
if (R == NULL)
- return ENOMEM;
+ return krb5_enomem(context);
*realms = R;
while(r){
*R++ = r->realm;
return ENOMEM;
*s = '\0';
for(i = 0; i < num_realms; i++){
- if(i && i < num_realms - 1)
+ if(i)
strlcat(s, ",", len + 1);
if(realms[i][0] == '/')
strlcat(s, " ", len + 1);
{
char **tr_realms;
char **p;
- int i;
+ size_t i;
if(num_realms == 0)
return 0;
unsigned int num_realms,
int *bad_realm)
{
- int i;
+ size_t i;
int ret = 0;
char **bad_realms = krb5_config_get_strings(context, NULL,
"libdefaults",
krb5_copy_checksum;
krb5_copy_creds;
krb5_copy_creds_contents;
+ krb5_copy_context;
krb5_copy_data;
krb5_copy_host_realm;
krb5_copy_keyblock;
krb5_hmac;
krb5_init_context;
krb5_init_ets;
- krb5_init_etype;
krb5_initlog;
krb5_is_config_principal;
krb5_is_thread_safe;
+ krb5_kcm_call;
+ krb5_kcm_storage_request;
krb5_kerberos_enctypes;
krb5_keyblock_get_enctype;
krb5_keyblock_init;
krb5_kt_get_full_name;
krb5_kt_get_name;
krb5_kt_get_type;
+ krb5_kt_have_content;
krb5_kt_next_entry;
krb5_kt_read_service_key;
krb5_kt_register;
krb5_storage_set_byteorder;
krb5_storage_set_eof_code;
krb5_storage_set_flags;
+ krb5_storage_set_max_alloc;
krb5_storage_to_data;
krb5_storage_truncate;
krb5_storage_write;
static krb5_error_code _warnerr(krb5_context context, int do_errtext,
krb5_error_code code, int level, const char *fmt, va_list ap)
__attribute__((__format__(__printf__, 5, 0)));
-
+
static krb5_error_code
_warnerr(krb5_context context, int do_errtext,
krb5_error_code code, int level, const char *fmt, va_list ap)
*arg= "<unknown error>";
}
}
-
+
if(context && context->warn_dest)
krb5_log(context, context->warn_dest, level, xfmt, args[0], args[1]);
else
#define CHECK(f, e) \
do { \
- ret = f ; if (ret != (e)) { ret = HNTLM_ERR_DECODE; goto out; } } \
- while(0)
+ ret = f; \
+ if (ret != (ssize_t)(e)) { \
+ ret = HNTLM_ERR_DECODE; \
+ goto out; \
+ } \
+ } while(/*CONSTCOND*/0)
static struct units ntlm_flag_units[] = {
#define ntlm_flag(x) { #x, NTLM_##x }
CHECK(krb5_storage_seek(sp, desc->offset, SEEK_SET), desc->offset);
CHECK(ret_string(sp, ucs2, desc->length, s), 0);
out:
- return ret;
+ return ret;
}
static krb5_error_code
key[7] = (hash[6] << 1);
EVP_CIPHER_CTX_init(&ctx);
-
+
EVP_CipherInit_ex(&ctx, EVP_des_cbc(), NULL, key, NULL, 1);
EVP_Cipher(&ctx, answer, challenge, 8);
EVP_CIPHER_CTX_cleanup(&ctx);
session->length = 0;
return ENOMEM;
}
-
+
m = EVP_MD_CTX_create();
if (m == NULL) {
heim_ntlm_free_buf(session);
nt2unixtime(uint64_t t)
{
t = ((t - (uint64_t)NTTIME_EPOCH) / (uint64_t)10000000);
- if (t > (((time_t)(~(uint64_t)0)) >> 1))
+ if (t > (((uint64_t)(time_t)(~(uint64_t)0)) >> 1))
return 0;
return (time_t)t;
}
sret = net_read(fd, *buf, *size);
if (sret < 0)
ret = errno;
- else if (sret != *size) {
+ else if (sret != (ssize_t)*size) {
ret = EINVAL;
free(*buf);
*buf = NULL;
#include "roken.h"
ROKEN_LIB_FUNCTION int ROKEN_LIB_CALL
-get_window_size(int fd, struct winsize *wp)
+get_window_size(int fd, int *lines, int *columns)
