Diffstat (limited to 'src/lib/krb5')
-rw-r--r--src/lib/krb5/asn.1/asn1_k_decode.c2
-rw-r--r--src/lib/krb5/asn.1/asn1_k_decode.h8
-rw-r--r--src/lib/krb5/asn.1/krb5_decode.c2
-rw-r--r--src/lib/krb5/asn.1/krb5_encode.c1
-rw-r--r--src/lib/krb5/ccache/cc-int.h15
-rw-r--r--src/lib/krb5/ccache/cc_file.c2701
-rw-r--r--src/lib/krb5/ccache/cc_keyring.c827
-rw-r--r--src/lib/krb5/ccache/cc_memory.c411
-rw-r--r--src/lib/krb5/ccache/cc_mslsa.c903
-rw-r--r--src/lib/krb5/ccache/cc_retr.c321
-rw-r--r--src/lib/krb5/ccache/ccapi/stdcc.c1662
-rw-r--r--src/lib/krb5/ccache/ccapi/stdcc.h177
-rw-r--r--src/lib/krb5/ccache/ccapi/stdcc_util.c665
-rw-r--r--src/lib/krb5/ccache/ccapi/stdcc_util.h15
-rw-r--r--src/lib/krb5/ccache/ccapi/winccld.c71
-rw-r--r--src/lib/krb5/ccache/ccapi/winccld.h41
-rw-r--r--src/lib/krb5/ccache/ccbase.c229
-rw-r--r--src/lib/krb5/ccache/cccopy.c31
-rw-r--r--src/lib/krb5/ccache/cccursor.c193
-rw-r--r--src/lib/krb5/ccache/ccdefault.c63
-rw-r--r--src/lib/krb5/ccache/ccdefops.c7
-rw-r--r--src/lib/krb5/ccache/ccfns.c30
-rw-r--r--src/lib/krb5/ccache/fcc.h5
-rw-r--r--src/lib/krb5/ccache/scc.h51
-rw-r--r--src/lib/krb5/ccache/ser_cc.c183
-rw-r--r--src/lib/krb5/ccache/t_cc.c607
-rw-r--r--src/lib/krb5/ccache/t_cccursor.c109
-rw-r--r--src/lib/krb5/ccache/t_memory.c144
-rw-r--r--src/lib/krb5/ccache/t_stdio.c167
-rw-r--r--src/lib/krb5/error_tables/init_ets.c17
-rw-r--r--src/lib/krb5/keytab/kt-int.h5
-rw-r--r--src/lib/krb5/keytab/kt_file.c1412
-rw-r--r--src/lib/krb5/keytab/kt_memory.c488
-rw-r--r--src/lib/krb5/keytab/kt_srvtab.c250
-rw-r--r--src/lib/krb5/keytab/ktadd.c10
-rw-r--r--src/lib/krb5/keytab/ktbase.c110
-rw-r--r--src/lib/krb5/keytab/ktdefault.c8
-rw-r--r--src/lib/krb5/keytab/ktfns.c38
-rw-r--r--src/lib/krb5/keytab/ktfr_entry.c16
-rw-r--r--src/lib/krb5/keytab/ktremove.c12
-rw-r--r--src/lib/krb5/keytab/read_servi.c44
-rw-r--r--src/lib/krb5/keytab/t_keytab.c725
-rw-r--r--src/lib/krb5/krb/addr_comp.c15
-rw-r--r--src/lib/krb5/krb/addr_order.c21
-rw-r--r--src/lib/krb5/krb/addr_srch.c17
-rw-r--r--src/lib/krb5/krb/appdefault.c259
-rw-r--r--src/lib/krb5/krb/auth_con.c336
-rw-r--r--src/lib/krb5/krb/auth_con.h41
-rw-r--r--src/lib/krb5/krb/authdata.c13
-rw-r--r--src/lib/krb5/krb/authdata.h12
-rw-r--r--src/lib/krb5/krb/bld_pr_ext.c37
-rw-r--r--src/lib/krb5/krb/bld_princ.c95
-rw-r--r--src/lib/krb5/krb/brand.c3
-rw-r--r--src/lib/krb5/krb/chk_trans.c427
-rw-r--r--src/lib/krb5/krb/chpw.c528
-rw-r--r--src/lib/krb5/krb/cleanup.h35
-rw-r--r--src/lib/krb5/krb/conv_creds.c11
-rw-r--r--src/lib/krb5/krb/conv_princ.c427
-rw-r--r--src/lib/krb5/krb/copy_addrs.c54
-rw-r--r--src/lib/krb5/krb/copy_athctr.c62
-rw-r--r--src/lib/krb5/krb/copy_auth.c226
-rw-r--r--src/lib/krb5/krb/copy_cksum.c11
-rw-r--r--src/lib/krb5/krb/copy_creds.c43
-rw-r--r--src/lib/krb5/krb/copy_data.c39
-rw-r--r--src/lib/krb5/krb/copy_key.c5
-rw-r--r--src/lib/krb5/krb/copy_princ.c37
-rw-r--r--src/lib/krb5/krb/copy_tick.c95
-rw-r--r--src/lib/krb5/krb/cp_key_cnt.c5
-rw-r--r--src/lib/krb5/krb/decode_kdc.c40
-rw-r--r--src/lib/krb5/krb/decrypt_tk.c31
-rw-r--r--src/lib/krb5/krb/deltat.c16
-rw-r--r--src/lib/krb5/krb/enc_helper.c31
-rw-r--r--src/lib/krb5/krb/encode_kdc.c75
-rw-r--r--src/lib/krb5/krb/encrypt_tk.c27
-rw-r--r--src/lib/krb5/krb/fast.c458
-rw-r--r--src/lib/krb5/krb/fast.h29
-rw-r--r--src/lib/krb5/krb/free_rtree.c11
-rw-r--r--src/lib/krb5/krb/fwd_tgt.c191
-rw-r--r--src/lib/krb5/krb/gc_frm_kdc.c903
-rw-r--r--src/lib/krb5/krb/gc_via_tkt.c559
-rw-r--r--src/lib/krb5/krb/gen_seqnum.c11
-rw-r--r--src/lib/krb5/krb/gen_subkey.c21
-rw-r--r--src/lib/krb5/krb/get_creds.c314
-rw-r--r--src/lib/krb5/krb/get_in_tkt.c1687
-rw-r--r--src/lib/krb5/krb/gic_keytab.c194
-rw-r--r--src/lib/krb5/krb/gic_opt.c251
-rw-r--r--src/lib/krb5/krb/gic_pwd.c810
-rw-r--r--src/lib/krb5/krb/in_tkt_sky.c79
-rw-r--r--src/lib/krb5/krb/init_ctx.c507
-rw-r--r--src/lib/krb5/krb/init_keyblock.c15
-rw-r--r--src/lib/krb5/krb/int-proto.h60
-rw-r--r--src/lib/krb5/krb/kdc_rep_dc.c23
-rw-r--r--src/lib/krb5/krb/kerrs.c57
-rw-r--r--src/lib/krb5/krb/kfree.c354
-rw-r--r--src/lib/krb5/krb/mk_cred.c182
-rw-r--r--src/lib/krb5/krb/mk_error.c19
-rw-r--r--src/lib/krb5/krb/mk_priv.c236
-rw-r--r--src/lib/krb5/krb/mk_rep.c81
-rw-r--r--src/lib/krb5/krb/mk_req.c57
-rw-r--r--src/lib/krb5/krb/mk_req_ext.c402
-rw-r--r--src/lib/krb5/krb/mk_safe.c272
-rw-r--r--src/lib/krb5/krb/pac.c954
-rw-r--r--src/lib/krb5/krb/parse.c525
-rw-r--r--src/lib/krb5/krb/pkinit_apple_asn1.c701
-rw-r--r--src/lib/krb5/krb/pkinit_apple_cert_store.c401
-rw-r--r--src/lib/krb5/krb/pkinit_apple_client.c227
-rw-r--r--src/lib/krb5/krb/pkinit_apple_cms.c623
-rw-r--r--src/lib/krb5/krb/pkinit_apple_utils.c221
-rw-r--r--src/lib/krb5/krb/pr_to_salt.c33
-rw-r--r--src/lib/krb5/krb/preauth.c56
-rw-r--r--src/lib/krb5/krb/preauth2.c2569
-rw-r--r--src/lib/krb5/krb/princ_comp.c104
-rw-r--r--src/lib/krb5/krb/rd_cred.c134
-rw-r--r--src/lib/krb5/krb/rd_error.c12
-rw-r--r--src/lib/krb5/krb/rd_priv.c294
-rw-r--r--src/lib/krb5/krb/rd_rep.c105
-rw-r--r--src/lib/krb5/krb/rd_req.c44
-rw-r--r--src/lib/krb5/krb/rd_req_dec.c786
-rw-r--r--src/lib/krb5/krb/rd_safe.c284
-rw-r--r--src/lib/krb5/krb/recvauth.c297
-rw-r--r--src/lib/krb5/krb/s4u_creds.c6
-rw-r--r--src/lib/krb5/krb/send_tgs.c172
-rw-r--r--src/lib/krb5/krb/sendauth.c2
-rw-r--r--src/lib/krb5/krb/ser_actx.c889
-rw-r--r--src/lib/krb5/krb/ser_adata.c187
-rw-r--r--src/lib/krb5/krb/ser_addr.c209
-rw-r--r--src/lib/krb5/krb/ser_auth.c495
-rw-r--r--src/lib/krb5/krb/ser_cksum.c189
-rw-r--r--src/lib/krb5/krb/ser_ctx.c40
-rw-r--r--src/lib/krb5/krb/ser_eblk.c287
-rw-r--r--src/lib/krb5/krb/ser_key.c187
-rw-r--r--src/lib/krb5/krb/ser_princ.c119
-rw-r--r--src/lib/krb5/krb/serialize.c211
-rw-r--r--src/lib/krb5/krb/set_realm.c31
-rw-r--r--src/lib/krb5/krb/srv_dec_tkt.c122
-rw-r--r--src/lib/krb5/krb/srv_rcache.c37
-rw-r--r--src/lib/krb5/krb/str_conv.c219
-rw-r--r--src/lib/krb5/krb/strptime.c4
-rw-r--r--src/lib/krb5/krb/t_ad_fx_armor.c17
-rw-r--r--src/lib/krb5/krb/t_authdata.c43
-rw-r--r--src/lib/krb5/krb/t_deltat.c215
-rw-r--r--src/lib/krb5/krb/t_etypes.c3
-rw-r--r--src/lib/krb5/krb/t_expand.c1
-rw-r--r--src/lib/krb5/krb/t_kerb.c253
-rw-r--r--src/lib/krb5/krb/t_pac.c96
-rw-r--r--src/lib/krb5/krb/t_princ.c8
-rw-r--r--src/lib/krb5/krb/t_ser.c955
-rw-r--r--src/lib/krb5/krb/t_walk_rtree.c92
-rw-r--r--src/lib/krb5/krb/tgtname.c11
-rw-r--r--src/lib/krb5/krb/unparse.c298
-rw-r--r--src/lib/krb5/krb/valid_times.c36
-rw-r--r--src/lib/krb5/krb/vfy_increds.c415
-rw-r--r--src/lib/krb5/krb/vic_opt.c7
-rw-r--r--src/lib/krb5/krb/walk_rtree.c221
-rw-r--r--src/lib/krb5/krb5_libinit.c13
-rw-r--r--src/lib/krb5/krb5_libinit.h1
-rw-r--r--src/lib/krb5/os/accessor.c155
-rw-r--r--src/lib/krb5/os/an_to_ln.c922
-rw-r--r--src/lib/krb5/os/c_ustime.c37
-rw-r--r--src/lib/krb5/os/ccdefname.c279
-rw-r--r--src/lib/krb5/os/changepw.c447
-rw-r--r--src/lib/krb5/os/def_realm.c48
-rw-r--r--src/lib/krb5/os/dnsglue.c163
-rw-r--r--src/lib/krb5/os/dnsglue.h29
-rw-r--r--src/lib/krb5/os/dnssrv.c153
-rw-r--r--src/lib/krb5/os/free_hstrl.c9
-rw-r--r--src/lib/krb5/os/free_krbhs.c13
-rw-r--r--src/lib/krb5/os/full_ipadr.c15
-rw-r--r--src/lib/krb5/os/gen_port.c9
-rw-r--r--src/lib/krb5/os/gen_rname.c11
-rw-r--r--src/lib/krb5/os/genaddrs.c107
-rw-r--r--src/lib/krb5/os/get_krbhst.c65
-rw-r--r--src/lib/krb5/os/hostaddr.c120
-rw-r--r--src/lib/krb5/os/hst_realm.c309
-rw-r--r--src/lib/krb5/os/init_os_ctx.c51
-rw-r--r--src/lib/krb5/os/krbfileio.c10
-rw-r--r--src/lib/krb5/os/ktdefname.c52
-rw-r--r--src/lib/krb5/os/kuserok.c83
-rw-r--r--src/lib/krb5/os/localaddr.c1377
-rw-r--r--src/lib/krb5/os/locate_kdc.c707
-rw-r--r--src/lib/krb5/os/lock_file.c53
-rw-r--r--src/lib/krb5/os/mk_faddr.c13
-rw-r--r--src/lib/krb5/os/net_read.c39
-rw-r--r--src/lib/krb5/os/net_write.c53
-rw-r--r--src/lib/krb5/os/os-proto.h29
-rw-r--r--src/lib/krb5/os/osconfig.c6
-rw-r--r--src/lib/krb5/os/port2ip.c19
-rw-r--r--src/lib/krb5/os/prompter.c313
-rw-r--r--src/lib/krb5/os/read_msg.c57
-rw-r--r--src/lib/krb5/os/read_pwd.c201
-rw-r--r--src/lib/krb5/os/realm_dom.c7
-rw-r--r--src/lib/krb5/os/realm_iter.c13
-rw-r--r--src/lib/krb5/os/sendto_kdc.c1373
-rw-r--r--src/lib/krb5/os/sn2princ.c202
-rw-r--r--src/lib/krb5/os/t_an_to_ln.c53
-rw-r--r--src/lib/krb5/os/t_gifconf.c81
-rw-r--r--src/lib/krb5/os/t_locate_kdc.c87
-rw-r--r--src/lib/krb5/os/t_realm_iter.c29
-rw-r--r--src/lib/krb5/os/t_std_conf.c377
-rw-r--r--src/lib/krb5/os/thread_safe.c5
-rw-r--r--src/lib/krb5/os/timeofday.c17
-rw-r--r--src/lib/krb5/os/toffset.c21
-rw-r--r--src/lib/krb5/os/unlck_file.c5
-rw-r--r--src/lib/krb5/os/ustime.c35
-rw-r--r--src/lib/krb5/os/write_msg.c49
-rw-r--r--src/lib/krb5/posix/syslog.c3
-rw-r--r--src/lib/krb5/rcache/rc-int.h22
-rw-r--r--src/lib/krb5/rcache/rc_base.c2
-rw-r--r--src/lib/krb5/rcache/rc_base.h2
-rw-r--r--src/lib/krb5/rcache/rc_conv.c2
-rw-r--r--src/lib/krb5/rcache/rc_dfl.c2
-rw-r--r--src/lib/krb5/rcache/rc_dfl.h56
-rw-r--r--src/lib/krb5/rcache/rc_io.c14
-rw-r--r--src/lib/krb5/rcache/rc_io.h74
-rw-r--r--src/lib/krb5/rcache/rc_none.c2
-rw-r--r--src/lib/krb5/rcache/rcdef.c2
-rw-r--r--src/lib/krb5/rcache/rcfns.c2
-rw-r--r--src/lib/krb5/rcache/ser_rc.c8
-rw-r--r--src/lib/krb5/rcache/t_replay.c2
-rw-r--r--src/lib/krb5/unicode/ucdata/ucdata.c10
-rw-r--r--src/lib/krb5/unicode/ucdata/ucdata.h8
-rw-r--r--src/lib/krb5/unicode/ucdata/ucgendat.c20
-rw-r--r--src/lib/krb5/unicode/ucdata/uctable.h1
-rw-r--r--src/lib/krb5/unicode/ucstr.c14
-rw-r--r--src/lib/krb5/unicode/utbm/utbmstub.c2
225 files changed, 23391 insertions, 23259 deletions
diff --git a/src/lib/krb5/asn.1/asn1_k_decode.c b/src/lib/krb5/asn.1/asn1_k_decode.c
index 1a46894482..e6682b5412 100644
--- a/src/lib/krb5/asn.1/asn1_k_decode.c
+++ b/src/lib/krb5/asn.1/asn1_k_decode.c
@@ -1774,7 +1774,7 @@ error_out:
asn1_error_code
asn1_decode_external_principal_identifier_ptr
- (asn1buf *buf,
+ (asn1buf *buf,
krb5_external_principal_identifier **valptr)
{
decode_ptr(krb5_external_principal_identifier *,
diff --git a/src/lib/krb5/asn.1/asn1_k_decode.h b/src/lib/krb5/asn.1/asn1_k_decode.h
index f0d99dcc0d..4cf7e080f5 100644
--- a/src/lib/krb5/asn.1/asn1_k_decode.h
+++ b/src/lib/krb5/asn.1/asn1_k_decode.h
@@ -109,7 +109,7 @@ asn1_error_code asn1_decode_checksum_ptr
asn1_error_code asn1_decode_encryption_key
(asn1buf *buf, krb5_keyblock *val);
asn1_error_code asn1_decode_encryption_key_ptr
- (asn1buf *buf, krb5_keyblock **valptr);
+ (asn1buf *buf, krb5_keyblock **valptr);
asn1_error_code asn1_decode_encrypted_data
(asn1buf *buf, krb5_enc_data *val);
asn1_error_code asn1_decode_ticket_flags
@@ -127,7 +127,7 @@ asn1_error_code asn1_decode_kdc_options
asn1_error_code asn1_decode_ticket
(asn1buf *buf, krb5_ticket *val);
asn1_error_code asn1_decode_ticket_ptr
- (asn1buf *buf, krb5_ticket **valptr);
+ (asn1buf *buf, krb5_ticket **valptr);
asn1_error_code asn1_decode_kdc_req
(asn1buf *buf, krb5_kdc_req *val);
asn1_error_code asn1_decode_kdc_req_body
@@ -137,7 +137,7 @@ asn1_error_code asn1_decode_krb_safe_body
asn1_error_code asn1_decode_host_address
(asn1buf *buf, krb5_address *val);
asn1_error_code asn1_decode_host_address_ptr
- (asn1buf *buf, krb5_address **valptr);
+ (asn1buf *buf, krb5_address **valptr);
asn1_error_code asn1_decode_kdc_rep
(asn1buf *buf, krb5_kdc_rep *val);
asn1_error_code asn1_decode_last_req_entry
@@ -155,7 +155,7 @@ asn1_error_code asn1_decode_krb_cred_info_ptr
asn1_error_code asn1_decode_pa_data
(asn1buf *buf, krb5_pa_data *val);
asn1_error_code asn1_decode_pa_data_ptr
- (asn1buf *buf, krb5_pa_data **valptr);
+ (asn1buf *buf, krb5_pa_data **valptr);
asn1_error_code asn1_decode_passwdsequence
(asn1buf *buf, passwd_phrase_element *val);
asn1_error_code asn1_decode_passwdsequence_ptr
diff --git a/src/lib/krb5/asn.1/krb5_decode.c b/src/lib/krb5/asn.1/krb5_decode.c
index 215608d33a..fa835feba1 100644
--- a/src/lib/krb5/asn.1/krb5_decode.c
+++ b/src/lib/krb5/asn.1/krb5_decode.c
@@ -1191,7 +1191,7 @@ krb5_error_code decode_krb5_ad_kdcissued
cleanup(free);
}
-
+
#ifndef DISABLE_PKINIT
krb5_error_code
decode_krb5_pa_pk_as_req(const krb5_data *code, krb5_pa_pk_as_req **repptr)
diff --git a/src/lib/krb5/asn.1/krb5_encode.c b/src/lib/krb5/asn.1/krb5_encode.c
index 5834e8ae84..144b726b6a 100644
--- a/src/lib/krb5/asn.1/krb5_encode.c
+++ b/src/lib/krb5/asn.1/krb5_encode.c
@@ -171,4 +171,3 @@ krb5_error_code encode_krb5_typed_data(const krb5_typed_data **rep, krb5_data **
sum += length;
krb5_cleanup();
}
-
diff --git a/src/lib/krb5/ccache/cc-int.h b/src/lib/krb5/ccache/cc-int.h
index 84b100286a..6854265463 100644
--- a/src/lib/krb5/ccache/cc-int.h
+++ b/src/lib/krb5/ccache/cc-int.h
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/ccache/file/cc-int.h
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* This file contains constant and function declarations used in the
* file-based credential cache routines.
@@ -71,8 +72,8 @@ typedef struct _k5_cc_mutex {
krb5_int32 refcount;
} k5_cc_mutex;
-#define K5_CC_MUTEX_PARTIAL_INITIALIZER \
- { K5_MUTEX_PARTIAL_INITIALIZER, NULL, 0 }
+#define K5_CC_MUTEX_PARTIAL_INITIALIZER \
+ { K5_MUTEX_PARTIAL_INITIALIZER, NULL, 0 }
krb5_error_code
k5_cc_mutex_init(k5_cc_mutex *m);
@@ -80,8 +81,8 @@ k5_cc_mutex_init(k5_cc_mutex *m);
krb5_error_code
k5_cc_mutex_finish_init(k5_cc_mutex *m);
-#define k5_cc_mutex_destroy(M) \
-k5_mutex_destroy(&(M)->lock);
+#define k5_cc_mutex_destroy(M) \
+ k5_mutex_destroy(&(M)->lock);
void
k5_cc_mutex_assert_locked(krb5_context context, k5_cc_mutex *m);
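Review bot: The `k5_cc_mutex_destroy(M)` macro still carries a semicolon inside its definition, so a call written `k5_cc_mutex_destroy(m);` expands to two statements and will not compile as the body of an unbraced `if` that has an `else`. Dropping the terminator fixes that: `#define k5_cc_mutex_destroy(M) k5_mutex_destroy(&(M)->lock)`. Call sites are outside this hunk, so confirm none relies on the macro supplying the semicolon.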
@@ -101,7 +102,7 @@ extern k5_cc_mutex krb5int_cc_file_mutex;
#ifdef USE_CCAPI_V3
extern krb5_error_code KRB5_CALLCONV krb5_stdccv3_context_lock
-(krb5_context context);
+(krb5_context context);
extern krb5_error_code KRB5_CALLCONV krb5_stdccv3_context_unlock
(krb5_context context);
diff --git a/src/lib/krb5/ccache/cc_file.c b/src/lib/krb5/ccache/cc_file.c
index 32564a04eb..d1499bc756 100644
--- a/src/lib/krb5/ccache/cc_file.c
+++ b/src/lib/krb5/ccache/cc_file.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/ccache/cc_file.c
*
@@ -10,7 +11,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -24,46 +25,46 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* implementation of file-based credentials cache
*/
/*
-If OPENCLOSE is defined, each of the functions opens and closes the
-file whenever it needs to access it. Otherwise, the file is opened
-once in initialize and closed once is close.
-
-This library depends on UNIX-like file descriptors, and UNIX-like
-behavior from the functions: open, close, read, write, lseek.
-
-The quasi-BNF grammar for a credentials cache:
-
-file ::=
- principal list-of-credentials
-
-credential ::=
- client (principal)
- server (principal)
- keyblock (keyblock)
- times (ticket_times)
- is_skey (boolean)
- ticket_flags (flags)
- ticket (data)
- second_ticket (data)
-
-principal ::=
- number of components (int32)
- component 1 (data)
- component 2 (data)
- ...
-
-data ::=
- length (int32)
- string of length bytes
-
-etc.
- */
+ If OPENCLOSE is defined, each of the functions opens and closes the
+ file whenever it needs to access it. Otherwise, the file is opened
+ once in initialize and closed once is close.
+
+ This library depends on UNIX-like file descriptors, and UNIX-like
+ behavior from the functions: open, close, read, write, lseek.
+
+ The quasi-BNF grammar for a credentials cache:
+
+ file ::=
+ principal list-of-credentials
+
+ credential ::=
+ client (principal)
+ server (principal)
+ keyblock (keyblock)
+ times (ticket_times)
+ is_skey (boolean)
+ ticket_flags (flags)
+ ticket (data)
+ second_ticket (data)
+
+ principal ::=
+ number of components (int32)
+ component 1 (data)
+ component 2 (data)
+ ...
+
+ data ::=
+ length (int32)
+ string of length bytes
+
+ etc.
+*/
/* todo:
Make sure that each time a function returns KRB5_NOMEM, everything
allocated earlier in the function and stack tree is freed.
@@ -74,7 +75,7 @@ etc.
simultaneously. (That may require reader/writer locks.)
fcc_nseq.c and fcc_read don't check return values a lot.
- */
+*/
#include "k5-int.h"
#include "cc-int.h"
@@ -96,93 +97,93 @@ etc.
#endif
static krb5_error_code KRB5_CALLCONV krb5_fcc_close
- (krb5_context, krb5_ccache id);
+(krb5_context, krb5_ccache id);
static krb5_error_code KRB5_CALLCONV krb5_fcc_destroy
- (krb5_context, krb5_ccache id);
+(krb5_context, krb5_ccache id);
static krb5_error_code KRB5_CALLCONV krb5_fcc_end_seq_get
- (krb5_context, krb5_ccache id, krb5_cc_cursor *cursor);
+(krb5_context, krb5_ccache id, krb5_cc_cursor *cursor);
static krb5_error_code KRB5_CALLCONV krb5_fcc_generate_new
- (krb5_context, krb5_ccache *id);
+(krb5_context, krb5_ccache *id);
static const char * KRB5_CALLCONV krb5_fcc_get_name
- (krb5_context, krb5_ccache id);
+(krb5_context, krb5_ccache id);
static krb5_error_code KRB5_CALLCONV krb5_fcc_get_principal
- (krb5_context, krb5_ccache id, krb5_principal *princ);
+(krb5_context, krb5_ccache id, krb5_principal *princ);
static krb5_error_code KRB5_CALLCONV krb5_fcc_initialize
- (krb5_context, krb5_ccache id, krb5_principal princ);
+(krb5_context, krb5_ccache id, krb5_principal princ);
static krb5_error_code KRB5_CALLCONV krb5_fcc_next_cred
- (krb5_context, krb5_ccache id, krb5_cc_cursor *cursor,
- krb5_creds *creds);
+(krb5_context, krb5_ccache id, krb5_cc_cursor *cursor,
+ krb5_creds *creds);
static krb5_error_code krb5_fcc_read
- (krb5_context, krb5_ccache id, krb5_pointer buf, unsigned int len);
+(krb5_context, krb5_ccache id, krb5_pointer buf, unsigned int len);
static krb5_error_code krb5_fcc_read_principal
- (krb5_context, krb5_ccache id, krb5_principal *princ);
+(krb5_context, krb5_ccache id, krb5_principal *princ);
static krb5_error_code krb5_fcc_read_keyblock
- (krb5_context, krb5_ccache id, krb5_keyblock *keyblock);
+(krb5_context, krb5_ccache id, krb5_keyblock *keyblock);
static krb5_error_code krb5_fcc_read_data
- (krb5_context, krb5_ccache id, krb5_data *data);
+(krb5_context, krb5_ccache id, krb5_data *data);
static krb5_error_code krb5_fcc_read_int32
- (krb5_context, krb5_ccache id, krb5_int32 *i);
+(krb5_context, krb5_ccache id, krb5_int32 *i);
static krb5_error_code krb5_fcc_read_ui_2
- (krb5_context, krb5_ccache id, krb5_ui_2 *i);
+(krb5_context, krb5_ccache id, krb5_ui_2 *i);
static krb5_error_code krb5_fcc_read_octet
- (krb5_context, krb5_ccache id, krb5_octet *i);
+(krb5_context, krb5_ccache id, krb5_octet *i);
static krb5_error_code krb5_fcc_read_times
- (krb5_context, krb5_ccache id, krb5_ticket_times *t);
+(krb5_context, krb5_ccache id, krb5_ticket_times *t);
static krb5_error_code krb5_fcc_read_addrs
- (krb5_context, krb5_ccache, krb5_address ***);
+(krb5_context, krb5_ccache, krb5_address ***);
static krb5_error_code krb5_fcc_read_addr
- (krb5_context, krb5_ccache, krb5_address *);
+(krb5_context, krb5_ccache, krb5_address *);
static krb5_error_code krb5_fcc_read_authdata
- (krb5_context, krb5_ccache, krb5_authdata ***);
+(krb5_context, krb5_ccache, krb5_authdata ***);
static krb5_error_code krb5_fcc_read_authdatum
- (krb5_context, krb5_ccache, krb5_authdata *);
+(krb5_context, krb5_ccache, krb5_authdata *);
static krb5_error_code KRB5_CALLCONV krb5_fcc_resolve
- (krb5_context, krb5_ccache *id, const char *residual);
+(krb5_context, krb5_ccache *id, const char *residual);
static krb5_error_code KRB5_CALLCONV krb5_fcc_retrieve
- (krb5_context, krb5_ccache id, krb5_flags whichfields,
- krb5_creds *mcreds, krb5_creds *creds);
+(krb5_context, krb5_ccache id, krb5_flags whichfields,
+ krb5_creds *mcreds, krb5_creds *creds);
static krb5_error_code KRB5_CALLCONV krb5_fcc_start_seq_get
- (krb5_context, krb5_ccache id, krb5_cc_cursor *cursor);
+(krb5_context, krb5_ccache id, krb5_cc_cursor *cursor);
static krb5_error_code KRB5_CALLCONV krb5_fcc_store
- (krb5_context, krb5_ccache id, krb5_creds *creds);
+(krb5_context, krb5_ccache id, krb5_creds *creds);
static krb5_error_code krb5_fcc_skip_header
- (krb5_context, krb5_ccache);
+(krb5_context, krb5_ccache);
static krb5_error_code krb5_fcc_skip_principal
- (krb5_context, krb5_ccache id);
+(krb5_context, krb5_ccache id);
static krb5_error_code KRB5_CALLCONV krb5_fcc_set_flags
- (krb5_context, krb5_ccache id, krb5_flags flags);
+(krb5_context, krb5_ccache id, krb5_flags flags);
static krb5_error_code KRB5_CALLCONV krb5_fcc_ptcursor_new
- (krb5_context context, krb5_cc_ptcursor *cursor);
+(krb5_context context, krb5_cc_ptcursor *cursor);
static krb5_error_code KRB5_CALLCONV krb5_fcc_ptcursor_next
- (krb5_context context, krb5_cc_ptcursor cursor, krb5_ccache *ccache);
+(krb5_context context, krb5_cc_ptcursor cursor, krb5_ccache *ccache);
static krb5_error_code KRB5_CALLCONV krb5_fcc_ptcursor_free
- (krb5_context context, krb5_cc_ptcursor *cursor);
+(krb5_context context, krb5_cc_ptcursor *cursor);
static krb5_error_code KRB5_CALLCONV krb5_fcc_last_change_time
- (krb5_context context, krb5_ccache id, krb5_timestamp *change_time);
+(krb5_context context, krb5_ccache id, krb5_timestamp *change_time);
static krb5_error_code KRB5_CALLCONV krb5_fcc_lock
- (krb5_context context, krb5_ccache id);
+(krb5_context context, krb5_ccache id);
static krb5_error_code KRB5_CALLCONV krb5_fcc_unlock
- (krb5_context context, krb5_ccache id);
+(krb5_context context, krb5_ccache id);
extern const krb5_cc_ops krb5_cc_file_ops;
@@ -190,43 +191,43 @@ extern const krb5_cc_ops krb5_cc_file_ops;
krb5_error_code krb5_change_cache (void);
static krb5_error_code krb5_fcc_write
- (krb5_context, krb5_ccache id, krb5_pointer buf, unsigned int len);
+(krb5_context, krb5_ccache id, krb5_pointer buf, unsigned int len);
static krb5_error_code krb5_fcc_store_principal
- (krb5_context, krb5_ccache id, krb5_principal princ);
+(krb5_context, krb5_ccache id, krb5_principal princ);
static krb5_error_code krb5_fcc_store_keyblock
- (krb5_context, krb5_ccache id, krb5_keyblock *keyblock);
+(krb5_context, krb5_ccache id, krb5_keyblock *keyblock);
static krb5_error_code krb5_fcc_store_data
- (krb5_context, krb5_ccache id, krb5_data *data);
+(krb5_context, krb5_ccache id, krb5_data *data);
static krb5_error_code krb5_fcc_store_int32
- (krb5_context, krb5_ccache id, krb5_int32 i);
+(krb5_context, krb5_ccache id, krb5_int32 i);
static krb5_error_code krb5_fcc_store_ui_4
- (krb5_context, krb5_ccache id, krb5_ui_4 i);
+(krb5_context, krb5_ccache id, krb5_ui_4 i);
static krb5_error_code krb5_fcc_store_ui_2
- (krb5_context, krb5_ccache id, krb5_int32 i);
+(krb5_context, krb5_ccache id, krb5_int32 i);
static krb5_error_code krb5_fcc_store_octet
- (krb5_context, krb5_ccache id, krb5_int32 i);
+(krb5_context, krb5_ccache id, krb5_int32 i);
static krb5_error_code krb5_fcc_store_times
- (krb5_context, krb5_ccache id, krb5_ticket_times *t);
+(krb5_context, krb5_ccache id, krb5_ticket_times *t);
static krb5_error_code krb5_fcc_store_addrs
- (krb5_context, krb5_ccache, krb5_address **);
+(krb5_context, krb5_ccache, krb5_address **);
static krb5_error_code krb5_fcc_store_addr
- (krb5_context, krb5_ccache, krb5_address *);
+(krb5_context, krb5_ccache, krb5_address *);
static krb5_error_code krb5_fcc_store_authdata
- (krb5_context, krb5_ccache, krb5_authdata **);
+(krb5_context, krb5_ccache, krb5_authdata **);
static krb5_error_code krb5_fcc_store_authdatum
- (krb5_context, krb5_ccache, krb5_authdata *);
+(krb5_context, krb5_ccache, krb5_authdata *);
static krb5_error_code krb5_fcc_interpret
- (krb5_context, int);
+(krb5_context, int);
struct _krb5_fcc_data;
static krb5_error_code krb5_fcc_close_file
- (krb5_context, struct _krb5_fcc_data *data);
+(krb5_context, struct _krb5_fcc_data *data);
static krb5_error_code krb5_fcc_open_file
- (krb5_context, krb5_ccache, int);
+(krb5_context, krb5_ccache, int);
static krb5_error_code krb5_fcc_data_last_change_time
- (krb5_context context, struct _krb5_fcc_data *data,
- krb5_timestamp *change_time);
+(krb5_context context, struct _krb5_fcc_data *data,
+ krb5_timestamp *change_time);
#define KRB5_OK 0
@@ -236,11 +237,11 @@ static krb5_error_code krb5_fcc_data_last_change_time
/*
* FCC version 2 contains type information for principals. FCC
* version 1 does not.
- *
+ *
* FCC version 3 contains keyblock encryption type information, and is
* architecture independent. Previous versions are not.
*
- * The code will accept version 1, 2, and 3 ccaches, and depending
+ * The code will accept version 1, 2, and 3 ccaches, and depending
* what KRB5_FCC_DEFAULT_FVNO is set to, it will create version 1, 2,
* or 3 FCC caches.
*
@@ -248,24 +249,24 @@ static krb5_error_code krb5_fcc_data_last_change_time
* init_ctx.c).
*/
-#define KRB5_FCC_FVNO_1 0x0501 /* krb v5, fcc v1 */
-#define KRB5_FCC_FVNO_2 0x0502 /* krb v5, fcc v2 */
-#define KRB5_FCC_FVNO_3 0x0503 /* krb v5, fcc v3 */
-#define KRB5_FCC_FVNO_4 0x0504 /* krb v5, fcc v4 */
+#define KRB5_FCC_FVNO_1 0x0501 /* krb v5, fcc v1 */
+#define KRB5_FCC_FVNO_2 0x0502 /* krb v5, fcc v2 */
+#define KRB5_FCC_FVNO_3 0x0503 /* krb v5, fcc v3 */
+#define KRB5_FCC_FVNO_4 0x0504 /* krb v5, fcc v4 */
-#define FCC_OPEN_AND_ERASE 1
-#define FCC_OPEN_RDWR 2
-#define FCC_OPEN_RDONLY 3
+#define FCC_OPEN_AND_ERASE 1
+#define FCC_OPEN_RDWR 2
+#define FCC_OPEN_RDONLY 3
/* Credential file header tags.
* The header tags are constructed as:
- * krb5_ui_2 tag
- * krb5_ui_2 len
- * krb5_octet data[len]
+ * krb5_ui_2 tag
+ * krb5_ui_2 len
+ * krb5_octet data[len]
* This format allows for older versions of the fcc processing code to skip
* past unrecognized tag formats.
*/
-#define FCC_TAG_DELTATIME 1
+#define FCC_TAG_DELTATIME 1
#ifndef TKT_ROOT
#ifdef MSDOS_FILESYSTEM
@@ -286,8 +287,8 @@ typedef struct _krb5_fcc_data {
k5_cc_mutex lock;
int file;
krb5_flags flags;
- int mode; /* needed for locking code */
- int version; /* version number of the file */
+ int mode; /* needed for locking code */
+ int version; /* version number of the file */
/* Buffer data on reading, for performance.
We used to have a stdio option, but we get more precise control
@@ -308,10 +309,10 @@ static off_t fcc_lseek(krb5_fcc_data *data, off_t offset, int whence)
/* If we read some extra data in advance, and then want to know or
use our "current" position, we need to back up a little. */
if (whence == SEEK_CUR && data->valid_bytes) {
- assert(data->valid_bytes > 0);
- assert(data->cur_offset > 0);
- assert(data->cur_offset <= data->valid_bytes);
- offset -= (data->valid_bytes - data->cur_offset);
+ assert(data->valid_bytes > 0);
+ assert(data->cur_offset > 0);
+ assert(data->cur_offset <= data->valid_bytes);
+ offset -= (data->valid_bytes - data->cur_offset);
}
invalidate_cache(data);
return lseek(data->file, offset, whence);
@@ -336,31 +337,31 @@ typedef struct _krb5_fcc_cursor {
off_t pos;
} krb5_fcc_cursor;
-#define MAYBE_OPEN(CONTEXT, ID, MODE) \
-{ \
- k5_cc_mutex_assert_locked(CONTEXT, &((krb5_fcc_data *)(ID)->data)->lock); \
- if (OPENCLOSE (ID)) { \
- krb5_error_code maybe_open_ret; \
- maybe_open_ret = krb5_fcc_open_file (CONTEXT,ID,MODE); \
- if (maybe_open_ret) { \
- k5_cc_mutex_unlock(CONTEXT, &((krb5_fcc_data *)(ID)->data)->lock); \
- return maybe_open_ret; \
- } \
- } \
-}
+#define MAYBE_OPEN(CONTEXT, ID, MODE) \
+ { \
+ k5_cc_mutex_assert_locked(CONTEXT, &((krb5_fcc_data *)(ID)->data)->lock); \
+ if (OPENCLOSE (ID)) { \
+ krb5_error_code maybe_open_ret; \
+ maybe_open_ret = krb5_fcc_open_file (CONTEXT,ID,MODE); \
+ if (maybe_open_ret) { \
+ k5_cc_mutex_unlock(CONTEXT, &((krb5_fcc_data *)(ID)->data)->lock); \
+ return maybe_open_ret; \
+ } \
+ } \
+ }
-#define MAYBE_CLOSE(CONTEXT, ID, RET) \
-{ \
- if (OPENCLOSE (ID)) { \
- krb5_error_code maybe_close_ret; \
- maybe_close_ret = krb5_fcc_close_file (CONTEXT, \
- (krb5_fcc_data *)(ID)->data); \
- if (!(RET)) RET = maybe_close_ret; } }
+#define MAYBE_CLOSE(CONTEXT, ID, RET) \
+ { \
+ if (OPENCLOSE (ID)) { \
+ krb5_error_code maybe_close_ret; \
+ maybe_close_ret = krb5_fcc_close_file (CONTEXT, \
+ (krb5_fcc_data *)(ID)->data); \
+ if (!(RET)) RET = maybe_close_ret; } }
-#define MAYBE_CLOSE_IGNORE(CONTEXT, ID) \
-{ \
- if (OPENCLOSE (ID)) { \
- (void) krb5_fcc_close_file (CONTEXT,(krb5_fcc_data *)(ID)->data); } }
+#define MAYBE_CLOSE_IGNORE(CONTEXT, ID) \
+ { \
+ if (OPENCLOSE (ID)) { \
+ (void) krb5_fcc_close_file (CONTEXT,(krb5_fcc_data *)(ID)->data); } }
#define CHECK(ret) if (ret != KRB5_OK) goto errout;
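Review bot: `MAYBE_OPEN` unlocks the cache mutex and executes `return` in the calling function when `krb5_fcc_open_file` fails, and nothing at the definition says so; a caller that had allocated memory or taken another lock before invoking it would leak on that path. A comment above the macro such as `/* On open failure: unlocks ((krb5_fcc_data *)(ID)->data)->lock and returns from the CALLER. */` would make the contract visible. The three macros are also bare `{ ... }` blocks, so `MAYBE_CLOSE(...);` followed by `else` will not parse; wrapping each body in `do { ... } while (0)` avoids that. The `CHECK(ret)` context line has the same kind of problem (unbraced `if`, unparenthesised argument, trailing semicolon).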
@@ -381,56 +382,56 @@ static krb5_error_code
krb5_fcc_read(krb5_context context, krb5_ccache id, krb5_pointer buf, unsigned int len)
{
#if 0
- int ret;
+ int ret;
- k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock);
+ k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock);
- ret = read(((krb5_fcc_data *) id->data)->file, (char *) buf, len);
- if (ret == -1)
- return krb5_fcc_interpret(context, errno);
- if (ret != len)
- return KRB5_CC_END;
- else
- return KRB5_OK;
+ ret = read(((krb5_fcc_data *) id->data)->file, (char *) buf, len);
+ if (ret == -1)
+ return krb5_fcc_interpret(context, errno);
+ if (ret != len)
+ return KRB5_CC_END;
+ else
+ return KRB5_OK;
#else
- krb5_fcc_data *data = (krb5_fcc_data *) id->data;
-
- k5_cc_mutex_assert_locked(context, &data->lock);
-
- while (len > 0) {
- int nread, e;
- size_t ncopied;
-
- assert (data->valid_bytes >= 0);
- if (data->valid_bytes > 0)
- assert(data->cur_offset <= data->valid_bytes);
- if (data->valid_bytes == 0
- || data->cur_offset == data->valid_bytes) {
- /* Fill buffer from current file position. */
- nread = read(data->file, data->buf, sizeof(data->buf));
- e = errno;
- if (nread < 0)
- return krb5_fcc_interpret(context, e);
- if (nread == 0)
- /* EOF */
- return KRB5_CC_END;
- data->valid_bytes = nread;
- data->cur_offset = 0;
- }
- assert(data->cur_offset < data->valid_bytes);
- ncopied = len;
- assert(ncopied == len);
- if (data->valid_bytes - data->cur_offset < ncopied)
- ncopied = data->valid_bytes - data->cur_offset;
- memcpy(buf, data->buf + data->cur_offset, ncopied);
- data->cur_offset += ncopied;
- assert(data->cur_offset > 0);
- assert(data->cur_offset <= data->valid_bytes);
- len -= ncopied;
- /* Don't do arithmetic on void pointers. */
- buf = (char*)buf + ncopied;
- }
- return 0;
+ krb5_fcc_data *data = (krb5_fcc_data *) id->data;
+
+ k5_cc_mutex_assert_locked(context, &data->lock);
+
+ while (len > 0) {
+ int nread, e;
+ size_t ncopied;
+
+ assert (data->valid_bytes >= 0);
+ if (data->valid_bytes > 0)
+ assert(data->cur_offset <= data->valid_bytes);
+ if (data->valid_bytes == 0
+ || data->cur_offset == data->valid_bytes) {
+ /* Fill buffer from current file position. */
+ nread = read(data->file, data->buf, sizeof(data->buf));
+ e = errno;
+ if (nread < 0)
+ return krb5_fcc_interpret(context, e);
+ if (nread == 0)
+ /* EOF */
+ return KRB5_CC_END;
+ data->valid_bytes = nread;
+ data->cur_offset = 0;
+ }
+ assert(data->cur_offset < data->valid_bytes);
+ ncopied = len;
+ assert(ncopied == len);
+ if (data->valid_bytes - data->cur_offset < ncopied)
+ ncopied = data->valid_bytes - data->cur_offset;
+ memcpy(buf, data->buf + data->cur_offset, ncopied);
+ data->cur_offset += ncopied;
+ assert(data->cur_offset > 0);
+ assert(data->cur_offset <= data->valid_bytes);
+ len -= ncopied;
+ /* Don't do arithmetic on void pointers. */
+ buf = (char*)buf + ncopied;
+ }
+ return 0;
#endif
}
@@ -453,9 +454,9 @@ krb5_fcc_read(krb5_context context, krb5_ccache id, krb5_pointer buf, unsigned i
* KRB5_CC_NOMEM
*/
-#define ALLOC(NUM,TYPE) \
- (((NUM) <= (((size_t)0-1)/ sizeof(TYPE))) \
- ? (TYPE *) calloc((NUM), sizeof(TYPE)) \
+#define ALLOC(NUM,TYPE) \
+ (((NUM) <= (((size_t)0-1)/ sizeof(TYPE))) \
+ ? (TYPE *) calloc((NUM), sizeof(TYPE)) \
: (errno = ENOMEM,(TYPE *) 0))
static krb5_error_code
@@ -472,44 +473,44 @@ krb5_fcc_read_principal(krb5_context context, krb5_ccache id, krb5_principal *pr
*princ = NULL;
if (data->version == KRB5_FCC_FVNO_1) {
- type = KRB5_NT_UNKNOWN;
+ type = KRB5_NT_UNKNOWN;
} else {
/* Read principal type */
kret = krb5_fcc_read_int32(context, id, &type);
if (kret != KRB5_OK)
- return kret;
+ return kret;
}
/* Read the number of components */
kret = krb5_fcc_read_int32(context, id, &length);
if (kret != KRB5_OK)
- return kret;
+ return kret;
/*
* DCE includes the principal's realm in the count; the new format
* does not.
*/
if (data->version == KRB5_FCC_FVNO_1)
- length--;
+ length--;
if (length < 0)
- return KRB5_CC_NOMEM;
+ return KRB5_CC_NOMEM;
tmpprinc = (krb5_principal) malloc(sizeof(krb5_principal_data));
if (tmpprinc == NULL)
- return KRB5_CC_NOMEM;
+ return KRB5_CC_NOMEM;
if (length) {
- size_t msize = length;
- if (msize != length) {
- free(tmpprinc);
- return KRB5_CC_NOMEM;
- }
- tmpprinc->data = ALLOC (msize, krb5_data);
- if (tmpprinc->data == 0) {
- free(tmpprinc);
- return KRB5_CC_NOMEM;
- }
+ size_t msize = length;
+ if (msize != length) {
+ free(tmpprinc);
+ return KRB5_CC_NOMEM;
+ }
+ tmpprinc->data = ALLOC (msize, krb5_data);
+ if (tmpprinc->data == 0) {
+ free(tmpprinc);
+ return KRB5_CC_NOMEM;
+ }
} else
- tmpprinc->data = 0;
+ tmpprinc->data = 0;
tmpprinc->magic = KV5M_PRINCIPAL;
tmpprinc->length = length;
tmpprinc->type = type;
@@ -520,15 +521,15 @@ krb5_fcc_read_principal(krb5_context context, krb5_ccache id, krb5_principal *pr
CHECK(kret);
for (i=0; i < length; i++) {
- kret = krb5_fcc_read_data(context, id, krb5_princ_component(context, tmpprinc, i));
- CHECK(kret);
+ kret = krb5_fcc_read_data(context, id, krb5_princ_component(context, tmpprinc, i));
+ CHECK(kret);
}
*princ = tmpprinc;
return KRB5_OK;
- errout:
+errout:
while(--i >= 0)
- free(krb5_princ_component(context, tmpprinc, i)->data);
+ free(krb5_princ_component(context, tmpprinc, i)->data);
free(krb5_princ_realm(context, tmpprinc)->data);
free(tmpprinc->data);
free(tmpprinc);
@@ -538,185 +539,185 @@ krb5_fcc_read_principal(krb5_context context, krb5_ccache id, krb5_principal *pr
static krb5_error_code
krb5_fcc_read_addrs(krb5_context context, krb5_ccache id, krb5_address ***addrs)
{
- krb5_error_code kret;
- krb5_int32 length;
- size_t msize;
- int i;
-
- k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock);
-
- *addrs = 0;
-
- /* Read the number of components */
- kret = krb5_fcc_read_int32(context, id, &length);
- CHECK(kret);
-
- /* Make *addrs able to hold length pointers to krb5_address structs
- * Add one extra for a null-terminated list
- */
- msize = length;
- msize += 1;
- if (msize == 0 || msize - 1 != length || length < 0)
- return KRB5_CC_NOMEM;
- *addrs = ALLOC (msize, krb5_address *);
- if (*addrs == NULL)
- return KRB5_CC_NOMEM;
-
- for (i=0; i < length; i++) {
- (*addrs)[i] = (krb5_address *) malloc(sizeof(krb5_address));
- if ((*addrs)[i] == NULL) {
- krb5_free_addresses(context, *addrs);
- *addrs = 0;
- return KRB5_CC_NOMEM;
- }
- (*addrs)[i]->contents = NULL;
- kret = krb5_fcc_read_addr(context, id, (*addrs)[i]);
- CHECK(kret);
- }
-
- return KRB5_OK;
- errout:
- if (*addrs) {
- krb5_free_addresses(context, *addrs);
- *addrs = NULL;
- }
- return kret;
+ krb5_error_code kret;
+ krb5_int32 length;
+ size_t msize;
+ int i;
+
+ k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock);
+
+ *addrs = 0;
+
+ /* Read the number of components */
+ kret = krb5_fcc_read_int32(context, id, &length);
+ CHECK(kret);
+
+ /* Make *addrs able to hold length pointers to krb5_address structs
+ * Add one extra for a null-terminated list
+ */
+ msize = length;
+ msize += 1;
+ if (msize == 0 || msize - 1 != length || length < 0)
+ return KRB5_CC_NOMEM;
+ *addrs = ALLOC (msize, krb5_address *);
+ if (*addrs == NULL)
+ return KRB5_CC_NOMEM;
+
+ for (i=0; i < length; i++) {
+ (*addrs)[i] = (krb5_address *) malloc(sizeof(krb5_address));
+ if ((*addrs)[i] == NULL) {
+ krb5_free_addresses(context, *addrs);
+ *addrs = 0;
+ return KRB5_CC_NOMEM;
+ }
+ (*addrs)[i]->contents = NULL;
+ kret = krb5_fcc_read_addr(context, id, (*addrs)[i]);
+ CHECK(kret);
+ }
+
+ return KRB5_OK;
+errout:
+ if (*addrs) {
+ krb5_free_addresses(context, *addrs);
+ *addrs = NULL;
+ }
+ return kret;
}
static krb5_error_code
krb5_fcc_read_keyblock(krb5_context context, krb5_ccache id, krb5_keyblock *keyblock)
{
- krb5_fcc_data *data = (krb5_fcc_data *)id->data;
- krb5_error_code kret;
- krb5_ui_2 ui2;
- krb5_int32 int32;
-
- k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock);
-
- keyblock->magic = KV5M_KEYBLOCK;
- keyblock->contents = 0;
-
- kret = krb5_fcc_read_ui_2(context, id, &ui2);
- keyblock->enctype = ui2;
- CHECK(kret);
- if (data->version == KRB5_FCC_FVNO_3) {
- /* This works because the old etype is the same as the new enctype. */
- kret = krb5_fcc_read_ui_2(context, id, &ui2);
- /* keyblock->enctype = ui2; */
- CHECK(kret);
- }
-
- kret = krb5_fcc_read_int32(context, id, &int32);
- CHECK(kret);
- if (int32 < 0)
- return KRB5_CC_NOMEM;
- keyblock->length = int32;
- /* Overflow check. */
- if (keyblock->length != int32)
- return KRB5_CC_NOMEM;
- if ( keyblock->length == 0 )
- return KRB5_OK;
- keyblock->contents = ALLOC (keyblock->length, krb5_octet);
- if (keyblock->contents == NULL)
- return KRB5_CC_NOMEM;
-
- kret = krb5_fcc_read(context, id, keyblock->contents, keyblock->length);
- if (kret)
- goto errout;
-
- return KRB5_OK;
- errout:
- if (keyblock->contents) {
- free(keyblock->contents);
- keyblock->contents = NULL;
- }
- return kret;
+ krb5_fcc_data *data = (krb5_fcc_data *)id->data;
+ krb5_error_code kret;
+ krb5_ui_2 ui2;
+ krb5_int32 int32;
+
+ k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock);
+
+ keyblock->magic = KV5M_KEYBLOCK;
+ keyblock->contents = 0;
+
+ kret = krb5_fcc_read_ui_2(context, id, &ui2);
+ keyblock->enctype = ui2;
+ CHECK(kret);
+ if (data->version == KRB5_FCC_FVNO_3) {
+ /* This works because the old etype is the same as the new enctype. */
+ kret = krb5_fcc_read_ui_2(context, id, &ui2);
+ /* keyblock->enctype = ui2; */
+ CHECK(kret);
+ }
+
+ kret = krb5_fcc_read_int32(context, id, &int32);
+ CHECK(kret);
+ if (int32 < 0)
+ return KRB5_CC_NOMEM;
+ keyblock->length = int32;
+ /* Overflow check. */
+ if (keyblock->length != int32)
+ return KRB5_CC_NOMEM;
+ if ( keyblock->length == 0 )
+ return KRB5_OK;
+ keyblock->contents = ALLOC (keyblock->length, krb5_octet);
+ if (keyblock->contents == NULL)
+ return KRB5_CC_NOMEM;
+
+ kret = krb5_fcc_read(context, id, keyblock->contents, keyblock->length);
+ if (kret)
+ goto errout;
+
+ return KRB5_OK;
+errout:
+ if (keyblock->contents) {
+ free(keyblock->contents);
+ keyblock->contents = NULL;
+ }
+ return kret;
}
static krb5_error_code
krb5_fcc_read_data(krb5_context context, krb5_ccache id, krb5_data *data)
{
- krb5_error_code kret;
- krb5_int32 len;
+ krb5_error_code kret;
+ krb5_int32 len;
- k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock);
+ k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock);
- data->magic = KV5M_DATA;
- data->data = 0;
+ data->magic = KV5M_DATA;
+ data->data = 0;
- kret = krb5_fcc_read_int32(context, id, &len);
- CHECK(kret);
- if (len < 0)
+ kret = krb5_fcc_read_int32(context, id, &len);
+ CHECK(kret);
+ if (len < 0)
return KRB5_CC_NOMEM;
- data->length = len;
- if (data->length != len || data->length + 1 == 0)
- return KRB5_CC_NOMEM;
-
- if (data->length == 0) {
- data->data = 0;
- return KRB5_OK;
- }
-
- data->data = (char *) malloc(data->length+1);
- if (data->data == NULL)
- return KRB5_CC_NOMEM;
-
- kret = krb5_fcc_read(context, id, data->data, (unsigned) data->length);
- CHECK(kret);
-
- data->data[data->length] = 0; /* Null terminate, just in case.... */
- return KRB5_OK;
- errout:
- if (data->data) {
- free(data->data);
- data->data = NULL;
- }
- return kret;
+ data->length = len;
+ if (data->length != len || data->length + 1 == 0)
+ return KRB5_CC_NOMEM;
+
+ if (data->length == 0) {
+ data->data = 0;
+ return KRB5_OK;
+ }
+
+ data->data = (char *) malloc(data->length+1);
+ if (data->data == NULL)
+ return KRB5_CC_NOMEM;
+
+ kret = krb5_fcc_read(context, id, data->data, (unsigned) data->length);
+ CHECK(kret);
+
+ data->data[data->length] = 0; /* Null terminate, just in case.... */
+ return KRB5_OK;
+errout:
+ if (data->data) {
+ free(data->data);
+ data->data = NULL;
+ }
+ return kret;
}
static krb5_error_code
krb5_fcc_read_addr(krb5_context context, krb5_ccache id, krb5_address *addr)
{
- krb5_error_code kret;
- krb5_ui_2 ui2;
- krb5_int32 int32;
-
- k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock);
-
- addr->magic = KV5M_ADDRESS;
- addr->contents = 0;
-
- kret = krb5_fcc_read_ui_2(context, id, &ui2);
- CHECK(kret);
- addr->addrtype = ui2;
-
- kret = krb5_fcc_read_int32(context, id, &int32);
- CHECK(kret);
- if ((int32 & VALID_INT_BITS) != int32) /* Overflow int??? */
- return KRB5_CC_NOMEM;
- addr->length = int32;
- /* Length field is "unsigned int", which may be smaller than 32
- bits. */
- if (addr->length != int32)
- return KRB5_CC_NOMEM; /* XXX */
-
- if (addr->length == 0)
- return KRB5_OK;
-
- addr->contents = (krb5_octet *) malloc(addr->length);
- if (addr->contents == NULL)
- return KRB5_CC_NOMEM;
-
- kret = krb5_fcc_read(context, id, addr->contents, addr->length);
- CHECK(kret);
-
- return KRB5_OK;
- errout:
- if (addr->contents) {
- free(addr->contents);
- addr->contents = NULL;
- }
- return kret;
+ krb5_error_code kret;
+ krb5_ui_2 ui2;
+ krb5_int32 int32;
+
+ k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock);
+
+ addr->magic = KV5M_ADDRESS;
+ addr->contents = 0;
+
+ kret = krb5_fcc_read_ui_2(context, id, &ui2);
+ CHECK(kret);
+ addr->addrtype = ui2;
+
+ kret = krb5_fcc_read_int32(context, id, &int32);
+ CHECK(kret);
+ if ((int32 & VALID_INT_BITS) != int32) /* Overflow int??? */
+ return KRB5_CC_NOMEM;
+ addr->length = int32;
+ /* Length field is "unsigned int", which may be smaller than 32
+ bits. */
+ if (addr->length != int32)
+ return KRB5_CC_NOMEM; /* XXX */
+
+ if (addr->length == 0)
+ return KRB5_OK;
+
+ addr->contents = (krb5_octet *) malloc(addr->length);
+ if (addr->contents == NULL)
+ return KRB5_CC_NOMEM;
+
+ kret = krb5_fcc_read(context, id, addr->contents, addr->length);
+ CHECK(kret);
+
+ return KRB5_OK;
+errout:
+ if (addr->contents) {
+ free(addr->contents);
+ addr->contents = NULL;
+ }
+ return kret;
}
static krb5_error_code
@@ -729,14 +730,14 @@ krb5_fcc_read_int32(krb5_context context, krb5_ccache id, krb5_int32 *i)
k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock);
if ((data->version == KRB5_FCC_FVNO_1) ||
- (data->version == KRB5_FCC_FVNO_2))
- return krb5_fcc_read(context, id, (krb5_pointer) i, sizeof(krb5_int32));
+ (data->version == KRB5_FCC_FVNO_2))
+ return krb5_fcc_read(context, id, (krb5_pointer) i, sizeof(krb5_int32));
else {
- retval = krb5_fcc_read(context, id, buf, 4);
- if (retval)
- return retval;
+ retval = krb5_fcc_read(context, id, buf, 4);
+ if (retval)
+ return retval;
*i = load_32_be (buf);
- return 0;
+ return 0;
}
}
@@ -746,27 +747,27 @@ krb5_fcc_read_ui_2(krb5_context context, krb5_ccache id, krb5_ui_2 *i)
krb5_fcc_data *data = (krb5_fcc_data *)id->data;
krb5_error_code retval;
unsigned char buf[2];
-
+
k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock);
if ((data->version == KRB5_FCC_FVNO_1) ||
- (data->version == KRB5_FCC_FVNO_2))
- return krb5_fcc_read(context, id, (krb5_pointer) i, sizeof(krb5_ui_2));
+ (data->version == KRB5_FCC_FVNO_2))
+ return krb5_fcc_read(context, id, (krb5_pointer) i, sizeof(krb5_ui_2));
else {
- retval = krb5_fcc_read(context, id, buf, 2);
- if (retval)
- return retval;
- *i = load_16_be (buf);
- return 0;
+ retval = krb5_fcc_read(context, id, buf, 2);
+ if (retval)
+ return retval;
+ *i = load_16_be (buf);
+ return 0;
}
-}
+}
static krb5_error_code
krb5_fcc_read_octet(krb5_context context, krb5_ccache id, krb5_octet *i)
{
k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock);
return krb5_fcc_read(context, id, (krb5_pointer) i, 1);
-}
+}
static krb5_error_code
@@ -775,28 +776,28 @@ krb5_fcc_read_times(krb5_context context, krb5_ccache id, krb5_ticket_times *t)
krb5_fcc_data *data = (krb5_fcc_data *)id->data;
krb5_error_code retval;
krb5_int32 i;
-
+
k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock);
if ((data->version == KRB5_FCC_FVNO_1) ||
- (data->version == KRB5_FCC_FVNO_2))
- return krb5_fcc_read(context, id, (krb5_pointer) t, sizeof(krb5_ticket_times));
+ (data->version == KRB5_FCC_FVNO_2))
+ return krb5_fcc_read(context, id, (krb5_pointer) t, sizeof(krb5_ticket_times));
else {
- retval = krb5_fcc_read_int32(context, id, &i);
- CHECK(retval);
- t->authtime = i;
-
- retval = krb5_fcc_read_int32(context, id, &i);
- CHECK(retval);
- t->starttime = i;
-
- retval = krb5_fcc_read_int32(context, id, &i);
- CHECK(retval);
- t->endtime = i;
-
- retval = krb5_fcc_read_int32(context, id, &i);
- CHECK(retval);
- t->renew_till = i;
+ retval = krb5_fcc_read_int32(context, id, &i);
+ CHECK(retval);
+ t->authtime = i;
+
+ retval = krb5_fcc_read_int32(context, id, &i);
+ CHECK(retval);
+ t->starttime = i;
+
+ retval = krb5_fcc_read_int32(context, id, &i);
+ CHECK(retval);
+ t->endtime = i;
+
+ retval = krb5_fcc_read_int32(context, id, &i);
+ CHECK(retval);
+ t->renew_till = i;
}
return 0;
errout:
@@ -806,52 +807,52 @@ errout:
static krb5_error_code
krb5_fcc_read_authdata(krb5_context context, krb5_ccache id, krb5_authdata ***a)
{
- krb5_error_code kret;
- krb5_int32 length;
- size_t msize;
- int i;
-
- k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock);
-
- *a = 0;
-
- /* Read the number of components */
- kret = krb5_fcc_read_int32(context, id, &length);
- CHECK(kret);
-
- if (length == 0)
- return KRB5_OK;
-
- /* Make *a able to hold length pointers to krb5_authdata structs
- * Add one extra for a null-terminated list
- */
- msize = length;
- msize += 1;
- if (msize == 0 || msize - 1 != length || length < 0)
- return KRB5_CC_NOMEM;
- *a = ALLOC (msize, krb5_authdata *);
- if (*a == NULL)
- return KRB5_CC_NOMEM;
-
- for (i=0; i < length; i++) {
- (*a)[i] = (krb5_authdata *) malloc(sizeof(krb5_authdata));
- if ((*a)[i] == NULL) {
- krb5_free_authdata(context, *a);
- *a = NULL;
- return KRB5_CC_NOMEM;
- }
- (*a)[i]->contents = NULL;
- kret = krb5_fcc_read_authdatum(context, id, (*a)[i]);
- CHECK(kret);
- }
-
- return KRB5_OK;
- errout:
- if (*a) {
- krb5_free_authdata(context, *a);
- *a = NULL;
- }
- return kret;
+ krb5_error_code kret;
+ krb5_int32 length;
+ size_t msize;
+ int i;
+
+ k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock);
+
+ *a = 0;
+
+ /* Read the number of components */
+ kret = krb5_fcc_read_int32(context, id, &length);
+ CHECK(kret);
+
+ if (length == 0)
+ return KRB5_OK;
+
+ /* Make *a able to hold length pointers to krb5_authdata structs
+ * Add one extra for a null-terminated list
+ */
+ msize = length;
+ msize += 1;
+ if (msize == 0 || msize - 1 != length || length < 0)
+ return KRB5_CC_NOMEM;
+ *a = ALLOC (msize, krb5_authdata *);
+ if (*a == NULL)
+ return KRB5_CC_NOMEM;
+
+ for (i=0; i < length; i++) {
+ (*a)[i] = (krb5_authdata *) malloc(sizeof(krb5_authdata));
+ if ((*a)[i] == NULL) {
+ krb5_free_authdata(context, *a);
+ *a = NULL;
+ return KRB5_CC_NOMEM;
+ }
+ (*a)[i]->contents = NULL;
+ kret = krb5_fcc_read_authdatum(context, id, (*a)[i]);
+ CHECK(kret);
+ }
+
+ return KRB5_OK;
+errout:
+ if (*a) {
+ krb5_free_authdata(context, *a);
+ *a = NULL;
+ }
+ return kret;
}
static krb5_error_code
@@ -860,7 +861,7 @@ krb5_fcc_read_authdatum(krb5_context context, krb5_ccache id, krb5_authdata *a)
krb5_error_code kret;
krb5_int32 int32;
krb5_int16 ui2; /* negative authorization data types are allowed */
-
+
k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock);
a->magic = KV5M_AUTHDATA;
@@ -872,31 +873,31 @@ krb5_fcc_read_authdatum(krb5_context context, krb5_ccache id, krb5_authdata *a)
kret = krb5_fcc_read_int32(context, id, &int32);
CHECK(kret);
if ((int32 & VALID_INT_BITS) != int32) /* Overflow int??? */
- return KRB5_CC_NOMEM;
+ return KRB5_CC_NOMEM;
a->length = int32;
/* Value could have gotten truncated if int is smaller than 32
bits. */
if (a->length != int32)
- return KRB5_CC_NOMEM; /* XXX */
-
+ return KRB5_CC_NOMEM; /* XXX */
+
if (a->length == 0 )
- return KRB5_OK;
+ return KRB5_OK;
a->contents = (krb5_octet *) malloc(a->length);
if (a->contents == NULL)
- return KRB5_CC_NOMEM;
+ return KRB5_CC_NOMEM;
kret = krb5_fcc_read(context, id, a->contents, a->length);
CHECK(kret);
-
- return KRB5_OK;
- errout:
- if (a->contents) {
- free(a->contents);
- a->contents = NULL;
- }
- return kret;
-
+
+ return KRB5_OK;
+errout:
+ if (a->contents) {
+ free(a->contents);
+ a->contents = NULL;
+ }
+ return kret;
+
}
#undef CHECK
@@ -915,27 +916,27 @@ krb5_fcc_read_authdatum(krb5_context context, krb5_ccache id, krb5_authdata *a)
static krb5_error_code
krb5_fcc_write(krb5_context context, krb5_ccache id, krb5_pointer buf, unsigned int len)
{
- int ret;
+ int ret;
- k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock);
- invalidate_cache((krb5_fcc_data *) id->data);
+ k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock);
+ invalidate_cache((krb5_fcc_data *) id->data);
- ret = write(((krb5_fcc_data *)id->data)->file, (char *) buf, len);
- if (ret < 0)
- return krb5_fcc_interpret(context, errno);
- if (ret != len)
- return KRB5_CC_WRITE;
- return KRB5_OK;
+ ret = write(((krb5_fcc_data *)id->data)->file, (char *) buf, len);
+ if (ret < 0)
+ return krb5_fcc_interpret(context, errno);
+ if (ret != len)
+ return KRB5_CC_WRITE;
+ return KRB5_OK;
}
/*
* FOR ALL OF THE FOLLOWING FUNCTIONS:
- *
+ *
* Requires:
* ((krb5_fcc_data *) id->data)->file is open and at the right position.
*
* mutex is locked
- *
+ *
* Effects:
* Stores an encoded version of the second argument in the
* cache file.
@@ -957,17 +958,17 @@ krb5_fcc_store_principal(krb5_context context, krb5_ccache id, krb5_principal pr
tmp = length = krb5_princ_size(context, princ);
if (data->version == KRB5_FCC_FVNO_1) {
- /*
- * DCE-compatible format means that the length count
- * includes the realm. (It also doesn't include the
- * principal type information.)
- */
- tmp++;
+ /*
+ * DCE-compatible format means that the length count
+ * includes the realm. (It also doesn't include the
+ * principal type information.)
+ */
+ tmp++;
} else {
- ret = krb5_fcc_store_int32(context, id, type);
- CHECK(ret);
+ ret = krb5_fcc_store_int32(context, id, type);
+ CHECK(ret);
}
-
+
ret = krb5_fcc_store_int32(context, id, tmp);
CHECK(ret);
@@ -975,8 +976,8 @@ krb5_fcc_store_principal(krb5_context context, krb5_ccache id, krb5_principal pr
CHECK(ret);
for (i=0; i < length; i++) {
- ret = krb5_fcc_store_data(context, id, krb5_princ_component(context, princ, i));
- CHECK(ret);
+ ret = krb5_fcc_store_data(context, id, krb5_princ_component(context, princ, i));
+ CHECK(ret);
}
return KRB5_OK;
@@ -985,73 +986,73 @@ krb5_fcc_store_principal(krb5_context context, krb5_ccache id, krb5_principal pr
static krb5_error_code
krb5_fcc_store_addrs(krb5_context context, krb5_ccache id, krb5_address **addrs)
{
- krb5_error_code ret;
- krb5_address **temp;
- krb5_int32 i, length = 0;
-
- k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock);
-
- /* Count the number of components */
- if (addrs) {
- temp = addrs;
- while (*temp++)
- length += 1;
- }
-
- ret = krb5_fcc_store_int32(context, id, length);
- CHECK(ret);
- for (i=0; i < length; i++) {
- ret = krb5_fcc_store_addr(context, id, addrs[i]);
- CHECK(ret);
- }
-
- return KRB5_OK;
+ krb5_error_code ret;
+ krb5_address **temp;
+ krb5_int32 i, length = 0;
+
+ k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock);
+
+ /* Count the number of components */
+ if (addrs) {
+ temp = addrs;
+ while (*temp++)
+ length += 1;
+ }
+
+ ret = krb5_fcc_store_int32(context, id, length);
+ CHECK(ret);
+ for (i=0; i < length; i++) {
+ ret = krb5_fcc_store_addr(context, id, addrs[i]);
+ CHECK(ret);
+ }
+
+ return KRB5_OK;
}
static krb5_error_code
krb5_fcc_store_keyblock(krb5_context context, krb5_ccache id, krb5_keyblock *keyblock)
{
- krb5_fcc_data *data = (krb5_fcc_data *)id->data;
- krb5_error_code ret;
-
- k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock);
-
- ret = krb5_fcc_store_ui_2(context, id, keyblock->enctype);
- CHECK(ret);
- if (data->version == KRB5_FCC_FVNO_3) {
- ret = krb5_fcc_store_ui_2(context, id, keyblock->enctype);
- CHECK(ret);
- }
- ret = krb5_fcc_store_ui_4(context, id, keyblock->length);
- CHECK(ret);
- return krb5_fcc_write(context, id, (char *) keyblock->contents, keyblock->length);
+ krb5_fcc_data *data = (krb5_fcc_data *)id->data;
+ krb5_error_code ret;
+
+ k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock);
+
+ ret = krb5_fcc_store_ui_2(context, id, keyblock->enctype);
+ CHECK(ret);
+ if (data->version == KRB5_FCC_FVNO_3) {
+ ret = krb5_fcc_store_ui_2(context, id, keyblock->enctype);
+ CHECK(ret);
+ }
+ ret = krb5_fcc_store_ui_4(context, id, keyblock->length);
+ CHECK(ret);
+ return krb5_fcc_write(context, id, (char *) keyblock->contents, keyblock->length);
}
static krb5_error_code
krb5_fcc_store_addr(krb5_context context, krb5_ccache id, krb5_address *addr)
{
- krb5_error_code ret;
+ krb5_error_code ret;
- k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock);
+ k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock);
- ret = krb5_fcc_store_ui_2(context, id, addr->addrtype);
- CHECK(ret);
- ret = krb5_fcc_store_ui_4(context, id, addr->length);
- CHECK(ret);
- return krb5_fcc_write(context, id, (char *) addr->contents, addr->length);
+ ret = krb5_fcc_store_ui_2(context, id, addr->addrtype);
+ CHECK(ret);
+ ret = krb5_fcc_store_ui_4(context, id, addr->length);
+ CHECK(ret);
+ return krb5_fcc_write(context, id, (char *) addr->contents, addr->length);
}
static krb5_error_code
krb5_fcc_store_data(krb5_context context, krb5_ccache id, krb5_data *data)
{
- krb5_error_code ret;
+ krb5_error_code ret;
- k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock);
+ k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock);
- ret = krb5_fcc_store_ui_4(context, id, data->length);
- CHECK(ret);
- return krb5_fcc_write(context, id, data->data, data->length);
+ ret = krb5_fcc_store_ui_4(context, id, data->length);
+ CHECK(ret);
+ return krb5_fcc_write(context, id, data->data, data->length);
}
static krb5_error_code
@@ -1069,11 +1070,11 @@ krb5_fcc_store_ui_4(krb5_context context, krb5_ccache id, krb5_ui_4 i)
k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock);
if ((data->version == KRB5_FCC_FVNO_1) ||
- (data->version == KRB5_FCC_FVNO_2))
- return krb5_fcc_write(context, id, (char *) &i, sizeof(krb5_int32));
+ (data->version == KRB5_FCC_FVNO_2))
+ return krb5_fcc_write(context, id, (char *) &i, sizeof(krb5_int32));
else {
- store_32_be (i, buf);
- return krb5_fcc_write(context, id, buf, 4);
+ store_32_be (i, buf);
+ return krb5_fcc_write(context, id, buf, 4);
}
}
@@ -1083,19 +1084,19 @@ krb5_fcc_store_ui_2(krb5_context context, krb5_ccache id, krb5_int32 i)
krb5_fcc_data *data = (krb5_fcc_data *)id->data;
krb5_ui_2 ibuf;
unsigned char buf[2];
-
+
k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock);
if ((data->version == KRB5_FCC_FVNO_1) ||
- (data->version == KRB5_FCC_FVNO_2)) {
+ (data->version == KRB5_FCC_FVNO_2)) {
ibuf = (krb5_ui_2) i;
- return krb5_fcc_write(context, id, (char *) &ibuf, sizeof(krb5_ui_2));
+ return krb5_fcc_write(context, id, (char *) &ibuf, sizeof(krb5_ui_2));
} else {
- store_16_be (i, buf);
- return krb5_fcc_write(context, id, buf, 2);
+ store_16_be (i, buf);
+ return krb5_fcc_write(context, id, buf, 2);
}
}
-
+
static krb5_error_code
krb5_fcc_store_octet(krb5_context context, krb5_ccache id, krb5_int32 i)
{
@@ -1106,7 +1107,7 @@ krb5_fcc_store_octet(krb5_context context, krb5_ccache id, krb5_int32 i)
ibuf = (krb5_octet) i;
return krb5_fcc_write(context, id, (char *) &ibuf, 1);
}
-
+
static krb5_error_code
krb5_fcc_store_times(krb5_context context, krb5_ccache id, krb5_ticket_times *t)
{
@@ -1116,21 +1117,21 @@ krb5_fcc_store_times(krb5_context context, krb5_ccache id, krb5_ticket_times *t)
k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock);
if ((data->version == KRB5_FCC_FVNO_1) ||
- (data->version == KRB5_FCC_FVNO_2))
- return krb5_fcc_write(context, id, (char *) t, sizeof(krb5_ticket_times));
+ (data->version == KRB5_FCC_FVNO_2))
+ return krb5_fcc_write(context, id, (char *) t, sizeof(krb5_ticket_times));
else {
- retval = krb5_fcc_store_int32(context, id, t->authtime);
- CHECK(retval);
- retval = krb5_fcc_store_int32(context, id, t->starttime);
- CHECK(retval);
- retval = krb5_fcc_store_int32(context, id, t->endtime);
- CHECK(retval);
- retval = krb5_fcc_store_int32(context, id, t->renew_till);
- CHECK(retval);
- return 0;
+ retval = krb5_fcc_store_int32(context, id, t->authtime);
+ CHECK(retval);
+ retval = krb5_fcc_store_int32(context, id, t->starttime);
+ CHECK(retval);
+ retval = krb5_fcc_store_int32(context, id, t->endtime);
+ CHECK(retval);
+ retval = krb5_fcc_store_int32(context, id, t->renew_till);
+ CHECK(retval);
+ return 0;
}
}
-
+
static krb5_error_code
krb5_fcc_store_authdata(krb5_context context, krb5_ccache id, krb5_authdata **a)
{
@@ -1141,15 +1142,15 @@ krb5_fcc_store_authdata(krb5_context context, krb5_ccache id, krb5_authdata **a)
k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock);
if (a != NULL) {
- for (temp=a; *temp; temp++)
- length++;
+ for (temp=a; *temp; temp++)
+ length++;
}
ret = krb5_fcc_store_int32(context, id, length);
CHECK(ret);
for (i=0; i<length; i++) {
- ret = krb5_fcc_store_authdatum (context, id, a[i]);
- CHECK(ret);
+ ret = krb5_fcc_store_authdatum (context, id, a[i]);
+ CHECK(ret);
}
return KRB5_OK;
}
@@ -1172,21 +1173,21 @@ krb5_fcc_store_authdatum (krb5_context context, krb5_ccache id, krb5_authdata *a
static krb5_error_code
krb5_fcc_close_file (krb5_context context, krb5_fcc_data *data)
{
- int ret;
- krb5_error_code retval;
+ int ret;
+ krb5_error_code retval;
- k5_cc_mutex_assert_locked(context, &data->lock);
+ k5_cc_mutex_assert_locked(context, &data->lock);
- if (data->file == NO_FILE)
- return KRB5_FCC_INTERNAL;
+ if (data->file == NO_FILE)
+ return KRB5_FCC_INTERNAL;
- retval = krb5_unlock_file(context, data->file);
- ret = close (data->file);
- data->file = NO_FILE;
- if (retval)
- return retval;
+ retval = krb5_unlock_file(context, data->file);
+ ret = close (data->file);
+ data->file = NO_FILE;
+ if (retval)
+ return retval;
- return ret ? krb5_fcc_interpret (context, errno) : 0;
+ return ret ? krb5_fcc_interpret (context, errno) : 0;
}
#if defined(ANSI_STDIO) || defined(_WIN32)
@@ -1197,8 +1198,8 @@ krb5_fcc_close_file (krb5_context context, krb5_fcc_data *data)
#ifndef HAVE_SETVBUF
#undef setvbuf
-#define setvbuf(FILE,BUF,MODE,SIZE) \
- ((SIZE) < BUFSIZE ? (abort(),0) : setbuf(FILE, BUF))
+#define setvbuf(FILE,BUF,MODE,SIZE) \
+ ((SIZE) < BUFSIZE ? (abort(),0) : setbuf(FILE, BUF))
#endif
static krb5_error_code
@@ -1218,211 +1219,211 @@ krb5_fcc_open_file (krb5_context context, krb5_ccache id, int mode)
invalidate_cache(data);
if (data->file != NO_FILE) {
- /* Don't know what state it's in; shut down and start anew. */
- (void) krb5_unlock_file(context, data->file);
- (void) close (data->file);
- data->file = NO_FILE;
+ /* Don't know what state it's in; shut down and start anew. */
+ (void) krb5_unlock_file(context, data->file);
+ (void) close (data->file);
+ data->file = NO_FILE;
}
switch(mode) {
case FCC_OPEN_AND_ERASE:
- unlink(data->filename);
- open_flag = O_CREAT|O_EXCL|O_TRUNC|O_RDWR;
- break;
+ unlink(data->filename);
+ open_flag = O_CREAT|O_EXCL|O_TRUNC|O_RDWR;
+ break;
case FCC_OPEN_RDWR:
- open_flag = O_RDWR;
- break;
+ open_flag = O_RDWR;
+ break;
case FCC_OPEN_RDONLY:
default:
- open_flag = O_RDONLY;
- break;
+ open_flag = O_RDONLY;
+ break;
}
f = THREEPARAMOPEN (data->filename, open_flag | O_BINARY, 0600);
if (f == NO_FILE) {
- switch (errno) {
- case ENOENT:
- retval = KRB5_FCC_NOFILE;
- krb5_set_error_message(context, retval,
- "Credentials cache file '%s' not found",
- data->filename);
- return retval;
- default:
- return krb5_fcc_interpret (context, errno);
- }
+ switch (errno) {
+ case ENOENT:
+ retval = KRB5_FCC_NOFILE;
+ krb5_set_error_message(context, retval,
+ "Credentials cache file '%s' not found",
+ data->filename);
+ return retval;
+ default:
+ return krb5_fcc_interpret (context, errno);
+ }
}
set_cloexec_fd(f);
data->mode = mode;
if (data->mode == FCC_OPEN_RDONLY)
- lock_flag = KRB5_LOCKMODE_SHARED;
- else
- lock_flag = KRB5_LOCKMODE_EXCLUSIVE;
+ lock_flag = KRB5_LOCKMODE_SHARED;
+ else
+ lock_flag = KRB5_LOCKMODE_EXCLUSIVE;
if ((retval = krb5_lock_file(context, f, lock_flag))) {
- (void) close(f);
- return retval;
+ (void) close(f);
+ return retval;
}
if (mode == FCC_OPEN_AND_ERASE) {
- /* write the version number */
- int cnt;
-
- fcc_fvno = htons(context->fcc_default_format);
- data->version = context->fcc_default_format;
- if ((cnt = write(f, (char *)&fcc_fvno, sizeof(fcc_fvno))) !=
- sizeof(fcc_fvno)) {
- retval = ((cnt == -1) ? krb5_fcc_interpret(context, errno) :
- KRB5_CC_IO);
- goto done;
- }
- data->file = f;
-
- if (data->version == KRB5_FCC_FVNO_4) {
- /* V4 of the credentials cache format allows for header tags */
- fcc_flen = 0;
-
- if (os_ctx->os_flags & KRB5_OS_TOFFSET_VALID)
- fcc_flen += (2*sizeof(krb5_ui_2) + 2*sizeof(krb5_int32));
-
- /* Write header length */
- retval = krb5_fcc_store_ui_2(context, id, (krb5_int32)fcc_flen);
- if (retval) goto done;
-
- if (os_ctx->os_flags & KRB5_OS_TOFFSET_VALID) {
- /* Write time offset tag */
- fcc_tag = FCC_TAG_DELTATIME;
- fcc_taglen = 2*sizeof(krb5_int32);
-
- retval = krb5_fcc_store_ui_2(context,id,(krb5_int32)fcc_tag);
- if (retval) goto done;
- retval = krb5_fcc_store_ui_2(context,id,(krb5_int32)fcc_taglen);
- if (retval) goto done;
- retval = krb5_fcc_store_int32(context,id,os_ctx->time_offset);
- if (retval) goto done;
- retval = krb5_fcc_store_int32(context,id,os_ctx->usec_offset);
- if (retval) goto done;
- }
- }
- invalidate_cache(data);
- goto done;
- }
-
- /* verify a valid version number is there */
+ /* write the version number */
+ int cnt;
+
+ fcc_fvno = htons(context->fcc_default_format);
+ data->version = context->fcc_default_format;
+ if ((cnt = write(f, (char *)&fcc_fvno, sizeof(fcc_fvno))) !=
+ sizeof(fcc_fvno)) {
+ retval = ((cnt == -1) ? krb5_fcc_interpret(context, errno) :
+ KRB5_CC_IO);
+ goto done;
+ }
+ data->file = f;
+
+ if (data->version == KRB5_FCC_FVNO_4) {
+ /* V4 of the credentials cache format allows for header tags */
+ fcc_flen = 0;
+
+ if (os_ctx->os_flags & KRB5_OS_TOFFSET_VALID)
+ fcc_flen += (2*sizeof(krb5_ui_2) + 2*sizeof(krb5_int32));
+
+ /* Write header length */
+ retval = krb5_fcc_store_ui_2(context, id, (krb5_int32)fcc_flen);
+ if (retval) goto done;
+
+ if (os_ctx->os_flags & KRB5_OS_TOFFSET_VALID) {
+ /* Write time offset tag */
+ fcc_tag = FCC_TAG_DELTATIME;
+ fcc_taglen = 2*sizeof(krb5_int32);
+
+ retval = krb5_fcc_store_ui_2(context,id,(krb5_int32)fcc_tag);
+ if (retval) goto done;
+ retval = krb5_fcc_store_ui_2(context,id,(krb5_int32)fcc_taglen);
+ if (retval) goto done;
+ retval = krb5_fcc_store_int32(context,id,os_ctx->time_offset);
+ if (retval) goto done;
+ retval = krb5_fcc_store_int32(context,id,os_ctx->usec_offset);
+ if (retval) goto done;
+ }
+ }
+ invalidate_cache(data);
+ goto done;
+ }
+
+ /* verify a valid version number is there */
invalidate_cache(data);
- if (read(f, (char *)&fcc_fvno, sizeof(fcc_fvno)) != sizeof(fcc_fvno)) {
- retval = KRB5_CC_FORMAT;
- goto done;
- }
- data->version = ntohs(fcc_fvno);
+ if (read(f, (char *)&fcc_fvno, sizeof(fcc_fvno)) != sizeof(fcc_fvno)) {
+ retval = KRB5_CC_FORMAT;
+ goto done;
+ }
+ data->version = ntohs(fcc_fvno);
if ((data->version != KRB5_FCC_FVNO_4) &&
- (data->version != KRB5_FCC_FVNO_3) &&
- (data->version != KRB5_FCC_FVNO_2) &&
- (data->version != KRB5_FCC_FVNO_1)) {
- retval = KRB5_CCACHE_BADVNO;
- goto done;
+ (data->version != KRB5_FCC_FVNO_3) &&
+ (data->version != KRB5_FCC_FVNO_2) &&
+ (data->version != KRB5_FCC_FVNO_1)) {
+ retval = KRB5_CCACHE_BADVNO;
+ goto done;
}
data->file = f;
- if (data->version == KRB5_FCC_FVNO_4) {
- char buf[1024];
-
- if (krb5_fcc_read_ui_2(context, id, &fcc_flen) ||
- (fcc_flen > sizeof(buf)))
- {
- retval = KRB5_CC_FORMAT;
- goto done;
- }
-
- while (fcc_flen) {
- if ((fcc_flen < (2 * sizeof(krb5_ui_2))) ||
- krb5_fcc_read_ui_2(context, id, &fcc_tag) ||
- krb5_fcc_read_ui_2(context, id, &fcc_taglen) ||
- (fcc_taglen > (fcc_flen - 2*sizeof(krb5_ui_2))))
- {
- retval = KRB5_CC_FORMAT;
- goto done;
- }
-
- switch (fcc_tag) {
- case FCC_TAG_DELTATIME:
- if (fcc_taglen != 2*sizeof(krb5_int32)) {
- retval = KRB5_CC_FORMAT;
- goto done;
- }
- if (!(context->library_options & KRB5_LIBOPT_SYNC_KDCTIME) ||
- (os_ctx->os_flags & KRB5_OS_TOFFSET_VALID))
- {
- if (krb5_fcc_read(context, id, buf, fcc_taglen)) {
- retval = KRB5_CC_FORMAT;
- goto done;
- }
- break;
- }
- if (krb5_fcc_read_int32(context, id, &os_ctx->time_offset) ||
- krb5_fcc_read_int32(context, id, &os_ctx->usec_offset))
- {
- retval = KRB5_CC_FORMAT;
- goto done;
- }
- os_ctx->os_flags =
- ((os_ctx->os_flags & ~KRB5_OS_TOFFSET_TIME) |
- KRB5_OS_TOFFSET_VALID);
- break;
- default:
- if (fcc_taglen && krb5_fcc_read(context,id,buf,fcc_taglen)) {
- retval = KRB5_CC_FORMAT;
- goto done;
- }
- break;
- }
- fcc_flen -= (2*sizeof(krb5_ui_2) + fcc_taglen);
- }
- }
+ if (data->version == KRB5_FCC_FVNO_4) {
+ char buf[1024];
+
+ if (krb5_fcc_read_ui_2(context, id, &fcc_flen) ||
+ (fcc_flen > sizeof(buf)))
+ {
+ retval = KRB5_CC_FORMAT;
+ goto done;
+ }
+
+ while (fcc_flen) {
+ if ((fcc_flen < (2 * sizeof(krb5_ui_2))) ||
+ krb5_fcc_read_ui_2(context, id, &fcc_tag) ||
+ krb5_fcc_read_ui_2(context, id, &fcc_taglen) ||
+ (fcc_taglen > (fcc_flen - 2*sizeof(krb5_ui_2))))
+ {
+ retval = KRB5_CC_FORMAT;
+ goto done;
+ }
+
+ switch (fcc_tag) {
+ case FCC_TAG_DELTATIME:
+ if (fcc_taglen != 2*sizeof(krb5_int32)) {
+ retval = KRB5_CC_FORMAT;
+ goto done;
+ }
+ if (!(context->library_options & KRB5_LIBOPT_SYNC_KDCTIME) ||
+ (os_ctx->os_flags & KRB5_OS_TOFFSET_VALID))
+ {
+ if (krb5_fcc_read(context, id, buf, fcc_taglen)) {
+ retval = KRB5_CC_FORMAT;
+ goto done;
+ }
+ break;
+ }
+ if (krb5_fcc_read_int32(context, id, &os_ctx->time_offset) ||
+ krb5_fcc_read_int32(context, id, &os_ctx->usec_offset))
+ {
+ retval = KRB5_CC_FORMAT;
+ goto done;
+ }
+ os_ctx->os_flags =
+ ((os_ctx->os_flags & ~KRB5_OS_TOFFSET_TIME) |
+ KRB5_OS_TOFFSET_VALID);
+ break;
+ default:
+ if (fcc_taglen && krb5_fcc_read(context,id,buf,fcc_taglen)) {
+ retval = KRB5_CC_FORMAT;
+ goto done;
+ }
+ break;
+ }
+ fcc_flen -= (2*sizeof(krb5_ui_2) + fcc_taglen);
+ }
+ }
done:
- if (retval) {
- data->file = -1;
- (void) krb5_unlock_file(context, f);
- (void) close(f);
- }
- return retval;
+ if (retval) {
+ data->file = -1;
+ (void) krb5_unlock_file(context, f);
+ (void) close(f);
+ }
+ return retval;
}
static krb5_error_code
krb5_fcc_skip_header(krb5_context context, krb5_ccache id)
{
- krb5_fcc_data *data = (krb5_fcc_data *)id->data;
- krb5_error_code kret;
- krb5_ui_2 fcc_flen;
-
- k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock);
-
- fcc_lseek(data, (off_t) sizeof(krb5_ui_2), SEEK_SET);
- if (data->version == KRB5_FCC_FVNO_4) {
- kret = krb5_fcc_read_ui_2(context, id, &fcc_flen);
- if (kret) return kret;
- if(fcc_lseek(data, (off_t) fcc_flen, SEEK_CUR) < 0)
- return errno;
- }
- return KRB5_OK;
+ krb5_fcc_data *data = (krb5_fcc_data *)id->data;
+ krb5_error_code kret;
+ krb5_ui_2 fcc_flen;
+
+ k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock);
+
+ fcc_lseek(data, (off_t) sizeof(krb5_ui_2), SEEK_SET);
+ if (data->version == KRB5_FCC_FVNO_4) {
+ kret = krb5_fcc_read_ui_2(context, id, &fcc_flen);
+ if (kret) return kret;
+ if(fcc_lseek(data, (off_t) fcc_flen, SEEK_CUR) < 0)
+ return errno;
+ }
+ return KRB5_OK;
}
static krb5_error_code
krb5_fcc_skip_principal(krb5_context context, krb5_ccache id)
{
- krb5_error_code kret;
- krb5_principal princ;
+ krb5_error_code kret;
+ krb5_principal princ;
- k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock);
+ k5_cc_mutex_assert_locked(context, &((krb5_fcc_data *) id->data)->lock);
- kret = krb5_fcc_read_principal(context, id, &princ);
- if (kret != KRB5_OK)
- return kret;
+ kret = krb5_fcc_read_principal(context, id, &princ);
+ if (kret != KRB5_OK)
+ return kret;
- krb5_free_principal(context, princ);
- return KRB5_OK;
+ krb5_free_principal(context, princ);
+ return KRB5_OK;
}
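Review bot: In krb5_fcc_skip_header the first `fcc_lseek(data, (off_t) sizeof(krb5_ui_2), SEEK_SET)` is not checked, so after a failed seek the following `krb5_fcc_read_ui_2` takes the header length from whatever offset the descriptor happens to be at. The second seek also reports failure as a raw `errno` instead of a krb5 code, unlike the other error paths in this file. I would check both calls the same way: `if (fcc_lseek(data, (off_t) sizeof(krb5_ui_2), SEEK_SET) < 0) return krb5_fcc_interpret(context, errno);`, and `return krb5_fcc_interpret(context, errno);` after the SEEK_CUR call. Both behaviours predate this re-indentation; fcc_lseek is defined outside the hunk, so its failure value should be confirmed there.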
@@ -1441,36 +1442,36 @@ krb5_fcc_skip_principal(krb5_context context, krb5_ccache id)
static krb5_error_code KRB5_CALLCONV
krb5_fcc_initialize(krb5_context context, krb5_ccache id, krb5_principal princ)
{
- krb5_error_code kret = 0;
- int reti = 0;
+ krb5_error_code kret = 0;
+ int reti = 0;
- kret = k5_cc_mutex_lock(context, &((krb5_fcc_data *) id->data)->lock);
- if (kret)
- return kret;
+ kret = k5_cc_mutex_lock(context, &((krb5_fcc_data *) id->data)->lock);
+ if (kret)
+ return kret;
- MAYBE_OPEN(context, id, FCC_OPEN_AND_ERASE);
+ MAYBE_OPEN(context, id, FCC_OPEN_AND_ERASE);
#if defined(HAVE_FCHMOD) || defined(HAVE_CHMOD)
- {
+ {
#ifdef HAVE_FCHMOD
- reti = fchmod(((krb5_fcc_data *) id->data)->file, S_IREAD | S_IWRITE);
+ reti = fchmod(((krb5_fcc_data *) id->data)->file, S_IREAD | S_IWRITE);
#else
- reti = chmod(((krb5_fcc_data *) id->data)->filename, S_IREAD | S_IWRITE);
+ reti = chmod(((krb5_fcc_data *) id->data)->filename, S_IREAD | S_IWRITE);
#endif
- if (reti == -1) {
- kret = krb5_fcc_interpret(context, errno);
- MAYBE_CLOSE(context, id, kret);
- k5_cc_mutex_unlock(context, &((krb5_fcc_data *) id->data)->lock);
- return kret;
- }
- }
+ if (reti == -1) {
+ kret = krb5_fcc_interpret(context, errno);
+ MAYBE_CLOSE(context, id, kret);
+ k5_cc_mutex_unlock(context, &((krb5_fcc_data *) id->data)->lock);
+ return kret;
+ }
+ }
#endif
- kret = krb5_fcc_store_principal(context, id, princ);
+ kret = krb5_fcc_store_principal(context, id, princ);
- MAYBE_CLOSE(context, id, kret);
- k5_cc_mutex_unlock(context, &((krb5_fcc_data *) id->data)->lock);
- krb5_change_cache ();
- return kret;
+ MAYBE_CLOSE(context, id, kret);
+ k5_cc_mutex_unlock(context, &((krb5_fcc_data *) id->data)->lock);
+ krb5_change_cache ();
+ return kret;
}
/*
@@ -1484,34 +1485,34 @@ static krb5_error_code dereference(krb5_context context, krb5_fcc_data *data)
kerr = k5_cc_mutex_lock(context, &krb5int_cc_file_mutex);
if (kerr)
- return kerr;
+ return kerr;
for (fccsp = &fccs; *fccsp != NULL; fccsp = &(*fccsp)->next)
- if ((*fccsp)->data == data)
- break;
+ if ((*fccsp)->data == data)
+ break;
assert(*fccsp != NULL);
assert((*fccsp)->data == data);
(*fccsp)->refcount--;
if ((*fccsp)->refcount == 0) {
struct fcc_set *temp;
- data = (*fccsp)->data;
- temp = *fccsp;
- *fccsp = (*fccsp)->next;
- free(temp);
- k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex);
- k5_cc_mutex_assert_unlocked(context, &data->lock);
- free(data->filename);
- zap(data->buf, sizeof(data->buf));
- if (data->file >= 0) {
- kerr = k5_cc_mutex_lock(context, &data->lock);
- if (kerr)
- return kerr;
- krb5_fcc_close_file(context, data);
- k5_cc_mutex_unlock(context, &data->lock);
- }
- k5_cc_mutex_destroy(&data->lock);
- free(data);
+ data = (*fccsp)->data;
+ temp = *fccsp;
+ *fccsp = (*fccsp)->next;
+ free(temp);
+ k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex);
+ k5_cc_mutex_assert_unlocked(context, &data->lock);
+ free(data->filename);
+ zap(data->buf, sizeof(data->buf));
+ if (data->file >= 0) {
+ kerr = k5_cc_mutex_lock(context, &data->lock);
+ if (kerr)
+ return kerr;
+ krb5_fcc_close_file(context, data);
+ k5_cc_mutex_unlock(context, &data->lock);
+ }
+ k5_cc_mutex_destroy(&data->lock);
+ free(data);
} else
- k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex);
+ k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex);
return 0;
}
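Review bot: When `k5_cc_mutex_lock(context, &data->lock)` fails in the refcount-zero branch, `return kerr` leaves `data` allocated with its descriptor still open and its mutex not destroyed. By then the entry has already been removed from `fccs` and `data->filename` freed, so nothing can reclaim it later. A leaked descriptor on a credential cache file is worth avoiding, so I would record the error and continue to the teardown: `if (kerr) (void) close(data->file); else { krb5_fcc_close_file(context, data); k5_cc_mutex_unlock(context, &data->lock); }`, returning `kerr` at the end. The function's declarations are above the hunk, and this path is unchanged by the re-indentation.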
@@ -1526,9 +1527,9 @@ static krb5_error_code dereference(krb5_context context, krb5_fcc_data *data)
static krb5_error_code KRB5_CALLCONV
krb5_fcc_close(krb5_context context, krb5_ccache id)
{
- dereference(context, (krb5_fcc_data *) id->data);
- free(id);
- return KRB5_OK;
+ dereference(context, (krb5_fcc_data *) id->data);
+ free(id);
+ return KRB5_OK;
}
/*
@@ -1541,32 +1542,32 @@ krb5_fcc_close(krb5_context context, krb5_ccache id)
static krb5_error_code KRB5_CALLCONV
krb5_fcc_destroy(krb5_context context, krb5_ccache id)
{
- krb5_error_code kret = 0;
- krb5_fcc_data *data = (krb5_fcc_data *) id->data;
- register int ret;
-
- struct stat buf;
- unsigned long i, size;
- unsigned int wlen;
- char zeros[BUFSIZ];
-
- kret = k5_cc_mutex_lock(context, &data->lock);
- if (kret)
- return kret;
-
- if (OPENCLOSE(id)) {
- invalidate_cache(data);
- ret = THREEPARAMOPEN(data->filename,
- O_RDWR | O_BINARY, 0);
- if (ret < 0) {
- kret = krb5_fcc_interpret(context, errno);
- goto cleanup;
- }
- set_cloexec_fd(ret);
- data->file = ret;
- }
- else
- fcc_lseek(data, (off_t) 0, SEEK_SET);
+ krb5_error_code kret = 0;
+ krb5_fcc_data *data = (krb5_fcc_data *) id->data;
+ register int ret;
+
+ struct stat buf;
+ unsigned long i, size;
+ unsigned int wlen;
+ char zeros[BUFSIZ];
+
+ kret = k5_cc_mutex_lock(context, &data->lock);
+ if (kret)
+ return kret;
+
+ if (OPENCLOSE(id)) {
+ invalidate_cache(data);
+ ret = THREEPARAMOPEN(data->filename,
+ O_RDWR | O_BINARY, 0);
+ if (ret < 0) {
+ kret = krb5_fcc_interpret(context, errno);
+ goto cleanup;
+ }
+ set_cloexec_fd(ret);
+ data->file = ret;
+ }
+ else
+ fcc_lseek(data, (off_t) 0, SEEK_SET);
#ifdef MSDOS_FILESYSTEM
/* "disgusting bit of UNIX trivia" - that's how the writers of NFS describe
@@ -1607,65 +1608,65 @@ krb5_fcc_destroy(krb5_context context, krb5_ccache id)
#else /* MSDOS_FILESYSTEM */
- ret = unlink(data->filename);
- if (ret < 0) {
- kret = krb5_fcc_interpret(context, errno);
- if (OPENCLOSE(id)) {
- (void) close(((krb5_fcc_data *)id->data)->file);
- data->file = -1;
- kret = ret;
- }
- goto cleanup;
- }
-
- ret = fstat(data->file, &buf);
- if (ret < 0) {
- kret = krb5_fcc_interpret(context, errno);
- if (OPENCLOSE(id)) {
- (void) close(((krb5_fcc_data *)id->data)->file);
- data->file = -1;
- }
- goto cleanup;
- }
-
- /* XXX This may not be legal XXX */
- size = (unsigned long) buf.st_size;
- memset(zeros, 0, BUFSIZ);
- for (i=0; i < size / BUFSIZ; i++)
- if (write(data->file, zeros, BUFSIZ) < 0) {
- kret = krb5_fcc_interpret(context, errno);
- if (OPENCLOSE(id)) {
- (void) close(((krb5_fcc_data *)id->data)->file);
- data->file = -1;
- }
- goto cleanup;
- }
-
- wlen = (unsigned int) (size % BUFSIZ);
- if (write(data->file, zeros, wlen) < 0) {
- kret = krb5_fcc_interpret(context, errno);
- if (OPENCLOSE(id)) {
- (void) close(((krb5_fcc_data *)id->data)->file);
- data->file = -1;
- }
- goto cleanup;
- }
-
- ret = close(data->file);
- data->file = -1;
-
- if (ret)
- kret = krb5_fcc_interpret(context, errno);
+ ret = unlink(data->filename);
+ if (ret < 0) {
+ kret = krb5_fcc_interpret(context, errno);
+ if (OPENCLOSE(id)) {
+ (void) close(((krb5_fcc_data *)id->data)->file);
+ data->file = -1;
+ kret = ret;
+ }
+ goto cleanup;
+ }
+
+ ret = fstat(data->file, &buf);
+ if (ret < 0) {
+ kret = krb5_fcc_interpret(context, errno);
+ if (OPENCLOSE(id)) {
+ (void) close(((krb5_fcc_data *)id->data)->file);
+ data->file = -1;
+ }
+ goto cleanup;
+ }
+
+ /* XXX This may not be legal XXX */
+ size = (unsigned long) buf.st_size;
+ memset(zeros, 0, BUFSIZ);
+ for (i=0; i < size / BUFSIZ; i++)
+ if (write(data->file, zeros, BUFSIZ) < 0) {
+ kret = krb5_fcc_interpret(context, errno);
+ if (OPENCLOSE(id)) {
+ (void) close(((krb5_fcc_data *)id->data)->file);
+ data->file = -1;
+ }
+ goto cleanup;
+ }
+
+ wlen = (unsigned int) (size % BUFSIZ);
+ if (write(data->file, zeros, wlen) < 0) {
+ kret = krb5_fcc_interpret(context, errno);
+ if (OPENCLOSE(id)) {
+ (void) close(((krb5_fcc_data *)id->data)->file);
+ data->file = -1;
+ }
+ goto cleanup;
+ }
+
+ ret = close(data->file);
+ data->file = -1;
+
+ if (ret)
+ kret = krb5_fcc_interpret(context, errno);
#endif /* MSDOS_FILESYSTEM */
- cleanup:
- k5_cc_mutex_unlock(context, &data->lock);
- dereference(context, data);
- free(id);
+cleanup:
+ k5_cc_mutex_unlock(context, &data->lock);
+ dereference(context, data);
+ free(id);
- krb5_change_cache ();
- return kret;
+ krb5_change_cache ();
+ return kret;
}
extern const krb5_cc_ops krb5_fcc_ops;
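Review bot: The zero-fill before `close` treats only `write(...) < 0` as failure, so a short write leaves part of the already-unlinked cache file un-overwritten while krb5_fcc_destroy still returns success. The loop should advance by the byte count actually written, as in the sketch below. Separately, in the `unlink` failure branch `kret = ret;` replaces the code just obtained from `krb5_fcc_interpret` with the raw `-1`; that line should be dropped. Both predate this re-indentation, and the start of the function is in the preceding hunk.

```c
/* ... unchanged: unlink() and fstat() error handling ... */
    size = (unsigned long) buf.st_size;
    memset(zeros, 0, BUFSIZ);
    while (size > 0) {
        ssize_t nw;

        wlen = (size < BUFSIZ) ? (unsigned int) size : BUFSIZ;
        nw = write(data->file, zeros, wlen);
        if (nw < 0 && errno == EINTR)
            continue;
        if (nw <= 0) {
            /* A zero-length result would otherwise spin forever. */
            kret = (nw < 0) ? krb5_fcc_interpret(context, errno) : KRB5_CC_IO;
            if (OPENCLOSE(id)) {
                (void) close(((krb5_fcc_data *)id->data)->file);
                data->file = -1;
            }
            goto cleanup;
        }
        size -= (unsigned long) nw;
    }
/* ... unchanged: close(data->file) and the cleanup label ... */
```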
@@ -1676,109 +1677,109 @@ extern const krb5_cc_ops krb5_fcc_ops;
*
* Modifies:
* id
- *
+ *
* Effects:
* creates a file-based cred cache that will reside in the file
* residual. The cache is not opened, but the filename is reserved.
- *
+ *
* Returns:
* A filled in krb5_ccache structure "id".
*
* Errors:
* KRB5_CC_NOMEM - there was insufficient memory to allocate the
- * krb5_ccache. id is undefined.
+ * krb5_ccache. id is undefined.
* permission errors
*/
static krb5_error_code KRB5_CALLCONV
krb5_fcc_resolve (krb5_context context, krb5_ccache *id, const char *residual)
{
- krb5_ccache lid;
- krb5_error_code kret;
- krb5_fcc_data *data;
- struct fcc_set *setptr;
-
- kret = k5_cc_mutex_lock(context, &krb5int_cc_file_mutex);
- if (kret)
- return kret;
- for (setptr = fccs; setptr; setptr = setptr->next) {
- if (!strcmp(setptr->data->filename, residual))
- break;
- }
- if (setptr) {
- data = setptr->data;
- assert(setptr->refcount != 0);
- setptr->refcount++;
- assert(setptr->refcount != 0);
- kret = k5_cc_mutex_lock(context, &data->lock);
- if (kret) {
- k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex);
- return kret;
- }
- k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex);
- } else {
- data = malloc(sizeof(krb5_fcc_data));
- if (data == NULL) {
- k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex);
- return KRB5_CC_NOMEM;
- }
- data->filename = strdup(residual);
- if (data->filename == NULL) {
- k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex);
- free(data);
- return KRB5_CC_NOMEM;
- }
- kret = k5_cc_mutex_init(&data->lock);
- if (kret) {
- k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex);
- free(data->filename);
- free(data);
- return kret;
- }
- kret = k5_cc_mutex_lock(context, &data->lock);
- if (kret) {
- k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex);
- k5_cc_mutex_destroy(&data->lock);
- free(data->filename);
- free(data);
- return kret;
- }
- /* data->version,mode filled in for real later */
- data->version = data->mode = 0;
- data->flags = KRB5_TC_OPENCLOSE;
- data->file = -1;
- data->valid_bytes = 0;
- setptr = malloc(sizeof(struct fcc_set));
- if (setptr == NULL) {
- k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex);
- k5_cc_mutex_unlock(context, &data->lock);
- k5_cc_mutex_destroy(&data->lock);
- free(data->filename);
- free(data);
- return KRB5_CC_NOMEM;
- }
- setptr->refcount = 1;
- setptr->data = data;
- setptr->next = fccs;
- fccs = setptr;
- k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex);
- }
-
- k5_cc_mutex_assert_locked(context, &data->lock);
- k5_cc_mutex_unlock(context, &data->lock);
- lid = (krb5_ccache) malloc(sizeof(struct _krb5_ccache));
- if (lid == NULL) {
- dereference(context, data);
- return KRB5_CC_NOMEM;
- }
-
- lid->ops = &krb5_fcc_ops;
- lid->data = data;
- lid->magic = KV5M_CCACHE;
-
- /* other routines will get errors on open, and callers must expect them,
- if cache is non-existent/unusable */
- *id = lid;
- return KRB5_OK;
+ krb5_ccache lid;
+ krb5_error_code kret;
+ krb5_fcc_data *data;
+ struct fcc_set *setptr;
+
+ kret = k5_cc_mutex_lock(context, &krb5int_cc_file_mutex);
+ if (kret)
+ return kret;
+ for (setptr = fccs; setptr; setptr = setptr->next) {
+ if (!strcmp(setptr->data->filename, residual))
+ break;
+ }
+ if (setptr) {
+ data = setptr->data;
+ assert(setptr->refcount != 0);
+ setptr->refcount++;
+ assert(setptr->refcount != 0);
+ kret = k5_cc_mutex_lock(context, &data->lock);
+ if (kret) {
+ k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex);
+ return kret;
+ }
+ k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex);
+ } else {
+ data = malloc(sizeof(krb5_fcc_data));
+ if (data == NULL) {
+ k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex);
+ return KRB5_CC_NOMEM;
+ }
+ data->filename = strdup(residual);
+ if (data->filename == NULL) {
+ k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex);
+ free(data);
+ return KRB5_CC_NOMEM;
+ }
+ kret = k5_cc_mutex_init(&data->lock);
+ if (kret) {
+ k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex);
+ free(data->filename);
+ free(data);
+ return kret;
+ }
+ kret = k5_cc_mutex_lock(context, &data->lock);
+ if (kret) {
+ k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex);
+ k5_cc_mutex_destroy(&data->lock);
+ free(data->filename);
+ free(data);
+ return kret;
+ }
+ /* data->version,mode filled in for real later */
+ data->version = data->mode = 0;
+ data->flags = KRB5_TC_OPENCLOSE;
+ data->file = -1;
+ data->valid_bytes = 0;
+ setptr = malloc(sizeof(struct fcc_set));
+ if (setptr == NULL) {
+ k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex);
+ k5_cc_mutex_unlock(context, &data->lock);
+ k5_cc_mutex_destroy(&data->lock);
+ free(data->filename);
+ free(data);
+ return KRB5_CC_NOMEM;
+ }
+ setptr->refcount = 1;
+ setptr->data = data;
+ setptr->next = fccs;
+ fccs = setptr;
+ k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex);
+ }
+
+ k5_cc_mutex_assert_locked(context, &data->lock);
+ k5_cc_mutex_unlock(context, &data->lock);
+ lid = (krb5_ccache) malloc(sizeof(struct _krb5_ccache));
+ if (lid == NULL) {
+ dereference(context, data);
+ return KRB5_CC_NOMEM;
+ }
+
+ lid->ops = &krb5_fcc_ops;
+ lid->data = data;
+ lid->magic = KV5M_CCACHE;
+
+ /* other routines will get errors on open, and callers must expect them,
+ if cache is non-existent/unusable */
+ *id = lid;
+ return KRB5_OK;
}
/*
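Review bot: In the branch of krb5_fcc_resolve that reuses an existing `fcc_set` entry, `setptr->refcount++` has already run when `k5_cc_mutex_lock(context, &data->lock)` fails, and the error return does not undo it. The count can then never reach zero in `dereference`, so the entry's `krb5_fcc_data` (filename, buffer and any open descriptor) stays allocated for the life of the process. Adding `setptr->refcount--;` before `k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex);` in that failure branch keeps the count accurate. This predates the re-indentation.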
@@ -1796,49 +1797,49 @@ krb5_fcc_resolve (krb5_context context, krb5_ccache *id, const char *residual)
*/
static krb5_error_code KRB5_CALLCONV
krb5_fcc_start_seq_get(krb5_context context, krb5_ccache id,
- krb5_cc_cursor *cursor)
+ krb5_cc_cursor *cursor)
{
- krb5_fcc_cursor *fcursor;
- krb5_error_code kret = KRB5_OK;
- krb5_fcc_data *data = (krb5_fcc_data *)id->data;
-
- kret = k5_cc_mutex_lock(context, &data->lock);
- if (kret)
- return kret;
-
- fcursor = (krb5_fcc_cursor *) malloc(sizeof(krb5_fcc_cursor));
- if (fcursor == NULL) {
- k5_cc_mutex_unlock(context, &data->lock);
- return KRB5_CC_NOMEM;
- }
- if (OPENCLOSE(id)) {
- kret = krb5_fcc_open_file(context, id, FCC_OPEN_RDONLY);
- if (kret) {
- free(fcursor);
- k5_cc_mutex_unlock(context, &data->lock);
- return kret;
- }
- }
-
- /* Make sure we start reading right after the primary principal */
- kret = krb5_fcc_skip_header(context, id);
- if (kret) {
- free(fcursor);
- goto done;
- }
- kret = krb5_fcc_skip_principal(context, id);
- if (kret) {
- free(fcursor);
- goto done;
- }
-
- fcursor->pos = fcc_lseek(data, (off_t) 0, SEEK_CUR);
- *cursor = (krb5_cc_cursor) fcursor;
+ krb5_fcc_cursor *fcursor;
+ krb5_error_code kret = KRB5_OK;
+ krb5_fcc_data *data = (krb5_fcc_data *)id->data;
+
+ kret = k5_cc_mutex_lock(context, &data->lock);
+ if (kret)
+ return kret;
+
+ fcursor = (krb5_fcc_cursor *) malloc(sizeof(krb5_fcc_cursor));
+ if (fcursor == NULL) {
+ k5_cc_mutex_unlock(context, &data->lock);
+ return KRB5_CC_NOMEM;
+ }
+ if (OPENCLOSE(id)) {
+ kret = krb5_fcc_open_file(context, id, FCC_OPEN_RDONLY);
+ if (kret) {
+ free(fcursor);
+ k5_cc_mutex_unlock(context, &data->lock);
+ return kret;
+ }
+ }
+
+ /* Make sure we start reading right after the primary principal */
+ kret = krb5_fcc_skip_header(context, id);
+ if (kret) {
+ free(fcursor);
+ goto done;
+ }
+ kret = krb5_fcc_skip_principal(context, id);
+ if (kret) {
+ free(fcursor);
+ goto done;
+ }
+
+ fcursor->pos = fcc_lseek(data, (off_t) 0, SEEK_CUR);
+ *cursor = (krb5_cc_cursor) fcursor;
done:
- MAYBE_CLOSE(context, id, kret);
- k5_cc_mutex_unlock(context, &data->lock);
- return kret;
+ MAYBE_CLOSE(context, id, kret);
+ k5_cc_mutex_unlock(context, &data->lock);
+ return kret;
}
@@ -1849,7 +1850,7 @@ done:
*
* Modifes:
* cursor, creds
- *
+ *
* Effects:
* Fills in creds with the "next" credentals structure from the cache
* id. The actual order the creds are returned in is arbitrary.
@@ -1864,62 +1865,62 @@ done:
*/
static krb5_error_code KRB5_CALLCONV
krb5_fcc_next_cred(krb5_context context, krb5_ccache id, krb5_cc_cursor *cursor,
- krb5_creds *creds)
+ krb5_creds *creds)
{
#define TCHECK(ret) if (ret != KRB5_OK) goto lose;
- krb5_error_code kret;
- krb5_fcc_cursor *fcursor;
- krb5_int32 int32;
- krb5_octet octet;
- krb5_fcc_data *d = (krb5_fcc_data *) id->data;
-
- kret = k5_cc_mutex_lock(context, &d->lock);
- if (kret)
- return kret;
-
- memset(creds, 0, sizeof(*creds));
- MAYBE_OPEN(context, id, FCC_OPEN_RDONLY);
- fcursor = (krb5_fcc_cursor *) *cursor;
-
- kret = (fcc_lseek(d, fcursor->pos, SEEK_SET) == (off_t) -1);
- if (kret) {
- kret = krb5_fcc_interpret(context, errno);
- MAYBE_CLOSE(context, id, kret);
- k5_cc_mutex_unlock(context, &d->lock);
- return kret;
- }
-
- kret = krb5_fcc_read_principal(context, id, &creds->client);
- TCHECK(kret);
- kret = krb5_fcc_read_principal(context, id, &creds->server);
- TCHECK(kret);
- kret = krb5_fcc_read_keyblock(context, id, &creds->keyblock);
- TCHECK(kret);
- kret = krb5_fcc_read_times(context, id, &creds->times);
- TCHECK(kret);
- kret = krb5_fcc_read_octet(context, id, &octet);
- TCHECK(kret);
- creds->is_skey = octet;
- kret = krb5_fcc_read_int32(context, id, &int32);
- TCHECK(kret);
- creds->ticket_flags = int32;
- kret = krb5_fcc_read_addrs(context, id, &creds->addresses);
- TCHECK(kret);
- kret = krb5_fcc_read_authdata(context, id, &creds->authdata);
- TCHECK(kret);
- kret = krb5_fcc_read_data(context, id, &creds->ticket);
- TCHECK(kret);
- kret = krb5_fcc_read_data(context, id, &creds->second_ticket);
- TCHECK(kret);
-
- fcursor->pos = fcc_lseek(d, (off_t) 0, SEEK_CUR);
+ krb5_error_code kret;
+ krb5_fcc_cursor *fcursor;
+ krb5_int32 int32;
+ krb5_octet octet;
+ krb5_fcc_data *d = (krb5_fcc_data *) id->data;
+
+ kret = k5_cc_mutex_lock(context, &d->lock);
+ if (kret)
+ return kret;
+
+ memset(creds, 0, sizeof(*creds));
+ MAYBE_OPEN(context, id, FCC_OPEN_RDONLY);
+ fcursor = (krb5_fcc_cursor *) *cursor;
+
+ kret = (fcc_lseek(d, fcursor->pos, SEEK_SET) == (off_t) -1);
+ if (kret) {
+ kret = krb5_fcc_interpret(context, errno);
+ MAYBE_CLOSE(context, id, kret);
+ k5_cc_mutex_unlock(context, &d->lock);
+ return kret;
+ }
+
+ kret = krb5_fcc_read_principal(context, id, &creds->client);
+ TCHECK(kret);
+ kret = krb5_fcc_read_principal(context, id, &creds->server);
+ TCHECK(kret);
+ kret = krb5_fcc_read_keyblock(context, id, &creds->keyblock);
+ TCHECK(kret);
+ kret = krb5_fcc_read_times(context, id, &creds->times);
+ TCHECK(kret);
+ kret = krb5_fcc_read_octet(context, id, &octet);
+ TCHECK(kret);
+ creds->is_skey = octet;
+ kret = krb5_fcc_read_int32(context, id, &int32);
+ TCHECK(kret);
+ creds->ticket_flags = int32;
+ kret = krb5_fcc_read_addrs(context, id, &creds->addresses);
+ TCHECK(kret);
+ kret = krb5_fcc_read_authdata(context, id, &creds->authdata);
+ TCHECK(kret);
+ kret = krb5_fcc_read_data(context, id, &creds->ticket);
+ TCHECK(kret);
+ kret = krb5_fcc_read_data(context, id, &creds->second_ticket);
+ TCHECK(kret);
+
+ fcursor->pos = fcc_lseek(d, (off_t) 0, SEEK_CUR);
lose:
- MAYBE_CLOSE (context, id, kret);
- k5_cc_mutex_unlock(context, &d->lock);
- if (kret != KRB5_OK)
- krb5_free_cred_contents(context, creds);
- return kret;
+ MAYBE_CLOSE (context, id, kret);
+ k5_cc_mutex_unlock(context, &d->lock);
+ if (kret != KRB5_OK)
+ krb5_free_cred_contents(context, creds);
+ return kret;
}
/*
@@ -1938,15 +1939,15 @@ lose:
static krb5_error_code KRB5_CALLCONV
krb5_fcc_end_seq_get(krb5_context context, krb5_ccache id, krb5_cc_cursor *cursor)
{
- /* We don't do anything with the file cache itself, so
- no need to lock anything. */
-
- /* don't close; it may be left open by the caller,
- and if not, fcc_start_seq_get and/or fcc_next_cred will do the
- MAYBE_CLOSE.
- MAYBE_CLOSE(context, id, kret); */
- free((krb5_fcc_cursor *) *cursor);
- return 0;
+ /* We don't do anything with the file cache itself, so
+ no need to lock anything. */
+
+ /* don't close; it may be left open by the caller,
+ and if not, fcc_start_seq_get and/or fcc_next_cred will do the
+ MAYBE_CLOSE.
+ MAYBE_CLOSE(context, id, kret); */
+ free((krb5_fcc_cursor *) *cursor);
+ return 0;
}
@@ -1955,184 +1956,184 @@ krb5_fcc_end_seq_get(krb5_context context, krb5_ccache id, krb5_cc_cursor *curso
* Creates a new file cred cache whose name is guaranteed to be
* unique. The name begins with the string TKT_ROOT (from fcc.h).
* The cache is not opened, but the new filename is reserved.
- *
+ *
* Returns:
* The filled in krb5_ccache id.
*
* Errors:
* KRB5_CC_NOMEM - there was insufficient memory to allocate the
- * krb5_ccache. id is undefined.
+ * krb5_ccache. id is undefined.
* system errors (from open)
*/
static krb5_error_code KRB5_CALLCONV
krb5_fcc_generate_new (krb5_context context, krb5_ccache *id)
{
- krb5_ccache lid;
- int ret;
- krb5_error_code kret = 0;
- char scratch[sizeof(TKT_ROOT)+6+1]; /* +6 for the scratch part, +1 for
- NUL */
- krb5_fcc_data *data;
- krb5_int16 fcc_fvno = htons(context->fcc_default_format);
- krb5_int16 fcc_flen = 0;
- int errsave, cnt;
- struct fcc_set *setptr;
-
- /* Set master lock */
- kret = k5_cc_mutex_lock(context, &krb5int_cc_file_mutex);
- if (kret)
- return kret;
-
- (void) snprintf(scratch, sizeof(scratch), "%sXXXXXX", TKT_ROOT);
- ret = mkstemp(scratch);
- if (ret == -1) {
- k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex);
- return krb5_fcc_interpret(context, errno);
- }
- set_cloexec_fd(ret);
-
- /* Allocate memory */
- data = (krb5_pointer) malloc(sizeof(krb5_fcc_data));
- if (data == NULL) {
- k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex);
- close(ret);
- unlink(scratch);
- return KRB5_CC_NOMEM;
- }
-
- data->filename = strdup(scratch);
- if (data->filename == NULL) {
- k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex);
- free(data);
- close(ret);
- unlink(scratch);
- return KRB5_CC_NOMEM;
- }
-
- kret = k5_cc_mutex_init(&data->lock);
- if (kret) {
- k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex);
- free(data->filename);
- free(data);
- close(ret);
- unlink(scratch);
- return kret;
- }
- kret = k5_cc_mutex_lock(context, &data->lock);
- if (kret) {
- k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex);
- k5_cc_mutex_destroy(&data->lock);
- free(data->filename);
- free(data);
- close(ret);
- unlink(scratch);
- return kret;
- }
-
- /*
- * The file is initially closed at the end of this call...
- */
- data->flags = 0;
- data->file = -1;
- data->valid_bytes = 0;
- /* data->version,mode filled in for real later */
- data->version = data->mode = 0;
-
-
- /* Ignore user's umask, set mode = 0600 */
+ krb5_ccache lid;
+ int ret;
+ krb5_error_code kret = 0;
+ char scratch[sizeof(TKT_ROOT)+6+1]; /* +6 for the scratch part, +1 for
+ NUL */
+ krb5_fcc_data *data;
+ krb5_int16 fcc_fvno = htons(context->fcc_default_format);
+ krb5_int16 fcc_flen = 0;
+ int errsave, cnt;
+ struct fcc_set *setptr;
+
+ /* Set master lock */
+ kret = k5_cc_mutex_lock(context, &krb5int_cc_file_mutex);
+ if (kret)
+ return kret;
+
+ (void) snprintf(scratch, sizeof(scratch), "%sXXXXXX", TKT_ROOT);
+ ret = mkstemp(scratch);
+ if (ret == -1) {
+ k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex);
+ return krb5_fcc_interpret(context, errno);
+ }
+ set_cloexec_fd(ret);
+
+ /* Allocate memory */
+ data = (krb5_pointer) malloc(sizeof(krb5_fcc_data));
+ if (data == NULL) {
+ k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex);
+ close(ret);
+ unlink(scratch);
+ return KRB5_CC_NOMEM;
+ }
+
+ data->filename = strdup(scratch);
+ if (data->filename == NULL) {
+ k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex);
+ free(data);
+ close(ret);
+ unlink(scratch);
+ return KRB5_CC_NOMEM;
+ }
+
+ kret = k5_cc_mutex_init(&data->lock);
+ if (kret) {
+ k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex);
+ free(data->filename);
+ free(data);
+ close(ret);
+ unlink(scratch);
+ return kret;
+ }
+ kret = k5_cc_mutex_lock(context, &data->lock);
+ if (kret) {
+ k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex);
+ k5_cc_mutex_destroy(&data->lock);
+ free(data->filename);
+ free(data);
+ close(ret);
+ unlink(scratch);
+ return kret;
+ }
+
+ /*
+ * The file is initially closed at the end of this call...
+ */
+ data->flags = 0;
+ data->file = -1;
+ data->valid_bytes = 0;
+ /* data->version,mode filled in for real later */
+ data->version = data->mode = 0;
+
+
+ /* Ignore user's umask, set mode = 0600 */
#ifndef HAVE_FCHMOD
#ifdef HAVE_CHMOD
- chmod(data->filename, S_IRUSR | S_IWUSR);
+ chmod(data->filename, S_IRUSR | S_IWUSR);
#endif
#else
- fchmod(ret, S_IRUSR | S_IWUSR);
+ fchmod(ret, S_IRUSR | S_IWUSR);
#endif
- if ((cnt = write(ret, (char *)&fcc_fvno, sizeof(fcc_fvno)))
- != sizeof(fcc_fvno)) {
- errsave = errno;
- (void) close(ret);
- (void) unlink(data->filename);
- kret = (cnt == -1) ? krb5_fcc_interpret(context, errsave) : KRB5_CC_IO;
- goto err_out;
- }
- /* For version 4 we save a length for the rest of the header */
- if (context->fcc_default_format == KRB5_FCC_FVNO_4) {
- if ((cnt = write(ret, (char *)&fcc_flen, sizeof(fcc_flen)))
- != sizeof(fcc_flen)) {
- errsave = errno;
- (void) close(ret);
- (void) unlink(data->filename);
- kret = (cnt == -1) ? krb5_fcc_interpret(context, errsave) : KRB5_CC_IO;
- goto err_out;
- }
- }
- if (close(ret) == -1) {
- errsave = errno;
- (void) unlink(data->filename);
- kret = krb5_fcc_interpret(context, errsave);
- goto err_out;
- }
-
-
- setptr = malloc(sizeof(struct fcc_set));
- if (setptr == NULL) {
- k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex);
- k5_cc_mutex_unlock(context, &data->lock);
- k5_cc_mutex_destroy(&data->lock);
- free(data->filename);
- free(data);
- (void) close(ret);
- (void) unlink(scratch);
- return KRB5_CC_NOMEM;
- }
- setptr->refcount = 1;
- setptr->data = data;
- setptr->next = fccs;
- fccs = setptr;
- k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex);
-
- k5_cc_mutex_assert_locked(context, &data->lock);
- k5_cc_mutex_unlock(context, &data->lock);
- lid = (krb5_ccache) malloc(sizeof(struct _krb5_ccache));
- if (lid == NULL) {
- dereference(context, data);
- return KRB5_CC_NOMEM;
- }
-
- lid->ops = &krb5_fcc_ops;
- lid->data = data;
- lid->magic = KV5M_CCACHE;
-
- /* default to open/close on every trn - otherwise destroy
- will get as to state confused */
- ((krb5_fcc_data *) lid->data)->flags = KRB5_TC_OPENCLOSE;
-
- *id = lid;
-
-
- krb5_change_cache ();
- return KRB5_OK;
+ if ((cnt = write(ret, (char *)&fcc_fvno, sizeof(fcc_fvno)))
+ != sizeof(fcc_fvno)) {
+ errsave = errno;
+ (void) close(ret);
+ (void) unlink(data->filename);
+ kret = (cnt == -1) ? krb5_fcc_interpret(context, errsave) : KRB5_CC_IO;
+ goto err_out;
+ }
+ /* For version 4 we save a length for the rest of the header */
+ if (context->fcc_default_format == KRB5_FCC_FVNO_4) {
+ if ((cnt = write(ret, (char *)&fcc_flen, sizeof(fcc_flen)))
+ != sizeof(fcc_flen)) {
+ errsave = errno;
+ (void) close(ret);
+ (void) unlink(data->filename);
+ kret = (cnt == -1) ? krb5_fcc_interpret(context, errsave) : KRB5_CC_IO;
+ goto err_out;
+ }
+ }
+ if (close(ret) == -1) {
+ errsave = errno;
+ (void) unlink(data->filename);
+ kret = krb5_fcc_interpret(context, errsave);
+ goto err_out;
+ }
+
+
+ setptr = malloc(sizeof(struct fcc_set));
+ if (setptr == NULL) {
+ k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex);
+ k5_cc_mutex_unlock(context, &data->lock);
+ k5_cc_mutex_destroy(&data->lock);
+ free(data->filename);
+ free(data);
+ (void) close(ret);
+ (void) unlink(scratch);
+ return KRB5_CC_NOMEM;
+ }
+ setptr->refcount = 1;
+ setptr->data = data;
+ setptr->next = fccs;
+ fccs = setptr;
+ k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex);
+
+ k5_cc_mutex_assert_locked(context, &data->lock);
+ k5_cc_mutex_unlock(context, &data->lock);
+ lid = (krb5_ccache) malloc(sizeof(struct _krb5_ccache));
+ if (lid == NULL) {
+ dereference(context, data);
+ return KRB5_CC_NOMEM;
+ }
+
+ lid->ops = &krb5_fcc_ops;
+ lid->data = data;
+ lid->magic = KV5M_CCACHE;
+
+ /* default to open/close on every trn - otherwise destroy
+ will get as to state confused */
+ ((krb5_fcc_data *) lid->data)->flags = KRB5_TC_OPENCLOSE;
+
+ *id = lid;
+
+
+ krb5_change_cache ();
+ return KRB5_OK;
err_out:
- k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex);
- k5_cc_mutex_unlock(context, &data->lock);
- k5_cc_mutex_destroy(&data->lock);
- free(data->filename);
- free(data);
- return kret;
+ k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex);
+ k5_cc_mutex_unlock(context, &data->lock);
+ k5_cc_mutex_destroy(&data->lock);
+ free(data->filename);
+ free(data);
+ return kret;
}
/*
* Requires:
* id is a file credential cache
- *
+ *
* Returns:
* The name of the file cred cache id.
*/
static const char * KRB5_CALLCONV
krb5_fcc_get_name (krb5_context context, krb5_ccache id)
{
- return (char *) ((krb5_fcc_data *) id->data)->filename;
+ return (char *) ((krb5_fcc_data *) id->data)->filename;
}
/*
@@ -2151,31 +2152,31 @@ krb5_fcc_get_name (krb5_context context, krb5_ccache id)
static krb5_error_code KRB5_CALLCONV
krb5_fcc_get_principal(krb5_context context, krb5_ccache id, krb5_principal *princ)
{
- krb5_error_code kret = KRB5_OK;
+ krb5_error_code kret = KRB5_OK;
+
+ kret = k5_cc_mutex_lock(context, &((krb5_fcc_data *) id->data)->lock);
+ if (kret)
+ return kret;
- kret = k5_cc_mutex_lock(context, &((krb5_fcc_data *) id->data)->lock);
- if (kret)
- return kret;
+ MAYBE_OPEN(context, id, FCC_OPEN_RDONLY);
- MAYBE_OPEN(context, id, FCC_OPEN_RDONLY);
-
- /* make sure we're beyond the header */
- kret = krb5_fcc_skip_header(context, id);
- if (kret) goto done;
- kret = krb5_fcc_read_principal(context, id, princ);
+ /* make sure we're beyond the header */
+ kret = krb5_fcc_skip_header(context, id);
+ if (kret) goto done;
+ kret = krb5_fcc_read_principal(context, id, princ);
done:
- MAYBE_CLOSE(context, id, kret);
- k5_cc_mutex_unlock(context, &((krb5_fcc_data *) id->data)->lock);
- return kret;
+ MAYBE_CLOSE(context, id, kret);
+ k5_cc_mutex_unlock(context, &((krb5_fcc_data *) id->data)->lock);
+ return kret;
}
-
+
static krb5_error_code KRB5_CALLCONV
krb5_fcc_retrieve(krb5_context context, krb5_ccache id, krb5_flags whichfields, krb5_creds *mcreds, krb5_creds *creds)
{
return krb5_cc_retrieve_cred_default (context, id, whichfields,
- mcreds, creds);
+ mcreds, creds);
}
@@ -2194,55 +2195,55 @@ static krb5_error_code KRB5_CALLCONV
krb5_fcc_store(krb5_context context, krb5_ccache id, krb5_creds *creds)
{
#define TCHECK(ret) if (ret != KRB5_OK) goto lose;
- krb5_error_code ret;
-
- ret = k5_cc_mutex_lock(context, &((krb5_fcc_data *) id->data)->lock);
- if (ret)
- return ret;
-
- /* Make sure we are writing to the end of the file */
- MAYBE_OPEN(context, id, FCC_OPEN_RDWR);
-
- /* Make sure we are writing to the end of the file */
- ret = fcc_lseek((krb5_fcc_data *) id->data, (off_t) 0, SEEK_END);
- if (ret < 0) {
- MAYBE_CLOSE_IGNORE(context, id);
- k5_cc_mutex_unlock(context, &((krb5_fcc_data *) id->data)->lock);
- return krb5_fcc_interpret(context, errno);
- }
-
- ret = krb5_fcc_store_principal(context, id, creds->client);
- TCHECK(ret);
- ret = krb5_fcc_store_principal(context, id, creds->server);
- TCHECK(ret);
- ret = krb5_fcc_store_keyblock(context, id, &creds->keyblock);
- TCHECK(ret);
- ret = krb5_fcc_store_times(context, id, &creds->times);
- TCHECK(ret);
- ret = krb5_fcc_store_octet(context, id, (krb5_int32) creds->is_skey);
- TCHECK(ret);
- ret = krb5_fcc_store_int32(context, id, creds->ticket_flags);
- TCHECK(ret);
- ret = krb5_fcc_store_addrs(context, id, creds->addresses);
- TCHECK(ret);
- ret = krb5_fcc_store_authdata(context, id, creds->authdata);
- TCHECK(ret);
- ret = krb5_fcc_store_data(context, id, &creds->ticket);
- TCHECK(ret);
- ret = krb5_fcc_store_data(context, id, &creds->second_ticket);
- TCHECK(ret);
+ krb5_error_code ret;
+
+ ret = k5_cc_mutex_lock(context, &((krb5_fcc_data *) id->data)->lock);
+ if (ret)
+ return ret;
+
+ /* Make sure we are writing to the end of the file */
+ MAYBE_OPEN(context, id, FCC_OPEN_RDWR);
+
+ /* Make sure we are writing to the end of the file */
+ ret = fcc_lseek((krb5_fcc_data *) id->data, (off_t) 0, SEEK_END);
+ if (ret < 0) {
+ MAYBE_CLOSE_IGNORE(context, id);
+ k5_cc_mutex_unlock(context, &((krb5_fcc_data *) id->data)->lock);
+ return krb5_fcc_interpret(context, errno);
+ }
+
+ ret = krb5_fcc_store_principal(context, id, creds->client);
+ TCHECK(ret);
+ ret = krb5_fcc_store_principal(context, id, creds->server);
+ TCHECK(ret);
+ ret = krb5_fcc_store_keyblock(context, id, &creds->keyblock);
+ TCHECK(ret);
+ ret = krb5_fcc_store_times(context, id, &creds->times);
+ TCHECK(ret);
+ ret = krb5_fcc_store_octet(context, id, (krb5_int32) creds->is_skey);
+ TCHECK(ret);
+ ret = krb5_fcc_store_int32(context, id, creds->ticket_flags);
+ TCHECK(ret);
+ ret = krb5_fcc_store_addrs(context, id, creds->addresses);
+ TCHECK(ret);
+ ret = krb5_fcc_store_authdata(context, id, creds->authdata);
+ TCHECK(ret);
+ ret = krb5_fcc_store_data(context, id, &creds->ticket);
+ TCHECK(ret);
+ ret = krb5_fcc_store_data(context, id, &creds->second_ticket);
+ TCHECK(ret);
lose:
- MAYBE_CLOSE(context, id, ret);
- k5_cc_mutex_unlock(context, &((krb5_fcc_data *) id->data)->lock);
- krb5_change_cache ();
- return ret;
+ MAYBE_CLOSE(context, id, ret);
+ k5_cc_mutex_unlock(context, &((krb5_fcc_data *) id->data)->lock);
+ krb5_change_cache ();
+ return ret;
#undef TCHECK
}
-/*
+/*
* Non-functional stub implementation for krb5_fcc_remove
- *
+ *
* Errors:
* KRB5_CC_NOSUPP - not implemented
*/
@@ -2260,7 +2261,7 @@ krb5_fcc_remove_cred(krb5_context context, krb5_ccache cache, krb5_flags flags,
*
* Modifies:
* id
- *
+ *
* Effects:
* Sets the operational flags of id to flags.
*/
@@ -2271,18 +2272,18 @@ krb5_fcc_set_flags(krb5_context context, krb5_ccache id, krb5_flags flags)
ret = k5_cc_mutex_lock(context, &((krb5_fcc_data *) id->data)->lock);
if (ret)
- return ret;
+ return ret;
/* XXX This should check for illegal combinations, if any.. */
if (flags & KRB5_TC_OPENCLOSE) {
- /* asking to turn on OPENCLOSE mode */
- if (!OPENCLOSE(id)
- /* XXX Is this test necessary? */
- && ((krb5_fcc_data *) id->data)->file != NO_FILE)
+ /* asking to turn on OPENCLOSE mode */
+ if (!OPENCLOSE(id)
+ /* XXX Is this test necessary? */
+ && ((krb5_fcc_data *) id->data)->file != NO_FILE)
(void) krb5_fcc_close_file (context, ((krb5_fcc_data *) id->data));
} else {
- /* asking to turn off OPENCLOSE mode, meaning it must be
- left open. We open if it's not yet open */
+ /* asking to turn off OPENCLOSE mode, meaning it must be
+ left open. We open if it's not yet open */
MAYBE_OPEN(context, id, FCC_OPEN_RDONLY);
}
@@ -2298,7 +2299,7 @@ krb5_fcc_set_flags(krb5_context context, krb5_ccache id, krb5_flags flags)
*
* Modifies:
* id (mutex only; temporary)
- *
+ *
* Effects:
* Returns the operational flags of id.
*/
@@ -2309,7 +2310,7 @@ krb5_fcc_get_flags(krb5_context context, krb5_ccache id, krb5_flags *flags)
ret = k5_cc_mutex_lock(context, &((krb5_fcc_data *) id->data)->lock);
if (ret)
- return ret;
+ return ret;
*flags = ((krb5_fcc_data *) id->data)->flags;
k5_cc_mutex_unlock(context, &((krb5_fcc_data *) id->data)->lock);
return ret;
@@ -2321,9 +2322,9 @@ krb5_fcc_ptcursor_new(krb5_context context, krb5_cc_ptcursor *cursor)
krb5_error_code ret = 0;
krb5_cc_ptcursor n = NULL;
struct krb5_fcc_ptcursor_data *cdata = NULL;
-
+
*cursor = NULL;
-
+
n = malloc(sizeof(*n));
if (n == NULL)
return ENOMEM;
@@ -2341,11 +2342,11 @@ krb5_fcc_ptcursor_new(krb5_context context, krb5_cc_ptcursor *cursor)
ret = k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex);
if (ret)
goto errout;
-
+
errout:
- if (ret) {
- krb5_fcc_ptcursor_free(context, &n);
- }
+ if (ret) {
+ krb5_fcc_ptcursor_free(context, &n);
+ }
*cursor = n;
return ret;
}
@@ -2358,39 +2359,39 @@ krb5_fcc_ptcursor_next(krb5_context context,
krb5_error_code ret = 0;
struct krb5_fcc_ptcursor_data *cdata = NULL;
krb5_ccache n;
-
+
*ccache = NULL;
n = malloc(sizeof(*n));
if (n == NULL)
return ENOMEM;
-
+
cdata = cursor->data;
ret = k5_cc_mutex_lock(context, &krb5int_cc_file_mutex);
if (ret)
goto errout;
-
+
if (cdata->cur == NULL) {
k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex);
free(n);
n = NULL;
goto errout;
}
-
+
n->ops = &krb5_fcc_ops;
n->data = cdata->cur->data;
cdata->cur->refcount++;
-
+
cdata->cur = cdata->cur->next;
-
+
ret = k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex);
if (ret)
goto errout;
errout:
- if (ret && n != NULL) {
- free(n);
- n = NULL;
- }
+ if (ret && n != NULL) {
+ free(n);
+ n = NULL;
+ }
*ccache = n;
return ret;
}
@@ -2411,14 +2412,14 @@ krb5_fcc_ptcursor_free(krb5_context context,
/*
* Modifies:
* change_time
- *
+ *
* Effects:
* Returns the timestamp of id's file modification date.
* If an error occurs, change_time is set to 0.
*/
static krb5_error_code KRB5_CALLCONV
krb5_fcc_last_change_time(krb5_context context, krb5_ccache id,
- krb5_timestamp *change_time)
+ krb5_timestamp *change_time)
{
krb5_error_code kret = KRB5_OK;
krb5_fcc_data *data = (krb5_fcc_data *) id->data;
@@ -2429,7 +2430,7 @@ krb5_fcc_last_change_time(krb5_context context, krb5_ccache id,
}
static krb5_error_code KRB5_CALLCONV krb5_fcc_lock(krb5_context context,
- krb5_ccache id)
+ krb5_ccache id)
{
krb5_error_code ret = 0;
krb5_fcc_data *data = (krb5_fcc_data *) id->data;
@@ -2438,7 +2439,7 @@ static krb5_error_code KRB5_CALLCONV krb5_fcc_lock(krb5_context context,
}
static krb5_error_code KRB5_CALLCONV krb5_fcc_unlock(krb5_context context,
- krb5_ccache id)
+ krb5_ccache id)
{
krb5_error_code ret = 0;
krb5_fcc_data *data = (krb5_fcc_data *) id->data;
@@ -2448,7 +2449,7 @@ static krb5_error_code KRB5_CALLCONV krb5_fcc_unlock(krb5_context context,
static krb5_error_code
krb5_fcc_data_last_change_time(krb5_context context, krb5_fcc_data *data,
- krb5_timestamp *change_time)
+ krb5_timestamp *change_time)
{
krb5_error_code kret = KRB5_OK;
register int ret;
@@ -2480,8 +2481,8 @@ krb5_fcc_interpret(krb5_context context, int errnum)
register krb5_error_code retval;
switch (errnum) {
case ENOENT:
- retval = KRB5_FCC_NOFILE;
- break;
+ retval = KRB5_FCC_NOFILE;
+ break;
case EPERM:
case EACCES:
#ifdef EISDIR
@@ -2496,10 +2497,10 @@ krb5_fcc_interpret(krb5_context context, int errnum)
#endif
case EBUSY:
case EROFS:
- retval = KRB5_FCC_PERM;
- break;
+ retval = KRB5_FCC_PERM;
+ break;
case EINVAL:
- case EEXIST: /* XXX */
+ case EEXIST: /* XXX */
case EFAULT:
case EBADF:
#ifdef ENAMETOOLONG
@@ -2508,8 +2509,8 @@ krb5_fcc_interpret(krb5_context context, int errnum)
#ifdef EWOULDBLOCK
case EWOULDBLOCK:
#endif
- retval = KRB5_FCC_INTERNAL;
- break;
+ retval = KRB5_FCC_INTERNAL;
+ break;
#ifdef EDQUOT
case EDQUOT:
#endif
@@ -2519,40 +2520,40 @@ krb5_fcc_interpret(krb5_context context, int errnum)
case EMFILE:
case ENXIO:
default:
- retval = KRB5_CC_IO; /* XXX */
- krb5_set_error_message(context, retval,
- "Credentials cache I/O operation failed (%s)",
- strerror(errnum));
+ retval = KRB5_CC_IO; /* XXX */
+ krb5_set_error_message(context, retval,
+ "Credentials cache I/O operation failed (%s)",
+ strerror(errnum));
}
return retval;
}
const krb5_cc_ops krb5_fcc_ops = {
- 0,
- "FILE",
- krb5_fcc_get_name,
- krb5_fcc_resolve,
- krb5_fcc_generate_new,
- krb5_fcc_initialize,
- krb5_fcc_destroy,
- krb5_fcc_close,
- krb5_fcc_store,
- krb5_fcc_retrieve,
- krb5_fcc_get_principal,
- krb5_fcc_start_seq_get,
- krb5_fcc_next_cred,
- krb5_fcc_end_seq_get,
- krb5_fcc_remove_cred,
- krb5_fcc_set_flags,
- krb5_fcc_get_flags,
- krb5_fcc_ptcursor_new,
- krb5_fcc_ptcursor_next,
- krb5_fcc_ptcursor_free,
- NULL, /* move */
- krb5_fcc_last_change_time,
- NULL, /* wasdefault */
- krb5_fcc_lock,
- krb5_fcc_unlock,
+ 0,
+ "FILE",
+ krb5_fcc_get_name,
+ krb5_fcc_resolve,
+ krb5_fcc_generate_new,
+ krb5_fcc_initialize,
+ krb5_fcc_destroy,
+ krb5_fcc_close,
+ krb5_fcc_store,
+ krb5_fcc_retrieve,
+ krb5_fcc_get_principal,
+ krb5_fcc_start_seq_get,
+ krb5_fcc_next_cred,
+ krb5_fcc_end_seq_get,
+ krb5_fcc_remove_cred,
+ krb5_fcc_set_flags,
+ krb5_fcc_get_flags,
+ krb5_fcc_ptcursor_new,
+ krb5_fcc_ptcursor_next,
+ krb5_fcc_ptcursor_free,
+ NULL, /* move */
+ krb5_fcc_last_change_time,
+ NULL, /* wasdefault */
+ krb5_fcc_lock,
+ krb5_fcc_unlock,
};
#if defined(_WIN32)
@@ -2561,10 +2562,10 @@ const krb5_cc_ops krb5_fcc_ops = {
* A notification message is is posted out to all top level
* windows so that they may recheck the cache based on the
* changes made. We register a unique message type with which
- * we'll communicate to all other processes.
+ * we'll communicate to all other processes.
*/
-krb5_error_code
+krb5_error_code
krb5_change_cache (void) {
PostMessage(HWND_BROADCAST, krb5_get_notification_message(), 0, 0);
@@ -2597,29 +2598,29 @@ krb5_get_notification_message (void)
#endif /* _WIN32 */
const krb5_cc_ops krb5_cc_file_ops = {
- 0,
- "FILE",
- krb5_fcc_get_name,
- krb5_fcc_resolve,
- krb5_fcc_generate_new,
- krb5_fcc_initialize,
- krb5_fcc_destroy,
- krb5_fcc_close,
- krb5_fcc_store,
- krb5_fcc_retrieve,
- krb5_fcc_get_principal,
- krb5_fcc_start_seq_get,
- krb5_fcc_next_cred,
- krb5_fcc_end_seq_get,
- krb5_fcc_remove_cred,
- krb5_fcc_set_flags,
- krb5_fcc_get_flags,
- krb5_fcc_ptcursor_new,
- krb5_fcc_ptcursor_next,
- krb5_fcc_ptcursor_free,
- NULL, /* move */
- krb5_fcc_last_change_time,
- NULL, /* wasdefault */
- krb5_fcc_lock,
- krb5_fcc_unlock,
+ 0,
+ "FILE",
+ krb5_fcc_get_name,
+ krb5_fcc_resolve,
+ krb5_fcc_generate_new,
+ krb5_fcc_initialize,
+ krb5_fcc_destroy,
+ krb5_fcc_close,
+ krb5_fcc_store,
+ krb5_fcc_retrieve,
+ krb5_fcc_get_principal,
+ krb5_fcc_start_seq_get,
+ krb5_fcc_next_cred,
+ krb5_fcc_end_seq_get,
+ krb5_fcc_remove_cred,
+ krb5_fcc_set_flags,
+ krb5_fcc_get_flags,
+ krb5_fcc_ptcursor_new,
+ krb5_fcc_ptcursor_next,
+ krb5_fcc_ptcursor_free,
+ NULL, /* move */
+ krb5_fcc_last_change_time,
+ NULL, /* wasdefault */
+ krb5_fcc_lock,
+ krb5_fcc_unlock,
};
diff --git a/src/lib/krb5/ccache/cc_keyring.c b/src/lib/krb5/ccache/cc_keyring.c
index 9353fd4979..9841ed5fc4 100644
--- a/src/lib/krb5/ccache/cc_keyring.c
+++ b/src/lib/krb5/ccache/cc_keyring.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/ccache/cc_keyring.c
*
@@ -40,7 +41,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -61,13 +62,13 @@
*
* Some assumptions:
*
- * - A credentials cache "file" == a keyring with separate keys
- * for the information in the ccache (see below)
- * - A credentials cache keyring will contain only keys,
- * not other keyrings
- * - Each Kerberos ticket will have its own key within the ccache keyring
- * - The principal information for the ccache is stored in a
- * special key, which is not counted in the 'numkeys' count
+ * - A credentials cache "file" == a keyring with separate keys
+ * for the information in the ccache (see below)
+ * - A credentials cache keyring will contain only keys,
+ * not other keyrings
+ * - Each Kerberos ticket will have its own key within the ccache keyring
+ * - The principal information for the ccache is stored in a
+ * special key, which is not counted in the 'numkeys' count
*/
#include "cc-int.h"
@@ -78,24 +79,24 @@
#include <keyutils.h>
#ifdef DEBUG
-#define KRCC_DEBUG 1
+#define KRCC_DEBUG 1
#endif
#if KRCC_DEBUG
-void debug_print(char *fmt, ...); /* prototype to silence warning */
+void debug_print(char *fmt, ...); /* prototype to silence warning */
#include <syslog.h>
#define DEBUG_PRINT(x) debug_print x
void
debug_print(char *fmt, ...)
{
- va_list ap;
- va_start(ap, fmt);
+ va_list ap;
+ va_start(ap, fmt);
#ifdef DEBUG_STDERR
- vfprintf(stderr, fmt, ap);
+ vfprintf(stderr, fmt, ap);
#else
- vsyslog(LOG_ERR, fmt, ap);
+ vsyslog(LOG_ERR, fmt, ap);
#endif
- va_end(ap);
+ va_end(ap);
}
#else
#define DEBUG_PRINT(x)
@@ -145,9 +146,9 @@ debug_print(char *fmt, ...)
/* Hopefully big enough to hold a serialized credential */
#define GUESS_CRED_SIZE 4096
-#define ALLOC(NUM,TYPE) \
- (((NUM) <= (((size_t)0-1)/ sizeof(TYPE))) \
- ? (TYPE *) calloc((NUM), sizeof(TYPE)) \
+#define ALLOC(NUM,TYPE) \
+ (((NUM) <= (((size_t)0-1)/ sizeof(TYPE))) \
+ ? (TYPE *) calloc((NUM), sizeof(TYPE)) \
: (errno = ENOMEM,(TYPE *) 0))
#define CHECK_N_GO(ret, errdest) if (ret != KRB5_OK) goto errdest
@@ -155,9 +156,9 @@ debug_print(char *fmt, ...)
#define CHECK_OUT(ret) if (ret != KRB5_OK) return ret
typedef struct krb5_krcc_ring_ids {
- key_serial_t session;
- key_serial_t process;
- key_serial_t thread;
+ key_serial_t session;
+ key_serial_t process;
+ key_serial_t thread;
} krb5_krcc_ring_ids_t;
typedef struct _krb5_krcc_cursor
@@ -176,13 +177,13 @@ typedef struct _krb5_krcc_cursor
*/
typedef struct _krb5_krcc_data
{
- char *name; /* Name for this credentials cache */
- k5_cc_mutex lock; /* synchronization */
- key_serial_t parent_id; /* parent keyring of this ccache keyring */
- key_serial_t ring_id; /* keyring representing ccache */
- key_serial_t princ_id; /* key holding principal info */
- int numkeys; /* # of keys in this ring
- * (does NOT include principal info) */
+ char *name; /* Name for this credentials cache */
+ k5_cc_mutex lock; /* synchronization */
+ key_serial_t parent_id; /* parent keyring of this ccache keyring */
+ key_serial_t ring_id; /* keyring representing ccache */
+ key_serial_t princ_id; /* key holding principal info */
+ int numkeys; /* # of keys in this ring
+ * (does NOT include principal info) */
krb5_timestamp changetime;
} krb5_krcc_data;
@@ -203,154 +204,154 @@ k5_cc_mutex krb5int_krcc_mutex = K5_CC_MUTEX_PARTIAL_INITIALIZER;
extern const krb5_cc_ops krb5_krcc_ops;
static const char *KRB5_CALLCONV krb5_krcc_get_name
- (krb5_context, krb5_ccache id);
+(krb5_context, krb5_ccache id);
static krb5_error_code KRB5_CALLCONV krb5_krcc_resolve
- (krb5_context, krb5_ccache * id, const char *residual);
+(krb5_context, krb5_ccache * id, const char *residual);
static krb5_error_code KRB5_CALLCONV krb5_krcc_generate_new
- (krb5_context, krb5_ccache * id);
+(krb5_context, krb5_ccache * id);
static krb5_error_code KRB5_CALLCONV krb5_krcc_initialize
- (krb5_context, krb5_ccache id, krb5_principal princ);
+(krb5_context, krb5_ccache id, krb5_principal princ);
static krb5_error_code KRB5_CALLCONV krb5_krcc_destroy
- (krb5_context, krb5_ccache id);
+(krb5_context, krb5_ccache id);
static krb5_error_code KRB5_CALLCONV krb5_krcc_close
- (krb5_context, krb5_ccache id);
+(krb5_context, krb5_ccache id);
static krb5_error_code KRB5_CALLCONV krb5_krcc_store
- (krb5_context, krb5_ccache id, krb5_creds * creds);
+(krb5_context, krb5_ccache id, krb5_creds * creds);
static krb5_error_code KRB5_CALLCONV krb5_krcc_retrieve
- (krb5_context, krb5_ccache id, krb5_flags whichfields,
- krb5_creds * mcreds, krb5_creds * creds);
+(krb5_context, krb5_ccache id, krb5_flags whichfields,
+ krb5_creds * mcreds, krb5_creds * creds);
static krb5_error_code KRB5_CALLCONV krb5_krcc_get_principal
- (krb5_context, krb5_ccache id, krb5_principal * princ);
+(krb5_context, krb5_ccache id, krb5_principal * princ);
static krb5_error_code KRB5_CALLCONV krb5_krcc_start_seq_get
- (krb5_context, krb5_ccache id, krb5_cc_cursor * cursor);
+(krb5_context, krb5_ccache id, krb5_cc_cursor * cursor);
static krb5_error_code KRB5_CALLCONV krb5_krcc_next_cred
- (krb5_context, krb5_ccache id, krb5_cc_cursor * cursor,
- krb5_creds * creds);
+(krb5_context, krb5_ccache id, krb5_cc_cursor * cursor,
+ krb5_creds * creds);
static krb5_error_code KRB5_CALLCONV krb5_krcc_end_seq_get
- (krb5_context, krb5_ccache id, krb5_cc_cursor * cursor);
+(krb5_context, krb5_ccache id, krb5_cc_cursor * cursor);
static krb5_error_code KRB5_CALLCONV krb5_krcc_remove_cred
- (krb5_context context, krb5_ccache cache, krb5_flags flags,
- krb5_creds * creds);
+(krb5_context context, krb5_ccache cache, krb5_flags flags,
+ krb5_creds * creds);
static krb5_error_code KRB5_CALLCONV krb5_krcc_set_flags
- (krb5_context, krb5_ccache id, krb5_flags flags);
+(krb5_context, krb5_ccache id, krb5_flags flags);
static krb5_error_code KRB5_CALLCONV krb5_krcc_get_flags
- (krb5_context context, krb5_ccache id, krb5_flags * flags);
+(krb5_context context, krb5_ccache id, krb5_flags * flags);
static krb5_error_code KRB5_CALLCONV krb5_krcc_last_change_time
- (krb5_context, krb5_ccache, krb5_timestamp *);
+(krb5_context, krb5_ccache, krb5_timestamp *);
static krb5_error_code KRB5_CALLCONV krb5_krcc_lock
- (krb5_context context, krb5_ccache id);
+(krb5_context context, krb5_ccache id);
static krb5_error_code KRB5_CALLCONV krb5_krcc_unlock
- (krb5_context context, krb5_ccache id);
+(krb5_context context, krb5_ccache id);
/*
* Internal utility functions
*/
static krb5_error_code krb5_krcc_clearcache
- (krb5_context context, krb5_ccache id);
+(krb5_context context, krb5_ccache id);
static krb5_error_code krb5_krcc_new_data
- (const char *, key_serial_t ring, key_serial_t parent_ring,
- krb5_krcc_data **);
+(const char *, key_serial_t ring, key_serial_t parent_ring,
+ krb5_krcc_data **);
static krb5_error_code krb5_krcc_save_principal
- (krb5_context context, krb5_ccache id, krb5_principal princ);
+(krb5_context context, krb5_ccache id, krb5_principal princ);
static krb5_error_code krb5_krcc_retrieve_principal
- (krb5_context context, krb5_ccache id, krb5_principal * princ);
+(krb5_context context, krb5_ccache id, krb5_principal * princ);
static int krb5_krcc_get_ring_ids(krb5_krcc_ring_ids_t *p);
/* Routines to parse a key from a keyring into a cred structure */
static krb5_error_code krb5_krcc_parse
- (krb5_context, krb5_ccache id, krb5_pointer buf, unsigned int len,
- krb5_krcc_bc * bc);
+(krb5_context, krb5_ccache id, krb5_pointer buf, unsigned int len,
+ krb5_krcc_bc * bc);
static krb5_error_code krb5_krcc_parse_cred
- (krb5_context context, krb5_ccache id, krb5_creds * creds,
- char *payload, int psize);
+(krb5_context context, krb5_ccache id, krb5_creds * creds,
+ char *payload, int psize);
static krb5_error_code krb5_krcc_parse_principal
- (krb5_context context, krb5_ccache id, krb5_principal * princ,
- krb5_krcc_bc * bc);
+(krb5_context context, krb5_ccache id, krb5_principal * princ,
+ krb5_krcc_bc * bc);
static krb5_error_code krb5_krcc_parse_keyblock
- (krb5_context context, krb5_ccache id, krb5_keyblock * keyblock,
- krb5_krcc_bc * bc);
+(krb5_context context, krb5_ccache id, krb5_keyblock * keyblock,
+ krb5_krcc_bc * bc);
static krb5_error_code krb5_krcc_parse_times
- (krb5_context context, krb5_ccache id, krb5_ticket_times * t,
- krb5_krcc_bc * bc);
+(krb5_context context, krb5_ccache id, krb5_ticket_times * t,
+ krb5_krcc_bc * bc);
static krb5_error_code krb5_krcc_parse_krb5data
- (krb5_context context, krb5_ccache id, krb5_data * data,
- krb5_krcc_bc * bc);
+(krb5_context context, krb5_ccache id, krb5_data * data,
+ krb5_krcc_bc * bc);
static krb5_error_code krb5_krcc_parse_int32
- (krb5_context context, krb5_ccache id, krb5_int32 * i, krb5_krcc_bc * bc);
+(krb5_context context, krb5_ccache id, krb5_int32 * i, krb5_krcc_bc * bc);
static krb5_error_code krb5_krcc_parse_octet
- (krb5_context context, krb5_ccache id, krb5_octet * octet,
- krb5_krcc_bc * bc);
+(krb5_context context, krb5_ccache id, krb5_octet * octet,
+ krb5_krcc_bc * bc);
static krb5_error_code krb5_krcc_parse_addrs
- (krb5_context context, krb5_ccache id, krb5_address *** a,
- krb5_krcc_bc * bc);
+(krb5_context context, krb5_ccache id, krb5_address *** a,
+ krb5_krcc_bc * bc);
static krb5_error_code krb5_krcc_parse_addr
- (krb5_context context, krb5_ccache id, krb5_address * a,
- krb5_krcc_bc * bc);
+(krb5_context context, krb5_ccache id, krb5_address * a,
+ krb5_krcc_bc * bc);
static krb5_error_code krb5_krcc_parse_authdata
- (krb5_context context, krb5_ccache id, krb5_authdata *** ad,
- krb5_krcc_bc * bc);
+(krb5_context context, krb5_ccache id, krb5_authdata *** ad,
+ krb5_krcc_bc * bc);
static krb5_error_code krb5_krcc_parse_authdatum
- (krb5_context context, krb5_ccache id, krb5_authdata * ad,
- krb5_krcc_bc * bc);
+(krb5_context context, krb5_ccache id, krb5_authdata * ad,
+ krb5_krcc_bc * bc);
static krb5_error_code krb5_krcc_parse_ui_2
- (krb5_context, krb5_ccache id, krb5_ui_2 * i, krb5_krcc_bc * bc);
+(krb5_context, krb5_ccache id, krb5_ui_2 * i, krb5_krcc_bc * bc);
/* Routines to unparse a cred structure into keyring key */
static krb5_error_code krb5_krcc_unparse
- (krb5_context, krb5_ccache id, krb5_pointer buf, unsigned int len,
- krb5_krcc_bc * bc);
+(krb5_context, krb5_ccache id, krb5_pointer buf, unsigned int len,
+ krb5_krcc_bc * bc);
static krb5_error_code krb5_krcc_unparse_cred
- (krb5_context context, krb5_ccache id, krb5_creds * creds,
- char **datapp, unsigned int *lenptr);
+(krb5_context context, krb5_ccache id, krb5_creds * creds,
+ char **datapp, unsigned int *lenptr);
static krb5_error_code krb5_krcc_unparse_principal
- (krb5_context, krb5_ccache id, krb5_principal princ, krb5_krcc_bc * bc);
+(krb5_context, krb5_ccache id, krb5_principal princ, krb5_krcc_bc * bc);
static krb5_error_code krb5_krcc_unparse_keyblock
- (krb5_context, krb5_ccache id, krb5_keyblock * keyblock,
- krb5_krcc_bc * bc);
+(krb5_context, krb5_ccache id, krb5_keyblock * keyblock,
+ krb5_krcc_bc * bc);
static krb5_error_code krb5_krcc_unparse_times
- (krb5_context, krb5_ccache id, krb5_ticket_times * t, krb5_krcc_bc * bc);
+(krb5_context, krb5_ccache id, krb5_ticket_times * t, krb5_krcc_bc * bc);
static krb5_error_code krb5_krcc_unparse_krb5data
- (krb5_context, krb5_ccache id, krb5_data * data, krb5_krcc_bc * bc);
+(krb5_context, krb5_ccache id, krb5_data * data, krb5_krcc_bc * bc);
static krb5_error_code krb5_krcc_unparse_int32
- (krb5_context, krb5_ccache id, krb5_int32 i, krb5_krcc_bc * bc);
+(krb5_context, krb5_ccache id, krb5_int32 i, krb5_krcc_bc * bc);
static krb5_error_code krb5_krcc_unparse_octet
- (krb5_context, krb5_ccache id, krb5_int32 i, krb5_krcc_bc * bc);
+(krb5_context, krb5_ccache id, krb5_int32 i, krb5_krcc_bc * bc);
static krb5_error_code krb5_krcc_unparse_addrs
- (krb5_context, krb5_ccache, krb5_address ** a, krb5_krcc_bc * bc);
+(krb5_context, krb5_ccache, krb5_address ** a, krb5_krcc_bc * bc);
static krb5_error_code krb5_krcc_unparse_addr
- (krb5_context, krb5_ccache, krb5_address * a, krb5_krcc_bc * bc);
+(krb5_context, krb5_ccache, krb5_address * a, krb5_krcc_bc * bc);
static krb5_error_code krb5_krcc_unparse_authdata
- (krb5_context, krb5_ccache, krb5_authdata ** ad, krb5_krcc_bc * bc);
+(krb5_context, krb5_ccache, krb5_authdata ** ad, krb5_krcc_bc * bc);
static krb5_error_code krb5_krcc_unparse_authdatum
- (krb5_context, krb5_ccache, krb5_authdata * ad, krb5_krcc_bc * bc);
+(krb5_context, krb5_ccache, krb5_authdata * ad, krb5_krcc_bc * bc);
static krb5_error_code krb5_krcc_unparse_ui_4
- (krb5_context, krb5_ccache id, krb5_ui_4 i, krb5_krcc_bc * bc);
+(krb5_context, krb5_ccache id, krb5_ui_4 i, krb5_krcc_bc * bc);
static krb5_error_code krb5_krcc_unparse_ui_2
- (krb5_context, krb5_ccache id, krb5_int32 i, krb5_krcc_bc * bc);
+(krb5_context, krb5_ccache id, krb5_int32 i, krb5_krcc_bc * bc);
static void krb5_krcc_update_change_time
- (krb5_krcc_data *);
+(krb5_krcc_data *);
/* Note the following is a stub function for Linux */
extern krb5_error_code krb5_change_cache(void);
@@ -363,12 +364,12 @@ static int KRB5_CALLCONV
krb5_krcc_getkeycount(key_serial_t cred_ring)
{
int res, nkeys;
-
+
res = keyctl_read(cred_ring, NULL, 0);
if (res > 0)
- nkeys = (res / sizeof(key_serial_t)) - 1;
+ nkeys = (res / sizeof(key_serial_t)) - 1;
else
- nkeys = 0;
+ nkeys = 0;
return(nkeys);
}
@@ -387,7 +388,7 @@ krb5_krcc_getkeycount(key_serial_t cred_ring)
static krb5_error_code KRB5_CALLCONV
krb5_krcc_initialize(krb5_context context, krb5_ccache id,
- krb5_principal princ)
+ krb5_principal princ)
{
krb5_error_code kret;
@@ -395,15 +396,15 @@ krb5_krcc_initialize(krb5_context context, krb5_ccache id,
kret = k5_cc_mutex_lock(context, &((krb5_krcc_data *) id->data)->lock);
if (kret)
- return kret;
+ return kret;
kret = krb5_krcc_clearcache(context, id);
if (kret != KRB5_OK)
- goto out;
+ goto out;
kret = krb5_krcc_save_principal(context, id, princ);
if (kret == KRB5_OK)
- krb5_change_cache();
+ krb5_change_cache();
out:
k5_cc_mutex_unlock(context, &((krb5_krcc_data *) id->data)->lock);
@@ -462,11 +463,11 @@ krb5_krcc_clearcache(krb5_context context, krb5_ccache id)
d = (krb5_krcc_data *) id->data;
DEBUG_PRINT(("krb5_krcc_clearcache: ring_id %d, princ_id %d, "
- "numkeys is %d\n", d->ring_id, d->princ_id, d->numkeys));
+ "numkeys is %d\n", d->ring_id, d->princ_id, d->numkeys));
res = keyctl_clear(d->ring_id);
if (res != 0) {
- return errno;
+ return errno;
}
d->numkeys = 0;
d->princ_id = 0;
@@ -495,16 +496,16 @@ krb5_krcc_destroy(krb5_context context, krb5_ccache id)
kret = k5_cc_mutex_lock(context, &d->lock);
if (kret)
- return kret;
+ return kret;
krb5_krcc_clearcache(context, id);
free(d->name);
res = keyctl_unlink(d->ring_id, d->parent_id);
if (res < 0) {
- kret = errno;
- DEBUG_PRINT(("krb5_krcc_destroy: unlinking key %d from ring %d: %s",
- d->ring_id, d->parent_id, error_message(errno)));
- goto cleanup;
+ kret = errno;
+ DEBUG_PRINT(("krb5_krcc_destroy: unlinking key %d from ring %d: %s",
+ d->ring_id, d->parent_id, error_message(errno)));
+ goto cleanup;
}
cleanup:
k5_cc_mutex_unlock(context, &d->lock);
@@ -553,28 +554,28 @@ krb5_krcc_resolve(krb5_context context, krb5_ccache * id, const char *full_resid
const char *residual;
DEBUG_PRINT(("krb5_krcc_resolve: entered with name '%s'\n",
- full_residual));
+ full_residual));
res = krb5_krcc_get_ring_ids(&ids);
if (res) {
- kret = EINVAL;
- DEBUG_PRINT(("krb5_krcc_resolve: Error getting ring id values!\n"));
- return kret;
+ kret = EINVAL;
+ DEBUG_PRINT(("krb5_krcc_resolve: Error getting ring id values!\n"));
+ return kret;
}
if (strncmp(full_residual, "thread:", 7) == 0) {
- residual = full_residual + 7;
- ring_id = ids.thread;
+ residual = full_residual + 7;
+ ring_id = ids.thread;
} else if (strncmp(full_residual, "process:", 8) == 0) {
- residual = full_residual + 8;
- ring_id = ids.process;
+ residual = full_residual + 8;
+ ring_id = ids.process;
} else {
- residual = full_residual;
- ring_id = ids.session;
+ residual = full_residual;
+ ring_id = ids.session;
}
DEBUG_PRINT(("krb5_krcc_resolve: searching ring %d for residual '%s'\n",
- ring_id, residual));
+ ring_id, residual));
/*
* Use keyctl_search instead of request_key. If we're supposed
@@ -587,46 +588,46 @@ krb5_krcc_resolve(krb5_context context, krb5_ccache * id, const char *full_resid
*/
key = keyctl_search(ring_id, KRCC_KEY_TYPE_KEYRING, residual, 0);
if (key < 0) {
- key = add_key(KRCC_KEY_TYPE_KEYRING, residual, NULL, 0, ring_id);
- if (key < 0) {
- kret = errno;
- DEBUG_PRINT(("krb5_krcc_resolve: Error adding new "
- "keyring '%s': %s\n", residual, strerror(errno)));
- return kret;
- }
- DEBUG_PRINT(("krb5_krcc_resolve: new keyring '%s', "
- "key %d, added to keyring %d\n",
- residual, key, ring_id));
+ key = add_key(KRCC_KEY_TYPE_KEYRING, residual, NULL, 0, ring_id);
+ if (key < 0) {
+ kret = errno;
+ DEBUG_PRINT(("krb5_krcc_resolve: Error adding new "
+ "keyring '%s': %s\n", residual, strerror(errno)));
+ return kret;
+ }
+ DEBUG_PRINT(("krb5_krcc_resolve: new keyring '%s', "
+ "key %d, added to keyring %d\n",
+ residual, key, ring_id));
} else {
- DEBUG_PRINT(("krb5_krcc_resolve: found existing "
- "key %d, with name '%s' in keyring %d\n",
- key, residual, ring_id));
- /* Determine key containing principal information */
- pkey = keyctl_search(key, KRCC_KEY_TYPE_USER,
- KRCC_SPEC_PRINC_KEYNAME, 0);
- if (pkey < 0) {
- DEBUG_PRINT(("krb5_krcc_resolve: Error locating principal "
- "info for existing ccache in ring %d: %s\n",
- key, strerror(errno)));
- pkey = 0;
- }
- /* Determine how many keys exist */
- nkeys = krb5_krcc_getkeycount(key);
+ DEBUG_PRINT(("krb5_krcc_resolve: found existing "
+ "key %d, with name '%s' in keyring %d\n",
+ key, residual, ring_id));
+ /* Determine key containing principal information */
+ pkey = keyctl_search(key, KRCC_KEY_TYPE_USER,
+ KRCC_SPEC_PRINC_KEYNAME, 0);
+ if (pkey < 0) {
+ DEBUG_PRINT(("krb5_krcc_resolve: Error locating principal "
+ "info for existing ccache in ring %d: %s\n",
+ key, strerror(errno)));
+ pkey = 0;
+ }
+ /* Determine how many keys exist */
+ nkeys = krb5_krcc_getkeycount(key);
}
lid = (krb5_ccache) malloc(sizeof(struct _krb5_ccache));
if (lid == NULL)
- return KRB5_CC_NOMEM;
+ return KRB5_CC_NOMEM;
kret = krb5_krcc_new_data(residual, key, ring_id, &d);
if (kret) {
- free(lid);
- return kret;
+ free(lid);
+ return kret;
}
DEBUG_PRINT(("krb5_krcc_resolve: ring_id %d, princ_id %d, "
- "nkeys %d\n", key, pkey, nkeys));
+ "nkeys %d\n", key, pkey, nkeys));
d->princ_id = pkey;
d->numkeys = nkeys;
lid->ops = &krb5_krcc_ops;
@@ -651,7 +652,7 @@ krb5_krcc_resolve(krb5_context context, krb5_ccache * id, const char *full_resid
*/
static krb5_error_code KRB5_CALLCONV
krb5_krcc_start_seq_get(krb5_context context, krb5_ccache id,
- krb5_cc_cursor * cursor)
+ krb5_cc_cursor * cursor)
{
krb5_krcc_cursor krcursor;
krb5_error_code kret;
@@ -664,7 +665,7 @@ krb5_krcc_start_seq_get(krb5_context context, krb5_ccache id,
d = id->data;
kret = k5_cc_mutex_lock(context, &d->lock);
if (kret)
- return kret;
+ return kret;
/*
* Determine how many keys currently exist and update numkeys.
@@ -677,19 +678,19 @@ krb5_krcc_start_seq_get(krb5_context context, krb5_ccache id,
krcursor = (krb5_krcc_cursor) malloc(size);
if (krcursor == NULL) {
- k5_cc_mutex_unlock(context, &d->lock);
- return KRB5_CC_NOMEM;
+ k5_cc_mutex_unlock(context, &d->lock);
+ return KRB5_CC_NOMEM;
}
krcursor->keys = (key_serial_t *) ((char *) krcursor + sizeof(*krcursor));
res = keyctl_read(d->ring_id, (char *) krcursor->keys,
- ((d->numkeys + 1) * sizeof(key_serial_t)));
+ ((d->numkeys + 1) * sizeof(key_serial_t)));
if (res < 0 || res > ((d->numkeys + 1) * sizeof(key_serial_t))) {
- DEBUG_PRINT(("Read %d bytes from keyring, numkeys %d: %s\n",
- res, d->numkeys, strerror(errno)));
- free(krcursor);
- k5_cc_mutex_unlock(context, &d->lock);
- return KRB5_CC_IO;
+ DEBUG_PRINT(("Read %d bytes from keyring, numkeys %d: %s\n",
+ res, d->numkeys, strerror(errno)));
+ free(krcursor);
+ k5_cc_mutex_unlock(context, &d->lock);
+ return KRB5_CC_IO;
}
krcursor->numkeys = d->numkeys;
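Review bot: The check after keyctl_read() rejects a negative or oversized result but accepts a short one, and `krcursor->numkeys = d->numkeys` then lets krb5_krcc_next_cred() index entries of the malloc'd keys array that the read never filled. The keyring can presumably change between the count taken earlier in the function and this read, since d->lock appears to be an in-process mutex. Deriving the cursor bound from `res` (the number of `key_serial_t` entries actually returned) would keep iteration inside the data that was read. The size computation and the rest of the function lie outside this hunk.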
@@ -723,7 +724,7 @@ krb5_krcc_start_seq_get(krb5_context context, krb5_ccache id,
*/
static krb5_error_code KRB5_CALLCONV
krb5_krcc_next_cred(krb5_context context, krb5_ccache id,
- krb5_cc_cursor * cursor, krb5_creds * creds)
+ krb5_cc_cursor * cursor, krb5_creds * creds)
{
krb5_krcc_cursor krcursor;
krb5_error_code kret;
@@ -738,35 +739,35 @@ krb5_krcc_next_cred(krb5_context context, krb5_ccache id,
*/
krcursor = (krb5_krcc_cursor) * cursor;
if (krcursor == NULL)
- return KRB5_CC_END;
+ return KRB5_CC_END;
memset(creds, 0, sizeof(krb5_creds));
/* If we're pointing past the end of the keys array, there are no more */
if (krcursor->currkey > krcursor->numkeys)
- return KRB5_CC_END;
+ return KRB5_CC_END;
/* If we're pointing at the entry with the principal, skip it */
if (krcursor->keys[krcursor->currkey] == krcursor->princ_id) {
- krcursor->currkey++;
- /* Check if we have now reached the end */
- if (krcursor->currkey > krcursor->numkeys)
- return KRB5_CC_END;
+ krcursor->currkey++;
+ /* Check if we have now reached the end */
+ if (krcursor->currkey > krcursor->numkeys)
+ return KRB5_CC_END;
}
/* Read the key, the right size buffer will ba allocated and returned */
psize = keyctl_read_alloc(krcursor->keys[krcursor->currkey], &payload);
if (psize == -1) {
- DEBUG_PRINT(("Error reading key %d: %s\n",
- krcursor->keys[krcursor->currkey],
- strerror(errno)));
- kret = KRB5_FCC_NOFILE;
- goto freepayload;
+ DEBUG_PRINT(("Error reading key %d: %s\n",
+ krcursor->keys[krcursor->currkey],
+ strerror(errno)));
+ kret = KRB5_FCC_NOFILE;
+ goto freepayload;
}
krcursor->currkey++;
kret = krb5_krcc_parse_cred(context, id, creds, payload, psize);
- freepayload:
+freepayload:
if (payload) free(payload);
return kret;
}
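Review bot: `if (payload) free(payload);` at freepayload releases the buffer that keyctl_read_alloc() filled with a serialized credential without clearing it first, so session key and ticket bytes stay in freed heap memory. Wiping `psize` bytes when `psize > 0` before the free, with a routine the compiler cannot elide, would be consistent with the memset of `creds->ticket.data` in krb5_krcc_parse_cred(). The same applies to `free(payload)` under errout in krb5_krcc_store() and to `free(creds->keyblock.contents)` under cleanblock in krb5_krcc_parse_cred(), both in later hunks. The initial value of payload is set outside this hunk.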
@@ -786,7 +787,7 @@ krb5_krcc_next_cred(krb5_context context, krb5_ccache id,
/* ARGSUSED */
static krb5_error_code KRB5_CALLCONV
krb5_krcc_end_seq_get(krb5_context context, krb5_ccache id,
- krb5_cc_cursor * cursor)
+ krb5_cc_cursor * cursor)
{
DEBUG_PRINT(("krb5_krcc_end_seq_get: entered\n"));
@@ -800,26 +801,26 @@ krb5_krcc_end_seq_get(krb5_context context, krb5_ccache id,
Call with the global list lock held. */
static krb5_error_code
krb5_krcc_new_data(const char *name, key_serial_t ring,
- key_serial_t parent_ring, krb5_krcc_data ** datapp)
+ key_serial_t parent_ring, krb5_krcc_data ** datapp)
{
krb5_error_code kret;
krb5_krcc_data *d;
d = malloc(sizeof(krb5_krcc_data));
if (d == NULL)
- return KRB5_CC_NOMEM;
+ return KRB5_CC_NOMEM;
kret = k5_cc_mutex_init(&d->lock);
if (kret) {
- free(d);
- return kret;
+ free(d);
+ return kret;
}
d->name = strdup(name);
if (d->name == NULL) {
- k5_cc_mutex_destroy(&d->lock);
- free(d);
- return KRB5_CC_NOMEM;
+ k5_cc_mutex_destroy(&d->lock);
+ free(d);
+ return KRB5_CC_NOMEM;
}
d->princ_id = 0;
d->ring_id = ring;
@@ -859,14 +860,14 @@ krb5_krcc_generate_new(krb5_context context, krb5_ccache * id)
/* Allocate memory */
lid = (krb5_ccache) malloc(sizeof(struct _krb5_ccache));
if (lid == NULL)
- return KRB5_CC_NOMEM;
+ return KRB5_CC_NOMEM;
lid->ops = &krb5_krcc_ops;
kret = k5_cc_mutex_lock(context, &krb5int_krcc_mutex);
if (kret) {
- free(lid);
- return kret;
+ free(lid);
+ return kret;
}
/* XXX These values are platform-specific and should not be here! */
@@ -889,36 +890,36 @@ krb5_krcc_generate_new(krb5_context context, krb5_ccache * id)
* a unique name, or we get an error.
*/
while (1) {
- kret = krb5int_random_string(context, uniquename, sizeof(uniquename));
+ kret = krb5int_random_string(context, uniquename, sizeof(uniquename));
if (kret) {
k5_cc_mutex_unlock(context, &krb5int_krcc_mutex);
free(lid);
return kret;
- }
-
- DEBUG_PRINT(("krb5_krcc_generate_new: searching for name '%s'\n",
- uniquename));
- key = keyctl_search(ring_id, KRCC_KEY_TYPE_KEYRING, uniquename, 0);
-/*XXX*/ DEBUG_PRINT(("krb5_krcc_generate_new: after searching for '%s', key = %d, errno = %d\n", uniquename, key, errno));
- if (key < 0 && errno == ENOKEY) {
- /* name does not already exist, create it to reserve the name */
- key = add_key(KRCC_KEY_TYPE_KEYRING, uniquename, NULL, 0, ring_id);
- if (key < 0) {
- kret = errno;
- DEBUG_PRINT(("krb5_krcc_generate_new: '%s' trying to "
- "create '%s'\n", strerror(errno), uniquename));
- k5_cc_mutex_unlock(context, &krb5int_krcc_mutex);
- return kret;
- }
- break;
- }
+ }
+
+ DEBUG_PRINT(("krb5_krcc_generate_new: searching for name '%s'\n",
+ uniquename));
+ key = keyctl_search(ring_id, KRCC_KEY_TYPE_KEYRING, uniquename, 0);
+ /*XXX*/ DEBUG_PRINT(("krb5_krcc_generate_new: after searching for '%s', key = %d, errno = %d\n", uniquename, key, errno));
+ if (key < 0 && errno == ENOKEY) {
+ /* name does not already exist, create it to reserve the name */
+ key = add_key(KRCC_KEY_TYPE_KEYRING, uniquename, NULL, 0, ring_id);
+ if (key < 0) {
+ kret = errno;
+ DEBUG_PRINT(("krb5_krcc_generate_new: '%s' trying to "
+ "create '%s'\n", strerror(errno), uniquename));
+ k5_cc_mutex_unlock(context, &krb5int_krcc_mutex);
+ return kret;
+ }
+ break;
+ }
}
-
+
kret = krb5_krcc_new_data(uniquename, key, ring_id, &d);
k5_cc_mutex_unlock(context, &krb5int_krcc_mutex);
if (kret) {
- free(lid);
- return kret;
+ free(lid);
+ return kret;
}
lid->data = d;
*id = lid;
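Review bot: The add_key() failure path inside the while loop unlocks krb5int_krcc_mutex and returns without freeing lid, unlike the krb5int_random_string() failure path just above it and the krb5_krcc_new_data() failure path below; adding `free(lid);` before that `return kret;` closes the leak. The loop also exits only when keyctl_search() fails with ENOKEY, so any other persistent error would keep generating names with the mutex held; returning errno in that case looks safer. The function starts and ends outside this hunk, so the declarations of key and uniquename are not visible here.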
@@ -955,7 +956,7 @@ krb5_krcc_get_name(krb5_context context, krb5_ccache id)
*/
static krb5_error_code KRB5_CALLCONV
krb5_krcc_get_principal(krb5_context context, krb5_ccache id,
- krb5_principal * princ)
+ krb5_principal * princ)
{
DEBUG_PRINT(("krb5_krcc_get_principal: entered\n"));
@@ -964,13 +965,13 @@ krb5_krcc_get_principal(krb5_context context, krb5_ccache id,
static krb5_error_code KRB5_CALLCONV
krb5_krcc_retrieve(krb5_context context, krb5_ccache id,
- krb5_flags whichfields, krb5_creds * mcreds,
- krb5_creds * creds)
+ krb5_flags whichfields, krb5_creds * mcreds,
+ krb5_creds * creds)
{
DEBUG_PRINT(("krb5_krcc_retrieve: entered\n"));
return krb5_cc_retrieve_cred_default(context, id, whichfields,
- mcreds, creds);
+ mcreds, creds);
}
/*
@@ -981,7 +982,7 @@ krb5_krcc_retrieve(krb5_context context, krb5_ccache id,
*/
static krb5_error_code KRB5_CALLCONV
krb5_krcc_remove_cred(krb5_context context, krb5_ccache cache,
- krb5_flags flags, krb5_creds * creds)
+ krb5_flags flags, krb5_creds * creds)
{
DEBUG_PRINT(("krb5_krcc_remove_cred: entered (returning KRB5_CC_NOSUPP)\n"));
@@ -1031,54 +1032,54 @@ krb5_krcc_store(krb5_context context, krb5_ccache id, krb5_creds * creds)
kret = k5_cc_mutex_lock(context, &d->lock);
if (kret)
- return kret;
+ return kret;
/* Get the service principal name and use it as the key name */
kret = krb5_unparse_name(context, creds->server, &keyname);
if (kret) {
- DEBUG_PRINT(("Error unparsing service principal name!\n"));
- goto errout;
+ DEBUG_PRINT(("Error unparsing service principal name!\n"));
+ goto errout;
}
/* Serialize credential into memory */
kret = krb5_krcc_unparse_cred(context, id, creds, &payload, &payloadlen);
if (kret != KRB5_OK)
- goto errout;
+ goto errout;
/* Add new key (credentials) into keyring */
DEBUG_PRINT(("krb5_krcc_store: adding new key '%s' to keyring %d\n",
- keyname, d->ring_id));
+ keyname, d->ring_id));
newkey = add_key(KRCC_KEY_TYPE_USER, keyname, payload,
- payloadlen, d->ring_id);
+ payloadlen, d->ring_id);
if (newkey < 0) {
- kret = errno;
- DEBUG_PRINT(("Error adding user key '%s': %s\n",
- keyname, strerror(kret)));
+ kret = errno;
+ DEBUG_PRINT(("Error adding user key '%s': %s\n",
+ keyname, strerror(kret)));
} else {
- d->numkeys++;
- kret = KRB5_OK;
- krb5_krcc_update_change_time(d);
+ d->numkeys++;
+ kret = KRB5_OK;
+ krb5_krcc_update_change_time(d);
}
- errout:
+errout:
if (keyname)
- krb5_free_unparsed_name(context, keyname);
+ krb5_free_unparsed_name(context, keyname);
if (payload)
- free(payload);
+ free(payload);
k5_cc_mutex_unlock(context, &d->lock);
return kret;
}
-static krb5_error_code KRB5_CALLCONV
-krb5_krcc_last_change_time(krb5_context context, krb5_ccache id,
- krb5_timestamp *change_time)
+static krb5_error_code KRB5_CALLCONV
+krb5_krcc_last_change_time(krb5_context context, krb5_ccache id,
+ krb5_timestamp *change_time)
{
krb5_error_code ret = 0;
krb5_krcc_data *data = (krb5_krcc_data *) id->data;
-
+
*change_time = 0;
-
+
ret = k5_cc_mutex_lock(context, &data->lock);
if (!ret) {
*change_time = data->changetime;
@@ -1088,7 +1089,7 @@ krb5_krcc_last_change_time(krb5_context context, krb5_ccache id,
return ret;
}
-static krb5_error_code KRB5_CALLCONV
+static krb5_error_code KRB5_CALLCONV
krb5_krcc_lock(krb5_context context, krb5_ccache id)
{
krb5_error_code ret = 0;
@@ -1097,7 +1098,7 @@ krb5_krcc_lock(krb5_context context, krb5_ccache id)
return ret;
}
-static krb5_error_code KRB5_CALLCONV
+static krb5_error_code KRB5_CALLCONV
krb5_krcc_unlock(krb5_context context, krb5_ccache id)
{
krb5_error_code ret = 0;
@@ -1109,7 +1110,7 @@ krb5_krcc_unlock(krb5_context context, krb5_ccache id)
static krb5_error_code
krb5_krcc_save_principal(krb5_context context, krb5_ccache id,
- krb5_principal princ)
+ krb5_principal princ)
{
krb5_krcc_data *d;
krb5_error_code kret;
@@ -1124,7 +1125,7 @@ krb5_krcc_save_principal(krb5_context context, krb5_ccache id,
payload = malloc(GUESS_CRED_SIZE);
if (payload == NULL)
- return KRB5_CC_NOMEM;
+ return KRB5_CC_NOMEM;
bc.bpp = payload;
bc.endp = payload + GUESS_CRED_SIZE;
@@ -1136,36 +1137,36 @@ krb5_krcc_save_principal(krb5_context context, krb5_ccache id,
payloadsize = bc.bpp - payload;
#ifdef KRCC_DEBUG
{
- krb5_error_code rc;
- char *princname = NULL;
- rc = krb5_unparse_name(context, princ, &princname);
- DEBUG_PRINT(("krb5_krcc_save_principal: adding new key '%s' "
- "to keyring %d for principal '%s'\n",
- KRCC_SPEC_PRINC_KEYNAME, d->ring_id,
- rc ? "<unknown>" : princname));
- if (rc == 0)
- krb5_free_unparsed_name(context, princname);
+ krb5_error_code rc;
+ char *princname = NULL;
+ rc = krb5_unparse_name(context, princ, &princname);
+ DEBUG_PRINT(("krb5_krcc_save_principal: adding new key '%s' "
+ "to keyring %d for principal '%s'\n",
+ KRCC_SPEC_PRINC_KEYNAME, d->ring_id,
+ rc ? "<unknown>" : princname));
+ if (rc == 0)
+ krb5_free_unparsed_name(context, princname);
}
#endif
newkey = add_key(KRCC_KEY_TYPE_USER, KRCC_SPEC_PRINC_KEYNAME, payload,
- payloadsize, d->ring_id);
+ payloadsize, d->ring_id);
if (newkey < 0) {
- kret = errno;
- DEBUG_PRINT(("Error adding principal key: %s\n", strerror(kret)));
+ kret = errno;
+ DEBUG_PRINT(("Error adding principal key: %s\n", strerror(kret)));
} else {
- d->princ_id = newkey;
- kret = KRB5_OK;
- krb5_krcc_update_change_time(d);
+ d->princ_id = newkey;
+ kret = KRB5_OK;
+ krb5_krcc_update_change_time(d);
}
- errout:
+errout:
free(payload);
return kret;
}
static krb5_error_code
krb5_krcc_retrieve_principal(krb5_context context, krb5_ccache id,
- krb5_principal * princ)
+ krb5_principal * princ)
{
krb5_krcc_data *d = (krb5_krcc_data *) id->data;
krb5_error_code kret;
@@ -1175,28 +1176,28 @@ krb5_krcc_retrieve_principal(krb5_context context, krb5_ccache id,
kret = k5_cc_mutex_lock(context, &d->lock);
if (kret)
- return kret;
+ return kret;
if (!d->princ_id) {
- princ = 0L;
- kret = KRB5_FCC_NOFILE;
- goto errout;
+ princ = 0L;
+ kret = KRB5_FCC_NOFILE;
+ goto errout;
}
psize = keyctl_read_alloc(d->princ_id, &payload);
if (psize == -1) {
- DEBUG_PRINT(("Reading principal key %d: %s\n",
- d->princ_id, strerror(errno)));
- kret = KRB5_CC_IO;
- goto errout;
+ DEBUG_PRINT(("Reading principal key %d: %s\n",
+ d->princ_id, strerror(errno)));
+ kret = KRB5_CC_IO;
+ goto errout;
}
bc.bpp = payload;
bc.endp = (char *)payload + psize;
kret = krb5_krcc_parse_principal(context, id, princ, &bc);
- errout:
+errout:
if (payload)
- free(payload);
+ free(payload);
k5_cc_mutex_unlock(context, &d->lock);
return kret;
}
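Review bot: `princ = 0L;` in the `!d->princ_id` branch assigns the local parameter rather than the caller's pointer, so the caller's `*princ` keeps whatever value it had when KRB5_FCC_NOFILE is returned. If the intent was to hand back a null principal, the line should be `*princ = NULL;`. The errout path also relies on payload having been initialised to NULL before this hunk, which is not visible here.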
@@ -1212,7 +1213,7 @@ krb5_krcc_get_ring_ids(krb5_krcc_ring_ids_t *p)
DEBUG_PRINT(("krb5_krcc_get_ring_ids: entered\n"));
if (!p)
- return EINVAL;
+ return EINVAL;
/* Use the defaults in case we find no ids key */
p->session = KEY_SPEC_SESSION_KEYRING;
@@ -1226,29 +1227,29 @@ krb5_krcc_get_ring_ids(krb5_krcc_ring_ids_t *p)
*/
ids_key = request_key(KRCC_KEY_TYPE_USER, KRCC_SPEC_IDS_KEYNAME, NULL, 0);
if (ids_key < 0)
- goto out;
+ goto out;
DEBUG_PRINT(("krb5_krcc_get_ring_ids: processing '%s' key %d\n",
- KRCC_SPEC_IDS_KEYNAME, ids_key));
+ KRCC_SPEC_IDS_KEYNAME, ids_key));
/*
* Read and parse the ids file
*/
memset(ids_buf, '\0', sizeof(ids_buf));
val = keyctl_read(ids_key, ids_buf, sizeof(ids_buf));
if (val > sizeof(ids_buf))
- goto out;
+ goto out;
val = sscanf(ids_buf, "%d:%d:%d", &session, &process, &thread);
if (val != 3)
- goto out;
+ goto out;
p->session = session;
p->process = process;
p->thread = thread;
- out:
+out:
DEBUG_PRINT(("krb5_krcc_get_ring_ids: returning %d:%d:%d\n",
- p->session, p->process, p->thread));
+ p->session, p->process, p->thread));
return 0;
}
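Review bot: The bound check after keyctl_read() is `val > sizeof(ids_buf)`, so a key payload that exactly fills ids_buf passes and sscanf() then parses a buffer with no terminating NUL left over from the memset. Reading at most `sizeof(ids_buf) - 1` bytes, or rejecting with `if (val < 0 || (size_t)val >= sizeof(ids_buf)) goto out;`, keeps the parse inside the buffer. The declarations of val and ids_buf are outside the hunk; if val is signed, a -1 error return currently reaches `out` only through the conversion to size_t in that comparison, which is worth making explicit.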
@@ -1273,12 +1274,12 @@ krb5_krcc_get_ring_ids(krb5_krcc_ring_ids_t *p)
*/
static krb5_error_code
krb5_krcc_parse(krb5_context context, krb5_ccache id, krb5_pointer buf,
- unsigned int len, krb5_krcc_bc * bc)
+ unsigned int len, krb5_krcc_bc * bc)
{
DEBUG_PRINT(("krb5_krcc_parse: entered\n"));
if ((bc->endp == bc->bpp) || (bc->endp - bc->bpp) < len)
- return KRB5_CC_END;
+ return KRB5_CC_END;
memcpy(buf, bc->bpp, len);
bc->bpp += len;
@@ -1292,7 +1293,7 @@ krb5_krcc_parse(krb5_context context, krb5_ccache id, krb5_pointer buf,
*/
static krb5_error_code
krb5_krcc_parse_cred(krb5_context context, krb5_ccache id, krb5_creds * creds,
- char *payload, int psize)
+ char *payload, int psize)
{
krb5_error_code kret;
krb5_octet octet;
@@ -1337,27 +1338,27 @@ krb5_krcc_parse_cred(krb5_context context, krb5_ccache id, krb5_creds * creds,
kret = KRB5_OK;
goto out;
- cleanticket:
+cleanticket:
memset(creds->ticket.data, 0, (unsigned) creds->ticket.length);
free(creds->ticket.data);
- cleanauthdata:
+cleanauthdata:
krb5_free_authdata(context, creds->authdata);
- cleanaddrs:
+cleanaddrs:
krb5_free_addresses(context, creds->addresses);
- cleanblock:
+cleanblock:
free(creds->keyblock.contents);
- cleanserver:
+cleanserver:
krb5_free_principal(context, creds->server);
- cleanclient:
+cleanclient:
krb5_free_principal(context, creds->client);
- out:
+out:
return kret;
}
static krb5_error_code
krb5_krcc_parse_principal(krb5_context context, krb5_ccache id,
- krb5_principal * princ, krb5_krcc_bc * bc)
+ krb5_principal * princ, krb5_krcc_bc * bc)
{
krb5_error_code kret;
register krb5_principal tmpprinc;
@@ -1367,53 +1368,53 @@ krb5_krcc_parse_principal(krb5_context context, krb5_ccache id,
/* Read principal type */
kret = krb5_krcc_parse_int32(context, id, &type, bc);
if (kret != KRB5_OK)
- return kret;
+ return kret;
/* Read the number of components */
kret = krb5_krcc_parse_int32(context, id, &length, bc);
if (kret != KRB5_OK)
- return kret;
+ return kret;
if (length < 0)
- return KRB5_CC_NOMEM;
+ return KRB5_CC_NOMEM;
tmpprinc = (krb5_principal) malloc(sizeof(krb5_principal_data));
if (tmpprinc == NULL)
- return KRB5_CC_NOMEM;
+ return KRB5_CC_NOMEM;
if (length) {
- size_t msize = length;
- if (msize != length) {
- free(tmpprinc);
- return KRB5_CC_NOMEM;
- }
- tmpprinc->data = ALLOC(msize, krb5_data);
- if (tmpprinc->data == 0) {
- free(tmpprinc);
- return KRB5_CC_NOMEM;
- }
+ size_t msize = length;
+ if (msize != length) {
+ free(tmpprinc);
+ return KRB5_CC_NOMEM;
+ }
+ tmpprinc->data = ALLOC(msize, krb5_data);
+ if (tmpprinc->data == 0) {
+ free(tmpprinc);
+ return KRB5_CC_NOMEM;
+ }
} else
- tmpprinc->data = 0;
+ tmpprinc->data = 0;
tmpprinc->magic = KV5M_PRINCIPAL;
tmpprinc->length = length;
tmpprinc->type = type;
kret = krb5_krcc_parse_krb5data(context, id,
- krb5_princ_realm(context, tmpprinc), bc);
+ krb5_princ_realm(context, tmpprinc), bc);
i = 0;
CHECK(kret);
for (i = 0; i < length; i++) {
- kret = krb5_krcc_parse_krb5data(context, id,
- krb5_princ_component(context, tmpprinc,
- i), bc);
- CHECK(kret);
+ kret = krb5_krcc_parse_krb5data(context, id,
+ krb5_princ_component(context, tmpprinc,
+ i), bc);
+ CHECK(kret);
}
*princ = tmpprinc;
return KRB5_OK;
- errout:
+errout:
while (--i >= 0)
- free(krb5_princ_component(context, tmpprinc, i)->data);
+ free(krb5_princ_component(context, tmpprinc, i)->data);
free(krb5_princ_realm(context, tmpprinc)->data);
free(tmpprinc->data);
free(tmpprinc);
@@ -1422,7 +1423,7 @@ krb5_krcc_parse_principal(krb5_context context, krb5_ccache id,
static krb5_error_code
krb5_krcc_parse_keyblock(krb5_context context, krb5_ccache id,
- krb5_keyblock * keyblock, krb5_krcc_bc * bc)
+ krb5_keyblock * keyblock, krb5_krcc_bc * bc)
{
krb5_error_code kret;
krb5_ui_2 ui2;
@@ -1438,31 +1439,31 @@ krb5_krcc_parse_keyblock(krb5_context context, krb5_ccache id,
kret = krb5_krcc_parse_int32(context, id, &int32, bc);
CHECK(kret);
if (int32 < 0)
- return KRB5_CC_NOMEM;
+ return KRB5_CC_NOMEM;
keyblock->length = int32;
/* Overflow check. */
if (keyblock->length != int32)
- return KRB5_CC_NOMEM;
+ return KRB5_CC_NOMEM;
if (keyblock->length == 0)
- return KRB5_OK;
+ return KRB5_OK;
keyblock->contents = ALLOC(keyblock->length, krb5_octet);
if (keyblock->contents == NULL)
- return KRB5_CC_NOMEM;
+ return KRB5_CC_NOMEM;
kret = krb5_krcc_parse(context, id, keyblock->contents,
- keyblock->length, bc);
+ keyblock->length, bc);
CHECK(kret);
return KRB5_OK;
- errout:
+errout:
if (keyblock->contents)
- free(keyblock->contents);
+ free(keyblock->contents);
return kret;
}
static krb5_error_code
krb5_krcc_parse_times(krb5_context context, krb5_ccache id,
- krb5_ticket_times * t, krb5_krcc_bc * bc)
+ krb5_ticket_times * t, krb5_krcc_bc * bc)
{
krb5_error_code kret;
krb5_int32 i;
@@ -1484,13 +1485,13 @@ krb5_krcc_parse_times(krb5_context context, krb5_ccache id,
t->renew_till = i;
return 0;
- errout:
+errout:
return kret;
}
static krb5_error_code
krb5_krcc_parse_krb5data(krb5_context context, krb5_ccache id,
- krb5_data * data, krb5_krcc_bc * bc)
+ krb5_data * data, krb5_krcc_bc * bc)
{
krb5_error_code kret;
krb5_int32 len;
@@ -1501,56 +1502,56 @@ krb5_krcc_parse_krb5data(krb5_context context, krb5_ccache id,
kret = krb5_krcc_parse_int32(context, id, &len, bc);
CHECK(kret);
if (len < 0)
- return KRB5_CC_NOMEM;
+ return KRB5_CC_NOMEM;
data->length = len;
if (data->length != len || data->length + 1 == 0)
- return KRB5_CC_NOMEM;
+ return KRB5_CC_NOMEM;
if (data->length == 0) {
- data->data = 0;
- return KRB5_OK;
+ data->data = 0;
+ return KRB5_OK;
}
data->data = (char *) malloc(data->length + 1);
if (data->data == NULL)
- return KRB5_CC_NOMEM;
+ return KRB5_CC_NOMEM;
kret = krb5_krcc_parse(context, id, data->data, (unsigned) data->length,
- bc);
+ bc);
CHECK(kret);
- data->data[data->length] = 0; /* Null terminate, just in case.... */
+ data->data[data->length] = 0; /* Null terminate, just in case.... */
return KRB5_OK;
- errout:
+errout:
if (data->data)
- free(data->data);
+ free(data->data);
return kret;
}
static krb5_error_code
krb5_krcc_parse_int32(krb5_context context, krb5_ccache id, krb5_int32 * i,
- krb5_krcc_bc * bc)
+ krb5_krcc_bc * bc)
{
krb5_error_code kret;
unsigned char buf[4];
kret = krb5_krcc_parse(context, id, buf, 4, bc);
if (kret)
- return kret;
+ return kret;
*i = load_32_be(buf);
return 0;
}
static krb5_error_code
krb5_krcc_parse_octet(krb5_context context, krb5_ccache id, krb5_octet * i,
- krb5_krcc_bc * bc)
+ krb5_krcc_bc * bc)
{
return krb5_krcc_parse(context, id, (krb5_pointer) i, 1, bc);
}
static krb5_error_code
krb5_krcc_parse_addrs(krb5_context context, krb5_ccache id,
- krb5_address *** addrs, krb5_krcc_bc * bc)
+ krb5_address *** addrs, krb5_krcc_bc * bc)
{
krb5_error_code kret;
krb5_int32 length;
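Review bot: The errout path of krb5_krcc_parse_krb5data() frees data->data but leaves the pointer set, and the caller's cleanup frees it again: krb5_krcc_parse_principal()'s errout (earlier hunk) calls `free(krb5_princ_realm(context, tmpprinc)->data)` after a failed realm parse. This assumes CHECK() jumps to errout on a non-zero kret; its definition is not on the page. A truncated key payload would reach this path, so the label should read `free(data->data); data->data = NULL;`. The same pattern appears in the errout blocks of krb5_krcc_parse_addr() and krb5_krcc_parse_authdatum() in later hunks, whose callers go on to call krb5_free_addresses() and krb5_free_authdata() on the same elements.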
@@ -1570,31 +1571,31 @@ krb5_krcc_parse_addrs(krb5_context context, krb5_ccache id,
msize = length;
msize += 1;
if (msize == 0 || msize - 1 != length || length < 0)
- return KRB5_CC_NOMEM;
+ return KRB5_CC_NOMEM;
*addrs = ALLOC(msize, krb5_address *);
if (*addrs == NULL)
- return KRB5_CC_NOMEM;
+ return KRB5_CC_NOMEM;
for (i = 0; i < length; i++) {
- (*addrs)[i] = (krb5_address *) malloc(sizeof(krb5_address));
- if ((*addrs)[i] == NULL) {
- krb5_free_addresses(context, *addrs);
- return KRB5_CC_NOMEM;
- }
- kret = krb5_krcc_parse_addr(context, id, (*addrs)[i], bc);
- CHECK(kret);
+ (*addrs)[i] = (krb5_address *) malloc(sizeof(krb5_address));
+ if ((*addrs)[i] == NULL) {
+ krb5_free_addresses(context, *addrs);
+ return KRB5_CC_NOMEM;
+ }
+ kret = krb5_krcc_parse_addr(context, id, (*addrs)[i], bc);
+ CHECK(kret);
}
return KRB5_OK;
- errout:
+errout:
if (*addrs)
- krb5_free_addresses(context, *addrs);
+ krb5_free_addresses(context, *addrs);
return kret;
}
static krb5_error_code
krb5_krcc_parse_addr(krb5_context context, krb5_ccache id, krb5_address * addr,
- krb5_krcc_bc * bc)
+ krb5_krcc_bc * bc)
{
krb5_error_code kret;
krb5_ui_2 ui2;
@@ -1609,36 +1610,36 @@ krb5_krcc_parse_addr(krb5_context context, krb5_ccache id, krb5_address * addr,
kret = krb5_krcc_parse_int32(context, id, &int32, bc);
CHECK(kret);
- if ((int32 & VALID_INT_BITS) != int32) /* Overflow int??? */
- return KRB5_CC_NOMEM;
+ if ((int32 & VALID_INT_BITS) != int32) /* Overflow int??? */
+ return KRB5_CC_NOMEM;
addr->length = int32;
/*
* Length field is "unsigned int", which may be smaller
* than 32 bits.
*/
if (addr->length != int32)
- return KRB5_CC_NOMEM; /* XXX */
+ return KRB5_CC_NOMEM; /* XXX */
if (addr->length == 0)
- return KRB5_OK;
+ return KRB5_OK;
addr->contents = (krb5_octet *) malloc(addr->length);
if (addr->contents == NULL)
- return KRB5_CC_NOMEM;
+ return KRB5_CC_NOMEM;
kret = krb5_krcc_parse(context, id, addr->contents, addr->length, bc);
CHECK(kret);
return KRB5_OK;
- errout:
+errout:
if (addr->contents)
- free(addr->contents);
+ free(addr->contents);
return kret;
}
static krb5_error_code
krb5_krcc_parse_authdata(krb5_context context, krb5_ccache id,
- krb5_authdata *** a, krb5_krcc_bc * bc)
+ krb5_authdata *** a, krb5_krcc_bc * bc)
{
krb5_error_code kret;
krb5_int32 length;
@@ -1652,7 +1653,7 @@ krb5_krcc_parse_authdata(krb5_context context, krb5_ccache id,
CHECK(kret);
if (length == 0)
- return KRB5_OK;
+ return KRB5_OK;
/*
* Make *a able to hold length pointers to krb5_authdata structs
@@ -1661,34 +1662,34 @@ krb5_krcc_parse_authdata(krb5_context context, krb5_ccache id,
msize = length;
msize += 1;
if (msize == 0 || msize - 1 != length || length < 0)
- return KRB5_CC_NOMEM;
+ return KRB5_CC_NOMEM;
*a = ALLOC(msize, krb5_authdata *);
if (*a == NULL)
- return KRB5_CC_NOMEM;
+ return KRB5_CC_NOMEM;
for (i = 0; i < length; i++) {
- (*a)[i] = (krb5_authdata *) malloc(sizeof(krb5_authdata));
- if ((*a)[i] == NULL) {
- krb5_free_authdata(context, *a);
- *a = NULL;
- return KRB5_CC_NOMEM;
- }
- kret = krb5_krcc_parse_authdatum(context, id, (*a)[i], bc);
- CHECK(kret);
+ (*a)[i] = (krb5_authdata *) malloc(sizeof(krb5_authdata));
+ if ((*a)[i] == NULL) {
+ krb5_free_authdata(context, *a);
+ *a = NULL;
+ return KRB5_CC_NOMEM;
+ }
+ kret = krb5_krcc_parse_authdatum(context, id, (*a)[i], bc);
+ CHECK(kret);
}
return KRB5_OK;
- errout:
+errout:
if (*a) {
- krb5_free_authdata(context, *a);
- *a = NULL;
+ krb5_free_authdata(context, *a);
+ *a = NULL;
}
return kret;
}
static krb5_error_code
krb5_krcc_parse_authdatum(krb5_context context, krb5_ccache id,
- krb5_authdata * a, krb5_krcc_bc * bc)
+ krb5_authdata * a, krb5_krcc_bc * bc)
{
krb5_error_code kret;
krb5_int32 int32;
@@ -1702,44 +1703,44 @@ krb5_krcc_parse_authdatum(krb5_context context, krb5_ccache id,
a->ad_type = (krb5_authdatatype) ui2;
kret = krb5_krcc_parse_int32(context, id, &int32, bc);
CHECK(kret);
- if ((int32 & VALID_INT_BITS) != int32) /* Overflow int??? */
- return KRB5_CC_NOMEM;
+ if ((int32 & VALID_INT_BITS) != int32) /* Overflow int??? */
+ return KRB5_CC_NOMEM;
a->length = int32;
/*
* Value could have gotten truncated if int is
* smaller than 32 bits.
*/
if (a->length != int32)
- return KRB5_CC_NOMEM; /* XXX */
+ return KRB5_CC_NOMEM; /* XXX */
if (a->length == 0)
- return KRB5_OK;
+ return KRB5_OK;
a->contents = (krb5_octet *) malloc(a->length);
if (a->contents == NULL)
- return KRB5_CC_NOMEM;
+ return KRB5_CC_NOMEM;
kret = krb5_krcc_parse(context, id, a->contents, a->length, bc);
CHECK(kret);
return KRB5_OK;
- errout:
+errout:
if (a->contents)
- free(a->contents);
+ free(a->contents);
return kret;
}
static krb5_error_code
krb5_krcc_parse_ui_2(krb5_context context, krb5_ccache id, krb5_ui_2 * i,
- krb5_krcc_bc * bc)
+ krb5_krcc_bc * bc)
{
krb5_error_code kret;
unsigned char buf[2];
kret = krb5_krcc_parse(context, id, buf, 2, bc);
if (kret)
- return kret;
+ return kret;
*i = load_16_be(buf);
return 0;
}
@@ -1758,10 +1759,10 @@ krb5_krcc_parse_ui_2(krb5_context context, krb5_ccache id, krb5_ui_2 * i,
*/
static krb5_error_code
krb5_krcc_unparse(krb5_context context, krb5_ccache id, krb5_pointer buf,
- unsigned int len, krb5_krcc_bc * bc)
+ unsigned int len, krb5_krcc_bc * bc)
{
if (bc->bpp + len > bc->endp)
- return KRB5_CC_WRITE;
+ return KRB5_CC_WRITE;
memcpy(bc->bpp, buf, len);
bc->bpp += len;
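Review bot: The bounds test `bc->bpp + len > bc->endp` forms a pointer past the end of the buffer before comparing, which is undefined when len exceeds the remaining space and can wrap for a large len so that the memcpy() below proceeds. Comparing lengths instead avoids that: `if (len > (size_t)(bc->endp - bc->bpp)) return KRB5_CC_WRITE;`. This assumes bpp never exceeds endp, which holds for the one initialisation visible on this page (krb5_krcc_save_principal); the function continues past the end of the hunk.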
@@ -1771,7 +1772,7 @@ krb5_krcc_unparse(krb5_context context, krb5_ccache id, krb5_pointer buf,
static krb5_error_code
krb5_krcc_unparse_principal(krb5_context context, krb5_ccache id,
- krb5_principal princ, krb5_krcc_bc * bc)
+ krb5_principal princ, krb5_krcc_bc * bc)
{
krb5_error_code kret;
krb5_int32 i, length, tmp, type;
@@ -1786,14 +1787,14 @@ krb5_krcc_unparse_principal(krb5_context context, krb5_ccache id,
CHECK_OUT(kret);
kret = krb5_krcc_unparse_krb5data(context, id,
- krb5_princ_realm(context, princ), bc);
+ krb5_princ_realm(context, princ), bc);
CHECK_OUT(kret);
for (i = 0; i < length; i++) {
- kret = krb5_krcc_unparse_krb5data(context, id,
- krb5_princ_component(context, princ,
- i), bc);
- CHECK_OUT(kret);
+ kret = krb5_krcc_unparse_krb5data(context, id,
+ krb5_princ_component(context, princ,
+ i), bc);
+ CHECK_OUT(kret);
}
return KRB5_OK;
@@ -1801,7 +1802,7 @@ krb5_krcc_unparse_principal(krb5_context context, krb5_ccache id,
static krb5_error_code
krb5_krcc_unparse_keyblock(krb5_context context, krb5_ccache id,
- krb5_keyblock * keyblock, krb5_krcc_bc * bc)
+ krb5_keyblock * keyblock, krb5_krcc_bc * bc)
{
krb5_error_code kret;
@@ -1810,12 +1811,12 @@ krb5_krcc_unparse_keyblock(krb5_context context, krb5_ccache id,
kret = krb5_krcc_unparse_ui_4(context, id, keyblock->length, bc);
CHECK_OUT(kret);
return krb5_krcc_unparse(context, id, (char *) keyblock->contents,
- keyblock->length, bc);
+ keyblock->length, bc);
}
static krb5_error_code
krb5_krcc_unparse_times(krb5_context context, krb5_ccache id,
- krb5_ticket_times * t, krb5_krcc_bc * bc)
+ krb5_ticket_times * t, krb5_krcc_bc * bc)
{
krb5_error_code kret;
@@ -1832,7 +1833,7 @@ krb5_krcc_unparse_times(krb5_context context, krb5_ccache id,
static krb5_error_code
krb5_krcc_unparse_krb5data(krb5_context context, krb5_ccache id,
- krb5_data * data, krb5_krcc_bc * bc)
+ krb5_data * data, krb5_krcc_bc * bc)
{
krb5_error_code kret;
@@ -1843,14 +1844,14 @@ krb5_krcc_unparse_krb5data(krb5_context context, krb5_ccache id,
static krb5_error_code
krb5_krcc_unparse_int32(krb5_context context, krb5_ccache id, krb5_int32 i,
- krb5_krcc_bc * bc)
+ krb5_krcc_bc * bc)
{
return krb5_krcc_unparse_ui_4(context, id, (krb5_ui_4) i, bc);
}
static krb5_error_code
krb5_krcc_unparse_octet(krb5_context context, krb5_ccache id, krb5_int32 i,
- krb5_krcc_bc * bc)
+ krb5_krcc_bc * bc)
{
krb5_octet ibuf;
@@ -1860,7 +1861,7 @@ krb5_krcc_unparse_octet(krb5_context context, krb5_ccache id, krb5_int32 i,
static krb5_error_code
krb5_krcc_unparse_addrs(krb5_context context, krb5_ccache id,
- krb5_address ** addrs, krb5_krcc_bc * bc)
+ krb5_address ** addrs, krb5_krcc_bc * bc)
{
krb5_error_code kret;
krb5_address **temp;
@@ -1868,16 +1869,16 @@ krb5_krcc_unparse_addrs(krb5_context context, krb5_ccache id,
/* Count the number of components */
if (addrs) {
- temp = addrs;
- while (*temp++)
- length += 1;
+ temp = addrs;
+ while (*temp++)
+ length += 1;
}
kret = krb5_krcc_unparse_int32(context, id, length, bc);
CHECK_OUT(kret);
for (i = 0; i < length; i++) {
- kret = krb5_krcc_unparse_addr(context, id, addrs[i], bc);
- CHECK_OUT(kret);
+ kret = krb5_krcc_unparse_addr(context, id, addrs[i], bc);
+ CHECK_OUT(kret);
}
return KRB5_OK;
@@ -1885,7 +1886,7 @@ krb5_krcc_unparse_addrs(krb5_context context, krb5_ccache id,
static krb5_error_code
krb5_krcc_unparse_addr(krb5_context context, krb5_ccache id,
- krb5_address * addr, krb5_krcc_bc * bc)
+ krb5_address * addr, krb5_krcc_bc * bc)
{
krb5_error_code kret;
@@ -1894,34 +1895,34 @@ krb5_krcc_unparse_addr(krb5_context context, krb5_ccache id,
kret = krb5_krcc_unparse_ui_4(context, id, addr->length, bc);
CHECK_OUT(kret);
return krb5_krcc_unparse(context, id, (char *) addr->contents,
- addr->length, bc);
+ addr->length, bc);
}
static krb5_error_code
krb5_krcc_unparse_authdata(krb5_context context, krb5_ccache id,
- krb5_authdata ** a, krb5_krcc_bc * bc)
+ krb5_authdata ** a, krb5_krcc_bc * bc)
{
krb5_error_code kret;
krb5_authdata **temp;
krb5_int32 i, length = 0;
if (a != NULL) {
- for (temp = a; *temp; temp++)
- length++;
+ for (temp = a; *temp; temp++)
+ length++;
}
kret = krb5_krcc_unparse_int32(context, id, length, bc);
CHECK_OUT(kret);
for (i = 0; i < length; i++) {
- kret = krb5_krcc_unparse_authdatum(context, id, a[i], bc);
- CHECK_OUT(kret);
+ kret = krb5_krcc_unparse_authdatum(context, id, a[i], bc);
+ CHECK_OUT(kret);
}
return KRB5_OK;
}
static krb5_error_code
krb5_krcc_unparse_authdatum(krb5_context context, krb5_ccache id,
- krb5_authdata * a, krb5_krcc_bc * bc)
+ krb5_authdata * a, krb5_krcc_bc * bc)
{
krb5_error_code kret;
@@ -1930,12 +1931,12 @@ krb5_krcc_unparse_authdatum(krb5_context context, krb5_ccache id,
kret = krb5_krcc_unparse_ui_4(context, id, a->length, bc);
CHECK_OUT(kret);
return krb5_krcc_unparse(context, id, (krb5_pointer) a->contents,
- a->length, bc);
+ a->length, bc);
}
static krb5_error_code
krb5_krcc_unparse_ui_4(krb5_context context, krb5_ccache id, krb5_ui_4 i,
- krb5_krcc_bc * bc)
+ krb5_krcc_bc * bc)
{
unsigned char buf[4];
@@ -1945,7 +1946,7 @@ krb5_krcc_unparse_ui_4(krb5_context context, krb5_ccache id, krb5_ui_4 i,
static krb5_error_code
krb5_krcc_unparse_ui_2(krb5_context context, krb5_ccache id, krb5_int32 i,
- krb5_krcc_bc * bc)
+ krb5_krcc_bc * bc)
{
unsigned char buf[2];
@@ -1967,21 +1968,21 @@ krb5_krcc_unparse_ui_2(krb5_context context, krb5_ccache id, krb5_int32 i,
*/
static krb5_error_code
krb5_krcc_unparse_cred(krb5_context context, krb5_ccache id,
- krb5_creds * creds, char **datapp, unsigned int *lenptr)
+ krb5_creds * creds, char **datapp, unsigned int *lenptr)
{
krb5_error_code kret;
char *buf;
krb5_krcc_bc bc;
if (!creds || !datapp || !lenptr)
- return EINVAL;
+ return EINVAL;
*datapp = NULL;
*lenptr = 0;
buf = malloc(GUESS_CRED_SIZE);
if (buf == NULL)
- return KRB5_CC_NOMEM;
+ return KRB5_CC_NOMEM;
bc.bpp = buf;
bc.endp = buf + GUESS_CRED_SIZE;
@@ -1999,7 +2000,7 @@ krb5_krcc_unparse_cred(krb5_context context, krb5_ccache id,
CHECK_N_GO(kret, errout);
kret = krb5_krcc_unparse_octet(context, id, (krb5_int32) creds->is_skey,
- &bc);
+ &bc);
CHECK_N_GO(kret, errout);
kret = krb5_krcc_unparse_int32(context, id, creds->ticket_flags, &bc);
@@ -2022,23 +2023,23 @@ krb5_krcc_unparse_cred(krb5_context context, krb5_ccache id,
*lenptr = bc.bpp - buf;
kret = KRB5_OK;
- errout:
+errout:
return kret;
}
/*
- * Utility routine: called by krb5_krcc_* functions to keep
+ * Utility routine: called by krb5_krcc_* functions to keep
* result of krb5_krcc_last_change_time up to date.
- * Value monotonically increases -- based on but not guaranteed to be actual
+ * Value monotonically increases -- based on but not guaranteed to be actual
* system time.
*/
static void
krb5_krcc_update_change_time(krb5_krcc_data *d)
{
- krb5_timestamp now_time = time(NULL);
- d->changetime = (d->changetime >= now_time) ?
- d->changetime + 1 : now_time;
+ krb5_timestamp now_time = time(NULL);
+ d->changetime = (d->changetime >= now_time) ?
+ d->changetime + 1 : now_time;
}
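Review bot: At the `errout:` label that closes krb5_krcc_unparse_cred, the function returns `kret` without releasing `buf`. Every failed `CHECK_N_GO` after the `malloc(GUESS_CRED_SIZE)` shown earlier in this diff therefore appears to leak a buffer that may already hold serialized key bytes. Unless lines outside the hunk hand `buf` to the caller on failure, I would add `if (kret) free(buf);` before `return kret;`, and clear the written part of the buffer first. The function starts outside this hunk, and the change here is indentation only.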
@@ -2065,7 +2066,7 @@ const krb5_cc_ops krb5_krcc_ops = {
krb5_krcc_end_seq_get,
krb5_krcc_remove_cred,
krb5_krcc_set_flags,
- krb5_krcc_get_flags, /* added after 1.4 release */
+ krb5_krcc_get_flags, /* added after 1.4 release */
NULL,
NULL,
NULL,
@@ -2098,7 +2099,7 @@ const krb5_cc_ops krb5_krcc_ops = {
NULL,
NULL,
NULL,
- NULL, /* added after 1.4 release */
+ NULL, /* added after 1.4 release */
NULL,
NULL,
NULL,
@@ -2108,4 +2109,4 @@ const krb5_cc_ops krb5_krcc_ops = {
NULL,
NULL,
};
-#endif /* USE_KEYRING_CCACHE */
+#endif /* USE_KEYRING_CCACHE */
diff --git a/src/lib/krb5/ccache/cc_memory.c b/src/lib/krb5/ccache/cc_memory.c
index 076f7ebd08..578b5ddc58 100644
--- a/src/lib/krb5/ccache/cc_memory.c
+++ b/src/lib/krb5/ccache/cc_memory.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/ccache/cc_memory.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* implementation of memory-based credentials cache
*/
@@ -30,68 +31,68 @@
#include <errno.h>
static krb5_error_code KRB5_CALLCONV krb5_mcc_close
- (krb5_context, krb5_ccache id );
+(krb5_context, krb5_ccache id );
-static krb5_error_code KRB5_CALLCONV krb5_mcc_destroy
- (krb5_context, krb5_ccache id );
+static krb5_error_code KRB5_CALLCONV krb5_mcc_destroy
+(krb5_context, krb5_ccache id );
-static krb5_error_code KRB5_CALLCONV krb5_mcc_end_seq_get
- (krb5_context, krb5_ccache id , krb5_cc_cursor *cursor );
+static krb5_error_code KRB5_CALLCONV krb5_mcc_end_seq_get
+(krb5_context, krb5_ccache id , krb5_cc_cursor *cursor );
-static krb5_error_code KRB5_CALLCONV krb5_mcc_generate_new
- (krb5_context, krb5_ccache *id );
+static krb5_error_code KRB5_CALLCONV krb5_mcc_generate_new
+(krb5_context, krb5_ccache *id );
-static const char * KRB5_CALLCONV krb5_mcc_get_name
- (krb5_context, krb5_ccache id );
+static const char * KRB5_CALLCONV krb5_mcc_get_name
+(krb5_context, krb5_ccache id );
-static krb5_error_code KRB5_CALLCONV krb5_mcc_get_principal
- (krb5_context, krb5_ccache id , krb5_principal *princ );
+static krb5_error_code KRB5_CALLCONV krb5_mcc_get_principal
+(krb5_context, krb5_ccache id , krb5_principal *princ );
-static krb5_error_code KRB5_CALLCONV krb5_mcc_initialize
- (krb5_context, krb5_ccache id , krb5_principal princ );
+static krb5_error_code KRB5_CALLCONV krb5_mcc_initialize
+(krb5_context, krb5_ccache id , krb5_principal princ );
-static krb5_error_code KRB5_CALLCONV krb5_mcc_next_cred
- (krb5_context,
- krb5_ccache id ,
- krb5_cc_cursor *cursor ,
- krb5_creds *creds );
+static krb5_error_code KRB5_CALLCONV krb5_mcc_next_cred
+(krb5_context,
+ krb5_ccache id ,
+ krb5_cc_cursor *cursor ,
+ krb5_creds *creds );
-static krb5_error_code KRB5_CALLCONV krb5_mcc_resolve
- (krb5_context, krb5_ccache *id , const char *residual );
+static krb5_error_code KRB5_CALLCONV krb5_mcc_resolve
+(krb5_context, krb5_ccache *id , const char *residual );
-static krb5_error_code KRB5_CALLCONV krb5_mcc_retrieve
- (krb5_context,
- krb5_ccache id ,
- krb5_flags whichfields ,
- krb5_creds *mcreds ,
- krb5_creds *creds );
+static krb5_error_code KRB5_CALLCONV krb5_mcc_retrieve
+(krb5_context,
+ krb5_ccache id ,
+ krb5_flags whichfields ,
+ krb5_creds *mcreds ,
+ krb5_creds *creds );
-static krb5_error_code KRB5_CALLCONV krb5_mcc_start_seq_get
- (krb5_context, krb5_ccache id , krb5_cc_cursor *cursor );
+static krb5_error_code KRB5_CALLCONV krb5_mcc_start_seq_get
+(krb5_context, krb5_ccache id , krb5_cc_cursor *cursor );
-static krb5_error_code KRB5_CALLCONV krb5_mcc_store
- (krb5_context, krb5_ccache id , krb5_creds *creds );
+static krb5_error_code KRB5_CALLCONV krb5_mcc_store
+(krb5_context, krb5_ccache id , krb5_creds *creds );
-static krb5_error_code KRB5_CALLCONV krb5_mcc_set_flags
- (krb5_context, krb5_ccache id , krb5_flags flags );
+static krb5_error_code KRB5_CALLCONV krb5_mcc_set_flags
+(krb5_context, krb5_ccache id , krb5_flags flags );
static krb5_error_code KRB5_CALLCONV krb5_mcc_ptcursor_new
- (krb5_context, krb5_cc_ptcursor *);
+(krb5_context, krb5_cc_ptcursor *);
static krb5_error_code KRB5_CALLCONV krb5_mcc_ptcursor_next
- (krb5_context, krb5_cc_ptcursor, krb5_ccache *);
+(krb5_context, krb5_cc_ptcursor, krb5_ccache *);
static krb5_error_code KRB5_CALLCONV krb5_mcc_ptcursor_free
- (krb5_context, krb5_cc_ptcursor *);
+(krb5_context, krb5_cc_ptcursor *);
static krb5_error_code KRB5_CALLCONV krb5_mcc_last_change_time
- (krb5_context, krb5_ccache, krb5_timestamp *);
+(krb5_context, krb5_ccache, krb5_timestamp *);
static krb5_error_code KRB5_CALLCONV krb5_mcc_lock
- (krb5_context context, krb5_ccache id);
+(krb5_context context, krb5_ccache id);
static krb5_error_code KRB5_CALLCONV krb5_mcc_unlock
- (krb5_context context, krb5_ccache id);
+(krb5_context context, krb5_ccache id);
extern const krb5_cc_ops krb5_mcc_ops;
@@ -146,7 +147,7 @@ static void krb5_mcc_free (krb5_context context, krb5_ccache id);
krb5_error_code KRB5_CALLCONV
krb5_mcc_initialize(krb5_context context, krb5_ccache id, krb5_principal princ)
{
- krb5_error_code ret;
+ krb5_error_code ret;
krb5_mcc_data *d;
d = (krb5_mcc_data *)id->data;
@@ -155,10 +156,10 @@ krb5_mcc_initialize(krb5_context context, krb5_ccache id, krb5_principal princ)
return ret;
krb5_mcc_free(context, id);
-
+
d = (krb5_mcc_data *)id->data;
ret = krb5_copy_principal(context, princ,
- &d->prin);
+ &d->prin);
update_mcc_change_time(d);
k5_cc_mutex_unlock(context, &d->lock);
@@ -178,8 +179,8 @@ krb5_mcc_initialize(krb5_context context, krb5_ccache id, krb5_principal princ)
krb5_error_code KRB5_CALLCONV
krb5_mcc_close(krb5_context context, krb5_ccache id)
{
- free(id);
- return KRB5_OK;
+ free(id);
+ return KRB5_OK;
}
static void
@@ -190,10 +191,10 @@ krb5_mcc_free(krb5_context context, krb5_ccache id)
d = (krb5_mcc_data *) id->data;
for (curr = d->link; curr;) {
- krb5_free_creds(context, curr->creds);
- next = curr->next;
- free(curr);
- curr = next;
+ krb5_free_creds(context, curr->creds);
+ next = curr->next;
+ free(curr);
+ curr = next;
}
d->link = NULL;
krb5_free_principal(context, d->prin);
@@ -215,16 +216,16 @@ krb5_mcc_destroy(krb5_context context, krb5_ccache id)
err = k5_cc_mutex_lock(context, &krb5int_mcc_mutex);
if (err)
- return err;
+ return err;
d = (krb5_mcc_data *)id->data;
for (curr = &mcc_head; *curr; curr = &(*curr)->next) {
- if ((*curr)->cache == d) {
- node = *curr;
- *curr = node->next;
- free(node);
- break;
- }
+ if ((*curr)->cache == d) {
+ node = *curr;
+ *curr = node->next;
+ free(node);
+ break;
+ }
}
k5_cc_mutex_unlock(context, &krb5int_mcc_mutex);
@@ -236,7 +237,7 @@ krb5_mcc_destroy(krb5_context context, krb5_ccache id)
free(d->name);
k5_cc_mutex_unlock(context, &d->lock);
k5_cc_mutex_destroy(&d->lock);
- free(d);
+ free(d);
free(id);
krb5_change_cache ();
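Review bot: `free(d)` in krb5_mcc_destroy releases the cache data while other handles may still point at it. krb5_mcc_resolve, later in this diff, returns the existing `ptr->cache` for a matching name and stores it in a fresh handle's `data`, and no reference count is visible. Any such handle used after this destroy would touch freed memory, including `d->lock`. A full fix needs a reference count on `krb5_mcc_data`, which is beyond a re-indentation hunk. Until then I would state the constraint above the frees, e.g. `/* Frees d outright; other handles resolved to the same name become invalid. */`. The function begins outside this hunk.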
@@ -249,11 +250,11 @@ krb5_mcc_destroy(krb5_context context, krb5_ccache id)
*
* Modifies:
* id
- *
+ *
* Effects:
- * creates or accesses a memory-based cred cache that is referenced by
- * residual.
- *
+ * creates or accesses a memory-based cred cache that is referenced by
+ * residual.
+ *
* Returns:
* A filled in krb5_ccache structure "id".
*
@@ -274,28 +275,28 @@ krb5_mcc_resolve (krb5_context context, krb5_ccache *id, const char *residual)
err = k5_cc_mutex_lock(context, &krb5int_mcc_mutex);
if (err)
- return err;
+ return err;
for (ptr = mcc_head; ptr; ptr=ptr->next)
- if (!strcmp(ptr->cache->name, residual))
- break;
+ if (!strcmp(ptr->cache->name, residual))
+ break;
if (ptr)
- d = ptr->cache;
+ d = ptr->cache;
else {
- err = new_mcc_data(residual, &d);
- if (err) {
- k5_cc_mutex_unlock(context, &krb5int_mcc_mutex);
- return err;
- }
+ err = new_mcc_data(residual, &d);
+ if (err) {
+ k5_cc_mutex_unlock(context, &krb5int_mcc_mutex);
+ return err;
+ }
}
k5_cc_mutex_unlock(context, &krb5int_mcc_mutex);
lid = (krb5_ccache) malloc(sizeof(struct _krb5_ccache));
if (lid == NULL)
- return KRB5_CC_NOMEM;
-
+ return KRB5_CC_NOMEM;
+
lid->ops = &krb5_mcc_ops;
lid->data = d;
- *id = lid;
+ *id = lid;
return KRB5_OK;
}
@@ -314,20 +315,20 @@ krb5_mcc_resolve (krb5_context context, krb5_ccache *id, const char *residual)
*/
krb5_error_code KRB5_CALLCONV
krb5_mcc_start_seq_get(krb5_context context, krb5_ccache id,
- krb5_cc_cursor *cursor)
+ krb5_cc_cursor *cursor)
{
- krb5_mcc_cursor mcursor;
- krb5_error_code err;
- krb5_mcc_data *d;
-
- d = id->data;
- err = k5_cc_mutex_lock(context, &d->lock);
- if (err)
- return err;
- mcursor = d->link;
- k5_cc_mutex_unlock(context, &d->lock);
- *cursor = (krb5_cc_cursor) mcursor;
- return KRB5_OK;
+ krb5_mcc_cursor mcursor;
+ krb5_error_code err;
+ krb5_mcc_data *d;
+
+ d = id->data;
+ err = k5_cc_mutex_lock(context, &d->lock);
+ if (err)
+ return err;
+ mcursor = d->link;
+ k5_cc_mutex_unlock(context, &d->lock);
+ *cursor = (krb5_cc_cursor) mcursor;
+ return KRB5_OK;
}
/*
@@ -337,7 +338,7 @@ krb5_mcc_start_seq_get(krb5_context context, krb5_ccache id,
*
* Modifes:
* cursor, creds
- *
+ *
* Effects:
* Fills in creds with the "next" credentals structure from the cache
* id. The actual order the creds are returned in is arbitrary.
@@ -352,25 +353,25 @@ krb5_mcc_start_seq_get(krb5_context context, krb5_ccache id,
*/
krb5_error_code KRB5_CALLCONV
krb5_mcc_next_cred(krb5_context context, krb5_ccache id,
- krb5_cc_cursor *cursor, krb5_creds *creds)
+ krb5_cc_cursor *cursor, krb5_creds *creds)
{
- krb5_mcc_cursor mcursor;
- krb5_error_code retval;
-
- /* Once the node in the linked list is created, it's never
- modified, so we don't need to worry about locking here. (Note
- that we don't support _remove_cred.) */
- mcursor = (krb5_mcc_cursor) *cursor;
- if (mcursor == NULL)
- return KRB5_CC_END;
- memset(creds, 0, sizeof(krb5_creds));
- if (mcursor->creds) {
- retval = krb5int_copy_creds_contents(context, mcursor->creds, creds);
- if (retval)
- return retval;
- }
- *cursor = (krb5_cc_cursor)mcursor->next;
- return KRB5_OK;
+ krb5_mcc_cursor mcursor;
+ krb5_error_code retval;
+
+ /* Once the node in the linked list is created, it's never
+ modified, so we don't need to worry about locking here. (Note
+ that we don't support _remove_cred.) */
+ mcursor = (krb5_mcc_cursor) *cursor;
+ if (mcursor == NULL)
+ return KRB5_CC_END;
+ memset(creds, 0, sizeof(krb5_creds));
+ if (mcursor->creds) {
+ retval = krb5int_copy_creds_contents(context, mcursor->creds, creds);
+ if (retval)
+ return retval;
+ }
+ *cursor = (krb5_cc_cursor)mcursor->next;
+ return KRB5_OK;
}
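Review bot: The comment in krb5_mcc_next_cred says nodes are never modified and so no locking is needed, but that does not cover nodes being freed. krb5_mcc_initialize calls krb5_mcc_free, which frees every node on `d->link` (both visible elsewhere in this diff), while the cursor is a bare pointer into that list. A cursor held across a re-initialize of the same cache would then read `mcursor->creds` and `mcursor->next` from freed memory. At minimum the comment should say so, for example `/* Nodes are never modified once linked, but initialize/destroy free them; a cursor must not be used after either. */`. The hunk itself only re-indents the body.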
/*
@@ -389,8 +390,8 @@ krb5_mcc_next_cred(krb5_context context, krb5_ccache id,
krb5_error_code KRB5_CALLCONV
krb5_mcc_end_seq_get(krb5_context context, krb5_ccache id, krb5_cc_cursor *cursor)
{
- *cursor = 0L;
- return KRB5_OK;
+ *cursor = 0L;
+ return KRB5_OK;
}
/* Utility routine: Creates the back-end data for a memory cache, and
@@ -406,19 +407,19 @@ new_mcc_data (const char *name, krb5_mcc_data **dataptr)
d = malloc(sizeof(krb5_mcc_data));
if (d == NULL)
- return KRB5_CC_NOMEM;
-
+ return KRB5_CC_NOMEM;
+
err = k5_cc_mutex_init(&d->lock);
if (err) {
- free(d);
- return err;
+ free(d);
+ return err;
}
d->name = strdup(name);
if (d->name == NULL) {
- k5_cc_mutex_destroy(&d->lock);
- free(d);
- return KRB5_CC_NOMEM;
+ k5_cc_mutex_destroy(&d->lock);
+ free(d);
+ return KRB5_CC_NOMEM;
}
d->link = NULL;
d->prin = NULL;
@@ -427,10 +428,10 @@ new_mcc_data (const char *name, krb5_mcc_data **dataptr)
n = malloc(sizeof(krb5_mcc_list_node));
if (n == NULL) {
- free(d->name);
- k5_cc_mutex_destroy(&d->lock);
- free(d);
- return KRB5_CC_NOMEM;
+ free(d->name);
+ k5_cc_mutex_destroy(&d->lock);
+ free(d);
+ return KRB5_CC_NOMEM;
}
n->cache = d;
@@ -445,7 +446,7 @@ new_mcc_data (const char *name, krb5_mcc_data **dataptr)
* Effects:
* Creates a new memory cred cache whose name is guaranteed to be
* unique. The name begins with the string TKT_ROOT (from mcc.h).
- *
+ *
* Returns:
* The filled in krb5_ccache id.
*
@@ -466,41 +467,41 @@ krb5_mcc_generate_new (krb5_context context, krb5_ccache *id)
/* Allocate memory */
lid = (krb5_ccache) malloc(sizeof(struct _krb5_ccache));
if (lid == NULL)
- return KRB5_CC_NOMEM;
+ return KRB5_CC_NOMEM;
lid->ops = &krb5_mcc_ops;
-
+
err = k5_cc_mutex_lock(context, &krb5int_mcc_mutex);
if (err) {
- free(lid);
- return err;
+ free(lid);
+ return err;
}
-
+
/* Check for uniqueness with mutex locked to avoid race conditions */
while (1) {
krb5_mcc_list_node *ptr;
err = krb5int_random_string (context, uniquename, sizeof (uniquename));
if (err) {
- k5_cc_mutex_unlock(context, &krb5int_mcc_mutex);
- free(lid);
- return err;
+ k5_cc_mutex_unlock(context, &krb5int_mcc_mutex);
+ free(lid);
+ return err;
}
-
- for (ptr = mcc_head; ptr; ptr=ptr->next) {
+
+ for (ptr = mcc_head; ptr; ptr=ptr->next) {
if (!strcmp(ptr->cache->name, uniquename)) {
- break; /* got a match, loop again */
+ break; /* got a match, loop again */
}
- }
+ }
if (!ptr) break; /* got to the end without finding a match */
}
-
+
err = new_mcc_data(uniquename, &d);
k5_cc_mutex_unlock(context, &krb5int_mcc_mutex);
if (err) {
- free(lid);
- return err;
+ free(lid);
+ return err;
}
lid->data = d;
*id = lid;
@@ -508,8 +509,8 @@ krb5_mcc_generate_new (krb5_context context, krb5_ccache *id)
return KRB5_OK;
}
-/* Utility routine: Creates a random memory ccache name.
- * This algorithm was selected because it creates readable
+/* Utility routine: Creates a random memory ccache name.
+ * This algorithm was selected because it creates readable
* random ccache names in a fixed size buffer. */
krb5_error_code
@@ -520,19 +521,19 @@ krb5int_random_string (krb5_context context, char *string, unsigned int length)
krb5_error_code err = 0;
unsigned char *bytes = NULL;
unsigned int bytecount = length - 1;
-
+
if (!err) {
bytes = malloc (bytecount);
if (bytes == NULL) { err = ENOMEM; }
}
-
+
if (!err) {
krb5_data data;
data.length = bytecount;
data.data = (char *) bytes;
err = krb5_c_random_make_octets (context, &data);
}
-
+
if (!err) {
unsigned int i;
for (i = 0; i < bytecount; i++) {
@@ -540,23 +541,23 @@ krb5int_random_string (krb5_context context, char *string, unsigned int length)
}
string[length - 1] = '\0';
}
-
+
if (bytes != NULL) { free (bytes); }
-
+
return err;
}
/*
* Requires:
* id is a file credential cache
- *
+ *
* Returns:
* A pointer to the name of the file cred cache id.
*/
const char * KRB5_CALLCONV
krb5_mcc_get_name (krb5_context context, krb5_ccache id)
{
- return (char *) ((krb5_mcc_data *) id->data)->name;
+ return (char *) ((krb5_mcc_data *) id->data)->name;
}
/*
@@ -575,25 +576,25 @@ krb5_mcc_get_name (krb5_context context, krb5_ccache id)
krb5_error_code KRB5_CALLCONV
krb5_mcc_get_principal(krb5_context context, krb5_ccache id, krb5_principal *princ)
{
- krb5_mcc_data *ptr = (krb5_mcc_data *)id->data;
- if (!ptr->prin) {
+ krb5_mcc_data *ptr = (krb5_mcc_data *)id->data;
+ if (!ptr->prin) {
*princ = 0L;
return KRB5_FCC_NOFILE;
- }
- return krb5_copy_principal(context, ptr->prin, princ);
+ }
+ return krb5_copy_principal(context, ptr->prin, princ);
}
krb5_error_code KRB5_CALLCONV
krb5_mcc_retrieve(krb5_context context, krb5_ccache id, krb5_flags whichfields,
- krb5_creds *mcreds, krb5_creds *creds)
+ krb5_creds *mcreds, krb5_creds *creds)
{
return krb5_cc_retrieve_cred_default (context, id, whichfields,
- mcreds, creds);
+ mcreds, creds);
}
-/*
+/*
* Non-functional stub implementation for krb5_mcc_remove
- *
+ *
* Errors:
* KRB5_CC_NOSUPP - not implemented
*/
@@ -612,7 +613,7 @@ krb5_mcc_remove_cred(krb5_context context, krb5_ccache cache, krb5_flags flags,
*
* Modifies:
* id
- *
+ *
* Effects:
* Sets the operational flags of id to flags.
*/
@@ -649,13 +650,13 @@ krb5_mcc_store(krb5_context ctx, krb5_ccache id, krb5_creds *creds)
new_node = malloc(sizeof(krb5_mcc_link));
if (new_node == NULL)
- return ENOMEM;
+ return ENOMEM;
err = krb5_copy_creds(ctx, creds, &new_node->creds);
if (err)
- goto cleanup;
+ goto cleanup;
err = k5_cc_mutex_lock(ctx, &mptr->lock);
if (err)
- goto cleanup;
+ goto cleanup;
new_node->next = mptr->link;
mptr->link = new_node;
update_mcc_change_time(mptr);
@@ -679,25 +680,25 @@ krb5_mcc_ptcursor_new(
n = malloc(sizeof(*n));
if (n == NULL)
- return ENOMEM;
+ return ENOMEM;
n->ops = &krb5_mcc_ops;
cdata = malloc(sizeof(struct krb5_mcc_ptcursor_data));
if (cdata == NULL) {
- ret = ENOMEM;
- goto errout;
+ ret = ENOMEM;
+ goto errout;
}
n->data = cdata;
ret = k5_cc_mutex_lock(context, &krb5int_mcc_mutex);
if (ret)
- goto errout;
+ goto errout;
cdata->cur = mcc_head;
ret = k5_cc_mutex_unlock(context, &krb5int_mcc_mutex);
if (ret)
- goto errout;
+ goto errout;
errout:
if (ret) {
- krb5_mcc_ptcursor_free(context, &n);
+ krb5_mcc_ptcursor_free(context, &n);
}
*cursor = n;
return ret;
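Review bot: In krb5_mcc_ptcursor_new, a failed `cdata` allocation jumps to `errout` before `n->data = cdata;` has run. krb5_mcc_ptcursor_free then tests and frees `(*cursor)->data`, which is still uninitialized memory from `malloc`. Adding `n->data = NULL;` right after `n->ops = &krb5_mcc_ops;` makes the cleanup path safe. The function's signature and declarations are outside this hunk, which only changes indentation.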
@@ -715,25 +716,25 @@ krb5_mcc_ptcursor_next(
*ccache = NULL;
cdata = cursor->data;
if (cdata->cur == NULL)
- return 0;
+ return 0;
*ccache = malloc(sizeof(**ccache));
if (*ccache == NULL)
- return ENOMEM;
+ return ENOMEM;
(*ccache)->ops = &krb5_mcc_ops;
(*ccache)->data = cdata->cur->cache;
ret = k5_cc_mutex_lock(context, &krb5int_mcc_mutex);
if (ret)
- goto errout;
+ goto errout;
cdata->cur = cdata->cur->next;
ret = k5_cc_mutex_unlock(context, &krb5int_mcc_mutex);
if (ret)
- goto errout;
+ goto errout;
errout:
if (ret && *ccache != NULL) {
- free(*ccache);
- *ccache = NULL;
+ free(*ccache);
+ *ccache = NULL;
}
return ret;
}
@@ -744,25 +745,25 @@ krb5_mcc_ptcursor_free(
krb5_cc_ptcursor *cursor)
{
if (*cursor == NULL)
- return 0;
+ return 0;
if ((*cursor)->data != NULL)
- free((*cursor)->data);
+ free((*cursor)->data);
free(*cursor);
*cursor = NULL;
return 0;
}
-static krb5_error_code KRB5_CALLCONV
+static krb5_error_code KRB5_CALLCONV
krb5_mcc_last_change_time(
krb5_context context,
- krb5_ccache id,
+ krb5_ccache id,
krb5_timestamp *change_time)
{
krb5_error_code ret = 0;
krb5_mcc_data *data = (krb5_mcc_data *) id->data;
-
+
*change_time = 0;
-
+
ret = k5_cc_mutex_lock(context, &data->lock);
if (!ret) {
*change_time = data->changetime;
@@ -773,19 +774,19 @@ krb5_mcc_last_change_time(
}
/*
- Utility routine: called by krb5_mcc_* functions to keep
- result of krb5_mcc_last_change_time up to date
- */
+ Utility routine: called by krb5_mcc_* functions to keep
+ result of krb5_mcc_last_change_time up to date
+*/
static void
update_mcc_change_time(krb5_mcc_data *d)
{
krb5_timestamp now_time = time(NULL);
- d->changetime = (d->changetime >= now_time) ?
- d->changetime + 1 : now_time;
+ d->changetime = (d->changetime >= now_time) ?
+ d->changetime + 1 : now_time;
}
-static krb5_error_code KRB5_CALLCONV
+static krb5_error_code KRB5_CALLCONV
krb5_mcc_lock(krb5_context context, krb5_ccache id)
{
krb5_error_code ret = 0;
@@ -794,7 +795,7 @@ krb5_mcc_lock(krb5_context context, krb5_ccache id)
return ret;
}
-static krb5_error_code KRB5_CALLCONV
+static krb5_error_code KRB5_CALLCONV
krb5_mcc_unlock(krb5_context context, krb5_ccache id)
{
krb5_error_code ret = 0;
@@ -804,29 +805,29 @@ krb5_mcc_unlock(krb5_context context, krb5_ccache id)
}
const krb5_cc_ops krb5_mcc_ops = {
- 0,
- "MEMORY",
- krb5_mcc_get_name,
- krb5_mcc_resolve,
- krb5_mcc_generate_new,
- krb5_mcc_initialize,
- krb5_mcc_destroy,
- krb5_mcc_close,
- krb5_mcc_store,
- krb5_mcc_retrieve,
- krb5_mcc_get_principal,
- krb5_mcc_start_seq_get,
- krb5_mcc_next_cred,
- krb5_mcc_end_seq_get,
- krb5_mcc_remove_cred,
- krb5_mcc_set_flags,
- krb5_mcc_get_flags,
- krb5_mcc_ptcursor_new,
- krb5_mcc_ptcursor_next,
- krb5_mcc_ptcursor_free,
- NULL, /* move */
- krb5_mcc_last_change_time,
- NULL, /* wasdefault */
- krb5_mcc_lock,
- krb5_mcc_unlock,
+ 0,
+ "MEMORY",
+ krb5_mcc_get_name,
+ krb5_mcc_resolve,
+ krb5_mcc_generate_new,
+ krb5_mcc_initialize,
+ krb5_mcc_destroy,
+ krb5_mcc_close,
+ krb5_mcc_store,
+ krb5_mcc_retrieve,
+ krb5_mcc_get_principal,
+ krb5_mcc_start_seq_get,
+ krb5_mcc_next_cred,
+ krb5_mcc_end_seq_get,
+ krb5_mcc_remove_cred,
+ krb5_mcc_set_flags,
+ krb5_mcc_get_flags,
+ krb5_mcc_ptcursor_new,
+ krb5_mcc_ptcursor_next,
+ krb5_mcc_ptcursor_free,
+ NULL, /* move */
+ krb5_mcc_last_change_time,
+ NULL, /* wasdefault */
+ krb5_mcc_lock,
+ krb5_mcc_unlock,
};
diff --git a/src/lib/krb5/ccache/cc_mslsa.c b/src/lib/krb5/ccache/cc_mslsa.c
index db74828f35..826794f893 100644
--- a/src/lib/krb5/ccache/cc_mslsa.c
+++ b/src/lib/krb5/ccache/cc_mslsa.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/ccache/cc_mslsa.c
*
@@ -10,7 +11,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -24,11 +25,11 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
* Copyright 2000 by Carnegie Mellon University
*
* All Rights Reserved
- *
+ *
* Permission to use, copy, modify, and distribute this software and its
* documentation for any purpose and without fee is hereby granted,
* provided that the above copyright notice appear in all copies and that
@@ -37,7 +38,7 @@
* University not be used in advertising or publicity pertaining to
* distribution of the software without specific, written prior
* permission.
- *
+ *
* CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO
* THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
* FITNESS, IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE FOR
@@ -88,63 +89,63 @@
#define MAX_MSG_SIZE 256
#define MAX_MSPRINC_SIZE 1024
-/* THREAD SAFETY
- * The functions is_windows_2000(), is_windows_xp(),
- * does_retrieve_ticket_cache_ticket() and does_query_ticket_cache_ex2()
- * contain static variables to cache the responses of the tests being
- * performed. There is no harm in the test being performed more than
+/* THREAD SAFETY
+ * The functions is_windows_2000(), is_windows_xp(),
+ * does_retrieve_ticket_cache_ticket() and does_query_ticket_cache_ex2()
+ * contain static variables to cache the responses of the tests being
+ * performed. There is no harm in the test being performed more than
* once since the result will always be the same.
*/
-static BOOL
+static BOOL
is_windows_2000 (void)
{
- static BOOL fChecked = FALSE;
- static BOOL fIsWin2K = FALSE;
+ static BOOL fChecked = FALSE;
+ static BOOL fIsWin2K = FALSE;
- if (!fChecked)
- {
- OSVERSIONINFO Version;
+ if (!fChecked)
+ {
+ OSVERSIONINFO Version;
- memset (&Version, 0x00, sizeof(Version));
- Version.dwOSVersionInfoSize = sizeof(Version);
+ memset (&Version, 0x00, sizeof(Version));
+ Version.dwOSVersionInfoSize = sizeof(Version);
- if (GetVersionEx (&Version))
- {
- if (Version.dwPlatformId == VER_PLATFORM_WIN32_NT &&
+ if (GetVersionEx (&Version))
+ {
+ if (Version.dwPlatformId == VER_PLATFORM_WIN32_NT &&
Version.dwMajorVersion >= 5)
- fIsWin2K = TRUE;
- }
- fChecked = TRUE;
- }
+ fIsWin2K = TRUE;
+ }
+ fChecked = TRUE;
+ }
- return fIsWin2K;
+ return fIsWin2K;
}
-static BOOL
+static BOOL
is_windows_xp (void)
{
- static BOOL fChecked = FALSE;
- static BOOL fIsWinXP = FALSE;
+ static BOOL fChecked = FALSE;
+ static BOOL fIsWinXP = FALSE;
- if (!fChecked)
- {
- OSVERSIONINFO Version;
+ if (!fChecked)
+ {
+ OSVERSIONINFO Version;
- memset (&Version, 0x00, sizeof(Version));
- Version.dwOSVersionInfoSize = sizeof(Version);
+ memset (&Version, 0x00, sizeof(Version));
+ Version.dwOSVersionInfoSize = sizeof(Version);
- if (GetVersionEx (&Version))
- {
- if (Version.dwPlatformId == VER_PLATFORM_WIN32_NT &&
+ if (GetVersionEx (&Version))
+ {
+ if (Version.dwPlatformId == VER_PLATFORM_WIN32_NT &&
(Version.dwMajorVersion > 5 ||
Version.dwMajorVersion == 5 && Version.dwMinorVersion >= 1) )
- fIsWinXP = TRUE;
- }
- fChecked = TRUE;
- }
+ fIsWinXP = TRUE;
+ }
+ fChecked = TRUE;
+ }
- return fIsWinXP;
+ return fIsWinXP;
}
static BOOL
@@ -155,17 +156,17 @@ is_windows_vista (void)
if (!fChecked)
{
- OSVERSIONINFO Version;
+ OSVERSIONINFO Version;
- memset (&Version, 0x00, sizeof(Version));
- Version.dwOSVersionInfoSize = sizeof(Version);
+ memset (&Version, 0x00, sizeof(Version));
+ Version.dwOSVersionInfoSize = sizeof(Version);
- if (GetVersionEx (&Version))
- {
- if (Version.dwPlatformId == VER_PLATFORM_WIN32_NT && Version.dwMajorVersion >= 6)
- fIsVista = TRUE;
- }
- fChecked = TRUE;
+ if (GetVersionEx (&Version))
+ {
+ if (Version.dwPlatformId == VER_PLATFORM_WIN32_NT && Version.dwMajorVersion >= 6)
+ fIsVista = TRUE;
+ }
+ fChecked = TRUE;
}
return fIsVista;
@@ -179,24 +180,24 @@ is_process_uac_limited (void)
if (!fChecked)
{
- NTSTATUS Status = 0;
- HANDLE TokenHandle;
- DWORD ElevationLevel;
- DWORD ReqLen;
- BOOL Success;
-
- if (is_windows_vista()) {
- Success = OpenProcessToken( GetCurrentProcess(), TOKEN_QUERY, &TokenHandle );
- if ( Success ) {
- Success = GetTokenInformation( TokenHandle,
- TokenOrigin+1 /* ElevationLevel */,
- &ElevationLevel, sizeof(DWORD), &ReqLen );
- CloseHandle( TokenHandle );
- if ( Success && ElevationLevel == 3 /* Limited */ )
- fIsUAC = TRUE;
- }
- }
- fChecked = TRUE;
+ NTSTATUS Status = 0;
+ HANDLE TokenHandle;
+ DWORD ElevationLevel;
+ DWORD ReqLen;
+ BOOL Success;
+
+ if (is_windows_vista()) {
+ Success = OpenProcessToken( GetCurrentProcess(), TOKEN_QUERY, &TokenHandle );
+ if ( Success ) {
+ Success = GetTokenInformation( TokenHandle,
+ TokenOrigin+1 /* ElevationLevel */,
+ &ElevationLevel, sizeof(DWORD), &ReqLen );
+ CloseHandle( TokenHandle );
+ if ( Success && ElevationLevel == 3 /* Limited */ )
+ fIsUAC = TRUE;
+ }
+ }
+ fChecked = TRUE;
}
return fIsUAC;
@@ -212,31 +213,31 @@ is_broken_wow64(void)
if (!fChecked)
{
- BOOL isWow64 = FALSE;
- OSVERSIONINFO Version;
- HANDLE h1 = NULL;
- LPFN_ISWOW64PROCESS fnIsWow64Process = NULL;
-
- h1 = GetModuleHandle(L"kernel32.dll");
- fnIsWow64Process =
- (LPFN_ISWOW64PROCESS)GetProcAddress(h1, "IsWow64Process");
-
- /* If we don't find the fnIsWow64Process function then we
- * are not running in a broken Wow64
- */
- if (fnIsWow64Process) {
- memset (&Version, 0x00, sizeof(Version));
- Version.dwOSVersionInfoSize = sizeof(Version);
-
- if (fnIsWow64Process(GetCurrentProcess(), &isWow64) &&
- GetVersionEx (&Version)) {
- if (isWow64 &&
- Version.dwPlatformId == VER_PLATFORM_WIN32_NT &&
- Version.dwMajorVersion < 6)
- fIsBrokenWow64 = TRUE;
- }
- }
- fChecked = TRUE;
+ BOOL isWow64 = FALSE;
+ OSVERSIONINFO Version;
+ HANDLE h1 = NULL;
+ LPFN_ISWOW64PROCESS fnIsWow64Process = NULL;
+
+ h1 = GetModuleHandle(L"kernel32.dll");
+ fnIsWow64Process =
+ (LPFN_ISWOW64PROCESS)GetProcAddress(h1, "IsWow64Process");
+
+ /* If we don't find the fnIsWow64Process function then we
+ * are not running in a broken Wow64
+ */
+ if (fnIsWow64Process) {
+ memset (&Version, 0x00, sizeof(Version));
+ Version.dwOSVersionInfoSize = sizeof(Version);
+
+ if (fnIsWow64Process(GetCurrentProcess(), &isWow64) &&
+ GetVersionEx (&Version)) {
+ if (isWow64 &&
+ Version.dwPlatformId == VER_PLATFORM_WIN32_NT &&
+ Version.dwMajorVersion < 6)
+ fIsBrokenWow64 = TRUE;
+ }
+ }
+ fChecked = TRUE;
}
return fIsBrokenWow64;
@@ -244,7 +245,7 @@ is_broken_wow64(void)
/* This flag is only supported by versions of Windows which have obtained
* a code change from Microsoft. When the code change is installed,
- * setting this flag will cause all retrieved credentials to be stored
+ * setting this flag will cause all retrieved credentials to be stored
* in the LSA cache.
*/
#ifndef KERB_RETRIEVE_TICKET_CACHE_TICKET
@@ -308,27 +309,27 @@ UnicodeToANSI(LPTSTR lpInputString, LPSTR lpszOutputString, int nOutStringLen)
// Only supporting non-Unicode strings
int reqLen = WideCharToMultiByte(CP_ACP, 0, (LPCWSTR) lpInputString, -1,
NULL, 0, NULL, NULL);
- if ( reqLen > nOutStringLen)
+ if ( reqLen > nOutStringLen)
{
return FALSE;
} else {
- if (WideCharToMultiByte(CP_ACP,
- /* WC_NO_BEST_FIT_CHARS | */ WC_COMPOSITECHECK,
- (LPCWSTR) lpInputString, -1,
- lpszOutputString,
- nOutStringLen, NULL, NULL) == 0)
- return FALSE;
+ if (WideCharToMultiByte(CP_ACP,
+ /* WC_NO_BEST_FIT_CHARS | */ WC_COMPOSITECHECK,
+ (LPCWSTR) lpInputString, -1,
+ lpszOutputString,
+ nOutStringLen, NULL, NULL) == 0)
+ return FALSE;
}
- }
+ }
else
{
// Looks like unicode, better translate it
- if (WideCharToMultiByte(CP_ACP,
- /* WC_NO_BEST_FIT_CHARS | */ WC_COMPOSITECHECK,
- (LPCWSTR) lpInputString, -1,
- lpszOutputString,
- nOutStringLen, NULL, NULL) == 0)
- return FALSE;
+ if (WideCharToMultiByte(CP_ACP,
+ /* WC_NO_BEST_FIT_CHARS | */ WC_COMPOSITECHECK,
+ (LPCWSTR) lpInputString, -1,
+ lpszOutputString,
+ nOutStringLen, NULL, NULL) == 0)
+ return FALSE;
}
return TRUE;
@@ -365,14 +366,14 @@ MITPrincToMSPrinc(krb5_context context, krb5_principal principal, UNICODE_STRING
msprinc->Length = strlen(aname) * sizeof(WCHAR);
if ( msprinc->Length <= msprinc->MaximumLength )
ANSIToUnicode(aname, msprinc->Buffer, msprinc->MaximumLength);
- else
+ else
msprinc->Length = 0;
krb5_free_unparsed_name(context,aname);
}
}
static BOOL
-UnicodeStringToMITPrinc(UNICODE_STRING *service, WCHAR *realm, krb5_context context,
+UnicodeStringToMITPrinc(UNICODE_STRING *service, WCHAR *realm, krb5_context context,
krb5_principal *principal)
{
WCHAR princbuf[512];
@@ -385,14 +386,14 @@ UnicodeStringToMITPrinc(UNICODE_STRING *service, WCHAR *realm, krb5_context cont
wcscat(princbuf, realm);
if (UnicodeToANSI(princbuf, aname, sizeof(aname))) {
if (krb5_parse_name(context, aname, principal) == 0)
- return TRUE;
+ return TRUE;
}
return FALSE;
}
static BOOL
-KerbExternalNameToMITPrinc(KERB_EXTERNAL_NAME *msprinc, WCHAR *realm, krb5_context context,
+KerbExternalNameToMITPrinc(KERB_EXTERNAL_NAME *msprinc, WCHAR *realm, krb5_context context,
krb5_principal *principal)
{
WCHAR princbuf[512],tmpbuf[128];
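Review bot: `wcscat(princbuf, realm)` at the top of this hunk appends to the fixed 512-WCHAR `princbuf` with no length check in view. The same call appears in KerbExternalNameToMITPrinc in the next hunk. The code that fills `princbuf` before the append is outside both hunks, so whether an earlier bound exists cannot be confirmed from here. If none exists, guard the append with `if (wcslen(princbuf) + wcslen(realm) + 1 > sizeof(princbuf)/sizeof(princbuf[0])) return FALSE;` in both functions.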
@@ -411,7 +412,7 @@ KerbExternalNameToMITPrinc(KERB_EXTERNAL_NAME *msprinc, WCHAR *realm, krb5_conte
wcscat(princbuf, realm);
if (UnicodeToANSI(princbuf, aname, sizeof(aname))) {
if (krb5_parse_name(context, aname, principal) == 0)
- return TRUE;
+ return TRUE;
}
return FALSE;
}
@@ -451,16 +452,16 @@ static BOOL
IsMSSessionKeyNull(KERB_CRYPTO_KEY *mskey)
{
DWORD i;
-
+
if (is_process_uac_limited())
- return TRUE;
+ return TRUE;
if (mskey->KeyType == KERB_ETYPE_NULL)
- return TRUE;
+ return TRUE;
for ( i=0; i<mskey->Length; i++ ) {
- if (mskey->Value[i])
- return FALSE;
+ if (mskey->Value[i])
+ return FALSE;
}
return TRUE;
@@ -482,12 +483,12 @@ MSTicketToMITTicket(KERB_EXTERNAL_TICKET *msticket, krb5_context context, krb5_d
tmpdata.length=msticket->EncodedTicketSize;
tmpdata.data=msticket->EncodedTicket;
- // this is ugly and will break krb5_free_data()
+ // this is ugly and will break krb5_free_data()
// now that this is being done within the library it won't break krb5_free_data()
rc = krb5_copy_data(context, &tmpdata, &newdata);
if (rc)
return FALSE;
-
+
memcpy(ticket, newdata, sizeof(krb5_data));
free(newdata);
return TRUE;
@@ -496,7 +497,7 @@ MSTicketToMITTicket(KERB_EXTERNAL_TICKET *msticket, krb5_context context, krb5_d
/*
* PreserveInitialTicketIdentity()
*
- * This will find the "PreserveInitialTicketIdentity" key in the registry.
+ * This will find the "PreserveInitialTicketIdentity" key in the registry.
* Returns 1 to preserve and 0 to not.
*/
@@ -520,7 +521,7 @@ PreserveInitialTicketIdentity(void)
RegCloseKey(hKey);
goto done;
- syskey:
+syskey:
if (RegOpenKeyExA(HKEY_LOCAL_MACHINE, key_path, 0, KEY_QUERY_VALUE, &hKey) != ERROR_SUCCESS)
goto done;
if (RegQueryValueExA(hKey, value_name, 0, &type, (LPBYTE)&retval, &size) != ERROR_SUCCESS)
@@ -530,13 +531,13 @@ PreserveInitialTicketIdentity(void)
}
RegCloseKey(hKey);
- done:
+done:
return retval;
}
static BOOL
-MSCredToMITCred(KERB_EXTERNAL_TICKET *msticket, UNICODE_STRING ClientRealm,
+MSCredToMITCred(KERB_EXTERNAL_TICKET *msticket, UNICODE_STRING ClientRealm,
krb5_context context, krb5_creds *creds)
{
WCHAR wrealm[128];
@@ -555,7 +556,7 @@ MSCredToMITCred(KERB_EXTERNAL_TICKET *msticket, UNICODE_STRING ClientRealm,
wrealm[msticket->DomainName.Length/sizeof(WCHAR)]=0;
if (!KerbExternalNameToMITPrinc(msticket->ServiceName, wrealm, context, &creds->server))
return FALSE;
- MSSessionKeyToMITKeyblock(&msticket->SessionKey, context,
+ MSSessionKeyToMITKeyblock(&msticket->SessionKey, context,
&creds->keyblock);
MSFlagsToMITFlags(msticket->TicketFlags, &creds->ticket_flags);
creds->times.starttime=FileTimeToUnixTime(&msticket->StartTime);
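Review bot: `wrealm[msticket->DomainName.Length/sizeof(WCHAR)]=0;` indexes the 128-element `wrealm` with a length taken straight from the LSA structure, and no comparison against the array size is visible. The copy that precedes it is outside this hunk, so a bound may exist there. If it does not, reject oversized names first with `if (msticket->DomainName.Length/sizeof(WCHAR) >= sizeof(wrealm)/sizeof(wrealm[0])) return FALSE;`. The `wcsncpy`/terminator pairs for `ClientRealm` and `ServerRealm` in the CacheInfoEx2ToMITCred hunk that follows have the same shape and need the same check. `wrealm`'s declaration is not visible for that function.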
@@ -581,14 +582,14 @@ CacheInfoEx2ToMITCred(KERB_TICKET_CACHE_INFO_EX2 *info,
wcsncpy(wrealm, info->ClientRealm.Buffer, info->ClientRealm.Length/sizeof(WCHAR));
wrealm[info->ClientRealm.Length/sizeof(WCHAR)]=0;
if (!UnicodeStringToMITPrinc(&info->ClientName, wrealm, context, &creds->client))
- return FALSE;
+ return FALSE;
// construct Service Principal
wcsncpy(wrealm, info->ServerRealm.Buffer,
info->ServerRealm.Length/sizeof(WCHAR));
wrealm[info->ServerRealm.Length/sizeof(WCHAR)]=0;
if (!UnicodeStringToMITPrinc(&info->ServerName, wrealm, context, &creds->server))
- return FALSE;
+ return FALSE;
creds->keyblock.magic = KV5M_KEYBLOCK;
creds->keyblock.enctype = info->SessionKeyType;
@@ -616,7 +617,7 @@ PackageConnectLookup(HANDLE *pLogonHandle, ULONG *pPackageId)
Status = LsaConnectUntrusted(
pLogonHandle
- );
+ );
if (FAILED(Status))
{
@@ -632,7 +633,7 @@ PackageConnectLookup(HANDLE *pLogonHandle, ULONG *pPackageId)
*pLogonHandle,
&Name,
pPackageId
- );
+ );
if (FAILED(Status))
{
@@ -644,123 +645,123 @@ PackageConnectLookup(HANDLE *pLogonHandle, ULONG *pPackageId)
}
-static BOOL
+static BOOL
does_retrieve_ticket_cache_ticket (void)
{
- static BOOL fChecked = FALSE;
- static BOOL fCachesTicket = FALSE;
-
- if (!fChecked)
- {
- NTSTATUS Status = 0;
- NTSTATUS SubStatus = 0;
- HANDLE LogonHandle;
- ULONG PackageId;
- ULONG RequestSize;
- PKERB_RETRIEVE_TKT_REQUEST pTicketRequest = NULL;
- PKERB_RETRIEVE_TKT_RESPONSE pTicketResponse = NULL;
- ULONG ResponseSize;
-
- RequestSize = sizeof(*pTicketRequest) + 1;
-
- if (!PackageConnectLookup(&LogonHandle, &PackageId))
- return FALSE;
-
- pTicketRequest = (PKERB_RETRIEVE_TKT_REQUEST) LocalAlloc(LMEM_ZEROINIT, RequestSize);
- if (!pTicketRequest) {
- CloseHandle(LogonHandle);
- return FALSE;
- }
-
- pTicketRequest->MessageType = KerbRetrieveEncodedTicketMessage;
- pTicketRequest->LogonId.LowPart = 0;
- pTicketRequest->LogonId.HighPart = 0;
- pTicketRequest->TargetName.Length = 0;
- pTicketRequest->TargetName.MaximumLength = 0;
- pTicketRequest->TargetName.Buffer = (PWSTR) (pTicketRequest + 1);
- pTicketRequest->CacheOptions =
- KERB_RETRIEVE_TICKET_DONT_USE_CACHE | KERB_RETRIEVE_TICKET_CACHE_TICKET;
- pTicketRequest->EncryptionType = 0;
- pTicketRequest->TicketFlags = 0;
-
- Status = LsaCallAuthenticationPackage( LogonHandle,
- PackageId,
- pTicketRequest,
- RequestSize,
- &pTicketResponse,
- &ResponseSize,
- &SubStatus
- );
-
- LocalFree(pTicketRequest);
- CloseHandle(LogonHandle);
-
- if (FAILED(Status) || FAILED(SubStatus)) {
- if ( SubStatus == STATUS_NOT_SUPPORTED )
- /* The combination of the two CacheOption flags
- * is not supported; therefore, the new flag is supported
- */
- fCachesTicket = TRUE;
- }
- fChecked = TRUE;
- }
-
- return fCachesTicket;
+ static BOOL fChecked = FALSE;
+ static BOOL fCachesTicket = FALSE;
+
+ if (!fChecked)
+ {
+ NTSTATUS Status = 0;
+ NTSTATUS SubStatus = 0;
+ HANDLE LogonHandle;
+ ULONG PackageId;
+ ULONG RequestSize;
+ PKERB_RETRIEVE_TKT_REQUEST pTicketRequest = NULL;
+ PKERB_RETRIEVE_TKT_RESPONSE pTicketResponse = NULL;
+ ULONG ResponseSize;
+
+ RequestSize = sizeof(*pTicketRequest) + 1;
+
+ if (!PackageConnectLookup(&LogonHandle, &PackageId))
+ return FALSE;
+
+ pTicketRequest = (PKERB_RETRIEVE_TKT_REQUEST) LocalAlloc(LMEM_ZEROINIT, RequestSize);
+ if (!pTicketRequest) {
+ CloseHandle(LogonHandle);
+ return FALSE;
+ }
+
+ pTicketRequest->MessageType = KerbRetrieveEncodedTicketMessage;
+ pTicketRequest->LogonId.LowPart = 0;
+ pTicketRequest->LogonId.HighPart = 0;
+ pTicketRequest->TargetName.Length = 0;
+ pTicketRequest->TargetName.MaximumLength = 0;
+ pTicketRequest->TargetName.Buffer = (PWSTR) (pTicketRequest + 1);
+ pTicketRequest->CacheOptions =
+ KERB_RETRIEVE_TICKET_DONT_USE_CACHE | KERB_RETRIEVE_TICKET_CACHE_TICKET;
+ pTicketRequest->EncryptionType = 0;
+ pTicketRequest->TicketFlags = 0;
+
+ Status = LsaCallAuthenticationPackage( LogonHandle,
+ PackageId,
+ pTicketRequest,
+ RequestSize,
+ &pTicketResponse,
+ &ResponseSize,
+ &SubStatus
+ );
+
+ LocalFree(pTicketRequest);
+ CloseHandle(LogonHandle);
+
+ if (FAILED(Status) || FAILED(SubStatus)) {
+ if ( SubStatus == STATUS_NOT_SUPPORTED )
+ /* The combination of the two CacheOption flags
+ * is not supported; therefore, the new flag is supported
+ */
+ fCachesTicket = TRUE;
+ }
+ fChecked = TRUE;
+ }
+
+ return fCachesTicket;
}
#ifdef HAVE_CACHE_INFO_EX2
-static BOOL
+static BOOL
does_query_ticket_cache_ex2 (void)
{
- static BOOL fChecked = FALSE;
- static BOOL fEx2Response = FALSE;
-
- if (!fChecked)
- {
- NTSTATUS Status = 0;
- NTSTATUS SubStatus = 0;
- HANDLE LogonHandle;
- ULONG PackageId;
- ULONG RequestSize;
- PKERB_QUERY_TKT_CACHE_REQUEST pCacheRequest = NULL;
- PKERB_QUERY_TKT_CACHE_EX2_RESPONSE pCacheResponse = NULL;
- ULONG ResponseSize;
-
- RequestSize = sizeof(*pCacheRequest) + 1;
-
- if (!PackageConnectLookup(&LogonHandle, &PackageId))
- return FALSE;
-
- pCacheRequest = (PKERB_QUERY_TKT_CACHE_REQUEST) LocalAlloc(LMEM_ZEROINIT, RequestSize);
- if (!pCacheRequest) {
- CloseHandle(LogonHandle);
- return FALSE;
- }
-
- pCacheRequest->MessageType = KerbQueryTicketCacheEx2Message;
- pCacheRequest->LogonId.LowPart = 0;
- pCacheRequest->LogonId.HighPart = 0;
-
- Status = LsaCallAuthenticationPackage( LogonHandle,
- PackageId,
- pCacheRequest,
- RequestSize,
- &pCacheResponse,
- &ResponseSize,
- &SubStatus
- );
-
- LocalFree(pCacheRequest);
- CloseHandle(LogonHandle);
-
- if (!(FAILED(Status) || FAILED(SubStatus))) {
- LsaFreeReturnBuffer(pCacheResponse);
- fEx2Response = TRUE;
- }
- fChecked = TRUE;
- }
-
- return fEx2Response;
+ static BOOL fChecked = FALSE;
+ static BOOL fEx2Response = FALSE;
+
+ if (!fChecked)
+ {
+ NTSTATUS Status = 0;
+ NTSTATUS SubStatus = 0;
+ HANDLE LogonHandle;
+ ULONG PackageId;
+ ULONG RequestSize;
+ PKERB_QUERY_TKT_CACHE_REQUEST pCacheRequest = NULL;
+ PKERB_QUERY_TKT_CACHE_EX2_RESPONSE pCacheResponse = NULL;
+ ULONG ResponseSize;
+
+ RequestSize = sizeof(*pCacheRequest) + 1;
+
+ if (!PackageConnectLookup(&LogonHandle, &PackageId))
+ return FALSE;
+
+ pCacheRequest = (PKERB_QUERY_TKT_CACHE_REQUEST) LocalAlloc(LMEM_ZEROINIT, RequestSize);
+ if (!pCacheRequest) {
+ CloseHandle(LogonHandle);
+ return FALSE;
+ }
+
+ pCacheRequest->MessageType = KerbQueryTicketCacheEx2Message;
+ pCacheRequest->LogonId.LowPart = 0;
+ pCacheRequest->LogonId.HighPart = 0;
+
+ Status = LsaCallAuthenticationPackage( LogonHandle,
+ PackageId,
+ pCacheRequest,
+ RequestSize,
+ &pCacheResponse,
+ &ResponseSize,
+ &SubStatus
+ );
+
+ LocalFree(pCacheRequest);
+ CloseHandle(LogonHandle);
+
+ if (!(FAILED(Status) || FAILED(SubStatus))) {
+ LsaFreeReturnBuffer(pCacheResponse);
+ fEx2Response = TRUE;
+ }
+ fChecked = TRUE;
+ }
+
+ return fEx2Response;
}
#endif /* HAVE_CACHE_INFO_EX2 */
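Review bot: does_retrieve_ticket_cache_ticket never releases `pTicketResponse`. After `LsaCallAuthenticationPackage` it frees only the request and the handle, whereas does_query_ticket_cache_ex2 below calls `LsaFreeReturnBuffer(pCacheResponse)` on success. If the probe succeeds, the LSA-allocated response stays allocated for the life of the process, and it presumably carries ticket material. Adding `if (pTicketResponse) LsaFreeReturnBuffer(pTicketResponse);` after `CloseHandle(LogonHandle);` fixes it. Both functions also `return FALSE` before setting `fChecked` when `PackageConnectLookup` or `LocalAlloc` fails, so the probe is retried on every call; a one-line comment should say whether that is intended.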
@@ -794,8 +795,8 @@ get_STRING_from_registry(HKEY hBaseKey, char * key, char * value, char * outbuf,
DWORD dwCount;
LONG rc;
- if (!outbuf || outlen == 0)
- return FALSE;
+ if (!outbuf || outlen == 0)
+ return FALSE;
rc = RegOpenKeyExA(hBaseKey, key, 0, KEY_QUERY_VALUE, &hKey);
if (rc)
@@ -838,11 +839,11 @@ GetSecurityLogonSessionData(PSECURITY_LOGON_SESSION_DATA * ppSessionData)
}
//
-// IsKerberosLogon() does not validate whether or not there are valid tickets in the
-// cache. It validates whether or not it is reasonable to assume that if we
-// attempted to retrieve valid tickets we could do so. Microsoft does not
+// IsKerberosLogon() does not validate whether or not there are valid tickets in the
+// cache. It validates whether or not it is reasonable to assume that if we
+// attempted to retrieve valid tickets we could do so. Microsoft does not
// automatically renew expired tickets. Therefore, the cache could contain
-// expired or invalid tickets. Microsoft also caches the user's password
+// expired or invalid tickets. Microsoft also caches the user's password
// and will use it to retrieve new TGTs if the cache is empty and tickets
// are requested.
@@ -896,7 +897,7 @@ ConstructTicketRequest(UNICODE_STRING DomainName, PKERB_RETRIEVE_TKT_REQUEST * o
TargetPrefix.MaximumLength = TargetPrefix.Length;
//
- // We will need to concatenate the "krbtgt/" prefix and the
+ // We will need to concatenate the "krbtgt/" prefix and the
// Logon Session's DnsDomainName into our request's target name.
//
// Therefore, first compute the necessary buffer size for that.
@@ -930,8 +931,8 @@ ConstructTicketRequest(UNICODE_STRING DomainName, PKERB_RETRIEVE_TKT_REQUEST * o
pTicketRequest->TargetName.MaximumLength = TargetSize;
pTicketRequest->TargetName.Buffer = (PWSTR) (pTicketRequest + 1);
Error = ConcatenateUnicodeStrings(&(pTicketRequest->TargetName),
- TargetPrefix,
- DomainName);
+ TargetPrefix,
+ DomainName);
*outRequest = pTicketRequest;
*outSize = RequestSize;
return Error;
@@ -954,20 +955,20 @@ PurgeAllTickets(HANDLE LogonHandle, ULONG PackageId)
PurgeRequest.RealmName.Length = 0;
PurgeRequest.RealmName.MaximumLength = 0;
Status = LsaCallAuthenticationPackage(LogonHandle,
- PackageId,
- &PurgeRequest,
- sizeof(PurgeRequest),
- NULL,
- NULL,
- &SubStatus
- );
+ PackageId,
+ &PurgeRequest,
+ sizeof(PurgeRequest),
+ NULL,
+ NULL,
+ &SubStatus
+ );
if (FAILED(Status) || FAILED(SubStatus))
return FALSE;
return TRUE;
}
static BOOL
-PurgeTicket2000( HANDLE LogonHandle, ULONG PackageId,
+PurgeTicket2000( HANDLE LogonHandle, ULONG PackageId,
krb5_context context, krb5_creds *cred )
{
NTSTATUS Status = 0;
@@ -1009,7 +1010,7 @@ PurgeTicket2000( HANDLE LogonHandle, ULONG PackageId,
NULL,
NULL,
&SubStatus
- );
+ );
free(pPurgeRequest);
krb5_free_unparsed_name(context, sname);
@@ -1021,7 +1022,7 @@ PurgeTicket2000( HANDLE LogonHandle, ULONG PackageId,
static BOOL
-PurgeTicketXP( HANDLE LogonHandle, ULONG PackageId,
+PurgeTicketXP( HANDLE LogonHandle, ULONG PackageId,
krb5_context context, krb5_flags flags, krb5_creds *cred)
{
NTSTATUS Status = 0;
@@ -1033,7 +1034,7 @@ PurgeTicketXP( HANDLE LogonHandle, ULONG PackageId,
if (krb5_unparse_name(context, cred->client, &cname))
return FALSE;
-
+
if (krb5_unparse_name(context, cred->server, &sname)) {
krb5_free_unparsed_name(context, cname);
return FALSE;
@@ -1093,7 +1094,7 @@ PurgeTicketXP( HANDLE LogonHandle, ULONG PackageId,
NULL,
NULL,
&SubStatus
- );
+ );
free(pPurgeRequest);
krb5_free_unparsed_name(context,cname);
krb5_free_unparsed_name(context,sname);
@@ -1105,7 +1106,7 @@ PurgeTicketXP( HANDLE LogonHandle, ULONG PackageId,
#ifdef KERB_SUBMIT_TICKET
static BOOL
-KerbSubmitTicket( HANDLE LogonHandle, ULONG PackageId,
+KerbSubmitTicket( HANDLE LogonHandle, ULONG PackageId,
krb5_context context, krb5_creds *cred)
{
NTSTATUS Status = 0;
@@ -1126,14 +1127,14 @@ KerbSubmitTicket( HANDLE LogonHandle, ULONG PackageId,
KRB5_AUTH_CONTEXT_RET_TIME)) {
return FALSE;
}
-
+
krb5_auth_con_getsendsubkey(context, auth_context, &keyblock);
if (keyblock == NULL)
krb5_auth_con_getkey(context, auth_context, &keyblock);
- /* make up a key, any key, that can be used to generate the
- * encrypted KRB_CRED pdu. The Vista release LSA requires
- * that an enctype other than NULL be used. */
+ /* make up a key, any key, that can be used to generate the
+ * encrypted KRB_CRED pdu. The Vista release LSA requires
+ * that an enctype other than NULL be used. */
if (keyblock == NULL) {
keyblock = (krb5_keyblock *)malloc(sizeof(krb5_keyblock));
keyblock->enctype = ENCTYPE_ARCFOUR_HMAC;
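Review bot: The result of `malloc(sizeof(krb5_keyblock))` is dereferenced on the very next line, `keyblock->enctype = ENCTYPE_ARCFOUR_HMAC;`, with no NULL check. Allocation failure therefore becomes a NULL write in the credential-submission path. Add `if (keyblock == NULL) { krb5_auth_con_free(context, auth_context); return FALSE; }` directly after the allocation. Anything else already acquired at that point is outside this hunk and would need releasing too. The return values of `krb5_auth_con_getsendsubkey` and `krb5_auth_con_getkey` are ignored above; that is harmless only because `keyblock` is re-tested afterwards, which deserves a short comment.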
@@ -1176,7 +1177,7 @@ KerbSubmitTicket( HANDLE LogonHandle, ULONG PackageId,
pSubmitRequest->LogonId.LowPart = 0;
pSubmitRequest->LogonId.HighPart = 0;
pSubmitRequest->Flags = 0;
-
+
if (keyblock) {
pSubmitRequest->Key.KeyType = keyblock->enctype;
pSubmitRequest->Key.Length = keyblock->length;
@@ -1192,7 +1193,7 @@ KerbSubmitTicket( HANDLE LogonHandle, ULONG PackageId,
krb_cred->data, krb_cred->length);
if (keyblock)
memcpy(((CHAR *)pSubmitRequest)+sizeof(KERB_SUBMIT_TKT_REQUEST)+krb_cred->length,
- keyblock->contents, keyblock->length);
+ keyblock->contents, keyblock->length);
krb5_free_data(context, krb_cred);
Status = LsaCallAuthenticationPackage( LogonHandle,
@@ -1202,20 +1203,20 @@ KerbSubmitTicket( HANDLE LogonHandle, ULONG PackageId,
NULL,
NULL,
&SubStatus
- );
+ );
free(pSubmitRequest);
if (keyblock)
krb5_free_keyblock(context, keyblock);
krb5_auth_con_free(context, auth_context);
if (FAILED(Status) || FAILED(SubStatus)) {
- return FALSE;
+ return FALSE;
}
return TRUE;
}
#endif /* KERB_SUBMIT_TICKET */
-/*
+/*
* A simple function to determine if there is an exact match between two tickets
* We rely on the fact that the external tickets contain the raw Kerberos ticket.
* If the EncodedTicket fields match, the KERB_EXTERNAL_TICKETs must be the same.
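Review bot: `free(pSubmitRequest);` releases a buffer that still holds key material. The previous hunk `memcpy`s `keyblock->contents` and the KRB_CRED data into it, and nothing clears it afterwards. Wipe it first with `SecureZeroMemory(pSubmitRequest, <request size>);`, using the size passed to `LsaCallAuthenticationPackage`, whose variable is outside this hunk. A plain `memset` before `free` may be optimised away, so it should not be used here. KerbSubmitTicket begins outside this hunk.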
@@ -1227,7 +1228,7 @@ KerbExternalTicketMatch( PKERB_EXTERNAL_TICKET one, PKERB_EXTERNAL_TICKET two )
return FALSE;
if ( memcmp(one->EncodedTicket, two->EncodedTicket, one->EncodedTicketSize) )
- return FALSE;
+ return FALSE;
return TRUE;
}
@@ -1240,12 +1241,12 @@ krb5_is_permitted_tgs_enctype(krb5_context context, krb5_const_principal princ,
if (krb5_get_tgs_ktypes(context, princ, &list))
return(0);
-
+
ret = 0;
for (ptr = list; *ptr; ptr++)
- if (*ptr == etype)
- ret = 1;
+ if (*ptr == etype)
+ ret = 1;
krb5_free_ktypes (context, list);
@@ -1256,7 +1257,7 @@ krb5_is_permitted_tgs_enctype(krb5_context context, krb5_const_principal princ,
// to allow the purging of expired tickets from LSA cache. This is necessary
// to force the retrieval of new TGTs. Microsoft does not appear to retrieve
// new tickets when they expire. Instead they continue to accept the expired
-// tickets. This is safe to do because the LSA purges its cache when it
+// tickets. This is safe to do because the LSA purges its cache when it
// retrieves a new TGT (ms calls this renew) but not when it renews the TGT
// (ms calls this refresh).
@@ -1287,7 +1288,7 @@ GetMSTGT(krb5_context context, HANDLE LogonHandle, ULONG PackageId, KERB_EXTERNA
krb5_enctype *etype_list = NULL, *ptr = NULL, etype = 0;
if (is_process_uac_limited()) {
- Status = STATUS_ACCESS_DENIED;
+ Status = STATUS_ACCESS_DENIED;
goto cleanup;
}
@@ -1304,12 +1305,12 @@ GetMSTGT(krb5_context context, HANDLE LogonHandle, ULONG PackageId, KERB_EXTERNA
&pTicketResponse,
&ResponseSize,
&SubStatus
- );
+ );
if (FAILED(Status))
{
// if the call to LsaCallAuthenticationPackage failed we cannot
- // perform any queries most likely because the Kerberos package
+ // perform any queries most likely because the Kerberos package
// is not available or we do not have access
bIsLsaError = TRUE;
goto cleanup;
@@ -1330,7 +1331,7 @@ GetMSTGT(krb5_context context, HANDLE LogonHandle, ULONG PackageId, KERB_EXTERNA
verinfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX);
GetVersionEx((OSVERSIONINFO *)&verinfo);
- supported = (verinfo.dwMajorVersion > 5) ||
+ supported = (verinfo.dwMajorVersion > 5) ||
(verinfo.dwMajorVersion == 5 && verinfo.dwMinorVersion >= 1);
// If we could not get a TGT from the cache we won't know what the
@@ -1340,7 +1341,7 @@ GetMSTGT(krb5_context context, HANDLE LogonHandle, ULONG PackageId, KERB_EXTERNA
if ( supported && GetSecurityLogonSessionData(&pSessionData) ) {
if ( pSessionData->DnsDomainName.Buffer ) {
Error = ConstructTicketRequest(pSessionData->DnsDomainName,
- &pTicketRequest, &RequestSize);
+ &pTicketRequest, &RequestSize);
LsaFreeReturnBuffer(pSessionData);
if ( Error )
goto cleanup;
@@ -1354,11 +1355,11 @@ GetMSTGT(krb5_context context, HANDLE LogonHandle, ULONG PackageId, KERB_EXTERNA
WCHAR UnicodeUserDnsDomain[256];
UNICODE_STRING wrapper;
if ( !get_STRING_from_registry(HKEY_CURRENT_USER,
- "Volatile Environment",
- "USERDNSDOMAIN",
+ "Volatile Environment",
+ "USERDNSDOMAIN",
UserDnsDomain,
sizeof(UserDnsDomain)
- ) )
+ ) )
{
goto cleanup;
}
@@ -1369,16 +1370,16 @@ GetMSTGT(krb5_context context, HANDLE LogonHandle, ULONG PackageId, KERB_EXTERNA
wrapper.MaximumLength = 256;
Error = ConstructTicketRequest(wrapper,
- &pTicketRequest, &RequestSize);
+ &pTicketRequest, &RequestSize);
if ( Error )
goto cleanup;
}
} else {
- /* We have succeeded in obtaining a credential from the cache.
+ /* We have succeeded in obtaining a credential from the cache.
* Assuming the enctype is one that we support and the ticket
* has not expired and is not marked invalid we will use it.
* Otherwise, we must create a new ticket request and obtain
- * a credential we can use.
+ * a credential we can use.
*/
#ifdef PURGE_ALL
@@ -1386,7 +1387,7 @@ GetMSTGT(krb5_context context, HANDLE LogonHandle, ULONG PackageId, KERB_EXTERNA
#else
/* Check Supported Enctypes */
if ( !enforce_tgs_enctypes ||
- IsMSSessionKeyNull(&pTicketResponse->Ticket.SessionKey) ||
+ IsMSSessionKeyNull(&pTicketResponse->Ticket.SessionKey) ||
krb5_is_permitted_tgs_enctype(context, NULL, pTicketResponse->Ticket.SessionKey.KeyType) ) {
FILETIME Now, MinLife, EndTime, LocalEndTime;
__int64 temp;
@@ -1421,7 +1422,7 @@ GetMSTGT(krb5_context context, HANDLE LogonHandle, ULONG PackageId, KERB_EXTERNA
#endif /* PURGE_ALL */
Error = ConstructTicketRequest(pTicketResponse->Ticket.TargetDomainName,
- &pTicketRequest, &RequestSize);
+ &pTicketRequest, &RequestSize);
if ( Error ) {
goto cleanup;
}
@@ -1439,7 +1440,7 @@ GetMSTGT(krb5_context context, HANDLE LogonHandle, ULONG PackageId, KERB_EXTERNA
#ifdef ENABLE_PURGING
if ( purge_cache ) {
//
- // Purge the existing tickets which we cannot use so new ones can
+ // Purge the existing tickets which we cannot use so new ones can
// be requested. It is not possible to purge just the TGT. All
// service tickets must be purged.
//
@@ -1447,7 +1448,7 @@ GetMSTGT(krb5_context context, HANDLE LogonHandle, ULONG PackageId, KERB_EXTERNA
}
#endif /* ENABLE_PURGING */
}
-
+
//
// Intialize the request of the request.
//
@@ -1457,8 +1458,8 @@ GetMSTGT(krb5_context context, HANDLE LogonHandle, ULONG PackageId, KERB_EXTERNA
pTicketRequest->LogonId.HighPart = 0;
// Note: pTicketRequest->TargetName set up above
#ifdef ENABLE_PURGING
- pTicketRequest->CacheOptions = ((ignore_cache || !purge_cache) ?
- KERB_RETRIEVE_TICKET_DONT_USE_CACHE : 0L);
+ pTicketRequest->CacheOptions = ((ignore_cache || !purge_cache) ?
+ KERB_RETRIEVE_TICKET_DONT_USE_CACHE : 0L);
#else
pTicketRequest->CacheOptions = (ignore_cache ? KERB_RETRIEVE_TICKET_DONT_USE_CACHE : 0L);
#endif /* ENABLE_PURGING */
@@ -1472,7 +1473,7 @@ GetMSTGT(krb5_context context, HANDLE LogonHandle, ULONG PackageId, KERB_EXTERNA
&pTicketResponse,
&ResponseSize,
&SubStatus
- );
+ );
if (FAILED(Status) || FAILED(SubStatus))
{
@@ -1520,7 +1521,7 @@ GetMSTGT(krb5_context context, HANDLE LogonHandle, ULONG PackageId, KERB_EXTERNA
&pTicketResponse,
&ResponseSize,
&SubStatus
- );
+ );
if (FAILED(Status) || FAILED(SubStatus))
{
@@ -1528,9 +1529,9 @@ GetMSTGT(krb5_context context, HANDLE LogonHandle, ULONG PackageId, KERB_EXTERNA
goto cleanup;
}
- if ( pTicketResponse->Ticket.SessionKey.KeyType == etype &&
+ if ( pTicketResponse->Ticket.SessionKey.KeyType == etype &&
(!enforce_tgs_enctypes ||
- krb5_is_permitted_tgs_enctype(context, NULL, pTicketResponse->Ticket.SessionKey.KeyType)) ) {
+ krb5_is_permitted_tgs_enctype(context, NULL, pTicketResponse->Ticket.SessionKey.KeyType)) ) {
goto cleanup; // we have a valid ticket, all done
}
@@ -1541,7 +1542,7 @@ GetMSTGT(krb5_context context, HANDLE LogonHandle, ULONG PackageId, KERB_EXTERNA
}
}
- cleanup:
+cleanup:
if ( etype_list )
krb5_free_ktypes(context, etype_list);
@@ -1585,7 +1586,7 @@ GetQueryTktCacheResponseW2K( HANDLE LogonHandle, ULONG PackageId,
KERB_QUERY_TKT_CACHE_REQUEST CacheRequest;
PKERB_QUERY_TKT_CACHE_RESPONSE pQueryResponse = NULL;
ULONG ResponseSize;
-
+
CacheRequest.MessageType = KerbQueryTicketCacheMessage;
CacheRequest.LogonId.LowPart = 0;
CacheRequest.LogonId.HighPart = 0;
@@ -1598,7 +1599,7 @@ GetQueryTktCacheResponseW2K( HANDLE LogonHandle, ULONG PackageId,
&pQueryResponse,
&ResponseSize,
&SubStatus
- );
+ );
if ( !(FAILED(Status) || FAILED(SubStatus)) ) {
*ppResponse = pQueryResponse;
@@ -1618,7 +1619,7 @@ GetQueryTktCacheResponseXP( HANDLE LogonHandle, ULONG PackageId,
KERB_QUERY_TKT_CACHE_REQUEST CacheRequest;
PKERB_QUERY_TKT_CACHE_EX_RESPONSE pQueryResponse = NULL;
ULONG ResponseSize;
-
+
CacheRequest.MessageType = KerbQueryTicketCacheExMessage;
CacheRequest.LogonId.LowPart = 0;
CacheRequest.LogonId.HighPart = 0;
@@ -1631,7 +1632,7 @@ GetQueryTktCacheResponseXP( HANDLE LogonHandle, ULONG PackageId,
&pQueryResponse,
&ResponseSize,
&SubStatus
- );
+ );
if ( !(FAILED(Status) || FAILED(SubStatus)) ) {
*ppResponse = pQueryResponse;
@@ -1652,7 +1653,7 @@ GetQueryTktCacheResponseEX2( HANDLE LogonHandle, ULONG PackageId,
KERB_QUERY_TKT_CACHE_REQUEST CacheRequest;
PKERB_QUERY_TKT_CACHE_EX2_RESPONSE pQueryResponse = NULL;
ULONG ResponseSize;
-
+
CacheRequest.MessageType = KerbQueryTicketCacheEx2Message;
CacheRequest.LogonId.LowPart = 0;
CacheRequest.LogonId.HighPart = 0;
@@ -1665,7 +1666,7 @@ GetQueryTktCacheResponseEX2( HANDLE LogonHandle, ULONG PackageId,
&pQueryResponse,
&ResponseSize,
&SubStatus
- );
+ );
if ( !(FAILED(Status) || FAILED(SubStatus)) ) {
*ppResponse = pQueryResponse;
@@ -1678,7 +1679,7 @@ GetQueryTktCacheResponseEX2( HANDLE LogonHandle, ULONG PackageId,
static BOOL
GetMSCacheTicketFromMITCred( HANDLE LogonHandle, ULONG PackageId,
- krb5_context context, krb5_creds *creds,
+ krb5_context context, krb5_creds *creds,
PKERB_EXTERNAL_TICKET *ticket)
{
NTSTATUS Status = 0;
@@ -1715,7 +1716,7 @@ GetMSCacheTicketFromMITCred( HANDLE LogonHandle, ULONG PackageId,
&pTicketResponse,
&ResponseSize,
&SubStatus
- );
+ );
LocalFree(pTicketRequest);
@@ -1729,7 +1730,7 @@ GetMSCacheTicketFromMITCred( HANDLE LogonHandle, ULONG PackageId,
static BOOL
GetMSCacheTicketFromCacheInfoW2K( HANDLE LogonHandle, ULONG PackageId,
- PKERB_TICKET_CACHE_INFO tktinfo, PKERB_EXTERNAL_TICKET *ticket)
+ PKERB_TICKET_CACHE_INFO tktinfo, PKERB_EXTERNAL_TICKET *ticket)
{
NTSTATUS Status = 0;
NTSTATUS SubStatus = 0;
@@ -1773,13 +1774,13 @@ GetMSCacheTicketFromCacheInfoW2K( HANDLE LogonHandle, ULONG PackageId,
&pTicketResponse,
&ResponseSize,
&SubStatus
- );
+ );
LocalFree(pTicketRequest);
if (FAILED(Status) || FAILED(SubStatus))
return(FALSE);
-
+
/* otherwise return ticket */
*ticket = &(pTicketResponse->Ticket);
@@ -1795,7 +1796,7 @@ GetMSCacheTicketFromCacheInfoW2K( HANDLE LogonHandle, ULONG PackageId,
static BOOL
GetMSCacheTicketFromCacheInfoXP( HANDLE LogonHandle, ULONG PackageId,
- PKERB_TICKET_CACHE_INFO_EX tktinfo, PKERB_EXTERNAL_TICKET *ticket)
+ PKERB_TICKET_CACHE_INFO_EX tktinfo, PKERB_EXTERNAL_TICKET *ticket)
{
NTSTATUS Status = 0;
NTSTATUS SubStatus = 0;
@@ -1837,16 +1838,16 @@ GetMSCacheTicketFromCacheInfoXP( HANDLE LogonHandle, ULONG PackageId,
&pTicketResponse,
&ResponseSize,
&SubStatus
- );
+ );
LocalFree(pTicketRequest);
if (FAILED(Status) || FAILED(SubStatus))
return(FALSE);
-
+
/* otherwise return ticket */
*ticket = &(pTicketResponse->Ticket);
-
+
/* set the initial flag if we were attempting to retrieve one
* because Windows won't necessarily return the initial ticket
* to us.
@@ -1860,7 +1861,7 @@ GetMSCacheTicketFromCacheInfoXP( HANDLE LogonHandle, ULONG PackageId,
#ifdef HAVE_CACHE_INFO_EX2
static BOOL
GetMSCacheTicketFromCacheInfoEX2( HANDLE LogonHandle, ULONG PackageId,
- PKERB_TICKET_CACHE_INFO_EX2 tktinfo, PKERB_EXTERNAL_TICKET *ticket)
+ PKERB_TICKET_CACHE_INFO_EX2 tktinfo, PKERB_EXTERNAL_TICKET *ticket)
{
NTSTATUS Status = 0;
NTSTATUS SubStatus = 0;
@@ -1902,71 +1903,71 @@ GetMSCacheTicketFromCacheInfoEX2( HANDLE LogonHandle, ULONG PackageId,
&pTicketResponse,
&ResponseSize,
&SubStatus
- );
+ );
LocalFree(pTicketRequest);
if (FAILED(Status) || FAILED(SubStatus))
return(FALSE);
-
+
/* otherwise return ticket */
*ticket = &(pTicketResponse->Ticket);
-
+
/* set the initial flag if we were attempting to retrieve one
- * because Windows won't necessarily return the initial ticket
- * to us.
- */
- if ( tktinfo->TicketFlags & KERB_TICKET_FLAGS_initial )
- (*ticket)->TicketFlags |= KERB_TICKET_FLAGS_initial;
+ * because Windows won't necessarily return the initial ticket
+ * to us.
+ */
+ if ( tktinfo->TicketFlags & KERB_TICKET_FLAGS_initial )
+ (*ticket)->TicketFlags |= KERB_TICKET_FLAGS_initial;
return(TRUE);
}
#endif /* HAVE_CACHE_INFO_EX2 */
static krb5_error_code KRB5_CALLCONV krb5_lcc_close
- (krb5_context, krb5_ccache id);
+(krb5_context, krb5_ccache id);
static krb5_error_code KRB5_CALLCONV krb5_lcc_destroy
- (krb5_context, krb5_ccache id);
+(krb5_context, krb5_ccache id);
static krb5_error_code KRB5_CALLCONV krb5_lcc_end_seq_get
- (krb5_context, krb5_ccache id, krb5_cc_cursor *cursor);
+(krb5_context, krb5_ccache id, krb5_cc_cursor *cursor);
static krb5_error_code KRB5_CALLCONV krb5_lcc_generate_new
- (krb5_context, krb5_ccache *id);
+(krb5_context, krb5_ccache *id);
static const char * KRB5_CALLCONV krb5_lcc_get_name
- (krb5_context, krb5_ccache id);
+(krb5_context, krb5_ccache id);
static krb5_error_code KRB5_CALLCONV krb5_lcc_get_principal
- (krb5_context, krb5_ccache id, krb5_principal *princ);
+(krb5_context, krb5_ccache id, krb5_principal *princ);
static krb5_error_code KRB5_CALLCONV krb5_lcc_initialize
- (krb5_context, krb5_ccache id, krb5_principal princ);
+(krb5_context, krb5_ccache id, krb5_principal princ);
static krb5_error_code KRB5_CALLCONV krb5_lcc_next_cred
- (krb5_context, krb5_ccache id, krb5_cc_cursor *cursor,
- krb5_creds *creds);
+(krb5_context, krb5_ccache id, krb5_cc_cursor *cursor,
+ krb5_creds *creds);
static krb5_error_code KRB5_CALLCONV krb5_lcc_resolve
- (krb5_context, krb5_ccache *id, const char *residual);
+(krb5_context, krb5_ccache *id, const char *residual);
static krb5_error_code KRB5_CALLCONV krb5_lcc_retrieve
- (krb5_context, krb5_ccache id, krb5_flags whichfields,
- krb5_creds *mcreds, krb5_creds *creds);
+(krb5_context, krb5_ccache id, krb5_flags whichfields,
+ krb5_creds *mcreds, krb5_creds *creds);
static krb5_error_code KRB5_CALLCONV krb5_lcc_start_seq_get
- (krb5_context, krb5_ccache id, krb5_cc_cursor *cursor);
+(krb5_context, krb5_ccache id, krb5_cc_cursor *cursor);
static krb5_error_code KRB5_CALLCONV krb5_lcc_store
- (krb5_context, krb5_ccache id, krb5_creds *creds);
+(krb5_context, krb5_ccache id, krb5_creds *creds);
static krb5_error_code KRB5_CALLCONV krb5_lcc_set_flags
- (krb5_context, krb5_ccache id, krb5_flags flags);
+(krb5_context, krb5_ccache id, krb5_flags flags);
static krb5_error_code KRB5_CALLCONV krb5_lcc_get_flags
- (krb5_context, krb5_ccache id, krb5_flags *flags);
+(krb5_context, krb5_ccache id, krb5_flags *flags);
extern const krb5_cc_ops krb5_lcc_ops;
@@ -2004,18 +2005,18 @@ typedef struct _krb5_lcc_cursor {
*
* Modifies:
* id
- *
+ *
* Effects:
* Acccess the MS Kerberos LSA cache in the current logon session
* Ignore the residual.
- *
+ *
* Returns:
* A filled in krb5_ccache structure "id".
*
* Errors:
* KRB5_CC_NOMEM - there was insufficient memory to allocate the
- *
- * krb5_ccache. id is undefined.
+ *
+ * krb5_ccache. id is undefined.
* permission errors
*/
static krb5_error_code KRB5_CALLCONV
@@ -2032,7 +2033,7 @@ krb5_lcc_resolve (krb5_context context, krb5_ccache *id, const char *residual)
return KRB5_FCC_NOFILE;
#ifdef COMMENT
- /* In at least one case on Win2003 it appears that it is possible
+ /* In at least one case on Win2003 it appears that it is possible
* for the logon session to be authenticated via NTLM and yet for
* there to be Kerberos credentials obtained by the LSA on behalf
* of the logged in user. Therefore, we are removing this test
@@ -2062,7 +2063,7 @@ krb5_lcc_resolve (krb5_context context, krb5_ccache *id, const char *residual)
}
lid->magic = KV5M_CCACHE;
- data = (krb5_lcc_data *)lid->data;
+ data = (krb5_lcc_data *)lid->data;
data->LogonHandle = LogonHandle;
data->PackageId = PackageId;
data->princ = 0;
@@ -2099,16 +2100,16 @@ krb5_lcc_resolve (krb5_context context, krb5_ccache *id, const char *residual)
/*
* other routines will get errors on open, and callers must expect them,
- * if cache is non-existent/unusable
+ * if cache is non-existent/unusable
*/
*id = lid;
return retval;
}
/*
-* return success although we do not do anything
-* We should delete all tickets belonging to the specified principal
-*/
+ * return success although we do not do anything
+ * We should delete all tickets belonging to the specified principal
+ */
static krb5_error_code KRB5_CALLCONV
krb5_lcc_remove_cred(krb5_context context, krb5_ccache id, krb5_flags flags,
@@ -2160,7 +2161,7 @@ krb5_lcc_close(krb5_context context, krb5_ccache id)
{
register int closeval = KRB5_OK;
register krb5_lcc_data *data;
-
+
if (!is_windows_2000())
return KRB5_FCC_NOFILE;
@@ -2187,15 +2188,15 @@ static krb5_error_code KRB5_CALLCONV
krb5_lcc_destroy(krb5_context context, krb5_ccache id)
{
register krb5_lcc_data *data;
-
+
if (!is_windows_2000())
return KRB5_FCC_NOFILE;
- if (id) {
+ if (id) {
data = (krb5_lcc_data *) id->data;
return PurgeAllTickets(data->LogonHandle, data->PackageId) ? KRB5_OK : KRB5_FCC_INTERNAL;
- }
+ }
return KRB5_FCC_INTERNAL;
}
@@ -2244,23 +2245,23 @@ krb5_lcc_start_seq_get(krb5_context context, krb5_ccache id, krb5_cc_cursor *cur
*cursor = 0;
return KRB5_FCC_INTERNAL;
}
- } else
+ } else
#endif /* HAVE_CACHE_INFO_EX2 */
- if ( is_windows_xp() ) {
- if ( !GetQueryTktCacheResponseXP(data->LogonHandle, data->PackageId, &lcursor->response.xp) ) {
- LsaFreeReturnBuffer(lcursor->mstgt);
- free(lcursor);
- *cursor = 0;
- return KRB5_FCC_INTERNAL;
- }
- } else {
- if ( !GetQueryTktCacheResponseW2K(data->LogonHandle, data->PackageId, &lcursor->response.w2k) ) {
- LsaFreeReturnBuffer(lcursor->mstgt);
- free(lcursor);
- *cursor = 0;
- return KRB5_FCC_INTERNAL;
+ if ( is_windows_xp() ) {
+ if ( !GetQueryTktCacheResponseXP(data->LogonHandle, data->PackageId, &lcursor->response.xp) ) {
+ LsaFreeReturnBuffer(lcursor->mstgt);
+ free(lcursor);
+ *cursor = 0;
+ return KRB5_FCC_INTERNAL;
+ }
+ } else {
+ if ( !GetQueryTktCacheResponseW2K(data->LogonHandle, data->PackageId, &lcursor->response.w2k) ) {
+ LsaFreeReturnBuffer(lcursor->mstgt);
+ free(lcursor);
+ *cursor = 0;
+ return KRB5_FCC_INTERNAL;
+ }
}
- }
lcursor->index = 0;
*cursor = (krb5_cc_cursor) lcursor;
return KRB5_OK;
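Review bot: The re-indented `if ( is_windows_xp() )` chain now reads as the body of the `} else` above `#endif /* HAVE_CACHE_INFO_EX2 */`, but that `else` exists only when the macro is defined. Without the macro, the chain is an ordinary statement indented one level too deep. A statement later inserted between the `#endif` and the `if` would silently become the else-body, and the XP/W2K query would then run even after the EX2 path succeeded. A one-line comment after the `#endif`, such as `/* else-branch of the EX2 test above when HAVE_CACHE_INFO_EX2 is defined */`, would make the coupling explicit. The same construct recurs in the krb5_lcc_next_cred and krb5_lcc_end_seq_get hunks, and krb5_lcc_start_seq_get begins outside this hunk.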
@@ -2274,7 +2275,7 @@ krb5_lcc_start_seq_get(krb5_context context, krb5_ccache id, krb5_cc_cursor *cur
*
* Modifes:
* cursor
- *
+ *
* Effects:
* Fills in creds with the TGT obtained from the MS LSA
*
@@ -2297,7 +2298,7 @@ krb5_lcc_next_cred(krb5_context context, krb5_ccache id, krb5_cc_cursor *cursor,
data = (krb5_lcc_data *)id->data;
- next_cred:
+next_cred:
#ifdef HAVE_CACHE_INFO_EX2
if ( does_query_ticket_cache_ex2() ) {
if ( lcursor->index >= lcursor->response.ex2->CountOfTickets ) {
@@ -2313,58 +2314,58 @@ krb5_lcc_next_cred(krb5_context context, krb5_ccache id, krb5_cc_cursor *cursor,
}
if ( data->flags & KRB5_TC_NOTICKET ) {
- if (!CacheInfoEx2ToMITCred( &lcursor->response.ex2->Tickets[lcursor->index++],
- context, creds)) {
+ if (!CacheInfoEx2ToMITCred( &lcursor->response.ex2->Tickets[lcursor->index++],
+ context, creds)) {
retval = KRB5_FCC_INTERNAL;
goto next_cred;
- }
+ }
return KRB5_OK;
} else {
if (!GetMSCacheTicketFromCacheInfoEX2(data->LogonHandle, data->PackageId,
- &lcursor->response.ex2->Tickets[lcursor->index++],&msticket)) {
+ &lcursor->response.ex2->Tickets[lcursor->index++],&msticket)) {
retval = KRB5_FCC_INTERNAL;
goto next_cred;
}
}
- } else
+ } else
#endif /* HAVE_CACHE_INFO_EX2 */
- if ( is_windows_xp() ) {
- if ( lcursor->index >= lcursor->response.xp->CountOfTickets ) {
- if (retval == KRB5_OK)
- return KRB5_CC_END;
- else {
- LsaFreeReturnBuffer(lcursor->mstgt);
- LsaFreeReturnBuffer(lcursor->response.xp);
- free(*cursor);
- *cursor = 0;
- return retval;
+ if ( is_windows_xp() ) {
+ if ( lcursor->index >= lcursor->response.xp->CountOfTickets ) {
+ if (retval == KRB5_OK)
+ return KRB5_CC_END;
+ else {
+ LsaFreeReturnBuffer(lcursor->mstgt);
+ LsaFreeReturnBuffer(lcursor->response.xp);
+ free(*cursor);
+ *cursor = 0;
+ return retval;
+ }
}
- }
- if (!GetMSCacheTicketFromCacheInfoXP(data->LogonHandle, data->PackageId,
- &lcursor->response.xp->Tickets[lcursor->index++],&msticket)) {
- retval = KRB5_FCC_INTERNAL;
- goto next_cred;
- }
- } else {
- if ( lcursor->index >= lcursor->response.w2k->CountOfTickets ) {
- if (retval == KRB5_OK)
- return KRB5_CC_END;
- else {
- LsaFreeReturnBuffer(lcursor->mstgt);
- LsaFreeReturnBuffer(lcursor->response.w2k);
- free(*cursor);
- *cursor = 0;
- return retval;
+ if (!GetMSCacheTicketFromCacheInfoXP(data->LogonHandle, data->PackageId,
+ &lcursor->response.xp->Tickets[lcursor->index++],&msticket)) {
+ retval = KRB5_FCC_INTERNAL;
+ goto next_cred;
+ }
+ } else {
+ if ( lcursor->index >= lcursor->response.w2k->CountOfTickets ) {
+ if (retval == KRB5_OK)
+ return KRB5_CC_END;
+ else {
+ LsaFreeReturnBuffer(lcursor->mstgt);
+ LsaFreeReturnBuffer(lcursor->response.w2k);
+ free(*cursor);
+ *cursor = 0;
+ return retval;
+ }
}
- }
- if (!GetMSCacheTicketFromCacheInfoW2K(data->LogonHandle, data->PackageId,
- &lcursor->response.w2k->Tickets[lcursor->index++],&msticket)) {
- retval = KRB5_FCC_INTERNAL;
- goto next_cred;
+ if (!GetMSCacheTicketFromCacheInfoW2K(data->LogonHandle, data->PackageId,
+ &lcursor->response.w2k->Tickets[lcursor->index++],&msticket)) {
+ retval = KRB5_FCC_INTERNAL;
+ goto next_cred;
+ }
}
- }
/* Don't return tickets with NULL Session Keys */
if ( IsMSSessionKeyNull(&msticket->SessionKey) ) {
@@ -2377,15 +2378,15 @@ krb5_lcc_next_cred(krb5_context context, krb5_ccache id, krb5_cc_cursor *cursor,
if ( does_query_ticket_cache_ex2() ) {
if (!MSCredToMITCred(msticket, lcursor->response.ex2->Tickets[lcursor->index-1].ClientRealm, context, creds))
retval = KRB5_FCC_INTERNAL;
- } else
+ } else
#endif /* HAVE_CACHE_INFO_EX2 */
- if ( is_windows_xp() ) {
- if (!MSCredToMITCred(msticket, lcursor->response.xp->Tickets[lcursor->index-1].ClientRealm, context, creds))
- retval = KRB5_FCC_INTERNAL;
- } else {
- if (!MSCredToMITCred(msticket, lcursor->mstgt->DomainName, context, creds))
- retval = KRB5_FCC_INTERNAL;
- }
+ if ( is_windows_xp() ) {
+ if (!MSCredToMITCred(msticket, lcursor->response.xp->Tickets[lcursor->index-1].ClientRealm, context, creds))
+ retval = KRB5_FCC_INTERNAL;
+ } else {
+ if (!MSCredToMITCred(msticket, lcursor->mstgt->DomainName, context, creds))
+ retval = KRB5_FCC_INTERNAL;
+ }
LsaFreeReturnBuffer(msticket);
return retval;
}
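Review bot: `return retval;` at the end of krb5_lcc_next_cred can return a stale error alongside a filled-in `creds`. The skip paths in the previous hunk set `retval = KRB5_FCC_INTERNAL` before `goto next_cred`, and here retval is assigned only when MSCredToMITCred fails, never back to KRB5_OK. Unless it is reset in lines outside these hunks, one unreadable ticket makes every later successful conversion report failure, and a caller that stops at the first non-OK result would leak the converted credential. Keeping the carried skip error in its own local and returning KRB5_OK whenever the conversion succeeded would separate the two cases. The function starts outside this hunk.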
@@ -2416,12 +2417,12 @@ krb5_lcc_end_seq_get(krb5_context context, krb5_ccache id, krb5_cc_cursor *curso
#ifdef HAVE_CACHE_INFO_EX2
if ( does_query_ticket_cache_ex2() )
LsaFreeReturnBuffer(lcursor->response.ex2);
- else
-#endif /* HAVE_CACHE_INFO_EX2 */
- if ( is_windows_xp() )
- LsaFreeReturnBuffer(lcursor->response.xp);
else
- LsaFreeReturnBuffer(lcursor->response.w2k);
+#endif /* HAVE_CACHE_INFO_EX2 */
+ if ( is_windows_xp() )
+ LsaFreeReturnBuffer(lcursor->response.xp);
+ else
+ LsaFreeReturnBuffer(lcursor->response.w2k);
free(*cursor);
}
*cursor = 0;
@@ -2446,7 +2447,7 @@ krb5_lcc_generate_new (krb5_context context, krb5_ccache *id)
/*
* Requires:
* id is a ms lsa credential cache
- *
+ *
* Returns:
* The ccname specified during the krb5_lcc_resolve call
*/
@@ -2505,14 +2506,14 @@ krb5_lcc_get_principal(krb5_context context, krb5_ccache id, krb5_principal *pri
krb5_copy_principal(context, creds.client, &data->princ);
krb5_free_cred_contents(context,&creds);
return krb5_copy_principal(context, data->princ, princ);
- }
+ }
}
return KRB5_CC_NOTFOUND;
}
-
+
static krb5_error_code KRB5_CALLCONV
-krb5_lcc_retrieve(krb5_context context, krb5_ccache id, krb5_flags whichfields,
+krb5_lcc_retrieve(krb5_context context, krb5_ccache id, krb5_flags whichfields,
krb5_creds *mcreds, krb5_creds *creds)
{
krb5_error_code kret = KRB5_OK;
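Review bot: The first `krb5_copy_principal(context, creds.client, &data->princ);` in krb5_lcc_get_principal discards its return value. An allocation failure therefore goes unnoticed before `data->princ` is used as the source of the second copy. Capturing the result in a local, calling `krb5_free_cred_contents(context,&creds);`, and returning the error when it is non-zero would stop a failed cache fill from reaching the second call. The function body begins outside this hunk, so whether `data->princ` is known to be NULL at this point is not visible here.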
@@ -2530,7 +2531,7 @@ krb5_lcc_retrieve(krb5_context context, krb5_ccache id, krb5_flags whichfields,
kret = krb5_cc_retrieve_cred_default (context, id, whichfields, mcreds, creds);
if ( !kret )
return KRB5_OK;
-
+
/* if not, we must try to get a ticket without specifying any flags or etypes */
kret = krb5_copy_creds(context, mcreds, &mcreds_noflags);
if (kret)
@@ -2585,7 +2586,7 @@ krb5_lcc_retrieve(krb5_context context, krb5_ccache id, krb5_flags whichfields,
for ( i=0; i<pResponse->CountOfTickets; i++ ) {
if (!GetMSCacheTicketFromCacheInfoXP(data->LogonHandle, data->PackageId,
- &pResponse->Tickets[i],&mstmp)) {
+ &pResponse->Tickets[i],&mstmp)) {
continue;
}
@@ -2616,7 +2617,7 @@ krb5_lcc_retrieve(krb5_context context, krb5_ccache id, krb5_flags whichfields,
kret = KRB5_CC_NOTFOUND;
}
- cleanup:
+cleanup:
if ( mstmp )
LsaFreeReturnBuffer(mstmp);
if ( mstgt )
@@ -2678,12 +2679,12 @@ krb5_lcc_store(krb5_context context, krb5_ccache id, krb5_creds *creds)
return KRB5_CC_READONLY;
}
-/*
+/*
* Individual credentials can be implemented differently depending
* on the operating system version. (undocumented.)
- *
+ *
* Errors:
- * KRB5_CC_READONLY:
+ * KRB5_CC_READONLY:
*/
static krb5_error_code KRB5_CALLCONV
krb5_lcc_remove_cred(krb5_context context, krb5_ccache id, krb5_flags flags,
@@ -2735,28 +2736,28 @@ krb5_lcc_get_flags(krb5_context context, krb5_ccache id, krb5_flags *flags)
}
const krb5_cc_ops krb5_lcc_ops = {
- 0,
- "MSLSA",
- krb5_lcc_get_name,
- krb5_lcc_resolve,
- krb5_lcc_generate_new,
- krb5_lcc_initialize,
- krb5_lcc_destroy,
- krb5_lcc_close,
- krb5_lcc_store,
- krb5_lcc_retrieve,
- krb5_lcc_get_principal,
- krb5_lcc_start_seq_get,
- krb5_lcc_next_cred,
- krb5_lcc_end_seq_get,
- krb5_lcc_remove_cred,
- krb5_lcc_set_flags,
- krb5_lcc_get_flags,
- NULL,
- NULL,
- NULL,
- NULL,
- NULL,
- NULL,
+ 0,
+ "MSLSA",
+ krb5_lcc_get_name,
+ krb5_lcc_resolve,
+ krb5_lcc_generate_new,
+ krb5_lcc_initialize,
+ krb5_lcc_destroy,
+ krb5_lcc_close,
+ krb5_lcc_store,
+ krb5_lcc_retrieve,
+ krb5_lcc_get_principal,
+ krb5_lcc_start_seq_get,
+ krb5_lcc_next_cred,
+ krb5_lcc_end_seq_get,
+ krb5_lcc_remove_cred,
+ krb5_lcc_set_flags,
+ krb5_lcc_get_flags,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
};
#endif /* _WIN32 */
diff --git a/src/lib/krb5/ccache/cc_retr.c b/src/lib/krb5/ccache/cc_retr.c
index 8d3398b187..1c4b575ba9 100644
--- a/src/lib/krb5/ccache/cc_retr.c
+++ b/src/lib/krb5/ccache/cc_retr.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/ccache/cc_retr.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
*/
@@ -38,21 +39,21 @@ static int
times_match_exact(const krb5_ticket_times *t1, const krb5_ticket_times *t2)
{
return (t1->authtime == t2->authtime &&
- t1->starttime == t2->starttime &&
- t1->endtime == t2->endtime &&
- t1->renew_till == t2->renew_till);
+ t1->starttime == t2->starttime &&
+ t1->endtime == t2->endtime &&
+ t1->renew_till == t2->renew_till);
}
static krb5_boolean
times_match(const krb5_ticket_times *t1, const krb5_ticket_times *t2)
{
if (t1->renew_till) {
- if (t1->renew_till > t2->renew_till)
- return FALSE; /* this one expires too late */
+ if (t1->renew_till > t2->renew_till)
+ return FALSE; /* this one expires too late */
}
if (t1->endtime) {
- if (t1->endtime > t2->endtime)
- return FALSE; /* this one expires too late */
+ if (t1->endtime > t2->endtime)
+ return FALSE; /* this one expires too late */
}
/* only care about expiration on a times_match */
return TRUE;
@@ -61,8 +62,8 @@ times_match(const krb5_ticket_times *t1, const krb5_ticket_times *t2)
static krb5_boolean
standard_fields_match(krb5_context context, const krb5_creds *mcreds, const krb5_creds *creds)
{
- return (krb5_principal_compare(context, mcreds->client,creds->client)
- && krb5_principal_compare(context, mcreds->server,creds->server));
+ return (krb5_principal_compare(context, mcreds->client,creds->client)
+ && krb5_principal_compare(context, mcreds->server,creds->server));
}
/* only match the server name portion, not the server realm portion */
@@ -72,10 +73,10 @@ srvname_match(krb5_context context, const krb5_creds *mcreds, const krb5_creds *
{
krb5_boolean retval;
krb5_principal_data p1, p2;
-
+
retval = krb5_principal_compare(context, mcreds->client,creds->client);
if (retval != TRUE)
- return retval;
+ return retval;
/*
* Hack to ignore the server realm for the purposes of the compare.
*/
@@ -91,22 +92,22 @@ authdata_match(krb5_authdata *const *mdata, krb5_authdata *const *data)
const krb5_authdata *mdatap, *datap;
if (mdata == data)
- return TRUE;
+ return TRUE;
if (mdata == NULL)
- return *data == NULL;
-
+ return *data == NULL;
+
if (data == NULL)
- return *mdata == NULL;
-
+ return *mdata == NULL;
+
while ((mdatap = *mdata) && (datap = *data)) {
- if ((mdatap->ad_type != datap->ad_type) ||
- (mdatap->length != datap->length) ||
- (memcmp ((char *)mdatap->contents,
- (char *)datap->contents, (unsigned) mdatap->length) != 0))
- return FALSE;
- mdata++;
- data++;
+ if ((mdatap->ad_type != datap->ad_type) ||
+ (mdatap->length != datap->length) ||
+ (memcmp ((char *)mdatap->contents,
+ (char *)datap->contents, (unsigned) mdatap->length) != 0))
+ return FALSE;
+ mdata++;
+ data++;
}
return (*mdata == NULL) && (*data == NULL);
}
@@ -115,10 +116,10 @@ static krb5_boolean
data_match(const krb5_data *data1, const krb5_data *data2)
{
if (!data1) {
- if (!data2)
- return TRUE;
- else
- return FALSE;
+ if (!data2)
+ return TRUE;
+ else
+ return FALSE;
}
if (!data2) return FALSE;
@@ -128,11 +129,11 @@ data_match(const krb5_data *data1, const krb5_data *data2)
static int
pref (krb5_enctype my_ktype, int nktypes, krb5_enctype *ktypes)
{
- int i;
- for (i = 0; i < nktypes; i++)
- if (my_ktype == ktypes[i])
- return i;
- return -1;
+ int i;
+ for (i = 0; i < nktypes; i++)
+ if (my_ktype == ktypes[i])
+ return i;
+ return -1;
}
/*
@@ -141,7 +142,7 @@ pref (krb5_enctype my_ktype, int nktypes, krb5_enctype *ktypes)
* with the fields specified by whichfields. If one if found, it is
* returned in creds, which should be freed by the caller with
* krb5_free_credentials().
- *
+ *
* The fields are interpreted in the following way (all constants are
* preceded by KRB5_TC_). MATCH_IS_SKEY requires the is_skey field to
* match exactly. MATCH_TIMES requires the requested lifetime to be
@@ -166,105 +167,105 @@ krb5_boolean
krb5int_cc_creds_match_request(krb5_context context, krb5_flags whichfields, krb5_creds *mcreds, krb5_creds *creds)
{
if (((set(KRB5_TC_MATCH_SRV_NAMEONLY) &&
- srvname_match(context, mcreds, creds)) ||
- standard_fields_match(context, mcreds, creds))
- &&
- (! set(KRB5_TC_MATCH_IS_SKEY) ||
- mcreds->is_skey == creds->is_skey)
- &&
- (! set(KRB5_TC_MATCH_FLAGS_EXACT) ||
- mcreds->ticket_flags == creds->ticket_flags)
- &&
- (! set(KRB5_TC_MATCH_FLAGS) ||
- flags_match(mcreds->ticket_flags, creds->ticket_flags))
- &&
- (! set(KRB5_TC_MATCH_TIMES_EXACT) ||
- times_match_exact(&mcreds->times, &creds->times))
- &&
- (! set(KRB5_TC_MATCH_TIMES) ||
- times_match(&mcreds->times, &creds->times))
- &&
- ( ! set(KRB5_TC_MATCH_AUTHDATA) ||
- authdata_match(mcreds->authdata, creds->authdata))
- &&
- (! set(KRB5_TC_MATCH_2ND_TKT) ||
- data_match (&mcreds->second_ticket, &creds->second_ticket))
- &&
- ((! set(KRB5_TC_MATCH_KTYPE))||
- (mcreds->keyblock.enctype == creds->keyblock.enctype)))
+ srvname_match(context, mcreds, creds)) ||
+ standard_fields_match(context, mcreds, creds))
+ &&
+ (! set(KRB5_TC_MATCH_IS_SKEY) ||
+ mcreds->is_skey == creds->is_skey)
+ &&
+ (! set(KRB5_TC_MATCH_FLAGS_EXACT) ||
+ mcreds->ticket_flags == creds->ticket_flags)
+ &&
+ (! set(KRB5_TC_MATCH_FLAGS) ||
+ flags_match(mcreds->ticket_flags, creds->ticket_flags))
+ &&
+ (! set(KRB5_TC_MATCH_TIMES_EXACT) ||
+ times_match_exact(&mcreds->times, &creds->times))
+ &&
+ (! set(KRB5_TC_MATCH_TIMES) ||
+ times_match(&mcreds->times, &creds->times))
+ &&
+ ( ! set(KRB5_TC_MATCH_AUTHDATA) ||
+ authdata_match(mcreds->authdata, creds->authdata))
+ &&
+ (! set(KRB5_TC_MATCH_2ND_TKT) ||
+ data_match (&mcreds->second_ticket, &creds->second_ticket))
+ &&
+ ((! set(KRB5_TC_MATCH_KTYPE))||
+ (mcreds->keyblock.enctype == creds->keyblock.enctype)))
return TRUE;
return FALSE;
}
static krb5_error_code
krb5_cc_retrieve_cred_seq (krb5_context context, krb5_ccache id,
- krb5_flags whichfields, krb5_creds *mcreds,
- krb5_creds *creds, int nktypes, krb5_enctype *ktypes)
+ krb5_flags whichfields, krb5_creds *mcreds,
+ krb5_creds *creds, int nktypes, krb5_enctype *ktypes)
{
- /* This function could be considerably faster if it kept indexing */
- /* information.. sounds like a "next version" idea to me. :-) */
-
- krb5_cc_cursor cursor;
- krb5_error_code kret;
- krb5_error_code nomatch_err = KRB5_CC_NOTFOUND;
- struct {
- krb5_creds creds;
- int pref;
- } fetched, best;
- int have_creds = 0;
- krb5_flags oflags = 0;
+ /* This function could be considerably faster if it kept indexing */
+ /* information.. sounds like a "next version" idea to me. :-) */
+
+ krb5_cc_cursor cursor;
+ krb5_error_code kret;
+ krb5_error_code nomatch_err = KRB5_CC_NOTFOUND;
+ struct {
+ krb5_creds creds;
+ int pref;
+ } fetched, best;
+ int have_creds = 0;
+ krb5_flags oflags = 0;
#define fetchcreds (fetched.creds)
- kret = krb5_cc_get_flags(context, id, &oflags);
- if (kret != KRB5_OK)
- return kret;
- if (oflags & KRB5_TC_OPENCLOSE)
- (void) krb5_cc_set_flags(context, id, oflags & ~KRB5_TC_OPENCLOSE);
- kret = krb5_cc_start_seq_get(context, id, &cursor);
- if (kret != KRB5_OK) {
- if (oflags & KRB5_TC_OPENCLOSE)
- krb5_cc_set_flags(context, id, oflags);
- return kret;
- }
-
- while (krb5_cc_next_cred(context, id, &cursor, &fetchcreds) == KRB5_OK) {
- if (krb5int_cc_creds_match_request(context, whichfields, mcreds, &fetchcreds))
- {
- if (ktypes) {
- fetched.pref = pref (fetchcreds.keyblock.enctype,
- nktypes, ktypes);
- if (fetched.pref < 0)
- nomatch_err = KRB5_CC_NOT_KTYPE;
- else if (!have_creds || fetched.pref < best.pref) {
- if (have_creds)
- krb5_free_cred_contents (context, &best.creds);
- else
- have_creds = 1;
- best = fetched;
- continue;
- }
- } else {
- krb5_cc_end_seq_get(context, id, &cursor);
- *creds = fetchcreds;
- if (oflags & KRB5_TC_OPENCLOSE)
- krb5_cc_set_flags(context, id, oflags);
- return KRB5_OK;
- }
- }
-
- /* This one doesn't match */
- krb5_free_cred_contents(context, &fetchcreds);
- }
-
- /* If we get here, a match wasn't found */
- krb5_cc_end_seq_get(context, id, &cursor);
- if (oflags & KRB5_TC_OPENCLOSE)
- krb5_cc_set_flags(context, id, oflags);
- if (have_creds) {
- *creds = best.creds;
- return KRB5_OK;
- } else
- return nomatch_err;
+ kret = krb5_cc_get_flags(context, id, &oflags);
+ if (kret != KRB5_OK)
+ return kret;
+ if (oflags & KRB5_TC_OPENCLOSE)
+ (void) krb5_cc_set_flags(context, id, oflags & ~KRB5_TC_OPENCLOSE);
+ kret = krb5_cc_start_seq_get(context, id, &cursor);
+ if (kret != KRB5_OK) {
+ if (oflags & KRB5_TC_OPENCLOSE)
+ krb5_cc_set_flags(context, id, oflags);
+ return kret;
+ }
+
+ while (krb5_cc_next_cred(context, id, &cursor, &fetchcreds) == KRB5_OK) {
+ if (krb5int_cc_creds_match_request(context, whichfields, mcreds, &fetchcreds))
+ {
+ if (ktypes) {
+ fetched.pref = pref (fetchcreds.keyblock.enctype,
+ nktypes, ktypes);
+ if (fetched.pref < 0)
+ nomatch_err = KRB5_CC_NOT_KTYPE;
+ else if (!have_creds || fetched.pref < best.pref) {
+ if (have_creds)
+ krb5_free_cred_contents (context, &best.creds);
+ else
+ have_creds = 1;
+ best = fetched;
+ continue;
+ }
+ } else {
+ krb5_cc_end_seq_get(context, id, &cursor);
+ *creds = fetchcreds;
+ if (oflags & KRB5_TC_OPENCLOSE)
+ krb5_cc_set_flags(context, id, oflags);
+ return KRB5_OK;
+ }
+ }
+
+ /* This one doesn't match */
+ krb5_free_cred_contents(context, &fetchcreds);
+ }
+
+ /* If we get here, a match wasn't found */
+ krb5_cc_end_seq_get(context, id, &cursor);
+ if (oflags & KRB5_TC_OPENCLOSE)
+ krb5_cc_set_flags(context, id, oflags);
+ if (have_creds) {
+ *creds = best.creds;
+ return KRB5_OK;
+ } else
+ return nomatch_err;
}
krb5_error_code KRB5_CALLCONV
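Review bot: The loop in krb5_cc_retrieve_cred_seq, `while (krb5_cc_next_cred(context, id, &cursor, &fetchcreds) == KRB5_OK)`, treats every non-OK result as end of cache. A read or backend error therefore reaches the caller as KRB5_CC_NOTFOUND (or KRB5_CC_NOT_KTYPE) instead of the real code. Storing the result in `kret` and adding `if (!have_creds && kret != KRB5_CC_END) return kret;` after `krb5_cc_end_seq_get` would preserve the distinction. The `krb5_cc_set_flags` calls that restore `oflags` are also unchecked on every exit path, so a cache left without KRB5_TC_OPENCLOSE is not reported either.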
@@ -275,20 +276,20 @@ krb5_cc_retrieve_cred_default (krb5_context context, krb5_ccache id, krb5_flags
krb5_error_code ret;
if (flags & KRB5_TC_SUPPORTED_KTYPES) {
- ret = krb5_get_tgs_ktypes (context, mcreds->server, &ktypes);
- if (ret)
- return ret;
- nktypes = 0;
- while (ktypes[nktypes])
- nktypes++;
-
- ret = krb5_cc_retrieve_cred_seq (context, id, flags, mcreds, creds,
- nktypes, ktypes);
- free (ktypes);
- return ret;
+ ret = krb5_get_tgs_ktypes (context, mcreds->server, &ktypes);
+ if (ret)
+ return ret;
+ nktypes = 0;
+ while (ktypes[nktypes])
+ nktypes++;
+
+ ret = krb5_cc_retrieve_cred_seq (context, id, flags, mcreds, creds,
+ nktypes, ktypes);
+ free (ktypes);
+ return ret;
} else {
- return krb5_cc_retrieve_cred_seq (context, id, flags, mcreds, creds,
- 0, 0);
+ return krb5_cc_retrieve_cred_seq (context, id, flags, mcreds, creds,
+ 0, 0);
}
}
@@ -298,24 +299,24 @@ krb5_cc_retrieve_cred_default (krb5_context context, krb5_ccache id, krb5_flags
/* returned by the CCAPI is the same creds as the caller passed in. */
/* Unlike the code above it requires that all structures be identical. */
-krb5_boolean KRB5_CALLCONV
+krb5_boolean KRB5_CALLCONV
krb5_creds_compare (krb5_context in_context,
krb5_creds *in_creds,
krb5_creds *in_compare_creds)
{
/* Set to 0 when we hit the first mismatch and then fall through */
int equal = 1;
-
+
if (equal) {
- equal = krb5_principal_compare (in_context, in_creds->client,
+ equal = krb5_principal_compare (in_context, in_creds->client,
in_compare_creds->client);
}
-
+
if (equal) {
- equal = krb5_principal_compare (in_context, in_creds->server,
+ equal = krb5_principal_compare (in_context, in_creds->server,
in_compare_creds->server);
}
-
+
if (equal) {
equal = (in_creds->keyblock.enctype == in_compare_creds->keyblock.enctype &&
in_creds->keyblock.length == in_compare_creds->keyblock.length &&
@@ -323,27 +324,27 @@ krb5_creds_compare (krb5_context in_context,
!memcmp (in_creds->keyblock.contents, in_compare_creds->keyblock.contents,
in_creds->keyblock.length)));
}
-
- if (equal) {
+
+ if (equal) {
equal = (in_creds->times.authtime == in_compare_creds->times.authtime &&
in_creds->times.starttime == in_compare_creds->times.starttime &&
in_creds->times.endtime == in_compare_creds->times.endtime &&
in_creds->times.renew_till == in_compare_creds->times.renew_till);
}
-
+
if (equal) {
equal = (in_creds->is_skey == in_compare_creds->is_skey);
- }
-
+ }
+
if (equal) {
equal = (in_creds->ticket_flags == in_compare_creds->ticket_flags);
}
-
+
if (equal) {
krb5_address **addresses = in_creds->addresses;
krb5_address **compare_addresses = in_compare_creds->addresses;
unsigned int i;
-
+
if (addresses && compare_addresses) {
for (i = 0; (equal && addresses[i] && compare_addresses[i]); i++) {
equal = krb5_address_compare (in_context, addresses[i],
@@ -354,29 +355,29 @@ krb5_creds_compare (krb5_context in_context,
if (equal) { equal = (!addresses && !compare_addresses); }
}
}
-
+
if (equal) {
- equal = data_eq(in_creds->ticket, in_compare_creds->ticket);
+ equal = data_eq(in_creds->ticket, in_compare_creds->ticket);
}
-
+
if (equal) {
- equal = data_eq(in_creds->second_ticket, in_compare_creds->second_ticket);
+ equal = data_eq(in_creds->second_ticket, in_compare_creds->second_ticket);
}
-
+
if (equal) {
krb5_authdata **authdata = in_creds->authdata;
krb5_authdata **compare_authdata = in_compare_creds->authdata;
unsigned int i;
-
- if (authdata && compare_authdata) {
+
+ if (authdata && compare_authdata) {
for (i = 0; (equal && authdata[i] && compare_authdata[i]); i++) {
- equal = authdata_eq(*authdata[i], *compare_authdata[i]);
+ equal = authdata_eq(*authdata[i], *compare_authdata[i]);
}
if (equal) { equal = (!authdata[i] && !compare_authdata[i]); }
} else {
if (equal) { equal = (!authdata && !compare_authdata); }
}
}
-
+
return equal;
}
diff --git a/src/lib/krb5/ccache/ccapi/stdcc.c b/src/lib/krb5/ccache/ccapi/stdcc.c
index 14569fb596..33fb97c76d 100644
--- a/src/lib/krb5/ccache/ccapi/stdcc.c
+++ b/src/lib/krb5/ccache/ccapi/stdcc.c
@@ -1,7 +1,8 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* stdcc.c - additions to the Kerberos 5 library to support the memory
- * credentical cache API
- *
+ * credentical cache API
+ *
* Written by Frank Dabek July 1998
* Updated by Jeffrey Altman June 2006
*
@@ -12,7 +13,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -26,7 +27,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*/
#if defined(_WIN32) || defined(USE_CCAPI)
@@ -38,7 +39,7 @@
#include <stdio.h>
#if defined(_WIN32)
-#include "winccld.h"
+#include "winccld.h"
#endif
#ifndef CC_API_VER2
@@ -50,8 +51,8 @@
#include <io.h>
#define SHOW_DEBUG(buf) MessageBox((HWND)NULL, (buf), "ccapi debug", MB_OK)
#endif
- /* XXX need macintosh debugging statement if we want to debug */
- /* on the mac */
+/* XXX need macintosh debugging statement if we want to debug */
+/* on the mac */
#else
#define SHOW_DEBUG(buf)
#endif
@@ -69,54 +70,54 @@ apiCB *gCntrlBlock = NULL;
*/
krb5_cc_ops krb5_cc_stdcc_ops = {
- 0,
- "API",
+ 0,
+ "API",
#ifdef USE_CCAPI_V3
- krb5_stdccv3_get_name,
- krb5_stdccv3_resolve,
- krb5_stdccv3_generate_new,
- krb5_stdccv3_initialize,
- krb5_stdccv3_destroy,
- krb5_stdccv3_close,
- krb5_stdccv3_store,
- krb5_stdccv3_retrieve,
- krb5_stdccv3_get_principal,
- krb5_stdccv3_start_seq_get,
- krb5_stdccv3_next_cred,
- krb5_stdccv3_end_seq_get,
- krb5_stdccv3_remove,
- krb5_stdccv3_set_flags,
- krb5_stdccv3_get_flags,
- krb5_stdccv3_ptcursor_new,
- krb5_stdccv3_ptcursor_next,
- krb5_stdccv3_ptcursor_free,
- NULL, /* move */
- krb5_stdccv3_last_change_time, /* lastchange */
- NULL, /* wasdefault */
- krb5_stdccv3_lock,
- krb5_stdccv3_unlock,
+ krb5_stdccv3_get_name,
+ krb5_stdccv3_resolve,
+ krb5_stdccv3_generate_new,
+ krb5_stdccv3_initialize,
+ krb5_stdccv3_destroy,
+ krb5_stdccv3_close,
+ krb5_stdccv3_store,
+ krb5_stdccv3_retrieve,
+ krb5_stdccv3_get_principal,
+ krb5_stdccv3_start_seq_get,
+ krb5_stdccv3_next_cred,
+ krb5_stdccv3_end_seq_get,
+ krb5_stdccv3_remove,
+ krb5_stdccv3_set_flags,
+ krb5_stdccv3_get_flags,
+ krb5_stdccv3_ptcursor_new,
+ krb5_stdccv3_ptcursor_next,
+ krb5_stdccv3_ptcursor_free,
+ NULL, /* move */
+ krb5_stdccv3_last_change_time, /* lastchange */
+ NULL, /* wasdefault */
+ krb5_stdccv3_lock,
+ krb5_stdccv3_unlock,
#else
- krb5_stdcc_get_name,
- krb5_stdcc_resolve,
- krb5_stdcc_generate_new,
- krb5_stdcc_initialize,
- krb5_stdcc_destroy,
- krb5_stdcc_close,
- krb5_stdcc_store,
- krb5_stdcc_retrieve,
- krb5_stdcc_get_principal,
- krb5_stdcc_start_seq_get,
- krb5_stdcc_next_cred,
- krb5_stdcc_end_seq_get,
- krb5_stdcc_remove,
- krb5_stdcc_set_flags,
- krb5_stdcc_get_flags,
- NULL,
- NULL,
- NULL,
- NULL,
- NULL,
- NULL,
+ krb5_stdcc_get_name,
+ krb5_stdcc_resolve,
+ krb5_stdcc_generate_new,
+ krb5_stdcc_initialize,
+ krb5_stdcc_destroy,
+ krb5_stdcc_close,
+ krb5_stdcc_store,
+ krb5_stdcc_retrieve,
+ krb5_stdcc_get_principal,
+ krb5_stdcc_start_seq_get,
+ krb5_stdcc_next_cred,
+ krb5_stdcc_end_seq_get,
+ krb5_stdcc_remove,
+ krb5_stdcc_set_flags,
+ krb5_stdcc_get_flags,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
#endif
};
@@ -126,89 +127,89 @@ krb5_cc_ops krb5_cc_stdcc_ops = {
* A notification message is is posted out to all top level
* windows so that they may recheck the cache based on the
* changes made. We register a unique message type with which
- * we'll communicate to all other processes.
+ * we'll communicate to all other processes.
*/
static void cache_changed()
{
- static unsigned int message = 0;
-
- if (message == 0)
- message = RegisterWindowMessage(WM_KERBEROS5_CHANGED);
+ static unsigned int message = 0;
- PostMessage(HWND_BROADCAST, message, 0, 0);
+ if (message == 0)
+ message = RegisterWindowMessage(WM_KERBEROS5_CHANGED);
+
+ PostMessage(HWND_BROADCAST, message, 0, 0);
}
#else /* _WIN32 */
static void cache_changed()
{
- return;
+ return;
}
#endif /* _WIN32 */
struct err_xlate
{
- int cc_err;
- krb5_error_code krb5_err;
+ int cc_err;
+ krb5_error_code krb5_err;
};
static const struct err_xlate err_xlate_table[] =
{
#ifdef USE_CCAPI_V3
- { ccIteratorEnd, KRB5_CC_END },
- { ccErrBadParam, KRB5_FCC_INTERNAL },
- { ccErrNoMem, KRB5_CC_NOMEM },
- { ccErrInvalidContext, KRB5_FCC_NOFILE },
- { ccErrInvalidCCache, KRB5_FCC_NOFILE },
- { ccErrInvalidString, KRB5_FCC_INTERNAL },
- { ccErrInvalidCredentials, KRB5_FCC_INTERNAL },
- { ccErrInvalidCCacheIterator, KRB5_FCC_INTERNAL },
- { ccErrInvalidCredentialsIterator, KRB5_FCC_INTERNAL },
- { ccErrInvalidLock, KRB5_FCC_INTERNAL },
- { ccErrBadName, KRB5_CC_BADNAME },
- { ccErrBadCredentialsVersion, KRB5_FCC_INTERNAL },
- { ccErrBadAPIVersion, KRB5_FCC_INTERNAL },
- { ccErrContextLocked, KRB5_FCC_INTERNAL },
- { ccErrContextUnlocked, KRB5_FCC_INTERNAL },
- { ccErrCCacheLocked, KRB5_FCC_INTERNAL },
- { ccErrCCacheUnlocked, KRB5_FCC_INTERNAL },
- { ccErrBadLockType, KRB5_FCC_INTERNAL },
- { ccErrNeverDefault, KRB5_FCC_INTERNAL },
- { ccErrCredentialsNotFound, KRB5_CC_NOTFOUND },
- { ccErrCCacheNotFound, KRB5_FCC_NOFILE },
- { ccErrContextNotFound, KRB5_FCC_NOFILE },
- { ccErrServerUnavailable, KRB5_CC_IO },
- { ccErrServerInsecure, KRB5_CC_IO },
- { ccErrServerCantBecomeUID, KRB5_CC_IO },
- { ccErrTimeOffsetNotSet, KRB5_FCC_INTERNAL },
- { ccErrBadInternalMessage, KRB5_FCC_INTERNAL },
- { ccErrNotImplemented, KRB5_FCC_INTERNAL },
+ { ccIteratorEnd, KRB5_CC_END },
+ { ccErrBadParam, KRB5_FCC_INTERNAL },
+ { ccErrNoMem, KRB5_CC_NOMEM },
+ { ccErrInvalidContext, KRB5_FCC_NOFILE },
+ { ccErrInvalidCCache, KRB5_FCC_NOFILE },
+ { ccErrInvalidString, KRB5_FCC_INTERNAL },
+ { ccErrInvalidCredentials, KRB5_FCC_INTERNAL },
+ { ccErrInvalidCCacheIterator, KRB5_FCC_INTERNAL },
+ { ccErrInvalidCredentialsIterator, KRB5_FCC_INTERNAL },
+ { ccErrInvalidLock, KRB5_FCC_INTERNAL },
+ { ccErrBadName, KRB5_CC_BADNAME },
+ { ccErrBadCredentialsVersion, KRB5_FCC_INTERNAL },
+ { ccErrBadAPIVersion, KRB5_FCC_INTERNAL },
+ { ccErrContextLocked, KRB5_FCC_INTERNAL },
+ { ccErrContextUnlocked, KRB5_FCC_INTERNAL },
+ { ccErrCCacheLocked, KRB5_FCC_INTERNAL },
+ { ccErrCCacheUnlocked, KRB5_FCC_INTERNAL },
+ { ccErrBadLockType, KRB5_FCC_INTERNAL },
+ { ccErrNeverDefault, KRB5_FCC_INTERNAL },
+ { ccErrCredentialsNotFound, KRB5_CC_NOTFOUND },
+ { ccErrCCacheNotFound, KRB5_FCC_NOFILE },
+ { ccErrContextNotFound, KRB5_FCC_NOFILE },
+ { ccErrServerUnavailable, KRB5_CC_IO },
+ { ccErrServerInsecure, KRB5_CC_IO },
+ { ccErrServerCantBecomeUID, KRB5_CC_IO },
+ { ccErrTimeOffsetNotSet, KRB5_FCC_INTERNAL },
+ { ccErrBadInternalMessage, KRB5_FCC_INTERNAL },
+ { ccErrNotImplemented, KRB5_FCC_INTERNAL },
#else
- { CC_BADNAME, KRB5_CC_BADNAME },
- { CC_NOTFOUND, KRB5_CC_NOTFOUND },
- { CC_END, KRB5_CC_END },
- { CC_IO, KRB5_CC_IO },
- { CC_WRITE, KRB5_CC_WRITE },
- { CC_NOMEM, KRB5_CC_NOMEM },
- { CC_FORMAT, KRB5_CC_FORMAT },
- { CC_WRITE, KRB5_CC_WRITE },
- { CC_LOCKED, KRB5_FCC_INTERNAL /* XXX */ },
- { CC_BAD_API_VERSION, KRB5_FCC_INTERNAL /* XXX */ },
- { CC_NO_EXIST, KRB5_FCC_NOFILE },
- { CC_NOT_SUPP, KRB5_FCC_INTERNAL /* XXX */ },
- { CC_BAD_PARM, KRB5_FCC_INTERNAL /* XXX */ },
- { CC_ERR_CACHE_ATTACH, KRB5_FCC_INTERNAL /* XXX */ },
- { CC_ERR_CACHE_RELEASE, KRB5_FCC_INTERNAL /* XXX */ },
- { CC_ERR_CACHE_FULL, KRB5_FCC_INTERNAL /* XXX */ },
- { CC_ERR_CRED_VERSION, KRB5_FCC_INTERNAL /* XXX */ },
+ { CC_BADNAME, KRB5_CC_BADNAME },
+ { CC_NOTFOUND, KRB5_CC_NOTFOUND },
+ { CC_END, KRB5_CC_END },
+ { CC_IO, KRB5_CC_IO },
+ { CC_WRITE, KRB5_CC_WRITE },
+ { CC_NOMEM, KRB5_CC_NOMEM },
+ { CC_FORMAT, KRB5_CC_FORMAT },
+ { CC_WRITE, KRB5_CC_WRITE },
+ { CC_LOCKED, KRB5_FCC_INTERNAL /* XXX */ },
+ { CC_BAD_API_VERSION, KRB5_FCC_INTERNAL /* XXX */ },
+ { CC_NO_EXIST, KRB5_FCC_NOFILE },
+ { CC_NOT_SUPP, KRB5_FCC_INTERNAL /* XXX */ },
+ { CC_BAD_PARM, KRB5_FCC_INTERNAL /* XXX */ },
+ { CC_ERR_CACHE_ATTACH, KRB5_FCC_INTERNAL /* XXX */ },
+ { CC_ERR_CACHE_RELEASE, KRB5_FCC_INTERNAL /* XXX */ },
+ { CC_ERR_CACHE_FULL, KRB5_FCC_INTERNAL /* XXX */ },
+ { CC_ERR_CRED_VERSION, KRB5_FCC_INTERNAL /* XXX */ },
#endif
- { 0, 0 }
+ { 0, 0 }
};
/* Note: cc_err_xlate is NOT idempotent. Don't call it multiple times. */
static krb5_error_code cc_err_xlate(int err)
{
const struct err_xlate *p;
-
+
#ifdef USE_CCAPI_V3
if (err == ccNoError)
return 0;
@@ -216,12 +217,12 @@ static krb5_error_code cc_err_xlate(int err)
if (err == CC_NOERROR)
return 0;
#endif
-
+
for (p = err_xlate_table; p->cc_err; p++) {
if (err == p->cc_err)
return p->krb5_err;
}
-
+
return KRB5_FCC_INTERNAL;
}
@@ -232,26 +233,26 @@ static krb5_error_code stdccv3_get_timeoffset (krb5_context in_context,
cc_ccache_t in_ccache)
{
krb5_error_code err = 0;
-
+
if (gCCVersion >= ccapi_version_5) {
krb5_os_context os_ctx = (krb5_os_context) &in_context->os_context;
cc_time_t time_offset = 0;
-
+
err = cc_ccache_get_kdc_time_offset (in_ccache, cc_credentials_v5,
&time_offset);
-
+
if (!err) {
os_ctx->time_offset = time_offset;
os_ctx->usec_offset = 0;
os_ctx->os_flags = ((os_ctx->os_flags & ~KRB5_OS_TOFFSET_TIME) |
KRB5_OS_TOFFSET_VALID);
}
-
+
if (err == ccErrTimeOffsetNotSet) {
err = 0; /* okay if there is no time offset */
}
}
-
+
return err; /* Don't translate. Callers will translate for us */
}
@@ -259,17 +260,17 @@ static krb5_error_code stdccv3_set_timeoffset (krb5_context in_context,
cc_ccache_t in_ccache)
{
krb5_error_code err = 0;
-
+
if (gCCVersion >= ccapi_version_5) {
krb5_os_context os_ctx = (krb5_os_context) &in_context->os_context;
-
+
if (!err && os_ctx->os_flags & KRB5_OS_TOFFSET_VALID) {
- err = cc_ccache_set_kdc_time_offset (in_ccache,
+ err = cc_ccache_set_kdc_time_offset (in_ccache,
cc_credentials_v5,
os_ctx->time_offset);
}
}
-
+
return err; /* Don't translate. Callers will translate for us */
}
@@ -277,21 +278,21 @@ static krb5_error_code stdccv3_setup (krb5_context context,
stdccCacheDataPtr ccapi_data)
{
krb5_error_code err = 0;
-
+
if (!err && !gCntrlBlock) {
err = cc_initialize (&gCntrlBlock, ccapi_version_max, &gCCVersion, NULL);
}
-
+
if (!err && ccapi_data && !ccapi_data->NamedCache) {
- /* ccache has not been opened yet. open it. */
+ /* ccache has not been opened yet. open it. */
err = cc_context_open_ccache (gCntrlBlock, ccapi_data->cache_name,
&ccapi_data->NamedCache);
}
-
+
if (!err && ccapi_data && ccapi_data->NamedCache) {
err = stdccv3_get_timeoffset (context, ccapi_data->NamedCache);
}
-
+
return err; /* Don't translate. Callers will translate for us */
}
@@ -305,12 +306,12 @@ void krb5_stdcc_shutdown()
/*
* -- generate_new --------------------------------
- *
+ *
* create a new cache with a unique name, corresponds to creating a
* named cache initialize the API here if we have to.
*/
-krb5_error_code KRB5_CALLCONV
-krb5_stdccv3_generate_new (krb5_context context, krb5_ccache *id )
+krb5_error_code KRB5_CALLCONV
+krb5_stdccv3_generate_new (krb5_context context, krb5_ccache *id )
{
krb5_error_code err = 0;
krb5_ccache newCache = NULL;
@@ -318,98 +319,98 @@ krb5_stdccv3_generate_new (krb5_context context, krb5_ccache *id )
cc_ccache_t ccache = NULL;
cc_string_t ccstring = NULL;
char *name = NULL;
-
+
if (!err) {
err = stdccv3_setup(context, NULL);
}
-
+
if (!err) {
newCache = (krb5_ccache) malloc (sizeof (*newCache));
if (!newCache) { err = KRB5_CC_NOMEM; }
}
-
+
if (!err) {
ccapi_data = (stdccCacheDataPtr) malloc (sizeof (*ccapi_data));
if (!ccapi_data) { err = KRB5_CC_NOMEM; }
}
-
+
if (!err) {
err = cc_context_create_new_ccache (gCntrlBlock, cc_credentials_v5, "",
&ccache);
}
-
+
if (!err) {
err = stdccv3_set_timeoffset (context, ccache);
}
-
+
if (!err) {
err = cc_ccache_get_name (ccache, &ccstring);
}
-
+
if (!err) {
name = strdup (ccstring->data);
if (!name) { err = KRB5_CC_NOMEM; }
}
-
+
if (!err) {
ccapi_data->cache_name = name;
name = NULL; /* take ownership */
-
+
ccapi_data->NamedCache = ccache;
ccache = NULL; /* take ownership */
-
+
newCache->ops = &krb5_cc_stdcc_ops;
newCache->data = ccapi_data;
ccapi_data = NULL; /* take ownership */
-
+
/* return a pointer to the new cache */
*id = newCache;
newCache = NULL;
}
-
+
if (ccstring) { cc_string_release (ccstring); }
if (name) { free (name); }
if (ccache) { cc_ccache_release (ccache); }
if (ccapi_data) { free (ccapi_data); }
if (newCache) { free (newCache); }
-
+
return cc_err_xlate (err);
}
-
+
/*
* resolve
*
* create a new cache with the name stored in residual
*/
-krb5_error_code KRB5_CALLCONV
-krb5_stdccv3_resolve (krb5_context context, krb5_ccache *id , const char *residual )
+krb5_error_code KRB5_CALLCONV
+krb5_stdccv3_resolve (krb5_context context, krb5_ccache *id , const char *residual )
{
krb5_error_code err = 0;
stdccCacheDataPtr ccapi_data = NULL;
krb5_ccache ccache = NULL;
char *name = NULL;
-
+
if (id == NULL) { err = KRB5_CC_NOMEM; }
-
+
if (!err) {
err = stdccv3_setup (context, NULL);
}
-
+
if (!err) {
ccapi_data = (stdccCacheDataPtr) malloc (sizeof (*ccapi_data));
if (!ccapi_data) { err = KRB5_CC_NOMEM; }
}
-
+
if (!err) {
ccache = (krb5_ccache ) malloc (sizeof (*ccache));
if (!ccache) { err = KRB5_CC_NOMEM; }
}
-
+
if (!err) {
name = strdup (residual);
if (!name) { err = KRB5_CC_NOMEM; }
}
-
+
if (!err) {
err = cc_context_open_ccache (gCntrlBlock, residual,
&ccapi_data->NamedCache);
@@ -420,24 +421,24 @@ krb5_stdccv3_resolve (krb5_context context, krb5_ccache *id , const char *residu
}
if (!err) {
- ccapi_data->cache_name = name;
+ ccapi_data->cache_name = name;
name = NULL; /* take ownership */
- ccache->ops = &krb5_cc_stdcc_ops;
- ccache->data = ccapi_data;
+ ccache->ops = &krb5_cc_stdcc_ops;
+ ccache->data = ccapi_data;
ccapi_data = NULL; /* take ownership */
-
+
*id = ccache;
ccache = NULL; /* take ownership */
}
-
+
if (ccache) { free (ccache); }
if (ccapi_data) { free (ccapi_data); }
if (name) { free (name); }
-
+
return cc_err_xlate (err);
}
-
+
/*
* initialize
*
@@ -445,36 +446,36 @@ krb5_stdccv3_resolve (krb5_context context, krb5_ccache *id , const char *residu
* principal if not set our principal to this principal. This
* searching enables ticket sharing
*/
-krb5_error_code KRB5_CALLCONV
-krb5_stdccv3_initialize (krb5_context context,
- krb5_ccache id,
- krb5_principal princ)
+krb5_error_code KRB5_CALLCONV
+krb5_stdccv3_initialize (krb5_context context,
+ krb5_ccache id,
+ krb5_principal princ)
{
krb5_error_code err = 0;
stdccCacheDataPtr ccapi_data = id->data;
char *name = NULL;
cc_ccache_t ccache = NULL;
-
+
if (id == NULL) { err = KRB5_CC_NOMEM; }
-
+
if (!err) {
err = stdccv3_setup (context, NULL);
}
-
+
if (!err) {
err = krb5_unparse_name(context, princ, &name);
}
-
+
if (!err) {
- err = cc_context_create_ccache (gCntrlBlock, ccapi_data->cache_name,
+ err = cc_context_create_ccache (gCntrlBlock, ccapi_data->cache_name,
cc_credentials_v5, name,
&ccache);
}
-
+
if (!err) {
err = stdccv3_set_timeoffset (context, ccache);
}
-
+
if (!err) {
if (ccapi_data->NamedCache) {
err = cc_ccache_release (ccapi_data->NamedCache);
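Review bot: In krb5_stdccv3_initialize the initializer `stdccCacheDataPtr ccapi_data = id->data;` dereferences `id` before the `if (id == NULL)` guard a few lines below, so the guard cannot protect against a NULL handle. Initialise the local to NULL and assign it only after the check, e.g. `if (id == NULL) { err = KRB5_CC_NOMEM; } else { ccapi_data = id->data; }`. The later `ccapi_data->cache_name` use is already gated on `!err`, so no other change is needed in the visible part. The function body continues past the end of this hunk.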
@@ -483,10 +484,10 @@ krb5_stdccv3_initialize (krb5_context context,
ccache = NULL; /* take ownership */
cache_changed ();
}
-
+
if (ccache) { cc_ccache_release (ccache); }
if (name ) { krb5_free_unparsed_name(context, name); }
-
+
return cc_err_xlate(err);
}
@@ -495,32 +496,32 @@ krb5_stdccv3_initialize (krb5_context context,
*
* store some credentials in our cache
*/
-krb5_error_code KRB5_CALLCONV
+krb5_error_code KRB5_CALLCONV
krb5_stdccv3_store (krb5_context context, krb5_ccache id, krb5_creds *creds )
{
krb5_error_code err = 0;
stdccCacheDataPtr ccapi_data = id->data;
cc_credentials_union *cred_union = NULL;
-
+
if (!err) {
err = stdccv3_setup (context, ccapi_data);
}
-
+
if (!err) {
/* copy the fields from the almost identical structures */
err = copy_krb5_creds_to_cc_cred_union (context, creds, &cred_union);
}
-
+
if (!err) {
err = cc_ccache_store_credentials (ccapi_data->NamedCache, cred_union);
}
-
+
if (!err) {
cache_changed();
}
-
+
if (cred_union) { cred_union_release (cred_union); }
-
+
return cc_err_xlate (err);
}
@@ -529,54 +530,54 @@ krb5_stdccv3_store (krb5_context context, krb5_ccache id, krb5_creds *creds )
*
* begin an iterator call to get all of the credentials in the cache
*/
-krb5_error_code KRB5_CALLCONV
-krb5_stdccv3_start_seq_get (krb5_context context,
- krb5_ccache id,
+krb5_error_code KRB5_CALLCONV
+krb5_stdccv3_start_seq_get (krb5_context context,
+ krb5_ccache id,
krb5_cc_cursor *cursor )
{
krb5_error_code err = 0;
stdccCacheDataPtr ccapi_data = id->data;
cc_credentials_iterator_t iterator = NULL;
-
+
if (!err) {
err = stdccv3_setup (context, ccapi_data);
}
-
+
if (!err) {
err = cc_ccache_new_credentials_iterator(ccapi_data->NamedCache,
&iterator);
}
-
+
if (!err) {
*cursor = iterator;
}
-
+
return cc_err_xlate (err);
}
/*
* next cred
- *
+ *
* - get the next credential in the cache as part of an iterator call
* - this maps to call to cc_seq_fetch_creds
*/
-krb5_error_code KRB5_CALLCONV
-krb5_stdccv3_next_cred (krb5_context context,
- krb5_ccache id,
- krb5_cc_cursor *cursor,
+krb5_error_code KRB5_CALLCONV
+krb5_stdccv3_next_cred (krb5_context context,
+ krb5_ccache id,
+ krb5_cc_cursor *cursor,
krb5_creds *creds)
{
krb5_error_code err = 0;
stdccCacheDataPtr ccapi_data = id->data;
cc_credentials_t credentials = NULL;
cc_credentials_iterator_t iterator = *cursor;
-
+
if (!iterator) { err = KRB5_CC_END; }
-
+
if (!err) {
err = stdccv3_setup (context, ccapi_data);
}
-
+
/* Note: CCAPI v3 ccaches can contain both v4 and v5 creds */
while (!err) {
err = cc_credentials_iterator_next (iterator, &credentials);
@@ -586,13 +587,13 @@ krb5_stdccv3_next_cred (krb5_context context,
break;
}
}
-
+
if (credentials) { cc_credentials_release (credentials); }
if (err == ccIteratorEnd) {
cc_credentials_iterator_release (iterator);
*cursor = 0;
- }
-
+ }
+
return cc_err_xlate (err);
}
@@ -603,14 +604,14 @@ krb5_stdccv3_next_cred (krb5_context context,
* - try to find a matching credential in the cache
*/
krb5_error_code KRB5_CALLCONV
-krb5_stdccv3_retrieve (krb5_context context,
- krb5_ccache id,
- krb5_flags whichfields,
- krb5_creds *mcreds,
+krb5_stdccv3_retrieve (krb5_context context,
+ krb5_ccache id,
+ krb5_flags whichfields,
+ krb5_creds *mcreds,
krb5_creds *creds)
{
return krb5_cc_retrieve_cred_default (context, id, whichfields,
- mcreds, creds);
+ mcreds, creds);
}
/*
@@ -618,58 +619,58 @@ krb5_stdccv3_retrieve (krb5_context context,
*
* just free up the storage assoicated with the cursor (if we can)
*/
-krb5_error_code KRB5_CALLCONV
-krb5_stdccv3_end_seq_get (krb5_context context,
- krb5_ccache id,
+krb5_error_code KRB5_CALLCONV
+krb5_stdccv3_end_seq_get (krb5_context context,
+ krb5_ccache id,
krb5_cc_cursor *cursor)
{
krb5_error_code err = 0;
stdccCacheDataPtr ccapi_data = id->data;
cc_credentials_iterator_t iterator = *cursor;
-
+
if (!iterator) { return 0; }
-
+
if (!err) {
err = stdccv3_setup (context, ccapi_data);
}
-
+
if (!err) {
err = cc_credentials_iterator_release(iterator);
}
-
+
return cc_err_xlate(err);
}
-
+
/*
* close
*
* - free our pointers to the NC
*/
-krb5_error_code KRB5_CALLCONV
-krb5_stdccv3_close(krb5_context context,
+krb5_error_code KRB5_CALLCONV
+krb5_stdccv3_close(krb5_context context,
krb5_ccache id)
{
krb5_error_code err = 0;
stdccCacheDataPtr ccapi_data = id->data;
-
+
if (!err) {
err = stdccv3_setup (context, NULL);
}
-
+
if (!err) {
- if (ccapi_data) {
- if (ccapi_data->cache_name) {
- free (ccapi_data->cache_name);
+ if (ccapi_data) {
+ if (ccapi_data->cache_name) {
+ free (ccapi_data->cache_name);
}
- if (ccapi_data->NamedCache) {
- err = cc_ccache_release (ccapi_data->NamedCache);
+ if (ccapi_data->NamedCache) {
+ err = cc_ccache_release (ccapi_data->NamedCache);
}
free (ccapi_data);
id->data = NULL;
- }
- free (id);
+ }
+ free (id);
}
-
+
return cc_err_xlate(err);
}
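Review bot: krb5_stdccv3_end_seq_get releases the iterator but leaves the caller's `*cursor` holding the released handle, whereas krb5_stdccv3_next_cred clears it with `*cursor = 0;` when it releases on ccIteratorEnd. A second end_seq_get or a late next_cred on the same cursor would then pass a released iterator back into CCAPI. Clearing it after the release, `*cursor = 0;`, makes the existing `if (!iterator) { return 0; }` guard effective for repeat calls. Whether the generic krb5_cc layer already prevents reuse is not visible from this hunk.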
@@ -679,35 +680,35 @@ krb5_stdccv3_close(krb5_context context,
* - free our storage and the cache
*/
krb5_error_code KRB5_CALLCONV
-krb5_stdccv3_destroy (krb5_context context,
+krb5_stdccv3_destroy (krb5_context context,
krb5_ccache id)
{
krb5_error_code err = 0;
stdccCacheDataPtr ccapi_data = id->data;
-
+
if (!err) {
err = stdccv3_setup(context, ccapi_data);
}
-
+
if (!err) {
- if (ccapi_data) {
- if (ccapi_data->cache_name) {
- free(ccapi_data->cache_name);
+ if (ccapi_data) {
+ if (ccapi_data->cache_name) {
+ free(ccapi_data->cache_name);
}
if (ccapi_data->NamedCache) {
/* destroy the named cache */
err = cc_ccache_destroy(ccapi_data->NamedCache);
- if (err == ccErrCCacheNotFound) {
+ if (err == ccErrCCacheNotFound) {
err = 0; /* ccache maybe already destroyed */
}
cache_changed();
}
free(ccapi_data);
id->data = NULL;
- }
- free(id);
+ }
+ free(id);
}
-
+
return cc_err_xlate(err);
}
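Review bot: In krb5_stdccv3_destroy all cleanup sits inside `if (!err)`, so when stdccv3_setup fails (for example because the named cache no longer exists) `cache_name`, `ccapi_data` and `id` are never freed and the caller is left with a handle it can no longer dispose of. krb5_stdccv3_close in the preceding hunk has the same shape. Freeing the local memory unconditionally and gating only the CCAPI call on the setup result would avoid the leak, e.g. `if (!err && ccapi_data->NamedCache) { err = cc_ccache_destroy(ccapi_data->NamedCache); }` followed by the frees outside the `!err` block. This assumes callers treat the handle as consumed even when close or destroy returns an error, which should be confirmed against the cc ops contract.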
@@ -716,12 +717,12 @@ krb5_stdccv3_destroy (krb5_context context,
*
* - return the name of the named cache
*/
-const char * KRB5_CALLCONV
-krb5_stdccv3_get_name (krb5_context context,
+const char * KRB5_CALLCONV
+krb5_stdccv3_get_name (krb5_context context,
krb5_ccache id )
{
stdccCacheDataPtr ccapi_data = id->data;
-
+
if (!ccapi_data) {
return NULL;
} else {
@@ -734,29 +735,29 @@ krb5_stdccv3_get_name (krb5_context context,
*
* - return the principal associated with the named cache
*/
-krb5_error_code KRB5_CALLCONV
-krb5_stdccv3_get_principal (krb5_context context,
- krb5_ccache id ,
- krb5_principal *princ)
+krb5_error_code KRB5_CALLCONV
+krb5_stdccv3_get_principal (krb5_context context,
+ krb5_ccache id ,
+ krb5_principal *princ)
{
krb5_error_code err = 0;
stdccCacheDataPtr ccapi_data = id->data;
cc_string_t name = NULL;
-
+
if (!err) {
err = stdccv3_setup(context, ccapi_data);
}
-
+
if (!err) {
err = cc_ccache_get_principal (ccapi_data->NamedCache, cc_credentials_v5, &name);
}
-
+
if (!err) {
err = krb5_parse_name (context, name->data, princ);
}
-
+
if (name) { cc_string_release (name); }
-
+
return cc_err_xlate (err);
}
@@ -765,16 +766,16 @@ krb5_stdccv3_get_principal (krb5_context context,
*
* - currently a NOP since we don't store any flags in the NC
*/
-krb5_error_code KRB5_CALLCONV
-krb5_stdccv3_set_flags (krb5_context context,
- krb5_ccache id,
+krb5_error_code KRB5_CALLCONV
+krb5_stdccv3_set_flags (krb5_context context,
+ krb5_ccache id,
krb5_flags flags)
{
krb5_error_code err = 0;
stdccCacheDataPtr ccapi_data = id->data;
-
+
err = stdccv3_setup (context, ccapi_data);
-
+
return cc_err_xlate (err);
}
@@ -783,16 +784,16 @@ krb5_stdccv3_set_flags (krb5_context context,
*
* - currently a NOP since we don't store any flags in the NC
*/
-krb5_error_code KRB5_CALLCONV
-krb5_stdccv3_get_flags (krb5_context context,
- krb5_ccache id,
+krb5_error_code KRB5_CALLCONV
+krb5_stdccv3_get_flags (krb5_context context,
+ krb5_ccache id,
krb5_flags *flags)
{
krb5_error_code err = 0;
stdccCacheDataPtr ccapi_data = id->data;
-
+
err = stdccv3_setup (context, ccapi_data);
-
+
return cc_err_xlate (err);
}
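Review bot: krb5_stdccv3_get_flags returns success without ever writing `*flags`, so a caller that reads the output after a zero return sees whatever was in its variable. Since the header comment says no flags are stored in the named cache, store a defined value before returning: `if (!err && flags) { *flags = 0; }`. A one-line comment stating that the reported flags are always 0 for this cache type would also help the next reader.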
@@ -801,22 +802,22 @@ krb5_stdccv3_get_flags (krb5_context context,
*
* - remove the specified credentials from the NC
*/
-krb5_error_code KRB5_CALLCONV
-krb5_stdccv3_remove (krb5_context context,
+krb5_error_code KRB5_CALLCONV
+krb5_stdccv3_remove (krb5_context context,
krb5_ccache id,
- krb5_flags flags,
+ krb5_flags flags,
krb5_creds *in_creds)
{
krb5_error_code err = 0;
stdccCacheDataPtr ccapi_data = id->data;
cc_credentials_iterator_t iterator = NULL;
int found = 0;
-
+
if (!err) {
err = stdccv3_setup(context, ccapi_data);
}
-
-
+
+
if (!err) {
err = cc_ccache_new_credentials_iterator(ccapi_data->NamedCache,
&iterator);
@@ -825,28 +826,28 @@ krb5_stdccv3_remove (krb5_context context,
/* Note: CCAPI v3 ccaches can contain both v4 and v5 creds */
while (!err && !found) {
cc_credentials_t credentials = NULL;
-
+
err = cc_credentials_iterator_next (iterator, &credentials);
-
+
if (!err && (credentials->data->version == cc_credentials_v5)) {
krb5_creds creds;
-
- err = copy_cc_cred_union_to_krb5_creds(context,
+
+ err = copy_cc_cred_union_to_krb5_creds(context,
credentials->data, &creds);
if (!err) {
found = krb5_creds_compare (context, in_creds, &creds);
krb5_free_cred_contents (context, &creds);
}
-
+
if (!err && found) {
err = cc_ccache_remove_credentials (ccapi_data->NamedCache, credentials);
}
}
-
+
if (credentials) { cc_credentials_release (credentials); }
}
- if (err == ccIteratorEnd) { err = ccErrCredentialsNotFound; }
+ if (err == ccIteratorEnd) { err = ccErrCredentialsNotFound; }
if (iterator) {
err = cc_credentials_iterator_release(iterator);
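Review bot: In krb5_stdccv3_remove the unconditional `err = cc_credentials_iterator_release(iterator);` overwrites the status set just above, so `ccErrCredentialsNotFound` and any failure from `cc_ccache_remove_credentials` are replaced by the result of the release. When the release succeeds the function reports success and goes on to call `cache_changed()` even though nothing was removed. Keep the first error instead: `krb5_error_code rel_err = cc_credentials_iterator_release(iterator);` then `if (!err) { err = rel_err; }`. The closing brace of the `if (iterator)` block is outside this hunk.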
@@ -855,7 +856,7 @@ krb5_stdccv3_remove (krb5_context context,
if (!err) {
cache_changed ();
}
-
+
return cc_err_xlate (err);
}
@@ -863,38 +864,38 @@ krb5_error_code KRB5_CALLCONV
krb5_stdccv3_ptcursor_new(krb5_context context,
krb5_cc_ptcursor *cursor)
{
- krb5_error_code err = 0;
- krb5_cc_ptcursor ptcursor = NULL;
- cc_ccache_iterator_t iterator = NULL;
-
- ptcursor = malloc(sizeof(*ptcursor));
- if (ptcursor == NULL) {
- err = ENOMEM;
- }
- else {
- memset(ptcursor, 0, sizeof(*ptcursor));
- }
-
- if (!err) {
- err = stdccv3_setup(context, NULL);
- }
- if (!err) {
- ptcursor->ops = &krb5_cc_stdcc_ops;
- err = cc_context_new_ccache_iterator(gCntrlBlock, &iterator);
- }
-
- if (!err) {
- ptcursor->data = iterator;
- }
-
- if (err) {
- if (ptcursor) { krb5_stdccv3_ptcursor_free(context, &ptcursor); }
- // krb5_stdccv3_ptcursor_free sets ptcursor to NULL for us
- }
-
- *cursor = ptcursor;
-
- return err;
+ krb5_error_code err = 0;
+ krb5_cc_ptcursor ptcursor = NULL;
+ cc_ccache_iterator_t iterator = NULL;
+
+ ptcursor = malloc(sizeof(*ptcursor));
+ if (ptcursor == NULL) {
+ err = ENOMEM;
+ }
+ else {
+ memset(ptcursor, 0, sizeof(*ptcursor));
+ }
+
+ if (!err) {
+ err = stdccv3_setup(context, NULL);
+ }
+ if (!err) {
+ ptcursor->ops = &krb5_cc_stdcc_ops;
+ err = cc_context_new_ccache_iterator(gCntrlBlock, &iterator);
+ }
+
+ if (!err) {
+ ptcursor->data = iterator;
+ }
+
+ if (err) {
+ if (ptcursor) { krb5_stdccv3_ptcursor_free(context, &ptcursor); }
+ // krb5_stdccv3_ptcursor_free sets ptcursor to NULL for us
+ }
+
+ *cursor = ptcursor;
+
+ return err;
}
krb5_error_code KRB5_CALLCONV
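Review bot: krb5_stdccv3_ptcursor_new ends with `return err;`, where `err` may hold `ENOMEM` or a raw CCAPI code from stdccv3_setup or cc_context_new_ccache_iterator, while the other ops in this file return through cc_err_xlate. krb5_stdccv3_ptcursor_next in the next hunk has the same shape and mixes `ccErrInvalidContext` with `KRB5_CC_NOMEM` in one variable. Callers expecting krb5 error codes would appear to receive values from a different error domain. Keeping `err` in the CCAPI domain (`err = ccErrNoMem;` on allocation failure) and finishing with `return cc_err_xlate(err);` would match the rest of the file. Note that the page's own comment says cc_err_xlate must be applied only once.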
@@ -903,72 +904,72 @@ krb5_stdccv3_ptcursor_next(
krb5_cc_ptcursor cursor,
krb5_ccache *ccache)
{
- krb5_error_code err = 0;
- cc_ccache_iterator_t iterator = NULL;
-
- krb5_ccache newCache = NULL;
- stdccCacheDataPtr ccapi_data = NULL;
- cc_ccache_t ccCache = NULL;
- cc_string_t ccstring = NULL;
- char *name = NULL;
-
- if (!cursor || !cursor->data) {
- err = ccErrInvalidContext;
- }
-
- *ccache = NULL;
-
- if (!err) {
- newCache = (krb5_ccache) malloc (sizeof (*newCache));
- if (!newCache) { err = KRB5_CC_NOMEM; }
- }
-
- if (!err) {
- ccapi_data = (stdccCacheDataPtr) malloc (sizeof (*ccapi_data));
- if (!ccapi_data) { err = KRB5_CC_NOMEM; }
- }
-
- if (!err) {
- iterator = cursor->data;
- err = cc_ccache_iterator_next(iterator, &ccCache);
- }
-
- if (!err) {
- err = cc_ccache_get_name (ccCache, &ccstring);
- }
-
- if (!err) {
- name = strdup (ccstring->data);
- if (!name) { err = KRB5_CC_NOMEM; }
- }
-
- if (!err) {
- ccapi_data->cache_name = name;
- name = NULL; /* take ownership */
-
- ccapi_data->NamedCache = ccCache;
- ccCache = NULL; /* take ownership */
-
- newCache->ops = &krb5_cc_stdcc_ops;
- newCache->data = ccapi_data;
- ccapi_data = NULL; /* take ownership */
-
- /* return a pointer to the new cache */
- *ccache = newCache;
- newCache = NULL;
- }
-
- if (name) { free (name); }
- if (ccstring) { cc_string_release (ccstring); }
- if (ccCache) { cc_ccache_release (ccCache); }
- if (ccapi_data) { free (ccapi_data); }
- if (newCache) { free (newCache); }
-
- if (err == ccIteratorEnd) {
- err = ccNoError;
- }
-
- return err;
+ krb5_error_code err = 0;
+ cc_ccache_iterator_t iterator = NULL;
+
+ krb5_ccache newCache = NULL;
+ stdccCacheDataPtr ccapi_data = NULL;
+ cc_ccache_t ccCache = NULL;
+ cc_string_t ccstring = NULL;
+ char *name = NULL;
+
+ if (!cursor || !cursor->data) {
+ err = ccErrInvalidContext;
+ }
+
+ *ccache = NULL;
+
+ if (!err) {
+ newCache = (krb5_ccache) malloc (sizeof (*newCache));
+ if (!newCache) { err = KRB5_CC_NOMEM; }
+ }
+
+ if (!err) {
+ ccapi_data = (stdccCacheDataPtr) malloc (sizeof (*ccapi_data));
+ if (!ccapi_data) { err = KRB5_CC_NOMEM; }
+ }
+
+ if (!err) {
+ iterator = cursor->data;
+ err = cc_ccache_iterator_next(iterator, &ccCache);
+ }
+
+ if (!err) {
+ err = cc_ccache_get_name (ccCache, &ccstring);
+ }
+
+ if (!err) {
+ name = strdup (ccstring->data);
+ if (!name) { err = KRB5_CC_NOMEM; }
+ }
+
+ if (!err) {
+ ccapi_data->cache_name = name;
+ name = NULL; /* take ownership */
+
+ ccapi_data->NamedCache = ccCache;
+ ccCache = NULL; /* take ownership */
+
+ newCache->ops = &krb5_cc_stdcc_ops;
+ newCache->data = ccapi_data;
+ ccapi_data = NULL; /* take ownership */
+
+ /* return a pointer to the new cache */
+ *ccache = newCache;
+ newCache = NULL;
+ }
+
+ if (name) { free (name); }
+ if (ccstring) { cc_string_release (ccstring); }
+ if (ccCache) { cc_ccache_release (ccCache); }
+ if (ccapi_data) { free (ccapi_data); }
+ if (newCache) { free (newCache); }
+
+ if (err == ccIteratorEnd) {
+ err = ccNoError;
+ }
+
+ return err;
}
krb5_error_code KRB5_CALLCONV
@@ -977,25 +978,25 @@ krb5_stdccv3_ptcursor_free(
krb5_cc_ptcursor *cursor)
{
if (*cursor != NULL) {
- if ((*cursor)->data != NULL) {
- cc_ccache_iterator_release((cc_ccache_iterator_t)((*cursor)->data));
- }
- free(*cursor);
- *cursor = NULL;
- }
+ if ((*cursor)->data != NULL) {
+ cc_ccache_iterator_release((cc_ccache_iterator_t)((*cursor)->data));
+ }
+ free(*cursor);
+ *cursor = NULL;
+ }
return 0;
}
krb5_error_code KRB5_CALLCONV krb5_stdccv3_last_change_time
- (krb5_context context, krb5_ccache id,
- krb5_timestamp *change_time)
+(krb5_context context, krb5_ccache id,
+ krb5_timestamp *change_time)
{
krb5_error_code err = 0;
stdccCacheDataPtr ccapi_data = id->data;
cc_time_t ccapi_change_time = 0;
*change_time = 0;
-
+
if (!err) {
err = stdccv3_setup(context, ccapi_data);
}
@@ -1005,7 +1006,7 @@ krb5_error_code KRB5_CALLCONV krb5_stdccv3_last_change_time
if (!err) {
*change_time = ccapi_change_time;
}
-
+
return cc_err_xlate (err);
}
@@ -1014,14 +1015,14 @@ krb5_error_code KRB5_CALLCONV krb5_stdccv3_lock
{
krb5_error_code err = 0;
stdccCacheDataPtr ccapi_data = id->data;
-
+
if (!err) {
err = stdccv3_setup(context, ccapi_data);
}
if (!err) {
err = cc_ccache_lock(ccapi_data->NamedCache, cc_lock_write, cc_lock_block);
}
- return cc_err_xlate(err);
+ return cc_err_xlate(err);
}
krb5_error_code KRB5_CALLCONV krb5_stdccv3_unlock
@@ -1029,14 +1030,14 @@ krb5_error_code KRB5_CALLCONV krb5_stdccv3_unlock
{
krb5_error_code err = 0;
stdccCacheDataPtr ccapi_data = id->data;
-
+
if (!err) {
err = stdccv3_setup(context, ccapi_data);
}
if (!err) {
err = cc_ccache_unlock(ccapi_data->NamedCache);
}
- return cc_err_xlate(err);
+ return cc_err_xlate(err);
}
krb5_error_code KRB5_CALLCONV krb5_stdccv3_context_lock
@@ -1050,7 +1051,7 @@ krb5_error_code KRB5_CALLCONV krb5_stdccv3_context_lock
if (!err) {
err = cc_context_lock(gCntrlBlock, cc_lock_write, cc_lock_block);
}
- return cc_err_xlate(err);
+ return cc_err_xlate(err);
}
krb5_error_code KRB5_CALLCONV krb5_stdccv3_context_unlock
@@ -1064,173 +1065,173 @@ krb5_error_code KRB5_CALLCONV krb5_stdccv3_context_unlock
if (!err) {
err = cc_context_unlock(gCntrlBlock);
}
- return cc_err_xlate(err);
+ return cc_err_xlate(err);
}
#else /* !USE_CCAPI_V3 */
static krb5_error_code stdcc_setup(krb5_context context,
- stdccCacheDataPtr ccapi_data)
+ stdccCacheDataPtr ccapi_data)
{
- int err;
+ int err;
- /* make sure the API has been intialized */
- if (gCntrlBlock == NULL) {
+ /* make sure the API has been intialized */
+ if (gCntrlBlock == NULL) {
#ifdef CC_API_VER2
- err = cc_initialize(&gCntrlBlock, CC_API_VER_2, NULL, NULL);
+ err = cc_initialize(&gCntrlBlock, CC_API_VER_2, NULL, NULL);
#else
- err = cc_initialize(&gCntrlBlock, CC_API_VER_1, NULL, NULL);
+ err = cc_initialize(&gCntrlBlock, CC_API_VER_1, NULL, NULL);
#endif
- if (err != CC_NOERROR)
- return cc_err_xlate(err);
- }
-
- /*
- * No ccapi_data structure, so we don't need to make sure the
- * ccache exists.
- */
- if (!ccapi_data)
- return 0;
-
- /*
- * The ccache already exists
- */
- if (ccapi_data->NamedCache)
- return 0;
-
- err = cc_open(gCntrlBlock, ccapi_data->cache_name,
- CC_CRED_V5, 0L, &ccapi_data->NamedCache);
- if (err == CC_NOTFOUND)
- err = CC_NO_EXIST;
- if (err == CC_NOERROR)
- return 0;
-
- ccapi_data->NamedCache = NULL;
- return cc_err_xlate(err);
+ if (err != CC_NOERROR)
+ return cc_err_xlate(err);
+ }
+
+ /*
+ * No ccapi_data structure, so we don't need to make sure the
+ * ccache exists.
+ */
+ if (!ccapi_data)
+ return 0;
+
+ /*
+ * The ccache already exists
+ */
+ if (ccapi_data->NamedCache)
+ return 0;
+
+ err = cc_open(gCntrlBlock, ccapi_data->cache_name,
+ CC_CRED_V5, 0L, &ccapi_data->NamedCache);
+ if (err == CC_NOTFOUND)
+ err = CC_NO_EXIST;
+ if (err == CC_NOERROR)
+ return 0;
+
+ ccapi_data->NamedCache = NULL;
+ return cc_err_xlate(err);
}
void krb5_stdcc_shutdown()
{
- if (gCntrlBlock)
- cc_shutdown(&gCntrlBlock);
- gCntrlBlock = NULL;
+ if (gCntrlBlock)
+ cc_shutdown(&gCntrlBlock);
+ gCntrlBlock = NULL;
}
/*
* -- generate_new --------------------------------
- *
+ *
* create a new cache with a unique name, corresponds to creating a
* named cache iniitialize the API here if we have to.
*/
-krb5_error_code KRB5_CALLCONV krb5_stdcc_generate_new
- (krb5_context context, krb5_ccache *id )
+krb5_error_code KRB5_CALLCONV krb5_stdcc_generate_new
+(krb5_context context, krb5_ccache *id )
{
- krb5_ccache newCache = NULL;
- krb5_error_code retval;
- stdccCacheDataPtr ccapi_data = NULL;
- char *name = NULL;
- cc_time_t change_time;
- int err;
-
- if ((retval = stdcc_setup(context, NULL)))
- return retval;
-
- retval = KRB5_CC_NOMEM;
- if (!(newCache = (krb5_ccache) malloc(sizeof(struct _krb5_ccache))))
- goto errout;
- if (!(ccapi_data = (stdccCacheDataPtr)malloc(sizeof(stdccCacheData))))
- goto errout;
- if (!(name = malloc(256)))
- goto errout;
-
- /* create a unique name */
- cc_get_change_time(gCntrlBlock, &change_time);
- snprintf(name, 256, "gen_new_cache%d", change_time);
-
- /* create the new cache */
- err = cc_create(gCntrlBlock, name, name, CC_CRED_V5, 0L,
- &ccapi_data->NamedCache);
- if (err != CC_NOERROR) {
- retval = cc_err_xlate(err);
- goto errout;
- }
-
- /* setup some fields */
- newCache->ops = &krb5_cc_stdcc_ops;
- newCache->data = ccapi_data;
- ccapi_data->cache_name = name;
-
- /* return a pointer to the new cache */
- *id = newCache;
-
- return 0;
+ krb5_ccache newCache = NULL;
+ krb5_error_code retval;
+ stdccCacheDataPtr ccapi_data = NULL;
+ char *name = NULL;
+ cc_time_t change_time;
+ int err;
+
+ if ((retval = stdcc_setup(context, NULL)))
+ return retval;
+
+ retval = KRB5_CC_NOMEM;
+ if (!(newCache = (krb5_ccache) malloc(sizeof(struct _krb5_ccache))))
+ goto errout;
+ if (!(ccapi_data = (stdccCacheDataPtr)malloc(sizeof(stdccCacheData))))
+ goto errout;
+ if (!(name = malloc(256)))
+ goto errout;
+
+ /* create a unique name */
+ cc_get_change_time(gCntrlBlock, &change_time);
+ snprintf(name, 256, "gen_new_cache%d", change_time);
+
+ /* create the new cache */
+ err = cc_create(gCntrlBlock, name, name, CC_CRED_V5, 0L,
+ &ccapi_data->NamedCache);
+ if (err != CC_NOERROR) {
+ retval = cc_err_xlate(err);
+ goto errout;
+ }
+
+ /* setup some fields */
+ newCache->ops = &krb5_cc_stdcc_ops;
+ newCache->data = ccapi_data;
+ ccapi_data->cache_name = name;
+
+ /* return a pointer to the new cache */
+ *id = newCache;
+
+ return 0;
errout:
- if (newCache)
- free(newCache);
- if (ccapi_data)
- free(ccapi_data);
- if (name)
- free(name);
- return retval;
+ if (newCache)
+ free(newCache);
+ if (ccapi_data)
+ free(ccapi_data);
+ if (name)
+ free(name);
+ return retval;
}
-
+
/*
* resolve
*
* create a new cache with the name stored in residual
*/
-krb5_error_code KRB5_CALLCONV krb5_stdcc_resolve
- (krb5_context context, krb5_ccache *id , const char *residual )
+krb5_error_code KRB5_CALLCONV krb5_stdcc_resolve
+(krb5_context context, krb5_ccache *id , const char *residual )
{
- krb5_ccache newCache = NULL;
- stdccCacheDataPtr ccapi_data = NULL;
- int err;
- krb5_error_code retval;
- char *cName = NULL;
-
- if ((retval = stdcc_setup(context, NULL)))
- return retval;
-
- retval = KRB5_CC_NOMEM;
- if (!(newCache = (krb5_ccache) malloc(sizeof(struct _krb5_ccache))))
- goto errout;
-
- if (!(ccapi_data = (stdccCacheDataPtr)malloc(sizeof(stdccCacheData))))
- goto errout;
-
- if (!(cName = strdup(residual)))
- goto errout;
-
- newCache->ops = &krb5_cc_stdcc_ops;
- newCache->data = ccapi_data;
- ccapi_data->cache_name = cName;
-
- err = cc_open(gCntrlBlock, cName, CC_CRED_V5, 0L,
- &ccapi_data->NamedCache);
- if (err != CC_NOERROR) {
- ccapi_data->NamedCache = NULL;
- if (err != CC_NO_EXIST) {
- retval = cc_err_xlate(err);
- goto errout;
- }
+ krb5_ccache newCache = NULL;
+ stdccCacheDataPtr ccapi_data = NULL;
+ int err;
+ krb5_error_code retval;
+ char *cName = NULL;
+
+ if ((retval = stdcc_setup(context, NULL)))
+ return retval;
+
+ retval = KRB5_CC_NOMEM;
+ if (!(newCache = (krb5_ccache) malloc(sizeof(struct _krb5_ccache))))
+ goto errout;
+
+ if (!(ccapi_data = (stdccCacheDataPtr)malloc(sizeof(stdccCacheData))))
+ goto errout;
+
+ if (!(cName = strdup(residual)))
+ goto errout;
+
+ newCache->ops = &krb5_cc_stdcc_ops;
+ newCache->data = ccapi_data;
+ ccapi_data->cache_name = cName;
+
+ err = cc_open(gCntrlBlock, cName, CC_CRED_V5, 0L,
+ &ccapi_data->NamedCache);
+ if (err != CC_NOERROR) {
+ ccapi_data->NamedCache = NULL;
+ if (err != CC_NO_EXIST) {
+ retval = cc_err_xlate(err);
+ goto errout;
}
-
- /* return new cache structure */
- *id = newCache;
-
- return 0;
-
+ }
+
+ /* return new cache structure */
+ *id = newCache;
+
+ return 0;
+
errout:
- if (newCache)
- free(newCache);
- if (ccapi_data)
- free(ccapi_data);
- if (cName)
- free(cName);
- return retval;
+ if (newCache)
+ free(newCache);
+ if (ccapi_data)
+ free(ccapi_data);
+ if (cName)
+ free(cName);
+ return retval;
}
-
+
/*
* initialize
*
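Review bot: In krb5_stdcc_generate_new the return value of `cc_get_change_time(gCntrlBlock, &change_time);` is ignored, so on failure the cache name is formatted from an uninitialised `change_time`. Even on success the name depends only on the collection's last change time, so it is predictable, and two calls with no intervening change produce the same name. How `cc_create` treats an existing name is not visible here. The `%d` conversion also assumes `cc_time_t` is an `int`. Check the call's result, format with an explicit cast such as `snprintf(name, 256, "gen_new_cache%ld", (long) change_time);`, and consider adding a per-process counter or retrying on a name collision.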
@@ -1238,48 +1239,48 @@ errout:
* principal if not set our principal to this principal. This
* searching enables ticket sharing
*/
-krb5_error_code KRB5_CALLCONV krb5_stdcc_initialize
- (krb5_context context, krb5_ccache id, krb5_principal princ)
+krb5_error_code KRB5_CALLCONV krb5_stdcc_initialize
+(krb5_context context, krb5_ccache id, krb5_principal princ)
{
- stdccCacheDataPtr ccapi_data = NULL;
- int err;
- char *cName = NULL;
- krb5_error_code retval;
-
- if ((retval = stdcc_setup(context, NULL)))
- return retval;
-
- /* test id for null */
- if (id == NULL) return KRB5_CC_NOMEM;
-
- if ((retval = krb5_unparse_name(context, princ, &cName)))
- return retval;
-
- ccapi_data = id->data;
-
-
- if (ccapi_data->NamedCache)
- cc_close(gCntrlBlock, &ccapi_data->NamedCache);
-
- err = cc_create(gCntrlBlock, ccapi_data->cache_name, cName,
- CC_CRED_V5, 0L, &ccapi_data->NamedCache);
- if (err != CC_NOERROR) {
- krb5_free_unparsed_name(context, cName);
- return cc_err_xlate(err);
- }
+ stdccCacheDataPtr ccapi_data = NULL;
+ int err;
+ char *cName = NULL;
+ krb5_error_code retval;
+
+ if ((retval = stdcc_setup(context, NULL)))
+ return retval;
+
+ /* test id for null */
+ if (id == NULL) return KRB5_CC_NOMEM;
+
+ if ((retval = krb5_unparse_name(context, princ, &cName)))
+ return retval;
+
+ ccapi_data = id->data;
+
+
+ if (ccapi_data->NamedCache)
+ cc_close(gCntrlBlock, &ccapi_data->NamedCache);
+
+ err = cc_create(gCntrlBlock, ccapi_data->cache_name, cName,
+ CC_CRED_V5, 0L, &ccapi_data->NamedCache);
+ if (err != CC_NOERROR) {
+ krb5_free_unparsed_name(context, cName);
+ return cc_err_xlate(err);
+ }
#if 0
- /*
- * Some implementations don't set the principal name
- * correctly, so we force set it to the correct value.
- */
- err = cc_set_principal(gCntrlBlock, ccapi_data->NamedCache,
- CC_CRED_V5, cName);
+ /*
+ * Some implementations don't set the principal name
+ * correctly, so we force set it to the correct value.
+ */
+ err = cc_set_principal(gCntrlBlock, ccapi_data->NamedCache,
+ CC_CRED_V5, cName);
#endif
- krb5_free_unparsed_name(context, cName);
- cache_changed();
-
- return cc_err_xlate(err);
+ krb5_free_unparsed_name(context, cName);
+ cache_changed();
+
+ return cc_err_xlate(err);
}
/*
@@ -1287,35 +1288,35 @@ krb5_error_code KRB5_CALLCONV krb5_stdcc_initialize
*
* store some credentials in our cache
*/
-krb5_error_code KRB5_CALLCONV krb5_stdcc_store
- (krb5_context context, krb5_ccache id, krb5_creds *creds )
+krb5_error_code KRB5_CALLCONV krb5_stdcc_store
+(krb5_context context, krb5_ccache id, krb5_creds *creds )
{
- krb5_error_code retval;
- stdccCacheDataPtr ccapi_data = id->data;
- cred_union *cu = NULL;
- int err;
-
- if ((retval = stdcc_setup(context, ccapi_data)))
- return retval;
-
- /* copy the fields from the almost identical structures */
- dupK5toCC(context, creds, &cu);
-
- /*
- * finally store the credential
- * store will copy (that is duplicate) everything
- */
- err = cc_store(gCntrlBlock,
- ((stdccCacheDataPtr)(id->data))->NamedCache, *cu);
- if (err != CC_NOERROR)
- return cc_err_xlate(err);
-
- /* free the cred union using our local version of cc_free_creds()
- since we allocated it locally */
- err = krb5int_free_cc_cred_union(&cu);
-
- cache_changed();
- return err;
+ krb5_error_code retval;
+ stdccCacheDataPtr ccapi_data = id->data;
+ cred_union *cu = NULL;
+ int err;
+
+ if ((retval = stdcc_setup(context, ccapi_data)))
+ return retval;
+
+ /* copy the fields from the almost identical structures */
+ dupK5toCC(context, creds, &cu);
+
+ /*
+ * finally store the credential
+ * store will copy (that is duplicate) everything
+ */
+ err = cc_store(gCntrlBlock,
+ ((stdccCacheDataPtr)(id->data))->NamedCache, *cu);
+ if (err != CC_NOERROR)
+ return cc_err_xlate(err);
+
+ /* free the cred union using our local version of cc_free_creds()
+ since we allocated it locally */
+ err = krb5int_free_cc_cred_union(&cu);
+
+ cache_changed();
+ return err;
}
/*
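Review bot: In krb5_stdcc_store nothing checks that dupK5toCC actually set `cu`, which is initialised to NULL, before `*cu` is passed to cc_store, so a failed conversion would become a NULL dereference; add `if (cu == NULL) return KRB5_CC_NOMEM;` right after the dupK5toCC call. The `if (err != CC_NOERROR) return cc_err_xlate(err);` path also returns without releasing `cu`, leaving the locally allocated copy of the credential on the heap; call `krb5int_free_cc_cred_union(&cu);` before that return. The final `return err;` hands back the result of krb5int_free_cc_cred_union untranslated, whereas krb5_stdcc_remove passes it through cc_err_xlate, so it is worth confirming which error space that helper uses. The krb5_stdcc_remove hunk further down has the same unchecked `*cu` and the same leak when cc_remove_cred fails.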
@@ -1323,75 +1324,75 @@ krb5_error_code KRB5_CALLCONV krb5_stdcc_store
*
* begin an iterator call to get all of the credentials in the cache
*/
-krb5_error_code KRB5_CALLCONV krb5_stdcc_start_seq_get
+krb5_error_code KRB5_CALLCONV krb5_stdcc_start_seq_get
(krb5_context context, krb5_ccache id , krb5_cc_cursor *cursor )
{
- stdccCacheDataPtr ccapi_data = id->data;
- krb5_error_code retval;
- int err;
- ccache_cit *iterator;
+ stdccCacheDataPtr ccapi_data = id->data;
+ krb5_error_code retval;
+ int err;
+ ccache_cit *iterator;
- if ((retval = stdcc_setup(context, ccapi_data)))
- return retval;
+ if ((retval = stdcc_setup(context, ccapi_data)))
+ return retval;
#ifdef CC_API_VER2
- err = cc_seq_fetch_creds_begin(gCntrlBlock, ccapi_data->NamedCache,
- &iterator);
- if (err != CC_NOERROR)
- return cc_err_xlate(err);
- *cursor = iterator;
+ err = cc_seq_fetch_creds_begin(gCntrlBlock, ccapi_data->NamedCache,
+ &iterator);
+ if (err != CC_NOERROR)
+ return cc_err_xlate(err);
+ *cursor = iterator;
#else
- /* all we have to do is initialize the cursor */
- *cursor = NULL;
+ /* all we have to do is initialize the cursor */
+ *cursor = NULL;
#endif
- return 0;
+ return 0;
}
/*
* next cred
- *
+ *
* - get the next credential in the cache as part of an iterator call
* - this maps to call to cc_seq_fetch_creds
*/
-krb5_error_code KRB5_CALLCONV krb5_stdcc_next_cred
- (krb5_context context, krb5_ccache id, krb5_cc_cursor *cursor,
- krb5_creds *creds)
+krb5_error_code KRB5_CALLCONV krb5_stdcc_next_cred
+(krb5_context context, krb5_ccache id, krb5_cc_cursor *cursor,
+ krb5_creds *creds)
{
- krb5_error_code retval;
- stdccCacheDataPtr ccapi_data = id->data;
- int err;
- cred_union *credU = NULL;
- ccache_cit *iterator;
-
- if ((retval = stdcc_setup(context, ccapi_data)))
- return retval;
-
+ krb5_error_code retval;
+ stdccCacheDataPtr ccapi_data = id->data;
+ int err;
+ cred_union *credU = NULL;
+ ccache_cit *iterator;
+
+ if ((retval = stdcc_setup(context, ccapi_data)))
+ return retval;
+
#ifdef CC_API_VER2
- iterator = *cursor;
- if (iterator == 0)
- return KRB5_CC_END;
- err = cc_seq_fetch_creds_next(gCntrlBlock, &credU, iterator);
-
- if (err == CC_END) {
- cc_seq_fetch_creds_end(gCntrlBlock, &iterator);
- *cursor = 0;
- }
+ iterator = *cursor;
+ if (iterator == 0)
+ return KRB5_CC_END;
+ err = cc_seq_fetch_creds_next(gCntrlBlock, &credU, iterator);
+
+ if (err == CC_END) {
+ cc_seq_fetch_creds_end(gCntrlBlock, &iterator);
+ *cursor = 0;
+ }
#else
- err = cc_seq_fetch_creds(gCntrlBlock, ccapi_data->NamedCache,
- &credU, (ccache_cit **)cursor);
+ err = cc_seq_fetch_creds(gCntrlBlock, ccapi_data->NamedCache,
+ &credU, (ccache_cit **)cursor);
#endif
- if (err != CC_NOERROR)
- return cc_err_xlate(err);
-
- /* copy data (with translation) */
- dupCCtoK5(context, credU->cred.pV5Cred, creds);
-
- /* free our version of the cred - okay to use cc_free_creds() here
- because we got it from the CCache library */
- cc_free_creds(gCntrlBlock, &credU);
-
- return 0;
+ if (err != CC_NOERROR)
+ return cc_err_xlate(err);
+
+ /* copy data (with translation) */
+ dupCCtoK5(context, credU->cred.pV5Cred, creds);
+
+ /* free our version of the cred - okay to use cc_free_creds() here
+ because we got it from the CCache library */
+ cc_free_creds(gCntrlBlock, &credU);
+
+ return 0;
}
@@ -1401,63 +1402,63 @@ krb5_error_code KRB5_CALLCONV krb5_stdcc_next_cred
* - try to find a matching credential in the cache
*/
#if 0
-krb5_error_code KRB5_CALLCONV krb5_stdcc_retrieve
- (krb5_context context,
- krb5_ccache id,
- krb5_flags whichfields,
- krb5_creds *mcreds,
- krb5_creds *creds )
+krb5_error_code KRB5_CALLCONV krb5_stdcc_retrieve
+(krb5_context context,
+ krb5_ccache id,
+ krb5_flags whichfields,
+ krb5_creds *mcreds,
+ krb5_creds *creds )
{
- krb5_error_code retval;
- krb5_cc_cursor curs = NULL;
- krb5_creds *fetchcreds;
-
- if ((retval = stdcc_setup(context, NULL)))
- return retval;
-
- fetchcreds = (krb5_creds *)malloc(sizeof(krb5_creds));
- if (fetchcreds == NULL) return KRB5_CC_NOMEM;
-
- /* we're going to use the iterators */
- krb5_stdcc_start_seq_get(context, id, &curs);
-
- while (!krb5_stdcc_next_cred(context, id, &curs, fetchcreds)) {
- /*
- * look at each credential for a match
- * use this match routine since it takes the
- * whichfields and the API doesn't
- */
- if (stdccCredsMatch(context, fetchcreds,
- mcreds, whichfields)) {
- /* we found it, copy and exit */
- *creds = *fetchcreds;
- krb5_stdcc_end_seq_get(context, id, &curs);
- return 0;
- }
- /* free copy allocated by next_cred */
- krb5_free_cred_contents(context, fetchcreds);
- }
-
- /* no luck, end get and exit */
- krb5_stdcc_end_seq_get(context, id, &curs);
-
- /* we're not using this anymore so we should get rid of it! */
- free(fetchcreds);
-
- return KRB5_CC_NOTFOUND;
+ krb5_error_code retval;
+ krb5_cc_cursor curs = NULL;
+ krb5_creds *fetchcreds;
+
+ if ((retval = stdcc_setup(context, NULL)))
+ return retval;
+
+ fetchcreds = (krb5_creds *)malloc(sizeof(krb5_creds));
+ if (fetchcreds == NULL) return KRB5_CC_NOMEM;
+
+ /* we're going to use the iterators */
+ krb5_stdcc_start_seq_get(context, id, &curs);
+
+ while (!krb5_stdcc_next_cred(context, id, &curs, fetchcreds)) {
+ /*
+ * look at each credential for a match
+ * use this match routine since it takes the
+ * whichfields and the API doesn't
+ */
+ if (stdccCredsMatch(context, fetchcreds,
+ mcreds, whichfields)) {
+ /* we found it, copy and exit */
+ *creds = *fetchcreds;
+ krb5_stdcc_end_seq_get(context, id, &curs);
+ return 0;
+ }
+ /* free copy allocated by next_cred */
+ krb5_free_cred_contents(context, fetchcreds);
+ }
+
+ /* no luck, end get and exit */
+ krb5_stdcc_end_seq_get(context, id, &curs);
+
+ /* we're not using this anymore so we should get rid of it! */
+ free(fetchcreds);
+
+ return KRB5_CC_NOTFOUND;
}
#else
krb5_error_code KRB5_CALLCONV
krb5_stdcc_retrieve(context, id, whichfields, mcreds, creds)
- krb5_context context;
- krb5_ccache id;
- krb5_flags whichfields;
- krb5_creds *mcreds;
- krb5_creds *creds;
+ krb5_context context;
+ krb5_ccache id;
+ krb5_flags whichfields;
+ krb5_creds *mcreds;
+ krb5_creds *creds;
{
return krb5_cc_retrieve_cred_default (context, id, whichfields,
- mcreds, creds);
+ mcreds, creds);
}
#endif
@@ -1467,73 +1468,73 @@ krb5_stdcc_retrieve(context, id, whichfields, mcreds, creds)
*
* just free up the storage assoicated with the cursor (if we could)
*/
-krb5_error_code KRB5_CALLCONV krb5_stdcc_end_seq_get
- (krb5_context context, krb5_ccache id, krb5_cc_cursor *cursor)
+krb5_error_code KRB5_CALLCONV krb5_stdcc_end_seq_get
+(krb5_context context, krb5_ccache id, krb5_cc_cursor *cursor)
{
- krb5_error_code retval;
- stdccCacheDataPtr ccapi_data = NULL;
- int err;
+ krb5_error_code retval;
+ stdccCacheDataPtr ccapi_data = NULL;
+ int err;
#ifndef CC_API_VER2
- cred_union *credU = NULL;
+ cred_union *credU = NULL;
#endif
- ccapi_data = id->data;
-
- if ((retval = stdcc_setup(context, ccapi_data)))
- return retval;
+ ccapi_data = id->data;
- if (*cursor == NULL)
- return 0;
+ if ((retval = stdcc_setup(context, ccapi_data)))
+ return retval;
+
+ if (*cursor == NULL)
+ return 0;
#ifdef CC_API_VER2
- err = cc_seq_fetch_creds_end(gCntrlBlock, (ccache_cit **)cursor);
- if (err != CC_NOERROR)
- return cc_err_xlate(err);
-#else
- /*
- * Finish calling cc_seq_fetch_creds to clear out the cursor
- */
- while (*cursor) {
- err = cc_seq_fetch_creds(gCntrlBlock, ccapi_data->NamedCache,
- &credU, (ccache_cit **)cursor);
- if (err)
- break;
-
- /* okay to call cc_free_creds() here because we got credU from CCache lib */
- cc_free_creds(gCntrlBlock, &credU);
- }
+ err = cc_seq_fetch_creds_end(gCntrlBlock, (ccache_cit **)cursor);
+ if (err != CC_NOERROR)
+ return cc_err_xlate(err);
+#else
+ /*
+ * Finish calling cc_seq_fetch_creds to clear out the cursor
+ */
+ while (*cursor) {
+ err = cc_seq_fetch_creds(gCntrlBlock, ccapi_data->NamedCache,
+ &credU, (ccache_cit **)cursor);
+ if (err)
+ break;
+
+ /* okay to call cc_free_creds() here because we got credU from CCache lib */
+ cc_free_creds(gCntrlBlock, &credU);
+ }
#endif
-
- return(0);
+
+ return(0);
}
-
+
/*
* close
*
* - free our pointers to the NC
*/
-krb5_error_code KRB5_CALLCONV
+krb5_error_code KRB5_CALLCONV
krb5_stdcc_close(krb5_context context, krb5_ccache id)
{
- krb5_error_code retval;
- stdccCacheDataPtr ccapi_data = id->data;
-
- if ((retval = stdcc_setup(context, NULL)))
- return retval;
-
- /* free it */
-
- if (ccapi_data) {
- if (ccapi_data->cache_name)
- free(ccapi_data->cache_name);
- if (ccapi_data->NamedCache)
- cc_close(gCntrlBlock, &ccapi_data->NamedCache);
- free(ccapi_data);
- id->data = NULL;
- }
- free(id);
-
- return 0;
+ krb5_error_code retval;
+ stdccCacheDataPtr ccapi_data = id->data;
+
+ if ((retval = stdcc_setup(context, NULL)))
+ return retval;
+
+ /* free it */
+
+ if (ccapi_data) {
+ if (ccapi_data->cache_name)
+ free(ccapi_data->cache_name);
+ if (ccapi_data->NamedCache)
+ cc_close(gCntrlBlock, &ccapi_data->NamedCache);
+ free(ccapi_data);
+ id->data = NULL;
+ }
+ free(id);
+
+ return 0;
}
/*
@@ -1544,35 +1545,35 @@ krb5_stdcc_close(krb5_context context, krb5_ccache id)
krb5_error_code KRB5_CALLCONV
krb5_stdcc_destroy (krb5_context context, krb5_ccache id)
{
- int err;
- krb5_error_code retval;
- stdccCacheDataPtr ccapi_data = id->data;
-
- if ((retval = stdcc_setup(context, ccapi_data))) {
- return retval;
- }
-
- /* free memory associated with the krb5_ccache */
- if (ccapi_data) {
- if (ccapi_data->cache_name)
- free(ccapi_data->cache_name);
- if (ccapi_data->NamedCache) {
- /* destroy the named cache */
- err = cc_destroy(gCntrlBlock, &ccapi_data->NamedCache);
- retval = cc_err_xlate(err);
- cache_changed();
- }
- free(ccapi_data);
- id->data = NULL;
- }
- free(id);
-
- /* If the cache does not exist when we tried to destroy it,
- that's fine. That means someone else destryoed it since
- we resolved it. */
- if (retval == KRB5_FCC_NOFILE)
- return 0;
- return retval;
+ int err;
+ krb5_error_code retval;
+ stdccCacheDataPtr ccapi_data = id->data;
+
+ if ((retval = stdcc_setup(context, ccapi_data))) {
+ return retval;
+ }
+
+ /* free memory associated with the krb5_ccache */
+ if (ccapi_data) {
+ if (ccapi_data->cache_name)
+ free(ccapi_data->cache_name);
+ if (ccapi_data->NamedCache) {
+ /* destroy the named cache */
+ err = cc_destroy(gCntrlBlock, &ccapi_data->NamedCache);
+ retval = cc_err_xlate(err);
+ cache_changed();
+ }
+ free(ccapi_data);
+ id->data = NULL;
+ }
+ free(id);
+
+ /* If the cache does not exist when we tried to destroy it,
+ that's fine. That means someone else destryoed it since
+ we resolved it. */
+ if (retval == KRB5_FCC_NOFILE)
+ return 0;
+ return retval;
}
/*
@@ -1580,15 +1581,15 @@ krb5_stdcc_destroy (krb5_context context, krb5_ccache id)
*
* - return the name of the named cache
*/
-const char * KRB5_CALLCONV krb5_stdcc_get_name
- (krb5_context context, krb5_ccache id )
+const char * KRB5_CALLCONV krb5_stdcc_get_name
+(krb5_context context, krb5_ccache id )
{
- stdccCacheDataPtr ccapi_data = id->data;
+ stdccCacheDataPtr ccapi_data = id->data;
- if (!ccapi_data)
- return 0;
+ if (!ccapi_data)
+ return 0;
- return (ccapi_data->cache_name);
+ return (ccapi_data->cache_name);
}
@@ -1597,29 +1598,29 @@ const char * KRB5_CALLCONV krb5_stdcc_get_name
* - return the principal associated with the named cache
*/
krb5_error_code KRB5_CALLCONV krb5_stdcc_get_principal
- (krb5_context context, krb5_ccache id , krb5_principal *princ)
+(krb5_context context, krb5_ccache id , krb5_principal *princ)
{
- int err;
- char *name = NULL;
- stdccCacheDataPtr ccapi_data = id->data;
- krb5_error_code retval;
-
- if ((retval = stdcc_setup(context, ccapi_data)))
- return retval;
-
- /* another wrapper */
- err = cc_get_principal(gCntrlBlock, ccapi_data->NamedCache,
- &name);
-
- if (err != CC_NOERROR)
- return cc_err_xlate(err);
-
- /* turn it into a krb principal */
- err = krb5_parse_name(context, name, princ);
-
- cc_free_principal(gCntrlBlock, &name);
-
- return err;
+ int err;
+ char *name = NULL;
+ stdccCacheDataPtr ccapi_data = id->data;
+ krb5_error_code retval;
+
+ if ((retval = stdcc_setup(context, ccapi_data)))
+ return retval;
+
+ /* another wrapper */
+ err = cc_get_principal(gCntrlBlock, ccapi_data->NamedCache,
+ &name);
+
+ if (err != CC_NOERROR)
+ return cc_err_xlate(err);
+
+ /* turn it into a krb principal */
+ err = krb5_parse_name(context, name, princ);
+
+ cc_free_principal(gCntrlBlock, &name);
+
+ return err;
}
/*
@@ -1627,16 +1628,16 @@ krb5_error_code KRB5_CALLCONV krb5_stdcc_get_principal
*
* - currently a NOP since we don't store any flags in the NC
*/
-krb5_error_code KRB5_CALLCONV krb5_stdcc_set_flags
- (krb5_context context, krb5_ccache id , krb5_flags flags)
+krb5_error_code KRB5_CALLCONV krb5_stdcc_set_flags
+(krb5_context context, krb5_ccache id , krb5_flags flags)
{
- stdccCacheDataPtr ccapi_data = id->data;
- krb5_error_code retval;
-
- if ((retval = stdcc_setup(context, ccapi_data)))
- return retval;
+ stdccCacheDataPtr ccapi_data = id->data;
+ krb5_error_code retval;
+
+ if ((retval = stdcc_setup(context, ccapi_data)))
+ return retval;
- return 0;
+ return 0;
}
/*
@@ -1644,16 +1645,16 @@ krb5_error_code KRB5_CALLCONV krb5_stdcc_set_flags
*
* - currently a NOP since we don't store any flags in the NC
*/
-krb5_error_code KRB5_CALLCONV krb5_stdcc_get_flags
- (krb5_context context, krb5_ccache id , krb5_flags *flags)
+krb5_error_code KRB5_CALLCONV krb5_stdcc_get_flags
+(krb5_context context, krb5_ccache id , krb5_flags *flags)
{
- stdccCacheDataPtr ccapi_data = id->data;
- krb5_error_code retval;
-
- if ((retval = stdcc_setup(context, ccapi_data)))
- return retval;
+ stdccCacheDataPtr ccapi_data = id->data;
+ krb5_error_code retval;
+
+ if ((retval = stdcc_setup(context, ccapi_data)))
+ return retval;
- return 0;
+ return 0;
}
/*
@@ -1661,39 +1662,38 @@ krb5_error_code KRB5_CALLCONV krb5_stdcc_get_flags
*
* - remove the specified credentials from the NC
*/
-krb5_error_code KRB5_CALLCONV krb5_stdcc_remove
- (krb5_context context, krb5_ccache id,
- krb5_flags flags, krb5_creds *creds)
+krb5_error_code KRB5_CALLCONV krb5_stdcc_remove
+(krb5_context context, krb5_ccache id,
+ krb5_flags flags, krb5_creds *creds)
{
- cred_union *cu = NULL;
- int err;
- stdccCacheDataPtr ccapi_data = id->data;
- krb5_error_code retval;
-
- if ((retval = stdcc_setup(context, ccapi_data))) {
- if (retval == KRB5_FCC_NOFILE)
- return 0;
- return retval;
- }
-
- /* convert to a cred union */
- dupK5toCC(context, creds, &cu);
-
- /* remove it */
- err = cc_remove_cred(gCntrlBlock, ccapi_data->NamedCache, *cu);
- if (err != CC_NOERROR)
- return cc_err_xlate(err);
-
- /* free the cred union using our local version of cc_free_creds()
- since we allocated it locally */
- err = krb5int_free_cc_cred_union(&cu);
- cache_changed();
- if (err != CC_NOERROR)
- return cc_err_xlate(err);
+ cred_union *cu = NULL;
+ int err;
+ stdccCacheDataPtr ccapi_data = id->data;
+ krb5_error_code retval;
+
+ if ((retval = stdcc_setup(context, ccapi_data))) {
+ if (retval == KRB5_FCC_NOFILE)
+ return 0;
+ return retval;
+ }
- return 0;
+ /* convert to a cred union */
+ dupK5toCC(context, creds, &cu);
+
+ /* remove it */
+ err = cc_remove_cred(gCntrlBlock, ccapi_data->NamedCache, *cu);
+ if (err != CC_NOERROR)
+ return cc_err_xlate(err);
+
+ /* free the cred union using our local version of cc_free_creds()
+ since we allocated it locally */
+ err = krb5int_free_cc_cred_union(&cu);
+ cache_changed();
+ if (err != CC_NOERROR)
+ return cc_err_xlate(err);
+
+ return 0;
}
#endif /* !USE_CCAPI_V3 */
#endif /* defined(_WIN32) || defined(USE_CCAPI) */
-
diff --git a/src/lib/krb5/ccache/ccapi/stdcc.h b/src/lib/krb5/ccache/ccapi/stdcc.h
index e9ec085eb3..6550efcb4f 100644
--- a/src/lib/krb5/ccache/ccapi/stdcc.h
+++ b/src/lib/krb5/ccache/ccapi/stdcc.h
@@ -1,9 +1,10 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
#ifndef __KRB5_STDCC_H__
#define __KRB5_STDCC_H__
#if defined(_WIN32) || defined(USE_CCAPI)
-#include "k5-int.h" /* loads krb5.h */
+#include "k5-int.h" /* loads krb5.h */
#ifdef USE_CCAPI_V3
#include <CredentialsCache.h>
@@ -24,11 +25,11 @@ extern krb5_cc_ops krb5_cc_stdcc_ops;
* structure to stash in the cache's data field
*/
typedef struct _stdccCacheData {
- char *cache_name;
+ char *cache_name;
#ifdef USE_CCAPI_V3
- cc_ccache_t NamedCache;
+ cc_ccache_t NamedCache;
#else
- ccache_p *NamedCache;
+ ccache_p *NamedCache;
#endif
} stdccCacheData, *stdccCacheDataPtr;
@@ -40,135 +41,135 @@ void krb5_stdcc_shutdown(void);
#ifdef USE_CCAPI_V3
krb5_error_code KRB5_CALLCONV krb5_stdccv3_close
- (krb5_context, krb5_ccache id );
+(krb5_context, krb5_ccache id );
-krb5_error_code KRB5_CALLCONV krb5_stdccv3_destroy
- (krb5_context, krb5_ccache id );
+krb5_error_code KRB5_CALLCONV krb5_stdccv3_destroy
+(krb5_context, krb5_ccache id );
-krb5_error_code KRB5_CALLCONV krb5_stdccv3_end_seq_get
- (krb5_context, krb5_ccache id , krb5_cc_cursor *cursor );
+krb5_error_code KRB5_CALLCONV krb5_stdccv3_end_seq_get
+(krb5_context, krb5_ccache id , krb5_cc_cursor *cursor );
-krb5_error_code KRB5_CALLCONV krb5_stdccv3_generate_new
- (krb5_context, krb5_ccache *id );
+krb5_error_code KRB5_CALLCONV krb5_stdccv3_generate_new
+(krb5_context, krb5_ccache *id );
-const char * KRB5_CALLCONV krb5_stdccv3_get_name
- (krb5_context, krb5_ccache id );
+const char * KRB5_CALLCONV krb5_stdccv3_get_name
+(krb5_context, krb5_ccache id );
-krb5_error_code KRB5_CALLCONV krb5_stdccv3_get_principal
- (krb5_context, krb5_ccache id , krb5_principal *princ );
+krb5_error_code KRB5_CALLCONV krb5_stdccv3_get_principal
+(krb5_context, krb5_ccache id , krb5_principal *princ );
-krb5_error_code KRB5_CALLCONV krb5_stdccv3_initialize
- (krb5_context, krb5_ccache id , krb5_principal princ );
+krb5_error_code KRB5_CALLCONV krb5_stdccv3_initialize
+(krb5_context, krb5_ccache id , krb5_principal princ );
-krb5_error_code KRB5_CALLCONV krb5_stdccv3_next_cred
- (krb5_context,
- krb5_ccache id ,
- krb5_cc_cursor *cursor ,
- krb5_creds *creds );
+krb5_error_code KRB5_CALLCONV krb5_stdccv3_next_cred
+(krb5_context,
+ krb5_ccache id ,
+ krb5_cc_cursor *cursor ,
+ krb5_creds *creds );
-krb5_error_code KRB5_CALLCONV krb5_stdccv3_resolve
- (krb5_context, krb5_ccache *id , const char *residual );
-
-krb5_error_code KRB5_CALLCONV krb5_stdccv3_retrieve
- (krb5_context,
- krb5_ccache id ,
- krb5_flags whichfields ,
- krb5_creds *mcreds ,
- krb5_creds *creds );
+krb5_error_code KRB5_CALLCONV krb5_stdccv3_resolve
+(krb5_context, krb5_ccache *id , const char *residual );
-krb5_error_code KRB5_CALLCONV krb5_stdccv3_start_seq_get
- (krb5_context, krb5_ccache id , krb5_cc_cursor *cursor );
+krb5_error_code KRB5_CALLCONV krb5_stdccv3_retrieve
+(krb5_context,
+ krb5_ccache id ,
+ krb5_flags whichfields ,
+ krb5_creds *mcreds ,
+ krb5_creds *creds );
-krb5_error_code KRB5_CALLCONV krb5_stdccv3_store
- (krb5_context, krb5_ccache id , krb5_creds *creds );
+krb5_error_code KRB5_CALLCONV krb5_stdccv3_start_seq_get
+(krb5_context, krb5_ccache id , krb5_cc_cursor *cursor );
-krb5_error_code KRB5_CALLCONV krb5_stdccv3_set_flags
- (krb5_context, krb5_ccache id , krb5_flags flags );
+krb5_error_code KRB5_CALLCONV krb5_stdccv3_store
+(krb5_context, krb5_ccache id , krb5_creds *creds );
-krb5_error_code KRB5_CALLCONV krb5_stdccv3_get_flags
- (krb5_context, krb5_ccache id , krb5_flags *flags );
+krb5_error_code KRB5_CALLCONV krb5_stdccv3_set_flags
+(krb5_context, krb5_ccache id , krb5_flags flags );
-krb5_error_code KRB5_CALLCONV krb5_stdccv3_remove
- (krb5_context, krb5_ccache id , krb5_flags flags, krb5_creds *creds);
+krb5_error_code KRB5_CALLCONV krb5_stdccv3_get_flags
+(krb5_context, krb5_ccache id , krb5_flags *flags );
+
+krb5_error_code KRB5_CALLCONV krb5_stdccv3_remove
+(krb5_context, krb5_ccache id , krb5_flags flags, krb5_creds *creds);
krb5_error_code KRB5_CALLCONV krb5_stdccv3_ptcursor_new
- (krb5_context context, krb5_cc_ptcursor *cursor);
+(krb5_context context, krb5_cc_ptcursor *cursor);
krb5_error_code KRB5_CALLCONV krb5_stdccv3_ptcursor_next
- (krb5_context context, krb5_cc_ptcursor cursor, krb5_ccache *ccache);
+(krb5_context context, krb5_cc_ptcursor cursor, krb5_ccache *ccache);
krb5_error_code KRB5_CALLCONV krb5_stdccv3_ptcursor_free
- (krb5_context context, krb5_cc_ptcursor *cursor);
+(krb5_context context, krb5_cc_ptcursor *cursor);
krb5_error_code KRB5_CALLCONV krb5_stdccv3_last_change_time
- (krb5_context context, krb5_ccache id,
- krb5_timestamp *change_time);
+(krb5_context context, krb5_ccache id,
+ krb5_timestamp *change_time);
-krb5_error_code KRB5_CALLCONV krb5_stdccv3_lock
- (krb5_context, krb5_ccache id);
+krb5_error_code KRB5_CALLCONV krb5_stdccv3_lock
+(krb5_context, krb5_ccache id);
krb5_error_code KRB5_CALLCONV krb5_stdccv3_unlock
- (krb5_context, krb5_ccache id);
+(krb5_context, krb5_ccache id);
krb5_error_code KRB5_CALLCONV krb5_stdccv3_context_lock
- (krb5_context context);
+(krb5_context context);
krb5_error_code KRB5_CALLCONV krb5_stdccv3_context_unlock
- (krb5_context context);
+(krb5_context context);
#else
krb5_error_code KRB5_CALLCONV krb5_stdcc_close
- (krb5_context, krb5_ccache id );
+(krb5_context, krb5_ccache id );
+
+krb5_error_code KRB5_CALLCONV krb5_stdcc_destroy
+(krb5_context, krb5_ccache id );
-krb5_error_code KRB5_CALLCONV krb5_stdcc_destroy
- (krb5_context, krb5_ccache id );
+krb5_error_code KRB5_CALLCONV krb5_stdcc_end_seq_get
+(krb5_context, krb5_ccache id , krb5_cc_cursor *cursor );
-krb5_error_code KRB5_CALLCONV krb5_stdcc_end_seq_get
- (krb5_context, krb5_ccache id , krb5_cc_cursor *cursor );
+krb5_error_code KRB5_CALLCONV krb5_stdcc_generate_new
+(krb5_context, krb5_ccache *id );
-krb5_error_code KRB5_CALLCONV krb5_stdcc_generate_new
- (krb5_context, krb5_ccache *id );
+const char * KRB5_CALLCONV krb5_stdcc_get_name
+(krb5_context, krb5_ccache id );
-const char * KRB5_CALLCONV krb5_stdcc_get_name
- (krb5_context, krb5_ccache id );
+krb5_error_code KRB5_CALLCONV krb5_stdcc_get_principal
+(krb5_context, krb5_ccache id , krb5_principal *princ );
-krb5_error_code KRB5_CALLCONV krb5_stdcc_get_principal
- (krb5_context, krb5_ccache id , krb5_principal *princ );
+krb5_error_code KRB5_CALLCONV krb5_stdcc_initialize
+(krb5_context, krb5_ccache id , krb5_principal princ );
-krb5_error_code KRB5_CALLCONV krb5_stdcc_initialize
- (krb5_context, krb5_ccache id , krb5_principal princ );
+krb5_error_code KRB5_CALLCONV krb5_stdcc_next_cred
+(krb5_context,
+ krb5_ccache id ,
+ krb5_cc_cursor *cursor ,
+ krb5_creds *creds );
-krb5_error_code KRB5_CALLCONV krb5_stdcc_next_cred
- (krb5_context,
- krb5_ccache id ,
- krb5_cc_cursor *cursor ,
- krb5_creds *creds );
+krb5_error_code KRB5_CALLCONV krb5_stdcc_resolve
+(krb5_context, krb5_ccache *id , const char *residual );
-krb5_error_code KRB5_CALLCONV krb5_stdcc_resolve
- (krb5_context, krb5_ccache *id , const char *residual );
-
-krb5_error_code KRB5_CALLCONV krb5_stdcc_retrieve
- (krb5_context,
- krb5_ccache id ,
- krb5_flags whichfields ,
- krb5_creds *mcreds ,
- krb5_creds *creds );
+krb5_error_code KRB5_CALLCONV krb5_stdcc_retrieve
+(krb5_context,
+ krb5_ccache id ,
+ krb5_flags whichfields ,
+ krb5_creds *mcreds ,
+ krb5_creds *creds );
-krb5_error_code KRB5_CALLCONV krb5_stdcc_start_seq_get
- (krb5_context, krb5_ccache id , krb5_cc_cursor *cursor );
+krb5_error_code KRB5_CALLCONV krb5_stdcc_start_seq_get
+(krb5_context, krb5_ccache id , krb5_cc_cursor *cursor );
-krb5_error_code KRB5_CALLCONV krb5_stdcc_store
- (krb5_context, krb5_ccache id , krb5_creds *creds );
+krb5_error_code KRB5_CALLCONV krb5_stdcc_store
+(krb5_context, krb5_ccache id , krb5_creds *creds );
-krb5_error_code KRB5_CALLCONV krb5_stdcc_set_flags
- (krb5_context, krb5_ccache id , krb5_flags flags );
+krb5_error_code KRB5_CALLCONV krb5_stdcc_set_flags
+(krb5_context, krb5_ccache id , krb5_flags flags );
-krb5_error_code KRB5_CALLCONV krb5_stdcc_get_flags
- (krb5_context, krb5_ccache id , krb5_flags *flags );
+krb5_error_code KRB5_CALLCONV krb5_stdcc_get_flags
+(krb5_context, krb5_ccache id , krb5_flags *flags );
-krb5_error_code KRB5_CALLCONV krb5_stdcc_remove
- (krb5_context, krb5_ccache id , krb5_flags flags, krb5_creds *creds);
+krb5_error_code KRB5_CALLCONV krb5_stdcc_remove
+(krb5_context, krb5_ccache id , krb5_flags flags, krb5_creds *creds);
#endif
#endif /* defined(_WIN32) || defined(USE_CCAPI) */
diff --git a/src/lib/krb5/ccache/ccapi/stdcc_util.c b/src/lib/krb5/ccache/ccapi/stdcc_util.c
index 114e79ed98..9f44af3d08 100644
--- a/src/lib/krb5/ccache/ccapi/stdcc_util.c
+++ b/src/lib/krb5/ccache/ccapi/stdcc_util.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* stdcc_util.c
* utility functions used in implementing the ccache api for krb5
@@ -17,7 +18,7 @@
#include "stdcc_util.h"
#include "krb5.h"
-#ifdef _WIN32 /* it's part of krb5.h everywhere else */
+#ifdef _WIN32 /* it's part of krb5.h everywhere else */
#include "kv5m_err.h"
#endif
@@ -26,30 +27,30 @@
#ifdef USE_CCAPI_V3
-static void
+static void
free_cc_array (cc_data **io_cc_array)
{
if (io_cc_array) {
unsigned int i;
-
+
for (i = 0; io_cc_array[i]; i++) {
if (io_cc_array[i]->data) { free (io_cc_array[i]->data); }
free (io_cc_array[i]);
}
free (io_cc_array);
- }
+ }
}
-static krb5_error_code
-copy_cc_array_to_addresses (krb5_context in_context,
- cc_data **in_cc_array,
+static krb5_error_code
+copy_cc_array_to_addresses (krb5_context in_context,
+ cc_data **in_cc_array,
krb5_address ***out_addresses)
{
krb5_error_code err = 0;
-
+
if (in_cc_array == NULL) {
*out_addresses = NULL;
-
+
} else {
unsigned int count, i;
krb5_address **addresses = NULL;
@@ -58,26 +59,26 @@ copy_cc_array_to_addresses (krb5_context in_context,
for (count = 0; in_cc_array[count]; count++);
addresses = (krb5_address **) malloc (sizeof (*addresses) * (count + 1));
if (!addresses) { err = KRB5_CC_NOMEM; }
-
- for (i = 0; !err && i < count; i++) {
+
+ for (i = 0; !err && i < count; i++) {
addresses[i] = (krb5_address *) malloc (sizeof (krb5_address));
if (!addresses[i]) { err = KRB5_CC_NOMEM; }
-
+
if (!err) {
- addresses[i]->contents = (krb5_octet *) malloc (sizeof (krb5_octet) *
- in_cc_array[i]->length);
+ addresses[i]->contents = (krb5_octet *) malloc (sizeof (krb5_octet) *
+ in_cc_array[i]->length);
if (!addresses[i]->contents) { err = KRB5_CC_NOMEM; }
}
-
+
if (!err) {
addresses[i]->magic = KV5M_ADDRESS;
addresses[i]->addrtype = in_cc_array[i]->type;
addresses[i]->length = in_cc_array[i]->length;
- memcpy (addresses[i]->contents,
+ memcpy (addresses[i]->contents,
in_cc_array[i]->data, in_cc_array[i]->length);
}
}
-
+
if (!err) {
addresses[i] = NULL; /* terminator */
*out_addresses = addresses;
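Review bot: The pointer array in copy_cc_array_to_addresses comes from `malloc`, so when the `contents` allocation fails for entry i the slots after i are uninitialised and no terminator has been written, yet the cleanup in the next hunk passes the array to krb5_free_addresses, which walks it up to a NULL terminator. Allocating the array zeroed closes that: `addresses = calloc(count + 1, sizeof(*addresses));`, which also checks the size multiplication. `in_cc_array[i]->length` comes from the cache entry, and a zero length can make `malloc` return NULL on some platforms and take exactly this error path. copy_cc_array_to_authdata in the next hunk repeats the pattern with krb5_free_authdata. The function body here starts and ends outside this hunk.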
@@ -86,70 +87,70 @@ copy_cc_array_to_addresses (krb5_context in_context,
if (addresses) { krb5_free_addresses (in_context, addresses); }
}
-
+
return err;
}
-static krb5_error_code
-copy_cc_array_to_authdata (krb5_context in_context,
- cc_data **in_cc_array,
+static krb5_error_code
+copy_cc_array_to_authdata (krb5_context in_context,
+ cc_data **in_cc_array,
krb5_authdata ***out_authdata)
{
krb5_error_code err = 0;
-
+
if (in_cc_array == NULL) {
*out_authdata = NULL;
-
+
} else {
unsigned int count, i;
krb5_authdata **authdata = NULL;
-
+
/* get length of array */
for (count = 0; in_cc_array[count]; count++);
authdata = (krb5_authdata **) malloc (sizeof (*authdata) * (count + 1));
if (!authdata) { err = KRB5_CC_NOMEM; }
-
- for (i = 0; !err && i < count; i++) {
+
+ for (i = 0; !err && i < count; i++) {
authdata[i] = (krb5_authdata *) malloc (sizeof (krb5_authdata));
if (!authdata[i]) { err = KRB5_CC_NOMEM; }
-
+
if (!err) {
- authdata[i]->contents = (krb5_octet *) malloc (sizeof (krb5_octet) *
- in_cc_array[i]->length);
+ authdata[i]->contents = (krb5_octet *) malloc (sizeof (krb5_octet) *
+ in_cc_array[i]->length);
if (!authdata[i]->contents) { err = KRB5_CC_NOMEM; }
}
-
+
if (!err) {
authdata[i]->magic = KV5M_AUTHDATA;
authdata[i]->ad_type = in_cc_array[i]->type;
authdata[i]->length = in_cc_array[i]->length;
- memcpy (authdata[i]->contents,
+ memcpy (authdata[i]->contents,
in_cc_array[i]->data, in_cc_array[i]->length);
}
}
-
+
if (!err) {
authdata[i] = NULL; /* terminator */
*out_authdata = authdata;
authdata = NULL;
}
-
+
if (authdata) { krb5_free_authdata (in_context, authdata); }
}
-
+
return err;
}
-static krb5_error_code
-copy_addresses_to_cc_array (krb5_context in_context,
- krb5_address **in_addresses,
+static krb5_error_code
+copy_addresses_to_cc_array (krb5_context in_context,
+ krb5_address **in_addresses,
cc_data ***out_cc_array)
{
krb5_error_code err = 0;
-
+
if (in_addresses == NULL) {
*out_cc_array = NULL;
-
+
} else {
unsigned int count, i;
cc_data **cc_array = NULL;
@@ -158,23 +159,23 @@ copy_addresses_to_cc_array (krb5_context in_context,
for (count = 0; in_addresses[count]; count++);
cc_array = (cc_data **) malloc (sizeof (*cc_array) * (count + 1));
if (!cc_array) { err = KRB5_CC_NOMEM; }
-
- for (i = 0; !err && i < count; i++) {
+
+ for (i = 0; !err && i < count; i++) {
cc_array[i] = (cc_data *) malloc (sizeof (cc_data));
if (!cc_array[i]) { err = KRB5_CC_NOMEM; }
-
+
if (!err) {
cc_array[i]->data = malloc (in_addresses[i]->length);
if (!cc_array[i]->data) { err = KRB5_CC_NOMEM; }
}
-
+
if (!err) {
cc_array[i]->type = in_addresses[i]->addrtype;
cc_array[i]->length = in_addresses[i]->length;
memcpy (cc_array[i]->data, in_addresses[i]->contents, in_addresses[i]->length);
}
}
-
+
if (!err) {
cc_array[i] = NULL; /* terminator */
*out_cc_array = cc_array;
@@ -183,18 +184,18 @@ copy_addresses_to_cc_array (krb5_context in_context,
if (cc_array) { free_cc_array (cc_array); }
}
-
-
+
+
return err;
}
-static krb5_error_code
-copy_authdata_to_cc_array (krb5_context in_context,
- krb5_authdata **in_authdata,
+static krb5_error_code
+copy_authdata_to_cc_array (krb5_context in_context,
+ krb5_authdata **in_authdata,
cc_data ***out_cc_array)
{
krb5_error_code err = 0;
-
+
if (in_authdata == NULL) {
*out_cc_array = NULL;
@@ -206,23 +207,23 @@ copy_authdata_to_cc_array (krb5_context in_context,
for (count = 0; in_authdata[count]; count++);
cc_array = (cc_data **) malloc (sizeof (*cc_array) * (count + 1));
if (!cc_array) { err = KRB5_CC_NOMEM; }
-
- for (i = 0; !err && i < count; i++) {
+
+ for (i = 0; !err && i < count; i++) {
cc_array[i] = (cc_data *) malloc (sizeof (cc_data));
if (!cc_array[i]) { err = KRB5_CC_NOMEM; }
-
+
if (!err) {
cc_array[i]->data = malloc (in_authdata[i]->length);
if (!cc_array[i]->data) { err = KRB5_CC_NOMEM; }
}
-
+
if (!err) {
cc_array[i]->type = in_authdata[i]->ad_type;
cc_array[i]->length = in_authdata[i]->length;
memcpy (cc_array[i]->data, in_authdata[i]->contents, in_authdata[i]->length);
}
}
-
+
if (!err) {
cc_array[i] = NULL; /* terminator */
*out_cc_array = cc_array;
@@ -231,8 +232,8 @@ copy_authdata_to_cc_array (krb5_context in_context,
if (cc_array) { free_cc_array (cc_array); }
}
-
-
+
+
return err;
}
@@ -242,9 +243,9 @@ copy_authdata_to_cc_array (krb5_context in_context,
* - allocate an empty k5 style ticket and copy info from the cc_creds ticket
*/
-krb5_error_code
-copy_cc_cred_union_to_krb5_creds (krb5_context in_context,
- const cc_credentials_union *in_cred_union,
+krb5_error_code
+copy_cc_cred_union_to_krb5_creds (krb5_context in_context,
+ const cc_credentials_union *in_cred_union,
krb5_creds *out_creds)
{
krb5_error_code err = 0;
@@ -257,59 +258,59 @@ copy_cc_cred_union_to_krb5_creds (krb5_context in_context,
unsigned char *keyblock_contents = NULL;
krb5_address **addresses = NULL;
krb5_authdata **authdata = NULL;
-
- if (in_cred_union->version != cc_credentials_v5) {
- err = KRB5_CC_NOT_KTYPE;
+
+ if (in_cred_union->version != cc_credentials_v5) {
+ err = KRB5_CC_NOT_KTYPE;
} else {
cv5 = in_cred_union->credentials.credentials_v5;
}
-
+
#if TARGET_OS_MAC
if (!err) {
err = krb5_get_time_offsets (in_context, &offset_seconds, &offset_microseconds);
}
#endif
-
+
if (!err) {
err = krb5_parse_name (in_context, cv5->client, &client);
}
-
+
if (!err) {
err = krb5_parse_name (in_context, cv5->server, &server);
}
-
+
if (!err && cv5->keyblock.data) {
keyblock_contents = (unsigned char *) malloc (cv5->keyblock.length);
if (!keyblock_contents) { err = KRB5_CC_NOMEM; }
}
-
+
if (!err && cv5->ticket.data) {
ticket_data = (char *) malloc (cv5->ticket.length);
if (!ticket_data) { err = KRB5_CC_NOMEM; }
}
-
+
if (!err && cv5->second_ticket.data) {
second_ticket_data = (char *) malloc (cv5->second_ticket.length);
if (!second_ticket_data) { err = KRB5_CC_NOMEM; }
}
-
+
if (!err) {
/* addresses */
err = copy_cc_array_to_addresses (in_context, cv5->addresses, &addresses);
}
-
+
if (!err) {
/* authdata */
err = copy_cc_array_to_authdata (in_context, cv5->authdata, &authdata);
}
-
+
if (!err) {
/* principals */
out_creds->client = client;
client = NULL;
out_creds->server = server;
server = NULL;
-
+
/* copy keyblock */
if (cv5->keyblock.data) {
memcpy (keyblock_contents, cv5->keyblock.data, cv5->keyblock.length);
@@ -334,7 +335,7 @@ copy_cc_cred_union_to_krb5_creds (krb5_context in_context,
out_creds->ticket.length = cv5->ticket.length;
out_creds->ticket.data = ticket_data;
ticket_data = NULL;
-
+
/* second ticket */
if (cv5->second_ticket.data) {
memcpy(second_ticket_data, cv5->second_ticket.data, cv5->second_ticket.length);
@@ -342,17 +343,17 @@ copy_cc_cred_union_to_krb5_creds (krb5_context in_context,
out_creds->second_ticket.length = cv5->second_ticket.length;
out_creds->second_ticket.data = second_ticket_data;
second_ticket_data = NULL;
-
+
out_creds->addresses = addresses;
addresses = NULL;
out_creds->authdata = authdata;
authdata = NULL;
-
+
/* zero out magic number */
out_creds->magic = 0;
}
-
+
if (addresses) { krb5_free_addresses (in_context, addresses); }
if (authdata) { krb5_free_authdata (in_context, authdata); }
if (keyblock_contents) { free (keyblock_contents); }
@@ -360,7 +361,7 @@ copy_cc_cred_union_to_krb5_creds (krb5_context in_context,
if (second_ticket_data) { free (second_ticket_data); }
if (client) { krb5_free_principal (in_context, client); }
if (server) { krb5_free_principal (in_context, server); }
-
+
return err;
}
@@ -369,8 +370,8 @@ copy_cc_cred_union_to_krb5_creds (krb5_context in_context,
* - analagous to above but in the reverse direction
*/
krb5_error_code
-copy_krb5_creds_to_cc_cred_union (krb5_context in_context,
- krb5_creds *in_creds,
+copy_krb5_creds_to_cc_cred_union (krb5_context in_context,
+ krb5_creds *in_creds,
cc_credentials_union **out_cred_union)
{
krb5_error_code err = 0;
@@ -384,56 +385,56 @@ copy_krb5_creds_to_cc_cred_union (krb5_context in_context,
krb5_int32 offset_seconds = 0, offset_microseconds = 0;
cc_data **cc_address_array = NULL;
cc_data **cc_authdata_array = NULL;
-
+
if (out_cred_union == NULL) { err = KRB5_CC_NOMEM; }
-
+
#if TARGET_OS_MAC
if (!err) {
err = krb5_get_time_offsets (in_context, &offset_seconds, &offset_microseconds);
}
#endif
-
+
if (!err) {
cred_union = (cc_credentials_union *) malloc (sizeof (*cred_union));
if (!cred_union) { err = KRB5_CC_NOMEM; }
}
-
+
if (!err) {
cv5 = (cc_credentials_v5_t *) malloc (sizeof (*cv5));
if (!cv5) { err = KRB5_CC_NOMEM; }
}
-
+
if (!err) {
err = krb5_unparse_name (in_context, in_creds->client, &client);
}
-
+
if (!err) {
err = krb5_unparse_name (in_context, in_creds->server, &server);
}
-
+
if (!err && in_creds->keyblock.contents) {
keyblock_data = (unsigned char *) malloc (in_creds->keyblock.length);
if (!keyblock_data) { err = KRB5_CC_NOMEM; }
}
-
+
if (!err && in_creds->ticket.data) {
ticket_data = (unsigned char *) malloc (in_creds->ticket.length);
if (!ticket_data) { err = KRB5_CC_NOMEM; }
}
-
+
if (!err && in_creds->second_ticket.data) {
second_ticket_data = (unsigned char *) malloc (in_creds->second_ticket.length);
if (!second_ticket_data) { err = KRB5_CC_NOMEM; }
}
-
+
if (!err) {
err = copy_addresses_to_cc_array (in_context, in_creds->addresses, &cc_address_array);
}
-
+
if (!err) {
err = copy_authdata_to_cc_array (in_context, in_creds->authdata, &cc_authdata_array);
}
-
+
if (!err) {
/* principals */
cv5->client = client;
@@ -449,7 +450,7 @@ copy_krb5_creds_to_cc_cred_union (krb5_context in_context,
cv5->keyblock.length = in_creds->keyblock.length;
cv5->keyblock.data = keyblock_data;
keyblock_data = NULL;
-
+
cv5->authtime = in_creds->times.authtime - offset_seconds;
cv5->starttime = in_creds->times.starttime - offset_seconds;
cv5->endtime = in_creds->times.endtime - offset_seconds;
@@ -463,29 +464,29 @@ copy_krb5_creds_to_cc_cred_union (krb5_context in_context,
cv5->ticket.length = in_creds->ticket.length;
cv5->ticket.data = ticket_data;
ticket_data = NULL;
-
+
if (in_creds->second_ticket.data) {
memcpy (second_ticket_data, in_creds->second_ticket.data, in_creds->second_ticket.length);
}
cv5->second_ticket.length = in_creds->second_ticket.length;
cv5->second_ticket.data = second_ticket_data;
second_ticket_data = NULL;
-
+
cv5->addresses = cc_address_array;
cc_address_array = NULL;
-
+
cv5->authdata = cc_authdata_array;
- cc_authdata_array = NULL;
-
+ cc_authdata_array = NULL;
+
/* Set up the structures to return to the caller */
cred_union->version = cc_credentials_v5;
cred_union->credentials.credentials_v5 = cv5;
cv5 = NULL;
-
+
*out_cred_union = cred_union;
cred_union = NULL;
}
-
+
if (cc_address_array) { free_cc_array (cc_address_array); }
if (cc_authdata_array) { free_cc_array (cc_authdata_array); }
if (keyblock_data) { free (keyblock_data); }
@@ -495,38 +496,38 @@ copy_krb5_creds_to_cc_cred_union (krb5_context in_context,
if (server) { krb5_free_unparsed_name (in_context, server); }
if (cv5) { free (cv5); }
if (cred_union) { free (cred_union); }
-
+
return err;
}
-krb5_error_code
-cred_union_release (cc_credentials_union *in_cred_union)
+krb5_error_code
+cred_union_release (cc_credentials_union *in_cred_union)
{
if (in_cred_union) {
if (in_cred_union->version == cc_credentials_v5 &&
in_cred_union->credentials.credentials_v5) {
cc_credentials_v5_t *cv5 = in_cred_union->credentials.credentials_v5;
-
+
/* should use krb5_free_unparsed_name but we have no context */
if (cv5->client) { free (cv5->client); }
if (cv5->server) { free (cv5->server); }
-
+
if (cv5->keyblock.data) { free (cv5->keyblock.data); }
if (cv5->ticket.data) { free (cv5->ticket.data); }
if (cv5->second_ticket.data) { free (cv5->second_ticket.data); }
-
+
free_cc_array (cv5->addresses);
free_cc_array (cv5->authdata);
-
+
free (cv5);
-
+
} else if (in_cred_union->version == cc_credentials_v4 &&
in_cred_union->credentials.credentials_v4) {
free (in_cred_union->credentials.credentials_v4);
}
free ((cc_credentials_union *) in_cred_union);
}
-
+
return 0;
}
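Review bot: cred_union_release frees `cv5->keyblock.data` without clearing it, so the session key bytes stay in freed heap memory until something overwrites them. Wiping `cv5->keyblock.length` bytes before the `free` would limit that exposure. A plain `memset` immediately before `free` can be optimized away, so use whichever zeroing helper the tree provides for key material. The deep_free_cc_data path reached from krb5int_free_cc_cred_union further down has the same gap for its keyblock.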
@@ -534,85 +535,85 @@ cred_union_release (cc_credentials_union *in_cred_union)
/*
* CopyCCDataArrayToK5
* - copy and translate the null terminated arrays of data records
- * used in k5 tickets
+ * used in k5 tickets
*/
int copyCCDataArrayToK5(cc_creds *ccCreds, krb5_creds *v5Creds, char whichArray) {
if (whichArray == kAddressArray) {
- if (ccCreds->addresses == NULL) {
- v5Creds->addresses = NULL;
- } else {
-
- krb5_address **addrPtr, *addr;
- cc_data **dataPtr, *data;
- unsigned int numRecords = 0;
-
- /* Allocate the array of pointers: */
- for (dataPtr = ccCreds->addresses; *dataPtr != NULL; numRecords++, dataPtr++) {}
-
- v5Creds->addresses = (krb5_address **) malloc (sizeof(krb5_address *) * (numRecords + 1));
- if (v5Creds->addresses == NULL)
- return ENOMEM;
-
- /* Fill in the array, allocating the address structures: */
- for (dataPtr = ccCreds->addresses, addrPtr = v5Creds->addresses; *dataPtr != NULL; addrPtr++, dataPtr++) {
-
- *addrPtr = (krb5_address *) malloc (sizeof(krb5_address));
- if (*addrPtr == NULL)
- return ENOMEM;
- data = *dataPtr;
- addr = *addrPtr;
-
- addr->addrtype = data->type;
- addr->magic = KV5M_ADDRESS;
- addr->length = data->length;
- addr->contents = (krb5_octet *) malloc (sizeof(krb5_octet) * addr->length);
- if (addr->contents == NULL)
- return ENOMEM;
- memmove(addr->contents, data->data, addr->length); /* copy contents */
- }
-
- /* Write terminator: */
- *addrPtr = NULL;
- }
+ if (ccCreds->addresses == NULL) {
+ v5Creds->addresses = NULL;
+ } else {
+
+ krb5_address **addrPtr, *addr;
+ cc_data **dataPtr, *data;
+ unsigned int numRecords = 0;
+
+ /* Allocate the array of pointers: */
+ for (dataPtr = ccCreds->addresses; *dataPtr != NULL; numRecords++, dataPtr++) {}
+
+ v5Creds->addresses = (krb5_address **) malloc (sizeof(krb5_address *) * (numRecords + 1));
+ if (v5Creds->addresses == NULL)
+ return ENOMEM;
+
+ /* Fill in the array, allocating the address structures: */
+ for (dataPtr = ccCreds->addresses, addrPtr = v5Creds->addresses; *dataPtr != NULL; addrPtr++, dataPtr++) {
+
+ *addrPtr = (krb5_address *) malloc (sizeof(krb5_address));
+ if (*addrPtr == NULL)
+ return ENOMEM;
+ data = *dataPtr;
+ addr = *addrPtr;
+
+ addr->addrtype = data->type;
+ addr->magic = KV5M_ADDRESS;
+ addr->length = data->length;
+ addr->contents = (krb5_octet *) malloc (sizeof(krb5_octet) * addr->length);
+ if (addr->contents == NULL)
+ return ENOMEM;
+ memmove(addr->contents, data->data, addr->length); /* copy contents */
+ }
+
+ /* Write terminator: */
+ *addrPtr = NULL;
+ }
}
if (whichArray == kAuthDataArray) {
- if (ccCreds->authdata == NULL) {
- v5Creds->authdata = NULL;
- } else {
- krb5_authdata **authPtr, *auth;
- cc_data **dataPtr, *data;
- unsigned int numRecords = 0;
-
- /* Allocate the array of pointers: */
- for (dataPtr = ccCreds->authdata; *dataPtr != NULL; numRecords++, dataPtr++) {}
-
- v5Creds->authdata = (krb5_authdata **) malloc (sizeof(krb5_authdata *) * (numRecords + 1));
- if (v5Creds->authdata == NULL)
- return ENOMEM;
-
- /* Fill in the array, allocating the address structures: */
- for (dataPtr = ccCreds->authdata, authPtr = v5Creds->authdata; *dataPtr != NULL; authPtr++, dataPtr++) {
-
- *authPtr = (krb5_authdata *) malloc (sizeof(krb5_authdata));
- if (*authPtr == NULL)
- return ENOMEM;
- data = *dataPtr;
- auth = *authPtr;
-
- auth->ad_type = data->type;
- auth->magic = KV5M_AUTHDATA;
- auth->length = data->length;
- auth->contents = (krb5_octet *) malloc (sizeof(krb5_octet) * auth->length);
- if (auth->contents == NULL)
- return ENOMEM;
- memmove(auth->contents, data->data, auth->length); /* copy contents */
- }
-
- /* Write terminator: */
- *authPtr = NULL;
- }
+ if (ccCreds->authdata == NULL) {
+ v5Creds->authdata = NULL;
+ } else {
+ krb5_authdata **authPtr, *auth;
+ cc_data **dataPtr, *data;
+ unsigned int numRecords = 0;
+
+ /* Allocate the array of pointers: */
+ for (dataPtr = ccCreds->authdata; *dataPtr != NULL; numRecords++, dataPtr++) {}
+
+ v5Creds->authdata = (krb5_authdata **) malloc (sizeof(krb5_authdata *) * (numRecords + 1));
+ if (v5Creds->authdata == NULL)
+ return ENOMEM;
+
+ /* Fill in the array, allocating the address structures: */
+ for (dataPtr = ccCreds->authdata, authPtr = v5Creds->authdata; *dataPtr != NULL; authPtr++, dataPtr++) {
+
+ *authPtr = (krb5_authdata *) malloc (sizeof(krb5_authdata));
+ if (*authPtr == NULL)
+ return ENOMEM;
+ data = *dataPtr;
+ auth = *authPtr;
+
+ auth->ad_type = data->type;
+ auth->magic = KV5M_AUTHDATA;
+ auth->length = data->length;
+ auth->contents = (krb5_octet *) malloc (sizeof(krb5_octet) * auth->length);
+ if (auth->contents == NULL)
+ return ENOMEM;
+ memmove(auth->contents, data->data, auth->length); /* copy contents */
+ }
+
+ /* Write terminator: */
+ *authPtr = NULL;
+ }
}
return 0;
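Review bot: Each `return ENOMEM` inside the fill loops of copyCCDataArrayToK5 leaves `v5Creds->addresses` (or `v5Creds->authdata`) pointing at a half-filled array with no NULL terminator, because the array comes from `malloc` and the terminator is written only after the loop. A caller that then frees the credential would presumably walk past the filled entries into uninitialized pointers, and nothing allocated so far is released here either. Allocating the array zeroed makes the partial result safe to free, e.g. `v5Creds->addresses = (krb5_address **) calloc (numRecords + 1, sizeof(krb5_address *));`, and likewise for the authdata branch. copyK5DataArrayToCC in the next hunk has the same early returns. The function's closing brace is outside the hunk.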
@@ -625,78 +626,78 @@ int copyCCDataArrayToK5(cc_creds *ccCreds, krb5_creds *v5Creds, char whichArray)
int copyK5DataArrayToCC(krb5_creds *v5Creds, cc_creds *ccCreds, char whichArray)
{
if (whichArray == kAddressArray) {
- if (v5Creds->addresses == NULL) {
- ccCreds->addresses = NULL;
- } else {
-
- krb5_address **addrPtr, *addr;
- cc_data **dataPtr, *data;
- unsigned int numRecords = 0;
-
- /* Allocate the array of pointers: */
- for (addrPtr = v5Creds->addresses; *addrPtr != NULL; numRecords++, addrPtr++) {}
-
- ccCreds->addresses = (cc_data **) malloc (sizeof(cc_data *) * (numRecords + 1));
- if (ccCreds->addresses == NULL)
- return ENOMEM;
-
- /* Fill in the array, allocating the address structures: */
- for (dataPtr = ccCreds->addresses, addrPtr = v5Creds->addresses; *addrPtr != NULL; addrPtr++, dataPtr++) {
-
- *dataPtr = (cc_data *) malloc (sizeof(cc_data));
- if (*dataPtr == NULL)
- return ENOMEM;
- data = *dataPtr;
- addr = *addrPtr;
-
- data->type = addr->addrtype;
- data->length = addr->length;
- data->data = malloc (sizeof(char) * data->length);
- if (data->data == NULL)
- return ENOMEM;
- memmove(data->data, addr->contents, data->length); /* copy contents */
- }
-
- /* Write terminator: */
- *dataPtr = NULL;
- }
+ if (v5Creds->addresses == NULL) {
+ ccCreds->addresses = NULL;
+ } else {
+
+ krb5_address **addrPtr, *addr;
+ cc_data **dataPtr, *data;
+ unsigned int numRecords = 0;
+
+ /* Allocate the array of pointers: */
+ for (addrPtr = v5Creds->addresses; *addrPtr != NULL; numRecords++, addrPtr++) {}
+
+ ccCreds->addresses = (cc_data **) malloc (sizeof(cc_data *) * (numRecords + 1));
+ if (ccCreds->addresses == NULL)
+ return ENOMEM;
+
+ /* Fill in the array, allocating the address structures: */
+ for (dataPtr = ccCreds->addresses, addrPtr = v5Creds->addresses; *addrPtr != NULL; addrPtr++, dataPtr++) {
+
+ *dataPtr = (cc_data *) malloc (sizeof(cc_data));
+ if (*dataPtr == NULL)
+ return ENOMEM;
+ data = *dataPtr;
+ addr = *addrPtr;
+
+ data->type = addr->addrtype;
+ data->length = addr->length;
+ data->data = malloc (sizeof(char) * data->length);
+ if (data->data == NULL)
+ return ENOMEM;
+ memmove(data->data, addr->contents, data->length); /* copy contents */
+ }
+
+ /* Write terminator: */
+ *dataPtr = NULL;
+ }
}
if (whichArray == kAuthDataArray) {
- if (v5Creds->authdata == NULL) {
- ccCreds->authdata = NULL;
- } else {
- krb5_authdata **authPtr, *auth;
- cc_data **dataPtr, *data;
- unsigned int numRecords = 0;
-
- /* Allocate the array of pointers: */
- for (authPtr = v5Creds->authdata; *authPtr != NULL; numRecords++, authPtr++) {}
-
- ccCreds->authdata = (cc_data **) malloc (sizeof(cc_data *) * (numRecords + 1));
- if (ccCreds->authdata == NULL)
- return ENOMEM;
-
- /* Fill in the array, allocating the address structures: */
- for (dataPtr = ccCreds->authdata, authPtr = v5Creds->authdata; *authPtr != NULL; authPtr++, dataPtr++) {
-
- *dataPtr = (cc_data *) malloc (sizeof(cc_data));
- if (*dataPtr == NULL)
- return ENOMEM;
- data = *dataPtr;
- auth = *authPtr;
-
- data->type = auth->ad_type;
- data->length = auth->length;
- data->data = malloc (sizeof(char) * data->length);
- if (data->data == NULL)
- return ENOMEM;
- memmove(data->data, auth->contents, data->length); /* copy contents */
- }
-
- /* Write terminator: */
- *dataPtr = NULL;
- }
+ if (v5Creds->authdata == NULL) {
+ ccCreds->authdata = NULL;
+ } else {
+ krb5_authdata **authPtr, *auth;
+ cc_data **dataPtr, *data;
+ unsigned int numRecords = 0;
+
+ /* Allocate the array of pointers: */
+ for (authPtr = v5Creds->authdata; *authPtr != NULL; numRecords++, authPtr++) {}
+
+ ccCreds->authdata = (cc_data **) malloc (sizeof(cc_data *) * (numRecords + 1));
+ if (ccCreds->authdata == NULL)
+ return ENOMEM;
+
+ /* Fill in the array, allocating the address structures: */
+ for (dataPtr = ccCreds->authdata, authPtr = v5Creds->authdata; *authPtr != NULL; authPtr++, dataPtr++) {
+
+ *dataPtr = (cc_data *) malloc (sizeof(cc_data));
+ if (*dataPtr == NULL)
+ return ENOMEM;
+ data = *dataPtr;
+ auth = *authPtr;
+
+ data->type = auth->ad_type;
+ data->length = auth->length;
+ data->data = malloc (sizeof(char) * data->length);
+ if (data->data == NULL)
+ return ENOMEM;
+ memmove(data->data, auth->contents, data->length); /* copy contents */
+ }
+
+ /* Write terminator: */
+ *dataPtr = NULL;
+ }
}
return 0;
@@ -774,7 +775,7 @@ void dupK5toCC(krb5_context context, krb5_creds *creds, cred_union **cu)
/* allocate the cred_union */
*cu = (cred_union *)malloc(sizeof(cred_union));
if ((*cu) == NULL)
- return;
+ return;
(*cu)->cred_type = CC_CRED_V5;
@@ -793,10 +794,10 @@ void dupK5toCC(krb5_context context, krb5_creds *creds, cred_union **cu)
c->keyblock.length = creds->keyblock.length;
if (creds->keyblock.contents != NULL) {
- c->keyblock.data = (unsigned char *)malloc(creds->keyblock.length);
- memcpy(c->keyblock.data, creds->keyblock.contents, creds->keyblock.length);
+ c->keyblock.data = (unsigned char *)malloc(creds->keyblock.length);
+ memcpy(c->keyblock.data, creds->keyblock.contents, creds->keyblock.length);
} else {
- c->keyblock.data = NULL;
+ c->keyblock.data = NULL;
}
#if TARGET_OS_MAC
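Review bot: The `malloc` result assigned to `c->keyblock.data` is passed straight to `memcpy` with no NULL check, so an allocation failure while copying the session key becomes a NULL-pointer write instead of a reported error. The ticket and second_ticket copies in the next hunk do the same. Each copy should test the pointer before the `memcpy`, starting from `if (c->keyblock.data == NULL)`, and on failure release what has been built and leave `*cu` NULL. dupK5toCC returns void and its error handling lies outside these hunks, so the exact failure path needs checking against the full function.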
@@ -815,18 +816,18 @@ void dupK5toCC(krb5_context context, krb5_creds *creds, cred_union **cu)
c->ticket.length = creds->ticket.length;
if (creds->ticket.data != NULL) {
- c->ticket.data = (unsigned char *)malloc(creds->ticket.length);
- memcpy(c->ticket.data, creds->ticket.data, creds->ticket.length);
+ c->ticket.data = (unsigned char *)malloc(creds->ticket.length);
+ memcpy(c->ticket.data, creds->ticket.data, creds->ticket.length);
} else {
- c->ticket.data = NULL;
+ c->ticket.data = NULL;
}
c->second_ticket.length = creds->second_ticket.length;
if (creds->second_ticket.data != NULL) {
- c->second_ticket.data = (unsigned char *)malloc(creds->second_ticket.length);
- memcpy(c->second_ticket.data, creds->second_ticket.data, creds->second_ticket.length);
+ c->second_ticket.data = (unsigned char *)malloc(creds->second_ticket.length);
+ memcpy(c->second_ticket.data, creds->second_ticket.data, creds->second_ticket.length);
} else {
- c->second_ticket.data = NULL;
+ c->second_ticket.data = NULL;
}
err = copyK5DataArrayToCC(creds, c, kAuthDataArray);
@@ -851,7 +852,7 @@ void dupK5toCC(krb5_context context, krb5_creds *creds, cred_union **cu)
static void deep_free_cc_data (cc_data data)
{
if (data.data != NULL)
- free (data.data);
+ free (data.data);
}
static void deep_free_cc_data_array (cc_data** data) {
@@ -859,11 +860,11 @@ static void deep_free_cc_data_array (cc_data** data) {
unsigned int i;
if (data == NULL)
- return;
+ return;
for (i = 0; data [i] != NULL; i++) {
- deep_free_cc_data (*(data [i]));
- free (data [i]);
+ deep_free_cc_data (*(data [i]));
+ free (data [i]);
}
free (data);
@@ -872,12 +873,12 @@ static void deep_free_cc_data_array (cc_data** data) {
static void deep_free_cc_v5_creds (cc_creds* creds)
{
if (creds == NULL)
- return;
+ return;
if (creds -> client != NULL)
- free (creds -> client);
+ free (creds -> client);
if (creds -> server != NULL)
- free (creds -> server);
+ free (creds -> server);
deep_free_cc_data (creds -> keyblock);
deep_free_cc_data (creds -> ticket);
@@ -892,10 +893,10 @@ static void deep_free_cc_v5_creds (cc_creds* creds)
static void deep_free_cc_creds (cred_union creds)
{
if (creds.cred_type == CC_CRED_V4) {
- /* we shouldn't get this, of course */
- free (creds.cred.pV4Cred);
+ /* we shouldn't get this, of course */
+ free (creds.cred.pV4Cred);
} else if (creds.cred_type == CC_CRED_V5) {
- deep_free_cc_v5_creds (creds.cred.pV5Cred);
+ deep_free_cc_v5_creds (creds.cred.pV5Cred);
}
}
@@ -903,12 +904,12 @@ static void deep_free_cc_creds (cred_union creds)
cc_int32 krb5int_free_cc_cred_union (cred_union** creds)
{
if (creds == NULL)
- return CC_BAD_PARM;
+ return CC_BAD_PARM;
if (*creds != NULL) {
- deep_free_cc_creds (**creds);
- free (*creds);
- *creds = NULL;
+ deep_free_cc_creds (**creds);
+ free (*creds);
+ *creds = NULL;
}
return CC_NOERROR;
@@ -921,15 +922,15 @@ cc_int32 krb5int_free_cc_cred_union (cred_union** creds)
static krb5_boolean
times_match(t1, t2)
register const krb5_ticket_times *t1;
-register const krb5_ticket_times *t2;
+ register const krb5_ticket_times *t2;
{
if (t1->renew_till) {
- if (t1->renew_till > t2->renew_till)
- return FALSE; /* this one expires too late */
+ if (t1->renew_till > t2->renew_till)
+ return FALSE; /* this one expires too late */
}
if (t1->endtime) {
- if (t1->endtime > t2->endtime)
- return FALSE; /* this one expires too late */
+ if (t1->endtime > t2->endtime)
+ return FALSE; /* this one expires too late */
}
/* only care about expiration on a times_match */
return TRUE;
@@ -940,18 +941,18 @@ times_match_exact (t1, t2)
register const krb5_ticket_times *t1, *t2;
{
return (t1->authtime == t2->authtime
- && t1->starttime == t2->starttime
- && t1->endtime == t2->endtime
- && t1->renew_till == t2->renew_till);
+ && t1->starttime == t2->starttime
+ && t1->endtime == t2->endtime
+ && t1->renew_till == t2->renew_till);
}
static krb5_boolean
standard_fields_match(context, mcreds, creds)
krb5_context context;
-register const krb5_creds *mcreds, *creds;
+ register const krb5_creds *mcreds, *creds;
{
return (krb5_principal_compare(context, mcreds->client,creds->client) &&
- krb5_principal_compare(context, mcreds->server,creds->server));
+ krb5_principal_compare(context, mcreds->server,creds->server));
}
/* only match the server name portion, not the server realm portion */
@@ -959,14 +960,14 @@ register const krb5_creds *mcreds, *creds;
static krb5_boolean
srvname_match(context, mcreds, creds)
krb5_context context;
-register const krb5_creds *mcreds, *creds;
+ register const krb5_creds *mcreds, *creds;
{
krb5_boolean retval;
krb5_principal_data p1, p2;
retval = krb5_principal_compare(context, mcreds->client,creds->client);
if (retval != TRUE)
- return retval;
+ return retval;
/*
* Hack to ignore the server realm for the purposes of the compare.
*/
@@ -984,22 +985,22 @@ authdata_match(mdata, data)
const krb5_authdata *mdatap, *datap;
if (mdata == data)
- return TRUE;
+ return TRUE;
if (mdata == NULL)
- return *data == NULL;
+ return *data == NULL;
if (data == NULL)
- return *mdata == NULL;
+ return *mdata == NULL;
while ((mdatap = *mdata)
- && (datap = *data)
- && mdatap->ad_type == datap->ad_type
- && mdatap->length == datap->length
- && !memcmp ((char *) mdatap->contents, (char *) datap->contents,
- datap->length)) {
- mdata++;
- data++;
+ && (datap = *data)
+ && mdatap->ad_type == datap->ad_type
+ && mdatap->length == datap->length
+ && !memcmp ((char *) mdatap->contents, (char *) datap->contents,
+ datap->length)) {
+ mdata++;
+ data++;
}
return !*mdata && !*data;
@@ -1010,17 +1011,17 @@ data_match(data1, data2)
register const krb5_data *data1, *data2;
{
if (!data1) {
- if (!data2)
- return TRUE;
- else
- return FALSE;
+ if (!data2)
+ return TRUE;
+ else
+ return FALSE;
}
if (!data2) return FALSE;
if (data1->length != data2->length)
- return FALSE;
+ return FALSE;
else
- return memcmp(data1->data, data2->data, data1->length) ? FALSE : TRUE;
+ return memcmp(data1->data, data2->data, data1->length) ? FALSE : TRUE;
}
#define MATCH_SET(bits) (whichfields & bits)
@@ -1029,41 +1030,41 @@ data_match(data1, data2)
/* stdccCredsMatch
* - check to see if the creds match based on the whichFields variable
* NOTE: if whichfields is zero we are now comparing 'standard fields.'
- * This is the bug that was killing fetch for a
- * week. The behaviour is what krb5 expects, however.
+ * This is the bug that was killing fetch for a
+ * week. The behaviour is what krb5 expects, however.
*/
int stdccCredsMatch(krb5_context context, krb5_creds *base,
- krb5_creds *match, int whichfields)
+ krb5_creds *match, int whichfields)
{
if (((MATCH_SET(KRB5_TC_MATCH_SRV_NAMEONLY) &&
- srvname_match(context, match, base)) ||
- standard_fields_match(context, match, base))
+ srvname_match(context, match, base)) ||
+ standard_fields_match(context, match, base))
+ &&
+ (! MATCH_SET(KRB5_TC_MATCH_IS_SKEY) ||
+ match->is_skey == base->is_skey)
+ &&
+ (! MATCH_SET(KRB5_TC_MATCH_FLAGS_EXACT) ||
+ match->ticket_flags == base->ticket_flags)
+ &&
+ (! MATCH_SET(KRB5_TC_MATCH_FLAGS) ||
+ flags_match(match->ticket_flags, base->ticket_flags))
+ &&
+ (! MATCH_SET(KRB5_TC_MATCH_TIMES_EXACT) ||
+ times_match_exact(&match->times, &base->times))
+ &&
+ (! MATCH_SET(KRB5_TC_MATCH_TIMES) ||
+ times_match(&match->times, &base->times))
+ &&
+ (! MATCH_SET(KRB5_TC_MATCH_AUTHDATA) ||
+ authdata_match (match->authdata, base->authdata))
+ &&
+ (! MATCH_SET(KRB5_TC_MATCH_2ND_TKT) ||
+ data_match (&match->second_ticket, &base->second_ticket))
&&
- (! MATCH_SET(KRB5_TC_MATCH_IS_SKEY) ||
- match->is_skey == base->is_skey)
- &&
- (! MATCH_SET(KRB5_TC_MATCH_FLAGS_EXACT) ||
- match->ticket_flags == base->ticket_flags)
- &&
- (! MATCH_SET(KRB5_TC_MATCH_FLAGS) ||
- flags_match(match->ticket_flags, base->ticket_flags))
- &&
- (! MATCH_SET(KRB5_TC_MATCH_TIMES_EXACT) ||
- times_match_exact(&match->times, &base->times))
- &&
- (! MATCH_SET(KRB5_TC_MATCH_TIMES) ||
- times_match(&match->times, &base->times))
- &&
- (! MATCH_SET(KRB5_TC_MATCH_AUTHDATA) ||
- authdata_match (match->authdata, base->authdata))
- &&
- (! MATCH_SET(KRB5_TC_MATCH_2ND_TKT) ||
- data_match (&match->second_ticket, &base->second_ticket))
- &&
- ((! MATCH_SET(KRB5_TC_MATCH_KTYPE))||
- (match->keyblock.enctype == base->keyblock.enctype))
- )
- return TRUE;
+ ((! MATCH_SET(KRB5_TC_MATCH_KTYPE))||
+ (match->keyblock.enctype == base->keyblock.enctype))
+ )
+ return TRUE;
return FALSE;
}
diff --git a/src/lib/krb5/ccache/ccapi/stdcc_util.h b/src/lib/krb5/ccache/ccapi/stdcc_util.h
index 2b724eb788..2e5eecc2ba 100644
--- a/src/lib/krb5/ccache/ccapi/stdcc_util.h
+++ b/src/lib/krb5/ccache/ccapi/stdcc_util.h
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/* stdcc_util.h
*
* Frank Dabek, July 1998
@@ -21,16 +22,16 @@
/* protoypes for private functions declared in stdcc_util.c */
#ifdef USE_CCAPI_V3
-krb5_error_code
-copy_cc_cred_union_to_krb5_creds (krb5_context in_context,
- const cc_credentials_union *in_cred_union,
+krb5_error_code
+copy_cc_cred_union_to_krb5_creds (krb5_context in_context,
+ const cc_credentials_union *in_cred_union,
krb5_creds *out_creds);
krb5_error_code
-copy_krb5_creds_to_cc_cred_union (krb5_context in_context,
- krb5_creds *in_creds,
+copy_krb5_creds_to_cc_cred_union (krb5_context in_context,
+ krb5_creds *in_creds,
cc_credentials_union **out_cred_union);
-krb5_error_code
+krb5_error_code
cred_union_release (cc_credentials_union *in_cred_union);
#else
int copyCCDataArrayToK5(cc_creds *cc, krb5_creds *kc, char whichArray);
@@ -42,7 +43,7 @@ cc_int32 krb5int_free_cc_cred_union (cred_union** creds);
int stdccCredsMatch(krb5_context context, krb5_creds *base, krb5_creds *match, int whichfields);
int bitTst(int var, int mask);
-#define kAddressArray 4
+#define kAddressArray 4
#define kAuthDataArray 5
#endif /* defined(_WIN32) || defined(USE_CCAPI) */
diff --git a/src/lib/krb5/ccache/ccapi/winccld.c b/src/lib/krb5/ccache/ccapi/winccld.c
index 22646e1ee1..8b2e90c42f 100644
--- a/src/lib/krb5/ccache/ccapi/winccld.c
+++ b/src/lib/krb5/ccache/ccapi/winccld.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
#if defined(_WIN32)
/*
* winccld.c --- routine for dynamically loading the ccache DLL if
@@ -23,9 +24,9 @@ extern int krb5_is_ccdll_loaded();
/*
* return codes
*/
-#define LF_OK 0
-#define LF_NODLL 1
-#define LF_NOFUNC 2
+#define LF_OK 0
+#define LF_NODLL 1
+#define LF_NOFUNC 2
#ifdef _WIN64
#define KRBCC_DLL "krbcc64.dll"
@@ -34,10 +35,10 @@ extern int krb5_is_ccdll_loaded();
#endif
static int LoadFuncs(const char* dll_name, FUNC_INFO fi[],
- HINSTANCE* ph, int debug);
+ HINSTANCE* ph, int debug);
static int LoadFuncs(const char* dll_name, FUNC_INFO fi[],
- HINSTANCE* ph, int debug)
+ HINSTANCE* ph, int debug)
{
HINSTANCE h;
int i, n;
@@ -46,55 +47,55 @@ static int LoadFuncs(const char* dll_name, FUNC_INFO fi[],
if (ph) *ph = 0;
for (n = 0; fi[n].func_ptr_var; n++) {
- *(fi[n].func_ptr_var) = 0;
+ *(fi[n].func_ptr_var) = 0;
}
if (!(h = LoadLibrary(dll_name))) {
- /* Get error for source debugging purposes. */
- error = (int)GetLastError();
- return LF_NODLL;
+ /* Get error for source debugging purposes. */
+ error = (int)GetLastError();
+ return LF_NODLL;
}
if (debug)
- printf("Loaded %s\n", dll_name);
+ printf("Loaded %s\n", dll_name);
for (i = 0; !error && (i < n); i++) {
- void* p = (void*)GetProcAddress(h, fi[i].func_name);
- if (!p) {
- if (debug)
- printf("Could not get function: %s\n", fi[i].func_name);
- error = 1;
- } else {
- *(fi[i].func_ptr_var) = p;
- if (debug)
- printf("Loaded function %s at 0x%08X\n", fi[i].func_name, p);
- }
+ void* p = (void*)GetProcAddress(h, fi[i].func_name);
+ if (!p) {
+ if (debug)
+ printf("Could not get function: %s\n", fi[i].func_name);
+ error = 1;
+ } else {
+ *(fi[i].func_ptr_var) = p;
+ if (debug)
+ printf("Loaded function %s at 0x%08X\n", fi[i].func_name, p);
+ }
}
if (error) {
- for (i = 0; i < n; i++) {
- *(fi[i].func_ptr_var) = 0;
- }
- FreeLibrary(h);
- return LF_NOFUNC;
+ for (i = 0; i < n; i++) {
+ *(fi[i].func_ptr_var) = 0;
+ }
+ FreeLibrary(h);
+ return LF_NOFUNC;
}
if (ph) *ph = h;
return LF_OK;
}
void krb5_win_ccdll_load(context)
- krb5_context context;
+ krb5_context context;
{
- krb5_cc_register(context, &krb5_fcc_ops, 0);
- if (krb5_win_ccdll_loaded)
- return;
- if (LoadFuncs(KRBCC_DLL, krbcc_fi, 0, 0))
- return; /* Error, give up */
- krb5_win_ccdll_loaded = 1;
- krb5_cc_dfl_ops = &krb5_cc_stdcc_ops; /* Use stdcc! */
+ krb5_cc_register(context, &krb5_fcc_ops, 0);
+ if (krb5_win_ccdll_loaded)
+ return;
+ if (LoadFuncs(KRBCC_DLL, krbcc_fi, 0, 0))
+ return; /* Error, give up */
+ krb5_win_ccdll_loaded = 1;
+ krb5_cc_dfl_ops = &krb5_cc_stdcc_ops; /* Use stdcc! */
}
int krb5_is_ccdll_loaded()
{
- return krb5_win_ccdll_loaded;
+ return krb5_win_ccdll_loaded;
}
-#endif /* Windows */
+#endif /* Windows */
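Review bot: `LoadLibrary(dll_name)` in LoadFuncs is given a bare file name (`KRBCC_DLL` is `"krbcc64.dll"` under `_WIN64`), so the module that supplies the credential-cache function table is resolved through the default DLL search order rather than from a fixed location. This commit only reindents the call, so a follow-up could load it by fully qualified path or restrict the search, e.g. `h = LoadLibraryEx(dll_name, NULL, LOAD_LIBRARY_SEARCH_SYSTEM32);` if the DLL is installed in the system directory (not determinable from this hunk). The `LoadLibrary(LEASH_DLL)` call in ccdefault.c has the same shape. Separately, `printf("Loaded function %s at 0x%08X\n", fi[i].func_name, p)` passes a pointer for `%X`; `%p` is the matching conversion. LoadFuncs begins outside this hunk.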
diff --git a/src/lib/krb5/ccache/ccapi/winccld.h b/src/lib/krb5/ccache/ccapi/winccld.h
index 245ae245e2..85017abbd0 100644
--- a/src/lib/krb5/ccache/ccapi/winccld.h
+++ b/src/lib/krb5/ccache/ccapi/winccld.h
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* winccld.h -- the dynamic loaded version of the ccache DLL
*/
@@ -19,19 +20,19 @@
#ifdef USE_CCAPI_V3
typedef CCACHE_API cc_int32 (*FP_cc_initialize) (
- cc_context_t* outContext,
- cc_int32 inVersion,
- cc_int32* outSupportedVersion,
- char const** outVendor);
+ cc_context_t* outContext,
+ cc_int32 inVersion,
+ cc_int32* outSupportedVersion,
+ char const** outVendor);
#else
-typedef cc_int32 (*FP_cc_initialize)(apiCB**, const cc_int32,
- cc_int32*, const char**);
-typedef cc_int32 (*FP_cc_shutdown)(apiCB**);
-typedef cc_int32 (*FP_cc_get_change_time)(apiCB*, cc_time_t*);
+typedef cc_int32 (*FP_cc_initialize)(apiCB**, const cc_int32,
+ cc_int32*, const char**);
+typedef cc_int32 (*FP_cc_shutdown)(apiCB**);
+typedef cc_int32 (*FP_cc_get_change_time)(apiCB*, cc_time_t*);
typedef cc_int32 (*FP_cc_create)(apiCB*, const char*, const char*,
- const enum cc_cred_vers, const cc_int32, ccache_p**);
+ const enum cc_cred_vers, const cc_int32, ccache_p**);
typedef cc_int32 (*FP_cc_open)(apiCB*, const char*, const enum cc_cred_vers,
- const cc_int32, ccache_p**);
+ const cc_int32, ccache_p**);
typedef cc_int32 (*FP_cc_close)(apiCB*, ccache_p**);
typedef cc_int32 (*FP_cc_destroy)(apiCB*, ccache_p**);
typedef cc_int32 (*FP_cc_seq_fetch_NCs)(apiCB*, ccache_p**, ccache_cit**);
@@ -42,21 +43,21 @@ typedef cc_int32 (*FP_cc_get_NC_info)(apiCB*, struct _infoNC***);
typedef cc_int32 (*FP_cc_free_NC_info)(apiCB*, struct _infoNC***);
typedef cc_int32 (*FP_cc_get_name)(apiCB*, const ccache_p*, char**);
typedef cc_int32 (*FP_cc_set_principal)(apiCB*, const ccache_p*,
- const enum cc_cred_vers, const char*);
+ const enum cc_cred_vers, const char*);
typedef cc_int32 (*FP_cc_get_principal)(apiCB*, ccache_p*, char**);
typedef cc_int32 (*FP_cc_get_cred_version)(apiCB*, const ccache_p*,
- enum cc_cred_vers*);
+ enum cc_cred_vers*);
typedef cc_int32 (*FP_cc_lock_request)(apiCB*, const ccache_p*,
- const cc_int32);
+ const cc_int32);
typedef cc_int32 (*FP_cc_store)(apiCB*, const ccache_p*, const cred_union);
typedef cc_int32 (*FP_cc_remove_cred)(apiCB*, const ccache_p*,
- const cred_union);
-typedef cc_int32 (*FP_cc_seq_fetch_creds)(apiCB*, const ccache_p*,
- cred_union**, ccache_cit**);
-typedef cc_int32 (*FP_cc_seq_fetch_creds_begin)(apiCB*, const ccache_p*,
- ccache_cit**);
-typedef cc_int32 (*FP_cc_seq_fetch_creds_next)(apiCB*, cred_union**,
- ccache_cit*);
+ const cred_union);
+typedef cc_int32 (*FP_cc_seq_fetch_creds)(apiCB*, const ccache_p*,
+ cred_union**, ccache_cit**);
+typedef cc_int32 (*FP_cc_seq_fetch_creds_begin)(apiCB*, const ccache_p*,
+ ccache_cit**);
+typedef cc_int32 (*FP_cc_seq_fetch_creds_next)(apiCB*, cred_union**,
+ ccache_cit*);
typedef cc_int32 (*FP_cc_seq_fetch_creds_end)(apiCB*, ccache_cit**);
typedef cc_int32 (*FP_cc_free_principal)(apiCB*, char**);
typedef cc_int32 (*FP_cc_free_name)(apiCB*, char** name);
diff --git a/src/lib/krb5/ccache/ccbase.c b/src/lib/krb5/ccache/ccbase.c
index f54486f7df..fb3d7ec9d7 100644
--- a/src/lib/krb5/ccache/ccbase.c
+++ b/src/lib/krb5/ccache/ccbase.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/ccache/ccbase.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* Registration functions for ccache.
*/
@@ -96,22 +97,22 @@ krb5int_cc_initialize(void)
err = k5_cc_mutex_finish_init(&cccol_lock);
if (err)
- return err;
+ return err;
err = k5_cc_mutex_finish_init(&krb5int_mcc_mutex);
if (err)
- return err;
+ return err;
err = k5_mutex_finish_init(&cc_typelist_lock);
if (err)
- return err;
+ return err;
#ifndef NO_FILE_CCACHE
err = k5_cc_mutex_finish_init(&krb5int_cc_file_mutex);
if (err)
- return err;
+ return err;
#endif
#ifdef USE_KEYRING_CCACHE
err = k5_cc_mutex_finish_init(&krb5int_krcc_mutex);
if (err)
- return err;
+ return err;
#endif
return 0;
}
@@ -131,8 +132,8 @@ krb5int_cc_finalize(void)
k5_cc_mutex_destroy(&krb5int_krcc_mutex);
#endif
for (t = cc_typehead; t != INITIAL_TYPEHEAD; t = t_next) {
- t_next = t->next;
- free(t);
+ t_next = t->next;
+ free(t);
}
}
@@ -143,30 +144,30 @@ krb5int_cc_finalize(void)
*/
krb5_error_code KRB5_CALLCONV
-krb5_cc_register(krb5_context context, const krb5_cc_ops *ops,
- krb5_boolean override)
+krb5_cc_register(krb5_context context, const krb5_cc_ops *ops,
+ krb5_boolean override)
{
struct krb5_cc_typelist *t;
krb5_error_code err;
err = k5_mutex_lock(&cc_typelist_lock);
if (err)
- return err;
+ return err;
for (t = cc_typehead;t && strcmp(t->ops->prefix,ops->prefix);t = t->next)
- ;
+ ;
if (t) {
- if (override) {
- t->ops = ops;
- k5_mutex_unlock(&cc_typelist_lock);
- return 0;
- } else {
- k5_mutex_unlock(&cc_typelist_lock);
- return KRB5_CC_TYPE_EXISTS;
- }
+ if (override) {
+ t->ops = ops;
+ k5_mutex_unlock(&cc_typelist_lock);
+ return 0;
+ } else {
+ k5_mutex_unlock(&cc_typelist_lock);
+ return KRB5_CC_TYPE_EXISTS;
+ }
}
if (!(t = (struct krb5_cc_typelist *) malloc(sizeof(*t)))) {
- k5_mutex_unlock(&cc_typelist_lock);
- return ENOMEM;
+ k5_mutex_unlock(&cc_typelist_lock);
+ return ENOMEM;
}
t->next = cc_typehead;
t->ops = ops;
@@ -196,14 +197,14 @@ krb5_cc_resolve (krb5_context context, const char *name, krb5_ccache *cache)
const krb5_cc_ops *ops;
if (name == NULL)
- return KRB5_CC_BADNAME;
+ return KRB5_CC_BADNAME;
pfx = NULL;
cp = strchr (name, ':');
if (!cp) {
- if (krb5_cc_dfl_ops)
- return (*krb5_cc_dfl_ops->resolve)(context, cache, name);
- else
- return KRB5_CC_BADNAME;
+ if (krb5_cc_dfl_ops)
+ return (*krb5_cc_dfl_ops->resolve)(context, cache, name);
+ else
+ return KRB5_CC_BADNAME;
}
pfxlen = cp - name;
@@ -230,9 +231,9 @@ krb5_cc_resolve (krb5_context context, const char *name, krb5_ccache *cache)
err = krb5int_cc_getops(context, pfx, &ops);
if (pfx != NULL)
- free(pfx);
+ free(pfx);
if (err)
- return err;
+ return err;
return ops->resolve(context, cache, resid);
}
@@ -254,19 +255,19 @@ krb5int_cc_getops(
err = k5_mutex_lock(&cc_typelist_lock);
if (err)
- return err;
+ return err;
for (tlist = cc_typehead; tlist; tlist = tlist->next) {
- if (strcmp (tlist->ops->prefix, pfx) == 0) {
- *ops = tlist->ops;
- k5_mutex_unlock(&cc_typelist_lock);
- return 0;
- }
+ if (strcmp (tlist->ops->prefix, pfx) == 0) {
+ *ops = tlist->ops;
+ k5_mutex_unlock(&cc_typelist_lock);
+ return 0;
+ }
}
k5_mutex_unlock(&cc_typelist_lock);
if (krb5_cc_dfl_ops && !strcmp (pfx, krb5_cc_dfl_ops->prefix)) {
- *ops = krb5_cc_dfl_ops;
- return 0;
+ *ops = krb5_cc_dfl_ops;
+ return 0;
}
return KRB5_CC_UNKNOWN_TYPE;
}
@@ -291,7 +292,7 @@ krb5_cc_new_unique(
err = krb5int_cc_getops(context, type, &ops);
if (err)
- return err;
+ return err;
return ops->gen_new(context, id);
}
@@ -312,20 +313,20 @@ krb5int_cc_typecursor_new(krb5_context context, krb5_cc_typecursor *t)
*t = NULL;
n = malloc(sizeof(*n));
if (n == NULL)
- return ENOMEM;
+ return ENOMEM;
err = k5_mutex_lock(&cc_typelist_lock);
if (err)
- goto errout;
+ goto errout;
n->tptr = cc_typehead;
err = k5_mutex_unlock(&cc_typelist_lock);
if (err)
- goto errout;
+ goto errout;
*t = n;
errout:
if (err)
- free(n);
+ free(n);
return err;
}
@@ -339,16 +340,16 @@ krb5int_cc_typecursor_next(
*ops = NULL;
if (t->tptr == NULL)
- return 0;
+ return 0;
err = k5_mutex_lock(&cc_typelist_lock);
if (err)
- goto errout;
+ goto errout;
*ops = t->tptr->ops;
t->tptr = t->tptr->next;
err = k5_mutex_unlock(&cc_typelist_lock);
if (err)
- goto errout;
+ goto errout;
errout:
return err;
@@ -367,40 +368,40 @@ krb5_cc_move (krb5_context context, krb5_ccache src, krb5_ccache dst)
{
krb5_error_code ret = 0;
krb5_principal princ = NULL;
-
+
ret = krb5_cccol_lock(context);
if (ret) {
- return ret;
+ return ret;
}
-
+
ret = krb5_cc_lock(context, src);
if (ret) {
- krb5_cccol_unlock(context);
- return ret;
+ krb5_cccol_unlock(context);
+ return ret;
}
-
+
ret = krb5_cc_get_principal(context, src, &princ);
if (!ret) {
- ret = krb5_cc_initialize(context, dst, princ);
+ ret = krb5_cc_initialize(context, dst, princ);
}
if (!ret) {
- ret = krb5_cc_lock(context, dst);
+ ret = krb5_cc_lock(context, dst);
}
if (!ret) {
- ret = krb5_cc_copy_creds(context, src, dst);
- krb5_cc_unlock(context, dst);
+ ret = krb5_cc_copy_creds(context, src, dst);
+ krb5_cc_unlock(context, dst);
}
-
+
krb5_cc_unlock(context, src);
if (!ret) {
- ret = krb5_cc_destroy(context, src);
+ ret = krb5_cc_destroy(context, src);
}
krb5_cccol_unlock(context);
if (princ) {
- krb5_free_principal(context, princ);
- princ = NULL;
- }
-
+ krb5_free_principal(context, princ);
+ princ = NULL;
+ }
+
return ret;
}
@@ -408,12 +409,12 @@ krb5_error_code
k5_cc_mutex_init(k5_cc_mutex *m)
{
krb5_error_code ret = 0;
-
+
ret = k5_mutex_init(&m->lock);
if (ret) return ret;
m->owner = NULL;
m->refcount = 0;
-
+
return ret;
}
@@ -421,12 +422,12 @@ krb5_error_code
k5_cc_mutex_finish_init(k5_cc_mutex *m)
{
krb5_error_code ret = 0;
-
+
ret = k5_mutex_finish_init(&m->lock);
if (ret) return ret;
m->owner = NULL;
m->refcount = 0;
-
+
return ret;
}
@@ -447,42 +448,42 @@ k5_cc_mutex_assert_unlocked(krb5_context context, k5_cc_mutex *m)
assert(m->refcount == 0);
assert(m->owner == NULL);
#endif
- k5_assert_unlocked(&m->lock);
+ k5_assert_unlocked(&m->lock);
}
krb5_error_code
k5_cc_mutex_lock(krb5_context context, k5_cc_mutex *m)
{
krb5_error_code ret = 0;
-
+
// not locked or already locked by another context
if (m->owner != context) {
- // acquire lock, blocking until available
- ret = k5_mutex_lock(&m->lock);
- m->owner = context;
- m->refcount = 1;
+ // acquire lock, blocking until available
+ ret = k5_mutex_lock(&m->lock);
+ m->owner = context;
+ m->refcount = 1;
}
// already locked by this context, just increase refcount
else {
- m->refcount++;
+ m->refcount++;
}
- return ret;
+ return ret;
}
krb5_error_code
k5_cc_mutex_unlock(krb5_context context, k5_cc_mutex *m)
{
krb5_error_code ret = 0;
-
+
/* verify owner and sanity check refcount */
if ((m->owner != context) || (m->refcount < 1)) {
- return ret;
+ return ret;
}
/* decrement & unlock when count reaches zero */
m->refcount--;
if (m->refcount == 0) {
- m->owner = NULL;
- k5_mutex_unlock(&m->lock);
+ m->owner = NULL;
+ k5_mutex_unlock(&m->lock);
}
return ret;
}
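Review bot: In k5_cc_mutex_lock the result of `k5_mutex_lock(&m->lock)` is stored in `ret`, but `m->owner = context; m->refcount = 1;` run regardless, so a failed acquisition still records this context as the owner. A later k5_cc_mutex_unlock from the same context would then pass the owner check and call `k5_mutex_unlock` on a mutex it does not hold. Adding `if (ret) return ret;` directly after the lock call keeps the bookkeeping consistent with the real lock state. The `m->owner != context` test is also read without the mutex held, which deserves a comment stating why that is acceptable.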
@@ -492,13 +493,13 @@ krb5_error_code
k5_cc_mutex_force_unlock(k5_cc_mutex *m)
{
krb5_error_code ret = 0;
-
+
m->refcount = 0;
m->owner = NULL;
if (m->refcount > 0) {
- k5_mutex_unlock(&m->lock);
+ k5_mutex_unlock(&m->lock);
}
- return ret;
+ return ret;
}
/*
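Review bot: k5_cc_mutex_force_unlock assigns `m->refcount = 0;` before testing `if (m->refcount > 0)`, so the branch is never taken and `k5_mutex_unlock(&m->lock)` is unreachable. A mutex that was held stays locked while the wrapper reports it free. Capture the state before clearing it, e.g. `int held = (m->refcount > 0);` ahead of the two assignments and `if (held)` around the unlock. The reindentation leaves this logic unchanged.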
@@ -509,28 +510,28 @@ krb5_error_code KRB5_CALLCONV
krb5_cccol_lock(krb5_context context)
{
krb5_error_code ret = 0;
-
+
ret = k5_cc_mutex_lock(context, &cccol_lock);
if (ret) {
- return ret;
- }
+ return ret;
+ }
ret = k5_mutex_lock(&cc_typelist_lock);
if (ret) {
- k5_cc_mutex_unlock(context, &cccol_lock);
- return ret;
+ k5_cc_mutex_unlock(context, &cccol_lock);
+ return ret;
}
ret = k5_cc_mutex_lock(context, &krb5int_cc_file_mutex);
if (ret) {
- k5_mutex_unlock(&cc_typelist_lock);
- k5_cc_mutex_unlock(context, &cccol_lock);
- return ret;
+ k5_mutex_unlock(&cc_typelist_lock);
+ k5_cc_mutex_unlock(context, &cccol_lock);
+ return ret;
}
ret = k5_cc_mutex_lock(context, &krb5int_mcc_mutex);
if (ret) {
- k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex);
- k5_mutex_unlock(&cc_typelist_lock);
- k5_cc_mutex_unlock(context, &cccol_lock);
- return ret;
+ k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex);
+ k5_mutex_unlock(&cc_typelist_lock);
+ k5_cc_mutex_unlock(context, &cccol_lock);
+ return ret;
}
#ifdef USE_CCAPI_V3
ret = krb5_stdccv3_context_lock(context);
@@ -539,11 +540,11 @@ krb5_cccol_lock(krb5_context context)
ret = k5_cc_mutex_lock(context, &krb5int_krcc_mutex);
#endif
if (ret) {
- k5_cc_mutex_unlock(context, &krb5int_mcc_mutex);
- k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex);
- k5_mutex_unlock(&cc_typelist_lock);
- k5_cc_mutex_unlock(context, &cccol_lock);
- return ret;
+ k5_cc_mutex_unlock(context, &krb5int_mcc_mutex);
+ k5_cc_mutex_unlock(context, &krb5int_cc_file_mutex);
+ k5_mutex_unlock(&cc_typelist_lock);
+ k5_cc_mutex_unlock(context, &cccol_lock);
+ return ret;
}
k5_mutex_unlock(&cc_typelist_lock);
return ret;
@@ -553,15 +554,15 @@ krb5_error_code KRB5_CALLCONV
krb5_cccol_unlock(krb5_context context)
{
krb5_error_code ret = 0;
-
+
/* sanity check */
k5_cc_mutex_assert_locked(context, &cccol_lock);
-
+
ret = k5_mutex_lock(&cc_typelist_lock);
if (ret) {
- k5_cc_mutex_unlock(context, &cccol_lock);
- return ret;
- }
+ k5_cc_mutex_unlock(context, &cccol_lock);
+ return ret;
+ }
// unlock each type in the opposite order
#ifdef USE_KEYRING_CCACHE
@@ -588,20 +589,20 @@ krb5_error_code
k5_cccol_force_unlock()
{
krb5_error_code ret = 0;
-
+
/* sanity check */
if ((&cccol_lock)->refcount == 0) {
- return 0;
+ return 0;
}
-
+
ret = k5_mutex_lock(&cc_typelist_lock);
if (ret) {
- (&cccol_lock)->refcount = 0;
- (&cccol_lock)->owner = NULL;
- k5_mutex_unlock(&(&cccol_lock)->lock);
- return ret;
- }
-
+ (&cccol_lock)->refcount = 0;
+ (&cccol_lock)->owner = NULL;
+ k5_mutex_unlock(&(&cccol_lock)->lock);
+ return ret;
+ }
+
// unlock each type in the opposite order
#ifdef USE_KEYRING_CCACHE
k5_cc_mutex_force_unlock(&krb5int_krcc_mutex);
@@ -611,9 +612,9 @@ k5_cccol_force_unlock()
#endif
k5_cc_mutex_force_unlock(&krb5int_mcc_mutex);
k5_cc_mutex_force_unlock(&krb5int_cc_file_mutex);
-
+
k5_mutex_unlock(&cc_typelist_lock);
k5_cc_mutex_force_unlock(&cccol_lock);
-
+
return ret;
}
diff --git a/src/lib/krb5/ccache/cccopy.c b/src/lib/krb5/ccache/cccopy.c
index a9a45b501b..36b3f42705 100644
--- a/src/lib/krb5/ccache/cccopy.c
+++ b/src/lib/krb5/ccache/cccopy.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
#include "k5-int.h"
krb5_error_code KRB5_CALLCONV
@@ -8,29 +9,29 @@ krb5_cc_copy_creds(krb5_context context, krb5_ccache incc, krb5_ccache outcc)
krb5_cc_cursor cur = 0;
krb5_creds creds;
- flags = 0; /* turns off OPENCLOSE mode */
+ flags = 0; /* turns off OPENCLOSE mode */
if ((code = krb5_cc_set_flags(context, incc, flags)))
- return(code);
+ return(code);
/* the code for this will open the file for reading only, which
is not what I had in mind. So I won't turn off OPENCLOSE
for the output ccache */
#if 0
if ((code = krb5_cc_set_flags(context, outcc, flags)))
- return(code);
+ return(code);
#endif
if ((code = krb5_cc_start_seq_get(context, incc, &cur)))
- goto cleanup;
+ goto cleanup;
while (!(code = krb5_cc_next_cred(context, incc, &cur, &creds))) {
- code = krb5_cc_store_cred(context, outcc, &creds);
- krb5_free_cred_contents(context, &creds);
- if (code)
- goto cleanup;
+ code = krb5_cc_store_cred(context, outcc, &creds);
+ krb5_free_cred_contents(context, &creds);
+ if (code)
+ goto cleanup;
}
if (code != KRB5_CC_END)
- goto cleanup;
+ goto cleanup;
code = krb5_cc_end_seq_get(context, incc, &cur);
cur = 0;
@@ -43,19 +44,19 @@ cleanup:
flags = KRB5_TC_OPENCLOSE;
/* If set then we are in an error pathway */
- if (cur)
- krb5_cc_end_seq_get(context, incc, &cur);
+ if (cur)
+ krb5_cc_end_seq_get(context, incc, &cur);
if (code)
- krb5_cc_set_flags(context, incc, flags);
+ krb5_cc_set_flags(context, incc, flags);
else
- code = krb5_cc_set_flags(context, incc, flags);
+ code = krb5_cc_set_flags(context, incc, flags);
#if 0
if (code)
- krb5_cc_set_flags(context, outcc, flags);
+ krb5_cc_set_flags(context, outcc, flags);
else
- code = krb5_cc_set_flags(context, outcc, flags);
+ code = krb5_cc_set_flags(context, outcc, flags);
#endif
return(code);
diff --git a/src/lib/krb5/ccache/cccursor.c b/src/lib/krb5/ccache/cccursor.c
index 5a062d4433..852eff847f 100644
--- a/src/lib/krb5/ccache/cccursor.c
+++ b/src/lib/krb5/ccache/cccursor.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/ccache/cccursor.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -75,7 +76,7 @@ krb5_cccol_cursor_new(
*cursor = NULL;
n = malloc(sizeof(*n));
if (n == NULL)
- return ENOMEM;
+ return ENOMEM;
n->pos = CCCURSOR_CONTEXT;
n->typecursor = NULL;
@@ -83,27 +84,27 @@ krb5_cccol_cursor_new(
n->ops = NULL;
for (i = 0; i < NFULLNAMES; i++) {
- n->fullnames[i].pfx = n->fullnames[i].res = NULL;
+ n->fullnames[i].pfx = n->fullnames[i].res = NULL;
}
n->cur_fullname = 0;
ret = krb5int_cc_typecursor_new(context, &n->typecursor);
if (ret)
- goto errout;
+ goto errout;
do {
- /* Find first backend with ptcursor functionality. */
- ret = krb5int_cc_typecursor_next(context, n->typecursor, &n->ops);
- if (ret || n->ops == NULL)
- goto errout;
+ /* Find first backend with ptcursor functionality. */
+ ret = krb5int_cc_typecursor_next(context, n->typecursor, &n->ops);
+ if (ret || n->ops == NULL)
+ goto errout;
} while (n->ops->ptcursor_new == NULL);
ret = n->ops->ptcursor_new(context, &n->ptcursor);
if (ret)
- goto errout;
+ goto errout;
errout:
if (ret) {
- krb5_cccol_cursor_free(context, &n);
+ krb5_cccol_cursor_free(context, &n);
}
*cursor = n;
return ret;
@@ -124,48 +125,48 @@ krb5_cccol_cursor_next(
switch (cursor->pos) {
case CCCURSOR_CONTEXT:
- name = os_ctx->default_ccname;
- if (name != NULL) {
- cursor->pos = CCCURSOR_ENV;
- ret = cccol_do_resolve(context, cursor, name, ccache);
- if (ret)
- goto errout;
- if (*ccache != NULL)
- break;
- }
- /* fall through */
+ name = os_ctx->default_ccname;
+ if (name != NULL) {
+ cursor->pos = CCCURSOR_ENV;
+ ret = cccol_do_resolve(context, cursor, name, ccache);
+ if (ret)
+ goto errout;
+ if (*ccache != NULL)
+ break;
+ }
+ /* fall through */
case CCCURSOR_ENV:
- name = getenv(KRB5_ENV_CCNAME);
- if (name != NULL) {
- cursor->pos = CCCURSOR_OS;
- ret = cccol_do_resolve(context, cursor, name, ccache);
- if (ret)
- goto errout;
- if (*ccache != NULL)
- break;
- }
- /* fall through */
+ name = getenv(KRB5_ENV_CCNAME);
+ if (name != NULL) {
+ cursor->pos = CCCURSOR_OS;
+ ret = cccol_do_resolve(context, cursor, name, ccache);
+ if (ret)
+ goto errout;
+ if (*ccache != NULL)
+ break;
+ }
+ /* fall through */
case CCCURSOR_OS:
- ret = krb5int_cc_os_default_name(context, &name);
- if (ret) goto errout;
- if (name != NULL) {
- cursor->pos = CCCURSOR_PERTYPE;
- ret = cccol_do_resolve(context, cursor, name, ccache);
- free(name);
- if (ret)
- goto errout;
- if (*ccache != NULL)
- break;
- }
- /* fall through */
+ ret = krb5int_cc_os_default_name(context, &name);
+ if (ret) goto errout;
+ if (name != NULL) {
+ cursor->pos = CCCURSOR_PERTYPE;
+ ret = cccol_do_resolve(context, cursor, name, ccache);
+ free(name);
+ if (ret)
+ goto errout;
+ if (*ccache != NULL)
+ break;
+ }
+ /* fall through */
case CCCURSOR_PERTYPE:
- cursor->pos = CCCURSOR_PERTYPE;
- do {
- ret = cccol_pertype_next(context, cursor, ccache);
- if (ret)
- goto errout;
- } while (cccol_already(context, cursor, ccache));
- break;
+ cursor->pos = CCCURSOR_PERTYPE;
+ do {
+ ret = cccol_pertype_next(context, cursor, ccache);
+ if (ret)
+ goto errout;
+ } while (cccol_already(context, cursor, ccache));
+ break;
}
errout:
return ret;
@@ -180,18 +181,18 @@ krb5_cccol_cursor_free(
int i;
if (c == NULL)
- return 0;
+ return 0;
for (i = 0; i < NFULLNAMES; i++) {
- if (c->fullnames[i].pfx != NULL)
- free(c->fullnames[i].pfx);
- if (c->fullnames[i].res != NULL)
- free(c->fullnames[i].res);
+ if (c->fullnames[i].pfx != NULL)
+ free(c->fullnames[i].pfx);
+ if (c->fullnames[i].res != NULL)
+ free(c->fullnames[i].res);
}
if (c->ptcursor != NULL)
- c->ops->ptcursor_free(context, &c->ptcursor);
+ c->ops->ptcursor_free(context, &c->ptcursor);
if (c->typecursor != NULL)
- krb5int_cc_typecursor_free(context, &c->typecursor);
+ krb5int_cc_typecursor_free(context, &c->typecursor);
free(c);
*cursor = NULL;
@@ -200,7 +201,7 @@ krb5_cccol_cursor_free(
krb5_error_code KRB5_CALLCONV
krb5_cccol_last_change_time(
- krb5_context context,
+ krb5_context context,
krb5_timestamp *change_time)
{
krb5_error_code ret = 0;
@@ -208,11 +209,11 @@ krb5_cccol_last_change_time(
krb5_ccache ccache = NULL;
krb5_timestamp last_time = 0;
krb5_timestamp max_change_time = 0;
-
+
*change_time = 0;
-
+
ret = krb5_cccol_cursor_new(context, &c);
-
+
while (!ret) {
ret = krb5_cccol_cursor_next(context, c, &ccache);
if (ccache) {
@@ -248,19 +249,19 @@ cccol_already(
int i;
if (*ccache == NULL)
- return 0;
+ return 0;
name = krb5_cc_get_name(context, *ccache);
if (name == NULL)
- return 0;
+ return 0;
prefix = krb5_cc_get_type(context, *ccache);
assert(c->cur_fullname < NFULLNAMES);
for (i = 0; i < c->cur_fullname; i++) {
- if (cccol_cmpname(prefix, name, &c->fullnames[i])) {
- krb5_cc_close(context, *ccache);
- *ccache = NULL;
- return 1;
- }
+ if (cccol_cmpname(prefix, name, &c->fullnames[i])) {
+ krb5_cc_close(context, *ccache);
+ *ccache = NULL;
+ return 1;
+ }
}
return 0;
}
@@ -275,11 +276,11 @@ cccol_cmpname(
struct cc_fullname *fullname)
{
if (fullname->pfx == NULL || fullname->res == NULL)
- return 0;
+ return 0;
if (strcmp(prefix, fullname->pfx))
- return 0;
+ return 0;
if (strcmp(name, fullname->res))
- return 0;
+ return 0;
return 1;
}
@@ -303,10 +304,10 @@ cccol_do_resolve(
assert(cursor->cur_fullname < NFULLNAMES);
ret = krb5_cc_resolve(context, name, ccache);
if (ret)
- return ret;
+ return ret;
if (cccol_already(context, cursor, ccache))
- return 0;
+ return 0;
fullname = &cursor->fullnames[cursor->cur_fullname];
fullname->pfx = strdup(krb5_cc_get_type(context, *ccache));
@@ -331,35 +332,35 @@ cccol_pertype_next(
/* Are we out of backends? */
if (cursor->ops == NULL)
- return 0;
+ return 0;
/*
* Loop in case there are multiple backends with empty ccache
* lists.
*/
while (*ccache == NULL) {
- ret = cursor->ops->ptcursor_next(context, cursor->ptcursor, ccache);
- if (ret)
- goto errout;
- if (*ccache != NULL)
- return 0;
-
- ret = cursor->ops->ptcursor_free(context, &cursor->ptcursor);
- if (ret)
- goto errout;
-
- do {
- /* Find first backend with ptcursor functionality. */
- ret = krb5int_cc_typecursor_next(context, cursor->typecursor,
- &cursor->ops);
- if (ret)
- goto errout;
- if (cursor->ops == NULL)
- return 0;
- } while (cursor->ops->ptcursor_new == NULL);
-
- ret = cursor->ops->ptcursor_new(context, &cursor->ptcursor);
- if (ret)
- goto errout;
+ ret = cursor->ops->ptcursor_next(context, cursor->ptcursor, ccache);
+ if (ret)
+ goto errout;
+ if (*ccache != NULL)
+ return 0;
+
+ ret = cursor->ops->ptcursor_free(context, &cursor->ptcursor);
+ if (ret)
+ goto errout;
+
+ do {
+ /* Find first backend with ptcursor functionality. */
+ ret = krb5int_cc_typecursor_next(context, cursor->typecursor,
+ &cursor->ops);
+ if (ret)
+ goto errout;
+ if (cursor->ops == NULL)
+ return 0;
+ } while (cursor->ops->ptcursor_new == NULL);
+
+ ret = cursor->ops->ptcursor_new(context, &cursor->ptcursor);
+ if (ret)
+ goto errout;
}
errout:
return ret;
diff --git a/src/lib/krb5/ccache/ccdefault.c b/src/lib/krb5/ccache/ccdefault.c
index c4f9f292e6..a4498d0695 100644
--- a/src/lib/krb5/ccache/ccdefault.c
+++ b/src/lib/krb5/ccache/ccdefault.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/ccache/ccdefault.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* Find default credential cache
*/
@@ -46,20 +47,20 @@ static HANDLE hLeashDLL = INVALID_HANDLE_VALUE;
krb5_error_code KRB5_CALLCONV
krb5_cc_default(krb5_context context, krb5_ccache *ccache)
{
- const char *default_name;
-
- if (!context || context->magic != KV5M_CONTEXT)
- return KV5M_CONTEXT;
-
- default_name = krb5_cc_default_name(context);
- if (default_name == NULL) {
- /* Could be a bogus context, or an allocation failure, or
- other things. Unfortunately the API doesn't allow us
- to find out any specifics. */
- return KRB5_FCC_INTERNAL;
- }
-
- return krb5_cc_resolve(context, default_name, ccache);
+ const char *default_name;
+
+ if (!context || context->magic != KV5M_CONTEXT)
+ return KV5M_CONTEXT;
+
+ default_name = krb5_cc_default_name(context);
+ if (default_name == NULL) {
+ /* Could be a bogus context, or an allocation failure, or
+ other things. Unfortunately the API doesn't allow us
+ to find out any specifics. */
+ return KRB5_FCC_INTERNAL;
+ }
+
+ return krb5_cc_resolve(context, default_name, ccache);
}
/* This is the internal function which opens the default ccache. On
@@ -85,35 +86,35 @@ krb5int_cc_default(krb5_context context, krb5_ccache *ccache)
kim_identity identity = KIM_IDENTITY_ANY;
kim_credential_state state;
kim_string name = NULL;
-
- err = kim_ccache_create_from_display_name (&kimccache,
+
+ err = kim_ccache_create_from_display_name (&kimccache,
krb5_cc_default_name (context));
-
+
if (!err) {
err = kim_ccache_get_client_identity (kimccache, &identity);
}
-
+
if (!err) {
err = kim_ccache_get_state (kimccache, &state);
}
-
+
if (err || state != kim_credentials_state_valid) {
/* Either the ccache is does not exist or is invalid. Get new
* tickets. Use the identity in the ccache if there was one. */
kim_ccache_free (&kimccache);
- err = kim_ccache_create_new (&kimccache,
+ err = kim_ccache_create_new (&kimccache,
identity, KIM_OPTIONS_DEFAULT);
}
-
+
if (!err) {
err = kim_ccache_get_display_name (kimccache, &name);
}
-
+
if (!err) {
- krb5_cc_set_default_name (context, name);
+ krb5_cc_set_default_name (context, name);
}
- kim_identity_free (&identity);
+ kim_identity_free (&identity);
kim_string_free (&name);
kim_ccache_free (&kimccache);
}
@@ -123,19 +124,19 @@ krb5int_cc_default(krb5_context context, krb5_ccache *ccache)
hLeashDLL = LoadLibrary(LEASH_DLL);
if ( hLeashDLL != INVALID_HANDLE_VALUE ) {
(FARPROC) pLeash_AcquireInitialTicketsIfNeeded =
- GetProcAddress(hLeashDLL, "not_an_API_Leash_AcquireInitialTicketsIfNeeded");
+ GetProcAddress(hLeashDLL, "not_an_API_Leash_AcquireInitialTicketsIfNeeded");
}
}
-
+
if ( pLeash_AcquireInitialTicketsIfNeeded ) {
- char ccname[256]="";
+ char ccname[256]="";
pLeash_AcquireInitialTicketsIfNeeded(context, NULL, ccname, sizeof(ccname));
- if (ccname[0]) {
+ if (ccname[0]) {
char * ccdefname = krb5_cc_default_name (context);
if (!ccdefname || strcmp (ccdefname, ccname) != 0) {
krb5_cc_set_default_name (context, ccname);
}
- }
+ }
}
#endif
#endif
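Review bot: The handle returned by `LoadLibrary(LEASH_DLL)` is compared with `INVALID_HANDLE_VALUE`, but LoadLibrary reports failure by returning NULL, so a failed load still reaches `GetProcAddress(hLeashDLL, ...)` with a null module handle. The test should be `if (hLeashDLL != NULL)`. The guard that precedes the load is outside this hunk and, together with the `INVALID_HANDLE_VALUE` initialiser of `hLeashDLL`, would presumably need the same sentinel. krb5int_cc_default starts above this hunk.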
diff --git a/src/lib/krb5/ccache/ccdefops.c b/src/lib/krb5/ccache/ccdefops.c
index 949758bdf8..e517a25439 100644
--- a/src/lib/krb5/ccache/ccdefops.c
+++ b/src/lib/krb5/ccache/ccdefops.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/ccache/ccdefops.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* Default credentials cache determination. This is a separate file
* so that the user can more easily override it.
@@ -35,7 +36,7 @@
/*
* Macs use the shared, memory based credentials cache
* Windows may also use the ccapi cache, but only if the Krbcc32.dll
- * can be found; otherwise it falls back to using the old
+ * can be found; otherwise it falls back to using the old
* file-based ccache.
*/
#include "stdcc.h" /* from ccapi subdir */
diff --git a/src/lib/krb5/ccache/ccfns.c b/src/lib/krb5/ccache/ccfns.c
index abfc037be3..e12dd563fc 100644
--- a/src/lib/krb5/ccache/ccfns.c
+++ b/src/lib/krb5/ccache/ccfns.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/ccache/ccfns.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -44,7 +45,7 @@ krb5_cc_gen_new (krb5_context context, krb5_ccache *cache)
krb5_error_code KRB5_CALLCONV
krb5_cc_initialize(krb5_context context, krb5_ccache cache,
- krb5_principal principal)
+ krb5_principal principal)
{
return cache->ops->init(context, cache, principal);
}
@@ -63,7 +64,7 @@ krb5_cc_close (krb5_context context, krb5_ccache cache)
krb5_error_code KRB5_CALLCONV
krb5_cc_store_cred (krb5_context context, krb5_ccache cache,
- krb5_creds *creds)
+ krb5_creds *creds)
{
krb5_error_code ret;
krb5_ticket *tkt;
@@ -97,17 +98,17 @@ krb5_cc_store_cred (krb5_context context, krb5_ccache cache,
krb5_error_code KRB5_CALLCONV
krb5_cc_retrieve_cred (krb5_context context, krb5_ccache cache,
- krb5_flags flags, krb5_creds *mcreds,
- krb5_creds *creds)
+ krb5_flags flags, krb5_creds *mcreds,
+ krb5_creds *creds)
{
krb5_error_code ret;
krb5_data tmprealm;
ret = cache->ops->retrieve(context, cache, flags, mcreds, creds);
if (ret != KRB5_CC_NOTFOUND)
- return ret;
+ return ret;
if (!krb5_is_referral_realm(&mcreds->server->realm))
- return ret;
+ return ret;
/*
* Retry using client's realm if service has referral realm.
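Review bot: `mcreds->server` is used without a NULL check in krb5_cc_retrieve_cred: whenever the backend returns KRB5_CC_NOTFOUND, `krb5_is_referral_realm(&mcreds->server->realm)` runs on whatever match credentials the caller supplied. Whether every caller sets a server principal is not visible in this hunk; if that is not guaranteed, the second guard could read `if (mcreds->server == NULL || !krb5_is_referral_realm(&mcreds->server->realm))` ahead of the existing `return ret;`. Otherwise a one-line comment stating the precondition would be enough. The function body continues outside the hunk.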
@@ -121,35 +122,35 @@ krb5_cc_retrieve_cred (krb5_context context, krb5_ccache cache,
krb5_error_code KRB5_CALLCONV
krb5_cc_get_principal (krb5_context context, krb5_ccache cache,
- krb5_principal *principal)
+ krb5_principal *principal)
{
return cache->ops->get_princ(context, cache, principal);
}
krb5_error_code KRB5_CALLCONV
krb5_cc_start_seq_get (krb5_context context, krb5_ccache cache,
- krb5_cc_cursor *cursor)
+ krb5_cc_cursor *cursor)
{
return cache->ops->get_first(context, cache, cursor);
}
krb5_error_code KRB5_CALLCONV
krb5_cc_next_cred (krb5_context context, krb5_ccache cache,
- krb5_cc_cursor *cursor, krb5_creds *creds)
+ krb5_cc_cursor *cursor, krb5_creds *creds)
{
return cache->ops->get_next(context, cache, cursor, creds);
}
krb5_error_code KRB5_CALLCONV
krb5_cc_end_seq_get (krb5_context context, krb5_ccache cache,
- krb5_cc_cursor *cursor)
+ krb5_cc_cursor *cursor)
{
return cache->ops->end_get(context, cache, cursor);
}
krb5_error_code KRB5_CALLCONV
krb5_cc_remove_cred (krb5_context context, krb5_ccache cache, krb5_flags flags,
- krb5_creds *creds)
+ krb5_creds *creds)
{
return cache->ops->remove_cred(context, cache, flags, creds);
}
@@ -173,8 +174,8 @@ krb5_cc_get_type (krb5_context context, krb5_ccache cache)
}
krb5_error_code KRB5_CALLCONV
-krb5_cc_last_change_time (krb5_context context, krb5_ccache ccache,
- krb5_timestamp *change_time)
+krb5_cc_last_change_time (krb5_context context, krb5_ccache ccache,
+ krb5_timestamp *change_time)
{
return ccache->ops->lastchange(context, ccache, change_time);
}
@@ -190,4 +191,3 @@ krb5_cc_unlock (krb5_context context, krb5_ccache ccache)
{
return ccache->ops->unlock(context, ccache);
}
-
diff --git a/src/lib/krb5/ccache/fcc.h b/src/lib/krb5/ccache/fcc.h
index f349da9980..7ca60da8be 100644
--- a/src/lib/krb5/ccache/fcc.h
+++ b/src/lib/krb5/ccache/fcc.h
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/ccache/file/fcc.h
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* This file contains constant and function declarations used in the
* file-based credential cache routines.
diff --git a/src/lib/krb5/ccache/scc.h b/src/lib/krb5/ccache/scc.h
index 98acbc25c3..c6b5254ba7 100644
--- a/src/lib/krb5/ccache/scc.h
+++ b/src/lib/krb5/ccache/scc.h
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/ccache/stdio/scc.h
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* This file contains constant and function declarations used in the
* file-based credential cache routines.
@@ -46,14 +47,14 @@
*
*/
-#define KRB5_SCC_FVNO_1 0x0501 /* krb v5, scc v1 */
-#define KRB5_SCC_FVNO_2 0x0502 /* krb v5, scc v2 */
-#define KRB5_SCC_FVNO_3 0x0503 /* krb v5, scc v3 */
-#define KRB5_SCC_FVNO_4 0x0504 /* krb v5, scc v4 */
+#define KRB5_SCC_FVNO_1 0x0501 /* krb v5, scc v1 */
+#define KRB5_SCC_FVNO_2 0x0502 /* krb v5, scc v2 */
+#define KRB5_SCC_FVNO_3 0x0503 /* krb v5, scc v3 */
+#define KRB5_SCC_FVNO_4 0x0504 /* krb v5, scc v4 */
-#define SCC_OPEN_AND_ERASE 1
-#define SCC_OPEN_RDWR 2
-#define SCC_OPEN_RDONLY 3
+#define SCC_OPEN_AND_ERASE 1
+#define SCC_OPEN_RDWR 2
+#define SCC_OPEN_RDONLY 3
/* Credential file header tags.
* The header tags are constructed as:
@@ -63,7 +64,7 @@
* This format allows for older versions of the fcc processing code to skip
* past unrecognized tag formats.
*/
-#define SCC_TAG_DELTATIME 1
+#define SCC_TAG_DELTATIME 1
#ifndef TKT_ROOT
#define TKT_ROOT "/tmp/tkt"
@@ -73,11 +74,11 @@
#define OPENCLOSE(id) (((krb5_scc_data *)id->data)->flags & KRB5_TC_OPENCLOSE)
typedef struct _krb5_scc_data {
- char *filename;
- FILE *file;
- krb5_flags flags;
- char stdio_buffer[BUFSIZ];
- int version;
+ char *filename;
+ FILE *file;
+ krb5_flags flags;
+ char stdio_buffer[BUFSIZ];
+ int version;
} krb5_scc_data;
/* An off_t can be arbitrarily complex */
@@ -85,17 +86,17 @@ typedef struct _krb5_scc_cursor {
long pos;
} krb5_scc_cursor;
-#define MAYBE_OPEN(context, ID, MODE) \
-{ \
- if (OPENCLOSE (ID)) { \
- krb5_error_code maybe_open_ret = krb5_scc_open_file (context, ID,MODE); \
- if (maybe_open_ret) return maybe_open_ret; } }
+#define MAYBE_OPEN(context, ID, MODE) \
+ { \
+ if (OPENCLOSE (ID)) { \
+ krb5_error_code maybe_open_ret = krb5_scc_open_file (context, ID,MODE); \
+ if (maybe_open_ret) return maybe_open_ret; } }
-#define MAYBE_CLOSE(context, ID, RET) \
-{ \
- if (OPENCLOSE (ID)) { \
- krb5_error_code maybe_close_ret = krb5_scc_close_file (context, ID); \
- if (!(RET)) RET = maybe_close_ret; } }
+#define MAYBE_CLOSE(context, ID, RET) \
+ { \
+ if (OPENCLOSE (ID)) { \
+ krb5_error_code maybe_close_ret = krb5_scc_close_file (context, ID); \
+ if (!(RET)) RET = maybe_close_ret; } }
/* DO NOT ADD ANYTHING AFTER THIS #endif */
#endif /* __KRB5_FILE_CCACHE__ */
diff --git a/src/lib/krb5/ccache/ser_cc.c b/src/lib/krb5/ccache/ser_cc.c
index 882dbf714d..dfe5e60400 100644
--- a/src/lib/krb5/ccache/ser_cc.c
+++ b/src/lib/krb5/ccache/ser_cc.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/ccache/ser_rc.c
*
@@ -32,129 +33,129 @@
/*
* Routines to deal with externalizing krb5_ccache.
- * krb5_ccache_size();
- * krb5_ccache_externalize();
- * krb5_ccache_internalize();
+ * krb5_ccache_size();
+ * krb5_ccache_externalize();
+ * krb5_ccache_internalize();
*/
static krb5_error_code krb5_ccache_size
- (krb5_context, krb5_pointer, size_t *);
+(krb5_context, krb5_pointer, size_t *);
static krb5_error_code krb5_ccache_externalize
- (krb5_context, krb5_pointer, krb5_octet **, size_t *);
+(krb5_context, krb5_pointer, krb5_octet **, size_t *);
static krb5_error_code krb5_ccache_internalize
- (krb5_context,krb5_pointer *, krb5_octet **, size_t *);
+(krb5_context,krb5_pointer *, krb5_octet **, size_t *);
/*
* Serialization entry for this type.
*/
static const krb5_ser_entry krb5_ccache_ser_entry = {
- KV5M_CCACHE, /* Type */
- krb5_ccache_size, /* Sizer routine */
- krb5_ccache_externalize, /* Externalize routine */
- krb5_ccache_internalize /* Internalize routine */
+ KV5M_CCACHE, /* Type */
+ krb5_ccache_size, /* Sizer routine */
+ krb5_ccache_externalize, /* Externalize routine */
+ krb5_ccache_internalize /* Internalize routine */
};
/*
- * krb5_ccache_size() - Determine the size required to externalize
- * this krb5_ccache variant.
+ * krb5_ccache_size() - Determine the size required to externalize
+ * this krb5_ccache variant.
*/
static krb5_error_code
krb5_ccache_size(krb5_context kcontext, krb5_pointer arg, size_t *sizep)
{
- krb5_error_code kret;
- krb5_ccache ccache;
- size_t required;
+ krb5_error_code kret;
+ krb5_ccache ccache;
+ size_t required;
kret = EINVAL;
if ((ccache = (krb5_ccache) arg)) {
- /*
- * Saving FILE: variants of krb5_ccache requires at minimum:
- * krb5_int32 for KV5M_CCACHE
- * krb5_int32 for length of ccache name.
- * krb5_int32 for KV5M_CCACHE
- */
- required = sizeof(krb5_int32) * 3;
- if (ccache->ops->prefix)
- required += (strlen(ccache->ops->prefix)+1);
-
- /*
- * The ccache name is formed as follows:
- * <prefix>:<name>
- */
- required += strlen(krb5_cc_get_name(kcontext, ccache));
-
- kret = 0;
- *sizep += required;
+ /*
+ * Saving FILE: variants of krb5_ccache requires at minimum:
+ * krb5_int32 for KV5M_CCACHE
+ * krb5_int32 for length of ccache name.
+ * krb5_int32 for KV5M_CCACHE
+ */
+ required = sizeof(krb5_int32) * 3;
+ if (ccache->ops->prefix)
+ required += (strlen(ccache->ops->prefix)+1);
+
+ /*
+ * The ccache name is formed as follows:
+ * <prefix>:<name>
+ */
+ required += strlen(krb5_cc_get_name(kcontext, ccache));
+
+ kret = 0;
+ *sizep += required;
}
return(kret);
}
/*
- * krb5_ccache_externalize() - Externalize the krb5_ccache.
+ * krb5_ccache_externalize() - Externalize the krb5_ccache.
*/
static krb5_error_code
krb5_ccache_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet **buffer, size_t *lenremain)
{
- krb5_error_code kret;
- krb5_ccache ccache;
- size_t required;
- krb5_octet *bp;
- size_t remain;
- char *ccname;
- const char *fnamep;
+ krb5_error_code kret;
+ krb5_ccache ccache;
+ size_t required;
+ krb5_octet *bp;
+ size_t remain;
+ char *ccname;
+ const char *fnamep;
required = 0;
bp = *buffer;
remain = *lenremain;
kret = EINVAL;
if ((ccache = (krb5_ccache) arg)) {
- kret = ENOMEM;
- if (!krb5_ccache_size(kcontext, arg, &required) &&
- (required <= remain)) {
- /* Our identifier */
- (void) krb5_ser_pack_int32(KV5M_CCACHE, &bp, &remain);
-
- fnamep = krb5_cc_get_name(kcontext, ccache);
-
- if (ccache->ops->prefix) {
- if (asprintf(&ccname, "%s:%s", ccache->ops->prefix, fnamep) < 0)
- ccname = NULL;
- } else
- ccname = strdup(fnamep);
-
- if (ccname) {
- /* Put the length of the file name */
- (void) krb5_ser_pack_int32((krb5_int32) strlen(ccname),
- &bp, &remain);
-
- /* Put the name */
- (void) krb5_ser_pack_bytes((krb5_octet *) ccname,
- strlen(ccname),
- &bp, &remain);
-
- /* Put the trailer */
- (void) krb5_ser_pack_int32(KV5M_CCACHE, &bp, &remain);
- kret = 0;
- *buffer = bp;
- *lenremain = remain;
- free(ccname);
- }
- }
+ kret = ENOMEM;
+ if (!krb5_ccache_size(kcontext, arg, &required) &&
+ (required <= remain)) {
+ /* Our identifier */
+ (void) krb5_ser_pack_int32(KV5M_CCACHE, &bp, &remain);
+
+ fnamep = krb5_cc_get_name(kcontext, ccache);
+
+ if (ccache->ops->prefix) {
+ if (asprintf(&ccname, "%s:%s", ccache->ops->prefix, fnamep) < 0)
+ ccname = NULL;
+ } else
+ ccname = strdup(fnamep);
+
+ if (ccname) {
+ /* Put the length of the file name */
+ (void) krb5_ser_pack_int32((krb5_int32) strlen(ccname),
+ &bp, &remain);
+
+ /* Put the name */
+ (void) krb5_ser_pack_bytes((krb5_octet *) ccname,
+ strlen(ccname),
+ &bp, &remain);
+
+ /* Put the trailer */
+ (void) krb5_ser_pack_int32(KV5M_CCACHE, &bp, &remain);
+ kret = 0;
+ *buffer = bp;
+ *lenremain = remain;
+ free(ccname);
+ }
+ }
}
return(kret);
}
/*
- * krb5_ccache_internalize() - Internalize the krb5_ccache.
+ * krb5_ccache_internalize() - Internalize the krb5_ccache.
*/
static krb5_error_code
krb5_ccache_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet **buffer, size_t *lenremain)
{
- krb5_error_code kret;
- krb5_ccache ccache;
- krb5_int32 ibuf;
- krb5_octet *bp;
- size_t remain;
- char *ccname = NULL;
+ krb5_error_code kret;
+ krb5_ccache ccache;
+ krb5_int32 ibuf;
+ krb5_octet *bp;
+ size_t remain;
+ char *ccname = NULL;
*argp = NULL;
@@ -164,40 +165,40 @@ krb5_ccache_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet **
/* Read our magic number. */
kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
if (kret)
- return kret;
+ return kret;
if (ibuf != KV5M_CCACHE)
- return EINVAL;
+ return EINVAL;
/* Unpack and validate the length of the ccache name. */
kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
if (kret)
- return kret;
+ return kret;
if (ibuf < 0 || ibuf > remain)
- return EINVAL;
+ return EINVAL;
/* Allocate and unpack the name. */
ccname = malloc(ibuf + 1);
if (!ccname)
- return ENOMEM;
+ return ENOMEM;
kret = krb5_ser_unpack_bytes((krb5_octet *) ccname, (size_t) ibuf,
- &bp, &remain);
+ &bp, &remain);
if (kret)
- goto cleanup;
+ goto cleanup;
ccname[ibuf] = '\0';
/* Read the second magic number. */
kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
if (kret)
- goto cleanup;
+ goto cleanup;
if (ibuf != KV5M_CCACHE) {
- kret = EINVAL;
- goto cleanup;
+ kret = EINVAL;
+ goto cleanup;
}
/* Resolve the named credential cache. */
kret = krb5_cc_resolve(kcontext, ccname, &ccache);
if (kret)
- goto cleanup;
+ goto cleanup;
*buffer = bp;
*lenremain = remain;
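Review bot: The name read from the buffer is length-checked but not content-checked before it reaches krb5_cc_resolve(): if the bytes contain an embedded NUL, `ccname` as a C string is shorter than the declared length, and the cache that gets resolved is not the one the length field describes. Right after `ccname[ibuf] = '\0';` I would add `if (strlen(ccname) != (size_t) ibuf) { kret = EINVAL; goto cleanup; }`. The resolve call also accepts whatever cache type prefix and path the blob names, so a comment saying that serialized contexts must come from a trusted source would help; whether untrusted input can reach this routine is not visible here. The function starts before this hunk and its cleanup label lies after it.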
diff --git a/src/lib/krb5/ccache/t_cc.c b/src/lib/krb5/ccache/t_cc.c
index c243809a64..466fa232fb 100644
--- a/src/lib/krb5/ccache/t_cc.c
+++ b/src/lib/krb5/ccache/t_cc.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/ccache/scc_test.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
*/
@@ -44,273 +45,273 @@ int debug=0;
static void init_structs(void)
{
- static int add=0x12345;
-
- static krb5_address addr;
-
- static krb5_address *addrs[] = {
- &addr,
- 0,
- };
-
- addr.magic = KV5M_ADDRESS;
- addr.addrtype = ADDRTYPE_INET;
- addr.length = 4;
- addr.contents = (krb5_octet *) &add;
-
- test_creds.magic = KV5M_CREDS;
- test_creds.client = NULL;
- test_creds.server = NULL;
-
- test_creds.keyblock.magic = KV5M_KEYBLOCK;
- test_creds.keyblock.contents = 0;
- test_creds.keyblock.enctype = 1;
- test_creds.keyblock.length = 1;
- test_creds.keyblock.contents = (unsigned char *) "1";
- test_creds.times.authtime = 1111;
- test_creds.times.starttime = 2222;
- test_creds.times.endtime = 3333;
- test_creds.times.renew_till = 4444;
- test_creds.is_skey = 1;
- test_creds.ticket_flags = 5555;
- test_creds.addresses = addrs;
-
+ static int add=0x12345;
+
+ static krb5_address addr;
+
+ static krb5_address *addrs[] = {
+ &addr,
+ 0,
+ };
+
+ addr.magic = KV5M_ADDRESS;
+ addr.addrtype = ADDRTYPE_INET;
+ addr.length = 4;
+ addr.contents = (krb5_octet *) &add;
+
+ test_creds.magic = KV5M_CREDS;
+ test_creds.client = NULL;
+ test_creds.server = NULL;
+
+ test_creds.keyblock.magic = KV5M_KEYBLOCK;
+ test_creds.keyblock.contents = 0;
+ test_creds.keyblock.enctype = 1;
+ test_creds.keyblock.length = 1;
+ test_creds.keyblock.contents = (unsigned char *) "1";
+ test_creds.times.authtime = 1111;
+ test_creds.times.starttime = 2222;
+ test_creds.times.endtime = 3333;
+ test_creds.times.renew_till = 4444;
+ test_creds.is_skey = 1;
+ test_creds.ticket_flags = 5555;
+ test_creds.addresses = addrs;
+
#define SET_TICKET(ent, str) {ent.magic = KV5M_DATA; ent.length = sizeof(str); ent.data = str;}
- SET_TICKET(test_creds.ticket, "This is ticket 1");
- SET_TICKET(test_creds.second_ticket, "This is ticket 2");
- test_creds.authdata = NULL;
+ SET_TICKET(test_creds.ticket, "This is ticket 1");
+ SET_TICKET(test_creds.second_ticket, "This is ticket 2");
+ test_creds.authdata = NULL;
}
static krb5_error_code init_test_cred(krb5_context context)
{
- krb5_error_code kret;
- unsigned int i;
- krb5_authdata *a;
+ krb5_error_code kret;
+ unsigned int i;
+ krb5_authdata *a;
#define REALM "REALM"
- kret = krb5_build_principal(context, &test_creds.client, sizeof(REALM), REALM,
- "client-comp1", "client-comp2", NULL);
- if(kret)
- return kret;
-
- kret = krb5_build_principal(context, &test_creds.server, sizeof(REALM), REALM,
- "server-comp1", "server-comp2", NULL);
- if(kret) {
- krb5_free_principal(context, test_creds.client);
- test_creds.client = 0;
- goto cleanup;
- }
-
- test_creds.authdata = malloc (3 * sizeof(krb5_authdata *));
- if (!test_creds.authdata) {
- kret = ENOMEM;
- goto cleanup;
- }
-
- for (i = 0 ; i <= 2 ; i++) {
- test_creds.authdata[i] = 0;
- }
- a = (krb5_authdata *) malloc(sizeof(krb5_authdata));
- if(!a) {
- kret = ENOMEM;
- goto cleanup;
- }
- a->magic = KV5M_AUTHDATA;
- a->ad_type = KRB5_AUTHDATA_IF_RELEVANT;
- a->contents = (krb5_octet * ) malloc(1);
- if(!a->contents) {
- free(a);
- kret = ENOMEM;
- goto cleanup;
- }
- a->contents[0]=5;
- a->length = 1;
- test_creds.authdata[0] = a;
-
- a = (krb5_authdata *) malloc(sizeof(krb5_authdata));
- if(!a) {
- kret = ENOMEM;
- goto cleanup;
- }
- a->magic = KV5M_AUTHDATA;
- a->ad_type = KRB5_AUTHDATA_KDC_ISSUED;
- a->contents = (krb5_octet * ) malloc(2);
- if(!a->contents) {
- free(a);
- kret = ENOMEM;
- goto cleanup;
- }
- a->contents[0]=4;
- a->contents[1]=6;
- a->length = 2;
- test_creds.authdata[1] = a;
-
+ kret = krb5_build_principal(context, &test_creds.client, sizeof(REALM), REALM,
+ "client-comp1", "client-comp2", NULL);
+ if(kret)
+ return kret;
+
+ kret = krb5_build_principal(context, &test_creds.server, sizeof(REALM), REALM,
+ "server-comp1", "server-comp2", NULL);
+ if(kret) {
+ krb5_free_principal(context, test_creds.client);
+ test_creds.client = 0;
+ goto cleanup;
+ }
+
+ test_creds.authdata = malloc (3 * sizeof(krb5_authdata *));
+ if (!test_creds.authdata) {
+ kret = ENOMEM;
+ goto cleanup;
+ }
+
+ for (i = 0 ; i <= 2 ; i++) {
+ test_creds.authdata[i] = 0;
+ }
+ a = (krb5_authdata *) malloc(sizeof(krb5_authdata));
+ if(!a) {
+ kret = ENOMEM;
+ goto cleanup;
+ }
+ a->magic = KV5M_AUTHDATA;
+ a->ad_type = KRB5_AUTHDATA_IF_RELEVANT;
+ a->contents = (krb5_octet * ) malloc(1);
+ if(!a->contents) {
+ free(a);
+ kret = ENOMEM;
+ goto cleanup;
+ }
+ a->contents[0]=5;
+ a->length = 1;
+ test_creds.authdata[0] = a;
+
+ a = (krb5_authdata *) malloc(sizeof(krb5_authdata));
+ if(!a) {
+ kret = ENOMEM;
+ goto cleanup;
+ }
+ a->magic = KV5M_AUTHDATA;
+ a->ad_type = KRB5_AUTHDATA_KDC_ISSUED;
+ a->contents = (krb5_octet * ) malloc(2);
+ if(!a->contents) {
+ free(a);
+ kret = ENOMEM;
+ goto cleanup;
+ }
+ a->contents[0]=4;
+ a->contents[1]=6;
+ a->length = 2;
+ test_creds.authdata[1] = a;
+
cleanup:
- if(kret) {
- if (test_creds.client) {
- krb5_free_principal(context, test_creds.client);
- test_creds.client = 0;
- }
- if (test_creds.server) {
- krb5_free_principal(context, test_creds.server);
- test_creds.server = 0;
-
- }
- if (test_creds.authdata) {
- krb5_free_authdata(context, test_creds.authdata);
- test_creds.authdata = 0;
- }
- }
-
- return kret;
+ if(kret) {
+ if (test_creds.client) {
+ krb5_free_principal(context, test_creds.client);
+ test_creds.client = 0;
+ }
+ if (test_creds.server) {
+ krb5_free_principal(context, test_creds.server);
+ test_creds.server = 0;
+
+ }
+ if (test_creds.authdata) {
+ krb5_free_authdata(context, test_creds.authdata);
+ test_creds.authdata = 0;
+ }
+ }
+
+ return kret;
}
static void free_test_cred(krb5_context context)
{
- krb5_free_principal(context, test_creds.client);
-
- krb5_free_principal(context, test_creds.server);
-
- if(test_creds.authdata) {
- krb5_free_authdata(context, test_creds.authdata);
- test_creds.authdata = 0;
- }
+ krb5_free_principal(context, test_creds.client);
+
+ krb5_free_principal(context, test_creds.server);
+
+ if(test_creds.authdata) {
+ krb5_free_authdata(context, test_creds.authdata);
+ test_creds.authdata = 0;
+ }
}
-#define CHECK(kret,msg) \
- if (kret != KRB5_OK) {\
- com_err(msg, kret, ""); \
- fflush(stderr);\
- exit(1);\
- } else if(debug) printf("%s went ok\n", msg);
+#define CHECK(kret,msg) \
+ if (kret != KRB5_OK) { \
+ com_err(msg, kret, ""); \
+ fflush(stderr); \
+ exit(1); \
+ } else if(debug) printf("%s went ok\n", msg);
-#define CHECK_STR(str,msg) \
- if (str == 0) {\
- com_err(msg, kret, "");\
- exit(1);\
- } else if(debug) printf("%s went ok\n", msg);
+#define CHECK_STR(str,msg) \
+ if (str == 0) { \
+ com_err(msg, kret, ""); \
+ exit(1); \
+ } else if(debug) printf("%s went ok\n", msg);
-#define CHECK_BOOL(expr,errstr,msg) \
- if (expr) {\
- fprintf(stderr, "%s %s\n", msg, errstr); \
- exit(1); \
- } else if(debug) printf("%s went ok\n", msg);
+#define CHECK_BOOL(expr,errstr,msg) \
+ if (expr) { \
+ fprintf(stderr, "%s %s\n", msg, errstr); \
+ exit(1); \
+ } else if(debug) printf("%s went ok\n", msg);
-#define CHECK_FAIL(experr, kret, msg) \
- if (experr != kret) { CHECK(kret, msg);}
+#define CHECK_FAIL(experr, kret, msg) \
+ if (experr != kret) { CHECK(kret, msg);}
static void cc_test(krb5_context context, const char *name, krb5_flags flags)
{
- krb5_ccache id, id2;
- krb5_creds creds;
- krb5_error_code kret;
- krb5_cc_cursor cursor;
- krb5_principal tmp;
-
- const char *c_name;
- char newcache[300];
- char *save_type;
-
- kret = init_test_cred(context);
- CHECK(kret, "init_creds");
-
- kret = krb5_cc_resolve(context, name, &id);
- CHECK(kret, "resolve");
- kret = krb5_cc_initialize(context, id, test_creds.client);
- CHECK(kret, "initialize");
-
- c_name = krb5_cc_get_name(context, id);
- CHECK_STR(c_name, "get_name");
-
- c_name = krb5_cc_get_type(context, id);
- CHECK_STR(c_name, "get_type");
- save_type=strdup(c_name);
- CHECK_STR(save_type, "copying type");
-
- kret = krb5_cc_store_cred(context, id, &test_creds);
- CHECK(kret, "store");
-
- kret = krb5_cc_get_principal(context, id, &tmp);
- CHECK(kret, "get_principal");
-
- CHECK_BOOL(krb5_realm_compare(context, tmp, test_creds.client) != TRUE,
- "realms do not match", "realm_compare");
-
-
- CHECK_BOOL(krb5_principal_compare(context, tmp, test_creds.client) != TRUE,
- "principals do not match", "principal_compare");
-
- krb5_free_principal(context, tmp);
-
- kret = krb5_cc_set_flags (context, id, flags);
- CHECK(kret, "set_flags");
-
- kret = krb5_cc_start_seq_get(context, id, &cursor);
- CHECK(kret, "start_seq_get");
- kret = 0;
- while (kret != KRB5_CC_END) {
- if(debug) printf("Calling next_cred\n");
- kret = krb5_cc_next_cred(context, id, &cursor, &creds);
- if(kret == KRB5_CC_END) {
- if(debug) printf("next_cred: ok at end\n");
- }
- else {
- CHECK(kret, "next_cred");
- krb5_free_cred_contents(context, &creds);
- }
-
- }
- kret = krb5_cc_end_seq_get(context, id, &cursor);
- CHECK(kret, "end_seq_get");
-
- kret = krb5_cc_close(context, id);
- CHECK(kret, "close");
-
-
- /* ------------------------------------------------- */
- kret = krb5_cc_resolve(context, name, &id);
- CHECK(kret, "resolve2");
-
- {
- /* Copy the cache test*/
- snprintf(newcache, sizeof(newcache), "%s.new", name);
- kret = krb5_cc_resolve(context, newcache, &id2);
- CHECK(kret, "resolve of new cache");
-
- /* This should fail as the new creds are not initialized */
- kret = krb5_cc_copy_creds(context, id, id2);
- CHECK_FAIL(KRB5_FCC_NOFILE, kret, "copy_creds");
-
- kret = krb5_cc_initialize(context, id2, test_creds.client);
- CHECK(kret, "initialize of id2");
-
- kret = krb5_cc_copy_creds(context, id, id2);
- CHECK(kret, "copy_creds");
-
- kret = krb5_cc_destroy(context, id2);
- CHECK(kret, "destroy new cache");
- }
-
- /* Destroy the first cache */
- kret = krb5_cc_destroy(context, id);
- CHECK(kret, "destroy");
-
- /* ----------------------------------------------------- */
- /* Tests the generate new code */
- kret = krb5_cc_new_unique(context, save_type,
- NULL, &id2);
- CHECK(kret, "new_unique");
-
- kret = krb5_cc_initialize(context, id2, test_creds.client);
- CHECK(kret, "initialize");
-
- kret = krb5_cc_store_cred(context, id2, &test_creds);
- CHECK(kret, "store");
-
- kret = krb5_cc_destroy(context, id2);
- CHECK(kret, "destroy id2");
-
- free(save_type);
- free_test_cred(context);
+ krb5_ccache id, id2;
+ krb5_creds creds;
+ krb5_error_code kret;
+ krb5_cc_cursor cursor;
+ krb5_principal tmp;
+
+ const char *c_name;
+ char newcache[300];
+ char *save_type;
+
+ kret = init_test_cred(context);
+ CHECK(kret, "init_creds");
+
+ kret = krb5_cc_resolve(context, name, &id);
+ CHECK(kret, "resolve");
+ kret = krb5_cc_initialize(context, id, test_creds.client);
+ CHECK(kret, "initialize");
+
+ c_name = krb5_cc_get_name(context, id);
+ CHECK_STR(c_name, "get_name");
+
+ c_name = krb5_cc_get_type(context, id);
+ CHECK_STR(c_name, "get_type");
+ save_type=strdup(c_name);
+ CHECK_STR(save_type, "copying type");
+
+ kret = krb5_cc_store_cred(context, id, &test_creds);
+ CHECK(kret, "store");
+
+ kret = krb5_cc_get_principal(context, id, &tmp);
+ CHECK(kret, "get_principal");
+
+ CHECK_BOOL(krb5_realm_compare(context, tmp, test_creds.client) != TRUE,
+ "realms do not match", "realm_compare");
+
+
+ CHECK_BOOL(krb5_principal_compare(context, tmp, test_creds.client) != TRUE,
+ "principals do not match", "principal_compare");
+
+ krb5_free_principal(context, tmp);
+
+ kret = krb5_cc_set_flags (context, id, flags);
+ CHECK(kret, "set_flags");
+
+ kret = krb5_cc_start_seq_get(context, id, &cursor);
+ CHECK(kret, "start_seq_get");
+ kret = 0;
+ while (kret != KRB5_CC_END) {
+ if(debug) printf("Calling next_cred\n");
+ kret = krb5_cc_next_cred(context, id, &cursor, &creds);
+ if(kret == KRB5_CC_END) {
+ if(debug) printf("next_cred: ok at end\n");
+ }
+ else {
+ CHECK(kret, "next_cred");
+ krb5_free_cred_contents(context, &creds);
+ }
+
+ }
+ kret = krb5_cc_end_seq_get(context, id, &cursor);
+ CHECK(kret, "end_seq_get");
+
+ kret = krb5_cc_close(context, id);
+ CHECK(kret, "close");
+
+
+ /* ------------------------------------------------- */
+ kret = krb5_cc_resolve(context, name, &id);
+ CHECK(kret, "resolve2");
+
+ {
+ /* Copy the cache test*/
+ snprintf(newcache, sizeof(newcache), "%s.new", name);
+ kret = krb5_cc_resolve(context, newcache, &id2);
+ CHECK(kret, "resolve of new cache");
+
+ /* This should fail as the new creds are not initialized */
+ kret = krb5_cc_copy_creds(context, id, id2);
+ CHECK_FAIL(KRB5_FCC_NOFILE, kret, "copy_creds");
+
+ kret = krb5_cc_initialize(context, id2, test_creds.client);
+ CHECK(kret, "initialize of id2");
+
+ kret = krb5_cc_copy_creds(context, id, id2);
+ CHECK(kret, "copy_creds");
+
+ kret = krb5_cc_destroy(context, id2);
+ CHECK(kret, "destroy new cache");
+ }
+
+ /* Destroy the first cache */
+ kret = krb5_cc_destroy(context, id);
+ CHECK(kret, "destroy");
+
+ /* ----------------------------------------------------- */
+ /* Tests the generate new code */
+ kret = krb5_cc_new_unique(context, save_type,
+ NULL, &id2);
+ CHECK(kret, "new_unique");
+
+ kret = krb5_cc_initialize(context, id2, test_creds.client);
+ CHECK(kret, "initialize");
+
+ kret = krb5_cc_store_cred(context, id2, &test_creds);
+ CHECK(kret, "store");
+
+ kret = krb5_cc_destroy(context, id2);
+ CHECK(kret, "destroy id2");
+
+ free(save_type);
+ free_test_cred(context);
}
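Review bot: The expected-failure checks cannot detect an unexpected success: `CHECK_FAIL` expands to `if (experr != kret) { CHECK(kret, msg);}`, and `CHECK` only exits when `kret != KRB5_OK`, so in cc_test a `krb5_cc_copy_creds` into the uninitialized cache that returns 0 passes silently. The same pattern appears in test_misc (hunk at -319) and in the repeated `krb5_cc_register` check in main (hunk at -387). I would make the mismatch branch fail unconditionally, for example `if (experr != kret) { fprintf(stderr, "%s: expected %ld, got %ld\n", msg, (long) experr, (long) kret); exit(1); }`.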
@@ -319,66 +320,66 @@ static void cc_test(krb5_context context, const char *name, krb5_flags flags)
*/
static int check_registered(krb5_context context, const char *prefix)
{
- char name[300];
- krb5_error_code kret;
- krb5_ccache id;
-
- snprintf(name, sizeof(name), "%s/tmp/cctest.%ld", prefix, (long) getpid());
-
- kret = krb5_cc_resolve(context, name, &id);
- if(kret != KRB5_OK) {
- if(kret == KRB5_CC_UNKNOWN_TYPE)
- return 0;
- com_err("Checking on credential type", kret,prefix);
- fflush(stderr);
- return 0;
- }
+ char name[300];
+ krb5_error_code kret;
+ krb5_ccache id;
+
+ snprintf(name, sizeof(name), "%s/tmp/cctest.%ld", prefix, (long) getpid());
+
+ kret = krb5_cc_resolve(context, name, &id);
+ if(kret != KRB5_OK) {
+ if(kret == KRB5_CC_UNKNOWN_TYPE)
+ return 0;
+ com_err("Checking on credential type", kret,prefix);
+ fflush(stderr);
+ return 0;
+ }
- kret = krb5_cc_close(context, id);
- if(kret != KRB5_OK) {
- com_err("Checking on credential type - closing", kret,prefix);
- fflush(stderr);
- }
+ kret = krb5_cc_close(context, id);
+ if(kret != KRB5_OK) {
+ com_err("Checking on credential type - closing", kret,prefix);
+ fflush(stderr);
+ }
- return 1;
+ return 1;
}
static void do_test(krb5_context context, const char *prefix)
{
- char name[300];
+ char name[300];
- snprintf(name, sizeof(name), "%s/tmp/cctest.%ld", prefix, (long) getpid());
- printf("Starting test on %s\n", name);
- cc_test (context, name, 0);
- cc_test (context, name, !0);
- printf("Test on %s passed\n", name);
+ snprintf(name, sizeof(name), "%s/tmp/cctest.%ld", prefix, (long) getpid());
+ printf("Starting test on %s\n", name);
+ cc_test (context, name, 0);
+ cc_test (context, name, !0);
+ printf("Test on %s passed\n", name);
}
static void test_misc(krb5_context context)
{
- /* Tests for certain error returns */
- krb5_error_code kret;
- krb5_ccache id;
- const krb5_cc_ops *ops_save;
+ /* Tests for certain error returns */
+ krb5_error_code kret;
+ krb5_ccache id;
+ const krb5_cc_ops *ops_save;
- fprintf(stderr, "Testing miscellaneous error conditions\n");
+ fprintf(stderr, "Testing miscellaneous error conditions\n");
- kret = krb5_cc_resolve(context, "unknown_method_ep:/tmp/name", &id);
- if (kret != KRB5_CC_UNKNOWN_TYPE) {
- CHECK(kret, "resolve unknown type");
- }
+ kret = krb5_cc_resolve(context, "unknown_method_ep:/tmp/name", &id);
+ if (kret != KRB5_CC_UNKNOWN_TYPE) {
+ CHECK(kret, "resolve unknown type");
+ }
- /* Test for not specifiying a cache type with no defaults */
- ops_save = krb5_cc_dfl_ops;
- krb5_cc_dfl_ops = 0;
+ /* Test for not specifiying a cache type with no defaults */
+ ops_save = krb5_cc_dfl_ops;
+ krb5_cc_dfl_ops = 0;
- kret = krb5_cc_resolve(context, "/tmp/e", &id);
- if (kret != KRB5_CC_BADNAME) {
- CHECK(kret, "resolve no builtin type");
- }
+ kret = krb5_cc_resolve(context, "/tmp/e", &id);
+ if (kret != KRB5_CC_BADNAME) {
+ CHECK(kret, "resolve no builtin type");
+ }
- krb5_cc_dfl_ops = ops_save;
+ krb5_cc_dfl_ops = ops_save;
}
extern const krb5_cc_ops krb5_mcc_ops;
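Review bot: check_registered and do_test both build the cache name as `<prefix>/tmp/cctest.<pid>`, which for the FILE: and default types is a predictable path in a world-writable directory; cc_test then also creates `<name>.new` beside it. On a shared build host another local user can pre-create or link those names before the test runs; how the file cache opens the path is not visible in this hunk. I would create a private directory first (for example with `mkdtemp`) and build the names under it, or at least record the assumption with `/* assumes /tmp is not shared with untrusted users */` above the `snprintf` calls.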
@@ -387,28 +388,28 @@ extern const krb5_cc_ops krb5_fcc_ops;
int main (void)
{
krb5_context context;
- krb5_error_code kret;
+ krb5_error_code kret;
if ((kret = krb5_init_context(&context))) {
- printf("Couldn't initialize krb5 library: %s\n",
- error_message(kret));
- exit(1);
+ printf("Couldn't initialize krb5 library: %s\n",
+ error_message(kret));
+ exit(1);
}
kret = krb5_cc_register(context, &krb5_mcc_ops,0);
if(kret && kret != KRB5_CC_TYPE_EXISTS) {
- CHECK(kret, "register_mem");
+ CHECK(kret, "register_mem");
}
kret = krb5_cc_register(context, &krb5_fcc_ops,0);
if(kret && kret != KRB5_CC_TYPE_EXISTS) {
- CHECK(kret, "register_mem");
+ CHECK(kret, "register_mem");
}
/* Registering a second time tests for error return */
kret = krb5_cc_register(context, &krb5_fcc_ops,0);
if(kret != KRB5_CC_TYPE_EXISTS) {
- CHECK(kret, "register_mem");
+ CHECK(kret, "register_mem");
}
/* Registering with override should work */
@@ -421,9 +422,9 @@ int main (void)
do_test(context, "");
if(check_registered(context, "KEYRING:"))
- do_test(context, "KEYRING:");
- else
- printf("Skiping KEYRING: test - unregistered type\n");
+ do_test(context, "KEYRING:");
+ else
+ printf("Skiping KEYRING: test - unregistered type\n");
do_test(context, "MEMORY:");
do_test(context, "FILE:");
diff --git a/src/lib/krb5/ccache/t_cccursor.c b/src/lib/krb5/ccache/t_cccursor.c
index e65beadd01..1e4f4b9e5b 100644
--- a/src/lib/krb5/ccache/t_cccursor.c
+++ b/src/lib/krb5/ccache/t_cccursor.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/ccache/t_cccursor.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -101,22 +102,22 @@ cr_cache(krb5_context context, const char *ccname, const char *pname)
ret = krb5_cc_resolve(context, ccname, &ccache);
if (ret)
- goto errout;
+ goto errout;
if (pname != NULL) {
- ret = krb5_parse_name(context, pname, &princ);
- if (ret)
- return ret;
- ret = krb5_cc_initialize(context, ccache, princ);
- if (ret)
- goto errout;
- printf("created cache %s with principal %s\n", ccname, pname);
+ ret = krb5_parse_name(context, pname, &princ);
+ if (ret)
+ return ret;
+ ret = krb5_cc_initialize(context, ccache, princ);
+ if (ret)
+ goto errout;
+ printf("created cache %s with principal %s\n", ccname, pname);
} else
- printf("created cache %s (uninitialized)\n", ccname);
+ printf("created cache %s (uninitialized)\n", ccname);
errout:
if (princ != NULL)
- krb5_free_principal(context, princ);
+ krb5_free_principal(context, princ);
if (ccache != NULL)
- krb5_cc_close(context, ccache);
+ krb5_cc_close(context, ccache);
return ret;
}
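Review bot: In `cr_cache`, a `krb5_parse_name` failure takes `return ret;` and skips the `errout:` cleanup, so the handle just obtained from `krb5_cc_resolve` is never closed; `goto errout;` there would match the other two error paths. This relies on `princ` and `ccache` being initialised to NULL in the declarations above the hunk, which the NULL tests at `errout:` suggest but the hunk does not show.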
@@ -128,15 +129,15 @@ dest_cache(krb5_context context, const char *ccname, const char *pname)
ret = krb5_cc_resolve(context, ccname, &ccache);
if (ret)
- goto errout;
+ goto errout;
if (pname != NULL) {
- ret = krb5_cc_destroy(context, ccache);
- if (ret)
- return ret;
- printf("Destroyed cache %s\n", ccname);
+ ret = krb5_cc_destroy(context, ccache);
+ if (ret)
+ return ret;
+ printf("Destroyed cache %s\n", ccname);
} else {
- printf("Closed cache %s (uninitialized)\n", ccname);
- ret = krb5_cc_close(context, ccache);
+ printf("Closed cache %s (uninitialized)\n", ccname);
+ ret = krb5_cc_close(context, ccache);
}
errout:
return ret;
@@ -147,11 +148,11 @@ do_chk_one(const char *prefix, const char *name, struct chklist *chk)
{
if (chk->pfx == NULL)
- return 0;
+ return 0;
if (strcmp(chk->pfx, prefix) || strcmp(chk->res, name)) {
- fprintf(stderr, "MATCH FAILED: expected %s:%s\n",
- chk->pfx, chk->res);
- return 1;
+ fprintf(stderr, "MATCH FAILED: expected %s:%s\n",
+ chk->pfx, chk->res);
+ return 1;
}
return 0;
}
@@ -175,33 +176,33 @@ do_chk(
i = 0;
printf(">>>\n");
for (i = 0; ; i++) {
- ret = krb5_cccol_cursor_next(context, cursor, &ccache);
- if (ret) goto errout;
- if (ccache == NULL) {
- printf("<<< end of list\n");
- break;
- }
- prefix = krb5_cc_get_type(context, ccache);
- name = krb5_cc_get_name(context, ccache);
- printf("cursor: %s:%s\n", prefix, name);
-
- if (i < nmax) {
- if (do_chk_one(prefix, name, &chklist[i])) {
- *good = 0;
- }
- }
- ret = krb5_cc_close(context, ccache);
- if (ret) goto errout;
+ ret = krb5_cccol_cursor_next(context, cursor, &ccache);
+ if (ret) goto errout;
+ if (ccache == NULL) {
+ printf("<<< end of list\n");
+ break;
+ }
+ prefix = krb5_cc_get_type(context, ccache);
+ name = krb5_cc_get_name(context, ccache);
+ printf("cursor: %s:%s\n", prefix, name);
+
+ if (i < nmax) {
+ if (do_chk_one(prefix, name, &chklist[i])) {
+ *good = 0;
+ }
+ }
+ ret = krb5_cc_close(context, ccache);
+ if (ret) goto errout;
}
if (i != nmax) {
- fprintf(stderr, "total ccaches %d != expected ccaches %d\n", i, nmax);
- *good = 0;
+ fprintf(stderr, "total ccaches %d != expected ccaches %d\n", i, nmax);
+ *good = 0;
}
errout:
if (cursor != NULL)
- krb5_cccol_cursor_free(context, &cursor);
+ krb5_cccol_cursor_free(context, &cursor);
return ret;
}
@@ -216,8 +217,8 @@ main(int argc, char *argv[])
if (ret) exit(1);
for (i = 0; i < NCRLIST; i++) {
- ret = cr_cache(context, crlist[i].ccname, crlist[i].pname);
- if (ret) goto errout;
+ ret = cr_cache(context, crlist[i].ccname, crlist[i].pname);
+ if (ret) goto errout;
}
#ifdef HAVE_SETENV
@@ -228,7 +229,7 @@ main(int argc, char *argv[])
printf("KRB5CCNAME=foo\n");
ret = do_chk(context, chklist0, NCHKLIST0, &good);
if (ret)
- goto errout;
+ goto errout;
#ifdef HAVE_SETENV
setenv("KRB5CCNAME", "MEMORY:env", 1);
@@ -238,28 +239,28 @@ main(int argc, char *argv[])
printf("KRB5CCNAME=MEMORY:env\n");
ret = do_chk(context, chklist1, NCHKLIST1, &good);
if (ret)
- goto errout;
+ goto errout;
ret = krb5_cc_set_default_name(context, "MEMORY:env");
if (ret)
- goto errout;
+ goto errout;
printf("KRB5CCNAME=MEMORY:env, ccdefname=MEMORY:env\n");
ret = do_chk(context, chklist2, NCHKLIST2, &good);
if (ret)
- goto errout;
+ goto errout;
for (i = 0; i < NCRLIST; i++) {
- ret = dest_cache(context, crlist[i].ccname, crlist[i].pname);
- if (ret) goto errout;
+ ret = dest_cache(context, crlist[i].ccname, crlist[i].pname);
+ if (ret) goto errout;
}
errout:
krb5_free_context(context);
if (ret) {
- com_err("main", ret, "");
- exit(1);
+ com_err("main", ret, "");
+ exit(1);
} else {
- exit(!good);
+ exit(!good);
}
}
diff --git a/src/lib/krb5/ccache/t_memory.c b/src/lib/krb5/ccache/t_memory.c
index b117aed33f..5650280eb4 100644
--- a/src/lib/krb5/ccache/t_memory.c
+++ b/src/lib/krb5/ccache/t_memory.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/ccache/file/mcc_test.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
*/
@@ -31,110 +32,109 @@
krb5_data client1 = {
#define DATA "client1-comp1"
- sizeof(DATA),
- DATA,
+ sizeof(DATA),
+ DATA,
#undef DATA
};
krb5_data client2 = {
#define DATA "client1-comp2"
- sizeof(DATA),
- DATA,
+ sizeof(DATA),
+ DATA,
#undef DATA
};
krb5_data server1 = {
#define DATA "server1-comp1"
- sizeof(DATA),
- DATA,
+ sizeof(DATA),
+ DATA,
#undef DATA
};
krb5_data server2 = {
#define DATA "server1-comp2"
- sizeof(DATA),
- DATA,
+ sizeof(DATA),
+ DATA,
#undef DATA
};
krb5_creds test_creds = {
- NULL,
- NULL,
- {
- 1,
- 1,
- (unsigned char *) "1"
- },
- {
- 1111,
- 2222,
- 3333,
- 4444
- },
- 1,
- 5555,
- {
+ NULL,
+ NULL,
+ {
+ 1,
+ 1,
+ (unsigned char *) "1"
+ },
+ {
+ 1111,
+ 2222,
+ 3333,
+ 4444
+ },
+ 1,
+ 5555,
+ {
#define TICKET "This is ticket 1"
- sizeof(TICKET),
- TICKET,
+ sizeof(TICKET),
+ TICKET,
#undef TICKET
- },
- {
+ },
+ {
#define TICKET "This is ticket 2"
- sizeof(TICKET),
- TICKET,
+ sizeof(TICKET),
+ TICKET,
#undef TICKET
- },
+ },
};
void init_test_cred()
{
- test_creds.client = (krb5_principal) malloc(sizeof(krb5_data *)*3);
- test_creds.client[0] = &client1;
- test_creds.client[1] = &client2;
- test_creds.client[2] = NULL;
+ test_creds.client = (krb5_principal) malloc(sizeof(krb5_data *)*3);
+ test_creds.client[0] = &client1;
+ test_creds.client[1] = &client2;
+ test_creds.client[2] = NULL;
- test_creds.server = (krb5_principal) malloc(sizeof(krb5_data *)*3);
- test_creds.server[0] = &server1;
- test_creds.server[1] = &server2;
- test_creds.server[2] = NULL;
+ test_creds.server = (krb5_principal) malloc(sizeof(krb5_data *)*3);
+ test_creds.server[0] = &server1;
+ test_creds.server[1] = &server2;
+ test_creds.server[2] = NULL;
}
-#define CHECK(kret,msg) \
- if (kret != KRB5_OK) {\
- printf("%s returned %d\n", msg, kret);\
- };
-
+#define CHECK(kret,msg) \
+ if (kret != KRB5_OK) { \
+ printf("%s returned %d\n", msg, kret); \
+ };
+
void mcc_test()
{
- krb5_ccache id;
- krb5_creds creds;
- krb5_error_code kret;
- krb5_cc_cursor cursor;
+ krb5_ccache id;
+ krb5_creds creds;
+ krb5_error_code kret;
+ krb5_cc_cursor cursor;
- init_test_cred();
+ init_test_cred();
- kret = krb5_mcc_resolve(context, &id, "/tmp/tkt_test");
- CHECK(kret, "resolve");
- kret = krb5_mcc_initialize(context, id, test_creds.client);
- CHECK(kret, "initialize");
- kret = krb5_mcc_store(context, id, &test_creds);
- CHECK(kret, "store");
+ kret = krb5_mcc_resolve(context, &id, "/tmp/tkt_test");
+ CHECK(kret, "resolve");
+ kret = krb5_mcc_initialize(context, id, test_creds.client);
+ CHECK(kret, "initialize");
+ kret = krb5_mcc_store(context, id, &test_creds);
+ CHECK(kret, "store");
- kret = krb5_mcc_start_seq_get(context, id, &cursor);
- CHECK(kret, "start_seq_get");
- kret = 0;
- while (kret != KRB5_CC_END) {
- printf("Calling next_cred\n");
- kret = krb5_mcc_next_cred(context, id, &cursor, &creds);
- CHECK(kret, "next_cred");
- }
- kret = krb5_mcc_end_seq_get(context, id, &cursor);
- CHECK(kret, "end_seq_get");
+ kret = krb5_mcc_start_seq_get(context, id, &cursor);
+ CHECK(kret, "start_seq_get");
+ kret = 0;
+ while (kret != KRB5_CC_END) {
+ printf("Calling next_cred\n");
+ kret = krb5_mcc_next_cred(context, id, &cursor, &creds);
+ CHECK(kret, "next_cred");
+ }
+ kret = krb5_mcc_end_seq_get(context, id, &cursor);
+ CHECK(kret, "end_seq_get");
- kret = krb5_mcc_destroy(context, id);
- CHECK(kret, "destroy");
- kret = krb5_mcc_close(context, id);
- CHECK(kret, "close");
+ kret = krb5_mcc_destroy(context, id);
+ CHECK(kret, "destroy");
+ kret = krb5_mcc_close(context, id);
+ CHECK(kret, "close");
}
-
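Review bot: The `while (kret != KRB5_CC_END)` loop in `mcc_test` has no exit for any other error: `CHECK` only prints, so if `krb5_mcc_next_cred` keeps returning a failure code other than `KRB5_CC_END` the test never terminates. Adding `if (kret != KRB5_OK) break;` after the `CHECK(kret, "next_cred");` line bounds it. `scc_test` in t_stdio.c has the same loop around `krb5_scc_next_cred`. Separately, `init_test_cred` writes through both `malloc` results without a NULL test.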
diff --git a/src/lib/krb5/ccache/t_stdio.c b/src/lib/krb5/ccache/t_stdio.c
index a76d1fcd7f..f17d50647b 100644
--- a/src/lib/krb5/ccache/t_stdio.c
+++ b/src/lib/krb5/ccache/t_stdio.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/ccache/stdio/scc_test.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
*/
@@ -31,29 +32,29 @@
krb5_data client1 = {
#define DATA "client1-comp1"
- sizeof(DATA),
- DATA,
+ sizeof(DATA),
+ DATA,
#undef DATA
};
krb5_data client2 = {
#define DATA "client1-comp2"
- sizeof(DATA),
- DATA,
+ sizeof(DATA),
+ DATA,
#undef DATA
};
krb5_data server1 = {
#define DATA "server1-comp1"
- sizeof(DATA),
- DATA,
+ sizeof(DATA),
+ DATA,
#undef DATA
};
krb5_data server2 = {
#define DATA "server1-comp2"
- sizeof(DATA),
- DATA,
+ sizeof(DATA),
+ DATA,
#undef DATA
};
@@ -70,92 +71,92 @@ krb5_address *addrs[] = {
};
krb5_creds test_creds = {
- NULL,
- NULL,
- {
- 1,
- 1,
- (unsigned char *) "1"
- },
- {
- 1111,
- 2222,
- 3333,
- 4444,
- },
- 1,
- 5555,
- addrs,
- {
+ NULL,
+ NULL,
+ {
+ 1,
+ 1,
+ (unsigned char *) "1"
+ },
+ {
+ 1111,
+ 2222,
+ 3333,
+ 4444,
+ },
+ 1,
+ 5555,
+ addrs,
+ {
#define TICKET "This is ticket 1"
- sizeof(TICKET),
- TICKET,
+ sizeof(TICKET),
+ TICKET,
#undef TICKET
- },
- {
+ },
+ {
#define TICKET "This is ticket 2"
- sizeof(TICKET),
- TICKET,
+ sizeof(TICKET),
+ TICKET,
#undef TICKET
- },
+ },
};
void init_test_cred()
{
- test_creds.client = (krb5_principal) malloc(sizeof(krb5_data *)*3);
- test_creds.client[0] = &client1;
- test_creds.client[1] = &client2;
- test_creds.client[2] = NULL;
-
- test_creds.server = (krb5_principal) malloc(sizeof(krb5_data *)*3);
- test_creds.server[0] = &server1;
- test_creds.server[1] = &server2;
- test_creds.server[2] = NULL;
+ test_creds.client = (krb5_principal) malloc(sizeof(krb5_data *)*3);
+ test_creds.client[0] = &client1;
+ test_creds.client[1] = &client2;
+ test_creds.client[2] = NULL;
+
+ test_creds.server = (krb5_principal) malloc(sizeof(krb5_data *)*3);
+ test_creds.server[0] = &server1;
+ test_creds.server[1] = &server2;
+ test_creds.server[2] = NULL;
}
-#define CHECK(kret,msg) \
- if (kret != KRB5_OK) {\
- com_err(msg, kret, "");\
- } else printf("%s went ok\n", msg);
-
+#define CHECK(kret,msg) \
+ if (kret != KRB5_OK) { \
+ com_err(msg, kret, ""); \
+ } else printf("%s went ok\n", msg);
+
int flags = 0;
void scc_test()
{
- krb5_ccache id;
- krb5_creds creds;
- krb5_error_code kret;
- krb5_cc_cursor cursor;
-
- init_test_cred();
-
- kret = krb5_scc_resolve(context, &id, "/tmp/tkt_test");
- CHECK(kret, "resolve");
- kret = krb5_scc_initialize(context, id, test_creds.client);
- CHECK(kret, "initialize");
- kret = krb5_scc_store(id, &test_creds);
- CHECK(kret, "store");
-
- kret = krb5_scc_set_flags (id, flags);
- CHECK(kret, "set_flags");
- kret = krb5_scc_start_seq_get(id, &cursor);
- CHECK(kret, "start_seq_get");
- kret = 0;
- while (kret != KRB5_CC_END) {
- printf("Calling next_cred\n");
- kret = krb5_scc_next_cred(id, &cursor, &creds);
- CHECK(kret, "next_cred");
- }
- kret = krb5_scc_end_seq_get(id, &cursor);
- CHECK(kret, "end_seq_get");
-
- kret = krb5_scc_close(id);
- CHECK(kret, "close");
-
-
- kret = krb5_scc_resolve(&id, "/tmp/tkt_test");
- CHECK(kret, "resolve");
- kret = krb5_scc_destroy(id);
- CHECK(kret, "destroy");
+ krb5_ccache id;
+ krb5_creds creds;
+ krb5_error_code kret;
+ krb5_cc_cursor cursor;
+
+ init_test_cred();
+
+ kret = krb5_scc_resolve(context, &id, "/tmp/tkt_test");
+ CHECK(kret, "resolve");
+ kret = krb5_scc_initialize(context, id, test_creds.client);
+ CHECK(kret, "initialize");
+ kret = krb5_scc_store(id, &test_creds);
+ CHECK(kret, "store");
+
+ kret = krb5_scc_set_flags (id, flags);
+ CHECK(kret, "set_flags");
+ kret = krb5_scc_start_seq_get(id, &cursor);
+ CHECK(kret, "start_seq_get");
+ kret = 0;
+ while (kret != KRB5_CC_END) {
+ printf("Calling next_cred\n");
+ kret = krb5_scc_next_cred(id, &cursor, &creds);
+ CHECK(kret, "next_cred");
+ }
+ kret = krb5_scc_end_seq_get(id, &cursor);
+ CHECK(kret, "end_seq_get");
+
+ kret = krb5_scc_close(id);
+ CHECK(kret, "close");
+
+
+ kret = krb5_scc_resolve(&id, "/tmp/tkt_test");
+ CHECK(kret, "resolve");
+ kret = krb5_scc_destroy(id);
+ CHECK(kret, "destroy");
}
int remove (s) char*s; { return unlink(s); }
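Review bot: `scc_test` calls `krb5_scc_resolve` with two different argument lists, `(context, &id, "/tmp/tkt_test")` before the store and `(&id, "/tmp/tkt_test")` before the destroy, and the store, set_flags, cursor, close and destroy calls omit `context` while resolve and initialize pass it. At most one form can match each prototype (none are visible here), so the test probably no longer builds or relies on unprototyped calls; assuming the context-taking form is current, the second resolve should read `kret = krb5_scc_resolve(context, &id, "/tmp/tkt_test");`. The cache name is also a fixed path under /tmp, which on a shared host is better replaced by a name inside a private test directory.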
diff --git a/src/lib/krb5/error_tables/init_ets.c b/src/lib/krb5/error_tables/init_ets.c
index 56a750e751..f682c8512d 100644
--- a/src/lib/krb5/error_tables/init_ets.c
+++ b/src/lib/krb5/error_tables/init_ets.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/error_tables/init_ets.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* Initialize Kerberos library error tables.
*/
@@ -35,12 +36,12 @@ krb5_init_ets (krb5_context context)
static int inited = 0;
if (inited == 0) {
- initialize_krb5_error_table();
- initialize_kv5m_error_table();
- initialize_kdb5_error_table();
- initialize_asn1_error_table();
- initialize_k524_error_table();
- inited++;
+ initialize_krb5_error_table();
+ initialize_kv5m_error_table();
+ initialize_kdb5_error_table();
+ initialize_asn1_error_table();
+ initialize_k524_error_table();
+ inited++;
}
}
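Review bot: `krb5_init_ets` tests and increments the function-static `inited` with no lock or once-guard, so two threads making their first call together can both run the five `initialize_*_error_table()` calls. Whether those initializers tolerate running twice is not visible here; if they do not, the block needs a one-time-initialisation guard, and otherwise the assumption should be recorded in a comment such as `/* Callers must serialize the first call; inited is not protected. */`. The function's signature lies above the hunk.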
diff --git a/src/lib/krb5/keytab/kt-int.h b/src/lib/krb5/keytab/kt-int.h
index e62b2d3f1b..383d346f75 100644
--- a/src/lib/krb5/keytab/kt-int.h
+++ b/src/lib/krb5/keytab/kt-int.h
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/keytab/kt-int.h
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* This file contains constant and function declarations used in the
* file-based credential cache routines.
diff --git a/src/lib/krb5/keytab/kt_file.c b/src/lib/krb5/keytab/kt_file.c
index 4c90b8b47d..c27829ca0c 100644
--- a/src/lib/krb5/keytab/kt_file.c
+++ b/src/lib/krb5/keytab/kt_file.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/keytab/kt_file.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*/
#ifndef LEAN_CLIENT
@@ -40,22 +41,22 @@
* Constants
*/
-#define KRB5_KT_VNO_1 0x0501 /* krb v5, keytab version 1 (DCE compat) */
-#define KRB5_KT_VNO 0x0502 /* krb v5, keytab version 2 (standard) */
+#define KRB5_KT_VNO_1 0x0501 /* krb v5, keytab version 1 (DCE compat) */
+#define KRB5_KT_VNO 0x0502 /* krb v5, keytab version 2 (standard) */
#define KRB5_KT_DEFAULT_VNO KRB5_KT_VNO
-/*
+/*
* Types
*/
typedef struct _krb5_ktfile_data {
- char *name; /* Name of the file */
- FILE *openf; /* open file, if any. */
- char iobuf[BUFSIZ]; /* so we can zap it later */
- int version; /* Version number of keytab */
- unsigned int iter_count; /* Number of active iterators */
- long start_offset; /* Starting offset after version */
- k5_mutex_t lock; /* Protect openf, version */
+ char *name; /* Name of the file */
+ FILE *openf; /* open file, if any. */
+ char iobuf[BUFSIZ]; /* so we can zap it later */
+ int version; /* Version number of keytab */
+ unsigned int iter_count; /* Number of active iterators */
+ long start_offset; /* Starting offset after version */
+ k5_mutex_t lock; /* Protect openf, version */
} krb5_ktfile_data;
/*
@@ -93,114 +94,114 @@ typedef struct _krb5_ktfile_data {
extern const struct _krb5_kt_ops krb5_ktf_ops;
extern const struct _krb5_kt_ops krb5_ktf_writable_ops;
-static krb5_error_code KRB5_CALLCONV krb5_ktfile_resolve
- (krb5_context,
- const char *,
- krb5_keytab *);
-
-static krb5_error_code KRB5_CALLCONV krb5_ktfile_wresolve
- (krb5_context,
- const char *,
- krb5_keytab *);
-
-static krb5_error_code KRB5_CALLCONV krb5_ktfile_get_name
- (krb5_context,
- krb5_keytab,
- char *,
- unsigned int);
-
-static krb5_error_code KRB5_CALLCONV krb5_ktfile_close
- (krb5_context,
- krb5_keytab);
-
-static krb5_error_code KRB5_CALLCONV krb5_ktfile_get_entry
- (krb5_context,
- krb5_keytab,
- krb5_const_principal,
- krb5_kvno,
- krb5_enctype,
- krb5_keytab_entry *);
-
-static krb5_error_code KRB5_CALLCONV krb5_ktfile_start_seq_get
- (krb5_context,
- krb5_keytab,
- krb5_kt_cursor *);
-
-static krb5_error_code KRB5_CALLCONV krb5_ktfile_get_next
- (krb5_context,
- krb5_keytab,
- krb5_keytab_entry *,
- krb5_kt_cursor *);
-
-static krb5_error_code KRB5_CALLCONV krb5_ktfile_end_get
- (krb5_context,
- krb5_keytab,
- krb5_kt_cursor *);
+static krb5_error_code KRB5_CALLCONV krb5_ktfile_resolve
+(krb5_context,
+ const char *,
+ krb5_keytab *);
+
+static krb5_error_code KRB5_CALLCONV krb5_ktfile_wresolve
+(krb5_context,
+ const char *,
+ krb5_keytab *);
+
+static krb5_error_code KRB5_CALLCONV krb5_ktfile_get_name
+(krb5_context,
+ krb5_keytab,
+ char *,
+ unsigned int);
+
+static krb5_error_code KRB5_CALLCONV krb5_ktfile_close
+(krb5_context,
+ krb5_keytab);
+
+static krb5_error_code KRB5_CALLCONV krb5_ktfile_get_entry
+(krb5_context,
+ krb5_keytab,
+ krb5_const_principal,
+ krb5_kvno,
+ krb5_enctype,
+ krb5_keytab_entry *);
+
+static krb5_error_code KRB5_CALLCONV krb5_ktfile_start_seq_get
+(krb5_context,
+ krb5_keytab,
+ krb5_kt_cursor *);
+
+static krb5_error_code KRB5_CALLCONV krb5_ktfile_get_next
+(krb5_context,
+ krb5_keytab,
+ krb5_keytab_entry *,
+ krb5_kt_cursor *);
+
+static krb5_error_code KRB5_CALLCONV krb5_ktfile_end_get
+(krb5_context,
+ krb5_keytab,
+ krb5_kt_cursor *);
/* routines to be included on extended version (write routines) */
-static krb5_error_code KRB5_CALLCONV krb5_ktfile_add
- (krb5_context,
- krb5_keytab,
- krb5_keytab_entry *);
-
-static krb5_error_code KRB5_CALLCONV krb5_ktfile_remove
- (krb5_context,
- krb5_keytab,
- krb5_keytab_entry *);
-
-static krb5_error_code krb5_ktfileint_openr
- (krb5_context,
- krb5_keytab);
-
-static krb5_error_code krb5_ktfileint_openw
- (krb5_context,
- krb5_keytab);
-
-static krb5_error_code krb5_ktfileint_close
- (krb5_context,
- krb5_keytab);
-
-static krb5_error_code krb5_ktfileint_read_entry
- (krb5_context,
- krb5_keytab,
- krb5_keytab_entry *);
-
-static krb5_error_code krb5_ktfileint_write_entry
- (krb5_context,
- krb5_keytab,
- krb5_keytab_entry *);
-
-static krb5_error_code krb5_ktfileint_delete_entry
- (krb5_context,
- krb5_keytab,
- krb5_int32);
-
-static krb5_error_code krb5_ktfileint_internal_read_entry
- (krb5_context,
- krb5_keytab,
- krb5_keytab_entry *,
- krb5_int32 *);
-
-static krb5_error_code krb5_ktfileint_size_entry
- (krb5_context,
- krb5_keytab_entry *,
- krb5_int32 *);
-
-static krb5_error_code krb5_ktfileint_find_slot
- (krb5_context,
- krb5_keytab,
- krb5_int32 *,
- krb5_int32 *);
+static krb5_error_code KRB5_CALLCONV krb5_ktfile_add
+(krb5_context,
+ krb5_keytab,
+ krb5_keytab_entry *);
+
+static krb5_error_code KRB5_CALLCONV krb5_ktfile_remove
+(krb5_context,
+ krb5_keytab,
+ krb5_keytab_entry *);
+
+static krb5_error_code krb5_ktfileint_openr
+(krb5_context,
+ krb5_keytab);
+
+static krb5_error_code krb5_ktfileint_openw
+(krb5_context,
+ krb5_keytab);
+
+static krb5_error_code krb5_ktfileint_close
+(krb5_context,
+ krb5_keytab);
+
+static krb5_error_code krb5_ktfileint_read_entry
+(krb5_context,
+ krb5_keytab,
+ krb5_keytab_entry *);
+
+static krb5_error_code krb5_ktfileint_write_entry
+(krb5_context,
+ krb5_keytab,
+ krb5_keytab_entry *);
+
+static krb5_error_code krb5_ktfileint_delete_entry
+(krb5_context,
+ krb5_keytab,
+ krb5_int32);
+
+static krb5_error_code krb5_ktfileint_internal_read_entry
+(krb5_context,
+ krb5_keytab,
+ krb5_keytab_entry *,
+ krb5_int32 *);
+
+static krb5_error_code krb5_ktfileint_size_entry
+(krb5_context,
+ krb5_keytab_entry *,
+ krb5_int32 *);
+
+static krb5_error_code krb5_ktfileint_find_slot
+(krb5_context,
+ krb5_keytab,
+ krb5_int32 *,
+ krb5_int32 *);
/*
- * This is an implementation specific resolver. It returns a keytab id
+ * This is an implementation specific resolver. It returns a keytab id
* initialized with file keytab routines.
*/
static krb5_error_code
ktfile_common_resolve(krb5_context context, const char *name,
- krb5_keytab *idptr, const struct _krb5_kt_ops *ops)
+ krb5_keytab *idptr, const struct _krb5_kt_ops *ops)
{
krb5_ktfile_data *data = NULL;
krb5_error_code err = ENOMEM;
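Review bot: After the re-indent, each forward declaration's parameter list opens on its own line at column 0 (`static krb5_error_code KRB5_CALLCONV krb5_ktfile_close` followed by `(krb5_context,`), which detaches the list from the function name and makes the prototypes hard to find with a search for `name(`. Joining the list to the name, for example `static krb5_error_code KRB5_CALLCONV krb5_ktfile_close(krb5_context context, krb5_keytab id);`, keeps each declaration in one piece and carries the parameter names the definitions already use. This applies to every prototype in the hunk; `ktfile_common_resolve`, whose opening lines close the hunk, continues outside it.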
@@ -210,20 +211,20 @@ ktfile_common_resolve(krb5_context context, const char *name,
id = calloc(1, sizeof(*id));
if (id == NULL)
- return ENOMEM;
-
+ return ENOMEM;
+
id->ops = ops;
data = calloc(1, sizeof(krb5_ktfile_data));
if (data == NULL)
- goto cleanup;
+ goto cleanup;
data->name = strdup(name);
if (data->name == NULL)
- goto cleanup;
+ goto cleanup;
err = k5_mutex_init(&data->lock);
if (err)
- goto cleanup;
+ goto cleanup;
data->openf = 0;
data->version = 0;
@@ -235,13 +236,13 @@ ktfile_common_resolve(krb5_context context, const char *name,
return 0;
cleanup:
if (data)
- free(data->name);
+ free(data->name);
free(data);
free(id);
return err;
}
-static krb5_error_code KRB5_CALLCONV
+static krb5_error_code KRB5_CALLCONV
krb5_ktfile_resolve(krb5_context context, const char *name, krb5_keytab *id)
{
return ktfile_common_resolve(context, name, id, &krb5_ktf_writable_ops);
@@ -253,15 +254,15 @@ krb5_ktfile_resolve(krb5_context context, const char *name, krb5_keytab *id)
* free memory hidden in the structures.
*/
-static krb5_error_code KRB5_CALLCONV
+static krb5_error_code KRB5_CALLCONV
krb5_ktfile_close(krb5_context context, krb5_keytab id)
- /*
- * This routine is responsible for freeing all memory allocated
- * for this keytab. There are no system resources that need
- * to be freed nor are there any open files.
- *
- * This routine should undo anything done by krb5_ktfile_resolve().
- */
+/*
+ * This routine is responsible for freeing all memory allocated
+ * for this keytab. There are no system resources that need
+ * to be freed nor are there any open files.
+ *
+ * This routine should undo anything done by krb5_ktfile_resolve().
+ */
{
free(KTFILENAME(id));
zap(KTFILEBUFP(id), BUFSIZ);
@@ -280,8 +281,8 @@ krb5_ktfile_close(krb5_context context, krb5_keytab id)
static krb5_error_code KRB5_CALLCONV
krb5_ktfile_get_entry(krb5_context context, krb5_keytab id,
- krb5_const_principal principal, krb5_kvno kvno,
- krb5_enctype enctype, krb5_keytab_entry *entry)
+ krb5_const_principal principal, krb5_kvno kvno,
+ krb5_enctype enctype, krb5_keytab_entry *entry)
{
krb5_keytab_entry cur_entry, new_entry;
krb5_error_code kerror = 0;
@@ -292,27 +293,27 @@ krb5_ktfile_get_entry(krb5_context context, krb5_keytab id,
kerror = KTLOCK(id);
if (kerror)
- return kerror;
+ return kerror;
if (KTFILEP(id) != NULL) {
- was_open = 1;
+ was_open = 1;
- if (fseek(KTFILEP(id), KTSTARTOFF(id), SEEK_SET) == -1) {
- KTUNLOCK(id);
- return errno;
- }
+ if (fseek(KTFILEP(id), KTSTARTOFF(id), SEEK_SET) == -1) {
+ KTUNLOCK(id);
+ return errno;
+ }
} else {
- was_open = 0;
+ was_open = 0;
- /* Open the keyfile for reading */
- if ((kerror = krb5_ktfileint_openr(context, id))) {
- KTUNLOCK(id);
- return(kerror);
- }
+ /* Open the keyfile for reading */
+ if ((kerror = krb5_ktfileint_openr(context, id))) {
+ KTUNLOCK(id);
+ return(kerror);
+ }
}
-
- /*
- * For efficiency and simplicity, we'll use a while true that
+
+ /*
+ * For efficiency and simplicity, we'll use a while true that
* is exited with a break statement.
*/
cur_entry.principal = 0;
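Review bot: On the `fseek` failure path `KTUNLOCK(id)` runs before `return errno;`, so the value returned is whatever `errno` holds after the unlock rather than what `fseek` set. Capturing it first, `kerror = errno; KTUNLOCK(id); return kerror;`, removes the dependency on the unlock macro leaving `errno` alone (its definition is not in this hunk). `krb5_ktfile_get_entry` begins above the hunk and continues below it.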
@@ -320,111 +321,111 @@ krb5_ktfile_get_entry(krb5_context context, krb5_keytab id,
cur_entry.key.contents = 0;
while (TRUE) {
- if ((kerror = krb5_ktfileint_read_entry(context, id, &new_entry)))
- break;
-
- /* by the time this loop exits, it must either free cur_entry,
- and copy new_entry there, or free new_entry. Otherwise, it
- leaks. */
-
- /* if the principal isn't the one requested, free new_entry
- and continue to the next. */
-
- if (!krb5_principal_compare(context, principal, new_entry.principal)) {
- krb5_kt_free_entry(context, &new_entry);
- continue;
- }
-
- /* if the enctype is not ignored and doesn't match, free new_entry
- and continue to the next */
-
- if (enctype != IGNORE_ENCTYPE) {
- if ((kerror = krb5_c_enctype_compare(context, enctype,
- new_entry.key.enctype,
- &similar))) {
- krb5_kt_free_entry(context, &new_entry);
- break;
- }
-
- if (!similar) {
- krb5_kt_free_entry(context, &new_entry);
- continue;
- }
- /*
- * Coerce the enctype of the output keyblock in case we
- * got an inexact match on the enctype.
- */
- new_entry.key.enctype = enctype;
-
- }
-
- if (kvno == IGNORE_VNO) {
- /* if this is the first match, or if the new vno is
- bigger, free the current and keep the new. Otherwise,
- free the new. */
- /* A 1.2.x keytab contains only the low 8 bits of the key
- version number. Since it can be much bigger, and thus
- the 8-bit value can wrap, we need some heuristics to
- figure out the "highest" numbered key if some numbers
- close to 255 and some near 0 are used.
-
- The heuristic here:
-
- If we have any keys with versions over 240, then assume
- that all version numbers 0-127 refer to 256+N instead.
- Not perfect, but maybe good enough? */
+ if ((kerror = krb5_ktfileint_read_entry(context, id, &new_entry)))
+ break;
+
+ /* by the time this loop exits, it must either free cur_entry,
+ and copy new_entry there, or free new_entry. Otherwise, it
+ leaks. */
+
+ /* if the principal isn't the one requested, free new_entry
+ and continue to the next. */
+
+ if (!krb5_principal_compare(context, principal, new_entry.principal)) {
+ krb5_kt_free_entry(context, &new_entry);
+ continue;
+ }
+
+ /* if the enctype is not ignored and doesn't match, free new_entry
+ and continue to the next */
+
+ if (enctype != IGNORE_ENCTYPE) {
+ if ((kerror = krb5_c_enctype_compare(context, enctype,
+ new_entry.key.enctype,
+ &similar))) {
+ krb5_kt_free_entry(context, &new_entry);
+ break;
+ }
+
+ if (!similar) {
+ krb5_kt_free_entry(context, &new_entry);
+ continue;
+ }
+ /*
+ * Coerce the enctype of the output keyblock in case we
+ * got an inexact match on the enctype.
+ */
+ new_entry.key.enctype = enctype;
+
+ }
+
+ if (kvno == IGNORE_VNO) {
+ /* if this is the first match, or if the new vno is
+ bigger, free the current and keep the new. Otherwise,
+ free the new. */
+ /* A 1.2.x keytab contains only the low 8 bits of the key
+ version number. Since it can be much bigger, and thus
+ the 8-bit value can wrap, we need some heuristics to
+ figure out the "highest" numbered key if some numbers
+ close to 255 and some near 0 are used.
+
+ The heuristic here:
+
+ If we have any keys with versions over 240, then assume
+ that all version numbers 0-127 refer to 256+N instead.
+ Not perfect, but maybe good enough? */
#define M(VNO) (((VNO) - kvno_offset + 256) % 256)
- if (new_entry.vno > 240)
- kvno_offset = 128;
- if (! cur_entry.principal ||
- M(new_entry.vno) > M(cur_entry.vno)) {
- krb5_kt_free_entry(context, &cur_entry);
- cur_entry = new_entry;
- } else {
- krb5_kt_free_entry(context, &new_entry);
- }
- } else {
- /* if this kvno matches, free the current (will there ever
- be one?), keep the new, and break out. Otherwise, remember
- that we were here so we can return the right error, and
- free the new */
- /* Yuck. The krb5-1.2.x keytab format only stores one byte
- for the kvno, so we're toast if the kvno requested is
- higher than that. Short-term workaround: only compare
- the low 8 bits. */
-
- if (new_entry.vno == (kvno & 0xff)) {
- krb5_kt_free_entry(context, &cur_entry);
- cur_entry = new_entry;
- break;
- } else {
- found_wrong_kvno++;
- krb5_kt_free_entry(context, &new_entry);
- }
- }
+ if (new_entry.vno > 240)
+ kvno_offset = 128;
+ if (! cur_entry.principal ||
+ M(new_entry.vno) > M(cur_entry.vno)) {
+ krb5_kt_free_entry(context, &cur_entry);
+ cur_entry = new_entry;
+ } else {
+ krb5_kt_free_entry(context, &new_entry);
+ }
+ } else {
+ /* if this kvno matches, free the current (will there ever
+ be one?), keep the new, and break out. Otherwise, remember
+ that we were here so we can return the right error, and
+ free the new */
+ /* Yuck. The krb5-1.2.x keytab format only stores one byte
+ for the kvno, so we're toast if the kvno requested is
+ higher than that. Short-term workaround: only compare
+ the low 8 bits. */
+
+ if (new_entry.vno == (kvno & 0xff)) {
+ krb5_kt_free_entry(context, &cur_entry);
+ cur_entry = new_entry;
+ break;
+ } else {
+ found_wrong_kvno++;
+ krb5_kt_free_entry(context, &new_entry);
+ }
+ }
}
if (kerror == KRB5_KT_END) {
- if (cur_entry.principal)
- kerror = 0;
- else if (found_wrong_kvno)
- kerror = KRB5_KT_KVNONOTFOUND;
- else
- kerror = KRB5_KT_NOTFOUND;
+ if (cur_entry.principal)
+ kerror = 0;
+ else if (found_wrong_kvno)
+ kerror = KRB5_KT_KVNONOTFOUND;
+ else
+ kerror = KRB5_KT_NOTFOUND;
}
if (kerror) {
- if (was_open == 0)
- (void) krb5_ktfileint_close(context, id);
- KTUNLOCK(id);
- krb5_kt_free_entry(context, &cur_entry);
- return kerror;
+ if (was_open == 0)
+ (void) krb5_ktfileint_close(context, id);
+ KTUNLOCK(id);
+ krb5_kt_free_entry(context, &cur_entry);
+ return kerror;
}
if (was_open == 0 && (kerror = krb5_ktfileint_close(context, id)) != 0) {
- KTUNLOCK(id);
- krb5_kt_free_entry(context, &cur_entry);
- return kerror;
+ KTUNLOCK(id);
+ krb5_kt_free_entry(context, &cur_entry);
+ return kerror;
}
KTUNLOCK(id);
*entry = cur_entry;
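Review bot: When a specific `kvno` is requested the match is `new_entry.vno == (kvno & 0xff)`, so version N and version N+256 of a principal's key are indistinguishable here, and if `new_entry.vno` can ever hold a value above 255 (the entry reader is outside this hunk) such an entry can never match. The in-line comment calls this a short-term workaround, but nothing tells the caller; the function's header comment should say so, e.g. `/* An explicit kvno is matched on its low 8 bits only (1.2.x keytab format). */`. The helper macro `M` is also left defined after the loop and depends on the local `kvno_offset`, so an `#undef M` after the `IGNORE_VNO` branch would keep it out of the rest of the file. `krb5_ktfile_get_entry` starts above this hunk and continues past its end.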
@@ -437,19 +438,19 @@ krb5_ktfile_get_entry(krb5_context context, krb5_keytab id,
static krb5_error_code KRB5_CALLCONV
krb5_ktfile_get_name(krb5_context context, krb5_keytab id, char *name, unsigned int len)
- /*
- * This routine returns the name of the name of the file associated with
- * this file-based keytab. name is zeroed and the filename is truncated
- * to fit in name if necessary. The name is prefixed with PREFIX:, so that
- * trt will happen if the name is passed back to resolve.
- */
+/*
+ * This routine returns the name of the name of the file associated with
+ * this file-based keytab. name is zeroed and the filename is truncated
+ * to fit in name if necessary. The name is prefixed with PREFIX:, so that
+ * trt will happen if the name is passed back to resolve.
+ */
{
int result;
memset(name, 0, len);
result = snprintf(name, len, "%s:%s", id->ops->prefix, KTFILENAME(id));
if (SNPRINTF_OVERFLOW(result, len))
- return(KRB5_KT_NAME_TOOLONG);
+ return(KRB5_KT_NAME_TOOLONG);
return(0);
}
@@ -465,31 +466,31 @@ krb5_ktfile_start_seq_get(krb5_context context, krb5_keytab id, krb5_kt_cursor *
retval = KTLOCK(id);
if (retval)
- return retval;
+ return retval;
if (KTITERS(id) == 0) {
- if ((retval = krb5_ktfileint_openr(context, id))) {
- KTUNLOCK(id);
- return retval;
- }
+ if ((retval = krb5_ktfileint_openr(context, id))) {
+ KTUNLOCK(id);
+ return retval;
+ }
}
if (!(fileoff = (long *)malloc(sizeof(*fileoff)))) {
- if (KTITERS(id) == 0)
- krb5_ktfileint_close(context, id);
- KTUNLOCK(id);
- return ENOMEM;
+ if (KTITERS(id) == 0)
+ krb5_ktfileint_close(context, id);
+ KTUNLOCK(id);
+ return ENOMEM;
}
*fileoff = KTSTARTOFF(id);
*cursorp = (krb5_kt_cursor)fileoff;
KTITERS(id)++;
if (KTITERS(id) == 0) {
- /* Wrapped?! */
- KTITERS(id)--;
- KTUNLOCK(id);
- krb5_set_error_message(context, KRB5_KT_IOERR,
- "Too many keytab iterators active");
- return KRB5_KT_IOERR; /* XXX */
+ /* Wrapped?! */
+ KTITERS(id)--;
+ KTUNLOCK(id);
+ krb5_set_error_message(context, KRB5_KT_IOERR,
+ "Too many keytab iterators active");
+ return KRB5_KT_IOERR; /* XXX */
}
KTUNLOCK(id);
@@ -500,7 +501,7 @@ krb5_ktfile_start_seq_get(krb5_context context, krb5_keytab id, krb5_kt_cursor *
* krb5_ktfile_get_next()
*/
-static krb5_error_code KRB5_CALLCONV
+static krb5_error_code KRB5_CALLCONV
krb5_ktfile_get_next(krb5_context context, krb5_keytab id, krb5_keytab_entry *entry, krb5_kt_cursor *cursor)
{
long *fileoff = (long *)*cursor;
@@ -509,18 +510,18 @@ krb5_ktfile_get_next(krb5_context context, krb5_keytab id, krb5_keytab_entry *en
kerror = KTLOCK(id);
if (kerror)
- return kerror;
+ return kerror;
if (KTFILEP(id) == NULL) {
- KTUNLOCK(id);
- return KRB5_KT_IOERR;
+ KTUNLOCK(id);
+ return KRB5_KT_IOERR;
}
if (fseek(KTFILEP(id), *fileoff, 0) == -1) {
- KTUNLOCK(id);
- return KRB5_KT_END;
+ KTUNLOCK(id);
+ return KRB5_KT_END;
}
if ((kerror = krb5_ktfileint_read_entry(context, id, &cur_entry))) {
- KTUNLOCK(id);
- return kerror;
+ KTUNLOCK(id);
+ return kerror;
}
*fileoff = ftell(KTFILEP(id));
*entry = cur_entry;
@@ -532,7 +533,7 @@ krb5_ktfile_get_next(krb5_context context, krb5_keytab id, krb5_keytab_entry *en
* krb5_ktfile_end_get()
*/
-static krb5_error_code KRB5_CALLCONV
+static krb5_error_code KRB5_CALLCONV
krb5_ktfile_end_get(krb5_context context, krb5_keytab id, krb5_kt_cursor *cursor)
{
krb5_error_code kerror;
@@ -540,12 +541,12 @@ krb5_ktfile_end_get(krb5_context context, krb5_keytab id, krb5_kt_cursor *cursor
free(*cursor);
kerror = KTLOCK(id);
if (kerror)
- return kerror;
+ return kerror;
KTITERS(id)--;
if (KTFILEP(id) != NULL && KTITERS(id) == 0)
- kerror = krb5_ktfileint_close(context, id);
+ kerror = krb5_ktfileint_close(context, id);
else
- kerror = 0;
+ kerror = 0;
KTUNLOCK(id);
return kerror;
}
@@ -558,183 +559,183 @@ static const char ktfile_def_name[] = ".";
/*
* Routines to deal with externalizing krb5_keytab for [WR]FILE: variants.
- * krb5_ktf_keytab_size();
- * krb5_ktf_keytab_externalize();
- * krb5_ktf_keytab_internalize();
+ * krb5_ktf_keytab_size();
+ * krb5_ktf_keytab_externalize();
+ * krb5_ktf_keytab_internalize();
*/
static krb5_error_code krb5_ktf_keytab_size
- (krb5_context, krb5_pointer, size_t *);
+(krb5_context, krb5_pointer, size_t *);
static krb5_error_code krb5_ktf_keytab_externalize
- (krb5_context, krb5_pointer, krb5_octet **, size_t *);
+(krb5_context, krb5_pointer, krb5_octet **, size_t *);
static krb5_error_code krb5_ktf_keytab_internalize
- (krb5_context,krb5_pointer *, krb5_octet **, size_t *);
+(krb5_context,krb5_pointer *, krb5_octet **, size_t *);
/*
* Serialization entry for this type.
*/
const krb5_ser_entry krb5_ktfile_ser_entry = {
- KV5M_KEYTAB, /* Type */
- krb5_ktf_keytab_size, /* Sizer routine */
- krb5_ktf_keytab_externalize, /* Externalize routine */
- krb5_ktf_keytab_internalize /* Internalize routine */
+ KV5M_KEYTAB, /* Type */
+ krb5_ktf_keytab_size, /* Sizer routine */
+ krb5_ktf_keytab_externalize, /* Externalize routine */
+ krb5_ktf_keytab_internalize /* Internalize routine */
};
/*
- * krb5_ktf_keytab_size() - Determine the size required to externalize
- * this krb5_keytab variant.
+ * krb5_ktf_keytab_size() - Determine the size required to externalize
+ * this krb5_keytab variant.
*/
static krb5_error_code
krb5_ktf_keytab_size(krb5_context kcontext, krb5_pointer arg, size_t *sizep)
{
- krb5_error_code kret;
- krb5_keytab keytab;
- size_t required;
- krb5_ktfile_data *ktdata;
+ krb5_error_code kret;
+ krb5_keytab keytab;
+ size_t required;
+ krb5_ktfile_data *ktdata;
kret = EINVAL;
if ((keytab = (krb5_keytab) arg)) {
- /*
- * Saving FILE: variants of krb5_keytab requires at minimum:
- * krb5_int32 for KV5M_KEYTAB
- * krb5_int32 for length of keytab name.
- * krb5_int32 for file status.
- * krb5_int32 for file position.
- * krb5_int32 for file position.
- * krb5_int32 for version.
- * krb5_int32 for KV5M_KEYTAB
- */
- required = sizeof(krb5_int32) * 7;
- if (keytab->ops && keytab->ops->prefix)
- required += (strlen(keytab->ops->prefix)+1);
-
- /*
- * The keytab name is formed as follows:
- * <prefix>:<name>
- * If there's no name, we use a default name so that we have something
- * to call krb5_keytab_resolve with.
- */
- ktdata = (krb5_ktfile_data *) keytab->data;
- required += strlen((ktdata && ktdata->name) ?
- ktdata->name : ktfile_def_name);
- kret = 0;
-
- if (!kret)
- *sizep += required;
+ /*
+ * Saving FILE: variants of krb5_keytab requires at minimum:
+ * krb5_int32 for KV5M_KEYTAB
+ * krb5_int32 for length of keytab name.
+ * krb5_int32 for file status.
+ * krb5_int32 for file position.
+ * krb5_int32 for file position.
+ * krb5_int32 for version.
+ * krb5_int32 for KV5M_KEYTAB
+ */
+ required = sizeof(krb5_int32) * 7;
+ if (keytab->ops && keytab->ops->prefix)
+ required += (strlen(keytab->ops->prefix)+1);
+
+ /*
+ * The keytab name is formed as follows:
+ * <prefix>:<name>
+ * If there's no name, we use a default name so that we have something
+ * to call krb5_keytab_resolve with.
+ */
+ ktdata = (krb5_ktfile_data *) keytab->data;
+ required += strlen((ktdata && ktdata->name) ?
+ ktdata->name : ktfile_def_name);
+ kret = 0;
+
+ if (!kret)
+ *sizep += required;
}
return(kret);
}
/*
- * krb5_ktf_keytab_externalize() - Externalize the krb5_keytab.
+ * krb5_ktf_keytab_externalize() - Externalize the krb5_keytab.
*/
static krb5_error_code
krb5_ktf_keytab_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet **buffer, size_t *lenremain)
{
- krb5_error_code kret;
- krb5_keytab keytab;
- size_t required;
- krb5_octet *bp;
- size_t remain;
- krb5_ktfile_data *ktdata;
- krb5_int32 file_is_open;
- krb5_int64 file_pos;
- char *ktname;
- const char *fnamep;
+ krb5_error_code kret;
+ krb5_keytab keytab;
+ size_t required;
+ krb5_octet *bp;
+ size_t remain;
+ krb5_ktfile_data *ktdata;
+ krb5_int32 file_is_open;
+ krb5_int64 file_pos;
+ char *ktname;
+ const char *fnamep;
required = 0;
bp = *buffer;
remain = *lenremain;
kret = EINVAL;
if ((keytab = (krb5_keytab) arg)) {
- kret = ENOMEM;
- if (!krb5_ktf_keytab_size(kcontext, arg, &required) &&
- (required <= remain)) {
- /* Our identifier */
- (void) krb5_ser_pack_int32(KV5M_KEYTAB, &bp, &remain);
-
- ktdata = (krb5_ktfile_data *) keytab->data;
- file_is_open = 0;
- file_pos = 0;
-
- /* Calculate the length of the name */
- if (ktdata && ktdata->name)
- fnamep = ktdata->name;
- else
- fnamep = ktfile_def_name;
-
- if (keytab->ops && keytab->ops->prefix) {
- if (asprintf(&ktname, "%s:%s", keytab->ops->prefix, fnamep) < 0)
- ktname = NULL;
- } else
- ktname = strdup(fnamep);
-
- if (ktname) {
- /* Fill in the file-specific keytab information. */
- if (ktdata) {
- if (ktdata->openf) {
- long fpos;
- int fflags = 0;
-
- file_is_open = 1;
+ kret = ENOMEM;
+ if (!krb5_ktf_keytab_size(kcontext, arg, &required) &&
+ (required <= remain)) {
+ /* Our identifier */
+ (void) krb5_ser_pack_int32(KV5M_KEYTAB, &bp, &remain);
+
+ ktdata = (krb5_ktfile_data *) keytab->data;
+ file_is_open = 0;
+ file_pos = 0;
+
+ /* Calculate the length of the name */
+ if (ktdata && ktdata->name)
+ fnamep = ktdata->name;
+ else
+ fnamep = ktfile_def_name;
+
+ if (keytab->ops && keytab->ops->prefix) {
+ if (asprintf(&ktname, "%s:%s", keytab->ops->prefix, fnamep) < 0)
+ ktname = NULL;
+ } else
+ ktname = strdup(fnamep);
+
+ if (ktname) {
+ /* Fill in the file-specific keytab information. */
+ if (ktdata) {
+ if (ktdata->openf) {
+ long fpos;
+ int fflags = 0;
+
+ file_is_open = 1;
#if !defined(_WIN32)
- fflags = fcntl(fileno(ktdata->openf), F_GETFL, 0);
- if (fflags > 0)
- file_is_open |= ((fflags & O_ACCMODE) << 1);
+ fflags = fcntl(fileno(ktdata->openf), F_GETFL, 0);
+ if (fflags > 0)
+ file_is_open |= ((fflags & O_ACCMODE) << 1);
#else
- file_is_open = 0;
+ file_is_open = 0;
#endif
- fpos = ftell(ktdata->openf);
- file_pos = fpos; /* XX range check? */
- }
- }
-
- /* Put the length of the file name */
- (void) krb5_ser_pack_int32((krb5_int32) strlen(ktname),
- &bp, &remain);
-
- /* Put the name */
- (void) krb5_ser_pack_bytes((krb5_octet *) ktname,
- strlen(ktname),
- &bp, &remain);
-
- /* Put the file open flag */
- (void) krb5_ser_pack_int32(file_is_open, &bp, &remain);
-
- /* Put the file position */
- (void) krb5_ser_pack_int64(file_pos, &bp, &remain);
-
- /* Put the version */
- (void) krb5_ser_pack_int32((krb5_int32) ((ktdata) ?
- ktdata->version : 0),
- &bp, &remain);
-
- /* Put the trailer */
- (void) krb5_ser_pack_int32(KV5M_KEYTAB, &bp, &remain);
- kret = 0;
- *buffer = bp;
- *lenremain = remain;
- free(ktname);
- }
- }
+ fpos = ftell(ktdata->openf);
+ file_pos = fpos; /* XX range check? */
+ }
+ }
+
+ /* Put the length of the file name */
+ (void) krb5_ser_pack_int32((krb5_int32) strlen(ktname),
+ &bp, &remain);
+
+ /* Put the name */
+ (void) krb5_ser_pack_bytes((krb5_octet *) ktname,
+ strlen(ktname),
+ &bp, &remain);
+
+ /* Put the file open flag */
+ (void) krb5_ser_pack_int32(file_is_open, &bp, &remain);
+
+ /* Put the file position */
+ (void) krb5_ser_pack_int64(file_pos, &bp, &remain);
+
+ /* Put the version */
+ (void) krb5_ser_pack_int32((krb5_int32) ((ktdata) ?
+ ktdata->version : 0),
+ &bp, &remain);
+
+ /* Put the trailer */
+ (void) krb5_ser_pack_int32(KV5M_KEYTAB, &bp, &remain);
+ kret = 0;
+ *buffer = bp;
+ *lenremain = remain;
+ free(ktname);
+ }
+ }
}
return(kret);
}
/*
- * krb5_ktf_keytab_internalize() - Internalize the krb5_ktf_keytab.
+ * krb5_ktf_keytab_internalize() - Internalize the krb5_ktf_keytab.
*/
static krb5_error_code
krb5_ktf_keytab_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet **buffer, size_t *lenremain)
{
- krb5_error_code kret;
- krb5_keytab keytab = NULL;
- krb5_int32 ibuf;
- krb5_octet *bp;
- size_t remain;
- char *ktname = NULL;
- krb5_ktfile_data *ktdata;
- krb5_int32 file_is_open;
- krb5_int64 foff;
+ krb5_error_code kret;
+ krb5_keytab keytab = NULL;
+ krb5_int32 ibuf;
+ krb5_octet *bp;
+ size_t remain;
+ char *ktname = NULL;
+ krb5_ktfile_data *ktdata;
+ krb5_int32 file_is_open;
+ krb5_int64 foff;
*argp = NULL;
bp = *buffer;
@@ -742,36 +743,36 @@ krb5_ktf_keytab_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octe
/* Read our magic number */
if (krb5_ser_unpack_int32(&ibuf, &bp, &remain) || ibuf != KV5M_KEYTAB)
- return EINVAL;
+ return EINVAL;
/* Read the keytab name */
kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
if (kret)
- return kret;
+ return kret;
ktname = malloc(ibuf + 1);
if (!ktname)
- return ENOMEM;
+ return ENOMEM;
kret = krb5_ser_unpack_bytes((krb5_octet *) ktname, (size_t) ibuf,
- &bp, &remain);
+ &bp, &remain);
if (kret)
- goto cleanup;
+ goto cleanup;
ktname[ibuf] = '\0';
/* Resolve the keytab. */
kret = krb5_kt_resolve(kcontext, ktname, &keytab);
if (kret)
- goto cleanup;
+ goto cleanup;
if (keytab->ops != &krb5_ktf_writable_ops
- && keytab->ops != &krb5_ktf_ops) {
- kret = EINVAL;
- goto cleanup;
+ && keytab->ops != &krb5_ktf_ops) {
+ kret = EINVAL;
+ goto cleanup;
}
ktdata = (krb5_ktfile_data *) keytab->data;
if (remain < (sizeof(krb5_int32)*5)) {
- kret = EINVAL;
- goto cleanup;
+ kret = EINVAL;
+ goto cleanup;
}
(void) krb5_ser_unpack_int32(&file_is_open, &bp, &remain);
(void) krb5_ser_unpack_int64(&foff, &bp, &remain);
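Review bot: The length read into `ibuf` is used in `malloc(ibuf + 1)` and as the copy size with no range check, so a negative or oversized value from the serialized buffer reaches the allocator and `krb5_ser_unpack_bytes` unvalidated. Rejecting it first with `if (ibuf < 0 || (size_t) ibuf > remain) return EINVAL;` bounds the allocation by the input actually present and avoids the signed overflow in `ibuf + 1`. Whether `krb5_ser_unpack_bytes` already refuses a size larger than `remain` is not visible here, so the check may be partly redundant, but it states the contract where the value is first used. The function starts and ends outside this hunk.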
@@ -779,30 +780,30 @@ krb5_ktf_keytab_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octe
ktdata->version = (int) ibuf;
(void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
if (ibuf != KV5M_KEYTAB) {
- kret = EINVAL;
- goto cleanup;
+ kret = EINVAL;
+ goto cleanup;
}
if (file_is_open) {
- int fmode;
- long fpos;
+ int fmode;
+ long fpos;
#if !defined(_WIN32)
- fmode = (file_is_open >> 1) & O_ACCMODE;
+ fmode = (file_is_open >> 1) & O_ACCMODE;
#else
- fmode = 0;
+ fmode = 0;
#endif
- if (fmode)
- kret = krb5_ktfileint_openw(kcontext, keytab);
- else
- kret = krb5_ktfileint_openr(kcontext, keytab);
- if (kret)
- goto cleanup;
- fpos = foff; /* XX range check? */
- if (fseek(KTFILEP(keytab), fpos, SEEK_SET) == -1) {
- kret = errno;
- goto cleanup;
- }
+ if (fmode)
+ kret = krb5_ktfileint_openw(kcontext, keytab);
+ else
+ kret = krb5_ktfileint_openr(kcontext, keytab);
+ if (kret)
+ goto cleanup;
+ fpos = foff; /* XX range check? */
+ if (fseek(KTFILEP(keytab), fpos, SEEK_SET) == -1) {
+ kret = errno;
+ goto cleanup;
+ }
}
*buffer = bp;
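Review bot: `fpos = foff;` narrows a `krb5_int64` taken from the serialized buffer into a `long` with no range check, as the existing `/* XX range check? */` comment admits. Where `long` is 32 bits the seek offset can be truncated, and a negative value goes straight to `fseek`. A guard before the assignment, `if (foff < 0 || foff > LONG_MAX) { kret = EINVAL; goto cleanup; }`, would close this; `LONG_MAX` needs `<limits.h>`, which may or may not already be included. The same buffer also decides, through `file_is_open`, whether the keytab it names is opened with `krb5_ktfileint_openw`, so the serialized form should only be accepted from a trusted source. The function body continues outside the hunk.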
@@ -810,13 +811,13 @@ krb5_ktf_keytab_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octe
*argp = (krb5_pointer) keytab;
cleanup:
if (kret != 0 && keytab)
- krb5_kt_close(kcontext, keytab);
+ krb5_kt_close(kcontext, keytab);
free(ktname);
return kret;
}
/*
- * This is an implementation specific resolver. It returns a keytab id
+ * This is an implementation specific resolver. It returns a keytab id
* initialized with file keytab routines.
*/
@@ -831,28 +832,28 @@ krb5_ktfile_wresolve(krb5_context context, const char *name, krb5_keytab *id)
* krb5_ktfile_add()
*/
-static krb5_error_code KRB5_CALLCONV
+static krb5_error_code KRB5_CALLCONV
krb5_ktfile_add(krb5_context context, krb5_keytab id, krb5_keytab_entry *entry)
{
krb5_error_code retval;
retval = KTLOCK(id);
if (retval)
- return retval;
+ return retval;
if (KTFILEP(id)) {
- /* Iterator(s) active -- no changes. */
- KTUNLOCK(id);
- krb5_set_error_message(context, KRB5_KT_IOERR,
- "Cannot change keytab with keytab iterators active");
- return KRB5_KT_IOERR; /* XXX */
+ /* Iterator(s) active -- no changes. */
+ KTUNLOCK(id);
+ krb5_set_error_message(context, KRB5_KT_IOERR,
+ "Cannot change keytab with keytab iterators active");
+ return KRB5_KT_IOERR; /* XXX */
}
if ((retval = krb5_ktfileint_openw(context, id))) {
- KTUNLOCK(id);
- return retval;
+ KTUNLOCK(id);
+ return retval;
}
if (fseek(KTFILEP(id), 0, 2) == -1) {
- KTUNLOCK(id);
- return KRB5_KT_END;
+ KTUNLOCK(id);
+ return KRB5_KT_END;
}
retval = krb5_ktfileint_write_entry(context, id, entry);
krb5_ktfileint_close(context, id);
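Review bot: The `fseek` failure branch returns `KRB5_KT_END` after `KTUNLOCK(id)` without closing the file that `krb5_ktfileint_openw` just opened, so `KTFILEP(id)` stays set. Every later `krb5_ktfile_add` or `krb5_ktfile_remove` on this keytab would then be refused by the `if (KTFILEP(id))` check with "Cannot change keytab with keytab iterators active", and the file lock taken at open is presumably still held. Adding `(void) krb5_ktfileint_close(context, id);` before `KTUNLOCK(id)` in that branch would match the error paths in `krb5_ktfile_remove`. The literal `2` would also read better as `SEEK_END`. The function continues past the end of the hunk.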
@@ -864,7 +865,7 @@ krb5_ktfile_add(krb5_context context, krb5_keytab id, krb5_keytab_entry *entry)
* krb5_ktfile_remove()
*/
-static krb5_error_code KRB5_CALLCONV
+static krb5_error_code KRB5_CALLCONV
krb5_ktfile_remove(krb5_context context, krb5_keytab id, krb5_keytab_entry *entry)
{
krb5_keytab_entry cur_entry;
@@ -873,53 +874,53 @@ krb5_ktfile_remove(krb5_context context, krb5_keytab id, krb5_keytab_entry *entr
kerror = KTLOCK(id);
if (kerror)
- return kerror;
+ return kerror;
if (KTFILEP(id)) {
- /* Iterator(s) active -- no changes. */
- KTUNLOCK(id);
- krb5_set_error_message(context, KRB5_KT_IOERR,
- "Cannot change keytab with keytab iterators active");
- return KRB5_KT_IOERR; /* XXX */
+ /* Iterator(s) active -- no changes. */
+ KTUNLOCK(id);
+ krb5_set_error_message(context, KRB5_KT_IOERR,
+ "Cannot change keytab with keytab iterators active");
+ return KRB5_KT_IOERR; /* XXX */
}
if ((kerror = krb5_ktfileint_openw(context, id))) {
- KTUNLOCK(id);
- return kerror;
+ KTUNLOCK(id);
+ return kerror;
}
- /*
- * For efficiency and simplicity, we'll use a while true that
+ /*
+ * For efficiency and simplicity, we'll use a while true that
* is exited with a break statement.
*/
while (TRUE) {
- if ((kerror = krb5_ktfileint_internal_read_entry(context, id,
- &cur_entry,
- &delete_point)))
- break;
+ if ((kerror = krb5_ktfileint_internal_read_entry(context, id,
+ &cur_entry,
+ &delete_point)))
+ break;
- if ((entry->vno == cur_entry.vno) &&
+ if ((entry->vno == cur_entry.vno) &&
(entry->key.enctype == cur_entry.key.enctype) &&
- krb5_principal_compare(context, entry->principal, cur_entry.principal)) {
- /* found a match */
+ krb5_principal_compare(context, entry->principal, cur_entry.principal)) {
+ /* found a match */
krb5_kt_free_entry(context, &cur_entry);
- break;
- }
- krb5_kt_free_entry(context, &cur_entry);
+ break;
+ }
+ krb5_kt_free_entry(context, &cur_entry);
}
if (kerror == KRB5_KT_END)
- kerror = KRB5_KT_NOTFOUND;
+ kerror = KRB5_KT_NOTFOUND;
if (kerror) {
- (void) krb5_ktfileint_close(context, id);
- KTUNLOCK(id);
- return kerror;
+ (void) krb5_ktfileint_close(context, id);
+ KTUNLOCK(id);
+ return kerror;
}
kerror = krb5_ktfileint_delete_entry(context, id, delete_point);
if (kerror) {
- (void) krb5_ktfileint_close(context, id);
+ (void) krb5_ktfileint_close(context, id);
} else {
kerror = krb5_ktfileint_close(context, id);
}
@@ -933,9 +934,9 @@ krb5_ktfile_remove(krb5_context context, krb5_keytab id, krb5_keytab_entry *entr
const struct _krb5_kt_ops krb5_ktf_ops = {
0,
- "FILE", /* Prefix -- this string should not appear anywhere else! */
+ "FILE", /* Prefix -- this string should not appear anywhere else! */
krb5_ktfile_resolve,
- krb5_ktfile_get_name,
+ krb5_ktfile_get_name,
krb5_ktfile_close,
krb5_ktfile_get_entry,
krb5_ktfile_start_seq_get,
@@ -952,9 +953,9 @@ const struct _krb5_kt_ops krb5_ktf_ops = {
const struct _krb5_kt_ops krb5_ktf_writable_ops = {
0,
- "WRFILE", /* Prefix -- this string should not appear anywhere else! */
+ "WRFILE", /* Prefix -- this string should not appear anywhere else! */
krb5_ktfile_wresolve,
- krb5_ktfile_get_name,
+ krb5_ktfile_get_name,
krb5_ktfile_close,
krb5_ktfile_get_entry,
krb5_ktfile_start_seq_get,
@@ -971,9 +972,9 @@ const struct _krb5_kt_ops krb5_ktf_writable_ops = {
const krb5_kt_ops krb5_kt_dfl_ops = {
0,
- "FILE", /* Prefix -- this string should not appear anywhere else! */
+ "FILE", /* Prefix -- this string should not appear anywhere else! */
krb5_ktfile_resolve,
- krb5_ktfile_get_name,
+ krb5_ktfile_get_name,
krb5_ktfile_close,
krb5_ktfile_get_entry,
krb5_ktfile_start_seq_get,
@@ -998,7 +999,7 @@ const krb5_kt_ops krb5_kt_dfl_ops = {
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -1012,16 +1013,16 @@ const krb5_kt_ops krb5_kt_dfl_ops = {
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
*
- * This function contains utilities for the file based implementation of
+ *
+ * This function contains utilities for the file based implementation of
* the keytab. There are no public functions in this file.
*
* This file is the only one that has knowledge of the format of a
* keytab file.
*
* The format is as follows:
- *
+ *
* <file format vno>
* <record length>
* principal timestamp vno key
@@ -1031,21 +1032,21 @@ const krb5_kt_ops krb5_kt_dfl_ops = {
*
* A length field (sizeof(krb5_int32)) exists between entries. When this
* length is positive it indicates an active entry, when negative a hole.
- * The length indicates the size of the block in the file (this may be
+ * The length indicates the size of the block in the file (this may be
* larger than the size of the next record, since we are using a first
* fit algorithm for re-using holes and the first fit may be larger than
* the entry we are writing). Another (compatible) implementation could
- * break up holes when allocating them to smaller entries to minimize
+ * break up holes when allocating them to smaller entries to minimize
* wasted space. (Such an implementation should also coalesce adjacent
* holes to reduce fragmentation). This implementation does neither.
*
- * There are no separators between fields of an entry.
+ * There are no separators between fields of an entry.
* A principal is a length-encoded array of length-encoded strings. The
- * length is a krb5_int16 in each case. The specific format, then, is
- * multiple entries concatinated with no separators. An entry has this
+ * length is a krb5_int16 in each case. The specific format, then, is
+ * multiple entries concatinated with no separators. An entry has this
* exact format:
*
- * sizeof(krb5_int16) bytes for number of components in the principal;
+ * sizeof(krb5_int16) bytes for number of components in the principal;
* then, each component listed in ordser.
* For each component, sizeof(krb5_int16) bytes for the number of bytes
* in the component, followed by the component.
@@ -1083,73 +1084,73 @@ krb5_ktfileint_open(krb5_context context, krb5_keytab id, int mode)
KTCHECKLOCK(id);
errno = 0;
KTFILEP(id) = fopen(KTFILENAME(id),
- (mode == KRB5_LOCKMODE_EXCLUSIVE) ?
- fopen_mode_rbplus : fopen_mode_rb);
+ (mode == KRB5_LOCKMODE_EXCLUSIVE) ?
+ fopen_mode_rbplus : fopen_mode_rb);
if (!KTFILEP(id)) {
- if ((mode == KRB5_LOCKMODE_EXCLUSIVE) && (errno == ENOENT)) {
- /* try making it first time around */
+ if ((mode == KRB5_LOCKMODE_EXCLUSIVE) && (errno == ENOENT)) {
+ /* try making it first time around */
krb5_create_secure_file(context, KTFILENAME(id));
- errno = 0;
- KTFILEP(id) = fopen(KTFILENAME(id), fopen_mode_rbplus);
- if (!KTFILEP(id))
- goto report_errno;
- writevno = 1;
- } else {
- report_errno:
- switch (errno) {
- case 0:
- /* XXX */
- return EMFILE;
- case ENOENT:
- krb5_set_error_message(context, ENOENT,
- "Key table file '%s' not found",
- KTFILENAME(id));
- return ENOENT;
- default:
- return errno;
- }
- }
+ errno = 0;
+ KTFILEP(id) = fopen(KTFILENAME(id), fopen_mode_rbplus);
+ if (!KTFILEP(id))
+ goto report_errno;
+ writevno = 1;
+ } else {
+ report_errno:
+ switch (errno) {
+ case 0:
+ /* XXX */
+ return EMFILE;
+ case ENOENT:
+ krb5_set_error_message(context, ENOENT,
+ "Key table file '%s' not found",
+ KTFILENAME(id));
+ return ENOENT;
+ default:
+ return errno;
+ }
+ }
}
set_cloexec_file(KTFILEP(id));
if ((kerror = krb5_lock_file(context, fileno(KTFILEP(id)), mode))) {
- (void) fclose(KTFILEP(id));
- KTFILEP(id) = 0;
- return kerror;
+ (void) fclose(KTFILEP(id));
+ KTFILEP(id) = 0;
+ return kerror;
}
/* assume ANSI or BSD-style stdio */
setbuf(KTFILEP(id), KTFILEBUFP(id));
/* get the vno and verify it */
if (writevno) {
- kt_vno = htons(krb5_kt_default_vno);
- KTVERSION(id) = krb5_kt_default_vno;
- if (!fwrite(&kt_vno, sizeof(kt_vno), 1, KTFILEP(id))) {
- kerror = errno;
- (void) krb5_unlock_file(context, fileno(KTFILEP(id)));
- (void) fclose(KTFILEP(id));
- KTFILEP(id) = 0;
- return kerror;
- }
+ kt_vno = htons(krb5_kt_default_vno);
+ KTVERSION(id) = krb5_kt_default_vno;
+ if (!fwrite(&kt_vno, sizeof(kt_vno), 1, KTFILEP(id))) {
+ kerror = errno;
+ (void) krb5_unlock_file(context, fileno(KTFILEP(id)));
+ (void) fclose(KTFILEP(id));
+ KTFILEP(id) = 0;
+ return kerror;
+ }
} else {
- /* gotta verify it instead... */
- if (!fread(&kt_vno, sizeof(kt_vno), 1, KTFILEP(id))) {
- if (feof(KTFILEP(id)))
- kerror = KRB5_KEYTAB_BADVNO;
- else
- kerror = errno;
- (void) krb5_unlock_file(context, fileno(KTFILEP(id)));
- (void) fclose(KTFILEP(id));
- KTFILEP(id) = 0;
- return kerror;
- }
- kt_vno = KTVERSION(id) = ntohs(kt_vno);
- if ((kt_vno != KRB5_KT_VNO) &&
- (kt_vno != KRB5_KT_VNO_1)) {
- (void) krb5_unlock_file(context, fileno(KTFILEP(id)));
- (void) fclose(KTFILEP(id));
- KTFILEP(id) = 0;
- return KRB5_KEYTAB_BADVNO;
- }
+ /* gotta verify it instead... */
+ if (!fread(&kt_vno, sizeof(kt_vno), 1, KTFILEP(id))) {
+ if (feof(KTFILEP(id)))
+ kerror = KRB5_KEYTAB_BADVNO;
+ else
+ kerror = errno;
+ (void) krb5_unlock_file(context, fileno(KTFILEP(id)));
+ (void) fclose(KTFILEP(id));
+ KTFILEP(id) = 0;
+ return kerror;
+ }
+ kt_vno = KTVERSION(id) = ntohs(kt_vno);
+ if ((kt_vno != KRB5_KT_VNO) &&
+ (kt_vno != KRB5_KT_VNO_1)) {
+ (void) krb5_unlock_file(context, fileno(KTFILEP(id)));
+ (void) fclose(KTFILEP(id));
+ KTFILEP(id) = 0;
+ return KRB5_KEYTAB_BADVNO;
+ }
}
KTSTARTOFF(id) = ftell(KTFILEP(id));
return 0;
@@ -1174,7 +1175,7 @@ krb5_ktfileint_close(krb5_context context, krb5_keytab id)
KTCHECKLOCK(id);
if (!KTFILEP(id))
- return 0;
+ return 0;
kerror = krb5_unlock_file(context, fileno(KTFILEP(id)));
(void) fclose(KTFILEP(id));
KTFILEP(id) = 0;
@@ -1196,12 +1197,12 @@ krb5_ktfileint_delete_entry(krb5_context context, krb5_keytab id, krb5_int32 del
return KRB5_KT_END;
}
if (KTVERSION(id) != KRB5_KT_VNO_1)
- size = ntohl(size);
+ size = ntohl(size);
if (size > 0) {
krb5_int32 minus_size = -size;
- if (KTVERSION(id) != KRB5_KT_VNO_1)
- minus_size = htonl(minus_size);
+ if (KTVERSION(id) != KRB5_KT_VNO_1)
+ minus_size = htonl(minus_size);
if (fseek(KTFILEP(id), delete_point, SEEK_SET)) {
return errno;
@@ -1220,8 +1221,8 @@ krb5_ktfileint_delete_entry(krb5_context context, krb5_keytab id, krb5_int32 del
memset(iobuf, 0, (size_t) len);
while (size > 0) {
if (!fwrite(iobuf, 1, (size_t) len, KTFILEP(id))) {
- return KRB5_KT_IOERR;
- }
+ return KRB5_KT_IOERR;
+ }
size -= len;
if (size < len) {
len = size;
@@ -1246,8 +1247,8 @@ krb5_ktfileint_internal_read_entry(krb5_context context, krb5_keytab id, krb5_ke
krb5_int32 size;
krb5_int32 start_pos;
krb5_error_code error;
- char *tmpdata;
- krb5_data *princ;
+ char *tmpdata;
+ krb5_data *princ;
KTCHECKLOCK(id);
memset(ret_entry, 0, sizeof(krb5_keytab_entry));
@@ -1265,8 +1266,8 @@ krb5_ktfileint_internal_read_entry(krb5_context context, krb5_keytab id, krb5_ke
if (!fread(&size, sizeof(size), 1, KTFILEP(id))) {
return KRB5_KT_END;
}
- if (KTVERSION(id) != KRB5_KT_VNO_1)
- size = ntohl(size);
+ if (KTVERSION(id) != KRB5_KT_VNO_1)
+ size = ntohl(size);
if (size < 0) {
if (fseek(KTFILEP(id), -size, SEEK_CUR)) {
@@ -1285,163 +1286,163 @@ krb5_ktfileint_internal_read_entry(krb5_context context, krb5_keytab id, krb5_ke
/* first, int16 with #princ components */
if (!fread(&count, sizeof(count), 1, KTFILEP(id)))
- return KRB5_KT_END;
+ return KRB5_KT_END;
if (KTVERSION(id) == KRB5_KT_VNO_1) {
- count -= 1; /* V1 includes the realm in the count */
+ count -= 1; /* V1 includes the realm in the count */
} else {
- count = ntohs(count);
+ count = ntohs(count);
}
if (!count || (count < 0))
- return KRB5_KT_END;
+ return KRB5_KT_END;
ret_entry->principal = (krb5_principal)malloc(sizeof(krb5_principal_data));
if (!ret_entry->principal)
return ENOMEM;
-
+
u_count = count;
ret_entry->principal->magic = KV5M_PRINCIPAL;
ret_entry->principal->length = u_count;
- ret_entry->principal->data = (krb5_data *)
- calloc(u_count, sizeof(krb5_data));
+ ret_entry->principal->data = (krb5_data *)
+ calloc(u_count, sizeof(krb5_data));
if (!ret_entry->principal->data) {
- free(ret_entry->principal);
- ret_entry->principal = 0;
- return ENOMEM;
+ free(ret_entry->principal);
+ ret_entry->principal = 0;
+ return ENOMEM;
}
/* Now, get the realm data */
if (!fread(&princ_size, sizeof(princ_size), 1, KTFILEP(id))) {
- error = KRB5_KT_END;
- goto fail;
+ error = KRB5_KT_END;
+ goto fail;
}
if (KTVERSION(id) != KRB5_KT_VNO_1)
- princ_size = ntohs(princ_size);
+ princ_size = ntohs(princ_size);
if (!princ_size || (princ_size < 0)) {
- error = KRB5_KT_END;
- goto fail;
+ error = KRB5_KT_END;
+ goto fail;
}
u_princ_size = princ_size;
krb5_princ_set_realm_length(context, ret_entry->principal, u_princ_size);
tmpdata = malloc(u_princ_size+1);
if (!tmpdata) {
- error = ENOMEM;
- goto fail;
+ error = ENOMEM;
+ goto fail;
}
if (fread(tmpdata, 1, u_princ_size, KTFILEP(id)) != (size_t) princ_size) {
- free(tmpdata);
- error = KRB5_KT_END;
- goto fail;
+ free(tmpdata);
+ error = KRB5_KT_END;
+ goto fail;
}
- tmpdata[princ_size] = 0; /* Some things might be expecting null */
- /* termination... ``Be conservative in */
- /* what you send out'' */
+ tmpdata[princ_size] = 0; /* Some things might be expecting null */
+ /* termination... ``Be conservative in */
+ /* what you send out'' */
krb5_princ_set_realm_data(context, ret_entry->principal, tmpdata);
-
+
for (i = 0; i < count; i++) {
- princ = krb5_princ_component(context, ret_entry->principal, i);
- if (!fread(&princ_size, sizeof(princ_size), 1, KTFILEP(id))) {
- error = KRB5_KT_END;
- goto fail;
+ princ = krb5_princ_component(context, ret_entry->principal, i);
+ if (!fread(&princ_size, sizeof(princ_size), 1, KTFILEP(id))) {
+ error = KRB5_KT_END;
+ goto fail;
}
- if (KTVERSION(id) != KRB5_KT_VNO_1)
- princ_size = ntohs(princ_size);
- if (!princ_size || (princ_size < 0)) {
- error = KRB5_KT_END;
- goto fail;
+ if (KTVERSION(id) != KRB5_KT_VNO_1)
+ princ_size = ntohs(princ_size);
+ if (!princ_size || (princ_size < 0)) {
+ error = KRB5_KT_END;
+ goto fail;
}
- u_princ_size = princ_size;
- princ->length = u_princ_size;
- princ->data = malloc(u_princ_size+1);
- if (!princ->data) {
- error = ENOMEM;
- goto fail;
+ u_princ_size = princ_size;
+ princ->length = u_princ_size;
+ princ->data = malloc(u_princ_size+1);
+ if (!princ->data) {
+ error = ENOMEM;
+ goto fail;
}
- if (!fread(princ->data, sizeof(char), u_princ_size, KTFILEP(id))) {
- error = KRB5_KT_END;
- goto fail;
+ if (!fread(princ->data, sizeof(char), u_princ_size, KTFILEP(id))) {
+ error = KRB5_KT_END;
+ goto fail;
}
- princ->data[princ_size] = 0; /* Null terminate */
+ princ->data[princ_size] = 0; /* Null terminate */
}
/* read in the principal type, if we can get it */
if (KTVERSION(id) != KRB5_KT_VNO_1) {
- if (!fread(&ret_entry->principal->type,
- sizeof(ret_entry->principal->type), 1, KTFILEP(id))) {
- error = KRB5_KT_END;
- goto fail;
- }
- ret_entry->principal->type = ntohl(ret_entry->principal->type);
- }
-
+ if (!fread(&ret_entry->principal->type,
+ sizeof(ret_entry->principal->type), 1, KTFILEP(id))) {
+ error = KRB5_KT_END;
+ goto fail;
+ }
+ ret_entry->principal->type = ntohl(ret_entry->principal->type);
+ }
+
/* read in the timestamp */
if (!fread(&ret_entry->timestamp, sizeof(ret_entry->timestamp), 1, KTFILEP(id))) {
- error = KRB5_KT_END;
- goto fail;
+ error = KRB5_KT_END;
+ goto fail;
}
if (KTVERSION(id) != KRB5_KT_VNO_1)
- ret_entry->timestamp = ntohl(ret_entry->timestamp);
-
+ ret_entry->timestamp = ntohl(ret_entry->timestamp);
+
/* read in the version number */
if (!fread(&vno, sizeof(vno), 1, KTFILEP(id))) {
- error = KRB5_KT_END;
- goto fail;
+ error = KRB5_KT_END;
+ goto fail;
}
ret_entry->vno = (krb5_kvno)vno;
-
+
/* key type */
if (!fread(&enctype, sizeof(enctype), 1, KTFILEP(id))) {
- error = KRB5_KT_END;
- goto fail;
+ error = KRB5_KT_END;
+ goto fail;
}
ret_entry->key.enctype = (krb5_enctype)enctype;
if (KTVERSION(id) != KRB5_KT_VNO_1)
- ret_entry->key.enctype = ntohs(ret_entry->key.enctype);
-
+ ret_entry->key.enctype = ntohs(ret_entry->key.enctype);
+
/* key contents */
ret_entry->key.magic = KV5M_KEYBLOCK;
-
+
if (!fread(&count, sizeof(count), 1, KTFILEP(id))) {
- error = KRB5_KT_END;
- goto fail;
+ error = KRB5_KT_END;
+ goto fail;
}
if (KTVERSION(id) != KRB5_KT_VNO_1)
- count = ntohs(count);
+ count = ntohs(count);
if (!count || (count < 0)) {
- error = KRB5_KT_END;
- goto fail;
+ error = KRB5_KT_END;
+ goto fail;
}
u_count = count;
ret_entry->key.length = u_count;
-
+
ret_entry->key.contents = (krb5_octet *)malloc(u_count);
if (!ret_entry->key.contents) {
- error = ENOMEM;
- goto fail;
- }
+ error = ENOMEM;
+ goto fail;
+ }
if (!fread(ret_entry->key.contents, sizeof(krb5_octet), count,
- KTFILEP(id))) {
- error = KRB5_KT_END;
- goto fail;
+ KTFILEP(id))) {
+ error = KRB5_KT_END;
+ goto fail;
}
/*
* Reposition file pointer to the next inter-record length field.
*/
if (fseek(KTFILEP(id), start_pos + size, SEEK_SET) == -1) {
- error = errno;
- goto fail;
+ error = errno;
+ goto fail;
}
return 0;
fail:
-
+
for (i = 0; i < krb5_princ_size(context, ret_entry->principal); i++) {
- princ = krb5_princ_component(context, ret_entry->principal, i);
- if (princ->data)
- free(princ->data);
+ princ = krb5_princ_component(context, ret_entry->principal, i);
+ if (princ->data)
+ free(princ->data);
}
free(ret_entry->principal->data);
ret_entry->principal->data = 0;
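Review bot: The component read `if (!fread(princ->data, sizeof(char), u_princ_size, KTFILEP(id)))` and the key read `if (!fread(ret_entry->key.contents, sizeof(krb5_octet), count, KTFILEP(id)))` reject only a zero-length result, so a short read is accepted. For the key in particular, a record truncated inside the key material appears to be returned as success with the tail of `key.contents` left as uninitialized heap memory, since the following `fseek` generally does not fail at end of file. The realm read earlier in the hunk already compares against the expected size, and these two should do the same: `if (fread(princ->data, 1, u_princ_size, KTFILEP(id)) != u_princ_size)` and `if (fread(ret_entry->key.contents, 1, u_count, KTFILEP(id)) != u_count)`, assuming both counters are unsigned as their names suggest. The function starts before this hunk and its `fail:` path ends after it.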
@@ -1466,10 +1467,10 @@ krb5_ktfileint_write_entry(krb5_context context, krb5_keytab id, krb5_keytab_ent
krb5_int16 count, size, enctype;
krb5_error_code retval = 0;
krb5_timestamp timestamp;
- krb5_int32 princ_type;
+ krb5_int32 princ_type;
krb5_int32 size_needed;
krb5_int32 commit_point = -1;
- int i;
+ int i;
KTCHECKLOCK(id);
retval = krb5_ktfileint_size_entry(context, entry, &size_needed);
@@ -1487,50 +1488,50 @@ krb5_ktfileint_write_entry(krb5_context context, krb5_keytab id, krb5_keytab_ent
}
if (KTVERSION(id) == KRB5_KT_VNO_1) {
- count = (krb5_int16) krb5_princ_size(context, entry->principal) + 1;
+ count = (krb5_int16) krb5_princ_size(context, entry->principal) + 1;
} else {
- count = htons((u_short) krb5_princ_size(context, entry->principal));
+ count = htons((u_short) krb5_princ_size(context, entry->principal));
}
-
+
if (!fwrite(&count, sizeof(count), 1, KTFILEP(id))) {
abend:
- return KRB5_KT_IOERR;
+ return KRB5_KT_IOERR;
}
size = krb5_princ_realm(context, entry->principal)->length;
if (KTVERSION(id) != KRB5_KT_VNO_1)
- size = htons(size);
+ size = htons(size);
if (!fwrite(&size, sizeof(size), 1, KTFILEP(id))) {
- goto abend;
+ goto abend;
}
if (!fwrite(krb5_princ_realm(context, entry->principal)->data, sizeof(char),
- krb5_princ_realm(context, entry->principal)->length, KTFILEP(id))) {
- goto abend;
+ krb5_princ_realm(context, entry->principal)->length, KTFILEP(id))) {
+ goto abend;
}
count = (krb5_int16) krb5_princ_size(context, entry->principal);
for (i = 0; i < count; i++) {
- princ = krb5_princ_component(context, entry->principal, i);
- size = princ->length;
- if (KTVERSION(id) != KRB5_KT_VNO_1)
- size = htons(size);
- if (!fwrite(&size, sizeof(size), 1, KTFILEP(id))) {
- goto abend;
- }
- if (!fwrite(princ->data, sizeof(char), princ->length, KTFILEP(id))) {
- goto abend;
- }
+ princ = krb5_princ_component(context, entry->principal, i);
+ size = princ->length;
+ if (KTVERSION(id) != KRB5_KT_VNO_1)
+ size = htons(size);
+ if (!fwrite(&size, sizeof(size), 1, KTFILEP(id))) {
+ goto abend;
+ }
+ if (!fwrite(princ->data, sizeof(char), princ->length, KTFILEP(id))) {
+ goto abend;
+ }
}
/*
* Write out the principal type
*/
if (KTVERSION(id) != KRB5_KT_VNO_1) {
- princ_type = htonl(krb5_princ_type(context, entry->principal));
- if (!fwrite(&princ_type, sizeof(princ_type), 1, KTFILEP(id))) {
- goto abend;
- }
+ princ_type = htonl(krb5_princ_type(context, entry->principal));
+ if (!fwrite(&princ_type, sizeof(princ_type), 1, KTFILEP(id))) {
+ goto abend;
+ }
}
-
+
/*
* Fill in the time of day the entry was written to the keytab.
*/
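Review bot: Every `if (!fwrite(...))` test in this hunk only catches the case where zero items were written, so a short write of the realm or of a principal component is treated as success and leaves a malformed record in the keytab. Compare the return value with the requested count instead, e.g. `if (fwrite(princ->data, sizeof(char), princ->length, KTFILEP(id)) != princ->length) goto abend;`. This also stops a zero-length component from being reported as `KRB5_KT_IOERR`. The same pattern guards the key-contents write in the following hunk (`entry->key.length` items). The body of krb5_ktfileint_write_entry starts and ends outside this hunk.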
@@ -1538,41 +1539,41 @@ krb5_ktfileint_write_entry(krb5_context context, krb5_keytab id, krb5_keytab_ent
entry->timestamp = 0;
}
if (KTVERSION(id) == KRB5_KT_VNO_1)
- timestamp = entry->timestamp;
+ timestamp = entry->timestamp;
else
- timestamp = htonl(entry->timestamp);
+ timestamp = htonl(entry->timestamp);
if (!fwrite(&timestamp, sizeof(timestamp), 1, KTFILEP(id))) {
- goto abend;
+ goto abend;
}
-
+
/* key version number */
vno = (krb5_octet)entry->vno;
if (!fwrite(&vno, sizeof(vno), 1, KTFILEP(id))) {
- goto abend;
+ goto abend;
}
/* key type */
if (KTVERSION(id) == KRB5_KT_VNO_1)
- enctype = entry->key.enctype;
+ enctype = entry->key.enctype;
else
- enctype = htons(entry->key.enctype);
+ enctype = htons(entry->key.enctype);
if (!fwrite(&enctype, sizeof(enctype), 1, KTFILEP(id))) {
- goto abend;
+ goto abend;
}
/* key length */
if (KTVERSION(id) == KRB5_KT_VNO_1)
- size = entry->key.length;
+ size = entry->key.length;
else
- size = htons(entry->key.length);
+ size = htons(entry->key.length);
if (!fwrite(&size, sizeof(size), 1, KTFILEP(id))) {
- goto abend;
+ goto abend;
}
if (!fwrite(entry->key.contents, sizeof(krb5_octet),
- entry->key.length, KTFILEP(id))) {
- goto abend;
- }
+ entry->key.length, KTFILEP(id))) {
+ goto abend;
+ }
if (fflush(KTFILEP(id)))
- goto abend;
+ goto abend;
retval = krb5_sync_disk_file(context, KTFILEP(id));
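Review bot: `vno = (krb5_octet)entry->vno;` silently narrows the key version number to one octet before it is written, so a kvno above 255 would be stored as a different value and a later lookup by kvno would presumably miss or match the wrong key. If the on-disk format fixes this width, the line deserves a comment saying so, for example `/* keytab format stores the kvno in a single octet; larger values are truncated */`. The declaration of `vno` is outside the hunk, so the exact width is inferred from the cast.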
@@ -1584,12 +1585,12 @@ krb5_ktfileint_write_entry(krb5_context context, krb5_keytab id, krb5_keytab_ent
return errno;
}
if (KTVERSION(id) != KRB5_KT_VNO_1)
- size_needed = htonl(size_needed);
+ size_needed = htonl(size_needed);
if (!fwrite(&size_needed, sizeof(size_needed), 1, KTFILEP(id))) {
goto abend;
}
if (fflush(KTFILEP(id)))
- goto abend;
+ goto abend;
retval = krb5_sync_disk_file(context, KTFILEP(id));
return retval;
@@ -1607,13 +1608,13 @@ krb5_ktfileint_size_entry(krb5_context context, krb5_keytab_entry *entry, krb5_i
krb5_error_code retval = 0;
count = (krb5_int16) krb5_princ_size(context, entry->principal);
-
+
total_size = sizeof(count);
total_size += krb5_princ_realm(context, entry->principal)->length + (sizeof(krb5_int16));
-
+
for (i = 0; i < count; i++) {
- total_size += krb5_princ_component(context, entry->principal,i)->length
- + (sizeof(krb5_int16));
+ total_size += krb5_princ_component(context, entry->principal,i)->length
+ + (sizeof(krb5_int16));
}
total_size += sizeof(entry->principal->type);
@@ -1636,7 +1637,7 @@ krb5_ktfileint_size_entry(krb5_context context, krb5_keytab_entry *entry, krb5_i
* The size_needed argument may be adjusted if we find a hole that is
* larger than the size needed. (Recall that size_needed will be used
* to commit the write, but that this field must indicate the size of the
- * block in the file rather than the size of the actual entry)
+ * block in the file rather than the size of the actual entry)
*/
static krb5_error_code
krb5_ktfileint_find_slot(krb5_context context, krb5_keytab id, krb5_int32 *size_needed, krb5_int32 *commit_point_ptr)
@@ -1655,56 +1656,55 @@ krb5_ktfileint_find_slot(krb5_context context, krb5_keytab id, krb5_int32 *size_
for (;;) {
commit_point = ftell(fp);
- if (commit_point == -1)
- return errno;
+ if (commit_point == -1)
+ return errno;
if (!fread(&size, sizeof(size), 1, fp)) {
/* Hit the end of file, reserve this slot. */
/* Necessary to avoid a later fseek failing on Solaris 10. */
- if (fseek(fp, 0, SEEK_CUR))
- return errno;
- /* htonl(0) is 0, so no need to worry about byte order */
+ if (fseek(fp, 0, SEEK_CUR))
+ return errno;
+ /* htonl(0) is 0, so no need to worry about byte order */
size = 0;
if (!fwrite(&size, sizeof(size), 1, fp))
return errno;
break;
}
- if (KTVERSION(id) != KRB5_KT_VNO_1)
- size = ntohl(size);
+ if (KTVERSION(id) != KRB5_KT_VNO_1)
+ size = ntohl(size);
if (size > 0) {
- /* Non-empty record; seek past it. */
+ /* Non-empty record; seek past it. */
if (fseek(fp, size, SEEK_CUR))
return errno;
- } else if (size < 0) {
- /* Empty record; use if it's big enough, seek past otherwise. */
- size = -size;
+ } else if (size < 0) {
+ /* Empty record; use if it's big enough, seek past otherwise. */
+ size = -size;
if (size >= *size_needed) {
*size_needed = size;
- break;
- } else {
+ break;
+ } else {
if (fseek(fp, size, SEEK_CUR))
return errno;
- }
- } else {
- /* Empty record at end of file; use it. */
- /* Ensure the new record will be followed by another 0. */
- zero_point = ftell(fp);
- if (zero_point == -1)
- return errno;
- if (fseek(fp, *size_needed, SEEK_CUR))
- return errno;
- /* htonl(0) is 0, so no need to worry about byte order */
+ }
+ } else {
+ /* Empty record at end of file; use it. */
+ /* Ensure the new record will be followed by another 0. */
+ zero_point = ftell(fp);
+ if (zero_point == -1)
+ return errno;
+ if (fseek(fp, *size_needed, SEEK_CUR))
+ return errno;
+ /* htonl(0) is 0, so no need to worry about byte order */
if (!fwrite(&size, sizeof(size), 1, fp))
return errno;
- if (fseek(fp, zero_point, SEEK_SET))
- return errno;
- break;
- }
+ if (fseek(fp, zero_point, SEEK_SET))
+ return errno;
+ break;
+ }
}
*commit_point_ptr = commit_point;
return 0;
}
#endif /* LEAN_CLIENT */
-
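Review bot: The record length read from the file is used without any sanity check: `size = -size;` overflows if the stored value is the most negative 32-bit integer, and both `fseek(fp, size, SEEK_CUR)` calls trust whatever the file contains. A keytab is normally a trusted file, but a truncated or corrupted one should fail cleanly rather than rely on undefined behaviour. A guard before the negation would do it, e.g. `if (size == KRB5_INT32_MIN) return KRB5_KT_IOERR;`. The declaration of `size` is above the hunk, so its type is inferred from the `ntohl` call and the comparison with `*size_needed`.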
diff --git a/src/lib/krb5/keytab/kt_memory.c b/src/lib/krb5/keytab/kt_memory.c
index b78e7064c9..d58ffee5c9 100644
--- a/src/lib/krb5/keytab/kt_memory.c
+++ b/src/lib/krb5/keytab/kt_memory.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/keytab/kt_memory.c
*
@@ -42,15 +43,15 @@
* Constants
*/
-/*
+/*
* Types
*/
-/* From krb5.h:
+/* From krb5.h:
* typedef struct krb5_keytab_entry_st {
* krb5_magic magic;
* krb5_principal principal; principal of this key
- * krb5_timestamp timestamp; time entry written to keytable
- * krb5_kvno vno; key version number
+ * krb5_timestamp timestamp; time entry written to keytable
+ * krb5_kvno vno; key version number
* krb5_keyblock key; the secret key
*} krb5_keytab_entry;
*/
@@ -63,10 +64,10 @@ typedef struct _krb5_mkt_link {
/* Per-keytab data header */
typedef struct _krb5_mkt_data {
- char *name; /* Name of the keytab */
- k5_mutex_t lock; /* Thread-safety - all but link */
- krb5_int32 refcount;
- krb5_mkt_cursor link;
+ char *name; /* Name of the keytab */
+ k5_mutex_t lock; /* Thread-safety - all but link */
+ krb5_int32 refcount;
+ krb5_mkt_cursor link;
} krb5_mkt_data;
/* List of memory key tables */
@@ -80,8 +81,8 @@ typedef struct _krb5_mkt_ptcursor_data {
struct _krb5_mkt_list_node *cur;
} krb5_mkt_ptcursor_data;
-/*
- * Globals
+/*
+ * Globals
*/
static krb5_mkt_list_node * krb5int_mkt_list = NULL;
static k5_mutex_t krb5int_mkt_mutex = K5_MUTEX_PARTIAL_INITIALIZER;
@@ -103,55 +104,55 @@ static k5_mutex_t krb5int_mkt_mutex = K5_MUTEX_PARTIAL_INITIALIZER;
extern const struct _krb5_kt_ops krb5_mkt_ops;
-krb5_error_code KRB5_CALLCONV krb5_mkt_resolve
- (krb5_context,
- const char *,
- krb5_keytab *);
-
-krb5_error_code KRB5_CALLCONV krb5_mkt_get_name
- (krb5_context,
- krb5_keytab,
- char *,
- unsigned int);
-
-krb5_error_code KRB5_CALLCONV krb5_mkt_close
- (krb5_context,
- krb5_keytab);
-
-krb5_error_code KRB5_CALLCONV krb5_mkt_get_entry
- (krb5_context,
- krb5_keytab,
- krb5_const_principal,
- krb5_kvno,
- krb5_enctype,
- krb5_keytab_entry *);
-
-krb5_error_code KRB5_CALLCONV krb5_mkt_start_seq_get
- (krb5_context,
- krb5_keytab,
- krb5_kt_cursor *);
-
-krb5_error_code KRB5_CALLCONV krb5_mkt_get_next
- (krb5_context,
- krb5_keytab,
- krb5_keytab_entry *,
- krb5_kt_cursor *);
-
-krb5_error_code KRB5_CALLCONV krb5_mkt_end_get
- (krb5_context,
- krb5_keytab,
- krb5_kt_cursor *);
+krb5_error_code KRB5_CALLCONV krb5_mkt_resolve
+(krb5_context,
+ const char *,
+ krb5_keytab *);
+
+krb5_error_code KRB5_CALLCONV krb5_mkt_get_name
+(krb5_context,
+ krb5_keytab,
+ char *,
+ unsigned int);
+
+krb5_error_code KRB5_CALLCONV krb5_mkt_close
+(krb5_context,
+ krb5_keytab);
+
+krb5_error_code KRB5_CALLCONV krb5_mkt_get_entry
+(krb5_context,
+ krb5_keytab,
+ krb5_const_principal,
+ krb5_kvno,
+ krb5_enctype,
+ krb5_keytab_entry *);
+
+krb5_error_code KRB5_CALLCONV krb5_mkt_start_seq_get
+(krb5_context,
+ krb5_keytab,
+ krb5_kt_cursor *);
+
+krb5_error_code KRB5_CALLCONV krb5_mkt_get_next
+(krb5_context,
+ krb5_keytab,
+ krb5_keytab_entry *,
+ krb5_kt_cursor *);
+
+krb5_error_code KRB5_CALLCONV krb5_mkt_end_get
+(krb5_context,
+ krb5_keytab,
+ krb5_kt_cursor *);
/* routines to be included on extended version (write routines) */
-krb5_error_code KRB5_CALLCONV krb5_mkt_add
- (krb5_context,
- krb5_keytab,
- krb5_keytab_entry *);
+krb5_error_code KRB5_CALLCONV krb5_mkt_add
+(krb5_context,
+ krb5_keytab,
+ krb5_keytab_entry *);
-krb5_error_code KRB5_CALLCONV krb5_mkt_remove
- (krb5_context,
- krb5_keytab,
- krb5_keytab_entry *);
+krb5_error_code KRB5_CALLCONV krb5_mkt_remove
+(krb5_context,
+ krb5_keytab,
+ krb5_keytab_entry *);
int krb5int_mkt_initialize(void) {
return k5_mutex_finish_init(&krb5int_mkt_mutex);
@@ -164,33 +165,33 @@ void krb5int_mkt_finalize(void) {
k5_mutex_destroy(&krb5int_mkt_mutex);
for (node = krb5int_mkt_list; node; node = next_node) {
- next_node = node->next;
+ next_node = node->next;
- /* destroy the contents of node->keytab */
- free(KTNAME(node->keytab));
+ /* destroy the contents of node->keytab */
+ free(KTNAME(node->keytab));
- /* free the keytab entries */
- for (cursor = KTLINK(node->keytab); cursor; cursor = next_cursor) {
- next_cursor = cursor->next;
- /* the call to krb5_kt_free_entry uses a NULL in place of the
- * krb5_context since we know that the context isn't used by
- * krb5_kt_free_entry or krb5_free_principal. */
- krb5_kt_free_entry(NULL, cursor->entry);
- free(cursor->entry);
- free(cursor);
- }
+ /* free the keytab entries */
+ for (cursor = KTLINK(node->keytab); cursor; cursor = next_cursor) {
+ next_cursor = cursor->next;
+ /* the call to krb5_kt_free_entry uses a NULL in place of the
+ * krb5_context since we know that the context isn't used by
+ * krb5_kt_free_entry or krb5_free_principal. */
+ krb5_kt_free_entry(NULL, cursor->entry);
+ free(cursor->entry);
+ free(cursor);
+ }
- /* destroy the lock */
- k5_mutex_destroy(&(((krb5_mkt_data *)node->keytab->data)->lock));
+ /* destroy the lock */
+ k5_mutex_destroy(&(((krb5_mkt_data *)node->keytab->data)->lock));
- /* free the private data */
- free(node->keytab->data);
+ /* free the private data */
+ free(node->keytab->data);
- /* and the keytab */
- free(node->keytab);
+ /* and the keytab */
+ free(node->keytab);
- /* and finally the node */
- free(node);
+ /* and finally the node */
+ free(node);
}
}
@@ -205,34 +206,34 @@ create_list_node(const char *name, krb5_mkt_list_node **listp)
list = calloc(1, sizeof(krb5_mkt_list_node));
if (list == NULL) {
- err = ENOMEM;
- goto cleanup;
+ err = ENOMEM;
+ goto cleanup;
}
list->keytab = calloc(1, sizeof(struct _krb5_kt));
if (list->keytab == NULL) {
- err = ENOMEM;
- goto cleanup;
+ err = ENOMEM;
+ goto cleanup;
}
list->keytab->ops = &krb5_mkt_ops;
data = calloc(1, sizeof(krb5_mkt_data));
if (data == NULL) {
- err = ENOMEM;
- goto cleanup;
+ err = ENOMEM;
+ goto cleanup;
}
data->link = NULL;
data->refcount = 0;
data->name = strdup(name);
if (data->name == NULL) {
- err = ENOMEM;
- goto cleanup;
+ err = ENOMEM;
+ goto cleanup;
}
err = k5_mutex_init(&data->lock);
if (err)
- goto cleanup;
+ goto cleanup;
list->keytab->data = data;
list->keytab->magic = KV5M_KEYTAB;
@@ -243,20 +244,20 @@ create_list_node(const char *name, krb5_mkt_list_node **listp)
cleanup:
/* data->lock was initialized last, so no need to destroy. */
if (data)
- free(data->name);
+ free(data->name);
free(data);
if (list)
- free(list->keytab);
+ free(list->keytab);
free(list);
return err;
}
/*
- * This is an implementation specific resolver. It returns a keytab
+ * This is an implementation specific resolver. It returns a keytab
* initialized with memory keytab routines.
*/
-krb5_error_code KRB5_CALLCONV
+krb5_error_code KRB5_CALLCONV
krb5_mkt_resolve(krb5_context context, const char *name, krb5_keytab *id)
{
krb5_mkt_list_node *list;
@@ -267,29 +268,29 @@ krb5_mkt_resolve(krb5_context context, const char *name, krb5_keytab *id)
/* First determine if a memory keytab of this name already exists */
err = KTGLOCK;
if (err)
- return err;
+ return err;
for (list = krb5int_mkt_list; list; list = list->next) {
- if (strcmp(name,KTNAME(list->keytab)) == 0)
- break;
+ if (strcmp(name,KTNAME(list->keytab)) == 0)
+ break;
}
if (!list) {
- /* We will now create the new key table with the specified name.
- * We do not drop the global lock, therefore the name will indeed
- * be unique when we add it.
- */
- err = create_list_node(name, &list);
- if (err)
- goto done;
- list->next = krb5int_mkt_list;
- krb5int_mkt_list = list;
+ /* We will now create the new key table with the specified name.
+ * We do not drop the global lock, therefore the name will indeed
+ * be unique when we add it.
+ */
+ err = create_list_node(name, &list);
+ if (err)
+ goto done;
+ list->next = krb5int_mkt_list;
+ krb5int_mkt_list = list;
}
/* Increment the reference count on the keytab we found or created. */
err = KTLOCK(list->keytab);
if (err)
- goto done;
+ goto done;
KTREFCNT(list->keytab)++;
KTUNLOCK(list->keytab);
*id = list->keytab;
@@ -306,7 +307,7 @@ done:
* a memory keytab shouldn't either.
*/
-krb5_error_code KRB5_CALLCONV
+krb5_error_code KRB5_CALLCONV
krb5_mkt_close(krb5_context context, krb5_keytab id)
{
krb5_mkt_list_node **listp;
@@ -319,71 +320,71 @@ krb5_mkt_close(krb5_context context, krb5_keytab id)
/* First determine if a memory keytab of this name already exists */
err = KTGLOCK;
if (err)
- return(err);
-
+ return(err);
+
for (listp = &krb5int_mkt_list; *listp; listp = &((*listp)->next))
{
- if (id == (*listp)->keytab) {
- /* Found */
- break;
- }
+ if (id == (*listp)->keytab) {
+ /* Found */
+ break;
+ }
}
if (*listp == NULL) {
- /* The specified keytab could not be found */
- err = KRB5_KT_NOTFOUND;
- goto done;
+ /* The specified keytab could not be found */
+ err = KRB5_KT_NOTFOUND;
+ goto done;
}
/* reduce the refcount and return */
err = KTLOCK(id);
if (err)
- goto done;
+ goto done;
KTREFCNT(id)--;
KTUNLOCK(id);
#ifdef HEIMDAL_COMPATIBLE
- /* In Heimdal if the refcount hits 0, the MEMORY keytab is
+ /* In Heimdal if the refcount hits 0, the MEMORY keytab is
* destroyed since there is no krb5_kt_destroy function.
- * There is no need to lock the entry while performing
+ * There is no need to lock the entry while performing
* these operations as the refcount will be 0 and we are
* holding the global lock.
*/
data = (krb5_mkt_data *)id->data;
if (data->refcount == 0) {
- krb5_mkt_cursor cursor, next_cursor;
+ krb5_mkt_cursor cursor, next_cursor;
- node = *listp;
- *listp = node->next;
+ node = *listp;
+ *listp = node->next;
- /* destroy the contents of node->keytab (aka id) */
- free(data->name);
+ /* destroy the contents of node->keytab (aka id) */
+ free(data->name);
- /* free the keytab entries */
- for (cursor = KTLINK(node->keytab); cursor; cursor = next_cursor) {
- next_cursor = cursor->next;
+ /* free the keytab entries */
+ for (cursor = KTLINK(node->keytab); cursor; cursor = next_cursor) {
+ next_cursor = cursor->next;
- krb5_kt_free_entry(context, cursor->entry);
- free(cursor->entry);
- free(cursor);
- }
+ krb5_kt_free_entry(context, cursor->entry);
+ free(cursor->entry);
+ free(cursor);
+ }
- /* destroy the lock */
- k5_mutex_destroy(&(data->lock));
+ /* destroy the lock */
+ k5_mutex_destroy(&(data->lock));
- /* free the private data */
- free(data);
+ /* free the private data */
+ free(data);
- /* and the keytab */
- free(node->keytab);
+ /* and the keytab */
+ free(node->keytab);
- /* and finally the node */
- free(node);
+ /* and finally the node */
+ free(node);
}
#endif /* HEIMDAL_COMPATIBLE */
- done:
+done:
KTGUNLOCK;
return(err);
}
@@ -395,8 +396,8 @@ krb5_mkt_close(krb5_context context, krb5_keytab id)
krb5_error_code KRB5_CALLCONV
krb5_mkt_get_entry(krb5_context context, krb5_keytab id,
- krb5_const_principal principal, krb5_kvno kvno,
- krb5_enctype enctype, krb5_keytab_entry *out_entry)
+ krb5_const_principal principal, krb5_kvno kvno,
+ krb5_enctype enctype, krb5_keytab_entry *out_entry)
{
krb5_mkt_cursor cursor;
krb5_keytab_entry *entry, *match = NULL;
@@ -406,67 +407,67 @@ krb5_mkt_get_entry(krb5_context context, krb5_keytab id,
err = KTLOCK(id);
if (err)
- return err;
+ return err;
for (cursor = KTLINK(id); cursor && cursor->entry; cursor = cursor->next) {
- entry = cursor->entry;
-
- /* if the principal isn't the one requested, continue to the next. */
-
- if (!krb5_principal_compare(context, principal, entry->principal))
- continue;
-
- /* if the enctype is not ignored and doesn't match,
- and continue to the next */
- if (enctype != IGNORE_ENCTYPE) {
- if ((err = krb5_c_enctype_compare(context, enctype,
- entry->key.enctype,
- &similar))) {
- /* we can't determine the enctype of the entry */
- continue;
- }
-
- if (!similar)
- continue;
- }
-
- if (kvno == IGNORE_VNO) {
- if (match == NULL)
- match = entry;
- else if (entry->vno > match->vno)
- match = entry;
- } else {
- if (entry->vno == kvno) {
- match = entry;
- break;
- } else {
- found_wrong_kvno++;
- }
- }
+ entry = cursor->entry;
+
+ /* if the principal isn't the one requested, continue to the next. */
+
+ if (!krb5_principal_compare(context, principal, entry->principal))
+ continue;
+
+ /* if the enctype is not ignored and doesn't match,
+ and continue to the next */
+ if (enctype != IGNORE_ENCTYPE) {
+ if ((err = krb5_c_enctype_compare(context, enctype,
+ entry->key.enctype,
+ &similar))) {
+ /* we can't determine the enctype of the entry */
+ continue;
+ }
+
+ if (!similar)
+ continue;
+ }
+
+ if (kvno == IGNORE_VNO) {
+ if (match == NULL)
+ match = entry;
+ else if (entry->vno > match->vno)
+ match = entry;
+ } else {
+ if (entry->vno == kvno) {
+ match = entry;
+ break;
+ } else {
+ found_wrong_kvno++;
+ }
+ }
}
/* if we found an entry that matches, ... */
- if (match) {
- out_entry->magic = match->magic;
- out_entry->timestamp = match->timestamp;
- out_entry->vno = match->vno;
- out_entry->key = match->key;
- err = krb5_copy_keyblock_contents(context, &(match->key),
- &(out_entry->key));
- /*
- * Coerce the enctype of the output keyblock in case we
- * got an inexact match on the enctype.
- */
- if(enctype != IGNORE_ENCTYPE)
- out_entry->key.enctype = enctype;
- if(!err) {
- err = krb5_copy_principal(context,
- match->principal,
- &(out_entry->principal));
- }
+ if (match) {
+ out_entry->magic = match->magic;
+ out_entry->timestamp = match->timestamp;
+ out_entry->vno = match->vno;
+ out_entry->key = match->key;
+ err = krb5_copy_keyblock_contents(context, &(match->key),
+ &(out_entry->key));
+ /*
+ * Coerce the enctype of the output keyblock in case we
+ * got an inexact match on the enctype.
+ */
+ if(enctype != IGNORE_ENCTYPE)
+ out_entry->key.enctype = enctype;
+ if(!err) {
+ err = krb5_copy_principal(context,
+ match->principal,
+ &(out_entry->principal));
+ }
} else {
- if (!err)
- err = found_wrong_kvno ? KRB5_KT_KVNONOTFOUND : KRB5_KT_NOTFOUND;
+ if (!err)
+ err = found_wrong_kvno ? KRB5_KT_KVNONOTFOUND : KRB5_KT_NOTFOUND;
}
KTUNLOCK(id);
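Review bot: In the `if (match)` branch, a failure of `krb5_copy_principal` returns an error while the key copy made by `krb5_copy_keyblock_contents` stays in `out_entry->key`, so that key material is leaked unless the caller frees an entry it was told is invalid. Release it on that path by adding `if (err) krb5_free_keyblock_contents(context, &(out_entry->key));` inside the `if(!err)` block, straight after the principal copy. The free must stay inside that block: `out_entry->key = match->key;` means that after a failed keyblock copy the contents pointer may still alias the stored key (this depends on `krb5_copy_keyblock_contents`, which is not shown). krb5_mkt_get_next, in a later hunk, has the same copy sequence and the same leak. The function's return is outside this hunk.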
@@ -485,7 +486,7 @@ krb5_mkt_get_name(krb5_context context, krb5_keytab id, char *name, unsigned int
memset(name, 0, len);
result = snprintf(name, len, "%s:%s", id->ops->prefix, KTNAME(id));
if (SNPRINTF_OVERFLOW(result, len))
- return(KRB5_KT_NAME_TOOLONG);
+ return(KRB5_KT_NAME_TOOLONG);
return(0);
}
@@ -500,7 +501,7 @@ krb5_mkt_start_seq_get(krb5_context context, krb5_keytab id, krb5_kt_cursor *cur
err = KTLOCK(id);
if (err)
- return(err);
+ return(err);
*cursorp = (krb5_kt_cursor)KTLINK(id);
KTUNLOCK(id);
@@ -512,7 +513,7 @@ krb5_mkt_start_seq_get(krb5_context context, krb5_keytab id, krb5_kt_cursor *cur
* krb5_mkt_get_next()
*/
-krb5_error_code KRB5_CALLCONV
+krb5_error_code KRB5_CALLCONV
krb5_mkt_get_next(krb5_context context, krb5_keytab id, krb5_keytab_entry *entry, krb5_kt_cursor *cursor)
{
krb5_mkt_cursor mkt_cursor = (krb5_mkt_cursor)*cursor;
@@ -520,24 +521,24 @@ krb5_mkt_get_next(krb5_context context, krb5_keytab id, krb5_keytab_entry *entry
err = KTLOCK(id);
if (err)
- return err;
+ return err;
if (mkt_cursor == NULL) {
- KTUNLOCK(id);
- return KRB5_KT_END;
+ KTUNLOCK(id);
+ return KRB5_KT_END;
}
entry->magic = mkt_cursor->entry->magic;
entry->timestamp = mkt_cursor->entry->timestamp;
entry->vno = mkt_cursor->entry->vno;
- entry->key = mkt_cursor->entry->key;
- err = krb5_copy_keyblock_contents(context, &(mkt_cursor->entry->key),
- &(entry->key));
- if (!err)
- err = krb5_copy_principal(context, mkt_cursor->entry->principal,
- &(entry->principal));
+ entry->key = mkt_cursor->entry->key;
+ err = krb5_copy_keyblock_contents(context, &(mkt_cursor->entry->key),
+ &(entry->key));
+ if (!err)
+ err = krb5_copy_principal(context, mkt_cursor->entry->principal,
+ &(entry->principal));
if (!err)
- *cursor = (krb5_kt_cursor *)mkt_cursor->next;
+ *cursor = (krb5_kt_cursor *)mkt_cursor->next;
KTUNLOCK(id);
return(err);
}
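Review bot: `mkt_cursor` is the raw list-node pointer that krb5_mkt_start_seq_get stored, and the keytab lock is dropped between calls, so `mkt_cursor->entry` is only safe while no other caller removes that node. krb5_mkt_remove frees the node it unlinks, so a removal between two krb5_mkt_get_next calls would leave this cursor dangling. If that restriction is intended, state it above the function, e.g. `/* The cursor points directly at a list node; removing entries during a sequential get invalidates it. */`. The function's signature is in the preceding hunk.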
@@ -546,7 +547,7 @@ krb5_mkt_get_next(krb5_context context, krb5_keytab id, krb5_keytab_entry *entry
* krb5_mkt_end_get()
*/
-krb5_error_code KRB5_CALLCONV
+krb5_error_code KRB5_CALLCONV
krb5_mkt_end_get(krb5_context context, krb5_keytab id, krb5_kt_cursor *cursor)
{
*cursor = NULL;
@@ -558,7 +559,7 @@ krb5_mkt_end_get(krb5_context context, krb5_keytab id, krb5_kt_cursor *cursor)
* krb5_mkt_add()
*/
-krb5_error_code KRB5_CALLCONV
+krb5_error_code KRB5_CALLCONV
krb5_mkt_add(krb5_context context, krb5_keytab id, krb5_keytab_entry *entry)
{
krb5_error_code err = 0;
@@ -566,47 +567,47 @@ krb5_mkt_add(krb5_context context, krb5_keytab id, krb5_keytab_entry *entry)
err = KTLOCK(id);
if (err)
- return err;
+ return err;
cursor = (krb5_mkt_cursor)malloc(sizeof(krb5_mkt_link));
if (cursor == NULL) {
- err = ENOMEM;
- goto done;
+ err = ENOMEM;
+ goto done;
}
cursor->entry = (krb5_keytab_entry *)malloc(sizeof(krb5_keytab_entry));
if (cursor->entry == NULL) {
- free(cursor);
- err = ENOMEM;
- goto done;
+ free(cursor);
+ err = ENOMEM;
+ goto done;
}
cursor->entry->magic = entry->magic;
cursor->entry->timestamp = entry->timestamp;
cursor->entry->vno = entry->vno;
- err = krb5_copy_keyblock_contents(context, &(entry->key),
- &(cursor->entry->key));
+ err = krb5_copy_keyblock_contents(context, &(entry->key),
+ &(cursor->entry->key));
if (err) {
- free(cursor->entry);
- free(cursor);
- goto done;
+ free(cursor->entry);
+ free(cursor);
+ goto done;
}
err = krb5_copy_principal(context, entry->principal, &(cursor->entry->principal));
if (err) {
- krb5_free_keyblock_contents(context, &(cursor->entry->key));
- free(cursor->entry);
- free(cursor);
- goto done;
+ krb5_free_keyblock_contents(context, &(cursor->entry->key));
+ free(cursor->entry);
+ free(cursor);
+ goto done;
}
if (KTLINK(id) == NULL) {
- cursor->next = NULL;
- KTLINK(id) = cursor;
+ cursor->next = NULL;
+ KTLINK(id) = cursor;
} else {
- cursor->next = KTLINK(id);
- KTLINK(id) = cursor;
+ cursor->next = KTLINK(id);
+ KTLINK(id) = cursor;
}
- done:
+done:
KTUNLOCK(id);
return err;
}
@@ -615,7 +616,7 @@ krb5_mkt_add(krb5_context context, krb5_keytab id, krb5_keytab_entry *entry)
* krb5_mkt_remove()
*/
-krb5_error_code KRB5_CALLCONV
+krb5_error_code KRB5_CALLCONV
krb5_mkt_remove(krb5_context context, krb5_keytab id, krb5_keytab_entry *entry)
{
krb5_mkt_cursor *pcursor, next;
@@ -623,23 +624,23 @@ krb5_mkt_remove(krb5_context context, krb5_keytab id, krb5_keytab_entry *entry)
err = KTLOCK(id);
if (err)
- return err;
+ return err;
if ( KTLINK(id) == NULL ) {
- err = KRB5_KT_NOTFOUND;
- goto done;
+ err = KRB5_KT_NOTFOUND;
+ goto done;
}
-
+
for ( pcursor = &KTLINK(id); *pcursor; pcursor = &(*pcursor)->next ) {
- if ( (*pcursor)->entry->vno == entry->vno &&
- (*pcursor)->entry->key.enctype == entry->key.enctype &&
- krb5_principal_compare(context, (*pcursor)->entry->principal, entry->principal))
- break;
+ if ( (*pcursor)->entry->vno == entry->vno &&
+ (*pcursor)->entry->key.enctype == entry->key.enctype &&
+ krb5_principal_compare(context, (*pcursor)->entry->principal, entry->principal))
+ break;
}
if (!*pcursor) {
- err = KRB5_KT_NOTFOUND;
- goto done;
+ err = KRB5_KT_NOTFOUND;
+ goto done;
}
krb5_kt_free_entry(context, (*pcursor)->entry);
@@ -648,7 +649,7 @@ krb5_mkt_remove(krb5_context context, krb5_keytab id, krb5_keytab_entry *entry)
free(*pcursor);
(*pcursor) = next;
- done:
+done:
KTUNLOCK(id);
return err;
}
@@ -660,9 +661,9 @@ krb5_mkt_remove(krb5_context context, krb5_keytab id, krb5_keytab_entry *entry)
const struct _krb5_kt_ops krb5_mkt_ops = {
0,
- "MEMORY", /* Prefix -- this string should not appear anywhere else! */
+ "MEMORY", /* Prefix -- this string should not appear anywhere else! */
krb5_mkt_resolve,
- krb5_mkt_get_name,
+ krb5_mkt_get_name,
krb5_mkt_close,
krb5_mkt_get_entry,
krb5_mkt_start_seq_get,
@@ -674,4 +675,3 @@ const struct _krb5_kt_ops krb5_mkt_ops = {
};
#endif /* LEAN_CLIENT */
-
diff --git a/src/lib/krb5/keytab/kt_srvtab.c b/src/lib/krb5/keytab/kt_srvtab.c
index 20ea3d755f..a2e13040bf 100644
--- a/src/lib/krb5/keytab/kt_srvtab.c
+++ b/src/lib/krb5/keytab/kt_srvtab.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/keytab/srvtab/kts_resolv.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -27,23 +28,23 @@
#include "k5-int.h"
#include <stdio.h>
-#ifndef LEAN_CLIENT
+#ifndef LEAN_CLIENT
/*
* Constants
*/
-#define KRB5_KT_VNO_1 0x0501 /* krb v5, keytab version 1 (DCE compat) */
-#define KRB5_KT_VNO 0x0502 /* krb v5, keytab version 2 (standard) */
+#define KRB5_KT_VNO_1 0x0501 /* krb v5, keytab version 1 (DCE compat) */
+#define KRB5_KT_VNO 0x0502 /* krb v5, keytab version 2 (standard) */
#define KRB5_KT_DEFAULT_VNO KRB5_KT_VNO
-/*
+/*
* Types
*/
typedef struct _krb5_ktsrvtab_data {
- char *name; /* Name of the file */
- FILE *openf; /* open file, if any. */
+ char *name; /* Name of the file */
+ FILE *openf; /* open file, if any. */
} krb5_ktsrvtab_data;
/*
@@ -56,59 +57,59 @@ typedef struct _krb5_ktsrvtab_data {
extern const struct _krb5_kt_ops krb5_kts_ops;
static krb5_error_code KRB5_CALLCONV krb5_ktsrvtab_resolve
- (krb5_context,
- const char *,
- krb5_keytab *);
+(krb5_context,
+ const char *,
+ krb5_keytab *);
static krb5_error_code KRB5_CALLCONV krb5_ktsrvtab_get_name
- (krb5_context,
- krb5_keytab,
- char *,
- unsigned int);
+(krb5_context,
+ krb5_keytab,
+ char *,
+ unsigned int);
static krb5_error_code KRB5_CALLCONV krb5_ktsrvtab_close
- (krb5_context,
- krb5_keytab);
+(krb5_context,
+ krb5_keytab);
static krb5_error_code KRB5_CALLCONV krb5_ktsrvtab_get_entry
- (krb5_context,
- krb5_keytab,
- krb5_const_principal,
- krb5_kvno,
- krb5_enctype,
- krb5_keytab_entry *);
+(krb5_context,
+ krb5_keytab,
+ krb5_const_principal,
+ krb5_kvno,
+ krb5_enctype,
+ krb5_keytab_entry *);
static krb5_error_code KRB5_CALLCONV krb5_ktsrvtab_start_seq_get
- (krb5_context,
- krb5_keytab,
- krb5_kt_cursor *);
+(krb5_context,
+ krb5_keytab,
+ krb5_kt_cursor *);
static krb5_error_code KRB5_CALLCONV krb5_ktsrvtab_get_next
- (krb5_context,
- krb5_keytab,
- krb5_keytab_entry *,
- krb5_kt_cursor *);
+(krb5_context,
+ krb5_keytab,
+ krb5_keytab_entry *,
+ krb5_kt_cursor *);
static krb5_error_code KRB5_CALLCONV krb5_ktsrvtab_end_get
- (krb5_context,
- krb5_keytab,
- krb5_kt_cursor *);
+(krb5_context,
+ krb5_keytab,
+ krb5_kt_cursor *);
static krb5_error_code krb5_ktsrvint_open
- (krb5_context,
- krb5_keytab);
+(krb5_context,
+ krb5_keytab);
static krb5_error_code krb5_ktsrvint_close
- (krb5_context,
- krb5_keytab);
+(krb5_context,
+ krb5_keytab);
-static krb5_error_code krb5_ktsrvint_read_entry
- (krb5_context,
- krb5_keytab,
- krb5_keytab_entry *);
+static krb5_error_code krb5_ktsrvint_read_entry
+(krb5_context,
+ krb5_keytab,
+ krb5_keytab_entry *);
/*
- * This is an implementation specific resolver. It returns a keytab id
+ * This is an implementation specific resolver. It returns a keytab id
* initialized with srvtab keytab routines.
*/
@@ -118,20 +119,20 @@ krb5_ktsrvtab_resolve(krb5_context context, const char *name, krb5_keytab *id)
krb5_ktsrvtab_data *data;
if ((*id = (krb5_keytab) malloc(sizeof(**id))) == NULL)
- return(ENOMEM);
-
+ return(ENOMEM);
+
(*id)->ops = &krb5_kts_ops;
data = (krb5_ktsrvtab_data *)malloc(sizeof(krb5_ktsrvtab_data));
if (data == NULL) {
- free(*id);
- return(ENOMEM);
+ free(*id);
+ return(ENOMEM);
}
data->name = strdup(name);
if (data->name == NULL) {
- free(data);
- free(*id);
- return(ENOMEM);
+ free(data);
+ free(*id);
+ return(ENOMEM);
}
data->openf = 0;
@@ -148,13 +149,13 @@ krb5_ktsrvtab_resolve(krb5_context context, const char *name, krb5_keytab *id)
krb5_error_code KRB5_CALLCONV
krb5_ktsrvtab_close(krb5_context context, krb5_keytab id)
- /*
- * This routine is responsible for freeing all memory allocated
- * for this keytab. There are no system resources that need
- * to be freed nor are there any open files.
- *
- * This routine should undo anything done by krb5_ktsrvtab_resolve().
- */
+/*
+ * This routine is responsible for freeing all memory allocated
+ * for this keytab. There are no system resources that need
+ * to be freed nor are there any open files.
+ *
+ * This routine should undo anything done by krb5_ktsrvtab_resolve().
+ */
{
free(KTFILENAME(id));
free(id->data);
@@ -178,7 +179,7 @@ krb5_ktsrvtab_get_entry(krb5_context context, krb5_keytab id, krb5_const_princip
/* Open the srvtab. */
if ((kerror = krb5_ktsrvint_open(context, id)))
- return(kerror);
+ return(kerror);
/* srvtab files only have DES_CBC_CRC keys. */
switch (enctype) {
@@ -187,50 +188,50 @@ krb5_ktsrvtab_get_entry(krb5_context context, krb5_keytab id, krb5_const_princip
case ENCTYPE_DES_CBC_MD4:
case ENCTYPE_DES_CBC_RAW:
case IGNORE_ENCTYPE:
- break;
+ break;
default:
- return KRB5_KT_NOTFOUND;
+ return KRB5_KT_NOTFOUND;
}
best_entry.principal = 0;
best_entry.vno = 0;
best_entry.key.contents = 0;
while ((kerror = krb5_ktsrvint_read_entry(context, id, &ent)) == 0) {
- ent.key.enctype = enctype;
- if (krb5_principal_compare(context, principal, ent.principal)) {
- if (kvno == IGNORE_VNO) {
- if (!best_entry.principal || (best_entry.vno < ent.vno)) {
- krb5_kt_free_entry(context, &best_entry);
- best_entry = ent;
- }
- } else {
- if (ent.vno == kvno) {
- best_entry = ent;
- break;
- } else {
- found_wrong_kvno = 1;
- }
- }
- } else {
- krb5_kt_free_entry(context, &ent);
- }
+ ent.key.enctype = enctype;
+ if (krb5_principal_compare(context, principal, ent.principal)) {
+ if (kvno == IGNORE_VNO) {
+ if (!best_entry.principal || (best_entry.vno < ent.vno)) {
+ krb5_kt_free_entry(context, &best_entry);
+ best_entry = ent;
+ }
+ } else {
+ if (ent.vno == kvno) {
+ best_entry = ent;
+ break;
+ } else {
+ found_wrong_kvno = 1;
+ }
+ }
+ } else {
+ krb5_kt_free_entry(context, &ent);
+ }
}
if (kerror == KRB5_KT_END) {
- if (best_entry.principal)
- kerror = 0;
- else if (found_wrong_kvno)
- kerror = KRB5_KT_KVNONOTFOUND;
- else
- kerror = KRB5_KT_NOTFOUND;
+ if (best_entry.principal)
+ kerror = 0;
+ else if (found_wrong_kvno)
+ kerror = KRB5_KT_KVNONOTFOUND;
+ else
+ kerror = KRB5_KT_NOTFOUND;
}
if (kerror) {
- (void) krb5_ktsrvint_close(context, id);
- krb5_kt_free_entry(context, &best_entry);
- return kerror;
+ (void) krb5_ktsrvint_close(context, id);
+ krb5_kt_free_entry(context, &best_entry);
+ return kerror;
}
if ((kerror = krb5_ktsrvint_close(context, id)) != 0) {
- krb5_kt_free_entry(context, &best_entry);
- return kerror;
+ krb5_kt_free_entry(context, &best_entry);
+ return kerror;
}
*entry = best_entry;
return 0;
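Review bot: Entries that match the principal but are not kept are never released in the read loop: in the `kvno == IGNORE_VNO` branch when `ent` is not newer than `best_entry`, and in the `found_wrong_kvno = 1` branch. Each such entry carries a principal and a malloc'd key copy from krb5_ktsrvint_read_entry, so key bytes stay in the heap without the zeroing that krb5_kt_free_entry performs; both branches should call `krb5_kt_free_entry(context, &ent);`. Separately, the `default:` case returns `KRB5_KT_NOTFOUND` while the file opened by krb5_ktsrvint_open in the preceding hunk is still open, so it should call `(void) krb5_ktsrvint_close(context, id);` first, or the enctype check should move ahead of the open. The function body starts outside this hunk.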
@@ -242,18 +243,18 @@ krb5_ktsrvtab_get_entry(krb5_context context, krb5_keytab id, krb5_const_princip
krb5_error_code KRB5_CALLCONV
krb5_ktsrvtab_get_name(krb5_context context, krb5_keytab id, char *name, unsigned int len)
- /*
- * This routine returns the name of the name of the file associated with
- * this srvtab-based keytab. The name is prefixed with PREFIX:, so that
- * trt will happen if the name is passed back to resolve.
- */
+/*
+ * This routine returns the name of the name of the file associated with
+ * this srvtab-based keytab. The name is prefixed with PREFIX:, so that
+ * trt will happen if the name is passed back to resolve.
+ */
{
int result;
memset(name, 0, len);
result = snprintf(name, len, "%s:%s", id->ops->prefix, KTFILENAME(id));
if (SNPRINTF_OVERFLOW(result, len))
- return(KRB5_KT_NAME_TOOLONG);
+ return(KRB5_KT_NAME_TOOLONG);
return(0);
}
@@ -268,11 +269,11 @@ krb5_ktsrvtab_start_seq_get(krb5_context context, krb5_keytab id, krb5_kt_cursor
long *fileoff;
if ((retval = krb5_ktsrvint_open(context, id)))
- return retval;
+ return retval;
if (!(fileoff = (long *)malloc(sizeof(*fileoff)))) {
- krb5_ktsrvint_close(context, id);
- return ENOMEM;
+ krb5_ktsrvint_close(context, id);
+ return ENOMEM;
}
*fileoff = ftell(KTFILEP(id));
*cursorp = (krb5_kt_cursor)fileoff;
@@ -292,9 +293,9 @@ krb5_ktsrvtab_get_next(krb5_context context, krb5_keytab id, krb5_keytab_entry *
krb5_error_code kerror;
if (fseek(KTFILEP(id), *fileoff, 0) == -1)
- return KRB5_KT_END;
+ return KRB5_KT_END;
if ((kerror = krb5_ktsrvint_read_entry(context, id, &cur_entry)))
- return kerror;
+ return kerror;
*fileoff = ftell(KTFILEP(id));
*entry = cur_entry;
return 0;
@@ -317,9 +318,9 @@ krb5_ktsrvtab_end_get(krb5_context context, krb5_keytab id, krb5_kt_cursor *curs
const struct _krb5_kt_ops krb5_kts_ops = {
0,
- "SRVTAB", /* Prefix -- this string should not appear anywhere else! */
+ "SRVTAB", /* Prefix -- this string should not appear anywhere else! */
krb5_ktsrvtab_resolve,
- krb5_ktsrvtab_get_name,
+ krb5_ktsrvtab_get_name,
krb5_ktsrvtab_close,
krb5_ktsrvtab_get_entry,
krb5_ktsrvtab_start_seq_get,
@@ -344,7 +345,7 @@ const struct _krb5_kt_ops krb5_kts_ops = {
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -358,7 +359,7 @@ const struct _krb5_kt_ops krb5_kts_ops = {
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* This function contains utilities for the srvtab based implementation
* of the keytab. There are no public functions in this file.
@@ -367,17 +368,17 @@ const struct _krb5_kt_ops krb5_kts_ops = {
#include <stdio.h>
#ifdef ANSI_STDIO
-#define READ_MODE "rb"
+#define READ_MODE "rb"
#else
-#define READ_MODE "r"
+#define READ_MODE "r"
#endif
/* The maximum sizes for V4 aname, realm, sname, and instance +1 */
/* Taken from krb.h */
-#define ANAME_SZ 40
-#define REALM_SZ 40
-#define SNAME_SZ 40
-#define INST_SZ 40
+#define ANAME_SZ 40
+#define REALM_SZ 40
+#define SNAME_SZ 40
+#define INST_SZ 40
static krb5_error_code
read_field(FILE *fp, char *s, int len)
@@ -385,11 +386,11 @@ read_field(FILE *fp, char *s, int len)
int c;
while ((c = getc(fp)) != 0) {
- if (c == EOF || len <= 1)
- return KRB5_KT_END;
- *s = c;
- s++;
- len--;
+ if (c == EOF || len <= 1)
+ return KRB5_KT_END;
+ *s = c;
+ s++;
+ len--;
}
*s = 0;
return 0;
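Review bot: `read_field` returns `KRB5_KT_END` both for an over-long field (`len <= 1`) and for EOF in the middle of a field, which is the same code the callers treat as a clean end of the srvtab. A truncated or malformed file is therefore indistinguishable from one that ended normally, and a lookup reports "not found" instead of a format problem. Consider returning a distinct error for these two cases, or at least documenting it above the function with a comment such as `/* Returns KRB5_KT_END on EOF and also when the field does not fit in len bytes. */`. The function signature sits in the preceding hunk.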
@@ -400,7 +401,7 @@ krb5_ktsrvint_open(krb5_context context, krb5_keytab id)
{
KTFILEP(id) = fopen(KTFILENAME(id), READ_MODE);
if (!KTFILEP(id))
- return errno;
+ return errno;
set_cloexec_file(KTFILEP(id));
return 0;
}
@@ -409,7 +410,7 @@ krb5_error_code
krb5_ktsrvint_close(krb5_context context, krb5_keytab id)
{
if (!KTFILEP(id))
- return 0;
+ return 0;
(void) fclose(KTFILEP(id));
KTFILEP(id) = 0;
return 0;
@@ -428,18 +429,18 @@ krb5_ktsrvint_read_entry(krb5_context context, krb5_keytab id, krb5_keytab_entry
fp = KTFILEP(id);
kerror = read_field(fp, name, sizeof(name));
if (kerror != 0)
- return kerror;
+ return kerror;
kerror = read_field(fp, instance, sizeof(instance));
if (kerror != 0)
- return kerror;
+ return kerror;
kerror = read_field(fp, realm, sizeof(realm));
if (kerror != 0)
- return kerror;
+ return kerror;
vno = getc(fp);
if (vno == EOF)
- return KRB5_KT_END;
+ return KRB5_KT_END;
if (fread(key, 1, sizeof(key), fp) != sizeof(key))
- return KRB5_KT_END;
+ return KRB5_KT_END;
/* Fill in ret_entry with the data we read. Everything maps well
* except for the timestamp, which we don't have a value for. For
@@ -447,9 +448,9 @@ krb5_ktsrvint_read_entry(krb5_context context, krb5_keytab id, krb5_keytab_entry
memset(ret_entry, 0, sizeof(*ret_entry));
ret_entry->magic = KV5M_KEYTAB_ENTRY;
kerror = krb5_425_conv_principal(context, name, instance, realm,
- &ret_entry->principal);
+ &ret_entry->principal);
if (kerror != 0)
- return kerror;
+ return kerror;
ret_entry->vno = vno;
ret_entry->timestamp = 0;
ret_entry->key.enctype = ENCTYPE_DES_CBC_CRC;
@@ -457,12 +458,11 @@ krb5_ktsrvint_read_entry(krb5_context context, krb5_keytab id, krb5_keytab_entry
ret_entry->key.length = sizeof(key);
ret_entry->key.contents = malloc(sizeof(key));
if (!ret_entry->key.contents) {
- krb5_free_principal(context, ret_entry->principal);
- return ENOMEM;
+ krb5_free_principal(context, ret_entry->principal);
+ return ENOMEM;
}
memcpy(ret_entry->key.contents, key, sizeof(key));
return 0;
}
#endif /* LEAN_CLIENT */
-
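Review bot: The local `key` buffer still holds the raw srvtab key when krb5_ktsrvint_read_entry returns, since it is only copied out with `memcpy` and never cleared. Clearing it on every exit that follows the `fread` in the earlier hunk, for example `zap(key, sizeof(key));` before `return 0;` and before `return ENOMEM;`, keeps the secret from lingering on the stack. `zap` is the helper that ktfr_entry.c in this same commit uses on key contents; whether it is in scope here depends on includes outside the visible hunks. The declaration of `key` is also outside the hunks, so this assumes it is an automatic array, as the `sizeof(key)` uses suggest.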
diff --git a/src/lib/krb5/keytab/ktadd.c b/src/lib/krb5/keytab/ktadd.c
index 360dd64cd7..10bb246498 100644
--- a/src/lib/krb5/keytab/ktadd.c
+++ b/src/lib/krb5/keytab/ktadd.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/keytab/ktadd.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_kt_add_entry()
*/
@@ -35,9 +36,8 @@ krb5_error_code KRB5_CALLCONV
krb5_kt_add_entry (krb5_context context, krb5_keytab id, krb5_keytab_entry *entry)
{
if (id->ops->add)
- return (*id->ops->add)(context, id, entry);
+ return (*id->ops->add)(context, id, entry);
else
- return KRB5_KT_NOWRITE;
+ return KRB5_KT_NOWRITE;
}
#endif /* LEAN_CLIENT */
-
diff --git a/src/lib/krb5/keytab/ktbase.c b/src/lib/krb5/keytab/ktbase.c
index b99bee4035..b88380e273 100644
--- a/src/lib/krb5/keytab/ktbase.c
+++ b/src/lib/krb5/keytab/ktbase.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/keytab/ktbase.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* Copyright 2007 by Secure Endpoints Inc.
*
@@ -91,12 +92,12 @@ int krb5int_kt_initialize(void)
err = k5_mutex_finish_init(&kt_typehead_lock);
if (err)
- goto done;
+ goto done;
err = krb5int_mkt_initialize();
if (err)
- goto done;
+ goto done;
- done:
+done:
return(err);
}
@@ -107,8 +108,8 @@ krb5int_kt_finalize(void)
k5_mutex_destroy(&kt_typehead_lock);
for (t = kt_typehead; t != &krb5_kt_typelist_file; t = t_next) {
- t_next = t->next;
- free((struct krb5_kt_typelist *)t);
+ t_next = t->next;
+ free((struct krb5_kt_typelist *)t);
}
krb5int_mkt_finalize();
@@ -129,16 +130,16 @@ krb5_kt_register(krb5_context context, const krb5_kt_ops *ops)
err = k5_mutex_lock(&kt_typehead_lock);
if (err)
- return err;
+ return err;
for (t = kt_typehead; t && strcmp(t->ops->prefix,ops->prefix);t = t->next)
- ;
+ ;
if (t) {
- k5_mutex_unlock(&kt_typehead_lock);
- return KRB5_KT_TYPE_EXISTS;
+ k5_mutex_unlock(&kt_typehead_lock);
+ return KRB5_KT_TYPE_EXISTS;
}
if (!(newt = (struct krb5_kt_typelist *) malloc(sizeof(*t)))) {
- k5_mutex_unlock(&kt_typehead_lock);
- return ENOMEM;
+ k5_mutex_unlock(&kt_typehead_lock);
+ return ENOMEM;
}
newt->next = kt_typehead;
newt->ops = ops;
@@ -172,7 +173,7 @@ krb5_kt_resolve (krb5_context context, const char *name, krb5_keytab *ktid)
cp = strchr (name, ':');
if (!cp)
- return (*krb5_kt_dfl_ops.resolve)(context, name, ktid);
+ return (*krb5_kt_dfl_ops.resolve)(context, name, ktid);
pfxlen = cp - name;
@@ -184,13 +185,13 @@ krb5_kt_resolve (krb5_context context, const char *name, krb5_keytab *ktid)
resid = name;
} else if (name[0] == '/') {
- pfx = strdup("FILE");
- if (!pfx)
- return ENOMEM;
- resid = name;
+ pfx = strdup("FILE");
+ if (!pfx)
+ return ENOMEM;
+ resid = name;
} else {
resid = name + pfxlen + 1;
-
+
pfx = malloc (pfxlen+1);
if (!pfx)
return ENOMEM;
@@ -203,19 +204,19 @@ krb5_kt_resolve (krb5_context context, const char *name, krb5_keytab *ktid)
err = k5_mutex_lock(&kt_typehead_lock);
if (err)
- goto cleanup;
+ goto cleanup;
tlist = kt_typehead;
/* Don't need to hold the lock, since entries are never modified
or removed once they're in the list. Just need to protect
access to the list head variable itself. */
k5_mutex_unlock(&kt_typehead_lock);
for (; tlist; tlist = tlist->next) {
- if (strcmp (tlist->ops->prefix, pfx) == 0) {
- err = (*tlist->ops->resolve)(context, resid, &id);
- if (!err)
- *ktid = id;
- goto cleanup;
- }
+ if (strcmp (tlist->ops->prefix, pfx) == 0) {
+ err = (*tlist->ops->resolve)(context, resid, &id);
+ if (!err)
+ *ktid = id;
+ goto cleanup;
+ }
}
err = KRB5_KT_UNKNOWN_TYPE;
@@ -226,69 +227,69 @@ cleanup:
/*
* Routines to deal with externalizingt krb5_keytab.
- * krb5_keytab_size();
- * krb5_keytab_externalize();
- * krb5_keytab_internalize();
+ * krb5_keytab_size();
+ * krb5_keytab_externalize();
+ * krb5_keytab_internalize();
*/
static krb5_error_code krb5_keytab_size
- (krb5_context, krb5_pointer, size_t *);
+(krb5_context, krb5_pointer, size_t *);
static krb5_error_code krb5_keytab_externalize
- (krb5_context, krb5_pointer, krb5_octet **, size_t *);
+(krb5_context, krb5_pointer, krb5_octet **, size_t *);
static krb5_error_code krb5_keytab_internalize
- (krb5_context,krb5_pointer *, krb5_octet **, size_t *);
+(krb5_context,krb5_pointer *, krb5_octet **, size_t *);
/*
* Serialization entry for this type.
*/
static const krb5_ser_entry krb5_keytab_ser_entry = {
- KV5M_KEYTAB, /* Type */
- krb5_keytab_size, /* Sizer routine */
- krb5_keytab_externalize, /* Externalize routine */
- krb5_keytab_internalize /* Internalize routine */
+ KV5M_KEYTAB, /* Type */
+ krb5_keytab_size, /* Sizer routine */
+ krb5_keytab_externalize, /* Externalize routine */
+ krb5_keytab_internalize /* Internalize routine */
};
static krb5_error_code
krb5_keytab_size(krb5_context kcontext, krb5_pointer arg, size_t *sizep)
{
- krb5_error_code kret;
- krb5_keytab keytab;
- krb5_ser_handle shandle;
+ krb5_error_code kret;
+ krb5_keytab keytab;
+ krb5_ser_handle shandle;
kret = EINVAL;
if ((keytab = (krb5_keytab) arg) &&
- keytab->ops &&
- (shandle = (krb5_ser_handle) keytab->ops->serializer) &&
- shandle->sizer)
- kret = (*shandle->sizer)(kcontext, arg, sizep);
+ keytab->ops &&
+ (shandle = (krb5_ser_handle) keytab->ops->serializer) &&
+ shandle->sizer)
+ kret = (*shandle->sizer)(kcontext, arg, sizep);
return(kret);
}
static krb5_error_code
krb5_keytab_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet **buffer, size_t *lenremain)
{
- krb5_error_code kret;
- krb5_keytab keytab;
- krb5_ser_handle shandle;
+ krb5_error_code kret;
+ krb5_keytab keytab;
+ krb5_ser_handle shandle;
kret = EINVAL;
if ((keytab = (krb5_keytab) arg) &&
- keytab->ops &&
- (shandle = (krb5_ser_handle) keytab->ops->serializer) &&
- shandle->externalizer)
- kret = (*shandle->externalizer)(kcontext, arg, buffer, lenremain);
+ keytab->ops &&
+ (shandle = (krb5_ser_handle) keytab->ops->serializer) &&
+ shandle->externalizer)
+ kret = (*shandle->externalizer)(kcontext, arg, buffer, lenremain);
return(kret);
}
static krb5_error_code
krb5_keytab_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet **buffer, size_t *lenremain)
{
- krb5_error_code kret;
- krb5_ser_handle shandle;
+ krb5_error_code kret;
+ krb5_ser_handle shandle;
kret = EINVAL;
if ((shandle = (krb5_ser_handle) krb5_kt_dfl_ops.serializer) &&
- shandle->internalizer)
- kret = (*shandle->internalizer)(kcontext, argp, buffer, lenremain);
+ shandle->internalizer)
+ kret = (*shandle->internalizer)(kcontext, argp, buffer, lenremain);
return(kret);
}
@@ -298,4 +299,3 @@ krb5_ser_keytab_init(krb5_context kcontext)
return(krb5_register_serializer(kcontext, &krb5_keytab_ser_entry));
}
#endif /* LEAN_CLIENT */
-
diff --git a/src/lib/krb5/keytab/ktdefault.c b/src/lib/krb5/keytab/ktdefault.c
index 3d7ee0946c..7a4d68f1b2 100644
--- a/src/lib/krb5/keytab/ktdefault.c
+++ b/src/lib/krb5/keytab/ktdefault.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/keytab/ktdefault.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* Get a default keytab.
*/
@@ -38,9 +39,8 @@ krb5_kt_default(krb5_context context, krb5_keytab *id)
krb5_error_code retval;
if ((retval = krb5_kt_default_name(context, defname, sizeof(defname))))
- return retval;
+ return retval;
return krb5_kt_resolve(context, defname, id);
}
#endif /* LEAN_CLIENT */
-
diff --git a/src/lib/krb5/keytab/ktfns.c b/src/lib/krb5/keytab/ktfns.c
index 9239f3d167..3496c09647 100644
--- a/src/lib/krb5/keytab/ktfns.c
+++ b/src/lib/krb5/keytab/ktfns.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/keytab/ktfns.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -28,7 +29,7 @@
* Dispatch methods for keytab code.
*/
-#ifndef LEAN_CLIENT
+#ifndef LEAN_CLIENT
#include "k5-int.h"
@@ -40,7 +41,7 @@ krb5_kt_get_type (krb5_context context, krb5_keytab keytab)
krb5_error_code KRB5_CALLCONV
krb5_kt_get_name(krb5_context context, krb5_keytab keytab, char *name,
- unsigned int namelen)
+ unsigned int namelen)
{
return krb5_x((keytab)->ops->get_name,(context, keytab,name,namelen));
}
@@ -53,48 +54,47 @@ krb5_kt_close(krb5_context context, krb5_keytab keytab)
krb5_error_code KRB5_CALLCONV
krb5_kt_get_entry(krb5_context context, krb5_keytab keytab,
- krb5_const_principal principal, krb5_kvno vno,
- krb5_enctype enctype, krb5_keytab_entry *entry)
+ krb5_const_principal principal, krb5_kvno vno,
+ krb5_enctype enctype, krb5_keytab_entry *entry)
{
krb5_error_code err;
krb5_principal_data princ_data;
if (krb5_is_referral_realm(&principal->realm)) {
- char *realm;
- princ_data = *principal;
- principal = &princ_data;
- err = krb5_get_default_realm(context, &realm);
- if (err)
- return err;
- princ_data.realm.data = realm;
- princ_data.realm.length = strlen(realm);
+ char *realm;
+ princ_data = *principal;
+ principal = &princ_data;
+ err = krb5_get_default_realm(context, &realm);
+ if (err)
+ return err;
+ princ_data.realm.data = realm;
+ princ_data.realm.length = strlen(realm);
}
err = krb5_x((keytab)->ops->get,(context, keytab, principal, vno, enctype,
- entry));
+ entry));
if (principal == &princ_data)
- krb5_free_default_realm(context, princ_data.realm.data);
+ krb5_free_default_realm(context, princ_data.realm.data);
return err;
}
krb5_error_code KRB5_CALLCONV
krb5_kt_start_seq_get(krb5_context context, krb5_keytab keytab,
- krb5_kt_cursor *cursor)
+ krb5_kt_cursor *cursor)
{
return krb5_x((keytab)->ops->start_seq_get,(context, keytab, cursor));
}
krb5_error_code KRB5_CALLCONV
krb5_kt_next_entry(krb5_context context, krb5_keytab keytab,
- krb5_keytab_entry *entry, krb5_kt_cursor *cursor)
+ krb5_keytab_entry *entry, krb5_kt_cursor *cursor)
{
return krb5_x((keytab)->ops->get_next,(context, keytab, entry, cursor));
}
krb5_error_code KRB5_CALLCONV
krb5_kt_end_seq_get(krb5_context context, krb5_keytab keytab,
- krb5_kt_cursor *cursor)
+ krb5_kt_cursor *cursor)
{
return krb5_x((keytab)->ops->end_get,(context, keytab, cursor));
}
#endif /* LEAN_CLIENT */
-
diff --git a/src/lib/krb5/keytab/ktfr_entry.c b/src/lib/krb5/keytab/ktfr_entry.c
index 9587efc636..8fdbda2fce 100644
--- a/src/lib/krb5/keytab/ktfr_entry.c
+++ b/src/lib/krb5/keytab/ktfr_entry.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/keytab/ktfr_entry.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,11 +23,11 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_kt_free_entry()
*/
-#ifndef LEAN_CLIENT
+#ifndef LEAN_CLIENT
#include "k5-int.h"
@@ -34,12 +35,12 @@ krb5_error_code KRB5_CALLCONV
krb5_free_keytab_entry_contents (krb5_context context, krb5_keytab_entry *entry)
{
if (!entry)
- return 0;
-
+ return 0;
+
krb5_free_principal(context, entry->principal);
if (entry->key.contents) {
- zap((char *)entry->key.contents, entry->key.length);
- free(entry->key.contents);
+ zap((char *)entry->key.contents, entry->key.length);
+ free(entry->key.contents);
}
return 0;
}
@@ -50,4 +51,3 @@ krb5_kt_free_entry (krb5_context context, krb5_keytab_entry *entry)
return krb5_free_keytab_entry_contents (context, entry);
}
#endif /* LEAN_CLIENT */
-
diff --git a/src/lib/krb5/keytab/ktremove.c b/src/lib/krb5/keytab/ktremove.c
index 4ba6063f72..1ccefd842a 100644
--- a/src/lib/krb5/keytab/ktremove.c
+++ b/src/lib/krb5/keytab/ktremove.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/keytab/ktremove.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,11 +23,11 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_kt_remove_entry()
*/
-#ifndef LEAN_CLIENT
+#ifndef LEAN_CLIENT
#include "k5-int.h"
@@ -34,9 +35,8 @@ krb5_error_code KRB5_CALLCONV
krb5_kt_remove_entry (krb5_context context, krb5_keytab id, krb5_keytab_entry *entry)
{
if (id->ops->remove)
- return (*id->ops->remove)(context, id, entry);
+ return (*id->ops->remove)(context, id, entry);
else
- return KRB5_KT_NOWRITE;
+ return KRB5_KT_NOWRITE;
}
#endif /* LEAN_CLIENT */
-
diff --git a/src/lib/krb5/keytab/read_servi.c b/src/lib/krb5/keytab/read_servi.c
index 6638a5a927..0172edbb06 100644
--- a/src/lib/krb5/keytab/read_servi.c
+++ b/src/lib/krb5/keytab/read_servi.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/keytab/read_servi.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,25 +23,25 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
*
- * This routine is designed to be passed to krb5_rd_req.
+ *
+ * This routine is designed to be passed to krb5_rd_req.
* It is a convenience function that reads a key out of a keytab.
- * It handles all of the opening and closing of the keytab
- * internally.
+ * It handles all of the opening and closing of the keytab
+ * internally.
*/
-#ifndef LEAN_CLIENT
+#ifndef LEAN_CLIENT
#include "k5-int.h"
#define KSUCCESS 0
/*
- * effects: If keyprocarg is not NULL, it is taken to be the name of a
- * keytab. Otherwise, the default keytab will be used. This
- * routine opens the keytab and finds the principal associated with
- * principal, vno, and enctype and returns the resulting key in *key
- * or returning an error code if it is not found.
+ * effects: If keyprocarg is not NULL, it is taken to be the name of a
+ * keytab. Otherwise, the default keytab will be used. This
+ * routine opens the keytab and finds the principal associated with
+ * principal, vno, and enctype and returns the resulting key in *key
+ * or returning an error code if it is not found.
* returns: Either KSUCCESS or error code.
* errors: error code if not found or keyprocarg is invalid.
*/
@@ -51,28 +52,28 @@ krb5_kt_read_service_key(krb5_context context, krb5_pointer keyprocarg, krb5_pri
char keytabname[MAX_KEYTAB_NAME_LEN + 1]; /* + 1 for NULL termination */
krb5_keytab id;
krb5_keytab_entry entry;
-
+
/*
- * Get the name of the file that we should use.
+ * Get the name of the file that we should use.
*/
if (!keyprocarg) {
- if ((kerror = krb5_kt_default_name(context, (char *)keytabname,
- sizeof(keytabname) - 1))!= KSUCCESS)
- return (kerror);
+ if ((kerror = krb5_kt_default_name(context, (char *)keytabname,
+ sizeof(keytabname) - 1))!= KSUCCESS)
+ return (kerror);
} else {
- memset(keytabname, 0, sizeof(keytabname));
- (void) strncpy(keytabname, (char *)keyprocarg,
- sizeof(keytabname) - 1);
+ memset(keytabname, 0, sizeof(keytabname));
+ (void) strncpy(keytabname, (char *)keyprocarg,
+ sizeof(keytabname) - 1);
}
if ((kerror = krb5_kt_resolve(context, (char *)keytabname, &id)))
- return (kerror);
+ return (kerror);
kerror = krb5_kt_get_entry(context, id, principal, vno, enctype, &entry);
krb5_kt_close(context, id);
if (kerror)
- return(kerror);
+ return(kerror);
krb5_copy_keyblock(context, &entry.key, key);
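Review bot: The result of `krb5_copy_keyblock(context, &entry.key, key);` on the last line of this hunk is discarded, and the next hunk shows the function ending in an unconditional `return (KSUCCESS);`. If the copy fails, the caller is told the lookup succeeded although `*key` was never set by this call. Store the result with `kerror = krb5_copy_keyblock(context, &entry.key, key);` and return `kerror` once the entry has been released, in place of the fixed `KSUCCESS`. The lines between the two hunks are not visible, so the exact placement of the return needs checking against the full function.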
@@ -81,4 +82,3 @@ krb5_kt_read_service_key(krb5_context context, krb5_pointer keyprocarg, krb5_pri
return (KSUCCESS);
}
#endif /* LEAN_CLIENT */
-
diff --git a/src/lib/krb5/keytab/t_keytab.c b/src/lib/krb5/keytab/t_keytab.c
index d23502226d..607ce9ffb4 100644
--- a/src/lib/krb5/keytab/t_keytab.c
+++ b/src/lib/krb5/keytab/t_keytab.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/keytab/t_keytab.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,8 +23,8 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
- *
+ *
+ *
*
* A set of tests for the keytab interface
*/
@@ -45,410 +46,410 @@ extern const krb5_kt_ops krb5_ktf_writable_ops;
#define KRB5_OK 0
-#define CHECK(kret,msg) \
- if (kret != KRB5_OK) {\
- com_err(msg, kret, ""); \
- fflush(stderr);\
- exit(1);\
- } else if(debug) printf("%s went ok\n", msg);
+#define CHECK(kret,msg) \
+ if (kret != KRB5_OK) { \
+ com_err(msg, kret, ""); \
+ fflush(stderr); \
+ exit(1); \
+ } else if(debug) printf("%s went ok\n", msg);
-#define CHECK_STR(str,msg) \
- if (str == 0) {\
- com_err(msg, kret, "");\
- exit(1);\
- } else if(debug) printf("%s went ok\n", msg);
+#define CHECK_STR(str,msg) \
+ if (str == 0) { \
+ com_err(msg, kret, ""); \
+ exit(1); \
+ } else if(debug) printf("%s went ok\n", msg);
static void test_misc(krb5_context context)
{
- /* Tests for certain error returns */
- krb5_error_code kret;
- krb5_keytab ktid;
- char defname[BUFSIZ];
- char *name;
-
- fprintf(stderr, "Testing miscellaneous error conditions\n");
-
- kret = krb5_kt_resolve(context, "unknown_method_ep:/tmp/name", &ktid);
- if (kret != KRB5_KT_UNKNOWN_TYPE) {
- CHECK(kret, "resolve unknown type");
- }
-
- /* Test length limits on krb5_kt_default_name */
- kret = krb5_kt_default_name(context, defname, sizeof(defname));
- CHECK(kret, "krb5_kt_default_name error");
-
- /* Now allocate space - without the null... */
- name = malloc(strlen(defname));
- if(!name) {
- fprintf(stderr, "Out of memory in testing\n");
- exit(1);
- }
- kret = krb5_kt_default_name(context, name, strlen(defname));
- free(name);
- if (kret != KRB5_CONFIG_NOTENUFSPACE) {
- CHECK(kret, "krb5_kt_default_name limited");
- }
+ /* Tests for certain error returns */
+ krb5_error_code kret;
+ krb5_keytab ktid;
+ char defname[BUFSIZ];
+ char *name;
+
+ fprintf(stderr, "Testing miscellaneous error conditions\n");
+
+ kret = krb5_kt_resolve(context, "unknown_method_ep:/tmp/name", &ktid);
+ if (kret != KRB5_KT_UNKNOWN_TYPE) {
+ CHECK(kret, "resolve unknown type");
+ }
+
+ /* Test length limits on krb5_kt_default_name */
+ kret = krb5_kt_default_name(context, defname, sizeof(defname));
+ CHECK(kret, "krb5_kt_default_name error");
+
+ /* Now allocate space - without the null... */
+ name = malloc(strlen(defname));
+ if(!name) {
+ fprintf(stderr, "Out of memory in testing\n");
+ exit(1);
+ }
+ kret = krb5_kt_default_name(context, name, strlen(defname));
+ free(name);
+ if (kret != KRB5_CONFIG_NOTENUFSPACE) {
+ CHECK(kret, "krb5_kt_default_name limited");
+ }
}
static void kt_test(krb5_context context, const char *name)
{
- krb5_error_code kret;
- krb5_keytab kt;
- const char *type;
- char buf[BUFSIZ];
- char *p;
- krb5_keytab_entry kent, kent2;
- krb5_principal princ;
- krb5_kt_cursor cursor, cursor2;
- int cnt;
-
- kret = krb5_kt_resolve(context, name, &kt);
- CHECK(kret, "resolve");
-
- type = krb5_kt_get_type(context, kt);
- CHECK_STR(type, "getting kt type");
- printf(" Type is: %s\n", type);
-
- kret = krb5_kt_get_name(context, kt, buf, sizeof(buf));
- CHECK(kret, "get_name");
- printf(" Name is: %s\n", buf);
-
- /* Check that length checks fail */
- /* The buffer is allocated too small - to allow for valgrind test of
- overflows
+ krb5_error_code kret;
+ krb5_keytab kt;
+ const char *type;
+ char buf[BUFSIZ];
+ char *p;
+ krb5_keytab_entry kent, kent2;
+ krb5_principal princ;
+ krb5_kt_cursor cursor, cursor2;
+ int cnt;
+
+ kret = krb5_kt_resolve(context, name, &kt);
+ CHECK(kret, "resolve");
+
+ type = krb5_kt_get_type(context, kt);
+ CHECK_STR(type, "getting kt type");
+ printf(" Type is: %s\n", type);
+
+ kret = krb5_kt_get_name(context, kt, buf, sizeof(buf));
+ CHECK(kret, "get_name");
+ printf(" Name is: %s\n", buf);
+
+ /* Check that length checks fail */
+ /* The buffer is allocated too small - to allow for valgrind test of
+ overflows
+ */
+ p = malloc(strlen(buf));
+ kret = krb5_kt_get_name(context, kt, p, 1);
+ if(kret != KRB5_KT_NAME_TOOLONG) {
+ CHECK(kret, "get_name - size 1");
+ }
+
+
+ kret = krb5_kt_get_name(context, kt, p, strlen(buf));
+ if(kret != KRB5_KT_NAME_TOOLONG) {
+ CHECK(kret, "get_name");
+ }
+ free(p);
+
+ /* Try to lookup unknown principal - when keytab does not exist*/
+ kret = krb5_parse_name(context, "test/test2@TEST.MIT.EDU", &princ);
+ CHECK(kret, "parsing principal");
+
+
+ kret = krb5_kt_get_entry(context, kt, princ, 0, 0, &kent);
+ if((kret != KRB5_KT_NOTFOUND) && (kret != ENOENT)) {
+ CHECK(kret, "Getting non-existant entry");
+ }
+
+
+ /* =================== Add entries to keytab ================= */
+ /*
+ * Add the following for this principal
+ * enctype 1, kvno 1, key = "1"
+ * enctype 2, kvno 1, key = "1"
+ * enctype 1, kvno 2, key = "2"
*/
- p = malloc(strlen(buf));
- kret = krb5_kt_get_name(context, kt, p, 1);
- if(kret != KRB5_KT_NAME_TOOLONG) {
- CHECK(kret, "get_name - size 1");
- }
-
-
- kret = krb5_kt_get_name(context, kt, p, strlen(buf));
- if(kret != KRB5_KT_NAME_TOOLONG) {
- CHECK(kret, "get_name");
- }
- free(p);
-
- /* Try to lookup unknown principal - when keytab does not exist*/
- kret = krb5_parse_name(context, "test/test2@TEST.MIT.EDU", &princ);
- CHECK(kret, "parsing principal");
-
-
- kret = krb5_kt_get_entry(context, kt, princ, 0, 0, &kent);
- if((kret != KRB5_KT_NOTFOUND) && (kret != ENOENT)) {
- CHECK(kret, "Getting non-existant entry");
- }
-
-
- /* =================== Add entries to keytab ================= */
- /*
- * Add the following for this principal
- * enctype 1, kvno 1, key = "1"
- * enctype 2, kvno 1, key = "1"
- * enctype 1, kvno 2, key = "2"
- */
- memset(&kent, 0, sizeof(kent));
- kent.magic = KV5M_KEYTAB_ENTRY;
- kent.principal = princ;
- kent.timestamp = 327689;
- kent.vno = 1;
- kent.key.magic = KV5M_KEYBLOCK;
- kent.key.enctype = 1;
- kent.key.length = 1;
- kent.key.contents = (krb5_octet *) "1";
-
-
- kret = krb5_kt_add_entry(context, kt, &kent);
- CHECK(kret, "Adding initial entry");
-
- kent.key.enctype = 2;
- kret = krb5_kt_add_entry(context, kt, &kent);
- CHECK(kret, "Adding second entry");
-
- kent.key.enctype = 1;
- kent.vno = 2;
- kent.key.contents = (krb5_octet *) "2";
- kret = krb5_kt_add_entry(context, kt, &kent);
- CHECK(kret, "Adding third entry");
-
- /* Free memory */
- krb5_free_principal(context, princ);
-
- /* ============== Test iterating over contents of keytab ========= */
-
- kret = krb5_kt_start_seq_get(context, kt, &cursor);
- CHECK(kret, "Start sequence get");
-
-
- memset(&kent, 0, sizeof(kent));
- cnt = 0;
- while((kret = krb5_kt_next_entry(context, kt, &kent, &cursor)) == 0) {
- if(((kent.vno != 1) && (kent.vno != 2)) ||
- ((kent.key.enctype != 1) && (kent.key.enctype != 2)) ||
- (kent.key.length != 1) ||
- (kent.key.contents[0] != kent.vno +'0')) {
- fprintf(stderr, "Error in read contents\n");
- exit(1);
- }
+ memset(&kent, 0, sizeof(kent));
+ kent.magic = KV5M_KEYTAB_ENTRY;
+ kent.principal = princ;
+ kent.timestamp = 327689;
+ kent.vno = 1;
+ kent.key.magic = KV5M_KEYBLOCK;
+ kent.key.enctype = 1;
+ kent.key.length = 1;
+ kent.key.contents = (krb5_octet *) "1";
+
+
+ kret = krb5_kt_add_entry(context, kt, &kent);
+ CHECK(kret, "Adding initial entry");
+
+ kent.key.enctype = 2;
+ kret = krb5_kt_add_entry(context, kt, &kent);
+ CHECK(kret, "Adding second entry");
+
+ kent.key.enctype = 1;
+ kent.vno = 2;
+ kent.key.contents = (krb5_octet *) "2";
+ kret = krb5_kt_add_entry(context, kt, &kent);
+ CHECK(kret, "Adding third entry");
+
+ /* Free memory */
+ krb5_free_principal(context, princ);
+
+ /* ============== Test iterating over contents of keytab ========= */
+
+ kret = krb5_kt_start_seq_get(context, kt, &cursor);
+ CHECK(kret, "Start sequence get");
+
+
+ memset(&kent, 0, sizeof(kent));
+ cnt = 0;
+ while((kret = krb5_kt_next_entry(context, kt, &kent, &cursor)) == 0) {
+ if(((kent.vno != 1) && (kent.vno != 2)) ||
+ ((kent.key.enctype != 1) && (kent.key.enctype != 2)) ||
+ (kent.key.length != 1) ||
+ (kent.key.contents[0] != kent.vno +'0')) {
+ fprintf(stderr, "Error in read contents\n");
+ exit(1);
+ }
+
+ if((kent.magic != KV5M_KEYTAB_ENTRY) ||
+ (kent.key.magic != KV5M_KEYBLOCK)) {
+ fprintf(stderr, "Magic number in sequence not proper\n");
+ exit(1);
+ }
+
+ cnt++;
+ krb5_free_keytab_entry_contents(context, &kent);
+ }
+ if (kret != KRB5_KT_END) {
+ CHECK(kret, "getting next entry");
+ }
+
+ if(cnt != 3) {
+ fprintf(stderr, "Mismatch in number of entries in keytab");
+ }
+
+ kret = krb5_kt_end_seq_get(context, kt, &cursor);
+ CHECK(kret, "End sequence get");
+
+
+ /* ========================== get_entry tests ============== */
+
+ /* Try to lookup unknown principal - now that keytab exists*/
+ kret = krb5_parse_name(context, "test3/test2@TEST.MIT.EDU", &princ);
+ CHECK(kret, "parsing principal");
+
+
+ kret = krb5_kt_get_entry(context, kt, princ, 0, 0, &kent);
+ if((kret != KRB5_KT_NOTFOUND)) {
+ CHECK(kret, "Getting non-existant entry");
+ }
+
+ krb5_free_principal(context, princ);
+
+ /* Try to lookup known principal */
+ kret = krb5_parse_name(context, "test/test2@TEST.MIT.EDU", &princ);
+ CHECK(kret, "parsing principal");
+
+ kret = krb5_kt_get_entry(context, kt, princ, 0, 0, &kent);
+ CHECK(kret, "looking up principal");
+
+ /* Ensure a valid answer - we did not specify an enctype or kvno */
+ if (!krb5_principal_compare(context, princ, kent.principal) ||
+ ((kent.vno != 1) && (kent.vno != 2)) ||
+ ((kent.key.enctype != 1) && (kent.key.enctype != 2)) ||
+ (kent.key.length != 1) ||
+ (kent.key.contents[0] != kent.vno +'0')) {
+ fprintf(stderr, "Retrieved principal does not check\n");
+ exit(1);
+ }
+
+ krb5_free_keytab_entry_contents(context, &kent);
+
+ /* Try to lookup a specific enctype - but unspecified kvno - should give
+ * max kvno
+ */
+ kret = krb5_kt_get_entry(context, kt, princ, 0, 1, &kent);
+ CHECK(kret, "looking up principal");
+
+ /* Ensure a valid answer - we did specified an enctype */
+ if (!krb5_principal_compare(context, princ, kent.principal) ||
+ (kent.vno != 2) || (kent.key.enctype != 1) ||
+ (kent.key.length != 1) ||
+ (kent.key.contents[0] != kent.vno +'0')) {
+ fprintf(stderr, "Retrieved principal does not check\n");
+
+ exit(1);
+
+ }
+
+ krb5_free_keytab_entry_contents(context, &kent);
+
+ /* Try to lookup unspecified enctype, but a specified kvno */
+
+ kret = krb5_kt_get_entry(context, kt, princ, 2, 0, &kent);
+ CHECK(kret, "looking up principal");
+
+ /* Ensure a valid answer - we did not specify a kvno */
+ if (!krb5_principal_compare(context, princ, kent.principal) ||
+ (kent.vno != 2) || (kent.key.enctype != 1) ||
+ (kent.key.length != 1) ||
+ (kent.key.contents[0] != kent.vno +'0')) {
+ fprintf(stderr, "Retrieved principal does not check\n");
+
+ exit(1);
+
+ }
- if((kent.magic != KV5M_KEYTAB_ENTRY) ||
- (kent.key.magic != KV5M_KEYBLOCK)) {
- fprintf(stderr, "Magic number in sequence not proper\n");
- exit(1);
- }
+ krb5_free_keytab_entry_contents(context, &kent);
- cnt++;
- krb5_free_keytab_entry_contents(context, &kent);
- }
- if (kret != KRB5_KT_END) {
- CHECK(kret, "getting next entry");
- }
- if(cnt != 3) {
- fprintf(stderr, "Mismatch in number of entries in keytab");
- }
- kret = krb5_kt_end_seq_get(context, kt, &cursor);
- CHECK(kret, "End sequence get");
+ /* Try to lookup specified enctype and kvno */
+ kret = krb5_kt_get_entry(context, kt, princ, 1, 1, &kent);
+ CHECK(kret, "looking up principal");
- /* ========================== get_entry tests ============== */
-
- /* Try to lookup unknown principal - now that keytab exists*/
- kret = krb5_parse_name(context, "test3/test2@TEST.MIT.EDU", &princ);
- CHECK(kret, "parsing principal");
-
-
- kret = krb5_kt_get_entry(context, kt, princ, 0, 0, &kent);
- if((kret != KRB5_KT_NOTFOUND)) {
- CHECK(kret, "Getting non-existant entry");
- }
-
- krb5_free_principal(context, princ);
-
- /* Try to lookup known principal */
- kret = krb5_parse_name(context, "test/test2@TEST.MIT.EDU", &princ);
- CHECK(kret, "parsing principal");
-
- kret = krb5_kt_get_entry(context, kt, princ, 0, 0, &kent);
- CHECK(kret, "looking up principal");
-
- /* Ensure a valid answer - we did not specify an enctype or kvno */
- if (!krb5_principal_compare(context, princ, kent.principal) ||
- ((kent.vno != 1) && (kent.vno != 2)) ||
- ((kent.key.enctype != 1) && (kent.key.enctype != 2)) ||
- (kent.key.length != 1) ||
- (kent.key.contents[0] != kent.vno +'0')) {
- fprintf(stderr, "Retrieved principal does not check\n");
- exit(1);
- }
-
- krb5_free_keytab_entry_contents(context, &kent);
-
- /* Try to lookup a specific enctype - but unspecified kvno - should give
- * max kvno
- */
- kret = krb5_kt_get_entry(context, kt, princ, 0, 1, &kent);
- CHECK(kret, "looking up principal");
-
- /* Ensure a valid answer - we did specified an enctype */
- if (!krb5_principal_compare(context, princ, kent.principal) ||
- (kent.vno != 2) || (kent.key.enctype != 1) ||
- (kent.key.length != 1) ||
- (kent.key.contents[0] != kent.vno +'0')) {
- fprintf(stderr, "Retrieved principal does not check\n");
-
- exit(1);
-
- }
-
- krb5_free_keytab_entry_contents(context, &kent);
-
- /* Try to lookup unspecified enctype, but a specified kvno */
-
- kret = krb5_kt_get_entry(context, kt, princ, 2, 0, &kent);
- CHECK(kret, "looking up principal");
-
- /* Ensure a valid answer - we did not specify a kvno */
- if (!krb5_principal_compare(context, princ, kent.principal) ||
- (kent.vno != 2) || (kent.key.enctype != 1) ||
- (kent.key.length != 1) ||
- (kent.key.contents[0] != kent.vno +'0')) {
- fprintf(stderr, "Retrieved principal does not check\n");
-
- exit(1);
-
- }
-
- krb5_free_keytab_entry_contents(context, &kent);
-
-
-
- /* Try to lookup specified enctype and kvno */
-
- kret = krb5_kt_get_entry(context, kt, princ, 1, 1, &kent);
- CHECK(kret, "looking up principal");
-
- if (!krb5_principal_compare(context, princ, kent.principal) ||
- (kent.vno != 1) || (kent.key.enctype != 1) ||
- (kent.key.length != 1) ||
- (kent.key.contents[0] != kent.vno +'0')) {
- fprintf(stderr, "Retrieved principal does not check\n");
+ if (!krb5_principal_compare(context, princ, kent.principal) ||
+ (kent.vno != 1) || (kent.key.enctype != 1) ||
+ (kent.key.length != 1) ||
+ (kent.key.contents[0] != kent.vno +'0')) {
+ fprintf(stderr, "Retrieved principal does not check\n");
- exit(1);
+ exit(1);
- }
+ }
- krb5_free_keytab_entry_contents(context, &kent);
+ krb5_free_keytab_entry_contents(context, &kent);
- /* Try lookup with active iterators. */
- kret = krb5_kt_start_seq_get(context, kt, &cursor);
- CHECK(kret, "Start sequence get(2)");
- kret = krb5_kt_start_seq_get(context, kt, &cursor2);
- CHECK(kret, "Start sequence get(3)");
- kret = krb5_kt_next_entry(context, kt, &kent, &cursor);
- CHECK(kret, "getting next entry(2)");
- krb5_free_keytab_entry_contents(context, &kent);
- kret = krb5_kt_next_entry(context, kt, &kent, &cursor);
- CHECK(kret, "getting next entry(3)");
- kret = krb5_kt_next_entry(context, kt, &kent2, &cursor2);
- CHECK(kret, "getting next entry(4)");
- krb5_free_keytab_entry_contents(context, &kent2);
- kret = krb5_kt_get_entry(context, kt, kent.principal, 0, 0, &kent2);
- CHECK(kret, "looking up principal(2)");
- krb5_free_keytab_entry_contents(context, &kent2);
- kret = krb5_kt_next_entry(context, kt, &kent2, &cursor2);
- CHECK(kret, "getting next entry(5)");
- if (!krb5_principal_compare(context, kent.principal, kent2.principal)) {
- fprintf(stderr, "iterators not in sync\n");
- exit(1);
- }
- krb5_free_keytab_entry_contents(context, &kent);
- krb5_free_keytab_entry_contents(context, &kent2);
- kret = krb5_kt_next_entry(context, kt, &kent, &cursor);
- CHECK(kret, "getting next entry(6)");
- kret = krb5_kt_next_entry(context, kt, &kent2, &cursor2);
- CHECK(kret, "getting next entry(7)");
- krb5_free_keytab_entry_contents(context, &kent);
- krb5_free_keytab_entry_contents(context, &kent2);
- kret = krb5_kt_end_seq_get(context, kt, &cursor);
- CHECK(kret, "ending sequence get(1)");
- kret = krb5_kt_end_seq_get(context, kt, &cursor2);
- CHECK(kret, "ending sequence get(2)");
+ /* Try lookup with active iterators. */
+ kret = krb5_kt_start_seq_get(context, kt, &cursor);
+ CHECK(kret, "Start sequence get(2)");
+ kret = krb5_kt_start_seq_get(context, kt, &cursor2);
+ CHECK(kret, "Start sequence get(3)");
+ kret = krb5_kt_next_entry(context, kt, &kent, &cursor);
+ CHECK(kret, "getting next entry(2)");
+ krb5_free_keytab_entry_contents(context, &kent);
+ kret = krb5_kt_next_entry(context, kt, &kent, &cursor);
+ CHECK(kret, "getting next entry(3)");
+ kret = krb5_kt_next_entry(context, kt, &kent2, &cursor2);
+ CHECK(kret, "getting next entry(4)");
+ krb5_free_keytab_entry_contents(context, &kent2);
+ kret = krb5_kt_get_entry(context, kt, kent.principal, 0, 0, &kent2);
+ CHECK(kret, "looking up principal(2)");
+ krb5_free_keytab_entry_contents(context, &kent2);
+ kret = krb5_kt_next_entry(context, kt, &kent2, &cursor2);
+ CHECK(kret, "getting next entry(5)");
+ if (!krb5_principal_compare(context, kent.principal, kent2.principal)) {
+ fprintf(stderr, "iterators not in sync\n");
+ exit(1);
+ }
+ krb5_free_keytab_entry_contents(context, &kent);
+ krb5_free_keytab_entry_contents(context, &kent2);
+ kret = krb5_kt_next_entry(context, kt, &kent, &cursor);
+ CHECK(kret, "getting next entry(6)");
+ kret = krb5_kt_next_entry(context, kt, &kent2, &cursor2);
+ CHECK(kret, "getting next entry(7)");
+ krb5_free_keytab_entry_contents(context, &kent);
+ krb5_free_keytab_entry_contents(context, &kent2);
+ kret = krb5_kt_end_seq_get(context, kt, &cursor);
+ CHECK(kret, "ending sequence get(1)");
+ kret = krb5_kt_end_seq_get(context, kt, &cursor2);
+ CHECK(kret, "ending sequence get(2)");
- /* Try to lookup specified enctype and kvno - that does not exist*/
+ /* Try to lookup specified enctype and kvno - that does not exist*/
- kret = krb5_kt_get_entry(context, kt, princ, 3, 1, &kent);
- if(kret != KRB5_KT_KVNONOTFOUND) {
- CHECK(kret, "looking up specific principal, kvno, enctype");
- }
+ kret = krb5_kt_get_entry(context, kt, princ, 3, 1, &kent);
+ if(kret != KRB5_KT_KVNONOTFOUND) {
+ CHECK(kret, "looking up specific principal, kvno, enctype");
+ }
- krb5_free_principal(context, princ);
+ krb5_free_principal(context, princ);
- /* ========================= krb5_kt_remove_entry =========== */
- /* Lookup the keytab entry w/ 2 kvno - and delete version 2 -
- ensure gone */
- kret = krb5_parse_name(context, "test/test2@TEST.MIT.EDU", &princ);
- CHECK(kret, "parsing principal");
+ /* ========================= krb5_kt_remove_entry =========== */
+ /* Lookup the keytab entry w/ 2 kvno - and delete version 2 -
+ ensure gone */
+ kret = krb5_parse_name(context, "test/test2@TEST.MIT.EDU", &princ);
+ CHECK(kret, "parsing principal");
- kret = krb5_kt_get_entry(context, kt, princ, 0, 1, &kent);
- CHECK(kret, "looking up principal");
+ kret = krb5_kt_get_entry(context, kt, princ, 0, 1, &kent);
+ CHECK(kret, "looking up principal");
- /* Ensure a valid answer - we are looking for max(kvno) and enc=1 */
- if (!krb5_principal_compare(context, princ, kent.principal) ||
- (kent.vno != 2) || (kent.key.enctype != 1) ||
- (kent.key.length != 1) ||
- (kent.key.contents[0] != kent.vno +'0')) {
- fprintf(stderr, "Retrieved principal does not check\n");
+ /* Ensure a valid answer - we are looking for max(kvno) and enc=1 */
+ if (!krb5_principal_compare(context, princ, kent.principal) ||
+ (kent.vno != 2) || (kent.key.enctype != 1) ||
+ (kent.key.length != 1) ||
+ (kent.key.contents[0] != kent.vno +'0')) {
+ fprintf(stderr, "Retrieved principal does not check\n");
- exit(1);
+ exit(1);
- }
+ }
- /* Delete it */
- kret = krb5_kt_remove_entry(context, kt, &kent);
- CHECK(kret, "Removing entry");
+ /* Delete it */
+ kret = krb5_kt_remove_entry(context, kt, &kent);
+ CHECK(kret, "Removing entry");
- krb5_free_keytab_entry_contents(context, &kent);
- /* And ensure gone */
+ krb5_free_keytab_entry_contents(context, &kent);
+ /* And ensure gone */
- kret = krb5_kt_get_entry(context, kt, princ, 0, 1, &kent);
- CHECK(kret, "looking up principal");
+ kret = krb5_kt_get_entry(context, kt, princ, 0, 1, &kent);
+ CHECK(kret, "looking up principal");
- /* Ensure a valid answer - kvno should now be 1 - we deleted 2 */
- if (!krb5_principal_compare(context, princ, kent.principal) ||
- (kent.vno != 1) || (kent.key.enctype != 1) ||
- (kent.key.length != 1) ||
- (kent.key.contents[0] != kent.vno +'0')) {
- fprintf(stderr, "Delete principal check failed\n");
-
- exit(1);
-
- }
- krb5_free_keytab_entry_contents(context, &kent);
-
- krb5_free_principal(context, princ);
-
- /* ======================= Finally close ======================= */
-
- kret = krb5_kt_close(context, kt);
- CHECK(kret, "close");
+ /* Ensure a valid answer - kvno should now be 1 - we deleted 2 */
+ if (!krb5_principal_compare(context, princ, kent.principal) ||
+ (kent.vno != 1) || (kent.key.enctype != 1) ||
+ (kent.key.length != 1) ||
+ (kent.key.contents[0] != kent.vno +'0')) {
+ fprintf(stderr, "Delete principal check failed\n");
+
+ exit(1);
+
+ }
+ krb5_free_keytab_entry_contents(context, &kent);
+
+ krb5_free_principal(context, princ);
+
+ /* ======================= Finally close ======================= */
+
+ kret = krb5_kt_close(context, kt);
+ CHECK(kret, "close");
}
-static void do_test(krb5_context context, const char *prefix,
- krb5_boolean delete)
+static void do_test(krb5_context context, const char *prefix,
+ krb5_boolean delete)
{
- char *name, *filename;
-
- if (asprintf(&filename, "/tmp/kttest.%ld", (long) getpid()) < 0) {
- perror("asprintf");
- exit(1);
- }
- if (asprintf(&name, "%s%s", prefix, filename) < 0) {
- perror("asprintf");
- exit(1);
- }
- printf("Starting test on %s\n", name);
- kt_test(context, name);
- printf("Test on %s passed\n", name);
- if(delete)
- unlink(filename);
- free(filename);
- free(name);
+ char *name, *filename;
+
+ if (asprintf(&filename, "/tmp/kttest.%ld", (long) getpid()) < 0) {
+ perror("asprintf");
+ exit(1);
+ }
+ if (asprintf(&name, "%s%s", prefix, filename) < 0) {
+ perror("asprintf");
+ exit(1);
+ }
+ printf("Starting test on %s\n", name);
+ kt_test(context, name);
+ printf("Test on %s passed\n", name);
+ if(delete)
+ unlink(filename);
+ free(filename);
+ free(name);
}
-int
+int
main (void)
{
- krb5_context context;
- krb5_error_code kret;
+ krb5_context context;
+ krb5_error_code kret;
- if ((kret = krb5_init_context(&context))) {
- printf("Couldn't initialize krb5 library: %s\n",
- error_message(kret));
- exit(1);
- }
+ if ((kret = krb5_init_context(&context))) {
+ printf("Couldn't initialize krb5 library: %s\n",
+ error_message(kret));
+ exit(1);
+ }
- /* All keytab types are registered by default -- test for
- redundant error */
- kret = krb5_kt_register(context, &krb5_ktf_writable_ops);
- if(kret && kret != KRB5_KT_TYPE_EXISTS) {
- CHECK(kret, "register ktf_writable");
- }
+ /* All keytab types are registered by default -- test for
+ redundant error */
+ kret = krb5_kt_register(context, &krb5_ktf_writable_ops);
+ if(kret && kret != KRB5_KT_TYPE_EXISTS) {
+ CHECK(kret, "register ktf_writable");
+ }
- test_misc(context);
- do_test(context, "WRFILE:", FALSE);
- do_test(context, "MEMORY:", TRUE);
+ test_misc(context);
+ do_test(context, "WRFILE:", FALSE);
+ do_test(context, "MEMORY:", TRUE);
- krb5_free_context(context);
- return 0;
+ krb5_free_context(context);
+ return 0;
}
@@ -457,9 +458,9 @@ main (void)
/* remove and add are functions, so that they can return NOWRITE
if not a writable keytab */
krb5_error_code KRB5_CALLCONV krb5_kt_remove_entry
- (krb5_context,
- krb5_keytab,
- krb5_keytab_entry * );
+(krb5_context,
+ krb5_keytab,
+ krb5_keytab_entry * );
diff --git a/src/lib/krb5/krb/addr_comp.c b/src/lib/krb5/krb/addr_comp.c
index 16ab03bbf4..194fc2bb67 100644
--- a/src/lib/krb5/krb/addr_comp.c
+++ b/src/lib/krb5/krb/addr_comp.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/addr_comp.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_address_compare()
*/
@@ -36,13 +37,13 @@ krb5_boolean KRB5_CALLCONV
krb5_address_compare(krb5_context context, const krb5_address *addr1, const krb5_address *addr2)
{
if (addr1->addrtype != addr2->addrtype)
- return(FALSE);
+ return(FALSE);
if (addr1->length != addr2->length)
- return(FALSE);
+ return(FALSE);
if (memcmp((char *)addr1->contents, (char *)addr2->contents,
- addr1->length))
- return FALSE;
+ addr1->length))
+ return FALSE;
else
- return TRUE;
+ return TRUE;
}
diff --git a/src/lib/krb5/krb/addr_order.c b/src/lib/krb5/krb/addr_order.c
index 2f01e1fbcb..b742d01ec6 100644
--- a/src/lib/krb5/krb/addr_order.c
+++ b/src/lib/krb5/krb/addr_order.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/addr_order.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_address_order()
*/
@@ -45,18 +46,18 @@ krb5_address_order(krb5_context context, const krb5_address *addr1, const krb5_a
const int minlen = min(addr1->length, addr2->length);
if (addr1->addrtype != addr2->addrtype)
- return(FALSE);
+ return(FALSE);
dir = addr1->length - addr2->length;
-
+
for (i = 0; i < minlen; i++) {
- if ((unsigned char) addr1->contents[i] <
- (unsigned char) addr2->contents[i])
- return -1;
- else if ((unsigned char) addr1->contents[i] >
- (unsigned char) addr2->contents[i])
- return 1;
+ if ((unsigned char) addr1->contents[i] <
+ (unsigned char) addr2->contents[i])
+ return -1;
+ else if ((unsigned char) addr1->contents[i] >
+ (unsigned char) addr2->contents[i])
+ return 1;
}
/* compared equal so far...which is longer? */
return dir;
diff --git a/src/lib/krb5/krb/addr_srch.c b/src/lib/krb5/krb/addr_srch.c
index 11a3ce0bb1..7a6030490d 100644
--- a/src/lib/krb5/krb/addr_srch.c
+++ b/src/lib/krb5/krb/addr_srch.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/addr_srch.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_address_search()
*/
@@ -35,10 +36,10 @@ address_count(krb5_address *const *addrlist)
unsigned int i;
if (addrlist == NULL)
- return 0;
+ return 0;
for (i = 0; addrlist[i]; i++)
- ;
+ ;
return i;
}
@@ -57,12 +58,12 @@ krb5_address_search(krb5_context context, const krb5_address *addr, krb5_address
*/
if (address_count(addrlist) == 1 &&
addrlist[0]->addrtype == ADDRTYPE_NETBIOS)
- return TRUE;
+ return TRUE;
if (!addrlist)
- return TRUE;
+ return TRUE;
for (; *addrlist; addrlist++) {
- if (krb5_address_compare(context, addr, *addrlist))
- return TRUE;
+ if (krb5_address_compare(context, addr, *addrlist))
+ return TRUE;
}
return FALSE;
}
diff --git a/src/lib/krb5/krb/appdefault.c b/src/lib/krb5/krb/appdefault.c
index 94788899b6..6fa8cd365c 100644
--- a/src/lib/krb5/krb/appdefault.c
+++ b/src/lib/krb5/krb/appdefault.c
@@ -1,6 +1,7 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* appdefault - routines designed to be called from applications to
- * handle the [appdefaults] profile section
+ * handle the [appdefaults] profile section
*/
#include <stdio.h>
@@ -9,158 +10,158 @@
- /*xxx Duplicating this is annoying; try to work on a better way.*/
+/*xxx Duplicating this is annoying; try to work on a better way.*/
static const char *const conf_yes[] = {
- "y", "yes", "true", "t", "1", "on",
- 0,
+ "y", "yes", "true", "t", "1", "on",
+ 0,
};
static const char *const conf_no[] = {
- "n", "no", "false", "nil", "0", "off",
- 0,
+ "n", "no", "false", "nil", "0", "off",
+ 0,
};
static int conf_boolean(char *s)
{
- const char * const *p;
- for(p=conf_yes; *p; p++) {
- if (!strcasecmp(*p,s))
- return 1;
- }
- for(p=conf_no; *p; p++) {
- if (!strcasecmp(*p,s))
- return 0;
- }
- /* Default to "no" */
- return 0;
+ const char * const *p;
+ for(p=conf_yes; *p; p++) {
+ if (!strcasecmp(*p,s))
+ return 1;
+ }
+ for(p=conf_no; *p; p++) {
+ if (!strcasecmp(*p,s))
+ return 0;
+ }
+ /* Default to "no" */
+ return 0;
}
static krb5_error_code appdefault_get(krb5_context context, const char *appname, const krb5_data *realm, const char *option, char **ret_value)
{
- profile_t profile;
- const char *names[5];
- char **nameval = NULL;
- krb5_error_code retval;
- const char * realmstr = realm?realm->data:NULL;
-
- if (!context || (context->magic != KV5M_CONTEXT))
- return KV5M_CONTEXT;
-
- profile = context->profile;
-
- /*
- * Try number one:
- *
- * [appdefaults]
- * app = {
- * SOME.REALM = {
- * option = <boolean>
- * }
- * }
- */
-
- names[0] = "appdefaults";
- names[1] = appname;
-
- if (realmstr) {
- names[2] = realmstr;
- names[3] = option;
- names[4] = 0;
- retval = profile_get_values(profile, names, &nameval);
- if (retval == 0 && nameval && nameval[0]) {
- *ret_value = strdup(nameval[0]);
- goto goodbye;
- }
- }
-
- /*
- * Try number two:
- *
- * [appdefaults]
- * app = {
- * option = <boolean>
- * }
- */
-
- names[2] = option;
- names[3] = 0;
- retval = profile_get_values(profile, names, &nameval);
- if (retval == 0 && nameval && nameval[0]) {
- *ret_value = strdup(nameval[0]);
- goto goodbye;
- }
-
- /*
- * Try number three:
- *
- * [appdefaults]
- * realm = {
- * option = <boolean>
- */
-
- if (realmstr) {
- names[1] = realmstr;
- names[2] = option;
- names[3] = 0;
- retval = profile_get_values(profile, names, &nameval);
- if (retval == 0 && nameval && nameval[0]) {
- *ret_value = strdup(nameval[0]);
- goto goodbye;
- }
- }
-
- /*
- * Try number four:
- *
- * [appdefaults]
- * option = <boolean>
- */
-
- names[1] = option;
- names[2] = 0;
- retval = profile_get_values(profile, names, &nameval);
- if (retval == 0 && nameval && nameval[0]) {
- *ret_value = strdup(nameval[0]);
- } else {
- return retval;
- }
+ profile_t profile;
+ const char *names[5];
+ char **nameval = NULL;
+ krb5_error_code retval;
+ const char * realmstr = realm?realm->data:NULL;
+
+ if (!context || (context->magic != KV5M_CONTEXT))
+ return KV5M_CONTEXT;
+
+ profile = context->profile;
+
+ /*
+ * Try number one:
+ *
+ * [appdefaults]
+ * app = {
+ * SOME.REALM = {
+ * option = <boolean>
+ * }
+ * }
+ */
+
+ names[0] = "appdefaults";
+ names[1] = appname;
+
+ if (realmstr) {
+ names[2] = realmstr;
+ names[3] = option;
+ names[4] = 0;
+ retval = profile_get_values(profile, names, &nameval);
+ if (retval == 0 && nameval && nameval[0]) {
+ *ret_value = strdup(nameval[0]);
+ goto goodbye;
+ }
+ }
+
+ /*
+ * Try number two:
+ *
+ * [appdefaults]
+ * app = {
+ * option = <boolean>
+ * }
+ */
+
+ names[2] = option;
+ names[3] = 0;
+ retval = profile_get_values(profile, names, &nameval);
+ if (retval == 0 && nameval && nameval[0]) {
+ *ret_value = strdup(nameval[0]);
+ goto goodbye;
+ }
+
+ /*
+ * Try number three:
+ *
+ * [appdefaults]
+ * realm = {
+ * option = <boolean>
+ */
+
+ if (realmstr) {
+ names[1] = realmstr;
+ names[2] = option;
+ names[3] = 0;
+ retval = profile_get_values(profile, names, &nameval);
+ if (retval == 0 && nameval && nameval[0]) {
+ *ret_value = strdup(nameval[0]);
+ goto goodbye;
+ }
+ }
+
+ /*
+ * Try number four:
+ *
+ * [appdefaults]
+ * option = <boolean>
+ */
+
+ names[1] = option;
+ names[2] = 0;
+ retval = profile_get_values(profile, names, &nameval);
+ if (retval == 0 && nameval && nameval[0]) {
+ *ret_value = strdup(nameval[0]);
+ } else {
+ return retval;
+ }
goodbye:
- if (nameval) {
- char **cpp;
- for (cpp = nameval; *cpp; cpp++)
- free(*cpp);
- free(nameval);
- }
- return 0;
+ if (nameval) {
+ char **cpp;
+ for (cpp = nameval; *cpp; cpp++)
+ free(*cpp);
+ free(nameval);
+ }
+ return 0;
}
-void KRB5_CALLCONV
+void KRB5_CALLCONV
krb5_appdefault_boolean(krb5_context context, const char *appname, const krb5_data *realm, const char *option, int default_value, int *ret_value)
{
- char *string = NULL;
- krb5_error_code retval;
+ char *string = NULL;
+ krb5_error_code retval;
- retval = appdefault_get(context, appname, realm, option, &string);
+ retval = appdefault_get(context, appname, realm, option, &string);
- if (! retval && string) {
- *ret_value = conf_boolean(string);
- free(string);
- } else
- *ret_value = default_value;
+ if (! retval && string) {
+ *ret_value = conf_boolean(string);
+ free(string);
+ } else
+ *ret_value = default_value;
}
-void KRB5_CALLCONV
+void KRB5_CALLCONV
krb5_appdefault_string(krb5_context context, const char *appname, const krb5_data *realm, const char *option, const char *default_value, char **ret_value)
{
- krb5_error_code retval;
- char *string;
+ krb5_error_code retval;
+ char *string;
- retval = appdefault_get(context, appname, realm, option, &string);
+ retval = appdefault_get(context, appname, realm, option, &string);
- if (! retval && string) {
- *ret_value = string;
- } else {
- *ret_value = strdup(default_value);
- }
+ if (! retval && string) {
+ *ret_value = string;
+ } else {
+ *ret_value = strdup(default_value);
+ }
}
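Review bot: In `krb5_appdefault_string` the local `char *string;` is uninitialized, whereas `krb5_appdefault_boolean` just above starts from `char *string = NULL;`. In `appdefault_get`, the `else` branch of "try number four" returns `retval` without writing `*ret_value`. If `profile_get_values` can return 0 with an empty `nameval` (not verifiable from this hunk), the `! retval && string` test reads an indeterminate pointer, which is then handed to the caller as `*ret_value`. Declaring it as `char *string = NULL;` makes the two wrappers agree and sends that case to the `strdup(default_value)` fallback. Also, the same early `return retval;` bypasses the `goodbye:` cleanup of `nameval`, and every `*ret_value = strdup(nameval[0]);` is unchecked, so an allocation failure is reported as success (0) with a NULL value.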
diff --git a/src/lib/krb5/krb/auth_con.c b/src/lib/krb5/krb/auth_con.c
index ee31fb82b5..e6bbac15af 100644
--- a/src/lib/krb5/krb/auth_con.c
+++ b/src/lib/krb5/krb/auth_con.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
#include "k5-int.h"
#include "auth_con.h"
@@ -9,11 +10,11 @@ actx_copy_addr(krb5_context context, const krb5_address *inad, krb5_address **ou
krb5_address *tmpad;
if (!(tmpad = (krb5_address *)malloc(sizeof(*tmpad))))
- return ENOMEM;
+ return ENOMEM;
*tmpad = *inad;
if (!(tmpad->contents = (krb5_octet *)malloc(inad->length))) {
- free(tmpad);
- return ENOMEM;
+ free(tmpad);
+ return ENOMEM;
}
memcpy(tmpad->contents, inad->contents, inad->length);
*outad = tmpad;
@@ -24,13 +25,13 @@ krb5_error_code KRB5_CALLCONV
krb5_auth_con_init(krb5_context context, krb5_auth_context *auth_context)
{
*auth_context =
- (krb5_auth_context)calloc(1, sizeof(struct _krb5_auth_context));
+ (krb5_auth_context)calloc(1, sizeof(struct _krb5_auth_context));
if (!*auth_context)
- return ENOMEM;
+ return ENOMEM;
/* Default flags, do time not seq */
- (*auth_context)->auth_context_flags =
- KRB5_AUTH_CONTEXT_DO_TIME | KRB5_AUTH_CONN_INITIALIZED;
+ (*auth_context)->auth_context_flags =
+ KRB5_AUTH_CONTEXT_DO_TIME | KRB5_AUTH_CONN_INITIALIZED;
(*auth_context)->req_cksumtype = context->default_ap_req_sumtype;
(*auth_context)->safe_cksumtype = context->default_safe_sumtype;
@@ -45,29 +46,29 @@ krb5_error_code KRB5_CALLCONV
krb5_auth_con_free(krb5_context context, krb5_auth_context auth_context)
{
if (auth_context == NULL)
- return 0;
- if (auth_context->local_addr)
- krb5_free_address(context, auth_context->local_addr);
- if (auth_context->remote_addr)
- krb5_free_address(context, auth_context->remote_addr);
- if (auth_context->local_port)
- krb5_free_address(context, auth_context->local_port);
- if (auth_context->remote_port)
- krb5_free_address(context, auth_context->remote_port);
- if (auth_context->authentp)
- krb5_free_authenticator(context, auth_context->authentp);
+ return 0;
+ if (auth_context->local_addr)
+ krb5_free_address(context, auth_context->local_addr);
+ if (auth_context->remote_addr)
+ krb5_free_address(context, auth_context->remote_addr);
+ if (auth_context->local_port)
+ krb5_free_address(context, auth_context->local_port);
+ if (auth_context->remote_port)
+ krb5_free_address(context, auth_context->remote_port);
+ if (auth_context->authentp)
+ krb5_free_authenticator(context, auth_context->authentp);
if (auth_context->key)
- krb5_k_free_key(context, auth_context->key);
- if (auth_context->send_subkey)
- krb5_k_free_key(context, auth_context->send_subkey);
- if (auth_context->recv_subkey)
- krb5_k_free_key(context, auth_context->recv_subkey);
+ krb5_k_free_key(context, auth_context->key);
+ if (auth_context->send_subkey)
+ krb5_k_free_key(context, auth_context->send_subkey);
+ if (auth_context->recv_subkey)
+ krb5_k_free_key(context, auth_context->recv_subkey);
if (auth_context->rcache)
- krb5_rc_close(context, auth_context->rcache);
+ krb5_rc_close(context, auth_context->rcache);
if (auth_context->permitted_etypes)
- free(auth_context->permitted_etypes);
+ free(auth_context->permitted_etypes);
if (auth_context->ad_context)
- krb5_authdata_context_free(context, auth_context->ad_context);
+ krb5_authdata_context_free(context, auth_context->ad_context);
free(auth_context);
return 0;
}
@@ -75,28 +76,28 @@ krb5_auth_con_free(krb5_context context, krb5_auth_context auth_context)
krb5_error_code
krb5_auth_con_setaddrs(krb5_context context, krb5_auth_context auth_context, krb5_address *local_addr, krb5_address *remote_addr)
{
- krb5_error_code retval;
+ krb5_error_code retval;
/* Free old addresses */
if (auth_context->local_addr)
- (void) krb5_free_address(context, auth_context->local_addr);
+ (void) krb5_free_address(context, auth_context->local_addr);
if (auth_context->remote_addr)
- (void) krb5_free_address(context, auth_context->remote_addr);
+ (void) krb5_free_address(context, auth_context->remote_addr);
retval = 0;
if (local_addr)
- retval = actx_copy_addr(context,
- local_addr,
- &auth_context->local_addr);
+ retval = actx_copy_addr(context,
+ local_addr,
+ &auth_context->local_addr);
else
- auth_context->local_addr = NULL;
+ auth_context->local_addr = NULL;
if (!retval && remote_addr)
- retval = actx_copy_addr(context,
- remote_addr,
- &auth_context->remote_addr);
+ retval = actx_copy_addr(context,
+ remote_addr,
+ &auth_context->remote_addr);
else
- auth_context->remote_addr = NULL;
+ auth_context->remote_addr = NULL;
return retval;
}
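Review bot: After the two `krb5_free_address` calls at the top of krb5_auth_con_setaddrs the fields keep their old values, so a failing `actx_copy_addr` (which returns ENOMEM before it writes `*outad`, as its hunk above shows) leaves `auth_context->local_addr` or `remote_addr` pointing at freed memory. krb5_auth_con_free would later hand that stale pointer to `krb5_free_address` a second time. Clearing the fields immediately after the frees closes the window: `auth_context->local_addr = NULL;` and `auth_context->remote_addr = NULL;`. krb5_auth_con_setports in the later hunk follows the same pattern with `local_port` and `remote_port` and needs the same two assignments.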
@@ -104,18 +105,18 @@ krb5_auth_con_setaddrs(krb5_context context, krb5_auth_context auth_context, krb
krb5_error_code KRB5_CALLCONV
krb5_auth_con_getaddrs(krb5_context context, krb5_auth_context auth_context, krb5_address **local_addr, krb5_address **remote_addr)
{
- krb5_error_code retval;
+ krb5_error_code retval;
retval = 0;
if (local_addr && auth_context->local_addr) {
- retval = actx_copy_addr(context,
- auth_context->local_addr,
- local_addr);
+ retval = actx_copy_addr(context,
+ auth_context->local_addr,
+ local_addr);
}
if (!retval && (remote_addr) && auth_context->remote_addr) {
- retval = actx_copy_addr(context,
- auth_context->remote_addr,
- remote_addr);
+ retval = actx_copy_addr(context,
+ auth_context->remote_addr,
+ remote_addr);
}
return retval;
}
@@ -123,28 +124,28 @@ krb5_auth_con_getaddrs(krb5_context context, krb5_auth_context auth_context, krb
krb5_error_code KRB5_CALLCONV
krb5_auth_con_setports(krb5_context context, krb5_auth_context auth_context, krb5_address *local_port, krb5_address *remote_port)
{
- krb5_error_code retval;
+ krb5_error_code retval;
/* Free old addresses */
if (auth_context->local_port)
- (void) krb5_free_address(context, auth_context->local_port);
+ (void) krb5_free_address(context, auth_context->local_port);
if (auth_context->remote_port)
- (void) krb5_free_address(context, auth_context->remote_port);
+ (void) krb5_free_address(context, auth_context->remote_port);
retval = 0;
if (local_port)
- retval = actx_copy_addr(context,
- local_port,
- &auth_context->local_port);
+ retval = actx_copy_addr(context,
+ local_port,
+ &auth_context->local_port);
else
- auth_context->local_port = NULL;
+ auth_context->local_port = NULL;
if (!retval && remote_port)
- retval = actx_copy_addr(context,
- remote_port,
- &auth_context->remote_port);
+ retval = actx_copy_addr(context,
+ remote_port,
+ &auth_context->remote_port);
else
- auth_context->remote_port = NULL;
+ auth_context->remote_port = NULL;
return retval;
}
@@ -161,7 +162,7 @@ krb5_error_code KRB5_CALLCONV
krb5_auth_con_setuseruserkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock *keyblock)
{
if (auth_context->key)
- krb5_k_free_key(context, auth_context->key);
+ krb5_k_free_key(context, auth_context->key);
return(krb5_k_create_key(context, keyblock, &(auth_context->key)));
}
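Review bot: In krb5_auth_con_setuseruserkey the old key is released with `krb5_k_free_key` but `auth_context->key` is not cleared before `krb5_k_create_key` is called. Whether `krb5_k_create_key` resets its output on failure is not visible in this diff; if it does not, the context keeps a pointer to a freed key that krb5_auth_con_free will free again. krb5_auth_con_setsendsubkey and krb5_auth_con_setrecvsubkey in the later hunk already guard against this with `ac->send_subkey = NULL;`. Adding `auth_context->key = NULL;` after the free would make this setter consistent with them.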
@@ -169,7 +170,7 @@ krb5_error_code KRB5_CALLCONV
krb5_auth_con_getkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock **keyblock)
{
if (auth_context->key)
- return krb5_k_key_keyblock(context, auth_context->key, keyblock);
+ return krb5_k_key_keyblock(context, auth_context->key, keyblock);
*keyblock = NULL;
return 0;
}
@@ -190,31 +191,31 @@ krb5_error_code KRB5_CALLCONV
krb5_auth_con_setsendsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock *keyblock)
{
if (ac->send_subkey != NULL)
- krb5_k_free_key(ctx, ac->send_subkey);
+ krb5_k_free_key(ctx, ac->send_subkey);
ac->send_subkey = NULL;
if (keyblock !=NULL)
- return krb5_k_create_key(ctx, keyblock, &ac->send_subkey);
+ return krb5_k_create_key(ctx, keyblock, &ac->send_subkey);
else
- return 0;
+ return 0;
}
krb5_error_code KRB5_CALLCONV
krb5_auth_con_setrecvsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock *keyblock)
{
if (ac->recv_subkey != NULL)
- krb5_k_free_key(ctx, ac->recv_subkey);
+ krb5_k_free_key(ctx, ac->recv_subkey);
ac->recv_subkey = NULL;
if (keyblock != NULL)
- return krb5_k_create_key(ctx, keyblock, &ac->recv_subkey);
+ return krb5_k_create_key(ctx, keyblock, &ac->recv_subkey);
else
- return 0;
+ return 0;
}
krb5_error_code KRB5_CALLCONV
krb5_auth_con_getsendsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock **keyblock)
{
if (ac->send_subkey != NULL)
- return krb5_k_key_keyblock(ctx, ac->send_subkey, keyblock);
+ return krb5_k_key_keyblock(ctx, ac->send_subkey, keyblock);
*keyblock = NULL;
return 0;
}
@@ -223,7 +224,7 @@ krb5_error_code KRB5_CALLCONV
krb5_auth_con_getrecvsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock **keyblock)
{
if (ac->recv_subkey != NULL)
- return krb5_k_key_keyblock(ctx, ac->recv_subkey, keyblock);
+ return krb5_k_key_keyblock(ctx, ac->recv_subkey, keyblock);
*keyblock = NULL;
return 0;
}
@@ -253,7 +254,7 @@ krb5_error_code KRB5_CALLCONV
krb5_auth_con_getauthenticator(krb5_context context, krb5_auth_context auth_context, krb5_authenticator **authenticator)
{
return (krb5_copy_authenticator(context, auth_context->authentp,
- authenticator));
+ authenticator));
}
#endif
@@ -271,15 +272,15 @@ krb5_auth_con_initivector(krb5_context context, krb5_auth_context auth_context)
krb5_enctype enctype;
if (auth_context->key) {
- size_t blocksize;
-
- enctype = krb5_k_key_enctype(context, auth_context->key);
- if ((ret = krb5_c_block_size(context, enctype, &blocksize)))
- return(ret);
- if ((auth_context->i_vector = (krb5_pointer)calloc(1,blocksize))) {
- return 0;
- }
- return ENOMEM;
+ size_t blocksize;
+
+ enctype = krb5_k_key_enctype(context, auth_context->key);
+ if ((ret = krb5_c_block_size(context, enctype, &blocksize)))
+ return(ret);
+ if ((auth_context->i_vector = (krb5_pointer)calloc(1,blocksize))) {
+ return 0;
+ }
+ return ENOMEM;
}
return EINVAL; /* XXX need an error for no keyblock */
}
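Review bot: The `calloc` result is stored straight into `auth_context->i_vector`, so a second call to krb5_auth_con_initivector drops the previous buffer without releasing it. krb5_auth_con_free in the earlier hunk has no branch for `i_vector` either, so the buffer appears to leak unless it is freed somewhere outside this diff. Ownership of `i_vector` is not visible here, so before adding `free(auth_context->i_vector);` ahead of the allocation it should be confirmed that no setter stores a caller-owned pointer in that field. A comment on the struct member stating who frees it would settle the question for later readers. The function's signature and opening lines are outside this hunk.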
@@ -318,30 +319,30 @@ krb5_auth_con_setrcache(krb5_context context, krb5_auth_context auth_context, kr
auth_context->rcache = rcache;
return 0;
}
-
+
krb5_error_code
krb5_auth_con_getrcache(krb5_context context, krb5_auth_context auth_context, krb5_rcache *rcache)
{
*rcache = auth_context->rcache;
return 0;
}
-
+
krb5_error_code
krb5_auth_con_setpermetypes(krb5_context context, krb5_auth_context auth_context, const krb5_enctype *permetypes)
{
- krb5_enctype * newpe;
+ krb5_enctype * newpe;
int i;
for (i=0; permetypes[i]; i++)
- ;
+ ;
i++; /* include the zero */
if ((newpe = (krb5_enctype *) malloc(i*sizeof(krb5_enctype)))
- == NULL)
- return(ENOMEM);
+ == NULL)
+ return(ENOMEM);
if (auth_context->permitted_etypes)
- free(auth_context->permitted_etypes);
+ free(auth_context->permitted_etypes);
auth_context->permitted_etypes = newpe;
@@ -353,21 +354,21 @@ krb5_auth_con_setpermetypes(krb5_context context, krb5_auth_context auth_context
krb5_error_code
krb5_auth_con_getpermetypes(krb5_context context, krb5_auth_context auth_context, krb5_enctype **permetypes)
{
- krb5_enctype * newpe;
+ krb5_enctype * newpe;
int i;
if (! auth_context->permitted_etypes) {
- *permetypes = NULL;
- return(0);
+ *permetypes = NULL;
+ return(0);
}
for (i=0; auth_context->permitted_etypes[i]; i++)
- ;
+ ;
i++; /* include the zero */
if ((newpe = (krb5_enctype *) malloc(i*sizeof(krb5_enctype)))
- == NULL)
- return(ENOMEM);
+ == NULL)
+ return(ENOMEM);
*permetypes = newpe;
@@ -378,24 +379,24 @@ krb5_auth_con_getpermetypes(krb5_context context, krb5_auth_context auth_context
krb5_error_code KRB5_CALLCONV
krb5_auth_con_set_checksum_func( krb5_context context,
- krb5_auth_context auth_context,
- krb5_mk_req_checksum_func func,
- void *data)
+ krb5_auth_context auth_context,
+ krb5_mk_req_checksum_func func,
+ void *data)
{
- auth_context->checksum_func = func;
- auth_context->checksum_func_data = data;
- return 0;
+ auth_context->checksum_func = func;
+ auth_context->checksum_func_data = data;
+ return 0;
}
krb5_error_code KRB5_CALLCONV
krb5_auth_con_get_checksum_func( krb5_context context,
- krb5_auth_context auth_context,
- krb5_mk_req_checksum_func *func,
- void **data)
+ krb5_auth_context auth_context,
+ krb5_mk_req_checksum_func *func,
+ void **data)
{
- *func = auth_context->checksum_func;
- *data = auth_context->checksum_func_data;
- return 0;
+ *func = auth_context->checksum_func;
+ *data = auth_context->checksum_func_data;
+ return 0;
}
/*
@@ -425,16 +426,16 @@ krb5_auth_con_get_checksum_func( krb5_context context,
* compatibility with our older implementations. This also means that
* encodings emitted by Heimdal are ambiguous.
*
- * Heimdal counter value received uint32 value
+ * Heimdal counter value received uint32 value
*
- * 0x00000080 0xFFFFFF80
- * 0x000000FF 0xFFFFFFFF
- * 0x00008000 0xFFFF8000
- * 0x0000FFFF 0xFFFFFFFF
- * 0x00800000 0xFF800000
- * 0x00FFFFFF 0xFFFFFFFF
- * 0xFF800000 0xFF800000
- * 0xFFFFFFFF 0xFFFFFFFF
+ * 0x00000080 0xFFFFFF80
+ * 0x000000FF 0xFFFFFFFF
+ * 0x00008000 0xFFFF8000
+ * 0x0000FFFF 0xFFFFFFFF
+ * 0x00800000 0xFF800000
+ * 0x00FFFFFF 0xFFFFFFFF
+ * 0xFF800000 0xFF800000
+ * 0xFFFFFFFF 0xFFFFFFFF
*
* We use two auth_context flags, SANE_SEQ and HEIMDAL_SEQ, which are
* only set after we can unambiguously determine the sanity of the
@@ -474,38 +475,38 @@ krb5int_auth_con_chkseqnum(
* If sender is known to be sane, accept _only_ exact matches.
*/
if (ac->auth_context_flags & KRB5_AUTH_CONN_SANE_SEQ)
- return in_seq == exp_seq;
+ return in_seq == exp_seq;
/*
* If sender is not known to be sane, first check the ambiguous
* range of received values, 0xFF800000..0xFFFFFFFF.
*/
if ((in_seq & 0xFF800000) == 0xFF800000) {
- /*
- * If expected sequence number is in the range
- * 0xFF800000..0xFFFFFFFF, then we can't make any
- * determinations about the sanity of the sending
- * implementation.
- */
- if ((exp_seq & 0xFF800000) == 0xFF800000 && in_seq == exp_seq)
- return 1;
- /*
- * If sender is not known for certain to be a broken Heimdal
- * implementation, check for exact match.
- */
- if (!(ac->auth_context_flags & KRB5_AUTH_CONN_HEIMDAL_SEQ)
- && in_seq == exp_seq)
- return 1;
- /*
- * Now apply hairy algorithm for matching sequence numbers
- * sent by broken Heimdal implementations. If it matches, we
- * know for certain it's a broken Heimdal sender.
- */
- if (chk_heimdal_seqnum(exp_seq, in_seq)) {
- ac->auth_context_flags |= KRB5_AUTH_CONN_HEIMDAL_SEQ;
- return 1;
- }
- return 0;
+ /*
+ * If expected sequence number is in the range
+ * 0xFF800000..0xFFFFFFFF, then we can't make any
+ * determinations about the sanity of the sending
+ * implementation.
+ */
+ if ((exp_seq & 0xFF800000) == 0xFF800000 && in_seq == exp_seq)
+ return 1;
+ /*
+ * If sender is not known for certain to be a broken Heimdal
+ * implementation, check for exact match.
+ */
+ if (!(ac->auth_context_flags & KRB5_AUTH_CONN_HEIMDAL_SEQ)
+ && in_seq == exp_seq)
+ return 1;
+ /*
+ * Now apply hairy algorithm for matching sequence numbers
+ * sent by broken Heimdal implementations. If it matches, we
+ * know for certain it's a broken Heimdal sender.
+ */
+ if (chk_heimdal_seqnum(exp_seq, in_seq)) {
+ ac->auth_context_flags |= KRB5_AUTH_CONN_HEIMDAL_SEQ;
+ return 1;
+ }
+ return 0;
}
/*
@@ -514,11 +515,11 @@ krb5int_auth_con_chkseqnum(
* it matches the received value, sender is known to be sane.
*/
if (in_seq == exp_seq) {
- if (( exp_seq & 0xFFFFFF80) == 0x00000080
- || (exp_seq & 0xFFFF8000) == 0x00008000
- || (exp_seq & 0xFF800000) == 0x00800000)
- ac->auth_context_flags |= KRB5_AUTH_CONN_SANE_SEQ;
- return 1;
+ if (( exp_seq & 0xFFFFFF80) == 0x00000080
+ || (exp_seq & 0xFFFF8000) == 0x00008000
+ || (exp_seq & 0xFF800000) == 0x00800000)
+ ac->auth_context_flags |= KRB5_AUTH_CONN_SANE_SEQ;
+ return 1;
}
/*
@@ -528,17 +529,17 @@ krb5int_auth_con_chkseqnum(
* and mark the sender as being a broken Heimdal implementation.
*/
if (exp_seq == 0
- && !(ac->auth_context_flags & KRB5_AUTH_CONN_HEIMDAL_SEQ)) {
- switch (in_seq) {
- case 0x100:
- case 0x10000:
- case 0x1000000:
- ac->auth_context_flags |= KRB5_AUTH_CONN_HEIMDAL_SEQ;
- exp_seq = in_seq;
- return 1;
- default:
- return 0;
- }
+ && !(ac->auth_context_flags & KRB5_AUTH_CONN_HEIMDAL_SEQ)) {
+ switch (in_seq) {
+ case 0x100:
+ case 0x10000:
+ case 0x1000000:
+ ac->auth_context_flags |= KRB5_AUTH_CONN_HEIMDAL_SEQ;
+ exp_seq = in_seq;
+ return 1;
+ default:
+ return 0;
+ }
}
return 0;
}
@@ -547,25 +548,25 @@ static krb5_boolean
chk_heimdal_seqnum(krb5_ui_4 exp_seq, krb5_ui_4 in_seq)
{
if (( exp_seq & 0xFF800000) == 0x00800000
- && (in_seq & 0xFF800000) == 0xFF800000
- && (in_seq & 0x00FFFFFF) == exp_seq)
- return 1;
+ && (in_seq & 0xFF800000) == 0xFF800000
+ && (in_seq & 0x00FFFFFF) == exp_seq)
+ return 1;
else if (( exp_seq & 0xFFFF8000) == 0x00008000
- && (in_seq & 0xFFFF8000) == 0xFFFF8000
- && (in_seq & 0x0000FFFF) == exp_seq)
- return 1;
+ && (in_seq & 0xFFFF8000) == 0xFFFF8000
+ && (in_seq & 0x0000FFFF) == exp_seq)
+ return 1;
else if (( exp_seq & 0xFFFFFF80) == 0x00000080
- && (in_seq & 0xFFFFFF80) == 0xFFFFFF80
- && (in_seq & 0x000000FF) == exp_seq)
- return 1;
+ && (in_seq & 0xFFFFFF80) == 0xFFFFFF80
+ && (in_seq & 0x000000FF) == exp_seq)
+ return 1;
else
- return 0;
+ return 0;
}
krb5_error_code
krb5_auth_con_get_subkey_enctype(krb5_context context,
- krb5_auth_context auth_context,
- krb5_enctype *etype)
+ krb5_auth_context auth_context,
+ krb5_enctype *etype)
{
*etype = auth_context->negotiated_etype;
return 0;
@@ -573,8 +574,8 @@ krb5_auth_con_get_subkey_enctype(krb5_context context,
krb5_error_code KRB5_CALLCONV
krb5_auth_con_get_authdata_context(krb5_context context,
- krb5_auth_context auth_context,
- krb5_authdata_context *ad_context)
+ krb5_auth_context auth_context,
+ krb5_authdata_context *ad_context)
{
*ad_context = auth_context->ad_context;
return 0;
@@ -582,10 +583,9 @@ krb5_auth_con_get_authdata_context(krb5_context context,
krb5_error_code KRB5_CALLCONV
krb5_auth_con_set_authdata_context(krb5_context context,
- krb5_auth_context auth_context,
- krb5_authdata_context ad_context)
+ krb5_auth_context auth_context,
+ krb5_authdata_context ad_context)
{
auth_context->ad_context = ad_context;
return 0;
}
-
diff --git a/src/lib/krb5/krb/auth_con.h b/src/lib/krb5/krb/auth_con.h
index 684eb4e407..94d2c51a2b 100644
--- a/src/lib/krb5/krb/auth_con.h
+++ b/src/lib/krb5/krb/auth_con.h
@@ -1,38 +1,39 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
#ifndef KRB5_AUTH_CONTEXT
#define KRB5_AUTH_CONTEXT
struct _krb5_auth_context {
- krb5_magic magic;
- krb5_address * remote_addr;
- krb5_address * remote_port;
- krb5_address * local_addr;
- krb5_address * local_port;
+ krb5_magic magic;
+ krb5_address * remote_addr;
+ krb5_address * remote_port;
+ krb5_address * local_addr;
+ krb5_address * local_port;
krb5_key key;
krb5_key send_subkey;
krb5_key recv_subkey;
- krb5_int32 auth_context_flags;
- krb5_ui_4 remote_seq_number;
- krb5_ui_4 local_seq_number;
- krb5_authenticator *authentp; /* mk_req, rd_req, mk_rep, ...*/
- krb5_cksumtype req_cksumtype; /* mk_safe, ... */
- krb5_cksumtype safe_cksumtype; /* mk_safe, ... */
- krb5_pointer i_vector; /* mk_priv, rd_priv only */
- krb5_rcache rcache;
- krb5_enctype * permitted_etypes; /* rd_req */
+ krb5_int32 auth_context_flags;
+ krb5_ui_4 remote_seq_number;
+ krb5_ui_4 local_seq_number;
+ krb5_authenticator *authentp; /* mk_req, rd_req, mk_rep, ...*/
+ krb5_cksumtype req_cksumtype; /* mk_safe, ... */
+ krb5_cksumtype safe_cksumtype; /* mk_safe, ... */
+ krb5_pointer i_vector; /* mk_priv, rd_priv only */
+ krb5_rcache rcache;
+ krb5_enctype * permitted_etypes; /* rd_req */
krb5_mk_req_checksum_func checksum_func;
void *checksum_func_data;
- krb5_enctype negotiated_etype;
+ krb5_enctype negotiated_etype;
krb5_authdata_context ad_context;
};
/* Internal auth_context_flags */
-#define KRB5_AUTH_CONN_INITIALIZED 0x00010000
-#define KRB5_AUTH_CONN_USED_W_MK_REQ 0x00020000
-#define KRB5_AUTH_CONN_USED_W_RD_REQ 0x00040000
-#define KRB5_AUTH_CONN_SANE_SEQ 0x00080000
-#define KRB5_AUTH_CONN_HEIMDAL_SEQ 0x00100000
+#define KRB5_AUTH_CONN_INITIALIZED 0x00010000
+#define KRB5_AUTH_CONN_USED_W_MK_REQ 0x00020000
+#define KRB5_AUTH_CONN_USED_W_RD_REQ 0x00040000
+#define KRB5_AUTH_CONN_SANE_SEQ 0x00080000
+#define KRB5_AUTH_CONN_HEIMDAL_SEQ 0x00100000
#endif
diff --git a/src/lib/krb5/krb/authdata.c b/src/lib/krb5/krb/authdata.c
index c5992adeda..5430127eb5 100644
--- a/src/lib/krb5/krb/authdata.c
+++ b/src/lib/krb5/krb/authdata.c
@@ -1,4 +1,4 @@
-/* -*- mode: c; indent-tabs-mode: nil -*- */
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* Copyright 2009 by the Massachusetts Institute of Technology. All
* Rights Reserved.
@@ -39,7 +39,7 @@ static const char *objdirs[] = {
#endif
LIBDIR "/krb5/plugins/authdata",
NULL
- }; /* should be a list */
+}; /* should be a list */
/* Internal authdata systems */
static krb5plugin_authdata_client_ftable_v0 *authdata_systems[] = {
@@ -648,10 +648,10 @@ krb5int_authdata_verify(krb5_context kcontext,
if (authdata == NULL) {
code = krb5int_find_authdata(kcontext,
- ticket_authdata,
- authen_authdata,
- module->ad_type,
- &authdata);
+ ticket_authdata,
+ authen_authdata,
+ module->ad_type,
+ &authdata);
if (code != 0)
break;
}
@@ -1244,4 +1244,3 @@ krb5_ser_authdata_context_init(krb5_context kcontext)
return krb5_register_serializer(kcontext,
&krb5_authdata_context_ser_entry);
}
-
diff --git a/src/lib/krb5/krb/authdata.h b/src/lib/krb5/krb/authdata.h
index 9e4dcceb07..39d80d6621 100644
--- a/src/lib/krb5/krb/authdata.h
+++ b/src/lib/krb5/krb/authdata.h
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/authdata.h
*
@@ -35,14 +36,13 @@
/* authdata.c */
krb5_error_code
krb5int_authdata_verify(krb5_context context,
- krb5_authdata_context,
- krb5_flags usage,
- const krb5_auth_context *auth_context,
- const krb5_keyblock *key,
- const krb5_ap_req *ap_req);
+ krb5_authdata_context,
+ krb5_flags usage,
+ const krb5_auth_context *auth_context,
+ const krb5_keyblock *key,
+ const krb5_ap_req *ap_req);
/* pac.c */
extern krb5plugin_authdata_client_ftable_v0 krb5int_mspac_authdata_client_ftable;
#endif /* !KRB_AUTHDATA_H */
-
diff --git a/src/lib/krb5/krb/bld_pr_ext.c b/src/lib/krb5/krb/bld_pr_ext.c
index 1a288c8960..899b9ee3ba 100644
--- a/src/lib/krb5/krb/bld_pr_ext.c
+++ b/src/lib/krb5/krb/bld_pr_ext.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/bld_pr_ext.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* Build a principal from a list of lengths and strings
*/
@@ -33,7 +34,7 @@
krb5_error_code KRB5_CALLCONV_C
krb5_build_principal_ext(krb5_context context, krb5_principal * princ,
- unsigned int rlen, const char * realm, ...)
+ unsigned int rlen, const char * realm, ...)
{
va_list ap;
int i, count = 0;
@@ -44,8 +45,8 @@ krb5_build_principal_ext(krb5_context context, krb5_principal * princ,
va_start(ap, realm);
/* count up */
while (va_arg(ap, int) != 0) {
- (void)va_arg(ap, char *); /* pass one up */
- count++;
+ (void)va_arg(ap, char *); /* pass one up */
+ count++;
}
va_end(ap);
@@ -54,30 +55,30 @@ krb5_build_principal_ext(krb5_context context, krb5_principal * princ,
/* get space for array */
princ_data = (krb5_data *) malloc(sizeof(krb5_data) * count);
if (!princ_data)
- return ENOMEM;
+ return ENOMEM;
princ_ret = (krb5_principal) malloc(sizeof(krb5_principal_data));
if (!princ_ret) {
- free(princ_data);
- return ENOMEM;
+ free(princ_data);
+ return ENOMEM;
}
princ_ret->data = princ_data;
princ_ret->length = count;
tmpdata.length = rlen;
tmpdata.data = (char *) realm;
if (krb5int_copy_data_contents_add0(context, &tmpdata, &princ_ret->realm) != 0) {
- free(princ_data);
- free(princ_ret);
- return ENOMEM;
- }
+ free(princ_data);
+ free(princ_ret);
+ return ENOMEM;
+ }
/* process rest of components */
va_start(ap, realm);
for (i = 0; i < count; i++) {
- tmpdata.length = va_arg(ap, unsigned int);
- tmpdata.data = va_arg(ap, char *);
- if (krb5int_copy_data_contents_add0(context, &tmpdata,
- &princ_data[i]) != 0)
- goto free_out;
+ tmpdata.length = va_arg(ap, unsigned int);
+ tmpdata.data = va_arg(ap, char *);
+ if (krb5int_copy_data_contents_add0(context, &tmpdata,
+ &princ_data[i]) != 0)
+ goto free_out;
}
va_end(ap);
*princ = princ_ret;
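Review bot: The `goto free_out` inside the component loop leaves the second `va_start(ap, realm)` without a matching `va_end(ap)`, and the `free_out:` lines shown in the next hunk do not call it either. The C standard requires each `va_start` to be paired with `va_end` in the same function before it returns, so this error path is undefined behaviour. Bracing the failure branch and calling `va_end(ap);` before `goto free_out;` fixes it. Separately, when no components are passed `count` is 0 and `malloc(sizeof(krb5_data) * count)` may legitimately return NULL, which this code reports as ENOMEM. The function begins before this hunk and continues after it.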
@@ -86,7 +87,7 @@ krb5_build_principal_ext(krb5_context context, krb5_principal * princ,
free_out:
while (--i >= 0)
- free(princ_data[i].data);
+ free(princ_data[i].data);
free(princ_data);
free(princ_ret->realm.data);
free(princ_ret);
diff --git a/src/lib/krb5/krb/bld_princ.c b/src/lib/krb5/krb/bld_princ.c
index d3e0d294b6..ac2c92a9e3 100644
--- a/src/lib/krb5/krb/bld_princ.c
+++ b/src/lib/krb5/krb/bld_princ.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/bld_princ.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* Build a principal from a list of strings
*/
@@ -30,13 +31,13 @@
#include <stdarg.h>
#include "k5-int.h"
-/* Takes first component as argument for KIM API,
+/* Takes first component as argument for KIM API,
* which does not allow realms with zero components */
static krb5_error_code
-krb5int_build_principal_va(krb5_context context,
- krb5_principal princ,
- unsigned int rlen,
- const char *realm,
+krb5int_build_principal_va(krb5_context context,
+ krb5_principal princ,
+ unsigned int rlen,
+ const char *realm,
const char *first,
va_list ap)
{
@@ -46,26 +47,26 @@ krb5int_build_principal_va(krb5_context context,
krb5_int32 count = 0;
krb5_int32 size = 2; /* initial guess at needed space */
char *component = NULL;
-
+
data = malloc(size * sizeof(krb5_data));
if (!data) { retval = ENOMEM; }
-
+
if (!retval) {
r = strdup(realm);
if (!r) { retval = ENOMEM; }
}
-
+
if (!retval && first) {
data[0].length = strlen(first);
data[0].data = strdup(first);
if (!data[0].data) { retval = ENOMEM; }
count++;
-
+
/* ap is only valid if first is non-NULL */
while (!retval && (component = va_arg(ap, char *))) {
if (count == size) {
krb5_data *new_data = NULL;
-
+
size *= 2;
new_data = realloc ((char *) data, sizeof(krb5_data) * size);
if (new_data) {
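Review bot: `r = strdup(realm)` copies up to the first NUL byte and, in the lines shown, `rlen` is never consulted. A caller that passes a counted realm that is not NUL-terminated would cause a read past the end of its buffer. A caller whose `rlen` is shorter than the string would get a longer realm than it asked for. If ignoring `rlen` is intentional, say so at the top of the function, for example `/* realm must be NUL-terminated; rlen is ignored */`. Otherwise copy exactly `rlen` bytes and terminate the copy explicitly. The function starts in the previous hunk and continues past this one, so uses of `rlen` outside the visible lines cannot be ruled out.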
@@ -74,16 +75,16 @@ krb5int_build_principal_va(krb5_context context,
retval = ENOMEM;
}
}
-
+
if (!retval) {
data[count].length = strlen(component);
- data[count].data = strdup(component);
+ data[count].data = strdup(component);
if (!data[count].data) { retval = ENOMEM; }
count++;
}
}
}
-
+
if (!retval) {
princ->type = KRB5_NT_UNKNOWN;
princ->magic = KV5M_PRINCIPAL;
@@ -94,7 +95,7 @@ krb5int_build_principal_va(krb5_context context,
r = NULL; /* take ownership */
data = NULL; /* take ownership */
}
-
+
if (data) {
while (--count >= 0) {
free(data[count].data);
@@ -102,68 +103,68 @@ krb5int_build_principal_va(krb5_context context,
free(data);
}
free(r);
-
+
return retval;
}
krb5_error_code KRB5_CALLCONV
-krb5_build_principal_va(krb5_context context,
- krb5_principal princ,
- unsigned int rlen,
- const char *realm,
+krb5_build_principal_va(krb5_context context,
+ krb5_principal princ,
+ unsigned int rlen,
+ const char *realm,
va_list ap)
{
char *first = va_arg(ap, char *);
-
+
return krb5int_build_principal_va(context, princ, rlen, realm, first, ap);
}
-/* Takes first component as argument for KIM API,
+/* Takes first component as argument for KIM API,
* which does not allow realms with zero components */
krb5_error_code KRB5_CALLCONV
-krb5int_build_principal_alloc_va(krb5_context context,
- krb5_principal *princ,
- unsigned int rlen,
- const char *realm,
+krb5int_build_principal_alloc_va(krb5_context context,
+ krb5_principal *princ,
+ unsigned int rlen,
+ const char *realm,
const char *first,
va_list ap)
{
krb5_error_code retval = 0;
-
+
krb5_principal p = malloc(sizeof(krb5_principal_data));
if (!p) { retval = ENOMEM; }
-
+
if (!retval) {
retval = krb5int_build_principal_va(context, p, rlen, realm, first, ap);
}
-
+
if (!retval) {
- *princ = p;
+ *princ = p;
} else {
free(p);
}
-
- return retval;
+
+ return retval;
}
krb5_error_code KRB5_CALLCONV
-krb5_build_principal_alloc_va(krb5_context context,
- krb5_principal *princ,
- unsigned int rlen,
- const char *realm,
+krb5_build_principal_alloc_va(krb5_context context,
+ krb5_principal *princ,
+ unsigned int rlen,
+ const char *realm,
va_list ap)
{
krb5_error_code retval = 0;
-
+
krb5_principal p = malloc(sizeof(krb5_principal_data));
if (!p) { retval = ENOMEM; }
-
+
if (!retval) {
retval = krb5_build_principal_va(context, p, rlen, realm, ap);
}
-
+
if (!retval) {
- *princ = p;
+ *princ = p;
} else {
free(p);
}
@@ -172,17 +173,17 @@ krb5_build_principal_alloc_va(krb5_context context,
}
krb5_error_code KRB5_CALLCONV_C
-krb5_build_principal(krb5_context context,
- krb5_principal * princ,
- unsigned int rlen,
- const char * realm, ...)
+krb5_build_principal(krb5_context context,
+ krb5_principal * princ,
+ unsigned int rlen,
+ const char * realm, ...)
{
krb5_error_code retval = 0;
va_list ap;
-
+
va_start(ap, realm);
retval = krb5_build_principal_alloc_va(context, princ, rlen, realm, ap);
va_end(ap);
-
+
return retval;
}
diff --git a/src/lib/krb5/krb/brand.c b/src/lib/krb5/krb/brand.c
index 7e4e0dbd00..fc098ddb51 100644
--- a/src/lib/krb5/krb/brand.c
+++ b/src/lib/krb5/krb/brand.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/brand.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
diff --git a/src/lib/krb5/krb/chk_trans.c b/src/lib/krb5/krb/chk_trans.c
index 9af063ce3e..3c014817c4 100644
--- a/src/lib/krb5/krb/chk_trans.c
+++ b/src/lib/krb5/krb/chk_trans.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/chk_trans.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_check_transited_list()
*/
@@ -46,12 +47,12 @@ static int verbose = 0;
static krb5_error_code
process_intermediates (krb5_error_code (*fn)(krb5_data *, void *), void *data,
- const krb5_data *n1, const krb5_data *n2) {
+ const krb5_data *n1, const krb5_data *n2) {
unsigned int len1, len2, i;
char *p1, *p2;
Tprintf (("process_intermediates(%.*s,%.*s)\n",
- (int) n1->length, n1->data, (int) n2->length, n2->data));
+ (int) n1->length, n1->data, (int) n2->length, n2->data));
len1 = n1->length;
len2 = n2->length;
@@ -59,78 +60,78 @@ process_intermediates (krb5_error_code (*fn)(krb5_data *, void *), void *data,
Tprintf (("(walking intermediates now)\n"));
/* Simplify... */
if (len1 > len2) {
- const krb5_data *p;
- int tmp = len1;
- len1 = len2;
- len2 = tmp;
- p = n1;
- n1 = n2;
- n2 = p;
+ const krb5_data *p;
+ int tmp = len1;
+ len1 = len2;
+ len2 = tmp;
+ p = n1;
+ n1 = n2;
+ n2 = p;
}
/* Okay, now len1 is always shorter or equal. */
if (len1 == len2) {
- if (memcmp (n1->data, n2->data, len1)) {
- Tprintf (("equal length but different strings in path: '%.*s' '%.*s'\n",
- (int) n1->length, n1->data, (int) n2->length, n2->data));
- return KRB5KRB_AP_ERR_ILL_CR_TKT;
- }
- Tprintf (("(end intermediates)\n"));
- return 0;
+ if (memcmp (n1->data, n2->data, len1)) {
+ Tprintf (("equal length but different strings in path: '%.*s' '%.*s'\n",
+ (int) n1->length, n1->data, (int) n2->length, n2->data));
+ return KRB5KRB_AP_ERR_ILL_CR_TKT;
+ }
+ Tprintf (("(end intermediates)\n"));
+ return 0;
}
/* Now len1 is always shorter. */
if (len1 == 0)
- /* Shouldn't be possible. Internal error? */
- return KRB5KRB_AP_ERR_ILL_CR_TKT;
+ /* Shouldn't be possible. Internal error? */
+ return KRB5KRB_AP_ERR_ILL_CR_TKT;
p1 = n1->data;
p2 = n2->data;
if (p1[0] == '/') {
- /* X.500 style names, with common prefix. */
- if (p2[0] != '/') {
- Tprintf (("mixed name formats in path: x500='%.*s' domain='%.*s'\n",
- (int) len1, p1, (int) len2, p2));
- return KRB5KRB_AP_ERR_ILL_CR_TKT;
- }
- if (memcmp (p1, p2, len1)) {
- Tprintf (("x500 names with different prefixes '%.*s' '%.*s'\n",
- (int) len1, p1, (int) len2, p2));
- return KRB5KRB_AP_ERR_ILL_CR_TKT;
- }
- for (i = len1 + 1; i < len2; i++)
- if (p2[i] == '/') {
- krb5_data d;
- krb5_error_code r;
-
- d.data = p2;
- d.length = i;
- r = (*fn) (&d, data);
- if (r)
- return r;
- }
+ /* X.500 style names, with common prefix. */
+ if (p2[0] != '/') {
+ Tprintf (("mixed name formats in path: x500='%.*s' domain='%.*s'\n",
+ (int) len1, p1, (int) len2, p2));
+ return KRB5KRB_AP_ERR_ILL_CR_TKT;
+ }
+ if (memcmp (p1, p2, len1)) {
+ Tprintf (("x500 names with different prefixes '%.*s' '%.*s'\n",
+ (int) len1, p1, (int) len2, p2));
+ return KRB5KRB_AP_ERR_ILL_CR_TKT;
+ }
+ for (i = len1 + 1; i < len2; i++)
+ if (p2[i] == '/') {
+ krb5_data d;
+ krb5_error_code r;
+
+ d.data = p2;
+ d.length = i;
+ r = (*fn) (&d, data);
+ if (r)
+ return r;
+ }
} else {
- /* Domain style names, with common suffix. */
- if (p2[0] == '/') {
- Tprintf (("mixed name formats in path: domain='%.*s' x500='%.*s'\n",
- (int) len1, p1, (int) len2, p2));
- return KRB5KRB_AP_ERR_ILL_CR_TKT;
- }
- if (memcmp (p1, p2 + (len2 - len1), len1)) {
- Tprintf (("domain names with different suffixes '%.*s' '%.*s'\n",
- (int) len1, p1, (int) len2, p2));
- return KRB5KRB_AP_ERR_ILL_CR_TKT;
- }
- for (i = len2 - len1 - 1; i > 0; i--) {
- Tprintf (("looking at '%.*s'\n", (int) (len2 - i), p2+i));
- if (p2[i-1] == '.') {
- krb5_data d;
- krb5_error_code r;
-
- d.data = p2+i;
- d.length = len2 - i;
- r = (*fn) (&d, data);
- if (r)
- return r;
- }
- }
+ /* Domain style names, with common suffix. */
+ if (p2[0] == '/') {
+ Tprintf (("mixed name formats in path: domain='%.*s' x500='%.*s'\n",
+ (int) len1, p1, (int) len2, p2));
+ return KRB5KRB_AP_ERR_ILL_CR_TKT;
+ }
+ if (memcmp (p1, p2 + (len2 - len1), len1)) {
+ Tprintf (("domain names with different suffixes '%.*s' '%.*s'\n",
+ (int) len1, p1, (int) len2, p2));
+ return KRB5KRB_AP_ERR_ILL_CR_TKT;
+ }
+ for (i = len2 - len1 - 1; i > 0; i--) {
+ Tprintf (("looking at '%.*s'\n", (int) (len2 - i), p2+i));
+ if (p2[i-1] == '.') {
+ krb5_data d;
+ krb5_error_code r;
+
+ d.data = p2+i;
+ d.length = len2 - i;
+ r = (*fn) (&d, data);
+ if (r)
+ return r;
+ }
+ }
}
Tprintf (("(end intermediates)\n"));
return 0;
@@ -140,25 +141,25 @@ static krb5_error_code
maybe_join (krb5_data *last, krb5_data *buf, unsigned int bufsiz)
{
if (buf->length == 0)
- return 0;
+ return 0;
if (buf->data[0] == '/') {
- if (last->length + buf->length > bufsiz) {
- Tprintf (("too big: last=%d cur=%d max=%d\n", last->length, buf->length, bufsiz));
- return KRB5KRB_AP_ERR_ILL_CR_TKT;
- }
- memmove (buf->data+last->length, buf->data, buf->length);
- memcpy (buf->data, last->data, last->length);
- buf->length += last->length;
+ if (last->length + buf->length > bufsiz) {
+ Tprintf (("too big: last=%d cur=%d max=%d\n", last->length, buf->length, bufsiz));
+ return KRB5KRB_AP_ERR_ILL_CR_TKT;
+ }
+ memmove (buf->data+last->length, buf->data, buf->length);
+ memcpy (buf->data, last->data, last->length);
+ buf->length += last->length;
} else if (buf->data[buf->length-1] == '.') {
- /* We can ignore the case where the previous component was
- empty; the strcat will be a no-op. It should probably
- be an error case, but let's be flexible. */
- if (last->length+buf->length > bufsiz) {
- Tprintf (("too big\n"));
- return KRB5KRB_AP_ERR_ILL_CR_TKT;
- }
- memcpy (buf->data + buf->length, last->data, last->length);
- buf->length += last->length;
+ /* We can ignore the case where the previous component was
+ empty; the strcat will be a no-op. It should probably
+ be an error case, but let's be flexible. */
+ if (last->length+buf->length > bufsiz) {
+ Tprintf (("too big\n"));
+ return KRB5KRB_AP_ERR_ILL_CR_TKT;
+ }
+ memcpy (buf->data + buf->length, last->data, last->length);
+ buf->length += last->length;
}
/* Otherwise, do nothing. */
return 0;
@@ -170,8 +171,8 @@ maybe_join (krb5_data *last, krb5_data *buf, unsigned int bufsiz)
of C strings. */
static krb5_error_code
foreach_realm (krb5_error_code (*fn)(krb5_data *comp,void *data), void *data,
- const krb5_data *crealm, const krb5_data *srealm,
- const krb5_data *transit)
+ const krb5_data *crealm, const krb5_data *srealm,
+ const krb5_data *transit)
{
char buf[MAXLEN], last[MAXLEN];
char *p, *bufp;
@@ -201,88 +202,88 @@ foreach_realm (krb5_error_code (*fn)(krb5_data *comp,void *data), void *data,
print_data ("transit enc.: %.*s\n", transit);
if (transit->length == 0) {
- Tprintf (("no other realms transited\n"));
- return 0;
+ Tprintf (("no other realms transited\n"));
+ return 0;
}
bufp = buf;
for (p = transit->data, l = transit->length; l; p++, l--) {
- if (next_lit) {
- *bufp++ = *p;
- if (bufp == buf+sizeof(buf))
- return KRB5KRB_AP_ERR_ILL_CR_TKT;
- next_lit = 0;
- } else if (*p == '\\') {
- next_lit = 1;
- } else if (*p == ',') {
- if (bufp != buf) {
- this_component.length = bufp - buf;
- r = maybe_join (&last_component, &this_component, sizeof(buf));
- if (r)
- return r;
- r = (*fn) (&this_component, data);
- if (r)
- return r;
- if (intermediates) {
- if (p == transit->data)
- r = process_intermediates (fn, data,
- &this_component, crealm);
- else {
- r = process_intermediates (fn, data, &this_component,
- &last_component);
- }
- if (r)
- return r;
- }
- intermediates = 0;
- memcpy (last, buf, sizeof (buf));
- last_component.length = this_component.length;
- memset (buf, 0, sizeof (buf));
- bufp = buf;
- } else {
- intermediates = 1;
- if (p == transit->data) {
- if (crealm->length >= MAXLEN)
- return KRB5KRB_AP_ERR_ILL_CR_TKT;
- memcpy (last, crealm->data, crealm->length);
- last[crealm->length] = '\0';
- last_component.length = crealm->length;
- }
- }
- } else if (*p == ' ' && bufp == buf) {
- /* This next component stands alone, even if it has a
- trailing dot or leading slash. */
- memset (last, 0, sizeof (last));
- last_component.length = 0;
- } else {
- /* Not a special character; literal. */
- *bufp++ = *p;
- if (bufp == buf+sizeof(buf))
- return KRB5KRB_AP_ERR_ILL_CR_TKT;
- }
+ if (next_lit) {
+ *bufp++ = *p;
+ if (bufp == buf+sizeof(buf))
+ return KRB5KRB_AP_ERR_ILL_CR_TKT;
+ next_lit = 0;
+ } else if (*p == '\\') {
+ next_lit = 1;
+ } else if (*p == ',') {
+ if (bufp != buf) {
+ this_component.length = bufp - buf;
+ r = maybe_join (&last_component, &this_component, sizeof(buf));
+ if (r)
+ return r;
+ r = (*fn) (&this_component, data);
+ if (r)
+ return r;
+ if (intermediates) {
+ if (p == transit->data)
+ r = process_intermediates (fn, data,
+ &this_component, crealm);
+ else {
+ r = process_intermediates (fn, data, &this_component,
+ &last_component);
+ }
+ if (r)
+ return r;
+ }
+ intermediates = 0;
+ memcpy (last, buf, sizeof (buf));
+ last_component.length = this_component.length;
+ memset (buf, 0, sizeof (buf));
+ bufp = buf;
+ } else {
+ intermediates = 1;
+ if (p == transit->data) {
+ if (crealm->length >= MAXLEN)
+ return KRB5KRB_AP_ERR_ILL_CR_TKT;
+ memcpy (last, crealm->data, crealm->length);
+ last[crealm->length] = '\0';
+ last_component.length = crealm->length;
+ }
+ }
+ } else if (*p == ' ' && bufp == buf) {
+ /* This next component stands alone, even if it has a
+ trailing dot or leading slash. */
+ memset (last, 0, sizeof (last));
+ last_component.length = 0;
+ } else {
+ /* Not a special character; literal. */
+ *bufp++ = *p;
+ if (bufp == buf+sizeof(buf))
+ return KRB5KRB_AP_ERR_ILL_CR_TKT;
+ }
}
/* At end. Must be normal state. */
if (next_lit)
- Tprintf (("ending in next-char-literal state\n"));
+ Tprintf (("ending in next-char-literal state\n"));
/* Process trailing element or comma. */
if (bufp == buf) {
- /* Trailing comma. */
- r = process_intermediates (fn, data, &last_component, srealm);
+ /* Trailing comma. */
+ r = process_intermediates (fn, data, &last_component, srealm);
} else {
- /* Trailing component. */
- this_component.length = bufp - buf;
- r = maybe_join (&last_component, &this_component, sizeof(buf));
- if (r)
- return r;
- r = (*fn) (&this_component, data);
- if (r)
- return r;
- if (intermediates)
- r = process_intermediates (fn, data, &this_component,
- &last_component);
+ /* Trailing component. */
+ this_component.length = bufp - buf;
+ r = maybe_join (&last_component, &this_component, sizeof(buf));
+ if (r)
+ return r;
+ r = (*fn) (&this_component, data);
+ if (r)
+ return r;
+ if (intermediates)
+ r = process_intermediates (fn, data, &this_component,
+ &last_component);
}
if (r != 0)
- return r;
+ return r;
return 0;
}
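Review bot: A transited encoding that ends in an unpaired backslash is accepted: after the parse loop, `if (next_lit)` only emits a `Tprintf` trace, although the comment above it says the parser must be back in the normal state. Since this routine feeds the transited-realm check, failing closed seems safer, e.g. `if (next_lit) return KRB5KRB_AP_ERR_ILL_CR_TKT;` placed after the trace. foreach_realm starts before this hunk, so confirm that no caller relies on the lenient behaviour.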
@@ -300,8 +301,8 @@ check_realm_in_list (krb5_data *realm, void *data)
Tprintf ((".. checking '%.*s'\n", (int) realm->length, realm->data));
for (i = 0; cdata->tgs[i]; i++) {
- if (data_eq (*krb5_princ_realm (cdata->ctx, cdata->tgs[i]), *realm))
- return 0;
+ if (data_eq (*krb5_princ_realm (cdata->ctx, cdata->tgs[i]), *realm))
+ return 0;
}
Tprintf (("BAD!\n"));
return KRB5KRB_AP_ERR_ILL_CR_TKT;
@@ -309,7 +310,7 @@ check_realm_in_list (krb5_data *realm, void *data)
krb5_error_code
krb5_check_transited_list (krb5_context ctx, const krb5_data *trans_in,
- const krb5_data *crealm, const krb5_data *srealm)
+ const krb5_data *crealm, const krb5_data *srealm)
{
krb5_data trans;
struct check_data cdata;
@@ -318,31 +319,31 @@ krb5_check_transited_list (krb5_context ctx, const krb5_data *trans_in,
trans.length = trans_in->length;
trans.data = (char *) trans_in->data;
if (trans.length && (trans.data[trans.length-1] == '\0'))
- trans.length--;
+ trans.length--;
Tprintf (("krb5_check_transited_list(trans=\"%.*s\", crealm=\"%.*s\", srealm=\"%.*s\")\n",
- (int) trans.length, trans.data,
- (int) crealm->length, crealm->data,
- (int) srealm->length, srealm->data));
+ (int) trans.length, trans.data,
+ (int) crealm->length, crealm->data,
+ (int) srealm->length, srealm->data));
if (trans.length == 0)
- return 0;
+ return 0;
r = krb5_walk_realm_tree (ctx, crealm, srealm, &cdata.tgs,
- KRB5_REALM_BRANCH_CHAR);
+ KRB5_REALM_BRANCH_CHAR);
if (r) {
- Tprintf (("error %ld\n", (long) r));
- return r;
+ Tprintf (("error %ld\n", (long) r));
+ return r;
}
#ifdef DEBUG /* avoid compiler warning about 'd' unused */
{
- int i;
- Tprintf (("tgs list = {\n"));
- for (i = 0; cdata.tgs[i]; i++) {
- char *name;
- r = krb5_unparse_name (ctx, cdata.tgs[i], &name);
- Tprintf (("\t'%s'\n", name));
- free (name);
- }
- Tprintf (("}\n"));
+ int i;
+ Tprintf (("tgs list = {\n"));
+ for (i = 0; cdata.tgs[i]; i++) {
+ char *name;
+ r = krb5_unparse_name (ctx, cdata.tgs[i], &name);
+ Tprintf (("\t'%s'\n", name));
+ free (name);
+ }
+ Tprintf (("}\n"));
}
#endif
cdata.ctx = ctx;
@@ -370,19 +371,19 @@ int main (int argc, char *argv[]) {
me = me ? me+1 : argv[0];
while (argc > 3 && argv[1][0] == '-') {
- if (!strcmp ("-v", argv[1]))
- verbose++, argc--, argv++;
- else if (!strcmp ("-x", argv[1]))
- expand_only++, argc--, argv++;
- else
- goto usage;
+ if (!strcmp ("-v", argv[1]))
+ verbose++, argc--, argv++;
+ else if (!strcmp ("-x", argv[1]))
+ expand_only++, argc--, argv++;
+ else
+ goto usage;
}
if (argc != 4) {
usage:
- printf ("usage: %s [-v] [-x] clientRealm serverRealm transitEncoding\n",
- me);
- return 1;
+ printf ("usage: %s [-v] [-x] clientRealm serverRealm transitEncoding\n",
+ me);
+ return 1;
}
crealm.data = argv[1];
@@ -394,40 +395,40 @@ int main (int argc, char *argv[]) {
if (expand_only) {
- printf ("client realm: %s\n", argv[1]);
- printf ("server realm: %s\n", argv[2]);
- printf ("transit enc.: %s\n", argv[3]);
+ printf ("client realm: %s\n", argv[1]);
+ printf ("server realm: %s\n", argv[2]);
+ printf ("transit enc.: %s\n", argv[3]);
- if (argv[3][0] == 0) {
- printf ("no other realms transited\n");
- return 0;
- }
+ if (argv[3][0] == 0) {
+ printf ("no other realms transited\n");
+ return 0;
+ }
- r = foreach_realm (print_a_realm, NULL, &crealm, &srealm, &transit);
- if (r)
- printf ("--> returned error %ld\n", (long) r);
- return r != 0;
+ r = foreach_realm (print_a_realm, NULL, &crealm, &srealm, &transit);
+ if (r)
+ printf ("--> returned error %ld\n", (long) r);
+ return r != 0;
} else {
- /* Actually check the values against the supplied krb5.conf file. */
- krb5_context ctx;
- r = krb5_init_context (&ctx);
- if (r) {
- com_err (me, r, "initializing krb5 context");
- return 1;
- }
- r = krb5_check_transited_list (ctx, &transit, &crealm, &srealm);
- if (r == KRB5KRB_AP_ERR_ILL_CR_TKT) {
- printf ("NO\n");
- } else if (r == 0) {
- printf ("YES\n");
- } else {
- printf ("kablooey!\n");
- com_err (me, r, "checking transited-realm list");
- return 1;
- }
- return 0;
+ /* Actually check the values against the supplied krb5.conf file. */
+ krb5_context ctx;
+ r = krb5_init_context (&ctx);
+ if (r) {
+ com_err (me, r, "initializing krb5 context");
+ return 1;
+ }
+ r = krb5_check_transited_list (ctx, &transit, &crealm, &srealm);
+ if (r == KRB5KRB_AP_ERR_ILL_CR_TKT) {
+ printf ("NO\n");
+ } else if (r == 0) {
+ printf ("YES\n");
+ } else {
+ printf ("kablooey!\n");
+ com_err (me, r, "checking transited-realm list");
+ return 1;
+ }
+ return 0;
}
}
diff --git a/src/lib/krb5/krb/chpw.c b/src/lib/krb5/krb/chpw.c
index d38a7ef397..1488f627ea 100644
--- a/src/lib/krb5/krb/chpw.c
+++ b/src/lib/krb5/krb/chpw.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
** set password functions added by Paul W. Nelson, Thursby Software Systems, Inc.
*/
@@ -7,12 +8,12 @@
#include "auth_con.h"
-krb5_error_code
-krb5int_mk_chpw_req(krb5_context context,
- krb5_auth_context auth_context,
- krb5_data *ap_req,
- char *passwd,
- krb5_data *packet)
+krb5_error_code
+krb5int_mk_chpw_req(krb5_context context,
+ krb5_auth_context auth_context,
+ krb5_data *ap_req,
+ char *passwd,
+ krb5_data *packet)
{
krb5_error_code ret = 0;
krb5_data clearpw;
@@ -23,21 +24,21 @@ krb5int_mk_chpw_req(krb5_context context,
cipherpw.data = NULL;
if ((ret = krb5_auth_con_setflags(context, auth_context,
- KRB5_AUTH_CONTEXT_DO_SEQUENCE)))
- goto cleanup;
+ KRB5_AUTH_CONTEXT_DO_SEQUENCE)))
+ goto cleanup;
clearpw.length = strlen(passwd);
clearpw.data = passwd;
if ((ret = krb5_mk_priv(context, auth_context,
- &clearpw, &cipherpw, &replay)))
- goto cleanup;
+ &clearpw, &cipherpw, &replay)))
+ goto cleanup;
packet->length = 6 + ap_req->length + cipherpw.length;
packet->data = (char *) malloc(packet->length);
if (packet->data == NULL) {
- ret = ENOMEM;
- goto cleanup;
+ ret = ENOMEM;
+ goto cleanup;
}
ptr = packet->data;
@@ -67,14 +68,14 @@ krb5int_mk_chpw_req(krb5_context context,
cleanup:
if (cipherpw.data != NULL) /* allocated by krb5_mk_priv */
- free(cipherpw.data);
-
+ free(cipherpw.data);
+
return(ret);
}
-krb5_error_code
+krb5_error_code
krb5int_rd_chpw_rep(krb5_context context, krb5_auth_context auth_context,
- krb5_data *packet, int *result_code, krb5_data *result_data)
+ krb5_data *packet, int *result_code, krb5_data *result_data)
{
char *ptr;
int plen, vno;
@@ -88,9 +89,9 @@ krb5int_rd_chpw_rep(krb5_context context, krb5_auth_context auth_context,
krb5_keyblock *tmp;
if (packet->length < 4)
- /* either this, or the server is printing bad messages,
- or the caller passed in garbage */
- return(KRB5KRB_AP_ERR_MODIFIED);
+ /* either this, or the server is printing bad messages,
+ or the caller passed in garbage */
+ return(KRB5KRB_AP_ERR_MODIFIED);
ptr = packet->data;
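Review bot: The `packet->length < 4` guard looks too small for the header this function goes on to parse: the later hunks show three 16-bit fields (`plen`, `vno`, `ap_rep.length`) each completed with `*ptr++`, which is six bytes, so a four- or five-byte reply whose length field matches could be read past its end. The first byte of each read lies outside the visible hunks, so confirm against the full function, but `if (packet->length < 6)` would cover the fixed header. The same four-byte guard appears in krb5int_rd_setpw_rep (hunk at -350,7), which also consumes three two-byte fields before its bounds check. These fields are parsed from the reply before `krb5_rd_rep` has authenticated anything, so the bound matters.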
@@ -100,27 +101,27 @@ krb5int_rd_chpw_rep(krb5_context context, krb5_auth_context auth_context,
plen = (plen<<8) | (*ptr++ & 0xff);
if (plen != packet->length) {
- /*
- * MS KDCs *may* send back a KRB_ERROR. Although
- * not 100% correct via RFC3244, it's something
- * we can workaround here.
- */
- if (krb5_is_krb_error(packet)) {
-
- if ((ret = krb5_rd_error(context, packet, &krberror)))
- return(ret);
-
- if (krberror->e_data.data == NULL)
- ret = ERROR_TABLE_BASE_krb5 + (krb5_error_code) krberror->error;
- else
- ret = KRB5KRB_AP_ERR_MODIFIED;
- krb5_free_error(context, krberror);
- return(ret);
- } else {
- return(KRB5KRB_AP_ERR_MODIFIED);
- }
+ /*
+ * MS KDCs *may* send back a KRB_ERROR. Although
+ * not 100% correct via RFC3244, it's something
+ * we can workaround here.
+ */
+ if (krb5_is_krb_error(packet)) {
+
+ if ((ret = krb5_rd_error(context, packet, &krberror)))
+ return(ret);
+
+ if (krberror->e_data.data == NULL)
+ ret = ERROR_TABLE_BASE_krb5 + (krb5_error_code) krberror->error;
+ else
+ ret = KRB5KRB_AP_ERR_MODIFIED;
+ krb5_free_error(context, krberror);
+ return(ret);
+ } else {
+ return(KRB5KRB_AP_ERR_MODIFIED);
+ }
}
-
+
/* verify version number */
@@ -128,7 +129,7 @@ krb5int_rd_chpw_rep(krb5_context context, krb5_auth_context auth_context,
vno = (vno<<8) | (*ptr++ & 0xff);
if (vno != 1)
- return(KRB5KDC_ERR_BAD_PVNO);
+ return(KRB5KDC_ERR_BAD_PVNO);
/* read, check ap-rep length */
@@ -136,59 +137,59 @@ krb5int_rd_chpw_rep(krb5_context context, krb5_auth_context auth_context,
ap_rep.length = (ap_rep.length<<8) | (*ptr++ & 0xff);
if (ptr + ap_rep.length >= packet->data + packet->length)
- return(KRB5KRB_AP_ERR_MODIFIED);
+ return(KRB5KRB_AP_ERR_MODIFIED);
if (ap_rep.length) {
- /* verify ap_rep */
- ap_rep.data = ptr;
- ptr += ap_rep.length;
-
- /*
- * Save send_subkey to later smash recv_subkey.
- */
- ret = krb5_auth_con_getsendsubkey(context, auth_context, &tmp);
- if (ret)
- return ret;
-
- ret = krb5_rd_rep(context, auth_context, &ap_rep, &ap_rep_enc);
- if (ret) {
- krb5_free_keyblock(context, tmp);
- return(ret);
- }
-
- krb5_free_ap_rep_enc_part(context, ap_rep_enc);
-
- /* extract and decrypt the result */
-
- cipherresult.data = ptr;
- cipherresult.length = (packet->data + packet->length) - ptr;
-
- /*
- * Smash recv_subkey to be send_subkey, per spec.
- */
- ret = krb5_auth_con_setrecvsubkey(context, auth_context, tmp);
- krb5_free_keyblock(context, tmp);
- if (ret)
- return ret;
-
- ret = krb5_rd_priv(context, auth_context, &cipherresult, &clearresult,
- &replay);
-
- if (ret)
- return(ret);
+ /* verify ap_rep */
+ ap_rep.data = ptr;
+ ptr += ap_rep.length;
+
+ /*
+ * Save send_subkey to later smash recv_subkey.
+ */
+ ret = krb5_auth_con_getsendsubkey(context, auth_context, &tmp);
+ if (ret)
+ return ret;
+
+ ret = krb5_rd_rep(context, auth_context, &ap_rep, &ap_rep_enc);
+ if (ret) {
+ krb5_free_keyblock(context, tmp);
+ return(ret);
+ }
+
+ krb5_free_ap_rep_enc_part(context, ap_rep_enc);
+
+ /* extract and decrypt the result */
+
+ cipherresult.data = ptr;
+ cipherresult.length = (packet->data + packet->length) - ptr;
+
+ /*
+ * Smash recv_subkey to be send_subkey, per spec.
+ */
+ ret = krb5_auth_con_setrecvsubkey(context, auth_context, tmp);
+ krb5_free_keyblock(context, tmp);
+ if (ret)
+ return ret;
+
+ ret = krb5_rd_priv(context, auth_context, &cipherresult, &clearresult,
+ &replay);
+
+ if (ret)
+ return(ret);
} else {
- cipherresult.data = ptr;
- cipherresult.length = (packet->data + packet->length) - ptr;
+ cipherresult.data = ptr;
+ cipherresult.length = (packet->data + packet->length) - ptr;
- if ((ret = krb5_rd_error(context, &cipherresult, &krberror)))
- return(ret);
+ if ((ret = krb5_rd_error(context, &cipherresult, &krberror)))
+ return(ret);
- clearresult = krberror->e_data;
+ clearresult = krberror->e_data;
}
if (clearresult.length < 2) {
- ret = KRB5KRB_AP_ERR_MODIFIED;
- goto cleanup;
+ ret = KRB5KRB_AP_ERR_MODIFIED;
+ goto cleanup;
}
ptr = clearresult.data;
@@ -197,38 +198,38 @@ krb5int_rd_chpw_rep(krb5_context context, krb5_auth_context auth_context,
*result_code = (*result_code<<8) | (*ptr++ & 0xff);
if ((*result_code < KRB5_KPASSWD_SUCCESS) ||
- (*result_code > KRB5_KPASSWD_INITIAL_FLAG_NEEDED)) {
- ret = KRB5KRB_AP_ERR_MODIFIED;
- goto cleanup;
+ (*result_code > KRB5_KPASSWD_INITIAL_FLAG_NEEDED)) {
+ ret = KRB5KRB_AP_ERR_MODIFIED;
+ goto cleanup;
}
/* all success replies should be authenticated/encrypted */
if ((ap_rep.length == 0) && (*result_code == KRB5_KPASSWD_SUCCESS)) {
- ret = KRB5KRB_AP_ERR_MODIFIED;
- goto cleanup;
+ ret = KRB5KRB_AP_ERR_MODIFIED;
+ goto cleanup;
}
result_data->length = (clearresult.data + clearresult.length) - ptr;
if (result_data->length) {
- result_data->data = (char *) malloc(result_data->length);
- if (result_data->data == NULL) {
- ret = ENOMEM;
- goto cleanup;
- }
- memcpy(result_data->data, ptr, result_data->length);
+ result_data->data = (char *) malloc(result_data->length);
+ if (result_data->data == NULL) {
+ ret = ENOMEM;
+ goto cleanup;
+ }
+ memcpy(result_data->data, ptr, result_data->length);
} else {
- result_data->data = NULL;
+ result_data->data = NULL;
}
ret = 0;
cleanup:
if (ap_rep.length) {
- free(clearresult.data);
+ free(clearresult.data);
} else {
- krb5_free_error(context, krberror);
+ krb5_free_error(context, krberror);
}
return(ret);
@@ -236,71 +237,71 @@ cleanup:
krb5_error_code KRB5_CALLCONV
krb5_chpw_result_code_string(krb5_context context, int result_code,
- char **code_string)
+ char **code_string)
{
switch (result_code) {
case KRB5_KPASSWD_MALFORMED:
- *code_string = "Malformed request error";
- break;
+ *code_string = "Malformed request error";
+ break;
case KRB5_KPASSWD_HARDERROR:
- *code_string = "Server error";
- break;
+ *code_string = "Server error";
+ break;
case KRB5_KPASSWD_AUTHERROR:
- *code_string = "Authentication error";
- break;
+ *code_string = "Authentication error";
+ break;
case KRB5_KPASSWD_SOFTERROR:
- *code_string = "Password change rejected";
- break;
+ *code_string = "Password change rejected";
+ break;
default:
- *code_string = "Password change failed";
- break;
+ *code_string = "Password change failed";
+ break;
}
return(0);
}
-krb5_error_code
+krb5_error_code
krb5int_mk_setpw_req(krb5_context context,
- krb5_auth_context auth_context,
- krb5_data *ap_req,
- krb5_principal targprinc,
- char *passwd,
- krb5_data *packet)
+ krb5_auth_context auth_context,
+ krb5_data *ap_req,
+ krb5_principal targprinc,
+ char *passwd,
+ krb5_data *packet)
{
krb5_error_code ret;
- krb5_data cipherpw;
- krb5_data *encoded_setpw;
+ krb5_data cipherpw;
+ krb5_data *encoded_setpw;
struct krb5_setpw_req req;
char *ptr;
cipherpw.data = NULL;
cipherpw.length = 0;
-
+
if ((ret = krb5_auth_con_setflags(context, auth_context,
- KRB5_AUTH_CONTEXT_DO_SEQUENCE)))
- return(ret);
+ KRB5_AUTH_CONTEXT_DO_SEQUENCE)))
+ return(ret);
req.target = targprinc;
req.password.data = passwd;
req.password.length = strlen(passwd);
ret = encode_krb5_setpw_req(&req, &encoded_setpw);
if (ret) {
- return ret;
+ return ret;
}
if ((ret = krb5_mk_priv(context, auth_context, encoded_setpw, &cipherpw, NULL)) != 0) {
- krb5_free_data(context, encoded_setpw);
- return(ret);
+ krb5_free_data(context, encoded_setpw);
+ return(ret);
}
krb5_free_data(context, encoded_setpw);
-
+
packet->length = 6 + ap_req->length + cipherpw.length;
packet->data = (char *) malloc(packet->length);
if (packet->data == NULL) {
- ret = ENOMEM;
- goto cleanup;
+ ret = ENOMEM;
+ goto cleanup;
}
ptr = packet->data;
/*
@@ -325,18 +326,18 @@ krb5int_mk_setpw_req(krb5_context context,
ret = 0;
cleanup:
if (cipherpw.data)
- krb5_free_data_contents(context, &cipherpw);
+ krb5_free_data_contents(context, &cipherpw);
if ((ret != 0) && packet->data) {
- free(packet->data);
- packet->data = NULL;
+ free(packet->data);
+ packet->data = NULL;
}
return ret;
}
-krb5_error_code
+krb5_error_code
krb5int_rd_setpw_rep(krb5_context context, krb5_auth_context auth_context,
- krb5_data *packet,
- int *result_code, krb5_data *result_data)
+ krb5_data *packet,
+ int *result_code, krb5_data *result_data)
{
char *ptr;
unsigned int message_length, version_number;
@@ -350,7 +351,7 @@ krb5int_rd_setpw_rep(krb5_context context, krb5_auth_context auth_context,
** validate the packet length -
*/
if (packet->length < 4)
- return(KRB5KRB_AP_ERR_MODIFIED);
+ return(KRB5KRB_AP_ERR_MODIFIED);
ptr = packet->data;
@@ -358,109 +359,109 @@ krb5int_rd_setpw_rep(krb5_context context, krb5_auth_context auth_context,
** see if it is an error
*/
if (krb5_is_krb_error(packet)) {
- krb5_error *krberror;
- if ((ret = krb5_rd_error(context, packet, &krberror)))
- return(ret);
- if (krberror->e_data.data == NULL) {
- ret = ERROR_TABLE_BASE_krb5 + (krb5_error_code) krberror->error;
- krb5_free_error(context, krberror);
- return (ret);
- }
- clearresult = krberror->e_data;
- krberror->e_data.data = NULL; /*So we can free it later*/
- krberror->e_data.length = 0;
- krb5_free_error(context, krberror);
- ap_rep.length = 0;
+ krb5_error *krberror;
+ if ((ret = krb5_rd_error(context, packet, &krberror)))
+ return(ret);
+ if (krberror->e_data.data == NULL) {
+ ret = ERROR_TABLE_BASE_krb5 + (krb5_error_code) krberror->error;
+ krb5_free_error(context, krberror);
+ return (ret);
+ }
+ clearresult = krberror->e_data;
+ krberror->e_data.data = NULL; /*So we can free it later*/
+ krberror->e_data.length = 0;
+ krb5_free_error(context, krberror);
+ ap_rep.length = 0;
} else { /* Not an error*/
- /*
- ** validate the message length -
- ** length is big endian
- */
- message_length = (((ptr[0] << 8)&0xff) | (ptr[1]&0xff));
- ptr += 2;
- /*
- ** make sure the message length and packet length agree -
- */
- if (message_length != packet->length)
- return(KRB5KRB_AP_ERR_MODIFIED);
- /*
- ** get the version number -
- */
- version_number = (((ptr[0] << 8)&0xff) | (ptr[1]&0xff));
- ptr += 2;
- /*
- ** make sure we support the version returned -
- */
- /*
- ** set password version is 0xff80, change password version is 1
- */
- if (version_number != 1 && version_number != 0xff80)
- return(KRB5KDC_ERR_BAD_PVNO);
- /*
- ** now fill in ap_rep with the reply -
- */
- /*
- ** get the reply length -
- */
- ap_rep.length = (((ptr[0] << 8)&0xff) | (ptr[1]&0xff));
- ptr += 2;
- /*
- ** validate ap_rep length agrees with the packet length -
- */
- if (ptr + ap_rep.length >= packet->data + packet->length)
- return(KRB5KRB_AP_ERR_MODIFIED);
- /*
- ** if data was returned, set the ap_rep ptr -
- */
- if (ap_rep.length) {
- ap_rep.data = ptr;
- ptr += ap_rep.length;
-
- /*
- * Save send_subkey to later smash recv_subkey.
- */
- ret = krb5_auth_con_getsendsubkey(context, auth_context, &tmpkey);
- if (ret)
- return ret;
-
- ret = krb5_rd_rep(context, auth_context, &ap_rep, &ap_rep_enc);
- if (ret) {
- krb5_free_keyblock(context, tmpkey);
- return(ret);
- }
-
- krb5_free_ap_rep_enc_part(context, ap_rep_enc);
- /*
- ** now decrypt the result -
- */
- cipherresult.data = ptr;
- cipherresult.length = (packet->data + packet->length) - ptr;
-
- /*
- * Smash recv_subkey to be send_subkey, per spec.
- */
- ret = krb5_auth_con_setrecvsubkey(context, auth_context, tmpkey);
- krb5_free_keyblock(context, tmpkey);
- if (ret)
- return ret;
-
- ret = krb5_rd_priv(context, auth_context, &cipherresult, &clearresult,
- NULL);
- if (ret)
- return(ret);
- } /*We got an ap_rep*/
- else
- return (KRB5KRB_AP_ERR_MODIFIED);
+ /*
+ ** validate the message length -
+ ** length is big endian
+ */
+ message_length = (((ptr[0] << 8)&0xff) | (ptr[1]&0xff));
+ ptr += 2;
+ /*
+ ** make sure the message length and packet length agree -
+ */
+ if (message_length != packet->length)
+ return(KRB5KRB_AP_ERR_MODIFIED);
+ /*
+ ** get the version number -
+ */
+ version_number = (((ptr[0] << 8)&0xff) | (ptr[1]&0xff));
+ ptr += 2;
+ /*
+ ** make sure we support the version returned -
+ */
+ /*
+ ** set password version is 0xff80, change password version is 1
+ */
+ if (version_number != 1 && version_number != 0xff80)
+ return(KRB5KDC_ERR_BAD_PVNO);
+ /*
+ ** now fill in ap_rep with the reply -
+ */
+ /*
+ ** get the reply length -
+ */
+ ap_rep.length = (((ptr[0] << 8)&0xff) | (ptr[1]&0xff));
+ ptr += 2;
+ /*
+ ** validate ap_rep length agrees with the packet length -
+ */
+ if (ptr + ap_rep.length >= packet->data + packet->length)
+ return(KRB5KRB_AP_ERR_MODIFIED);
+ /*
+ ** if data was returned, set the ap_rep ptr -
+ */
+ if (ap_rep.length) {
+ ap_rep.data = ptr;
+ ptr += ap_rep.length;
+
+ /*
+ * Save send_subkey to later smash recv_subkey.
+ */
+ ret = krb5_auth_con_getsendsubkey(context, auth_context, &tmpkey);
+ if (ret)
+ return ret;
+
+ ret = krb5_rd_rep(context, auth_context, &ap_rep, &ap_rep_enc);
+ if (ret) {
+ krb5_free_keyblock(context, tmpkey);
+ return(ret);
+ }
+
+ krb5_free_ap_rep_enc_part(context, ap_rep_enc);
+ /*
+ ** now decrypt the result -
+ */
+ cipherresult.data = ptr;
+ cipherresult.length = (packet->data + packet->length) - ptr;
+
+ /*
+ * Smash recv_subkey to be send_subkey, per spec.
+ */
+ ret = krb5_auth_con_setrecvsubkey(context, auth_context, tmpkey);
+ krb5_free_keyblock(context, tmpkey);
+ if (ret)
+ return ret;
+
+ ret = krb5_rd_priv(context, auth_context, &cipherresult, &clearresult,
+ NULL);
+ if (ret)
+ return(ret);
+ } /*We got an ap_rep*/
+ else
+ return (KRB5KRB_AP_ERR_MODIFIED);
} /*Response instead of error*/
/*
- ** validate the cleartext length
+ ** validate the cleartext length
*/
if (clearresult.length < 2) {
- ret = KRB5KRB_AP_ERR_MODIFIED;
- goto cleanup;
+ ret = KRB5KRB_AP_ERR_MODIFIED;
+ goto cleanup;
}
/*
** now decode the result -
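Review bot: The three 16-bit reads in this hunk are written as `(((ptr[0] << 8)&0xff) | (ptr[1]&0xff))`, and masking after the shift clears the high byte, so each value is only ever `ptr[1]`. As a result `message_length != packet->length` rejects every reply of 256 bytes or more and ignores the high byte for smaller ones, `version_number` can never equal `0xff80`, and `ap_rep.length` is truncated before the bounds check that follows it. Mask before shifting, e.g. `message_length = ((ptr[0] & 0xff) << 8) | (ptr[1] & 0xff);`, and likewise for `version_number` and `ap_rep.length`. krb5int_rd_setpw_rep starts and ends outside this hunk.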
@@ -474,68 +475,67 @@ krb5int_rd_setpw_rep(krb5_context context, krb5_auth_context auth_context,
** result code 5 is access denied
*/
if ((*result_code < KRB5_KPASSWD_SUCCESS) || (*result_code > 5)) {
- ret = KRB5KRB_AP_ERR_MODIFIED;
- goto cleanup;
+ ret = KRB5KRB_AP_ERR_MODIFIED;
+ goto cleanup;
}
/*
** all success replies should be authenticated/encrypted
*/
if ((ap_rep.length == 0) && (*result_code == KRB5_KPASSWD_SUCCESS)) {
- ret = KRB5KRB_AP_ERR_MODIFIED;
- goto cleanup;
+ ret = KRB5KRB_AP_ERR_MODIFIED;
+ goto cleanup;
}
if (result_data) {
- result_data->length = (clearresult.data + clearresult.length) - ptr;
-
- if (result_data->length) {
- result_data->data = (char *) malloc(result_data->length);
- if (result_data->data)
- memcpy(result_data->data, ptr, result_data->length);
- } else
- result_data->data = NULL;
+ result_data->length = (clearresult.data + clearresult.length) - ptr;
+
+ if (result_data->length) {
+ result_data->data = (char *) malloc(result_data->length);
+ if (result_data->data)
+ memcpy(result_data->data, ptr, result_data->length);
+ } else
+ result_data->data = NULL;
}
ret = 0;
- cleanup:
+cleanup:
krb5_free_data_contents(context, &clearresult);
return(ret);
}
-krb5_error_code
+krb5_error_code
krb5int_setpw_result_code_string(krb5_context context, int result_code,
- const char **code_string)
+ const char **code_string)
{
switch (result_code) {
case KRB5_KPASSWD_MALFORMED:
- *code_string = "Malformed request error";
- break;
+ *code_string = "Malformed request error";
+ break;
case KRB5_KPASSWD_HARDERROR:
- *code_string = "Server error";
- break;
+ *code_string = "Server error";
+ break;
case KRB5_KPASSWD_AUTHERROR:
- *code_string = "Authentication error";
- break;
+ *code_string = "Authentication error";
+ break;
case KRB5_KPASSWD_SOFTERROR:
- *code_string = "Password change rejected";
- break;
+ *code_string = "Password change rejected";
+ break;
case 5: /* access denied */
- *code_string = "Access denied";
- break;
- case 6: /* bad version */
- *code_string = "Wrong protocol version";
- break;
+ *code_string = "Access denied";
+ break;
+ case 6: /* bad version */
+ *code_string = "Wrong protocol version";
+ break;
case 7: /* initial flag is needed */
- *code_string = "Initial password required";
- break;
+ *code_string = "Initial password required";
+ break;
case 0:
- *code_string = "Success";
- break;
+ *code_string = "Success";
+ break;
default:
- *code_string = "Password change failed";
- break;
+ *code_string = "Password change failed";
+ break;
}
return(0);
}
-
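Review bot: A failed `malloc` for `result_data->data` is silently ignored in krb5int_rd_setpw_rep: the `if (result_data->data) memcpy(...)` branch is skipped, `ret` is set to 0, and the caller receives a non-zero `result_data->length` with a NULL `data` pointer. krb5int_rd_chpw_rep handles the same case by returning ENOMEM, so add `else { ret = ENOMEM; goto cleanup; }` after the `memcpy`; the `cleanup` label already releases `clearresult`. The function begins outside this hunk.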
diff --git a/src/lib/krb5/krb/cleanup.h b/src/lib/krb5/krb/cleanup.h
index 94b39f757b..3a018330ab 100644
--- a/src/lib/krb5/krb/cleanup.h
+++ b/src/lib/krb5/krb/cleanup.h
@@ -1,29 +1,30 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
#ifndef KRB5_CLEANUP
#define KRB5_CLEANUP
struct cleanup {
- void * arg;
- void (*func)(void *);
+ void * arg;
+ void (*func)(void *);
};
-#define CLEANUP_INIT(x) \
- struct cleanup cleanup_data[x]; \
- int cleanup_count = 0;
+#define CLEANUP_INIT(x) \
+ struct cleanup cleanup_data[x]; \
+ int cleanup_count = 0;
-#define CLEANUP_PUSH(x, y) \
- cleanup_data[cleanup_count].arg = x; \
- cleanup_data[cleanup_count].func = y; \
+#define CLEANUP_PUSH(x, y) \
+ cleanup_data[cleanup_count].arg = x; \
+ cleanup_data[cleanup_count].func = y; \
cleanup_count++;
-#define CLEANUP_POP(x) \
- if ((--cleanup_count) && x && (cleanup_data[cleanup_count].func)) \
- cleanup_data[cleanup_count].func(cleanup_data[cleanup_count].arg);
-
-#define CLEANUP_DONE() \
- while(cleanup_count--) \
- if (cleanup_data[cleanup_count].func) \
- cleanup_data[cleanup_count].func(cleanup_data[cleanup_count].arg);
-
+#define CLEANUP_POP(x) \
+ if ((--cleanup_count) && x && (cleanup_data[cleanup_count].func)) \
+ cleanup_data[cleanup_count].func(cleanup_data[cleanup_count].arg);
+
+#define CLEANUP_DONE() \
+ while(cleanup_count--) \
+ if (cleanup_data[cleanup_count].func) \
+ cleanup_data[cleanup_count].func(cleanup_data[cleanup_count].arg);
+
#endif
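Review bot: `CLEANUP_POP` appears never to run the handler in slot 0, because its condition starts with `(--cleanup_count) &&`, which is false exactly when the decrement reaches the bottom entry; that entry is dropped without its `func` being called even when `x` is true. If that is not intended, test the index rather than its truth value, e.g. `if ((--cleanup_count) >= 0 && (x) && (cleanup_data[cleanup_count].func))`. Separately, `CLEANUP_PUSH`, `CLEANUP_POP` and `CLEANUP_DONE` expand to bare statements with unparenthesized arguments, so using one as the body of an unbraced `if`/`else` silently changes control flow; wrapping each expansion in `do { ... } while (0)` would make them behave as single statements. The commit only re-indents these macros, so both points predate it.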
diff --git a/src/lib/krb5/krb/conv_creds.c b/src/lib/krb5/krb/conv_creds.c
index b6c610842a..6f4608817e 100644
--- a/src/lib/krb5/krb/conv_creds.c
+++ b/src/lib/krb5/krb/conv_creds.c
@@ -1,6 +1,7 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* Copyright 1994 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
@@ -10,7 +11,7 @@
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
@@ -29,7 +30,7 @@
krb5_error_code KRB5_CALLCONV
krb5_524_convert_creds(krb5_context context, krb5_creds *v5creds,
- struct credentials *v4creds)
+ struct credentials *v4creds)
{
return KRB524_KRB4_DISABLED;
}
@@ -45,11 +46,11 @@ krb5_524_convert_creds(krb5_context context, krb5_creds *v5creds,
void KRB5_CALLCONV krb524_init_ets (void);
krb5_error_code KRB5_CALLCONV
krb524_convert_creds_kdc(krb5_context context, krb5_creds *v5creds,
- struct credentials *v4creds);
+ struct credentials *v4creds);
krb5_error_code KRB5_CALLCONV
krb524_convert_creds_kdc(krb5_context context, krb5_creds *v5creds,
- struct credentials *v4creds)
+ struct credentials *v4creds)
{
return KRB524_KRB4_DISABLED;
}
diff --git a/src/lib/krb5/krb/conv_princ.c b/src/lib/krb5/krb/conv_princ.c
index 43c588f0f6..5f63f465a1 100644
--- a/src/lib/krb5/krb/conv_princ.c
+++ b/src/lib/krb5/krb/conv_princ.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/conv_princ.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,10 +23,10 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
* Build a principal from a V4 specification, or separate a V5
* principal into name, instance, and realm.
- *
+ *
* NOTE: This is highly site specific, and is only really necessary
* for sites who need to convert from V4 to V5. It is used by both
* the KDC and the kdb5_convert program. Since its use is highly
@@ -39,16 +40,16 @@
/* The maximum sizes for V4 aname, realm, sname, and instance +1 */
/* Taken from krb.h */
-#define ANAME_SZ 40
-#define REALM_SZ 40
-#define SNAME_SZ 40
-#define INST_SZ 40
+#define ANAME_SZ 40
+#define REALM_SZ 40
+#define SNAME_SZ 40
+#define INST_SZ 40
struct krb_convert {
- char *v4_str;
- char *v5_str;
- unsigned int flags : 8;
- unsigned int len : 8;
+ char *v4_str;
+ char *v5_str;
+ unsigned int flags : 8;
+ unsigned int len : 8;
};
#define DO_REALM_CONVERSION 0x00000001
@@ -71,9 +72,9 @@ static const struct krb_convert sconv_list[] = {
/* Realm conversion, Change service name */
#define RC(V5NAME,V4NAME) { V5NAME, V4NAME, DO_REALM_CONVERSION, sizeof(V5NAME)-1 }
/* Realm conversion */
-#define R(NAME) { NAME, NAME, DO_REALM_CONVERSION, sizeof(NAME)-1 }
+#define R(NAME) { NAME, NAME, DO_REALM_CONVERSION, sizeof(NAME)-1 }
/* No Realm conversion */
-#define NR(NAME) { NAME, NAME, 0, sizeof(NAME)-1 }
+#define NR(NAME) { NAME, NAME, 0, sizeof(NAME)-1 }
NR("kadmin"),
RC("rcmd", "host"),
@@ -128,18 +129,18 @@ static const struct krb_convert sconv_list[] = {
* This falls in the "should have been in the ANSI C library"
* category. :-)
*/
-static char *strnchr(register char *s, register int c,
- register unsigned int n)
+static char *strnchr(register char *s, register int c,
+ register unsigned int n)
{
- if (n < 1)
- return 0;
-
- while (n-- && *s) {
- if (*s == c)
- return s;
- s++;
- }
- return 0;
+ if (n < 1)
+ return 0;
+
+ while (n-- && *s) {
+ if (*s == c)
+ return s;
+ s++;
+ }
+ return 0;
}
@@ -148,207 +149,207 @@ static char *strnchr(register char *s, register int c,
krb5_error_code KRB5_CALLCONV
krb5_524_conv_principal(krb5_context context, krb5_const_principal princ,
- char *name, char *inst, char *realm)
+ char *name, char *inst, char *realm)
{
- const struct krb_convert *p;
- const krb5_data *compo;
- char *c, *tmp_realm, *tmp_prealm;
- unsigned int tmp_realm_len;
- int retval;
+ const struct krb_convert *p;
+ const krb5_data *compo;
+ char *c, *tmp_realm, *tmp_prealm;
+ unsigned int tmp_realm_len;
+ int retval;
- if (context->profile == 0)
- return KRB5_CONFIG_CANTOPEN;
+ if (context->profile == 0)
+ return KRB5_CONFIG_CANTOPEN;
- *name = *inst = '\0';
- switch (krb5_princ_size(context, princ)) {
- case 2:
- /* Check if this principal is listed in the table */
- compo = krb5_princ_component(context, princ, 0);
- p = sconv_list;
- while (p->v4_str) {
- if (p->len == compo->length
- && memcmp(p->v5_str, compo->data, compo->length) == 0) {
- /*
- * It is, so set the new name now, and chop off
- * instance's domain name if requested.
- */
- if (strlcpy(name, p->v4_str, ANAME_SZ) >= ANAME_SZ)
- return KRB5_INVALID_PRINCIPAL;
- if (p->flags & DO_REALM_CONVERSION) {
- compo = krb5_princ_component(context, princ, 1);
- c = strnchr(compo->data, '.', compo->length);
- if (!c || (c - compo->data) >= INST_SZ - 1)
- return KRB5_INVALID_PRINCIPAL;
- memcpy(inst, compo->data, (size_t) (c - compo->data));
- inst[c - compo->data] = '\0';
- }
- break;
- }
- p++;
- }
- /* If inst isn't set, the service isn't listed in the table, */
- /* so just copy it. */
- if (*inst == '\0') {
- compo = krb5_princ_component(context, princ, 1);
- if (compo->length >= INST_SZ - 1)
- return KRB5_INVALID_PRINCIPAL;
- memcpy(inst, compo->data, compo->length);
- inst[compo->length] = '\0';
- }
- /* fall through */
- case 1:
- /* name may have been set above; otherwise, just copy it */
- if (*name == '\0') {
- compo = krb5_princ_component(context, princ, 0);
- if (compo->length >= ANAME_SZ)
- return KRB5_INVALID_PRINCIPAL;
- memcpy(name, compo->data, compo->length);
- name[compo->length] = '\0';
- }
- break;
- default:
- return KRB5_INVALID_PRINCIPAL;
- }
+ *name = *inst = '\0';
+ switch (krb5_princ_size(context, princ)) {
+ case 2:
+ /* Check if this principal is listed in the table */
+ compo = krb5_princ_component(context, princ, 0);
+ p = sconv_list;
+ while (p->v4_str) {
+ if (p->len == compo->length
+ && memcmp(p->v5_str, compo->data, compo->length) == 0) {
+ /*
+ * It is, so set the new name now, and chop off
+ * instance's domain name if requested.
+ */
+ if (strlcpy(name, p->v4_str, ANAME_SZ) >= ANAME_SZ)
+ return KRB5_INVALID_PRINCIPAL;
+ if (p->flags & DO_REALM_CONVERSION) {
+ compo = krb5_princ_component(context, princ, 1);
+ c = strnchr(compo->data, '.', compo->length);
+ if (!c || (c - compo->data) >= INST_SZ - 1)
+ return KRB5_INVALID_PRINCIPAL;
+ memcpy(inst, compo->data, (size_t) (c - compo->data));
+ inst[c - compo->data] = '\0';
+ }
+ break;
+ }
+ p++;
+ }
+ /* If inst isn't set, the service isn't listed in the table, */
+ /* so just copy it. */
+ if (*inst == '\0') {
+ compo = krb5_princ_component(context, princ, 1);
+ if (compo->length >= INST_SZ - 1)
+ return KRB5_INVALID_PRINCIPAL;
+ memcpy(inst, compo->data, compo->length);
+ inst[compo->length] = '\0';
+ }
+ /* fall through */
+ case 1:
+ /* name may have been set above; otherwise, just copy it */
+ if (*name == '\0') {
+ compo = krb5_princ_component(context, princ, 0);
+ if (compo->length >= ANAME_SZ)
+ return KRB5_INVALID_PRINCIPAL;
+ memcpy(name, compo->data, compo->length);
+ name[compo->length] = '\0';
+ }
+ break;
+ default:
+ return KRB5_INVALID_PRINCIPAL;
+ }
- compo = krb5_princ_realm(context, princ);
+ compo = krb5_princ_realm(context, princ);
- tmp_prealm = malloc(compo->length + 1);
- if (tmp_prealm == NULL)
- return ENOMEM;
- strncpy(tmp_prealm, compo->data, compo->length);
- tmp_prealm[compo->length] = '\0';
+ tmp_prealm = malloc(compo->length + 1);
+ if (tmp_prealm == NULL)
+ return ENOMEM;
+ strncpy(tmp_prealm, compo->data, compo->length);
+ tmp_prealm[compo->length] = '\0';
- /* Ask for v4_realm corresponding to
- krb5 principal realm from krb5.conf realms stanza */
+ /* Ask for v4_realm corresponding to
+ krb5 principal realm from krb5.conf realms stanza */
- retval = profile_get_string(context->profile, KRB5_CONF_REALMS,
- tmp_prealm, KRB5_CONF_V4_REALM, 0,
- &tmp_realm);
- free(tmp_prealm);
- if (retval) {
- return retval;
- } else {
- if (tmp_realm == 0) {
- if (compo->length > REALM_SZ - 1)
- return KRB5_INVALID_PRINCIPAL;
- strncpy(realm, compo->data, compo->length);
- realm[compo->length] = '\0';
- } else {
- tmp_realm_len = strlen(tmp_realm);
- if (tmp_realm_len > REALM_SZ - 1)
- return KRB5_INVALID_PRINCIPAL;
- strncpy(realm, tmp_realm, tmp_realm_len);
- realm[tmp_realm_len] = '\0';
- profile_release_string(tmp_realm);
- }
- }
- return 0;
+ retval = profile_get_string(context->profile, KRB5_CONF_REALMS,
+ tmp_prealm, KRB5_CONF_V4_REALM, 0,
+ &tmp_realm);
+ free(tmp_prealm);
+ if (retval) {
+ return retval;
+ } else {
+ if (tmp_realm == 0) {
+ if (compo->length > REALM_SZ - 1)
+ return KRB5_INVALID_PRINCIPAL;
+ strncpy(realm, compo->data, compo->length);
+ realm[compo->length] = '\0';
+ } else {
+ tmp_realm_len = strlen(tmp_realm);
+ if (tmp_realm_len > REALM_SZ - 1)
+ return KRB5_INVALID_PRINCIPAL;
+ strncpy(realm, tmp_realm, tmp_realm_len);
+ realm[tmp_realm_len] = '\0';
+ profile_release_string(tmp_realm);
+ }
+ }
+ return 0;
}
krb5_error_code KRB5_CALLCONV
krb5_425_conv_principal(krb5_context context, const char *name,
- const char *instance, const char *realm,
- krb5_principal *princ)
+ const char *instance, const char *realm,
+ krb5_principal *princ)
{
- const struct krb_convert *p;
- char buf[256]; /* V4 instances are limited to 40 characters */
- krb5_error_code retval;
- char *domain, *cp;
- char **full_name = 0;
- const char *names[5], *names2[2];
- void* iterator = NULL;
- char** v4realms = NULL;
- char* realm_name = NULL;
- char* dummy_value = NULL;
-
- /* First, convert the realm, since the v4 realm is not necessarily the same as the v5 realm
- To do that, iterate over all the realms in the config file, looking for a matching
- v4_realm line */
- names2 [0] = KRB5_CONF_REALMS;
- names2 [1] = NULL;
- retval = profile_iterator_create (context -> profile, names2, PROFILE_ITER_LIST_SECTION | PROFILE_ITER_SECTIONS_ONLY, &iterator);
- while (retval == 0) {
- retval = profile_iterator (&iterator, &realm_name, &dummy_value);
- if ((retval == 0) && (realm_name != NULL)) {
- names [0] = KRB5_CONF_REALMS;
- names [1] = realm_name;
- names [2] = KRB5_CONF_V4_REALM;
- names [3] = NULL;
+ const struct krb_convert *p;
+ char buf[256]; /* V4 instances are limited to 40 characters */
+ krb5_error_code retval;
+ char *domain, *cp;
+ char **full_name = 0;
+ const char *names[5], *names2[2];
+ void* iterator = NULL;
+ char** v4realms = NULL;
+ char* realm_name = NULL;
+ char* dummy_value = NULL;
+
+ /* First, convert the realm, since the v4 realm is not necessarily the same as the v5 realm
+ To do that, iterate over all the realms in the config file, looking for a matching
+ v4_realm line */
+ names2 [0] = KRB5_CONF_REALMS;
+ names2 [1] = NULL;
+ retval = profile_iterator_create (context -> profile, names2, PROFILE_ITER_LIST_SECTION | PROFILE_ITER_SECTIONS_ONLY, &iterator);
+ while (retval == 0) {
+ retval = profile_iterator (&iterator, &realm_name, &dummy_value);
+ if ((retval == 0) && (realm_name != NULL)) {
+ names [0] = KRB5_CONF_REALMS;
+ names [1] = realm_name;
+ names [2] = KRB5_CONF_V4_REALM;
+ names [3] = NULL;
+
+ retval = profile_get_values (context -> profile, names, &v4realms);
+ if ((retval == 0) && (v4realms != NULL) && (v4realms [0] != NULL) && (strcmp (v4realms [0], realm) == 0)) {
+ realm = realm_name;
+ break;
+ } else if (retval == PROF_NO_RELATION) {
+ /* If it's not found, just keep going */
+ retval = 0;
+ }
+ } else if ((retval == 0) && (realm_name == NULL)) {
+ break;
+ }
+ if (v4realms != NULL) {
+ profile_free_list(v4realms);
+ v4realms = NULL;
+ }
+ if (realm_name != NULL) {
+ profile_release_string (realm_name);
+ realm_name = NULL;
+ }
+ if (dummy_value != NULL) {
+ profile_release_string (dummy_value);
+ dummy_value = NULL;
+ }
+ }
+
+ if (instance) {
+ if (instance[0] == '\0') {
+ instance = 0;
+ goto not_service;
+ }
+ p = sconv_list;
+ while (1) {
+ if (!p->v4_str)
+ goto not_service;
+ if (!strcmp(p->v4_str, name))
+ break;
+ p++;
+ }
+ name = p->v5_str;
+ if ((p->flags & DO_REALM_CONVERSION) && !strchr(instance, '.')) {
+ names[0] = KRB5_CONF_REALMS;
+ names[1] = realm;
+ names[2] = KRB5_CONF_V4_INSTANCE_CONVERT;
+ names[3] = instance;
+ names[4] = 0;
+ retval = profile_get_values(context->profile, names, &full_name);
+ if (retval == 0 && full_name && full_name[0]) {
+ instance = full_name[0];
+ } else {
+ strncpy(buf, instance, sizeof(buf));
+ buf[sizeof(buf) - 1] = '\0';
+ retval = krb5_get_realm_domain(context, realm, &domain);
+ if (retval)
+ return retval;
+ if (domain) {
+ for (cp = domain; *cp; cp++)
+ if (isupper((unsigned char) (*cp)))
+ *cp = tolower((unsigned char) *cp);
+ strncat(buf, ".", sizeof(buf) - 1 - strlen(buf));
+ strncat(buf, domain, sizeof(buf) - 1 - strlen(buf));
+ free(domain);
+ }
+ instance = buf;
+ }
+ }
+ }
- retval = profile_get_values (context -> profile, names, &v4realms);
- if ((retval == 0) && (v4realms != NULL) && (v4realms [0] != NULL) && (strcmp (v4realms [0], realm) == 0)) {
- realm = realm_name;
- break;
- } else if (retval == PROF_NO_RELATION) {
- /* If it's not found, just keep going */
- retval = 0;
- }
- } else if ((retval == 0) && (realm_name == NULL)) {
- break;
- }
- if (v4realms != NULL) {
- profile_free_list(v4realms);
- v4realms = NULL;
- }
- if (realm_name != NULL) {
- profile_release_string (realm_name);
- realm_name = NULL;
- }
- if (dummy_value != NULL) {
- profile_release_string (dummy_value);
- dummy_value = NULL;
- }
- }
-
- if (instance) {
- if (instance[0] == '\0') {
- instance = 0;
- goto not_service;
- }
- p = sconv_list;
- while (1) {
- if (!p->v4_str)
- goto not_service;
- if (!strcmp(p->v4_str, name))
- break;
- p++;
- }
- name = p->v5_str;
- if ((p->flags & DO_REALM_CONVERSION) && !strchr(instance, '.')) {
- names[0] = KRB5_CONF_REALMS;
- names[1] = realm;
- names[2] = KRB5_CONF_V4_INSTANCE_CONVERT;
- names[3] = instance;
- names[4] = 0;
- retval = profile_get_values(context->profile, names, &full_name);
- if (retval == 0 && full_name && full_name[0]) {
- instance = full_name[0];
- } else {
- strncpy(buf, instance, sizeof(buf));
- buf[sizeof(buf) - 1] = '\0';
- retval = krb5_get_realm_domain(context, realm, &domain);
- if (retval)
- return retval;
- if (domain) {
- for (cp = domain; *cp; cp++)
- if (isupper((unsigned char) (*cp)))
- *cp = tolower((unsigned char) *cp);
- strncat(buf, ".", sizeof(buf) - 1 - strlen(buf));
- strncat(buf, domain, sizeof(buf) - 1 - strlen(buf));
- free(domain);
- }
- instance = buf;
- }
- }
- }
-
not_service:
- retval = krb5_build_principal(context, princ, strlen(realm), realm, name,
- instance, NULL);
- if (iterator) profile_iterator_free (&iterator);
- if (full_name) profile_free_list(full_name);
- if (v4realms) profile_free_list(v4realms);
- if (realm_name) profile_release_string (realm_name);
- if (dummy_value) profile_release_string (dummy_value);
- return retval;
+ retval = krb5_build_principal(context, princ, strlen(realm), realm, name,
+ instance, NULL);
+ if (iterator) profile_iterator_free (&iterator);
+ if (full_name) profile_free_list(full_name);
+ if (v4realms) profile_free_list(v4realms);
+ if (realm_name) profile_release_string (realm_name);
+ if (dummy_value) profile_release_string (dummy_value);
+ return retval;
}
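Review bot: Two error returns in this hunk skip the release calls that the normal path performs. In `krb5_425_conv_principal`, `if (retval) return retval;` after `krb5_get_realm_domain` exits without the `profile_iterator_free`, `profile_free_list` and `profile_release_string` calls under `not_service:`, so the iterator and any strings still held from the realms scan are leaked; a `cleanup:` label placed after the `krb5_build_principal` call and reached with `goto cleanup;` would cover that path. In `krb5_524_conv_principal`, the `tmp_realm_len > REALM_SZ - 1` check returns `KRB5_INVALID_PRINCIPAL` without reaching `profile_release_string(tmp_realm);`, so the string should be released before that return. The change here is indentation only, so these paths predate the commit.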
diff --git a/src/lib/krb5/krb/copy_addrs.c b/src/lib/krb5/krb/copy_addrs.c
index c3dcd57d03..7207c4c278 100644
--- a/src/lib/krb5/krb/copy_addrs.c
+++ b/src/lib/krb5/krb/copy_addrs.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/copy_addrs.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_copy_addresses()
*/
@@ -35,11 +36,11 @@ krb5_copy_addr(krb5_context context, const krb5_address *inad, krb5_address **ou
krb5_address *tmpad;
if (!(tmpad = (krb5_address *)malloc(sizeof(*tmpad))))
- return ENOMEM;
+ return ENOMEM;
*tmpad = *inad;
if (!(tmpad->contents = (krb5_octet *)malloc(inad->length))) {
- free(tmpad);
- return ENOMEM;
+ free(tmpad);
+ return ENOMEM;
}
memcpy(tmpad->contents, inad->contents, inad->length);
*outad = tmpad;
@@ -57,22 +58,22 @@ krb5_copy_addresses(krb5_context context, krb5_address *const *inaddr, krb5_addr
register unsigned int nelems = 0;
if (!inaddr) {
- *outaddr = 0;
- return 0;
+ *outaddr = 0;
+ return 0;
}
-
+
while (inaddr[nelems]) nelems++;
/* one more for a null terminated list */
if (!(tempaddr = (krb5_address **) calloc(nelems+1, sizeof(*tempaddr))))
- return ENOMEM;
+ return ENOMEM;
for (nelems = 0; inaddr[nelems]; nelems++) {
- retval = krb5_copy_addr(context, inaddr[nelems], &tempaddr[nelems]);
+ retval = krb5_copy_addr(context, inaddr[nelems], &tempaddr[nelems]);
if (retval) {
- krb5_free_addresses(context, tempaddr);
- return retval;
- }
+ krb5_free_addresses(context, tempaddr);
+ return retval;
+ }
}
*outaddr = tempaddr;
@@ -88,8 +89,8 @@ krb5_copy_addresses(krb5_context context, krb5_address *const *inaddr, krb5_addr
krb5_error_code
krb5_append_addresses(context, inaddr, outaddr)
krb5_context context;
- krb5_address * const * inaddr;
- krb5_address ***outaddr;
+ krb5_address * const * inaddr;
+ krb5_address ***outaddr;
{
krb5_error_code retval;
krb5_address ** tempaddr;
@@ -98,7 +99,7 @@ krb5_append_addresses(context, inaddr, outaddr)
register int norigelems = 0;
if (!inaddr)
- return 0;
+ return 0;
tempaddr2 = *outaddr;
@@ -106,34 +107,33 @@ krb5_append_addresses(context, inaddr, outaddr)
while (tempaddr2[norigelems]) norigelems++;
tempaddr = (krb5_address **) realloc((char *)*outaddr,
- (nelems + norigelems + 1) * sizeof(*tempaddr));
+ (nelems + norigelems + 1) * sizeof(*tempaddr));
if (!tempaddr)
- return ENOMEM;
+ return ENOMEM;
/* The old storage has been freed. */
*outaddr = tempaddr;
for (nelems = 0; inaddr[nelems]; nelems++) {
- retval = krb5_copy_addr(context, inaddr[nelems],
- &tempaddr[norigelems + nelems]);
- if (retval)
- goto cleanup;
+ retval = krb5_copy_addr(context, inaddr[nelems],
+ &tempaddr[norigelems + nelems]);
+ if (retval)
+ goto cleanup;
}
tempaddr[norigelems + nelems] = 0;
return 0;
- cleanup:
+cleanup:
while (--nelems >= 0)
- krb5_free_address(context, tempaddr[norigelems + nelems]);
+ krb5_free_address(context, tempaddr[norigelems + nelems]);
/* Try to allocate a smaller amount of memory for *outaddr. */
tempaddr = (krb5_address **) realloc((char *)tempaddr,
- (norigelems + 1) * sizeof(*tempaddr));
+ (norigelems + 1) * sizeof(*tempaddr));
if (tempaddr)
- *outaddr = tempaddr;
+ *outaddr = tempaddr;
return retval;
}
#endif
-
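Review bot: The `cleanup:` path of `krb5_append_addresses` frees the addresses copied so far but never restores the terminator at `tempaddr[norigelems]`, which the copy loop overwrote with the first new entry. When `krb5_copy_addr` fails after at least one successful copy, `*outaddr` is left with a freed pointer in the slot where the NULL terminator used to be, so a caller that walks or frees the list would touch freed memory. Adding `tempaddr[norigelems] = 0;` after the `while (--nelems >= 0)` loop and before the shrinking `realloc` keeps the list well formed on failure. The function starts outside this hunk and sits before an `#endif` whose condition is not visible, so it may not be compiled in.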
diff --git a/src/lib/krb5/krb/copy_athctr.c b/src/lib/krb5/krb/copy_athctr.c
index c356fbf78b..3345486e4e 100644
--- a/src/lib/krb5/krb/copy_athctr.c
+++ b/src/lib/krb5/krb/copy_athctr.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/copy_athctr.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_copy_authenticator()
*/
@@ -36,48 +37,47 @@ krb5_copy_authenticator(krb5_context context, const krb5_authenticator *authfrom
krb5_authenticator *tempto;
if (!(tempto = (krb5_authenticator *)malloc(sizeof(*tempto))))
- return ENOMEM;
+ return ENOMEM;
*tempto = *authfrom;
retval = krb5_copy_principal(context, authfrom->client, &tempto->client);
if (retval) {
- free(tempto);
- return retval;
+ free(tempto);
+ return retval;
}
-
+
if (authfrom->checksum &&
- (retval = krb5_copy_checksum(context, authfrom->checksum, &tempto->checksum))) {
- krb5_free_principal(context, tempto->client);
- free(tempto);
- return retval;
+ (retval = krb5_copy_checksum(context, authfrom->checksum, &tempto->checksum))) {
+ krb5_free_principal(context, tempto->client);
+ free(tempto);
+ return retval;
}
-
+
if (authfrom->subkey) {
- retval = krb5_copy_keyblock(context, authfrom->subkey, &tempto->subkey);
- if (retval) {
- free(tempto->subkey);
- krb5_free_checksum(context, tempto->checksum);
- krb5_free_principal(context, tempto->client);
- free(tempto);
- return retval;
- }
+ retval = krb5_copy_keyblock(context, authfrom->subkey, &tempto->subkey);
+ if (retval) {
+ free(tempto->subkey);
+ krb5_free_checksum(context, tempto->checksum);
+ krb5_free_principal(context, tempto->client);
+ free(tempto);
+ return retval;
+ }
}
-
+
if (authfrom->authorization_data) {
- retval = krb5_copy_authdata(context, authfrom->authorization_data,
- &tempto->authorization_data);
- if (retval) {
- free(tempto->subkey);
- krb5_free_checksum(context, tempto->checksum);
- krb5_free_principal(context, tempto->client);
- krb5_free_authdata(context, tempto->authorization_data);
- free(tempto);
- return retval;
- }
+ retval = krb5_copy_authdata(context, authfrom->authorization_data,
+ &tempto->authorization_data);
+ if (retval) {
+ free(tempto->subkey);
+ krb5_free_checksum(context, tempto->checksum);
+ krb5_free_principal(context, tempto->client);
+ krb5_free_authdata(context, tempto->authorization_data);
+ free(tempto);
+ return retval;
+ }
}
*authto = tempto;
return 0;
}
#endif
-
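Review bot: The failure paths in `krb5_copy_authenticator` call `free(tempto->subkey)`, but `*tempto = *authfrom;` has already made `tempto->subkey` an alias of the caller's key. If `krb5_copy_keyblock` returns an error without storing to its output argument (its body is not shown here), that `free` releases `authfrom->subkey` and leaves the caller with a dangling key pointer. In the `authorization_data` failure path the subkey is a real copy, and plain `free` releases only the keyblock structure, leaving the key bytes allocated and uncleared. Setting `tempto->subkey = NULL;` right after the struct copy and releasing with `krb5_free_keyblock(context, tempto->subkey);` would address both. The function begins before this hunk, and the trailing `#endif` suggests it is conditionally compiled.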
diff --git a/src/lib/krb5/krb/copy_auth.c b/src/lib/krb5/krb/copy_auth.c
index 6f36b26982..303badd2ff 100644
--- a/src/lib/krb5/krb/copy_auth.c
+++ b/src/lib/krb5/krb/copy_auth.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/copy_auth.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_copy_authdata()
*/
@@ -62,11 +63,11 @@ krb5_copy_authdatum(krb5_context context, const krb5_authdata *inad, krb5_authda
krb5_authdata *tmpad;
if (!(tmpad = (krb5_authdata *)malloc(sizeof(*tmpad))))
- return ENOMEM;
+ return ENOMEM;
*tmpad = *inad;
if (!(tmpad->contents = (krb5_octet *)malloc(inad->length))) {
- free(tmpad);
- return ENOMEM;
+ free(tmpad);
+ return ENOMEM;
}
memcpy(tmpad->contents, inad->contents, inad->length);
*outad = tmpad;
@@ -78,7 +79,7 @@ krb5_copy_authdatum(krb5_context context, const krb5_authdata *inad, krb5_authda
*/
krb5_error_code KRB5_CALLCONV
krb5_merge_authdata(krb5_context context, krb5_authdata *const *inauthdat1, krb5_authdata * const *inauthdat2,
- krb5_authdata ***outauthdat)
+ krb5_authdata ***outauthdat)
{
krb5_error_code retval;
krb5_authdata ** tempauthdat;
@@ -86,40 +87,40 @@ krb5_merge_authdata(krb5_context context, krb5_authdata *const *inauthdat1, krb5
*outauthdat = NULL;
if (!inauthdat1 && !inauthdat2) {
- *outauthdat = 0;
- return 0;
+ *outauthdat = 0;
+ return 0;
}
- if (inauthdat1)
- while (inauthdat1[nelems]) nelems++;
- if (inauthdat2)
- while (inauthdat2[nelems2]) nelems2++;
+ if (inauthdat1)
+ while (inauthdat1[nelems]) nelems++;
+ if (inauthdat2)
+ while (inauthdat2[nelems2]) nelems2++;
/* one more for a null terminated list */
if (!(tempauthdat = (krb5_authdata **) calloc(nelems+nelems2+1,
- sizeof(*tempauthdat))))
- return ENOMEM;
+ sizeof(*tempauthdat))))
+ return ENOMEM;
if (inauthdat1) {
- for (nelems = 0; inauthdat1[nelems]; nelems++) {
- retval = krb5_copy_authdatum(context, inauthdat1[nelems],
- &tempauthdat[nelems]);
- if (retval) {
- krb5_free_authdata(context, tempauthdat);
- return retval;
- }
- }
+ for (nelems = 0; inauthdat1[nelems]; nelems++) {
+ retval = krb5_copy_authdatum(context, inauthdat1[nelems],
+ &tempauthdat[nelems]);
+ if (retval) {
+ krb5_free_authdata(context, tempauthdat);
+ return retval;
+ }
+ }
}
if (inauthdat2) {
- for (nelems2 = 0; inauthdat2[nelems2]; nelems2++) {
- retval = krb5_copy_authdatum(context, inauthdat2[nelems2],
- &tempauthdat[nelems++]);
- if (retval) {
- krb5_free_authdata(context, tempauthdat);
- return retval;
- }
- }
+ for (nelems2 = 0; inauthdat2[nelems2]; nelems2++) {
+ retval = krb5_copy_authdatum(context, inauthdat2[nelems2],
+ &tempauthdat[nelems++]);
+ if (retval) {
+ krb5_free_authdata(context, tempauthdat);
+ return retval;
+ }
+ }
}
*outauthdat = tempauthdat;
@@ -128,16 +129,16 @@ krb5_merge_authdata(krb5_context context, krb5_authdata *const *inauthdat1, krb5
krb5_error_code KRB5_CALLCONV
krb5_copy_authdata(krb5_context context,
- krb5_authdata *const *in_authdat, krb5_authdata ***out)
+ krb5_authdata *const *in_authdat, krb5_authdata ***out)
{
return krb5_merge_authdata(context, in_authdat, NULL, out);
}
krb5_error_code KRB5_CALLCONV
krb5_decode_authdata_container(krb5_context context,
- krb5_authdatatype type,
- const krb5_authdata *container,
- krb5_authdata ***authdata)
+ krb5_authdatatype type,
+ const krb5_authdata *container,
+ krb5_authdata ***authdata)
{
krb5_error_code code;
krb5_data data;
@@ -145,23 +146,23 @@ krb5_decode_authdata_container(krb5_context context,
*authdata = NULL;
if ((container->ad_type & AD_TYPE_FIELD_TYPE_MASK) != type)
- return EINVAL;
+ return EINVAL;
data.length = container->length;
data.data = (char *)container->contents;
code = decode_krb5_authdata(&data, authdata);
if (code)
- return code;
+ return code;
return 0;
}
krb5_error_code KRB5_CALLCONV
krb5_encode_authdata_container(krb5_context context,
- krb5_authdatatype type,
- krb5_authdata *const*authdata,
- krb5_authdata ***container)
+ krb5_authdatatype type,
+ krb5_authdata *const*authdata,
+ krb5_authdata ***container)
{
krb5_error_code code;
krb5_data *data;
@@ -172,7 +173,7 @@ krb5_encode_authdata_container(krb5_context context,
code = encode_krb5_authdata((krb5_authdata * const *)authdata, &data);
if (code)
- return code;
+ return code;
ad_datum.ad_type = type & AD_TYPE_FIELD_TYPE_MASK;
ad_datum.length = data->length;
@@ -189,67 +190,67 @@ krb5_encode_authdata_container(krb5_context context,
}
struct find_authdata_context {
- krb5_authdata **out;
- size_t space;
- size_t length;
+ krb5_authdata **out;
+ size_t space;
+ size_t length;
};
static krb5_error_code grow_find_authdata
(krb5_context context, struct find_authdata_context *fctx,
krb5_authdata *elem)
{
- krb5_error_code retval = 0;
- if (fctx->length == fctx->space) {
- krb5_authdata **new;
- if (fctx->space >= 256) {
- krb5_set_error_message(context, ERANGE, "More than 256 authdata matched a query");
- return ERANGE;
+ krb5_error_code retval = 0;
+ if (fctx->length == fctx->space) {
+ krb5_authdata **new;
+ if (fctx->space >= 256) {
+ krb5_set_error_message(context, ERANGE, "More than 256 authdata matched a query");
+ return ERANGE;
+ }
+ new = realloc(fctx->out,
+ sizeof (krb5_authdata *)*(2*fctx->space+1));
+ if (new == NULL)
+ return ENOMEM;
+ fctx->out = new;
+ fctx->space *=2;
}
- new = realloc(fctx->out,
- sizeof (krb5_authdata *)*(2*fctx->space+1));
- if (new == NULL)
- return ENOMEM;
- fctx->out = new;
- fctx->space *=2;
- }
- fctx->out[fctx->length+1] = NULL;
- retval = krb5_copy_authdatum(context, elem,
- &fctx->out[fctx->length]);
- if (retval == 0)
- fctx->length++;
- return retval;
+ fctx->out[fctx->length+1] = NULL;
+ retval = krb5_copy_authdatum(context, elem,
+ &fctx->out[fctx->length]);
+ if (retval == 0)
+ fctx->length++;
+ return retval;
}
-
-
+
+
static krb5_error_code find_authdata_1
(krb5_context context, krb5_authdata *const *in_authdat, krb5_authdatatype ad_type,
struct find_authdata_context *fctx)
{
- int i = 0;
- krb5_error_code retval=0;
-
- for (i = 0; in_authdat[i]; i++) {
- krb5_authdata *ad = in_authdat[i];
- if (ad->ad_type == ad_type && retval ==0)
- retval = grow_find_authdata(context, fctx, ad);
- else switch (ad->ad_type) {
- krb5_authdata **decoded_container;
- case KRB5_AUTHDATA_IF_RELEVANT:
- if (retval == 0)
- retval = krb5_decode_authdata_container( context, ad->ad_type, ad, &decoded_container);
- if (retval == 0) {
- retval = find_authdata_1(context,
- decoded_container, ad_type, fctx);
- krb5_free_authdata(context, decoded_container);
- }
- break;
- default:
- break;
+ int i = 0;
+ krb5_error_code retval=0;
+
+ for (i = 0; in_authdat[i]; i++) {
+ krb5_authdata *ad = in_authdat[i];
+ if (ad->ad_type == ad_type && retval ==0)
+ retval = grow_find_authdata(context, fctx, ad);
+ else switch (ad->ad_type) {
+ krb5_authdata **decoded_container;
+ case KRB5_AUTHDATA_IF_RELEVANT:
+ if (retval == 0)
+ retval = krb5_decode_authdata_container( context, ad->ad_type, ad, &decoded_container);
+ if (retval == 0) {
+ retval = find_authdata_1(context,
+ decoded_container, ad_type, fctx);
+ krb5_free_authdata(context, decoded_container);
+ }
+ break;
+ default:
+ break;
+ }
}
- }
- return retval;
+ return retval;
}
@@ -259,30 +260,30 @@ krb5_error_code krb5int_find_authdata
krb5_authdatatype ad_type,
krb5_authdata ***results)
{
- krb5_error_code retval = 0;
- struct find_authdata_context fctx;
- fctx.length = 0;
- fctx.space = 2;
- fctx.out = calloc(fctx.space+1, sizeof (krb5_authdata *));
- *results = NULL;
- if (fctx.out == NULL)
- return ENOMEM;
- if (ticket_authdata)
- retval = find_authdata_1( context, ticket_authdata, ad_type, &fctx);
- if ((retval==0) && ap_req_authdata)
- retval = find_authdata_1( context, ap_req_authdata, ad_type, &fctx);
- if ((retval== 0) && fctx.length)
- *results = fctx.out;
- else krb5_free_authdata(context, fctx.out);
- return retval;
+ krb5_error_code retval = 0;
+ struct find_authdata_context fctx;
+ fctx.length = 0;
+ fctx.space = 2;
+ fctx.out = calloc(fctx.space+1, sizeof (krb5_authdata *));
+ *results = NULL;
+ if (fctx.out == NULL)
+ return ENOMEM;
+ if (ticket_authdata)
+ retval = find_authdata_1( context, ticket_authdata, ad_type, &fctx);
+ if ((retval==0) && ap_req_authdata)
+ retval = find_authdata_1( context, ap_req_authdata, ad_type, &fctx);
+ if ((retval== 0) && fctx.length)
+ *results = fctx.out;
+ else krb5_free_authdata(context, fctx.out);
+ return retval;
}
krb5_error_code KRB5_CALLCONV
krb5_make_authdata_kdc_issued(krb5_context context,
- const krb5_keyblock *key,
- krb5_const_principal issuer,
- krb5_authdata *const *authdata,
- krb5_authdata ***ad_kdcissued)
+ const krb5_keyblock *key,
+ krb5_const_principal issuer,
+ krb5_authdata *const *authdata,
+ krb5_authdata ***ad_kdcissued)
{
krb5_error_code code;
krb5_ad_kdcissued ad_kdci;
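Review bot: Both `find_authdata_1` calls in krb5int_find_authdata pass the ticket and AP-REQ authorization data to a helper that recurses with no limit on nesting depth. The helper, shown in the preceding hunk, calls itself for every `KRB5_AUTHDATA_IF_RELEVANT` container it decodes. The AP-REQ authdata presumably originates from the peer, so I would carry a depth counter in `struct find_authdata_context` and return an error once a small bound is exceeded, which stops a deeply nested container from exhausting the stack. The start of krb5int_find_authdata's signature lies outside this hunk.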
@@ -337,10 +338,10 @@ krb5_make_authdata_kdc_issued(krb5_context context,
krb5_error_code KRB5_CALLCONV
krb5_verify_authdata_kdc_issued(krb5_context context,
- const krb5_keyblock *key,
- const krb5_authdata *ad_kdcissued,
- krb5_principal *issuer,
- krb5_authdata ***authdata)
+ const krb5_keyblock *key,
+ const krb5_authdata *ad_kdcissued,
+ krb5_principal *issuer,
+ krb5_authdata ***authdata)
{
krb5_error_code code;
krb5_ad_kdcissued *ad_kdci;
@@ -348,8 +349,8 @@ krb5_verify_authdata_kdc_issued(krb5_context context,
krb5_boolean valid = FALSE;
if ((ad_kdcissued->ad_type & AD_TYPE_FIELD_TYPE_MASK) !=
- KRB5_AUTHDATA_KDC_ISSUED)
- return EINVAL;
+ KRB5_AUTHDATA_KDC_ISSUED)
+ return EINVAL;
if (issuer != NULL)
*issuer = NULL;
@@ -399,4 +400,3 @@ krb5_verify_authdata_kdc_issued(krb5_context context,
return 0;
}
-
diff --git a/src/lib/krb5/krb/copy_cksum.c b/src/lib/krb5/krb/copy_cksum.c
index c7c1b161c8..68822d213e 100644
--- a/src/lib/krb5/krb/copy_cksum.c
+++ b/src/lib/krb5/krb/copy_cksum.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/copy_cksum.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_copy_checksum()
*/
@@ -35,12 +36,12 @@ krb5_copy_checksum(krb5_context context, const krb5_checksum *ckfrom, krb5_check
krb5_checksum *tempto;
if (!(tempto = (krb5_checksum *)malloc(sizeof(*tempto))))
- return ENOMEM;
+ return ENOMEM;
*tempto = *ckfrom;
if (!(tempto->contents = (krb5_octet *)malloc(tempto->length))) {
- free(tempto);
- return ENOMEM;
+ free(tempto);
+ return ENOMEM;
}
memcpy(tempto->contents, ckfrom->contents, ckfrom->length);
diff --git a/src/lib/krb5/krb/copy_creds.c b/src/lib/krb5/krb/copy_creds.c
index e6fece3839..0e1a814cc3 100644
--- a/src/lib/krb5/krb/copy_creds.c
+++ b/src/lib/krb5/krb/copy_creds.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/copy_creds.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_copy_cred()
*/
@@ -40,13 +41,13 @@ krb5_copy_creds(krb5_context context, const krb5_creds *incred, krb5_creds **out
krb5_error_code retval;
if (!(tempcred = (krb5_creds *)malloc(sizeof(*tempcred))))
- return ENOMEM;
+ return ENOMEM;
retval = krb5int_copy_creds_contents(context, incred, tempcred);
if (retval)
- free(tempcred);
+ free(tempcred);
else
- *outcred = tempcred;
+ *outcred = tempcred;
return retval;
}
@@ -58,7 +59,7 @@ krb5_copy_creds(krb5_context context, const krb5_creds *incred, krb5_creds **out
*/
krb5_error_code
krb5int_copy_creds_contents(krb5_context context, const krb5_creds *incred,
- krb5_creds *tempcred)
+ krb5_creds *tempcred)
{
krb5_error_code retval;
krb5_data *scratch;
@@ -66,25 +67,25 @@ krb5int_copy_creds_contents(krb5_context context, const krb5_creds *incred,
*tempcred = *incred;
retval = krb5_copy_principal(context, incred->client, &tempcred->client);
if (retval)
- goto cleanlast;
+ goto cleanlast;
retval = krb5_copy_principal(context, incred->server, &tempcred->server);
if (retval)
- goto cleanclient;
+ goto cleanclient;
retval = krb5_copy_keyblock_contents(context, &incred->keyblock,
- &tempcred->keyblock);
+ &tempcred->keyblock);
if (retval)
- goto cleanserver;
+ goto cleanserver;
retval = krb5_copy_addresses(context, incred->addresses, &tempcred->addresses);
if (retval)
- goto cleanblock;
+ goto cleanblock;
retval = krb5_copy_data(context, &incred->ticket, &scratch);
if (retval)
- goto cleanaddrs;
+ goto cleanaddrs;
tempcred->ticket = *scratch;
free(scratch);
retval = krb5_copy_data(context, &incred->second_ticket, &scratch);
if (retval)
- goto clearticket;
+ goto clearticket;
tempcred->second_ticket = *scratch;
free(scratch);
@@ -95,22 +96,22 @@ krb5int_copy_creds_contents(krb5_context context, const krb5_creds *incred,
return 0;
- clearsecondticket:
+clearsecondticket:
memset(tempcred->second_ticket.data,0,tempcred->second_ticket.length);
free(tempcred->second_ticket.data);
- clearticket:
+clearticket:
memset(tempcred->ticket.data,0,tempcred->ticket.length);
free(tempcred->ticket.data);
- cleanaddrs:
+cleanaddrs:
krb5_free_addresses(context, tempcred->addresses);
- cleanblock:
+cleanblock:
free(tempcred->keyblock.contents);
- cleanserver:
+cleanserver:
krb5_free_principal(context, tempcred->server);
- cleanclient:
+cleanclient:
krb5_free_principal(context, tempcred->client);
- cleanlast:
- /* Do not free tempcred - we did not allocate it - its contents are
+cleanlast:
+ /* Do not free tempcred - we did not allocate it - its contents are
garbage - but we should not free it */
return retval;
}
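Review bot: The `cleanblock:` path releases the copied session key with a bare `free(tempcred->keyblock.contents);`, so the key bytes remain in freed heap memory. The `memset(...); free(...)` pairs under `clearsecondticket:` and `clearticket:` are dead stores that a compiler may drop. I would release the key with `krb5_free_keyblock_contents(context, &tempcred->keyblock);` if that routine wipes before freeing (to be confirmed), and replace the plain `memset` calls with the library's `zap()` helper or another wipe that cannot be optimized away. The same memset-then-free pattern appears in `clean_scratch()` in decrypt_tk.c, where the buffer holds the decrypted ticket part, and in `cleanup_scratch()` and `cleanup_encpart()` in encode_kdc.c. krb5int_copy_creds_contents begins outside this hunk.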
diff --git a/src/lib/krb5/krb/copy_data.c b/src/lib/krb5/krb/copy_data.c
index 4896e8804f..fa4b6ed7cd 100644
--- a/src/lib/krb5/krb/copy_data.c
+++ b/src/lib/krb5/krb/copy_data.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/copy_data.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_copy_data()
*/
@@ -39,38 +40,38 @@ krb5_copy_data(krb5_context context, const krb5_data *indata, krb5_data **outdat
krb5_error_code retval;
if (!indata) {
- *outdata = 0;
- return 0;
+ *outdata = 0;
+ return 0;
}
-
+
if (!(tempdata = (krb5_data *)malloc(sizeof(*tempdata))))
- return ENOMEM;
+ return ENOMEM;
retval = krb5int_copy_data_contents(context, indata, tempdata);
if (retval) {
- free(tempdata);
- return retval;
+ free(tempdata);
+ return retval;
}
*outdata = tempdata;
return 0;
}
-krb5_error_code
+krb5_error_code
krb5int_copy_data_contents(krb5_context context, const krb5_data *indata, krb5_data *outdata)
{
if (!indata) {
- return EINVAL;
+ return EINVAL;
}
outdata->length = indata->length;
if (outdata->length) {
- if (!(outdata->data = malloc(outdata->length))) {
- return ENOMEM;
- }
- memcpy(outdata->data, indata->data, outdata->length);
+ if (!(outdata->data = malloc(outdata->length))) {
+ return ENOMEM;
+ }
+ memcpy(outdata->data, indata->data, outdata->length);
} else
- outdata->data = 0;
+ outdata->data = 0;
outdata->magic = KV5M_DATA;
return 0;
@@ -79,16 +80,16 @@ krb5int_copy_data_contents(krb5_context context, const krb5_data *indata, krb5_d
/* As above, but add an (uncounted) extra byte at the end to
null-terminate the data so it can be used as a standard C
string. */
-krb5_error_code
+krb5_error_code
krb5int_copy_data_contents_add0(krb5_context context, const krb5_data *indata, krb5_data *outdata)
{
if (!indata)
- return EINVAL;
+ return EINVAL;
outdata->length = indata->length;
if (!(outdata->data = malloc(outdata->length + 1)))
- return ENOMEM;
+ return ENOMEM;
if (outdata->length)
- memcpy(outdata->data, indata->data, outdata->length);
+ memcpy(outdata->data, indata->data, outdata->length);
outdata->data[outdata->length] = 0;
outdata->magic = KV5M_DATA;
diff --git a/src/lib/krb5/krb/copy_key.c b/src/lib/krb5/krb/copy_key.c
index 4772c58c16..532cced465 100644
--- a/src/lib/krb5/krb/copy_key.c
+++ b/src/lib/krb5/krb/copy_key.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/copy_key.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_copy_keyblock()
*/
diff --git a/src/lib/krb5/krb/copy_princ.c b/src/lib/krb5/krb/copy_princ.c
index 4e168b0029..b7badefa2b 100644
--- a/src/lib/krb5/krb/copy_princ.c
+++ b/src/lib/krb5/krb/copy_princ.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/copy_princ.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_copy_principal()
*/
@@ -41,7 +42,7 @@ krb5_copy_principal(krb5_context context, krb5_const_principal inprinc, krb5_pri
tempprinc = (krb5_principal)malloc(sizeof(krb5_principal_data));
if (tempprinc == 0)
- return ENOMEM;
+ return ENOMEM;
*tempprinc = *inprinc;
@@ -49,29 +50,29 @@ krb5_copy_principal(krb5_context context, krb5_const_principal inprinc, krb5_pri
tempprinc->data = malloc(nelems * sizeof(krb5_data));
if (tempprinc->data == 0) {
- free(tempprinc);
- return ENOMEM;
+ free(tempprinc);
+ return ENOMEM;
}
for (i = 0; i < nelems; i++) {
- if (krb5int_copy_data_contents(context,
- krb5_princ_component(context, inprinc, i),
- krb5_princ_component(context, tempprinc, i)) != 0) {
- while (--i >= 0)
- free(krb5_princ_component(context, tempprinc, i)->data);
- free (tempprinc->data);
- free (tempprinc);
- return ENOMEM;
+ if (krb5int_copy_data_contents(context,
+ krb5_princ_component(context, inprinc, i),
+ krb5_princ_component(context, tempprinc, i)) != 0) {
+ while (--i >= 0)
+ free(krb5_princ_component(context, tempprinc, i)->data);
+ free (tempprinc->data);
+ free (tempprinc);
+ return ENOMEM;
}
}
if (krb5int_copy_data_contents_add0(context, &inprinc->realm,
- &tempprinc->realm) != 0) {
+ &tempprinc->realm) != 0) {
for (i = 0; i < nelems; i++)
- free(krb5_princ_component(context, tempprinc, i)->data);
- free(tempprinc->data);
- free(tempprinc);
- return ENOMEM;
+ free(krb5_princ_component(context, tempprinc, i)->data);
+ free(tempprinc->data);
+ free(tempprinc);
+ return ENOMEM;
}
*outprinc = tempprinc;
diff --git a/src/lib/krb5/krb/copy_tick.c b/src/lib/krb5/krb/copy_tick.c
index 1dc3362d0c..1fd3e681cb 100644
--- a/src/lib/krb5/krb/copy_tick.c
+++ b/src/lib/krb5/krb/copy_tick.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/copy_tick.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_copy_ticket()
*/
@@ -36,56 +37,56 @@ krb5_copy_enc_tkt_part(krb5_context context, const krb5_enc_tkt_part *partfrom,
krb5_enc_tkt_part *tempto;
if (!(tempto = (krb5_enc_tkt_part *)malloc(sizeof(*tempto))))
- return ENOMEM;
+ return ENOMEM;
*tempto = *partfrom;
retval = krb5_copy_keyblock(context, partfrom->session,
- &tempto->session);
+ &tempto->session);
if (retval) {
- free(tempto);
- return retval;
+ free(tempto);
+ return retval;
}
retval = krb5_copy_principal(context, partfrom->client, &tempto->client);
if (retval) {
- krb5_free_keyblock(context, tempto->session);
- free(tempto);
- return retval;
+ krb5_free_keyblock(context, tempto->session);
+ free(tempto);
+ return retval;
}
tempto->transited = partfrom->transited;
if (tempto->transited.tr_contents.length == 0) {
- tempto->transited.tr_contents.data = 0;
+ tempto->transited.tr_contents.data = 0;
} else {
- tempto->transited.tr_contents.data =
- malloc(partfrom->transited.tr_contents.length);
- if (!tempto->transited.tr_contents.data) {
- krb5_free_principal(context, tempto->client);
- krb5_free_keyblock(context, tempto->session);
- free(tempto);
- return ENOMEM;
- }
- memcpy(tempto->transited.tr_contents.data,
- (char *)partfrom->transited.tr_contents.data,
- partfrom->transited.tr_contents.length);
+ tempto->transited.tr_contents.data =
+ malloc(partfrom->transited.tr_contents.length);
+ if (!tempto->transited.tr_contents.data) {
+ krb5_free_principal(context, tempto->client);
+ krb5_free_keyblock(context, tempto->session);
+ free(tempto);
+ return ENOMEM;
+ }
+ memcpy(tempto->transited.tr_contents.data,
+ (char *)partfrom->transited.tr_contents.data,
+ partfrom->transited.tr_contents.length);
}
retval = krb5_copy_addresses(context, partfrom->caddrs, &tempto->caddrs);
if (retval) {
- free(tempto->transited.tr_contents.data);
- krb5_free_principal(context, tempto->client);
- krb5_free_keyblock(context, tempto->session);
- free(tempto);
- return retval;
+ free(tempto->transited.tr_contents.data);
+ krb5_free_principal(context, tempto->client);
+ krb5_free_keyblock(context, tempto->session);
+ free(tempto);
+ return retval;
}
if (partfrom->authorization_data) {
- retval = krb5_copy_authdata(context, partfrom->authorization_data,
- &tempto->authorization_data);
- if (retval) {
- krb5_free_addresses(context, tempto->caddrs);
- free(tempto->transited.tr_contents.data);
- krb5_free_principal(context, tempto->client);
- krb5_free_keyblock(context, tempto->session);
- free(tempto);
- return retval;
- }
+ retval = krb5_copy_authdata(context, partfrom->authorization_data,
+ &tempto->authorization_data);
+ if (retval) {
+ krb5_free_addresses(context, tempto->caddrs);
+ free(tempto->transited.tr_contents.data);
+ krb5_free_principal(context, tempto->client);
+ krb5_free_keyblock(context, tempto->session);
+ free(tempto);
+ return retval;
+ }
}
*partto = tempto;
return 0;
@@ -99,28 +100,28 @@ krb5_copy_ticket(krb5_context context, const krb5_ticket *from, krb5_ticket **pt
krb5_data *scratch;
if (!(tempto = (krb5_ticket *)malloc(sizeof(*tempto))))
- return ENOMEM;
+ return ENOMEM;
*tempto = *from;
retval = krb5_copy_principal(context, from->server, &tempto->server);
if (retval) {
- free(tempto);
- return retval;
+ free(tempto);
+ return retval;
}
retval = krb5_copy_data(context, &from->enc_part.ciphertext, &scratch);
if (retval) {
- krb5_free_principal(context, tempto->server);
- free(tempto);
- return retval;
+ krb5_free_principal(context, tempto->server);
+ free(tempto);
+ return retval;
}
tempto->enc_part.ciphertext = *scratch;
free(scratch);
retval = krb5_copy_enc_tkt_part(context, from->enc_part2, &tempto->enc_part2);
if (retval) {
- free(tempto->enc_part.ciphertext.data);
- krb5_free_principal(context, tempto->server);
- free(tempto);
- return retval;
- }
+ free(tempto->enc_part.ciphertext.data);
+ krb5_free_principal(context, tempto->server);
+ free(tempto);
+ return retval;
+ }
*pto = tempto;
return 0;
}
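Review bot: krb5_copy_ticket passes `from->enc_part2` to krb5_copy_enc_tkt_part without a NULL check, and that function begins with `*tempto = *partfrom;`. If callers can pass a ticket whose encrypted part has not been decoded, so that enc_part2 is still NULL, this dereferences a null pointer. Guarding the call and its error block with `if (from->enc_part2 != NULL) {` is enough, because the earlier `*tempto = *from;` already leaves `tempto->enc_part2` NULL in that case. The declarations at the top of krb5_copy_ticket are outside the hunk.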
diff --git a/src/lib/krb5/krb/cp_key_cnt.c b/src/lib/krb5/krb/cp_key_cnt.c
index 74efb5ef1d..2f97dbd0cc 100644
--- a/src/lib/krb5/krb/cp_key_cnt.c
+++ b/src/lib/krb5/krb/cp_key_cnt.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/cp_key_cnt.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_copy_keyblock()
*/
diff --git a/src/lib/krb5/krb/decode_kdc.c b/src/lib/krb5/krb/decode_kdc.c
index 689e2a2419..19451eea44 100644
--- a/src/lib/krb5/krb/decode_kdc.c
+++ b/src/lib/krb5/krb/decode_kdc.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/decode_kdc.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_decode_kdc_rep() function.
*/
@@ -30,41 +31,40 @@
#include "k5-int.h"
/*
- Takes a KDC_REP message and decrypts encrypted part using etype and
- *key, putting result in *rep.
- dec_rep->client,ticket,session,last_req,server,caddrs
- are all set to allocated storage which should be freed by the caller
- when finished with the response.
+ Takes a KDC_REP message and decrypts encrypted part using etype and
+ *key, putting result in *rep.
+ dec_rep->client,ticket,session,last_req,server,caddrs
+ are all set to allocated storage which should be freed by the caller
+ when finished with the response.
- If the response isn't a KDC_REP (tgs or as), it returns an error from
- the decoding routines.
+ If the response isn't a KDC_REP (tgs or as), it returns an error from
+ the decoding routines.
- returns errors from encryption routines, system errors
- */
+ returns errors from encryption routines, system errors
+*/
krb5_error_code
krb5int_decode_tgs_rep(krb5_context context, krb5_data *enc_rep, const krb5_keyblock *key,
- krb5_keyusage usage, krb5_kdc_rep **dec_rep)
+ krb5_keyusage usage, krb5_kdc_rep **dec_rep)
{
krb5_error_code retval;
krb5_kdc_rep *local_dec_rep;
if (krb5_is_as_rep(enc_rep)) {
- retval = decode_krb5_as_rep(enc_rep, &local_dec_rep);
+ retval = decode_krb5_as_rep(enc_rep, &local_dec_rep);
} else if (krb5_is_tgs_rep(enc_rep)) {
- retval = decode_krb5_tgs_rep(enc_rep, &local_dec_rep);
+ retval = decode_krb5_tgs_rep(enc_rep, &local_dec_rep);
} else {
- return KRB5KRB_AP_ERR_MSG_TYPE;
+ return KRB5KRB_AP_ERR_MSG_TYPE;
}
if (retval)
- return retval;
+ return retval;
if ((retval = krb5_kdc_rep_decrypt_proc(context, key, &usage,
- local_dec_rep)))
- krb5_free_kdc_rep(context, local_dec_rep);
+ local_dec_rep)))
+ krb5_free_kdc_rep(context, local_dec_rep);
else
- *dec_rep = local_dec_rep;
+ *dec_rep = local_dec_rep;
return(retval);
}
-
diff --git a/src/lib/krb5/krb/decrypt_tk.c b/src/lib/krb5/krb/decrypt_tk.c
index 36ecbb45b5..c06353b9ed 100644
--- a/src/lib/krb5/krb/decrypt_tk.c
+++ b/src/lib/krb5/krb/decrypt_tk.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/decrypt_tk.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_decrypt_tkt_part() function.
*/
@@ -30,11 +31,11 @@
#include "k5-int.h"
/*
- Decrypts dec_ticket->enc_part
- using *srv_key, and places result in dec_ticket->enc_part2.
- The storage of dec_ticket->enc_part2 will be allocated before return.
+ Decrypts dec_ticket->enc_part
+ using *srv_key, and places result in dec_ticket->enc_part2.
+ The storage of dec_ticket->enc_part2 will be allocated before return.
- returns errors from encryption routines, system errors
+ returns errors from encryption routines, system errors
*/
@@ -46,27 +47,27 @@ krb5_decrypt_tkt_part(krb5_context context, const krb5_keyblock *srv_key, regist
krb5_error_code retval;
if (!krb5_c_valid_enctype(ticket->enc_part.enctype))
- return KRB5_PROG_ETYPE_NOSUPP;
+ return KRB5_PROG_ETYPE_NOSUPP;
scratch.length = ticket->enc_part.ciphertext.length;
if (!(scratch.data = malloc(ticket->enc_part.ciphertext.length)))
- return(ENOMEM);
+ return(ENOMEM);
/* call the encryption routine */
if ((retval = krb5_c_decrypt(context, srv_key,
- KRB5_KEYUSAGE_KDC_REP_TICKET, 0,
- &ticket->enc_part, &scratch))) {
- free(scratch.data);
- return retval;
+ KRB5_KEYUSAGE_KDC_REP_TICKET, 0,
+ &ticket->enc_part, &scratch))) {
+ free(scratch.data);
+ return retval;
}
-#define clean_scratch() {memset(scratch.data, 0, scratch.length); \
-free(scratch.data);}
+#define clean_scratch() {memset(scratch.data, 0, scratch.length); \
+ free(scratch.data);}
/* now decode the decrypted stuff */
retval = decode_krb5_enc_tkt_part(&scratch, &dec_tkt_part);
if (!retval) {
- ticket->enc_part2 = dec_tkt_part;
+ ticket->enc_part2 = dec_tkt_part;
}
clean_scratch();
return retval;
diff --git a/src/lib/krb5/krb/deltat.c b/src/lib/krb5/krb/deltat.c
index 2541591f89..36c0d0e95f 100644
--- a/src/lib/krb5/krb/deltat.c
+++ b/src/lib/krb5/krb/deltat.c
@@ -95,14 +95,14 @@ struct param {
#define MAX_MIN (MAX_TIME / 60)
#define MIN_MIN (MIN_TIME / 60)
-/* An explanation of the tests being performed.
- We do not want to overflow a 32 bit integer with out manipulations,
+/* An explanation of the tests being performed.
+ We do not want to overflow a 32 bit integer with out manipulations,
even for testing for overflow. Therefore we rely on the following:
The lex parser will not return a number > MAX_TIME (which is out 32
bit limit).
- Therefore, seconds (s) will require
+ Therefore, seconds (s) will require
MIN_TIME < s < MAX_TIME
For subsequent tests, the logic is as follows:
@@ -110,7 +110,7 @@ struct param {
If A < MAX_TIME and B < MAX_TIME
If we want to test if A+B < MAX_TIME, there are two cases
- if (A > 0)
+ if (A > 0)
then A + B < MAX_TIME if B < MAX_TIME - A
else A + B < MAX_TIME always.
@@ -131,7 +131,7 @@ struct param {
res = (a) + (b)
-#define OUT_D ((struct param *)tmv)->delta
+#define OUT_D ((struct param *)tmv)->delta
#define DO(D,H,M,S) \
{ \
/* Overflow testing - this does not handle negative values well.. */ \
@@ -1420,10 +1420,10 @@ mylex (krb5_int32 *intp, char **pp)
/* XXX assumes ASCII */
num = c - '0';
while (isdigit ((int) *P)) {
- if (num > MAX_TIME / 10)
+ if (num > MAX_TIME / 10)
return OVERFLOW;
num *= 10;
- if (num > MAX_TIME - (*P - '0'))
+ if (num > MAX_TIME - (*P - '0'))
return OVERFLOW;
num += *P++ - '0';
}
@@ -1451,5 +1451,3 @@ krb5_string_to_deltat(char *string, krb5_deltat *deltatp)
*deltatp = p.delta;
return 0;
}
-
-
diff --git a/src/lib/krb5/krb/enc_helper.c b/src/lib/krb5/krb/enc_helper.c
index 01324d0147..41d2f00f7c 100644
--- a/src/lib/krb5/krb/enc_helper.c
+++ b/src/lib/krb5/krb/enc_helper.c
@@ -1,13 +1,14 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* Copyright (C) 1998 by the FundsXpress, INC.
- *
+ *
* All rights reserved.
- *
+ *
* Export of this software from the United States of America may require
* a specific license from the United States Government. It is the
* responsibility of any person or organization contemplating export to
* obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -18,7 +19,7 @@
* permission. FundsXpress makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
@@ -33,24 +34,24 @@ krb5_encrypt_helper(krb5_context context, const krb5_keyblock *key, krb5_keyusag
size_t enclen;
if ((ret = krb5_c_encrypt_length(context, key->enctype, plain->length,
- &enclen)))
- return(ret);
+ &enclen)))
+ return(ret);
cipher->ciphertext.length = enclen;
if ((cipher->ciphertext.data = (char *) malloc(enclen)) == NULL)
- return(ENOMEM);
+ return(ENOMEM);
ret = krb5_c_encrypt(context, key, usage, 0, plain, cipher);
if (ret) {
- free(cipher->ciphertext.data);
- cipher->ciphertext.data = NULL;
+ free(cipher->ciphertext.data);
+ cipher->ciphertext.data = NULL;
}
return(ret);
}
-
+
krb5_error_code
krb5_encrypt_keyhelper(krb5_context context, krb5_key key, krb5_keyusage usage,
- const krb5_data *plain, krb5_enc_data *cipher)
+ const krb5_data *plain, krb5_enc_data *cipher)
{
krb5_enctype enctype;
krb5_error_code ret;
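Review bot: On the `krb5_c_encrypt` failure path the buffer is freed and `cipher->ciphertext.data` is set to NULL, but `cipher->ciphertext.length` still holds `enclen`. The caller therefore gets back a krb5_enc_data that claims a non-zero length over a NULL pointer. Adding `cipher->ciphertext.length = 0;` next to the NULL assignment keeps the two fields consistent for any later code that wipes or copies by length. The failure path of krb5_encrypt_keyhelper in the next hunk has the same gap. The declarations at the top of krb5_encrypt_helper are outside this hunk.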
@@ -59,16 +60,16 @@ krb5_encrypt_keyhelper(krb5_context context, krb5_key key, krb5_keyusage usage,
enctype = krb5_k_key_enctype(context, key);
ret = krb5_c_encrypt_length(context, enctype, plain->length, &enclen);
if (ret != 0)
- return ret;
+ return ret;
cipher->ciphertext.length = enclen;
cipher->ciphertext.data = malloc(enclen);
if (cipher->ciphertext.data == NULL)
- return ENOMEM;
+ return ENOMEM;
ret = krb5_k_encrypt(context, key, usage, 0, plain, cipher);
if (ret) {
- free(cipher->ciphertext.data);
- cipher->ciphertext.data = NULL;
+ free(cipher->ciphertext.data);
+ cipher->ciphertext.data = NULL;
}
return ret;
diff --git a/src/lib/krb5/krb/encode_kdc.c b/src/lib/krb5/krb/encode_kdc.c
index 8b879c0159..c86bd4cd5b 100644
--- a/src/lib/krb5/krb/encode_kdc.c
+++ b/src/lib/krb5/krb/encode_kdc.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/encode_kdc.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_encode_kdc_rep() function.
*/
@@ -30,24 +31,24 @@
#include "k5-int.h"
/*
- Takes KDC rep parts in *rep and *encpart, and formats it into *enc_rep,
- using message type type and encryption key client_key and encryption type
- etype.
+ Takes KDC rep parts in *rep and *encpart, and formats it into *enc_rep,
+ using message type type and encryption key client_key and encryption type
+ etype.
- The string *enc_rep will be allocated before formatting; the caller should
- free when finished.
+ The string *enc_rep will be allocated before formatting; the caller should
+ free when finished.
- returns system errors
+ returns system errors
- dec_rep->enc_part.ciphertext is allocated and filled in.
+ dec_rep->enc_part.ciphertext is allocated and filled in.
*/
/* due to argument promotion rules, we need to use the DECLARG/OLDDECLARG
stuff... */
krb5_error_code
krb5_encode_kdc_rep(krb5_context context, krb5_msgtype type,
- const krb5_enc_kdc_rep_part *encpart,
- int using_subkey, const krb5_keyblock *client_key,
- krb5_kdc_rep *dec_rep, krb5_data **enc_rep)
+ const krb5_enc_kdc_rep_part *encpart,
+ int using_subkey, const krb5_keyblock *client_key,
+ krb5_kdc_rep *dec_rep, krb5_data **enc_rep)
{
krb5_data *scratch;
krb5_error_code retval;
@@ -55,27 +56,27 @@ krb5_encode_kdc_rep(krb5_context context, krb5_msgtype type,
krb5_keyusage usage;
if (!krb5_c_valid_enctype(dec_rep->enc_part.enctype))
- return KRB5_PROG_ETYPE_NOSUPP;
+ return KRB5_PROG_ETYPE_NOSUPP;
switch (type) {
case KRB5_AS_REP:
- usage = KRB5_KEYUSAGE_AS_REP_ENCPART;
- break;
+ usage = KRB5_KEYUSAGE_AS_REP_ENCPART;
+ break;
case KRB5_TGS_REP:
- if (using_subkey)
- usage = KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY;
- else
- usage = KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY;
- break;
+ if (using_subkey)
+ usage = KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY;
+ else
+ usage = KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY;
+ break;
default:
- return KRB5_BADMSGTYPE;
+ return KRB5_BADMSGTYPE;
}
/*
* We don't want to modify encpart, but we need to be able to pass
* in the message type to the encoder, so it can set the ASN.1
* type correct.
- *
+ *
* Although note that it may be doing nothing with the message
* type, to be compatible with old versions of Kerberos that always
* encode this as a TGS_REP regardly of what it really should be;
@@ -88,41 +89,41 @@ krb5_encode_kdc_rep(krb5_context context, krb5_msgtype type,
tmp_encpart.msg_type = type;
retval = encode_krb5_enc_kdc_rep_part(&tmp_encpart, &scratch);
if (retval) {
- return retval;
+ return retval;
}
memset(&tmp_encpart, 0, sizeof(tmp_encpart));
#define cleanup_scratch() { (void) memset(scratch->data, 0, scratch->length); \
-krb5_free_data(context, scratch); }
+ krb5_free_data(context, scratch); }
retval = krb5_encrypt_helper(context, client_key, usage, scratch,
- &dec_rep->enc_part);
+ &dec_rep->enc_part);
-#define cleanup_encpart() { \
-(void) memset(dec_rep->enc_part.ciphertext.data, 0, \
- dec_rep->enc_part.ciphertext.length); \
-free(dec_rep->enc_part.ciphertext.data); \
-dec_rep->enc_part.ciphertext.length = 0; \
-dec_rep->enc_part.ciphertext.data = 0;}
+#define cleanup_encpart() { \
+ (void) memset(dec_rep->enc_part.ciphertext.data, 0, \
+ dec_rep->enc_part.ciphertext.length); \
+ free(dec_rep->enc_part.ciphertext.data); \
+ dec_rep->enc_part.ciphertext.length = 0; \
+ dec_rep->enc_part.ciphertext.data = 0;}
cleanup_scratch();
if (retval)
- return(retval);
+ return(retval);
/* now it's ready to be encoded for the wire! */
switch (type) {
case KRB5_AS_REP:
- retval = encode_krb5_as_rep(dec_rep, enc_rep);
- break;
+ retval = encode_krb5_as_rep(dec_rep, enc_rep);
+ break;
case KRB5_TGS_REP:
- retval = encode_krb5_tgs_rep(dec_rep, enc_rep);
- break;
+ retval = encode_krb5_tgs_rep(dec_rep, enc_rep);
+ break;
}
if (retval)
- cleanup_encpart();
+ cleanup_encpart();
return retval;
}
diff --git a/src/lib/krb5/krb/encrypt_tk.c b/src/lib/krb5/krb/encrypt_tk.c
index ed2b8c1b80..acf9c6fa40 100644
--- a/src/lib/krb5/krb/encrypt_tk.c
+++ b/src/lib/krb5/krb/encrypt_tk.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/encrypt_tk.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_encrypt_tkt_part() routine.
*/
@@ -30,15 +31,15 @@
#include "k5-int.h"
/*
- Takes unencrypted dec_ticket & dec_tkt_part, encrypts with
- dec_ticket->enc_part.etype
- using *srv_key, and places result in dec_ticket->enc_part.
- The string dec_ticket->enc_part.ciphertext will be allocated before
- formatting.
+ Takes unencrypted dec_ticket & dec_tkt_part, encrypts with
+ dec_ticket->enc_part.etype
+ using *srv_key, and places result in dec_ticket->enc_part.
+ The string dec_ticket->enc_part.ciphertext will be allocated before
+ formatting.
- returns errors from encryption routines, system errors
+ returns errors from encryption routines, system errors
- enc_part->ciphertext.data allocated & filled in with encrypted stuff
+ enc_part->ciphertext.data allocated & filled in with encrypted stuff
*/
krb5_error_code
@@ -50,16 +51,16 @@ krb5_encrypt_tkt_part(krb5_context context, const krb5_keyblock *srv_key, regist
/* start by encoding the to-be-encrypted part. */
if ((retval = encode_krb5_enc_tkt_part(dec_tkt_part, &scratch))) {
- return retval;
+ return retval;
}
#define cleanup_scratch() { (void) memset(scratch->data, 0, scratch->length); \
-krb5_free_data(context, scratch); }
+ krb5_free_data(context, scratch); }
/* call the encryption routine */
retval = krb5_encrypt_helper(context, srv_key,
- KRB5_KEYUSAGE_KDC_REP_TICKET, scratch,
- &dec_ticket->enc_part);
+ KRB5_KEYUSAGE_KDC_REP_TICKET, scratch,
+ &dec_ticket->enc_part);
cleanup_scratch();
diff --git a/src/lib/krb5/krb/fast.c b/src/lib/krb5/krb/fast.c
index 381173d5c8..ae5602cde6 100644
--- a/src/lib/krb5/krb/fast.c
+++ b/src/lib/krb5/krb/fast.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/fast.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,8 +23,8 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
- *
+ *
+ *
*
*/
@@ -66,65 +67,65 @@ static krb5_error_code fast_armor_ap_request
memset(&creds, 0, sizeof(creds));
retval = krb5_tgtname(context, target_realm, target_realm, &creds.server);
if (retval ==0)
- retval = krb5_cc_get_principal(context, ccache, &creds.client);
+ retval = krb5_cc_get_principal(context, ccache, &creds.client);
if (retval == 0)
- retval = krb5_get_credentials(context, 0, ccache, &creds, &out_creds);
+ retval = krb5_get_credentials(context, 0, ccache, &creds, &out_creds);
if (retval == 0)
- retval = krb5_mk_req_extended(context, &authcontext, AP_OPTS_USE_SUBKEY, NULL /*data*/,
- out_creds, &encoded_authenticator);
+ retval = krb5_mk_req_extended(context, &authcontext, AP_OPTS_USE_SUBKEY, NULL /*data*/,
+ out_creds, &encoded_authenticator);
if (retval == 0)
- retval = krb5_auth_con_getsendsubkey(context, authcontext, &subkey);
+ retval = krb5_auth_con_getsendsubkey(context, authcontext, &subkey);
if (retval == 0)
- retval = krb5_c_fx_cf2_simple(context, subkey, "subkeyarmor",
- &out_creds->keyblock, "ticketarmor", &armor_key);
+ retval = krb5_c_fx_cf2_simple(context, subkey, "subkeyarmor",
+ &out_creds->keyblock, "ticketarmor", &armor_key);
if (retval == 0) {
- armor = calloc(1, sizeof(krb5_fast_armor));
- if (armor == NULL)
- retval = ENOMEM;
+ armor = calloc(1, sizeof(krb5_fast_armor));
+ if (armor == NULL)
+ retval = ENOMEM;
}
if (retval == 0) {
- armor->armor_type = KRB5_FAST_ARMOR_AP_REQUEST;
- armor->armor_value = encoded_authenticator;
- encoded_authenticator.data = NULL;
- encoded_authenticator.length = 0;
- state->armor = armor;
- armor = NULL;
- state->armor_key = armor_key;
- armor_key = NULL;
+ armor->armor_type = KRB5_FAST_ARMOR_AP_REQUEST;
+ armor->armor_value = encoded_authenticator;
+ encoded_authenticator.data = NULL;
+ encoded_authenticator.length = 0;
+ state->armor = armor;
+ armor = NULL;
+ state->armor_key = armor_key;
+ armor_key = NULL;
}
krb5_free_keyblock(context, armor_key);
krb5_free_keyblock(context, subkey);
if (out_creds)
- krb5_free_creds(context, out_creds);
+ krb5_free_creds(context, out_creds);
krb5_free_cred_contents(context, &creds);
if (encoded_authenticator.data)
- krb5_free_data_contents(context, &encoded_authenticator);
+ krb5_free_data_contents(context, &encoded_authenticator);
krb5_auth_con_free(context, authcontext);
return retval;
}
krb5_error_code
krb5int_fast_prep_req_body(krb5_context context, struct krb5int_fast_request_state *state,
- krb5_kdc_req *request, krb5_data **encoded_request_body)
+ krb5_kdc_req *request, krb5_data **encoded_request_body)
{
krb5_error_code retval = 0;
krb5_data *local_encoded_request_body = NULL;
assert(state != NULL);
*encoded_request_body = NULL;
if (state->armor_key == NULL) {
- return encode_krb5_kdc_req_body(request, encoded_request_body);
+ return encode_krb5_kdc_req_body(request, encoded_request_body);
}
state->fast_outer_request = *request;
state->fast_outer_request.padata = NULL;
if (retval == 0)
- retval = encode_krb5_kdc_req_body(&state->fast_outer_request,
- &local_encoded_request_body);
+ retval = encode_krb5_kdc_req_body(&state->fast_outer_request,
+ &local_encoded_request_body);
if (retval == 0) {
- *encoded_request_body = local_encoded_request_body;
- local_encoded_request_body = NULL;
+ *encoded_request_body = local_encoded_request_body;
+ local_encoded_request_body = NULL;
}
if (local_encoded_request_body != NULL)
- krb5_free_data(context, local_encoded_request_body);
+ krb5_free_data(context, local_encoded_request_body);
return retval;
}
@@ -137,31 +138,31 @@ krb5_error_code krb5int_fast_as_armor
krb5_ccache ccache = NULL;
krb5_clear_error_message(context);
if (opte->opt_private->fast_ccache_name) {
- retval = krb5_cc_resolve(context, opte->opt_private->fast_ccache_name,
- &ccache);
- if (retval==0)
- retval = fast_armor_ap_request(context, state, ccache,
- krb5_princ_realm(context, request->server));
- if (retval != 0) {
- const char * errmsg;
- errmsg = krb5_get_error_message(context, retval);
- if (errmsg) {
- krb5_set_error_message(context, retval, "%s constructing AP-REQ armor", errmsg);
- krb5_free_error_message(context, errmsg);
- }
- }
+ retval = krb5_cc_resolve(context, opte->opt_private->fast_ccache_name,
+ &ccache);
+ if (retval==0)
+ retval = fast_armor_ap_request(context, state, ccache,
+ krb5_princ_realm(context, request->server));
+ if (retval != 0) {
+ const char * errmsg;
+ errmsg = krb5_get_error_message(context, retval);
+ if (errmsg) {
+ krb5_set_error_message(context, retval, "%s constructing AP-REQ armor", errmsg);
+ krb5_free_error_message(context, errmsg);
+ }
+ }
}
if (ccache)
- krb5_cc_close(context, ccache);
+ krb5_cc_close(context, ccache);
return retval;
}
-krb5_error_code
+krb5_error_code
krb5int_fast_prep_req (krb5_context context, struct krb5int_fast_request_state *state,
- krb5_kdc_req *request,
- const krb5_data *to_be_checksummed, kdc_req_encoder_proc encoder,
- krb5_data **encoded_request)
+ krb5_kdc_req *request,
+ const krb5_data *to_be_checksummed, kdc_req_encoder_proc encoder,
+ krb5_data **encoded_request)
{
krb5_error_code retval = 0;
krb5_pa_data *pa_array[2];
@@ -180,68 +181,68 @@ krb5int_fast_prep_req (krb5_context context, struct krb5int_fast_request_state *
assert(state->fast_outer_request.padata == NULL);
memset(pa_array, 0, sizeof pa_array);
if (state->armor_key == NULL) {
- return encoder(request, encoded_request);
+ return encoder(request, encoded_request);
}
/* Fill in a fresh random nonce for each inner request*/
- random_data.length = 4;
- random_data.data = (char *)random_buf;
- retval = krb5_c_random_make_octets(context, &random_data);
- if (retval == 0) {
- request->nonce = 0x7fffffff & load_32_n(random_buf);
- state->nonce = request->nonce;
- }
+ random_data.length = 4;
+ random_data.data = (char *)random_buf;
+ retval = krb5_c_random_make_octets(context, &random_data);
+ if (retval == 0) {
+ request->nonce = 0x7fffffff & load_32_n(random_buf);
+ state->nonce = request->nonce;
+ }
fast_req.req_body = request;
if (fast_req.req_body->padata == NULL) {
- fast_req.req_body->padata = calloc(1, sizeof(krb5_pa_data *));
- if (fast_req.req_body->padata == NULL)
- retval = ENOMEM;
+ fast_req.req_body->padata = calloc(1, sizeof(krb5_pa_data *));
+ if (fast_req.req_body->padata == NULL)
+ retval = ENOMEM;
}
fast_req.fast_options = state->fast_options;
if (retval == 0)
- retval = encode_krb5_fast_req(&fast_req, &encoded_fast_req);
+ retval = encode_krb5_fast_req(&fast_req, &encoded_fast_req);
if (retval == 0) {
- armored_req = calloc(1, sizeof(krb5_fast_armored_req));
- if (armored_req == NULL)
- retval = ENOMEM;
+ armored_req = calloc(1, sizeof(krb5_fast_armored_req));
+ if (armored_req == NULL)
+ retval = ENOMEM;
}
if (retval == 0)
- armored_req->armor = state->armor;
+ armored_req->armor = state->armor;
if (retval == 0)
- retval = krb5int_c_mandatory_cksumtype(context, state->armor_key->enctype,
- &cksumtype);
+ retval = krb5int_c_mandatory_cksumtype(context, state->armor_key->enctype,
+ &cksumtype);
if (retval ==0)
- retval = krb5_c_make_checksum(context, cksumtype, state->armor_key,
- KRB5_KEYUSAGE_FAST_REQ_CHKSUM, to_be_checksummed,
- &armored_req->req_checksum);
+ retval = krb5_c_make_checksum(context, cksumtype, state->armor_key,
+ KRB5_KEYUSAGE_FAST_REQ_CHKSUM, to_be_checksummed,
+ &armored_req->req_checksum);
if (retval == 0)
- retval = krb5_encrypt_helper(context, state->armor_key,
- KRB5_KEYUSAGE_FAST_ENC, encoded_fast_req,
- &armored_req->enc_part);
+ retval = krb5_encrypt_helper(context, state->armor_key,
+ KRB5_KEYUSAGE_FAST_ENC, encoded_fast_req,
+ &armored_req->enc_part);
if (retval == 0)
- retval = encode_krb5_pa_fx_fast_request(armored_req, &encoded_armored_req);
+ retval = encode_krb5_pa_fx_fast_request(armored_req, &encoded_armored_req);
if (retval==0) {
- pa[0].pa_type = KRB5_PADATA_FX_FAST;
- pa[0].contents = (unsigned char *) encoded_armored_req->data;
- pa[0].length = encoded_armored_req->length;
- pa_array[0] = &pa[0];
+ pa[0].pa_type = KRB5_PADATA_FX_FAST;
+ pa[0].contents = (unsigned char *) encoded_armored_req->data;
+ pa[0].length = encoded_armored_req->length;
+ pa_array[0] = &pa[0];
}
state->fast_outer_request.padata = pa_array;
if(retval == 0)
- retval = encoder(&state->fast_outer_request, &local_encoded_result);
+ retval = encoder(&state->fast_outer_request, &local_encoded_result);
if (retval == 0) {
- *encoded_request = local_encoded_result;
- local_encoded_result = NULL;
+ *encoded_request = local_encoded_result;
+ local_encoded_result = NULL;
}
if (encoded_armored_req)
- krb5_free_data(context, encoded_armored_req);
+ krb5_free_data(context, encoded_armored_req);
if (armored_req) {
- armored_req->armor = NULL; /*owned by state*/
- krb5_free_fast_armored_req(context, armored_req);
+ armored_req->armor = NULL; /*owned by state*/
+ krb5_free_fast_armored_req(context, armored_req);
}
if (encoded_fast_req)
- krb5_free_data(context, encoded_fast_req);
+ krb5_free_data(context, encoded_fast_req);
if (local_encoded_result)
- krb5_free_data(context, local_encoded_result);
+ krb5_free_data(context, local_encoded_result);
state->fast_outer_request.padata = NULL;
return retval;
}
@@ -258,49 +259,49 @@ static krb5_error_code decrypt_fast_reply
krb5_fast_response *local_resp = NULL;
assert(state != NULL);
assert(state->armor_key);
- fx_reply = krb5int_find_pa_data(context, in_padata, KRB5_PADATA_FX_FAST);
+ fx_reply = krb5int_find_pa_data(context, in_padata, KRB5_PADATA_FX_FAST);
if (fx_reply == NULL)
- retval = KRB5_ERR_FAST_REQUIRED;
+ retval = KRB5_ERR_FAST_REQUIRED;
if (retval == 0) {
- scratch.data = (char *) fx_reply->contents;
- scratch.length = fx_reply->length;
- retval = decode_krb5_pa_fx_fast_reply(&scratch, &encrypted_response);
+ scratch.data = (char *) fx_reply->contents;
+ scratch.length = fx_reply->length;
+ retval = decode_krb5_pa_fx_fast_reply(&scratch, &encrypted_response);
}
scratch.data = NULL;
if (retval == 0) {
- scratch.data = malloc(encrypted_response->ciphertext.length);
- if (scratch.data == NULL)
- retval = ENOMEM;
- scratch.length = encrypted_response->ciphertext.length;
+ scratch.data = malloc(encrypted_response->ciphertext.length);
+ if (scratch.data == NULL)
+ retval = ENOMEM;
+ scratch.length = encrypted_response->ciphertext.length;
}
if (retval == 0)
- retval = krb5_c_decrypt(context, state->armor_key,
- KRB5_KEYUSAGE_FAST_REP, NULL,
- encrypted_response, &scratch);
+ retval = krb5_c_decrypt(context, state->armor_key,
+ KRB5_KEYUSAGE_FAST_REP, NULL,
+ encrypted_response, &scratch);
if (retval != 0) {
- const char * errmsg;
- errmsg = krb5_get_error_message(context, retval);
- krb5_set_error_message(context, retval, "%s while decrypting FAST reply", errmsg);
- krb5_free_error_message(context, errmsg);
+ const char * errmsg;
+ errmsg = krb5_get_error_message(context, retval);
+ krb5_set_error_message(context, retval, "%s while decrypting FAST reply", errmsg);
+ krb5_free_error_message(context, errmsg);
}
if (retval == 0)
- retval = decode_krb5_fast_response(&scratch, &local_resp);
+ retval = decode_krb5_fast_response(&scratch, &local_resp);
if (retval == 0) {
- if (local_resp->nonce != state->nonce) {
- retval = KRB5_KDCREP_MODIFIED;
- krb5_set_error_message(context, retval, "nonce modified in FAST response: KDC response modified");
- }
+ if (local_resp->nonce != state->nonce) {
+ retval = KRB5_KDCREP_MODIFIED;
+ krb5_set_error_message(context, retval, "nonce modified in FAST response: KDC response modified");
+ }
}
if (retval == 0) {
- *response = local_resp;
- local_resp = NULL;
+ *response = local_resp;
+ local_resp = NULL;
}
if (scratch.data)
- free(scratch.data);
+ free(scratch.data);
if (encrypted_response)
- krb5_free_enc_data(context, encrypted_response);
+ krb5_free_enc_data(context, encrypted_response);
if (local_resp)
- krb5_free_fast_response(context, local_resp);
+ krb5_free_fast_response(context, local_resp);
return retval;
}
@@ -319,91 +320,91 @@ static krb5_error_code decrypt_fast_reply
*/
krb5_error_code
krb5int_fast_process_error(krb5_context context, struct krb5int_fast_request_state *state,
- krb5_error **err_replyptr , krb5_pa_data ***out_padata,
- krb5_boolean *retry)
+ krb5_error **err_replyptr , krb5_pa_data ***out_padata,
+ krb5_boolean *retry)
{
krb5_error_code retval = 0;
krb5_error *err_reply = *err_replyptr;
*out_padata = NULL;
*retry = 0;
if (state->armor_key) {
- krb5_pa_data *fx_error_pa;
- krb5_pa_data **result = NULL;
- krb5_data scratch, *encoded_td = NULL;
- krb5_error *fx_error = NULL;
- krb5_fast_response *fast_response = NULL;
- retval = decode_krb5_padata_sequence(&err_reply->e_data, &result);
- if (retval == 0)
- retval = decrypt_fast_reply(context, state, result, &fast_response);
- if (retval) {
- /*This can happen if the KDC does not understand FAST. We
- * don't expect that, but treating it as the fatal error
- * indicated by the KDC seems reasonable.
- */
- *retry = 0;
- krb5_free_pa_data(context, result);
- return 0;
- }
- krb5_free_pa_data(context, result);
- result = NULL;
- if (retval == 0) {
- fx_error_pa = krb5int_find_pa_data(context, fast_response->padata, KRB5_PADATA_FX_ERROR);
- if (fx_error_pa == NULL) {
- krb5_set_error_message(context, KRB5KDC_ERR_PREAUTH_FAILED, "Expecting FX_ERROR pa-data inside FAST container");
- retval = KRB5KDC_ERR_PREAUTH_FAILED;
- }
- }
- if (retval == 0) {
- scratch.data = (char *) fx_error_pa->contents;
- scratch.length = fx_error_pa->length;
- retval = decode_krb5_error(&scratch, &fx_error);
- }
- /*
- * krb5_pa_data and krb5_typed_data are safe to cast between:
- * they have the same type fields in the same order.
- * (krb5_preauthtype is a krb5_int32). If krb5_typed_data is
- * ever changed then this will need to be a copy not a cast.
- */
- if (retval == 0)
- retval = encode_krb5_typed_data( (krb5_typed_data **) fast_response->padata,
- &encoded_td);
- if (retval == 0) {
- fx_error->e_data = *encoded_td;
- free(encoded_td); /*contents owned by fx_error*/
- encoded_td = NULL;
- krb5_free_error(context, err_reply);
- *err_replyptr = fx_error;
- fx_error = NULL;
- *out_padata = fast_response->padata;
- fast_response->padata = NULL;
- /*
- * If there is more than the fx_error padata, then we want
- * to retry the error if a cookie is present
- */
- *retry = (*out_padata)[1] != NULL;
- if (krb5int_find_pa_data(context, *out_padata, KRB5_PADATA_FX_COOKIE) == NULL)
- *retry = 0;
- }
- if (fx_error)
- krb5_free_error(context, fx_error);
- krb5_free_fast_response(context, fast_response);
+ krb5_pa_data *fx_error_pa;
+ krb5_pa_data **result = NULL;
+ krb5_data scratch, *encoded_td = NULL;
+ krb5_error *fx_error = NULL;
+ krb5_fast_response *fast_response = NULL;
+ retval = decode_krb5_padata_sequence(&err_reply->e_data, &result);
+ if (retval == 0)
+ retval = decrypt_fast_reply(context, state, result, &fast_response);
+ if (retval) {
+ /*This can happen if the KDC does not understand FAST. We
+ * don't expect that, but treating it as the fatal error
+ * indicated by the KDC seems reasonable.
+ */
+ *retry = 0;
+ krb5_free_pa_data(context, result);
+ return 0;
+ }
+ krb5_free_pa_data(context, result);
+ result = NULL;
+ if (retval == 0) {
+ fx_error_pa = krb5int_find_pa_data(context, fast_response->padata, KRB5_PADATA_FX_ERROR);
+ if (fx_error_pa == NULL) {
+ krb5_set_error_message(context, KRB5KDC_ERR_PREAUTH_FAILED, "Expecting FX_ERROR pa-data inside FAST container");
+ retval = KRB5KDC_ERR_PREAUTH_FAILED;
+ }
+ }
+ if (retval == 0) {
+ scratch.data = (char *) fx_error_pa->contents;
+ scratch.length = fx_error_pa->length;
+ retval = decode_krb5_error(&scratch, &fx_error);
+ }
+ /*
+ * krb5_pa_data and krb5_typed_data are safe to cast between:
+ * they have the same type fields in the same order.
+ * (krb5_preauthtype is a krb5_int32). If krb5_typed_data is
+ * ever changed then this will need to be a copy not a cast.
+ */
+ if (retval == 0)
+ retval = encode_krb5_typed_data( (krb5_typed_data **) fast_response->padata,
+ &encoded_td);
+ if (retval == 0) {
+ fx_error->e_data = *encoded_td;
+ free(encoded_td); /*contents owned by fx_error*/
+ encoded_td = NULL;
+ krb5_free_error(context, err_reply);
+ *err_replyptr = fx_error;
+ fx_error = NULL;
+ *out_padata = fast_response->padata;
+ fast_response->padata = NULL;
+ /*
+ * If there is more than the fx_error padata, then we want
+ * to retry the error if a cookie is present
+ */
+ *retry = (*out_padata)[1] != NULL;
+ if (krb5int_find_pa_data(context, *out_padata, KRB5_PADATA_FX_COOKIE) == NULL)
+ *retry = 0;
+ }
+ if (fx_error)
+ krb5_free_error(context, fx_error);
+ krb5_free_fast_response(context, fast_response);
} else { /*not FAST*/
- *retry = (err_reply->e_data.length > 0);
- if ((err_reply->error == KDC_ERR_PREAUTH_REQUIRED
- ||err_reply->error == KDC_ERR_PREAUTH_FAILED) && err_reply->e_data.length) {
- krb5_pa_data **result = NULL;
- retval = decode_krb5_padata_sequence(&err_reply->e_data, &result);
- if (retval == 0)
- if (retval == 0) {
- *out_padata = result;
+ *retry = (err_reply->e_data.length > 0);
+ if ((err_reply->error == KDC_ERR_PREAUTH_REQUIRED
+ ||err_reply->error == KDC_ERR_PREAUTH_FAILED) && err_reply->e_data.length) {
+ krb5_pa_data **result = NULL;
+ retval = decode_krb5_padata_sequence(&err_reply->e_data, &result);
+ if (retval == 0)
+ if (retval == 0) {
+ *out_padata = result;
- return 0;
- }
- krb5_free_pa_data(context, result);
- krb5_set_error_message(context, retval,
- "Error decoding padata in error reply");
- return retval;
- }
+ return 0;
+ }
+ krb5_free_pa_data(context, result);
+ krb5_set_error_message(context, retval,
+ "Error decoding padata in error reply");
+ return retval;
+ }
}
return retval;
}
@@ -421,61 +422,61 @@ krb5_error_code krb5int_fast_process_response
krb5_clear_error_message(context);
*strengthen_key = NULL;
if (state->armor_key == 0)
- return 0;
- retval = decrypt_fast_reply(context, state, resp->padata,
- &fast_response);
+ return 0;
+ retval = decrypt_fast_reply(context, state, resp->padata,
+ &fast_response);
if (retval == 0) {
- if (fast_response->finished == 0) {
- retval = KRB5_KDCREP_MODIFIED;
- krb5_set_error_message(context, retval, "FAST response missing finish message in KDC reply");
- }
+ if (fast_response->finished == 0) {
+ retval = KRB5_KDCREP_MODIFIED;
+ krb5_set_error_message(context, retval, "FAST response missing finish message in KDC reply");
+ }
}
if (retval == 0)
- retval = encode_krb5_ticket(resp->ticket, &encoded_ticket);
+ retval = encode_krb5_ticket(resp->ticket, &encoded_ticket);
if (retval == 0)
- retval = krb5_c_verify_checksum(context, state->armor_key,
- KRB5_KEYUSAGE_FAST_FINISHED,
- encoded_ticket,
- &fast_response->finished->ticket_checksum,
- &cksum_valid);
+ retval = krb5_c_verify_checksum(context, state->armor_key,
+ KRB5_KEYUSAGE_FAST_FINISHED,
+ encoded_ticket,
+ &fast_response->finished->ticket_checksum,
+ &cksum_valid);
if (retval == 0 && cksum_valid == 0) {
- retval = KRB5_KDCREP_MODIFIED;
- krb5_set_error_message(context, retval, "ticket modified in KDC reply");
+ retval = KRB5_KDCREP_MODIFIED;
+ krb5_set_error_message(context, retval, "ticket modified in KDC reply");
}
if (retval == 0) {
- krb5_free_principal(context, resp->client);
- resp->client = fast_response->finished->client;
- fast_response->finished->client = NULL;
- *strengthen_key = fast_response->strengthen_key;
- fast_response->strengthen_key = NULL;
- krb5_free_pa_data(context, resp->padata);
- resp->padata = fast_response->padata;
- fast_response->padata = NULL;
+ krb5_free_principal(context, resp->client);
+ resp->client = fast_response->finished->client;
+ fast_response->finished->client = NULL;
+ *strengthen_key = fast_response->strengthen_key;
+ fast_response->strengthen_key = NULL;
+ krb5_free_pa_data(context, resp->padata);
+ resp->padata = fast_response->padata;
+ fast_response->padata = NULL;
}
if (fast_response)
- krb5_free_fast_response(context, fast_response);
+ krb5_free_fast_response(context, fast_response);
if (encoded_ticket)
- krb5_free_data(context, encoded_ticket);
+ krb5_free_data(context, encoded_ticket);
return retval;
}
krb5_error_code krb5int_fast_reply_key(krb5_context context,
- krb5_keyblock *strengthen_key,
- krb5_keyblock *existing_key,
- krb5_keyblock *out_key)
+ krb5_keyblock *strengthen_key,
+ krb5_keyblock *existing_key,
+ krb5_keyblock *out_key)
{
krb5_keyblock *key = NULL;
krb5_error_code retval = 0;
krb5_free_keyblock_contents(context, out_key);
if (strengthen_key) {
- retval = krb5_c_fx_cf2_simple(context, strengthen_key,
- "strengthenkey", existing_key, "replykey", &key);
- if (retval == 0) {
- *out_key = *key;
- free(key);
- }
+ retval = krb5_c_fx_cf2_simple(context, strengthen_key,
+ "strengthenkey", existing_key, "replykey", &key);
+ if (retval == 0) {
+ *out_key = *key;
+ free(key);
+ }
} else {
- retval = krb5_copy_keyblock_contents(context, existing_key, out_key);
+ retval = krb5_copy_keyblock_contents(context, existing_key, out_key);
}
return retval;
}
@@ -487,7 +488,7 @@ krb5int_fast_make_state( krb5_context context, struct krb5int_fast_request_state
struct krb5int_fast_request_state *local_state ;
local_state = malloc(sizeof *local_state);
if (local_state == NULL)
- return ENOMEM;
+ return ENOMEM;
memset(local_state, 0, sizeof(*local_state));
*state = local_state;
return 0;
@@ -505,16 +506,15 @@ krb5int_fast_free_state( krb5_context context, struct krb5int_fast_request_state
krb5_pa_data * krb5int_find_pa_data
(krb5_context context, krb5_pa_data *const *padata, krb5_preauthtype pa_type)
{
- krb5_pa_data * const *tmppa;
+ krb5_pa_data * const *tmppa;
if (padata == NULL)
- return NULL;
+ return NULL;
for (tmppa = padata; *tmppa != NULL; tmppa++) {
- if ((*tmppa)->pa_type == pa_type)
- break;
+ if ((*tmppa)->pa_type == pa_type)
+ break;
}
return *tmppa;
}
-
diff --git a/src/lib/krb5/krb/fast.h b/src/lib/krb5/krb/fast.h
index 4cc142335e..443f3e1962 100644
--- a/src/lib/krb5/krb/fast.h
+++ b/src/lib/krb5/krb/fast.h
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/fast.h
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* <<< Description >>>
*/
@@ -34,7 +35,7 @@
struct krb5int_fast_request_state {
krb5_kdc_req fast_outer_request;
- krb5_keyblock *armor_key; /*non-null means fast is in use*/
+ krb5_keyblock *armor_key; /*non-null means fast is in use*/
krb5_fast_armor *armor;
krb5_ui_4 fast_state_flags;
krb5_ui_4 fast_options;
@@ -43,19 +44,19 @@ struct krb5int_fast_request_state {
krb5_error_code
krb5int_fast_prep_req_body(krb5_context context, struct krb5int_fast_request_state *state,
- krb5_kdc_req *request, krb5_data **encoded_req_body);
+ krb5_kdc_req *request, krb5_data **encoded_req_body);
typedef krb5_error_code(*kdc_req_encoder_proc) (const krb5_kdc_req *, krb5_data **);
-krb5_error_code
+krb5_error_code
krb5int_fast_prep_req (krb5_context context, struct krb5int_fast_request_state *state,
- krb5_kdc_req *request,
- const krb5_data *to_be_checksummed, kdc_req_encoder_proc encoder,
- krb5_data **encoded_request);
+ krb5_kdc_req *request,
+ const krb5_data *to_be_checksummed, kdc_req_encoder_proc encoder,
+ krb5_data **encoded_request);
krb5_error_code
krb5int_fast_process_error(krb5_context context, struct krb5int_fast_request_state *state,
- krb5_error **err_replyptr , krb5_pa_data ***out_padata,
- krb5_boolean *retry);
+ krb5_error **err_replyptr , krb5_pa_data ***out_padata,
+ krb5_boolean *retry);
krb5_error_code krb5int_fast_process_response
(krb5_context context, struct krb5int_fast_request_state *state,
@@ -73,10 +74,10 @@ krb5_error_code krb5int_fast_as_armor
krb5_kdc_req *request);
krb5_error_code krb5int_fast_reply_key(krb5_context context,
- krb5_keyblock *strengthen_key,
- krb5_keyblock *existing_key,
- krb5_keyblock *output_key);
+ krb5_keyblock *strengthen_key,
+ krb5_keyblock *existing_key,
+ krb5_keyblock *output_key);
+
-
#endif
diff --git a/src/lib/krb5/krb/free_rtree.c b/src/lib/krb5/krb/free_rtree.c
index 90c9dd3c8b..951d55dd3d 100644
--- a/src/lib/krb5/krb/free_rtree.c
+++ b/src/lib/krb5/krb/free_rtree.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/free_rtree.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_free_realm_tree()
*/
@@ -34,10 +35,10 @@ krb5_free_realm_tree(krb5_context context, krb5_principal *realms)
{
register krb5_principal *nrealms = realms;
if (realms == NULL)
- return;
+ return;
while (*nrealms) {
- krb5_free_principal(context, *nrealms);
- nrealms++;
+ krb5_free_principal(context, *nrealms);
+ nrealms++;
}
free(realms);
}
diff --git a/src/lib/krb5/krb/fwd_tgt.c b/src/lib/krb5/krb/fwd_tgt.c
index 08646da6e5..5725e4931a 100644
--- a/src/lib/krb5/krb/fwd_tgt.c
+++ b/src/lib/krb5/krb/fwd_tgt.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/get_in_tkt.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -35,14 +36,14 @@
/* Get a TGT for use at the remote host */
krb5_error_code KRB5_CALLCONV
krb5_fwd_tgt_creds(krb5_context context, krb5_auth_context auth_context, char *rhost, krb5_principal client, krb5_principal server, krb5_ccache cc, int forwardable, krb5_data *outbuf)
-
-
-
-
-
-
- /* Should forwarded TGT also be forwardable? */
-
+
+
+
+
+
+
+/* Should forwarded TGT also be forwardable? */
+
{
krb5_replay_data replaydata;
krb5_data * scratch = 0;
@@ -61,136 +62,136 @@ krb5_fwd_tgt_creds(krb5_context context, krb5_auth_context auth_context, char *r
memset(&tgt, 0, sizeof(creds));
if (cc == 0) {
- if ((retval = krb5int_cc_default(context, &cc)))
- goto errout;
- close_cc = 1;
+ if ((retval = krb5int_cc_default(context, &cc)))
+ goto errout;
+ close_cc = 1;
}
retval = krb5_auth_con_getkey (context, auth_context, &session_key);
if (retval)
- goto errout;
+ goto errout;
if (session_key) {
- enctype = session_key->enctype;
- krb5_free_keyblock (context, session_key);
- session_key = NULL;
+ enctype = session_key->enctype;
+ krb5_free_keyblock (context, session_key);
+ session_key = NULL;
} else if (server) { /* must server be non-NULL when rhost is given? */
- /* Try getting credentials to see what the remote side supports.
- Not bulletproof, just a heuristic. */
- krb5_creds in, *out = 0;
- memset (&in, 0, sizeof(in));
-
- retval = krb5_copy_principal (context, server, &in.server);
- if (retval)
- goto punt;
- retval = krb5_copy_principal (context, client, &in.client);
- if (retval)
- goto punt;
- retval = krb5_get_credentials (context, 0, cc, &in, &out);
- if (retval)
- goto punt;
- /* Got the credentials. Okay, now record the enctype and
- throw them away. */
- enctype = out->keyblock.enctype;
- krb5_free_creds (context, out);
+ /* Try getting credentials to see what the remote side supports.
+ Not bulletproof, just a heuristic. */
+ krb5_creds in, *out = 0;
+ memset (&in, 0, sizeof(in));
+
+ retval = krb5_copy_principal (context, server, &in.server);
+ if (retval)
+ goto punt;
+ retval = krb5_copy_principal (context, client, &in.client);
+ if (retval)
+ goto punt;
+ retval = krb5_get_credentials (context, 0, cc, &in, &out);
+ if (retval)
+ goto punt;
+ /* Got the credentials. Okay, now record the enctype and
+ throw them away. */
+ enctype = out->keyblock.enctype;
+ krb5_free_creds (context, out);
punt:
- krb5_free_cred_contents (context, &in);
+ krb5_free_cred_contents (context, &in);
}
if ((retval = krb5_copy_principal(context, client, &creds.client)))
- goto errout;
-
+ goto errout;
+
if ((retval = krb5_build_principal_ext(context, &creds.server,
- client->realm.length,
- client->realm.data,
- KRB5_TGS_NAME_SIZE,
- KRB5_TGS_NAME,
- client->realm.length,
- client->realm.data,
- 0)))
- goto errout;
-
+ client->realm.length,
+ client->realm.data,
+ KRB5_TGS_NAME_SIZE,
+ KRB5_TGS_NAME,
+ client->realm.length,
+ client->realm.data,
+ 0)))
+ goto errout;
+
/* fetch tgt directly from cache */
context->use_conf_ktypes = 1;
retval = krb5_cc_retrieve_cred (context, cc, KRB5_TC_SUPPORTED_KTYPES,
- &creds, &tgt);
+ &creds, &tgt);
context->use_conf_ktypes = old_use_conf_ktypes;
if (retval)
- goto errout;
+ goto errout;
/* tgt->client must be equal to creds.client */
if (!krb5_principal_compare(context, tgt.client, creds.client)) {
- retval = KRB5_PRINC_NOMATCH;
- goto errout;
+ retval = KRB5_PRINC_NOMATCH;
+ goto errout;
}
if (!tgt.ticket.length) {
- retval = KRB5_NO_TKT_SUPPLIED;
- goto errout;
+ retval = KRB5_NO_TKT_SUPPLIED;
+ goto errout;
}
-
+
if (tgt.addresses && *tgt.addresses) {
- if (rhost == NULL) {
- if (krb5_princ_type(context, server) != KRB5_NT_SRV_HST) {
-retval = KRB5_FWD_BAD_PRINCIPAL;
- goto errout;
- }
-
- if (krb5_princ_size(context, server) < 2){
- retval = KRB5_CC_BADNAME;
- goto errout;
- }
-
- rhost = malloc(server->data[1].length+1);
- if (!rhost) {
- retval = ENOMEM;
- goto errout;
- }
- free_rhost = 1;
- memcpy(rhost, server->data[1].data, server->data[1].length);
- rhost[server->data[1].length] = '\0';
- }
-
- retval = krb5_os_hostaddr(context, rhost, &addrs);
- if (retval)
- goto errout;
+ if (rhost == NULL) {
+ if (krb5_princ_type(context, server) != KRB5_NT_SRV_HST) {
+ retval = KRB5_FWD_BAD_PRINCIPAL;
+ goto errout;
+ }
+
+ if (krb5_princ_size(context, server) < 2){
+ retval = KRB5_CC_BADNAME;
+ goto errout;
+ }
+
+ rhost = malloc(server->data[1].length+1);
+ if (!rhost) {
+ retval = ENOMEM;
+ goto errout;
+ }
+ free_rhost = 1;
+ memcpy(rhost, server->data[1].data, server->data[1].length);
+ rhost[server->data[1].length] = '\0';
+ }
+
+ retval = krb5_os_hostaddr(context, rhost, &addrs);
+ if (retval)
+ goto errout;
}
-
+
creds.keyblock.enctype = enctype;
creds.times = tgt.times;
creds.times.starttime = 0;
kdcoptions = flags2options(tgt.ticket_flags)|KDC_OPT_FORWARDED;
if (!forwardable) /* Reset KDC_OPT_FORWARDABLE */
- kdcoptions &= ~(KDC_OPT_FORWARDABLE);
+ kdcoptions &= ~(KDC_OPT_FORWARDABLE);
if ((retval = krb5_get_cred_via_tkt(context, &tgt, kdcoptions,
- addrs, &creds, &pcreds))) {
- if (enctype) {
- creds.keyblock.enctype = 0;
- if ((retval = krb5_get_cred_via_tkt(context, &tgt, kdcoptions,
- addrs, &creds, &pcreds)))
- goto errout;
- }
- else goto errout;
+ addrs, &creds, &pcreds))) {
+ if (enctype) {
+ creds.keyblock.enctype = 0;
+ if ((retval = krb5_get_cred_via_tkt(context, &tgt, kdcoptions,
+ addrs, &creds, &pcreds)))
+ goto errout;
+ }
+ else goto errout;
}
retval = krb5_mk_1cred(context, auth_context, pcreds,
&scratch, &replaydata);
krb5_free_creds(context, pcreds);
if (retval) {
- if (scratch)
- krb5_free_data(context, scratch);
+ if (scratch)
+ krb5_free_data(context, scratch);
} else {
- *outbuf = *scratch;
- free(scratch);
+ *outbuf = *scratch;
+ free(scratch);
}
-
+
errout:
if (addrs)
- krb5_free_addresses(context, addrs);
+ krb5_free_addresses(context, addrs);
if (close_cc)
- krb5_cc_close(context, cc);
+ krb5_cc_close(context, cc);
if (free_rhost)
- free(rhost);
+ free(rhost);
krb5_free_cred_contents(context, &creds);
krb5_free_cred_contents(context, &tgt);
return retval;
diff --git a/src/lib/krb5/krb/gc_frm_kdc.c b/src/lib/krb5/krb/gc_frm_kdc.c
index 4102dd728d..581d89d4dc 100644
--- a/src/lib/krb5/krb/gc_frm_kdc.c
+++ b/src/lib/krb5/krb/gc_frm_kdc.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* Copyright (c) 1994,2003,2005,2007 by the Massachusetts Institute of Technology.
* Copyright (c) 1994 CyberSAFE Corporation
@@ -9,7 +10,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -20,11 +21,11 @@
* permission. Furthermore if you modify this software you must label
* your software as modified software and not distribute it in such a
* fashion that it might be confused with the original M.I.T. software.
- * Neither M.I.T., the Open Computing Security Group, nor
+ * Neither M.I.T., the Open Computing Security Group, nor
* CyberSAFE Corporation make any representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
* krb5_get_cred_from_kdc() and related functions:
*
* Get credentials from some KDC somewhere, possibly accumulating TGTs
@@ -50,13 +51,13 @@ struct cc_tgts {
};
/* NOTE: This only checks if NXT_TGT is CUR_CC_TGT. */
-#define NXT_TGT_IS_CACHED(ts) \
- ((ts)->nxt_tgt == (ts)->cur_cc_tgt)
+#define NXT_TGT_IS_CACHED(ts) \
+ ((ts)->nxt_tgt == (ts)->cur_cc_tgt)
-#define MARK_CUR_CC_TGT_CLEAN(ts) \
-do { \
- (ts)->cc_tgts.dirty[(ts)->cc_tgts.cur] = 0; \
-} while (0)
+#define MARK_CUR_CC_TGT_CLEAN(ts) \
+ do { \
+ (ts)->cc_tgts.dirty[(ts)->cc_tgts.cur] = 0; \
+ } while (0)
static void init_cc_tgts(struct tr_state *);
static void shift_cc_tgts(struct tr_state *);
@@ -137,8 +138,8 @@ static void tr_dbg_rtree(struct tr_state *, const char *, krb5_principal);
* Certain krb5_cc_retrieve_cred() errors are soft errors when looking
* for a cross-realm TGT.
*/
-#define HARD_CC_ERR(r) ((r) && (r) != KRB5_CC_NOTFOUND && \
- (r) != KRB5_CC_NOT_KTYPE)
+#define HARD_CC_ERR(r) ((r) && (r) != KRB5_CC_NOTFOUND && \
+ (r) != KRB5_CC_NOT_KTYPE)
/*
* Flags for ccache lookups of cross-realm TGTs.
@@ -152,24 +153,24 @@ static void tr_dbg_rtree(struct tr_state *, const char *, krb5_principal);
* Prototypes of helper functions
*/
static krb5_error_code tgt_mcred(krb5_context, krb5_principal,
- krb5_principal, krb5_principal, krb5_creds *);
+ krb5_principal, krb5_principal, krb5_creds *);
static krb5_error_code retr_local_tgt(struct tr_state *, krb5_principal);
static krb5_error_code try_ccache(struct tr_state *, krb5_creds *);
static krb5_error_code find_nxt_kdc(struct tr_state *);
static krb5_error_code try_kdc(struct tr_state *, krb5_creds *);
static krb5_error_code kdc_mcred(struct tr_state *, krb5_principal,
- krb5_creds *mcreds);
+ krb5_creds *mcreds);
static krb5_error_code next_closest_tgt(struct tr_state *, krb5_principal);
static krb5_error_code init_rtree(struct tr_state *,
- krb5_principal, krb5_principal);
+ krb5_principal, krb5_principal);
static krb5_error_code do_traversal(krb5_context ctx, krb5_ccache,
- krb5_principal client, krb5_principal server,
- krb5_creds *out_cc_tgt, krb5_creds **out_tgt,
- krb5_creds ***out_kdc_tgts, int *tgtptr_isoffpath);
+ krb5_principal client, krb5_principal server,
+ krb5_creds *out_cc_tgt, krb5_creds **out_tgt,
+ krb5_creds ***out_kdc_tgts, int *tgtptr_isoffpath);
static krb5_error_code chase_offpath(struct tr_state *, krb5_principal,
- krb5_principal);
+ krb5_principal);
static krb5_error_code offpath_loopchk(struct tr_state *ts,
- krb5_creds *tgt, krb5_creds *reftgts[], unsigned int rcount);
+ krb5_creds *tgt, krb5_creds *reftgts[], unsigned int rcount);
/*
* init_cc_tgts()
@@ -210,8 +211,8 @@ shift_cc_tgts(struct tr_state *ts)
rb->nxt = i;
ts->nxt_cc_tgt = &rb->cred[i];
if (rb->dirty[i]) {
- krb5_free_cred_contents(ts->ctx, &rb->cred[i]);
- rb->dirty[i] = 0;
+ krb5_free_cred_contents(ts->ctx, &rb->cred[i]);
+ rb->dirty[i] = 0;
}
}
@@ -228,10 +229,10 @@ clean_cc_tgts(struct tr_state *ts)
rb = &ts->cc_tgts;
for (i = 0; i < NCC_TGTS; i++) {
- if (rb->dirty[i]) {
- krb5_free_cred_contents(ts->ctx, &rb->cred[i]);
- rb->dirty[i] = 0;
- }
+ if (rb->dirty[i]) {
+ krb5_free_cred_contents(ts->ctx, &rb->cred[i]);
+ rb->dirty[i] = 0;
+ }
}
}
@@ -257,18 +258,18 @@ tr_dbg(struct tr_state *ts, const char *prog)
fprintf(stderr, "%s: nxt_kdc %s\n", prog, nxt_kdc_str);
cleanup:
if (cur_tgt_str)
- krb5_free_unparsed_name(ts->ctx, cur_tgt_str);
+ krb5_free_unparsed_name(ts->ctx, cur_tgt_str);
if (cur_kdc_str)
- krb5_free_unparsed_name(ts->ctx, cur_kdc_str);
+ krb5_free_unparsed_name(ts->ctx, cur_kdc_str);
if (nxt_kdc_str)
- krb5_free_unparsed_name(ts->ctx, nxt_kdc_str);
+ krb5_free_unparsed_name(ts->ctx, nxt_kdc_str);
}
static void
tr_dbg_ret(struct tr_state *ts, const char *prog, krb5_error_code ret)
{
fprintf(stderr, "%s: return %d (%s)\n", prog, (int)ret,
- error_message(ret));
+ error_message(ret));
}
static void
@@ -277,7 +278,7 @@ tr_dbg_rtree(struct tr_state *ts, const char *prog, krb5_principal princ)
char *str;
if (krb5_unparse_name(ts->ctx, princ, &str))
- return;
+ return;
fprintf(stderr, "%s: %s\n", prog, str);
krb5_free_unparsed_name(ts->ctx, str);
}
@@ -296,8 +297,8 @@ tr_dbg_rtree(struct tr_state *ts, const char *prog, krb5_principal princ)
*/
static krb5_error_code
tgt_mcred(krb5_context ctx, krb5_principal client,
- krb5_principal dst, krb5_principal src,
- krb5_creds *mcreds)
+ krb5_principal dst, krb5_principal src,
+ krb5_creds *mcreds)
{
krb5_error_code retval;
@@ -306,16 +307,16 @@ tgt_mcred(krb5_context ctx, krb5_principal client,
retval = krb5_copy_principal(ctx, client, &mcreds->client);
if (retval)
- goto cleanup;
+ goto cleanup;
retval = krb5_tgtname(ctx, krb5_princ_realm(ctx, dst),
- krb5_princ_realm(ctx, src), &mcreds->server);
+ krb5_princ_realm(ctx, src), &mcreds->server);
if (retval)
- goto cleanup;
+ goto cleanup;
cleanup:
if (retval)
- krb5_free_cred_contents(ctx, mcreds);
+ krb5_free_cred_contents(ctx, mcreds);
return retval;
}
@@ -327,27 +328,27 @@ cleanup:
*/
static krb5_error_code
init_rtree(struct tr_state *ts,
- krb5_principal client, krb5_principal server)
+ krb5_principal client, krb5_principal server)
{
krb5_error_code retval;
ts->kdc_list = NULL;
retval = krb5_walk_realm_tree(ts->ctx, krb5_princ_realm(ts->ctx, client),
- krb5_princ_realm(ts->ctx, server),
- &ts->kdc_list, KRB5_REALM_BRANCH_CHAR);
+ krb5_princ_realm(ts->ctx, server),
+ &ts->kdc_list, KRB5_REALM_BRANCH_CHAR);
if (retval)
- return retval;
+ return retval;
for (ts->nkdcs = 0; ts->kdc_list[ts->nkdcs]; ts->nkdcs++) {
- assert(krb5_princ_size(ts->ctx, ts->kdc_list[ts->nkdcs]) == 2);
- TR_DBG_RTREE(ts, "init_rtree", ts->kdc_list[ts->nkdcs]);
+ assert(krb5_princ_size(ts->ctx, ts->kdc_list[ts->nkdcs]) == 2);
+ TR_DBG_RTREE(ts, "init_rtree", ts->kdc_list[ts->nkdcs]);
}
assert(ts->nkdcs > 1);
ts->lst_kdc = ts->kdc_list + ts->nkdcs - 1;
ts->kdc_tgts = calloc(ts->nkdcs + 1, sizeof(krb5_creds));
if (ts->kdc_tgts == NULL)
- return ENOMEM;
+ return ENOMEM;
return 0;
}
@@ -366,16 +367,16 @@ retr_local_tgt(struct tr_state *ts, krb5_principal client)
memset(&tgtq, 0, sizeof(tgtq));
retval = tgt_mcred(ts->ctx, client, client, client, &tgtq);
if (retval)
- return retval;
+ return retval;
/* Match realm, unlike other ccache retrievals here. */
retval = krb5_cc_retrieve_cred(ts->ctx, ts->ccache,
- KRB5_TC_SUPPORTED_KTYPES,
- &tgtq, ts->nxt_cc_tgt);
+ KRB5_TC_SUPPORTED_KTYPES,
+ &tgtq, ts->nxt_cc_tgt);
krb5_free_cred_contents(ts->ctx, &tgtq);
if (!retval) {
- shift_cc_tgts(ts);
- ts->nxt_tgt = ts->cur_tgt = ts->cur_cc_tgt;
+ shift_cc_tgts(ts);
+ ts->nxt_tgt = ts->cur_tgt = ts->cur_cc_tgt;
}
return retval;
}
@@ -393,10 +394,10 @@ try_ccache(struct tr_state *ts, krb5_creds *tgtq)
TR_DBG(ts, "try_ccache");
retval = krb5_cc_retrieve_cred(ts->ctx, ts->ccache, RETR_FLAGS,
- tgtq, ts->nxt_cc_tgt);
+ tgtq, ts->nxt_cc_tgt);
if (!retval) {
- shift_cc_tgts(ts);
- ts->nxt_tgt = ts->cur_cc_tgt;
+ shift_cc_tgts(ts);
+ ts->nxt_tgt = ts->cur_cc_tgt;
}
TR_DBG_RET(ts, "try_ccache", retval);
return retval;
@@ -436,31 +437,31 @@ find_nxt_kdc(struct tr_state *ts)
assert(ts->ntgts > 0);
assert(ts->nxt_tgt == ts->kdc_tgts[ts->ntgts-1]);
if (krb5_princ_size(ts->ctx, ts->nxt_tgt->server) != 2)
- return KRB5_KDCREP_MODIFIED;
+ return KRB5_KDCREP_MODIFIED;
r1 = krb5_princ_component(ts->ctx, ts->nxt_tgt->server, 1);
for (kdcptr = ts->cur_kdc + 1; *kdcptr != NULL; kdcptr++) {
- r2 = krb5_princ_component(ts->ctx, *kdcptr, 1);
+ r2 = krb5_princ_component(ts->ctx, *kdcptr, 1);
- if (r1 != NULL && r2 != NULL && data_eq(*r1, *r2)) {
- break;
- }
+ if (r1 != NULL && r2 != NULL && data_eq(*r1, *r2)) {
+ break;
+ }
}
if (*kdcptr != NULL) {
- ts->nxt_kdc = kdcptr;
- TR_DBG_RET(ts, "find_nxt_kdc", 0);
- return 0;
+ ts->nxt_kdc = kdcptr;
+ TR_DBG_RET(ts, "find_nxt_kdc", 0);
+ return 0;
}
r2 = krb5_princ_component(ts->ctx, ts->kdc_list[0], 1);
if (r1 != NULL && r2 != NULL &&
- r1->length == r2->length &&
- !memcmp(r1->data, r2->data, r1->length)) {
- TR_DBG_RET(ts, "find_nxt_kdc: looped back to local",
- KRB5_KDCREP_MODIFIED);
- return KRB5_KDCREP_MODIFIED;
+ r1->length == r2->length &&
+ !memcmp(r1->data, r2->data, r1->length)) {
+ TR_DBG_RET(ts, "find_nxt_kdc: looped back to local",
+ KRB5_KDCREP_MODIFIED);
+ return KRB5_KDCREP_MODIFIED;
}
/*
@@ -469,11 +470,11 @@ find_nxt_kdc(struct tr_state *ts)
*/
ts->offpath_tgt = ts->nxt_tgt;
if (ts->cur_kdc == ts->kdc_list) {
- /*
- * Local KDC referred us off path; trust it for caching
- * purposes.
- */
- return 0;
+ /*
+ * Local KDC referred us off path; trust it for caching
+ * purposes.
+ */
+ return 0;
}
/*
* Unlink the off-path TGT from KDC_TGTS but don't free it,
@@ -500,20 +501,20 @@ try_kdc(struct tr_state *ts, krb5_creds *tgtq)
TR_DBG(ts, "try_kdc");
/* This check should probably be in gc_via_tkt. */
if (!krb5_c_valid_enctype(ts->cur_tgt->keyblock.enctype))
- return KRB5_PROG_ETYPE_NOSUPP;
+ return KRB5_PROG_ETYPE_NOSUPP;
ltgtq = *tgtq;
ltgtq.is_skey = FALSE;
ltgtq.ticket_flags = ts->cur_tgt->ticket_flags;
retval = krb5_get_cred_via_tkt(ts->ctx, ts->cur_tgt,
- FLAGS2OPTS(ltgtq.ticket_flags),
- ts->cur_tgt->addresses,
- &ltgtq, &ts->kdc_tgts[ts->ntgts++]);
+ FLAGS2OPTS(ltgtq.ticket_flags),
+ ts->cur_tgt->addresses,
+ &ltgtq, &ts->kdc_tgts[ts->ntgts++]);
if (retval) {
- ts->ntgts--;
- ts->nxt_tgt = ts->cur_tgt;
- TR_DBG_RET(ts, "try_kdc", retval);
- return retval;
+ ts->ntgts--;
+ ts->nxt_tgt = ts->cur_tgt;
+ TR_DBG_RET(ts, "try_kdc", retval);
+ return retval;
}
ts->nxt_tgt = ts->kdc_tgts[ts->ntgts-1];
retval = find_nxt_kdc(ts);
@@ -544,15 +545,15 @@ kdc_mcred(struct tr_state *ts, krb5_principal client, krb5_creds *mcreds)
rsrc = krb5_princ_component(ts->ctx, *ts->cur_kdc, 1);
retval = krb5_copy_principal(ts->ctx, client, &mcreds->client);
if (retval)
- goto cleanup;
+ goto cleanup;
retval = krb5_tgtname(ts->ctx, rdst, rsrc, &mcreds->server);
if (retval)
- goto cleanup;
+ goto cleanup;
cleanup:
if (retval)
- krb5_free_cred_contents(ts->ctx, mcreds);
+ krb5_free_cred_contents(ts->ctx, mcreds);
return retval;
}
@@ -574,30 +575,30 @@ next_closest_tgt(struct tr_state *ts, krb5_principal client)
memset(&tgtq, 0, sizeof(tgtq));
for (ts->nxt_kdc = ts->lst_kdc;
- ts->nxt_kdc > ts->cur_kdc;
- ts->nxt_kdc--) {
-
- krb5_free_cred_contents(ts->ctx, &tgtq);
- retval = kdc_mcred(ts, client, &tgtq);
- if (retval)
- goto cleanup;
- /* Don't waste time retrying ccache for direct path. */
- if (ts->cur_kdc != ts->kdc_list || ts->nxt_kdc != ts->lst_kdc) {
- retval = try_ccache(ts, &tgtq);
- if (!retval)
- break;
- if (HARD_CC_ERR(retval))
- goto cleanup;
- }
- /* Not in the ccache, so talk to a KDC. */
- retval = try_kdc(ts, &tgtq);
- if (!retval) {
- break;
- }
- /*
- * In case of errors in try_kdc() or find_nxt_kdc(), continue
- * looping through the KDC list.
- */
+ ts->nxt_kdc > ts->cur_kdc;
+ ts->nxt_kdc--) {
+
+ krb5_free_cred_contents(ts->ctx, &tgtq);
+ retval = kdc_mcred(ts, client, &tgtq);
+ if (retval)
+ goto cleanup;
+ /* Don't waste time retrying ccache for direct path. */
+ if (ts->cur_kdc != ts->kdc_list || ts->nxt_kdc != ts->lst_kdc) {
+ retval = try_ccache(ts, &tgtq);
+ if (!retval)
+ break;
+ if (HARD_CC_ERR(retval))
+ goto cleanup;
+ }
+ /* Not in the ccache, so talk to a KDC. */
+ retval = try_kdc(ts, &tgtq);
+ if (!retval) {
+ break;
+ }
+ /*
+ * In case of errors in try_kdc() or find_nxt_kdc(), continue
+ * looping through the KDC list.
+ */
}
/*
* If we have a non-zero retval, we either have a hard error or we
@@ -700,13 +701,13 @@ cleanup:
*/
static krb5_error_code
do_traversal(krb5_context ctx,
- krb5_ccache ccache,
- krb5_principal client,
- krb5_principal server,
- krb5_creds *out_cc_tgt,
- krb5_creds **out_tgt,
- krb5_creds ***out_kdc_tgts,
- int *tgtptr_isoffpath)
+ krb5_ccache ccache,
+ krb5_principal client,
+ krb5_principal server,
+ krb5_creds *out_cc_tgt,
+ krb5_creds **out_tgt,
+ krb5_creds ***out_kdc_tgts,
+ int *tgtptr_isoffpath)
{
krb5_error_code retval;
struct tr_state state, *ts;
@@ -721,51 +722,51 @@ do_traversal(krb5_context ctx,
retval = init_rtree(ts, client, server);
if (retval)
- goto cleanup;
+ goto cleanup;
retval = retr_local_tgt(ts, client);
if (retval)
- goto cleanup;
+ goto cleanup;
for (ts->cur_kdc = ts->kdc_list, ts->nxt_kdc = NULL;
- ts->cur_kdc != NULL && ts->cur_kdc < ts->lst_kdc;
- ts->cur_kdc = ts->nxt_kdc, ts->cur_tgt = ts->nxt_tgt) {
-
- retval = next_closest_tgt(ts, client);
- if (retval)
- goto cleanup;
-
- if (ts->offpath_tgt != NULL) {
- retval = chase_offpath(ts, client, server);
- if (retval)
- goto cleanup;
- break;
- }
- assert(ts->cur_kdc != ts->nxt_kdc);
+ ts->cur_kdc != NULL && ts->cur_kdc < ts->lst_kdc;
+ ts->cur_kdc = ts->nxt_kdc, ts->cur_tgt = ts->nxt_tgt) {
+
+ retval = next_closest_tgt(ts, client);
+ if (retval)
+ goto cleanup;
+
+ if (ts->offpath_tgt != NULL) {
+ retval = chase_offpath(ts, client, server);
+ if (retval)
+ goto cleanup;
+ break;
+ }
+ assert(ts->cur_kdc != ts->nxt_kdc);
}
if (NXT_TGT_IS_CACHED(ts)) {
- assert(ts->offpath_tgt == NULL);
- *out_cc_tgt = *ts->cur_cc_tgt;
- *out_tgt = out_cc_tgt;
- MARK_CUR_CC_TGT_CLEAN(ts);
+ assert(ts->offpath_tgt == NULL);
+ *out_cc_tgt = *ts->cur_cc_tgt;
+ *out_tgt = out_cc_tgt;
+ MARK_CUR_CC_TGT_CLEAN(ts);
} else if (ts->offpath_tgt != NULL){
- *out_tgt = ts->offpath_tgt;
+ *out_tgt = ts->offpath_tgt;
} else {
- /* CUR_TGT is somewhere in KDC_TGTS; no need to copy. */
- *out_tgt = ts->nxt_tgt;
+ /* CUR_TGT is somewhere in KDC_TGTS; no need to copy. */
+ *out_tgt = ts->nxt_tgt;
}
cleanup:
clean_cc_tgts(ts);
if (ts->kdc_list != NULL)
- krb5_free_realm_tree(ctx, ts->kdc_list);
+ krb5_free_realm_tree(ctx, ts->kdc_list);
if (ts->ntgts == 0) {
- *out_kdc_tgts = NULL;
- if (ts->kdc_tgts != NULL)
- free(ts->kdc_tgts);
+ *out_kdc_tgts = NULL;
+ if (ts->kdc_tgts != NULL)
+ free(ts->kdc_tgts);
} else
- *out_kdc_tgts = ts->kdc_tgts;
+ *out_kdc_tgts = ts->kdc_tgts;
*tgtptr_isoffpath = (ts->offpath_tgt != NULL);
return retval;
}
@@ -785,7 +786,7 @@ cleanup:
*/
static krb5_error_code
chase_offpath(struct tr_state *ts,
- krb5_principal client, krb5_principal server)
+ krb5_principal client, krb5_principal server)
{
krb5_error_code retval;
krb5_creds mcred;
@@ -797,61 +798,61 @@ chase_offpath(struct tr_state *ts,
cur_tgt = ts->offpath_tgt;
for (rcount = 0; rcount < KRB5_REFERRAL_MAXHOPS; rcount++) {
- nxt_tgt = NULL;
- memset(&mcred, 0, sizeof(mcred));
- rsrc = krb5_princ_component(ts->ctx, cur_tgt->server, 1);
- retval = krb5_tgtname(ts->ctx, rdst, rsrc, &mcred.server);
- if (retval)
- goto cleanup;
- mcred.client = client;
+ nxt_tgt = NULL;
+ memset(&mcred, 0, sizeof(mcred));
+ rsrc = krb5_princ_component(ts->ctx, cur_tgt->server, 1);
+ retval = krb5_tgtname(ts->ctx, rdst, rsrc, &mcred.server);
+ if (retval)
+ goto cleanup;
+ mcred.client = client;
retval = krb5_get_cred_via_tkt(ts->ctx, cur_tgt,
- FLAGS2OPTS(cur_tgt->ticket_flags),
- cur_tgt->addresses, &mcred, &nxt_tgt);
- mcred.client = NULL;
- krb5_free_principal(ts->ctx, mcred.server);
- mcred.server = NULL;
- if (retval)
- goto cleanup;
- if (!IS_TGS_PRINC(ts->ctx, nxt_tgt->server)) {
- retval = KRB5_KDCREP_MODIFIED;
- goto cleanup;
- }
- r1 = krb5_princ_component(ts->ctx, nxt_tgt->server, 1);
- if (rdst->length == r1->length &&
- !memcmp(rdst->data, r1->data, rdst->length)) {
- retval = 0;
- goto cleanup;
- }
- retval = offpath_loopchk(ts, nxt_tgt, reftgts, rcount);
- if (retval)
- goto cleanup;
- reftgts[rcount] = nxt_tgt;
- cur_tgt = nxt_tgt;
- nxt_tgt = NULL;
+ FLAGS2OPTS(cur_tgt->ticket_flags),
+ cur_tgt->addresses, &mcred, &nxt_tgt);
+ mcred.client = NULL;
+ krb5_free_principal(ts->ctx, mcred.server);
+ mcred.server = NULL;
+ if (retval)
+ goto cleanup;
+ if (!IS_TGS_PRINC(ts->ctx, nxt_tgt->server)) {
+ retval = KRB5_KDCREP_MODIFIED;
+ goto cleanup;
+ }
+ r1 = krb5_princ_component(ts->ctx, nxt_tgt->server, 1);
+ if (rdst->length == r1->length &&
+ !memcmp(rdst->data, r1->data, rdst->length)) {
+ retval = 0;
+ goto cleanup;
+ }
+ retval = offpath_loopchk(ts, nxt_tgt, reftgts, rcount);
+ if (retval)
+ goto cleanup;
+ reftgts[rcount] = nxt_tgt;
+ cur_tgt = nxt_tgt;
+ nxt_tgt = NULL;
}
/* Max hop count exceeded. */
retval = KRB5_KDCREP_MODIFIED;
cleanup:
if (mcred.server != NULL) {
- krb5_free_principal(ts->ctx, mcred.server);
+ krb5_free_principal(ts->ctx, mcred.server);
}
/*
* Don't free TS->OFFPATH_TGT if it's in the list of cacheable
* TGTs to be returned by do_traversal().
*/
if (ts->offpath_tgt != ts->nxt_tgt) {
- krb5_free_creds(ts->ctx, ts->offpath_tgt);
+ krb5_free_creds(ts->ctx, ts->offpath_tgt);
}
ts->offpath_tgt = NULL;
if (nxt_tgt != NULL) {
- if (retval)
- krb5_free_creds(ts->ctx, nxt_tgt);
- else
- ts->offpath_tgt = nxt_tgt;
+ if (retval)
+ krb5_free_creds(ts->ctx, nxt_tgt);
+ else
+ ts->offpath_tgt = nxt_tgt;
}
for (i = 0; i < rcount; i++) {
- krb5_free_creds(ts->ctx, reftgts[i]);
+ krb5_free_creds(ts->ctx, reftgts[i]);
}
return retval;
}
@@ -864,23 +865,23 @@ cleanup:
*/
static krb5_error_code
offpath_loopchk(struct tr_state *ts,
- krb5_creds *tgt, krb5_creds *reftgts[], unsigned int rcount)
+ krb5_creds *tgt, krb5_creds *reftgts[], unsigned int rcount)
{
krb5_data *r1, *r2;
unsigned int i;
r1 = krb5_princ_component(ts->ctx, tgt->server, 1);
for (i = 0; i < rcount; i++) {
- r2 = krb5_princ_component(ts->ctx, reftgts[i]->server, 1);
- if (r1->length == r2->length &&
- !memcmp(r1->data, r2->data, r1->length))
- return KRB5_KDCREP_MODIFIED;
+ r2 = krb5_princ_component(ts->ctx, reftgts[i]->server, 1);
+ if (r1->length == r2->length &&
+ !memcmp(r1->data, r2->data, r1->length))
+ return KRB5_KDCREP_MODIFIED;
}
for (i = 0; i < ts->ntgts; i++) {
- r2 = krb5_princ_component(ts->ctx, ts->kdc_tgts[i]->server, 1);
- if (r1->length == r2->length &&
- !memcmp(r1->data, r2->data, r1->length))
- return KRB5_KDCREP_MODIFIED;
+ r2 = krb5_princ_component(ts->ctx, ts->kdc_tgts[i]->server, 1);
+ if (r1->length == r2->length &&
+ !memcmp(r1->data, r2->data, r1->length))
+ return KRB5_KDCREP_MODIFIED;
}
return 0;
}
@@ -923,8 +924,8 @@ offpath_loopchk(struct tr_state *ts,
krb5_error_code
krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache,
- krb5_creds *in_cred, krb5_creds **out_cred,
- krb5_creds ***tgts, int kdcopt)
+ krb5_creds *in_cred, krb5_creds **out_cred,
+ krb5_creds ***tgts, int kdcopt)
{
krb5_error_code retval, subretval;
krb5_principal client, server, supplied_server, out_supplied_server;
@@ -936,7 +937,7 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache,
unsigned int referral_count, i;
krb5_authdata **supplied_authdata, **out_supplied_authdata = NULL;
- /*
+ /*
* Set up client and server pointers. Make a fresh and modifyable
* copy of the in_cred server and save the supplied version.
*/
@@ -945,17 +946,17 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache,
return retval;
/* We need a second copy for the output creds. */
if ((retval = krb5_copy_principal(context, server,
- &out_supplied_server)) != 0 ) {
- krb5_free_principal(context, server);
- return retval;
+ &out_supplied_server)) != 0 ) {
+ krb5_free_principal(context, server);
+ return retval;
}
if (in_cred->authdata != NULL) {
- if ((retval = krb5_copy_authdata(context, in_cred->authdata,
- &out_supplied_authdata)) != 0) {
- krb5_free_principal(context, out_supplied_server);
- krb5_free_principal(context, server);
- return retval;
- }
+ if ((retval = krb5_copy_authdata(context, in_cred->authdata,
+ &out_supplied_authdata)) != 0) {
+ krb5_free_principal(context, out_supplied_server);
+ krb5_free_principal(context, server);
+ return retval;
+ }
}
supplied_server = in_cred->server;
@@ -977,16 +978,16 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache,
if (krb5_is_referral_realm(&server->realm)) {
/* Use the client realm. */
DPRINTF(("gc_from_kdc: no server realm supplied, "
- "using client realm.\n"));
- krb5_free_data_contents(context, &server->realm);
- server->realm.data = malloc(client->realm.length + 1);
- if (server->realm.data == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
- memcpy(server->realm.data, client->realm.data, client->realm.length);
- server->realm.length = client->realm.length;
- server->realm.data[server->realm.length] = 0;
+ "using client realm.\n"));
+ krb5_free_data_contents(context, &server->realm);
+ server->realm.data = malloc(client->realm.length + 1);
+ if (server->realm.data == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+ memcpy(server->realm.data, client->realm.data, client->realm.length);
+ server->realm.length = client->realm.length;
+ server->realm.data[server->realm.length] = 0;
}
/*
* Retreive initial TGT to match the specified server, either for the
@@ -995,21 +996,21 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache,
*/
retval = tgt_mcred(context, client, server, client, &tgtq);
if (retval)
- goto cleanup;
+ goto cleanup;
/* Fast path: Is it in the ccache? */
context->use_conf_ktypes = 1;
retval = krb5_cc_retrieve_cred(context, ccache, RETR_FLAGS,
- &tgtq, &cc_tgt);
+ &tgtq, &cc_tgt);
if (!retval) {
- tgtptr = &cc_tgt;
+ tgtptr = &cc_tgt;
} else if (!HARD_CC_ERR(retval)) {
DPRINTF(("gc_from_kdc: starting do_traversal to find "
- "initial TGT for referral\n"));
- tgtptr_isoffpath = 0;
- otgtptr = NULL;
- retval = do_traversal(context, ccache, client, server,
- &cc_tgt, &tgtptr, tgts, &tgtptr_isoffpath);
+ "initial TGT for referral\n"));
+ tgtptr_isoffpath = 0;
+ otgtptr = NULL;
+ retval = do_traversal(context, ccache, client, server,
+ &cc_tgt, &tgtptr, tgts, &tgtptr_isoffpath);
}
if (retval) {
DPRINTF(("gc_from_kdc: failed to find initial TGT for referral\n"));
@@ -1019,8 +1020,8 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache,
DUMP_PRINC("gc_from_kdc: server as requested", supplied_server);
if (in_cred->second_ticket.length != 0 &&
- (kdcopt & KDC_OPT_CNAME_IN_ADDL_TKT) == 0) {
- kdcopt |= KDC_OPT_ENC_TKT_IN_SKEY;
+ (kdcopt & KDC_OPT_CNAME_IN_ADDL_TKT) == 0) {
+ kdcopt |= KDC_OPT_ENC_TKT_IN_SKEY;
}
/*
@@ -1035,152 +1036,152 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache,
*/
otgtptr = tgtptr;
for (referral_count = 0;
- referral_count < KRB5_REFERRAL_MAXHOPS;
- referral_count++) {
+ referral_count < KRB5_REFERRAL_MAXHOPS;
+ referral_count++) {
#if 0
DUMP_PRINC("gc_from_kdc: referral loop: tgt in use", tgtptr->server);
DUMP_PRINC("gc_from_kdc: referral loop: request is for", server);
#endif
retval = krb5_get_cred_via_tkt(context, tgtptr,
- KDC_OPT_CANONICALIZE |
- FLAGS2OPTS(tgtptr->ticket_flags) |
- kdcopt,
- tgtptr->addresses, in_cred, out_cred);
- if (retval) {
- DPRINTF(("gc_from_kdc: referral TGS-REQ request failed: <%s>\n",
- error_message(retval)));
- /* If we haven't gone anywhere yet, fail through to the
- non-referral case. */
- if (referral_count==0) {
- DPRINTF(("gc_from_kdc: initial referral failed; "
- "punting to fallback.\n"));
- break;
- }
- /* Otherwise, try the same query without canonicalization
- set, and fail hard if that doesn't work. */
- DPRINTF(("gc_from_kdc: referral #%d failed; "
- "retrying without option.\n", referral_count + 1));
- retval = krb5_get_cred_via_tkt(context, tgtptr,
- FLAGS2OPTS(tgtptr->ticket_flags) |
- kdcopt,
- tgtptr->addresses,
- in_cred, out_cred);
- /* Whether or not that succeeded, we're done. */
- goto cleanup;
- }
- /* Referral request succeeded; let's see what it is. */
- if (krb5_principal_compare(context, in_cred->server,
- (*out_cred)->server)) {
- DPRINTF(("gc_from_kdc: request generated ticket "
- "for requested server principal\n"));
- DUMP_PRINC("gc_from_kdc final referred reply",
- in_cred->server);
-
- /*
- * Check if the return enctype is one that we requested if
- * needed.
- */
- if (old_use_conf_ktypes || !context->tgs_etypes)
- goto cleanup;
- for (i = 0; context->tgs_etypes[i]; i++) {
- if ((*out_cred)->keyblock.enctype == context->tgs_etypes[i]) {
- /* Found an allowable etype, so we're done */
- goto cleanup;
- }
- }
- /*
- * We need to try again, but this time use the
- * tgs_ktypes in the context. At this point we should
- * have all the tgts to succeed.
- */
-
- /* Free "wrong" credential */
- krb5_free_creds(context, *out_cred);
- *out_cred = NULL;
- /* Re-establish tgs etypes */
- context->use_conf_ktypes = old_use_conf_ktypes;
- retval = krb5_get_cred_via_tkt(context, tgtptr,
- KDC_OPT_CANONICALIZE |
- FLAGS2OPTS(tgtptr->ticket_flags) |
- kdcopt,
- tgtptr->addresses,
- in_cred, out_cred);
- goto cleanup;
- }
- else if (IS_TGS_PRINC(context, (*out_cred)->server)) {
- krb5_data *r1, *r2;
-
- DPRINTF(("gc_from_kdc: request generated referral tgt\n"));
- DUMP_PRINC("gc_from_kdc credential received",
- (*out_cred)->server);
-
- if (referral_count == 0)
- r1 = &tgtptr->server->data[1];
- else
- r1 = &referral_tgts[referral_count-1]->server->data[1];
-
- r2 = &(*out_cred)->server->data[1];
- if (data_eq(*r1, *r2)) {
- DPRINTF(("gc_from_kdc: referred back to "
- "previous realm; fall back\n"));
- krb5_free_creds(context, *out_cred);
- *out_cred = NULL;
- break;
- }
- /* Check for referral routing loop. */
- for (i=0;i<referral_count;i++) {
+ KDC_OPT_CANONICALIZE |
+ FLAGS2OPTS(tgtptr->ticket_flags) |
+ kdcopt,
+ tgtptr->addresses, in_cred, out_cred);
+ if (retval) {
+ DPRINTF(("gc_from_kdc: referral TGS-REQ request failed: <%s>\n",
+ error_message(retval)));
+ /* If we haven't gone anywhere yet, fail through to the
+ non-referral case. */
+ if (referral_count==0) {
+ DPRINTF(("gc_from_kdc: initial referral failed; "
+ "punting to fallback.\n"));
+ break;
+ }
+ /* Otherwise, try the same query without canonicalization
+ set, and fail hard if that doesn't work. */
+ DPRINTF(("gc_from_kdc: referral #%d failed; "
+ "retrying without option.\n", referral_count + 1));
+ retval = krb5_get_cred_via_tkt(context, tgtptr,
+ FLAGS2OPTS(tgtptr->ticket_flags) |
+ kdcopt,
+ tgtptr->addresses,
+ in_cred, out_cred);
+ /* Whether or not that succeeded, we're done. */
+ goto cleanup;
+ }
+ /* Referral request succeeded; let's see what it is. */
+ if (krb5_principal_compare(context, in_cred->server,
+ (*out_cred)->server)) {
+ DPRINTF(("gc_from_kdc: request generated ticket "
+ "for requested server principal\n"));
+ DUMP_PRINC("gc_from_kdc final referred reply",
+ in_cred->server);
+
+ /*
+ * Check if the return enctype is one that we requested if
+ * needed.
+ */
+ if (old_use_conf_ktypes || !context->tgs_etypes)
+ goto cleanup;
+ for (i = 0; context->tgs_etypes[i]; i++) {
+ if ((*out_cred)->keyblock.enctype == context->tgs_etypes[i]) {
+ /* Found an allowable etype, so we're done */
+ goto cleanup;
+ }
+ }
+ /*
+ * We need to try again, but this time use the
+ * tgs_ktypes in the context. At this point we should
+ * have all the tgts to succeed.
+ */
+
+ /* Free "wrong" credential */
+ krb5_free_creds(context, *out_cred);
+ *out_cred = NULL;
+ /* Re-establish tgs etypes */
+ context->use_conf_ktypes = old_use_conf_ktypes;
+ retval = krb5_get_cred_via_tkt(context, tgtptr,
+ KDC_OPT_CANONICALIZE |
+ FLAGS2OPTS(tgtptr->ticket_flags) |
+ kdcopt,
+ tgtptr->addresses,
+ in_cred, out_cred);
+ goto cleanup;
+ }
+ else if (IS_TGS_PRINC(context, (*out_cred)->server)) {
+ krb5_data *r1, *r2;
+
+ DPRINTF(("gc_from_kdc: request generated referral tgt\n"));
+ DUMP_PRINC("gc_from_kdc credential received",
+ (*out_cred)->server);
+
+ if (referral_count == 0)
+ r1 = &tgtptr->server->data[1];
+ else
+ r1 = &referral_tgts[referral_count-1]->server->data[1];
+
+ r2 = &(*out_cred)->server->data[1];
+ if (data_eq(*r1, *r2)) {
+ DPRINTF(("gc_from_kdc: referred back to "
+ "previous realm; fall back\n"));
+ krb5_free_creds(context, *out_cred);
+ *out_cred = NULL;
+ break;
+ }
+ /* Check for referral routing loop. */
+ for (i=0;i<referral_count;i++) {
#if 0
- DUMP_PRINC("gc_from_kdc: loop compare #1",
- (*out_cred)->server);
- DUMP_PRINC("gc_from_kdc: loop compare #2",
- referral_tgts[i]->server);
+ DUMP_PRINC("gc_from_kdc: loop compare #1",
+ (*out_cred)->server);
+ DUMP_PRINC("gc_from_kdc: loop compare #2",
+ referral_tgts[i]->server);
#endif
- if (krb5_principal_compare(context,
- (*out_cred)->server,
- referral_tgts[i]->server)) {
- DFPRINTF((stderr,
- "krb5_get_cred_from_kdc_opt: "
- "referral routing loop - "
- "got referral back to hop #%d\n", i));
- retval=KRB5_KDC_UNREACH;
- goto cleanup;
- }
- }
- /* Point current tgt pointer at newly-received TGT. */
- if (tgtptr == &cc_tgt)
- krb5_free_cred_contents(context, tgtptr);
- tgtptr=*out_cred;
- /* Save requested auth data with TGT in case it ends up stored */
- if (supplied_authdata != NULL) {
- /* Ensure we note TGT contains authorization data */
- retval = krb5_copy_authdata(context,
- supplied_authdata,
- &(*out_cred)->authdata);
- if (retval)
- goto cleanup;
- }
- /* Save pointer to tgt in referral_tgts. */
- referral_tgts[referral_count]=*out_cred;
- *out_cred = NULL;
- /* Copy krbtgt realm to server principal. */
- krb5_free_data_contents(context, &server->realm);
- retval = krb5int_copy_data_contents(context,
- &tgtptr->server->data[1],
- &server->realm);
- if (retval)
- goto cleanup;
- /* Don't ask for KDC to add auth data multiple times */
- in_cred->authdata = NULL;
- /*
- * Future work: rewrite server principal per any
- * supplied padata.
- */
- } else {
- /* Not a TGT; punt to fallback. */
- krb5_free_creds(context, *out_cred);
- *out_cred = NULL;
- break;
- }
+ if (krb5_principal_compare(context,
+ (*out_cred)->server,
+ referral_tgts[i]->server)) {
+ DFPRINTF((stderr,
+ "krb5_get_cred_from_kdc_opt: "
+ "referral routing loop - "
+ "got referral back to hop #%d\n", i));
+ retval=KRB5_KDC_UNREACH;
+ goto cleanup;
+ }
+ }
+ /* Point current tgt pointer at newly-received TGT. */
+ if (tgtptr == &cc_tgt)
+ krb5_free_cred_contents(context, tgtptr);
+ tgtptr=*out_cred;
+ /* Save requested auth data with TGT in case it ends up stored */
+ if (supplied_authdata != NULL) {
+ /* Ensure we note TGT contains authorization data */
+ retval = krb5_copy_authdata(context,
+ supplied_authdata,
+ &(*out_cred)->authdata);
+ if (retval)
+ goto cleanup;
+ }
+ /* Save pointer to tgt in referral_tgts. */
+ referral_tgts[referral_count]=*out_cred;
+ *out_cred = NULL;
+ /* Copy krbtgt realm to server principal. */
+ krb5_free_data_contents(context, &server->realm);
+ retval = krb5int_copy_data_contents(context,
+ &tgtptr->server->data[1],
+ &server->realm);
+ if (retval)
+ goto cleanup;
+ /* Don't ask for KDC to add auth data multiple times */
+ in_cred->authdata = NULL;
+ /*
+ * Future work: rewrite server principal per any
+ * supplied padata.
+ */
+ } else {
+ /* Not a TGT; punt to fallback. */
+ krb5_free_creds(context, *out_cred);
+ *out_cred = NULL;
+ break;
+ }
}
DUMP_PRINC("gc_from_kdc client at fallback", client);
@@ -1198,33 +1199,33 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache,
*/
if (krb5_is_referral_realm(&supplied_server->realm)) {
if (server->length >= 2) {
- retval=krb5_get_fallback_host_realm(context, &server->data[1],
- &hrealms);
- if (retval) goto cleanup;
+ retval=krb5_get_fallback_host_realm(context, &server->data[1],
+ &hrealms);
+ if (retval) goto cleanup;
#if 0
- DPRINTF(("gc_from_kdc: using fallback realm of %s\n",
- hrealms[0]));
+ DPRINTF(("gc_from_kdc: using fallback realm of %s\n",
+ hrealms[0]));
#endif
- krb5_free_data_contents(context,&in_cred->server->realm);
- server->realm.data=hrealms[0];
- server->realm.length=strlen(hrealms[0]);
- free(hrealms);
- }
- else {
- /*
- * Problem case: Realm tagged for referral but apparently not
- * in a <type>/<host> format that
- * krb5_get_fallback_host_realm can deal with.
- */
- DPRINTF(("gc_from_kdc: referral specified "
- "but no fallback realm avaiable!\n"));
- retval = KRB5_ERR_HOST_REALM_UNKNOWN;
- goto cleanup;
- }
+ krb5_free_data_contents(context,&in_cred->server->realm);
+ server->realm.data=hrealms[0];
+ server->realm.length=strlen(hrealms[0]);
+ free(hrealms);
+ }
+ else {
+ /*
+ * Problem case: Realm tagged for referral but apparently not
+ * in a <type>/<host> format that
+ * krb5_get_fallback_host_realm can deal with.
+ */
+ DPRINTF(("gc_from_kdc: referral specified "
+ "but no fallback realm avaiable!\n"));
+ retval = KRB5_ERR_HOST_REALM_UNKNOWN;
+ goto cleanup;
+ }
}
DUMP_PRINC("gc_from_kdc server at fallback after fallback rewrite",
- server);
+ server);
/*
* Get a TGT for the target realm.
@@ -1233,37 +1234,37 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache,
krb5_free_cred_contents(context, &tgtq);
retval = tgt_mcred(context, client, server, client, &tgtq);
if (retval)
- goto cleanup;
+ goto cleanup;
/* Fast path: Is it in the ccache? */
/* Free tgtptr data if reused from above. */
if (tgtptr == &cc_tgt)
- krb5_free_cred_contents(context, tgtptr);
+ krb5_free_cred_contents(context, tgtptr);
tgtptr = NULL;
/* Free saved TGT in OTGTPTR if it was off-path. */
if (tgtptr_isoffpath)
- krb5_free_creds(context, otgtptr);
+ krb5_free_creds(context, otgtptr);
otgtptr = NULL;
/* Free TGTS if previously filled by do_traversal() */
if (*tgts != NULL) {
- for (i = 0; (*tgts)[i] != NULL; i++) {
- krb5_free_creds(context, (*tgts)[i]);
- }
- free(*tgts);
- *tgts = NULL;
+ for (i = 0; (*tgts)[i] != NULL; i++) {
+ krb5_free_creds(context, (*tgts)[i]);
+ }
+ free(*tgts);
+ *tgts = NULL;
}
context->use_conf_ktypes = 1;
retval = krb5_cc_retrieve_cred(context, ccache, RETR_FLAGS,
- &tgtq, &cc_tgt);
+ &tgtq, &cc_tgt);
if (!retval) {
- tgtptr = &cc_tgt;
+ tgtptr = &cc_tgt;
} else if (!HARD_CC_ERR(retval)) {
- tgtptr_isoffpath = 0;
- retval = do_traversal(context, ccache, client, server,
- &cc_tgt, &tgtptr, tgts, &tgtptr_isoffpath);
+ tgtptr_isoffpath = 0;
+ retval = do_traversal(context, ccache, client, server,
+ &cc_tgt, &tgtptr, tgts, &tgtptr_isoffpath);
}
if (retval)
- goto cleanup;
+ goto cleanup;
otgtptr = tgtptr;
/*
@@ -1271,44 +1272,44 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache,
*/
if (!krb5_c_valid_enctype(tgtptr->keyblock.enctype)) {
- retval = KRB5_PROG_ETYPE_NOSUPP;
- goto cleanup;
+ retval = KRB5_PROG_ETYPE_NOSUPP;
+ goto cleanup;
}
context->use_conf_ktypes = old_use_conf_ktypes;
retval = krb5_get_cred_via_tkt(context, tgtptr,
- FLAGS2OPTS(tgtptr->ticket_flags) |
- kdcopt,
- tgtptr->addresses, in_cred, out_cred);
+ FLAGS2OPTS(tgtptr->ticket_flags) |
+ kdcopt,
+ tgtptr->addresses, in_cred, out_cred);
cleanup:
krb5_free_cred_contents(context, &tgtq);
if (tgtptr == &cc_tgt)
- krb5_free_cred_contents(context, tgtptr);
+ krb5_free_cred_contents(context, tgtptr);
if (tgtptr_isoffpath)
- krb5_free_creds(context, otgtptr);
+ krb5_free_creds(context, otgtptr);
context->use_conf_ktypes = old_use_conf_ktypes;
/* Drop the original principal back into in_cred so that it's cached
in the expected format. */
DUMP_PRINC("gc_from_kdc: final hacked server principal at cleanup",
- server);
+ server);
krb5_free_principal(context, server);
in_cred->server = supplied_server;
in_cred->authdata = supplied_authdata;
if (*out_cred && !retval) {
/* Success: free server, swap supplied server back in. */
krb5_free_principal (context, (*out_cred)->server);
- (*out_cred)->server = out_supplied_server;
- assert((*out_cred)->authdata == NULL);
- (*out_cred)->authdata = out_supplied_authdata;
+ (*out_cred)->server = out_supplied_server;
+ assert((*out_cred)->authdata == NULL);
+ (*out_cred)->authdata = out_supplied_authdata;
}
else {
- /*
- * Failure: free out_supplied_server. Don't free out_cred here
- * since it's either null or a referral TGT that we free below,
- * and we may need it to return.
- */
+ /*
+ * Failure: free out_supplied_server. Don't free out_cred here
+ * since it's either null or a referral TGT that we free below,
+ * and we may need it to return.
+ */
krb5_free_principal(context, out_supplied_server);
- krb5_free_authdata(context, out_supplied_authdata);
+ krb5_free_authdata(context, out_supplied_authdata);
}
DUMP_PRINC("gc_from_kdc: final server after reversion", in_cred->server);
/*
@@ -1323,74 +1324,74 @@ cleanup:
if (*tgts == NULL) {
if (referral_tgts[0]) {
#if 0
- /*
- * This should possibly be a check on the candidate return
- * credential against the cache, in the circumstance where we
- * don't want to clutter the cache with near-duplicate
- * credentials on subsequent iterations. For now, it is
- * disabled.
- */
- subretval=...?;
- if (subretval) {
+ /*
+ * This should possibly be a check on the candidate return
+ * credential against the cache, in the circumstance where we
+ * don't want to clutter the cache with near-duplicate
+ * credentials on subsequent iterations. For now, it is
+ * disabled.
+ */
+ subretval=...?;
+ if (subretval) {
#endif
- /* Allocate returnable TGT list. */
- *tgts = calloc(2, sizeof (krb5_creds *));
- if (*tgts == NULL && retval == 0)
- retval = ENOMEM;
- if (*tgts) {
- subretval = krb5_copy_creds(context, referral_tgts[0],
- &((*tgts)[0]));
- if (subretval) {
- if (retval == 0)
- retval = subretval;
- free(*tgts);
- *tgts = NULL;
- } else {
- (*tgts)[1] = NULL;
- DUMP_PRINC("gc_from_kdc: referral TGT for ccache",
- (*tgts)[0]->server);
- }
- }
+ /* Allocate returnable TGT list. */
+ *tgts = calloc(2, sizeof (krb5_creds *));
+ if (*tgts == NULL && retval == 0)
+ retval = ENOMEM;
+ if (*tgts) {
+ subretval = krb5_copy_creds(context, referral_tgts[0],
+ &((*tgts)[0]));
+ if (subretval) {
+ if (retval == 0)
+ retval = subretval;
+ free(*tgts);
+ *tgts = NULL;
+ } else {
+ (*tgts)[1] = NULL;
+ DUMP_PRINC("gc_from_kdc: referral TGT for ccache",
+ (*tgts)[0]->server);
+ }
+ }
#if 0
- }
+ }
#endif
- }
+ }
}
/* Free referral TGTs list. */
for (i=0;i<KRB5_REFERRAL_MAXHOPS;i++) {
if(referral_tgts[i]) {
- krb5_free_creds(context, referral_tgts[i]);
- }
+ krb5_free_creds(context, referral_tgts[i]);
+ }
}
DPRINTF(("gc_from_kdc finishing with %s\n",
- retval ? error_message(retval) : "no error"));
+ retval ? error_message(retval) : "no error"));
return retval;
}
krb5_error_code
krb5_get_cred_from_kdc(krb5_context context, krb5_ccache ccache,
- krb5_creds *in_cred, krb5_creds **out_cred,
- krb5_creds ***tgts)
+ krb5_creds *in_cred, krb5_creds **out_cred,
+ krb5_creds ***tgts)
{
return krb5_get_cred_from_kdc_opt(context, ccache, in_cred, out_cred, tgts,
- 0);
+ 0);
}
krb5_error_code
krb5_get_cred_from_kdc_validate(krb5_context context, krb5_ccache ccache,
- krb5_creds *in_cred, krb5_creds **out_cred,
- krb5_creds ***tgts)
+ krb5_creds *in_cred, krb5_creds **out_cred,
+ krb5_creds ***tgts)
{
return krb5_get_cred_from_kdc_opt(context, ccache, in_cred, out_cred, tgts,
- KDC_OPT_VALIDATE);
+ KDC_OPT_VALIDATE);
}
krb5_error_code
krb5_get_cred_from_kdc_renew(krb5_context context, krb5_ccache ccache,
- krb5_creds *in_cred, krb5_creds **out_cred,
- krb5_creds ***tgts)
+ krb5_creds *in_cred, krb5_creds **out_cred,
+ krb5_creds ***tgts)
{
return krb5_get_cred_from_kdc_opt(context, ccache, in_cred, out_cred, tgts,
- KDC_OPT_RENEW);
+ KDC_OPT_RENEW);
}
diff --git a/src/lib/krb5/krb/gc_via_tkt.c b/src/lib/krb5/krb/gc_via_tkt.c
index 273655ab5d..bea435bc97 100644
--- a/src/lib/krb5/krb/gc_via_tkt.c
+++ b/src/lib/krb5/krb/gc_via_tkt.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/gc_via_tgt.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* Given a tkt, and a target cred, get it.
* Assumes that the kdc_rep has been decrypted.
@@ -34,28 +35,28 @@
static krb5_error_code
krb5_kdcrep2creds(krb5_context context, krb5_kdc_rep *pkdcrep, krb5_address *const *address, krb5_data *psectkt, krb5_creds **ppcreds)
{
- krb5_error_code retval;
+ krb5_error_code retval;
krb5_data *pdata;
-
+
if ((*ppcreds = (krb5_creds *)calloc(1,sizeof(krb5_creds))) == NULL) {
return ENOMEM;
}
if ((retval = krb5_copy_principal(context, pkdcrep->client,
- &(*ppcreds)->client)))
+ &(*ppcreds)->client)))
goto cleanup;
if ((retval = krb5_copy_principal(context, pkdcrep->enc_part2->server,
- &(*ppcreds)->server)))
+ &(*ppcreds)->server)))
goto cleanup;
- if ((retval = krb5_copy_keyblock_contents(context,
- pkdcrep->enc_part2->session,
- &(*ppcreds)->keyblock)))
+ if ((retval = krb5_copy_keyblock_contents(context,
+ pkdcrep->enc_part2->session,
+ &(*ppcreds)->keyblock)))
goto cleanup;
if ((retval = krb5_copy_data(context, psectkt, &pdata)))
- goto cleanup_keyblock;
+ goto cleanup_keyblock;
(*ppcreds)->second_ticket = *pdata;
free(pdata);
@@ -63,22 +64,22 @@ krb5_kdcrep2creds(krb5_context context, krb5_kdc_rep *pkdcrep, krb5_address *con
(*ppcreds)->times = pkdcrep->enc_part2->times;
(*ppcreds)->magic = KV5M_CREDS;
- (*ppcreds)->authdata = NULL; /* not used */
+ (*ppcreds)->authdata = NULL; /* not used */
(*ppcreds)->is_skey = psectkt->length != 0;
if (pkdcrep->enc_part2->caddrs) {
- if ((retval = krb5_copy_addresses(context, pkdcrep->enc_part2->caddrs,
- &(*ppcreds)->addresses)))
- goto cleanup_keyblock;
+ if ((retval = krb5_copy_addresses(context, pkdcrep->enc_part2->caddrs,
+ &(*ppcreds)->addresses)))
+ goto cleanup_keyblock;
} else {
- /* no addresses in the list means we got what we had */
- if ((retval = krb5_copy_addresses(context, address,
- &(*ppcreds)->addresses)))
- goto cleanup_keyblock;
+ /* no addresses in the list means we got what we had */
+ if ((retval = krb5_copy_addresses(context, address,
+ &(*ppcreds)->addresses)))
+ goto cleanup_keyblock;
}
if ((retval = encode_krb5_ticket(pkdcrep->ticket, &pdata)))
- goto cleanup_keyblock;
+ goto cleanup_keyblock;
(*ppcreds)->ticket = *pdata;
free(pdata);
@@ -92,43 +93,43 @@ cleanup:
*ppcreds = NULL;
return retval;
}
-
+
static krb5_error_code
check_reply_server(krb5_context context, krb5_flags kdcoptions,
- krb5_creds *in_cred, krb5_kdc_rep *dec_rep)
+ krb5_creds *in_cred, krb5_kdc_rep *dec_rep)
{
if (!krb5_principal_compare(context, dec_rep->ticket->server,
- dec_rep->enc_part2->server))
- return KRB5_KDCREP_MODIFIED;
+ dec_rep->enc_part2->server))
+ return KRB5_KDCREP_MODIFIED;
/* Reply is self-consistent. */
if (krb5_principal_compare(context, dec_rep->ticket->server,
- in_cred->server))
- return 0;
+ in_cred->server))
+ return 0;
/* Server in reply differs from what we requested. */
if (kdcoptions & KDC_OPT_CANONICALIZE) {
- /* in_cred server differs from ticket returned, but ticket
- returned is consistent and we requested canonicalization. */
+ /* in_cred server differs from ticket returned, but ticket
+ returned is consistent and we requested canonicalization. */
#if 0
#ifdef DEBUG_REFERRALS
- printf("gc_via_tkt: in_cred and encoding don't match but referrals requested\n");
- krb5int_dbgref_dump_principal("gc_via_tkt: in_cred",in_cred->server);
- krb5int_dbgref_dump_principal("gc_via_tkt: encoded server",dec_rep->enc_part2->server);
+ printf("gc_via_tkt: in_cred and encoding don't match but referrals requested\n");
+ krb5int_dbgref_dump_principal("gc_via_tkt: in_cred",in_cred->server);
+ krb5int_dbgref_dump_principal("gc_via_tkt: encoded server",dec_rep->enc_part2->server);
#endif
#endif
- return 0;
+ return 0;
}
/* We didn't request canonicalization. */
if (!IS_TGS_PRINC(context, in_cred->server) ||
- !IS_TGS_PRINC(context, dec_rep->ticket->server)) {
- /* Canonicalization not requested, and not a TGS referral. */
- return KRB5_KDCREP_MODIFIED;
+ !IS_TGS_PRINC(context, dec_rep->ticket->server)) {
+ /* Canonicalization not requested, and not a TGS referral. */
+ return KRB5_KDCREP_MODIFIED;
}
#if 0
/*
@@ -136,288 +137,288 @@ check_reply_server(krb5_context context, krb5_flags kdcoptions,
* effectively checks this.
*/
if (krb5_realm_compare(context, in_cred->client, in_cred->server) &&
- data_eq(*in_cred->server->data[1], *in_cred->client->realm) {
- /* Attempted to rewrite local TGS. */
- return KRB5_KDCREP_MODIFIED;
- }
+ data_eq(*in_cred->server->data[1], *in_cred->client->realm) {
+ /* Attempted to rewrite local TGS. */
+ return KRB5_KDCREP_MODIFIED;
+ }
#endif
- return 0;
-}
+ return 0;
+ }
/* Return true if a TGS credential is for the client's local realm. */
-static inline int
-tgt_is_local_realm(krb5_creds *tgt)
-{
- return (tgt->server->length == 2
- && data_eq_string(tgt->server->data[0], KRB5_TGS_NAME)
- && data_eq(tgt->server->data[1], tgt->client->realm)
- && data_eq(tgt->server->realm, tgt->client->realm));
-}
+ static inline int
+ tgt_is_local_realm(krb5_creds *tgt)
+ {
+ return (tgt->server->length == 2
+ && data_eq_string(tgt->server->data[0], KRB5_TGS_NAME)
+ && data_eq(tgt->server->data[1], tgt->client->realm)
+ && data_eq(tgt->server->realm, tgt->client->realm));
+ }
-krb5_error_code
-krb5_get_cred_via_tkt (krb5_context context, krb5_creds *tkt,
- krb5_flags kdcoptions, krb5_address *const *address,
- krb5_creds *in_cred, krb5_creds **out_cred)
-{
- return krb5_get_cred_via_tkt_ext (context, tkt,
- kdcoptions, address,
- NULL, in_cred, NULL, NULL,
- NULL, NULL, out_cred, NULL);
-}
+ krb5_error_code
+ krb5_get_cred_via_tkt (krb5_context context, krb5_creds *tkt,
+ krb5_flags kdcoptions, krb5_address *const *address,
+ krb5_creds *in_cred, krb5_creds **out_cred)
+ {
+ return krb5_get_cred_via_tkt_ext (context, tkt,
+ kdcoptions, address,
+ NULL, in_cred, NULL, NULL,
+ NULL, NULL, out_cred, NULL);
+ }
-krb5_error_code
-krb5_get_cred_via_tkt_ext (krb5_context context, krb5_creds *tkt,
- krb5_flags kdcoptions, krb5_address *const *address,
- krb5_pa_data **in_padata,
- krb5_creds *in_cred,
- krb5_error_code (*pacb_fct)(krb5_context,
- krb5_keyblock *,
- krb5_kdc_req *,
- void *),
- void *pacb_data,
- krb5_pa_data ***out_padata,
- krb5_pa_data ***out_enc_padata,
- krb5_creds **out_cred,
- krb5_keyblock **out_subkey)
-{
- krb5_error_code retval;
- krb5_kdc_rep *dec_rep;
- krb5_error *err_reply;
- krb5_response tgsrep;
- krb5_enctype *enctypes = 0;
- krb5_keyblock *subkey = NULL;
- krb5_boolean s4u2self = FALSE, second_tkt;
+ krb5_error_code
+ krb5_get_cred_via_tkt_ext (krb5_context context, krb5_creds *tkt,
+ krb5_flags kdcoptions, krb5_address *const *address,
+ krb5_pa_data **in_padata,
+ krb5_creds *in_cred,
+ krb5_error_code (*pacb_fct)(krb5_context,
+ krb5_keyblock *,
+ krb5_kdc_req *,
+ void *),
+ void *pacb_data,
+ krb5_pa_data ***out_padata,
+ krb5_pa_data ***out_enc_padata,
+ krb5_creds **out_cred,
+ krb5_keyblock **out_subkey)
+ {
+ krb5_error_code retval;
+ krb5_kdc_rep *dec_rep;
+ krb5_error *err_reply;
+ krb5_response tgsrep;
+ krb5_enctype *enctypes = 0;
+ krb5_keyblock *subkey = NULL;
+ krb5_boolean s4u2self = FALSE, second_tkt;
#ifdef DEBUG_REFERRALS
- printf("krb5_get_cred_via_tkt starting; referral flag is %s\n", kdcoptions&KDC_OPT_CANONICALIZE?"on":"off");
- krb5int_dbgref_dump_principal("krb5_get_cred_via_tkt requested ticket", in_cred->server);
- krb5int_dbgref_dump_principal("krb5_get_cred_via_tkt TGT in use", tkt->server);
+ printf("krb5_get_cred_via_tkt starting; referral flag is %s\n", kdcoptions&KDC_OPT_CANONICALIZE?"on":"off");
+ krb5int_dbgref_dump_principal("krb5_get_cred_via_tkt requested ticket", in_cred->server);
+ krb5int_dbgref_dump_principal("krb5_get_cred_via_tkt TGT in use", tkt->server);
#endif
- /* tkt->client must be equal to in_cred->client */
- if (!krb5_principal_compare(context, tkt->client, in_cred->client))
- return KRB5_PRINC_NOMATCH;
+ /* tkt->client must be equal to in_cred->client */
+ if (!krb5_principal_compare(context, tkt->client, in_cred->client))
+ return KRB5_PRINC_NOMATCH;
- if (!tkt->ticket.length)
- return KRB5_NO_TKT_SUPPLIED;
+ if (!tkt->ticket.length)
+ return KRB5_NO_TKT_SUPPLIED;
- second_tkt = ((kdcoptions & (KDC_OPT_ENC_TKT_IN_SKEY | KDC_OPT_CNAME_IN_ADDL_TKT)) != 0);
+ second_tkt = ((kdcoptions & (KDC_OPT_ENC_TKT_IN_SKEY | KDC_OPT_CNAME_IN_ADDL_TKT)) != 0);
- if (second_tkt && !in_cred->second_ticket.length)
- return(KRB5_NO_2ND_TKT);
+ if (second_tkt && !in_cred->second_ticket.length)
+ return(KRB5_NO_2ND_TKT);
- s4u2self = krb5int_find_pa_data(context, in_padata, KRB5_PADATA_S4U_X509_USER) ||
- krb5int_find_pa_data(context, in_padata, KRB5_PADATA_FOR_USER);
+ s4u2self = krb5int_find_pa_data(context, in_padata, KRB5_PADATA_S4U_X509_USER) ||
+ krb5int_find_pa_data(context, in_padata, KRB5_PADATA_FOR_USER);
- /* check if we have the right TGT */
- /* tkt->server must be equal to */
- /* krbtgt/realmof(cred->server)@realmof(tgt->server) */
+ /* check if we have the right TGT */
+ /* tkt->server must be equal to */
+ /* krbtgt/realmof(cred->server)@realmof(tgt->server) */
/*
- {
- krb5_principal tempprinc;
- if (retval = krb5_tgtname(context,
- krb5_princ_realm(context, in_cred->server),
- krb5_princ_realm(context, tkt->server), &tempprinc))
- return(retval);
-
- if (!krb5_principal_compare(context, tempprinc, tkt->server)) {
- krb5_free_principal(context, tempprinc);
- return (KRB5_PRINC_NOMATCH);
- }
- krb5_free_principal(context, tempprinc);
- }
+ {
+ krb5_principal tempprinc;
+ if (retval = krb5_tgtname(context,
+ krb5_princ_realm(context, in_cred->server),
+ krb5_princ_realm(context, tkt->server), &tempprinc))
+ return(retval);
+
+ if (!krb5_principal_compare(context, tempprinc, tkt->server)) {
+ krb5_free_principal(context, tempprinc);
+ return (KRB5_PRINC_NOMATCH);
+ }
+ krb5_free_principal(context, tempprinc);
+ }
*/
- if (in_cred->keyblock.enctype) {
- enctypes = (krb5_enctype *) malloc(sizeof(krb5_enctype)*2);
- if (!enctypes)
- return ENOMEM;
- enctypes[0] = in_cred->keyblock.enctype;
- enctypes[1] = 0;
- }
+ if (in_cred->keyblock.enctype) {
+ enctypes = (krb5_enctype *) malloc(sizeof(krb5_enctype)*2);
+ if (!enctypes)
+ return ENOMEM;
+ enctypes[0] = in_cred->keyblock.enctype;
+ enctypes[1] = 0;
+ }
- retval = krb5int_send_tgs(context, kdcoptions, &in_cred->times, enctypes,
- in_cred->server, address, in_cred->authdata,
- in_padata,
- second_tkt ? &in_cred->second_ticket : NULL,
- tkt, pacb_fct, pacb_data, &tgsrep, &subkey);
- if (enctypes)
- free(enctypes);
- if (retval) {
+ retval = krb5int_send_tgs(context, kdcoptions, &in_cred->times, enctypes,
+ in_cred->server, address, in_cred->authdata,
+ in_padata,
+ second_tkt ? &in_cred->second_ticket : NULL,
+ tkt, pacb_fct, pacb_data, &tgsrep, &subkey);
+ if (enctypes)
+ free(enctypes);
+ if (retval) {
#ifdef DEBUG_REFERRALS
- printf("krb5_get_cred_via_tkt ending early after send_tgs with: %s\n",
- error_message(retval));
+ printf("krb5_get_cred_via_tkt ending early after send_tgs with: %s\n",
+ error_message(retval));
#endif
- return retval;
- }
+ return retval;
+ }
- switch (tgsrep.message_type) {
- case KRB5_TGS_REP:
- break;
- case KRB5_ERROR:
- default:
- if (krb5_is_krb_error(&tgsrep.response))
- retval = decode_krb5_error(&tgsrep.response, &err_reply);
- else
- retval = KRB5KRB_AP_ERR_MSG_TYPE;
-
- if (retval) /* neither proper reply nor error! */
- goto error_4;
-
- retval = (krb5_error_code) err_reply->error + ERROR_TABLE_BASE_krb5;
- if (err_reply->text.length > 0) {
+ switch (tgsrep.message_type) {
+ case KRB5_TGS_REP:
+ break;
+ case KRB5_ERROR:
+ default:
+ if (krb5_is_krb_error(&tgsrep.response))
+ retval = decode_krb5_error(&tgsrep.response, &err_reply);
+ else
+ retval = KRB5KRB_AP_ERR_MSG_TYPE;
+
+ if (retval) /* neither proper reply nor error! */
+ goto error_4;
+
+ retval = (krb5_error_code) err_reply->error + ERROR_TABLE_BASE_krb5;
+ if (err_reply->text.length > 0) {
#if 0
- const char *m;
+ const char *m;
#endif
- switch (err_reply->error) {
- case KRB_ERR_GENERIC:
- krb5_set_error_message(context, retval,
- "KDC returned error string: %.*s",
- err_reply->text.length,
- err_reply->text.data);
- break;
- case KDC_ERR_S_PRINCIPAL_UNKNOWN:
- {
- char *s_name;
- if (krb5_unparse_name(context, in_cred->server, &s_name) == 0) {
- krb5_set_error_message(context, retval,
- "Server %s not found in Kerberos database",
- s_name);
- krb5_free_unparsed_name(context, s_name);
- } else
- /* In case there's a stale S_PRINCIPAL_UNKNOWN
- report already noted. */
- krb5_clear_error_message(context);
- }
- break;
- default:
+ switch (err_reply->error) {
+ case KRB_ERR_GENERIC:
+ krb5_set_error_message(context, retval,
+ "KDC returned error string: %.*s",
+ err_reply->text.length,
+ err_reply->text.data);
+ break;
+ case KDC_ERR_S_PRINCIPAL_UNKNOWN:
+ {
+ char *s_name;
+ if (krb5_unparse_name(context, in_cred->server, &s_name) == 0) {
+ krb5_set_error_message(context, retval,
+ "Server %s not found in Kerberos database",
+ s_name);
+ krb5_free_unparsed_name(context, s_name);
+ } else
+ /* In case there's a stale S_PRINCIPAL_UNKNOWN
+ report already noted. */
+ krb5_clear_error_message(context);
+ }
+ break;
+ default:
#if 0 /* We should stop the KDC from sending back this text, because
- if the local language doesn't match the KDC's language, we'd
- just wind up printing out the error message in two languages.
- Well, when we get some localization. Which is already
- happening in KfM. */
- m = error_message(retval);
- /* Special case: MIT KDC may return this same string
- in the e-text field. */
- if (strlen (m) == err_reply->text.length-1
- && !strcmp(m, err_reply->text.data))
- break;
- krb5_set_error_message(context, retval,
- "%s (KDC supplied additional data: %s)",
- m, err_reply->text.data);
+ if the local language doesn't match the KDC's language, we'd
+ just wind up printing out the error message in two languages.
+ Well, when we get some localization. Which is already
+ happening in KfM. */
+ m = error_message(retval);
+ /* Special case: MIT KDC may return this same string
+ in the e-text field. */
+ if (strlen (m) == err_reply->text.length-1
+ && !strcmp(m, err_reply->text.data))
+ break;
+ krb5_set_error_message(context, retval,
+ "%s (KDC supplied additional data: %s)",
+ m, err_reply->text.data);
#endif
- break;
- }
- }
+ break;
+ }
+ }
- krb5_free_error(context, err_reply);
- goto error_4;
- }
+ krb5_free_error(context, err_reply);
+ goto error_4;
+ }
- /* Unfortunately, Heimdal at least up through 1.2 encrypts using
- the session key not the subsession key. So we try both. */
- if ((retval = krb5int_decode_tgs_rep(context, &tgsrep.response,
- subkey,
- KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY, &dec_rep))) {
- if ((krb5int_decode_tgs_rep(context, &tgsrep.response,
- &tkt->keyblock,
- KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY, &dec_rep)) == 0)
- retval = 0;
- else goto error_4;
- }
+ /* Unfortunately, Heimdal at least up through 1.2 encrypts using
+ the session key not the subsession key. So we try both. */
+ if ((retval = krb5int_decode_tgs_rep(context, &tgsrep.response,
+ subkey,
+ KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY, &dec_rep))) {
+ if ((krb5int_decode_tgs_rep(context, &tgsrep.response,
+ &tkt->keyblock,
+ KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY, &dec_rep)) == 0)
+ retval = 0;
+ else goto error_4;
+ }
- if (dec_rep->msg_type != KRB5_TGS_REP) {
- retval = KRB5KRB_AP_ERR_MSG_TYPE;
- goto error_3;
- }
-
- /*
- * Don't trust the ok-as-delegate flag from foreign KDCs unless the
- * cross-realm TGT also had the ok-as-delegate flag set.
- */
- if (!tgt_is_local_realm(tkt)
- && !(tkt->ticket_flags & TKT_FLG_OK_AS_DELEGATE))
- dec_rep->enc_part2->flags &= ~TKT_FLG_OK_AS_DELEGATE;
-
- /* make sure the response hasn't been tampered with..... */
- retval = 0;
-
- if (s4u2self && !IS_TGS_PRINC(context, dec_rep->ticket->server)) {
- /* Final hop, check whether KDC supports S4U2Self */
- if (krb5_principal_compare(context, dec_rep->client, in_cred->server))
- retval = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
- } else if ((kdcoptions & KDC_OPT_CNAME_IN_ADDL_TKT) == 0) {
- /* XXX for constrained delegation this check must be performed by caller
- * as we don't have access to the key to decrypt the evidence ticket.
- */
- if (!krb5_principal_compare(context, dec_rep->client, tkt->client))
- retval = KRB5_KDCREP_MODIFIED;
- }
+ if (dec_rep->msg_type != KRB5_TGS_REP) {
+ retval = KRB5KRB_AP_ERR_MSG_TYPE;
+ goto error_3;
+ }
- if (retval == 0)
- retval = check_reply_server(context, kdcoptions, in_cred, dec_rep);
+ /*
+ * Don't trust the ok-as-delegate flag from foreign KDCs unless the
+ * cross-realm TGT also had the ok-as-delegate flag set.
+ */
+ if (!tgt_is_local_realm(tkt)
+ && !(tkt->ticket_flags & TKT_FLG_OK_AS_DELEGATE))
+ dec_rep->enc_part2->flags &= ~TKT_FLG_OK_AS_DELEGATE;
+
+ /* make sure the response hasn't been tampered with..... */
+ retval = 0;
+
+ if (s4u2self && !IS_TGS_PRINC(context, dec_rep->ticket->server)) {
+ /* Final hop, check whether KDC supports S4U2Self */
+ if (krb5_principal_compare(context, dec_rep->client, in_cred->server))
+ retval = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
+ } else if ((kdcoptions & KDC_OPT_CNAME_IN_ADDL_TKT) == 0) {
+ /* XXX for constrained delegation this check must be performed by caller
+ * as we don't have access to the key to decrypt the evidence ticket.
+ */
+ if (!krb5_principal_compare(context, dec_rep->client, tkt->client))
+ retval = KRB5_KDCREP_MODIFIED;
+ }
- if (dec_rep->enc_part2->nonce != tgsrep.expected_nonce)
- retval = KRB5_KDCREP_MODIFIED;
+ if (retval == 0)
+ retval = check_reply_server(context, kdcoptions, in_cred, dec_rep);
- if ((kdcoptions & KDC_OPT_POSTDATED) &&
- (in_cred->times.starttime != 0) &&
- (in_cred->times.starttime != dec_rep->enc_part2->times.starttime))
- retval = KRB5_KDCREP_MODIFIED;
+ if (dec_rep->enc_part2->nonce != tgsrep.expected_nonce)
+ retval = KRB5_KDCREP_MODIFIED;
- if ((in_cred->times.endtime != 0) &&
- (dec_rep->enc_part2->times.endtime > in_cred->times.endtime))
- retval = KRB5_KDCREP_MODIFIED;
+ if ((kdcoptions & KDC_OPT_POSTDATED) &&
+ (in_cred->times.starttime != 0) &&
+ (in_cred->times.starttime != dec_rep->enc_part2->times.starttime))
+ retval = KRB5_KDCREP_MODIFIED;
- if ((kdcoptions & KDC_OPT_RENEWABLE) &&
- (in_cred->times.renew_till != 0) &&
- (dec_rep->enc_part2->times.renew_till > in_cred->times.renew_till))
- retval = KRB5_KDCREP_MODIFIED;
+ if ((in_cred->times.endtime != 0) &&
+ (dec_rep->enc_part2->times.endtime > in_cred->times.endtime))
+ retval = KRB5_KDCREP_MODIFIED;
- if ((kdcoptions & KDC_OPT_RENEWABLE_OK) &&
- (dec_rep->enc_part2->flags & KDC_OPT_RENEWABLE) &&
- (in_cred->times.endtime != 0) &&
- (dec_rep->enc_part2->times.renew_till > in_cred->times.endtime))
- retval = KRB5_KDCREP_MODIFIED;
+ if ((kdcoptions & KDC_OPT_RENEWABLE) &&
+ (in_cred->times.renew_till != 0) &&
+ (dec_rep->enc_part2->times.renew_till > in_cred->times.renew_till))
+ retval = KRB5_KDCREP_MODIFIED;
- if (retval != 0)
- goto error_3;
+ if ((kdcoptions & KDC_OPT_RENEWABLE_OK) &&
+ (dec_rep->enc_part2->flags & KDC_OPT_RENEWABLE) &&
+ (in_cred->times.endtime != 0) &&
+ (dec_rep->enc_part2->times.renew_till > in_cred->times.endtime))
+ retval = KRB5_KDCREP_MODIFIED;
- if (!in_cred->times.starttime &&
- !in_clock_skew(dec_rep->enc_part2->times.starttime,
- tgsrep.request_time)) {
- retval = KRB5_KDCREP_SKEW;
- goto error_3;
- }
+ if (retval != 0)
+ goto error_3;
- if (out_padata != NULL) {
- *out_padata = dec_rep->padata;
- dec_rep->padata = NULL;
- }
- if (out_enc_padata != NULL) {
- *out_enc_padata = dec_rep->enc_part2->enc_padata;
- dec_rep->enc_part2->enc_padata = NULL;
- }
-
- retval = krb5_kdcrep2creds(context, dec_rep, address,
- &in_cred->second_ticket, out_cred);
-
-error_3:;
- if (subkey != NULL) {
- if (retval == 0 && out_subkey != NULL)
- *out_subkey = subkey;
- else
- krb5_free_keyblock(context, subkey);
- }
-
- memset(dec_rep->enc_part2->session->contents, 0,
- dec_rep->enc_part2->session->length);
- krb5_free_kdc_rep(context, dec_rep);
+ if (!in_cred->times.starttime &&
+ !in_clock_skew(dec_rep->enc_part2->times.starttime,
+ tgsrep.request_time)) {
+ retval = KRB5_KDCREP_SKEW;
+ goto error_3;
+ }
+
+ if (out_padata != NULL) {
+ *out_padata = dec_rep->padata;
+ dec_rep->padata = NULL;
+ }
+ if (out_enc_padata != NULL) {
+ *out_enc_padata = dec_rep->enc_part2->enc_padata;
+ dec_rep->enc_part2->enc_padata = NULL;
+ }
+
+ retval = krb5_kdcrep2creds(context, dec_rep, address,
+ &in_cred->second_ticket, out_cred);
-error_4:;
- free(tgsrep.response.data);
+ error_3:;
+ if (subkey != NULL) {
+ if (retval == 0 && out_subkey != NULL)
+ *out_subkey = subkey;
+ else
+ krb5_free_keyblock(context, subkey);
+ }
+
+ memset(dec_rep->enc_part2->session->contents, 0,
+ dec_rep->enc_part2->session->length);
+ krb5_free_kdc_rep(context, dec_rep);
+
+ error_4:;
+ free(tgsrep.response.data);
#ifdef DEBUG_REFERRALS
- printf("krb5_get_cred_via_tkt ending; %s\n", retval?error_message(retval):"no error");
+ printf("krb5_get_cred_via_tkt ending; %s\n", retval?error_message(retval):"no error");
#endif
- return retval;
-}
+ return retval;
+ }
diff --git a/src/lib/krb5/krb/gen_seqnum.c b/src/lib/krb5/krb/gen_seqnum.c
index 06564ee4a1..8703457be1 100644
--- a/src/lib/krb5/krb/gen_seqnum.c
+++ b/src/lib/krb5/krb/gen_seqnum.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/gen_seqnum.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* Routine to automatically generate a starting sequence number.
* We do this by getting a random key and encrypting something with it,
@@ -53,13 +54,13 @@ krb5_generate_seq_number(krb5_context context, const krb5_keyblock *key, krb5_ui
seed = key2data(*key);
if ((retval = krb5_c_random_add_entropy(context, KRB5_C_RANDSOURCE_TRUSTEDPARTY, &seed)))
- return(retval);
+ return(retval);
seed.length = sizeof(*seqno);
seed.data = (char *) seqno;
retval = krb5_c_random_make_octets(context, &seed);
if (retval)
- return retval;
+ return retval;
/*
* Work around implementation incompatibilities by not generating
* initial sequence numbers greater than 2^30. Previous MIT
@@ -71,6 +72,6 @@ krb5_generate_seq_number(krb5_context context, const krb5_keyblock *key, krb5_ui
*/
*seqno &= 0x3fffffff;
if (*seqno == 0)
- *seqno = 1;
+ *seqno = 1;
return 0;
}
diff --git a/src/lib/krb5/krb/gen_subkey.c b/src/lib/krb5/krb/gen_subkey.c
index 501428b1de..7739f04ef4 100644
--- a/src/lib/krb5/krb/gen_subkey.c
+++ b/src/lib/krb5/krb/gen_subkey.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/gen_subkey.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* Routine to automatically generate a subsession key based on an input key.
*/
@@ -41,9 +42,9 @@ key2data (krb5_keyblock k)
krb5_error_code
krb5_generate_subkey_extended(krb5_context context,
- const krb5_keyblock *key,
- krb5_enctype enctype,
- krb5_keyblock **subkey)
+ const krb5_keyblock *key,
+ krb5_enctype enctype,
+ krb5_keyblock **subkey)
{
krb5_error_code retval;
krb5_data seed;
@@ -53,18 +54,18 @@ krb5_generate_subkey_extended(krb5_context context,
seed = key2data(*key);
retval = krb5_c_random_add_entropy(context, KRB5_C_RANDSOURCE_TRUSTEDPARTY,
- &seed);
+ &seed);
if (retval)
- return retval;
+ return retval;
keyblock = malloc(sizeof(krb5_keyblock));
if (!keyblock)
- return ENOMEM;
+ return ENOMEM;
retval = krb5_c_make_random_key(context, enctype, keyblock);
if (retval) {
- free(*subkey);
- return retval;
+ free(*subkey);
+ return retval;
}
*subkey = keyblock;
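Review bot: The failure branch after `krb5_c_make_random_key` frees `*subkey` instead of the `keyblock` that was just allocated. The new allocation therefore leaks, and `free` is applied to whatever the caller left in its output pointer, which may be uninitialised. The branch should read `free(keyblock);` before `return retval;`. Since this routine produces key material, it is also worth confirming that every failure path leaves `*subkey` untouched. The body of krb5_generate_subkey_extended starts and ends outside this hunk.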
diff --git a/src/lib/krb5/krb/get_creds.c b/src/lib/krb5/krb/get_creds.c
index 88148d772f..491f864520 100644
--- a/src/lib/krb5/krb/get_creds.c
+++ b/src/lib/krb5/krb/get_creds.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/get_creds.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_get_credentials()
*/
@@ -30,18 +31,18 @@
/*
- Attempts to use the credentials cache or TGS exchange to get an additional
- ticket for the
- client identified by in_creds->client, the server identified by
- in_creds->server, with options options, expiration date specified in
- in_creds->times.endtime (0 means as long as possible), session key type
- specified in in_creds->keyblock.enctype (if non-zero)
+ Attempts to use the credentials cache or TGS exchange to get an additional
+ ticket for the
+ client identified by in_creds->client, the server identified by
+ in_creds->server, with options options, expiration date specified in
+ in_creds->times.endtime (0 means as long as possible), session key type
+ specified in in_creds->keyblock.enctype (if non-zero)
- Any returned ticket and intermediate ticket-granting tickets are
- stored in ccache.
+ Any returned ticket and intermediate ticket-granting tickets are
+ stored in ccache.
- returns errors from encryption routines, system errors
- */
+ returns errors from encryption routines, system errors
+*/
#include "k5-int.h"
#include "int-proto.h"
@@ -54,8 +55,8 @@
*/
krb5_error_code
krb5int_construct_matching_creds(krb5_context context, krb5_flags options,
- krb5_creds *in_creds, krb5_creds *mcreds,
- krb5_flags *fields)
+ krb5_creds *in_creds, krb5_creds *mcreds,
+ krb5_flags *fields)
{
if (!in_creds || !in_creds->server || !in_creds->client)
return EINVAL;
@@ -63,47 +64,47 @@ krb5int_construct_matching_creds(krb5_context context, krb5_flags options,
memset(mcreds, 0, sizeof(krb5_creds));
mcreds->magic = KV5M_CREDS;
if (in_creds->times.endtime != 0) {
- mcreds->times.endtime = in_creds->times.endtime;
+ mcreds->times.endtime = in_creds->times.endtime;
} else {
- krb5_error_code retval;
- retval = krb5_timeofday(context, &mcreds->times.endtime);
- if (retval != 0) return retval;
+ krb5_error_code retval;
+ retval = krb5_timeofday(context, &mcreds->times.endtime);
+ if (retval != 0) return retval;
}
mcreds->keyblock = in_creds->keyblock;
mcreds->authdata = in_creds->authdata;
mcreds->server = in_creds->server;
mcreds->client = in_creds->client;
-
+
*fields = KRB5_TC_MATCH_TIMES /*XXX |KRB5_TC_MATCH_SKEY_TYPE */
- | KRB5_TC_MATCH_AUTHDATA
- | KRB5_TC_SUPPORTED_KTYPES;
+ | KRB5_TC_MATCH_AUTHDATA
+ | KRB5_TC_SUPPORTED_KTYPES;
if (mcreds->keyblock.enctype) {
- krb5_enctype *ktypes;
- krb5_error_code ret;
- int i;
-
- *fields |= KRB5_TC_MATCH_KTYPE;
- ret = krb5_get_tgs_ktypes(context, mcreds->server, &ktypes);
- for (i = 0; ktypes[i]; i++)
- if (ktypes[i] == mcreds->keyblock.enctype)
- break;
- if (ktypes[i] == 0)
- ret = KRB5_CC_NOT_KTYPE;
- free (ktypes);
- if (ret)
- return ret;
+ krb5_enctype *ktypes;
+ krb5_error_code ret;
+ int i;
+
+ *fields |= KRB5_TC_MATCH_KTYPE;
+ ret = krb5_get_tgs_ktypes(context, mcreds->server, &ktypes);
+ for (i = 0; ktypes[i]; i++)
+ if (ktypes[i] == mcreds->keyblock.enctype)
+ break;
+ if (ktypes[i] == 0)
+ ret = KRB5_CC_NOT_KTYPE;
+ free (ktypes);
+ if (ret)
+ return ret;
}
if (options & (KRB5_GC_USER_USER | KRB5_GC_CONSTRAINED_DELEGATION)) {
- /* also match on identical 2nd tkt and tkt encrypted in a
- session key */
- *fields |= KRB5_TC_MATCH_2ND_TKT;
- if (options & KRB5_GC_USER_USER) {
- *fields |= KRB5_TC_MATCH_IS_SKEY;
- mcreds->is_skey = TRUE;
- }
- mcreds->second_ticket = in_creds->second_ticket;
- if (!in_creds->second_ticket.length)
- return KRB5_NO_2ND_TKT;
+ /* also match on identical 2nd tkt and tkt encrypted in a
+ session key */
+ *fields |= KRB5_TC_MATCH_2ND_TKT;
+ if (options & KRB5_GC_USER_USER) {
+ *fields |= KRB5_TC_MATCH_IS_SKEY;
+ mcreds->is_skey = TRUE;
+ }
+ mcreds->second_ticket = in_creds->second_ticket;
+ if (!in_creds->second_ticket.length)
+ return KRB5_NO_2ND_TKT;
}
return 0;
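Review bot: In the `if (mcreds->keyblock.enctype)` block the result of `krb5_get_tgs_ktypes` is stored in `ret`, but the loop walks `ktypes` before `ret` is examined. If the call fails and leaves `ktypes` unset (not visible here, so worth confirming), the loop reads and then frees an indeterminate pointer. Adding `if (ret) return ret;` directly after the call avoids that. krb5int_construct_matching_creds starts and ends outside this hunk.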
@@ -111,8 +112,8 @@ krb5int_construct_matching_creds(krb5_context context, krb5_flags options,
krb5_error_code KRB5_CALLCONV
krb5_get_credentials(krb5_context context, krb5_flags options,
- krb5_ccache ccache, krb5_creds *in_creds,
- krb5_creds **out_creds)
+ krb5_ccache ccache, krb5_creds *in_creds,
+ krb5_creds **out_creds)
{
krb5_error_code retval;
krb5_creds mcreds, *ncreds, **tgts, **tgts_iter;
@@ -128,53 +129,53 @@ krb5_get_credentials(krb5_context context, krb5_flags options,
* second_ticket, which we can't do.
*/
if ((options & KRB5_GC_CONSTRAINED_DELEGATION) == 0) {
- retval = krb5int_construct_matching_creds(context, options, in_creds,
- &mcreds, &fields);
-
- if (retval)
- return retval;
-
- ncreds = malloc(sizeof(krb5_creds));
- if (!ncreds)
- return ENOMEM;
-
- memset(ncreds, 0, sizeof(krb5_creds));
- ncreds->magic = KV5M_CREDS;
-
- retval = krb5_cc_retrieve_cred(context, ccache, fields, &mcreds,
- ncreds);
- if (retval == 0) {
- *out_creds = ncreds;
- return 0;
- }
- free(ncreds);
- ncreds = NULL;
- if ((retval != KRB5_CC_NOTFOUND && retval != KRB5_CC_NOT_KTYPE)
- || options & KRB5_GC_CACHED)
- return retval;
- not_ktype = (retval == KRB5_CC_NOT_KTYPE);
+ retval = krb5int_construct_matching_creds(context, options, in_creds,
+ &mcreds, &fields);
+
+ if (retval)
+ return retval;
+
+ ncreds = malloc(sizeof(krb5_creds));
+ if (!ncreds)
+ return ENOMEM;
+
+ memset(ncreds, 0, sizeof(krb5_creds));
+ ncreds->magic = KV5M_CREDS;
+
+ retval = krb5_cc_retrieve_cred(context, ccache, fields, &mcreds,
+ ncreds);
+ if (retval == 0) {
+ *out_creds = ncreds;
+ return 0;
+ }
+ free(ncreds);
+ ncreds = NULL;
+ if ((retval != KRB5_CC_NOTFOUND && retval != KRB5_CC_NOT_KTYPE)
+ || options & KRB5_GC_CACHED)
+ return retval;
+ not_ktype = (retval == KRB5_CC_NOT_KTYPE);
} else if (options & KRB5_GC_CACHED)
- return KRB5_CC_NOTFOUND;
+ return KRB5_CC_NOTFOUND;
if (options & KRB5_GC_CANONICALIZE)
- kdcopt |= KDC_OPT_CANONICALIZE;
+ kdcopt |= KDC_OPT_CANONICALIZE;
if (options & KRB5_GC_FORWARDABLE)
- kdcopt |= KDC_OPT_FORWARDABLE;
+ kdcopt |= KDC_OPT_FORWARDABLE;
if (options & KRB5_GC_NO_TRANSIT_CHECK)
- kdcopt |= KDC_OPT_DISABLE_TRANSITED_CHECK;
+ kdcopt |= KDC_OPT_DISABLE_TRANSITED_CHECK;
if (options & KRB5_GC_CONSTRAINED_DELEGATION) {
- if (options & KRB5_GC_USER_USER)
- return EINVAL;
- kdcopt |= KDC_OPT_FORWARDABLE | KDC_OPT_CNAME_IN_ADDL_TKT;
+ if (options & KRB5_GC_USER_USER)
+ return EINVAL;
+ kdcopt |= KDC_OPT_FORWARDABLE | KDC_OPT_CNAME_IN_ADDL_TKT;
}
retval = krb5_get_cred_from_kdc_opt(context, ccache, in_creds,
- &ncreds, &tgts, kdcopt);
+ &ncreds, &tgts, kdcopt);
if (tgts) {
- /* Attempt to cache intermediate ticket-granting tickets. */
- for (tgts_iter = tgts; *tgts_iter; tgts_iter++)
- (void) krb5_cc_store_cred(context, ccache, *tgts_iter);
- krb5_free_tgt_creds(context, tgts);
+ /* Attempt to cache intermediate ticket-granting tickets. */
+ for (tgts_iter = tgts; *tgts_iter; tgts_iter++)
+ (void) krb5_cc_store_cred(context, ccache, *tgts_iter);
+ krb5_free_tgt_creds(context, tgts);
}
/*
@@ -189,21 +190,21 @@ krb5_get_credentials(krb5_context context, krb5_flags options,
* enctype rather than the missing TGT.
*/
if ((retval == KRB5_CC_NOTFOUND || retval == KRB5_CC_NOT_KTYPE)
- && not_ktype)
- return KRB5_CC_NOT_KTYPE;
+ && not_ktype)
+ return KRB5_CC_NOT_KTYPE;
else if (retval)
- return retval;
+ return retval;
if ((options & KRB5_GC_CONSTRAINED_DELEGATION)
- && (ncreds->ticket_flags & TKT_FLG_FORWARDABLE) == 0) {
- /* This ticket won't work for constrained delegation. */
- krb5_free_creds(context, ncreds);
- return KRB5_TKT_NOT_FORWARDABLE;
+ && (ncreds->ticket_flags & TKT_FLG_FORWARDABLE) == 0) {
+ /* This ticket won't work for constrained delegation. */
+ krb5_free_creds(context, ncreds);
+ return KRB5_TKT_NOT_FORWARDABLE;
}
/* Attempt to cache the returned ticket. */
if (!(options & KRB5_GC_NO_STORE))
- (void) krb5_cc_store_cred(context, ccache, ncreds);
+ (void) krb5_cc_store_cred(context, ccache, ncreds);
*out_creds = ncreds;
return 0;
@@ -212,10 +213,10 @@ krb5_get_credentials(krb5_context context, krb5_flags options,
#define INT_GC_VALIDATE 1
#define INT_GC_RENEW 2
-static krb5_error_code
+static krb5_error_code
krb5_get_credentials_val_renew_core(krb5_context context, krb5_flags options,
- krb5_ccache ccache, krb5_creds *in_creds,
- krb5_creds **out_creds, int which)
+ krb5_ccache ccache, krb5_creds *in_creds,
+ krb5_creds **out_creds, int which)
{
krb5_error_code retval;
krb5_principal tmp;
@@ -223,17 +224,17 @@ krb5_get_credentials_val_renew_core(krb5_context context, krb5_flags options,
switch(which) {
case INT_GC_VALIDATE:
- retval = krb5_get_cred_from_kdc_validate(context, ccache,
- in_creds, out_creds, &tgts);
- break;
+ retval = krb5_get_cred_from_kdc_validate(context, ccache,
+ in_creds, out_creds, &tgts);
+ break;
case INT_GC_RENEW:
- retval = krb5_get_cred_from_kdc_renew(context, ccache,
- in_creds, out_creds, &tgts);
- break;
+ retval = krb5_get_cred_from_kdc_renew(context, ccache,
+ in_creds, out_creds, &tgts);
+ break;
default:
- /* Should never happen */
- retval = 255;
- break;
+ /* Should never happen */
+ retval = 255;
+ break;
}
/*
* Callers to krb5_get_cred_blah... must free up tgts even in
@@ -244,39 +245,39 @@ krb5_get_credentials_val_renew_core(krb5_context context, krb5_flags options,
retval = krb5_cc_get_principal(context, ccache, &tmp);
if (retval) return retval;
-
+
retval = krb5_cc_initialize(context, ccache, tmp);
if (retval) return retval;
-
+
retval = krb5_cc_store_cred(context, ccache, *out_creds);
return retval;
}
krb5_error_code KRB5_CALLCONV
krb5_get_credentials_validate(krb5_context context, krb5_flags options,
- krb5_ccache ccache, krb5_creds *in_creds,
- krb5_creds **out_creds)
+ krb5_ccache ccache, krb5_creds *in_creds,
+ krb5_creds **out_creds)
{
- return(krb5_get_credentials_val_renew_core(context, options, ccache,
- in_creds, out_creds,
- INT_GC_VALIDATE));
+ return(krb5_get_credentials_val_renew_core(context, options, ccache,
+ in_creds, out_creds,
+ INT_GC_VALIDATE));
}
krb5_error_code KRB5_CALLCONV
krb5_get_credentials_renew(krb5_context context, krb5_flags options,
- krb5_ccache ccache, krb5_creds *in_creds,
- krb5_creds **out_creds)
+ krb5_ccache ccache, krb5_creds *in_creds,
+ krb5_creds **out_creds)
{
- return(krb5_get_credentials_val_renew_core(context, options, ccache,
- in_creds, out_creds,
- INT_GC_RENEW));
+ return(krb5_get_credentials_val_renew_core(context, options, ccache,
+ in_creds, out_creds,
+ INT_GC_RENEW));
}
static krb5_error_code
krb5_validate_or_renew_creds(krb5_context context, krb5_creds *creds,
- krb5_principal client, krb5_ccache ccache,
- char *in_tkt_service, int validate)
+ krb5_principal client, krb5_ccache ccache,
+ char *in_tkt_service, int validate)
{
krb5_error_code ret;
krb5_creds in_creds; /* only client and server need to be filled in */
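Review bot: The principal returned in `tmp` by `krb5_cc_get_principal` is not released on any of the exits that follow, so each validate or renew call appears to leak it (assuming `krb5_cc_initialize` does not take ownership of its argument). A `krb5_free_principal(context, tmp);` placed right after the `krb5_cc_initialize` call, before its `if (retval) return retval;`, covers both the success and the failure path. The cache is also re-initialised before the new credential is stored, so a failing `krb5_cc_store_cred` leaves it empty; a comment saying this is intended would help. krb5_get_credentials_val_renew_core begins outside this hunk.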
@@ -291,57 +292,57 @@ krb5_validate_or_renew_creds(krb5_context context, krb5_creds *creds,
in_creds.client = client;
if (in_tkt_service) {
- /* this is ugly, because so are the data structures involved. I'm
- in the library, so I'm going to manipulate the data structures
- directly, otherwise, it will be worse. */
+ /* this is ugly, because so are the data structures involved. I'm
+ in the library, so I'm going to manipulate the data structures
+ directly, otherwise, it will be worse. */
if ((ret = krb5_parse_name(context, in_tkt_service, &in_creds.server)))
- goto cleanup;
-
- /* stuff the client realm into the server principal.
- realloc if necessary */
- if (in_creds.server->realm.length < in_creds.client->realm.length)
- if ((in_creds.server->realm.data =
- (char *) realloc(in_creds.server->realm.data,
- in_creds.client->realm.length)) == NULL) {
- ret = ENOMEM;
- goto cleanup;
- }
-
- in_creds.server->realm.length = in_creds.client->realm.length;
- memcpy(in_creds.server->realm.data, in_creds.client->realm.data,
- in_creds.client->realm.length);
+ goto cleanup;
+
+ /* stuff the client realm into the server principal.
+ realloc if necessary */
+ if (in_creds.server->realm.length < in_creds.client->realm.length)
+ if ((in_creds.server->realm.data =
+ (char *) realloc(in_creds.server->realm.data,
+ in_creds.client->realm.length)) == NULL) {
+ ret = ENOMEM;
+ goto cleanup;
+ }
+
+ in_creds.server->realm.length = in_creds.client->realm.length;
+ memcpy(in_creds.server->realm.data, in_creds.client->realm.data,
+ in_creds.client->realm.length);
} else {
- if ((ret = krb5_build_principal_ext(context, &in_creds.server,
- in_creds.client->realm.length,
- in_creds.client->realm.data,
- KRB5_TGS_NAME_SIZE,
- KRB5_TGS_NAME,
- in_creds.client->realm.length,
- in_creds.client->realm.data,
- 0)))
- goto cleanup;
+ if ((ret = krb5_build_principal_ext(context, &in_creds.server,
+ in_creds.client->realm.length,
+ in_creds.client->realm.data,
+ KRB5_TGS_NAME_SIZE,
+ KRB5_TGS_NAME,
+ in_creds.client->realm.length,
+ in_creds.client->realm.data,
+ 0)))
+ goto cleanup;
}
if (validate)
- ret = krb5_get_cred_from_kdc_validate(context, ccache,
- &in_creds, &out_creds, &tgts);
+ ret = krb5_get_cred_from_kdc_validate(context, ccache,
+ &in_creds, &out_creds, &tgts);
else
- ret = krb5_get_cred_from_kdc_renew(context, ccache,
- &in_creds, &out_creds, &tgts);
-
+ ret = krb5_get_cred_from_kdc_renew(context, ccache,
+ &in_creds, &out_creds, &tgts);
+
/* ick. copy the struct contents, free the container */
if (out_creds) {
- *creds = *out_creds;
- free(out_creds);
+ *creds = *out_creds;
+ free(out_creds);
}
cleanup:
if (in_creds.server)
- krb5_free_principal(context, in_creds.server);
+ krb5_free_principal(context, in_creds.server);
if (tgts)
- krb5_free_tgt_creds(context, tgts);
+ krb5_free_tgt_creds(context, tgts);
return(ret);
}
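Review bot: In the `in_tkt_service` branch the `realloc` result is assigned straight back to `in_creds.server->realm.data`. On failure the only pointer to the original realm buffer is overwritten with NULL, so the `cleanup` path cannot free it. Hold the result in a temporary, set `ret = ENOMEM` and `goto cleanup` when it is NULL, and only then store it in `realm.data`. The function's declarations are outside this hunk, so the temporary would be declared there.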
@@ -350,13 +351,12 @@ krb5_error_code KRB5_CALLCONV
krb5_get_validated_creds(krb5_context context, krb5_creds *creds, krb5_principal client, krb5_ccache ccache, char *in_tkt_service)
{
return(krb5_validate_or_renew_creds(context, creds, client, ccache,
- in_tkt_service, 1));
+ in_tkt_service, 1));
}
krb5_error_code KRB5_CALLCONV
krb5_get_renewed_creds(krb5_context context, krb5_creds *creds, krb5_principal client, krb5_ccache ccache, char *in_tkt_service)
{
return(krb5_validate_or_renew_creds(context, creds, client, ccache,
- in_tkt_service, 0));
+ in_tkt_service, 0));
}
-
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index a381c5c7e2..40afea56d5 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/get_in_tkt.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_get_in_tkt()
*/
@@ -36,7 +37,7 @@
#if APPLE_PKINIT
#define IN_TKT_DEBUG 0
-#if IN_TKT_DEBUG
+#if IN_TKT_DEBUG
#define inTktDebug(args...) printf(args)
#else
#define inTktDebug(args...)
@@ -44,53 +45,53 @@
#endif /* APPLE_PKINIT */
/*
- All-purpose initial ticket routine, usually called via
- krb5_get_in_tkt_with_password or krb5_get_in_tkt_with_skey.
+ All-purpose initial ticket routine, usually called via
+ krb5_get_in_tkt_with_password or krb5_get_in_tkt_with_skey.
- Attempts to get an initial ticket for creds->client to use server
- creds->server, (realm is taken from creds->client), with options
- options, and using creds->times.starttime, creds->times.endtime,
- creds->times.renew_till as from, till, and rtime.
- creds->times.renew_till is ignored unless the RENEWABLE option is requested.
+ Attempts to get an initial ticket for creds->client to use server
+ creds->server, (realm is taken from creds->client), with options
+ options, and using creds->times.starttime, creds->times.endtime,
+ creds->times.renew_till as from, till, and rtime.
+ creds->times.renew_till is ignored unless the RENEWABLE option is requested.
- key_proc is called to fill in the key to be used for decryption.
- keyseed is passed on to key_proc.
+ key_proc is called to fill in the key to be used for decryption.
+ keyseed is passed on to key_proc.
- decrypt_proc is called to perform the decryption of the response (the
- encrypted part is in dec_rep->enc_part; the decrypted part should be
- allocated and filled into dec_rep->enc_part2
- arg is passed on to decrypt_proc.
+ decrypt_proc is called to perform the decryption of the response (the
+ encrypted part is in dec_rep->enc_part; the decrypted part should be
+ allocated and filled into dec_rep->enc_part2
+ arg is passed on to decrypt_proc.
- If addrs is non-NULL, it is used for the addresses requested. If it is
- null, the system standard addresses are used.
+ If addrs is non-NULL, it is used for the addresses requested. If it is
+ null, the system standard addresses are used.
- A succesful call will place the ticket in the credentials cache ccache
- and fill in creds with the ticket information used/returned..
+ A succesful call will place the ticket in the credentials cache ccache
+ and fill in creds with the ticket information used/returned..
- returns system errors, encryption errors
+ returns system errors, encryption errors
- */
+*/
/* some typedef's for the function args to make things look a bit cleaner */
typedef krb5_error_code (*git_key_proc) (krb5_context,
- krb5_enctype,
- krb5_data *,
- krb5_const_pointer,
- krb5_keyblock **);
+ krb5_enctype,
+ krb5_data *,
+ krb5_const_pointer,
+ krb5_keyblock **);
typedef krb5_error_code (*git_decrypt_proc) (krb5_context,
- const krb5_keyblock *,
- krb5_const_pointer,
- krb5_kdc_rep * );
+ const krb5_keyblock *,
+ krb5_const_pointer,
+ krb5_kdc_rep * );
-static krb5_error_code make_preauth_list (krb5_context,
- krb5_preauthtype *,
- int, krb5_pa_data ***);
+static krb5_error_code make_preauth_list (krb5_context,
+ krb5_preauthtype *,
+ int, krb5_pa_data ***);
static krb5_error_code sort_krb5_padata_sequence(krb5_context context,
- krb5_data *realm,
- krb5_pa_data **padata);
+ krb5_data *realm,
+ krb5_pa_data **padata);
/*
* This function performs 32 bit bounded addition so we can generate
@@ -105,7 +106,7 @@ static krb5_int32 krb5int_addint32 (krb5_int32 x, krb5_int32 y)
/* sum will be less than KRB5_INT32_MIN */
return KRB5_INT32_MIN;
}
-
+
return x + y;
}
@@ -115,14 +116,14 @@ static krb5_int32 krb5int_addint32 (krb5_int32 x, krb5_int32 y)
* just uses krb5_timeofday(); it should use a PRNG. Even more unfortunately this
* value is used interchangeably with an explicit now_time throughout this module...
*/
-static krb5_error_code
+static krb5_error_code
gen_nonce(krb5_context context,
krb5_int32 *nonce)
{
krb5_int32 time_now;
krb5_error_code retval = krb5_timeofday(context, &time_now);
if(retval) {
- return retval;
+ return retval;
}
*nonce = time_now;
return 0;
@@ -136,16 +137,16 @@ gen_nonce(krb5_context context,
* unexpected response, an error is returned.
*/
static krb5_error_code
-send_as_request(krb5_context context,
- krb5_data *packet, const krb5_data *realm,
- krb5_error ** ret_err_reply,
- krb5_kdc_rep ** ret_as_reply,
- int *use_master)
+send_as_request(krb5_context context,
+ krb5_data *packet, const krb5_data *realm,
+ krb5_error ** ret_err_reply,
+ krb5_kdc_rep ** ret_as_reply,
+ int *use_master)
{
krb5_kdc_rep *as_reply = 0;
krb5_error_code retval;
krb5_data reply;
- char k4_version; /* same type as *(krb5_data::data) */
+ char k4_version; /* same type as *(krb5_data::data) */
int tcp_only = 0;
reply.data = 0;
@@ -154,37 +155,37 @@ send_as_request(krb5_context context,
k4_version = packet->data[0];
send_again:
- retval = krb5_sendto_kdc(context, packet,
- realm,
- &reply, use_master, tcp_only);
+ retval = krb5_sendto_kdc(context, packet,
+ realm,
+ &reply, use_master, tcp_only);
#if APPLE_PKINIT
inTktDebug("krb5_sendto_kdc returned %d\n", (int)retval);
#endif /* APPLE_PKINIT */
if (retval)
- goto cleanup;
+ goto cleanup;
/* now decode the reply...could be error or as_rep */
if (krb5_is_krb_error(&reply)) {
- krb5_error *err_reply;
-
- if ((retval = decode_krb5_error(&reply, &err_reply)))
- /* some other error code--??? */
- goto cleanup;
-
- if (ret_err_reply) {
- if (err_reply->error == KRB_ERR_RESPONSE_TOO_BIG
- && tcp_only == 0) {
- tcp_only = 1;
- krb5_free_error(context, err_reply);
- free(reply.data);
- reply.data = 0;
- goto send_again;
- }
- *ret_err_reply = err_reply;
- } else
- krb5_free_error(context, err_reply);
- goto cleanup;
+ krb5_error *err_reply;
+
+ if ((retval = decode_krb5_error(&reply, &err_reply)))
+ /* some other error code--??? */
+ goto cleanup;
+
+ if (ret_err_reply) {
+ if (err_reply->error == KRB_ERR_RESPONSE_TOO_BIG
+ && tcp_only == 0) {
+ tcp_only = 1;
+ krb5_free_error(context, err_reply);
+ free(reply.data);
+ reply.data = 0;
+ goto send_again;
+ }
+ *ret_err_reply = err_reply;
+ } else
+ krb5_free_error(context, err_reply);
+ goto cleanup;
}
/*
@@ -192,108 +193,108 @@ send_again:
*/
if (!krb5_is_as_rep(&reply)) {
/* these are in <kerberosIV/prot.h> as well but it isn't worth including. */
-#define V4_KRB_PROT_VERSION 4
-#define V4_AUTH_MSG_ERR_REPLY (5<<1)
- /* check here for V4 reply */
- unsigned int t_switch;
-
- /* From v4 g_in_tkt.c: This used to be
- switch (pkt_msg_type(rpkt) & ~1) {
- but SCO 3.2v4 cc compiled that incorrectly. */
- t_switch = reply.data[1];
- t_switch &= ~1;
-
- if (t_switch == V4_AUTH_MSG_ERR_REPLY
- && (reply.data[0] == V4_KRB_PROT_VERSION
- || reply.data[0] == k4_version)) {
- retval = KRB5KRB_AP_ERR_V4_REPLY;
- } else {
- retval = KRB5KRB_AP_ERR_MSG_TYPE;
- }
- goto cleanup;
+#define V4_KRB_PROT_VERSION 4
+#define V4_AUTH_MSG_ERR_REPLY (5<<1)
+ /* check here for V4 reply */
+ unsigned int t_switch;
+
+ /* From v4 g_in_tkt.c: This used to be
+ switch (pkt_msg_type(rpkt) & ~1) {
+ but SCO 3.2v4 cc compiled that incorrectly. */
+ t_switch = reply.data[1];
+ t_switch &= ~1;
+
+ if (t_switch == V4_AUTH_MSG_ERR_REPLY
+ && (reply.data[0] == V4_KRB_PROT_VERSION
+ || reply.data[0] == k4_version)) {
+ retval = KRB5KRB_AP_ERR_V4_REPLY;
+ } else {
+ retval = KRB5KRB_AP_ERR_MSG_TYPE;
+ }
+ goto cleanup;
}
/* It must be a KRB_AS_REP message, or an bad returned packet */
if ((retval = decode_krb5_as_rep(&reply, &as_reply)))
- /* some other error code ??? */
- goto cleanup;
+ /* some other error code ??? */
+ goto cleanup;
if (as_reply->msg_type != KRB5_AS_REP) {
- retval = KRB5KRB_AP_ERR_MSG_TYPE;
- krb5_free_kdc_rep(context, as_reply);
- goto cleanup;
+ retval = KRB5KRB_AP_ERR_MSG_TYPE;
+ krb5_free_kdc_rep(context, as_reply);
+ goto cleanup;
}
if (ret_as_reply)
- *ret_as_reply = as_reply;
+ *ret_as_reply = as_reply;
else
- krb5_free_kdc_rep(context, as_reply);
+ krb5_free_kdc_rep(context, as_reply);
cleanup:
if (reply.data)
- free(reply.data);
+ free(reply.data);
return retval;
}
static krb5_error_code
-decrypt_as_reply(krb5_context context,
- krb5_kdc_req *request,
- krb5_kdc_rep *as_reply,
- git_key_proc key_proc,
- krb5_const_pointer keyseed,
- krb5_keyblock * key,
- git_decrypt_proc decrypt_proc,
- krb5_const_pointer decryptarg)
+decrypt_as_reply(krb5_context context,
+ krb5_kdc_req *request,
+ krb5_kdc_rep *as_reply,
+ git_key_proc key_proc,
+ krb5_const_pointer keyseed,
+ krb5_keyblock * key,
+ git_decrypt_proc decrypt_proc,
+ krb5_const_pointer decryptarg)
{
- krb5_error_code retval;
- krb5_keyblock * decrypt_key = 0;
- krb5_data salt;
-
+ krb5_error_code retval;
+ krb5_keyblock * decrypt_key = 0;
+ krb5_data salt;
+
if (as_reply->enc_part2)
- return 0;
+ return 0;
if (key)
- decrypt_key = key;
+ decrypt_key = key;
else {
- /*
- * Use salt corresponding to the client principal supplied by
- * the KDC, which may differ from the requested principal if
- * canonicalization is in effect. We will check
- * as_reply->client later in verify_as_reply.
- */
- if ((retval = krb5_principal2salt(context, as_reply->client, &salt)))
- return(retval);
-
- retval = (*key_proc)(context, as_reply->enc_part.enctype,
- &salt, keyseed, &decrypt_key);
- free(salt.data);
- if (retval)
- goto cleanup;
+ /*
+ * Use salt corresponding to the client principal supplied by
+ * the KDC, which may differ from the requested principal if
+ * canonicalization is in effect. We will check
+ * as_reply->client later in verify_as_reply.
+ */
+ if ((retval = krb5_principal2salt(context, as_reply->client, &salt)))
+ return(retval);
+
+ retval = (*key_proc)(context, as_reply->enc_part.enctype,
+ &salt, keyseed, &decrypt_key);
+ free(salt.data);
+ if (retval)
+ goto cleanup;
}
-
+
if ((retval = (*decrypt_proc)(context, decrypt_key, decryptarg, as_reply)))
- goto cleanup;
+ goto cleanup;
cleanup:
if (!key && decrypt_key)
- krb5_free_keyblock(context, decrypt_key);
+ krb5_free_keyblock(context, decrypt_key);
return (retval);
}
static krb5_error_code
-verify_as_reply(krb5_context context,
- krb5_timestamp time_now,
- krb5_kdc_req *request,
- krb5_kdc_rep *as_reply)
+verify_as_reply(krb5_context context,
+ krb5_timestamp time_now,
+ krb5_kdc_req *request,
+ krb5_kdc_rep *as_reply)
{
- krb5_error_code retval;
- int canon_req;
- int canon_ok;
+ krb5_error_code retval;
+ int canon_req;
+ int canon_ok;
/* check the contents for sanity: */
if (!as_reply->enc_part2->times.starttime)
- as_reply->enc_part2->times.starttime =
- as_reply->enc_part2->times.authtime;
+ as_reply->enc_part2->times.starttime =
+ as_reply->enc_part2->times.authtime;
/*
* We only allow the AS-REP server name to be changed if the
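Review bot: The V4 fallback check in send_as_request reads `reply.data[1]` and `reply.data[0]` without consulting `reply.length`. `reply` holds whatever came back from the network, so unless an earlier check outside this hunk rules it out, a reply shorter than two bytes is read past its end. Guard the block before `t_switch` is assigned, for example `if (reply.length < 2) { retval = KRB5KRB_AP_ERR_MSG_TYPE; goto cleanup; }`. `reply.data[1]` is a plain `char`, so converting it through `unsigned char` before the mask would keep the comparison independent of char signedness. send_as_request begins outside this hunk.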
@@ -301,184 +302,184 @@ verify_as_reply(krb5_context context,
* principal) and we requested (and received) a TGT.
*/
canon_req = ((request->kdc_options & KDC_OPT_CANONICALIZE) != 0) ||
- (krb5_princ_type(context, request->client) == KRB5_NT_ENTERPRISE_PRINCIPAL);
+ (krb5_princ_type(context, request->client) == KRB5_NT_ENTERPRISE_PRINCIPAL);
if (canon_req) {
- canon_ok = IS_TGS_PRINC(context, request->server) &&
- IS_TGS_PRINC(context, as_reply->enc_part2->server);
+ canon_ok = IS_TGS_PRINC(context, request->server) &&
+ IS_TGS_PRINC(context, as_reply->enc_part2->server);
} else
- canon_ok = 0;
-
+ canon_ok = 0;
+
if ((!canon_ok &&
- (!krb5_principal_compare(context, as_reply->client, request->client) ||
- !krb5_principal_compare(context, as_reply->enc_part2->server, request->server)))
- || !krb5_principal_compare(context, as_reply->enc_part2->server, as_reply->ticket->server)
- || (request->nonce != as_reply->enc_part2->nonce)
- /* XXX check for extraneous flags */
- /* XXX || (!krb5_addresses_compare(context, addrs, as_reply->enc_part2->caddrs)) */
- || ((request->kdc_options & KDC_OPT_POSTDATED) &&
- (request->from != 0) &&
- (request->from != as_reply->enc_part2->times.starttime))
- || ((request->till != 0) &&
- (as_reply->enc_part2->times.endtime > request->till))
- || ((request->kdc_options & KDC_OPT_RENEWABLE) &&
- (request->rtime != 0) &&
- (as_reply->enc_part2->times.renew_till > request->rtime))
- || ((request->kdc_options & KDC_OPT_RENEWABLE_OK) &&
- !(request->kdc_options & KDC_OPT_RENEWABLE) &&
- (as_reply->enc_part2->flags & KDC_OPT_RENEWABLE) &&
- (request->till != 0) &&
- (as_reply->enc_part2->times.renew_till > request->till))
- ) {
+ (!krb5_principal_compare(context, as_reply->client, request->client) ||
+ !krb5_principal_compare(context, as_reply->enc_part2->server, request->server)))
+ || !krb5_principal_compare(context, as_reply->enc_part2->server, as_reply->ticket->server)
+ || (request->nonce != as_reply->enc_part2->nonce)
+ /* XXX check for extraneous flags */
+ /* XXX || (!krb5_addresses_compare(context, addrs, as_reply->enc_part2->caddrs)) */
+ || ((request->kdc_options & KDC_OPT_POSTDATED) &&
+ (request->from != 0) &&
+ (request->from != as_reply->enc_part2->times.starttime))
+ || ((request->till != 0) &&
+ (as_reply->enc_part2->times.endtime > request->till))
+ || ((request->kdc_options & KDC_OPT_RENEWABLE) &&
+ (request->rtime != 0) &&
+ (as_reply->enc_part2->times.renew_till > request->rtime))
+ || ((request->kdc_options & KDC_OPT_RENEWABLE_OK) &&
+ !(request->kdc_options & KDC_OPT_RENEWABLE) &&
+ (as_reply->enc_part2->flags & KDC_OPT_RENEWABLE) &&
+ (request->till != 0) &&
+ (as_reply->enc_part2->times.renew_till > request->till))
+ ) {
#if APPLE_PKINIT
- inTktDebug("verify_as_reply: KDCREP_MODIFIED\n");
- #if IN_TKT_DEBUG
- if(request->client->realm.length && request->client->data->length)
- inTktDebug("request: name %s realm %s\n",
- request->client->realm.data, request->client->data->data);
- if(as_reply->client->realm.length && as_reply->client->data->length)
- inTktDebug("reply : name %s realm %s\n",
- as_reply->client->realm.data, as_reply->client->data->data);
- #endif
+ inTktDebug("verify_as_reply: KDCREP_MODIFIED\n");
+#if IN_TKT_DEBUG
+ if(request->client->realm.length && request->client->data->length)
+ inTktDebug("request: name %s realm %s\n",
+ request->client->realm.data, request->client->data->data);
+ if(as_reply->client->realm.length && as_reply->client->data->length)
+ inTktDebug("reply : name %s realm %s\n",
+ as_reply->client->realm.data, as_reply->client->data->data);
+#endif
#endif /* APPLE_PKINIT */
- return KRB5_KDCREP_MODIFIED;
+ return KRB5_KDCREP_MODIFIED;
}
if (context->library_options & KRB5_LIBOPT_SYNC_KDCTIME) {
- retval = krb5_set_real_time(context,
- as_reply->enc_part2->times.authtime, -1);
- if (retval)
- return retval;
+ retval = krb5_set_real_time(context,
+ as_reply->enc_part2->times.authtime, -1);
+ if (retval)
+ return retval;
} else {
- if ((request->from == 0) &&
- (labs(as_reply->enc_part2->times.starttime - time_now)
- > context->clockskew))
- return (KRB5_KDCREP_SKEW);
+ if ((request->from == 0) &&
+ (labs(as_reply->enc_part2->times.starttime - time_now)
+ > context->clockskew))
+ return (KRB5_KDCREP_SKEW);
}
return 0;
}
static krb5_error_code
-stash_as_reply(krb5_context context,
- krb5_timestamp time_now,
- krb5_kdc_req *request,
- krb5_kdc_rep *as_reply,
- krb5_creds * creds,
- krb5_ccache ccache)
+stash_as_reply(krb5_context context,
+ krb5_timestamp time_now,
+ krb5_kdc_req *request,
+ krb5_kdc_rep *as_reply,
+ krb5_creds * creds,
+ krb5_ccache ccache)
{
- krb5_error_code retval;
- krb5_data * packet;
- krb5_principal client;
- krb5_principal server;
+ krb5_error_code retval;
+ krb5_data * packet;
+ krb5_principal client;
+ krb5_principal server;
client = NULL;
server = NULL;
if (!creds->client)
if ((retval = krb5_copy_principal(context, as_reply->client, &client)))
- goto cleanup;
+ goto cleanup;
if (!creds->server)
- if ((retval = krb5_copy_principal(context, as_reply->enc_part2->server,
- &server)))
- goto cleanup;
+ if ((retval = krb5_copy_principal(context, as_reply->enc_part2->server,
+ &server)))
+ goto cleanup;
/* fill in the credentials */
- if ((retval = krb5_copy_keyblock_contents(context,
- as_reply->enc_part2->session,
- &creds->keyblock)))
- goto cleanup;
+ if ((retval = krb5_copy_keyblock_contents(context,
+ as_reply->enc_part2->session,
+ &creds->keyblock)))
+ goto cleanup;
creds->times = as_reply->enc_part2->times;
- creds->is_skey = FALSE; /* this is an AS_REQ, so cannot
- be encrypted in skey */
+ creds->is_skey = FALSE; /* this is an AS_REQ, so cannot
+ be encrypted in skey */
creds->ticket_flags = as_reply->enc_part2->flags;
if ((retval = krb5_copy_addresses(context, as_reply->enc_part2->caddrs,
- &creds->addresses)))
- goto cleanup;
+ &creds->addresses)))
+ goto cleanup;
creds->second_ticket.length = 0;
creds->second_ticket.data = 0;
if ((retval = encode_krb5_ticket(as_reply->ticket, &packet)))
- goto cleanup;
+ goto cleanup;
creds->ticket = *packet;
free(packet);
/* store it in the ccache! */
if (ccache)
- if ((retval = krb5_cc_store_cred(context, ccache, creds)))
- goto cleanup;
+ if ((retval = krb5_cc_store_cred(context, ccache, creds)))
+ goto cleanup;
if (!creds->client)
- creds->client = client;
+ creds->client = client;
if (!creds->server)
- creds->server = server;
+ creds->server = server;
cleanup:
if (retval) {
- if (client)
- krb5_free_principal(context, client);
- if (server)
- krb5_free_principal(context, server);
- if (creds->keyblock.contents) {
- memset(creds->keyblock.contents, 0,
- creds->keyblock.length);
- free(creds->keyblock.contents);
- creds->keyblock.contents = 0;
- creds->keyblock.length = 0;
- }
- if (creds->ticket.data) {
- free(creds->ticket.data);
- creds->ticket.data = 0;
- }
- if (creds->addresses) {
- krb5_free_addresses(context, creds->addresses);
- creds->addresses = 0;
- }
+ if (client)
+ krb5_free_principal(context, client);
+ if (server)
+ krb5_free_principal(context, server);
+ if (creds->keyblock.contents) {
+ memset(creds->keyblock.contents, 0,
+ creds->keyblock.length);
+ free(creds->keyblock.contents);
+ creds->keyblock.contents = 0;
+ creds->keyblock.length = 0;
+ }
+ if (creds->ticket.data) {
+ free(creds->ticket.data);
+ creds->ticket.data = 0;
+ }
+ if (creds->addresses) {
+ krb5_free_addresses(context, creds->addresses);
+ creds->addresses = 0;
+ }
}
return (retval);
}
static krb5_error_code
-make_preauth_list(krb5_context context,
- krb5_preauthtype * ptypes,
- int nptypes,
- krb5_pa_data *** ret_list)
+make_preauth_list(krb5_context context,
+ krb5_preauthtype * ptypes,
+ int nptypes,
+ krb5_pa_data *** ret_list)
{
- krb5_preauthtype * ptypep;
- krb5_pa_data ** preauthp;
- int i;
+ krb5_preauthtype * ptypep;
+ krb5_pa_data ** preauthp;
+ int i;
if (nptypes < 0) {
- for (nptypes=0, ptypep = ptypes; *ptypep; ptypep++, nptypes++)
- ;
+ for (nptypes=0, ptypep = ptypes; *ptypep; ptypep++, nptypes++)
+ ;
}
-
+
/* allocate space for a NULL to terminate the list */
-
+
if ((preauthp =
- (krb5_pa_data **) malloc((nptypes+1)*sizeof(krb5_pa_data *))) == NULL)
- return(ENOMEM);
-
+ (krb5_pa_data **) malloc((nptypes+1)*sizeof(krb5_pa_data *))) == NULL)
+ return(ENOMEM);
+
for (i=0; i<nptypes; i++) {
- if ((preauthp[i] =
- (krb5_pa_data *) malloc(sizeof(krb5_pa_data))) == NULL) {
- for (; i>=0; i--)
- free(preauthp[i]);
- free(preauthp);
- return (ENOMEM);
- }
- preauthp[i]->magic = KV5M_PA_DATA;
- preauthp[i]->pa_type = ptypes[i];
- preauthp[i]->length = 0;
- preauthp[i]->contents = 0;
+ if ((preauthp[i] =
+ (krb5_pa_data *) malloc(sizeof(krb5_pa_data))) == NULL) {
+ for (; i>=0; i--)
+ free(preauthp[i]);
+ free(preauthp);
+ return (ENOMEM);
+ }
+ preauthp[i]->magic = KV5M_PA_DATA;
+ preauthp[i]->pa_type = ptypes[i];
+ preauthp[i]->length = 0;
+ preauthp[i]->contents = 0;
}
-
+
/* fill in the terminating NULL */
-
+
preauthp[nptypes] = NULL;
-
+
*ret_list = preauthp;
return 0;
}
@@ -495,10 +496,10 @@ static const krb5_enctype get_in_tkt_enctypes[] = {
static krb5_error_code
rewrite_server_realm(krb5_context context,
- krb5_const_principal old_server,
- const krb5_data *realm,
- krb5_boolean tgs,
- krb5_principal *server)
+ krb5_const_principal old_server,
+ const krb5_data *realm,
+ krb5_boolean tgs,
+ krb5_principal *server)
{
krb5_error_code retval;
@@ -506,28 +507,28 @@ rewrite_server_realm(krb5_context context,
retval = krb5_copy_principal(context, old_server, server);
if (retval)
- return retval;
+ return retval;
krb5_free_data_contents(context, &(*server)->realm);
(*server)->realm.data = NULL;
retval = krb5int_copy_data_contents(context, realm, &(*server)->realm);
if (retval)
- goto cleanup;
+ goto cleanup;
if (tgs) {
- krb5_free_data_contents(context, &(*server)->data[1]);
- (*server)->data[1].data = NULL;
+ krb5_free_data_contents(context, &(*server)->data[1]);
+ (*server)->data[1].data = NULL;
- retval = krb5int_copy_data_contents(context, realm, &(*server)->data[1]);
- if (retval)
- goto cleanup;
+ retval = krb5int_copy_data_contents(context, realm, &(*server)->data[1]);
+ if (retval)
+ goto cleanup;
}
cleanup:
if (retval) {
- krb5_free_principal(context, *server);
- *server = NULL;
+ krb5_free_principal(context, *server);
+ *server = NULL;
}
return retval;
@@ -544,44 +545,44 @@ tgt_is_local_realm(krb5_creds *tgt)
krb5_error_code KRB5_CALLCONV
krb5_get_in_tkt(krb5_context context,
- krb5_flags options,
- krb5_address * const * addrs,
- krb5_enctype * ktypes,
- krb5_preauthtype * ptypes,
- git_key_proc key_proc,
- krb5_const_pointer keyseed,
- git_decrypt_proc decrypt_proc,
- krb5_const_pointer decryptarg,
- krb5_creds * creds,
- krb5_ccache ccache,
- krb5_kdc_rep ** ret_as_reply)
+ krb5_flags options,
+ krb5_address * const * addrs,
+ krb5_enctype * ktypes,
+ krb5_preauthtype * ptypes,
+ git_key_proc key_proc,
+ krb5_const_pointer keyseed,
+ git_decrypt_proc decrypt_proc,
+ krb5_const_pointer decryptarg,
+ krb5_creds * creds,
+ krb5_ccache ccache,
+ krb5_kdc_rep ** ret_as_reply)
{
- krb5_error_code retval;
- krb5_timestamp time_now;
- krb5_keyblock * decrypt_key = 0;
- krb5_kdc_req request;
+ krb5_error_code retval;
+ krb5_timestamp time_now;
+ krb5_keyblock * decrypt_key = 0;
+ krb5_kdc_req request;
krb5_data *encoded_request;
- krb5_error * err_reply;
- krb5_kdc_rep * as_reply = 0;
- krb5_pa_data ** preauth_to_use = 0;
- int loopcount = 0;
- krb5_int32 do_more = 0;
- int canon_flag;
+ krb5_error * err_reply;
+ krb5_kdc_rep * as_reply = 0;
+ krb5_pa_data ** preauth_to_use = 0;
+ int loopcount = 0;
+ krb5_int32 do_more = 0;
+ int canon_flag;
int use_master = 0;
- int referral_count = 0;
- krb5_principal_data referred_client;
- krb5_principal referred_server = NULL;
- krb5_boolean is_tgt_req;
+ int referral_count = 0;
+ krb5_principal_data referred_client;
+ krb5_principal referred_server = NULL;
+ krb5_boolean is_tgt_req;
#if APPLE_PKINIT
inTktDebug("krb5_get_in_tkt top\n");
#endif /* APPLE_PKINIT */
if (! krb5_realm_compare(context, creds->client, creds->server))
- return KRB5_IN_TKT_REALM_MISMATCH;
+ return KRB5_IN_TKT_REALM_MISMATCH;
if (ret_as_reply)
- *ret_as_reply = 0;
+ *ret_as_reply = 0;
referred_client = *(creds->client);
referred_client.realm.data = NULL;
@@ -589,8 +590,8 @@ krb5_get_in_tkt(krb5_context context,
/* per referrals draft, enterprise principals imply canonicalization */
canon_flag = ((options & KDC_OPT_CANONICALIZE) != 0) ||
- creds->client->type == KRB5_NT_ENTERPRISE_PRINCIPAL;
-
+ creds->client->type == KRB5_NT_ENTERPRISE_PRINCIPAL;
+
/*
* Set up the basic request structure
*/
@@ -600,10 +601,10 @@ krb5_get_in_tkt(krb5_context context,
request.ktype = 0;
request.padata = 0;
if (addrs)
- request.addresses = (krb5_address **) addrs;
+ request.addresses = (krb5_address **) addrs;
else
- if ((retval = krb5_os_localaddr(context, &request.addresses)))
- goto cleanup;
+ if ((retval = krb5_os_localaddr(context, &request.addresses)))
+ goto cleanup;
request.kdc_options = options;
request.client = creds->client;
request.server = creds->server;
@@ -614,43 +615,43 @@ krb5_get_in_tkt(krb5_context context,
#if APPLE_PKINIT
retval = gen_nonce(context, (krb5_int32 *)&time_now);
if(retval) {
- goto cleanup;
+ goto cleanup;
}
request.nonce = time_now;
#endif /* APPLE_PKINIT */
request.ktype = malloc (sizeof(get_in_tkt_enctypes));
if (request.ktype == NULL) {
- retval = ENOMEM;
- goto cleanup;
+ retval = ENOMEM;
+ goto cleanup;
}
memcpy(request.ktype, get_in_tkt_enctypes, sizeof(get_in_tkt_enctypes));
for (request.nktypes = 0;request.ktype[request.nktypes];request.nktypes++);
if (ktypes) {
- int i, req, next = 0;
- for (req = 0; ktypes[req]; req++) {
- if (ktypes[req] == request.ktype[next]) {
- next++;
- continue;
- }
- for (i = next + 1; i < request.nktypes; i++)
- if (ktypes[req] == request.ktype[i]) {
- /* Found the enctype we want, but not in the
- position we want. Move it, but keep the old
- one from the desired slot around in case it's
- later in our requested-ktypes list. */
- krb5_enctype t;
- t = request.ktype[next];
- request.ktype[next] = request.ktype[i];
- request.ktype[i] = t;
- next++;
- break;
- }
- /* If we didn't find it, don't do anything special, just
- drop it. */
- }
- request.ktype[next] = 0;
- request.nktypes = next;
+ int i, req, next = 0;
+ for (req = 0; ktypes[req]; req++) {
+ if (ktypes[req] == request.ktype[next]) {
+ next++;
+ continue;
+ }
+ for (i = next + 1; i < request.nktypes; i++)
+ if (ktypes[req] == request.ktype[i]) {
+ /* Found the enctype we want, but not in the
+ position we want. Move it, but keep the old
+ one from the desired slot around in case it's
+ later in our requested-ktypes list. */
+ krb5_enctype t;
+ t = request.ktype[next];
+ request.ktype[next] = request.ktype[i];
+ request.ktype[i] = t;
+ next++;
+ break;
+ }
+ /* If we didn't find it, don't do anything special, just
+ drop it. */
+ }
+ request.ktype[next] = 0;
+ request.nktypes = next;
}
request.authorization_data.ciphertext.length = 0;
request.authorization_data.ciphertext.data = 0;
@@ -662,153 +663,153 @@ krb5_get_in_tkt(krb5_context context,
* preauth_to_use list.
*/
if (ptypes) {
- retval = make_preauth_list(context, ptypes, -1, &preauth_to_use);
- if (retval)
- goto cleanup;
+ retval = make_preauth_list(context, ptypes, -1, &preauth_to_use);
+ if (retval)
+ goto cleanup;
}
-
+
is_tgt_req = tgt_is_local_realm(creds);
while (1) {
- if (loopcount++ > MAX_IN_TKT_LOOPS) {
- retval = KRB5_GET_IN_TKT_LOOP;
- goto cleanup;
- }
+ if (loopcount++ > MAX_IN_TKT_LOOPS) {
+ retval = KRB5_GET_IN_TKT_LOOP;
+ goto cleanup;
+ }
#if APPLE_PKINIT
- inTktDebug("krb5_get_in_tkt calling krb5_obtain_padata\n");
+ inTktDebug("krb5_get_in_tkt calling krb5_obtain_padata\n");
#endif /* APPLE_PKINIT */
- if ((retval = krb5_obtain_padata(context, preauth_to_use, key_proc,
- keyseed, creds, &request)) != 0)
- goto cleanup;
- if (preauth_to_use)
- krb5_free_pa_data(context, preauth_to_use);
- preauth_to_use = 0;
-
- err_reply = 0;
- as_reply = 0;
+ if ((retval = krb5_obtain_padata(context, preauth_to_use, key_proc,
+ keyseed, creds, &request)) != 0)
+ goto cleanup;
+ if (preauth_to_use)
+ krb5_free_pa_data(context, preauth_to_use);
+ preauth_to_use = 0;
+
+ err_reply = 0;
+ as_reply = 0;
if ((retval = krb5_timeofday(context, &time_now)))
- goto cleanup;
+ goto cleanup;
/*
* XXX we know they are the same size... and we should do
* something better than just the current time
*/
- request.nonce = (krb5_int32) time_now;
-
- if ((retval = encode_krb5_as_req(&request, &encoded_request)) != 0)
- goto cleanup;
- retval = send_as_request(context, encoded_request,
- krb5_princ_realm(context, request.client), &err_reply,
- &as_reply, &use_master);
- krb5_free_data(context, encoded_request);
- if (retval != 0)
- goto cleanup;
-
- if (err_reply) {
- if (err_reply->error == KDC_ERR_PREAUTH_REQUIRED &&
- err_reply->e_data.length > 0) {
- retval = decode_krb5_padata_sequence(&err_reply->e_data,
- &preauth_to_use);
- krb5_free_error(context, err_reply);
- if (retval)
- goto cleanup;
+ request.nonce = (krb5_int32) time_now;
+
+ if ((retval = encode_krb5_as_req(&request, &encoded_request)) != 0)
+ goto cleanup;
+ retval = send_as_request(context, encoded_request,
+ krb5_princ_realm(context, request.client), &err_reply,
+ &as_reply, &use_master);
+ krb5_free_data(context, encoded_request);
+ if (retval != 0)
+ goto cleanup;
+
+ if (err_reply) {
+ if (err_reply->error == KDC_ERR_PREAUTH_REQUIRED &&
+ err_reply->e_data.length > 0) {
+ retval = decode_krb5_padata_sequence(&err_reply->e_data,
+ &preauth_to_use);
+ krb5_free_error(context, err_reply);
+ if (retval)
+ goto cleanup;
retval = sort_krb5_padata_sequence(context,
- &request.server->realm,
- preauth_to_use);
- if (retval)
- goto cleanup;
- continue;
- } else if (canon_flag && err_reply->error == KDC_ERR_WRONG_REALM) {
- if (++referral_count > KRB5_REFERRAL_MAXHOPS ||
- err_reply->client == NULL ||
- err_reply->client->realm.length == 0) {
- retval = KRB5KDC_ERR_WRONG_REALM;
- krb5_free_error(context, err_reply);
- goto cleanup;
- }
- /* Rewrite request.client with realm from error reply */
- if (referred_client.realm.data) {
- krb5_free_data_contents(context, &referred_client.realm);
- referred_client.realm.data = NULL;
- }
- retval = krb5int_copy_data_contents(context,
- &err_reply->client->realm,
- &referred_client.realm);
- krb5_free_error(context, err_reply);
- if (retval)
- goto cleanup;
- request.client = &referred_client;
-
- if (referred_server != NULL) {
- krb5_free_principal(context, referred_server);
- referred_server = NULL;
- }
-
- retval = rewrite_server_realm(context,
- creds->server,
- &referred_client.realm,
- is_tgt_req,
- &referred_server);
- if (retval)
- goto cleanup;
- request.server = referred_server;
-
- continue;
- } else {
- retval = (krb5_error_code) err_reply->error
- + ERROR_TABLE_BASE_krb5;
- krb5_free_error(context, err_reply);
- goto cleanup;
- }
- } else if (!as_reply) {
- retval = KRB5KRB_AP_ERR_MSG_TYPE;
- goto cleanup;
- }
- if ((retval = krb5_process_padata(context, &request, as_reply,
- key_proc, keyseed, decrypt_proc,
- &decrypt_key, creds,
- &do_more)) != 0)
- goto cleanup;
-
- if (!do_more)
- break;
+ &request.server->realm,
+ preauth_to_use);
+ if (retval)
+ goto cleanup;
+ continue;
+ } else if (canon_flag && err_reply->error == KDC_ERR_WRONG_REALM) {
+ if (++referral_count > KRB5_REFERRAL_MAXHOPS ||
+ err_reply->client == NULL ||
+ err_reply->client->realm.length == 0) {
+ retval = KRB5KDC_ERR_WRONG_REALM;
+ krb5_free_error(context, err_reply);
+ goto cleanup;
+ }
+ /* Rewrite request.client with realm from error reply */
+ if (referred_client.realm.data) {
+ krb5_free_data_contents(context, &referred_client.realm);
+ referred_client.realm.data = NULL;
+ }
+ retval = krb5int_copy_data_contents(context,
+ &err_reply->client->realm,
+ &referred_client.realm);
+ krb5_free_error(context, err_reply);
+ if (retval)
+ goto cleanup;
+ request.client = &referred_client;
+
+ if (referred_server != NULL) {
+ krb5_free_principal(context, referred_server);
+ referred_server = NULL;
+ }
+
+ retval = rewrite_server_realm(context,
+ creds->server,
+ &referred_client.realm,
+ is_tgt_req,
+ &referred_server);
+ if (retval)
+ goto cleanup;
+ request.server = referred_server;
+
+ continue;
+ } else {
+ retval = (krb5_error_code) err_reply->error
+ + ERROR_TABLE_BASE_krb5;
+ krb5_free_error(context, err_reply);
+ goto cleanup;
+ }
+ } else if (!as_reply) {
+ retval = KRB5KRB_AP_ERR_MSG_TYPE;
+ goto cleanup;
+ }
+ if ((retval = krb5_process_padata(context, &request, as_reply,
+ key_proc, keyseed, decrypt_proc,
+ &decrypt_key, creds,
+ &do_more)) != 0)
+ goto cleanup;
+
+ if (!do_more)
+ break;
}
-
+
if ((retval = decrypt_as_reply(context, &request, as_reply, key_proc,
- keyseed, decrypt_key, decrypt_proc,
- decryptarg)))
- goto cleanup;
+ keyseed, decrypt_key, decrypt_proc,
+ decryptarg)))
+ goto cleanup;
if ((retval = verify_as_reply(context, time_now, &request, as_reply)))
- goto cleanup;
+ goto cleanup;
if ((retval = stash_as_reply(context, time_now, &request, as_reply,
- creds, ccache)))
- goto cleanup;
+ creds, ccache)))
+ goto cleanup;
cleanup:
if (request.ktype)
- free(request.ktype);
+ free(request.ktype);
if (!addrs && request.addresses)
- krb5_free_addresses(context, request.addresses);
+ krb5_free_addresses(context, request.addresses);
if (request.padata)
- krb5_free_pa_data(context, request.padata);
+ krb5_free_pa_data(context, request.padata);
if (preauth_to_use)
- krb5_free_pa_data(context, preauth_to_use);
+ krb5_free_pa_data(context, preauth_to_use);
if (decrypt_key)
- krb5_free_keyblock(context, decrypt_key);
+ krb5_free_keyblock(context, decrypt_key);
if (as_reply) {
- if (ret_as_reply)
- *ret_as_reply = as_reply;
- else
- krb5_free_kdc_rep(context, as_reply);
+ if (ret_as_reply)
+ *ret_as_reply = as_reply;
+ else
+ krb5_free_kdc_rep(context, as_reply);
}
if (referred_client.realm.data)
- krb5_free_data_contents(context, &referred_client.realm);
+ krb5_free_data_contents(context, &referred_client.realm);
if (referred_server)
- krb5_free_principal(context, referred_server);
+ krb5_free_principal(context, referred_server);
return (retval);
}
@@ -833,13 +834,13 @@ _krb5_conf_boolean(const char *s)
const char *const *p;
for(p=conf_yes; *p; p++) {
- if (!strcasecmp(*p,s))
- return 1;
+ if (!strcasecmp(*p,s))
+ return 1;
}
for(p=conf_no; *p; p++) {
- if (!strcasecmp(*p,s))
- return 0;
+ if (!strcasecmp(*p,s))
+ return 0;
}
/* Default to "no" */
@@ -848,7 +849,7 @@ _krb5_conf_boolean(const char *s)
static krb5_error_code
krb5_libdefault_string(krb5_context context, const krb5_data *realm,
- const char *option, char **ret_value)
+ const char *option, char **ret_value)
{
profile_t profile;
const char *names[5];
@@ -857,25 +858,25 @@ krb5_libdefault_string(krb5_context context, const krb5_data *realm,
char realmstr[1024];
if (realm->length > sizeof(realmstr)-1)
- return(EINVAL);
+ return(EINVAL);
strncpy(realmstr, realm->data, realm->length);
realmstr[realm->length] = '\0';
- if (!context || (context->magic != KV5M_CONTEXT))
- return KV5M_CONTEXT;
+ if (!context || (context->magic != KV5M_CONTEXT))
+ return KV5M_CONTEXT;
profile = context->profile;
-
+
names[0] = KRB5_CONF_LIBDEFAULTS;
/*
* Try number one:
*
* [libdefaults]
- * REALM = {
- * option = <boolean>
- * }
+ * REALM = {
+ * option = <boolean>
+ * }
*/
names[1] = realmstr;
@@ -883,24 +884,24 @@ krb5_libdefault_string(krb5_context context, const krb5_data *realm,
names[3] = 0;
retval = profile_get_values(profile, names, &nameval);
if (retval == 0 && nameval && nameval[0])
- goto goodbye;
+ goto goodbye;
/*
* Try number two:
*
* [libdefaults]
- * option = <boolean>
+ * option = <boolean>
*/
-
+
names[1] = option;
names[2] = 0;
retval = profile_get_values(profile, names, &nameval);
if (retval == 0 && nameval && nameval[0])
- goto goodbye;
+ goto goodbye;
goodbye:
- if (!nameval)
- return(ENOENT);
+ if (!nameval)
+ return(ENOENT);
if (!nameval[0]) {
retval = ENOENT;
@@ -920,7 +921,7 @@ goodbye:
krb5_error_code
krb5_libdefault_boolean(krb5_context context, const krb5_data *realm,
- const char *option, int *ret_value)
+ const char *option, int *ret_value)
{
char *string = NULL;
krb5_error_code retval;
@@ -928,7 +929,7 @@ krb5_libdefault_boolean(krb5_context context, const krb5_data *realm,
retval = krb5_libdefault_string(context, realm, option, &string);
if (retval)
- return(retval);
+ return(retval);
*ret_value = _krb5_conf_boolean(string);
free(string);
@@ -940,7 +941,7 @@ krb5_libdefault_boolean(krb5_context context, const krb5_data *realm,
* libdefaults entry are listed before any others. */
static krb5_error_code
sort_krb5_padata_sequence(krb5_context context, krb5_data *realm,
- krb5_pa_data **padata)
+ krb5_pa_data **padata)
{
int i, j, base;
krb5_error_code ret;
@@ -951,58 +952,58 @@ sort_krb5_padata_sequence(krb5_context context, krb5_data *realm,
int need_free_string = 1;
if ((padata == NULL) || (padata[0] == NULL)) {
- return 0;
+ return 0;
}
ret = krb5_libdefault_string(context, realm, KRB5_CONF_PREFERRED_PREAUTH_TYPES,
- &preauth_types);
+ &preauth_types);
if ((ret != 0) || (preauth_types == NULL)) {
- /* Try to use PKINIT first. */
- preauth_types = "17, 16, 15, 14";
- need_free_string = 0;
+ /* Try to use PKINIT first. */
+ preauth_types = "17, 16, 15, 14";
+ need_free_string = 0;
}
#ifdef DEBUG
fprintf (stderr, "preauth data types before sorting:");
for (i = 0; padata[i]; i++) {
- fprintf (stderr, " %d", padata[i]->pa_type);
+ fprintf (stderr, " %d", padata[i]->pa_type);
}
fprintf (stderr, "\n");
#endif
base = 0;
for (p = preauth_types; *p != '\0';) {
- /* skip whitespace to find an entry */
- p += strspn(p, ", ");
- if (*p != '\0') {
- /* see if we can extract a number */
- l = strtol(p, &q, 10);
- if ((q != NULL) && (q > p)) {
- /* got a valid number; search for a matchin entry */
- for (i = base; padata[i] != NULL; i++) {
- /* bubble the matching entry to the front of the list */
- if (padata[i]->pa_type == l) {
- tmp = padata[i];
- for (j = i; j > base; j--)
- padata[j] = padata[j - 1];
- padata[base] = tmp;
- base++;
- break;
- }
- }
- p = q;
- } else {
- break;
- }
- }
+ /* skip whitespace to find an entry */
+ p += strspn(p, ", ");
+ if (*p != '\0') {
+ /* see if we can extract a number */
+ l = strtol(p, &q, 10);
+ if ((q != NULL) && (q > p)) {
+ /* got a valid number; search for a matchin entry */
+ for (i = base; padata[i] != NULL; i++) {
+ /* bubble the matching entry to the front of the list */
+ if (padata[i]->pa_type == l) {
+ tmp = padata[i];
+ for (j = i; j > base; j--)
+ padata[j] = padata[j - 1];
+ padata[base] = tmp;
+ base++;
+ break;
+ }
+ }
+ p = q;
+ } else {
+ break;
+ }
+ }
}
if (need_free_string)
- free(preauth_types);
+ free(preauth_types);
#ifdef DEBUG
fprintf (stderr, "preauth data types after sorting:");
for (i = 0; padata[i]; i++)
- fprintf (stderr, " %d", padata[i]->pa_type);
+ fprintf (stderr, " %d", padata[i]->pa_type);
fprintf (stderr, "\n");
#endif
@@ -1011,46 +1012,46 @@ sort_krb5_padata_sequence(krb5_context context, krb5_data *realm,
static krb5_error_code
build_in_tkt_name(krb5_context context,
- char *in_tkt_service,
- krb5_const_principal client,
- krb5_principal *server)
+ char *in_tkt_service,
+ krb5_const_principal client,
+ krb5_principal *server)
{
krb5_error_code ret;
*server = NULL;
if (in_tkt_service) {
- /* this is ugly, because so are the data structures involved. I'm
- in the library, so I'm going to manipulate the data structures
- directly, otherwise, it will be worse. */
+ /* this is ugly, because so are the data structures involved. I'm
+ in the library, so I'm going to manipulate the data structures
+ directly, otherwise, it will be worse. */
if ((ret = krb5_parse_name(context, in_tkt_service, server)))
- return ret;
-
- /* stuff the client realm into the server principal.
- realloc if necessary */
- if ((*server)->realm.length < client->realm.length) {
- char *p = realloc((*server)->realm.data,
- client->realm.length);
- if (p == NULL) {
- krb5_free_principal(context, *server);
- *server = NULL;
- return ENOMEM;
- }
- (*server)->realm.data = p;
- }
-
- (*server)->realm.length = client->realm.length;
- memcpy((*server)->realm.data, client->realm.data, client->realm.length);
+ return ret;
+
+ /* stuff the client realm into the server principal.
+ realloc if necessary */
+ if ((*server)->realm.length < client->realm.length) {
+ char *p = realloc((*server)->realm.data,
+ client->realm.length);
+ if (p == NULL) {
+ krb5_free_principal(context, *server);
+ *server = NULL;
+ return ENOMEM;
+ }
+ (*server)->realm.data = p;
+ }
+
+ (*server)->realm.length = client->realm.length;
+ memcpy((*server)->realm.data, client->realm.data, client->realm.length);
} else {
- ret = krb5_build_principal_ext(context, server,
- client->realm.length,
- client->realm.data,
- KRB5_TGS_NAME_SIZE,
- KRB5_TGS_NAME,
- client->realm.length,
- client->realm.data,
- 0);
+ ret = krb5_build_principal_ext(context, server,
+ client->realm.length,
+ client->realm.data,
+ KRB5_TGS_NAME_SIZE,
+ KRB5_TGS_NAME,
+ client->realm.length,
+ client->realm.data,
+ 0);
}
return ret;
}
@@ -1067,22 +1068,22 @@ should_continue_preauth(krb5_ui_4 error, int loopcount)
* currently it does not do so for built-in mechanisms.
*/
return (error == KDC_ERR_PREAUTH_REQUIRED ||
- (error == KDC_ERR_PREAUTH_FAILED && loopcount == 0));
+ (error == KDC_ERR_PREAUTH_FAILED && loopcount == 0));
}
krb5_error_code KRB5_CALLCONV
krb5_get_init_creds(krb5_context context,
- krb5_creds *creds,
- krb5_principal client,
- krb5_prompter_fct prompter,
- void *prompter_data,
- krb5_deltat start_time,
- char *in_tkt_service,
- krb5_gic_opt_ext *options,
- krb5_gic_get_as_key_fct gak_fct,
- void *gak_data,
- int *use_master,
- krb5_kdc_rep **as_reply)
+ krb5_creds *creds,
+ krb5_principal client,
+ krb5_prompter_fct prompter,
+ void *prompter_data,
+ krb5_deltat start_time,
+ char *in_tkt_service,
+ krb5_gic_opt_ext *options,
+ krb5_gic_get_as_key_fct gak_fct,
+ void *gak_data,
+ int *use_master,
+ krb5_kdc_rep **as_reply)
{
krb5_error_code ret;
krb5_kdc_req request;
@@ -1107,7 +1108,7 @@ krb5_get_init_creds(krb5_context context,
krb5_boolean retry = 0;
struct krb5int_fast_request_state *fast_state = NULL;
krb5_pa_data **out_padata = NULL;
-
+
/* initialize everything which will be freed at cleanup */
@@ -1124,14 +1125,14 @@ krb5_get_init_creds(krb5_context context,
as_key.length = 0;
encrypting_key.length = 0;
encrypting_key.contents = NULL;
- salt.length = 0;
+ salt.length = 0;
salt.data = NULL;
- local_as_reply = 0;
+ local_as_reply = 0;
#if APPLE_PKINIT
inTktDebug("krb5_get_init_creds top\n");
#endif /* APPLE_PKINIT */
-
+
err_reply = NULL;
/* referred_client is used to rewrite the client realm for referrals */
@@ -1140,7 +1141,7 @@ krb5_get_init_creds(krb5_context context,
referred_client.realm.length = 0;
ret = krb5int_fast_make_state(context, &fast_state);
if (ret)
- goto cleanup;
+ goto cleanup;
/*
* Set up the basic request structure
@@ -1158,137 +1159,137 @@ krb5_get_init_creds(krb5_context context,
/* forwardable */
if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_FORWARDABLE))
- tempint = options->forwardable;
+ tempint = options->forwardable;
else if ((ret = krb5_libdefault_boolean(context, &client->realm,
- KRB5_CONF_FORWARDABLE, &tempint)) == 0)
- ;
+ KRB5_CONF_FORWARDABLE, &tempint)) == 0)
+ ;
else
- tempint = 0;
+ tempint = 0;
if (tempint)
- request.kdc_options |= KDC_OPT_FORWARDABLE;
+ request.kdc_options |= KDC_OPT_FORWARDABLE;
/* proxiable */
if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_PROXIABLE))
- tempint = options->proxiable;
+ tempint = options->proxiable;
else if ((ret = krb5_libdefault_boolean(context, &client->realm,
- KRB5_CONF_PROXIABLE, &tempint)) == 0)
- ;
+ KRB5_CONF_PROXIABLE, &tempint)) == 0)
+ ;
else
- tempint = 0;
+ tempint = 0;
if (tempint)
- request.kdc_options |= KDC_OPT_PROXIABLE;
+ request.kdc_options |= KDC_OPT_PROXIABLE;
/* canonicalize */
if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_CANONICALIZE))
- tempint = 1;
+ tempint = 1;
else if ((ret = krb5_libdefault_boolean(context, &client->realm,
- KRB5_CONF_CANONICALIZE, &tempint)) == 0)
- ;
+ KRB5_CONF_CANONICALIZE, &tempint)) == 0)
+ ;
else
- tempint = 0;
+ tempint = 0;
if (tempint)
- request.kdc_options |= KDC_OPT_CANONICALIZE;
+ request.kdc_options |= KDC_OPT_CANONICALIZE;
/* allow_postdate */
-
+
if (start_time > 0)
- request.kdc_options |= (KDC_OPT_ALLOW_POSTDATE|KDC_OPT_POSTDATED);
-
+ request.kdc_options |= (KDC_OPT_ALLOW_POSTDATE|KDC_OPT_POSTDATED);
+
/* ticket lifetime */
-
+
if ((ret = krb5_timeofday(context, &request.from)))
- goto cleanup;
+ goto cleanup;
request.from = krb5int_addint32(request.from, start_time);
-
+
if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_TKT_LIFE)) {
tkt_life = options->tkt_life;
} else if ((ret = krb5_libdefault_string(context, &client->realm,
- KRB5_CONF_TICKET_LIFETIME, &tempstr))
- == 0) {
- ret = krb5_string_to_deltat(tempstr, &tkt_life);
- free(tempstr);
- if (ret) {
- goto cleanup;
- }
+ KRB5_CONF_TICKET_LIFETIME, &tempstr))
+ == 0) {
+ ret = krb5_string_to_deltat(tempstr, &tkt_life);
+ free(tempstr);
+ if (ret) {
+ goto cleanup;
+ }
} else {
- /* this used to be hardcoded in kinit.c */
- tkt_life = 24*60*60;
+ /* this used to be hardcoded in kinit.c */
+ tkt_life = 24*60*60;
}
request.till = krb5int_addint32(request.from, tkt_life);
-
+
/* renewable lifetime */
-
+
if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE)) {
- renew_life = options->renew_life;
+ renew_life = options->renew_life;
} else if ((ret = krb5_libdefault_string(context, &client->realm,
- KRB5_CONF_RENEW_LIFETIME, &tempstr))
- == 0) {
- ret = krb5_string_to_deltat(tempstr, &renew_life);
- free(tempstr);
- if (ret) {
- goto cleanup;
- }
+ KRB5_CONF_RENEW_LIFETIME, &tempstr))
+ == 0) {
+ ret = krb5_string_to_deltat(tempstr, &renew_life);
+ free(tempstr);
+ if (ret) {
+ goto cleanup;
+ }
} else {
- renew_life = 0;
+ renew_life = 0;
}
if (renew_life > 0)
- request.kdc_options |= KDC_OPT_RENEWABLE;
-
+ request.kdc_options |= KDC_OPT_RENEWABLE;
+
if (renew_life > 0) {
- request.rtime = krb5int_addint32(request.from, renew_life);
+ request.rtime = krb5int_addint32(request.from, renew_life);
if (request.rtime < request.till) {
/* don't ask for a smaller renewable time than the lifetime */
request.rtime = request.till;
}
/* we are already asking for renewable tickets so strip this option */
- request.kdc_options &= ~(KDC_OPT_RENEWABLE_OK);
+ request.kdc_options &= ~(KDC_OPT_RENEWABLE_OK);
} else {
- request.rtime = 0;
+ request.rtime = 0;
}
-
+
/* client */
request.client = client;
/* per referrals draft, enterprise principals imply canonicalization */
canon_flag = ((request.kdc_options & KDC_OPT_CANONICALIZE) != 0) ||
- client->type == KRB5_NT_ENTERPRISE_PRINCIPAL;
+ client->type == KRB5_NT_ENTERPRISE_PRINCIPAL;
/* service */
if ((ret = build_in_tkt_name(context, in_tkt_service,
- request.client, &request.server)))
- goto cleanup;
+ request.client, &request.server)))
+ goto cleanup;
krb5_preauth_request_context_init(context);
if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST)) {
- request.ktype = options->etype_list;
- request.nktypes = options->etype_list_length;
+ request.ktype = options->etype_list;
+ request.nktypes = options->etype_list_length;
} else if ((ret = krb5_get_default_in_tkt_ktypes(context,
- &request.ktype)) == 0) {
- for (request.nktypes = 0;
- request.ktype[request.nktypes];
- request.nktypes++)
- ;
+ &request.ktype)) == 0) {
+ for (request.nktypes = 0;
+ request.ktype[request.nktypes];
+ request.nktypes++)
+ ;
} else {
- /* there isn't any useful default here. ret is set from above */
- goto cleanup;
+ /* there isn't any useful default here. ret is set from above */
+ goto cleanup;
}
if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST)) {
- request.addresses = options->address_list;
+ request.addresses = options->address_list;
}
/* it would be nice if this parsed out an address list, but
that would be work. */
else if (((ret = krb5_libdefault_boolean(context, &client->realm,
- KRB5_CONF_NOADDRESSES, &tempint)) != 0)
- || (tempint == 1)) {
- ;
+ KRB5_CONF_NOADDRESSES, &tempint)) != 0)
+ || (tempint == 1)) {
+ ;
} else {
- if ((ret = krb5_os_localaddr(context, &request.addresses)))
- goto cleanup;
+ if ((ret = krb5_os_localaddr(context, &request.addresses)))
+ goto cleanup;
}
request.authorization_data.ciphertext.length = 0;
@@ -1299,228 +1300,228 @@ krb5_get_init_creds(krb5_context context,
/* set up the other state. */
if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST)) {
- if ((ret = make_preauth_list(context, options->preauth_list,
- options->preauth_list_length,
- &preauth_to_use)))
- goto cleanup;
+ if ((ret = make_preauth_list(context, options->preauth_list,
+ options->preauth_list_length,
+ &preauth_to_use)))
+ goto cleanup;
}
/* the salt is allocated from somewhere, unless it is from the caller,
then it is a reference */
if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_SALT)) {
- salt = *options->salt;
+ salt = *options->salt;
} else {
- salt.length = SALT_TYPE_AFS_LENGTH;
- salt.data = NULL;
+ salt.length = SALT_TYPE_AFS_LENGTH;
+ salt.data = NULL;
}
/* set the request nonce */
if ((ret = krb5_timeofday(context, &time_now)))
- goto cleanup;
+ goto cleanup;
/*
* XXX we know they are the same size... and we should do
* something better than just the current time
*/
{
- unsigned char random_buf[4];
- krb5_data random_data;
-
- random_data.length = 4;
- random_data.data = (char *)random_buf;
- if (krb5_c_random_make_octets(context, &random_data) == 0)
- /* See RT ticket 3196 at MIT. If we set the high bit, we
- may have compatibility problems with Heimdal, because
- we (incorrectly) encode this value as signed. */
- request.nonce = 0x7fffffff & load_32_n(random_buf);
- else
- /* XXX Yuck. Old version. */
- request.nonce = (krb5_int32) time_now;
+ unsigned char random_buf[4];
+ krb5_data random_data;
+
+ random_data.length = 4;
+ random_data.data = (char *)random_buf;
+ if (krb5_c_random_make_octets(context, &random_data) == 0)
+ /* See RT ticket 3196 at MIT. If we set the high bit, we
+ may have compatibility problems with Heimdal, because
+ we (incorrectly) encode this value as signed. */
+ request.nonce = 0x7fffffff & load_32_n(random_buf);
+ else
+ /* XXX Yuck. Old version. */
+ request.nonce = (krb5_int32) time_now;
}
ret = krb5int_fast_as_armor(context, fast_state, options, &request);
if (ret != 0)
- goto cleanup;
+ goto cleanup;
/* give the preauth plugins a chance to prep the request body */
krb5_preauth_prepare_request(context, options, &request);
ret = krb5int_fast_prep_req_body(context, fast_state,
- &request, &encoded_request_body);
+ &request, &encoded_request_body);
if (ret)
goto cleanup;
get_data_rock.magic = CLIENT_ROCK_MAGIC;
get_data_rock.etype = &etype;
get_data_rock.fast_state = fast_state;
-
+
/* now, loop processing preauth data and talking to the kdc */
for (loopcount = 0; loopcount < MAX_IN_TKT_LOOPS; loopcount++) {
- if (request.padata) {
- krb5_free_pa_data(context, request.padata);
- request.padata = NULL;
- }
- if (!err_reply) {
+ if (request.padata) {
+ krb5_free_pa_data(context, request.padata);
+ request.padata = NULL;
+ }
+ if (!err_reply) {
/* either our first attempt, or retrying after PREAUTH_NEEDED */
- if ((ret = krb5_do_preauth(context,
- &request,
- encoded_request_body,
- encoded_previous_request,
- preauth_to_use, &request.padata,
- &salt, &s2kparams, &etype, &as_key,
- prompter, prompter_data,
- gak_fct, gak_data,
- &get_data_rock, options)))
- goto cleanup;
- if (out_padata) {
- krb5_free_pa_data(context, out_padata);
- out_padata = NULL;
- }
- } else {
- if (preauth_to_use != NULL) {
- /*
- * Retry after an error other than PREAUTH_NEEDED,
- * using e-data to figure out what to change.
- */
- ret = krb5_do_preauth_tryagain(context,
- &request,
- encoded_request_body,
- encoded_previous_request,
- preauth_to_use, &request.padata,
- err_reply,
- &salt, &s2kparams, &etype,
- &as_key,
- prompter, prompter_data,
- gak_fct, gak_data,
- &get_data_rock, options);
- } else {
- /* No preauth supplied, so can't query the plug-ins. */
- ret = KRB5KRB_ERR_GENERIC;
- }
- if (ret) {
- /* couldn't come up with anything better */
- ret = err_reply->error + ERROR_TABLE_BASE_krb5;
- }
- krb5_free_error(context, err_reply);
- err_reply = NULL;
- if (ret)
- goto cleanup;
- }
+ if ((ret = krb5_do_preauth(context,
+ &request,
+ encoded_request_body,
+ encoded_previous_request,
+ preauth_to_use, &request.padata,
+ &salt, &s2kparams, &etype, &as_key,
+ prompter, prompter_data,
+ gak_fct, gak_data,
+ &get_data_rock, options)))
+ goto cleanup;
+ if (out_padata) {
+ krb5_free_pa_data(context, out_padata);
+ out_padata = NULL;
+ }
+ } else {
+ if (preauth_to_use != NULL) {
+ /*
+ * Retry after an error other than PREAUTH_NEEDED,
+ * using e-data to figure out what to change.
+ */
+ ret = krb5_do_preauth_tryagain(context,
+ &request,
+ encoded_request_body,
+ encoded_previous_request,
+ preauth_to_use, &request.padata,
+ err_reply,
+ &salt, &s2kparams, &etype,
+ &as_key,
+ prompter, prompter_data,
+ gak_fct, gak_data,
+ &get_data_rock, options);
+ } else {
+ /* No preauth supplied, so can't query the plug-ins. */
+ ret = KRB5KRB_ERR_GENERIC;
+ }
+ if (ret) {
+ /* couldn't come up with anything better */
+ ret = err_reply->error + ERROR_TABLE_BASE_krb5;
+ }
+ krb5_free_error(context, err_reply);
+ err_reply = NULL;
+ if (ret)
+ goto cleanup;
+ }
if (encoded_previous_request != NULL) {
- krb5_free_data(context, encoded_previous_request);
- encoded_previous_request = NULL;
+ krb5_free_data(context, encoded_previous_request);
+ encoded_previous_request = NULL;
+ }
+ ret = krb5int_fast_prep_req(context, fast_state,
+ &request, encoded_request_body,
+ encode_krb5_as_req, &encoded_previous_request);
+ if (ret)
+ goto cleanup;
+
+ err_reply = 0;
+ local_as_reply = 0;
+ if ((ret = send_as_request(context, encoded_previous_request,
+ krb5_princ_realm(context, request.client), &err_reply,
+ &local_as_reply, use_master)))
+ goto cleanup;
+
+ if (err_reply) {
+ ret = krb5int_fast_process_error(context, fast_state, &err_reply,
+ &out_padata, &retry);
+ if (ret !=0)
+ goto cleanup;
+ if (should_continue_preauth(err_reply->error, loopcount) && retry) {
+ /* reset the list of preauth types to try */
+ if (preauth_to_use) {
+ krb5_free_pa_data(context, preauth_to_use);
+ preauth_to_use = NULL;
+ }
+ preauth_to_use = out_padata;
+ out_padata = NULL;
+ krb5_free_error(context, err_reply);
+ err_reply = NULL;
+ ret = sort_krb5_padata_sequence(context,
+ &request.server->realm,
+ preauth_to_use);
+ if (ret)
+ goto cleanup;
+ /* continue to next iteration */
+ } else if (canon_flag && err_reply->error == KDC_ERR_WRONG_REALM) {
+ if (err_reply->client == NULL ||
+ err_reply->client->realm.length == 0) {
+ ret = KRB5KDC_ERR_WRONG_REALM;
+ krb5_free_error(context, err_reply);
+ goto cleanup;
+ }
+ /* Rewrite request.client with realm from error reply */
+ if (referred_client.realm.data) {
+ krb5_free_data_contents(context, &referred_client.realm);
+ referred_client.realm.data = NULL;
+ }
+ ret = krb5int_copy_data_contents(context,
+ &err_reply->client->realm,
+ &referred_client.realm);
+ krb5_free_error(context, err_reply);
+ err_reply = NULL;
+ if (ret)
+ goto cleanup;
+ request.client = &referred_client;
+
+ krb5_free_principal(context, request.server);
+ request.server = NULL;
+
+ ret = build_in_tkt_name(context, in_tkt_service,
+ request.client, &request.server);
+ if (ret)
+ goto cleanup;
+ } else {
+ if (retry) {
+ /* continue to next iteration */
+ } else {
+ /* error + no hints = give up */
+ ret = (krb5_error_code) err_reply->error
+ + ERROR_TABLE_BASE_krb5;
+ krb5_free_error(context, err_reply);
+ goto cleanup;
+ }
+ }
+ } else if (local_as_reply) {
+ break;
+ } else {
+ ret = KRB5KRB_AP_ERR_MSG_TYPE;
+ goto cleanup;
}
- ret = krb5int_fast_prep_req(context, fast_state,
- &request, encoded_request_body,
- encode_krb5_as_req, &encoded_previous_request);
- if (ret)
- goto cleanup;
-
- err_reply = 0;
- local_as_reply = 0;
- if ((ret = send_as_request(context, encoded_previous_request,
- krb5_princ_realm(context, request.client), &err_reply,
- &local_as_reply, use_master)))
- goto cleanup;
-
- if (err_reply) {
- ret = krb5int_fast_process_error(context, fast_state, &err_reply,
- &out_padata, &retry);
- if (ret !=0)
- goto cleanup;
- if (should_continue_preauth(err_reply->error, loopcount) && retry) {
- /* reset the list of preauth types to try */
- if (preauth_to_use) {
- krb5_free_pa_data(context, preauth_to_use);
- preauth_to_use = NULL;
- }
- preauth_to_use = out_padata;
- out_padata = NULL;
- krb5_free_error(context, err_reply);
- err_reply = NULL;
- ret = sort_krb5_padata_sequence(context,
- &request.server->realm,
- preauth_to_use);
- if (ret)
- goto cleanup;
- /* continue to next iteration */
- } else if (canon_flag && err_reply->error == KDC_ERR_WRONG_REALM) {
- if (err_reply->client == NULL ||
- err_reply->client->realm.length == 0) {
- ret = KRB5KDC_ERR_WRONG_REALM;
- krb5_free_error(context, err_reply);
- goto cleanup;
- }
- /* Rewrite request.client with realm from error reply */
- if (referred_client.realm.data) {
- krb5_free_data_contents(context, &referred_client.realm);
- referred_client.realm.data = NULL;
- }
- ret = krb5int_copy_data_contents(context,
- &err_reply->client->realm,
- &referred_client.realm);
- krb5_free_error(context, err_reply);
- err_reply = NULL;
- if (ret)
- goto cleanup;
- request.client = &referred_client;
-
- krb5_free_principal(context, request.server);
- request.server = NULL;
-
- ret = build_in_tkt_name(context, in_tkt_service,
- request.client, &request.server);
- if (ret)
- goto cleanup;
- } else {
- if (retry) {
- /* continue to next iteration */
- } else {
- /* error + no hints = give up */
- ret = (krb5_error_code) err_reply->error
- + ERROR_TABLE_BASE_krb5;
- krb5_free_error(context, err_reply);
- goto cleanup;
- }
- }
- } else if (local_as_reply) {
- break;
- } else {
- ret = KRB5KRB_AP_ERR_MSG_TYPE;
- goto cleanup;
- }
}
#if APPLE_PKINIT
inTktDebug("krb5_get_init_creds done with send_as_request loop lc %d\n",
- (int)loopcount);
+ (int)loopcount);
#endif /* APPLE_PKINIT */
if (loopcount == MAX_IN_TKT_LOOPS) {
- ret = KRB5_GET_IN_TKT_LOOP;
- goto cleanup;
+ ret = KRB5_GET_IN_TKT_LOOP;
+ goto cleanup;
}
/* process any preauth data in the as_reply */
krb5_clear_preauth_context_use_counts(context);
ret = krb5int_fast_process_response(context, fast_state,
- local_as_reply, &strengthen_key);
+ local_as_reply, &strengthen_key);
if (ret)
- goto cleanup;
+ goto cleanup;
if ((ret = sort_krb5_padata_sequence(context, &request.server->realm,
- local_as_reply->padata)))
- goto cleanup;
+ local_as_reply->padata)))
+ goto cleanup;
etype = local_as_reply->enc_part.enctype;
if ((ret = krb5_do_preauth(context,
- &request,
- encoded_request_body, encoded_previous_request,
- local_as_reply->padata, &kdc_padata,
- &salt, &s2kparams, &etype, &as_key, prompter,
- prompter_data, gak_fct, gak_data,
- &get_data_rock, options))) {
+ &request,
+ encoded_request_body, encoded_previous_request,
+ local_as_reply->padata, &kdc_padata,
+ &salt, &s2kparams, &etype, &as_key, prompter,
+ prompter_data, gak_fct, gak_data,
+ &get_data_rock, options))) {
#if APPLE_PKINIT
inTktDebug("krb5_get_init_creds krb5_do_preauth returned %d\n", (int)ret);
#endif /* APPLE_PKINIT */
- goto cleanup;
- }
+ goto cleanup;
+ }
/*
* If we haven't gotten a salt from another source yet, set up one
@@ -1533,9 +1534,9 @@ krb5_get_init_creds(krb5_context context,
* verify_as_reply.
*/
if (salt.length == SALT_TYPE_AFS_LENGTH && salt.data == NULL) {
- ret = krb5_principal2salt(context, local_as_reply->client, &salt);
- if (ret)
- goto cleanup;
+ ret = krb5_principal2salt(context, local_as_reply->client, &salt);
+ if (ret)
+ goto cleanup;
}
/* XXX For 1.1.1 and prior KDC's, when SAM is used w/ USE_SAD_AS_KEY,
@@ -1543,7 +1544,7 @@ krb5_get_init_creds(krb5_context context,
instead of in the SAD. If there was a SAM preauth, there
will be an as_key here which will be the SAD. If that fails,
use the gak_fct to get the password, and try again. */
-
+
/* XXX because etypes are handled poorly (particularly wrt SAM,
where the etype is fixed by the kdc), we may want to try
decrypt_as_reply twice. If there's an as_key available, try
@@ -1551,37 +1552,37 @@ krb5_get_init_creds(krb5_context context,
as_key at all yet, then use the gak_fct to get one, and try
again. */
if (as_key.length) {
- ret = krb5int_fast_reply_key(context, strengthen_key, &as_key,
- &encrypting_key);
- if (ret)
- goto cleanup;
- ret = decrypt_as_reply(context, NULL, local_as_reply, NULL,
- NULL, &encrypting_key, krb5_kdc_rep_decrypt_proc,
- NULL);
+ ret = krb5int_fast_reply_key(context, strengthen_key, &as_key,
+ &encrypting_key);
+ if (ret)
+ goto cleanup;
+ ret = decrypt_as_reply(context, NULL, local_as_reply, NULL,
+ NULL, &encrypting_key, krb5_kdc_rep_decrypt_proc,
+ NULL);
} else
- ret = -1;
-
+ ret = -1;
+
if (ret) {
- /* if we haven't get gotten a key, get it now */
-
- if ((ret = ((*gak_fct)(context, request.client,
- local_as_reply->enc_part.enctype,
- prompter, prompter_data, &salt, &s2kparams,
- &as_key, gak_data))))
- goto cleanup;
-
- ret = krb5int_fast_reply_key(context, strengthen_key, &as_key,
- &encrypting_key);
- if (ret)
- goto cleanup;
- if ((ret = decrypt_as_reply(context, NULL, local_as_reply, NULL,
- NULL, &encrypting_key, krb5_kdc_rep_decrypt_proc,
- NULL)))
- goto cleanup;
+ /* if we haven't get gotten a key, get it now */
+
+ if ((ret = ((*gak_fct)(context, request.client,
+ local_as_reply->enc_part.enctype,
+ prompter, prompter_data, &salt, &s2kparams,
+ &as_key, gak_data))))
+ goto cleanup;
+
+ ret = krb5int_fast_reply_key(context, strengthen_key, &as_key,
+ &encrypting_key);
+ if (ret)
+ goto cleanup;
+ if ((ret = decrypt_as_reply(context, NULL, local_as_reply, NULL,
+ NULL, &encrypting_key, krb5_kdc_rep_decrypt_proc,
+ NULL)))
+ goto cleanup;
}
if ((ret = verify_as_reply(context, time_now, &request, local_as_reply)))
- goto cleanup;
+ goto cleanup;
/* XXX this should be inside stash_as_reply, but as long as
get_in_tkt is still around using that arg as an in/out, I can't
@@ -1589,8 +1590,8 @@ krb5_get_init_creds(krb5_context context,
memset(creds, 0, sizeof(*creds));
if ((ret = stash_as_reply(context, time_now, &request, local_as_reply,
- creds, NULL)))
- goto cleanup;
+ creds, NULL)))
+ goto cleanup;
/* success */
@@ -1598,65 +1599,65 @@ krb5_get_init_creds(krb5_context context,
cleanup:
if (ret != 0) {
- char *client_name;
- /* See if we can produce a more detailed error message. */
- switch (ret) {
- case KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN:
- client_name = NULL;
- if (krb5_unparse_name(context, client, &client_name) == 0) {
- krb5_set_error_message(context, ret,
- "Client '%s' not found in Kerberos database",
- client_name);
- free(client_name);
- }
- break;
- default:
- break;
- }
+ char *client_name;
+ /* See if we can produce a more detailed error message. */
+ switch (ret) {
+ case KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN:
+ client_name = NULL;
+ if (krb5_unparse_name(context, client, &client_name) == 0) {
+ krb5_set_error_message(context, ret,
+ "Client '%s' not found in Kerberos database",
+ client_name);
+ free(client_name);
+ }
+ break;
+ default:
+ break;
+ }
}
krb5_preauth_request_context_fini(context);
- krb5_free_keyblock(context, strengthen_key);
- if (encrypting_key.contents)
- krb5_free_keyblock_contents(context, &encrypting_key);
- if (fast_state)
- krb5int_fast_free_state(context, fast_state);
+ krb5_free_keyblock(context, strengthen_key);
+ if (encrypting_key.contents)
+ krb5_free_keyblock_contents(context, &encrypting_key);
+ if (fast_state)
+ krb5int_fast_free_state(context, fast_state);
if (out_padata)
- krb5_free_pa_data(context, out_padata);
+ krb5_free_pa_data(context, out_padata);
if (encoded_previous_request != NULL) {
- krb5_free_data(context, encoded_previous_request);
- encoded_previous_request = NULL;
+ krb5_free_data(context, encoded_previous_request);
+ encoded_previous_request = NULL;
}
if (encoded_request_body != NULL) {
- krb5_free_data(context, encoded_request_body);
- encoded_request_body = NULL;
+ krb5_free_data(context, encoded_request_body);
+ encoded_request_body = NULL;
}
if (request.server)
- krb5_free_principal(context, request.server);
+ krb5_free_principal(context, request.server);
if (request.ktype &&
- (!(options && (options->flags & KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST))))
- free(request.ktype);
+ (!(options && (options->flags & KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST))))
+ free(request.ktype);
if (request.addresses &&
- (!(options &&
- (options->flags & KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST))))
- krb5_free_addresses(context, request.addresses);
+ (!(options &&
+ (options->flags & KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST))))
+ krb5_free_addresses(context, request.addresses);
if (preauth_to_use)
- krb5_free_pa_data(context, preauth_to_use);
+ krb5_free_pa_data(context, preauth_to_use);
if (kdc_padata)
- krb5_free_pa_data(context, kdc_padata);
+ krb5_free_pa_data(context, kdc_padata);
if (request.padata)
- krb5_free_pa_data(context, request.padata);
+ krb5_free_pa_data(context, request.padata);
if (as_key.length)
- krb5_free_keyblock_contents(context, &as_key);
+ krb5_free_keyblock_contents(context, &as_key);
if (salt.data &&
- (!(options && (options->flags & KRB5_GET_INIT_CREDS_OPT_SALT))))
- free(salt.data);
+ (!(options && (options->flags & KRB5_GET_INIT_CREDS_OPT_SALT))))
+ free(salt.data);
krb5_free_data_contents(context, &s2kparams);
if (as_reply)
- *as_reply = local_as_reply;
+ *as_reply = local_as_reply;
else if (local_as_reply)
- krb5_free_kdc_rep(context, local_as_reply);
+ krb5_free_kdc_rep(context, local_as_reply);
if (referred_client.realm.data)
- krb5_free_data_contents(context, &referred_client.realm);
+ krb5_free_data_contents(context, &referred_client.realm);
return(ret);
}
diff --git a/src/lib/krb5/krb/gic_keytab.c b/src/lib/krb5/krb/gic_keytab.c
index 33db552781..ab064ebcd3 100644
--- a/src/lib/krb5/krb/gic_keytab.c
+++ b/src/lib/krb5/krb/gic_keytab.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/gic_keytab.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -23,7 +24,7 @@
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
*/
-#ifndef LEAN_CLIENT
+#ifndef LEAN_CLIENT
#include "k5-int.h"
@@ -49,20 +50,20 @@ krb5_get_as_key_keytab(
a new one. */
if (as_key->length) {
- if (as_key->enctype == etype)
- return(0);
+ if (as_key->enctype == etype)
+ return(0);
- krb5_free_keyblock_contents(context, as_key);
- as_key->length = 0;
+ krb5_free_keyblock_contents(context, as_key);
+ as_key->length = 0;
}
if (!krb5_c_valid_enctype(etype))
- return(KRB5_PROG_ETYPE_NOSUPP);
+ return(KRB5_PROG_ETYPE_NOSUPP);
if ((ret = krb5_kt_get_entry(context, keytab, client,
- 0, /* don't have vno available */
- etype, &kt_ent)))
- return(ret);
+ 0, /* don't have vno available */
+ etype, &kt_ent)))
+ return(ret);
ret = krb5_copy_keyblock(context, &kt_ent.key, &kt_key);
@@ -78,93 +79,93 @@ krb5_get_as_key_keytab(
krb5_error_code KRB5_CALLCONV
krb5_get_init_creds_keytab(krb5_context context,
- krb5_creds *creds,
- krb5_principal client,
- krb5_keytab arg_keytab,
- krb5_deltat start_time,
- char *in_tkt_service,
- krb5_get_init_creds_opt *options)
+ krb5_creds *creds,
+ krb5_principal client,
+ krb5_keytab arg_keytab,
+ krb5_deltat start_time,
+ char *in_tkt_service,
+ krb5_get_init_creds_opt *options)
{
- krb5_error_code ret, ret2;
- int use_master;
- krb5_keytab keytab;
- krb5_gic_opt_ext *opte = NULL;
+ krb5_error_code ret, ret2;
+ int use_master;
+ krb5_keytab keytab;
+ krb5_gic_opt_ext *opte = NULL;
+
+ if (arg_keytab == NULL) {
+ if ((ret = krb5_kt_default(context, &keytab)))
+ return ret;
+ } else {
+ keytab = arg_keytab;
+ }
- if (arg_keytab == NULL) {
- if ((ret = krb5_kt_default(context, &keytab)))
- return ret;
- } else {
- keytab = arg_keytab;
- }
+ ret = krb5int_gic_opt_to_opte(context, options, &opte, 1,
+ "krb5_get_init_creds_keytab");
+ if (ret)
+ return ret;
- ret = krb5int_gic_opt_to_opte(context, options, &opte, 1,
- "krb5_get_init_creds_keytab");
- if (ret)
- return ret;
+ use_master = 0;
- use_master = 0;
+ /* first try: get the requested tkt from any kdc */
- /* first try: get the requested tkt from any kdc */
+ ret = krb5_get_init_creds(context, creds, client, NULL, NULL,
+ start_time, in_tkt_service, opte,
+ krb5_get_as_key_keytab, (void *) keytab,
+ &use_master,NULL);
- ret = krb5_get_init_creds(context, creds, client, NULL, NULL,
- start_time, in_tkt_service, opte,
- krb5_get_as_key_keytab, (void *) keytab,
- &use_master,NULL);
+ /* check for success */
- /* check for success */
+ if (ret == 0)
+ goto cleanup;
- if (ret == 0)
- goto cleanup;
+ /* If all the kdc's are unavailable fail */
- /* If all the kdc's are unavailable fail */
+ if ((ret == KRB5_KDC_UNREACH) || (ret == KRB5_REALM_CANT_RESOLVE))
+ goto cleanup;
- if ((ret == KRB5_KDC_UNREACH) || (ret == KRB5_REALM_CANT_RESOLVE))
- goto cleanup;
+ /* if the reply did not come from the master kdc, try again with
+ the master kdc */
- /* if the reply did not come from the master kdc, try again with
- the master kdc */
+ if (!use_master) {
+ use_master = 1;
- if (!use_master) {
- use_master = 1;
+ ret2 = krb5_get_init_creds(context, creds, client, NULL, NULL,
+ start_time, in_tkt_service, opte,
+ krb5_get_as_key_keytab, (void *) keytab,
+ &use_master, NULL);
- ret2 = krb5_get_init_creds(context, creds, client, NULL, NULL,
- start_time, in_tkt_service, opte,
- krb5_get_as_key_keytab, (void *) keytab,
- &use_master, NULL);
-
- if (ret2 == 0) {
- ret = 0;
- goto cleanup;
- }
+ if (ret2 == 0) {
+ ret = 0;
+ goto cleanup;
+ }
- /* if the master is unreachable, return the error from the
- slave we were able to contact */
+ /* if the master is unreachable, return the error from the
+ slave we were able to contact */
- if ((ret2 == KRB5_KDC_UNREACH) ||
- (ret2 == KRB5_REALM_CANT_RESOLVE) ||
- (ret2 == KRB5_REALM_UNKNOWN))
- goto cleanup;
+ if ((ret2 == KRB5_KDC_UNREACH) ||
+ (ret2 == KRB5_REALM_CANT_RESOLVE) ||
+ (ret2 == KRB5_REALM_UNKNOWN))
+ goto cleanup;
- ret = ret2;
- }
+ ret = ret2;
+ }
- /* at this point, we have a response from the master. Since we don't
- do any prompting or changing for keytabs, that's it. */
+ /* at this point, we have a response from the master. Since we don't
+ do any prompting or changing for keytabs, that's it. */
cleanup:
- if (opte && krb5_gic_opt_is_shadowed(opte))
- krb5_get_init_creds_opt_free(context, (krb5_get_init_creds_opt *)opte);
- if (arg_keytab == NULL)
- krb5_kt_close(context, keytab);
+ if (opte && krb5_gic_opt_is_shadowed(opte))
+ krb5_get_init_creds_opt_free(context, (krb5_get_init_creds_opt *)opte);
+ if (arg_keytab == NULL)
+ krb5_kt_close(context, keytab);
- return(ret);
+ return(ret);
}
krb5_error_code KRB5_CALLCONV
krb5_get_in_tkt_with_keytab(krb5_context context, krb5_flags options,
- krb5_address *const *addrs, krb5_enctype *ktypes,
- krb5_preauthtype *pre_auth_types,
- krb5_keytab arg_keytab, krb5_ccache ccache,
- krb5_creds *creds, krb5_kdc_rep **ret_as_reply)
+ krb5_address *const *addrs, krb5_enctype *ktypes,
+ krb5_preauthtype *pre_auth_types,
+ krb5_keytab arg_keytab, krb5_ccache ccache,
+ krb5_creds *creds, krb5_kdc_rep **ret_as_reply)
{
krb5_error_code retval;
krb5_gic_opt_ext *opte;
@@ -172,49 +173,48 @@ krb5_get_in_tkt_with_keytab(krb5_context context, krb5_flags options,
krb5_keytab keytab;
krb5_principal client_princ, server_princ;
int use_master = 0;
-
+
retval = krb5int_populate_gic_opt(context, &opte,
- options, addrs, ktypes,
- pre_auth_types, creds);
+ options, addrs, ktypes,
+ pre_auth_types, creds);
if (retval)
- return retval;
+ return retval;
if (arg_keytab == NULL) {
- retval = krb5_kt_default(context, &keytab);
- if (retval)
- return retval;
+ retval = krb5_kt_default(context, &keytab);
+ if (retval)
+ return retval;
}
else keytab = arg_keytab;
-
+
retval = krb5_unparse_name( context, creds->server, &server);
if (retval)
- goto cleanup;
+ goto cleanup;
server_princ = creds->server;
client_princ = creds->client;
retval = krb5_get_init_creds (context,
- creds, creds->client,
- krb5_prompter_posix, NULL,
- 0, server, opte,
- krb5_get_as_key_keytab, (void *)keytab,
- &use_master, ret_as_reply);
+ creds, creds->client,
+ krb5_prompter_posix, NULL,
+ 0, server, opte,
+ krb5_get_as_key_keytab, (void *)keytab,
+ &use_master, ret_as_reply);
krb5_free_unparsed_name( context, server);
krb5_get_init_creds_opt_free(context, (krb5_get_init_creds_opt *)opte);
if (retval) {
- goto cleanup;
+ goto cleanup;
}
krb5_free_principal(context, creds->server);
krb5_free_principal(context, creds->client);
- creds->client = client_princ;
- creds->server = server_princ;
-
+ creds->client = client_princ;
+ creds->server = server_princ;
+
/* store it in the ccache! */
if (ccache)
- if ((retval = krb5_cc_store_cred(context, ccache, creds)))
- goto cleanup;
- cleanup: if (arg_keytab == NULL)
- krb5_kt_close(context, keytab);
+ if ((retval = krb5_cc_store_cred(context, ccache, creds)))
+ goto cleanup;
+cleanup: if (arg_keytab == NULL)
+ krb5_kt_close(context, keytab);
return retval;
}
#endif /* LEAN_CLIENT */
-
diff --git a/src/lib/krb5/krb/gic_opt.c b/src/lib/krb5/krb/gic_opt.c
index 72203f0e70..bff45392f1 100644
--- a/src/lib/krb5/krb/gic_opt.c
+++ b/src/lib/krb5/krb/gic_opt.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
#include "k5-int.h"
#include "int-proto.h"
@@ -17,77 +18,77 @@ krb5_get_init_creds_opt_init(krb5_get_init_creds_opt *opt)
void KRB5_CALLCONV
krb5_get_init_creds_opt_set_tkt_life(krb5_get_init_creds_opt *opt, krb5_deltat tkt_life)
{
- opt->flags |= KRB5_GET_INIT_CREDS_OPT_TKT_LIFE;
- opt->tkt_life = tkt_life;
+ opt->flags |= KRB5_GET_INIT_CREDS_OPT_TKT_LIFE;
+ opt->tkt_life = tkt_life;
}
void KRB5_CALLCONV
krb5_get_init_creds_opt_set_renew_life(krb5_get_init_creds_opt *opt, krb5_deltat renew_life)
{
- opt->flags |= KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE;
- opt->renew_life = renew_life;
+ opt->flags |= KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE;
+ opt->renew_life = renew_life;
}
void KRB5_CALLCONV
krb5_get_init_creds_opt_set_forwardable(krb5_get_init_creds_opt *opt, int forwardable)
{
- opt->flags |= KRB5_GET_INIT_CREDS_OPT_FORWARDABLE;
- opt->forwardable = forwardable;
+ opt->flags |= KRB5_GET_INIT_CREDS_OPT_FORWARDABLE;
+ opt->forwardable = forwardable;
}
void KRB5_CALLCONV
krb5_get_init_creds_opt_set_proxiable(krb5_get_init_creds_opt *opt, int proxiable)
{
- opt->flags |= KRB5_GET_INIT_CREDS_OPT_PROXIABLE;
- opt->proxiable = proxiable;
+ opt->flags |= KRB5_GET_INIT_CREDS_OPT_PROXIABLE;
+ opt->proxiable = proxiable;
}
void KRB5_CALLCONV
krb5_get_init_creds_opt_set_canonicalize(krb5_get_init_creds_opt *opt, int canonicalize)
{
if (canonicalize)
- opt->flags |= KRB5_GET_INIT_CREDS_OPT_CANONICALIZE;
+ opt->flags |= KRB5_GET_INIT_CREDS_OPT_CANONICALIZE;
else
- opt->flags &= ~(KRB5_GET_INIT_CREDS_OPT_CANONICALIZE);
+ opt->flags &= ~(KRB5_GET_INIT_CREDS_OPT_CANONICALIZE);
}
void KRB5_CALLCONV
krb5_get_init_creds_opt_set_etype_list(krb5_get_init_creds_opt *opt, krb5_enctype *etype_list, int etype_list_length)
{
- opt->flags |= KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST;
- opt->etype_list = etype_list;
- opt->etype_list_length = etype_list_length;
+ opt->flags |= KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST;
+ opt->etype_list = etype_list;
+ opt->etype_list_length = etype_list_length;
}
void KRB5_CALLCONV
krb5_get_init_creds_opt_set_address_list(krb5_get_init_creds_opt *opt, krb5_address **addresses)
{
- opt->flags |= KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST;
- opt->address_list = addresses;
+ opt->flags |= KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST;
+ opt->address_list = addresses;
}
void KRB5_CALLCONV
krb5_get_init_creds_opt_set_preauth_list(krb5_get_init_creds_opt *opt, krb5_preauthtype *preauth_list, int preauth_list_length)
{
- opt->flags |= KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST;
- opt->preauth_list = preauth_list;
- opt->preauth_list_length = preauth_list_length;
+ opt->flags |= KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST;
+ opt->preauth_list = preauth_list;
+ opt->preauth_list_length = preauth_list_length;
}
void KRB5_CALLCONV
krb5_get_init_creds_opt_set_salt(krb5_get_init_creds_opt *opt, krb5_data *salt)
{
- opt->flags |= KRB5_GET_INIT_CREDS_OPT_SALT;
- opt->salt = salt;
+ opt->flags |= KRB5_GET_INIT_CREDS_OPT_SALT;
+ opt->salt = salt;
}
void KRB5_CALLCONV
krb5_get_init_creds_opt_set_change_password_prompt(krb5_get_init_creds_opt *opt, int prompt)
{
- if (prompt)
- opt->flags |= KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT;
- else
- opt->flags &= ~KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT;
+ if (prompt)
+ opt->flags |= KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT;
+ else
+ opt->flags &= ~KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT;
}
/*
@@ -109,7 +110,7 @@ krb5_get_init_creds_opt_set_change_password_prompt(krb5_get_init_creds_opt *opt,
* with the new krb5_get_init_creds_opt_alloc() function.
* KRB5_GET_INIT_CREDS_OPT_SHADOWED is set to indicate that the extended
* structure is a shadow copy of an original krb5_get_init_creds_opt
- * structure.
+ * structure.
* If KRB5_GET_INIT_CREDS_OPT_SHADOWED is set after a call to
* krb5int_gic_opt_to_opte(), the resulting extended structure should be
* freed (using krb5_get_init_creds_free). Otherwise, the original
@@ -119,17 +120,17 @@ krb5_get_init_creds_opt_set_change_password_prompt(krb5_get_init_creds_opt *opt,
/* Forward prototype */
static void
free_gic_opt_ext_preauth_data(krb5_context context,
- krb5_gic_opt_ext *opte);
+ krb5_gic_opt_ext *opte);
static krb5_error_code
krb5int_gic_opte_private_alloc(krb5_context context, krb5_gic_opt_ext *opte)
{
if (NULL == opte || !krb5_gic_opt_is_extended(opte))
- return EINVAL;
+ return EINVAL;
opte->opt_private = calloc(1, sizeof(*opte->opt_private));
if (NULL == opte->opt_private) {
- return ENOMEM;
+ return ENOMEM;
}
/* Allocate any private stuff */
opte->opt_private->num_preauth_data = 0;
@@ -141,13 +142,13 @@ static krb5_error_code
krb5int_gic_opte_private_free(krb5_context context, krb5_gic_opt_ext *opte)
{
if (NULL == opte || !krb5_gic_opt_is_extended(opte))
- return EINVAL;
-
+ return EINVAL;
+
/* Free up any private stuff */
if (opte->opt_private->preauth_data != NULL)
- free_gic_opt_ext_preauth_data(context, opte);
+ free_gic_opt_ext_preauth_data(context, opte);
if (opte->opt_private->fast_ccache_name)
- free(opte->opt_private->fast_ccache_name);
+ free(opte->opt_private->fast_ccache_name);
free(opte->opt_private);
opte->opt_private = NULL;
return 0;
@@ -161,27 +162,27 @@ krb5int_gic_opte_alloc(krb5_context context)
opte = calloc(1, sizeof(*opte));
if (NULL == opte)
- return NULL;
+ return NULL;
opte->flags = KRB5_GET_INIT_CREDS_OPT_EXTENDED;
code = krb5int_gic_opte_private_alloc(context, opte);
if (code) {
- krb5int_set_error(&context->err, code,
- "krb5int_gic_opte_alloc: krb5int_gic_opte_private_alloc failed");
- free(opte);
- return NULL;
+ krb5int_set_error(&context->err, code,
+ "krb5int_gic_opte_alloc: krb5int_gic_opte_private_alloc failed");
+ free(opte);
+ return NULL;
}
return(opte);
}
krb5_error_code KRB5_CALLCONV
krb5_get_init_creds_opt_alloc(krb5_context context,
- krb5_get_init_creds_opt **opt)
+ krb5_get_init_creds_opt **opt)
{
krb5_gic_opt_ext *opte;
if (NULL == opt)
- return EINVAL;
+ return EINVAL;
*opt = NULL;
/*
@@ -189,7 +190,7 @@ krb5_get_init_creds_opt_alloc(krb5_context context,
*/
opte = krb5int_gic_opte_alloc(context);
if (NULL == opte)
- return ENOMEM;
+ return ENOMEM;
*opt = (krb5_get_init_creds_opt *) opte;
init_common(*opt);
@@ -198,47 +199,47 @@ krb5_get_init_creds_opt_alloc(krb5_context context,
void KRB5_CALLCONV
krb5_get_init_creds_opt_free(krb5_context context,
- krb5_get_init_creds_opt *opt)
+ krb5_get_init_creds_opt *opt)
{
krb5_gic_opt_ext *opte;
if (NULL == opt)
- return;
+ return;
/* Don't touch it if we didn't allocate it */
if (!krb5_gic_opt_is_extended(opt))
- return;
-
+ return;
+
opte = (krb5_gic_opt_ext *)opt;
if (opte->opt_private)
- krb5int_gic_opte_private_free(context, opte);
+ krb5int_gic_opte_private_free(context, opte);
free(opte);
}
static krb5_error_code
krb5int_gic_opte_copy(krb5_context context,
- krb5_get_init_creds_opt *opt,
- krb5_gic_opt_ext **opte)
+ krb5_get_init_creds_opt *opt,
+ krb5_gic_opt_ext **opte)
{
krb5_gic_opt_ext *oe;
oe = krb5int_gic_opte_alloc(context);
if (NULL == oe)
- return ENOMEM;
+ return ENOMEM;
if (opt) {
- oe->flags = opt->flags;
- oe->tkt_life = opt->tkt_life;
- oe->renew_life = opt->renew_life;
- oe->forwardable = opt->forwardable;
- oe->proxiable = opt->proxiable;
- oe->etype_list = opt->etype_list;
- oe->etype_list_length = opt->etype_list_length;
- oe->address_list = opt->address_list;
- oe->preauth_list = opt->preauth_list;
- oe->preauth_list_length = opt->preauth_list_length;
- oe->salt = opt->salt;
+ oe->flags = opt->flags;
+ oe->tkt_life = opt->tkt_life;
+ oe->renew_life = opt->renew_life;
+ oe->forwardable = opt->forwardable;
+ oe->proxiable = opt->proxiable;
+ oe->etype_list = opt->etype_list;
+ oe->etype_list_length = opt->etype_list_length;
+ oe->address_list = opt->address_list;
+ oe->preauth_list = opt->preauth_list;
+ oe->preauth_list_length = opt->preauth_list_length;
+ oe->salt = opt->salt;
}
/*
@@ -250,7 +251,7 @@ krb5int_gic_opte_copy(krb5_context context,
* application is unaware of its existence.
*/
oe->flags |= ( KRB5_GET_INIT_CREDS_OPT_EXTENDED |
- KRB5_GET_INIT_CREDS_OPT_SHADOWED);
+ KRB5_GET_INIT_CREDS_OPT_SHADOWED);
*opte = oe;
return 0;
@@ -268,20 +269,20 @@ krb5int_gic_opte_copy(krb5_context context,
*/
krb5_error_code
krb5int_gic_opt_to_opte(krb5_context context,
- krb5_get_init_creds_opt *opt,
- krb5_gic_opt_ext **opte,
- unsigned int force,
- const char *where)
+ krb5_get_init_creds_opt *opt,
+ krb5_gic_opt_ext **opte,
+ unsigned int force,
+ const char *where)
{
if (!krb5_gic_opt_is_extended(opt)) {
- if (force) {
- return krb5int_gic_opte_copy(context, opt, opte);
- } else {
- krb5int_set_error(&context->err, EINVAL,
- "%s: attempt to convert non-extended krb5_get_init_creds_opt",
- where);
- return EINVAL;
- }
+ if (force) {
+ return krb5int_gic_opte_copy(context, opt, opte);
+ } else {
+ krb5int_set_error(&context->err, EINVAL,
+ "%s: attempt to convert non-extended krb5_get_init_creds_opt",
+ where);
+ return EINVAL;
+ }
}
/* If it is already extended, just return it */
*opte = (krb5_gic_opt_ext *)opt;
@@ -290,20 +291,20 @@ krb5int_gic_opt_to_opte(krb5_context context,
static void
free_gic_opt_ext_preauth_data(krb5_context context,
- krb5_gic_opt_ext *opte)
+ krb5_gic_opt_ext *opte)
{
int i;
if (NULL == opte || !krb5_gic_opt_is_extended(opte))
- return;
+ return;
if (NULL == opte->opt_private || NULL == opte->opt_private->preauth_data)
- return;
+ return;
for (i = 0; i < opte->opt_private->num_preauth_data; i++) {
- if (opte->opt_private->preauth_data[i].attr != NULL)
- free(opte->opt_private->preauth_data[i].attr);
- if (opte->opt_private->preauth_data[i].value != NULL)
- free(opte->opt_private->preauth_data[i].value);
+ if (opte->opt_private->preauth_data[i].attr != NULL)
+ free(opte->opt_private->preauth_data[i].attr);
+ if (opte->opt_private->preauth_data[i].value != NULL)
+ free(opte->opt_private->preauth_data[i].value);
}
free(opte->opt_private->preauth_data);
opte->opt_private->preauth_data = NULL;
@@ -312,9 +313,9 @@ free_gic_opt_ext_preauth_data(krb5_context context,
static krb5_error_code
add_gic_opt_ext_preauth_data(krb5_context context,
- krb5_gic_opt_ext *opte,
- const char *attr,
- const char *value)
+ krb5_gic_opt_ext *opte,
+ const char *attr,
+ const char *value)
{
size_t newsize;
int i;
@@ -323,21 +324,21 @@ add_gic_opt_ext_preauth_data(krb5_context context,
newsize = opte->opt_private->num_preauth_data + 1;
newsize = newsize * sizeof(*opte->opt_private->preauth_data);
if (opte->opt_private->preauth_data == NULL)
- newpad = malloc(newsize);
+ newpad = malloc(newsize);
else
- newpad = realloc(opte->opt_private->preauth_data, newsize);
+ newpad = realloc(opte->opt_private->preauth_data, newsize);
if (newpad == NULL)
- return ENOMEM;
+ return ENOMEM;
opte->opt_private->preauth_data = newpad;
i = opte->opt_private->num_preauth_data;
newpad[i].attr = strdup(attr);
if (newpad[i].attr == NULL)
- return ENOMEM;
+ return ENOMEM;
newpad[i].value = strdup(value);
if (newpad[i].value == NULL) {
- free(newpad[i].attr);
- return ENOMEM;
+ free(newpad[i].attr);
+ return ENOMEM;
}
opte->opt_private->num_preauth_data += 1;
return 0;
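Review bot: `attr` and `value` reach `strdup()` unchecked at `newpad[i].attr = strdup(attr);` and `newpad[i].value = strdup(value);`. The public entry point krb5_get_init_creds_opt_set_pa in the next hunk forwards them as given, so a NULL from an application is undefined behaviour rather than an error return. A guard before the allocation, `if (attr == NULL || value == NULL) return EINVAL;`, would match the EINVAL returns used elsewhere in this file. The same applies to `strdup(ccache_name)` in the krb5_get_init_creds_opt_set_fast_ccache_name hunk further down. add_gic_opt_ext_preauth_data begins in the previous hunk.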
@@ -353,24 +354,24 @@ add_gic_opt_ext_preauth_data(krb5_context context,
*/
krb5_error_code KRB5_CALLCONV
krb5_get_init_creds_opt_set_pa(krb5_context context,
- krb5_get_init_creds_opt *opt,
- const char *attr,
- const char *value)
+ krb5_get_init_creds_opt *opt,
+ const char *attr,
+ const char *value)
{
krb5_error_code retval;
krb5_gic_opt_ext *opte;
retval = krb5int_gic_opt_to_opte(context, opt, &opte, 0,
- "krb5_get_init_creds_opt_set_pa");
+ "krb5_get_init_creds_opt_set_pa");
if (retval)
- return retval;
+ return retval;
/*
* Copy the option into the extended get_init_creds_opt structure
*/
retval = add_gic_opt_ext_preauth_data(context, opte, attr, value);
if (retval)
- return retval;
+ return retval;
/*
* Give the plugins a chance to look at the option now.
@@ -389,9 +390,9 @@ krb5_get_init_creds_opt_set_pa(krb5_context context,
*/
krb5_error_code KRB5_CALLCONV
krb5_get_init_creds_opt_get_pa(krb5_context context,
- krb5_get_init_creds_opt *opt,
- int *num_preauth_data,
- krb5_gic_opt_pa_data **preauth_data)
+ krb5_get_init_creds_opt *opt,
+ int *num_preauth_data,
+ krb5_gic_opt_pa_data **preauth_data)
{
krb5_error_code retval;
krb5_gic_opt_ext *opte;
@@ -400,70 +401,70 @@ krb5_get_init_creds_opt_get_pa(krb5_context context,
size_t allocsize;
retval = krb5int_gic_opt_to_opte(context, opt, &opte, 0,
- "krb5_get_init_creds_opt_get_pa");
+ "krb5_get_init_creds_opt_get_pa");
if (retval)
- return retval;
+ return retval;
if (num_preauth_data == NULL || preauth_data == NULL)
- return EINVAL;
+ return EINVAL;
*num_preauth_data = 0;
*preauth_data = NULL;
if (opte->opt_private->num_preauth_data == 0)
- return 0;
+ return 0;
allocsize =
- opte->opt_private->num_preauth_data * sizeof(krb5_gic_opt_pa_data);
+ opte->opt_private->num_preauth_data * sizeof(krb5_gic_opt_pa_data);
p = malloc(allocsize);
if (p == NULL)
- return ENOMEM;
+ return ENOMEM;
/* Init these to make cleanup easier */
for (i = 0; i < opte->opt_private->num_preauth_data; i++) {
- p[i].attr = NULL;
- p[i].value = NULL;
+ p[i].attr = NULL;
+ p[i].value = NULL;
}
for (i = 0; i < opte->opt_private->num_preauth_data; i++) {
- p[i].attr = strdup(opte->opt_private->preauth_data[i].attr);
- p[i].value = strdup(opte->opt_private->preauth_data[i].value);
- if (p[i].attr == NULL || p[i].value == NULL)
- goto cleanup;
+ p[i].attr = strdup(opte->opt_private->preauth_data[i].attr);
+ p[i].value = strdup(opte->opt_private->preauth_data[i].value);
+ if (p[i].attr == NULL || p[i].value == NULL)
+ goto cleanup;
}
*num_preauth_data = i;
*preauth_data = p;
return 0;
cleanup:
for (i = 0; i < opte->opt_private->num_preauth_data; i++) {
- if (p[i].attr != NULL)
- free(p[i].attr);
- if (p[i].value != NULL)
- free(p[i].value);
+ if (p[i].attr != NULL)
+ free(p[i].attr);
+ if (p[i].value != NULL)
+ free(p[i].value);
}
free(p);
return ENOMEM;
}
/*
- * This function frees the preauth_data that was returned by
+ * This function frees the preauth_data that was returned by
* krb5_get_init_creds_opt_get_pa().
*/
void KRB5_CALLCONV
krb5_get_init_creds_opt_free_pa(krb5_context context,
- int num_preauth_data,
- krb5_gic_opt_pa_data *preauth_data)
+ int num_preauth_data,
+ krb5_gic_opt_pa_data *preauth_data)
{
int i;
if (num_preauth_data <= 0 || preauth_data == NULL)
- return;
+ return;
for (i = 0; i < num_preauth_data; i++) {
- if (preauth_data[i].attr != NULL)
- free(preauth_data[i].attr);
- if (preauth_data[i].value != NULL)
- free(preauth_data[i].value);
+ if (preauth_data[i].attr != NULL)
+ free(preauth_data[i].attr);
+ if (preauth_data[i].value != NULL)
+ free(preauth_data[i].value);
}
free(preauth_data);
}
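Review bot: The array in krb5_get_init_creds_opt_get_pa is sized with the hand-written product `opte->opt_private->num_preauth_data * sizeof(krb5_gic_opt_pa_data)` and then cleared by a separate loop. A single `p = calloc(opte->opt_private->num_preauth_data, sizeof(*p));` does both and lets the allocator reject a count whose product would overflow. `allocsize` and the "Init these to make cleanup easier" loop would then no longer be needed. This is a style point on code the commit only re-indents; the function's declarations begin in the previous hunk.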
@@ -474,14 +475,14 @@ krb5_error_code KRB5_CALLCONV krb5_get_init_creds_opt_set_fast_ccache_name
krb5_gic_opt_ext *opte;
retval = krb5int_gic_opt_to_opte(context, opt, &opte, 0,
- "krb5_get_init_creds_opt_set_fast_ccache_name");
+ "krb5_get_init_creds_opt_set_fast_ccache_name");
if (retval)
- return retval;
+ return retval;
if (opte->opt_private->fast_ccache_name) {
- free(opte->opt_private->fast_ccache_name);
+ free(opte->opt_private->fast_ccache_name);
}
opte->opt_private->fast_ccache_name = strdup(ccache_name);
if (opte->opt_private->fast_ccache_name == NULL)
- retval = ENOMEM;
+ retval = ENOMEM;
return retval;
}
diff --git a/src/lib/krb5/krb/gic_pwd.c b/src/lib/krb5/krb/gic_pwd.c
index 0109104df8..fa0c1739a0 100644
--- a/src/lib/krb5/krb/gic_pwd.c
+++ b/src/lib/krb5/krb/gic_pwd.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
#include "k5-int.h"
#include "com_err.h"
@@ -32,168 +33,168 @@ krb5_get_as_key_password(
cases? */
if (as_key->length) {
- if (as_key->enctype != etype) {
- krb5_free_keyblock_contents (context, as_key);
- as_key->length = 0;
- }
+ if (as_key->enctype != etype) {
+ krb5_free_keyblock_contents (context, as_key);
+ as_key->length = 0;
+ }
}
if (password->data[0] == '\0') {
- if (prompter == NULL)
- return(EIO);
-
- if ((ret = krb5_unparse_name(context, client, &clientstr)))
- return(ret);
-
- snprintf(promptstr, sizeof(promptstr), "Password for %s", clientstr);
- free(clientstr);
-
- prompt.prompt = promptstr;
- prompt.hidden = 1;
- prompt.reply = password;
- prompt_type = KRB5_PROMPT_TYPE_PASSWORD;
-
- /* PROMPTER_INVOCATION */
- krb5int_set_prompt_types(context, &prompt_type);
- if ((ret = (((*prompter)(context, prompter_data, NULL, NULL,
- 1, &prompt))))) {
- krb5int_set_prompt_types(context, 0);
- return(ret);
- }
- krb5int_set_prompt_types(context, 0);
+ if (prompter == NULL)
+ return(EIO);
+
+ if ((ret = krb5_unparse_name(context, client, &clientstr)))
+ return(ret);
+
+ snprintf(promptstr, sizeof(promptstr), "Password for %s", clientstr);
+ free(clientstr);
+
+ prompt.prompt = promptstr;
+ prompt.hidden = 1;
+ prompt.reply = password;
+ prompt_type = KRB5_PROMPT_TYPE_PASSWORD;
+
+ /* PROMPTER_INVOCATION */
+ krb5int_set_prompt_types(context, &prompt_type);
+ if ((ret = (((*prompter)(context, prompter_data, NULL, NULL,
+ 1, &prompt))))) {
+ krb5int_set_prompt_types(context, 0);
+ return(ret);
+ }
+ krb5int_set_prompt_types(context, 0);
}
if ((salt->length == -1 || salt->length == SALT_TYPE_AFS_LENGTH) && (salt->data == NULL)) {
- if ((ret = krb5_principal2salt(context, client, &defsalt)))
- return(ret);
+ if ((ret = krb5_principal2salt(context, client, &defsalt)))
+ return(ret);
- salt = &defsalt;
+ salt = &defsalt;
} else {
- defsalt.length = 0;
+ defsalt.length = 0;
}
ret = krb5_c_string_to_key_with_params(context, etype, password, salt,
- params->data?params:NULL, as_key);
+ params->data?params:NULL, as_key);
if (defsalt.length)
- free(defsalt.data);
+ free(defsalt.data);
return(ret);
}
krb5_error_code KRB5_CALLCONV
krb5_get_init_creds_password(krb5_context context,
- krb5_creds *creds,
- krb5_principal client,
- char *password,
- krb5_prompter_fct prompter,
- void *data,
- krb5_deltat start_time,
- char *in_tkt_service,
- krb5_get_init_creds_opt *options)
+ krb5_creds *creds,
+ krb5_principal client,
+ char *password,
+ krb5_prompter_fct prompter,
+ void *data,
+ krb5_deltat start_time,
+ char *in_tkt_service,
+ krb5_get_init_creds_opt *options)
{
- krb5_error_code ret, ret2;
- int use_master;
- krb5_kdc_rep *as_reply;
- int tries;
- krb5_creds chpw_creds;
- krb5_get_init_creds_opt *chpw_opts = NULL;
- krb5_data pw0, pw1;
- char banner[1024], pw0array[1024], pw1array[1024];
- krb5_prompt prompt[2];
- krb5_prompt_type prompt_types[sizeof(prompt)/sizeof(prompt[0])];
- krb5_gic_opt_ext *opte = NULL;
- krb5_gic_opt_ext *chpw_opte = NULL;
-
- use_master = 0;
- as_reply = NULL;
- memset(&chpw_creds, 0, sizeof(chpw_creds));
-
- pw0.data = pw0array;
-
- if (password && password[0]) {
- if (strlcpy(pw0.data, password, sizeof(pw0array)) >= sizeof(pw0array)) {
- ret = EINVAL;
- goto cleanup;
- }
- pw0.length = strlen(password);
- } else {
- pw0.data[0] = '\0';
- pw0.length = sizeof(pw0array);
- }
-
- pw1.data = pw1array;
- pw1.data[0] = '\0';
- pw1.length = sizeof(pw1array);
-
- ret = krb5int_gic_opt_to_opte(context, options, &opte, 1,
- "krb5_get_init_creds_password");
- if (ret)
- goto cleanup;
-
- /* first try: get the requested tkt from any kdc */
-
- ret = krb5_get_init_creds(context, creds, client, prompter, data,
- start_time, in_tkt_service, opte,
- krb5_get_as_key_password, (void *) &pw0,
- &use_master, &as_reply);
-
- /* check for success */
-
- if (ret == 0)
- goto cleanup;
-
- /* If all the kdc's are unavailable, or if the error was due to a
- user interrupt, fail */
-
- if ((ret == KRB5_KDC_UNREACH) ||
- (ret == KRB5_LIBOS_PWDINTR) ||
- (ret == KRB5_REALM_CANT_RESOLVE))
- goto cleanup;
-
- /* if the reply did not come from the master kdc, try again with
- the master kdc */
-
- if (!use_master) {
- use_master = 1;
-
- if (as_reply) {
- krb5_free_kdc_rep( context, as_reply);
- as_reply = NULL;
- }
- ret2 = krb5_get_init_creds(context, creds, client, prompter, data,
- start_time, in_tkt_service, opte,
- krb5_get_as_key_password, (void *) &pw0,
- &use_master, &as_reply);
-
- if (ret2 == 0) {
- ret = 0;
- goto cleanup;
- }
-
- /* if the master is unreachable, return the error from the
- slave we were able to contact or reset the use_master flag */
-
- if ((ret2 != KRB5_KDC_UNREACH) &&
- (ret2 != KRB5_REALM_CANT_RESOLVE) &&
- (ret2 != KRB5_REALM_UNKNOWN))
- ret = ret2;
- else
- use_master = 0;
- }
+ krb5_error_code ret, ret2;
+ int use_master;
+ krb5_kdc_rep *as_reply;
+ int tries;
+ krb5_creds chpw_creds;
+ krb5_get_init_creds_opt *chpw_opts = NULL;
+ krb5_data pw0, pw1;
+ char banner[1024], pw0array[1024], pw1array[1024];
+ krb5_prompt prompt[2];
+ krb5_prompt_type prompt_types[sizeof(prompt)/sizeof(prompt[0])];
+ krb5_gic_opt_ext *opte = NULL;
+ krb5_gic_opt_ext *chpw_opte = NULL;
+
+ use_master = 0;
+ as_reply = NULL;
+ memset(&chpw_creds, 0, sizeof(chpw_creds));
+
+ pw0.data = pw0array;
+
+ if (password && password[0]) {
+ if (strlcpy(pw0.data, password, sizeof(pw0array)) >= sizeof(pw0array)) {
+ ret = EINVAL;
+ goto cleanup;
+ }
+ pw0.length = strlen(password);
+ } else {
+ pw0.data[0] = '\0';
+ pw0.length = sizeof(pw0array);
+ }
+
+ pw1.data = pw1array;
+ pw1.data[0] = '\0';
+ pw1.length = sizeof(pw1array);
+
+ ret = krb5int_gic_opt_to_opte(context, options, &opte, 1,
+ "krb5_get_init_creds_password");
+ if (ret)
+ goto cleanup;
+
+ /* first try: get the requested tkt from any kdc */
+
+ ret = krb5_get_init_creds(context, creds, client, prompter, data,
+ start_time, in_tkt_service, opte,
+ krb5_get_as_key_password, (void *) &pw0,
+ &use_master, &as_reply);
+
+ /* check for success */
+
+ if (ret == 0)
+ goto cleanup;
+
+ /* If all the kdc's are unavailable, or if the error was due to a
+ user interrupt, fail */
+
+ if ((ret == KRB5_KDC_UNREACH) ||
+ (ret == KRB5_LIBOS_PWDINTR) ||
+ (ret == KRB5_REALM_CANT_RESOLVE))
+ goto cleanup;
+
+ /* if the reply did not come from the master kdc, try again with
+ the master kdc */
+
+ if (!use_master) {
+ use_master = 1;
+
+ if (as_reply) {
+ krb5_free_kdc_rep( context, as_reply);
+ as_reply = NULL;
+ }
+ ret2 = krb5_get_init_creds(context, creds, client, prompter, data,
+ start_time, in_tkt_service, opte,
+ krb5_get_as_key_password, (void *) &pw0,
+ &use_master, &as_reply);
+
+ if (ret2 == 0) {
+ ret = 0;
+ goto cleanup;
+ }
+
+ /* if the master is unreachable, return the error from the
+ slave we were able to contact or reset the use_master flag */
+
+ if ((ret2 != KRB5_KDC_UNREACH) &&
+ (ret2 != KRB5_REALM_CANT_RESOLVE) &&
+ (ret2 != KRB5_REALM_UNKNOWN))
+ ret = ret2;
+ else
+ use_master = 0;
+ }
#ifdef USE_KIM
- if (ret == KRB5KDC_ERR_KEY_EXP)
- goto cleanup; /* Login library will deal appropriately with this error */
+ if (ret == KRB5KDC_ERR_KEY_EXP)
+ goto cleanup; /* Login library will deal appropriately with this error */
#endif
- /* at this point, we have an error from the master. if the error
- is not password expired, or if it is but there's no prompter,
- return this error */
+ /* at this point, we have an error from the master. if the error
+ is not password expired, or if it is but there's no prompter,
+ return this error */
- if ((ret != KRB5KDC_ERR_KEY_EXP) ||
- (prompter == NULL))
- goto cleanup;
+ if ((ret != KRB5KDC_ERR_KEY_EXP) ||
+ (prompter == NULL))
+ goto cleanup;
/* historically the default has been to prompt for password change.
* if the change password prompt option has not been set, we continue
@@ -201,253 +202,253 @@ krb5_get_init_creds_password(krb5_context context,
* and the value has been set to false.
*/
if (!(options->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT))
- goto cleanup;
+ goto cleanup;
/* ok, we have an expired password. Give the user a few chances
- to change it */
-
- /* use a minimal set of options */
-
- ret = krb5_get_init_creds_opt_alloc(context, &chpw_opts);
- if (ret)
- goto cleanup;
- krb5_get_init_creds_opt_set_tkt_life(chpw_opts, 5*60);
- krb5_get_init_creds_opt_set_renew_life(chpw_opts, 0);
- krb5_get_init_creds_opt_set_forwardable(chpw_opts, 0);
- krb5_get_init_creds_opt_set_proxiable(chpw_opts, 0);
- ret = krb5int_gic_opt_to_opte(context, chpw_opts, &chpw_opte, 0,
- "krb5_get_init_creds_password (changing password)");
- if (ret)
- goto cleanup;
-
- if ((ret = krb5_get_init_creds(context, &chpw_creds, client,
- prompter, data,
- start_time, "kadmin/changepw", chpw_opte,
- krb5_get_as_key_password, (void *) &pw0,
- &use_master, NULL)))
- goto cleanup;
-
- prompt[0].prompt = "Enter new password";
- prompt[0].hidden = 1;
- prompt[0].reply = &pw0;
- prompt_types[0] = KRB5_PROMPT_TYPE_NEW_PASSWORD;
-
- prompt[1].prompt = "Enter it again";
- prompt[1].hidden = 1;
- prompt[1].reply = &pw1;
- prompt_types[1] = KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN;
-
- strlcpy(banner, "Password expired. You must change it now.",
- sizeof(banner));
-
- for (tries = 3; tries; tries--) {
- pw0.length = sizeof(pw0array);
- pw1.length = sizeof(pw1array);
-
- /* PROMPTER_INVOCATION */
- krb5int_set_prompt_types(context, prompt_types);
- if ((ret = ((*prompter)(context, data, 0, banner,
- sizeof(prompt)/sizeof(prompt[0]), prompt))))
- goto cleanup;
- krb5int_set_prompt_types(context, 0);
-
-
- if (strcmp(pw0.data, pw1.data) != 0) {
- ret = KRB5_LIBOS_BADPWDMATCH;
- snprintf(banner, sizeof(banner),
- "%s. Please try again.", error_message(ret));
- } else if (pw0.length == 0) {
- ret = KRB5_CHPW_PWDNULL;
- snprintf(banner, sizeof(banner),
- "%s. Please try again.", error_message(ret));
- } else {
- int result_code;
- krb5_data code_string;
- krb5_data result_string;
-
- if ((ret = krb5_change_password(context, &chpw_creds, pw0array,
- &result_code, &code_string,
- &result_string)))
- goto cleanup;
-
- /* the change succeeded. go on */
-
- if (result_code == 0) {
- free(result_string.data);
- break;
- }
-
- /* set this in case the retry loop falls through */
-
- ret = KRB5_CHPW_FAIL;
-
- if (result_code != KRB5_KPASSWD_SOFTERROR) {
- free(result_string.data);
- goto cleanup;
- }
-
- /* the error was soft, so try again */
-
- /* 100 is I happen to know that no code_string will be longer
- than 100 chars */
-
- if (result_string.length > (sizeof(banner)-100))
- result_string.length = sizeof(banner)-100;
-
- snprintf(banner, sizeof(banner), "%.*s%s%.*s. Please try again.\n",
- (int) code_string.length, code_string.data,
- result_string.length ? ": " : "",
- (int) result_string.length,
- result_string.data ? result_string.data : "");
-
- free(code_string.data);
- free(result_string.data);
- }
- }
-
- if (ret)
- goto cleanup;
-
- /* the password change was successful. Get an initial ticket
- from the master. this is the last try. the return from this
- is final. */
-
- ret = krb5_get_init_creds(context, creds, client, prompter, data,
- start_time, in_tkt_service, opte,
- krb5_get_as_key_password, (void *) &pw0,
- &use_master, &as_reply);
+ to change it */
+
+ /* use a minimal set of options */
+
+ ret = krb5_get_init_creds_opt_alloc(context, &chpw_opts);
+ if (ret)
+ goto cleanup;
+ krb5_get_init_creds_opt_set_tkt_life(chpw_opts, 5*60);
+ krb5_get_init_creds_opt_set_renew_life(chpw_opts, 0);
+ krb5_get_init_creds_opt_set_forwardable(chpw_opts, 0);
+ krb5_get_init_creds_opt_set_proxiable(chpw_opts, 0);
+ ret = krb5int_gic_opt_to_opte(context, chpw_opts, &chpw_opte, 0,
+ "krb5_get_init_creds_password (changing password)");
+ if (ret)
+ goto cleanup;
+
+ if ((ret = krb5_get_init_creds(context, &chpw_creds, client,
+ prompter, data,
+ start_time, "kadmin/changepw", chpw_opte,
+ krb5_get_as_key_password, (void *) &pw0,
+ &use_master, NULL)))
+ goto cleanup;
+
+ prompt[0].prompt = "Enter new password";
+ prompt[0].hidden = 1;
+ prompt[0].reply = &pw0;
+ prompt_types[0] = KRB5_PROMPT_TYPE_NEW_PASSWORD;
+
+ prompt[1].prompt = "Enter it again";
+ prompt[1].hidden = 1;
+ prompt[1].reply = &pw1;
+ prompt_types[1] = KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN;
+
+ strlcpy(banner, "Password expired. You must change it now.",
+ sizeof(banner));
+
+ for (tries = 3; tries; tries--) {
+ pw0.length = sizeof(pw0array);
+ pw1.length = sizeof(pw1array);
+
+ /* PROMPTER_INVOCATION */
+ krb5int_set_prompt_types(context, prompt_types);
+ if ((ret = ((*prompter)(context, data, 0, banner,
+ sizeof(prompt)/sizeof(prompt[0]), prompt))))
+ goto cleanup;
+ krb5int_set_prompt_types(context, 0);
+
+
+ if (strcmp(pw0.data, pw1.data) != 0) {
+ ret = KRB5_LIBOS_BADPWDMATCH;
+ snprintf(banner, sizeof(banner),
+ "%s. Please try again.", error_message(ret));
+ } else if (pw0.length == 0) {
+ ret = KRB5_CHPW_PWDNULL;
+ snprintf(banner, sizeof(banner),
+ "%s. Please try again.", error_message(ret));
+ } else {
+ int result_code;
+ krb5_data code_string;
+ krb5_data result_string;
+
+ if ((ret = krb5_change_password(context, &chpw_creds, pw0array,
+ &result_code, &code_string,
+ &result_string)))
+ goto cleanup;
+
+ /* the change succeeded. go on */
+
+ if (result_code == 0) {
+ free(result_string.data);
+ break;
+ }
+
+ /* set this in case the retry loop falls through */
+
+ ret = KRB5_CHPW_FAIL;
+
+ if (result_code != KRB5_KPASSWD_SOFTERROR) {
+ free(result_string.data);
+ goto cleanup;
+ }
+
+ /* the error was soft, so try again */
+
+ /* 100 is I happen to know that no code_string will be longer
+ than 100 chars */
+
+ if (result_string.length > (sizeof(banner)-100))
+ result_string.length = sizeof(banner)-100;
+
+ snprintf(banner, sizeof(banner), "%.*s%s%.*s. Please try again.\n",
+ (int) code_string.length, code_string.data,
+ result_string.length ? ": " : "",
+ (int) result_string.length,
+ result_string.data ? result_string.data : "");
+
+ free(code_string.data);
+ free(result_string.data);
+ }
+ }
+
+ if (ret)
+ goto cleanup;
+
+ /* the password change was successful. Get an initial ticket
+ from the master. this is the last try. the return from this
+ is final. */
+
+ ret = krb5_get_init_creds(context, creds, client, prompter, data,
+ start_time, in_tkt_service, opte,
+ krb5_get_as_key_password, (void *) &pw0,
+ &use_master, &as_reply);
cleanup:
- krb5int_set_prompt_types(context, 0);
- /* if getting the password was successful, then check to see if the
- password is about to expire, and warn if so */
-
- if (ret == 0) {
- krb5_timestamp now;
- krb5_last_req_entry **last_req;
- int hours;
-
- /* XXX 7 days should be configurable. This is all pretty ad hoc,
- and could probably be improved if I was willing to screw around
- with timezones, etc. */
-
- if (prompter &&
- (!in_tkt_service ||
- (strcmp(in_tkt_service, "kadmin/changepw") != 0)) &&
- ((ret = krb5_timeofday(context, &now)) == 0) &&
- as_reply->enc_part2->key_exp &&
- ((hours = ((as_reply->enc_part2->key_exp-now)/(60*60))) <= 7*24) &&
- (hours >= 0)) {
- if (hours < 1)
- snprintf(banner, sizeof(banner),
- "Warning: Your password will expire in less than one hour.");
- else if (hours <= 48)
- snprintf(banner, sizeof(banner),
- "Warning: Your password will expire in %d hour%s.",
- hours, (hours == 1)?"":"s");
- else
- snprintf(banner, sizeof(banner),
- "Warning: Your password will expire in %d days.",
- hours/24);
-
- /* ignore an error here */
- /* PROMPTER_INVOCATION */
- (*prompter)(context, data, 0, banner, 0, 0);
- } else if (prompter &&
- (!in_tkt_service ||
- (strcmp(in_tkt_service, "kadmin/changepw") != 0)) &&
- as_reply->enc_part2 && as_reply->enc_part2->last_req) {
- /*
- * Check the last_req fields
- */
-
- for (last_req = as_reply->enc_part2->last_req; *last_req; last_req++)
- if ((*last_req)->lr_type == KRB5_LRQ_ALL_PW_EXPTIME ||
- (*last_req)->lr_type == KRB5_LRQ_ONE_PW_EXPTIME) {
- krb5_deltat delta;
- char ts[256];
-
- if ((ret = krb5_timeofday(context, &now)))
- break;
-
- if ((ret = krb5_timestamp_to_string((*last_req)->value,
- ts, sizeof(ts))))
- break;
-
- delta = (*last_req)->value - now;
- if (delta < 3600)
- snprintf(banner, sizeof(banner),
- "Warning: Your password will expire in less than one hour on %s",
- ts);
- else if (delta < 86400*2)
- snprintf(banner, sizeof(banner),
- "Warning: Your password will expire in %d hour%s on %s",
- delta / 3600, delta < 7200 ? "" : "s", ts);
- else
- snprintf(banner, sizeof(banner),
- "Warning: Your password will expire in %d days on %s",
- delta / 86400, ts);
- /* ignore an error here */
- /* PROMPTER_INVOCATION */
- (*prompter)(context, data, 0, banner, 0, 0);
- }
- }
- }
-
- if (chpw_opts)
- krb5_get_init_creds_opt_free(context, chpw_opts);
- if (opte && krb5_gic_opt_is_shadowed(opte))
- krb5_get_init_creds_opt_free(context, (krb5_get_init_creds_opt *)opte);
- memset(pw0array, 0, sizeof(pw0array));
- memset(pw1array, 0, sizeof(pw1array));
- krb5_free_cred_contents(context, &chpw_creds);
- if (as_reply)
- krb5_free_kdc_rep(context, as_reply);
-
- return(ret);
+ krb5int_set_prompt_types(context, 0);
+ /* if getting the password was successful, then check to see if the
+ password is about to expire, and warn if so */
+
+ if (ret == 0) {
+ krb5_timestamp now;
+ krb5_last_req_entry **last_req;
+ int hours;
+
+ /* XXX 7 days should be configurable. This is all pretty ad hoc,
+ and could probably be improved if I was willing to screw around
+ with timezones, etc. */
+
+ if (prompter &&
+ (!in_tkt_service ||
+ (strcmp(in_tkt_service, "kadmin/changepw") != 0)) &&
+ ((ret = krb5_timeofday(context, &now)) == 0) &&
+ as_reply->enc_part2->key_exp &&
+ ((hours = ((as_reply->enc_part2->key_exp-now)/(60*60))) <= 7*24) &&
+ (hours >= 0)) {
+ if (hours < 1)
+ snprintf(banner, sizeof(banner),
+ "Warning: Your password will expire in less than one hour.");
+ else if (hours <= 48)
+ snprintf(banner, sizeof(banner),
+ "Warning: Your password will expire in %d hour%s.",
+ hours, (hours == 1)?"":"s");
+ else
+ snprintf(banner, sizeof(banner),
+ "Warning: Your password will expire in %d days.",
+ hours/24);
+
+ /* ignore an error here */
+ /* PROMPTER_INVOCATION */
+ (*prompter)(context, data, 0, banner, 0, 0);
+ } else if (prompter &&
+ (!in_tkt_service ||
+ (strcmp(in_tkt_service, "kadmin/changepw") != 0)) &&
+ as_reply->enc_part2 && as_reply->enc_part2->last_req) {
+ /*
+ * Check the last_req fields
+ */
+
+ for (last_req = as_reply->enc_part2->last_req; *last_req; last_req++)
+ if ((*last_req)->lr_type == KRB5_LRQ_ALL_PW_EXPTIME ||
+ (*last_req)->lr_type == KRB5_LRQ_ONE_PW_EXPTIME) {
+ krb5_deltat delta;
+ char ts[256];
+
+ if ((ret = krb5_timeofday(context, &now)))
+ break;
+
+ if ((ret = krb5_timestamp_to_string((*last_req)->value,
+ ts, sizeof(ts))))
+ break;
+
+ delta = (*last_req)->value - now;
+ if (delta < 3600)
+ snprintf(banner, sizeof(banner),
+ "Warning: Your password will expire in less than one hour on %s",
+ ts);
+ else if (delta < 86400*2)
+ snprintf(banner, sizeof(banner),
+ "Warning: Your password will expire in %d hour%s on %s",
+ delta / 3600, delta < 7200 ? "" : "s", ts);
+ else
+ snprintf(banner, sizeof(banner),
+ "Warning: Your password will expire in %d days on %s",
+ delta / 86400, ts);
+ /* ignore an error here */
+ /* PROMPTER_INVOCATION */
+ (*prompter)(context, data, 0, banner, 0, 0);
+ }
+ }
+ }
+
+ if (chpw_opts)
+ krb5_get_init_creds_opt_free(context, chpw_opts);
+ if (opte && krb5_gic_opt_is_shadowed(opte))
+ krb5_get_init_creds_opt_free(context, (krb5_get_init_creds_opt *)opte);
+ memset(pw0array, 0, sizeof(pw0array));
+ memset(pw1array, 0, sizeof(pw1array));
+ krb5_free_cred_contents(context, &chpw_creds);
+ if (as_reply)
+ krb5_free_kdc_rep(context, as_reply);
+
+ return(ret);
}
krb5_error_code krb5int_populate_gic_opt (
krb5_context context, krb5_gic_opt_ext **opte,
krb5_flags options, krb5_address * const *addrs, krb5_enctype *ktypes,
krb5_preauthtype *pre_auth_types, krb5_creds *creds)
{
- int i;
- krb5_int32 starttime;
- krb5_get_init_creds_opt *opt;
- krb5_error_code retval;
+ int i;
+ krb5_int32 starttime;
+ krb5_get_init_creds_opt *opt;
+ krb5_error_code retval;
*opte = NULL;
retval = krb5_get_init_creds_opt_alloc(context, &opt);
if (retval)
- return(retval);
+ return(retval);
if (addrs)
- krb5_get_init_creds_opt_set_address_list(opt, (krb5_address **) addrs);
+ krb5_get_init_creds_opt_set_address_list(opt, (krb5_address **) addrs);
if (ktypes) {
- for (i=0; ktypes[i]; i++);
- if (i)
- krb5_get_init_creds_opt_set_etype_list(opt, ktypes, i);
+ for (i=0; ktypes[i]; i++);
+ if (i)
+ krb5_get_init_creds_opt_set_etype_list(opt, ktypes, i);
}
if (pre_auth_types) {
- for (i=0; pre_auth_types[i]; i++);
- if (i)
- krb5_get_init_creds_opt_set_preauth_list(opt, pre_auth_types, i);
+ for (i=0; pre_auth_types[i]; i++);
+ if (i)
+ krb5_get_init_creds_opt_set_preauth_list(opt, pre_auth_types, i);
}
if (options&KDC_OPT_FORWARDABLE)
- krb5_get_init_creds_opt_set_forwardable(opt, 1);
+ krb5_get_init_creds_opt_set_forwardable(opt, 1);
else krb5_get_init_creds_opt_set_forwardable(opt, 0);
if (options&KDC_OPT_PROXIABLE)
- krb5_get_init_creds_opt_set_proxiable(opt, 1);
+ krb5_get_init_creds_opt_set_proxiable(opt, 1);
else krb5_get_init_creds_opt_set_proxiable(opt, 0);
if (creds && creds->times.endtime) {
- retval = krb5_timeofday(context, &starttime);
- if (retval)
- goto cleanup;
+ retval = krb5_timeofday(context, &starttime);
+ if (retval)
+ goto cleanup;
if (creds->times.starttime) starttime = creds->times.starttime;
krb5_get_init_creds_opt_set_tkt_life(opt, creds->times.endtime - starttime);
}
return krb5int_gic_opt_to_opte(context, opt, opte, 0,
- "krb5int_populate_gic_opt");
+ "krb5int_populate_gic_opt");
cleanup:
krb5_get_init_creds_opt_free(context, opt);
return retval;
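Review bot: `options` is dereferenced without a NULL test in the context line `if (!(options->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT))`. The earlier `krb5int_gic_opt_to_opte(context, options, &opte, 1, ...)` call and the `if (opt)` guard in krb5int_gic_opte_copy suggest a NULL `options` is accepted, in which case the expired-password path with a prompter would crash here. Writing it as `if (options && !(options->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT))` lets a NULL `options` fall through to the prompt, which the comment above describes as the default. Separately, `memset(pw0array, 0, sizeof(pw0array));` and the matching `pw1array` call at `cleanup:` are the last writes to those buffers before return, so an optimizer may drop them as dead stores; a zeroization call the compiler cannot elide would be safer for the password buffers. krb5_get_init_creds_password begins in the previous hunk.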
@@ -455,30 +456,30 @@ cleanup:
/*
Rewrites get_in_tkt in terms of newer get_init_creds API.
- Attempts to get an initial ticket for creds->client to use server
- creds->server, (realm is taken from creds->client), with options
- options, and using creds->times.starttime, creds->times.endtime,
- creds->times.renew_till as from, till, and rtime.
- creds->times.renew_till is ignored unless the RENEWABLE option is requested.
+ Attempts to get an initial ticket for creds->client to use server
+ creds->server, (realm is taken from creds->client), with options
+ options, and using creds->times.starttime, creds->times.endtime,
+ creds->times.renew_till as from, till, and rtime.
+ creds->times.renew_till is ignored unless the RENEWABLE option is requested.
- If addrs is non-NULL, it is used for the addresses requested. If it is
- null, the system standard addresses are used.
+ If addrs is non-NULL, it is used for the addresses requested. If it is
+ null, the system standard addresses are used.
- If password is non-NULL, it is converted using the cryptosystem entry
- point for a string conversion routine, seeded with the client's name.
- If password is passed as NULL, the password is read from the terminal,
- and then converted into a key.
+ If password is non-NULL, it is converted using the cryptosystem entry
+ point for a string conversion routine, seeded with the client's name.
+ If password is passed as NULL, the password is read from the terminal,
+ and then converted into a key.
- A succesful call will place the ticket in the credentials cache ccache.
+ A succesful call will place the ticket in the credentials cache ccache.
- returns system errors, encryption errors
- */
+ returns system errors, encryption errors
+*/
krb5_error_code KRB5_CALLCONV
krb5_get_in_tkt_with_password(krb5_context context, krb5_flags options,
- krb5_address *const *addrs, krb5_enctype *ktypes,
- krb5_preauthtype *pre_auth_types,
- const char *password, krb5_ccache ccache,
- krb5_creds *creds, krb5_kdc_rep **ret_as_reply)
+ krb5_address *const *addrs, krb5_enctype *ktypes,
+ krb5_preauthtype *pre_auth_types,
+ const char *password, krb5_ccache ccache,
+ krb5_creds *creds, krb5_kdc_rep **ret_as_reply)
{
krb5_error_code retval;
krb5_data pw0;
@@ -490,44 +491,43 @@ krb5_get_in_tkt_with_password(krb5_context context, krb5_flags options,
pw0.data = pw0array;
if (password && password[0]) {
- if (strlcpy(pw0.data, password, sizeof(pw0array)) >= sizeof(pw0array))
- return EINVAL;
- pw0.length = strlen(password);
+ if (strlcpy(pw0.data, password, sizeof(pw0array)) >= sizeof(pw0array))
+ return EINVAL;
+ pw0.length = strlen(password);
} else {
- pw0.data[0] = '\0';
- pw0.length = sizeof(pw0array);
+ pw0.data[0] = '\0';
+ pw0.length = sizeof(pw0array);
}
retval = krb5int_populate_gic_opt(context, &opte,
- options, addrs, ktypes,
- pre_auth_types, creds);
+ options, addrs, ktypes,
+ pre_auth_types, creds);
if (retval)
- return (retval);
+ return (retval);
retval = krb5_unparse_name( context, creds->server, &server);
if (retval) {
- krb5_get_init_creds_opt_free(context, (krb5_get_init_creds_opt *)opte);
- return (retval);
+ krb5_get_init_creds_opt_free(context, (krb5_get_init_creds_opt *)opte);
+ return (retval);
}
server_princ = creds->server;
client_princ = creds->client;
- retval = krb5_get_init_creds (context,
- creds, creds->client,
- krb5_prompter_posix, NULL,
- 0, server, opte,
- krb5_get_as_key_password, &pw0,
- &use_master, ret_as_reply);
- krb5_free_unparsed_name( context, server);
- krb5_get_init_creds_opt_free(context, (krb5_get_init_creds_opt *)opte);
- if (retval) {
- return (retval);
- }
- krb5_free_principal( context, creds->server);
- krb5_free_principal( context, creds->client);
- creds->client = client_princ;
- creds->server = server_princ;
- /* store it in the ccache! */
- if (ccache)
- if ((retval = krb5_cc_store_cred(context, ccache, creds)))
- return (retval);
- return retval;
- }
-
+ retval = krb5_get_init_creds (context,
+ creds, creds->client,
+ krb5_prompter_posix, NULL,
+ 0, server, opte,
+ krb5_get_as_key_password, &pw0,
+ &use_master, ret_as_reply);
+ krb5_free_unparsed_name( context, server);
+ krb5_get_init_creds_opt_free(context, (krb5_get_init_creds_opt *)opte);
+ if (retval) {
+ return (retval);
+ }
+ krb5_free_principal( context, creds->server);
+ krb5_free_principal( context, creds->client);
+ creds->client = client_princ;
+ creds->server = server_princ;
+ /* store it in the ccache! */
+ if (ccache)
+ if ((retval = krb5_cc_store_cred(context, ccache, creds)))
+ return (retval);
+ return retval;
+}
diff --git a/src/lib/krb5/krb/in_tkt_sky.c b/src/lib/krb5/krb/in_tkt_sky.c
index d98411fd7a..01c8905f8b 100644
--- a/src/lib/krb5/krb/in_tkt_sky.c
+++ b/src/lib/krb5/krb/in_tkt_sky.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/in_tkt_sky.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,17 +23,17 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_get_in_tkt_with_skey()
- *
+ *
*/
#include "k5-int.h"
struct skey_keyproc_arg {
const krb5_keyblock *key;
- krb5_principal client; /* it's a pointer, really! */
+ krb5_principal client; /* it's a pointer, really! */
};
/*
@@ -42,7 +43,7 @@ struct skey_keyproc_arg {
*/
static krb5_error_code
skey_keyproc(krb5_context context, krb5_enctype type, krb5_data *salt,
- krb5_const_pointer keyseed, krb5_keyblock **key)
+ krb5_const_pointer keyseed, krb5_keyblock **key)
{
krb5_keyblock *realkey;
krb5_error_code retval;
@@ -51,57 +52,57 @@ skey_keyproc(krb5_context context, krb5_enctype type, krb5_data *salt,
keyblock = (const krb5_keyblock *)keyseed;
if (!krb5_c_valid_enctype(type))
- return KRB5_PROG_ETYPE_NOSUPP;
+ return KRB5_PROG_ETYPE_NOSUPP;
if ((retval = krb5_copy_keyblock(context, keyblock, &realkey)))
- return retval;
-
+ return retval;
+
if (realkey->enctype != type) {
- krb5_free_keyblock(context, realkey);
- return KRB5_PROG_ETYPE_NOSUPP;
- }
+ krb5_free_keyblock(context, realkey);
+ return KRB5_PROG_ETYPE_NOSUPP;
+ }
*key = realkey;
return 0;
}
/*
- Similar to krb5_get_in_tkt_with_password.
+ Similar to krb5_get_in_tkt_with_password.
- Attempts to get an initial ticket for creds->client to use server
- creds->server, (realm is taken from creds->client), with options
- options, and using creds->times.starttime, creds->times.endtime,
- creds->times.renew_till as from, till, and rtime.
- creds->times.renew_till is ignored unless the RENEWABLE option is requested.
+ Attempts to get an initial ticket for creds->client to use server
+ creds->server, (realm is taken from creds->client), with options
+ options, and using creds->times.starttime, creds->times.endtime,
+ creds->times.renew_till as from, till, and rtime.
+ creds->times.renew_till is ignored unless the RENEWABLE option is requested.
- If addrs is non-NULL, it is used for the addresses requested. If it is
- null, the system standard addresses are used.
+ If addrs is non-NULL, it is used for the addresses requested. If it is
+ null, the system standard addresses are used.
- If keyblock is NULL, an appropriate key for creds->client is retrieved
- from the system key store (e.g. /etc/srvtab). If keyblock is non-NULL,
- it is used as the decryption key.
+ If keyblock is NULL, an appropriate key for creds->client is retrieved
+ from the system key store (e.g. /etc/srvtab). If keyblock is non-NULL,
+ it is used as the decryption key.
- A succesful call will place the ticket in the credentials cache ccache.
+ A succesful call will place the ticket in the credentials cache ccache.
- returns system errors, encryption errors
+ returns system errors, encryption errors
- */
+*/
krb5_error_code KRB5_CALLCONV
krb5_get_in_tkt_with_skey(krb5_context context, krb5_flags options,
- krb5_address *const *addrs, krb5_enctype *ktypes,
- krb5_preauthtype *pre_auth_types,
- const krb5_keyblock *key, krb5_ccache ccache,
- krb5_creds *creds, krb5_kdc_rep **ret_as_reply)
+ krb5_address *const *addrs, krb5_enctype *ktypes,
+ krb5_preauthtype *pre_auth_types,
+ const krb5_keyblock *key, krb5_ccache ccache,
+ krb5_creds *creds, krb5_kdc_rep **ret_as_reply)
{
- if (key)
- return krb5_get_in_tkt(context, options, addrs, ktypes, pre_auth_types,
- skey_keyproc, (krb5_const_pointer)key,
- krb5_kdc_rep_decrypt_proc, 0, creds,
- ccache, ret_as_reply);
-#ifndef LEAN_CLIENT
- else
- return krb5_get_in_tkt_with_keytab(context, options, addrs, ktypes,
- pre_auth_types, NULL, ccache,
- creds, ret_as_reply);
+ if (key)
+ return krb5_get_in_tkt(context, options, addrs, ktypes, pre_auth_types,
+ skey_keyproc, (krb5_const_pointer)key,
+ krb5_kdc_rep_decrypt_proc, 0, creds,
+ ccache, ret_as_reply);
+#ifndef LEAN_CLIENT
+ else
+ return krb5_get_in_tkt_with_keytab(context, options, addrs, ktypes,
+ pre_auth_types, NULL, ccache,
+ creds, ret_as_reply);
#endif /* LEAN_CLIENT */
}
diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c
index ea78e0da7c..8667897b94 100644
--- a/src/lib/krb5/krb/init_ctx.c
+++ b/src/lib/krb5/krb/init_ctx.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/init_ctx.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -28,14 +29,14 @@
/*
* Copyright (C) 1998 by the FundsXpress, INC.
- *
+ *
* All rights reserved.
- *
+ *
* Export of this software from the United States of America may require
* a specific license from the United States Government. It is the
* responsibility of any person or organization contemplating export to
* obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -46,7 +47,7 @@
* permission. FundsXpress makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
@@ -86,16 +87,16 @@ krb5_error_code KRB5_CALLCONV
krb5_init_context(krb5_context *context)
{
- return init_common (context, FALSE, FALSE);
+ return init_common (context, FALSE, FALSE);
}
krb5_error_code KRB5_CALLCONV
krb5_init_secure_context(krb5_context *context)
{
- /* This is to make gcc -Wall happy */
- if(0) krb5_brand[0] = krb5_brand[0];
- return init_common (context, TRUE, FALSE);
+ /* This is to make gcc -Wall happy */
+ if(0) krb5_brand[0] = krb5_brand[0];
+ return init_common (context, TRUE, FALSE);
}
krb5_error_code
@@ -107,179 +108,179 @@ krb5int_init_context_kdc(krb5_context *context)
static krb5_error_code
init_common (krb5_context *context, krb5_boolean secure, krb5_boolean kdc)
{
- krb5_context ctx = 0;
- krb5_error_code retval;
- struct {
- krb5_int32 now, now_usec;
- long pid;
- } seed_data;
- krb5_data seed;
- int tmp;
-
- /* Verify some assumptions. If the assumptions hold and the
- compiler is optimizing, this should result in no code being
- executed. If we're guessing "unsigned long long" instead
- of using uint64_t, the possibility does exist that we're
- wrong. */
- {
- krb5_ui_8 i64;
- assert(sizeof(i64) == 8);
- i64 = 0, i64--, i64 >>= 62;
- assert(i64 == 3);
- i64 = 1, i64 <<= 31, i64 <<= 31, i64 <<= 1;
- assert(i64 != 0);
- i64 <<= 1;
- assert(i64 == 0);
- }
-
- retval = krb5int_initialize_library();
- if (retval)
- return retval;
+ krb5_context ctx = 0;
+ krb5_error_code retval;
+ struct {
+ krb5_int32 now, now_usec;
+ long pid;
+ } seed_data;
+ krb5_data seed;
+ int tmp;
+
+ /* Verify some assumptions. If the assumptions hold and the
+ compiler is optimizing, this should result in no code being
+ executed. If we're guessing "unsigned long long" instead
+ of using uint64_t, the possibility does exist that we're
+ wrong. */
+ {
+ krb5_ui_8 i64;
+ assert(sizeof(i64) == 8);
+ i64 = 0, i64--, i64 >>= 62;
+ assert(i64 == 3);
+ i64 = 1, i64 <<= 31, i64 <<= 31, i64 <<= 1;
+ assert(i64 != 0);
+ i64 <<= 1;
+ assert(i64 == 0);
+ }
+
+ retval = krb5int_initialize_library();
+ if (retval)
+ return retval;
#if (defined(_WIN32))
- /*
- * Load the krbcc32.dll if necessary. We do this here so that
- * we know to use API: later on during initialization.
- * The context being NULL is ok.
- */
- krb5_win_ccdll_load(ctx);
-
- /*
- * krb5_vercheck() is defined in win_glue.c, and this is
- * where we handle the timebomb and version server checks.
- */
- retval = krb5_vercheck();
- if (retval)
- return retval;
+ /*
+ * Load the krbcc32.dll if necessary. We do this here so that
+ * we know to use API: later on during initialization.
+ * The context being NULL is ok.
+ */
+ krb5_win_ccdll_load(ctx);
+
+ /*
+ * krb5_vercheck() is defined in win_glue.c, and this is
+ * where we handle the timebomb and version server checks.
+ */
+ retval = krb5_vercheck();
+ if (retval)
+ return retval;
#endif
- *context = 0;
+ *context = 0;
- ctx = calloc(1, sizeof(struct _krb5_context));
- if (!ctx)
- return ENOMEM;
- ctx->magic = KV5M_CONTEXT;
+ ctx = calloc(1, sizeof(struct _krb5_context));
+ if (!ctx)
+ return ENOMEM;
+ ctx->magic = KV5M_CONTEXT;
- ctx->profile_secure = secure;
+ ctx->profile_secure = secure;
- /* Set the default encryption types, possible defined in krb5/conf */
- if ((retval = krb5_set_default_in_tkt_ktypes(ctx, NULL)))
- goto cleanup;
+ /* Set the default encryption types, possible defined in krb5/conf */
+ if ((retval = krb5_set_default_in_tkt_ktypes(ctx, NULL)))
+ goto cleanup;
- if ((retval = krb5_set_default_tgs_ktypes(ctx, NULL)))
- goto cleanup;
+ if ((retval = krb5_set_default_tgs_ktypes(ctx, NULL)))
+ goto cleanup;
- if ((retval = krb5_os_init_context(ctx, kdc)))
- goto cleanup;
+ if ((retval = krb5_os_init_context(ctx, kdc)))
+ goto cleanup;
- retval = profile_get_boolean(ctx->profile, KRB5_CONF_LIBDEFAULTS,
- KRB5_CONF_ALLOW_WEAK_CRYPTO, NULL, 1, &tmp);
- if (retval)
- goto cleanup;
- ctx->allow_weak_crypto = tmp;
+ retval = profile_get_boolean(ctx->profile, KRB5_CONF_LIBDEFAULTS,
+ KRB5_CONF_ALLOW_WEAK_CRYPTO, NULL, 1, &tmp);
+ if (retval)
+ goto cleanup;
+ ctx->allow_weak_crypto = tmp;
- /* initialize the prng (not well, but passable) */
- if ((retval = krb5_c_random_os_entropy( ctx, 0, NULL)) !=0)
- goto cleanup;
- if ((retval = krb5_crypto_us_timeofday(&seed_data.now, &seed_data.now_usec)))
- goto cleanup;
- seed_data.pid = getpid ();
- seed.length = sizeof(seed_data);
- seed.data = (char *) &seed_data;
- if ((retval = krb5_c_random_add_entropy(ctx, KRB5_C_RANDSOURCE_TIMING, &seed)))
- goto cleanup;
+ /* initialize the prng (not well, but passable) */
+ if ((retval = krb5_c_random_os_entropy( ctx, 0, NULL)) !=0)
+ goto cleanup;
+ if ((retval = krb5_crypto_us_timeofday(&seed_data.now, &seed_data.now_usec)))
+ goto cleanup;
+ seed_data.pid = getpid ();
+ seed.length = sizeof(seed_data);
+ seed.data = (char *) &seed_data;
+ if ((retval = krb5_c_random_add_entropy(ctx, KRB5_C_RANDSOURCE_TIMING, &seed)))
+ goto cleanup;
- ctx->default_realm = 0;
- profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS, KRB5_CONF_CLOCKSKEW,
- 0, 5 * 60, &tmp);
- ctx->clockskew = tmp;
+ ctx->default_realm = 0;
+ profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS, KRB5_CONF_CLOCKSKEW,
+ 0, 5 * 60, &tmp);
+ ctx->clockskew = tmp;
#if 0
- /* Default ticket lifetime is currently not supported */
- profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS, "tkt_lifetime",
- 0, 10 * 60 * 60, &tmp);
- ctx->tkt_lifetime = tmp;
+ /* Default ticket lifetime is currently not supported */
+ profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS, "tkt_lifetime",
+ 0, 10 * 60 * 60, &tmp);
+ ctx->tkt_lifetime = tmp;
#endif
- /* DCE 1.1 and below only support CKSUMTYPE_RSA_MD4 (2) */
- /* DCE add kdc_req_checksum_type = 2 to krb5.conf */
- profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS,
- KRB5_CONF_KDC_REQ_CHECKSUM_TYPE, 0, CKSUMTYPE_RSA_MD5,
- &tmp);
- ctx->kdc_req_sumtype = tmp;
-
- profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS,
- KRB5_CONF_AP_REQ_CHECKSUM_TYPE, 0, 0,
- &tmp);
- ctx->default_ap_req_sumtype = tmp;
-
- profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS,
- KRB5_CONF_SAFE_CHECKSUM_TYPE, 0,
- CKSUMTYPE_RSA_MD5_DES, &tmp);
- ctx->default_safe_sumtype = tmp;
-
- profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS,
- KRB5_CONF_KDC_DEFAULT_OPTIONS, 0,
- KDC_OPT_RENEWABLE_OK, &tmp);
- ctx->kdc_default_options = tmp;
+ /* DCE 1.1 and below only support CKSUMTYPE_RSA_MD4 (2) */
+ /* DCE add kdc_req_checksum_type = 2 to krb5.conf */
+ profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS,
+ KRB5_CONF_KDC_REQ_CHECKSUM_TYPE, 0, CKSUMTYPE_RSA_MD5,
+ &tmp);
+ ctx->kdc_req_sumtype = tmp;
+
+ profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS,
+ KRB5_CONF_AP_REQ_CHECKSUM_TYPE, 0, 0,
+ &tmp);
+ ctx->default_ap_req_sumtype = tmp;
+
+ profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS,
+ KRB5_CONF_SAFE_CHECKSUM_TYPE, 0,
+ CKSUMTYPE_RSA_MD5_DES, &tmp);
+ ctx->default_safe_sumtype = tmp;
+
+ profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS,
+ KRB5_CONF_KDC_DEFAULT_OPTIONS, 0,
+ KDC_OPT_RENEWABLE_OK, &tmp);
+ ctx->kdc_default_options = tmp;
#define DEFAULT_KDC_TIMESYNC 1
- profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS,
- KRB5_CONF_KDC_TIMESYNC, 0, DEFAULT_KDC_TIMESYNC,
- &tmp);
- ctx->library_options = tmp ? KRB5_LIBOPT_SYNC_KDCTIME : 0;
-
- /*
- * We use a default file credentials cache of 3. See
- * lib/krb5/krb/ccache/file/fcc.h for a description of the
- * credentials cache types.
- *
- * Note: DCE 1.0.3a only supports a cache type of 1
- * DCE 1.1 supports a cache type of 2.
- */
+ profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS,
+ KRB5_CONF_KDC_TIMESYNC, 0, DEFAULT_KDC_TIMESYNC,
+ &tmp);
+ ctx->library_options = tmp ? KRB5_LIBOPT_SYNC_KDCTIME : 0;
+
+ /*
+ * We use a default file credentials cache of 3. See
+ * lib/krb5/krb/ccache/file/fcc.h for a description of the
+ * credentials cache types.
+ *
+ * Note: DCE 1.0.3a only supports a cache type of 1
+ * DCE 1.1 supports a cache type of 2.
+ */
#define DEFAULT_CCACHE_TYPE 4
- profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS, KRB5_CONF_CCACHE_TYPE,
- 0, DEFAULT_CCACHE_TYPE, &tmp);
- ctx->fcc_default_format = tmp + 0x0500;
- ctx->prompt_types = 0;
- ctx->use_conf_ktypes = 0;
-
- ctx->udp_pref_limit = -1;
- *context = ctx;
- return 0;
+ profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS, KRB5_CONF_CCACHE_TYPE,
+ 0, DEFAULT_CCACHE_TYPE, &tmp);
+ ctx->fcc_default_format = tmp + 0x0500;
+ ctx->prompt_types = 0;
+ ctx->use_conf_ktypes = 0;
+
+ ctx->udp_pref_limit = -1;
+ *context = ctx;
+ return 0;
cleanup:
- krb5_free_context(ctx);
- return retval;
+ krb5_free_context(ctx);
+ return retval;
}
void KRB5_CALLCONV
krb5_free_context(krb5_context ctx)
{
- if (ctx == NULL)
- return;
- krb5_os_free_context(ctx);
-
- free(ctx->in_tkt_etypes);
- ctx->in_tkt_etypes = NULL;
- free(ctx->tgs_etypes);
- ctx->tgs_etypes = NULL;
- free(ctx->default_realm);
- ctx->default_realm = 0;
- if (ctx->ser_ctx_count && ctx->ser_ctx) {
- free(ctx->ser_ctx);
- ctx->ser_ctx = 0;
- }
-
- krb5_clear_error_message(ctx);
-
- ctx->magic = 0;
- free(ctx);
+ if (ctx == NULL)
+ return;
+ krb5_os_free_context(ctx);
+
+ free(ctx->in_tkt_etypes);
+ ctx->in_tkt_etypes = NULL;
+ free(ctx->tgs_etypes);
+ ctx->tgs_etypes = NULL;
+ free(ctx->default_realm);
+ ctx->default_realm = 0;
+ if (ctx->ser_ctx_count && ctx->ser_ctx) {
+ free(ctx->ser_ctx);
+ ctx->ser_ctx = 0;
+ }
+
+ krb5_clear_error_message(ctx);
+
+ ctx->magic = 0;
+ free(ctx);
}
/* Copy the zero-terminated enctype list old_list into *new_list. */
static krb5_error_code
copy_enctypes(krb5_context context, const krb5_enctype *old_list,
- krb5_enctype **new_list)
+ krb5_enctype **new_list)
{
unsigned int count;
krb5_enctype *list;
@@ -288,7 +289,7 @@ copy_enctypes(krb5_context context, const krb5_enctype *old_list,
for (count = 0; old_list[count]; count++);
list = malloc(sizeof(krb5_enctype) * (count + 1));
if (list == NULL)
- return ENOMEM;
+ return ENOMEM;
memcpy(list, old_list, sizeof(krb5_enctype) * (count + 1));
*new_list = list;
return 0;
@@ -299,25 +300,25 @@ copy_enctypes(krb5_context context, const krb5_enctype *old_list,
*/
static krb5_error_code
set_default_etype_var(krb5_context context, const krb5_enctype *etypes,
- krb5_enctype **var)
+ krb5_enctype **var)
{
krb5_error_code code;
krb5_enctype *list;
int i;
if (etypes) {
- for (i = 0; etypes[i]; i++) {
- if (!krb5_c_valid_enctype(etypes[i]))
- return KRB5_PROG_ETYPE_NOSUPP;
- if (!context->allow_weak_crypto && krb5int_c_weak_enctype(etypes[i]))
- return KRB5_PROG_ETYPE_NOSUPP;
- }
-
- code = copy_enctypes(context, etypes, &list);
- if (code)
- return code;
+ for (i = 0; etypes[i]; i++) {
+ if (!krb5_c_valid_enctype(etypes[i]))
+ return KRB5_PROG_ETYPE_NOSUPP;
+ if (!context->allow_weak_crypto && krb5int_c_weak_enctype(etypes[i]))
+ return KRB5_PROG_ETYPE_NOSUPP;
+ }
+
+ code = copy_enctypes(context, etypes, &list);
+ if (code)
+ return code;
} else {
- list = NULL;
+ list = NULL;
}
free(*var);
@@ -327,7 +328,7 @@ set_default_etype_var(krb5_context context, const krb5_enctype *etypes,
krb5_error_code
krb5_set_default_in_tkt_ktypes(krb5_context context,
- const krb5_enctype *etypes)
+ const krb5_enctype *etypes)
{
return set_default_etype_var(context, etypes, &context->in_tkt_etypes);
}
@@ -352,26 +353,26 @@ krb5_set_default_tgs_ktypes(krb5_context context, const krb5_enctype *etypes)
*/
static void
mod_list(krb5_enctype etype, krb5_boolean add, krb5_boolean allow_weak,
- krb5_enctype *list, unsigned int *count)
+ krb5_enctype *list, unsigned int *count)
{
unsigned int i;
assert(etype > 0 && etype <= MAX_ENCTYPE);
if (!allow_weak && krb5int_c_weak_enctype(etype))
- return;
+ return;
for (i = 0; i < *count; i++) {
- if (list[i] == etype) {
- if (!add) {
- for (; i < *count - 1; i++)
- list[i] = list[i + 1];
- (*count)--;
- }
- return;
- }
+ if (list[i] == etype) {
+ if (!add) {
+ for (; i < *count - 1; i++)
+ list[i] = list[i + 1];
+ (*count)--;
+ }
+ return;
+ }
}
if (add) {
- assert(*count < MAX_ENCTYPE);
- list[(*count)++] = etype;
+ assert(*count < MAX_ENCTYPE);
+ list[(*count)++] = etype;
}
}
@@ -381,7 +382,7 @@ mod_list(krb5_enctype etype, krb5_boolean add, krb5_boolean allow_weak,
*/
krb5_error_code
krb5int_parse_enctype_list(krb5_context context, char *profstr,
- krb5_enctype *default_list, krb5_enctype **result)
+ krb5_enctype *default_list, krb5_enctype **result)
{
char *token, *delim = " \t\r\n,", *save = NULL;
krb5_boolean sel, weak = context->allow_weak_crypto;
@@ -392,31 +393,31 @@ krb5int_parse_enctype_list(krb5_context context, char *profstr,
/* Walk through the words in profstr. */
for (token = strtok_r(profstr, delim, &save); token;
- token = strtok_r(NULL, delim, &save)) {
- /* Determine if we are adding or removing enctypes. */
- sel = TRUE;
- if (*token == '+' || *token == '-')
- sel = (*token++ == '+');
-
- if (strcasecmp(token, "DEFAULT") == 0) {
- /* Set all enctypes in the default list. */
- for (i = 0; default_list[i]; i++)
- mod_list(default_list[i], sel, weak, list, &count);
- } else if (strcasecmp(token, "des") == 0) {
- mod_list(ENCTYPE_DES_CBC_CRC, sel, weak, list, &count);
- mod_list(ENCTYPE_DES_CBC_MD5, sel, weak, list, &count);
- mod_list(ENCTYPE_DES_CBC_MD4, sel, weak, list, &count);
- } else if (strcasecmp(token, "des3") == 0) {
- mod_list(ENCTYPE_DES3_CBC_SHA1, sel, weak, list, &count);
- } else if (strcasecmp(token, "aes") == 0) {
- mod_list(ENCTYPE_AES256_CTS_HMAC_SHA1_96, sel, weak, list, &count);
- mod_list(ENCTYPE_AES128_CTS_HMAC_SHA1_96, sel, weak, list, &count);
- } else if (strcasecmp(token, "rc4") == 0) {
- mod_list(ENCTYPE_ARCFOUR_HMAC, sel, weak, list, &count);
- } else if (krb5_string_to_enctype(token, &etype) == 0) {
- /* Set a specific enctype. */
- mod_list(etype, sel, weak, list, &count);
- }
+ token = strtok_r(NULL, delim, &save)) {
+ /* Determine if we are adding or removing enctypes. */
+ sel = TRUE;
+ if (*token == '+' || *token == '-')
+ sel = (*token++ == '+');
+
+ if (strcasecmp(token, "DEFAULT") == 0) {
+ /* Set all enctypes in the default list. */
+ for (i = 0; default_list[i]; i++)
+ mod_list(default_list[i], sel, weak, list, &count);
+ } else if (strcasecmp(token, "des") == 0) {
+ mod_list(ENCTYPE_DES_CBC_CRC, sel, weak, list, &count);
+ mod_list(ENCTYPE_DES_CBC_MD5, sel, weak, list, &count);
+ mod_list(ENCTYPE_DES_CBC_MD4, sel, weak, list, &count);
+ } else if (strcasecmp(token, "des3") == 0) {
+ mod_list(ENCTYPE_DES3_CBC_SHA1, sel, weak, list, &count);
+ } else if (strcasecmp(token, "aes") == 0) {
+ mod_list(ENCTYPE_AES256_CTS_HMAC_SHA1_96, sel, weak, list, &count);
+ mod_list(ENCTYPE_AES128_CTS_HMAC_SHA1_96, sel, weak, list, &count);
+ } else if (strcasecmp(token, "rc4") == 0) {
+ mod_list(ENCTYPE_ARCFOUR_HMAC, sel, weak, list, &count);
+ } else if (krb5_string_to_enctype(token, &etype) == 0) {
+ /* Set a specific enctype. */
+ mod_list(etype, sel, weak, list, &count);
+ }
}
list[count] = 0;
@@ -433,8 +434,8 @@ krb5int_parse_enctype_list(krb5_context context, char *profstr,
*/
static krb5_error_code
get_profile_etype_list(krb5_context context, krb5_enctype **etypes_ptr,
- char *profkey, krb5_enctype *ctx_list,
- krb5_enctype *default_list)
+ char *profkey, krb5_enctype *ctx_list,
+ krb5_enctype *default_list)
{
krb5_enctype *etypes;
krb5_error_code code;
@@ -443,26 +444,26 @@ get_profile_etype_list(krb5_context context, krb5_enctype **etypes_ptr,
*etypes_ptr = NULL;
if (ctx_list) {
- /* Use application defaults. */
- code = copy_enctypes(context, ctx_list, &etypes);
- if (code)
- return code;
+ /* Use application defaults. */
+ code = copy_enctypes(context, ctx_list, &etypes);
+ if (code)
+ return code;
} else {
- /* Parse profile setting, or "DEFAULT" if not specified. */
- code = profile_get_string(context->profile, KRB5_CONF_LIBDEFAULTS,
- profkey, NULL, "DEFAULT", &profstr);
- if (code)
- return code;
- code = krb5int_parse_enctype_list(context, profstr, default_list,
- &etypes);
- profile_release_string(profstr);
- if (code)
- return code;
+ /* Parse profile setting, or "DEFAULT" if not specified. */
+ code = profile_get_string(context->profile, KRB5_CONF_LIBDEFAULTS,
+ profkey, NULL, "DEFAULT", &profstr);
+ if (code)
+ return code;
+ code = krb5int_parse_enctype_list(context, profstr, default_list,
+ &etypes);
+ profile_release_string(profstr);
+ if (code)
+ return code;
}
if (etypes[0] == 0) {
- free(etypes);
- return KRB5_CONFIG_ETYPE_NOSUPP;
+ free(etypes);
+ return KRB5_CONFIG_ETYPE_NOSUPP;
}
*etypes_ptr = etypes;
@@ -473,9 +474,9 @@ krb5_error_code
krb5_get_default_in_tkt_ktypes(krb5_context context, krb5_enctype **ktypes)
{
return get_profile_etype_list(context, ktypes,
- KRB5_CONF_DEFAULT_TKT_ENCTYPES,
- context->in_tkt_etypes,
- default_enctype_list);
+ KRB5_CONF_DEFAULT_TKT_ENCTYPES,
+ context->in_tkt_etypes,
+ default_enctype_list);
}
void
@@ -490,24 +491,24 @@ KRB5_CALLCONV
krb5_get_tgs_ktypes(krb5_context context, krb5_const_principal princ, krb5_enctype **ktypes)
{
if (context->use_conf_ktypes)
- /* This one is set *only* by reading the config file; it's not
- set by the application. */
- return get_profile_etype_list(context, ktypes,
- KRB5_CONF_DEFAULT_TKT_ENCTYPES, NULL,
- default_enctype_list);
+ /* This one is set *only* by reading the config file; it's not
+ set by the application. */
+ return get_profile_etype_list(context, ktypes,
+ KRB5_CONF_DEFAULT_TKT_ENCTYPES, NULL,
+ default_enctype_list);
else
- return get_profile_etype_list(context, ktypes,
- KRB5_CONF_DEFAULT_TGS_ENCTYPES,
- context->tgs_etypes,
- default_enctype_list);
+ return get_profile_etype_list(context, ktypes,
+ KRB5_CONF_DEFAULT_TGS_ENCTYPES,
+ context->tgs_etypes,
+ default_enctype_list);
}
krb5_error_code KRB5_CALLCONV
krb5_get_permitted_enctypes(krb5_context context, krb5_enctype **ktypes)
{
return get_profile_etype_list(context, ktypes,
- KRB5_CONF_PERMITTED_ENCTYPES,
- context->tgs_etypes, default_enctype_list);
+ KRB5_CONF_PERMITTED_ENCTYPES,
+ context->tgs_etypes, default_enctype_list);
}
krb5_boolean
@@ -517,14 +518,14 @@ krb5_is_permitted_enctype(krb5_context context, krb5_enctype etype)
krb5_boolean ret;
if (krb5_get_permitted_enctypes(context, &list))
- return(0);
+ return(0);
+
-
ret = 0;
for (ptr = list; *ptr; ptr++)
- if (*ptr == etype)
- ret = 1;
+ if (*ptr == etype)
+ ret = 1;
krb5_free_ktypes (context, list);
@@ -571,11 +572,11 @@ krb5_copy_context(krb5_context ctx, krb5_context *nctx_out)
*nctx_out = NULL;
if (ctx == NULL)
- return EINVAL; /* XXX */
+ return EINVAL; /* XXX */
nctx = malloc(sizeof(*nctx));
if (nctx == NULL)
- return ENOMEM;
+ return ENOMEM;
*nctx = *ctx;
@@ -600,28 +601,28 @@ krb5_copy_context(krb5_context ctx, krb5_context *nctx_out)
ret = copy_enctypes(nctx, ctx->in_tkt_etypes, &nctx->in_tkt_etypes);
if (ret)
- goto errout;
+ goto errout;
ret = copy_enctypes(nctx, ctx->tgs_etypes, &nctx->tgs_etypes);
if (ret)
- goto errout;
+ goto errout;
if (ctx->os_context.default_ccname != NULL) {
- nctx->os_context.default_ccname =
- strdup(ctx->os_context.default_ccname);
- if (nctx->os_context.default_ccname == NULL) {
- ret = ENOMEM;
- goto errout;
- }
+ nctx->os_context.default_ccname =
+ strdup(ctx->os_context.default_ccname);
+ if (nctx->os_context.default_ccname == NULL) {
+ ret = ENOMEM;
+ goto errout;
+ }
}
ret = krb5_get_profile(ctx, &nctx->profile);
if (ret)
- goto errout;
+ goto errout;
errout:
if (ret) {
- krb5_free_context(nctx);
+ krb5_free_context(nctx);
} else {
- *nctx_out = nctx;
+ *nctx_out = nctx;
}
return ret;
}
diff --git a/src/lib/krb5/krb/init_keyblock.c b/src/lib/krb5/krb/init_keyblock.c
index 3be842ac86..baf7dabece 100644
--- a/src/lib/krb5/krb/init_keyblock.c
+++ b/src/lib/krb5/krb/init_keyblock.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/init_keyblock.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,10 +23,10 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
- *
*
- * krb5_init_keyblock- a function to set up
+ *
+ *
+ * krb5_init_keyblock- a function to set up
* an empty keyblock
*/
@@ -34,8 +35,8 @@
#include <assert.h>
krb5_error_code KRB5_CALLCONV krb5_init_keyblock
- (krb5_context context, krb5_enctype enctype,
- size_t length, krb5_keyblock **out)
+(krb5_context context, krb5_enctype enctype,
+ size_t length, krb5_keyblock **out)
{
- return krb5int_c_init_keyblock (context, enctype, length, out);
+ return krb5int_c_init_keyblock (context, enctype, length, out);
}
diff --git a/src/lib/krb5/krb/int-proto.h b/src/lib/krb5/krb/int-proto.h
index 724e18bf8b..081a8a34ba 100644
--- a/src/lib/krb5/krb/int-proto.h
+++ b/src/lib/krb5/krb/int-proto.h
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/int-proto.h
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* Function prototypes for Kerberos V5 library internal functions.
*/
@@ -32,14 +33,14 @@
#define KRB5_INT_FUNC_PROTO__
krb5_error_code krb5_tgtname
- (krb5_context context,
- const krb5_data *,
- const krb5_data *,
- krb5_principal *);
+(krb5_context context,
+ const krb5_data *,
+ const krb5_data *,
+ krb5_principal *);
krb5_error_code krb5_libdefault_boolean
- (krb5_context, const krb5_data *, const char *,
- int *);
+(krb5_context, const krb5_data *, const char *,
+ int *);
krb5_error_code krb5_ser_authdata_init (krb5_context);
krb5_error_code krb5_ser_address_init (krb5_context);
@@ -51,40 +52,39 @@ krb5_error_code krb5_ser_authdata_context_init (krb5_context);
krb5_error_code
krb5_preauth_supply_preauth_data(krb5_context context,
- krb5_gic_opt_ext *opte,
- const char *attr,
- const char *value);
+ krb5_gic_opt_ext *opte,
+ const char *attr,
+ const char *value);
krb5_error_code
krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache,
- krb5_creds *in_cred, krb5_creds **out_cred,
- krb5_creds ***tgts, int kdcopt);
+ krb5_creds *in_cred, krb5_creds **out_cred,
+ krb5_creds ***tgts, int kdcopt);
krb5_error_code
krb5int_construct_matching_creds(krb5_context context, krb5_flags options,
- krb5_creds *in_creds, krb5_creds *mcreds,
- krb5_flags *fields);
+ krb5_creds *in_creds, krb5_creds *mcreds,
+ krb5_flags *fields);
#define in_clock_skew(date, now) (labs((date)-(now)) < context->clockskew)
-#define IS_TGS_PRINC(c, p) \
- (krb5_princ_size((c), (p)) == 2 && \
+#define IS_TGS_PRINC(c, p) \
+ (krb5_princ_size((c), (p)) == 2 && \
data_eq_string(*krb5_princ_component((c), (p), 0), KRB5_TGS_NAME))
krb5_error_code
krb5_get_cred_via_tkt_ext (krb5_context context, krb5_creds *tkt,
- krb5_flags kdcoptions, krb5_address *const *address,
- krb5_pa_data **in_padata,
- krb5_creds *in_cred,
- krb5_error_code (*gcvt_fct)(krb5_context,
- krb5_keyblock *,
- krb5_kdc_req *,
- void *),
- void *gcvt_data,
- krb5_pa_data ***out_padata,
- krb5_pa_data ***enc_padata,
- krb5_creds **out_cred,
- krb5_keyblock **out_subkey);
+ krb5_flags kdcoptions, krb5_address *const *address,
+ krb5_pa_data **in_padata,
+ krb5_creds *in_cred,
+ krb5_error_code (*gcvt_fct)(krb5_context,
+ krb5_keyblock *,
+ krb5_kdc_req *,
+ void *),
+ void *gcvt_data,
+ krb5_pa_data ***out_padata,
+ krb5_pa_data ***enc_padata,
+ krb5_creds **out_cred,
+ krb5_keyblock **out_subkey);
#endif /* KRB5_INT_FUNC_PROTO__ */
-
diff --git a/src/lib/krb5/krb/kdc_rep_dc.c b/src/lib/krb5/krb/kdc_rep_dc.c
index 42559b2f17..dfd3ba29fc 100644
--- a/src/lib/krb5/krb/kdc_rep_dc.c
+++ b/src/lib/krb5/krb/kdc_rep_dc.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/kdc_rep_dc.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_kdc_rep_decrypt_proc()
*/
@@ -45,34 +46,34 @@ krb5_kdc_rep_decrypt_proc(krb5_context context, const krb5_keyblock *key, krb5_c
krb5_keyusage usage;
if (decryptarg) {
- usage = *(const krb5_keyusage *) decryptarg;
+ usage = *(const krb5_keyusage *) decryptarg;
} else {
- usage = KRB5_KEYUSAGE_AS_REP_ENCPART;
+ usage = KRB5_KEYUSAGE_AS_REP_ENCPART;
}
/* set up scratch decrypt/decode area */
scratch.length = dec_rep->enc_part.ciphertext.length;
if (!(scratch.data = malloc(dec_rep->enc_part.ciphertext.length))) {
- return(ENOMEM);
+ return(ENOMEM);
}
/*dec_rep->enc_part.enctype;*/
if ((retval = krb5_c_decrypt(context, key, usage, 0, &dec_rep->enc_part,
- &scratch))) {
- free(scratch.data);
- return(retval);
+ &scratch))) {
+ free(scratch.data);
+ return(retval);
}
-#define clean_scratch() {memset(scratch.data, 0, scratch.length); \
-free(scratch.data);}
+#define clean_scratch() {memset(scratch.data, 0, scratch.length); \
+ free(scratch.data);}
/* and do the decode */
retval = decode_krb5_enc_kdc_rep_part(&scratch, &local_encpart);
clean_scratch();
if (retval)
- return retval;
+ return retval;
dec_rep->enc_part2 = local_encpart;
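Review bot: The `clean_scratch()` macro clears the decrypted reply with a plain `memset` immediately before `free`, which an optimizer may remove as a dead store, so the plaintext enc-part can remain in freed heap memory. Where the platform provides one, use a wipe the compiler cannot elide inside the macro, e.g. `explicit_bzero(scratch.data, scratch.length);` or `memset_s`. The `krb5_c_decrypt` failure path above frees `scratch.data` without clearing it at all; it may hold partial plaintext, so the same wipe is worth applying there. The macro body would also be safer wrapped as `do { ... } while (0)`. None of this is introduced by the re-indentation, and the function begins and ends outside this hunk.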
diff --git a/src/lib/krb5/krb/kerrs.c b/src/lib/krb5/krb/kerrs.c
index 51f1eca97e..7525e29a1f 100644
--- a/src/lib/krb5/krb/kerrs.c
+++ b/src/lib/krb5/krb/kerrs.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/kerrs.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -38,63 +39,63 @@ static int error_message_debug = 0;
#undef krb5_set_error_message
void KRB5_CALLCONV_C
krb5_set_error_message (krb5_context ctx, krb5_error_code code,
- const char *fmt, ...)
+ const char *fmt, ...)
{
va_list args;
if (ctx == NULL)
- return;
+ return;
va_start (args, fmt);
#ifdef DEBUG
if (ERROR_MESSAGE_DEBUG())
- fprintf(stderr,
- "krb5_set_error_message(ctx=%p/err=%p, code=%ld, ...)\n",
- ctx, &ctx->err, (long) code);
+ fprintf(stderr,
+ "krb5_set_error_message(ctx=%p/err=%p, code=%ld, ...)\n",
+ ctx, &ctx->err, (long) code);
#endif
krb5int_vset_error (&ctx->err, code, fmt, args);
#ifdef DEBUG
if (ERROR_MESSAGE_DEBUG())
- fprintf(stderr, "->%s\n", ctx->err.msg);
+ fprintf(stderr, "->%s\n", ctx->err.msg);
#endif
va_end (args);
}
void KRB5_CALLCONV_C
krb5_set_error_message_fl (krb5_context ctx, krb5_error_code code,
- const char *file, int line, const char *fmt, ...)
+ const char *file, int line, const char *fmt, ...)
{
va_list args;
if (ctx == NULL)
- return;
+ return;
va_start (args, fmt);
#ifdef DEBUG
if (ERROR_MESSAGE_DEBUG())
- fprintf(stderr,
- "krb5_set_error_message(ctx=%p/err=%p, code=%ld, ...)\n",
- ctx, &ctx->err, (long) code);
+ fprintf(stderr,
+ "krb5_set_error_message(ctx=%p/err=%p, code=%ld, ...)\n",
+ ctx, &ctx->err, (long) code);
#endif
krb5int_vset_error_fl (&ctx->err, code, file, line, fmt, args);
#ifdef DEBUG
if (ERROR_MESSAGE_DEBUG())
- fprintf(stderr, "->%s\n", ctx->err.msg);
+ fprintf(stderr, "->%s\n", ctx->err.msg);
#endif
va_end (args);
}
void KRB5_CALLCONV
krb5_vset_error_message (krb5_context ctx, krb5_error_code code,
- const char *fmt, va_list args)
+ const char *fmt, va_list args)
{
#ifdef DEBUG
if (ERROR_MESSAGE_DEBUG())
- fprintf(stderr, "krb5_vset_error_message(ctx=%p, code=%ld, ...)\n",
- ctx, (long) code);
+ fprintf(stderr, "krb5_vset_error_message(ctx=%p, code=%ld, ...)\n",
+ ctx, (long) code);
#endif
if (ctx == NULL)
- return;
+ return;
krb5int_vset_error (&ctx->err, code, fmt, args);
#ifdef DEBUG
if (ERROR_MESSAGE_DEBUG())
- fprintf(stderr, "->%s\n", ctx->err.msg);
+ fprintf(stderr, "->%s\n", ctx->err.msg);
#endif
}
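Review bot: None of the three setters documents that `fmt` is a printf-style format string, so a caller could pass attacker-influenced text as `fmt`. A header comment such as `/* fmt is a printf-style format; pass untrusted text as a "%s" argument, never as fmt. */` on `krb5_set_error_message`, `krb5_set_error_message_fl` and `krb5_vset_error_message` would make the contract explicit; `krb5_copy_error_message` further down already follows it. Separately, the DEBUG trace in `krb5_set_error_message_fl` prints the name `krb5_set_error_message`, which makes the two entry points indistinguishable in a trace.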
@@ -103,12 +104,12 @@ void KRB5_CALLCONV
krb5_copy_error_message (krb5_context dest_ctx, krb5_context src_ctx)
{
if (dest_ctx == src_ctx)
- return;
+ return;
if (src_ctx->err.msg) {
- krb5int_set_error(&dest_ctx->err, src_ctx->err.code, "%s",
- src_ctx->err.msg);
+ krb5int_set_error(&dest_ctx->err, src_ctx->err.code, "%s",
+ src_ctx->err.msg);
} else {
- krb5int_clear_error(&dest_ctx->err);
+ krb5int_clear_error(&dest_ctx->err);
}
}
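Review bot: `krb5_copy_error_message` dereferences `src_ctx->err.msg` and `dest_ctx->err` without a NULL check, while the other functions shown in this file return early on `ctx == NULL`; the `dest_ctx == src_ctx` test only covers the case where both are NULL. A guard such as `if (dest_ctx == NULL || src_ctx == NULL || dest_ctx == src_ctx) return;` would bring it in line with its siblings. Whether a NULL source should instead clear the destination's error state is a design choice the hunk does not settle.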
@@ -117,10 +118,10 @@ krb5_get_error_message (krb5_context ctx, krb5_error_code code)
{
#ifdef DEBUG
if (ERROR_MESSAGE_DEBUG())
- fprintf(stderr, "krb5_get_error_message(%p, %ld)\n", ctx, (long) code);
+ fprintf(stderr, "krb5_get_error_message(%p, %ld)\n", ctx, (long) code);
#endif
if (ctx == NULL)
- return error_message(code);
+ return error_message(code);
return krb5int_get_error (&ctx->err, code);
}
@@ -129,10 +130,10 @@ krb5_free_error_message (krb5_context ctx, const char *msg)
{
#ifdef DEBUG
if (ERROR_MESSAGE_DEBUG())
- fprintf(stderr, "krb5_free_error_message(%p, %p)\n", ctx, msg);
+ fprintf(stderr, "krb5_free_error_message(%p, %p)\n", ctx, msg);
#endif
if (ctx == NULL)
- return;
+ return;
krb5int_free_error (&ctx->err, msg);
}
@@ -141,9 +142,9 @@ krb5_clear_error_message (krb5_context ctx)
{
#ifdef DEBUG
if (ERROR_MESSAGE_DEBUG())
- fprintf(stderr, "krb5_clear_error_message(%p)\n", ctx);
+ fprintf(stderr, "krb5_clear_error_message(%p)\n", ctx);
#endif
if (ctx == NULL)
- return;
+ return;
krb5int_clear_error (&ctx->err);
}
diff --git a/src/lib/krb5/krb/kfree.c b/src/lib/krb5/krb/kfree.c
index 801eed0da7..c372e70b6c 100644
--- a/src/lib/krb5/krb/kfree.c
+++ b/src/lib/krb5/krb/kfree.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/free/f_addr.c
*
@@ -7,7 +8,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -21,7 +22,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_free_address()
*/
@@ -60,7 +61,7 @@ void KRB5_CALLCONV
krb5_free_address(krb5_context context, krb5_address *val)
{
if (val == NULL)
- return;
+ return;
free(val->contents);
free(val);
}
@@ -71,10 +72,10 @@ krb5_free_addresses(krb5_context context, krb5_address **val)
register krb5_address **temp;
if (val == NULL)
- return;
+ return;
for (temp = val; *temp; temp++) {
- free((*temp)->contents);
- free(*temp);
+ free((*temp)->contents);
+ free(*temp);
}
free(val);
}
@@ -82,18 +83,18 @@ krb5_free_addresses(krb5_context context, krb5_address **val)
void KRB5_CALLCONV
krb5_free_alt_method(krb5_context context,
- krb5_alt_method *alt)
+ krb5_alt_method *alt)
{
if (alt) {
- free(alt->data);
- free(alt);
+ free(alt->data);
+ free(alt);
}
}
void KRB5_CALLCONV
krb5_free_ap_rep(krb5_context context, register krb5_ap_rep *val)
{
if (val == NULL)
- return;
+ return;
free(val->enc_part.ciphertext.data);
free(val);
}
@@ -102,7 +103,7 @@ void KRB5_CALLCONV
krb5_free_ap_req(krb5_context context, register krb5_ap_req *val)
{
if (val == NULL)
- return;
+ return;
krb5_free_ticket(context, val->ticket);
free(val->authenticator.ciphertext.data);
free(val);
@@ -112,7 +113,7 @@ void KRB5_CALLCONV
krb5_free_ap_rep_enc_part(krb5_context context, krb5_ap_rep_enc_part *val)
{
if (val == NULL)
- return;
+ return;
krb5_free_keyblock(context, val->subkey);
free(val);
}
@@ -121,7 +122,7 @@ void KRB5_CALLCONV
krb5_free_authenticator_contents(krb5_context context, krb5_authenticator *val)
{
if (val == NULL)
- return;
+ return;
krb5_free_checksum(context, val->checksum);
val->checksum = 0;
krb5_free_principal(context, val->client);
@@ -138,10 +139,10 @@ krb5_free_authdata(krb5_context context, krb5_authdata **val)
register krb5_authdata **temp;
if (val == NULL)
- return;
+ return;
for (temp = val; *temp; temp++) {
- free((*temp)->contents);
- free(*temp);
+ free((*temp)->contents);
+ free(*temp);
}
free(val);
}
@@ -150,7 +151,7 @@ void KRB5_CALLCONV
krb5_free_authenticator(krb5_context context, krb5_authenticator *val)
{
if (val == NULL)
- return;
+ return;
krb5_free_authenticator_contents(context, val);
free(val);
}
@@ -159,7 +160,7 @@ void KRB5_CALLCONV
krb5_free_checksum(krb5_context context, register krb5_checksum *val)
{
if (val == NULL)
- return;
+ return;
krb5_free_checksum_contents(context, val);
free(val);
}
@@ -168,7 +169,7 @@ void KRB5_CALLCONV
krb5_free_checksum_contents(krb5_context context, register krb5_checksum *val)
{
if (val == NULL)
- return;
+ return;
free(val->contents);
val->contents = NULL;
}
@@ -177,7 +178,7 @@ void KRB5_CALLCONV
krb5_free_cred(krb5_context context, register krb5_cred *val)
{
if (val == NULL)
- return;
+ return;
krb5_free_tickets(context, val->tickets);
free(val->enc_part.ciphertext.data);
free(val);
@@ -185,14 +186,14 @@ krb5_free_cred(krb5_context context, register krb5_cred *val)
/*
* krb5_free_cred_contents zeros out the session key, and then frees
- * the credentials structures
+ * the credentials structures
*/
void KRB5_CALLCONV
krb5_free_cred_contents(krb5_context context, krb5_creds *val)
{
if (val == NULL)
- return;
+ return;
krb5_free_principal(context, val->client);
val->client = 0;
krb5_free_principal(context, val->server);
@@ -208,28 +209,28 @@ krb5_free_cred_contents(krb5_context context, krb5_creds *val)
val->authdata = 0;
}
-void KRB5_CALLCONV
+void KRB5_CALLCONV
krb5_free_cred_enc_part(krb5_context context, register krb5_cred_enc_part *val)
{
register krb5_cred_info **temp;
-
+
if (val == NULL)
- return;
+ return;
krb5_free_address(context, val->r_address);
val->r_address = 0;
krb5_free_address(context, val->s_address);
val->s_address = 0;
if (val->ticket_info) {
- for (temp = val->ticket_info; *temp; temp++) {
- krb5_free_keyblock(context, (*temp)->session);
- krb5_free_principal(context, (*temp)->client);
- krb5_free_principal(context, (*temp)->server);
- krb5_free_addresses(context, (*temp)->caddrs);
- free(*temp);
- }
- free(val->ticket_info);
- val->ticket_info = 0;
+ for (temp = val->ticket_info; *temp; temp++) {
+ krb5_free_keyblock(context, (*temp)->session);
+ krb5_free_principal(context, (*temp)->client);
+ krb5_free_principal(context, (*temp)->server);
+ krb5_free_addresses(context, (*temp)->caddrs);
+ free(*temp);
+ }
+ free(val->ticket_info);
+ val->ticket_info = 0;
}
}
@@ -238,7 +239,7 @@ void KRB5_CALLCONV
krb5_free_creds(krb5_context context, krb5_creds *val)
{
if (val == NULL)
- return;
+ return;
krb5_free_cred_contents(context, val);
free(val);
}
@@ -248,7 +249,7 @@ void KRB5_CALLCONV
krb5_free_data(krb5_context context, krb5_data *val)
{
if (val == NULL)
- return;
+ return;
free(val->data);
free(val);
}
@@ -257,10 +258,10 @@ void KRB5_CALLCONV
krb5_free_data_contents(krb5_context context, krb5_data *val)
{
if (val == NULL)
- return;
+ return;
if (val->data) {
- free(val->data);
- val->data = 0;
+ free(val->data);
+ val->data = 0;
}
}
@@ -268,7 +269,7 @@ void KRB5_CALLCONV
krb5_free_enc_data(krb5_context context, krb5_enc_data *val)
{
if (val == NULL)
- return;
+ return;
krb5_free_data_contents(context, &val->ciphertext);
free(val);
}
@@ -278,21 +279,21 @@ void krb5_free_etype_info(krb5_context context, krb5_etype_info info)
int i;
if (info == NULL)
- return;
+ return;
for (i=0; info[i] != NULL; i++) {
- free(info[i]->salt);
- krb5_free_data_contents(context, &info[i]->s2kparams);
- free(info[i]);
+ free(info[i]->salt);
+ krb5_free_data_contents(context, &info[i]->s2kparams);
+ free(info[i]);
}
free(info);
}
-
+
void KRB5_CALLCONV
krb5_free_enc_kdc_rep_part(krb5_context context, register krb5_enc_kdc_rep_part *val)
{
if (val == NULL)
- return;
+ return;
krb5_free_keyblock(context, val->session);
krb5_free_last_req(context, val->last_req);
krb5_free_principal(context, val->server);
@@ -305,7 +306,7 @@ void KRB5_CALLCONV
krb5_free_enc_tkt_part(krb5_context context, krb5_enc_tkt_part *val)
{
if (val == NULL)
- return;
+ return;
krb5_free_keyblock(context, val->session);
krb5_free_principal(context, val->client);
free(val->transited.tr_contents.data);
@@ -319,7 +320,7 @@ void KRB5_CALLCONV
krb5_free_error(krb5_context context, register krb5_error *val)
{
if (val == NULL)
- return;
+ return;
krb5_free_principal(context, val->client);
krb5_free_principal(context, val->server);
free(val->text.data);
@@ -331,7 +332,7 @@ void KRB5_CALLCONV
krb5_free_kdc_rep(krb5_context context, krb5_kdc_rep *val)
{
if (val == NULL)
- return;
+ return;
krb5_free_pa_data(context, val->padata);
krb5_free_principal(context, val->client);
krb5_free_ticket(context, val->ticket);
@@ -345,7 +346,7 @@ void KRB5_CALLCONV
krb5_free_kdc_req(krb5_context context, krb5_kdc_req *val)
{
if (val == NULL)
- return;
+ return;
assert( val->kdc_state == NULL);
krb5_free_pa_data(context, val->padata);
krb5_free_principal(context, val->client);
@@ -378,9 +379,9 @@ krb5_free_last_req(krb5_context context, krb5_last_req_entry **val)
register krb5_last_req_entry **temp;
if (val == NULL)
- return;
+ return;
for (temp = val; *temp; temp++)
- free(*temp);
+ free(*temp);
free(val);
}
@@ -390,10 +391,10 @@ krb5_free_pa_data(krb5_context context, krb5_pa_data **val)
register krb5_pa_data **temp;
if (val == NULL)
- return;
+ return;
for (temp = val; *temp; temp++) {
- free((*temp)->contents);
- free(*temp);
+ free((*temp)->contents);
+ free(*temp);
}
free(val);
}
@@ -404,13 +405,13 @@ krb5_free_principal(krb5_context context, krb5_principal val)
register krb5_int32 i;
if (!val)
- return;
-
+ return;
+
if (val->data) {
- i = krb5_princ_size(context, val);
- while(--i >= 0)
- free(krb5_princ_component(context, val, i)->data);
- free(val->data);
+ i = krb5_princ_size(context, val);
+ while(--i >= 0)
+ free(krb5_princ_component(context, val, i)->data);
+ free(val->data);
}
free(val->realm.data);
free(val);
@@ -420,7 +421,7 @@ void KRB5_CALLCONV
krb5_free_priv(krb5_context context, register krb5_priv *val)
{
if (val == NULL)
- return;
+ return;
free(val->enc_part.ciphertext.data);
free(val);
}
@@ -429,7 +430,7 @@ void KRB5_CALLCONV
krb5_free_priv_enc_part(krb5_context context, register krb5_priv_enc_part *val)
{
if (val == NULL)
- return;
+ return;
free(val->user_data.data);
krb5_free_address(context, val->r_address);
krb5_free_address(context, val->s_address);
@@ -440,7 +441,7 @@ void KRB5_CALLCONV
krb5_free_pwd_data(krb5_context context, krb5_pwd_data *val)
{
if (val == NULL)
- return;
+ return;
krb5_free_pwd_sequences(context, val->element);
free(val);
}
@@ -448,10 +449,10 @@ krb5_free_pwd_data(krb5_context context, krb5_pwd_data *val)
void KRB5_CALLCONV
krb5_free_passwd_phrase_element(krb5_context context,
- passwd_phrase_element *val)
+ passwd_phrase_element *val)
{
if (val == NULL)
- return;
+ return;
krb5_free_data(context, val->passwd);
val->passwd = NULL;
krb5_free_data(context, val->phrase);
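Review bot: `krb5_free_passwd_phrase_element` releases `val->passwd` and `val->phrase` through `krb5_free_data`, which in this file only does `free(val->data); free(val);`, so the password bytes are never cleared before the memory goes back to the allocator. Wipe the buffers first with a call the compiler cannot elide where one is available, e.g. `if (val->passwd && val->passwd->data) explicit_bzero(val->passwd->data, val->passwd->length);`, and do the same for `phrase`. The function body continues past the end of this hunk.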
@@ -466,9 +467,9 @@ krb5_free_pwd_sequences(krb5_context context, passwd_phrase_element **val)
register passwd_phrase_element **temp;
if (val == NULL)
- return;
+ return;
for (temp = val; *temp; temp++)
- krb5_free_passwd_phrase_element(context, *temp);
+ krb5_free_passwd_phrase_element(context, *temp);
free(val);
}
@@ -477,7 +478,7 @@ void KRB5_CALLCONV
krb5_free_safe(krb5_context context, register krb5_safe *val)
{
if (val == NULL)
- return;
+ return;
free(val->user_data.data);
krb5_free_address(context, val->r_address);
krb5_free_address(context, val->s_address);
@@ -490,7 +491,7 @@ void KRB5_CALLCONV
krb5_free_ticket(krb5_context context, krb5_ticket *val)
{
if (val == NULL)
- return;
+ return;
krb5_free_principal(context, val->server);
free(val->enc_part.ciphertext.data);
krb5_free_enc_tkt_part(context, val->enc_part2);
@@ -503,7 +504,7 @@ krb5_free_tickets(krb5_context context, krb5_ticket **val)
register krb5_ticket **temp;
if (val == NULL)
- return;
+ return;
for (temp = val; *temp; temp++)
krb5_free_ticket(context, *temp);
free(val);
@@ -515,9 +516,9 @@ krb5_free_tgt_creds(krb5_context context, krb5_creds **tgts)
{
register krb5_creds **tgtpp;
if (tgts == NULL)
- return;
+ return;
for (tgtpp = tgts; *tgtpp; tgtpp++)
- krb5_free_creds(context, *tgtpp);
+ krb5_free_creds(context, *tgtpp);
free(tgts);
}
@@ -525,7 +526,7 @@ void KRB5_CALLCONV
krb5_free_tkt_authent(krb5_context context, krb5_tkt_authent *val)
{
if (val == NULL)
- return;
+ return;
krb5_free_ticket(context, val->ticket);
krb5_free_authenticator(context, val->authenticator);
free(val);
@@ -535,14 +536,14 @@ void KRB5_CALLCONV
krb5_free_unparsed_name(krb5_context context, char *val)
{
if (val != NULL)
- free(val);
+ free(val);
}
void KRB5_CALLCONV
krb5_free_sam_challenge(krb5_context ctx, krb5_sam_challenge *sc)
{
if (!sc)
- return;
+ return;
krb5_free_sam_challenge_contents(ctx, sc);
free(sc);
}
@@ -551,7 +552,7 @@ void KRB5_CALLCONV
krb5_free_sam_challenge_2(krb5_context ctx, krb5_sam_challenge_2 *sc2)
{
if (!sc2)
- return;
+ return;
krb5_free_sam_challenge_2_contents(ctx, sc2);
free(sc2);
}
@@ -560,79 +561,79 @@ void KRB5_CALLCONV
krb5_free_sam_challenge_contents(krb5_context ctx, krb5_sam_challenge *sc)
{
if (!sc)
- return;
+ return;
if (sc->sam_type_name.data)
- krb5_free_data_contents(ctx, &sc->sam_type_name);
+ krb5_free_data_contents(ctx, &sc->sam_type_name);
if (sc->sam_track_id.data)
- krb5_free_data_contents(ctx, &sc->sam_track_id);
+ krb5_free_data_contents(ctx, &sc->sam_track_id);
if (sc->sam_challenge_label.data)
- krb5_free_data_contents(ctx, &sc->sam_challenge_label);
+ krb5_free_data_contents(ctx, &sc->sam_challenge_label);
if (sc->sam_challenge.data)
- krb5_free_data_contents(ctx, &sc->sam_challenge);
+ krb5_free_data_contents(ctx, &sc->sam_challenge);
if (sc->sam_response_prompt.data)
- krb5_free_data_contents(ctx, &sc->sam_response_prompt);
+ krb5_free_data_contents(ctx, &sc->sam_response_prompt);
if (sc->sam_pk_for_sad.data)
- krb5_free_data_contents(ctx, &sc->sam_pk_for_sad);
+ krb5_free_data_contents(ctx, &sc->sam_pk_for_sad);
free(sc->sam_cksum.contents);
sc->sam_cksum.contents = 0;
}
void KRB5_CALLCONV
krb5_free_sam_challenge_2_contents(krb5_context ctx,
- krb5_sam_challenge_2 *sc2)
+ krb5_sam_challenge_2 *sc2)
{
krb5_checksum **cksump;
if (!sc2)
- return;
+ return;
if (sc2->sam_challenge_2_body.data)
- krb5_free_data_contents(ctx, &sc2->sam_challenge_2_body);
+ krb5_free_data_contents(ctx, &sc2->sam_challenge_2_body);
if (sc2->sam_cksum) {
- cksump = sc2->sam_cksum;
- while (*cksump) {
- krb5_free_checksum(ctx, *cksump);
- cksump++;
- }
- free(sc2->sam_cksum);
- sc2->sam_cksum = 0;
+ cksump = sc2->sam_cksum;
+ while (*cksump) {
+ krb5_free_checksum(ctx, *cksump);
+ cksump++;
+ }
+ free(sc2->sam_cksum);
+ sc2->sam_cksum = 0;
}
}
void KRB5_CALLCONV
krb5_free_sam_challenge_2_body(krb5_context ctx,
- krb5_sam_challenge_2_body *sc2)
+ krb5_sam_challenge_2_body *sc2)
{
if (!sc2)
- return;
+ return;
krb5_free_sam_challenge_2_body_contents(ctx, sc2);
free(sc2);
}
void KRB5_CALLCONV
krb5_free_sam_challenge_2_body_contents(krb5_context ctx,
- krb5_sam_challenge_2_body *sc2)
+ krb5_sam_challenge_2_body *sc2)
{
if (!sc2)
- return;
- if (sc2->sam_type_name.data)
- krb5_free_data_contents(ctx, &sc2->sam_type_name);
+ return;
+ if (sc2->sam_type_name.data)
+ krb5_free_data_contents(ctx, &sc2->sam_type_name);
if (sc2->sam_track_id.data)
- krb5_free_data_contents(ctx, &sc2->sam_track_id);
+ krb5_free_data_contents(ctx, &sc2->sam_track_id);
if (sc2->sam_challenge_label.data)
- krb5_free_data_contents(ctx, &sc2->sam_challenge_label);
+ krb5_free_data_contents(ctx, &sc2->sam_challenge_label);
if (sc2->sam_challenge.data)
- krb5_free_data_contents(ctx, &sc2->sam_challenge);
+ krb5_free_data_contents(ctx, &sc2->sam_challenge);
if (sc2->sam_response_prompt.data)
- krb5_free_data_contents(ctx, &sc2->sam_response_prompt);
+ krb5_free_data_contents(ctx, &sc2->sam_response_prompt);
if (sc2->sam_pk_for_sad.data)
- krb5_free_data_contents(ctx, &sc2->sam_pk_for_sad);
+ krb5_free_data_contents(ctx, &sc2->sam_pk_for_sad);
}
void KRB5_CALLCONV
krb5_free_sam_response(krb5_context ctx, krb5_sam_response *sr)
{
if (!sr)
- return;
+ return;
krb5_free_sam_response_contents(ctx, sr);
free(sr);
}
@@ -641,7 +642,7 @@ void KRB5_CALLCONV
krb5_free_sam_response_2(krb5_context ctx, krb5_sam_response_2 *sr2)
{
if (!sr2)
- return;
+ return;
krb5_free_sam_response_2_contents(ctx, sr2);
free(sr2);
}
@@ -650,95 +651,95 @@ void KRB5_CALLCONV
krb5_free_sam_response_contents(krb5_context ctx, krb5_sam_response *sr)
{
if (!sr)
- return;
+ return;
if (sr->sam_track_id.data)
- krb5_free_data_contents(ctx, &sr->sam_track_id);
+ krb5_free_data_contents(ctx, &sr->sam_track_id);
if (sr->sam_enc_key.ciphertext.data)
- krb5_free_data_contents(ctx, &sr->sam_enc_key.ciphertext);
+ krb5_free_data_contents(ctx, &sr->sam_enc_key.ciphertext);
if (sr->sam_enc_nonce_or_ts.ciphertext.data)
- krb5_free_data_contents(ctx, &sr->sam_enc_nonce_or_ts.ciphertext);
+ krb5_free_data_contents(ctx, &sr->sam_enc_nonce_or_ts.ciphertext);
}
void KRB5_CALLCONV
krb5_free_sam_response_2_contents(krb5_context ctx, krb5_sam_response_2 *sr2)
{
if (!sr2)
- return;
+ return;
if (sr2->sam_track_id.data)
- krb5_free_data_contents(ctx, &sr2->sam_track_id);
+ krb5_free_data_contents(ctx, &sr2->sam_track_id);
if (sr2->sam_enc_nonce_or_sad.ciphertext.data)
- krb5_free_data_contents(ctx, &sr2->sam_enc_nonce_or_sad.ciphertext);
+ krb5_free_data_contents(ctx, &sr2->sam_enc_nonce_or_sad.ciphertext);
}
void KRB5_CALLCONV
krb5_free_predicted_sam_response(krb5_context ctx,
- krb5_predicted_sam_response *psr)
+ krb5_predicted_sam_response *psr)
{
if (!psr)
- return;
+ return;
krb5_free_predicted_sam_response_contents(ctx, psr);
free(psr);
}
void KRB5_CALLCONV
krb5_free_predicted_sam_response_contents(krb5_context ctx,
- krb5_predicted_sam_response *psr)
+ krb5_predicted_sam_response *psr)
{
if (!psr)
- return;
+ return;
if (psr->sam_key.contents)
- krb5_free_keyblock_contents(ctx, &psr->sam_key);
+ krb5_free_keyblock_contents(ctx, &psr->sam_key);
krb5_free_principal(ctx, psr->client);
psr->client = 0;
if (psr->msd.data)
- krb5_free_data_contents(ctx, &psr->msd);
+ krb5_free_data_contents(ctx, &psr->msd);
}
void KRB5_CALLCONV
krb5_free_enc_sam_response_enc(krb5_context ctx,
- krb5_enc_sam_response_enc *esre)
+ krb5_enc_sam_response_enc *esre)
{
if (!esre)
- return;
+ return;
krb5_free_enc_sam_response_enc_contents(ctx, esre);
free(esre);
}
-void KRB5_CALLCONV
+void KRB5_CALLCONV
krb5_free_enc_sam_response_enc_2(krb5_context ctx,
- krb5_enc_sam_response_enc_2 *esre2)
+ krb5_enc_sam_response_enc_2 *esre2)
{
if (!esre2)
- return;
+ return;
krb5_free_enc_sam_response_enc_2_contents(ctx, esre2);
free(esre2);
}
void KRB5_CALLCONV
krb5_free_enc_sam_response_enc_contents(krb5_context ctx,
- krb5_enc_sam_response_enc *esre)
+ krb5_enc_sam_response_enc *esre)
{
if (!esre)
- return;
+ return;
if (esre->sam_sad.data)
- krb5_free_data_contents(ctx, &esre->sam_sad);
+ krb5_free_data_contents(ctx, &esre->sam_sad);
}
void KRB5_CALLCONV
krb5_free_enc_sam_response_enc_2_contents(krb5_context ctx,
- krb5_enc_sam_response_enc_2 *esre2)
+ krb5_enc_sam_response_enc_2 *esre2)
{
if (!esre2)
- return;
+ return;
if (esre2->sam_sad.data)
- krb5_free_data_contents(ctx, &esre2->sam_sad);
+ krb5_free_data_contents(ctx, &esre2->sam_sad);
}
void KRB5_CALLCONV
krb5_free_pa_enc_ts(krb5_context ctx, krb5_pa_enc_ts *pa_enc_ts)
{
if (!pa_enc_ts)
- return;
+ return;
free(pa_enc_ts);
}
@@ -746,7 +747,7 @@ void KRB5_CALLCONV
krb5_free_pa_for_user(krb5_context context, krb5_pa_for_user *req)
{
if (req == NULL)
- return;
+ return;
krb5_free_principal(context, req->user);
req->user = NULL;
krb5_free_checksum_contents(context, &req->cksum);
@@ -758,7 +759,7 @@ void KRB5_CALLCONV
krb5_free_s4u_userid_contents(krb5_context context, krb5_s4u_userid *user_id)
{
if (user_id == NULL)
- return;
+ return;
user_id->nonce = 0;
krb5_free_principal(context, user_id->user);
user_id->user = NULL;
@@ -772,7 +773,7 @@ void KRB5_CALLCONV
krb5_free_pa_s4u_x509_user(krb5_context context, krb5_pa_s4u_x509_user *req)
{
if (req == NULL)
- return;
+ return;
krb5_free_s4u_userid_contents(context, &req->user_id);
krb5_free_checksum_contents(context, &req->cksum);
free(req);
@@ -780,26 +781,26 @@ krb5_free_pa_s4u_x509_user(krb5_context context, krb5_pa_s4u_x509_user *req)
void KRB5_CALLCONV
krb5_free_pa_server_referral_data(krb5_context context,
- krb5_pa_server_referral_data *ref)
+ krb5_pa_server_referral_data *ref)
{
if (ref == NULL)
- return;
+ return;
krb5_free_data(context, ref->referred_realm);
ref->referred_realm = NULL;
krb5_free_principal(context, ref->true_principal_name);
ref->true_principal_name = NULL;
krb5_free_principal(context, ref->requested_principal_name);
ref->requested_principal_name = NULL;
- krb5_free_checksum_contents(context, &ref->rep_cksum);
+ krb5_free_checksum_contents(context, &ref->rep_cksum);
free(ref);
}
void KRB5_CALLCONV
krb5_free_pa_svr_referral_data(krb5_context context,
- krb5_pa_svr_referral_data *ref)
+ krb5_pa_svr_referral_data *ref)
{
if (ref == NULL)
- return;
+ return;
krb5_free_principal(context, ref->principal);
ref->principal = NULL;
free(ref);
@@ -807,79 +808,79 @@ krb5_free_pa_svr_referral_data(krb5_context context,
void KRB5_CALLCONV
krb5_free_pa_pac_req(krb5_context context,
- krb5_pa_pac_req *req)
+ krb5_pa_pac_req *req)
{
free(req);
}
void KRB5_CALLCONV
krb5_free_etype_list(krb5_context context,
- krb5_etype_list *etypes)
+ krb5_etype_list *etypes)
{
if (etypes != NULL) {
- free(etypes->etypes);
- free(etypes);
+ free(etypes->etypes);
+ free(etypes);
}
}
void krb5_free_fast_req(krb5_context context, krb5_fast_req *val)
{
- if (val == NULL)
- return;
- krb5_free_kdc_req(context, val->req_body);
- free(val);
+ if (val == NULL)
+ return;
+ krb5_free_kdc_req(context, val->req_body);
+ free(val);
}
void krb5_free_fast_armor(krb5_context context, krb5_fast_armor *val)
{
- if (val == NULL)
- return;
- krb5_free_data_contents(context, &val->armor_value);
- free(val);
+ if (val == NULL)
+ return;
+ krb5_free_data_contents(context, &val->armor_value);
+ free(val);
}
void krb5_free_fast_response(krb5_context context, krb5_fast_response *val)
{
- if (!val)
- return;
- krb5_free_pa_data(context, val->padata);
- krb5_free_fast_finished(context, val->finished);
- krb5_free_keyblock(context, val->strengthen_key);
- free(val);
+ if (!val)
+ return;
+ krb5_free_pa_data(context, val->padata);
+ krb5_free_fast_finished(context, val->finished);
+ krb5_free_keyblock(context, val->strengthen_key);
+ free(val);
}
void krb5_free_fast_finished
(krb5_context context, krb5_fast_finished *val)
{
- if (!val)
- return;
- krb5_free_principal(context, val->client);
- krb5_free_checksum_contents(context, &val->ticket_checksum);
- free(val);
+ if (!val)
+ return;
+ krb5_free_principal(context, val->client);
+ krb5_free_checksum_contents(context, &val->ticket_checksum);
+ free(val);
}
void krb5_free_typed_data(krb5_context context, krb5_typed_data **in)
{
- int i = 0;
- if (in == NULL) return;
- while (in[i] != NULL) {
- if (in[i]->data != NULL)
- free(in[i]->data);
- free(in[i]);
- i++;
- }
- free(in);
+ int i = 0;
+ if (in == NULL) return;
+ while (in[i] != NULL) {
+ if (in[i]->data != NULL)
+ free(in[i]->data);
+ free(in[i]);
+ i++;
+ }
+ free(in);
}
void krb5_free_fast_armored_req(krb5_context context,
- krb5_fast_armored_req *val)
+ krb5_fast_armored_req *val)
{
if (val == NULL)
- return;
+ return;
if (val->armor)
- krb5_free_fast_armor(context, val->armor);
+ krb5_free_fast_armor(context, val->armor);
krb5_free_data_contents(context, &val->enc_part.ciphertext);
if (val->req_checksum.contents)
- krb5_free_checksum_contents(context, &val->req_checksum);
+ krb5_free_checksum_contents(context, &val->req_checksum);
free(val);
}
@@ -908,4 +909,3 @@ krb5_free_ad_kdcissued(krb5_context context, krb5_ad_kdcissued *val)
krb5_free_authdata(context, val->elements);
free(val);
}
-
diff --git a/src/lib/krb5/krb/mk_cred.c b/src/lib/krb5/krb/mk_cred.c
index 6ce0e354e5..4c95accd03 100644
--- a/src/lib/krb5/krb/mk_cred.c
+++ b/src/lib/krb5/krb/mk_cred.c
@@ -1,7 +1,8 @@
-/*
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/*
* NAME
* cred.c
- *
+ *
* DESCRIPTION
* Provide an interface to assemble and disassemble krb5_cred
* structures.
@@ -20,41 +21,41 @@
/*
* encrypt the enc_part of krb5_cred
*/
-static krb5_error_code
+static krb5_error_code
encrypt_credencpart(krb5_context context, krb5_cred_enc_part *pcredpart,
- krb5_key pkey, krb5_enc_data *pencdata)
+ krb5_key pkey, krb5_enc_data *pencdata)
{
- krb5_error_code retval;
- krb5_data * scratch;
+ krb5_error_code retval;
+ krb5_data * scratch;
/* start by encoding to-be-encrypted part of the message */
if ((retval = encode_krb5_enc_cred_part(pcredpart, &scratch)))
- return retval;
+ return retval;
/*
* If the keyblock is NULL, just copy the data from the encoded
* data to the ciphertext area.
*/
if (pkey == NULL) {
- pencdata->ciphertext.data = scratch->data;
- pencdata->ciphertext.length = scratch->length;
- free(scratch);
- return 0;
+ pencdata->ciphertext.data = scratch->data;
+ pencdata->ciphertext.length = scratch->length;
+ free(scratch);
+ return 0;
}
/* call the encryption routine */
retval = krb5_encrypt_keyhelper(context, pkey,
- KRB5_KEYUSAGE_KRB_CRED_ENCPART,
- scratch, pencdata);
+ KRB5_KEYUSAGE_KRB_CRED_ENCPART,
+ scratch, pencdata);
if (retval) {
- memset(pencdata->ciphertext.data, 0, pencdata->ciphertext.length);
+ memset(pencdata->ciphertext.data, 0, pencdata->ciphertext.length);
free(pencdata->ciphertext.data);
pencdata->ciphertext.length = 0;
pencdata->ciphertext.data = 0;
}
- memset(scratch->data, 0, scratch->length);
+ memset(scratch->data, 0, scratch->length);
krb5_free_data(context, scratch);
return retval;
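Review bot: On the failure path of `krb5_encrypt_keyhelper`, `memset(pencdata->ciphertext.data, 0, pencdata->ciphertext.length)` and the following `free` run unconditionally. The helper's body is not visible here; if it can fail before allocating the output, `ciphertext.data` is NULL or whatever the caller left in it, and both calls then act on an invalid pointer. Guarding the block with `if (pencdata->ciphertext.data != NULL)` and documenting that callers must pass a zero-initialized `*pencdata` would close that gap. The later `memset(scratch->data, 0, scratch->length)` clears the encoded credentials just before `krb5_free_data` and may be dropped as a dead store; a non-elidable wipe is safer for key material. The function's closing brace lies outside this hunk.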
@@ -64,15 +65,15 @@ encrypt_credencpart(krb5_context context, krb5_cred_enc_part *pcredpart,
static krb5_error_code
krb5_mk_ncred_basic(krb5_context context,
- krb5_creds **ppcreds, krb5_int32 nppcreds,
- krb5_key key, krb5_replay_data *replaydata,
- krb5_address *local_addr, krb5_address *remote_addr,
- krb5_cred *pcred)
+ krb5_creds **ppcreds, krb5_int32 nppcreds,
+ krb5_key key, krb5_replay_data *replaydata,
+ krb5_address *local_addr, krb5_address *remote_addr,
+ krb5_cred *pcred)
{
- krb5_cred_enc_part credenc;
- krb5_error_code retval;
- size_t size;
- int i;
+ krb5_cred_enc_part credenc;
+ krb5_error_code retval;
+ size_t size;
+ int i;
credenc.magic = KV5M_CRED_ENC_PART;
@@ -89,42 +90,42 @@ krb5_mk_ncred_basic(krb5_context context,
size = sizeof(krb5_cred_info *) * (nppcreds + 1);
credenc.ticket_info = (krb5_cred_info **) calloc(1, size);
if (credenc.ticket_info == NULL)
- return ENOMEM;
+ return ENOMEM;
/*
* For each credential in the list, initialize a cred info
* structure and copy the ticket into the ticket list.
*/
for (i = 0; i < nppcreds; i++) {
- credenc.ticket_info[i] = malloc(sizeof(krb5_cred_info));
- if (credenc.ticket_info[i] == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
- credenc.ticket_info[i+1] = NULL;
-
+ credenc.ticket_info[i] = malloc(sizeof(krb5_cred_info));
+ if (credenc.ticket_info[i] == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+ credenc.ticket_info[i+1] = NULL;
+
credenc.ticket_info[i]->magic = KV5M_CRED_INFO;
credenc.ticket_info[i]->times = ppcreds[i]->times;
credenc.ticket_info[i]->flags = ppcreds[i]->ticket_flags;
- if ((retval = decode_krb5_ticket(&ppcreds[i]->ticket,
- &pcred->tickets[i])))
- goto cleanup;
+ if ((retval = decode_krb5_ticket(&ppcreds[i]->ticket,
+ &pcred->tickets[i])))
+ goto cleanup;
- if ((retval = krb5_copy_keyblock(context, &ppcreds[i]->keyblock,
- &credenc.ticket_info[i]->session)))
+ if ((retval = krb5_copy_keyblock(context, &ppcreds[i]->keyblock,
+ &credenc.ticket_info[i]->session)))
goto cleanup;
if ((retval = krb5_copy_principal(context, ppcreds[i]->client,
- &credenc.ticket_info[i]->client)))
+ &credenc.ticket_info[i]->client)))
goto cleanup;
- if ((retval = krb5_copy_principal(context, ppcreds[i]->server,
- &credenc.ticket_info[i]->server)))
+ if ((retval = krb5_copy_principal(context, ppcreds[i]->server,
+ &credenc.ticket_info[i]->server)))
goto cleanup;
- if ((retval = krb5_copy_addresses(context, ppcreds[i]->addresses,
- &credenc.ticket_info[i]->caddrs)))
+ if ((retval = krb5_copy_addresses(context, ppcreds[i]->addresses,
+ &credenc.ticket_info[i]->caddrs)))
goto cleanup;
}
@@ -149,18 +150,18 @@ cleanup:
*/
krb5_error_code KRB5_CALLCONV
krb5_mk_ncred(krb5_context context, krb5_auth_context auth_context,
- krb5_creds **ppcreds, krb5_data **ppdata,
- krb5_replay_data *outdata)
+ krb5_creds **ppcreds, krb5_data **ppdata,
+ krb5_replay_data *outdata)
{
krb5_address * premote_fulladdr = NULL;
krb5_address * plocal_fulladdr = NULL;
krb5_address remote_fulladdr;
krb5_address local_fulladdr;
- krb5_error_code retval;
- krb5_key key;
+ krb5_error_code retval;
+ krb5_key key;
krb5_replay_data replaydata;
- krb5_cred * pcred;
- krb5_int32 ncred;
+ krb5_cred * pcred;
+ krb5_int32 ncred;
krb5_boolean increased_sequence = FALSE;
local_fulladdr.contents = 0;
@@ -168,94 +169,94 @@ krb5_mk_ncred(krb5_context context, krb5_auth_context auth_context,
memset(&replaydata, 0, sizeof(krb5_replay_data));
if (ppcreds == NULL)
- return KRB5KRB_AP_ERR_BADADDR;
+ return KRB5KRB_AP_ERR_BADADDR;
/*
* Allocate memory for a NULL terminated list of tickets.
*/
for (ncred = 0; ppcreds[ncred]; ncred++)
- ;
+ ;
- if ((pcred = (krb5_cred *)calloc(1, sizeof(krb5_cred))) == NULL)
+ if ((pcred = (krb5_cred *)calloc(1, sizeof(krb5_cred))) == NULL)
return ENOMEM;
- if ((pcred->tickets
- = (krb5_ticket **)calloc((size_t)ncred+1,
- sizeof(krb5_ticket *))) == NULL) {
- retval = ENOMEM;
- goto error;
+ if ((pcred->tickets
+ = (krb5_ticket **)calloc((size_t)ncred+1,
+ sizeof(krb5_ticket *))) == NULL) {
+ retval = ENOMEM;
+ goto error;
}
/* Get keyblock */
if ((key = auth_context->send_subkey) == NULL)
- key = auth_context->key;
+ key = auth_context->key;
/* Get replay info */
if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) &&
- (auth_context->rcache == NULL)) {
- retval = KRB5_RC_REQUIRED;
- goto error;
+ (auth_context->rcache == NULL)) {
+ retval = KRB5_RC_REQUIRED;
+ goto error;
}
if (((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) ||
- (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE))
- && (outdata == NULL)) {
+ (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE))
+ && (outdata == NULL)) {
/* Need a better error */
- retval = KRB5_RC_REQUIRED;
- goto error;
+ retval = KRB5_RC_REQUIRED;
+ goto error;
}
if ((retval = krb5_us_timeofday(context, &replaydata.timestamp,
- &replaydata.usec)))
- goto error;
+ &replaydata.usec)))
+ goto error;
if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) {
- outdata->timestamp = replaydata.timestamp;
- outdata->usec = replaydata.usec;
+ outdata->timestamp = replaydata.timestamp;
+ outdata->usec = replaydata.usec;
}
if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) ||
(auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) {
replaydata.seq = auth_context->local_seq_number++;
- increased_sequence = TRUE;
+ increased_sequence = TRUE;
if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)
outdata->seq = replaydata.seq;
}
if (auth_context->local_addr) {
- if (auth_context->local_port) {
+ if (auth_context->local_port) {
if ((retval = krb5_make_fulladdr(context, auth_context->local_addr,
- auth_context->local_port,
- &local_fulladdr)))
- goto error;
- plocal_fulladdr = &local_fulladdr;
- } else {
+ auth_context->local_port,
+ &local_fulladdr)))
+ goto error;
+ plocal_fulladdr = &local_fulladdr;
+ } else {
plocal_fulladdr = auth_context->local_addr;
}
}
if (auth_context->remote_addr) {
- if (auth_context->remote_port) {
+ if (auth_context->remote_port) {
if ((retval = krb5_make_fulladdr(context,auth_context->remote_addr,
- auth_context->remote_port,
- &remote_fulladdr)))
- goto error;
- premote_fulladdr = &remote_fulladdr;
- } else {
+ auth_context->remote_port,
+ &remote_fulladdr)))
+ goto error;
+ premote_fulladdr = &remote_fulladdr;
+ } else {
premote_fulladdr = auth_context->remote_addr;
}
}
/* Setup creds structure */
if ((retval = krb5_mk_ncred_basic(context, ppcreds, ncred, key,
- &replaydata, plocal_fulladdr,
- premote_fulladdr, pcred))) {
- goto error;
+ &replaydata, plocal_fulladdr,
+ premote_fulladdr, pcred))) {
+ goto error;
}
if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) {
krb5_donot_replay replay;
if ((retval = krb5_gen_replay_name(context, auth_context->local_addr,
- "_forw", &replay.client)))
+ "_forw", &replay.client)))
goto error;
replay.server = ""; /* XXX */
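Review bot: `krb5_gen_replay_name(context, auth_context->local_addr, "_forw", &replay.client)` runs whenever KRB5_AUTH_CONTEXT_DO_TIME is set, yet earlier in this hunk local_addr is treated as optional (`if (auth_context->local_addr) {`), so a NULL address can reach it. krb5_mk_priv in this same diff rejects that case up front with KRB5_LOCAL_ADDR_REQUIRED. Unless krb5_gen_replay_name is known to accept NULL, add the matching guard before the replay block: `if (auth_context->local_addr == NULL) { retval = KRB5_LOCAL_ADDR_REQUIRED; goto error; }`. krb5_mk_ncred starts before this hunk and continues past it.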
@@ -279,7 +280,7 @@ error:
krb5_free_cred(context, pcred);
if (retval) {
- if (increased_sequence)
+ if (increased_sequence)
auth_context->local_seq_number--;
}
return retval;
@@ -292,23 +293,22 @@ error:
*/
krb5_error_code KRB5_CALLCONV
krb5_mk_1cred(krb5_context context, krb5_auth_context auth_context,
- krb5_creds *pcreds, krb5_data **ppdata,
- krb5_replay_data *outdata)
+ krb5_creds *pcreds, krb5_data **ppdata,
+ krb5_replay_data *outdata)
{
krb5_error_code retval;
krb5_creds **ppcreds;
if ((ppcreds = (krb5_creds **)malloc(sizeof(*ppcreds) * 2)) == NULL) {
- return ENOMEM;
+ return ENOMEM;
}
ppcreds[0] = pcreds;
ppcreds[1] = NULL;
retval = krb5_mk_ncred(context, auth_context, ppcreds,
- ppdata, outdata);
-
+ ppdata, outdata);
+
free(ppcreds);
return retval;
}
-
diff --git a/src/lib/krb5/krb/mk_error.c b/src/lib/krb5/krb/mk_error.c
index 75cdc9b5be..44fd3b4c2b 100644
--- a/src/lib/krb5/krb/mk_error.c
+++ b/src/lib/krb5/krb/mk_error.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/mk_error.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_mk_error() routine.
*/
@@ -30,22 +31,22 @@
#include "k5-int.h"
/*
- formats the error structure *dec_err into an error buffer *enc_err.
+ formats the error structure *dec_err into an error buffer *enc_err.
- The error buffer storage is allocated, and should be freed by the
- caller when finished.
+ The error buffer storage is allocated, and should be freed by the
+ caller when finished.
- returns system errors
- */
+ returns system errors
+*/
krb5_error_code KRB5_CALLCONV
krb5_mk_error(krb5_context context, const krb5_error *dec_err,
- krb5_data *enc_err)
+ krb5_data *enc_err)
{
krb5_error_code retval;
krb5_data *new_enc_err;
if ((retval = encode_krb5_error(dec_err, &new_enc_err)))
- return(retval);
+ return(retval);
*enc_err = *new_enc_err;
free(new_enc_err);
return 0;
diff --git a/src/lib/krb5/krb/mk_priv.c b/src/lib/krb5/krb/mk_priv.c
index 824bfd507c..b3cb297225 100644
--- a/src/lib/krb5/krb/mk_priv.c
+++ b/src/lib/krb5/krb/mk_priv.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/mk_priv.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_mk_priv()
*/
@@ -33,18 +34,18 @@
static krb5_error_code
krb5_mk_priv_basic(krb5_context context, const krb5_data *userdata,
- krb5_key key, krb5_replay_data *replaydata,
- krb5_address *local_addr, krb5_address *remote_addr,
- krb5_pointer i_vector, krb5_data *outbuf)
+ krb5_key key, krb5_replay_data *replaydata,
+ krb5_address *local_addr, krb5_address *remote_addr,
+ krb5_pointer i_vector, krb5_data *outbuf)
{
- krb5_enctype enctype = krb5_k_key_enctype(context, key);
- krb5_error_code retval;
- krb5_priv privmsg;
- krb5_priv_enc_part privmsg_enc_part;
- krb5_data *scratch1, *scratch2, ivdata;
- size_t blocksize, enclen;
-
- privmsg.enc_part.kvno = 0; /* XXX allow user-set? */
+ krb5_enctype enctype = krb5_k_key_enctype(context, key);
+ krb5_error_code retval;
+ krb5_priv privmsg;
+ krb5_priv_enc_part privmsg_enc_part;
+ krb5_data *scratch1, *scratch2, ivdata;
+ size_t blocksize, enclen;
+
+ privmsg.enc_part.kvno = 0; /* XXX allow user-set? */
privmsg.enc_part.enctype = enctype;
privmsg_enc_part.user_data = *userdata;
@@ -53,39 +54,39 @@ krb5_mk_priv_basic(krb5_context context, const krb5_data *userdata,
/* We should check too make sure one exists. */
privmsg_enc_part.timestamp = replaydata->timestamp;
- privmsg_enc_part.usec = replaydata->usec;
+ privmsg_enc_part.usec = replaydata->usec;
privmsg_enc_part.seq_number = replaydata->seq;
/* start by encoding to-be-encrypted part of the message */
if ((retval = encode_krb5_enc_priv_part(&privmsg_enc_part, &scratch1)))
- return retval;
+ return retval;
/* put together an eblock for this encryption */
if ((retval = krb5_c_encrypt_length(context, enctype,
- scratch1->length, &enclen)))
- goto clean_scratch;
+ scratch1->length, &enclen)))
+ goto clean_scratch;
privmsg.enc_part.ciphertext.length = enclen;
if (!(privmsg.enc_part.ciphertext.data =
- malloc(privmsg.enc_part.ciphertext.length))) {
+ malloc(privmsg.enc_part.ciphertext.length))) {
retval = ENOMEM;
goto clean_scratch;
}
/* call the encryption routine */
if (i_vector) {
- if ((retval = krb5_c_block_size(context, enctype, &blocksize)))
- goto clean_encpart;
+ if ((retval = krb5_c_block_size(context, enctype, &blocksize)))
+ goto clean_encpart;
- ivdata.length = blocksize;
- ivdata.data = i_vector;
+ ivdata.length = blocksize;
+ ivdata.data = i_vector;
}
if ((retval = krb5_k_encrypt(context, key,
- KRB5_KEYUSAGE_KRB_PRIV_ENCPART,
- i_vector?&ivdata:0,
- scratch1, &privmsg.enc_part)))
- goto clean_encpart;
+ KRB5_KEYUSAGE_KRB_PRIV_ENCPART,
+ i_vector?&ivdata:0,
+ scratch1, &privmsg.enc_part)))
+ goto clean_encpart;
if ((retval = encode_krb5_priv(&privmsg, &scratch2)))
goto clean_encpart;
@@ -95,15 +96,15 @@ krb5_mk_priv_basic(krb5_context context, const krb5_data *userdata,
retval = 0;
clean_encpart:
- memset(privmsg.enc_part.ciphertext.data, 0,
- privmsg.enc_part.ciphertext.length);
- free(privmsg.enc_part.ciphertext.data);
+ memset(privmsg.enc_part.ciphertext.data, 0,
+ privmsg.enc_part.ciphertext.length);
+ free(privmsg.enc_part.ciphertext.data);
privmsg.enc_part.ciphertext.length = 0;
privmsg.enc_part.ciphertext.data = 0;
clean_scratch:
memset(scratch1->data, 0, scratch1->length);
- krb5_free_data(context, scratch1);
+ krb5_free_data(context, scratch1);
return retval;
}
@@ -111,10 +112,10 @@ clean_scratch:
krb5_error_code KRB5_CALLCONV
krb5_mk_priv(krb5_context context, krb5_auth_context auth_context,
- const krb5_data *userdata, krb5_data *outbuf,
- krb5_replay_data *outdata)
+ const krb5_data *userdata, krb5_data *outbuf,
+ krb5_replay_data *outdata)
{
- krb5_error_code retval;
+ krb5_error_code retval;
krb5_key key;
krb5_replay_data replaydata;
@@ -123,113 +124,112 @@ krb5_mk_priv(krb5_context context, krb5_auth_context auth_context,
/* Get keyblock */
if ((key = auth_context->send_subkey) == NULL)
- key = auth_context->key;
+ key = auth_context->key;
/* Get replay info */
if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) &&
- (auth_context->rcache == NULL))
- return KRB5_RC_REQUIRED;
+ (auth_context->rcache == NULL))
+ return KRB5_RC_REQUIRED;
if (((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) ||
- (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
- (outdata == NULL))
- /* Need a better error */
- return KRB5_RC_REQUIRED;
+ (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
+ (outdata == NULL))
+ /* Need a better error */
+ return KRB5_RC_REQUIRED;
if (!auth_context->local_addr)
- return KRB5_LOCAL_ADDR_REQUIRED;
+ return KRB5_LOCAL_ADDR_REQUIRED;
if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) ||
- (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME)) {
- if ((retval = krb5_us_timeofday(context, &replaydata.timestamp,
- &replaydata.usec)))
- return retval;
- if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) {
- outdata->timestamp = replaydata.timestamp;
- outdata->usec = replaydata.usec;
- }
+ (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME)) {
+ if ((retval = krb5_us_timeofday(context, &replaydata.timestamp,
+ &replaydata.usec)))
+ return retval;
+ if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) {
+ outdata->timestamp = replaydata.timestamp;
+ outdata->usec = replaydata.usec;
+ }
}
if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) ||
- (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) {
- replaydata.seq = auth_context->local_seq_number++;
- if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)
- outdata->seq = replaydata.seq;
- }
-
-{
- krb5_address * premote_fulladdr = NULL;
- krb5_address * plocal_fulladdr;
- krb5_address remote_fulladdr;
- krb5_address local_fulladdr;
- CLEANUP_INIT(2);
-
- if (auth_context->local_port) {
- if (!(retval = krb5_make_fulladdr(context, auth_context->local_addr,
- auth_context->local_port,
- &local_fulladdr))) {
- CLEANUP_PUSH(local_fulladdr.contents, free);
- plocal_fulladdr = &local_fulladdr;
- } else {
- goto error;
- }
- } else {
- plocal_fulladdr = auth_context->local_addr;
- }
-
- if (auth_context->remote_addr) {
- if (auth_context->remote_port) {
- if (!(retval = krb5_make_fulladdr(context,auth_context->remote_addr,
- auth_context->remote_port,
- &remote_fulladdr))){
- CLEANUP_PUSH(remote_fulladdr.contents, free);
- premote_fulladdr = &remote_fulladdr;
- } else {
- CLEANUP_DONE();
- goto error;
- }
- } else {
- premote_fulladdr = auth_context->remote_addr;
- }
+ (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) {
+ replaydata.seq = auth_context->local_seq_number++;
+ if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)
+ outdata->seq = replaydata.seq;
}
- if ((retval = krb5_mk_priv_basic(context, userdata, key, &replaydata,
- plocal_fulladdr, premote_fulladdr,
- auth_context->i_vector, outbuf))) {
- CLEANUP_DONE();
- goto error;
+ {
+ krb5_address * premote_fulladdr = NULL;
+ krb5_address * plocal_fulladdr;
+ krb5_address remote_fulladdr;
+ krb5_address local_fulladdr;
+ CLEANUP_INIT(2);
+
+ if (auth_context->local_port) {
+ if (!(retval = krb5_make_fulladdr(context, auth_context->local_addr,
+ auth_context->local_port,
+ &local_fulladdr))) {
+ CLEANUP_PUSH(local_fulladdr.contents, free);
+ plocal_fulladdr = &local_fulladdr;
+ } else {
+ goto error;
+ }
+ } else {
+ plocal_fulladdr = auth_context->local_addr;
+ }
+
+ if (auth_context->remote_addr) {
+ if (auth_context->remote_port) {
+ if (!(retval = krb5_make_fulladdr(context,auth_context->remote_addr,
+ auth_context->remote_port,
+ &remote_fulladdr))){
+ CLEANUP_PUSH(remote_fulladdr.contents, free);
+ premote_fulladdr = &remote_fulladdr;
+ } else {
+ CLEANUP_DONE();
+ goto error;
+ }
+ } else {
+ premote_fulladdr = auth_context->remote_addr;
+ }
+ }
+
+ if ((retval = krb5_mk_priv_basic(context, userdata, key, &replaydata,
+ plocal_fulladdr, premote_fulladdr,
+ auth_context->i_vector, outbuf))) {
+ CLEANUP_DONE();
+ goto error;
+ }
+
+ CLEANUP_DONE();
}
- CLEANUP_DONE();
-}
-
if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) {
- krb5_donot_replay replay;
-
- if ((retval = krb5_gen_replay_name(context, auth_context->local_addr,
- "_priv", &replay.client))) {
- free(outbuf);
- goto error;
- }
-
- replay.server = ""; /* XXX */
- replay.msghash = NULL;
- replay.cusec = replaydata.usec;
- replay.ctime = replaydata.timestamp;
- if ((retval = krb5_rc_store(context, auth_context->rcache, &replay))) {
- /* should we really error out here? XXX */
- free(replay.client);
- goto error;
- }
- free(replay.client);
+ krb5_donot_replay replay;
+
+ if ((retval = krb5_gen_replay_name(context, auth_context->local_addr,
+ "_priv", &replay.client))) {
+ free(outbuf);
+ goto error;
+ }
+
+ replay.server = ""; /* XXX */
+ replay.msghash = NULL;
+ replay.cusec = replaydata.usec;
+ replay.ctime = replaydata.timestamp;
+ if ((retval = krb5_rc_store(context, auth_context->rcache, &replay))) {
+ /* should we really error out here? XXX */
+ free(replay.client);
+ goto error;
+ }
+ free(replay.client);
}
return 0;
error:
if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) ||
- (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE))
- auth_context->local_seq_number--;
+ (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE))
+ auth_context->local_seq_number--;
return retval;
}
-
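Review bot: The `free(outbuf)` on the krb5_gen_replay_name failure path releases the caller-supplied `krb5_data *` itself, not the message buffer that krb5_mk_priv_basic produced. Since outbuf is a parameter (declared before this hunk), the caller may have passed a stack or embedded object, which makes this an invalid free. It presumably should be `free(outbuf->data); outbuf->data = NULL; outbuf->length = 0;`. The krb5_rc_store failure path just below needs the same release, because it jumps to `error` with the encoded message still allocated. The code that fills outbuf is outside the visible lines, so confirm ownership against krb5_mk_priv_basic before changing it.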
diff --git a/src/lib/krb5/krb/mk_rep.c b/src/lib/krb5/krb/mk_rep.c
index a4dbc467f4..b50c057654 100644
--- a/src/lib/krb5/krb/mk_rep.c
+++ b/src/lib/krb5/krb/mk_rep.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/mk_rep.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_mk_rep()
*/
@@ -58,81 +59,81 @@
#include "auth_con.h"
/*
- Formats a KRB_AP_REP message into outbuf.
+ Formats a KRB_AP_REP message into outbuf.
- The outbuf buffer storage is allocated, and should be freed by the
- caller when finished.
+ The outbuf buffer storage is allocated, and should be freed by the
+ caller when finished.
- returns system errors
+ returns system errors
*/
static krb5_error_code
k5_mk_rep(krb5_context context, krb5_auth_context auth_context,
- krb5_data *outbuf, int dce_style)
+ krb5_data *outbuf, int dce_style)
{
- krb5_error_code retval;
+ krb5_error_code retval;
krb5_ap_rep_enc_part repl;
- krb5_ap_rep reply;
- krb5_data * scratch;
- krb5_data * toutbuf;
+ krb5_ap_rep reply;
+ krb5_data * scratch;
+ krb5_data * toutbuf;
/* Make the reply */
if (((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) ||
- (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
- (auth_context->local_seq_number == 0)) {
- if ((retval = krb5_generate_seq_number(context,
- &auth_context->key->keyblock,
- &auth_context->local_seq_number)))
+ (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
+ (auth_context->local_seq_number == 0)) {
+ if ((retval = krb5_generate_seq_number(context,
+ &auth_context->key->keyblock,
+ &auth_context->local_seq_number)))
return(retval);
}
if (dce_style) {
- krb5_us_timeofday(context, &repl.ctime, &repl.cusec);
+ krb5_us_timeofday(context, &repl.ctime, &repl.cusec);
} else {
- repl.ctime = auth_context->authentp->ctime;
- repl.cusec = auth_context->authentp->cusec;
+ repl.ctime = auth_context->authentp->ctime;
+ repl.cusec = auth_context->authentp->cusec;
}
if (dce_style)
- repl.subkey = NULL;
+ repl.subkey = NULL;
else if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_USE_SUBKEY) {
- assert(auth_context->negotiated_etype != ENCTYPE_NULL);
-
- retval = krb5int_generate_and_save_subkey (context, auth_context,
- &auth_context->key->keyblock,
- auth_context->negotiated_etype);
- if (retval)
- return retval;
- repl.subkey = &auth_context->send_subkey->keyblock;
+ assert(auth_context->negotiated_etype != ENCTYPE_NULL);
+
+ retval = krb5int_generate_and_save_subkey (context, auth_context,
+ &auth_context->key->keyblock,
+ auth_context->negotiated_etype);
+ if (retval)
+ return retval;
+ repl.subkey = &auth_context->send_subkey->keyblock;
} else
- repl.subkey = auth_context->authentp->subkey;
+ repl.subkey = auth_context->authentp->subkey;
if (dce_style)
- repl.seq_number = auth_context->remote_seq_number;
+ repl.seq_number = auth_context->remote_seq_number;
else
- repl.seq_number = auth_context->local_seq_number;
+ repl.seq_number = auth_context->local_seq_number;
/* encode it before encrypting */
if ((retval = encode_krb5_ap_rep_enc_part(&repl, &scratch)))
- return retval;
+ return retval;
if ((retval = krb5_encrypt_keyhelper(context, auth_context->key,
- KRB5_KEYUSAGE_AP_REP_ENCPART,
- scratch, &reply.enc_part)))
- goto cleanup_scratch;
+ KRB5_KEYUSAGE_AP_REP_ENCPART,
+ scratch, &reply.enc_part)))
+ goto cleanup_scratch;
if (!(retval = encode_krb5_ap_rep(&reply, &toutbuf))) {
- *outbuf = *toutbuf;
- free(toutbuf);
+ *outbuf = *toutbuf;
+ free(toutbuf);
}
memset(reply.enc_part.ciphertext.data, 0, reply.enc_part.ciphertext.length);
- free(reply.enc_part.ciphertext.data);
- reply.enc_part.ciphertext.length = 0;
+ free(reply.enc_part.ciphertext.data);
+ reply.enc_part.ciphertext.length = 0;
reply.enc_part.ciphertext.data = 0;
cleanup_scratch:
- memset(scratch->data, 0, scratch->length);
+ memset(scratch->data, 0, scratch->length);
krb5_free_data(context, scratch);
return retval;
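Review bot: In the dce_style branch the result of `krb5_us_timeofday(context, &repl.ctime, &repl.cusec)` is discarded, so a failure may leave repl.ctime and repl.cusec as uninitialized stack values that are then encoded and encrypted into the AP-REP. Check it like the other calls in this function: `if ((retval = krb5_us_timeofday(context, &repl.ctime, &repl.cusec))) return retval;`. Separately, `assert(auth_context->negotiated_etype != ENCTYPE_NULL)` vanishes in NDEBUG builds, so an explicit error return would hold in release builds too. The end of k5_mk_rep is outside this hunk.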
diff --git a/src/lib/krb5/krb/mk_req.c b/src/lib/krb5/krb/mk_req.c
index 0fc1e7213e..ceb60cbf43 100644
--- a/src/lib/krb5/krb/mk_req.c
+++ b/src/lib/krb5/krb/mk_req.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/mk_req.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_mk_req() routine.
*/
@@ -31,53 +32,53 @@
#include "auth_con.h"
/*
- Formats a KRB_AP_REQ message into outbuf.
+ Formats a KRB_AP_REQ message into outbuf.
- server specifies the principal of the server to receive the message; if
- credentials are not present in the credentials cache for this server, the
- TGS request with default parameters is used in an attempt to obtain
- such credentials, and they are stored in ccache.
+ server specifies the principal of the server to receive the message; if
+ credentials are not present in the credentials cache for this server, the
+ TGS request with default parameters is used in an attempt to obtain
+ such credentials, and they are stored in ccache.
- kdc_options specifies the options requested for the
- ap_req_options specifies the KRB_AP_REQ options desired.
+ kdc_options specifies the options requested for the
+ ap_req_options specifies the KRB_AP_REQ options desired.
- checksum specifies the checksum to be used in the authenticator.
+ checksum specifies the checksum to be used in the authenticator.
- The outbuf buffer storage is allocated, and should be freed by the
- caller when finished.
+ The outbuf buffer storage is allocated, and should be freed by the
+ caller when finished.
- returns system errors
+ returns system errors
*/
krb5_error_code KRB5_CALLCONV
krb5_mk_req(krb5_context context, krb5_auth_context *auth_context,
- krb5_flags ap_req_options, char *service, char *hostname,
- krb5_data *in_data, krb5_ccache ccache, krb5_data *outbuf)
+ krb5_flags ap_req_options, char *service, char *hostname,
+ krb5_data *in_data, krb5_ccache ccache, krb5_data *outbuf)
{
- krb5_error_code retval;
- krb5_principal server;
- krb5_creds * credsp;
- krb5_creds creds;
+ krb5_error_code retval;
+ krb5_principal server;
+ krb5_creds * credsp;
+ krb5_creds creds;
- retval = krb5_sname_to_principal(context, hostname, service,
- KRB5_NT_SRV_HST, &server);
+ retval = krb5_sname_to_principal(context, hostname, service,
+ KRB5_NT_SRV_HST, &server);
if (retval)
- return retval;
+ return retval;
/* obtain ticket & session key */
memset(&creds, 0, sizeof(creds));
if ((retval = krb5_copy_principal(context, server, &creds.server)))
- goto cleanup_princ;
+ goto cleanup_princ;
if ((retval = krb5_cc_get_principal(context, ccache, &creds.client)))
- goto cleanup_creds;
+ goto cleanup_creds;
if ((retval = krb5_get_credentials(context, 0,
- ccache, &creds, &credsp)))
- goto cleanup_creds;
+ ccache, &creds, &credsp)))
+ goto cleanup_creds;
- retval = krb5_mk_req_extended(context, auth_context, ap_req_options,
- in_data, credsp, outbuf);
+ retval = krb5_mk_req_extended(context, auth_context, ap_req_options,
+ in_data, credsp, outbuf);
krb5_free_creds(context, credsp);
diff --git a/src/lib/krb5/krb/mk_req_ext.c b/src/lib/krb5/krb/mk_req_ext.c
index 4277f1eec8..95f04e9a42 100644
--- a/src/lib/krb5/krb/mk_req_ext.c
+++ b/src/lib/krb5/krb/mk_req_ext.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/mk_req_ext.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_mk_req_extended()
*/
@@ -32,90 +33,90 @@
#include "auth_con.h"
/*
- Formats a KRB_AP_REQ message into outbuf, with more complete options than
- krb_mk_req.
+ Formats a KRB_AP_REQ message into outbuf, with more complete options than
+ krb_mk_req.
- outbuf, ap_req_options, checksum, and ccache are used in the
- same fashion as for krb5_mk_req.
+ outbuf, ap_req_options, checksum, and ccache are used in the
+ same fashion as for krb5_mk_req.
- creds is used to supply the credentials (ticket and session key) needed
- to form the request.
+ creds is used to supply the credentials (ticket and session key) needed
+ to form the request.
- if creds->ticket has no data (length == 0), then a ticket is obtained
- from either the cache or the TGS, passing creds to krb5_get_credentials().
- kdc_options specifies the options requested for the ticket to be used.
- If a ticket with appropriate flags is not found in the cache, then these
- options are passed on in a request to an appropriate KDC.
+ if creds->ticket has no data (length == 0), then a ticket is obtained
+ from either the cache or the TGS, passing creds to krb5_get_credentials().
+ kdc_options specifies the options requested for the ticket to be used.
+ If a ticket with appropriate flags is not found in the cache, then these
+ options are passed on in a request to an appropriate KDC.
- ap_req_options specifies the KRB_AP_REQ options desired.
+ ap_req_options specifies the KRB_AP_REQ options desired.
- if ap_req_options specifies AP_OPTS_USE_SESSION_KEY, then creds->ticket
- must contain the appropriate ENC-TKT-IN-SKEY ticket.
+ if ap_req_options specifies AP_OPTS_USE_SESSION_KEY, then creds->ticket
+ must contain the appropriate ENC-TKT-IN-SKEY ticket.
- checksum specifies the checksum to be used in the authenticator.
+ checksum specifies the checksum to be used in the authenticator.
- The outbuf buffer storage is allocated, and should be freed by the
- caller when finished.
+ The outbuf buffer storage is allocated, and should be freed by the
+ caller when finished.
- On an error return, the credentials pointed to by creds might have been
- augmented with additional fields from the obtained credentials; the entire
- credentials should be released by calling krb5_free_creds().
+ On an error return, the credentials pointed to by creds might have been
+ augmented with additional fields from the obtained credentials; the entire
+ credentials should be released by calling krb5_free_creds().
- returns system errors
+ returns system errors
*/
static krb5_error_code
make_etype_list(krb5_context context,
- krb5_enctype *desired_etypes,
- krb5_enctype tkt_enctype,
- krb5_authdata ***authdata);
+ krb5_enctype *desired_etypes,
+ krb5_enctype tkt_enctype,
+ krb5_authdata ***authdata);
-static krb5_error_code
+static krb5_error_code
krb5_generate_authenticator (krb5_context,
- krb5_authenticator *, krb5_principal,
- krb5_checksum *, krb5_key,
- krb5_ui_4, krb5_authdata **,
- krb5_authdata_context ad_context,
- krb5_enctype *desired_etypes,
- krb5_enctype tkt_enctype);
+ krb5_authenticator *, krb5_principal,
+ krb5_checksum *, krb5_key,
+ krb5_ui_4, krb5_authdata **,
+ krb5_authdata_context ad_context,
+ krb5_enctype *desired_etypes,
+ krb5_enctype tkt_enctype);
krb5_error_code
krb5int_generate_and_save_subkey (krb5_context context,
- krb5_auth_context auth_context,
- krb5_keyblock *keyblock,
- krb5_enctype enctype)
+ krb5_auth_context auth_context,
+ krb5_keyblock *keyblock,
+ krb5_enctype enctype)
{
/* Provide some more fodder for random number code.
This isn't strong cryptographically; the point here is not
to guarantee randomness, but to make it less likely that multiple
sessions could pick the same subkey. */
struct {
- krb5_int32 sec, usec;
+ krb5_int32 sec, usec;
} rnd_data;
krb5_data d;
krb5_error_code retval;
krb5_keyblock *kb = NULL;
if (krb5_crypto_us_timeofday(&rnd_data.sec, &rnd_data.usec) == 0) {
- d.length = sizeof(rnd_data);
- d.data = (char *) &rnd_data;
- krb5_c_random_add_entropy(context, KRB5_C_RANDSOURCE_TIMING, &d);
+ d.length = sizeof(rnd_data);
+ d.data = (char *) &rnd_data;
+ krb5_c_random_add_entropy(context, KRB5_C_RANDSOURCE_TIMING, &d);
}
retval = krb5_generate_subkey_extended(context, keyblock, enctype, &kb);
if (retval)
- return retval;
+ return retval;
retval = krb5_auth_con_setsendsubkey(context, auth_context, kb);
if (retval)
- goto cleanup;
+ goto cleanup;
retval = krb5_auth_con_setrecvsubkey(context, auth_context, kb);
if (retval)
- goto cleanup;
+ goto cleanup;
cleanup:
if (retval) {
- (void) krb5_auth_con_setsendsubkey(context, auth_context, NULL);
- (void) krb5_auth_con_setrecvsubkey(context, auth_context, NULL);
+ (void) krb5_auth_con_setsendsubkey(context, auth_context, NULL);
+ (void) krb5_auth_con_setrecvsubkey(context, auth_context, NULL);
}
krb5_free_keyblock(context, kb);
return retval;
@@ -123,14 +124,14 @@ cleanup:
krb5_error_code KRB5_CALLCONV
krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context,
- krb5_flags ap_req_options, krb5_data *in_data,
- krb5_creds *in_creds, krb5_data *outbuf)
+ krb5_flags ap_req_options, krb5_data *in_data,
+ krb5_creds *in_creds, krb5_data *outbuf)
{
- krb5_error_code retval;
- krb5_checksum checksum;
- krb5_checksum *checksump = 0;
- krb5_auth_context new_auth_context;
- krb5_enctype *desired_etypes = NULL;
+ krb5_error_code retval;
+ krb5_checksum checksum;
+ krb5_checksum *checksump = 0;
+ krb5_auth_context new_auth_context;
+ krb5_enctype *desired_etypes = NULL;
krb5_ap_req request;
krb5_data *scratch = 0;
@@ -139,134 +140,134 @@ krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context,
request.ap_options = ap_req_options & AP_OPTS_WIRE_MASK;
request.authenticator.ciphertext.data = NULL;
request.ticket = 0;
-
- if (!in_creds->ticket.length)
- return(KRB5_NO_TKT_SUPPLIED);
+
+ if (!in_creds->ticket.length)
+ return(KRB5_NO_TKT_SUPPLIED);
if ((ap_req_options & AP_OPTS_ETYPE_NEGOTIATION) &&
- !(ap_req_options & AP_OPTS_MUTUAL_REQUIRED))
- return(EINVAL);
+ !(ap_req_options & AP_OPTS_MUTUAL_REQUIRED))
+ return(EINVAL);
/* we need a native ticket */
if ((retval = decode_krb5_ticket(&(in_creds)->ticket, &request.ticket)))
- return(retval);
-
+ return(retval);
+
/* verify that the ticket is not expired */
if ((retval = krb5_validate_times(context, &in_creds->times)) != 0)
- goto cleanup;
+ goto cleanup;
/* generate auth_context if needed */
if (*auth_context == NULL) {
- if ((retval = krb5_auth_con_init(context, &new_auth_context)))
- goto cleanup;
- *auth_context = new_auth_context;
+ if ((retval = krb5_auth_con_init(context, &new_auth_context)))
+ goto cleanup;
+ *auth_context = new_auth_context;
}
if ((*auth_context)->key != NULL) {
- krb5_k_free_key(context, (*auth_context)->key);
- (*auth_context)->key = NULL;
+ krb5_k_free_key(context, (*auth_context)->key);
+ (*auth_context)->key = NULL;
}
/* set auth context keyblock */
if ((retval = krb5_k_create_key(context, &in_creds->keyblock,
- &((*auth_context)->key))))
- goto cleanup;
+ &((*auth_context)->key))))
+ goto cleanup;
/* generate seq number if needed */
if ((((*auth_context)->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE)
- || ((*auth_context)->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE))
- && ((*auth_context)->local_seq_number == 0))
- if ((retval = krb5_generate_seq_number(context, &in_creds->keyblock,
- &(*auth_context)->local_seq_number)))
- goto cleanup;
-
+ || ((*auth_context)->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE))
+ && ((*auth_context)->local_seq_number == 0))
+ if ((retval = krb5_generate_seq_number(context, &in_creds->keyblock,
+ &(*auth_context)->local_seq_number)))
+ goto cleanup;
+
/* generate subkey if needed */
if (!in_data &&(*auth_context)->checksum_func) {
- retval = (*auth_context)->checksum_func( context,
- *auth_context,
- (*auth_context)->checksum_func_data,
- &in_data);
- if (retval)
- goto cleanup;
+ retval = (*auth_context)->checksum_func( context,
+ *auth_context,
+ (*auth_context)->checksum_func_data,
+ &in_data);
+ if (retval)
+ goto cleanup;
}
if ((ap_req_options & AP_OPTS_USE_SUBKEY)&&(!(*auth_context)->send_subkey)) {
- retval = krb5int_generate_and_save_subkey (context, *auth_context,
- &in_creds->keyblock,
- in_creds->keyblock.enctype);
- if (retval)
- goto cleanup;
+ retval = krb5int_generate_and_save_subkey (context, *auth_context,
+ &in_creds->keyblock,
+ in_creds->keyblock.enctype);
+ if (retval)
+ goto cleanup;
}
if (in_data) {
- if ((*auth_context)->req_cksumtype == 0x8003) {
- /* XXX Special hack for GSSAPI */
- checksum.checksum_type = 0x8003;
- checksum.length = in_data->length;
- checksum.contents = (krb5_octet *) in_data->data;
- } else {
- krb5_enctype enctype = krb5_k_key_enctype(context,
- (*auth_context)->key);
- krb5_cksumtype cksumtype;
- retval = krb5int_c_mandatory_cksumtype(context, enctype,
- &cksumtype);
- if (retval)
- goto cleanup_cksum;
- if ((*auth_context)->req_cksumtype)
- cksumtype = (*auth_context)->req_cksumtype;
- if ((retval = krb5_k_make_checksum(context,
- cksumtype,
- (*auth_context)->key,
- KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM,
- in_data, &checksum)))
- goto cleanup_cksum;
- }
- checksump = &checksum;
+ if ((*auth_context)->req_cksumtype == 0x8003) {
+ /* XXX Special hack for GSSAPI */
+ checksum.checksum_type = 0x8003;
+ checksum.length = in_data->length;
+ checksum.contents = (krb5_octet *) in_data->data;
+ } else {
+ krb5_enctype enctype = krb5_k_key_enctype(context,
+ (*auth_context)->key);
+ krb5_cksumtype cksumtype;
+ retval = krb5int_c_mandatory_cksumtype(context, enctype,
+ &cksumtype);
+ if (retval)
+ goto cleanup_cksum;
+ if ((*auth_context)->req_cksumtype)
+ cksumtype = (*auth_context)->req_cksumtype;
+ if ((retval = krb5_k_make_checksum(context,
+ cksumtype,
+ (*auth_context)->key,
+ KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM,
+ in_data, &checksum)))
+ goto cleanup_cksum;
+ }
+ checksump = &checksum;
}
/* Generate authenticator */
if (((*auth_context)->authentp = (krb5_authenticator *)malloc(sizeof(
- krb5_authenticator))) == NULL) {
- retval = ENOMEM;
- goto cleanup_cksum;
+ krb5_authenticator))) == NULL) {
+ retval = ENOMEM;
+ goto cleanup_cksum;
}
if (ap_req_options & AP_OPTS_ETYPE_NEGOTIATION) {
- if ((*auth_context)->permitted_etypes == NULL) {
- retval = krb5_get_tgs_ktypes(context, in_creds->server, &desired_etypes);
- if (retval)
- goto cleanup_cksum;
- } else
- desired_etypes = (*auth_context)->permitted_etypes;
+ if ((*auth_context)->permitted_etypes == NULL) {
+ retval = krb5_get_tgs_ktypes(context, in_creds->server, &desired_etypes);
+ if (retval)
+ goto cleanup_cksum;
+ } else
+ desired_etypes = (*auth_context)->permitted_etypes;
}
if ((retval = krb5_generate_authenticator(context,
- (*auth_context)->authentp,
- in_creds->client, checksump,
- (*auth_context)->send_subkey,
- (*auth_context)->local_seq_number,
- in_creds->authdata,
- (*auth_context)->ad_context,
- desired_etypes,
- in_creds->keyblock.enctype)))
- goto cleanup_cksum;
-
+ (*auth_context)->authentp,
+ in_creds->client, checksump,
+ (*auth_context)->send_subkey,
+ (*auth_context)->local_seq_number,
+ in_creds->authdata,
+ (*auth_context)->ad_context,
+ desired_etypes,
+ in_creds->keyblock.enctype)))
+ goto cleanup_cksum;
+
/* encode the authenticator */
if ((retval = encode_krb5_authenticator((*auth_context)->authentp,
- &scratch)))
- goto cleanup_cksum;
-
+ &scratch)))
+ goto cleanup_cksum;
+
/* call the encryption routine */
if ((retval = krb5_encrypt_helper(context, &in_creds->keyblock,
- KRB5_KEYUSAGE_AP_REQ_AUTH,
- scratch, &request.authenticator)))
- goto cleanup_cksum;
+ KRB5_KEYUSAGE_AP_REQ_AUTH,
+ scratch, &request.authenticator)))
+ goto cleanup_cksum;
if ((retval = encode_krb5_ap_req(&request, &toutbuf)))
- goto cleanup_cksum;
+ goto cleanup_cksum;
*outbuf = *toutbuf;
free(toutbuf);
@@ -276,39 +277,39 @@ cleanup_cksum:
* they were supplied by the caller
*/
if ((*auth_context)->authentp != NULL) {
- (*auth_context)->authentp->client = NULL;
- (*auth_context)->authentp->checksum = NULL;
+ (*auth_context)->authentp->client = NULL;
+ (*auth_context)->authentp->checksum = NULL;
}
if (checksump && checksump->checksum_type != 0x8003)
- free(checksump->contents);
+ free(checksump->contents);
cleanup:
if (desired_etypes &&
- desired_etypes != (*auth_context)->permitted_etypes)
- free(desired_etypes);
+ desired_etypes != (*auth_context)->permitted_etypes)
+ free(desired_etypes);
if (request.ticket)
- krb5_free_ticket(context, request.ticket);
+ krb5_free_ticket(context, request.ticket);
if (request.authenticator.ciphertext.data) {
- (void) memset(request.authenticator.ciphertext.data, 0,
- request.authenticator.ciphertext.length);
- free(request.authenticator.ciphertext.data);
+ (void) memset(request.authenticator.ciphertext.data, 0,
+ request.authenticator.ciphertext.length);
+ free(request.authenticator.ciphertext.data);
}
if (scratch) {
- memset(scratch->data, 0, scratch->length);
+ memset(scratch->data, 0, scratch->length);
free(scratch->data);
- free(scratch);
+ free(scratch);
}
return retval;
}
static krb5_error_code
krb5_generate_authenticator(krb5_context context, krb5_authenticator *authent,
- krb5_principal client, krb5_checksum *cksum,
- krb5_key key, krb5_ui_4 seq_number,
- krb5_authdata **authorization,
- krb5_authdata_context ad_context,
- krb5_enctype *desired_etypes,
- krb5_enctype tkt_enctype)
+ krb5_principal client, krb5_checksum *cksum,
+ krb5_key key, krb5_ui_4 seq_number,
+ krb5_authdata **authorization,
+ krb5_authdata_context ad_context,
+ krb5_enctype *desired_etypes,
+ krb5_enctype tkt_enctype)
{
krb5_error_code retval;
krb5_authdata **ext_authdata = NULL;
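Review bot: The two `memset` calls in the `cleanup:` path of krb5_mk_req_extended are each followed directly by `free()` of the same buffer, so an optimising compiler may treat them as dead stores and remove them. `scratch` holds the plaintext encoding of the authenticator, which carries the subkey when one is set, so that material could stay readable in freed heap memory. I would clear these buffers with a routine the compiler cannot elide, for example `explicit_bzero(scratch->data, scratch->length);` where the platform provides it, or a project wrapper that writes through a volatile pointer. The same clear-then-free pattern appears in krb5_pac_free in the pac.c part of this diff. The function body starts before this hunk, so the note covers only the visible cleanup code.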
@@ -316,41 +317,41 @@ krb5_generate_authenticator(krb5_context context, krb5_authenticator *authent,
authent->client = client;
authent->checksum = cksum;
if (key) {
- retval = krb5_k_key_keyblock(context, key, &authent->subkey);
- if (retval)
- return retval;
+ retval = krb5_k_key_keyblock(context, key, &authent->subkey);
+ if (retval)
+ return retval;
} else
- authent->subkey = 0;
+ authent->subkey = 0;
authent->seq_number = seq_number;
authent->authorization_data = NULL;
if (ad_context != NULL) {
- retval = krb5_authdata_export_authdata(context,
- ad_context,
- AD_USAGE_AP_REQ,
- &ext_authdata);
- if (retval)
- return retval;
+ retval = krb5_authdata_export_authdata(context,
+ ad_context,
+ AD_USAGE_AP_REQ,
+ &ext_authdata);
+ if (retval)
+ return retval;
}
if (authorization != NULL || ext_authdata != NULL) {
- retval = krb5_merge_authdata(context,
- authorization,
- ext_authdata,
- &authent->authorization_data);
- if (retval) {
- krb5_free_authdata(context, ext_authdata);
- return retval;
- }
- krb5_free_authdata(context, ext_authdata);
+ retval = krb5_merge_authdata(context,
+ authorization,
+ ext_authdata,
+ &authent->authorization_data);
+ if (retval) {
+ krb5_free_authdata(context, ext_authdata);
+ return retval;
+ }
+ krb5_free_authdata(context, ext_authdata);
}
- /* Only send EtypeList if we prefer another enctype to tkt_enctype */
+ /* Only send EtypeList if we prefer another enctype to tkt_enctype */
if (desired_etypes != NULL && desired_etypes[0] != tkt_enctype) {
- retval = make_etype_list(context, desired_etypes, tkt_enctype,
- &authent->authorization_data);
- if (retval)
- return retval;
+ retval = make_etype_list(context, desired_etypes, tkt_enctype,
+ &authent->authorization_data);
+ if (retval)
+ return retval;
}
return(krb5_us_timeofday(context, &authent->ctime, &authent->cusec));
@@ -359,9 +360,9 @@ krb5_generate_authenticator(krb5_context context, krb5_authenticator *authent,
/* RFC 4537 */
static krb5_error_code
make_etype_list(krb5_context context,
- krb5_enctype *desired_etypes,
- krb5_enctype tkt_enctype,
- krb5_authdata ***authdata)
+ krb5_enctype *desired_etypes,
+ krb5_enctype tkt_enctype,
+ krb5_authdata ***authdata)
{
krb5_error_code code;
krb5_etype_list etypes;
@@ -373,22 +374,22 @@ make_etype_list(krb5_context context,
etypes.etypes = desired_etypes;
for (etypes.length = 0;
- etypes.etypes[etypes.length] != ENCTYPE_NULL;
- etypes.length++)
+ etypes.etypes[etypes.length] != ENCTYPE_NULL;
+ etypes.length++)
{
- /*
- * RFC 4537:
- *
- * If the enctype of the ticket session key is included in the enctype
- * list sent by the client, it SHOULD be the last on the list;
- */
- if (etypes.length && etypes.etypes[etypes.length - 1] == tkt_enctype)
- break;
+ /*
+ * RFC 4537:
+ *
+ * If the enctype of the ticket session key is included in the enctype
+ * list sent by the client, it SHOULD be the last on the list;
+ */
+ if (etypes.length && etypes.etypes[etypes.length - 1] == tkt_enctype)
+ break;
}
code = encode_krb5_etype_list(&etypes, &enc_etype_list);
if (code) {
- return code;
+ return code;
}
etype_adatum.magic = KV5M_AUTHDATA;
@@ -402,33 +403,33 @@ make_etype_list(krb5_context context,
/* Wrap in AD-IF-RELEVANT container */
code = encode_krb5_authdata(etype_adata, &ad_if_relevant);
if (code) {
- krb5_free_data(context, enc_etype_list);
- return code;
+ krb5_free_data(context, enc_etype_list);
+ return code;
}
krb5_free_data(context, enc_etype_list);
adata = *authdata;
if (adata == NULL) {
- adata = (krb5_authdata **)calloc(2, sizeof(krb5_authdata *));
- i = 0;
+ adata = (krb5_authdata **)calloc(2, sizeof(krb5_authdata *));
+ i = 0;
} else {
- for (i = 0; adata[i] != NULL; i++)
- ;
+ for (i = 0; adata[i] != NULL; i++)
+ ;
- adata = (krb5_authdata **)realloc(*authdata,
- (i + 2) * sizeof(krb5_authdata *));
+ adata = (krb5_authdata **)realloc(*authdata,
+ (i + 2) * sizeof(krb5_authdata *));
}
if (adata == NULL) {
- krb5_free_data(context, ad_if_relevant);
- return ENOMEM;
+ krb5_free_data(context, ad_if_relevant);
+ return ENOMEM;
}
*authdata = adata;
adata[i] = (krb5_authdata *)malloc(sizeof(krb5_authdata));
if (adata[i] == NULL) {
- krb5_free_data(context, ad_if_relevant);
- return ENOMEM;
+ krb5_free_data(context, ad_if_relevant);
+ return ENOMEM;
}
adata[i]->magic = KV5M_AUTHDATA;
adata[i]->ad_type = KRB5_AUTHDATA_IF_RELEVANT;
@@ -440,4 +441,3 @@ make_etype_list(krb5_context context,
return 0;
}
-
diff --git a/src/lib/krb5/krb/mk_safe.c b/src/lib/krb5/krb/mk_safe.c
index f3bfde390e..eaa3add828 100644
--- a/src/lib/krb5/krb/mk_safe.c
+++ b/src/lib/krb5/krb/mk_safe.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/mk_safe.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_mk_safe()
*/
@@ -32,25 +33,25 @@
#include "auth_con.h"
/*
- Formats a KRB_SAFE message into outbuf.
+ Formats a KRB_SAFE message into outbuf.
- userdata is formatted as the user data in the message.
- sumtype specifies the encryption type; key specifies the key which
- might be used to seed the checksum; sender_addr and recv_addr specify
- the full addresses (host and port) of the sender and receiver.
- The host portion of sender_addr is used to form the addresses used in the
- KRB_SAFE message.
+ userdata is formatted as the user data in the message.
+ sumtype specifies the encryption type; key specifies the key which
+ might be used to seed the checksum; sender_addr and recv_addr specify
+ the full addresses (host and port) of the sender and receiver.
+ The host portion of sender_addr is used to form the addresses used in the
+ KRB_SAFE message.
- The outbuf buffer storage is allocated, and should be freed by the
- caller when finished.
+ The outbuf buffer storage is allocated, and should be freed by the
+ caller when finished.
- returns system errors
+ returns system errors
*/
static krb5_error_code
krb5_mk_safe_basic(krb5_context context, const krb5_data *userdata,
- krb5_key key, krb5_replay_data *replaydata,
- krb5_address *local_addr, krb5_address *remote_addr,
- krb5_cksumtype sumtype, krb5_data *outbuf)
+ krb5_key key, krb5_replay_data *replaydata,
+ krb5_address *local_addr, krb5_address *remote_addr,
+ krb5_cksumtype sumtype, krb5_data *outbuf)
{
krb5_error_code retval;
krb5_safe safemsg;
@@ -59,10 +60,10 @@ krb5_mk_safe_basic(krb5_context context, const krb5_data *userdata,
krb5_data *scratch1, *scratch2;
if (!krb5_c_valid_cksumtype(sumtype))
- return KRB5_PROG_SUMTYPE_NOSUPP;
+ return KRB5_PROG_SUMTYPE_NOSUPP;
if (!krb5_c_is_coll_proof_cksum(sumtype)
- || !krb5_c_is_keyed_cksum(sumtype))
- return KRB5KRB_AP_ERR_INAPP_CKSUM;
+ || !krb5_c_is_keyed_cksum(sumtype))
+ return KRB5KRB_AP_ERR_INAPP_CKSUM;
safemsg.user_data = *userdata;
safemsg.s_address = (krb5_address *) local_addr;
@@ -73,10 +74,10 @@ krb5_mk_safe_basic(krb5_context context, const krb5_data *userdata,
safemsg.usec = replaydata->usec;
safemsg.seq_number = replaydata->seq;
- /*
+ /*
* To do the checksum stuff, we need to encode the message with a
* zero-length zero-type checksum, then checksum the encoding, then
- * re-encode with the checksum.
+ * re-encode with the checksum.
*/
safe_checksum.length = 0;
@@ -86,16 +87,16 @@ krb5_mk_safe_basic(krb5_context context, const krb5_data *userdata,
safemsg.checksum = &safe_checksum;
if ((retval = encode_krb5_safe(&safemsg, &scratch1)))
- return retval;
+ return retval;
if ((retval = krb5_k_make_checksum(context, sumtype, key,
- KRB5_KEYUSAGE_KRB_SAFE_CKSUM,
- scratch1, &safe_checksum)))
- goto cleanup_checksum;
+ KRB5_KEYUSAGE_KRB_SAFE_CKSUM,
+ scratch1, &safe_checksum)))
+ goto cleanup_checksum;
safemsg.checksum = &safe_checksum;
if ((retval = encode_krb5_safe(&safemsg, &scratch2))) {
- goto cleanup_checksum;
+ goto cleanup_checksum;
}
*outbuf = *scratch2;
free(scratch2);
@@ -104,17 +105,17 @@ krb5_mk_safe_basic(krb5_context context, const krb5_data *userdata,
cleanup_checksum:
free(safe_checksum.contents);
- memset(scratch1->data, 0, scratch1->length);
+ memset(scratch1->data, 0, scratch1->length);
krb5_free_data(context, scratch1);
return retval;
}
krb5_error_code KRB5_CALLCONV
krb5_mk_safe(krb5_context context, krb5_auth_context auth_context,
- const krb5_data *userdata, krb5_data *outbuf,
- krb5_replay_data *outdata)
+ const krb5_data *userdata, krb5_data *outbuf,
+ krb5_replay_data *outdata)
{
- krb5_error_code retval;
+ krb5_error_code retval;
krb5_key key;
krb5_replay_data replaydata;
@@ -123,140 +124,139 @@ krb5_mk_safe(krb5_context context, krb5_auth_context auth_context,
/* Get key */
if ((key = auth_context->send_subkey) == NULL)
- key = auth_context->key;
+ key = auth_context->key;
/* Get replay info */
if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) &&
- (auth_context->rcache == NULL))
- return KRB5_RC_REQUIRED;
+ (auth_context->rcache == NULL))
+ return KRB5_RC_REQUIRED;
if (((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) ||
- (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
- (outdata == NULL))
- /* Need a better error */
- return KRB5_RC_REQUIRED;
+ (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
+ (outdata == NULL))
+ /* Need a better error */
+ return KRB5_RC_REQUIRED;
if (!auth_context->local_addr)
- return KRB5_LOCAL_ADDR_REQUIRED;
+ return KRB5_LOCAL_ADDR_REQUIRED;
if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) ||
- (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME)) {
- if ((retval = krb5_us_timeofday(context, &replaydata.timestamp,
- &replaydata.usec)))
- return retval;
- if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) {
- outdata->timestamp = replaydata.timestamp;
- outdata->usec = replaydata.usec;
- }
+ (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME)) {
+ if ((retval = krb5_us_timeofday(context, &replaydata.timestamp,
+ &replaydata.usec)))
+ return retval;
+ if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) {
+ outdata->timestamp = replaydata.timestamp;
+ outdata->usec = replaydata.usec;
+ }
}
if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) ||
- (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) {
- replaydata.seq = auth_context->local_seq_number++;
- if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)
- outdata->seq = replaydata.seq;
- }
-
-{
- krb5_address * premote_fulladdr = NULL;
- krb5_address * plocal_fulladdr;
- krb5_address remote_fulladdr;
- krb5_address local_fulladdr;
- krb5_cksumtype sumtype;
-
- CLEANUP_INIT(2);
-
- if (auth_context->local_port) {
- if (!(retval = krb5_make_fulladdr(context, auth_context->local_addr,
- auth_context->local_port,
- &local_fulladdr))){
- CLEANUP_PUSH(local_fulladdr.contents, free);
- plocal_fulladdr = &local_fulladdr;
- } else {
- goto error;
- }
- } else {
- plocal_fulladdr = auth_context->local_addr;
+ (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) {
+ replaydata.seq = auth_context->local_seq_number++;
+ if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)
+ outdata->seq = replaydata.seq;
}
- if (auth_context->remote_addr) {
- if (auth_context->remote_port) {
- if (!(retval = krb5_make_fulladdr(context,auth_context->remote_addr,
- auth_context->remote_port,
- &remote_fulladdr))){
- CLEANUP_PUSH(remote_fulladdr.contents, free);
- premote_fulladdr = &remote_fulladdr;
+ {
+ krb5_address * premote_fulladdr = NULL;
+ krb5_address * plocal_fulladdr;
+ krb5_address remote_fulladdr;
+ krb5_address local_fulladdr;
+ krb5_cksumtype sumtype;
+
+ CLEANUP_INIT(2);
+
+ if (auth_context->local_port) {
+ if (!(retval = krb5_make_fulladdr(context, auth_context->local_addr,
+ auth_context->local_port,
+ &local_fulladdr))){
+ CLEANUP_PUSH(local_fulladdr.contents, free);
+ plocal_fulladdr = &local_fulladdr;
} else {
- CLEANUP_DONE();
goto error;
}
- } else {
- premote_fulladdr = auth_context->remote_addr;
+ } else {
+ plocal_fulladdr = auth_context->local_addr;
}
- }
- {
- krb5_enctype enctype = krb5_k_key_enctype(context, key);
- unsigned int nsumtypes;
- unsigned int i;
- krb5_cksumtype *sumtypes;
- retval = krb5_c_keyed_checksum_types (context, enctype,
- &nsumtypes, &sumtypes);
- if (retval) {
- CLEANUP_DONE ();
- goto error;
- }
- if (nsumtypes == 0) {
- retval = KRB5_BAD_ENCTYPE;
- krb5_free_cksumtypes (context, sumtypes);
- CLEANUP_DONE ();
- goto error;
- }
- for (i = 0; i < nsumtypes; i++)
- if (auth_context->safe_cksumtype == sumtypes[i])
- break;
- if (i == nsumtypes)
- i = 0;
- sumtype = sumtypes[i];
- krb5_free_cksumtypes (context, sumtypes);
- }
- if ((retval = krb5_mk_safe_basic(context, userdata, key, &replaydata,
- plocal_fulladdr, premote_fulladdr,
- sumtype, outbuf))) {
- CLEANUP_DONE();
- goto error;
- }
+ if (auth_context->remote_addr) {
+ if (auth_context->remote_port) {
+ if (!(retval = krb5_make_fulladdr(context,auth_context->remote_addr,
+ auth_context->remote_port,
+ &remote_fulladdr))){
+ CLEANUP_PUSH(remote_fulladdr.contents, free);
+ premote_fulladdr = &remote_fulladdr;
+ } else {
+ CLEANUP_DONE();
+ goto error;
+ }
+ } else {
+ premote_fulladdr = auth_context->remote_addr;
+ }
+ }
- CLEANUP_DONE();
-}
+ {
+ krb5_enctype enctype = krb5_k_key_enctype(context, key);
+ unsigned int nsumtypes;
+ unsigned int i;
+ krb5_cksumtype *sumtypes;
+ retval = krb5_c_keyed_checksum_types (context, enctype,
+ &nsumtypes, &sumtypes);
+ if (retval) {
+ CLEANUP_DONE ();
+ goto error;
+ }
+ if (nsumtypes == 0) {
+ retval = KRB5_BAD_ENCTYPE;
+ krb5_free_cksumtypes (context, sumtypes);
+ CLEANUP_DONE ();
+ goto error;
+ }
+ for (i = 0; i < nsumtypes; i++)
+ if (auth_context->safe_cksumtype == sumtypes[i])
+ break;
+ if (i == nsumtypes)
+ i = 0;
+ sumtype = sumtypes[i];
+ krb5_free_cksumtypes (context, sumtypes);
+ }
+ if ((retval = krb5_mk_safe_basic(context, userdata, key, &replaydata,
+ plocal_fulladdr, premote_fulladdr,
+ sumtype, outbuf))) {
+ CLEANUP_DONE();
+ goto error;
+ }
+
+ CLEANUP_DONE();
+ }
if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) {
- krb5_donot_replay replay;
-
- if ((retval = krb5_gen_replay_name(context, auth_context->local_addr,
- "_safe", &replay.client))) {
- free(outbuf);
- goto error;
- }
-
- replay.server = ""; /* XXX */
- replay.msghash = NULL;
- replay.cusec = replaydata.usec;
- replay.ctime = replaydata.timestamp;
- if ((retval = krb5_rc_store(context, auth_context->rcache, &replay))) {
- /* should we really error out here? XXX */
- free(outbuf);
- goto error;
- }
- free(replay.client);
+ krb5_donot_replay replay;
+
+ if ((retval = krb5_gen_replay_name(context, auth_context->local_addr,
+ "_safe", &replay.client))) {
+ free(outbuf);
+ goto error;
+ }
+
+ replay.server = ""; /* XXX */
+ replay.msghash = NULL;
+ replay.cusec = replaydata.usec;
+ replay.ctime = replaydata.timestamp;
+ if ((retval = krb5_rc_store(context, auth_context->rcache, &replay))) {
+ /* should we really error out here? XXX */
+ free(outbuf);
+ goto error;
+ }
+ free(replay.client);
}
return 0;
error:
if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) ||
- (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE))
- auth_context->local_seq_number--;
+ (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE))
+ auth_context->local_seq_number--;
return retval;
}
-
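Review bot: Both error branches in the `KRB5_AUTH_CONTEXT_DO_TIME` block call `free(outbuf)`, but `outbuf` is the caller's `krb5_data *`, not memory this function allocated. krb5_mk_safe_basic only fills it in with `*outbuf = *scratch2`, so this call hands `free()` a pointer the caller owns (possibly not heap memory at all) and leaks the encoded message in `outbuf->data`. Releasing the contents instead, `free(outbuf->data); outbuf->data = NULL; outbuf->length = 0;`, keeps the caller's structure valid on failure. The `krb5_rc_store` failure branch also jumps to `error` without `free(replay.client);`, so the replay name from `krb5_gen_replay_name` is leaked there. The function signature and its local declarations are in the preceding hunk.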
diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
index 3fcdaea1cb..cda09b2555 100644
--- a/src/lib/krb5/krb/pac.c
+++ b/src/lib/krb5/krb/pac.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/pac.c
*
@@ -43,16 +44,16 @@ typedef struct _PAC_INFO_BUFFER {
krb5_ui_8 Offset;
} PAC_INFO_BUFFER;
-#define PAC_INFO_BUFFER_LENGTH 16
+#define PAC_INFO_BUFFER_LENGTH 16
/* ulType */
-#define PAC_LOGON_INFO 1
-#define PAC_CREDENTIALS_INFO 2
-#define PAC_SERVER_CHECKSUM 6
-#define PAC_PRIVSVR_CHECKSUM 7
-#define PAC_CLIENT_INFO 10
-#define PAC_DELEGATION_INFO 11
-#define PAC_UPN_DNS_INFO 12
+#define PAC_LOGON_INFO 1
+#define PAC_CREDENTIALS_INFO 2
+#define PAC_SERVER_CHECKSUM 6
+#define PAC_PRIVSVR_CHECKSUM 7
+#define PAC_CLIENT_INFO 10
+#define PAC_DELEGATION_INFO 11
+#define PAC_UPN_DNS_INFO 12
typedef struct _PACTYPE {
krb5_ui_4 cBuffers;
@@ -60,35 +61,35 @@ typedef struct _PACTYPE {
PAC_INFO_BUFFER Buffers[1];
} PACTYPE;
-#define PAC_ALIGNMENT 8
-#define PACTYPE_LENGTH 8U
+#define PAC_ALIGNMENT 8
+#define PACTYPE_LENGTH 8U
#define PAC_SIGNATURE_DATA_LENGTH 4U
-#define PAC_CLIENT_INFO_LENGTH 10U
+#define PAC_CLIENT_INFO_LENGTH 10U
-#define NT_TIME_EPOCH 11644473600LL
+#define NT_TIME_EPOCH 11644473600LL
struct krb5_pac_data {
- PACTYPE *pac; /* PAC header + info buffer array */
- krb5_data data; /* PAC data (including uninitialised header) */
+ PACTYPE *pac; /* PAC header + info buffer array */
+ krb5_data data; /* PAC data (including uninitialised header) */
krb5_boolean verified;
};
static krb5_error_code
k5_pac_locate_buffer(krb5_context context,
- const krb5_pac pac,
- krb5_ui_4 type,
- krb5_data *data);
+ const krb5_pac pac,
+ krb5_ui_4 type,
+ krb5_data *data);
/*
* Add a buffer to the provided PAC and update header.
*/
static krb5_error_code
k5_pac_add_buffer(krb5_context context,
- krb5_pac pac,
- krb5_ui_4 type,
- const krb5_data *data,
- krb5_boolean zerofill,
- krb5_data *out_data)
+ krb5_pac pac,
+ krb5_ui_4 type,
+ const krb5_data *data,
+ krb5_boolean zerofill,
+ krb5_data *out_data)
{
PACTYPE *header;
size_t header_len, i, pad = 0;
@@ -98,37 +99,37 @@ k5_pac_add_buffer(krb5_context context,
/* Check there isn't already a buffer of this type */
if (k5_pac_locate_buffer(context, pac, type, NULL) == 0) {
- return EEXIST;
+ return EEXIST;
}
header = (PACTYPE *)realloc(pac->pac,
- sizeof(PACTYPE) +
- (pac->pac->cBuffers * sizeof(PAC_INFO_BUFFER)));
+ sizeof(PACTYPE) +
+ (pac->pac->cBuffers * sizeof(PAC_INFO_BUFFER)));
if (header == NULL) {
- return ENOMEM;
+ return ENOMEM;
}
pac->pac = header;
header_len = PACTYPE_LENGTH + (pac->pac->cBuffers * PAC_INFO_BUFFER_LENGTH);
if (data->length % PAC_ALIGNMENT)
- pad = PAC_ALIGNMENT - (data->length % PAC_ALIGNMENT);
+ pad = PAC_ALIGNMENT - (data->length % PAC_ALIGNMENT);
pac_data = realloc(pac->data.data,
- pac->data.length + PAC_INFO_BUFFER_LENGTH + data->length + pad);
+ pac->data.length + PAC_INFO_BUFFER_LENGTH + data->length + pad);
if (pac_data == NULL) {
- return ENOMEM;
+ return ENOMEM;
}
pac->data.data = pac_data;
/* Update offsets of existing buffers */
for (i = 0; i < pac->pac->cBuffers; i++)
- pac->pac->Buffers[i].Offset += PAC_INFO_BUFFER_LENGTH;
+ pac->pac->Buffers[i].Offset += PAC_INFO_BUFFER_LENGTH;
/* Make room for new PAC_INFO_BUFFER */
memmove(pac->data.data + header_len + PAC_INFO_BUFFER_LENGTH,
- pac->data.data + header_len,
- pac->data.length - header_len);
+ pac->data.data + header_len,
+ pac->data.length - header_len);
memset(pac->data.data + header_len, 0, PAC_INFO_BUFFER_LENGTH);
/* Initialise new PAC_INFO_BUFFER */
@@ -139,9 +140,9 @@ k5_pac_add_buffer(krb5_context context,
/* Copy in new PAC data and zero padding bytes */
if (zerofill)
- memset(pac->data.data + pac->pac->Buffers[i].Offset, 0, data->length);
+ memset(pac->data.data + pac->pac->Buffers[i].Offset, 0, data->length);
else
- memcpy(pac->data.data + pac->pac->Buffers[i].Offset, data->data, data->length);
+ memcpy(pac->data.data + pac->pac->Buffers[i].Offset, data->data, data->length);
memset(pac->data.data + pac->pac->Buffers[i].Offset + data->length, 0, pad);
@@ -149,8 +150,8 @@ k5_pac_add_buffer(krb5_context context,
pac->data.length += PAC_INFO_BUFFER_LENGTH + data->length + pad;
if (out_data != NULL) {
- out_data->data = pac->data.data + pac->pac->Buffers[i].Offset;
- out_data->length = data->length;
+ out_data->data = pac->data.data + pac->pac->Buffers[i].Offset;
+ out_data->length = data->length;
}
pac->verified = FALSE;
@@ -160,9 +161,9 @@ k5_pac_add_buffer(krb5_context context,
krb5_error_code KRB5_CALLCONV
krb5_pac_add_buffer(krb5_context context,
- krb5_pac pac,
- krb5_ui_4 type,
- const krb5_data *data)
+ krb5_pac pac,
+ krb5_ui_4 type,
+ const krb5_data *data)
{
return k5_pac_add_buffer(context, pac, type, data, FALSE, NULL);
}
@@ -172,49 +173,49 @@ krb5_pac_add_buffer(krb5_context context,
*/
void KRB5_CALLCONV
krb5_pac_free(krb5_context context,
- krb5_pac pac)
+ krb5_pac pac)
{
if (pac != NULL) {
- if (pac->data.data != NULL) {
- memset(pac->data.data, 0, pac->data.length);
- free(pac->data.data);
- }
- if (pac->pac != NULL)
- free(pac->pac);
- memset(pac, 0, sizeof(*pac));
- free(pac);
+ if (pac->data.data != NULL) {
+ memset(pac->data.data, 0, pac->data.length);
+ free(pac->data.data);
+ }
+ if (pac->pac != NULL)
+ free(pac->pac);
+ memset(pac, 0, sizeof(*pac));
+ free(pac);
}
}
static krb5_error_code
k5_pac_locate_buffer(krb5_context context,
- const krb5_pac pac,
- krb5_ui_4 type,
- krb5_data *data)
+ const krb5_pac pac,
+ krb5_ui_4 type,
+ krb5_data *data)
{
PAC_INFO_BUFFER *buffer = NULL;
size_t i;
if (pac == NULL)
- return EINVAL;
+ return EINVAL;
for (i = 0; i < pac->pac->cBuffers; i++) {
- if (pac->pac->Buffers[i].ulType == type) {
- if (buffer == NULL)
- buffer = &pac->pac->Buffers[i];
- else
- return EINVAL;
- }
+ if (pac->pac->Buffers[i].ulType == type) {
+ if (buffer == NULL)
+ buffer = &pac->pac->Buffers[i];
+ else
+ return EINVAL;
+ }
}
if (buffer == NULL)
- return ENOENT;
+ return ENOENT;
assert(buffer->Offset + buffer->cbBufferSize <= pac->data.length);
if (data != NULL) {
- data->length = buffer->cbBufferSize;
- data->data = pac->data.data + buffer->Offset;
+ data->length = buffer->cbBufferSize;
+ data->data = pac->data.data + buffer->Offset;
}
return 0;
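Review bot: The only bounds check in k5_pac_locate_buffer before it hands out `pac->data.data + buffer->Offset` is `assert(buffer->Offset + buffer->cbBufferSize <= pac->data.length);`, which is compiled out when NDEBUG is defined and aborts the process otherwise. If these fields can come from a parsed PAC (the parser is not visible here, so this is an assumption), a release build would return a pointer and length outside the PAC data. I would make it a real error path that also cannot wrap: `if (buffer->Offset > pac->data.length || buffer->cbBufferSize > pac->data.length - buffer->Offset) return ERANGE;`. A short comment stating which code path is expected to have validated the offsets would help the next reader.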
@@ -225,20 +226,20 @@ k5_pac_locate_buffer(krb5_context context,
*/
krb5_error_code KRB5_CALLCONV
krb5_pac_get_buffer(krb5_context context,
- krb5_pac pac,
- krb5_ui_4 type,
- krb5_data *data)
+ krb5_pac pac,
+ krb5_ui_4 type,
+ krb5_data *data)
{
krb5_data d;
krb5_error_code ret;
ret = k5_pac_locate_buffer(context, pac, type, &d);
if (ret != 0)
- return ret;
+ return ret;
data->data = malloc(d.length);
if (data->data == NULL)
- return ENOMEM;
+ return ENOMEM;
data->length = d.length;
memcpy(data->data, d.data, d.length);
@@ -251,20 +252,20 @@ krb5_pac_get_buffer(krb5_context context,
*/
krb5_error_code KRB5_CALLCONV
krb5_pac_get_types(krb5_context context,
- krb5_pac pac,
- size_t *len,
- krb5_ui_4 **types)
+ krb5_pac pac,
+ size_t *len,
+ krb5_ui_4 **types)
{
size_t i;
*types = (krb5_ui_4 *)malloc(pac->pac->cBuffers * sizeof(krb5_ui_4));
if (*types == NULL)
- return ENOMEM;
+ return ENOMEM;
*len = pac->pac->cBuffers;
for (i = 0; i < pac->pac->cBuffers; i++)
- (*types)[i] = pac->pac->Buffers[i].ulType;
+ (*types)[i] = pac->pac->Buffers[i].ulType;
return 0;
}
@@ -274,18 +275,18 @@ krb5_pac_get_types(krb5_context context,
*/
krb5_error_code KRB5_CALLCONV
krb5_pac_init(krb5_context context,
- krb5_pac *ppac)
+ krb5_pac *ppac)
{
krb5_pac pac;
pac = (krb5_pac)malloc(sizeof(*pac));
if (pac == NULL)
- return ENOMEM;
+ return ENOMEM;
pac->pac = (PACTYPE *)malloc(sizeof(PACTYPE));
if (pac->pac == NULL) {
- free(pac);
- return ENOMEM;
+ free(pac);
+ return ENOMEM;
}
pac->pac->cBuffers = 0;
@@ -294,8 +295,8 @@ krb5_pac_init(krb5_context context,
pac->data.length = PACTYPE_LENGTH;
pac->data.data = calloc(1, pac->data.length);
if (pac->data.data == NULL) {
- krb5_pac_free(context, pac);
- return ENOMEM;
+ krb5_pac_free(context, pac);
+ return ENOMEM;
}
pac->verified = FALSE;
@@ -307,8 +308,8 @@ krb5_pac_init(krb5_context context,
static krb5_error_code
k5_pac_copy(krb5_context context,
- krb5_pac src,
- krb5_pac *dst)
+ krb5_pac src,
+ krb5_pac *dst)
{
size_t header_len;
krb5_ui_4 cbuffers;
@@ -317,27 +318,27 @@ k5_pac_copy(krb5_context context,
cbuffers = src->pac->cBuffers;
if (cbuffers != 0)
- cbuffers--;
+ cbuffers--;
header_len = sizeof(PACTYPE) + cbuffers * sizeof(PAC_INFO_BUFFER);
pac = (krb5_pac)malloc(sizeof(*pac));
if (pac == NULL)
- return ENOMEM;
+ return ENOMEM;
pac->pac = (PACTYPE *)malloc(header_len);
if (pac->pac == NULL) {
- free(pac);
- return ENOMEM;
+ free(pac);
+ return ENOMEM;
}
memcpy(pac->pac, src->pac, header_len);
code = krb5int_copy_data_contents(context, &src->data, &pac->data);
if (code != 0) {
- free(pac->pac);
- free(pac);
- return ENOMEM;
+ free(pac->pac);
+ free(pac);
+ return ENOMEM;
}
pac->verified = src->verified;
@@ -351,9 +352,9 @@ k5_pac_copy(krb5_context context,
*/
krb5_error_code KRB5_CALLCONV
krb5_pac_parse(krb5_context context,
- const void *ptr,
- size_t len,
- krb5_pac *ppac)
+ const void *ptr,
+ size_t len,
+ krb5_pac *ppac)
{
krb5_error_code ret;
size_t i;
@@ -365,7 +366,7 @@ krb5_pac_parse(krb5_context context,
*ppac = NULL;
if (len < PACTYPE_LENGTH)
- return ERANGE;
+ return ERANGE;
cbuffers = load_32_le(p);
p += 4;
@@ -373,51 +374,51 @@ krb5_pac_parse(krb5_context context,
p += 4;
if (version != 0)
- return EINVAL;
+ return EINVAL;
header_len = PACTYPE_LENGTH + (cbuffers * PAC_INFO_BUFFER_LENGTH);
if (len < header_len)
- return ERANGE;
+ return ERANGE;
ret = krb5_pac_init(context, &pac);
if (ret != 0)
- return ret;
+ return ret;
pac->pac = (PACTYPE *)realloc(pac->pac,
- sizeof(PACTYPE) + ((cbuffers - 1) * sizeof(PAC_INFO_BUFFER)));
+ sizeof(PACTYPE) + ((cbuffers - 1) * sizeof(PAC_INFO_BUFFER)));
if (pac->pac == NULL) {
- krb5_pac_free(context, pac);
- return ENOMEM;
+ krb5_pac_free(context, pac);
+ return ENOMEM;
}
pac->pac->cBuffers = cbuffers;
pac->pac->Version = version;
for (i = 0; i < pac->pac->cBuffers; i++) {
- PAC_INFO_BUFFER *buffer = &pac->pac->Buffers[i];
-
- buffer->ulType = load_32_le(p);
- p += 4;
- buffer->cbBufferSize = load_32_le(p);
- p += 4;
- buffer->Offset = load_64_le(p);
- p += 8;
-
- if (buffer->Offset % PAC_ALIGNMENT) {
- krb5_pac_free(context, pac);
- return EINVAL;
- }
- if (buffer->Offset < header_len ||
- buffer->Offset + buffer->cbBufferSize > len) {
- krb5_pac_free(context, pac);
- return ERANGE;
- }
+ PAC_INFO_BUFFER *buffer = &pac->pac->Buffers[i];
+
+ buffer->ulType = load_32_le(p);
+ p += 4;
+ buffer->cbBufferSize = load_32_le(p);
+ p += 4;
+ buffer->Offset = load_64_le(p);
+ p += 8;
+
+ if (buffer->Offset % PAC_ALIGNMENT) {
+ krb5_pac_free(context, pac);
+ return EINVAL;
+ }
+ if (buffer->Offset < header_len ||
+ buffer->Offset + buffer->cbBufferSize > len) {
+ krb5_pac_free(context, pac);
+ return ERANGE;
+ }
}
pac->data.data = realloc(pac->data.data, len);
if (pac->data.data == NULL) {
- krb5_pac_free(context, pac);
- return ENOMEM;
+ krb5_pac_free(context, pac);
+ return ENOMEM;
}
memcpy(pac->data.data, ptr, len);
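Review bot: The buffer count read from the input is used in size arithmetic before it is bounded. `header_len = PACTYPE_LENGTH + (cbuffers * PAC_INFO_BUFFER_LENGTH)` can wrap if the product is computed in 32 bits (the declaration of cbuffers is outside the hunk; k5_pac_copy declares its counterpart as krb5_ui_4), and `(cbuffers - 1)` in the realloc size wraps when cbuffers is 0. A guard placed before both, such as `if (cbuffers == 0 || cbuffers > (len - PACTYPE_LENGTH) / PAC_INFO_BUFFER_LENGTH) return ERANGE;`, ties the header length and the allocation to the input length, provided an empty PAC never needs to be parsed here. Both realloc results are also assigned straight back to `pac->pac` and `pac->data.data`, so on failure the original block is no longer reachable when krb5_pac_free runs; a temporary pointer avoids that leak. The function begins and ends outside this hunk.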
@@ -430,7 +431,7 @@ krb5_pac_parse(krb5_context context,
static krb5_error_code
k5_time_to_seconds_since_1970(krb5_int64 ntTime,
- krb5_timestamp *elapsedSeconds)
+ krb5_timestamp *elapsedSeconds)
{
krb5_ui_8 abstime;
@@ -439,7 +440,7 @@ k5_time_to_seconds_since_1970(krb5_int64 ntTime,
abstime = ntTime > 0 ? ntTime - NT_TIME_EPOCH : -ntTime;
if (abstime > KRB5_INT32_MAX)
- return ERANGE;
+ return ERANGE;
*elapsedSeconds = abstime;
@@ -448,12 +449,12 @@ k5_time_to_seconds_since_1970(krb5_int64 ntTime,
static krb5_error_code
k5_seconds_since_1970_to_time(krb5_timestamp elapsedSeconds,
- krb5_ui_8 *ntTime)
+ krb5_ui_8 *ntTime)
{
*ntTime = elapsedSeconds;
if (elapsedSeconds > 0)
- *ntTime += NT_TIME_EPOCH;
+ *ntTime += NT_TIME_EPOCH;
*ntTime *= 10000000;
@@ -462,9 +463,9 @@ k5_seconds_since_1970_to_time(krb5_timestamp elapsedSeconds,
static krb5_error_code
k5_pac_validate_client(krb5_context context,
- const krb5_pac pac,
- krb5_timestamp authtime,
- krb5_const_principal principal)
+ const krb5_pac pac,
+ krb5_timestamp authtime,
+ krb5_const_principal principal)
{
krb5_error_code ret;
krb5_data client_info;
@@ -477,10 +478,10 @@ k5_pac_validate_client(krb5_context context,
ret = k5_pac_locate_buffer(context, pac, PAC_CLIENT_INFO, &client_info);
if (ret != 0)
- return ret;
+ return ret;
if (client_info.length < PAC_CLIENT_INFO_LENGTH)
- return ERANGE;
+ return ERANGE;
p = (unsigned char *)client_info.data;
pac_nt_authtime = load_64_le(p);
@@ -490,31 +491,31 @@ k5_pac_validate_client(krb5_context context,
ret = k5_time_to_seconds_since_1970(pac_nt_authtime, &pac_authtime);
if (ret != 0)
- return ret;
+ return ret;
if (client_info.length < PAC_CLIENT_INFO_LENGTH + pac_princname_length ||
- pac_princname_length % 2)
- return ERANGE;
+ pac_princname_length % 2)
+ return ERANGE;
ret = krb5int_ucs2lecs_to_utf8s(p, (size_t)pac_princname_length / 2,
- &pac_princname, NULL);
+ &pac_princname, NULL);
if (ret != 0)
- return ret;
+ return ret;
ret = krb5_parse_name_flags(context, pac_princname, 0, &pac_principal);
if (ret != 0) {
- free(pac_princname);
- return ret;
+ free(pac_princname);
+ return ret;
}
free(pac_princname);
if (pac_authtime != authtime ||
- !krb5_principal_compare_flags(context,
- pac_principal,
- principal,
- KRB5_PRINCIPAL_COMPARE_IGNORE_REALM))
- ret = KRB5KRB_AP_WRONG_PRINC;
+ !krb5_principal_compare_flags(context,
+ pac_principal,
+ principal,
+ KRB5_PRINCIPAL_COMPARE_IGNORE_REALM))
+ ret = KRB5KRB_AP_WRONG_PRINC;
krb5_free_principal(context, pac_principal);
@@ -523,9 +524,9 @@ k5_pac_validate_client(krb5_context context,
static krb5_error_code
k5_pac_zero_signature(krb5_context context,
- const krb5_pac pac,
- krb5_ui_4 type,
- krb5_data *data)
+ const krb5_pac pac,
+ krb5_ui_4 type,
+ krb5_data *data)
{
PAC_INFO_BUFFER *buffer = NULL;
size_t i;
@@ -534,33 +535,33 @@ k5_pac_zero_signature(krb5_context context,
assert(data->length >= pac->data.length);
for (i = 0; i < pac->pac->cBuffers; i++) {
- if (pac->pac->Buffers[i].ulType == type) {
- buffer = &pac->pac->Buffers[i];
- break;
- }
+ if (pac->pac->Buffers[i].ulType == type) {
+ buffer = &pac->pac->Buffers[i];
+ break;
+ }
}
if (buffer == NULL)
- return ENOENT;
+ return ENOENT;
if (buffer->Offset + buffer->cbBufferSize > pac->data.length)
- return ERANGE;
+ return ERANGE;
if (buffer->cbBufferSize < PAC_SIGNATURE_DATA_LENGTH)
- return KRB5_BAD_MSIZE;
+ return KRB5_BAD_MSIZE;
/* Zero out the data portion of the checksum only */
memset(data->data + buffer->Offset + PAC_SIGNATURE_DATA_LENGTH,
- 0,
- buffer->cbBufferSize - PAC_SIGNATURE_DATA_LENGTH);
+ 0,
+ buffer->cbBufferSize - PAC_SIGNATURE_DATA_LENGTH);
return 0;
}
static krb5_error_code
k5_pac_verify_server_checksum(krb5_context context,
- const krb5_pac pac,
- const krb5_keyblock *server)
+ const krb5_pac pac,
+ const krb5_keyblock *server)
{
krb5_error_code ret;
krb5_data pac_data; /* PAC with zeroed checksums */
@@ -570,12 +571,12 @@ k5_pac_verify_server_checksum(krb5_context context,
krb5_octet *p;
ret = k5_pac_locate_buffer(context, pac,
- PAC_SERVER_CHECKSUM, &checksum_data);
+ PAC_SERVER_CHECKSUM, &checksum_data);
if (ret != 0)
- return ret;
+ return ret;
if (checksum_data.length < PAC_SIGNATURE_DATA_LENGTH)
- return KRB5_BAD_MSIZE;
+ return KRB5_BAD_MSIZE;
p = (krb5_octet *)checksum_data.data;
checksum.checksum_type = load_32_le(p);
@@ -585,45 +586,45 @@ k5_pac_verify_server_checksum(krb5_context context,
pac_data.length = pac->data.length;
pac_data.data = malloc(pac->data.length);
if (pac_data.data == NULL)
- return ENOMEM;
+ return ENOMEM;
memcpy(pac_data.data, pac->data.data, pac->data.length);
/* Zero out both checksum buffers */
ret = k5_pac_zero_signature(context, pac,
- PAC_SERVER_CHECKSUM, &pac_data);
+ PAC_SERVER_CHECKSUM, &pac_data);
if (ret != 0) {
- free(pac_data.data);
- return ret;
+ free(pac_data.data);
+ return ret;
}
ret = k5_pac_zero_signature(context, pac,
- PAC_PRIVSVR_CHECKSUM, &pac_data);
+ PAC_PRIVSVR_CHECKSUM, &pac_data);
if (ret != 0) {
- free(pac_data.data);
- return ret;
+ free(pac_data.data);
+ return ret;
}
ret = krb5_c_verify_checksum(context, server,
- KRB5_KEYUSAGE_APP_DATA_CKSUM,
- &pac_data, &checksum, &valid);
+ KRB5_KEYUSAGE_APP_DATA_CKSUM,
+ &pac_data, &checksum, &valid);
free(pac_data.data);
if (ret != 0) {
- return ret;
+ return ret;
}
if (valid == FALSE)
- ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+ ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
return ret;
}
static krb5_error_code
k5_pac_verify_kdc_checksum(krb5_context context,
- const krb5_pac pac,
- const krb5_keyblock *privsvr)
+ const krb5_pac pac,
+ const krb5_keyblock *privsvr)
{
krb5_error_code ret;
krb5_data server_checksum, privsvr_checksum;
@@ -632,20 +633,20 @@ k5_pac_verify_kdc_checksum(krb5_context context,
krb5_octet *p;
ret = k5_pac_locate_buffer(context, pac,
- PAC_PRIVSVR_CHECKSUM, &privsvr_checksum);
+ PAC_PRIVSVR_CHECKSUM, &privsvr_checksum);
if (ret != 0)
- return ret;
+ return ret;
if (privsvr_checksum.length < PAC_SIGNATURE_DATA_LENGTH)
- return KRB5_BAD_MSIZE;
+ return KRB5_BAD_MSIZE;
ret = k5_pac_locate_buffer(context, pac,
- PAC_SERVER_CHECKSUM, &server_checksum);
+ PAC_SERVER_CHECKSUM, &server_checksum);
if (ret != 0)
- return ret;
+ return ret;
if (server_checksum.length < PAC_SIGNATURE_DATA_LENGTH)
- return KRB5_BAD_MSIZE;
+ return KRB5_BAD_MSIZE;
p = (krb5_octet *)privsvr_checksum.data;
checksum.checksum_type = load_32_le(p);
@@ -656,44 +657,44 @@ k5_pac_verify_kdc_checksum(krb5_context context,
server_checksum.length -= PAC_SIGNATURE_DATA_LENGTH;
ret = krb5_c_verify_checksum(context, privsvr,
- KRB5_KEYUSAGE_APP_DATA_CKSUM,
- &server_checksum, &checksum, &valid);
+ KRB5_KEYUSAGE_APP_DATA_CKSUM,
+ &server_checksum, &checksum, &valid);
if (ret != 0)
- return ret;
+ return ret;
if (valid == FALSE)
- ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+ ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
return ret;
}
krb5_error_code KRB5_CALLCONV
krb5_pac_verify(krb5_context context,
- const krb5_pac pac,
- krb5_timestamp authtime,
- krb5_const_principal principal,
- const krb5_keyblock *server,
- const krb5_keyblock *privsvr)
+ const krb5_pac pac,
+ krb5_timestamp authtime,
+ krb5_const_principal principal,
+ const krb5_keyblock *server,
+ const krb5_keyblock *privsvr)
{
krb5_error_code ret;
if (server == NULL)
- return EINVAL;
+ return EINVAL;
ret = k5_pac_verify_server_checksum(context, pac, server);
if (ret != 0)
- return ret;
+ return ret;
if (privsvr != NULL) {
- ret = k5_pac_verify_kdc_checksum(context, pac, privsvr);
- if (ret != 0)
- return ret;
+ ret = k5_pac_verify_kdc_checksum(context, pac, privsvr);
+ if (ret != 0)
+ return ret;
}
if (principal != NULL) {
- ret = k5_pac_validate_client(context, pac, authtime, principal);
- if (ret != 0)
- return ret;
+ ret = k5_pac_validate_client(context, pac, authtime, principal);
+ if (ret != 0)
+ return ret;
}
pac->verified = TRUE;
@@ -703,9 +704,9 @@ krb5_pac_verify(krb5_context context,
static krb5_error_code
k5_insert_client_info(krb5_context context,
- krb5_pac pac,
- krb5_timestamp authtime,
- krb5_const_principal principal)
+ krb5_pac pac,
+ krb5_timestamp authtime,
+ krb5_const_principal principal)
{
krb5_error_code ret;
krb5_data client_info;
@@ -716,29 +717,29 @@ k5_insert_client_info(krb5_context context,
/* If we already have a CLIENT_INFO buffer, then just validate it */
if (k5_pac_locate_buffer(context, pac,
- PAC_CLIENT_INFO, &client_info) == 0) {
- return k5_pac_validate_client(context, pac, authtime, principal);
+ PAC_CLIENT_INFO, &client_info) == 0) {
+ return k5_pac_validate_client(context, pac, authtime, principal);
}
ret = krb5_unparse_name_flags(context, principal,
- KRB5_PRINCIPAL_UNPARSE_NO_REALM,
- &princ_name_utf8);
+ KRB5_PRINCIPAL_UNPARSE_NO_REALM,
+ &princ_name_utf8);
if (ret != 0)
- goto cleanup;
+ goto cleanup;
ret = krb5int_utf8s_to_ucs2les(princ_name_utf8,
- &princ_name_ucs2,
- &princ_name_ucs2_len);
+ &princ_name_ucs2,
+ &princ_name_ucs2_len);
if (ret != 0)
- goto cleanup;
+ goto cleanup;
client_info.length = PAC_CLIENT_INFO_LENGTH + princ_name_ucs2_len;
client_info.data = NULL;
ret = k5_pac_add_buffer(context, pac, PAC_CLIENT_INFO,
- &client_info, TRUE, &client_info);
+ &client_info, TRUE, &client_info);
if (ret != 0)
- goto cleanup;
+ goto cleanup;
p = (unsigned char *)client_info.data;
@@ -756,7 +757,7 @@ k5_insert_client_info(krb5_context context,
cleanup:
if (princ_name_ucs2 != NULL)
- free(princ_name_ucs2);
+ free(princ_name_ucs2);
krb5_free_unparsed_name(context, princ_name_utf8);
return ret;
@@ -764,10 +765,10 @@ cleanup:
static krb5_error_code
k5_insert_checksum(krb5_context context,
- krb5_pac pac,
- krb5_ui_4 type,
- const krb5_keyblock *key,
- krb5_cksumtype *cksumtype)
+ krb5_pac pac,
+ krb5_ui_4 type,
+ const krb5_keyblock *key,
+ krb5_cksumtype *cksumtype)
{
krb5_error_code ret;
size_t len;
@@ -775,32 +776,32 @@ k5_insert_checksum(krb5_context context,
ret = krb5int_c_mandatory_cksumtype(context, key->enctype, cksumtype);
if (ret != 0)
- return ret;
+ return ret;
ret = krb5_c_checksum_length(context, *cksumtype, &len);
if (ret != 0)
- return ret;
+ return ret;
ret = k5_pac_locate_buffer(context, pac, type, &cksumdata);
if (ret == 0) {
- /*
- * If we're resigning PAC, make sure we can fit checksum
- * into existing buffer
- */
- if (cksumdata.length != PAC_SIGNATURE_DATA_LENGTH + len)
- return ERANGE;
-
- memset(cksumdata.data, 0, cksumdata.length);
+ /*
+ * If we're resigning PAC, make sure we can fit checksum
+ * into existing buffer
+ */
+ if (cksumdata.length != PAC_SIGNATURE_DATA_LENGTH + len)
+ return ERANGE;
+
+ memset(cksumdata.data, 0, cksumdata.length);
} else {
- /* Add a zero filled buffer */
- cksumdata.length = PAC_SIGNATURE_DATA_LENGTH + len;
- cksumdata.data = NULL;
-
- ret = k5_pac_add_buffer(context, pac,
- type, &cksumdata,
- TRUE, &cksumdata);
- if (ret != 0)
- return ret;
+ /* Add a zero filled buffer */
+ cksumdata.length = PAC_SIGNATURE_DATA_LENGTH + len;
+ cksumdata.data = NULL;
+
+ ret = k5_pac_add_buffer(context, pac,
+ type, &cksumdata,
+ TRUE, &cksumdata);
+ if (ret != 0)
+ return ret;
}
/* Encode checksum type into buffer */
@@ -818,7 +819,7 @@ k5_pac_encode_header(krb5_context context, krb5_pac pac)
size_t header_len;
header_len = PACTYPE_LENGTH +
- (pac->pac->cBuffers * PAC_INFO_BUFFER_LENGTH);
+ (pac->pac->cBuffers * PAC_INFO_BUFFER_LENGTH);
assert(pac->data.length >= header_len);
p = (unsigned char *)pac->data.data;
@@ -829,23 +830,23 @@ k5_pac_encode_header(krb5_context context, krb5_pac pac)
p += 4;
for (i = 0; i < pac->pac->cBuffers; i++) {
- PAC_INFO_BUFFER *buffer = &pac->pac->Buffers[i];
-
- store_32_le(buffer->ulType, p);
- p += 4;
- store_32_le(buffer->cbBufferSize, p);
- p += 4;
- store_64_le(buffer->Offset, p);
- p += 8;
-
- assert((buffer->Offset % PAC_ALIGNMENT) == 0);
- assert(buffer->Offset + buffer->cbBufferSize <= pac->data.length);
- assert(buffer->Offset >= header_len);
-
- if (buffer->Offset % PAC_ALIGNMENT ||
- buffer->Offset + buffer->cbBufferSize > pac->data.length ||
- buffer->Offset < header_len)
- return ERANGE;
+ PAC_INFO_BUFFER *buffer = &pac->pac->Buffers[i];
+
+ store_32_le(buffer->ulType, p);
+ p += 4;
+ store_32_le(buffer->cbBufferSize, p);
+ p += 4;
+ store_64_le(buffer->Offset, p);
+ p += 8;
+
+ assert((buffer->Offset % PAC_ALIGNMENT) == 0);
+ assert(buffer->Offset + buffer->cbBufferSize <= pac->data.length);
+ assert(buffer->Offset >= header_len);
+
+ if (buffer->Offset % PAC_ALIGNMENT ||
+ buffer->Offset + buffer->cbBufferSize > pac->data.length ||
+ buffer->Offset < header_len)
+ return ERANGE;
}
return 0;
@@ -853,12 +854,12 @@ k5_pac_encode_header(krb5_context context, krb5_pac pac)
krb5_error_code KRB5_CALLCONV
krb5int_pac_sign(krb5_context context,
- krb5_pac pac,
- krb5_timestamp authtime,
- krb5_const_principal principal,
- const krb5_keyblock *server_key,
- const krb5_keyblock *privsvr_key,
- krb5_data *data)
+ krb5_pac pac,
+ krb5_timestamp authtime,
+ krb5_const_principal principal,
+ const krb5_keyblock *server_key,
+ const krb5_keyblock *privsvr_key,
+ krb5_data *data)
{
krb5_error_code ret;
krb5_data server_cksum, privsvr_cksum;
@@ -869,32 +870,32 @@ krb5int_pac_sign(krb5_context context,
data->data = NULL;
if (principal != NULL) {
- ret = k5_insert_client_info(context, pac, authtime, principal);
- if (ret != 0)
- return ret;
+ ret = k5_insert_client_info(context, pac, authtime, principal);
+ if (ret != 0)
+ return ret;
}
/* Create zeroed buffers for both checksums */
ret = k5_insert_checksum(context, pac, PAC_SERVER_CHECKSUM,
- server_key, &server_cksumtype);
+ server_key, &server_cksumtype);
if (ret != 0)
- return ret;
+ return ret;
ret = k5_insert_checksum(context, pac, PAC_PRIVSVR_CHECKSUM,
- privsvr_key, &privsvr_cksumtype);
+ privsvr_key, &privsvr_cksumtype);
if (ret != 0)
- return ret;
+ return ret;
/* Now, encode the PAC header so that the checksums will include it */
ret = k5_pac_encode_header(context, pac);
if (ret != 0)
- return ret;
+ return ret;
/* Generate the server checksum over the entire PAC */
ret = k5_pac_locate_buffer(context, pac,
- PAC_SERVER_CHECKSUM, &server_cksum);
+ PAC_SERVER_CHECKSUM, &server_cksum);
if (ret != 0)
- return ret;
+ return ret;
assert(server_cksum.length > PAC_SIGNATURE_DATA_LENGTH);
@@ -906,16 +907,16 @@ krb5int_pac_sign(krb5_context context,
iov[1].data.length = server_cksum.length - PAC_SIGNATURE_DATA_LENGTH;
ret = krb5_c_make_checksum_iov(context, server_cksumtype,
- server_key, KRB5_KEYUSAGE_APP_DATA_CKSUM,
- iov, sizeof(iov)/sizeof(iov[0]));
+ server_key, KRB5_KEYUSAGE_APP_DATA_CKSUM,
+ iov, sizeof(iov)/sizeof(iov[0]));
if (ret != 0)
- return ret;
+ return ret;
/* Generate the privsvr checksum over the server checksum buffer */
ret = k5_pac_locate_buffer(context, pac,
- PAC_PRIVSVR_CHECKSUM, &privsvr_cksum);
+ PAC_PRIVSVR_CHECKSUM, &privsvr_cksum);
if (ret != 0)
- return ret;
+ return ret;
assert(privsvr_cksum.length > PAC_SIGNATURE_DATA_LENGTH);
@@ -928,20 +929,20 @@ krb5int_pac_sign(krb5_context context,
iov[1].data.length = privsvr_cksum.length - PAC_SIGNATURE_DATA_LENGTH;
ret = krb5_c_make_checksum_iov(context, privsvr_cksumtype,
- privsvr_key, KRB5_KEYUSAGE_APP_DATA_CKSUM,
- iov, sizeof(iov)/sizeof(iov[0]));
+ privsvr_key, KRB5_KEYUSAGE_APP_DATA_CKSUM,
+ iov, sizeof(iov)/sizeof(iov[0]));
if (ret != 0)
- return ret;
+ return ret;
data->data = malloc(pac->data.length);
if (data->data == NULL)
- return ENOMEM;
+ return ENOMEM;
data->length = pac->data.length;
memcpy(data->data, pac->data.data, pac->data.length);
memset(pac->data.data, 0,
- PACTYPE_LENGTH + (pac->pac->cBuffers * PAC_INFO_BUFFER_LENGTH));
+ PACTYPE_LENGTH + (pac->pac->cBuffers * PAC_INFO_BUFFER_LENGTH));
return 0;
}
@@ -962,9 +963,9 @@ mspac_init(krb5_context kcontext, void **plugin_context)
static void
mspac_flags(krb5_context kcontext,
- void *plugin_context,
- krb5_authdatatype ad_type,
- krb5_flags *flags)
+ void *plugin_context,
+ krb5_authdatatype ad_type,
+ krb5_flags *flags)
{
*flags = AD_USAGE_KDC_ISSUED;
}
@@ -977,15 +978,15 @@ mspac_fini(krb5_context kcontext, void *plugin_context)
static krb5_error_code
mspac_request_init(krb5_context kcontext,
- krb5_authdata_context context,
- void *plugin_context,
- void **request_context)
+ krb5_authdata_context context,
+ void *plugin_context,
+ void **request_context)
{
struct mspac_context *pacctx;
pacctx = (struct mspac_context *)malloc(sizeof(*pacctx));
if (pacctx == NULL)
- return ENOMEM;
+ return ENOMEM;
pacctx->pac = NULL;
@@ -996,41 +997,41 @@ mspac_request_init(krb5_context kcontext,
static krb5_error_code
mspac_import_authdata(krb5_context kcontext,
- krb5_authdata_context context,
- void *plugin_context,
- void *request_context,
- krb5_authdata **authdata,
- krb5_boolean kdc_issued,
- krb5_const_principal kdc_issuer)
+ krb5_authdata_context context,
+ void *plugin_context,
+ void *request_context,
+ krb5_authdata **authdata,
+ krb5_boolean kdc_issued,
+ krb5_const_principal kdc_issuer)
{
krb5_error_code code;
struct mspac_context *pacctx = (struct mspac_context *)request_context;
if (kdc_issued)
- return EINVAL;
+ return EINVAL;
if (pacctx->pac != NULL) {
- krb5_pac_free(kcontext, pacctx->pac);
- pacctx->pac = NULL;
+ krb5_pac_free(kcontext, pacctx->pac);
+ pacctx->pac = NULL;
}
assert(authdata[0] != NULL);
assert((authdata[0]->ad_type & AD_TYPE_FIELD_TYPE_MASK) ==
- KRB5_AUTHDATA_WIN2K_PAC);
+ KRB5_AUTHDATA_WIN2K_PAC);
code = krb5_pac_parse(kcontext, authdata[0]->contents,
- authdata[0]->length, &pacctx->pac);
+ authdata[0]->length, &pacctx->pac);
return code;
}
static krb5_error_code
mspac_export_authdata(krb5_context kcontext,
- krb5_authdata_context context,
- void *plugin_context,
- void *request_context,
- krb5_flags usage,
- krb5_authdata ***out_authdata)
+ krb5_authdata_context context,
+ void *plugin_context,
+ void *request_context,
+ krb5_flags usage,
+ krb5_authdata ***out_authdata)
{
struct mspac_context *pacctx = (struct mspac_context *)request_context;
krb5_error_code code;
@@ -1038,23 +1039,23 @@ mspac_export_authdata(krb5_context kcontext,
krb5_data data;
if (pacctx->pac == NULL)
- return 0;
+ return 0;
authdata = calloc(2, sizeof(krb5_authdata *));
if (authdata == NULL)
- return ENOMEM;
+ return ENOMEM;
authdata[0] = calloc(1, sizeof(krb5_authdata));
if (authdata[0] == NULL) {
- free(authdata);
- return ENOMEM;
+ free(authdata);
+ return ENOMEM;
}
authdata[1] = NULL;
code = krb5int_copy_data_contents(kcontext, &pacctx->pac->data, &data);
if (code != 0) {
- krb5_free_authdata(kcontext, authdata);
- return code;
+ krb5_free_authdata(kcontext, authdata);
+ return code;
}
authdata[0]->magic = KV5M_AUTHDATA;
@@ -1071,25 +1072,25 @@ mspac_export_authdata(krb5_context kcontext,
static krb5_error_code
mspac_verify(krb5_context kcontext,
- krb5_authdata_context context,
- void *plugin_context,
- void *request_context,
- const krb5_auth_context *auth_context,
- const krb5_keyblock *key,
- const krb5_ap_req *req)
+ krb5_authdata_context context,
+ void *plugin_context,
+ void *request_context,
+ const krb5_auth_context *auth_context,
+ const krb5_keyblock *key,
+ const krb5_ap_req *req)
{
krb5_error_code code;
struct mspac_context *pacctx = (struct mspac_context *)request_context;
if (pacctx->pac == NULL)
- return EINVAL;
+ return EINVAL;
code = krb5_pac_verify(kcontext,
- pacctx->pac,
- req->ticket->enc_part2->times.authtime,
- req->ticket->enc_part2->client,
- key,
- NULL);
+ pacctx->pac,
+ req->ticket->enc_part2->times.authtime,
+ req->ticket->enc_part2->client,
+ key,
+ NULL);
#if 0
/*
@@ -1097,8 +1098,8 @@ mspac_verify(krb5_context kcontext,
* Thoughts?
*/
if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY) {
- assert(pacctx->pac->verified == FALSE);
- code = 0;
+ assert(pacctx->pac->verified == FALSE);
+ code = 0;
}
#endif
@@ -1107,17 +1108,17 @@ mspac_verify(krb5_context kcontext,
static void
mspac_request_fini(krb5_context kcontext,
- krb5_authdata_context context,
- void *plugin_context,
- void *request_context)
+ krb5_authdata_context context,
+ void *plugin_context,
+ void *request_context)
{
struct mspac_context *pacctx = (struct mspac_context *)request_context;
if (pacctx != NULL) {
- if (pacctx->pac != NULL)
- krb5_pac_free(kcontext, pacctx->pac);
+ if (pacctx->pac != NULL)
+ krb5_pac_free(kcontext, pacctx->pac);
- free(pacctx);
+ free(pacctx);
}
}
@@ -1127,17 +1128,17 @@ static struct {
krb5_ui_4 type;
krb5_data attribute;
} mspac_attribute_types[] = {
- { (krb5_ui_4)-1, { KV5M_DATA, STRLENOF("urn:mspac:"), "urn:mspac:" } },
- { PAC_LOGON_INFO, { KV5M_DATA, STRLENOF("urn:mspac:logon-info"), "urn:mspac:logon-info" } },
- { PAC_CREDENTIALS_INFO, { KV5M_DATA, STRLENOF("urn:mspac:credentials-info"), "urn:mspac:credentials-info" } },
- { PAC_SERVER_CHECKSUM, { KV5M_DATA, STRLENOF("urn:mspac:server-checksum"), "urn:mspac:server-checksum" } },
- { PAC_PRIVSVR_CHECKSUM, { KV5M_DATA, STRLENOF("urn:mspac:privsvr-checksum"), "urn:mspac:privsvr-checksum" } },
- { PAC_CLIENT_INFO, { KV5M_DATA, STRLENOF("urn:mspac:client-info"), "urn:mspac:client-info" } },
- { PAC_DELEGATION_INFO, { KV5M_DATA, STRLENOF("urn:mspac:delegation-info"), "urn:mspac:delegation-info" } },
- { PAC_UPN_DNS_INFO, { KV5M_DATA, STRLENOF("urn:mspac:upn-dns-info"), "urn:mspac:upn-dns-info" } },
+ { (krb5_ui_4)-1, { KV5M_DATA, STRLENOF("urn:mspac:"), "urn:mspac:" } },
+ { PAC_LOGON_INFO, { KV5M_DATA, STRLENOF("urn:mspac:logon-info"), "urn:mspac:logon-info" } },
+ { PAC_CREDENTIALS_INFO, { KV5M_DATA, STRLENOF("urn:mspac:credentials-info"), "urn:mspac:credentials-info" } },
+ { PAC_SERVER_CHECKSUM, { KV5M_DATA, STRLENOF("urn:mspac:server-checksum"), "urn:mspac:server-checksum" } },
+ { PAC_PRIVSVR_CHECKSUM, { KV5M_DATA, STRLENOF("urn:mspac:privsvr-checksum"), "urn:mspac:privsvr-checksum" } },
+ { PAC_CLIENT_INFO, { KV5M_DATA, STRLENOF("urn:mspac:client-info"), "urn:mspac:client-info" } },
+ { PAC_DELEGATION_INFO, { KV5M_DATA, STRLENOF("urn:mspac:delegation-info"), "urn:mspac:delegation-info" } },
+ { PAC_UPN_DNS_INFO, { KV5M_DATA, STRLENOF("urn:mspac:upn-dns-info"), "urn:mspac:upn-dns-info" } },
};
-#define MSPAC_ATTRIBUTE_COUNT (sizeof(mspac_attribute_types)/sizeof(mspac_attribute_types[0]))
+#define MSPAC_ATTRIBUTE_COUNT (sizeof(mspac_attribute_types)/sizeof(mspac_attribute_types[0]))
static krb5_error_code
mspac_type2attr(krb5_ui_4 type, krb5_data *attr)
@@ -1145,10 +1146,10 @@ mspac_type2attr(krb5_ui_4 type, krb5_data *attr)
unsigned int i;
for (i = 0; i < MSPAC_ATTRIBUTE_COUNT; i++) {
- if (mspac_attribute_types[i].type == type) {
- *attr = mspac_attribute_types[i].attribute;
- return 0;
- }
+ if (mspac_attribute_types[i].type == type) {
+ *attr = mspac_attribute_types[i].attribute;
+ return 0;
+ }
}
return ENOENT;
@@ -1160,22 +1161,22 @@ mspac_attr2type(const krb5_data *attr, krb5_ui_4 *type)
unsigned int i;
for (i = 0; i < MSPAC_ATTRIBUTE_COUNT; i++) {
- if (attr->length == mspac_attribute_types[i].attribute.length &&
- strncasecmp(attr->data, mspac_attribute_types[i].attribute.data, attr->length) == 0) {
- *type = mspac_attribute_types[i].type;
- return 0;
- }
+ if (attr->length == mspac_attribute_types[i].attribute.length &&
+ strncasecmp(attr->data, mspac_attribute_types[i].attribute.data, attr->length) == 0) {
+ *type = mspac_attribute_types[i].type;
+ return 0;
+ }
}
if (attr->length > STRLENOF("urn:mspac:") &&
- strncasecmp(attr->data, "urn:mspac:", STRLENOF("urn:mspac:")) == 0)
+ strncasecmp(attr->data, "urn:mspac:", STRLENOF("urn:mspac:")) == 0)
{
- char *p = &attr->data[STRLENOF("urn:mspac:")];
- char *endptr;
+ char *p = &attr->data[STRLENOF("urn:mspac:")];
+ char *endptr;
- *type = strtoul(p, &endptr, 10);
- if (*type != 0 && *endptr == '\0')
- return 0;
+ *type = strtoul(p, &endptr, 10);
+ if (*type != 0 && *endptr == '\0')
+ return 0;
}
return ENOENT;
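Review bot: `strtoul(p, &endptr, 10)` scans until it meets a non-digit, but attr is a length-delimited krb5_data and nothing in this hunk shows attr->data to be NUL-terminated, so the conversion and the `*endptr == '\0'` test can read past attr->length. The unsigned long result is also stored into `*type` without a range check, so it is silently truncated where unsigned long is wider than 32 bits. Parsing the suffix digit by digit up to attr->length, with an explicit limit, keeps the read inside the attribute and rejects out-of-range values. Unlike strtoul, the loop below does not accept leading whitespace or a sign. The function signature is outside the hunk.

```c
/* … unchanged: lookup loop over mspac_attribute_types … */
if (attr->length > STRLENOF("urn:mspac:") &&
    strncasecmp(attr->data, "urn:mspac:", STRLENOF("urn:mspac:")) == 0)
{
    unsigned long val = 0;
    unsigned int k;

    /* Walk only the bytes that belong to the attribute. */
    for (k = STRLENOF("urn:mspac:"); k < attr->length; k++) {
        unsigned char c = (unsigned char)attr->data[k];

        if (c < '0' || c > '9')
            return ENOENT;
        /* Reject before the value can exceed 32 bits. */
        if (val > (0xFFFFFFFFUL - (unsigned long)(c - '0')) / 10)
            return ENOENT;
        val = val * 10 + (unsigned long)(c - '0');
    }
    if (val != 0) {
        *type = (krb5_ui_4)val;
        return 0;
    }
}
```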
@@ -1183,10 +1184,10 @@ mspac_attr2type(const krb5_data *attr, krb5_ui_4 *type)
static krb5_error_code
mspac_get_attribute_types(krb5_context kcontext,
- krb5_authdata_context context,
- void *plugin_context,
- void *request_context,
- krb5_data **out_attrs)
+ krb5_authdata_context context,
+ void *plugin_context,
+ void *request_context,
+ krb5_data **out_attrs)
{
struct mspac_context *pacctx = (struct mspac_context *)request_context;
unsigned int i, j;
@@ -1194,45 +1195,45 @@ mspac_get_attribute_types(krb5_context kcontext,
krb5_error_code code;
if (pacctx->pac == NULL)
- return ENOENT;
+ return ENOENT;
attrs = calloc(1 + pacctx->pac->pac->cBuffers + 1, sizeof(krb5_data));
if (attrs == NULL)
- return ENOMEM;
+ return ENOMEM;
j = 0;
/* The entire PAC */
code = krb5int_copy_data_contents(kcontext,
- &mspac_attribute_types[0].attribute,
- &attrs[j++]);
+ &mspac_attribute_types[0].attribute,
+ &attrs[j++]);
if (code != 0) {
- free(attrs);
- return code;
+ free(attrs);
+ return code;
}
/* PAC buffers */
for (i = 0; i < pacctx->pac->pac->cBuffers; i++) {
- krb5_data attr;
-
- code = mspac_type2attr(pacctx->pac->pac->Buffers[i].ulType, &attr);
- if (code == 0) {
- code = krb5int_copy_data_contents(kcontext, &attr, &attrs[j++]);
- if (code != 0) {
- krb5int_free_data_list(kcontext, attrs);
- return code;
- }
- } else {
- int length;
-
- length = asprintf(&attrs[j].data, "urn:mspac:%d",
- pacctx->pac->pac->Buffers[i].ulType);
- if (length < 0) {
- krb5int_free_data_list(kcontext, attrs);
- return ENOMEM;
- }
- attrs[j++].length = length;
- }
+ krb5_data attr;
+
+ code = mspac_type2attr(pacctx->pac->pac->Buffers[i].ulType, &attr);
+ if (code == 0) {
+ code = krb5int_copy_data_contents(kcontext, &attr, &attrs[j++]);
+ if (code != 0) {
+ krb5int_free_data_list(kcontext, attrs);
+ return code;
+ }
+ } else {
+ int length;
+
+ length = asprintf(&attrs[j].data, "urn:mspac:%d",
+ pacctx->pac->pac->Buffers[i].ulType);
+ if (length < 0) {
+ krb5int_free_data_list(kcontext, attrs);
+ return ENOMEM;
+ }
+ attrs[j++].length = length;
+ }
}
attrs[j].data = NULL;
attrs[j].length = 0;
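Review bot: The fallback attribute name is built with `"urn:mspac:%d"`, a signed conversion, although ulType is handled as krb5_ui_4 everywhere else in this file and mspac_attr2type reads the suffix back with strtoul. A type value with the top bit set would be printed as a negative number that the reverse mapping does not accept. Using `"urn:mspac:%u"` with an `(unsigned int)` cast on the argument keeps the two directions consistent. The function begins and ends outside this hunk.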
@@ -1244,49 +1245,49 @@ mspac_get_attribute_types(krb5_context kcontext,
static krb5_error_code
mspac_get_attribute(krb5_context kcontext,
- krb5_authdata_context context,
- void *plugin_context,
- void *request_context,
- const krb5_data *attribute,
- krb5_boolean *authenticated,
- krb5_boolean *complete,
- krb5_data *value,
- krb5_data *display_value,
- int *more)
+ krb5_authdata_context context,
+ void *plugin_context,
+ void *request_context,
+ const krb5_data *attribute,
+ krb5_boolean *authenticated,
+ krb5_boolean *complete,
+ krb5_data *value,
+ krb5_data *display_value,
+ int *more)
{
struct mspac_context *pacctx = (struct mspac_context *)request_context;
krb5_error_code code;
krb5_ui_4 type;
if (display_value != NULL) {
- display_value->data = NULL;
- display_value->length = 0;
+ display_value->data = NULL;
+ display_value->length = 0;
}
if (*more != -1 || pacctx->pac == NULL)
- return ENOENT;
+ return ENOENT;
code = mspac_attr2type(attribute, &type);
if (code != 0)
- return code;
+ return code;
/* -1 is a magic type that refers to the entire PAC */
if (type == (krb5_ui_4)-1) {
- if (value != NULL)
- code = krb5int_copy_data_contents(kcontext,
- &pacctx->pac->data,
- value);
- else
- code = 0;
+ if (value != NULL)
+ code = krb5int_copy_data_contents(kcontext,
+ &pacctx->pac->data,
+ value);
+ else
+ code = 0;
} else {
- if (value != NULL)
- code = krb5_pac_get_buffer(kcontext, pacctx->pac, type, value);
- else
- code = k5_pac_locate_buffer(kcontext, pacctx->pac, type, NULL);
+ if (value != NULL)
+ code = krb5_pac_get_buffer(kcontext, pacctx->pac, type, value);
+ else
+ code = k5_pac_locate_buffer(kcontext, pacctx->pac, type, NULL);
}
if (code == 0) {
- *authenticated = pacctx->pac->verified;
- *complete = TRUE;
+ *authenticated = pacctx->pac->verified;
+ *complete = TRUE;
}
*more = 0;
@@ -1296,36 +1297,36 @@ mspac_get_attribute(krb5_context kcontext,
static krb5_error_code
mspac_set_attribute(krb5_context kcontext,
- krb5_authdata_context context,
- void *plugin_context,
- void *request_context,
- krb5_boolean complete,
- const krb5_data *attribute,
- const krb5_data *value)
+ krb5_authdata_context context,
+ void *plugin_context,
+ void *request_context,
+ krb5_boolean complete,
+ const krb5_data *attribute,
+ const krb5_data *value)
{
struct mspac_context *pacctx = (struct mspac_context *)request_context;
krb5_error_code code;
krb5_ui_4 type;
if (pacctx->pac == NULL)
- return ENOENT;
+ return ENOENT;
code = mspac_attr2type(attribute, &type);
if (code != 0)
- return code;
+ return code;
/* -1 is a magic type that refers to the entire PAC */
if (type == (krb5_ui_4)-1) {
- krb5_pac newpac;
+ krb5_pac newpac;
- code = krb5_pac_parse(kcontext, value->data, value->length, &newpac);
- if (code != 0)
- return code;
+ code = krb5_pac_parse(kcontext, value->data, value->length, &newpac);
+ if (code != 0)
+ return code;
- krb5_pac_free(kcontext, pacctx->pac);
- pacctx->pac = newpac;
+ krb5_pac_free(kcontext, pacctx->pac);
+ pacctx->pac = newpac;
} else {
- code = krb5_pac_add_buffer(kcontext, pacctx->pac, type, value);
+ code = krb5_pac_add_buffer(kcontext, pacctx->pac, type, value);
}
return code;
@@ -1333,11 +1334,11 @@ mspac_set_attribute(krb5_context kcontext,
static krb5_error_code
mspac_export_internal(krb5_context kcontext,
- krb5_authdata_context context,
- void *plugin_context,
- void *request_context,
- krb5_boolean restrict_authenticated,
- void **ptr)
+ krb5_authdata_context context,
+ void *plugin_context,
+ void *request_context,
+ krb5_boolean restrict_authenticated,
+ void **ptr)
{
struct mspac_context *pacctx = (struct mspac_context *)request_context;
krb5_error_code code;
@@ -1346,16 +1347,16 @@ mspac_export_internal(krb5_context kcontext,
*ptr = NULL;
if (pacctx->pac == NULL)
- return 0;
+ return 0;
if (restrict_authenticated && (pacctx->pac->verified) == FALSE)
- return 0;
+ return 0;
code = krb5_pac_parse(kcontext, pacctx->pac->data.data,
- pacctx->pac->data.length, &pac);
+ pacctx->pac->data.length, &pac);
if (code == 0) {
- pac->verified = pacctx->pac->verified;
- *ptr = pac;
+ pac->verified = pacctx->pac->verified;
+ *ptr = pac;
}
return code;
@@ -1363,30 +1364,30 @@ mspac_export_internal(krb5_context kcontext,
static void
mspac_free_internal(krb5_context kcontext,
- krb5_authdata_context context,
- void *plugin_context,
- void *request_context,
- void *ptr)
+ krb5_authdata_context context,
+ void *plugin_context,
+ void *request_context,
+ void *ptr)
{
if (ptr != NULL)
- krb5_pac_free(kcontext, (krb5_pac)ptr);
+ krb5_pac_free(kcontext, (krb5_pac)ptr);
return;
}
static krb5_error_code
mspac_size(krb5_context kcontext,
- krb5_authdata_context context,
- void *plugin_context,
- void *request_context,
- size_t *sizep)
+ krb5_authdata_context context,
+ void *plugin_context,
+ void *request_context,
+ size_t *sizep)
{
struct mspac_context *pacctx = (struct mspac_context *)request_context;
*sizep += sizeof(krb5_int32);
if (pacctx->pac != NULL)
- *sizep += pacctx->pac->data.length;
+ *sizep += pacctx->pac->data.length;
*sizep += sizeof(krb5_int32);
@@ -1395,11 +1396,11 @@ mspac_size(krb5_context kcontext,
static krb5_error_code
mspac_externalize(krb5_context kcontext,
- krb5_authdata_context context,
- void *plugin_context,
- void *request_context,
- krb5_octet **buffer,
- size_t *lenremain)
+ krb5_authdata_context context,
+ void *plugin_context,
+ void *request_context,
+ krb5_octet **buffer,
+ size_t *lenremain)
{
krb5_error_code code = 0;
struct mspac_context *pacctx = (struct mspac_context *)request_context;
@@ -1411,23 +1412,23 @@ mspac_externalize(krb5_context kcontext,
remain = *lenremain;
if (pacctx->pac != NULL) {
- mspac_size(kcontext, context, plugin_context,
- request_context, &required);
-
- if (required <= remain) {
- krb5_ser_pack_int32((krb5_int32)pacctx->pac->data.length,
- &bp, &remain);
- krb5_ser_pack_bytes((krb5_octet *)pacctx->pac->data.data,
- (size_t)pacctx->pac->data.length,
- &bp, &remain);
- krb5_ser_pack_int32((krb5_int32)pacctx->pac->verified,
- &bp, &remain);
- } else {
- code = ENOMEM;
- }
+ mspac_size(kcontext, context, plugin_context,
+ request_context, &required);
+
+ if (required <= remain) {
+ krb5_ser_pack_int32((krb5_int32)pacctx->pac->data.length,
+ &bp, &remain);
+ krb5_ser_pack_bytes((krb5_octet *)pacctx->pac->data.data,
+ (size_t)pacctx->pac->data.length,
+ &bp, &remain);
+ krb5_ser_pack_int32((krb5_int32)pacctx->pac->verified,
+ &bp, &remain);
+ } else {
+ code = ENOMEM;
+ }
} else {
- krb5_ser_pack_int32(0, &bp, &remain); /* length */
- krb5_ser_pack_int32(0, &bp, &remain); /* verified */
+ krb5_ser_pack_int32(0, &bp, &remain); /* length */
+ krb5_ser_pack_int32(0, &bp, &remain); /* verified */
}
*buffer = bp;
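Review bot: The results of the `krb5_ser_pack_int32` and `krb5_ser_pack_bytes` calls are dropped, and the `else` branch (no PAC) packs two integers without the `required <= remain` test that guards the other branch. If the pack helpers refuse to write into a short buffer and report that through their return value, this path still leaves `code == 0` with nothing serialized. Propagating the result, e.g. `code = krb5_ser_pack_int32(0, &bp, &remain); if (code != 0) return code;`, or running the size check before both branches, would make the two paths consistent. The initialisation of `required` and the function's tail are outside the hunk.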
@@ -1438,11 +1439,11 @@ mspac_externalize(krb5_context kcontext,
static krb5_error_code
mspac_internalize(krb5_context kcontext,
- krb5_authdata_context context,
- void *plugin_context,
- void *request_context,
- krb5_octet **buffer,
- size_t *lenremain)
+ krb5_authdata_context context,
+ void *plugin_context,
+ void *request_context,
+ krb5_octet **buffer,
+ size_t *lenremain)
{
struct mspac_context *pacctx = (struct mspac_context *)request_context;
krb5_error_code code;
@@ -1457,30 +1458,30 @@ mspac_internalize(krb5_context kcontext,
/* length */
code = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
if (code != 0)
- return code;
+ return code;
if (ibuf != 0) {
- code = krb5_pac_parse(kcontext, bp, ibuf, &pac);
- if (code != 0)
- return code;
+ code = krb5_pac_parse(kcontext, bp, ibuf, &pac);
+ if (code != 0)
+ return code;
- bp += ibuf;
- remain -= ibuf;
+ bp += ibuf;
+ remain -= ibuf;
}
/* verified */
code = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
if (code != 0) {
- krb5_pac_free(kcontext, pac);
- return code;
+ krb5_pac_free(kcontext, pac);
+ return code;
}
if (pac != NULL) {
- pac->verified = (ibuf != 0);
+ pac->verified = (ibuf != 0);
}
if (pacctx->pac != NULL) {
- krb5_pac_free(kcontext, pacctx->pac);
+ krb5_pac_free(kcontext, pacctx->pac);
}
pacctx->pac = pac;
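Review bot: The length unpacked from the serialized buffer is never compared with what is left in that buffer: `ibuf` goes straight into `krb5_pac_parse(kcontext, bp, ibuf, &pac)` and then into `bp += ibuf; remain -= ibuf;`. A negative value, or one larger than `remain`, would let the parser read beyond the caller's buffer and would wrap `remain`, so the following `verified` unpack is bounded by a meaningless count. A guard before the parse closes this: `if (ibuf < 0 || (size_t)ibuf > remain) return EINVAL;`. The declarations of `ibuf`, `bp` and `remain` are outside the hunk, so their types are assumed from how they are used here and from the `size_t *lenremain` parameter.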
@@ -1493,11 +1494,11 @@ mspac_internalize(krb5_context kcontext,
static krb5_error_code
mspac_copy(krb5_context kcontext,
- krb5_authdata_context context,
- void *plugin_context,
- void *request_context,
- void *dst_plugin_context,
- void *dst_request_context)
+ krb5_authdata_context context,
+ void *plugin_context,
+ void *request_context,
+ void *dst_plugin_context,
+ void *dst_request_context)
{
struct mspac_context *srcctx = (struct mspac_context *)request_context;
struct mspac_context *dstctx = (struct mspac_context *)dst_request_context;
@@ -1507,7 +1508,7 @@ mspac_copy(krb5_context kcontext,
assert(dstctx->pac == NULL);
if (srcctx->pac != NULL)
- code = k5_pac_copy(kcontext, srcctx->pac, &dstctx->pac);
+ code = k5_pac_copy(kcontext, srcctx->pac, &dstctx->pac);
return code;
}
@@ -1536,4 +1537,3 @@ krb5plugin_authdata_client_ftable_v0 krb5int_mspac_authdata_client_ftable = {
mspac_internalize,
mspac_copy
};
-
diff --git a/src/lib/krb5/krb/parse.c b/src/lib/krb5/krb/parse.c
index 5dd29fb434..b78cc4311b 100644
--- a/src/lib/krb5/krb/parse.c
+++ b/src/lib/krb5/krb/parse.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/parse.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_parse_name() routine.
*
@@ -37,27 +38,27 @@
* converts a single-string representation of the name to the
* multi-part principal format used in the protocols.
*
- * principal will point to allocated storage which should be freed by
+ * principal will point to allocated storage which should be freed by
* the caller (using krb5_free_principal) after use.
- *
+ *
* Conventions: / is used to separate components. If @ is present in the
* string, then the rest of the string after it represents the realm name.
* Otherwise the local realm name is used.
- *
+ *
* error return:
- * KRB5_PARSE_MALFORMED badly formatted string
+ * KRB5_PARSE_MALFORMED badly formatted string
*
* also returns system errors:
- * ENOMEM malloc failed/out of memory
+ * ENOMEM malloc failed/out of memory
*
* get_default_realm() is called; it may return other errors.
*/
-#define REALM_SEP '@'
-#define COMPONENT_SEP '/'
-#define QUOTECHAR '\\'
+#define REALM_SEP '@'
+#define COMPONENT_SEP '/'
+#define QUOTECHAR '\\'
-#define FCOMPNUM 10
+#define FCOMPNUM 10
/*
* May the fleas of a thousand camels infest the ISO, they who think
@@ -65,276 +66,276 @@
*/
static krb5_error_code
k5_parse_name(krb5_context context, const char *name,
- int flags, krb5_principal *nprincipal)
+ int flags, krb5_principal *nprincipal)
{
- register const char *cp;
- register char *q;
- register int i,c,size;
- int components = 0;
- const char *parsed_realm = NULL;
- int fcompsize[FCOMPNUM];
- unsigned int realmsize = 0;
- char *default_realm = NULL;
- int default_realm_size = 0;
- char *tmpdata;
- krb5_principal principal;
- krb5_error_code retval;
- unsigned int enterprise = (flags & KRB5_PRINCIPAL_PARSE_ENTERPRISE);
- int first_at;
+ register const char *cp;
+ register char *q;
+ register int i,c,size;
+ int components = 0;
+ const char *parsed_realm = NULL;
+ int fcompsize[FCOMPNUM];
+ unsigned int realmsize = 0;
+ char *default_realm = NULL;
+ int default_realm_size = 0;
+ char *tmpdata;
+ krb5_principal principal;
+ krb5_error_code retval;
+ unsigned int enterprise = (flags & KRB5_PRINCIPAL_PARSE_ENTERPRISE);
+ int first_at;
- *nprincipal = NULL;
+ *nprincipal = NULL;
- /*
- * Pass 1. Find out how many components there are to the name,
- * and get string sizes for the first FCOMPNUM components. For
- * enterprise principal names (UPNs), there is only a single
- * component.
- */
- size = 0;
- for (i=0,cp = name, first_at = 1; (c = *cp); cp++) {
- if (c == QUOTECHAR) {
- cp++;
- if (!(c = *cp))
- /*
- * QUOTECHAR can't be at the last
- * character of the name!
- */
- return(KRB5_PARSE_MALFORMED);
- size++;
- continue;
- } else if (c == COMPONENT_SEP && !enterprise) {
- if (parsed_realm)
- /*
- * Shouldn't see a component separator
- * after we've parsed out the realm name!
- */
- return(KRB5_PARSE_MALFORMED);
- if (i < FCOMPNUM) {
- fcompsize[i] = size;
- }
- size = 0;
- i++;
- } else if (c == REALM_SEP && (!enterprise || !first_at)) {
- if (parsed_realm)
- /*
- * Multiple realm separaters
- * not allowed; zero-length realms are.
- */
- return(KRB5_PARSE_MALFORMED);
- parsed_realm = cp + 1;
- if (i < FCOMPNUM) {
- fcompsize[i] = size;
- }
- size = 0;
- } else {
- if (c == REALM_SEP && enterprise && first_at)
- first_at = 0;
+ /*
+ * Pass 1. Find out how many components there are to the name,
+ * and get string sizes for the first FCOMPNUM components. For
+ * enterprise principal names (UPNs), there is only a single
+ * component.
+ */
+ size = 0;
+ for (i=0,cp = name, first_at = 1; (c = *cp); cp++) {
+ if (c == QUOTECHAR) {
+ cp++;
+ if (!(c = *cp))
+ /*
+ * QUOTECHAR can't be at the last
+ * character of the name!
+ */
+ return(KRB5_PARSE_MALFORMED);
+ size++;
+ continue;
+ } else if (c == COMPONENT_SEP && !enterprise) {
+ if (parsed_realm)
+ /*
+ * Shouldn't see a component separator
+ * after we've parsed out the realm name!
+ */
+ return(KRB5_PARSE_MALFORMED);
+ if (i < FCOMPNUM) {
+ fcompsize[i] = size;
+ }
+ size = 0;
+ i++;
+ } else if (c == REALM_SEP && (!enterprise || !first_at)) {
+ if (parsed_realm)
+ /*
+ * Multiple realm separaters
+ * not allowed; zero-length realms are.
+ */
+ return(KRB5_PARSE_MALFORMED);
+ parsed_realm = cp + 1;
+ if (i < FCOMPNUM) {
+ fcompsize[i] = size;
+ }
+ size = 0;
+ } else {
+ if (c == REALM_SEP && enterprise && first_at)
+ first_at = 0;
- size++;
- }
- }
- if (parsed_realm != NULL)
- realmsize = size;
- else if (i < FCOMPNUM)
- fcompsize[i] = size;
- components = i + 1;
- /*
- * Now, we allocate the principal structure and all of its
- * component pieces
- */
- principal = (krb5_principal)malloc(sizeof(krb5_principal_data));
- if (principal == NULL) {
- return(ENOMEM);
- }
- principal->data = (krb5_data *) malloc(sizeof(krb5_data) * components);
- if (principal->data == NULL) {
- free(principal);
- return ENOMEM;
- }
- principal->length = components;
+ size++;
+ }
+ }
+ if (parsed_realm != NULL)
+ realmsize = size;
+ else if (i < FCOMPNUM)
+ fcompsize[i] = size;
+ components = i + 1;
+ /*
+ * Now, we allocate the principal structure and all of its
+ * component pieces
+ */
+ principal = (krb5_principal)malloc(sizeof(krb5_principal_data));
+ if (principal == NULL) {
+ return(ENOMEM);
+ }
+ principal->data = (krb5_data *) malloc(sizeof(krb5_data) * components);
+ if (principal->data == NULL) {
+ free(principal);
+ return ENOMEM;
+ }
+ principal->length = components;
- /*
- * If a realm was not found, then use the default realm, unless
- * KRB5_PRINCIPAL_PARSE_NO_REALM was specified in which case the
- * realm will be empty.
- */
- if (!parsed_realm) {
- if (flags & KRB5_PRINCIPAL_PARSE_REQUIRE_REALM) {
- krb5_set_error_message(context, KRB5_PARSE_MALFORMED,
- "Principal %s is missing required realm", name);
- free(principal->data);
- free(principal);
- return KRB5_PARSE_MALFORMED;
- }
- if (!default_realm && (flags & KRB5_PRINCIPAL_PARSE_NO_REALM) == 0) {
- retval = krb5_get_default_realm(context, &default_realm);
- if (retval) {
- free(principal->data);
- free(principal);
- return(retval);
- }
- default_realm_size = strlen(default_realm);
- }
- realmsize = default_realm_size;
- } else if (flags & KRB5_PRINCIPAL_PARSE_NO_REALM) {
- krb5_set_error_message(context, KRB5_PARSE_MALFORMED,
- "Principal %s has realm present", name);
- free(principal->data);
- free(principal);
- return KRB5_PARSE_MALFORMED;
- }
+ /*
+ * If a realm was not found, then use the default realm, unless
+ * KRB5_PRINCIPAL_PARSE_NO_REALM was specified in which case the
+ * realm will be empty.
+ */
+ if (!parsed_realm) {
+ if (flags & KRB5_PRINCIPAL_PARSE_REQUIRE_REALM) {
+ krb5_set_error_message(context, KRB5_PARSE_MALFORMED,
+ "Principal %s is missing required realm", name);
+ free(principal->data);
+ free(principal);
+ return KRB5_PARSE_MALFORMED;
+ }
+ if (!default_realm && (flags & KRB5_PRINCIPAL_PARSE_NO_REALM) == 0) {
+ retval = krb5_get_default_realm(context, &default_realm);
+ if (retval) {
+ free(principal->data);
+ free(principal);
+ return(retval);
+ }
+ default_realm_size = strlen(default_realm);
+ }
+ realmsize = default_realm_size;
+ } else if (flags & KRB5_PRINCIPAL_PARSE_NO_REALM) {
+ krb5_set_error_message(context, KRB5_PARSE_MALFORMED,
+ "Principal %s has realm present", name);
+ free(principal->data);
+ free(principal);
+ return KRB5_PARSE_MALFORMED;
+ }
- /*
- * Pass 2. Happens only if there were more than FCOMPNUM
- * component; if this happens, someone should be shot
- * immediately. Nevertheless, we will attempt to handle said
- * case..... <martyred sigh>
- */
- if (components >= FCOMPNUM) {
- size = 0;
- parsed_realm = NULL;
- for (i=0,cp = name; (c = *cp); cp++) {
- if (c == QUOTECHAR) {
- cp++;
- size++;
- } else if (c == COMPONENT_SEP) {
- if (krb5_princ_size(context, principal) > i)
- krb5_princ_component(context, principal, i)->length = size;
- size = 0;
- i++;
- } else if (c == REALM_SEP) {
- if (krb5_princ_size(context, principal) > i)
- krb5_princ_component(context, principal, i)->length = size;
- size = 0;
- parsed_realm = cp+1;
- } else
- size++;
- }
- if (parsed_realm)
- krb5_princ_realm(context, principal)->length = size;
- else
- if (krb5_princ_size(context, principal) > i)
- krb5_princ_component(context, principal, i)->length = size;
- if (i + 1 != components) {
+ /*
+ * Pass 2. Happens only if there were more than FCOMPNUM
+ * component; if this happens, someone should be shot
+ * immediately. Nevertheless, we will attempt to handle said
+ * case..... <martyred sigh>
+ */
+ if (components >= FCOMPNUM) {
+ size = 0;
+ parsed_realm = NULL;
+ for (i=0,cp = name; (c = *cp); cp++) {
+ if (c == QUOTECHAR) {
+ cp++;
+ size++;
+ } else if (c == COMPONENT_SEP) {
+ if (krb5_princ_size(context, principal) > i)
+ krb5_princ_component(context, principal, i)->length = size;
+ size = 0;
+ i++;
+ } else if (c == REALM_SEP) {
+ if (krb5_princ_size(context, principal) > i)
+ krb5_princ_component(context, principal, i)->length = size;
+ size = 0;
+ parsed_realm = cp+1;
+ } else
+ size++;
+ }
+ if (parsed_realm)
+ krb5_princ_realm(context, principal)->length = size;
+ else
+ if (krb5_princ_size(context, principal) > i)
+ krb5_princ_component(context, principal, i)->length = size;
+ if (i + 1 != components) {
#if !defined(_WIN32)
- fprintf(stderr,
- "Programming error in krb5_parse_name!");
+ fprintf(stderr,
+ "Programming error in krb5_parse_name!");
#endif
- assert(i + 1 == components);
- abort();
- }
- } else {
- /*
- * If there were fewer than FCOMPSIZE components (the
- * usual case), then just copy the sizes to the
- * principal structure
- */
- for (i=0; i < components; i++)
- krb5_princ_component(context, principal, i)->length = fcompsize[i];
- }
- /*
- * Now, we need to allocate the space for the strings themselves.....
- */
- tmpdata = malloc(realmsize + 1);
- if (tmpdata == 0) {
- free(principal->data);
- free(principal);
- free(default_realm);
- return ENOMEM;
- }
- krb5_princ_set_realm_length(context, principal, realmsize);
- krb5_princ_set_realm_data(context, principal, tmpdata);
- for (i=0; i < components; i++) {
- char *tmpdata2 =
- malloc(krb5_princ_component(context, principal, i)->length + 1);
- if (tmpdata2 == NULL) {
- for (i--; i >= 0; i--)
- free(krb5_princ_component(context, principal, i)->data);
- free(krb5_princ_realm(context, principal)->data);
- free(principal->data);
- free(principal);
- free(default_realm);
- return(ENOMEM);
- }
- krb5_princ_component(context, principal, i)->data = tmpdata2;
- krb5_princ_component(context, principal, i)->magic = KV5M_DATA;
- }
-
- /*
- * Pass 3. Now we go through the string a *third* time, this
- * time filling in the krb5_principal structure which we just
- * allocated.
- */
- q = krb5_princ_component(context, principal, 0)->data;
- for (i=0,cp = name, first_at = 1; (c = *cp); cp++) {
- if (c == QUOTECHAR) {
- cp++;
- switch (c = *cp) {
- case 'n':
- *q++ = '\n';
- break;
- case 't':
- *q++ = '\t';
- break;
- case 'b':
- *q++ = '\b';
- break;
- case '0':
- *q++ = '\0';
- break;
- default:
- *q++ = c;
- break;
- }
- } else if (c == COMPONENT_SEP && !enterprise) {
- i++;
- *q++ = '\0';
- q = krb5_princ_component(context, principal, i)->data;
- } else if (c == REALM_SEP && (!enterprise || !first_at)) {
- i++;
- *q++ = '\0';
- q = krb5_princ_realm(context, principal)->data;
- } else {
- if (c == REALM_SEP && enterprise && first_at)
- first_at = 0;
+ assert(i + 1 == components);
+ abort();
+ }
+ } else {
+ /*
+ * If there were fewer than FCOMPSIZE components (the
+ * usual case), then just copy the sizes to the
+ * principal structure
+ */
+ for (i=0; i < components; i++)
+ krb5_princ_component(context, principal, i)->length = fcompsize[i];
+ }
+ /*
+ * Now, we need to allocate the space for the strings themselves.....
+ */
+ tmpdata = malloc(realmsize + 1);
+ if (tmpdata == 0) {
+ free(principal->data);
+ free(principal);
+ free(default_realm);
+ return ENOMEM;
+ }
+ krb5_princ_set_realm_length(context, principal, realmsize);
+ krb5_princ_set_realm_data(context, principal, tmpdata);
+ for (i=0; i < components; i++) {
+ char *tmpdata2 =
+ malloc(krb5_princ_component(context, principal, i)->length + 1);
+ if (tmpdata2 == NULL) {
+ for (i--; i >= 0; i--)
+ free(krb5_princ_component(context, principal, i)->data);
+ free(krb5_princ_realm(context, principal)->data);
+ free(principal->data);
+ free(principal);
+ free(default_realm);
+ return(ENOMEM);
+ }
+ krb5_princ_component(context, principal, i)->data = tmpdata2;
+ krb5_princ_component(context, principal, i)->magic = KV5M_DATA;
+ }
+
+ /*
+ * Pass 3. Now we go through the string a *third* time, this
+ * time filling in the krb5_principal structure which we just
+ * allocated.
+ */
+ q = krb5_princ_component(context, principal, 0)->data;
+ for (i=0,cp = name, first_at = 1; (c = *cp); cp++) {
+ if (c == QUOTECHAR) {
+ cp++;
+ switch (c = *cp) {
+ case 'n':
+ *q++ = '\n';
+ break;
+ case 't':
+ *q++ = '\t';
+ break;
+ case 'b':
+ *q++ = '\b';
+ break;
+ case '0':
+ *q++ = '\0';
+ break;
+ default:
+ *q++ = c;
+ break;
+ }
+ } else if (c == COMPONENT_SEP && !enterprise) {
+ i++;
+ *q++ = '\0';
+ q = krb5_princ_component(context, principal, i)->data;
+ } else if (c == REALM_SEP && (!enterprise || !first_at)) {
+ i++;
+ *q++ = '\0';
+ q = krb5_princ_realm(context, principal)->data;
+ } else {
+ if (c == REALM_SEP && enterprise && first_at)
+ first_at = 0;
- *q++ = c;
- }
- }
- *q++ = '\0';
- if (!parsed_realm) {
- if (flags & KRB5_PRINCIPAL_PARSE_NO_REALM)
- (krb5_princ_realm(context, principal)->data)[0] = '\0';
- else
- strlcpy(krb5_princ_realm(context, principal)->data, default_realm, realmsize+1);
- }
- /*
- * Alright, we're done. Now stuff a pointer to this monstrosity
- * into the return variable, and let's get out of here.
- */
- if (enterprise)
- krb5_princ_type(context, principal) = KRB5_NT_ENTERPRISE_PRINCIPAL;
- else
- krb5_princ_type(context, principal) = KRB5_NT_PRINCIPAL;
- principal->magic = KV5M_PRINCIPAL;
- principal->realm.magic = KV5M_DATA;
- *nprincipal = principal;
+ *q++ = c;
+ }
+ }
+ *q++ = '\0';
+ if (!parsed_realm) {
+ if (flags & KRB5_PRINCIPAL_PARSE_NO_REALM)
+ (krb5_princ_realm(context, principal)->data)[0] = '\0';
+ else
+ strlcpy(krb5_princ_realm(context, principal)->data, default_realm, realmsize+1);
+ }
+ /*
+ * Alright, we're done. Now stuff a pointer to this monstrosity
+ * into the return variable, and let's get out of here.
+ */
+ if (enterprise)
+ krb5_princ_type(context, principal) = KRB5_NT_ENTERPRISE_PRINCIPAL;
+ else
+ krb5_princ_type(context, principal) = KRB5_NT_PRINCIPAL;
+ principal->magic = KV5M_PRINCIPAL;
+ principal->realm.magic = KV5M_DATA;
+ *nprincipal = principal;
- if (default_realm != NULL)
- free(default_realm);
+ if (default_realm != NULL)
+ free(default_realm);
- return(0);
+ return(0);
}
krb5_error_code KRB5_CALLCONV
krb5_parse_name(krb5_context context, const char *name, krb5_principal *nprincipal)
{
- return k5_parse_name(context, name, 0, nprincipal);
+ return k5_parse_name(context, name, 0, nprincipal);
}
krb5_error_code KRB5_CALLCONV
krb5_parse_name_flags(krb5_context context, const char *name,
- int flags, krb5_principal *nprincipal)
+ int flags, krb5_principal *nprincipal)
{
- return k5_parse_name(context, name, flags, nprincipal);
+ return k5_parse_name(context, name, flags, nprincipal);
}
diff --git a/src/lib/krb5/krb/pkinit_apple_asn1.c b/src/lib/krb5/krb/pkinit_apple_asn1.c
index 9082a314b2..12b5215bea 100644
--- a/src/lib/krb5/krb/pkinit_apple_asn1.c
+++ b/src/lib/krb5/krb/pkinit_apple_asn1.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* Copyright (c) 2004-2008 Apple Inc. All Rights Reserved.
*
@@ -60,32 +61,32 @@ static void **pkiNssNullArray(
#pragma mark ----- pkAuthenticator -----
-/*
+/*
* There is a unique error code for "missing paChecksum", so we mark it here
- * as optional so the decoder can process a pkAuthenticator without the
+ * as optional so the decoder can process a pkAuthenticator without the
* checksum; caller must verify that paChecksum.Data != NULL.
*/
typedef struct {
- CSSM_DATA cusec; /* INTEGER, microseconds */
- CSSM_DATA kctime; /* UTC time (with trailing 'Z') */
- CSSM_DATA nonce; /* INTEGER */
- CSSM_DATA paChecksum; /* OCTET STRING */
+ CSSM_DATA cusec; /* INTEGER, microseconds */
+ CSSM_DATA kctime; /* UTC time (with trailing 'Z') */
+ CSSM_DATA nonce; /* INTEGER */
+ CSSM_DATA paChecksum; /* OCTET STRING */
} KRB5_PKAuthenticator;
static const SecAsn1Template KRB5_PKAuthenticatorTemplate[] = {
{ SEC_ASN1_SEQUENCE, 0, NULL, sizeof(KRB5_PKAuthenticator) },
{ SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | 0,
- offsetof(KRB5_PKAuthenticator,cusec),
+ offsetof(KRB5_PKAuthenticator,cusec),
kSecAsn1IntegerTemplate },
{ SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | 1,
- offsetof(KRB5_PKAuthenticator,kctime),
+ offsetof(KRB5_PKAuthenticator,kctime),
kSecAsn1GeneralizedTimeTemplate },
{ SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | 2,
- offsetof(KRB5_PKAuthenticator,nonce),
+ offsetof(KRB5_PKAuthenticator,nonce),
kSecAsn1IntegerTemplate },
- { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT |
- SEC_ASN1_OPTIONAL | 3,
- offsetof(KRB5_PKAuthenticator,paChecksum),
+ { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT |
+ SEC_ASN1_OPTIONAL | 3,
+ offsetof(KRB5_PKAuthenticator,paChecksum),
&kSecAsn1OctetStringTemplate },
{ 0 }
};
@@ -93,25 +94,25 @@ static const SecAsn1Template KRB5_PKAuthenticatorTemplate[] = {
#pragma mark ----- AuthPack -----
typedef struct {
- KRB5_PKAuthenticator pkAuth;
- CSSM_X509_SUBJECT_PUBLIC_KEY_INFO *pubKeyInfo; /* OPTIONAL */
- CSSM_X509_ALGORITHM_IDENTIFIER **supportedCMSTypes;/* OPTIONAL */
- CSSM_DATA *clientDHNonce; /* OPTIONAL */
+ KRB5_PKAuthenticator pkAuth;
+ CSSM_X509_SUBJECT_PUBLIC_KEY_INFO *pubKeyInfo; /* OPTIONAL */
+ CSSM_X509_ALGORITHM_IDENTIFIER **supportedCMSTypes;/* OPTIONAL */
+ CSSM_DATA *clientDHNonce; /* OPTIONAL */
} KRB5_AuthPack;
-/*
+/*
* These are copied from keyTemplates.c in the libsecurity_asn1 project;
* they aren't public API.
*/
-
+
/* AlgorithmIdentifier : CSSM_X509_ALGORITHM_IDENTIFIER */
static const SecAsn1Template AlgorithmIDTemplate[] = {
{ SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(CSSM_X509_ALGORITHM_IDENTIFIER) },
+ 0, NULL, sizeof(CSSM_X509_ALGORITHM_IDENTIFIER) },
{ SEC_ASN1_OBJECT_ID,
- offsetof(CSSM_X509_ALGORITHM_IDENTIFIER,algorithm), },
+ offsetof(CSSM_X509_ALGORITHM_IDENTIFIER,algorithm), },
{ SEC_ASN1_OPTIONAL | SEC_ASN1_ANY,
- offsetof(CSSM_X509_ALGORITHM_IDENTIFIER,parameters), },
+ offsetof(CSSM_X509_ALGORITHM_IDENTIFIER,parameters), },
{ 0, }
};
@@ -119,12 +120,12 @@ static const SecAsn1Template AlgorithmIDTemplate[] = {
/* SubjectPublicKeyInfo : CSSM_X509_SUBJECT_PUBLIC_KEY_INFO */
static const SecAsn1Template SubjectPublicKeyInfoTemplate[] = {
{ SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(CSSM_X509_SUBJECT_PUBLIC_KEY_INFO) },
+ 0, NULL, sizeof(CSSM_X509_SUBJECT_PUBLIC_KEY_INFO) },
{ SEC_ASN1_INLINE,
- offsetof(CSSM_X509_SUBJECT_PUBLIC_KEY_INFO,algorithm),
- AlgorithmIDTemplate },
+ offsetof(CSSM_X509_SUBJECT_PUBLIC_KEY_INFO,algorithm),
+ AlgorithmIDTemplate },
{ SEC_ASN1_BIT_STRING,
- offsetof(CSSM_X509_SUBJECT_PUBLIC_KEY_INFO,subjectPublicKey), },
+ offsetof(CSSM_X509_SUBJECT_PUBLIC_KEY_INFO,subjectPublicKey), },
{ 0, }
};
@@ -137,34 +138,34 @@ static const SecAsn1Template kSecAsn1SequenceOfAlgIdTemplate[] = {
static const SecAsn1Template KRB5_AuthPackTemplate[] = {
{ SEC_ASN1_SEQUENCE, 0, NULL, sizeof(KRB5_AuthPack) },
{ SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | 0,
- offsetof(KRB5_AuthPack,pkAuth),
+ offsetof(KRB5_AuthPack,pkAuth),
KRB5_PKAuthenticatorTemplate },
{ SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_OPTIONAL |
- SEC_ASN1_EXPLICIT | SEC_ASN1_POINTER | 1,
- offsetof(KRB5_AuthPack,pubKeyInfo),
+ SEC_ASN1_EXPLICIT | SEC_ASN1_POINTER | 1,
+ offsetof(KRB5_AuthPack,pubKeyInfo),
SubjectPublicKeyInfoTemplate },
{ SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_OPTIONAL |
- SEC_ASN1_EXPLICIT | SEC_ASN1_POINTER | 2,
- offsetof(KRB5_AuthPack,supportedCMSTypes),
+ SEC_ASN1_EXPLICIT | SEC_ASN1_POINTER | 2,
+ offsetof(KRB5_AuthPack,supportedCMSTypes),
kSecAsn1SequenceOfAlgIdTemplate },
{ SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_OPTIONAL |
- SEC_ASN1_EXPLICIT | SEC_ASN1_POINTER | 3,
- offsetof(KRB5_AuthPack,clientDHNonce),
+ SEC_ASN1_EXPLICIT | SEC_ASN1_POINTER | 3,
+ offsetof(KRB5_AuthPack,clientDHNonce),
kSecAsn1OctetStringTemplate },
{ 0 }
};
-/*
+/*
* Encode AuthPack, public key version (no Diffie-Hellman components).
*/
krb5_error_code krb5int_pkinit_auth_pack_encode(
- krb5_timestamp kctime,
- krb5_int32 cusec, /* microseconds */
- krb5_ui_4 nonce,
- const krb5_checksum *pa_checksum,
- const krb5int_algorithm_id *cms_types, /* optional */
- krb5_ui_4 num_cms_types,
- krb5_data *auth_pack) /* mallocd and RETURNED */
+ krb5_timestamp kctime,
+ krb5_int32 cusec, /* microseconds */
+ krb5_ui_4 nonce,
+ const krb5_checksum *pa_checksum,
+ const krb5int_algorithm_id *cms_types, /* optional */
+ krb5_ui_4 num_cms_types,
+ krb5_data *auth_pack) /* mallocd and RETURNED */
{
KRB5_AuthPack localAuthPack;
SecAsn1CoderRef coder;
@@ -173,65 +174,65 @@ krb5_error_code krb5int_pkinit_auth_pack_encode(
CSSM_DATA ber = {0, NULL};
OSStatus ortn;
char *timeStr = NULL;
-
+
if(SecAsn1CoderCreate(&coder)) {
- return ENOMEM;
+ return ENOMEM;
}
memset(&localAuthPack, 0, sizeof(localAuthPack));
if(pkiKrbTimestampToStr(kctime, &timeStr)) {
- ourRtn = -1;
- goto errOut;
+ ourRtn = -1;
+ goto errOut;
}
localAuthPack.pkAuth.kctime.Data = (uint8 *)timeStr;
localAuthPack.pkAuth.kctime.Length = strlen(timeStr);
if(pkiIntToData(cusec, &localAuthPack.pkAuth.cusec, coder)) {
- ourRtn = ENOMEM;
- goto errOut;
+ ourRtn = ENOMEM;
+ goto errOut;
}
if(pkiIntToData(nonce, &localAuthPack.pkAuth.nonce, coder)) {
- ourRtn = ENOMEM;
- goto errOut;
+ ourRtn = ENOMEM;
+ goto errOut;
}
cksum->Data = (uint8 *)pa_checksum->contents;
cksum->Length = pa_checksum->length;
-
+
if((cms_types != NULL) && (num_cms_types != 0)) {
- unsigned dex;
- CSSM_X509_ALGORITHM_IDENTIFIER **algIds;
-
- /* build a NULL_terminated array of CSSM_X509_ALGORITHM_IDENTIFIERs */
- localAuthPack.supportedCMSTypes = (CSSM_X509_ALGORITHM_IDENTIFIER **)
- SecAsn1Malloc(coder,
- (num_cms_types + 1) * sizeof(CSSM_X509_ALGORITHM_IDENTIFIER *));
- algIds = localAuthPack.supportedCMSTypes;
- for(dex=0; dex<num_cms_types; dex++) {
- algIds[dex] = (CSSM_X509_ALGORITHM_IDENTIFIER *)
- SecAsn1Malloc(coder, sizeof(CSSM_X509_ALGORITHM_IDENTIFIER));
- pkiKrb5DataToCssm(&cms_types[dex].algorithm,
- &algIds[dex]->algorithm, coder);
- if(cms_types[dex].parameters.data != NULL) {
- pkiKrb5DataToCssm(&cms_types[dex].parameters,
- &algIds[dex]->parameters, coder);
- }
- else {
- algIds[dex]->parameters.Data = NULL;
- algIds[dex]->parameters.Length = 0;
- }
- }
- algIds[num_cms_types] = NULL;
+ unsigned dex;
+ CSSM_X509_ALGORITHM_IDENTIFIER **algIds;
+
+ /* build a NULL_terminated array of CSSM_X509_ALGORITHM_IDENTIFIERs */
+ localAuthPack.supportedCMSTypes = (CSSM_X509_ALGORITHM_IDENTIFIER **)
+ SecAsn1Malloc(coder,
+ (num_cms_types + 1) * sizeof(CSSM_X509_ALGORITHM_IDENTIFIER *));
+ algIds = localAuthPack.supportedCMSTypes;
+ for(dex=0; dex<num_cms_types; dex++) {
+ algIds[dex] = (CSSM_X509_ALGORITHM_IDENTIFIER *)
+ SecAsn1Malloc(coder, sizeof(CSSM_X509_ALGORITHM_IDENTIFIER));
+ pkiKrb5DataToCssm(&cms_types[dex].algorithm,
+ &algIds[dex]->algorithm, coder);
+ if(cms_types[dex].parameters.data != NULL) {
+ pkiKrb5DataToCssm(&cms_types[dex].parameters,
+ &algIds[dex]->parameters, coder);
+ }
+ else {
+ algIds[dex]->parameters.Data = NULL;
+ algIds[dex]->parameters.Length = 0;
+ }
+ }
+ algIds[num_cms_types] = NULL;
}
ortn = SecAsn1EncodeItem(coder, &localAuthPack, KRB5_AuthPackTemplate, &ber);
if(ortn) {
- ourRtn = ENOMEM;
- goto errOut;
+ ourRtn = ENOMEM;
+ goto errOut;
}
-
+
if(pkiCssmDataToKrb5Data(&ber, auth_pack)) {
- ourRtn = ENOMEM;
+ ourRtn = ENOMEM;
}
else {
- auth_pack->magic = KV5M_AUTHENTICATOR;
- ourRtn = 0;
+ auth_pack->magic = KV5M_AUTHENTICATOR;
+ ourRtn = 0;
}
errOut:
SecAsn1CoderRelease(coder);
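Review bot: Neither `SecAsn1Malloc` result in the `cms_types` branch is checked before use: `algIds` is indexed and `algIds[dex]->algorithm` is written right after the allocations, so a failed allocation (assuming the coder's allocator can return NULL) becomes a NULL dereference. The array size `(num_cms_types + 1) * sizeof(CSSM_X509_ALGORITHM_IDENTIFIER *)` is also computed from a caller-supplied count with no overflow check. Each allocation should be followed by the pattern the function already uses, `if(algIds == NULL) { ourRtn = ENOMEM; goto errOut; }` and likewise for `algIds[dex]`. The same hunk sets `ourRtn = -1` when `pkiKrbTimestampToStr` fails, which is not a krb5 or errno code like the other failure paths. The function's opening declarations and the cleanup after `errOut:` lie outside the hunk.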
@@ -242,102 +243,102 @@ errOut:
* Decode AuthPack, public key version (no Diffie-Hellman components).
*/
krb5_error_code krb5int_pkinit_auth_pack_decode(
- const krb5_data *auth_pack, /* DER encoded */
- krb5_timestamp *kctime, /* RETURNED */
- krb5_ui_4 *cusec, /* microseconds, RETURNED */
- krb5_ui_4 *nonce, /* RETURNED */
- krb5_checksum *pa_checksum, /* contents mallocd and RETURNED */
- krb5int_algorithm_id **cms_types, /* optionally mallocd and RETURNED */
- krb5_ui_4 *num_cms_types) /* optionally RETURNED */
+ const krb5_data *auth_pack, /* DER encoded */
+ krb5_timestamp *kctime, /* RETURNED */
+ krb5_ui_4 *cusec, /* microseconds, RETURNED */
+ krb5_ui_4 *nonce, /* RETURNED */
+ krb5_checksum *pa_checksum, /* contents mallocd and RETURNED */
+ krb5int_algorithm_id **cms_types, /* optionally mallocd and RETURNED */
+ krb5_ui_4 *num_cms_types) /* optionally RETURNED */
{
KRB5_AuthPack localAuthPack;
SecAsn1CoderRef coder;
CSSM_DATA der = {0, NULL};
krb5_error_code ourRtn = 0;
CSSM_DATA *cksum = &localAuthPack.pkAuth.paChecksum;
-
+
/* Decode --> localAuthPack */
if(SecAsn1CoderCreate(&coder)) {
- return ENOMEM;
+ return ENOMEM;
}
PKI_KRB_TO_CSSM_DATA(auth_pack, &der);
memset(&localAuthPack, 0, sizeof(localAuthPack));
if(SecAsn1DecodeData(coder, &der, KRB5_AuthPackTemplate, &localAuthPack)) {
- ourRtn = ASN1_BAD_FORMAT;
- goto errOut;
+ ourRtn = ASN1_BAD_FORMAT;
+ goto errOut;
}
-
+
/* optionally Convert KRB5_AuthPack to caller's params */
if(kctime) {
- if((ourRtn = pkiTimeStrToKrbTimestamp((char *)localAuthPack.pkAuth.kctime.Data,
- localAuthPack.pkAuth.kctime.Length, kctime))) {
- goto errOut;
- }
+ if((ourRtn = pkiTimeStrToKrbTimestamp((char *)localAuthPack.pkAuth.kctime.Data,
+ localAuthPack.pkAuth.kctime.Length, kctime))) {
+ goto errOut;
+ }
}
if(cusec) {
- if((ourRtn = pkiDataToInt(&localAuthPack.pkAuth.cusec, (krb5_int32 *)cusec))) {
- goto errOut;
- }
+ if((ourRtn = pkiDataToInt(&localAuthPack.pkAuth.cusec, (krb5_int32 *)cusec))) {
+ goto errOut;
+ }
}
if(nonce) {
- if((ourRtn = pkiDataToInt(&localAuthPack.pkAuth.nonce, (krb5_int32 *)nonce))) {
- goto errOut;
- }
+ if((ourRtn = pkiDataToInt(&localAuthPack.pkAuth.nonce, (krb5_int32 *)nonce))) {
+ goto errOut;
+ }
}
if(pa_checksum) {
- if(cksum->Length == 0) {
- /* This is the unique error for "no paChecksum" */
- ourRtn = KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED;
- goto errOut;
- }
- else {
- pa_checksum->contents = (krb5_octet *)malloc(cksum->Length);
- if(pa_checksum->contents == NULL) {
- ourRtn = ENOMEM;
- goto errOut;
- }
- pa_checksum->length = cksum->Length;
- memmove(pa_checksum->contents, cksum->Data, pa_checksum->length);
- pa_checksum->magic = KV5M_CHECKSUM;
- /* This used to be encoded with the checksum but no more... */
- pa_checksum->checksum_type = CKSUMTYPE_NIST_SHA;
- }
+ if(cksum->Length == 0) {
+ /* This is the unique error for "no paChecksum" */
+ ourRtn = KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED;
+ goto errOut;
+ }
+ else {
+ pa_checksum->contents = (krb5_octet *)malloc(cksum->Length);
+ if(pa_checksum->contents == NULL) {
+ ourRtn = ENOMEM;
+ goto errOut;
+ }
+ pa_checksum->length = cksum->Length;
+ memmove(pa_checksum->contents, cksum->Data, pa_checksum->length);
+ pa_checksum->magic = KV5M_CHECKSUM;
+ /* This used to be encoded with the checksum but no more... */
+ pa_checksum->checksum_type = CKSUMTYPE_NIST_SHA;
+ }
}
if(cms_types) {
- if(localAuthPack.supportedCMSTypes == NULL) {
- *cms_types = NULL;
- *num_cms_types = 0;
- }
- else {
- /*
- * Convert NULL-terminated array of CSSM-style algIds to
- * krb5int_algorithm_ids.
- */
- unsigned dex;
- unsigned num_types = 0;
- CSSM_X509_ALGORITHM_IDENTIFIER **alg_ids;
- krb5int_algorithm_id *kalg_ids;
-
- for(alg_ids=localAuthPack.supportedCMSTypes;
- *alg_ids;
- alg_ids++) {
- num_types++;
- }
- *cms_types = kalg_ids = (krb5int_algorithm_id *)calloc(num_types,
- sizeof(krb5int_algorithm_id));
- *num_cms_types = num_types;
- alg_ids = localAuthPack.supportedCMSTypes;
- for(dex=0; dex<num_types; dex++) {
- if(alg_ids[dex]->algorithm.Data) {
- pkiCssmDataToKrb5Data(&alg_ids[dex]->algorithm,
- &kalg_ids[dex].algorithm);
- }
- if(alg_ids[dex]->parameters.Data) {
- pkiCssmDataToKrb5Data(&alg_ids[dex]->parameters,
- &kalg_ids[dex].parameters);
- }
- }
- }
+ if(localAuthPack.supportedCMSTypes == NULL) {
+ *cms_types = NULL;
+ *num_cms_types = 0;
+ }
+ else {
+ /*
+ * Convert NULL-terminated array of CSSM-style algIds to
+ * krb5int_algorithm_ids.
+ */
+ unsigned dex;
+ unsigned num_types = 0;
+ CSSM_X509_ALGORITHM_IDENTIFIER **alg_ids;
+ krb5int_algorithm_id *kalg_ids;
+
+ for(alg_ids=localAuthPack.supportedCMSTypes;
+ *alg_ids;
+ alg_ids++) {
+ num_types++;
+ }
+ *cms_types = kalg_ids = (krb5int_algorithm_id *)calloc(num_types,
+ sizeof(krb5int_algorithm_id));
+ *num_cms_types = num_types;
+ alg_ids = localAuthPack.supportedCMSTypes;
+ for(dex=0; dex<num_types; dex++) {
+ if(alg_ids[dex]->algorithm.Data) {
+ pkiCssmDataToKrb5Data(&alg_ids[dex]->algorithm,
+ &kalg_ids[dex].algorithm);
+ }
+ if(alg_ids[dex]->parameters.Data) {
+ pkiCssmDataToKrb5Data(&alg_ids[dex]->parameters,
+ &kalg_ids[dex].parameters);
+ }
+ }
+ }
}
ourRtn = 0;
errOut:
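Review bot: In the `cms_types` branch the result of `calloc(num_types, sizeof(krb5int_algorithm_id))` is assigned to `kalg_ids` and indexed in the following loop without a NULL check, so an allocation failure while decoding a peer-supplied AuthPack becomes a NULL dereference. Add `if(num_types && kalg_ids == NULL) { ourRtn = ENOMEM; goto errOut; }` before the loop. The same branch writes `*num_cms_types` although that parameter is documented as optional, and it ignores the return value of both `pkiCssmDataToKrb5Data` calls, so a partly filled array can be returned with status 0. The hunk at -499 (krb5int_pkinit_pa_pk_as_req_encode) uses the results of `SecAsn1Malloc` and `pkiNssNullArray` without a check in the same way. The cleanup after `errOut:` lies outside this hunk.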
@@ -352,8 +353,8 @@ errOut:
* CL in DER-encoded state.
*/
typedef struct {
- CSSM_DATA derIssuer;
- CSSM_DATA serialNumber;
+ CSSM_DATA derIssuer;
+ CSSM_DATA serialNumber;
} KRB5_IssuerAndSerial;
static const SecAsn1Template KRB5_IssuerAndSerialTemplate[] = {
@@ -364,11 +365,11 @@ static const SecAsn1Template KRB5_IssuerAndSerialTemplate[] = {
};
/*
- * Given DER-encoded issuer and serial number, create an encoded
+ * Given DER-encoded issuer and serial number, create an encoded
* IssuerAndSerialNumber.
*/
krb5_error_code krb5int_pkinit_issuer_serial_encode(
- const krb5_data *issuer, /* DER encoded */
+ const krb5_data *issuer, /* DER encoded */
const krb5_data *serial_num,
krb5_data *issuer_and_serial) /* content mallocd and RETURNED */
{
@@ -378,14 +379,14 @@ krb5_error_code krb5int_pkinit_issuer_serial_encode(
OSStatus ortn;
if(SecAsn1CoderCreate(&coder)) {
- return ENOMEM;
+ return ENOMEM;
}
PKI_KRB_TO_CSSM_DATA(issuer, &issuerSerial.derIssuer);
PKI_KRB_TO_CSSM_DATA(serial_num, &issuerSerial.serialNumber);
ortn = SecAsn1EncodeItem(coder, &issuerSerial, KRB5_IssuerAndSerialTemplate, &ber);
if(ortn) {
- ortn = ENOMEM;
- goto errOut;
+ ortn = ENOMEM;
+ goto errOut;
}
ortn = pkiCssmDataToKrb5Data(&ber, issuer_and_serial);
errOut:
@@ -398,31 +399,31 @@ errOut:
*/
krb5_error_code krb5int_pkinit_issuer_serial_decode(
const krb5_data *issuer_and_serial, /* DER encoded */
- krb5_data *issuer, /* DER encoded, RETURNED */
- krb5_data *serial_num) /* RETURNED */
+ krb5_data *issuer, /* DER encoded, RETURNED */
+ krb5_data *serial_num) /* RETURNED */
{
KRB5_IssuerAndSerial issuerSerial;
SecAsn1CoderRef coder;
CSSM_DATA der = {issuer_and_serial->length, (uint8 *)issuer_and_serial->data};
krb5_error_code ourRtn = 0;
-
+
/* Decode --> issuerSerial */
if(SecAsn1CoderCreate(&coder)) {
- return ENOMEM;
+ return ENOMEM;
}
memset(&issuerSerial, 0, sizeof(issuerSerial));
if(SecAsn1DecodeData(coder, &der, KRB5_IssuerAndSerialTemplate, &issuerSerial)) {
- ourRtn = ASN1_BAD_FORMAT;
- goto errOut;
+ ourRtn = ASN1_BAD_FORMAT;
+ goto errOut;
}
-
+
/* Convert KRB5_IssuerAndSerial to caller's params */
if((ourRtn = pkiCssmDataToKrb5Data(&issuerSerial.derIssuer, issuer))) {
- goto errOut;
+ goto errOut;
}
if((ourRtn = pkiCssmDataToKrb5Data(&issuerSerial.serialNumber, serial_num))) {
- ourRtn = ENOMEM;
- goto errOut;
+ ourRtn = ENOMEM;
+ goto errOut;
}
errOut:
@@ -432,29 +433,29 @@ errOut:
#pragma mark ----- ExternalPrincipalIdentifier -----
-/*
- * Shown here for completeness; this module only implements the
- * issuerAndSerialNumber option.
+/*
+ * Shown here for completeness; this module only implements the
+ * issuerAndSerialNumber option.
*/
typedef struct {
- CSSM_DATA subjectName; /* [0] IMPLICIT OCTET STRING OPTIONAL */
- /* contents = encoded Name */
- CSSM_DATA issuerAndSerialNumber; /* [1] IMPLICIT OCTET STRING OPTIONAL */
- /* contents = encoded Issuer&Serial */
- CSSM_DATA subjectKeyIdentifier; /* [2] IMPLICIT OCTET STRING OPTIONAL */
- /* contents = encoded subjectKeyIdentifier extension */
+ CSSM_DATA subjectName; /* [0] IMPLICIT OCTET STRING OPTIONAL */
+ /* contents = encoded Name */
+ CSSM_DATA issuerAndSerialNumber; /* [1] IMPLICIT OCTET STRING OPTIONAL */
+ /* contents = encoded Issuer&Serial */
+ CSSM_DATA subjectKeyIdentifier; /* [2] IMPLICIT OCTET STRING OPTIONAL */
+ /* contents = encoded subjectKeyIdentifier extension */
} KRB5_ExternalPrincipalIdentifier;
static const SecAsn1Template KRB5_ExternalPrincipalIdentifierTemplate[] = {
{ SEC_ASN1_SEQUENCE, 0, NULL, sizeof(KRB5_ExternalPrincipalIdentifier) },
{ SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_OPTIONAL | 0,
- offsetof(KRB5_ExternalPrincipalIdentifier, subjectName),
+ offsetof(KRB5_ExternalPrincipalIdentifier, subjectName),
kSecAsn1OctetStringTemplate },
{ SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_OPTIONAL | 1,
- offsetof(KRB5_ExternalPrincipalIdentifier, issuerAndSerialNumber),
+ offsetof(KRB5_ExternalPrincipalIdentifier, issuerAndSerialNumber),
kSecAsn1OctetStringTemplate },
{ SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_OPTIONAL | 2,
- offsetof(KRB5_ExternalPrincipalIdentifier, subjectKeyIdentifier),
+ offsetof(KRB5_ExternalPrincipalIdentifier, subjectKeyIdentifier),
kSecAsn1OctetStringTemplate },
{ 0 }
};
@@ -466,30 +467,30 @@ static const SecAsn1Template KRB5_SequenceOfExternalPrincipalIdentifierTemplate[
#pragma mark ----- PA-PK-AS-REQ -----
/*
- * Top-level PA-PK-AS-REQ. All fields except for trusted_CAs are pre-encoded
- * before we encode this and are still DER-encoded after we decode.
+ * Top-level PA-PK-AS-REQ. All fields except for trusted_CAs are pre-encoded
+ * before we encode this and are still DER-encoded after we decode.
* The signedAuthPack and kdcPkId fields are wrapped in OCTET STRINGs
- * during encode; we strip off the OCTET STRING wrappers during decode.
+ * during encode; we strip off the OCTET STRING wrappers during decode.
*/
typedef struct {
- CSSM_DATA signedAuthPack; /* ContentInfo, SignedData */
- /* Content is KRB5_AuthPack */
+ CSSM_DATA signedAuthPack; /* ContentInfo, SignedData */
+ /* Content is KRB5_AuthPack */
KRB5_ExternalPrincipalIdentifier
- **trusted_CAs; /* optional */
- CSSM_DATA kdcPkId; /* optional */
+ **trusted_CAs; /* optional */
+ CSSM_DATA kdcPkId; /* optional */
} KRB5_PA_PK_AS_REQ;
static const SecAsn1Template KRB5_PA_PK_AS_REQTemplate[] = {
{ SEC_ASN1_SEQUENCE, 0, NULL, sizeof(KRB5_PA_PK_AS_REQ) },
{ SEC_ASN1_CONTEXT_SPECIFIC | 0,
- offsetof(KRB5_PA_PK_AS_REQ, signedAuthPack),
+ offsetof(KRB5_PA_PK_AS_REQ, signedAuthPack),
kSecAsn1OctetStringTemplate },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
+ { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
SEC_ASN1_EXPLICIT | 1,
- offsetof(KRB5_PA_PK_AS_REQ, trusted_CAs),
+ offsetof(KRB5_PA_PK_AS_REQ, trusted_CAs),
KRB5_SequenceOfExternalPrincipalIdentifierTemplate },
{ SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 2,
- offsetof(KRB5_PA_PK_AS_REQ, kdcPkId),
+ offsetof(KRB5_PA_PK_AS_REQ, kdcPkId),
kSecAsn1AnyTemplate },
{ 0 }
};
@@ -499,58 +500,58 @@ static const SecAsn1Template KRB5_PA_PK_AS_REQTemplate[] = {
*/
krb5_error_code krb5int_pkinit_pa_pk_as_req_encode(
const krb5_data *signed_auth_pack, /* DER encoded ContentInfo */
- const krb5_data *trusted_CAs, /* optional: trustedCertifiers. Contents are
- * DER-encoded issuer/serialNumbers. */
- krb5_ui_4 num_trusted_CAs,
- const krb5_data *kdc_cert, /* optional kdcPkId, DER encoded issuer/serial */
- krb5_data *pa_pk_as_req) /* mallocd and RETURNED */
+ const krb5_data *trusted_CAs, /* optional: trustedCertifiers. Contents are
+ * DER-encoded issuer/serialNumbers. */
+ krb5_ui_4 num_trusted_CAs,
+ const krb5_data *kdc_cert, /* optional kdcPkId, DER encoded issuer/serial */
+ krb5_data *pa_pk_as_req) /* mallocd and RETURNED */
{
KRB5_PA_PK_AS_REQ req;
SecAsn1CoderRef coder;
CSSM_DATA ber = {0, NULL};
OSStatus ortn;
unsigned dex;
-
+
assert(signed_auth_pack != NULL);
assert(pa_pk_as_req != NULL);
if(SecAsn1CoderCreate(&coder)) {
- return ENOMEM;
+ return ENOMEM;
}
-
+
/* krb5_data ==> CSSM format */
-
+
memset(&req, 0, sizeof(req));
PKI_KRB_TO_CSSM_DATA(signed_auth_pack, &req.signedAuthPack);
if(num_trusted_CAs) {
- /*
- * Set up a NULL-terminated array of KRB5_ExternalPrincipalIdentifier
- * pointers. We malloc the actual KRB5_ExternalPrincipalIdentifiers as
- * a contiguous array; it's in temp SecAsn1CoderRef memory. The referents
- * are just dropped in from the caller's krb5_datas.
- */
- KRB5_ExternalPrincipalIdentifier *cas =
- (KRB5_ExternalPrincipalIdentifier *)SecAsn1Malloc(coder,
- num_trusted_CAs * sizeof(KRB5_ExternalPrincipalIdentifier));
- req.trusted_CAs =
- (KRB5_ExternalPrincipalIdentifier **)
- pkiNssNullArray(num_trusted_CAs, coder);
- for(dex=0; dex<num_trusted_CAs; dex++) {
- req.trusted_CAs[dex] = &cas[dex];
- memset(&cas[dex], 0, sizeof(KRB5_ExternalPrincipalIdentifier));
- PKI_KRB_TO_CSSM_DATA(&trusted_CAs[dex],
- &cas[dex].issuerAndSerialNumber);
- }
+ /*
+ * Set up a NULL-terminated array of KRB5_ExternalPrincipalIdentifier
+ * pointers. We malloc the actual KRB5_ExternalPrincipalIdentifiers as
+ * a contiguous array; it's in temp SecAsn1CoderRef memory. The referents
+ * are just dropped in from the caller's krb5_datas.
+ */
+ KRB5_ExternalPrincipalIdentifier *cas =
+ (KRB5_ExternalPrincipalIdentifier *)SecAsn1Malloc(coder,
+ num_trusted_CAs * sizeof(KRB5_ExternalPrincipalIdentifier));
+ req.trusted_CAs =
+ (KRB5_ExternalPrincipalIdentifier **)
+ pkiNssNullArray(num_trusted_CAs, coder);
+ for(dex=0; dex<num_trusted_CAs; dex++) {
+ req.trusted_CAs[dex] = &cas[dex];
+ memset(&cas[dex], 0, sizeof(KRB5_ExternalPrincipalIdentifier));
+ PKI_KRB_TO_CSSM_DATA(&trusted_CAs[dex],
+ &cas[dex].issuerAndSerialNumber);
+ }
}
if(kdc_cert) {
- PKI_KRB_TO_CSSM_DATA(kdc_cert, &req.kdcPkId);
+ PKI_KRB_TO_CSSM_DATA(kdc_cert, &req.kdcPkId);
}
-
+
/* encode */
ortn = SecAsn1EncodeItem(coder, &req, KRB5_PA_PK_AS_REQTemplate, &ber);
if(ortn) {
- ortn = ENOMEM;
- goto errOut;
+ ortn = ENOMEM;
+ goto errOut;
}
ortn = pkiCssmDataToKrb5Data(&ber, pa_pk_as_req);
@@ -558,102 +559,102 @@ errOut:
SecAsn1CoderRelease(coder);
return ortn;
}
-
+
/*
* Top-level decode for PA-PK-AS-REQ.
*/
krb5_error_code krb5int_pkinit_pa_pk_as_req_decode(
const krb5_data *pa_pk_as_req,
- krb5_data *signed_auth_pack, /* DER encoded ContentInfo, RETURNED */
- /*
- * Remainder are optionally RETURNED (specify NULL for pointers to
+ krb5_data *signed_auth_pack, /* DER encoded ContentInfo, RETURNED */
+ /*
+ * Remainder are optionally RETURNED (specify NULL for pointers to
* items you're not interested in).
*/
krb5_ui_4 *num_trusted_CAs, /* sizeof trusted_CAs */
- krb5_data **trusted_CAs, /* mallocd array of DER-encoded TrustedCAs issuer/serial */
- krb5_data *kdc_cert) /* DER encoded issuer/serial */
+ krb5_data **trusted_CAs, /* mallocd array of DER-encoded TrustedCAs issuer/serial */
+ krb5_data *kdc_cert) /* DER encoded issuer/serial */
{
KRB5_PA_PK_AS_REQ asReq;
SecAsn1CoderRef coder;
CSSM_DATA der;
krb5_error_code ourRtn = 0;
-
+
assert(pa_pk_as_req != NULL);
-
+
/* Decode --> KRB5_PA_PK_AS_REQ */
if(SecAsn1CoderCreate(&coder)) {
- return ENOMEM;
+ return ENOMEM;
}
PKI_KRB_TO_CSSM_DATA(pa_pk_as_req, &der);
memset(&asReq, 0, sizeof(asReq));
if(SecAsn1DecodeData(coder, &der, KRB5_PA_PK_AS_REQTemplate, &asReq)) {
- ourRtn = ASN1_BAD_FORMAT;
- goto errOut;
+ ourRtn = ASN1_BAD_FORMAT;
+ goto errOut;
}
/* Convert decoded results to caller's args; each is optional */
if(signed_auth_pack != NULL) {
- if((ourRtn = pkiCssmDataToKrb5Data(&asReq.signedAuthPack, signed_auth_pack))) {
- goto errOut;
- }
+ if((ourRtn = pkiCssmDataToKrb5Data(&asReq.signedAuthPack, signed_auth_pack))) {
+ goto errOut;
+ }
}
if(asReq.trusted_CAs && (trusted_CAs != NULL)) {
- /* NULL-terminated array of CSSM_DATA ptrs */
- unsigned numCas = pkiNssArraySize((const void **)asReq.trusted_CAs);
- unsigned dex;
- krb5_data *kdcCas;
-
- kdcCas = (krb5_data *)malloc(sizeof(krb5_data) * numCas);
- if(kdcCas == NULL) {
- ourRtn = ENOMEM;
- goto errOut;
- }
- for(dex=0; dex<numCas; dex++) {
- KRB5_ExternalPrincipalIdentifier *epi = asReq.trusted_CAs[dex];
- if(epi->issuerAndSerialNumber.Data) {
- /* the only variant we support */
- pkiCssmDataToKrb5Data(&epi->issuerAndSerialNumber, &kdcCas[dex]);
- }
- }
- *trusted_CAs = kdcCas;
- *num_trusted_CAs = numCas;
+ /* NULL-terminated array of CSSM_DATA ptrs */
+ unsigned numCas = pkiNssArraySize((const void **)asReq.trusted_CAs);
+ unsigned dex;
+ krb5_data *kdcCas;
+
+ kdcCas = (krb5_data *)malloc(sizeof(krb5_data) * numCas);
+ if(kdcCas == NULL) {
+ ourRtn = ENOMEM;
+ goto errOut;
+ }
+ for(dex=0; dex<numCas; dex++) {
+ KRB5_ExternalPrincipalIdentifier *epi = asReq.trusted_CAs[dex];
+ if(epi->issuerAndSerialNumber.Data) {
+ /* the only variant we support */
+ pkiCssmDataToKrb5Data(&epi->issuerAndSerialNumber, &kdcCas[dex]);
+ }
+ }
+ *trusted_CAs = kdcCas;
+ *num_trusted_CAs = numCas;
}
if(asReq.kdcPkId.Data && kdc_cert) {
- if((ourRtn = pkiCssmDataToKrb5Data(&asReq.kdcPkId, kdc_cert))) {
- goto errOut;
- }
+ if((ourRtn = pkiCssmDataToKrb5Data(&asReq.kdcPkId, kdc_cert))) {
+ goto errOut;
+ }
}
errOut:
SecAsn1CoderRelease(coder);
- return ourRtn;
+ return ourRtn;
}
#pragma mark ====== begin PA-PK-AS-REP components ======
typedef struct {
CSSM_DATA subjectPublicKey; /* BIT STRING */
- CSSM_DATA nonce; /* from KRB5_PKAuthenticator.nonce */
- CSSM_DATA *expiration; /* optional UTC time */
+ CSSM_DATA nonce; /* from KRB5_PKAuthenticator.nonce */
+ CSSM_DATA *expiration; /* optional UTC time */
} KRB5_KDC_DHKeyInfo;
typedef struct {
- CSSM_DATA keyType;
- CSSM_DATA keyValue;
+ CSSM_DATA keyType;
+ CSSM_DATA keyValue;
} KRB5_EncryptionKey;
static const SecAsn1Template KRB5_EncryptionKeyTemplate[] = {
{ SEC_ASN1_SEQUENCE, 0, NULL, sizeof(KRB5_EncryptionKey) },
{ SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | 0,
- offsetof(KRB5_EncryptionKey, keyType),
+ offsetof(KRB5_EncryptionKey, keyType),
kSecAsn1IntegerTemplate },
{ SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | 1,
- offsetof(KRB5_EncryptionKey, keyValue),
+ offsetof(KRB5_EncryptionKey, keyValue),
kSecAsn1OctetStringTemplate },
{ 0 }
};
#pragma mark ----- Checksum -----
-
+
typedef struct {
CSSM_DATA checksumType;
CSSM_DATA checksum;
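Review bot: In krb5int_pkinit_pa_pk_as_req_decode, `kdcCas` comes from `malloc(sizeof(krb5_data) * numCas)` and an entry is filled only when `epi->issuerAndSerialNumber.Data` is set. Any ExternalPrincipalIdentifier in the decoded request that uses the subjectName or subjectKeyIdentifier form therefore leaves an uninitialized `krb5_data` in the array handed back through `*trusted_CAs`. A caller that reads or frees those entries acts on indeterminate pointers, and the array contents are driven by the peer's request. Allocating with `kdcCas = (krb5_data *)calloc(numCas, sizeof(krb5_data));` zero-fills the skipped entries and leaves the size multiplication to calloc. The return value of `pkiCssmDataToKrb5Data` inside the loop is also ignored, and `*num_trusted_CAs` is written after only `trusted_CAs` was compared with NULL.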
@@ -662,37 +663,37 @@ typedef struct {
static const SecAsn1Template KRB5_ChecksumTemplate[] = {
{ SEC_ASN1_SEQUENCE, 0, NULL, sizeof(KRB5_Checksum) },
{ SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | 0,
- offsetof(KRB5_Checksum,checksumType),
+ offsetof(KRB5_Checksum,checksumType),
kSecAsn1IntegerTemplate },
{ SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | 1,
- offsetof(KRB5_Checksum,checksum),
+ offsetof(KRB5_Checksum,checksum),
kSecAsn1OctetStringTemplate },
{ 0 }
};
typedef struct {
KRB5_EncryptionKey encryptionKey;
- KRB5_Checksum asChecksum;
+ KRB5_Checksum asChecksum;
} KRB5_ReplyKeyPack;
static const SecAsn1Template KRB5_ReplyKeyPackTemplate[] = {
{ SEC_ASN1_SEQUENCE, 0, NULL, sizeof(KRB5_ReplyKeyPack) },
{ SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | 0,
- offsetof(KRB5_ReplyKeyPack, encryptionKey),
+ offsetof(KRB5_ReplyKeyPack, encryptionKey),
KRB5_EncryptionKeyTemplate },
{ SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | 1,
- offsetof(KRB5_ReplyKeyPack,asChecksum),
+ offsetof(KRB5_ReplyKeyPack,asChecksum),
KRB5_ChecksumTemplate },
{ 0 }
};
-/*
+/*
* Encode a ReplyKeyPack. The result is used as the Content of a SignedData.
*/
krb5_error_code krb5int_pkinit_reply_key_pack_encode(
const krb5_keyblock *key_block,
const krb5_checksum *checksum,
- krb5_data *reply_key_pack) /* mallocd and RETURNED */
+ krb5_data *reply_key_pack) /* mallocd and RETURNED */
{
KRB5_ReplyKeyPack repKeyPack;
SecAsn1CoderRef coder;
@@ -701,28 +702,28 @@ krb5_error_code krb5int_pkinit_reply_key_pack_encode(
OSStatus ortn;
KRB5_EncryptionKey *encryptKey = &repKeyPack.encryptionKey;
KRB5_Checksum *cksum = &repKeyPack.asChecksum;
-
+
if(SecAsn1CoderCreate(&coder)) {
- return ENOMEM;
+ return ENOMEM;
}
memset(&repKeyPack, 0, sizeof(repKeyPack));
-
+
if((ourRtn = pkiIntToData(key_block->enctype, &encryptKey->keyType, coder))) {
- goto errOut;
+ goto errOut;
}
encryptKey->keyValue.Length = key_block->length,
- encryptKey->keyValue.Data = (uint8 *)key_block->contents;
-
+ encryptKey->keyValue.Data = (uint8 *)key_block->contents;
+
if((ourRtn = pkiIntToData(checksum->checksum_type, &cksum->checksumType, coder))) {
- goto errOut;
+ goto errOut;
}
cksum->checksum.Data = (uint8 *)checksum->contents;
cksum->checksum.Length = checksum->length;
ortn = SecAsn1EncodeItem(coder, &repKeyPack, KRB5_ReplyKeyPackTemplate, &der);
if(ortn) {
- ourRtn = ENOMEM;
- goto errOut;
+ ourRtn = ENOMEM;
+ goto errOut;
}
ourRtn = pkiCssmDataToKrb5Data(&der, reply_key_pack);
errOut:
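Review bot: The assignment `encryptKey->keyValue.Length = key_block->length,` ends in a comma, so it and the following `keyValue.Data` assignment form a single comma expression. It behaves as intended but reads as a typo; terminate it with a semicolon: `encryptKey->keyValue.Length = key_block->length;`. The function starts and ends outside this hunk.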
@@ -730,13 +731,13 @@ errOut:
return ourRtn;
}
-/*
+/*
* Decode a ReplyKeyPack.
*/
krb5_error_code krb5int_pkinit_reply_key_pack_decode(
- const krb5_data *reply_key_pack,
+ const krb5_data *reply_key_pack,
krb5_keyblock *key_block, /* RETURNED */
- krb5_checksum *checksum) /* contents mallocd and RETURNED */
+ krb5_checksum *checksum) /* contents mallocd and RETURNED */
{
KRB5_ReplyKeyPack repKeyPack;
SecAsn1CoderRef coder;
@@ -745,33 +746,33 @@ krb5_error_code krb5int_pkinit_reply_key_pack_decode(
CSSM_DATA der = {reply_key_pack->length, (uint8 *)reply_key_pack->data};
krb5_data tmpData;
KRB5_Checksum *cksum = &repKeyPack.asChecksum;
-
+
/* Decode --> KRB5_ReplyKeyPack */
if(SecAsn1CoderCreate(&coder)) {
- return ENOMEM;
+ return ENOMEM;
}
memset(&repKeyPack, 0, sizeof(repKeyPack));
if(SecAsn1DecodeData(coder, &der, KRB5_ReplyKeyPackTemplate, &repKeyPack)) {
- ourRtn = ASN1_BAD_FORMAT;
- goto errOut;
+ ourRtn = ASN1_BAD_FORMAT;
+ goto errOut;
}
-
+
if((ourRtn = pkiDataToInt(&encryptKey->keyType, (krb5_int32 *)&key_block->enctype))) {
- goto errOut;
+ goto errOut;
}
if((ourRtn = pkiCssmDataToKrb5Data(&encryptKey->keyValue, &tmpData))) {
- goto errOut;
+ goto errOut;
}
key_block->contents = (krb5_octet *)tmpData.data;
key_block->length = tmpData.length;
-
+
if((ourRtn = pkiDataToInt(&cksum->checksumType, &checksum->checksum_type))) {
- goto errOut;
+ goto errOut;
}
checksum->contents = (krb5_octet *)malloc(cksum->checksum.Length);
if(checksum->contents == NULL) {
- ourRtn = ENOMEM;
- goto errOut;
+ ourRtn = ENOMEM;
+ goto errOut;
}
checksum->length = cksum->checksum.Length;
memmove(checksum->contents, cksum->checksum.Data, checksum->length);
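Review bot: Once `key_block->contents` has been pointed at the decoded reply key, the later failure paths (`pkiDataToInt` on the checksum type, the `malloc` for `checksum->contents`) jump to `errOut` with the key bytes still attached to the caller's key_block. The `errOut` block is outside this hunk, so this matters only if it does not already clean up. If it does not, the buffer should be wiped with a call the compiler cannot elide and then released before the error is returned: `free(key_block->contents); key_block->contents = NULL; key_block->length = 0;`. Separately, `malloc(cksum->checksum.Length)` takes a decoder-supplied length that may be 0, and a NULL return in that case would be reported as ENOMEM.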
@@ -788,58 +789,58 @@ errOut:
* Top-level PA-PK-AS-REP. Exactly one of the optional fields must be present.
*/
typedef struct {
- CSSM_DATA *dhSignedData; /* ContentInfo, SignedData */
- /* Content is KRB5_KDC_DHKeyInfo */
- CSSM_DATA *encKeyPack; /* ContentInfo, SignedData */
- /* Content is ReplyKeyPack */
+ CSSM_DATA *dhSignedData; /* ContentInfo, SignedData */
+ /* Content is KRB5_KDC_DHKeyInfo */
+ CSSM_DATA *encKeyPack; /* ContentInfo, SignedData */
+ /* Content is ReplyKeyPack */
} KRB5_PA_PK_AS_REP;
-
+
static const SecAsn1Template KRB5_PA_PK_AS_REPTemplate[] = {
{ SEC_ASN1_SEQUENCE, 0, NULL, sizeof(KRB5_PA_PK_AS_REP) },
{ SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_OPTIONAL |
SEC_ASN1_EXPLICIT | 0,
- offsetof(KRB5_PA_PK_AS_REP, dhSignedData),
+ offsetof(KRB5_PA_PK_AS_REP, dhSignedData),
kSecAsn1PointerToAnyTemplate },
{ SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_OPTIONAL |
SEC_ASN1_EXPLICIT | 1,
- offsetof(KRB5_PA_PK_AS_REP, encKeyPack),
+ offsetof(KRB5_PA_PK_AS_REP, encKeyPack),
kSecAsn1PointerToAnyTemplate },
{ 0 }
};
-/*
+/*
* Encode a KRB5_PA_PK_AS_REP.
*/
krb5_error_code krb5int_pkinit_pa_pk_as_rep_encode(
- const krb5_data *dh_signed_data,
- const krb5_data *enc_key_pack,
+ const krb5_data *dh_signed_data,
+ const krb5_data *enc_key_pack,
krb5_data *pa_pk_as_rep) /* mallocd and RETURNED */
{
KRB5_PA_PK_AS_REP asRep;
SecAsn1CoderRef coder;
krb5_error_code ourRtn = 0;
- CSSM_DATA der = {0, NULL};
- OSStatus ortn;
- CSSM_DATA dhSignedData;
- CSSM_DATA encKeyPack;
-
+ CSSM_DATA der = {0, NULL};
+ OSStatus ortn;
+ CSSM_DATA dhSignedData;
+ CSSM_DATA encKeyPack;
+
if(SecAsn1CoderCreate(&coder)) {
- return ENOMEM;
+ return ENOMEM;
}
memset(&asRep, 0, sizeof(asRep));
if(dh_signed_data) {
- PKI_KRB_TO_CSSM_DATA(dh_signed_data, &dhSignedData);
- asRep.dhSignedData = &dhSignedData;
+ PKI_KRB_TO_CSSM_DATA(dh_signed_data, &dhSignedData);
+ asRep.dhSignedData = &dhSignedData;
}
if(enc_key_pack) {
- PKI_KRB_TO_CSSM_DATA(enc_key_pack, &encKeyPack);
- asRep.encKeyPack = &encKeyPack;
+ PKI_KRB_TO_CSSM_DATA(enc_key_pack, &encKeyPack);
+ asRep.encKeyPack = &encKeyPack;
}
ortn = SecAsn1EncodeItem(coder, &asRep, KRB5_PA_PK_AS_REPTemplate, &der);
if(ortn) {
- ourRtn = ENOMEM;
- goto errOut;
+ ourRtn = ENOMEM;
+ goto errOut;
}
ourRtn = pkiCssmDataToKrb5Data(&der, pa_pk_as_rep);
@@ -848,38 +849,38 @@ errOut:
return ourRtn;
}
-/*
+/*
* Decode a KRB5_PA_PK_AS_REP.
*/
krb5_error_code krb5int_pkinit_pa_pk_as_rep_decode(
const krb5_data *pa_pk_as_rep,
- krb5_data *dh_signed_data,
+ krb5_data *dh_signed_data,
krb5_data *enc_key_pack)
{
KRB5_PA_PK_AS_REP asRep;
SecAsn1CoderRef coder;
CSSM_DATA der = {pa_pk_as_rep->length, (uint8 *)pa_pk_as_rep->data};
krb5_error_code ourRtn = 0;
-
+
/* Decode --> KRB5_PA_PK_AS_REP */
if(SecAsn1CoderCreate(&coder)) {
- return ENOMEM;
+ return ENOMEM;
}
memset(&asRep, 0, sizeof(asRep));
if(SecAsn1DecodeData(coder, &der, KRB5_PA_PK_AS_REPTemplate, &asRep)) {
- ourRtn = ASN1_BAD_FORMAT;
- goto errOut;
+ ourRtn = ASN1_BAD_FORMAT;
+ goto errOut;
}
-
+
if(asRep.dhSignedData) {
- if((ourRtn = pkiCssmDataToKrb5Data(asRep.dhSignedData, dh_signed_data))) {
- goto errOut;
- }
+ if((ourRtn = pkiCssmDataToKrb5Data(asRep.dhSignedData, dh_signed_data))) {
+ goto errOut;
+ }
}
if(asRep.encKeyPack) {
- ourRtn = pkiCssmDataToKrb5Data(asRep.encKeyPack, enc_key_pack);
+ ourRtn = pkiCssmDataToKrb5Data(asRep.encKeyPack, enc_key_pack);
}
-
+
errOut:
SecAsn1CoderRelease(coder);
return ourRtn;
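Review bot: krb5int_pkinit_pa_pk_as_rep_decode returns 0 when the decoded reply carries neither `dhSignedData` nor `encKeyPack`, and leaves both output `krb5_data` arguments untouched, although the struct comment in the previous hunk says exactly one of the fields must be present. A caller that trusts the zero return would then use whatever `dh_signed_data` and `enc_key_pack` held before the call. Reject the malformed cases right after the decode, for example `if((asRep.dhSignedData != NULL) == (asRep.encKeyPack != NULL)) { ourRtn = ASN1_BAD_FORMAT; goto errOut; }`. The initializer of `der` also dereferences `pa_pk_as_rep` before any NULL check, unlike the `assert` in the PA-PK-AS-REQ decoder.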
@@ -904,51 +905,51 @@ krb5_error_code krb5int_pkinit_get_issuer_serial(
krb5_data krb_issuer;
uint32 numFields;
krb5_error_code ourRtn = 0;
-
+
CSSM_CL_HANDLE clHand = pkiClStartup();
if(clHand == 0) {
- return CSSMERR_CSSM_ADDIN_LOAD_FAILED;
+ return CSSMERR_CSSM_ADDIN_LOAD_FAILED;
}
/* subsequent errors to errOut: */
-
+
crtn = CSSM_CL_CertCache(clHand, &certData, &cacheHand);
if(crtn) {
- pkiCssmErr("CSSM_CL_CertCache", crtn);
- ourRtn = ASN1_PARSE_ERROR;
- goto errOut;
+ pkiCssmErr("CSSM_CL_CertCache", crtn);
+ ourRtn = ASN1_PARSE_ERROR;
+ goto errOut;
}
-
+
/* obtain the two fields; issuer is DER encoded */
crtn = CSSM_CL_CertGetFirstCachedFieldValue(clHand, cacheHand,
- &CSSMOID_X509V1IssuerNameStd, &resultHand, &numFields, &derIssuer);
+ &CSSMOID_X509V1IssuerNameStd, &resultHand, &numFields, &derIssuer);
if(crtn) {
- pkiCssmErr("CSSM_CL_CertGetFirstCachedFieldValue(issuer)", crtn);
- ourRtn = ASN1_PARSE_ERROR;
- goto errOut;
+ pkiCssmErr("CSSM_CL_CertGetFirstCachedFieldValue(issuer)", crtn);
+ ourRtn = ASN1_PARSE_ERROR;
+ goto errOut;
}
crtn = CSSM_CL_CertGetFirstCachedFieldValue(clHand, cacheHand,
- &CSSMOID_X509V1SerialNumber, &resultHand, &numFields, &serial);
+ &CSSMOID_X509V1SerialNumber, &resultHand, &numFields, &serial);
if(crtn) {
- pkiCssmErr("CSSM_CL_CertGetFirstCachedFieldValue(serial)", crtn);
- ourRtn = ASN1_PARSE_ERROR;
- goto errOut;
+ pkiCssmErr("CSSM_CL_CertGetFirstCachedFieldValue(serial)", crtn);
+ ourRtn = ASN1_PARSE_ERROR;
+ goto errOut;
}
PKI_CSSM_TO_KRB_DATA(derIssuer, &krb_issuer);
PKI_CSSM_TO_KRB_DATA(serial, &krb_serial);
ourRtn = krb5int_pkinit_issuer_serial_encode(&krb_issuer, &krb_serial, issuer_and_serial);
-
+
errOut:
if(derIssuer) {
- CSSM_CL_FreeFieldValue(clHand, &CSSMOID_X509V1IssuerNameStd, derIssuer);
+ CSSM_CL_FreeFieldValue(clHand, &CSSMOID_X509V1IssuerNameStd, derIssuer);
}
if(serial) {
- CSSM_CL_FreeFieldValue(clHand, &CSSMOID_X509V1SerialNumber, serial);
+ CSSM_CL_FreeFieldValue(clHand, &CSSMOID_X509V1SerialNumber, serial);
}
if(cacheHand) {
- CSSM_CL_CertAbortCache(clHand, cacheHand);
+ CSSM_CL_CertAbortCache(clHand, cacheHand);
}
if(clHand) {
- pkiClDetachUnload(clHand);
+ pkiClDetachUnload(clHand);
}
return ourRtn;
}
diff --git a/src/lib/krb5/krb/pkinit_apple_cert_store.c b/src/lib/krb5/krb/pkinit_apple_cert_store.c
index 449f1cc990..2bcbd4458d 100644
--- a/src/lib/krb5/krb/pkinit_apple_cert_store.c
+++ b/src/lib/krb5/krb/pkinit_apple_cert_store.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* Copyright (c) 2004-2008 Apple Inc. All Rights Reserved.
*
@@ -24,12 +25,12 @@
*/
/*
- * pkinit_apple_cert_store.c - PKINIT certificate storage/retrieval utilities,
- * MAC OS X version
+ * pkinit_apple_cert_store.c - PKINIT certificate storage/retrieval utilities,
+ * MAC OS X version
*
* Created 26 May 2004 by Doug Mitchell at Apple.
*/
-
+
#if APPLE_PKINIT
#include "pkinit_cert_store.h"
@@ -49,24 +50,24 @@
* key = kPkinitClientCertKey
* appID = kPkinitClientCertApp
* username = kCFPreferencesCurrentUser
- * hostname = kCFPreferencesAnyHost
+ * hostname = kCFPreferencesAnyHost
*
* The stored property list is a CFDictionary. Keys in the dictionary are
- * principal names (e.g. foobar@REALM.LOCAL).
+ * principal names (e.g. foobar@REALM.LOCAL).
*
* Values in the dictionary are raw data containing the DER-encoded issuer and
- * serial number of the certificate.
+ * serial number of the certificate.
*
* When obtaining a PKINIT cert, if an entry in the CFDictionary for the specified
* principal is not found, the entry for the default will be used if it's there.
*/
-/*
- * NOTE: ANSI C code requires an Apple-Custom -fconstant-cfstrings CFLAGS to
- * use CFSTR in a const declaration so we just declare the C strings here.
+/*
+ * NOTE: ANSI C code requires an Apple-Custom -fconstant-cfstrings CFLAGS to
+ * use CFSTR in a const declaration so we just declare the C strings here.
*/
-#define kPkinitClientCertKey "KRBClientCert"
-#define kPkinitClientCertApp "edu.mit.Kerberos.pkinit"
+#define kPkinitClientCertKey "KRBClientCert"
+#define kPkinitClientCertApp "edu.mit.Kerberos.pkinit"
/*
* KDC cert stored in this keychain. It's linked to systemkeychain so that if
@@ -74,43 +75,43 @@
*/
#define KDC_KEYCHAIN "/var/db/krb5kdc/kdc.keychain"
-/*
+/*
* Given a certificate, obtain the DER-encoded issuer and serial number. Result
- * is mallocd and must be freed by caller.
+ * is mallocd and must be freed by caller.
*/
static OSStatus pkinit_get_cert_issuer_sn(
- SecCertificateRef certRef,
- CSSM_DATA *issuerSerial) /* mallocd and RETURNED */
+ SecCertificateRef certRef,
+ CSSM_DATA *issuerSerial) /* mallocd and RETURNED */
{
OSStatus ortn;
CSSM_DATA certData;
krb5_data INIT_KDATA(issuerSerialKrb);
krb5_data certDataKrb;
krb5_error_code krtn;
-
+
assert(certRef != NULL);
assert(issuerSerial != NULL);
-
+
ortn = SecCertificateGetData(certRef, &certData);
if(ortn) {
- pkiCssmErr("SecCertificateGetData", ortn);
- return ortn;
+ pkiCssmErr("SecCertificateGetData", ortn);
+ return ortn;
}
PKI_CSSM_TO_KRB_DATA(&certData, &certDataKrb);
krtn = krb5int_pkinit_get_issuer_serial(&certDataKrb, &issuerSerialKrb);
if(krtn) {
- return CSSMERR_CL_INVALID_DATA;
+ return CSSMERR_CL_INVALID_DATA;
}
PKI_KRB_TO_CSSM_DATA(&issuerSerialKrb, issuerSerial);
return noErr;
}
-/*
+/*
* Determine if specified identity's cert's issuer and serial number match the
* provided issuer and serial number. Returns nonzero on match, else returns zero.
*/
static int pkinit_issuer_sn_match(
- SecIdentityRef idRef,
+ SecIdentityRef idRef,
const CSSM_DATA *matchIssuerSerial)
{
OSStatus ortn;
@@ -120,87 +121,87 @@ static int pkinit_issuer_sn_match(
assert(idRef != NULL);
assert(matchIssuerSerial != NULL);
-
+
/* Get this cert's issuer/serial number */
ortn = SecIdentityCopyCertificate(idRef, &certRef);
if(ortn) {
- pkiCssmErr("SecIdentityCopyCertificate", ortn);
- return 0;
+ pkiCssmErr("SecIdentityCopyCertificate", ortn);
+ return 0;
}
/* subsequent errors to errOut: */
ortn = pkinit_get_cert_issuer_sn(certRef, &certIssuerSerial);
if(ortn) {
- pkiCssmErr("SecIdentityCopyCertificate", ortn);
- goto errOut;
+ pkiCssmErr("SecIdentityCopyCertificate", ortn);
+ goto errOut;
}
ourRtn = pkiCompareCssmData(matchIssuerSerial, &certIssuerSerial) ? 1 : 0;
errOut:
if(certRef != NULL) {
- CFRelease(certRef);
+ CFRelease(certRef);
}
if(certIssuerSerial.Data != NULL) {
- free(certIssuerSerial.Data);
+ free(certIssuerSerial.Data);
}
return ourRtn;
}
/*
* Search specified keychain/array/NULL (NULL meaning the default search list) for
- * an Identity matching specified key usage and optional Issuer/Serial number.
+ * an Identity matching specified key usage and optional Issuer/Serial number.
* If issuer/serial is specified and no identities match, or if no identities found
* matching specified Key usage, errSecItemNotFound is returned.
*
- * Caller must CFRelease a non-NULL returned idRef.
+ * Caller must CFRelease a non-NULL returned idRef.
*/
static OSStatus pkinit_search_ident(
- CFTypeRef keychainOrArray,
- CSSM_KEYUSE keyUsage,
+ CFTypeRef keychainOrArray,
+ CSSM_KEYUSE keyUsage,
const CSSM_DATA *issuerSerial, /* optional */
- SecIdentityRef *foundId) /* RETURNED */
+ SecIdentityRef *foundId) /* RETURNED */
{
OSStatus ortn;
SecIdentityRef idRef = NULL;
SecIdentitySearchRef srchRef = NULL;
-
+
ortn = SecIdentitySearchCreate(keychainOrArray, keyUsage, &srchRef);
if(ortn) {
- pkiCssmErr("SecIdentitySearchCreate", ortn);
- return ortn;
+ pkiCssmErr("SecIdentitySearchCreate", ortn);
+ return ortn;
}
do {
- ortn = SecIdentitySearchCopyNext(srchRef, &idRef);
- if(ortn != noErr) {
- break;
- }
- if(issuerSerial == NULL) {
- /* no match needed, we're done - this is the KDC cert case */
- break;
- }
- else if(pkinit_issuer_sn_match(idRef, issuerSerial)) {
- /* match, we're done */
- break;
- }
- /* finished with this one */
- CFRelease(idRef);
- idRef = NULL;
+ ortn = SecIdentitySearchCopyNext(srchRef, &idRef);
+ if(ortn != noErr) {
+ break;
+ }
+ if(issuerSerial == NULL) {
+ /* no match needed, we're done - this is the KDC cert case */
+ break;
+ }
+ else if(pkinit_issuer_sn_match(idRef, issuerSerial)) {
+ /* match, we're done */
+ break;
+ }
+ /* finished with this one */
+ CFRelease(idRef);
+ idRef = NULL;
} while(ortn == noErr);
-
+
CFRelease(srchRef);
if(idRef == NULL) {
- return errSecItemNotFound;
+ return errSecItemNotFound;
}
else {
- *foundId = idRef;
- return noErr;
+ *foundId = idRef;
+ return noErr;
}
}
/*
- * In Mac OS terms, get the keychain on which a given identity resides.
+ * In Mac OS terms, get the keychain on which a given identity resides.
*/
static krb5_error_code pkinit_cert_to_db(
krb5_pkinit_signing_cert_t idRef,
- krb5_pkinit_cert_db_t *dbRef)
+ krb5_pkinit_cert_db_t *dbRef)
{
SecKeychainRef kcRef = NULL;
SecKeyRef keyRef = NULL;
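Review bot: In pkinit_issuer_sn_match the failure branch after `pkinit_get_cert_issuer_sn(certRef, &certIssuerSerial)` logs `pkiCssmErr("SecIdentityCopyCertificate", ortn);`, which names the call that had already succeeded. A log reader chasing a certificate-parsing failure would look at the wrong API, so the label should be `pkiCssmErr("pkinit_get_cert_issuer_sn", ortn);`. The function's signature and local declarations are outside this hunk, and the commit itself only re-indents these lines.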
@@ -209,38 +210,38 @@ static krb5_error_code pkinit_cert_to_db(
/* that's an identity - get the associated key's keychain */
ortn = SecIdentityCopyPrivateKey((SecIdentityRef)idRef, &keyRef);
if(ortn) {
- pkiCssmErr("SecIdentityCopyPrivateKey", ortn);
- return ortn;
+ pkiCssmErr("SecIdentityCopyPrivateKey", ortn);
+ return ortn;
}
ortn = SecKeychainItemCopyKeychain((SecKeychainItemRef)keyRef, &kcRef);
if(ortn) {
- pkiCssmErr("SecKeychainItemCopyKeychain", ortn);
+ pkiCssmErr("SecKeychainItemCopyKeychain", ortn);
}
else {
- *dbRef = (krb5_pkinit_cert_db_t)kcRef;
+ *dbRef = (krb5_pkinit_cert_db_t)kcRef;
}
CFRelease(keyRef);
return ortn;
}
-/*
- * Obtain the CFDictionary representing this user's PKINIT client cert prefs, if it
- * exists. Returns noErr or errSecItemNotFound as appropriate.
+/*
+ * Obtain the CFDictionary representing this user's PKINIT client cert prefs, if it
+ * exists. Returns noErr or errSecItemNotFound as appropriate.
*/
static OSStatus pkinit_get_pref_dict(
CFDictionaryRef *dict)
{
CFDictionaryRef theDict;
theDict = (CFDictionaryRef)CFPreferencesCopyValue(CFSTR(kPkinitClientCertKey),
- CFSTR(kPkinitClientCertApp), kCFPreferencesCurrentUser, kCFPreferencesAnyHost);
+ CFSTR(kPkinitClientCertApp), kCFPreferencesCurrentUser, kCFPreferencesAnyHost);
if(theDict == NULL) {
- pkiDebug("pkinit_get_pref_dict: no kPkinitClientCertKey\n");
- return errSecItemNotFound;
+ pkiDebug("pkinit_get_pref_dict: no kPkinitClientCertKey\n");
+ return errSecItemNotFound;
}
if(CFGetTypeID(theDict) != CFDictionaryGetTypeID()) {
- pkiDebug("pkinit_get_pref_dict: bad kPkinitClientCertKey pref\n");
- CFRelease(theDict);
- return errSecItemNotFound;
+ pkiDebug("pkinit_get_pref_dict: bad kPkinitClientCertKey pref\n");
+ CFRelease(theDict);
+ return errSecItemNotFound;
}
*dict = theDict;
return noErr;
@@ -249,12 +250,12 @@ static OSStatus pkinit_get_pref_dict(
#pragma mark --- Public client side functions ---
/*
- * Obtain signing cert for specified principal. On successful return,
+ * Obtain signing cert for specified principal. On successful return,
* caller must eventually release the cert with krb5_pkinit_release_cert().
*/
krb5_error_code krb5_pkinit_get_client_cert(
- const char *principal, /* full principal string */
- krb5_pkinit_signing_cert_t *client_cert)
+ const char *principal, /* full principal string */
+ krb5_pkinit_signing_cert_t *client_cert)
{
CFDataRef issuerSerial = NULL;
CSSM_DATA issuerSerialData;
@@ -263,74 +264,74 @@ krb5_error_code krb5_pkinit_get_client_cert(
CFDictionaryRef theDict = NULL;
CFStringRef cfPrinc = NULL;
krb5_error_code ourRtn = 0;
-
+
if(principal == NULL) {
- return KRB5_PRINC_NOMATCH;
+ return KRB5_PRINC_NOMATCH;
}
-
+
/* Is there a stored preference for PKINIT certs for this user? */
ortn = pkinit_get_pref_dict(&theDict);
if(ortn) {
- return KRB5_PRINC_NOMATCH;
+ return KRB5_PRINC_NOMATCH;
}
-
+
/* Entry in the dictionary for specified principal? */
- cfPrinc = CFStringCreateWithCString(NULL, principal,
+ cfPrinc = CFStringCreateWithCString(NULL, principal,
kCFStringEncodingASCII);
issuerSerial = (CFDataRef)CFDictionaryGetValue(theDict, cfPrinc);
CFRelease(cfPrinc);
if(issuerSerial == NULL) {
- pkiDebug("krb5_pkinit_get_client_cert: no identity found\n");
- ourRtn = KRB5_PRINC_NOMATCH;
- goto errOut;
+ pkiDebug("krb5_pkinit_get_client_cert: no identity found\n");
+ ourRtn = KRB5_PRINC_NOMATCH;
+ goto errOut;
}
if(CFGetTypeID(issuerSerial) != CFDataGetTypeID()) {
- pkiDebug("krb5_pkinit_get_client_cert: bad kPkinitClientCertKey value\n");
- ourRtn = KRB5_PRINC_NOMATCH;
- goto errOut;
+ pkiDebug("krb5_pkinit_get_client_cert: bad kPkinitClientCertKey value\n");
+ ourRtn = KRB5_PRINC_NOMATCH;
+ goto errOut;
}
-
+
issuerSerialData.Data = (uint8 *)CFDataGetBytePtr(issuerSerial);
issuerSerialData.Length = CFDataGetLength(issuerSerial);
-
+
/* find a cert with that issuer/serial number in default search list */
- ortn = pkinit_search_ident(NULL, CSSM_KEYUSE_SIGN | CSSM_KEYUSE_ENCRYPT,
- &issuerSerialData, &idRef);
+ ortn = pkinit_search_ident(NULL, CSSM_KEYUSE_SIGN | CSSM_KEYUSE_ENCRYPT,
+ &issuerSerialData, &idRef);
if(ortn) {
- pkiDebug("krb5_pkinit_get_client_cert: no identity found!\n");
- pkiCssmErr("pkinit_search_ident", ortn);
- ourRtn = KRB5_PRINC_NOMATCH;
+ pkiDebug("krb5_pkinit_get_client_cert: no identity found!\n");
+ pkiCssmErr("pkinit_search_ident", ortn);
+ ourRtn = KRB5_PRINC_NOMATCH;
}
else {
- *client_cert = (krb5_pkinit_signing_cert_t)idRef;
+ *client_cert = (krb5_pkinit_signing_cert_t)idRef;
}
errOut:
if(theDict) {
- CFRelease(theDict);
+ CFRelease(theDict);
}
return ourRtn;
}
-/*
+/*
* Determine if the specified client has a signing cert. Returns TRUE
* if so, else returns FALSE.
*/
krb5_boolean krb5_pkinit_have_client_cert(
- const char *principal) /* full principal string */
+ const char *principal) /* full principal string */
{
krb5_pkinit_signing_cert_t signing_cert = NULL;
krb5_error_code krtn;
-
+
krtn = krb5_pkinit_get_client_cert(principal, &signing_cert);
if(krtn) {
- return FALSE;
+ return FALSE;
}
if(signing_cert != NULL) {
- krb5_pkinit_release_cert(signing_cert);
- return TRUE;
+ krb5_pkinit_release_cert(signing_cert);
+ return TRUE;
}
else {
- return FALSE;
+ return FALSE;
}
}
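Review bot: In krb5_pkinit_get_client_cert the result of `CFStringCreateWithCString(NULL, principal, kCFStringEncodingASCII)` is used without a NULL check. It returns NULL when the principal cannot be represented in ASCII, and the following `CFDictionaryGetValue(theDict, cfPrinc)` and `CFRelease(cfPrinc)` are not NULL-safe. Add `if(cfPrinc == NULL) { ourRtn = KRB5_PRINC_NOMATCH; goto errOut; }` directly after the create call. The same unchecked pattern appears for `keyStr` and `cfIssuerSerial` in krb5_pkinit_set_client_cert in the `@@ -388,108 +389,108 @@` hunk, where a NULL reaches `CFDictionaryRemoveValue` or `CFDictionarySetValue`. The function's first declarations sit in the preceding hunk; this commit only re-indents the lines.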
@@ -341,8 +342,8 @@ krb5_boolean krb5_pkinit_have_client_cert(
* in the cert storage.
*/
krb5_error_code krb5_pkinit_set_client_cert_from_signing_cert(
- const char *principal, /* full principal string */
- krb5_pkinit_signing_cert_t client_cert)
+ const char *principal, /* full principal string */
+ krb5_pkinit_signing_cert_t client_cert)
{
SecIdentityRef idRef = (SecIdentityRef)client_cert;
SecCertificateRef certRef = NULL;
@@ -350,22 +351,22 @@ krb5_error_code krb5_pkinit_set_client_cert_from_signing_cert(
krb5_error_code ourRtn = 0;
if (NULL != idRef) {
- if (CFGetTypeID(idRef) != SecIdentityGetTypeID()) {
- ourRtn = KRB5KRB_ERR_GENERIC;
- goto fin;
- }
- /* Get the cert */
- ortn = SecIdentityCopyCertificate(idRef, &certRef);
- if (ortn) {
- pkiCssmErr("SecIdentityCopyCertificate", ortn);
- ourRtn = KRB5KRB_ERR_GENERIC;
- goto fin;
- }
+ if (CFGetTypeID(idRef) != SecIdentityGetTypeID()) {
+ ourRtn = KRB5KRB_ERR_GENERIC;
+ goto fin;
+ }
+ /* Get the cert */
+ ortn = SecIdentityCopyCertificate(idRef, &certRef);
+ if (ortn) {
+ pkiCssmErr("SecIdentityCopyCertificate", ortn);
+ ourRtn = KRB5KRB_ERR_GENERIC;
+ goto fin;
+ }
}
ourRtn = krb5_pkinit_set_client_cert(principal, (krb5_pkinit_cert_t)certRef);
fin:
if (certRef)
- CFRelease(certRef);
+ CFRelease(certRef);
return ourRtn;
}
@@ -377,8 +378,8 @@ fin:
* in the cert storage.
*/
krb5_error_code krb5_pkinit_set_client_cert(
- const char *principal, /* full principal string */
- krb5_pkinit_cert_t client_cert)
+ const char *principal, /* full principal string */
+ krb5_pkinit_cert_t client_cert)
{
SecCertificateRef certRef = (SecCertificateRef)client_cert;
OSStatus ortn;
@@ -388,108 +389,108 @@ krb5_error_code krb5_pkinit_set_client_cert(
CFMutableDictionaryRef newDict = NULL;
CFStringRef keyStr = NULL;
krb5_error_code ourRtn = 0;
-
+
if(certRef != NULL) {
- if(CFGetTypeID(certRef) != SecCertificateGetTypeID()) {
- return KRB5KRB_ERR_GENERIC;
- }
-
- /* Cook up DER-encoded issuer/serial number */
- ortn = pkinit_get_cert_issuer_sn(certRef, &issuerSerial);
- if(ortn) {
- ourRtn = KRB5KRB_ERR_GENERIC;
- goto errOut;
- }
- }
-
- /*
+ if(CFGetTypeID(certRef) != SecCertificateGetTypeID()) {
+ return KRB5KRB_ERR_GENERIC;
+ }
+
+ /* Cook up DER-encoded issuer/serial number */
+ ortn = pkinit_get_cert_issuer_sn(certRef, &issuerSerial);
+ if(ortn) {
+ ourRtn = KRB5KRB_ERR_GENERIC;
+ goto errOut;
+ }
+ }
+
+ /*
* Obtain the existing pref for kPkinitClientCertKey as a CFDictionary, or
- * cook up a new one.
+ * cook up a new one.
*/
ortn = pkinit_get_pref_dict(&existDict);
if(ortn == noErr) {
- /* dup to a mutable dictionary */
- newDict = CFDictionaryCreateMutableCopy(NULL, 0, existDict);
+ /* dup to a mutable dictionary */
+ newDict = CFDictionaryCreateMutableCopy(NULL, 0, existDict);
}
else {
- if(certRef == NULL) {
- /* no existing entry, nothing to delete, we're done */
- return 0;
- }
- newDict = CFDictionaryCreateMutable(NULL, 0,
- &kCFCopyStringDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
+ if(certRef == NULL) {
+ /* no existing entry, nothing to delete, we're done */
+ return 0;
+ }
+ newDict = CFDictionaryCreateMutable(NULL, 0,
+ &kCFCopyStringDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
}
if(newDict == NULL) {
- ourRtn = ENOMEM;
- goto errOut;
+ ourRtn = ENOMEM;
+ goto errOut;
}
/* issuer / serial number ==> that dictionary */
keyStr = CFStringCreateWithCString(NULL, principal, kCFStringEncodingASCII);
if(certRef == NULL) {
- CFDictionaryRemoveValue(newDict, keyStr);
+ CFDictionaryRemoveValue(newDict, keyStr);
}
else {
- cfIssuerSerial = CFDataCreate(NULL, issuerSerial.Data, issuerSerial.Length);
- CFDictionarySetValue(newDict, keyStr, cfIssuerSerial);
+ cfIssuerSerial = CFDataCreate(NULL, issuerSerial.Data, issuerSerial.Length);
+ CFDictionarySetValue(newDict, keyStr, cfIssuerSerial);
}
-
+
/* dictionary ==> prefs */
- CFPreferencesSetValue(CFSTR(kPkinitClientCertKey), newDict,
- CFSTR(kPkinitClientCertApp), kCFPreferencesCurrentUser, kCFPreferencesAnyHost);
- if(CFPreferencesSynchronize(CFSTR(kPkinitClientCertApp), kCFPreferencesCurrentUser,
- kCFPreferencesAnyHost)) {
- ourRtn = 0;
+ CFPreferencesSetValue(CFSTR(kPkinitClientCertKey), newDict,
+ CFSTR(kPkinitClientCertApp), kCFPreferencesCurrentUser, kCFPreferencesAnyHost);
+ if(CFPreferencesSynchronize(CFSTR(kPkinitClientCertApp), kCFPreferencesCurrentUser,
+ kCFPreferencesAnyHost)) {
+ ourRtn = 0;
}
else {
- ourRtn = EACCES; /* any better ideas? */
+ ourRtn = EACCES; /* any better ideas? */
}
errOut:
if(cfIssuerSerial) {
- CFRelease(cfIssuerSerial);
+ CFRelease(cfIssuerSerial);
}
if(issuerSerial.Data) {
- free(issuerSerial.Data);
+ free(issuerSerial.Data);
}
if(existDict) {
- CFRelease(existDict);
+ CFRelease(existDict);
}
if(newDict) {
- CFRelease(newDict);
+ CFRelease(newDict);
}
if(keyStr) {
- CFRelease(keyStr);
+ CFRelease(keyStr);
}
return ourRtn;
}
-/*
+/*
* Obtain a reference to the client's cert database. Specify either principal
* name or client_cert as obtained from krb5_pkinit_get_client_cert().
*/
krb5_error_code krb5_pkinit_get_client_cert_db(
- const char *principal, /* full principal string */
- krb5_pkinit_signing_cert_t client_cert, /* optional, from krb5_pkinit_get_client_cert() */
- krb5_pkinit_cert_db_t *client_cert_db)/* RETURNED */
+ const char *principal, /* full principal string */
+ krb5_pkinit_signing_cert_t client_cert, /* optional, from krb5_pkinit_get_client_cert() */
+ krb5_pkinit_cert_db_t *client_cert_db)/* RETURNED */
{
krb5_error_code krtn;
krb5_pkinit_signing_cert_t local_cert;
-
+
assert((client_cert != NULL) || (principal != NULL));
if(client_cert == NULL) {
- /* caller didn't provide, look it up */
- krtn = krb5_pkinit_get_client_cert(principal, &local_cert);
- if(krtn) {
- return krtn;
- }
+ /* caller didn't provide, look it up */
+ krtn = krb5_pkinit_get_client_cert(principal, &local_cert);
+ if(krtn) {
+ return krtn;
+ }
}
else {
- /* easy case */
- local_cert = client_cert;
+ /* easy case */
+ local_cert = client_cert;
}
krtn = pkinit_cert_to_db(local_cert, client_cert_db);
if(client_cert == NULL) {
- krb5_pkinit_release_cert(local_cert);
+ krb5_pkinit_release_cert(local_cert);
}
return krtn;
}
@@ -503,28 +504,28 @@ krb5_error_code krb5_pkinit_get_client_cert_db(
* The client_spec argument is typically provided by the client as kdcPkId.
*/
krb5_error_code krb5_pkinit_get_kdc_cert(
- krb5_ui_4 num_trusted_CAs, /* sizeof *trusted_CAs */
- krb5_data *trusted_CAs, /* optional */
- krb5_data *client_spec, /* optional */
+ krb5_ui_4 num_trusted_CAs, /* sizeof *trusted_CAs */
+ krb5_data *trusted_CAs, /* optional */
+ krb5_data *client_spec, /* optional */
krb5_pkinit_signing_cert_t *kdc_cert)
{
SecIdentityRef idRef = NULL;
OSStatus ortn;
krb5_error_code ourRtn = 0;
-
+
/* OS X: trusted_CAs and client_spec ignored */
-
+
ortn = SecIdentityCopySystemIdentity(kSecIdentityDomainKerberosKDC,
- &idRef, NULL);
+ &idRef, NULL);
if(ortn) {
- pkiCssmErr("SecIdentityCopySystemIdentity", ortn);
- return KRB5_PRINC_NOMATCH;
+ pkiCssmErr("SecIdentityCopySystemIdentity", ortn);
+ return KRB5_PRINC_NOMATCH;
}
*kdc_cert = (krb5_pkinit_signing_cert_t)idRef;
return ourRtn;
}
-/*
+/*
* Obtain a reference to the KDC's cert database.
*/
krb5_error_code krb5_pkinit_get_kdc_cert_db(
@@ -532,10 +533,10 @@ krb5_error_code krb5_pkinit_get_kdc_cert_db(
{
krb5_pkinit_signing_cert_t kdcCert = NULL;
krb5_error_code krtn;
-
+
krtn = krb5_pkinit_get_kdc_cert(0, NULL, NULL, &kdcCert);
if(krtn) {
- return krtn;
+ return krtn;
}
krtn = pkinit_cert_to_db(kdcCert, kdc_cert_db);
krb5_pkinit_release_cert(kdcCert);
@@ -550,7 +551,7 @@ void krb5_pkinit_release_cert(
krb5_pkinit_signing_cert_t cert)
{
if(cert == NULL) {
- return;
+ return;
}
CFRelease((CFTypeRef)cert);
}
@@ -560,18 +561,18 @@ void krb5_pkinit_release_cert(
* krb5_pkinit_get_kdc_cert_db().
*/
extern void krb5_pkinit_release_cert_db(
- krb5_pkinit_cert_db_t cert_db)
+ krb5_pkinit_cert_db_t cert_db)
{
if(cert_db == NULL) {
- return;
+ return;
}
CFRelease((CFTypeRef)cert_db);
}
-/*
- * Obtain a mallocd C-string representation of a certificate's SHA1 digest.
- * Only error is a NULL return indicating memory failure.
+/*
+ * Obtain a mallocd C-string representation of a certificate's SHA1 digest.
+ * Only error is a NULL return indicating memory failure.
* Caller must free the returned string.
*/
char *krb5_pkinit_cert_hash_str(
@@ -582,37 +583,37 @@ char *krb5_pkinit_cert_hash_str(
char *cpOut;
unsigned char digest[CC_SHA1_DIGEST_LENGTH];
unsigned dex;
-
+
assert(cert != NULL);
CC_SHA1_Init(&ctx);
CC_SHA1_Update(&ctx, cert->data, cert->length);
CC_SHA1_Final(digest, &ctx);
-
+
outstr = (char *)malloc((2 * CC_SHA1_DIGEST_LENGTH) + 1);
if(outstr == NULL) {
- return NULL;
+ return NULL;
}
cpOut = outstr;
for(dex=0; dex<CC_SHA1_DIGEST_LENGTH; dex++) {
- snprintf(cpOut, 3, "%02X", (unsigned)(digest[dex]));
- cpOut += 2;
+ snprintf(cpOut, 3, "%02X", (unsigned)(digest[dex]));
+ cpOut += 2;
}
*cpOut = '\0';
return outstr;
}
-/*
+/*
* Obtain a client's optional list of trusted KDC CA certs (trustedCertifiers)
- * and/or trusted KDC cert (kdcPkId) for a given client and server.
- * All returned values are mallocd and must be freed by caller; the contents
- * of the krb5_datas are DER-encoded certificates.
+ * and/or trusted KDC cert (kdcPkId) for a given client and server.
+ * All returned values are mallocd and must be freed by caller; the contents
+ * of the krb5_datas are DER-encoded certificates.
*/
krb5_error_code krb5_pkinit_get_server_certs(
const char *client_principal,
const char *server_principal,
- krb5_data **trusted_CAs, /* RETURNED, though return value may be NULL */
- krb5_ui_4 *num_trusted_CAs, /* RETURNED */
- krb5_data *kdc_cert) /* RETURNED, though may be 0/NULL */
+ krb5_data **trusted_CAs, /* RETURNED, though return value may be NULL */
+ krb5_ui_4 *num_trusted_CAs, /* RETURNED */
+ krb5_data *kdc_cert) /* RETURNED, though may be 0/NULL */
{
/* nothing for now */
*trusted_CAs = NULL;
diff --git a/src/lib/krb5/krb/pkinit_apple_client.c b/src/lib/krb5/krb/pkinit_apple_client.c
index d98fc76c0d..b2b6cb9906 100644
--- a/src/lib/krb5/krb/pkinit_apple_client.c
+++ b/src/lib/krb5/krb/pkinit_apple_client.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* Copyright (c) 2004-2008 Apple Inc. All Rights Reserved.
*
@@ -45,131 +46,131 @@
* Create a PA-PK-AS-REQ message.
*/
krb5_error_code krb5int_pkinit_as_req_create(
- krb5_context context,
- krb5_timestamp kctime,
- krb5_int32 cusec, /* microseconds */
- krb5_ui_4 nonce,
- const krb5_checksum *cksum,
- krb5_pkinit_signing_cert_t client_cert, /* required */
- const krb5_data *trusted_CAs, /* optional list of CA certs */
- krb5_ui_4 num_trusted_CAs,
- const krb5_data *kdc_cert, /* optional KDC cert */
- krb5_data *as_req) /* mallocd and RETURNED */
+ krb5_context context,
+ krb5_timestamp kctime,
+ krb5_int32 cusec, /* microseconds */
+ krb5_ui_4 nonce,
+ const krb5_checksum *cksum,
+ krb5_pkinit_signing_cert_t client_cert, /* required */
+ const krb5_data *trusted_CAs, /* optional list of CA certs */
+ krb5_ui_4 num_trusted_CAs,
+ const krb5_data *kdc_cert, /* optional KDC cert */
+ krb5_data *as_req) /* mallocd and RETURNED */
{
krb5_data auth_pack = {0};
krb5_error_code krtn;
krb5_data content_info = {0};
krb5int_algorithm_id *cms_types = NULL;
krb5_ui_4 num_cms_types = 0;
-
+
/* issuer/serial numbers for trusted_CAs and kdc_cert, if we have them */
- krb5_data *ca_issuer_sn = NULL; /* issuer/serial_num for trusted_CAs */
- krb5_data kdc_issuer_sn = {0}; /* issuer/serial_num for kdc_cert */
+ krb5_data *ca_issuer_sn = NULL; /* issuer/serial_num for trusted_CAs */
+ krb5_data kdc_issuer_sn = {0}; /* issuer/serial_num for kdc_cert */
krb5_data *kdc_issuer_sn_p = NULL;
-
+
/* optional platform-dependent CMS algorithm preference */
krtn = krb5int_pkinit_get_cms_types(&cms_types, &num_cms_types);
if(krtn) {
- return krtn;
+ return krtn;
}
-
+
/* encode the core authPack */
- krtn = krb5int_pkinit_auth_pack_encode(kctime, cusec, nonce, cksum,
- cms_types, num_cms_types,
- &auth_pack);
+ krtn = krb5int_pkinit_auth_pack_encode(kctime, cusec, nonce, cksum,
+ cms_types, num_cms_types,
+ &auth_pack);
if(krtn) {
- goto errOut;
+ goto errOut;
}
/* package the AuthPack up in a SignedData inside a ContentInfo */
- krtn = krb5int_pkinit_create_cms_msg(&auth_pack,
- client_cert,
- NULL, /* recip_cert */
- ECT_PkAuthData,
- 0, NULL, /* cms_types */
- &content_info);
+ krtn = krb5int_pkinit_create_cms_msg(&auth_pack,
+ client_cert,
+ NULL, /* recip_cert */
+ ECT_PkAuthData,
+ 0, NULL, /* cms_types */
+ &content_info);
if(krtn) {
- goto errOut;
+ goto errOut;
}
-
+
/* if we have trusted_CAs, get issuer/serials */
if(trusted_CAs) {
- unsigned dex;
- ca_issuer_sn = (krb5_data *)malloc(num_trusted_CAs * sizeof(krb5_data));
- if(ca_issuer_sn == NULL) {
- krtn = ENOMEM;
- goto errOut;
- }
- for(dex=0; dex<num_trusted_CAs; dex++) {
- krtn = krb5int_pkinit_get_issuer_serial(&trusted_CAs[dex],
- &ca_issuer_sn[dex]);
- if(krtn) {
- goto errOut;
- }
- }
+ unsigned dex;
+ ca_issuer_sn = (krb5_data *)malloc(num_trusted_CAs * sizeof(krb5_data));
+ if(ca_issuer_sn == NULL) {
+ krtn = ENOMEM;
+ goto errOut;
+ }
+ for(dex=0; dex<num_trusted_CAs; dex++) {
+ krtn = krb5int_pkinit_get_issuer_serial(&trusted_CAs[dex],
+ &ca_issuer_sn[dex]);
+ if(krtn) {
+ goto errOut;
+ }
+ }
}
-
+
/* If we have a KDC cert, get its issuer/serial */
if(kdc_cert) {
- krtn = krb5int_pkinit_get_issuer_serial(kdc_cert, &kdc_issuer_sn);
- if(krtn) {
- goto errOut;
- }
- kdc_issuer_sn_p = &kdc_issuer_sn;
+ krtn = krb5int_pkinit_get_issuer_serial(kdc_cert, &kdc_issuer_sn);
+ if(krtn) {
+ goto errOut;
+ }
+ kdc_issuer_sn_p = &kdc_issuer_sn;
}
-
+
/* cook up PA-PK-AS-REQ */
- krtn = krb5int_pkinit_pa_pk_as_req_encode(&content_info,
- ca_issuer_sn, num_trusted_CAs,
- kdc_issuer_sn_p,
- as_req);
-
+ krtn = krb5int_pkinit_pa_pk_as_req_encode(&content_info,
+ ca_issuer_sn, num_trusted_CAs,
+ kdc_issuer_sn_p,
+ as_req);
+
errOut:
if(cms_types) {
- krb5int_pkinit_free_cms_types(cms_types, num_cms_types);
+ krb5int_pkinit_free_cms_types(cms_types, num_cms_types);
}
if(auth_pack.data) {
- free(auth_pack.data);
+ free(auth_pack.data);
}
if(content_info.data) {
- free(content_info.data);
+ free(content_info.data);
}
if(trusted_CAs) {
- unsigned dex;
- for(dex=0; dex<num_trusted_CAs; dex++) {
- free(ca_issuer_sn[dex].data);
- }
- free(ca_issuer_sn);
+ unsigned dex;
+ for(dex=0; dex<num_trusted_CAs; dex++) {
+ free(ca_issuer_sn[dex].data);
+ }
+ free(ca_issuer_sn);
}
if(kdc_cert) {
- free(kdc_issuer_sn.data);
+ free(kdc_issuer_sn.data);
}
return krtn;
}
/*
- * Parse PA-PK-AS-REP message. Optionally evaluates the message's certificate chain.
- * Optionally returns various components.
+ * Parse PA-PK-AS-REP message. Optionally evaluates the message's certificate chain.
+ * Optionally returns various components.
*/
krb5_error_code krb5int_pkinit_as_rep_parse(
- krb5_context context,
- const krb5_data *as_rep,
- krb5_pkinit_signing_cert_t client_cert, /* required */
- krb5_keyblock *key_block, /* RETURNED */
- krb5_checksum *checksum, /* checksum of corresponding AS-REQ */
- /* contents mallocd and RETURNED */
- krb5int_cert_sig_status *cert_status, /* RETURNED */
+ krb5_context context,
+ const krb5_data *as_rep,
+ krb5_pkinit_signing_cert_t client_cert, /* required */
+ krb5_keyblock *key_block, /* RETURNED */
+ krb5_checksum *checksum, /* checksum of corresponding AS-REQ */
+ /* contents mallocd and RETURNED */
+ krb5int_cert_sig_status *cert_status, /* RETURNED */
/*
* Cert fields, all optionally RETURNED.
*
* signer_cert is the full X.509 leaf cert from the incoming SignedData.
* all_certs is an array of all of the certs in the incoming SignedData,
- * in full X.509 form.
+ * in full X.509 form.
*/
- krb5_data *signer_cert, /* content mallocd */
- unsigned *num_all_certs, /* sizeof *all_certs */
- krb5_data **all_certs) /* krb5_data's and their content mallocd */
+ krb5_data *signer_cert, /* content mallocd */
+ unsigned *num_all_certs, /* sizeof *all_certs */
+ krb5_data **all_certs) /* krb5_data's and their content mallocd */
{
krb5_data reply_key_pack = {0, 0, NULL};
krb5_error_code krtn;
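Review bot: The errOut cleanup of krb5int_pkinit_as_req_create walks `ca_issuer_sn[dex].data` whenever trusted_CAs is non-NULL, but ca_issuer_sn is still NULL if either encode step or the malloc itself fails, and after a mid-loop krb5int_pkinit_get_issuer_serial failure the entries past the failing index are uninitialized. The error path can therefore dereference NULL or pass garbage pointers to free(). Allocate with `ca_issuer_sn = calloc(num_trusted_CAs, sizeof(krb5_data));` and guard the cleanup with `if(ca_issuer_sn) {` instead of `if(trusted_CAs) {`. calloc also rejects a num_trusted_CAs large enough to overflow the size multiplication. The commit only re-indents these lines, so the defect predates it; krb5int_pkinit_as_rep_parse begins at the end of this hunk and continues outside it.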
@@ -179,83 +180,83 @@ krb5_error_code krb5int_pkinit_as_rep_parse(
krb5_pkinit_cert_db_t cert_db = NULL;
krb5_boolean is_signed;
krb5_boolean is_encrypted;
-
- assert((as_rep != NULL) && (checksum != NULL) &&
+
+ assert((as_rep != NULL) && (checksum != NULL) &&
(key_block != NULL) && (cert_status != NULL));
-
- /*
+
+ /*
* Decode the top-level PA-PK-AS-REP
*/
krtn = krb5int_pkinit_pa_pk_as_rep_decode(as_rep, &dh_signed_data, &enc_key_pack);
if(krtn) {
- pkiCssmErr("krb5int_pkinit_pa_pk_as_rep_decode", krtn);
- return krtn;
+ pkiCssmErr("krb5int_pkinit_pa_pk_as_rep_decode", krtn);
+ return krtn;
}
if(dh_signed_data.data) {
- /* not for this implementation... */
- pkiDebug("krb5int_pkinit_as_rep_parse: unexpected dh_signed_data\n");
- krtn = ASN1_BAD_FORMAT;
- goto err_out;
+ /* not for this implementation... */
+ pkiDebug("krb5int_pkinit_as_rep_parse: unexpected dh_signed_data\n");
+ krtn = ASN1_BAD_FORMAT;
+ goto err_out;
}
if(enc_key_pack.data == NULL) {
- /* REQUIRED for this implementation... */
- pkiDebug("krb5int_pkinit_as_rep_parse: no enc_key_pack\n");
- krtn = ASN1_BAD_FORMAT;
- goto err_out;
+ /* REQUIRED for this implementation... */
+ pkiDebug("krb5int_pkinit_as_rep_parse: no enc_key_pack\n");
+ krtn = ASN1_BAD_FORMAT;
+ goto err_out;
}
-
+
krtn = krb5_pkinit_get_client_cert_db(NULL, client_cert, &cert_db);
if(krtn) {
- pkiDebug("krb5int_pkinit_as_rep_parse: error in krb5_pkinit_get_client_cert_db\n");
- goto err_out;
+ pkiDebug("krb5int_pkinit_as_rep_parse: error in krb5_pkinit_get_client_cert_db\n");
+ goto err_out;
}
/*
- * enc_key_pack is an EnvelopedData(SignedData(keyPack), encrypted
- * with our cert (which krb5int_pkinit_parse_content_info() finds
+ * enc_key_pack is an EnvelopedData(SignedData(keyPack), encrypted
+ * with our cert (which krb5int_pkinit_parse_content_info() finds
* implicitly).
*/
krtn = krb5int_pkinit_parse_cms_msg(&enc_key_pack, cert_db, FALSE,
- &is_signed, &is_encrypted,
- &reply_key_pack, &content_type,
- signer_cert, cert_status, num_all_certs, all_certs);
+ &is_signed, &is_encrypted,
+ &reply_key_pack, &content_type,
+ signer_cert, cert_status, num_all_certs, all_certs);
if(krtn) {
- pkiDebug("krb5int_pkinit_as_rep_parse: error decoding EnvelopedData\n");
- goto err_out;
+ pkiDebug("krb5int_pkinit_as_rep_parse: error decoding EnvelopedData\n");
+ goto err_out;
}
if(!is_encrypted || !is_signed) {
- pkiDebug("krb5int_pkinit_as_rep_parse: not signed and encrypted!\n");
- krtn = KRB5_PARSE_MALFORMED;
- goto err_out;
+ pkiDebug("krb5int_pkinit_as_rep_parse: not signed and encrypted!\n");
+ krtn = KRB5_PARSE_MALFORMED;
+ goto err_out;
}
if(content_type != ECT_PkReplyKeyKata) {
- pkiDebug("replyKeyPack eContentType %d!\n", (int)content_type);
- krtn = KRB5_PARSE_MALFORMED;
- goto err_out;
+ pkiDebug("replyKeyPack eContentType %d!\n", (int)content_type);
+ krtn = KRB5_PARSE_MALFORMED;
+ goto err_out;
}
-
- /*
+
+ /*
* Finally, decode that inner content as the ReplyKeyPack which contains
* the actual key and nonce
*/
krtn = krb5int_pkinit_reply_key_pack_decode(&reply_key_pack, key_block, checksum);
if(krtn) {
- pkiDebug("krb5int_pkinit_as_rep_parse: error decoding ReplyKeyPack\n");
+ pkiDebug("krb5int_pkinit_as_rep_parse: error decoding ReplyKeyPack\n");
}
-
+
err_out:
/* free temp mallocd data that we didn't pass back to caller */
if(reply_key_pack.data) {
- free(reply_key_pack.data);
+ free(reply_key_pack.data);
}
if(enc_key_pack.data) {
- free(enc_key_pack.data);
+ free(enc_key_pack.data);
}
if(dh_signed_data.data) {
- free(dh_signed_data.data);
+ free(dh_signed_data.data);
}
if(cert_db) {
- krb5_pkinit_release_cert_db(cert_db);
+ krb5_pkinit_release_cert_db(cert_db);
}
return krtn;
}
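Review bot: Nothing in this part of krb5int_pkinit_as_rep_parse reads `*cert_status` after krb5int_pkinit_parse_cms_msg fills it, so as far as the hunk shows, a zero return means only that the reply decoded as signed and encrypted with the expected content type. Whether parse_cms_msg itself fails on an untrusted chain is not visible here, and neither is the meaning of its `FALSE` argument. The header comment should state the contract, for example `/* A 0 return does not imply the KDC cert chain was accepted; callers must check *cert_status == pki_cs_good before using key_block. */`. It would also help to document that signer_cert and all_certs may already be allocated when a later check jumps to err_out, so the caller knows whether to free them on error. The function's signature and header comment are in the preceding hunk.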
diff --git a/src/lib/krb5/krb/pkinit_apple_cms.c b/src/lib/krb5/krb/pkinit_apple_cms.c
index 353bcab40d..f11b4ee64e 100644
--- a/src/lib/krb5/krb/pkinit_apple_cms.c
+++ b/src/lib/krb5/krb/pkinit_apple_cms.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* Copyright (c) 2004-2008 Apple Inc. All Rights Reserved.
*
@@ -42,20 +43,20 @@
#include <CoreServices/../Frameworks/CarbonCore.framework/Headers/MacErrors.h>
#include <CoreServices/../Frameworks/CarbonCore.framework/Headers/MacTypes.h>
-/*
- * Custom OIDS to specify as eContentType
+/*
+ * Custom OIDS to specify as eContentType
*/
-#define OID_PKINIT 0x2B, 6, 1, 5, 2, 3
-#define OID_PKINIT_LEN 6
+#define OID_PKINIT 0x2B, 6, 1, 5, 2, 3
+#define OID_PKINIT_LEN 6
-static const uint8 OID_PKINIT_AUTH_DATA[] = {OID_PKINIT, 1};
-static const uint8 OID_PKINIT_RKEY_DATA[] = {OID_PKINIT, 3};
+static const uint8 OID_PKINIT_AUTH_DATA[] = {OID_PKINIT, 1};
+static const uint8 OID_PKINIT_RKEY_DATA[] = {OID_PKINIT, 3};
/* these may go public so keep these symbols private */
-static const CSSM_OID _CSSMOID_PKINIT_AUTH_DATA =
- {OID_PKINIT_LEN+1, (uint8 *)OID_PKINIT_AUTH_DATA};
-static const CSSM_OID _CSSMOID_PKINIT_RKEY_DATA =
- {OID_PKINIT_LEN+1, (uint8 *)OID_PKINIT_RKEY_DATA};
+static const CSSM_OID _CSSMOID_PKINIT_AUTH_DATA =
+{OID_PKINIT_LEN+1, (uint8 *)OID_PKINIT_AUTH_DATA};
+static const CSSM_OID _CSSMOID_PKINIT_RKEY_DATA =
+{OID_PKINIT_LEN+1, (uint8 *)OID_PKINIT_RKEY_DATA};
#pragma mark ----- CMS utilities ----
@@ -69,26 +70,26 @@ static krb5int_cert_sig_status pkiCertSigStatus(
OSStatus certStatus)
{
switch(certStatus) {
- case CSSM_OK:
- return pki_cs_good;
- case CSSMERR_CSP_VERIFY_FAILED:
- return pki_cs_sig_verify_fail;
- case CSSMERR_TP_NOT_TRUSTED:
- return pki_cs_no_root;
- case CSSMERR_TP_INVALID_ANCHOR_CERT:
- return pki_cs_unknown_root;
- case CSSMERR_TP_CERT_EXPIRED:
- return pki_cs_expired;
- case CSSMERR_TP_CERT_NOT_VALID_YET:
- return pki_cs_not_valid_yet;
- case CSSMERR_TP_CERT_REVOKED:
- return pki_cs_revoked;
- case KRB5_KDB_UNAUTH:
- return pki_cs_untrusted;
- case CSSMERR_TP_INVALID_CERTIFICATE:
- return pki_cs_bad_leaf;
- default:
- return pki_cs_other_err;
+ case CSSM_OK:
+ return pki_cs_good;
+ case CSSMERR_CSP_VERIFY_FAILED:
+ return pki_cs_sig_verify_fail;
+ case CSSMERR_TP_NOT_TRUSTED:
+ return pki_cs_no_root;
+ case CSSMERR_TP_INVALID_ANCHOR_CERT:
+ return pki_cs_unknown_root;
+ case CSSMERR_TP_CERT_EXPIRED:
+ return pki_cs_expired;
+ case CSSMERR_TP_CERT_NOT_VALID_YET:
+ return pki_cs_not_valid_yet;
+ case CSSMERR_TP_CERT_REVOKED:
+ return pki_cs_revoked;
+ case KRB5_KDB_UNAUTH:
+ return pki_cs_untrusted;
+ case CSSMERR_TP_INVALID_CERTIFICATE:
+ return pki_cs_bad_leaf;
+ default:
+ return pki_cs_other_err;
}
}
@@ -99,24 +100,24 @@ static krb5int_cert_sig_status pkiCertSigStatus(
*/
static krb5int_cert_sig_status pkiInferSigStatus(
CMSSignerStatus cms_status,
- OSStatus tp_status)
+ OSStatus tp_status)
{
switch(cms_status) {
- case kCMSSignerUnsigned:
- return pki_not_signed;
- case kCMSSignerValid:
- return pki_cs_good;
- case kCMSSignerNeedsDetachedContent:
- return pki_bad_cms;
- case kCMSSignerInvalidSignature:
- return pki_cs_sig_verify_fail;
- case kCMSSignerInvalidCert:
- /* proceed with TP status */
- break;
- default:
- return pki_cs_other_err;
+ case kCMSSignerUnsigned:
+ return pki_not_signed;
+ case kCMSSignerValid:
+ return pki_cs_good;
+ case kCMSSignerNeedsDetachedContent:
+ return pki_bad_cms;
+ case kCMSSignerInvalidSignature:
+ return pki_cs_sig_verify_fail;
+ case kCMSSignerInvalidCert:
+ /* proceed with TP status */
+ break;
+ default:
+ return pki_cs_other_err;
}
-
+
/* signature good, infer end status from TP verify */
return pkiCertSigStatus(tp_status);
}
@@ -130,15 +131,15 @@ static OSStatus pkiKrb5DataToSecCert(
{
CSSM_DATA certData;
OSStatus ortn;
-
+
assert((rawCert != NULL) && (secCert != NULL));
-
+
certData.Data = (uint8 *)rawCert->data;
certData.Length = rawCert->length;
- ortn = SecCertificateCreateFromData(&certData, CSSM_CERT_X_509v3,
- CSSM_CERT_ENCODING_DER, secCert);
+ ortn = SecCertificateCreateFromData(&certData, CSSM_CERT_X_509v3,
+ CSSM_CERT_ENCODING_DER, secCert);
if(ortn) {
- pkiCssmErr("SecCertificateCreateFromData", ortn);
+ pkiCssmErr("SecCertificateCreateFromData", ortn);
}
return ortn;
}
@@ -148,52 +149,52 @@ static OSStatus pkiKrb5DataToSecCert(
*/
static krb5_error_code pkiCertArrayToKrb5Data(
CFArrayRef cf_certs,
- unsigned *num_all_certs,
- krb5_data **all_certs)
+ unsigned *num_all_certs,
+ krb5_data **all_certs)
{
CFIndex num_certs;
krb5_data *allCerts = NULL;
krb5_error_code krtn = 0;
CFIndex dex;
-
+
if(cf_certs == NULL) {
- *all_certs = NULL;
- return 0;
+ *all_certs = NULL;
+ return 0;
}
num_certs = CFArrayGetCount(cf_certs);
*num_all_certs = (unsigned)num_certs;
if(num_certs == 0) {
- *all_certs = NULL;
- return 0;
+ *all_certs = NULL;
+ return 0;
}
allCerts = (krb5_data *)malloc(sizeof(krb5_data) * num_certs);
if(allCerts == NULL) {
- return ENOMEM;
+ return ENOMEM;
}
- for(dex=0; dex<num_certs; dex++) {
- CSSM_DATA cert_data;
- OSStatus ortn;
- SecCertificateRef sec_cert;
-
- sec_cert = (SecCertificateRef)CFArrayGetValueAtIndex(cf_certs, dex);
- ortn = SecCertificateGetData(sec_cert, &cert_data);
- if(ortn) {
- pkiCssmErr("SecCertificateGetData", ortn);
- krtn = KRB5_PARSE_MALFORMED;
- break;
- }
- krtn = pkiCssmDataToKrb5Data(&cert_data, &allCerts[dex]);
- if(krtn) {
- break;
- }
+ for(dex=0; dex<num_certs; dex++) {
+ CSSM_DATA cert_data;
+ OSStatus ortn;
+ SecCertificateRef sec_cert;
+
+ sec_cert = (SecCertificateRef)CFArrayGetValueAtIndex(cf_certs, dex);
+ ortn = SecCertificateGetData(sec_cert, &cert_data);
+ if(ortn) {
+ pkiCssmErr("SecCertificateGetData", ortn);
+ krtn = KRB5_PARSE_MALFORMED;
+ break;
+ }
+ krtn = pkiCssmDataToKrb5Data(&cert_data, &allCerts[dex]);
+ if(krtn) {
+ break;
+ }
}
if(krtn) {
- if(allCerts) {
- free(allCerts);
- }
+ if(allCerts) {
+ free(allCerts);
+ }
}
else {
- *all_certs = allCerts;
+ *all_certs = allCerts;
}
return krtn;
}
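Review bot: The error path in the `if(krtn)` block of `pkiCertArrayToKrb5Data` frees only the `allCerts` array, so the `data` buffers already copied for earlier entries leak whenever `SecCertificateGetData` or `pkiCssmDataToKrb5Data` fails partway through the chain. By that point `*num_all_certs` already holds the full count while `*all_certs` is left untouched, and the `cf_certs == NULL` early return never writes `*num_all_certs` at all, so a caller can see a count that does not match the array. Because the certificates come from a decoded CMS message, the failure path should release each copied entry and reset both outputs, as sketched below. The sketch assumes `pkiCssmDataToKrb5Data` leaves `data` unset when it fails, which should be confirmed.

```c
    if(krtn) {
        /* release the copies made for entries before the failing one */
        while(dex-- > 0) {
            free(allCerts[dex].data);
        }
        free(allCerts);
        *num_all_certs = 0;
        *all_certs = NULL;
    }
    /* ... unchanged: else branch storing allCerts, return krtn ... */
```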
@@ -201,78 +202,78 @@ static krb5_error_code pkiCertArrayToKrb5Data(
#pragma mark ----- Create CMS message -----
/*
- * Create a CMS message: either encrypted (EnvelopedData), signed
+ * Create a CMS message: either encrypted (EnvelopedData), signed
* (SignedData), or both (EnvelopedData(SignedData(content)).
*
* The message is signed iff signing_cert is non-NULL.
* The message is encrypted iff recip_cert is non-NULL.
*
* The content_type argument specifies to the eContentType
- * for a SignedData's EncapsulatedContentInfo.
+ * for a SignedData's EncapsulatedContentInfo.
*/
krb5_error_code krb5int_pkinit_create_cms_msg(
- const krb5_data *content, /* Content */
- krb5_pkinit_signing_cert_t signing_cert, /* optional: signed by this cert */
- const krb5_data *recip_cert, /* optional: encrypted with this cert */
- krb5int_cms_content_type content_type, /* OID for EncapsulatedData */
- krb5_ui_4 num_cms_types, /* optional, unused here */
- const krb5int_algorithm_id *cms_types, /* optional, unused here */
- krb5_data *content_info) /* contents mallocd and RETURNED */
+ const krb5_data *content, /* Content */
+ krb5_pkinit_signing_cert_t signing_cert, /* optional: signed by this cert */
+ const krb5_data *recip_cert, /* optional: encrypted with this cert */
+ krb5int_cms_content_type content_type, /* OID for EncapsulatedData */
+ krb5_ui_4 num_cms_types, /* optional, unused here */
+ const krb5int_algorithm_id *cms_types, /* optional, unused here */
+ krb5_data *content_info) /* contents mallocd and RETURNED */
{
krb5_error_code krtn;
OSStatus ortn;
SecCertificateRef sec_recip = NULL;
CFDataRef cf_content = NULL;
const CSSM_OID *eContentOid = NULL;
-
+
if((signing_cert == NULL) && (recip_cert == NULL)) {
- /* must have one or the other */
- pkiDebug("krb5int_pkinit_create_cms_msg: no signer or recipient\n");
- return KRB5_CRYPTO_INTERNAL;
+ /* must have one or the other */
+ pkiDebug("krb5int_pkinit_create_cms_msg: no signer or recipient\n");
+ return KRB5_CRYPTO_INTERNAL;
}
-
- /*
- * Optional signer cert. Note signing_cert, if present, is
- * a SecIdentityRef.
+
+ /*
+ * Optional signer cert. Note signing_cert, if present, is
+ * a SecIdentityRef.
*/
if(recip_cert) {
- if(pkiKrb5DataToSecCert(recip_cert, &sec_recip)) {
- krtn = ASN1_BAD_FORMAT;
- goto errOut;
- }
+ if(pkiKrb5DataToSecCert(recip_cert, &sec_recip)) {
+ krtn = ASN1_BAD_FORMAT;
+ goto errOut;
+ }
}
-
+
/* optional eContentType */
if(signing_cert) {
- switch(content_type) {
- case ECT_PkAuthData:
- eContentOid = &_CSSMOID_PKINIT_AUTH_DATA;
- break;
- case ECT_PkReplyKeyKata:
- eContentOid = &_CSSMOID_PKINIT_RKEY_DATA;
- break;
- case ECT_Data:
- /* the only standard/default case we allow */
- break;
- default:
- /* others: no can do */
- pkiDebug("krb5int_pkinit_create_cms_msg: bad contentType\n");
- krtn = KRB5_CRYPTO_INTERNAL;
- goto errOut;
- }
+ switch(content_type) {
+ case ECT_PkAuthData:
+ eContentOid = &_CSSMOID_PKINIT_AUTH_DATA;
+ break;
+ case ECT_PkReplyKeyKata:
+ eContentOid = &_CSSMOID_PKINIT_RKEY_DATA;
+ break;
+ case ECT_Data:
+ /* the only standard/default case we allow */
+ break;
+ default:
+ /* others: no can do */
+ pkiDebug("krb5int_pkinit_create_cms_msg: bad contentType\n");
+ krtn = KRB5_CRYPTO_INTERNAL;
+ goto errOut;
+ }
}
-
+
/* GO */
ortn = CMSEncode((SecIdentityRef)signing_cert, sec_recip,
- eContentOid,
- FALSE, /* detachedContent */
- kCMSAttrNone, /* no signed attributes that I know of */
- content->data, content->length,
- &cf_content);
+ eContentOid,
+ FALSE, /* detachedContent */
+ kCMSAttrNone, /* no signed attributes that I know of */
+ content->data, content->length,
+ &cf_content);
if(ortn) {
- pkiCssmErr("CMSEncode", ortn);
- krtn = KRB5_CRYPTO_INTERNAL;
- goto errOut;
+ pkiCssmErr("CMSEncode", ortn);
+ krtn = KRB5_CRYPTO_INTERNAL;
+ goto errOut;
}
krtn = pkiCfDataToKrb5Data(cf_content, content_info);
errOut:
@@ -285,22 +286,22 @@ errOut:
/*
* Parse a ContentInfo as best we can. All return fields are optional.
- * If signer_cert_status is NULL on entry, NO signature or cert evaluation
- * will be performed.
+ * If signer_cert_status is NULL on entry, NO signature or cert evaluation
+ * will be performed.
*/
krb5_error_code krb5int_pkinit_parse_cms_msg(
- const krb5_data *content_info,
- krb5_pkinit_cert_db_t cert_db, /* may be required for SignedData */
- krb5_boolean is_client_msg, /* TRUE : msg is from client */
- krb5_boolean *is_signed, /* RETURNED */
- krb5_boolean *is_encrypted, /* RETURNED */
- krb5_data *raw_data, /* RETURNED */
+ const krb5_data *content_info,
+ krb5_pkinit_cert_db_t cert_db, /* may be required for SignedData */
+ krb5_boolean is_client_msg, /* TRUE : msg is from client */
+ krb5_boolean *is_signed, /* RETURNED */
+ krb5_boolean *is_encrypted, /* RETURNED */
+ krb5_data *raw_data, /* RETURNED */
krb5int_cms_content_type *inner_content_type,/* Returned, ContentType of */
- /* EncapsulatedData */
- krb5_data *signer_cert, /* RETURNED */
+ /* EncapsulatedData */
+ krb5_data *signer_cert, /* RETURNED */
krb5int_cert_sig_status *signer_cert_status,/* RETURNED */
- unsigned *num_all_certs, /* size of *all_certs RETURNED */
- krb5_data **all_certs) /* entire cert chain RETURNED */
+ unsigned *num_all_certs, /* size of *all_certs RETURNED */
+ krb5_data **all_certs) /* entire cert chain RETURNED */
{
SecPolicySearchRef policy_search = NULL;
SecPolicyRef policy = NULL;
@@ -312,219 +313,219 @@ krb5_error_code krb5int_pkinit_parse_cms_msg(
OSStatus cert_verify_status;
CFArrayRef cf_all_certs = NULL;
int msg_is_signed = 0;
-
+
if(content_info == NULL) {
- pkiDebug("krb5int_pkinit_parse_cms_msg: no ContentInfo\n");
- return KRB5_CRYPTO_INTERNAL;
+ pkiDebug("krb5int_pkinit_parse_cms_msg: no ContentInfo\n");
+ return KRB5_CRYPTO_INTERNAL;
}
-
+
ortn = CMSDecoderCreate(&decoder);
if(ortn) {
- return ENOMEM;
+ return ENOMEM;
}
ortn = CMSDecoderUpdateMessage(decoder, content_info->data, content_info->length);
if(ortn) {
- /* no verify yet, must be bad message */
- krtn = KRB5_PARSE_MALFORMED;
- goto errOut;
+ /* no verify yet, must be bad message */
+ krtn = KRB5_PARSE_MALFORMED;
+ goto errOut;
}
ortn = CMSDecoderFinalizeMessage(decoder);
if(ortn) {
- pkiCssmErr("CMSDecoderFinalizeMessage", ortn);
- krtn = KRB5_PARSE_MALFORMED;
- goto errOut;
+ pkiCssmErr("CMSDecoderFinalizeMessage", ortn);
+ krtn = KRB5_PARSE_MALFORMED;
+ goto errOut;
}
/* expect zero or one signers */
ortn = CMSDecoderGetNumSigners(decoder, &num_signers);
switch(num_signers) {
- case 0:
- msg_is_signed = 0;
- break;
- case 1:
- msg_is_signed = 1;
- break;
- default:
- krtn = KRB5_PARSE_MALFORMED;
- goto errOut;
+ case 0:
+ msg_is_signed = 0;
+ break;
+ case 1:
+ msg_is_signed = 1;
+ break;
+ default:
+ krtn = KRB5_PARSE_MALFORMED;
+ goto errOut;
}
/*
- * We need a cert verify policy even if we're not actually evaluating
+ * We need a cert verify policy even if we're not actually evaluating
* the cert due to requirements in libsecurity_smime.
*/
ortn = SecPolicySearchCreate(CSSM_CERT_X_509v3,
- is_client_msg ? &CSSMOID_APPLE_TP_PKINIT_CLIENT : &CSSMOID_APPLE_TP_PKINIT_SERVER,
- NULL, &policy_search);
+ is_client_msg ? &CSSMOID_APPLE_TP_PKINIT_CLIENT : &CSSMOID_APPLE_TP_PKINIT_SERVER,
+ NULL, &policy_search);
if(ortn) {
- pkiCssmErr("SecPolicySearchCreate", ortn);
- krtn = KRB5_CRYPTO_INTERNAL;
- goto errOut;
+ pkiCssmErr("SecPolicySearchCreate", ortn);
+ krtn = KRB5_CRYPTO_INTERNAL;
+ goto errOut;
}
ortn = SecPolicySearchCopyNext(policy_search, &policy);
if(ortn) {
- pkiCssmErr("SecPolicySearchCopyNext", ortn);
- krtn = KRB5_CRYPTO_INTERNAL;
- goto errOut;
+ pkiCssmErr("SecPolicySearchCopyNext", ortn);
+ krtn = KRB5_CRYPTO_INTERNAL;
+ goto errOut;
}
-
+
/* get some basic status that doesn't need heavyweight evaluation */
if(msg_is_signed) {
- if(is_signed) {
- *is_signed = TRUE;
- }
- if(inner_content_type) {
- CSSM_OID ec_oid = {0, NULL};
- CFDataRef ec_data = NULL;
-
- krb5int_cms_content_type ctype;
-
- ortn = CMSDecoderCopyEncapsulatedContentType(decoder, &ec_data);
- if(ortn || (ec_data == NULL)) {
- pkiCssmErr("CMSDecoderCopyEncapsulatedContentType", ortn);
- krtn = KRB5_CRYPTO_INTERNAL;
- goto errOut;
- }
- ec_oid.Data = (uint8 *)CFDataGetBytePtr(ec_data);
- ec_oid.Length = CFDataGetLength(ec_data);
- if(pkiCompareCssmData(&ec_oid, &CSSMOID_PKCS7_Data)) {
- ctype = ECT_Data;
- }
- else if(pkiCompareCssmData(&ec_oid, &CSSMOID_PKCS7_SignedData)) {
- ctype = ECT_SignedData;
- }
- else if(pkiCompareCssmData(&ec_oid, &CSSMOID_PKCS7_EnvelopedData)) {
- ctype = ECT_EnvelopedData;
- }
- else if(pkiCompareCssmData(&ec_oid, &CSSMOID_PKCS7_EncryptedData)) {
- ctype = ECT_EncryptedData;
- }
- else if(pkiCompareCssmData(&ec_oid, &_CSSMOID_PKINIT_AUTH_DATA)) {
- ctype = ECT_PkAuthData;
- }
- else if(pkiCompareCssmData(&ec_oid, &_CSSMOID_PKINIT_RKEY_DATA)) {
- ctype = ECT_PkReplyKeyKata;
- }
- else {
- ctype = ECT_Other;
- }
- *inner_content_type = ctype;
- CFRelease(ec_data);
- }
-
- /*
- * Get SignedData's certs if the caller wants them
- */
- if(all_certs) {
- ortn = CMSDecoderCopyAllCerts(decoder, &cf_all_certs);
- if(ortn) {
- pkiCssmErr("CMSDecoderCopyAllCerts", ortn);
- krtn = KRB5_CRYPTO_INTERNAL;
- goto errOut;
- }
- krtn = pkiCertArrayToKrb5Data(cf_all_certs, num_all_certs, all_certs);
- if(krtn) {
- goto errOut;
- }
- }
-
- /* optional signer cert */
- if(signer_cert) {
- SecCertificateRef sec_signer_cert = NULL;
- CSSM_DATA cert_data;
-
- ortn = CMSDecoderCopySignerCert(decoder, 0, &sec_signer_cert);
- if(ortn) {
- /* should never happen if it's signed */
- pkiCssmErr("CMSDecoderCopySignerStatus", ortn);
- krtn = KRB5_CRYPTO_INTERNAL;
- goto errOut;
- }
- ortn = SecCertificateGetData(sec_signer_cert, &cert_data);
- if(ortn) {
- pkiCssmErr("SecCertificateGetData", ortn);
- CFRelease(sec_signer_cert);
- krtn = KRB5_CRYPTO_INTERNAL;
- goto errOut;
- }
- krtn = pkiDataToKrb5Data(cert_data.Data, cert_data.Length, signer_cert);
- CFRelease(sec_signer_cert);
- if(krtn) {
- goto errOut;
- }
- }
+ if(is_signed) {
+ *is_signed = TRUE;
+ }
+ if(inner_content_type) {
+ CSSM_OID ec_oid = {0, NULL};
+ CFDataRef ec_data = NULL;
+
+ krb5int_cms_content_type ctype;
+
+ ortn = CMSDecoderCopyEncapsulatedContentType(decoder, &ec_data);
+ if(ortn || (ec_data == NULL)) {
+ pkiCssmErr("CMSDecoderCopyEncapsulatedContentType", ortn);
+ krtn = KRB5_CRYPTO_INTERNAL;
+ goto errOut;
+ }
+ ec_oid.Data = (uint8 *)CFDataGetBytePtr(ec_data);
+ ec_oid.Length = CFDataGetLength(ec_data);
+ if(pkiCompareCssmData(&ec_oid, &CSSMOID_PKCS7_Data)) {
+ ctype = ECT_Data;
+ }
+ else if(pkiCompareCssmData(&ec_oid, &CSSMOID_PKCS7_SignedData)) {
+ ctype = ECT_SignedData;
+ }
+ else if(pkiCompareCssmData(&ec_oid, &CSSMOID_PKCS7_EnvelopedData)) {
+ ctype = ECT_EnvelopedData;
+ }
+ else if(pkiCompareCssmData(&ec_oid, &CSSMOID_PKCS7_EncryptedData)) {
+ ctype = ECT_EncryptedData;
+ }
+ else if(pkiCompareCssmData(&ec_oid, &_CSSMOID_PKINIT_AUTH_DATA)) {
+ ctype = ECT_PkAuthData;
+ }
+ else if(pkiCompareCssmData(&ec_oid, &_CSSMOID_PKINIT_RKEY_DATA)) {
+ ctype = ECT_PkReplyKeyKata;
+ }
+ else {
+ ctype = ECT_Other;
+ }
+ *inner_content_type = ctype;
+ CFRelease(ec_data);
+ }
+
+ /*
+ * Get SignedData's certs if the caller wants them
+ */
+ if(all_certs) {
+ ortn = CMSDecoderCopyAllCerts(decoder, &cf_all_certs);
+ if(ortn) {
+ pkiCssmErr("CMSDecoderCopyAllCerts", ortn);
+ krtn = KRB5_CRYPTO_INTERNAL;
+ goto errOut;
+ }
+ krtn = pkiCertArrayToKrb5Data(cf_all_certs, num_all_certs, all_certs);
+ if(krtn) {
+ goto errOut;
+ }
+ }
+
+ /* optional signer cert */
+ if(signer_cert) {
+ SecCertificateRef sec_signer_cert = NULL;
+ CSSM_DATA cert_data;
+
+ ortn = CMSDecoderCopySignerCert(decoder, 0, &sec_signer_cert);
+ if(ortn) {
+ /* should never happen if it's signed */
+ pkiCssmErr("CMSDecoderCopySignerStatus", ortn);
+ krtn = KRB5_CRYPTO_INTERNAL;
+ goto errOut;
+ }
+ ortn = SecCertificateGetData(sec_signer_cert, &cert_data);
+ if(ortn) {
+ pkiCssmErr("SecCertificateGetData", ortn);
+ CFRelease(sec_signer_cert);
+ krtn = KRB5_CRYPTO_INTERNAL;
+ goto errOut;
+ }
+ krtn = pkiDataToKrb5Data(cert_data.Data, cert_data.Length, signer_cert);
+ CFRelease(sec_signer_cert);
+ if(krtn) {
+ goto errOut;
+ }
+ }
}
else {
- /* not signed */
- if(is_signed) {
- *is_signed = FALSE;
- }
- if(inner_content_type) {
- *inner_content_type = ECT_Other;
- }
- if(signer_cert) {
- signer_cert->data = NULL;
- signer_cert->length = 0;
- }
- if(signer_cert_status) {
- *signer_cert_status = pki_not_signed;
- }
- if(num_all_certs) {
- *num_all_certs = 0;
- }
- if(all_certs) {
- *all_certs = NULL;
- }
+ /* not signed */
+ if(is_signed) {
+ *is_signed = FALSE;
+ }
+ if(inner_content_type) {
+ *inner_content_type = ECT_Other;
+ }
+ if(signer_cert) {
+ signer_cert->data = NULL;
+ signer_cert->length = 0;
+ }
+ if(signer_cert_status) {
+ *signer_cert_status = pki_not_signed;
+ }
+ if(num_all_certs) {
+ *num_all_certs = 0;
+ }
+ if(all_certs) {
+ *all_certs = NULL;
+ }
}
if(is_encrypted) {
- Boolean bencr;
- ortn = CMSDecoderIsContentEncrypted(decoder, &bencr);
- if(ortn) {
- pkiCssmErr("CMSDecoderCopySignerStatus", ortn);
- krtn = KRB5_CRYPTO_INTERNAL;
- goto errOut;
- }
- *is_encrypted = bencr ? TRUE : FALSE;
+ Boolean bencr;
+ ortn = CMSDecoderIsContentEncrypted(decoder, &bencr);
+ if(ortn) {
+ pkiCssmErr("CMSDecoderCopySignerStatus", ortn);
+ krtn = KRB5_CRYPTO_INTERNAL;
+ goto errOut;
+ }
+ *is_encrypted = bencr ? TRUE : FALSE;
}
-
- /*
+
+ /*
* Verify signature and cert. The actual verify operation is optional,
* per our signer_cert_status argument, but we do this anyway if we need
* to get the signer cert.
*/
if((signer_cert_status != NULL) || (signer_cert != NULL)) {
-
- ortn = CMSDecoderCopySignerStatus(decoder,
- 0, /* signerIndex */
- policy,
- signer_cert_status ? TRUE : FALSE, /* evaluateSecTrust */
- &signer_status,
- NULL, /* secTrust - not needed */
- &cert_verify_status);
- if(ortn) {
- /* gross error - subsequent processing impossible */
- pkiCssmErr("CMSDecoderCopySignerStatus", ortn);
- krtn = KRB5_PARSE_MALFORMED;
- goto errOut;
- }
+
+ ortn = CMSDecoderCopySignerStatus(decoder,
+ 0, /* signerIndex */
+ policy,
+ signer_cert_status ? TRUE : FALSE, /* evaluateSecTrust */
+ &signer_status,
+ NULL, /* secTrust - not needed */
+ &cert_verify_status);
+ if(ortn) {
+ /* gross error - subsequent processing impossible */
+ pkiCssmErr("CMSDecoderCopySignerStatus", ortn);
+ krtn = KRB5_PARSE_MALFORMED;
+ goto errOut;
+ }
}
/* obtain & return status */
if(signer_cert_status) {
- *signer_cert_status = pkiInferSigStatus(signer_status, cert_verify_status);
+ *signer_cert_status = pkiInferSigStatus(signer_status, cert_verify_status);
}
-
+
/* finally, the payload */
if(raw_data) {
- CFDataRef cf_content = NULL;
-
- ortn = CMSDecoderCopyContent(decoder, &cf_content);
- if(ortn) {
- pkiCssmErr("CMSDecoderCopyContent", ortn);
- krtn = KRB5_PARSE_MALFORMED;
- goto errOut;
- }
- krtn = pkiCfDataToKrb5Data(cf_content, raw_data);
- CFRELEASE(cf_content);
+ CFDataRef cf_content = NULL;
+
+ ortn = CMSDecoderCopyContent(decoder, &cf_content);
+ if(ortn) {
+ pkiCssmErr("CMSDecoderCopyContent", ortn);
+ krtn = KRB5_PARSE_MALFORMED;
+ goto errOut;
+ }
+ krtn = pkiCfDataToKrb5Data(cf_content, raw_data);
+ CFRELEASE(cf_content);
}
errOut:
CFRELEASE(policy_search);
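Review bot: The result of `CMSDecoderGetNumSigners` is stored in `ortn` and then ignored, so the `switch(num_signers)` that follows decides whether the message counts as signed without knowing that the call succeeded. A guard before the switch, `if(ortn) { pkiCssmErr("CMSDecoderGetNumSigners", ortn); krtn = KRB5_PARSE_MALFORMED; goto errOut; }`, keeps a decoder failure from being read as a signer count. Further down, the `CMSDecoderCopySignerStatus` block runs whenever `signer_cert_status` or `signer_cert` is non-NULL, even when `msg_is_signed` is 0, so an unsigned message either fails there or has the `pki_not_signed` value from the unsigned branch overwritten, depending on what the decoder returns. Gating that block and the final status assignment on `msg_is_signed` would make the unsigned path explicit. The function starts before this hunk and its cleanup continues after it, so the initial value of `num_signers` is not visible here.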
@@ -535,8 +536,8 @@ errOut:
}
krb5_error_code krb5int_pkinit_get_cms_types(
- krb5int_algorithm_id **supported_cms_types, /* RETURNED */
- krb5_ui_4 *num_supported_cms_types) /* RETURNED */
+ krb5int_algorithm_id **supported_cms_types, /* RETURNED */
+ krb5_ui_4 *num_supported_cms_types) /* RETURNED */
{
/* no preference */
*supported_cms_types = NULL;
@@ -546,12 +547,12 @@ krb5_error_code krb5int_pkinit_get_cms_types(
krb5_error_code krb5int_pkinit_free_cms_types(
krb5int_algorithm_id *supported_cms_types,
- krb5_ui_4 num_supported_cms_types)
+ krb5_ui_4 num_supported_cms_types)
{
- /*
+ /*
* We don't return anything from krb5int_pkinit_get_cms_types(), and
* if we did, it would be a pointer to a statically declared array,
- * so this is a nop.
+ * so this is a nop.
*/
return 0;
}
diff --git a/src/lib/krb5/krb/pkinit_apple_utils.c b/src/lib/krb5/krb/pkinit_apple_utils.c
index f539693fdc..83b5922187 100644
--- a/src/lib/krb5/krb/pkinit_apple_utils.c
+++ b/src/lib/krb5/krb/pkinit_apple_utils.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* Copyright (c) 2004-2008 Apple Inc. All Rights Reserved.
*
@@ -28,7 +29,7 @@
*
* Created 19 May 2004 by Doug Mitchell at Apple.
*/
-
+
#if APPLE_PKINIT
#include "pkinit_apple_utils.h"
@@ -41,7 +42,7 @@
#include <ctype.h>
#include <Security/Security.h>
-/*
+/*
* Cruft needed to attach to a module
*/
static CSSM_VERSION vers = {2, 0};
@@ -51,28 +52,28 @@ static const CSSM_GUID testGuid = { 0xFADE, 0, 0, { 1,2,3,4,5,6,7,0 }};
* Standard app-level memory functions required by CDSA.
*/
static void * cuAppMalloc (CSSM_SIZE size, void *allocRef) {
- return( malloc(size) );
+ return( malloc(size) );
}
static void cuAppFree (void *mem_ptr, void *allocRef) {
- free(mem_ptr);
- return;
+ free(mem_ptr);
+ return;
}
static void * cuAppRealloc (void *ptr, CSSM_SIZE size, void *allocRef) {
- return( realloc( ptr, size ) );
+ return( realloc( ptr, size ) );
}
static void * cuAppCalloc (uint32 num, CSSM_SIZE size, void *allocRef) {
- return( calloc( num, size ) );
+ return( calloc( num, size ) );
}
static CSSM_API_MEMORY_FUNCS memFuncs = {
- cuAppMalloc,
- cuAppFree,
- cuAppRealloc,
- cuAppCalloc,
- NULL
+ cuAppMalloc,
+ cuAppFree,
+ cuAppRealloc,
+ cuAppCalloc,
+ NULL
};
/*
@@ -84,23 +85,23 @@ static CSSM_BOOL cuCssmStartup()
{
CSSM_RETURN crtn;
CSSM_PVC_MODE pvcPolicy = CSSM_PVC_NONE;
-
+
if(cssmInitd) {
- return CSSM_TRUE;
- }
- crtn = CSSM_Init (&vers,
- CSSM_PRIVILEGE_SCOPE_NONE,
- &testGuid,
- CSSM_KEY_HIERARCHY_NONE,
- &pvcPolicy,
- NULL /* reserved */);
- if(crtn != CSSM_OK)
+ return CSSM_TRUE;
+ }
+ crtn = CSSM_Init (&vers,
+ CSSM_PRIVILEGE_SCOPE_NONE,
+ &testGuid,
+ CSSM_KEY_HIERARCHY_NONE,
+ &pvcPolicy,
+ NULL /* reserved */);
+ if(crtn != CSSM_OK)
{
- return CSSM_FALSE;
+ return CSSM_FALSE;
}
else {
- cssmInitd = CSSM_TRUE;
- return CSSM_TRUE;
+ cssmInitd = CSSM_TRUE;
+ return CSSM_TRUE;
}
}
@@ -108,42 +109,42 @@ CSSM_CL_HANDLE pkiClStartup(void)
{
CSSM_CL_HANDLE clHand;
CSSM_RETURN crtn;
-
+
if(cuCssmStartup() == CSSM_FALSE) {
- return 0;
+ return 0;
}
crtn = CSSM_ModuleLoad(&gGuidAppleX509CL,
- CSSM_KEY_HIERARCHY_NONE,
- NULL, /* eventHandler */
- NULL); /* AppNotifyCallbackCtx */
+ CSSM_KEY_HIERARCHY_NONE,
+ NULL, /* eventHandler */
+ NULL); /* AppNotifyCallbackCtx */
if(crtn) {
- return 0;
+ return 0;
}
crtn = CSSM_ModuleAttach (&gGuidAppleX509CL,
- &vers,
- &memFuncs, /* memFuncs */
- 0, /* SubserviceID */
- CSSM_SERVICE_CL, /* SubserviceFlags - Where is this used? */
- 0, /* AttachFlags */
- CSSM_KEY_HIERARCHY_NONE,
- NULL, /* FunctionTable */
- 0, /* NumFuncTable */
- NULL, /* reserved */
- &clHand);
+ &vers,
+ &memFuncs, /* memFuncs */
+ 0, /* SubserviceID */
+ CSSM_SERVICE_CL, /* SubserviceFlags - Where is this used? */
+ 0, /* AttachFlags */
+ CSSM_KEY_HIERARCHY_NONE,
+ NULL, /* FunctionTable */
+ 0, /* NumFuncTable */
+ NULL, /* reserved */
+ &clHand);
if(crtn) {
- return 0;
+ return 0;
}
else {
- return clHand;
+ return clHand;
}
}
CSSM_RETURN pkiClDetachUnload(
- CSSM_CL_HANDLE clHand)
+ CSSM_CL_HANDLE clHand)
{
CSSM_RETURN crtn = CSSM_ModuleDetach(clHand);
if(crtn) {
- return crtn;
+ return crtn;
}
return CSSM_ModuleUnload(&gGuidAppleX509CL, NULL, NULL);
}
@@ -152,33 +153,33 @@ CSSM_RETURN pkiClDetachUnload(
* CSSM_DATA <--> krb5_ui_4
*/
krb5_error_code pkiDataToInt(
- const CSSM_DATA *cdata,
- krb5_int32 *i) /* RETURNED */
+ const CSSM_DATA *cdata,
+ krb5_int32 *i) /* RETURNED */
{
krb5_ui_4 len;
krb5_int32 rtn = 0;
krb5_ui_4 dex;
uint8 *cp = NULL;
-
+
if((cdata->Length == 0) || (cdata->Data == NULL)) {
- *i = 0;
- return 0;
+ *i = 0;
+ return 0;
}
len = cdata->Length;
if(len > sizeof(krb5_int32)) {
- return ASN1_BAD_LENGTH;
+ return ASN1_BAD_LENGTH;
}
-
+
cp = cdata->Data;
for(dex=0; dex<len; dex++) {
- rtn = (rtn << 8) | *cp++;
+ rtn = (rtn << 8) | *cp++;
}
*i = rtn;
return 0;
}
krb5_error_code pkiIntToData(
- krb5_int32 num,
+ krb5_int32 num,
CSSM_DATA *cdata,
SecAsn1CoderRef coder)
{
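Review bot: `rtn = (rtn << 8) | *cp++;` in `pkiDataToInt` accumulates into a signed `krb5_int32`, so a four-byte input whose leading byte has the high bit set shifts a value past the sign bit, which is undefined behaviour in C. Accumulating in the unsigned type already used in this function and converting once at the end avoids that: `krb5_ui_4 acc = 0;`, `acc = (acc << 8) | *cp++;`, `*i = (krb5_int32)acc;`. `cdata` and `i` are also dereferenced without any check, whereas the other converters in this file use `assert` on their pointer arguments; an `assert((cdata != NULL) && (i != NULL));` at the top would match them. The hunk ends inside `pkiIntToData`, which is not covered by this note.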
@@ -186,26 +187,26 @@ krb5_error_code pkiIntToData(
uint32 len = 0;
uint8 *cp = NULL;
unsigned i;
-
+
if(unum < 0x100) {
- len = 1;
+ len = 1;
}
else if(unum < 0x10000) {
- len = 2;
+ len = 2;
}
else if(unum < 0x1000000) {
- len = 3;
+ len = 3;
}
else {
- len = 4;
+ len = 4;
}
if(SecAsn1AllocItem(coder, cdata, len)) {
- return ENOMEM;
+ return ENOMEM;
}
cp = &cdata->Data[len - 1];
for(i=0; i<len; i++) {
- *cp-- = unum & 0xff;
- unum >>= 8;
+ *cp-- = unum & 0xff;
+ unum >>= 8;
}
return 0;
}
@@ -222,14 +223,14 @@ krb5_error_code pkiDataToKrb5Data(
assert(kd != NULL);
kd->data = (char *)malloc(dataLen);
if(kd->data == NULL) {
- return ENOMEM;
+ return ENOMEM;
}
kd->length = dataLen;
memmove(kd->data, data, dataLen);
return 0;
}
-/*
+/*
* CSSM_DATA <--> krb5_data
*
* CSSM_DATA data is managed by a SecAsn1CoderRef; krb5_data data is mallocd.
@@ -237,7 +238,7 @@ krb5_error_code pkiDataToKrb5Data(
* Both return nonzero on error.
*/
krb5_error_code pkiCssmDataToKrb5Data(
- const CSSM_DATA *cd,
+ const CSSM_DATA *cd,
krb5_data *kd)
{
assert(cd != NULL);
@@ -251,20 +252,20 @@ krb5_error_code pkiKrb5DataToCssm(
{
assert((cd != NULL) && (kd != NULL));
if(SecAsn1AllocCopy(coder, kd->data, kd->length, cd)) {
- return ENOMEM;
+ return ENOMEM;
}
return 0;
}
-/*
+/*
* CFDataRef --> krb5_data, mallocing the destination contents.
*/
krb5_error_code pkiCfDataToKrb5Data(
- CFDataRef cfData,
- krb5_data *kd) /* content mallocd and RETURNED */
+ CFDataRef cfData,
+ krb5_data *kd) /* content mallocd and RETURNED */
{
return pkiDataToKrb5Data(CFDataGetBytePtr(cfData),
- CFDataGetLength(cfData), kd);
+ CFDataGetLength(cfData), kd);
}
krb5_boolean pkiCompareCssmData(
@@ -272,79 +273,79 @@ krb5_boolean pkiCompareCssmData(
const CSSM_DATA *d2)
{
if((d1 == NULL) || (d2 == NULL)) {
- return FALSE;
+ return FALSE;
}
if(d1->Length != d2->Length) {
- return FALSE;
+ return FALSE;
}
if(memcmp(d1->Data, d2->Data, d1->Length)) {
- return FALSE;
+ return FALSE;
}
else {
- return TRUE;
+ return TRUE;
}
}
-/*
+/*
* krb5_timestamp --> a mallocd string in generalized format
*/
krb5_error_code pkiKrbTimestampToStr(
krb5_timestamp kts,
- char **str) /* mallocd and RETURNED */
+ char **str) /* mallocd and RETURNED */
{
char *outStr = NULL;
time_t gmt_time = kts;
struct tm *utc = gmtime(&gmt_time);
if (utc == NULL ||
- utc->tm_year > 8099 || utc->tm_mon > 11 ||
- utc->tm_mday > 31 || utc->tm_hour > 23 ||
- utc->tm_min > 59 || utc->tm_sec > 59) {
- return ASN1_BAD_GMTIME;
+ utc->tm_year > 8099 || utc->tm_mon > 11 ||
+ utc->tm_mday > 31 || utc->tm_hour > 23 ||
+ utc->tm_min > 59 || utc->tm_sec > 59) {
+ return ASN1_BAD_GMTIME;
}
if (asprintf(&outStr, "%04d%02d%02d%02d%02d%02dZ",
- utc->tm_year + 1900, utc->tm_mon + 1,
- utc->tm_mday, utc->tm_hour, utc->tm_min, utc->tm_sec) < 0) {
- return ENOMEM;
+ utc->tm_year + 1900, utc->tm_mon + 1,
+ utc->tm_mday, utc->tm_hour, utc->tm_min, utc->tm_sec) < 0) {
+ return ENOMEM;
}
*str = outStr;
return 0;
}
krb5_error_code pkiTimeStrToKrbTimestamp(
- const char *str,
- unsigned len,
+ const char *str,
+ unsigned len,
krb5_timestamp *kts) /* RETURNED */
{
- char szTemp[5];
- unsigned x;
- unsigned i;
- char *cp;
- struct tm tmp;
+ char szTemp[5];
+ unsigned x;
+ unsigned i;
+ char *cp;
+ struct tm tmp;
time_t t;
-
+
if(len != 15) {
- return ASN1_BAD_LENGTH;
+ return ASN1_BAD_LENGTH;
}
if((str == NULL) || (kts == NULL)) {
- return KRB5_CRYPTO_INTERNAL;
+ return KRB5_CRYPTO_INTERNAL;
}
-
+
cp = (char *)str;
memset(&tmp, 0, sizeof(tmp));
-
+
/* check that all characters except last are digits */
for(i=0; i<(len - 1); i++) {
- if ( !(isdigit(cp[i])) ) {
- return ASN1_BAD_TIMEFORMAT;
- }
+ if ( !(isdigit(cp[i])) ) {
+ return ASN1_BAD_TIMEFORMAT;
+ }
}
/* check last character is a 'Z' */
- if(cp[len - 1] != 'Z' ) {
- return ASN1_BAD_TIMEFORMAT;
+ if(cp[len - 1] != 'Z' ) {
+ return ASN1_BAD_TIMEFORMAT;
}
-
+
/* YEAR */
szTemp[0] = *cp++;
szTemp[1] = *cp++;
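Review bot: `isdigit(cp[i])` in the digit check of `pkiTimeStrToKrbTimestamp` passes a plain `char`, which can be negative where `char` is signed. The `<ctype.h>` functions are only defined for `unsigned char` values and `EOF`, and this string appears to come from a decoded message. The call should be `if ( !(isdigit((unsigned char)cp[i])) )`. In the same hunk `pkiKrbTimestampToStr` calls `gmtime`, whose static result can be overwritten by another thread; `gmtime_r(&gmt_time, &tm_buf)` with a local `struct tm` removes that dependency if this code can run on several threads. The body of `pkiTimeStrToKrbTimestamp` continues past the end of this hunk.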
@@ -362,7 +363,7 @@ krb5_error_code pkiTimeStrToKrbTimestamp(
x = atoi( szTemp );
/* in the string, months are from 1 to 12 */
if((x > 12) || (x <= 0)) {
- return ASN1_BAD_TIMEFORMAT;
+ return ASN1_BAD_TIMEFORMAT;
}
/* in a tm, 0 to 11 */
tmp.tm_mon = x - 1;
@@ -374,7 +375,7 @@ krb5_error_code pkiTimeStrToKrbTimestamp(
x = atoi( szTemp );
/* 1..31 */
if((x > 31) || (x <= 0)) {
- return ASN1_BAD_TIMEFORMAT;
+ return ASN1_BAD_TIMEFORMAT;
}
tmp.tm_mday = x;
@@ -384,7 +385,7 @@ krb5_error_code pkiTimeStrToKrbTimestamp(
szTemp[2] = '\0';
x = atoi( szTemp );
if((x > 23) || (x < 0)) {
- return ASN1_BAD_TIMEFORMAT;
+ return ASN1_BAD_TIMEFORMAT;
}
tmp.tm_hour = x;
@@ -394,7 +395,7 @@ krb5_error_code pkiTimeStrToKrbTimestamp(
szTemp[2] = '\0';
x = atoi( szTemp );
if((x > 59) || (x < 0)) {
- return ASN1_BAD_TIMEFORMAT;
+ return ASN1_BAD_TIMEFORMAT;
}
tmp.tm_min = x;
@@ -404,12 +405,12 @@ krb5_error_code pkiTimeStrToKrbTimestamp(
szTemp[2] = '\0';
x = atoi( szTemp );
if((x > 59) || (x < 0)) {
- return ASN1_BAD_TIMEFORMAT;
+ return ASN1_BAD_TIMEFORMAT;
}
tmp.tm_sec = x;
t = timegm(&tmp);
if(t == -1) {
- return ASN1_BAD_TIMEFORMAT;
+ return ASN1_BAD_TIMEFORMAT;
}
*kts = t;
return 0;
@@ -423,9 +424,9 @@ unsigned pkiNssArraySize(
{
unsigned count = 0;
if (array) {
- while (*array++) {
- count++;
- }
+ while (*array++) {
+ count++;
+ }
}
return count;
}
diff --git a/src/lib/krb5/krb/pr_to_salt.c b/src/lib/krb5/krb/pr_to_salt.c
index 545d86fb1c..5d57bc5997 100644
--- a/src/lib/krb5/krb/pr_to_salt.c
+++ b/src/lib/krb5/krb/pr_to_salt.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/pr_to_salt.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_principal2salt()
*/
@@ -30,7 +31,7 @@
#include "k5-int.h"
static krb5_error_code krb5_principal2salt_internal
- (krb5_context, krb5_const_principal, krb5_data *ret, int);
+(krb5_context, krb5_const_principal, krb5_data *ret, int);
/*
* Convert a krb5_principal into the default salt for that principal.
@@ -43,32 +44,32 @@ krb5_principal2salt_internal(krb5_context context, register krb5_const_principal
register int i;
if (pr == 0) {
- ret->length = 0;
- ret->data = 0;
- return 0;
+ ret->length = 0;
+ ret->data = 0;
+ return 0;
}
nelem = krb5_princ_size(context, pr);
if (use_realm)
- size += krb5_princ_realm(context, pr)->length;
+ size += krb5_princ_realm(context, pr)->length;
for (i = 0; i < (int) nelem; i++)
- size += krb5_princ_component(context, pr, i)->length;
+ size += krb5_princ_component(context, pr, i)->length;
ret->length = size;
if (!(ret->data = malloc (size)))
- return ENOMEM;
+ return ENOMEM;
if (use_realm) {
- offset = krb5_princ_realm(context, pr)->length;
- memcpy(ret->data, krb5_princ_realm(context, pr)->data, offset);
+ offset = krb5_princ_realm(context, pr)->length;
+ memcpy(ret->data, krb5_princ_realm(context, pr)->data, offset);
}
for (i = 0; i < (int) nelem; i++) {
- memcpy(&ret->data[offset], krb5_princ_component(context, pr, i)->data,
- krb5_princ_component(context, pr, i)->length);
- offset += krb5_princ_component(context, pr, i)->length;
+ memcpy(&ret->data[offset], krb5_princ_component(context, pr, i)->data,
+ krb5_princ_component(context, pr, i)->length);
+ offset += krb5_princ_component(context, pr, i)->length;
}
return 0;
}
@@ -76,11 +77,11 @@ krb5_principal2salt_internal(krb5_context context, register krb5_const_principal
krb5_error_code
krb5_principal2salt(krb5_context context, register krb5_const_principal pr, krb5_data *ret)
{
- return krb5_principal2salt_internal(context, pr, ret, 1);
+ return krb5_principal2salt_internal(context, pr, ret, 1);
}
krb5_error_code
krb5_principal2salt_norealm(krb5_context context, register krb5_const_principal pr, krb5_data *ret)
{
- return krb5_principal2salt_internal(context, pr, ret, 0);
+ return krb5_principal2salt_internal(context, pr, ret, 0);
}
diff --git a/src/lib/krb5/krb/preauth.c b/src/lib/krb5/krb/preauth.c
index 06b2f50b8f..9061aa9b69 100644
--- a/src/lib/krb5/krb/preauth.c
+++ b/src/lib/krb5/krb/preauth.c
@@ -25,7 +25,7 @@
/*
* This file contains routines for establishing, verifying, and any other
- * necessary functions, for utilizing the pre-authentication field of the
+ * necessary functions, for utilizing the pre-authentication field of the
* kerberos kdc request, with various hardware/software verification devices.
*/
@@ -72,7 +72,7 @@ static krb5_error_code obtain_sam_padata
(krb5_context,
krb5_pa_data *,
krb5_etype_info,
- krb5_keyblock *,
+ krb5_keyblock *,
krb5_error_code ( * )(krb5_context,
const krb5_enctype,
krb5_data *,
@@ -179,24 +179,24 @@ krb5_error_code krb5_obtain_padata(krb5_context context, krb5_pa_data **preauth_
if (etype_info) {
enctype = etype_info[0]->etype;
salt.data = (char *) etype_info[0]->salt;
- if(etype_info[0]->length == KRB5_ETYPE_NO_SALT)
+ if(etype_info[0]->length == KRB5_ETYPE_NO_SALT)
salt.length = SALT_TYPE_NO_LENGTH; /* XXX */
- else
+ else
salt.length = etype_info[0]->length;
}
if (salt.length == SALT_TYPE_NO_LENGTH) {
/*
- * This will set the salt length
+ * This will set the salt length
*/
if ((retval = krb5_principal2salt(context, request->client, &salt)))
goto cleanup;
f_salt = 1;
}
-
+
if ((retval = (*key_proc)(context, enctype, &salt, key_seed,
&def_enc_key)))
goto cleanup;
-
+
for (pa = preauth_to_use; *pa; pa++) {
if (find_pa_system((*pa)->pa_type, &ops))
@@ -204,7 +204,7 @@ krb5_error_code krb5_obtain_padata(krb5_context context, krb5_pa_data **preauth_
if (ops->obtain == 0)
continue;
-
+
retval = ((ops)->obtain)(context, *pa, etype_info, def_enc_key,
key_proc, key_seed, creds,
request, send_pa);
@@ -233,7 +233,7 @@ cleanup:
if (def_enc_key)
krb5_free_keyblock(context, def_enc_key);
return retval;
-
+
}
krb5_error_code
@@ -243,7 +243,7 @@ krb5_process_padata(krb5_context context, krb5_kdc_req *request, krb5_kdc_rep *a
const krb5_preauth_ops * ops;
krb5_pa_data ** pa;
krb5_int32 done = 0;
-
+
*do_more = 0; /* By default, we don't need to repeat... */
if (as_reply->padata == 0)
return 0;
@@ -254,7 +254,7 @@ krb5_process_padata(krb5_context context, krb5_kdc_req *request, krb5_kdc_rep *a
if (ops->process == 0)
continue;
-
+
retval = ((ops)->process)(context, *pa, request, as_reply,
key_proc, keyseed, decrypt_proc,
decrypt_key, creds, do_more, &done);
@@ -298,7 +298,7 @@ obtain_enc_ts_padata(krb5_context context, krb5_pa_data *in_padata, krb5_etype_i
krb5_free_data(context, scratch);
scratch = 0;
-
+
if ((retval = encode_krb5_enc_data(&enc_data, &scratch)) != 0)
goto cleanup;
@@ -318,7 +318,7 @@ obtain_enc_ts_padata(krb5_context context, krb5_pa_data *in_padata, krb5_etype_i
scratch = 0;
retval = 0;
-
+
cleanup:
if (scratch)
krb5_free_data(context, scratch);
@@ -332,14 +332,14 @@ process_pw_salt(krb5_context context, krb5_pa_data *padata, krb5_kdc_req *reques
{
krb5_error_code retval;
krb5_data salt;
-
+
if (*decrypt_key != 0)
return 0;
salt.data = (char *) padata->contents;
- salt.length =
+ salt.length =
(padata->pa_type == KRB5_PADATA_AFS3_SALT)?(SALT_TYPE_AFS_LENGTH):(padata->length);
-
+
if ((retval = (*key_proc)(context, as_reply->enc_part.enctype,
&salt, keyseed, decrypt_key))) {
*decrypt_key = 0;
@@ -348,19 +348,19 @@ process_pw_salt(krb5_context context, krb5_pa_data *padata, krb5_kdc_req *reques
return 0;
}
-
+
static krb5_error_code
find_pa_system(krb5_preauthtype type, const krb5_preauth_ops **preauth)
{
const krb5_preauth_ops *ap = preauth_systems;
-
+
while ((ap->type != -1) && (ap->type != type))
ap++;
if (ap->type == -1)
return(KRB5_PREAUTH_BAD_TYPE);
*preauth = ap;
return 0;
-}
+}
extern const char *krb5_default_pwd_prompt1;
@@ -381,14 +381,14 @@ sam_get_pass_from_user(krb5_context context, krb5_etype_info etype_info, git_key
krb5_data newpw;
newpw.data = 0; newpw.length = 0;
/* we don't keep the new password, just the key... */
- retval = (*key_proc)(context, enctype, 0,
+ retval = (*key_proc)(context, enctype, 0,
(krb5_const_pointer)&newpw, new_enc_key);
free(newpw.data);
}
krb5_default_pwd_prompt1 = oldprompt;
return retval;
}
-static
+static
char *handle_sam_labels(krb5_sam_challenge *sc)
{
char *label = sc->sam_challenge_label.data;
@@ -433,7 +433,7 @@ char *handle_sam_labels(krb5_sam_challenge *sc)
/* example:
Challenge for Digital Pathways mechanism: [134591]
- Passcode:
+ Passcode:
*/
krb5int_buf_init_dynamic(&buf);
if (challenge_len) {
@@ -511,7 +511,7 @@ obtain_sam_padata(krb5_context context, krb5_pa_data *in_padata, krb5_etype_info
retval = ENOMEM;
goto cleanup;
}
- retval = sam_get_pass_from_user(context, etype_info, key_proc,
+ retval = sam_get_pass_from_user(context, etype_info, key_proc,
key_seed, request, &sam_use_key,
prompt);
if (retval)
@@ -524,15 +524,15 @@ obtain_sam_padata(krb5_context context, krb5_pa_data *in_padata, krb5_etype_info
}
/* so at this point, either sam_use_key is generated from the passcode
- * or enc_sam_response_enc.sam_sad is set to it, and we use
+ * or enc_sam_response_enc.sam_sad is set to it, and we use
* def_enc_key instead. */
/* encode the encoded part of the response */
if ((retval = encode_krb5_enc_sam_response_enc(&enc_sam_response_enc,
&scratch)) != 0)
goto cleanup;
- if ((retval = krb5_encrypt_data(context,
- sam_use_key?sam_use_key:def_enc_key,
+ if ((retval = krb5_encrypt_data(context,
+ sam_use_key?sam_use_key:def_enc_key,
0, scratch,
&sam_response.sam_enc_nonce_or_ts)))
goto cleanup;
@@ -552,7 +552,7 @@ obtain_sam_padata(krb5_context context, krb5_pa_data *in_padata, krb5_etype_info
if ((retval = encode_krb5_sam_response(&sam_response, &scratch)) != 0)
goto cleanup;
-
+
if ((pa = malloc(sizeof(krb5_pa_data))) == NULL) {
retval = ENOMEM;
goto cleanup;
@@ -567,7 +567,7 @@ obtain_sam_padata(krb5_context context, krb5_pa_data *in_padata, krb5_etype_info
*out_padata = pa;
retval = 0;
-
+
cleanup:
krb5_free_data(context, scratch);
krb5_free_sam_challenge(context, sam_challenge);
diff --git a/src/lib/krb5/krb/preauth2.c b/src/lib/krb5/krb/preauth2.c
index 996cbfd364..7ee086037c 100644
--- a/src/lib/krb5/krb/preauth2.c
+++ b/src/lib/krb5/krb/preauth2.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* Copyright 1995, 2003, 2008 by the Massachusetts Institute of Technology. All
* Rights Reserved.
@@ -25,7 +26,7 @@
/*
* This file contains routines for establishing, verifying, and any other
- * necessary functions, for utilizing the pre-authentication field of the
+ * necessary functions, for utilizing the pre-authentication field of the
* kerberos kdc request, with various hardware/software verification devices.
*/
@@ -50,17 +51,17 @@ static const char *objdirs[] = { LIBDIR "/krb5/plugins/preauth", NULL };
#endif
typedef krb5_error_code (*pa_function)(krb5_context,
- krb5_kdc_req *request,
- krb5_pa_data *in_padata,
- krb5_pa_data **out_padata,
- krb5_data *salt, krb5_data *s2kparams,
- krb5_enctype *etype,
- krb5_keyblock *as_key,
- krb5_prompter_fct prompter_fct,
- void *prompter_data,
- krb5_gic_get_as_key_fct gak_fct,
- void *gak_data);
-
+ krb5_kdc_req *request,
+ krb5_pa_data *in_padata,
+ krb5_pa_data **out_padata,
+ krb5_data *salt, krb5_data *s2kparams,
+ krb5_enctype *etype,
+ krb5_keyblock *as_key,
+ krb5_prompter_fct prompter_fct,
+ void *prompter_data,
+ krb5_gic_get_as_key_fct gak_fct,
+ void *gak_data);
+
typedef struct _pa_types_t {
krb5_preauthtype type;
pa_function fct;
@@ -85,27 +86,27 @@ krb5_init_preauth_context(krb5_context kcontext)
/* Only do this once for each krb5_context */
if (kcontext->preauth_context != NULL)
- return;
+ return;
/* load the plugins for the current context */
if (PLUGIN_DIR_OPEN(&kcontext->preauth_plugins) == 0) {
- if (krb5int_open_plugin_dirs(objdirs, NULL,
- &kcontext->preauth_plugins,
- &kcontext->err) != 0) {
- return;
- }
+ if (krb5int_open_plugin_dirs(objdirs, NULL,
+ &kcontext->preauth_plugins,
+ &kcontext->err) != 0) {
+ return;
+ }
}
/* pull out the module function tables for all of the modules */
tables = NULL;
if (krb5int_get_plugin_dir_data(&kcontext->preauth_plugins,
- "preauthentication_client_1",
- &tables,
- &kcontext->err) != 0) {
- return;
+ "preauthentication_client_1",
+ &tables,
+ &kcontext->err) != 0) {
+ return;
}
if (tables == NULL) {
- return;
+ return;
}
/* count how many modules we ended up loading, and how many preauth
@@ -114,23 +115,23 @@ krb5_init_preauth_context(krb5_context kcontext)
for (n_tables = 0;
(tables != NULL) && (tables[n_tables] != NULL);
n_tables++) {
- table = tables[n_tables];
- if ((table->pa_type_list != NULL) && (table->process != NULL)) {
- for (j = 0; table->pa_type_list[j] > 0; j++) {
- n_modules++;
- }
- }
+ table = tables[n_tables];
+ if ((table->pa_type_list != NULL) && (table->process != NULL)) {
+ for (j = 0; table->pa_type_list[j] > 0; j++) {
+ n_modules++;
+ }
+ }
}
/* allocate the space we need */
context = malloc(sizeof(*context));
if (context == NULL) {
- krb5int_free_plugin_dir_data(tables);
+ krb5int_free_plugin_dir_data(tables);
return;
}
context->modules = calloc(n_modules, sizeof(context->modules[0]));
if (context->modules == NULL) {
- krb5int_free_plugin_dir_data(tables);
+ krb5int_free_plugin_dir_data(tables);
free(context);
return;
}
@@ -141,64 +142,64 @@ krb5_init_preauth_context(krb5_context kcontext)
for (i = 0; i < n_tables; i++) {
table = tables[i];
if ((table->pa_type_list != NULL) && (table->process != NULL)) {
- plugin_context = NULL;
- if ((table->init != NULL) &&
- ((*table->init)(kcontext, &plugin_context) != 0)) {
+ plugin_context = NULL;
+ if ((table->init != NULL) &&
+ ((*table->init)(kcontext, &plugin_context) != 0)) {
#ifdef DEBUG
- fprintf (stderr, "init err, skipping module \"%s\"\n",
- table->name);
+ fprintf (stderr, "init err, skipping module \"%s\"\n",
+ table->name);
#endif
- continue;
- }
-
- rcpp = NULL;
- for (j = 0; table->pa_type_list[j] > 0; j++) {
- pa_type = table->pa_type_list[j];
- context->modules[k].pa_type = pa_type;
- context->modules[k].enctypes = table->enctype_list;
- context->modules[k].plugin_context = plugin_context;
- /* Only call client_fini once per plugin */
- if (j == 0)
- context->modules[k].client_fini = table->fini;
- else
- context->modules[k].client_fini = NULL;
- context->modules[k].ftable = table;
- context->modules[k].name = table->name;
- context->modules[k].flags = (*table->flags)(kcontext, pa_type);
- context->modules[k].use_count = 0;
- context->modules[k].client_process = table->process;
- context->modules[k].client_tryagain = table->tryagain;
- if (j == 0)
- context->modules[k].client_supply_gic_opts = table->gic_opts;
- else
- context->modules[k].client_supply_gic_opts = NULL;
- context->modules[k].request_context = NULL;
- /*
- * Only call request_init and request_fini once per plugin.
- * Only the first module within each plugin will ever
- * have request_context filled in. Every module within
- * the plugin will have its request_context_pp pointing
- * to that entry's request_context. That way all the
- * modules within the plugin share the same request_context
- */
- if (j == 0) {
- context->modules[k].client_req_init = table->request_init;
- context->modules[k].client_req_fini = table->request_fini;
- rcpp = &context->modules[k].request_context;
- } else {
- context->modules[k].client_req_init = NULL;
- context->modules[k].client_req_fini = NULL;
- }
- context->modules[k].request_context_pp = rcpp;
+ continue;
+ }
+
+ rcpp = NULL;
+ for (j = 0; table->pa_type_list[j] > 0; j++) {
+ pa_type = table->pa_type_list[j];
+ context->modules[k].pa_type = pa_type;
+ context->modules[k].enctypes = table->enctype_list;
+ context->modules[k].plugin_context = plugin_context;
+ /* Only call client_fini once per plugin */
+ if (j == 0)
+ context->modules[k].client_fini = table->fini;
+ else
+ context->modules[k].client_fini = NULL;
+ context->modules[k].ftable = table;
+ context->modules[k].name = table->name;
+ context->modules[k].flags = (*table->flags)(kcontext, pa_type);
+ context->modules[k].use_count = 0;
+ context->modules[k].client_process = table->process;
+ context->modules[k].client_tryagain = table->tryagain;
+ if (j == 0)
+ context->modules[k].client_supply_gic_opts = table->gic_opts;
+ else
+ context->modules[k].client_supply_gic_opts = NULL;
+ context->modules[k].request_context = NULL;
+ /*
+ * Only call request_init and request_fini once per plugin.
+ * Only the first module within each plugin will ever
+ * have request_context filled in. Every module within
+ * the plugin will have its request_context_pp pointing
+ * to that entry's request_context. That way all the
+ * modules within the plugin share the same request_context
+ */
+ if (j == 0) {
+ context->modules[k].client_req_init = table->request_init;
+ context->modules[k].client_req_fini = table->request_fini;
+ rcpp = &context->modules[k].request_context;
+ } else {
+ context->modules[k].client_req_init = NULL;
+ context->modules[k].client_req_fini = NULL;
+ }
+ context->modules[k].request_context_pp = rcpp;
#ifdef DEBUG
- fprintf (stderr, "init module \"%s\", pa_type %d, flag %d\n",
- context->modules[k].name,
- context->modules[k].pa_type,
- context->modules[k].flags);
+ fprintf (stderr, "init module \"%s\", pa_type %d, flag %d\n",
+ context->modules[k].name,
+ context->modules[k].pa_type,
+ context->modules[k].flags);
#endif
- k++;
- }
- }
+ k++;
+ }
+ }
}
krb5int_free_plugin_dir_data(tables);
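Review bot: `(*table->flags)(kcontext, pa_type)` is called through the plugin's function table without a NULL check, although the same loop tests `table->init` before calling it and the enclosing condition tests `table->process`. A module loaded from the plugin directory that leaves `flags` unset would crash any client that initialises a preauth context. Adding `&& (table->flags != NULL)` to the `if ((table->pa_type_list != NULL) && (table->process != NULL))` test would skip such a module. The counting loop in the earlier hunk would then over-count, as it already does for modules skipped by the init-failure `continue`; that looks harmless but should be confirmed against where `n_modules` is stored. krb5_init_preauth_context starts and ends outside this hunk.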
@@ -214,9 +215,9 @@ krb5_clear_preauth_context_use_counts(krb5_context context)
{
int i;
if (context->preauth_context != NULL) {
- for (i = 0; i < context->preauth_context->n_modules; i++) {
- context->preauth_context->modules[i].use_count = 0;
- }
+ for (i = 0; i < context->preauth_context->n_modules; i++) {
+ context->preauth_context->modules[i].use_count = 0;
+ }
}
}
@@ -226,9 +227,9 @@ krb5_clear_preauth_context_use_counts(krb5_context context)
*/
krb5_error_code
krb5_preauth_supply_preauth_data(krb5_context context,
- krb5_gic_opt_ext *opte,
- const char *attr,
- const char *value)
+ krb5_gic_opt_ext *opte,
+ const char *attr,
+ const char *value)
{
krb5_error_code retval = 0;
int i;
@@ -236,13 +237,13 @@ krb5_preauth_supply_preauth_data(krb5_context context,
const char *emsg = NULL;
if (context->preauth_context == NULL)
- krb5_init_preauth_context(context);
+ krb5_init_preauth_context(context);
if (context->preauth_context == NULL) {
- retval = EINVAL;
- krb5int_set_error(&context->err, retval,
- "krb5_preauth_supply_preauth_data: "
- "Unable to initialize preauth context");
- return retval;
+ retval = EINVAL;
+ krb5int_set_error(&context->err, retval,
+ "krb5_preauth_supply_preauth_data: "
+ "Unable to initialize preauth context");
+ return retval;
}
/*
@@ -250,19 +251,19 @@ krb5_preauth_supply_preauth_data(krb5_context context,
* attribute/value pair.
*/
for (i = 0; i < context->preauth_context->n_modules; i++) {
- if (context->preauth_context->modules[i].client_supply_gic_opts == NULL)
- continue;
- pctx = context->preauth_context->modules[i].plugin_context;
- retval = (*context->preauth_context->modules[i].client_supply_gic_opts)
- (context, pctx,
- (krb5_get_init_creds_opt *)opte, attr, value);
- if (retval) {
- emsg = krb5_get_error_message(context, retval);
- krb5int_set_error(&context->err, retval, "Preauth plugin %s: %s",
- context->preauth_context->modules[i].name, emsg);
- krb5_free_error_message(context, emsg);
- break;
- }
+ if (context->preauth_context->modules[i].client_supply_gic_opts == NULL)
+ continue;
+ pctx = context->preauth_context->modules[i].plugin_context;
+ retval = (*context->preauth_context->modules[i].client_supply_gic_opts)
+ (context, pctx,
+ (krb5_get_init_creds_opt *)opte, attr, value);
+ if (retval) {
+ emsg = krb5_get_error_message(context, retval);
+ krb5int_set_error(&context->err, retval, "Preauth plugin %s: %s",
+ context->preauth_context->modules[i].name, emsg);
+ krb5_free_error_message(context, emsg);
+ break;
+ }
}
return retval;
}
@@ -276,20 +277,20 @@ krb5_free_preauth_context(krb5_context context)
int i;
void *pctx;
if (context && context->preauth_context != NULL) {
- for (i = 0; i < context->preauth_context->n_modules; i++) {
- pctx = context->preauth_context->modules[i].plugin_context;
- if (context->preauth_context->modules[i].client_fini != NULL) {
- (*context->preauth_context->modules[i].client_fini)(context, pctx);
- }
- memset(&context->preauth_context->modules[i], 0,
- sizeof(context->preauth_context->modules[i]));
- }
- if (context->preauth_context->modules != NULL) {
- free(context->preauth_context->modules);
- context->preauth_context->modules = NULL;
- }
- free(context->preauth_context);
- context->preauth_context = NULL;
+ for (i = 0; i < context->preauth_context->n_modules; i++) {
+ pctx = context->preauth_context->modules[i].plugin_context;
+ if (context->preauth_context->modules[i].client_fini != NULL) {
+ (*context->preauth_context->modules[i].client_fini)(context, pctx);
+ }
+ memset(&context->preauth_context->modules[i], 0,
+ sizeof(context->preauth_context->modules[i]));
+ }
+ if (context->preauth_context->modules != NULL) {
+ free(context->preauth_context->modules);
+ context->preauth_context->modules = NULL;
+ }
+ free(context->preauth_context);
+ context->preauth_context = NULL;
}
}
@@ -303,15 +304,15 @@ krb5_preauth_request_context_init(krb5_context context)
/* Limit this to only one attempt per context? */
if (context->preauth_context == NULL)
- krb5_init_preauth_context(context);
+ krb5_init_preauth_context(context);
if (context->preauth_context != NULL) {
- for (i = 0; i < context->preauth_context->n_modules; i++) {
- pctx = context->preauth_context->modules[i].plugin_context;
- if (context->preauth_context->modules[i].client_req_init != NULL) {
- rctx = context->preauth_context->modules[i].request_context_pp;
- (*context->preauth_context->modules[i].client_req_init) (context, pctx, rctx);
- }
- }
+ for (i = 0; i < context->preauth_context->n_modules; i++) {
+ pctx = context->preauth_context->modules[i].plugin_context;
+ if (context->preauth_context->modules[i].client_req_init != NULL) {
+ rctx = context->preauth_context->modules[i].request_context_pp;
+ (*context->preauth_context->modules[i].client_req_init) (context, pctx, rctx);
+ }
+ }
}
}
@@ -323,16 +324,16 @@ krb5_preauth_request_context_fini(krb5_context context)
int i;
void *rctx, *pctx;
if (context->preauth_context != NULL) {
- for (i = 0; i < context->preauth_context->n_modules; i++) {
- pctx = context->preauth_context->modules[i].plugin_context;
- rctx = context->preauth_context->modules[i].request_context;
- if (rctx != NULL) {
- if (context->preauth_context->modules[i].client_req_fini != NULL) {
- (*context->preauth_context->modules[i].client_req_fini)(context, pctx, rctx);
- }
- context->preauth_context->modules[i].request_context = NULL;
- }
- }
+ for (i = 0; i < context->preauth_context->n_modules; i++) {
+ pctx = context->preauth_context->modules[i].plugin_context;
+ rctx = context->preauth_context->modules[i].request_context;
+ if (rctx != NULL) {
+ if (context->preauth_context->modules[i].client_req_fini != NULL) {
+ (*context->preauth_context->modules[i].client_req_fini)(context, pctx, rctx);
+ }
+ context->preauth_context->modules[i].request_context = NULL;
+ }
+ }
}
}
@@ -343,18 +344,18 @@ grow_ktypes(krb5_enctype **out_ktypes, int *out_nktypes, krb5_enctype ktype)
int i;
krb5_enctype *ktypes;
for (i = 0; i < *out_nktypes; i++) {
- if ((*out_ktypes)[i] == ktype)
- return;
+ if ((*out_ktypes)[i] == ktype)
+ return;
}
ktypes = malloc((*out_nktypes + 2) * sizeof(ktype));
if (ktypes) {
- for (i = 0; i < *out_nktypes; i++)
- ktypes[i] = (*out_ktypes)[i];
- ktypes[i++] = ktype;
- ktypes[i] = 0;
- free(*out_ktypes);
- *out_ktypes = ktypes;
- *out_nktypes = i;
+ for (i = 0; i < *out_nktypes; i++)
+ ktypes[i] = (*out_ktypes)[i];
+ ktypes[i++] = ktype;
+ ktypes[i] = 0;
+ free(*out_ktypes);
+ *out_ktypes = ktypes;
+ *out_nktypes = i;
}
}
@@ -364,42 +365,42 @@ grow_ktypes(krb5_enctype **out_ktypes, int *out_nktypes, krb5_enctype ktype)
*/
static int
grow_pa_list(krb5_pa_data ***out_pa_list, int *out_pa_list_size,
- krb5_pa_data **addition, int num_addition)
+ krb5_pa_data **addition, int num_addition)
{
krb5_pa_data **pa_list;
int i, j;
if (out_pa_list == NULL || addition == NULL) {
- return EINVAL;
+ return EINVAL;
}
if (*out_pa_list == NULL) {
- /* Allocate room for the new additions and a NULL terminator. */
- pa_list = malloc((num_addition + 1) * sizeof(krb5_pa_data *));
- if (pa_list == NULL)
- return ENOMEM;
- for (i = 0; i < num_addition; i++)
- pa_list[i] = addition[i];
- pa_list[i] = NULL;
- *out_pa_list = pa_list;
- *out_pa_list_size = num_addition;
+ /* Allocate room for the new additions and a NULL terminator. */
+ pa_list = malloc((num_addition + 1) * sizeof(krb5_pa_data *));
+ if (pa_list == NULL)
+ return ENOMEM;
+ for (i = 0; i < num_addition; i++)
+ pa_list[i] = addition[i];
+ pa_list[i] = NULL;
+ *out_pa_list = pa_list;
+ *out_pa_list_size = num_addition;
} else {
- /*
- * Allocate room for the existing entries plus
- * the new additions and a NULL terminator.
- */
- pa_list = malloc((*out_pa_list_size + num_addition + 1)
- * sizeof(krb5_pa_data *));
- if (pa_list == NULL)
- return ENOMEM;
- for (i = 0; i < *out_pa_list_size; i++)
- pa_list[i] = (*out_pa_list)[i];
- for (j = 0; j < num_addition;)
- pa_list[i++] = addition[j++];
- pa_list[i] = NULL;
- free(*out_pa_list);
- *out_pa_list = pa_list;
- *out_pa_list_size = i;
+ /*
+ * Allocate room for the existing entries plus
+ * the new additions and a NULL terminator.
+ */
+ pa_list = malloc((*out_pa_list_size + num_addition + 1)
+ * sizeof(krb5_pa_data *));
+ if (pa_list == NULL)
+ return ENOMEM;
+ for (i = 0; i < *out_pa_list_size; i++)
+ pa_list[i] = (*out_pa_list)[i];
+ for (j = 0; j < num_addition;)
+ pa_list[i++] = addition[j++];
+ pa_list[i] = NULL;
+ free(*out_pa_list);
+ *out_pa_list = pa_list;
+ *out_pa_list_size = i;
}
return 0;
}
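Review bot: The allocation sizes in grow_pa_list are computed from plain `int` values, `(num_addition + 1)` and `(*out_pa_list_size + num_addition + 1)`, with no range check. A negative `num_addition`, or a sum that overflows, yields an undersized buffer that the copy loops and the `pa_list[i] = NULL` store then write past. The caller visible in this file passes the count of a NULL-terminated array, so this is hardening rather than a known trigger. A guard next to the existing `EINVAL` check would cover it, e.g. `if (num_addition < 0 || (*out_pa_list != NULL && (*out_pa_list_size < 0 || num_addition > INT_MAX - 1 - *out_pa_list_size))) return EINVAL;` (needs `<limits.h>` if the file does not already include it).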
@@ -416,81 +417,81 @@ grow_pa_list(krb5_pa_data ***out_pa_list, int *out_pa_list_size,
static krb5_error_code
client_data_proc(krb5_context kcontext,
- krb5_preauth_client_rock *rock,
- krb5_int32 request_type,
- krb5_data **retdata)
+ krb5_preauth_client_rock *rock,
+ krb5_int32 request_type,
+ krb5_data **retdata)
{
krb5_data *ret;
krb5_error_code retval;
char *data;
if (rock->magic != CLIENT_ROCK_MAGIC)
- return EINVAL;
+ return EINVAL;
if (retdata == NULL)
- return EINVAL;
+ return EINVAL;
switch (request_type) {
case krb5plugin_preauth_client_get_etype:
- {
- krb5_enctype *eptr;
- ret = malloc(sizeof(krb5_data));
- if (ret == NULL)
- return ENOMEM;
- data = malloc(sizeof(krb5_enctype));
- if (data == NULL) {
- free(ret);
- return ENOMEM;
- }
- ret->data = data;
- ret->length = sizeof(krb5_enctype);
- eptr = (krb5_enctype *)data;
- *eptr = *rock->etype;
- *retdata = ret;
- return 0;
- }
- break;
+ {
+ krb5_enctype *eptr;
+ ret = malloc(sizeof(krb5_data));
+ if (ret == NULL)
+ return ENOMEM;
+ data = malloc(sizeof(krb5_enctype));
+ if (data == NULL) {
+ free(ret);
+ return ENOMEM;
+ }
+ ret->data = data;
+ ret->length = sizeof(krb5_enctype);
+ eptr = (krb5_enctype *)data;
+ *eptr = *rock->etype;
+ *retdata = ret;
+ return 0;
+ }
+ break;
case krb5plugin_preauth_client_free_etype:
- ret = *retdata;
- if (ret == NULL)
- return 0;
- if (ret->data)
- free(ret->data);
- free(ret);
- return 0;
- break;
+ ret = *retdata;
+ if (ret == NULL)
+ return 0;
+ if (ret->data)
+ free(ret->data);
+ free(ret);
+ return 0;
+ break;
case krb5plugin_preauth_client_fast_armor: {
- krb5_keyblock *key = NULL;
- ret = calloc(1, sizeof(krb5_data));
- if (ret == NULL)
- return ENOMEM;
- retval = 0;
- if (rock->fast_state->armor_key)
- retval = krb5_copy_keyblock(kcontext, rock->fast_state->armor_key,
- &key);
- if (retval == 0) {
- ret->data = (char *) key;
- ret->length = key?sizeof(krb5_keyblock):0;
- key = NULL;
- }
- if (retval == 0) {
- *retdata = ret;
- ret = NULL;
- }
- if (ret)
- free(ret);
- return retval;
+ krb5_keyblock *key = NULL;
+ ret = calloc(1, sizeof(krb5_data));
+ if (ret == NULL)
+ return ENOMEM;
+ retval = 0;
+ if (rock->fast_state->armor_key)
+ retval = krb5_copy_keyblock(kcontext, rock->fast_state->armor_key,
+ &key);
+ if (retval == 0) {
+ ret->data = (char *) key;
+ ret->length = key?sizeof(krb5_keyblock):0;
+ key = NULL;
+ }
+ if (retval == 0) {
+ *retdata = ret;
+ ret = NULL;
+ }
+ if (ret)
+ free(ret);
+ return retval;
}
case krb5plugin_preauth_client_free_fast_armor:
- ret = *retdata;
- if (ret) {
- if (ret->data)
- krb5_free_keyblock(kcontext, (krb5_keyblock *) ret->data);
- free(ret);
- *retdata = NULL;
- }
- return 0;
- default:
- return EINVAL;
+ ret = *retdata;
+ if (ret) {
+ if (ret->data)
+ krb5_free_keyblock(kcontext, (krb5_keyblock *) ret->data);
+ free(ret);
+ *retdata = NULL;
+ }
+ return 0;
+ default:
+ return EINVAL;
}
}
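Review bot: The `krb5plugin_preauth_client_free_etype` case frees `ret` and returns without clearing `*retdata`, while the `krb5plugin_preauth_client_free_fast_armor` case below it sets `*retdata = NULL` after the same kind of free. A module that issues the free request twice, or reads the pointer afterwards, is left holding a dangling `krb5_data *`. Adding `*retdata = NULL;` after `free(ret);` in the etype case makes the two paths agree. The fast-armor case also dereferences `rock->fast_state` without a NULL test; whether it can be NULL depends on how the rock is filled in, which is not visible here.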
@@ -499,25 +500,25 @@ client_data_proc(krb5_context kcontext,
* involved things. */
void KRB5_CALLCONV
krb5_preauth_prepare_request(krb5_context kcontext,
- krb5_gic_opt_ext *opte,
- krb5_kdc_req *request)
+ krb5_gic_opt_ext *opte,
+ krb5_kdc_req *request)
{
int i, j;
if (kcontext->preauth_context == NULL) {
- return;
+ return;
}
/* Add the module-specific enctype list to the request, but only if
* it's something we can safely modify. */
if (!(opte && (opte->flags & KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST))) {
- for (i = 0; i < kcontext->preauth_context->n_modules; i++) {
- if (kcontext->preauth_context->modules[i].enctypes == NULL)
- continue;
- for (j = 0; kcontext->preauth_context->modules[i].enctypes[j] != 0; j++) {
- grow_ktypes(&request->ktype, &request->nktypes,
- kcontext->preauth_context->modules[i].enctypes[j]);
- }
- }
+ for (i = 0; i < kcontext->preauth_context->n_modules; i++) {
+ if (kcontext->preauth_context->modules[i].enctypes == NULL)
+ continue;
+ for (j = 0; kcontext->preauth_context->modules[i].enctypes[j] != 0; j++) {
+ grow_ktypes(&request->ktype, &request->nktypes,
+ kcontext->preauth_context->modules[i].enctypes[j]);
+ }
+ }
}
}
@@ -526,24 +527,24 @@ krb5_preauth_prepare_request(krb5_context kcontext,
* they don't generate preauth data), and run it. */
static krb5_error_code
krb5_run_preauth_plugins(krb5_context kcontext,
- int module_required_flags,
- krb5_kdc_req *request,
- krb5_data *encoded_request_body,
- krb5_data *encoded_previous_request,
- krb5_pa_data *in_padata,
- krb5_prompter_fct prompter,
- void *prompter_data,
- preauth_get_as_key_proc gak_fct,
- krb5_data *salt,
- krb5_data *s2kparams,
- void *gak_data,
- krb5_preauth_client_rock *get_data_rock,
- krb5_keyblock *as_key,
- krb5_pa_data ***out_pa_list,
- int *out_pa_list_size,
- int *module_ret,
- int *module_flags,
- krb5_gic_opt_ext *opte)
+ int module_required_flags,
+ krb5_kdc_req *request,
+ krb5_data *encoded_request_body,
+ krb5_data *encoded_previous_request,
+ krb5_pa_data *in_padata,
+ krb5_prompter_fct prompter,
+ void *prompter_data,
+ preauth_get_as_key_proc gak_fct,
+ krb5_data *salt,
+ krb5_data *s2kparams,
+ void *gak_data,
+ krb5_preauth_client_rock *get_data_rock,
+ krb5_keyblock *as_key,
+ krb5_pa_data ***out_pa_list,
+ int *out_pa_list_size,
+ int *module_ret,
+ int *module_flags,
+ krb5_gic_opt_ext *opte)
{
int i;
krb5_pa_data **out_pa_data;
@@ -551,64 +552,64 @@ krb5_run_preauth_plugins(krb5_context kcontext,
struct _krb5_preauth_context_module *module;
if (kcontext->preauth_context == NULL) {
- return ENOENT;
+ return ENOENT;
}
/* iterate over all loaded modules */
for (i = 0; i < kcontext->preauth_context->n_modules; i++) {
- module = &kcontext->preauth_context->modules[i];
- /* skip over those which don't match the preauth type */
- if (module->pa_type != in_padata->pa_type)
- continue;
- /* skip over those which don't match the flags (INFO vs REAL, mainly) */
- if ((module->flags & module_required_flags) == 0)
- continue;
- /* if it's a REAL module, try to call it only once per library call */
- if (module_required_flags & PA_REAL) {
- if (module->use_count > 0) {
+ module = &kcontext->preauth_context->modules[i];
+ /* skip over those which don't match the preauth type */
+ if (module->pa_type != in_padata->pa_type)
+ continue;
+ /* skip over those which don't match the flags (INFO vs REAL, mainly) */
+ if ((module->flags & module_required_flags) == 0)
+ continue;
+ /* if it's a REAL module, try to call it only once per library call */
+ if (module_required_flags & PA_REAL) {
+ if (module->use_count > 0) {
#ifdef DEBUG
- fprintf(stderr, "skipping already-used module \"%s\"(%d)\n",
- module->name, module->pa_type);
+ fprintf(stderr, "skipping already-used module \"%s\"(%d)\n",
+ module->name, module->pa_type);
#endif
- continue;
- }
- module->use_count++;
- }
- /* run the module's callback function */
- out_pa_data = NULL;
+ continue;
+ }
+ module->use_count++;
+ }
+ /* run the module's callback function */
+ out_pa_data = NULL;
#ifdef DEBUG
- fprintf(stderr, "using module \"%s\" (%d), flags = %d\n",
- module->name, module->pa_type, module->flags);
+ fprintf(stderr, "using module \"%s\" (%d), flags = %d\n",
+ module->name, module->pa_type, module->flags);
#endif
- ret = module->client_process(kcontext,
- module->plugin_context,
- *module->request_context_pp,
- (krb5_get_init_creds_opt *)opte,
- client_data_proc,
- get_data_rock,
- request,
- encoded_request_body,
- encoded_previous_request,
- in_padata,
- prompter, prompter_data,
- gak_fct, gak_data, salt, s2kparams,
- as_key,
- &out_pa_data);
- /* Make note of the module's flags and status. */
- *module_flags = module->flags;
- *module_ret = ret;
- /* Save the new preauth data item. */
- if (out_pa_data != NULL) {
- int j;
- for (j = 0; out_pa_data[j] != NULL; j++);
- ret = grow_pa_list(out_pa_list, out_pa_list_size, out_pa_data, j);
- free(out_pa_data);
- if (ret != 0)
- return ret;
- }
- break;
+ ret = module->client_process(kcontext,
+ module->plugin_context,
+ *module->request_context_pp,
+ (krb5_get_init_creds_opt *)opte,
+ client_data_proc,
+ get_data_rock,
+ request,
+ encoded_request_body,
+ encoded_previous_request,
+ in_padata,
+ prompter, prompter_data,
+ gak_fct, gak_data, salt, s2kparams,
+ as_key,
+ &out_pa_data);
+ /* Make note of the module's flags and status. */
+ *module_flags = module->flags;
+ *module_ret = ret;
+ /* Save the new preauth data item. */
+ if (out_pa_data != NULL) {
+ int j;
+ for (j = 0; out_pa_data[j] != NULL; j++);
+ ret = grow_pa_list(out_pa_list, out_pa_list_size, out_pa_data, j);
+ free(out_pa_data);
+ if (ret != 0)
+ return ret;
+ }
+ break;
}
if (i >= kcontext->preauth_context->n_modules) {
- return ENOENT;
+ return ENOENT;
}
return 0;
}
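Review bot: When `grow_pa_list` fails, `free(out_pa_data)` releases only the pointer array, so the `krb5_pa_data` elements the module returned are leaked on that error path. On success the elements are handed over to `*out_pa_list`, so only the failure case needs to release them. Replacing the unconditional free with `if (ret != 0) { krb5_free_pa_data(kcontext, out_pa_data); return ret; }` followed by `free(out_pa_data);` would fix it, provided modules allocate the elements in a way `krb5_free_pa_data` can release. krb5_run_preauth_plugins begins outside this hunk.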
@@ -625,14 +626,14 @@ padata2data(krb5_pa_data p)
static
krb5_error_code pa_salt(krb5_context context,
- krb5_kdc_req *request,
- krb5_pa_data *in_padata,
- krb5_pa_data **out_padata,
- krb5_data *salt, krb5_data *s2kparams,
- krb5_enctype *etype,
- krb5_keyblock *as_key,
- krb5_prompter_fct prompter, void *prompter_data,
- krb5_gic_get_as_key_fct gak_fct, void *gak_data)
+ krb5_kdc_req *request,
+ krb5_pa_data *in_padata,
+ krb5_pa_data **out_padata,
+ krb5_data *salt, krb5_data *s2kparams,
+ krb5_enctype *etype,
+ krb5_keyblock *as_key,
+ krb5_prompter_fct prompter, void *prompter_data,
+ krb5_gic_get_as_key_fct gak_fct, void *gak_data)
{
krb5_data tmp;
krb5_error_code retval;
@@ -641,36 +642,36 @@ krb5_error_code pa_salt(krb5_context context,
krb5_free_data_contents(context, salt);
retval = krb5int_copy_data_contents(context, &tmp, salt);
if (retval)
- return retval;
+ return retval;
if (in_padata->pa_type == KRB5_PADATA_AFS3_SALT)
- salt->length = SALT_TYPE_AFS_LENGTH;
+ salt->length = SALT_TYPE_AFS_LENGTH;
return(0);
}
static
krb5_error_code pa_fx_cookie(krb5_context context,
- krb5_kdc_req *request,
- krb5_pa_data *in_padata,
- krb5_pa_data **out_padata,
- krb5_data *salt,
- krb5_data *s2kparams,
- krb5_enctype *etype,
- krb5_keyblock *as_key,
- krb5_prompter_fct prompter,
- void *prompter_data,
- krb5_gic_get_as_key_fct gak_fct,
- void *gak_data)
+ krb5_kdc_req *request,
+ krb5_pa_data *in_padata,
+ krb5_pa_data **out_padata,
+ krb5_data *salt,
+ krb5_data *s2kparams,
+ krb5_enctype *etype,
+ krb5_keyblock *as_key,
+ krb5_prompter_fct prompter,
+ void *prompter_data,
+ krb5_gic_get_as_key_fct gak_fct,
+ void *gak_data)
{
krb5_pa_data *pa = calloc(1, sizeof(krb5_pa_data));
krb5_octet *contents;
if (pa == NULL)
- return ENOMEM;
+ return ENOMEM;
contents = malloc(in_padata->length);
if (contents == NULL) {
- free(pa);
- return ENOMEM;
+ free(pa);
+ return ENOMEM;
}
*pa = *in_padata;
pa->contents = contents;
@@ -681,68 +682,68 @@ krb5_error_code pa_fx_cookie(krb5_context context,
static
krb5_error_code pa_enc_timestamp(krb5_context context,
- krb5_kdc_req *request,
- krb5_pa_data *in_padata,
- krb5_pa_data **out_padata,
- krb5_data *salt,
- krb5_data *s2kparams,
- krb5_enctype *etype,
- krb5_keyblock *as_key,
- krb5_prompter_fct prompter,
- void *prompter_data,
- krb5_gic_get_as_key_fct gak_fct,
- void *gak_data)
+ krb5_kdc_req *request,
+ krb5_pa_data *in_padata,
+ krb5_pa_data **out_padata,
+ krb5_data *salt,
+ krb5_data *s2kparams,
+ krb5_enctype *etype,
+ krb5_keyblock *as_key,
+ krb5_prompter_fct prompter,
+ void *prompter_data,
+ krb5_gic_get_as_key_fct gak_fct,
+ void *gak_data)
{
krb5_error_code ret;
krb5_pa_enc_ts pa_enc;
krb5_data *tmp;
krb5_enc_data enc_data;
krb5_pa_data *pa;
-
+
if (as_key->length == 0) {
#ifdef DEBUG
- fprintf (stderr, "%s:%d: salt len=%d", __FILE__, __LINE__,
- salt->length);
- if ((int) salt->length > 0)
- fprintf (stderr, " '%.*s'", salt->length, salt->data);
- fprintf (stderr, "; *etype=%d request->ktype[0]=%d\n",
- *etype, request->ktype[0]);
+ fprintf (stderr, "%s:%d: salt len=%d", __FILE__, __LINE__,
+ salt->length);
+ if ((int) salt->length > 0)
+ fprintf (stderr, " '%.*s'", salt->length, salt->data);
+ fprintf (stderr, "; *etype=%d request->ktype[0]=%d\n",
+ *etype, request->ktype[0]);
#endif
- if ((ret = ((*gak_fct)(context, request->client,
- *etype ? *etype : request->ktype[0],
- prompter, prompter_data,
- salt, s2kparams, as_key, gak_data))))
- return(ret);
+ if ((ret = ((*gak_fct)(context, request->client,
+ *etype ? *etype : request->ktype[0],
+ prompter, prompter_data,
+ salt, s2kparams, as_key, gak_data))))
+ return(ret);
}
/* now get the time of day, and encrypt it accordingly */
if ((ret = krb5_us_timeofday(context, &pa_enc.patimestamp, &pa_enc.pausec)))
- return(ret);
+ return(ret);
if ((ret = encode_krb5_pa_enc_ts(&pa_enc, &tmp)))
- return(ret);
+ return(ret);
#ifdef DEBUG
fprintf (stderr, "key type %d bytes %02x %02x ...\n",
- as_key->enctype,
- as_key->contents[0], as_key->contents[1]);
+ as_key->enctype,
+ as_key->contents[0], as_key->contents[1]);
#endif
ret = krb5_encrypt_helper(context, as_key,
- KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS,
- tmp, &enc_data);
+ KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS,
+ tmp, &enc_data);
#ifdef DEBUG
fprintf (stderr, "enc data { type=%d kvno=%d data=%02x %02x ... }\n",
- enc_data.enctype, enc_data.kvno,
- 0xff & enc_data.ciphertext.data[0],
- 0xff & enc_data.ciphertext.data[1]);
+ enc_data.enctype, enc_data.kvno,
+ 0xff & enc_data.ciphertext.data[0],
+ 0xff & enc_data.ciphertext.data[1]);
#endif
krb5_free_data(context, tmp);
if (ret) {
- free(enc_data.ciphertext.data);
- return(ret);
+ free(enc_data.ciphertext.data);
+ return(ret);
}
ret = encode_krb5_enc_data(&enc_data, &tmp);
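Review bot: The second `#ifdef DEBUG` block after `krb5_encrypt_helper()` dereferences `enc_data.ciphertext.data[0]` and `[1]` before `ret` is tested, and `enc_data` is an uninitialized local, so in a DEBUG build a failed encryption can read through an indeterminate pointer. The same concern applies to `free(enc_data.ciphertext.data);` in the `if (ret)` branch, unless the helper guarantees the field is NULL or valid on failure, which this hunk does not show. I would add `memset(&enc_data, 0, sizeof(enc_data));` before the call and move the debug print below the `if (ret)` check. The earlier DEBUG print of `as_key->contents[0]` and `[1]` writes reply-key bytes to stderr and deserves a comment that DEBUG must not be defined in production builds. The function body continues past this hunk.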
@@ -750,11 +751,11 @@ krb5_error_code pa_enc_timestamp(krb5_context context,
free(enc_data.ciphertext.data);
if (ret)
- return(ret);
+ return(ret);
if ((pa = (krb5_pa_data *) malloc(sizeof(krb5_pa_data))) == NULL) {
- krb5_free_data(context, tmp);
- return(ENOMEM);
+ krb5_free_data(context, tmp);
+ return(ENOMEM);
}
pa->magic = KV5M_PA_DATA;
@@ -769,38 +770,38 @@ krb5_error_code pa_enc_timestamp(krb5_context context,
return(0);
}
-static
+static
char *sam_challenge_banner(krb5_int32 sam_type)
{
char *label;
switch (sam_type) {
- case PA_SAM_TYPE_ENIGMA: /* Enigma Logic */
- label = "Challenge for Enigma Logic mechanism";
- break;
+ case PA_SAM_TYPE_ENIGMA: /* Enigma Logic */
+ label = "Challenge for Enigma Logic mechanism";
+ break;
case PA_SAM_TYPE_DIGI_PATH: /* Digital Pathways */
case PA_SAM_TYPE_DIGI_PATH_HEX: /* Digital Pathways */
- label = "Challenge for Digital Pathways mechanism";
- break;
+ label = "Challenge for Digital Pathways mechanism";
+ break;
case PA_SAM_TYPE_ACTIVCARD_DEC: /* Digital Pathways */
case PA_SAM_TYPE_ACTIVCARD_HEX: /* Digital Pathways */
- label = "Challenge for Activcard mechanism";
- break;
- case PA_SAM_TYPE_SKEY_K0: /* S/key where KDC has key 0 */
- label = "Challenge for Enhanced S/Key mechanism";
- break;
- case PA_SAM_TYPE_SKEY: /* Traditional S/Key */
- label = "Challenge for Traditional S/Key mechanism";
- break;
- case PA_SAM_TYPE_SECURID: /* Security Dynamics */
- label = "Challenge for Security Dynamics mechanism";
- break;
- case PA_SAM_TYPE_SECURID_PREDICT: /* predictive Security Dynamics */
- label = "Challenge for Security Dynamics mechanism";
- break;
+ label = "Challenge for Activcard mechanism";
+ break;
+ case PA_SAM_TYPE_SKEY_K0: /* S/key where KDC has key 0 */
+ label = "Challenge for Enhanced S/Key mechanism";
+ break;
+ case PA_SAM_TYPE_SKEY: /* Traditional S/Key */
+ label = "Challenge for Traditional S/Key mechanism";
+ break;
+ case PA_SAM_TYPE_SECURID: /* Security Dynamics */
+ label = "Challenge for Security Dynamics mechanism";
+ break;
+ case PA_SAM_TYPE_SECURID_PREDICT: /* predictive Security Dynamics */
+ label = "Challenge for Security Dynamics mechanism";
+ break;
default:
- label = "Challenge from authentication server";
- break;
+ label = "Challenge from authentication server";
+ break;
}
return(label);
@@ -808,12 +809,12 @@ char *sam_challenge_banner(krb5_int32 sam_type)
/* this macro expands to the int,ptr necessary for "%.*s" in an sprintf */
-#define SAMDATA(kdata, str, maxsize) \
- (int)((kdata.length)? \
- ((((kdata.length)<=(maxsize))?(kdata.length):strlen(str))): \
- strlen(str)), \
- (kdata.length)? \
- ((((kdata.length)<=(maxsize))?(kdata.data):(str))):(str)
+#define SAMDATA(kdata, str, maxsize) \
+ (int)((kdata.length)? \
+ ((((kdata.length)<=(maxsize))?(kdata.length):strlen(str))): \
+ strlen(str)), \
+ (kdata.length)? \
+ ((((kdata.length)<=(maxsize))?(kdata.data):(str))):(str)
/* XXX Danger! This code is not in sync with the kerberos-password-02
draft. This draft cannot be implemented as written. This code is
@@ -821,82 +822,82 @@ char *sam_challenge_banner(krb5_int32 sam_type)
static
krb5_error_code pa_sam(krb5_context context,
- krb5_kdc_req *request,
- krb5_pa_data *in_padata,
- krb5_pa_data **out_padata,
- krb5_data *salt,
- krb5_data *s2kparams,
- krb5_enctype *etype,
- krb5_keyblock *as_key,
- krb5_prompter_fct prompter,
- void *prompter_data,
- krb5_gic_get_as_key_fct gak_fct,
- void *gak_data)
+ krb5_kdc_req *request,
+ krb5_pa_data *in_padata,
+ krb5_pa_data **out_padata,
+ krb5_data *salt,
+ krb5_data *s2kparams,
+ krb5_enctype *etype,
+ krb5_keyblock *as_key,
+ krb5_prompter_fct prompter,
+ void *prompter_data,
+ krb5_gic_get_as_key_fct gak_fct,
+ void *gak_data)
{
- krb5_error_code ret;
- krb5_data tmpsam;
- char name[100], banner[100];
- char prompt[100], response[100];
- krb5_data response_data;
- krb5_prompt kprompt;
- krb5_prompt_type prompt_type;
- krb5_data defsalt;
- krb5_sam_challenge *sam_challenge = 0;
- krb5_sam_response sam_response;
+ krb5_error_code ret;
+ krb5_data tmpsam;
+ char name[100], banner[100];
+ char prompt[100], response[100];
+ krb5_data response_data;
+ krb5_prompt kprompt;
+ krb5_prompt_type prompt_type;
+ krb5_data defsalt;
+ krb5_sam_challenge *sam_challenge = 0;
+ krb5_sam_response sam_response;
/* these two get encrypted and stuffed in to sam_response */
- krb5_enc_sam_response_enc enc_sam_response_enc;
- krb5_data * scratch;
- krb5_pa_data * pa;
+ krb5_enc_sam_response_enc enc_sam_response_enc;
+ krb5_data * scratch;
+ krb5_pa_data * pa;
if (prompter == NULL)
- return EIO;
+ return EIO;
tmpsam.length = in_padata->length;
tmpsam.data = (char *) in_padata->contents;
if ((ret = decode_krb5_sam_challenge(&tmpsam, &sam_challenge)))
- return(ret);
+ return(ret);
if (sam_challenge->sam_flags & KRB5_SAM_MUST_PK_ENCRYPT_SAD) {
- krb5_free_sam_challenge(context, sam_challenge);
- return(KRB5_SAM_UNSUPPORTED);
+ krb5_free_sam_challenge(context, sam_challenge);
+ return(KRB5_SAM_UNSUPPORTED);
}
- /* If we need the password from the user (USE_SAD_AS_KEY not set), */
- /* then get it here. Exception for "old" KDCs with CryptoCard */
- /* support which uses the USE_SAD_AS_KEY flag, but still needs pwd */
+ /* If we need the password from the user (USE_SAD_AS_KEY not set), */
+ /* then get it here. Exception for "old" KDCs with CryptoCard */
+ /* support which uses the USE_SAD_AS_KEY flag, but still needs pwd */
if (!(sam_challenge->sam_flags & KRB5_SAM_USE_SAD_AS_KEY) ||
- (sam_challenge->sam_type == PA_SAM_TYPE_CRYPTOCARD)) {
+ (sam_challenge->sam_type == PA_SAM_TYPE_CRYPTOCARD)) {
- /* etype has either been set by caller or by KRB5_PADATA_ETYPE_INFO */
- /* message from the KDC. If it is not set, pick an enctype that we */
- /* think the KDC will have for us. */
+ /* etype has either been set by caller or by KRB5_PADATA_ETYPE_INFO */
+ /* message from the KDC. If it is not set, pick an enctype that we */
+ /* think the KDC will have for us. */
- if (*etype == 0)
- *etype = ENCTYPE_DES_CBC_CRC;
+ if (*etype == 0)
+ *etype = ENCTYPE_DES_CBC_CRC;
- if ((ret = (gak_fct)(context, request->client, *etype, prompter,
- prompter_data, salt, s2kparams, as_key,
- gak_data))) {
- krb5_free_sam_challenge(context, sam_challenge);
- return(ret);
- }
+ if ((ret = (gak_fct)(context, request->client, *etype, prompter,
+ prompter_data, salt, s2kparams, as_key,
+ gak_data))) {
+ krb5_free_sam_challenge(context, sam_challenge);
+ return(ret);
+ }
}
snprintf(name, sizeof(name), "%.*s",
- SAMDATA(sam_challenge->sam_type_name, "SAM Authentication",
- sizeof(name) - 1));
+ SAMDATA(sam_challenge->sam_type_name, "SAM Authentication",
+ sizeof(name) - 1));
snprintf(banner, sizeof(banner), "%.*s",
- SAMDATA(sam_challenge->sam_challenge_label,
- sam_challenge_banner(sam_challenge->sam_type),
- sizeof(banner)-1));
+ SAMDATA(sam_challenge->sam_challenge_label,
+ sam_challenge_banner(sam_challenge->sam_type),
+ sizeof(banner)-1));
/* sprintf(prompt, "Challenge is [%s], %s: ", challenge, prompt); */
snprintf(prompt, sizeof(prompt), "%s%.*s%s%.*s",
- sam_challenge->sam_challenge.length?"Challenge is [":"",
- SAMDATA(sam_challenge->sam_challenge, "", 20),
- sam_challenge->sam_challenge.length?"], ":"",
- SAMDATA(sam_challenge->sam_response_prompt, "passcode", 55));
+ sam_challenge->sam_challenge.length?"Challenge is [":"",
+ SAMDATA(sam_challenge->sam_challenge, "", 20),
+ sam_challenge->sam_challenge.length?"], ":"",
+ SAMDATA(sam_challenge->sam_response_prompt, "passcode", 55));
response_data.data = response;
response_data.length = sizeof(response);
@@ -909,115 +910,115 @@ krb5_error_code pa_sam(krb5_context context,
/* PROMPTER_INVOCATION */
krb5int_set_prompt_types(context, &prompt_type);
if ((ret = ((*prompter)(context, prompter_data, name,
- banner, 1, &kprompt)))) {
- krb5_free_sam_challenge(context, sam_challenge);
- krb5int_set_prompt_types(context, 0);
- return(ret);
+ banner, 1, &kprompt)))) {
+ krb5_free_sam_challenge(context, sam_challenge);
+ krb5int_set_prompt_types(context, 0);
+ return(ret);
}
krb5int_set_prompt_types(context, 0);
enc_sam_response_enc.sam_nonce = sam_challenge->sam_nonce;
if (sam_challenge->sam_nonce == 0) {
- if ((ret = krb5_us_timeofday(context,
- &enc_sam_response_enc.sam_timestamp,
- &enc_sam_response_enc.sam_usec))) {
- krb5_free_sam_challenge(context,sam_challenge);
- return(ret);
- }
+ if ((ret = krb5_us_timeofday(context,
+ &enc_sam_response_enc.sam_timestamp,
+ &enc_sam_response_enc.sam_usec))) {
+ krb5_free_sam_challenge(context,sam_challenge);
+ return(ret);
+ }
- sam_response.sam_patimestamp = enc_sam_response_enc.sam_timestamp;
+ sam_response.sam_patimestamp = enc_sam_response_enc.sam_timestamp;
}
/* XXX What if more than one flag is set? */
if (sam_challenge->sam_flags & KRB5_SAM_SEND_ENCRYPTED_SAD) {
- /* Most of this should be taken care of before we get here. We */
- /* will need the user's password and as_key to encrypt the SAD */
- /* and we want to preserve ordering of user prompts (first */
- /* password, then SAM data) so that user's won't be confused. */
+ /* Most of this should be taken care of before we get here. We */
+ /* will need the user's password and as_key to encrypt the SAD */
+ /* and we want to preserve ordering of user prompts (first */
+ /* password, then SAM data) so that user's won't be confused. */
- if (as_key->length) {
- krb5_free_keyblock_contents(context, as_key);
- as_key->length = 0;
- }
+ if (as_key->length) {
+ krb5_free_keyblock_contents(context, as_key);
+ as_key->length = 0;
+ }
- /* generate a salt using the requested principal */
+ /* generate a salt using the requested principal */
- if ((salt->length == -1 || salt->length == SALT_TYPE_AFS_LENGTH) && (salt->data == NULL)) {
- if ((ret = krb5_principal2salt(context, request->client,
- &defsalt))) {
- krb5_free_sam_challenge(context, sam_challenge);
- return(ret);
- }
+ if ((salt->length == -1 || salt->length == SALT_TYPE_AFS_LENGTH) && (salt->data == NULL)) {
+ if ((ret = krb5_principal2salt(context, request->client,
+ &defsalt))) {
+ krb5_free_sam_challenge(context, sam_challenge);
+ return(ret);
+ }
- salt = &defsalt;
- } else {
- defsalt.length = 0;
- }
+ salt = &defsalt;
+ } else {
+ defsalt.length = 0;
+ }
- /* generate a key using the supplied password */
+ /* generate a key using the supplied password */
- ret = krb5_c_string_to_key(context, ENCTYPE_DES_CBC_MD5,
- (krb5_data *)gak_data, salt, as_key);
+ ret = krb5_c_string_to_key(context, ENCTYPE_DES_CBC_MD5,
+ (krb5_data *)gak_data, salt, as_key);
- if (defsalt.length)
- free(defsalt.data);
+ if (defsalt.length)
+ free(defsalt.data);
- if (ret) {
- krb5_free_sam_challenge(context, sam_challenge);
- return(ret);
- }
+ if (ret) {
+ krb5_free_sam_challenge(context, sam_challenge);
+ return(ret);
+ }
- /* encrypt the passcode with the key from above */
+ /* encrypt the passcode with the key from above */
- enc_sam_response_enc.sam_sad = response_data;
+ enc_sam_response_enc.sam_sad = response_data;
} else if (sam_challenge->sam_flags & KRB5_SAM_USE_SAD_AS_KEY) {
- /* process the key as password */
+ /* process the key as password */
- if (as_key->length) {
- krb5_free_keyblock_contents(context, as_key);
- as_key->length = 0;
- }
+ if (as_key->length) {
+ krb5_free_keyblock_contents(context, as_key);
+ as_key->length = 0;
+ }
#if 0
- if ((salt->length == SALT_TYPE_AFS_LENGTH) && (salt->data == NULL)) {
- if (ret = krb5_principal2salt(context, request->client,
- &defsalt)) {
- krb5_free_sam_challenge(context, sam_challenge);
- return(ret);
- }
-
- salt = &defsalt;
- } else {
- defsalt.length = 0;
- }
+ if ((salt->length == SALT_TYPE_AFS_LENGTH) && (salt->data == NULL)) {
+ if (ret = krb5_principal2salt(context, request->client,
+ &defsalt)) {
+ krb5_free_sam_challenge(context, sam_challenge);
+ return(ret);
+ }
+
+ salt = &defsalt;
+ } else {
+ defsalt.length = 0;
+ }
#else
- defsalt.length = 0;
- salt = NULL;
+ defsalt.length = 0;
+ salt = NULL;
#endif
-
- /* XXX As of the passwords-04 draft, no enctype is specified,
- the server uses ENCTYPE_DES_CBC_MD5. In the future the
- server should send a PA-SAM-ETYPE-INFO containing the enctype. */
- ret = krb5_c_string_to_key(context, ENCTYPE_DES_CBC_MD5,
- &response_data, salt, as_key);
+ /* XXX As of the passwords-04 draft, no enctype is specified,
+ the server uses ENCTYPE_DES_CBC_MD5. In the future the
+ server should send a PA-SAM-ETYPE-INFO containing the enctype. */
+
+ ret = krb5_c_string_to_key(context, ENCTYPE_DES_CBC_MD5,
+ &response_data, salt, as_key);
- if (defsalt.length)
- free(defsalt.data);
+ if (defsalt.length)
+ free(defsalt.data);
- if (ret) {
- krb5_free_sam_challenge(context, sam_challenge);
- return(ret);
- }
+ if (ret) {
+ krb5_free_sam_challenge(context, sam_challenge);
+ return(ret);
+ }
- enc_sam_response_enc.sam_sad.length = 0;
+ enc_sam_response_enc.sam_sad.length = 0;
} else {
- /* Eventually, combine SAD with long-term key to get
- encryption key. */
- krb5_free_sam_challenge(context, sam_challenge);
- return KRB5_PREAUTH_BAD_TYPE;
+ /* Eventually, combine SAD with long-term key to get
+ encryption key. */
+ krb5_free_sam_challenge(context, sam_challenge);
+ return KRB5_PREAUTH_BAD_TYPE;
}
/* copy things from the challenge */
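Review bot: In the `KRB5_SAM_SEND_ENCRYPTED_SAD` branch, `(krb5_data *)gak_data` treats the caller's opaque `gak_data` as the password, although the signature only promises a `void *` that belongs to `gak_fct`; with any other `gak_fct` this would read an unrelated object as a `krb5_data`. The cast should carry a comment stating that requirement, for example `/* assumes gak_data is the krb5_data password used by the password gak_fct */`, or the branch should fail when that cannot be guaranteed. Both `krb5_c_string_to_key()` calls in this hunk also hard-code `ENCTYPE_DES_CBC_MD5`, a single-DES enctype, which the existing XXX comment acknowledges only for the second call. pa_sam begins in the previous hunk and continues in the next.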
@@ -1031,26 +1032,26 @@ krb5_error_code pa_sam(krb5_context context,
/* encode the encoded part of the response */
if ((ret = encode_krb5_enc_sam_response_enc(&enc_sam_response_enc,
- &scratch)))
- return(ret);
+ &scratch)))
+ return(ret);
ret = krb5_encrypt_data(context, as_key, 0, scratch,
- &sam_response.sam_enc_nonce_or_ts);
+ &sam_response.sam_enc_nonce_or_ts);
krb5_free_data(context, scratch);
if (ret)
- return(ret);
+ return(ret);
/* sam_enc_key is reserved for future use */
sam_response.sam_enc_key.ciphertext.length = 0;
if ((pa = malloc(sizeof(krb5_pa_data))) == NULL)
- return(ENOMEM);
+ return(ENOMEM);
if ((ret = encode_krb5_sam_response(&sam_response, &scratch))) {
- free(pa);
- return(ret);
+ free(pa);
+ return(ret);
}
pa->magic = KV5M_PA_DATA;
@@ -1066,7 +1067,7 @@ krb5_error_code pa_sam(krb5_context context,
}
#if APPLE_PKINIT
-/*
+/*
* PKINIT. One function to generate AS-REQ, one to parse AS-REP
*/
#define PKINIT_DEBUG 0
@@ -1081,32 +1082,32 @@ static krb5_error_code pa_pkinit_gen_req(
krb5_kdc_req *request,
krb5_pa_data *in_padata,
krb5_pa_data **out_padata,
- krb5_data *salt,
+ krb5_data *salt,
krb5_data *s2kparams,
krb5_enctype *etype,
krb5_keyblock *as_key,
- krb5_prompter_fct prompter,
+ krb5_prompter_fct prompter,
void *prompter_data,
- krb5_gic_get_as_key_fct gak_fct,
+ krb5_gic_get_as_key_fct gak_fct,
void *gak_data)
{
- krb5_error_code krtn;
- krb5_data out_data = {0, 0, NULL};
- krb5_timestamp kctime = 0;
- krb5_int32 cusec = 0;
- krb5_ui_4 nonce = 0;
- krb5_checksum cksum;
- krb5_pkinit_signing_cert_t client_cert;
- krb5_data *der_req = NULL;
- char *client_principal = NULL;
- char *server_principal = NULL;
- unsigned char nonce_bytes[4];
- krb5_data nonce_data = {0, 4, (char *)nonce_bytes};
- int dex;
-
- /*
+ krb5_error_code krtn;
+ krb5_data out_data = {0, 0, NULL};
+ krb5_timestamp kctime = 0;
+ krb5_int32 cusec = 0;
+ krb5_ui_4 nonce = 0;
+ krb5_checksum cksum;
+ krb5_pkinit_signing_cert_t client_cert;
+ krb5_data *der_req = NULL;
+ char *client_principal = NULL;
+ char *server_principal = NULL;
+ unsigned char nonce_bytes[4];
+ krb5_data nonce_data = {0, 4, (char *)nonce_bytes};
+ int dex;
+
+ /*
* Trusted CA list and specific KC cert optionally obtained via
- * krb5_pkinit_get_server_certs(). All are DER-encoded certs.
+ * krb5_pkinit_get_server_certs(). All are DER-encoded certs.
*/
krb5_data *trusted_CAs = NULL;
krb5_ui_4 num_trusted_CAs;
@@ -1116,72 +1117,72 @@ static krb5_error_code pa_pkinit_gen_req(
/* If we don't have a client cert, we're done */
if(request->client == NULL) {
- kdcPkinitDebug("No request->client; aborting PKINIT\n");
- return KRB5KDC_ERR_PREAUTH_FAILED;
+ kdcPkinitDebug("No request->client; aborting PKINIT\n");
+ return KRB5KDC_ERR_PREAUTH_FAILED;
}
krtn = krb5_unparse_name(context, request->client, &client_principal);
if(krtn) {
- return krtn;
+ return krtn;
}
krtn = krb5_pkinit_get_client_cert(client_principal, &client_cert);
free(client_principal);
if(krtn) {
- kdcPkinitDebug("No client cert; aborting PKINIT\n");
- return krtn;
+ kdcPkinitDebug("No client cert; aborting PKINIT\n");
+ return krtn;
}
-
+
/* optional platform-dependent CA list and KDC cert */
krtn = krb5_unparse_name(context, request->server, &server_principal);
if(krtn) {
- goto cleanup;
+ goto cleanup;
}
krtn = krb5_pkinit_get_server_certs(client_principal, server_principal,
- &trusted_CAs, &num_trusted_CAs, &kdc_cert);
+ &trusted_CAs, &num_trusted_CAs, &kdc_cert);
if(krtn) {
- goto cleanup;
+ goto cleanup;
}
-
+
/* checksum of the encoded KDC-REQ-BODY */
krtn = encode_krb5_kdc_req_body(request, &der_req);
if(krtn) {
- kdcPkinitDebug("encode_krb5_kdc_req_body returned %d\n", (int)krtn);
- goto cleanup;
+ kdcPkinitDebug("encode_krb5_kdc_req_body returned %d\n", (int)krtn);
+ goto cleanup;
}
krtn = krb5_c_make_checksum(context, CKSUMTYPE_NIST_SHA, NULL, 0, der_req, &cksum);
if(krtn) {
- goto cleanup;
+ goto cleanup;
}
krtn = krb5_us_timeofday(context, &kctime, &cusec);
if(krtn) {
- goto cleanup;
+ goto cleanup;
}
-
+
/* cook up a random 4-byte nonce */
krtn = krb5_c_random_make_octets(context, &nonce_data);
if(krtn) {
- goto cleanup;
+ goto cleanup;
}
for(dex=0; dex<4; dex++) {
- nonce <<= 8;
- nonce |= nonce_bytes[dex];
+ nonce <<= 8;
+ nonce |= nonce_bytes[dex];
}
- krtn = krb5int_pkinit_as_req_create(context,
- kctime, cusec, nonce, &cksum,
- client_cert,
- trusted_CAs, num_trusted_CAs,
- (kdc_cert.data ? &kdc_cert : NULL),
- &out_data);
+ krtn = krb5int_pkinit_as_req_create(context,
+ kctime, cusec, nonce, &cksum,
+ client_cert,
+ trusted_CAs, num_trusted_CAs,
+ (kdc_cert.data ? &kdc_cert : NULL),
+ &out_data);
if(krtn) {
- kdcPkinitDebug("error %d on pkinit_as_req_create; aborting PKINIT\n", (int)krtn);
- goto cleanup;
+ kdcPkinitDebug("error %d on pkinit_as_req_create; aborting PKINIT\n", (int)krtn);
+ goto cleanup;
}
*out_padata = (krb5_pa_data *)malloc(sizeof(krb5_pa_data));
if(*out_padata == NULL) {
- krtn = ENOMEM;
- free(out_data.data);
- goto cleanup;
+ krtn = ENOMEM;
+ free(out_data.data);
+ goto cleanup;
}
(*out_padata)->magic = KV5M_PA_DATA;
(*out_padata)->pa_type = KRB5_PADATA_PK_AS_REQ;
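Review bot: `client_principal` is freed right after `krb5_pkinit_get_client_cert()` and then passed again, now dangling, to `krb5_pkinit_get_server_certs(client_principal, server_principal, ...)` a few lines later in this hunk. The `free(client_principal);` should be deferred: free it on the no-client-cert early return and otherwise under the `cleanup:` label in the next hunk, so the pointer stays valid for the second call. Separately, the `goto cleanup` paths taken before `krb5_c_make_checksum()` reach `if(cksum.contents)` in the cleanup hunk while `cksum` is declared without an initializer in the previous hunk; unless the lines between the hunks clear it, add `memset(&cksum, 0, sizeof(cksum));` before the first `goto cleanup`. The function starts before and ends after this hunk.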
@@ -1190,27 +1191,27 @@ static krb5_error_code pa_pkinit_gen_req(
krtn = 0;
cleanup:
if(client_cert) {
- krb5_pkinit_release_cert(client_cert);
+ krb5_pkinit_release_cert(client_cert);
}
if(cksum.contents) {
- free(cksum.contents);
+ free(cksum.contents);
}
if (der_req) {
- krb5_free_data(context, der_req);
+ krb5_free_data(context, der_req);
}
if(server_principal) {
- free(server_principal);
+ free(server_principal);
}
/* free data mallocd by krb5_pkinit_get_server_certs() */
if(trusted_CAs) {
- unsigned udex;
- for(udex=0; udex<num_trusted_CAs; udex++) {
- free(trusted_CAs[udex].data);
- }
- free(trusted_CAs);
+ unsigned udex;
+ for(udex=0; udex<num_trusted_CAs; udex++) {
+ free(trusted_CAs[udex].data);
+ }
+ free(trusted_CAs);
}
if(kdc_cert.data) {
- free(kdc_cert.data);
+ free(kdc_cert.data);
}
return krtn;
@@ -1234,17 +1235,17 @@ static krb5_boolean local_kdc_cert_match(
if (client->realm.length <= sizeof(lkdcprefix) ||
0 != memcmp(lkdcprefix, client->realm.data, sizeof(lkdcprefix)-1))
- return match;
+ return match;
realm_hash = &client->realm.data[sizeof(lkdcprefix)-1];
realm_hash_len = client->realm.length - sizeof(lkdcprefix) + 1;
kdcPkinitDebug("checking realm versus certificate hash\n");
if (NULL != (cert_hash = krb5_pkinit_cert_hash_str(signer_cert))) {
- kdcPkinitDebug("hash = %s\n", cert_hash);
- cert_hash_len = strlen(cert_hash);
- if (cert_hash_len == realm_hash_len &&
- 0 == memcmp(cert_hash, realm_hash, cert_hash_len))
- match = TRUE;
- free(cert_hash);
+ kdcPkinitDebug("hash = %s\n", cert_hash);
+ cert_hash_len = strlen(cert_hash);
+ if (cert_hash_len == realm_hash_len &&
+ 0 == memcmp(cert_hash, realm_hash, cert_hash_len))
+ match = TRUE;
+ free(cert_hash);
}
kdcPkinitDebug("result: %s\n", match ? "matches" : "does not match");
return match;
@@ -1255,125 +1256,125 @@ static krb5_error_code pa_pkinit_parse_rep(
krb5_kdc_req *request,
krb5_pa_data *in_padata,
krb5_pa_data **out_padata,
- krb5_data *salt,
+ krb5_data *salt,
krb5_data *s2kparams,
krb5_enctype *etype,
krb5_keyblock *as_key,
- krb5_prompter_fct prompter,
+ krb5_prompter_fct prompter,
void *prompter_data,
- krb5_gic_get_as_key_fct gak_fct,
+ krb5_gic_get_as_key_fct gak_fct,
void *gak_data)
{
- krb5int_cert_sig_status sig_status = (krb5int_cert_sig_status)-999;
- krb5_error_code krtn;
- krb5_data asRep;
- krb5_keyblock local_key = {0};
- krb5_pkinit_signing_cert_t client_cert;
- char *princ_name = NULL;
- krb5_checksum as_req_checksum_rcd = {0}; /* received checksum */
- krb5_checksum as_req_checksum_gen = {0}; /* calculated checksum */
- krb5_data *encoded_as_req = NULL;
- krb5_data signer_cert = {0};
+ krb5int_cert_sig_status sig_status = (krb5int_cert_sig_status)-999;
+ krb5_error_code krtn;
+ krb5_data asRep;
+ krb5_keyblock local_key = {0};
+ krb5_pkinit_signing_cert_t client_cert;
+ char *princ_name = NULL;
+ krb5_checksum as_req_checksum_rcd = {0}; /* received checksum */
+ krb5_checksum as_req_checksum_gen = {0}; /* calculated checksum */
+ krb5_data *encoded_as_req = NULL;
+ krb5_data signer_cert = {0};
*out_padata = NULL;
kdcPkinitDebug("pa_pkinit_parse_rep\n");
if((in_padata == NULL) || (in_padata->length== 0)) {
- kdcPkinitDebug("pa_pkinit_parse_rep: no in_padata\n");
- return KRB5KDC_ERR_PREAUTH_FAILED;
+ kdcPkinitDebug("pa_pkinit_parse_rep: no in_padata\n");
+ return KRB5KDC_ERR_PREAUTH_FAILED;
}
/* If we don't have a client cert, we're done */
if(request->client == NULL) {
- kdcPkinitDebug("No request->client; aborting PKINIT\n");
- return KRB5KDC_ERR_PREAUTH_FAILED;
+ kdcPkinitDebug("No request->client; aborting PKINIT\n");
+ return KRB5KDC_ERR_PREAUTH_FAILED;
}
krtn = krb5_unparse_name(context, request->client, &princ_name);
if(krtn) {
- return krtn;
+ return krtn;
}
krtn = krb5_pkinit_get_client_cert(princ_name, &client_cert);
free(princ_name);
if(krtn) {
- kdcPkinitDebug("No client cert; aborting PKINIT\n");
- return krtn;
+ kdcPkinitDebug("No client cert; aborting PKINIT\n");
+ return krtn;
}
-
+
memset(&local_key, 0, sizeof(local_key));
asRep.data = (char *)in_padata->contents;
asRep.length = in_padata->length;
- krtn = krb5int_pkinit_as_rep_parse(context, &asRep, client_cert,
- &local_key, &as_req_checksum_rcd, &sig_status,
- &signer_cert, NULL, NULL);
+ krtn = krb5int_pkinit_as_rep_parse(context, &asRep, client_cert,
+ &local_key, &as_req_checksum_rcd, &sig_status,
+ &signer_cert, NULL, NULL);
if(krtn) {
- kdcPkinitDebug("pkinit_as_rep_parse returned %d\n", (int)krtn);
- return krtn;
+ kdcPkinitDebug("pkinit_as_rep_parse returned %d\n", (int)krtn);
+ return krtn;
}
switch(sig_status) {
- case pki_cs_good:
- break;
- case pki_cs_unknown_root:
- if (local_kdc_cert_match(context, &signer_cert, request->client))
- break;
- /* FALLTHROUGH */
- default:
- kdcPkinitDebug("pa_pkinit_parse_rep: bad cert/sig status %d\n",
- (int)sig_status);
- krtn = KRB5KDC_ERR_PREAUTH_FAILED;
- goto error_out;
- }
-
- /* calculate checksum of incoming AS-REQ using the decryption key
+ case pki_cs_good:
+ break;
+ case pki_cs_unknown_root:
+ if (local_kdc_cert_match(context, &signer_cert, request->client))
+ break;
+ /* FALLTHROUGH */
+ default:
+ kdcPkinitDebug("pa_pkinit_parse_rep: bad cert/sig status %d\n",
+ (int)sig_status);
+ krtn = KRB5KDC_ERR_PREAUTH_FAILED;
+ goto error_out;
+ }
+
+ /* calculate checksum of incoming AS-REQ using the decryption key
* we just got from the ReplyKeyPack */
krtn = encode_krb5_as_req(request, &encoded_as_req);
if(krtn) {
- goto error_out;
+ goto error_out;
}
- krtn = krb5_c_make_checksum(context, context->kdc_req_sumtype,
- &local_key, KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM,
- encoded_as_req, &as_req_checksum_gen);
+ krtn = krb5_c_make_checksum(context, context->kdc_req_sumtype,
+ &local_key, KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM,
+ encoded_as_req, &as_req_checksum_gen);
if(krtn) {
- goto error_out;
+ goto error_out;
}
if((as_req_checksum_gen.length != as_req_checksum_rcd.length) ||
memcmp(as_req_checksum_gen.contents,
- as_req_checksum_rcd.contents,
- as_req_checksum_gen.length)) {
- kdcPkinitDebug("pa_pkinit_parse_rep: checksum miscompare\n");
- krtn = KRB5KDC_ERR_PREAUTH_FAILED;
- goto error_out;
+ as_req_checksum_rcd.contents,
+ as_req_checksum_gen.length)) {
+ kdcPkinitDebug("pa_pkinit_parse_rep: checksum miscompare\n");
+ krtn = KRB5KDC_ERR_PREAUTH_FAILED;
+ goto error_out;
}
-
+
/* We have the key; transfer to caller */
if (as_key->length) {
- krb5_free_keyblock_contents(context, as_key);
+ krb5_free_keyblock_contents(context, as_key);
}
*as_key = local_key;
-
- #if PKINIT_DEBUG
+
+#if PKINIT_DEBUG
fprintf(stderr, "pa_pkinit_parse_rep: SUCCESS\n");
fprintf(stderr, "enctype %d keylen %d keydata %02x %02x %02x %02x...\n",
- (int)as_key->enctype, (int)as_key->length,
- as_key->contents[0], as_key->contents[1],
- as_key->contents[2], as_key->contents[3]);
- #endif
-
+ (int)as_key->enctype, (int)as_key->length,
+ as_key->contents[0], as_key->contents[1],
+ as_key->contents[2], as_key->contents[3]);
+#endif
+
krtn = 0;
-
+
error_out:
if (signer_cert.data) {
- free(signer_cert.data);
+ free(signer_cert.data);
}
if(as_req_checksum_rcd.contents) {
- free(as_req_checksum_rcd.contents);
+ free(as_req_checksum_rcd.contents);
}
if(as_req_checksum_gen.contents) {
- free(as_req_checksum_gen.contents);
+ free(as_req_checksum_gen.contents);
}
if(encoded_as_req) {
- krb5_free_data(context, encoded_as_req);
+ krb5_free_data(context, encoded_as_req);
}
if(krtn && (local_key.contents != NULL)) {
- krb5_free_keyblock_contents(context, &local_key);
+ krb5_free_keyblock_contents(context, &local_key);
}
return krtn;
}
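Review bot: `client_cert` obtained from `krb5_pkinit_get_client_cert()` is never released in this function: `error_out:` frees the signer cert, both checksums, the encoded request and the key, but has no counterpart to the `krb5_pkinit_release_cert(client_cert)` that `pa_pkinit_gen_req` performs in its cleanup. The failure branch after `krb5int_pkinit_as_rep_parse()` also does `return krtn;` directly, skipping `error_out` and anything the parser may already have stored in `local_key`, `as_req_checksum_rcd` or `signer_cert` (not visible here, so worth confirming). I would change that branch to `goto error_out;` and add `if (client_cert) krb5_pkinit_release_cert(client_cert);` under the label. The `#if PKINIT_DEBUG` block writes the first four bytes of the reply key to stderr; a comment saying it must stay disabled in shipped builds would help. The first lines of the signature sit above the hunk.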
@@ -1381,329 +1382,329 @@ error_out:
static
krb5_error_code pa_sam_2(krb5_context context,
- krb5_kdc_req *request,
- krb5_pa_data *in_padata,
- krb5_pa_data **out_padata,
- krb5_data *salt,
- krb5_data *s2kparams,
- krb5_enctype *etype,
- krb5_keyblock *as_key,
- krb5_prompter_fct prompter,
- void *prompter_data,
- krb5_gic_get_as_key_fct gak_fct,
- void *gak_data) {
-
- krb5_error_code retval;
- krb5_sam_challenge_2 *sc2 = NULL;
- krb5_sam_challenge_2_body *sc2b = NULL;
- krb5_data tmp_data;
- krb5_data response_data;
- char name[100], banner[100], prompt[100], response[100];
- krb5_prompt kprompt;
- krb5_prompt_type prompt_type;
- krb5_data defsalt;
- krb5_checksum **cksum;
- krb5_data *scratch = NULL;
- krb5_boolean valid_cksum = 0;
- krb5_enc_sam_response_enc_2 enc_sam_response_enc_2;
- krb5_sam_response_2 sr2;
- size_t ciph_len;
- krb5_pa_data *sam_padata;
-
- if (prompter == NULL)
- return KRB5_LIBOS_CANTREADPWD;
-
- tmp_data.length = in_padata->length;
- tmp_data.data = (char *)in_padata->contents;
-
- if ((retval = decode_krb5_sam_challenge_2(&tmp_data, &sc2)))
- return(retval);
-
- retval = decode_krb5_sam_challenge_2_body(&sc2->sam_challenge_2_body, &sc2b);
-
- if (retval) {
- krb5_free_sam_challenge_2(context, sc2);
- return(retval);
- }
-
- if (!sc2->sam_cksum || ! *sc2->sam_cksum) {
- krb5_free_sam_challenge_2(context, sc2);
- krb5_free_sam_challenge_2_body(context, sc2b);
- return(KRB5_SAM_NO_CHECKSUM);
- }
-
- if (sc2b->sam_flags & KRB5_SAM_MUST_PK_ENCRYPT_SAD) {
- krb5_free_sam_challenge_2(context, sc2);
- krb5_free_sam_challenge_2_body(context, sc2b);
- return(KRB5_SAM_UNSUPPORTED);
- }
-
- if (!krb5_c_valid_enctype(sc2b->sam_etype)) {
- krb5_free_sam_challenge_2(context, sc2);
- krb5_free_sam_challenge_2_body(context, sc2b);
- return(KRB5_SAM_INVALID_ETYPE);
- }
-
- /* All of the above error checks are KDC-specific, that is, they */
- /* assume a failure in the KDC reply. By returning anything other */
- /* than KRB5_KDC_UNREACH, KRB5_PREAUTH_FAILED, */
- /* KRB5_LIBOS_PWDINTR, or KRB5_REALM_CANT_RESOLVE, the client will */
- /* most likely go on to try the AS_REQ against master KDC */
-
- if (!(sc2b->sam_flags & KRB5_SAM_USE_SAD_AS_KEY)) {
- /* We will need the password to obtain the key used for */
- /* the checksum, and encryption of the sam_response. */
- /* Go ahead and get it now, preserving the ordering of */
- /* prompts for the user. */
-
- retval = (gak_fct)(context, request->client,
- sc2b->sam_etype, prompter,
- prompter_data, salt, s2kparams, as_key, gak_data);
- if (retval) {
- krb5_free_sam_challenge_2(context, sc2);
- krb5_free_sam_challenge_2_body(context, sc2b);
- return(retval);
- }
- }
-
- snprintf(name, sizeof(name), "%.*s",
- SAMDATA(sc2b->sam_type_name, "SAM Authentication",
- sizeof(name) - 1));
-
- snprintf(banner, sizeof(banner), "%.*s",
- SAMDATA(sc2b->sam_challenge_label,
- sam_challenge_banner(sc2b->sam_type),
- sizeof(banner)-1));
-
- snprintf(prompt, sizeof(prompt), "%s%.*s%s%.*s",
- sc2b->sam_challenge.length?"Challenge is [":"",
- SAMDATA(sc2b->sam_challenge, "", 20),
- sc2b->sam_challenge.length?"], ":"",
- SAMDATA(sc2b->sam_response_prompt, "passcode", 55));
-
- response_data.data = response;
- response_data.length = sizeof(response);
- kprompt.prompt = prompt;
- kprompt.hidden = 1;
- kprompt.reply = &response_data;
-
- prompt_type = KRB5_PROMPT_TYPE_PREAUTH;
- krb5int_set_prompt_types(context, &prompt_type);
-
- if ((retval = ((*prompter)(context, prompter_data, name,
- banner, 1, &kprompt)))) {
- krb5_free_sam_challenge_2(context, sc2);
- krb5_free_sam_challenge_2_body(context, sc2b);
- krb5int_set_prompt_types(context, 0);
- return(retval);
- }
-
- krb5int_set_prompt_types(context, (krb5_prompt_type *)NULL);
-
- /* Generate salt used by string_to_key() */
- if ((salt->length == -1) && (salt->data == NULL)) {
- if ((retval =
- krb5_principal2salt(context, request->client, &defsalt))) {
- krb5_free_sam_challenge_2(context, sc2);
- krb5_free_sam_challenge_2_body(context, sc2b);
- return(retval);
- }
- salt = &defsalt;
- } else {
- defsalt.length = 0;
- }
-
- /* Get encryption key to be used for checksum and sam_response */
- if (!(sc2b->sam_flags & KRB5_SAM_USE_SAD_AS_KEY)) {
- /* as_key = string_to_key(password) */
-
- if (as_key->length) {
- krb5_free_keyblock_contents(context, as_key);
- as_key->length = 0;
- }
-
- /* generate a key using the supplied password */
- retval = krb5_c_string_to_key(context, sc2b->sam_etype,
- (krb5_data *)gak_data, salt, as_key);
+ krb5_kdc_req *request,
+ krb5_pa_data *in_padata,
+ krb5_pa_data **out_padata,
+ krb5_data *salt,
+ krb5_data *s2kparams,
+ krb5_enctype *etype,
+ krb5_keyblock *as_key,
+ krb5_prompter_fct prompter,
+ void *prompter_data,
+ krb5_gic_get_as_key_fct gak_fct,
+ void *gak_data) {
- if (retval) {
- krb5_free_sam_challenge_2(context, sc2);
- krb5_free_sam_challenge_2_body(context, sc2b);
- if (defsalt.length) free(defsalt.data);
- return(retval);
- }
-
- if (!(sc2b->sam_flags & KRB5_SAM_SEND_ENCRYPTED_SAD)) {
- /* as_key = combine_key (as_key, string_to_key(SAD)) */
- krb5_keyblock tmp_kb;
-
- retval = krb5_c_string_to_key(context, sc2b->sam_etype,
- &response_data, salt, &tmp_kb);
-
- if (retval) {
- krb5_free_sam_challenge_2(context, sc2);
- krb5_free_sam_challenge_2_body(context, sc2b);
- if (defsalt.length) free(defsalt.data);
- return(retval);
- }
-
- /* This should be a call to the crypto library some day */
- /* key types should already match the sam_etype */
- retval = krb5int_c_combine_keys(context, as_key, &tmp_kb, as_key);
-
- if (retval) {
- krb5_free_sam_challenge_2(context, sc2);
- krb5_free_sam_challenge_2_body(context, sc2b);
- if (defsalt.length) free(defsalt.data);
- return(retval);
- }
- krb5_free_keyblock_contents(context, &tmp_kb);
- }
-
- if (defsalt.length)
- free(defsalt.data);
-
- } else {
- /* as_key = string_to_key(SAD) */
-
- if (as_key->length) {
- krb5_free_keyblock_contents(context, as_key);
- as_key->length = 0;
- }
-
- /* generate a key using the supplied password */
- retval = krb5_c_string_to_key(context, sc2b->sam_etype,
- &response_data, salt, as_key);
-
- if (defsalt.length)
- free(defsalt.data);
-
- if (retval) {
- krb5_free_sam_challenge_2(context, sc2);
- krb5_free_sam_challenge_2_body(context, sc2b);
- return(retval);
- }
- }
-
- /* Now we have a key, verify the checksum on the sam_challenge */
-
- cksum = sc2->sam_cksum;
-
- while (*cksum) {
- /* Check this cksum */
- retval = krb5_c_verify_checksum(context, as_key,
- KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM,
- &sc2->sam_challenge_2_body,
- *cksum, &valid_cksum);
- if (retval) {
- krb5_free_data(context, scratch);
- krb5_free_sam_challenge_2(context, sc2);
- krb5_free_sam_challenge_2_body(context, sc2b);
- return(retval);
- }
- if (valid_cksum)
- break;
- cksum++;
- }
-
- if (!valid_cksum) {
- krb5_free_sam_challenge_2(context, sc2);
- krb5_free_sam_challenge_2_body(context, sc2b);
- /*
- * Note: We return AP_ERR_BAD_INTEGRITY so upper-level applications
- * can interpret that as "password incorrect", which is probably
- * the best error we can return in this situation.
- */
- return(KRB5KRB_AP_ERR_BAD_INTEGRITY);
- }
-
- /* fill in enc_sam_response_enc_2 */
- enc_sam_response_enc_2.magic = KV5M_ENC_SAM_RESPONSE_ENC_2;
- enc_sam_response_enc_2.sam_nonce = sc2b->sam_nonce;
- if (sc2b->sam_flags & KRB5_SAM_SEND_ENCRYPTED_SAD) {
- enc_sam_response_enc_2.sam_sad = response_data;
- } else {
- enc_sam_response_enc_2.sam_sad.data = NULL;
- enc_sam_response_enc_2.sam_sad.length = 0;
- }
-
- /* encode and encrypt enc_sam_response_enc_2 with as_key */
- retval = encode_krb5_enc_sam_response_enc_2(&enc_sam_response_enc_2,
- &scratch);
- if (retval) {
- krb5_free_sam_challenge_2(context, sc2);
- krb5_free_sam_challenge_2_body(context, sc2b);
- return(retval);
- }
-
- /* Fill in sam_response_2 */
- memset(&sr2, 0, sizeof(sr2));
- sr2.sam_type = sc2b->sam_type;
- sr2.sam_flags = sc2b->sam_flags;
- sr2.sam_track_id = sc2b->sam_track_id;
- sr2.sam_nonce = sc2b->sam_nonce;
-
- /* Now take care of sr2.sam_enc_nonce_or_sad by encrypting encoded */
- /* enc_sam_response_enc_2 from above */
-
- retval = krb5_c_encrypt_length(context, as_key->enctype, scratch->length,
- &ciph_len);
- if (retval) {
- krb5_free_sam_challenge_2(context, sc2);
- krb5_free_sam_challenge_2_body(context, sc2b);
- krb5_free_data(context, scratch);
- return(retval);
- }
- sr2.sam_enc_nonce_or_sad.ciphertext.length = ciph_len;
-
- sr2.sam_enc_nonce_or_sad.ciphertext.data =
- (char *)malloc(sr2.sam_enc_nonce_or_sad.ciphertext.length);
-
- if (!sr2.sam_enc_nonce_or_sad.ciphertext.data) {
- krb5_free_sam_challenge_2(context, sc2);
- krb5_free_sam_challenge_2_body(context, sc2b);
- krb5_free_data(context, scratch);
- return(ENOMEM);
- }
-
- retval = krb5_c_encrypt(context, as_key, KRB5_KEYUSAGE_PA_SAM_RESPONSE,
- NULL, scratch, &sr2.sam_enc_nonce_or_sad);
- if (retval) {
- krb5_free_sam_challenge_2(context, sc2);
- krb5_free_sam_challenge_2_body(context, sc2b);
- krb5_free_data(context, scratch);
- krb5_free_data_contents(context, &sr2.sam_enc_nonce_or_sad.ciphertext);
- return(retval);
- }
- krb5_free_data(context, scratch);
- scratch = NULL;
-
- /* Encode the sam_response_2 */
- retval = encode_krb5_sam_response_2(&sr2, &scratch);
- krb5_free_sam_challenge_2(context, sc2);
- krb5_free_sam_challenge_2_body(context, sc2b);
- krb5_free_data_contents(context, &sr2.sam_enc_nonce_or_sad.ciphertext);
-
- if (retval) {
- return (retval);
- }
-
- /* Almost there, just need to make padata ! */
- sam_padata = malloc(sizeof(krb5_pa_data));
- if (sam_padata == NULL) {
- krb5_free_data(context, scratch);
- return(ENOMEM);
- }
-
- sam_padata->magic = KV5M_PA_DATA;
- sam_padata->pa_type = KRB5_PADATA_SAM_RESPONSE_2;
- sam_padata->length = scratch->length;
- sam_padata->contents = (krb5_octet *) scratch->data;
- free(scratch);
-
- *out_padata = sam_padata;
-
- return(0);
+ krb5_error_code retval;
+ krb5_sam_challenge_2 *sc2 = NULL;
+ krb5_sam_challenge_2_body *sc2b = NULL;
+ krb5_data tmp_data;
+ krb5_data response_data;
+ char name[100], banner[100], prompt[100], response[100];
+ krb5_prompt kprompt;
+ krb5_prompt_type prompt_type;
+ krb5_data defsalt;
+ krb5_checksum **cksum;
+ krb5_data *scratch = NULL;
+ krb5_boolean valid_cksum = 0;
+ krb5_enc_sam_response_enc_2 enc_sam_response_enc_2;
+ krb5_sam_response_2 sr2;
+ size_t ciph_len;
+ krb5_pa_data *sam_padata;
+
+ if (prompter == NULL)
+ return KRB5_LIBOS_CANTREADPWD;
+
+ tmp_data.length = in_padata->length;
+ tmp_data.data = (char *)in_padata->contents;
+
+ if ((retval = decode_krb5_sam_challenge_2(&tmp_data, &sc2)))
+ return(retval);
+
+ retval = decode_krb5_sam_challenge_2_body(&sc2->sam_challenge_2_body, &sc2b);
+
+ if (retval) {
+ krb5_free_sam_challenge_2(context, sc2);
+ return(retval);
+ }
+
+ if (!sc2->sam_cksum || ! *sc2->sam_cksum) {
+ krb5_free_sam_challenge_2(context, sc2);
+ krb5_free_sam_challenge_2_body(context, sc2b);
+ return(KRB5_SAM_NO_CHECKSUM);
+ }
+
+ if (sc2b->sam_flags & KRB5_SAM_MUST_PK_ENCRYPT_SAD) {
+ krb5_free_sam_challenge_2(context, sc2);
+ krb5_free_sam_challenge_2_body(context, sc2b);
+ return(KRB5_SAM_UNSUPPORTED);
+ }
+
+ if (!krb5_c_valid_enctype(sc2b->sam_etype)) {
+ krb5_free_sam_challenge_2(context, sc2);
+ krb5_free_sam_challenge_2_body(context, sc2b);
+ return(KRB5_SAM_INVALID_ETYPE);
+ }
+
+ /* All of the above error checks are KDC-specific, that is, they */
+ /* assume a failure in the KDC reply. By returning anything other */
+ /* than KRB5_KDC_UNREACH, KRB5_PREAUTH_FAILED, */
+ /* KRB5_LIBOS_PWDINTR, or KRB5_REALM_CANT_RESOLVE, the client will */
+ /* most likely go on to try the AS_REQ against master KDC */
+
+ if (!(sc2b->sam_flags & KRB5_SAM_USE_SAD_AS_KEY)) {
+ /* We will need the password to obtain the key used for */
+ /* the checksum, and encryption of the sam_response. */
+ /* Go ahead and get it now, preserving the ordering of */
+ /* prompts for the user. */
+
+ retval = (gak_fct)(context, request->client,
+ sc2b->sam_etype, prompter,
+ prompter_data, salt, s2kparams, as_key, gak_data);
+ if (retval) {
+ krb5_free_sam_challenge_2(context, sc2);
+ krb5_free_sam_challenge_2_body(context, sc2b);
+ return(retval);
+ }
+ }
+
+ snprintf(name, sizeof(name), "%.*s",
+ SAMDATA(sc2b->sam_type_name, "SAM Authentication",
+ sizeof(name) - 1));
+
+ snprintf(banner, sizeof(banner), "%.*s",
+ SAMDATA(sc2b->sam_challenge_label,
+ sam_challenge_banner(sc2b->sam_type),
+ sizeof(banner)-1));
+
+ snprintf(prompt, sizeof(prompt), "%s%.*s%s%.*s",
+ sc2b->sam_challenge.length?"Challenge is [":"",
+ SAMDATA(sc2b->sam_challenge, "", 20),
+ sc2b->sam_challenge.length?"], ":"",
+ SAMDATA(sc2b->sam_response_prompt, "passcode", 55));
+
+ response_data.data = response;
+ response_data.length = sizeof(response);
+ kprompt.prompt = prompt;
+ kprompt.hidden = 1;
+ kprompt.reply = &response_data;
+
+ prompt_type = KRB5_PROMPT_TYPE_PREAUTH;
+ krb5int_set_prompt_types(context, &prompt_type);
+
+ if ((retval = ((*prompter)(context, prompter_data, name,
+ banner, 1, &kprompt)))) {
+ krb5_free_sam_challenge_2(context, sc2);
+ krb5_free_sam_challenge_2_body(context, sc2b);
+ krb5int_set_prompt_types(context, 0);
+ return(retval);
+ }
+
+ krb5int_set_prompt_types(context, (krb5_prompt_type *)NULL);
+
+ /* Generate salt used by string_to_key() */
+ if ((salt->length == -1) && (salt->data == NULL)) {
+ if ((retval =
+ krb5_principal2salt(context, request->client, &defsalt))) {
+ krb5_free_sam_challenge_2(context, sc2);
+ krb5_free_sam_challenge_2_body(context, sc2b);
+ return(retval);
+ }
+ salt = &defsalt;
+ } else {
+ defsalt.length = 0;
+ }
+
+ /* Get encryption key to be used for checksum and sam_response */
+ if (!(sc2b->sam_flags & KRB5_SAM_USE_SAD_AS_KEY)) {
+ /* as_key = string_to_key(password) */
+
+ if (as_key->length) {
+ krb5_free_keyblock_contents(context, as_key);
+ as_key->length = 0;
+ }
+
+ /* generate a key using the supplied password */
+ retval = krb5_c_string_to_key(context, sc2b->sam_etype,
+ (krb5_data *)gak_data, salt, as_key);
+
+ if (retval) {
+ krb5_free_sam_challenge_2(context, sc2);
+ krb5_free_sam_challenge_2_body(context, sc2b);
+ if (defsalt.length) free(defsalt.data);
+ return(retval);
+ }
+
+ if (!(sc2b->sam_flags & KRB5_SAM_SEND_ENCRYPTED_SAD)) {
+ /* as_key = combine_key (as_key, string_to_key(SAD)) */
+ krb5_keyblock tmp_kb;
+
+ retval = krb5_c_string_to_key(context, sc2b->sam_etype,
+ &response_data, salt, &tmp_kb);
+
+ if (retval) {
+ krb5_free_sam_challenge_2(context, sc2);
+ krb5_free_sam_challenge_2_body(context, sc2b);
+ if (defsalt.length) free(defsalt.data);
+ return(retval);
+ }
+
+ /* This should be a call to the crypto library some day */
+ /* key types should already match the sam_etype */
+ retval = krb5int_c_combine_keys(context, as_key, &tmp_kb, as_key);
+
+ if (retval) {
+ krb5_free_sam_challenge_2(context, sc2);
+ krb5_free_sam_challenge_2_body(context, sc2b);
+ if (defsalt.length) free(defsalt.data);
+ return(retval);
+ }
+ krb5_free_keyblock_contents(context, &tmp_kb);
+ }
+
+ if (defsalt.length)
+ free(defsalt.data);
+
+ } else {
+ /* as_key = string_to_key(SAD) */
+
+ if (as_key->length) {
+ krb5_free_keyblock_contents(context, as_key);
+ as_key->length = 0;
+ }
+
+ /* generate a key using the supplied password */
+ retval = krb5_c_string_to_key(context, sc2b->sam_etype,
+ &response_data, salt, as_key);
+
+ if (defsalt.length)
+ free(defsalt.data);
+
+ if (retval) {
+ krb5_free_sam_challenge_2(context, sc2);
+ krb5_free_sam_challenge_2_body(context, sc2b);
+ return(retval);
+ }
+ }
+
+ /* Now we have a key, verify the checksum on the sam_challenge */
+
+ cksum = sc2->sam_cksum;
+
+ while (*cksum) {
+ /* Check this cksum */
+ retval = krb5_c_verify_checksum(context, as_key,
+ KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM,
+ &sc2->sam_challenge_2_body,
+ *cksum, &valid_cksum);
+ if (retval) {
+ krb5_free_data(context, scratch);
+ krb5_free_sam_challenge_2(context, sc2);
+ krb5_free_sam_challenge_2_body(context, sc2b);
+ return(retval);
+ }
+ if (valid_cksum)
+ break;
+ cksum++;
+ }
+
+ if (!valid_cksum) {
+ krb5_free_sam_challenge_2(context, sc2);
+ krb5_free_sam_challenge_2_body(context, sc2b);
+ /*
+ * Note: We return AP_ERR_BAD_INTEGRITY so upper-level applications
+ * can interpret that as "password incorrect", which is probably
+ * the best error we can return in this situation.
+ */
+ return(KRB5KRB_AP_ERR_BAD_INTEGRITY);
+ }
+
+ /* fill in enc_sam_response_enc_2 */
+ enc_sam_response_enc_2.magic = KV5M_ENC_SAM_RESPONSE_ENC_2;
+ enc_sam_response_enc_2.sam_nonce = sc2b->sam_nonce;
+ if (sc2b->sam_flags & KRB5_SAM_SEND_ENCRYPTED_SAD) {
+ enc_sam_response_enc_2.sam_sad = response_data;
+ } else {
+ enc_sam_response_enc_2.sam_sad.data = NULL;
+ enc_sam_response_enc_2.sam_sad.length = 0;
+ }
+
+ /* encode and encrypt enc_sam_response_enc_2 with as_key */
+ retval = encode_krb5_enc_sam_response_enc_2(&enc_sam_response_enc_2,
+ &scratch);
+ if (retval) {
+ krb5_free_sam_challenge_2(context, sc2);
+ krb5_free_sam_challenge_2_body(context, sc2b);
+ return(retval);
+ }
+
+ /* Fill in sam_response_2 */
+ memset(&sr2, 0, sizeof(sr2));
+ sr2.sam_type = sc2b->sam_type;
+ sr2.sam_flags = sc2b->sam_flags;
+ sr2.sam_track_id = sc2b->sam_track_id;
+ sr2.sam_nonce = sc2b->sam_nonce;
+
+ /* Now take care of sr2.sam_enc_nonce_or_sad by encrypting encoded */
+ /* enc_sam_response_enc_2 from above */
+
+ retval = krb5_c_encrypt_length(context, as_key->enctype, scratch->length,
+ &ciph_len);
+ if (retval) {
+ krb5_free_sam_challenge_2(context, sc2);
+ krb5_free_sam_challenge_2_body(context, sc2b);
+ krb5_free_data(context, scratch);
+ return(retval);
+ }
+ sr2.sam_enc_nonce_or_sad.ciphertext.length = ciph_len;
+
+ sr2.sam_enc_nonce_or_sad.ciphertext.data =
+ (char *)malloc(sr2.sam_enc_nonce_or_sad.ciphertext.length);
+
+ if (!sr2.sam_enc_nonce_or_sad.ciphertext.data) {
+ krb5_free_sam_challenge_2(context, sc2);
+ krb5_free_sam_challenge_2_body(context, sc2b);
+ krb5_free_data(context, scratch);
+ return(ENOMEM);
+ }
+
+ retval = krb5_c_encrypt(context, as_key, KRB5_KEYUSAGE_PA_SAM_RESPONSE,
+ NULL, scratch, &sr2.sam_enc_nonce_or_sad);
+ if (retval) {
+ krb5_free_sam_challenge_2(context, sc2);
+ krb5_free_sam_challenge_2_body(context, sc2b);
+ krb5_free_data(context, scratch);
+ krb5_free_data_contents(context, &sr2.sam_enc_nonce_or_sad.ciphertext);
+ return(retval);
+ }
+ krb5_free_data(context, scratch);
+ scratch = NULL;
+
+ /* Encode the sam_response_2 */
+ retval = encode_krb5_sam_response_2(&sr2, &scratch);
+ krb5_free_sam_challenge_2(context, sc2);
+ krb5_free_sam_challenge_2_body(context, sc2b);
+ krb5_free_data_contents(context, &sr2.sam_enc_nonce_or_sad.ciphertext);
+
+ if (retval) {
+ return (retval);
+ }
+
+ /* Almost there, just need to make padata ! */
+ sam_padata = malloc(sizeof(krb5_pa_data));
+ if (sam_padata == NULL) {
+ krb5_free_data(context, scratch);
+ return(ENOMEM);
+ }
+
+ sam_padata->magic = KV5M_PA_DATA;
+ sam_padata->pa_type = KRB5_PADATA_SAM_RESPONSE_2;
+ sam_padata->length = scratch->length;
+ sam_padata->contents = (krb5_octet *) scratch->data;
+ free(scratch);
+
+ *out_padata = sam_padata;
+
+ return(0);
}
static krb5_error_code pa_s4u_x509_user(
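Review bot: In pa_sam_2, the `if (retval)` branch after `krb5int_c_combine_keys(context, as_key, &tmp_kb, as_key)` returns without releasing `tmp_kb`, so the keyblock derived from the user's SAD stays allocated on that path. The success path does call `krb5_free_keyblock_contents(context, &tmp_kb);`, and making that same call the first statement of the failure branch closes the leak of key material. Separately, `response[100]` receives the typed passcode from the prompter and no return path in the function clears it. A comment such as `/* response[] holds the SAD; wipe before every return */`, together with a wipe the compiler cannot elide, would be worth adding. Both behaviours predate this reindentation and are unchanged by it.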
@@ -1728,32 +1729,32 @@ static krb5_error_code pa_s4u_x509_user(
*out_padata = NULL;
if (userid == NULL)
- return EINVAL;
+ return EINVAL;
code = krb5_copy_principal(context, request->client, &client);
if (code != 0)
- return code;
+ return code;
if (userid->user != NULL)
- krb5_free_principal(context, userid->user);
+ krb5_free_principal(context, userid->user);
userid->user = client;
if (userid->subject_cert.length != 0) {
- s4u_padata = malloc(sizeof(*s4u_padata));
- if (s4u_padata == NULL)
- return ENOMEM;
+ s4u_padata = malloc(sizeof(*s4u_padata));
+ if (s4u_padata == NULL)
+ return ENOMEM;
- s4u_padata->magic = KV5M_PA_DATA;
- s4u_padata->pa_type = KRB5_PADATA_S4U_X509_USER;
- s4u_padata->contents = malloc(userid->subject_cert.length);
- if (s4u_padata->contents == NULL) {
- free(s4u_padata);
- return ENOMEM;
- }
- memcpy(s4u_padata->contents, userid->subject_cert.data, userid->subject_cert.length);
- s4u_padata->length = userid->subject_cert.length;
+ s4u_padata->magic = KV5M_PA_DATA;
+ s4u_padata->pa_type = KRB5_PADATA_S4U_X509_USER;
+ s4u_padata->contents = malloc(userid->subject_cert.length);
+ if (s4u_padata->contents == NULL) {
+ free(s4u_padata);
+ return ENOMEM;
+ }
+ memcpy(s4u_padata->contents, userid->subject_cert.data, userid->subject_cert.length);
+ s4u_padata->length = userid->subject_cert.length;
- *out_padata = s4u_padata;
+ *out_padata = s4u_padata;
}
return 0;
@@ -1762,56 +1763,56 @@ static krb5_error_code pa_s4u_x509_user(
/* FIXME - order significant? */
static const pa_types_t pa_types[] = {
{
- KRB5_PADATA_PW_SALT,
- pa_salt,
- PA_INFO,
+ KRB5_PADATA_PW_SALT,
+ pa_salt,
+ PA_INFO,
},
{
- KRB5_PADATA_AFS3_SALT,
- pa_salt,
- PA_INFO,
+ KRB5_PADATA_AFS3_SALT,
+ pa_salt,
+ PA_INFO,
},
#if APPLE_PKINIT
{
- KRB5_PADATA_PK_AS_REQ,
- pa_pkinit_gen_req,
- PA_INFO,
+ KRB5_PADATA_PK_AS_REQ,
+ pa_pkinit_gen_req,
+ PA_INFO,
},
{
- KRB5_PADATA_PK_AS_REP,
- pa_pkinit_parse_rep,
- PA_REAL,
+ KRB5_PADATA_PK_AS_REP,
+ pa_pkinit_parse_rep,
+ PA_REAL,
},
#endif /* APPLE_PKINIT */
{
- KRB5_PADATA_ENC_TIMESTAMP,
- pa_enc_timestamp,
- PA_REAL,
+ KRB5_PADATA_ENC_TIMESTAMP,
+ pa_enc_timestamp,
+ PA_REAL,
},
{
- KRB5_PADATA_SAM_CHALLENGE_2,
- pa_sam_2,
- PA_REAL,
+ KRB5_PADATA_SAM_CHALLENGE_2,
+ pa_sam_2,
+ PA_REAL,
},
{
- KRB5_PADATA_SAM_CHALLENGE,
- pa_sam,
- PA_REAL,
+ KRB5_PADATA_SAM_CHALLENGE,
+ pa_sam,
+ PA_REAL,
},
{
- KRB5_PADATA_FX_COOKIE,
- pa_fx_cookie,
- PA_INFO,
+ KRB5_PADATA_FX_COOKIE,
+ pa_fx_cookie,
+ PA_INFO,
},
{
- KRB5_PADATA_S4U_X509_USER,
- pa_s4u_x509_user,
- PA_INFO,
+ KRB5_PADATA_S4U_X509_USER,
+ pa_s4u_x509_user,
+ PA_INFO,
},
{
- -1,
- NULL,
- 0,
+ -1,
+ NULL,
+ 0,
},
};
@@ -1822,19 +1823,19 @@ static const pa_types_t pa_types[] = {
*/
krb5_error_code KRB5_CALLCONV
krb5_do_preauth_tryagain(krb5_context kcontext,
- krb5_kdc_req *request,
- krb5_data *encoded_request_body,
- krb5_data *encoded_previous_request,
- krb5_pa_data **padata,
- krb5_pa_data ***return_padata,
- krb5_error *err_reply,
- krb5_data *salt, krb5_data *s2kparams,
- krb5_enctype *etype,
- krb5_keyblock *as_key,
- krb5_prompter_fct prompter, void *prompter_data,
- krb5_gic_get_as_key_fct gak_fct, void *gak_data,
- krb5_preauth_client_rock *get_data_rock,
- krb5_gic_opt_ext *opte)
+ krb5_kdc_req *request,
+ krb5_data *encoded_request_body,
+ krb5_data *encoded_previous_request,
+ krb5_pa_data **padata,
+ krb5_pa_data ***return_padata,
+ krb5_error *err_reply,
+ krb5_data *salt, krb5_data *s2kparams,
+ krb5_enctype *etype,
+ krb5_keyblock *as_key,
+ krb5_prompter_fct prompter, void *prompter_data,
+ krb5_gic_get_as_key_fct gak_fct, void *gak_data,
+ krb5_preauth_client_rock *get_data_rock,
+ krb5_gic_opt_ext *opte)
{
krb5_error_code ret;
krb5_pa_data **out_padata;
@@ -1845,65 +1846,65 @@ krb5_do_preauth_tryagain(krb5_context kcontext,
ret = KRB5KRB_ERR_GENERIC;
if (kcontext->preauth_context == NULL) {
- return KRB5KRB_ERR_GENERIC;
+ return KRB5KRB_ERR_GENERIC;
}
context = kcontext->preauth_context;
if (context == NULL) {
- return KRB5KRB_ERR_GENERIC;
+ return KRB5KRB_ERR_GENERIC;
}
for (i = 0; padata[i] != NULL && padata[i]->pa_type != 0; i++) {
- out_padata = NULL;
- for (j = 0; j < context->n_modules; j++) {
- module = &context->modules[j];
- if (module->pa_type != padata[i]->pa_type) {
- continue;
- }
- if (module->client_tryagain == NULL) {
- continue;
- }
- if ((*module->client_tryagain)(kcontext,
- module->plugin_context,
- *module->request_context_pp,
- (krb5_get_init_creds_opt *)opte,
- client_data_proc,
- get_data_rock,
- request,
- encoded_request_body,
- encoded_previous_request,
- padata[i],
- err_reply,
- prompter, prompter_data,
- gak_fct, gak_data, salt, s2kparams,
- as_key,
- &out_padata) == 0) {
- if (out_padata != NULL) {
- int k;
- for (k = 0; out_padata[k] != NULL; k++);
- grow_pa_list(return_padata, &out_pa_list_size,
- out_padata, k);
- free(out_padata);
- return 0;
- }
- }
- }
+ out_padata = NULL;
+ for (j = 0; j < context->n_modules; j++) {
+ module = &context->modules[j];
+ if (module->pa_type != padata[i]->pa_type) {
+ continue;
+ }
+ if (module->client_tryagain == NULL) {
+ continue;
+ }
+ if ((*module->client_tryagain)(kcontext,
+ module->plugin_context,
+ *module->request_context_pp,
+ (krb5_get_init_creds_opt *)opte,
+ client_data_proc,
+ get_data_rock,
+ request,
+ encoded_request_body,
+ encoded_previous_request,
+ padata[i],
+ err_reply,
+ prompter, prompter_data,
+ gak_fct, gak_data, salt, s2kparams,
+ as_key,
+ &out_padata) == 0) {
+ if (out_padata != NULL) {
+ int k;
+ for (k = 0; out_padata[k] != NULL; k++);
+ grow_pa_list(return_padata, &out_pa_list_size,
+ out_padata, k);
+ free(out_padata);
+ return 0;
+ }
+ }
+ }
}
return ret;
}
krb5_error_code KRB5_CALLCONV
krb5_do_preauth(krb5_context context,
- krb5_kdc_req *request,
- krb5_data *encoded_request_body,
- krb5_data *encoded_previous_request,
- krb5_pa_data **in_padata, krb5_pa_data ***out_padata,
- krb5_data *salt, krb5_data *s2kparams,
- krb5_enctype *etype,
- krb5_keyblock *as_key,
- krb5_prompter_fct prompter, void *prompter_data,
- krb5_gic_get_as_key_fct gak_fct, void *gak_data,
- krb5_preauth_client_rock *get_data_rock,
- krb5_gic_opt_ext *opte)
+ krb5_kdc_req *request,
+ krb5_data *encoded_request_body,
+ krb5_data *encoded_previous_request,
+ krb5_pa_data **in_padata, krb5_pa_data ***out_padata,
+ krb5_data *salt, krb5_data *s2kparams,
+ krb5_enctype *etype,
+ krb5_keyblock *as_key,
+ krb5_prompter_fct prompter, void *prompter_data,
+ krb5_gic_get_as_key_fct gak_fct, void *gak_data,
+ krb5_preauth_client_rock *get_data_rock,
+ krb5_gic_opt_ext *opte)
{
unsigned int h;
int i, j, out_pa_list_size;
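Review bot: In krb5_do_preauth_tryagain the result of `grow_pa_list(return_padata, &out_pa_list_size, out_padata, k)` is discarded, after which the function frees `out_padata` and returns 0. A failed list growth would therefore be reported to the caller as success, presumably with `*return_padata` not updated. krb5_do_preauth checks the same helper (`ret = grow_pa_list(...); if (ret != 0) goto cleanup;`), which indicates it can fail. Consider `ret = grow_pa_list(return_padata, &out_pa_list_size, out_padata, k);` followed by `free(out_padata); return ret;`, and decide who frees the individual entries when it fails. The function's declarations and the initialisation of `out_pa_list_size` lie outside this hunk, so confirm them before changing the call.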
@@ -1916,17 +1917,17 @@ krb5_do_preauth(krb5_context context,
int realdone;
if (in_padata == NULL) {
- *out_padata = NULL;
- return(0);
+ *out_padata = NULL;
+ return(0);
}
#ifdef DEBUG
fprintf (stderr, "salt len=%d", (int) salt->length);
if ((int) salt->length > 0)
- fprintf (stderr, " '%.*s'", salt->length, salt->data);
+ fprintf (stderr, " '%.*s'", salt->length, salt->data);
fprintf (stderr, "; preauth data types:");
for (i = 0; in_padata[i]; i++) {
- fprintf (stderr, " %d", in_padata[i]->pa_type);
+ fprintf (stderr, " %d", in_padata[i]->pa_type);
}
fprintf (stderr, "\n");
#endif
@@ -1937,202 +1938,202 @@ krb5_do_preauth(krb5_context context,
/* first do all the informational preauths, then the first real one */
for (h=0; h<(sizeof(paorder)/sizeof(paorder[0])); h++) {
- realdone = 0;
- for (i=0; in_padata[i] && !realdone; i++) {
- int k, l, etype_found, valid_etype_found;
- /*
- * This is really gross, but is necessary to prevent
- * lossage when talking to a 1.0.x KDC, which returns an
- * erroneous PA-PW-SALT when it returns a KRB-ERROR
- * requiring additional preauth.
- */
- switch (in_padata[i]->pa_type) {
- case KRB5_PADATA_ETYPE_INFO:
- case KRB5_PADATA_ETYPE_INFO2:
- {
- krb5_preauthtype pa_type = in_padata[i]->pa_type;
- if (etype_info) {
- if (seen_etype_info2 || pa_type != KRB5_PADATA_ETYPE_INFO2)
- continue;
- if (pa_type == KRB5_PADATA_ETYPE_INFO2) {
- krb5_free_etype_info( context, etype_info);
- etype_info = NULL;
- }
- }
-
- scratch.length = in_padata[i]->length;
- scratch.data = (char *) in_padata[i]->contents;
- if (pa_type == KRB5_PADATA_ETYPE_INFO2) {
- seen_etype_info2++;
- ret = decode_krb5_etype_info2(&scratch, &etype_info);
- }
- else ret = decode_krb5_etype_info(&scratch, &etype_info);
- if (ret) {
- ret = 0; /*Ignore error and etype_info element*/
- if (etype_info)
- krb5_free_etype_info( context, etype_info);
- etype_info = NULL;
- continue;
- }
- if (etype_info[0] == NULL) {
- krb5_free_etype_info(context, etype_info);
- etype_info = NULL;
- break;
- }
- /*
- * Select first etype in our request which is also in
- * etype-info (preferring client request ktype order).
- */
- for (etype_found = 0, valid_etype_found = 0, k = 0;
- !etype_found && k < request->nktypes; k++) {
- for (l = 0; etype_info[l]; l++) {
- if (etype_info[l]->etype == request->ktype[k]) {
- etype_found++;
- break;
- }
- /* check if program has support for this etype for more
- * precise error reporting.
- */
- if (krb5_c_valid_enctype(etype_info[l]->etype))
- valid_etype_found++;
- }
- }
- if (!etype_found) {
- if (valid_etype_found) {
- /* supported enctype but not requested */
- ret = KRB5_CONFIG_ETYPE_NOSUPP;
- goto cleanup;
- }
- else {
- /* unsupported enctype */
- ret = KRB5_PROG_ETYPE_NOSUPP;
- goto cleanup;
- }
-
- }
- scratch.data = (char *) etype_info[l]->salt;
- scratch.length = etype_info[l]->length;
- krb5_free_data_contents(context, salt);
- if (scratch.length == KRB5_ETYPE_NO_SALT)
- salt->data = NULL;
- else
- if ((ret = krb5int_copy_data_contents( context, &scratch, salt)) != 0)
- goto cleanup;
- *etype = etype_info[l]->etype;
- krb5_free_data_contents(context, s2kparams);
- if ((ret = krb5int_copy_data_contents(context,
- &etype_info[l]->s2kparams,
- s2kparams)) != 0)
- goto cleanup;
+ realdone = 0;
+ for (i=0; in_padata[i] && !realdone; i++) {
+ int k, l, etype_found, valid_etype_found;
+ /*
+ * This is really gross, but is necessary to prevent
+ * lossage when talking to a 1.0.x KDC, which returns an
+ * erroneous PA-PW-SALT when it returns a KRB-ERROR
+ * requiring additional preauth.
+ */
+ switch (in_padata[i]->pa_type) {
+ case KRB5_PADATA_ETYPE_INFO:
+ case KRB5_PADATA_ETYPE_INFO2:
+ {
+ krb5_preauthtype pa_type = in_padata[i]->pa_type;
+ if (etype_info) {
+ if (seen_etype_info2 || pa_type != KRB5_PADATA_ETYPE_INFO2)
+ continue;
+ if (pa_type == KRB5_PADATA_ETYPE_INFO2) {
+ krb5_free_etype_info( context, etype_info);
+ etype_info = NULL;
+ }
+ }
+
+ scratch.length = in_padata[i]->length;
+ scratch.data = (char *) in_padata[i]->contents;
+ if (pa_type == KRB5_PADATA_ETYPE_INFO2) {
+ seen_etype_info2++;
+ ret = decode_krb5_etype_info2(&scratch, &etype_info);
+ }
+ else ret = decode_krb5_etype_info(&scratch, &etype_info);
+ if (ret) {
+ ret = 0; /*Ignore error and etype_info element*/
+ if (etype_info)
+ krb5_free_etype_info( context, etype_info);
+ etype_info = NULL;
+ continue;
+ }
+ if (etype_info[0] == NULL) {
+ krb5_free_etype_info(context, etype_info);
+ etype_info = NULL;
+ break;
+ }
+ /*
+ * Select first etype in our request which is also in
+ * etype-info (preferring client request ktype order).
+ */
+ for (etype_found = 0, valid_etype_found = 0, k = 0;
+ !etype_found && k < request->nktypes; k++) {
+ for (l = 0; etype_info[l]; l++) {
+ if (etype_info[l]->etype == request->ktype[k]) {
+ etype_found++;
+ break;
+ }
+ /* check if program has support for this etype for more
+ * precise error reporting.
+ */
+ if (krb5_c_valid_enctype(etype_info[l]->etype))
+ valid_etype_found++;
+ }
+ }
+ if (!etype_found) {
+ if (valid_etype_found) {
+ /* supported enctype but not requested */
+ ret = KRB5_CONFIG_ETYPE_NOSUPP;
+ goto cleanup;
+ }
+ else {
+ /* unsupported enctype */
+ ret = KRB5_PROG_ETYPE_NOSUPP;
+ goto cleanup;
+ }
+
+ }
+ scratch.data = (char *) etype_info[l]->salt;
+ scratch.length = etype_info[l]->length;
+ krb5_free_data_contents(context, salt);
+ if (scratch.length == KRB5_ETYPE_NO_SALT)
+ salt->data = NULL;
+ else
+ if ((ret = krb5int_copy_data_contents( context, &scratch, salt)) != 0)
+ goto cleanup;
+ *etype = etype_info[l]->etype;
+ krb5_free_data_contents(context, s2kparams);
+ if ((ret = krb5int_copy_data_contents(context,
+ &etype_info[l]->s2kparams,
+ s2kparams)) != 0)
+ goto cleanup;
#ifdef DEBUG
- for (j = 0; etype_info[j]; j++) {
- krb5_etype_info_entry *e = etype_info[j];
- fprintf (stderr, "etype info %d: etype %d salt len=%d",
- j, e->etype, e->length);
- if (e->length > 0 && e->length != KRB5_ETYPE_NO_SALT)
- fprintf (stderr, " '%.*s'", e->length, e->salt);
- fprintf (stderr, "\n");
- }
+ for (j = 0; etype_info[j]; j++) {
+ krb5_etype_info_entry *e = etype_info[j];
+ fprintf (stderr, "etype info %d: etype %d salt len=%d",
+ j, e->etype, e->length);
+ if (e->length > 0 && e->length != KRB5_ETYPE_NO_SALT)
+ fprintf (stderr, " '%.*s'", e->length, e->salt);
+ fprintf (stderr, "\n");
+ }
#endif
- break;
- }
- case KRB5_PADATA_PW_SALT:
- case KRB5_PADATA_AFS3_SALT:
- if (etype_info)
- continue;
- break;
- default:
- ;
- }
- /* Try the internally-provided preauth type list. */
- if (!realdone) for (j=0; pa_types[j].type >= 0; j++) {
- if ((in_padata[i]->pa_type == pa_types[j].type) &&
- (pa_types[j].flags & paorder[h])) {
+ break;
+ }
+ case KRB5_PADATA_PW_SALT:
+ case KRB5_PADATA_AFS3_SALT:
+ if (etype_info)
+ continue;
+ break;
+ default:
+ ;
+ }
+ /* Try the internally-provided preauth type list. */
+ if (!realdone) for (j=0; pa_types[j].type >= 0; j++) {
+ if ((in_padata[i]->pa_type == pa_types[j].type) &&
+ (pa_types[j].flags & paorder[h])) {
#ifdef DEBUG
- fprintf (stderr, "calling internal function for pa_type "
- "%d, flag %d\n", pa_types[j].type, paorder[h]);
+ fprintf (stderr, "calling internal function for pa_type "
+ "%d, flag %d\n", pa_types[j].type, paorder[h]);
#endif
- out_pa = NULL;
-
- if ((ret = ((*pa_types[j].fct)(context, request,
- in_padata[i], &out_pa,
- salt, s2kparams, etype, as_key,
- prompter, prompter_data,
- gak_fct, gak_data)))) {
- if (paorder[h] == PA_INFO) {
+ out_pa = NULL;
+
+ if ((ret = ((*pa_types[j].fct)(context, request,
+ in_padata[i], &out_pa,
+ salt, s2kparams, etype, as_key,
+ prompter, prompter_data,
+ gak_fct, gak_data)))) {
+ if (paorder[h] == PA_INFO) {
#ifdef DEBUG
- fprintf (stderr,
- "internal function for type %d, flag %d "
- "failed with err %d\n",
- in_padata[i]->pa_type, paorder[h], ret);
+ fprintf (stderr,
+ "internal function for type %d, flag %d "
+ "failed with err %d\n",
+ in_padata[i]->pa_type, paorder[h], ret);
#endif
- ret = 0;
- continue; /* PA_INFO type failed, ignore */
+ ret = 0;
+ continue; /* PA_INFO type failed, ignore */
+ }
+
+ goto cleanup;
}
-
- goto cleanup;
- }
-
- ret = grow_pa_list(&out_pa_list, &out_pa_list_size,
- &out_pa, 1);
- if (ret != 0) {
- goto cleanup;
- }
- if (paorder[h] == PA_REAL)
- realdone = 1;
- }
- }
-
- /* Try to use plugins now. */
- if (!realdone) {
- krb5_init_preauth_context(context);
- if (context->preauth_context != NULL) {
- int module_ret = 0, module_flags;
+
+ ret = grow_pa_list(&out_pa_list, &out_pa_list_size,
+ &out_pa, 1);
+ if (ret != 0) {
+ goto cleanup;
+ }
+ if (paorder[h] == PA_REAL)
+ realdone = 1;
+ }
+ }
+
+ /* Try to use plugins now. */
+ if (!realdone) {
+ krb5_init_preauth_context(context);
+ if (context->preauth_context != NULL) {
+ int module_ret = 0, module_flags;
#ifdef DEBUG
- fprintf (stderr, "trying modules for pa_type %d, flag %d\n",
- in_padata[i]->pa_type, paorder[h]);
+ fprintf (stderr, "trying modules for pa_type %d, flag %d\n",
+ in_padata[i]->pa_type, paorder[h]);
#endif
- ret = krb5_run_preauth_plugins(context,
- paorder[h],
- request,
- encoded_request_body,
- encoded_previous_request,
- in_padata[i],
- prompter,
- prompter_data,
- gak_fct,
- salt, s2kparams,
- gak_data,
- get_data_rock,
- as_key,
- &out_pa_list,
- &out_pa_list_size,
- &module_ret,
- &module_flags,
- opte);
- if (ret == 0) {
- if (module_ret == 0) {
- if (paorder[h] == PA_REAL) {
- realdone = 1;
- }
- }
- }
- }
- }
- }
+ ret = krb5_run_preauth_plugins(context,
+ paorder[h],
+ request,
+ encoded_request_body,
+ encoded_previous_request,
+ in_padata[i],
+ prompter,
+ prompter_data,
+ gak_fct,
+ salt, s2kparams,
+ gak_data,
+ get_data_rock,
+ as_key,
+ &out_pa_list,
+ &out_pa_list_size,
+ &module_ret,
+ &module_flags,
+ opte);
+ if (ret == 0) {
+ if (module_ret == 0) {
+ if (paorder[h] == PA_REAL) {
+ realdone = 1;
+ }
+ }
+ }
+ }
+ }
+ }
}
*out_padata = out_pa_list;
if (etype_info)
- krb5_free_etype_info(context, etype_info);
-
+ krb5_free_etype_info(context, etype_info);
+
return(0);
- cleanup:
+cleanup:
if (out_pa_list) {
- out_pa_list[out_pa_list_size++] = NULL;
- krb5_free_pa_data(context, out_pa_list);
+ out_pa_list[out_pa_list_size++] = NULL;
+ krb5_free_pa_data(context, out_pa_list);
}
if (etype_info)
- krb5_free_etype_info(context, etype_info);
+ krb5_free_etype_info(context, etype_info);
return (ret);
}
diff --git a/src/lib/krb5/krb/princ_comp.c b/src/lib/krb5/krb/princ_comp.c
index 367c11e3da..3565f2c821 100644
--- a/src/lib/krb5/krb/princ_comp.c
+++ b/src/lib/krb5/krb/princ_comp.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/princ_comp.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* compare two principals, returning a krb5_boolean true if equal, false if
* not.
@@ -33,19 +34,19 @@
static krb5_boolean
realm_compare_flags(krb5_context context,
- krb5_const_principal princ1,
- krb5_const_principal princ2,
- int flags)
+ krb5_const_principal princ1,
+ krb5_const_principal princ2,
+ int flags)
{
const krb5_data *realm1 = krb5_princ_realm(context, princ1);
const krb5_data *realm2 = krb5_princ_realm(context, princ2);
if (realm1->length != realm2->length)
- return FALSE;
+ return FALSE;
return (flags & KRB5_PRINCIPAL_COMPARE_CASEFOLD) ?
- (strncasecmp(realm1->data, realm2->data, realm2->length) == 0) :
- (memcmp(realm1->data, realm2->data, realm2->length) == 0);
+ (strncasecmp(realm1->data, realm2->data, realm2->length) == 0) :
+ (memcmp(realm1->data, realm2->data, realm2->length) == 0);
}
krb5_boolean KRB5_CALLCONV
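Review bot: In `realm_compare_flags` the CASEFOLD branch compares counted `krb5_data` buffers with `strncasecmp`, which stops at the first NUL byte and follows the current locale. Two realms of equal length that agree only up to an embedded NUL therefore compare equal here, while the `memcmp` branch would reject them. The same call handles the non-UTF-8 casefold path for components in `krb5_principal_compare_flags`, later in this file's diff. A length-bounded, byte-wise ASCII fold that does not treat NUL as a terminator closes the gap; a sketch follows, with a helper name invented for the sketch. The commit only reindents these lines, so the behaviour predates it.

```c
/* Length-bounded ASCII case-insensitive compare; NUL is an ordinary byte. */
static krb5_boolean
data_eq_casefold(const krb5_data *d1, const krb5_data *d2)
{
    unsigned int i;

    if (d1->length != d2->length)
        return FALSE;
    for (i = 0; i < d1->length; i++) {
        unsigned char c1 = (unsigned char)d1->data[i];
        unsigned char c2 = (unsigned char)d2->data[i];

        if (c1 >= 'A' && c1 <= 'Z')
            c1 += 'a' - 'A';
        if (c2 >= 'A' && c2 <= 'Z')
            c2 += 'a' - 'A';
        if (c1 != c2)
            return FALSE;
    }
    return TRUE;
}

/* ... unchanged: realm_compare_flags signature, realm lookups, length check ... */
    return (flags & KRB5_PRINCIPAL_COMPARE_CASEFOLD) ?
        data_eq_casefold(realm1, realm2) :
        (memcmp(realm1->data, realm2->data, realm2->length) == 0);
```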
@@ -56,18 +57,18 @@ krb5_realm_compare(krb5_context context, krb5_const_principal princ1, krb5_const
static krb5_error_code
upn_to_principal(krb5_context context,
- krb5_const_principal princ,
- krb5_principal *upn)
+ krb5_const_principal princ,
+ krb5_principal *upn)
{
char *unparsed_name;
krb5_error_code code;
code = krb5_unparse_name_flags(context, princ,
- KRB5_PRINCIPAL_UNPARSE_NO_REALM,
- &unparsed_name);
+ KRB5_PRINCIPAL_UNPARSE_NO_REALM,
+ &unparsed_name);
if (code) {
- *upn = NULL;
- return code;
+ *upn = NULL;
+ return code;
}
code = krb5_parse_name(context, unparsed_name, upn);
@@ -79,9 +80,9 @@ upn_to_principal(krb5_context context,
krb5_boolean KRB5_CALLCONV
krb5_principal_compare_flags(krb5_context context,
- krb5_const_principal princ1,
- krb5_const_principal princ2,
- int flags)
+ krb5_const_principal princ1,
+ krb5_const_principal princ2,
+ int flags)
{
register int i;
krb5_int32 nelem;
@@ -92,50 +93,50 @@ krb5_principal_compare_flags(krb5_context context,
krb5_boolean ret = FALSE;
if (flags & KRB5_PRINCIPAL_COMPARE_ENTERPRISE) {
- /* Treat UPNs as if they were real principals */
- if (krb5_princ_type(context, princ1) == KRB5_NT_ENTERPRISE_PRINCIPAL) {
- if (upn_to_principal(context, princ1, &upn1) == 0)
- princ1 = upn1;
- }
- if (krb5_princ_type(context, princ2) == KRB5_NT_ENTERPRISE_PRINCIPAL) {
- if (upn_to_principal(context, princ2, &upn2) == 0)
- princ2 = upn2;
- }
+ /* Treat UPNs as if they were real principals */
+ if (krb5_princ_type(context, princ1) == KRB5_NT_ENTERPRISE_PRINCIPAL) {
+ if (upn_to_principal(context, princ1, &upn1) == 0)
+ princ1 = upn1;
+ }
+ if (krb5_princ_type(context, princ2) == KRB5_NT_ENTERPRISE_PRINCIPAL) {
+ if (upn_to_principal(context, princ2, &upn2) == 0)
+ princ2 = upn2;
+ }
}
nelem = krb5_princ_size(context, princ1);
if (nelem != krb5_princ_size(context, princ2))
- goto out;
+ goto out;
if ((flags & KRB5_PRINCIPAL_COMPARE_IGNORE_REALM) == 0 &&
- !realm_compare_flags(context, princ1, princ2, flags))
- goto out;
+ !realm_compare_flags(context, princ1, princ2, flags))
+ goto out;
for (i = 0; i < (int) nelem; i++) {
- const krb5_data *p1 = krb5_princ_component(context, princ1, i);
- const krb5_data *p2 = krb5_princ_component(context, princ2, i);
- krb5_boolean eq;
-
- if (casefold) {
- if (utf8)
- eq = (krb5int_utf8_normcmp(p1, p2, KRB5_UTF8_CASEFOLD) == 0);
- else
- eq = (p1->length == p2->length
- && strncasecmp(p1->data, p2->data, p2->length) == 0);
- } else
- eq = data_eq(*p1, *p2);
-
- if (!eq)
- goto out;
+ const krb5_data *p1 = krb5_princ_component(context, princ1, i);
+ const krb5_data *p2 = krb5_princ_component(context, princ2, i);
+ krb5_boolean eq;
+
+ if (casefold) {
+ if (utf8)
+ eq = (krb5int_utf8_normcmp(p1, p2, KRB5_UTF8_CASEFOLD) == 0);
+ else
+ eq = (p1->length == p2->length
+ && strncasecmp(p1->data, p2->data, p2->length) == 0);
+ } else
+ eq = data_eq(*p1, *p2);
+
+ if (!eq)
+ goto out;
}
ret = TRUE;
out:
if (upn1 != NULL)
- krb5_free_principal(context, upn1);
+ krb5_free_principal(context, upn1);
if (upn2 != NULL)
- krb5_free_principal(context, upn2);
+ krb5_free_principal(context, upn2);
return ret;
}
@@ -150,7 +151,7 @@ krb5_boolean KRB5_CALLCONV krb5_is_referral_realm(const krb5_data *r)
#ifdef DEBUG_REFERRALS
#if 0
printf("krb5_is_ref_realm: checking <%s> for referralness: %s\n",
- r->data,(r->length==0)?"true":"false");
+ r->data,(r->length==0)?"true":"false");
#endif
#endif
assert(strlen(KRB5_REFERRAL_REALM)==0);
@@ -162,17 +163,16 @@ krb5_boolean KRB5_CALLCONV krb5_is_referral_realm(const krb5_data *r)
krb5_boolean KRB5_CALLCONV
krb5_principal_compare(krb5_context context,
- krb5_const_principal princ1,
- krb5_const_principal princ2)
+ krb5_const_principal princ1,
+ krb5_const_principal princ2)
{
return krb5_principal_compare_flags(context, princ1, princ2, 0);
}
krb5_boolean KRB5_CALLCONV
krb5_principal_compare_any_realm(krb5_context context,
- krb5_const_principal princ1,
- krb5_const_principal princ2)
+ krb5_const_principal princ1,
+ krb5_const_principal princ2)
{
return krb5_principal_compare_flags(context, princ1, princ2, KRB5_PRINCIPAL_COMPARE_IGNORE_REALM);
}
-
diff --git a/src/lib/krb5/krb/rd_cred.c b/src/lib/krb5/krb/rd_cred.c
index a5d00dc4ea..30ce4255f1 100644
--- a/src/lib/krb5/krb/rd_cred.c
+++ b/src/lib/krb5/krb/rd_cred.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
#include "k5-int.h"
#include "cleanup.h"
#include "auth_con.h"
@@ -11,38 +12,38 @@
/*
* decrypt the enc_part of a krb5_cred
*/
-static krb5_error_code
+static krb5_error_code
decrypt_credencdata(krb5_context context, krb5_cred *pcred,
- krb5_key pkey, krb5_cred_enc_part *pcredenc)
+ krb5_key pkey, krb5_cred_enc_part *pcredenc)
{
krb5_cred_enc_part * ppart = NULL;
- krb5_error_code retval;
- krb5_data scratch;
+ krb5_error_code retval;
+ krb5_data scratch;
scratch.length = pcred->enc_part.ciphertext.length;
- if (!(scratch.data = (char *)malloc(scratch.length)))
- return ENOMEM;
+ if (!(scratch.data = (char *)malloc(scratch.length)))
+ return ENOMEM;
if (pkey != NULL) {
- if ((retval = krb5_k_decrypt(context, pkey,
- KRB5_KEYUSAGE_KRB_CRED_ENCPART, 0,
- &pcred->enc_part, &scratch)))
- goto cleanup;
+ if ((retval = krb5_k_decrypt(context, pkey,
+ KRB5_KEYUSAGE_KRB_CRED_ENCPART, 0,
+ &pcred->enc_part, &scratch)))
+ goto cleanup;
} else {
- memcpy(scratch.data, pcred->enc_part.ciphertext.data, scratch.length);
+ memcpy(scratch.data, pcred->enc_part.ciphertext.data, scratch.length);
}
/* now decode the decrypted stuff */
if ((retval = decode_krb5_enc_cred_part(&scratch, &ppart)))
- goto cleanup;
+ goto cleanup;
*pcredenc = *ppart;
retval = 0;
cleanup:
if (ppart != NULL) {
- memset(ppart, 0, sizeof(*ppart));
- free(ppart);
+ memset(ppart, 0, sizeof(*ppart));
+ free(ppart);
}
memset(scratch.data, 0, scratch.length);
free(scratch.data);
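Review bot: Under `cleanup:` the `memset(scratch.data, 0, scratch.length)` directly before `free(scratch.data)` is a dead store that an optimizing compiler may remove. The decrypted KRB-CRED part, whose ticket info carries session keys, can then stay readable in freed heap memory. A wipe that cannot be elided is needed here, for example `explicit_bzero(scratch.data, scratch.length);` where the platform provides it, or a project-wide wrapper with the same guarantee. The same memset-then-free pattern appears at `cleanup_scratch:` in rd_priv.c in this diff. The function's tail lies outside this hunk, and the commit only reindents these lines.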
@@ -51,40 +52,40 @@ cleanup:
}
/*----------------------- krb5_rd_cred_basic -----------------------*/
-static krb5_error_code
+static krb5_error_code
krb5_rd_cred_basic(krb5_context context, krb5_data *pcreddata,
- krb5_key pkey, krb5_replay_data *replaydata,
- krb5_creds ***pppcreds)
+ krb5_key pkey, krb5_replay_data *replaydata,
+ krb5_creds ***pppcreds)
{
krb5_error_code retval;
- krb5_cred * pcred;
- krb5_int32 ncreds;
- krb5_int32 i = 0;
- krb5_cred_enc_part encpart;
+ krb5_cred * pcred;
+ krb5_int32 ncreds;
+ krb5_int32 i = 0;
+ krb5_cred_enc_part encpart;
/* decode cred message */
if ((retval = decode_krb5_cred(pcreddata, &pcred)))
- return retval;
+ return retval;
memset(&encpart, 0, sizeof(encpart));
if ((retval = decrypt_credencdata(context, pcred, pkey, &encpart)))
- goto cleanup_cred;
+ goto cleanup_cred;
replaydata->timestamp = encpart.timestamp;
replaydata->usec = encpart.usec;
replaydata->seq = encpart.nonce;
- /*
- * Allocate the list of creds. The memory is allocated so that
- * krb5_free_tgt_creds can be used to free the list.
- */
+ /*
+ * Allocate the list of creds. The memory is allocated so that
+ * krb5_free_tgt_creds can be used to free the list.
+ */
for (ncreds = 0; pcred->tickets[ncreds]; ncreds++);
-
- if ((*pppcreds =
- (krb5_creds **)malloc((size_t)(sizeof(krb5_creds *) *
- (ncreds + 1)))) == NULL) {
+
+ if ((*pppcreds =
+ (krb5_creds **)malloc((size_t)(sizeof(krb5_creds *) *
+ (ncreds + 1)))) == NULL) {
retval = ENOMEM;
goto cleanup_cred;
}
@@ -95,13 +96,13 @@ krb5_rd_cred_basic(krb5_context context, krb5_data *pcreddata,
* credentials and copy the information.
*/
while (i < ncreds) {
- krb5_cred_info * pinfo;
- krb5_creds * pcur;
- krb5_data * pdata;
+ krb5_cred_info * pinfo;
+ krb5_creds * pcur;
+ krb5_data * pdata;
if ((pcur = (krb5_creds *)calloc(1, sizeof(krb5_creds))) == NULL) {
- retval = ENOMEM;
- goto cleanup;
+ retval = ENOMEM;
+ goto cleanup;
}
(*pppcreds)[i] = pcur;
@@ -109,26 +110,26 @@ krb5_rd_cred_basic(krb5_context context, krb5_data *pcreddata,
pinfo = encpart.ticket_info[i++];
if ((retval = krb5_copy_principal(context, pinfo->client,
- &pcur->client)))
- goto cleanup;
+ &pcur->client)))
+ goto cleanup;
if ((retval = krb5_copy_principal(context, pinfo->server,
- &pcur->server)))
- goto cleanup;
+ &pcur->server)))
+ goto cleanup;
- if ((retval = krb5_copy_keyblock_contents(context, pinfo->session,
- &pcur->keyblock)))
- goto cleanup;
+ if ((retval = krb5_copy_keyblock_contents(context, pinfo->session,
+ &pcur->keyblock)))
+ goto cleanup;
- if ((retval = krb5_copy_addresses(context, pinfo->caddrs,
- &pcur->addresses)))
- goto cleanup;
+ if ((retval = krb5_copy_addresses(context, pinfo->caddrs,
+ &pcur->addresses)))
+ goto cleanup;
if ((retval = encode_krb5_ticket(pcred->tickets[i - 1], &pdata)))
- goto cleanup;
+ goto cleanup;
- pcur->ticket = *pdata;
- free(pdata);
+ pcur->ticket = *pdata;
+ free(pdata);
pcur->is_skey = FALSE;
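Review bot: `pinfo = encpart.ticket_info[i++]` is dereferenced in the next statement (`pinfo->client`) without a NULL check, and the loop bound `ncreds` was computed in the earlier hunk by counting `pcred->tickets`, not `ticket_info`. Unless the decoder guarantees that both lists have the same length (not visible here), a KRB-CRED whose encrypted part lists fewer entries than it has tickets would reach that dereference with the list terminator or a pointer past it. A guard before the dereference would fail closed, for example `if (encpart.ticket_info == NULL || encpart.ticket_info[i] == NULL) { retval = KRB5KRB_AP_ERR_MODIFIED; goto cleanup; }`, with whichever error code the project prefers for malformed messages. The `while` loop starts and ends outside this hunk, and the commit only reindents these lines.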
@@ -146,7 +147,7 @@ krb5_rd_cred_basic(krb5_context context, krb5_data *pcreddata,
cleanup:
if (retval)
- krb5_free_tgt_creds(context, *pppcreds);
+ krb5_free_tgt_creds(context, *pppcreds);
cleanup_cred:
krb5_free_cred(context, pcred);
@@ -163,8 +164,8 @@ cleanup_cred:
*/
krb5_error_code KRB5_CALLCONV
krb5_rd_cred(krb5_context context, krb5_auth_context auth_context,
- krb5_data *pcreddata, krb5_creds ***pppcreds,
- krb5_replay_data *outdata)
+ krb5_data *pcreddata, krb5_creds ***pppcreds,
+ krb5_replay_data *outdata)
{
krb5_error_code retval;
krb5_key key;
@@ -172,16 +173,16 @@ krb5_rd_cred(krb5_context context, krb5_auth_context auth_context,
/* Get key */
if ((key = auth_context->recv_subkey) == NULL)
- key = auth_context->key;
+ key = auth_context->key;
if (((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) ||
- (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
- (outdata == NULL))
+ (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
+ (outdata == NULL))
/* Need a better error */
return KRB5_RC_REQUIRED;
if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) &&
- (auth_context->rcache == NULL))
+ (auth_context->rcache == NULL))
return KRB5_RC_REQUIRED;
@@ -191,12 +192,12 @@ krb5_rd_cred(krb5_context context, krb5_auth_context auth_context,
* that.
*/
if ((retval = krb5_rd_cred_basic(context, pcreddata, key,
- &replaydata, pppcreds))) {
- if ((retval = krb5_rd_cred_basic(context, pcreddata,
- auth_context->key,
- &replaydata, pppcreds))) {
- return retval;
- }
+ &replaydata, pppcreds))) {
+ if ((retval = krb5_rd_cred_basic(context, pcreddata,
+ auth_context->key,
+ &replaydata, pppcreds))) {
+ return retval;
+ }
}
if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) {
@@ -206,7 +207,7 @@ krb5_rd_cred(krb5_context context, krb5_auth_context auth_context,
goto error;
if ((retval = krb5_gen_replay_name(context, auth_context->remote_addr,
- "_forw", &replay.client)))
+ "_forw", &replay.client)))
goto error;
replay.server = ""; /* XXX */
@@ -229,7 +230,7 @@ krb5_rd_cred(krb5_context context, krb5_auth_context auth_context,
}
if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) ||
- (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) {
+ (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) {
outdata->timestamp = replaydata.timestamp;
outdata->usec = replaydata.usec;
outdata->seq = replaydata.seq;
@@ -237,9 +238,8 @@ krb5_rd_cred(krb5_context context, krb5_auth_context auth_context,
error:;
if (retval) {
- krb5_free_tgt_creds(context, *pppcreds);
- *pppcreds = NULL;
+ krb5_free_tgt_creds(context, *pppcreds);
+ *pppcreds = NULL;
}
return retval;
}
-
diff --git a/src/lib/krb5/krb/rd_error.c b/src/lib/krb5/krb/rd_error.c
index 2c617154b0..39d9acdebc 100644
--- a/src/lib/krb5/krb/rd_error.c
+++ b/src/lib/krb5/krb/rd_error.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/rd_error.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_rd_error() routine
*/
@@ -35,16 +36,15 @@
*
* Upon return dec_error will point to allocated storage which the
* caller should free when finished.
- *
+ *
* returns system errors
*/
krb5_error_code KRB5_CALLCONV
krb5_rd_error(krb5_context context, const krb5_data *enc_errbuf,
- krb5_error **dec_error)
+ krb5_error **dec_error)
{
if (!krb5_is_krb_error(enc_errbuf))
- return KRB5KRB_AP_ERR_MSG_TYPE;
+ return KRB5KRB_AP_ERR_MSG_TYPE;
return(decode_krb5_error(enc_errbuf, dec_error));
}
-
diff --git a/src/lib/krb5/krb/rd_priv.c b/src/lib/krb5/krb/rd_priv.c
index 9b84ad87ae..a6c79300c5 100644
--- a/src/lib/krb5/krb/rd_priv.c
+++ b/src/lib/krb5/krb/rd_priv.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/rd_priv.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_rd_priv()
*/
@@ -33,97 +34,97 @@
/*
-Parses a KRB_PRIV message from inbuf, placing the confidential user
-data in *outbuf.
+ Parses a KRB_PRIV message from inbuf, placing the confidential user
+ data in *outbuf.
+
+ key specifies the key to be used for decryption of the message.
-key specifies the key to be used for decryption of the message.
-
-remote_addr and local_addr specify the full
-addresses (host and port) of the sender and receiver.
+ remote_addr and local_addr specify the full
+ addresses (host and port) of the sender and receiver.
-outbuf points to allocated storage which the caller should
-free when finished.
+ outbuf points to allocated storage which the caller should
+ free when finished.
-i_vector is used as an initialization vector for the
-encryption, and if non-NULL its contents are replaced with the last
-block of the encrypted data upon exit.
+ i_vector is used as an initialization vector for the
+ encryption, and if non-NULL its contents are replaced with the last
+ block of the encrypted data upon exit.
-Returns system errors, integrity errors.
+ Returns system errors, integrity errors.
*/
static krb5_error_code
krb5_rd_priv_basic(krb5_context context, const krb5_data *inbuf,
- const krb5_key key, const krb5_address *local_addr,
- const krb5_address *remote_addr, krb5_pointer i_vector,
- krb5_replay_data *replaydata, krb5_data *outbuf)
+ const krb5_key key, const krb5_address *local_addr,
+ const krb5_address *remote_addr, krb5_pointer i_vector,
+ krb5_replay_data *replaydata, krb5_data *outbuf)
{
- krb5_error_code retval;
- krb5_priv * privmsg;
- krb5_data scratch;
+ krb5_error_code retval;
+ krb5_priv * privmsg;
+ krb5_data scratch;
krb5_priv_enc_part * privmsg_enc_part;
- size_t blocksize;
- krb5_data ivdata;
- krb5_enctype enctype;
+ size_t blocksize;
+ krb5_data ivdata;
+ krb5_enctype enctype;
if (!krb5_is_krb_priv(inbuf))
- return KRB5KRB_AP_ERR_MSG_TYPE;
+ return KRB5KRB_AP_ERR_MSG_TYPE;
/* decode private message */
if ((retval = decode_krb5_priv(inbuf, &privmsg)))
- return retval;
-
+ return retval;
+
if (i_vector) {
- enctype = krb5_k_key_enctype(context, key);
- if ((retval = krb5_c_block_size(context, enctype, &blocksize)))
- goto cleanup_privmsg;
+ enctype = krb5_k_key_enctype(context, key);
+ if ((retval = krb5_c_block_size(context, enctype, &blocksize)))
+ goto cleanup_privmsg;
- ivdata.length = blocksize;
- ivdata.data = i_vector;
+ ivdata.length = blocksize;
+ ivdata.data = i_vector;
}
scratch.length = privmsg->enc_part.ciphertext.length;
if (!(scratch.data = malloc(scratch.length))) {
- retval = ENOMEM;
- goto cleanup_privmsg;
+ retval = ENOMEM;
+ goto cleanup_privmsg;
}
if ((retval = krb5_k_decrypt(context, key,
- KRB5_KEYUSAGE_KRB_PRIV_ENCPART,
- i_vector?&ivdata:0,
- &privmsg->enc_part, &scratch)))
- goto cleanup_scratch;
+ KRB5_KEYUSAGE_KRB_PRIV_ENCPART,
+ i_vector?&ivdata:0,
+ &privmsg->enc_part, &scratch)))
+ goto cleanup_scratch;
/* now decode the decrypted stuff */
if ((retval = decode_krb5_enc_priv_part(&scratch, &privmsg_enc_part)))
goto cleanup_scratch;
if (!krb5_address_compare(context,remote_addr,privmsg_enc_part->s_address)){
- retval = KRB5KRB_AP_ERR_BADADDR;
- goto cleanup_data;
+ retval = KRB5KRB_AP_ERR_BADADDR;
+ goto cleanup_data;
}
-
+
if (privmsg_enc_part->r_address) {
- if (local_addr) {
- if (!krb5_address_compare(context, local_addr,
- privmsg_enc_part->r_address)) {
- retval = KRB5KRB_AP_ERR_BADADDR;
- goto cleanup_data;
- }
- } else {
- krb5_address **our_addrs;
-
- if ((retval = krb5_os_localaddr(context, &our_addrs))) {
- goto cleanup_data;
- }
- if (!krb5_address_search(context, privmsg_enc_part->r_address,
- our_addrs)) {
- krb5_free_addresses(context, our_addrs);
- retval = KRB5KRB_AP_ERR_BADADDR;
- goto cleanup_data;
- }
- krb5_free_addresses(context, our_addrs);
- }
+ if (local_addr) {
+ if (!krb5_address_compare(context, local_addr,
+ privmsg_enc_part->r_address)) {
+ retval = KRB5KRB_AP_ERR_BADADDR;
+ goto cleanup_data;
+ }
+ } else {
+ krb5_address **our_addrs;
+
+ if ((retval = krb5_os_localaddr(context, &our_addrs))) {
+ goto cleanup_data;
+ }
+ if (!krb5_address_search(context, privmsg_enc_part->r_address,
+ our_addrs)) {
+ krb5_free_addresses(context, our_addrs);
+ retval = KRB5KRB_AP_ERR_BADADDR;
+ goto cleanup_data;
+ }
+ krb5_free_addresses(context, our_addrs);
+ }
}
replaydata->timestamp = privmsg_enc_part->timestamp;
@@ -136,15 +137,15 @@ krb5_rd_priv_basic(krb5_context context, const krb5_data *inbuf,
cleanup_data:;
if (retval == 0)
- privmsg_enc_part->user_data.data = 0;
+ privmsg_enc_part->user_data.data = 0;
krb5_free_priv_enc_part(context, privmsg_enc_part);
cleanup_scratch:;
- memset(scratch.data, 0, scratch.length);
+ memset(scratch.data, 0, scratch.length);
free(scratch.data);
cleanup_privmsg:;
- free(privmsg->enc_part.ciphertext.data);
+ free(privmsg->enc_part.ciphertext.data);
free(privmsg);
return retval;
@@ -152,116 +153,116 @@ cleanup_privmsg:;
krb5_error_code KRB5_CALLCONV
krb5_rd_priv(krb5_context context, krb5_auth_context auth_context,
- const krb5_data *inbuf, krb5_data *outbuf,
- krb5_replay_data *outdata)
+ const krb5_data *inbuf, krb5_data *outbuf,
+ krb5_replay_data *outdata)
{
- krb5_error_code retval;
+ krb5_error_code retval;
krb5_key key;
- krb5_replay_data replaydata;
+ krb5_replay_data replaydata;
/* Get key */
if ((key = auth_context->recv_subkey) == NULL)
- key = auth_context->key;
+ key = auth_context->key;
if (((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) ||
- (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
- (outdata == NULL))
- /* Need a better error */
- return KRB5_RC_REQUIRED;
+ (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
+ (outdata == NULL))
+ /* Need a better error */
+ return KRB5_RC_REQUIRED;
if (!auth_context->remote_addr)
- return KRB5_REMOTE_ADDR_REQUIRED;
+ return KRB5_REMOTE_ADDR_REQUIRED;
if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) &&
- (auth_context->rcache == NULL))
- return KRB5_RC_REQUIRED;
+ (auth_context->rcache == NULL))
+ return KRB5_RC_REQUIRED;
+
+ {
+ krb5_address * premote_fulladdr;
+ krb5_address * plocal_fulladdr = NULL;
+ krb5_address remote_fulladdr;
+ krb5_address local_fulladdr;
+ CLEANUP_INIT(2);
+
+ if (auth_context->local_addr) {
+ if (auth_context->local_port) {
+ if (!(retval = krb5_make_fulladdr(context, auth_context->local_addr,
+ auth_context->local_port,
+ &local_fulladdr))){
+ CLEANUP_PUSH(local_fulladdr.contents, free);
+ plocal_fulladdr = &local_fulladdr;
+ } else {
+ return retval;
+ }
+ } else {
+ plocal_fulladdr = auth_context->local_addr;
+ }
+ }
-{
- krb5_address * premote_fulladdr;
- krb5_address * plocal_fulladdr = NULL;
- krb5_address remote_fulladdr;
- krb5_address local_fulladdr;
- CLEANUP_INIT(2);
-
- if (auth_context->local_addr) {
- if (auth_context->local_port) {
- if (!(retval = krb5_make_fulladdr(context, auth_context->local_addr,
- auth_context->local_port,
- &local_fulladdr))){
- CLEANUP_PUSH(local_fulladdr.contents, free);
- plocal_fulladdr = &local_fulladdr;
+ if (auth_context->remote_port) {
+ if (!(retval = krb5_make_fulladdr(context,auth_context->remote_addr,
+ auth_context->remote_port,
+ &remote_fulladdr))){
+ CLEANUP_PUSH(remote_fulladdr.contents, free);
+ premote_fulladdr = &remote_fulladdr;
} else {
- return retval;
+ CLEANUP_DONE();
+ return retval;
}
- } else {
- plocal_fulladdr = auth_context->local_addr;
+ } else {
+ premote_fulladdr = auth_context->remote_addr;
}
- }
- if (auth_context->remote_port) {
- if (!(retval = krb5_make_fulladdr(context,auth_context->remote_addr,
- auth_context->remote_port,
- &remote_fulladdr))){
- CLEANUP_PUSH(remote_fulladdr.contents, free);
- premote_fulladdr = &remote_fulladdr;
- } else {
- CLEANUP_DONE();
- return retval;
- }
- } else {
- premote_fulladdr = auth_context->remote_addr;
- }
+ memset(&replaydata, 0, sizeof(replaydata));
+ if ((retval = krb5_rd_priv_basic(context, inbuf, key,
+ plocal_fulladdr,
+ premote_fulladdr,
+ auth_context->i_vector,
+ &replaydata, outbuf))) {
+ CLEANUP_DONE();
+ return retval;
+ }
- memset(&replaydata, 0, sizeof(replaydata));
- if ((retval = krb5_rd_priv_basic(context, inbuf, key,
- plocal_fulladdr,
- premote_fulladdr,
- auth_context->i_vector,
- &replaydata, outbuf))) {
- CLEANUP_DONE();
- return retval;
+ CLEANUP_DONE();
}
- CLEANUP_DONE();
-}
-
if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) {
- krb5_donot_replay replay;
-
- if ((retval = krb5int_check_clockskew(context, replaydata.timestamp)))
- goto error;
-
- if ((retval = krb5_gen_replay_name(context, auth_context->remote_addr,
- "_priv", &replay.client)))
- goto error;
-
- replay.server = ""; /* XXX */
- replay.msghash = NULL;
- replay.cusec = replaydata.usec;
- replay.ctime = replaydata.timestamp;
- if ((retval = krb5_rc_store(context, auth_context->rcache, &replay))) {
- free(replay.client);
- goto error;
- }
- free(replay.client);
+ krb5_donot_replay replay;
+
+ if ((retval = krb5int_check_clockskew(context, replaydata.timestamp)))
+ goto error;
+
+ if ((retval = krb5_gen_replay_name(context, auth_context->remote_addr,
+ "_priv", &replay.client)))
+ goto error;
+
+ replay.server = ""; /* XXX */
+ replay.msghash = NULL;
+ replay.cusec = replaydata.usec;
+ replay.ctime = replaydata.timestamp;
+ if ((retval = krb5_rc_store(context, auth_context->rcache, &replay))) {
+ free(replay.client);
+ goto error;
+ }
+ free(replay.client);
}
if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
- if (!krb5int_auth_con_chkseqnum(context, auth_context,
- replaydata.seq)) {
- retval = KRB5KRB_AP_ERR_BADORDER;
- goto error;
- }
- auth_context->remote_seq_number++;
+ if (!krb5int_auth_con_chkseqnum(context, auth_context,
+ replaydata.seq)) {
+ retval = KRB5KRB_AP_ERR_BADORDER;
+ goto error;
+ }
+ auth_context->remote_seq_number++;
}
if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) ||
- (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) {
- outdata->timestamp = replaydata.timestamp;
- outdata->usec = replaydata.usec;
- outdata->seq = replaydata.seq;
+ (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) {
+ outdata->timestamp = replaydata.timestamp;
+ outdata->usec = replaydata.usec;
+ outdata->seq = replaydata.seq;
}
-
+
/* everything is ok - return data to the user */
return 0;
@@ -272,4 +273,3 @@ error:;
return retval;
}
-
diff --git a/src/lib/krb5/krb/rd_rep.c b/src/lib/krb5/krb/rd_rep.c
index 6e9cb08088..45c9901875 100644
--- a/src/lib/krb5/krb/rd_rep.c
+++ b/src/lib/krb5/krb/rd_rep.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/rd_rep.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_rd_rep()
*/
@@ -59,74 +60,74 @@
/*
* Parses a KRB_AP_REP message, returning its contents.
- *
+ *
* repl is filled in with with a pointer to allocated memory containing
- * the fields from the encrypted response.
- *
+ * the fields from the encrypted response.
+ *
* the key in kblock is used to decrypt the message.
- *
+ *
* returns system errors, encryption errors, replay errors
*/
krb5_error_code KRB5_CALLCONV
krb5_rd_rep(krb5_context context, krb5_auth_context auth_context,
- const krb5_data *inbuf, krb5_ap_rep_enc_part **repl)
+ const krb5_data *inbuf, krb5_ap_rep_enc_part **repl)
{
- krb5_error_code retval;
- krb5_ap_rep *reply = NULL;
+ krb5_error_code retval;
+ krb5_ap_rep *reply = NULL;
krb5_ap_rep_enc_part *enc = NULL;
- krb5_data scratch;
+ krb5_data scratch;
*repl = NULL;
if (!krb5_is_ap_rep(inbuf))
- return KRB5KRB_AP_ERR_MSG_TYPE;
+ return KRB5KRB_AP_ERR_MSG_TYPE;
/* Decode inbuf. */
retval = decode_krb5_ap_rep(inbuf, &reply);
if (retval)
- return retval;
+ return retval;
/* Put together an eblock for this encryption. */
scratch.length = reply->enc_part.ciphertext.length;
scratch.data = malloc(scratch.length);
if (scratch.data == NULL) {
- retval = ENOMEM;
- goto clean_scratch;
+ retval = ENOMEM;
+ goto clean_scratch;
}
retval = krb5_k_decrypt(context, auth_context->key,
- KRB5_KEYUSAGE_AP_REP_ENCPART, 0,
- &reply->enc_part, &scratch);
+ KRB5_KEYUSAGE_AP_REP_ENCPART, 0,
+ &reply->enc_part, &scratch);
if (retval)
- goto clean_scratch;
+ goto clean_scratch;
/* Now decode the decrypted stuff. */
retval = decode_krb5_ap_rep_enc_part(&scratch, &enc);
if (retval)
- goto clean_scratch;
+ goto clean_scratch;
/* Check reply fields. */
if ((enc->ctime != auth_context->authentp->ctime)
- || (enc->cusec != auth_context->authentp->cusec)) {
- retval = KRB5_MUTUAL_FAILED;
- goto clean_scratch;
+ || (enc->cusec != auth_context->authentp->cusec)) {
+ retval = KRB5_MUTUAL_FAILED;
+ goto clean_scratch;
}
/* Set auth subkey. */
if (enc->subkey) {
- retval = krb5_auth_con_setrecvsubkey(context, auth_context,
- enc->subkey);
- if (retval)
- goto clean_scratch;
- retval = krb5_auth_con_setsendsubkey(context, auth_context,
- enc->subkey);
- if (retval) {
- (void) krb5_auth_con_setrecvsubkey(context, auth_context, NULL);
- goto clean_scratch;
- }
- /* Not used for anything yet. */
- auth_context->negotiated_etype = enc->subkey->enctype;
+ retval = krb5_auth_con_setrecvsubkey(context, auth_context,
+ enc->subkey);
+ if (retval)
+ goto clean_scratch;
+ retval = krb5_auth_con_setsendsubkey(context, auth_context,
+ enc->subkey);
+ if (retval) {
+ (void) krb5_auth_con_setrecvsubkey(context, auth_context, NULL);
+ goto clean_scratch;
+ }
+ /* Not used for anything yet. */
+ auth_context->negotiated_etype = enc->subkey->enctype;
}
/* Get remote sequence number. */
@@ -137,7 +138,7 @@ krb5_rd_rep(krb5_context context, krb5_auth_context auth_context,
clean_scratch:
if (scratch.data)
- memset(scratch.data, 0, scratch.length);
+ memset(scratch.data, 0, scratch.length);
free(scratch.data);
krb5_free_ap_rep(context, reply);
krb5_free_ap_rep_enc_part(context, enc);
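Review bot: The `memset(scratch.data, 0, scratch.length)` under `clean_scratch:` is followed directly by `free(scratch.data)`, so a compiler may treat it as a dead store and drop it, leaving the decrypted AP-REP enc-part (which can carry the subkey) in freed heap memory. The same memset-then-free pair sits at `clean_scratch:` in `krb5_rd_rep_dce` in the next hunk. Both should go through a wipe the optimizer cannot elide, for example `explicit_bzero(scratch.data, scratch.length);` where the platform provides it, or the tree's own zeroizing helper if it gives that guarantee. The re-indent carries these lines over unchanged, and the body of krb5_rd_rep begins outside this hunk.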
@@ -146,56 +147,56 @@ clean_scratch:
krb5_error_code KRB5_CALLCONV
krb5_rd_rep_dce(krb5_context context, krb5_auth_context auth_context,
- const krb5_data *inbuf, krb5_ui_4 *nonce)
+ const krb5_data *inbuf, krb5_ui_4 *nonce)
{
- krb5_error_code retval;
- krb5_ap_rep * reply;
- krb5_data scratch;
+ krb5_error_code retval;
+ krb5_ap_rep * reply;
+ krb5_data scratch;
krb5_ap_rep_enc_part *repl = NULL;
if (!krb5_is_ap_rep(inbuf))
- return KRB5KRB_AP_ERR_MSG_TYPE;
+ return KRB5KRB_AP_ERR_MSG_TYPE;
/* decode it */
if ((retval = decode_krb5_ap_rep(inbuf, &reply)))
- return retval;
+ return retval;
/* put together an eblock for this encryption */
scratch.length = reply->enc_part.ciphertext.length;
if (!(scratch.data = malloc(scratch.length))) {
- krb5_free_ap_rep(context, reply);
- return(ENOMEM);
+ krb5_free_ap_rep(context, reply);
+ return(ENOMEM);
}
if ((retval = krb5_k_decrypt(context, auth_context->key,
- KRB5_KEYUSAGE_AP_REP_ENCPART, 0,
- &reply->enc_part, &scratch)))
- goto clean_scratch;
+ KRB5_KEYUSAGE_AP_REP_ENCPART, 0,
+ &reply->enc_part, &scratch)))
+ goto clean_scratch;
/* now decode the decrypted stuff */
retval = decode_krb5_ap_rep_enc_part(&scratch, &repl);
if (retval)
- goto clean_scratch;
+ goto clean_scratch;
*nonce = repl->seq_number;
if (*nonce != auth_context->local_seq_number) {
- retval = KRB5_MUTUAL_FAILED;
- goto clean_scratch;
+ retval = KRB5_MUTUAL_FAILED;
+ goto clean_scratch;
}
/* Must be NULL to prevent echoing for client AP-REP */
if (repl->subkey != NULL) {
- retval = KRB5_MUTUAL_FAILED;
- goto clean_scratch;
+ retval = KRB5_MUTUAL_FAILED;
+ goto clean_scratch;
}
clean_scratch:
- memset(scratch.data, 0, scratch.length);
+ memset(scratch.data, 0, scratch.length);
if (repl != NULL)
- krb5_free_ap_rep_enc_part(context, repl);
+ krb5_free_ap_rep_enc_part(context, repl);
krb5_free_ap_rep(context, reply);
free(scratch.data);
return retval;
diff --git a/src/lib/krb5/krb/rd_req.c b/src/lib/krb5/krb/rd_req.c
index 50c3a90111..4e12e5b36f 100644
--- a/src/lib/krb5/krb/rd_req.c
+++ b/src/lib/krb5/krb/rd_req.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/rd_req.c
*
@@ -47,33 +48,33 @@
krb5_error_code KRB5_CALLCONV
krb5_rd_req(krb5_context context, krb5_auth_context *auth_context,
- const krb5_data *inbuf, krb5_const_principal server,
- krb5_keytab keytab, krb5_flags *ap_req_options,
- krb5_ticket **ticket)
+ const krb5_data *inbuf, krb5_const_principal server,
+ krb5_keytab keytab, krb5_flags *ap_req_options,
+ krb5_ticket **ticket)
{
- krb5_error_code retval;
- krb5_ap_req * request;
- krb5_auth_context new_auth_context;
+ krb5_error_code retval;
+ krb5_ap_req * request;
+ krb5_auth_context new_auth_context;
krb5_keytab new_keytab = NULL;
if (!krb5_is_ap_req(inbuf))
- return KRB5KRB_AP_ERR_MSG_TYPE;
+ return KRB5KRB_AP_ERR_MSG_TYPE;
#ifndef LEAN_CLIENT
if ((retval = decode_krb5_ap_req(inbuf, &request))) {
- switch (retval) {
- case KRB5_BADMSGTYPE:
- return KRB5KRB_AP_ERR_BADVERSION;
- default:
- return(retval);
- }
+ switch (retval) {
+ case KRB5_BADMSGTYPE:
+ return KRB5KRB_AP_ERR_BADVERSION;
+ default:
+ return(retval);
+ }
}
#endif /* LEAN_CLIENT */
/* Get an auth context if necessary. */
new_auth_context = NULL;
if (*auth_context == NULL) {
- if ((retval = krb5_auth_con_init(context, &new_auth_context)))
- goto cleanup_request;
+ if ((retval = krb5_auth_con_init(context, &new_auth_context)))
+ goto cleanup_request;
*auth_context = new_auth_context;
}
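Review bot: `request` is declared without an initializer and is assigned only by `decode_krb5_ap_req()` inside the `#ifndef LEAN_CLIENT` block, so a LEAN_CLIENT build reaches `goto cleanup_request`, and the later `krb5_rd_req_decoded` call, with an indeterminate pointer that `krb5_free_ap_req` then receives. Declaring it as `krb5_ap_req *request = NULL;` and returning an error when the decode is compiled out would make that configuration fail closed. Whether krb5_rd_req is ever linked into a LEAN_CLIENT build is not visible here, and the function continues in the following hunks.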
@@ -81,14 +82,14 @@ krb5_rd_req(krb5_context context, krb5_auth_context *auth_context,
#ifndef LEAN_CLIENT
/* Get a keytab if necessary. */
if (keytab == NULL) {
- if ((retval = krb5_kt_default(context, &new_keytab)))
- goto cleanup_auth_context;
- keytab = new_keytab;
+ if ((retval = krb5_kt_default(context, &new_keytab)))
+ goto cleanup_auth_context;
+ keytab = new_keytab;
}
#endif /* LEAN_CLIENT */
retval = krb5_rd_req_decoded(context, auth_context, request, server,
- keytab, ap_req_options, ticket);
+ keytab, ap_req_options, ticket);
#ifndef LEAN_CLIENT
if (new_keytab != NULL)
@@ -97,12 +98,11 @@ krb5_rd_req(krb5_context context, krb5_auth_context *auth_context,
cleanup_auth_context:
if (new_auth_context && retval) {
- krb5_auth_con_free(context, new_auth_context);
- *auth_context = NULL;
+ krb5_auth_con_free(context, new_auth_context);
+ *auth_context = NULL;
}
cleanup_request:
krb5_free_ap_req(context, request);
return retval;
}
-
diff --git a/src/lib/krb5/krb/rd_req_dec.c b/src/lib/krb5/krb/rd_req_dec.c
index 8516c7e43f..adfa4de66a 100644
--- a/src/lib/krb5/krb/rd_req_dec.c
+++ b/src/lib/krb5/krb/rd_req_dec.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/rd_req_dec.c
*
@@ -9,7 +10,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -24,7 +25,7 @@
* CyberSAFE Corporation make any representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_rd_req_decoded()
*/
@@ -40,43 +41,43 @@
*/
/*
* Parses a KRB_AP_REQ message, returning its contents.
- *
+ *
* server specifies the expected server's name for the ticket; if NULL, then
* any server will be accepted if the key can be found, and the caller should
* verify that the principal is something it trusts.
- *
+ *
* rcache specifies a replay detection cache used to store authenticators and
* server names
- *
+ *
* keyproc specifies a procedure to generate a decryption key for the
* ticket. If keyproc is non-NULL, keyprocarg is passed to it, and the result
* used as a decryption key. If keyproc is NULL, then fetchfrom is checked;
* if it is non-NULL, it specifies a parameter name from which to retrieve the
* decryption key. If fetchfrom is NULL, then the default key store is
* consulted.
- *
+ *
* authdat is set to point at allocated storage structures; the caller
- * should free them when finished.
- *
+ * should free them when finished.
+ *
* returns system errors, encryption errors, replay errors
*/
static krb5_error_code decrypt_authenticator
- (krb5_context, const krb5_ap_req *, krb5_authenticator **,
- int);
+(krb5_context, const krb5_ap_req *, krb5_authenticator **,
+ int);
static krb5_error_code
decode_etype_list(krb5_context context,
- const krb5_authenticator *authp,
- krb5_enctype **desired_etypes,
- int *desired_etypes_len);
+ const krb5_authenticator *authp,
+ krb5_enctype **desired_etypes,
+ int *desired_etypes_len);
static krb5_error_code
negotiate_etype(krb5_context context,
- const krb5_enctype *desired_etypes,
- int desired_etypes_len,
- int mandatory_etypes_index,
- const krb5_enctype *permitted_etypes,
- int permitted_etypes_len,
- krb5_enctype *negotiated_etype);
+ const krb5_enctype *desired_etypes,
+ int desired_etypes_len,
+ int mandatory_etypes_index,
+ const krb5_enctype *permitted_etypes,
+ int permitted_etypes_len,
+ krb5_enctype *negotiated_etype);
krb5_error_code
krb5int_check_clockskew(krb5_context context, krb5_timestamp date)
@@ -86,86 +87,86 @@ krb5int_check_clockskew(krb5_context context, krb5_timestamp date)
retval = krb5_timeofday(context, &currenttime);
if (retval)
- return retval;
+ return retval;
if (!(labs((date)-currenttime) < context->clockskew))
- return KRB5KRB_AP_ERR_SKEW;
+ return KRB5KRB_AP_ERR_SKEW;
return 0;
}
static krb5_error_code
krb5_rd_req_decrypt_tkt_part(krb5_context context, const krb5_ap_req *req,
- krb5_const_principal server, krb5_keytab keytab,
- krb5_keyblock *key)
+ krb5_const_principal server, krb5_keytab keytab,
+ krb5_keyblock *key)
{
- krb5_error_code retval;
- krb5_keytab_entry ktent;
+ krb5_error_code retval;
+ krb5_keytab_entry ktent;
retval = KRB5_KT_NOTFOUND;
-#ifndef LEAN_CLIENT
+#ifndef LEAN_CLIENT
if (server != NULL || keytab->ops->start_seq_get == NULL) {
- retval = krb5_kt_get_entry(context, keytab,
- server != NULL ? server : req->ticket->server,
- req->ticket->enc_part.kvno,
- req->ticket->enc_part.enctype, &ktent);
- if (retval == 0) {
- retval = krb5_decrypt_tkt_part(context, &ktent.key, req->ticket);
- if (retval == 0 && key != NULL)
- retval = krb5_copy_keyblock_contents(context, &ktent.key, key);
-
- (void) krb5_free_keytab_entry_contents(context, &ktent);
- }
+ retval = krb5_kt_get_entry(context, keytab,
+ server != NULL ? server : req->ticket->server,
+ req->ticket->enc_part.kvno,
+ req->ticket->enc_part.enctype, &ktent);
+ if (retval == 0) {
+ retval = krb5_decrypt_tkt_part(context, &ktent.key, req->ticket);
+ if (retval == 0 && key != NULL)
+ retval = krb5_copy_keyblock_contents(context, &ktent.key, key);
+
+ (void) krb5_free_keytab_entry_contents(context, &ktent);
+ }
} else {
- krb5_error_code code;
- krb5_kt_cursor cursor;
-
- code = krb5_kt_start_seq_get(context, keytab, &cursor);
- if (code != 0) {
- retval = code;
- goto map_error;
- }
-
- while ((code = krb5_kt_next_entry(context, keytab,
- &ktent, &cursor)) == 0) {
- if (ktent.key.enctype != req->ticket->enc_part.enctype)
- continue;
-
- retval = krb5_decrypt_tkt_part(context, &ktent.key,
- req->ticket);
-
- if (retval == 0) {
- krb5_principal tmp = NULL;
-
- /*
- * We overwrite ticket->server to be the principal
- * that we match in the keytab. The reason for doing
- * this is that GSS-API and other consumers look at
- * that principal to make authorization decisions
- * about whether the appropriate server is contacted.
- * It might be cleaner to create a new API and store
- * the server in the auth_context, but doing so would
- * probably miss existing uses of the server. Instead,
- * perhaps an API should be created to retrieve the
- * server as it appeared in the ticket.
- */
- retval = krb5_copy_principal(context, ktent.principal, &tmp);
- if (retval == 0 && key != NULL)
- retval = krb5_copy_keyblock_contents(context, &ktent.key, key);
- if (retval == 0) {
- krb5_free_principal(context, req->ticket->server);
- req->ticket->server = tmp;
- } else {
- krb5_free_principal(context, tmp);
- }
- (void) krb5_free_keytab_entry_contents(context, &ktent);
- break;
- }
- (void) krb5_free_keytab_entry_contents(context, &ktent);
- }
-
- code = krb5_kt_end_seq_get(context, keytab, &cursor);
- if (code != 0)
- retval = code;
+ krb5_error_code code;
+ krb5_kt_cursor cursor;
+
+ code = krb5_kt_start_seq_get(context, keytab, &cursor);
+ if (code != 0) {
+ retval = code;
+ goto map_error;
+ }
+
+ while ((code = krb5_kt_next_entry(context, keytab,
+ &ktent, &cursor)) == 0) {
+ if (ktent.key.enctype != req->ticket->enc_part.enctype)
+ continue;
+
+ retval = krb5_decrypt_tkt_part(context, &ktent.key,
+ req->ticket);
+
+ if (retval == 0) {
+ krb5_principal tmp = NULL;
+
+ /*
+ * We overwrite ticket->server to be the principal
+ * that we match in the keytab. The reason for doing
+ * this is that GSS-API and other consumers look at
+ * that principal to make authorization decisions
+ * about whether the appropriate server is contacted.
+ * It might be cleaner to create a new API and store
+ * the server in the auth_context, but doing so would
+ * probably miss existing uses of the server. Instead,
+ * perhaps an API should be created to retrieve the
+ * server as it appeared in the ticket.
+ */
+ retval = krb5_copy_principal(context, ktent.principal, &tmp);
+ if (retval == 0 && key != NULL)
+ retval = krb5_copy_keyblock_contents(context, &ktent.key, key);
+ if (retval == 0) {
+ krb5_free_principal(context, req->ticket->server);
+ req->ticket->server = tmp;
+ } else {
+ krb5_free_principal(context, tmp);
+ }
+ (void) krb5_free_keytab_entry_contents(context, &ktent);
+ break;
+ }
+ (void) krb5_free_keytab_entry_contents(context, &ktent);
+ }
+
+ code = krb5_kt_end_seq_get(context, keytab, &cursor);
+ if (code != 0)
+ retval = code;
}
#endif /* LEAN_CLIENT */
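Review bot: In the keytab iteration of `krb5_rd_req_decrypt_tkt_part`, the `continue` taken when `ktent.key.enctype != req->ticket->enc_part.enctype` skips the `krb5_free_keytab_entry_contents()` call at the bottom of the loop. Every non-matching entry returned by `krb5_kt_next_entry()` therefore appears to be leaked on each request handled with `server == NULL`. In a long-running acceptor that is memory growth driven by incoming AP-REQs. Release the entry before skipping it: `if (ktent.key.enctype != req->ticket->enc_part.enctype) { (void) krb5_free_keytab_entry_contents(context, &ktent); continue; }`. The hunk opens inside krb5int_check_clockskew, whose first lines are outside it.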
@@ -174,10 +175,10 @@ map_error:
case KRB5_KT_KVNONOTFOUND:
case KRB5_KT_NOTFOUND:
case KRB5KRB_AP_ERR_BAD_INTEGRITY:
- retval = KRB5KRB_AP_WRONG_PRINC;
- break;
+ retval = KRB5KRB_AP_WRONG_PRINC;
+ break;
default:
- break;
+ break;
}
return retval;
@@ -189,16 +190,16 @@ static void
debug_log_authz_data(const char *which, krb5_authdata **a)
{
if (a) {
- syslog(LOG_ERR|LOG_DAEMON, "%s authz data:", which);
- while (*a) {
- syslog(LOG_ERR|LOG_DAEMON, " ad_type:%d length:%d '%.*s'",
- (*a)->ad_type, (*a)->length, (*a)->length,
- (char *) (*a)->contents);
- a++;
- }
- syslog(LOG_ERR|LOG_DAEMON, " [end]");
+ syslog(LOG_ERR|LOG_DAEMON, "%s authz data:", which);
+ while (*a) {
+ syslog(LOG_ERR|LOG_DAEMON, " ad_type:%d length:%d '%.*s'",
+ (*a)->ad_type, (*a)->length, (*a)->length,
+ (char *) (*a)->contents);
+ a++;
+ }
+ syslog(LOG_ERR|LOG_DAEMON, " [end]");
} else
- syslog(LOG_ERR|LOG_DAEMON, "no %s authz data", which);
+ syslog(LOG_ERR|LOG_DAEMON, "no %s authz data", which);
}
#else
static void
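Review bot: `debug_log_authz_data` writes each authorization-data element to syslog with `'%.*s'` over `(*a)->contents`, which is sender-supplied binary from the ticket or authenticator, so control characters and embedded newlines reach the log unescaped and can forge or corrupt entries. `(*a)->length` is also passed both to `%d` and as the `%.*s` precision, which must be an `int`; if the field is unsigned, it needs a range check and a cast such as `(int)(*a)->length`. Logging only `ad_type` and `length`, or a hex rendering of a bounded prefix, avoids both problems. The preprocessor condition that selects this variant lies above the hunk.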
@@ -209,91 +210,91 @@ debug_log_authz_data(const char *which, krb5_authdata **a)
static krb5_error_code
krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context,
- const krb5_ap_req *req, krb5_const_principal server,
- krb5_keytab keytab, krb5_flags *ap_req_options,
- krb5_ticket **ticket, int check_valid_flag)
+ const krb5_ap_req *req, krb5_const_principal server,
+ krb5_keytab keytab, krb5_flags *ap_req_options,
+ krb5_ticket **ticket, int check_valid_flag)
{
- krb5_error_code retval = 0;
- krb5_principal_data princ_data;
- krb5_enctype *desired_etypes = NULL;
- int desired_etypes_len = 0;
- int rfc4537_etypes_len = 0;
- krb5_enctype *permitted_etypes = NULL;
- int permitted_etypes_len = 0;
- krb5_keyblock decrypt_key;
+ krb5_error_code retval = 0;
+ krb5_principal_data princ_data;
+ krb5_enctype *desired_etypes = NULL;
+ int desired_etypes_len = 0;
+ int rfc4537_etypes_len = 0;
+ krb5_enctype *permitted_etypes = NULL;
+ int permitted_etypes_len = 0;
+ krb5_keyblock decrypt_key;
decrypt_key.enctype = ENCTYPE_NULL;
decrypt_key.contents = NULL;
-
+
req->ticket->enc_part2 = NULL;
if (server && krb5_is_referral_realm(&server->realm)) {
- char *realm;
- princ_data = *server;
- server = &princ_data;
- retval = krb5_get_default_realm(context, &realm);
- if (retval)
- return retval;
- princ_data.realm.data = realm;
- princ_data.realm.length = strlen(realm);
+ char *realm;
+ princ_data = *server;
+ server = &princ_data;
+ retval = krb5_get_default_realm(context, &realm);
+ if (retval)
+ return retval;
+ princ_data.realm.data = realm;
+ princ_data.realm.length = strlen(realm);
}
/* if (req->ap_options & AP_OPTS_USE_SESSION_KEY)
- do we need special processing here ? */
+ do we need special processing here ? */
/* decrypt the ticket */
if ((*auth_context)->key) { /* User to User authentication */
- if ((retval = krb5_decrypt_tkt_part(context,
- &(*auth_context)->key->keyblock,
- req->ticket)))
- goto cleanup;
- if (check_valid_flag) {
- decrypt_key = (*auth_context)->key->keyblock;
- (*auth_context)->key->keyblock.contents = NULL;
- }
- krb5_k_free_key(context, (*auth_context)->key);
- (*auth_context)->key = NULL;
+ if ((retval = krb5_decrypt_tkt_part(context,
+ &(*auth_context)->key->keyblock,
+ req->ticket)))
+ goto cleanup;
+ if (check_valid_flag) {
+ decrypt_key = (*auth_context)->key->keyblock;
+ (*auth_context)->key->keyblock.contents = NULL;
+ }
+ krb5_k_free_key(context, (*auth_context)->key);
+ (*auth_context)->key = NULL;
} else {
- if ((retval = krb5_rd_req_decrypt_tkt_part(context, req,
- server, keytab,
- check_valid_flag ? &decrypt_key : NULL)))
- goto cleanup;
+ if ((retval = krb5_rd_req_decrypt_tkt_part(context, req,
+ server, keytab,
+ check_valid_flag ? &decrypt_key : NULL)))
+ goto cleanup;
}
- /* XXX this is an evil hack. check_valid_flag is set iff the call
+ /* XXX this is an evil hack. check_valid_flag is set iff the call
is not from inside the kdc. we can use this to determine which
key usage to use */
#ifndef LEAN_CLIENT
- if ((retval = decrypt_authenticator(context, req,
- &((*auth_context)->authentp),
- check_valid_flag)))
- goto cleanup;
+ if ((retval = decrypt_authenticator(context, req,
+ &((*auth_context)->authentp),
+ check_valid_flag)))
+ goto cleanup;
#endif
if (!krb5_principal_compare(context, (*auth_context)->authentp->client,
- req->ticket->enc_part2->client)) {
- retval = KRB5KRB_AP_ERR_BADMATCH;
- goto cleanup;
+ req->ticket->enc_part2->client)) {
+ retval = KRB5KRB_AP_ERR_BADMATCH;
+ goto cleanup;
}
- if ((*auth_context)->remote_addr &&
- !krb5_address_search(context, (*auth_context)->remote_addr,
- req->ticket->enc_part2->caddrs)) {
- retval = KRB5KRB_AP_ERR_BADADDR;
- goto cleanup;
+ if ((*auth_context)->remote_addr &&
+ !krb5_address_search(context, (*auth_context)->remote_addr,
+ req->ticket->enc_part2->caddrs)) {
+ retval = KRB5KRB_AP_ERR_BADADDR;
+ goto cleanup;
}
if (!server) {
- server = req->ticket->server;
+ server = req->ticket->server;
}
/* Get an rcache if necessary. */
if (((*auth_context)->rcache == NULL)
- && ((*auth_context)->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME)
- && server) {
- if ((retval = krb5_get_server_rcache(context,
- krb5_princ_component(context,
- server,0),
- &(*auth_context)->rcache)))
- goto cleanup;
+ && ((*auth_context)->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME)
+ && server) {
+ if ((retval = krb5_get_server_rcache(context,
+ krb5_princ_component(context,
+ server,0),
+ &(*auth_context)->rcache)))
+ goto cleanup;
}
/* okay, now check cross-realm policy */
@@ -301,60 +302,60 @@ krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context,
/* Single hop cross-realm tickets only */
- {
- krb5_transited *trans = &(req->ticket->enc_part2->transited);
+ {
+ krb5_transited *trans = &(req->ticket->enc_part2->transited);
- /* If the transited list is empty, then we have at most one hop */
- if (trans->tr_contents.data && trans->tr_contents.data[0])
- retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
+ /* If the transited list is empty, then we have at most one hop */
+ if (trans->tr_contents.data && trans->tr_contents.data[0])
+ retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
}
#elif defined(_NO_CROSS_REALM)
/* No cross-realm tickets */
- {
- char * lrealm;
- krb5_data * realm;
- krb5_transited * trans;
-
- realm = krb5_princ_realm(context, req->ticket->enc_part2->client);
- trans = &(req->ticket->enc_part2->transited);
-
- /*
- * If the transited list is empty, then we have at most one hop
- * So we also have to check that the client's realm is the local one
- */
- krb5_get_default_realm(context, &lrealm);
- if ((trans->tr_contents.data && trans->tr_contents.data[0]) ||
- !data_eq_string(*realm, lrealm)) {
- retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
- }
- free(lrealm);
+ {
+ char * lrealm;
+ krb5_data * realm;
+ krb5_transited * trans;
+
+ realm = krb5_princ_realm(context, req->ticket->enc_part2->client);
+ trans = &(req->ticket->enc_part2->transited);
+
+ /*
+ * If the transited list is empty, then we have at most one hop
+ * So we also have to check that the client's realm is the local one
+ */
+ krb5_get_default_realm(context, &lrealm);
+ if ((trans->tr_contents.data && trans->tr_contents.data[0]) ||
+ !data_eq_string(*realm, lrealm)) {
+ retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
+ }
+ free(lrealm);
}
#else
/* Hierarchical Cross-Realm */
-
+
{
- krb5_data * realm;
- krb5_transited * trans;
-
- realm = krb5_princ_realm(context, req->ticket->enc_part2->client);
- trans = &(req->ticket->enc_part2->transited);
-
- /*
- * If the transited list is not empty, then check that all realms
- * transited are within the hierarchy between the client's realm
- * and the local realm.
- */
- if (trans->tr_contents.data && trans->tr_contents.data[0]) {
- retval = krb5_check_transited_list(context, &(trans->tr_contents),
- realm,
- krb5_princ_realm (context,
- server));
- }
+ krb5_data * realm;
+ krb5_transited * trans;
+
+ realm = krb5_princ_realm(context, req->ticket->enc_part2->client);
+ trans = &(req->ticket->enc_part2->transited);
+
+ /*
+ * If the transited list is not empty, then check that all realms
+ * transited are within the hierarchy between the client's realm
+ * and the local realm.
+ */
+ if (trans->tr_contents.data && trans->tr_contents.data[0]) {
+ retval = krb5_check_transited_list(context, &(trans->tr_contents),
+ realm,
+ krb5_princ_realm (context,
+ server));
+ }
}
#endif
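Review bot: In the `_NO_CROSS_REALM` branch the return value of `krb5_get_default_realm(context, &lrealm)` is discarded, so on failure the uninitialized `lrealm` is passed to `data_eq_string()` and then to `free()`, and the cross-realm policy decision rests on an indeterminate pointer. Check the call and fail the request: `retval = krb5_get_default_realm(context, &lrealm);` followed by `if (retval) goto cleanup;`. The cleanup path later in this function releases a default-realm string with `krb5_free_default_realm()`, and using that here instead of `free(lrealm)` would keep the allocator pairing consistent. The opening `#if` of this block is outside the hunk.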
@@ -365,69 +366,69 @@ krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context,
may not be able to use replay caches (such as datagram servers) */
if ((*auth_context)->rcache) {
- krb5_donot_replay rep;
- krb5_tkt_authent tktauthent;
-
- tktauthent.ticket = req->ticket;
- tktauthent.authenticator = (*auth_context)->authentp;
- if (!(retval = krb5_auth_to_rep(context, &tktauthent, &rep))) {
- retval = krb5_rc_hash_message(context,
- &req->authenticator.ciphertext,
- &rep.msghash);
- if (!retval) {
- retval = krb5_rc_store(context, (*auth_context)->rcache, &rep);
- free(rep.msghash);
- }
- free(rep.server);
- free(rep.client);
- }
-
- if (retval)
- goto cleanup;
+ krb5_donot_replay rep;
+ krb5_tkt_authent tktauthent;
+
+ tktauthent.ticket = req->ticket;
+ tktauthent.authenticator = (*auth_context)->authentp;
+ if (!(retval = krb5_auth_to_rep(context, &tktauthent, &rep))) {
+ retval = krb5_rc_hash_message(context,
+ &req->authenticator.ciphertext,
+ &rep.msghash);
+ if (!retval) {
+ retval = krb5_rc_store(context, (*auth_context)->rcache, &rep);
+ free(rep.msghash);
+ }
+ free(rep.server);
+ free(rep.client);
+ }
+
+ if (retval)
+ goto cleanup;
}
retval = krb5_validate_times(context, &req->ticket->enc_part2->times);
if (retval != 0)
- goto cleanup;
+ goto cleanup;
if ((retval = krb5int_check_clockskew(context, (*auth_context)->authentp->ctime)))
- goto cleanup;
+ goto cleanup;
if (check_valid_flag) {
- if (req->ticket->enc_part2->flags & TKT_FLG_INVALID) {
- retval = KRB5KRB_AP_ERR_TKT_INVALID;
- goto cleanup;
- }
-
- if ((retval = krb5_authdata_context_init(context,
- &(*auth_context)->ad_context)))
- goto cleanup;
- if ((retval = krb5int_authdata_verify(context,
- (*auth_context)->ad_context,
- AD_USAGE_MASK,
- auth_context,
- &decrypt_key,
- req)))
- goto cleanup;
+ if (req->ticket->enc_part2->flags & TKT_FLG_INVALID) {
+ retval = KRB5KRB_AP_ERR_TKT_INVALID;
+ goto cleanup;
+ }
+
+ if ((retval = krb5_authdata_context_init(context,
+ &(*auth_context)->ad_context)))
+ goto cleanup;
+ if ((retval = krb5int_authdata_verify(context,
+ (*auth_context)->ad_context,
+ AD_USAGE_MASK,
+ auth_context,
+ &decrypt_key,
+ req)))
+ goto cleanup;
}
/* read RFC 4537 etype list from sender */
retval = decode_etype_list(context,
- (*auth_context)->authentp,
- &desired_etypes,
- &rfc4537_etypes_len);
+ (*auth_context)->authentp,
+ &desired_etypes,
+ &rfc4537_etypes_len);
if (retval != 0)
- goto cleanup;
+ goto cleanup;
if (desired_etypes == NULL)
- desired_etypes = (krb5_enctype *)calloc(4, sizeof(krb5_enctype));
+ desired_etypes = (krb5_enctype *)calloc(4, sizeof(krb5_enctype));
else
- desired_etypes = (krb5_enctype *)realloc(desired_etypes,
- (rfc4537_etypes_len + 4) *
- sizeof(krb5_enctype));
+ desired_etypes = (krb5_enctype *)realloc(desired_etypes,
+ (rfc4537_etypes_len + 4) *
+ sizeof(krb5_enctype));
if (desired_etypes == NULL) {
- retval = ENOMEM;
- goto cleanup;
+ retval = ENOMEM;
+ goto cleanup;
}
desired_etypes_len = rfc4537_etypes_len;
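Review bot: `desired_etypes = (krb5_enctype *)realloc(desired_etypes, ...)` overwrites the only pointer to the list returned by `decode_etype_list()`, so a failed realloc leaks the original allocation, because the `cleanup:` path only frees a non-NULL `desired_etypes`. `rfc4537_etypes_len` is read from the sender's authenticator, so the requested size is peer-influenced. Keep the old pointer until the call succeeds: `tmp = realloc(desired_etypes, (rfc4537_etypes_len + 4) * sizeof(krb5_enctype));`, then `if (tmp == NULL) { retval = ENOMEM; goto cleanup; }` and `desired_etypes = tmp;`. A short comment naming what the four extra slots are reserved for would also help, since only the subkey etype, the session etype and the terminator are visibly appended in the next hunk.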
@@ -457,105 +458,105 @@ krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context,
*/
if ((*auth_context)->authentp->subkey != NULL) {
- desired_etypes[desired_etypes_len++] = (*auth_context)->authentp->subkey->enctype;
+ desired_etypes[desired_etypes_len++] = (*auth_context)->authentp->subkey->enctype;
}
desired_etypes[desired_etypes_len++] = req->ticket->enc_part2->session->enctype;
desired_etypes[desired_etypes_len] = ENCTYPE_NULL;
if (((*auth_context)->auth_context_flags & KRB5_AUTH_CONTEXT_PERMIT_ALL) == 0) {
- if ((*auth_context)->permitted_etypes != NULL) {
- permitted_etypes = (*auth_context)->permitted_etypes;
- } else {
- retval = krb5_get_permitted_enctypes(context, &permitted_etypes);
- if (retval != 0)
- goto cleanup;
- }
- for (permitted_etypes_len = 0;
- permitted_etypes[permitted_etypes_len] != ENCTYPE_NULL;
- permitted_etypes_len++)
- ;
+ if ((*auth_context)->permitted_etypes != NULL) {
+ permitted_etypes = (*auth_context)->permitted_etypes;
+ } else {
+ retval = krb5_get_permitted_enctypes(context, &permitted_etypes);
+ if (retval != 0)
+ goto cleanup;
+ }
+ for (permitted_etypes_len = 0;
+ permitted_etypes[permitted_etypes_len] != ENCTYPE_NULL;
+ permitted_etypes_len++)
+ ;
} else {
- permitted_etypes = NULL;
- permitted_etypes_len = 0;
+ permitted_etypes = NULL;
+ permitted_etypes_len = 0;
}
/* check if the various etypes are permitted */
retval = negotiate_etype(context,
- desired_etypes, desired_etypes_len,
- rfc4537_etypes_len,
- permitted_etypes, permitted_etypes_len,
- &(*auth_context)->negotiated_etype);
+ desired_etypes, desired_etypes_len,
+ rfc4537_etypes_len,
+ permitted_etypes, permitted_etypes_len,
+ &(*auth_context)->negotiated_etype);
if (retval != 0)
- goto cleanup;
+ goto cleanup;
assert((*auth_context)->negotiated_etype != ENCTYPE_NULL);
(*auth_context)->remote_seq_number = (*auth_context)->authentp->seq_number;
if ((*auth_context)->authentp->subkey) {
- if ((retval = krb5_k_create_key(context,
- (*auth_context)->authentp->subkey,
- &((*auth_context)->recv_subkey))))
- goto cleanup;
- retval = krb5_k_create_key(context, (*auth_context)->authentp->subkey,
- &((*auth_context)->send_subkey));
- if (retval) {
- krb5_k_free_key(context, (*auth_context)->recv_subkey);
- (*auth_context)->recv_subkey = NULL;
- goto cleanup;
- }
+ if ((retval = krb5_k_create_key(context,
+ (*auth_context)->authentp->subkey,
+ &((*auth_context)->recv_subkey))))
+ goto cleanup;
+ retval = krb5_k_create_key(context, (*auth_context)->authentp->subkey,
+ &((*auth_context)->send_subkey));
+ if (retval) {
+ krb5_k_free_key(context, (*auth_context)->recv_subkey);
+ (*auth_context)->recv_subkey = NULL;
+ goto cleanup;
+ }
} else {
- (*auth_context)->recv_subkey = 0;
- (*auth_context)->send_subkey = 0;
+ (*auth_context)->recv_subkey = 0;
+ (*auth_context)->send_subkey = 0;
}
if ((retval = krb5_k_create_key(context, req->ticket->enc_part2->session,
- &((*auth_context)->key))))
- goto cleanup;
+ &((*auth_context)->key))))
+ goto cleanup;
debug_log_authz_data("ticket", req->ticket->enc_part2->authorization_data);
/*
- * If not AP_OPTS_MUTUAL_REQUIRED then and sequence numbers are used
+ * If not AP_OPTS_MUTUAL_REQUIRED then and sequence numbers are used
* then the default sequence number is the one's complement of the
* sequence number sent ot us.
*/
- if ((!(req->ap_options & AP_OPTS_MUTUAL_REQUIRED)) &&
- (*auth_context)->remote_seq_number) {
- (*auth_context)->local_seq_number ^=
- (*auth_context)->remote_seq_number;
+ if ((!(req->ap_options & AP_OPTS_MUTUAL_REQUIRED)) &&
+ (*auth_context)->remote_seq_number) {
+ (*auth_context)->local_seq_number ^=
+ (*auth_context)->remote_seq_number;
}
if (ticket)
- if ((retval = krb5_copy_ticket(context, req->ticket, ticket)))
- goto cleanup;
+ if ((retval = krb5_copy_ticket(context, req->ticket, ticket)))
+ goto cleanup;
if (ap_req_options) {
- *ap_req_options = req->ap_options & AP_OPTS_WIRE_MASK;
- if (rfc4537_etypes_len != 0)
- *ap_req_options |= AP_OPTS_ETYPE_NEGOTIATION;
- if ((*auth_context)->negotiated_etype !=
- krb5_k_key_enctype(context, (*auth_context)->key))
- *ap_req_options |= AP_OPTS_USE_SUBKEY;
+ *ap_req_options = req->ap_options & AP_OPTS_WIRE_MASK;
+ if (rfc4537_etypes_len != 0)
+ *ap_req_options |= AP_OPTS_ETYPE_NEGOTIATION;
+ if ((*auth_context)->negotiated_etype !=
+ krb5_k_key_enctype(context, (*auth_context)->key))
+ *ap_req_options |= AP_OPTS_USE_SUBKEY;
}
retval = 0;
-
+
cleanup:
if (desired_etypes != NULL)
- free(desired_etypes);
+ free(desired_etypes);
if (permitted_etypes != NULL &&
- permitted_etypes != (*auth_context)->permitted_etypes)
- free(permitted_etypes);
+ permitted_etypes != (*auth_context)->permitted_etypes)
+ free(permitted_etypes);
if (server == &princ_data)
- krb5_free_default_realm(context, princ_data.realm.data);
+ krb5_free_default_realm(context, princ_data.realm.data);
if (retval) {
- /* only free if we're erroring out...otherwise some
- applications will need the output. */
- if (req->ticket->enc_part2)
- krb5_free_enc_tkt_part(context, req->ticket->enc_part2);
- req->ticket->enc_part2 = NULL;
+ /* only free if we're erroring out...otherwise some
+ applications will need the output. */
+ if (req->ticket->enc_part2)
+ krb5_free_enc_tkt_part(context, req->ticket->enc_part2);
+ req->ticket->enc_part2 = NULL;
}
if (check_valid_flag)
- krb5_free_keyblock_contents(context, &decrypt_key);
+ krb5_free_keyblock_contents(context, &decrypt_key);
return retval;
}
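Review bot: The comment above the `AP_OPTS_MUTUAL_REQUIRED` test describes the default local sequence number as the one's complement of the peer's, but the statement it documents is `(*auth_context)->local_seq_number ^= (*auth_context)->remote_seq_number;`, an XOR with whatever local value is already set. The comment should state what the code does, for instance `/* Without mutual authentication, XOR the peer's sequence number into our local one. */`; if one's complement really is intended, the code needs to change instead. Which of the two is intended is not visible on this page. The function begins in an earlier hunk.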
@@ -566,12 +567,12 @@ krb5_rd_req_decoded(krb5_context context, krb5_auth_context *auth_context,
krb5_keytab keytab, krb5_flags *ap_req_options,
krb5_ticket **ticket)
{
- krb5_error_code retval;
- retval = krb5_rd_req_decoded_opt(context, auth_context,
- req, server, keytab,
- ap_req_options, ticket,
- 1); /* check_valid_flag */
- return retval;
+ krb5_error_code retval;
+ retval = krb5_rd_req_decoded_opt(context, auth_context,
+ req, server, keytab,
+ ap_req_options, ticket,
+ 1); /* check_valid_flag */
+ return retval;
}
krb5_error_code
@@ -581,18 +582,18 @@ krb5_rd_req_decoded_anyflag(krb5_context context,
krb5_const_principal server, krb5_keytab keytab,
krb5_flags *ap_req_options, krb5_ticket **ticket)
{
- krb5_error_code retval;
- retval = krb5_rd_req_decoded_opt(context, auth_context,
- req, server, keytab,
- ap_req_options, ticket,
- 0); /* don't check_valid_flag */
- return retval;
+ krb5_error_code retval;
+ retval = krb5_rd_req_decoded_opt(context, auth_context,
+ req, server, keytab,
+ ap_req_options, ticket,
+ 0); /* don't check_valid_flag */
+ return retval;
}
#ifndef LEAN_CLIENT
static krb5_error_code
decrypt_authenticator(krb5_context context, const krb5_ap_req *request,
- krb5_authenticator **authpp, int is_ap_req)
+ krb5_authenticator **authpp, int is_ap_req)
{
krb5_authenticator *local_auth;
krb5_error_code retval;
@@ -603,23 +604,23 @@ decrypt_authenticator(krb5_context context, const krb5_ap_req *request,
scratch.length = request->authenticator.ciphertext.length;
if (!(scratch.data = malloc(scratch.length)))
- return(ENOMEM);
+ return(ENOMEM);
if ((retval = krb5_c_decrypt(context, sesskey,
- is_ap_req?KRB5_KEYUSAGE_AP_REQ_AUTH:
- KRB5_KEYUSAGE_TGS_REQ_AUTH, 0,
- &request->authenticator, &scratch))) {
- free(scratch.data);
- return(retval);
+ is_ap_req?KRB5_KEYUSAGE_AP_REQ_AUTH:
+ KRB5_KEYUSAGE_TGS_REQ_AUTH, 0,
+ &request->authenticator, &scratch))) {
+ free(scratch.data);
+ return(retval);
}
-#define clean_scratch() {memset(scratch.data, 0, scratch.length); \
-free(scratch.data);}
+#define clean_scratch() {memset(scratch.data, 0, scratch.length); \
+ free(scratch.data);}
/* now decode the decrypted stuff */
if (!(retval = decode_krb5_authenticator(&scratch, &local_auth))) {
- *authpp = local_auth;
- debug_log_authz_data("authenticator", local_auth->authorization_data);
+ *authpp = local_auth;
+ debug_log_authz_data("authenticator", local_auth->authorization_data);
}
clean_scratch();
return retval;
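Review bot: `clean_scratch()` wipes the decrypted authenticator with a plain `memset` immediately before `free`, a store the optimizer may drop as dead, so the plaintext can remain in freed heap memory. send_tgs.c in this same commit clears its scratch buffer with `zap(scratch->data, scratch->length)`; if that helper is in scope here (the includes are outside the hunk), the macro should read `#define clean_scratch() {zap(scratch.data, scratch.length); free(scratch.data);}` so all secret-wiping goes through one place that can be made non-elidable. The failure branch after `krb5_c_decrypt` frees `scratch.data` without clearing it at all and would benefit from the same call. The `memset` before `krb5_free_data` in the checksum hunk of `krb5_rd_safe_basic` in rd_safe.c has the same weakness. decrypt_authenticator starts and ends outside this hunk.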
@@ -628,12 +629,12 @@ free(scratch.data);}
static krb5_error_code
negotiate_etype(krb5_context context,
- const krb5_enctype *desired_etypes,
- int desired_etypes_len,
- int mandatory_etypes_index,
- const krb5_enctype *permitted_etypes,
- int permitted_etypes_len,
- krb5_enctype *negotiated_etype)
+ const krb5_enctype *desired_etypes,
+ int desired_etypes_len,
+ int mandatory_etypes_index,
+ const krb5_enctype *permitted_etypes,
+ int permitted_etypes_len,
+ krb5_enctype *negotiated_etype)
{
int i, j;
@@ -641,26 +642,26 @@ negotiate_etype(krb5_context context,
/* mandatory segment of desired_etypes must be permitted */
for (i = mandatory_etypes_index; i < desired_etypes_len; i++) {
- krb5_boolean permitted = FALSE;
-
- for (j = 0; j < permitted_etypes_len; j++) {
- if (desired_etypes[i] == permitted_etypes[j]) {
- permitted = TRUE;
- break;
- }
- }
-
- if (permitted == FALSE) {
- char enctype_name[30];
-
- if (krb5_enctype_to_string(desired_etypes[i],
- enctype_name,
- sizeof(enctype_name)) == 0)
- krb5_set_error_message(context, KRB5_NOPERM_ETYPE,
- "Encryption type %s not permitted",
- enctype_name);
- return KRB5_NOPERM_ETYPE;
- }
+ krb5_boolean permitted = FALSE;
+
+ for (j = 0; j < permitted_etypes_len; j++) {
+ if (desired_etypes[i] == permitted_etypes[j]) {
+ permitted = TRUE;
+ break;
+ }
+ }
+
+ if (permitted == FALSE) {
+ char enctype_name[30];
+
+ if (krb5_enctype_to_string(desired_etypes[i],
+ enctype_name,
+ sizeof(enctype_name)) == 0)
+ krb5_set_error_message(context, KRB5_NOPERM_ETYPE,
+ "Encryption type %s not permitted",
+ enctype_name);
+ return KRB5_NOPERM_ETYPE;
+ }
}
/*
@@ -668,12 +669,12 @@ negotiate_etype(krb5_context context,
* find first desired_etype that matches.
*/
for (j = 0; j < permitted_etypes_len; j++) {
- for (i = 0; i < desired_etypes_len; i++) {
- if (desired_etypes[i] == permitted_etypes[j]) {
- *negotiated_etype = permitted_etypes[j];
- return 0;
- }
- }
+ for (i = 0; i < desired_etypes_len; i++) {
+ if (desired_etypes[i] == permitted_etypes[j]) {
+ *negotiated_etype = permitted_etypes[j];
+ return 0;
+ }
+ }
}
/*NOTREACHED*/
@@ -682,9 +683,9 @@ negotiate_etype(krb5_context context,
static krb5_error_code
decode_etype_list(krb5_context context,
- const krb5_authenticator *authp,
- krb5_enctype **desired_etypes,
- int *desired_etypes_len)
+ const krb5_authenticator *authp,
+ krb5_enctype **desired_etypes,
+ int *desired_etypes_len)
{
krb5_error_code code;
krb5_authdata **ad_if_relevant = NULL;
@@ -696,59 +697,58 @@ decode_etype_list(krb5_context context,
*desired_etypes = NULL;
if (authp->authorization_data == NULL)
- return 0;
+ return 0;
/*
* RFC 4537 says that ETYPE_NEGOTIATION auth data should be wrapped
* in AD_IF_RELEVANT, but we handle the case where it is mandatory.
*/
for (i = 0; authp->authorization_data[i] != NULL; i++) {
- switch (authp->authorization_data[i]->ad_type) {
- case KRB5_AUTHDATA_IF_RELEVANT:
- code = krb5_decode_authdata_container(context,
- KRB5_AUTHDATA_IF_RELEVANT,
- authp->authorization_data[i],
- &ad_if_relevant);
- if (code != 0)
- continue;
-
- for (j = 0; ad_if_relevant[j] != NULL; j++) {
- if (ad_if_relevant[j]->ad_type == KRB5_AUTHDATA_ETYPE_NEGOTIATION) {
- etype_adata = ad_if_relevant[j];
- break;
- }
- }
- if (etype_adata == NULL) {
- krb5_free_authdata(context, ad_if_relevant);
- ad_if_relevant = NULL;
- }
- break;
- case KRB5_AUTHDATA_ETYPE_NEGOTIATION:
- etype_adata = authp->authorization_data[i];
- break;
- default:
- break;
- }
- if (etype_adata != NULL)
- break;
+ switch (authp->authorization_data[i]->ad_type) {
+ case KRB5_AUTHDATA_IF_RELEVANT:
+ code = krb5_decode_authdata_container(context,
+ KRB5_AUTHDATA_IF_RELEVANT,
+ authp->authorization_data[i],
+ &ad_if_relevant);
+ if (code != 0)
+ continue;
+
+ for (j = 0; ad_if_relevant[j] != NULL; j++) {
+ if (ad_if_relevant[j]->ad_type == KRB5_AUTHDATA_ETYPE_NEGOTIATION) {
+ etype_adata = ad_if_relevant[j];
+ break;
+ }
+ }
+ if (etype_adata == NULL) {
+ krb5_free_authdata(context, ad_if_relevant);
+ ad_if_relevant = NULL;
+ }
+ break;
+ case KRB5_AUTHDATA_ETYPE_NEGOTIATION:
+ etype_adata = authp->authorization_data[i];
+ break;
+ default:
+ break;
+ }
+ if (etype_adata != NULL)
+ break;
}
if (etype_adata == NULL)
- return 0;
+ return 0;
data.data = (char *)etype_adata->contents;
data.length = etype_adata->length;
code = decode_krb5_etype_list(&data, &etype_list);
if (code == 0) {
- *desired_etypes = etype_list->etypes;
- *desired_etypes_len = etype_list->length;
- free(etype_list);
+ *desired_etypes = etype_list->etypes;
+ *desired_etypes_len = etype_list->length;
+ free(etype_list);
}
if (ad_if_relevant != NULL)
- krb5_free_authdata(context, ad_if_relevant);
+ krb5_free_authdata(context, ad_if_relevant);
return code;
}
-
diff --git a/src/lib/krb5/krb/rd_safe.c b/src/lib/krb5/krb/rd_safe.c
index 68c13317c5..924cb9fc26 100644
--- a/src/lib/krb5/krb/rd_safe.c
+++ b/src/lib/krb5/krb/rd_safe.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/rd_safe.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_rd_safe()
*/
@@ -32,27 +33,27 @@
#include "auth_con.h"
/*
- parses a KRB_SAFE message from inbuf, placing the integrity-protected user
- data in *outbuf.
+ parses a KRB_SAFE message from inbuf, placing the integrity-protected user
+ data in *outbuf.
- key specifies the key to be used for decryption of the message.
-
- sender_addr and recv_addr specify the full addresses (host and port) of
- the sender and receiver.
+ key specifies the key to be used for decryption of the message.
- outbuf points to allocated storage which the caller should free when finished.
+ sender_addr and recv_addr specify the full addresses (host and port) of
+ the sender and receiver.
- returns system errors, integrity errors
- */
+ outbuf points to allocated storage which the caller should free when finished.
+
+ returns system errors, integrity errors
+*/
static krb5_error_code
krb5_rd_safe_basic(krb5_context context, const krb5_data *inbuf,
- krb5_key key,
- const krb5_address *recv_addr,
- const krb5_address *sender_addr,
- krb5_replay_data *replaydata, krb5_data *outbuf)
+ krb5_key key,
+ const krb5_address *recv_addr,
+ const krb5_address *sender_addr,
+ krb5_replay_data *replaydata, krb5_data *outbuf)
{
- krb5_error_code retval;
- krb5_safe * message;
+ krb5_error_code retval;
+ krb5_safe * message;
krb5_data safe_body;
krb5_checksum our_cksum, *his_cksum;
krb5_octet zero_octet = 0;
@@ -61,45 +62,45 @@ krb5_rd_safe_basic(krb5_context context, const krb5_data *inbuf,
struct krb5_safe_with_body swb;
if (!krb5_is_krb_safe(inbuf))
- return KRB5KRB_AP_ERR_MSG_TYPE;
+ return KRB5KRB_AP_ERR_MSG_TYPE;
if ((retval = decode_krb5_safe_with_body(inbuf, &message, &safe_body)))
- return retval;
+ return retval;
if (!krb5_c_valid_cksumtype(message->checksum->checksum_type)) {
- retval = KRB5_PROG_SUMTYPE_NOSUPP;
- goto cleanup;
+ retval = KRB5_PROG_SUMTYPE_NOSUPP;
+ goto cleanup;
}
if (!krb5_c_is_coll_proof_cksum(message->checksum->checksum_type) ||
- !krb5_c_is_keyed_cksum(message->checksum->checksum_type)) {
- retval = KRB5KRB_AP_ERR_INAPP_CKSUM;
- goto cleanup;
+ !krb5_c_is_keyed_cksum(message->checksum->checksum_type)) {
+ retval = KRB5KRB_AP_ERR_INAPP_CKSUM;
+ goto cleanup;
}
if (!krb5_address_compare(context, sender_addr, message->s_address)) {
- retval = KRB5KRB_AP_ERR_BADADDR;
- goto cleanup;
+ retval = KRB5KRB_AP_ERR_BADADDR;
+ goto cleanup;
}
if (message->r_address) {
- if (recv_addr) {
- if (!krb5_address_compare(context, recv_addr, message->r_address)) {
- retval = KRB5KRB_AP_ERR_BADADDR;
- goto cleanup;
- }
- } else {
- krb5_address **our_addrs;
-
- if ((retval = krb5_os_localaddr(context, &our_addrs)))
- goto cleanup;
-
- if (!krb5_address_search(context, message->r_address, our_addrs)) {
- krb5_free_addresses(context, our_addrs);
- retval = KRB5KRB_AP_ERR_BADADDR;
- goto cleanup;
- }
- krb5_free_addresses(context, our_addrs);
- }
+ if (recv_addr) {
+ if (!krb5_address_compare(context, recv_addr, message->r_address)) {
+ retval = KRB5KRB_AP_ERR_BADADDR;
+ goto cleanup;
+ }
+ } else {
+ krb5_address **our_addrs;
+
+ if ((retval = krb5_os_localaddr(context, &our_addrs)))
+ goto cleanup;
+
+ if (!krb5_address_search(context, message->r_address, our_addrs)) {
+ krb5_free_addresses(context, our_addrs);
+ retval = KRB5KRB_AP_ERR_BADADDR;
+ goto cleanup;
+ }
+ krb5_free_addresses(context, our_addrs);
+ }
}
/* verify the checksum */
@@ -122,27 +123,27 @@ krb5_rd_safe_basic(krb5_context context, const krb5_data *inbuf,
retval = encode_krb5_safe_with_body(&swb, &scratch);
message->checksum = his_cksum;
if (retval)
- goto cleanup;
+ goto cleanup;
retval = krb5_k_verify_checksum(context, key,
- KRB5_KEYUSAGE_KRB_SAFE_CKSUM,
- scratch, his_cksum, &valid);
+ KRB5_KEYUSAGE_KRB_SAFE_CKSUM,
+ scratch, his_cksum, &valid);
(void) memset(scratch->data, 0, scratch->length);
krb5_free_data(context, scratch);
-
+
if (!valid) {
- /*
- * Checksum over only the KRB-SAFE-BODY, like RFC 1510 says, in
- * case someone actually implements it correctly.
- */
- retval = krb5_k_verify_checksum(context, key,
- KRB5_KEYUSAGE_KRB_SAFE_CKSUM,
- &safe_body, his_cksum, &valid);
- if (!valid) {
- retval = KRB5KRB_AP_ERR_MODIFIED;
- goto cleanup;
- }
+ /*
+ * Checksum over only the KRB-SAFE-BODY, like RFC 1510 says, in
+ * case someone actually implements it correctly.
+ */
+ retval = krb5_k_verify_checksum(context, key,
+ KRB5_KEYUSAGE_KRB_SAFE_CKSUM,
+ &safe_body, his_cksum, &valid);
+ if (!valid) {
+ retval = KRB5KRB_AP_ERR_MODIFIED;
+ goto cleanup;
+ }
}
replaydata->timestamp = message->timestamp;
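Review bot: The return value of the first `krb5_k_verify_checksum` call is never checked before `valid` is tested, so if that call fails without writing `valid`, accepting the message rests on whatever `valid` held before. Its declaration is outside this hunk, so this is only safe if it is initialised there; setting `valid = 0;` right before the call makes the check fail closed regardless. The body of krb5_rd_safe_basic starts and ends outside this hunk.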
@@ -152,7 +153,7 @@ krb5_rd_safe_basic(krb5_context context, const krb5_data *inbuf,
*outbuf = message->user_data;
message->user_data.data = NULL;
retval = 0;
-
+
cleanup:
krb5_free_safe(context, message);
return retval;
@@ -160,114 +161,114 @@ cleanup:
krb5_error_code KRB5_CALLCONV
krb5_rd_safe(krb5_context context, krb5_auth_context auth_context,
- const krb5_data *inbuf, krb5_data *outbuf,
- krb5_replay_data *outdata)
+ const krb5_data *inbuf, krb5_data *outbuf,
+ krb5_replay_data *outdata)
{
- krb5_error_code retval;
- krb5_key key;
- krb5_replay_data replaydata;
+ krb5_error_code retval;
+ krb5_key key;
+ krb5_replay_data replaydata;
if (((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) ||
- (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
- (outdata == NULL))
- /* Need a better error */
- return KRB5_RC_REQUIRED;
+ (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
+ (outdata == NULL))
+ /* Need a better error */
+ return KRB5_RC_REQUIRED;
if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) &&
- (auth_context->rcache == NULL))
- return KRB5_RC_REQUIRED;
+ (auth_context->rcache == NULL))
+ return KRB5_RC_REQUIRED;
if (!auth_context->remote_addr)
- return KRB5_REMOTE_ADDR_REQUIRED;
+ return KRB5_REMOTE_ADDR_REQUIRED;
/* Get key */
if ((key = auth_context->recv_subkey) == NULL)
- key = auth_context->key;
+ key = auth_context->key;
+
+ {
+ krb5_address * premote_fulladdr;
+ krb5_address * plocal_fulladdr = NULL;
+ krb5_address remote_fulladdr;
+ krb5_address local_fulladdr;
+ CLEANUP_INIT(2);
+
+ if (auth_context->local_addr) {
+ if (auth_context->local_port) {
+ if (!(retval = krb5_make_fulladdr(context, auth_context->local_addr,
+ auth_context->local_port,
+ &local_fulladdr))){
+ CLEANUP_PUSH(local_fulladdr.contents, free);
+ plocal_fulladdr = &local_fulladdr;
+ } else {
+ return retval;
+ }
+ } else {
+ plocal_fulladdr = auth_context->local_addr;
+ }
+ }
-{
- krb5_address * premote_fulladdr;
- krb5_address * plocal_fulladdr = NULL;
- krb5_address remote_fulladdr;
- krb5_address local_fulladdr;
- CLEANUP_INIT(2);
-
- if (auth_context->local_addr) {
- if (auth_context->local_port) {
- if (!(retval = krb5_make_fulladdr(context, auth_context->local_addr,
- auth_context->local_port,
- &local_fulladdr))){
- CLEANUP_PUSH(local_fulladdr.contents, free);
- plocal_fulladdr = &local_fulladdr;
+ if (auth_context->remote_port) {
+ if (!(retval = krb5_make_fulladdr(context,auth_context->remote_addr,
+ auth_context->remote_port,
+ &remote_fulladdr))){
+ CLEANUP_PUSH(remote_fulladdr.contents, free);
+ premote_fulladdr = &remote_fulladdr;
} else {
- return retval;
+ return retval;
}
- } else {
- plocal_fulladdr = auth_context->local_addr;
+ } else {
+ premote_fulladdr = auth_context->remote_addr;
}
- }
- if (auth_context->remote_port) {
- if (!(retval = krb5_make_fulladdr(context,auth_context->remote_addr,
- auth_context->remote_port,
- &remote_fulladdr))){
- CLEANUP_PUSH(remote_fulladdr.contents, free);
- premote_fulladdr = &remote_fulladdr;
- } else {
- return retval;
- }
- } else {
- premote_fulladdr = auth_context->remote_addr;
- }
+ memset(&replaydata, 0, sizeof(replaydata));
+ if ((retval = krb5_rd_safe_basic(context, inbuf, key,
+ plocal_fulladdr, premote_fulladdr,
+ &replaydata, outbuf))) {
+ CLEANUP_DONE();
+ return retval;
+ }
- memset(&replaydata, 0, sizeof(replaydata));
- if ((retval = krb5_rd_safe_basic(context, inbuf, key,
- plocal_fulladdr, premote_fulladdr,
- &replaydata, outbuf))) {
- CLEANUP_DONE();
- return retval;
+ CLEANUP_DONE();
}
- CLEANUP_DONE();
-}
-
if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) {
- krb5_donot_replay replay;
-
- if ((retval = krb5int_check_clockskew(context, replaydata.timestamp)))
- goto error;
-
- if ((retval = krb5_gen_replay_name(context, auth_context->remote_addr,
- "_safe", &replay.client)))
- goto error;
-
- replay.server = ""; /* XXX */
- replay.msghash = NULL;
- replay.cusec = replaydata.usec;
- replay.ctime = replaydata.timestamp;
- if ((retval = krb5_rc_store(context, auth_context->rcache, &replay))) {
- free(replay.client);
- goto error;
- }
- free(replay.client);
+ krb5_donot_replay replay;
+
+ if ((retval = krb5int_check_clockskew(context, replaydata.timestamp)))
+ goto error;
+
+ if ((retval = krb5_gen_replay_name(context, auth_context->remote_addr,
+ "_safe", &replay.client)))
+ goto error;
+
+ replay.server = ""; /* XXX */
+ replay.msghash = NULL;
+ replay.cusec = replaydata.usec;
+ replay.ctime = replaydata.timestamp;
+ if ((retval = krb5_rc_store(context, auth_context->rcache, &replay))) {
+ free(replay.client);
+ goto error;
+ }
+ free(replay.client);
}
if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
- if (!krb5int_auth_con_chkseqnum(context, auth_context,
- replaydata.seq)) {
- retval = KRB5KRB_AP_ERR_BADORDER;
- goto error;
- }
- auth_context->remote_seq_number++;
+ if (!krb5int_auth_con_chkseqnum(context, auth_context,
+ replaydata.seq)) {
+ retval = KRB5KRB_AP_ERR_BADORDER;
+ goto error;
+ }
+ auth_context->remote_seq_number++;
}
if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) ||
- (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) {
- outdata->timestamp = replaydata.timestamp;
- outdata->usec = replaydata.usec;
- outdata->seq = replaydata.seq;
+ (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) {
+ outdata->timestamp = replaydata.timestamp;
+ outdata->usec = replaydata.usec;
+ outdata->seq = replaydata.seq;
}
-
+
/* everything is ok - return data to the user */
return 0;
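Review bot: In the `auth_context->remote_port` branch, `return retval;` after a failed `krb5_make_fulladdr` leaves without calling `CLEANUP_DONE()`, which appears to be what releases the buffers registered with `CLEANUP_PUSH`. When a local port is also set, `local_fulladdr.contents` pushed a few lines earlier is therefore leaked on that path. The failure path of the `krb5_rd_safe_basic` call just below already calls `CLEANUP_DONE()` first; this branch should do the same, `} else { CLEANUP_DONE(); return retval; }`. The `error:` label and the end of krb5_rd_safe are outside this hunk.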
@@ -276,4 +277,3 @@ error:
return retval;
}
-
diff --git a/src/lib/krb5/krb/recvauth.c b/src/lib/krb5/krb/recvauth.c
index 611546aa5b..90746ba5c3 100644
--- a/src/lib/krb5/krb/recvauth.c
+++ b/src/lib/krb5/krb/recvauth.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/recvauth.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* convenience sendauth/recvauth functions
*/
@@ -38,79 +39,79 @@ static const char sendauth_version[] = "KRB5_SENDAUTH_V1.0";
static krb5_error_code
recvauth_common(krb5_context context,
- krb5_auth_context * auth_context,
- /* IN */
- krb5_pointer fd,
- char *appl_version,
- krb5_principal server,
- krb5_int32 flags,
- krb5_keytab keytab,
- /* OUT */
- krb5_ticket ** ticket,
- krb5_data *version)
+ krb5_auth_context * auth_context,
+ /* IN */
+ krb5_pointer fd,
+ char *appl_version,
+ krb5_principal server,
+ krb5_int32 flags,
+ krb5_keytab keytab,
+ /* OUT */
+ krb5_ticket ** ticket,
+ krb5_data *version)
{
- krb5_auth_context new_auth_context;
- krb5_flags ap_option = 0;
- krb5_error_code retval, problem;
- krb5_data inbuf;
- krb5_data outbuf;
- krb5_rcache rcache = 0;
- krb5_octet response;
- krb5_data null_server;
+ krb5_auth_context new_auth_context;
+ krb5_flags ap_option = 0;
+ krb5_error_code retval, problem;
+ krb5_data inbuf;
+ krb5_data outbuf;
+ krb5_rcache rcache = 0;
+ krb5_octet response;
+ krb5_data null_server;
int need_error_free = 0;
- int local_rcache = 0, local_authcon = 0;
-
- /*
- * Zero out problem variable. If problem is set at the end of
- * the intial version negotiation section, it means that we
- * need to send an error code back to the client application
- * and exit.
- */
- problem = 0;
- response = 0;
-
- if (!(flags & KRB5_RECVAUTH_SKIP_VERSION)) {
- /*
- * First read the sendauth version string and check it.
- */
- if ((retval = krb5_read_message(context, fd, &inbuf)))
- return(retval);
- if (strcmp(inbuf.data, sendauth_version)) {
- problem = KRB5_SENDAUTH_BADAUTHVERS;
- response = 1;
- }
- free(inbuf.data);
- }
- if (flags & KRB5_RECVAUTH_BADAUTHVERS) {
- problem = KRB5_SENDAUTH_BADAUTHVERS;
- response = 1;
- }
-
- /*
- * Do the same thing for the application version string.
- */
- if ((retval = krb5_read_message(context, fd, &inbuf)))
- return(retval);
- if (appl_version && strcmp(inbuf.data, appl_version)) {
- if (!problem) {
- problem = KRB5_SENDAUTH_BADAPPLVERS;
- response = 2;
- }
- }
- if (version && !problem)
- *version = inbuf;
- else
- free(inbuf.data);
-
- /*
- * Now we actually write the response. If the response is non-zero,
- * exit with a return value of problem
- */
- if ((krb5_net_write(context, *((int *)fd), (char *)&response, 1)) < 0) {
- return(problem); /* We'll return the top-level problem */
- }
- if (problem)
- return(problem);
+ int local_rcache = 0, local_authcon = 0;
+
+ /*
+ * Zero out problem variable. If problem is set at the end of
+ * the intial version negotiation section, it means that we
+ * need to send an error code back to the client application
+ * and exit.
+ */
+ problem = 0;
+ response = 0;
+
+ if (!(flags & KRB5_RECVAUTH_SKIP_VERSION)) {
+ /*
+ * First read the sendauth version string and check it.
+ */
+ if ((retval = krb5_read_message(context, fd, &inbuf)))
+ return(retval);
+ if (strcmp(inbuf.data, sendauth_version)) {
+ problem = KRB5_SENDAUTH_BADAUTHVERS;
+ response = 1;
+ }
+ free(inbuf.data);
+ }
+ if (flags & KRB5_RECVAUTH_BADAUTHVERS) {
+ problem = KRB5_SENDAUTH_BADAUTHVERS;
+ response = 1;
+ }
+
+ /*
+ * Do the same thing for the application version string.
+ */
+ if ((retval = krb5_read_message(context, fd, &inbuf)))
+ return(retval);
+ if (appl_version && strcmp(inbuf.data, appl_version)) {
+ if (!problem) {
+ problem = KRB5_SENDAUTH_BADAPPLVERS;
+ response = 2;
+ }
+ }
+ if (version && !problem)
+ *version = inbuf;
+ else
+ free(inbuf.data);
+
+ /*
+ * Now we actually write the response. If the response is non-zero,
+ * exit with a return value of problem
+ */
+ if ((krb5_net_write(context, *((int *)fd), (char *)&response, 1)) < 0) {
+ return(problem); /* We'll return the top-level problem */
+ }
+ if (problem)
+ return(problem);
/* We are clear of errors here */
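Review bot: Both version checks pass `inbuf.data` straight to `strcmp`, but that buffer is filled by `krb5_read_message` from the peer before any authentication has taken place, and nothing in this hunk establishes that it is non-NULL or NUL-terminated. Unless `krb5_read_message` (not shown here) guarantees both, an empty message or one without a trailing NUL makes `strcmp` dereference NULL or read past the allocation. Guard each comparison with the received length, e.g. `if (inbuf.length == 0 || inbuf.data[inbuf.length - 1] != '\0' || strcmp(inbuf.data, sendauth_version))`, and apply the same guard to the `appl_version` comparison. recvauth_common continues past the end of this hunk.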
@@ -121,9 +122,9 @@ recvauth_common(krb5_context context,
return retval;
if (*auth_context == NULL) {
- problem = krb5_auth_con_init(context, &new_auth_context);
- *auth_context = new_auth_context;
- local_authcon = 1;
+ problem = krb5_auth_con_init(context, &new_auth_context);
+ *auth_context = new_auth_context;
+ local_authcon = 1;
}
krb5_auth_con_getrcache(context, *auth_context, &rcache);
if ((!problem) && rcache == NULL) {
@@ -131,93 +132,93 @@ recvauth_common(krb5_context context,
* Setup the replay cache.
*/
if (server) {
- problem = krb5_get_server_rcache(context,
- krb5_princ_component(context, server, 0), &rcache);
+ problem = krb5_get_server_rcache(context,
+ krb5_princ_component(context, server, 0), &rcache);
} else {
- null_server.length = 7;
- null_server.data = "default";
- problem = krb5_get_server_rcache(context, &null_server, &rcache);
+ null_server.length = 7;
+ null_server.data = "default";
+ problem = krb5_get_server_rcache(context, &null_server, &rcache);
}
- if (!problem)
- problem = krb5_auth_con_setrcache(context, *auth_context, rcache);
- local_rcache = 1;
+ if (!problem)
+ problem = krb5_auth_con_setrcache(context, *auth_context, rcache);
+ local_rcache = 1;
}
if (!problem) {
- problem = krb5_rd_req(context, auth_context, &inbuf, server,
- keytab, &ap_option, ticket);
- free(inbuf.data);
+ problem = krb5_rd_req(context, auth_context, &inbuf, server,
+ keytab, &ap_option, ticket);
+ free(inbuf.data);
}
-
+
/*
* If there was a problem, send back a krb5_error message,
* preceeded by the length of the krb5_error message. If
* everything's ok, send back 0 for the length.
*/
if (problem) {
- krb5_error error;
- const char *message;
-
- memset(&error, 0, sizeof(error));
- krb5_us_timeofday(context, &error.stime, &error.susec);
- if(server)
- error.server = server;
- else {
- /* If this fails - ie. ENOMEM we are hosed
- we cannot even send the error if we wanted to... */
- (void) krb5_parse_name(context, "????", &error.server);
- need_error_free = 1;
- }
-
- error.error = problem - ERROR_TABLE_BASE_krb5;
- if (error.error > 127)
- error.error = KRB_ERR_GENERIC;
- message = error_message(problem);
- error.text.length = strlen(message) + 1;
- error.text.data = strdup(message);
- if (!error.text.data) {
- retval = ENOMEM;
- goto cleanup;
- }
- if ((retval = krb5_mk_error(context, &error, &outbuf))) {
- free(error.text.data);
- goto cleanup;
- }
- free(error.text.data);
- if(need_error_free)
- krb5_free_principal(context, error.server);
+ krb5_error error;
+ const char *message;
+
+ memset(&error, 0, sizeof(error));
+ krb5_us_timeofday(context, &error.stime, &error.susec);
+ if(server)
+ error.server = server;
+ else {
+ /* If this fails - ie. ENOMEM we are hosed
+ we cannot even send the error if we wanted to... */
+ (void) krb5_parse_name(context, "????", &error.server);
+ need_error_free = 1;
+ }
+
+ error.error = problem - ERROR_TABLE_BASE_krb5;
+ if (error.error > 127)
+ error.error = KRB_ERR_GENERIC;
+ message = error_message(problem);
+ error.text.length = strlen(message) + 1;
+ error.text.data = strdup(message);
+ if (!error.text.data) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+ if ((retval = krb5_mk_error(context, &error, &outbuf))) {
+ free(error.text.data);
+ goto cleanup;
+ }
+ free(error.text.data);
+ if(need_error_free)
+ krb5_free_principal(context, error.server);
} else {
- outbuf.length = 0;
- outbuf.data = 0;
+ outbuf.length = 0;
+ outbuf.data = 0;
}
retval = krb5_write_message(context, fd, &outbuf);
if (outbuf.data) {
- free(outbuf.data);
- /* We sent back an error, we need cleanup then return */
- retval = problem;
- goto cleanup;
+ free(outbuf.data);
+ /* We sent back an error, we need cleanup then return */
+ retval = problem;
+ goto cleanup;
}
if (retval)
- goto cleanup;
+ goto cleanup;
/* Here lies the mutual authentication stuff... */
if ((ap_option & AP_OPTS_MUTUAL_REQUIRED)) {
- if ((retval = krb5_mk_rep(context, *auth_context, &outbuf))) {
- return(retval);
- }
- retval = krb5_write_message(context, fd, &outbuf);
- free(outbuf.data);
+ if ((retval = krb5_mk_rep(context, *auth_context, &outbuf))) {
+ return(retval);
+ }
+ retval = krb5_write_message(context, fd, &outbuf);
+ free(outbuf.data);
}
cleanup:;
if (retval) {
- if (local_authcon) {
- krb5_auth_con_free(context, *auth_context);
- } else if (local_rcache && rcache != NULL) {
- krb5_rc_close(context, rcache);
- krb5_auth_con_setrcache(context, *auth_context, NULL);
- }
+ if (local_authcon) {
+ krb5_auth_con_free(context, *auth_context);
+ } else if (local_rcache && rcache != NULL) {
+ krb5_rc_close(context, rcache);
+ krb5_auth_con_setrcache(context, *auth_context, NULL);
+ }
}
return retval;
}
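Review bot: On failure with `local_authcon` set, the `cleanup:` block frees `*auth_context` but leaves the caller's pointer referring to the freed context, so a caller that frees or reuses its auth context after an error would touch freed memory. Add `*auth_context = NULL;` right after `krb5_auth_con_free(context, *auth_context);`. Relatedly, `return(retval);` after a failed `krb5_mk_rep` bypasses `cleanup:` altogether, so a locally created auth context or replay cache is neither released nor detached on that path; `goto cleanup;` would keep the error paths consistent. The start of recvauth_common, where `local_authcon` and `local_rcache` are set, is outside this hunk.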
@@ -226,21 +227,21 @@ krb5_error_code KRB5_CALLCONV
krb5_recvauth(krb5_context context, krb5_auth_context *auth_context, krb5_pointer fd, char *appl_version, krb5_principal server, krb5_int32 flags, krb5_keytab keytab, krb5_ticket **ticket)
{
return recvauth_common (context, auth_context, fd, appl_version,
- server, flags, keytab, ticket, 0);
+ server, flags, keytab, ticket, 0);
}
krb5_error_code KRB5_CALLCONV
krb5_recvauth_version(krb5_context context,
- krb5_auth_context *auth_context,
- /* IN */
- krb5_pointer fd,
- krb5_principal server,
- krb5_int32 flags,
- krb5_keytab keytab,
- /* OUT */
- krb5_ticket **ticket,
- krb5_data *version)
+ krb5_auth_context *auth_context,
+ /* IN */
+ krb5_pointer fd,
+ krb5_principal server,
+ krb5_int32 flags,
+ krb5_keytab keytab,
+ /* OUT */
+ krb5_ticket **ticket,
+ krb5_data *version)
{
return recvauth_common (context, auth_context, fd, 0,
- server, flags, keytab, ticket, version);
+ server, flags, keytab, ticket, version);
}
diff --git a/src/lib/krb5/krb/s4u_creds.c b/src/lib/krb5/krb/s4u_creds.c
index a7e5199026..4733865767 100644
--- a/src/lib/krb5/krb/s4u_creds.c
+++ b/src/lib/krb5/krb/s4u_creds.c
@@ -1,4 +1,4 @@
-/* -*- mode: c; indent-tabs-mode: nil -*- */
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/s4u_creds.c
*
@@ -79,7 +79,7 @@ s4u_identify_user(krb5_context context,
if (in_creds->client != NULL &&
krb5_princ_type(context, in_creds->client) !=
- KRB5_NT_ENTERPRISE_PRINCIPAL)
+ KRB5_NT_ENTERPRISE_PRINCIPAL)
/* we already know the realm of the user */
return krb5_copy_principal(context, in_creds->client, canon_user);
@@ -420,7 +420,7 @@ verify_s4u2self_reply(krb5_context context,
if (not_newer) {
if (enc_s4u_padata == NULL) {
if (rep_s4u_user->user_id.options &
- KRB5_S4U_OPTS_USE_REPLY_KEY_USAGE) {
+ KRB5_S4U_OPTS_USE_REPLY_KEY_USAGE) {
code = KRB5_KDCREP_MODIFIED;
goto cleanup;
}
diff --git a/src/lib/krb5/krb/send_tgs.c b/src/lib/krb5/krb/send_tgs.c
index eee47ed570..398855009d 100644
--- a/src/lib/krb5/krb/send_tgs.c
+++ b/src/lib/krb5/krb/send_tgs.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/send_tgs.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_send_tgs()
*/
@@ -30,27 +31,27 @@
#include "k5-int.h"
/*
-Constructs a TGS request
- options is used for the options in the KRB_TGS_REQ.
- timestruct values are used for from, till, rtime " " "
- enctype is used for enctype " " ", and to encrypt the authorization data,
- sname is used for sname " " "
- addrs, if non-NULL, is used for addresses " " "
- authorization_dat, if non-NULL, is used for authorization_dat " " "
- second_ticket, if required by options, is used for the 2nd ticket in the req.
- in_cred is used for the ticket & session key in the KRB_AP_REQ header " " "
- (the KDC realm is extracted from in_cred->server's realm)
-
- The response is placed into *rep.
- rep->response.data is set to point at allocated storage which should be
- freed by the caller when finished.
-
- returns system errors
- */
-static krb5_error_code
+ Constructs a TGS request
+ options is used for the options in the KRB_TGS_REQ.
+ timestruct values are used for from, till, rtime " " "
+ enctype is used for enctype " " ", and to encrypt the authorization data,
+ sname is used for sname " " "
+ addrs, if non-NULL, is used for addresses " " "
+ authorization_dat, if non-NULL, is used for authorization_dat " " "
+ second_ticket, if required by options, is used for the 2nd ticket in the req.
+ in_cred is used for the ticket & session key in the KRB_AP_REQ header " " "
+ (the KDC realm is extracted from in_cred->server's realm)
+
+ The response is placed into *rep.
+ rep->response.data is set to point at allocated storage which should be
+ freed by the caller when finished.
+
+ returns system errors
+*/
+static krb5_error_code
tgs_construct_tgsreq(krb5_context context, krb5_data *in_data,
- krb5_creds *in_cred, krb5_data *outbuf, krb5_keyblock *subkey)
-{
+ krb5_creds *in_cred, krb5_data *outbuf, krb5_keyblock *subkey)
+{
krb5_cksumtype cksumtype;
krb5_error_code retval;
krb5_checksum checksum;
@@ -70,19 +71,19 @@ tgs_construct_tgsreq(krb5_context context, krb5_data *in_data,
case ENCTYPE_DES_CBC_MD5:
case ENCTYPE_ARCFOUR_HMAC:
case ENCTYPE_ARCFOUR_HMAC_EXP:
- cksumtype = context->kdc_req_sumtype;
- break;
+ cksumtype = context->kdc_req_sumtype;
+ break;
default:
- retval = krb5int_c_mandatory_cksumtype(context, in_cred->keyblock.enctype, &cksumtype);
- if (retval)
- goto cleanup;
+ retval = krb5int_c_mandatory_cksumtype(context, in_cred->keyblock.enctype, &cksumtype);
+ if (retval)
+ goto cleanup;
}
/* Generate checksum */
if ((retval = krb5_c_make_checksum(context, cksumtype,
- &in_cred->keyblock,
- KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM,
- in_data, &checksum))) {
+ &in_cred->keyblock,
+ KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM,
+ in_data, &checksum))) {
free(checksum.contents);
goto cleanup;
}
@@ -94,7 +95,7 @@ tgs_construct_tgsreq(krb5_context context, krb5_data *in_data,
authent.client = in_cred->client;
authent.authorization_data = in_cred->authdata;
if ((retval = krb5_us_timeofday(context, &authent.ctime,
- &authent.cusec)))
+ &authent.cusec)))
goto cleanup;
@@ -110,10 +111,10 @@ tgs_construct_tgsreq(krb5_context context, krb5_data *in_data,
/* Cleanup scratch and scratch data */
goto cleanup;
- /* call the encryption routine */
+ /* call the encryption routine */
if ((retval = krb5_encrypt_helper(context, &in_cred->keyblock,
- KRB5_KEYUSAGE_TGS_REQ_AUTH,
- scratch, &request.authenticator)))
+ KRB5_KEYUSAGE_TGS_REQ_AUTH,
+ scratch, &request.authenticator)))
goto cleanup;
if (!(retval = encode_krb5_ap_req(&request, &toutbuf))) {
@@ -132,7 +133,7 @@ cleanup:
if (request.ticket)
krb5_free_ticket(context, request.ticket);
- if (scratch != NULL && scratch->data != NULL) {
+ if (scratch != NULL && scratch->data != NULL) {
zap(scratch->data, scratch->length);
free(scratch->data);
}
@@ -148,17 +149,17 @@ cleanup:
*/
krb5_error_code
krb5int_send_tgs(krb5_context context, krb5_flags kdcoptions,
- const krb5_ticket_times *timestruct, const krb5_enctype *ktypes,
- krb5_const_principal sname, krb5_address *const *addrs,
- krb5_authdata *const *authorization_data,
- krb5_pa_data *const *padata, const krb5_data *second_ticket,
- krb5_creds *in_cred,
- krb5_error_code (*pacb_fct)(krb5_context,
- krb5_keyblock *,
- krb5_kdc_req *,
- void *),
- void *pacb_data,
- krb5_response *rep, krb5_keyblock **subkey)
+ const krb5_ticket_times *timestruct, const krb5_enctype *ktypes,
+ krb5_const_principal sname, krb5_address *const *addrs,
+ krb5_authdata *const *authorization_data,
+ krb5_pa_data *const *padata, const krb5_data *second_ticket,
+ krb5_creds *in_cred,
+ krb5_error_code (*pacb_fct)(krb5_context,
+ krb5_keyblock *,
+ krb5_kdc_req *,
+ void *),
+ void *pacb_data,
+ krb5_response *rep, krb5_keyblock **subkey)
{
krb5_error_code retval;
krb5_kdc_req tgsreq;
@@ -174,7 +175,7 @@ krb5int_send_tgs(krb5_context context, krb5_flags kdcoptions,
assert (subkey != NULL);
*subkey = NULL;
- /*
+ /*
* in_creds MUST be a valid credential NOT just a partially filled in
* place holder for us to get credentials for the caller.
*/
@@ -196,31 +197,31 @@ krb5int_send_tgs(krb5_context context, krb5_flags kdcoptions,
rep->expected_nonce = tgsreq.nonce = (krb5_int32) time_now;
rep->request_time = time_now;
rep->message_type = KRB5_ERROR; /*caller only uses the response
- * element on successful return*/
+ * element on successful return*/
tgsreq.addresses = (krb5_address **) addrs;
/* Generate subkey*/
if ((retval = krb5_generate_subkey( context, &in_cred->keyblock,
- &local_subkey)) != 0)
+ &local_subkey)) != 0)
return retval;
if (authorization_data) {
- /* need to encrypt it in the request */
+ /* need to encrypt it in the request */
- if ((retval = encode_krb5_authdata(authorization_data, &scratch)))
- goto send_tgs_error_1;
+ if ((retval = encode_krb5_authdata(authorization_data, &scratch)))
+ goto send_tgs_error_1;
- if ((retval = krb5_encrypt_helper(context, local_subkey,
- KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY,
- scratch,
- &tgsreq.authorization_data))) {
- free(tgsreq.authorization_data.ciphertext.data);
- krb5_free_data(context, scratch);
- goto send_tgs_error_1;
- }
+ if ((retval = krb5_encrypt_helper(context, local_subkey,
+ KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY,
+ scratch,
+ &tgsreq.authorization_data))) {
+ free(tgsreq.authorization_data.ciphertext.data);
+ krb5_free_data(context, scratch);
+ goto send_tgs_error_1;
+ }
- krb5_free_data(context, scratch);
+ krb5_free_data(context, scratch);
}
/* Get the encryption types list */
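Review bot: The error branch of the `krb5_encrypt_helper` call frees `tgsreq.authorization_data.ciphertext.data` and then jumps to `send_tgs_error_1` without clearing the pointer, while the cleanup under that label (visible in a later hunk of this file) frees the same field again whenever it is non-NULL. If the pointer is still non-NULL when the helper fails, that is a double free, preceded by a `memset` over freed memory. Either drop the local `free` and leave the release to the label, or add `tgsreq.authorization_data.ciphertext.data = NULL;` directly after it. The body of krb5int_send_tgs starts and ends outside this hunk, so how `tgsreq` is initialised cannot be checked from here.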
@@ -255,7 +256,7 @@ krb5int_send_tgs(krb5_context context, krb5_flags kdcoptions,
/*
* Get an ap_req.
*/
- if ((retval = tgs_construct_tgsreq(context, scratch, in_cred,
+ if ((retval = tgs_construct_tgsreq(context, scratch, in_cred,
&scratch2, local_subkey))) {
krb5_free_data(context, scratch);
goto send_tgs_error_2;
@@ -332,41 +333,41 @@ krb5int_send_tgs(krb5_context context, krb5_flags kdcoptions,
send_again:
use_master = 0;
- retval = krb5_sendto_kdc(context, scratch,
- krb5_princ_realm(context, sname),
- &rep->response, &use_master, tcp_only);
+ retval = krb5_sendto_kdc(context, scratch,
+ krb5_princ_realm(context, sname),
+ &rep->response, &use_master, tcp_only);
if (retval == 0) {
if (krb5_is_krb_error(&rep->response)) {
if (!tcp_only) {
krb5_error *err_reply;
retval = decode_krb5_error(&rep->response, &err_reply);
- if (retval)
- goto send_tgs_error_3;
- if (err_reply->error == KRB_ERR_RESPONSE_TOO_BIG) {
- tcp_only = 1;
+ if (retval)
+ goto send_tgs_error_3;
+ if (err_reply->error == KRB_ERR_RESPONSE_TOO_BIG) {
+ tcp_only = 1;
+ krb5_free_error(context, err_reply);
+ free(rep->response.data);
+ rep->response.data = NULL;
+ goto send_again;
+ }
krb5_free_error(context, err_reply);
- free(rep->response.data);
- rep->response.data = NULL;
- goto send_again;
- }
- krb5_free_error(context, err_reply);
send_tgs_error_3:
;
- }
- rep->message_type = KRB5_ERROR;
- } else if (krb5_is_tgs_rep(&rep->response)) {
- rep->message_type = KRB5_TGS_REP;
- *subkey = local_subkey;
- } else /* XXX: assume it's an error */
- rep->message_type = KRB5_ERROR;
+ }
+ rep->message_type = KRB5_ERROR;
+ } else if (krb5_is_tgs_rep(&rep->response)) {
+ rep->message_type = KRB5_TGS_REP;
+ *subkey = local_subkey;
+ } else /* XXX: assume it's an error */
+ rep->message_type = KRB5_ERROR;
}
krb5_free_data(context, scratch);
-
+
send_tgs_error_2:;
if (tgsreq.padata)
krb5_free_pa_data(context, tgsreq.padata);
- if (sec_ticket)
+ if (sec_ticket)
krb5_free_ticket(context, sec_ticket);
send_tgs_error_1:;
@@ -374,13 +375,12 @@ send_tgs_error_1:;
free(tgsreq.ktype);
if (tgsreq.authorization_data.ciphertext.data) {
memset(tgsreq.authorization_data.ciphertext.data, 0,
- tgsreq.authorization_data.ciphertext.length);
+ tgsreq.authorization_data.ciphertext.length);
free(tgsreq.authorization_data.ciphertext.data);
}
if (rep->message_type != KRB5_TGS_REP && local_subkey){
krb5_free_keyblock(context, *subkey);
- }
+ }
return retval;
}
-
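Review bot: The last cleanup step tests `local_subkey` but frees `*subkey`. In the visible hunks `*subkey` is set to NULL on entry and is assigned `local_subkey` only on the `KRB5_TGS_REP` branch, so on every other path this call appears to free NULL, and the generated subkey is leaked with its key bytes left in memory. The call should be `krb5_free_keyblock(context, local_subkey);`. The function starts outside this hunk, so any other assignment to `*subkey` would need to be checked there.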
diff --git a/src/lib/krb5/krb/sendauth.c b/src/lib/krb5/krb/sendauth.c
index 67b9adde06..30b72b9375 100644
--- a/src/lib/krb5/krb/sendauth.c
+++ b/src/lib/krb5/krb/sendauth.c
@@ -1,4 +1,4 @@
-/* -*- mode: c; indent-tabs-mode: nil -*- */
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/sendauth.c
*
diff --git a/src/lib/krb5/krb/ser_actx.c b/src/lib/krb5/krb/ser_actx.c
index 65b7e27291..ccd1e2df71 100644
--- a/src/lib/krb5/krb/ser_actx.c
+++ b/src/lib/krb5/krb/ser_actx.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/ser_actx.c
*
@@ -32,26 +33,26 @@
#include "int-proto.h"
#include "auth_con.h"
-#define TOKEN_RADDR 950916
-#define TOKEN_RPORT 950917
-#define TOKEN_LADDR 950918
-#define TOKEN_LPORT 950919
-#define TOKEN_KEYBLOCK 950920
-#define TOKEN_LSKBLOCK 950921
-#define TOKEN_RSKBLOCK 950922
+#define TOKEN_RADDR 950916
+#define TOKEN_RPORT 950917
+#define TOKEN_LADDR 950918
+#define TOKEN_LPORT 950919
+#define TOKEN_KEYBLOCK 950920
+#define TOKEN_LSKBLOCK 950921
+#define TOKEN_RSKBLOCK 950922
/*
* Routines to deal with externalizing the krb5_auth_context:
- * krb5_auth_context_size();
- * krb5_auth_context_externalize();
- * krb5_auth_context_internalize();
+ * krb5_auth_context_size();
+ * krb5_auth_context_externalize();
+ * krb5_auth_context_internalize();
*/
static krb5_error_code krb5_auth_context_size
- (krb5_context, krb5_pointer, size_t *);
+(krb5_context, krb5_pointer, size_t *);
static krb5_error_code krb5_auth_context_externalize
- (krb5_context, krb5_pointer, krb5_octet **, size_t *);
+(krb5_context, krb5_pointer, krb5_octet **, size_t *);
static krb5_error_code krb5_auth_context_internalize
- (krb5_context,krb5_pointer *, krb5_octet **, size_t *);
+(krb5_context,krb5_pointer *, krb5_octet **, size_t *);
/*
* Other metadata serialization initializers.
@@ -59,289 +60,289 @@ static krb5_error_code krb5_auth_context_internalize
/* Local data */
static const krb5_ser_entry krb5_auth_context_ser_entry = {
- KV5M_AUTH_CONTEXT, /* Type */
- krb5_auth_context_size, /* Sizer routine */
- krb5_auth_context_externalize, /* Externalize routine */
- krb5_auth_context_internalize /* Internalize routine */
+ KV5M_AUTH_CONTEXT, /* Type */
+ krb5_auth_context_size, /* Sizer routine */
+ krb5_auth_context_externalize, /* Externalize routine */
+ krb5_auth_context_internalize /* Internalize routine */
};
/*
- * krb5_auth_context_size() - Determine the size required to externalize
- * the krb5_auth_context.
+ * krb5_auth_context_size() - Determine the size required to externalize
+ * the krb5_auth_context.
*/
static krb5_error_code
krb5_auth_context_size(krb5_context kcontext, krb5_pointer arg, size_t *sizep)
{
- krb5_error_code kret;
- krb5_auth_context auth_context;
- size_t required;
- krb5_enctype enctype;
+ krb5_error_code kret;
+ krb5_auth_context auth_context;
+ size_t required;
+ krb5_enctype enctype;
/*
* krb5_auth_context requires at minimum:
- * krb5_int32 for KV5M_AUTH_CONTEXT
- * krb5_int32 for auth_context_flags
- * krb5_int32 for remote_seq_number
- * krb5_int32 for local_seq_number
- * krb5_int32 for req_cksumtype
- * krb5_int32 for safe_cksumtype
- * krb5_int32 for size of i_vector
- * krb5_int32 for KV5M_AUTH_CONTEXT
+ * krb5_int32 for KV5M_AUTH_CONTEXT
+ * krb5_int32 for auth_context_flags
+ * krb5_int32 for remote_seq_number
+ * krb5_int32 for local_seq_number
+ * krb5_int32 for req_cksumtype
+ * krb5_int32 for safe_cksumtype
+ * krb5_int32 for size of i_vector
+ * krb5_int32 for KV5M_AUTH_CONTEXT
*/
kret = EINVAL;
if ((auth_context = (krb5_auth_context) arg)) {
- kret = 0;
-
- /* Calculate size required by i_vector - ptooey */
- if (auth_context->i_vector && auth_context->key) {
- enctype = krb5_k_key_enctype(kcontext, auth_context->key);
- kret = krb5_c_block_size(kcontext, enctype, &required);
- } else {
- required = 0;
- }
-
- required += sizeof(krb5_int32)*8;
-
- /* Calculate size required by remote_addr, if appropriate */
- if (!kret && auth_context->remote_addr) {
- kret = krb5_size_opaque(kcontext,
- KV5M_ADDRESS,
- (krb5_pointer) auth_context->remote_addr,
- &required);
- if (!kret)
- required += sizeof(krb5_int32);
- }
-
- /* Calculate size required by remote_port, if appropriate */
- if (!kret && auth_context->remote_port) {
- kret = krb5_size_opaque(kcontext,
- KV5M_ADDRESS,
- (krb5_pointer) auth_context->remote_port,
- &required);
- if (!kret)
- required += sizeof(krb5_int32);
- }
-
- /* Calculate size required by local_addr, if appropriate */
- if (!kret && auth_context->local_addr) {
- kret = krb5_size_opaque(kcontext,
- KV5M_ADDRESS,
- (krb5_pointer) auth_context->local_addr,
- &required);
- if (!kret)
- required += sizeof(krb5_int32);
- }
-
- /* Calculate size required by local_port, if appropriate */
- if (!kret && auth_context->local_port) {
- kret = krb5_size_opaque(kcontext,
- KV5M_ADDRESS,
- (krb5_pointer) auth_context->local_port,
- &required);
- if (!kret)
- required += sizeof(krb5_int32);
- }
-
- /* Calculate size required by key, if appropriate */
- if (!kret && auth_context->key) {
- kret = krb5_size_opaque(kcontext,
- KV5M_KEYBLOCK, (krb5_pointer)
- &auth_context->key->keyblock,
- &required);
- if (!kret)
- required += sizeof(krb5_int32);
- }
-
- /* Calculate size required by send_subkey, if appropriate */
- if (!kret && auth_context->send_subkey) {
- kret = krb5_size_opaque(kcontext,
- KV5M_KEYBLOCK, (krb5_pointer)
- &auth_context->send_subkey->keyblock,
- &required);
- if (!kret)
- required += sizeof(krb5_int32);
- }
-
- /* Calculate size required by recv_subkey, if appropriate */
- if (!kret && auth_context->recv_subkey) {
- kret = krb5_size_opaque(kcontext,
- KV5M_KEYBLOCK, (krb5_pointer)
- &auth_context->recv_subkey->keyblock,
- &required);
- if (!kret)
- required += sizeof(krb5_int32);
- }
-
- /* Calculate size required by authentp, if appropriate */
- if (!kret && auth_context->authentp)
- kret = krb5_size_opaque(kcontext,
- KV5M_AUTHENTICATOR,
- (krb5_pointer) auth_context->authentp,
- &required);
+ kret = 0;
+
+ /* Calculate size required by i_vector - ptooey */
+ if (auth_context->i_vector && auth_context->key) {
+ enctype = krb5_k_key_enctype(kcontext, auth_context->key);
+ kret = krb5_c_block_size(kcontext, enctype, &required);
+ } else {
+ required = 0;
+ }
+
+ required += sizeof(krb5_int32)*8;
+
+ /* Calculate size required by remote_addr, if appropriate */
+ if (!kret && auth_context->remote_addr) {
+ kret = krb5_size_opaque(kcontext,
+ KV5M_ADDRESS,
+ (krb5_pointer) auth_context->remote_addr,
+ &required);
+ if (!kret)
+ required += sizeof(krb5_int32);
+ }
+
+ /* Calculate size required by remote_port, if appropriate */
+ if (!kret && auth_context->remote_port) {
+ kret = krb5_size_opaque(kcontext,
+ KV5M_ADDRESS,
+ (krb5_pointer) auth_context->remote_port,
+ &required);
+ if (!kret)
+ required += sizeof(krb5_int32);
+ }
+
+ /* Calculate size required by local_addr, if appropriate */
+ if (!kret && auth_context->local_addr) {
+ kret = krb5_size_opaque(kcontext,
+ KV5M_ADDRESS,
+ (krb5_pointer) auth_context->local_addr,
+ &required);
+ if (!kret)
+ required += sizeof(krb5_int32);
+ }
+
+ /* Calculate size required by local_port, if appropriate */
+ if (!kret && auth_context->local_port) {
+ kret = krb5_size_opaque(kcontext,
+ KV5M_ADDRESS,
+ (krb5_pointer) auth_context->local_port,
+ &required);
+ if (!kret)
+ required += sizeof(krb5_int32);
+ }
+
+ /* Calculate size required by key, if appropriate */
+ if (!kret && auth_context->key) {
+ kret = krb5_size_opaque(kcontext,
+ KV5M_KEYBLOCK, (krb5_pointer)
+ &auth_context->key->keyblock,
+ &required);
+ if (!kret)
+ required += sizeof(krb5_int32);
+ }
+
+ /* Calculate size required by send_subkey, if appropriate */
+ if (!kret && auth_context->send_subkey) {
+ kret = krb5_size_opaque(kcontext,
+ KV5M_KEYBLOCK, (krb5_pointer)
+ &auth_context->send_subkey->keyblock,
+ &required);
+ if (!kret)
+ required += sizeof(krb5_int32);
+ }
+
+ /* Calculate size required by recv_subkey, if appropriate */
+ if (!kret && auth_context->recv_subkey) {
+ kret = krb5_size_opaque(kcontext,
+ KV5M_KEYBLOCK, (krb5_pointer)
+ &auth_context->recv_subkey->keyblock,
+ &required);
+ if (!kret)
+ required += sizeof(krb5_int32);
+ }
+
+ /* Calculate size required by authentp, if appropriate */
+ if (!kret && auth_context->authentp)
+ kret = krb5_size_opaque(kcontext,
+ KV5M_AUTHENTICATOR,
+ (krb5_pointer) auth_context->authentp,
+ &required);
}
if (!kret)
- *sizep += required;
+ *sizep += required;
return(kret);
}
/*
- * krb5_auth_context_externalize() - Externalize the krb5_auth_context.
+ * krb5_auth_context_externalize() - Externalize the krb5_auth_context.
*/
static krb5_error_code
krb5_auth_context_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet **buffer, size_t *lenremain)
{
- krb5_error_code kret;
- krb5_auth_context auth_context;
- size_t required;
- krb5_octet *bp;
- size_t remain;
+ krb5_error_code kret;
+ krb5_auth_context auth_context;
+ size_t required;
+ krb5_octet *bp;
+ size_t remain;
size_t obuf;
- krb5_int32 obuf32;
- krb5_enctype enctype;
+ krb5_int32 obuf32;
+ krb5_enctype enctype;
required = 0;
bp = *buffer;
remain = *lenremain;
kret = EINVAL;
if ((auth_context = (krb5_auth_context) arg)) {
- kret = ENOMEM;
- if (!krb5_auth_context_size(kcontext, arg, &required) &&
- (required <= remain)) {
-
- /* Write fixed portion */
- (void) krb5_ser_pack_int32(KV5M_AUTH_CONTEXT, &bp, &remain);
- (void) krb5_ser_pack_int32(auth_context->auth_context_flags,
- &bp, &remain);
- (void) krb5_ser_pack_int32(auth_context->remote_seq_number,
- &bp, &remain);
- (void) krb5_ser_pack_int32(auth_context->local_seq_number,
- &bp, &remain);
- (void) krb5_ser_pack_int32((krb5_int32) auth_context->req_cksumtype,
- &bp, &remain);
- (void) krb5_ser_pack_int32((krb5_int32) auth_context->safe_cksumtype,
- &bp, &remain);
-
- kret = 0;
-
- /* Now figure out the number of bytes for i_vector and write it */
- if (auth_context->i_vector) {
- enctype = krb5_k_key_enctype(kcontext, auth_context->key);
- kret = krb5_c_block_size(kcontext, enctype, &obuf);
- } else {
- obuf = 0;
- }
-
- /* Convert to signed 32 bit integer */
- obuf32 = obuf;
- if (kret == 0 && obuf != obuf32)
- kret = EINVAL;
- if (!kret)
- (void) krb5_ser_pack_int32(obuf32, &bp, &remain);
-
- /* Now copy i_vector */
- if (!kret && auth_context->i_vector)
- (void) krb5_ser_pack_bytes(auth_context->i_vector,
- obuf,
- &bp, &remain);
-
- /* Now handle remote_addr, if appropriate */
- if (!kret && auth_context->remote_addr) {
- (void) krb5_ser_pack_int32(TOKEN_RADDR, &bp, &remain);
- kret = krb5_externalize_opaque(kcontext,
- KV5M_ADDRESS,
- (krb5_pointer)
- auth_context->remote_addr,
- &bp,
- &remain);
- }
-
- /* Now handle remote_port, if appropriate */
- if (!kret && auth_context->remote_port) {
- (void) krb5_ser_pack_int32(TOKEN_RPORT, &bp, &remain);
- kret = krb5_externalize_opaque(kcontext,
- KV5M_ADDRESS,
- (krb5_pointer)
- auth_context->remote_addr,
- &bp,
- &remain);
- }
-
- /* Now handle local_addr, if appropriate */
- if (!kret && auth_context->local_addr) {
- (void) krb5_ser_pack_int32(TOKEN_LADDR, &bp, &remain);
- kret = krb5_externalize_opaque(kcontext,
- KV5M_ADDRESS,
- (krb5_pointer)
- auth_context->local_addr,
- &bp,
- &remain);
- }
-
- /* Now handle local_port, if appropriate */
- if (!kret && auth_context->local_port) {
- (void) krb5_ser_pack_int32(TOKEN_LPORT, &bp, &remain);
- kret = krb5_externalize_opaque(kcontext,
- KV5M_ADDRESS,
- (krb5_pointer)
- auth_context->local_addr,
- &bp,
- &remain);
- }
-
- /* Now handle keyblock, if appropriate */
- if (!kret && auth_context->key) {
- (void) krb5_ser_pack_int32(TOKEN_KEYBLOCK, &bp, &remain);
- kret = krb5_externalize_opaque(kcontext,
- KV5M_KEYBLOCK,
- (krb5_pointer)
- &auth_context->key->keyblock,
- &bp,
- &remain);
- }
-
- /* Now handle subkey, if appropriate */
- if (!kret && auth_context->send_subkey) {
- (void) krb5_ser_pack_int32(TOKEN_LSKBLOCK, &bp, &remain);
- kret = krb5_externalize_opaque(kcontext,
- KV5M_KEYBLOCK,
- (krb5_pointer) &auth_context->
- send_subkey->keyblock,
- &bp,
- &remain);
- }
-
- /* Now handle subkey, if appropriate */
- if (!kret && auth_context->recv_subkey) {
- (void) krb5_ser_pack_int32(TOKEN_RSKBLOCK, &bp, &remain);
- kret = krb5_externalize_opaque(kcontext,
- KV5M_KEYBLOCK,
- (krb5_pointer) &auth_context->
- recv_subkey->keyblock,
- &bp,
- &remain);
- }
-
- /* Now handle authentp, if appropriate */
- if (!kret && auth_context->authentp)
- kret = krb5_externalize_opaque(kcontext,
- KV5M_AUTHENTICATOR,
- (krb5_pointer)
- auth_context->authentp,
- &bp,
- &remain);
-
- /*
- * If we were successful, write trailer then update the pointer and
- * remaining length;
- */
- if (!kret) {
- /* Write our trailer */
- (void) krb5_ser_pack_int32(KV5M_AUTH_CONTEXT, &bp, &remain);
- *buffer = bp;
- *lenremain = remain;
- }
- }
+ kret = ENOMEM;
+ if (!krb5_auth_context_size(kcontext, arg, &required) &&
+ (required <= remain)) {
+
+ /* Write fixed portion */
+ (void) krb5_ser_pack_int32(KV5M_AUTH_CONTEXT, &bp, &remain);
+ (void) krb5_ser_pack_int32(auth_context->auth_context_flags,
+ &bp, &remain);
+ (void) krb5_ser_pack_int32(auth_context->remote_seq_number,
+ &bp, &remain);
+ (void) krb5_ser_pack_int32(auth_context->local_seq_number,
+ &bp, &remain);
+ (void) krb5_ser_pack_int32((krb5_int32) auth_context->req_cksumtype,
+ &bp, &remain);
+ (void) krb5_ser_pack_int32((krb5_int32) auth_context->safe_cksumtype,
+ &bp, &remain);
+
+ kret = 0;
+
+ /* Now figure out the number of bytes for i_vector and write it */
+ if (auth_context->i_vector) {
+ enctype = krb5_k_key_enctype(kcontext, auth_context->key);
+ kret = krb5_c_block_size(kcontext, enctype, &obuf);
+ } else {
+ obuf = 0;
+ }
+
+ /* Convert to signed 32 bit integer */
+ obuf32 = obuf;
+ if (kret == 0 && obuf != obuf32)
+ kret = EINVAL;
+ if (!kret)
+ (void) krb5_ser_pack_int32(obuf32, &bp, &remain);
+
+ /* Now copy i_vector */
+ if (!kret && auth_context->i_vector)
+ (void) krb5_ser_pack_bytes(auth_context->i_vector,
+ obuf,
+ &bp, &remain);
+
+ /* Now handle remote_addr, if appropriate */
+ if (!kret && auth_context->remote_addr) {
+ (void) krb5_ser_pack_int32(TOKEN_RADDR, &bp, &remain);
+ kret = krb5_externalize_opaque(kcontext,
+ KV5M_ADDRESS,
+ (krb5_pointer)
+ auth_context->remote_addr,
+ &bp,
+ &remain);
+ }
+
+ /* Now handle remote_port, if appropriate */
+ if (!kret && auth_context->remote_port) {
+ (void) krb5_ser_pack_int32(TOKEN_RPORT, &bp, &remain);
+ kret = krb5_externalize_opaque(kcontext,
+ KV5M_ADDRESS,
+ (krb5_pointer)
+ auth_context->remote_addr,
+ &bp,
+ &remain);
+ }
+
+ /* Now handle local_addr, if appropriate */
+ if (!kret && auth_context->local_addr) {
+ (void) krb5_ser_pack_int32(TOKEN_LADDR, &bp, &remain);
+ kret = krb5_externalize_opaque(kcontext,
+ KV5M_ADDRESS,
+ (krb5_pointer)
+ auth_context->local_addr,
+ &bp,
+ &remain);
+ }
+
+ /* Now handle local_port, if appropriate */
+ if (!kret && auth_context->local_port) {
+ (void) krb5_ser_pack_int32(TOKEN_LPORT, &bp, &remain);
+ kret = krb5_externalize_opaque(kcontext,
+ KV5M_ADDRESS,
+ (krb5_pointer)
+ auth_context->local_addr,
+ &bp,
+ &remain);
+ }
+
+ /* Now handle keyblock, if appropriate */
+ if (!kret && auth_context->key) {
+ (void) krb5_ser_pack_int32(TOKEN_KEYBLOCK, &bp, &remain);
+ kret = krb5_externalize_opaque(kcontext,
+ KV5M_KEYBLOCK,
+ (krb5_pointer)
+ &auth_context->key->keyblock,
+ &bp,
+ &remain);
+ }
+
+ /* Now handle subkey, if appropriate */
+ if (!kret && auth_context->send_subkey) {
+ (void) krb5_ser_pack_int32(TOKEN_LSKBLOCK, &bp, &remain);
+ kret = krb5_externalize_opaque(kcontext,
+ KV5M_KEYBLOCK,
+ (krb5_pointer) &auth_context->
+ send_subkey->keyblock,
+ &bp,
+ &remain);
+ }
+
+ /* Now handle subkey, if appropriate */
+ if (!kret && auth_context->recv_subkey) {
+ (void) krb5_ser_pack_int32(TOKEN_RSKBLOCK, &bp, &remain);
+ kret = krb5_externalize_opaque(kcontext,
+ KV5M_KEYBLOCK,
+ (krb5_pointer) &auth_context->
+ recv_subkey->keyblock,
+ &bp,
+ &remain);
+ }
+
+ /* Now handle authentp, if appropriate */
+ if (!kret && auth_context->authentp)
+ kret = krb5_externalize_opaque(kcontext,
+ KV5M_AUTHENTICATOR,
+ (krb5_pointer)
+ auth_context->authentp,
+ &bp,
+ &remain);
+
+ /*
+ * If we were successful, write trailer then update the pointer and
+ * remaining length;
+ */
+ if (!kret) {
+ /* Write our trailer */
+ (void) krb5_ser_pack_int32(KV5M_AUTH_CONTEXT, &bp, &remain);
+ *buffer = bp;
+ *lenremain = remain;
+ }
+ }
}
return(kret);
}
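Review bot: In krb5_auth_context_externalize the `remote_port` branch passes `auth_context->remote_addr` to `krb5_externalize_opaque`, and the `local_port` branch passes `auth_context->local_addr`, so the ports are never written and each address is emitted twice under the `TOKEN_RPORT`/`TOKEN_LPORT` tags. krb5_auth_context_size in the same hunk sizes those fields from `remote_port` and `local_port`, so the `required <= remain` check no longer describes what is actually written. The arguments should read `auth_context->remote_port,` and `auth_context->local_port,`. The i_vector branch also calls `krb5_k_key_enctype` on `auth_context->key` without the `&& auth_context->key` test the sizer applies, which may dereference a NULL key when an i_vector is set without one.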
@@ -354,195 +355,195 @@ intern_key(krb5_context ctx, krb5_key *key, krb5_octet **bp, size_t *sp)
krb5_error_code ret;
ret = krb5_internalize_opaque(ctx, KV5M_KEYBLOCK,
- (krb5_pointer *) &keyblock, bp, sp);
+ (krb5_pointer *) &keyblock, bp, sp);
if (ret != 0)
- return ret;
+ return ret;
ret = krb5_k_create_key(ctx, keyblock, key);
krb5_free_keyblock(ctx, keyblock);
return ret;
}
/*
- * krb5_auth_context_internalize() - Internalize the krb5_auth_context.
+ * krb5_auth_context_internalize() - Internalize the krb5_auth_context.
*/
static krb5_error_code
krb5_auth_context_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet **buffer, size_t *lenremain)
{
- krb5_error_code kret;
- krb5_auth_context auth_context;
- krb5_int32 ibuf;
- krb5_octet *bp;
- size_t remain;
- krb5_int32 ivlen;
- krb5_int32 tag;
+ krb5_error_code kret;
+ krb5_auth_context auth_context;
+ krb5_int32 ibuf;
+ krb5_octet *bp;
+ size_t remain;
+ krb5_int32 ivlen;
+ krb5_int32 tag;
bp = *buffer;
remain = *lenremain;
kret = EINVAL;
/* Read our magic number */
if (krb5_ser_unpack_int32(&ibuf, &bp, &remain))
- ibuf = 0;
+ ibuf = 0;
if (ibuf == KV5M_AUTH_CONTEXT) {
- kret = ENOMEM;
-
- /* Get memory for the auth_context */
- if ((remain >= (5*sizeof(krb5_int32))) &&
- (auth_context = (krb5_auth_context)
- calloc(1, sizeof(struct _krb5_auth_context)))) {
-
- /* Get auth_context_flags */
- (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- auth_context->auth_context_flags = ibuf;
-
- /* Get remote_seq_number */
- (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- auth_context->remote_seq_number = ibuf;
-
- /* Get local_seq_number */
- (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- auth_context->local_seq_number = ibuf;
-
- /* Get req_cksumtype */
- (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- auth_context->req_cksumtype = (krb5_cksumtype) ibuf;
-
- /* Get safe_cksumtype */
- (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- auth_context->safe_cksumtype = (krb5_cksumtype) ibuf;
-
- /* Get length of i_vector */
- (void) krb5_ser_unpack_int32(&ivlen, &bp, &remain);
-
- if (ivlen) {
- if ((auth_context->i_vector =
- (krb5_pointer) malloc((size_t)ivlen)))
- kret = krb5_ser_unpack_bytes(auth_context->i_vector,
- (size_t) ivlen,
- &bp,
- &remain);
- else
- kret = ENOMEM;
- }
- else
- kret = 0;
-
- /* Peek at next token */
- tag = 0;
- if (!kret)
- kret = krb5_ser_unpack_int32(&tag, &bp, &remain);
-
- /* This is the remote_addr */
- if (!kret && (tag == TOKEN_RADDR)) {
- if (!(kret = krb5_internalize_opaque(kcontext,
- KV5M_ADDRESS,
- (krb5_pointer *)
- &auth_context->
- remote_addr,
- &bp,
- &remain)))
- kret = krb5_ser_unpack_int32(&tag, &bp, &remain);
- }
-
- /* This is the remote_port */
- if (!kret && (tag == TOKEN_RPORT)) {
- if (!(kret = krb5_internalize_opaque(kcontext,
- KV5M_ADDRESS,
- (krb5_pointer *)
- &auth_context->
- remote_port,
- &bp,
- &remain)))
- kret = krb5_ser_unpack_int32(&tag, &bp, &remain);
- }
-
- /* This is the local_addr */
- if (!kret && (tag == TOKEN_LADDR)) {
- if (!(kret = krb5_internalize_opaque(kcontext,
- KV5M_ADDRESS,
- (krb5_pointer *)
- &auth_context->
- local_addr,
- &bp,
- &remain)))
- kret = krb5_ser_unpack_int32(&tag, &bp, &remain);
- }
-
- /* This is the local_port */
- if (!kret && (tag == TOKEN_LPORT)) {
- if (!(kret = krb5_internalize_opaque(kcontext,
- KV5M_ADDRESS,
- (krb5_pointer *)
- &auth_context->
- local_port,
- &bp,
- &remain)))
- kret = krb5_ser_unpack_int32(&tag, &bp, &remain);
- }
-
- /* This is the keyblock */
- if (!kret && (tag == TOKEN_KEYBLOCK)) {
- if (!(kret = intern_key(kcontext,
- &auth_context->key,
- &bp,
- &remain)))
- kret = krb5_ser_unpack_int32(&tag, &bp, &remain);
- }
-
- /* This is the send_subkey */
- if (!kret && (tag == TOKEN_LSKBLOCK)) {
- if (!(kret = intern_key(kcontext,
- &auth_context->send_subkey,
- &bp,
- &remain)))
- kret = krb5_ser_unpack_int32(&tag, &bp, &remain);
- }
-
- /* This is the recv_subkey */
- if (!kret) {
- if (tag == TOKEN_RSKBLOCK) {
- kret = intern_key(kcontext,
- &auth_context->recv_subkey,
- &bp,
- &remain);
- }
- else {
- /*
- * We read the next tag, but it's not of any use here, so
- * we effectively 'unget' it here.
- */
- bp -= sizeof(krb5_int32);
- remain += sizeof(krb5_int32);
- }
- }
-
- /* Now find the authentp */
- if (!kret) {
- if ((kret = krb5_internalize_opaque(kcontext,
- KV5M_AUTHENTICATOR,
- (krb5_pointer *)
- &auth_context->authentp,
- &bp,
- &remain))) {
- if (kret == EINVAL)
- kret = 0;
- }
- }
-
- /* Finally, find the trailer */
- if (!kret) {
- kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- if (!kret && (ibuf != KV5M_AUTH_CONTEXT))
- kret = EINVAL;
- }
- if (!kret) {
- *buffer = bp;
- *lenremain = remain;
- auth_context->magic = KV5M_AUTH_CONTEXT;
- *argp = (krb5_pointer) auth_context;
- }
- else
- krb5_auth_con_free(kcontext, auth_context);
- }
+ kret = ENOMEM;
+
+ /* Get memory for the auth_context */
+ if ((remain >= (5*sizeof(krb5_int32))) &&
+ (auth_context = (krb5_auth_context)
+ calloc(1, sizeof(struct _krb5_auth_context)))) {
+
+ /* Get auth_context_flags */
+ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ auth_context->auth_context_flags = ibuf;
+
+ /* Get remote_seq_number */
+ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ auth_context->remote_seq_number = ibuf;
+
+ /* Get local_seq_number */
+ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ auth_context->local_seq_number = ibuf;
+
+ /* Get req_cksumtype */
+ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ auth_context->req_cksumtype = (krb5_cksumtype) ibuf;
+
+ /* Get safe_cksumtype */
+ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ auth_context->safe_cksumtype = (krb5_cksumtype) ibuf;
+
+ /* Get length of i_vector */
+ (void) krb5_ser_unpack_int32(&ivlen, &bp, &remain);
+
+ if (ivlen) {
+ if ((auth_context->i_vector =
+ (krb5_pointer) malloc((size_t)ivlen)))
+ kret = krb5_ser_unpack_bytes(auth_context->i_vector,
+ (size_t) ivlen,
+ &bp,
+ &remain);
+ else
+ kret = ENOMEM;
+ }
+ else
+ kret = 0;
+
+ /* Peek at next token */
+ tag = 0;
+ if (!kret)
+ kret = krb5_ser_unpack_int32(&tag, &bp, &remain);
+
+ /* This is the remote_addr */
+ if (!kret && (tag == TOKEN_RADDR)) {
+ if (!(kret = krb5_internalize_opaque(kcontext,
+ KV5M_ADDRESS,
+ (krb5_pointer *)
+ &auth_context->
+ remote_addr,
+ &bp,
+ &remain)))
+ kret = krb5_ser_unpack_int32(&tag, &bp, &remain);
+ }
+
+ /* This is the remote_port */
+ if (!kret && (tag == TOKEN_RPORT)) {
+ if (!(kret = krb5_internalize_opaque(kcontext,
+ KV5M_ADDRESS,
+ (krb5_pointer *)
+ &auth_context->
+ remote_port,
+ &bp,
+ &remain)))
+ kret = krb5_ser_unpack_int32(&tag, &bp, &remain);
+ }
+
+ /* This is the local_addr */
+ if (!kret && (tag == TOKEN_LADDR)) {
+ if (!(kret = krb5_internalize_opaque(kcontext,
+ KV5M_ADDRESS,
+ (krb5_pointer *)
+ &auth_context->
+ local_addr,
+ &bp,
+ &remain)))
+ kret = krb5_ser_unpack_int32(&tag, &bp, &remain);
+ }
+
+ /* This is the local_port */
+ if (!kret && (tag == TOKEN_LPORT)) {
+ if (!(kret = krb5_internalize_opaque(kcontext,
+ KV5M_ADDRESS,
+ (krb5_pointer *)
+ &auth_context->
+ local_port,
+ &bp,
+ &remain)))
+ kret = krb5_ser_unpack_int32(&tag, &bp, &remain);
+ }
+
+ /* This is the keyblock */
+ if (!kret && (tag == TOKEN_KEYBLOCK)) {
+ if (!(kret = intern_key(kcontext,
+ &auth_context->key,
+ &bp,
+ &remain)))
+ kret = krb5_ser_unpack_int32(&tag, &bp, &remain);
+ }
+
+ /* This is the send_subkey */
+ if (!kret && (tag == TOKEN_LSKBLOCK)) {
+ if (!(kret = intern_key(kcontext,
+ &auth_context->send_subkey,
+ &bp,
+ &remain)))
+ kret = krb5_ser_unpack_int32(&tag, &bp, &remain);
+ }
+
+ /* This is the recv_subkey */
+ if (!kret) {
+ if (tag == TOKEN_RSKBLOCK) {
+ kret = intern_key(kcontext,
+ &auth_context->recv_subkey,
+ &bp,
+ &remain);
+ }
+ else {
+ /*
+ * We read the next tag, but it's not of any use here, so
+ * we effectively 'unget' it here.
+ */
+ bp -= sizeof(krb5_int32);
+ remain += sizeof(krb5_int32);
+ }
+ }
+
+ /* Now find the authentp */
+ if (!kret) {
+ if ((kret = krb5_internalize_opaque(kcontext,
+ KV5M_AUTHENTICATOR,
+ (krb5_pointer *)
+ &auth_context->authentp,
+ &bp,
+ &remain))) {
+ if (kret == EINVAL)
+ kret = 0;
+ }
+ }
+
+ /* Finally, find the trailer */
+ if (!kret) {
+ kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ if (!kret && (ibuf != KV5M_AUTH_CONTEXT))
+ kret = EINVAL;
+ }
+ if (!kret) {
+ *buffer = bp;
+ *lenremain = remain;
+ auth_context->magic = KV5M_AUTH_CONTEXT;
+ *argp = (krb5_pointer) auth_context;
+ }
+ else
+ krb5_auth_con_free(kcontext, auth_context);
+ }
}
return(kret);
}
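Review bot: krb5_auth_context_internalize takes `ivlen` from the serialized buffer and passes it to `malloc((size_t)ivlen)` with no range check, so a negative value becomes a very large allocation request. The guard before the fixed fields requires only `5*sizeof(krb5_int32)`, although six words are unpacked with their results cast to void, so with exactly five words left `ivlen` looks to be used uninitialised. I would raise the guard to `6*sizeof(krb5_int32)` and reject the length before allocating: `if (ivlen < 0 || (size_t) ivlen > remain) kret = EINVAL; else if (ivlen) {`.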
@@ -553,23 +554,23 @@ krb5_auth_context_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_oc
krb5_error_code KRB5_CALLCONV
krb5_ser_auth_context_init(krb5_context kcontext)
{
- krb5_error_code kret;
+ krb5_error_code kret;
kret = krb5_register_serializer(kcontext, &krb5_auth_context_ser_entry);
if (!kret)
- kret = krb5_ser_authdata_init(kcontext);
+ kret = krb5_ser_authdata_init(kcontext);
if (!kret)
- kret = krb5_ser_address_init(kcontext);
+ kret = krb5_ser_address_init(kcontext);
#ifndef LEAN_CLIENT
if (!kret)
- kret = krb5_ser_authenticator_init(kcontext);
+ kret = krb5_ser_authenticator_init(kcontext);
#endif
if (!kret)
- kret = krb5_ser_checksum_init(kcontext);
+ kret = krb5_ser_checksum_init(kcontext);
if (!kret)
- kret = krb5_ser_keyblock_init(kcontext);
+ kret = krb5_ser_keyblock_init(kcontext);
if (!kret)
- kret = krb5_ser_principal_init(kcontext);
+ kret = krb5_ser_principal_init(kcontext);
if (!kret)
- kret = krb5_ser_authdata_context_init(kcontext);
+ kret = krb5_ser_authdata_context_init(kcontext);
return(kret);
}
diff --git a/src/lib/krb5/krb/ser_adata.c b/src/lib/krb5/krb/ser_adata.c
index 82d04dce13..77a76fdae9 100644
--- a/src/lib/krb5/krb/ser_adata.c
+++ b/src/lib/krb5/krb/ser_adata.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/ser_adata.c
*
@@ -33,157 +34,157 @@
/*
* Routines to deal with externalizing the krb5_authdata:
- * krb5_authdata_size();
- * krb5_authdata_externalize();
- * krb5_authdata_internalize();
+ * krb5_authdata_size();
+ * krb5_authdata_externalize();
+ * krb5_authdata_internalize();
*/
static krb5_error_code krb5_authdata_size
- (krb5_context, krb5_pointer, size_t *);
+(krb5_context, krb5_pointer, size_t *);
static krb5_error_code krb5_authdata_externalize
- (krb5_context, krb5_pointer, krb5_octet **, size_t *);
+(krb5_context, krb5_pointer, krb5_octet **, size_t *);
static krb5_error_code krb5_authdata_internalize
- (krb5_context,krb5_pointer *, krb5_octet **, size_t *);
+(krb5_context,krb5_pointer *, krb5_octet **, size_t *);
/* Local data */
static const krb5_ser_entry krb5_authdata_ser_entry = {
- KV5M_AUTHDATA, /* Type */
- krb5_authdata_size, /* Sizer routine */
- krb5_authdata_externalize, /* Externalize routine */
- krb5_authdata_internalize /* Internalize routine */
+ KV5M_AUTHDATA, /* Type */
+ krb5_authdata_size, /* Sizer routine */
+ krb5_authdata_externalize, /* Externalize routine */
+ krb5_authdata_internalize /* Internalize routine */
};
/*
- * krb5_authdata_esize() - Determine the size required to externalize
- * the krb5_authdata.
+ * krb5_authdata_esize() - Determine the size required to externalize
+ * the krb5_authdata.
*/
static krb5_error_code
krb5_authdata_size(krb5_context kcontext, krb5_pointer arg, size_t *sizep)
{
- krb5_error_code kret;
- krb5_authdata *authdata;
+ krb5_error_code kret;
+ krb5_authdata *authdata;
/*
* krb5_authdata requires:
- * krb5_int32 for KV5M_AUTHDATA
- * krb5_int32 for ad_type
- * krb5_int32 for length
- * authdata->length for contents
- * krb5_int32 for KV5M_AUTHDATA
+ * krb5_int32 for KV5M_AUTHDATA
+ * krb5_int32 for ad_type
+ * krb5_int32 for length
+ * authdata->length for contents
+ * krb5_int32 for KV5M_AUTHDATA
*/
kret = EINVAL;
if ((authdata = (krb5_authdata *) arg)) {
- *sizep += (sizeof(krb5_int32) +
- sizeof(krb5_int32) +
- sizeof(krb5_int32) +
- sizeof(krb5_int32) +
- (size_t) authdata->length);
- kret = 0;
+ *sizep += (sizeof(krb5_int32) +
+ sizeof(krb5_int32) +
+ sizeof(krb5_int32) +
+ sizeof(krb5_int32) +
+ (size_t) authdata->length);
+ kret = 0;
}
return(kret);
}
/*
- * krb5_authdata_externalize() - Externalize the krb5_authdata.
+ * krb5_authdata_externalize() - Externalize the krb5_authdata.
*/
static krb5_error_code
krb5_authdata_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet **buffer, size_t *lenremain)
{
- krb5_error_code kret;
- krb5_authdata *authdata;
- size_t required;
- krb5_octet *bp;
- size_t remain;
+ krb5_error_code kret;
+ krb5_authdata *authdata;
+ size_t required;
+ krb5_octet *bp;
+ size_t remain;
required = 0;
bp = *buffer;
remain = *lenremain;
kret = EINVAL;
if ((authdata = (krb5_authdata *) arg)) {
- kret = ENOMEM;
- if (!krb5_authdata_size(kcontext, arg, &required) &&
- (required <= remain)) {
- /* Our identifier */
- (void) krb5_ser_pack_int32(KV5M_AUTHDATA, &bp, &remain);
-
- /* Our ad_type */
- (void) krb5_ser_pack_int32((krb5_int32) authdata->ad_type,
- &bp, &remain);
+ kret = ENOMEM;
+ if (!krb5_authdata_size(kcontext, arg, &required) &&
+ (required <= remain)) {
+ /* Our identifier */
+ (void) krb5_ser_pack_int32(KV5M_AUTHDATA, &bp, &remain);
- /* Our length */
- (void) krb5_ser_pack_int32((krb5_int32) authdata->length,
- &bp, &remain);
+ /* Our ad_type */
+ (void) krb5_ser_pack_int32((krb5_int32) authdata->ad_type,
+ &bp, &remain);
- /* Our contents */
- (void) krb5_ser_pack_bytes(authdata->contents,
- (size_t) authdata->length,
- &bp, &remain);
+ /* Our length */
+ (void) krb5_ser_pack_int32((krb5_int32) authdata->length,
+ &bp, &remain);
- /* Finally, our trailer */
- (void) krb5_ser_pack_int32(KV5M_AUTHDATA, &bp, &remain);
- kret = 0;
- *buffer = bp;
- *lenremain = remain;
- }
+ /* Our contents */
+ (void) krb5_ser_pack_bytes(authdata->contents,
+ (size_t) authdata->length,
+ &bp, &remain);
+
+ /* Finally, our trailer */
+ (void) krb5_ser_pack_int32(KV5M_AUTHDATA, &bp, &remain);
+ kret = 0;
+ *buffer = bp;
+ *lenremain = remain;
+ }
}
return(kret);
}
/*
- * krb5_authdata_internalize() - Internalize the krb5_authdata.
+ * krb5_authdata_internalize() - Internalize the krb5_authdata.
*/
static krb5_error_code
krb5_authdata_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet **buffer, size_t *lenremain)
{
- krb5_error_code kret;
- krb5_authdata *authdata;
- krb5_int32 ibuf;
- krb5_octet *bp;
- size_t remain;
+ krb5_error_code kret;
+ krb5_authdata *authdata;
+ krb5_int32 ibuf;
+ krb5_octet *bp;
+ size_t remain;
bp = *buffer;
remain = *lenremain;
kret = EINVAL;
/* Read our magic number */
if (krb5_ser_unpack_int32(&ibuf, &bp, &remain))
- ibuf = 0;
+ ibuf = 0;
if (ibuf == KV5M_AUTHDATA) {
- kret = ENOMEM;
+ kret = ENOMEM;
- /* Get a authdata */
- if ((remain >= (2*sizeof(krb5_int32))) &&
- (authdata = (krb5_authdata *) calloc(1, sizeof(krb5_authdata)))) {
+ /* Get a authdata */
+ if ((remain >= (2*sizeof(krb5_int32))) &&
+ (authdata = (krb5_authdata *) calloc(1, sizeof(krb5_authdata)))) {
- /* Get the ad_type */
- (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- authdata->ad_type = (krb5_authdatatype) ibuf;
+ /* Get the ad_type */
+ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ authdata->ad_type = (krb5_authdatatype) ibuf;
- /* Get the length */
- (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- authdata->length = (int) ibuf;
+ /* Get the length */
+ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ authdata->length = (int) ibuf;
- /* Get the string */
- if ((authdata->contents = (krb5_octet *)
- malloc((size_t) (ibuf))) &&
- !(kret = krb5_ser_unpack_bytes(authdata->contents,
- (size_t) ibuf,
- &bp, &remain))) {
- if ((kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain)))
- ibuf = 0;
- if (ibuf == KV5M_AUTHDATA) {
- authdata->magic = KV5M_AUTHDATA;
- *buffer = bp;
- *lenremain = remain;
- *argp = (krb5_pointer) authdata;
- }
- else
- kret = EINVAL;
- }
- if (kret) {
- if (authdata->contents)
- free(authdata->contents);
- free(authdata);
- }
- }
+ /* Get the string */
+ if ((authdata->contents = (krb5_octet *)
+ malloc((size_t) (ibuf))) &&
+ !(kret = krb5_ser_unpack_bytes(authdata->contents,
+ (size_t) ibuf,
+ &bp, &remain))) {
+ if ((kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain)))
+ ibuf = 0;
+ if (ibuf == KV5M_AUTHDATA) {
+ authdata->magic = KV5M_AUTHDATA;
+ *buffer = bp;
+ *lenremain = remain;
+ *argp = (krb5_pointer) authdata;
+ }
+ else
+ kret = EINVAL;
+ }
+ if (kret) {
+ if (authdata->contents)
+ free(authdata->contents);
+ free(authdata);
+ }
+ }
}
return(kret);
}
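Review bot: In krb5_authdata_internalize the length word read from the buffer goes straight into `malloc((size_t) (ibuf))` with no check that it is non-negative and no larger than `remain`. A negative value converts to a very large size_t, and a large positive one lets a short input request an allocation of up to 2 GiB before krb5_ser_unpack_bytes (whose body is not shown here) can compare it with `remain`; a failed allocation then surfaces as ENOMEM rather than EINVAL. Because this routine parses a serialized blob that may not be trusted, I would add `if (ibuf < 0 || (size_t) ibuf > remain) kret = EINVAL;` ahead of the allocation and allocate only in the else branch, which the existing `if (kret)` cleanup already handles. krb5_address_internalize in the ser_addr.c hunk below has the same pattern for `address->contents`. The hunk itself only re-indents this code, so this would be a follow-up change.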
diff --git a/src/lib/krb5/krb/ser_addr.c b/src/lib/krb5/krb/ser_addr.c
index 11b7f6abfc..e7b6421304 100644
--- a/src/lib/krb5/krb/ser_addr.c
+++ b/src/lib/krb5/krb/ser_addr.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/ser_addr.c
*
@@ -33,161 +34,161 @@
/*
* Routines to deal with externalizing the krb5_address:
- * krb5_address_size();
- * krb5_address_externalize();
- * krb5_address_internalize();
+ * krb5_address_size();
+ * krb5_address_externalize();
+ * krb5_address_internalize();
*/
static krb5_error_code krb5_address_size
- (krb5_context, krb5_pointer, size_t *);
+(krb5_context, krb5_pointer, size_t *);
static krb5_error_code krb5_address_externalize
- (krb5_context, krb5_pointer, krb5_octet **, size_t *);
+(krb5_context, krb5_pointer, krb5_octet **, size_t *);
static krb5_error_code krb5_address_internalize
- (krb5_context,krb5_pointer *, krb5_octet **, size_t *);
+(krb5_context,krb5_pointer *, krb5_octet **, size_t *);
/* Local data */
static const krb5_ser_entry krb5_address_ser_entry = {
- KV5M_ADDRESS, /* Type */
- krb5_address_size, /* Sizer routine */
- krb5_address_externalize, /* Externalize routine */
- krb5_address_internalize /* Internalize routine */
+ KV5M_ADDRESS, /* Type */
+ krb5_address_size, /* Sizer routine */
+ krb5_address_externalize, /* Externalize routine */
+ krb5_address_internalize /* Internalize routine */
};
/*
- * krb5_address_size() - Determine the size required to externalize
- * the krb5_address.
+ * krb5_address_size() - Determine the size required to externalize
+ * the krb5_address.
*/
static krb5_error_code
krb5_address_size(krb5_context kcontext, krb5_pointer arg, size_t *sizep)
{
- krb5_error_code kret;
- krb5_address *address;
+ krb5_error_code kret;
+ krb5_address *address;
/*
* krb5_address requires:
- * krb5_int32 for KV5M_ADDRESS
- * krb5_int32 for addrtype
- * krb5_int32 for length
- * address->length for contents
- * krb5_int32 for KV5M_ADDRESS
+ * krb5_int32 for KV5M_ADDRESS
+ * krb5_int32 for addrtype
+ * krb5_int32 for length
+ * address->length for contents
+ * krb5_int32 for KV5M_ADDRESS
*/
kret = EINVAL;
if ((address = (krb5_address *) arg)) {
- *sizep += (sizeof(krb5_int32) +
- sizeof(krb5_int32) +
- sizeof(krb5_int32) +
- sizeof(krb5_int32) +
- (size_t) address->length);
- kret = 0;
+ *sizep += (sizeof(krb5_int32) +
+ sizeof(krb5_int32) +
+ sizeof(krb5_int32) +
+ sizeof(krb5_int32) +
+ (size_t) address->length);
+ kret = 0;
}
return(kret);
}
/*
- * krb5_address_externalize() - Externalize the krb5_address.
+ * krb5_address_externalize() - Externalize the krb5_address.
*/
static krb5_error_code
krb5_address_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet **buffer, size_t *lenremain)
{
- krb5_error_code kret;
- krb5_address *address;
- size_t required;
- krb5_octet *bp;
- size_t remain;
+ krb5_error_code kret;
+ krb5_address *address;
+ size_t required;
+ krb5_octet *bp;
+ size_t remain;
required = 0;
bp = *buffer;
remain = *lenremain;
kret = EINVAL;
if ((address = (krb5_address *) arg)) {
- kret = ENOMEM;
- if (!krb5_address_size(kcontext, arg, &required) &&
- (required <= remain)) {
- /* Our identifier */
- (void) krb5_ser_pack_int32(KV5M_ADDRESS, &bp, &remain);
-
- /* Our addrtype */
- (void) krb5_ser_pack_int32((krb5_int32) address->addrtype,
- &bp, &remain);
-
- /* Our length */
- (void) krb5_ser_pack_int32((krb5_int32) address->length,
- &bp, &remain);
-
- /* Our contents */
- (void) krb5_ser_pack_bytes(address->contents,
- (size_t) address->length,
- &bp, &remain);
-
- /* Finally, our trailer */
- (void) krb5_ser_pack_int32(KV5M_ADDRESS, &bp, &remain);
-
- kret = 0;
- *buffer = bp;
- *lenremain = remain;
- }
+ kret = ENOMEM;
+ if (!krb5_address_size(kcontext, arg, &required) &&
+ (required <= remain)) {
+ /* Our identifier */
+ (void) krb5_ser_pack_int32(KV5M_ADDRESS, &bp, &remain);
+
+ /* Our addrtype */
+ (void) krb5_ser_pack_int32((krb5_int32) address->addrtype,
+ &bp, &remain);
+
+ /* Our length */
+ (void) krb5_ser_pack_int32((krb5_int32) address->length,
+ &bp, &remain);
+
+ /* Our contents */
+ (void) krb5_ser_pack_bytes(address->contents,
+ (size_t) address->length,
+ &bp, &remain);
+
+ /* Finally, our trailer */
+ (void) krb5_ser_pack_int32(KV5M_ADDRESS, &bp, &remain);
+
+ kret = 0;
+ *buffer = bp;
+ *lenremain = remain;
+ }
}
return(kret);
}
/*
- * krb5_address_internalize() - Internalize the krb5_address.
+ * krb5_address_internalize() - Internalize the krb5_address.
*/
static krb5_error_code
krb5_address_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet **buffer, size_t *lenremain)
{
- krb5_error_code kret;
- krb5_address *address;
- krb5_int32 ibuf;
- krb5_octet *bp;
- size_t remain;
+ krb5_error_code kret;
+ krb5_address *address;
+ krb5_int32 ibuf;
+ krb5_octet *bp;
+ size_t remain;
bp = *buffer;
remain = *lenremain;
kret = EINVAL;
/* Read our magic number */
if (krb5_ser_unpack_int32(&ibuf, &bp, &remain))
- ibuf = 0;
+ ibuf = 0;
if (ibuf == KV5M_ADDRESS) {
- kret = ENOMEM;
-
- /* Get a address */
- if ((remain >= (2*sizeof(krb5_int32))) &&
- (address = (krb5_address *) calloc(1, sizeof(krb5_address)))) {
-
- address->magic = KV5M_ADDRESS;
-
- /* Get the addrtype */
- (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- address->addrtype = (krb5_addrtype) ibuf;
-
- /* Get the length */
- (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- address->length = (int) ibuf;
-
- /* Get the string */
- if ((address->contents = (krb5_octet *) malloc((size_t) (ibuf))) &&
- !(kret = krb5_ser_unpack_bytes(address->contents,
- (size_t) ibuf,
- &bp, &remain))) {
- /* Get the trailer */
- if ((kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain)))
- ibuf = 0;
-
- if (!kret && (ibuf == KV5M_ADDRESS)) {
- address->magic = KV5M_ADDRESS;
- *buffer = bp;
- *lenremain = remain;
- *argp = (krb5_pointer) address;
- }
- else
- kret = EINVAL;
- }
- if (kret) {
- if (address->contents)
- free(address->contents);
- free(address);
- }
- }
+ kret = ENOMEM;
+
+ /* Get a address */
+ if ((remain >= (2*sizeof(krb5_int32))) &&
+ (address = (krb5_address *) calloc(1, sizeof(krb5_address)))) {
+
+ address->magic = KV5M_ADDRESS;
+
+ /* Get the addrtype */
+ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ address->addrtype = (krb5_addrtype) ibuf;
+
+ /* Get the length */
+ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ address->length = (int) ibuf;
+
+ /* Get the string */
+ if ((address->contents = (krb5_octet *) malloc((size_t) (ibuf))) &&
+ !(kret = krb5_ser_unpack_bytes(address->contents,
+ (size_t) ibuf,
+ &bp, &remain))) {
+ /* Get the trailer */
+ if ((kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain)))
+ ibuf = 0;
+
+ if (!kret && (ibuf == KV5M_ADDRESS)) {
+ address->magic = KV5M_ADDRESS;
+ *buffer = bp;
+ *lenremain = remain;
+ *argp = (krb5_pointer) address;
+ }
+ else
+ kret = EINVAL;
+ }
+ if (kret) {
+ if (address->contents)
+ free(address->contents);
+ free(address);
+ }
+ }
}
return(kret);
}
diff --git a/src/lib/krb5/krb/ser_auth.c b/src/lib/krb5/krb/ser_auth.c
index 6951f92fa4..23b9b57458 100644
--- a/src/lib/krb5/krb/ser_auth.c
+++ b/src/lib/krb5/krb/ser_auth.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/ser_auth.c
*
@@ -36,305 +37,305 @@
/*
* Routines to deal with externalizing the krb5_authenticator:
- * krb5_authenticator_size();
- * krb5_authenticator_externalize();
- * krb5_authenticator_internalize();
+ * krb5_authenticator_size();
+ * krb5_authenticator_externalize();
+ * krb5_authenticator_internalize();
*/
static krb5_error_code krb5_authenticator_size
- (krb5_context, krb5_pointer, size_t *);
+(krb5_context, krb5_pointer, size_t *);
static krb5_error_code krb5_authenticator_externalize
- (krb5_context, krb5_pointer, krb5_octet **, size_t *);
+(krb5_context, krb5_pointer, krb5_octet **, size_t *);
static krb5_error_code krb5_authenticator_internalize
- (krb5_context,krb5_pointer *, krb5_octet **, size_t *);
+(krb5_context,krb5_pointer *, krb5_octet **, size_t *);
/* Local data */
static const krb5_ser_entry krb5_authenticator_ser_entry = {
- KV5M_AUTHENTICATOR, /* Type */
- krb5_authenticator_size, /* Sizer routine */
- krb5_authenticator_externalize, /* Externalize routine */
- krb5_authenticator_internalize /* Internalize routine */
+ KV5M_AUTHENTICATOR, /* Type */
+ krb5_authenticator_size, /* Sizer routine */
+ krb5_authenticator_externalize, /* Externalize routine */
+ krb5_authenticator_internalize /* Internalize routine */
};
/*
- * krb5_authenticator_size() - Determine the size required to externalize
- * the krb5_authenticator.
+ * krb5_authenticator_size() - Determine the size required to externalize
+ * the krb5_authenticator.
*/
static krb5_error_code
krb5_authenticator_size(krb5_context kcontext, krb5_pointer arg, size_t *sizep)
{
- krb5_error_code kret;
- krb5_authenticator *authenticator;
- size_t required;
+ krb5_error_code kret;
+ krb5_authenticator *authenticator;
+ size_t required;
/*
* krb5_authenticator requires at minimum:
- * krb5_int32 for KV5M_AUTHENTICATOR
- * krb5_int32 for seconds
- * krb5_int32 for cusec
- * krb5_int32 for seq_number
- * krb5_int32 for number in authorization_data array.
- * krb5_int32 for KV5M_AUTHENTICATOR
+ * krb5_int32 for KV5M_AUTHENTICATOR
+ * krb5_int32 for seconds
+ * krb5_int32 for cusec
+ * krb5_int32 for seq_number
+ * krb5_int32 for number in authorization_data array.
+ * krb5_int32 for KV5M_AUTHENTICATOR
*/
kret = EINVAL;
if ((authenticator = (krb5_authenticator *) arg)) {
- required = sizeof(krb5_int32)*6;
-
- /* Calculate size required by client, if appropriate */
- if (authenticator->client)
- kret = krb5_size_opaque(kcontext,
- KV5M_PRINCIPAL,
- (krb5_pointer) authenticator->client,
- &required);
- else
- kret = 0;
-
- /* Calculate size required by checksum, if appropriate */
- if (!kret && authenticator->checksum)
- kret = krb5_size_opaque(kcontext,
- KV5M_CHECKSUM,
- (krb5_pointer) authenticator->checksum,
- &required);
-
- /* Calculate size required by subkey, if appropriate */
- if (!kret && authenticator->subkey)
- kret = krb5_size_opaque(kcontext,
- KV5M_KEYBLOCK,
- (krb5_pointer) authenticator->subkey,
- &required);
-
- /* Calculate size required by authorization_data, if appropriate */
- if (!kret && authenticator->authorization_data) {
- int i;
-
- for (i=0; !kret && authenticator->authorization_data[i]; i++) {
- kret = krb5_size_opaque(kcontext,
- KV5M_AUTHDATA,
- (krb5_pointer) authenticator->
- authorization_data[i],
- &required);
- }
- }
+ required = sizeof(krb5_int32)*6;
+
+ /* Calculate size required by client, if appropriate */
+ if (authenticator->client)
+ kret = krb5_size_opaque(kcontext,
+ KV5M_PRINCIPAL,
+ (krb5_pointer) authenticator->client,
+ &required);
+ else
+ kret = 0;
+
+ /* Calculate size required by checksum, if appropriate */
+ if (!kret && authenticator->checksum)
+ kret = krb5_size_opaque(kcontext,
+ KV5M_CHECKSUM,
+ (krb5_pointer) authenticator->checksum,
+ &required);
+
+ /* Calculate size required by subkey, if appropriate */
+ if (!kret && authenticator->subkey)
+ kret = krb5_size_opaque(kcontext,
+ KV5M_KEYBLOCK,
+ (krb5_pointer) authenticator->subkey,
+ &required);
+
+ /* Calculate size required by authorization_data, if appropriate */
+ if (!kret && authenticator->authorization_data) {
+ int i;
+
+ for (i=0; !kret && authenticator->authorization_data[i]; i++) {
+ kret = krb5_size_opaque(kcontext,
+ KV5M_AUTHDATA,
+ (krb5_pointer) authenticator->
+ authorization_data[i],
+ &required);
+ }
+ }
}
if (!kret)
- *sizep += required;
+ *sizep += required;
return(kret);
}
/*
- * krb5_authenticator_externalize() - Externalize the krb5_authenticator.
+ * krb5_authenticator_externalize() - Externalize the krb5_authenticator.
*/
static krb5_error_code
krb5_authenticator_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet **buffer, size_t *lenremain)
{
- krb5_error_code kret;
- krb5_authenticator *authenticator;
- size_t required;
- krb5_octet *bp;
- size_t remain;
- int i;
+ krb5_error_code kret;
+ krb5_authenticator *authenticator;
+ size_t required;
+ krb5_octet *bp;
+ size_t remain;
+ int i;
required = 0;
bp = *buffer;
remain = *lenremain;
kret = EINVAL;
if ((authenticator = (krb5_authenticator *) arg)) {
- kret = ENOMEM;
- if (!krb5_authenticator_size(kcontext, arg, &required) &&
- (required <= remain)) {
- /* First write our magic number */
- (void) krb5_ser_pack_int32(KV5M_AUTHENTICATOR, &bp, &remain);
-
- /* Now ctime */
- (void) krb5_ser_pack_int32((krb5_int32) authenticator->ctime,
- &bp, &remain);
-
- /* Now cusec */
- (void) krb5_ser_pack_int32((krb5_int32) authenticator->cusec,
- &bp, &remain);
-
- /* Now seq_number */
- (void) krb5_ser_pack_int32(authenticator->seq_number,
- &bp, &remain);
-
- /* Now handle client, if appropriate */
- if (authenticator->client)
- kret = krb5_externalize_opaque(kcontext,
- KV5M_PRINCIPAL,
- (krb5_pointer)
- authenticator->client,
- &bp,
- &remain);
- else
- kret = 0;
-
- /* Now handle checksum, if appropriate */
- if (!kret && authenticator->checksum)
- kret = krb5_externalize_opaque(kcontext,
- KV5M_CHECKSUM,
- (krb5_pointer)
- authenticator->checksum,
- &bp,
- &remain);
-
- /* Now handle subkey, if appropriate */
- if (!kret && authenticator->subkey)
- kret = krb5_externalize_opaque(kcontext,
- KV5M_KEYBLOCK,
- (krb5_pointer)
- authenticator->subkey,
- &bp,
- &remain);
-
- /* Now handle authorization_data, if appropriate */
- if (!kret) {
- if (authenticator->authorization_data)
- for (i=0; authenticator->authorization_data[i]; i++);
- else
- i = 0;
- (void) krb5_ser_pack_int32((krb5_int32) i, &bp, &remain);
-
- /* Now pound out the authorization_data */
- if (authenticator->authorization_data) {
- for (i=0; !kret && authenticator->authorization_data[i];
- i++)
- kret = krb5_externalize_opaque(kcontext,
- KV5M_AUTHDATA,
- (krb5_pointer)
- authenticator->
- authorization_data[i],
- &bp,
- &remain);
- }
- }
-
- /*
- * If we were successful, write trailer then update the pointer and
- * remaining length;
- */
- if (!kret) {
- /* Write our trailer */
- (void) krb5_ser_pack_int32(KV5M_AUTHENTICATOR, &bp, &remain);
- *buffer = bp;
- *lenremain = remain;
- }
- }
+ kret = ENOMEM;
+ if (!krb5_authenticator_size(kcontext, arg, &required) &&
+ (required <= remain)) {
+ /* First write our magic number */
+ (void) krb5_ser_pack_int32(KV5M_AUTHENTICATOR, &bp, &remain);
+
+ /* Now ctime */
+ (void) krb5_ser_pack_int32((krb5_int32) authenticator->ctime,
+ &bp, &remain);
+
+ /* Now cusec */
+ (void) krb5_ser_pack_int32((krb5_int32) authenticator->cusec,
+ &bp, &remain);
+
+ /* Now seq_number */
+ (void) krb5_ser_pack_int32(authenticator->seq_number,
+ &bp, &remain);
+
+ /* Now handle client, if appropriate */
+ if (authenticator->client)
+ kret = krb5_externalize_opaque(kcontext,
+ KV5M_PRINCIPAL,
+ (krb5_pointer)
+ authenticator->client,
+ &bp,
+ &remain);
+ else
+ kret = 0;
+
+ /* Now handle checksum, if appropriate */
+ if (!kret && authenticator->checksum)
+ kret = krb5_externalize_opaque(kcontext,
+ KV5M_CHECKSUM,
+ (krb5_pointer)
+ authenticator->checksum,
+ &bp,
+ &remain);
+
+ /* Now handle subkey, if appropriate */
+ if (!kret && authenticator->subkey)
+ kret = krb5_externalize_opaque(kcontext,
+ KV5M_KEYBLOCK,
+ (krb5_pointer)
+ authenticator->subkey,
+ &bp,
+ &remain);
+
+ /* Now handle authorization_data, if appropriate */
+ if (!kret) {
+ if (authenticator->authorization_data)
+ for (i=0; authenticator->authorization_data[i]; i++);
+ else
+ i = 0;
+ (void) krb5_ser_pack_int32((krb5_int32) i, &bp, &remain);
+
+ /* Now pound out the authorization_data */
+ if (authenticator->authorization_data) {
+ for (i=0; !kret && authenticator->authorization_data[i];
+ i++)
+ kret = krb5_externalize_opaque(kcontext,
+ KV5M_AUTHDATA,
+ (krb5_pointer)
+ authenticator->
+ authorization_data[i],
+ &bp,
+ &remain);
+ }
+ }
+
+ /*
+ * If we were successful, write trailer then update the pointer and
+ * remaining length;
+ */
+ if (!kret) {
+ /* Write our trailer */
+ (void) krb5_ser_pack_int32(KV5M_AUTHENTICATOR, &bp, &remain);
+ *buffer = bp;
+ *lenremain = remain;
+ }
+ }
}
return(kret);
}
/*
- * krb5_authenticator_internalize() - Internalize the krb5_authenticator.
+ * krb5_authenticator_internalize() - Internalize the krb5_authenticator.
*/
static krb5_error_code
krb5_authenticator_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet **buffer, size_t *lenremain)
{
- krb5_error_code kret;
- krb5_authenticator *authenticator;
- krb5_int32 ibuf;
- krb5_octet *bp;
- size_t remain;
- int i;
- krb5_int32 nadata;
- size_t len;
+ krb5_error_code kret;
+ krb5_authenticator *authenticator;
+ krb5_int32 ibuf;
+ krb5_octet *bp;
+ size_t remain;
+ int i;
+ krb5_int32 nadata;
+ size_t len;
bp = *buffer;
remain = *lenremain;
kret = EINVAL;
/* Read our magic number */
if (krb5_ser_unpack_int32(&ibuf, &bp, &remain))
- ibuf = 0;
+ ibuf = 0;
if (ibuf == KV5M_AUTHENTICATOR) {
- kret = ENOMEM;
-
- /* Get memory for the authenticator */
- if ((remain >= (3*sizeof(krb5_int32))) &&
- (authenticator = (krb5_authenticator *)
- calloc(1, sizeof(krb5_authenticator)))) {
-
- /* Get ctime */
- (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- authenticator->ctime = (krb5_timestamp) ibuf;
-
- /* Get cusec */
- (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- authenticator->cusec = ibuf;
-
- /* Get seq_number */
- (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- authenticator->seq_number = ibuf;
-
- kret = 0;
-
- /* Attempt to read in the client */
- kret = krb5_internalize_opaque(kcontext,
- KV5M_PRINCIPAL,
- (krb5_pointer *)
- &authenticator->client,
- &bp,
- &remain);
- if (kret == EINVAL)
- kret = 0;
-
- /* Attempt to read in the checksum */
- if (!kret) {
- kret = krb5_internalize_opaque(kcontext,
- KV5M_CHECKSUM,
- (krb5_pointer *)
- &authenticator->checksum,
- &bp,
- &remain);
- if (kret == EINVAL)
- kret = 0;
- }
-
- /* Attempt to read in the subkey */
- if (!kret) {
- kret = krb5_internalize_opaque(kcontext,
- KV5M_KEYBLOCK,
- (krb5_pointer *)
- &authenticator->subkey,
- &bp,
- &remain);
- if (kret == EINVAL)
- kret = 0;
- }
-
- /* Attempt to read in the authorization data count */
- if (!(kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain))) {
- nadata = ibuf;
- len = (size_t) (nadata + 1);
-
- /* Get memory for the authorization data pointers */
- if ((authenticator->authorization_data = (krb5_authdata **)
- calloc(len, sizeof(krb5_authdata *)))) {
- for (i=0; !kret && (i<nadata); i++) {
- kret = krb5_internalize_opaque(kcontext,
- KV5M_AUTHDATA,
- (krb5_pointer *)
- &authenticator->
- authorization_data[i],
- &bp,
- &remain);
- }
-
- /* Finally, find the trailer */
- if (!kret) {
- kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- if (!kret && (ibuf == KV5M_AUTHENTICATOR))
- authenticator->magic = KV5M_AUTHENTICATOR;
- else
- kret = EINVAL;
- }
- }
- }
- if (!kret) {
- *buffer = bp;
- *lenremain = remain;
- *argp = (krb5_pointer) authenticator;
- }
- else
- krb5_free_authenticator(kcontext, authenticator);
- }
+ kret = ENOMEM;
+
+ /* Get memory for the authenticator */
+ if ((remain >= (3*sizeof(krb5_int32))) &&
+ (authenticator = (krb5_authenticator *)
+ calloc(1, sizeof(krb5_authenticator)))) {
+
+ /* Get ctime */
+ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ authenticator->ctime = (krb5_timestamp) ibuf;
+
+ /* Get cusec */
+ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ authenticator->cusec = ibuf;
+
+ /* Get seq_number */
+ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ authenticator->seq_number = ibuf;
+
+ kret = 0;
+
+ /* Attempt to read in the client */
+ kret = krb5_internalize_opaque(kcontext,
+ KV5M_PRINCIPAL,
+ (krb5_pointer *)
+ &authenticator->client,
+ &bp,
+ &remain);
+ if (kret == EINVAL)
+ kret = 0;
+
+ /* Attempt to read in the checksum */
+ if (!kret) {
+ kret = krb5_internalize_opaque(kcontext,
+ KV5M_CHECKSUM,
+ (krb5_pointer *)
+ &authenticator->checksum,
+ &bp,
+ &remain);
+ if (kret == EINVAL)
+ kret = 0;
+ }
+
+ /* Attempt to read in the subkey */
+ if (!kret) {
+ kret = krb5_internalize_opaque(kcontext,
+ KV5M_KEYBLOCK,
+ (krb5_pointer *)
+ &authenticator->subkey,
+ &bp,
+ &remain);
+ if (kret == EINVAL)
+ kret = 0;
+ }
+
+ /* Attempt to read in the authorization data count */
+ if (!(kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain))) {
+ nadata = ibuf;
+ len = (size_t) (nadata + 1);
+
+ /* Get memory for the authorization data pointers */
+ if ((authenticator->authorization_data = (krb5_authdata **)
+ calloc(len, sizeof(krb5_authdata *)))) {
+ for (i=0; !kret && (i<nadata); i++) {
+ kret = krb5_internalize_opaque(kcontext,
+ KV5M_AUTHDATA,
+ (krb5_pointer *)
+ &authenticator->
+ authorization_data[i],
+ &bp,
+ &remain);
+ }
+
+ /* Finally, find the trailer */
+ if (!kret) {
+ kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ if (!kret && (ibuf == KV5M_AUTHENTICATOR))
+ authenticator->magic = KV5M_AUTHENTICATOR;
+ else
+ kret = EINVAL;
+ }
+ }
+ }
+ if (!kret) {
+ *buffer = bp;
+ *lenremain = remain;
+ *argp = (krb5_pointer) authenticator;
+ }
+ else
+ krb5_free_authenticator(kcontext, authenticator);
+ }
}
return(kret);
}
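Review bot: In krb5_authenticator_internalize the authorization-data count `nadata` is taken from the buffer and used as `len = (size_t) (nadata + 1)` without any range check, and a failed `calloc` for the pointer array leaves `kret` at 0. The second part means an allocation failure falls through to the `if (!kret)` branch and returns success with `authorization_data` NULL, the trailer unread and `magic` unset; the first means `nadata + 1` overflows for the largest krb5_int32 value and a negative or oversized count drives the allocation size. I would reject the count with EINVAL when it is negative or larger than `remain` can hold (the sizer in the ser_adata.c hunk counts at least four krb5_int32 per entry), and set ENOMEM when the allocation fails, as sketched below. The hunk only re-indents the function, so this is a follow-up rather than a change to this commit.

```c
            /* Attempt to read in the authorization data count */
            if (!(kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain))) {
                nadata = ibuf;
                /* A serialized krb5_authdata is at least four krb5_int32s. */
                if (nadata < 0 ||
                    (size_t) nadata > remain / (4 * sizeof(krb5_int32)))
                    kret = EINVAL;
            }
            if (!kret) {
                len = (size_t) nadata + 1;
                authenticator->authorization_data = (krb5_authdata **)
                    calloc(len, sizeof(krb5_authdata *));
                if (!authenticator->authorization_data)
                    kret = ENOMEM;
            }
            /* … unchanged: krb5_internalize_opaque loop over nadata entries and trailer check, run only when !kret … */
```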
diff --git a/src/lib/krb5/krb/ser_cksum.c b/src/lib/krb5/krb/ser_cksum.c
index 8d2870249d..4d194c7d0b 100644
--- a/src/lib/krb5/krb/ser_cksum.c
+++ b/src/lib/krb5/krb/ser_cksum.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/ser_cksum.c
*
@@ -33,159 +34,159 @@
/*
* Routines to deal with externalizing the krb5_checksum:
- * krb5_checksum_esize();
- * krb5_checksum_externalize();
- * krb5_checksum_internalize();
+ * krb5_checksum_esize();
+ * krb5_checksum_externalize();
+ * krb5_checksum_internalize();
*/
static krb5_error_code krb5_checksum_esize
- (krb5_context, krb5_pointer, size_t *);
+(krb5_context, krb5_pointer, size_t *);
static krb5_error_code krb5_checksum_externalize
- (krb5_context, krb5_pointer, krb5_octet **, size_t *);
+(krb5_context, krb5_pointer, krb5_octet **, size_t *);
static krb5_error_code krb5_checksum_internalize
- (krb5_context,krb5_pointer *, krb5_octet **, size_t *);
+(krb5_context,krb5_pointer *, krb5_octet **, size_t *);
/* Local data */
static const krb5_ser_entry krb5_checksum_ser_entry = {
- KV5M_CHECKSUM, /* Type */
- krb5_checksum_esize, /* Sizer routine */
- krb5_checksum_externalize, /* Externalize routine */
- krb5_checksum_internalize /* Internalize routine */
+ KV5M_CHECKSUM, /* Type */
+ krb5_checksum_esize, /* Sizer routine */
+ krb5_checksum_externalize, /* Externalize routine */
+ krb5_checksum_internalize /* Internalize routine */
};
/*
- * krb5_checksum_esize() - Determine the size required to externalize
- * the krb5_checksum.
+ * krb5_checksum_esize() - Determine the size required to externalize
+ * the krb5_checksum.
*/
static krb5_error_code
krb5_checksum_esize(krb5_context kcontext, krb5_pointer arg, size_t *sizep)
{
- krb5_error_code kret;
- krb5_checksum *checksum;
+ krb5_error_code kret;
+ krb5_checksum *checksum;
/*
* krb5_checksum requires:
- * krb5_int32 for KV5M_CHECKSUM
- * krb5_int32 for checksum_type
- * krb5_int32 for length
- * krb5_int32 for KV5M_CHECKSUM
- * checksum->length for contents
+ * krb5_int32 for KV5M_CHECKSUM
+ * krb5_int32 for checksum_type
+ * krb5_int32 for length
+ * krb5_int32 for KV5M_CHECKSUM
+ * checksum->length for contents
*/
kret = EINVAL;
if ((checksum = (krb5_checksum *) arg)) {
- *sizep += (sizeof(krb5_int32) +
- sizeof(krb5_int32) +
- sizeof(krb5_int32) +
- sizeof(krb5_int32) +
- (size_t) checksum->length);
- kret = 0;
+ *sizep += (sizeof(krb5_int32) +
+ sizeof(krb5_int32) +
+ sizeof(krb5_int32) +
+ sizeof(krb5_int32) +
+ (size_t) checksum->length);
+ kret = 0;
}
return(kret);
}
/*
- * krb5_checksum_externalize() - Externalize the krb5_checksum.
+ * krb5_checksum_externalize() - Externalize the krb5_checksum.
*/
static krb5_error_code
krb5_checksum_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet **buffer, size_t *lenremain)
{
- krb5_error_code kret;
- krb5_checksum *checksum;
- size_t required;
- krb5_octet *bp;
- size_t remain;
+ krb5_error_code kret;
+ krb5_checksum *checksum;
+ size_t required;
+ krb5_octet *bp;
+ size_t remain;
required = 0;
bp = *buffer;
remain = *lenremain;
kret = EINVAL;
if ((checksum = (krb5_checksum *) arg)) {
- kret = ENOMEM;
- if (!krb5_checksum_esize(kcontext, arg, &required) &&
- (required <= remain)) {
- /* Our identifier */
- (void) krb5_ser_pack_int32(KV5M_CHECKSUM, &bp, &remain);
-
- /* Our checksum_type */
- (void) krb5_ser_pack_int32((krb5_int32) checksum->checksum_type,
- &bp, &remain);
+ kret = ENOMEM;
+ if (!krb5_checksum_esize(kcontext, arg, &required) &&
+ (required <= remain)) {
+ /* Our identifier */
+ (void) krb5_ser_pack_int32(KV5M_CHECKSUM, &bp, &remain);
- /* Our length */
- (void) krb5_ser_pack_int32((krb5_int32) checksum->length,
- &bp, &remain);
+ /* Our checksum_type */
+ (void) krb5_ser_pack_int32((krb5_int32) checksum->checksum_type,
+ &bp, &remain);
- /* Our contents */
- (void) krb5_ser_pack_bytes(checksum->contents,
- (size_t) checksum->length,
- &bp, &remain);
+ /* Our length */
+ (void) krb5_ser_pack_int32((krb5_int32) checksum->length,
+ &bp, &remain);
- /* Finally, our trailer */
- (void) krb5_ser_pack_int32(KV5M_CHECKSUM, &bp, &remain);
+ /* Our contents */
+ (void) krb5_ser_pack_bytes(checksum->contents,
+ (size_t) checksum->length,
+ &bp, &remain);
- kret = 0;
- *buffer = bp;
- *lenremain = remain;
- }
+ /* Finally, our trailer */
+ (void) krb5_ser_pack_int32(KV5M_CHECKSUM, &bp, &remain);
+
+ kret = 0;
+ *buffer = bp;
+ *lenremain = remain;
+ }
}
return(kret);
}
/*
- * krb5_checksum_internalize() - Internalize the krb5_checksum.
+ * krb5_checksum_internalize() - Internalize the krb5_checksum.
*/
static krb5_error_code
krb5_checksum_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet **buffer, size_t *lenremain)
{
- krb5_error_code kret;
- krb5_checksum *checksum;
- krb5_int32 ibuf;
- krb5_octet *bp;
- size_t remain;
+ krb5_error_code kret;
+ krb5_checksum *checksum;
+ krb5_int32 ibuf;
+ krb5_octet *bp;
+ size_t remain;
bp = *buffer;
remain = *lenremain;
kret = EINVAL;
/* Read our magic number */
if (krb5_ser_unpack_int32(&ibuf, &bp, &remain))
- ibuf = 0;
+ ibuf = 0;
if (ibuf == KV5M_CHECKSUM) {
- kret = ENOMEM;
+ kret = ENOMEM;
- /* Get a checksum */
- if ((remain >= (2*sizeof(krb5_int32))) &&
- (checksum = (krb5_checksum *) calloc(1, sizeof(krb5_checksum)))) {
- /* Get the checksum_type */
- (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- checksum->checksum_type = (krb5_cksumtype) ibuf;
+ /* Get a checksum */
+ if ((remain >= (2*sizeof(krb5_int32))) &&
+ (checksum = (krb5_checksum *) calloc(1, sizeof(krb5_checksum)))) {
+ /* Get the checksum_type */
+ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ checksum->checksum_type = (krb5_cksumtype) ibuf;
- /* Get the length */
- (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- checksum->length = (int) ibuf;
+ /* Get the length */
+ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ checksum->length = (int) ibuf;
- /* Get the string */
- if (!ibuf ||
- ((checksum->contents = (krb5_octet *)
- malloc((size_t) (ibuf))) &&
- !(kret = krb5_ser_unpack_bytes(checksum->contents,
- (size_t) ibuf,
- &bp, &remain)))) {
+ /* Get the string */
+ if (!ibuf ||
+ ((checksum->contents = (krb5_octet *)
+ malloc((size_t) (ibuf))) &&
+ !(kret = krb5_ser_unpack_bytes(checksum->contents,
+ (size_t) ibuf,
+ &bp, &remain)))) {
- /* Get the trailer */
- kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- if (!kret && (ibuf == KV5M_CHECKSUM)) {
- checksum->magic = KV5M_CHECKSUM;
- *buffer = bp;
- *lenremain = remain;
- *argp = (krb5_pointer) checksum;
- }
- else
- kret = EINVAL;
- }
- if (kret) {
- if (checksum->contents)
- free(checksum->contents);
- free(checksum);
- }
- }
+ /* Get the trailer */
+ kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ if (!kret && (ibuf == KV5M_CHECKSUM)) {
+ checksum->magic = KV5M_CHECKSUM;
+ *buffer = bp;
+ *lenremain = remain;
+ *argp = (krb5_pointer) checksum;
+ }
+ else
+ kret = EINVAL;
+ }
+ if (kret) {
+ if (checksum->contents)
+ free(checksum->contents);
+ free(checksum);
+ }
+ }
}
return(kret);
}
diff --git a/src/lib/krb5/krb/ser_ctx.c b/src/lib/krb5/krb/ser_ctx.c
index c8f673b771..b632ff02c3 100644
--- a/src/lib/krb5/krb/ser_ctx.c
+++ b/src/lib/krb5/krb/ser_ctx.c
@@ -36,7 +36,7 @@
* krb5_context_size();
* krb5_context_externalize();
* krb5_context_internalize();
- *
+ *
* Routines to deal with externalizing the krb5_os_context:
* krb5_oscontext_size();
* krb5_oscontext_externalize();
@@ -197,23 +197,23 @@ krb5_context_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet **b
if (required > remain)
return (ENOMEM);
-
+
/* First write our magic number */
kret = krb5_ser_pack_int32(KV5M_CONTEXT, &bp, &remain);
if (kret)
return (kret);
-
+
/* Now sizeof default realm */
kret = krb5_ser_pack_int32((context->default_realm) ?
(krb5_int32) strlen(context->default_realm) : 0,
&bp, &remain);
if (kret)
return (kret);
-
+
/* Now default_realm bytes */
if (context->default_realm) {
kret = krb5_ser_pack_bytes((krb5_octet *) context->default_realm,
- strlen(context->default_realm),
+ strlen(context->default_realm),
&bp, &remain);
if (kret)
return (kret);
@@ -239,7 +239,7 @@ krb5_context_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet **b
kret = krb5_ser_pack_int32(etypes_len(context->tgs_etypes), &bp, &remain);
if (kret)
return (kret);
-
+
/* Now serialize ktypes */
if (context->tgs_etypes) {
for (i = 0; context->tgs_etypes[i]; i++) {
@@ -248,19 +248,19 @@ krb5_context_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet **b
return (kret);
}
}
-
+
/* Now allowable clockskew */
kret = krb5_ser_pack_int32((krb5_int32) context->clockskew,
&bp, &remain);
if (kret)
return (kret);
-
+
/* Now kdc_req_sumtype */
kret = krb5_ser_pack_int32((krb5_int32) context->kdc_req_sumtype,
&bp, &remain);
if (kret)
return (kret);
-
+
/* Now default ap_req_sumtype */
kret = krb5_ser_pack_int32((krb5_int32) context->default_ap_req_sumtype,
&bp, &remain);
@@ -284,7 +284,7 @@ krb5_context_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet **b
&bp, &remain);
if (kret)
return (kret);
-
+
/* Now profile_secure */
kret = krb5_ser_pack_int32((krb5_int32) context->profile_secure,
&bp, &remain);
@@ -321,7 +321,7 @@ krb5_context_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet **b
if (kret)
return (kret);
}
-
+
/*
* If we were successful, write trailer then update the pointer and
* remaining length;
@@ -329,7 +329,7 @@ krb5_context_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet **b
kret = krb5_ser_pack_int32(KV5M_CONTEXT, &bp, &remain);
if (kret)
return (kret);
-
+
*buffer = bp;
*lenremain = remain;
@@ -379,10 +379,10 @@ krb5_context_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet *
(size_t) ibuf, &bp, &remain);
if (kret)
goto cleanup;
-
+
context->default_realm[ibuf] = '\0';
}
-
+
/* Get the in_tkt_etypes */
if ((kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain)))
goto cleanup;
@@ -425,17 +425,17 @@ krb5_context_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet *
if ((kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain)))
goto cleanup;
context->clockskew = (krb5_deltat) ibuf;
-
+
/* kdc_req_sumtype */
if ((kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain)))
goto cleanup;
context->kdc_req_sumtype = (krb5_cksumtype) ibuf;
-
+
/* default ap_req_sumtype */
if ((kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain)))
goto cleanup;
context->default_ap_req_sumtype = (krb5_cksumtype) ibuf;
-
+
/* default_safe_sumtype */
if ((kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain)))
goto cleanup;
@@ -484,14 +484,14 @@ krb5_context_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet *
&bp, &remain);
if (kret && (kret != EINVAL) && (kret != ENOENT))
goto cleanup;
-
+
/* Attempt to read in the profile */
kret = krb5_internalize_opaque(kcontext, PROF_MAGIC_PROFILE,
(krb5_pointer *) &context->profile,
&bp, &remain);
if (kret && (kret != EINVAL) && (kret != ENOENT))
goto cleanup;
-
+
/* Finally, find the trailer */
if ((kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain)))
goto cleanup;
@@ -590,7 +590,7 @@ krb5_oscontext_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet
kret = ENOMEM;
/* Get memory for the context */
- if ((os_ctx = (krb5_os_context)
+ if ((os_ctx = (krb5_os_context)
calloc(1, sizeof(struct _krb5_os_context))) &&
(remain >= 4*sizeof(krb5_int32))) {
os_ctx->magic = KV5M_OS_CONTEXT;
diff --git a/src/lib/krb5/krb/ser_eblk.c b/src/lib/krb5/krb/ser_eblk.c
index 8bce41cf1a..894a43e77c 100644
--- a/src/lib/krb5/krb/ser_eblk.c
+++ b/src/lib/krb5/krb/ser_eblk.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/ser_eblk.c
*
@@ -34,211 +35,211 @@
/*
* Routines to deal with externalizing the krb5_encrypt_block:
- * krb5_encrypt_block_size();
- * krb5_encrypt_block_externalize();
- * krb5_encrypt_block_internalize();
+ * krb5_encrypt_block_size();
+ * krb5_encrypt_block_externalize();
+ * krb5_encrypt_block_internalize();
*/
static krb5_error_code krb5_encrypt_block_size
- (krb5_context, krb5_pointer, size_t *);
+(krb5_context, krb5_pointer, size_t *);
static krb5_error_code krb5_encrypt_block_externalize
- (krb5_context, krb5_pointer, krb5_octet **, size_t *);
+(krb5_context, krb5_pointer, krb5_octet **, size_t *);
static krb5_error_code krb5_encrypt_block_internalize
- (krb5_context,krb5_pointer *, krb5_octet **, size_t *);
+(krb5_context,krb5_pointer *, krb5_octet **, size_t *);
/* Local data */
static const krb5_ser_entry krb5_encrypt_block_ser_entry = {
- KV5M_ENCRYPT_BLOCK, /* Type */
- krb5_encrypt_block_size, /* Sizer routine */
- krb5_encrypt_block_externalize, /* Externalize routine */
- krb5_encrypt_block_internalize /* Internalize routine */
+ KV5M_ENCRYPT_BLOCK, /* Type */
+ krb5_encrypt_block_size, /* Sizer routine */
+ krb5_encrypt_block_externalize, /* Externalize routine */
+ krb5_encrypt_block_internalize /* Internalize routine */
};
/*
- * krb5_encrypt_block_size() - Determine the size required to externalize
- * the krb5_encrypt_block.
+ * krb5_encrypt_block_size() - Determine the size required to externalize
+ * the krb5_encrypt_block.
*/
static krb5_error_code
krb5_encrypt_block_size(kcontext, arg, sizep)
- krb5_context kcontext;
- krb5_pointer arg;
- size_t *sizep;
+ krb5_context kcontext;
+ krb5_pointer arg;
+ size_t *sizep;
{
- krb5_error_code kret;
- krb5_encrypt_block *encrypt_block;
- size_t required;
+ krb5_error_code kret;
+ krb5_encrypt_block *encrypt_block;
+ size_t required;
/*
* NOTE: This ASSuMES that enctype are sufficient to recreate
* the _krb5_cryptosystem_entry. If this is not true, then something else
* had better be encoded here.
- *
+ *
* krb5_encrypt_block base requirements:
- * krb5_int32 for KV5M_ENCRYPT_BLOCK
- * krb5_int32 for enctype
- * krb5_int32 for private length
- * encrypt_block->priv_size for private contents
- * krb5_int32 for KV5M_ENCRYPT_BLOCK
+ * krb5_int32 for KV5M_ENCRYPT_BLOCK
+ * krb5_int32 for enctype
+ * krb5_int32 for private length
+ * encrypt_block->priv_size for private contents
+ * krb5_int32 for KV5M_ENCRYPT_BLOCK
*/
kret = EINVAL;
if ((encrypt_block = (krb5_encrypt_block *) arg)) {
- required = (sizeof(krb5_int32) +
- sizeof(krb5_int32) +
- sizeof(krb5_int32) +
- sizeof(krb5_int32) +
- sizeof(krb5_int32) +
- (size_t) encrypt_block->priv_size);
- if (encrypt_block->key)
- kret = krb5_size_opaque(kcontext,
- KV5M_KEYBLOCK,
- (krb5_pointer) encrypt_block->key,
- &required);
- else
- kret = 0;
- if (!kret)
- *sizep += required;
+ required = (sizeof(krb5_int32) +
+ sizeof(krb5_int32) +
+ sizeof(krb5_int32) +
+ sizeof(krb5_int32) +
+ sizeof(krb5_int32) +
+ (size_t) encrypt_block->priv_size);
+ if (encrypt_block->key)
+ kret = krb5_size_opaque(kcontext,
+ KV5M_KEYBLOCK,
+ (krb5_pointer) encrypt_block->key,
+ &required);
+ else
+ kret = 0;
+ if (!kret)
+ *sizep += required;
}
return(kret);
}
/*
- * krb5_encrypt_block_externalize() - Externalize the krb5_encrypt_block.
+ * krb5_encrypt_block_externalize() - Externalize the krb5_encrypt_block.
*/
static krb5_error_code
krb5_encrypt_block_externalize(kcontext, arg, buffer, lenremain)
- krb5_context kcontext;
- krb5_pointer arg;
- krb5_octet **buffer;
- size_t *lenremain;
+ krb5_context kcontext;
+ krb5_pointer arg;
+ krb5_octet **buffer;
+ size_t *lenremain;
{
- krb5_error_code kret;
- krb5_encrypt_block *encrypt_block;
- size_t required;
- krb5_octet *bp;
- size_t remain;
+ krb5_error_code kret;
+ krb5_encrypt_block *encrypt_block;
+ size_t required;
+ krb5_octet *bp;
+ size_t remain;
required = 0;
bp = *buffer;
remain = *lenremain;
kret = EINVAL;
if ((encrypt_block = (krb5_encrypt_block *) arg)) {
- kret = ENOMEM;
- if (!krb5_encrypt_block_size(kcontext, arg, &required) &&
- (required <= remain)) {
- /* Our identifier */
- (void) krb5_ser_pack_int32(KV5M_ENCRYPT_BLOCK, &bp, &remain);
-
- /* Our enctype */
- (void) krb5_ser_pack_int32((krb5_int32) encrypt_block->
- crypto_entry->proto_enctype,
- &bp, &remain);
+ kret = ENOMEM;
+ if (!krb5_encrypt_block_size(kcontext, arg, &required) &&
+ (required <= remain)) {
+ /* Our identifier */
+ (void) krb5_ser_pack_int32(KV5M_ENCRYPT_BLOCK, &bp, &remain);
- /* Our length */
- (void) krb5_ser_pack_int32((krb5_int32) encrypt_block->priv_size,
- &bp, &remain);
+ /* Our enctype */
+ (void) krb5_ser_pack_int32((krb5_int32) encrypt_block->
+ crypto_entry->proto_enctype,
+ &bp, &remain);
- /* Our private data */
- (void) krb5_ser_pack_bytes(encrypt_block->priv,
- (size_t) encrypt_block->priv_size,
- &bp, &remain);
+ /* Our length */
+ (void) krb5_ser_pack_int32((krb5_int32) encrypt_block->priv_size,
+ &bp, &remain);
- /* Finally, the key data */
- if (encrypt_block->key)
- kret = krb5_externalize_opaque(kcontext,
- KV5M_KEYBLOCK,
- (krb5_pointer)
- encrypt_block->key,
- &bp,
- &remain);
- else
- kret = 0;
+ /* Our private data */
+ (void) krb5_ser_pack_bytes(encrypt_block->priv,
+ (size_t) encrypt_block->priv_size,
+ &bp, &remain);
- if (!kret) {
- /* Write trailer */
- (void) krb5_ser_pack_int32(KV5M_ENCRYPT_BLOCK, &bp, &remain);
- *buffer = bp;
- *lenremain = remain;
- }
- }
+ /* Finally, the key data */
+ if (encrypt_block->key)
+ kret = krb5_externalize_opaque(kcontext,
+ KV5M_KEYBLOCK,
+ (krb5_pointer)
+ encrypt_block->key,
+ &bp,
+ &remain);
+ else
+ kret = 0;
+
+ if (!kret) {
+ /* Write trailer */
+ (void) krb5_ser_pack_int32(KV5M_ENCRYPT_BLOCK, &bp, &remain);
+ *buffer = bp;
+ *lenremain = remain;
+ }
+ }
}
return(kret);
}
/*
- * krb5_encrypt_block_internalize() - Internalize the krb5_encrypt_block.
+ * krb5_encrypt_block_internalize() - Internalize the krb5_encrypt_block.
*/
static krb5_error_code
krb5_encrypt_block_internalize(kcontext, argp, buffer, lenremain)
- krb5_context kcontext;
- krb5_pointer *argp;
- krb5_octet **buffer;
- size_t *lenremain;
+ krb5_context kcontext;
+ krb5_pointer *argp;
+ krb5_octet **buffer;
+ size_t *lenremain;
{
- krb5_error_code kret;
- krb5_encrypt_block *encrypt_block;
- krb5_int32 ibuf;
- krb5_enctype ktype;
- krb5_octet *bp;
- size_t remain;
+ krb5_error_code kret;
+ krb5_encrypt_block *encrypt_block;
+ krb5_int32 ibuf;
+ krb5_enctype ktype;
+ krb5_octet *bp;
+ size_t remain;
bp = *buffer;
remain = *lenremain;
kret = EINVAL;
/* Read our magic number */
if (krb5_ser_unpack_int32(&ibuf, &bp, &remain))
- ibuf = 0;
+ ibuf = 0;
if (ibuf == KV5M_ENCRYPT_BLOCK) {
- kret = ENOMEM;
+ kret = ENOMEM;
- /* Get an encrypt_block */
- if ((remain >= (3*sizeof(krb5_int32))) &&
- (encrypt_block = (krb5_encrypt_block *)
- calloc(1, sizeof(krb5_encrypt_block)))) {
- /* Get the enctype */
- (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- ktype = (krb5_enctype) ibuf;
+ /* Get an encrypt_block */
+ if ((remain >= (3*sizeof(krb5_int32))) &&
+ (encrypt_block = (krb5_encrypt_block *)
+ calloc(1, sizeof(krb5_encrypt_block)))) {
+ /* Get the enctype */
+ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ ktype = (krb5_enctype) ibuf;
- /* Use the ktype to determine the crypto_system entry. */
- krb5_use_enctype(kcontext, encrypt_block, ktype);
+ /* Use the ktype to determine the crypto_system entry. */
+ krb5_use_enctype(kcontext, encrypt_block, ktype);
- /* Get the length */
- (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- encrypt_block->priv_size = (int) ibuf;
+ /* Get the length */
+ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ encrypt_block->priv_size = (int) ibuf;
- /* Get the string */
- if (!ibuf ||
- ((encrypt_block->priv = (void *) malloc((size_t) (ibuf))) &&
- !(kret = krb5_ser_unpack_bytes((krb5_octet *)
- encrypt_block->priv,
- (size_t)
- encrypt_block->priv_size,
- &bp, &remain)))) {
- kret = krb5_internalize_opaque(kcontext,
- KV5M_KEYBLOCK,
- (krb5_pointer *)
- &encrypt_block->key,
- &bp,
- &remain);
- if (kret == EINVAL)
- kret = 0;
+ /* Get the string */
+ if (!ibuf ||
+ ((encrypt_block->priv = (void *) malloc((size_t) (ibuf))) &&
+ !(kret = krb5_ser_unpack_bytes((krb5_octet *)
+ encrypt_block->priv,
+ (size_t)
+ encrypt_block->priv_size,
+ &bp, &remain)))) {
+ kret = krb5_internalize_opaque(kcontext,
+ KV5M_KEYBLOCK,
+ (krb5_pointer *)
+ &encrypt_block->key,
+ &bp,
+ &remain);
+ if (kret == EINVAL)
+ kret = 0;
- if (!kret) {
- kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- if (!kret && (ibuf == KV5M_ENCRYPT_BLOCK)) {
- *buffer = bp;
- *lenremain = remain;
- encrypt_block->magic = KV5M_ENCRYPT_BLOCK;
- *argp = (krb5_pointer) encrypt_block;
- }
- else
- kret = EINVAL;
- }
- }
- if (kret) {
- if (encrypt_block->priv)
- free(encrypt_block->priv);
- free(encrypt_block);
- }
- }
+ if (!kret) {
+ kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ if (!kret && (ibuf == KV5M_ENCRYPT_BLOCK)) {
+ *buffer = bp;
+ *lenremain = remain;
+ encrypt_block->magic = KV5M_ENCRYPT_BLOCK;
+ *argp = (krb5_pointer) encrypt_block;
+ }
+ else
+ kret = EINVAL;
+ }
+ }
+ if (kret) {
+ if (encrypt_block->priv)
+ free(encrypt_block->priv);
+ free(encrypt_block);
+ }
+ }
}
return(kret);
}
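Review bot: In krb5_encrypt_block_internalize the private-data length read from the buffer is cast with `malloc((size_t) (ibuf))` before anything checks it for a negative value or compares it with `remain`, so a malformed serialized blob chooses the allocation size. Putting `ibuf > 0 && (size_t) ibuf <= remain &&` ahead of the `malloc` term in the "Get the string" condition would reject such input before allocating. Whether krb5_ser_unpack_bytes bounds the copy itself is not visible in this diff, so the allocation is the part that is certainly unchecked. The same length handling appears in krb5_keyblock_internalize in ser_key.c and in krb5_checksum_internalize earlier on this page.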
@@ -248,7 +249,7 @@ krb5_encrypt_block_internalize(kcontext, argp, buffer, lenremain)
*/
krb5_error_code
krb5_ser_encrypt_block_init(kcontext)
- krb5_context kcontext;
+ krb5_context kcontext;
{
return(krb5_register_serializer(kcontext, &krb5_encrypt_block_ser_entry));
}
diff --git a/src/lib/krb5/krb/ser_key.c b/src/lib/krb5/krb/ser_key.c
index 25522de7bf..f441e986fb 100644
--- a/src/lib/krb5/krb/ser_key.c
+++ b/src/lib/krb5/krb/ser_key.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/ser_key.c
*
@@ -33,157 +34,157 @@
/*
* Routines to deal with externalizing the krb5_keyblock:
- * krb5_keyblock_size();
- * krb5_keyblock_externalize();
- * krb5_keyblock_internalize();
+ * krb5_keyblock_size();
+ * krb5_keyblock_externalize();
+ * krb5_keyblock_internalize();
*/
static krb5_error_code krb5_keyblock_size
- (krb5_context, krb5_pointer, size_t *);
+(krb5_context, krb5_pointer, size_t *);
static krb5_error_code krb5_keyblock_externalize
- (krb5_context, krb5_pointer, krb5_octet **, size_t *);
+(krb5_context, krb5_pointer, krb5_octet **, size_t *);
static krb5_error_code krb5_keyblock_internalize
- (krb5_context,krb5_pointer *, krb5_octet **, size_t *);
+(krb5_context,krb5_pointer *, krb5_octet **, size_t *);
/* Local data */
static const krb5_ser_entry krb5_keyblock_ser_entry = {
- KV5M_KEYBLOCK, /* Type */
- krb5_keyblock_size, /* Sizer routine */
- krb5_keyblock_externalize, /* Externalize routine */
- krb5_keyblock_internalize /* Internalize routine */
+ KV5M_KEYBLOCK, /* Type */
+ krb5_keyblock_size, /* Sizer routine */
+ krb5_keyblock_externalize, /* Externalize routine */
+ krb5_keyblock_internalize /* Internalize routine */
};
/*
- * krb5_keyblock_size() - Determine the size required to externalize
- * the krb5_keyblock.
+ * krb5_keyblock_size() - Determine the size required to externalize
+ * the krb5_keyblock.
*/
static krb5_error_code
krb5_keyblock_size(krb5_context kcontext, krb5_pointer arg, size_t *sizep)
{
- krb5_error_code kret;
- krb5_keyblock *keyblock;
+ krb5_error_code kret;
+ krb5_keyblock *keyblock;
/*
* krb5_keyblock requires:
- * krb5_int32 for KV5M_KEYBLOCK
- * krb5_int32 for enctype
- * krb5_int32 for length
- * keyblock->length for contents
- * krb5_int32 for KV5M_KEYBLOCK
+ * krb5_int32 for KV5M_KEYBLOCK
+ * krb5_int32 for enctype
+ * krb5_int32 for length
+ * keyblock->length for contents
+ * krb5_int32 for KV5M_KEYBLOCK
*/
kret = EINVAL;
if ((keyblock = (krb5_keyblock *) arg)) {
- *sizep += (sizeof(krb5_int32) +
- sizeof(krb5_int32) +
- sizeof(krb5_int32) +
- sizeof(krb5_int32) +
- sizeof(krb5_int32) +
- (size_t) keyblock->length);
- kret = 0;
+ *sizep += (sizeof(krb5_int32) +
+ sizeof(krb5_int32) +
+ sizeof(krb5_int32) +
+ sizeof(krb5_int32) +
+ sizeof(krb5_int32) +
+ (size_t) keyblock->length);
+ kret = 0;
}
return(kret);
}
/*
- * krb5_keyblock_externalize() - Externalize the krb5_keyblock.
+ * krb5_keyblock_externalize() - Externalize the krb5_keyblock.
*/
static krb5_error_code
krb5_keyblock_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet **buffer, size_t *lenremain)
{
- krb5_error_code kret;
- krb5_keyblock *keyblock;
- size_t required;
- krb5_octet *bp;
- size_t remain;
+ krb5_error_code kret;
+ krb5_keyblock *keyblock;
+ size_t required;
+ krb5_octet *bp;
+ size_t remain;
required = 0;
bp = *buffer;
remain = *lenremain;
kret = EINVAL;
if ((keyblock = (krb5_keyblock *) arg)) {
- kret = ENOMEM;
- if (!krb5_keyblock_size(kcontext, arg, &required) &&
- (required <= remain)) {
- /* Our identifier */
- (void) krb5_ser_pack_int32(KV5M_KEYBLOCK, &bp, &remain);
-
- /* Our enctype */
- (void) krb5_ser_pack_int32((krb5_int32) keyblock->enctype,
- &bp, &remain);
+ kret = ENOMEM;
+ if (!krb5_keyblock_size(kcontext, arg, &required) &&
+ (required <= remain)) {
+ /* Our identifier */
+ (void) krb5_ser_pack_int32(KV5M_KEYBLOCK, &bp, &remain);
- /* Our length */
- (void) krb5_ser_pack_int32((krb5_int32) keyblock->length,
- &bp, &remain);
+ /* Our enctype */
+ (void) krb5_ser_pack_int32((krb5_int32) keyblock->enctype,
+ &bp, &remain);
- /* Our contents */
- (void) krb5_ser_pack_bytes(keyblock->contents,
- (size_t) keyblock->length,
- &bp, &remain);
+ /* Our length */
+ (void) krb5_ser_pack_int32((krb5_int32) keyblock->length,
+ &bp, &remain);
- /* Finally, our trailer */
- (void) krb5_ser_pack_int32(KV5M_KEYBLOCK, &bp, &remain);
+ /* Our contents */
+ (void) krb5_ser_pack_bytes(keyblock->contents,
+ (size_t) keyblock->length,
+ &bp, &remain);
- kret = 0;
- *buffer = bp;
- *lenremain = remain;
- }
+ /* Finally, our trailer */
+ (void) krb5_ser_pack_int32(KV5M_KEYBLOCK, &bp, &remain);
+
+ kret = 0;
+ *buffer = bp;
+ *lenremain = remain;
+ }
}
return(kret);
}
/*
- * krb5_keyblock_internalize() - Internalize the krb5_keyblock.
+ * krb5_keyblock_internalize() - Internalize the krb5_keyblock.
*/
static krb5_error_code
krb5_keyblock_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet **buffer, size_t *lenremain)
{
- krb5_error_code kret;
- krb5_keyblock *keyblock;
- krb5_int32 ibuf;
- krb5_octet *bp;
- size_t remain;
+ krb5_error_code kret;
+ krb5_keyblock *keyblock;
+ krb5_int32 ibuf;
+ krb5_octet *bp;
+ size_t remain;
bp = *buffer;
remain = *lenremain;
kret = EINVAL;
/* Read our magic number */
if (krb5_ser_unpack_int32(&ibuf, &bp, &remain))
- ibuf = 0;
+ ibuf = 0;
if (ibuf == KV5M_KEYBLOCK) {
- kret = ENOMEM;
+ kret = ENOMEM;
- /* Get a keyblock */
- if ((remain >= (3*sizeof(krb5_int32))) &&
- (keyblock = (krb5_keyblock *) calloc(1, sizeof(krb5_keyblock)))) {
- /* Get the enctype */
- (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- keyblock->enctype = (krb5_enctype) ibuf;
+ /* Get a keyblock */
+ if ((remain >= (3*sizeof(krb5_int32))) &&
+ (keyblock = (krb5_keyblock *) calloc(1, sizeof(krb5_keyblock)))) {
+ /* Get the enctype */
+ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ keyblock->enctype = (krb5_enctype) ibuf;
- /* Get the length */
- (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- keyblock->length = (int) ibuf;
+ /* Get the length */
+ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ keyblock->length = (int) ibuf;
- /* Get the string */
- if ((keyblock->contents = (krb5_octet *) malloc((size_t) (ibuf)))&&
- !(kret = krb5_ser_unpack_bytes(keyblock->contents,
- (size_t) ibuf,
- &bp, &remain))) {
- kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- if (!kret && (ibuf == KV5M_KEYBLOCK)) {
- kret = 0;
- *buffer = bp;
- *lenremain = remain;
- keyblock->magic = KV5M_KEYBLOCK;
- *argp = (krb5_pointer) keyblock;
- }
- else
- kret = EINVAL;
- }
- if (kret) {
- if (keyblock->contents)
- free(keyblock->contents);
- free(keyblock);
- }
- }
+ /* Get the string */
+ if ((keyblock->contents = (krb5_octet *) malloc((size_t) (ibuf)))&&
+ !(kret = krb5_ser_unpack_bytes(keyblock->contents,
+ (size_t) ibuf,
+ &bp, &remain))) {
+ kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ if (!kret && (ibuf == KV5M_KEYBLOCK)) {
+ kret = 0;
+ *buffer = bp;
+ *lenremain = remain;
+ keyblock->magic = KV5M_KEYBLOCK;
+ *argp = (krb5_pointer) keyblock;
+ }
+ else
+ kret = EINVAL;
+ }
+ if (kret) {
+ if (keyblock->contents)
+ free(keyblock->contents);
+ free(keyblock);
+ }
+ }
}
return(kret);
}
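Review bot: The failure path of krb5_keyblock_internalize releases `keyblock->contents` with a plain `free`, so key bytes already unpacked from the buffer stay readable in freed heap memory, for example when the trailer check ends in `kret = EINVAL`. Clearing the buffer before `free(keyblock->contents);` avoids that; the tree's zeroizing helper (`zap` from k5-int.h, if this file includes it) is a better fit than a bare `memset`, which a compiler may drop ahead of `free`. A comment on that branch such as `/* wipe partial key material before release */` would record the intent.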
diff --git a/src/lib/krb5/krb/ser_princ.c b/src/lib/krb5/krb/ser_princ.c
index cb90154ffe..d93fbbe7a6 100644
--- a/src/lib/krb5/krb/ser_princ.c
+++ b/src/lib/krb5/krb/ser_princ.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/ser_princ.c
*
@@ -33,103 +34,103 @@
/*
* Routines to deal with externalizing the krb5_principal:
- * krb5_principal_size();
- * krb5_principal_externalize();
- * krb5_principal_internalize();
+ * krb5_principal_size();
+ * krb5_principal_externalize();
+ * krb5_principal_internalize();
*/
static krb5_error_code krb5_principal_size
- (krb5_context, krb5_pointer, size_t *);
+(krb5_context, krb5_pointer, size_t *);
static krb5_error_code krb5_principal_externalize
- (krb5_context, krb5_pointer, krb5_octet **, size_t *);
+(krb5_context, krb5_pointer, krb5_octet **, size_t *);
static krb5_error_code krb5_principal_internalize
- (krb5_context,krb5_pointer *, krb5_octet **, size_t *);
+(krb5_context,krb5_pointer *, krb5_octet **, size_t *);
/* Local data */
static const krb5_ser_entry krb5_principal_ser_entry = {
- KV5M_PRINCIPAL, /* Type */
- krb5_principal_size, /* Sizer routine */
- krb5_principal_externalize, /* Externalize routine */
- krb5_principal_internalize /* Internalize routine */
+ KV5M_PRINCIPAL, /* Type */
+ krb5_principal_size, /* Sizer routine */
+ krb5_principal_externalize, /* Externalize routine */
+ krb5_principal_internalize /* Internalize routine */
};
/*
- * krb5_principal_size() - Determine the size required to externalize
- * the krb5_principal.
+ * krb5_principal_size() - Determine the size required to externalize
+ * the krb5_principal.
*/
static krb5_error_code
krb5_principal_size(krb5_context kcontext, krb5_pointer arg, size_t *sizep)
{
- krb5_error_code kret;
- krb5_principal principal;
- char *fname;
+ krb5_error_code kret;
+ krb5_principal principal;
+ char *fname;
/*
* krb5_principal requires:
- * krb5_int32 for KV5M_PRINCIPAL
- * krb5_int32 for flattened name size
- * strlen(name) for name.
- * krb5_int32 for KV5M_PRINCIPAL
+ * krb5_int32 for KV5M_PRINCIPAL
+ * krb5_int32 for flattened name size
+ * strlen(name) for name.
+ * krb5_int32 for KV5M_PRINCIPAL
*/
kret = EINVAL;
if ((principal = (krb5_principal) arg) &&
- !(kret = krb5_unparse_name(kcontext, principal, &fname))) {
- *sizep += (3*sizeof(krb5_int32)) + strlen(fname);
- free(fname);
+ !(kret = krb5_unparse_name(kcontext, principal, &fname))) {
+ *sizep += (3*sizeof(krb5_int32)) + strlen(fname);
+ free(fname);
}
return(kret);
}
/*
- * krb5_principal_externalize() - Externalize the krb5_principal.
+ * krb5_principal_externalize() - Externalize the krb5_principal.
*/
static krb5_error_code
krb5_principal_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet **buffer, size_t *lenremain)
{
- krb5_error_code kret;
- krb5_principal principal;
- size_t required;
- krb5_octet *bp;
- size_t remain;
- char *fname;
+ krb5_error_code kret;
+ krb5_principal principal;
+ size_t required;
+ krb5_octet *bp;
+ size_t remain;
+ char *fname;
required = 0;
bp = *buffer;
remain = *lenremain;
kret = EINVAL;
if ((principal = (krb5_principal) arg)) {
- kret = ENOMEM;
- if (!krb5_principal_size(kcontext, arg, &required) &&
- (required <= remain)) {
- if (!(kret = krb5_unparse_name(kcontext, principal, &fname))) {
+ kret = ENOMEM;
+ if (!krb5_principal_size(kcontext, arg, &required) &&
+ (required <= remain)) {
+ if (!(kret = krb5_unparse_name(kcontext, principal, &fname))) {
- (void) krb5_ser_pack_int32(KV5M_PRINCIPAL, &bp, &remain);
- (void) krb5_ser_pack_int32((krb5_int32) strlen(fname),
- &bp, &remain);
- (void) krb5_ser_pack_bytes((krb5_octet *) fname,
- strlen(fname), &bp, &remain);
- (void) krb5_ser_pack_int32(KV5M_PRINCIPAL, &bp, &remain);
- *buffer = bp;
- *lenremain = remain;
+ (void) krb5_ser_pack_int32(KV5M_PRINCIPAL, &bp, &remain);
+ (void) krb5_ser_pack_int32((krb5_int32) strlen(fname),
+ &bp, &remain);
+ (void) krb5_ser_pack_bytes((krb5_octet *) fname,
+ strlen(fname), &bp, &remain);
+ (void) krb5_ser_pack_int32(KV5M_PRINCIPAL, &bp, &remain);
+ *buffer = bp;
+ *lenremain = remain;
- free(fname);
- }
- }
+ free(fname);
+ }
+ }
}
return(kret);
}
/*
- * krb5_principal_internalize() - Internalize the krb5_principal.
+ * krb5_principal_internalize() - Internalize the krb5_principal.
*/
static krb5_error_code
krb5_principal_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet **buffer, size_t *lenremain)
{
- krb5_error_code kret;
- krb5_principal principal = NULL;
- krb5_int32 ibuf;
- krb5_octet *bp;
- size_t remain;
- char *tmpname = NULL;
+ krb5_error_code kret;
+ krb5_principal principal = NULL;
+ krb5_int32 ibuf;
+ krb5_octet *bp;
+ size_t remain;
+ char *tmpname = NULL;
*argp = NULL;
bp = *buffer;
@@ -137,28 +138,28 @@ krb5_principal_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet
/* Read our magic number */
if (krb5_ser_unpack_int32(&ibuf, &bp, &remain) || ibuf != KV5M_PRINCIPAL)
- return EINVAL;
+ return EINVAL;
/* Read the principal name */
kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
if (kret)
- return kret;
+ return kret;
tmpname = malloc(ibuf + 1);
kret = krb5_ser_unpack_bytes((krb5_octet *) tmpname, (size_t) ibuf,
- &bp, &remain);
+ &bp, &remain);
if (kret)
- goto cleanup;
+ goto cleanup;
tmpname[ibuf] = '\0';
/* Parse the name to a principal structure */
kret = krb5_parse_name(kcontext, tmpname, &principal);
if (kret)
- goto cleanup;
+ goto cleanup;
/* Read the trailing magic number */
if (krb5_ser_unpack_int32(&ibuf, &bp, &remain) || ibuf != KV5M_PRINCIPAL) {
- kret = EINVAL;
- goto cleanup;
+ kret = EINVAL;
+ goto cleanup;
}
*buffer = bp;
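Review bot: `tmpname = malloc(ibuf + 1);` is used without a NULL check, so an allocation failure hands a null destination to krb5_ser_unpack_bytes and then to `tmpname[ibuf] = '\0'`. `ibuf` also comes straight from the serialized buffer, so a negative or oversized value reaches the `ibuf + 1` arithmetic and the index unchecked. Adding `if (ibuf < 0 || (size_t) ibuf > remain) return EINVAL;` before the allocation and `if (tmpname == NULL) return ENOMEM;` after it covers both cases. The function begins in the previous hunk and its cleanup label is in the next one.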
@@ -166,7 +167,7 @@ krb5_principal_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet
*argp = principal;
cleanup:
if (kret)
- krb5_free_principal(kcontext, principal);
+ krb5_free_principal(kcontext, principal);
free(tmpname);
return kret;
}
diff --git a/src/lib/krb5/krb/serialize.c b/src/lib/krb5/krb/serialize.c
index d1edcf239e..4e08aa93e5 100644
--- a/src/lib/krb5/krb/serialize.c
+++ b/src/lib/krb5/krb/serialize.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/serialize.c
*
@@ -31,94 +32,94 @@
#include "k5-int.h"
/*
- * krb5_find_serializer() - See if a particular type is registered.
+ * krb5_find_serializer() - See if a particular type is registered.
*/
krb5_ser_handle
krb5_find_serializer(krb5_context kcontext, krb5_magic odtype)
{
- krb5_ser_handle res;
- krb5_ser_handle sctx;
- int i;
+ krb5_ser_handle res;
+ krb5_ser_handle sctx;
+ int i;
res = (krb5_ser_handle) NULL;
sctx = (krb5_ser_handle) kcontext->ser_ctx;
for (i=0; i<kcontext->ser_ctx_count; i++) {
- if (sctx[i].odtype == odtype) {
- res = &sctx[i];
- break;
- }
+ if (sctx[i].odtype == odtype) {
+ res = &sctx[i];
+ break;
+ }
}
return(res);
}
/*
- * krb5_register_serializer() - Register a particular serializer.
+ * krb5_register_serializer() - Register a particular serializer.
*/
krb5_error_code
krb5_register_serializer(krb5_context kcontext, const krb5_ser_entry *entry)
{
- krb5_error_code kret;
- krb5_ser_entry * stable;
+ krb5_error_code kret;
+ krb5_ser_entry * stable;
kret = 0;
/* See if it's already there, if so, we're good to go. */
if (!(stable = (krb5_ser_entry *)krb5_find_serializer(kcontext,
- entry->odtype))) {
- /*
- * Can't find our type. Create a new entry.
- */
- if ((stable = (krb5_ser_entry *) malloc(sizeof(krb5_ser_entry) *
- (kcontext->ser_ctx_count+1)))) {
- /* Copy in old table */
- if (kcontext->ser_ctx_count)
- memcpy(stable, kcontext->ser_ctx,
- sizeof(krb5_ser_entry) * kcontext->ser_ctx_count);
- /* Copy in new entry */
- memcpy(&stable[kcontext->ser_ctx_count], entry,
- sizeof(krb5_ser_entry));
- if (kcontext->ser_ctx) free(kcontext->ser_ctx);
- kcontext->ser_ctx = (void *) stable;
- kcontext->ser_ctx_count++;
- }
- else
- kret = ENOMEM;
+ entry->odtype))) {
+ /*
+ * Can't find our type. Create a new entry.
+ */
+ if ((stable = (krb5_ser_entry *) malloc(sizeof(krb5_ser_entry) *
+ (kcontext->ser_ctx_count+1)))) {
+ /* Copy in old table */
+ if (kcontext->ser_ctx_count)
+ memcpy(stable, kcontext->ser_ctx,
+ sizeof(krb5_ser_entry) * kcontext->ser_ctx_count);
+ /* Copy in new entry */
+ memcpy(&stable[kcontext->ser_ctx_count], entry,
+ sizeof(krb5_ser_entry));
+ if (kcontext->ser_ctx) free(kcontext->ser_ctx);
+ kcontext->ser_ctx = (void *) stable;
+ kcontext->ser_ctx_count++;
+ }
+ else
+ kret = ENOMEM;
}
else
- *stable = *entry;
+ *stable = *entry;
return(kret);
}
/*
- * krb5_size_opaque() - Determine the size necessary to serialize a given
- * piece of opaque data.
+ * krb5_size_opaque() - Determine the size necessary to serialize a given
+ * piece of opaque data.
*/
krb5_error_code KRB5_CALLCONV
krb5_size_opaque(krb5_context kcontext, krb5_magic odtype, krb5_pointer arg, size_t *sizep)
{
- krb5_error_code kret;
- krb5_ser_handle shandle;
+ krb5_error_code kret;
+ krb5_ser_handle shandle;
kret = ENOENT;
/* See if the type is supported, if so, do it */
if ((shandle = krb5_find_serializer(kcontext, odtype)))
- kret = (shandle->sizer) ? (*shandle->sizer)(kcontext, arg, sizep) : 0;
+ kret = (shandle->sizer) ? (*shandle->sizer)(kcontext, arg, sizep) : 0;
return(kret);
}
/*
- * krb5_externalize_opaque() - Externalize a piece of opaque data.
+ * krb5_externalize_opaque() - Externalize a piece of opaque data.
*/
krb5_error_code KRB5_CALLCONV
krb5_externalize_opaque(krb5_context kcontext, krb5_magic odtype, krb5_pointer arg, krb5_octet **bufpp, size_t *sizep)
{
- krb5_error_code kret;
- krb5_ser_handle shandle;
+ krb5_error_code kret;
+ krb5_ser_handle shandle;
kret = ENOENT;
/* See if the type is supported, if so, do it */
if ((shandle = krb5_find_serializer(kcontext, odtype)))
- kret = (shandle->externalizer) ?
- (*shandle->externalizer)(kcontext, arg, bufpp, sizep) : 0;
+ kret = (shandle->externalizer) ?
+ (*shandle->externalizer)(kcontext, arg, bufpp, sizep) : 0;
return(kret);
}
@@ -128,146 +129,146 @@ krb5_externalize_opaque(krb5_context kcontext, krb5_magic odtype, krb5_pointer a
krb5_error_code
krb5_externalize_data(krb5_context kcontext, krb5_pointer arg, krb5_octet **bufpp, size_t *sizep)
{
- krb5_error_code kret;
- krb5_magic *mp;
- krb5_octet *buffer, *bp;
- size_t bufsize, bsize;
+ krb5_error_code kret;
+ krb5_magic *mp;
+ krb5_octet *buffer, *bp;
+ size_t bufsize, bsize;
mp = (krb5_magic *) arg;
bufsize = 0;
if (!(kret = krb5_size_opaque(kcontext, *mp, arg, &bufsize))) {
- if ((buffer = (krb5_octet *) malloc(bufsize))) {
- bp = buffer;
- bsize = bufsize;
- if (!(kret = krb5_externalize_opaque(kcontext,
- *mp,
- arg,
- &bp,
- &bsize))) {
- if (bsize != 0)
- bufsize -= bsize;
- *bufpp = buffer;
- *sizep = bufsize;
- }
- }
- else
- kret = ENOMEM;
+ if ((buffer = (krb5_octet *) malloc(bufsize))) {
+ bp = buffer;
+ bsize = bufsize;
+ if (!(kret = krb5_externalize_opaque(kcontext,
+ *mp,
+ arg,
+ &bp,
+ &bsize))) {
+ if (bsize != 0)
+ bufsize -= bsize;
+ *bufpp = buffer;
+ *sizep = bufsize;
+ }
+ }
+ else
+ kret = ENOMEM;
}
return(kret);
}
/*
- * krb5_internalize_opaque() - Convert external representation into a data
- * structure.
+ * krb5_internalize_opaque() - Convert external representation into a data
+ * structure.
*/
krb5_error_code KRB5_CALLCONV
krb5_internalize_opaque(krb5_context kcontext, krb5_magic odtype, krb5_pointer *argp, krb5_octet **bufpp, size_t *sizep)
{
- krb5_error_code kret;
- krb5_ser_handle shandle;
+ krb5_error_code kret;
+ krb5_ser_handle shandle;
kret = ENOENT;
/* See if the type is supported, if so, do it */
if ((shandle = krb5_find_serializer(kcontext, odtype)))
- kret = (shandle->internalizer) ?
- (*shandle->internalizer)(kcontext, argp, bufpp, sizep) : 0;
+ kret = (shandle->internalizer) ?
+ (*shandle->internalizer)(kcontext, argp, bufpp, sizep) : 0;
return(kret);
}
/*
- * krb5_ser_pack_int32() - Pack a 4-byte integer if space is available.
- * Update buffer pointer and remaining space.
+ * krb5_ser_pack_int32() - Pack a 4-byte integer if space is available.
+ * Update buffer pointer and remaining space.
*/
krb5_error_code KRB5_CALLCONV
krb5_ser_pack_int32(krb5_int32 iarg, krb5_octet **bufp, size_t *remainp)
{
if (*remainp >= sizeof(krb5_int32)) {
- store_32_be(iarg, *bufp);
- *bufp += sizeof(krb5_int32);
- *remainp -= sizeof(krb5_int32);
- return(0);
+ store_32_be(iarg, *bufp);
+ *bufp += sizeof(krb5_int32);
+ *remainp -= sizeof(krb5_int32);
+ return(0);
}
else
- return(ENOMEM);
+ return(ENOMEM);
}
/*
- * krb5_ser_pack_int64() - Pack an 8-byte integer if space is available.
- * Update buffer pointer and remaining space.
+ * krb5_ser_pack_int64() - Pack an 8-byte integer if space is available.
+ * Update buffer pointer and remaining space.
*/
krb5_error_code KRB5_CALLCONV
krb5_ser_pack_int64(krb5_int64 iarg, krb5_octet **bufp, size_t *remainp)
{
if (*remainp >= sizeof(krb5_int64)) {
- store_64_be(iarg, (unsigned char *)*bufp);
- *bufp += sizeof(krb5_int64);
- *remainp -= sizeof(krb5_int64);
- return(0);
+ store_64_be(iarg, (unsigned char *)*bufp);
+ *bufp += sizeof(krb5_int64);
+ *remainp -= sizeof(krb5_int64);
+ return(0);
}
else
- return(ENOMEM);
+ return(ENOMEM);
}
/*
- * krb5_ser_pack_bytes() - Pack a string of bytes.
+ * krb5_ser_pack_bytes() - Pack a string of bytes.
*/
krb5_error_code KRB5_CALLCONV
krb5_ser_pack_bytes(krb5_octet *ostring, size_t osize, krb5_octet **bufp, size_t *remainp)
{
if (*remainp >= osize) {
- memcpy(*bufp, ostring, osize);
- *bufp += osize;
- *remainp -= osize;
- return(0);
+ memcpy(*bufp, ostring, osize);
+ *bufp += osize;
+ *remainp -= osize;
+ return(0);
}
else
- return(ENOMEM);
+ return(ENOMEM);
}
/*
- * krb5_ser_unpack_int32() - Unpack a 4-byte integer if it's there.
+ * krb5_ser_unpack_int32() - Unpack a 4-byte integer if it's there.
*/
krb5_error_code KRB5_CALLCONV
krb5_ser_unpack_int32(krb5_int32 *intp, krb5_octet **bufp, size_t *remainp)
{
if (*remainp >= sizeof(krb5_int32)) {
- *intp = load_32_be(*bufp);
- *bufp += sizeof(krb5_int32);
- *remainp -= sizeof(krb5_int32);
- return(0);
+ *intp = load_32_be(*bufp);
+ *bufp += sizeof(krb5_int32);
+ *remainp -= sizeof(krb5_int32);
+ return(0);
}
else
- return(ENOMEM);
+ return(ENOMEM);
}
/*
- * krb5_ser_unpack_int64() - Unpack an 8-byte integer if it's there.
+ * krb5_ser_unpack_int64() - Unpack an 8-byte integer if it's there.
*/
krb5_error_code KRB5_CALLCONV
krb5_ser_unpack_int64(krb5_int64 *intp, krb5_octet **bufp, size_t *remainp)
{
if (*remainp >= sizeof(krb5_int64)) {
- *intp = load_64_be((unsigned char *)*bufp);
- *bufp += sizeof(krb5_int64);
- *remainp -= sizeof(krb5_int64);
- return(0);
+ *intp = load_64_be((unsigned char *)*bufp);
+ *bufp += sizeof(krb5_int64);
+ *remainp -= sizeof(krb5_int64);
+ return(0);
}
else
- return(ENOMEM);
+ return(ENOMEM);
}
/*
- * krb5_ser_unpack_bytes() - Unpack a byte string if it's there.
+ * krb5_ser_unpack_bytes() - Unpack a byte string if it's there.
*/
krb5_error_code KRB5_CALLCONV
krb5_ser_unpack_bytes(krb5_octet *istring, size_t isize, krb5_octet **bufp, size_t *remainp)
{
if (*remainp >= isize) {
- memcpy(istring, *bufp, isize);
- *bufp += isize;
- *remainp -= isize;
- return(0);
+ memcpy(istring, *bufp, isize);
+ *bufp += isize;
+ *remainp -= isize;
+ return(0);
}
else
- return(ENOMEM);
+ return(ENOMEM);
}
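Review bot: In krb5_externalize_data the malloc'd `buffer` is not released when krb5_externalize_opaque() returns an error: the pointer is handed to the caller only on the success branch, and the failure path falls straight through to `return(kret);`. Adding `else free(buffer);` after the inner success block closes the leak. The hunk spans several functions; this note concerns only krb5_externalize_data.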
diff --git a/src/lib/krb5/krb/set_realm.c b/src/lib/krb5/krb/set_realm.c
index 9a96cd1cad..0128f6cb18 100644
--- a/src/lib/krb5/krb/set_realm.c
+++ b/src/lib/krb5/krb/set_realm.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/set_realm.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -29,23 +30,21 @@
krb5_error_code KRB5_CALLCONV
krb5_set_principal_realm(krb5_context context, krb5_principal principal, const char *realm)
{
- size_t length;
- char *newrealm;
-
- if (!realm || !*realm)
- return -EINVAL;
+ size_t length;
+ char *newrealm;
- length = strlen(realm);
- newrealm = strdup(realm);
- if (!newrealm)
- return -ENOMEM;
-
- (void) free(krb5_princ_realm(context,principal)->data);
+ if (!realm || !*realm)
+ return -EINVAL;
- krb5_princ_realm(context, principal)->length = length;
- krb5_princ_realm(context, principal)->data = newrealm;
+ length = strlen(realm);
+ newrealm = strdup(realm);
+ if (!newrealm)
+ return -ENOMEM;
- return 0;
-}
+ (void) free(krb5_princ_realm(context,principal)->data);
+ krb5_princ_realm(context, principal)->length = length;
+ krb5_princ_realm(context, principal)->data = newrealm;
+ return 0;
+}
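Review bot: krb5_set_principal_realm returns `-EINVAL` and `-ENOMEM`, while the other krb5_error_code functions on this page (krb5_principal_internalize, krb5_register_serializer, krb5_get_server_rcache) return the positive errno values. A caller that compares the result with `ENOMEM`, or passes it to an error-message lookup, will not recognise the negated code. Unless some caller outside this view depends on the sign, the two returns should read `return EINVAL;` and `return ENOMEM;`.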
diff --git a/src/lib/krb5/krb/srv_dec_tkt.c b/src/lib/krb5/krb/srv_dec_tkt.c
index 0934e27e10..f266fa5e97 100644
--- a/src/lib/krb5/krb/srv_dec_tkt.c
+++ b/src/lib/krb5/krb/srv_dec_tkt.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/srv_dec_tkt.c
*
@@ -24,7 +25,7 @@
* or implied warranty.
*
*
- * Server decrypt ticket via keytab or keyblock.
+ * Server decrypt ticket via keytab or keyblock.
*
* Different from krb5_rd_req_decoded. (krb5/src/lib/krb5/krb/rd_req_dec.c)
* - No krb5_principal_compare or KRB5KRB_AP_ERR_BADMATCH error.
@@ -33,94 +34,94 @@
* - No address checking or KRB5KRB_AP_ERR_BADADDR error.
* - No time validation.
* - No permitted enctype validation or KRB5_NOPERM_ETYPE error.
- * - Does not free ticket->enc_part2 on error.
+ * - Does not free ticket->enc_part2 on error.
*/
#include <k5-int.h>
-#ifndef LEAN_CLIENT
+#ifndef LEAN_CLIENT
krb5_error_code KRB5_CALLCONV
krb5int_server_decrypt_ticket_keyblock(krb5_context context,
- const krb5_keyblock *key,
- krb5_ticket *ticket)
+ const krb5_keyblock *key,
+ krb5_ticket *ticket)
{
krb5_error_code retval;
krb5_data *realm;
krb5_transited *trans;
retval = krb5_decrypt_tkt_part(context, key, ticket);
- if (retval)
- goto done;
+ if (retval)
+ goto done;
trans = &ticket->enc_part2->transited;
realm = &ticket->enc_part2->client->realm;
if (trans->tr_contents.data && *trans->tr_contents.data) {
- retval = krb5_check_transited_list(context, &trans->tr_contents,
- realm, &ticket->server->realm);
- goto done;
+ retval = krb5_check_transited_list(context, &trans->tr_contents,
+ realm, &ticket->server->realm);
+ goto done;
}
- if (ticket->enc_part2->flags & TKT_FLG_INVALID) { /* ie, KDC_OPT_POSTDATED */
- retval = KRB5KRB_AP_ERR_TKT_INVALID;
- goto done;
+ if (ticket->enc_part2->flags & TKT_FLG_INVALID) { /* ie, KDC_OPT_POSTDATED */
+ retval = KRB5KRB_AP_ERR_TKT_INVALID;
+ goto done;
}
- done:
+done:
return retval;
}
krb5_error_code KRB5_CALLCONV
krb5_server_decrypt_ticket_keytab(krb5_context context,
- const krb5_keytab keytab,
- krb5_ticket *ticket)
+ const krb5_keytab keytab,
+ krb5_ticket *ticket)
{
- krb5_error_code retval;
- krb5_keytab_entry ktent;
+ krb5_error_code retval;
+ krb5_keytab_entry ktent;
retval = KRB5_KT_NOTFOUND;
if (keytab->ops->start_seq_get == NULL) {
- retval = krb5_kt_get_entry(context, keytab,
- ticket->server,
- ticket->enc_part.kvno,
- ticket->enc_part.enctype, &ktent);
- if (retval == 0) {
- retval = krb5int_server_decrypt_ticket_keyblock(context, &ktent.key, ticket);
-
- (void) krb5_free_keytab_entry_contents(context, &ktent);
- }
+ retval = krb5_kt_get_entry(context, keytab,
+ ticket->server,
+ ticket->enc_part.kvno,
+ ticket->enc_part.enctype, &ktent);
+ if (retval == 0) {
+ retval = krb5int_server_decrypt_ticket_keyblock(context, &ktent.key, ticket);
+
+ (void) krb5_free_keytab_entry_contents(context, &ktent);
+ }
} else {
- krb5_error_code code;
- krb5_kt_cursor cursor;
-
- retval = krb5_kt_start_seq_get(context, keytab, &cursor);
- if (retval != 0)
- goto map_error;
-
- while ((code = krb5_kt_next_entry(context, keytab,
- &ktent, &cursor)) == 0) {
- if (ktent.key.enctype != ticket->enc_part.enctype)
- continue;
-
- retval = krb5int_server_decrypt_ticket_keyblock(context, &ktent.key, ticket);
- if (retval == 0) {
- krb5_principal tmp;
-
- retval = krb5_copy_principal(context, ktent.principal, &tmp);
- if (retval == 0) {
- krb5_free_principal(context, ticket->server);
- ticket->server = tmp;
- }
- (void) krb5_free_keytab_entry_contents(context, &ktent);
- break;
- }
- (void) krb5_free_keytab_entry_contents(context, &ktent);
- }
-
- code = krb5_kt_end_seq_get(context, keytab, &cursor);
- if (code != 0)
- retval = code;
+ krb5_error_code code;
+ krb5_kt_cursor cursor;
+
+ retval = krb5_kt_start_seq_get(context, keytab, &cursor);
+ if (retval != 0)
+ goto map_error;
+
+ while ((code = krb5_kt_next_entry(context, keytab,
+ &ktent, &cursor)) == 0) {
+ if (ktent.key.enctype != ticket->enc_part.enctype)
+ continue;
+
+ retval = krb5int_server_decrypt_ticket_keyblock(context, &ktent.key, ticket);
+ if (retval == 0) {
+ krb5_principal tmp;
+
+ retval = krb5_copy_principal(context, ktent.principal, &tmp);
+ if (retval == 0) {
+ krb5_free_principal(context, ticket->server);
+ ticket->server = tmp;
+ }
+ (void) krb5_free_keytab_entry_contents(context, &ktent);
+ break;
+ }
+ (void) krb5_free_keytab_entry_contents(context, &ktent);
+ }
+
+ code = krb5_kt_end_seq_get(context, keytab, &cursor);
+ if (code != 0)
+ retval = code;
}
map_error:
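Review bot: In krb5int_server_decrypt_ticket_keyblock the `goto done;` after krb5_check_transited_list() is unconditional, so a ticket with non-empty transited contents never reaches the `TKT_FLG_INVALID` test below it, even when the transited check succeeds. If the flag is meant to be enforced for every ticket, make the jump conditional: `if (retval) goto done;`. If skipping it is deliberate, it belongs in the file-header list of differences from krb5_rd_req_decoded, which does not mention it in the lines shown here. krb5_server_decrypt_ticket_keytab's error mapping continues in the next hunk.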
@@ -128,13 +129,12 @@ map_error:
case KRB5_KT_KVNONOTFOUND:
case KRB5_KT_NOTFOUND:
case KRB5KRB_AP_ERR_BAD_INTEGRITY:
- retval = KRB5KRB_AP_WRONG_PRINC;
- break;
+ retval = KRB5KRB_AP_WRONG_PRINC;
+ break;
default:
- break;
+ break;
}
return retval;
}
#endif /* LEAN_CLIENT */
-
diff --git a/src/lib/krb5/krb/srv_rcache.c b/src/lib/krb5/krb/srv_rcache.c
index 7d6b68a7ee..6730748f34 100644
--- a/src/lib/krb5/krb/srv_rcache.c
+++ b/src/lib/krb5/krb/srv_rcache.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/srv_rcache.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* Allocate & prepare a default replay cache for a server.
*/
@@ -35,7 +36,7 @@
#define isvalidrcname(x) ((!ispunct(x))&&isgraph(x))
krb5_error_code KRB5_CALLCONV
krb5_get_server_rcache(krb5_context context, const krb5_data *piece,
- krb5_rcache *rcptr)
+ krb5_rcache *rcptr)
{
krb5_rcache rcache = 0;
char *cachename = 0, *cachetype;
@@ -45,22 +46,22 @@ krb5_get_server_rcache(krb5_context context, const krb5_data *piece,
#ifdef HAVE_GETEUID
unsigned long uid = geteuid();
#endif
-
+
if (piece == NULL)
- return ENOMEM;
-
+ return ENOMEM;
+
cachetype = krb5_rc_default_type(context);
krb5int_buf_init_dynamic(&buf);
krb5int_buf_add(&buf, cachetype);
krb5int_buf_add(&buf, ":");
for (i = 0; i < piece->length; i++) {
- if (piece->data[i] == '-')
- krb5int_buf_add(&buf, "--");
- else if (!isvalidrcname((int) piece->data[i]))
- krb5int_buf_add_fmt(&buf, "-%03o", piece->data[i]);
- else
- krb5int_buf_add_len(&buf, &piece->data[i], 1);
+ if (piece->data[i] == '-')
+ krb5int_buf_add(&buf, "--");
+ else if (!isvalidrcname((int) piece->data[i]))
+ krb5int_buf_add_fmt(&buf, "-%03o", piece->data[i]);
+ else
+ krb5int_buf_add_len(&buf, &piece->data[i], 1);
}
#ifdef HAVE_GETEUID
krb5int_buf_add_fmt(&buf, "_%lu", uid);
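Review bot: `isvalidrcname((int) piece->data[i])` hands a plain `char` to ispunct()/isgraph(); where char is signed, a byte of 0x80 or above becomes a negative int, which is undefined behaviour for the <ctype.h> functions. The same sign extension reaches `"-%03o"`, so such a byte would be escaped as a long octal string rather than three digits, and this escaping is what restricts the bytes that end up in the replay-cache name. Convert once, `unsigned char c = (unsigned char) piece->data[i];`, and use `c` in the test and the format call. `isspace((int) *s)` in the krb5_string_to_timestamp hunk of str_conv.c has the same cast problem. The function begins above this hunk.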
@@ -68,16 +69,16 @@ krb5_get_server_rcache(krb5_context context, const krb5_data *piece,
cachename = krb5int_buf_data(&buf);
if (cachename == NULL)
- return ENOMEM;
+ return ENOMEM;
retval = krb5_rc_resolve_full(context, &rcache, cachename);
if (retval)
- goto cleanup;
+ goto cleanup;
retval = krb5_rc_recover_or_initialize(context, rcache,
- context->clockskew);
+ context->clockskew);
if (retval)
- goto cleanup;
+ goto cleanup;
*rcptr = rcache;
rcache = 0;
@@ -85,8 +86,8 @@ krb5_get_server_rcache(krb5_context context, const krb5_data *piece,
cleanup:
if (rcache)
- krb5_rc_close(context, rcache);
+ krb5_rc_close(context, rcache);
if (cachename)
- free(cachename);
+ free(cachename);
return retval;
}
diff --git a/src/lib/krb5/krb/str_conv.c b/src/lib/krb5/krb/str_conv.c
index 531eba1264..1f2edcc66f 100644
--- a/src/lib/krb5/krb/str_conv.c
+++ b/src/lib/krb5/krb/str_conv.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/kadm/str_conv.c
*
@@ -34,16 +35,16 @@
*
* String decoding:
* ----------------
- * krb5_string_to_salttype() - Convert string to salttype (krb5_int32)
- * krb5_string_to_timestamp() - Convert string to krb5_timestamp.
- * krb5_string_to_deltat() - Convert string to krb5_deltat.
+ * krb5_string_to_salttype() - Convert string to salttype (krb5_int32)
+ * krb5_string_to_timestamp() - Convert string to krb5_timestamp.
+ * krb5_string_to_deltat() - Convert string to krb5_deltat.
*
* String encoding:
* ----------------
- * krb5_salttype_to_string() - Convert salttype (krb5_int32) to string.
- * krb5_timestamp_to_string() - Convert krb5_timestamp to string.
- * krb5_timestamp_to_sfstring() - Convert krb5_timestamp to short filled string
- * krb5_deltat_to_string() - Convert krb5_deltat to string.
+ * krb5_salttype_to_string() - Convert salttype (krb5_int32) to string.
+ * krb5_timestamp_to_string() - Convert krb5_timestamp to string.
+ * krb5_timestamp_to_sfstring() - Convert krb5_timestamp to short filled string
+ * krb5_deltat_to_string() - Convert krb5_deltat to string.
*/
#include "k5-int.h"
@@ -55,9 +56,9 @@
* Local data structures.
*/
struct salttype_lookup_entry {
- krb5_int32 stt_enctype; /* Salt type */
- const char * stt_specifier; /* How to recognize it */
- const char * stt_output; /* How to spit it out */
+ krb5_int32 stt_enctype; /* Salt type */
+ const char * stt_specifier; /* How to recognize it */
+ const char * stt_output; /* How to spit it out */
};
/*
@@ -66,20 +67,20 @@ struct salttype_lookup_entry {
#include "kdb.h"
static const struct salttype_lookup_entry salttype_table[] = {
-/* salt type input specifier output string */
-/*----------------------------- --------------- ---------------*/
-{ KRB5_KDB_SALTTYPE_NORMAL, "normal", "Version 5" },
-{ KRB5_KDB_SALTTYPE_V4, "v4", "Version 4" },
-{ KRB5_KDB_SALTTYPE_NOREALM, "norealm", "Version 5 - No Realm" },
-{ KRB5_KDB_SALTTYPE_ONLYREALM, "onlyrealm", "Version 5 - Realm Only" },
-{ KRB5_KDB_SALTTYPE_SPECIAL, "special", "Special" },
-{ KRB5_KDB_SALTTYPE_AFS3, "afs3", "AFS version 3" },
+/* salt type input specifier output string */
+/*----------------------------- --------------- ---------------*/
+ { KRB5_KDB_SALTTYPE_NORMAL, "normal", "Version 5" },
+ { KRB5_KDB_SALTTYPE_V4, "v4", "Version 4" },
+ { KRB5_KDB_SALTTYPE_NOREALM, "norealm", "Version 5 - No Realm" },
+ { KRB5_KDB_SALTTYPE_ONLYREALM, "onlyrealm", "Version 5 - Realm Only" },
+ { KRB5_KDB_SALTTYPE_SPECIAL, "special", "Special" },
+ { KRB5_KDB_SALTTYPE_AFS3, "afs3", "AFS version 3" },
#if PKINIT_APPLE
-{ KRB5_KDB_SALTTYPE_CERTHASH, "certhash", "PKINIT Cert Hash" }
+ { KRB5_KDB_SALTTYPE_CERTHASH, "certhash", "PKINIT Cert Hash" }
#endif /* PKINIT_APPLE */
};
static const int salttype_table_nents = sizeof(salttype_table)/
- sizeof(salttype_table[0]);
+ sizeof(salttype_table[0]);
krb5_error_code KRB5_CALLCONV
krb5_string_to_salttype(char *string, krb5_int32 *salttypep)
@@ -89,11 +90,11 @@ krb5_string_to_salttype(char *string, krb5_int32 *salttypep)
found = 0;
for (i=0; i<salttype_table_nents; i++) {
- if (!strcasecmp(string, salttype_table[i].stt_specifier)) {
- found = 1;
- *salttypep = salttype_table[i].stt_enctype;
- break;
- }
+ if (!strcasecmp(string, salttype_table[i].stt_specifier)) {
+ found = 1;
+ *salttypep = salttype_table[i].stt_enctype;
+ break;
+ }
}
return((found) ? 0 : EINVAL);
}
@@ -112,18 +113,18 @@ krb5_salttype_to_string(krb5_int32 salttype, char *buffer, size_t buflen)
out = (char *) NULL;
for (i=0; i<salttype_table_nents; i++) {
- if (salttype == salttype_table[i].stt_enctype) {
- out = salttype_table[i].stt_output;
- break;
- }
+ if (salttype == salttype_table[i].stt_enctype) {
+ out = salttype_table[i].stt_output;
+ break;
+ }
}
if (out) {
- if (strlcpy(buffer, out, buflen) >= buflen)
- return(ENOMEM);
- return(0);
+ if (strlcpy(buffer, out, buflen) >= buflen)
+ return(ENOMEM);
+ return(0);
}
else
- return(EINVAL);
+ return(EINVAL);
}
/* (absolute) time conversions */
@@ -137,7 +138,7 @@ static size_t strftime (char *, size_t, const char *, const struct tm *);
#ifdef HAVE_STRPTIME
#ifdef NEED_STRPTIME_PROTO
extern char *strptime (const char *, const char *,
- struct tm *)
+ struct tm *)
#ifdef __cplusplus
throw()
#endif
@@ -155,7 +156,7 @@ localtime_r(const time_t *t, struct tm *buf)
{
struct tm *tm = localtime(t);
if (tm == NULL)
- return NULL;
+ return NULL;
*buf = *tm;
return buf;
}
@@ -169,47 +170,47 @@ krb5_string_to_timestamp(char *string, krb5_timestamp *timestampp)
time_t now, ret_time;
char *s;
static const char * const atime_format_table[] = {
- "%Y%m%d%H%M%S", /* yyyymmddhhmmss */
- "%Y.%m.%d.%H.%M.%S", /* yyyy.mm.dd.hh.mm.ss */
- "%y%m%d%H%M%S", /* yymmddhhmmss */
- "%y.%m.%d.%H.%M.%S", /* yy.mm.dd.hh.mm.ss */
- "%y%m%d%H%M", /* yymmddhhmm */
- "%H%M%S", /* hhmmss */
- "%H%M", /* hhmm */
- "%T", /* hh:mm:ss */
- "%R", /* hh:mm */
- /* The following not really supported unless native strptime present */
- "%x:%X", /* locale-dependent short format */
- "%d-%b-%Y:%T", /* dd-month-yyyy:hh:mm:ss */
- "%d-%b-%Y:%R" /* dd-month-yyyy:hh:mm */
+ "%Y%m%d%H%M%S", /* yyyymmddhhmmss */
+ "%Y.%m.%d.%H.%M.%S", /* yyyy.mm.dd.hh.mm.ss */
+ "%y%m%d%H%M%S", /* yymmddhhmmss */
+ "%y.%m.%d.%H.%M.%S", /* yy.mm.dd.hh.mm.ss */
+ "%y%m%d%H%M", /* yymmddhhmm */
+ "%H%M%S", /* hhmmss */
+ "%H%M", /* hhmm */
+ "%T", /* hh:mm:ss */
+ "%R", /* hh:mm */
+ /* The following not really supported unless native strptime present */
+ "%x:%X", /* locale-dependent short format */
+ "%d-%b-%Y:%T", /* dd-month-yyyy:hh:mm:ss */
+ "%d-%b-%Y:%R" /* dd-month-yyyy:hh:mm */
};
static const int atime_format_table_nents =
- sizeof(atime_format_table)/sizeof(atime_format_table[0]);
+ sizeof(atime_format_table)/sizeof(atime_format_table[0]);
now = time((time_t *) NULL);
if (localtime_r(&now, &timebuf2) == NULL)
- return EINVAL;
+ return EINVAL;
for (i=0; i<atime_format_table_nents; i++) {
/* We reset every time throughout the loop as the manual page
- * indicated that no guarantees are made as to preserving timebuf
- * when parsing fails
- */
- timebuf = timebuf2;
- if ((s = strptime(string, atime_format_table[i], &timebuf))
- && (s != string)) {
- /* See if at end of buffer - otherwise partial processing */
- while(*s != 0 && isspace((int) *s)) s++;
- if (*s != 0)
- continue;
- if (timebuf.tm_year <= 0)
- continue; /* clearly confused */
- ret_time = mktime(&timebuf);
- if (ret_time == (time_t) -1)
- continue; /* clearly confused */
- *timestampp = (krb5_timestamp) ret_time;
- return 0;
- }
+ * indicated that no guarantees are made as to preserving timebuf
+ * when parsing fails
+ */
+ timebuf = timebuf2;
+ if ((s = strptime(string, atime_format_table[i], &timebuf))
+ && (s != string)) {
+ /* See if at end of buffer - otherwise partial processing */
+ while(*s != 0 && isspace((int) *s)) s++;
+ if (*s != 0)
+ continue;
+ if (timebuf.tm_year <= 0)
+ continue; /* clearly confused */
+ ret_time = mktime(&timebuf);
+ if (ret_time == (time_t) -1)
+ continue; /* clearly confused */
+ *timestampp = (krb5_timestamp) ret_time;
+ return 0;
+ }
}
return(EINVAL);
}
@@ -220,8 +221,8 @@ krb5_timestamp_to_string(krb5_timestamp timestamp, char *buffer, size_t buflen)
size_t ret;
time_t timestamp2 = timestamp;
struct tm tmbuf;
- const char *fmt = "%c"; /* This is to get around gcc -Wall warning that
- the year returned might be two digits */
+ const char *fmt = "%c"; /* This is to get around gcc -Wall warning that
+ the year returned might be two digits */
#ifdef HAVE_LOCALTIME_R
(void) localtime_r(&timestamp2, &tmbuf);
@@ -230,27 +231,27 @@ krb5_timestamp_to_string(krb5_timestamp timestamp, char *buffer, size_t buflen)
#endif
ret = strftime(buffer, buflen, fmt, &tmbuf);
if (ret == 0 || ret == buflen)
- return(ENOMEM);
+ return(ENOMEM);
return(0);
}
krb5_error_code KRB5_CALLCONV
krb5_timestamp_to_sfstring(krb5_timestamp timestamp, char *buffer, size_t buflen, char *pad)
{
- struct tm *tmp;
+ struct tm *tmp;
size_t i;
- size_t ndone;
+ size_t ndone;
time_t timestamp2 = timestamp;
struct tm tmbuf;
static const char * const sftime_format_table[] = {
- "%c", /* Default locale-dependent date and time */
- "%d %b %Y %T", /* dd mon yyyy hh:mm:ss */
- "%x %X", /* locale-dependent short format */
- "%d/%m/%Y %R" /* dd/mm/yyyy hh:mm */
+ "%c", /* Default locale-dependent date and time */
+ "%d %b %Y %T", /* dd mon yyyy hh:mm:ss */
+ "%x %X", /* locale-dependent short format */
+ "%d/%m/%Y %R" /* dd/mm/yyyy hh:mm */
};
static const unsigned int sftime_format_table_nents =
- sizeof(sftime_format_table)/sizeof(sftime_format_table[0]);
+ sizeof(sftime_format_table)/sizeof(sftime_format_table[0]);
#ifdef HAVE_LOCALTIME_R
tmp = localtime_r(&timestamp2, &tmbuf);
@@ -259,22 +260,22 @@ krb5_timestamp_to_sfstring(krb5_timestamp timestamp, char *buffer, size_t buflen
#endif
ndone = 0;
for (i=0; i<sftime_format_table_nents; i++) {
- if ((ndone = strftime(buffer, buflen, sftime_format_table[i], tmp)))
- break;
+ if ((ndone = strftime(buffer, buflen, sftime_format_table[i], tmp)))
+ break;
}
if (!ndone) {
-#define sftime_default_len 2+1+2+1+4+1+2+1+2+1
- if (buflen >= sftime_default_len) {
- snprintf(buffer, buflen, "%02d/%02d/%4d %02d:%02d",
- tmp->tm_mday, tmp->tm_mon+1, 1900+tmp->tm_year,
- tmp->tm_hour, tmp->tm_min);
- ndone = strlen(buffer);
- }
+#define sftime_default_len 2+1+2+1+4+1+2+1+2+1
+ if (buflen >= sftime_default_len) {
+ snprintf(buffer, buflen, "%02d/%02d/%4d %02d:%02d",
+ tmp->tm_mday, tmp->tm_mon+1, 1900+tmp->tm_year,
+ tmp->tm_hour, tmp->tm_min);
+ ndone = strlen(buffer);
+ }
}
if (ndone && pad) {
- for (i=ndone; i<buflen-1; i++)
- buffer[i] = *pad;
- buffer[buflen-1] = '\0';
+ for (i=ndone; i<buflen-1; i++)
+ buffer[i] = *pad;
+ buffer[buflen-1] = '\0';
}
return((ndone) ? 0 : ENOMEM);
}
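Review bot: `tmp` is passed to strftime() and dereferenced in the snprintf() fallback without a NULL test, although it is the return value of localtime_r() assigned just above this hunk. krb5_string_to_timestamp in the same file already treats a NULL from localtime_r() as an error. A guard before the format loop, `if (tmp == NULL) return EINVAL;` (error code to be confirmed against callers), would avoid the dereference for timestamps the C library cannot convert.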
@@ -286,8 +287,8 @@ krb5_timestamp_to_sfstring(krb5_timestamp timestamp, char *buffer, size_t buflen
krb5_error_code KRB5_CALLCONV
krb5_deltat_to_string(krb5_deltat deltat, char *buffer, size_t buflen)
{
- int days, hours, minutes, seconds;
- krb5_deltat dt;
+ int days, hours, minutes, seconds;
+ krb5_deltat dt;
/*
* We want something like ceil(log10(2**(nbits-1))) + 1. That log
@@ -298,7 +299,7 @@ krb5_deltat_to_string(krb5_deltat deltat, char *buffer, size_t buflen)
*
* This will break if bytes are more than 8 bits.
*/
-#define MAX_CHARS_FOR_INT_TYPE(TYPE) ((int) (2 + 2.408241 * sizeof (TYPE)))
+#define MAX_CHARS_FOR_INT_TYPE(TYPE) ((int) (2 + 2.408241 * sizeof (TYPE)))
char tmpbuf[MAX_CHARS_FOR_INT_TYPE(int) * 4 + 8];
days = (int) (deltat / (24*3600L));
@@ -310,22 +311,22 @@ krb5_deltat_to_string(krb5_deltat deltat, char *buffer, size_t buflen)
memset (tmpbuf, 0, sizeof (tmpbuf));
if (days == 0)
- snprintf(buffer, buflen, "%d:%02d:%02d", hours, minutes, seconds);
+ snprintf(buffer, buflen, "%d:%02d:%02d", hours, minutes, seconds);
else if (hours || minutes || seconds)
- snprintf(buffer, buflen, "%d %s %02d:%02d:%02d", days,
- (days > 1) ? "days" : "day",
- hours, minutes, seconds);
+ snprintf(buffer, buflen, "%d %s %02d:%02d:%02d", days,
+ (days > 1) ? "days" : "day",
+ hours, minutes, seconds);
else
- snprintf(buffer, buflen, "%d %s", days,
- (days > 1) ? "days" : "day");
+ snprintf(buffer, buflen, "%d %s", days,
+ (days > 1) ? "days" : "day");
if (tmpbuf[sizeof(tmpbuf)-1] != 0)
- /* Something must be very wrong with my math above, or the
- assumptions going into it... */
- abort ();
+ /* Something must be very wrong with my math above, or the
+ assumptions going into it... */
+ abort ();
if (strlen (tmpbuf) > buflen)
- return ENOMEM;
+ return ENOMEM;
else
- strncpy (buffer, tmpbuf, buflen);
+ strncpy (buffer, tmpbuf, buflen);
return 0;
}
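Review bot: The three snprintf() calls write the formatted interval into `buffer`, but `tmpbuf` is only ever zeroed by the memset() at the top of the hunk, so the closing `strncpy (buffer, tmpbuf, buflen);` overwrites the result with NUL bytes and the caller gets an empty string with a 0 return. The length test is also made against the empty `tmpbuf`, so truncation by snprintf() is never reported. Format into the scratch buffer instead, `snprintf(tmpbuf, sizeof(tmpbuf), ...)` in each branch, and tighten the test to `if (strlen (tmpbuf) >= buflen) return ENOMEM;` so the copy is always terminated. The function starts above this hunk, so this reading assumes nothing earlier aliases the two buffers.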
@@ -348,10 +349,10 @@ struct dummy_locale_info_t {
char am_pm[2][3];
};
static const struct dummy_locale_info_t dummy_locale_info = {
- "%a %b %d %X %Y", /* %c */
- "%I:%M:%S %p", /* %r */
- "%H:%M:%S", /* %X */
- "%m/%d/%y", /* %x */
+ "%a %b %d %X %Y", /* %c */
+ "%I:%M:%S %p", /* %r */
+ "%H:%M:%S", /* %X */
+ "%m/%d/%y", /* %x */
{ "Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday",
"Saturday" },
{ "Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat" },
@@ -373,7 +374,7 @@ static const struct dummy_locale_info_t dummy_locale_info = {
#undef DAYSPERWEEK
#define DAYSPERWEEK 7
#undef isleap
-#define isleap(N) ((N % 4) == 0 && (N % 100 != 0 || N % 400 == 0))
+#define isleap(N) ((N % 4) == 0 && (N % 100 != 0 || N % 400 == 0))
#undef tzname
#define tzname my_tzname
static const char *const tzname[2] = { 0, 0 };
diff --git a/src/lib/krb5/krb/strptime.c b/src/lib/krb5/krb/strptime.c
index ac52d5c224..ffe90d4c96 100644
--- a/src/lib/krb5/krb/strptime.c
+++ b/src/lib/krb5/krb/strptime.c
@@ -82,7 +82,7 @@ strptime(buf, fmt, tm)
fmt++;
continue;
}
-
+
if ((c = *fmt++) != '%')
goto literal;
@@ -107,7 +107,7 @@ literal:
LEGAL_ALT(0);
alt_format |= ALT_O;
goto again;
-
+
/*
* "Complex" conversion rules, implemented through recursion.
*/
diff --git a/src/lib/krb5/krb/t_ad_fx_armor.c b/src/lib/krb5/krb/t_ad_fx_armor.c
index 74d7e5f1ab..73dbb3a6f0 100644
--- a/src/lib/krb5/krb/t_ad_fx_armor.c
+++ b/src/lib/krb5/krb/t_ad_fx_armor.c
@@ -1,13 +1,14 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
#include <memory.h>
#include <stdio.h>
#include <krb5/krb5.h>
-#define test(x) do {retval = (x); \
- if(retval != 0) { \
- const char *errmsg = krb5_get_error_message(context, retval); \
- fprintf(stderr, "Error message: %s\n", errmsg); \
- abort(); } \
- } while(0);
+#define test(x) do {retval = (x); \
+ if(retval != 0) { \
+ const char *errmsg = krb5_get_error_message(context, retval); \
+ fprintf(stderr, "Error message: %s\n", errmsg); \
+ abort(); } \
+ } while(0);
krb5_authdata ad_fx_armor = {0, KRB5_AUTHDATA_FX_ARMOR, 1, ""};
krb5_authdata *array[] = {&ad_fx_armor, NULL};
@@ -32,5 +33,5 @@ int main( int argc, char **argv)
test(krb5_cc_store_cred(context, ccache, out_creds));
test(krb5_cc_close(context,ccache));
return 0;
-
-}
+
+}
diff --git a/src/lib/krb5/krb/t_authdata.c b/src/lib/krb5/krb/t_authdata.c
index 86838cead3..ed847dfbd7 100644
--- a/src/lib/krb5/krb/t_authdata.c
+++ b/src/lib/krb5/krb/t_authdata.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/t_authdata.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,8 +23,8 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
- *
+ *
+ *
*
* Test authorization data search
*/
@@ -34,25 +35,25 @@
#include <memory.h>
krb5_authdata ad1 = {
- KV5M_AUTHDATA,
- 22,
- 4,
- (unsigned char *) "abcd"};
+ KV5M_AUTHDATA,
+ 22,
+ 4,
+ (unsigned char *) "abcd"};
krb5_authdata ad2 = {
- KV5M_AUTHDATA,
- 23,
- 5,
- (unsigned char *) "abcde"
+ KV5M_AUTHDATA,
+ 23,
+ 5,
+ (unsigned char *) "abcde"
};
krb5_authdata ad3= {
- KV5M_AUTHDATA,
- 22,
- 3,
- (unsigned char *) "ab"
+ KV5M_AUTHDATA,
+ 22,
+ 3,
+ (unsigned char *) "ab"
};
/* we want three results in the return from krb5int_find_authdata so
-it has to grow its list.
+ it has to grow its list.
*/
krb5_authdata ad4 = {
KV5M_AUTHDATA,
@@ -73,12 +74,12 @@ krb5_keyblock key = {
};
static void compare_authdata(const krb5_authdata *adc1, krb5_authdata *adc2) {
- assert(adc1->ad_type == adc2->ad_type);
- assert(adc1->length == adc2->length);
- assert(memcmp(adc1->contents, adc2->contents, adc1->length) == 0);
+ assert(adc1->ad_type == adc2->ad_type);
+ assert(adc1->length == adc2->length);
+ assert(memcmp(adc1->contents, adc2->contents, adc1->length) == 0);
}
-int main()
+int main()
{
krb5_context context;
krb5_authdata **results;
@@ -98,7 +99,7 @@ int main()
container[1] = NULL;
assert(krb5_encode_authdata_container( context, KRB5_AUTHDATA_IF_RELEVANT, container, &container_out) == 0);
assert(krb5int_find_authdata(context,
- adseq1, container_out, 22, &results) == 0);
+ adseq1, container_out, 22, &results) == 0);
compare_authdata(&ad1, results[0]);
compare_authdata( results[1], &ad4);
compare_authdata( results[2], &ad3);
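Review bot: `krb5_encode_authdata_container` and `krb5int_find_authdata` are called inside `assert()`, so a build with NDEBUG defined removes the calls themselves and `results` is then read without ever being set. Making the call first and asserting on the stored code avoids this: `ret = krb5int_find_authdata(context, adseq1, container_out, 22, &results); assert(ret == 0);`, with `ret` a new local `krb5_error_code`. In the visible lines, `results[1]` and `results[2]` are also indexed without a check that the list holds three entries. main() begins and ends outside this hunk, so the surrounding declarations are not visible here.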
diff --git a/src/lib/krb5/krb/t_deltat.c b/src/lib/krb5/krb/t_deltat.c
index a07ba42322..dcf14af67f 100644
--- a/src/lib/krb5/krb/t_deltat.c
+++ b/src/lib/krb5/krb/t_deltat.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/t_deltat.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*/
#include "k5-int.h"
@@ -31,9 +32,9 @@ int
main (void)
{
struct {
- char *string;
- krb5_deltat expected;
- int is_error;
+ char *string;
+ krb5_deltat expected;
+ int is_error;
#define GOOD(STR,VAL) { STR, VAL, 0 }
#define BAD(STR) { STR, 0, 1 }
#define DAY (24 * 3600)
@@ -43,116 +44,116 @@ main (void)
#endif
#define MIN 60
} values[] = {
- /* d-h-m-s patterns */
- GOOD ("3d", 3*DAY),
- GOOD ("3h", 3*HOUR),
- GOOD ("3m", 3*MIN),
- GOOD ("3s", 3),
- BAD ("3dd"),
- GOOD ("3d4m 42s", 3 * DAY + 4 * MIN + 42),
- GOOD ("3d-1h", 3 * DAY - 1 * HOUR),
- GOOD ("3d -1h", 3 * DAY - HOUR),
- GOOD ("3d4h5m6s", 3 * DAY + 4 * HOUR + 5 * MIN + 6),
- BAD ("3d4m5h"),
- GOOD ("12345s", 12345),
- GOOD ("1m 12345s", MIN + 12345),
- GOOD ("1m12345s", MIN + 12345),
- GOOD ("3d 0m", 3 * DAY),
- GOOD ("3d 0m ", 3 * DAY),
- GOOD ("3d \n\t 0m ", 3 * DAY),
- /* colon patterns */
- GOOD ("42-13:42:47", 42 * DAY + 13 * HOUR + 42 * MIN + 47),
- BAD ("3: 4"),
- BAD ("13:0003"),
- GOOD ("12:34", 12 * HOUR + 34 * MIN),
- GOOD ("1:02:03", 1 * HOUR + 2 * MIN + 3),
- BAD ("3:-4"),
- /* XX We might want to require exactly two digits after a colon? */
- GOOD ("3:4", 3 * HOUR + 4 * MIN),
- /* misc */
- GOOD ("42", 42),
- BAD ("1-2"),
- /* Test overflow limitations */
- GOOD ("2147483647s", 2147483647),
- BAD ("2147483648s"),
- GOOD ("24855d", 24855 * DAY),
- BAD ("24856d"),
- BAD ("24855d 100000000h"),
- GOOD ("24855d 3h", 24855 * DAY + 3 * HOUR),
- BAD ("24855d 4h"),
- GOOD ("24855d 11647s", 24855 * DAY + 11647),
- BAD ("24855d 11648s"),
- GOOD ("24855d 194m 7s", 24855 * DAY + 194 * MIN + 7),
- BAD ("24855d 194m 8s"),
- BAD ("24855d 195m"),
- BAD ("24855d 19500000000m"),
- GOOD ("24855d 3h 14m 7s", 24855 * DAY + 3 * HOUR + 14 * MIN + 7),
- BAD ("24855d 3h 14m 8s"),
- GOOD ("596523h", 596523 * HOUR),
- BAD ("596524h"),
- GOOD ("596523h 847s", 596523 * HOUR + 847),
- BAD ("596523h 848s"),
- GOOD ("596523h 14m 7s", 596523 * HOUR + 14 * MIN + 7),
- BAD ("596523h 14m 8s"),
- GOOD ("35791394m", 35791394 * MIN),
- GOOD ("35791394m7s", 35791394 * MIN + 7),
- BAD ("35791394m8s"),
- /* Test underflow */
- GOOD ("-2147483647s", -2147483647),
- /* This should be valid, but isn't */
- /*BAD ("-2147483648s"),*/
- GOOD ("-24855d", -24855 * DAY),
- BAD ("-24856d"),
- BAD ("-24855d -100000000h"),
- GOOD ("-24855d -3h", -24855 * DAY - 3 * HOUR),
- BAD ("-24855d -4h"),
- GOOD ("-24855d -11647s", -24855 * DAY - 11647),
- BAD ("-24855d -11649s"),
- GOOD ("-24855d -194m -7s", -24855 * DAY - 194 * MIN - 7),
- BAD ("-24855d -194m -9s"),
- BAD ("-24855d -195m"),
- BAD ("-24855d -19500000000m"),
- GOOD ("-24855d -3h -14m -7s", -24855 * DAY - 3 * HOUR - 14 * MIN - 7),
- BAD ("-24855d -3h -14m -9s"),
- GOOD ("-596523h", -596523 * HOUR),
- BAD ("-596524h"),
- GOOD ("-596523h -847s", -596523 * HOUR - 847),
- GOOD ("-596523h -848s", -596523 * HOUR - 848),
- BAD ("-596523h -849s"),
- GOOD ("-596523h -14m -8s", -596523 * HOUR - 14 * MIN - 8),
- BAD ("-596523h -14m -9s"),
- GOOD ("-35791394m", -35791394 * MIN),
- GOOD ("-35791394m7s", -35791394 * MIN + 7),
- BAD ("-35791394m-9s"),
-
+ /* d-h-m-s patterns */
+ GOOD ("3d", 3*DAY),
+ GOOD ("3h", 3*HOUR),
+ GOOD ("3m", 3*MIN),
+ GOOD ("3s", 3),
+ BAD ("3dd"),
+ GOOD ("3d4m 42s", 3 * DAY + 4 * MIN + 42),
+ GOOD ("3d-1h", 3 * DAY - 1 * HOUR),
+ GOOD ("3d -1h", 3 * DAY - HOUR),
+ GOOD ("3d4h5m6s", 3 * DAY + 4 * HOUR + 5 * MIN + 6),
+ BAD ("3d4m5h"),
+ GOOD ("12345s", 12345),
+ GOOD ("1m 12345s", MIN + 12345),
+ GOOD ("1m12345s", MIN + 12345),
+ GOOD ("3d 0m", 3 * DAY),
+ GOOD ("3d 0m ", 3 * DAY),
+ GOOD ("3d \n\t 0m ", 3 * DAY),
+ /* colon patterns */
+ GOOD ("42-13:42:47", 42 * DAY + 13 * HOUR + 42 * MIN + 47),
+ BAD ("3: 4"),
+ BAD ("13:0003"),
+ GOOD ("12:34", 12 * HOUR + 34 * MIN),
+ GOOD ("1:02:03", 1 * HOUR + 2 * MIN + 3),
+ BAD ("3:-4"),
+ /* XX We might want to require exactly two digits after a colon? */
+ GOOD ("3:4", 3 * HOUR + 4 * MIN),
+ /* misc */
+ GOOD ("42", 42),
+ BAD ("1-2"),
+ /* Test overflow limitations */
+ GOOD ("2147483647s", 2147483647),
+ BAD ("2147483648s"),
+ GOOD ("24855d", 24855 * DAY),
+ BAD ("24856d"),
+ BAD ("24855d 100000000h"),
+ GOOD ("24855d 3h", 24855 * DAY + 3 * HOUR),
+ BAD ("24855d 4h"),
+ GOOD ("24855d 11647s", 24855 * DAY + 11647),
+ BAD ("24855d 11648s"),
+ GOOD ("24855d 194m 7s", 24855 * DAY + 194 * MIN + 7),
+ BAD ("24855d 194m 8s"),
+ BAD ("24855d 195m"),
+ BAD ("24855d 19500000000m"),
+ GOOD ("24855d 3h 14m 7s", 24855 * DAY + 3 * HOUR + 14 * MIN + 7),
+ BAD ("24855d 3h 14m 8s"),
+ GOOD ("596523h", 596523 * HOUR),
+ BAD ("596524h"),
+ GOOD ("596523h 847s", 596523 * HOUR + 847),
+ BAD ("596523h 848s"),
+ GOOD ("596523h 14m 7s", 596523 * HOUR + 14 * MIN + 7),
+ BAD ("596523h 14m 8s"),
+ GOOD ("35791394m", 35791394 * MIN),
+ GOOD ("35791394m7s", 35791394 * MIN + 7),
+ BAD ("35791394m8s"),
+ /* Test underflow */
+ GOOD ("-2147483647s", -2147483647),
+ /* This should be valid, but isn't */
+ /*BAD ("-2147483648s"),*/
+ GOOD ("-24855d", -24855 * DAY),
+ BAD ("-24856d"),
+ BAD ("-24855d -100000000h"),
+ GOOD ("-24855d -3h", -24855 * DAY - 3 * HOUR),
+ BAD ("-24855d -4h"),
+ GOOD ("-24855d -11647s", -24855 * DAY - 11647),
+ BAD ("-24855d -11649s"),
+ GOOD ("-24855d -194m -7s", -24855 * DAY - 194 * MIN - 7),
+ BAD ("-24855d -194m -9s"),
+ BAD ("-24855d -195m"),
+ BAD ("-24855d -19500000000m"),
+ GOOD ("-24855d -3h -14m -7s", -24855 * DAY - 3 * HOUR - 14 * MIN - 7),
+ BAD ("-24855d -3h -14m -9s"),
+ GOOD ("-596523h", -596523 * HOUR),
+ BAD ("-596524h"),
+ GOOD ("-596523h -847s", -596523 * HOUR - 847),
+ GOOD ("-596523h -848s", -596523 * HOUR - 848),
+ BAD ("-596523h -849s"),
+ GOOD ("-596523h -14m -8s", -596523 * HOUR - 14 * MIN - 8),
+ BAD ("-596523h -14m -9s"),
+ GOOD ("-35791394m", -35791394 * MIN),
+ GOOD ("-35791394m7s", -35791394 * MIN + 7),
+ BAD ("-35791394m-9s"),
+
};
int fail = 0;
int i;
for (i = 0; i < sizeof(values)/sizeof(values[0]); i++) {
- krb5_deltat result;
- krb5_error_code code;
+ krb5_deltat result;
+ krb5_error_code code;
- code = krb5_string_to_deltat (values[i].string, &result);
- if (code && !values[i].is_error) {
- fprintf (stderr, "unexpected error for `%s'\n", values[i].string);
- fail++;
- } else if (!code && values[i].is_error) {
- fprintf (stderr, "expected but didn't get error for `%s'\n",
- values[i].string);
- fail++;
- } else if (code && values[i].is_error) {
- /* do nothing */
- } else if (result != values[i].expected) {
- fprintf (stderr, "got %ld instead of expected %ld for `%s'\n",
- (long) result, (long) values[i].expected,
- values[i].string);
- fail++;
- }
+ code = krb5_string_to_deltat (values[i].string, &result);
+ if (code && !values[i].is_error) {
+ fprintf (stderr, "unexpected error for `%s'\n", values[i].string);
+ fail++;
+ } else if (!code && values[i].is_error) {
+ fprintf (stderr, "expected but didn't get error for `%s'\n",
+ values[i].string);
+ fail++;
+ } else if (code && values[i].is_error) {
+ /* do nothing */
+ } else if (result != values[i].expected) {
+ fprintf (stderr, "got %ld instead of expected %ld for `%s'\n",
+ (long) result, (long) values[i].expected,
+ values[i].string);
+ fail++;
+ }
}
if (fail == 0)
- printf ("Passed all %d tests.\n", i);
+ printf ("Passed all %d tests.\n", i);
else
- printf ("Failed %d of %d tests.\n", fail, i);
+ printf ("Failed %d of %d tests.\n", fail, i);
return fail;
}
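Review bot: The disabled entry `/*BAD ("-2147483648s"),*/` under "This should be valid, but isn't" leaves the most negative value untested in its plain-seconds form, and the comment does not say which behaviour is intended. The table already expects `GOOD ("-596523h -848s", -596523 * HOUR - 848)`, which is the same value, so the parser apparently accepts it in one spelling and rejects it in another. A clearer comment would be `/* -2147483648s is representable but is currently rejected; enable as GOOD once the parser accepts it */`. Separately, the loop compares `int i` against the `size_t` result of `sizeof(values)/sizeof(values[0])`; declaring `i` as `size_t` and printing it with `%lu` and a cast would remove the signed/unsigned comparison. main() starts before this hunk.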
diff --git a/src/lib/krb5/krb/t_etypes.c b/src/lib/krb5/krb/t_etypes.c
index 0d89fd0afd..4af7918e5a 100644
--- a/src/lib/krb5/krb/t_etypes.c
+++ b/src/lib/krb5/krb/t_etypes.c
@@ -1,4 +1,4 @@
-/* -*- mode: c; indent-tabs-mode: nil -*- */
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* t_etypes.c -- test program for krb5int_parse_enctype_list
*
@@ -201,4 +201,3 @@ main(int argc, char **argv)
return 0;
}
-
diff --git a/src/lib/krb5/krb/t_expand.c b/src/lib/krb5/krb/t_expand.c
index a8b2757dfd..b108e4bbd8 100644
--- a/src/lib/krb5/krb/t_expand.c
+++ b/src/lib/krb5/krb/t_expand.c
@@ -1,2 +1,3 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
#define TEST
#include "chk_trans.c"
diff --git a/src/lib/krb5/krb/t_kerb.c b/src/lib/krb5/krb/t_kerb.c
index 8627922b2d..4652825619 100644
--- a/src/lib/krb5/krb/t_kerb.c
+++ b/src/lib/krb5/krb/t_kerb.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* This driver routine is used to test many of the standard Kerberos library
* routines.
@@ -26,14 +27,14 @@ void usage (char *);
void test_string_to_timestamp(krb5_context ctx, char *ktime)
{
- krb5_timestamp timestamp;
- time_t t;
- krb5_error_code retval;
+ krb5_timestamp timestamp;
+ time_t t;
+ krb5_error_code retval;
retval = krb5_string_to_timestamp(ktime, &timestamp);
if (retval) {
- com_err("krb5_string_to_timestamp", retval, 0);
- return;
+ com_err("krb5_string_to_timestamp", retval, 0);
+ return;
}
t = (time_t) timestamp;
printf("Parsed time was %s", ctime(&t));
@@ -41,22 +42,22 @@ void test_string_to_timestamp(krb5_context ctx, char *ktime)
void test_425_conv_principal(krb5_context ctx, char *name, char *inst, char *realm)
{
- krb5_error_code retval;
- krb5_principal princ;
- char *out_name;
+ krb5_error_code retval;
+ krb5_principal princ;
+ char *out_name;
retval = krb5_425_conv_principal(ctx, name, inst, realm, &princ);
if (retval) {
- com_err("krb5_425_conv_principal", retval, 0);
- return;
+ com_err("krb5_425_conv_principal", retval, 0);
+ return;
}
retval = krb5_unparse_name(ctx, princ, &out_name);
if (retval) {
- com_err("krb5_unparse_name", retval, 0);
- return;
+ com_err("krb5_unparse_name", retval, 0);
+ return;
}
printf("425_converted principal(%s, %s, %s): '%s'\n",
- name, inst, realm, out_name);
+ name, inst, realm, out_name);
free(out_name);
krb5_free_principal(ctx, princ);
}
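Review bot: In `test_425_conv_principal`, the early return after a failed `krb5_unparse_name` leaves `princ` allocated. Only the success path reaches `krb5_free_principal(ctx, princ);`. Adding `krb5_free_principal(ctx, princ);` before that `return;` would fix it. Alternatively, use the `fail:` cleanup label pattern that `test_parse_name` uses later in this file, so both exits release the principal.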
@@ -73,98 +74,98 @@ void test_524_conv_principal(krb5_context ctx, char *name)
aname[ANAME_SZ] = inst[INST_SZ] = realm[REALM_SZ] = 0;
retval = krb5_parse_name(ctx, name, &princ);
if (retval) {
- com_err("krb5_parse_name", retval, 0);
- goto fail;
+ com_err("krb5_parse_name", retval, 0);
+ goto fail;
}
retval = krb5_524_conv_principal(ctx, princ, aname, inst, realm);
if (retval) {
- com_err("krb5_524_conv_principal", retval, 0);
- goto fail;
+ com_err("krb5_524_conv_principal", retval, 0);
+ goto fail;
}
printf("524_converted_principal(%s): '%s' '%s' '%s'\n",
- name, aname, inst, realm);
- fail:
+ name, aname, inst, realm);
+fail:
if (princ)
- krb5_free_principal (ctx, princ);
+ krb5_free_principal (ctx, princ);
}
void test_parse_name(krb5_context ctx, const char *name)
{
- krb5_error_code retval;
- krb5_principal princ = 0, princ2 = 0;
- char *outname = 0;
-
- retval = krb5_parse_name(ctx, name, &princ);
- if (retval) {
- com_err("krb5_parse_name", retval, 0);
- goto fail;
- }
- retval = krb5_copy_principal(ctx, princ, &princ2);
- if (retval) {
- com_err("krb5_copy_principal", retval, 0);
- goto fail;
- }
- retval = krb5_unparse_name(ctx, princ2, &outname);
- if (retval) {
- com_err("krb5_unparse_name", retval, 0);
- goto fail;
- }
- printf("parsed (and unparsed) principal(%s): ", name);
- if (strcmp(name, outname) == 0)
- printf("MATCH\n");
- else
- printf("'%s'\n", outname);
+ krb5_error_code retval;
+ krb5_principal princ = 0, princ2 = 0;
+ char *outname = 0;
+
+ retval = krb5_parse_name(ctx, name, &princ);
+ if (retval) {
+ com_err("krb5_parse_name", retval, 0);
+ goto fail;
+ }
+ retval = krb5_copy_principal(ctx, princ, &princ2);
+ if (retval) {
+ com_err("krb5_copy_principal", retval, 0);
+ goto fail;
+ }
+ retval = krb5_unparse_name(ctx, princ2, &outname);
+ if (retval) {
+ com_err("krb5_unparse_name", retval, 0);
+ goto fail;
+ }
+ printf("parsed (and unparsed) principal(%s): ", name);
+ if (strcmp(name, outname) == 0)
+ printf("MATCH\n");
+ else
+ printf("'%s'\n", outname);
fail:
- if (outname)
- free(outname);
- if (princ)
- krb5_free_principal(ctx, princ);
- if (princ2)
- krb5_free_principal(ctx, princ2);
+ if (outname)
+ free(outname);
+ if (princ)
+ krb5_free_principal(ctx, princ);
+ if (princ2)
+ krb5_free_principal(ctx, princ2);
}
void test_set_realm(krb5_context ctx, const char *name, const char *realm)
{
- krb5_error_code retval;
- krb5_principal princ = 0;
- char *outname = 0;
-
- retval = krb5_parse_name(ctx, name, &princ);
- if (retval) {
- com_err("krb5_parse_name", retval, 0);
- goto fail;
- }
- retval = krb5_set_principal_realm(ctx, princ, realm);
- if (retval) {
- com_err("krb5_set_principal_realm", retval, 0);
- goto fail;
- }
- retval = krb5_unparse_name(ctx, princ, &outname);
- if (retval) {
- com_err("krb5_unparse_name", retval, 0);
- goto fail;
- }
- printf("old principal: %s, modified principal: %s\n", name,
- outname);
+ krb5_error_code retval;
+ krb5_principal princ = 0;
+ char *outname = 0;
+
+ retval = krb5_parse_name(ctx, name, &princ);
+ if (retval) {
+ com_err("krb5_parse_name", retval, 0);
+ goto fail;
+ }
+ retval = krb5_set_principal_realm(ctx, princ, realm);
+ if (retval) {
+ com_err("krb5_set_principal_realm", retval, 0);
+ goto fail;
+ }
+ retval = krb5_unparse_name(ctx, princ, &outname);
+ if (retval) {
+ com_err("krb5_unparse_name", retval, 0);
+ goto fail;
+ }
+ printf("old principal: %s, modified principal: %s\n", name,
+ outname);
fail:
- if (outname)
- free(outname);
- if (princ)
- krb5_free_principal(ctx, princ);
+ if (outname)
+ free(outname);
+ if (princ)
+ krb5_free_principal(ctx, princ);
}
void usage(char *progname)
{
- fprintf(stderr, "%s: Usage: %s 425_conv_principal <name> <inst> <realm\n",
- progname, progname);
- fprintf(stderr, "\t%s 524_conv_principal <name>\n", progname);
- fprintf(stderr, "\t%s parse_name <name>\n", progname);
- fprintf(stderr, "\t%s set_realm <name> <realm>\n", progname);
- fprintf(stderr, "\t%s string_to_timestamp <time>\n", progname);
- exit(1);
+ fprintf(stderr, "%s: Usage: %s 425_conv_principal <name> <inst> <realm\n",
+ progname, progname);
+ fprintf(stderr, "\t%s 524_conv_principal <name>\n", progname);
+ fprintf(stderr, "\t%s parse_name <name>\n", progname);
+ fprintf(stderr, "\t%s set_realm <name> <realm>\n", progname);
+ fprintf(stderr, "\t%s string_to_timestamp <time>\n", progname);
+ exit(1);
}
-int
+int
main(int argc, char **argv)
{
krb5_context ctx;
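Review bot: The first usage line in `usage()` prints `<realm` without its closing bracket. The string should read `"%s: Usage: %s 425_conv_principal <name> <inst> <realm>\n"`. In `test_524_conv_principal`, the `fail:` path tests `if (princ)`, but the declaration of `princ` is outside this hunk. If it is not initialised to 0 as it is in `test_parse_name`, a failed `krb5_parse_name` would leave it indeterminate at that test, which is worth confirming.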
@@ -174,52 +175,52 @@ main(int argc, char **argv)
retval = krb5_init_context(&ctx);
if (retval) {
- fprintf(stderr, "krb5_init_context returned error %ld\n",
- (long) retval);
- exit(1);
+ fprintf(stderr, "krb5_init_context returned error %ld\n",
+ (long) retval);
+ exit(1);
}
progname = argv[0];
- /* Parse arguments. */
- argc--; argv++;
- while (argc) {
- if (strcmp(*argv, "425_conv_principal") == 0) {
- argc--; argv++;
- if (!argc) usage(progname);
- name = *argv;
- argc--; argv++;
- if (!argc) usage(progname);
- inst = *argv;
- argc--; argv++;
- if (!argc) usage(progname);
- realm = *argv;
- test_425_conv_principal(ctx, name, inst, realm);
- } else if (strcmp(*argv, "parse_name") == 0) {
- argc--; argv++;
- if (!argc) usage(progname);
- name = *argv;
- test_parse_name(ctx, name);
- } else if (strcmp(*argv, "set_realm") == 0) {
- argc--; argv++;
- if (!argc) usage(progname);
- name = *argv;
- argc--; argv++;
- if (!argc) usage(progname);
- realm = *argv;
- test_set_realm(ctx, name, realm);
- } else if (strcmp(*argv, "string_to_timestamp") == 0) {
- argc--; argv++;
- if (!argc) usage(progname);
- test_string_to_timestamp(ctx, *argv);
- } else if (strcmp(*argv, "524_conv_principal") == 0) {
- argc--; argv++;
- if (!argc) usage(progname);
- test_524_conv_principal(ctx, *argv);
- }
- else
- usage(progname);
- argc--; argv++;
- }
+ /* Parse arguments. */
+ argc--; argv++;
+ while (argc) {
+ if (strcmp(*argv, "425_conv_principal") == 0) {
+ argc--; argv++;
+ if (!argc) usage(progname);
+ name = *argv;
+ argc--; argv++;
+ if (!argc) usage(progname);
+ inst = *argv;
+ argc--; argv++;
+ if (!argc) usage(progname);
+ realm = *argv;
+ test_425_conv_principal(ctx, name, inst, realm);
+ } else if (strcmp(*argv, "parse_name") == 0) {
+ argc--; argv++;
+ if (!argc) usage(progname);
+ name = *argv;
+ test_parse_name(ctx, name);
+ } else if (strcmp(*argv, "set_realm") == 0) {
+ argc--; argv++;
+ if (!argc) usage(progname);
+ name = *argv;
+ argc--; argv++;
+ if (!argc) usage(progname);
+ realm = *argv;
+ test_set_realm(ctx, name, realm);
+ } else if (strcmp(*argv, "string_to_timestamp") == 0) {
+ argc--; argv++;
+ if (!argc) usage(progname);
+ test_string_to_timestamp(ctx, *argv);
+ } else if (strcmp(*argv, "524_conv_principal") == 0) {
+ argc--; argv++;
+ if (!argc) usage(progname);
+ test_524_conv_principal(ctx, *argv);
+ }
+ else
+ usage(progname);
+ argc--; argv++;
+ }
krb5_free_context(ctx);
diff --git a/src/lib/krb5/krb/t_pac.c b/src/lib/krb5/krb/t_pac.c
index 503d778a9c..9e96b692e9 100644
--- a/src/lib/krb5/krb/t_pac.c
+++ b/src/lib/krb5/krb/t_pac.c
@@ -1,4 +1,4 @@
-/* -*- mode: c; indent-tabs-mode: nil -*- */
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* Copyright (c) 2006 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
@@ -40,45 +40,45 @@
*/
static const unsigned char saved_pac[] = {
- 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0xd8, 0x01, 0x00, 0x00,
- 0x48, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00,
- 0x20, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00,
- 0x40, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00,
- 0x58, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x10, 0x08, 0x00, 0xcc, 0xcc, 0xcc, 0xcc,
- 0xc8, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x30, 0xdf, 0xa6, 0xcb,
- 0x4f, 0x7d, 0xc5, 0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0xff,
- 0xff, 0xff, 0xff, 0x7f, 0xc0, 0x3c, 0x4e, 0x59, 0x62, 0x73, 0xc5, 0x01, 0xc0, 0x3c, 0x4e, 0x59,
- 0x62, 0x73, 0xc5, 0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x16, 0x00, 0x16, 0x00,
- 0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x0c, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x14, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0x00, 0x02, 0x00, 0x65, 0x00, 0x00, 0x00,
- 0xed, 0x03, 0x00, 0x00, 0x04, 0x02, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x1c, 0x00, 0x02, 0x00,
- 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x14, 0x00, 0x16, 0x00, 0x20, 0x00, 0x02, 0x00, 0x16, 0x00, 0x18, 0x00,
- 0x24, 0x00, 0x02, 0x00, 0x28, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x01, 0x00, 0x00, 0x00, 0x2c, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x00,
- 0x57, 0x00, 0x32, 0x00, 0x30, 0x00, 0x30, 0x00, 0x33, 0x00, 0x46, 0x00, 0x49, 0x00, 0x4e, 0x00,
- 0x41, 0x00, 0x4c, 0x00, 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x04, 0x02, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
- 0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x00, 0x57, 0x00, 0x32, 0x00,
- 0x30, 0x00, 0x30, 0x00, 0x33, 0x00, 0x46, 0x00, 0x49, 0x00, 0x4e, 0x00, 0x41, 0x00, 0x4c, 0x00,
- 0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x00, 0x57, 0x00, 0x49, 0x00,
- 0x4e, 0x00, 0x32, 0x00, 0x4b, 0x00, 0x33, 0x00, 0x54, 0x00, 0x48, 0x00, 0x49, 0x00, 0x4e, 0x00,
- 0x4b, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,
- 0x15, 0x00, 0x00, 0x00, 0x11, 0x2f, 0xaf, 0xb5, 0x90, 0x04, 0x1b, 0xec, 0x50, 0x3b, 0xec, 0xdc,
- 0x01, 0x00, 0x00, 0x00, 0x30, 0x00, 0x02, 0x00, 0x07, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
- 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x80, 0x66, 0x28, 0xea, 0x37, 0x80, 0xc5, 0x01, 0x16, 0x00, 0x77, 0x00, 0x32, 0x00, 0x30, 0x00,
- 0x30, 0x00, 0x33, 0x00, 0x66, 0x00, 0x69, 0x00, 0x6e, 0x00, 0x61, 0x00, 0x6c, 0x00, 0x24, 0x00,
- 0x76, 0xff, 0xff, 0xff, 0x37, 0xd5, 0xb0, 0xf7, 0x24, 0xf0, 0xd6, 0xd4, 0xec, 0x09, 0x86, 0x5a,
- 0xa0, 0xe8, 0xc3, 0xa9, 0x00, 0x00, 0x00, 0x00, 0x76, 0xff, 0xff, 0xff, 0xb4, 0xd8, 0xb8, 0xfe,
- 0x83, 0xb3, 0x13, 0x3f, 0xfc, 0x5c, 0x41, 0xad, 0xe2, 0x64, 0x83, 0xe0, 0x00, 0x00, 0x00, 0x00
+ 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0xd8, 0x01, 0x00, 0x00,
+ 0x48, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00,
+ 0x20, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00,
+ 0x40, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00,
+ 0x58, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x10, 0x08, 0x00, 0xcc, 0xcc, 0xcc, 0xcc,
+ 0xc8, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x30, 0xdf, 0xa6, 0xcb,
+ 0x4f, 0x7d, 0xc5, 0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0x7f, 0xc0, 0x3c, 0x4e, 0x59, 0x62, 0x73, 0xc5, 0x01, 0xc0, 0x3c, 0x4e, 0x59,
+ 0x62, 0x73, 0xc5, 0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x16, 0x00, 0x16, 0x00,
+ 0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x0c, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x14, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0x00, 0x02, 0x00, 0x65, 0x00, 0x00, 0x00,
+ 0xed, 0x03, 0x00, 0x00, 0x04, 0x02, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x1c, 0x00, 0x02, 0x00,
+ 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x14, 0x00, 0x16, 0x00, 0x20, 0x00, 0x02, 0x00, 0x16, 0x00, 0x18, 0x00,
+ 0x24, 0x00, 0x02, 0x00, 0x28, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x01, 0x00, 0x00, 0x00, 0x2c, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x00,
+ 0x57, 0x00, 0x32, 0x00, 0x30, 0x00, 0x30, 0x00, 0x33, 0x00, 0x46, 0x00, 0x49, 0x00, 0x4e, 0x00,
+ 0x41, 0x00, 0x4c, 0x00, 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x04, 0x02, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
+ 0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x00, 0x57, 0x00, 0x32, 0x00,
+ 0x30, 0x00, 0x30, 0x00, 0x33, 0x00, 0x46, 0x00, 0x49, 0x00, 0x4e, 0x00, 0x41, 0x00, 0x4c, 0x00,
+ 0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x00, 0x57, 0x00, 0x49, 0x00,
+ 0x4e, 0x00, 0x32, 0x00, 0x4b, 0x00, 0x33, 0x00, 0x54, 0x00, 0x48, 0x00, 0x49, 0x00, 0x4e, 0x00,
+ 0x4b, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,
+ 0x15, 0x00, 0x00, 0x00, 0x11, 0x2f, 0xaf, 0xb5, 0x90, 0x04, 0x1b, 0xec, 0x50, 0x3b, 0xec, 0xdc,
+ 0x01, 0x00, 0x00, 0x00, 0x30, 0x00, 0x02, 0x00, 0x07, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
+ 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x80, 0x66, 0x28, 0xea, 0x37, 0x80, 0xc5, 0x01, 0x16, 0x00, 0x77, 0x00, 0x32, 0x00, 0x30, 0x00,
+ 0x30, 0x00, 0x33, 0x00, 0x66, 0x00, 0x69, 0x00, 0x6e, 0x00, 0x61, 0x00, 0x6c, 0x00, 0x24, 0x00,
+ 0x76, 0xff, 0xff, 0xff, 0x37, 0xd5, 0xb0, 0xf7, 0x24, 0xf0, 0xd6, 0xd4, 0xec, 0x09, 0x86, 0x5a,
+ 0xa0, 0xe8, 0xc3, 0xa9, 0x00, 0x00, 0x00, 0x00, 0x76, 0xff, 0xff, 0xff, 0xb4, 0xd8, 0xb8, 0xfe,
+ 0x83, 0xb3, 0x13, 0x3f, 0xfc, 0x5c, 0x41, 0xad, 0xe2, 0x64, 0x83, 0xe0, 0x00, 0x00, 0x00, 0x00
};
static unsigned int type_1_length = 472;
@@ -145,12 +145,12 @@ main(int argc, char **argv)
err(context, ret, "krb5_pac_parse");
ret = krb5_pac_verify(context, pac, authtime, p,
- &member_keyblock, &kdc_keyblock);
+ &member_keyblock, &kdc_keyblock);
if (ret)
err(context, ret, "krb5_pac_verify");
ret = krb5int_pac_sign(context, pac, authtime, p,
- &member_keyblock, &kdc_keyblock, &data);
+ &member_keyblock, &kdc_keyblock, &data);
if (ret)
err(context, ret, "krb5int_pac_sign");
@@ -162,7 +162,7 @@ main(int argc, char **argv)
err(context, ret, "krb5_pac_parse 2");
ret = krb5_pac_verify(context, pac, authtime, p,
- &member_keyblock, &kdc_keyblock);
+ &member_keyblock, &kdc_keyblock);
if (ret)
err(context, ret, "krb5_pac_verify 2");
@@ -203,23 +203,23 @@ main(int argc, char **argv)
krb5_free_data_contents(context, &data);
}
free(list);
-
+
ret = krb5int_pac_sign(context, pac2, authtime, p,
&member_keyblock, &kdc_keyblock, &data);
if (ret)
err(context, ret, "krb5int_pac_sign 4");
-
+
krb5_pac_free(context, pac2);
ret = krb5_pac_parse(context, data.data, data.length, &pac2);
if (ret)
err(context, ret, "krb5_pac_parse 4");
-
+
ret = krb5_pac_verify(context, pac2, authtime, p,
&member_keyblock, &kdc_keyblock);
if (ret)
err(context, ret, "krb5_pac_verify 4");
-
+
krb5_free_data_contents(context, &data);
krb5_pac_free(context, pac2);
@@ -296,7 +296,7 @@ main(int argc, char **argv)
err(context, ret, "krb5_pac_parse 3");
ret = krb5_pac_verify(context, pac, authtime, p,
- &member_keyblock, &kdc_keyblock);
+ &member_keyblock, &kdc_keyblock);
if (ret)
err(context, ret, "krb5_pac_verify 3");
diff --git a/src/lib/krb5/krb/t_princ.c b/src/lib/krb5/krb/t_princ.c
index 688331722e..6664a75d62 100644
--- a/src/lib/krb5/krb/t_princ.c
+++ b/src/lib/krb5/krb/t_princ.c
@@ -1,4 +1,4 @@
-/* -*- mode: c; indent-tabs-mode: nil -*- */
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* Copyright (c) 2003 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
@@ -209,7 +209,7 @@ test_princ(krb5_context context)
&p2);
if (!ret)
err(context, ret, "Should have failed to parse %s a "
- "short name", princ);
+ "short name", princ);
ret = krb5_parse_name_flags(context, princ_short,
KRB5_PRINCIPAL_PARSE_NO_REALM,
@@ -233,7 +233,7 @@ test_princ(krb5_context context)
&p2);
if (!ret)
err(context, ret, "Should have failed to parse %s "
- "because it lacked a realm", princ_short);
+ "because it lacked a realm", princ_short);
ret = krb5_parse_name_flags(context, princ,
KRB5_PRINCIPAL_PARSE_REQUIRE_REALM,
@@ -372,7 +372,7 @@ test_enterprise(krb5_context context)
err(context, ret, "krb5_parse_name_flags");
ret = krb5_unparse_name_flags(context, p, KRB5_PRINCIPAL_UNPARSE_NO_REALM,
- &unparsed);
+ &unparsed);
if (ret)
err(context, ret, "krb5_unparse_name");
diff --git a/src/lib/krb5/krb/t_ser.c b/src/lib/krb5/krb/t_ser.c
index c92ce50c67..daad0c7d19 100644
--- a/src/lib/krb5/krb/t_ser.c
+++ b/src/lib/krb5/krb/t_ser.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/t_ser.c
*
@@ -48,26 +49,26 @@ print_erep(krb5_octet *erep, size_t elen)
int i, j;
for (i=0; i<elen; ) {
- printf("%08d: ", i);
- for (j=0; j<15; j++) {
- if ((i+j) < elen)
- printf("%02x ", erep[i+j]);
- else
- printf("-- ");
- }
- printf("\t");
- for (j=0; j<15; j++) {
- if ((i+j) < elen) {
- if (isprint(erep[i+j]) && (erep[i+j] != '\n'))
- printf("%c", erep[i+j]);
- else
- printf(".");
- }
- else
- printf("-");
- }
- printf("\n");
- i += 15;
+ printf("%08d: ", i);
+ for (j=0; j<15; j++) {
+ if ((i+j) < elen)
+ printf("%02x ", erep[i+j]);
+ else
+ printf("-- ");
+ }
+ printf("\t");
+ for (j=0; j<15; j++) {
+ if ((i+j) < elen) {
+ if (isprint(erep[i+j]) && (erep[i+j] != '\n'))
+ printf("%c", erep[i+j]);
+ else
+ printf(".");
+ }
+ else
+ printf("-");
+ }
+ printf("\n");
+ i += 15;
}
}
@@ -77,17 +78,17 @@ print_erep(krb5_octet *erep, size_t elen)
static krb5_error_code
ser_data(int verbose, char *msg, krb5_pointer ctx, krb5_magic dtype)
{
- krb5_error_code kret;
- krb5_context ser_ctx;
- krb5_pointer nctx;
- krb5_octet *outrep, *ibuf, *outrep2;
- size_t outlen, ilen, outlen2;
+ krb5_error_code kret;
+ krb5_context ser_ctx;
+ krb5_pointer nctx;
+ krb5_octet *outrep, *ibuf, *outrep2;
+ size_t outlen, ilen, outlen2;
/* Initialize context and initialize all Kerberos serializers */
if ((kret = krb5_init_context(&ser_ctx))) {
- printf("Couldn't initialize krb5 library: %s\n",
- error_message(kret));
- exit(1);
+ printf("Couldn't initialize krb5 library: %s\n",
+ error_message(kret));
+ exit(1);
}
krb5_ser_context_init(ser_ctx);
krb5_ser_auth_context_init(ser_ctx);
@@ -98,96 +99,96 @@ ser_data(int verbose, char *msg, krb5_pointer ctx, krb5_magic dtype)
/* Externalize the data */
kret = krb5_externalize_data(ser_ctx, ctx, &outrep, &outlen);
if (!kret) {
- if (verbose) {
- printf("%s: externalized in %d bytes\n", msg, outlen);
- print_erep(outrep, outlen);
- }
-
- /* Now attempt to re-constitute it */
- ibuf = outrep;
- ilen = outlen;
- kret = krb5_internalize_opaque(ser_ctx,
- dtype,
- (krb5_pointer *) &nctx,
- &ibuf,
- &ilen);
- if (!kret) {
- if (ilen)
- printf("%s: %d bytes left over after internalize\n",
- msg, ilen);
- /* Now attempt to re-externalize it */
- kret = krb5_externalize_data(ser_ctx, nctx, &outrep2, &outlen2);
- if (!kret) {
- /* Compare the results. */
- if ((outlen2 != outlen) ||
- memcmp(outrep, outrep2, outlen)) {
- printf("%s: comparison failed\n", msg);
- print_erep(outrep2, outlen2);
- }
- else {
- if (verbose)
- printf("%s: compare succeeded\n", msg);
- }
- free(outrep2);
- }
- else
- printf("%s: second externalize returned %d\n", msg, kret);
-
- /* Free the data */
- switch (dtype) {
- case KV5M_CONTEXT:
- krb5_free_context((krb5_context) nctx);
- break;
- case KV5M_AUTH_CONTEXT:
- if (nctx) {
- krb5_auth_context actx;
-
- actx = (krb5_auth_context) nctx;
- if (actx->i_vector)
- free(actx->i_vector);
- }
- krb5_auth_con_free(ser_ctx, (krb5_auth_context) nctx);
- break;
- case KV5M_CCACHE:
- krb5_cc_close(ser_ctx, (krb5_ccache) nctx);
- break;
- case KV5M_RCACHE:
- krb5_rc_close(ser_ctx, (krb5_rcache) nctx);
- break;
- case KV5M_KEYTAB:
- krb5_kt_close(ser_ctx, (krb5_keytab) nctx);
- break;
- case KV5M_ENCRYPT_BLOCK:
- if (nctx) {
- krb5_encrypt_block *eblock;
-
- eblock = (krb5_encrypt_block *) nctx;
+ if (verbose) {
+ printf("%s: externalized in %d bytes\n", msg, outlen);
+ print_erep(outrep, outlen);
+ }
+
+ /* Now attempt to re-constitute it */
+ ibuf = outrep;
+ ilen = outlen;
+ kret = krb5_internalize_opaque(ser_ctx,
+ dtype,
+ (krb5_pointer *) &nctx,
+ &ibuf,
+ &ilen);
+ if (!kret) {
+ if (ilen)
+ printf("%s: %d bytes left over after internalize\n",
+ msg, ilen);
+ /* Now attempt to re-externalize it */
+ kret = krb5_externalize_data(ser_ctx, nctx, &outrep2, &outlen2);
+ if (!kret) {
+ /* Compare the results. */
+ if ((outlen2 != outlen) ||
+ memcmp(outrep, outrep2, outlen)) {
+ printf("%s: comparison failed\n", msg);
+ print_erep(outrep2, outlen2);
+ }
+ else {
+ if (verbose)
+ printf("%s: compare succeeded\n", msg);
+ }
+ free(outrep2);
+ }
+ else
+ printf("%s: second externalize returned %d\n", msg, kret);
+
+ /* Free the data */
+ switch (dtype) {
+ case KV5M_CONTEXT:
+ krb5_free_context((krb5_context) nctx);
+ break;
+ case KV5M_AUTH_CONTEXT:
+ if (nctx) {
+ krb5_auth_context actx;
+
+ actx = (krb5_auth_context) nctx;
+ if (actx->i_vector)
+ free(actx->i_vector);
+ }
+ krb5_auth_con_free(ser_ctx, (krb5_auth_context) nctx);
+ break;
+ case KV5M_CCACHE:
+ krb5_cc_close(ser_ctx, (krb5_ccache) nctx);
+ break;
+ case KV5M_RCACHE:
+ krb5_rc_close(ser_ctx, (krb5_rcache) nctx);
+ break;
+ case KV5M_KEYTAB:
+ krb5_kt_close(ser_ctx, (krb5_keytab) nctx);
+ break;
+ case KV5M_ENCRYPT_BLOCK:
+ if (nctx) {
+ krb5_encrypt_block *eblock;
+
+ eblock = (krb5_encrypt_block *) nctx;
#if 0
- if (eblock->priv && eblock->priv_size)
- free(eblock->priv);
+ if (eblock->priv && eblock->priv_size)
+ free(eblock->priv);
#endif
- if (eblock->key)
- krb5_free_keyblock(ser_ctx, eblock->key);
- free(eblock);
- }
- break;
- case KV5M_PRINCIPAL:
- krb5_free_principal(ser_ctx, (krb5_principal) nctx);
- break;
- case KV5M_CHECKSUM:
- krb5_free_checksum(ser_ctx, (krb5_checksum *) nctx);
- break;
- default:
- printf("don't know how to free %d\n", dtype);
- break;
- }
- }
- else
- printf("%s: internalize returned %d\n", msg, kret);
- free(outrep);
+ if (eblock->key)
+ krb5_free_keyblock(ser_ctx, eblock->key);
+ free(eblock);
+ }
+ break;
+ case KV5M_PRINCIPAL:
+ krb5_free_principal(ser_ctx, (krb5_principal) nctx);
+ break;
+ case KV5M_CHECKSUM:
+ krb5_free_checksum(ser_ctx, (krb5_checksum *) nctx);
+ break;
+ default:
+ printf("don't know how to free %d\n", dtype);
+ break;
+ }
+ }
+ else
+ printf("%s: internalize returned %d\n", msg, kret);
+ free(outrep);
}
else
- printf("%s: externalize_data returned %d\n", msg, kret);
+ printf("%s: externalize_data returned %d\n", msg, kret);
krb5_free_context(ser_ctx);
return(kret);
}
@@ -198,161 +199,161 @@ ser_data(int verbose, char *msg, krb5_pointer ctx, krb5_magic dtype)
static krb5_error_code
ser_kcontext_test(krb5_context kcontext, int verbose)
{
- krb5_error_code kret;
- profile_t sprofile;
- char dbname[128];
+ krb5_error_code kret;
+ profile_t sprofile;
+ char dbname[128];
snprintf(dbname, sizeof(dbname), "temp_%d", (int) getpid());
sprofile = kcontext->profile;
kcontext->profile = (profile_t) NULL;
if (!(kret = ser_data(verbose, "> Context with no profile",
- (krb5_pointer) kcontext,
- KV5M_CONTEXT))) {
- kcontext->profile = sprofile;
- if (!(kret = ser_data(verbose, "> Context with no realm",
- (krb5_pointer) kcontext,
- KV5M_CONTEXT)) &&
- !(kret = krb5_set_default_realm(kcontext, "this.is.a.test"))) {
- if (!(kret = ser_data(verbose, "> Context with default realm",
- (krb5_pointer) kcontext,
- KV5M_CONTEXT))) {
- if (verbose)
- printf("* krb5_context test succeeded\n");
- }
- }
+ (krb5_pointer) kcontext,
+ KV5M_CONTEXT))) {
+ kcontext->profile = sprofile;
+ if (!(kret = ser_data(verbose, "> Context with no realm",
+ (krb5_pointer) kcontext,
+ KV5M_CONTEXT)) &&
+ !(kret = krb5_set_default_realm(kcontext, "this.is.a.test"))) {
+ if (!(kret = ser_data(verbose, "> Context with default realm",
+ (krb5_pointer) kcontext,
+ KV5M_CONTEXT))) {
+ if (verbose)
+ printf("* krb5_context test succeeded\n");
+ }
+ }
}
if (kret)
- printf("* krb5_context test failed\n");
+ printf("* krb5_context test failed\n");
return(kret);
}
-/*
+/*
* Serialize krb5_auth_context.
*/
static krb5_error_code
ser_acontext_test(krb5_context kcontext, int verbose)
{
- krb5_error_code kret;
- krb5_auth_context actx;
- krb5_address local_address;
- krb5_address remote_address;
- krb5_octet laddr_bytes[16];
- krb5_octet raddr_bytes[16];
- krb5_keyblock ukeyblock;
- krb5_octet keydata[8];
- krb5_authenticator aent;
- char clname[128];
- krb5_authdata *adatalist[3];
- krb5_authdata adataent;
+ krb5_error_code kret;
+ krb5_auth_context actx;
+ krb5_address local_address;
+ krb5_address remote_address;
+ krb5_octet laddr_bytes[16];
+ krb5_octet raddr_bytes[16];
+ krb5_keyblock ukeyblock;
+ krb5_octet keydata[8];
+ krb5_authenticator aent;
+ char clname[128];
+ krb5_authdata *adatalist[3];
+ krb5_authdata adataent;
actx = (krb5_auth_context) NULL;
if (!(kret = krb5_auth_con_init(kcontext, &actx)) &&
- !(kret = ser_data(verbose, "> Vanilla auth context",
- (krb5_pointer) actx,
- KV5M_AUTH_CONTEXT))) {
- memset(&local_address, 0, sizeof(local_address));
- memset(&remote_address, 0, sizeof(remote_address));
- memset(laddr_bytes, 0, sizeof(laddr_bytes));
- memset(raddr_bytes, 0, sizeof(raddr_bytes));
- local_address.addrtype = ADDRTYPE_INET;
- local_address.length = sizeof(laddr_bytes);
- local_address.contents = laddr_bytes;
- laddr_bytes[0] = 6;
- laddr_bytes[1] = 2;
- laddr_bytes[2] = 69;
- laddr_bytes[3] = 16;
- laddr_bytes[4] = 1;
- laddr_bytes[5] = 0;
- laddr_bytes[6] = 0;
- laddr_bytes[7] = 127;
- remote_address.addrtype = ADDRTYPE_INET;
- remote_address.length = sizeof(raddr_bytes);
- remote_address.contents = raddr_bytes;
- raddr_bytes[0] = 6;
- raddr_bytes[1] = 2;
- raddr_bytes[2] = 70;
- raddr_bytes[3] = 16;
- raddr_bytes[4] = 1;
- raddr_bytes[5] = 0;
- raddr_bytes[6] = 0;
- raddr_bytes[7] = 127;
- if (!(kret = krb5_auth_con_setaddrs(kcontext, actx,
- &local_address,
- &remote_address)) &&
- !(kret = krb5_auth_con_setports(kcontext, actx,
- &local_address,
- &remote_address)) &&
- !(kret = ser_data(verbose, "> Auth context with addrs/ports",
- (krb5_pointer) actx,
- KV5M_AUTH_CONTEXT))) {
- memset(&ukeyblock, 0, sizeof(ukeyblock));
- memset(keydata, 0, sizeof(keydata));
- ukeyblock.enctype = ENCTYPE_DES_CBC_MD5;
- ukeyblock.length = sizeof(keydata);
- ukeyblock.contents = keydata;
- keydata[0] = 0xde;
- keydata[1] = 0xad;
- keydata[2] = 0xbe;
- keydata[3] = 0xef;
- keydata[4] = 0xfe;
- keydata[5] = 0xed;
- keydata[6] = 0xf0;
- keydata[7] = 0xd;
- if (!(kret = krb5_auth_con_setuseruserkey(kcontext, actx,
- &ukeyblock)) &&
- !(kret = ser_data(verbose, "> Auth context with user key",
- (krb5_pointer) actx,
- KV5M_AUTH_CONTEXT)) &&
- !(kret = krb5_auth_con_initivector(kcontext, actx)) &&
- !(kret = ser_data(verbose, "> Auth context with new vector",
- (krb5_pointer) actx,
- KV5M_AUTH_CONTEXT)) &&
- (free(actx->i_vector), actx->i_vector) &&
- !(kret = krb5_auth_con_setivector(kcontext, actx,
- (krb5_pointer) print_erep)
- ) &&
- !(kret = ser_data(verbose, "> Auth context with set vector",
- (krb5_pointer) actx,
- KV5M_AUTH_CONTEXT))) {
- /*
- * Finally, add an authenticator.
- */
- memset(&aent, 0, sizeof(aent));
- aent.magic = KV5M_AUTHENTICATOR;
- snprintf(clname, sizeof(clname),
- "help/me/%d@this.is.a.test", (int) getpid());
- actx->authentp = &aent;
- if (!(kret = krb5_parse_name(kcontext, clname,
- &aent.client)) &&
- !(kret = ser_data(verbose,
- "> Auth context with authenticator",
- (krb5_pointer) actx,
- KV5M_AUTH_CONTEXT))) {
- adataent.magic = KV5M_AUTHDATA;
- adataent.ad_type = 123;
- adataent.length = 128;
- adataent.contents = (krb5_octet *) stuff;
- adatalist[0] = &adataent;
- adatalist[1] = &adataent;
- adatalist[2] = (krb5_authdata *) NULL;
- aent.authorization_data = adatalist;
- if (!(kret = ser_data(verbose,
- "> Auth context with full auth",
- (krb5_pointer) actx,
- KV5M_AUTH_CONTEXT))) {
- if (verbose)
- printf("* krb5_auth_context test succeeded\n");
- }
- krb5_free_principal(kcontext, aent.client);
- }
- actx->authentp = (krb5_authenticator *) NULL;
- }
- }
+ !(kret = ser_data(verbose, "> Vanilla auth context",
+ (krb5_pointer) actx,
+ KV5M_AUTH_CONTEXT))) {
+ memset(&local_address, 0, sizeof(local_address));
+ memset(&remote_address, 0, sizeof(remote_address));
+ memset(laddr_bytes, 0, sizeof(laddr_bytes));
+ memset(raddr_bytes, 0, sizeof(raddr_bytes));
+ local_address.addrtype = ADDRTYPE_INET;
+ local_address.length = sizeof(laddr_bytes);
+ local_address.contents = laddr_bytes;
+ laddr_bytes[0] = 6;
+ laddr_bytes[1] = 2;
+ laddr_bytes[2] = 69;
+ laddr_bytes[3] = 16;
+ laddr_bytes[4] = 1;
+ laddr_bytes[5] = 0;
+ laddr_bytes[6] = 0;
+ laddr_bytes[7] = 127;
+ remote_address.addrtype = ADDRTYPE_INET;
+ remote_address.length = sizeof(raddr_bytes);
+ remote_address.contents = raddr_bytes;
+ raddr_bytes[0] = 6;
+ raddr_bytes[1] = 2;
+ raddr_bytes[2] = 70;
+ raddr_bytes[3] = 16;
+ raddr_bytes[4] = 1;
+ raddr_bytes[5] = 0;
+ raddr_bytes[6] = 0;
+ raddr_bytes[7] = 127;
+ if (!(kret = krb5_auth_con_setaddrs(kcontext, actx,
+ &local_address,
+ &remote_address)) &&
+ !(kret = krb5_auth_con_setports(kcontext, actx,
+ &local_address,
+ &remote_address)) &&
+ !(kret = ser_data(verbose, "> Auth context with addrs/ports",
+ (krb5_pointer) actx,
+ KV5M_AUTH_CONTEXT))) {
+ memset(&ukeyblock, 0, sizeof(ukeyblock));
+ memset(keydata, 0, sizeof(keydata));
+ ukeyblock.enctype = ENCTYPE_DES_CBC_MD5;
+ ukeyblock.length = sizeof(keydata);
+ ukeyblock.contents = keydata;
+ keydata[0] = 0xde;
+ keydata[1] = 0xad;
+ keydata[2] = 0xbe;
+ keydata[3] = 0xef;
+ keydata[4] = 0xfe;
+ keydata[5] = 0xed;
+ keydata[6] = 0xf0;
+ keydata[7] = 0xd;
+ if (!(kret = krb5_auth_con_setuseruserkey(kcontext, actx,
+ &ukeyblock)) &&
+ !(kret = ser_data(verbose, "> Auth context with user key",
+ (krb5_pointer) actx,
+ KV5M_AUTH_CONTEXT)) &&
+ !(kret = krb5_auth_con_initivector(kcontext, actx)) &&
+ !(kret = ser_data(verbose, "> Auth context with new vector",
+ (krb5_pointer) actx,
+ KV5M_AUTH_CONTEXT)) &&
+ (free(actx->i_vector), actx->i_vector) &&
+ !(kret = krb5_auth_con_setivector(kcontext, actx,
+ (krb5_pointer) print_erep)
+ ) &&
+ !(kret = ser_data(verbose, "> Auth context with set vector",
+ (krb5_pointer) actx,
+ KV5M_AUTH_CONTEXT))) {
+ /*
+ * Finally, add an authenticator.
+ */
+ memset(&aent, 0, sizeof(aent));
+ aent.magic = KV5M_AUTHENTICATOR;
+ snprintf(clname, sizeof(clname),
+ "help/me/%d@this.is.a.test", (int) getpid());
+ actx->authentp = &aent;
+ if (!(kret = krb5_parse_name(kcontext, clname,
+ &aent.client)) &&
+ !(kret = ser_data(verbose,
+ "> Auth context with authenticator",
+ (krb5_pointer) actx,
+ KV5M_AUTH_CONTEXT))) {
+ adataent.magic = KV5M_AUTHDATA;
+ adataent.ad_type = 123;
+ adataent.length = 128;
+ adataent.contents = (krb5_octet *) stuff;
+ adatalist[0] = &adataent;
+ adatalist[1] = &adataent;
+ adatalist[2] = (krb5_authdata *) NULL;
+ aent.authorization_data = adatalist;
+ if (!(kret = ser_data(verbose,
+ "> Auth context with full auth",
+ (krb5_pointer) actx,
+ KV5M_AUTH_CONTEXT))) {
+ if (verbose)
+ printf("* krb5_auth_context test succeeded\n");
+ }
+ krb5_free_principal(kcontext, aent.client);
+ }
+ actx->authentp = (krb5_authenticator *) NULL;
+ }
+ }
}
if (actx)
- krb5_auth_con_free(kcontext, actx);
+ krb5_auth_con_free(kcontext, actx);
if (kret)
- printf("* krb5_auth_context test failed\n");
+ printf("* krb5_auth_context test failed\n");
return(kret);
}
@@ -362,44 +363,44 @@ ser_acontext_test(krb5_context kcontext, int verbose)
static krb5_error_code
ser_ccache_test(krb5_context kcontext, int verbose)
{
- krb5_error_code kret;
- char ccname[128];
- char princname[256];
- krb5_ccache ccache;
- krb5_principal principal;
+ krb5_error_code kret;
+ char ccname[128];
+ char princname[256];
+ krb5_ccache ccache;
+ krb5_principal principal;
snprintf(ccname, sizeof(ccname), "temp_cc_%d", (int) getpid());
snprintf(princname, sizeof(princname),
- "zowie%d/instance%d@this.is.a.test",
- (int) getpid(), (int) getpid());
+ "zowie%d/instance%d@this.is.a.test",
+ (int) getpid(), (int) getpid());
if (!(kret = krb5_cc_resolve(kcontext, ccname, &ccache)) &&
- !(kret = ser_data(verbose, "> Resolved default ccache",
- (krb5_pointer) ccache, KV5M_CCACHE)) &&
- !(kret = krb5_parse_name(kcontext, princname, &principal)) &&
- !(kret = krb5_cc_initialize(kcontext, ccache, principal)) &&
- !(kret = ser_data(verbose, "> Initialized default ccache",
- (krb5_pointer) ccache, KV5M_CCACHE)) &&
- !(kret = krb5_cc_destroy(kcontext, ccache))) {
- krb5_free_principal(kcontext, principal);
- snprintf(ccname, sizeof(ccname), "FILE:temp_cc_%d", (int) getpid());
- snprintf(princname, sizeof(princname), "xxx%d/i%d@this.is.a.test",
- (int) getpid(), (int) getpid());
- if (!(kret = krb5_cc_resolve(kcontext, ccname, &ccache)) &&
- !(kret = ser_data(verbose, "> Resolved FILE ccache",
- (krb5_pointer) ccache, KV5M_CCACHE)) &&
- !(kret = krb5_parse_name(kcontext, princname, &principal)) &&
- !(kret = krb5_cc_initialize(kcontext, ccache, principal)) &&
- !(kret = ser_data(verbose, "> Initialized FILE ccache",
- (krb5_pointer) ccache, KV5M_CCACHE)) &&
- !(kret = krb5_cc_destroy(kcontext, ccache))) {
- krb5_free_principal(kcontext, principal);
-
- if (verbose)
- printf("* ccache test succeeded\n");
- }
+ !(kret = ser_data(verbose, "> Resolved default ccache",
+ (krb5_pointer) ccache, KV5M_CCACHE)) &&
+ !(kret = krb5_parse_name(kcontext, princname, &principal)) &&
+ !(kret = krb5_cc_initialize(kcontext, ccache, principal)) &&
+ !(kret = ser_data(verbose, "> Initialized default ccache",
+ (krb5_pointer) ccache, KV5M_CCACHE)) &&
+ !(kret = krb5_cc_destroy(kcontext, ccache))) {
+ krb5_free_principal(kcontext, principal);
+ snprintf(ccname, sizeof(ccname), "FILE:temp_cc_%d", (int) getpid());
+ snprintf(princname, sizeof(princname), "xxx%d/i%d@this.is.a.test",
+ (int) getpid(), (int) getpid());
+ if (!(kret = krb5_cc_resolve(kcontext, ccname, &ccache)) &&
+ !(kret = ser_data(verbose, "> Resolved FILE ccache",
+ (krb5_pointer) ccache, KV5M_CCACHE)) &&
+ !(kret = krb5_parse_name(kcontext, princname, &principal)) &&
+ !(kret = krb5_cc_initialize(kcontext, ccache, principal)) &&
+ !(kret = ser_data(verbose, "> Initialized FILE ccache",
+ (krb5_pointer) ccache, KV5M_CCACHE)) &&
+ !(kret = krb5_cc_destroy(kcontext, ccache))) {
+ krb5_free_principal(kcontext, principal);
+
+ if (verbose)
+ printf("* ccache test succeeded\n");
+ }
}
if (kret)
- printf("* krb5_ccache test failed\n");
+ printf("* krb5_ccache test failed\n");
return(kret);
}
@@ -409,33 +410,33 @@ ser_ccache_test(krb5_context kcontext, int verbose)
static krb5_error_code
ser_keytab_test(krb5_context kcontext, int verbose)
{
- krb5_error_code kret;
- char ccname[128];
- krb5_keytab keytab;
+ krb5_error_code kret;
+ char ccname[128];
+ krb5_keytab keytab;
snprintf(ccname, sizeof(ccname), "temp_kt_%d", (int) getpid());
if (!(kret = krb5_kt_resolve(kcontext, ccname, &keytab)) &&
- !(kret = ser_data(verbose, "> Resolved default keytab",
- (krb5_pointer) keytab, KV5M_KEYTAB)) &&
- !(kret = krb5_kt_close(kcontext, keytab))) {
- snprintf(ccname, sizeof(ccname), "FILE:temp_kt_%d", (int) getpid());
- if (!(kret = krb5_kt_resolve(kcontext, ccname, &keytab)) &&
- !(kret = ser_data(verbose, "> Resolved FILE keytab",
- (krb5_pointer) keytab, KV5M_KEYTAB)) &&
- !(kret = krb5_kt_close(kcontext, keytab))) {
- snprintf(ccname, sizeof(ccname),
- "WRFILE:temp_kt_%d", (int) getpid());
- if (!(kret = krb5_kt_resolve(kcontext, ccname, &keytab)) &&
- !(kret = ser_data(verbose, "> Resolved WRFILE keytab",
- (krb5_pointer) keytab, KV5M_KEYTAB)) &&
- !(kret = krb5_kt_close(kcontext, keytab))) {
- if (verbose)
- printf("* keytab test succeeded\n");
- }
- }
+ !(kret = ser_data(verbose, "> Resolved default keytab",
+ (krb5_pointer) keytab, KV5M_KEYTAB)) &&
+ !(kret = krb5_kt_close(kcontext, keytab))) {
+ snprintf(ccname, sizeof(ccname), "FILE:temp_kt_%d", (int) getpid());
+ if (!(kret = krb5_kt_resolve(kcontext, ccname, &keytab)) &&
+ !(kret = ser_data(verbose, "> Resolved FILE keytab",
+ (krb5_pointer) keytab, KV5M_KEYTAB)) &&
+ !(kret = krb5_kt_close(kcontext, keytab))) {
+ snprintf(ccname, sizeof(ccname),
+ "WRFILE:temp_kt_%d", (int) getpid());
+ if (!(kret = krb5_kt_resolve(kcontext, ccname, &keytab)) &&
+ !(kret = ser_data(verbose, "> Resolved WRFILE keytab",
+ (krb5_pointer) keytab, KV5M_KEYTAB)) &&
+ !(kret = krb5_kt_close(kcontext, keytab))) {
+ if (verbose)
+ printf("* keytab test succeeded\n");
+ }
+ }
}
if (kret)
- printf("* krb5_keytab test failed\n");
+ printf("* krb5_keytab test failed\n");
return(kret);
}
@@ -445,23 +446,23 @@ ser_keytab_test(krb5_context kcontext, int verbose)
static krb5_error_code
ser_rcache_test(krb5_context kcontext, int verbose)
{
- krb5_error_code kret;
- char rcname[128];
- krb5_rcache rcache;
+ krb5_error_code kret;
+ char rcname[128];
+ krb5_rcache rcache;
snprintf(rcname, sizeof(rcname), "dfl:temp_rc_%d", (int) getpid());
if (!(kret = krb5_rc_resolve_full(kcontext, &rcache, rcname)) &&
- !(kret = ser_data(verbose, "> Resolved FILE rcache",
- (krb5_pointer) rcache, KV5M_RCACHE)) &&
- !(kret = krb5_rc_initialize(kcontext, rcache, 3600*24)) &&
- !(kret = ser_data(verbose, "> Initialized FILE rcache",
- (krb5_pointer) rcache, KV5M_RCACHE)) &&
- !(kret = krb5_rc_destroy(kcontext, rcache))) {
- if (verbose)
- printf("* rcache test succeeded\n");
+ !(kret = ser_data(verbose, "> Resolved FILE rcache",
+ (krb5_pointer) rcache, KV5M_RCACHE)) &&
+ !(kret = krb5_rc_initialize(kcontext, rcache, 3600*24)) &&
+ !(kret = ser_data(verbose, "> Initialized FILE rcache",
+ (krb5_pointer) rcache, KV5M_RCACHE)) &&
+ !(kret = krb5_rc_destroy(kcontext, rcache))) {
+ if (verbose)
+ printf("* rcache test succeeded\n");
}
if (kret)
- printf("* krb5_rcache test failed\n");
+ printf("* krb5_rcache test failed\n");
return(kret);
}
@@ -471,50 +472,50 @@ ser_rcache_test(krb5_context kcontext, int verbose)
*/
static krb5_error_code
ser_eblock_test(kcontext, verbose)
- krb5_context kcontext;
- int verbose;
+ krb5_context kcontext;
+ int verbose;
{
- krb5_error_code kret;
- krb5_encrypt_block eblock;
- krb5_keyblock ukeyblock;
- krb5_octet keydata[8];
+ krb5_error_code kret;
+ krb5_encrypt_block eblock;
+ krb5_keyblock ukeyblock;
+ krb5_octet keydata[8];
memset(&eblock, 0, sizeof(krb5_encrypt_block));
eblock.magic = KV5M_ENCRYPT_BLOCK;
krb5_use_enctype(kcontext, &eblock, DEFAULT_KDC_ENCTYPE);
if (!(kret = ser_data(verbose, "> NULL eblock",
- (krb5_pointer) &eblock, KV5M_ENCRYPT_BLOCK))) {
+ (krb5_pointer) &eblock, KV5M_ENCRYPT_BLOCK))) {
#if 0
- eblock.priv = (krb5_pointer) stuff;
- eblock.priv_size = 8;
+ eblock.priv = (krb5_pointer) stuff;
+ eblock.priv_size = 8;
#endif
- if (!(kret = ser_data(verbose, "> eblock with private data",
- (krb5_pointer) &eblock,
- KV5M_ENCRYPT_BLOCK))) {
- memset(&ukeyblock, 0, sizeof(ukeyblock));
- memset(keydata, 0, sizeof(keydata));
- ukeyblock.enctype = ENCTYPE_DES_CBC_MD5;
- ukeyblock.length = sizeof(keydata);
- ukeyblock.contents = keydata;
- keydata[0] = 0xde;
- keydata[1] = 0xad;
- keydata[2] = 0xbe;
- keydata[3] = 0xef;
- keydata[4] = 0xfe;
- keydata[5] = 0xed;
- keydata[6] = 0xf0;
- keydata[7] = 0xd;
- eblock.key = &ukeyblock;
- if (!(kret = ser_data(verbose, "> eblock with private key",
- (krb5_pointer) &eblock,
- KV5M_ENCRYPT_BLOCK))) {
- if (verbose)
- printf("* eblock test succeeded\n");
- }
- }
+ if (!(kret = ser_data(verbose, "> eblock with private data",
+ (krb5_pointer) &eblock,
+ KV5M_ENCRYPT_BLOCK))) {
+ memset(&ukeyblock, 0, sizeof(ukeyblock));
+ memset(keydata, 0, sizeof(keydata));
+ ukeyblock.enctype = ENCTYPE_DES_CBC_MD5;
+ ukeyblock.length = sizeof(keydata);
+ ukeyblock.contents = keydata;
+ keydata[0] = 0xde;
+ keydata[1] = 0xad;
+ keydata[2] = 0xbe;
+ keydata[3] = 0xef;
+ keydata[4] = 0xfe;
+ keydata[5] = 0xed;
+ keydata[6] = 0xf0;
+ keydata[7] = 0xd;
+ eblock.key = &ukeyblock;
+ if (!(kret = ser_data(verbose, "> eblock with private key",
+ (krb5_pointer) &eblock,
+ KV5M_ENCRYPT_BLOCK))) {
+ if (verbose)
+ printf("* eblock test succeeded\n");
+ }
+ }
}
if (kret)
- printf("* eblock test failed\n");
+ printf("* eblock test failed\n");
return(kret);
}
#endif
@@ -525,23 +526,23 @@ ser_eblock_test(kcontext, verbose)
static krb5_error_code
ser_princ_test(krb5_context kcontext, int verbose)
{
- krb5_error_code kret;
- krb5_principal princ;
- char pname[1024];
+ krb5_error_code kret;
+ krb5_principal princ;
+ char pname[1024];
snprintf(pname, sizeof(pname),
- "the/quick/brown/fox/jumped/over/the/lazy/dog/%d@this.is.a.test",
- (int) getpid());
+ "the/quick/brown/fox/jumped/over/the/lazy/dog/%d@this.is.a.test",
+ (int) getpid());
if (!(kret = krb5_parse_name(kcontext, pname, &princ))) {
- if (!(kret = ser_data(verbose, "> Principal",
- (krb5_pointer) princ, KV5M_PRINCIPAL))) {
- if (verbose)
- printf("* principal test succeeded\n");
- }
- krb5_free_principal(kcontext, princ);
+ if (!(kret = ser_data(verbose, "> Principal",
+ (krb5_pointer) princ, KV5M_PRINCIPAL))) {
+ if (verbose)
+ printf("* principal test succeeded\n");
+ }
+ krb5_free_principal(kcontext, princ);
}
if (kret)
- printf("* principal test failed\n");
+ printf("* principal test failed\n");
return(kret);
}
@@ -551,26 +552,26 @@ ser_princ_test(krb5_context kcontext, int verbose)
static krb5_error_code
ser_cksum_test(krb5_context kcontext, int verbose)
{
- krb5_error_code kret;
- krb5_checksum checksum;
- krb5_octet ckdata[24];
+ krb5_error_code kret;
+ krb5_checksum checksum;
+ krb5_octet ckdata[24];
memset(&checksum, 0, sizeof(krb5_checksum));
checksum.magic = KV5M_CHECKSUM;
if (!(kret = ser_data(verbose, "> NULL checksum",
- (krb5_pointer) &checksum, KV5M_CHECKSUM))) {
- checksum.checksum_type = 123;
- checksum.length = sizeof(ckdata);
- checksum.contents = ckdata;
- memcpy(ckdata, &stuff, sizeof(ckdata));
- if (!(kret = ser_data(verbose, "> checksum with data",
- (krb5_pointer) &checksum, KV5M_CHECKSUM))) {
- if (verbose)
- printf("* checksum test succeeded\n");
- }
+ (krb5_pointer) &checksum, KV5M_CHECKSUM))) {
+ checksum.checksum_type = 123;
+ checksum.length = sizeof(ckdata);
+ checksum.contents = ckdata;
+ memcpy(ckdata, &stuff, sizeof(ckdata));
+ if (!(kret = ser_data(verbose, "> checksum with data",
+ (krb5_pointer) &checksum, KV5M_CHECKSUM))) {
+ if (verbose)
+ printf("* checksum test succeeded\n");
+ }
}
if (kret)
- printf("* checksum test failed\n");
+ printf("* checksum test failed\n");
return(kret);
}
@@ -580,14 +581,14 @@ ser_cksum_test(krb5_context kcontext, int verbose)
int
main(int argc, char **argv)
{
- krb5_error_code kret;
- krb5_context kcontext;
- int do_atest, do_ctest, do_ktest, do_rtest, do_xtest;
- int do_etest, do_ptest, do_stest;
- int verbose;
- int option;
- extern char *optarg;
- char ch_err;
+ krb5_error_code kret;
+ krb5_context kcontext;
+ int do_atest, do_ctest, do_ktest, do_rtest, do_xtest;
+ int do_etest, do_ptest, do_stest;
+ int verbose;
+ int option;
+ extern char *optarg;
+ char ch_err;
kret = 0;
verbose = 0;
@@ -600,125 +601,125 @@ main(int argc, char **argv)
do_rtest = 1;
do_stest = 1;
while ((option = getopt(argc, argv, "acekprsxvACEKPRSX")) != -1) {
- switch (option) {
- case 'a':
- do_atest = 0;
- break;
- case 'c':
- do_ctest = 0;
- break;
- case 'e':
- do_etest = 0;
- break;
- case 'k':
- do_ktest = 0;
- break;
- case 'p':
- do_ptest = 0;
- break;
- case 'r':
- do_rtest = 0;
- break;
- case 's':
- do_stest = 0;
- break;
- case 'x':
- do_xtest = 0;
- break;
- case 'v':
- verbose = 1;
- break;
- case 'A':
- do_atest = 1;
- break;
- case 'C':
- do_ctest = 1;
- break;
+ switch (option) {
+ case 'a':
+ do_atest = 0;
+ break;
+ case 'c':
+ do_ctest = 0;
+ break;
+ case 'e':
+ do_etest = 0;
+ break;
+ case 'k':
+ do_ktest = 0;
+ break;
+ case 'p':
+ do_ptest = 0;
+ break;
+ case 'r':
+ do_rtest = 0;
+ break;
+ case 's':
+ do_stest = 0;
+ break;
+ case 'x':
+ do_xtest = 0;
+ break;
+ case 'v':
+ verbose = 1;
+ break;
+ case 'A':
+ do_atest = 1;
+ break;
+ case 'C':
+ do_ctest = 1;
+ break;
#if 0
- case 'E':
- do_etest = 1;
- break;
+ case 'E':
+ do_etest = 1;
+ break;
#endif
- case 'K':
- do_ktest = 1;
- break;
- case 'P':
- do_ptest = 1;
- break;
- case 'R':
- do_rtest = 1;
- break;
- case 'S':
- do_stest = 1;
- break;
- case 'X':
- do_xtest = 1;
- break;
- default:
- fprintf(stderr,
- "%s: usage is %s [-acekprsxvACEKPRSX]\n",
- argv[0], argv[0]);
- exit(1);
- break;
- }
+ case 'K':
+ do_ktest = 1;
+ break;
+ case 'P':
+ do_ptest = 1;
+ break;
+ case 'R':
+ do_rtest = 1;
+ break;
+ case 'S':
+ do_stest = 1;
+ break;
+ case 'X':
+ do_xtest = 1;
+ break;
+ default:
+ fprintf(stderr,
+ "%s: usage is %s [-acekprsxvACEKPRSX]\n",
+ argv[0], argv[0]);
+ exit(1);
+ break;
+ }
}
if ((kret = krb5_init_context(&kcontext))) {
- com_err(argv[0], kret, "while initializing krb5");
- exit(1);
+ com_err(argv[0], kret, "while initializing krb5");
+ exit(1);
}
-
+
if (do_xtest) {
- ch_err = 'x';
- kret = ser_kcontext_test(kcontext, verbose);
- if (kret)
- goto fail;
+ ch_err = 'x';
+ kret = ser_kcontext_test(kcontext, verbose);
+ if (kret)
+ goto fail;
}
if (do_atest) {
- ch_err = 'a';
- kret = ser_acontext_test(kcontext, verbose);
- if (kret)
- goto fail;
+ ch_err = 'a';
+ kret = ser_acontext_test(kcontext, verbose);
+ if (kret)
+ goto fail;
}
if (do_ctest) {
- ch_err = 'c';
- kret = ser_ccache_test(kcontext, verbose);
- if (kret)
- goto fail;
+ ch_err = 'c';
+ kret = ser_ccache_test(kcontext, verbose);
+ if (kret)
+ goto fail;
}
if (do_ktest) {
- ch_err = 'k';
- kret = ser_keytab_test(kcontext, verbose);
- if (kret)
- goto fail;
+ ch_err = 'k';
+ kret = ser_keytab_test(kcontext, verbose);
+ if (kret)
+ goto fail;
}
if (do_rtest) {
- ch_err = 'r';
- kret = ser_rcache_test(kcontext, verbose);
- if (kret)
- goto fail;
+ ch_err = 'r';
+ kret = ser_rcache_test(kcontext, verbose);
+ if (kret)
+ goto fail;
}
#if 0 /* code to be tested is currently disabled */
if (do_etest) {
- ch_err = 'e';
- kret = ser_eblock_test(kcontext, verbose);
- if (kret)
- goto fail;
+ ch_err = 'e';
+ kret = ser_eblock_test(kcontext, verbose);
+ if (kret)
+ goto fail;
}
#endif
if (do_ptest) {
- ch_err = 'p';
- kret = ser_princ_test(kcontext, verbose);
- if (kret)
- goto fail;
+ ch_err = 'p';
+ kret = ser_princ_test(kcontext, verbose);
+ if (kret)
+ goto fail;
}
if (do_stest) {
- ch_err = 's';
- kret = ser_cksum_test(kcontext, verbose);
- if (kret)
- goto fail;
+ ch_err = 's';
+ kret = ser_cksum_test(kcontext, verbose);
+ if (kret)
+ goto fail;
}
krb5_free_context(kcontext);
-
+
exit(0);
fail:
com_err(argv[0], kret, "--- test %cfailed", ch_err);
diff --git a/src/lib/krb5/krb/t_walk_rtree.c b/src/lib/krb5/krb/t_walk_rtree.c
index 4661186676..09e71af0fe 100644
--- a/src/lib/krb5/krb/t_walk_rtree.c
+++ b/src/lib/krb5/krb/t_walk_rtree.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* t_walk_rtree.c --- test krb5_walk_realm_tree
*/
@@ -9,50 +10,49 @@
int
main(int argc, char **argv)
{
- krb5_data client, server;
- char realm_branch_char = '.';
- krb5_principal *tree, *p;
- char *name;
- krb5_error_code retval;
- krb5_context context;
-
- krb5_init_context(&context);
-
- if (argc < 3 || argc > 4) {
- fprintf(stderr,
- "Usage: %s client-realm server-realm [sep_char]\n",
- argv[0]);
- exit(99);
- }
- client.data = argv[1];
- client.length = strlen(client.data);
-
- server.data = argv[2];
- server.length = strlen(server.data);
-
- if (argc == 4)
- realm_branch_char = argv[3][0];
-
- retval = krb5_walk_realm_tree(context, &client, &server, &tree,
- realm_branch_char);
- if (retval) {
- com_err("krb5_walk_realm_tree", retval, " ");
- exit(1);
- }
-
- for (p = tree; *p; p++) {
- retval = krb5_unparse_name(context, *p, &name);
- if (retval) {
- com_err("krb5_unprase_name", retval, " ");
- exit(2);
- }
- printf("%s\n", name);
- free(name);
- }
-
- krb5_free_realm_tree(context, tree);
- krb5_free_context(context);
-
- exit(0);
+ krb5_data client, server;
+ char realm_branch_char = '.';
+ krb5_principal *tree, *p;
+ char *name;
+ krb5_error_code retval;
+ krb5_context context;
+
+ krb5_init_context(&context);
+
+ if (argc < 3 || argc > 4) {
+ fprintf(stderr,
+ "Usage: %s client-realm server-realm [sep_char]\n",
+ argv[0]);
+ exit(99);
+ }
+ client.data = argv[1];
+ client.length = strlen(client.data);
+
+ server.data = argv[2];
+ server.length = strlen(server.data);
+
+ if (argc == 4)
+ realm_branch_char = argv[3][0];
+
+ retval = krb5_walk_realm_tree(context, &client, &server, &tree,
+ realm_branch_char);
+ if (retval) {
+ com_err("krb5_walk_realm_tree", retval, " ");
+ exit(1);
+ }
+
+ for (p = tree; *p; p++) {
+ retval = krb5_unparse_name(context, *p, &name);
+ if (retval) {
+ com_err("krb5_unprase_name", retval, " ");
+ exit(2);
+ }
+ printf("%s\n", name);
+ free(name);
+ }
+
+ krb5_free_realm_tree(context, tree);
+ krb5_free_context(context);
+
+ exit(0);
}
-
diff --git a/src/lib/krb5/krb/tgtname.c b/src/lib/krb5/krb/tgtname.c
index 4ca2416233..cfd01cb0aa 100644
--- a/src/lib/krb5/krb/tgtname.c
+++ b/src/lib/krb5/krb/tgtname.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/tgtname.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_tgtname()
*/
@@ -36,7 +37,7 @@ krb5_error_code
krb5_tgtname(krb5_context context, const krb5_data *server, const krb5_data *client, krb5_principal *tgtprinc)
{
return krb5_build_principal_ext(context, tgtprinc, client->length, client->data,
- KRB5_TGS_NAME_SIZE, KRB5_TGS_NAME,
- server->length, server->data,
- 0);
+ KRB5_TGS_NAME_SIZE, KRB5_TGS_NAME,
+ server->length, server->data,
+ 0);
}
diff --git a/src/lib/krb5/krb/unparse.c b/src/lib/krb5/krb/unparse.c
index ec0976fb22..cb3624295b 100644
--- a/src/lib/krb5/krb/unparse.c
+++ b/src/lib/krb5/krb/unparse.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/unparse.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_unparse_name() routine
*
@@ -37,8 +38,8 @@
/*
* converts the multi-part principal format used in the protocols to a
- * single-string representation of the name.
- *
+ * single-string representation of the name.
+ *
* The name returned is in allocated storage and should be freed by
* the caller when finished.
*
@@ -48,14 +49,14 @@
* backslash encoding. ("\/", "\@", or '\0', respectively)
*
* returns error
- * KRB_PARSE_MALFORMED principal is invalid (does not contain
- * at least 2 components)
+ * KRB_PARSE_MALFORMED principal is invalid (does not contain
+ * at least 2 components)
* also returns system errors
- * ENOMEM unable to allocate memory for string
+ * ENOMEM unable to allocate memory for string
*/
-#define REALM_SEP '@'
-#define COMPONENT_SEP '/'
+#define REALM_SEP '@'
+#define COMPONENT_SEP '/'
static int
component_length_quoted(const krb5_data *src, int flags)
@@ -66,15 +67,15 @@ component_length_quoted(const krb5_data *src, int flags)
int size = length;
if ((flags & KRB5_PRINCIPAL_UNPARSE_DISPLAY) == 0) {
- int no_realm = (flags & KRB5_PRINCIPAL_UNPARSE_NO_REALM) &&
- !(flags & KRB5_PRINCIPAL_UNPARSE_SHORT);
-
- for (j = 0; j < length; j++,cp++)
- if ((!no_realm && *cp == REALM_SEP) ||
- *cp == COMPONENT_SEP ||
- *cp == '\0' || *cp == '\\' || *cp == '\t' ||
- *cp == '\n' || *cp == '\b')
- size++;
+ int no_realm = (flags & KRB5_PRINCIPAL_UNPARSE_NO_REALM) &&
+ !(flags & KRB5_PRINCIPAL_UNPARSE_SHORT);
+
+ for (j = 0; j < length; j++,cp++)
+ if ((!no_realm && *cp == REALM_SEP) ||
+ *cp == COMPONENT_SEP ||
+ *cp == '\0' || *cp == '\\' || *cp == '\t' ||
+ *cp == '\n' || *cp == '\b')
+ size++;
}
return size;
@@ -89,181 +90,180 @@ copy_component_quoting(char *dest, const krb5_data *src, int flags)
int length = src->length;
if (flags & KRB5_PRINCIPAL_UNPARSE_DISPLAY) {
- memcpy(dest, src->data, src->length);
- return src->length;
+ memcpy(dest, src->data, src->length);
+ return src->length;
}
for (j=0; j < length; j++,cp++) {
- int no_realm = (flags & KRB5_PRINCIPAL_UNPARSE_NO_REALM) &&
- !(flags & KRB5_PRINCIPAL_UNPARSE_SHORT);
-
- switch (*cp) {
- case REALM_SEP:
- if (no_realm) {
- *q++ = *cp;
- break;
- }
- case COMPONENT_SEP:
- case '\\':
- *q++ = '\\';
- *q++ = *cp;
- break;
- case '\t':
- *q++ = '\\';
- *q++ = 't';
- break;
- case '\n':
- *q++ = '\\';
- *q++ = 'n';
- break;
- case '\b':
- *q++ = '\\';
- *q++ = 'b';
- break;
+ int no_realm = (flags & KRB5_PRINCIPAL_UNPARSE_NO_REALM) &&
+ !(flags & KRB5_PRINCIPAL_UNPARSE_SHORT);
+
+ switch (*cp) {
+ case REALM_SEP:
+ if (no_realm) {
+ *q++ = *cp;
+ break;
+ }
+ case COMPONENT_SEP:
+ case '\\':
+ *q++ = '\\';
+ *q++ = *cp;
+ break;
+ case '\t':
+ *q++ = '\\';
+ *q++ = 't';
+ break;
+ case '\n':
+ *q++ = '\\';
+ *q++ = 'n';
+ break;
+ case '\b':
+ *q++ = '\\';
+ *q++ = 'b';
+ break;
#if 0
- /* Heimdal escapes spaces in principal names upon unparsing */
- case ' ':
- *q++ = '\\';
- *q++ = ' ';
- break;
+ /* Heimdal escapes spaces in principal names upon unparsing */
+ case ' ':
+ *q++ = '\\';
+ *q++ = ' ';
+ break;
#endif
- case '\0':
- *q++ = '\\';
- *q++ = '0';
- break;
- default:
- *q++ = *cp;
- }
+ case '\0':
+ *q++ = '\\';
+ *q++ = '0';
+ break;
+ default:
+ *q++ = *cp;
+ }
}
return q - dest;
}
static krb5_error_code
k5_unparse_name(krb5_context context, krb5_const_principal principal,
- int flags, char **name, unsigned int *size)
+ int flags, char **name, unsigned int *size)
{
- char *cp, *q;
- int i;
- int length;
- krb5_int32 nelem;
- unsigned int totalsize = 0;
- char *default_realm = NULL;
- krb5_error_code ret = 0;
-
- if (!principal || !name)
- return KRB5_PARSE_MALFORMED;
-
- if (flags & KRB5_PRINCIPAL_UNPARSE_SHORT) {
- /* omit realm if local realm */
- krb5_principal_data p;
-
- ret = krb5_get_default_realm(context, &default_realm);
- if (ret != 0)
- goto cleanup;
-
- krb5_princ_realm(context, &p)->length = strlen(default_realm);
- krb5_princ_realm(context, &p)->data = default_realm;
-
- if (krb5_realm_compare(context, &p, principal))
- flags |= KRB5_PRINCIPAL_UNPARSE_NO_REALM;
- }
-
- if ((flags & KRB5_PRINCIPAL_UNPARSE_NO_REALM) == 0) {
- totalsize += component_length_quoted(krb5_princ_realm(context,
- principal),
- flags);
- totalsize++; /* This is for the separator */
- }
-
- nelem = krb5_princ_size(context, principal);
- for (i = 0; i < (int) nelem; i++) {
- cp = krb5_princ_component(context, principal, i)->data;
- totalsize += component_length_quoted(krb5_princ_component(context, principal, i), flags);
- totalsize++; /* This is for the separator */
- }
- if (nelem == 0)
- totalsize++;
-
- /*
- * Allocate space for the ascii string; if space has been
- * provided, use it, realloc'ing it if necessary.
- *
- * We need only n-1 seperators for n components, but we need
- * an extra byte for the NUL at the end.
- */
- if (size) {
- if (*name && (*size < totalsize)) {
- *name = realloc(*name, totalsize);
- } else {
- *name = malloc(totalsize);
- }
- *size = totalsize;
+ char *cp, *q;
+ int i;
+ int length;
+ krb5_int32 nelem;
+ unsigned int totalsize = 0;
+ char *default_realm = NULL;
+ krb5_error_code ret = 0;
+
+ if (!principal || !name)
+ return KRB5_PARSE_MALFORMED;
+
+ if (flags & KRB5_PRINCIPAL_UNPARSE_SHORT) {
+ /* omit realm if local realm */
+ krb5_principal_data p;
+
+ ret = krb5_get_default_realm(context, &default_realm);
+ if (ret != 0)
+ goto cleanup;
+
+ krb5_princ_realm(context, &p)->length = strlen(default_realm);
+ krb5_princ_realm(context, &p)->data = default_realm;
+
+ if (krb5_realm_compare(context, &p, principal))
+ flags |= KRB5_PRINCIPAL_UNPARSE_NO_REALM;
+ }
+
+ if ((flags & KRB5_PRINCIPAL_UNPARSE_NO_REALM) == 0) {
+ totalsize += component_length_quoted(krb5_princ_realm(context,
+ principal),
+ flags);
+ totalsize++; /* This is for the separator */
+ }
+
+ nelem = krb5_princ_size(context, principal);
+ for (i = 0; i < (int) nelem; i++) {
+ cp = krb5_princ_component(context, principal, i)->data;
+ totalsize += component_length_quoted(krb5_princ_component(context, principal, i), flags);
+ totalsize++; /* This is for the separator */
+ }
+ if (nelem == 0)
+ totalsize++;
+
+ /*
+ * Allocate space for the ascii string; if space has been
+ * provided, use it, realloc'ing it if necessary.
+ *
+ * We need only n-1 seperators for n components, but we need
+ * an extra byte for the NUL at the end.
+ */
+ if (size) {
+ if (*name && (*size < totalsize)) {
+ *name = realloc(*name, totalsize);
} else {
*name = malloc(totalsize);
}
+ *size = totalsize;
+ } else {
+ *name = malloc(totalsize);
+ }
- if (!*name) {
- ret = ENOMEM;
- goto cleanup;
- }
-
- q = *name;
-
- for (i = 0; i < (int) nelem; i++) {
- cp = krb5_princ_component(context, principal, i)->data;
- length = krb5_princ_component(context, principal, i)->length;
- q += copy_component_quoting(q,
- krb5_princ_component(context,
- principal,
- i),
- flags);
- *q++ = COMPONENT_SEP;
- }
-
- if (i > 0)
- q--; /* Back up last component separator */
- if ((flags & KRB5_PRINCIPAL_UNPARSE_NO_REALM) == 0) {
- *q++ = REALM_SEP;
- q += copy_component_quoting(q, krb5_princ_realm(context, principal), flags);
- }
- *q++ = '\0';
+ if (!*name) {
+ ret = ENOMEM;
+ goto cleanup;
+ }
+
+ q = *name;
+
+ for (i = 0; i < (int) nelem; i++) {
+ cp = krb5_princ_component(context, principal, i)->data;
+ length = krb5_princ_component(context, principal, i)->length;
+ q += copy_component_quoting(q,
+ krb5_princ_component(context,
+ principal,
+ i),
+ flags);
+ *q++ = COMPONENT_SEP;
+ }
+
+ if (i > 0)
+ q--; /* Back up last component separator */
+ if ((flags & KRB5_PRINCIPAL_UNPARSE_NO_REALM) == 0) {
+ *q++ = REALM_SEP;
+ q += copy_component_quoting(q, krb5_princ_realm(context, principal), flags);
+ }
+ *q++ = '\0';
cleanup:
- if (default_realm != NULL)
- krb5_free_default_realm(context, default_realm);
+ if (default_realm != NULL)
+ krb5_free_default_realm(context, default_realm);
- return ret;
+ return ret;
}
krb5_error_code KRB5_CALLCONV
krb5_unparse_name(krb5_context context, krb5_const_principal principal, register char **name)
{
if (name != NULL) /* name == NULL will return error from _ext */
- *name = NULL;
+ *name = NULL;
return k5_unparse_name(context, principal, 0, name, NULL);
}
krb5_error_code KRB5_CALLCONV
krb5_unparse_name_ext(krb5_context context, krb5_const_principal principal,
- char **name, unsigned int *size)
+ char **name, unsigned int *size)
{
return k5_unparse_name(context, principal, 0, name, size);
}
krb5_error_code KRB5_CALLCONV
krb5_unparse_name_flags(krb5_context context, krb5_const_principal principal,
- int flags, char **name)
+ int flags, char **name)
{
if (name != NULL)
- *name = NULL;
+ *name = NULL;
return k5_unparse_name(context, principal, flags, name, NULL);
}
krb5_error_code KRB5_CALLCONV
krb5_unparse_name_flags_ext(krb5_context context, krb5_const_principal principal,
- int flags, char **name, unsigned int *size)
+ int flags, char **name, unsigned int *size)
{
return k5_unparse_name(context, principal, flags, name, size);
}
-
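Review bot: In k5_unparse_name, the `if (size)` allocation block only reuses the caller's buffer when it is too small: when `*name` is non-NULL and `*size >= totalsize`, control falls into the `else` arm and `*name = malloc(totalsize)` overwrites the caller's pointer, so the supplied buffer is leaked instead of reused. The `realloc` arm has the related problem that `*name = realloc(*name, totalsize)` drops the original buffer when realloc fails. The rewrite below reuses an adequate buffer, keeps the old pointer on failure, and updates `*size` only when the capacity actually changes. The locals `cp` and `length` are assigned in both component loops but never read in this hunk and could be removed at the same time.

```c
/* … unchanged: totalsize computation … */
if (size != NULL && *name != NULL) {
    /* Caller supplied a buffer: grow it only when it is too small. */
    if (*size < totalsize) {
        char *grown = realloc(*name, totalsize);

        if (grown == NULL) {
            ret = ENOMEM;   /* *name still points at the caller's buffer */
            goto cleanup;
        }
        *name = grown;
        *size = totalsize;
    }
} else {
    *name = malloc(totalsize);
    if (size != NULL)
        *size = totalsize;
}
/* … unchanged: NULL check on *name, component copy loops … */
```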
diff --git a/src/lib/krb5/krb/valid_times.c b/src/lib/krb5/krb/valid_times.c
index febbc369ff..72304efd7b 100644
--- a/src/lib/krb5/krb/valid_times.c
+++ b/src/lib/krb5/krb/valid_times.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/valid_times.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_validate_times()
*/
@@ -37,26 +38,23 @@
krb5_error_code
krb5_validate_times(krb5_context context, krb5_ticket_times *times)
{
- krb5_timestamp currenttime, starttime;
- krb5_error_code retval;
+ krb5_timestamp currenttime, starttime;
+ krb5_error_code retval;
- if ((retval = krb5_timeofday(context, &currenttime)))
- return retval;
+ if ((retval = krb5_timeofday(context, &currenttime)))
+ return retval;
- /* if starttime is not in ticket, then treat it as authtime */
- if (times->starttime != 0)
- starttime = times->starttime;
- else
- starttime = times->authtime;
+ /* if starttime is not in ticket, then treat it as authtime */
+ if (times->starttime != 0)
+ starttime = times->starttime;
+ else
+ starttime = times->authtime;
- if (starttime - currenttime > context->clockskew)
- return KRB5KRB_AP_ERR_TKT_NYV; /* ticket not yet valid */
+ if (starttime - currenttime > context->clockskew)
+ return KRB5KRB_AP_ERR_TKT_NYV; /* ticket not yet valid */
- if ((currenttime - times->endtime) > context->clockskew)
- return KRB5KRB_AP_ERR_TKT_EXPIRED; /* ticket expired */
+ if ((currenttime - times->endtime) > context->clockskew)
+ return KRB5KRB_AP_ERR_TKT_EXPIRED; /* ticket expired */
- return 0;
+ return 0;
}
-
-
-
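Review bot: Both skew checks in krb5_validate_times subtract two timestamps before comparing, and if krb5_timestamp is a signed 32-bit type (its declaration is not in this hunk) an extreme `starttime` or `endtime` taken from the ticket makes `starttime - currenttime` or `currenttime - times->endtime` overflow, which is undefined behaviour and can flip the result of a validity check. Doing the subtraction in a wider type avoids this, e.g. `if ((int64_t)currenttime - times->endtime > context->clockskew)` and likewise for the not-yet-valid test, using whichever 64-bit type the tree already provides. A short comment above the two comparisons stating that the ticket times are not range-checked before this point would help the next reader.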
diff --git a/src/lib/krb5/krb/vfy_increds.c b/src/lib/krb5/krb/vfy_increds.c
index 6f53f5728b..2b9beeb91f 100644
--- a/src/lib/krb5/krb/vfy_increds.c
+++ b/src/lib/krb5/krb/vfy_increds.c
@@ -1,232 +1,233 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
#include "k5-int.h"
#include "int-proto.h"
static krb5_error_code
krb5_cc_copy_creds_except(krb5_context context, krb5_ccache incc, krb5_ccache outcc, krb5_principal princ)
{
- krb5_error_code code;
- krb5_flags flags;
- krb5_cc_cursor cur;
- krb5_creds creds;
+ krb5_error_code code;
+ krb5_flags flags;
+ krb5_cc_cursor cur;
+ krb5_creds creds;
- flags = 0; /* turns off OPENCLOSE mode */
- if ((code = krb5_cc_set_flags(context, incc, flags)))
- return(code);
- if ((code = krb5_cc_set_flags(context, outcc, flags)))
- return(code);
+ flags = 0; /* turns off OPENCLOSE mode */
+ if ((code = krb5_cc_set_flags(context, incc, flags)))
+ return(code);
+ if ((code = krb5_cc_set_flags(context, outcc, flags)))
+ return(code);
- if ((code = krb5_cc_start_seq_get(context, incc, &cur)))
- goto cleanup;
+ if ((code = krb5_cc_start_seq_get(context, incc, &cur)))
+ goto cleanup;
- while (!(code = krb5_cc_next_cred(context, incc, &cur, &creds))) {
- if (krb5_principal_compare(context, princ, creds.server))
- continue;
+ while (!(code = krb5_cc_next_cred(context, incc, &cur, &creds))) {
+ if (krb5_principal_compare(context, princ, creds.server))
+ continue;
- code = krb5_cc_store_cred(context, outcc, &creds);
- krb5_free_cred_contents(context, &creds);
- if (code)
- goto cleanup;
- }
+ code = krb5_cc_store_cred(context, outcc, &creds);
+ krb5_free_cred_contents(context, &creds);
+ if (code)
+ goto cleanup;
+ }
- if (code != KRB5_CC_END)
- goto cleanup;
+ if (code != KRB5_CC_END)
+ goto cleanup;
- code = 0;
+ code = 0;
cleanup:
- flags = KRB5_TC_OPENCLOSE;
+ flags = KRB5_TC_OPENCLOSE;
- if (code)
- krb5_cc_set_flags(context, incc, flags);
- else
- code = krb5_cc_set_flags(context, incc, flags);
+ if (code)
+ krb5_cc_set_flags(context, incc, flags);
+ else
+ code = krb5_cc_set_flags(context, incc, flags);
- if (code)
- krb5_cc_set_flags(context, outcc, flags);
- else
- code = krb5_cc_set_flags(context, outcc, flags);
+ if (code)
+ krb5_cc_set_flags(context, outcc, flags);
+ else
+ code = krb5_cc_set_flags(context, outcc, flags);
- return(code);
+ return(code);
}
krb5_error_code KRB5_CALLCONV
krb5_verify_init_creds(krb5_context context,
- krb5_creds *creds,
- krb5_principal server_arg,
- krb5_keytab keytab_arg,
- krb5_ccache *ccache_arg,
- krb5_verify_init_creds_opt *options)
+ krb5_creds *creds,
+ krb5_principal server_arg,
+ krb5_keytab keytab_arg,
+ krb5_ccache *ccache_arg,
+ krb5_verify_init_creds_opt *options)
{
- krb5_error_code ret;
- krb5_principal server;
- krb5_keytab keytab;
- krb5_ccache ccache;
- krb5_keytab_entry kte;
- krb5_creds in_creds, *out_creds;
- krb5_auth_context authcon;
- krb5_data ap_req;
-
- /* KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN */
-
- server = NULL;
- keytab = NULL;
- ccache = NULL;
- out_creds = NULL;
- authcon = NULL;
- ap_req.data = NULL;
-
- if (server_arg) {
- ret = krb5_copy_principal(context, server_arg, &server);
- if (ret)
- goto cleanup;
- } else {
- if ((ret = krb5_sname_to_principal(context, NULL, NULL,
- KRB5_NT_SRV_HST, &server)))
- goto cleanup;
- }
-
- /* first, check if the server is in the keytab. If not, there's
- no reason to continue. rd_req does all this, but there's
- no way to know that a given error is caused by a missing
- keytab or key, and not by some other problem. */
-
- if (keytab_arg) {
- keytab = keytab_arg;
- } else {
- if ((ret = krb5_kt_default(context, &keytab)))
- goto cleanup;
- }
- if (krb5_is_referral_realm(&server->realm)) {
- krb5_free_data_contents(context, &server->realm);
- ret = krb5_get_default_realm(context, &server->realm.data);
- if (ret) goto cleanup;
- server->realm.length = strlen(server->realm.data);
- }
-
- if ((ret = krb5_kt_get_entry(context, keytab, server, 0, 0, &kte))) {
- /* this means there is no keying material. This is ok, as long as
- it is not prohibited by the configuration */
-
- int nofail;
-
- if (options &&
- (options->flags & KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL)) {
- if (options->ap_req_nofail)
- goto cleanup;
- } else if (krb5_libdefault_boolean(context,
- &creds->client->realm,
- KRB5_CONF_VERIFY_AP_REQ_NOFAIL,
- &nofail)
- == 0) {
- if (nofail)
- goto cleanup;
- }
-
- ret = 0;
- goto cleanup;
- }
-
- krb5_kt_free_entry(context, &kte);
-
- /* If the creds are for the server principal, we're set, just do
- a mk_req. Otherwise, do a get_credentials first. */
-
- if (krb5_principal_compare(context, server, creds->server)) {
- /* make an ap_req */
- if ((ret = krb5_mk_req_extended(context, &authcon, 0, NULL, creds,
- &ap_req)))
- goto cleanup;
- } else {
- /* this is unclean, but it's the easiest way without ripping the
- library into very small pieces. store the client's initial cred
- in a memory ccache, then call the library. Later, we'll copy
- everything except the initial cred into the ccache we return to
- the user. A clean implementation would involve library
- internals with a coherent idea of "in" and "out". */
-
- /* insert the initial cred into the ccache */
-
- if ((ret = krb5_cc_new_unique(context, "MEMORY", NULL, &ccache))) {
- ccache = NULL;
- goto cleanup;
- }
-
- if ((ret = krb5_cc_initialize(context, ccache, creds->client)))
- goto cleanup;
-
- if ((ret = krb5_cc_store_cred(context, ccache, creds)))
- goto cleanup;
-
- /* set up for get_creds */
- memset(&in_creds, 0, sizeof(in_creds));
- in_creds.client = creds->client;
- in_creds.server = server;
- if ((ret = krb5_timeofday(context, &in_creds.times.endtime)))
- goto cleanup;
- in_creds.times.endtime += 5*60;
-
- if ((ret = krb5_get_credentials(context, 0, ccache, &in_creds,
- &out_creds)))
- goto cleanup;
-
- /* make an ap_req */
- if ((ret = krb5_mk_req_extended(context, &authcon, 0, NULL, out_creds,
- &ap_req)))
- goto cleanup;
- }
-
- /* wipe the auth context for mk_req */
- if (authcon) {
- krb5_auth_con_free(context, authcon);
- authcon = NULL;
- }
-
- /* verify the ap_req */
-
- if ((ret = krb5_rd_req(context, &authcon, &ap_req, server, keytab,
- NULL, NULL)))
- goto cleanup;
-
- /* if we get this far, then the verification succeeded. We can
- still fail if the library stuff here fails, but that's it */
-
- if (ccache_arg && ccache) {
- if (*ccache_arg == NULL) {
- krb5_ccache retcc;
-
- retcc = NULL;
-
- if ((ret = krb5_cc_resolve(context, "MEMORY:rd_req2", &retcc)) ||
- (ret = krb5_cc_initialize(context, retcc, creds->client)) ||
- (ret = krb5_cc_copy_creds_except(context, ccache, retcc,
- creds->server))) {
- if (retcc)
- krb5_cc_destroy(context, retcc);
- } else {
- *ccache_arg = retcc;
- }
- } else {
- ret = krb5_cc_copy_creds_except(context, ccache, *ccache_arg,
- server);
- }
- }
-
- /* if any of the above paths returned an errors, then ret is set
- accordingly. either that, or it's zero, which is fine, too */
+ krb5_error_code ret;
+ krb5_principal server;
+ krb5_keytab keytab;
+ krb5_ccache ccache;
+ krb5_keytab_entry kte;
+ krb5_creds in_creds, *out_creds;
+ krb5_auth_context authcon;
+ krb5_data ap_req;
+
+ /* KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN */
+
+ server = NULL;
+ keytab = NULL;
+ ccache = NULL;
+ out_creds = NULL;
+ authcon = NULL;
+ ap_req.data = NULL;
+
+ if (server_arg) {
+ ret = krb5_copy_principal(context, server_arg, &server);
+ if (ret)
+ goto cleanup;
+ } else {
+ if ((ret = krb5_sname_to_principal(context, NULL, NULL,
+ KRB5_NT_SRV_HST, &server)))
+ goto cleanup;
+ }
+
+ /* first, check if the server is in the keytab. If not, there's
+ no reason to continue. rd_req does all this, but there's
+ no way to know that a given error is caused by a missing
+ keytab or key, and not by some other problem. */
+
+ if (keytab_arg) {
+ keytab = keytab_arg;
+ } else {
+ if ((ret = krb5_kt_default(context, &keytab)))
+ goto cleanup;
+ }
+ if (krb5_is_referral_realm(&server->realm)) {
+ krb5_free_data_contents(context, &server->realm);
+ ret = krb5_get_default_realm(context, &server->realm.data);
+ if (ret) goto cleanup;
+ server->realm.length = strlen(server->realm.data);
+ }
+
+ if ((ret = krb5_kt_get_entry(context, keytab, server, 0, 0, &kte))) {
+ /* this means there is no keying material. This is ok, as long as
+ it is not prohibited by the configuration */
+
+ int nofail;
+
+ if (options &&
+ (options->flags & KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL)) {
+ if (options->ap_req_nofail)
+ goto cleanup;
+ } else if (krb5_libdefault_boolean(context,
+ &creds->client->realm,
+ KRB5_CONF_VERIFY_AP_REQ_NOFAIL,
+ &nofail)
+ == 0) {
+ if (nofail)
+ goto cleanup;
+ }
+
+ ret = 0;
+ goto cleanup;
+ }
+
+ krb5_kt_free_entry(context, &kte);
+
+ /* If the creds are for the server principal, we're set, just do
+ a mk_req. Otherwise, do a get_credentials first. */
+
+ if (krb5_principal_compare(context, server, creds->server)) {
+ /* make an ap_req */
+ if ((ret = krb5_mk_req_extended(context, &authcon, 0, NULL, creds,
+ &ap_req)))
+ goto cleanup;
+ } else {
+ /* this is unclean, but it's the easiest way without ripping the
+ library into very small pieces. store the client's initial cred
+ in a memory ccache, then call the library. Later, we'll copy
+ everything except the initial cred into the ccache we return to
+ the user. A clean implementation would involve library
+ internals with a coherent idea of "in" and "out". */
+
+ /* insert the initial cred into the ccache */
+
+ if ((ret = krb5_cc_new_unique(context, "MEMORY", NULL, &ccache))) {
+ ccache = NULL;
+ goto cleanup;
+ }
+
+ if ((ret = krb5_cc_initialize(context, ccache, creds->client)))
+ goto cleanup;
+
+ if ((ret = krb5_cc_store_cred(context, ccache, creds)))
+ goto cleanup;
+
+ /* set up for get_creds */
+ memset(&in_creds, 0, sizeof(in_creds));
+ in_creds.client = creds->client;
+ in_creds.server = server;
+ if ((ret = krb5_timeofday(context, &in_creds.times.endtime)))
+ goto cleanup;
+ in_creds.times.endtime += 5*60;
+
+ if ((ret = krb5_get_credentials(context, 0, ccache, &in_creds,
+ &out_creds)))
+ goto cleanup;
+
+ /* make an ap_req */
+ if ((ret = krb5_mk_req_extended(context, &authcon, 0, NULL, out_creds,
+ &ap_req)))
+ goto cleanup;
+ }
+
+ /* wipe the auth context for mk_req */
+ if (authcon) {
+ krb5_auth_con_free(context, authcon);
+ authcon = NULL;
+ }
+
+ /* verify the ap_req */
+
+ if ((ret = krb5_rd_req(context, &authcon, &ap_req, server, keytab,
+ NULL, NULL)))
+ goto cleanup;
+
+ /* if we get this far, then the verification succeeded. We can
+ still fail if the library stuff here fails, but that's it */
+
+ if (ccache_arg && ccache) {
+ if (*ccache_arg == NULL) {
+ krb5_ccache retcc;
+
+ retcc = NULL;
+
+ if ((ret = krb5_cc_resolve(context, "MEMORY:rd_req2", &retcc)) ||
+ (ret = krb5_cc_initialize(context, retcc, creds->client)) ||
+ (ret = krb5_cc_copy_creds_except(context, ccache, retcc,
+ creds->server))) {
+ if (retcc)
+ krb5_cc_destroy(context, retcc);
+ } else {
+ *ccache_arg = retcc;
+ }
+ } else {
+ ret = krb5_cc_copy_creds_except(context, ccache, *ccache_arg,
+ server);
+ }
+ }
+
+ /* if any of the above paths returned an errors, then ret is set
+ accordingly. either that, or it's zero, which is fine, too */
cleanup:
- if ( server)
- krb5_free_principal(context, server);
- if (!keytab_arg && keytab)
- krb5_kt_close(context, keytab);
- if (ccache)
- krb5_cc_destroy(context, ccache);
- if (out_creds)
- krb5_free_creds(context, out_creds);
- if (authcon)
- krb5_auth_con_free(context, authcon);
- if (ap_req.data)
- free(ap_req.data);
-
- return(ret);
+ if ( server)
+ krb5_free_principal(context, server);
+ if (!keytab_arg && keytab)
+ krb5_kt_close(context, keytab);
+ if (ccache)
+ krb5_cc_destroy(context, ccache);
+ if (out_creds)
+ krb5_free_creds(context, out_creds);
+ if (authcon)
+ krb5_auth_con_free(context, authcon);
+ if (ap_req.data)
+ free(ap_req.data);
+
+ return(ret);
}
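Review bot: In krb5_verify_init_creds, any failure of `krb5_kt_get_entry` ends in `ret = 0` unless ap_req_nofail is set through the options or the profile. That presumably covers an unreadable or damaged keytab as well as a missing key, so the credentials are reported as verified although no AP-REQ was ever checked against a local key. That fail-open default deserves a comment at the branch, e.g. `/* No usable key: the KDC reply is NOT verified here; callers that must resist a spoofed KDC have to set ap_req_nofail. */`, and it may be worth tolerating only `KRB5_KT_NOTFOUND` rather than every error. Separately, in krb5_cc_copy_creds_except the `continue` taken for the excluded principal skips `krb5_free_cred_contents(context, &creds);`, so the contents of each skipped credential are leaked, and no `krb5_cc_end_seq_get` is visible for the cursor opened by `krb5_cc_start_seq_get`. The returned cache is also resolved under the fixed name `"MEMORY:rd_req2"` while the scratch cache above uses `krb5_cc_new_unique`, so two callers in one process would appear to reinitialize the same cache.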
diff --git a/src/lib/krb5/krb/vic_opt.c b/src/lib/krb5/krb/vic_opt.c
index acdf494061..dfe21e056b 100644
--- a/src/lib/krb5/krb/vic_opt.c
+++ b/src/lib/krb5/krb/vic_opt.c
@@ -1,14 +1,15 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
#include "k5-int.h"
void KRB5_CALLCONV
krb5_verify_init_creds_opt_init(krb5_verify_init_creds_opt *opt)
{
- opt->flags = 0;
+ opt->flags = 0;
}
void KRB5_CALLCONV
krb5_verify_init_creds_opt_set_ap_req_nofail(krb5_verify_init_creds_opt *opt, int ap_req_nofail)
{
- opt->flags |= KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL;
- opt->ap_req_nofail = ap_req_nofail;
+ opt->flags |= KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL;
+ opt->ap_req_nofail = ap_req_nofail;
}
diff --git a/src/lib/krb5/krb/walk_rtree.c b/src/lib/krb5/krb/walk_rtree.c
index a22f5864ac..d1be2270f5 100644
--- a/src/lib/krb5/krb/walk_rtree.c
+++ b/src/lib/krb5/krb/walk_rtree.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/walk_rtree.c
*
@@ -107,19 +108,19 @@ krb5_walk_realm_tree(
char **capvals;
if (client->data == NULL || server->data == NULL)
- return KRB5_NO_TKT_IN_RLM;
+ return KRB5_NO_TKT_IN_RLM;
if (client->length == server->length &&
- memcmp(client->data, server->data, server->length) == 0) {
- return KRB5_NO_TKT_IN_RLM;
+ memcmp(client->data, server->data, server->length) == 0) {
+ return KRB5_NO_TKT_IN_RLM;
}
retval = rtree_capath_vals(context, client, server, &capvals);
if (retval)
- return retval;
+ return retval;
if (capvals != NULL) {
- retval = rtree_capath_tree(context, client, server, capvals, tree);
- return retval;
+ retval = rtree_capath_tree(context, client, server, capvals, tree);
+ return retval;
}
retval = rtree_hier_tree(context, client, server, tree, realm_sep);
@@ -148,24 +149,24 @@ krb5_walk_realm_tree(
*
* [capaths]
* ANL.GOV = {
- * NERSC.GOV = ES.NET
- * PNL.GOV = ES.NET
- * ES.NET = .
- * HAL.COM = K5.MOON
- * HAL.COM = K5.JUPITER
+ * NERSC.GOV = ES.NET
+ * PNL.GOV = ES.NET
+ * ES.NET = .
+ * HAL.COM = K5.MOON
+ * HAL.COM = K5.JUPITER
* }
* NERSC.GOV = {
- * ANL.GOV = ES.NET
+ * ANL.GOV = ES.NET
* }
* PNL.GOV = {
- * ANL.GOV = ES.NET
+ * ANL.GOV = ES.NET
* }
* ES.NET = {
- * ANL.GOV = .
+ * ANL.GOV = .
* }
* HAL.COM = {
- * ANL.GOV = K5.JUPITER
- * ANL.GOV = K5.MOON
+ * ANL.GOV = K5.JUPITER
+ * ANL.GOV = K5.MOON
* }
*
* In the above a "." is used to mean directly connected since the
@@ -202,20 +203,20 @@ rtree_capath_tree(
*rettree = NULL;
tree = pprinc = NULL;
for (nvals = 0; vals[nvals] != NULL; nvals++)
- ;
+ ;
if (vals[0] != NULL && *vals[0] == '.') {
- nlinks = 0;
+ nlinks = 0;
} else {
- nlinks = nvals;
+ nlinks = nvals;
}
nprincs = nlinks + 2;
tree = calloc(nprincs + 1, sizeof(krb5_principal));
if (tree == NULL) {
- retval = ENOMEM;
- goto error;
+ retval = ENOMEM;
+ goto error;
}
for (i = 0; i < nprincs + 1; i++)
- tree[i] = NULL;
+ tree[i] = NULL;
/* Invariant: PPRINC points one past end of list. */
pprinc = &tree[0];
/* Local TGS name */
@@ -223,11 +224,11 @@ rtree_capath_tree(
if (retval) goto error;
srcrealm = *client;
for (i = 0; i < nlinks; i++) {
- dstrealm.data = vals[i];
- dstrealm.length = strcspn(vals[i], "\t ");
- retval = krb5_tgtname(context, &dstrealm, &srcrealm, pprinc++);
- if (retval) goto error;
- srcrealm = dstrealm;
+ dstrealm.data = vals[i];
+ dstrealm.length = strcspn(vals[i], "\t ");
+ retval = krb5_tgtname(context, &dstrealm, &srcrealm, pprinc++);
+ if (retval) goto error;
+ srcrealm = dstrealm;
}
retval = krb5_tgtname(context, server, &srcrealm, pprinc++);
if (retval) goto error;
@@ -236,12 +237,12 @@ rtree_capath_tree(
error:
profile_free_list(vals);
if (retval) {
- while (pprinc != NULL && pprinc > &tree[0]) {
- /* krb5_free_principal() correctly handles null input */
- krb5_free_principal(context, *--pprinc);
- *pprinc = NULL;
- }
- free(tree);
+ while (pprinc != NULL && pprinc > &tree[0]) {
+ /* krb5_free_principal() correctly handles null input */
+ krb5_free_principal(context, *--pprinc);
+ *pprinc = NULL;
+ }
+ free(tree);
}
return retval;
}
@@ -267,15 +268,15 @@ rtree_capath_vals(
clientz = calloc(client->length + 1, 1);
if (clientz == NULL) {
- retval = ENOMEM;
- goto error;
+ retval = ENOMEM;
+ goto error;
}
memcpy(clientz, client->data, client->length);
serverz = calloc(server->length + 1, 1);
if (serverz == NULL) {
- retval = ENOMEM;
- goto error;
+ retval = ENOMEM;
+ goto error;
}
memcpy(serverz, server->data, server->length);
@@ -287,13 +288,13 @@ rtree_capath_vals(
switch (retval) {
case PROF_NO_SECTION:
case PROF_NO_RELATION:
- /*
- * Not found; don't return an error.
- */
- retval = 0;
- break;
+ /*
+ * Not found; don't return an error.
+ */
+ retval = 0;
+ break;
default:
- break;
+ break;
}
error:
free(clientz);
@@ -320,31 +321,31 @@ rtree_hier_tree(
*rettree = NULL;
retval = rtree_hier_realms(context, client, server,
- &realms, &nrealms, sep);
+ &realms, &nrealms, sep);
if (retval)
- return retval;
+ return retval;
nprincs = nrealms;
pprinc = tree = calloc(nprincs + 1, sizeof(krb5_principal));
if (tree == NULL) {
- retval = ENOMEM;
- goto error;
+ retval = ENOMEM;
+ goto error;
}
for (i = 0; i < nrealms; i++)
- tree[i] = NULL;
+ tree[i] = NULL;
srcrealm = client;
for (i = 0; i < nrealms; i++) {
- dstrealm = &realms[i];
- retval = krb5_tgtname(context, dstrealm, srcrealm, pprinc++);
- if (retval) goto error;
- srcrealm = dstrealm;
+ dstrealm = &realms[i];
+ retval = krb5_tgtname(context, dstrealm, srcrealm, pprinc++);
+ if (retval) goto error;
+ srcrealm = dstrealm;
}
*rettree = tree;
free_realmlist(context, realms, nrealms);
return 0;
error:
while (pprinc != NULL && pprinc > tree) {
- krb5_free_principal(context, *--pprinc);
- *pprinc = NULL;
+ krb5_free_principal(context, *--pprinc);
+ *pprinc = NULL;
}
free_realmlist(context, realms, nrealms);
free(tree);
@@ -389,27 +390,27 @@ rtree_hier_realms(
rp = r = calloc(nctween + nstween, sizeof(krb5_data));
if (r == NULL) {
- retval = ENOMEM;
- goto error;
+ retval = ENOMEM;
+ goto error;
}
/* Copy client realm "tweens" forward. */
for (twp = ctweens; twp < &ctweens[nctween]; twp++) {
- retval = krb5int_copy_data_contents(context, twp, rp);
- if (retval) goto error;
- rp++;
+ retval = krb5int_copy_data_contents(context, twp, rp);
+ if (retval) goto error;
+ rp++;
}
/* Copy server realm "tweens" backward. */
for (twp = &stweens[nstween]; twp-- > stweens;) {
- retval = krb5int_copy_data_contents(context, twp, rp);
- if (retval) goto error;
- rp++;
+ retval = krb5int_copy_data_contents(context, twp, rp);
+ if (retval) goto error;
+ rp++;
}
error:
free(ctweens);
free(stweens);
if (retval) {
- free_realmlist(context, r, rp - r);
- return retval;
+ free_realmlist(context, r, rp - r);
+ return retval;
}
*realms = r;
*nrealms = rp - r;
@@ -425,7 +426,7 @@ free_realmlist(
size_t i;
for (i = 0; i < nrealms; i++)
- krb5_free_data_contents(context, &realms[i]);
+ krb5_free_data_contents(context, &realms[i]);
free(realms);
}
@@ -457,22 +458,22 @@ rtree_hier_tweens(
*ntweens = n = 0;
for (lp = p = r; p < &r[rlen]; p++) {
- if (*p != sep && &p[1] != &r[rlen])
- continue;
- if (lp == rtail && !dotail)
- break;
- ntws = realloc(tws, (n + 1) * sizeof(krb5_data));
- if (ntws == NULL) {
- free(tws);
- return ENOMEM;
- }
- tws = ntws;
- tws[n].data = lp;
- tws[n].length = &r[rlen] - lp;
- n++;
- if (lp == rtail)
- break;
- lp = &p[1];
+ if (*p != sep && &p[1] != &r[rlen])
+ continue;
+ if (lp == rtail && !dotail)
+ break;
+ ntws = realloc(tws, (n + 1) * sizeof(krb5_data));
+ if (ntws == NULL) {
+ free(tws);
+ return ENOMEM;
+ }
+ tws = ntws;
+ tws[n].data = lp;
+ tws[n].length = &r[rlen] - lp;
+ n++;
+ if (lp == rtail)
+ break;
+ lp = &p[1];
}
*tweens = tws;
*ntweens = n;
@@ -493,7 +494,7 @@ adjtail(struct hstate *c, struct hstate *s, int sep)
cp = c->tail;
sp = s->tail;
if (cp == NULL || sp == NULL)
- return;
+ return;
/*
* Is it a full component? Yes, if it's the beginning of the
* string or there's a separator to the left.
@@ -507,18 +508,18 @@ adjtail(struct hstate *c, struct hstate *s, int sep)
* If they're both full components, we're done.
*/
if (cfull && sfull) {
- return;
+ return;
} else if (c->dot != NULL && s->dot != NULL) {
- cp = c->dot + 1;
- sp = s->dot + 1;
- /*
- * Out of bounds? Can only happen if there are trailing dots.
- */
- if (cp >= &c->str[c->len] || sp >= &s->str[s->len]) {
- cp = sp = NULL;
- }
+ cp = c->dot + 1;
+ sp = s->dot + 1;
+ /*
+ * Out of bounds? Can only happen if there are trailing dots.
+ */
+ if (cp >= &c->str[c->len] || sp >= &s->str[s->len]) {
+ cp = sp = NULL;
+ }
} else {
- cp = sp = NULL;
+ cp = sp = NULL;
}
c->tail = cp;
s->tail = sp;
@@ -538,7 +539,7 @@ comtail(struct hstate *c, struct hstate *s, int sep)
char *cp, *sp, *cdot, *sdot;
if (c->len == 0 || s->len == 0)
- return;
+ return;
cdot = sdot = NULL;
/*
@@ -553,26 +554,26 @@ comtail(struct hstate *c, struct hstate *s, int sep)
* style realm), keep pointers to the latest pair.
*/
while (cp > c->str && sp > s->str) {
- if (*--cp != *--sp) {
- /*
- * Didn't match, so most recent match is one byte to the
- * right (or not at all).
- */
- cp++;
- sp++;
- break;
- }
- /*
- * Keep track of matching dots.
- */
- if (*cp == sep) {
- cdot = cp;
- sdot = sp;
- }
+ if (*--cp != *--sp) {
+ /*
+ * Didn't match, so most recent match is one byte to the
+ * right (or not at all).
+ */
+ cp++;
+ sp++;
+ break;
+ }
+ /*
+ * Keep track of matching dots.
+ */
+ if (*cp == sep) {
+ cdot = cp;
+ sdot = sp;
+ }
}
/* No match found at all. */
if (cp == &c->str[c->len])
- return;
+ return;
c->tail = cp;
s->tail = sp;
c->dot = cdot;
diff --git a/src/lib/krb5/krb5_libinit.c b/src/lib/krb5/krb5_libinit.c
index c154da81bc..1948b72685 100644
--- a/src/lib/krb5/krb5_libinit.c
+++ b/src/lib/krb5/krb5_libinit.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
#include <assert.h>
#include "autoconf.h"
@@ -41,18 +42,18 @@ int krb5int_lib_init(void)
err = krb5int_rc_finish_init();
if (err)
- return err;
+ return err;
#ifndef LEAN_CLIENT
err = krb5int_kt_initialize();
if (err)
- return err;
+ return err;
#endif /* LEAN_CLIENT */
err = krb5int_cc_initialize();
if (err)
- return err;
+ return err;
err = k5_mutex_finish_init(&krb5int_us_time_mutex);
if (err)
- return err;
+ return err;
return 0;
}
@@ -71,9 +72,9 @@ void krb5int_lib_fini(void)
{
if (!INITIALIZER_RAN(krb5int_lib_init) || PROGRAM_EXITING()) {
#ifdef SHOW_INITFINI_FUNCS
- printf("krb5int_lib_fini: skipping\n");
+ printf("krb5int_lib_fini: skipping\n");
#endif
- return;
+ return;
}
#ifdef SHOW_INITFINI_FUNCS
diff --git a/src/lib/krb5/krb5_libinit.h b/src/lib/krb5/krb5_libinit.h
index 11d7248fe6..ff8e5d6fd0 100644
--- a/src/lib/krb5/krb5_libinit.h
+++ b/src/lib/krb5/krb5_libinit.h
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
#ifndef KRB5_LIBINIT_H
#define KRB5_LIBINIT_H
diff --git a/src/lib/krb5/os/accessor.c b/src/lib/krb5/os/accessor.c
index a051736b58..20fb30d209 100644
--- a/src/lib/krb5/os/accessor.c
+++ b/src/lib/krb5/os/accessor.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/os/accessor.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,19 +23,19 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
-*/
+ *
+ */
#include "k5-int.h"
#include "os-proto.h"
/* If this trick gets used elsewhere, move it to k5-platform.h. */
#ifndef DESIGNATED_INITIALIZERS
-#define DESIGNATED_INITIALIZERS \
- /* ANSI/ISO C 1999 supports this... */ \
- (__STDC_VERSION__ >= 199901L \
- /* ...as does GCC, since version 2.something. */ \
- || (!defined __cplusplus && __GNUC__ >= 3))
+#define DESIGNATED_INITIALIZERS \
+ /* ANSI/ISO C 1999 supports this... */ \
+ (__STDC_VERSION__ >= 199901L \
+ /* ...as does GCC, since version 2.something. */ \
+ || (!defined __cplusplus && __GNUC__ >= 3))
#endif
krb5_error_code KRB5_CALLCONV
@@ -44,105 +45,105 @@ krb5int_accessor(krb5int_access *internals, krb5_int32 version)
#if DESIGNATED_INITIALIZERS
#define S(FIELD, VAL) .FIELD = VAL
#if defined __GNUC__ && __STDC_VERSION__ < 199901L
- __extension__
+ __extension__
#endif
- static const krb5int_access internals_temp = {
+ static const krb5int_access internals_temp = {
#else
#define S(FIELD, VAL) internals_temp.FIELD = VAL
- krb5int_access internals_temp;
+ krb5int_access internals_temp;
#endif
- S (free_addrlist, krb5int_free_addrlist),
- S (hmac, krb5int_hmac_keyblock),
- S (auth_con_get_subkey_enctype, krb5_auth_con_get_subkey_enctype),
- S (md5_hash_provider, &krb5int_hash_md5),
- S (arcfour_enc_provider, &krb5int_enc_arcfour),
- S (sendto_udp, &krb5int_sendto),
- S (add_host_to_list, krb5int_add_host_to_list),
+ S (free_addrlist, krb5int_free_addrlist),
+ S (hmac, krb5int_hmac_keyblock),
+ S (auth_con_get_subkey_enctype, krb5_auth_con_get_subkey_enctype),
+ S (md5_hash_provider, &krb5int_hash_md5),
+ S (arcfour_enc_provider, &krb5int_enc_arcfour),
+ S (sendto_udp, &krb5int_sendto),
+ S (add_host_to_list, krb5int_add_host_to_list),
#ifdef KRB5_DNS_LOOKUP
-#define SC(FIELD, VAL) S(FIELD, VAL)
+#define SC(FIELD, VAL) S(FIELD, VAL)
#else /* disable */
-#define SC(FIELD, VAL) S(FIELD, 0)
+#define SC(FIELD, VAL) S(FIELD, 0)
#endif
- SC (make_srv_query_realm, krb5int_make_srv_query_realm),
- SC (free_srv_dns_data, krb5int_free_srv_dns_data),
- SC (use_dns_kdc, _krb5_use_dns_kdc),
+ SC (make_srv_query_realm, krb5int_make_srv_query_realm),
+ SC (free_srv_dns_data, krb5int_free_srv_dns_data),
+ SC (use_dns_kdc, _krb5_use_dns_kdc),
#undef SC
- S (clean_hostname, krb5int_clean_hostname),
+ S (clean_hostname, krb5int_clean_hostname),
- S (mandatory_cksumtype, krb5int_c_mandatory_cksumtype),
+ S (mandatory_cksumtype, krb5int_c_mandatory_cksumtype),
#ifndef LEAN_CLIENT
-#define SC(FIELD, VAL) S(FIELD, VAL)
+#define SC(FIELD, VAL) S(FIELD, VAL)
#else /* disable */
-#define SC(FIELD, VAL) S(FIELD, 0)
+#define SC(FIELD, VAL) S(FIELD, 0)
#endif
- SC (ser_pack_int64, krb5_ser_pack_int64),
- SC (ser_unpack_int64, krb5_ser_unpack_int64),
+ SC (ser_pack_int64, krb5_ser_pack_int64),
+ SC (ser_unpack_int64, krb5_ser_unpack_int64),
#undef SC
#ifdef ENABLE_LDAP
-#define SC(FIELD, VAL) S(FIELD, VAL)
+#define SC(FIELD, VAL) S(FIELD, VAL)
#else
-#define SC(FIELD, VAL) S(FIELD, 0)
+#define SC(FIELD, VAL) S(FIELD, 0)
#endif
- SC (asn1_ldap_encode_sequence_of_keys, krb5int_ldap_encode_sequence_of_keys),
- SC (asn1_ldap_decode_sequence_of_keys, krb5int_ldap_decode_sequence_of_keys),
+ SC (asn1_ldap_encode_sequence_of_keys, krb5int_ldap_encode_sequence_of_keys),
+ SC (asn1_ldap_decode_sequence_of_keys, krb5int_ldap_decode_sequence_of_keys),
#undef SC
#ifndef DISABLE_PKINIT
-#define SC(FIELD, VAL) S(FIELD, VAL)
+#define SC(FIELD, VAL) S(FIELD, VAL)
#else /* disable */
-#define SC(FIELD, VAL) S(FIELD, 0)
+#define SC(FIELD, VAL) S(FIELD, 0)
#endif
- SC (encode_krb5_pa_pk_as_req, encode_krb5_pa_pk_as_req),
- SC (encode_krb5_pa_pk_as_req_draft9, encode_krb5_pa_pk_as_req_draft9),
+ SC (encode_krb5_pa_pk_as_req, encode_krb5_pa_pk_as_req),
+ SC (encode_krb5_pa_pk_as_req_draft9, encode_krb5_pa_pk_as_req_draft9),
SC (encode_krb5_pa_pk_as_rep, encode_krb5_pa_pk_as_rep),
- SC (encode_krb5_pa_pk_as_rep_draft9, encode_krb5_pa_pk_as_rep_draft9),
- SC (encode_krb5_auth_pack, encode_krb5_auth_pack),
- SC (encode_krb5_auth_pack_draft9, encode_krb5_auth_pack_draft9),
- SC (encode_krb5_kdc_dh_key_info, encode_krb5_kdc_dh_key_info),
- SC (encode_krb5_reply_key_pack, encode_krb5_reply_key_pack),
- SC (encode_krb5_reply_key_pack_draft9, encode_krb5_reply_key_pack_draft9),
- SC (encode_krb5_typed_data, encode_krb5_typed_data),
- SC (encode_krb5_td_trusted_certifiers, encode_krb5_td_trusted_certifiers),
- SC (encode_krb5_td_dh_parameters, encode_krb5_td_dh_parameters),
- SC (decode_krb5_pa_pk_as_req, decode_krb5_pa_pk_as_req),
- SC (decode_krb5_pa_pk_as_req_draft9, decode_krb5_pa_pk_as_req_draft9),
- SC (decode_krb5_pa_pk_as_rep, decode_krb5_pa_pk_as_rep),
- SC (decode_krb5_pa_pk_as_rep_draft9, decode_krb5_pa_pk_as_rep_draft9),
- SC (decode_krb5_auth_pack, decode_krb5_auth_pack),
- SC (decode_krb5_auth_pack_draft9, decode_krb5_auth_pack_draft9),
- SC (decode_krb5_kdc_dh_key_info, decode_krb5_kdc_dh_key_info),
- SC (decode_krb5_principal_name, decode_krb5_principal_name),
- SC (decode_krb5_reply_key_pack, decode_krb5_reply_key_pack),
- SC (decode_krb5_reply_key_pack_draft9, decode_krb5_reply_key_pack_draft9),
- SC (decode_krb5_typed_data, decode_krb5_typed_data),
- SC (decode_krb5_td_trusted_certifiers, decode_krb5_td_trusted_certifiers),
- SC (decode_krb5_td_dh_parameters, decode_krb5_td_dh_parameters),
- SC (decode_krb5_as_req, decode_krb5_as_req),
- SC (encode_krb5_kdc_req_body, encode_krb5_kdc_req_body),
- SC (free_kdc_req, krb5_free_kdc_req),
- SC (set_prompt_types, krb5int_set_prompt_types),
- SC (encode_krb5_authdata_elt, encode_krb5_authdata_elt),
+ SC (encode_krb5_pa_pk_as_rep_draft9, encode_krb5_pa_pk_as_rep_draft9),
+ SC (encode_krb5_auth_pack, encode_krb5_auth_pack),
+ SC (encode_krb5_auth_pack_draft9, encode_krb5_auth_pack_draft9),
+ SC (encode_krb5_kdc_dh_key_info, encode_krb5_kdc_dh_key_info),
+ SC (encode_krb5_reply_key_pack, encode_krb5_reply_key_pack),
+ SC (encode_krb5_reply_key_pack_draft9, encode_krb5_reply_key_pack_draft9),
+ SC (encode_krb5_typed_data, encode_krb5_typed_data),
+ SC (encode_krb5_td_trusted_certifiers, encode_krb5_td_trusted_certifiers),
+ SC (encode_krb5_td_dh_parameters, encode_krb5_td_dh_parameters),
+ SC (decode_krb5_pa_pk_as_req, decode_krb5_pa_pk_as_req),
+ SC (decode_krb5_pa_pk_as_req_draft9, decode_krb5_pa_pk_as_req_draft9),
+ SC (decode_krb5_pa_pk_as_rep, decode_krb5_pa_pk_as_rep),
+ SC (decode_krb5_pa_pk_as_rep_draft9, decode_krb5_pa_pk_as_rep_draft9),
+ SC (decode_krb5_auth_pack, decode_krb5_auth_pack),
+ SC (decode_krb5_auth_pack_draft9, decode_krb5_auth_pack_draft9),
+ SC (decode_krb5_kdc_dh_key_info, decode_krb5_kdc_dh_key_info),
+ SC (decode_krb5_principal_name, decode_krb5_principal_name),
+ SC (decode_krb5_reply_key_pack, decode_krb5_reply_key_pack),
+ SC (decode_krb5_reply_key_pack_draft9, decode_krb5_reply_key_pack_draft9),
+ SC (decode_krb5_typed_data, decode_krb5_typed_data),
+ SC (decode_krb5_td_trusted_certifiers, decode_krb5_td_trusted_certifiers),
+ SC (decode_krb5_td_dh_parameters, decode_krb5_td_dh_parameters),
+ SC (decode_krb5_as_req, decode_krb5_as_req),
+ SC (encode_krb5_kdc_req_body, encode_krb5_kdc_req_body),
+ SC (free_kdc_req, krb5_free_kdc_req),
+ SC (set_prompt_types, krb5int_set_prompt_types),
+ SC (encode_krb5_authdata_elt, encode_krb5_authdata_elt),
#undef SC
- S (encode_krb5_sam_response_2, encode_krb5_sam_response_2),
- S (encode_krb5_enc_sam_response_enc_2, encode_krb5_enc_sam_response_enc_2),
- S (encode_enc_ts, encode_krb5_pa_enc_ts),
- S (decode_enc_ts, decode_krb5_pa_enc_ts),
- S (encode_enc_data, encode_krb5_enc_data),
- S(decode_enc_data, decode_krb5_enc_data),
- S(free_enc_ts, krb5_free_pa_enc_ts),
- S(free_enc_data, krb5_free_enc_data),
- S(encrypt_helper, krb5_encrypt_helper),
+ S (encode_krb5_sam_response_2, encode_krb5_sam_response_2),
+ S (encode_krb5_enc_sam_response_enc_2, encode_krb5_enc_sam_response_enc_2),
+ S (encode_enc_ts, encode_krb5_pa_enc_ts),
+ S (decode_enc_ts, decode_krb5_pa_enc_ts),
+ S (encode_enc_data, encode_krb5_enc_data),
+ S(decode_enc_data, decode_krb5_enc_data),
+ S(free_enc_ts, krb5_free_pa_enc_ts),
+ S(free_enc_data, krb5_free_enc_data),
+ S(encrypt_helper, krb5_encrypt_helper),
#if DESIGNATED_INITIALIZERS
- };
+ };
#else
- 0;
+ 0;
#endif
- *internals = internals_temp;
- return 0;
+ *internals = internals_temp;
+ return 0;
}
return KRB5_OBSOLETE_FN;
}
diff --git a/src/lib/krb5/os/an_to_ln.c b/src/lib/krb5/os/an_to_ln.c
index 731b76b842..b5ec3a60cf 100644
--- a/src/lib/krb5/os/an_to_ln.c
+++ b/src/lib/krb5/os/an_to_ln.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/os/an_to_ln.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_aname_to_localname()
*/
@@ -35,29 +36,29 @@
#include "k5-int.h"
#include <ctype.h>
-#if HAVE_REGEX_H
+#if HAVE_REGEX_H
#include <regex.h>
-#endif /* HAVE_REGEX_H */
+#endif /* HAVE_REGEX_H */
#include <string.h>
/*
* Use compile(3) if no regcomp present.
*/
-#if !defined(HAVE_REGCOMP) && defined(HAVE_REGEXPR_H) && defined(HAVE_COMPILE)
-#define RE_BUF_SIZE 1024
+#if !defined(HAVE_REGCOMP) && defined(HAVE_REGEXPR_H) && defined(HAVE_COMPILE)
+#define RE_BUF_SIZE 1024
#include <regexpr.h>
-#endif /* !HAVE_REGCOMP && HAVE_REGEXP_H && HAVE_COMPILE */
+#endif /* !HAVE_REGCOMP && HAVE_REGEXP_H && HAVE_COMPILE */
-#define MAX_FORMAT_BUFFER ((size_t)1024)
-#ifndef min
-#define min(a,b) ((a>b) ? b : a)
-#endif /* min */
+#define MAX_FORMAT_BUFFER ((size_t)1024)
+#ifndef min
+#define min(a,b) ((a>b) ? b : a)
+#endif /* min */
#ifdef ANAME_DB
/*
* Use standard DBM code.
*/
-#define KDBM_OPEN(db, fl, mo) dbm_open(db, fl, mo)
-#define KDBM_CLOSE(db) dbm_close(db)
-#define KDBM_FETCH(db, key) dbm_fetch(db, key)
+#define KDBM_OPEN(db, fl, mo) dbm_open(db, fl, mo)
+#define KDBM_CLOSE(db) dbm_close(db)
+#define KDBM_FETCH(db, key) dbm_fetch(db, key)
#endif /*ANAME_DB*/
/*
@@ -66,21 +67,21 @@
static char *
aname_full_to_mapping_name(char *fprincname)
{
- char *atp;
- size_t mlen;
- char *mname;
+ char *atp;
+ size_t mlen;
+ char *mname;
mname = (char *) NULL;
if (fprincname) {
- atp = strrchr(fprincname, '@');
- if (!atp)
- atp = &fprincname[strlen(fprincname)];
- mlen = (size_t) (atp - fprincname);
-
- if ((mname = (char *) malloc(mlen+1))) {
- strncpy(mname, fprincname, mlen);
- mname[mlen] = '\0';
- }
+ atp = strrchr(fprincname, '@');
+ if (!atp)
+ atp = &fprincname[strlen(fprincname)];
+ mlen = (size_t) (atp - fprincname);
+
+ if ((mname = (char *) malloc(mlen+1))) {
+ strncpy(mname, fprincname, mlen);
+ mname[mlen] = '\0';
+ }
}
return(mname);
}
@@ -108,15 +109,15 @@ db_an_to_ln(context, dbname, aname, lnsize, lname)
char *princ_name;
if ((retval = krb5_unparse_name(context, aname, &princ_name)))
- return(retval);
+ return(retval);
key.dptr = princ_name;
- key.dsize = strlen(princ_name)+1; /* need to store the NULL for
- decoding */
+ key.dsize = strlen(princ_name)+1; /* need to store the NULL for
+ decoding */
db = KDBM_OPEN(dbname, O_RDONLY, 0600);
if (!db) {
- free(princ_name);
- return KRB5_LNAME_CANTOPEN;
+ free(princ_name);
+ return KRB5_LNAME_CANTOPEN;
}
contents = KDBM_FETCH(db, key);
@@ -124,30 +125,30 @@ db_an_to_ln(context, dbname, aname, lnsize, lname)
free(princ_name);
if (contents.dptr == NULL) {
- retval = KRB5_LNAME_NOTRANS;
+ retval = KRB5_LNAME_NOTRANS;
} else {
- strncpy(lname, contents.dptr, lnsize);
- if (lnsize < contents.dsize)
- retval = KRB5_CONFIG_NOTENUFSPACE;
- else if (lname[contents.dsize-1] != '\0')
- retval = KRB5_LNAME_BADFORMAT;
- else
- retval = 0;
+ strncpy(lname, contents.dptr, lnsize);
+ if (lnsize < contents.dsize)
+ retval = KRB5_CONFIG_NOTENUFSPACE;
+ else if (lname[contents.dsize-1] != '\0')
+ retval = KRB5_LNAME_BADFORMAT;
+ else
+ retval = 0;
}
/* can't close until we copy the contents. */
(void) KDBM_CLOSE(db);
return retval;
-#else /* !_WIN32 && !MACINTOSH */
+#else /* !_WIN32 && !MACINTOSH */
/*
* If we don't have support for a database mechanism, then we can't
* translate this now, can we?
*/
return KRB5_LNAME_NOTRANS;
-#endif /* !_WIN32 && !MACINTOSH */
+#endif /* !_WIN32 && !MACINTOSH */
}
#endif /*ANAME_DB*/
-#ifdef AN_TO_LN_RULES
+#ifdef AN_TO_LN_RULES
/*
* Format and transform a principal name to a local name. This is particularly
* useful when Kerberos principals and local user names are formatted to
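Review bot: In db_an_to_ln, `strncpy(lname, contents.dptr, lnsize)` is bounded by the caller's buffer size rather than by `contents.dsize`, so a stored record with no NUL inside its `dsize` bytes can be read past its end. A record with a zero `dsize` also makes the later `lname[contents.dsize-1]` test index before the buffer. Checking the size first and copying exactly the record avoids both: return `KRB5_LNAME_BADFORMAT` for a zero `dsize`, keep the `lnsize < contents.dsize` test ahead of the copy, then use `memcpy(lname, contents.dptr, contents.dsize);` before the terminator test. The function starts before this hunk, so the declarations of `contents` and `db` are not visible here.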
@@ -157,31 +158,31 @@ db_an_to_ln(context, dbname, aname, lnsize, lname)
* First part - formulate the string to perform operations on: If not present
* then the string defaults to the fully flattened principal minus the realm
* name. Otherwise the syntax is as follows:
- * "[" <ncomps> ":" <format> "]"
- * Where:
- * <ncomps> is the number of expected components for this
- * rule. If the particular principal does not have this
- * many components, then this rule does not apply.
+ * "[" <ncomps> ":" <format> "]"
+ * Where:
+ * <ncomps> is the number of expected components for this
+ * rule. If the particular principal does not have this
+ * many components, then this rule does not apply.
*
- * <format> is a string of <component> or verbatim
- * characters to be inserted.
+ * <format> is a string of <component> or verbatim
+ * characters to be inserted.
*
- * <component> is of the form "$"<number> to select the
- * <number>th component. <number> begins from 1.
+ * <component> is of the form "$"<number> to select the
+ * <number>th component. <number> begins from 1.
*
* Second part - select rule validity: If not present, then this rule may
* apply to all selections. Otherwise the syntax is as follows:
- * "(" <regexp> ")"
- * Where: <regexp> is a selector regular expression. If this
- * regular expression matches the whole pattern generated
- * from the first part, then this rule still applies.
+ * "(" <regexp> ")"
+ * Where: <regexp> is a selector regular expression. If this
+ * regular expression matches the whole pattern generated
+ * from the first part, then this rule still applies.
*
* Last part - Transform rule: If not present, then the selection string
* is passed verbatim and is matched. Otherwise, the syntax is as follows:
- * <rule> ...
- * Where: <rule> is of the form:
- * "s/" <regexp> "/" <text> "/" ["g"]
- *
+ * <rule> ...
+ * Where: <rule> is of the form:
+ * "s/" <regexp> "/" <text> "/" ["g"]
+ *
* In order to be able to select rule validity, the native system must support
* one of compile(3), re_comp(3) or regcomp(3). In order to be able to
* transform (e.g. substitute), the native system must support regcomp(3) or
@@ -189,208 +190,208 @@ db_an_to_ln(context, dbname, aname, lnsize, lname)
*/
/*
- * aname_do_match() - Does our name match the parenthesized regular
- * expression?
- *
+ * aname_do_match() - Does our name match the parenthesized regular
+ * expression?
+ *
* Chew up the match portion of the regular expression and update *contextp.
* If no re_comp() or regcomp(), then always return a match.
*/
static krb5_error_code
aname_do_match(char *string, char **contextp)
{
- krb5_error_code kret;
- char *regexp, *startp, *endp = 0;
- size_t regexlen;
-#if HAVE_REGCOMP
- regex_t match_exp;
- regmatch_t match_match;
-#elif HAVE_REGEXPR_H
- char regexp_buffer[RE_BUF_SIZE];
-#endif /* HAVE_REGEXP_H */
+ krb5_error_code kret;
+ char *regexp, *startp, *endp = 0;
+ size_t regexlen;
+#if HAVE_REGCOMP
+ regex_t match_exp;
+ regmatch_t match_match;
+#elif HAVE_REGEXPR_H
+ char regexp_buffer[RE_BUF_SIZE];
+#endif /* HAVE_REGEXP_H */
kret = 0;
/*
* Is this a match expression?
*/
if (**contextp == '(') {
- kret = KRB5_CONFIG_BADFORMAT;
- startp = (*contextp) + 1;
- endp = strchr(startp, ')');
- /* Find the end of the match expression. */
- if (endp) {
- regexlen = (size_t) (endp - startp);
- regexp = (char *) malloc((size_t) regexlen+1);
- kret = ENOMEM;
- if (regexp) {
- strncpy(regexp, startp, regexlen);
- regexp[regexlen] = '\0';
- kret = KRB5_LNAME_NOTRANS;
- /*
- * Perform the match.
- */
-#if HAVE_REGCOMP
- if (!regcomp(&match_exp, regexp, REG_EXTENDED) &&
- !regexec(&match_exp, string, 1, &match_match, 0)) {
- if ((match_match.rm_so == 0) &&
- (match_match.rm_eo == strlen(string)))
- kret = 0;
- }
- regfree(&match_exp);
-#elif HAVE_REGEXPR_H
- compile(regexp,
- regexp_buffer,
- &regexp_buffer[RE_BUF_SIZE]);
- if (step(string, regexp_buffer)) {
- if ((loc1 == string) &&
- (loc2 == &string[strlen(string)]))
- kret = 0;
- }
-#elif HAVE_RE_COMP
- if (!re_comp(regexp) && re_exec(string))
- kret = 0;
-#else /* HAVE_RE_COMP */
- kret = 0;
-#endif /* HAVE_RE_COMP */
- free(regexp);
- }
- endp++;
- }
- else
- endp = startp;
+ kret = KRB5_CONFIG_BADFORMAT;
+ startp = (*contextp) + 1;
+ endp = strchr(startp, ')');
+ /* Find the end of the match expression. */
+ if (endp) {
+ regexlen = (size_t) (endp - startp);
+ regexp = (char *) malloc((size_t) regexlen+1);
+ kret = ENOMEM;
+ if (regexp) {
+ strncpy(regexp, startp, regexlen);
+ regexp[regexlen] = '\0';
+ kret = KRB5_LNAME_NOTRANS;
+ /*
+ * Perform the match.
+ */
+#if HAVE_REGCOMP
+ if (!regcomp(&match_exp, regexp, REG_EXTENDED) &&
+ !regexec(&match_exp, string, 1, &match_match, 0)) {
+ if ((match_match.rm_so == 0) &&
+ (match_match.rm_eo == strlen(string)))
+ kret = 0;
+ }
+ regfree(&match_exp);
+#elif HAVE_REGEXPR_H
+ compile(regexp,
+ regexp_buffer,
+ &regexp_buffer[RE_BUF_SIZE]);
+ if (step(string, regexp_buffer)) {
+ if ((loc1 == string) &&
+ (loc2 == &string[strlen(string)]))
+ kret = 0;
+ }
+#elif HAVE_RE_COMP
+ if (!re_comp(regexp) && re_exec(string))
+ kret = 0;
+#else /* HAVE_RE_COMP */
+ kret = 0;
+#endif /* HAVE_RE_COMP */
+ free(regexp);
+ }
+ endp++;
+ }
+ else
+ endp = startp;
}
*contextp = endp;
return(kret);
}
/*
- * do_replacement() - Replace the regular expression with the specified
- * replacement.
+ * do_replacement() - Replace the regular expression with the specified
+ * replacement.
*
* If "doall" is set, it's a global replacement, otherwise, just a oneshot
* deal.
* If no regcomp() then just return the input string verbatim in the output
* string.
*/
-#define use_bytes(x) \
- out_used += (x); \
+#define use_bytes(x) \
+ out_used += (x); \
if (out_used > MAX_FORMAT_BUFFER) goto mem_err
static int
do_replacement(char *regexp, char *repl, int doall, char *in, char *out)
{
size_t out_used = 0;
-#if HAVE_REGCOMP
- regex_t match_exp;
- regmatch_t match_match;
- int matched;
- char *cp;
- char *op;
+#if HAVE_REGCOMP
+ regex_t match_exp;
+ regmatch_t match_match;
+ int matched;
+ char *cp;
+ char *op;
if (!regcomp(&match_exp, regexp, REG_EXTENDED)) {
- cp = in;
- op = out;
- matched = 0;
- do {
- if (!regexec(&match_exp, cp, 1, &match_match, 0)) {
- if (match_match.rm_so) {
- use_bytes(match_match.rm_so);
- strncpy(op, cp, match_match.rm_so);
- op += match_match.rm_so;
- }
- use_bytes(strlen(repl));
- strncpy(op, repl, MAX_FORMAT_BUFFER - 1 - (op - out));
- op += strlen(op);
- cp += match_match.rm_eo;
- if (!doall) {
- use_bytes(strlen(cp));
- strncpy(op, cp, MAX_FORMAT_BUFFER - 1 - (op - out));
- }
- matched = 1;
- }
- else {
- use_bytes(strlen(cp));
- strncpy(op, cp, MAX_FORMAT_BUFFER - 1 - (op - out));
- matched = 0;
- }
- } while (doall && matched);
- regfree(&match_exp);
+ cp = in;
+ op = out;
+ matched = 0;
+ do {
+ if (!regexec(&match_exp, cp, 1, &match_match, 0)) {
+ if (match_match.rm_so) {
+ use_bytes(match_match.rm_so);
+ strncpy(op, cp, match_match.rm_so);
+ op += match_match.rm_so;
+ }
+ use_bytes(strlen(repl));
+ strncpy(op, repl, MAX_FORMAT_BUFFER - 1 - (op - out));
+ op += strlen(op);
+ cp += match_match.rm_eo;
+ if (!doall) {
+ use_bytes(strlen(cp));
+ strncpy(op, cp, MAX_FORMAT_BUFFER - 1 - (op - out));
+ }
+ matched = 1;
+ }
+ else {
+ use_bytes(strlen(cp));
+ strncpy(op, cp, MAX_FORMAT_BUFFER - 1 - (op - out));
+ matched = 0;
+ }
+ } while (doall && matched);
+ regfree(&match_exp);
}
-#elif HAVE_REGEXPR_H
- int matched;
- char *cp;
- char *op;
- char regexp_buffer[RE_BUF_SIZE];
- size_t sdispl, edispl;
+#elif HAVE_REGEXPR_H
+ int matched;
+ char *cp;
+ char *op;
+ char regexp_buffer[RE_BUF_SIZE];
+ size_t sdispl, edispl;
compile(regexp,
- regexp_buffer,
- &regexp_buffer[RE_BUF_SIZE]);
+ regexp_buffer,
+ &regexp_buffer[RE_BUF_SIZE]);
cp = in;
op = out;
matched = 0;
do {
- if (step(cp, regexp_buffer)) {
- sdispl = (size_t) (loc1 - cp);
- edispl = (size_t) (loc2 - cp);
- if (sdispl) {
- use_bytes(sdispl);
- strncpy(op, cp, sdispl);
- op += sdispl;
- }
- use_bytes(strlen(repl));
- strncpy(op, repl, MAX_FORMAT_BUFFER - 1 - (op - out));
- op += strlen(repl);
- cp += edispl;
- if (!doall) {
- use_bytes(strlen(cp));
- strncpy(op, cp, MAX_FORMAT_BUFFER - 1 - (op - out));
- }
- matched = 1;
- }
- else {
- use_bytes(strlen(cp));
- strncpy(op, cp, MAX_FORMAT_BUFFER - 1 - (op - out));
- matched = 0;
- }
+ if (step(cp, regexp_buffer)) {
+ sdispl = (size_t) (loc1 - cp);
+ edispl = (size_t) (loc2 - cp);
+ if (sdispl) {
+ use_bytes(sdispl);
+ strncpy(op, cp, sdispl);
+ op += sdispl;
+ }
+ use_bytes(strlen(repl));
+ strncpy(op, repl, MAX_FORMAT_BUFFER - 1 - (op - out));
+ op += strlen(repl);
+ cp += edispl;
+ if (!doall) {
+ use_bytes(strlen(cp));
+ strncpy(op, cp, MAX_FORMAT_BUFFER - 1 - (op - out));
+ }
+ matched = 1;
+ }
+ else {
+ use_bytes(strlen(cp));
+ strncpy(op, cp, MAX_FORMAT_BUFFER - 1 - (op - out));
+ matched = 0;
+ }
} while (doall && matched);
-#else /* HAVE_REGEXP_H */
+#else /* HAVE_REGEXP_H */
memcpy(out, in, MAX_FORMAT_BUFFER);
-#endif /* HAVE_REGCOMP */
+#endif /* HAVE_REGCOMP */
return 1;
- mem_err:
+mem_err:
#ifdef HAVE_REGCMP
- regfree(&match_exp);
+ regfree(&match_exp);
#endif
- return 0;
-
+ return 0;
+
}
#undef use_bytes
/*
- * aname_replacer() - Perform the specified substitutions on the input
- * string and return the result.
+ * aname_replacer() - Perform the specified substitutions on the input
+ * string and return the result.
*
* This routine enforces the "s/<pattern>/<replacement>/[g]" syntax.
*/
static krb5_error_code
aname_replacer(char *string, char **contextp, char **result)
{
- krb5_error_code kret;
- char *in = NULL, *out = NULL, *rule = NULL, *repl = NULL;
- char *cp, *ep, *tp;
- size_t rule_size, repl_size;
- int doglobal;
+ krb5_error_code kret;
+ char *in = NULL, *out = NULL, *rule = NULL, *repl = NULL;
+ char *cp, *ep, *tp;
+ size_t rule_size, repl_size;
+ int doglobal;
*result = NULL;
/* Allocate the formatting buffers */
in = malloc(MAX_FORMAT_BUFFER);
if (!in)
- return ENOMEM;
+ return ENOMEM;
out = malloc(MAX_FORMAT_BUFFER);
if (!out) {
- kret = ENOMEM;
- goto cleanup;
+ kret = ENOMEM;
+ goto cleanup;
}
/*
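Review bot: The `mem_err:` cleanup in do_replacement is guarded by `#ifdef HAVE_REGCMP`, while every other regcomp test in this hunk uses `HAVE_REGCOMP`. This looks like a misspelling, and if so the compiled `match_exp` is never released when `use_bytes` jumps to `mem_err`. The guard should probably read `#if HAVE_REGCOMP`, matching the `#if HAVE_REGCOMP` under which `match_exp` is declared. The re-indentation carries the guard over unchanged, so the leak on the overflow path would remain.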
@@ -404,70 +405,70 @@ aname_replacer(char *string, char **contextp, char **result)
* Pound through the expression until we're done.
*/
for (cp = *contextp; *cp; ) {
- /* Skip leading whitespace */
- while (isspace((int) (*cp)))
- cp++;
-
- /*
- * Find our separators. First two characters must be "s/"
- * We must also find another "/" followed by another "/".
- */
- if (!((cp[0] == 's') &&
- (cp[1] == '/') &&
- (ep = strchr(&cp[2], '/')) &&
- (tp = strchr(&ep[1], '/')))) {
- /* Bad syntax */
- kret = KRB5_CONFIG_BADFORMAT;
- goto cleanup;
- }
-
- /* Figure out sizes of strings and allocate them */
- rule_size = (size_t) (ep - &cp[2]);
- repl_size = (size_t) (tp - &ep[1]);
- rule = malloc(rule_size + 1);
- if (!rule) {
- kret = ENOMEM;
- goto cleanup;
- }
- repl = malloc(repl_size + 1);
- if (!repl) {
- kret = ENOMEM;
- goto cleanup;
- }
-
- /* Copy the strings */
- memcpy(rule, &cp[2], rule_size);
- memcpy(repl, &ep[1], repl_size);
- rule[rule_size] = repl[repl_size] = '\0';
-
- /* Check for trailing "g" */
- doglobal = (tp[1] == 'g') ? 1 : 0;
- if (doglobal)
- tp++;
-
- /* Swap previous in and out buffers */
- ep = in;
- in = out;
- out = ep;
-
- /* Do the replacemenbt */
- memset(out, '\0', MAX_FORMAT_BUFFER);
- if (!do_replacement(rule, repl, doglobal, in, out)) {
- kret = KRB5_LNAME_NOTRANS;
- goto cleanup;
- }
- free(rule);
- free(repl);
- rule = repl = NULL;
-
- /* If we have no output buffer left, this can't be good */
- if (strlen(out) == 0) {
- kret = KRB5_LNAME_NOTRANS;
- goto cleanup;
- }
-
- /* Advance past trailer */
- cp = &tp[1];
+ /* Skip leading whitespace */
+ while (isspace((int) (*cp)))
+ cp++;
+
+ /*
+ * Find our separators. First two characters must be "s/"
+ * We must also find another "/" followed by another "/".
+ */
+ if (!((cp[0] == 's') &&
+ (cp[1] == '/') &&
+ (ep = strchr(&cp[2], '/')) &&
+ (tp = strchr(&ep[1], '/')))) {
+ /* Bad syntax */
+ kret = KRB5_CONFIG_BADFORMAT;
+ goto cleanup;
+ }
+
+ /* Figure out sizes of strings and allocate them */
+ rule_size = (size_t) (ep - &cp[2]);
+ repl_size = (size_t) (tp - &ep[1]);
+ rule = malloc(rule_size + 1);
+ if (!rule) {
+ kret = ENOMEM;
+ goto cleanup;
+ }
+ repl = malloc(repl_size + 1);
+ if (!repl) {
+ kret = ENOMEM;
+ goto cleanup;
+ }
+
+ /* Copy the strings */
+ memcpy(rule, &cp[2], rule_size);
+ memcpy(repl, &ep[1], repl_size);
+ rule[rule_size] = repl[repl_size] = '\0';
+
+ /* Check for trailing "g" */
+ doglobal = (tp[1] == 'g') ? 1 : 0;
+ if (doglobal)
+ tp++;
+
+ /* Swap previous in and out buffers */
+ ep = in;
+ in = out;
+ out = ep;
+
+ /* Do the replacemenbt */
+ memset(out, '\0', MAX_FORMAT_BUFFER);
+ if (!do_replacement(rule, repl, doglobal, in, out)) {
+ kret = KRB5_LNAME_NOTRANS;
+ goto cleanup;
+ }
+ free(rule);
+ free(repl);
+ rule = repl = NULL;
+
+ /* If we have no output buffer left, this can't be good */
+ if (strlen(out) == 0) {
+ kret = KRB5_LNAME_NOTRANS;
+ goto cleanup;
+ }
+
+ /* Advance past trailer */
+ cp = &tp[1];
}
free(in);
*result = out;
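Review bot: `isspace((int) (*cp))` in the whitespace-skipping loop passes a plain `char`, which is negative for bytes above 0x7f where `char` is signed, and that is outside the range `isspace` accepts. Casting through `unsigned char` keeps the argument valid: `while (isspace((unsigned char) *cp))`. The comment `/* Do the replacemenbt */` in the same loop has a typo that could be corrected alongside. aname_replacer begins and ends outside this hunk.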
@@ -488,7 +489,7 @@ cleanup:
*/
static krb5_error_code
aname_get_selstring(krb5_context context, krb5_const_principal aname,
- char **contextp, char **result)
+ char **contextp, char **result)
{
krb5_error_code kret;
char *fprincname, *current, *str;
@@ -499,16 +500,16 @@ aname_get_selstring(krb5_context context, krb5_const_principal aname,
*result = NULL;
if (**contextp != '[') {
- /* No selstring part; use the full flattened principal name. */
- kret = krb5_unparse_name(context, aname, &fprincname);
- if (kret)
- return kret;
- str = aname_full_to_mapping_name(fprincname);
- free(fprincname);
- if (!str)
- return ENOMEM;
- *result = str;
- return 0;
+ /* No selstring part; use the full flattened principal name. */
+ kret = krb5_unparse_name(context, aname, &fprincname);
+ if (kret)
+ return kret;
+ str = aname_full_to_mapping_name(fprincname);
+ free(fprincname);
+ if (!str)
+ return ENOMEM;
+ *result = str;
+ return 0;
}
/* Advance past the '[' and read the number of components. */
@@ -516,42 +517,42 @@ aname_get_selstring(krb5_context context, krb5_const_principal aname,
errno = 0;
num_comps = strtol(current, &current, 10);
if (errno != 0 || num_comps < 0 || *current != ':')
- return KRB5_CONFIG_BADFORMAT;
+ return KRB5_CONFIG_BADFORMAT;
if (num_comps != aname->length)
- return KRB5_LNAME_NOTRANS;
+ return KRB5_LNAME_NOTRANS;
current++;
krb5int_buf_init_dynamic(&selstring);
while (1) {
- /* Copy in literal characters up to the next $ or ]. */
- nlit = strcspn(current, "$]");
- krb5int_buf_add_len(&selstring, current, nlit);
- current += nlit;
- if (*current != '$')
- break;
-
- /* Expand $ substitution to a principal component. */
- errno = 0;
- compind = strtol(current + 1, &current, 10);
- if (errno || compind > num_comps)
- break;
- datap = (compind > 0)
- ? krb5_princ_component(context, aname, compind - 1)
- : krb5_princ_realm(context, aname);
- if (!datap)
- break;
- krb5int_buf_add_len(&selstring, datap->data, datap->length);
+ /* Copy in literal characters up to the next $ or ]. */
+ nlit = strcspn(current, "$]");
+ krb5int_buf_add_len(&selstring, current, nlit);
+ current += nlit;
+ if (*current != '$')
+ break;
+
+ /* Expand $ substitution to a principal component. */
+ errno = 0;
+ compind = strtol(current + 1, &current, 10);
+ if (errno || compind > num_comps)
+ break;
+ datap = (compind > 0)
+ ? krb5_princ_component(context, aname, compind - 1)
+ : krb5_princ_realm(context, aname);
+ if (!datap)
+ break;
+ krb5int_buf_add_len(&selstring, datap->data, datap->length);
}
/* Check that we hit a ']' and not the end of the string. */
if (*current != ']') {
- krb5int_free_buf(&selstring);
- return KRB5_CONFIG_BADFORMAT;
+ krb5int_free_buf(&selstring);
+ return KRB5_CONFIG_BADFORMAT;
}
str = krb5int_buf_data(&selstring);
if (str == NULL)
- return ENOMEM;
+ return ENOMEM;
*contextp = current + 1;
*result = str;
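Review bot: The `$` expansion loop leaves via `break` when `strtol` fails or `compind > num_comps`, relying on the later `*current != ']'` test to report the error. By then `strtol` has already advanced `current`, so a rule such as `[1:$5]` (constructed example) lands on the `]` and is accepted with a truncated selection string. Returning the error where it is detected would close that gap: `if (errno || compind > num_comps) { krb5int_free_buf(&selstring); return KRB5_CONFIG_BADFORMAT; }`. A negative index also falls through to the realm branch, because only `compind > 0` is tested. The function starts before this hunk and ends after it.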
@@ -561,7 +562,7 @@ aname_get_selstring(krb5_context context, krb5_const_principal aname,
/* Handle aname to lname translations for RULE rules. */
static krb5_error_code
rule_an_to_ln(krb5_context context, char *rule, krb5_const_principal aname,
- const unsigned int lnsize, char *lname)
+ const unsigned int lnsize, char *lname)
{
krb5_error_code kret;
char *current, *selstring = 0, *outstring = 0;
@@ -570,31 +571,31 @@ rule_an_to_ln(krb5_context context, char *rule, krb5_const_principal aname,
current = rule;
kret = aname_get_selstring(context, aname, &current, &selstring);
if (kret)
- return kret;
+ return kret;
/* Check the selection string against the regexp, if present. */
if (*current == '(') {
- kret = aname_do_match(selstring, &current);
- if (kret)
- goto cleanup;
+ kret = aname_do_match(selstring, &current);
+ if (kret)
+ goto cleanup;
}
/* Perform the substitution. */
outstring = NULL;
kret = aname_replacer(selstring, &current, &outstring);
if (kret)
- goto cleanup;
+ goto cleanup;
/* Copy out the value if there's enough room. */
if (strlcpy(lname, outstring, lnsize) >= lnsize)
- kret = KRB5_CONFIG_NOTENUFSPACE;
+ kret = KRB5_CONFIG_NOTENUFSPACE;
cleanup:
free(selstring);
free(outstring);
return kret;
}
-#endif /* AN_TO_LN_RULES */
+#endif /* AN_TO_LN_RULES */
/*
* Implementation: This version checks the realm to see if it is the local
@@ -609,9 +610,9 @@ default_an_to_ln(krb5_context context, krb5_const_principal aname, const unsigne
unsigned int realm_length;
realm_length = krb5_princ_realm(context, aname)->length;
-
+
if ((retval = krb5_get_default_realm(context, &def_realm))) {
- return(retval);
+ return(retval);
}
if (!data_eq_string(*krb5_princ_realm(context, aname), def_realm)) {
free(def_realm);
@@ -620,58 +621,58 @@ default_an_to_ln(krb5_context context, krb5_const_principal aname, const unsigne
if (krb5_princ_size(context, aname) != 1) {
if (krb5_princ_size(context, aname) == 2 ) {
- /* Check to see if 2nd component is the local realm. */
- if ( strncmp(krb5_princ_component(context, aname,1)->data,def_realm,
- realm_length) ||
- realm_length != krb5_princ_component(context, aname,1)->length)
+ /* Check to see if 2nd component is the local realm. */
+ if ( strncmp(krb5_princ_component(context, aname,1)->data,def_realm,
+ realm_length) ||
+ realm_length != krb5_princ_component(context, aname,1)->length)
return KRB5_LNAME_NOTRANS;
}
else
- /* no components or more than one component to non-realm part of name
- --no translation. */
+ /* no components or more than one component to non-realm part of name
+ --no translation. */
return KRB5_LNAME_NOTRANS;
}
free(def_realm);
- strncpy(lname, krb5_princ_component(context, aname,0)->data,
- min(krb5_princ_component(context, aname,0)->length,lnsize));
+ strncpy(lname, krb5_princ_component(context, aname,0)->data,
+ min(krb5_princ_component(context, aname,0)->length,lnsize));
if (lnsize <= krb5_princ_component(context, aname,0)->length ) {
- retval = KRB5_CONFIG_NOTENUFSPACE;
+ retval = KRB5_CONFIG_NOTENUFSPACE;
} else {
- lname[krb5_princ_component(context, aname,0)->length] = '\0';
- retval = 0;
+ lname[krb5_princ_component(context, aname,0)->length] = '\0';
+ retval = 0;
}
return retval;
}
/*
- Converts an authentication name to a local name suitable for use by
- programs wishing a translation to an environment-specific name (e.g.
- user account name).
+ Converts an authentication name to a local name suitable for use by
+ programs wishing a translation to an environment-specific name (e.g.
+ user account name).
- lnsize specifies the maximum length name that is to be filled into
- lname.
- The translation will be null terminated in all non-error returns.
+ lnsize specifies the maximum length name that is to be filled into
+ lname.
+ The translation will be null terminated in all non-error returns.
- returns system errors, NOT_ENOUGH_SPACE
+ returns system errors, NOT_ENOUGH_SPACE
*/
krb5_error_code KRB5_CALLCONV
krb5_aname_to_localname(krb5_context context, krb5_const_principal aname, int lnsize_in, char *lname)
{
- krb5_error_code kret;
- char *realm;
- char *pname;
- char *mname;
- const char *hierarchy[5];
- char **mapping_values;
- int i, nvalid;
- char *cp, *s;
- char *typep, *argp;
+ krb5_error_code kret;
+ char *realm;
+ char *pname;
+ char *mname;
+ const char *hierarchy[5];
+ char **mapping_values;
+ int i, nvalid;
+ char *cp, *s;
+ char *typep, *argp;
unsigned int lnsize;
if (lnsize_in < 0)
- return KRB5_CONFIG_NOTENUFSPACE;
+ return KRB5_CONFIG_NOTENUFSPACE;
lnsize = lnsize_in; /* Unsigned */
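Review bot: Both `return KRB5_LNAME_NOTRANS;` statements inside the `krb5_princ_size(context, aname) != 1` block exit without releasing `def_realm`, which is only freed by the `free(def_realm);` after that block. Each principal that takes one of those returns leaks the realm string, which accumulates in a long-running server that maps names per request. Adding `free(def_realm);` before each of the two returns, with braces around the `else` body, fixes it. The start of default_an_to_ln is outside this hunk, so this assumes `def_realm` is still owned at that point, as the later free suggests.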
@@ -679,134 +680,133 @@ krb5_aname_to_localname(krb5_context context, krb5_const_principal aname, int ln
* First get the default realm.
*/
if (!(kret = krb5_get_default_realm(context, &realm))) {
- /* Flatten the name */
- if (!(kret = krb5_unparse_name(context, aname, &pname))) {
- if ((mname = aname_full_to_mapping_name(pname))) {
- /*
- * Search first for explicit mappings of the form:
- *
- * [realms]->realm->"auth_to_local_names"->mapping_name
- */
- hierarchy[0] = KRB5_CONF_REALMS;
- hierarchy[1] = realm;
- hierarchy[2] = KRB5_CONF_AUTH_TO_LOCAL_NAMES;
- hierarchy[3] = mname;
- hierarchy[4] = (char *) NULL;
- if (!(kret = profile_get_values(context->profile,
- hierarchy,
- &mapping_values))) {
- /* We found one or more explicit mappings. */
- for (nvalid=0; mapping_values[nvalid]; nvalid++);
-
- /* Just use the last one. */
- /* Trim the value. */
- s = mapping_values[nvalid-1];
- cp = s + strlen(s);
- while (cp > s) {
- cp--;
- if (!isspace((int)(*cp)))
- break;
- *cp = '\0';
- }
-
- /* Copy out the value if there's enough room */
- if (strlcpy(lname, mapping_values[nvalid-1],
- lnsize) >= lnsize)
- kret = KRB5_CONFIG_NOTENUFSPACE;
-
- /* Free residue */
- profile_free_list(mapping_values);
- }
- else {
- /*
- * OK - There's no explicit mapping. Now check for
- * general auth_to_local rules of the form:
- *
- * [realms]->realm->"auth_to_local"
- *
- * This can have one or more of the following kinds of
- * values:
- * DB:<filename> - Look up principal in aname database.
- * RULE:<sed-exp> - Formulate lname from sed-exp.
- * DEFAULT - Use default rule.
- * The first rule to find a match is used.
- */
- hierarchy[0] = KRB5_CONF_REALMS;
- hierarchy[1] = realm;
- hierarchy[2] = KRB5_CONF_AUTH_TO_LOCAL;
- hierarchy[3] = (char *) NULL;
- if (!(kret = profile_get_values(context->profile,
- hierarchy,
- &mapping_values))) {
- /*
- * Loop through all the mapping values.
- */
- for (i=0; mapping_values[i]; i++) {
- typep = mapping_values[i];
- argp = strchr(typep, ':');
- if (argp) {
- *argp = '\0';
- argp++;
- }
+ /* Flatten the name */
+ if (!(kret = krb5_unparse_name(context, aname, &pname))) {
+ if ((mname = aname_full_to_mapping_name(pname))) {
+ /*
+ * Search first for explicit mappings of the form:
+ *
+ * [realms]->realm->"auth_to_local_names"->mapping_name
+ */
+ hierarchy[0] = KRB5_CONF_REALMS;
+ hierarchy[1] = realm;
+ hierarchy[2] = KRB5_CONF_AUTH_TO_LOCAL_NAMES;
+ hierarchy[3] = mname;
+ hierarchy[4] = (char *) NULL;
+ if (!(kret = profile_get_values(context->profile,
+ hierarchy,
+ &mapping_values))) {
+ /* We found one or more explicit mappings. */
+ for (nvalid=0; mapping_values[nvalid]; nvalid++);
+
+ /* Just use the last one. */
+ /* Trim the value. */
+ s = mapping_values[nvalid-1];
+ cp = s + strlen(s);
+ while (cp > s) {
+ cp--;
+ if (!isspace((int)(*cp)))
+ break;
+ *cp = '\0';
+ }
+
+ /* Copy out the value if there's enough room */
+ if (strlcpy(lname, mapping_values[nvalid-1],
+ lnsize) >= lnsize)
+ kret = KRB5_CONFIG_NOTENUFSPACE;
+
+ /* Free residue */
+ profile_free_list(mapping_values);
+ }
+ else {
+ /*
+ * OK - There's no explicit mapping. Now check for
+ * general auth_to_local rules of the form:
+ *
+ * [realms]->realm->"auth_to_local"
+ *
+ * This can have one or more of the following kinds of
+ * values:
+ * DB:<filename> - Look up principal in aname database.
+ * RULE:<sed-exp> - Formulate lname from sed-exp.
+ * DEFAULT - Use default rule.
+ * The first rule to find a match is used.
+ */
+ hierarchy[0] = KRB5_CONF_REALMS;
+ hierarchy[1] = realm;
+ hierarchy[2] = KRB5_CONF_AUTH_TO_LOCAL;
+ hierarchy[3] = (char *) NULL;
+ if (!(kret = profile_get_values(context->profile,
+ hierarchy,
+ &mapping_values))) {
+ /*
+ * Loop through all the mapping values.
+ */
+ for (i=0; mapping_values[i]; i++) {
+ typep = mapping_values[i];
+ argp = strchr(typep, ':');
+ if (argp) {
+ *argp = '\0';
+ argp++;
+ }
#ifdef ANAME_DB
- if (!strcmp(typep, "DB") && argp) {
- kret = db_an_to_ln(context,
- argp,
- aname,
- lnsize,
- lname);
- if (kret != KRB5_LNAME_NOTRANS)
- break;
- }
- else
+ if (!strcmp(typep, "DB") && argp) {
+ kret = db_an_to_ln(context,
+ argp,
+ aname,
+ lnsize,
+ lname);
+ if (kret != KRB5_LNAME_NOTRANS)
+ break;
+ }
+ else
#endif
-#ifdef AN_TO_LN_RULES
- if (!strcmp(typep, "RULE") && argp) {
- kret = rule_an_to_ln(context,
- argp,
- aname,
- lnsize,
- lname);
- if (kret != KRB5_LNAME_NOTRANS)
- break;
- }
- else
-#endif /* AN_TO_LN_RULES */
- if (!strcmp(typep, "DEFAULT") && !argp) {
- kret = default_an_to_ln(context,
- aname,
- lnsize,
- lname);
- if (kret != KRB5_LNAME_NOTRANS)
- break;
- }
- else {
- kret = KRB5_CONFIG_BADFORMAT;
- break;
- }
- }
-
- /* We're done, clean up the droppings. */
- profile_free_list(mapping_values);
- }
- else {
- /*
- * No profile relation found, try default mapping.
- */
- kret = default_an_to_ln(context,
- aname,
- lnsize,
- lname);
- }
- }
- free(mname);
- }
- else
- kret = ENOMEM;
- free(pname);
- }
- free(realm);
+#ifdef AN_TO_LN_RULES
+ if (!strcmp(typep, "RULE") && argp) {
+ kret = rule_an_to_ln(context,
+ argp,
+ aname,
+ lnsize,
+ lname);
+ if (kret != KRB5_LNAME_NOTRANS)
+ break;
+ }
+ else
+#endif /* AN_TO_LN_RULES */
+ if (!strcmp(typep, "DEFAULT") && !argp) {
+ kret = default_an_to_ln(context,
+ aname,
+ lnsize,
+ lname);
+ if (kret != KRB5_LNAME_NOTRANS)
+ break;
+ }
+ else {
+ kret = KRB5_CONFIG_BADFORMAT;
+ break;
+ }
+ }
+
+ /* We're done, clean up the droppings. */
+ profile_free_list(mapping_values);
+ }
+ else {
+ /*
+ * No profile relation found, try default mapping.
+ */
+ kret = default_an_to_ln(context,
+ aname,
+ lnsize,
+ lname);
+ }
+ }
+ free(mname);
+ }
+ else
+ kret = ENOMEM;
+ free(pname);
+ }
+ free(realm);
}
return(kret);
}
-
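Review bot: The trailing-whitespace trim in the explicit-mapping branch calls `isspace((int)(*cp))` on a plain `char`, which is undefined for bytes above 0x7f where `char` is signed; `isspace((unsigned char)*cp)` is the safe form. The same branch reads `mapping_values[nvalid-1]` without checking `nvalid > 0`. That is safe only if profile_get_values never succeeds with an empty list, which this hunk does not show, so a guard such as `if (nvalid == 0)` or a comment stating the contract would help. The same assumption applies to the `auth_to_local` loop: with an empty list `kret` would stay 0 and `lname` would be returned unwritten. krb5_aname_to_localname begins above this hunk.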
diff --git a/src/lib/krb5/os/c_ustime.c b/src/lib/krb5/os/c_ustime.c
index fbb6d61281..1bfdac4af3 100644
--- a/src/lib/krb5/os/c_ustime.c
+++ b/src/lib/krb5/os/c_ustime.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/crypto/os/c_ustime.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,11 +23,11 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_mstimeofday for BSD 4.3
*/
-
+
#include "k5-int.h"
#include "k5-thread.h"
@@ -36,8 +37,8 @@ struct time_now { krb5_int32 sec, usec; };
#if defined(_WIN32)
- /* Microsoft Windows NT and 95 (32bit) */
- /* This one works for WOW (Windows on Windows, ntvdm on Win-NT) */
+/* Microsoft Windows NT and 95 (32bit) */
+/* This one works for WOW (Windows on Windows, ntvdm on Win-NT) */
#include <time.h>
#include <sys/timeb.h>
@@ -64,7 +65,7 @@ get_time_now(struct time_now *n)
struct timeval tv;
if (gettimeofday(&tv, (struct timezone *)0) == -1)
- return errno;
+ return errno;
n->sec = tv.tv_sec;
n->usec = tv.tv_usec;
@@ -84,11 +85,11 @@ krb5_crypto_us_timeofday(krb5_int32 *seconds, krb5_int32 *microseconds)
now.sec = now.usec = 0;
err = get_time_now(&now);
if (err)
- return err;
+ return err;
err = k5_mutex_lock(&krb5int_us_time_mutex);
if (err)
- return err;
+ return err;
/* Just guessing: If the number of seconds hasn't changed, yet the
microseconds are moving backwards, we probably just got a third
instance of returning the same clock value from the system, so
@@ -98,17 +99,17 @@ krb5_crypto_us_timeofday(krb5_int32 *seconds, krb5_int32 *microseconds)
quite likely. On UNIX, it appears that we always get new
microsecond values, so this case should never trigger. */
if ((now.sec == last_time.sec) && (now.usec <= last_time.usec)) {
- /* Same as last time??? */
- now.usec = ++last_time.usec;
- if (now.usec >= 1000000) {
- ++now.sec;
- now.usec = 0;
- }
- /* For now, we're not worrying about the case of enough
- returns of the same value that we roll over now.sec, and
- the next call still gets the previous now.sec value. */
+ /* Same as last time??? */
+ now.usec = ++last_time.usec;
+ if (now.usec >= 1000000) {
+ ++now.sec;
+ now.usec = 0;
+ }
+ /* For now, we're not worrying about the case of enough
+ returns of the same value that we roll over now.sec, and
+ the next call still gets the previous now.sec value. */
}
- last_time.sec = now.sec; /* Remember for next time */
+ last_time.sec = now.sec; /* Remember for next time */
last_time.usec = now.usec;
k5_mutex_unlock(&krb5int_us_time_mutex);
diff --git a/src/lib/krb5/os/ccdefname.c b/src/lib/krb5/os/ccdefname.c
index 7587cb007f..0686e721af 100644
--- a/src/lib/krb5/os/ccdefname.c
+++ b/src/lib/krb5/os/ccdefname.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/os/ccdefname.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* Return default cred. cache name.
*/
@@ -38,50 +39,50 @@
#if defined(_WIN32)
static int get_from_registry_indirect(char *name_buf, int name_size)
{
- /* If the RegKRB5CCNAME variable is set, it will point to
- * the registry key that has the name of the cache to use.
- * The Gradient PC-DCE sets the registry key
- * [HKEY_CURRENT_USER\Software\Gradient\DCE\Default\KRB5CCNAME]
- * to point at the cache file name (including the FILE: prefix).
- * By indirecting with the RegKRB5CCNAME entry in kerberos.ini,
- * we can accomodate other versions that might set a registry
- * variable.
- */
- char newkey[256];
-
- LONG name_buf_size;
- HKEY hkey;
- int found = 0;
- char *cp;
-
- newkey[0] = 0;
- GetPrivateProfileString(INI_FILES, "RegKRB5CCNAME", "",
- newkey, sizeof(newkey), KERBEROS_INI);
- if (!newkey[0])
- return 0;
-
- newkey[sizeof(newkey)-1] = 0;
- cp = strrchr(newkey,'\\');
- if (cp) {
- *cp = '\0'; /* split the string */
- cp++;
- } else
- cp = "";
-
- if (RegOpenKeyEx(HKEY_CURRENT_USER, newkey, 0,
- KEY_QUERY_VALUE, &hkey) != ERROR_SUCCESS)
- return 0;
-
- name_buf_size = name_size;
- if (RegQueryValueEx(hkey, cp, 0, 0,
- name_buf, &name_buf_size) != ERROR_SUCCESS)
- {
- RegCloseKey(hkey);
- return 0;
- }
-
- RegCloseKey(hkey);
- return 1;
+ /* If the RegKRB5CCNAME variable is set, it will point to
+ * the registry key that has the name of the cache to use.
+ * The Gradient PC-DCE sets the registry key
+ * [HKEY_CURRENT_USER\Software\Gradient\DCE\Default\KRB5CCNAME]
+ * to point at the cache file name (including the FILE: prefix).
+ * By indirecting with the RegKRB5CCNAME entry in kerberos.ini,
+ * we can accomodate other versions that might set a registry
+ * variable.
+ */
+ char newkey[256];
+
+ LONG name_buf_size;
+ HKEY hkey;
+ int found = 0;
+ char *cp;
+
+ newkey[0] = 0;
+ GetPrivateProfileString(INI_FILES, "RegKRB5CCNAME", "",
+ newkey, sizeof(newkey), KERBEROS_INI);
+ if (!newkey[0])
+ return 0;
+
+ newkey[sizeof(newkey)-1] = 0;
+ cp = strrchr(newkey,'\\');
+ if (cp) {
+ *cp = '\0'; /* split the string */
+ cp++;
+ } else
+ cp = "";
+
+ if (RegOpenKeyEx(HKEY_CURRENT_USER, newkey, 0,
+ KEY_QUERY_VALUE, &hkey) != ERROR_SUCCESS)
+ return 0;
+
+ name_buf_size = name_size;
+ if (RegQueryValueEx(hkey, cp, 0, 0,
+ name_buf, &name_buf_size) != ERROR_SUCCESS)
+ {
+ RegCloseKey(hkey);
+ return 0;
+ }
+
+ RegCloseKey(hkey);
+ return 1;
}
/*
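Review bot: get_from_registry_indirect returns 1 with whatever bytes `RegQueryValueEx` placed in `name_buf`, without requesting the value type or terminating the string. Registry string data is not guaranteed to include its terminating NUL, and the caller treats this buffer as a C string naming the credential cache. For a positive `name_size`, setting `name_buf_size = name_size - 1;` before the call and `name_buf[name_buf_size] = 0;` after a successful one keeps it terminated, ideally while also rejecting types other than `REG_SZ`. `name_buf_size` is declared `LONG` but passed where the API takes a `DWORD` pointer, and `found` is never used. get_from_registry in the following hunk queries its value the same way.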
@@ -94,19 +95,19 @@ static int get_from_registry_indirect(char *name_buf, int name_size)
static int
get_from_registry(
HKEY hBaseKey,
- char *name_buf,
+ char *name_buf,
int name_size
- )
+)
{
HKEY hKey;
DWORD name_buf_size = (DWORD)name_size;
const char *key_path = "Software\\MIT\\Kerberos5";
const char *value_name = "ccname";
- if (RegOpenKeyEx(hBaseKey, key_path, 0, KEY_QUERY_VALUE,
+ if (RegOpenKeyEx(hBaseKey, key_path, 0, KEY_QUERY_VALUE,
&hKey) != ERROR_SUCCESS)
return 0;
- if (RegQueryValueEx(hKey, value_name, 0, 0,
+ if (RegQueryValueEx(hKey, value_name, 0, 0,
name_buf, &name_buf_size) != ERROR_SUCCESS)
{
RegCloseKey(hKey);
@@ -123,7 +124,7 @@ try_dir(
char* dir,
char* buffer,
int buf_len
- )
+)
{
struct _stat s;
if (!dir)
@@ -145,53 +146,53 @@ try_dir(
#if defined(_WIN32)
static krb5_error_code get_from_os(char *name_buf, unsigned int name_size)
{
- char *prefix = krb5_cc_dfl_ops->prefix;
- int size;
- char *p;
- DWORD gle;
-
- SetLastError(0);
- GetEnvironmentVariable(KRB5_ENV_CCNAME, name_buf, name_size);
- gle = GetLastError();
- if (gle == 0)
- return 0;
- else if (gle != ERROR_ENVVAR_NOT_FOUND)
- return ENOMEM;
-
- if (get_from_registry(HKEY_CURRENT_USER,
- name_buf, name_size) != 0)
- return 0;
-
- if (get_from_registry(HKEY_LOCAL_MACHINE,
- name_buf, name_size) != 0)
- return 0;
-
- if (get_from_registry_indirect(name_buf, name_size) != 0)
- return 0;
-
- strncpy(name_buf, prefix, name_size - 1);
- name_buf[name_size - 1] = 0;
- size = name_size - strlen(prefix);
- if (size > 0)
- strcat(name_buf, ":");
- size--;
- p = name_buf + name_size - size;
- if (!strcmp(prefix, "API")) {
- strncpy(p, "krb5cc", size);
- } else if (!strcmp(prefix, "FILE") || !strcmp(prefix, "STDIO")) {
- if (!try_dir(getenv("TEMP"), p, size) &&
- !try_dir(getenv("TMP"), p, size))
- {
- int len = GetWindowsDirectory(p, size);
- name_buf[name_size - 1] = 0;
- if (len < size - sizeof(APPEND_KRB5CC))
- strcat(p, APPEND_KRB5CC);
- }
- } else {
- strncpy(p, "default_cache_name", size);
- }
- name_buf[name_size - 1] = 0;
- return 0;
+ char *prefix = krb5_cc_dfl_ops->prefix;
+ int size;
+ char *p;
+ DWORD gle;
+
+ SetLastError(0);
+ GetEnvironmentVariable(KRB5_ENV_CCNAME, name_buf, name_size);
+ gle = GetLastError();
+ if (gle == 0)
+ return 0;
+ else if (gle != ERROR_ENVVAR_NOT_FOUND)
+ return ENOMEM;
+
+ if (get_from_registry(HKEY_CURRENT_USER,
+ name_buf, name_size) != 0)
+ return 0;
+
+ if (get_from_registry(HKEY_LOCAL_MACHINE,
+ name_buf, name_size) != 0)
+ return 0;
+
+ if (get_from_registry_indirect(name_buf, name_size) != 0)
+ return 0;
+
+ strncpy(name_buf, prefix, name_size - 1);
+ name_buf[name_size - 1] = 0;
+ size = name_size - strlen(prefix);
+ if (size > 0)
+ strcat(name_buf, ":");
+ size--;
+ p = name_buf + name_size - size;
+ if (!strcmp(prefix, "API")) {
+ strncpy(p, "krb5cc", size);
+ } else if (!strcmp(prefix, "FILE") || !strcmp(prefix, "STDIO")) {
+ if (!try_dir(getenv("TEMP"), p, size) &&
+ !try_dir(getenv("TMP"), p, size))
+ {
+ int len = GetWindowsDirectory(p, size);
+ name_buf[name_size - 1] = 0;
+ if (len < size - sizeof(APPEND_KRB5CC))
+ strcat(p, APPEND_KRB5CC);
+ }
+ } else {
+ strncpy(p, "default_cache_name", size);
+ }
+ name_buf[name_size - 1] = 0;
+ return 0;
}
#endif
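Review bot: The guard `if (len < size - sizeof(APPEND_KRB5CC))` before `strcat(p, APPEND_KRB5CC)` mixes `int` with `size_t`. When `size` is smaller than the suffix, the subtraction wraps to a very large unsigned value, the test passes, and `strcat` writes past the end of `name_buf`. Keeping the comparison in one unsigned domain avoids this: `if (size > 0 && len > 0 && (size_t)len + sizeof(APPEND_KRB5CC) <= (size_t)size)`. Separately, the function relies on `GetLastError()` alone after `GetEnvironmentVariable`; also checking the call's return value against `name_size` would catch a value that does not fit the buffer, which the current test may treat as success.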
@@ -199,35 +200,35 @@ static krb5_error_code get_from_os(char *name_buf, unsigned int name_size)
static krb5_error_code get_from_os(char *name_buf, unsigned int name_size)
{
- krb5_error_code result = 0;
- cc_context_t cc_context = NULL;
- cc_string_t default_name = NULL;
-
- cc_int32 ccerr = cc_initialize (&cc_context, ccapi_version_3, NULL, NULL);
- if (ccerr == ccNoError) {
- ccerr = cc_context_get_default_ccache_name (cc_context, &default_name);
- }
-
- if (ccerr == ccNoError) {
- if (strlen (default_name -> data) + 5 > name_size) {
- result = ENOMEM;
- goto cleanup;
- } else {
- snprintf (name_buf, name_size, "API:%s",
- default_name -> data);
- }
- }
-
+ krb5_error_code result = 0;
+ cc_context_t cc_context = NULL;
+ cc_string_t default_name = NULL;
+
+ cc_int32 ccerr = cc_initialize (&cc_context, ccapi_version_3, NULL, NULL);
+ if (ccerr == ccNoError) {
+ ccerr = cc_context_get_default_ccache_name (cc_context, &default_name);
+ }
+
+ if (ccerr == ccNoError) {
+ if (strlen (default_name -> data) + 5 > name_size) {
+ result = ENOMEM;
+ goto cleanup;
+ } else {
+ snprintf (name_buf, name_size, "API:%s",
+ default_name -> data);
+ }
+ }
+
cleanup:
- if (cc_context != NULL) {
- cc_context_release (cc_context);
- }
-
- if (default_name != NULL) {
- cc_string_release (default_name);
- }
-
- return result;
+ if (cc_context != NULL) {
+ cc_context_release (cc_context);
+ }
+
+ if (default_name != NULL) {
+ cc_string_release (default_name);
+ }
+
+ return result;
}
#else
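Review bot: When `cc_initialize` or `cc_context_get_default_ccache_name` fails, `result` stays 0 and `name_buf` is never written, so this get_from_os reports success with an unset buffer. krb5_cc_default_name, further down in this file's diff, passes the uninitialized stack array `new_ccbuf` and hands it to krb5_cc_set_default_name whenever `err` is 0, so the default cache name would be taken from indeterminate memory. Setting a failure code ahead of the `cleanup:` label, for example `if (ccerr != ccNoError) result = KRB5_CC_NOTFOUND;`, keeps the output defined. Writing an empty string into `name_buf` on entry would also work.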
@@ -245,9 +246,9 @@ krb5_cc_set_default_name(krb5_context context, const char *name)
{
krb5_error_code err = 0;
char *new_ccname = NULL;
-
+
if (!context || context->magic != KV5M_CONTEXT) { err = KV5M_CONTEXT; }
-
+
if (name != NULL) {
if (!err) {
/* If the name isn't NULL, make a copy of it */
@@ -255,7 +256,7 @@ krb5_cc_set_default_name(krb5_context context, const char *name)
if (new_ccname == NULL) { err = ENOMEM; }
}
}
-
+
if (!err) {
/* free the old ccname and store the new one */
krb5_os_context os_ctx = &context->os_context;
@@ -263,42 +264,42 @@ krb5_cc_set_default_name(krb5_context context, const char *name)
os_ctx->default_ccname = new_ccname;
new_ccname = NULL; /* don't free */
}
-
+
return err;
}
-
+
const char * KRB5_CALLCONV
krb5_cc_default_name(krb5_context context)
{
krb5_error_code err = 0;
krb5_os_context os_ctx = NULL;
-
+
if (!context || context->magic != KV5M_CONTEXT) { err = KV5M_CONTEXT; }
-
+
if (!err) {
os_ctx = &context->os_context;
-
+
if (os_ctx->default_ccname == NULL) {
/* Default ccache name has not been set yet */
char *new_ccname = NULL;
char new_ccbuf[1024];
-
+
/* try the environment variable first */
new_ccname = getenv(KRB5_ENV_CCNAME);
-
+
if (new_ccname == NULL) {
/* fall back on the default ccache name for the OS */
new_ccname = new_ccbuf;
err = get_from_os (new_ccbuf, sizeof (new_ccbuf));
}
-
+
if (!err) {
err = krb5_cc_set_default_name (context, new_ccname);
}
}
}
-
+
return err ? NULL : os_ctx->default_ccname;
}
@@ -314,7 +315,7 @@ krb5int_cc_os_default_name(krb5_context context, char **name)
*name = NULL;
tmpname = malloc(BUFSIZ);
if (tmpname == NULL)
- return ENOMEM;
+ return ENOMEM;
retval = get_from_os(tmpname, BUFSIZ);
*name = tmpname;
diff --git a/src/lib/krb5/os/changepw.c b/src/lib/krb5/os/changepw.c
index 7811387385..10a54d2d78 100644
--- a/src/lib/krb5/os/changepw.c
+++ b/src/lib/krb5/os/changepw.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/os/changepw.c
*
@@ -44,11 +45,11 @@
#endif
struct sendto_callback_context {
- krb5_context context;
- krb5_auth_context auth_context;
- krb5_principal set_password_for;
- char *newpw;
- krb5_data ap_req;
+ krb5_context context;
+ krb5_auth_context auth_context;
+ krb5_principal set_password_for;
+ char *newpw;
+ krb5_data ap_req;
krb5_ui_4 remote_seq_num, local_seq_num;
};
@@ -58,30 +59,30 @@ struct sendto_callback_context {
static krb5_error_code
krb5_locate_kpasswd(krb5_context context, const krb5_data *realm,
- struct addrlist *addrlist, krb5_boolean useTcp)
+ struct addrlist *addrlist, krb5_boolean useTcp)
{
krb5_error_code code;
int sockType = (useTcp ? SOCK_STREAM : SOCK_DGRAM);
code = krb5int_locate_server (context, realm, addrlist,
- locate_service_kpasswd, sockType, AF_INET);
+ locate_service_kpasswd, sockType, AF_INET);
if (code == KRB5_REALM_CANT_RESOLVE || code == KRB5_REALM_UNKNOWN) {
- code = krb5int_locate_server (context, realm, addrlist,
- locate_service_kadmin, SOCK_STREAM,
- AF_INET);
- if (!code) {
- /* Success with admin_server but now we need to change the
- port number to use DEFAULT_KPASSWD_PORT and the socktype. */
- int i;
- for (i=0; i<addrlist->naddrs; i++) {
- struct addrinfo *a = addrlist->addrs[i].ai;
- if (a->ai_family == AF_INET)
- sa2sin (a->ai_addr)->sin_port = htons(DEFAULT_KPASSWD_PORT);
- if (sockType != SOCK_STREAM)
- a->ai_socktype = sockType;
- }
- }
+ code = krb5int_locate_server (context, realm, addrlist,
+ locate_service_kadmin, SOCK_STREAM,
+ AF_INET);
+ if (!code) {
+ /* Success with admin_server but now we need to change the
+ port number to use DEFAULT_KPASSWD_PORT and the socktype. */
+ int i;
+ for (i=0; i<addrlist->naddrs; i++) {
+ struct addrinfo *a = addrlist->addrs[i].ai;
+ if (a->ai_family == AF_INET)
+ sa2sin (a->ai_addr)->sin_port = htons(DEFAULT_KPASSWD_PORT);
+ if (sockType != SOCK_STREAM)
+ a->ai_socktype = sockType;
+ }
+ }
}
return (code);
}
@@ -91,24 +92,24 @@ krb5_locate_kpasswd(krb5_context context, const krb5_data *realm,
* This routine is used for a callback in sendto_kdc.c code. Simply
* put, we need the client addr to build the krb_priv portion of the
* password request.
- */
+ */
static void kpasswd_sendto_msg_cleanup (void* callback_context, krb5_data* message)
{
struct sendto_callback_context *ctx = callback_context;
- krb5_free_data_contents(ctx->context, message);
+ krb5_free_data_contents(ctx->context, message);
}
-
+
static int kpasswd_sendto_msg_callback(struct conn_state *conn, void *callback_context, krb5_data* message)
{
- krb5_error_code code = 0;
- struct sockaddr_storage local_addr;
- krb5_address local_kaddr;
- struct sendto_callback_context *ctx = callback_context;
- GETSOCKNAME_ARG3_TYPE addrlen;
- krb5_data output;
+ krb5_error_code code = 0;
+ struct sockaddr_storage local_addr;
+ krb5_address local_kaddr;
+ struct sendto_callback_context *ctx = callback_context;
+ GETSOCKNAME_ARG3_TYPE addrlen;
+ krb5_data output;
memset (message, 0, sizeof(krb5_data));
@@ -118,37 +119,37 @@ static int kpasswd_sendto_msg_callback(struct conn_state *conn, void *callback_c
addrlen = sizeof(local_addr);
if (getsockname(conn->fd, ss2sa(&local_addr), &addrlen) < 0) {
- code = SOCKET_ERRNO;
- goto cleanup;
+ code = SOCKET_ERRNO;
+ goto cleanup;
}
/* some brain-dead OS's don't return useful information from
* the getsockname call. Namely, windows and solaris. */
if (ss2sin(&local_addr)->sin_addr.s_addr != 0) {
- local_kaddr.addrtype = ADDRTYPE_INET;
- local_kaddr.length = sizeof(ss2sin(&local_addr)->sin_addr);
- local_kaddr.contents = (krb5_octet *) &ss2sin(&local_addr)->sin_addr;
+ local_kaddr.addrtype = ADDRTYPE_INET;
+ local_kaddr.length = sizeof(ss2sin(&local_addr)->sin_addr);
+ local_kaddr.contents = (krb5_octet *) &ss2sin(&local_addr)->sin_addr;
} else {
- krb5_address **addrs;
-
- code = krb5_os_localaddr(ctx->context, &addrs);
- if (code)
- goto cleanup;
-
- local_kaddr.magic = addrs[0]->magic;
- local_kaddr.addrtype = addrs[0]->addrtype;
- local_kaddr.length = addrs[0]->length;
- local_kaddr.contents = malloc(addrs[0]->length);
- if (local_kaddr.contents == NULL && addrs[0]->length != 0) {
- code = ENOMEM;
- krb5_free_addresses(ctx->context, addrs);
- goto cleanup;
- }
- if (addrs[0]->length)
- memcpy(local_kaddr.contents, addrs[0]->contents, addrs[0]->length);
-
- krb5_free_addresses(ctx->context, addrs);
+ krb5_address **addrs;
+
+ code = krb5_os_localaddr(ctx->context, &addrs);
+ if (code)
+ goto cleanup;
+
+ local_kaddr.magic = addrs[0]->magic;
+ local_kaddr.addrtype = addrs[0]->addrtype;
+ local_kaddr.length = addrs[0]->length;
+ local_kaddr.contents = malloc(addrs[0]->length);
+ if (local_kaddr.contents == NULL && addrs[0]->length != 0) {
+ code = ENOMEM;
+ krb5_free_addresses(ctx->context, addrs);
+ goto cleanup;
+ }
+ if (addrs[0]->length)
+ memcpy(local_kaddr.contents, addrs[0]->contents, addrs[0]->length);
+
+ krb5_free_addresses(ctx->context, addrs);
}
@@ -159,27 +160,27 @@ static int kpasswd_sendto_msg_callback(struct conn_state *conn, void *callback_c
if ((code = krb5_auth_con_setaddrs(ctx->context, ctx->auth_context,
- &local_kaddr, NULL)))
- goto cleanup;
+ &local_kaddr, NULL)))
+ goto cleanup;
ctx->auth_context->remote_seq_number = ctx->remote_seq_num;
ctx->auth_context->local_seq_number = ctx->local_seq_num;
if (ctx->set_password_for)
- code = krb5int_mk_setpw_req(ctx->context,
- ctx->auth_context,
- &ctx->ap_req,
- ctx->set_password_for,
- ctx->newpw,
- &output);
+ code = krb5int_mk_setpw_req(ctx->context,
+ ctx->auth_context,
+ &ctx->ap_req,
+ ctx->set_password_for,
+ ctx->newpw,
+ &output);
else
- code = krb5int_mk_chpw_req(ctx->context,
- ctx->auth_context,
- &ctx->ap_req,
- ctx->newpw,
- &output);
+ code = krb5int_mk_chpw_req(ctx->context,
+ ctx->auth_context,
+ &ctx->ap_req,
+ ctx->newpw,
+ &output);
if (code)
- goto cleanup;
+ goto cleanup;
message->length = output.length;
message->data = output.data;
@@ -191,28 +192,28 @@ cleanup:
/*
** The logic for setting and changing a password is mostly the same
-** krb5_change_set_password handles both cases
-** if set_password_for is NULL, then a password change is performed,
+** krb5_change_set_password handles both cases
+** if set_password_for is NULL, then a password change is performed,
** otherwise, the password is set for the principal indicated in set_password_for
*/
static krb5_error_code KRB5_CALLCONV
krb5_change_set_password(krb5_context context, krb5_creds *creds, char *newpw,
- krb5_principal set_password_for,
- int *result_code, krb5_data *result_code_string,
- krb5_data *result_string)
+ krb5_principal set_password_for,
+ int *result_code, krb5_data *result_code_string,
+ krb5_data *result_string)
{
- krb5_data chpw_rep;
- krb5_address remote_kaddr;
- krb5_boolean useTcp = 0;
- GETSOCKNAME_ARG3_TYPE addrlen;
- krb5_error_code code = 0;
- char *code_string;
- int local_result_code;
-
+ krb5_data chpw_rep;
+ krb5_address remote_kaddr;
+ krb5_boolean useTcp = 0;
+ GETSOCKNAME_ARG3_TYPE addrlen;
+ krb5_error_code code = 0;
+ char *code_string;
+ int local_result_code;
+
struct sendto_callback_context callback_ctx;
- struct sendto_callback_info callback_info;
- struct sockaddr_storage remote_addr;
- struct addrlist al = ADDRLIST_INIT;
+ struct sendto_callback_info callback_info;
+ struct sockaddr_storage remote_addr;
+ struct addrlist al = ADDRLIST_INIT;
memset(&chpw_rep, 0, sizeof(krb5_data));
memset( &callback_ctx, 0, sizeof(struct sendto_callback_context));
@@ -220,123 +221,123 @@ krb5_change_set_password(krb5_context context, krb5_creds *creds, char *newpw,
callback_ctx.newpw = newpw;
callback_ctx.set_password_for = set_password_for;
- if ((code = krb5_auth_con_init(callback_ctx.context,
- &callback_ctx.auth_context)))
- goto cleanup;
+ if ((code = krb5_auth_con_init(callback_ctx.context,
+ &callback_ctx.auth_context)))
+ goto cleanup;
- if ((code = krb5_mk_req_extended(callback_ctx.context,
- &callback_ctx.auth_context,
- AP_OPTS_USE_SUBKEY,
- NULL,
- creds,
- &callback_ctx.ap_req)))
- goto cleanup;
+ if ((code = krb5_mk_req_extended(callback_ctx.context,
+ &callback_ctx.auth_context,
+ AP_OPTS_USE_SUBKEY,
+ NULL,
+ creds,
+ &callback_ctx.ap_req)))
+ goto cleanup;
callback_ctx.remote_seq_num = callback_ctx.auth_context->remote_seq_number;
callback_ctx.local_seq_num = callback_ctx.auth_context->local_seq_number;
do {
- if ((code = krb5_locate_kpasswd(callback_ctx.context,
- krb5_princ_realm(callback_ctx.context,
- creds->server),
- &al, useTcp)))
- break;
-
- addrlen = sizeof(remote_addr);
-
- callback_info.context = (void*) &callback_ctx;
- callback_info.pfn_callback = kpasswd_sendto_msg_callback;
- callback_info.pfn_cleanup = kpasswd_sendto_msg_cleanup;
-
- if ((code = krb5int_sendto(callback_ctx.context,
- NULL,
- &al,
- &callback_info,
- &chpw_rep,
- NULL,
- NULL,
- ss2sa(&remote_addr),
+ if ((code = krb5_locate_kpasswd(callback_ctx.context,
+ krb5_princ_realm(callback_ctx.context,
+ creds->server),
+ &al, useTcp)))
+ break;
+
+ addrlen = sizeof(remote_addr);
+
+ callback_info.context = (void*) &callback_ctx;
+ callback_info.pfn_callback = kpasswd_sendto_msg_callback;
+ callback_info.pfn_cleanup = kpasswd_sendto_msg_cleanup;
+
+ if ((code = krb5int_sendto(callback_ctx.context,
+ NULL,
+ &al,
+ &callback_info,
+ &chpw_rep,
+ NULL,
+ NULL,
+ ss2sa(&remote_addr),
&addrlen,
- NULL,
- NULL,
- NULL
- ))) {
-
- /*
- * Here we may want to switch to TCP on some errors.
- * right?
- */
- break;
- }
-
- remote_kaddr.addrtype = ADDRTYPE_INET;
- remote_kaddr.length = sizeof(ss2sin(&remote_addr)->sin_addr);
- remote_kaddr.contents = (krb5_octet *) &ss2sin(&remote_addr)->sin_addr;
-
- if ((code = krb5_auth_con_setaddrs(callback_ctx.context,
- callback_ctx.auth_context,
- NULL,
- &remote_kaddr)))
- break;
-
- if (set_password_for)
- code = krb5int_rd_setpw_rep(callback_ctx.context,
- callback_ctx.auth_context,
- &chpw_rep,
- &local_result_code,
- result_string);
- else
- code = krb5int_rd_chpw_rep(callback_ctx.context,
- callback_ctx.auth_context,
- &chpw_rep,
- &local_result_code,
- result_string);
-
- if (code) {
- if (code == KRB5KRB_ERR_RESPONSE_TOO_BIG && !useTcp ) {
- krb5int_free_addrlist (&al);
- useTcp = 1;
- continue;
- }
-
- break;
- }
-
- if (result_code)
- *result_code = local_result_code;
-
- if (result_code_string) {
- if (set_password_for)
- code = krb5int_setpw_result_code_string(callback_ctx.context,
- local_result_code,
- (const char **)&code_string);
- else
- code = krb5_chpw_result_code_string(callback_ctx.context,
- local_result_code,
- &code_string);
- if(code)
- goto cleanup;
-
- result_code_string->length = strlen(code_string);
- result_code_string->data = malloc(result_code_string->length);
- if (result_code_string->data == NULL) {
- code = ENOMEM;
- goto cleanup;
- }
- strncpy(result_code_string->data, code_string, result_code_string->length);
- }
-
- if (code == KRB5KRB_ERR_RESPONSE_TOO_BIG && !useTcp ) {
- krb5int_free_addrlist (&al);
- useTcp = 1;
+ NULL,
+ NULL,
+ NULL
+ ))) {
+
+ /*
+ * Here we may want to switch to TCP on some errors.
+ * right?
+ */
+ break;
+ }
+
+ remote_kaddr.addrtype = ADDRTYPE_INET;
+ remote_kaddr.length = sizeof(ss2sin(&remote_addr)->sin_addr);
+ remote_kaddr.contents = (krb5_octet *) &ss2sin(&remote_addr)->sin_addr;
+
+ if ((code = krb5_auth_con_setaddrs(callback_ctx.context,
+ callback_ctx.auth_context,
+ NULL,
+ &remote_kaddr)))
+ break;
+
+ if (set_password_for)
+ code = krb5int_rd_setpw_rep(callback_ctx.context,
+ callback_ctx.auth_context,
+ &chpw_rep,
+ &local_result_code,
+ result_string);
+ else
+ code = krb5int_rd_chpw_rep(callback_ctx.context,
+ callback_ctx.auth_context,
+ &chpw_rep,
+ &local_result_code,
+ result_string);
+
+ if (code) {
+ if (code == KRB5KRB_ERR_RESPONSE_TOO_BIG && !useTcp ) {
+ krb5int_free_addrlist (&al);
+ useTcp = 1;
+ continue;
+ }
+
+ break;
+ }
+
+ if (result_code)
+ *result_code = local_result_code;
+
+ if (result_code_string) {
+ if (set_password_for)
+ code = krb5int_setpw_result_code_string(callback_ctx.context,
+ local_result_code,
+ (const char **)&code_string);
+ else
+ code = krb5_chpw_result_code_string(callback_ctx.context,
+ local_result_code,
+ &code_string);
+ if(code)
+ goto cleanup;
+
+ result_code_string->length = strlen(code_string);
+ result_code_string->data = malloc(result_code_string->length);
+ if (result_code_string->data == NULL) {
+ code = ENOMEM;
+ goto cleanup;
+ }
+ strncpy(result_code_string->data, code_string, result_code_string->length);
+ }
+
+ if (code == KRB5KRB_ERR_RESPONSE_TOO_BIG && !useTcp ) {
+ krb5int_free_addrlist (&al);
+ useTcp = 1;
} else {
- break;
- }
+ break;
+ }
} while (TRUE);
cleanup:
if (callback_ctx.auth_context != NULL)
- krb5_auth_con_free(callback_ctx.context, callback_ctx.auth_context);
+ krb5_auth_con_free(callback_ctx.context, callback_ctx.auth_context);
krb5int_free_addrlist (&al);
krb5_free_data_contents(callback_ctx.context, &callback_ctx.ap_req);
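Review bot: The peer-address setup at `remote_kaddr.addrtype = ADDRTYPE_INET;` reads `ss2sin(&remote_addr)->sin_addr` without checking which address family krb5int_sendto stored in `remote_addr`, which is declared above as a `struct sockaddr_storage`. If the list returned by krb5_locate_kpasswd can contain an IPv6 server (not visible from here), four bytes of an IPv6 sockaddr are handed to krb5_auth_con_setaddrs as the server's IPv4 address. Any address check the reply path performs would then be made against the wrong value. Branch on `ss2sa(&remote_addr)->sa_family` as sketched below and fail for families the code does not handle; the IPv6 arm assumes the build has IPv6 support. The function starts before this hunk and its cleanup continues after it.

```c
/* … unchanged: krb5int_sendto call and its error break … */
if (ss2sa(&remote_addr)->sa_family == AF_INET) {
    remote_kaddr.addrtype = ADDRTYPE_INET;
    remote_kaddr.length = sizeof(ss2sin(&remote_addr)->sin_addr);
    remote_kaddr.contents = (krb5_octet *) &ss2sin(&remote_addr)->sin_addr;
} else if (ss2sa(&remote_addr)->sa_family == AF_INET6) {
    remote_kaddr.addrtype = ADDRTYPE_INET6;
    remote_kaddr.length = sizeof(ss2sin6(&remote_addr)->sin6_addr);
    remote_kaddr.contents = (krb5_octet *) &ss2sin6(&remote_addr)->sin6_addr;
} else {
    code = EAFNOSUPPORT;
    break;
}
/* … unchanged: krb5_auth_con_setaddrs call and reply parsing … */
```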
@@ -348,8 +349,8 @@ cleanup:
krb5_error_code KRB5_CALLCONV
krb5_change_password(krb5_context context, krb5_creds *creds, char *newpw, int *result_code, krb5_data *result_code_string, krb5_data *result_string)
{
- return krb5_change_set_password(
- context, creds, newpw, NULL, result_code, result_code_string, result_string );
+ return krb5_change_set_password(
+ context, creds, newpw, NULL, result_code, result_code_string, result_string );
}
/*
@@ -359,29 +360,29 @@ krb5_change_password(krb5_context context, krb5_creds *creds, char *newpw, int *
krb5_error_code KRB5_CALLCONV
krb5_set_password(
- krb5_context context,
- krb5_creds *creds,
- char *newpw,
- krb5_principal change_password_for,
- int *result_code, krb5_data *result_code_string, krb5_data *result_string
- )
+ krb5_context context,
+ krb5_creds *creds,
+ char *newpw,
+ krb5_principal change_password_for,
+ int *result_code, krb5_data *result_code_string, krb5_data *result_string
+)
{
- return krb5_change_set_password(
- context, creds, newpw, change_password_for, result_code, result_code_string, result_string );
+ return krb5_change_set_password(
+ context, creds, newpw, change_password_for, result_code, result_code_string, result_string );
}
krb5_error_code KRB5_CALLCONV
krb5_set_password_using_ccache(
- krb5_context context,
- krb5_ccache ccache,
- char *newpw,
- krb5_principal change_password_for,
- int *result_code, krb5_data *result_code_string, krb5_data *result_string
- )
+ krb5_context context,
+ krb5_ccache ccache,
+ char *newpw,
+ krb5_principal change_password_for,
+ int *result_code, krb5_data *result_code_string, krb5_data *result_string
+)
{
- krb5_creds creds;
- krb5_creds *credsp;
- krb5_error_code code;
+ krb5_creds creds;
+ krb5_creds *credsp;
+ krb5_error_code code;
/*
** get the proper creds for use with krb5_set_password -
@@ -392,20 +393,20 @@ krb5_set_password_using_ccache(
*/
code = krb5_cc_get_principal (context, ccache, &creds.client);
if (!code) {
- code = krb5_build_principal(context, &creds.server,
- krb5_princ_realm(context, change_password_for)->length,
- krb5_princ_realm(context, change_password_for)->data,
- "kadmin", "changepw", NULL);
- if (!code) {
- code = krb5_get_credentials(context, 0, ccache, &creds, &credsp);
- if (!code) {
- code = krb5_set_password(context, credsp, newpw, change_password_for,
- result_code, result_code_string,
- result_string);
- krb5_free_creds(context, credsp);
- }
- }
- krb5_free_cred_contents(context, &creds);
+ code = krb5_build_principal(context, &creds.server,
+ krb5_princ_realm(context, change_password_for)->length,
+ krb5_princ_realm(context, change_password_for)->data,
+ "kadmin", "changepw", NULL);
+ if (!code) {
+ code = krb5_get_credentials(context, 0, ccache, &creds, &credsp);
+ if (!code) {
+ code = krb5_set_password(context, credsp, newpw, change_password_for,
+ result_code, result_code_string,
+ result_string);
+ krb5_free_creds(context, credsp);
+ }
+ }
+ krb5_free_cred_contents(context, &creds);
}
return code;
}
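Review bot: `krb5_princ_realm(context, change_password_for)->length` dereferences `change_password_for` with no NULL check, although the comment on krb5_change_set_password earlier in this file says a NULL principal selects a plain password change. A caller that passes NULL to krb5_set_password_using_ccache expecting that behaviour would fault here rather than get an error code. Either reject it before the krb5_cc_get_principal call with `if (change_password_for == NULL) return EINVAL;`, or state in the function comment that the argument must be non-NULL. The function's declarations and the start of its comment are in the previous hunk.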
diff --git a/src/lib/krb5/os/def_realm.c b/src/lib/krb5/os/def_realm.c
index 998e555d1a..5b6f88d7e4 100644
--- a/src/lib/krb5/os/def_realm.c
+++ b/src/lib/krb5/os/def_realm.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/os/def_realm.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_get_default_realm(), krb5_set_default_realm(),
* krb5_free_default_realm() functions.
@@ -32,7 +33,7 @@
#include "os-proto.h"
#include <stdio.h>
-#ifdef KRB5_DNS_LOOKUP
+#ifdef KRB5_DNS_LOOKUP
#ifdef WSHELPER
#include <wshelper.h>
#else /* WSHELPER */
@@ -58,9 +59,9 @@
* Retrieves the default realm to be used if no user-specified realm is
* available. [e.g. to interpret a user-typed principal name with the
* realm omitted for convenience]
- *
+ *
* returns system errors, NOT_ENOUGH_SPACE, KV5M_CONTEXT
-*/
+ */
/*
* Implementation: the default realm is stored in a configuration file,
@@ -74,8 +75,8 @@ krb5_get_default_realm(krb5_context context, char **lrealm)
char *realm = 0;
krb5_error_code retval;
- if (!context || (context->magic != KV5M_CONTEXT))
- return KV5M_CONTEXT;
+ if (!context || (context->magic != KV5M_CONTEXT))
+ return KV5M_CONTEXT;
if (!context->default_realm) {
/*
@@ -98,7 +99,7 @@ krb5_get_default_realm(krb5_context context, char **lrealm)
}
}
#ifndef KRB5_DNS_LOOKUP
- else
+ else
return KRB5_CONFIG_CANTOPEN;
#else /* KRB5_DNS_LOOKUP */
if (context->default_realm == 0) {
@@ -121,7 +122,7 @@ krb5_get_default_realm(krb5_context context, char **lrealm)
if ( localhost[0] ) {
p = localhost;
do {
- retval = krb5_try_realm_txt_rr("_kerberos", p,
+ retval = krb5_try_realm_txt_rr("_kerberos", p,
&context->default_realm);
p = strchr(p,'.');
if (p)
@@ -129,10 +130,10 @@ krb5_get_default_realm(krb5_context context, char **lrealm)
} while (retval && p && p[0]);
if (retval)
- retval = krb5_try_realm_txt_rr("_kerberos", "",
+ retval = krb5_try_realm_txt_rr("_kerberos", "",
&context->default_realm);
} else {
- retval = krb5_try_realm_txt_rr("_kerberos", "",
+ retval = krb5_try_realm_txt_rr("_kerberos", "",
&context->default_realm);
}
if (retval) {
@@ -152,7 +153,7 @@ krb5_get_default_realm(krb5_context context, char **lrealm)
}
realm = context->default_realm;
-
+
if (!(*lrealm = strdup(realm)))
return ENOMEM;
return(0);
@@ -161,22 +162,22 @@ krb5_get_default_realm(krb5_context context, char **lrealm)
krb5_error_code KRB5_CALLCONV
krb5_set_default_realm(krb5_context context, const char *lrealm)
{
- if (!context || (context->magic != KV5M_CONTEXT))
- return KV5M_CONTEXT;
+ if (!context || (context->magic != KV5M_CONTEXT))
+ return KV5M_CONTEXT;
if (context->default_realm) {
- free(context->default_realm);
- context->default_realm = 0;
+ free(context->default_realm);
+ context->default_realm = 0;
}
- /* Allow the user to clear the default realm setting by passing in
+ /* Allow the user to clear the default realm setting by passing in
NULL */
if (!lrealm) return 0;
context->default_realm = strdup(lrealm);
if (!context->default_realm)
- return ENOMEM;
+ return ENOMEM;
return(0);
@@ -201,10 +202,10 @@ krb5int_get_domain_realm_mapping(krb5_context context, const char *host, char **
if (retval)
return retval;
/*
- Search for the best match for the host or domain.
- Example: Given a host a.b.c.d, try to match on:
- 1) a.b.c.d 2) .b.c.d. 3) b.c.d 4) .c.d 5) c.d 6) .d 7) d
- */
+ Search for the best match for the host or domain.
+ Example: Given a host a.b.c.d, try to match on:
+ 1) a.b.c.d 2) .b.c.d. 3) b.c.d 4) .c.d 5) c.d 6) .d 7) d
+ */
cp = temp_host;
realm = (char *)NULL;
@@ -216,7 +217,7 @@ krb5int_get_domain_realm_mapping(krb5_context context, const char *host, char **
return retval;
if (temp_realm != (char *)NULL)
break; /* Match found */
-
+
/* Setup for another test */
if (*cp == '.') {
cp++;
@@ -244,4 +245,3 @@ krb5int_get_domain_realm_mapping(krb5_context context, const char *host, char **
*realmsp = retrealms;
return 0;
}
-
diff --git a/src/lib/krb5/os/dnsglue.c b/src/lib/krb5/os/dnsglue.c
index 55e1cd9124..f07f8211c7 100644
--- a/src/lib/krb5/os/dnsglue.c
+++ b/src/lib/krb5/os/dnsglue.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/os/dnsglue.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*/
#include "autoconf.h"
#ifdef KRB5_DNS_LOOKUP
@@ -72,7 +73,7 @@ static int initparse(struct krb5int_dns_state *);
*/
int
krb5int_dns_init(struct krb5int_dns_state **dsp,
- char *host, int nclass, int ntype)
+ char *host, int nclass, int ntype)
{
#if USE_RES_NINIT
struct __res_state statbuf;
@@ -84,7 +85,7 @@ krb5int_dns_init(struct krb5int_dns_state **dsp,
*dsp = ds = malloc(sizeof(*ds));
if (ds == NULL)
- return -1;
+ return -1;
ret = -1;
ds->nclass = nclass;
@@ -106,36 +107,36 @@ krb5int_dns_init(struct krb5int_dns_state **dsp,
ret = res_init();
#endif
if (ret < 0)
- return -1;
+ return -1;
do {
- p = (ds->ansp == NULL)
- ? malloc(nextincr) : realloc(ds->ansp, nextincr);
+ p = (ds->ansp == NULL)
+ ? malloc(nextincr) : realloc(ds->ansp, nextincr);
- if (p == NULL) {
- ret = -1;
- goto errout;
- }
- ds->ansp = p;
- ds->ansmax = nextincr;
+ if (p == NULL) {
+ ret = -1;
+ goto errout;
+ }
+ ds->ansp = p;
+ ds->ansmax = nextincr;
#if USE_RES_NINIT
- len = res_nsearch(&statbuf, host, ds->nclass, ds->ntype,
- ds->ansp, ds->ansmax);
+ len = res_nsearch(&statbuf, host, ds->nclass, ds->ntype,
+ ds->ansp, ds->ansmax);
#else
- len = res_search(host, ds->nclass, ds->ntype,
- ds->ansp, ds->ansmax);
+ len = res_search(host, ds->nclass, ds->ntype,
+ ds->ansp, ds->ansmax);
#endif
- if (len > maxincr) {
- ret = -1;
- goto errout;
- }
- while (nextincr < len)
- nextincr *= 2;
- if (len < 0 || nextincr > maxincr) {
- ret = -1;
- goto errout;
- }
+ if (len > maxincr) {
+ ret = -1;
+ goto errout;
+ }
+ while (nextincr < len)
+ nextincr *= 2;
+ if (len < 0 || nextincr > maxincr) {
+ ret = -1;
+ goto errout;
+ }
} while (len > ds->ansmax);
ds->anslen = len;
@@ -145,7 +146,7 @@ krb5int_dns_init(struct krb5int_dns_state **dsp,
ret = initparse(ds);
#endif
if (ret < 0)
- goto errout;
+ goto errout;
ret = 0;
@@ -154,10 +155,10 @@ errout:
res_ndestroy(&statbuf);
#endif
if (ret < 0) {
- if (ds->ansp != NULL) {
- free(ds->ansp);
- ds->ansp = NULL;
- }
+ if (ds->ansp != NULL) {
+ free(ds->ansp);
+ ds->ansp = NULL;
+ }
}
return ret;
@@ -172,7 +173,7 @@ errout:
*/
int
krb5int_dns_nextans(struct krb5int_dns_state *ds,
- const unsigned char **pp, int *lenp)
+ const unsigned char **pp, int *lenp)
{
int len;
ns_rr rr;
@@ -180,16 +181,16 @@ krb5int_dns_nextans(struct krb5int_dns_state *ds,
*pp = NULL;
*lenp = 0;
while (ds->cur_ans < ns_msg_count(ds->msg, ns_s_an)) {
- len = ns_parserr(&ds->msg, ns_s_an, ds->cur_ans, &rr);
- if (len < 0)
- return -1;
- ds->cur_ans++;
- if (ds->nclass == ns_rr_class(rr)
- && ds->ntype == ns_rr_type(rr)) {
- *pp = ns_rr_rdata(rr);
- *lenp = ns_rr_rdlen(rr);
- return 0;
- }
+ len = ns_parserr(&ds->msg, ns_s_an, ds->cur_ans, &rr);
+ if (len < 0)
+ return -1;
+ ds->cur_ans++;
+ if (ds->nclass == ns_rr_class(rr)
+ && ds->ntype == ns_rr_type(rr)) {
+ *pp = ns_rr_rdata(rr);
+ *lenp = ns_rr_rdlen(rr);
+ return 0;
+ }
}
return 0;
}
@@ -199,18 +200,18 @@ krb5int_dns_nextans(struct krb5int_dns_state *ds,
* krb5int_dns_expand - wrapper for dn_expand()
*/
int krb5int_dns_expand(struct krb5int_dns_state *ds,
- const unsigned char *p,
- char *buf, int len)
+ const unsigned char *p,
+ char *buf, int len)
{
#if HAVE_NS_NAME_UNCOMPRESS
return ns_name_uncompress(ds->ansp,
- (unsigned char *)ds->ansp + ds->anslen,
- p, buf, (size_t)len);
+ (unsigned char *)ds->ansp + ds->anslen,
+ p, buf, (size_t)len);
#else
return dn_expand(ds->ansp,
- (unsigned char *)ds->ansp + ds->anslen,
- p, buf, len);
+ (unsigned char *)ds->ansp + ds->anslen,
+ p, buf, len);
#endif
}
@@ -221,9 +222,9 @@ void
krb5int_dns_fini(struct krb5int_dns_state *ds)
{
if (ds == NULL)
- return;
+ return;
if (ds->ansp != NULL)
- free(ds->ansp);
+ free(ds->ansp);
free(ds);
}
@@ -251,7 +252,7 @@ initparse(struct krb5int_dns_state *ds)
#endif
if (ds->anslen < sizeof(HEADER))
- return -1;
+ return -1;
hdr = (HEADER *)ds->ansp;
p = ds->ansp;
@@ -264,14 +265,14 @@ initparse(struct krb5int_dns_state *ds)
*/
while (nqueries--) {
#if HAVE_DN_SKIPNAME
- len = dn_skipname(p, (unsigned char *)ds->ansp + ds->anslen);
+ len = dn_skipname(p, (unsigned char *)ds->ansp + ds->anslen);
#else
- len = dn_expand(ds->ansp, (unsigned char *)ds->ansp + ds->anslen,
- p, host, sizeof(host));
+ len = dn_expand(ds->ansp, (unsigned char *)ds->ansp + ds->anslen,
+ p, host, sizeof(host));
#endif
- if (len < 0 || !INCR_OK(ds->ansp, ds->anslen, p, len + 4))
- return -1;
- p += len + 4;
+ if (len < 0 || !INCR_OK(ds->ansp, ds->anslen, p, len + 4))
+ return -1;
+ p += len + 4;
}
ds->ptr = p;
ds->nanswers = nanswers;
@@ -285,7 +286,7 @@ initparse(struct krb5int_dns_state *ds)
*/
int
krb5int_dns_nextans(struct krb5int_dns_state *ds,
- const unsigned char **pp, int *lenp)
+ const unsigned char **pp, int *lenp)
{
int len;
unsigned char *p;
@@ -300,30 +301,30 @@ krb5int_dns_nextans(struct krb5int_dns_state *ds,
while (ds->nanswers--) {
#if HAVE_DN_SKIPNAME
- len = dn_skipname(p, (unsigned char *)ds->ansp + ds->anslen);
+ len = dn_skipname(p, (unsigned char *)ds->ansp + ds->anslen);
#else
- len = dn_expand(ds->ansp, (unsigned char *)ds->ansp + ds->anslen,
- p, host, sizeof(host));
+ len = dn_expand(ds->ansp, (unsigned char *)ds->ansp + ds->anslen,
+ p, host, sizeof(host));
#endif
- if (len < 0 || !INCR_OK(ds->ansp, ds->anslen, p, len))
- return -1;
- p += len;
- SAFE_GETUINT16(ds->ansp, ds->anslen, p, 2, ntype, out);
- /* Also skip 4 bytes of TTL */
- SAFE_GETUINT16(ds->ansp, ds->anslen, p, 6, nclass, out);
- SAFE_GETUINT16(ds->ansp, ds->anslen, p, 2, rdlen, out);
-
- if (!INCR_OK(ds->ansp, ds->anslen, p, rdlen))
- return -1;
- if (rdlen > INT_MAX)
- return -1;
- if (nclass == ds->nclass && ntype == ds->ntype) {
- *pp = p;
- *lenp = rdlen;
- ds->ptr = p + rdlen;
- return 0;
- }
- p += rdlen;
+ if (len < 0 || !INCR_OK(ds->ansp, ds->anslen, p, len))
+ return -1;
+ p += len;
+ SAFE_GETUINT16(ds->ansp, ds->anslen, p, 2, ntype, out);
+ /* Also skip 4 bytes of TTL */
+ SAFE_GETUINT16(ds->ansp, ds->anslen, p, 6, nclass, out);
+ SAFE_GETUINT16(ds->ansp, ds->anslen, p, 2, rdlen, out);
+
+ if (!INCR_OK(ds->ansp, ds->anslen, p, rdlen))
+ return -1;
+ if (rdlen > INT_MAX)
+ return -1;
+ if (nclass == ds->nclass && ntype == ds->ntype) {
+ *pp = p;
+ *lenp = rdlen;
+ ds->ptr = p + rdlen;
+ return 0;
+ }
+ p += rdlen;
}
return 0;
out:
diff --git a/src/lib/krb5/os/dnsglue.h b/src/lib/krb5/os/dnsglue.h
index c73a433056..d8298862a5 100644
--- a/src/lib/krb5/os/dnsglue.h
+++ b/src/lib/krb5/os/dnsglue.h
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/os/dnsglue.h
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -59,11 +60,11 @@
#endif /* WSHELPER */
#if HAVE_SYS_PARAM_H
-#include <sys/param.h> /* for MAXHOSTNAMELEN */
+#include <sys/param.h> /* for MAXHOSTNAMELEN */
#endif
#ifndef MAXHOSTNAMELEN
-#define MAXHOSTNAMELEN 64 /* if we can't find it elswhere */
+#define MAXHOSTNAMELEN 64 /* if we can't find it elswhere */
#endif
#ifndef MAXDNAME
@@ -124,9 +125,9 @@
* Given moving pointer PTR offset from BASE, return true if adding
* INCR to PTR doesn't move it PTR than MAX bytes from BASE.
*/
-#define INCR_OK(base, max, ptr, incr) \
- ((incr) <= (max) - ((const unsigned char *)(ptr) \
- - (const unsigned char *)(base)))
+#define INCR_OK(base, max, ptr, incr) \
+ ((incr) <= (max) - ((const unsigned char *)(ptr) \
+ - (const unsigned char *)(base)))
/*
* SAFE_GETUINT16
@@ -136,21 +137,21 @@
* failure, goto LABEL.
*/
-#define SAFE_GETUINT16(base, max, ptr, incr, s, label) \
- do { \
- if (!INCR_OK(base, max, ptr, incr)) goto label; \
- (s) = (unsigned short)(p)[0] << 8 \
- | (unsigned short)(p)[1]; \
- (p) += (incr); \
+#define SAFE_GETUINT16(base, max, ptr, incr, s, label) \
+ do { \
+ if (!INCR_OK(base, max, ptr, incr)) goto label; \
+ (s) = (unsigned short)(p)[0] << 8 \
+ | (unsigned short)(p)[1]; \
+ (p) += (incr); \
} while (0)
struct krb5int_dns_state;
int krb5int_dns_init(struct krb5int_dns_state **, char *, int, int);
int krb5int_dns_nextans(struct krb5int_dns_state *,
- const unsigned char **, int *);
+ const unsigned char **, int *);
int krb5int_dns_expand(struct krb5int_dns_state *,
- const unsigned char *, char *, int);
+ const unsigned char *, char *, int);
void krb5int_dns_fini(struct krb5int_dns_state *);
#endif /* KRB5_DNS_LOOKUP */
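Review bot: SAFE_GETUINT16 names its moving pointer `ptr`, but the body reads `(p)[0]` and `(p)[1]` and advances `(p)`, so it is only correct when the caller's variable happens to be called `p`. With any other name it would either fail to compile or bounds-check one pointer and read through another. Use the parameter throughout: `(s) = (unsigned short)(ptr)[0] << 8 | (unsigned short)(ptr)[1];` and `(ptr) += (incr);`. The INCR_OK test also covers `incr` bytes while two bytes are always read, so the macro comment should say that `incr` must be at least 2; every call visible in this diff passes 2 or 6.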
diff --git a/src/lib/krb5/os/dnssrv.c b/src/lib/krb5/os/dnssrv.c
index 4dcd57cb81..31239f4140 100644
--- a/src/lib/krb5/os/dnssrv.c
+++ b/src/lib/krb5/os/dnssrv.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/os/dnssrv.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* do DNS SRV RR queries
*/
@@ -40,10 +41,10 @@ void krb5int_free_srv_dns_data (struct srv_dns_entry *p)
{
struct srv_dns_entry *next;
while (p) {
- next = p->next;
- free(p->host);
- free(p);
- p = next;
+ next = p->next;
+ free(p->host);
+ free(p);
+ p = next;
}
}
@@ -55,9 +56,9 @@ void krb5int_free_srv_dns_data (struct srv_dns_entry *p)
krb5_error_code
krb5int_make_srv_query_realm(const krb5_data *realm,
- const char *service,
- const char *protocol,
- struct srv_dns_entry **answers)
+ const char *service,
+ const char *protocol,
+ struct srv_dns_entry **answers)
{
const unsigned char *p = NULL, *base = NULL;
char host[MAXDNAME];
@@ -81,7 +82,7 @@ krb5int_make_srv_query_realm(const krb5_data *realm,
*/
if (memchr(realm->data, 0, realm->length))
- return 0;
+ return 0;
krb5int_buf_init_fixed(&buf, host, sizeof(host));
krb5int_buf_add_fmt(&buf, "%s.%s.", service, protocol);
krb5int_buf_add_len(&buf, realm->data, realm->length);
@@ -89,7 +90,7 @@ krb5int_make_srv_query_realm(const krb5_data *realm,
/* Realm names don't (normally) end with ".", but if the query
doesn't end with "." and doesn't get an answer as is, the
resolv code will try appending the local domain. Since the
- realm names are absolutes, let's stop that.
+ realm names are absolutes, let's stop that.
But only if a name has been specified. If we are performing
a search on the prefix alone then the intention is to allow
@@ -97,10 +98,10 @@ krb5int_make_srv_query_realm(const krb5_data *realm,
len = krb5int_buf_len(&buf);
if (len > 0 && host[len - 1] != '.')
- krb5int_buf_add(&buf, ".");
+ krb5int_buf_add(&buf, ".");
if (krb5int_buf_data(&buf) == NULL)
- return 0;
+ return 0;
#ifdef TEST
fprintf (stderr, "sending DNS SRV query for %s\n", host);
@@ -108,75 +109,75 @@ krb5int_make_srv_query_realm(const krb5_data *realm,
size = krb5int_dns_init(&ds, host, C_IN, T_SRV);
if (size < 0)
- goto out;
+ goto out;
for (;;) {
- ret = krb5int_dns_nextans(ds, &base, &rdlen);
- if (ret < 0 || base == NULL)
- goto out;
-
- p = base;
-
- SAFE_GETUINT16(base, rdlen, p, 2, priority, out);
- SAFE_GETUINT16(base, rdlen, p, 2, weight, out);
- SAFE_GETUINT16(base, rdlen, p, 2, port, out);
-
- /*
- * RFC 2782 says the target is never compressed in the reply;
- * do we believe that? We need to flatten it anyway, though.
- */
- nlen = krb5int_dns_expand(ds, p, host, sizeof(host));
- if (nlen < 0 || !INCR_OK(base, rdlen, p, nlen))
- goto out;
-
- /*
- * We got everything! Insert it into our list, but make sure
- * it's in the right order. Right now we don't do anything
- * with the weight field
- */
-
- srv = (struct srv_dns_entry *) malloc(sizeof(struct srv_dns_entry));
- if (srv == NULL)
- goto out;
-
- srv->priority = priority;
- srv->weight = weight;
- srv->port = port;
- /* The returned names are fully qualified. Don't let the
- local resolver code do domain search path stuff. */
- if (asprintf(&srv->host, "%s.", host) < 0) {
- free(srv);
- goto out;
- }
-
- if (head == NULL || head->priority > srv->priority) {
- srv->next = head;
- head = srv;
- } else {
- /*
- * This is confusing. Only insert an entry into this
- * spot if:
- * The next person has a higher priority (lower priorities
- * are preferred).
- * Or
- * There is no next entry (we're at the end)
- */
- for (entry = head; entry != NULL; entry = entry->next) {
- if ((entry->next &&
- entry->next->priority > srv->priority) ||
- entry->next == NULL) {
- srv->next = entry->next;
- entry->next = srv;
- break;
- }
- }
- }
+ ret = krb5int_dns_nextans(ds, &base, &rdlen);
+ if (ret < 0 || base == NULL)
+ goto out;
+
+ p = base;
+
+ SAFE_GETUINT16(base, rdlen, p, 2, priority, out);
+ SAFE_GETUINT16(base, rdlen, p, 2, weight, out);
+ SAFE_GETUINT16(base, rdlen, p, 2, port, out);
+
+ /*
+ * RFC 2782 says the target is never compressed in the reply;
+ * do we believe that? We need to flatten it anyway, though.
+ */
+ nlen = krb5int_dns_expand(ds, p, host, sizeof(host));
+ if (nlen < 0 || !INCR_OK(base, rdlen, p, nlen))
+ goto out;
+
+ /*
+ * We got everything! Insert it into our list, but make sure
+ * it's in the right order. Right now we don't do anything
+ * with the weight field
+ */
+
+ srv = (struct srv_dns_entry *) malloc(sizeof(struct srv_dns_entry));
+ if (srv == NULL)
+ goto out;
+
+ srv->priority = priority;
+ srv->weight = weight;
+ srv->port = port;
+ /* The returned names are fully qualified. Don't let the
+ local resolver code do domain search path stuff. */
+ if (asprintf(&srv->host, "%s.", host) < 0) {
+ free(srv);
+ goto out;
+ }
+
+ if (head == NULL || head->priority > srv->priority) {
+ srv->next = head;
+ head = srv;
+ } else {
+ /*
+ * This is confusing. Only insert an entry into this
+ * spot if:
+ * The next person has a higher priority (lower priorities
+ * are preferred).
+ * Or
+ * There is no next entry (we're at the end)
+ */
+ for (entry = head; entry != NULL; entry = entry->next) {
+ if ((entry->next &&
+ entry->next->priority > srv->priority) ||
+ entry->next == NULL) {
+ srv->next = entry->next;
+ entry->next = srv;
+ break;
+ }
+ }
+ }
}
out:
if (ds != NULL) {
- krb5int_dns_fini(ds);
- ds = NULL;
+ krb5int_dns_fini(ds);
+ ds = NULL;
}
*answers = head;
return 0;
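Review bot: Every failure inside the loop jumps to `out`, which stores whatever list was built in `*answers` and returns 0; this includes `srv == NULL` after malloc, a failed asprintf, and a record that fails the SAFE_GETUINT16 or INCR_OK bounds checks. A caller therefore cannot tell an out-of-memory condition or a malformed resolver answer from a short but valid SRV set. At minimum, document this on the function, e.g. `/* Returns 0 even if parsing or allocation fails; *answers then holds the entries built so far. */`. If callers can cope with it (they are not visible here), carrying an error code to `out`, freeing the partial list with `krb5int_free_srv_dns_data(head)` and returning ENOMEM on allocation failure would be cleaner. The function begins before this hunk.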
diff --git a/src/lib/krb5/os/free_hstrl.c b/src/lib/krb5/os/free_hstrl.c
index 4900fce9be..58222a6df8 100644
--- a/src/lib/krb5/os/free_hstrl.c
+++ b/src/lib/krb5/os/free_hstrl.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/os/free_hstrl.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_free_host_realm()
*/
@@ -31,8 +32,8 @@
#include <stdio.h>
/*
- Frees the storage taken by a realm list returned by krb5_get_host_realm.
- */
+ Frees the storage taken by a realm list returned by krb5_get_host_realm.
+*/
krb5_error_code KRB5_CALLCONV
krb5_free_host_realm(krb5_context context, char *const *realmlist)
diff --git a/src/lib/krb5/os/free_krbhs.c b/src/lib/krb5/os/free_krbhs.c
index d7776b46b3..ddbbc3bb77 100644
--- a/src/lib/krb5/os/free_krbhs.c
+++ b/src/lib/krb5/os/free_krbhs.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/os/free_krbhs.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_free_krbhst() function
*/
@@ -30,8 +31,8 @@
#include "k5-int.h"
/*
- Frees the storage taken by a host list returned by krb5_get_krbhst.
- */
+ Frees the storage taken by a host list returned by krb5_get_krbhst.
+*/
krb5_error_code
krb5_free_krbhst(krb5_context context, char *const *hostlist)
@@ -39,9 +40,9 @@ krb5_free_krbhst(krb5_context context, char *const *hostlist)
register char * const *cp;
if (hostlist == NULL)
- return 0;
+ return 0;
for (cp = hostlist; *cp; cp++)
- free(*cp);
+ free(*cp);
free((char *)hostlist);
return 0;
}
diff --git a/src/lib/krb5/os/full_ipadr.c b/src/lib/krb5/os/full_ipadr.c
index 795ce1e011..213e4262b8 100644
--- a/src/lib/krb5/os/full_ipadr.c
+++ b/src/lib/krb5/os/full_ipadr.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/os/full_ipadr.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* Take an IP addr & port and generate a full IP address.
*/
@@ -35,7 +36,7 @@
krb5_error_code
krb5_make_full_ipaddr(krb5_context context, krb5_int32 adr,
- /*krb5_int16*/int port, krb5_address **outaddr)
+ /*krb5_int16*/int port, krb5_address **outaddr)
{
unsigned long smushaddr = (unsigned long) adr; /* already in net order */
unsigned short smushport = (unsigned short) port; /* ditto */
@@ -45,16 +46,16 @@ krb5_make_full_ipaddr(krb5_context context, krb5_int32 adr,
krb5_int32 templength;
if (!(retaddr = (krb5_address *)malloc(sizeof(*retaddr)))) {
- return ENOMEM;
+ return ENOMEM;
}
retaddr->magic = KV5M_ADDRESS;
retaddr->addrtype = ADDRTYPE_ADDRPORT;
retaddr->length = sizeof(smushaddr)+ sizeof(smushport) +
- 2*sizeof(temptype) + 2*sizeof(templength);
+ 2*sizeof(temptype) + 2*sizeof(templength);
if (!(retaddr->contents = (krb5_octet *)malloc(retaddr->length))) {
- free(retaddr);
- return ENOMEM;
+ free(retaddr);
+ return ENOMEM;
}
marshal = retaddr->contents;
diff --git a/src/lib/krb5/os/gen_port.c b/src/lib/krb5/os/gen_port.c
index 681928aa59..a887408a71 100644
--- a/src/lib/krb5/os/gen_port.c
+++ b/src/lib/krb5/os/gen_port.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/os/gen_port.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* Take an IP addr & port and generate a full IP address.
*/
@@ -38,9 +39,9 @@ krb5_gen_portaddr(krb5_context context, const krb5_address *addr, krb5_const_poi
krb5_int16 port;
if (addr->addrtype != ADDRTYPE_INET)
- return KRB5_PROG_ATYPE_NOSUPP;
+ return KRB5_PROG_ATYPE_NOSUPP;
port = *(const krb5_int16 *)ptr;
-
+
memcpy(&adr, addr->contents, sizeof(adr));
return krb5_make_full_ipaddr(context, adr, port, outaddr);
#else
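Review bot: Nothing in this hunk checks `addr->length` before `memcpy(&adr, addr->contents, sizeof(adr))`, so an address tagged ADDRTYPE_INET with a shorter contents buffer would be over-read. A guard such as `if (addr->length < sizeof(adr)) return KRB5_PROG_ATYPE_NOSUPP;` next to the addrtype test would close that. The port is also read through a cast, `*(const krb5_int16 *)ptr`, which assumes the caller's pointer is suitably aligned; `memcpy(&port, ptr, sizeof(port));` would match how the address is read on the following line. The function starts and ends outside this hunk, so the declaration of `adr` is not visible here.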
diff --git a/src/lib/krb5/os/gen_rname.c b/src/lib/krb5/os/gen_rname.c
index a8a07d951d..1d87c2bf08 100644
--- a/src/lib/krb5/os/gen_rname.c
+++ b/src/lib/krb5/os/gen_rname.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/os/gen_rname.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* take a port-style address and unique string, and return
* a replay cache tag string.
@@ -40,13 +41,13 @@ krb5_gen_replay_name(krb5_context context, const krb5_address *address, const ch
len = strlen(uniq) + (address->length * 2) + 1;
if ((*string = malloc(len)) == NULL)
- return ENOMEM;
+ return ENOMEM;
snprintf(*string, len, "%s", uniq);
tmp = *string + strlen(uniq);
for (i = 0; i < address->length; i++) {
- snprintf(tmp, len - (tmp-*string), "%.2x", address->contents[i] & 0xff);
- tmp += 2;
+ snprintf(tmp, len - (tmp-*string), "%.2x", address->contents[i] & 0xff);
+ tmp += 2;
}
return 0;
}
diff --git a/src/lib/krb5/os/genaddrs.c b/src/lib/krb5/os/genaddrs.c
index f3e86a5042..d9028e4fb7 100644
--- a/src/lib/krb5/os/genaddrs.c
+++ b/src/lib/krb5/os/genaddrs.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/os/genaddrs.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* Take an IP addr & port and generate a full IP address.
*/
@@ -38,43 +39,43 @@ struct addrpair {
krb5_address addr, port;
};
-#define SET(TARG, THING, TYPE) \
- ((TARG).contents = (krb5_octet *) &(THING), \
- (TARG).length = sizeof (THING), \
- (TARG).addrtype = (TYPE))
+#define SET(TARG, THING, TYPE) \
+ ((TARG).contents = (krb5_octet *) &(THING), \
+ (TARG).length = sizeof (THING), \
+ (TARG).addrtype = (TYPE))
static void *cvtaddr (struct sockaddr_storage *a, struct addrpair *ap)
{
switch (ss2sa(a)->sa_family) {
case AF_INET:
- SET (ap->port, ss2sin(a)->sin_port, ADDRTYPE_IPPORT);
- SET (ap->addr, ss2sin(a)->sin_addr, ADDRTYPE_INET);
- return a;
+ SET (ap->port, ss2sin(a)->sin_port, ADDRTYPE_IPPORT);
+ SET (ap->addr, ss2sin(a)->sin_addr, ADDRTYPE_INET);
+ return a;
#ifdef KRB5_USE_INET6
case AF_INET6:
- SET (ap->port, ss2sin6(a)->sin6_port, ADDRTYPE_IPPORT);
- if (IN6_IS_ADDR_V4MAPPED (&ss2sin6(a)->sin6_addr)) {
- ap->addr.addrtype = ADDRTYPE_INET;
- ap->addr.contents = 12 + (krb5_octet *) &ss2sin6(a)->sin6_addr;
- ap->addr.length = 4;
- } else
- SET (ap->addr, ss2sin6(a)->sin6_addr, ADDRTYPE_INET6);
- return a;
+ SET (ap->port, ss2sin6(a)->sin6_port, ADDRTYPE_IPPORT);
+ if (IN6_IS_ADDR_V4MAPPED (&ss2sin6(a)->sin6_addr)) {
+ ap->addr.addrtype = ADDRTYPE_INET;
+ ap->addr.contents = 12 + (krb5_octet *) &ss2sin6(a)->sin6_addr;
+ ap->addr.length = 4;
+ } else
+ SET (ap->addr, ss2sin6(a)->sin6_addr, ADDRTYPE_INET6);
+ return a;
#endif
default:
- return 0;
+ return 0;
}
}
krb5_error_code KRB5_CALLCONV
krb5_auth_con_genaddrs(krb5_context context, krb5_auth_context auth_context, int infd, int flags)
{
- krb5_error_code retval;
- krb5_address * laddr;
- krb5_address * lport;
- krb5_address * raddr;
- krb5_address * rport;
- SOCKET fd = (SOCKET) infd;
+ krb5_error_code retval;
+ krb5_address * laddr;
+ krb5_address * lport;
+ krb5_address * raddr;
+ krb5_address * rport;
+ SOCKET fd = (SOCKET) infd;
struct addrpair laddrs, raddrs;
#ifdef HAVE_NETINET_IN_H
@@ -83,46 +84,46 @@ krb5_auth_con_genaddrs(krb5_context context, krb5_auth_context auth_context, int
ssize = sizeof(struct sockaddr_storage);
if ((flags & KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR) ||
- (flags & KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR)) {
- if ((retval = getsockname(fd, (GETSOCKNAME_ARG2_TYPE *) &lsaddr,
- &ssize)))
- return retval;
+ (flags & KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR)) {
+ if ((retval = getsockname(fd, (GETSOCKNAME_ARG2_TYPE *) &lsaddr,
+ &ssize)))
+ return retval;
- if (cvtaddr (&lsaddr, &laddrs)) {
- laddr = &laddrs.addr;
- if (flags & KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR)
- lport = &laddrs.port;
- else
- lport = 0;
- } else
- return KRB5_PROG_ATYPE_NOSUPP;
+ if (cvtaddr (&lsaddr, &laddrs)) {
+ laddr = &laddrs.addr;
+ if (flags & KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR)
+ lport = &laddrs.port;
+ else
+ lport = 0;
+ } else
+ return KRB5_PROG_ATYPE_NOSUPP;
} else {
- laddr = NULL;
- lport = NULL;
+ laddr = NULL;
+ lport = NULL;
}
ssize = sizeof(struct sockaddr_storage);
if ((flags & KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR) ||
- (flags & KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR)) {
- if ((retval = getpeername(fd, (GETPEERNAME_ARG2_TYPE *) &rsaddr,
- &ssize)))
- return errno;
+ (flags & KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR)) {
+ if ((retval = getpeername(fd, (GETPEERNAME_ARG2_TYPE *) &rsaddr,
+ &ssize)))
+ return errno;
- if (cvtaddr (&rsaddr, &raddrs)) {
- raddr = &raddrs.addr;
- if (flags & KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR)
- rport = &raddrs.port;
- else
- rport = 0;
- } else
- return KRB5_PROG_ATYPE_NOSUPP;
+ if (cvtaddr (&rsaddr, &raddrs)) {
+ raddr = &raddrs.addr;
+ if (flags & KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR)
+ rport = &raddrs.port;
+ else
+ rport = 0;
+ } else
+ return KRB5_PROG_ATYPE_NOSUPP;
} else {
- raddr = NULL;
- rport = NULL;
+ raddr = NULL;
+ rport = NULL;
}
if (!(retval = krb5_auth_con_setaddrs(context, auth_context, laddr, raddr)))
- return (krb5_auth_con_setports(context, auth_context, lport, rport));
+ return (krb5_auth_con_setports(context, auth_context, lport, rport));
return retval;
#else
return KRB5_PROG_ATYPE_NOSUPP;
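Review bot: The getsockname() failure path does `return retval;`, which hands the caller the raw -1 return value as a krb5_error_code, while the parallel getpeername() branch a few lines below returns `errno`. The local branch should do the same, `return errno;`, so that callers get a meaningful error code. The function begins in the previous hunk and continues past this one.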
diff --git a/src/lib/krb5/os/get_krbhst.c b/src/lib/krb5/os/get_krbhst.c
index 1cac7514ca..fe287780c5 100644
--- a/src/lib/krb5/os/get_krbhst.c
+++ b/src/lib/krb5/os/get_krbhst.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/os/get_krbhst.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_get_krbhst() function.
*/
@@ -32,23 +33,23 @@
#include <ctype.h>
/*
- Figures out the Kerberos server names for the given realm, filling in a
- pointer to an argv[] style list of names, terminated with a null pointer.
-
- If the realm is unknown, the filled-in pointer is set to NULL.
+ Figures out the Kerberos server names for the given realm, filling in a
+ pointer to an argv[] style list of names, terminated with a null pointer.
- The pointer array and strings pointed to are all in allocated storage,
- and should be freed by the caller when finished.
+ If the realm is unknown, the filled-in pointer is set to NULL.
- returns system errors
+ The pointer array and strings pointed to are all in allocated storage,
+ and should be freed by the caller when finished.
+
+ returns system errors
*/
/*
* Implementation: the server names for given realms are stored in a
- * configuration file,
+ * configuration file,
* named by krb5_config_file; the first token (on the first line) in
* this file is taken as the default local realm name.
- *
+ *
* Each succeeding line has a realm name as the first token, and a server name
* as a second token. Additional tokens may be present on the line, but
* are ignored by this function.
@@ -60,10 +61,10 @@
krb5_error_code
krb5_get_krbhst(krb5_context context, const krb5_data *realm, char ***hostlist)
{
- char **values, **cpp, *cp;
- const char *realm_kdc_names[4];
- krb5_error_code retval;
- int i, count;
+ char **values, **cpp, *cp;
+ const char *realm_kdc_names[4];
+ krb5_error_code retval;
+ int i, count;
char **rethosts;
rethosts = 0;
@@ -74,30 +75,30 @@ krb5_get_krbhst(krb5_context context, const krb5_data *realm, char ***hostlist)
realm_kdc_names[3] = 0;
if (context->profile == 0)
- return KRB5_CONFIG_CANTOPEN;
+ return KRB5_CONFIG_CANTOPEN;
retval = profile_get_values(context->profile, realm_kdc_names, &values);
if (retval == PROF_NO_SECTION)
- return KRB5_REALM_UNKNOWN;
+ return KRB5_REALM_UNKNOWN;
if (retval == PROF_NO_RELATION)
- return KRB5_CONFIG_BADFORMAT;
+ return KRB5_CONFIG_BADFORMAT;
if (retval)
- return retval;
+ return retval;
/*
* Do cleanup over the list. We allow for some extra field to be
* added to the kdc line later (maybe the port number)
*/
for (cpp = values; *cpp; cpp++) {
- cp = strchr(*cpp, ' ');
- if (cp)
- *cp = 0;
- cp = strchr(*cpp, '\t');
- if (cp)
- *cp = 0;
- cp = strchr(*cpp, ':');
- if (cp)
- *cp = 0;
+ cp = strchr(*cpp, ' ');
+ if (cp)
+ *cp = 0;
+ cp = strchr(*cpp, '\t');
+ if (cp)
+ *cp = 0;
+ cp = strchr(*cpp, ':');
+ if (cp)
+ *cp = 0;
}
count = cpp - values;
rethosts = malloc(sizeof(char *) * (count + 1));
@@ -106,21 +107,21 @@ krb5_get_krbhst(krb5_context context, const krb5_data *realm, char ***hostlist)
goto cleanup;
}
for (i = 0; i < count; i++) {
- unsigned int len = strlen (values[i]) + 1;
+ unsigned int len = strlen (values[i]) + 1;
rethosts[i] = malloc(len);
if (!rethosts[i]) {
retval = ENOMEM;
goto cleanup;
}
- memcpy (rethosts[i], values[i], len);
+ memcpy (rethosts[i], values[i], len);
}
rethosts[count] = 0;
- cleanup:
+cleanup:
if (retval && rethosts) {
for (cpp = rethosts; *cpp; cpp++)
free(*cpp);
free(rethosts);
- rethosts = 0;
+ rethosts = 0;
}
profile_free_list(values);
*hostlist = rethosts;
diff --git a/src/lib/krb5/os/hostaddr.c b/src/lib/krb5/os/hostaddr.c
index eaef098588..2f4c387dbb 100644
--- a/src/lib/krb5/os/hostaddr.c
+++ b/src/lib/krb5/os/hostaddr.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/os/hostaddr.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
* This routine returns a list of krb5 addresses given a hostname.
*
*/
@@ -34,13 +35,13 @@
krb5_error_code
krb5_os_hostaddr(krb5_context context, const char *name, krb5_address ***ret_addrs)
{
- krb5_error_code retval;
- krb5_address **addrs;
- int i, j, r;
+ krb5_error_code retval;
+ krb5_address **addrs;
+ int i, j, r;
struct addrinfo hints, *ai, *aip;
if (!name)
- return KRB5_ERR_BAD_HOSTNAME;
+ return KRB5_ERR_BAD_HOSTNAME;
memset (&hints, 0, sizeof (hints));
hints.ai_flags = AI_NUMERICHOST;
@@ -52,86 +53,85 @@ krb5_os_hostaddr(krb5_context context, const char *name, krb5_address ***ret_add
r = getaddrinfo (name, 0, &hints, &ai);
if (r && AI_NUMERICHOST != 0) {
- hints.ai_flags &= ~AI_NUMERICHOST;
- r = getaddrinfo (name, 0, &hints, &ai);
+ hints.ai_flags &= ~AI_NUMERICHOST;
+ r = getaddrinfo (name, 0, &hints, &ai);
}
if (r)
- return KRB5_ERR_BAD_HOSTNAME;
+ return KRB5_ERR_BAD_HOSTNAME;
for (i = 0, aip = ai; aip; aip = aip->ai_next) {
- switch (aip->ai_addr->sa_family) {
- case AF_INET:
+ switch (aip->ai_addr->sa_family) {
+ case AF_INET:
#ifdef KRB5_USE_INET6
- case AF_INET6:
+ case AF_INET6:
#endif
- i++;
- default:
- /* Ignore addresses of unknown families. */
- ;
- }
+ i++;
+ default:
+ /* Ignore addresses of unknown families. */
+ ;
+ }
}
addrs = malloc ((i+1) * sizeof(*addrs));
if (!addrs)
- return ENOMEM;
+ return ENOMEM;
for (j = 0; j < i + 1; j++)
- addrs[j] = 0;
+ addrs[j] = 0;
for (i = 0, aip = ai; aip; aip = aip->ai_next) {
- void *ptr;
- size_t addrlen;
- int atype;
+ void *ptr;
+ size_t addrlen;
+ int atype;
- switch (aip->ai_addr->sa_family) {
- case AF_INET:
- addrlen = sizeof (struct in_addr);
- ptr = &((struct sockaddr_in *)aip->ai_addr)->sin_addr;
- atype = ADDRTYPE_INET;
- break;
+ switch (aip->ai_addr->sa_family) {
+ case AF_INET:
+ addrlen = sizeof (struct in_addr);
+ ptr = &((struct sockaddr_in *)aip->ai_addr)->sin_addr;
+ atype = ADDRTYPE_INET;
+ break;
#ifdef KRB5_USE_INET6
- case AF_INET6:
- addrlen = sizeof (struct in6_addr);
- ptr = &((struct sockaddr_in6 *)aip->ai_addr)->sin6_addr;
- atype = ADDRTYPE_INET6;
- break;
+ case AF_INET6:
+ addrlen = sizeof (struct in6_addr);
+ ptr = &((struct sockaddr_in6 *)aip->ai_addr)->sin6_addr;
+ atype = ADDRTYPE_INET6;
+ break;
#endif
- default:
- continue;
- }
- addrs[i] = (krb5_address *) malloc(sizeof(krb5_address));
- if (!addrs[i]) {
- retval = ENOMEM;
- goto errout;
- }
- addrs[i]->magic = KV5M_ADDRESS;
- addrs[i]->addrtype = atype;
- addrs[i]->length = addrlen;
- addrs[i]->contents = malloc(addrs[i]->length);
- if (!addrs[i]->contents) {
- retval = ENOMEM;
- goto errout;
- }
- memcpy (addrs[i]->contents, ptr, addrs[i]->length);
- i++;
+ default:
+ continue;
+ }
+ addrs[i] = (krb5_address *) malloc(sizeof(krb5_address));
+ if (!addrs[i]) {
+ retval = ENOMEM;
+ goto errout;
+ }
+ addrs[i]->magic = KV5M_ADDRESS;
+ addrs[i]->addrtype = atype;
+ addrs[i]->length = addrlen;
+ addrs[i]->contents = malloc(addrs[i]->length);
+ if (!addrs[i]->contents) {
+ retval = ENOMEM;
+ goto errout;
+ }
+ memcpy (addrs[i]->contents, ptr, addrs[i]->length);
+ i++;
}
*ret_addrs = addrs;
if (ai)
- freeaddrinfo(ai);
+ freeaddrinfo(ai);
return 0;
errout:
if (addrs) {
- for (i = 0; addrs[i]; i++) {
- free (addrs[i]->contents);
- free (addrs[i]);
- }
- krb5_free_addresses(context, addrs);
+ for (i = 0; addrs[i]; i++) {
+ free (addrs[i]->contents);
+ free (addrs[i]);
+ }
+ krb5_free_addresses(context, addrs);
}
if (ai)
- freeaddrinfo(ai);
+ freeaddrinfo(ai);
return retval;
-
-}
+}
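Review bot: The `errout:` path frees every `addrs[i]->contents` and `addrs[i]` in a loop, leaves the stale pointers in the array, and then passes that array to `krb5_free_addresses(context, addrs)`. That function is not shown here, but if it releases each element as its name suggests, every address is freed twice on the ENOMEM path. Either drop the manual loop and keep only the `krb5_free_addresses` call, or keep the loop and replace the call with `free(addrs);`. The start of the function is in the previous hunk.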
diff --git a/src/lib/krb5/os/hst_realm.c b/src/lib/krb5/os/hst_realm.c
index 380e5ea449..208b932235 100644
--- a/src/lib/krb5/os/hst_realm.c
+++ b/src/lib/krb5/os/hst_realm.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/os/hst_realm.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,25 +23,25 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_get_host_realm()
*/
/*
- Figures out the Kerberos realm names for host, filling in a
- pointer to an argv[] style list of names, terminated with a null pointer.
-
- If host is NULL, the local host's realms are determined.
+ Figures out the Kerberos realm names for host, filling in a
+ pointer to an argv[] style list of names, terminated with a null pointer.
- If there are no known realms for the host, the filled-in pointer is set
- to NULL.
+ If host is NULL, the local host's realms are determined.
- The pointer array and strings pointed to are all in allocated storage,
- and should be freed by the caller when finished.
+ If there are no known realms for the host, the filled-in pointer is set
+ to NULL.
- returns system errors
+ The pointer array and strings pointed to are all in allocated storage,
+ and should be freed by the caller when finished.
+
+ returns system errors
*/
/*
@@ -80,7 +81,7 @@
static krb5_error_code
domain_heuristic(krb5_context context, const char *domain,
- char **realm, int limit);
+ char **realm, int limit);
#ifdef KRB5_DNS_LOOKUP
@@ -105,54 +106,54 @@ krb5_try_realm_txt_rr(const char *prefix, const char *name, char **realm)
krb5int_buf_init_fixed(&buf, host, sizeof(host));
if (name == NULL || name[0] == '\0') {
- krb5int_buf_add(&buf, prefix);
+ krb5int_buf_add(&buf, prefix);
} else {
- krb5int_buf_add_fmt(&buf, "%s.%s", prefix, name);
+ krb5int_buf_add_fmt(&buf, "%s.%s", prefix, name);
/* Realm names don't (normally) end with ".", but if the query
doesn't end with "." and doesn't get an answer as is, the
resolv code will try appending the local domain. Since the
- realm names are absolutes, let's stop that.
+ realm names are absolutes, let's stop that.
But only if a name has been specified. If we are performing
a search on the prefix alone then the intention is to allow
the local domain or domain search lists to be expanded.
*/
- len = krb5int_buf_len(&buf);
- if (len > 0 && host[len - 1] != '.')
- krb5int_buf_add(&buf, ".");
+ len = krb5int_buf_len(&buf);
+ if (len > 0 && host[len - 1] != '.')
+ krb5int_buf_add(&buf, ".");
}
if (krb5int_buf_data(&buf) == NULL)
- return KRB5_ERR_HOST_REALM_UNKNOWN;
+ return KRB5_ERR_HOST_REALM_UNKNOWN;
ret = krb5int_dns_init(&ds, host, C_IN, T_TXT);
if (ret < 0)
- goto errout;
+ goto errout;
ret = krb5int_dns_nextans(ds, &base, &rdlen);
if (ret < 0 || base == NULL)
- goto errout;
+ goto errout;
p = base;
if (!INCR_OK(base, rdlen, p, 1))
- goto errout;
+ goto errout;
len = *p++;
*realm = malloc((size_t)len + 1);
if (*realm == NULL) {
- retval = ENOMEM;
- goto errout;
+ retval = ENOMEM;
+ goto errout;
}
strncpy(*realm, (const char *)p, (size_t)len);
(*realm)[len] = '\0';
/* Avoid a common error. */
if ( (*realm)[len-1] == '.' )
- (*realm)[len-1] = '\0';
+ (*realm)[len-1] = '\0';
retval = 0;
errout:
if (ds != NULL) {
- krb5int_dns_fini(ds);
- ds = NULL;
+ krb5int_dns_fini(ds);
+ ds = NULL;
}
return retval;
}
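Review bot: The length byte taken by `len = *p++` is used without validation, although the TXT answer is network-supplied data. INCR_OK was only asked about one byte, so `strncpy(*realm, (const char *)p, (size_t)len)` can read past the end of the answer. A zero length also makes `(*realm)[len-1]` touch the byte before the allocation. Adding `if (len == 0 || !INCR_OK(base, rdlen, p, len)) goto errout;` before the malloc would cover both cases, assuming INCR_OK checks that the given number of bytes remain at `p`, as its use just above suggests. The function starts outside this hunk, so the initial value of `retval` on that path is not visible.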
@@ -174,9 +175,9 @@ krb5int_get_fq_hostname (char *buf, size_t bufsize, const char *name)
hints.ai_flags = AI_CANONNAME;
err = getaddrinfo (name, 0, &hints, &ai);
if (err)
- return krb5int_translate_gai_error (err);
+ return krb5int_translate_gai_error (err);
if (ai->ai_canonname == 0)
- return KRB5_EAI_FAIL;
+ return KRB5_EAI_FAIL;
strncpy (buf, ai->ai_canonname, bufsize);
buf[bufsize-1] = 0;
freeaddrinfo (ai);
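Review bot: The early return for `ai->ai_canonname == 0` leaves without calling freeaddrinfo(), so the list from the successful getaddrinfo() call leaks on that path. It should read `if (ai->ai_canonname == 0) { freeaddrinfo (ai); return KRB5_EAI_FAIL; }`. The function starts and ends outside this hunk.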
@@ -191,7 +192,7 @@ krb5int_get_fq_local_hostname (char *buf, size_t bufsiz)
{
buf[0] = 0;
if (gethostname (buf, bufsiz) == -1)
- return SOCKET_ERRNO;
+ return SOCKET_ERRNO;
buf[bufsiz - 1] = 0;
return krb5int_get_fq_hostname (buf, bufsiz, buf);
}
@@ -213,16 +214,16 @@ krb5_get_host_realm(krb5_context context, const char *host, char ***realmsp)
return retval;
/*
- Search for the best match for the host or domain.
- Example: Given a host a.b.c.d, try to match on:
- 1) A.B.C.D
- 2) .B.C.D
- 3) B.C.D
- 4) .C.D
- 5) C.D
- 6) .D
- 7) D
- */
+ Search for the best match for the host or domain.
+ Example: Given a host a.b.c.d, try to match on:
+ 1) A.B.C.D
+ 2) .B.C.D
+ 3) B.C.D
+ 4) .C.D
+ 5) C.D
+ 6) .D
+ 7) D
+ */
cp = local_host;
#ifdef DEBUG_REFERRALS
@@ -234,26 +235,26 @@ krb5_get_host_realm(krb5_context context, const char *host, char ***realmsp)
#ifdef DEBUG_REFERRALS
printf(" trying to look up %s in the domain_realm map\n",cp);
#endif
- retval = profile_get_string(context->profile, KRB5_CONF_DOMAIN_REALM, cp,
- 0, (char *)NULL, &temp_realm);
- if (retval)
- return retval;
- if (temp_realm != (char *)NULL)
- break; /* Match found */
-
- /* Setup for another test */
- if (*cp == '.') {
- cp++;
- } else {
- cp = strchr(cp, '.');
- }
+ retval = profile_get_string(context->profile, KRB5_CONF_DOMAIN_REALM, cp,
+ 0, (char *)NULL, &temp_realm);
+ if (retval)
+ return retval;
+ if (temp_realm != (char *)NULL)
+ break; /* Match found */
+
+ /* Setup for another test */
+ if (*cp == '.') {
+ cp++;
+ } else {
+ cp = strchr(cp, '.');
+ }
}
#ifdef DEBUG_REFERRALS
printf(" done searching the domain_realm map\n");
#endif
if (temp_realm) {
#ifdef DEBUG_REFERRALS
- printf(" temp_realm is %s\n",temp_realm);
+ printf(" temp_realm is %s\n",temp_realm);
#endif
realm = strdup(temp_realm);
if (!realm) {
@@ -265,19 +266,19 @@ krb5_get_host_realm(krb5_context context, const char *host, char ***realmsp)
if (realm == (char *)NULL) {
if (!(cp = strdup(KRB5_REFERRAL_REALM)))
- return ENOMEM;
- realm = cp;
+ return ENOMEM;
+ realm = cp;
}
-
+
if (!(retrealms = (char **)calloc(2, sizeof(*retrealms)))) {
- if (realm != (char *)NULL)
- free(realm);
- return ENOMEM;
+ if (realm != (char *)NULL)
+ free(realm);
+ return ENOMEM;
}
retrealms[0] = realm;
retrealms[1] = 0;
-
+
*realmsp = retrealms;
return 0;
}
@@ -294,35 +295,35 @@ krb5int_translate_gai_error (int num)
switch (num) {
#ifdef EAI_ADDRFAMILY
case EAI_ADDRFAMILY:
- return EAFNOSUPPORT;
+ return EAFNOSUPPORT;
#endif
case EAI_AGAIN:
- return EAGAIN;
+ return EAGAIN;
case EAI_BADFLAGS:
- return EINVAL;
+ return EINVAL;
case EAI_FAIL:
- return KRB5_EAI_FAIL;
+ return KRB5_EAI_FAIL;
case EAI_FAMILY:
- return EAFNOSUPPORT;
+ return EAFNOSUPPORT;
case EAI_MEMORY:
- return ENOMEM;
+ return ENOMEM;
#if defined(EAI_NODATA) && EAI_NODATA != EAI_NONAME
case EAI_NODATA:
- return KRB5_EAI_NODATA;
+ return KRB5_EAI_NODATA;
#endif
case EAI_NONAME:
- return KRB5_EAI_NONAME;
+ return KRB5_EAI_NONAME;
#if defined(EAI_OVERFLOW)
case EAI_OVERFLOW:
- return EINVAL; /* XXX */
+ return EINVAL; /* XXX */
#endif
case EAI_SERVICE:
- return KRB5_EAI_SERVICE;
+ return KRB5_EAI_SERVICE;
case EAI_SOCKTYPE:
- return EINVAL;
+ return EINVAL;
#ifdef EAI_SYSTEM
case EAI_SYSTEM:
- return errno;
+ return errno;
#endif
}
abort ();
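Review bot: The switch has no `default:` label, so any getaddrinfo() error value not listed here falls through to `abort ();` and terminates the process that called the library. A resolver returning an unexpected or platform-specific EAI_* code should not be able to kill the calling application. Adding `default: return KRB5_EAI_FAIL;` inside the switch would turn that into an ordinary error return. The function's opening and closing lines are outside this hunk.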
@@ -365,13 +366,13 @@ krb5_get_fallback_host_realm(krb5_context context, krb5_data *hdata, char ***rea
realm = (char *)NULL;
#ifdef KRB5_DNS_LOOKUP
if (_krb5_use_dns_realm(context)) {
- cp = local_host;
- do {
- retval = krb5_try_realm_txt_rr("_kerberos", cp, &realm);
- cp = strchr(cp,'.');
- if (cp)
- cp++;
- } while (retval && cp && cp[0]);
+ cp = local_host;
+ do {
+ retval = krb5_try_realm_txt_rr("_kerberos", cp, &realm);
+ cp = strchr(cp,'.');
+ if (cp)
+ cp++;
+ } while (retval && cp && cp[0]);
}
#endif /* KRB5_DNS_LOOKUP */
@@ -382,16 +383,16 @@ krb5_get_fallback_host_realm(krb5_context context, krb5_data *hdata, char ***rea
* control which domain component is used as the realm for a host.
*/
if (realm == (char *)NULL) {
- int limit;
- errcode_t code;
-
- code = profile_get_integer(context->profile, KRB5_CONF_LIBDEFAULTS,
- KRB5_CONF_REALM_TRY_DOMAINS, 0, -1, &limit);
- if (code == 0) {
- retval = domain_heuristic(context, local_host, &realm, limit);
- if (retval)
- return retval;
- }
+ int limit;
+ errcode_t code;
+
+ code = profile_get_integer(context->profile, KRB5_CONF_LIBDEFAULTS,
+ KRB5_CONF_REALM_TRY_DOMAINS, 0, -1, &limit);
+ if (code == 0) {
+ retval = domain_heuristic(context, local_host, &realm, limit);
+ if (retval)
+ return retval;
+ }
}
/*
@@ -401,14 +402,14 @@ krb5_get_fallback_host_realm(krb5_context context, krb5_data *hdata, char ***rea
* realm.
*/
if (realm == (char *)NULL) {
- cp = strchr(local_host, '.');
- if (cp) {
- if (!(realm = strdup(cp + 1)))
- return ENOMEM;
+ cp = strchr(local_host, '.');
+ if (cp) {
+ if (!(realm = strdup(cp + 1)))
+ return ENOMEM;
for (cp = realm; *cp; cp++)
if (islower((int) (*cp)))
*cp = toupper((int) *cp);
- }
+ }
}
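Review bot: The upper-casing loop calls `islower((int) (*cp))` and `toupper((int) *cp)` on a plain `char`. On platforms where `char` is signed, a hostname byte with the high bit set becomes a negative argument, which is undefined behaviour for the `<ctype.h>` functions. `krb5int_clean_hostname` in this same file already casts through `unsigned char`, so use `if (islower((unsigned char) *cp)) *cp = toupper((unsigned char) *cp);` here. The same applies to the identical loop in `domain_heuristic` in a later hunk. The enclosing function starts and ends outside this hunk.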
/*
@@ -416,20 +417,20 @@ krb5_get_fallback_host_realm(krb5_context context, krb5_data *hdata, char ***rea
* only one component--is to use the local default realm.
*/
if (realm == (char *)NULL) {
- retval = krb5_get_default_realm(context, &realm);
- if (retval)
- return retval;
+ retval = krb5_get_default_realm(context, &realm);
+ if (retval)
+ return retval;
}
if (!(retrealms = (char **)calloc(2, sizeof(*retrealms)))) {
- if (realm != (char *)NULL)
- free(realm);
- return ENOMEM;
+ if (realm != (char *)NULL)
+ free(realm);
+ return ENOMEM;
}
retrealms[0] = realm;
retrealms[1] = 0;
-
+
*realmsp = retrealms;
return 0;
}
@@ -450,46 +451,46 @@ krb5int_clean_hostname(krb5_context context, const char *host, char *local_host,
printf("krb5int_clean_hostname called: host<%s>, local_host<%s>, size %d\n",host,local_host,lhsize);
#endif
if (host) {
- /* Filter out numeric addresses if the caller utterly failed to
- convert them to names. */
- /* IPv4 - dotted quads only */
- if (strspn(host, "01234567890.") == strlen(host)) {
- /* All numbers and dots... if it's three dots, it's an
- IP address, and we reject it. But "12345" could be
- a local hostname, couldn't it? We'll just assume
- that a name with three dots is not meant to be an
- all-numeric hostname three all-numeric domains down
- from the current domain. */
- int ndots = 0;
- const char *p;
- for (p = host; *p; p++)
- if (*p == '.')
- ndots++;
- if (ndots == 3)
- return KRB5_ERR_NUMERIC_REALM;
- }
- if (strchr(host, ':'))
- /* IPv6 numeric address form? Bye bye. */
- return KRB5_ERR_NUMERIC_REALM;
-
- /* Should probably error out if strlen(host) > MAXDNAME. */
- strncpy(local_host, host, lhsize);
- local_host[lhsize - 1] = '\0';
+ /* Filter out numeric addresses if the caller utterly failed to
+ convert them to names. */
+ /* IPv4 - dotted quads only */
+ if (strspn(host, "01234567890.") == strlen(host)) {
+ /* All numbers and dots... if it's three dots, it's an
+ IP address, and we reject it. But "12345" could be
+ a local hostname, couldn't it? We'll just assume
+ that a name with three dots is not meant to be an
+ all-numeric hostname three all-numeric domains down
+ from the current domain. */
+ int ndots = 0;
+ const char *p;
+ for (p = host; *p; p++)
+ if (*p == '.')
+ ndots++;
+ if (ndots == 3)
+ return KRB5_ERR_NUMERIC_REALM;
+ }
+ if (strchr(host, ':'))
+ /* IPv6 numeric address form? Bye bye. */
+ return KRB5_ERR_NUMERIC_REALM;
+
+ /* Should probably error out if strlen(host) > MAXDNAME. */
+ strncpy(local_host, host, lhsize);
+ local_host[lhsize - 1] = '\0';
} else {
retval = krb5int_get_fq_local_hostname (local_host, lhsize);
- if (retval)
- return retval;
+ if (retval)
+ return retval;
}
/* fold to lowercase */
for (cp = local_host; *cp; cp++) {
- if (isupper((unsigned char) (*cp)))
- *cp = tolower((unsigned char) *cp);
+ if (isupper((unsigned char) (*cp)))
+ *cp = tolower((unsigned char) *cp);
}
l = strlen(local_host);
/* strip off trailing dot */
if (l && local_host[l-1] == '.')
- local_host[l-1] = 0;
+ local_host[l-1] = 0;
#ifdef DEBUG_REFERRALS
printf("krb5int_clean_hostname ending: host<%s>, local_host<%s>, size %d\n",host,local_host,lhsize);
@@ -513,7 +514,7 @@ krb5int_clean_hostname(krb5_context context, const char *host, char *local_host,
*/
static krb5_error_code
domain_heuristic(krb5_context context, const char *domain,
- char **realm, int limit)
+ char **realm, int limit)
{
krb5_error_code retval = 0, r;
struct addrlist alist;
@@ -522,41 +523,41 @@ domain_heuristic(krb5_context context, const char *domain,
*realm = NULL;
if (limit < 0)
- return 0;
+ return 0;
memset(&drealm, 0, sizeof (drealm));
fqdn = strdup(domain);
if (!fqdn) {
- retval = ENOMEM;
- goto cleanup;
+ retval = ENOMEM;
+ goto cleanup;
}
/* Upper case the domain (for use as a realm) */
for (cp = fqdn; *cp; cp++) {
- if (islower((int)(*cp)))
- *cp = toupper((int)*cp);
+ if (islower((int)(*cp)))
+ *cp = toupper((int)*cp);
}
/* Search up to limit parents, as long as we have multiple labels. */
cp = fqdn;
while (limit-- >= 0 && (dot = strchr(cp, '.')) != NULL) {
- drealm.length = strlen(cp);
- drealm.data = cp;
-
- /* Find a kdc based on this part of the domain name. */
- r = krb5_locate_kdc(context, &drealm, &alist, 0, SOCK_DGRAM, 0);
- if (!r) { /* Found a KDC! */
- krb5int_free_addrlist(&alist);
- *realm = strdup(cp);
- if (!*realm) {
- retval = ENOMEM;
- goto cleanup;
- }
- break;
- }
-
- cp = dot + 1;
+ drealm.length = strlen(cp);
+ drealm.data = cp;
+
+ /* Find a kdc based on this part of the domain name. */
+ r = krb5_locate_kdc(context, &drealm, &alist, 0, SOCK_DGRAM, 0);
+ if (!r) { /* Found a KDC! */
+ krb5int_free_addrlist(&alist);
+ *realm = strdup(cp);
+ if (!*realm) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+ break;
+ }
+
+ cp = dot + 1;
}
cleanup:
diff --git a/src/lib/krb5/os/init_os_ctx.c b/src/lib/krb5/os/init_os_ctx.c
index ffc8d93363..7f2110f8e4 100644
--- a/src/lib/krb5/os/init_os_ctx.c
+++ b/src/lib/krb5/os/init_os_ctx.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/os/init_ctx.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -42,7 +43,7 @@
static krb5_error_code
get_from_windows_dir(
char **pname
- )
+)
{
UINT size = GetWindowsDirectory(0, 0);
*pname = malloc(size + strlen(DEFAULT_PROFILE_FILENAME) + 2);
@@ -59,7 +60,7 @@ get_from_windows_dir(
static krb5_error_code
get_from_module_dir(
char **pname
- )
+)
{
const DWORD size = 1024; /* fixed buffer */
int found = 0;
@@ -85,7 +86,7 @@ get_from_module_dir(
name[size - 1] = 0;
found = !_stat(name, &s);
- cleanup:
+cleanup:
if (found)
*pname = name;
else
@@ -99,14 +100,14 @@ get_from_module_dir(
* This will find a profile in the registry. *pbuffer != 0 if we
* found something. Make sure to free(*pbuffer) when done. It will
* return an error code if there is an error the user should know
- * about. We maintain the invariant: return value != 0 =>
+ * about. We maintain the invariant: return value != 0 =>
* *pbuffer == 0.
*/
static krb5_error_code
get_from_registry(
char** pbuffer,
HKEY hBaseKey
- )
+)
{
HKEY hKey = 0;
LONG rc = 0;
@@ -124,7 +125,7 @@ get_from_registry(
}
*pbuffer = 0;
- if ((rc = RegOpenKeyEx(hBaseKey, key_path, 0, KEY_QUERY_VALUE,
+ if ((rc = RegOpenKeyEx(hBaseKey, key_path, 0, KEY_QUERY_VALUE,
&hKey)) != ERROR_SUCCESS) {
/* not a real error */
goto cleanup;
@@ -139,7 +140,7 @@ get_from_registry(
retval = ENOMEM;
goto cleanup;
}
- if ((rc = RegQueryValueEx(hKey, value_name, 0, 0, *pbuffer, &size)) !=
+ if ((rc = RegQueryValueEx(hKey, value_name, 0, 0, *pbuffer, &size)) !=
ERROR_SUCCESS) {
/*
* Let's not call it a real error in case it disappears, but
@@ -149,7 +150,7 @@ get_from_registry(
*pbuffer = 0;
goto cleanup;
}
- cleanup:
+cleanup:
if (hKey)
RegCloseKey(hKey);
if (retval && *pbuffer) {
@@ -169,13 +170,13 @@ free_filespecs(profile_filespec_t *files)
if (files == 0)
return;
-
+
for (cp = files; *cp; cp++)
free(*cp);
free(files);
}
-/* This function is needed by KfM's KerberosPreferences API
+/* This function is needed by KfM's KerberosPreferences API
* because it needs to be able to specify "secure" */
krb5_error_code
os_get_default_config_files(profile_filespec_t **pfiles, krb5_boolean secure)
@@ -215,7 +216,7 @@ os_get_default_config_files(profile_filespec_t **pfiles, krb5_boolean secure)
return retval;
if (!name)
return KRB5_CONFIG_CANTOPEN; /* should never happen */
-
+
files = malloc(2 * sizeof(char *));
if (!files)
return ENOMEM;
@@ -229,14 +230,14 @@ os_get_default_config_files(profile_filespec_t **pfiles, krb5_boolean secure)
#ifdef USE_KIM
/* If kim_library_allow_home_directory_access() == FALSE, we are probably
- * trying to authenticate to a fileserver for the user's homedir.
+ * trying to authenticate to a fileserver for the user's homedir.
*/
if (!kim_library_allow_home_directory_access ())
secure = 1;
#endif
if (secure) {
filepath = DEFAULT_SECURE_PROFILE_PATH;
- } else {
+ } else {
filepath = getenv("KRB5_CONFIG");
if (!filepath) filepath = DEFAULT_PROFILE_PATH;
}
@@ -327,8 +328,8 @@ os_init_paths(krb5_context ctx, krb5_boolean kdc)
retval = add_kdc_config_file(&files);
if (!retval) {
- retval = profile_init((const_profile_filespec_t *) files,
- &ctx->profile);
+ retval = profile_init((const_profile_filespec_t *) files,
+ &ctx->profile);
#ifdef KRB5_DNS_LOOKUP
/* if none of the filenames can be opened use an empty profile */
@@ -336,7 +337,7 @@ os_init_paths(krb5_context ctx, krb5_boolean kdc)
retval = profile_init(NULL, &ctx->profile);
if (!retval)
ctx->profile_in_memory = 1;
- }
+ }
#endif /* KRB5_DNS_LOOKUP */
}
@@ -386,12 +387,12 @@ krb5_os_init_context(krb5_context ctx, krb5_boolean kdc)
* If there's an error in the profile, return an error. Just
* ignoring the error is a Bad Thing (tm).
*/
-
+
if (!retval) {
krb5_cc_set_default_name(ctx, NULL);
#ifdef _WIN32
- /* We initialize winsock to version 1.1 but
+ /* We initialize winsock to version 1.1 but
* we do not care if we succeed or fail.
*/
wVersionRequested = 0x0101;
@@ -405,14 +406,14 @@ krb5_error_code KRB5_CALLCONV
krb5_get_profile (krb5_context ctx, profile_t *profile)
{
return profile_copy (ctx->profile, profile);
-}
+}
krb5_error_code
krb5_set_config_files(krb5_context ctx, const char **filenames)
{
krb5_error_code retval = 0;
profile_t profile;
-
+
retval = profile_init(filenames, &profile);
if (retval)
return retval;
@@ -444,10 +445,10 @@ krb5_secure_config_files(krb5_context ctx)
{
/* Obsolete interface; always return an error.
* This function should be removed next time a major version
- * number change happens.
+ * number change happens.
*/
krb5_error_code retval = 0;
-
+
if (ctx->profile) {
profile_release(ctx->profile);
ctx->profile = 0;
@@ -467,7 +468,7 @@ krb5_os_free_context(krb5_context ctx)
krb5_os_context os_ctx;
os_ctx = &ctx->os_context;
-
+
if (os_ctx->default_ccname) {
free(os_ctx->default_ccname);
os_ctx->default_ccname = 0;
@@ -488,6 +489,6 @@ krb5_os_free_context(krb5_context ctx)
krb5int_close_plugin_dirs (&ctx->libkrb5_plugins);
#ifdef _WIN32
- WSACleanup();
+ WSACleanup();
#endif /* _WIN32 */
}
diff --git a/src/lib/krb5/os/krbfileio.c b/src/lib/krb5/os/krbfileio.c
index 6ef16ebd0c..99703aa357 100644
--- a/src/lib/krb5/os/krbfileio.c
+++ b/src/lib/krb5/os/krbfileio.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/os/krbfileio.c
*
@@ -12,7 +13,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -26,14 +27,14 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_create_secure_file
* krb5_sync_disk_file
*/
#ifdef MODULE_VERSION_ID
-static char *VersionID = "@(#)krbfileio.c 2 - 08/22/91";
+static char *VersionID = "@(#)krbfileio.c 2 - 08/22/91";
#endif
@@ -63,7 +64,7 @@ krb5_create_secure_file(krb5_context context, const char *pathname)
#ifdef OPEN_MODE_NOT_TRUSTWORTHY
/*
- * Some systems that support default acl inheritance do not
+ * Some systems that support default acl inheritance do not
* apply ownership information from the process - force the file
* to have the proper info.
*/
@@ -100,4 +101,3 @@ krb5_sync_disk_file(krb5_context context, FILE *fp)
return 0;
}
-
diff --git a/src/lib/krb5/os/ktdefname.c b/src/lib/krb5/os/ktdefname.c
index 91f65858b5..ce28e30d15 100644
--- a/src/lib/krb5/os/ktdefname.c
+++ b/src/lib/krb5/os/ktdefname.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/os/ktdefname.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* Return default keytab file name.
*/
@@ -44,37 +45,36 @@ krb5_kt_default_name(krb5_context context, char *name, int name_size)
unsigned int namesize = (name_size < 0 ? 0 : name_size);
if (krb5_overridekeyname) {
- if (strlcpy(name, krb5_overridekeyname, namesize) >= namesize)
- return KRB5_CONFIG_NOTENUFSPACE;
+ if (strlcpy(name, krb5_overridekeyname, namesize) >= namesize)
+ return KRB5_CONFIG_NOTENUFSPACE;
} else if ((context->profile_secure == FALSE) &&
- (cp = getenv("KRB5_KTNAME"))) {
- if (strlcpy(name, cp, namesize) >= namesize)
- return KRB5_CONFIG_NOTENUFSPACE;
+ (cp = getenv("KRB5_KTNAME"))) {
+ if (strlcpy(name, cp, namesize) >= namesize)
+ return KRB5_CONFIG_NOTENUFSPACE;
} else if ((profile_get_string(context->profile,
- KRB5_CONF_LIBDEFAULTS,
- KRB5_CONF_DEFAULT_KEYTAB_NAME, NULL,
- NULL, &retval) == 0) &&
- retval) {
- if (strlcpy(name, retval, namesize) >= namesize)
- return KRB5_CONFIG_NOTENUFSPACE;
- profile_release_string(retval);
+ KRB5_CONF_LIBDEFAULTS,
+ KRB5_CONF_DEFAULT_KEYTAB_NAME, NULL,
+ NULL, &retval) == 0) &&
+ retval) {
+ if (strlcpy(name, retval, namesize) >= namesize)
+ return KRB5_CONFIG_NOTENUFSPACE;
+ profile_release_string(retval);
} else {
#if defined(_WIN32)
- {
- char defname[160];
- int len;
+ {
+ char defname[160];
+ int len;
- len= GetWindowsDirectory( defname, sizeof(defname)-2 );
- defname[len]= '\0';
- if ( (len + strlen(krb5_defkeyname) + 1) > namesize )
- return KRB5_CONFIG_NOTENUFSPACE;
- snprintf(name, namesize, krb5_defkeyname, defname);
- }
+ len= GetWindowsDirectory( defname, sizeof(defname)-2 );
+ defname[len]= '\0';
+ if ( (len + strlen(krb5_defkeyname) + 1) > namesize )
+ return KRB5_CONFIG_NOTENUFSPACE;
+ snprintf(name, namesize, krb5_defkeyname, defname);
+ }
#else
- if (strlcpy(name, krb5_defkeyname, namesize) >= namesize)
- return KRB5_CONFIG_NOTENUFSPACE;
+ if (strlcpy(name, krb5_defkeyname, namesize) >= namesize)
+ return KRB5_CONFIG_NOTENUFSPACE;
#endif
}
return 0;
}
-
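Review bot: In the profile branch of krb5_kt_default_name, the early `return KRB5_CONFIG_NOTENUFSPACE;` after `strlcpy(name, retval, namesize)` skips `profile_release_string(retval);`, so the string returned by profile_get_string is leaked whenever the caller's buffer is too small. Capturing the result first and releasing before the comparison fixes it: `size_t n = strlcpy(name, retval, namesize);` then `profile_release_string(retval);` then `if (n >= namesize) return KRB5_CONFIG_NOTENUFSPACE;`. In the `_WIN32` branch, `len` from GetWindowsDirectory is used as an index in `defname[len]= '\0';` without being compared to `sizeof(defname)`. That API reports the required length when the buffer is too small, so a bounds check before the store is worth adding. The function begins above this hunk.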
diff --git a/src/lib/krb5/os/kuserok.c b/src/lib/krb5/os/kuserok.c
index f76010dc9b..1bc7505da6 100644
--- a/src/lib/krb5/os/kuserok.c
+++ b/src/lib/krb5/os/kuserok.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/os/kuserok.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,13 +23,13 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_kuserok()
*/
#include "k5-int.h"
-#if !defined(_WIN32) /* Not yet for Windows */
+#if !defined(_WIN32) /* Not yet for Windows */
#include <stdio.h>
#include <pwd.h>
@@ -41,7 +42,7 @@
#define MAX_USERNAME 65
#if defined(__APPLE__) && defined(__MACH__)
-#include <hfs/hfs_mount.h> /* XXX */
+#include <hfs/hfs_mount.h> /* XXX */
#define FILE_OWNER_OK(UID) ((UID) == 0 || (UID) == UNKNOWNUID)
#else
#define FILE_OWNER_OK(UID) ((UID) == 0)
@@ -85,31 +86,31 @@ krb5_kuserok(krb5_context context, krb5_principal principal, const char *luser)
/* no account => no access */
if (k5_getpwnam_r(luser, &pwx, pwbuf, sizeof(pwbuf), &pwd) != 0)
- return(FALSE);
+ return(FALSE);
result = snprintf(pbuf, sizeof(pbuf), "%s/.k5login", pwd->pw_dir);
if (SNPRINTF_OVERFLOW(result, sizeof(pbuf)))
- return(FALSE);
+ return(FALSE);
- if (access(pbuf, F_OK)) { /* not accessible */
- /*
- * if he's trying to log in as himself, and there is no .k5login file,
- * let him. To find out, call
- * krb5_aname_to_localname to convert the principal to a name
- * which we can string compare.
- */
- if (!(krb5_aname_to_localname(context, principal,
- sizeof(kuser), kuser))
- && (strcmp(kuser, luser) == 0)) {
- return(TRUE);
- }
+ if (access(pbuf, F_OK)) { /* not accessible */
+ /*
+ * if he's trying to log in as himself, and there is no .k5login file,
+ * let him. To find out, call
+ * krb5_aname_to_localname to convert the principal to a name
+ * which we can string compare.
+ */
+ if (!(krb5_aname_to_localname(context, principal,
+ sizeof(kuser), kuser))
+ && (strcmp(kuser, luser) == 0)) {
+ return(TRUE);
+ }
}
if (krb5_unparse_name(context, principal, &princname))
- return(FALSE); /* no hope of matching */
+ return(FALSE); /* no hope of matching */
/* open ~/.k5login */
if ((fp = fopen(pbuf, "r")) == NULL) {
- free(princname);
- return(FALSE);
+ free(princname);
+ return(FALSE);
}
set_cloexec_file(fp);
/*
@@ -117,31 +118,31 @@ krb5_kuserok(krb5_context context, krb5_principal principal, const char *luser)
* the user himself, or by root. Otherwise, don't grant access.
*/
if (fstat(fileno(fp), &sbuf)) {
- fclose(fp);
- free(princname);
- return(FALSE);
+ fclose(fp);
+ free(princname);
+ return(FALSE);
}
if (sbuf.st_uid != pwd->pw_uid && !FILE_OWNER_OK(sbuf.st_uid)) {
- fclose(fp);
- free(princname);
- return(FALSE);
+ fclose(fp);
+ free(princname);
+ return(FALSE);
}
/* check each line */
while (!isok && (fgets(linebuf, BUFSIZ, fp) != NULL)) {
- /* null-terminate the input string */
- linebuf[BUFSIZ-1] = '\0';
- newline = NULL;
- /* nuke the newline if it exists */
- if ((newline = strchr(linebuf, '\n')))
- *newline = '\0';
- if (!strcmp(linebuf, princname)) {
- isok = TRUE;
- continue;
- }
- /* clean up the rest of the line if necessary */
- if (!newline)
- while (((gobble = getc(fp)) != EOF) && gobble != '\n');
+ /* null-terminate the input string */
+ linebuf[BUFSIZ-1] = '\0';
+ newline = NULL;
+ /* nuke the newline if it exists */
+ if ((newline = strchr(linebuf, '\n')))
+ *newline = '\0';
+ if (!strcmp(linebuf, princname)) {
+ isok = TRUE;
+ continue;
+ }
+ /* clean up the rest of the line if necessary */
+ if (!newline)
+ while (((gobble = getc(fp)) != EOF) && gobble != '\n');
}
free(princname);
fclose(fp);
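Review bot: The ownership test on the opened .k5login (`sbuf.st_uid != pwd->pw_uid && !FILE_OWNER_OK(sbuf.st_uid)`) never looks at `sbuf.st_mode`, so a file owned by the user but writable by group or others is still trusted as the authorization list. Since fstat() has already filled `sbuf`, an extra rejection such as `if (!S_ISREG(sbuf.st_mode) || (sbuf.st_mode & (S_IWGRP | S_IWOTH)))` with the same fclose/free/`return(FALSE)` cleanup would close that gap. Whether existing deployments rely on looser modes should be confirmed before tightening. krb5_kuserok starts above this hunk and is not closed within it.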
@@ -166,7 +167,7 @@ krb5_kuserok(context, principal, luser)
return FALSE;
if (strcmp(kuser, luser) == 0)
- return TRUE;
+ return TRUE;
return FALSE;
}
diff --git a/src/lib/krb5/os/localaddr.c b/src/lib/krb5/os/localaddr.c
index 25079062a7..dd8110c33a 100644
--- a/src/lib/krb5/os/localaddr.c
+++ b/src/lib/krb5/os/localaddr.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/os/localaddr.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* Return the protocol addresses supported by this host.
* Exports from this file:
@@ -105,7 +106,7 @@
#ifndef USE_AF
#define USE_AF AF_NS
#define USE_TYPE SOCK_DGRAM
-#define USE_PROTO 0 /* guess */
+#define USE_PROTO 0 /* guess */
#endif
#endif
/*
@@ -133,15 +134,15 @@
/*
* BSD 4.4 defines the size of an ifreq to be
* max(sizeof(ifreq), sizeof(ifreq.ifr_name)+ifreq.ifr_addr.sa_len
- * However, under earlier systems, sa_len isn't present, so the size is
+ * However, under earlier systems, sa_len isn't present, so the size is
* just sizeof(struct ifreq).
*/
#ifdef HAVE_SA_LEN
#ifndef max
#define max(a,b) ((a) > (b) ? (a) : (b))
#endif
-#define ifreq_size(i) max(sizeof(struct ifreq),\
- sizeof((i).ifr_name)+(i).ifr_addr.sa_len)
+#define ifreq_size(i) max(sizeof(struct ifreq), \
+ sizeof((i).ifr_name)+(i).ifr_addr.sa_len)
#else
#define ifreq_size(i) sizeof(struct ifreq)
#endif /* HAVE_SA_LEN*/
@@ -156,20 +157,20 @@
void printaddr (struct sockaddr *);
void printaddr (struct sockaddr *sa)
- /*@modifies fileSystem@*/
+/*@modifies fileSystem@*/
{
char buf[NI_MAXHOST];
int err;
printf ("%p ", (void *) sa);
err = getnameinfo (sa, socklen (sa), buf, sizeof (buf), 0, 0,
- NI_NUMERICHOST);
+ NI_NUMERICHOST);
if (err)
- printf ("<getnameinfo error %d: %s> family=%d",
- err, gai_strerror (err),
- sa->sa_family);
+ printf ("<getnameinfo error %d: %s> family=%d",
+ err, gai_strerror (err),
+ sa->sa_family);
else
- printf ("%s", buf);
+ printf ("%s", buf);
}
#endif
@@ -178,15 +179,15 @@ is_loopback_address(struct sockaddr *sa)
{
switch (sa->sa_family) {
case AF_INET: {
- struct sockaddr_in *s4 = (struct sockaddr_in *)sa;
- return s4->sin_addr.s_addr == htonl(INADDR_LOOPBACK);
+ struct sockaddr_in *s4 = (struct sockaddr_in *)sa;
+ return s4->sin_addr.s_addr == htonl(INADDR_LOOPBACK);
}
case AF_INET6: {
- struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)sa;
- return IN6_IS_ADDR_LOOPBACK(&s6->sin6_addr);
+ struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)sa;
+ return IN6_IS_ADDR_LOOPBACK(&s6->sin6_addr);
}
default:
- return 0;
+ return 0;
}
}
@@ -201,32 +202,32 @@ void printifaddr (struct ifaddrs *ifp)
printf ("\tname=%s\n", ifp->ifa_name);
printf ("\tflags=");
{
- int ch, flags = ifp->ifa_flags;
- printf ("%x", flags);
- ch = '<';
+ int ch, flags = ifp->ifa_flags;
+ printf ("%x", flags);
+ ch = '<';
#define X(F) if (flags & IFF_##F) { printf ("%c%s", ch, #F); flags &= ~IFF_##F; ch = ','; }
- X (UP); X (BROADCAST); X (DEBUG); X (LOOPBACK); X (POINTOPOINT);
- X (NOTRAILERS); X (RUNNING); X (NOARP); X (PROMISC); X (ALLMULTI);
+ X (UP); X (BROADCAST); X (DEBUG); X (LOOPBACK); X (POINTOPOINT);
+ X (NOTRAILERS); X (RUNNING); X (NOARP); X (PROMISC); X (ALLMULTI);
#ifdef IFF_OACTIVE
- X (OACTIVE);
+ X (OACTIVE);
#endif
#ifdef IFF_SIMPLE
- X (SIMPLEX);
+ X (SIMPLEX);
#endif
- X (MULTICAST);
- printf (">");
+ X (MULTICAST);
+ printf (">");
#undef X
}
if (ifp->ifa_addr)
- printf ("\n\taddr="), printaddr (ifp->ifa_addr);
+ printf ("\n\taddr="), printaddr (ifp->ifa_addr);
if (ifp->ifa_netmask)
- printf ("\n\tnetmask="), printaddr (ifp->ifa_netmask);
+ printf ("\n\tnetmask="), printaddr (ifp->ifa_netmask);
if (ifp->ifa_broadaddr)
- printf ("\n\tbroadaddr="), printaddr (ifp->ifa_broadaddr);
+ printf ("\n\tbroadaddr="), printaddr (ifp->ifa_broadaddr);
if (ifp->ifa_dstaddr)
- printf ("\n\tdstaddr="), printaddr (ifp->ifa_dstaddr);
+ printf ("\n\tdstaddr="), printaddr (ifp->ifa_dstaddr);
if (ifp->ifa_data)
- printf ("\n\tdata=%p", ifp->ifa_data);
+ printf ("\n\tdata=%p", ifp->ifa_data);
printf ("\n}\n");
}
#endif /* DEBUG */
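Review bot: In printifaddr the guard `#ifdef IFF_SIMPLE` does not match the macro use it protects, `X (SIMPLEX);`, which expands to `IFF_SIMPLEX`. Unless some platform defines `IFF_SIMPLE`, the SIMPLEX flag is never decoded. The guard presumably should read `#ifdef IFF_SIMPLEX`. This is debug-only output, and the function starts above the hunk.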
@@ -238,21 +239,21 @@ static int
addr_eq (const struct sockaddr *s1, const struct sockaddr *s2)
{
if (s1->sa_family != s2->sa_family)
- return 0;
+ return 0;
#ifdef HAVE_SA_LEN
if (s1->sa_len != s2->sa_len)
- return 0;
+ return 0;
return !memcmp (s1, s2, s1->sa_len);
#else
#define CMPTYPE(T,F) (!memcmp(&((const T*)s1)->F,&((const T*)s2)->F,sizeof(((const T*)s1)->F)))
switch (s1->sa_family) {
case AF_INET:
- return CMPTYPE (struct sockaddr_in, sin_addr);
+ return CMPTYPE (struct sockaddr_in, sin_addr);
case AF_INET6:
- return CMPTYPE (struct sockaddr_in6, sin6_addr);
+ return CMPTYPE (struct sockaddr_in6, sin6_addr);
default:
- /* Err on side of duplicate listings. */
- return 0;
+ /* Err on side of duplicate listings. */
+ return 0;
}
#endif
}
@@ -262,13 +263,13 @@ addr_eq (const struct sockaddr *s1, const struct sockaddr *s2)
/*@-usereleased@*/ /* lclint doesn't understand realloc */
static /*@null@*/ void *
grow_or_free (/*@only@*/ void *ptr, size_t newsize)
- /*@*/
+/*@*/
{
void *newptr;
newptr = realloc (ptr, newsize);
if (newptr == NULL && newsize != 0) {
- free (ptr); /* lclint complains but this is right */
- return NULL;
+ free (ptr); /* lclint complains but this is right */
+ return NULL;
}
return newptr;
}
@@ -276,7 +277,7 @@ grow_or_free (/*@only@*/ void *ptr, size_t newsize)
static int
get_ifconf (int s, size_t *lenp, /*@out@*/ char *buf)
- /*@modifies *buf,*lenp@*/
+/*@modifies *buf,*lenp@*/
{
int ret;
struct ifconf ifc;
@@ -304,7 +305,7 @@ get_ifconf (int s, size_t *lenp, /*@out@*/ char *buf)
#if defined(SIOCGLIFCONF) && defined(HAVE_STRUCT_LIFCONF)
static int
get_lifconf (int af, int s, size_t *lenp, /*@out@*/ char *buf)
- /*@modifies *buf,*lenp@*/
+/*@modifies *buf,*lenp@*/
{
int ret;
struct lifconf lifc;
@@ -319,7 +320,7 @@ get_lifconf (int af, int s, size_t *lenp, /*@out@*/ char *buf)
/*@-moduncon@*/
ret = ioctl (s, SIOCGLIFCONF, (char *)&lifc);
if (ret)
- Tperror ("SIOCGLIFCONF");
+ Tperror ("SIOCGLIFCONF");
/*@=moduncon@*/
/*@+matchanyintegral@*/
*lenp = lifc.lifc_len;
@@ -332,7 +333,7 @@ get_lifconf (int af, int s, size_t *lenp, /*@out@*/ char *buf)
/* #include <net/if6.h> */
static int
get_if_laddrconf (int af, int s, size_t *lenp, /*@out@*/ char *buf)
- /*@modifies *buf,*lenp@*/
+/*@modifies *buf,*lenp@*/
{
int ret;
struct if_laddrconf iflc;
@@ -345,7 +346,7 @@ get_if_laddrconf (int af, int s, size_t *lenp, /*@out@*/ char *buf)
/*@-moduncon@*/
ret = ioctl (s, SIOCGLIFCONF, (char *)&iflc);
if (ret)
- Tperror ("SIOCGLIFCONF");
+ Tperror ("SIOCGLIFCONF");
/*@=moduncon@*/
/*@+matchanyintegral@*/
*lenp = iflc.iflc_len;
@@ -372,51 +373,51 @@ get_linux_ipv6_addrs ()
/* _PATH_PROCNET_IFINET6 */
f = fopen("/proc/net/if_inet6", "r");
if (f) {
- char ifname[21];
- unsigned int idx, pfxlen, scope, dadstat;
- struct in6_addr a6;
- struct linux_ipv6_addr_list *nw;
- int i;
- unsigned int addrbyte[16];
-
- set_cloexec_file(f);
- while (fscanf(f,
- "%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x"
- " %2x %2x %2x %2x %20s\n",
- &addrbyte[0], &addrbyte[1], &addrbyte[2], &addrbyte[3],
- &addrbyte[4], &addrbyte[5], &addrbyte[6], &addrbyte[7],
- &addrbyte[8], &addrbyte[9], &addrbyte[10], &addrbyte[11],
- &addrbyte[12], &addrbyte[13], &addrbyte[14],
- &addrbyte[15],
- &idx, &pfxlen, &scope, &dadstat, ifname) != EOF) {
- for (i = 0; i < 16; i++)
- a6.s6_addr[i] = addrbyte[i];
- if (scope != 0)
- continue;
+ char ifname[21];
+ unsigned int idx, pfxlen, scope, dadstat;
+ struct in6_addr a6;
+ struct linux_ipv6_addr_list *nw;
+ int i;
+ unsigned int addrbyte[16];
+
+ set_cloexec_file(f);
+ while (fscanf(f,
+ "%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x%2x"
+ " %2x %2x %2x %2x %20s\n",
+ &addrbyte[0], &addrbyte[1], &addrbyte[2], &addrbyte[3],
+ &addrbyte[4], &addrbyte[5], &addrbyte[6], &addrbyte[7],
+ &addrbyte[8], &addrbyte[9], &addrbyte[10], &addrbyte[11],
+ &addrbyte[12], &addrbyte[13], &addrbyte[14],
+ &addrbyte[15],
+ &idx, &pfxlen, &scope, &dadstat, ifname) != EOF) {
+ for (i = 0; i < 16; i++)
+ a6.s6_addr[i] = addrbyte[i];
+ if (scope != 0)
+ continue;
#if 0 /* These symbol names are as used by ifconfig, but none of the
- system header files export them. Dig up the kernel versions
- someday and see if they're exported. */
- switch (scope) {
- case 0:
- default:
- break;
- case IPV6_ADDR_LINKLOCAL:
- case IPV6_ADDR_SITELOCAL:
- case IPV6_ADDR_COMPATv4:
- case IPV6_ADDR_LOOPBACK:
- continue;
- }
+ system header files export them. Dig up the kernel versions
+ someday and see if they're exported. */
+ switch (scope) {
+ case 0:
+ default:
+ break;
+ case IPV6_ADDR_LINKLOCAL:
+ case IPV6_ADDR_SITELOCAL:
+ case IPV6_ADDR_COMPATv4:
+ case IPV6_ADDR_LOOPBACK:
+ continue;
+ }
#endif
- nw = calloc (1, sizeof (struct linux_ipv6_addr_list));
- if (nw == 0)
- continue;
- nw->addr.sin6_addr = a6;
- nw->addr.sin6_family = AF_INET6;
- /* Ignore other fields, we don't actually use them here. */
- nw->next = lst;
- lst = nw;
- }
- fclose (f);
+ nw = calloc (1, sizeof (struct linux_ipv6_addr_list));
+ if (nw == 0)
+ continue;
+ nw->addr.sin6_addr = a6;
+ nw->addr.sin6_family = AF_INET6;
+ /* Ignore other fields, we don't actually use them here. */
+ nw->next = lst;
+ lst = nw;
+ }
+ fclose (f);
}
return lst;
}
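Review bot: The read loop in get_linux_ipv6_addrs stops only on `EOF`, so a line that matches fewer than the 21 conversions still enters the body and builds an address from stale or uninitialized `addrbyte[]` and `scope` values. A line that matches no conversion makes fscanf return 0 without consuming input, so the loop would not terminate. Comparing against the full count, `&idx, &pfxlen, &scope, &dadstat, ifname) == 21) {`, accepts only complete records. The input is /proc/net/if_inet6, so malformed lines are unlikely, but the stricter test costs nothing. The function's declarations are above the hunk.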
@@ -433,68 +434,68 @@ get_linux_ipv6_addrs ()
int
foreach_localaddr (/*@null@*/ void *data,
- int (*pass1fn) (/*@null@*/ void *, struct sockaddr *) /*@*/,
- /*@null@*/ int (*betweenfn) (/*@null@*/ void *) /*@*/,
- /*@null@*/ int (*pass2fn) (/*@null@*/ void *,
- struct sockaddr *) /*@*/)
+ int (*pass1fn) (/*@null@*/ void *, struct sockaddr *) /*@*/,
+ /*@null@*/ int (*betweenfn) (/*@null@*/ void *) /*@*/,
+ /*@null@*/ int (*pass2fn) (/*@null@*/ void *,
+ struct sockaddr *) /*@*/)
#if defined(DEBUG) || defined(TEST)
- /*@modifies fileSystem@*/
+/*@modifies fileSystem@*/
#endif
{
struct ifaddrs *ifp_head, *ifp, *ifp2;
int match;
if (getifaddrs (&ifp_head) < 0)
- return errno;
+ return errno;
for (ifp = ifp_head; ifp; ifp = ifp->ifa_next) {
#ifdef DEBUG
- printifaddr (ifp);
+ printifaddr (ifp);
#endif
- if ((ifp->ifa_flags & IFF_UP) == 0)
- continue;
- if (ifp->ifa_addr == NULL) {
- /* Can't use an interface without an address. Linux
- apparently does this sometimes. [RT ticket 1770 from
- Maurice Massar, also Debian bug 206851, shows the
- problem with a PPP link on a newer kernel than I'm
- running.]
-
- Pretend it's not up, so the second pass will skip
- it. */
- ifp->ifa_flags &= ~IFF_UP;
- continue;
- }
- if (is_loopback_address(ifp->ifa_addr)) {
- /* Pretend it's not up, so the second pass will skip
- it. */
- ifp->ifa_flags &= ~IFF_UP;
- continue;
- }
- /* If this address is a duplicate, punt. */
- match = 0;
- for (ifp2 = ifp_head; ifp2 && ifp2 != ifp; ifp2 = ifp2->ifa_next) {
- if ((ifp2->ifa_flags & IFF_UP) == 0)
- continue;
- if (addr_eq (ifp->ifa_addr, ifp2->ifa_addr)) {
- match = 1;
- ifp->ifa_flags &= ~IFF_UP;
- break;
- }
- }
- if (match)
- continue;
- if ((*pass1fn) (data, ifp->ifa_addr))
- goto punt;
+ if ((ifp->ifa_flags & IFF_UP) == 0)
+ continue;
+ if (ifp->ifa_addr == NULL) {
+ /* Can't use an interface without an address. Linux
+ apparently does this sometimes. [RT ticket 1770 from
+ Maurice Massar, also Debian bug 206851, shows the
+ problem with a PPP link on a newer kernel than I'm
+ running.]
+
+ Pretend it's not up, so the second pass will skip
+ it. */
+ ifp->ifa_flags &= ~IFF_UP;
+ continue;
+ }
+ if (is_loopback_address(ifp->ifa_addr)) {
+ /* Pretend it's not up, so the second pass will skip
+ it. */
+ ifp->ifa_flags &= ~IFF_UP;
+ continue;
+ }
+ /* If this address is a duplicate, punt. */
+ match = 0;
+ for (ifp2 = ifp_head; ifp2 && ifp2 != ifp; ifp2 = ifp2->ifa_next) {
+ if ((ifp2->ifa_flags & IFF_UP) == 0)
+ continue;
+ if (addr_eq (ifp->ifa_addr, ifp2->ifa_addr)) {
+ match = 1;
+ ifp->ifa_flags &= ~IFF_UP;
+ break;
+ }
+ }
+ if (match)
+ continue;
+ if ((*pass1fn) (data, ifp->ifa_addr))
+ goto punt;
}
if (betweenfn && (*betweenfn)(data))
- goto punt;
+ goto punt;
if (pass2fn)
- for (ifp = ifp_head; ifp; ifp = ifp->ifa_next) {
- if (ifp->ifa_flags & IFF_UP)
- if ((*pass2fn) (data, ifp->ifa_addr))
- goto punt;
- }
- punt:
+ for (ifp = ifp_head; ifp; ifp = ifp->ifa_next) {
+ if (ifp->ifa_flags & IFF_UP)
+ if ((*pass2fn) (data, ifp->ifa_addr))
+ goto punt;
+ }
+punt:
freeifaddrs (ifp_head);
return 0;
}
@@ -503,12 +504,12 @@ foreach_localaddr (/*@null@*/ void *data,
int
foreach_localaddr (/*@null@*/ void *data,
- int (*pass1fn) (/*@null@*/ void *, struct sockaddr *) /*@*/,
- /*@null@*/ int (*betweenfn) (/*@null@*/ void *) /*@*/,
- /*@null@*/ int (*pass2fn) (/*@null@*/ void *,
- struct sockaddr *) /*@*/)
+ int (*pass1fn) (/*@null@*/ void *, struct sockaddr *) /*@*/,
+ /*@null@*/ int (*betweenfn) (/*@null@*/ void *) /*@*/,
+ /*@null@*/ int (*pass2fn) (/*@null@*/ void *,
+ struct sockaddr *) /*@*/)
#if defined(DEBUG) || defined(TEST)
- /*@modifies fileSystem@*/
+/*@modifies fileSystem@*/
#endif
{
/* Okay, this is kind of odd. We have to use each of the address
@@ -527,11 +528,11 @@ foreach_localaddr (/*@null@*/ void *data,
static const int afs[] = { AF_INET, AF_NS, AF_INET6 };
#define N_AFS (sizeof (afs) / sizeof (afs[0]))
struct {
- int af;
- int sock;
- void *buf;
- size_t buf_size;
- struct lifnum lifnum;
+ int af;
+ int sock;
+ void *buf;
+ size_t buf_size;
+ struct lifnum lifnum;
} afp[N_AFS];
int code, i, j;
int retval = 0, afidx;
@@ -543,131 +544,131 @@ foreach_localaddr (/*@null@*/ void *data,
/* init */
FOREACH_AF () {
- P.af = afs[afidx];
- P.sock = -1;
- P.buf = 0;
+ P.af = afs[afidx];
+ P.sock = -1;
+ P.buf = 0;
}
/* first pass: get raw data, discard uninteresting addresses, callback */
FOREACH_AF () {
- Tprintf (("trying af %d...\n", P.af));
- P.sock = socket (P.af, USE_TYPE, USE_PROTO);
- if (P.sock < 0) {
- sock_err = SOCKET_ERROR;
- Tperror ("socket");
- continue;
- }
- set_cloexec_fd(P.sock);
-
- P.lifnum.lifn_family = P.af;
- P.lifnum.lifn_flags = 0;
- P.lifnum.lifn_count = 0;
- code = ioctl (P.sock, SIOCGLIFNUM, &P.lifnum);
- if (code) {
- Tperror ("ioctl(SIOCGLIFNUM)");
- retval = errno;
- goto punt;
- }
-
- P.buf_size = P.lifnum.lifn_count * sizeof (struct lifreq) * 2;
- P.buf = malloc (P.buf_size);
- if (P.buf == NULL) {
- retval = ENOMEM;
- goto punt;
- }
-
- code = get_lifconf (P.af, P.sock, &P.buf_size, P.buf);
- if (code < 0) {
- retval = errno;
- goto punt;
- }
-
- for (i = 0; i + sizeof(*lifr) <= P.buf_size; i+= sizeof (*lifr)) {
- lifr = (struct lifreq *)((caddr_t) P.buf+i);
-
- strncpy(lifreq.lifr_name, lifr->lifr_name,
- sizeof (lifreq.lifr_name));
- Tprintf (("interface %s\n", lifreq.lifr_name));
- /*@-moduncon@*/ /* ioctl unknown to lclint */
- if (ioctl (P.sock, SIOCGLIFFLAGS, (char *)&lifreq) < 0) {
- Tperror ("ioctl(SIOCGLIFFLAGS)");
- skip:
- /* mark for next pass */
- lifr->lifr_name[0] = '\0';
- continue;
- }
- /*@=moduncon@*/
-
- /* None of the current callers want loopback addresses. */
- if (is_loopback_address((struct sockaddr *)&lifr->lifr_addr)) {
- Tprintf ((" loopback\n"));
- goto skip;
- }
- /* Ignore interfaces that are down. */
- if ((lifreq.lifr_flags & IFF_UP) == 0) {
- Tprintf ((" down\n"));
- goto skip;
- }
-
- /* Make sure we didn't process this address already. */
- for (j = 0; j < i; j += sizeof (*lifr2)) {
- lifr2 = (struct lifreq *)((caddr_t) P.buf+j);
- if (lifr2->lifr_name[0] == '\0')
- continue;
- if (lifr2->lifr_addr.ss_family == lifr->lifr_addr.ss_family
- /* Compare address info. If this isn't good enough --
- i.e., if random padding bytes turn out to differ
- when the addresses are the same -- then we'll have
- to do it on a per address family basis. */
- && !memcmp (&lifr2->lifr_addr, &lifr->lifr_addr,
- sizeof (*lifr))) {
- Tprintf ((" duplicate addr\n"));
- goto skip;
- }
- }
-
- /*@-moduncon@*/
- if ((*pass1fn) (data, ss2sa (&lifr->lifr_addr)))
- goto punt;
- /*@=moduncon@*/
- }
+ Tprintf (("trying af %d...\n", P.af));
+ P.sock = socket (P.af, USE_TYPE, USE_PROTO);
+ if (P.sock < 0) {
+ sock_err = SOCKET_ERROR;
+ Tperror ("socket");
+ continue;
+ }
+ set_cloexec_fd(P.sock);
+
+ P.lifnum.lifn_family = P.af;
+ P.lifnum.lifn_flags = 0;
+ P.lifnum.lifn_count = 0;
+ code = ioctl (P.sock, SIOCGLIFNUM, &P.lifnum);
+ if (code) {
+ Tperror ("ioctl(SIOCGLIFNUM)");
+ retval = errno;
+ goto punt;
+ }
+
+ P.buf_size = P.lifnum.lifn_count * sizeof (struct lifreq) * 2;
+ P.buf = malloc (P.buf_size);
+ if (P.buf == NULL) {
+ retval = ENOMEM;
+ goto punt;
+ }
+
+ code = get_lifconf (P.af, P.sock, &P.buf_size, P.buf);
+ if (code < 0) {
+ retval = errno;
+ goto punt;
+ }
+
+ for (i = 0; i + sizeof(*lifr) <= P.buf_size; i+= sizeof (*lifr)) {
+ lifr = (struct lifreq *)((caddr_t) P.buf+i);
+
+ strncpy(lifreq.lifr_name, lifr->lifr_name,
+ sizeof (lifreq.lifr_name));
+ Tprintf (("interface %s\n", lifreq.lifr_name));
+ /*@-moduncon@*/ /* ioctl unknown to lclint */
+ if (ioctl (P.sock, SIOCGLIFFLAGS, (char *)&lifreq) < 0) {
+ Tperror ("ioctl(SIOCGLIFFLAGS)");
+ skip:
+ /* mark for next pass */
+ lifr->lifr_name[0] = '\0';
+ continue;
+ }
+ /*@=moduncon@*/
+
+ /* None of the current callers want loopback addresses. */
+ if (is_loopback_address((struct sockaddr *)&lifr->lifr_addr)) {
+ Tprintf ((" loopback\n"));
+ goto skip;
+ }
+ /* Ignore interfaces that are down. */
+ if ((lifreq.lifr_flags & IFF_UP) == 0) {
+ Tprintf ((" down\n"));
+ goto skip;
+ }
+
+ /* Make sure we didn't process this address already. */
+ for (j = 0; j < i; j += sizeof (*lifr2)) {
+ lifr2 = (struct lifreq *)((caddr_t) P.buf+j);
+ if (lifr2->lifr_name[0] == '\0')
+ continue;
+ if (lifr2->lifr_addr.ss_family == lifr->lifr_addr.ss_family
+ /* Compare address info. If this isn't good enough --
+ i.e., if random padding bytes turn out to differ
+ when the addresses are the same -- then we'll have
+ to do it on a per address family basis. */
+ && !memcmp (&lifr2->lifr_addr, &lifr->lifr_addr,
+ sizeof (*lifr))) {
+ Tprintf ((" duplicate addr\n"));
+ goto skip;
+ }
+ }
+
+ /*@-moduncon@*/
+ if ((*pass1fn) (data, ss2sa (&lifr->lifr_addr)))
+ goto punt;
+ /*@=moduncon@*/
+ }
}
/* Did we actually get any working sockets? */
FOREACH_AF ()
- if (P.sock != -1)
- goto have_working_socket;
+ if (P.sock != -1)
+ goto have_working_socket;
retval = sock_err;
goto punt;
have_working_socket:
/*@-moduncon@*/
if (betweenfn != NULL && (*betweenfn)(data))
- goto punt;
+ goto punt;
/*@=moduncon@*/
if (pass2fn)
- FOREACH_AF ()
- if (P.sock >= 0) {
- for (i = 0; i + sizeof (*lifr) <= P.buf_size; i+= sizeof (*lifr)) {
- lifr = (struct lifreq *)((caddr_t) P.buf+i);
-
- if (lifr->lifr_name[0] == '\0')
- /* Marked in first pass to be ignored. */
- continue;
-
- /*@-moduncon@*/
- if ((*pass2fn) (data, ss2sa (&lifr->lifr_addr)))
- goto punt;
- /*@=moduncon@*/
- }
- }
+ FOREACH_AF ()
+ if (P.sock >= 0) {
+ for (i = 0; i + sizeof (*lifr) <= P.buf_size; i+= sizeof (*lifr)) {
+ lifr = (struct lifreq *)((caddr_t) P.buf+i);
+
+ if (lifr->lifr_name[0] == '\0')
+ /* Marked in first pass to be ignored. */
+ continue;
+
+ /*@-moduncon@*/
+ if ((*pass2fn) (data, ss2sa (&lifr->lifr_addr)))
+ goto punt;
+ /*@=moduncon@*/
+ }
+ }
punt:
FOREACH_AF () {
- /*@-moduncon@*/
- closesocket(P.sock);
- /*@=moduncon@*/
- free (P.buf);
+ /*@-moduncon@*/
+ closesocket(P.sock);
+ /*@=moduncon@*/
+ free (P.buf);
}
return retval;
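Review bot: The duplicate check in the first pass calls `memcmp (&lifr2->lifr_addr, &lifr->lifr_addr, sizeof (*lifr))`, which starts at the `lifr_addr` member but compares a whole `struct lifreq` worth of bytes. Assuming `lifr_addr` is not at offset 0 (the code treats `lifr_name` as a separate field), this reads past the end of each entry, and for the last entry possibly past the data SIOCGLIFCONF returned. The length should be the member's size, `sizeof (lifr->lifr_addr)`, which also keeps unrelated neighbouring bytes from making equal addresses compare unequal. In the same loop, `strncpy(lifreq.lifr_name, lifr->lifr_name, sizeof (lifreq.lifr_name));` leaves the name unterminated when the source fills the field, and the following `Tprintf` prints it with `%s`. This foreach_localaddr variant starts above the hunk and its closing brace is outside it.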
@@ -677,12 +678,12 @@ punt:
int
foreach_localaddr (/*@null@*/ void *data,
- int (*pass1fn) (/*@null@*/ void *, struct sockaddr *) /*@*/,
- /*@null@*/ int (*betweenfn) (/*@null@*/ void *) /*@*/,
- /*@null@*/ int (*pass2fn) (/*@null@*/ void *,
- struct sockaddr *) /*@*/)
+ int (*pass1fn) (/*@null@*/ void *, struct sockaddr *) /*@*/,
+ /*@null@*/ int (*betweenfn) (/*@null@*/ void *) /*@*/,
+ /*@null@*/ int (*pass2fn) (/*@null@*/ void *,
+ struct sockaddr *) /*@*/)
#if defined(DEBUG) || defined(TEST)
- /*@modifies fileSystem@*/
+/*@modifies fileSystem@*/
#endif
{
/* Okay, this is kind of odd. We have to use each of the address
@@ -701,11 +702,11 @@ foreach_localaddr (/*@null@*/ void *data,
static const int afs[] = { AF_INET, AF_NS, AF_INET6 };
#define N_AFS (sizeof (afs) / sizeof (afs[0]))
struct {
- int af;
- int sock;
- void *buf;
- size_t buf_size;
- int if_num;
+ int af;
+ int sock;
+ void *buf;
+ size_t buf_size;
+ int if_num;
} afp[N_AFS];
int code, i, j;
int retval = 0, afidx;
@@ -717,128 +718,128 @@ foreach_localaddr (/*@null@*/ void *data,
/* init */
FOREACH_AF () {
- P.af = afs[afidx];
- P.sock = -1;
- P.buf = 0;
+ P.af = afs[afidx];
+ P.sock = -1;
+ P.buf = 0;
}
/* first pass: get raw data, discard uninteresting addresses, callback */
FOREACH_AF () {
- Tprintf (("trying af %d...\n", P.af));
- P.sock = socket (P.af, USE_TYPE, USE_PROTO);
- if (P.sock < 0) {
- sock_err = SOCKET_ERROR;
- Tperror ("socket");
- continue;
- }
- set_cloexec_fd(P.sock);
-
- code = ioctl (P.sock, SIOCGLIFNUM, &P.if_num);
- if (code) {
- Tperror ("ioctl(SIOCGLIFNUM)");
- retval = errno;
- goto punt;
- }
-
- P.buf_size = P.if_num * sizeof (struct if_laddrreq) * 2;
- P.buf = malloc (P.buf_size);
- if (P.buf == NULL) {
- retval = ENOMEM;
- goto punt;
- }
-
- code = get_if_laddrconf (P.af, P.sock, &P.buf_size, P.buf);
- if (code < 0) {
- retval = errno;
- goto punt;
- }
-
- for (i = 0; i + sizeof(*lifr) <= P.buf_size; i+= sizeof (*lifr)) {
- lifr = (struct if_laddrreq *)((caddr_t) P.buf+i);
-
- strncpy(lifreq.iflr_name, lifr->iflr_name,
- sizeof (lifreq.iflr_name));
- Tprintf (("interface %s\n", lifreq.iflr_name));
- /*@-moduncon@*/ /* ioctl unknown to lclint */
- if (ioctl (P.sock, SIOCGLIFFLAGS, (char *)&lifreq) < 0) {
- Tperror ("ioctl(SIOCGLIFFLAGS)");
- skip:
- /* mark for next pass */
- lifr->iflr_name[0] = '\0';
- continue;
- }
- /*@=moduncon@*/
-
- /* None of the current callers want loopback addresses. */
- if (is_loopback_address(&lifr->iflr_addr)) {
- Tprintf ((" loopback\n"));
- goto skip;
- }
- /* Ignore interfaces that are down. */
- if ((lifreq.iflr_flags & IFF_UP) == 0) {
- Tprintf ((" down\n"));
- goto skip;
- }
-
- /* Make sure we didn't process this address already. */
- for (j = 0; j < i; j += sizeof (*lifr2)) {
- lifr2 = (struct if_laddrreq *)((caddr_t) P.buf+j);
- if (lifr2->iflr_name[0] == '\0')
- continue;
- if (lifr2->iflr_addr.sa_family == lifr->iflr_addr.sa_family
- /* Compare address info. If this isn't good enough --
- i.e., if random padding bytes turn out to differ
- when the addresses are the same -- then we'll have
- to do it on a per address family basis. */
- && !memcmp (&lifr2->iflr_addr, &lifr->iflr_addr,
- sizeof (*lifr))) {
- Tprintf ((" duplicate addr\n"));
- goto skip;
- }
- }
-
- /*@-moduncon@*/
- if ((*pass1fn) (data, ss2sa (&lifr->iflr_addr)))
- goto punt;
- /*@=moduncon@*/
- }
+ Tprintf (("trying af %d...\n", P.af));
+ P.sock = socket (P.af, USE_TYPE, USE_PROTO);
+ if (P.sock < 0) {
+ sock_err = SOCKET_ERROR;
+ Tperror ("socket");
+ continue;
+ }
+ set_cloexec_fd(P.sock);
+
+ code = ioctl (P.sock, SIOCGLIFNUM, &P.if_num);
+ if (code) {
+ Tperror ("ioctl(SIOCGLIFNUM)");
+ retval = errno;
+ goto punt;
+ }
+
+ P.buf_size = P.if_num * sizeof (struct if_laddrreq) * 2;
+ P.buf = malloc (P.buf_size);
+ if (P.buf == NULL) {
+ retval = ENOMEM;
+ goto punt;
+ }
+
+ code = get_if_laddrconf (P.af, P.sock, &P.buf_size, P.buf);
+ if (code < 0) {
+ retval = errno;
+ goto punt;
+ }
+
+ for (i = 0; i + sizeof(*lifr) <= P.buf_size; i+= sizeof (*lifr)) {
+ lifr = (struct if_laddrreq *)((caddr_t) P.buf+i);
+
+ strncpy(lifreq.iflr_name, lifr->iflr_name,
+ sizeof (lifreq.iflr_name));
+ Tprintf (("interface %s\n", lifreq.iflr_name));
+ /*@-moduncon@*/ /* ioctl unknown to lclint */
+ if (ioctl (P.sock, SIOCGLIFFLAGS, (char *)&lifreq) < 0) {
+ Tperror ("ioctl(SIOCGLIFFLAGS)");
+ skip:
+ /* mark for next pass */
+ lifr->iflr_name[0] = '\0';
+ continue;
+ }
+ /*@=moduncon@*/
+
+ /* None of the current callers want loopback addresses. */
+ if (is_loopback_address(&lifr->iflr_addr)) {
+ Tprintf ((" loopback\n"));
+ goto skip;
+ }
+ /* Ignore interfaces that are down. */
+ if ((lifreq.iflr_flags & IFF_UP) == 0) {
+ Tprintf ((" down\n"));
+ goto skip;
+ }
+
+ /* Make sure we didn't process this address already. */
+ for (j = 0; j < i; j += sizeof (*lifr2)) {
+ lifr2 = (struct if_laddrreq *)((caddr_t) P.buf+j);
+ if (lifr2->iflr_name[0] == '\0')
+ continue;
+ if (lifr2->iflr_addr.sa_family == lifr->iflr_addr.sa_family
+ /* Compare address info. If this isn't good enough --
+ i.e., if random padding bytes turn out to differ
+ when the addresses are the same -- then we'll have
+ to do it on a per address family basis. */
+ && !memcmp (&lifr2->iflr_addr, &lifr->iflr_addr,
+ sizeof (*lifr))) {
+ Tprintf ((" duplicate addr\n"));
+ goto skip;
+ }
+ }
+
+ /*@-moduncon@*/
+ if ((*pass1fn) (data, ss2sa (&lifr->iflr_addr)))
+ goto punt;
+ /*@=moduncon@*/
+ }
}
/* Did we actually get any working sockets? */
FOREACH_AF ()
- if (P.sock != -1)
- goto have_working_socket;
+ if (P.sock != -1)
+ goto have_working_socket;
retval = sock_err;
goto punt;
have_working_socket:
/*@-moduncon@*/
if (betweenfn != NULL && (*betweenfn)(data))
- goto punt;
+ goto punt;
/*@=moduncon@*/
if (pass2fn)
- FOREACH_AF ()
- if (P.sock >= 0) {
- for (i = 0; i + sizeof(*lifr) <= P.buf_size; i+= sizeof (*lifr)) {
- lifr = (struct if_laddrreq *)((caddr_t) P.buf+i);
-
- if (lifr->iflr_name[0] == '\0')
- /* Marked in first pass to be ignored. */
- continue;
-
- /*@-moduncon@*/
- if ((*pass2fn) (data, ss2sa (&lifr->iflr_addr)))
- goto punt;
- /*@=moduncon@*/
- }
- }
+ FOREACH_AF ()
+ if (P.sock >= 0) {
+ for (i = 0; i + sizeof(*lifr) <= P.buf_size; i+= sizeof (*lifr)) {
+ lifr = (struct if_laddrreq *)((caddr_t) P.buf+i);
+
+ if (lifr->iflr_name[0] == '\0')
+ /* Marked in first pass to be ignored. */
+ continue;
+
+ /*@-moduncon@*/
+ if ((*pass2fn) (data, ss2sa (&lifr->iflr_addr)))
+ goto punt;
+ /*@=moduncon@*/
+ }
+ }
punt:
FOREACH_AF () {
- /*@-moduncon@*/
- closesocket(P.sock);
- /*@=moduncon@*/
- free (P.buf);
+ /*@-moduncon@*/
+ closesocket(P.sock);
+ /*@=moduncon@*/
+ free (P.buf);
}
return retval;
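Review bot: The duplicate-address check in the first-pass loop calls `memcmp (&lifr2->iflr_addr, &lifr->iflr_addr, sizeof (*lifr))`, which starts at the address member but compares the size of the whole record, so it reads past the end of each entry. The extra bytes belong to unrelated fields or the next record, so real duplicates may go undetected, and for the final entry the read may extend beyond the data the ioctl returned. Bounding the length to the member, `sizeof (lifr->iflr_addr)`, keeps the comparison inside the record. The `lifreq` variant in the preceding hunk passes the same length. The function body begins before this hunk.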
@@ -870,27 +871,27 @@ get_ifreq_array(char **bufp, size_t *np, int s)
#ifdef SIOCGSIZIFCONF
code = ioctl (s, SIOCGSIZIFCONF, &ifconfsize);
if (!code) {
- current_buf_size = ifconfsize;
- est_if_count = ifconfsize / est_ifreq_size;
+ current_buf_size = ifconfsize;
+ est_if_count = ifconfsize / est_ifreq_size;
}
#elif defined (SIOCGIFNUM)
code = ioctl (s, SIOCGIFNUM, &numifs);
if (!code && numifs > 0)
- est_if_count = numifs;
+ est_if_count = numifs;
#endif
if (current_buf_size == 0)
- current_buf_size = est_ifreq_size * est_if_count + SLOP;
+ current_buf_size = est_ifreq_size * est_if_count + SLOP;
buf = malloc (current_buf_size);
if (buf == NULL)
- return ENOMEM;
+ return ENOMEM;
ask_again:
size = current_buf_size;
code = get_ifconf (s, &size, buf);
if (code < 0) {
- code = errno;
- free (buf);
- return code;
+ code = errno;
+ free (buf);
+ return code;
}
/* Test that the buffer was big enough that another ifreq could've
fit easily, if the OS wanted to provide one. That seems to be
@@ -899,29 +900,29 @@ ask_again:
bigger than the size of an ifreq. */
if (current_buf_size - size < SLOP
#ifdef SIOCGSIZIFCONF
- /* Unless we hear SIOCGSIZIFCONF is broken somewhere, let's
- trust the value it returns. */
- && ifconfsize <= 0
+ /* Unless we hear SIOCGSIZIFCONF is broken somewhere, let's
+ trust the value it returns. */
+ && ifconfsize <= 0
#elif defined (SIOCGIFNUM)
- && numifs <= 0
+ && numifs <= 0
#endif
- /* And we need *some* sort of bounds. */
- && current_buf_size <= 100000
- ) {
- size_t new_size;
-
- est_if_count *= 2;
- new_size = est_ifreq_size * est_if_count + SLOP;
- buf = grow_or_free (buf, new_size);
- if (buf == 0)
- return ENOMEM;
- current_buf_size = new_size;
- goto ask_again;
+ /* And we need *some* sort of bounds. */
+ && current_buf_size <= 100000
+ ) {
+ size_t new_size;
+
+ est_if_count *= 2;
+ new_size = est_ifreq_size * est_if_count + SLOP;
+ buf = grow_or_free (buf, new_size);
+ if (buf == 0)
+ return ENOMEM;
+ current_buf_size = new_size;
+ goto ask_again;
}
n = size;
if (n > current_buf_size)
- n = current_buf_size;
+ n = current_buf_size;
*bufp = buf;
*np = n;
@@ -930,12 +931,12 @@ ask_again:
int
foreach_localaddr (/*@null@*/ void *data,
- int (*pass1fn) (/*@null@*/ void *, struct sockaddr *) /*@*/,
- /*@null@*/ int (*betweenfn) (/*@null@*/ void *) /*@*/,
- /*@null@*/ int (*pass2fn) (/*@null@*/ void *,
- struct sockaddr *) /*@*/)
+ int (*pass1fn) (/*@null@*/ void *, struct sockaddr *) /*@*/,
+ /*@null@*/ int (*betweenfn) (/*@null@*/ void *) /*@*/,
+ /*@null@*/ int (*pass2fn) (/*@null@*/ void *,
+ struct sockaddr *) /*@*/)
#if defined(DEBUG) || defined(TEST)
- /*@modifies fileSystem@*/
+/*@modifies fileSystem@*/
#endif
{
struct ifreq *ifr, ifreq, *ifr2;
@@ -950,15 +951,15 @@ foreach_localaddr (/*@null@*/ void *data,
s = socket (USE_AF, USE_TYPE, USE_PROTO);
if (s < 0)
- return SOCKET_ERRNO;
+ return SOCKET_ERRNO;
set_cloexec_fd(s);
retval = get_ifreq_array(&buf, &n, s);
if (retval) {
- /*@-moduncon@*/ /* close() unknown to lclint */
- closesocket(s);
- /*@=moduncon@*/
- return retval;
+ /*@-moduncon@*/ /* close() unknown to lclint */
+ closesocket(s);
+ /*@=moduncon@*/
+ return retval;
}
/* Note: Apparently some systems put the size (used or wanted?)
@@ -968,98 +969,98 @@ foreach_localaddr (/*@null@*/ void *data,
size on these systems: *-fujitsu-uxp* *-ncr-sysv4*
*-univel-sysv*. */
for (i = 0; i + sizeof(struct ifreq) <= n; i+= ifreq_size(*ifr) ) {
- ifr = (struct ifreq *)((caddr_t) buf+i);
- /* In case ifreq_size is more than sizeof(). */
- if (i + ifreq_size(*ifr) > n)
- break;
-
- strncpy(ifreq.ifr_name, ifr->ifr_name, sizeof (ifreq.ifr_name));
- Tprintf (("interface %s\n", ifreq.ifr_name));
- /*@-moduncon@*/ /* ioctl unknown to lclint */
- if (ioctl (s, SIOCGIFFLAGS, (char *)&ifreq) < 0) {
- skip:
- /* mark for next pass */
- ifr->ifr_name[0] = '\0';
- continue;
- }
- /*@=moduncon@*/
-
- /* None of the current callers want loopback addresses. */
- if (is_loopback_address(&ifreq.ifr_addr)) {
- Tprintf ((" loopback\n"));
- goto skip;
- }
- /* Ignore interfaces that are down. */
- if ((ifreq.ifr_flags & IFF_UP) == 0) {
- Tprintf ((" down\n"));
- goto skip;
- }
-
- /* Make sure we didn't process this address already. */
- for (j = 0; j < i; j += ifreq_size(*ifr2)) {
- ifr2 = (struct ifreq *)((caddr_t) buf+j);
- if (ifr2->ifr_name[0] == '\0')
- continue;
- if (ifr2->ifr_addr.sa_family == ifr->ifr_addr.sa_family
- && ifreq_size (*ifr) == ifreq_size (*ifr2)
- /* Compare address info. If this isn't good enough --
- i.e., if random padding bytes turn out to differ
- when the addresses are the same -- then we'll have
- to do it on a per address family basis. */
- && !memcmp (&ifr2->ifr_addr.sa_data, &ifr->ifr_addr.sa_data,
- (ifreq_size (*ifr)
- - offsetof (struct ifreq, ifr_addr.sa_data)))) {
- Tprintf ((" duplicate addr\n"));
- goto skip;
- }
- }
-
- /*@-moduncon@*/
- if ((*pass1fn) (data, &ifr->ifr_addr))
- goto punt;
- /*@=moduncon@*/
+ ifr = (struct ifreq *)((caddr_t) buf+i);
+ /* In case ifreq_size is more than sizeof(). */
+ if (i + ifreq_size(*ifr) > n)
+ break;
+
+ strncpy(ifreq.ifr_name, ifr->ifr_name, sizeof (ifreq.ifr_name));
+ Tprintf (("interface %s\n", ifreq.ifr_name));
+ /*@-moduncon@*/ /* ioctl unknown to lclint */
+ if (ioctl (s, SIOCGIFFLAGS, (char *)&ifreq) < 0) {
+ skip:
+ /* mark for next pass */
+ ifr->ifr_name[0] = '\0';
+ continue;
+ }
+ /*@=moduncon@*/
+
+ /* None of the current callers want loopback addresses. */
+ if (is_loopback_address(&ifreq.ifr_addr)) {
+ Tprintf ((" loopback\n"));
+ goto skip;
+ }
+ /* Ignore interfaces that are down. */
+ if ((ifreq.ifr_flags & IFF_UP) == 0) {
+ Tprintf ((" down\n"));
+ goto skip;
+ }
+
+ /* Make sure we didn't process this address already. */
+ for (j = 0; j < i; j += ifreq_size(*ifr2)) {
+ ifr2 = (struct ifreq *)((caddr_t) buf+j);
+ if (ifr2->ifr_name[0] == '\0')
+ continue;
+ if (ifr2->ifr_addr.sa_family == ifr->ifr_addr.sa_family
+ && ifreq_size (*ifr) == ifreq_size (*ifr2)
+ /* Compare address info. If this isn't good enough --
+ i.e., if random padding bytes turn out to differ
+ when the addresses are the same -- then we'll have
+ to do it on a per address family basis. */
+ && !memcmp (&ifr2->ifr_addr.sa_data, &ifr->ifr_addr.sa_data,
+ (ifreq_size (*ifr)
+ - offsetof (struct ifreq, ifr_addr.sa_data)))) {
+ Tprintf ((" duplicate addr\n"));
+ goto skip;
+ }
+ }
+
+ /*@-moduncon@*/
+ if ((*pass1fn) (data, &ifr->ifr_addr))
+ goto punt;
+ /*@=moduncon@*/
}
#ifdef LINUX_IPV6_HACK
for (lx_v6 = linux_ipv6_addrs; lx_v6; lx_v6 = lx_v6->next)
- if ((*pass1fn) (data, (struct sockaddr *) &lx_v6->addr))
- goto punt;
+ if ((*pass1fn) (data, (struct sockaddr *) &lx_v6->addr))
+ goto punt;
#endif
/*@-moduncon@*/
if (betweenfn != NULL && (*betweenfn)(data))
- goto punt;
+ goto punt;
/*@=moduncon@*/
if (pass2fn) {
- for (i = 0; i + sizeof(struct ifreq) <= n; i+= ifreq_size(*ifr) ) {
- ifr = (struct ifreq *)((caddr_t) buf+i);
-
- if (ifr->ifr_name[0] == '\0')
- /* Marked in first pass to be ignored. */
- continue;
-
- /*@-moduncon@*/
- if ((*pass2fn) (data, &ifr->ifr_addr))
- goto punt;
- /*@=moduncon@*/
- }
+ for (i = 0; i + sizeof(struct ifreq) <= n; i+= ifreq_size(*ifr) ) {
+ ifr = (struct ifreq *)((caddr_t) buf+i);
+
+ if (ifr->ifr_name[0] == '\0')
+ /* Marked in first pass to be ignored. */
+ continue;
+
+ /*@-moduncon@*/
+ if ((*pass2fn) (data, &ifr->ifr_addr))
+ goto punt;
+ /*@=moduncon@*/
+ }
#ifdef LINUX_IPV6_HACK
- for (lx_v6 = linux_ipv6_addrs; lx_v6; lx_v6 = lx_v6->next)
- if ((*pass2fn) (data, (struct sockaddr *) &lx_v6->addr))
- goto punt;
+ for (lx_v6 = linux_ipv6_addrs; lx_v6; lx_v6 = lx_v6->next)
+ if ((*pass2fn) (data, (struct sockaddr *) &lx_v6->addr))
+ goto punt;
#endif
}
- punt:
+punt:
/*@-moduncon@*/
closesocket(s);
/*@=moduncon@*/
free (buf);
#ifdef LINUX_IPV6_HACK
while (linux_ipv6_addrs) {
- lx_v6 = linux_ipv6_addrs->next;
- free (linux_ipv6_addrs);
- linux_ipv6_addrs = lx_v6;
+ lx_v6 = linux_ipv6_addrs->next;
+ free (linux_ipv6_addrs);
+ linux_ipv6_addrs = lx_v6;
}
#endif
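Review bot: The second-pass loop over `buf` steps by `ifreq_size(*ifr)` but omits the `if (i + ifreq_size(*ifr) > n) break;` guard that the first pass applies. On platforms where `ifreq_size` can exceed `sizeof(struct ifreq)`, a trailing record that the first pass stopped at without marking is still handed to `pass2fn`, with an address that may extend past `n`. Repeating the same guard at the top of the second loop keeps both passes over the same records and inside the buffer. The function starts and ends outside this hunk.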
@@ -1074,7 +1075,7 @@ get_localaddrs (krb5_context context, krb5_address ***addr, int use_profile);
#ifdef TEST
static int print_addr (/*@unused@*/ void *dataptr, struct sockaddr *sa)
- /*@modifies fileSystem@*/
+/*@modifies fileSystem@*/
{
char hostbuf[NI_MAXHOST];
int err;
@@ -1083,14 +1084,14 @@ static int print_addr (/*@unused@*/ void *dataptr, struct sockaddr *sa)
printf (" --> family %2d ", sa->sa_family);
len = socklen (sa);
err = getnameinfo (sa, len, hostbuf, (socklen_t) sizeof (hostbuf),
- (char *) NULL, 0, NI_NUMERICHOST);
+ (char *) NULL, 0, NI_NUMERICHOST);
if (err) {
- int e = errno;
- printf ("<getnameinfo error %d: %s>\n", err, gai_strerror (err));
- if (err == EAI_SYSTEM)
- printf ("\t\t<errno is %d: %s>\n", e, strerror(e));
+ int e = errno;
+ printf ("<getnameinfo error %d: %s>\n", err, gai_strerror (err));
+ if (err == EAI_SYSTEM)
+ printf ("\t\t<errno is %d: %s>\n", e, strerror(e));
} else
- printf ("addr %s\n", hostbuf);
+ printf ("addr %s\n", hostbuf);
return 0;
}
@@ -1113,7 +1114,7 @@ struct localaddr_data {
static int
count_addrs (void *P_data, struct sockaddr *a)
- /*@*/
+/*@*/
{
struct localaddr_data *data = P_data;
switch (a->sa_family) {
@@ -1124,49 +1125,49 @@ count_addrs (void *P_data, struct sockaddr *a)
#ifdef KRB5_USE_NS
case AF_XNS:
#endif
- data->count++;
- break;
+ data->count++;
+ break;
default:
- break;
+ break;
}
return 0;
}
static int
allocate (void *P_data)
- /*@*/
+/*@*/
{
struct localaddr_data *data = P_data;
int i;
void *n;
n = realloc (data->addr_temp,
- (1 + data->count + data->cur_idx) * sizeof (krb5_address *));
+ (1 + data->count + data->cur_idx) * sizeof (krb5_address *));
if (n == 0) {
- data->mem_err++;
- return 1;
+ data->mem_err++;
+ return 1;
}
data->addr_temp = n;
data->cur_size = 1 + data->count + data->cur_idx;
for (i = data->cur_idx; i <= data->count + data->cur_idx; i++)
- data->addr_temp[i] = 0;
+ data->addr_temp[i] = 0;
return 0;
}
static /*@null@*/ krb5_address *
make_addr (int type, size_t length, const void *contents)
- /*@*/
+/*@*/
{
krb5_address *a;
void *data;
data = malloc (length);
if (data == NULL)
- return NULL;
+ return NULL;
a = malloc (sizeof (krb5_address));
if (a == NULL) {
- free (data);
- return NULL;
+ free (data);
+ return NULL;
}
memcpy (data, contents, length);
a->magic = KV5M_ADDRESS;
@@ -1178,7 +1179,7 @@ make_addr (int type, size_t length, const void *contents)
static int
add_addr (void *P_data, struct sockaddr *a)
- /*@modifies *P_data@*/
+/*@modifies *P_data@*/
{
struct localaddr_data *data = P_data;
/*@null@*/ krb5_address *address = 0;
@@ -1186,57 +1187,57 @@ add_addr (void *P_data, struct sockaddr *a)
switch (a->sa_family) {
#ifdef HAVE_NETINET_IN_H
case AF_INET:
- address = make_addr (ADDRTYPE_INET, sizeof (struct in_addr),
- &((const struct sockaddr_in *) a)->sin_addr);
- if (address == NULL)
- data->mem_err++;
- break;
+ address = make_addr (ADDRTYPE_INET, sizeof (struct in_addr),
+ &((const struct sockaddr_in *) a)->sin_addr);
+ if (address == NULL)
+ data->mem_err++;
+ break;
#ifdef KRB5_USE_INET6
case AF_INET6:
{
- const struct sockaddr_in6 *in = (const struct sockaddr_in6 *) a;
-
- if (IN6_IS_ADDR_LINKLOCAL (&in->sin6_addr))
- break;
-
- address = make_addr (ADDRTYPE_INET6, sizeof (struct in6_addr),
- &in->sin6_addr);
- if (address == NULL)
- data->mem_err++;
- break;
+ const struct sockaddr_in6 *in = (const struct sockaddr_in6 *) a;
+
+ if (IN6_IS_ADDR_LINKLOCAL (&in->sin6_addr))
+ break;
+
+ address = make_addr (ADDRTYPE_INET6, sizeof (struct in6_addr),
+ &in->sin6_addr);
+ if (address == NULL)
+ data->mem_err++;
+ break;
}
#endif /* KRB5_USE_INET6 */
#endif /* netinet/in.h */
#ifdef KRB5_USE_NS
case AF_XNS:
- address = make_addr (ADDRTYPE_XNS, sizeof (struct ns_addr),
- &((const struct sockaddr_ns *)a)->sns_addr);
- if (address == NULL)
- data->mem_err++;
- break;
+ address = make_addr (ADDRTYPE_XNS, sizeof (struct ns_addr),
+ &((const struct sockaddr_ns *)a)->sns_addr);
+ if (address == NULL)
+ data->mem_err++;
+ break;
#endif
#ifdef AF_LINK
- /* Some BSD-based systems (e.g. NetBSD 1.5) and AIX will
- include the ethernet address, but we don't want that, at
- least for now. */
+ /* Some BSD-based systems (e.g. NetBSD 1.5) and AIX will
+ include the ethernet address, but we don't want that, at
+ least for now. */
case AF_LINK:
- break;
+ break;
#endif
- /*
- * Add more address families here..
- */
+ /*
+ * Add more address families here..
+ */
default:
- break;
+ break;
}
#ifdef __LCLINT__
/* Redundant but unconditional store un-confuses lclint. */
data->addr_temp[data->cur_idx] = address;
#endif
if (address) {
- data->addr_temp[data->cur_idx++] = address;
+ data->addr_temp[data->cur_idx++] = address;
}
return data->mem_err;
@@ -1247,7 +1248,7 @@ krb5_os_localaddr_profile (krb5_context context, struct localaddr_data *datap)
{
krb5_error_code err;
static const char *const profile_name[] = {
- KRB5_CONF_LIBDEFAULTS, KRB5_CONF_EXTRA_ADDRESSES, 0
+ KRB5_CONF_LIBDEFAULTS, KRB5_CONF_EXTRA_ADDRESSES, 0
};
char **values;
char **iter;
@@ -1260,69 +1261,69 @@ krb5_os_localaddr_profile (krb5_context context, struct localaddr_data *datap)
err = profile_get_values (context->profile, profile_name, &values);
/* Ignore all errors for now? */
if (err)
- return 0;
+ return 0;
for (iter = values; *iter; iter++) {
- char *cp = *iter, *next, *current;
- int i, count;
+ char *cp = *iter, *next, *current;
+ int i, count;
#ifdef DEBUG
- fprintf (stderr, " found line: '%s'\n", cp);
+ fprintf (stderr, " found line: '%s'\n", cp);
#endif
- for (cp = *iter, next = 0; *cp; cp = next) {
- while (isspace ((int) *cp) || *cp == ',')
- cp++;
- if (*cp == 0)
- break;
- /* Start of an address. */
+ for (cp = *iter, next = 0; *cp; cp = next) {
+ while (isspace ((int) *cp) || *cp == ',')
+ cp++;
+ if (*cp == 0)
+ break;
+ /* Start of an address. */
#ifdef DEBUG
- fprintf (stderr, " addr found in '%s'\n", cp);
+ fprintf (stderr, " addr found in '%s'\n", cp);
#endif
- current = cp;
- while (*cp != 0 && !isspace((int) *cp) && *cp != ',')
- cp++;
- if (*cp != 0) {
- next = cp + 1;
- *cp = 0;
- } else
- next = cp;
- /* Got a single address, process it. */
+ current = cp;
+ while (*cp != 0 && !isspace((int) *cp) && *cp != ',')
+ cp++;
+ if (*cp != 0) {
+ next = cp + 1;
+ *cp = 0;
+ } else
+ next = cp;
+ /* Got a single address, process it. */
#ifdef DEBUG
- fprintf (stderr, " processing '%s'\n", current);
+ fprintf (stderr, " processing '%s'\n", current);
#endif
- newaddrs = 0;
- err = krb5_os_hostaddr (context, current, &newaddrs);
- if (err)
- continue;
- for (i = 0; newaddrs[i]; i++) {
+ newaddrs = 0;
+ err = krb5_os_hostaddr (context, current, &newaddrs);
+ if (err)
+ continue;
+ for (i = 0; newaddrs[i]; i++) {
#ifdef DEBUG
- fprintf (stderr, " %d: family %d", i,
- newaddrs[i]->addrtype);
- fprintf (stderr, "\n");
+ fprintf (stderr, " %d: family %d", i,
+ newaddrs[i]->addrtype);
+ fprintf (stderr, "\n");
#endif
- }
- count = i;
+ }
+ count = i;
#ifdef DEBUG
- fprintf (stderr, " %d addresses\n", count);
+ fprintf (stderr, " %d addresses\n", count);
#endif
- if (datap->cur_idx + count >= datap->cur_size) {
- krb5_address **bigger;
- bigger = realloc (datap->addr_temp,
- sizeof (krb5_address *) * (datap->cur_idx + count));
- if (bigger) {
- datap->addr_temp = bigger;
- datap->cur_size = datap->cur_idx + count;
- }
- }
- for (i = 0; i < count; i++) {
- if (datap->cur_idx < datap->cur_size)
- datap->addr_temp[datap->cur_idx++] = newaddrs[i];
- else
- free (newaddrs[i]->contents), free (newaddrs[i]);
- }
- free (newaddrs);
- }
+ if (datap->cur_idx + count >= datap->cur_size) {
+ krb5_address **bigger;
+ bigger = realloc (datap->addr_temp,
+ sizeof (krb5_address *) * (datap->cur_idx + count));
+ if (bigger) {
+ datap->addr_temp = bigger;
+ datap->cur_size = datap->cur_idx + count;
+ }
+ }
+ for (i = 0; i < count; i++) {
+ if (datap->cur_idx < datap->cur_size)
+ datap->addr_temp[datap->cur_idx++] = newaddrs[i];
+ else
+ free (newaddrs[i]->contents), free (newaddrs[i]);
+ }
+ free (newaddrs);
+ }
}
return 0;
}
@@ -1349,92 +1350,92 @@ get_localaddrs (krb5_context context, krb5_address ***addr, int use_profile)
krb5_error_code err;
if (use_profile) {
- err = krb5_os_localaddr_profile (context, &data);
- /* ignore err for now */
+ err = krb5_os_localaddr_profile (context, &data);
+ /* ignore err for now */
}
r = foreach_localaddr (&data, count_addrs, allocate, add_addr);
if (r != 0) {
- int i;
- if (data.addr_temp) {
- for (i = 0; i < data.count; i++)
- free (data.addr_temp[i]);
- free (data.addr_temp);
- }
- if (data.mem_err)
- return ENOMEM;
- else
- return r;
+ int i;
+ if (data.addr_temp) {
+ for (i = 0; i < data.count; i++)
+ free (data.addr_temp[i]);
+ free (data.addr_temp);
+ }
+ if (data.mem_err)
+ return ENOMEM;
+ else
+ return r;
}
data.cur_idx++; /* null termination */
if (data.mem_err)
- return ENOMEM;
+ return ENOMEM;
else if (data.cur_idx == data.count)
- *addr = data.addr_temp;
+ *addr = data.addr_temp;
else {
- /* This can easily happen if we have IPv6 link-local
- addresses. Just shorten the array. */
- *addr = (krb5_address **) realloc (data.addr_temp,
- (sizeof (krb5_address *)
- * data.cur_idx));
- if (*addr == 0)
- /* Okay, shortening failed, but the original should still
- be intact. */
- *addr = data.addr_temp;
+ /* This can easily happen if we have IPv6 link-local
+ addresses. Just shorten the array. */
+ *addr = (krb5_address **) realloc (data.addr_temp,
+ (sizeof (krb5_address *)
+ * data.cur_idx));
+ if (*addr == 0)
+ /* Okay, shortening failed, but the original should still
+ be intact. */
+ *addr = data.addr_temp;
}
#ifdef DEBUG
{
- int j;
- fprintf (stderr, "addresses:\n");
- for (j = 0; addr[0][j]; j++) {
- struct sockaddr_storage ss;
- int err2;
- char namebuf[NI_MAXHOST];
- void *addrp = 0;
-
- fprintf (stderr, "%2d: ", j);
- fprintf (stderr, "addrtype %2d, length %2d", addr[0][j]->addrtype,
- addr[0][j]->length);
- memset (&ss, 0, sizeof (ss));
- switch (addr[0][j]->addrtype) {
- case ADDRTYPE_INET:
- {
- struct sockaddr_in *sinp = ss2sin (&ss);
- sinp->sin_family = AF_INET;
- addrp = &sinp->sin_addr;
+ int j;
+ fprintf (stderr, "addresses:\n");
+ for (j = 0; addr[0][j]; j++) {
+ struct sockaddr_storage ss;
+ int err2;
+ char namebuf[NI_MAXHOST];
+ void *addrp = 0;
+
+ fprintf (stderr, "%2d: ", j);
+ fprintf (stderr, "addrtype %2d, length %2d", addr[0][j]->addrtype,
+ addr[0][j]->length);
+ memset (&ss, 0, sizeof (ss));
+ switch (addr[0][j]->addrtype) {
+ case ADDRTYPE_INET:
+ {
+ struct sockaddr_in *sinp = ss2sin (&ss);
+ sinp->sin_family = AF_INET;
+ addrp = &sinp->sin_addr;
#ifdef HAVE_SA_LEN
- sinp->sin_len = sizeof (struct sockaddr_in);
+ sinp->sin_len = sizeof (struct sockaddr_in);
#endif
- break;
- }
+ break;
+ }
#ifdef KRB5_USE_INET6
- case ADDRTYPE_INET6:
- {
- struct sockaddr_in6 *sin6p = ss2sin6 (&ss);
- sin6p->sin6_family = AF_INET6;
- addrp = &sin6p->sin6_addr;
+ case ADDRTYPE_INET6:
+ {
+ struct sockaddr_in6 *sin6p = ss2sin6 (&ss);
+ sin6p->sin6_family = AF_INET6;
+ addrp = &sin6p->sin6_addr;
#ifdef HAVE_SA_LEN
- sin6p->sin6_len = sizeof (struct sockaddr_in6);
+ sin6p->sin6_len = sizeof (struct sockaddr_in6);
#endif
- break;
- }
+ break;
+ }
#endif
- default:
- ss2sa(&ss)->sa_family = 0;
- break;
- }
- if (addrp)
- memcpy (addrp, addr[0][j]->contents, addr[0][j]->length);
- err2 = getnameinfo (ss2sa(&ss), socklen (ss2sa (&ss)),
- namebuf, sizeof (namebuf), 0, 0,
- NI_NUMERICHOST);
- if (err2 == 0)
- fprintf (stderr, ": addr %s\n", namebuf);
- else
- fprintf (stderr, ": getnameinfo error %d\n", err2);
- }
+ default:
+ ss2sa(&ss)->sa_family = 0;
+ break;
+ }
+ if (addrp)
+ memcpy (addrp, addr[0][j]->contents, addr[0][j]->length);
+ err2 = getnameinfo (ss2sa(&ss), socklen (ss2sa (&ss)),
+ namebuf, sizeof (namebuf), 0, 0,
+ NI_NUMERICHOST);
+ if (err2 == 0)
+ fprintf (stderr, ": addr %s\n", namebuf);
+ else
+ fprintf (stderr, ": getnameinfo error %d\n", err2);
+ }
}
#endif
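Review bot: On the `r != 0` path the cleanup loop frees each `data.addr_temp[i]` but not its `contents` buffer, which `make_addr` allocates separately and which the profile code in this file frees explicitly. The loop is also bounded by `data.count` rather than by the number of slots actually filled. If `allocate` failed or never ran, this could index past the array built from the profile; that is inferred, since the bookkeeping fields are set outside this hunk. Suggest iterating to `data.cur_idx` and adding `if (data.addr_temp[i]) free (data.addr_temp[i]->contents);` before the existing `free`. The function begins before and ends after the hunk.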
@@ -1453,47 +1454,47 @@ get_localaddrs (krb5_context context, krb5_address ***addr, int use_profile)
#if defined(_WIN32)
static struct hostent *local_addr_fallback_kludge()
{
- static struct hostent host;
- static SOCKADDR_IN addr;
- static char * ip_ptrs[2];
- SOCKET sock;
- int size = sizeof(SOCKADDR);
- int err;
-
- sock = socket(AF_INET, SOCK_DGRAM, 0);
- if (sock == INVALID_SOCKET)
- return NULL;
- set_cloexec_fd(sock);
-
- /* connect to arbitrary port and address (NOT loopback) */
- addr.sin_family = AF_INET;
- addr.sin_port = htons(IPPORT_ECHO);
- addr.sin_addr.s_addr = inet_addr("204.137.220.51");
-
- err = connect(sock, (LPSOCKADDR) &addr, sizeof(SOCKADDR));
- if (err == SOCKET_ERROR)
- return NULL;
-
- err = getsockname(sock, (LPSOCKADDR) &addr, (int *) size);
- if (err == SOCKET_ERROR)
- return NULL;
-
- closesocket(sock);
-
- host.h_name = 0;
- host.h_aliases = 0;
- host.h_addrtype = AF_INET;
- host.h_length = 4;
- host.h_addr_list = ip_ptrs;
- ip_ptrs[0] = (char *) &addr.sin_addr.s_addr;
- ip_ptrs[1] = NULL;
-
- return &host;
+ static struct hostent host;
+ static SOCKADDR_IN addr;
+ static char * ip_ptrs[2];
+ SOCKET sock;
+ int size = sizeof(SOCKADDR);
+ int err;
+
+ sock = socket(AF_INET, SOCK_DGRAM, 0);
+ if (sock == INVALID_SOCKET)
+ return NULL;
+ set_cloexec_fd(sock);
+
+ /* connect to arbitrary port and address (NOT loopback) */
+ addr.sin_family = AF_INET;
+ addr.sin_port = htons(IPPORT_ECHO);
+ addr.sin_addr.s_addr = inet_addr("204.137.220.51");
+
+ err = connect(sock, (LPSOCKADDR) &addr, sizeof(SOCKADDR));
+ if (err == SOCKET_ERROR)
+ return NULL;
+
+ err = getsockname(sock, (LPSOCKADDR) &addr, (int *) size);
+ if (err == SOCKET_ERROR)
+ return NULL;
+
+ closesocket(sock);
+
+ host.h_name = 0;
+ host.h_aliases = 0;
+ host.h_addrtype = AF_INET;
+ host.h_length = 4;
+ host.h_addr_list = ip_ptrs;
+ ip_ptrs[0] = (char *) &addr.sin_addr.s_addr;
+ ip_ptrs[1] = NULL;
+
+ return &host;
}
#endif
-/* No ioctls in winsock so we just assume there is only one networking
- * card per machine, so gethostent is good enough.
+/* No ioctls in winsock so we just assume there is only one networking
+ * card per machine, so gethostent is good enough.
*/
krb5_error_code KRB5_CALLCONV
krb5_os_localaddr (krb5_context context, krb5_address ***addr) {
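Review bot: In `local_addr_fallback_kludge`, `getsockname(sock, (LPSOCKADDR) &addr, (int *) size)` casts the integer value of `size` to a pointer instead of passing its address, so the call receives an invalid length pointer. It should be `getsockname(sock, (LPSOCKADDR) &addr, &size)`. Both `return NULL` paths taken after `socket()` succeeds also skip `closesocket(sock)`, so the socket leaks on every failed `connect` or `getsockname`. The returned `hostent` points into function-static storage shared by all callers, which deserves a comment if intended.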
@@ -1505,24 +1506,24 @@ krb5_os_localaddr (krb5_context context, krb5_address ***addr) {
*addr = 0;
paddr = 0;
err = 0;
-
+
if (gethostname (host, sizeof(host))) {
err = SOCKET_ERRNO;
}
if (!err) {
- hostrec = gethostbyname (host);
- if (hostrec == NULL) {
- err = SOCKET_ERRNO;
- }
+ hostrec = gethostbyname (host);
+ if (hostrec == NULL) {
+ err = SOCKET_ERRNO;
+ }
}
if (err) {
- hostrec = local_addr_fallback_kludge();
- if (!hostrec)
- return err;
- else
- err = 0; /* otherwise we will die at cleanup */
+ hostrec = local_addr_fallback_kludge();
+ if (!hostrec)
+ return err;
+ else
+ err = 0; /* otherwise we will die at cleanup */
}
for (count = 0; hostrec->h_addr_list[count]; count++);
@@ -1554,7 +1555,7 @@ krb5_os_localaddr (krb5_context context, krb5_address ***addr) {
paddr[i]->length);
}
- cleanup:
+cleanup:
if (err) {
if (paddr) {
for (i = 0; i < count; i++)
diff --git a/src/lib/krb5/os/locate_kdc.c b/src/lib/krb5/os/locate_kdc.c
index 4383fab4b9..df246eff2f 100644
--- a/src/lib/krb5/os/locate_kdc.c
+++ b/src/lib/krb5/os/locate_kdc.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/os/locate_kdc.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* get socket addresses for KDC.
*/
@@ -73,13 +74,13 @@ maybe_use_dns (krb5_context context, const char *name, int defalt)
code = profile_get_string(context->profile, KRB5_CONF_LIBDEFAULTS,
name, 0, 0, &value);
if (value == 0 && code == 0)
- code = profile_get_string(context->profile, KRB5_CONF_LIBDEFAULTS,
- KRB5_CONF_DNS_FALLBACK, 0, 0, &value);
+ code = profile_get_string(context->profile, KRB5_CONF_LIBDEFAULTS,
+ KRB5_CONF_DNS_FALLBACK, 0, 0, &value);
if (code)
return defalt;
if (value == 0)
- return defalt;
+ return defalt;
use_dns = _krb5_conf_boolean(value);
profile_release_string(value);
@@ -110,12 +111,12 @@ krb5int_grow_addrlist (struct addrlist *lp, int nmore)
newaddrs = realloc (lp->addrs, newsize);
if (newaddrs == NULL)
- return ENOMEM;
+ return ENOMEM;
lp->addrs = newaddrs;
for (i = lp->space; i < newspace; i++) {
- lp->addrs[i].ai = NULL;
- lp->addrs[i].freefn = NULL;
- lp->addrs[i].data = NULL;
+ lp->addrs[i].ai = NULL;
+ lp->addrs[i].freefn = NULL;
+ lp->addrs[i].data = NULL;
}
lp->space = newspace;
return 0;
@@ -129,8 +130,8 @@ krb5int_free_addrlist (struct addrlist *lp)
{
int i;
for (i = 0; i < lp->naddrs; i++)
- if (lp->addrs[i].freefn)
- (lp->addrs[i].freefn)(lp->addrs[i].data);
+ if (lp->addrs[i].freefn)
+ (lp->addrs[i].freefn)(lp->addrs[i].data);
free (lp->addrs);
lp->addrs = NULL;
lp->naddrs = lp->space = 0;
@@ -141,19 +142,19 @@ static int translate_ai_error (int err)
{
switch (err) {
case 0:
- return 0;
+ return 0;
case EAI_BADFLAGS:
case EAI_FAMILY:
case EAI_SOCKTYPE:
case EAI_SERVICE:
- /* All of these indicate bad inputs to getaddrinfo. */
- return EINVAL;
+ /* All of these indicate bad inputs to getaddrinfo. */
+ return EINVAL;
case EAI_AGAIN:
- /* Translate to standard errno code. */
- return EAGAIN;
+ /* Translate to standard errno code. */
+ return EAGAIN;
case EAI_MEMORY:
- /* Translate to standard errno code. */
- return ENOMEM;
+ /* Translate to standard errno code. */
+ return ENOMEM;
#ifdef EAI_ADDRFAMILY
case EAI_ADDRFAMILY:
#endif
@@ -161,22 +162,22 @@ static int translate_ai_error (int err)
case EAI_NODATA:
#endif
case EAI_NONAME:
- /* Name not known or no address data, but no error. Do
- nothing more. */
- return 0;
+ /* Name not known or no address data, but no error. Do
+ nothing more. */
+ return 0;
#ifdef EAI_OVERFLOW
case EAI_OVERFLOW:
- /* An argument buffer overflowed. */
- return EINVAL; /* XXX */
+ /* An argument buffer overflowed. */
+ return EINVAL; /* XXX */
#endif
#ifdef EAI_SYSTEM
case EAI_SYSTEM:
- /* System error, obviously. */
- return errno;
+ /* System error, obviously. */
+ return errno;
#endif
default:
- /* An error code we haven't handled? */
- return EINVAL;
+ /* An error code we haven't handled? */
+ return EINVAL;
}
}
@@ -202,19 +203,19 @@ static inline void print_addrlist(const struct addrlist *a) { }
#endif
static int add_addrinfo_to_list (struct addrlist *lp, struct addrinfo *a,
- void (*freefn)(void *), void *data)
+ void (*freefn)(void *), void *data)
{
int err;
dprint("\tadding %p=%A to %p (naddrs=%d space=%d)\n", a, a, lp,
- lp->naddrs, lp->space);
+ lp->naddrs, lp->space);
if (lp->naddrs == lp->space) {
- err = grow_list (lp, 1);
- if (err) {
- Tprintf ("grow_list failed %d\n", err);
- return err;
- }
+ err = grow_list (lp, 1);
+ if (err) {
+ Tprintf ("grow_list failed %d\n", err);
+ return err;
+ }
}
Tprintf("setting element %d\n", lp->naddrs);
lp->addrs[lp->naddrs].ai = a;
@@ -239,8 +240,8 @@ static void call_freeaddrinfo(void *data)
int
krb5int_add_host_to_list (struct addrlist *lp, const char *hostname,
- int port, int secport,
- int socktype, int family)
+ int port, int secport,
+ int socktype, int family)
{
struct addrinfo *addrs, *a, *anext, hint;
int err;
@@ -248,8 +249,8 @@ krb5int_add_host_to_list (struct addrlist *lp, const char *hostname,
void (*freefn)(void *);
Tprintf ("adding hostname %s, ports %d,%d, family %d, socktype %d\n",
- hostname, ntohs (port), ntohs (secport),
- family, socktype);
+ hostname, ntohs (port), ntohs (secport),
+ family, socktype);
memset(&hint, 0, sizeof(hint));
hint.ai_family = family;
@@ -258,38 +259,38 @@ krb5int_add_host_to_list (struct addrlist *lp, const char *hostname,
hint.ai_flags = AI_NUMERICSERV;
#endif
if (snprintf(portbuf, sizeof(portbuf), "%d", ntohs(port)) >= sizeof(portbuf))
- /* XXX */
- return EINVAL;
+ /* XXX */
+ return EINVAL;
if (snprintf(secportbuf, sizeof(secportbuf), "%d", ntohs(secport)) >= sizeof(secportbuf))
- return EINVAL;
+ return EINVAL;
err = getaddrinfo (hostname, portbuf, &hint, &addrs);
if (err) {
- Tprintf ("\tgetaddrinfo(\"%s\", \"%s\", ...)\n\treturns %d: %s\n",
- hostname, portbuf, err, gai_strerror (err));
- return translate_ai_error (err);
+ Tprintf ("\tgetaddrinfo(\"%s\", \"%s\", ...)\n\treturns %d: %s\n",
+ hostname, portbuf, err, gai_strerror (err));
+ return translate_ai_error (err);
}
freefn = call_freeaddrinfo;
anext = 0;
for (a = addrs; a != 0 && err == 0; a = anext, freefn = 0) {
- anext = a->ai_next;
- err = add_addrinfo_to_list (lp, a, freefn, a);
+ anext = a->ai_next;
+ err = add_addrinfo_to_list (lp, a, freefn, a);
}
if (err || secport == 0)
- goto egress;
+ goto egress;
if (socktype == 0)
- socktype = SOCK_DGRAM;
+ socktype = SOCK_DGRAM;
else if (socktype != SOCK_DGRAM)
- goto egress;
+ goto egress;
hint.ai_family = AF_INET;
err = getaddrinfo (hostname, secportbuf, &hint, &addrs);
if (err) {
- err = translate_ai_error (err);
- goto egress;
+ err = translate_ai_error (err);
+ goto egress;
}
freefn = call_freeaddrinfo;
for (a = addrs; a != 0 && err == 0; a = anext, freefn = 0) {
- anext = a->ai_next;
- err = add_addrinfo_to_list (lp, a, freefn, a);
+ anext = a->ai_next;
+ err = add_addrinfo_to_list (lp, a, freefn, a);
}
egress:
/* XXX Memory leaks possible here if add_addrinfo_to_list fails. */
@@ -304,20 +305,20 @@ egress:
static krb5_error_code
krb5_locate_srv_conf_1(krb5_context context, const krb5_data *realm,
- const char * name, struct addrlist *addrlist,
- int get_masters, int socktype,
- int udpport, int sec_udpport, int family)
+ const char * name, struct addrlist *addrlist,
+ int get_masters, int socktype,
+ int udpport, int sec_udpport, int family)
{
- const char *realm_srv_names[4];
+ const char *realm_srv_names[4];
char **masterlist, **hostlist, *host, *port, *cp;
krb5_error_code code;
int i, j, count, ismaster;
Tprintf ("looking in krb5.conf for realm %s entry %s; ports %d,%d\n",
- realm->data, name, ntohs (udpport), ntohs (sec_udpport));
+ realm->data, name, ntohs (udpport), ntohs (sec_udpport));
- if ((host = malloc(realm->length + 1)) == NULL)
- return ENOMEM;
+ if ((host = malloc(realm->length + 1)) == NULL)
+ return ENOMEM;
strncpy(host, realm->data, realm->length);
host[realm->length] = '\0';
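Review bot: `malloc(realm->length + 1)` in krb5_locate_srv_conf_1 has no guard against the length wrapping, unlike module_locate_server later in this file, which rejects `realm->length >= UINT_MAX` before the same allocation. If the length field is an unsigned int (its type is not shown here), a maximal value would make the allocation size zero while `strncpy` and the terminator store still use the original length. For consistency I would add `if (realm->length >= UINT_MAX) return ENOMEM;` ahead of the malloc. The function body continues outside this hunk.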
@@ -333,57 +334,57 @@ krb5_locate_srv_conf_1(krb5_context context, const krb5_data *realm,
code = profile_get_values(context->profile, realm_srv_names, &hostlist);
if (code) {
- Tprintf ("config file lookup failed: %s\n",
- error_message(code));
+ Tprintf ("config file lookup failed: %s\n",
+ error_message(code));
if (code == PROF_NO_SECTION || code == PROF_NO_RELATION)
- code = KRB5_REALM_UNKNOWN;
- free(host);
- return code;
- }
+ code = KRB5_REALM_UNKNOWN;
+ free(host);
+ return code;
+ }
count = 0;
while (hostlist && hostlist[count])
- count++;
+ count++;
Tprintf ("found %d entries under 'kdc'\n", count);
-
+
if (count == 0) {
profile_free_list(hostlist);
- free(host);
- addrlist->naddrs = 0;
- return 0;
+ free(host);
+ addrlist->naddrs = 0;
+ return 0;
}
-
+
if (get_masters) {
- realm_srv_names[0] = KRB5_CONF_REALMS;
- realm_srv_names[1] = host;
- realm_srv_names[2] = KRB5_CONF_ADMIN_SERVER;
- realm_srv_names[3] = 0;
-
- code = profile_get_values(context->profile, realm_srv_names,
- &masterlist);
-
- free(host);
-
- if (code == 0) {
- for (i=0; masterlist[i]; i++) {
- host = masterlist[i];
-
- /*
- * Strip off excess whitespace
- */
- cp = strchr(host, ' ');
- if (cp)
- *cp = 0;
- cp = strchr(host, '\t');
- if (cp)
- *cp = 0;
- cp = strchr(host, ':');
- if (cp)
- *cp = 0;
- }
- }
+ realm_srv_names[0] = KRB5_CONF_REALMS;
+ realm_srv_names[1] = host;
+ realm_srv_names[2] = KRB5_CONF_ADMIN_SERVER;
+ realm_srv_names[3] = 0;
+
+ code = profile_get_values(context->profile, realm_srv_names,
+ &masterlist);
+
+ free(host);
+
+ if (code == 0) {
+ for (i=0; masterlist[i]; i++) {
+ host = masterlist[i];
+
+ /*
+ * Strip off excess whitespace
+ */
+ cp = strchr(host, ' ');
+ if (cp)
+ *cp = 0;
+ cp = strchr(host, '\t');
+ if (cp)
+ *cp = 0;
+ cp = strchr(host, ':');
+ if (cp)
+ *cp = 0;
+ }
+ }
} else {
- free(host);
+ free(host);
}
/* at this point, if master is non-NULL, then either the master kdc
@@ -392,80 +393,80 @@ krb5_locate_srv_conf_1(krb5_context context, const krb5_data *realm,
#ifdef HAVE_NETINET_IN_H
if (sec_udpport)
- count = count * 2;
+ count = count * 2;
#endif
for (i=0; hostlist[i]; i++) {
- int p1, p2;
-
- host = hostlist[i];
- Tprintf ("entry %d is '%s'\n", i, host);
- /*
- * Strip off excess whitespace
- */
- cp = strchr(host, ' ');
- if (cp)
- *cp = 0;
- cp = strchr(host, '\t');
- if (cp)
- *cp = 0;
- port = strchr(host, ':');
- if (port) {
- *port = 0;
- port++;
- }
-
- ismaster = 0;
- if (masterlist) {
- for (j=0; masterlist[j]; j++) {
- if (strcasecmp(hostlist[i], masterlist[j]) == 0) {
- ismaster = 1;
- }
- }
- }
-
- if (get_masters && !ismaster)
- continue;
-
- if (port) {
- unsigned long l;
+ int p1, p2;
+
+ host = hostlist[i];
+ Tprintf ("entry %d is '%s'\n", i, host);
+ /*
+ * Strip off excess whitespace
+ */
+ cp = strchr(host, ' ');
+ if (cp)
+ *cp = 0;
+ cp = strchr(host, '\t');
+ if (cp)
+ *cp = 0;
+ port = strchr(host, ':');
+ if (port) {
+ *port = 0;
+ port++;
+ }
+
+ ismaster = 0;
+ if (masterlist) {
+ for (j=0; masterlist[j]; j++) {
+ if (strcasecmp(hostlist[i], masterlist[j]) == 0) {
+ ismaster = 1;
+ }
+ }
+ }
+
+ if (get_masters && !ismaster)
+ continue;
+
+ if (port) {
+ unsigned long l;
#ifdef HAVE_STROUL
- char *endptr;
- l = strtoul (port, &endptr, 10);
- if (endptr == NULL || *endptr != 0)
- return EINVAL;
+ char *endptr;
+ l = strtoul (port, &endptr, 10);
+ if (endptr == NULL || *endptr != 0)
+ return EINVAL;
#else
- l = atoi (port);
+ l = atoi (port);
#endif
- /* L is unsigned, don't need to check <0. */
- if (l > 65535)
- return EINVAL;
- p1 = htons (l);
- p2 = 0;
- } else {
- p1 = udpport;
- p2 = sec_udpport;
- }
-
- if (socktype != 0)
- code = add_host_to_list (addrlist, hostlist[i], p1, p2,
- socktype, family);
- else {
- code = add_host_to_list (addrlist, hostlist[i], p1, p2,
- SOCK_DGRAM, family);
- if (code == 0)
- code = add_host_to_list (addrlist, hostlist[i], p1, p2,
- SOCK_STREAM, family);
- }
- if (code) {
- Tprintf ("error %d (%s) returned from add_host_to_list\n", code,
- error_message (code));
- if (hostlist)
- profile_free_list (hostlist);
- if (masterlist)
- profile_free_list (masterlist);
- return code;
- }
+ /* L is unsigned, don't need to check <0. */
+ if (l > 65535)
+ return EINVAL;
+ p1 = htons (l);
+ p2 = 0;
+ } else {
+ p1 = udpport;
+ p2 = sec_udpport;
+ }
+
+ if (socktype != 0)
+ code = add_host_to_list (addrlist, hostlist[i], p1, p2,
+ socktype, family);
+ else {
+ code = add_host_to_list (addrlist, hostlist[i], p1, p2,
+ SOCK_DGRAM, family);
+ if (code == 0)
+ code = add_host_to_list (addrlist, hostlist[i], p1, p2,
+ SOCK_STREAM, family);
+ }
+ if (code) {
+ Tprintf ("error %d (%s) returned from add_host_to_list\n", code,
+ error_message (code));
+ if (hostlist)
+ profile_free_list (hostlist);
+ if (masterlist)
+ profile_free_list (masterlist);
+ return code;
+ }
}
if (hostlist)
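Review bot: The two `return EINVAL;` exits in the port-parsing branch leave the loop without releasing `hostlist` or `masterlist`, whereas the `if (code)` branch a few lines below frees both before returning. Each early return should do the same, e.g. `profile_free_list(hostlist); if (masterlist) profile_free_list(masterlist); return EINVAL;`. The `endptr == NULL` test can also never fire after `strtoul`, so an empty port (`host:`) is accepted as port 0; comparing `endptr == port` would reject it. The `atoi` fallback validates nothing. The function starts and ends outside this hunk.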
@@ -479,17 +480,17 @@ krb5_locate_srv_conf_1(krb5_context context, const krb5_data *realm,
#ifdef TEST
static krb5_error_code
krb5_locate_srv_conf(krb5_context context, const krb5_data *realm,
- const char *name, struct addrlist *al, int get_masters,
- int udpport, int sec_udpport)
+ const char *name, struct addrlist *al, int get_masters,
+ int udpport, int sec_udpport)
{
krb5_error_code ret;
ret = krb5_locate_srv_conf_1 (context, realm, name, al,
- get_masters, 0, udpport, sec_udpport, 0);
+ get_masters, 0, udpport, sec_udpport, 0);
if (ret)
- return ret;
- if (al->naddrs == 0) /* Couldn't resolve any KDC names */
- return KRB5_REALM_CANT_RESOLVE;
+ return ret;
+ if (al->naddrs == 0) /* Couldn't resolve any KDC names */
+ return KRB5_REALM_CANT_RESOLVE;
return 0;
}
#endif
@@ -497,10 +498,10 @@ krb5_locate_srv_conf(krb5_context context, const krb5_data *realm,
#ifdef KRB5_DNS_LOOKUP
static krb5_error_code
krb5_locate_srv_dns_1 (const krb5_data *realm,
- const char *service,
- const char *protocol,
- struct addrlist *addrlist,
- int family)
+ const char *service,
+ const char *protocol,
+ struct addrlist *addrlist,
+ int family)
{
struct srv_dns_entry *head = NULL;
struct srv_dns_entry *entry = NULL, *next;
@@ -508,7 +509,7 @@ krb5_locate_srv_dns_1 (const krb5_data *realm,
code = krb5int_make_srv_query_realm(realm, service, protocol, &head);
if (code)
- return 0;
+ return 0;
/*
* Okay! Now we've got a linked list of entries sorted by
@@ -517,32 +518,32 @@ krb5_locate_srv_dns_1 (const krb5_data *realm,
*/
if (head == NULL)
- return 0;
+ return 0;
/* Check for the "." case indicating no support. */
if (head->next == 0 && head->host[0] == 0) {
- free(head->host);
- free(head);
- return KRB5_ERR_NO_SERVICE;
+ free(head->host);
+ free(head);
+ return KRB5_ERR_NO_SERVICE;
}
Tprintf ("walking answer list:\n");
for (entry = head; entry != NULL; entry = next) {
- Tprintf ("\tport=%d host=%s\n", entry->port, entry->host);
- next = entry->next;
- code = add_host_to_list (addrlist, entry->host, htons (entry->port), 0,
- (strcmp("_tcp", protocol)
- ? SOCK_DGRAM
- : SOCK_STREAM), family);
- if (code) {
- break;
- }
- if (entry == head) {
- free(entry->host);
- free(entry);
- head = next;
- entry = 0;
- }
+ Tprintf ("\tport=%d host=%s\n", entry->port, entry->host);
+ next = entry->next;
+ code = add_host_to_list (addrlist, entry->host, htons (entry->port), 0,
+ (strcmp("_tcp", protocol)
+ ? SOCK_DGRAM
+ : SOCK_STREAM), family);
+ if (code) {
+ break;
+ }
+ if (entry == head) {
+ free(entry->host);
+ free(entry);
+ head = next;
+ entry = 0;
+ }
}
Tprintf ("[end]\n");
@@ -569,59 +570,59 @@ module_callback (void *cbdata, int socktype, struct sockaddr *sa)
{
struct module_callback_data *d = cbdata;
struct {
- struct addrinfo ai;
- union {
- struct sockaddr_in sin;
+ struct addrinfo ai;
+ union {
+ struct sockaddr_in sin;
#ifdef KRB5_USE_INET6
- struct sockaddr_in6 sin6;
+ struct sockaddr_in6 sin6;
#endif
- } u;
+ } u;
} *x;
if (socktype != SOCK_STREAM && socktype != SOCK_DGRAM)
- return 0;
+ return 0;
if (sa->sa_family != AF_INET
#ifdef KRB5_USE_INET6
- && sa->sa_family != AF_INET6
+ && sa->sa_family != AF_INET6
#endif
- )
- return 0;
+ )
+ return 0;
x = calloc (1, sizeof (*x));
if (x == 0) {
- d->out_of_mem = 1;
- return 1;
+ d->out_of_mem = 1;
+ return 1;
}
x->ai.ai_addr = (struct sockaddr *) &x->u;
x->ai.ai_socktype = socktype;
x->ai.ai_family = sa->sa_family;
if (sa->sa_family == AF_INET) {
- x->u.sin = *(struct sockaddr_in *)sa;
- x->ai.ai_addrlen = sizeof(struct sockaddr_in);
+ x->u.sin = *(struct sockaddr_in *)sa;
+ x->ai.ai_addrlen = sizeof(struct sockaddr_in);
}
#ifdef KRB5_USE_INET6
if (sa->sa_family == AF_INET6) {
- x->u.sin6 = *(struct sockaddr_in6 *)sa;
- x->ai.ai_addrlen = sizeof(struct sockaddr_in6);
+ x->u.sin6 = *(struct sockaddr_in6 *)sa;
+ x->ai.ai_addrlen = sizeof(struct sockaddr_in6);
}
#endif
if (add_addrinfo_to_list (d->lp, &x->ai, free, x) != 0) {
- /* Assumes only error is ENOMEM. */
- d->out_of_mem = 1;
- return 1;
+ /* Assumes only error is ENOMEM. */
+ d->out_of_mem = 1;
+ return 1;
}
return 0;
}
static krb5_error_code
module_locate_server (krb5_context ctx, const krb5_data *realm,
- struct addrlist *addrlist,
- enum locate_service_type svc, int socktype, int family)
+ struct addrlist *addrlist,
+ enum locate_service_type svc, int socktype, int family)
{
struct krb5plugin_service_locate_result *res = NULL;
krb5_error_code code;
struct krb5plugin_service_locate_ftable *vtbl = NULL;
void **ptrs;
- char *realmz; /* NUL-terminated realm */
+ char *realmz; /* NUL-terminated realm */
int i;
struct module_callback_data cbdata = { 0, };
const char *msg;
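Review bot: In module_callback, `x` is leaked when `add_addrinfo_to_list` fails: that helper returns before storing the entry if the list cannot grow, so nothing owns the allocation, and the error branch only sets `d->out_of_mem` and returns. Add `free(x);` as the first statement of that branch. The copies `*(struct sockaddr_in *)sa` and `*(struct sockaddr_in6 *)sa` also rely on the plugin passing a buffer at least as large as `sa_family` implies. The callback takes no length argument, so a comment stating that contract above the function would help.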
@@ -629,69 +630,69 @@ module_locate_server (krb5_context ctx, const krb5_data *realm,
Tprintf("in module_locate_server\n");
cbdata.lp = addrlist;
if (!PLUGIN_DIR_OPEN (&ctx->libkrb5_plugins)) {
-
- code = krb5int_open_plugin_dirs (objdirs, NULL, &ctx->libkrb5_plugins,
- &ctx->err);
- if (code)
- return KRB5_PLUGIN_NO_HANDLE;
+
+ code = krb5int_open_plugin_dirs (objdirs, NULL, &ctx->libkrb5_plugins,
+ &ctx->err);
+ if (code)
+ return KRB5_PLUGIN_NO_HANDLE;
}
code = krb5int_get_plugin_dir_data (&ctx->libkrb5_plugins,
- "service_locator", &ptrs, &ctx->err);
+ "service_locator", &ptrs, &ctx->err);
if (code) {
- Tprintf("error looking up plugin symbols: %s\n",
- (msg = krb5_get_error_message(ctx, code)));
- krb5_free_error_message(ctx, msg);
- return KRB5_PLUGIN_NO_HANDLE;
+ Tprintf("error looking up plugin symbols: %s\n",
+ (msg = krb5_get_error_message(ctx, code)));
+ krb5_free_error_message(ctx, msg);
+ return KRB5_PLUGIN_NO_HANDLE;
}
if (realm->length >= UINT_MAX) {
- krb5int_free_plugin_dir_data(ptrs);
- return ENOMEM;
+ krb5int_free_plugin_dir_data(ptrs);
+ return ENOMEM;
}
realmz = malloc(realm->length + 1);
if (realmz == NULL) {
- krb5int_free_plugin_dir_data(ptrs);
- return ENOMEM;
+ krb5int_free_plugin_dir_data(ptrs);
+ return ENOMEM;
}
memcpy(realmz, realm->data, realm->length);
realmz[realm->length] = '\0';
for (i = 0; ptrs[i]; i++) {
- void *blob;
-
- vtbl = ptrs[i];
- Tprintf("element %d is %p\n", i, ptrs[i]);
-
- /* For now, don't keep the plugin data alive. For long-lived
- contexts, it may be desirable to change that later. */
- code = vtbl->init(ctx, &blob);
- if (code)
- continue;
-
- code = vtbl->lookup(blob, svc, realmz, socktype, family,
- module_callback, &cbdata);
- vtbl->fini(blob);
- if (code == KRB5_PLUGIN_NO_HANDLE) {
- /* Module passes, keep going. */
- /* XXX */
- Tprintf("plugin doesn't handle this realm (KRB5_PLUGIN_NO_HANDLE)\n");
- continue;
- }
- if (code != 0) {
- /* Module encountered an actual error. */
- Tprintf("plugin lookup routine returned error %d: %s\n",
- code, error_message(code));
- free(realmz);
- krb5int_free_plugin_dir_data (ptrs);
- return code;
- }
- break;
+ void *blob;
+
+ vtbl = ptrs[i];
+ Tprintf("element %d is %p\n", i, ptrs[i]);
+
+ /* For now, don't keep the plugin data alive. For long-lived
+ contexts, it may be desirable to change that later. */
+ code = vtbl->init(ctx, &blob);
+ if (code)
+ continue;
+
+ code = vtbl->lookup(blob, svc, realmz, socktype, family,
+ module_callback, &cbdata);
+ vtbl->fini(blob);
+ if (code == KRB5_PLUGIN_NO_HANDLE) {
+ /* Module passes, keep going. */
+ /* XXX */
+ Tprintf("plugin doesn't handle this realm (KRB5_PLUGIN_NO_HANDLE)\n");
+ continue;
+ }
+ if (code != 0) {
+ /* Module encountered an actual error. */
+ Tprintf("plugin lookup routine returned error %d: %s\n",
+ code, error_message(code));
+ free(realmz);
+ krb5int_free_plugin_dir_data (ptrs);
+ return code;
+ }
+ break;
}
if (ptrs[i] == NULL) {
- Tprintf("ran off end of plugin list\n");
- free(realmz);
- krb5int_free_plugin_dir_data (ptrs);
- return KRB5_PLUGIN_NO_HANDLE;
+ Tprintf("ran off end of plugin list\n");
+ free(realmz);
+ krb5int_free_plugin_dir_data (ptrs);
+ return KRB5_PLUGIN_NO_HANDLE;
}
Tprintf("stopped with plugin #%d, res=%p\n", i, res);
@@ -705,8 +706,8 @@ module_locate_server (krb5_context ctx, const krb5_data *realm,
static krb5_error_code
prof_locate_server (krb5_context context, const krb5_data *realm,
- struct addrlist *addrlist,
- enum locate_service_type svc, int socktype, int family)
+ struct addrlist *addrlist,
+ enum locate_service_type svc, int socktype, int family)
{
const char *profname;
int dflport1, dflport2 = 0;
@@ -714,81 +715,81 @@ prof_locate_server (krb5_context context, const krb5_data *realm,
switch (svc) {
case locate_service_kdc:
- profname = KRB5_CONF_KDC;
- /* We used to use /etc/services for these, but enough systems
- have old, crufty, wrong settings that this is probably
- better. */
+ profname = KRB5_CONF_KDC;
+ /* We used to use /etc/services for these, but enough systems
+ have old, crufty, wrong settings that this is probably
+ better. */
kdc_ports:
- dflport1 = htons(KRB5_DEFAULT_PORT);
- dflport2 = htons(KRB5_DEFAULT_SEC_PORT);
- break;
+ dflport1 = htons(KRB5_DEFAULT_PORT);
+ dflport2 = htons(KRB5_DEFAULT_SEC_PORT);
+ break;
case locate_service_master_kdc:
- profname = KRB5_CONF_MASTER_KDC;
- goto kdc_ports;
+ profname = KRB5_CONF_MASTER_KDC;
+ goto kdc_ports;
case locate_service_kadmin:
- profname = KRB5_CONF_ADMIN_SERVER;
- dflport1 = htons(DEFAULT_KADM5_PORT);
- break;
+ profname = KRB5_CONF_ADMIN_SERVER;
+ dflport1 = htons(DEFAULT_KADM5_PORT);
+ break;
case locate_service_krb524:
- profname = KRB5_CONF_KRB524_SERVER;
- serv = getservbyname(KRB524_SERVICE, "udp");
- dflport1 = serv ? serv->s_port : htons (KRB524_PORT);
- break;
+ profname = KRB5_CONF_KRB524_SERVER;
+ serv = getservbyname(KRB524_SERVICE, "udp");
+ dflport1 = serv ? serv->s_port : htons (KRB524_PORT);
+ break;
case locate_service_kpasswd:
- profname = KRB5_CONF_KPASSWD_SERVER;
- dflport1 = htons(DEFAULT_KPASSWD_PORT);
- break;
+ profname = KRB5_CONF_KPASSWD_SERVER;
+ dflport1 = htons(DEFAULT_KPASSWD_PORT);
+ break;
default:
- return EBUSY; /* XXX */
+ return EBUSY; /* XXX */
}
return krb5_locate_srv_conf_1 (context, realm, profname, addrlist,
- 0, socktype,
- dflport1, dflport2, family);
+ 0, socktype,
+ dflport1, dflport2, family);
}
static krb5_error_code
dns_locate_server (krb5_context context, const krb5_data *realm,
- struct addrlist *addrlist,
- enum locate_service_type svc, int socktype, int family)
+ struct addrlist *addrlist,
+ enum locate_service_type svc, int socktype, int family)
{
const char *dnsname;
int use_dns = _krb5_use_dns_kdc(context);
krb5_error_code code;
if (!use_dns)
- return KRB5_PLUGIN_NO_HANDLE;
+ return KRB5_PLUGIN_NO_HANDLE;
switch (svc) {
case locate_service_kdc:
- dnsname = "_kerberos";
- break;
+ dnsname = "_kerberos";
+ break;
case locate_service_master_kdc:
- dnsname = "_kerberos-master";
- break;
+ dnsname = "_kerberos-master";
+ break;
case locate_service_kadmin:
- dnsname = "_kerberos-adm";
- break;
+ dnsname = "_kerberos-adm";
+ break;
case locate_service_krb524:
- dnsname = "_krb524";
- break;
+ dnsname = "_krb524";
+ break;
case locate_service_kpasswd:
- dnsname = "_kpasswd";
- break;
+ dnsname = "_kpasswd";
+ break;
default:
- return KRB5_PLUGIN_NO_HANDLE;
+ return KRB5_PLUGIN_NO_HANDLE;
}
code = 0;
if (socktype == SOCK_DGRAM || socktype == 0) {
- code = krb5_locate_srv_dns_1(realm, dnsname, "_udp", addrlist, family);
- if (code)
- Tprintf("dns udp lookup returned error %d\n", code);
+ code = krb5_locate_srv_dns_1(realm, dnsname, "_udp", addrlist, family);
+ if (code)
+ Tprintf("dns udp lookup returned error %d\n", code);
}
if ((socktype == SOCK_STREAM || socktype == 0) && code == 0) {
- code = krb5_locate_srv_dns_1(realm, dnsname, "_tcp", addrlist, family);
- if (code)
- Tprintf("dns tcp lookup returned error %d\n", code);
+ code = krb5_locate_srv_dns_1(realm, dnsname, "_tcp", addrlist, family);
+ if (code)
+ Tprintf("dns tcp lookup returned error %d\n", code);
}
return code;
}
@@ -799,9 +800,9 @@ dns_locate_server (krb5_context context, const krb5_data *realm,
krb5_error_code
krb5int_locate_server (krb5_context context, const krb5_data *realm,
- struct addrlist *addrlist,
- enum locate_service_type svc,
- int socktype, int family)
+ struct addrlist *addrlist,
+ enum locate_service_type svc,
+ int socktype, int family)
{
krb5_error_code code;
struct addrlist al = ADDRLIST_INIT;
@@ -809,54 +810,54 @@ krb5int_locate_server (krb5_context context, const krb5_data *realm,
*addrlist = al;
if (realm == NULL || realm->data == NULL || realm->data[0] == 0) {
- krb5_set_error_message(context, KRB5_REALM_CANT_RESOLVE,
- "Cannot find KDC for invalid realm name \"\"");
- return KRB5_REALM_CANT_RESOLVE;
+ krb5_set_error_message(context, KRB5_REALM_CANT_RESOLVE,
+ "Cannot find KDC for invalid realm name \"\"");
+ return KRB5_REALM_CANT_RESOLVE;
}
code = module_locate_server(context, realm, &al, svc, socktype, family);
Tprintf("module_locate_server returns %d\n", code);
if (code == KRB5_PLUGIN_NO_HANDLE) {
- /*
- * We always try the local file before DNS. Note that there
- * is no way to indicate "service not available" via the
- * config file.
- */
+ /*
+ * We always try the local file before DNS. Note that there
+ * is no way to indicate "service not available" via the
+ * config file.
+ */
- code = prof_locate_server(context, realm, &al, svc, socktype, family);
+ code = prof_locate_server(context, realm, &al, svc, socktype, family);
#ifdef KRB5_DNS_LOOKUP
- if (code) { /* Try DNS for all profile errors? */
- krb5_error_code code2;
- code2 = dns_locate_server(context, realm, &al, svc, socktype,
- family);
- if (code2 != KRB5_PLUGIN_NO_HANDLE)
- code = code2;
- }
+ if (code) { /* Try DNS for all profile errors? */
+ krb5_error_code code2;
+ code2 = dns_locate_server(context, realm, &al, svc, socktype,
+ family);
+ if (code2 != KRB5_PLUGIN_NO_HANDLE)
+ code = code2;
+ }
#endif /* KRB5_DNS_LOOKUP */
- /* We could put more heuristics here, like looking up a hostname
- of "kerberos."+REALM, etc. */
+ /* We could put more heuristics here, like looking up a hostname
+ of "kerberos."+REALM, etc. */
}
if (code == 0)
- Tprintf ("krb5int_locate_server found %d addresses\n",
- al.naddrs);
+ Tprintf ("krb5int_locate_server found %d addresses\n",
+ al.naddrs);
else
- Tprintf ("krb5int_locate_server returning error code %d/%s\n",
- code, error_message(code));
+ Tprintf ("krb5int_locate_server returning error code %d/%s\n",
+ code, error_message(code));
if (code != 0) {
- if (al.space)
- free_list (&al);
- return code;
+ if (al.space)
+ free_list (&al);
+ return code;
}
- if (al.naddrs == 0) { /* No good servers */
- if (al.space)
- free_list (&al);
- krb5_set_error_message(context, KRB5_REALM_CANT_RESOLVE,
- "Cannot resolve network address for KDC in realm \"%.*s\"",
- realm->length, realm->data);
-
- return KRB5_REALM_CANT_RESOLVE;
+ if (al.naddrs == 0) { /* No good servers */
+ if (al.space)
+ free_list (&al);
+ krb5_set_error_message(context, KRB5_REALM_CANT_RESOLVE,
+ "Cannot resolve network address for KDC in realm \"%.*s\"",
+ realm->length, realm->data);
+
+ return KRB5_REALM_CANT_RESOLVE;
}
*addrlist = al;
return 0;
@@ -864,12 +865,12 @@ krb5int_locate_server (krb5_context context, const krb5_data *realm,
krb5_error_code
krb5_locate_kdc(krb5_context context, const krb5_data *realm,
- struct addrlist *addrlist,
- int get_masters, int socktype, int family)
+ struct addrlist *addrlist,
+ int get_masters, int socktype, int family)
{
return krb5int_locate_server(context, realm, addrlist,
- (get_masters
- ? locate_service_master_kdc
- : locate_service_kdc),
- socktype, family);
+ (get_masters
+ ? locate_service_master_kdc
+ : locate_service_kdc),
+ socktype, family);
}
diff --git a/src/lib/krb5/os/lock_file.c b/src/lib/krb5/os/lock_file.c
index 7bbd3e9d65..6565470c05 100644
--- a/src/lib/krb5/os/lock_file.c
+++ b/src/lib/krb5/os/lock_file.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/os/lock_file.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* libos: krb5_lock_file routine
*/
@@ -64,8 +65,8 @@
krb5_error_code
krb5_lock_file(krb5_context context, int fd, int mode)
{
- int lock_flag = -1;
- krb5_error_code retval = 0;
+ int lock_flag = -1;
+ krb5_error_code retval = 0;
#ifdef POSIX_FILE_LOCKS
int lock_cmd = F_SETLKW;
struct flock lock_arg = { 0 };
@@ -74,33 +75,33 @@ krb5_lock_file(krb5_context context, int fd, int mode)
switch (mode & ~KRB5_LOCKMODE_DONTBLOCK) {
case KRB5_LOCKMODE_SHARED:
#ifdef POSIX_FILE_LOCKS
- lock_arg.l_type = F_RDLCK;
+ lock_arg.l_type = F_RDLCK;
#endif
- lock_flag = LOCK_SH;
- break;
+ lock_flag = LOCK_SH;
+ break;
case KRB5_LOCKMODE_EXCLUSIVE:
#ifdef POSIX_FILE_LOCKS
- lock_arg.l_type = F_WRLCK;
+ lock_arg.l_type = F_WRLCK;
#endif
- lock_flag = LOCK_EX;
- break;
+ lock_flag = LOCK_EX;
+ break;
case KRB5_LOCKMODE_UNLOCK:
#ifdef POSIX_FILE_LOCKS
- lock_arg.l_type = F_UNLCK;
+ lock_arg.l_type = F_UNLCK;
#endif
- lock_flag = LOCK_UN;
- break;
+ lock_flag = LOCK_UN;
+ break;
}
if (lock_flag == -1)
- return(KRB5_LIBOS_BADLOCKFLAG);
+ return(KRB5_LIBOS_BADLOCKFLAG);
if (mode & KRB5_LOCKMODE_DONTBLOCK) {
#ifdef POSIX_FILE_LOCKS
- lock_cmd = F_SETLK;
+ lock_cmd = F_SETLK;
#endif
#ifdef HAVE_FLOCK
- lock_flag |= LOCK_NB;
+ lock_flag |= LOCK_NB;
#endif
}
@@ -109,21 +110,21 @@ krb5_lock_file(krb5_context context, int fd, int mode)
lock_arg.l_start = 0;
lock_arg.l_len = 0;
if (fcntl(fd, lock_cmd, &lock_arg) == -1) {
- if (errno == EACCES || errno == EAGAIN) /* see POSIX/IEEE 1003.1-1988,
- 6.5.2.4 */
- return(EAGAIN);
- if (errno != EINVAL) /* Fall back to flock if we get EINVAL */
- return(errno);
- retval = errno;
+ if (errno == EACCES || errno == EAGAIN) /* see POSIX/IEEE 1003.1-1988,
+ 6.5.2.4 */
+ return(EAGAIN);
+ if (errno != EINVAL) /* Fall back to flock if we get EINVAL */
+ return(errno);
+ retval = errno;
} else
- return 0; /* We succeeded. Yay. */
+ return 0; /* We succeeded. Yay. */
#endif
-
+
#ifdef HAVE_FLOCK
if (flock(fd, lock_flag) == -1)
- retval = errno;
+ retval = errno;
#endif
-
+
return retval;
}
#else /* Windows or Macintosh */
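Review bot: When `fcntl` fails with EINVAL, krb5_lock_file stores that errno in `retval` and falls through to `flock`, but a successful `flock` never resets it, so the function still returns EINVAL with the lock actually held. A caller that treats this as failure may skip the matching unlock or proceed as if unlocked. The fallback should assign the result both ways, e.g. `retval = (flock(fd, lock_flag) == -1) ? errno : 0;`. This applies only to builds that define both POSIX_FILE_LOCKS and HAVE_FLOCK.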
diff --git a/src/lib/krb5/os/mk_faddr.c b/src/lib/krb5/os/mk_faddr.c
index d084ded67f..26fb99c843 100644
--- a/src/lib/krb5/os/mk_faddr.c
+++ b/src/lib/krb5/os/mk_faddr.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/os/full_ipadr.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* Take an IP addr & port and generate a full IP address.
*/
@@ -30,7 +31,7 @@
#include "k5-int.h"
#ifdef HAVE_NETINET_IN_H
-
+
#include "os-proto.h"
#if !defined(_WINSOCKAPI_)
@@ -44,12 +45,12 @@ krb5_make_fulladdr(krb5_context context, krb5_address *kaddr, krb5_address *kpor
krb5_int32 tmp32;
krb5_int16 tmp16;
- if ((kport == NULL) || (kport == NULL))
- return EINVAL;
+ if ((kport == NULL) || (kport == NULL))
+ return EINVAL;
raddr->length = kaddr->length + kport->length + (4 * sizeof(krb5_int32));
if (!(raddr->contents = (krb5_octet *)malloc(raddr->length)))
- return ENOMEM;
+ return ENOMEM;
raddr->addrtype = ADDRTYPE_ADDRPORT;
marshal = raddr->contents;
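Review bot: The argument check `if ((kport == NULL) || (kport == NULL))` tests `kport` twice and never tests `kaddr`, which is dereferenced on the next statement as `kaddr->length`. It should read `if ((kaddr == NULL) || (kport == NULL))`. The sum `kaddr->length + kport->length + (4 * sizeof(krb5_int32))` is also passed to `malloc` without a range check. Whether callers can supply lengths large enough to wrap is not visible here, but a bound on both lengths before the addition would make the later marshalling safe by construction. The function body continues outside this hunk.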
diff --git a/src/lib/krb5/os/net_read.c b/src/lib/krb5/os/net_read.c
index 1d07a95d9d..fe84192d10 100644
--- a/src/lib/krb5/os/net_read.c
+++ b/src/lib/krb5/os/net_read.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/os/net_read.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*/
#include "k5-int.h"
@@ -43,23 +44,23 @@ krb5_net_read(krb5_context context, int fd, register char *buf, register int len
int cc, len2 = 0;
do {
- cc = SOCKET_READ((SOCKET)fd, buf, len);
- if (cc < 0) {
- if (SOCKET_ERRNO == SOCKET_EINTR)
- continue;
-
- /* XXX this interface sucks! */
- errno = SOCKET_ERRNO;
-
- return(cc); /* errno is already set */
- }
- else if (cc == 0) {
- return(len2);
- } else {
- buf += cc;
- len2 += cc;
- len -= cc;
- }
+ cc = SOCKET_READ((SOCKET)fd, buf, len);
+ if (cc < 0) {
+ if (SOCKET_ERRNO == SOCKET_EINTR)
+ continue;
+
+ /* XXX this interface sucks! */
+ errno = SOCKET_ERRNO;
+
+ return(cc); /* errno is already set */
+ }
+ else if (cc == 0) {
+ return(len2);
+ } else {
+ buf += cc;
+ len2 += cc;
+ len -= cc;
+ }
} while (len > 0);
return(len2);
}
diff --git a/src/lib/krb5/os/net_write.c b/src/lib/krb5/os/net_write.c
index 35765fb387..d4bcc148f2 100644
--- a/src/lib/krb5/os/net_write.c
+++ b/src/lib/krb5/os/net_write.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/os/net_write.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*/
#include "k5-int.h"
@@ -52,31 +53,31 @@ krb5int_net_writev(krb5_context context, int fd, sg_buf *sgp, int nsg)
SOCKET_WRITEV_TEMP tmp;
while (nsg > 0) {
- /* Skip any empty data blocks. */
- if (SG_LEN(sgp) == 0) {
- sgp++, nsg--;
- continue;
- }
- cc = SOCKET_WRITEV((SOCKET)fd, sgp, nsg, tmp);
- if (cc < 0) {
- if (SOCKET_ERRNO == SOCKET_EINTR)
- continue;
+ /* Skip any empty data blocks. */
+ if (SG_LEN(sgp) == 0) {
+ sgp++, nsg--;
+ continue;
+ }
+ cc = SOCKET_WRITEV((SOCKET)fd, sgp, nsg, tmp);
+ if (cc < 0) {
+ if (SOCKET_ERRNO == SOCKET_EINTR)
+ continue;
- /* XXX this interface sucks! */
- errno = SOCKET_ERRNO;
- return -1;
- }
- len += cc;
- while (cc > 0) {
- if ((unsigned)cc < SG_LEN(sgp)) {
- SG_ADVANCE(sgp, (unsigned)cc);
- cc = 0;
- } else {
- cc -= SG_LEN(sgp);
- sgp++, nsg--;
- assert(nsg > 0 || cc == 0);
- }
- }
+ /* XXX this interface sucks! */
+ errno = SOCKET_ERRNO;
+ return -1;
+ }
+ len += cc;
+ while (cc > 0) {
+ if ((unsigned)cc < SG_LEN(sgp)) {
+ SG_ADVANCE(sgp, (unsigned)cc);
+ cc = 0;
+ } else {
+ cc -= SG_LEN(sgp);
+ sgp++, nsg--;
+ assert(nsg > 0 || cc == 0);
+ }
+ }
}
return len;
}
diff --git a/src/lib/krb5/os/os-proto.h b/src/lib/krb5/os/os-proto.h
index bb2e00ec20..477ffacb0a 100644
--- a/src/lib/krb5/os/os-proto.h
+++ b/src/lib/krb5/os/os-proto.h
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/os/os-proto.h
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* LIBOS internal function prototypes.
*/
@@ -32,26 +33,26 @@
struct addrlist;
krb5_error_code krb5_locate_kdc
- (krb5_context, const krb5_data *, struct addrlist *, int, int, int);
+(krb5_context, const krb5_data *, struct addrlist *, int, int, int);
#ifdef HAVE_NETINET_IN_H
krb5_error_code krb5_unpack_full_ipaddr
- (krb5_context,
- const krb5_address *,
- krb5_int32 *,
- krb5_int16 *);
+(krb5_context,
+ const krb5_address *,
+ krb5_int32 *,
+ krb5_int16 *);
krb5_error_code krb5_make_full_ipaddr
- (krb5_context,
- krb5_int32,
- int, /* unsigned short promotes to signed
- int */
- krb5_address **);
+(krb5_context,
+ krb5_int32,
+ int, /* unsigned short promotes to signed
+ int */
+ krb5_address **);
#endif /* HAVE_NETINET_IN_H */
-krb5_error_code krb5_try_realm_txt_rr(const char *, const char *,
- char **realm);
+krb5_error_code krb5_try_realm_txt_rr(const char *, const char *,
+ char **realm);
/* Obsolete interface - leave prototype here until code removed */
krb5_error_code krb5_secure_config_files(krb5_context ctx);
diff --git a/src/lib/krb5/os/osconfig.c b/src/lib/krb5/os/osconfig.c
index 2fe973dcbb..d04e95ba72 100644
--- a/src/lib/krb5/os/osconfig.c
+++ b/src/lib/krb5/os/osconfig.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/os/osconfig.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* Definition of default configuration parameters.
*
@@ -43,4 +44,3 @@ unsigned int krb5_skdc_timeout_1 = SKDC_TIMEOUT_1;
const char *krb5_default_pwd_prompt1 = DEFAULT_PWD_STRING1;
const char *krb5_default_pwd_prompt2 = DEFAULT_PWD_STRING2;
-
diff --git a/src/lib/krb5/os/port2ip.c b/src/lib/krb5/os/port2ip.c
index 984e65fa34..d4184db112 100644
--- a/src/lib/krb5/os/port2ip.c
+++ b/src/lib/krb5/os/port2ip.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/os/port2ip.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* Take an ADDRPORT address and split into IP addr & port.
*/
@@ -42,23 +43,23 @@ krb5_unpack_full_ipaddr(krb5_context context, const krb5_address *inaddr, krb5_i
krb5_ui_4 templength;
if (inaddr->addrtype != ADDRTYPE_ADDRPORT)
- return KRB5_PROG_ATYPE_NOSUPP;
+ return KRB5_PROG_ATYPE_NOSUPP;
if (inaddr->length != sizeof(smushaddr)+ sizeof(smushport) +
- 2*sizeof(temptype) + 2*sizeof(templength))
- return KRB5_PROG_ATYPE_NOSUPP;
+ 2*sizeof(temptype) + 2*sizeof(templength))
+ return KRB5_PROG_ATYPE_NOSUPP;
marshal = inaddr->contents;
(void) memcpy(&temptype, marshal, sizeof(temptype));
marshal += sizeof(temptype);
if (temptype != htons(ADDRTYPE_INET))
- return KRB5_PROG_ATYPE_NOSUPP;
+ return KRB5_PROG_ATYPE_NOSUPP;
(void) memcpy(&templength, marshal, sizeof(templength));
marshal += sizeof(templength);
if (templength != htonl(sizeof(smushaddr)))
- return KRB5_PROG_ATYPE_NOSUPP;
+ return KRB5_PROG_ATYPE_NOSUPP;
(void) memcpy(&smushaddr, marshal, sizeof(smushaddr));
/* leave in net order */
@@ -67,12 +68,12 @@ krb5_unpack_full_ipaddr(krb5_context context, const krb5_address *inaddr, krb5_i
(void) memcpy(&temptype, marshal, sizeof(temptype));
marshal += sizeof(temptype);
if (temptype != htons(ADDRTYPE_IPPORT))
- return KRB5_PROG_ATYPE_NOSUPP;
+ return KRB5_PROG_ATYPE_NOSUPP;
(void) memcpy(&templength, marshal, sizeof(templength));
marshal += sizeof(templength);
if (templength != htonl(sizeof(smushport)))
- return KRB5_PROG_ATYPE_NOSUPP;
+ return KRB5_PROG_ATYPE_NOSUPP;
(void) memcpy(&smushport, marshal, sizeof(smushport));
/* leave in net order */
diff --git a/src/lib/krb5/os/prompter.c b/src/lib/krb5/os/prompter.c
index 36803ecaf1..e60403590b 100644
--- a/src/lib/krb5/os/prompter.c
+++ b/src/lib/krb5/os/prompter.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
#include "k5-int.h"
#if !defined(_WIN32) || (defined(_WIN32) && defined(__CYGWIN32__))
#include <stdio.h>
@@ -17,40 +18,40 @@ typedef struct sigaction osiginfo;
typedef struct krb5_sigtype (*osiginfo)();
#endif
-static void catch_signals(osiginfo *);
-static void restore_signals(osiginfo *);
-static krb5_sigtype intrfunc(int sig);
+static void catch_signals(osiginfo *);
+static void restore_signals(osiginfo *);
+static krb5_sigtype intrfunc(int sig);
-static krb5_error_code setup_tty(FILE*, int, struct termios *, osiginfo *);
-static krb5_error_code restore_tty(FILE*, struct termios *, osiginfo *);
+static krb5_error_code setup_tty(FILE*, int, struct termios *, osiginfo *);
+static krb5_error_code restore_tty(FILE*, struct termios *, osiginfo *);
-static volatile int got_int; /* should be sig_atomic_t */
+static volatile int got_int; /* should be sig_atomic_t */
krb5_error_code KRB5_CALLCONV
krb5_prompter_posix(
- krb5_context context,
- void *data,
- const char *name,
- const char *banner,
- int num_prompts,
- krb5_prompt prompts[])
+ krb5_context context,
+ void *data,
+ const char *name,
+ const char *banner,
+ int num_prompts,
+ krb5_prompt prompts[])
{
- int fd, i, scratchchar;
- FILE *fp;
- char *retp;
- krb5_error_code errcode;
+ int fd, i, scratchchar;
+ FILE *fp;
+ char *retp;
+ krb5_error_code errcode;
struct termios saveparm;
osiginfo osigint;
errcode = KRB5_LIBOS_CANTREADPWD;
if (name) {
- fputs(name, stdout);
- fputs("\n", stdout);
+ fputs(name, stdout);
+ fputs("\n", stdout);
}
if (banner) {
- fputs(banner, stdout);
- fputs("\n", stdout);
+ fputs(banner, stdout);
+ fputs("\n", stdout);
}
/*
@@ -59,65 +60,65 @@ krb5_prompter_posix(
fp = NULL;
fd = dup(STDIN_FILENO);
if (fd < 0)
- return KRB5_LIBOS_CANTREADPWD;
+ return KRB5_LIBOS_CANTREADPWD;
set_cloexec_fd(fd);
fp = fdopen(fd, "r");
if (fp == NULL)
- goto cleanup;
+ goto cleanup;
if (setvbuf(fp, NULL, _IONBF, 0))
- goto cleanup;
+ goto cleanup;
for (i = 0; i < num_prompts; i++) {
- errcode = KRB5_LIBOS_CANTREADPWD;
- /* fgets() takes int, but krb5_data.length is unsigned. */
- if (prompts[i].reply->length > INT_MAX)
- goto cleanup;
-
- errcode = setup_tty(fp, prompts[i].hidden, &saveparm, &osigint);
- if (errcode)
- break;
-
- /* put out the prompt */
- (void)fputs(prompts[i].prompt, stdout);
- (void)fputs(": ", stdout);
- (void)fflush(stdout);
- (void)memset(prompts[i].reply->data, 0, prompts[i].reply->length);
-
- got_int = 0;
- retp = fgets(prompts[i].reply->data, (int)prompts[i].reply->length,
- fp);
- if (prompts[i].hidden)
- putchar('\n');
- if (retp == NULL) {
- if (got_int)
- errcode = KRB5_LIBOS_PWDINTR;
- else
- errcode = KRB5_LIBOS_CANTREADPWD;
- restore_tty(fp, &saveparm, &osigint);
- break;
- }
-
- /* replace newline with null */
- retp = strchr(prompts[i].reply->data, '\n');
- if (retp != NULL)
- *retp = '\0';
- else {
- /* flush rest of input line */
- do {
- scratchchar = getc(fp);
- } while (scratchchar != EOF && scratchchar != '\n');
- }
-
- errcode = restore_tty(fp, &saveparm, &osigint);
- if (errcode)
- break;
- prompts[i].reply->length = strlen(prompts[i].reply->data);
+ errcode = KRB5_LIBOS_CANTREADPWD;
+ /* fgets() takes int, but krb5_data.length is unsigned. */
+ if (prompts[i].reply->length > INT_MAX)
+ goto cleanup;
+
+ errcode = setup_tty(fp, prompts[i].hidden, &saveparm, &osigint);
+ if (errcode)
+ break;
+
+ /* put out the prompt */
+ (void)fputs(prompts[i].prompt, stdout);
+ (void)fputs(": ", stdout);
+ (void)fflush(stdout);
+ (void)memset(prompts[i].reply->data, 0, prompts[i].reply->length);
+
+ got_int = 0;
+ retp = fgets(prompts[i].reply->data, (int)prompts[i].reply->length,
+ fp);
+ if (prompts[i].hidden)
+ putchar('\n');
+ if (retp == NULL) {
+ if (got_int)
+ errcode = KRB5_LIBOS_PWDINTR;
+ else
+ errcode = KRB5_LIBOS_CANTREADPWD;
+ restore_tty(fp, &saveparm, &osigint);
+ break;
+ }
+
+ /* replace newline with null */
+ retp = strchr(prompts[i].reply->data, '\n');
+ if (retp != NULL)
+ *retp = '\0';
+ else {
+ /* flush rest of input line */
+ do {
+ scratchchar = getc(fp);
+ } while (scratchchar != EOF && scratchchar != '\n');
+ }
+
+ errcode = restore_tty(fp, &saveparm, &osigint);
+ if (errcode)
+ break;
+ prompts[i].reply->length = strlen(prompts[i].reply->data);
}
cleanup:
if (fp != NULL)
- fclose(fp);
+ fclose(fp);
else if (fd >= 0)
- close(fd);
+ close(fd);
return errcode;
}
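Review bot: The `cleanup:` path returns without clearing the reply buffers when a prompt fails, so answers already typed for earlier prompts (and whatever a failed fgets() left behind) stay in caller memory next to an error code. The Windows variant of krb5_prompter_posix further down this file wipes every reply when `errcode` is set. The same loop belongs here under `if (errcode)`: `for (i = 0; i < num_prompts; i++) memset(prompts[i].reply->data, 0, prompts[i].reply->length);`. The function starts before this hunk.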
@@ -155,33 +156,33 @@ restore_signals(osiginfo *osigint)
static krb5_error_code
setup_tty(FILE *fp, int hidden, struct termios *saveparm, osiginfo *osigint)
{
- krb5_error_code ret;
- int fd;
- struct termios tparm;
+ krb5_error_code ret;
+ int fd;
+ struct termios tparm;
ret = KRB5_LIBOS_CANTREADPWD;
catch_signals(osigint);
fd = fileno(fp);
do {
- if (!isatty(fd)) {
- ret = 0;
- break;
- }
- if (tcgetattr(fd, &tparm) < 0)
- break;
- *saveparm = tparm;
+ if (!isatty(fd)) {
+ ret = 0;
+ break;
+ }
+ if (tcgetattr(fd, &tparm) < 0)
+ break;
+ *saveparm = tparm;
#ifndef ECHO_PASSWORD
- if (hidden)
- tparm.c_lflag &= ~(ECHO|ECHONL);
+ if (hidden)
+ tparm.c_lflag &= ~(ECHO|ECHONL);
#endif
- tparm.c_lflag |= ISIG|ICANON;
- if (tcsetattr(STDIN_FILENO, TCSANOW, &tparm) < 0)
- break;
- ret = 0;
+ tparm.c_lflag |= ISIG|ICANON;
+ if (tcsetattr(STDIN_FILENO, TCSANOW, &tparm) < 0)
+ break;
+ ret = 0;
} while (0);
/* If we're losing, restore signal handlers. */
if (ret)
- restore_signals(osigint);
+ restore_signals(osigint);
return ret;
}
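Review bot: setup_tty() reads the terminal attributes from `fd` but applies the modified ones to `STDIN_FILENO`, while restore_tty() writes them back through `fd`. In the caller shown earlier in this diff `fd` is a dup() of STDIN_FILENO, so both refer to the same terminal today. The helper accepts any FILE *, though, and would change the wrong descriptor for another stream. `if (tcsetattr(fd, TCSANOW, &tparm) < 0)` keeps the get, set and restore calls on one descriptor.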
@@ -193,11 +194,11 @@ restore_tty(FILE* fp, struct termios *saveparm, osiginfo *osigint)
ret = 0;
fd = fileno(fp);
if (isatty(fd)) {
- ret = tcsetattr(fd, TCSANOW, saveparm);
- if (ret < 0)
- ret = KRB5_LIBOS_CANTREADPWD;
- else
- ret = 0;
+ ret = tcsetattr(fd, TCSANOW, saveparm);
+ if (ret < 0)
+ ret = KRB5_LIBOS_CANTREADPWD;
+ else
+ ret = 0;
}
restore_signals(osigint);
return ret;
@@ -211,90 +212,90 @@ restore_tty(FILE* fp, struct termios *saveparm, osiginfo *osigint)
krb5_error_code KRB5_CALLCONV
krb5_prompter_posix(krb5_context context,
- void *data,
- const char *name,
- const char *banner,
- int num_prompts,
- krb5_prompt prompts[])
+ void *data,
+ const char *name,
+ const char *banner,
+ int num_prompts,
+ krb5_prompt prompts[])
{
- HANDLE handle;
- DWORD old_mode, new_mode;
- char *ptr;
- int scratchchar;
- krb5_error_code errcode = 0;
- int i;
+ HANDLE handle;
+ DWORD old_mode, new_mode;
+ char *ptr;
+ int scratchchar;
+ krb5_error_code errcode = 0;
+ int i;
handle = GetStdHandle(STD_INPUT_HANDLE);
if (handle == INVALID_HANDLE_VALUE)
- return ENOTTY;
+ return ENOTTY;
if (!GetConsoleMode(handle, &old_mode))
- return ENOTTY;
+ return ENOTTY;
new_mode = old_mode;
new_mode |= ( ENABLE_LINE_INPUT | ENABLE_PROCESSED_INPUT );
new_mode &= ~( ENABLE_ECHO_INPUT );
if (!SetConsoleMode(handle, new_mode))
- return ENOTTY;
+ return ENOTTY;
if (!SetConsoleMode(handle, old_mode))
- return ENOTTY;
+ return ENOTTY;
if (name) {
- fputs(name, stdout);
- fputs("\n", stdout);
+ fputs(name, stdout);
+ fputs("\n", stdout);
}
if (banner) {
- fputs(banner, stdout);
- fputs("\n", stdout);
+ fputs(banner, stdout);
+ fputs("\n", stdout);
}
for (i = 0; i < num_prompts; i++) {
- if (prompts[i].hidden) {
- if (!SetConsoleMode(handle, new_mode)) {
- errcode = ENOTTY;
- goto cleanup;
- }
- }
-
- fputs(prompts[i].prompt,stdout);
- fputs(": ", stdout);
- fflush(stdout);
- memset(prompts[i].reply->data, 0, prompts[i].reply->length);
-
- if (fgets(prompts[i].reply->data, prompts[i].reply->length, stdin)
- == NULL) {
- if (prompts[i].hidden)
- putchar('\n');
- errcode = KRB5_LIBOS_CANTREADPWD;
- goto cleanup;
- }
- if (prompts[i].hidden)
- putchar('\n');
- /* fgets always null-terminates the returned string */
-
- /* replace newline with null */
- if ((ptr = strchr(prompts[i].reply->data, '\n')))
- *ptr = '\0';
- else /* flush rest of input line */
- do {
- scratchchar = getchar();
- } while (scratchchar != EOF && scratchchar != '\n');
-
- prompts[i].reply->length = strlen(prompts[i].reply->data);
-
- if (!SetConsoleMode(handle, old_mode)) {
- errcode = ENOTTY;
- goto cleanup;
- }
+ if (prompts[i].hidden) {
+ if (!SetConsoleMode(handle, new_mode)) {
+ errcode = ENOTTY;
+ goto cleanup;
+ }
+ }
+
+ fputs(prompts[i].prompt,stdout);
+ fputs(": ", stdout);
+ fflush(stdout);
+ memset(prompts[i].reply->data, 0, prompts[i].reply->length);
+
+ if (fgets(prompts[i].reply->data, prompts[i].reply->length, stdin)
+ == NULL) {
+ if (prompts[i].hidden)
+ putchar('\n');
+ errcode = KRB5_LIBOS_CANTREADPWD;
+ goto cleanup;
+ }
+ if (prompts[i].hidden)
+ putchar('\n');
+ /* fgets always null-terminates the returned string */
+
+ /* replace newline with null */
+ if ((ptr = strchr(prompts[i].reply->data, '\n')))
+ *ptr = '\0';
+ else /* flush rest of input line */
+ do {
+ scratchchar = getchar();
+ } while (scratchchar != EOF && scratchchar != '\n');
+
+ prompts[i].reply->length = strlen(prompts[i].reply->data);
+
+ if (!SetConsoleMode(handle, old_mode)) {
+ errcode = ENOTTY;
+ goto cleanup;
+ }
}
- cleanup:
+cleanup:
if (errcode) {
- for (i = 0; i < num_prompts; i++) {
- memset(prompts[i].reply->data, 0, prompts[i].reply->length);
- }
+ for (i = 0; i < num_prompts; i++) {
+ memset(prompts[i].reply->data, 0, prompts[i].reply->length);
+ }
}
return errcode;
}
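Review bot: A failed fgets() on a hidden prompt leaves the console with echo disabled, because the `goto cleanup` exits skip the `SetConsoleMode(handle, old_mode)` at the bottom of the loop and the `cleanup:` label only wipes the replies. Restoring the mode at the label with `(void) SetConsoleMode(handle, old_mode);`, as read_console_password in read_pwd.c does, would cover every exit. This variant also passes `prompts[i].reply->length` to fgets() without the `> INT_MAX` guard that the POSIX variant applies to the same unsigned field.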
@@ -303,11 +304,11 @@ krb5_prompter_posix(krb5_context context,
krb5_error_code KRB5_CALLCONV
krb5_prompter_posix(krb5_context context,
- void *data,
- const char *name,
- const char *banner,
- int num_prompts,
- krb5_prompt prompts[])
+ void *data,
+ const char *name,
+ const char *banner,
+ int num_prompts,
+ krb5_prompt prompts[])
{
return(EINVAL);
}
diff --git a/src/lib/krb5/os/read_msg.c b/src/lib/krb5/os/read_msg.c
index 82a2573763..8d3dfe30c7 100644
--- a/src/lib/krb5/os/read_msg.c
+++ b/src/lib/krb5/os/read_msg.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/os/read_msg.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* Write a message to the network
*/
@@ -33,34 +34,34 @@
krb5_error_code
krb5_read_message(krb5_context context, krb5_pointer fdp, krb5_data *inbuf)
{
- krb5_int32 len;
- int len2, ilen;
- char *buf = NULL;
- int fd = *( (int *) fdp);
+ krb5_int32 len;
+ int len2, ilen;
+ char *buf = NULL;
+ int fd = *( (int *) fdp);
- inbuf->data = NULL;
- inbuf->length = 0;
+ inbuf->data = NULL;
+ inbuf->length = 0;
- if ((len2 = krb5_net_read(context, fd, (char *)&len, 4)) != 4)
- return((len2 < 0) ? errno : ECONNABORTED);
- len = ntohl(len);
+ if ((len2 = krb5_net_read(context, fd, (char *)&len, 4)) != 4)
+ return((len2 < 0) ? errno : ECONNABORTED);
+ len = ntohl(len);
- if ((len & VALID_UINT_BITS) != len) /* Overflow size_t??? */
- return ENOMEM;
+ if ((len & VALID_UINT_BITS) != len) /* Overflow size_t??? */
+ return ENOMEM;
- inbuf->length = ilen = (int) len;
- if (ilen) {
- /*
- * We may want to include a sanity check here someday....
- */
- if (!(buf = malloc(inbuf->length))) {
- return(ENOMEM);
- }
- if ((len2 = krb5_net_read(context, fd, buf, ilen)) != ilen) {
- free(buf);
- return((len2 < 0) ? errno : ECONNABORTED);
- }
- }
- inbuf->data = buf;
- return(0);
+ inbuf->length = ilen = (int) len;
+ if (ilen) {
+ /*
+ * We may want to include a sanity check here someday....
+ */
+ if (!(buf = malloc(inbuf->length))) {
+ return(ENOMEM);
+ }
+ if ((len2 = krb5_net_read(context, fd, buf, ilen)) != ilen) {
+ free(buf);
+ return((len2 < 0) ? errno : ECONNABORTED);
+ }
+ }
+ inbuf->data = buf;
+ return(0);
}
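Review bot: The 4-byte length read from the peer sizes the malloc() with no upper bound, so the remote sender chooses the allocation size; the in-code comment "We may want to include a sanity check here someday" marks the gap. Whether a negative `len` after ntohl() is rejected depends on VALID_UINT_BITS, which is defined outside this hunk; if it is not, a negative `ilen` reaches krb5_net_read as the byte count. A guard before the assignment, `if (len < 0 || len > MAX_MSG_LEN)` with a protocol-appropriate limit, would close both (MAX_MSG_LEN is a placeholder, not an existing constant). On the two failure returns `inbuf->length` still holds the claimed length while `inbuf->data` is NULL, so it should be reset to 0 there.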
diff --git a/src/lib/krb5/os/read_pwd.c b/src/lib/krb5/os/read_pwd.c
index 6f2868da7c..3c88a46e6d 100644
--- a/src/lib/krb5/os/read_pwd.c
+++ b/src/lib/krb5/os/read_pwd.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/os/read_pwd.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* libos: krb5_read_password for BSD 4.3
*/
@@ -43,7 +44,7 @@
krb5_error_code
krb5_read_password(krb5_context context, const char *prompt, const char *prompt2, char *return_pwd, unsigned int *size_return)
{
- krb5_data reply_data;
+ krb5_data reply_data;
krb5_prompt k5prompt;
krb5_error_code retval;
reply_data.length = *size_return; /* NB: size_return is also an input */
@@ -52,29 +53,29 @@ krb5_read_password(krb5_context context, const char *prompt, const char *prompt2
k5prompt.hidden = 1;
k5prompt.reply = &reply_data;
retval = krb5_prompter_posix(NULL,
- NULL, NULL, NULL, 1, &k5prompt);
+ NULL, NULL, NULL, 1, &k5prompt);
if ((retval==0) && prompt2) {
- krb5_data verify_data;
- verify_data.data = malloc(*size_return);
- verify_data.length = *size_return;
- k5prompt.prompt = (char *)prompt2;
- k5prompt.reply = &verify_data;
- if (!verify_data.data)
- return ENOMEM;
- retval = krb5_prompter_posix(NULL,
- NULL,NULL, NULL, 1, &k5prompt);
- if (retval == 0) {
- /* compare */
- if (strncmp(return_pwd, (char *)verify_data.data, *size_return))
- retval = KRB5_LIBOS_BADPWDMATCH;
- }
- free(verify_data.data);
+ krb5_data verify_data;
+ verify_data.data = malloc(*size_return);
+ verify_data.length = *size_return;
+ k5prompt.prompt = (char *)prompt2;
+ k5prompt.reply = &verify_data;
+ if (!verify_data.data)
+ return ENOMEM;
+ retval = krb5_prompter_posix(NULL,
+ NULL,NULL, NULL, 1, &k5prompt);
+ if (retval == 0) {
+ /* compare */
+ if (strncmp(return_pwd, (char *)verify_data.data, *size_return))
+ retval = KRB5_LIBOS_BADPWDMATCH;
+ }
+ free(verify_data.data);
}
if (!retval)
- *size_return = k5prompt.reply->length;
+ *size_return = k5prompt.reply->length;
else
- memset(return_pwd, 0, *size_return);
+ memset(return_pwd, 0, *size_return);
return retval;
}
#endif
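Review bot: The confirmation buffer `verify_data.data` is freed while it still holds the retyped password. The Windows read_console_password in this file clears its `tmpstr` before free(), and this path should do the same with `memset(verify_data.data, 0, *size_return);` ahead of `free(verify_data.data);`, ideally through a wipe the compiler cannot elide. The `return ENOMEM` taken when malloc() fails also bypasses the final memset, leaving the first password in `return_pwd`; add `memset(return_pwd, 0, *size_return);` before that return. The function begins before this hunk.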
@@ -97,10 +98,10 @@ void center_dialog(HWND hwnd)
int dlgwidth, dlgheight;
RECT r;
HDC hdc;
-
+
if (hwnd == NULL)
- return;
-
+ return;
+
GetWindowRect(hwnd, &r);
dlgwidth = r.right - r.left;
dlgheight = r.bottom - r.top ;
@@ -116,87 +117,87 @@ void center_dialog(HWND hwnd)
#ifdef _WIN32
static krb5_error_code
read_console_password(
- krb5_context context,
- const char * prompt,
- const char * prompt2,
- char * password,
- int * pwsize)
+ krb5_context context,
+ const char * prompt,
+ const char * prompt2,
+ char * password,
+ int * pwsize)
{
- HANDLE handle;
- DWORD old_mode, new_mode;
- char *tmpstr = 0;
- char *ptr;
- int scratchchar;
- krb5_error_code errcode = 0;
+ HANDLE handle;
+ DWORD old_mode, new_mode;
+ char *tmpstr = 0;
+ char *ptr;
+ int scratchchar;
+ krb5_error_code errcode = 0;
handle = GetStdHandle(STD_INPUT_HANDLE);
if (handle == INVALID_HANDLE_VALUE)
- return ENOTTY;
+ return ENOTTY;
if (!GetConsoleMode(handle, &old_mode))
- return ENOTTY;
+ return ENOTTY;
new_mode = old_mode;
new_mode |= ( ENABLE_LINE_INPUT | ENABLE_PROCESSED_INPUT );
new_mode &= ~( ENABLE_ECHO_INPUT );
if (!SetConsoleMode(handle, new_mode))
- return ENOTTY;
+ return ENOTTY;
(void) fputs(prompt, stdout);
(void) fflush(stdout);
(void) memset(password, 0, *pwsize);
if (fgets(password, *pwsize, stdin) == NULL) {
- (void) putchar('\n');
- errcode = KRB5_LIBOS_CANTREADPWD;
- goto cleanup;
+ (void) putchar('\n');
+ errcode = KRB5_LIBOS_CANTREADPWD;
+ goto cleanup;
}
(void) putchar('\n');
if ((ptr = strchr(password, '\n')))
- *ptr = '\0';
+ *ptr = '\0';
else /* need to flush */
- do {
- scratchchar = getchar();
- } while (scratchchar != EOF && scratchchar != '\n');
+ do {
+ scratchchar = getchar();
+ } while (scratchchar != EOF && scratchchar != '\n');
if (prompt2) {
- if (! (tmpstr = (char *)malloc(*pwsize))) {
- errcode = ENOMEM;
- goto cleanup;
- }
- (void) fputs(prompt2, stdout);
- (void) fflush(stdout);
- if (fgets(tmpstr, *pwsize, stdin) == NULL) {
- (void) putchar('\n');
- errcode = KRB5_LIBOS_CANTREADPWD;
- goto cleanup;
- }
- (void) putchar('\n');
-
- if ((ptr = strchr(tmpstr, '\n')))
- *ptr = '\0';
- else /* need to flush */
- do {
- scratchchar = getchar();
- } while (scratchchar != EOF && scratchchar != '\n');
-
- if (strncmp(password, tmpstr, *pwsize)) {
- errcode = KRB5_LIBOS_BADPWDMATCH;
- goto cleanup;
- }
+ if (! (tmpstr = (char *)malloc(*pwsize))) {
+ errcode = ENOMEM;
+ goto cleanup;
+ }
+ (void) fputs(prompt2, stdout);
+ (void) fflush(stdout);
+ if (fgets(tmpstr, *pwsize, stdin) == NULL) {
+ (void) putchar('\n');
+ errcode = KRB5_LIBOS_CANTREADPWD;
+ goto cleanup;
+ }
+ (void) putchar('\n');
+
+ if ((ptr = strchr(tmpstr, '\n')))
+ *ptr = '\0';
+ else /* need to flush */
+ do {
+ scratchchar = getchar();
+ } while (scratchchar != EOF && scratchchar != '\n');
+
+ if (strncmp(password, tmpstr, *pwsize)) {
+ errcode = KRB5_LIBOS_BADPWDMATCH;
+ goto cleanup;
+ }
}
cleanup:
(void) SetConsoleMode(handle, old_mode);
if (tmpstr) {
- (void) memset(tmpstr, 0, *pwsize);
- (void) free(tmpstr);
+ (void) memset(tmpstr, 0, *pwsize);
+ (void) free(tmpstr);
}
if (errcode)
- (void) memset(password, 0, *pwsize);
+ (void) memset(password, 0, *pwsize);
else
- *pwsize = strlen(password);
+ *pwsize = strlen(password);
return errcode;
}
#endif
@@ -205,35 +206,35 @@ static int CALLBACK
read_pwd_proc(HWND hdlg, UINT msg, WPARAM wParam, LPARAM lParam)
{
pwd_params *dp;
-
+
switch(msg) {
case WM_INITDIALOG:
- dp = (pwd_params *) lParam;
- SetWindowLongPtr(hdlg, DWLP_USER, lParam);
- SetDlgItemText(hdlg, ID_READ_PWD_PROMPT, dp->pwd_prompt);
- SetDlgItemText(hdlg, ID_READ_PWD_PROMPT2, dp->pwd_prompt2);
- SetDlgItemText(hdlg, ID_READ_PWD_PWD, "");
- center_dialog(hdlg);
- return TRUE;
+ dp = (pwd_params *) lParam;
+ SetWindowLongPtr(hdlg, DWLP_USER, lParam);
+ SetDlgItemText(hdlg, ID_READ_PWD_PROMPT, dp->pwd_prompt);
+ SetDlgItemText(hdlg, ID_READ_PWD_PROMPT2, dp->pwd_prompt2);
+ SetDlgItemText(hdlg, ID_READ_PWD_PWD, "");
+ center_dialog(hdlg);
+ return TRUE;
case WM_COMMAND:
- dp = (pwd_params *) GetWindowLongPtr(hdlg, DWLP_USER);
+ dp = (pwd_params *) GetWindowLongPtr(hdlg, DWLP_USER);
switch (wParam) {
- case IDOK:
- *(dp->pwd_size_return) =
- GetDlgItemText(hdlg, ID_READ_PWD_PWD,
- dp->pwd_return_pwd, *(dp->pwd_size_return));
- EndDialog(hdlg, TRUE);
- break;
-
- case IDCANCEL:
- memset(dp->pwd_return_pwd, 0 , *(dp->pwd_size_return));
- *(dp->pwd_size_return) = 0;
- EndDialog(hdlg, FALSE);
- break;
+ case IDOK:
+ *(dp->pwd_size_return) =
+ GetDlgItemText(hdlg, ID_READ_PWD_PWD,
+ dp->pwd_return_pwd, *(dp->pwd_size_return));
+ EndDialog(hdlg, TRUE);
+ break;
+
+ case IDCANCEL:
+ memset(dp->pwd_return_pwd, 0 , *(dp->pwd_size_return));
+ *(dp->pwd_size_return) = 0;
+ EndDialog(hdlg, FALSE);
+ break;
}
return TRUE;
-
+
default:
return FALSE;
}
@@ -254,8 +255,8 @@ krb5_read_password(context, prompt, prompt2, return_pwd, size_return)
#ifdef _WIN32
if (_isatty(_fileno(stdin)))
- return(read_console_password
- (context, prompt, prompt2, return_pwd, size_return));
+ return(read_console_password
+ (context, prompt, prompt2, return_pwd, size_return));
#endif
dps.pwd_prompt = prompt;
@@ -270,7 +271,7 @@ krb5_read_password(context, prompt, prompt2, return_pwd, size_return)
dlgproc = (FARPROC) MakeProcInstance(read_pwd_proc, hinst);
#endif
rc = DialogBoxParam(hinst, MAKEINTRESOURCE(ID_READ_PWD_DIALOG), 0,
- dlgproc, (LPARAM) &dps);
+ dlgproc, (LPARAM) &dps);
#ifndef _WIN32
FreeProcInstance ((FARPROC) dlgproc);
#endif
@@ -291,7 +292,7 @@ krb5_read_password(context, prompt, prompt2, return_pwd, size_return)
char *return_pwd;
int *size_return;
{
- *size_return = 0;
- return KRB5_LIBOS_CANTREADPWD;
+ *size_return = 0;
+ return KRB5_LIBOS_CANTREADPWD;
}
#endif
diff --git a/src/lib/krb5/os/realm_dom.c b/src/lib/krb5/os/realm_dom.c
index ed44e9d592..8f25caf448 100644
--- a/src/lib/krb5/os/realm_dom.c
+++ b/src/lib/krb5/os/realm_dom.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/os/realm_dom.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_get_realm_domain()
*/
@@ -52,7 +53,7 @@ krb5_get_realm_domain(krb5_context context, const char *realm, char **domain)
char *temp_domain = 0;
retval = profile_get_string(context->profile, KRB5_CONF_REALMS, realm,
- KRB5_CONF_DEFAULT_DOMAIN, realm, &temp_domain);
+ KRB5_CONF_DEFAULT_DOMAIN, realm, &temp_domain);
if (!retval && temp_domain)
{
*domain = strdup(temp_domain);
diff --git a/src/lib/krb5/os/realm_iter.c b/src/lib/krb5/os/realm_iter.c
index 0beaa2f464..cfc9e390eb 100644
--- a/src/lib/krb5/os/realm_iter.c
+++ b/src/lib/krb5/os/realm_iter.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/os/realm_init.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
* krb5_realm_iterate()
*/
@@ -34,11 +35,11 @@ krb5_error_code KRB5_CALLCONV
krb5_realm_iterator_create(krb5_context context, void **iter_p)
{
static const char *const names[] = { "realms", 0 };
-
+
return profile_iterator_create(context->profile, names,
- PROFILE_ITER_LIST_SECTION |
- PROFILE_ITER_SECTIONS_ONLY,
- iter_p);
+ PROFILE_ITER_LIST_SECTION |
+ PROFILE_ITER_SECTIONS_ONLY,
+ iter_p);
}
krb5_error_code KRB5_CALLCONV
diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c
index dcf08d996b..f12be79f45 100644
--- a/src/lib/krb5/os/sendto_kdc.c
+++ b/src/lib/krb5/os/sendto_kdc.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/os/sendto_kdc.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* Send packet to KDC for realm; wait for response, retransmitting
* as necessary.
@@ -53,9 +54,9 @@
#endif
#endif
-#define MAX_PASS 3
-#define DEFAULT_UDP_PREF_LIMIT 1465
-#define HARD_UDP_LIMIT 32700 /* could probably do 64K-epsilon ? */
+#define MAX_PASS 3
+#define DEFAULT_UDP_PREF_LIMIT 1465
+#define HARD_UDP_LIMIT 32700 /* could probably do 64K-epsilon ? */
#undef DEBUG
@@ -68,10 +69,10 @@ static void default_debug_handler (const void *data, size_t len)
#if 0
static FILE *logfile;
if (logfile == NULL) {
- logfile = fopen("/tmp/sendto_kdc.log", "a");
- if (logfile == NULL)
- return;
- setbuf(logfile, NULL);
+ logfile = fopen("/tmp/sendto_kdc.log", "a");
+ if (logfile == NULL)
+ return;
+ setbuf(logfile, NULL);
}
fwrite(data, 1, len, logfile);
#else
@@ -95,7 +96,7 @@ void (*krb5int_sendtokdc_debug_handler) (const void *, size_t) = 0;
#endif
#define dprint krb5int_debug_fprint
- void
+void
krb5int_debug_fprint (const char *fmt, ...)
{
#ifdef DEBUG
@@ -119,131 +120,131 @@ krb5int_debug_fprint (const char *fmt, ...)
struct k5buf buf;
if (!krb5int_debug_sendto_kdc)
- return;
+ return;
va_start(args, fmt);
-#define putf(FMT,X) (snprintf(tmpbuf,sizeof(tmpbuf),FMT,X),putstr(tmpbuf))
+#define putf(FMT,X) (snprintf(tmpbuf,sizeof(tmpbuf),FMT,X),putstr(tmpbuf))
for (; *fmt; fmt++) {
- if (*fmt != '%') {
- const char *fmt2;
- size_t len;
- for (fmt2 = fmt+1; *fmt2; fmt2++)
- if (*fmt2 == '%')
- break;
- len = fmt2 - fmt;
- put(fmt, len);
- fmt += len - 1; /* then fmt++ in loop header */
- continue;
- }
- /* After this, always processing a '%' sequence. */
- fmt++;
- switch (*fmt) {
- case 0:
- default:
- abort();
- case 'E':
- /* %E => krb5_error_code */
- kerr = va_arg(args, krb5_error_code);
- snprintf(tmpbuf, sizeof(tmpbuf), "%lu/", (unsigned long) kerr);
- putstr(tmpbuf);
- p = error_message(kerr);
- putstr(p);
- break;
- case 'm':
- /* %m => errno value (int) */
- /* Like syslog's %m except the errno value is passed in
- rather than the current value. */
- err = va_arg(args, int);
- putf("%d/", err);
- p = NULL;
+ if (*fmt != '%') {
+ const char *fmt2;
+ size_t len;
+ for (fmt2 = fmt+1; *fmt2; fmt2++)
+ if (*fmt2 == '%')
+ break;
+ len = fmt2 - fmt;
+ put(fmt, len);
+ fmt += len - 1; /* then fmt++ in loop header */
+ continue;
+ }
+ /* After this, always processing a '%' sequence. */
+ fmt++;
+ switch (*fmt) {
+ case 0:
+ default:
+ abort();
+ case 'E':
+ /* %E => krb5_error_code */
+ kerr = va_arg(args, krb5_error_code);
+ snprintf(tmpbuf, sizeof(tmpbuf), "%lu/", (unsigned long) kerr);
+ putstr(tmpbuf);
+ p = error_message(kerr);
+ putstr(p);
+ break;
+ case 'm':
+ /* %m => errno value (int) */
+ /* Like syslog's %m except the errno value is passed in
+ rather than the current value. */
+ err = va_arg(args, int);
+ putf("%d/", err);
+ p = NULL;
#ifdef HAVE_STRERROR_R
- if (strerror_r(err, tmpbuf, sizeof(tmpbuf)) == 0)
- p = tmpbuf;
+ if (strerror_r(err, tmpbuf, sizeof(tmpbuf)) == 0)
+ p = tmpbuf;
#endif
- if (p == NULL)
- p = strerror(err);
- putstr(p);
- break;
- case 'F':
- /* %F => fd_set *, fd_set *, fd_set *, int */
- rfds = va_arg(args, fd_set *);
- wfds = va_arg(args, fd_set *);
- xfds = va_arg(args, fd_set *);
- maxfd = va_arg(args, int);
-
- for (i = 0; i < maxfd; i++) {
- int r = FD_ISSET(i, rfds);
- int w = wfds && FD_ISSET(i, wfds);
- int x = xfds && FD_ISSET(i, xfds);
- if (r || w || x) {
- putf(" %d", i);
- if (r)
- putstr("r");
- if (w)
- putstr("w");
- if (x)
- putstr("x");
- }
- }
- putstr(" ");
- break;
- case 's':
- /* %s => char * */
- p = va_arg(args, const char *);
- putstr(p);
- break;
- case 't':
- /* %t => struct timeval * */
- tv = va_arg(args, struct timeval *);
- if (tv) {
- snprintf(tmpbuf, sizeof(tmpbuf), "%ld.%06ld",
- (long) tv->tv_sec, (long) tv->tv_usec);
- putstr(tmpbuf);
- } else
- putstr("never");
- break;
- case 'd':
- /* %d => int */
- putf("%d", va_arg(args, int));
- break;
- case 'p':
- /* %p => pointer */
- putf("%p", va_arg(args, void*));
- break;
- case 'A':
- /* %A => addrinfo */
- ai = va_arg(args, struct addrinfo *);
- krb5int_buf_init_dynamic(&buf);
- if (ai->ai_socktype == SOCK_DGRAM)
- krb5int_buf_add(&buf, "dgram");
- else if (ai->ai_socktype == SOCK_STREAM)
- krb5int_buf_add(&buf, "stream");
- else
- krb5int_buf_add_fmt(&buf, "socktype%d", ai->ai_socktype);
-
- if (0 != getnameinfo (ai->ai_addr, ai->ai_addrlen,
- addrbuf, sizeof (addrbuf),
- portbuf, sizeof (portbuf),
- NI_NUMERICHOST | NI_NUMERICSERV)) {
- if (ai->ai_addr->sa_family == AF_UNSPEC)
- krb5int_buf_add(&buf, " AF_UNSPEC");
- else
- krb5int_buf_add_fmt(&buf, " af%d", ai->ai_addr->sa_family);
- } else
- krb5int_buf_add_fmt(&buf, " %s.%s", addrbuf, portbuf);
- if (krb5int_buf_data(&buf))
- putstr(krb5int_buf_data(&buf));
- krb5int_free_buf(&buf);
- break;
- case 'D':
- /* %D => krb5_data * */
- d = va_arg(args, krb5_data *);
- /* may not be nul-terminated */
- put(d->data, d->length);
- break;
- }
+ if (p == NULL)
+ p = strerror(err);
+ putstr(p);
+ break;
+ case 'F':
+ /* %F => fd_set *, fd_set *, fd_set *, int */
+ rfds = va_arg(args, fd_set *);
+ wfds = va_arg(args, fd_set *);
+ xfds = va_arg(args, fd_set *);
+ maxfd = va_arg(args, int);
+
+ for (i = 0; i < maxfd; i++) {
+ int r = FD_ISSET(i, rfds);
+ int w = wfds && FD_ISSET(i, wfds);
+ int x = xfds && FD_ISSET(i, xfds);
+ if (r || w || x) {
+ putf(" %d", i);
+ if (r)
+ putstr("r");
+ if (w)
+ putstr("w");
+ if (x)
+ putstr("x");
+ }
+ }
+ putstr(" ");
+ break;
+ case 's':
+ /* %s => char * */
+ p = va_arg(args, const char *);
+ putstr(p);
+ break;
+ case 't':
+ /* %t => struct timeval * */
+ tv = va_arg(args, struct timeval *);
+ if (tv) {
+ snprintf(tmpbuf, sizeof(tmpbuf), "%ld.%06ld",
+ (long) tv->tv_sec, (long) tv->tv_usec);
+ putstr(tmpbuf);
+ } else
+ putstr("never");
+ break;
+ case 'd':
+ /* %d => int */
+ putf("%d", va_arg(args, int));
+ break;
+ case 'p':
+ /* %p => pointer */
+ putf("%p", va_arg(args, void*));
+ break;
+ case 'A':
+ /* %A => addrinfo */
+ ai = va_arg(args, struct addrinfo *);
+ krb5int_buf_init_dynamic(&buf);
+ if (ai->ai_socktype == SOCK_DGRAM)
+ krb5int_buf_add(&buf, "dgram");
+ else if (ai->ai_socktype == SOCK_STREAM)
+ krb5int_buf_add(&buf, "stream");
+ else
+ krb5int_buf_add_fmt(&buf, "socktype%d", ai->ai_socktype);
+
+ if (0 != getnameinfo (ai->ai_addr, ai->ai_addrlen,
+ addrbuf, sizeof (addrbuf),
+ portbuf, sizeof (portbuf),
+ NI_NUMERICHOST | NI_NUMERICSERV)) {
+ if (ai->ai_addr->sa_family == AF_UNSPEC)
+ krb5int_buf_add(&buf, " AF_UNSPEC");
+ else
+ krb5int_buf_add_fmt(&buf, " af%d", ai->ai_addr->sa_family);
+ } else
+ krb5int_buf_add_fmt(&buf, " %s.%s", addrbuf, portbuf);
+ if (krb5int_buf_data(&buf))
+ putstr(krb5int_buf_data(&buf));
+ krb5int_free_buf(&buf);
+ break;
+ case 'D':
+ /* %D => krb5_data * */
+ d = va_arg(args, krb5_data *);
+ /* may not be nul-terminated */
+ put(d->data, d->length);
+ break;
+ }
}
va_end(args);
#endif
@@ -256,7 +257,7 @@ print_addrlist (const struct addrlist *a)
int i;
dprint("%d{", a->naddrs);
for (i = 0; i < a->naddrs; i++)
- dprint("%s%p=%A", i ? "," : "", (void*)a->addrs[i].ai, a->addrs[i].ai);
+ dprint("%s%p=%A", i ? "," : "", (void*)a->addrs[i].ai, a->addrs[i].ai);
dprint("}");
}
@@ -269,26 +270,26 @@ merge_addrlists (struct addrlist *dest, struct addrlist *src)
dprint("merging addrlists:\n\tlist1: ");
for (i = 0; i < dest->naddrs; i++)
- dprint(" %A", dest->addrs[i].ai);
+ dprint(" %A", dest->addrs[i].ai);
dprint("\n\tlist2: ");
for (i = 0; i < src->naddrs; i++)
- dprint(" %A", src->addrs[i].ai);
+ dprint(" %A", src->addrs[i].ai);
dprint("\n");
err = krb5int_grow_addrlist (dest, src->naddrs);
if (err)
- return err;
+ return err;
for (i = 0; i < src->naddrs; i++) {
- dest->addrs[dest->naddrs + i] = src->addrs[i];
- src->addrs[i].ai = 0;
- src->addrs[i].freefn = 0;
+ dest->addrs[dest->naddrs + i] = src->addrs[i];
+ src->addrs[i].ai = 0;
+ src->addrs[i].freefn = 0;
}
dest->naddrs += i;
src->naddrs = 0;
dprint("\tout: ");
for (i = 0; i < dest->naddrs; i++)
- dprint(" %A", dest->addrs[i].ai);
+ dprint(" %A", dest->addrs[i].ai);
dprint("\n");
return 0;
@@ -299,33 +300,33 @@ in_addrlist (struct addrinfo *thisaddr, struct addrlist *list)
{
int i;
for (i = 0; i < list->naddrs; i++) {
- if (thisaddr->ai_addrlen == list->addrs[i].ai->ai_addrlen
- && !memcmp(thisaddr->ai_addr, list->addrs[i].ai->ai_addr,
- thisaddr->ai_addrlen))
- return 1;
+ if (thisaddr->ai_addrlen == list->addrs[i].ai->ai_addrlen
+ && !memcmp(thisaddr->ai_addr, list->addrs[i].ai->ai_addr,
+ thisaddr->ai_addrlen))
+ return 1;
}
return 0;
}
static int
check_for_svc_unavailable (krb5_context context,
- const krb5_data *reply,
- void *msg_handler_data)
+ const krb5_data *reply,
+ void *msg_handler_data)
{
krb5_error_code *retval = (krb5_error_code *)msg_handler_data;
*retval = 0;
if (krb5_is_krb_error(reply)) {
- krb5_error *err_reply;
+ krb5_error *err_reply;
- if (decode_krb5_error(reply, &err_reply) == 0) {
- *retval = err_reply->error;
- krb5_free_error(context, err_reply);
+ if (decode_krb5_error(reply, &err_reply) == 0) {
+ *retval = err_reply->error;
+ krb5_free_error(context, err_reply);
- /* Returning 0 means continue to next KDC */
- return (*retval != KDC_ERR_SVC_UNAVAILABLE);
- }
+ /* Returning 0 means continue to next KDC */
+ return (*retval != KDC_ERR_SVC_UNAVAILABLE);
+ }
}
return 1;
@@ -344,8 +345,8 @@ check_for_svc_unavailable (krb5_context context,
krb5_error_code
krb5_sendto_kdc (krb5_context context, const krb5_data *message,
- const krb5_data *realm, krb5_data *reply,
- int *use_master, int tcp_only)
+ const krb5_data *realm, krb5_data *reply,
+ int *use_master, int tcp_only)
{
krb5_error_code retval, retval2;
struct addrlist addrs;
@@ -365,94 +366,94 @@ krb5_sendto_kdc (krb5_context context, const krb5_data *message,
*/
dprint("krb5_sendto_kdc(%d@%p, \"%D\", use_master=%d, tcp_only=%d)\n",
- message->length, message->data, realm, *use_master, tcp_only);
+ message->length, message->data, realm, *use_master, tcp_only);
if (!tcp_only && context->udp_pref_limit < 0) {
- int tmp;
- retval = profile_get_integer(context->profile,
- KRB5_CONF_LIBDEFAULTS, KRB5_CONF_UDP_PREFERENCE_LIMIT, 0,
- DEFAULT_UDP_PREF_LIMIT, &tmp);
- if (retval)
- return retval;
- if (tmp < 0)
- tmp = DEFAULT_UDP_PREF_LIMIT;
- else if (tmp > HARD_UDP_LIMIT)
- /* In the unlikely case that a *really* big value is
- given, let 'em use as big as we think we can
- support. */
- tmp = HARD_UDP_LIMIT;
- context->udp_pref_limit = tmp;
+ int tmp;
+ retval = profile_get_integer(context->profile,
+ KRB5_CONF_LIBDEFAULTS, KRB5_CONF_UDP_PREFERENCE_LIMIT, 0,
+ DEFAULT_UDP_PREF_LIMIT, &tmp);
+ if (retval)
+ return retval;
+ if (tmp < 0)
+ tmp = DEFAULT_UDP_PREF_LIMIT;
+ else if (tmp > HARD_UDP_LIMIT)
+ /* In the unlikely case that a *really* big value is
+ given, let 'em use as big as we think we can
+ support. */
+ tmp = HARD_UDP_LIMIT;
+ context->udp_pref_limit = tmp;
}
retval = (*use_master ? KRB5_KDC_UNREACH : KRB5_REALM_UNKNOWN);
if (tcp_only)
- socktype1 = SOCK_STREAM, socktype2 = 0;
+ socktype1 = SOCK_STREAM, socktype2 = 0;
else if (message->length <= context->udp_pref_limit)
- socktype1 = SOCK_DGRAM, socktype2 = SOCK_STREAM;
+ socktype1 = SOCK_DGRAM, socktype2 = SOCK_STREAM;
else
- socktype1 = SOCK_STREAM, socktype2 = SOCK_DGRAM;
+ socktype1 = SOCK_STREAM, socktype2 = SOCK_DGRAM;
retval = krb5_locate_kdc(context, realm, &addrs, *use_master, socktype1, 0);
if (socktype2) {
- struct addrlist addrs2;
+ struct addrlist addrs2;
- retval2 = krb5_locate_kdc(context, realm, &addrs2, *use_master,
- socktype2, 0);
+ retval2 = krb5_locate_kdc(context, realm, &addrs2, *use_master,
+ socktype2, 0);
#if 0
- if (retval2 == 0) {
- (void) merge_addrlists(&addrs, &addrs2);
- krb5int_free_addrlist(&addrs2);
- retval = 0;
- } else if (retval == KRB5_REALM_CANT_RESOLVE) {
- retval = retval2;
- }
+ if (retval2 == 0) {
+ (void) merge_addrlists(&addrs, &addrs2);
+ krb5int_free_addrlist(&addrs2);
+ retval = 0;
+ } else if (retval == KRB5_REALM_CANT_RESOLVE) {
+ retval = retval2;
+ }
#else
- retval = retval2;
- if (retval == 0) {
- (void) merge_addrlists(&addrs, &addrs2);
- krb5int_free_addrlist(&addrs2);
- }
+ retval = retval2;
+ if (retval == 0) {
+ (void) merge_addrlists(&addrs, &addrs2);
+ krb5int_free_addrlist(&addrs2);
+ }
#endif
}
if (addrs.naddrs > 0) {
- krb5_error_code err = 0;
+ krb5_error_code err = 0;
retval = krb5int_sendto (context, message, &addrs, 0, reply, 0, 0,
- 0, 0, &addr_used, check_for_svc_unavailable, &err);
- switch (retval) {
- case 0:
+ 0, 0, &addr_used, check_for_svc_unavailable, &err);
+ switch (retval) {
+ case 0:
/*
* Set use_master to 1 if we ended up talking to a master when
* we didn't explicitly request to
*/
if (*use_master == 0) {
struct addrlist addrs3;
- retval = krb5_locate_kdc(context, realm, &addrs3, 1,
+ retval = krb5_locate_kdc(context, realm, &addrs3, 1,
addrs.addrs[addr_used].ai->ai_socktype,
addrs.addrs[addr_used].ai->ai_family);
if (retval == 0) {
- if (in_addrlist(addrs.addrs[addr_used].ai, &addrs3))
- *use_master = 1;
+ if (in_addrlist(addrs.addrs[addr_used].ai, &addrs3))
+ *use_master = 1;
krb5int_free_addrlist (&addrs3);
}
}
krb5int_free_addrlist (&addrs);
return 0;
- default:
- break;
- /* Cases here are for constructing useful error messages. */
- case KRB5_KDC_UNREACH:
- if (err == KDC_ERR_SVC_UNAVAILABLE) {
- retval = KRB5KDC_ERR_SVC_UNAVAILABLE;
- } else {
- krb5_set_error_message(context, retval,
- "Cannot contact any KDC for realm '%.*s'",
- realm->length, realm->data);
- }
- break;
- }
+ default:
+ break;
+ /* Cases here are for constructing useful error messages. */
+ case KRB5_KDC_UNREACH:
+ if (err == KDC_ERR_SVC_UNAVAILABLE) {
+ retval = KRB5KDC_ERR_SVC_UNAVAILABLE;
+ } else {
+ krb5_set_error_message(context, retval,
+ "Cannot contact any KDC for realm '%.*s'",
+ realm->length, realm->data);
+ }
+ break;
+ }
krb5int_free_addrlist (&addrs);
}
return retval;
@@ -461,10 +462,10 @@ krb5_sendto_kdc (krb5_context context, const krb5_data *message,
#ifdef DEBUG
#ifdef _WIN32
-#define dperror(MSG) \
- dprint("%s: an error occurred ... " \
- "\tline=%d errno=%m socketerrno=%m\n", \
- (MSG), __LINE__, errno, SOCKET_ERRNO)
+#define dperror(MSG) \
+ dprint("%s: an error occurred ... " \
+ "\tline=%d errno=%m socketerrno=%m\n", \
+ (MSG), __LINE__, errno, SOCKET_ERRNO)
#else
#define dperror(MSG) dprint("%s: %m\n", MSG, errno)
#endif
@@ -510,8 +511,8 @@ static int getcurtime (struct timeval *tvp)
return 0;
#else
if (gettimeofday(tvp, 0)) {
- dperror("gettimeofday");
- return errno;
+ dperror("gettimeofday");
+ return errno;
}
return 0;
#endif
@@ -525,7 +526,7 @@ static int getcurtime (struct timeval *tvp)
*/
krb5_error_code
krb5int_cm_call_select (const struct select_state *in,
- struct select_state *out, int *sret)
+ struct select_state *out, int *sret)
{
struct timeval now, *timo;
krb5_error_code e;
@@ -533,65 +534,65 @@ krb5int_cm_call_select (const struct select_state *in,
*out = *in;
e = getcurtime(&now);
if (e)
- return e;
+ return e;
if (out->end_time.tv_sec == 0)
- timo = 0;
+ timo = 0;
else {
- timo = &out->end_time;
- out->end_time.tv_sec -= now.tv_sec;
- out->end_time.tv_usec -= now.tv_usec;
- if (out->end_time.tv_usec < 0) {
- out->end_time.tv_usec += 1000000;
- out->end_time.tv_sec--;
- }
- if (out->end_time.tv_sec < 0) {
- *sret = 0;
- return 0;
- }
+ timo = &out->end_time;
+ out->end_time.tv_sec -= now.tv_sec;
+ out->end_time.tv_usec -= now.tv_usec;
+ if (out->end_time.tv_usec < 0) {
+ out->end_time.tv_usec += 1000000;
+ out->end_time.tv_sec--;
+ }
+ if (out->end_time.tv_sec < 0) {
+ *sret = 0;
+ return 0;
+ }
}
dprint("selecting on max=%d sockets [%F] timeout %t\n",
- out->max,
- &out->rfds, &out->wfds, &out->xfds, out->max,
- timo);
+ out->max,
+ &out->rfds, &out->wfds, &out->xfds, out->max,
+ timo);
*sret = select(out->max, &out->rfds, &out->wfds, &out->xfds, timo);
e = SOCKET_ERRNO;
dprint("select returns %d", *sret);
if (*sret < 0)
- dprint(", error = %E\n", e);
+ dprint(", error = %E\n", e);
else if (*sret == 0)
- dprint(" (timeout)\n");
+ dprint(" (timeout)\n");
else
- dprint(":%F\n", &out->rfds, &out->wfds, &out->xfds, out->max);
+ dprint(":%F\n", &out->rfds, &out->wfds, &out->xfds, out->max);
if (*sret < 0)
- return e;
+ return e;
return 0;
}
static int service_tcp_fd (struct conn_state *conn,
- struct select_state *selstate, int ssflags);
+ struct select_state *selstate, int ssflags);
static int service_udp_fd (struct conn_state *conn,
- struct select_state *selstate, int ssflags);
+ struct select_state *selstate, int ssflags);
static void
set_conn_state_msg_length (struct conn_state *state, const krb5_data *message)
{
- if (!message || message->length == 0)
- return;
+ if (!message || message->length == 0)
+ return;
if (!state->is_udp) {
- store_32_be(message->length, state->x.out.msg_len_buf);
- SG_SET(&state->x.out.sgbuf[0], state->x.out.msg_len_buf, 4);
- SG_SET(&state->x.out.sgbuf[1], message->data, message->length);
- state->x.out.sg_count = 2;
+ store_32_be(message->length, state->x.out.msg_len_buf);
+ SG_SET(&state->x.out.sgbuf[0], state->x.out.msg_len_buf, 4);
+ SG_SET(&state->x.out.sgbuf[1], message->data, message->length);
+ state->x.out.sg_count = 2;
} else {
- SG_SET(&state->x.out.sgbuf[0], message->data, message->length);
- SG_SET(&state->x.out.sgbuf[1], 0, 0);
- state->x.out.sg_count = 1;
+ SG_SET(&state->x.out.sgbuf[0], message->data, message->length);
+ SG_SET(&state->x.out.sgbuf[1], 0, 0);
+ state->x.out.sg_count = 1;
}
}
@@ -600,7 +601,7 @@ set_conn_state_msg_length (struct conn_state *state, const krb5_data *message)
static void
setup_connection (struct conn_state *state, struct addrinfo *ai,
- const krb5_data *message, char **udpbufp)
+ const krb5_data *message, char **udpbufp)
{
state->state = INITIALIZING;
state->err = 0;
@@ -609,103 +610,103 @@ setup_connection (struct conn_state *state, struct addrinfo *ai,
state->fd = INVALID_SOCKET;
SG_SET(&state->x.out.sgbuf[1], 0, 0);
if (ai->ai_socktype == SOCK_STREAM) {
- /*
- SG_SET(&state->x.out.sgbuf[0], message_len_buf, 4);
- SG_SET(&state->x.out.sgbuf[1], message->data, message->length);
- state->x.out.sg_count = 2;
- */
-
- state->is_udp = 0;
- state->service = service_tcp_fd;
- set_conn_state_msg_length (state, message);
+ /*
+ SG_SET(&state->x.out.sgbuf[0], message_len_buf, 4);
+ SG_SET(&state->x.out.sgbuf[1], message->data, message->length);
+ state->x.out.sg_count = 2;
+ */
+
+ state->is_udp = 0;
+ state->service = service_tcp_fd;
+ set_conn_state_msg_length (state, message);
} else {
- /*
- SG_SET(&state->x.out.sgbuf[0], message->data, message->length);
- SG_SET(&state->x.out.sgbuf[1], 0, 0);
- state->x.out.sg_count = 1;
- */
-
- state->is_udp = 1;
- state->service = service_udp_fd;
- set_conn_state_msg_length (state, message);
-
- if (*udpbufp == 0) {
- *udpbufp = malloc(krb5_max_dgram_size);
- if (*udpbufp == 0) {
- dperror("malloc(krb5_max_dgram_size)");
- state->state = FAILED;
- return;
- }
- }
- state->x.in.buf = *udpbufp;
- state->x.in.bufsize = krb5_max_dgram_size;
+ /*
+ SG_SET(&state->x.out.sgbuf[0], message->data, message->length);
+ SG_SET(&state->x.out.sgbuf[1], 0, 0);
+ state->x.out.sg_count = 1;
+ */
+
+ state->is_udp = 1;
+ state->service = service_udp_fd;
+ set_conn_state_msg_length (state, message);
+
+ if (*udpbufp == 0) {
+ *udpbufp = malloc(krb5_max_dgram_size);
+ if (*udpbufp == 0) {
+ dperror("malloc(krb5_max_dgram_size)");
+ state->state = FAILED;
+ return;
+ }
+ }
+ state->x.in.buf = *udpbufp;
+ state->x.in.bufsize = krb5_max_dgram_size;
}
}
static int
-start_connection (struct conn_state *state,
- struct select_state *selstate,
- struct sendto_callback_info* callback_info,
+start_connection (struct conn_state *state,
+ struct select_state *selstate,
+ struct sendto_callback_info* callback_info,
krb5_data* callback_buffer)
{
int fd, e;
struct addrinfo *ai = state->addr;
dprint("start_connection(@%p)\ngetting %s socket in family %d...", state,
- ai->ai_socktype == SOCK_STREAM ? "stream" : "dgram", ai->ai_family);
+ ai->ai_socktype == SOCK_STREAM ? "stream" : "dgram", ai->ai_family);
fd = socket(ai->ai_family, ai->ai_socktype, 0);
if (fd == INVALID_SOCKET) {
- state->err = SOCKET_ERRNO;
- dprint("socket: %m creating with af %d\n", state->err, ai->ai_family);
- return -1; /* try other hosts */
+ state->err = SOCKET_ERRNO;
+ dprint("socket: %m creating with af %d\n", state->err, ai->ai_family);
+ return -1; /* try other hosts */
}
#ifndef _WIN32 /* On Windows FD_SETSIZE is a count, not a max value. */
if (fd >= FD_SETSIZE) {
- closesocket(fd);
- state->err = EMFILE;
- dprint("socket: fd %d too high\n", fd);
- return -1;
+ closesocket(fd);
+ state->err = EMFILE;
+ dprint("socket: fd %d too high\n", fd);
+ return -1;
}
#endif
set_cloexec_fd(fd);
/* Make it non-blocking. */
if (ai->ai_socktype == SOCK_STREAM) {
- static const int one = 1;
- static const struct linger lopt = { 0, 0 };
+ static const int one = 1;
+ static const struct linger lopt = { 0, 0 };
- if (ioctlsocket(fd, FIONBIO, (const void *) &one))
- dperror("sendto_kdc: ioctl(FIONBIO)");
- if (setsockopt(fd, SOL_SOCKET, SO_LINGER, &lopt, sizeof(lopt)))
- dperror("sendto_kdc: setsockopt(SO_LINGER)");
+ if (ioctlsocket(fd, FIONBIO, (const void *) &one))
+ dperror("sendto_kdc: ioctl(FIONBIO)");
+ if (setsockopt(fd, SOL_SOCKET, SO_LINGER, &lopt, sizeof(lopt)))
+ dperror("sendto_kdc: setsockopt(SO_LINGER)");
}
/* Start connecting to KDC. */
dprint(" fd %d; connecting to %A...\n", fd, ai);
e = connect(fd, ai->ai_addr, ai->ai_addrlen);
if (e != 0) {
- /*
- * This is the path that should be followed for non-blocking
- * connections.
- */
- if (SOCKET_ERRNO == EINPROGRESS || SOCKET_ERRNO == EWOULDBLOCK) {
- state->state = CONNECTING;
- state->fd = fd;
- } else {
- dprint("connect failed: %m\n", SOCKET_ERRNO);
- (void) closesocket(fd);
- state->err = SOCKET_ERRNO;
- state->state = FAILED;
- return -2;
- }
+ /*
+ * This is the path that should be followed for non-blocking
+ * connections.
+ */
+ if (SOCKET_ERRNO == EINPROGRESS || SOCKET_ERRNO == EWOULDBLOCK) {
+ state->state = CONNECTING;
+ state->fd = fd;
+ } else {
+ dprint("connect failed: %m\n", SOCKET_ERRNO);
+ (void) closesocket(fd);
+ state->err = SOCKET_ERRNO;
+ state->state = FAILED;
+ return -2;
+ }
} else {
- /*
- * Connect returned zero even though we tried to make it
- * non-blocking, which should have caused it to return before
- * finishing the connection. Oh well. Someone's network
- * stack is broken, but if they gave us a connection, use it.
- */
- state->state = WRITING;
- state->fd = fd;
+ /*
+ * Connect returned zero even though we tried to make it
+ * non-blocking, which should have caused it to return before
+ * finishing the connection. Oh well. Someone's network
+ * stack is broken, but if they gave us a connection, use it.
+ */
+ state->state = WRITING;
+ state->fd = fd;
}
dprint("new state = %s\n", state_strings[state->state]);
@@ -716,68 +717,68 @@ start_connection (struct conn_state *state,
*/
if (callback_info) {
- e = callback_info->pfn_callback(state,
- callback_info->context,
- callback_buffer);
- if (e != 0) {
- dprint("callback failed: %m\n", e);
- (void) closesocket(fd);
- state->err = e;
- state->fd = INVALID_SOCKET;
- state->state = FAILED;
- return -3;
- }
-
- dprint("callback %p (message=%d@%p)\n",
- state,
- callback_buffer->length,
- callback_buffer->data);
-
- set_conn_state_msg_length( state, callback_buffer );
+ e = callback_info->pfn_callback(state,
+ callback_info->context,
+ callback_buffer);
+ if (e != 0) {
+ dprint("callback failed: %m\n", e);
+ (void) closesocket(fd);
+ state->err = e;
+ state->fd = INVALID_SOCKET;
+ state->state = FAILED;
+ return -3;
+ }
+
+ dprint("callback %p (message=%d@%p)\n",
+ state,
+ callback_buffer->length,
+ callback_buffer->data);
+
+ set_conn_state_msg_length( state, callback_buffer );
}
if (ai->ai_socktype == SOCK_DGRAM) {
- /* Send it now. */
- int ret;
- sg_buf *sg = &state->x.out.sgbuf[0];
-
- dprint("sending %d bytes on fd %d\n", SG_LEN(sg), state->fd);
- ret = send(state->fd, SG_BUF(sg), SG_LEN(sg), 0);
- if (ret != SG_LEN(sg)) {
- dperror("sendto");
- (void) closesocket(state->fd);
- state->fd = INVALID_SOCKET;
- state->state = FAILED;
- return -4;
- } else {
- state->state = READING;
- }
+ /* Send it now. */
+ int ret;
+ sg_buf *sg = &state->x.out.sgbuf[0];
+
+ dprint("sending %d bytes on fd %d\n", SG_LEN(sg), state->fd);
+ ret = send(state->fd, SG_BUF(sg), SG_LEN(sg), 0);
+ if (ret != SG_LEN(sg)) {
+ dperror("sendto");
+ (void) closesocket(state->fd);
+ state->fd = INVALID_SOCKET;
+ state->state = FAILED;
+ return -4;
+ } else {
+ state->state = READING;
+ }
}
#ifdef DEBUG
if (debug) {
- struct sockaddr_storage ss;
- socklen_t sslen = sizeof(ss);
- if (getsockname(state->fd, (struct sockaddr *)&ss, &sslen) == 0) {
- struct addrinfo hack_ai;
- memset(&hack_ai, 0, sizeof(hack_ai));
- hack_ai.ai_addr = (struct sockaddr *) &ss;
- hack_ai.ai_addrlen = sslen;
- hack_ai.ai_socktype = SOCK_DGRAM;
- hack_ai.ai_family = ai->ai_family;
- dprint("local socket address is %A\n", &hack_ai);
- }
+ struct sockaddr_storage ss;
+ socklen_t sslen = sizeof(ss);
+ if (getsockname(state->fd, (struct sockaddr *)&ss, &sslen) == 0) {
+ struct addrinfo hack_ai;
+ memset(&hack_ai, 0, sizeof(hack_ai));
+ hack_ai.ai_addr = (struct sockaddr *) &ss;
+ hack_ai.ai_addrlen = sslen;
+ hack_ai.ai_socktype = SOCK_DGRAM;
+ hack_ai.ai_family = ai->ai_family;
+ dprint("local socket address is %A\n", &hack_ai);
+ }
}
#endif
FD_SET(state->fd, &selstate->rfds);
if (state->state == CONNECTING || state->state == WRITING)
- FD_SET(state->fd, &selstate->wfds);
+ FD_SET(state->fd, &selstate->wfds);
FD_SET(state->fd, &selstate->xfds);
if (selstate->max <= state->fd)
- selstate->max = state->fd + 1;
+ selstate->max = state->fd + 1;
selstate->nfds++;
dprint("new select vectors: %F\n",
- &selstate->rfds, &selstate->wfds, &selstate->xfds, selstate->max);
+ &selstate->rfds, &selstate->wfds, &selstate->xfds, selstate->max);
return 0;
}
@@ -787,30 +788,30 @@ start_connection (struct conn_state *state,
Otherwise, the caller should immediately move on to process the
next connection. */
static int
-maybe_send (struct conn_state *conn,
- struct select_state *selstate,
- struct sendto_callback_info* callback_info,
- krb5_data* callback_buffer)
+maybe_send (struct conn_state *conn,
+ struct select_state *selstate,
+ struct sendto_callback_info* callback_info,
+ krb5_data* callback_buffer)
{
sg_buf *sg;
dprint("maybe_send(@%p) state=%s type=%s\n", conn,
- state_strings[conn->state],
- conn->is_udp ? "udp" : "tcp");
+ state_strings[conn->state],
+ conn->is_udp ? "udp" : "tcp");
if (conn->state == INITIALIZING)
- return start_connection(conn, selstate, callback_info, callback_buffer);
+ return start_connection(conn, selstate, callback_info, callback_buffer);
/* Did we already shut down this channel? */
if (conn->state == FAILED) {
- dprint("connection already closed\n");
- return -1;
+ dprint("connection already closed\n");
+ return -1;
}
if (conn->addr->ai_socktype == SOCK_STREAM) {
- dprint("skipping stream socket\n");
- /* The select callback will handle flushing any data we
- haven't written yet, and we only write it once. */
- return -1;
+ dprint("skipping stream socket\n");
+ /* The select callback will handle flushing any data we
+ haven't written yet, and we only write it once. */
+ return -1;
}
/* UDP - Send message, possibly for the first time, possibly a
@@ -818,12 +819,12 @@ maybe_send (struct conn_state *conn,
sg = &conn->x.out.sgbuf[0];
dprint("sending %d bytes on fd %d\n", SG_LEN(sg), conn->fd);
if (send(conn->fd, SG_BUF(sg), SG_LEN(sg), 0) != SG_LEN(sg)) {
- dperror("send");
- /* Keep connection alive, we'll try again next pass.
+ dperror("send");
+ /* Keep connection alive, we'll try again next pass.
- Is this likely to catch any errors we didn't get from the
- select callbacks? */
- return -1;
+ Is this likely to catch any errors we didn't get from the
+ select callbacks? */
+ return -1;
}
/* Yay, it worked. */
return 0;
@@ -841,12 +842,12 @@ kill_conn(struct conn_state *conn, struct select_state *selstate, int err)
dprint("abandoning connection %d: %m\n", conn->fd, err);
/* Fix up max fd for next select call. */
if (selstate->max == 1 + conn->fd) {
- while (selstate->max > 0
- && ! FD_ISSET(selstate->max-1, &selstate->rfds)
- && ! FD_ISSET(selstate->max-1, &selstate->wfds)
- && ! FD_ISSET(selstate->max-1, &selstate->xfds))
- selstate->max--;
- dprint("new max_fd + 1 is %d\n", selstate->max);
+ while (selstate->max > 0
+ && ! FD_ISSET(selstate->max-1, &selstate->rfds)
+ && ! FD_ISSET(selstate->max-1, &selstate->wfds)
+ && ! FD_ISSET(selstate->max-1, &selstate->xfds))
+ selstate->max--;
+ dprint("new max_fd + 1 is %d\n", selstate->max);
}
selstate->nfds--;
}
@@ -862,10 +863,10 @@ get_so_error(int fd)
sockerrlen = sizeof(sockerr);
e = getsockopt(fd, SOL_SOCKET, SO_ERROR, &sockerr, &sockerrlen);
if (e != 0) {
- /* What to do now? */
- e = SOCKET_ERRNO;
- dprint("getsockopt(SO_ERROR) on fd failed: %m\n", e);
- return e;
+ /* What to do now? */
+ e = SOCKET_ERRNO;
+ dprint("getsockopt(SO_ERROR) on fd failed: %m\n", e);
+ return e;
}
return sockerr;
}
@@ -876,188 +877,188 @@ get_so_error(int fd)
static int
service_tcp_fd (struct conn_state *conn, struct select_state *selstate,
- int ssflags)
+ int ssflags)
{
krb5_error_code e = 0;
int nwritten, nread;
if (!(ssflags & (SSF_READ|SSF_WRITE|SSF_EXCEPTION)))
- abort();
+ abort();
switch (conn->state) {
- SOCKET_WRITEV_TEMP tmp;
+ SOCKET_WRITEV_TEMP tmp;
case CONNECTING:
- if (ssflags & SSF_READ) {
- /* Bad -- the KDC shouldn't be sending to us first. */
- e = EINVAL /* ?? */;
- kill_conn:
- kill_conn(conn, selstate, e);
- if (e == EINVAL) {
- closesocket(conn->fd);
- conn->fd = INVALID_SOCKET;
- }
- return e == 0;
- }
- if (ssflags & SSF_EXCEPTION) {
- handle_exception:
- e = get_so_error(conn->fd);
- if (e)
- dprint("socket error on exception fd: %m", e);
- else
- dprint("no socket error info available on exception fd");
- goto kill_conn;
- }
-
- /*
- * Connect finished -- but did it succeed or fail?
- * UNIX sets can_write if failed.
- * Call getsockopt to see if error pending.
- *
- * (For most UNIX systems it works to just try writing the
- * first time and detect an error. But Bill Dodd at IBM
- * reports that some version of AIX, SIGPIPE can result.)
- */
- e = get_so_error(conn->fd);
- if (e) {
- dprint("socket error on write fd: %m", e);
- goto kill_conn;
- }
- conn->state = WRITING;
- goto try_writing;
+ if (ssflags & SSF_READ) {
+ /* Bad -- the KDC shouldn't be sending to us first. */
+ e = EINVAL /* ?? */;
+ kill_conn:
+ kill_conn(conn, selstate, e);
+ if (e == EINVAL) {
+ closesocket(conn->fd);
+ conn->fd = INVALID_SOCKET;
+ }
+ return e == 0;
+ }
+ if (ssflags & SSF_EXCEPTION) {
+ handle_exception:
+ e = get_so_error(conn->fd);
+ if (e)
+ dprint("socket error on exception fd: %m", e);
+ else
+ dprint("no socket error info available on exception fd");
+ goto kill_conn;
+ }
+
+ /*
+ * Connect finished -- but did it succeed or fail?
+ * UNIX sets can_write if failed.
+ * Call getsockopt to see if error pending.
+ *
+ * (For most UNIX systems it works to just try writing the
+ * first time and detect an error. But Bill Dodd at IBM
+ * reports that some version of AIX, SIGPIPE can result.)
+ */
+ e = get_so_error(conn->fd);
+ if (e) {
+ dprint("socket error on write fd: %m", e);
+ goto kill_conn;
+ }
+ conn->state = WRITING;
+ goto try_writing;
case WRITING:
- if (ssflags & SSF_READ) {
- e = E2BIG;
- /* Bad -- the KDC shouldn't be sending anything yet. */
- goto kill_conn;
- }
- if (ssflags & SSF_EXCEPTION)
- goto handle_exception;
+ if (ssflags & SSF_READ) {
+ e = E2BIG;
+ /* Bad -- the KDC shouldn't be sending anything yet. */
+ goto kill_conn;
+ }
+ if (ssflags & SSF_EXCEPTION)
+ goto handle_exception;
try_writing:
- dprint("trying to writev %d (%d bytes) to fd %d\n",
- conn->x.out.sg_count,
- ((conn->x.out.sg_count == 2 ? SG_LEN(&conn->x.out.sgp[1]) : 0)
- + SG_LEN(&conn->x.out.sgp[0])),
- conn->fd);
- nwritten = SOCKET_WRITEV(conn->fd, conn->x.out.sgp,
- conn->x.out.sg_count, tmp);
- if (nwritten < 0) {
- e = SOCKET_ERRNO;
- dprint("failed: %m\n", e);
- goto kill_conn;
- }
- dprint("wrote %d bytes\n", nwritten);
- while (nwritten) {
- sg_buf *sgp = conn->x.out.sgp;
- if (nwritten < SG_LEN(sgp)) {
- SG_ADVANCE(sgp, nwritten);
- nwritten = 0;
- } else {
- nwritten -= SG_LEN(conn->x.out.sgp);
- conn->x.out.sgp++;
- conn->x.out.sg_count--;
- if (conn->x.out.sg_count == 0 && nwritten != 0)
- /* Wrote more than we wanted to? */
- abort();
- }
- }
- if (conn->x.out.sg_count == 0) {
- /* Done writing, switch to reading. */
- /* Don't call shutdown at this point because
- * some implementations cannot deal with half-closed connections.*/
- FD_CLR(conn->fd, &selstate->wfds);
- /* Q: How do we detect failures to send the remaining data
- to the remote side, since we're in non-blocking mode?
- Will we always get errors on the reading side? */
- dprint("switching fd %d to READING\n", conn->fd);
- conn->state = READING;
- conn->x.in.bufsizebytes_read = 0;
- conn->x.in.bufsize = 0;
- conn->x.in.buf = 0;
- conn->x.in.pos = 0;
- conn->x.in.n_left = 0;
- }
- return 0;
+ dprint("trying to writev %d (%d bytes) to fd %d\n",
+ conn->x.out.sg_count,
+ ((conn->x.out.sg_count == 2 ? SG_LEN(&conn->x.out.sgp[1]) : 0)
+ + SG_LEN(&conn->x.out.sgp[0])),
+ conn->fd);
+ nwritten = SOCKET_WRITEV(conn->fd, conn->x.out.sgp,
+ conn->x.out.sg_count, tmp);
+ if (nwritten < 0) {
+ e = SOCKET_ERRNO;
+ dprint("failed: %m\n", e);
+ goto kill_conn;
+ }
+ dprint("wrote %d bytes\n", nwritten);
+ while (nwritten) {
+ sg_buf *sgp = conn->x.out.sgp;
+ if (nwritten < SG_LEN(sgp)) {
+ SG_ADVANCE(sgp, nwritten);
+ nwritten = 0;
+ } else {
+ nwritten -= SG_LEN(conn->x.out.sgp);
+ conn->x.out.sgp++;
+ conn->x.out.sg_count--;
+ if (conn->x.out.sg_count == 0 && nwritten != 0)
+ /* Wrote more than we wanted to? */
+ abort();
+ }
+ }
+ if (conn->x.out.sg_count == 0) {
+ /* Done writing, switch to reading. */
+ /* Don't call shutdown at this point because
+ * some implementations cannot deal with half-closed connections.*/
+ FD_CLR(conn->fd, &selstate->wfds);
+ /* Q: How do we detect failures to send the remaining data
+ to the remote side, since we're in non-blocking mode?
+ Will we always get errors on the reading side? */
+ dprint("switching fd %d to READING\n", conn->fd);
+ conn->state = READING;
+ conn->x.in.bufsizebytes_read = 0;
+ conn->x.in.bufsize = 0;
+ conn->x.in.buf = 0;
+ conn->x.in.pos = 0;
+ conn->x.in.n_left = 0;
+ }
+ return 0;
case READING:
- if (ssflags & SSF_EXCEPTION) {
- if (conn->x.in.buf) {
- free(conn->x.in.buf);
- conn->x.in.buf = 0;
- }
- goto handle_exception;
- }
-
- if (conn->x.in.bufsizebytes_read == 4) {
- /* Reading data. */
- dprint("reading %d bytes of data from fd %d\n",
- (int) conn->x.in.n_left, conn->fd);
- nread = SOCKET_READ(conn->fd, conn->x.in.pos, conn->x.in.n_left);
- if (nread <= 0) {
- e = nread ? SOCKET_ERRNO : ECONNRESET;
- free(conn->x.in.buf);
- conn->x.in.buf = 0;
- goto kill_conn;
- }
- conn->x.in.n_left -= nread;
- conn->x.in.pos += nread;
- if (conn->x.in.n_left <= 0) {
- /* We win! */
- return 1;
- }
- } else {
- /* Reading length. */
- nread = SOCKET_READ(conn->fd,
- conn->x.in.bufsizebytes + conn->x.in.bufsizebytes_read,
- 4 - conn->x.in.bufsizebytes_read);
- if (nread < 0) {
- e = SOCKET_ERRNO;
- goto kill_conn;
- }
- conn->x.in.bufsizebytes_read += nread;
- if (conn->x.in.bufsizebytes_read == 4) {
- unsigned long len = load_32_be (conn->x.in.bufsizebytes);
- dprint("received length on fd %d is %d\n", conn->fd, (int)len);
- /* Arbitrary 1M cap. */
- if (len > 1 * 1024 * 1024) {
- e = E2BIG;
- goto kill_conn;
- }
- conn->x.in.bufsize = conn->x.in.n_left = len;
- conn->x.in.buf = conn->x.in.pos = malloc(len);
- dprint("allocated %d byte buffer at %p\n", (int) len,
- conn->x.in.buf);
- if (conn->x.in.buf == 0) {
- /* allocation failure */
- e = ENOMEM;
- goto kill_conn;
- }
- }
- }
- break;
+ if (ssflags & SSF_EXCEPTION) {
+ if (conn->x.in.buf) {
+ free(conn->x.in.buf);
+ conn->x.in.buf = 0;
+ }
+ goto handle_exception;
+ }
+
+ if (conn->x.in.bufsizebytes_read == 4) {
+ /* Reading data. */
+ dprint("reading %d bytes of data from fd %d\n",
+ (int) conn->x.in.n_left, conn->fd);
+ nread = SOCKET_READ(conn->fd, conn->x.in.pos, conn->x.in.n_left);
+ if (nread <= 0) {
+ e = nread ? SOCKET_ERRNO : ECONNRESET;
+ free(conn->x.in.buf);
+ conn->x.in.buf = 0;
+ goto kill_conn;
+ }
+ conn->x.in.n_left -= nread;
+ conn->x.in.pos += nread;
+ if (conn->x.in.n_left <= 0) {
+ /* We win! */
+ return 1;
+ }
+ } else {
+ /* Reading length. */
+ nread = SOCKET_READ(conn->fd,
+ conn->x.in.bufsizebytes + conn->x.in.bufsizebytes_read,
+ 4 - conn->x.in.bufsizebytes_read);
+ if (nread < 0) {
+ e = SOCKET_ERRNO;
+ goto kill_conn;
+ }
+ conn->x.in.bufsizebytes_read += nread;
+ if (conn->x.in.bufsizebytes_read == 4) {
+ unsigned long len = load_32_be (conn->x.in.bufsizebytes);
+ dprint("received length on fd %d is %d\n", conn->fd, (int)len);
+ /* Arbitrary 1M cap. */
+ if (len > 1 * 1024 * 1024) {
+ e = E2BIG;
+ goto kill_conn;
+ }
+ conn->x.in.bufsize = conn->x.in.n_left = len;
+ conn->x.in.buf = conn->x.in.pos = malloc(len);
+ dprint("allocated %d byte buffer at %p\n", (int) len,
+ conn->x.in.buf);
+ if (conn->x.in.buf == 0) {
+ /* allocation failure */
+ e = ENOMEM;
+ goto kill_conn;
+ }
+ }
+ }
+ break;
default:
- abort();
+ abort();
}
return 0;
}
static int
service_udp_fd(struct conn_state *conn, struct select_state *selstate,
- int ssflags)
+ int ssflags)
{
int nread;
if (!(ssflags & (SSF_READ|SSF_EXCEPTION)))
- abort();
+ abort();
if (conn->state != READING)
- abort();
+ abort();
nread = recv(conn->fd, conn->x.in.buf, conn->x.in.bufsize, 0);
if (nread < 0) {
- kill_conn(conn, selstate, SOCKET_ERRNO);
- return 0;
+ kill_conn(conn, selstate, SOCKET_ERRNO);
+ return 0;
}
conn->x.in.pos = conn->x.in.buf + nread;
return 1;
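Review bot: In the READING branch of service_tcp_fd, the length-prefix read only rejects `nread < 0`, so an orderly close by the peer before all four length bytes arrive (`nread == 0`) is treated as progress and the function returns 0 with the fd still in the read set. The data read a few lines above already handles this with `nread <= 0`; the length read should match it with `if (nread <= 0) {` followed by `e = nread ? SOCKET_ERRNO : ECONNRESET;`. Without that, select will presumably keep reporting the socket readable until the pass times out, so whatever answers on the KDC port can hold the client in a busy loop. The re-indent leaves the logic unchanged, so this predates the commit.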
@@ -1065,77 +1066,77 @@ service_udp_fd(struct conn_state *conn, struct select_state *selstate,
static int
service_fds (krb5_context context,
- struct select_state *selstate,
- struct conn_state *conns, size_t n_conns, int *winning_conn,
- struct select_state *seltemp,
- int (*msg_handler)(krb5_context, const krb5_data *, void *),
- void *msg_handler_data)
+ struct select_state *selstate,
+ struct conn_state *conns, size_t n_conns, int *winning_conn,
+ struct select_state *seltemp,
+ int (*msg_handler)(krb5_context, const krb5_data *, void *),
+ void *msg_handler_data)
{
int e, selret;
e = 0;
while (selstate->nfds > 0) {
- unsigned int i;
-
- e = krb5int_cm_call_select(selstate, seltemp, &selret);
- if (e == EINTR)
- continue;
- if (e != 0)
- break;
-
- dprint("service_fds examining results, selret=%d\n", selret);
-
- if (selret == 0)
- /* Timeout, return to caller. */
- return 0;
-
- /* Got something on a socket, process it. */
- for (i = 0; i <= (unsigned int)selstate->max && selret > 0 && i < n_conns; i++) {
- int ssflags;
-
- if (conns[i].fd == INVALID_SOCKET)
- continue;
- ssflags = 0;
- if (FD_ISSET(conns[i].fd, &seltemp->rfds))
- ssflags |= SSF_READ, selret--;
- if (FD_ISSET(conns[i].fd, &seltemp->wfds))
- ssflags |= SSF_WRITE, selret--;
- if (FD_ISSET(conns[i].fd, &seltemp->xfds))
- ssflags |= SSF_EXCEPTION, selret--;
- if (!ssflags)
- continue;
-
- dprint("handling flags '%s%s%s' on fd %d (%A) in state %s\n",
- (ssflags & SSF_READ) ? "r" : "",
- (ssflags & SSF_WRITE) ? "w" : "",
- (ssflags & SSF_EXCEPTION) ? "x" : "",
- conns[i].fd, conns[i].addr,
- state_strings[(int) conns[i].state]);
-
- if (conns[i].service (&conns[i], selstate, ssflags)) {
- int stop = 1;
-
- if (msg_handler != NULL) {
- krb5_data reply;
-
- reply.data = conns[i].x.in.buf;
- reply.length = conns[i].x.in.pos - conns[i].x.in.buf;
-
- stop = (msg_handler(context, &reply, msg_handler_data) != 0);
- }
-
- if (stop) {
- dprint("fd service routine says we're done\n");
- *winning_conn = i;
- return 1;
- }
- }
- }
+ unsigned int i;
+
+ e = krb5int_cm_call_select(selstate, seltemp, &selret);
+ if (e == EINTR)
+ continue;
+ if (e != 0)
+ break;
+
+ dprint("service_fds examining results, selret=%d\n", selret);
+
+ if (selret == 0)
+ /* Timeout, return to caller. */
+ return 0;
+
+ /* Got something on a socket, process it. */
+ for (i = 0; i <= (unsigned int)selstate->max && selret > 0 && i < n_conns; i++) {
+ int ssflags;
+
+ if (conns[i].fd == INVALID_SOCKET)
+ continue;
+ ssflags = 0;
+ if (FD_ISSET(conns[i].fd, &seltemp->rfds))
+ ssflags |= SSF_READ, selret--;
+ if (FD_ISSET(conns[i].fd, &seltemp->wfds))
+ ssflags |= SSF_WRITE, selret--;
+ if (FD_ISSET(conns[i].fd, &seltemp->xfds))
+ ssflags |= SSF_EXCEPTION, selret--;
+ if (!ssflags)
+ continue;
+
+ dprint("handling flags '%s%s%s' on fd %d (%A) in state %s\n",
+ (ssflags & SSF_READ) ? "r" : "",
+ (ssflags & SSF_WRITE) ? "w" : "",
+ (ssflags & SSF_EXCEPTION) ? "x" : "",
+ conns[i].fd, conns[i].addr,
+ state_strings[(int) conns[i].state]);
+
+ if (conns[i].service (&conns[i], selstate, ssflags)) {
+ int stop = 1;
+
+ if (msg_handler != NULL) {
+ krb5_data reply;
+
+ reply.data = conns[i].x.in.buf;
+ reply.length = conns[i].x.in.pos - conns[i].x.in.buf;
+
+ stop = (msg_handler(context, &reply, msg_handler_data) != 0);
+ }
+
+ if (stop) {
+ dprint("fd service routine says we're done\n");
+ *winning_conn = i;
+ return 1;
+ }
+ }
+ }
}
if (e != 0) {
- dprint("select returned %m\n", e);
- *winning_conn = -1;
- return 1;
+ dprint("select returned %m\n", e);
+ *winning_conn = -1;
+ return 1;
}
return 0;
}
@@ -1165,13 +1166,13 @@ service_fds (krb5_context context,
krb5_error_code
krb5int_sendto (krb5_context context, const krb5_data *message,
const struct addrlist *addrs,
- struct sendto_callback_info* callback_info, krb5_data *reply,
- struct sockaddr *localaddr, socklen_t *localaddrlen,
+ struct sendto_callback_info* callback_info, krb5_data *reply,
+ struct sockaddr *localaddr, socklen_t *localaddrlen,
struct sockaddr *remoteaddr, socklen_t *remoteaddrlen,
- int *addr_used,
- /* return 0 -> keep going, 1 -> quit */
- int (*msg_handler)(krb5_context, const krb5_data *, void *),
- void *msg_handler_data)
+ int *addr_used,
+ /* return 0 -> keep going, 1 -> quit */
+ int (*msg_handler)(krb5_context, const krb5_data *, void *),
+ void *msg_handler_data)
{
unsigned int i;
int pass;
@@ -1186,9 +1187,9 @@ krb5int_sendto (krb5_context context, const krb5_data *message,
char *udpbuf = NULL;
if (message)
- dprint("krb5int_sendto(message=%d@%p, addrlist=", message->length, message->data);
+ dprint("krb5int_sendto(message=%d@%p, addrlist=", message->length, message->data);
else
- dprint("krb5int_sendto(callback=%p, addrlist=", callback_info);
+ dprint("krb5int_sendto(callback=%p, addrlist=", callback_info);
print_addrlist(addrs);
dprint(")\n");
@@ -1197,25 +1198,25 @@ krb5int_sendto (krb5_context context, const krb5_data *message,
conns = calloc(addrs->naddrs, sizeof(struct conn_state));
if (conns == NULL)
- return ENOMEM;
+ return ENOMEM;
if (callback_info) {
- callback_data = calloc(addrs->naddrs, sizeof(krb5_data));
- if (callback_data == NULL) {
- retval = ENOMEM;
- goto egress;
- }
+ callback_data = calloc(addrs->naddrs, sizeof(krb5_data));
+ if (callback_data == NULL) {
+ retval = ENOMEM;
+ goto egress;
+ }
}
for (i = 0; i < addrs->naddrs; i++)
- conns[i].fd = INVALID_SOCKET;
+ conns[i].fd = INVALID_SOCKET;
/* One for use here, listing all our fds in use, and one for
temporary use in service_fds, for the fds of interest. */
sel_state = malloc(2 * sizeof(*sel_state));
if (sel_state == NULL) {
- retval = ENOMEM;
- goto egress;
+ retval = ENOMEM;
+ goto egress;
}
sel_state->max = 0;
sel_state->nfds = 0;
@@ -1227,100 +1228,100 @@ krb5int_sendto (krb5_context context, const krb5_data *message,
/* Set up connections. */
for (host = 0; host < addrs->naddrs; host++) {
- setup_connection(&conns[host], addrs->addrs[host].ai, message,
- &udpbuf);
+ setup_connection(&conns[host], addrs->addrs[host].ai, message,
+ &udpbuf);
}
n_conns = addrs->naddrs;
for (pass = 0; pass < MAX_PASS; pass++) {
- /* Possible optimization: Make only one pass if TCP only.
- Stop making passes if all UDP ports are closed down. */
- dprint("pass %d delay=%d\n", pass, delay_this_pass);
- for (host = 0; host < n_conns; host++) {
- dprint("host %d\n", host);
-
- /* Send to the host, wait for a response, then move on. */
- if (maybe_send(&conns[host],
- sel_state,
- callback_info,
- (callback_info ? &callback_data[host] : NULL)))
- continue;
-
- retval = getcurtime(&now);
- if (retval)
- goto egress;
- sel_state->end_time = now;
- sel_state->end_time.tv_sec += 1;
- e = service_fds(context, sel_state, conns, host+1, &winning_conn,
- sel_state+1, msg_handler, msg_handler_data);
- if (e)
- break;
- if (pass > 0 && sel_state->nfds == 0)
- /*
- * After the first pass, if we close all fds, break
- * out right away. During the first pass, it's okay,
- * we're probably about to open another connection.
- */
- break;
- }
- if (e)
- break;
- retval = getcurtime(&now);
- if (retval)
- goto egress;
- /* Possible optimization: Find a way to integrate this select
- call with the last one from the above loop, if the loop
- actually calls select. */
- sel_state->end_time.tv_sec += delay_this_pass;
- e = service_fds(context, sel_state, conns, host+1, &winning_conn,
- sel_state+1, msg_handler, msg_handler_data);
- if (e)
- break;
- if (sel_state->nfds == 0)
- break;
- delay_this_pass *= 2;
+ /* Possible optimization: Make only one pass if TCP only.
+ Stop making passes if all UDP ports are closed down. */
+ dprint("pass %d delay=%d\n", pass, delay_this_pass);
+ for (host = 0; host < n_conns; host++) {
+ dprint("host %d\n", host);
+
+ /* Send to the host, wait for a response, then move on. */
+ if (maybe_send(&conns[host],
+ sel_state,
+ callback_info,
+ (callback_info ? &callback_data[host] : NULL)))
+ continue;
+
+ retval = getcurtime(&now);
+ if (retval)
+ goto egress;
+ sel_state->end_time = now;
+ sel_state->end_time.tv_sec += 1;
+ e = service_fds(context, sel_state, conns, host+1, &winning_conn,
+ sel_state+1, msg_handler, msg_handler_data);
+ if (e)
+ break;
+ if (pass > 0 && sel_state->nfds == 0)
+ /*
+ * After the first pass, if we close all fds, break
+ * out right away. During the first pass, it's okay,
+ * we're probably about to open another connection.
+ */
+ break;
+ }
+ if (e)
+ break;
+ retval = getcurtime(&now);
+ if (retval)
+ goto egress;
+ /* Possible optimization: Find a way to integrate this select
+ call with the last one from the above loop, if the loop
+ actually calls select. */
+ sel_state->end_time.tv_sec += delay_this_pass;
+ e = service_fds(context, sel_state, conns, host+1, &winning_conn,
+ sel_state+1, msg_handler, msg_handler_data);
+ if (e)
+ break;
+ if (sel_state->nfds == 0)
+ break;
+ delay_this_pass *= 2;
}
if (sel_state->nfds == 0) {
- /* No addresses? */
- retval = KRB5_KDC_UNREACH;
- goto egress;
+ /* No addresses? */
+ retval = KRB5_KDC_UNREACH;
+ goto egress;
}
if (e == 0 || winning_conn < 0) {
- retval = KRB5_KDC_UNREACH;
- goto egress;
+ retval = KRB5_KDC_UNREACH;
+ goto egress;
}
/* Success! */
reply->data = conns[winning_conn].x.in.buf;
reply->length = (conns[winning_conn].x.in.pos
- - conns[winning_conn].x.in.buf);
+ - conns[winning_conn].x.in.buf);
dprint("returning %d bytes in buffer %p\n",
- (int) reply->length, reply->data);
+ (int) reply->length, reply->data);
retval = 0;
conns[winning_conn].x.in.buf = 0;
if (addr_used)
*addr_used = winning_conn;
if (localaddr != 0 && localaddrlen != 0 && *localaddrlen > 0)
- (void) getsockname(conns[winning_conn].fd, localaddr, localaddrlen);
+ (void) getsockname(conns[winning_conn].fd, localaddr, localaddrlen);
- if (remoteaddr != 0 && remoteaddrlen != 0 && *remoteaddrlen > 0)
- (void) getpeername(conns[winning_conn].fd, remoteaddr, remoteaddrlen);
+ if (remoteaddr != 0 && remoteaddrlen != 0 && *remoteaddrlen > 0)
+ (void) getpeername(conns[winning_conn].fd, remoteaddr, remoteaddrlen);
egress:
for (i = 0; i < n_conns; i++) {
- if (conns[i].fd != INVALID_SOCKET)
- closesocket(conns[i].fd);
- if (conns[i].state == READING && conns[i].x.in.buf != udpbuf)
- free(conns[i].x.in.buf);
- if (callback_info) {
- callback_info->pfn_cleanup(callback_info->context,
- &callback_data[i]);
- }
+ if (conns[i].fd != INVALID_SOCKET)
+ closesocket(conns[i].fd);
+ if (conns[i].state == READING && conns[i].x.in.buf != udpbuf)
+ free(conns[i].x.in.buf);
+ if (callback_info) {
+ callback_info->pfn_cleanup(callback_info->context,
+ &callback_data[i]);
+ }
}
free(callback_data);
free(conns);
if (reply->data != udpbuf)
- free(udpbuf);
+ free(udpbuf);
free(sel_state);
return retval;
}
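Review bot: The second `service_fds` call in the pass loop passes `host+1` as the connection count, but once the inner `for (host = 0; host < n_conns; host++)` loop has run to completion `host` already equals `n_conns`, so the count is one more than the `conns` array allocated with `calloc(addrs->naddrs, ...)` holds. service_fds bounds its index with `i < n_conns`, so only its `selret > 0` test keeps it from reading `conns[n_conns].fd`. Passing the real count, `e = service_fds(context, sel_state, conns, n_conns, &winning_conn,`, removes that dependence. This looks safe because every slot's fd starts as INVALID_SOCKET and service_fds skips those, though setup_connection is not visible here. krb5int_sendto begins in an earlier hunk.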
diff --git a/src/lib/krb5/os/sn2princ.c b/src/lib/krb5/os/sn2princ.c
index ee4f3bc11b..8bd8230905 100644
--- a/src/lib/krb5/os/sn2princ.c
+++ b/src/lib/krb5/os/sn2princ.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/os/sn2princ.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* Convert a hostname and service name to a principal in the "standard"
* form.
@@ -53,7 +54,7 @@ maybe_use_reverse_dns (krb5_context context, int defalt)
return defalt;
if (value == 0)
- return defalt;
+ return defalt;
use_rdns = _krb5_conf_boolean(value);
profile_release_string(value);
@@ -75,57 +76,57 @@ krb5_sname_to_principal(krb5_context context, const char *hostname, const char *
#endif
if ((type == KRB5_NT_UNKNOWN) ||
- (type == KRB5_NT_SRV_HST)) {
-
- /* if hostname is NULL, use local hostname */
- if (! hostname) {
- if (gethostname(localname, MAXHOSTNAMELEN))
- return SOCKET_ERRNO;
- hostname = localname;
- }
-
- /* if sname is NULL, use "host" */
- if (! sname)
- sname = "host";
-
- /* copy the hostname into non-volatile storage */
-
- if (type == KRB5_NT_SRV_HST) {
- struct addrinfo *ai, hints;
- int err;
- char hnamebuf[NI_MAXHOST];
-
- /* Note that the old code would accept numeric addresses,
- and if the gethostbyaddr step could convert them to
- real hostnames, you could actually get reasonable
- results. If the mapping failed, you'd get dotted
- triples as realm names. *sigh*
-
- The latter has been fixed in hst_realm.c, but we should
- keep supporting numeric addresses if they do have
- hostnames associated. */
-
- memset(&hints, 0, sizeof(hints));
- hints.ai_family = AF_INET;
- hints.ai_flags = AI_CANONNAME;
- try_getaddrinfo_again:
- err = getaddrinfo(hostname, 0, &hints, &ai);
- if (err) {
+ (type == KRB5_NT_SRV_HST)) {
+
+ /* if hostname is NULL, use local hostname */
+ if (! hostname) {
+ if (gethostname(localname, MAXHOSTNAMELEN))
+ return SOCKET_ERRNO;
+ hostname = localname;
+ }
+
+ /* if sname is NULL, use "host" */
+ if (! sname)
+ sname = "host";
+
+ /* copy the hostname into non-volatile storage */
+
+ if (type == KRB5_NT_SRV_HST) {
+ struct addrinfo *ai, hints;
+ int err;
+ char hnamebuf[NI_MAXHOST];
+
+ /* Note that the old code would accept numeric addresses,
+ and if the gethostbyaddr step could convert them to
+ real hostnames, you could actually get reasonable
+ results. If the mapping failed, you'd get dotted
+ triples as realm names. *sigh*
+
+ The latter has been fixed in hst_realm.c, but we should
+ keep supporting numeric addresses if they do have
+ hostnames associated. */
+
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_family = AF_INET;
+ hints.ai_flags = AI_CANONNAME;
+ try_getaddrinfo_again:
+ err = getaddrinfo(hostname, 0, &hints, &ai);
+ if (err) {
#ifdef DEBUG_REFERRALS
- printf("sname_to_princ: probably punting due to bad hostname of %s\n",hostname);
+ printf("sname_to_princ: probably punting due to bad hostname of %s\n",hostname);
#endif
- if (hints.ai_family == AF_INET) {
- /* Just in case it's an IPv6-only name. */
- hints.ai_family = 0;
- goto try_getaddrinfo_again;
- }
- return KRB5_ERR_BAD_HOSTNAME;
- }
- remote_host = strdup(ai->ai_canonname ? ai->ai_canonname : hostname);
- if (!remote_host) {
- freeaddrinfo(ai);
- return ENOMEM;
- }
+ if (hints.ai_family == AF_INET) {
+ /* Just in case it's an IPv6-only name. */
+ hints.ai_family = 0;
+ goto try_getaddrinfo_again;
+ }
+ return KRB5_ERR_BAD_HOSTNAME;
+ }
+ remote_host = strdup(ai->ai_canonname ? ai->ai_canonname : hostname);
+ if (!remote_host) {
+ freeaddrinfo(ai);
+ return ENOMEM;
+ }
if (maybe_use_reverse_dns(context, DEFAULT_RDNS_LOOKUP)) {
/*
@@ -140,7 +141,7 @@ krb5_sname_to_principal(krb5_context context, const char *hostname, const char *
preserve the current behavior and only shake things up
once when it comes time to fix this lossage. */
err = getnameinfo(ai->ai_addr, ai->ai_addrlen,
- hnamebuf, sizeof(hnamebuf), 0, 0, NI_NAMEREQD);
+ hnamebuf, sizeof(hnamebuf), 0, 0, NI_NAMEREQD);
freeaddrinfo(ai);
if (err == 0) {
free(remote_host);
@@ -149,68 +150,67 @@ krb5_sname_to_principal(krb5_context context, const char *hostname, const char *
return ENOMEM;
}
} else
- freeaddrinfo(ai);
- } else /* type == KRB5_NT_UNKNOWN */ {
- remote_host = strdup(hostname);
- }
- if (!remote_host)
- return ENOMEM;
+ freeaddrinfo(ai);
+ } else /* type == KRB5_NT_UNKNOWN */ {
+ remote_host = strdup(hostname);
+ }
+ if (!remote_host)
+ return ENOMEM;
#ifdef DEBUG_REFERRALS
- printf("sname_to_princ: hostname <%s> after rdns processing\n",remote_host);
+ printf("sname_to_princ: hostname <%s> after rdns processing\n",remote_host);
#endif
- if (type == KRB5_NT_SRV_HST)
- for (cp = remote_host; *cp; cp++)
- if (isupper((unsigned char) (*cp)))
- *cp = tolower((unsigned char) (*cp));
-
- /*
- * Windows NT5's broken resolver gratuitously tacks on a
- * trailing period to the hostname (at least it does in
- * Beta2). Find and remove it.
- */
- if (remote_host[0]) {
- cp = remote_host + strlen(remote_host)-1;
- if (*cp == '.')
- *cp = 0;
- }
-
-
- if ((retval = krb5_get_host_realm(context, remote_host, &hrealms))) {
- free(remote_host);
- return retval;
- }
+ if (type == KRB5_NT_SRV_HST)
+ for (cp = remote_host; *cp; cp++)
+ if (isupper((unsigned char) (*cp)))
+ *cp = tolower((unsigned char) (*cp));
+
+ /*
+ * Windows NT5's broken resolver gratuitously tacks on a
+ * trailing period to the hostname (at least it does in
+ * Beta2). Find and remove it.
+ */
+ if (remote_host[0]) {
+ cp = remote_host + strlen(remote_host)-1;
+ if (*cp == '.')
+ *cp = 0;
+ }
+
+
+ if ((retval = krb5_get_host_realm(context, remote_host, &hrealms))) {
+ free(remote_host);
+ return retval;
+ }
#ifdef DEBUG_REFERRALS
- printf("sname_to_princ: realm <%s> after krb5_get_host_realm\n",hrealms[0]);
+ printf("sname_to_princ: realm <%s> after krb5_get_host_realm\n",hrealms[0]);
#endif
- if (!hrealms[0]) {
- free(remote_host);
- free(hrealms);
- return KRB5_ERR_HOST_REALM_UNKNOWN;
- }
- realm = hrealms[0];
+ if (!hrealms[0]) {
+ free(remote_host);
+ free(hrealms);
+ return KRB5_ERR_HOST_REALM_UNKNOWN;
+ }
+ realm = hrealms[0];
- retval = krb5_build_principal(context, ret_princ, strlen(realm),
- realm, sname, remote_host,
- (char *)0);
+ retval = krb5_build_principal(context, ret_princ, strlen(realm),
+ realm, sname, remote_host,
+ (char *)0);
- krb5_princ_type(context, *ret_princ) = type;
+ krb5_princ_type(context, *ret_princ) = type;
#ifdef DEBUG_REFERRALS
- printf("krb5_sname_to_principal returning\n");
- printf("realm: <%s>, sname: <%s>, remote_host: <%s>\n",
- realm,sname,remote_host);
- krb5int_dbgref_dump_principal("krb5_sname_to_principal",*ret_princ);
+ printf("krb5_sname_to_principal returning\n");
+ printf("realm: <%s>, sname: <%s>, remote_host: <%s>\n",
+ realm,sname,remote_host);
+ krb5int_dbgref_dump_principal("krb5_sname_to_principal",*ret_princ);
#endif
- free(remote_host);
+ free(remote_host);
- krb5_free_host_realm(context, hrealms);
- return retval;
+ krb5_free_host_realm(context, hrealms);
+ return retval;
} else {
- return KRB5_SNAME_UNSUPP_NAMETYPE;
+ return KRB5_SNAME_UNSUPP_NAMETYPE;
}
}
-
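Review bot: `krb5_princ_type(context, *ret_princ) = type;` runs regardless of the result of the `krb5_build_principal` call just above it, so after a failed build it writes through whatever `*ret_princ` happens to hold. Whether the callee leaves `*ret_princ` untouched on error is not visible in this diff, so the write should be guarded: `if (retval == 0) krb5_princ_type(context, *ret_princ) = type;`. The DEBUG_REFERRALS block has a similar ordering problem, printing `hrealms[0]` with `%s` before the `if (!hrealms[0])` check. krb5_sname_to_principal starts in an earlier hunk, and the re-indent itself changes none of this.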
diff --git a/src/lib/krb5/os/t_an_to_ln.c b/src/lib/krb5/os/t_an_to_ln.c
index 93933a477a..99ec590cd5 100644
--- a/src/lib/krb5/os/t_an_to_ln.c
+++ b/src/lib/krb5/os/t_an_to_ln.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
#include "krb5.h"
#include <stdio.h>
@@ -5,36 +6,36 @@
int
main(int argc, char **argv)
{
- krb5_error_code kret;
- krb5_context kcontext;
- krb5_principal principal;
- char *programname;
- int i;
- char sbuf[1024];
+ krb5_error_code kret;
+ krb5_context kcontext;
+ krb5_principal principal;
+ char *programname;
+ int i;
+ char sbuf[1024];
programname = argv[0];
krb5_init_context(&kcontext);
for (i=1; i < argc; i++) {
- if (!(kret = krb5_parse_name(kcontext, argv[i], &principal))) {
- if (!(kret = krb5_aname_to_localname(kcontext,
- principal,
- 1024,
- sbuf))) {
- printf("%s: aname_to_lname maps %s -> <%s>\n",
- programname, argv[i], sbuf);
- }
- else {
- printf("%s: aname to lname returns %s for %s\n", programname,
- error_message(kret), argv[i]);
- }
- krb5_free_principal(kcontext, principal);
- }
- else {
- printf("%s: parse_name returns %s\n", programname,
- error_message(kret));
- }
- if (kret)
- break;
+ if (!(kret = krb5_parse_name(kcontext, argv[i], &principal))) {
+ if (!(kret = krb5_aname_to_localname(kcontext,
+ principal,
+ 1024,
+ sbuf))) {
+ printf("%s: aname_to_lname maps %s -> <%s>\n",
+ programname, argv[i], sbuf);
+ }
+ else {
+ printf("%s: aname to lname returns %s for %s\n", programname,
+ error_message(kret), argv[i]);
+ }
+ krb5_free_principal(kcontext, principal);
+ }
+ else {
+ printf("%s: parse_name returns %s\n", programname,
+ error_message(kret));
+ }
+ if (kret)
+ break;
}
krb5_free_context(kcontext);
return((kret) ? 1 : 0);
diff --git a/src/lib/krb5/os/t_gifconf.c b/src/lib/krb5/os/t_gifconf.c
index b0d9b7de2b..6ae4b85c4e 100644
--- a/src/lib/krb5/os/t_gifconf.c
+++ b/src/lib/krb5/os/t_gifconf.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/* SIOCGIFCONF:
The behavior of this ioctl varies across systems.
@@ -84,49 +85,49 @@ int main (void) {
sock = socket (AF_INET, SOCK_DGRAM, 0);
if (sock < 0) {
- perror ("socket");
- exit (1);
+ perror ("socket");
+ exit (1);
}
printf ("sizeof(struct if_req)=%d\n", sizeof (struct ifreq));
for (t = 0; t < sizeof (buffer); t++) {
- ifc.ifc_len = t;
- ifc.ifc_buf = buffer;
- memset (buffer, INIT, sizeof (buffer));
- i = ioctl (sock, SIOCGIFCONF, (char *) &ifc);
- if (i < 0) {
- /* Solaris returns "Invalid argument" if the buffer is too
- small. AIX and Linux return no error indication. */
- int e = errno;
- snprintf (buffer, sizeof(buffer), "SIOCGIFCONF(%d)", t);
- errno = e;
- perror (buffer);
- if (e == EINVAL)
- continue;
- fprintf (stderr, "exiting on unexpected error\n");
- exit (1);
- }
- i = sizeof (buffer) - 1;
- while (buffer[i] == ((char)INIT) && i >= 0)
- i--;
- if (omod != i) {
- /* Okay... the gap computed on the *last* iteration is the
- largest for that particular size of returned data.
- Save it, and then start computing gaps for the next
- bigger size of returned data. If we never get anything
- bigger back, we discard the newer value and only keep
- LASTGAP because all we care about is how much slop we
- need to "prove" that there really weren't any more
- entries to be returned. */
- if (gap > lastgap)
- lastgap = gap;
- }
- gap = t - i - 1;
- if (olen != ifc.ifc_len || omod != i) {
- printf ("ifc_len in = %4d, ifc_len out = %4d, last mod = %4d\n",
- t, ifc.ifc_len, i);
- olen = ifc.ifc_len;
- omod = i;
- }
+ ifc.ifc_len = t;
+ ifc.ifc_buf = buffer;
+ memset (buffer, INIT, sizeof (buffer));
+ i = ioctl (sock, SIOCGIFCONF, (char *) &ifc);
+ if (i < 0) {
+ /* Solaris returns "Invalid argument" if the buffer is too
+ small. AIX and Linux return no error indication. */
+ int e = errno;
+ snprintf (buffer, sizeof(buffer), "SIOCGIFCONF(%d)", t);
+ errno = e;
+ perror (buffer);
+ if (e == EINVAL)
+ continue;
+ fprintf (stderr, "exiting on unexpected error\n");
+ exit (1);
+ }
+ i = sizeof (buffer) - 1;
+ while (buffer[i] == ((char)INIT) && i >= 0)
+ i--;
+ if (omod != i) {
+ /* Okay... the gap computed on the *last* iteration is the
+ largest for that particular size of returned data.
+ Save it, and then start computing gaps for the next
+ bigger size of returned data. If we never get anything
+ bigger back, we discard the newer value and only keep
+ LASTGAP because all we care about is how much slop we
+ need to "prove" that there really weren't any more
+ entries to be returned. */
+ if (gap > lastgap)
+ lastgap = gap;
+ }
+ gap = t - i - 1;
+ if (olen != ifc.ifc_len || omod != i) {
+ printf ("ifc_len in = %4d, ifc_len out = %4d, last mod = %4d\n",
+ t, ifc.ifc_len, i);
+ olen = ifc.ifc_len;
+ omod = i;
+ }
}
printf ("finished at ifc_len %d\n", t);
printf ("largest gap = %d\n", lastgap);
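Review bot: The scan `while (buffer[i] == ((char)INIT) && i >= 0)` reads `buffer[i]` before testing the index, so when the ioctl leaves the whole buffer untouched `i` reaches -1 and `buffer[-1]` is read before the loop stops (`i` is declared outside the hunk; it takes the ioctl return, so presumably an int). Swapping the operands fixes it: `while (i >= 0 && buffer[i] == ((char)INIT))`. The context line `printf ("sizeof(struct if_req)=%d\n", sizeof (struct ifreq));` also passes a `size_t` to `%d`; casting the argument to `int`, or using `%zu` where C99 is available, would match the format. main continues past both ends of this hunk.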
diff --git a/src/lib/krb5/os/t_locate_kdc.c b/src/lib/krb5/os/t_locate_kdc.c
index 9cc845a829..45fad01767 100644
--- a/src/lib/krb5/os/t_locate_kdc.c
+++ b/src/lib/krb5/os/t_locate_kdc.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
@@ -31,14 +32,14 @@ static const char *stypename (int stype)
static char buf[20];
switch (stype) {
case SOCK_STREAM:
- return "stream";
+ return "stream";
case SOCK_DGRAM:
- return "dgram";
+ return "dgram";
case SOCK_RAW:
- return "raw";
+ return "raw";
default:
- snprintf(buf, sizeof(buf), "?%d", stype);
- return buf;
+ snprintf(buf, sizeof(buf), "?%d", stype);
+ return buf;
}
}
@@ -50,19 +51,19 @@ static void print_addrs (void)
printf ("%d addresses:\n", naddrs);
for (i = 0; i < naddrs; i++) {
- int err;
- struct addrinfo *ai = al.addrs[i].ai;
- char hostbuf[NI_MAXHOST], srvbuf[NI_MAXSERV];
- err = getnameinfo (ai->ai_addr, ai->ai_addrlen,
- hostbuf, sizeof (hostbuf),
- srvbuf, sizeof (srvbuf),
- NI_NUMERICHOST | NI_NUMERICSERV);
- if (err)
- printf ("%2d: getnameinfo returns error %d=%s\n",
- i, err, gai_strerror (err));
- else
- printf ("%2d: address %s\t%s\tport %s\n", i, hostbuf,
- stypename (ai->ai_socktype), srvbuf);
+ int err;
+ struct addrinfo *ai = al.addrs[i].ai;
+ char hostbuf[NI_MAXHOST], srvbuf[NI_MAXSERV];
+ err = getnameinfo (ai->ai_addr, ai->ai_addrlen,
+ hostbuf, sizeof (hostbuf),
+ srvbuf, sizeof (srvbuf),
+ NI_NUMERICHOST | NI_NUMERICSERV);
+ if (err)
+ printf ("%2d: getnameinfo returns error %d=%s\n",
+ i, err, gai_strerror (err));
+ else
+ printf ("%2d: address %s\t%s\tport %s\n", i, hostbuf,
+ stypename (ai->ai_socktype), srvbuf);
}
}
@@ -76,52 +77,52 @@ int main (int argc, char *argv[])
p = strrchr (argv[0], '/');
if (p)
- prog = p+1;
+ prog = p+1;
else
- prog = argv[0];
+ prog = argv[0];
switch (argc) {
case 2:
- /* foo $realm */
- realmname = argv[1];
- break;
+ /* foo $realm */
+ realmname = argv[1];
+ break;
case 3:
- if (!strcmp (argv[1], "-c"))
- how = LOOKUP_CONF;
- else if (!strcmp (argv[1], "-d"))
- how = LOOKUP_DNS;
- else if (!strcmp (argv[1], "-m"))
- master = 1;
- else
- goto usage;
- realmname = argv[2];
- break;
+ if (!strcmp (argv[1], "-c"))
+ how = LOOKUP_CONF;
+ else if (!strcmp (argv[1], "-d"))
+ how = LOOKUP_DNS;
+ else if (!strcmp (argv[1], "-m"))
+ master = 1;
+ else
+ goto usage;
+ realmname = argv[2];
+ break;
default:
usage:
- fprintf (stderr, "%s: usage: %s [-c | -d | -m] realm\n", prog, prog);
- return 1;
+ fprintf (stderr, "%s: usage: %s [-c | -d | -m] realm\n", prog, prog);
+ return 1;
}
err = krb5_init_context (&ctx);
if (err)
- kfatal (err);
+ kfatal (err);
realm.data = realmname;
realm.length = strlen (realmname);
switch (how) {
case LOOKUP_CONF:
- err = krb5_locate_srv_conf (ctx, &realm, "kdc", &al, 0,
- htons (88), htons (750));
- break;
+ err = krb5_locate_srv_conf (ctx, &realm, "kdc", &al, 0,
+ htons (88), htons (750));
+ break;
case LOOKUP_DNS:
- err = krb5_locate_srv_dns_1 (&realm, "_kerberos", "_udp", &al, 0);
- break;
+ err = krb5_locate_srv_dns_1 (&realm, "_kerberos", "_udp", &al, 0);
+ break;
case LOOKUP_WHATEVER:
- err = krb5_locate_kdc (ctx, &realm, &al, master, 0, 0);
- break;
+ err = krb5_locate_kdc (ctx, &realm, &al, master, 0, 0);
+ break;
}
if (err) kfatal (err);
print_addrs ();
diff --git a/src/lib/krb5/os/t_realm_iter.c b/src/lib/krb5/os/t_realm_iter.c
index b39693594b..397826940e 100644
--- a/src/lib/krb5/os/t_realm_iter.c
+++ b/src/lib/krb5/os/t_realm_iter.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
#include "krb5.h"
#include <stdio.h>
@@ -9,19 +10,19 @@ void test_realm_iterator(int ctx)
void *iter;
if ((retval = krb5_realm_iterator_create(ctx, &iter))) {
- com_err("krb5_realm_iterator_create", retval, 0);
- return;
+ com_err("krb5_realm_iterator_create", retval, 0);
+ return;
}
while (iter) {
- if ((retval = krb5_realm_iterator(ctx, &iter, &realm))) {
- com_err("krb5_realm_iterator", retval, 0);
- krb5_realm_iterator_free(ctx, &iter);
- return;
- }
- if (realm) {
- printf("Realm: '%s'\n", realm);
- krb5_free_realm_string(ctx, realm);
- }
+ if ((retval = krb5_realm_iterator(ctx, &iter, &realm))) {
+ com_err("krb5_realm_iterator", retval, 0);
+ krb5_realm_iterator_free(ctx, &iter);
+ return;
+ }
+ if (realm) {
+ printf("Realm: '%s'\n", realm);
+ krb5_free_realm_string(ctx, realm);
+ }
}
}
@@ -32,9 +33,9 @@ int main(int argc, char **argv)
retval = krb5_init_context(&ctx);
if (retval) {
- fprintf(stderr, "krb5_init_context returned error %ld\n",
- retval);
- exit(1);
+ fprintf(stderr, "krb5_init_context returned error %ld\n",
+ retval);
+ exit(1);
}
test_realm_iterator(ctx);
diff --git a/src/lib/krb5/os/t_std_conf.c b/src/lib/krb5/os/t_std_conf.c
index 04b75d7b80..a3bd795d4d 100644
--- a/src/lib/krb5/os/t_std_conf.c
+++ b/src/lib/krb5/os/t_std_conf.c
@@ -1,6 +1,7 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
- * t_std_conf.c --- This program tests standard Krb5 routines which pull
- * values from the krb5 config file(s).
+ * t_std_conf.c --- This program tests standard Krb5 routines which pull
+ * values from the krb5 config file(s).
*/
#include "fake-addrinfo.h"
@@ -19,229 +20,229 @@
static void test_get_default_realm(krb5_context ctx)
{
- char *realm;
- krb5_error_code retval;
-
- retval = krb5_get_default_realm(ctx, &realm);
- if (retval) {
- com_err("krb5_get_default_realm", retval, 0);
- return;
- }
- printf("krb5_get_default_realm() returned '%s'\n", realm);
- free(realm);
+ char *realm;
+ krb5_error_code retval;
+
+ retval = krb5_get_default_realm(ctx, &realm);
+ if (retval) {
+ com_err("krb5_get_default_realm", retval, 0);
+ return;
+ }
+ printf("krb5_get_default_realm() returned '%s'\n", realm);
+ free(realm);
}
static void test_set_default_realm(krb5_context ctx, char *realm)
{
- krb5_error_code retval;
-
- retval = krb5_set_default_realm(ctx, realm);
- if (retval) {
- com_err("krb5_set_default_realm", retval, 0);
- return;
- }
- printf("krb5_set_default_realm(%s)\n", realm);
+ krb5_error_code retval;
+
+ retval = krb5_set_default_realm(ctx, realm);
+ if (retval) {
+ com_err("krb5_set_default_realm", retval, 0);
+ return;
+ }
+ printf("krb5_set_default_realm(%s)\n", realm);
}
static void test_get_default_ccname(krb5_context ctx)
{
- const char *ccname;
+ const char *ccname;
- ccname = krb5_cc_default_name(ctx);
- if (ccname)
- printf("krb5_cc_default_name() returned '%s'\n", ccname);
- else
- printf("krb5_cc_default_name() returned NULL\n");
+ ccname = krb5_cc_default_name(ctx);
+ if (ccname)
+ printf("krb5_cc_default_name() returned '%s'\n", ccname);
+ else
+ printf("krb5_cc_default_name() returned NULL\n");
}
static void test_set_default_ccname(krb5_context ctx, char *ccname)
{
- krb5_error_code retval;
-
- retval = krb5_cc_set_default_name(ctx, ccname);
- if (retval) {
- com_err("krb5_set_default_ccname", retval, 0);
- return;
- }
- printf("krb5_set_default_ccname(%s)\n", ccname);
+ krb5_error_code retval;
+
+ retval = krb5_cc_set_default_name(ctx, ccname);
+ if (retval) {
+ com_err("krb5_set_default_ccname", retval, 0);
+ return;
+ }
+ printf("krb5_set_default_ccname(%s)\n", ccname);
}
static void test_get_krbhst(krb5_context ctx, char *realm)
{
- char **hostlist, **cpp;
- krb5_data rlm;
- krb5_error_code retval;
-
- rlm.data = realm;
- rlm.length = strlen(realm);
- retval = krb5_get_krbhst(ctx, &rlm, &hostlist);
- if (retval) {
- com_err("krb5_get_krbhst", retval, 0);
- return;
- }
- printf("krb_get_krbhst(%s) returned:", realm);
- if (hostlist == 0) {
- printf(" (null)\n");
- return;
- }
- if (hostlist[0] == 0) {
- printf(" (none)\n");
- krb5_free_krbhst(ctx, hostlist);
- return;
- }
- for (cpp = hostlist; *cpp; cpp++) {
- printf(" '%s'", *cpp);
- }
- krb5_free_krbhst(ctx, hostlist);
- printf("\n");
+ char **hostlist, **cpp;
+ krb5_data rlm;
+ krb5_error_code retval;
+
+ rlm.data = realm;
+ rlm.length = strlen(realm);
+ retval = krb5_get_krbhst(ctx, &rlm, &hostlist);
+ if (retval) {
+ com_err("krb5_get_krbhst", retval, 0);
+ return;
+ }
+ printf("krb_get_krbhst(%s) returned:", realm);
+ if (hostlist == 0) {
+ printf(" (null)\n");
+ return;
+ }
+ if (hostlist[0] == 0) {
+ printf(" (none)\n");
+ krb5_free_krbhst(ctx, hostlist);
+ return;
+ }
+ for (cpp = hostlist; *cpp; cpp++) {
+ printf(" '%s'", *cpp);
+ }
+ krb5_free_krbhst(ctx, hostlist);
+ printf("\n");
}
static void test_locate_kdc(krb5_context ctx, char *realm)
{
- struct addrlist addrs;
- int i;
- int get_masters=0;
- krb5_data rlm;
- krb5_error_code retval;
-
- rlm.data = realm;
- rlm.length = strlen(realm);
- retval = krb5_locate_kdc(ctx, &rlm, &addrs, get_masters, 0, 0);
- if (retval) {
- com_err("krb5_locate_kdc", retval, 0);
- return;
- }
- printf("krb_locate_kdc(%s) returned:", realm);
- for (i=0; i < addrs.naddrs; i++) {
- struct addrinfo *ai = addrs.addrs[i].ai;
- switch (ai->ai_family) {
- case AF_INET:
- {
- struct sockaddr_in *s_sin;
- s_sin = (struct sockaddr_in *) ai->ai_addr;
- printf(" inet:%s/%d", inet_ntoa(s_sin->sin_addr),
- ntohs(s_sin->sin_port));
- }
- break;
+ struct addrlist addrs;
+ int i;
+ int get_masters=0;
+ krb5_data rlm;
+ krb5_error_code retval;
+
+ rlm.data = realm;
+ rlm.length = strlen(realm);
+ retval = krb5_locate_kdc(ctx, &rlm, &addrs, get_masters, 0, 0);
+ if (retval) {
+ com_err("krb5_locate_kdc", retval, 0);
+ return;
+ }
+ printf("krb_locate_kdc(%s) returned:", realm);
+ for (i=0; i < addrs.naddrs; i++) {
+ struct addrinfo *ai = addrs.addrs[i].ai;
+ switch (ai->ai_family) {
+ case AF_INET:
+ {
+ struct sockaddr_in *s_sin;
+ s_sin = (struct sockaddr_in *) ai->ai_addr;
+ printf(" inet:%s/%d", inet_ntoa(s_sin->sin_addr),
+ ntohs(s_sin->sin_port));
+ }
+ break;
#ifdef KRB5_USE_INET6
- case AF_INET6:
- {
- struct sockaddr_in6 *s_sin6;
- int j;
- s_sin6 = (struct sockaddr_in6 *) ai->ai_addr;
- printf(" inet6");
- for (j = 0; j < 8; j++)
- printf(":%x",
- (s_sin6->sin6_addr.s6_addr[2*j] * 256
- + s_sin6->sin6_addr.s6_addr[2*j+1]));
- printf("/%d", ntohs(s_sin6->sin6_port));
- break;
- }
+ case AF_INET6:
+ {
+ struct sockaddr_in6 *s_sin6;
+ int j;
+ s_sin6 = (struct sockaddr_in6 *) ai->ai_addr;
+ printf(" inet6");
+ for (j = 0; j < 8; j++)
+ printf(":%x",
+ (s_sin6->sin6_addr.s6_addr[2*j] * 256
+ + s_sin6->sin6_addr.s6_addr[2*j+1]));
+ printf("/%d", ntohs(s_sin6->sin6_port));
+ break;
+ }
#endif
- default:
- printf(" unknown-af-%d", ai->ai_family);
- break;
- }
- }
- krb5int_free_addrlist(&addrs);
- printf("\n");
+ default:
+ printf(" unknown-af-%d", ai->ai_family);
+ break;
+ }
+ }
+ krb5int_free_addrlist(&addrs);
+ printf("\n");
}
static void test_get_host_realm(krb5_context ctx, char *host)
{
- char **realms, **cpp;
- krb5_error_code retval;
-
- retval = krb5_get_host_realm(ctx, host, &realms);
- if (retval) {
- com_err("krb5_get_host_realm", retval, 0);
- return;
- }
- printf("krb_get_host_realm(%s) returned:", host);
- if (realms == 0) {
- printf(" (null)\n");
- return;
- }
- if (realms[0] == 0) {
- printf(" (none)\n");
- free(realms);
- return;
- }
- for (cpp = realms; *cpp; cpp++) {
- printf(" '%s'", *cpp);
- free(*cpp);
- }
- free(realms);
- printf("\n");
+ char **realms, **cpp;
+ krb5_error_code retval;
+
+ retval = krb5_get_host_realm(ctx, host, &realms);
+ if (retval) {
+ com_err("krb5_get_host_realm", retval, 0);
+ return;
+ }
+ printf("krb_get_host_realm(%s) returned:", host);
+ if (realms == 0) {
+ printf(" (null)\n");
+ return;
+ }
+ if (realms[0] == 0) {
+ printf(" (none)\n");
+ free(realms);
+ return;
+ }
+ for (cpp = realms; *cpp; cpp++) {
+ printf(" '%s'", *cpp);
+ free(*cpp);
+ }
+ free(realms);
+ printf("\n");
}
static void test_get_realm_domain(krb5_context ctx, char *realm)
{
- krb5_error_code retval;
- char *domain;
-
- retval = krb5_get_realm_domain(ctx, realm, &domain);
- if (retval) {
- com_err("krb5_get_realm_domain", retval, 0);
- return;
- }
- printf("krb5_get_realm_domain(%s) returned '%s'\n", realm, domain);
- free(domain);
+ krb5_error_code retval;
+ char *domain;
+
+ retval = krb5_get_realm_domain(ctx, realm, &domain);
+ if (retval) {
+ com_err("krb5_get_realm_domain", retval, 0);
+ return;
+ }
+ printf("krb5_get_realm_domain(%s) returned '%s'\n", realm, domain);
+ free(domain);
}
static void usage(char *progname)
{
- fprintf(stderr, "%s: Usage: %s [-dc] [-k realm] [-r host] [-C ccname] [-D realm]\n",
- progname, progname);
- exit(1);
+ fprintf(stderr, "%s: Usage: %s [-dc] [-k realm] [-r host] [-C ccname] [-D realm]\n",
+ progname, progname);
+ exit(1);
}
int main(int argc, char **argv)
{
- int c;
- krb5_context ctx;
- krb5_error_code retval;
- extern char *optarg;
-
- retval = krb5_init_context(&ctx);
- if (retval) {
- fprintf(stderr, "krb5_init_context returned error %u\n",
- retval);
- exit(1);
- }
-
- while ((c = getopt(argc, argv, "cdk:r:C:D:l:s:")) != -1) {
- switch (c) {
- case 'c': /* Get default ccname */
- test_get_default_ccname(ctx);
- break;
- case 'd': /* Get default realm */
- test_get_default_realm(ctx);
- break;
- case 'k': /* Get list of KDC's */
- test_get_krbhst(ctx, optarg);
- break;
- case 'l':
- test_locate_kdc(ctx, optarg);
- break;
- case 'r':
- test_get_host_realm(ctx, optarg);
- break;
- case 's':
- test_set_default_realm(ctx, optarg);
- break;
- case 'C':
- test_set_default_ccname(ctx, optarg);
- break;
- case 'D':
- test_get_realm_domain(ctx, optarg);
- break;
- default:
- usage(argv[0]);
- }
- }
-
-
- krb5_free_context(ctx);
- exit(0);
+ int c;
+ krb5_context ctx;
+ krb5_error_code retval;
+ extern char *optarg;
+
+ retval = krb5_init_context(&ctx);
+ if (retval) {
+ fprintf(stderr, "krb5_init_context returned error %u\n",
+ retval);
+ exit(1);
+ }
+
+ while ((c = getopt(argc, argv, "cdk:r:C:D:l:s:")) != -1) {
+ switch (c) {
+ case 'c': /* Get default ccname */
+ test_get_default_ccname(ctx);
+ break;
+ case 'd': /* Get default realm */
+ test_get_default_realm(ctx);
+ break;
+ case 'k': /* Get list of KDC's */
+ test_get_krbhst(ctx, optarg);
+ break;
+ case 'l':
+ test_locate_kdc(ctx, optarg);
+ break;
+ case 'r':
+ test_get_host_realm(ctx, optarg);
+ break;
+ case 's':
+ test_set_default_realm(ctx, optarg);
+ break;
+ case 'C':
+ test_set_default_ccname(ctx, optarg);
+ break;
+ case 'D':
+ test_get_realm_domain(ctx, optarg);
+ break;
+ default:
+ usage(argv[0]);
+ }
+ }
+
+
+ krb5_free_context(ctx);
+ exit(0);
}
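Review bot: The usage text in usage() lists fewer options than main() accepts. The getopt string is "cdk:r:C:D:l:s:" and the switch dispatches 'l' to test_locate_kdc and 's' to test_set_default_realm, but neither flag appears in the message. Suggest `"%s: Usage: %s [-dc] [-k realm] [-l realm] [-r host] [-s realm] [-C ccname] [-D realm]\n"`. Separately, `"krb5_init_context returned error %u\n"` prints retval with an unsigned conversion; if krb5_error_code is a signed type (its declaration is not visible here), `%d` with an `(int)` cast would match it.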
diff --git a/src/lib/krb5/os/thread_safe.c b/src/lib/krb5/os/thread_safe.c
index faac234f96..acd88ce85e 100644
--- a/src/lib/krb5/os/thread_safe.c
+++ b/src/lib/krb5/os/thread_safe.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/os/thread_safec
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_is_thread_safe() function.
*/
diff --git a/src/lib/krb5/os/timeofday.c b/src/lib/krb5/os/timeofday.c
index 31d803eb55..a711b0493c 100644
--- a/src/lib/krb5/os/timeofday.c
+++ b/src/lib/krb5/os/timeofday.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/os/timeofday.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,9 +23,9 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
*
- * libos: krb5_timeofday function for BSD 4.3
+ *
+ * libos: krb5_timeofday function for BSD 4.3
*/
@@ -39,18 +40,18 @@ krb5_timeofday(krb5_context context, register krb5_timestamp *timeret)
time_t tval;
if (context == NULL)
- return EINVAL;
+ return EINVAL;
os_ctx = &context->os_context;
if (os_ctx->os_flags & KRB5_OS_TOFFSET_TIME) {
- *timeret = os_ctx->time_offset;
- return 0;
+ *timeret = os_ctx->time_offset;
+ return 0;
}
tval = time(0);
if (tval == (time_t) -1)
- return (krb5_error_code) errno;
+ return (krb5_error_code) errno;
if (os_ctx->os_flags & KRB5_OS_TOFFSET_VALID)
- tval += os_ctx->time_offset;
+ tval += os_ctx->time_offset;
*timeret = tval;
return 0;
}
diff --git a/src/lib/krb5/os/toffset.c b/src/lib/krb5/os/toffset.c
index 40bc108afa..a9faec537b 100644
--- a/src/lib/krb5/os/toffset.c
+++ b/src/lib/krb5/os/toffset.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/os/toffset.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -47,13 +48,13 @@ krb5_set_real_time(krb5_context context, krb5_timestamp seconds, krb5_int32 micr
retval = krb5_crypto_us_timeofday(&sec, &usec);
if (retval)
- return retval;
+ return retval;
os_ctx->time_offset = seconds - sec;
os_ctx->usec_offset = (microseconds > -1) ? microseconds - usec : 0;
os_ctx->os_flags = ((os_ctx->os_flags & ~KRB5_OS_TOFFSET_TIME) |
- KRB5_OS_TOFFSET_VALID);
+ KRB5_OS_TOFFSET_VALID);
return 0;
}
@@ -62,7 +63,7 @@ krb5_set_real_time(krb5_context context, krb5_timestamp seconds, krb5_int32 micr
* the seconds and microseconds value as input to this function. This
* is useful for running the krb5 routines through test suites
*/
-krb5_error_code
+krb5_error_code
krb5_set_debugging_time(krb5_context context, krb5_timestamp seconds, krb5_int32 microseconds)
{
krb5_os_context os_ctx = &context->os_context;
@@ -70,7 +71,7 @@ krb5_set_debugging_time(krb5_context context, krb5_timestamp seconds, krb5_int32
os_ctx->time_offset = seconds;
os_ctx->usec_offset = microseconds;
os_ctx->os_flags = ((os_ctx->os_flags & ~KRB5_OS_TOFFSET_VALID) |
- KRB5_OS_TOFFSET_TIME);
+ KRB5_OS_TOFFSET_TIME);
return 0;
}
@@ -78,7 +79,7 @@ krb5_set_debugging_time(krb5_context context, krb5_timestamp seconds, krb5_int32
* This routine turns off the time correction fields, so that the krb5
* routines return the "natural" time.
*/
-krb5_error_code
+krb5_error_code
krb5_use_natural_time(krb5_context context)
{
krb5_os_context os_ctx = &context->os_context;
@@ -97,9 +98,9 @@ krb5_get_time_offsets(krb5_context context, krb5_timestamp *seconds, krb5_int32
krb5_os_context os_ctx = &context->os_context;
if (seconds)
- *seconds = os_ctx->time_offset;
+ *seconds = os_ctx->time_offset;
if (microseconds)
- *microseconds = os_ctx->usec_offset;
+ *microseconds = os_ctx->usec_offset;
return 0;
}
@@ -107,7 +108,7 @@ krb5_get_time_offsets(krb5_context context, krb5_timestamp *seconds, krb5_int32
/*
* This routine sets the time offsets directly.
*/
-krb5_error_code
+krb5_error_code
krb5_set_time_offsets(krb5_context context, krb5_timestamp seconds, krb5_int32 microseconds)
{
krb5_os_context os_ctx = &context->os_context;
@@ -115,6 +116,6 @@ krb5_set_time_offsets(krb5_context context, krb5_timestamp seconds, krb5_int32 m
os_ctx->time_offset = seconds;
os_ctx->usec_offset = microseconds;
os_ctx->os_flags = ((os_ctx->os_flags & ~KRB5_OS_TOFFSET_TIME) |
- KRB5_OS_TOFFSET_VALID);
+ KRB5_OS_TOFFSET_VALID);
return 0;
}
diff --git a/src/lib/krb5/os/unlck_file.c b/src/lib/krb5/os/unlck_file.c
index 0bbf7ce316..37233a3371 100644
--- a/src/lib/krb5/os/unlck_file.c
+++ b/src/lib/krb5/os/unlck_file.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/os/unlck_file.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* libos: krb5_lock_file routine
*/
diff --git a/src/lib/krb5/os/ustime.c b/src/lib/krb5/os/ustime.c
index bb34c228e6..34c2fa0892 100644
--- a/src/lib/krb5/os/ustime.c
+++ b/src/lib/krb5/os/ustime.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/os/ustime.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
* krb5_crypto_us_timeofday() does all of the real work; however, we
* handle the time offset adjustment here, since this is context
* specific, and the crypto version of this call doesn't have access
@@ -39,26 +40,26 @@ krb5_us_timeofday(krb5_context context, krb5_timestamp *seconds, krb5_int32 *mic
krb5_os_context os_ctx = &context->os_context;
krb5_int32 sec, usec;
krb5_error_code retval;
-
+
if (os_ctx->os_flags & KRB5_OS_TOFFSET_TIME) {
- *seconds = os_ctx->time_offset;
- *microseconds = os_ctx->usec_offset;
- return 0;
+ *seconds = os_ctx->time_offset;
+ *microseconds = os_ctx->usec_offset;
+ return 0;
}
retval = krb5_crypto_us_timeofday(&sec, &usec);
if (retval)
- return retval;
+ return retval;
if (os_ctx->os_flags & KRB5_OS_TOFFSET_VALID) {
- usec += os_ctx->usec_offset;
- if (usec > 1000000) {
- usec -= 1000000;
- sec++;
- }
- if (usec < 0) {
- usec += 1000000;
- sec--;
- }
- sec += os_ctx->time_offset;
+ usec += os_ctx->usec_offset;
+ if (usec > 1000000) {
+ usec -= 1000000;
+ sec++;
+ }
+ if (usec < 0) {
+ usec += 1000000;
+ sec--;
+ }
+ sec += os_ctx->time_offset;
}
*seconds = sec;
*microseconds = usec;
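Review bot: The carry test `if (usec > 1000000)` in the KRB5_OS_TOFFSET_VALID branch leaves usec == 1000000 unnormalized, so *microseconds can come back one past the valid 0..999999 range. `if (usec >= 1000000) {` fixes the boundary. The single carry and single borrow also assume usec_offset is smaller than one second in magnitude, which nothing visible here enforces; presumably the setters guarantee it, but that is worth confirming. The end of krb5_us_timeofday lies outside the hunk.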
diff --git a/src/lib/krb5/os/write_msg.c b/src/lib/krb5/os/write_msg.c
index e6001e8c67..6a57b1e0cb 100644
--- a/src/lib/krb5/os/write_msg.c
+++ b/src/lib/krb5/os/write_msg.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/os/write_msg.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* convenience sendauth/recvauth functions
*/
@@ -42,29 +43,29 @@ krb5int_write_messages(krb5_context context, krb5_pointer fdp, krb5_data *outbuf
int fd = *( (int *) fdp);
while (nbufs) {
- int nbufs1;
- sg_buf sg[4];
- krb5_int32 len[2];
+ int nbufs1;
+ sg_buf sg[4];
+ krb5_int32 len[2];
- if (nbufs > 1)
- nbufs1 = 2;
- else
- nbufs1 = 1;
- len[0] = htonl(outbuf[0].length);
- SG_SET(&sg[0], &len[0], 4);
- SG_SET(&sg[1], outbuf[0].length ? outbuf[0].data : NULL,
- outbuf[0].length);
- if (nbufs1 == 2) {
- len[1] = htonl(outbuf[1].length);
- SG_SET(&sg[2], &len[1], 4);
- SG_SET(&sg[3], outbuf[1].length ? outbuf[1].data : NULL,
- outbuf[1].length);
- }
- if (krb5int_net_writev(context, fd, sg, nbufs1 * 2) < 0) {
- return errno;
- }
- outbuf += nbufs1;
- nbufs -= nbufs1;
+ if (nbufs > 1)
+ nbufs1 = 2;
+ else
+ nbufs1 = 1;
+ len[0] = htonl(outbuf[0].length);
+ SG_SET(&sg[0], &len[0], 4);
+ SG_SET(&sg[1], outbuf[0].length ? outbuf[0].data : NULL,
+ outbuf[0].length);
+ if (nbufs1 == 2) {
+ len[1] = htonl(outbuf[1].length);
+ SG_SET(&sg[2], &len[1], 4);
+ SG_SET(&sg[3], outbuf[1].length ? outbuf[1].data : NULL,
+ outbuf[1].length);
+ }
+ if (krb5int_net_writev(context, fd, sg, nbufs1 * 2) < 0) {
+ return errno;
+ }
+ outbuf += nbufs1;
+ nbufs -= nbufs1;
}
return(0);
}
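Review bot: The loop condition `while (nbufs)` stops only when the count reaches exactly zero. The parameter list is truncated in the hunk header, so the type of nbufs is not visible. If it is a signed int, a negative count from a caller would take the `nbufs1 = 1` path indefinitely and step outbuf past the end of the array while writing what it finds to fd. `while (nbufs > 0) {` makes the bound explicit at no cost. The opening lines of krb5int_write_messages are outside the hunk.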
diff --git a/src/lib/krb5/posix/syslog.c b/src/lib/krb5/posix/syslog.c
index e1318933ef..418e811d0c 100644
--- a/src/lib/krb5/posix/syslog.c
+++ b/src/lib/krb5/posix/syslog.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
#if defined(_WIN32)
/* Windows doesn't have the concept of a system log, so just
** do nothing here.
@@ -5,6 +6,6 @@
void
syslog(int pri, const char *fmt, ...)
{
- return;
+ return;
}
#endif
diff --git a/src/lib/krb5/rcache/rc-int.h b/src/lib/krb5/rcache/rc-int.h
index 5d91d3cc6d..3030f0e5eb 100644
--- a/src/lib/krb5/rcache/rc-int.h
+++ b/src/lib/krb5/rcache/rc-int.h
@@ -1,4 +1,4 @@
-/* -*- mode: c; indent-tabs-mode: nil -*- */
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/keytab/rc-int.h
*
@@ -47,25 +47,25 @@ struct _krb5_rc_ops {
krb5_magic magic;
char *type;
krb5_error_code (KRB5_CALLCONV *init)
- (krb5_context, krb5_rcache,krb5_deltat); /* create */
+ (krb5_context, krb5_rcache,krb5_deltat); /* create */
krb5_error_code (KRB5_CALLCONV *recover)
- (krb5_context, krb5_rcache); /* open */
+ (krb5_context, krb5_rcache); /* open */
krb5_error_code (KRB5_CALLCONV *recover_or_init)
- (krb5_context, krb5_rcache,krb5_deltat);
+ (krb5_context, krb5_rcache,krb5_deltat);
krb5_error_code (KRB5_CALLCONV *destroy)
- (krb5_context, krb5_rcache);
+ (krb5_context, krb5_rcache);
krb5_error_code (KRB5_CALLCONV *close)
- (krb5_context, krb5_rcache);
+ (krb5_context, krb5_rcache);
krb5_error_code (KRB5_CALLCONV *store)
- (krb5_context, krb5_rcache,krb5_donot_replay *);
+ (krb5_context, krb5_rcache,krb5_donot_replay *);
krb5_error_code (KRB5_CALLCONV *expunge)
- (krb5_context, krb5_rcache);
+ (krb5_context, krb5_rcache);
krb5_error_code (KRB5_CALLCONV *get_span)
- (krb5_context, krb5_rcache,krb5_deltat *);
+ (krb5_context, krb5_rcache,krb5_deltat *);
char *(KRB5_CALLCONV *get_name)
- (krb5_context, krb5_rcache);
+ (krb5_context, krb5_rcache);
krb5_error_code (KRB5_CALLCONV *resolve)
- (krb5_context, krb5_rcache, char *);
+ (krb5_context, krb5_rcache, char *);
};
typedef struct _krb5_rc_ops krb5_rc_ops;
diff --git a/src/lib/krb5/rcache/rc_base.c b/src/lib/krb5/rcache/rc_base.c
index 43b901fac0..a7c7dd8230 100644
--- a/src/lib/krb5/rcache/rc_base.c
+++ b/src/lib/krb5/rcache/rc_base.c
@@ -1,4 +1,4 @@
-/* -*- mode: c; indent-tabs-mode: nil -*- */
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/rcache/rc_base.c
*
diff --git a/src/lib/krb5/rcache/rc_base.h b/src/lib/krb5/rcache/rc_base.h
index b8687f2fef..1e0f83a026 100644
--- a/src/lib/krb5/rcache/rc_base.h
+++ b/src/lib/krb5/rcache/rc_base.h
@@ -1,4 +1,4 @@
-/* -*- mode: c; indent-tabs-mode: nil -*- */
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/rcache/rc_base.h
*
diff --git a/src/lib/krb5/rcache/rc_conv.c b/src/lib/krb5/rcache/rc_conv.c
index cda9c91faa..aa4b56a164 100644
--- a/src/lib/krb5/rcache/rc_conv.c
+++ b/src/lib/krb5/rcache/rc_conv.c
@@ -1,4 +1,4 @@
-/* -*- mode: c; indent-tabs-mode: nil -*- */
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/rcache/rc_conv.c
*
diff --git a/src/lib/krb5/rcache/rc_dfl.c b/src/lib/krb5/rcache/rc_dfl.c
index c831ba02d6..f19f1cb81c 100644
--- a/src/lib/krb5/rcache/rc_dfl.c
+++ b/src/lib/krb5/rcache/rc_dfl.c
@@ -1,4 +1,4 @@
-/* -*- mode: c; indent-tabs-mode: nil -*- */
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/rcache/rc_dfl.c
*
diff --git a/src/lib/krb5/rcache/rc_dfl.h b/src/lib/krb5/rcache/rc_dfl.h
index 4a6badafe9..d1dd153f93 100644
--- a/src/lib/krb5/rcache/rc_dfl.h
+++ b/src/lib/krb5/rcache/rc_dfl.h
@@ -1,4 +1,4 @@
-/* -*- mode: c; indent-tabs-mode: nil -*- */
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/rcache/rc_dfl.h
*
@@ -15,42 +15,42 @@
#define KRB5_RC_DFL_H
krb5_error_code KRB5_CALLCONV krb5_rc_dfl_init
- (krb5_context,
- krb5_rcache,
- krb5_deltat);
+(krb5_context,
+ krb5_rcache,
+ krb5_deltat);
krb5_error_code KRB5_CALLCONV krb5_rc_dfl_recover
- (krb5_context,
- krb5_rcache);
+(krb5_context,
+ krb5_rcache);
krb5_error_code KRB5_CALLCONV krb5_rc_dfl_recover_or_init
- (krb5_context, krb5_rcache, krb5_deltat);
+(krb5_context, krb5_rcache, krb5_deltat);
krb5_error_code KRB5_CALLCONV krb5_rc_dfl_destroy
- (krb5_context,
- krb5_rcache);
+(krb5_context,
+ krb5_rcache);
krb5_error_code KRB5_CALLCONV krb5_rc_dfl_close
- (krb5_context,
- krb5_rcache);
+(krb5_context,
+ krb5_rcache);
krb5_error_code KRB5_CALLCONV krb5_rc_dfl_store
- (krb5_context,
- krb5_rcache,
- krb5_donot_replay *);
+(krb5_context,
+ krb5_rcache,
+ krb5_donot_replay *);
krb5_error_code KRB5_CALLCONV krb5_rc_dfl_expunge
- (krb5_context,
- krb5_rcache);
+(krb5_context,
+ krb5_rcache);
krb5_error_code KRB5_CALLCONV krb5_rc_dfl_get_span
- (krb5_context,
- krb5_rcache,
- krb5_deltat *);
+(krb5_context,
+ krb5_rcache,
+ krb5_deltat *);
char * KRB5_CALLCONV krb5_rc_dfl_get_name
- (krb5_context,
- krb5_rcache);
+(krb5_context,
+ krb5_rcache);
krb5_error_code KRB5_CALLCONV krb5_rc_dfl_resolve
- (krb5_context,
- krb5_rcache,
- char *);
+(krb5_context,
+ krb5_rcache,
+ char *);
krb5_error_code krb5_rc_dfl_close_no_free
- (krb5_context,
- krb5_rcache);
+(krb5_context,
+ krb5_rcache);
void krb5_rc_free_entry
- (krb5_context,
- krb5_donot_replay **);
+(krb5_context,
+ krb5_donot_replay **);
#endif
diff --git a/src/lib/krb5/rcache/rc_io.c b/src/lib/krb5/rcache/rc_io.c
index 8d7d986dad..872b5fdffc 100644
--- a/src/lib/krb5/rcache/rc_io.c
+++ b/src/lib/krb5/rcache/rc_io.c
@@ -1,4 +1,4 @@
-/* -*- mode: c; indent-tabs-mode: nil -*- */
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/rcache/rc_io.c
*
@@ -262,12 +262,12 @@ krb5_rc_io_open_internal(krb5_context context, krb5_rc_iostuff *d, char *fn,
/* check if someone was playing with symlinks */
if ((sb1.st_dev != sb2.st_dev || sb1.st_ino != sb2.st_ino)
|| (sb1.st_mode & S_IFMT) != S_IFREG)
- {
- retval = KRB5_RC_IO_PERM;
- krb5_set_error_message(context, retval,
- "rcache not a file %s", d->fn);
- goto cleanup;
- }
+ {
+ retval = KRB5_RC_IO_PERM;
+ krb5_set_error_message(context, retval,
+ "rcache not a file %s", d->fn);
+ goto cleanup;
+ }
/* check that non other can read/write/execute the file */
if (sb1.st_mode & 077) {
krb5_set_error_message(context, retval, "Insecure file mode "
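Review bot: The insecure-mode branch at the end of the hunk calls `krb5_set_error_message(context, retval, "Insecure file mode "` without assigning retval first, whereas the symlink branch just above sets `retval = KRB5_RC_IO_PERM;` before its call. The earlier assignments to retval are outside the hunk, so it may still be zero or hold a value from an earlier step at that point. In that case the message is stored under a code the caller never receives, and the permission failure on the replay cache file surfaces without its explanation. Assigning retval the code this branch goes on to return, before the call, would keep the two branches consistent. The statement and the rest of krb5_rc_io_open_internal continue past the hunk.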
diff --git a/src/lib/krb5/rcache/rc_io.h b/src/lib/krb5/rcache/rc_io.h
index a2e13bcc29..e58d850e37 100644
--- a/src/lib/krb5/rcache/rc_io.h
+++ b/src/lib/krb5/rcache/rc_io.h
@@ -1,4 +1,4 @@
-/* -*- mode: c; indent-tabs-mode: nil -*- */
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/rcache/rc_io.h
*
@@ -15,57 +15,57 @@
#define KRB5_RC_IO_H
typedef struct krb5_rc_iostuff
- {
- int fd;
+{
+ int fd;
#ifdef MSDOS_FILESYSTEM
- long mark;
+ long mark;
#else
- off_t mark; /* on newer systems, should be pos_t */
+ off_t mark; /* on newer systems, should be pos_t */
#endif
- char *fn;
- }
-krb5_rc_iostuff;
+ char *fn;
+}
+ krb5_rc_iostuff;
/* first argument is always iostuff for result file */
krb5_error_code krb5_rc_io_creat
- (krb5_context,
- krb5_rc_iostuff *,
- char **);
+(krb5_context,
+ krb5_rc_iostuff *,
+ char **);
krb5_error_code krb5_rc_io_open
- (krb5_context,
- krb5_rc_iostuff *,
- char *);
+(krb5_context,
+ krb5_rc_iostuff *,
+ char *);
krb5_error_code krb5_rc_io_move
- (krb5_context,
- krb5_rc_iostuff *,
- krb5_rc_iostuff *);
+(krb5_context,
+ krb5_rc_iostuff *,
+ krb5_rc_iostuff *);
krb5_error_code krb5_rc_io_write
- (krb5_context,
- krb5_rc_iostuff *,
- krb5_pointer,
- unsigned int);
+(krb5_context,
+ krb5_rc_iostuff *,
+ krb5_pointer,
+ unsigned int);
krb5_error_code krb5_rc_io_read
- (krb5_context,
- krb5_rc_iostuff *,
- krb5_pointer,
- unsigned int);
+(krb5_context,
+ krb5_rc_iostuff *,
+ krb5_pointer,
+ unsigned int);
krb5_error_code krb5_rc_io_close
- (krb5_context,
- krb5_rc_iostuff *);
+(krb5_context,
+ krb5_rc_iostuff *);
krb5_error_code krb5_rc_io_destroy
- (krb5_context,
- krb5_rc_iostuff *);
+(krb5_context,
+ krb5_rc_iostuff *);
krb5_error_code krb5_rc_io_mark
- (krb5_context,
- krb5_rc_iostuff *);
+(krb5_context,
+ krb5_rc_iostuff *);
krb5_error_code krb5_rc_io_unmark
- (krb5_context,
- krb5_rc_iostuff *);
+(krb5_context,
+ krb5_rc_iostuff *);
krb5_error_code krb5_rc_io_sync
- (krb5_context,
- krb5_rc_iostuff *);
+(krb5_context,
+ krb5_rc_iostuff *);
long krb5_rc_io_size
- (krb5_context,
- krb5_rc_iostuff *);
+(krb5_context,
+ krb5_rc_iostuff *);
#endif
diff --git a/src/lib/krb5/rcache/rc_none.c b/src/lib/krb5/rcache/rc_none.c
index a0ffed3a4a..77ca83705d 100644
--- a/src/lib/krb5/rcache/rc_none.c
+++ b/src/lib/krb5/rcache/rc_none.c
@@ -1,4 +1,4 @@
-/* -*- mode: c; indent-tabs-mode: nil -*- */
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/rcache/rc_none.c
*
diff --git a/src/lib/krb5/rcache/rcdef.c b/src/lib/krb5/rcache/rcdef.c
index 5b860f1b3a..c4657b333a 100644
--- a/src/lib/krb5/rcache/rcdef.c
+++ b/src/lib/krb5/rcache/rcdef.c
@@ -1,4 +1,4 @@
-/* -*- mode: c; indent-tabs-mode: nil -*- */
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/rcache/rcdef.c
*
diff --git a/src/lib/krb5/rcache/rcfns.c b/src/lib/krb5/rcache/rcfns.c
index 6794af6210..52dec4982a 100644
--- a/src/lib/krb5/rcache/rcfns.c
+++ b/src/lib/krb5/rcache/rcfns.c
@@ -1,4 +1,4 @@
-/* -*- mode: c; indent-tabs-mode: nil -*- */
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/rcache/rcfns.c
*
diff --git a/src/lib/krb5/rcache/ser_rc.c b/src/lib/krb5/rcache/ser_rc.c
index 72bad88f8f..04b969842b 100644
--- a/src/lib/krb5/rcache/ser_rc.c
+++ b/src/lib/krb5/rcache/ser_rc.c
@@ -1,4 +1,4 @@
-/* -*- mode: c; indent-tabs-mode: nil -*- */
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/rcache/ser_rc.c
*
@@ -39,11 +39,11 @@
* krb5_rcache_internalize();
*/
static krb5_error_code krb5_rcache_size
- (krb5_context, krb5_pointer, size_t *);
+(krb5_context, krb5_pointer, size_t *);
static krb5_error_code krb5_rcache_externalize
- (krb5_context, krb5_pointer, krb5_octet **, size_t *);
+(krb5_context, krb5_pointer, krb5_octet **, size_t *);
static krb5_error_code krb5_rcache_internalize
- (krb5_context,krb5_pointer *, krb5_octet **, size_t *);
+(krb5_context,krb5_pointer *, krb5_octet **, size_t *);
/*
* Serialization entry for this type.
diff --git a/src/lib/krb5/rcache/t_replay.c b/src/lib/krb5/rcache/t_replay.c
index d32d6547ce..50928c5e81 100644
--- a/src/lib/krb5/rcache/t_replay.c
+++ b/src/lib/krb5/rcache/t_replay.c
@@ -1,4 +1,4 @@
-/* -*- mode: c; indent-tabs-mode: nil -*- */
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* test/threads/t_replay.c
*
diff --git a/src/lib/krb5/unicode/ucdata/ucdata.c b/src/lib/krb5/unicode/ucdata/ucdata.c
index 590ad2feea..1e46744b64 100644
--- a/src/lib/krb5/unicode/ucdata/ucdata.c
+++ b/src/lib/krb5/unicode/ucdata/ucdata.c
@@ -59,7 +59,7 @@ typedef struct {
krb5_ui_2 cnt;
union {
krb5_ui_4 bytes;
- krb5_ui_2 len[2];
+ krb5_ui_2 len[2];
} size;
} _ucheader_t;
@@ -618,7 +618,7 @@ uccomp_hangul(krb5_ui_4 *str, int len)
LCount = 19, VCount = 21, TCount = 28,
NCount = VCount * TCount, /* 588 */
SCount = LCount * NCount; /* 11172 */
-
+
int i, rlen;
krb5_ui_4 ch, last, lindex, sindex;
@@ -638,7 +638,7 @@ uccomp_hangul(krb5_ui_4 *str, int len)
continue;
}
}
-
+
/* check if two current characters are LV and T */
sindex = last - SBase;
if (sindex < (krb5_ui_4) SCount
@@ -671,7 +671,7 @@ uccanoncomp(krb5_ui_4 *str, int len)
stpos = 0;
copos = 1;
prevcl = uccombining_class(st) == 0 ? 0 : 256;
-
+
for (i = 1; i < len; i++) {
ch = str[i];
cl = uccombining_class(ch);
@@ -885,7 +885,7 @@ uckdecomp(krb5_ui_4 code, krb5_ui_4 *num, krb5_ui_4 **decomp)
if (code < _uckdcmp_nodes[0]) {
return 0;
}
-
+
l = 0;
r = _uckdcmp_nodes[_uckdcmp_size] - 1;
diff --git a/src/lib/krb5/unicode/ucdata/ucdata.h b/src/lib/krb5/unicode/ucdata/ucdata.h
index ff3bb34564..00ece35adb 100644
--- a/src/lib/krb5/unicode/ucdata/ucdata.h
+++ b/src/lib/krb5/unicode/ucdata/ucdata.h
@@ -261,7 +261,7 @@ int uckdecomp(krb5_ui_4 code, krb5_ui_4 *num, krb5_ui_4 **decomp);
*/
int ucdecomp_hangul(krb5_ui_4 code, krb5_ui_4 *num, krb5_ui_4 decomp[]);
-/*
+/*
* This routine does canonical decomposition of the string in of length
* inlen, and returns the decomposed string in out with length outlen.
* The memory for out is allocated by this routine. It returns the length
@@ -269,14 +269,14 @@ int ucdecomp_hangul(krb5_ui_4 code, krb5_ui_4 *num, krb5_ui_4 decomp[]);
*/
int uccanondecomp (const krb5_ui_4 *in, int inlen,
krb5_ui_4 **out, int *outlen);
-
-/*
+
+/*
* Equivalent to uccanondecomp() except that it includes compatibility
* decompositions.
*/
int uccompatdecomp(const krb5_ui_4 *in, int inlen,
krb5_ui_4 **out, int *outlen);
-
+
/**************************************************************************
*
* Functions for getting combining classes.
diff --git a/src/lib/krb5/unicode/ucdata/ucgendat.c b/src/lib/krb5/unicode/ucdata/ucgendat.c
index 42b0ecd034..a6d38fbb91 100644
--- a/src/lib/krb5/unicode/ucdata/ucgendat.c
+++ b/src/lib/krb5/unicode/ucdata/ucgendat.c
@@ -449,7 +449,7 @@ add_decomp(krb5_ui_4 code, short compat)
pdecomps_used = &decomps_used;
pdecomps_size = &decomps_size;
}
-
+
/*
* Add the code to the composite property.
*/
@@ -953,7 +953,7 @@ read_cdata(FILE *in)
i++;
}
for (e = s; *e && *e != ';'; e++) ;
-
+
ordered_range_insert(code, s, e - s);
/*
@@ -1125,7 +1125,7 @@ find_decomp(krb5_ui_4 code, short compat)
{
long l, r, m;
_decomp_t *decs;
-
+
l = 0;
r = (compat ? kdecomps_used : decomps_used) - 1;
decs = compat ? kdecomps : decomps;
@@ -1479,12 +1479,12 @@ write_cdata(char *opath)
* Generate the composition data.
*
*****************************************************************/
-
+
/*
* Create compositions from decomposition data
*/
create_comps();
-
+
#if HARDCODE_DATA
fprintf(out, PREF "krb5_ui_4 _uccomp_size = %ld;\n\n",
comps_used * 4L);
@@ -1512,28 +1512,28 @@ write_cdata(char *opath)
snprintf(path, sizeof path, "%s" LDAP_DIRSEP "comp.dat", opath);
if ((out = fopen(path, "wb")) == 0)
return;
-
+
/*
* Write the header.
*/
hdr[1] = (krb5_ui_2) comps_used * 4;
fwrite((char *) hdr, sizeof(krb5_ui_2), 2, out);
-
+
/*
* Write out the byte count to maintain header size.
*/
bytes = comps_used * sizeof(_comp_t);
fwrite((char *) &bytes, sizeof(krb5_ui_4), 1, out);
-
+
/*
* Now, if comps exist, write them out.
*/
if (comps_used > 0)
fwrite((char *) comps, sizeof(_comp_t), comps_used, out);
-
+
fclose(out);
#endif
-
+
/*****************************************************************
*
* Generate the decomposition data.
diff --git a/src/lib/krb5/unicode/ucdata/uctable.h b/src/lib/krb5/unicode/ucdata/uctable.h
index 19d334b4a4..98a8745fab 100644
--- a/src/lib/krb5/unicode/ucdata/uctable.h
+++ b/src/lib/krb5/unicode/ucdata/uctable.h
@@ -14303,4 +14303,3 @@ static const short _ucnum_vals[] = {
0x002a, 0x0001, 0x002b, 0x0001, 0x002c, 0x0001, 0x002d, 0x0001,
0x002e, 0x0001, 0x002f, 0x0001, 0x0030, 0x0001, 0x0031, 0x0001
};
-
diff --git a/src/lib/krb5/unicode/ucstr.c b/src/lib/krb5/unicode/ucstr.c
index ec23688201..fa6796f78a 100644
--- a/src/lib/krb5/unicode/ucstr.c
+++ b/src/lib/krb5/unicode/ucstr.c
@@ -4,13 +4,13 @@
*/
/*
* This work is part of OpenLDAP Software <http://www.openldap.org/>.
- *
+ *
* Copyright 1998-2008 The OpenLDAP Foundation. All rights reserved.
- *
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted only as authorized by the OpenLDAP Public
* License.
- *
+ *
* A copy of this license is available in file LICENSE in the top-level
* directory of the distribution or, alternatively, at
* <http://www.OpenLDAP.org/license.html>.
@@ -23,7 +23,7 @@
#include <ctype.h>
-int
+int
krb5int_ucstrncmp(
const krb5_unicode * u1,
const krb5_unicode * u2,
@@ -40,7 +40,7 @@ krb5int_ucstrncmp(
return 0;
}
-int
+int
krb5int_ucstrncasecmp(
const krb5_unicode * u1,
const krb5_unicode * u2,
@@ -91,7 +91,7 @@ krb5int_ucstrncasechr(
return NULL;
}
-void
+void
krb5int_ucstr2upper(
krb5_unicode * u,
size_t n)
@@ -309,7 +309,7 @@ cleanup:
/* compare UTF8-strings, optionally ignore casing */
/* slow, should be optimized */
-int
+int
krb5int_utf8_normcmp(
const krb5_data * data1,
const krb5_data * data2,
diff --git a/src/lib/krb5/unicode/utbm/utbmstub.c b/src/lib/krb5/unicode/utbm/utbmstub.c
index 866632807f..51fa673512 100644
--- a/src/lib/krb5/unicode/utbm/utbmstub.c
+++ b/src/lib/krb5/unicode/utbm/utbmstub.c
@@ -55,7 +55,7 @@ _utbm_isspace(ucs4_t c, int compress)
c == 0x2028 || c == 0x2029 || _platform_isspace(c)) ? 1 : 0;
return _platform_isspace(c);
-
+
}
/*