{
- int ret = -1;
-
- memset(wp, 0, sizeof(*wp));
+ char *s;
#if defined(TIOCGWINSZ)
- ret = ioctl(fd, TIOCGWINSZ, wp);
+ {
+ struct winsize ws;
+ int ret;
+ ret = ioctl(fd, TIOCGWINSZ, &ws);
+ if (ret != -1) {
+ if (lines)
+ *lines = ws.ws_row;
+ if (columns)
+ *columns = ws.ws_col;
+ return 0;
+ }
+ }
#elif defined(TIOCGSIZE)
{
struct ttysize ts;
-
+ int ret;
ret = ioctl(fd, TIOCGSIZE, &ts);
- if(ret == 0) {
- wp->ws_row = ts.ts_lines;
- wp->ws_col = ts.ts_cols;
- }
+ if (ret != -1) {
+ if (lines)
+ *lines = ts.ws_lines;
+ if (columns)
+ *columns = ts.ts_cols;
+ return 0;
+ }
}
#elif defined(HAVE__SCRSIZE)
{
int dst[2];
-
- _scrsize(dst);
- wp->ws_row = dst[1];
- wp->ws_col = dst[0];
- ret = 0;
+
+ _scrsize(dst);
+ if (lines)
+ *lines = dst[1];
+ if (columns)
+ *columns = dst[0];
+ return 0;
}
#elif defined(_WIN32)
{
fh = _get_osfhandle(fd);
if (fh != (intptr_t) INVALID_HANDLE_VALUE &&
GetConsoleScreenBufferInfo((HANDLE) fh, &sb_info)) {
- wp->ws_row = 1 + sb_info.srWindow.Bottom - sb_info.srWindow.Top;
- wp->ws_col = 1 + sb_info.srWindow.Right - sb_info.srWindow.Left;
+ if (lines)
+ *lines = 1 + sb_info.srWindow.Bottom - sb_info.srWindow.Top;
+ if (columns)
+ *columns = 1 + sb_info.srWindow.Right - sb_info.srWindow.Left;
- ret = 0;
+ return 0;
}
}
#endif
- if (ret != 0) {
- char *s;
- if((s = getenv("COLUMNS")))
- wp->ws_col = atoi(s);
- if((s = getenv("LINES")))
- wp->ws_row = atoi(s);
- if(wp->ws_col > 0 && wp->ws_row > 0)
- ret = 0;
+ if (columns) {
+ if ((s = getenv("COLUMNS")))
+ *columns = atoi(s);
+ else
+ return -1;
+ }
+ if (lines) {
+ if ((s = getenv("LINES")))
+ *lines = atoi(s);
+ else
+ return -1;
}
- return ret;
+ return 0;
}
printf(".Os OPERATING_SYSTEM\n");
printf(".Sh NAME\n");
printf(".Nm %s\n", p);
- printf(".Nd\n");
- printf("in search of a description\n");
+ printf(".Nd in search of a description\n");
printf(".Sh SYNOPSIS\n");
printf(".Nm\n");
for(i = 0; i < num_args; i++){
}
if(args[i].long_name) {
print_arg(buf, sizeof(buf), 1, 1, args + i, i18n);
- printf("Fl -%s%s%s",
+ printf("Fl Fl %s%s%s",
args[i].type == arg_negative_flag ? "no-" : "",
args[i].long_name, buf);
}
print_arg(buf, sizeof(buf), 1, 0, args + i, i18n);
printf(".Oo Fl %c%s \\*(Ba Xo\n", args[i].short_name, buf);
print_arg(buf, sizeof(buf), 1, 1, args + i, i18n);
- printf(".Fl -%s%s\n.Xc\n.Oc\n", args[i].long_name, buf);
+ printf(".Fl Fl %s%s\n.Xc\n.Oc\n", args[i].long_name, buf);
}
/*
if(args[i].type == arg_strings)
printf("\n");
}
if(args[i].long_name){
- printf(".Fl -%s%s",
+ printf(".Fl Fl %s%s",
args[i].type == arg_negative_flag ? "no-" : "",
args[i].long_name);
print_arg(buf, sizeof(buf), 1, 1, args + i, i18n);
size_t i, max_len = 0;
char buf[128];
int col = 0, columns;
- struct winsize ws;
if (progname == NULL)
progname = getprogname();
mandoc_template(args, num_args, progname, extra_string, i18n);
return;
}
- if(get_window_size(2, &ws) == 0)
- columns = ws.ws_col;
- else
+ if(get_window_size(2, NULL, &columns) == -1)
columns = 80;
col = 0;
col += fprintf (stderr, "%s: %s", usage, progname);
arg_match_long(struct getargs *args, size_t num_args,
char *argv, int argc, char **rargv, int *goptind)
{
- int i;
+ size_t i;
char *goptarg = NULL;
int negate = 0;
int partial_match = 0;
arg_match_short (struct getargs *args, size_t num_args,
char *argv, int argc, char **rargv, int *goptind)
{
- int j, k;
+ size_t j, k;
for(j = 1; j > 0 && j < strlen(rargv[*goptind]); j++) {
for(k = 0; k < num_args; k++) {
}
if(args[k].type == arg_collect) {
struct getarg_collect_info *c = args[k].value;
+ int a = (int)j;
- if((*c->func)(TRUE, argc, rargv, goptind, &j, c->data))
+ if((*c->func)(TRUE, argc, rargv, goptind, &a, c->data))
return ARG_ERR_BAD_ARG;
+ j = a;
break;
}
#include <ctype.h>
#include "hex.h"
-const static char hexchar[] = "0123456789ABCDEF";
+static const char hexchar[16] = "0123456789ABCDEF";
static int
pos(char c)
size_t l;
unsigned char *p = data;
size_t i;
-
+
l = strlen(str);
/* check for overflow, same as (l+1)/2 but overflow safe */
if ((l/2) + (l&1) > len)
return -1;
- i = 0;
if (l & 1) {
p[0] = pos(str[0]);
str++;
print_units_table (const struct units *units, FILE *f)
{
const struct units *u, *u2;
- int max_sz = 0;
+ size_t max_sz = 0;
for (u = units; u->name; ++u) {
max_sz = max(max_sz, strlen(u->name));
if (u2->name == NULL)
--u2;
unparse_units (u->mult, u2, buf, sizeof(buf));
- fprintf (f, "1 %*s = %s\n", max_sz, u->name, buf);
+ fprintf (f, "1 %*s = %s\n", (int)max_sz, u->name, buf);
} else {
fprintf (f, "1 %s\n", u->name);
}
dns_free_rr(rr);
return -1;
}
- if (status + 2 > size) {
+ if ((size_t)status + 2 > size) {
dns_free_rr(rr);
return -1;
}
dns_free_rr(rr);
return -1;
}
- if (status + 6 > size) {
+ if ((size_t)status + 6 > size) {
dns_free_rr(rr);
return -1;
}
break;
}
case rk_ns_t_txt:{
- if(size == 0 || size < *p + 1) {
+ if(size == 0 || size < (unsigned)(*p + 1)) {
dns_free_rr(rr);
return -1;
}
dns_free_rr(rr);
return -1;
}
- if (status + 18 > size) {
+ if ((size_t)status + 18 > size) {
dns_free_rr(rr);
return -1;
}
{
const unsigned char *p;
int status;
- int i;
+ size_t i;
char host[MAXDNAME];
const unsigned char *end_data = data + len;
struct rk_dns_reply *r;
struct sockaddr_storage from;
uint32_t fromsize = sizeof(from);
dns_handle_t handle;
-
+
handle = dns_open(NULL);
if (handle == NULL)
return NULL;
{
char *clone[] = {
"/dev/ptc",
- "/dev/ptmx",
+ "/dev/ptmx",
"/dev/ptm",
- "/dev/ptym/clone",
+ "/dev/ptym/clone",
NULL
};
char **q;
sa.sa_handler = caught_signal;
sa.sa_flags = 0;
sigemptyset (&sa.sa_mask);
-
+
sigaction(SIGALRM, &sa, NULL);
}
#endif
+#ifndef IN_LOOPBACKNET
+#define IN_LOOPBACKNET 127
+#endif
+
#ifdef _MSC_VER
/* Declarations for Microsoft Visual C runtime on Windows */
};
#endif
-ROKEN_LIB_FUNCTION int ROKEN_LIB_CALL get_window_size(int fd, struct winsize *);
+ROKEN_LIB_FUNCTION int ROKEN_LIB_CALL get_window_size(int fd, int *, int *);
#ifndef HAVE_VSYSLOG
#define vsyslog rk_vsyslog
#endif
#ifndef HAVE_GETTIMEOFDAY
+#define gettimeofday rk_gettimeofday
ROKEN_LIB_FUNCTION int ROKEN_LIB_CALL
gettimeofday (struct timeval *, void *);
#endif
#define rk_random() rand()
#endif
+#ifndef HAVE_TDELETE
+#define tdelete(a,b,c) rk_tdelete(a,b,c)
+#endif
+#ifndef HAVE_TFIND
+#define tfind(a,b,c) rk_tfind(a,b,c)
+#endif
+#ifndef HAVE_TSEARCH
+#define tsearch(a,b,c) rk_tsearch(a,b,c)
+#endif
+#ifndef HAVE_TWALK
+#define twalk(a,b) rk_twalk(a,b)
+#endif
#if defined(__linux__) && defined(SOCK_CLOEXEC) && !defined(SOCKET_WRAPPER_REPLACE) && !defined(__SOCKET_WRAPPER_H__)
#undef socket
int offset = 0;
int n;
char *p, *foo;
+ size_t len;
if(dns_addr.sin_family == 0)
return NULL; /* no configured host */
free(request);
return NULL;
}
- if(write(s, request, strlen(request)) != strlen(request)) {
+
+ len = strlen(request);
+ if(write(s, request, len) != (ssize_t)len) {
close(s);
free(request);
return NULL;
static char addrs[4 * MAX_ADDRS];
static char *addr_list[MAX_ADDRS + 1];
int num_addrs = 0;
-
+
he.h_name = p;
he.h_aliases = NULL;
he.h_addrtype = AF_INET;
he.h_length = 4;
-
+
while((p = strtok_r(NULL, " \t\r\n", &foo)) && num_addrs < MAX_ADDRS) {
struct in_addr ip;
inet_aton(p, &ip);
}
#endif
}
-
+
/*
* Enable debug on `sock'.
*/
if(save == NULL)
return -1;
*stringp = *stringp + strcspn(*stringp, delim);
- l = min(len, *stringp - save);
+ l = min(len, (size_t)(*stringp - save));
if(len > 0) {
memcpy(buf, save, l);
buf[l] = '\0';
rk_timevaladd;
rk_timevalfix;
rk_timevalsub;
+ rk_tdelete;
+ rk_tfind;
+ rk_tsearch;
+ rk_twalk;
rk_undumpdata;
rk_unvis;
rk_vasnprintf;
if(*package_list == '\0')
package_list = "no version information";
fprintf(stderr, "%s (%s)\n", progname, package_list);
- fprintf(stderr, "Copyright 1995-2010 Kungliga Tekniska Högskolan\n");
+ fprintf(stderr, "Copyright 1995-2011 Kungliga Tekniska Högskolan\n");
+#ifdef PACKAGE_BUGREPORT
fprintf(stderr, "Send bug-reports to %s\n", PACKAGE_BUGREPORT);
+#endif
}
return WIND_ERR_OVERRUN;
while(i < olen && tmp[i] == 0x20) /* skip initial spaces */
i++;
-
+
while (i < olen) {
if (tmp[i] == 0x20) {
if (put_char(out, &o, 0x20, *out_len) ||
} else {
if (put_char(out, &o, tmp[i++], *out_len))
return WIND_ERR_OVERRUN;
- }
+ }
}
assert(o > 0);
struct translation ts = {in[i]};
size_t sub_len = *out_len - o;
int ret;
-
+
ret = hangul_decomp(in + i, in_len - i,
out + o, &sub_len);
if (ret) {
return ret;
}
-const static struct {
+static const struct {
const char *name;
wind_profile_flags flags;
} profiles[] = {
for (o = 0, i = 0; i < in_len; i++) {
ch = in[i];
-
+
if (ch < 0x80) {
len = 1;
} else if (ch < 0x800) {
len = 4;
} else
return WIND_ERR_INVALID_UTF32;
-
+
o += len;
if (out) {
* first to the output data */
if ((*flags) & WIND_RW_BOM) {
uint16_t bom = 0xfffe;
-
+
if (len < 2)
return WIND_ERR_OVERRUN;
for (o = 0, i = 0; i < in_len; i++) {
ch = in[i];
-
+
if (ch < 0x80) {
len = 1;
} else if (ch < 0x800) {
len = 2;
} else
len = 3;
-
+
o += len;
if (out) {