authorTom Yu <tlyu@mit.edu>2009-10-31 00:48:38 +0000
committerTom Yu <tlyu@mit.edu>2009-10-31 00:48:38 +0000
commit02d6bcbc98a214e7aeaaa9f45f0db8784a7b743b (patch)
tree61b9147863cd8be3eff63903dc36cae168254bd5 /src/lib/krb5/krb
parent162ab371748cba0cc6f172419bd6e71fa04bb878 (diff)
make mark-cstyle
make reindent git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23100 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/krb5/krb')
-rw-r--r--src/lib/krb5/krb/addr_comp.c15
-rw-r--r--src/lib/krb5/krb/addr_order.c21
-rw-r--r--src/lib/krb5/krb/addr_srch.c17
-rw-r--r--src/lib/krb5/krb/appdefault.c259
-rw-r--r--src/lib/krb5/krb/auth_con.c336
-rw-r--r--src/lib/krb5/krb/auth_con.h41
-rw-r--r--src/lib/krb5/krb/authdata.c13
-rw-r--r--src/lib/krb5/krb/authdata.h12
-rw-r--r--src/lib/krb5/krb/bld_pr_ext.c37
-rw-r--r--src/lib/krb5/krb/bld_princ.c95
-rw-r--r--src/lib/krb5/krb/brand.c3
-rw-r--r--src/lib/krb5/krb/chk_trans.c427
-rw-r--r--src/lib/krb5/krb/chpw.c528
-rw-r--r--src/lib/krb5/krb/cleanup.h35
-rw-r--r--src/lib/krb5/krb/conv_creds.c11
-rw-r--r--src/lib/krb5/krb/conv_princ.c427
-rw-r--r--src/lib/krb5/krb/copy_addrs.c54
-rw-r--r--src/lib/krb5/krb/copy_athctr.c62
-rw-r--r--src/lib/krb5/krb/copy_auth.c226
-rw-r--r--src/lib/krb5/krb/copy_cksum.c11
-rw-r--r--src/lib/krb5/krb/copy_creds.c43
-rw-r--r--src/lib/krb5/krb/copy_data.c39
-rw-r--r--src/lib/krb5/krb/copy_key.c5
-rw-r--r--src/lib/krb5/krb/copy_princ.c37
-rw-r--r--src/lib/krb5/krb/copy_tick.c95
-rw-r--r--src/lib/krb5/krb/cp_key_cnt.c5
-rw-r--r--src/lib/krb5/krb/decode_kdc.c40
-rw-r--r--src/lib/krb5/krb/decrypt_tk.c31
-rw-r--r--src/lib/krb5/krb/deltat.c16
-rw-r--r--src/lib/krb5/krb/enc_helper.c31
-rw-r--r--src/lib/krb5/krb/encode_kdc.c75
-rw-r--r--src/lib/krb5/krb/encrypt_tk.c27
-rw-r--r--src/lib/krb5/krb/fast.c458
-rw-r--r--src/lib/krb5/krb/fast.h29
-rw-r--r--src/lib/krb5/krb/free_rtree.c11
-rw-r--r--src/lib/krb5/krb/fwd_tgt.c191
-rw-r--r--src/lib/krb5/krb/gc_frm_kdc.c903
-rw-r--r--src/lib/krb5/krb/gc_via_tkt.c559
-rw-r--r--src/lib/krb5/krb/gen_seqnum.c11
-rw-r--r--src/lib/krb5/krb/gen_subkey.c21
-rw-r--r--src/lib/krb5/krb/get_creds.c314
-rw-r--r--src/lib/krb5/krb/get_in_tkt.c1687
-rw-r--r--src/lib/krb5/krb/gic_keytab.c194
-rw-r--r--src/lib/krb5/krb/gic_opt.c251
-rw-r--r--src/lib/krb5/krb/gic_pwd.c810
-rw-r--r--src/lib/krb5/krb/in_tkt_sky.c79
-rw-r--r--src/lib/krb5/krb/init_ctx.c507
-rw-r--r--src/lib/krb5/krb/init_keyblock.c15
-rw-r--r--src/lib/krb5/krb/int-proto.h60
-rw-r--r--src/lib/krb5/krb/kdc_rep_dc.c23
-rw-r--r--src/lib/krb5/krb/kerrs.c57
-rw-r--r--src/lib/krb5/krb/kfree.c354
-rw-r--r--src/lib/krb5/krb/mk_cred.c182
-rw-r--r--src/lib/krb5/krb/mk_error.c19
-rw-r--r--src/lib/krb5/krb/mk_priv.c236
-rw-r--r--src/lib/krb5/krb/mk_rep.c81
-rw-r--r--src/lib/krb5/krb/mk_req.c57
-rw-r--r--src/lib/krb5/krb/mk_req_ext.c402
-rw-r--r--src/lib/krb5/krb/mk_safe.c272
-rw-r--r--src/lib/krb5/krb/pac.c954
-rw-r--r--src/lib/krb5/krb/parse.c525
-rw-r--r--src/lib/krb5/krb/pkinit_apple_asn1.c701
-rw-r--r--src/lib/krb5/krb/pkinit_apple_cert_store.c401
-rw-r--r--src/lib/krb5/krb/pkinit_apple_client.c227
-rw-r--r--src/lib/krb5/krb/pkinit_apple_cms.c623
-rw-r--r--src/lib/krb5/krb/pkinit_apple_utils.c221
-rw-r--r--src/lib/krb5/krb/pr_to_salt.c33
-rw-r--r--src/lib/krb5/krb/preauth.c56
-rw-r--r--src/lib/krb5/krb/preauth2.c2569
-rw-r--r--src/lib/krb5/krb/princ_comp.c104
-rw-r--r--src/lib/krb5/krb/rd_cred.c134
-rw-r--r--src/lib/krb5/krb/rd_error.c12
-rw-r--r--src/lib/krb5/krb/rd_priv.c294
-rw-r--r--src/lib/krb5/krb/rd_rep.c105
-rw-r--r--src/lib/krb5/krb/rd_req.c44
-rw-r--r--src/lib/krb5/krb/rd_req_dec.c786
-rw-r--r--src/lib/krb5/krb/rd_safe.c284
-rw-r--r--src/lib/krb5/krb/recvauth.c297
-rw-r--r--src/lib/krb5/krb/s4u_creds.c6
-rw-r--r--src/lib/krb5/krb/send_tgs.c172
-rw-r--r--src/lib/krb5/krb/sendauth.c2
-rw-r--r--src/lib/krb5/krb/ser_actx.c889
-rw-r--r--src/lib/krb5/krb/ser_adata.c187
-rw-r--r--src/lib/krb5/krb/ser_addr.c209
-rw-r--r--src/lib/krb5/krb/ser_auth.c495
-rw-r--r--src/lib/krb5/krb/ser_cksum.c189
-rw-r--r--src/lib/krb5/krb/ser_ctx.c40
-rw-r--r--src/lib/krb5/krb/ser_eblk.c287
-rw-r--r--src/lib/krb5/krb/ser_key.c187
-rw-r--r--src/lib/krb5/krb/ser_princ.c119
-rw-r--r--src/lib/krb5/krb/serialize.c211
-rw-r--r--src/lib/krb5/krb/set_realm.c31
-rw-r--r--src/lib/krb5/krb/srv_dec_tkt.c122
-rw-r--r--src/lib/krb5/krb/srv_rcache.c37
-rw-r--r--src/lib/krb5/krb/str_conv.c219
-rw-r--r--src/lib/krb5/krb/strptime.c4
-rw-r--r--src/lib/krb5/krb/t_ad_fx_armor.c17
-rw-r--r--src/lib/krb5/krb/t_authdata.c43
-rw-r--r--src/lib/krb5/krb/t_deltat.c215
-rw-r--r--src/lib/krb5/krb/t_etypes.c3
-rw-r--r--src/lib/krb5/krb/t_expand.c1
-rw-r--r--src/lib/krb5/krb/t_kerb.c253
-rw-r--r--src/lib/krb5/krb/t_pac.c96
-rw-r--r--src/lib/krb5/krb/t_princ.c8
-rw-r--r--src/lib/krb5/krb/t_ser.c955
-rw-r--r--src/lib/krb5/krb/t_walk_rtree.c92
-rw-r--r--src/lib/krb5/krb/tgtname.c11
-rw-r--r--src/lib/krb5/krb/unparse.c298
-rw-r--r--src/lib/krb5/krb/valid_times.c36
-rw-r--r--src/lib/krb5/krb/vfy_increds.c415
-rw-r--r--src/lib/krb5/krb/vic_opt.c7
-rw-r--r--src/lib/krb5/krb/walk_rtree.c221
112 files changed, 12684 insertions, 12620 deletions
diff --git a/src/lib/krb5/krb/addr_comp.c b/src/lib/krb5/krb/addr_comp.c
index 16ab03bbf..194fc2bb6 100644
--- a/src/lib/krb5/krb/addr_comp.c
+++ b/src/lib/krb5/krb/addr_comp.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/addr_comp.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_address_compare()
*/
@@ -36,13 +37,13 @@ krb5_boolean KRB5_CALLCONV
krb5_address_compare(krb5_context context, const krb5_address *addr1, const krb5_address *addr2)
{
if (addr1->addrtype != addr2->addrtype)
- return(FALSE);
+ return(FALSE);
if (addr1->length != addr2->length)
- return(FALSE);
+ return(FALSE);
if (memcmp((char *)addr1->contents, (char *)addr2->contents,
- addr1->length))
- return FALSE;
+ addr1->length))
+ return FALSE;
else
- return TRUE;
+ return TRUE;
}
diff --git a/src/lib/krb5/krb/addr_order.c b/src/lib/krb5/krb/addr_order.c
index 2f01e1fbc..b742d01ec 100644
--- a/src/lib/krb5/krb/addr_order.c
+++ b/src/lib/krb5/krb/addr_order.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/addr_order.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_address_order()
*/
@@ -45,18 +46,18 @@ krb5_address_order(krb5_context context, const krb5_address *addr1, const krb5_a
const int minlen = min(addr1->length, addr2->length);
if (addr1->addrtype != addr2->addrtype)
- return(FALSE);
+ return(FALSE);
dir = addr1->length - addr2->length;
-
+
for (i = 0; i < minlen; i++) {
- if ((unsigned char) addr1->contents[i] <
- (unsigned char) addr2->contents[i])
- return -1;
- else if ((unsigned char) addr1->contents[i] >
- (unsigned char) addr2->contents[i])
- return 1;
+ if ((unsigned char) addr1->contents[i] <
+ (unsigned char) addr2->contents[i])
+ return -1;
+ else if ((unsigned char) addr1->contents[i] >
+ (unsigned char) addr2->contents[i])
+ return 1;
}
/* compared equal so far...which is longer? */
return dir;
diff --git a/src/lib/krb5/krb/addr_srch.c b/src/lib/krb5/krb/addr_srch.c
index 11a3ce0bb..7a6030490 100644
--- a/src/lib/krb5/krb/addr_srch.c
+++ b/src/lib/krb5/krb/addr_srch.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/addr_srch.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_address_search()
*/
@@ -35,10 +36,10 @@ address_count(krb5_address *const *addrlist)
unsigned int i;
if (addrlist == NULL)
- return 0;
+ return 0;
for (i = 0; addrlist[i]; i++)
- ;
+ ;
return i;
}
@@ -57,12 +58,12 @@ krb5_address_search(krb5_context context, const krb5_address *addr, krb5_address
*/
if (address_count(addrlist) == 1 &&
addrlist[0]->addrtype == ADDRTYPE_NETBIOS)
- return TRUE;
+ return TRUE;
if (!addrlist)
- return TRUE;
+ return TRUE;
for (; *addrlist; addrlist++) {
- if (krb5_address_compare(context, addr, *addrlist))
- return TRUE;
+ if (krb5_address_compare(context, addr, *addrlist))
+ return TRUE;
}
return FALSE;
}
diff --git a/src/lib/krb5/krb/appdefault.c b/src/lib/krb5/krb/appdefault.c
index 94788899b..6fa8cd365 100644
--- a/src/lib/krb5/krb/appdefault.c
+++ b/src/lib/krb5/krb/appdefault.c
@@ -1,6 +1,7 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* appdefault - routines designed to be called from applications to
- * handle the [appdefaults] profile section
+ * handle the [appdefaults] profile section
*/
#include <stdio.h>
@@ -9,158 +10,158 @@
- /*xxx Duplicating this is annoying; try to work on a better way.*/
+/*xxx Duplicating this is annoying; try to work on a better way.*/
static const char *const conf_yes[] = {
- "y", "yes", "true", "t", "1", "on",
- 0,
+ "y", "yes", "true", "t", "1", "on",
+ 0,
};
static const char *const conf_no[] = {
- "n", "no", "false", "nil", "0", "off",
- 0,
+ "n", "no", "false", "nil", "0", "off",
+ 0,
};
static int conf_boolean(char *s)
{
- const char * const *p;
- for(p=conf_yes; *p; p++) {
- if (!strcasecmp(*p,s))
- return 1;
- }
- for(p=conf_no; *p; p++) {
- if (!strcasecmp(*p,s))
- return 0;
- }
- /* Default to "no" */
- return 0;
+ const char * const *p;
+ for(p=conf_yes; *p; p++) {
+ if (!strcasecmp(*p,s))
+ return 1;
+ }
+ for(p=conf_no; *p; p++) {
+ if (!strcasecmp(*p,s))
+ return 0;
+ }
+ /* Default to "no" */
+ return 0;
}
static krb5_error_code appdefault_get(krb5_context context, const char *appname, const krb5_data *realm, const char *option, char **ret_value)
{
- profile_t profile;
- const char *names[5];
- char **nameval = NULL;
- krb5_error_code retval;
- const char * realmstr = realm?realm->data:NULL;
-
- if (!context || (context->magic != KV5M_CONTEXT))
- return KV5M_CONTEXT;
-
- profile = context->profile;
-
- /*
- * Try number one:
- *
- * [appdefaults]
- * app = {
- * SOME.REALM = {
- * option = <boolean>
- * }
- * }
- */
-
- names[0] = "appdefaults";
- names[1] = appname;
-
- if (realmstr) {
- names[2] = realmstr;
- names[3] = option;
- names[4] = 0;
- retval = profile_get_values(profile, names, &nameval);
- if (retval == 0 && nameval && nameval[0]) {
- *ret_value = strdup(nameval[0]);
- goto goodbye;
- }
- }
-
- /*
- * Try number two:
- *
- * [appdefaults]
- * app = {
- * option = <boolean>
- * }
- */
-
- names[2] = option;
- names[3] = 0;
- retval = profile_get_values(profile, names, &nameval);
- if (retval == 0 && nameval && nameval[0]) {
- *ret_value = strdup(nameval[0]);
- goto goodbye;
- }
-
- /*
- * Try number three:
- *
- * [appdefaults]
- * realm = {
- * option = <boolean>
- */
-
- if (realmstr) {
- names[1] = realmstr;
- names[2] = option;
- names[3] = 0;
- retval = profile_get_values(profile, names, &nameval);
- if (retval == 0 && nameval && nameval[0]) {
- *ret_value = strdup(nameval[0]);
- goto goodbye;
- }
- }
-
- /*
- * Try number four:
- *
- * [appdefaults]
- * option = <boolean>
- */
-
- names[1] = option;
- names[2] = 0;
- retval = profile_get_values(profile, names, &nameval);
- if (retval == 0 && nameval && nameval[0]) {
- *ret_value = strdup(nameval[0]);
- } else {
- return retval;
- }
+ profile_t profile;
+ const char *names[5];
+ char **nameval = NULL;
+ krb5_error_code retval;
+ const char * realmstr = realm?realm->data:NULL;
+
+ if (!context || (context->magic != KV5M_CONTEXT))
+ return KV5M_CONTEXT;
+
+ profile = context->profile;
+
+ /*
+ * Try number one:
+ *
+ * [appdefaults]
+ * app = {
+ * SOME.REALM = {
+ * option = <boolean>
+ * }
+ * }
+ */
+
+ names[0] = "appdefaults";
+ names[1] = appname;
+
+ if (realmstr) {
+ names[2] = realmstr;
+ names[3] = option;
+ names[4] = 0;
+ retval = profile_get_values(profile, names, &nameval);
+ if (retval == 0 && nameval && nameval[0]) {
+ *ret_value = strdup(nameval[0]);
+ goto goodbye;
+ }
+ }
+
+ /*
+ * Try number two:
+ *
+ * [appdefaults]
+ * app = {
+ * option = <boolean>
+ * }
+ */
+
+ names[2] = option;
+ names[3] = 0;
+ retval = profile_get_values(profile, names, &nameval);
+ if (retval == 0 && nameval && nameval[0]) {
+ *ret_value = strdup(nameval[0]);
+ goto goodbye;
+ }
+
+ /*
+ * Try number three:
+ *
+ * [appdefaults]
+ * realm = {
+ * option = <boolean>
+ */
+
+ if (realmstr) {
+ names[1] = realmstr;
+ names[2] = option;
+ names[3] = 0;
+ retval = profile_get_values(profile, names, &nameval);
+ if (retval == 0 && nameval && nameval[0]) {
+ *ret_value = strdup(nameval[0]);
+ goto goodbye;
+ }
+ }
+
+ /*
+ * Try number four:
+ *
+ * [appdefaults]
+ * option = <boolean>
+ */
+
+ names[1] = option;
+ names[2] = 0;
+ retval = profile_get_values(profile, names, &nameval);
+ if (retval == 0 && nameval && nameval[0]) {
+ *ret_value = strdup(nameval[0]);
+ } else {
+ return retval;
+ }
goodbye:
- if (nameval) {
- char **cpp;
- for (cpp = nameval; *cpp; cpp++)
- free(*cpp);
- free(nameval);
- }
- return 0;
+ if (nameval) {
+ char **cpp;
+ for (cpp = nameval; *cpp; cpp++)
+ free(*cpp);
+ free(nameval);
+ }
+ return 0;
}
-void KRB5_CALLCONV
+void KRB5_CALLCONV
krb5_appdefault_boolean(krb5_context context, const char *appname, const krb5_data *realm, const char *option, int default_value, int *ret_value)
{
- char *string = NULL;
- krb5_error_code retval;
+ char *string = NULL;
+ krb5_error_code retval;
- retval = appdefault_get(context, appname, realm, option, &string);
+ retval = appdefault_get(context, appname, realm, option, &string);
- if (! retval && string) {
- *ret_value = conf_boolean(string);
- free(string);
- } else
- *ret_value = default_value;
+ if (! retval && string) {
+ *ret_value = conf_boolean(string);
+ free(string);
+ } else
+ *ret_value = default_value;
}
-void KRB5_CALLCONV
+void KRB5_CALLCONV
krb5_appdefault_string(krb5_context context, const char *appname, const krb5_data *realm, const char *option, const char *default_value, char **ret_value)
{
- krb5_error_code retval;
- char *string;
+ krb5_error_code retval;
+ char *string;
- retval = appdefault_get(context, appname, realm, option, &string);
+ retval = appdefault_get(context, appname, realm, option, &string);
- if (! retval && string) {
- *ret_value = string;
- } else {
- *ret_value = strdup(default_value);
- }
+ if (! retval && string) {
+ *ret_value = string;
+ } else {
+ *ret_value = strdup(default_value);
+ }
}
diff --git a/src/lib/krb5/krb/auth_con.c b/src/lib/krb5/krb/auth_con.c
index ee31fb82b..e6bbac15a 100644
--- a/src/lib/krb5/krb/auth_con.c
+++ b/src/lib/krb5/krb/auth_con.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
#include "k5-int.h"
#include "auth_con.h"
@@ -9,11 +10,11 @@ actx_copy_addr(krb5_context context, const krb5_address *inad, krb5_address **ou
krb5_address *tmpad;
if (!(tmpad = (krb5_address *)malloc(sizeof(*tmpad))))
- return ENOMEM;
+ return ENOMEM;
*tmpad = *inad;
if (!(tmpad->contents = (krb5_octet *)malloc(inad->length))) {
- free(tmpad);
- return ENOMEM;
+ free(tmpad);
+ return ENOMEM;
}
memcpy(tmpad->contents, inad->contents, inad->length);
*outad = tmpad;
@@ -24,13 +25,13 @@ krb5_error_code KRB5_CALLCONV
krb5_auth_con_init(krb5_context context, krb5_auth_context *auth_context)
{
*auth_context =
- (krb5_auth_context)calloc(1, sizeof(struct _krb5_auth_context));
+ (krb5_auth_context)calloc(1, sizeof(struct _krb5_auth_context));
if (!*auth_context)
- return ENOMEM;
+ return ENOMEM;
/* Default flags, do time not seq */
- (*auth_context)->auth_context_flags =
- KRB5_AUTH_CONTEXT_DO_TIME | KRB5_AUTH_CONN_INITIALIZED;
+ (*auth_context)->auth_context_flags =
+ KRB5_AUTH_CONTEXT_DO_TIME | KRB5_AUTH_CONN_INITIALIZED;
(*auth_context)->req_cksumtype = context->default_ap_req_sumtype;
(*auth_context)->safe_cksumtype = context->default_safe_sumtype;
@@ -45,29 +46,29 @@ krb5_error_code KRB5_CALLCONV
krb5_auth_con_free(krb5_context context, krb5_auth_context auth_context)
{
if (auth_context == NULL)
- return 0;
- if (auth_context->local_addr)
- krb5_free_address(context, auth_context->local_addr);
- if (auth_context->remote_addr)
- krb5_free_address(context, auth_context->remote_addr);
- if (auth_context->local_port)
- krb5_free_address(context, auth_context->local_port);
- if (auth_context->remote_port)
- krb5_free_address(context, auth_context->remote_port);
- if (auth_context->authentp)
- krb5_free_authenticator(context, auth_context->authentp);
+ return 0;
+ if (auth_context->local_addr)
+ krb5_free_address(context, auth_context->local_addr);
+ if (auth_context->remote_addr)
+ krb5_free_address(context, auth_context->remote_addr);
+ if (auth_context->local_port)
+ krb5_free_address(context, auth_context->local_port);
+ if (auth_context->remote_port)
+ krb5_free_address(context, auth_context->remote_port);
+ if (auth_context->authentp)
+ krb5_free_authenticator(context, auth_context->authentp);
if (auth_context->key)
- krb5_k_free_key(context, auth_context->key);
- if (auth_context->send_subkey)
- krb5_k_free_key(context, auth_context->send_subkey);
- if (auth_context->recv_subkey)
- krb5_k_free_key(context, auth_context->recv_subkey);
+ krb5_k_free_key(context, auth_context->key);
+ if (auth_context->send_subkey)
+ krb5_k_free_key(context, auth_context->send_subkey);
+ if (auth_context->recv_subkey)
+ krb5_k_free_key(context, auth_context->recv_subkey);
if (auth_context->rcache)
- krb5_rc_close(context, auth_context->rcache);
+ krb5_rc_close(context, auth_context->rcache);
if (auth_context->permitted_etypes)
- free(auth_context->permitted_etypes);
+ free(auth_context->permitted_etypes);
if (auth_context->ad_context)
- krb5_authdata_context_free(context, auth_context->ad_context);
+ krb5_authdata_context_free(context, auth_context->ad_context);
free(auth_context);
return 0;
}
@@ -75,28 +76,28 @@ krb5_auth_con_free(krb5_context context, krb5_auth_context auth_context)
krb5_error_code
krb5_auth_con_setaddrs(krb5_context context, krb5_auth_context auth_context, krb5_address *local_addr, krb5_address *remote_addr)
{
- krb5_error_code retval;
+ krb5_error_code retval;
/* Free old addresses */
if (auth_context->local_addr)
- (void) krb5_free_address(context, auth_context->local_addr);
+ (void) krb5_free_address(context, auth_context->local_addr);
if (auth_context->remote_addr)
- (void) krb5_free_address(context, auth_context->remote_addr);
+ (void) krb5_free_address(context, auth_context->remote_addr);
retval = 0;
if (local_addr)
- retval = actx_copy_addr(context,
- local_addr,
- &auth_context->local_addr);
+ retval = actx_copy_addr(context,
+ local_addr,
+ &auth_context->local_addr);
else
- auth_context->local_addr = NULL;
+ auth_context->local_addr = NULL;
if (!retval && remote_addr)
- retval = actx_copy_addr(context,
- remote_addr,
- &auth_context->remote_addr);
+ retval = actx_copy_addr(context,
+ remote_addr,
+ &auth_context->remote_addr);
else
- auth_context->remote_addr = NULL;
+ auth_context->remote_addr = NULL;
return retval;
}
@@ -104,18 +105,18 @@ krb5_auth_con_setaddrs(krb5_context context, krb5_auth_context auth_context, krb
krb5_error_code KRB5_CALLCONV
krb5_auth_con_getaddrs(krb5_context context, krb5_auth_context auth_context, krb5_address **local_addr, krb5_address **remote_addr)
{
- krb5_error_code retval;
+ krb5_error_code retval;
retval = 0;
if (local_addr && auth_context->local_addr) {
- retval = actx_copy_addr(context,
- auth_context->local_addr,
- local_addr);
+ retval = actx_copy_addr(context,
+ auth_context->local_addr,
+ local_addr);
}
if (!retval && (remote_addr) && auth_context->remote_addr) {
- retval = actx_copy_addr(context,
- auth_context->remote_addr,
- remote_addr);
+ retval = actx_copy_addr(context,
+ auth_context->remote_addr,
+ remote_addr);
}
return retval;
}
@@ -123,28 +124,28 @@ krb5_auth_con_getaddrs(krb5_context context, krb5_auth_context auth_context, krb
krb5_error_code KRB5_CALLCONV
krb5_auth_con_setports(krb5_context context, krb5_auth_context auth_context, krb5_address *local_port, krb5_address *remote_port)
{
- krb5_error_code retval;
+ krb5_error_code retval;
/* Free old addresses */
if (auth_context->local_port)
- (void) krb5_free_address(context, auth_context->local_port);
+ (void) krb5_free_address(context, auth_context->local_port);
if (auth_context->remote_port)
- (void) krb5_free_address(context, auth_context->remote_port);
+ (void) krb5_free_address(context, auth_context->remote_port);
retval = 0;
if (local_port)
- retval = actx_copy_addr(context,
- local_port,
- &auth_context->local_port);
+ retval = actx_copy_addr(context,
+ local_port,
+ &auth_context->local_port);
else
- auth_context->local_port = NULL;
+ auth_context->local_port = NULL;
if (!retval && remote_port)
- retval = actx_copy_addr(context,
- remote_port,
- &auth_context->remote_port);
+ retval = actx_copy_addr(context,
+ remote_port,
+ &auth_context->remote_port);
else
- auth_context->remote_port = NULL;
+ auth_context->remote_port = NULL;
return retval;
}
@@ -161,7 +162,7 @@ krb5_error_code KRB5_CALLCONV
krb5_auth_con_setuseruserkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock *keyblock)
{
if (auth_context->key)
- krb5_k_free_key(context, auth_context->key);
+ krb5_k_free_key(context, auth_context->key);
return(krb5_k_create_key(context, keyblock, &(auth_context->key)));
}
@@ -169,7 +170,7 @@ krb5_error_code KRB5_CALLCONV
krb5_auth_con_getkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock **keyblock)
{
if (auth_context->key)
- return krb5_k_key_keyblock(context, auth_context->key, keyblock);
+ return krb5_k_key_keyblock(context, auth_context->key, keyblock);
*keyblock = NULL;
return 0;
}
@@ -190,31 +191,31 @@ krb5_error_code KRB5_CALLCONV
krb5_auth_con_setsendsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock *keyblock)
{
if (ac->send_subkey != NULL)
- krb5_k_free_key(ctx, ac->send_subkey);
+ krb5_k_free_key(ctx, ac->send_subkey);
ac->send_subkey = NULL;
if (keyblock !=NULL)
- return krb5_k_create_key(ctx, keyblock, &ac->send_subkey);
+ return krb5_k_create_key(ctx, keyblock, &ac->send_subkey);
else
- return 0;
+ return 0;
}
krb5_error_code KRB5_CALLCONV
krb5_auth_con_setrecvsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock *keyblock)
{
if (ac->recv_subkey != NULL)
- krb5_k_free_key(ctx, ac->recv_subkey);
+ krb5_k_free_key(ctx, ac->recv_subkey);
ac->recv_subkey = NULL;
if (keyblock != NULL)
- return krb5_k_create_key(ctx, keyblock, &ac->recv_subkey);
+ return krb5_k_create_key(ctx, keyblock, &ac->recv_subkey);
else
- return 0;
+ return 0;
}
krb5_error_code KRB5_CALLCONV
krb5_auth_con_getsendsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock **keyblock)
{
if (ac->send_subkey != NULL)
- return krb5_k_key_keyblock(ctx, ac->send_subkey, keyblock);
+ return krb5_k_key_keyblock(ctx, ac->send_subkey, keyblock);
*keyblock = NULL;
return 0;
}
@@ -223,7 +224,7 @@ krb5_error_code KRB5_CALLCONV
krb5_auth_con_getrecvsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock **keyblock)
{
if (ac->recv_subkey != NULL)
- return krb5_k_key_keyblock(ctx, ac->recv_subkey, keyblock);
+ return krb5_k_key_keyblock(ctx, ac->recv_subkey, keyblock);
*keyblock = NULL;
return 0;
}
@@ -253,7 +254,7 @@ krb5_error_code KRB5_CALLCONV
krb5_auth_con_getauthenticator(krb5_context context, krb5_auth_context auth_context, krb5_authenticator **authenticator)
{
return (krb5_copy_authenticator(context, auth_context->authentp,
- authenticator));
+ authenticator));
}
#endif
@@ -271,15 +272,15 @@ krb5_auth_con_initivector(krb5_context context, krb5_auth_context auth_context)
krb5_enctype enctype;
if (auth_context->key) {
- size_t blocksize;
-
- enctype = krb5_k_key_enctype(context, auth_context->key);
- if ((ret = krb5_c_block_size(context, enctype, &blocksize)))
- return(ret);
- if ((auth_context->i_vector = (krb5_pointer)calloc(1,blocksize))) {
- return 0;
- }
- return ENOMEM;
+ size_t blocksize;
+
+ enctype = krb5_k_key_enctype(context, auth_context->key);
+ if ((ret = krb5_c_block_size(context, enctype, &blocksize)))
+ return(ret);
+ if ((auth_context->i_vector = (krb5_pointer)calloc(1,blocksize))) {
+ return 0;
+ }
+ return ENOMEM;
}
return EINVAL; /* XXX need an error for no keyblock */
}
@@ -318,30 +319,30 @@ krb5_auth_con_setrcache(krb5_context context, krb5_auth_context auth_context, kr
auth_context->rcache = rcache;
return 0;
}
-
+
krb5_error_code
krb5_auth_con_getrcache(krb5_context context, krb5_auth_context auth_context, krb5_rcache *rcache)
{
*rcache = auth_context->rcache;
return 0;
}
-
+
krb5_error_code
krb5_auth_con_setpermetypes(krb5_context context, krb5_auth_context auth_context, const krb5_enctype *permetypes)
{
- krb5_enctype * newpe;
+ krb5_enctype * newpe;
int i;
for (i=0; permetypes[i]; i++)
- ;
+ ;
i++; /* include the zero */
if ((newpe = (krb5_enctype *) malloc(i*sizeof(krb5_enctype)))
- == NULL)
- return(ENOMEM);
+ == NULL)
+ return(ENOMEM);
if (auth_context->permitted_etypes)
- free(auth_context->permitted_etypes);
+ free(auth_context->permitted_etypes);
auth_context->permitted_etypes = newpe;
@@ -353,21 +354,21 @@ krb5_auth_con_setpermetypes(krb5_context context, krb5_auth_context auth_context
krb5_error_code
krb5_auth_con_getpermetypes(krb5_context context, krb5_auth_context auth_context, krb5_enctype **permetypes)
{
- krb5_enctype * newpe;
+ krb5_enctype * newpe;
int i;
if (! auth_context->permitted_etypes) {
- *permetypes = NULL;
- return(0);
+ *permetypes = NULL;
+ return(0);
}
for (i=0; auth_context->permitted_etypes[i]; i++)
- ;
+ ;
i++; /* include the zero */
if ((newpe = (krb5_enctype *) malloc(i*sizeof(krb5_enctype)))
- == NULL)
- return(ENOMEM);
+ == NULL)
+ return(ENOMEM);
*permetypes = newpe;
@@ -378,24 +379,24 @@ krb5_auth_con_getpermetypes(krb5_context context, krb5_auth_context auth_context
krb5_error_code KRB5_CALLCONV
krb5_auth_con_set_checksum_func( krb5_context context,
- krb5_auth_context auth_context,
- krb5_mk_req_checksum_func func,
- void *data)
+ krb5_auth_context auth_context,
+ krb5_mk_req_checksum_func func,
+ void *data)
{
- auth_context->checksum_func = func;
- auth_context->checksum_func_data = data;
- return 0;
+ auth_context->checksum_func = func;
+ auth_context->checksum_func_data = data;
+ return 0;
}
krb5_error_code KRB5_CALLCONV
krb5_auth_con_get_checksum_func( krb5_context context,
- krb5_auth_context auth_context,
- krb5_mk_req_checksum_func *func,
- void **data)
+ krb5_auth_context auth_context,
+ krb5_mk_req_checksum_func *func,
+ void **data)
{
- *func = auth_context->checksum_func;
- *data = auth_context->checksum_func_data;
- return 0;
+ *func = auth_context->checksum_func;
+ *data = auth_context->checksum_func_data;
+ return 0;
}
/*
@@ -425,16 +426,16 @@ krb5_auth_con_get_checksum_func( krb5_context context,
* compatibility with our older implementations. This also means that
* encodings emitted by Heimdal are ambiguous.
*
- * Heimdal counter value received uint32 value
+ * Heimdal counter value received uint32 value
*
- * 0x00000080 0xFFFFFF80
- * 0x000000FF 0xFFFFFFFF
- * 0x00008000 0xFFFF8000
- * 0x0000FFFF 0xFFFFFFFF
- * 0x00800000 0xFF800000
- * 0x00FFFFFF 0xFFFFFFFF
- * 0xFF800000 0xFF800000
- * 0xFFFFFFFF 0xFFFFFFFF
+ * 0x00000080 0xFFFFFF80
+ * 0x000000FF 0xFFFFFFFF
+ * 0x00008000 0xFFFF8000
+ * 0x0000FFFF 0xFFFFFFFF
+ * 0x00800000 0xFF800000
+ * 0x00FFFFFF 0xFFFFFFFF
+ * 0xFF800000 0xFF800000
+ * 0xFFFFFFFF 0xFFFFFFFF
*
* We use two auth_context flags, SANE_SEQ and HEIMDAL_SEQ, which are
* only set after we can unambiguously determine the sanity of the
@@ -474,38 +475,38 @@ krb5int_auth_con_chkseqnum(
* If sender is known to be sane, accept _only_ exact matches.
*/
if (ac->auth_context_flags & KRB5_AUTH_CONN_SANE_SEQ)
- return in_seq == exp_seq;
+ return in_seq == exp_seq;
/*
* If sender is not known to be sane, first check the ambiguous
* range of received values, 0xFF800000..0xFFFFFFFF.
*/
if ((in_seq & 0xFF800000) == 0xFF800000) {
- /*
- * If expected sequence number is in the range
- * 0xFF800000..0xFFFFFFFF, then we can't make any
- * determinations about the sanity of the sending
- * implementation.
- */
- if ((exp_seq & 0xFF800000) == 0xFF800000 && in_seq == exp_seq)
- return 1;
- /*
- * If sender is not known for certain to be a broken Heimdal
- * implementation, check for exact match.
- */
- if (!(ac->auth_context_flags & KRB5_AUTH_CONN_HEIMDAL_SEQ)
- && in_seq == exp_seq)
- return 1;
- /*
- * Now apply hairy algorithm for matching sequence numbers
- * sent by broken Heimdal implementations. If it matches, we
- * know for certain it's a broken Heimdal sender.
- */
- if (chk_heimdal_seqnum(exp_seq, in_seq)) {
- ac->auth_context_flags |= KRB5_AUTH_CONN_HEIMDAL_SEQ;
- return 1;
- }
- return 0;
+ /*
+ * If expected sequence number is in the range
+ * 0xFF800000..0xFFFFFFFF, then we can't make any
+ * determinations about the sanity of the sending
+ * implementation.
+ */
+ if ((exp_seq & 0xFF800000) == 0xFF800000 && in_seq == exp_seq)
+ return 1;
+ /*
+ * If sender is not known for certain to be a broken Heimdal
+ * implementation, check for exact match.
+ */
+ if (!(ac->auth_context_flags & KRB5_AUTH_CONN_HEIMDAL_SEQ)
+ && in_seq == exp_seq)
+ return 1;
+ /*
+ * Now apply hairy algorithm for matching sequence numbers
+ * sent by broken Heimdal implementations. If it matches, we
+ * know for certain it's a broken Heimdal sender.
+ */
+ if (chk_heimdal_seqnum(exp_seq, in_seq)) {
+ ac->auth_context_flags |= KRB5_AUTH_CONN_HEIMDAL_SEQ;
+ return 1;
+ }
+ return 0;
}
/*
@@ -514,11 +515,11 @@ krb5int_auth_con_chkseqnum(
* it matches the received value, sender is known to be sane.
*/
if (in_seq == exp_seq) {
- if (( exp_seq & 0xFFFFFF80) == 0x00000080
- || (exp_seq & 0xFFFF8000) == 0x00008000
- || (exp_seq & 0xFF800000) == 0x00800000)
- ac->auth_context_flags |= KRB5_AUTH_CONN_SANE_SEQ;
- return 1;
+ if (( exp_seq & 0xFFFFFF80) == 0x00000080
+ || (exp_seq & 0xFFFF8000) == 0x00008000
+ || (exp_seq & 0xFF800000) == 0x00800000)
+ ac->auth_context_flags |= KRB5_AUTH_CONN_SANE_SEQ;
+ return 1;
}
/*
@@ -528,17 +529,17 @@ krb5int_auth_con_chkseqnum(
* and mark the sender as being a broken Heimdal implementation.
*/
if (exp_seq == 0
- && !(ac->auth_context_flags & KRB5_AUTH_CONN_HEIMDAL_SEQ)) {
- switch (in_seq) {
- case 0x100:
- case 0x10000:
- case 0x1000000:
- ac->auth_context_flags |= KRB5_AUTH_CONN_HEIMDAL_SEQ;
- exp_seq = in_seq;
- return 1;
- default:
- return 0;
- }
+ && !(ac->auth_context_flags & KRB5_AUTH_CONN_HEIMDAL_SEQ)) {
+ switch (in_seq) {
+ case 0x100:
+ case 0x10000:
+ case 0x1000000:
+ ac->auth_context_flags |= KRB5_AUTH_CONN_HEIMDAL_SEQ;
+ exp_seq = in_seq;
+ return 1;
+ default:
+ return 0;
+ }
}
return 0;
}
@@ -547,25 +548,25 @@ static krb5_boolean
chk_heimdal_seqnum(krb5_ui_4 exp_seq, krb5_ui_4 in_seq)
{
if (( exp_seq & 0xFF800000) == 0x00800000
- && (in_seq & 0xFF800000) == 0xFF800000
- && (in_seq & 0x00FFFFFF) == exp_seq)
- return 1;
+ && (in_seq & 0xFF800000) == 0xFF800000
+ && (in_seq & 0x00FFFFFF) == exp_seq)
+ return 1;
else if (( exp_seq & 0xFFFF8000) == 0x00008000
- && (in_seq & 0xFFFF8000) == 0xFFFF8000
- && (in_seq & 0x0000FFFF) == exp_seq)
- return 1;
+ && (in_seq & 0xFFFF8000) == 0xFFFF8000
+ && (in_seq & 0x0000FFFF) == exp_seq)
+ return 1;
else if (( exp_seq & 0xFFFFFF80) == 0x00000080
- && (in_seq & 0xFFFFFF80) == 0xFFFFFF80
- && (in_seq & 0x000000FF) == exp_seq)
- return 1;
+ && (in_seq & 0xFFFFFF80) == 0xFFFFFF80
+ && (in_seq & 0x000000FF) == exp_seq)
+ return 1;
else
- return 0;
+ return 0;
}
krb5_error_code
krb5_auth_con_get_subkey_enctype(krb5_context context,
- krb5_auth_context auth_context,
- krb5_enctype *etype)
+ krb5_auth_context auth_context,
+ krb5_enctype *etype)
{
*etype = auth_context->negotiated_etype;
return 0;
@@ -573,8 +574,8 @@ krb5_auth_con_get_subkey_enctype(krb5_context context,
krb5_error_code KRB5_CALLCONV
krb5_auth_con_get_authdata_context(krb5_context context,
- krb5_auth_context auth_context,
- krb5_authdata_context *ad_context)
+ krb5_auth_context auth_context,
+ krb5_authdata_context *ad_context)
{
*ad_context = auth_context->ad_context;
return 0;
@@ -582,10 +583,9 @@ krb5_auth_con_get_authdata_context(krb5_context context,
krb5_error_code KRB5_CALLCONV
krb5_auth_con_set_authdata_context(krb5_context context,
- krb5_auth_context auth_context,
- krb5_authdata_context ad_context)
+ krb5_auth_context auth_context,
+ krb5_authdata_context ad_context)
{
auth_context->ad_context = ad_context;
return 0;
}
-
diff --git a/src/lib/krb5/krb/auth_con.h b/src/lib/krb5/krb/auth_con.h
index 684eb4e40..94d2c51a2 100644
--- a/src/lib/krb5/krb/auth_con.h
+++ b/src/lib/krb5/krb/auth_con.h
@@ -1,38 +1,39 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
#ifndef KRB5_AUTH_CONTEXT
#define KRB5_AUTH_CONTEXT
struct _krb5_auth_context {
- krb5_magic magic;
- krb5_address * remote_addr;
- krb5_address * remote_port;
- krb5_address * local_addr;
- krb5_address * local_port;
+ krb5_magic magic;
+ krb5_address * remote_addr;
+ krb5_address * remote_port;
+ krb5_address * local_addr;
+ krb5_address * local_port;
krb5_key key;
krb5_key send_subkey;
krb5_key recv_subkey;
- krb5_int32 auth_context_flags;
- krb5_ui_4 remote_seq_number;
- krb5_ui_4 local_seq_number;
- krb5_authenticator *authentp; /* mk_req, rd_req, mk_rep, ...*/
- krb5_cksumtype req_cksumtype; /* mk_safe, ... */
- krb5_cksumtype safe_cksumtype; /* mk_safe, ... */
- krb5_pointer i_vector; /* mk_priv, rd_priv only */
- krb5_rcache rcache;
- krb5_enctype * permitted_etypes; /* rd_req */
+ krb5_int32 auth_context_flags;
+ krb5_ui_4 remote_seq_number;
+ krb5_ui_4 local_seq_number;
+ krb5_authenticator *authentp; /* mk_req, rd_req, mk_rep, ...*/
+ krb5_cksumtype req_cksumtype; /* mk_safe, ... */
+ krb5_cksumtype safe_cksumtype; /* mk_safe, ... */
+ krb5_pointer i_vector; /* mk_priv, rd_priv only */
+ krb5_rcache rcache;
+ krb5_enctype * permitted_etypes; /* rd_req */
krb5_mk_req_checksum_func checksum_func;
void *checksum_func_data;
- krb5_enctype negotiated_etype;
+ krb5_enctype negotiated_etype;
krb5_authdata_context ad_context;
};
/* Internal auth_context_flags */
-#define KRB5_AUTH_CONN_INITIALIZED 0x00010000
-#define KRB5_AUTH_CONN_USED_W_MK_REQ 0x00020000
-#define KRB5_AUTH_CONN_USED_W_RD_REQ 0x00040000
-#define KRB5_AUTH_CONN_SANE_SEQ 0x00080000
-#define KRB5_AUTH_CONN_HEIMDAL_SEQ 0x00100000
+#define KRB5_AUTH_CONN_INITIALIZED 0x00010000
+#define KRB5_AUTH_CONN_USED_W_MK_REQ 0x00020000
+#define KRB5_AUTH_CONN_USED_W_RD_REQ 0x00040000
+#define KRB5_AUTH_CONN_SANE_SEQ 0x00080000
+#define KRB5_AUTH_CONN_HEIMDAL_SEQ 0x00100000
#endif
diff --git a/src/lib/krb5/krb/authdata.c b/src/lib/krb5/krb/authdata.c
index c5992aded..5430127eb 100644
--- a/src/lib/krb5/krb/authdata.c
+++ b/src/lib/krb5/krb/authdata.c
@@ -1,4 +1,4 @@
-/* -*- mode: c; indent-tabs-mode: nil -*- */
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* Copyright 2009 by the Massachusetts Institute of Technology. All
* Rights Reserved.
@@ -39,7 +39,7 @@ static const char *objdirs[] = {
#endif
LIBDIR "/krb5/plugins/authdata",
NULL
- }; /* should be a list */
+}; /* should be a list */
/* Internal authdata systems */
static krb5plugin_authdata_client_ftable_v0 *authdata_systems[] = {
@@ -648,10 +648,10 @@ krb5int_authdata_verify(krb5_context kcontext,
if (authdata == NULL) {
code = krb5int_find_authdata(kcontext,
- ticket_authdata,
- authen_authdata,
- module->ad_type,
- &authdata);
+ ticket_authdata,
+ authen_authdata,
+ module->ad_type,
+ &authdata);
if (code != 0)
break;
}
@@ -1244,4 +1244,3 @@ krb5_ser_authdata_context_init(krb5_context kcontext)
return krb5_register_serializer(kcontext,
&krb5_authdata_context_ser_entry);
}
-
diff --git a/src/lib/krb5/krb/authdata.h b/src/lib/krb5/krb/authdata.h
index 9e4dcceb0..39d80d662 100644
--- a/src/lib/krb5/krb/authdata.h
+++ b/src/lib/krb5/krb/authdata.h
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/authdata.h
*
@@ -35,14 +36,13 @@
/* authdata.c */
krb5_error_code
krb5int_authdata_verify(krb5_context context,
- krb5_authdata_context,
- krb5_flags usage,
- const krb5_auth_context *auth_context,
- const krb5_keyblock *key,
- const krb5_ap_req *ap_req);
+ krb5_authdata_context,
+ krb5_flags usage,
+ const krb5_auth_context *auth_context,
+ const krb5_keyblock *key,
+ const krb5_ap_req *ap_req);
/* pac.c */
extern krb5plugin_authdata_client_ftable_v0 krb5int_mspac_authdata_client_ftable;
#endif /* !KRB_AUTHDATA_H */
-
diff --git a/src/lib/krb5/krb/bld_pr_ext.c b/src/lib/krb5/krb/bld_pr_ext.c
index 1a288c896..899b9ee3b 100644
--- a/src/lib/krb5/krb/bld_pr_ext.c
+++ b/src/lib/krb5/krb/bld_pr_ext.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/bld_pr_ext.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* Build a principal from a list of lengths and strings
*/
@@ -33,7 +34,7 @@
krb5_error_code KRB5_CALLCONV_C
krb5_build_principal_ext(krb5_context context, krb5_principal * princ,
- unsigned int rlen, const char * realm, ...)
+ unsigned int rlen, const char * realm, ...)
{
va_list ap;
int i, count = 0;
@@ -44,8 +45,8 @@ krb5_build_principal_ext(krb5_context context, krb5_principal * princ,
va_start(ap, realm);
/* count up */
while (va_arg(ap, int) != 0) {
- (void)va_arg(ap, char *); /* pass one up */
- count++;
+ (void)va_arg(ap, char *); /* pass one up */
+ count++;
}
va_end(ap);
@@ -54,30 +55,30 @@ krb5_build_principal_ext(krb5_context context, krb5_principal * princ,
/* get space for array */
princ_data = (krb5_data *) malloc(sizeof(krb5_data) * count);
if (!princ_data)
- return ENOMEM;
+ return ENOMEM;
princ_ret = (krb5_principal) malloc(sizeof(krb5_principal_data));
if (!princ_ret) {
- free(princ_data);
- return ENOMEM;
+ free(princ_data);
+ return ENOMEM;
}
princ_ret->data = princ_data;
princ_ret->length = count;
tmpdata.length = rlen;
tmpdata.data = (char *) realm;
if (krb5int_copy_data_contents_add0(context, &tmpdata, &princ_ret->realm) != 0) {
- free(princ_data);
- free(princ_ret);
- return ENOMEM;
- }
+ free(princ_data);
+ free(princ_ret);
+ return ENOMEM;
+ }
/* process rest of components */
va_start(ap, realm);
for (i = 0; i < count; i++) {
- tmpdata.length = va_arg(ap, unsigned int);
- tmpdata.data = va_arg(ap, char *);
- if (krb5int_copy_data_contents_add0(context, &tmpdata,
- &princ_data[i]) != 0)
- goto free_out;
+ tmpdata.length = va_arg(ap, unsigned int);
+ tmpdata.data = va_arg(ap, char *);
+ if (krb5int_copy_data_contents_add0(context, &tmpdata,
+ &princ_data[i]) != 0)
+ goto free_out;
}
va_end(ap);
*princ = princ_ret;
@@ -86,7 +87,7 @@ krb5_build_principal_ext(krb5_context context, krb5_principal * princ,
free_out:
while (--i >= 0)
- free(princ_data[i].data);
+ free(princ_data[i].data);
free(princ_data);
free(princ_ret->realm.data);
free(princ_ret);
diff --git a/src/lib/krb5/krb/bld_princ.c b/src/lib/krb5/krb/bld_princ.c
index d3e0d294b..ac2c92a9e 100644
--- a/src/lib/krb5/krb/bld_princ.c
+++ b/src/lib/krb5/krb/bld_princ.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/bld_princ.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* Build a principal from a list of strings
*/
@@ -30,13 +31,13 @@
#include <stdarg.h>
#include "k5-int.h"
-/* Takes first component as argument for KIM API,
+/* Takes first component as argument for KIM API,
* which does not allow realms with zero components */
static krb5_error_code
-krb5int_build_principal_va(krb5_context context,
- krb5_principal princ,
- unsigned int rlen,
- const char *realm,
+krb5int_build_principal_va(krb5_context context,
+ krb5_principal princ,
+ unsigned int rlen,
+ const char *realm,
const char *first,
va_list ap)
{
@@ -46,26 +47,26 @@ krb5int_build_principal_va(krb5_context context,
krb5_int32 count = 0;
krb5_int32 size = 2; /* initial guess at needed space */
char *component = NULL;
-
+
data = malloc(size * sizeof(krb5_data));
if (!data) { retval = ENOMEM; }
-
+
if (!retval) {
r = strdup(realm);
if (!r) { retval = ENOMEM; }
}
-
+
if (!retval && first) {
data[0].length = strlen(first);
data[0].data = strdup(first);
if (!data[0].data) { retval = ENOMEM; }
count++;
-
+
/* ap is only valid if first is non-NULL */
while (!retval && (component = va_arg(ap, char *))) {
if (count == size) {
krb5_data *new_data = NULL;
-
+
size *= 2;
new_data = realloc ((char *) data, sizeof(krb5_data) * size);
if (new_data) {
@@ -74,16 +75,16 @@ krb5int_build_principal_va(krb5_context context,
retval = ENOMEM;
}
}
-
+
if (!retval) {
data[count].length = strlen(component);
- data[count].data = strdup(component);
+ data[count].data = strdup(component);
if (!data[count].data) { retval = ENOMEM; }
count++;
}
}
}
-
+
if (!retval) {
princ->type = KRB5_NT_UNKNOWN;
princ->magic = KV5M_PRINCIPAL;
@@ -94,7 +95,7 @@ krb5int_build_principal_va(krb5_context context,
r = NULL; /* take ownership */
data = NULL; /* take ownership */
}
-
+
if (data) {
while (--count >= 0) {
free(data[count].data);
@@ -102,68 +103,68 @@ krb5int_build_principal_va(krb5_context context,
free(data);
}
free(r);
-
+
return retval;
}
krb5_error_code KRB5_CALLCONV
-krb5_build_principal_va(krb5_context context,
- krb5_principal princ,
- unsigned int rlen,
- const char *realm,
+krb5_build_principal_va(krb5_context context,
+ krb5_principal princ,
+ unsigned int rlen,
+ const char *realm,
va_list ap)
{
char *first = va_arg(ap, char *);
-
+
return krb5int_build_principal_va(context, princ, rlen, realm, first, ap);
}
-/* Takes first component as argument for KIM API,
+/* Takes first component as argument for KIM API,
* which does not allow realms with zero components */
krb5_error_code KRB5_CALLCONV
-krb5int_build_principal_alloc_va(krb5_context context,
- krb5_principal *princ,
- unsigned int rlen,
- const char *realm,
+krb5int_build_principal_alloc_va(krb5_context context,
+ krb5_principal *princ,
+ unsigned int rlen,
+ const char *realm,
const char *first,
va_list ap)
{
krb5_error_code retval = 0;
-
+
krb5_principal p = malloc(sizeof(krb5_principal_data));
if (!p) { retval = ENOMEM; }
-
+
if (!retval) {
retval = krb5int_build_principal_va(context, p, rlen, realm, first, ap);
}
-
+
if (!retval) {
- *princ = p;
+ *princ = p;
} else {
free(p);
}
-
- return retval;
+
+ return retval;
}
krb5_error_code KRB5_CALLCONV
-krb5_build_principal_alloc_va(krb5_context context,
- krb5_principal *princ,
- unsigned int rlen,
- const char *realm,
+krb5_build_principal_alloc_va(krb5_context context,
+ krb5_principal *princ,
+ unsigned int rlen,
+ const char *realm,
va_list ap)
{
krb5_error_code retval = 0;
-
+
krb5_principal p = malloc(sizeof(krb5_principal_data));
if (!p) { retval = ENOMEM; }
-
+
if (!retval) {
retval = krb5_build_principal_va(context, p, rlen, realm, ap);
}
-
+
if (!retval) {
- *princ = p;
+ *princ = p;
} else {
free(p);
}
@@ -172,17 +173,17 @@ krb5_build_principal_alloc_va(krb5_context context,
}
krb5_error_code KRB5_CALLCONV_C
-krb5_build_principal(krb5_context context,
- krb5_principal * princ,
- unsigned int rlen,
- const char * realm, ...)
+krb5_build_principal(krb5_context context,
+ krb5_principal * princ,
+ unsigned int rlen,
+ const char * realm, ...)
{
krb5_error_code retval = 0;
va_list ap;
-
+
va_start(ap, realm);
retval = krb5_build_principal_alloc_va(context, princ, rlen, realm, ap);
va_end(ap);
-
+
return retval;
}
diff --git a/src/lib/krb5/krb/brand.c b/src/lib/krb5/krb/brand.c
index 7e4e0dbd0..fc098ddb5 100644
--- a/src/lib/krb5/krb/brand.c
+++ b/src/lib/krb5/krb/brand.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/brand.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
diff --git a/src/lib/krb5/krb/chk_trans.c b/src/lib/krb5/krb/chk_trans.c
index 9af063ce3..3c014817c 100644
--- a/src/lib/krb5/krb/chk_trans.c
+++ b/src/lib/krb5/krb/chk_trans.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/chk_trans.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_check_transited_list()
*/
@@ -46,12 +47,12 @@ static int verbose = 0;
static krb5_error_code
process_intermediates (krb5_error_code (*fn)(krb5_data *, void *), void *data,
- const krb5_data *n1, const krb5_data *n2) {
+ const krb5_data *n1, const krb5_data *n2) {
unsigned int len1, len2, i;
char *p1, *p2;
Tprintf (("process_intermediates(%.*s,%.*s)\n",
- (int) n1->length, n1->data, (int) n2->length, n2->data));
+ (int) n1->length, n1->data, (int) n2->length, n2->data));
len1 = n1->length;
len2 = n2->length;
@@ -59,78 +60,78 @@ process_intermediates (krb5_error_code (*fn)(krb5_data *, void *), void *data,
Tprintf (("(walking intermediates now)\n"));
/* Simplify... */
if (len1 > len2) {
- const krb5_data *p;
- int tmp = len1;
- len1 = len2;
- len2 = tmp;
- p = n1;
- n1 = n2;
- n2 = p;
+ const krb5_data *p;
+ int tmp = len1;
+ len1 = len2;
+ len2 = tmp;
+ p = n1;
+ n1 = n2;
+ n2 = p;
}
/* Okay, now len1 is always shorter or equal. */
if (len1 == len2) {
- if (memcmp (n1->data, n2->data, len1)) {
- Tprintf (("equal length but different strings in path: '%.*s' '%.*s'\n",
- (int) n1->length, n1->data, (int) n2->length, n2->data));
- return KRB5KRB_AP_ERR_ILL_CR_TKT;
- }
- Tprintf (("(end intermediates)\n"));
- return 0;
+ if (memcmp (n1->data, n2->data, len1)) {
+ Tprintf (("equal length but different strings in path: '%.*s' '%.*s'\n",
+ (int) n1->length, n1->data, (int) n2->length, n2->data));
+ return KRB5KRB_AP_ERR_ILL_CR_TKT;
+ }
+ Tprintf (("(end intermediates)\n"));
+ return 0;
}
/* Now len1 is always shorter. */
if (len1 == 0)
- /* Shouldn't be possible. Internal error? */
- return KRB5KRB_AP_ERR_ILL_CR_TKT;
+ /* Shouldn't be possible. Internal error? */
+ return KRB5KRB_AP_ERR_ILL_CR_TKT;
p1 = n1->data;
p2 = n2->data;
if (p1[0] == '/') {
- /* X.500 style names, with common prefix. */
- if (p2[0] != '/') {
- Tprintf (("mixed name formats in path: x500='%.*s' domain='%.*s'\n",
- (int) len1, p1, (int) len2, p2));
- return KRB5KRB_AP_ERR_ILL_CR_TKT;
- }
- if (memcmp (p1, p2, len1)) {
- Tprintf (("x500 names with different prefixes '%.*s' '%.*s'\n",
- (int) len1, p1, (int) len2, p2));
- return KRB5KRB_AP_ERR_ILL_CR_TKT;
- }
- for (i = len1 + 1; i < len2; i++)
- if (p2[i] == '/') {
- krb5_data d;
- krb5_error_code r;
-
- d.data = p2;
- d.length = i;
- r = (*fn) (&d, data);
- if (r)
- return r;
- }
+ /* X.500 style names, with common prefix. */
+ if (p2[0] != '/') {
+ Tprintf (("mixed name formats in path: x500='%.*s' domain='%.*s'\n",
+ (int) len1, p1, (int) len2, p2));
+ return KRB5KRB_AP_ERR_ILL_CR_TKT;
+ }
+ if (memcmp (p1, p2, len1)) {
+ Tprintf (("x500 names with different prefixes '%.*s' '%.*s'\n",
+ (int) len1, p1, (int) len2, p2));
+ return KRB5KRB_AP_ERR_ILL_CR_TKT;
+ }
+ for (i = len1 + 1; i < len2; i++)
+ if (p2[i] == '/') {
+ krb5_data d;
+ krb5_error_code r;
+
+ d.data = p2;
+ d.length = i;
+ r = (*fn) (&d, data);
+ if (r)
+ return r;
+ }
} else {
- /* Domain style names, with common suffix. */
- if (p2[0] == '/') {
- Tprintf (("mixed name formats in path: domain='%.*s' x500='%.*s'\n",
- (int) len1, p1, (int) len2, p2));
- return KRB5KRB_AP_ERR_ILL_CR_TKT;
- }
- if (memcmp (p1, p2 + (len2 - len1), len1)) {
- Tprintf (("domain names with different suffixes '%.*s' '%.*s'\n",
- (int) len1, p1, (int) len2, p2));
- return KRB5KRB_AP_ERR_ILL_CR_TKT;
- }
- for (i = len2 - len1 - 1; i > 0; i--) {
- Tprintf (("looking at '%.*s'\n", (int) (len2 - i), p2+i));
- if (p2[i-1] == '.') {
- krb5_data d;
- krb5_error_code r;
-
- d.data = p2+i;
- d.length = len2 - i;
- r = (*fn) (&d, data);
- if (r)
- return r;
- }
- }
+ /* Domain style names, with common suffix. */
+ if (p2[0] == '/') {
+ Tprintf (("mixed name formats in path: domain='%.*s' x500='%.*s'\n",
+ (int) len1, p1, (int) len2, p2));
+ return KRB5KRB_AP_ERR_ILL_CR_TKT;
+ }
+ if (memcmp (p1, p2 + (len2 - len1), len1)) {
+ Tprintf (("domain names with different suffixes '%.*s' '%.*s'\n",
+ (int) len1, p1, (int) len2, p2));
+ return KRB5KRB_AP_ERR_ILL_CR_TKT;
+ }
+ for (i = len2 - len1 - 1; i > 0; i--) {
+ Tprintf (("looking at '%.*s'\n", (int) (len2 - i), p2+i));
+ if (p2[i-1] == '.') {
+ krb5_data d;
+ krb5_error_code r;
+
+ d.data = p2+i;
+ d.length = len2 - i;
+ r = (*fn) (&d, data);
+ if (r)
+ return r;
+ }
+ }
}
Tprintf (("(end intermediates)\n"));
return 0;
@@ -140,25 +141,25 @@ static krb5_error_code
maybe_join (krb5_data *last, krb5_data *buf, unsigned int bufsiz)
{
if (buf->length == 0)
- return 0;
+ return 0;
if (buf->data[0] == '/') {
- if (last->length + buf->length > bufsiz) {
- Tprintf (("too big: last=%d cur=%d max=%d\n", last->length, buf->length, bufsiz));
- return KRB5KRB_AP_ERR_ILL_CR_TKT;
- }
- memmove (buf->data+last->length, buf->data, buf->length);
- memcpy (buf->data, last->data, last->length);
- buf->length += last->length;
+ if (last->length + buf->length > bufsiz) {
+ Tprintf (("too big: last=%d cur=%d max=%d\n", last->length, buf->length, bufsiz));
+ return KRB5KRB_AP_ERR_ILL_CR_TKT;
+ }
+ memmove (buf->data+last->length, buf->data, buf->length);
+ memcpy (buf->data, last->data, last->length);
+ buf->length += last->length;
} else if (buf->data[buf->length-1] == '.') {
- /* We can ignore the case where the previous component was
- empty; the strcat will be a no-op. It should probably
- be an error case, but let's be flexible. */
- if (last->length+buf->length > bufsiz) {
- Tprintf (("too big\n"));
- return KRB5KRB_AP_ERR_ILL_CR_TKT;
- }
- memcpy (buf->data + buf->length, last->data, last->length);
- buf->length += last->length;
+ /* We can ignore the case where the previous component was
+ empty; the strcat will be a no-op. It should probably
+ be an error case, but let's be flexible. */
+ if (last->length+buf->length > bufsiz) {
+ Tprintf (("too big\n"));
+ return KRB5KRB_AP_ERR_ILL_CR_TKT;
+ }
+ memcpy (buf->data + buf->length, last->data, last->length);
+ buf->length += last->length;
}
/* Otherwise, do nothing. */
return 0;
@@ -170,8 +171,8 @@ maybe_join (krb5_data *last, krb5_data *buf, unsigned int bufsiz)
of C strings. */
static krb5_error_code
foreach_realm (krb5_error_code (*fn)(krb5_data *comp,void *data), void *data,
- const krb5_data *crealm, const krb5_data *srealm,
- const krb5_data *transit)
+ const krb5_data *crealm, const krb5_data *srealm,
+ const krb5_data *transit)
{
char buf[MAXLEN], last[MAXLEN];
char *p, *bufp;
@@ -201,88 +202,88 @@ foreach_realm (krb5_error_code (*fn)(krb5_data *comp,void *data), void *data,
print_data ("transit enc.: %.*s\n", transit);
if (transit->length == 0) {
- Tprintf (("no other realms transited\n"));
- return 0;
+ Tprintf (("no other realms transited\n"));
+ return 0;
}
bufp = buf;
for (p = transit->data, l = transit->length; l; p++, l--) {
- if (next_lit) {
- *bufp++ = *p;
- if (bufp == buf+sizeof(buf))
- return KRB5KRB_AP_ERR_ILL_CR_TKT;
- next_lit = 0;
- } else if (*p == '\\') {
- next_lit = 1;
- } else if (*p == ',') {
- if (bufp != buf) {
- this_component.length = bufp - buf;
- r = maybe_join (&last_component, &this_component, sizeof(buf));
- if (r)
- return r;
- r = (*fn) (&this_component, data);
- if (r)
- return r;
- if (intermediates) {
- if (p == transit->data)
- r = process_intermediates (fn, data,
- &this_component, crealm);
- else {
- r = process_intermediates (fn, data, &this_component,
- &last_component);
- }
- if (r)
- return r;
- }
- intermediates = 0;
- memcpy (last, buf, sizeof (buf));
- last_component.length = this_component.length;
- memset (buf, 0, sizeof (buf));
- bufp = buf;
- } else {
- intermediates = 1;
- if (p == transit->data) {
- if (crealm->length >= MAXLEN)
- return KRB5KRB_AP_ERR_ILL_CR_TKT;
- memcpy (last, crealm->data, crealm->length);
- last[crealm->length] = '\0';
- last_component.length = crealm->length;
- }
- }
- } else if (*p == ' ' && bufp == buf) {
- /* This next component stands alone, even if it has a
- trailing dot or leading slash. */
- memset (last, 0, sizeof (last));
- last_component.length = 0;
- } else {
- /* Not a special character; literal. */
- *bufp++ = *p;
- if (bufp == buf+sizeof(buf))
- return KRB5KRB_AP_ERR_ILL_CR_TKT;
- }
+ if (next_lit) {
+ *bufp++ = *p;
+ if (bufp == buf+sizeof(buf))
+ return KRB5KRB_AP_ERR_ILL_CR_TKT;
+ next_lit = 0;
+ } else if (*p == '\\') {
+ next_lit = 1;
+ } else if (*p == ',') {
+ if (bufp != buf) {
+ this_component.length = bufp - buf;
+ r = maybe_join (&last_component, &this_component, sizeof(buf));
+ if (r)
+ return r;
+ r = (*fn) (&this_component, data);
+ if (r)
+ return r;
+ if (intermediates) {
+ if (p == transit->data)
+ r = process_intermediates (fn, data,
+ &this_component, crealm);
+ else {
+ r = process_intermediates (fn, data, &this_component,
+ &last_component);
+ }
+ if (r)
+ return r;
+ }
+ intermediates = 0;
+ memcpy (last, buf, sizeof (buf));
+ last_component.length = this_component.length;
+ memset (buf, 0, sizeof (buf));
+ bufp = buf;
+ } else {
+ intermediates = 1;
+ if (p == transit->data) {
+ if (crealm->length >= MAXLEN)
+ return KRB5KRB_AP_ERR_ILL_CR_TKT;
+ memcpy (last, crealm->data, crealm->length);
+ last[crealm->length] = '\0';
+ last_component.length = crealm->length;
+ }
+ }
+ } else if (*p == ' ' && bufp == buf) {
+ /* This next component stands alone, even if it has a
+ trailing dot or leading slash. */
+ memset (last, 0, sizeof (last));
+ last_component.length = 0;
+ } else {
+ /* Not a special character; literal. */
+ *bufp++ = *p;
+ if (bufp == buf+sizeof(buf))
+ return KRB5KRB_AP_ERR_ILL_CR_TKT;
+ }
}
/* At end. Must be normal state. */
if (next_lit)
- Tprintf (("ending in next-char-literal state\n"));
+ Tprintf (("ending in next-char-literal state\n"));
/* Process trailing element or comma. */
if (bufp == buf) {
- /* Trailing comma. */
- r = process_intermediates (fn, data, &last_component, srealm);
+ /* Trailing comma. */
+ r = process_intermediates (fn, data, &last_component, srealm);
} else {
- /* Trailing component. */
- this_component.length = bufp - buf;
- r = maybe_join (&last_component, &this_component, sizeof(buf));
- if (r)
- return r;
- r = (*fn) (&this_component, data);
- if (r)
- return r;
- if (intermediates)
- r = process_intermediates (fn, data, &this_component,
- &last_component);
+ /* Trailing component. */
+ this_component.length = bufp - buf;
+ r = maybe_join (&last_component, &this_component, sizeof(buf));
+ if (r)
+ return r;
+ r = (*fn) (&this_component, data);
+ if (r)
+ return r;
+ if (intermediates)
+ r = process_intermediates (fn, data, &this_component,
+ &last_component);
}
if (r != 0)
- return r;
+ return r;
return 0;
}
@@ -300,8 +301,8 @@ check_realm_in_list (krb5_data *realm, void *data)
Tprintf ((".. checking '%.*s'\n", (int) realm->length, realm->data));
for (i = 0; cdata->tgs[i]; i++) {
- if (data_eq (*krb5_princ_realm (cdata->ctx, cdata->tgs[i]), *realm))
- return 0;
+ if (data_eq (*krb5_princ_realm (cdata->ctx, cdata->tgs[i]), *realm))
+ return 0;
}
Tprintf (("BAD!\n"));
return KRB5KRB_AP_ERR_ILL_CR_TKT;
@@ -309,7 +310,7 @@ check_realm_in_list (krb5_data *realm, void *data)
krb5_error_code
krb5_check_transited_list (krb5_context ctx, const krb5_data *trans_in,
- const krb5_data *crealm, const krb5_data *srealm)
+ const krb5_data *crealm, const krb5_data *srealm)
{
krb5_data trans;
struct check_data cdata;
@@ -318,31 +319,31 @@ krb5_check_transited_list (krb5_context ctx, const krb5_data *trans_in,
trans.length = trans_in->length;
trans.data = (char *) trans_in->data;
if (trans.length && (trans.data[trans.length-1] == '\0'))
- trans.length--;
+ trans.length--;
Tprintf (("krb5_check_transited_list(trans=\"%.*s\", crealm=\"%.*s\", srealm=\"%.*s\")\n",
- (int) trans.length, trans.data,
- (int) crealm->length, crealm->data,
- (int) srealm->length, srealm->data));
+ (int) trans.length, trans.data,
+ (int) crealm->length, crealm->data,
+ (int) srealm->length, srealm->data));
if (trans.length == 0)
- return 0;
+ return 0;
r = krb5_walk_realm_tree (ctx, crealm, srealm, &cdata.tgs,
- KRB5_REALM_BRANCH_CHAR);
+ KRB5_REALM_BRANCH_CHAR);
if (r) {
- Tprintf (("error %ld\n", (long) r));
- return r;
+ Tprintf (("error %ld\n", (long) r));
+ return r;
}
#ifdef DEBUG /* avoid compiler warning about 'd' unused */
{
- int i;
- Tprintf (("tgs list = {\n"));
- for (i = 0; cdata.tgs[i]; i++) {
- char *name;
- r = krb5_unparse_name (ctx, cdata.tgs[i], &name);
- Tprintf (("\t'%s'\n", name));
- free (name);
- }
- Tprintf (("}\n"));
+ int i;
+ Tprintf (("tgs list = {\n"));
+ for (i = 0; cdata.tgs[i]; i++) {
+ char *name;
+ r = krb5_unparse_name (ctx, cdata.tgs[i], &name);
+ Tprintf (("\t'%s'\n", name));
+ free (name);
+ }
+ Tprintf (("}\n"));
}
#endif
cdata.ctx = ctx;
@@ -370,19 +371,19 @@ int main (int argc, char *argv[]) {
me = me ? me+1 : argv[0];
while (argc > 3 && argv[1][0] == '-') {
- if (!strcmp ("-v", argv[1]))
- verbose++, argc--, argv++;
- else if (!strcmp ("-x", argv[1]))
- expand_only++, argc--, argv++;
- else
- goto usage;
+ if (!strcmp ("-v", argv[1]))
+ verbose++, argc--, argv++;
+ else if (!strcmp ("-x", argv[1]))
+ expand_only++, argc--, argv++;
+ else
+ goto usage;
}
if (argc != 4) {
usage:
- printf ("usage: %s [-v] [-x] clientRealm serverRealm transitEncoding\n",
- me);
- return 1;
+ printf ("usage: %s [-v] [-x] clientRealm serverRealm transitEncoding\n",
+ me);
+ return 1;
}
crealm.data = argv[1];
@@ -394,40 +395,40 @@ int main (int argc, char *argv[]) {
if (expand_only) {
- printf ("client realm: %s\n", argv[1]);
- printf ("server realm: %s\n", argv[2]);
- printf ("transit enc.: %s\n", argv[3]);
+ printf ("client realm: %s\n", argv[1]);
+ printf ("server realm: %s\n", argv[2]);
+ printf ("transit enc.: %s\n", argv[3]);
- if (argv[3][0] == 0) {
- printf ("no other realms transited\n");
- return 0;
- }
+ if (argv[3][0] == 0) {
+ printf ("no other realms transited\n");
+ return 0;
+ }
- r = foreach_realm (print_a_realm, NULL, &crealm, &srealm, &transit);
- if (r)
- printf ("--> returned error %ld\n", (long) r);
- return r != 0;
+ r = foreach_realm (print_a_realm, NULL, &crealm, &srealm, &transit);
+ if (r)
+ printf ("--> returned error %ld\n", (long) r);
+ return r != 0;
} else {
- /* Actually check the values against the supplied krb5.conf file. */
- krb5_context ctx;
- r = krb5_init_context (&ctx);
- if (r) {
- com_err (me, r, "initializing krb5 context");
- return 1;
- }
- r = krb5_check_transited_list (ctx, &transit, &crealm, &srealm);
- if (r == KRB5KRB_AP_ERR_ILL_CR_TKT) {
- printf ("NO\n");
- } else if (r == 0) {
- printf ("YES\n");
- } else {
- printf ("kablooey!\n");
- com_err (me, r, "checking transited-realm list");
- return 1;
- }
- return 0;
+ /* Actually check the values against the supplied krb5.conf file. */
+ krb5_context ctx;
+ r = krb5_init_context (&ctx);
+ if (r) {
+ com_err (me, r, "initializing krb5 context");
+ return 1;
+ }
+ r = krb5_check_transited_list (ctx, &transit, &crealm, &srealm);
+ if (r == KRB5KRB_AP_ERR_ILL_CR_TKT) {
+ printf ("NO\n");
+ } else if (r == 0) {
+ printf ("YES\n");
+ } else {
+ printf ("kablooey!\n");
+ com_err (me, r, "checking transited-realm list");
+ return 1;
+ }
+ return 0;
}
}
diff --git a/src/lib/krb5/krb/chpw.c b/src/lib/krb5/krb/chpw.c
index d38a7ef39..1488f627e 100644
--- a/src/lib/krb5/krb/chpw.c
+++ b/src/lib/krb5/krb/chpw.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
** set password functions added by Paul W. Nelson, Thursby Software Systems, Inc.
*/
@@ -7,12 +8,12 @@
#include "auth_con.h"
-krb5_error_code
-krb5int_mk_chpw_req(krb5_context context,
- krb5_auth_context auth_context,
- krb5_data *ap_req,
- char *passwd,
- krb5_data *packet)
+krb5_error_code
+krb5int_mk_chpw_req(krb5_context context,
+ krb5_auth_context auth_context,
+ krb5_data *ap_req,
+ char *passwd,
+ krb5_data *packet)
{
krb5_error_code ret = 0;
krb5_data clearpw;
@@ -23,21 +24,21 @@ krb5int_mk_chpw_req(krb5_context context,
cipherpw.data = NULL;
if ((ret = krb5_auth_con_setflags(context, auth_context,
- KRB5_AUTH_CONTEXT_DO_SEQUENCE)))
- goto cleanup;
+ KRB5_AUTH_CONTEXT_DO_SEQUENCE)))
+ goto cleanup;
clearpw.length = strlen(passwd);
clearpw.data = passwd;
if ((ret = krb5_mk_priv(context, auth_context,
- &clearpw, &cipherpw, &replay)))
- goto cleanup;
+ &clearpw, &cipherpw, &replay)))
+ goto cleanup;
packet->length = 6 + ap_req->length + cipherpw.length;
packet->data = (char *) malloc(packet->length);
if (packet->data == NULL) {
- ret = ENOMEM;
- goto cleanup;
+ ret = ENOMEM;
+ goto cleanup;
}
ptr = packet->data;
@@ -67,14 +68,14 @@ krb5int_mk_chpw_req(krb5_context context,
cleanup:
if (cipherpw.data != NULL) /* allocated by krb5_mk_priv */
- free(cipherpw.data);
-
+ free(cipherpw.data);
+
return(ret);
}
-krb5_error_code
+krb5_error_code
krb5int_rd_chpw_rep(krb5_context context, krb5_auth_context auth_context,
- krb5_data *packet, int *result_code, krb5_data *result_data)
+ krb5_data *packet, int *result_code, krb5_data *result_data)
{
char *ptr;
int plen, vno;
@@ -88,9 +89,9 @@ krb5int_rd_chpw_rep(krb5_context context, krb5_auth_context auth_context,
krb5_keyblock *tmp;
if (packet->length < 4)
- /* either this, or the server is printing bad messages,
- or the caller passed in garbage */
- return(KRB5KRB_AP_ERR_MODIFIED);
+ /* either this, or the server is printing bad messages,
+ or the caller passed in garbage */
+ return(KRB5KRB_AP_ERR_MODIFIED);
ptr = packet->data;
@@ -100,27 +101,27 @@ krb5int_rd_chpw_rep(krb5_context context, krb5_auth_context auth_context,
plen = (plen<<8) | (*ptr++ & 0xff);
if (plen != packet->length) {
- /*
- * MS KDCs *may* send back a KRB_ERROR. Although
- * not 100% correct via RFC3244, it's something
- * we can workaround here.
- */
- if (krb5_is_krb_error(packet)) {
-
- if ((ret = krb5_rd_error(context, packet, &krberror)))
- return(ret);
-
- if (krberror->e_data.data == NULL)
- ret = ERROR_TABLE_BASE_krb5 + (krb5_error_code) krberror->error;
- else
- ret = KRB5KRB_AP_ERR_MODIFIED;
- krb5_free_error(context, krberror);
- return(ret);
- } else {
- return(KRB5KRB_AP_ERR_MODIFIED);
- }
+ /*
+ * MS KDCs *may* send back a KRB_ERROR. Although
+ * not 100% correct via RFC3244, it's something
+ * we can workaround here.
+ */
+ if (krb5_is_krb_error(packet)) {
+
+ if ((ret = krb5_rd_error(context, packet, &krberror)))
+ return(ret);
+
+ if (krberror->e_data.data == NULL)
+ ret = ERROR_TABLE_BASE_krb5 + (krb5_error_code) krberror->error;
+ else
+ ret = KRB5KRB_AP_ERR_MODIFIED;
+ krb5_free_error(context, krberror);
+ return(ret);
+ } else {
+ return(KRB5KRB_AP_ERR_MODIFIED);
+ }
}
-
+
/* verify version number */
@@ -128,7 +129,7 @@ krb5int_rd_chpw_rep(krb5_context context, krb5_auth_context auth_context,
vno = (vno<<8) | (*ptr++ & 0xff);
if (vno != 1)
- return(KRB5KDC_ERR_BAD_PVNO);
+ return(KRB5KDC_ERR_BAD_PVNO);
/* read, check ap-rep length */
@@ -136,59 +137,59 @@ krb5int_rd_chpw_rep(krb5_context context, krb5_auth_context auth_context,
ap_rep.length = (ap_rep.length<<8) | (*ptr++ & 0xff);
if (ptr + ap_rep.length >= packet->data + packet->length)
- return(KRB5KRB_AP_ERR_MODIFIED);
+ return(KRB5KRB_AP_ERR_MODIFIED);
if (ap_rep.length) {
- /* verify ap_rep */
- ap_rep.data = ptr;
- ptr += ap_rep.length;
-
- /*
- * Save send_subkey to later smash recv_subkey.
- */
- ret = krb5_auth_con_getsendsubkey(context, auth_context, &tmp);
- if (ret)
- return ret;
-
- ret = krb5_rd_rep(context, auth_context, &ap_rep, &ap_rep_enc);
- if (ret) {
- krb5_free_keyblock(context, tmp);
- return(ret);
- }
-
- krb5_free_ap_rep_enc_part(context, ap_rep_enc);
-
- /* extract and decrypt the result */
-
- cipherresult.data = ptr;
- cipherresult.length = (packet->data + packet->length) - ptr;
-
- /*
- * Smash recv_subkey to be send_subkey, per spec.
- */
- ret = krb5_auth_con_setrecvsubkey(context, auth_context, tmp);
- krb5_free_keyblock(context, tmp);
- if (ret)
- return ret;
-
- ret = krb5_rd_priv(context, auth_context, &cipherresult, &clearresult,
- &replay);
-
- if (ret)
- return(ret);
+ /* verify ap_rep */
+ ap_rep.data = ptr;
+ ptr += ap_rep.length;
+
+ /*
+ * Save send_subkey to later smash recv_subkey.
+ */
+ ret = krb5_auth_con_getsendsubkey(context, auth_context, &tmp);
+ if (ret)
+ return ret;
+
+ ret = krb5_rd_rep(context, auth_context, &ap_rep, &ap_rep_enc);
+ if (ret) {
+ krb5_free_keyblock(context, tmp);
+ return(ret);
+ }
+
+ krb5_free_ap_rep_enc_part(context, ap_rep_enc);
+
+ /* extract and decrypt the result */
+
+ cipherresult.data = ptr;
+ cipherresult.length = (packet->data + packet->length) - ptr;
+
+ /*
+ * Smash recv_subkey to be send_subkey, per spec.
+ */
+ ret = krb5_auth_con_setrecvsubkey(context, auth_context, tmp);
+ krb5_free_keyblock(context, tmp);
+ if (ret)
+ return ret;
+
+ ret = krb5_rd_priv(context, auth_context, &cipherresult, &clearresult,
+ &replay);
+
+ if (ret)
+ return(ret);
} else {
- cipherresult.data = ptr;
- cipherresult.length = (packet->data + packet->length) - ptr;
+ cipherresult.data = ptr;
+ cipherresult.length = (packet->data + packet->length) - ptr;
- if ((ret = krb5_rd_error(context, &cipherresult, &krberror)))
- return(ret);
+ if ((ret = krb5_rd_error(context, &cipherresult, &krberror)))
+ return(ret);
- clearresult = krberror->e_data;
+ clearresult = krberror->e_data;
}
if (clearresult.length < 2) {
- ret = KRB5KRB_AP_ERR_MODIFIED;
- goto cleanup;
+ ret = KRB5KRB_AP_ERR_MODIFIED;
+ goto cleanup;
}
ptr = clearresult.data;
@@ -197,38 +198,38 @@ krb5int_rd_chpw_rep(krb5_context context, krb5_auth_context auth_context,
*result_code = (*result_code<<8) | (*ptr++ & 0xff);
if ((*result_code < KRB5_KPASSWD_SUCCESS) ||
- (*result_code > KRB5_KPASSWD_INITIAL_FLAG_NEEDED)) {
- ret = KRB5KRB_AP_ERR_MODIFIED;
- goto cleanup;
+ (*result_code > KRB5_KPASSWD_INITIAL_FLAG_NEEDED)) {
+ ret = KRB5KRB_AP_ERR_MODIFIED;
+ goto cleanup;
}
/* all success replies should be authenticated/encrypted */
if ((ap_rep.length == 0) && (*result_code == KRB5_KPASSWD_SUCCESS)) {
- ret = KRB5KRB_AP_ERR_MODIFIED;
- goto cleanup;
+ ret = KRB5KRB_AP_ERR_MODIFIED;
+ goto cleanup;
}
result_data->length = (clearresult.data + clearresult.length) - ptr;
if (result_data->length) {
- result_data->data = (char *) malloc(result_data->length);
- if (result_data->data == NULL) {
- ret = ENOMEM;
- goto cleanup;
- }
- memcpy(result_data->data, ptr, result_data->length);
+ result_data->data = (char *) malloc(result_data->length);
+ if (result_data->data == NULL) {
+ ret = ENOMEM;
+ goto cleanup;
+ }
+ memcpy(result_data->data, ptr, result_data->length);
} else {
- result_data->data = NULL;
+ result_data->data = NULL;
}
ret = 0;
cleanup:
if (ap_rep.length) {
- free(clearresult.data);
+ free(clearresult.data);
} else {
- krb5_free_error(context, krberror);
+ krb5_free_error(context, krberror);
}
return(ret);
@@ -236,71 +237,71 @@ cleanup:
krb5_error_code KRB5_CALLCONV
krb5_chpw_result_code_string(krb5_context context, int result_code,
- char **code_string)
+ char **code_string)
{
switch (result_code) {
case KRB5_KPASSWD_MALFORMED:
- *code_string = "Malformed request error";
- break;
+ *code_string = "Malformed request error";
+ break;
case KRB5_KPASSWD_HARDERROR:
- *code_string = "Server error";
- break;
+ *code_string = "Server error";
+ break;
case KRB5_KPASSWD_AUTHERROR:
- *code_string = "Authentication error";
- break;
+ *code_string = "Authentication error";
+ break;
case KRB5_KPASSWD_SOFTERROR:
- *code_string = "Password change rejected";
- break;
+ *code_string = "Password change rejected";
+ break;
default:
- *code_string = "Password change failed";
- break;
+ *code_string = "Password change failed";
+ break;
}
return(0);
}
-krb5_error_code
+krb5_error_code
krb5int_mk_setpw_req(krb5_context context,
- krb5_auth_context auth_context,
- krb5_data *ap_req,
- krb5_principal targprinc,
- char *passwd,
- krb5_data *packet)
+ krb5_auth_context auth_context,
+ krb5_data *ap_req,
+ krb5_principal targprinc,
+ char *passwd,
+ krb5_data *packet)
{
krb5_error_code ret;
- krb5_data cipherpw;
- krb5_data *encoded_setpw;
+ krb5_data cipherpw;
+ krb5_data *encoded_setpw;
struct krb5_setpw_req req;
char *ptr;
cipherpw.data = NULL;
cipherpw.length = 0;
-
+
if ((ret = krb5_auth_con_setflags(context, auth_context,
- KRB5_AUTH_CONTEXT_DO_SEQUENCE)))
- return(ret);
+ KRB5_AUTH_CONTEXT_DO_SEQUENCE)))
+ return(ret);
req.target = targprinc;
req.password.data = passwd;
req.password.length = strlen(passwd);
ret = encode_krb5_setpw_req(&req, &encoded_setpw);
if (ret) {
- return ret;
+ return ret;
}
if ((ret = krb5_mk_priv(context, auth_context, encoded_setpw, &cipherpw, NULL)) != 0) {
- krb5_free_data(context, encoded_setpw);
- return(ret);
+ krb5_free_data(context, encoded_setpw);
+ return(ret);
}
krb5_free_data(context, encoded_setpw);
-
+
packet->length = 6 + ap_req->length + cipherpw.length;
packet->data = (char *) malloc(packet->length);
if (packet->data == NULL) {
- ret = ENOMEM;
- goto cleanup;
+ ret = ENOMEM;
+ goto cleanup;
}
ptr = packet->data;
/*
@@ -325,18 +326,18 @@ krb5int_mk_setpw_req(krb5_context context,
ret = 0;
cleanup:
if (cipherpw.data)
- krb5_free_data_contents(context, &cipherpw);
+ krb5_free_data_contents(context, &cipherpw);
if ((ret != 0) && packet->data) {
- free(packet->data);
- packet->data = NULL;
+ free(packet->data);
+ packet->data = NULL;
}
return ret;
}
-krb5_error_code
+krb5_error_code
krb5int_rd_setpw_rep(krb5_context context, krb5_auth_context auth_context,
- krb5_data *packet,
- int *result_code, krb5_data *result_data)
+ krb5_data *packet,
+ int *result_code, krb5_data *result_data)
{
char *ptr;
unsigned int message_length, version_number;
@@ -350,7 +351,7 @@ krb5int_rd_setpw_rep(krb5_context context, krb5_auth_context auth_context,
** validate the packet length -
*/
if (packet->length < 4)
- return(KRB5KRB_AP_ERR_MODIFIED);
+ return(KRB5KRB_AP_ERR_MODIFIED);
ptr = packet->data;
@@ -358,109 +359,109 @@ krb5int_rd_setpw_rep(krb5_context context, krb5_auth_context auth_context,
** see if it is an error
*/
if (krb5_is_krb_error(packet)) {
- krb5_error *krberror;
- if ((ret = krb5_rd_error(context, packet, &krberror)))
- return(ret);
- if (krberror->e_data.data == NULL) {
- ret = ERROR_TABLE_BASE_krb5 + (krb5_error_code) krberror->error;
- krb5_free_error(context, krberror);
- return (ret);
- }
- clearresult = krberror->e_data;
- krberror->e_data.data = NULL; /*So we can free it later*/
- krberror->e_data.length = 0;
- krb5_free_error(context, krberror);
- ap_rep.length = 0;
+ krb5_error *krberror;
+ if ((ret = krb5_rd_error(context, packet, &krberror)))
+ return(ret);
+ if (krberror->e_data.data == NULL) {
+ ret = ERROR_TABLE_BASE_krb5 + (krb5_error_code) krberror->error;
+ krb5_free_error(context, krberror);
+ return (ret);
+ }
+ clearresult = krberror->e_data;
+ krberror->e_data.data = NULL; /*So we can free it later*/
+ krberror->e_data.length = 0;
+ krb5_free_error(context, krberror);
+ ap_rep.length = 0;
} else { /* Not an error*/
- /*
- ** validate the message length -
- ** length is big endian
- */
- message_length = (((ptr[0] << 8)&0xff) | (ptr[1]&0xff));
- ptr += 2;
- /*
- ** make sure the message length and packet length agree -
- */
- if (message_length != packet->length)
- return(KRB5KRB_AP_ERR_MODIFIED);
- /*
- ** get the version number -
- */
- version_number = (((ptr[0] << 8)&0xff) | (ptr[1]&0xff));
- ptr += 2;
- /*
- ** make sure we support the version returned -
- */
- /*
- ** set password version is 0xff80, change password version is 1
- */
- if (version_number != 1 && version_number != 0xff80)
- return(KRB5KDC_ERR_BAD_PVNO);
- /*
- ** now fill in ap_rep with the reply -
- */
- /*
- ** get the reply length -
- */
- ap_rep.length = (((ptr[0] << 8)&0xff) | (ptr[1]&0xff));
- ptr += 2;
- /*
- ** validate ap_rep length agrees with the packet length -
- */
- if (ptr + ap_rep.length >= packet->data + packet->length)
- return(KRB5KRB_AP_ERR_MODIFIED);
- /*
- ** if data was returned, set the ap_rep ptr -
- */
- if (ap_rep.length) {
- ap_rep.data = ptr;
- ptr += ap_rep.length;
-
- /*
- * Save send_subkey to later smash recv_subkey.
- */
- ret = krb5_auth_con_getsendsubkey(context, auth_context, &tmpkey);
- if (ret)
- return ret;
-
- ret = krb5_rd_rep(context, auth_context, &ap_rep, &ap_rep_enc);
- if (ret) {
- krb5_free_keyblock(context, tmpkey);
- return(ret);
- }
-
- krb5_free_ap_rep_enc_part(context, ap_rep_enc);
- /*
- ** now decrypt the result -
- */
- cipherresult.data = ptr;
- cipherresult.length = (packet->data + packet->length) - ptr;
-
- /*
- * Smash recv_subkey to be send_subkey, per spec.
- */
- ret = krb5_auth_con_setrecvsubkey(context, auth_context, tmpkey);
- krb5_free_keyblock(context, tmpkey);
- if (ret)
- return ret;
-
- ret = krb5_rd_priv(context, auth_context, &cipherresult, &clearresult,
- NULL);
- if (ret)
- return(ret);
- } /*We got an ap_rep*/
- else
- return (KRB5KRB_AP_ERR_MODIFIED);
+ /*
+ ** validate the message length -
+ ** length is big endian
+ */
+ message_length = (((ptr[0] << 8)&0xff) | (ptr[1]&0xff));
+ ptr += 2;
+ /*
+ ** make sure the message length and packet length agree -
+ */
+ if (message_length != packet->length)
+ return(KRB5KRB_AP_ERR_MODIFIED);
+ /*
+ ** get the version number -
+ */
+ version_number = (((ptr[0] << 8)&0xff) | (ptr[1]&0xff));
+ ptr += 2;
+ /*
+ ** make sure we support the version returned -
+ */
+ /*
+ ** set password version is 0xff80, change password version is 1
+ */
+ if (version_number != 1 && version_number != 0xff80)
+ return(KRB5KDC_ERR_BAD_PVNO);
+ /*
+ ** now fill in ap_rep with the reply -
+ */
+ /*
+ ** get the reply length -
+ */
+ ap_rep.length = (((ptr[0] << 8)&0xff) | (ptr[1]&0xff));
+ ptr += 2;
+ /*
+ ** validate ap_rep length agrees with the packet length -
+ */
+ if (ptr + ap_rep.length >= packet->data + packet->length)
+ return(KRB5KRB_AP_ERR_MODIFIED);
+ /*
+ ** if data was returned, set the ap_rep ptr -
+ */
+ if (ap_rep.length) {
+ ap_rep.data = ptr;
+ ptr += ap_rep.length;
+
+ /*
+ * Save send_subkey to later smash recv_subkey.
+ */
+ ret = krb5_auth_con_getsendsubkey(context, auth_context, &tmpkey);
+ if (ret)
+ return ret;
+
+ ret = krb5_rd_rep(context, auth_context, &ap_rep, &ap_rep_enc);
+ if (ret) {
+ krb5_free_keyblock(context, tmpkey);
+ return(ret);
+ }
+
+ krb5_free_ap_rep_enc_part(context, ap_rep_enc);
+ /*
+ ** now decrypt the result -
+ */
+ cipherresult.data = ptr;
+ cipherresult.length = (packet->data + packet->length) - ptr;
+
+ /*
+ * Smash recv_subkey to be send_subkey, per spec.
+ */
+ ret = krb5_auth_con_setrecvsubkey(context, auth_context, tmpkey);
+ krb5_free_keyblock(context, tmpkey);
+ if (ret)
+ return ret;
+
+ ret = krb5_rd_priv(context, auth_context, &cipherresult, &clearresult,
+ NULL);
+ if (ret)
+ return(ret);
+ } /*We got an ap_rep*/
+ else
+ return (KRB5KRB_AP_ERR_MODIFIED);
} /*Response instead of error*/
/*
- ** validate the cleartext length
+ ** validate the cleartext length
*/
if (clearresult.length < 2) {
- ret = KRB5KRB_AP_ERR_MODIFIED;
- goto cleanup;
+ ret = KRB5KRB_AP_ERR_MODIFIED;
+ goto cleanup;
}
/*
** now decode the result -
@@ -474,68 +475,67 @@ krb5int_rd_setpw_rep(krb5_context context, krb5_auth_context auth_context,
** result code 5 is access denied
*/
if ((*result_code < KRB5_KPASSWD_SUCCESS) || (*result_code > 5)) {
- ret = KRB5KRB_AP_ERR_MODIFIED;
- goto cleanup;
+ ret = KRB5KRB_AP_ERR_MODIFIED;
+ goto cleanup;
}
/*
** all success replies should be authenticated/encrypted
*/
if ((ap_rep.length == 0) && (*result_code == KRB5_KPASSWD_SUCCESS)) {
- ret = KRB5KRB_AP_ERR_MODIFIED;
- goto cleanup;
+ ret = KRB5KRB_AP_ERR_MODIFIED;
+ goto cleanup;
}
if (result_data) {
- result_data->length = (clearresult.data + clearresult.length) - ptr;
-
- if (result_data->length) {
- result_data->data = (char *) malloc(result_data->length);
- if (result_data->data)
- memcpy(result_data->data, ptr, result_data->length);
- } else
- result_data->data = NULL;
+ result_data->length = (clearresult.data + clearresult.length) - ptr;
+
+ if (result_data->length) {
+ result_data->data = (char *) malloc(result_data->length);
+ if (result_data->data)
+ memcpy(result_data->data, ptr, result_data->length);
+ } else
+ result_data->data = NULL;
}
ret = 0;
- cleanup:
+cleanup:
krb5_free_data_contents(context, &clearresult);
return(ret);
}
-krb5_error_code
+krb5_error_code
krb5int_setpw_result_code_string(krb5_context context, int result_code,
- const char **code_string)
+ const char **code_string)
{
switch (result_code) {
case KRB5_KPASSWD_MALFORMED:
- *code_string = "Malformed request error";
- break;
+ *code_string = "Malformed request error";
+ break;
case KRB5_KPASSWD_HARDERROR:
- *code_string = "Server error";
- break;
+ *code_string = "Server error";
+ break;
case KRB5_KPASSWD_AUTHERROR:
- *code_string = "Authentication error";
- break;
+ *code_string = "Authentication error";
+ break;
case KRB5_KPASSWD_SOFTERROR:
- *code_string = "Password change rejected";
- break;
+ *code_string = "Password change rejected";
+ break;
case 5: /* access denied */
- *code_string = "Access denied";
- break;
- case 6: /* bad version */
- *code_string = "Wrong protocol version";
- break;
+ *code_string = "Access denied";
+ break;
+ case 6: /* bad version */
+ *code_string = "Wrong protocol version";
+ break;
case 7: /* initial flag is needed */
- *code_string = "Initial password required";
- break;
+ *code_string = "Initial password required";
+ break;
case 0:
- *code_string = "Success";
- break;
+ *code_string = "Success";
+ break;
default:
- *code_string = "Password change failed";
- break;
+ *code_string = "Password change failed";
+ break;
}
return(0);
}
-
diff --git a/src/lib/krb5/krb/cleanup.h b/src/lib/krb5/krb/cleanup.h
index 94b39f757..3a018330a 100644
--- a/src/lib/krb5/krb/cleanup.h
+++ b/src/lib/krb5/krb/cleanup.h
@@ -1,29 +1,30 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
#ifndef KRB5_CLEANUP
#define KRB5_CLEANUP
struct cleanup {
- void * arg;
- void (*func)(void *);
+ void * arg;
+ void (*func)(void *);
};
-#define CLEANUP_INIT(x) \
- struct cleanup cleanup_data[x]; \
- int cleanup_count = 0;
+#define CLEANUP_INIT(x) \
+ struct cleanup cleanup_data[x]; \
+ int cleanup_count = 0;
-#define CLEANUP_PUSH(x, y) \
- cleanup_data[cleanup_count].arg = x; \
- cleanup_data[cleanup_count].func = y; \
+#define CLEANUP_PUSH(x, y) \
+ cleanup_data[cleanup_count].arg = x; \
+ cleanup_data[cleanup_count].func = y; \
cleanup_count++;
-#define CLEANUP_POP(x) \
- if ((--cleanup_count) && x && (cleanup_data[cleanup_count].func)) \
- cleanup_data[cleanup_count].func(cleanup_data[cleanup_count].arg);
-
-#define CLEANUP_DONE() \
- while(cleanup_count--) \
- if (cleanup_data[cleanup_count].func) \
- cleanup_data[cleanup_count].func(cleanup_data[cleanup_count].arg);
-
+#define CLEANUP_POP(x) \
+ if ((--cleanup_count) && x && (cleanup_data[cleanup_count].func)) \
+ cleanup_data[cleanup_count].func(cleanup_data[cleanup_count].arg);
+
+#define CLEANUP_DONE() \
+ while(cleanup_count--) \
+ if (cleanup_data[cleanup_count].func) \
+ cleanup_data[cleanup_count].func(cleanup_data[cleanup_count].arg);
+
#endif
diff --git a/src/lib/krb5/krb/conv_creds.c b/src/lib/krb5/krb/conv_creds.c
index b6c610842..6f4608817 100644
--- a/src/lib/krb5/krb/conv_creds.c
+++ b/src/lib/krb5/krb/conv_creds.c
@@ -1,6 +1,7 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* Copyright 1994 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
@@ -10,7 +11,7 @@
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
@@ -29,7 +30,7 @@
krb5_error_code KRB5_CALLCONV
krb5_524_convert_creds(krb5_context context, krb5_creds *v5creds,
- struct credentials *v4creds)
+ struct credentials *v4creds)
{
return KRB524_KRB4_DISABLED;
}
@@ -45,11 +46,11 @@ krb5_524_convert_creds(krb5_context context, krb5_creds *v5creds,
void KRB5_CALLCONV krb524_init_ets (void);
krb5_error_code KRB5_CALLCONV
krb524_convert_creds_kdc(krb5_context context, krb5_creds *v5creds,
- struct credentials *v4creds);
+ struct credentials *v4creds);
krb5_error_code KRB5_CALLCONV
krb524_convert_creds_kdc(krb5_context context, krb5_creds *v5creds,
- struct credentials *v4creds)
+ struct credentials *v4creds)
{
return KRB524_KRB4_DISABLED;
}
diff --git a/src/lib/krb5/krb/conv_princ.c b/src/lib/krb5/krb/conv_princ.c
index 43c588f0f..5f63f465a 100644
--- a/src/lib/krb5/krb/conv_princ.c
+++ b/src/lib/krb5/krb/conv_princ.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/conv_princ.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,10 +23,10 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
* Build a principal from a V4 specification, or separate a V5
* principal into name, instance, and realm.
- *
+ *
* NOTE: This is highly site specific, and is only really necessary
* for sites who need to convert from V4 to V5. It is used by both
* the KDC and the kdb5_convert program. Since its use is highly
@@ -39,16 +40,16 @@
/* The maximum sizes for V4 aname, realm, sname, and instance +1 */
/* Taken from krb.h */
-#define ANAME_SZ 40
-#define REALM_SZ 40
-#define SNAME_SZ 40
-#define INST_SZ 40
+#define ANAME_SZ 40
+#define REALM_SZ 40
+#define SNAME_SZ 40
+#define INST_SZ 40
struct krb_convert {
- char *v4_str;
- char *v5_str;
- unsigned int flags : 8;
- unsigned int len : 8;
+ char *v4_str;
+ char *v5_str;
+ unsigned int flags : 8;
+ unsigned int len : 8;
};
#define DO_REALM_CONVERSION 0x00000001
@@ -71,9 +72,9 @@ static const struct krb_convert sconv_list[] = {
/* Realm conversion, Change service name */
#define RC(V5NAME,V4NAME) { V5NAME, V4NAME, DO_REALM_CONVERSION, sizeof(V5NAME)-1 }
/* Realm conversion */
-#define R(NAME) { NAME, NAME, DO_REALM_CONVERSION, sizeof(NAME)-1 }
+#define R(NAME) { NAME, NAME, DO_REALM_CONVERSION, sizeof(NAME)-1 }
/* No Realm conversion */
-#define NR(NAME) { NAME, NAME, 0, sizeof(NAME)-1 }
+#define NR(NAME) { NAME, NAME, 0, sizeof(NAME)-1 }
NR("kadmin"),
RC("rcmd", "host"),
@@ -128,18 +129,18 @@ static const struct krb_convert sconv_list[] = {
* This falls in the "should have been in the ANSI C library"
* category. :-)
*/
-static char *strnchr(register char *s, register int c,
- register unsigned int n)
+static char *strnchr(register char *s, register int c,
+ register unsigned int n)
{
- if (n < 1)
- return 0;
-
- while (n-- && *s) {
- if (*s == c)
- return s;
- s++;
- }
- return 0;
+ if (n < 1)
+ return 0;
+
+ while (n-- && *s) {
+ if (*s == c)
+ return s;
+ s++;
+ }
+ return 0;
}
@@ -148,207 +149,207 @@ static char *strnchr(register char *s, register int c,
krb5_error_code KRB5_CALLCONV
krb5_524_conv_principal(krb5_context context, krb5_const_principal princ,
- char *name, char *inst, char *realm)
+ char *name, char *inst, char *realm)
{
- const struct krb_convert *p;
- const krb5_data *compo;
- char *c, *tmp_realm, *tmp_prealm;
- unsigned int tmp_realm_len;
- int retval;
+ const struct krb_convert *p;
+ const krb5_data *compo;
+ char *c, *tmp_realm, *tmp_prealm;
+ unsigned int tmp_realm_len;
+ int retval;
- if (context->profile == 0)
- return KRB5_CONFIG_CANTOPEN;
+ if (context->profile == 0)
+ return KRB5_CONFIG_CANTOPEN;
- *name = *inst = '\0';
- switch (krb5_princ_size(context, princ)) {
- case 2:
- /* Check if this principal is listed in the table */
- compo = krb5_princ_component(context, princ, 0);
- p = sconv_list;
- while (p->v4_str) {
- if (p->len == compo->length
- && memcmp(p->v5_str, compo->data, compo->length) == 0) {
- /*
- * It is, so set the new name now, and chop off
- * instance's domain name if requested.
- */
- if (strlcpy(name, p->v4_str, ANAME_SZ) >= ANAME_SZ)
- return KRB5_INVALID_PRINCIPAL;
- if (p->flags & DO_REALM_CONVERSION) {
- compo = krb5_princ_component(context, princ, 1);
- c = strnchr(compo->data, '.', compo->length);
- if (!c || (c - compo->data) >= INST_SZ - 1)
- return KRB5_INVALID_PRINCIPAL;
- memcpy(inst, compo->data, (size_t) (c - compo->data));
- inst[c - compo->data] = '\0';
- }
- break;
- }
- p++;
- }
- /* If inst isn't set, the service isn't listed in the table, */
- /* so just copy it. */
- if (*inst == '\0') {
- compo = krb5_princ_component(context, princ, 1);
- if (compo->length >= INST_SZ - 1)
- return KRB5_INVALID_PRINCIPAL;
- memcpy(inst, compo->data, compo->length);
- inst[compo->length] = '\0';
- }
- /* fall through */
- case 1:
- /* name may have been set above; otherwise, just copy it */
- if (*name == '\0') {
- compo = krb5_princ_component(context, princ, 0);
- if (compo->length >= ANAME_SZ)
- return KRB5_INVALID_PRINCIPAL;
- memcpy(name, compo->data, compo->length);
- name[compo->length] = '\0';
- }
- break;
- default:
- return KRB5_INVALID_PRINCIPAL;
- }
+ *name = *inst = '\0';
+ switch (krb5_princ_size(context, princ)) {
+ case 2:
+ /* Check if this principal is listed in the table */
+ compo = krb5_princ_component(context, princ, 0);
+ p = sconv_list;
+ while (p->v4_str) {
+ if (p->len == compo->length
+ && memcmp(p->v5_str, compo->data, compo->length) == 0) {
+ /*
+ * It is, so set the new name now, and chop off
+ * instance's domain name if requested.
+ */
+ if (strlcpy(name, p->v4_str, ANAME_SZ) >= ANAME_SZ)
+ return KRB5_INVALID_PRINCIPAL;
+ if (p->flags & DO_REALM_CONVERSION) {
+ compo = krb5_princ_component(context, princ, 1);
+ c = strnchr(compo->data, '.', compo->length);
+ if (!c || (c - compo->data) >= INST_SZ - 1)
+ return KRB5_INVALID_PRINCIPAL;
+ memcpy(inst, compo->data, (size_t) (c - compo->data));
+ inst[c - compo->data] = '\0';
+ }
+ break;
+ }
+ p++;
+ }
+ /* If inst isn't set, the service isn't listed in the table, */
+ /* so just copy it. */
+ if (*inst == '\0') {
+ compo = krb5_princ_component(context, princ, 1);
+ if (compo->length >= INST_SZ - 1)
+ return KRB5_INVALID_PRINCIPAL;
+ memcpy(inst, compo->data, compo->length);
+ inst[compo->length] = '\0';
+ }
+ /* fall through */
+ case 1:
+ /* name may have been set above; otherwise, just copy it */
+ if (*name == '\0') {
+ compo = krb5_princ_component(context, princ, 0);
+ if (compo->length >= ANAME_SZ)
+ return KRB5_INVALID_PRINCIPAL;
+ memcpy(name, compo->data, compo->length);
+ name[compo->length] = '\0';
+ }
+ break;
+ default:
+ return KRB5_INVALID_PRINCIPAL;
+ }
- compo = krb5_princ_realm(context, princ);
+ compo = krb5_princ_realm(context, princ);
- tmp_prealm = malloc(compo->length + 1);
- if (tmp_prealm == NULL)
- return ENOMEM;
- strncpy(tmp_prealm, compo->data, compo->length);
- tmp_prealm[compo->length] = '\0';
+ tmp_prealm = malloc(compo->length + 1);
+ if (tmp_prealm == NULL)
+ return ENOMEM;
+ strncpy(tmp_prealm, compo->data, compo->length);
+ tmp_prealm[compo->length] = '\0';
- /* Ask for v4_realm corresponding to
- krb5 principal realm from krb5.conf realms stanza */
+ /* Ask for v4_realm corresponding to
+ krb5 principal realm from krb5.conf realms stanza */
- retval = profile_get_string(context->profile, KRB5_CONF_REALMS,
- tmp_prealm, KRB5_CONF_V4_REALM, 0,
- &tmp_realm);
- free(tmp_prealm);
- if (retval) {
- return retval;
- } else {
- if (tmp_realm == 0) {
- if (compo->length > REALM_SZ - 1)
- return KRB5_INVALID_PRINCIPAL;
- strncpy(realm, compo->data, compo->length);
- realm[compo->length] = '\0';
- } else {
- tmp_realm_len = strlen(tmp_realm);
- if (tmp_realm_len > REALM_SZ - 1)
- return KRB5_INVALID_PRINCIPAL;
- strncpy(realm, tmp_realm, tmp_realm_len);
- realm[tmp_realm_len] = '\0';
- profile_release_string(tmp_realm);
- }
- }
- return 0;
+ retval = profile_get_string(context->profile, KRB5_CONF_REALMS,
+ tmp_prealm, KRB5_CONF_V4_REALM, 0,
+ &tmp_realm);
+ free(tmp_prealm);
+ if (retval) {
+ return retval;
+ } else {
+ if (tmp_realm == 0) {
+ if (compo->length > REALM_SZ - 1)
+ return KRB5_INVALID_PRINCIPAL;
+ strncpy(realm, compo->data, compo->length);
+ realm[compo->length] = '\0';
+ } else {
+ tmp_realm_len = strlen(tmp_realm);
+ if (tmp_realm_len > REALM_SZ - 1)
+ return KRB5_INVALID_PRINCIPAL;
+ strncpy(realm, tmp_realm, tmp_realm_len);
+ realm[tmp_realm_len] = '\0';
+ profile_release_string(tmp_realm);
+ }
+ }
+ return 0;
}
krb5_error_code KRB5_CALLCONV
krb5_425_conv_principal(krb5_context context, const char *name,
- const char *instance, const char *realm,
- krb5_principal *princ)
+ const char *instance, const char *realm,
+ krb5_principal *princ)
{
- const struct krb_convert *p;
- char buf[256]; /* V4 instances are limited to 40 characters */
- krb5_error_code retval;
- char *domain, *cp;
- char **full_name = 0;
- const char *names[5], *names2[2];
- void* iterator = NULL;
- char** v4realms = NULL;
- char* realm_name = NULL;
- char* dummy_value = NULL;
-
- /* First, convert the realm, since the v4 realm is not necessarily the same as the v5 realm
- To do that, iterate over all the realms in the config file, looking for a matching
- v4_realm line */
- names2 [0] = KRB5_CONF_REALMS;
- names2 [1] = NULL;
- retval = profile_iterator_create (context -> profile, names2, PROFILE_ITER_LIST_SECTION | PROFILE_ITER_SECTIONS_ONLY, &iterator);
- while (retval == 0) {
- retval = profile_iterator (&iterator, &realm_name, &dummy_value);
- if ((retval == 0) && (realm_name != NULL)) {
- names [0] = KRB5_CONF_REALMS;
- names [1] = realm_name;
- names [2] = KRB5_CONF_V4_REALM;
- names [3] = NULL;
+ const struct krb_convert *p;
+ char buf[256]; /* V4 instances are limited to 40 characters */
+ krb5_error_code retval;
+ char *domain, *cp;
+ char **full_name = 0;
+ const char *names[5], *names2[2];
+ void* iterator = NULL;
+ char** v4realms = NULL;
+ char* realm_name = NULL;
+ char* dummy_value = NULL;
+
+ /* First, convert the realm, since the v4 realm is not necessarily the same as the v5 realm
+ To do that, iterate over all the realms in the config file, looking for a matching
+ v4_realm line */
+ names2 [0] = KRB5_CONF_REALMS;
+ names2 [1] = NULL;
+ retval = profile_iterator_create (context -> profile, names2, PROFILE_ITER_LIST_SECTION | PROFILE_ITER_SECTIONS_ONLY, &iterator);
+ while (retval == 0) {
+ retval = profile_iterator (&iterator, &realm_name, &dummy_value);
+ if ((retval == 0) && (realm_name != NULL)) {
+ names [0] = KRB5_CONF_REALMS;
+ names [1] = realm_name;
+ names [2] = KRB5_CONF_V4_REALM;
+ names [3] = NULL;
+
+ retval = profile_get_values (context -> profile, names, &v4realms);
+ if ((retval == 0) && (v4realms != NULL) && (v4realms [0] != NULL) && (strcmp (v4realms [0], realm) == 0)) {
+ realm = realm_name;
+ break;
+ } else if (retval == PROF_NO_RELATION) {
+ /* If it's not found, just keep going */
+ retval = 0;
+ }
+ } else if ((retval == 0) && (realm_name == NULL)) {
+ break;
+ }
+ if (v4realms != NULL) {
+ profile_free_list(v4realms);
+ v4realms = NULL;
+ }
+ if (realm_name != NULL) {
+ profile_release_string (realm_name);
+ realm_name = NULL;
+ }
+ if (dummy_value != NULL) {
+ profile_release_string (dummy_value);
+ dummy_value = NULL;
+ }
+ }
+
+ if (instance) {
+ if (instance[0] == '\0') {
+ instance = 0;
+ goto not_service;
+ }
+ p = sconv_list;
+ while (1) {
+ if (!p->v4_str)
+ goto not_service;
+ if (!strcmp(p->v4_str, name))
+ break;
+ p++;
+ }
+ name = p->v5_str;
+ if ((p->flags & DO_REALM_CONVERSION) && !strchr(instance, '.')) {
+ names[0] = KRB5_CONF_REALMS;
+ names[1] = realm;
+ names[2] = KRB5_CONF_V4_INSTANCE_CONVERT;
+ names[3] = instance;
+ names[4] = 0;
+ retval = profile_get_values(context->profile, names, &full_name);
+ if (retval == 0 && full_name && full_name[0]) {
+ instance = full_name[0];
+ } else {
+ strncpy(buf, instance, sizeof(buf));
+ buf[sizeof(buf) - 1] = '\0';
+ retval = krb5_get_realm_domain(context, realm, &domain);
+ if (retval)
+ return retval;
+ if (domain) {
+ for (cp = domain; *cp; cp++)
+ if (isupper((unsigned char) (*cp)))
+ *cp = tolower((unsigned char) *cp);
+ strncat(buf, ".", sizeof(buf) - 1 - strlen(buf));
+ strncat(buf, domain, sizeof(buf) - 1 - strlen(buf));
+ free(domain);
+ }
+ instance = buf;
+ }
+ }
+ }
- retval = profile_get_values (context -> profile, names, &v4realms);
- if ((retval == 0) && (v4realms != NULL) && (v4realms [0] != NULL) && (strcmp (v4realms [0], realm) == 0)) {
- realm = realm_name;
- break;
- } else if (retval == PROF_NO_RELATION) {
- /* If it's not found, just keep going */
- retval = 0;
- }
- } else if ((retval == 0) && (realm_name == NULL)) {
- break;
- }
- if (v4realms != NULL) {
- profile_free_list(v4realms);
- v4realms = NULL;
- }
- if (realm_name != NULL) {
- profile_release_string (realm_name);
- realm_name = NULL;
- }
- if (dummy_value != NULL) {
- profile_release_string (dummy_value);
- dummy_value = NULL;
- }
- }
-
- if (instance) {
- if (instance[0] == '\0') {
- instance = 0;
- goto not_service;
- }
- p = sconv_list;
- while (1) {
- if (!p->v4_str)
- goto not_service;
- if (!strcmp(p->v4_str, name))
- break;
- p++;
- }
- name = p->v5_str;
- if ((p->flags & DO_REALM_CONVERSION) && !strchr(instance, '.')) {
- names[0] = KRB5_CONF_REALMS;
- names[1] = realm;
- names[2] = KRB5_CONF_V4_INSTANCE_CONVERT;
- names[3] = instance;
- names[4] = 0;
- retval = profile_get_values(context->profile, names, &full_name);
- if (retval == 0 && full_name && full_name[0]) {
- instance = full_name[0];
- } else {
- strncpy(buf, instance, sizeof(buf));
- buf[sizeof(buf) - 1] = '\0';
- retval = krb5_get_realm_domain(context, realm, &domain);
- if (retval)
- return retval;
- if (domain) {
- for (cp = domain; *cp; cp++)
- if (isupper((unsigned char) (*cp)))
- *cp = tolower((unsigned char) *cp);
- strncat(buf, ".", sizeof(buf) - 1 - strlen(buf));
- strncat(buf, domain, sizeof(buf) - 1 - strlen(buf));
- free(domain);
- }
- instance = buf;
- }
- }
- }
-
not_service:
- retval = krb5_build_principal(context, princ, strlen(realm), realm, name,
- instance, NULL);
- if (iterator) profile_iterator_free (&iterator);
- if (full_name) profile_free_list(full_name);
- if (v4realms) profile_free_list(v4realms);
- if (realm_name) profile_release_string (realm_name);
- if (dummy_value) profile_release_string (dummy_value);
- return retval;
+ retval = krb5_build_principal(context, princ, strlen(realm), realm, name,
+ instance, NULL);
+ if (iterator) profile_iterator_free (&iterator);
+ if (full_name) profile_free_list(full_name);
+ if (v4realms) profile_free_list(v4realms);
+ if (realm_name) profile_release_string (realm_name);
+ if (dummy_value) profile_release_string (dummy_value);
+ return retval;
}
diff --git a/src/lib/krb5/krb/copy_addrs.c b/src/lib/krb5/krb/copy_addrs.c
index c3dcd57d0..7207c4c27 100644
--- a/src/lib/krb5/krb/copy_addrs.c
+++ b/src/lib/krb5/krb/copy_addrs.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/copy_addrs.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_copy_addresses()
*/
@@ -35,11 +36,11 @@ krb5_copy_addr(krb5_context context, const krb5_address *inad, krb5_address **ou
krb5_address *tmpad;
if (!(tmpad = (krb5_address *)malloc(sizeof(*tmpad))))
- return ENOMEM;
+ return ENOMEM;
*tmpad = *inad;
if (!(tmpad->contents = (krb5_octet *)malloc(inad->length))) {
- free(tmpad);
- return ENOMEM;
+ free(tmpad);
+ return ENOMEM;
}
memcpy(tmpad->contents, inad->contents, inad->length);
*outad = tmpad;
@@ -57,22 +58,22 @@ krb5_copy_addresses(krb5_context context, krb5_address *const *inaddr, krb5_addr
register unsigned int nelems = 0;
if (!inaddr) {
- *outaddr = 0;
- return 0;
+ *outaddr = 0;
+ return 0;
}
-
+
while (inaddr[nelems]) nelems++;
/* one more for a null terminated list */
if (!(tempaddr = (krb5_address **) calloc(nelems+1, sizeof(*tempaddr))))
- return ENOMEM;
+ return ENOMEM;
for (nelems = 0; inaddr[nelems]; nelems++) {
- retval = krb5_copy_addr(context, inaddr[nelems], &tempaddr[nelems]);
+ retval = krb5_copy_addr(context, inaddr[nelems], &tempaddr[nelems]);
if (retval) {
- krb5_free_addresses(context, tempaddr);
- return retval;
- }
+ krb5_free_addresses(context, tempaddr);
+ return retval;
+ }
}
*outaddr = tempaddr;
@@ -88,8 +89,8 @@ krb5_copy_addresses(krb5_context context, krb5_address *const *inaddr, krb5_addr
krb5_error_code
krb5_append_addresses(context, inaddr, outaddr)
krb5_context context;
- krb5_address * const * inaddr;
- krb5_address ***outaddr;
+ krb5_address * const * inaddr;
+ krb5_address ***outaddr;
{
krb5_error_code retval;
krb5_address ** tempaddr;
@@ -98,7 +99,7 @@ krb5_append_addresses(context, inaddr, outaddr)
register int norigelems = 0;
if (!inaddr)
- return 0;
+ return 0;
tempaddr2 = *outaddr;
@@ -106,34 +107,33 @@ krb5_append_addresses(context, inaddr, outaddr)
while (tempaddr2[norigelems]) norigelems++;
tempaddr = (krb5_address **) realloc((char *)*outaddr,
- (nelems + norigelems + 1) * sizeof(*tempaddr));
+ (nelems + norigelems + 1) * sizeof(*tempaddr));
if (!tempaddr)
- return ENOMEM;
+ return ENOMEM;
/* The old storage has been freed. */
*outaddr = tempaddr;
for (nelems = 0; inaddr[nelems]; nelems++) {
- retval = krb5_copy_addr(context, inaddr[nelems],
- &tempaddr[norigelems + nelems]);
- if (retval)
- goto cleanup;
+ retval = krb5_copy_addr(context, inaddr[nelems],
+ &tempaddr[norigelems + nelems]);
+ if (retval)
+ goto cleanup;
}
tempaddr[norigelems + nelems] = 0;
return 0;
- cleanup:
+cleanup:
while (--nelems >= 0)
- krb5_free_address(context, tempaddr[norigelems + nelems]);
+ krb5_free_address(context, tempaddr[norigelems + nelems]);
/* Try to allocate a smaller amount of memory for *outaddr. */
tempaddr = (krb5_address **) realloc((char *)tempaddr,
- (norigelems + 1) * sizeof(*tempaddr));
+ (norigelems + 1) * sizeof(*tempaddr));
if (tempaddr)
- *outaddr = tempaddr;
+ *outaddr = tempaddr;
return retval;
}
#endif
-
diff --git a/src/lib/krb5/krb/copy_athctr.c b/src/lib/krb5/krb/copy_athctr.c
index c356fbf78..3345486e4 100644
--- a/src/lib/krb5/krb/copy_athctr.c
+++ b/src/lib/krb5/krb/copy_athctr.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/copy_athctr.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_copy_authenticator()
*/
@@ -36,48 +37,47 @@ krb5_copy_authenticator(krb5_context context, const krb5_authenticator *authfrom
krb5_authenticator *tempto;
if (!(tempto = (krb5_authenticator *)malloc(sizeof(*tempto))))
- return ENOMEM;
+ return ENOMEM;
*tempto = *authfrom;
retval = krb5_copy_principal(context, authfrom->client, &tempto->client);
if (retval) {
- free(tempto);
- return retval;
+ free(tempto);
+ return retval;
}
-
+
if (authfrom->checksum &&
- (retval = krb5_copy_checksum(context, authfrom->checksum, &tempto->checksum))) {
- krb5_free_principal(context, tempto->client);
- free(tempto);
- return retval;
+ (retval = krb5_copy_checksum(context, authfrom->checksum, &tempto->checksum))) {
+ krb5_free_principal(context, tempto->client);
+ free(tempto);
+ return retval;
}
-
+
if (authfrom->subkey) {
- retval = krb5_copy_keyblock(context, authfrom->subkey, &tempto->subkey);
- if (retval) {
- free(tempto->subkey);
- krb5_free_checksum(context, tempto->checksum);
- krb5_free_principal(context, tempto->client);
- free(tempto);
- return retval;
- }
+ retval = krb5_copy_keyblock(context, authfrom->subkey, &tempto->subkey);
+ if (retval) {
+ free(tempto->subkey);
+ krb5_free_checksum(context, tempto->checksum);
+ krb5_free_principal(context, tempto->client);
+ free(tempto);
+ return retval;
+ }
}
-
+
if (authfrom->authorization_data) {
- retval = krb5_copy_authdata(context, authfrom->authorization_data,
- &tempto->authorization_data);
- if (retval) {
- free(tempto->subkey);
- krb5_free_checksum(context, tempto->checksum);
- krb5_free_principal(context, tempto->client);
- krb5_free_authdata(context, tempto->authorization_data);
- free(tempto);
- return retval;
- }
+ retval = krb5_copy_authdata(context, authfrom->authorization_data,
+ &tempto->authorization_data);
+ if (retval) {
+ free(tempto->subkey);
+ krb5_free_checksum(context, tempto->checksum);
+ krb5_free_principal(context, tempto->client);
+ krb5_free_authdata(context, tempto->authorization_data);
+ free(tempto);
+ return retval;
+ }
}
*authto = tempto;
return 0;
}
#endif
-
diff --git a/src/lib/krb5/krb/copy_auth.c b/src/lib/krb5/krb/copy_auth.c
index 6f36b2698..303badd2f 100644
--- a/src/lib/krb5/krb/copy_auth.c
+++ b/src/lib/krb5/krb/copy_auth.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/copy_auth.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_copy_authdata()
*/
@@ -62,11 +63,11 @@ krb5_copy_authdatum(krb5_context context, const krb5_authdata *inad, krb5_authda
krb5_authdata *tmpad;
if (!(tmpad = (krb5_authdata *)malloc(sizeof(*tmpad))))
- return ENOMEM;
+ return ENOMEM;
*tmpad = *inad;
if (!(tmpad->contents = (krb5_octet *)malloc(inad->length))) {
- free(tmpad);
- return ENOMEM;
+ free(tmpad);
+ return ENOMEM;
}
memcpy(tmpad->contents, inad->contents, inad->length);
*outad = tmpad;
@@ -78,7 +79,7 @@ krb5_copy_authdatum(krb5_context context, const krb5_authdata *inad, krb5_authda
*/
krb5_error_code KRB5_CALLCONV
krb5_merge_authdata(krb5_context context, krb5_authdata *const *inauthdat1, krb5_authdata * const *inauthdat2,
- krb5_authdata ***outauthdat)
+ krb5_authdata ***outauthdat)
{
krb5_error_code retval;
krb5_authdata ** tempauthdat;
@@ -86,40 +87,40 @@ krb5_merge_authdata(krb5_context context, krb5_authdata *const *inauthdat1, krb5
*outauthdat = NULL;
if (!inauthdat1 && !inauthdat2) {
- *outauthdat = 0;
- return 0;
+ *outauthdat = 0;
+ return 0;
}
- if (inauthdat1)
- while (inauthdat1[nelems]) nelems++;
- if (inauthdat2)
- while (inauthdat2[nelems2]) nelems2++;
+ if (inauthdat1)
+ while (inauthdat1[nelems]) nelems++;
+ if (inauthdat2)
+ while (inauthdat2[nelems2]) nelems2++;
/* one more for a null terminated list */
if (!(tempauthdat = (krb5_authdata **) calloc(nelems+nelems2+1,
- sizeof(*tempauthdat))))
- return ENOMEM;
+ sizeof(*tempauthdat))))
+ return ENOMEM;
if (inauthdat1) {
- for (nelems = 0; inauthdat1[nelems]; nelems++) {
- retval = krb5_copy_authdatum(context, inauthdat1[nelems],
- &tempauthdat[nelems]);
- if (retval) {
- krb5_free_authdata(context, tempauthdat);
- return retval;
- }
- }
+ for (nelems = 0; inauthdat1[nelems]; nelems++) {
+ retval = krb5_copy_authdatum(context, inauthdat1[nelems],
+ &tempauthdat[nelems]);
+ if (retval) {
+ krb5_free_authdata(context, tempauthdat);
+ return retval;
+ }
+ }
}
if (inauthdat2) {
- for (nelems2 = 0; inauthdat2[nelems2]; nelems2++) {
- retval = krb5_copy_authdatum(context, inauthdat2[nelems2],
- &tempauthdat[nelems++]);
- if (retval) {
- krb5_free_authdata(context, tempauthdat);
- return retval;
- }
- }
+ for (nelems2 = 0; inauthdat2[nelems2]; nelems2++) {
+ retval = krb5_copy_authdatum(context, inauthdat2[nelems2],
+ &tempauthdat[nelems++]);
+ if (retval) {
+ krb5_free_authdata(context, tempauthdat);
+ return retval;
+ }
+ }
}
*outauthdat = tempauthdat;
@@ -128,16 +129,16 @@ krb5_merge_authdata(krb5_context context, krb5_authdata *const *inauthdat1, krb5
krb5_error_code KRB5_CALLCONV
krb5_copy_authdata(krb5_context context,
- krb5_authdata *const *in_authdat, krb5_authdata ***out)
+ krb5_authdata *const *in_authdat, krb5_authdata ***out)
{
return krb5_merge_authdata(context, in_authdat, NULL, out);
}
krb5_error_code KRB5_CALLCONV
krb5_decode_authdata_container(krb5_context context,
- krb5_authdatatype type,
- const krb5_authdata *container,
- krb5_authdata ***authdata)
+ krb5_authdatatype type,
+ const krb5_authdata *container,
+ krb5_authdata ***authdata)
{
krb5_error_code code;
krb5_data data;
@@ -145,23 +146,23 @@ krb5_decode_authdata_container(krb5_context context,
*authdata = NULL;
if ((container->ad_type & AD_TYPE_FIELD_TYPE_MASK) != type)
- return EINVAL;
+ return EINVAL;
data.length = container->length;
data.data = (char *)container->contents;
code = decode_krb5_authdata(&data, authdata);
if (code)
- return code;
+ return code;
return 0;
}
krb5_error_code KRB5_CALLCONV
krb5_encode_authdata_container(krb5_context context,
- krb5_authdatatype type,
- krb5_authdata *const*authdata,
- krb5_authdata ***container)
+ krb5_authdatatype type,
+ krb5_authdata *const*authdata,
+ krb5_authdata ***container)
{
krb5_error_code code;
krb5_data *data;
@@ -172,7 +173,7 @@ krb5_encode_authdata_container(krb5_context context,
code = encode_krb5_authdata((krb5_authdata * const *)authdata, &data);
if (code)
- return code;
+ return code;
ad_datum.ad_type = type & AD_TYPE_FIELD_TYPE_MASK;
ad_datum.length = data->length;
@@ -189,67 +190,67 @@ krb5_encode_authdata_container(krb5_context context,
}
struct find_authdata_context {
- krb5_authdata **out;
- size_t space;
- size_t length;
+ krb5_authdata **out;
+ size_t space;
+ size_t length;
};
static krb5_error_code grow_find_authdata
(krb5_context context, struct find_authdata_context *fctx,
krb5_authdata *elem)
{
- krb5_error_code retval = 0;
- if (fctx->length == fctx->space) {
- krb5_authdata **new;
- if (fctx->space >= 256) {
- krb5_set_error_message(context, ERANGE, "More than 256 authdata matched a query");
- return ERANGE;
+ krb5_error_code retval = 0;
+ if (fctx->length == fctx->space) {
+ krb5_authdata **new;
+ if (fctx->space >= 256) {
+ krb5_set_error_message(context, ERANGE, "More than 256 authdata matched a query");
+ return ERANGE;
+ }
+ new = realloc(fctx->out,
+ sizeof (krb5_authdata *)*(2*fctx->space+1));
+ if (new == NULL)
+ return ENOMEM;
+ fctx->out = new;
+ fctx->space *=2;
}
- new = realloc(fctx->out,
- sizeof (krb5_authdata *)*(2*fctx->space+1));
- if (new == NULL)
- return ENOMEM;
- fctx->out = new;
- fctx->space *=2;
- }
- fctx->out[fctx->length+1] = NULL;
- retval = krb5_copy_authdatum(context, elem,
- &fctx->out[fctx->length]);
- if (retval == 0)
- fctx->length++;
- return retval;
+ fctx->out[fctx->length+1] = NULL;
+ retval = krb5_copy_authdatum(context, elem,
+ &fctx->out[fctx->length]);
+ if (retval == 0)
+ fctx->length++;
+ return retval;
}
-
-
+
+
static krb5_error_code find_authdata_1
(krb5_context context, krb5_authdata *const *in_authdat, krb5_authdatatype ad_type,
struct find_authdata_context *fctx)
{
- int i = 0;
- krb5_error_code retval=0;
-
- for (i = 0; in_authdat[i]; i++) {
- krb5_authdata *ad = in_authdat[i];
- if (ad->ad_type == ad_type && retval ==0)
- retval = grow_find_authdata(context, fctx, ad);
- else switch (ad->ad_type) {
- krb5_authdata **decoded_container;
- case KRB5_AUTHDATA_IF_RELEVANT:
- if (retval == 0)
- retval = krb5_decode_authdata_container( context, ad->ad_type, ad, &decoded_container);
- if (retval == 0) {
- retval = find_authdata_1(context,
- decoded_container, ad_type, fctx);
- krb5_free_authdata(context, decoded_container);
- }
- break;
- default:
- break;
+ int i = 0;
+ krb5_error_code retval=0;
+
+ for (i = 0; in_authdat[i]; i++) {
+ krb5_authdata *ad = in_authdat[i];
+ if (ad->ad_type == ad_type && retval ==0)
+ retval = grow_find_authdata(context, fctx, ad);
+ else switch (ad->ad_type) {
+ krb5_authdata **decoded_container;
+ case KRB5_AUTHDATA_IF_RELEVANT:
+ if (retval == 0)
+ retval = krb5_decode_authdata_container( context, ad->ad_type, ad, &decoded_container);
+ if (retval == 0) {
+ retval = find_authdata_1(context,
+ decoded_container, ad_type, fctx);
+ krb5_free_authdata(context, decoded_container);
+ }
+ break;
+ default:
+ break;
+ }
}
- }
- return retval;
+ return retval;
}
@@ -259,30 +260,30 @@ krb5_error_code krb5int_find_authdata
krb5_authdatatype ad_type,
krb5_authdata ***results)
{
- krb5_error_code retval = 0;
- struct find_authdata_context fctx;
- fctx.length = 0;
- fctx.space = 2;
- fctx.out = calloc(fctx.space+1, sizeof (krb5_authdata *));
- *results = NULL;
- if (fctx.out == NULL)
- return ENOMEM;
- if (ticket_authdata)
- retval = find_authdata_1( context, ticket_authdata, ad_type, &fctx);
- if ((retval==0) && ap_req_authdata)
- retval = find_authdata_1( context, ap_req_authdata, ad_type, &fctx);
- if ((retval== 0) && fctx.length)
- *results = fctx.out;
- else krb5_free_authdata(context, fctx.out);
- return retval;
+ krb5_error_code retval = 0;
+ struct find_authdata_context fctx;
+ fctx.length = 0;
+ fctx.space = 2;
+ fctx.out = calloc(fctx.space+1, sizeof (krb5_authdata *));
+ *results = NULL;
+ if (fctx.out == NULL)
+ return ENOMEM;
+ if (ticket_authdata)
+ retval = find_authdata_1( context, ticket_authdata, ad_type, &fctx);
+ if ((retval==0) && ap_req_authdata)
+ retval = find_authdata_1( context, ap_req_authdata, ad_type, &fctx);
+ if ((retval== 0) && fctx.length)
+ *results = fctx.out;
+ else krb5_free_authdata(context, fctx.out);
+ return retval;
}
krb5_error_code KRB5_CALLCONV
krb5_make_authdata_kdc_issued(krb5_context context,
- const krb5_keyblock *key,
- krb5_const_principal issuer,
- krb5_authdata *const *authdata,
- krb5_authdata ***ad_kdcissued)
+ const krb5_keyblock *key,
+ krb5_const_principal issuer,
+ krb5_authdata *const *authdata,
+ krb5_authdata ***ad_kdcissued)
{
krb5_error_code code;
krb5_ad_kdcissued ad_kdci;
@@ -337,10 +338,10 @@ krb5_make_authdata_kdc_issued(krb5_context context,
krb5_error_code KRB5_CALLCONV
krb5_verify_authdata_kdc_issued(krb5_context context,
- const krb5_keyblock *key,
- const krb5_authdata *ad_kdcissued,
- krb5_principal *issuer,
- krb5_authdata ***authdata)
+ const krb5_keyblock *key,
+ const krb5_authdata *ad_kdcissued,
+ krb5_principal *issuer,
+ krb5_authdata ***authdata)
{
krb5_error_code code;
krb5_ad_kdcissued *ad_kdci;
@@ -348,8 +349,8 @@ krb5_verify_authdata_kdc_issued(krb5_context context,
krb5_boolean valid = FALSE;
if ((ad_kdcissued->ad_type & AD_TYPE_FIELD_TYPE_MASK) !=
- KRB5_AUTHDATA_KDC_ISSUED)
- return EINVAL;
+ KRB5_AUTHDATA_KDC_ISSUED)
+ return EINVAL;
if (issuer != NULL)
*issuer = NULL;
@@ -399,4 +400,3 @@ krb5_verify_authdata_kdc_issued(krb5_context context,
return 0;
}
-
diff --git a/src/lib/krb5/krb/copy_cksum.c b/src/lib/krb5/krb/copy_cksum.c
index c7c1b161c..68822d213 100644
--- a/src/lib/krb5/krb/copy_cksum.c
+++ b/src/lib/krb5/krb/copy_cksum.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/copy_cksum.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_copy_checksum()
*/
@@ -35,12 +36,12 @@ krb5_copy_checksum(krb5_context context, const krb5_checksum *ckfrom, krb5_check
krb5_checksum *tempto;
if (!(tempto = (krb5_checksum *)malloc(sizeof(*tempto))))
- return ENOMEM;
+ return ENOMEM;
*tempto = *ckfrom;
if (!(tempto->contents = (krb5_octet *)malloc(tempto->length))) {
- free(tempto);
- return ENOMEM;
+ free(tempto);
+ return ENOMEM;
}
memcpy(tempto->contents, ckfrom->contents, ckfrom->length);
diff --git a/src/lib/krb5/krb/copy_creds.c b/src/lib/krb5/krb/copy_creds.c
index e6fece383..0e1a814cc 100644
--- a/src/lib/krb5/krb/copy_creds.c
+++ b/src/lib/krb5/krb/copy_creds.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/copy_creds.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_copy_cred()
*/
@@ -40,13 +41,13 @@ krb5_copy_creds(krb5_context context, const krb5_creds *incred, krb5_creds **out
krb5_error_code retval;
if (!(tempcred = (krb5_creds *)malloc(sizeof(*tempcred))))
- return ENOMEM;
+ return ENOMEM;
retval = krb5int_copy_creds_contents(context, incred, tempcred);
if (retval)
- free(tempcred);
+ free(tempcred);
else
- *outcred = tempcred;
+ *outcred = tempcred;
return retval;
}
@@ -58,7 +59,7 @@ krb5_copy_creds(krb5_context context, const krb5_creds *incred, krb5_creds **out
*/
krb5_error_code
krb5int_copy_creds_contents(krb5_context context, const krb5_creds *incred,
- krb5_creds *tempcred)
+ krb5_creds *tempcred)
{
krb5_error_code retval;
krb5_data *scratch;
@@ -66,25 +67,25 @@ krb5int_copy_creds_contents(krb5_context context, const krb5_creds *incred,
*tempcred = *incred;
retval = krb5_copy_principal(context, incred->client, &tempcred->client);
if (retval)
- goto cleanlast;
+ goto cleanlast;
retval = krb5_copy_principal(context, incred->server, &tempcred->server);
if (retval)
- goto cleanclient;
+ goto cleanclient;
retval = krb5_copy_keyblock_contents(context, &incred->keyblock,
- &tempcred->keyblock);
+ &tempcred->keyblock);
if (retval)
- goto cleanserver;
+ goto cleanserver;
retval = krb5_copy_addresses(context, incred->addresses, &tempcred->addresses);
if (retval)
- goto cleanblock;
+ goto cleanblock;
retval = krb5_copy_data(context, &incred->ticket, &scratch);
if (retval)
- goto cleanaddrs;
+ goto cleanaddrs;
tempcred->ticket = *scratch;
free(scratch);
retval = krb5_copy_data(context, &incred->second_ticket, &scratch);
if (retval)
- goto clearticket;
+ goto clearticket;
tempcred->second_ticket = *scratch;
free(scratch);
@@ -95,22 +96,22 @@ krb5int_copy_creds_contents(krb5_context context, const krb5_creds *incred,
return 0;
- clearsecondticket:
+clearsecondticket:
memset(tempcred->second_ticket.data,0,tempcred->second_ticket.length);
free(tempcred->second_ticket.data);
- clearticket:
+clearticket:
memset(tempcred->ticket.data,0,tempcred->ticket.length);
free(tempcred->ticket.data);
- cleanaddrs:
+cleanaddrs:
krb5_free_addresses(context, tempcred->addresses);
- cleanblock:
+cleanblock:
free(tempcred->keyblock.contents);
- cleanserver:
+cleanserver:
krb5_free_principal(context, tempcred->server);
- cleanclient:
+cleanclient:
krb5_free_principal(context, tempcred->client);
- cleanlast:
- /* Do not free tempcred - we did not allocate it - its contents are
+cleanlast:
+ /* Do not free tempcred - we did not allocate it - its contents are
garbage - but we should not free it */
return retval;
}
diff --git a/src/lib/krb5/krb/copy_data.c b/src/lib/krb5/krb/copy_data.c
index 4896e8804..fa4b6ed7c 100644
--- a/src/lib/krb5/krb/copy_data.c
+++ b/src/lib/krb5/krb/copy_data.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/copy_data.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_copy_data()
*/
@@ -39,38 +40,38 @@ krb5_copy_data(krb5_context context, const krb5_data *indata, krb5_data **outdat
krb5_error_code retval;
if (!indata) {
- *outdata = 0;
- return 0;
+ *outdata = 0;
+ return 0;
}
-
+
if (!(tempdata = (krb5_data *)malloc(sizeof(*tempdata))))
- return ENOMEM;
+ return ENOMEM;
retval = krb5int_copy_data_contents(context, indata, tempdata);
if (retval) {
- free(tempdata);
- return retval;
+ free(tempdata);
+ return retval;
}
*outdata = tempdata;
return 0;
}
-krb5_error_code
+krb5_error_code
krb5int_copy_data_contents(krb5_context context, const krb5_data *indata, krb5_data *outdata)
{
if (!indata) {
- return EINVAL;
+ return EINVAL;
}
outdata->length = indata->length;
if (outdata->length) {
- if (!(outdata->data = malloc(outdata->length))) {
- return ENOMEM;
- }
- memcpy(outdata->data, indata->data, outdata->length);
+ if (!(outdata->data = malloc(outdata->length))) {
+ return ENOMEM;
+ }
+ memcpy(outdata->data, indata->data, outdata->length);
} else
- outdata->data = 0;
+ outdata->data = 0;
outdata->magic = KV5M_DATA;
return 0;
@@ -79,16 +80,16 @@ krb5int_copy_data_contents(krb5_context context, const krb5_data *indata, krb5_d
/* As above, but add an (uncounted) extra byte at the end to
null-terminate the data so it can be used as a standard C
string. */
-krb5_error_code
+krb5_error_code
krb5int_copy_data_contents_add0(krb5_context context, const krb5_data *indata, krb5_data *outdata)
{
if (!indata)
- return EINVAL;
+ return EINVAL;
outdata->length = indata->length;
if (!(outdata->data = malloc(outdata->length + 1)))
- return ENOMEM;
+ return ENOMEM;
if (outdata->length)
- memcpy(outdata->data, indata->data, outdata->length);
+ memcpy(outdata->data, indata->data, outdata->length);
outdata->data[outdata->length] = 0;
outdata->magic = KV5M_DATA;
diff --git a/src/lib/krb5/krb/copy_key.c b/src/lib/krb5/krb/copy_key.c
index 4772c58c1..532cced46 100644
--- a/src/lib/krb5/krb/copy_key.c
+++ b/src/lib/krb5/krb/copy_key.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/copy_key.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_copy_keyblock()
*/
diff --git a/src/lib/krb5/krb/copy_princ.c b/src/lib/krb5/krb/copy_princ.c
index 4e168b002..b7badefa2 100644
--- a/src/lib/krb5/krb/copy_princ.c
+++ b/src/lib/krb5/krb/copy_princ.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/copy_princ.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_copy_principal()
*/
@@ -41,7 +42,7 @@ krb5_copy_principal(krb5_context context, krb5_const_principal inprinc, krb5_pri
tempprinc = (krb5_principal)malloc(sizeof(krb5_principal_data));
if (tempprinc == 0)
- return ENOMEM;
+ return ENOMEM;
*tempprinc = *inprinc;
@@ -49,29 +50,29 @@ krb5_copy_principal(krb5_context context, krb5_const_principal inprinc, krb5_pri
tempprinc->data = malloc(nelems * sizeof(krb5_data));
if (tempprinc->data == 0) {
- free(tempprinc);
- return ENOMEM;
+ free(tempprinc);
+ return ENOMEM;
}
for (i = 0; i < nelems; i++) {
- if (krb5int_copy_data_contents(context,
- krb5_princ_component(context, inprinc, i),
- krb5_princ_component(context, tempprinc, i)) != 0) {
- while (--i >= 0)
- free(krb5_princ_component(context, tempprinc, i)->data);
- free (tempprinc->data);
- free (tempprinc);
- return ENOMEM;
+ if (krb5int_copy_data_contents(context,
+ krb5_princ_component(context, inprinc, i),
+ krb5_princ_component(context, tempprinc, i)) != 0) {
+ while (--i >= 0)
+ free(krb5_princ_component(context, tempprinc, i)->data);
+ free (tempprinc->data);
+ free (tempprinc);
+ return ENOMEM;
}
}
if (krb5int_copy_data_contents_add0(context, &inprinc->realm,
- &tempprinc->realm) != 0) {
+ &tempprinc->realm) != 0) {
for (i = 0; i < nelems; i++)
- free(krb5_princ_component(context, tempprinc, i)->data);
- free(tempprinc->data);
- free(tempprinc);
- return ENOMEM;
+ free(krb5_princ_component(context, tempprinc, i)->data);
+ free(tempprinc->data);
+ free(tempprinc);
+ return ENOMEM;
}
*outprinc = tempprinc;
diff --git a/src/lib/krb5/krb/copy_tick.c b/src/lib/krb5/krb/copy_tick.c
index 1dc3362d0..1fd3e681c 100644
--- a/src/lib/krb5/krb/copy_tick.c
+++ b/src/lib/krb5/krb/copy_tick.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/copy_tick.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_copy_ticket()
*/
@@ -36,56 +37,56 @@ krb5_copy_enc_tkt_part(krb5_context context, const krb5_enc_tkt_part *partfrom,
krb5_enc_tkt_part *tempto;
if (!(tempto = (krb5_enc_tkt_part *)malloc(sizeof(*tempto))))
- return ENOMEM;
+ return ENOMEM;
*tempto = *partfrom;
retval = krb5_copy_keyblock(context, partfrom->session,
- &tempto->session);
+ &tempto->session);
if (retval) {
- free(tempto);
- return retval;
+ free(tempto);
+ return retval;
}
retval = krb5_copy_principal(context, partfrom->client, &tempto->client);
if (retval) {
- krb5_free_keyblock(context, tempto->session);
- free(tempto);
- return retval;
+ krb5_free_keyblock(context, tempto->session);
+ free(tempto);
+ return retval;
}
tempto->transited = partfrom->transited;
if (tempto->transited.tr_contents.length == 0) {
- tempto->transited.tr_contents.data = 0;
+ tempto->transited.tr_contents.data = 0;
} else {
- tempto->transited.tr_contents.data =
- malloc(partfrom->transited.tr_contents.length);
- if (!tempto->transited.tr_contents.data) {
- krb5_free_principal(context, tempto->client);
- krb5_free_keyblock(context, tempto->session);
- free(tempto);
- return ENOMEM;
- }
- memcpy(tempto->transited.tr_contents.data,
- (char *)partfrom->transited.tr_contents.data,
- partfrom->transited.tr_contents.length);
+ tempto->transited.tr_contents.data =
+ malloc(partfrom->transited.tr_contents.length);
+ if (!tempto->transited.tr_contents.data) {
+ krb5_free_principal(context, tempto->client);
+ krb5_free_keyblock(context, tempto->session);
+ free(tempto);
+ return ENOMEM;
+ }
+ memcpy(tempto->transited.tr_contents.data,
+ (char *)partfrom->transited.tr_contents.data,
+ partfrom->transited.tr_contents.length);
}
retval = krb5_copy_addresses(context, partfrom->caddrs, &tempto->caddrs);
if (retval) {
- free(tempto->transited.tr_contents.data);
- krb5_free_principal(context, tempto->client);
- krb5_free_keyblock(context, tempto->session);
- free(tempto);
- return retval;
+ free(tempto->transited.tr_contents.data);
+ krb5_free_principal(context, tempto->client);
+ krb5_free_keyblock(context, tempto->session);
+ free(tempto);
+ return retval;
}
if (partfrom->authorization_data) {
- retval = krb5_copy_authdata(context, partfrom->authorization_data,
- &tempto->authorization_data);
- if (retval) {
- krb5_free_addresses(context, tempto->caddrs);
- free(tempto->transited.tr_contents.data);
- krb5_free_principal(context, tempto->client);
- krb5_free_keyblock(context, tempto->session);
- free(tempto);
- return retval;
- }
+ retval = krb5_copy_authdata(context, partfrom->authorization_data,
+ &tempto->authorization_data);
+ if (retval) {
+ krb5_free_addresses(context, tempto->caddrs);
+ free(tempto->transited.tr_contents.data);
+ krb5_free_principal(context, tempto->client);
+ krb5_free_keyblock(context, tempto->session);
+ free(tempto);
+ return retval;
+ }
}
*partto = tempto;
return 0;
@@ -99,28 +100,28 @@ krb5_copy_ticket(krb5_context context, const krb5_ticket *from, krb5_ticket **pt
krb5_data *scratch;
if (!(tempto = (krb5_ticket *)malloc(sizeof(*tempto))))
- return ENOMEM;
+ return ENOMEM;
*tempto = *from;
retval = krb5_copy_principal(context, from->server, &tempto->server);
if (retval) {
- free(tempto);
- return retval;
+ free(tempto);
+ return retval;
}
retval = krb5_copy_data(context, &from->enc_part.ciphertext, &scratch);
if (retval) {
- krb5_free_principal(context, tempto->server);
- free(tempto);
- return retval;
+ krb5_free_principal(context, tempto->server);
+ free(tempto);
+ return retval;
}
tempto->enc_part.ciphertext = *scratch;
free(scratch);
retval = krb5_copy_enc_tkt_part(context, from->enc_part2, &tempto->enc_part2);
if (retval) {
- free(tempto->enc_part.ciphertext.data);
- krb5_free_principal(context, tempto->server);
- free(tempto);
- return retval;
- }
+ free(tempto->enc_part.ciphertext.data);
+ krb5_free_principal(context, tempto->server);
+ free(tempto);
+ return retval;
+ }
*pto = tempto;
return 0;
}
diff --git a/src/lib/krb5/krb/cp_key_cnt.c b/src/lib/krb5/krb/cp_key_cnt.c
index 74efb5ef1..2f97dbd0c 100644
--- a/src/lib/krb5/krb/cp_key_cnt.c
+++ b/src/lib/krb5/krb/cp_key_cnt.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/cp_key_cnt.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_copy_keyblock()
*/
diff --git a/src/lib/krb5/krb/decode_kdc.c b/src/lib/krb5/krb/decode_kdc.c
index 689e2a241..19451eea4 100644
--- a/src/lib/krb5/krb/decode_kdc.c
+++ b/src/lib/krb5/krb/decode_kdc.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/decode_kdc.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_decode_kdc_rep() function.
*/
@@ -30,41 +31,40 @@
#include "k5-int.h"
/*
- Takes a KDC_REP message and decrypts encrypted part using etype and
- *key, putting result in *rep.
- dec_rep->client,ticket,session,last_req,server,caddrs
- are all set to allocated storage which should be freed by the caller
- when finished with the response.
+ Takes a KDC_REP message and decrypts encrypted part using etype and
+ *key, putting result in *rep.
+ dec_rep->client,ticket,session,last_req,server,caddrs
+ are all set to allocated storage which should be freed by the caller
+ when finished with the response.
- If the response isn't a KDC_REP (tgs or as), it returns an error from
- the decoding routines.
+ If the response isn't a KDC_REP (tgs or as), it returns an error from
+ the decoding routines.
- returns errors from encryption routines, system errors
- */
+ returns errors from encryption routines, system errors
+*/
krb5_error_code
krb5int_decode_tgs_rep(krb5_context context, krb5_data *enc_rep, const krb5_keyblock *key,
- krb5_keyusage usage, krb5_kdc_rep **dec_rep)
+ krb5_keyusage usage, krb5_kdc_rep **dec_rep)
{
krb5_error_code retval;
krb5_kdc_rep *local_dec_rep;
if (krb5_is_as_rep(enc_rep)) {
- retval = decode_krb5_as_rep(enc_rep, &local_dec_rep);
+ retval = decode_krb5_as_rep(enc_rep, &local_dec_rep);
} else if (krb5_is_tgs_rep(enc_rep)) {
- retval = decode_krb5_tgs_rep(enc_rep, &local_dec_rep);
+ retval = decode_krb5_tgs_rep(enc_rep, &local_dec_rep);
} else {
- return KRB5KRB_AP_ERR_MSG_TYPE;
+ return KRB5KRB_AP_ERR_MSG_TYPE;
}
if (retval)
- return retval;
+ return retval;
if ((retval = krb5_kdc_rep_decrypt_proc(context, key, &usage,
- local_dec_rep)))
- krb5_free_kdc_rep(context, local_dec_rep);
+ local_dec_rep)))
+ krb5_free_kdc_rep(context, local_dec_rep);
else
- *dec_rep = local_dec_rep;
+ *dec_rep = local_dec_rep;
return(retval);
}
-
diff --git a/src/lib/krb5/krb/decrypt_tk.c b/src/lib/krb5/krb/decrypt_tk.c
index 36ecbb45b..c06353b9e 100644
--- a/src/lib/krb5/krb/decrypt_tk.c
+++ b/src/lib/krb5/krb/decrypt_tk.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/decrypt_tk.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_decrypt_tkt_part() function.
*/
@@ -30,11 +31,11 @@
#include "k5-int.h"
/*
- Decrypts dec_ticket->enc_part
- using *srv_key, and places result in dec_ticket->enc_part2.
- The storage of dec_ticket->enc_part2 will be allocated before return.
+ Decrypts dec_ticket->enc_part
+ using *srv_key, and places result in dec_ticket->enc_part2.
+ The storage of dec_ticket->enc_part2 will be allocated before return.
- returns errors from encryption routines, system errors
+ returns errors from encryption routines, system errors
*/
@@ -46,27 +47,27 @@ krb5_decrypt_tkt_part(krb5_context context, const krb5_keyblock *srv_key, regist
krb5_error_code retval;
if (!krb5_c_valid_enctype(ticket->enc_part.enctype))
- return KRB5_PROG_ETYPE_NOSUPP;
+ return KRB5_PROG_ETYPE_NOSUPP;
scratch.length = ticket->enc_part.ciphertext.length;
if (!(scratch.data = malloc(ticket->enc_part.ciphertext.length)))
- return(ENOMEM);
+ return(ENOMEM);
/* call the encryption routine */
if ((retval = krb5_c_decrypt(context, srv_key,
- KRB5_KEYUSAGE_KDC_REP_TICKET, 0,
- &ticket->enc_part, &scratch))) {
- free(scratch.data);
- return retval;
+ KRB5_KEYUSAGE_KDC_REP_TICKET, 0,
+ &ticket->enc_part, &scratch))) {
+ free(scratch.data);
+ return retval;
}
-#define clean_scratch() {memset(scratch.data, 0, scratch.length); \
-free(scratch.data);}
+#define clean_scratch() {memset(scratch.data, 0, scratch.length); \
+ free(scratch.data);}
/* now decode the decrypted stuff */
retval = decode_krb5_enc_tkt_part(&scratch, &dec_tkt_part);
if (!retval) {
- ticket->enc_part2 = dec_tkt_part;
+ ticket->enc_part2 = dec_tkt_part;
}
clean_scratch();
return retval;
diff --git a/src/lib/krb5/krb/deltat.c b/src/lib/krb5/krb/deltat.c
index 2541591f8..36c0d0e95 100644
--- a/src/lib/krb5/krb/deltat.c
+++ b/src/lib/krb5/krb/deltat.c
@@ -95,14 +95,14 @@ struct param {
#define MAX_MIN (MAX_TIME / 60)
#define MIN_MIN (MIN_TIME / 60)
-/* An explanation of the tests being performed.
- We do not want to overflow a 32 bit integer with out manipulations,
+/* An explanation of the tests being performed.
+ We do not want to overflow a 32 bit integer with out manipulations,
even for testing for overflow. Therefore we rely on the following:
The lex parser will not return a number > MAX_TIME (which is out 32
bit limit).
- Therefore, seconds (s) will require
+ Therefore, seconds (s) will require
MIN_TIME < s < MAX_TIME
For subsequent tests, the logic is as follows:
@@ -110,7 +110,7 @@ struct param {
If A < MAX_TIME and B < MAX_TIME
If we want to test if A+B < MAX_TIME, there are two cases
- if (A > 0)
+ if (A > 0)
then A + B < MAX_TIME if B < MAX_TIME - A
else A + B < MAX_TIME always.
@@ -131,7 +131,7 @@ struct param {
res = (a) + (b)
-#define OUT_D ((struct param *)tmv)->delta
+#define OUT_D ((struct param *)tmv)->delta
#define DO(D,H,M,S) \
{ \
/* Overflow testing - this does not handle negative values well.. */ \
@@ -1420,10 +1420,10 @@ mylex (krb5_int32 *intp, char **pp)
/* XXX assumes ASCII */
num = c - '0';
while (isdigit ((int) *P)) {
- if (num > MAX_TIME / 10)
+ if (num > MAX_TIME / 10)
return OVERFLOW;
num *= 10;
- if (num > MAX_TIME - (*P - '0'))
+ if (num > MAX_TIME - (*P - '0'))
return OVERFLOW;
num += *P++ - '0';
}
@@ -1451,5 +1451,3 @@ krb5_string_to_deltat(char *string, krb5_deltat *deltatp)
*deltatp = p.delta;
return 0;
}
-
-
diff --git a/src/lib/krb5/krb/enc_helper.c b/src/lib/krb5/krb/enc_helper.c
index 01324d014..41d2f00f7 100644
--- a/src/lib/krb5/krb/enc_helper.c
+++ b/src/lib/krb5/krb/enc_helper.c
@@ -1,13 +1,14 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* Copyright (C) 1998 by the FundsXpress, INC.
- *
+ *
* All rights reserved.
- *
+ *
* Export of this software from the United States of America may require
* a specific license from the United States Government. It is the
* responsibility of any person or organization contemplating export to
* obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -18,7 +19,7 @@
* permission. FundsXpress makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
@@ -33,24 +34,24 @@ krb5_encrypt_helper(krb5_context context, const krb5_keyblock *key, krb5_keyusag
size_t enclen;
if ((ret = krb5_c_encrypt_length(context, key->enctype, plain->length,
- &enclen)))
- return(ret);
+ &enclen)))
+ return(ret);
cipher->ciphertext.length = enclen;
if ((cipher->ciphertext.data = (char *) malloc(enclen)) == NULL)
- return(ENOMEM);
+ return(ENOMEM);
ret = krb5_c_encrypt(context, key, usage, 0, plain, cipher);
if (ret) {
- free(cipher->ciphertext.data);
- cipher->ciphertext.data = NULL;
+ free(cipher->ciphertext.data);
+ cipher->ciphertext.data = NULL;
}
return(ret);
}
-
+
krb5_error_code
krb5_encrypt_keyhelper(krb5_context context, krb5_key key, krb5_keyusage usage,
- const krb5_data *plain, krb5_enc_data *cipher)
+ const krb5_data *plain, krb5_enc_data *cipher)
{
krb5_enctype enctype;
krb5_error_code ret;
@@ -59,16 +60,16 @@ krb5_encrypt_keyhelper(krb5_context context, krb5_key key, krb5_keyusage usage,
enctype = krb5_k_key_enctype(context, key);
ret = krb5_c_encrypt_length(context, enctype, plain->length, &enclen);
if (ret != 0)
- return ret;
+ return ret;
cipher->ciphertext.length = enclen;
cipher->ciphertext.data = malloc(enclen);
if (cipher->ciphertext.data == NULL)
- return ENOMEM;
+ return ENOMEM;
ret = krb5_k_encrypt(context, key, usage, 0, plain, cipher);
if (ret) {
- free(cipher->ciphertext.data);
- cipher->ciphertext.data = NULL;
+ free(cipher->ciphertext.data);
+ cipher->ciphertext.data = NULL;
}
return ret;
diff --git a/src/lib/krb5/krb/encode_kdc.c b/src/lib/krb5/krb/encode_kdc.c
index 8b879c015..c86bd4cd5 100644
--- a/src/lib/krb5/krb/encode_kdc.c
+++ b/src/lib/krb5/krb/encode_kdc.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/encode_kdc.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_encode_kdc_rep() function.
*/
@@ -30,24 +31,24 @@
#include "k5-int.h"
/*
- Takes KDC rep parts in *rep and *encpart, and formats it into *enc_rep,
- using message type type and encryption key client_key and encryption type
- etype.
+ Takes KDC rep parts in *rep and *encpart, and formats it into *enc_rep,
+ using message type type and encryption key client_key and encryption type
+ etype.
- The string *enc_rep will be allocated before formatting; the caller should
- free when finished.
+ The string *enc_rep will be allocated before formatting; the caller should
+ free when finished.
- returns system errors
+ returns system errors
- dec_rep->enc_part.ciphertext is allocated and filled in.
+ dec_rep->enc_part.ciphertext is allocated and filled in.
*/
/* due to argument promotion rules, we need to use the DECLARG/OLDDECLARG
stuff... */
krb5_error_code
krb5_encode_kdc_rep(krb5_context context, krb5_msgtype type,
- const krb5_enc_kdc_rep_part *encpart,
- int using_subkey, const krb5_keyblock *client_key,
- krb5_kdc_rep *dec_rep, krb5_data **enc_rep)
+ const krb5_enc_kdc_rep_part *encpart,
+ int using_subkey, const krb5_keyblock *client_key,
+ krb5_kdc_rep *dec_rep, krb5_data **enc_rep)
{
krb5_data *scratch;
krb5_error_code retval;
@@ -55,27 +56,27 @@ krb5_encode_kdc_rep(krb5_context context, krb5_msgtype type,
krb5_keyusage usage;
if (!krb5_c_valid_enctype(dec_rep->enc_part.enctype))
- return KRB5_PROG_ETYPE_NOSUPP;
+ return KRB5_PROG_ETYPE_NOSUPP;
switch (type) {
case KRB5_AS_REP:
- usage = KRB5_KEYUSAGE_AS_REP_ENCPART;
- break;
+ usage = KRB5_KEYUSAGE_AS_REP_ENCPART;
+ break;
case KRB5_TGS_REP:
- if (using_subkey)
- usage = KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY;
- else
- usage = KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY;
- break;
+ if (using_subkey)
+ usage = KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY;
+ else
+ usage = KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY;
+ break;
default:
- return KRB5_BADMSGTYPE;
+ return KRB5_BADMSGTYPE;
}
/*
* We don't want to modify encpart, but we need to be able to pass
* in the message type to the encoder, so it can set the ASN.1
* type correct.
- *
+ *
* Although note that it may be doing nothing with the message
* type, to be compatible with old versions of Kerberos that always
* encode this as a TGS_REP regardly of what it really should be;
@@ -88,41 +89,41 @@ krb5_encode_kdc_rep(krb5_context context, krb5_msgtype type,
tmp_encpart.msg_type = type;
retval = encode_krb5_enc_kdc_rep_part(&tmp_encpart, &scratch);
if (retval) {
- return retval;
+ return retval;
}
memset(&tmp_encpart, 0, sizeof(tmp_encpart));
#define cleanup_scratch() { (void) memset(scratch->data, 0, scratch->length); \
-krb5_free_data(context, scratch); }
+ krb5_free_data(context, scratch); }
retval = krb5_encrypt_helper(context, client_key, usage, scratch,
- &dec_rep->enc_part);
+ &dec_rep->enc_part);
-#define cleanup_encpart() { \
-(void) memset(dec_rep->enc_part.ciphertext.data, 0, \
- dec_rep->enc_part.ciphertext.length); \
-free(dec_rep->enc_part.ciphertext.data); \
-dec_rep->enc_part.ciphertext.length = 0; \
-dec_rep->enc_part.ciphertext.data = 0;}
+#define cleanup_encpart() { \
+ (void) memset(dec_rep->enc_part.ciphertext.data, 0, \
+ dec_rep->enc_part.ciphertext.length); \
+ free(dec_rep->enc_part.ciphertext.data); \
+ dec_rep->enc_part.ciphertext.length = 0; \
+ dec_rep->enc_part.ciphertext.data = 0;}
cleanup_scratch();
if (retval)
- return(retval);
+ return(retval);
/* now it's ready to be encoded for the wire! */
switch (type) {
case KRB5_AS_REP:
- retval = encode_krb5_as_rep(dec_rep, enc_rep);
- break;
+ retval = encode_krb5_as_rep(dec_rep, enc_rep);
+ break;
case KRB5_TGS_REP:
- retval = encode_krb5_tgs_rep(dec_rep, enc_rep);
- break;
+ retval = encode_krb5_tgs_rep(dec_rep, enc_rep);
+ break;
}
if (retval)
- cleanup_encpart();
+ cleanup_encpart();
return retval;
}
diff --git a/src/lib/krb5/krb/encrypt_tk.c b/src/lib/krb5/krb/encrypt_tk.c
index ed2b8c1b8..acf9c6fa4 100644
--- a/src/lib/krb5/krb/encrypt_tk.c
+++ b/src/lib/krb5/krb/encrypt_tk.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/encrypt_tk.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_encrypt_tkt_part() routine.
*/
@@ -30,15 +31,15 @@
#include "k5-int.h"
/*
- Takes unencrypted dec_ticket & dec_tkt_part, encrypts with
- dec_ticket->enc_part.etype
- using *srv_key, and places result in dec_ticket->enc_part.
- The string dec_ticket->enc_part.ciphertext will be allocated before
- formatting.
+ Takes unencrypted dec_ticket & dec_tkt_part, encrypts with
+ dec_ticket->enc_part.etype
+ using *srv_key, and places result in dec_ticket->enc_part.
+ The string dec_ticket->enc_part.ciphertext will be allocated before
+ formatting.
- returns errors from encryption routines, system errors
+ returns errors from encryption routines, system errors
- enc_part->ciphertext.data allocated & filled in with encrypted stuff
+ enc_part->ciphertext.data allocated & filled in with encrypted stuff
*/
krb5_error_code
@@ -50,16 +51,16 @@ krb5_encrypt_tkt_part(krb5_context context, const krb5_keyblock *srv_key, regist
/* start by encoding the to-be-encrypted part. */
if ((retval = encode_krb5_enc_tkt_part(dec_tkt_part, &scratch))) {
- return retval;
+ return retval;
}
#define cleanup_scratch() { (void) memset(scratch->data, 0, scratch->length); \
-krb5_free_data(context, scratch); }
+ krb5_free_data(context, scratch); }
/* call the encryption routine */
retval = krb5_encrypt_helper(context, srv_key,
- KRB5_KEYUSAGE_KDC_REP_TICKET, scratch,
- &dec_ticket->enc_part);
+ KRB5_KEYUSAGE_KDC_REP_TICKET, scratch,
+ &dec_ticket->enc_part);
cleanup_scratch();
diff --git a/src/lib/krb5/krb/fast.c b/src/lib/krb5/krb/fast.c
index 381173d5c..ae5602cde 100644
--- a/src/lib/krb5/krb/fast.c
+++ b/src/lib/krb5/krb/fast.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/fast.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,8 +23,8 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
- *
+ *
+ *
*
*/
@@ -66,65 +67,65 @@ static krb5_error_code fast_armor_ap_request
memset(&creds, 0, sizeof(creds));
retval = krb5_tgtname(context, target_realm, target_realm, &creds.server);
if (retval ==0)
- retval = krb5_cc_get_principal(context, ccache, &creds.client);
+ retval = krb5_cc_get_principal(context, ccache, &creds.client);
if (retval == 0)
- retval = krb5_get_credentials(context, 0, ccache, &creds, &out_creds);
+ retval = krb5_get_credentials(context, 0, ccache, &creds, &out_creds);
if (retval == 0)
- retval = krb5_mk_req_extended(context, &authcontext, AP_OPTS_USE_SUBKEY, NULL /*data*/,
- out_creds, &encoded_authenticator);
+ retval = krb5_mk_req_extended(context, &authcontext, AP_OPTS_USE_SUBKEY, NULL /*data*/,
+ out_creds, &encoded_authenticator);
if (retval == 0)
- retval = krb5_auth_con_getsendsubkey(context, authcontext, &subkey);
+ retval = krb5_auth_con_getsendsubkey(context, authcontext, &subkey);
if (retval == 0)
- retval = krb5_c_fx_cf2_simple(context, subkey, "subkeyarmor",
- &out_creds->keyblock, "ticketarmor", &armor_key);
+ retval = krb5_c_fx_cf2_simple(context, subkey, "subkeyarmor",
+ &out_creds->keyblock, "ticketarmor", &armor_key);
if (retval == 0) {
- armor = calloc(1, sizeof(krb5_fast_armor));
- if (armor == NULL)
- retval = ENOMEM;
+ armor = calloc(1, sizeof(krb5_fast_armor));
+ if (armor == NULL)
+ retval = ENOMEM;
}
if (retval == 0) {
- armor->armor_type = KRB5_FAST_ARMOR_AP_REQUEST;
- armor->armor_value = encoded_authenticator;
- encoded_authenticator.data = NULL;
- encoded_authenticator.length = 0;
- state->armor = armor;
- armor = NULL;
- state->armor_key = armor_key;
- armor_key = NULL;
+ armor->armor_type = KRB5_FAST_ARMOR_AP_REQUEST;
+ armor->armor_value = encoded_authenticator;
+ encoded_authenticator.data = NULL;
+ encoded_authenticator.length = 0;
+ state->armor = armor;
+ armor = NULL;
+ state->armor_key = armor_key;
+ armor_key = NULL;
}
krb5_free_keyblock(context, armor_key);
krb5_free_keyblock(context, subkey);
if (out_creds)
- krb5_free_creds(context, out_creds);
+ krb5_free_creds(context, out_creds);
krb5_free_cred_contents(context, &creds);
if (encoded_authenticator.data)
- krb5_free_data_contents(context, &encoded_authenticator);
+ krb5_free_data_contents(context, &encoded_authenticator);
krb5_auth_con_free(context, authcontext);
return retval;
}
krb5_error_code
krb5int_fast_prep_req_body(krb5_context context, struct krb5int_fast_request_state *state,
- krb5_kdc_req *request, krb5_data **encoded_request_body)
+ krb5_kdc_req *request, krb5_data **encoded_request_body)
{
krb5_error_code retval = 0;
krb5_data *local_encoded_request_body = NULL;
assert(state != NULL);
*encoded_request_body = NULL;
if (state->armor_key == NULL) {
- return encode_krb5_kdc_req_body(request, encoded_request_body);
+ return encode_krb5_kdc_req_body(request, encoded_request_body);
}
state->fast_outer_request = *request;
state->fast_outer_request.padata = NULL;
if (retval == 0)
- retval = encode_krb5_kdc_req_body(&state->fast_outer_request,
- &local_encoded_request_body);
+ retval = encode_krb5_kdc_req_body(&state->fast_outer_request,
+ &local_encoded_request_body);
if (retval == 0) {
- *encoded_request_body = local_encoded_request_body;
- local_encoded_request_body = NULL;
+ *encoded_request_body = local_encoded_request_body;
+ local_encoded_request_body = NULL;
}
if (local_encoded_request_body != NULL)
- krb5_free_data(context, local_encoded_request_body);
+ krb5_free_data(context, local_encoded_request_body);
return retval;
}
@@ -137,31 +138,31 @@ krb5_error_code krb5int_fast_as_armor
krb5_ccache ccache = NULL;
krb5_clear_error_message(context);
if (opte->opt_private->fast_ccache_name) {
- retval = krb5_cc_resolve(context, opte->opt_private->fast_ccache_name,
- &ccache);
- if (retval==0)
- retval = fast_armor_ap_request(context, state, ccache,
- krb5_princ_realm(context, request->server));
- if (retval != 0) {
- const char * errmsg;
- errmsg = krb5_get_error_message(context, retval);
- if (errmsg) {
- krb5_set_error_message(context, retval, "%s constructing AP-REQ armor", errmsg);
- krb5_free_error_message(context, errmsg);
- }
- }
+ retval = krb5_cc_resolve(context, opte->opt_private->fast_ccache_name,
+ &ccache);
+ if (retval==0)
+ retval = fast_armor_ap_request(context, state, ccache,
+ krb5_princ_realm(context, request->server));
+ if (retval != 0) {
+ const char * errmsg;
+ errmsg = krb5_get_error_message(context, retval);
+ if (errmsg) {
+ krb5_set_error_message(context, retval, "%s constructing AP-REQ armor", errmsg);
+ krb5_free_error_message(context, errmsg);
+ }
+ }
}
if (ccache)
- krb5_cc_close(context, ccache);
+ krb5_cc_close(context, ccache);
return retval;
}
-krb5_error_code
+krb5_error_code
krb5int_fast_prep_req (krb5_context context, struct krb5int_fast_request_state *state,
- krb5_kdc_req *request,
- const krb5_data *to_be_checksummed, kdc_req_encoder_proc encoder,
- krb5_data **encoded_request)
+ krb5_kdc_req *request,
+ const krb5_data *to_be_checksummed, kdc_req_encoder_proc encoder,
+ krb5_data **encoded_request)
{
krb5_error_code retval = 0;
krb5_pa_data *pa_array[2];
@@ -180,68 +181,68 @@ krb5int_fast_prep_req (krb5_context context, struct krb5int_fast_request_state *
assert(state->fast_outer_request.padata == NULL);
memset(pa_array, 0, sizeof pa_array);
if (state->armor_key == NULL) {
- return encoder(request, encoded_request);
+ return encoder(request, encoded_request);
}
/* Fill in a fresh random nonce for each inner request*/
- random_data.length = 4;
- random_data.data = (char *)random_buf;
- retval = krb5_c_random_make_octets(context, &random_data);
- if (retval == 0) {
- request->nonce = 0x7fffffff & load_32_n(random_buf);
- state->nonce = request->nonce;
- }
+ random_data.length = 4;
+ random_data.data = (char *)random_buf;
+ retval = krb5_c_random_make_octets(context, &random_data);
+ if (retval == 0) {
+ request->nonce = 0x7fffffff & load_32_n(random_buf);
+ state->nonce = request->nonce;
+ }
fast_req.req_body = request;
if (fast_req.req_body->padata == NULL) {
- fast_req.req_body->padata = calloc(1, sizeof(krb5_pa_data *));
- if (fast_req.req_body->padata == NULL)
- retval = ENOMEM;
+ fast_req.req_body->padata = calloc(1, sizeof(krb5_pa_data *));
+ if (fast_req.req_body->padata == NULL)
+ retval = ENOMEM;
}
fast_req.fast_options = state->fast_options;
if (retval == 0)
- retval = encode_krb5_fast_req(&fast_req, &encoded_fast_req);
+ retval = encode_krb5_fast_req(&fast_req, &encoded_fast_req);
if (retval == 0) {
- armored_req = calloc(1, sizeof(krb5_fast_armored_req));
- if (armored_req == NULL)
- retval = ENOMEM;
+ armored_req = calloc(1, sizeof(krb5_fast_armored_req));
+ if (armored_req == NULL)
+ retval = ENOMEM;
}
if (retval == 0)
- armored_req->armor = state->armor;
+ armored_req->armor = state->armor;
if (retval == 0)
- retval = krb5int_c_mandatory_cksumtype(context, state->armor_key->enctype,
- &cksumtype);
+ retval = krb5int_c_mandatory_cksumtype(context, state->armor_key->enctype,
+ &cksumtype);
if (retval ==0)
- retval = krb5_c_make_checksum(context, cksumtype, state->armor_key,
- KRB5_KEYUSAGE_FAST_REQ_CHKSUM, to_be_checksummed,
- &armored_req->req_checksum);
+ retval = krb5_c_make_checksum(context, cksumtype, state->armor_key,
+ KRB5_KEYUSAGE_FAST_REQ_CHKSUM, to_be_checksummed,
+ &armored_req->req_checksum);
if (retval == 0)
- retval = krb5_encrypt_helper(context, state->armor_key,
- KRB5_KEYUSAGE_FAST_ENC, encoded_fast_req,
- &armored_req->enc_part);
+ retval = krb5_encrypt_helper(context, state->armor_key,
+ KRB5_KEYUSAGE_FAST_ENC, encoded_fast_req,
+ &armored_req->enc_part);
if (retval == 0)
- retval = encode_krb5_pa_fx_fast_request(armored_req, &encoded_armored_req);
+ retval = encode_krb5_pa_fx_fast_request(armored_req, &encoded_armored_req);
if (retval==0) {
- pa[0].pa_type = KRB5_PADATA_FX_FAST;
- pa[0].contents = (unsigned char *) encoded_armored_req->data;
- pa[0].length = encoded_armored_req->length;
- pa_array[0] = &pa[0];
+ pa[0].pa_type = KRB5_PADATA_FX_FAST;
+ pa[0].contents = (unsigned char *) encoded_armored_req->data;
+ pa[0].length = encoded_armored_req->length;
+ pa_array[0] = &pa[0];
}
state->fast_outer_request.padata = pa_array;
if(retval == 0)
- retval = encoder(&state->fast_outer_request, &local_encoded_result);
+ retval = encoder(&state->fast_outer_request, &local_encoded_result);
if (retval == 0) {
- *encoded_request = local_encoded_result;
- local_encoded_result = NULL;
+ *encoded_request = local_encoded_result;
+ local_encoded_result = NULL;
}
if (encoded_armored_req)
- krb5_free_data(context, encoded_armored_req);
+ krb5_free_data(context, encoded_armored_req);
if (armored_req) {
- armored_req->armor = NULL; /*owned by state*/
- krb5_free_fast_armored_req(context, armored_req);
+ armored_req->armor = NULL; /*owned by state*/
+ krb5_free_fast_armored_req(context, armored_req);
}
if (encoded_fast_req)
- krb5_free_data(context, encoded_fast_req);
+ krb5_free_data(context, encoded_fast_req);
if (local_encoded_result)
- krb5_free_data(context, local_encoded_result);
+ krb5_free_data(context, local_encoded_result);
state->fast_outer_request.padata = NULL;
return retval;
}
@@ -258,49 +259,49 @@ static krb5_error_code decrypt_fast_reply
krb5_fast_response *local_resp = NULL;
assert(state != NULL);
assert(state->armor_key);
- fx_reply = krb5int_find_pa_data(context, in_padata, KRB5_PADATA_FX_FAST);
+ fx_reply = krb5int_find_pa_data(context, in_padata, KRB5_PADATA_FX_FAST);
if (fx_reply == NULL)
- retval = KRB5_ERR_FAST_REQUIRED;
+ retval = KRB5_ERR_FAST_REQUIRED;
if (retval == 0) {
- scratch.data = (char *) fx_reply->contents;
- scratch.length = fx_reply->length;
- retval = decode_krb5_pa_fx_fast_reply(&scratch, &encrypted_response);
+ scratch.data = (char *) fx_reply->contents;
+ scratch.length = fx_reply->length;
+ retval = decode_krb5_pa_fx_fast_reply(&scratch, &encrypted_response);
}
scratch.data = NULL;
if (retval == 0) {
- scratch.data = malloc(encrypted_response->ciphertext.length);
- if (scratch.data == NULL)
- retval = ENOMEM;
- scratch.length = encrypted_response->ciphertext.length;
+ scratch.data = malloc(encrypted_response->ciphertext.length);
+ if (scratch.data == NULL)
+ retval = ENOMEM;
+ scratch.length = encrypted_response->ciphertext.length;
}
if (retval == 0)
- retval = krb5_c_decrypt(context, state->armor_key,
- KRB5_KEYUSAGE_FAST_REP, NULL,
- encrypted_response, &scratch);
+ retval = krb5_c_decrypt(context, state->armor_key,
+ KRB5_KEYUSAGE_FAST_REP, NULL,
+ encrypted_response, &scratch);
if (retval != 0) {
- const char * errmsg;
- errmsg = krb5_get_error_message(context, retval);
- krb5_set_error_message(context, retval, "%s while decrypting FAST reply", errmsg);
- krb5_free_error_message(context, errmsg);
+ const char * errmsg;
+ errmsg = krb5_get_error_message(context, retval);
+ krb5_set_error_message(context, retval, "%s while decrypting FAST reply", errmsg);
+ krb5_free_error_message(context, errmsg);
}
if (retval == 0)
- retval = decode_krb5_fast_response(&scratch, &local_resp);
+ retval = decode_krb5_fast_response(&scratch, &local_resp);
if (retval == 0) {
- if (local_resp->nonce != state->nonce) {
- retval = KRB5_KDCREP_MODIFIED;
- krb5_set_error_message(context, retval, "nonce modified in FAST response: KDC response modified");
- }
+ if (local_resp->nonce != state->nonce) {
+ retval = KRB5_KDCREP_MODIFIED;
+ krb5_set_error_message(context, retval, "nonce modified in FAST response: KDC response modified");
+ }
}
if (retval == 0) {
- *response = local_resp;
- local_resp = NULL;
+ *response = local_resp;
+ local_resp = NULL;
}
if (scratch.data)
- free(scratch.data);
+ free(scratch.data);
if (encrypted_response)
- krb5_free_enc_data(context, encrypted_response);
+ krb5_free_enc_data(context, encrypted_response);
if (local_resp)
- krb5_free_fast_response(context, local_resp);
+ krb5_free_fast_response(context, local_resp);
return retval;
}
@@ -319,91 +320,91 @@ static krb5_error_code decrypt_fast_reply
*/
krb5_error_code
krb5int_fast_process_error(krb5_context context, struct krb5int_fast_request_state *state,
- krb5_error **err_replyptr , krb5_pa_data ***out_padata,
- krb5_boolean *retry)
+ krb5_error **err_replyptr , krb5_pa_data ***out_padata,
+ krb5_boolean *retry)
{
krb5_error_code retval = 0;
krb5_error *err_reply = *err_replyptr;
*out_padata = NULL;
*retry = 0;
if (state->armor_key) {
- krb5_pa_data *fx_error_pa;
- krb5_pa_data **result = NULL;
- krb5_data scratch, *encoded_td = NULL;
- krb5_error *fx_error = NULL;
- krb5_fast_response *fast_response = NULL;
- retval = decode_krb5_padata_sequence(&err_reply->e_data, &result);
- if (retval == 0)
- retval = decrypt_fast_reply(context, state, result, &fast_response);
- if (retval) {
- /*This can happen if the KDC does not understand FAST. We
- * don't expect that, but treating it as the fatal error
- * indicated by the KDC seems reasonable.
- */
- *retry = 0;
- krb5_free_pa_data(context, result);
- return 0;
- }
- krb5_free_pa_data(context, result);
- result = NULL;
- if (retval == 0) {
- fx_error_pa = krb5int_find_pa_data(context, fast_response->padata, KRB5_PADATA_FX_ERROR);
- if (fx_error_pa == NULL) {
- krb5_set_error_message(context, KRB5KDC_ERR_PREAUTH_FAILED, "Expecting FX_ERROR pa-data inside FAST container");
- retval = KRB5KDC_ERR_PREAUTH_FAILED;
- }
- }
- if (retval == 0) {
- scratch.data = (char *) fx_error_pa->contents;
- scratch.length = fx_error_pa->length;
- retval = decode_krb5_error(&scratch, &fx_error);
- }
- /*
- * krb5_pa_data and krb5_typed_data are safe to cast between:
- * they have the same type fields in the same order.
- * (krb5_preauthtype is a krb5_int32). If krb5_typed_data is
- * ever changed then this will need to be a copy not a cast.
- */
- if (retval == 0)
- retval = encode_krb5_typed_data( (krb5_typed_data **) fast_response->padata,
- &encoded_td);
- if (retval == 0) {
- fx_error->e_data = *encoded_td;
- free(encoded_td); /*contents owned by fx_error*/
- encoded_td = NULL;
- krb5_free_error(context, err_reply);
- *err_replyptr = fx_error;
- fx_error = NULL;
- *out_padata = fast_response->padata;
- fast_response->padata = NULL;
- /*
- * If there is more than the fx_error padata, then we want
- * to retry the error if a cookie is present
- */
- *retry = (*out_padata)[1] != NULL;
- if (krb5int_find_pa_data(context, *out_padata, KRB5_PADATA_FX_COOKIE) == NULL)
- *retry = 0;
- }
- if (fx_error)
- krb5_free_error(context, fx_error);
- krb5_free_fast_response(context, fast_response);
+ krb5_pa_data *fx_error_pa;
+ krb5_pa_data **result = NULL;
+ krb5_data scratch, *encoded_td = NULL;
+ krb5_error *fx_error = NULL;
+ krb5_fast_response *fast_response = NULL;
+ retval = decode_krb5_padata_sequence(&err_reply->e_data, &result);
+ if (retval == 0)
+ retval = decrypt_fast_reply(context, state, result, &fast_response);
+ if (retval) {
+ /*This can happen if the KDC does not understand FAST. We
+ * don't expect that, but treating it as the fatal error
+ * indicated by the KDC seems reasonable.
+ */
+ *retry = 0;
+ krb5_free_pa_data(context, result);
+ return 0;
+ }
+ krb5_free_pa_data(context, result);
+ result = NULL;
+ if (retval == 0) {
+ fx_error_pa = krb5int_find_pa_data(context, fast_response->padata, KRB5_PADATA_FX_ERROR);
+ if (fx_error_pa == NULL) {
+ krb5_set_error_message(context, KRB5KDC_ERR_PREAUTH_FAILED, "Expecting FX_ERROR pa-data inside FAST container");
+ retval = KRB5KDC_ERR_PREAUTH_FAILED;
+ }
+ }
+ if (retval == 0) {
+ scratch.data = (char *) fx_error_pa->contents;
+ scratch.length = fx_error_pa->length;
+ retval = decode_krb5_error(&scratch, &fx_error);
+ }
+ /*
+ * krb5_pa_data and krb5_typed_data are safe to cast between:
+ * they have the same type fields in the same order.
+ * (krb5_preauthtype is a krb5_int32). If krb5_typed_data is
+ * ever changed then this will need to be a copy not a cast.
+ */
+ if (retval == 0)
+ retval = encode_krb5_typed_data( (krb5_typed_data **) fast_response->padata,
+ &encoded_td);
+ if (retval == 0) {
+ fx_error->e_data = *encoded_td;
+ free(encoded_td); /*contents owned by fx_error*/
+ encoded_td = NULL;
+ krb5_free_error(context, err_reply);
+ *err_replyptr = fx_error;
+ fx_error = NULL;
+ *out_padata = fast_response->padata;
+ fast_response->padata = NULL;
+ /*
+ * If there is more than the fx_error padata, then we want
+ * to retry the error if a cookie is present
+ */
+ *retry = (*out_padata)[1] != NULL;
+ if (krb5int_find_pa_data(context, *out_padata, KRB5_PADATA_FX_COOKIE) == NULL)
+ *retry = 0;
+ }
+ if (fx_error)
+ krb5_free_error(context, fx_error);
+ krb5_free_fast_response(context, fast_response);
} else { /*not FAST*/
- *retry = (err_reply->e_data.length > 0);
- if ((err_reply->error == KDC_ERR_PREAUTH_REQUIRED
- ||err_reply->error == KDC_ERR_PREAUTH_FAILED) && err_reply->e_data.length) {
- krb5_pa_data **result = NULL;
- retval = decode_krb5_padata_sequence(&err_reply->e_data, &result);
- if (retval == 0)
- if (retval == 0) {
- *out_padata = result;
+ *retry = (err_reply->e_data.length > 0);
+ if ((err_reply->error == KDC_ERR_PREAUTH_REQUIRED
+ ||err_reply->error == KDC_ERR_PREAUTH_FAILED) && err_reply->e_data.length) {
+ krb5_pa_data **result = NULL;
+ retval = decode_krb5_padata_sequence(&err_reply->e_data, &result);
+ if (retval == 0)
+ if (retval == 0) {
+ *out_padata = result;
- return 0;
- }
- krb5_free_pa_data(context, result);
- krb5_set_error_message(context, retval,
- "Error decoding padata in error reply");
- return retval;
- }
+ return 0;
+ }
+ krb5_free_pa_data(context, result);
+ krb5_set_error_message(context, retval,
+ "Error decoding padata in error reply");
+ return retval;
+ }
}
return retval;
}
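Review bot: In the non-FAST branch of krb5int_fast_process_error, right after decode_krb5_padata_sequence, the condition is tested twice in a row (`if (retval == 0) if (retval == 0) {`), which reads as an editing leftover and obscures that the error-message path below is the only other exit; collapse it to a single `if (retval == 0) {`. Separately, the early `return 0` at the top of the FAST branch turns any failure to decrypt the FAST container into success, so once FAST has been negotiated an unprotected KRB-ERROR from an on-path party is accepted as the KDC's verdict; the comment acknowledges this, but it should also say that the caller then reports the outer, unauthenticated error and that this path must never set retry or hand back preauth data. Suggested wording: `/* Unauthenticated outer error is surfaced as-is; never retry or expose padata from it. */`. krb5int_fast_process_error is complete within this hunk.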
@@ -421,61 +422,61 @@ krb5_error_code krb5int_fast_process_response
krb5_clear_error_message(context);
*strengthen_key = NULL;
if (state->armor_key == 0)
- return 0;
- retval = decrypt_fast_reply(context, state, resp->padata,
- &fast_response);
+ return 0;
+ retval = decrypt_fast_reply(context, state, resp->padata,
+ &fast_response);
if (retval == 0) {
- if (fast_response->finished == 0) {
- retval = KRB5_KDCREP_MODIFIED;
- krb5_set_error_message(context, retval, "FAST response missing finish message in KDC reply");
- }
+ if (fast_response->finished == 0) {
+ retval = KRB5_KDCREP_MODIFIED;
+ krb5_set_error_message(context, retval, "FAST response missing finish message in KDC reply");
+ }
}
if (retval == 0)
- retval = encode_krb5_ticket(resp->ticket, &encoded_ticket);
+ retval = encode_krb5_ticket(resp->ticket, &encoded_ticket);
if (retval == 0)
- retval = krb5_c_verify_checksum(context, state->armor_key,
- KRB5_KEYUSAGE_FAST_FINISHED,
- encoded_ticket,
- &fast_response->finished->ticket_checksum,
- &cksum_valid);
+ retval = krb5_c_verify_checksum(context, state->armor_key,
+ KRB5_KEYUSAGE_FAST_FINISHED,
+ encoded_ticket,
+ &fast_response->finished->ticket_checksum,
+ &cksum_valid);
if (retval == 0 && cksum_valid == 0) {
- retval = KRB5_KDCREP_MODIFIED;
- krb5_set_error_message(context, retval, "ticket modified in KDC reply");
+ retval = KRB5_KDCREP_MODIFIED;
+ krb5_set_error_message(context, retval, "ticket modified in KDC reply");
}
if (retval == 0) {
- krb5_free_principal(context, resp->client);
- resp->client = fast_response->finished->client;
- fast_response->finished->client = NULL;
- *strengthen_key = fast_response->strengthen_key;
- fast_response->strengthen_key = NULL;
- krb5_free_pa_data(context, resp->padata);
- resp->padata = fast_response->padata;
- fast_response->padata = NULL;
+ krb5_free_principal(context, resp->client);
+ resp->client = fast_response->finished->client;
+ fast_response->finished->client = NULL;
+ *strengthen_key = fast_response->strengthen_key;
+ fast_response->strengthen_key = NULL;
+ krb5_free_pa_data(context, resp->padata);
+ resp->padata = fast_response->padata;
+ fast_response->padata = NULL;
}
if (fast_response)
- krb5_free_fast_response(context, fast_response);
+ krb5_free_fast_response(context, fast_response);
if (encoded_ticket)
- krb5_free_data(context, encoded_ticket);
+ krb5_free_data(context, encoded_ticket);
return retval;
}
krb5_error_code krb5int_fast_reply_key(krb5_context context,
- krb5_keyblock *strengthen_key,
- krb5_keyblock *existing_key,
- krb5_keyblock *out_key)
+ krb5_keyblock *strengthen_key,
+ krb5_keyblock *existing_key,
+ krb5_keyblock *out_key)
{
krb5_keyblock *key = NULL;
krb5_error_code retval = 0;
krb5_free_keyblock_contents(context, out_key);
if (strengthen_key) {
- retval = krb5_c_fx_cf2_simple(context, strengthen_key,
- "strengthenkey", existing_key, "replykey", &key);
- if (retval == 0) {
- *out_key = *key;
- free(key);
- }
+ retval = krb5_c_fx_cf2_simple(context, strengthen_key,
+ "strengthenkey", existing_key, "replykey", &key);
+ if (retval == 0) {
+ *out_key = *key;
+ free(key);
+ }
} else {
- retval = krb5_copy_keyblock_contents(context, existing_key, out_key);
+ retval = krb5_copy_keyblock_contents(context, existing_key, out_key);
}
return retval;
}
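Review bot: The ticket checksum verified in krb5int_fast_process_response uses whatever checksum type the reply's finished message carries, and nothing in this hunk rejects an unkeyed type; if krb5_c_verify_checksum accepts unkeyed types even when a key is supplied (not visible here), a party that can alter the reply could substitute an unkeyed checksum over a modified ticket and still pass the "ticket modified in KDC reply" check. Add, before the verify call, `if (retval == 0 && !krb5_c_is_keyed_cksum(fast_response->finished->ticket_checksum.checksum_type)) retval = KRB5KRB_AP_ERR_INAPP_CKSUM;` so only a keyed checksum binds the ticket to the armor key. As a minor point of style, `state->armor_key == 0` compares a pointer against 0 where the rest of the file uses NULL. The function's opening lines are outside this hunk.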
@@ -487,7 +488,7 @@ krb5int_fast_make_state( krb5_context context, struct krb5int_fast_request_state
struct krb5int_fast_request_state *local_state ;
local_state = malloc(sizeof *local_state);
if (local_state == NULL)
- return ENOMEM;
+ return ENOMEM;
memset(local_state, 0, sizeof(*local_state));
*state = local_state;
return 0;
@@ -505,16 +506,15 @@ krb5int_fast_free_state( krb5_context context, struct krb5int_fast_request_state
krb5_pa_data * krb5int_find_pa_data
(krb5_context context, krb5_pa_data *const *padata, krb5_preauthtype pa_type)
{
- krb5_pa_data * const *tmppa;
+ krb5_pa_data * const *tmppa;
if (padata == NULL)
- return NULL;
+ return NULL;
for (tmppa = padata; *tmppa != NULL; tmppa++) {
- if ((*tmppa)->pa_type == pa_type)
- break;
+ if ((*tmppa)->pa_type == pa_type)
+ break;
}
return *tmppa;
}
-
diff --git a/src/lib/krb5/krb/fast.h b/src/lib/krb5/krb/fast.h
index 4cc142335..443f3e196 100644
--- a/src/lib/krb5/krb/fast.h
+++ b/src/lib/krb5/krb/fast.h
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/fast.h
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* <<< Description >>>
*/
@@ -34,7 +35,7 @@
struct krb5int_fast_request_state {
krb5_kdc_req fast_outer_request;
- krb5_keyblock *armor_key; /*non-null means fast is in use*/
+ krb5_keyblock *armor_key; /*non-null means fast is in use*/
krb5_fast_armor *armor;
krb5_ui_4 fast_state_flags;
krb5_ui_4 fast_options;
@@ -43,19 +44,19 @@ struct krb5int_fast_request_state {
krb5_error_code
krb5int_fast_prep_req_body(krb5_context context, struct krb5int_fast_request_state *state,
- krb5_kdc_req *request, krb5_data **encoded_req_body);
+ krb5_kdc_req *request, krb5_data **encoded_req_body);
typedef krb5_error_code(*kdc_req_encoder_proc) (const krb5_kdc_req *, krb5_data **);
-krb5_error_code
+krb5_error_code
krb5int_fast_prep_req (krb5_context context, struct krb5int_fast_request_state *state,
- krb5_kdc_req *request,
- const krb5_data *to_be_checksummed, kdc_req_encoder_proc encoder,
- krb5_data **encoded_request);
+ krb5_kdc_req *request,
+ const krb5_data *to_be_checksummed, kdc_req_encoder_proc encoder,
+ krb5_data **encoded_request);
krb5_error_code
krb5int_fast_process_error(krb5_context context, struct krb5int_fast_request_state *state,
- krb5_error **err_replyptr , krb5_pa_data ***out_padata,
- krb5_boolean *retry);
+ krb5_error **err_replyptr , krb5_pa_data ***out_padata,
+ krb5_boolean *retry);
krb5_error_code krb5int_fast_process_response
(krb5_context context, struct krb5int_fast_request_state *state,
@@ -73,10 +74,10 @@ krb5_error_code krb5int_fast_as_armor
krb5_kdc_req *request);
krb5_error_code krb5int_fast_reply_key(krb5_context context,
- krb5_keyblock *strengthen_key,
- krb5_keyblock *existing_key,
- krb5_keyblock *output_key);
+ krb5_keyblock *strengthen_key,
+ krb5_keyblock *existing_key,
+ krb5_keyblock *output_key);
+
-
#endif
diff --git a/src/lib/krb5/krb/free_rtree.c b/src/lib/krb5/krb/free_rtree.c
index 90c9dd3c8..951d55dd3 100644
--- a/src/lib/krb5/krb/free_rtree.c
+++ b/src/lib/krb5/krb/free_rtree.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/free_rtree.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_free_realm_tree()
*/
@@ -34,10 +35,10 @@ krb5_free_realm_tree(krb5_context context, krb5_principal *realms)
{
register krb5_principal *nrealms = realms;
if (realms == NULL)
- return;
+ return;
while (*nrealms) {
- krb5_free_principal(context, *nrealms);
- nrealms++;
+ krb5_free_principal(context, *nrealms);
+ nrealms++;
}
free(realms);
}
diff --git a/src/lib/krb5/krb/fwd_tgt.c b/src/lib/krb5/krb/fwd_tgt.c
index 08646da6e..5725e4931 100644
--- a/src/lib/krb5/krb/fwd_tgt.c
+++ b/src/lib/krb5/krb/fwd_tgt.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/get_in_tkt.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -35,14 +36,14 @@
/* Get a TGT for use at the remote host */
krb5_error_code KRB5_CALLCONV
krb5_fwd_tgt_creds(krb5_context context, krb5_auth_context auth_context, char *rhost, krb5_principal client, krb5_principal server, krb5_ccache cc, int forwardable, krb5_data *outbuf)
-
-
-
-
-
-
- /* Should forwarded TGT also be forwardable? */
-
+
+
+
+
+
+
+/* Should forwarded TGT also be forwardable? */
+
{
krb5_replay_data replaydata;
krb5_data * scratch = 0;
@@ -61,136 +62,136 @@ krb5_fwd_tgt_creds(krb5_context context, krb5_auth_context auth_context, char *r
memset(&tgt, 0, sizeof(creds));
if (cc == 0) {
- if ((retval = krb5int_cc_default(context, &cc)))
- goto errout;
- close_cc = 1;
+ if ((retval = krb5int_cc_default(context, &cc)))
+ goto errout;
+ close_cc = 1;
}
retval = krb5_auth_con_getkey (context, auth_context, &session_key);
if (retval)
- goto errout;
+ goto errout;
if (session_key) {
- enctype = session_key->enctype;
- krb5_free_keyblock (context, session_key);
- session_key = NULL;
+ enctype = session_key->enctype;
+ krb5_free_keyblock (context, session_key);
+ session_key = NULL;
} else if (server) { /* must server be non-NULL when rhost is given? */
- /* Try getting credentials to see what the remote side supports.
- Not bulletproof, just a heuristic. */
- krb5_creds in, *out = 0;
- memset (&in, 0, sizeof(in));
-
- retval = krb5_copy_principal (context, server, &in.server);
- if (retval)
- goto punt;
- retval = krb5_copy_principal (context, client, &in.client);
- if (retval)
- goto punt;
- retval = krb5_get_credentials (context, 0, cc, &in, &out);
- if (retval)
- goto punt;
- /* Got the credentials. Okay, now record the enctype and
- throw them away. */
- enctype = out->keyblock.enctype;
- krb5_free_creds (context, out);
+ /* Try getting credentials to see what the remote side supports.
+ Not bulletproof, just a heuristic. */
+ krb5_creds in, *out = 0;
+ memset (&in, 0, sizeof(in));
+
+ retval = krb5_copy_principal (context, server, &in.server);
+ if (retval)
+ goto punt;
+ retval = krb5_copy_principal (context, client, &in.client);
+ if (retval)
+ goto punt;
+ retval = krb5_get_credentials (context, 0, cc, &in, &out);
+ if (retval)
+ goto punt;
+ /* Got the credentials. Okay, now record the enctype and
+ throw them away. */
+ enctype = out->keyblock.enctype;
+ krb5_free_creds (context, out);
punt:
- krb5_free_cred_contents (context, &in);
+ krb5_free_cred_contents (context, &in);
}
if ((retval = krb5_copy_principal(context, client, &creds.client)))
- goto errout;
-
+ goto errout;
+
if ((retval = krb5_build_principal_ext(context, &creds.server,
- client->realm.length,
- client->realm.data,
- KRB5_TGS_NAME_SIZE,
- KRB5_TGS_NAME,
- client->realm.length,
- client->realm.data,
- 0)))
- goto errout;
-
+ client->realm.length,
+ client->realm.data,
+ KRB5_TGS_NAME_SIZE,
+ KRB5_TGS_NAME,
+ client->realm.length,
+ client->realm.data,
+ 0)))
+ goto errout;
+
/* fetch tgt directly from cache */
context->use_conf_ktypes = 1;
retval = krb5_cc_retrieve_cred (context, cc, KRB5_TC_SUPPORTED_KTYPES,
- &creds, &tgt);
+ &creds, &tgt);
context->use_conf_ktypes = old_use_conf_ktypes;
if (retval)
- goto errout;
+ goto errout;
/* tgt->client must be equal to creds.client */
if (!krb5_principal_compare(context, tgt.client, creds.client)) {
- retval = KRB5_PRINC_NOMATCH;
- goto errout;
+ retval = KRB5_PRINC_NOMATCH;
+ goto errout;
}
if (!tgt.ticket.length) {
- retval = KRB5_NO_TKT_SUPPLIED;
- goto errout;
+ retval = KRB5_NO_TKT_SUPPLIED;
+ goto errout;
}
-
+
if (tgt.addresses && *tgt.addresses) {
- if (rhost == NULL) {
- if (krb5_princ_type(context, server) != KRB5_NT_SRV_HST) {
-retval = KRB5_FWD_BAD_PRINCIPAL;
- goto errout;
- }
-
- if (krb5_princ_size(context, server) < 2){
- retval = KRB5_CC_BADNAME;
- goto errout;
- }
-
- rhost = malloc(server->data[1].length+1);
- if (!rhost) {
- retval = ENOMEM;
- goto errout;
- }
- free_rhost = 1;
- memcpy(rhost, server->data[1].data, server->data[1].length);
- rhost[server->data[1].length] = '\0';
- }
-
- retval = krb5_os_hostaddr(context, rhost, &addrs);
- if (retval)
- goto errout;
+ if (rhost == NULL) {
+ if (krb5_princ_type(context, server) != KRB5_NT_SRV_HST) {
+ retval = KRB5_FWD_BAD_PRINCIPAL;
+ goto errout;
+ }
+
+ if (krb5_princ_size(context, server) < 2){
+ retval = KRB5_CC_BADNAME;
+ goto errout;
+ }
+
+ rhost = malloc(server->data[1].length+1);
+ if (!rhost) {
+ retval = ENOMEM;
+ goto errout;
+ }
+ free_rhost = 1;
+ memcpy(rhost, server->data[1].data, server->data[1].length);
+ rhost[server->data[1].length] = '\0';
+ }
+
+ retval = krb5_os_hostaddr(context, rhost, &addrs);
+ if (retval)
+ goto errout;
}
-
+
creds.keyblock.enctype = enctype;
creds.times = tgt.times;
creds.times.starttime = 0;
kdcoptions = flags2options(tgt.ticket_flags)|KDC_OPT_FORWARDED;
if (!forwardable) /* Reset KDC_OPT_FORWARDABLE */
- kdcoptions &= ~(KDC_OPT_FORWARDABLE);
+ kdcoptions &= ~(KDC_OPT_FORWARDABLE);
if ((retval = krb5_get_cred_via_tkt(context, &tgt, kdcoptions,
- addrs, &creds, &pcreds))) {
- if (enctype) {
- creds.keyblock.enctype = 0;
- if ((retval = krb5_get_cred_via_tkt(context, &tgt, kdcoptions,
- addrs, &creds, &pcreds)))
- goto errout;
- }
- else goto errout;
+ addrs, &creds, &pcreds))) {
+ if (enctype) {
+ creds.keyblock.enctype = 0;
+ if ((retval = krb5_get_cred_via_tkt(context, &tgt, kdcoptions,
+ addrs, &creds, &pcreds)))
+ goto errout;
+ }
+ else goto errout;
}
retval = krb5_mk_1cred(context, auth_context, pcreds,
&scratch, &replaydata);
krb5_free_creds(context, pcreds);
if (retval) {
- if (scratch)
- krb5_free_data(context, scratch);
+ if (scratch)
+ krb5_free_data(context, scratch);
} else {
- *outbuf = *scratch;
- free(scratch);
+ *outbuf = *scratch;
+ free(scratch);
}
-
+
errout:
if (addrs)
- krb5_free_addresses(context, addrs);
+ krb5_free_addresses(context, addrs);
if (close_cc)
- krb5_cc_close(context, cc);
+ krb5_cc_close(context, cc);
if (free_rhost)
- free(rhost);
+ free(rhost);
krb5_free_cred_contents(context, &creds);
krb5_free_cred_contents(context, &tgt);
return retval;
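Review bot: In the address-handling branch of krb5_fwd_tgt_creds, `krb5_princ_type(context, server)` and `server->data[1]` are reached whenever `rhost` is NULL and the cached TGT carries addresses, yet the earlier enctype probe guards on `else if (server)` and its comment questions whether server may be NULL; if callers can pass a NULL server together with a NULL rhost, this dereferences NULL. Add a guard at the top of that branch: `if (server == NULL) { retval = KRB5_FWD_BAD_PRINCIPAL; goto errout; }`. Also, `memset(&tgt, 0, sizeof(creds))` clears `tgt` using the size of a different variable; both are krb5_creds so it works, but `sizeof(tgt)` says what is meant. The function's start is outside this hunk.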
diff --git a/src/lib/krb5/krb/gc_frm_kdc.c b/src/lib/krb5/krb/gc_frm_kdc.c
index 4102dd728..581d89d4d 100644
--- a/src/lib/krb5/krb/gc_frm_kdc.c
+++ b/src/lib/krb5/krb/gc_frm_kdc.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* Copyright (c) 1994,2003,2005,2007 by the Massachusetts Institute of Technology.
* Copyright (c) 1994 CyberSAFE Corporation
@@ -9,7 +10,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -20,11 +21,11 @@
* permission. Furthermore if you modify this software you must label
* your software as modified software and not distribute it in such a
* fashion that it might be confused with the original M.I.T. software.
- * Neither M.I.T., the Open Computing Security Group, nor
+ * Neither M.I.T., the Open Computing Security Group, nor
* CyberSAFE Corporation make any representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
* krb5_get_cred_from_kdc() and related functions:
*
* Get credentials from some KDC somewhere, possibly accumulating TGTs
@@ -50,13 +51,13 @@ struct cc_tgts {
};
/* NOTE: This only checks if NXT_TGT is CUR_CC_TGT. */
-#define NXT_TGT_IS_CACHED(ts) \
- ((ts)->nxt_tgt == (ts)->cur_cc_tgt)
+#define NXT_TGT_IS_CACHED(ts) \
+ ((ts)->nxt_tgt == (ts)->cur_cc_tgt)
-#define MARK_CUR_CC_TGT_CLEAN(ts) \
-do { \
- (ts)->cc_tgts.dirty[(ts)->cc_tgts.cur] = 0; \
-} while (0)
+#define MARK_CUR_CC_TGT_CLEAN(ts) \
+ do { \
+ (ts)->cc_tgts.dirty[(ts)->cc_tgts.cur] = 0; \
+ } while (0)
static void init_cc_tgts(struct tr_state *);
static void shift_cc_tgts(struct tr_state *);
@@ -137,8 +138,8 @@ static void tr_dbg_rtree(struct tr_state *, const char *, krb5_principal);
* Certain krb5_cc_retrieve_cred() errors are soft errors when looking
* for a cross-realm TGT.
*/
-#define HARD_CC_ERR(r) ((r) && (r) != KRB5_CC_NOTFOUND && \
- (r) != KRB5_CC_NOT_KTYPE)
+#define HARD_CC_ERR(r) ((r) && (r) != KRB5_CC_NOTFOUND && \
+ (r) != KRB5_CC_NOT_KTYPE)
/*
* Flags for ccache lookups of cross-realm TGTs.
@@ -152,24 +153,24 @@ static void tr_dbg_rtree(struct tr_state *, const char *, krb5_principal);
* Prototypes of helper functions
*/
static krb5_error_code tgt_mcred(krb5_context, krb5_principal,
- krb5_principal, krb5_principal, krb5_creds *);
+ krb5_principal, krb5_principal, krb5_creds *);
static krb5_error_code retr_local_tgt(struct tr_state *, krb5_principal);
static krb5_error_code try_ccache(struct tr_state *, krb5_creds *);
static krb5_error_code find_nxt_kdc(struct tr_state *);
static krb5_error_code try_kdc(struct tr_state *, krb5_creds *);
static krb5_error_code kdc_mcred(struct tr_state *, krb5_principal,
- krb5_creds *mcreds);
+ krb5_creds *mcreds);
static krb5_error_code next_closest_tgt(struct tr_state *, krb5_principal);
static krb5_error_code init_rtree(struct tr_state *,
- krb5_principal, krb5_principal);
+ krb5_principal, krb5_principal);
static krb5_error_code do_traversal(krb5_context ctx, krb5_ccache,
- krb5_principal client, krb5_principal server,
- krb5_creds *out_cc_tgt, krb5_creds **out_tgt,
- krb5_creds ***out_kdc_tgts, int *tgtptr_isoffpath);
+ krb5_principal client, krb5_principal server,
+ krb5_creds *out_cc_tgt, krb5_creds **out_tgt,
+ krb5_creds ***out_kdc_tgts, int *tgtptr_isoffpath);
static krb5_error_code chase_offpath(struct tr_state *, krb5_principal,
- krb5_principal);
+ krb5_principal);
static krb5_error_code offpath_loopchk(struct tr_state *ts,
- krb5_creds *tgt, krb5_creds *reftgts[], unsigned int rcount);
+ krb5_creds *tgt, krb5_creds *reftgts[], unsigned int rcount);
/*
* init_cc_tgts()
@@ -210,8 +211,8 @@ shift_cc_tgts(struct tr_state *ts)
rb->nxt = i;
ts->nxt_cc_tgt = &rb->cred[i];
if (rb->dirty[i]) {
- krb5_free_cred_contents(ts->ctx, &rb->cred[i]);
- rb->dirty[i] = 0;
+ krb5_free_cred_contents(ts->ctx, &rb->cred[i]);
+ rb->dirty[i] = 0;
}
}
@@ -228,10 +229,10 @@ clean_cc_tgts(struct tr_state *ts)
rb = &ts->cc_tgts;
for (i = 0; i < NCC_TGTS; i++) {
- if (rb->dirty[i]) {
- krb5_free_cred_contents(ts->ctx, &rb->cred[i]);
- rb->dirty[i] = 0;
- }
+ if (rb->dirty[i]) {
+ krb5_free_cred_contents(ts->ctx, &rb->cred[i]);
+ rb->dirty[i] = 0;
+ }
}
}
@@ -257,18 +258,18 @@ tr_dbg(struct tr_state *ts, const char *prog)
fprintf(stderr, "%s: nxt_kdc %s\n", prog, nxt_kdc_str);
cleanup:
if (cur_tgt_str)
- krb5_free_unparsed_name(ts->ctx, cur_tgt_str);
+ krb5_free_unparsed_name(ts->ctx, cur_tgt_str);
if (cur_kdc_str)
- krb5_free_unparsed_name(ts->ctx, cur_kdc_str);
+ krb5_free_unparsed_name(ts->ctx, cur_kdc_str);
if (nxt_kdc_str)
- krb5_free_unparsed_name(ts->ctx, nxt_kdc_str);
+ krb5_free_unparsed_name(ts->ctx, nxt_kdc_str);
}
static void
tr_dbg_ret(struct tr_state *ts, const char *prog, krb5_error_code ret)
{
fprintf(stderr, "%s: return %d (%s)\n", prog, (int)ret,
- error_message(ret));
+ error_message(ret));
}
static void
@@ -277,7 +278,7 @@ tr_dbg_rtree(struct tr_state *ts, const char *prog, krb5_principal princ)
char *str;
if (krb5_unparse_name(ts->ctx, princ, &str))
- return;
+ return;
fprintf(stderr, "%s: %s\n", prog, str);
krb5_free_unparsed_name(ts->ctx, str);
}
@@ -296,8 +297,8 @@ tr_dbg_rtree(struct tr_state *ts, const char *prog, krb5_principal princ)
*/
static krb5_error_code
tgt_mcred(krb5_context ctx, krb5_principal client,
- krb5_principal dst, krb5_principal src,
- krb5_creds *mcreds)
+ krb5_principal dst, krb5_principal src,
+ krb5_creds *mcreds)
{
krb5_error_code retval;
@@ -306,16 +307,16 @@ tgt_mcred(krb5_context ctx, krb5_principal client,
retval = krb5_copy_principal(ctx, client, &mcreds->client);
if (retval)
- goto cleanup;
+ goto cleanup;
retval = krb5_tgtname(ctx, krb5_princ_realm(ctx, dst),
- krb5_princ_realm(ctx, src), &mcreds->server);
+ krb5_princ_realm(ctx, src), &mcreds->server);
if (retval)
- goto cleanup;
+ goto cleanup;
cleanup:
if (retval)
- krb5_free_cred_contents(ctx, mcreds);
+ krb5_free_cred_contents(ctx, mcreds);
return retval;
}
@@ -327,27 +328,27 @@ cleanup:
*/
static krb5_error_code
init_rtree(struct tr_state *ts,
- krb5_principal client, krb5_principal server)
+ krb5_principal client, krb5_principal server)
{
krb5_error_code retval;
ts->kdc_list = NULL;
retval = krb5_walk_realm_tree(ts->ctx, krb5_princ_realm(ts->ctx, client),
- krb5_princ_realm(ts->ctx, server),
- &ts->kdc_list, KRB5_REALM_BRANCH_CHAR);
+ krb5_princ_realm(ts->ctx, server),
+ &ts->kdc_list, KRB5_REALM_BRANCH_CHAR);
if (retval)
- return retval;
+ return retval;
for (ts->nkdcs = 0; ts->kdc_list[ts->nkdcs]; ts->nkdcs++) {
- assert(krb5_princ_size(ts->ctx, ts->kdc_list[ts->nkdcs]) == 2);
- TR_DBG_RTREE(ts, "init_rtree", ts->kdc_list[ts->nkdcs]);
+ assert(krb5_princ_size(ts->ctx, ts->kdc_list[ts->nkdcs]) == 2);
+ TR_DBG_RTREE(ts, "init_rtree", ts->kdc_list[ts->nkdcs]);
}
assert(ts->nkdcs > 1);
ts->lst_kdc = ts->kdc_list + ts->nkdcs - 1;
ts->kdc_tgts = calloc(ts->nkdcs + 1, sizeof(krb5_creds));
if (ts->kdc_tgts == NULL)
- return ENOMEM;
+ return ENOMEM;
return 0;
}
@@ -366,16 +367,16 @@ retr_local_tgt(struct tr_state *ts, krb5_principal client)
memset(&tgtq, 0, sizeof(tgtq));
retval = tgt_mcred(ts->ctx, client, client, client, &tgtq);
if (retval)
- return retval;
+ return retval;
/* Match realm, unlike other ccache retrievals here. */
retval = krb5_cc_retrieve_cred(ts->ctx, ts->ccache,
- KRB5_TC_SUPPORTED_KTYPES,
- &tgtq, ts->nxt_cc_tgt);
+ KRB5_TC_SUPPORTED_KTYPES,
+ &tgtq, ts->nxt_cc_tgt);
krb5_free_cred_contents(ts->ctx, &tgtq);
if (!retval) {
- shift_cc_tgts(ts);
- ts->nxt_tgt = ts->cur_tgt = ts->cur_cc_tgt;
+ shift_cc_tgts(ts);
+ ts->nxt_tgt = ts->cur_tgt = ts->cur_cc_tgt;
}
return retval;
}
@@ -393,10 +394,10 @@ try_ccache(struct tr_state *ts, krb5_creds *tgtq)
TR_DBG(ts, "try_ccache");
retval = krb5_cc_retrieve_cred(ts->ctx, ts->ccache, RETR_FLAGS,
- tgtq, ts->nxt_cc_tgt);
+ tgtq, ts->nxt_cc_tgt);
if (!retval) {
- shift_cc_tgts(ts);
- ts->nxt_tgt = ts->cur_cc_tgt;
+ shift_cc_tgts(ts);
+ ts->nxt_tgt = ts->cur_cc_tgt;
}
TR_DBG_RET(ts, "try_ccache", retval);
return retval;
@@ -436,31 +437,31 @@ find_nxt_kdc(struct tr_state *ts)
assert(ts->ntgts > 0);
assert(ts->nxt_tgt == ts->kdc_tgts[ts->ntgts-1]);
if (krb5_princ_size(ts->ctx, ts->nxt_tgt->server) != 2)
- return KRB5_KDCREP_MODIFIED;
+ return KRB5_KDCREP_MODIFIED;
r1 = krb5_princ_component(ts->ctx, ts->nxt_tgt->server, 1);
for (kdcptr = ts->cur_kdc + 1; *kdcptr != NULL; kdcptr++) {
- r2 = krb5_princ_component(ts->ctx, *kdcptr, 1);
+ r2 = krb5_princ_component(ts->ctx, *kdcptr, 1);
- if (r1 != NULL && r2 != NULL && data_eq(*r1, *r2)) {
- break;
- }
+ if (r1 != NULL && r2 != NULL && data_eq(*r1, *r2)) {
+ break;
+ }
}
if (*kdcptr != NULL) {
- ts->nxt_kdc = kdcptr;
- TR_DBG_RET(ts, "find_nxt_kdc", 0);
- return 0;
+ ts->nxt_kdc = kdcptr;
+ TR_DBG_RET(ts, "find_nxt_kdc", 0);
+ return 0;
}
r2 = krb5_princ_component(ts->ctx, ts->kdc_list[0], 1);
if (r1 != NULL && r2 != NULL &&
- r1->length == r2->length &&
- !memcmp(r1->data, r2->data, r1->length)) {
- TR_DBG_RET(ts, "find_nxt_kdc: looped back to local",
- KRB5_KDCREP_MODIFIED);
- return KRB5_KDCREP_MODIFIED;
+ r1->length == r2->length &&
+ !memcmp(r1->data, r2->data, r1->length)) {
+ TR_DBG_RET(ts, "find_nxt_kdc: looped back to local",
+ KRB5_KDCREP_MODIFIED);
+ return KRB5_KDCREP_MODIFIED;
}
/*
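Review bot: In find_nxt_kdc the loop-back check compares the realm components by hand (`r1->length == r2->length && !memcmp(r1->data, r2->data, r1->length)`) while the loop just above uses `data_eq(*r1, *r2)` for the same comparison; use `if (r1 != NULL && r2 != NULL && data_eq(*r1, *r2)) {` so the two checks cannot drift apart. The off-path handling that follows continues in the next hunk.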
@@ -469,11 +470,11 @@ find_nxt_kdc(struct tr_state *ts)
*/
ts->offpath_tgt = ts->nxt_tgt;
if (ts->cur_kdc == ts->kdc_list) {
- /*
- * Local KDC referred us off path; trust it for caching
- * purposes.
- */
- return 0;
+ /*
+ * Local KDC referred us off path; trust it for caching
+ * purposes.
+ */
+ return 0;
}
/*
* Unlink the off-path TGT from KDC_TGTS but don't free it,
@@ -500,20 +501,20 @@ try_kdc(struct tr_state *ts, krb5_creds *tgtq)
TR_DBG(ts, "try_kdc");
/* This check should probably be in gc_via_tkt. */
if (!krb5_c_valid_enctype(ts->cur_tgt->keyblock.enctype))
- return KRB5_PROG_ETYPE_NOSUPP;
+ return KRB5_PROG_ETYPE_NOSUPP;
ltgtq = *tgtq;
ltgtq.is_skey = FALSE;
ltgtq.ticket_flags = ts->cur_tgt->ticket_flags;
retval = krb5_get_cred_via_tkt(ts->ctx, ts->cur_tgt,
- FLAGS2OPTS(ltgtq.ticket_flags),
- ts->cur_tgt->addresses,
- &ltgtq, &ts->kdc_tgts[ts->ntgts++]);
+ FLAGS2OPTS(ltgtq.ticket_flags),
+ ts->cur_tgt->addresses,
+ &ltgtq, &ts->kdc_tgts[ts->ntgts++]);
if (retval) {
- ts->ntgts--;
- ts->nxt_tgt = ts->cur_tgt;
- TR_DBG_RET(ts, "try_kdc", retval);
- return retval;
+ ts->ntgts--;
+ ts->nxt_tgt = ts->cur_tgt;
+ TR_DBG_RET(ts, "try_kdc", retval);
+ return retval;
}
ts->nxt_tgt = ts->kdc_tgts[ts->ntgts-1];
retval = find_nxt_kdc(ts);
@@ -544,15 +545,15 @@ kdc_mcred(struct tr_state *ts, krb5_principal client, krb5_creds *mcreds)
rsrc = krb5_princ_component(ts->ctx, *ts->cur_kdc, 1);
retval = krb5_copy_principal(ts->ctx, client, &mcreds->client);
if (retval)
- goto cleanup;
+ goto cleanup;
retval = krb5_tgtname(ts->ctx, rdst, rsrc, &mcreds->server);
if (retval)
- goto cleanup;
+ goto cleanup;
cleanup:
if (retval)
- krb5_free_cred_contents(ts->ctx, mcreds);
+ krb5_free_cred_contents(ts->ctx, mcreds);
return retval;
}
@@ -574,30 +575,30 @@ next_closest_tgt(struct tr_state *ts, krb5_principal client)
memset(&tgtq, 0, sizeof(tgtq));
for (ts->nxt_kdc = ts->lst_kdc;
- ts->nxt_kdc > ts->cur_kdc;
- ts->nxt_kdc--) {
-
- krb5_free_cred_contents(ts->ctx, &tgtq);
- retval = kdc_mcred(ts, client, &tgtq);
- if (retval)
- goto cleanup;
- /* Don't waste time retrying ccache for direct path. */
- if (ts->cur_kdc != ts->kdc_list || ts->nxt_kdc != ts->lst_kdc) {
- retval = try_ccache(ts, &tgtq);
- if (!retval)
- break;
- if (HARD_CC_ERR(retval))
- goto cleanup;
- }
- /* Not in the ccache, so talk to a KDC. */
- retval = try_kdc(ts, &tgtq);
- if (!retval) {
- break;
- }
- /*
- * In case of errors in try_kdc() or find_nxt_kdc(), continue
- * looping through the KDC list.
- */
+ ts->nxt_kdc > ts->cur_kdc;
+ ts->nxt_kdc--) {
+
+ krb5_free_cred_contents(ts->ctx, &tgtq);
+ retval = kdc_mcred(ts, client, &tgtq);
+ if (retval)
+ goto cleanup;
+ /* Don't waste time retrying ccache for direct path. */
+ if (ts->cur_kdc != ts->kdc_list || ts->nxt_kdc != ts->lst_kdc) {
+ retval = try_ccache(ts, &tgtq);
+ if (!retval)
+ break;
+ if (HARD_CC_ERR(retval))
+ goto cleanup;
+ }
+ /* Not in the ccache, so talk to a KDC. */
+ retval = try_kdc(ts, &tgtq);
+ if (!retval) {
+ break;
+ }
+ /*
+ * In case of errors in try_kdc() or find_nxt_kdc(), continue
+ * looping through the KDC list.
+ */
}
/*
* If we have a non-zero retval, we either have a hard error or we
@@ -700,13 +701,13 @@ cleanup:
*/
static krb5_error_code
do_traversal(krb5_context ctx,
- krb5_ccache ccache,
- krb5_principal client,
- krb5_principal server,
- krb5_creds *out_cc_tgt,
- krb5_creds **out_tgt,
- krb5_creds ***out_kdc_tgts,
- int *tgtptr_isoffpath)
+ krb5_ccache ccache,
+ krb5_principal client,
+ krb5_principal server,
+ krb5_creds *out_cc_tgt,
+ krb5_creds **out_tgt,
+ krb5_creds ***out_kdc_tgts,
+ int *tgtptr_isoffpath)
{
krb5_error_code retval;
struct tr_state state, *ts;
@@ -721,51 +722,51 @@ do_traversal(krb5_context ctx,
retval = init_rtree(ts, client, server);
if (retval)
- goto cleanup;
+ goto cleanup;
retval = retr_local_tgt(ts, client);
if (retval)
- goto cleanup;
+ goto cleanup;
for (ts->cur_kdc = ts->kdc_list, ts->nxt_kdc = NULL;
- ts->cur_kdc != NULL && ts->cur_kdc < ts->lst_kdc;
- ts->cur_kdc = ts->nxt_kdc, ts->cur_tgt = ts->nxt_tgt) {
-
- retval = next_closest_tgt(ts, client);
- if (retval)
- goto cleanup;
-
- if (ts->offpath_tgt != NULL) {
- retval = chase_offpath(ts, client, server);
- if (retval)
- goto cleanup;
- break;
- }
- assert(ts->cur_kdc != ts->nxt_kdc);
+ ts->cur_kdc != NULL && ts->cur_kdc < ts->lst_kdc;
+ ts->cur_kdc = ts->nxt_kdc, ts->cur_tgt = ts->nxt_tgt) {
+
+ retval = next_closest_tgt(ts, client);
+ if (retval)
+ goto cleanup;
+
+ if (ts->offpath_tgt != NULL) {
+ retval = chase_offpath(ts, client, server);
+ if (retval)
+ goto cleanup;
+ break;
+ }
+ assert(ts->cur_kdc != ts->nxt_kdc);
}
if (NXT_TGT_IS_CACHED(ts)) {
- assert(ts->offpath_tgt == NULL);
- *out_cc_tgt = *ts->cur_cc_tgt;
- *out_tgt = out_cc_tgt;
- MARK_CUR_CC_TGT_CLEAN(ts);
+ assert(ts->offpath_tgt == NULL);
+ *out_cc_tgt = *ts->cur_cc_tgt;
+ *out_tgt = out_cc_tgt;
+ MARK_CUR_CC_TGT_CLEAN(ts);
} else if (ts->offpath_tgt != NULL){
- *out_tgt = ts->offpath_tgt;
+ *out_tgt = ts->offpath_tgt;
} else {
- /* CUR_TGT is somewhere in KDC_TGTS; no need to copy. */
- *out_tgt = ts->nxt_tgt;
+ /* CUR_TGT is somewhere in KDC_TGTS; no need to copy. */
+ *out_tgt = ts->nxt_tgt;
}
cleanup:
clean_cc_tgts(ts);
if (ts->kdc_list != NULL)
- krb5_free_realm_tree(ctx, ts->kdc_list);
+ krb5_free_realm_tree(ctx, ts->kdc_list);
if (ts->ntgts == 0) {
- *out_kdc_tgts = NULL;
- if (ts->kdc_tgts != NULL)
- free(ts->kdc_tgts);
+ *out_kdc_tgts = NULL;
+ if (ts->kdc_tgts != NULL)
+ free(ts->kdc_tgts);
} else
- *out_kdc_tgts = ts->kdc_tgts;
+ *out_kdc_tgts = ts->kdc_tgts;
*tgtptr_isoffpath = (ts->offpath_tgt != NULL);
return retval;
}
@@ -785,7 +786,7 @@ cleanup:
*/
static krb5_error_code
chase_offpath(struct tr_state *ts,
- krb5_principal client, krb5_principal server)
+ krb5_principal client, krb5_principal server)
{
krb5_error_code retval;
krb5_creds mcred;
@@ -797,61 +798,61 @@ chase_offpath(struct tr_state *ts,
cur_tgt = ts->offpath_tgt;
for (rcount = 0; rcount < KRB5_REFERRAL_MAXHOPS; rcount++) {
- nxt_tgt = NULL;
- memset(&mcred, 0, sizeof(mcred));
- rsrc = krb5_princ_component(ts->ctx, cur_tgt->server, 1);
- retval = krb5_tgtname(ts->ctx, rdst, rsrc, &mcred.server);
- if (retval)
- goto cleanup;
- mcred.client = client;
+ nxt_tgt = NULL;
+ memset(&mcred, 0, sizeof(mcred));
+ rsrc = krb5_princ_component(ts->ctx, cur_tgt->server, 1);
+ retval = krb5_tgtname(ts->ctx, rdst, rsrc, &mcred.server);
+ if (retval)
+ goto cleanup;
+ mcred.client = client;
retval = krb5_get_cred_via_tkt(ts->ctx, cur_tgt,
- FLAGS2OPTS(cur_tgt->ticket_flags),
- cur_tgt->addresses, &mcred, &nxt_tgt);
- mcred.client = NULL;
- krb5_free_principal(ts->ctx, mcred.server);
- mcred.server = NULL;
- if (retval)
- goto cleanup;
- if (!IS_TGS_PRINC(ts->ctx, nxt_tgt->server)) {
- retval = KRB5_KDCREP_MODIFIED;
- goto cleanup;
- }
- r1 = krb5_princ_component(ts->ctx, nxt_tgt->server, 1);
- if (rdst->length == r1->length &&
- !memcmp(rdst->data, r1->data, rdst->length)) {
- retval = 0;
- goto cleanup;
- }
- retval = offpath_loopchk(ts, nxt_tgt, reftgts, rcount);
- if (retval)
- goto cleanup;
- reftgts[rcount] = nxt_tgt;
- cur_tgt = nxt_tgt;
- nxt_tgt = NULL;
+ FLAGS2OPTS(cur_tgt->ticket_flags),
+ cur_tgt->addresses, &mcred, &nxt_tgt);
+ mcred.client = NULL;
+ krb5_free_principal(ts->ctx, mcred.server);
+ mcred.server = NULL;
+ if (retval)
+ goto cleanup;
+ if (!IS_TGS_PRINC(ts->ctx, nxt_tgt->server)) {
+ retval = KRB5_KDCREP_MODIFIED;
+ goto cleanup;
+ }
+ r1 = krb5_princ_component(ts->ctx, nxt_tgt->server, 1);
+ if (rdst->length == r1->length &&
+ !memcmp(rdst->data, r1->data, rdst->length)) {
+ retval = 0;
+ goto cleanup;
+ }
+ retval = offpath_loopchk(ts, nxt_tgt, reftgts, rcount);
+ if (retval)
+ goto cleanup;
+ reftgts[rcount] = nxt_tgt;
+ cur_tgt = nxt_tgt;
+ nxt_tgt = NULL;
}
/* Max hop count exceeded. */
retval = KRB5_KDCREP_MODIFIED;
cleanup:
if (mcred.server != NULL) {
- krb5_free_principal(ts->ctx, mcred.server);
+ krb5_free_principal(ts->ctx, mcred.server);
}
/*
* Don't free TS->OFFPATH_TGT if it's in the list of cacheable
* TGTs to be returned by do_traversal().
*/
if (ts->offpath_tgt != ts->nxt_tgt) {
- krb5_free_creds(ts->ctx, ts->offpath_tgt);
+ krb5_free_creds(ts->ctx, ts->offpath_tgt);
}
ts->offpath_tgt = NULL;
if (nxt_tgt != NULL) {
- if (retval)
- krb5_free_creds(ts->ctx, nxt_tgt);
- else
- ts->offpath_tgt = nxt_tgt;
+ if (retval)
+ krb5_free_creds(ts->ctx, nxt_tgt);
+ else
+ ts->offpath_tgt = nxt_tgt;
}
for (i = 0; i < rcount; i++) {
- krb5_free_creds(ts->ctx, reftgts[i]);
+ krb5_free_creds(ts->ctx, reftgts[i]);
}
return retval;
}
@@ -864,23 +865,23 @@ cleanup:
*/
static krb5_error_code
offpath_loopchk(struct tr_state *ts,
- krb5_creds *tgt, krb5_creds *reftgts[], unsigned int rcount)
+ krb5_creds *tgt, krb5_creds *reftgts[], unsigned int rcount)
{
krb5_data *r1, *r2;
unsigned int i;
r1 = krb5_princ_component(ts->ctx, tgt->server, 1);
for (i = 0; i < rcount; i++) {
- r2 = krb5_princ_component(ts->ctx, reftgts[i]->server, 1);
- if (r1->length == r2->length &&
- !memcmp(r1->data, r2->data, r1->length))
- return KRB5_KDCREP_MODIFIED;
+ r2 = krb5_princ_component(ts->ctx, reftgts[i]->server, 1);
+ if (r1->length == r2->length &&
+ !memcmp(r1->data, r2->data, r1->length))
+ return KRB5_KDCREP_MODIFIED;
}
for (i = 0; i < ts->ntgts; i++) {
- r2 = krb5_princ_component(ts->ctx, ts->kdc_tgts[i]->server, 1);
- if (r1->length == r2->length &&
- !memcmp(r1->data, r2->data, r1->length))
- return KRB5_KDCREP_MODIFIED;
+ r2 = krb5_princ_component(ts->ctx, ts->kdc_tgts[i]->server, 1);
+ if (r1->length == r2->length &&
+ !memcmp(r1->data, r2->data, r1->length))
+ return KRB5_KDCREP_MODIFIED;
}
return 0;
}
@@ -923,8 +924,8 @@ offpath_loopchk(struct tr_state *ts,
krb5_error_code
krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache,
- krb5_creds *in_cred, krb5_creds **out_cred,
- krb5_creds ***tgts, int kdcopt)
+ krb5_creds *in_cred, krb5_creds **out_cred,
+ krb5_creds ***tgts, int kdcopt)
{
krb5_error_code retval, subretval;
krb5_principal client, server, supplied_server, out_supplied_server;
@@ -936,7 +937,7 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache,
unsigned int referral_count, i;
krb5_authdata **supplied_authdata, **out_supplied_authdata = NULL;
- /*
+ /*
* Set up client and server pointers. Make a fresh and modifyable
* copy of the in_cred server and save the supplied version.
*/
@@ -945,17 +946,17 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache,
return retval;
/* We need a second copy for the output creds. */
if ((retval = krb5_copy_principal(context, server,
- &out_supplied_server)) != 0 ) {
- krb5_free_principal(context, server);
- return retval;
+ &out_supplied_server)) != 0 ) {
+ krb5_free_principal(context, server);
+ return retval;
}
if (in_cred->authdata != NULL) {
- if ((retval = krb5_copy_authdata(context, in_cred->authdata,
- &out_supplied_authdata)) != 0) {
- krb5_free_principal(context, out_supplied_server);
- krb5_free_principal(context, server);
- return retval;
- }
+ if ((retval = krb5_copy_authdata(context, in_cred->authdata,
+ &out_supplied_authdata)) != 0) {
+ krb5_free_principal(context, out_supplied_server);
+ krb5_free_principal(context, server);
+ return retval;
+ }
}
supplied_server = in_cred->server;
@@ -977,16 +978,16 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache,
if (krb5_is_referral_realm(&server->realm)) {
/* Use the client realm. */
DPRINTF(("gc_from_kdc: no server realm supplied, "
- "using client realm.\n"));
- krb5_free_data_contents(context, &server->realm);
- server->realm.data = malloc(client->realm.length + 1);
- if (server->realm.data == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
- memcpy(server->realm.data, client->realm.data, client->realm.length);
- server->realm.length = client->realm.length;
- server->realm.data[server->realm.length] = 0;
+ "using client realm.\n"));
+ krb5_free_data_contents(context, &server->realm);
+ server->realm.data = malloc(client->realm.length + 1);
+ if (server->realm.data == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+ memcpy(server->realm.data, client->realm.data, client->realm.length);
+ server->realm.length = client->realm.length;
+ server->realm.data[server->realm.length] = 0;
}
/*
* Retreive initial TGT to match the specified server, either for the
@@ -995,21 +996,21 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache,
*/
retval = tgt_mcred(context, client, server, client, &tgtq);
if (retval)
- goto cleanup;
+ goto cleanup;
/* Fast path: Is it in the ccache? */
context->use_conf_ktypes = 1;
retval = krb5_cc_retrieve_cred(context, ccache, RETR_FLAGS,
- &tgtq, &cc_tgt);
+ &tgtq, &cc_tgt);
if (!retval) {
- tgtptr = &cc_tgt;
+ tgtptr = &cc_tgt;
} else if (!HARD_CC_ERR(retval)) {
DPRINTF(("gc_from_kdc: starting do_traversal to find "
- "initial TGT for referral\n"));
- tgtptr_isoffpath = 0;
- otgtptr = NULL;
- retval = do_traversal(context, ccache, client, server,
- &cc_tgt, &tgtptr, tgts, &tgtptr_isoffpath);
+ "initial TGT for referral\n"));
+ tgtptr_isoffpath = 0;
+ otgtptr = NULL;
+ retval = do_traversal(context, ccache, client, server,
+ &cc_tgt, &tgtptr, tgts, &tgtptr_isoffpath);
}
if (retval) {
DPRINTF(("gc_from_kdc: failed to find initial TGT for referral\n"));
@@ -1019,8 +1020,8 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache,
DUMP_PRINC("gc_from_kdc: server as requested", supplied_server);
if (in_cred->second_ticket.length != 0 &&
- (kdcopt & KDC_OPT_CNAME_IN_ADDL_TKT) == 0) {
- kdcopt |= KDC_OPT_ENC_TKT_IN_SKEY;
+ (kdcopt & KDC_OPT_CNAME_IN_ADDL_TKT) == 0) {
+ kdcopt |= KDC_OPT_ENC_TKT_IN_SKEY;
}
/*
@@ -1035,152 +1036,152 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache,
*/
otgtptr = tgtptr;
for (referral_count = 0;
- referral_count < KRB5_REFERRAL_MAXHOPS;
- referral_count++) {
+ referral_count < KRB5_REFERRAL_MAXHOPS;
+ referral_count++) {
#if 0
DUMP_PRINC("gc_from_kdc: referral loop: tgt in use", tgtptr->server);
DUMP_PRINC("gc_from_kdc: referral loop: request is for", server);
#endif
retval = krb5_get_cred_via_tkt(context, tgtptr,
- KDC_OPT_CANONICALIZE |
- FLAGS2OPTS(tgtptr->ticket_flags) |
- kdcopt,
- tgtptr->addresses, in_cred, out_cred);
- if (retval) {
- DPRINTF(("gc_from_kdc: referral TGS-REQ request failed: <%s>\n",
- error_message(retval)));
- /* If we haven't gone anywhere yet, fail through to the
- non-referral case. */
- if (referral_count==0) {
- DPRINTF(("gc_from_kdc: initial referral failed; "
- "punting to fallback.\n"));
- break;
- }
- /* Otherwise, try the same query without canonicalization
- set, and fail hard if that doesn't work. */
- DPRINTF(("gc_from_kdc: referral #%d failed; "
- "retrying without option.\n", referral_count + 1));
- retval = krb5_get_cred_via_tkt(context, tgtptr,
- FLAGS2OPTS(tgtptr->ticket_flags) |
- kdcopt,
- tgtptr->addresses,
- in_cred, out_cred);
- /* Whether or not that succeeded, we're done. */
- goto cleanup;
- }
- /* Referral request succeeded; let's see what it is. */
- if (krb5_principal_compare(context, in_cred->server,
- (*out_cred)->server)) {
- DPRINTF(("gc_from_kdc: request generated ticket "
- "for requested server principal\n"));
- DUMP_PRINC("gc_from_kdc final referred reply",
- in_cred->server);
-
- /*
- * Check if the return enctype is one that we requested if
- * needed.
- */
- if (old_use_conf_ktypes || !context->tgs_etypes)
- goto cleanup;
- for (i = 0; context->tgs_etypes[i]; i++) {
- if ((*out_cred)->keyblock.enctype == context->tgs_etypes[i]) {
- /* Found an allowable etype, so we're done */
- goto cleanup;
- }
- }
- /*
- * We need to try again, but this time use the
- * tgs_ktypes in the context. At this point we should
- * have all the tgts to succeed.
- */
-
- /* Free "wrong" credential */
- krb5_free_creds(context, *out_cred);
- *out_cred = NULL;
- /* Re-establish tgs etypes */
- context->use_conf_ktypes = old_use_conf_ktypes;
- retval = krb5_get_cred_via_tkt(context, tgtptr,
- KDC_OPT_CANONICALIZE |
- FLAGS2OPTS(tgtptr->ticket_flags) |
- kdcopt,
- tgtptr->addresses,
- in_cred, out_cred);
- goto cleanup;
- }
- else if (IS_TGS_PRINC(context, (*out_cred)->server)) {
- krb5_data *r1, *r2;
-
- DPRINTF(("gc_from_kdc: request generated referral tgt\n"));
- DUMP_PRINC("gc_from_kdc credential received",
- (*out_cred)->server);
-
- if (referral_count == 0)
- r1 = &tgtptr->server->data[1];
- else
- r1 = &referral_tgts[referral_count-1]->server->data[1];
-
- r2 = &(*out_cred)->server->data[1];
- if (data_eq(*r1, *r2)) {
- DPRINTF(("gc_from_kdc: referred back to "
- "previous realm; fall back\n"));
- krb5_free_creds(context, *out_cred);
- *out_cred = NULL;
- break;
- }
- /* Check for referral routing loop. */
- for (i=0;i<referral_count;i++) {
+ KDC_OPT_CANONICALIZE |
+ FLAGS2OPTS(tgtptr->ticket_flags) |
+ kdcopt,
+ tgtptr->addresses, in_cred, out_cred);
+ if (retval) {
+ DPRINTF(("gc_from_kdc: referral TGS-REQ request failed: <%s>\n",
+ error_message(retval)));
+ /* If we haven't gone anywhere yet, fail through to the
+ non-referral case. */
+ if (referral_count==0) {
+ DPRINTF(("gc_from_kdc: initial referral failed; "
+ "punting to fallback.\n"));
+ break;
+ }
+ /* Otherwise, try the same query without canonicalization
+ set, and fail hard if that doesn't work. */
+ DPRINTF(("gc_from_kdc: referral #%d failed; "
+ "retrying without option.\n", referral_count + 1));
+ retval = krb5_get_cred_via_tkt(context, tgtptr,
+ FLAGS2OPTS(tgtptr->ticket_flags) |
+ kdcopt,
+ tgtptr->addresses,
+ in_cred, out_cred);
+ /* Whether or not that succeeded, we're done. */
+ goto cleanup;
+ }
+ /* Referral request succeeded; let's see what it is. */
+ if (krb5_principal_compare(context, in_cred->server,
+ (*out_cred)->server)) {
+ DPRINTF(("gc_from_kdc: request generated ticket "
+ "for requested server principal\n"));
+ DUMP_PRINC("gc_from_kdc final referred reply",
+ in_cred->server);
+
+ /*
+ * Check if the return enctype is one that we requested if
+ * needed.
+ */
+ if (old_use_conf_ktypes || !context->tgs_etypes)
+ goto cleanup;
+ for (i = 0; context->tgs_etypes[i]; i++) {
+ if ((*out_cred)->keyblock.enctype == context->tgs_etypes[i]) {
+ /* Found an allowable etype, so we're done */
+ goto cleanup;
+ }
+ }
+ /*
+ * We need to try again, but this time use the
+ * tgs_ktypes in the context. At this point we should
+ * have all the tgts to succeed.
+ */
+
+ /* Free "wrong" credential */
+ krb5_free_creds(context, *out_cred);
+ *out_cred = NULL;
+ /* Re-establish tgs etypes */
+ context->use_conf_ktypes = old_use_conf_ktypes;
+ retval = krb5_get_cred_via_tkt(context, tgtptr,
+ KDC_OPT_CANONICALIZE |
+ FLAGS2OPTS(tgtptr->ticket_flags) |
+ kdcopt,
+ tgtptr->addresses,
+ in_cred, out_cred);
+ goto cleanup;
+ }
+ else if (IS_TGS_PRINC(context, (*out_cred)->server)) {
+ krb5_data *r1, *r2;
+
+ DPRINTF(("gc_from_kdc: request generated referral tgt\n"));
+ DUMP_PRINC("gc_from_kdc credential received",
+ (*out_cred)->server);
+
+ if (referral_count == 0)
+ r1 = &tgtptr->server->data[1];
+ else
+ r1 = &referral_tgts[referral_count-1]->server->data[1];
+
+ r2 = &(*out_cred)->server->data[1];
+ if (data_eq(*r1, *r2)) {
+ DPRINTF(("gc_from_kdc: referred back to "
+ "previous realm; fall back\n"));
+ krb5_free_creds(context, *out_cred);
+ *out_cred = NULL;
+ break;
+ }
+ /* Check for referral routing loop. */
+ for (i=0;i<referral_count;i++) {
#if 0
- DUMP_PRINC("gc_from_kdc: loop compare #1",
- (*out_cred)->server);
- DUMP_PRINC("gc_from_kdc: loop compare #2",
- referral_tgts[i]->server);
+ DUMP_PRINC("gc_from_kdc: loop compare #1",
+ (*out_cred)->server);
+ DUMP_PRINC("gc_from_kdc: loop compare #2",
+ referral_tgts[i]->server);
#endif
- if (krb5_principal_compare(context,
- (*out_cred)->server,
- referral_tgts[i]->server)) {
- DFPRINTF((stderr,
- "krb5_get_cred_from_kdc_opt: "
- "referral routing loop - "
- "got referral back to hop #%d\n", i));
- retval=KRB5_KDC_UNREACH;
- goto cleanup;
- }
- }
- /* Point current tgt pointer at newly-received TGT. */
- if (tgtptr == &cc_tgt)
- krb5_free_cred_contents(context, tgtptr);
- tgtptr=*out_cred;
- /* Save requested auth data with TGT in case it ends up stored */
- if (supplied_authdata != NULL) {
- /* Ensure we note TGT contains authorization data */
- retval = krb5_copy_authdata(context,
- supplied_authdata,
- &(*out_cred)->authdata);
- if (retval)
- goto cleanup;
- }
- /* Save pointer to tgt in referral_tgts. */
- referral_tgts[referral_count]=*out_cred;
- *out_cred = NULL;
- /* Copy krbtgt realm to server principal. */
- krb5_free_data_contents(context, &server->realm);
- retval = krb5int_copy_data_contents(context,
- &tgtptr->server->data[1],
- &server->realm);
- if (retval)
- goto cleanup;
- /* Don't ask for KDC to add auth data multiple times */
- in_cred->authdata = NULL;
- /*
- * Future work: rewrite server principal per any
- * supplied padata.
- */
- } else {
- /* Not a TGT; punt to fallback. */
- krb5_free_creds(context, *out_cred);
- *out_cred = NULL;
- break;
- }
+ if (krb5_principal_compare(context,
+ (*out_cred)->server,
+ referral_tgts[i]->server)) {
+ DFPRINTF((stderr,
+ "krb5_get_cred_from_kdc_opt: "
+ "referral routing loop - "
+ "got referral back to hop #%d\n", i));
+ retval=KRB5_KDC_UNREACH;
+ goto cleanup;
+ }
+ }
+ /* Point current tgt pointer at newly-received TGT. */
+ if (tgtptr == &cc_tgt)
+ krb5_free_cred_contents(context, tgtptr);
+ tgtptr=*out_cred;
+ /* Save requested auth data with TGT in case it ends up stored */
+ if (supplied_authdata != NULL) {
+ /* Ensure we note TGT contains authorization data */
+ retval = krb5_copy_authdata(context,
+ supplied_authdata,
+ &(*out_cred)->authdata);
+ if (retval)
+ goto cleanup;
+ }
+ /* Save pointer to tgt in referral_tgts. */
+ referral_tgts[referral_count]=*out_cred;
+ *out_cred = NULL;
+ /* Copy krbtgt realm to server principal. */
+ krb5_free_data_contents(context, &server->realm);
+ retval = krb5int_copy_data_contents(context,
+ &tgtptr->server->data[1],
+ &server->realm);
+ if (retval)
+ goto cleanup;
+ /* Don't ask for KDC to add auth data multiple times */
+ in_cred->authdata = NULL;
+ /*
+ * Future work: rewrite server principal per any
+ * supplied padata.
+ */
+ } else {
+ /* Not a TGT; punt to fallback. */
+ krb5_free_creds(context, *out_cred);
+ *out_cred = NULL;
+ break;
+ }
}
DUMP_PRINC("gc_from_kdc client at fallback", client);
@@ -1198,33 +1199,33 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache,
*/
if (krb5_is_referral_realm(&supplied_server->realm)) {
if (server->length >= 2) {
- retval=krb5_get_fallback_host_realm(context, &server->data[1],
- &hrealms);
- if (retval) goto cleanup;
+ retval=krb5_get_fallback_host_realm(context, &server->data[1],
+ &hrealms);
+ if (retval) goto cleanup;
#if 0
- DPRINTF(("gc_from_kdc: using fallback realm of %s\n",
- hrealms[0]));
+ DPRINTF(("gc_from_kdc: using fallback realm of %s\n",
+ hrealms[0]));
#endif
- krb5_free_data_contents(context,&in_cred->server->realm);
- server->realm.data=hrealms[0];
- server->realm.length=strlen(hrealms[0]);
- free(hrealms);
- }
- else {
- /*
- * Problem case: Realm tagged for referral but apparently not
- * in a <type>/<host> format that
- * krb5_get_fallback_host_realm can deal with.
- */
- DPRINTF(("gc_from_kdc: referral specified "
- "but no fallback realm avaiable!\n"));
- retval = KRB5_ERR_HOST_REALM_UNKNOWN;
- goto cleanup;
- }
+ krb5_free_data_contents(context,&in_cred->server->realm);
+ server->realm.data=hrealms[0];
+ server->realm.length=strlen(hrealms[0]);
+ free(hrealms);
+ }
+ else {
+ /*
+ * Problem case: Realm tagged for referral but apparently not
+ * in a <type>/<host> format that
+ * krb5_get_fallback_host_realm can deal with.
+ */
+ DPRINTF(("gc_from_kdc: referral specified "
+ "but no fallback realm avaiable!\n"));
+ retval = KRB5_ERR_HOST_REALM_UNKNOWN;
+ goto cleanup;
+ }
}
DUMP_PRINC("gc_from_kdc server at fallback after fallback rewrite",
- server);
+ server);
/*
* Get a TGT for the target realm.
@@ -1233,37 +1234,37 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache,
krb5_free_cred_contents(context, &tgtq);
retval = tgt_mcred(context, client, server, client, &tgtq);
if (retval)
- goto cleanup;
+ goto cleanup;
/* Fast path: Is it in the ccache? */
/* Free tgtptr data if reused from above. */
if (tgtptr == &cc_tgt)
- krb5_free_cred_contents(context, tgtptr);
+ krb5_free_cred_contents(context, tgtptr);
tgtptr = NULL;
/* Free saved TGT in OTGTPTR if it was off-path. */
if (tgtptr_isoffpath)
- krb5_free_creds(context, otgtptr);
+ krb5_free_creds(context, otgtptr);
otgtptr = NULL;
/* Free TGTS if previously filled by do_traversal() */
if (*tgts != NULL) {
- for (i = 0; (*tgts)[i] != NULL; i++) {
- krb5_free_creds(context, (*tgts)[i]);
- }
- free(*tgts);
- *tgts = NULL;
+ for (i = 0; (*tgts)[i] != NULL; i++) {
+ krb5_free_creds(context, (*tgts)[i]);
+ }
+ free(*tgts);
+ *tgts = NULL;
}
context->use_conf_ktypes = 1;
retval = krb5_cc_retrieve_cred(context, ccache, RETR_FLAGS,
- &tgtq, &cc_tgt);
+ &tgtq, &cc_tgt);
if (!retval) {
- tgtptr = &cc_tgt;
+ tgtptr = &cc_tgt;
} else if (!HARD_CC_ERR(retval)) {
- tgtptr_isoffpath = 0;
- retval = do_traversal(context, ccache, client, server,
- &cc_tgt, &tgtptr, tgts, &tgtptr_isoffpath);
+ tgtptr_isoffpath = 0;
+ retval = do_traversal(context, ccache, client, server,
+ &cc_tgt, &tgtptr, tgts, &tgtptr_isoffpath);
}
if (retval)
- goto cleanup;
+ goto cleanup;
otgtptr = tgtptr;
/*
@@ -1271,44 +1272,44 @@ krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache,
*/
if (!krb5_c_valid_enctype(tgtptr->keyblock.enctype)) {
- retval = KRB5_PROG_ETYPE_NOSUPP;
- goto cleanup;
+ retval = KRB5_PROG_ETYPE_NOSUPP;
+ goto cleanup;
}
context->use_conf_ktypes = old_use_conf_ktypes;
retval = krb5_get_cred_via_tkt(context, tgtptr,
- FLAGS2OPTS(tgtptr->ticket_flags) |
- kdcopt,
- tgtptr->addresses, in_cred, out_cred);
+ FLAGS2OPTS(tgtptr->ticket_flags) |
+ kdcopt,
+ tgtptr->addresses, in_cred, out_cred);
cleanup:
krb5_free_cred_contents(context, &tgtq);
if (tgtptr == &cc_tgt)
- krb5_free_cred_contents(context, tgtptr);
+ krb5_free_cred_contents(context, tgtptr);
if (tgtptr_isoffpath)
- krb5_free_creds(context, otgtptr);
+ krb5_free_creds(context, otgtptr);
context->use_conf_ktypes = old_use_conf_ktypes;
/* Drop the original principal back into in_cred so that it's cached
in the expected format. */
DUMP_PRINC("gc_from_kdc: final hacked server principal at cleanup",
- server);
+ server);
krb5_free_principal(context, server);
in_cred->server = supplied_server;
in_cred->authdata = supplied_authdata;
if (*out_cred && !retval) {
/* Success: free server, swap supplied server back in. */
krb5_free_principal (context, (*out_cred)->server);
- (*out_cred)->server = out_supplied_server;
- assert((*out_cred)->authdata == NULL);
- (*out_cred)->authdata = out_supplied_authdata;
+ (*out_cred)->server = out_supplied_server;
+ assert((*out_cred)->authdata == NULL);
+ (*out_cred)->authdata = out_supplied_authdata;
}
else {
- /*
- * Failure: free out_supplied_server. Don't free out_cred here
- * since it's either null or a referral TGT that we free below,
- * and we may need it to return.
- */
+ /*
+ * Failure: free out_supplied_server. Don't free out_cred here
+ * since it's either null or a referral TGT that we free below,
+ * and we may need it to return.
+ */
krb5_free_principal(context, out_supplied_server);
- krb5_free_authdata(context, out_supplied_authdata);
+ krb5_free_authdata(context, out_supplied_authdata);
}
DUMP_PRINC("gc_from_kdc: final server after reversion", in_cred->server);
/*
@@ -1323,74 +1324,74 @@ cleanup:
if (*tgts == NULL) {
if (referral_tgts[0]) {
#if 0
- /*
- * This should possibly be a check on the candidate return
- * credential against the cache, in the circumstance where we
- * don't want to clutter the cache with near-duplicate
- * credentials on subsequent iterations. For now, it is
- * disabled.
- */
- subretval=...?;
- if (subretval) {
+ /*
+ * This should possibly be a check on the candidate return
+ * credential against the cache, in the circumstance where we
+ * don't want to clutter the cache with near-duplicate
+ * credentials on subsequent iterations. For now, it is
+ * disabled.
+ */
+ subretval=...?;
+ if (subretval) {
#endif
- /* Allocate returnable TGT list. */
- *tgts = calloc(2, sizeof (krb5_creds *));
- if (*tgts == NULL && retval == 0)
- retval = ENOMEM;
- if (*tgts) {
- subretval = krb5_copy_creds(context, referral_tgts[0],
- &((*tgts)[0]));
- if (subretval) {
- if (retval == 0)
- retval = subretval;
- free(*tgts);
- *tgts = NULL;
- } else {
- (*tgts)[1] = NULL;
- DUMP_PRINC("gc_from_kdc: referral TGT for ccache",
- (*tgts)[0]->server);
- }
- }
+ /* Allocate returnable TGT list. */
+ *tgts = calloc(2, sizeof (krb5_creds *));
+ if (*tgts == NULL && retval == 0)
+ retval = ENOMEM;
+ if (*tgts) {
+ subretval = krb5_copy_creds(context, referral_tgts[0],
+ &((*tgts)[0]));
+ if (subretval) {
+ if (retval == 0)
+ retval = subretval;
+ free(*tgts);
+ *tgts = NULL;
+ } else {
+ (*tgts)[1] = NULL;
+ DUMP_PRINC("gc_from_kdc: referral TGT for ccache",
+ (*tgts)[0]->server);
+ }
+ }
#if 0
- }
+ }
#endif
- }
+ }
}
/* Free referral TGTs list. */
for (i=0;i<KRB5_REFERRAL_MAXHOPS;i++) {
if(referral_tgts[i]) {
- krb5_free_creds(context, referral_tgts[i]);
- }
+ krb5_free_creds(context, referral_tgts[i]);
+ }
}
DPRINTF(("gc_from_kdc finishing with %s\n",
- retval ? error_message(retval) : "no error"));
+ retval ? error_message(retval) : "no error"));
return retval;
}
krb5_error_code
krb5_get_cred_from_kdc(krb5_context context, krb5_ccache ccache,
- krb5_creds *in_cred, krb5_creds **out_cred,
- krb5_creds ***tgts)
+ krb5_creds *in_cred, krb5_creds **out_cred,
+ krb5_creds ***tgts)
{
return krb5_get_cred_from_kdc_opt(context, ccache, in_cred, out_cred, tgts,
- 0);
+ 0);
}
krb5_error_code
krb5_get_cred_from_kdc_validate(krb5_context context, krb5_ccache ccache,
- krb5_creds *in_cred, krb5_creds **out_cred,
- krb5_creds ***tgts)
+ krb5_creds *in_cred, krb5_creds **out_cred,
+ krb5_creds ***tgts)
{
return krb5_get_cred_from_kdc_opt(context, ccache, in_cred, out_cred, tgts,
- KDC_OPT_VALIDATE);
+ KDC_OPT_VALIDATE);
}
krb5_error_code
krb5_get_cred_from_kdc_renew(krb5_context context, krb5_ccache ccache,
- krb5_creds *in_cred, krb5_creds **out_cred,
- krb5_creds ***tgts)
+ krb5_creds *in_cred, krb5_creds **out_cred,
+ krb5_creds ***tgts)
{
return krb5_get_cred_from_kdc_opt(context, ccache, in_cred, out_cred, tgts,
- KDC_OPT_RENEW);
+ KDC_OPT_RENEW);
}
diff --git a/src/lib/krb5/krb/gc_via_tkt.c b/src/lib/krb5/krb/gc_via_tkt.c
index 273655ab5..bea435bc9 100644
--- a/src/lib/krb5/krb/gc_via_tkt.c
+++ b/src/lib/krb5/krb/gc_via_tkt.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/gc_via_tgt.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* Given a tkt, and a target cred, get it.
* Assumes that the kdc_rep has been decrypted.
@@ -34,28 +35,28 @@
static krb5_error_code
krb5_kdcrep2creds(krb5_context context, krb5_kdc_rep *pkdcrep, krb5_address *const *address, krb5_data *psectkt, krb5_creds **ppcreds)
{
- krb5_error_code retval;
+ krb5_error_code retval;
krb5_data *pdata;
-
+
if ((*ppcreds = (krb5_creds *)calloc(1,sizeof(krb5_creds))) == NULL) {
return ENOMEM;
}
if ((retval = krb5_copy_principal(context, pkdcrep->client,
- &(*ppcreds)->client)))
+ &(*ppcreds)->client)))
goto cleanup;
if ((retval = krb5_copy_principal(context, pkdcrep->enc_part2->server,
- &(*ppcreds)->server)))
+ &(*ppcreds)->server)))
goto cleanup;
- if ((retval = krb5_copy_keyblock_contents(context,
- pkdcrep->enc_part2->session,
- &(*ppcreds)->keyblock)))
+ if ((retval = krb5_copy_keyblock_contents(context,
+ pkdcrep->enc_part2->session,
+ &(*ppcreds)->keyblock)))
goto cleanup;
if ((retval = krb5_copy_data(context, psectkt, &pdata)))
- goto cleanup_keyblock;
+ goto cleanup_keyblock;
(*ppcreds)->second_ticket = *pdata;
free(pdata);
@@ -63,22 +64,22 @@ krb5_kdcrep2creds(krb5_context context, krb5_kdc_rep *pkdcrep, krb5_address *con
(*ppcreds)->times = pkdcrep->enc_part2->times;
(*ppcreds)->magic = KV5M_CREDS;
- (*ppcreds)->authdata = NULL; /* not used */
+ (*ppcreds)->authdata = NULL; /* not used */
(*ppcreds)->is_skey = psectkt->length != 0;
if (pkdcrep->enc_part2->caddrs) {
- if ((retval = krb5_copy_addresses(context, pkdcrep->enc_part2->caddrs,
- &(*ppcreds)->addresses)))
- goto cleanup_keyblock;
+ if ((retval = krb5_copy_addresses(context, pkdcrep->enc_part2->caddrs,
+ &(*ppcreds)->addresses)))
+ goto cleanup_keyblock;
} else {
- /* no addresses in the list means we got what we had */
- if ((retval = krb5_copy_addresses(context, address,
- &(*ppcreds)->addresses)))
- goto cleanup_keyblock;
+ /* no addresses in the list means we got what we had */
+ if ((retval = krb5_copy_addresses(context, address,
+ &(*ppcreds)->addresses)))
+ goto cleanup_keyblock;
}
if ((retval = encode_krb5_ticket(pkdcrep->ticket, &pdata)))
- goto cleanup_keyblock;
+ goto cleanup_keyblock;
(*ppcreds)->ticket = *pdata;
free(pdata);
@@ -92,43 +93,43 @@ cleanup:
*ppcreds = NULL;
return retval;
}
-
+
static krb5_error_code
check_reply_server(krb5_context context, krb5_flags kdcoptions,
- krb5_creds *in_cred, krb5_kdc_rep *dec_rep)
+ krb5_creds *in_cred, krb5_kdc_rep *dec_rep)
{
if (!krb5_principal_compare(context, dec_rep->ticket->server,
- dec_rep->enc_part2->server))
- return KRB5_KDCREP_MODIFIED;
+ dec_rep->enc_part2->server))
+ return KRB5_KDCREP_MODIFIED;
/* Reply is self-consistent. */
if (krb5_principal_compare(context, dec_rep->ticket->server,
- in_cred->server))
- return 0;
+ in_cred->server))
+ return 0;
/* Server in reply differs from what we requested. */
if (kdcoptions & KDC_OPT_CANONICALIZE) {
- /* in_cred server differs from ticket returned, but ticket
- returned is consistent and we requested canonicalization. */
+ /* in_cred server differs from ticket returned, but ticket
+ returned is consistent and we requested canonicalization. */
#if 0
#ifdef DEBUG_REFERRALS
- printf("gc_via_tkt: in_cred and encoding don't match but referrals requested\n");
- krb5int_dbgref_dump_principal("gc_via_tkt: in_cred",in_cred->server);
- krb5int_dbgref_dump_principal("gc_via_tkt: encoded server",dec_rep->enc_part2->server);
+ printf("gc_via_tkt: in_cred and encoding don't match but referrals requested\n");
+ krb5int_dbgref_dump_principal("gc_via_tkt: in_cred",in_cred->server);
+ krb5int_dbgref_dump_principal("gc_via_tkt: encoded server",dec_rep->enc_part2->server);
#endif
#endif
- return 0;
+ return 0;
}
/* We didn't request canonicalization. */
if (!IS_TGS_PRINC(context, in_cred->server) ||
- !IS_TGS_PRINC(context, dec_rep->ticket->server)) {
- /* Canonicalization not requested, and not a TGS referral. */
- return KRB5_KDCREP_MODIFIED;
+ !IS_TGS_PRINC(context, dec_rep->ticket->server)) {
+ /* Canonicalization not requested, and not a TGS referral. */
+ return KRB5_KDCREP_MODIFIED;
}
#if 0
/*
@@ -136,288 +137,288 @@ check_reply_server(krb5_context context, krb5_flags kdcoptions,
* effectively checks this.
*/
if (krb5_realm_compare(context, in_cred->client, in_cred->server) &&
- data_eq(*in_cred->server->data[1], *in_cred->client->realm) {
- /* Attempted to rewrite local TGS. */
- return KRB5_KDCREP_MODIFIED;
- }
+ data_eq(*in_cred->server->data[1], *in_cred->client->realm) {
+ /* Attempted to rewrite local TGS. */
+ return KRB5_KDCREP_MODIFIED;
+ }
#endif
- return 0;
-}
+ return 0;
+ }
/* Return true if a TGS credential is for the client's local realm. */
-static inline int
-tgt_is_local_realm(krb5_creds *tgt)
-{
- return (tgt->server->length == 2
- && data_eq_string(tgt->server->data[0], KRB5_TGS_NAME)
- && data_eq(tgt->server->data[1], tgt->client->realm)
- && data_eq(tgt->server->realm, tgt->client->realm));
-}
+ static inline int
+ tgt_is_local_realm(krb5_creds *tgt)
+ {
+ return (tgt->server->length == 2
+ && data_eq_string(tgt->server->data[0], KRB5_TGS_NAME)
+ && data_eq(tgt->server->data[1], tgt->client->realm)
+ && data_eq(tgt->server->realm, tgt->client->realm));
+ }
-krb5_error_code
-krb5_get_cred_via_tkt (krb5_context context, krb5_creds *tkt,
- krb5_flags kdcoptions, krb5_address *const *address,
- krb5_creds *in_cred, krb5_creds **out_cred)
-{
- return krb5_get_cred_via_tkt_ext (context, tkt,
- kdcoptions, address,
- NULL, in_cred, NULL, NULL,
- NULL, NULL, out_cred, NULL);
-}
+ krb5_error_code
+ krb5_get_cred_via_tkt (krb5_context context, krb5_creds *tkt,
+ krb5_flags kdcoptions, krb5_address *const *address,
+ krb5_creds *in_cred, krb5_creds **out_cred)
+ {
+ return krb5_get_cred_via_tkt_ext (context, tkt,
+ kdcoptions, address,
+ NULL, in_cred, NULL, NULL,
+ NULL, NULL, out_cred, NULL);
+ }
-krb5_error_code
-krb5_get_cred_via_tkt_ext (krb5_context context, krb5_creds *tkt,
- krb5_flags kdcoptions, krb5_address *const *address,
- krb5_pa_data **in_padata,
- krb5_creds *in_cred,
- krb5_error_code (*pacb_fct)(krb5_context,
- krb5_keyblock *,
- krb5_kdc_req *,
- void *),
- void *pacb_data,
- krb5_pa_data ***out_padata,
- krb5_pa_data ***out_enc_padata,
- krb5_creds **out_cred,
- krb5_keyblock **out_subkey)
-{
- krb5_error_code retval;
- krb5_kdc_rep *dec_rep;
- krb5_error *err_reply;
- krb5_response tgsrep;
- krb5_enctype *enctypes = 0;
- krb5_keyblock *subkey = NULL;
- krb5_boolean s4u2self = FALSE, second_tkt;
+ krb5_error_code
+ krb5_get_cred_via_tkt_ext (krb5_context context, krb5_creds *tkt,
+ krb5_flags kdcoptions, krb5_address *const *address,
+ krb5_pa_data **in_padata,
+ krb5_creds *in_cred,
+ krb5_error_code (*pacb_fct)(krb5_context,
+ krb5_keyblock *,
+ krb5_kdc_req *,
+ void *),
+ void *pacb_data,
+ krb5_pa_data ***out_padata,
+ krb5_pa_data ***out_enc_padata,
+ krb5_creds **out_cred,
+ krb5_keyblock **out_subkey)
+ {
+ krb5_error_code retval;
+ krb5_kdc_rep *dec_rep;
+ krb5_error *err_reply;
+ krb5_response tgsrep;
+ krb5_enctype *enctypes = 0;
+ krb5_keyblock *subkey = NULL;
+ krb5_boolean s4u2self = FALSE, second_tkt;
#ifdef DEBUG_REFERRALS
- printf("krb5_get_cred_via_tkt starting; referral flag is %s\n", kdcoptions&KDC_OPT_CANONICALIZE?"on":"off");
- krb5int_dbgref_dump_principal("krb5_get_cred_via_tkt requested ticket", in_cred->server);
- krb5int_dbgref_dump_principal("krb5_get_cred_via_tkt TGT in use", tkt->server);
+ printf("krb5_get_cred_via_tkt starting; referral flag is %s\n", kdcoptions&KDC_OPT_CANONICALIZE?"on":"off");
+ krb5int_dbgref_dump_principal("krb5_get_cred_via_tkt requested ticket", in_cred->server);
+ krb5int_dbgref_dump_principal("krb5_get_cred_via_tkt TGT in use", tkt->server);
#endif
- /* tkt->client must be equal to in_cred->client */
- if (!krb5_principal_compare(context, tkt->client, in_cred->client))
- return KRB5_PRINC_NOMATCH;
+ /* tkt->client must be equal to in_cred->client */
+ if (!krb5_principal_compare(context, tkt->client, in_cred->client))
+ return KRB5_PRINC_NOMATCH;
- if (!tkt->ticket.length)
- return KRB5_NO_TKT_SUPPLIED;
+ if (!tkt->ticket.length)
+ return KRB5_NO_TKT_SUPPLIED;
- second_tkt = ((kdcoptions & (KDC_OPT_ENC_TKT_IN_SKEY | KDC_OPT_CNAME_IN_ADDL_TKT)) != 0);
+ second_tkt = ((kdcoptions & (KDC_OPT_ENC_TKT_IN_SKEY | KDC_OPT_CNAME_IN_ADDL_TKT)) != 0);
- if (second_tkt && !in_cred->second_ticket.length)
- return(KRB5_NO_2ND_TKT);
+ if (second_tkt && !in_cred->second_ticket.length)
+ return(KRB5_NO_2ND_TKT);
- s4u2self = krb5int_find_pa_data(context, in_padata, KRB5_PADATA_S4U_X509_USER) ||
- krb5int_find_pa_data(context, in_padata, KRB5_PADATA_FOR_USER);
+ s4u2self = krb5int_find_pa_data(context, in_padata, KRB5_PADATA_S4U_X509_USER) ||
+ krb5int_find_pa_data(context, in_padata, KRB5_PADATA_FOR_USER);
- /* check if we have the right TGT */
- /* tkt->server must be equal to */
- /* krbtgt/realmof(cred->server)@realmof(tgt->server) */
+ /* check if we have the right TGT */
+ /* tkt->server must be equal to */
+ /* krbtgt/realmof(cred->server)@realmof(tgt->server) */
/*
- {
- krb5_principal tempprinc;
- if (retval = krb5_tgtname(context,
- krb5_princ_realm(context, in_cred->server),
- krb5_princ_realm(context, tkt->server), &tempprinc))
- return(retval);
-
- if (!krb5_principal_compare(context, tempprinc, tkt->server)) {
- krb5_free_principal(context, tempprinc);
- return (KRB5_PRINC_NOMATCH);
- }
- krb5_free_principal(context, tempprinc);
- }
+ {
+ krb5_principal tempprinc;
+ if (retval = krb5_tgtname(context,
+ krb5_princ_realm(context, in_cred->server),
+ krb5_princ_realm(context, tkt->server), &tempprinc))
+ return(retval);
+
+ if (!krb5_principal_compare(context, tempprinc, tkt->server)) {
+ krb5_free_principal(context, tempprinc);
+ return (KRB5_PRINC_NOMATCH);
+ }
+ krb5_free_principal(context, tempprinc);
+ }
*/
- if (in_cred->keyblock.enctype) {
- enctypes = (krb5_enctype *) malloc(sizeof(krb5_enctype)*2);
- if (!enctypes)
- return ENOMEM;
- enctypes[0] = in_cred->keyblock.enctype;
- enctypes[1] = 0;
- }
+ if (in_cred->keyblock.enctype) {
+ enctypes = (krb5_enctype *) malloc(sizeof(krb5_enctype)*2);
+ if (!enctypes)
+ return ENOMEM;
+ enctypes[0] = in_cred->keyblock.enctype;
+ enctypes[1] = 0;
+ }
- retval = krb5int_send_tgs(context, kdcoptions, &in_cred->times, enctypes,
- in_cred->server, address, in_cred->authdata,
- in_padata,
- second_tkt ? &in_cred->second_ticket : NULL,
- tkt, pacb_fct, pacb_data, &tgsrep, &subkey);
- if (enctypes)
- free(enctypes);
- if (retval) {
+ retval = krb5int_send_tgs(context, kdcoptions, &in_cred->times, enctypes,
+ in_cred->server, address, in_cred->authdata,
+ in_padata,
+ second_tkt ? &in_cred->second_ticket : NULL,
+ tkt, pacb_fct, pacb_data, &tgsrep, &subkey);
+ if (enctypes)
+ free(enctypes);
+ if (retval) {
#ifdef DEBUG_REFERRALS
- printf("krb5_get_cred_via_tkt ending early after send_tgs with: %s\n",
- error_message(retval));
+ printf("krb5_get_cred_via_tkt ending early after send_tgs with: %s\n",
+ error_message(retval));
#endif
- return retval;
- }
+ return retval;
+ }
- switch (tgsrep.message_type) {
- case KRB5_TGS_REP:
- break;
- case KRB5_ERROR:
- default:
- if (krb5_is_krb_error(&tgsrep.response))
- retval = decode_krb5_error(&tgsrep.response, &err_reply);
- else
- retval = KRB5KRB_AP_ERR_MSG_TYPE;
-
- if (retval) /* neither proper reply nor error! */
- goto error_4;
-
- retval = (krb5_error_code) err_reply->error + ERROR_TABLE_BASE_krb5;
- if (err_reply->text.length > 0) {
+ switch (tgsrep.message_type) {
+ case KRB5_TGS_REP:
+ break;
+ case KRB5_ERROR:
+ default:
+ if (krb5_is_krb_error(&tgsrep.response))
+ retval = decode_krb5_error(&tgsrep.response, &err_reply);
+ else
+ retval = KRB5KRB_AP_ERR_MSG_TYPE;
+
+ if (retval) /* neither proper reply nor error! */
+ goto error_4;
+
+ retval = (krb5_error_code) err_reply->error + ERROR_TABLE_BASE_krb5;
+ if (err_reply->text.length > 0) {
#if 0
- const char *m;
+ const char *m;
#endif
- switch (err_reply->error) {
- case KRB_ERR_GENERIC:
- krb5_set_error_message(context, retval,
- "KDC returned error string: %.*s",
- err_reply->text.length,
- err_reply->text.data);
- break;
- case KDC_ERR_S_PRINCIPAL_UNKNOWN:
- {
- char *s_name;
- if (krb5_unparse_name(context, in_cred->server, &s_name) == 0) {
- krb5_set_error_message(context, retval,
- "Server %s not found in Kerberos database",
- s_name);
- krb5_free_unparsed_name(context, s_name);
- } else
- /* In case there's a stale S_PRINCIPAL_UNKNOWN
- report already noted. */
- krb5_clear_error_message(context);
- }
- break;
- default:
+ switch (err_reply->error) {
+ case KRB_ERR_GENERIC:
+ krb5_set_error_message(context, retval,
+ "KDC returned error string: %.*s",
+ err_reply->text.length,
+ err_reply->text.data);
+ break;
+ case KDC_ERR_S_PRINCIPAL_UNKNOWN:
+ {
+ char *s_name;
+ if (krb5_unparse_name(context, in_cred->server, &s_name) == 0) {
+ krb5_set_error_message(context, retval,
+ "Server %s not found in Kerberos database",
+ s_name);
+ krb5_free_unparsed_name(context, s_name);
+ } else
+ /* In case there's a stale S_PRINCIPAL_UNKNOWN
+ report already noted. */
+ krb5_clear_error_message(context);
+ }
+ break;
+ default:
#if 0 /* We should stop the KDC from sending back this text, because
- if the local language doesn't match the KDC's language, we'd
- just wind up printing out the error message in two languages.
- Well, when we get some localization. Which is already
- happening in KfM. */
- m = error_message(retval);
- /* Special case: MIT KDC may return this same string
- in the e-text field. */
- if (strlen (m) == err_reply->text.length-1
- && !strcmp(m, err_reply->text.data))
- break;
- krb5_set_error_message(context, retval,
- "%s (KDC supplied additional data: %s)",
- m, err_reply->text.data);
+ if the local language doesn't match the KDC's language, we'd
+ just wind up printing out the error message in two languages.
+ Well, when we get some localization. Which is already
+ happening in KfM. */
+ m = error_message(retval);
+ /* Special case: MIT KDC may return this same string
+ in the e-text field. */
+ if (strlen (m) == err_reply->text.length-1
+ && !strcmp(m, err_reply->text.data))
+ break;
+ krb5_set_error_message(context, retval,
+ "%s (KDC supplied additional data: %s)",
+ m, err_reply->text.data);
#endif
- break;
- }
- }
+ break;
+ }
+ }
- krb5_free_error(context, err_reply);
- goto error_4;
- }
+ krb5_free_error(context, err_reply);
+ goto error_4;
+ }
- /* Unfortunately, Heimdal at least up through 1.2 encrypts using
- the session key not the subsession key. So we try both. */
- if ((retval = krb5int_decode_tgs_rep(context, &tgsrep.response,
- subkey,
- KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY, &dec_rep))) {
- if ((krb5int_decode_tgs_rep(context, &tgsrep.response,
- &tkt->keyblock,
- KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY, &dec_rep)) == 0)
- retval = 0;
- else goto error_4;
- }
+ /* Unfortunately, Heimdal at least up through 1.2 encrypts using
+ the session key not the subsession key. So we try both. */
+ if ((retval = krb5int_decode_tgs_rep(context, &tgsrep.response,
+ subkey,
+ KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY, &dec_rep))) {
+ if ((krb5int_decode_tgs_rep(context, &tgsrep.response,
+ &tkt->keyblock,
+ KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY, &dec_rep)) == 0)
+ retval = 0;
+ else goto error_4;
+ }
- if (dec_rep->msg_type != KRB5_TGS_REP) {
- retval = KRB5KRB_AP_ERR_MSG_TYPE;
- goto error_3;
- }
-
- /*
- * Don't trust the ok-as-delegate flag from foreign KDCs unless the
- * cross-realm TGT also had the ok-as-delegate flag set.
- */
- if (!tgt_is_local_realm(tkt)
- && !(tkt->ticket_flags & TKT_FLG_OK_AS_DELEGATE))
- dec_rep->enc_part2->flags &= ~TKT_FLG_OK_AS_DELEGATE;
-
- /* make sure the response hasn't been tampered with..... */
- retval = 0;
-
- if (s4u2self && !IS_TGS_PRINC(context, dec_rep->ticket->server)) {
- /* Final hop, check whether KDC supports S4U2Self */
- if (krb5_principal_compare(context, dec_rep->client, in_cred->server))
- retval = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
- } else if ((kdcoptions & KDC_OPT_CNAME_IN_ADDL_TKT) == 0) {
- /* XXX for constrained delegation this check must be performed by caller
- * as we don't have access to the key to decrypt the evidence ticket.
- */
- if (!krb5_principal_compare(context, dec_rep->client, tkt->client))
- retval = KRB5_KDCREP_MODIFIED;
- }
+ if (dec_rep->msg_type != KRB5_TGS_REP) {
+ retval = KRB5KRB_AP_ERR_MSG_TYPE;
+ goto error_3;
+ }
- if (retval == 0)
- retval = check_reply_server(context, kdcoptions, in_cred, dec_rep);
+ /*
+ * Don't trust the ok-as-delegate flag from foreign KDCs unless the
+ * cross-realm TGT also had the ok-as-delegate flag set.
+ */
+ if (!tgt_is_local_realm(tkt)
+ && !(tkt->ticket_flags & TKT_FLG_OK_AS_DELEGATE))
+ dec_rep->enc_part2->flags &= ~TKT_FLG_OK_AS_DELEGATE;
+
+ /* make sure the response hasn't been tampered with..... */
+ retval = 0;
+
+ if (s4u2self && !IS_TGS_PRINC(context, dec_rep->ticket->server)) {
+ /* Final hop, check whether KDC supports S4U2Self */
+ if (krb5_principal_compare(context, dec_rep->client, in_cred->server))
+ retval = KRB5KDC_ERR_PADATA_TYPE_NOSUPP;
+ } else if ((kdcoptions & KDC_OPT_CNAME_IN_ADDL_TKT) == 0) {
+ /* XXX for constrained delegation this check must be performed by caller
+ * as we don't have access to the key to decrypt the evidence ticket.
+ */
+ if (!krb5_principal_compare(context, dec_rep->client, tkt->client))
+ retval = KRB5_KDCREP_MODIFIED;
+ }
- if (dec_rep->enc_part2->nonce != tgsrep.expected_nonce)
- retval = KRB5_KDCREP_MODIFIED;
+ if (retval == 0)
+ retval = check_reply_server(context, kdcoptions, in_cred, dec_rep);
- if ((kdcoptions & KDC_OPT_POSTDATED) &&
- (in_cred->times.starttime != 0) &&
- (in_cred->times.starttime != dec_rep->enc_part2->times.starttime))
- retval = KRB5_KDCREP_MODIFIED;
+ if (dec_rep->enc_part2->nonce != tgsrep.expected_nonce)
+ retval = KRB5_KDCREP_MODIFIED;
- if ((in_cred->times.endtime != 0) &&
- (dec_rep->enc_part2->times.endtime > in_cred->times.endtime))
- retval = KRB5_KDCREP_MODIFIED;
+ if ((kdcoptions & KDC_OPT_POSTDATED) &&
+ (in_cred->times.starttime != 0) &&
+ (in_cred->times.starttime != dec_rep->enc_part2->times.starttime))
+ retval = KRB5_KDCREP_MODIFIED;
- if ((kdcoptions & KDC_OPT_RENEWABLE) &&
- (in_cred->times.renew_till != 0) &&
- (dec_rep->enc_part2->times.renew_till > in_cred->times.renew_till))
- retval = KRB5_KDCREP_MODIFIED;
+ if ((in_cred->times.endtime != 0) &&
+ (dec_rep->enc_part2->times.endtime > in_cred->times.endtime))
+ retval = KRB5_KDCREP_MODIFIED;
- if ((kdcoptions & KDC_OPT_RENEWABLE_OK) &&
- (dec_rep->enc_part2->flags & KDC_OPT_RENEWABLE) &&
- (in_cred->times.endtime != 0) &&
- (dec_rep->enc_part2->times.renew_till > in_cred->times.endtime))
- retval = KRB5_KDCREP_MODIFIED;
+ if ((kdcoptions & KDC_OPT_RENEWABLE) &&
+ (in_cred->times.renew_till != 0) &&
+ (dec_rep->enc_part2->times.renew_till > in_cred->times.renew_till))
+ retval = KRB5_KDCREP_MODIFIED;
- if (retval != 0)
- goto error_3;
+ if ((kdcoptions & KDC_OPT_RENEWABLE_OK) &&
+ (dec_rep->enc_part2->flags & KDC_OPT_RENEWABLE) &&
+ (in_cred->times.endtime != 0) &&
+ (dec_rep->enc_part2->times.renew_till > in_cred->times.endtime))
+ retval = KRB5_KDCREP_MODIFIED;
- if (!in_cred->times.starttime &&
- !in_clock_skew(dec_rep->enc_part2->times.starttime,
- tgsrep.request_time)) {
- retval = KRB5_KDCREP_SKEW;
- goto error_3;
- }
+ if (retval != 0)
+ goto error_3;
- if (out_padata != NULL) {
- *out_padata = dec_rep->padata;
- dec_rep->padata = NULL;
- }
- if (out_enc_padata != NULL) {
- *out_enc_padata = dec_rep->enc_part2->enc_padata;
- dec_rep->enc_part2->enc_padata = NULL;
- }
-
- retval = krb5_kdcrep2creds(context, dec_rep, address,
- &in_cred->second_ticket, out_cred);
-
-error_3:;
- if (subkey != NULL) {
- if (retval == 0 && out_subkey != NULL)
- *out_subkey = subkey;
- else
- krb5_free_keyblock(context, subkey);
- }
-
- memset(dec_rep->enc_part2->session->contents, 0,
- dec_rep->enc_part2->session->length);
- krb5_free_kdc_rep(context, dec_rep);
+ if (!in_cred->times.starttime &&
+ !in_clock_skew(dec_rep->enc_part2->times.starttime,
+ tgsrep.request_time)) {
+ retval = KRB5_KDCREP_SKEW;
+ goto error_3;
+ }
+
+ if (out_padata != NULL) {
+ *out_padata = dec_rep->padata;
+ dec_rep->padata = NULL;
+ }
+ if (out_enc_padata != NULL) {
+ *out_enc_padata = dec_rep->enc_part2->enc_padata;
+ dec_rep->enc_part2->enc_padata = NULL;
+ }
+
+ retval = krb5_kdcrep2creds(context, dec_rep, address,
+ &in_cred->second_ticket, out_cred);
-error_4:;
- free(tgsrep.response.data);
+ error_3:;
+ if (subkey != NULL) {
+ if (retval == 0 && out_subkey != NULL)
+ *out_subkey = subkey;
+ else
+ krb5_free_keyblock(context, subkey);
+ }
+
+ memset(dec_rep->enc_part2->session->contents, 0,
+ dec_rep->enc_part2->session->length);
+ krb5_free_kdc_rep(context, dec_rep);
+
+ error_4:;
+ free(tgsrep.response.data);
#ifdef DEBUG_REFERRALS
- printf("krb5_get_cred_via_tkt ending; %s\n", retval?error_message(retval):"no error");
+ printf("krb5_get_cred_via_tkt ending; %s\n", retval?error_message(retval):"no error");
#endif
- return retval;
-}
+ return retval;
+ }
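Review bot: The reindent produces wrong output from the new-side closing brace of check_reply_server (`+ }`, now indented one level) through the end of the file: tgt_is_local_realm, krb5_get_cred_via_tkt and all of krb5_get_cred_via_tkt_ext land at four columns instead of column 0. The tool appears to have been thrown by the unbalanced parenthesis in the `#if 0` block inside check_reply_server — `if (krb5_realm_compare(context, in_cred->client, in_cred->server) && data_eq(*in_cred->server->data[1], *in_cred->client->realm) {` never closes the `if (`. Either close it, `data_eq(*in_cred->server->data[1], *in_cred->client->realm)) {`, or delete the dead `#if 0` block (the comment just above it says the earlier check already covers this case), then rerun the reindent so the remainder of the file is placed correctly. check_reply_server begins in the previous hunk; the hunk itself changes no code, but shipping mis-indented output defeats the purpose of the commit.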
diff --git a/src/lib/krb5/krb/gen_seqnum.c b/src/lib/krb5/krb/gen_seqnum.c
index 06564ee4a..8703457be 100644
--- a/src/lib/krb5/krb/gen_seqnum.c
+++ b/src/lib/krb5/krb/gen_seqnum.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/gen_seqnum.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* Routine to automatically generate a starting sequence number.
* We do this by getting a random key and encrypting something with it,
@@ -53,13 +54,13 @@ krb5_generate_seq_number(krb5_context context, const krb5_keyblock *key, krb5_ui
seed = key2data(*key);
if ((retval = krb5_c_random_add_entropy(context, KRB5_C_RANDSOURCE_TRUSTEDPARTY, &seed)))
- return(retval);
+ return(retval);
seed.length = sizeof(*seqno);
seed.data = (char *) seqno;
retval = krb5_c_random_make_octets(context, &seed);
if (retval)
- return retval;
+ return retval;
/*
* Work around implementation incompatibilities by not generating
* initial sequence numbers greater than 2^30. Previous MIT
@@ -71,6 +72,6 @@ krb5_generate_seq_number(krb5_context context, const krb5_keyblock *key, krb5_ui
*/
*seqno &= 0x3fffffff;
if (*seqno == 0)
- *seqno = 1;
+ *seqno = 1;
return 0;
}
diff --git a/src/lib/krb5/krb/gen_subkey.c b/src/lib/krb5/krb/gen_subkey.c
index 501428b1d..7739f04ef 100644
--- a/src/lib/krb5/krb/gen_subkey.c
+++ b/src/lib/krb5/krb/gen_subkey.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/gen_subkey.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* Routine to automatically generate a subsession key based on an input key.
*/
@@ -41,9 +42,9 @@ key2data (krb5_keyblock k)
krb5_error_code
krb5_generate_subkey_extended(krb5_context context,
- const krb5_keyblock *key,
- krb5_enctype enctype,
- krb5_keyblock **subkey)
+ const krb5_keyblock *key,
+ krb5_enctype enctype,
+ krb5_keyblock **subkey)
{
krb5_error_code retval;
krb5_data seed;
@@ -53,18 +54,18 @@ krb5_generate_subkey_extended(krb5_context context,
seed = key2data(*key);
retval = krb5_c_random_add_entropy(context, KRB5_C_RANDSOURCE_TRUSTEDPARTY,
- &seed);
+ &seed);
if (retval)
- return retval;
+ return retval;
keyblock = malloc(sizeof(krb5_keyblock));
if (!keyblock)
- return ENOMEM;
+ return ENOMEM;
retval = krb5_c_make_random_key(context, enctype, keyblock);
if (retval) {
- free(*subkey);
- return retval;
+ free(*subkey);
+ return retval;
}
*subkey = keyblock;
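Review bot: The error path after krb5_c_make_random_key frees the wrong pointer: `free(*subkey);` releases whatever the caller had in the out-parameter, which this function has not written yet (it is only assigned on the success line `*subkey = keyblock;`), while the freshly allocated `keyblock` leaks. A caller passing an uninitialized or still-live pointer gets an invalid free now or a double free later. The line should read `free(keyblock);`. krb5_generate_subkey_extended starts in the previous hunk and its closing lines are outside this one.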
diff --git a/src/lib/krb5/krb/get_creds.c b/src/lib/krb5/krb/get_creds.c
index 88148d772..491f86452 100644
--- a/src/lib/krb5/krb/get_creds.c
+++ b/src/lib/krb5/krb/get_creds.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/get_creds.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_get_credentials()
*/
@@ -30,18 +31,18 @@
/*
- Attempts to use the credentials cache or TGS exchange to get an additional
- ticket for the
- client identified by in_creds->client, the server identified by
- in_creds->server, with options options, expiration date specified in
- in_creds->times.endtime (0 means as long as possible), session key type
- specified in in_creds->keyblock.enctype (if non-zero)
+ Attempts to use the credentials cache or TGS exchange to get an additional
+ ticket for the
+ client identified by in_creds->client, the server identified by
+ in_creds->server, with options options, expiration date specified in
+ in_creds->times.endtime (0 means as long as possible), session key type
+ specified in in_creds->keyblock.enctype (if non-zero)
- Any returned ticket and intermediate ticket-granting tickets are
- stored in ccache.
+ Any returned ticket and intermediate ticket-granting tickets are
+ stored in ccache.
- returns errors from encryption routines, system errors
- */
+ returns errors from encryption routines, system errors
+*/
#include "k5-int.h"
#include "int-proto.h"
@@ -54,8 +55,8 @@
*/
krb5_error_code
krb5int_construct_matching_creds(krb5_context context, krb5_flags options,
- krb5_creds *in_creds, krb5_creds *mcreds,
- krb5_flags *fields)
+ krb5_creds *in_creds, krb5_creds *mcreds,
+ krb5_flags *fields)
{
if (!in_creds || !in_creds->server || !in_creds->client)
return EINVAL;
@@ -63,47 +64,47 @@ krb5int_construct_matching_creds(krb5_context context, krb5_flags options,
memset(mcreds, 0, sizeof(krb5_creds));
mcreds->magic = KV5M_CREDS;
if (in_creds->times.endtime != 0) {
- mcreds->times.endtime = in_creds->times.endtime;
+ mcreds->times.endtime = in_creds->times.endtime;
} else {
- krb5_error_code retval;
- retval = krb5_timeofday(context, &mcreds->times.endtime);
- if (retval != 0) return retval;
+ krb5_error_code retval;
+ retval = krb5_timeofday(context, &mcreds->times.endtime);
+ if (retval != 0) return retval;
}
mcreds->keyblock = in_creds->keyblock;
mcreds->authdata = in_creds->authdata;
mcreds->server = in_creds->server;
mcreds->client = in_creds->client;
-
+
*fields = KRB5_TC_MATCH_TIMES /*XXX |KRB5_TC_MATCH_SKEY_TYPE */
- | KRB5_TC_MATCH_AUTHDATA
- | KRB5_TC_SUPPORTED_KTYPES;
+ | KRB5_TC_MATCH_AUTHDATA
+ | KRB5_TC_SUPPORTED_KTYPES;
if (mcreds->keyblock.enctype) {
- krb5_enctype *ktypes;
- krb5_error_code ret;
- int i;
-
- *fields |= KRB5_TC_MATCH_KTYPE;
- ret = krb5_get_tgs_ktypes(context, mcreds->server, &ktypes);
- for (i = 0; ktypes[i]; i++)
- if (ktypes[i] == mcreds->keyblock.enctype)
- break;
- if (ktypes[i] == 0)
- ret = KRB5_CC_NOT_KTYPE;
- free (ktypes);
- if (ret)
- return ret;
+ krb5_enctype *ktypes;
+ krb5_error_code ret;
+ int i;
+
+ *fields |= KRB5_TC_MATCH_KTYPE;
+ ret = krb5_get_tgs_ktypes(context, mcreds->server, &ktypes);
+ for (i = 0; ktypes[i]; i++)
+ if (ktypes[i] == mcreds->keyblock.enctype)
+ break;
+ if (ktypes[i] == 0)
+ ret = KRB5_CC_NOT_KTYPE;
+ free (ktypes);
+ if (ret)
+ return ret;
}
if (options & (KRB5_GC_USER_USER | KRB5_GC_CONSTRAINED_DELEGATION)) {
- /* also match on identical 2nd tkt and tkt encrypted in a
- session key */
- *fields |= KRB5_TC_MATCH_2ND_TKT;
- if (options & KRB5_GC_USER_USER) {
- *fields |= KRB5_TC_MATCH_IS_SKEY;
- mcreds->is_skey = TRUE;
- }
- mcreds->second_ticket = in_creds->second_ticket;
- if (!in_creds->second_ticket.length)
- return KRB5_NO_2ND_TKT;
+ /* also match on identical 2nd tkt and tkt encrypted in a
+ session key */
+ *fields |= KRB5_TC_MATCH_2ND_TKT;
+ if (options & KRB5_GC_USER_USER) {
+ *fields |= KRB5_TC_MATCH_IS_SKEY;
+ mcreds->is_skey = TRUE;
+ }
+ mcreds->second_ticket = in_creds->second_ticket;
+ if (!in_creds->second_ticket.length)
+ return KRB5_NO_2ND_TKT;
}
return 0;
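Review bot: In the enctype branch the return value of `krb5_get_tgs_ktypes` is stored in ret but not checked before the `for` loop dereferences ktypes, which is declared without an initializer a few lines above; on failure the loop and the subsequent `free (ktypes)` operate on an indeterminate pointer. Add `if (ret) return ret;` directly after the krb5_get_tgs_ktypes call, before the loop — the existing `if (ret) return ret;` below only runs after the damage is done. krb5int_construct_matching_creds starts in the previous hunk.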
@@ -111,8 +112,8 @@ krb5int_construct_matching_creds(krb5_context context, krb5_flags options,
krb5_error_code KRB5_CALLCONV
krb5_get_credentials(krb5_context context, krb5_flags options,
- krb5_ccache ccache, krb5_creds *in_creds,
- krb5_creds **out_creds)
+ krb5_ccache ccache, krb5_creds *in_creds,
+ krb5_creds **out_creds)
{
krb5_error_code retval;
krb5_creds mcreds, *ncreds, **tgts, **tgts_iter;
@@ -128,53 +129,53 @@ krb5_get_credentials(krb5_context context, krb5_flags options,
* second_ticket, which we can't do.
*/
if ((options & KRB5_GC_CONSTRAINED_DELEGATION) == 0) {
- retval = krb5int_construct_matching_creds(context, options, in_creds,
- &mcreds, &fields);
-
- if (retval)
- return retval;
-
- ncreds = malloc(sizeof(krb5_creds));
- if (!ncreds)
- return ENOMEM;
-
- memset(ncreds, 0, sizeof(krb5_creds));
- ncreds->magic = KV5M_CREDS;
-
- retval = krb5_cc_retrieve_cred(context, ccache, fields, &mcreds,
- ncreds);
- if (retval == 0) {
- *out_creds = ncreds;
- return 0;
- }
- free(ncreds);
- ncreds = NULL;
- if ((retval != KRB5_CC_NOTFOUND && retval != KRB5_CC_NOT_KTYPE)
- || options & KRB5_GC_CACHED)
- return retval;
- not_ktype = (retval == KRB5_CC_NOT_KTYPE);
+ retval = krb5int_construct_matching_creds(context, options, in_creds,
+ &mcreds, &fields);
+
+ if (retval)
+ return retval;
+
+ ncreds = malloc(sizeof(krb5_creds));
+ if (!ncreds)
+ return ENOMEM;
+
+ memset(ncreds, 0, sizeof(krb5_creds));
+ ncreds->magic = KV5M_CREDS;
+
+ retval = krb5_cc_retrieve_cred(context, ccache, fields, &mcreds,
+ ncreds);
+ if (retval == 0) {
+ *out_creds = ncreds;
+ return 0;
+ }
+ free(ncreds);
+ ncreds = NULL;
+ if ((retval != KRB5_CC_NOTFOUND && retval != KRB5_CC_NOT_KTYPE)
+ || options & KRB5_GC_CACHED)
+ return retval;
+ not_ktype = (retval == KRB5_CC_NOT_KTYPE);
} else if (options & KRB5_GC_CACHED)
- return KRB5_CC_NOTFOUND;
+ return KRB5_CC_NOTFOUND;
if (options & KRB5_GC_CANONICALIZE)
- kdcopt |= KDC_OPT_CANONICALIZE;
+ kdcopt |= KDC_OPT_CANONICALIZE;
if (options & KRB5_GC_FORWARDABLE)
- kdcopt |= KDC_OPT_FORWARDABLE;
+ kdcopt |= KDC_OPT_FORWARDABLE;
if (options & KRB5_GC_NO_TRANSIT_CHECK)
- kdcopt |= KDC_OPT_DISABLE_TRANSITED_CHECK;
+ kdcopt |= KDC_OPT_DISABLE_TRANSITED_CHECK;
if (options & KRB5_GC_CONSTRAINED_DELEGATION) {
- if (options & KRB5_GC_USER_USER)
- return EINVAL;
- kdcopt |= KDC_OPT_FORWARDABLE | KDC_OPT_CNAME_IN_ADDL_TKT;
+ if (options & KRB5_GC_USER_USER)
+ return EINVAL;
+ kdcopt |= KDC_OPT_FORWARDABLE | KDC_OPT_CNAME_IN_ADDL_TKT;
}
retval = krb5_get_cred_from_kdc_opt(context, ccache, in_creds,
- &ncreds, &tgts, kdcopt);
+ &ncreds, &tgts, kdcopt);
if (tgts) {
- /* Attempt to cache intermediate ticket-granting tickets. */
- for (tgts_iter = tgts; *tgts_iter; tgts_iter++)
- (void) krb5_cc_store_cred(context, ccache, *tgts_iter);
- krb5_free_tgt_creds(context, tgts);
+ /* Attempt to cache intermediate ticket-granting tickets. */
+ for (tgts_iter = tgts; *tgts_iter; tgts_iter++)
+ (void) krb5_cc_store_cred(context, ccache, *tgts_iter);
+ krb5_free_tgt_creds(context, tgts);
}
/*
@@ -189,21 +190,21 @@ krb5_get_credentials(krb5_context context, krb5_flags options,
* enctype rather than the missing TGT.
*/
if ((retval == KRB5_CC_NOTFOUND || retval == KRB5_CC_NOT_KTYPE)
- && not_ktype)
- return KRB5_CC_NOT_KTYPE;
+ && not_ktype)
+ return KRB5_CC_NOT_KTYPE;
else if (retval)
- return retval;
+ return retval;
if ((options & KRB5_GC_CONSTRAINED_DELEGATION)
- && (ncreds->ticket_flags & TKT_FLG_FORWARDABLE) == 0) {
- /* This ticket won't work for constrained delegation. */
- krb5_free_creds(context, ncreds);
- return KRB5_TKT_NOT_FORWARDABLE;
+ && (ncreds->ticket_flags & TKT_FLG_FORWARDABLE) == 0) {
+ /* This ticket won't work for constrained delegation. */
+ krb5_free_creds(context, ncreds);
+ return KRB5_TKT_NOT_FORWARDABLE;
}
/* Attempt to cache the returned ticket. */
if (!(options & KRB5_GC_NO_STORE))
- (void) krb5_cc_store_cred(context, ccache, ncreds);
+ (void) krb5_cc_store_cred(context, ccache, ncreds);
*out_creds = ncreds;
return 0;
@@ -212,10 +213,10 @@ krb5_get_credentials(krb5_context context, krb5_flags options,
#define INT_GC_VALIDATE 1
#define INT_GC_RENEW 2
-static krb5_error_code
+static krb5_error_code
krb5_get_credentials_val_renew_core(krb5_context context, krb5_flags options,
- krb5_ccache ccache, krb5_creds *in_creds,
- krb5_creds **out_creds, int which)
+ krb5_ccache ccache, krb5_creds *in_creds,
+ krb5_creds **out_creds, int which)
{
krb5_error_code retval;
krb5_principal tmp;
@@ -223,17 +224,17 @@ krb5_get_credentials_val_renew_core(krb5_context context, krb5_flags options,
switch(which) {
case INT_GC_VALIDATE:
- retval = krb5_get_cred_from_kdc_validate(context, ccache,
- in_creds, out_creds, &tgts);
- break;
+ retval = krb5_get_cred_from_kdc_validate(context, ccache,
+ in_creds, out_creds, &tgts);
+ break;
case INT_GC_RENEW:
- retval = krb5_get_cred_from_kdc_renew(context, ccache,
- in_creds, out_creds, &tgts);
- break;
+ retval = krb5_get_cred_from_kdc_renew(context, ccache,
+ in_creds, out_creds, &tgts);
+ break;
default:
- /* Should never happen */
- retval = 255;
- break;
+ /* Should never happen */
+ retval = 255;
+ break;
}
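Review bot: The default arm of the switch assigns the bare integer `retval = 255;` for the "should never happen" case, which is neither an errno value nor a krb5 error-table code, so callers and error_message() have nothing meaningful to report. Since which is an internal selector that can only be INT_GC_VALIDATE or INT_GC_RENEW, `retval = EINVAL;` expresses the same intent with a code the rest of this file already uses. krb5_get_credentials_val_renew_core starts in the previous hunk and continues past this one.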
/*
* Callers to krb5_get_cred_blah... must free up tgts even in
@@ -244,39 +245,39 @@ krb5_get_credentials_val_renew_core(krb5_context context, krb5_flags options,
retval = krb5_cc_get_principal(context, ccache, &tmp);
if (retval) return retval;
-
+
retval = krb5_cc_initialize(context, ccache, tmp);
if (retval) return retval;
-
+
retval = krb5_cc_store_cred(context, ccache, *out_creds);
return retval;
}
krb5_error_code KRB5_CALLCONV
krb5_get_credentials_validate(krb5_context context, krb5_flags options,
- krb5_ccache ccache, krb5_creds *in_creds,
- krb5_creds **out_creds)
+ krb5_ccache ccache, krb5_creds *in_creds,
+ krb5_creds **out_creds)
{
- return(krb5_get_credentials_val_renew_core(context, options, ccache,
- in_creds, out_creds,
- INT_GC_VALIDATE));
+ return(krb5_get_credentials_val_renew_core(context, options, ccache,
+ in_creds, out_creds,
+ INT_GC_VALIDATE));
}
krb5_error_code KRB5_CALLCONV
krb5_get_credentials_renew(krb5_context context, krb5_flags options,
- krb5_ccache ccache, krb5_creds *in_creds,
- krb5_creds **out_creds)
+ krb5_ccache ccache, krb5_creds *in_creds,
+ krb5_creds **out_creds)
{
- return(krb5_get_credentials_val_renew_core(context, options, ccache,
- in_creds, out_creds,
- INT_GC_RENEW));
+ return(krb5_get_credentials_val_renew_core(context, options, ccache,
+ in_creds, out_creds,
+ INT_GC_RENEW));
}
static krb5_error_code
krb5_validate_or_renew_creds(krb5_context context, krb5_creds *creds,
- krb5_principal client, krb5_ccache ccache,
- char *in_tkt_service, int validate)
+ krb5_principal client, krb5_ccache ccache,
+ char *in_tkt_service, int validate)
{
krb5_error_code ret;
krb5_creds in_creds; /* only client and server need to be filled in */
@@ -291,57 +292,57 @@ krb5_validate_or_renew_creds(krb5_context context, krb5_creds *creds,
in_creds.client = client;
if (in_tkt_service) {
- /* this is ugly, because so are the data structures involved. I'm
- in the library, so I'm going to manipulate the data structures
- directly, otherwise, it will be worse. */
+ /* this is ugly, because so are the data structures involved. I'm
+ in the library, so I'm going to manipulate the data structures
+ directly, otherwise, it will be worse. */
if ((ret = krb5_parse_name(context, in_tkt_service, &in_creds.server)))
- goto cleanup;
-
- /* stuff the client realm into the server principal.
- realloc if necessary */
- if (in_creds.server->realm.length < in_creds.client->realm.length)
- if ((in_creds.server->realm.data =
- (char *) realloc(in_creds.server->realm.data,
- in_creds.client->realm.length)) == NULL) {
- ret = ENOMEM;
- goto cleanup;
- }
-
- in_creds.server->realm.length = in_creds.client->realm.length;
- memcpy(in_creds.server->realm.data, in_creds.client->realm.data,
- in_creds.client->realm.length);
+ goto cleanup;
+
+ /* stuff the client realm into the server principal.
+ realloc if necessary */
+ if (in_creds.server->realm.length < in_creds.client->realm.length)
+ if ((in_creds.server->realm.data =
+ (char *) realloc(in_creds.server->realm.data,
+ in_creds.client->realm.length)) == NULL) {
+ ret = ENOMEM;
+ goto cleanup;
+ }
+
+ in_creds.server->realm.length = in_creds.client->realm.length;
+ memcpy(in_creds.server->realm.data, in_creds.client->realm.data,
+ in_creds.client->realm.length);
} else {
- if ((ret = krb5_build_principal_ext(context, &in_creds.server,
- in_creds.client->realm.length,
- in_creds.client->realm.data,
- KRB5_TGS_NAME_SIZE,
- KRB5_TGS_NAME,
- in_creds.client->realm.length,
- in_creds.client->realm.data,
- 0)))
- goto cleanup;
+ if ((ret = krb5_build_principal_ext(context, &in_creds.server,
+ in_creds.client->realm.length,
+ in_creds.client->realm.data,
+ KRB5_TGS_NAME_SIZE,
+ KRB5_TGS_NAME,
+ in_creds.client->realm.length,
+ in_creds.client->realm.data,
+ 0)))
+ goto cleanup;
}
if (validate)
- ret = krb5_get_cred_from_kdc_validate(context, ccache,
- &in_creds, &out_creds, &tgts);
+ ret = krb5_get_cred_from_kdc_validate(context, ccache,
+ &in_creds, &out_creds, &tgts);
else
- ret = krb5_get_cred_from_kdc_renew(context, ccache,
- &in_creds, &out_creds, &tgts);
-
+ ret = krb5_get_cred_from_kdc_renew(context, ccache,
+ &in_creds, &out_creds, &tgts);
+
/* ick. copy the struct contents, free the container */
if (out_creds) {
- *creds = *out_creds;
- free(out_creds);
+ *creds = *out_creds;
+ free(out_creds);
}
cleanup:
if (in_creds.server)
- krb5_free_principal(context, in_creds.server);
+ krb5_free_principal(context, in_creds.server);
if (tgts)
- krb5_free_tgt_creds(context, tgts);
+ krb5_free_tgt_creds(context, tgts);
return(ret);
}
@@ -350,13 +351,12 @@ krb5_error_code KRB5_CALLCONV
krb5_get_validated_creds(krb5_context context, krb5_creds *creds, krb5_principal client, krb5_ccache ccache, char *in_tkt_service)
{
return(krb5_validate_or_renew_creds(context, creds, client, ccache,
- in_tkt_service, 1));
+ in_tkt_service, 1));
}
krb5_error_code KRB5_CALLCONV
krb5_get_renewed_creds(krb5_context context, krb5_creds *creds, krb5_principal client, krb5_ccache ccache, char *in_tkt_service)
{
return(krb5_validate_or_renew_creds(context, creds, client, ccache,
- in_tkt_service, 0));
+ in_tkt_service, 0));
}
-
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index a381c5c7e..40afea56d 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/get_in_tkt.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_get_in_tkt()
*/
@@ -36,7 +37,7 @@
#if APPLE_PKINIT
#define IN_TKT_DEBUG 0
-#if IN_TKT_DEBUG
+#if IN_TKT_DEBUG
#define inTktDebug(args...) printf(args)
#else
#define inTktDebug(args...)
@@ -44,53 +45,53 @@
#endif /* APPLE_PKINIT */
/*
- All-purpose initial ticket routine, usually called via
- krb5_get_in_tkt_with_password or krb5_get_in_tkt_with_skey.
+ All-purpose initial ticket routine, usually called via
+ krb5_get_in_tkt_with_password or krb5_get_in_tkt_with_skey.
- Attempts to get an initial ticket for creds->client to use server
- creds->server, (realm is taken from creds->client), with options
- options, and using creds->times.starttime, creds->times.endtime,
- creds->times.renew_till as from, till, and rtime.
- creds->times.renew_till is ignored unless the RENEWABLE option is requested.
+ Attempts to get an initial ticket for creds->client to use server
+ creds->server, (realm is taken from creds->client), with options
+ options, and using creds->times.starttime, creds->times.endtime,
+ creds->times.renew_till as from, till, and rtime.
+ creds->times.renew_till is ignored unless the RENEWABLE option is requested.
- key_proc is called to fill in the key to be used for decryption.
- keyseed is passed on to key_proc.
+ key_proc is called to fill in the key to be used for decryption.
+ keyseed is passed on to key_proc.
- decrypt_proc is called to perform the decryption of the response (the
- encrypted part is in dec_rep->enc_part; the decrypted part should be
- allocated and filled into dec_rep->enc_part2
- arg is passed on to decrypt_proc.
+ decrypt_proc is called to perform the decryption of the response (the
+ encrypted part is in dec_rep->enc_part; the decrypted part should be
+ allocated and filled into dec_rep->enc_part2
+ arg is passed on to decrypt_proc.
- If addrs is non-NULL, it is used for the addresses requested. If it is
- null, the system standard addresses are used.
+ If addrs is non-NULL, it is used for the addresses requested. If it is
+ null, the system standard addresses are used.
- A succesful call will place the ticket in the credentials cache ccache
- and fill in creds with the ticket information used/returned..
+ A succesful call will place the ticket in the credentials cache ccache
+ and fill in creds with the ticket information used/returned..
- returns system errors, encryption errors
+ returns system errors, encryption errors
- */
+*/
/* some typedef's for the function args to make things look a bit cleaner */
typedef krb5_error_code (*git_key_proc) (krb5_context,
- krb5_enctype,
- krb5_data *,
- krb5_const_pointer,
- krb5_keyblock **);
+ krb5_enctype,
+ krb5_data *,
+ krb5_const_pointer,
+ krb5_keyblock **);
typedef krb5_error_code (*git_decrypt_proc) (krb5_context,
- const krb5_keyblock *,
- krb5_const_pointer,
- krb5_kdc_rep * );
+ const krb5_keyblock *,
+ krb5_const_pointer,
+ krb5_kdc_rep * );
-static krb5_error_code make_preauth_list (krb5_context,
- krb5_preauthtype *,
- int, krb5_pa_data ***);
+static krb5_error_code make_preauth_list (krb5_context,
+ krb5_preauthtype *,
+ int, krb5_pa_data ***);
static krb5_error_code sort_krb5_padata_sequence(krb5_context context,
- krb5_data *realm,
- krb5_pa_data **padata);
+ krb5_data *realm,
+ krb5_pa_data **padata);
/*
* This function performs 32 bit bounded addition so we can generate
@@ -105,7 +106,7 @@ static krb5_int32 krb5int_addint32 (krb5_int32 x, krb5_int32 y)
/* sum will be less than KRB5_INT32_MIN */
return KRB5_INT32_MIN;
}
-
+
return x + y;
}
@@ -115,14 +116,14 @@ static krb5_int32 krb5int_addint32 (krb5_int32 x, krb5_int32 y)
* just uses krb5_timeofday(); it should use a PRNG. Even more unfortunately this
* value is used interchangeably with an explicit now_time throughout this module...
*/
-static krb5_error_code
+static krb5_error_code
gen_nonce(krb5_context context,
krb5_int32 *nonce)
{
krb5_int32 time_now;
krb5_error_code retval = krb5_timeofday(context, &time_now);
if(retval) {
- return retval;
+ return retval;
}
*nonce = time_now;
return 0;
@@ -136,16 +137,16 @@ gen_nonce(krb5_context context,
* unexpected response, an error is returned.
*/
static krb5_error_code
-send_as_request(krb5_context context,
- krb5_data *packet, const krb5_data *realm,
- krb5_error ** ret_err_reply,
- krb5_kdc_rep ** ret_as_reply,
- int *use_master)
+send_as_request(krb5_context context,
+ krb5_data *packet, const krb5_data *realm,
+ krb5_error ** ret_err_reply,
+ krb5_kdc_rep ** ret_as_reply,
+ int *use_master)
{
krb5_kdc_rep *as_reply = 0;
krb5_error_code retval;
krb5_data reply;
- char k4_version; /* same type as *(krb5_data::data) */
+ char k4_version; /* same type as *(krb5_data::data) */
int tcp_only = 0;
reply.data = 0;
@@ -154,37 +155,37 @@ send_as_request(krb5_context context,
k4_version = packet->data[0];
send_again:
- retval = krb5_sendto_kdc(context, packet,
- realm,
- &reply, use_master, tcp_only);
+ retval = krb5_sendto_kdc(context, packet,
+ realm,
+ &reply, use_master, tcp_only);
#if APPLE_PKINIT
inTktDebug("krb5_sendto_kdc returned %d\n", (int)retval);
#endif /* APPLE_PKINIT */
if (retval)
- goto cleanup;
+ goto cleanup;
/* now decode the reply...could be error or as_rep */
if (krb5_is_krb_error(&reply)) {
- krb5_error *err_reply;
-
- if ((retval = decode_krb5_error(&reply, &err_reply)))
- /* some other error code--??? */
- goto cleanup;
-
- if (ret_err_reply) {
- if (err_reply->error == KRB_ERR_RESPONSE_TOO_BIG
- && tcp_only == 0) {
- tcp_only = 1;
- krb5_free_error(context, err_reply);
- free(reply.data);
- reply.data = 0;
- goto send_again;
- }
- *ret_err_reply = err_reply;
- } else
- krb5_free_error(context, err_reply);
- goto cleanup;
+ krb5_error *err_reply;
+
+ if ((retval = decode_krb5_error(&reply, &err_reply)))
+ /* some other error code--??? */
+ goto cleanup;
+
+ if (ret_err_reply) {
+ if (err_reply->error == KRB_ERR_RESPONSE_TOO_BIG
+ && tcp_only == 0) {
+ tcp_only = 1;
+ krb5_free_error(context, err_reply);
+ free(reply.data);
+ reply.data = 0;
+ goto send_again;
+ }
+ *ret_err_reply = err_reply;
+ } else
+ krb5_free_error(context, err_reply);
+ goto cleanup;
}
/*
@@ -192,108 +193,108 @@ send_again:
*/
if (!krb5_is_as_rep(&reply)) {
/* these are in <kerberosIV/prot.h> as well but it isn't worth including. */
-#define V4_KRB_PROT_VERSION 4
-#define V4_AUTH_MSG_ERR_REPLY (5<<1)
- /* check here for V4 reply */
- unsigned int t_switch;
-
- /* From v4 g_in_tkt.c: This used to be
- switch (pkt_msg_type(rpkt) & ~1) {
- but SCO 3.2v4 cc compiled that incorrectly. */
- t_switch = reply.data[1];
- t_switch &= ~1;
-
- if (t_switch == V4_AUTH_MSG_ERR_REPLY
- && (reply.data[0] == V4_KRB_PROT_VERSION
- || reply.data[0] == k4_version)) {
- retval = KRB5KRB_AP_ERR_V4_REPLY;
- } else {
- retval = KRB5KRB_AP_ERR_MSG_TYPE;
- }
- goto cleanup;
+#define V4_KRB_PROT_VERSION 4
+#define V4_AUTH_MSG_ERR_REPLY (5<<1)
+ /* check here for V4 reply */
+ unsigned int t_switch;
+
+ /* From v4 g_in_tkt.c: This used to be
+ switch (pkt_msg_type(rpkt) & ~1) {
+ but SCO 3.2v4 cc compiled that incorrectly. */
+ t_switch = reply.data[1];
+ t_switch &= ~1;
+
+ if (t_switch == V4_AUTH_MSG_ERR_REPLY
+ && (reply.data[0] == V4_KRB_PROT_VERSION
+ || reply.data[0] == k4_version)) {
+ retval = KRB5KRB_AP_ERR_V4_REPLY;
+ } else {
+ retval = KRB5KRB_AP_ERR_MSG_TYPE;
+ }
+ goto cleanup;
}
/* It must be a KRB_AS_REP message, or an bad returned packet */
if ((retval = decode_krb5_as_rep(&reply, &as_reply)))
- /* some other error code ??? */
- goto cleanup;
+ /* some other error code ??? */
+ goto cleanup;
if (as_reply->msg_type != KRB5_AS_REP) {
- retval = KRB5KRB_AP_ERR_MSG_TYPE;
- krb5_free_kdc_rep(context, as_reply);
- goto cleanup;
+ retval = KRB5KRB_AP_ERR_MSG_TYPE;
+ krb5_free_kdc_rep(context, as_reply);
+ goto cleanup;
}
if (ret_as_reply)
- *ret_as_reply = as_reply;
+ *ret_as_reply = as_reply;
else
- krb5_free_kdc_rep(context, as_reply);
+ krb5_free_kdc_rep(context, as_reply);
cleanup:
if (reply.data)
- free(reply.data);
+ free(reply.data);
return retval;
}
static krb5_error_code
-decrypt_as_reply(krb5_context context,
- krb5_kdc_req *request,
- krb5_kdc_rep *as_reply,
- git_key_proc key_proc,
- krb5_const_pointer keyseed,
- krb5_keyblock * key,
- git_decrypt_proc decrypt_proc,
- krb5_const_pointer decryptarg)
+decrypt_as_reply(krb5_context context,
+ krb5_kdc_req *request,
+ krb5_kdc_rep *as_reply,
+ git_key_proc key_proc,
+ krb5_const_pointer keyseed,
+ krb5_keyblock * key,
+ git_decrypt_proc decrypt_proc,
+ krb5_const_pointer decryptarg)
{
- krb5_error_code retval;
- krb5_keyblock * decrypt_key = 0;
- krb5_data salt;
-
+ krb5_error_code retval;
+ krb5_keyblock * decrypt_key = 0;
+ krb5_data salt;
+
if (as_reply->enc_part2)
- return 0;
+ return 0;
if (key)
- decrypt_key = key;
+ decrypt_key = key;
else {
- /*
- * Use salt corresponding to the client principal supplied by
- * the KDC, which may differ from the requested principal if
- * canonicalization is in effect. We will check
- * as_reply->client later in verify_as_reply.
- */
- if ((retval = krb5_principal2salt(context, as_reply->client, &salt)))
- return(retval);
-
- retval = (*key_proc)(context, as_reply->enc_part.enctype,
- &salt, keyseed, &decrypt_key);
- free(salt.data);
- if (retval)
- goto cleanup;
+ /*
+ * Use salt corresponding to the client principal supplied by
+ * the KDC, which may differ from the requested principal if
+ * canonicalization is in effect. We will check
+ * as_reply->client later in verify_as_reply.
+ */
+ if ((retval = krb5_principal2salt(context, as_reply->client, &salt)))
+ return(retval);
+
+ retval = (*key_proc)(context, as_reply->enc_part.enctype,
+ &salt, keyseed, &decrypt_key);
+ free(salt.data);
+ if (retval)
+ goto cleanup;
}
-
+
if ((retval = (*decrypt_proc)(context, decrypt_key, decryptarg, as_reply)))
- goto cleanup;
+ goto cleanup;
cleanup:
if (!key && decrypt_key)
- krb5_free_keyblock(context, decrypt_key);
+ krb5_free_keyblock(context, decrypt_key);
return (retval);
}
static krb5_error_code
-verify_as_reply(krb5_context context,
- krb5_timestamp time_now,
- krb5_kdc_req *request,
- krb5_kdc_rep *as_reply)
+verify_as_reply(krb5_context context,
+ krb5_timestamp time_now,
+ krb5_kdc_req *request,
+ krb5_kdc_rep *as_reply)
{
- krb5_error_code retval;
- int canon_req;
- int canon_ok;
+ krb5_error_code retval;
+ int canon_req;
+ int canon_ok;
/* check the contents for sanity: */
if (!as_reply->enc_part2->times.starttime)
- as_reply->enc_part2->times.starttime =
- as_reply->enc_part2->times.authtime;
+ as_reply->enc_part2->times.starttime =
+ as_reply->enc_part2->times.authtime;
/*
* We only allow the AS-REP server name to be changed if the
@@ -301,184 +302,184 @@ verify_as_reply(krb5_context context,
* principal) and we requested (and received) a TGT.
*/
canon_req = ((request->kdc_options & KDC_OPT_CANONICALIZE) != 0) ||
- (krb5_princ_type(context, request->client) == KRB5_NT_ENTERPRISE_PRINCIPAL);
+ (krb5_princ_type(context, request->client) == KRB5_NT_ENTERPRISE_PRINCIPAL);
if (canon_req) {
- canon_ok = IS_TGS_PRINC(context, request->server) &&
- IS_TGS_PRINC(context, as_reply->enc_part2->server);
+ canon_ok = IS_TGS_PRINC(context, request->server) &&
+ IS_TGS_PRINC(context, as_reply->enc_part2->server);
} else
- canon_ok = 0;
-
+ canon_ok = 0;
+
if ((!canon_ok &&
- (!krb5_principal_compare(context, as_reply->client, request->client) ||
- !krb5_principal_compare(context, as_reply->enc_part2->server, request->server)))
- || !krb5_principal_compare(context, as_reply->enc_part2->server, as_reply->ticket->server)
- || (request->nonce != as_reply->enc_part2->nonce)
- /* XXX check for extraneous flags */
- /* XXX || (!krb5_addresses_compare(context, addrs, as_reply->enc_part2->caddrs)) */
- || ((request->kdc_options & KDC_OPT_POSTDATED) &&
- (request->from != 0) &&
- (request->from != as_reply->enc_part2->times.starttime))
- || ((request->till != 0) &&
- (as_reply->enc_part2->times.endtime > request->till))
- || ((request->kdc_options & KDC_OPT_RENEWABLE) &&
- (request->rtime != 0) &&
- (as_reply->enc_part2->times.renew_till > request->rtime))
- || ((request->kdc_options & KDC_OPT_RENEWABLE_OK) &&
- !(request->kdc_options & KDC_OPT_RENEWABLE) &&
- (as_reply->enc_part2->flags & KDC_OPT_RENEWABLE) &&
- (request->till != 0) &&
- (as_reply->enc_part2->times.renew_till > request->till))
- ) {
+ (!krb5_principal_compare(context, as_reply->client, request->client) ||
+ !krb5_principal_compare(context, as_reply->enc_part2->server, request->server)))
+ || !krb5_principal_compare(context, as_reply->enc_part2->server, as_reply->ticket->server)
+ || (request->nonce != as_reply->enc_part2->nonce)
+ /* XXX check for extraneous flags */
+ /* XXX || (!krb5_addresses_compare(context, addrs, as_reply->enc_part2->caddrs)) */
+ || ((request->kdc_options & KDC_OPT_POSTDATED) &&
+ (request->from != 0) &&
+ (request->from != as_reply->enc_part2->times.starttime))
+ || ((request->till != 0) &&
+ (as_reply->enc_part2->times.endtime > request->till))
+ || ((request->kdc_options & KDC_OPT_RENEWABLE) &&
+ (request->rtime != 0) &&
+ (as_reply->enc_part2->times.renew_till > request->rtime))
+ || ((request->kdc_options & KDC_OPT_RENEWABLE_OK) &&
+ !(request->kdc_options & KDC_OPT_RENEWABLE) &&
+ (as_reply->enc_part2->flags & KDC_OPT_RENEWABLE) &&
+ (request->till != 0) &&
+ (as_reply->enc_part2->times.renew_till > request->till))
+ ) {
#if APPLE_PKINIT
- inTktDebug("verify_as_reply: KDCREP_MODIFIED\n");
- #if IN_TKT_DEBUG
- if(request->client->realm.length && request->client->data->length)
- inTktDebug("request: name %s realm %s\n",
- request->client->realm.data, request->client->data->data);
- if(as_reply->client->realm.length && as_reply->client->data->length)
- inTktDebug("reply : name %s realm %s\n",
- as_reply->client->realm.data, as_reply->client->data->data);
- #endif
+ inTktDebug("verify_as_reply: KDCREP_MODIFIED\n");
+#if IN_TKT_DEBUG
+ if(request->client->realm.length && request->client->data->length)
+ inTktDebug("request: name %s realm %s\n",
+ request->client->realm.data, request->client->data->data);
+ if(as_reply->client->realm.length && as_reply->client->data->length)
+ inTktDebug("reply : name %s realm %s\n",
+ as_reply->client->realm.data, as_reply->client->data->data);
+#endif
#endif /* APPLE_PKINIT */
- return KRB5_KDCREP_MODIFIED;
+ return KRB5_KDCREP_MODIFIED;
}
if (context->library_options & KRB5_LIBOPT_SYNC_KDCTIME) {
- retval = krb5_set_real_time(context,
- as_reply->enc_part2->times.authtime, -1);
- if (retval)
- return retval;
+ retval = krb5_set_real_time(context,
+ as_reply->enc_part2->times.authtime, -1);
+ if (retval)
+ return retval;
} else {
- if ((request->from == 0) &&
- (labs(as_reply->enc_part2->times.starttime - time_now)
- > context->clockskew))
- return (KRB5_KDCREP_SKEW);
+ if ((request->from == 0) &&
+ (labs(as_reply->enc_part2->times.starttime - time_now)
+ > context->clockskew))
+ return (KRB5_KDCREP_SKEW);
}
return 0;
}
static krb5_error_code
-stash_as_reply(krb5_context context,
- krb5_timestamp time_now,
- krb5_kdc_req *request,
- krb5_kdc_rep *as_reply,
- krb5_creds * creds,
- krb5_ccache ccache)
+stash_as_reply(krb5_context context,
+ krb5_timestamp time_now,
+ krb5_kdc_req *request,
+ krb5_kdc_rep *as_reply,
+ krb5_creds * creds,
+ krb5_ccache ccache)
{
- krb5_error_code retval;
- krb5_data * packet;
- krb5_principal client;
- krb5_principal server;
+ krb5_error_code retval;
+ krb5_data * packet;
+ krb5_principal client;
+ krb5_principal server;
client = NULL;
server = NULL;
if (!creds->client)
if ((retval = krb5_copy_principal(context, as_reply->client, &client)))
- goto cleanup;
+ goto cleanup;
if (!creds->server)
- if ((retval = krb5_copy_principal(context, as_reply->enc_part2->server,
- &server)))
- goto cleanup;
+ if ((retval = krb5_copy_principal(context, as_reply->enc_part2->server,
+ &server)))
+ goto cleanup;
/* fill in the credentials */
- if ((retval = krb5_copy_keyblock_contents(context,
- as_reply->enc_part2->session,
- &creds->keyblock)))
- goto cleanup;
+ if ((retval = krb5_copy_keyblock_contents(context,
+ as_reply->enc_part2->session,
+ &creds->keyblock)))
+ goto cleanup;
creds->times = as_reply->enc_part2->times;
- creds->is_skey = FALSE; /* this is an AS_REQ, so cannot
- be encrypted in skey */
+ creds->is_skey = FALSE; /* this is an AS_REQ, so cannot
+ be encrypted in skey */
creds->ticket_flags = as_reply->enc_part2->flags;
if ((retval = krb5_copy_addresses(context, as_reply->enc_part2->caddrs,
- &creds->addresses)))
- goto cleanup;
+ &creds->addresses)))
+ goto cleanup;
creds->second_ticket.length = 0;
creds->second_ticket.data = 0;
if ((retval = encode_krb5_ticket(as_reply->ticket, &packet)))
- goto cleanup;
+ goto cleanup;
creds->ticket = *packet;
free(packet);
/* store it in the ccache! */
if (ccache)
- if ((retval = krb5_cc_store_cred(context, ccache, creds)))
- goto cleanup;
+ if ((retval = krb5_cc_store_cred(context, ccache, creds)))
+ goto cleanup;
if (!creds->client)
- creds->client = client;
+ creds->client = client;
if (!creds->server)
- creds->server = server;
+ creds->server = server;
cleanup:
if (retval) {
- if (client)
- krb5_free_principal(context, client);
- if (server)
- krb5_free_principal(context, server);
- if (creds->keyblock.contents) {
- memset(creds->keyblock.contents, 0,
- creds->keyblock.length);
- free(creds->keyblock.contents);
- creds->keyblock.contents = 0;
- creds->keyblock.length = 0;
- }
- if (creds->ticket.data) {
- free(creds->ticket.data);
- creds->ticket.data = 0;
- }
- if (creds->addresses) {
- krb5_free_addresses(context, creds->addresses);
- creds->addresses = 0;
- }
+ if (client)
+ krb5_free_principal(context, client);
+ if (server)
+ krb5_free_principal(context, server);
+ if (creds->keyblock.contents) {
+ memset(creds->keyblock.contents, 0,
+ creds->keyblock.length);
+ free(creds->keyblock.contents);
+ creds->keyblock.contents = 0;
+ creds->keyblock.length = 0;
+ }
+ if (creds->ticket.data) {
+ free(creds->ticket.data);
+ creds->ticket.data = 0;
+ }
+ if (creds->addresses) {
+ krb5_free_addresses(context, creds->addresses);
+ creds->addresses = 0;
+ }
}
return (retval);
}
static krb5_error_code
-make_preauth_list(krb5_context context,
- krb5_preauthtype * ptypes,
- int nptypes,
- krb5_pa_data *** ret_list)
+make_preauth_list(krb5_context context,
+ krb5_preauthtype * ptypes,
+ int nptypes,
+ krb5_pa_data *** ret_list)
{
- krb5_preauthtype * ptypep;
- krb5_pa_data ** preauthp;
- int i;
+ krb5_preauthtype * ptypep;
+ krb5_pa_data ** preauthp;
+ int i;
if (nptypes < 0) {
- for (nptypes=0, ptypep = ptypes; *ptypep; ptypep++, nptypes++)
- ;
+ for (nptypes=0, ptypep = ptypes; *ptypep; ptypep++, nptypes++)
+ ;
}
-
+
/* allocate space for a NULL to terminate the list */
-
+
if ((preauthp =
- (krb5_pa_data **) malloc((nptypes+1)*sizeof(krb5_pa_data *))) == NULL)
- return(ENOMEM);
-
+ (krb5_pa_data **) malloc((nptypes+1)*sizeof(krb5_pa_data *))) == NULL)
+ return(ENOMEM);
+
for (i=0; i<nptypes; i++) {
- if ((preauthp[i] =
- (krb5_pa_data *) malloc(sizeof(krb5_pa_data))) == NULL) {
- for (; i>=0; i--)
- free(preauthp[i]);
- free(preauthp);
- return (ENOMEM);
- }
- preauthp[i]->magic = KV5M_PA_DATA;
- preauthp[i]->pa_type = ptypes[i];
- preauthp[i]->length = 0;
- preauthp[i]->contents = 0;
+ if ((preauthp[i] =
+ (krb5_pa_data *) malloc(sizeof(krb5_pa_data))) == NULL) {
+ for (; i>=0; i--)
+ free(preauthp[i]);
+ free(preauthp);
+ return (ENOMEM);
+ }
+ preauthp[i]->magic = KV5M_PA_DATA;
+ preauthp[i]->pa_type = ptypes[i];
+ preauthp[i]->length = 0;
+ preauthp[i]->contents = 0;
}
-
+
/* fill in the terminating NULL */
-
+
preauthp[nptypes] = NULL;
-
+
*ret_list = preauthp;
return 0;
}
@@ -495,10 +496,10 @@ static const krb5_enctype get_in_tkt_enctypes[] = {
static krb5_error_code
rewrite_server_realm(krb5_context context,
- krb5_const_principal old_server,
- const krb5_data *realm,
- krb5_boolean tgs,
- krb5_principal *server)
+ krb5_const_principal old_server,
+ const krb5_data *realm,
+ krb5_boolean tgs,
+ krb5_principal *server)
{
krb5_error_code retval;
@@ -506,28 +507,28 @@ rewrite_server_realm(krb5_context context,
retval = krb5_copy_principal(context, old_server, server);
if (retval)
- return retval;
+ return retval;
krb5_free_data_contents(context, &(*server)->realm);
(*server)->realm.data = NULL;
retval = krb5int_copy_data_contents(context, realm, &(*server)->realm);
if (retval)
- goto cleanup;
+ goto cleanup;
if (tgs) {
- krb5_free_data_contents(context, &(*server)->data[1]);
- (*server)->data[1].data = NULL;
+ krb5_free_data_contents(context, &(*server)->data[1]);
+ (*server)->data[1].data = NULL;
- retval = krb5int_copy_data_contents(context, realm, &(*server)->data[1]);
- if (retval)
- goto cleanup;
+ retval = krb5int_copy_data_contents(context, realm, &(*server)->data[1]);
+ if (retval)
+ goto cleanup;
}
cleanup:
if (retval) {
- krb5_free_principal(context, *server);
- *server = NULL;
+ krb5_free_principal(context, *server);
+ *server = NULL;
}
return retval;
@@ -544,44 +545,44 @@ tgt_is_local_realm(krb5_creds *tgt)
krb5_error_code KRB5_CALLCONV
krb5_get_in_tkt(krb5_context context,
- krb5_flags options,
- krb5_address * const * addrs,
- krb5_enctype * ktypes,
- krb5_preauthtype * ptypes,
- git_key_proc key_proc,
- krb5_const_pointer keyseed,
- git_decrypt_proc decrypt_proc,
- krb5_const_pointer decryptarg,
- krb5_creds * creds,
- krb5_ccache ccache,
- krb5_kdc_rep ** ret_as_reply)
+ krb5_flags options,
+ krb5_address * const * addrs,
+ krb5_enctype * ktypes,
+ krb5_preauthtype * ptypes,
+ git_key_proc key_proc,
+ krb5_const_pointer keyseed,
+ git_decrypt_proc decrypt_proc,
+ krb5_const_pointer decryptarg,
+ krb5_creds * creds,
+ krb5_ccache ccache,
+ krb5_kdc_rep ** ret_as_reply)
{
- krb5_error_code retval;
- krb5_timestamp time_now;
- krb5_keyblock * decrypt_key = 0;
- krb5_kdc_req request;
+ krb5_error_code retval;
+ krb5_timestamp time_now;
+ krb5_keyblock * decrypt_key = 0;
+ krb5_kdc_req request;
krb5_data *encoded_request;
- krb5_error * err_reply;
- krb5_kdc_rep * as_reply = 0;
- krb5_pa_data ** preauth_to_use = 0;
- int loopcount = 0;
- krb5_int32 do_more = 0;
- int canon_flag;
+ krb5_error * err_reply;
+ krb5_kdc_rep * as_reply = 0;
+ krb5_pa_data ** preauth_to_use = 0;
+ int loopcount = 0;
+ krb5_int32 do_more = 0;
+ int canon_flag;
int use_master = 0;
- int referral_count = 0;
- krb5_principal_data referred_client;
- krb5_principal referred_server = NULL;
- krb5_boolean is_tgt_req;
+ int referral_count = 0;
+ krb5_principal_data referred_client;
+ krb5_principal referred_server = NULL;
+ krb5_boolean is_tgt_req;
#if APPLE_PKINIT
inTktDebug("krb5_get_in_tkt top\n");
#endif /* APPLE_PKINIT */
if (! krb5_realm_compare(context, creds->client, creds->server))
- return KRB5_IN_TKT_REALM_MISMATCH;
+ return KRB5_IN_TKT_REALM_MISMATCH;
if (ret_as_reply)
- *ret_as_reply = 0;
+ *ret_as_reply = 0;
referred_client = *(creds->client);
referred_client.realm.data = NULL;
@@ -589,8 +590,8 @@ krb5_get_in_tkt(krb5_context context,
/* per referrals draft, enterprise principals imply canonicalization */
canon_flag = ((options & KDC_OPT_CANONICALIZE) != 0) ||
- creds->client->type == KRB5_NT_ENTERPRISE_PRINCIPAL;
-
+ creds->client->type == KRB5_NT_ENTERPRISE_PRINCIPAL;
+
/*
* Set up the basic request structure
*/
@@ -600,10 +601,10 @@ krb5_get_in_tkt(krb5_context context,
request.ktype = 0;
request.padata = 0;
if (addrs)
- request.addresses = (krb5_address **) addrs;
+ request.addresses = (krb5_address **) addrs;
else
- if ((retval = krb5_os_localaddr(context, &request.addresses)))
- goto cleanup;
+ if ((retval = krb5_os_localaddr(context, &request.addresses)))
+ goto cleanup;
request.kdc_options = options;
request.client = creds->client;
request.server = creds->server;
@@ -614,43 +615,43 @@ krb5_get_in_tkt(krb5_context context,
#if APPLE_PKINIT
retval = gen_nonce(context, (krb5_int32 *)&time_now);
if(retval) {
- goto cleanup;
+ goto cleanup;
}
request.nonce = time_now;
#endif /* APPLE_PKINIT */
request.ktype = malloc (sizeof(get_in_tkt_enctypes));
if (request.ktype == NULL) {
- retval = ENOMEM;
- goto cleanup;
+ retval = ENOMEM;
+ goto cleanup;
}
memcpy(request.ktype, get_in_tkt_enctypes, sizeof(get_in_tkt_enctypes));
for (request.nktypes = 0;request.ktype[request.nktypes];request.nktypes++);
if (ktypes) {
- int i, req, next = 0;
- for (req = 0; ktypes[req]; req++) {
- if (ktypes[req] == request.ktype[next]) {
- next++;
- continue;
- }
- for (i = next + 1; i < request.nktypes; i++)
- if (ktypes[req] == request.ktype[i]) {
- /* Found the enctype we want, but not in the
- position we want. Move it, but keep the old
- one from the desired slot around in case it's
- later in our requested-ktypes list. */
- krb5_enctype t;
- t = request.ktype[next];
- request.ktype[next] = request.ktype[i];
- request.ktype[i] = t;
- next++;
- break;
- }
- /* If we didn't find it, don't do anything special, just
- drop it. */
- }
- request.ktype[next] = 0;
- request.nktypes = next;
+ int i, req, next = 0;
+ for (req = 0; ktypes[req]; req++) {
+ if (ktypes[req] == request.ktype[next]) {
+ next++;
+ continue;
+ }
+ for (i = next + 1; i < request.nktypes; i++)
+ if (ktypes[req] == request.ktype[i]) {
+ /* Found the enctype we want, but not in the
+ position we want. Move it, but keep the old
+ one from the desired slot around in case it's
+ later in our requested-ktypes list. */
+ krb5_enctype t;
+ t = request.ktype[next];
+ request.ktype[next] = request.ktype[i];
+ request.ktype[i] = t;
+ next++;
+ break;
+ }
+ /* If we didn't find it, don't do anything special, just
+ drop it. */
+ }
+ request.ktype[next] = 0;
+ request.nktypes = next;
}
request.authorization_data.ciphertext.length = 0;
request.authorization_data.ciphertext.data = 0;
@@ -662,153 +663,153 @@ krb5_get_in_tkt(krb5_context context,
* preauth_to_use list.
*/
if (ptypes) {
- retval = make_preauth_list(context, ptypes, -1, &preauth_to_use);
- if (retval)
- goto cleanup;
+ retval = make_preauth_list(context, ptypes, -1, &preauth_to_use);
+ if (retval)
+ goto cleanup;
}
-
+
is_tgt_req = tgt_is_local_realm(creds);
while (1) {
- if (loopcount++ > MAX_IN_TKT_LOOPS) {
- retval = KRB5_GET_IN_TKT_LOOP;
- goto cleanup;
- }
+ if (loopcount++ > MAX_IN_TKT_LOOPS) {
+ retval = KRB5_GET_IN_TKT_LOOP;
+ goto cleanup;
+ }
#if APPLE_PKINIT
- inTktDebug("krb5_get_in_tkt calling krb5_obtain_padata\n");
+ inTktDebug("krb5_get_in_tkt calling krb5_obtain_padata\n");
#endif /* APPLE_PKINIT */
- if ((retval = krb5_obtain_padata(context, preauth_to_use, key_proc,
- keyseed, creds, &request)) != 0)
- goto cleanup;
- if (preauth_to_use)
- krb5_free_pa_data(context, preauth_to_use);
- preauth_to_use = 0;
-
- err_reply = 0;
- as_reply = 0;
+ if ((retval = krb5_obtain_padata(context, preauth_to_use, key_proc,
+ keyseed, creds, &request)) != 0)
+ goto cleanup;
+ if (preauth_to_use)
+ krb5_free_pa_data(context, preauth_to_use);
+ preauth_to_use = 0;
+
+ err_reply = 0;
+ as_reply = 0;
if ((retval = krb5_timeofday(context, &time_now)))
- goto cleanup;
+ goto cleanup;
/*
* XXX we know they are the same size... and we should do
* something better than just the current time
*/
- request.nonce = (krb5_int32) time_now;
-
- if ((retval = encode_krb5_as_req(&request, &encoded_request)) != 0)
- goto cleanup;
- retval = send_as_request(context, encoded_request,
- krb5_princ_realm(context, request.client), &err_reply,
- &as_reply, &use_master);
- krb5_free_data(context, encoded_request);
- if (retval != 0)
- goto cleanup;
-
- if (err_reply) {
- if (err_reply->error == KDC_ERR_PREAUTH_REQUIRED &&
- err_reply->e_data.length > 0) {
- retval = decode_krb5_padata_sequence(&err_reply->e_data,
- &preauth_to_use);
- krb5_free_error(context, err_reply);
- if (retval)
- goto cleanup;
+ request.nonce = (krb5_int32) time_now;
+
+ if ((retval = encode_krb5_as_req(&request, &encoded_request)) != 0)
+ goto cleanup;
+ retval = send_as_request(context, encoded_request,
+ krb5_princ_realm(context, request.client), &err_reply,
+ &as_reply, &use_master);
+ krb5_free_data(context, encoded_request);
+ if (retval != 0)
+ goto cleanup;
+
+ if (err_reply) {
+ if (err_reply->error == KDC_ERR_PREAUTH_REQUIRED &&
+ err_reply->e_data.length > 0) {
+ retval = decode_krb5_padata_sequence(&err_reply->e_data,
+ &preauth_to_use);
+ krb5_free_error(context, err_reply);
+ if (retval)
+ goto cleanup;
retval = sort_krb5_padata_sequence(context,
- &request.server->realm,
- preauth_to_use);
- if (retval)
- goto cleanup;
- continue;
- } else if (canon_flag && err_reply->error == KDC_ERR_WRONG_REALM) {
- if (++referral_count > KRB5_REFERRAL_MAXHOPS ||
- err_reply->client == NULL ||
- err_reply->client->realm.length == 0) {
- retval = KRB5KDC_ERR_WRONG_REALM;
- krb5_free_error(context, err_reply);
- goto cleanup;
- }
- /* Rewrite request.client with realm from error reply */
- if (referred_client.realm.data) {
- krb5_free_data_contents(context, &referred_client.realm);
- referred_client.realm.data = NULL;
- }
- retval = krb5int_copy_data_contents(context,
- &err_reply->client->realm,
- &referred_client.realm);
- krb5_free_error(context, err_reply);
- if (retval)
- goto cleanup;
- request.client = &referred_client;
-
- if (referred_server != NULL) {
- krb5_free_principal(context, referred_server);
- referred_server = NULL;
- }
-
- retval = rewrite_server_realm(context,
- creds->server,
- &referred_client.realm,
- is_tgt_req,
- &referred_server);
- if (retval)
- goto cleanup;
- request.server = referred_server;
-
- continue;
- } else {
- retval = (krb5_error_code) err_reply->error
- + ERROR_TABLE_BASE_krb5;
- krb5_free_error(context, err_reply);
- goto cleanup;
- }
- } else if (!as_reply) {
- retval = KRB5KRB_AP_ERR_MSG_TYPE;
- goto cleanup;
- }
- if ((retval = krb5_process_padata(context, &request, as_reply,
- key_proc, keyseed, decrypt_proc,
- &decrypt_key, creds,
- &do_more)) != 0)
- goto cleanup;
-
- if (!do_more)
- break;
+ &request.server->realm,
+ preauth_to_use);
+ if (retval)
+ goto cleanup;
+ continue;
+ } else if (canon_flag && err_reply->error == KDC_ERR_WRONG_REALM) {
+ if (++referral_count > KRB5_REFERRAL_MAXHOPS ||
+ err_reply->client == NULL ||
+ err_reply->client->realm.length == 0) {
+ retval = KRB5KDC_ERR_WRONG_REALM;
+ krb5_free_error(context, err_reply);
+ goto cleanup;
+ }
+ /* Rewrite request.client with realm from error reply */
+ if (referred_client.realm.data) {
+ krb5_free_data_contents(context, &referred_client.realm);
+ referred_client.realm.data = NULL;
+ }
+ retval = krb5int_copy_data_contents(context,
+ &err_reply->client->realm,
+ &referred_client.realm);
+ krb5_free_error(context, err_reply);
+ if (retval)
+ goto cleanup;
+ request.client = &referred_client;
+
+ if (referred_server != NULL) {
+ krb5_free_principal(context, referred_server);
+ referred_server = NULL;
+ }
+
+ retval = rewrite_server_realm(context,
+ creds->server,
+ &referred_client.realm,
+ is_tgt_req,
+ &referred_server);
+ if (retval)
+ goto cleanup;
+ request.server = referred_server;
+
+ continue;
+ } else {
+ retval = (krb5_error_code) err_reply->error
+ + ERROR_TABLE_BASE_krb5;
+ krb5_free_error(context, err_reply);
+ goto cleanup;
+ }
+ } else if (!as_reply) {
+ retval = KRB5KRB_AP_ERR_MSG_TYPE;
+ goto cleanup;
+ }
+ if ((retval = krb5_process_padata(context, &request, as_reply,
+ key_proc, keyseed, decrypt_proc,
+ &decrypt_key, creds,
+ &do_more)) != 0)
+ goto cleanup;
+
+ if (!do_more)
+ break;
}
-
+
if ((retval = decrypt_as_reply(context, &request, as_reply, key_proc,
- keyseed, decrypt_key, decrypt_proc,
- decryptarg)))
- goto cleanup;
+ keyseed, decrypt_key, decrypt_proc,
+ decryptarg)))
+ goto cleanup;
if ((retval = verify_as_reply(context, time_now, &request, as_reply)))
- goto cleanup;
+ goto cleanup;
if ((retval = stash_as_reply(context, time_now, &request, as_reply,
- creds, ccache)))
- goto cleanup;
+ creds, ccache)))
+ goto cleanup;
cleanup:
if (request.ktype)
- free(request.ktype);
+ free(request.ktype);
if (!addrs && request.addresses)
- krb5_free_addresses(context, request.addresses);
+ krb5_free_addresses(context, request.addresses);
if (request.padata)
- krb5_free_pa_data(context, request.padata);
+ krb5_free_pa_data(context, request.padata);
if (preauth_to_use)
- krb5_free_pa_data(context, preauth_to_use);
+ krb5_free_pa_data(context, preauth_to_use);
if (decrypt_key)
- krb5_free_keyblock(context, decrypt_key);
+ krb5_free_keyblock(context, decrypt_key);
if (as_reply) {
- if (ret_as_reply)
- *ret_as_reply = as_reply;
- else
- krb5_free_kdc_rep(context, as_reply);
+ if (ret_as_reply)
+ *ret_as_reply = as_reply;
+ else
+ krb5_free_kdc_rep(context, as_reply);
}
if (referred_client.realm.data)
- krb5_free_data_contents(context, &referred_client.realm);
+ krb5_free_data_contents(context, &referred_client.realm);
if (referred_server)
- krb5_free_principal(context, referred_server);
+ krb5_free_principal(context, referred_server);
return (retval);
}
@@ -833,13 +834,13 @@ _krb5_conf_boolean(const char *s)
const char *const *p;
for(p=conf_yes; *p; p++) {
- if (!strcasecmp(*p,s))
- return 1;
+ if (!strcasecmp(*p,s))
+ return 1;
}
for(p=conf_no; *p; p++) {
- if (!strcasecmp(*p,s))
- return 0;
+ if (!strcasecmp(*p,s))
+ return 0;
}
/* Default to "no" */
@@ -848,7 +849,7 @@ _krb5_conf_boolean(const char *s)
static krb5_error_code
krb5_libdefault_string(krb5_context context, const krb5_data *realm,
- const char *option, char **ret_value)
+ const char *option, char **ret_value)
{
profile_t profile;
const char *names[5];
@@ -857,25 +858,25 @@ krb5_libdefault_string(krb5_context context, const krb5_data *realm,
char realmstr[1024];
if (realm->length > sizeof(realmstr)-1)
- return(EINVAL);
+ return(EINVAL);
strncpy(realmstr, realm->data, realm->length);
realmstr[realm->length] = '\0';
- if (!context || (context->magic != KV5M_CONTEXT))
- return KV5M_CONTEXT;
+ if (!context || (context->magic != KV5M_CONTEXT))
+ return KV5M_CONTEXT;
profile = context->profile;
-
+
names[0] = KRB5_CONF_LIBDEFAULTS;
/*
* Try number one:
*
* [libdefaults]
- * REALM = {
- * option = <boolean>
- * }
+ * REALM = {
+ * option = <boolean>
+ * }
*/
names[1] = realmstr;
@@ -883,24 +884,24 @@ krb5_libdefault_string(krb5_context context, const krb5_data *realm,
names[3] = 0;
retval = profile_get_values(profile, names, &nameval);
if (retval == 0 && nameval && nameval[0])
- goto goodbye;
+ goto goodbye;
/*
* Try number two:
*
* [libdefaults]
- * option = <boolean>
+ * option = <boolean>
*/
-
+
names[1] = option;
names[2] = 0;
retval = profile_get_values(profile, names, &nameval);
if (retval == 0 && nameval && nameval[0])
- goto goodbye;
+ goto goodbye;
goodbye:
- if (!nameval)
- return(ENOENT);
+ if (!nameval)
+ return(ENOENT);
if (!nameval[0]) {
retval = ENOENT;
@@ -920,7 +921,7 @@ goodbye:
krb5_error_code
krb5_libdefault_boolean(krb5_context context, const krb5_data *realm,
- const char *option, int *ret_value)
+ const char *option, int *ret_value)
{
char *string = NULL;
krb5_error_code retval;
@@ -928,7 +929,7 @@ krb5_libdefault_boolean(krb5_context context, const krb5_data *realm,
retval = krb5_libdefault_string(context, realm, option, &string);
if (retval)
- return(retval);
+ return(retval);
*ret_value = _krb5_conf_boolean(string);
free(string);
@@ -940,7 +941,7 @@ krb5_libdefault_boolean(krb5_context context, const krb5_data *realm,
* libdefaults entry are listed before any others. */
static krb5_error_code
sort_krb5_padata_sequence(krb5_context context, krb5_data *realm,
- krb5_pa_data **padata)
+ krb5_pa_data **padata)
{
int i, j, base;
krb5_error_code ret;
@@ -951,58 +952,58 @@ sort_krb5_padata_sequence(krb5_context context, krb5_data *realm,
int need_free_string = 1;
if ((padata == NULL) || (padata[0] == NULL)) {
- return 0;
+ return 0;
}
ret = krb5_libdefault_string(context, realm, KRB5_CONF_PREFERRED_PREAUTH_TYPES,
- &preauth_types);
+ &preauth_types);
if ((ret != 0) || (preauth_types == NULL)) {
- /* Try to use PKINIT first. */
- preauth_types = "17, 16, 15, 14";
- need_free_string = 0;
+ /* Try to use PKINIT first. */
+ preauth_types = "17, 16, 15, 14";
+ need_free_string = 0;
}
#ifdef DEBUG
fprintf (stderr, "preauth data types before sorting:");
for (i = 0; padata[i]; i++) {
- fprintf (stderr, " %d", padata[i]->pa_type);
+ fprintf (stderr, " %d", padata[i]->pa_type);
}
fprintf (stderr, "\n");
#endif
base = 0;
for (p = preauth_types; *p != '\0';) {
- /* skip whitespace to find an entry */
- p += strspn(p, ", ");
- if (*p != '\0') {
- /* see if we can extract a number */
- l = strtol(p, &q, 10);
- if ((q != NULL) && (q > p)) {
- /* got a valid number; search for a matchin entry */
- for (i = base; padata[i] != NULL; i++) {
- /* bubble the matching entry to the front of the list */
- if (padata[i]->pa_type == l) {
- tmp = padata[i];
- for (j = i; j > base; j--)
- padata[j] = padata[j - 1];
- padata[base] = tmp;
- base++;
- break;
- }
- }
- p = q;
- } else {
- break;
- }
- }
+ /* skip whitespace to find an entry */
+ p += strspn(p, ", ");
+ if (*p != '\0') {
+ /* see if we can extract a number */
+ l = strtol(p, &q, 10);
+ if ((q != NULL) && (q > p)) {
+ /* got a valid number; search for a matchin entry */
+ for (i = base; padata[i] != NULL; i++) {
+ /* bubble the matching entry to the front of the list */
+ if (padata[i]->pa_type == l) {
+ tmp = padata[i];
+ for (j = i; j > base; j--)
+ padata[j] = padata[j - 1];
+ padata[base] = tmp;
+ base++;
+ break;
+ }
+ }
+ p = q;
+ } else {
+ break;
+ }
+ }
}
if (need_free_string)
- free(preauth_types);
+ free(preauth_types);
#ifdef DEBUG
fprintf (stderr, "preauth data types after sorting:");
for (i = 0; padata[i]; i++)
- fprintf (stderr, " %d", padata[i]->pa_type);
+ fprintf (stderr, " %d", padata[i]->pa_type);
fprintf (stderr, "\n");
#endif
@@ -1011,46 +1012,46 @@ sort_krb5_padata_sequence(krb5_context context, krb5_data *realm,
static krb5_error_code
build_in_tkt_name(krb5_context context,
- char *in_tkt_service,
- krb5_const_principal client,
- krb5_principal *server)
+ char *in_tkt_service,
+ krb5_const_principal client,
+ krb5_principal *server)
{
krb5_error_code ret;
*server = NULL;
if (in_tkt_service) {
- /* this is ugly, because so are the data structures involved. I'm
- in the library, so I'm going to manipulate the data structures
- directly, otherwise, it will be worse. */
+ /* this is ugly, because so are the data structures involved. I'm
+ in the library, so I'm going to manipulate the data structures
+ directly, otherwise, it will be worse. */
if ((ret = krb5_parse_name(context, in_tkt_service, server)))
- return ret;
-
- /* stuff the client realm into the server principal.
- realloc if necessary */
- if ((*server)->realm.length < client->realm.length) {
- char *p = realloc((*server)->realm.data,
- client->realm.length);
- if (p == NULL) {
- krb5_free_principal(context, *server);
- *server = NULL;
- return ENOMEM;
- }
- (*server)->realm.data = p;
- }
-
- (*server)->realm.length = client->realm.length;
- memcpy((*server)->realm.data, client->realm.data, client->realm.length);
+ return ret;
+
+ /* stuff the client realm into the server principal.
+ realloc if necessary */
+ if ((*server)->realm.length < client->realm.length) {
+ char *p = realloc((*server)->realm.data,
+ client->realm.length);
+ if (p == NULL) {
+ krb5_free_principal(context, *server);
+ *server = NULL;
+ return ENOMEM;
+ }
+ (*server)->realm.data = p;
+ }
+
+ (*server)->realm.length = client->realm.length;
+ memcpy((*server)->realm.data, client->realm.data, client->realm.length);
} else {
- ret = krb5_build_principal_ext(context, server,
- client->realm.length,
- client->realm.data,
- KRB5_TGS_NAME_SIZE,
- KRB5_TGS_NAME,
- client->realm.length,
- client->realm.data,
- 0);
+ ret = krb5_build_principal_ext(context, server,
+ client->realm.length,
+ client->realm.data,
+ KRB5_TGS_NAME_SIZE,
+ KRB5_TGS_NAME,
+ client->realm.length,
+ client->realm.data,
+ 0);
}
return ret;
}
@@ -1067,22 +1068,22 @@ should_continue_preauth(krb5_ui_4 error, int loopcount)
* currently it does not do so for built-in mechanisms.
*/
return (error == KDC_ERR_PREAUTH_REQUIRED ||
- (error == KDC_ERR_PREAUTH_FAILED && loopcount == 0));
+ (error == KDC_ERR_PREAUTH_FAILED && loopcount == 0));
}
krb5_error_code KRB5_CALLCONV
krb5_get_init_creds(krb5_context context,
- krb5_creds *creds,
- krb5_principal client,
- krb5_prompter_fct prompter,
- void *prompter_data,
- krb5_deltat start_time,
- char *in_tkt_service,
- krb5_gic_opt_ext *options,
- krb5_gic_get_as_key_fct gak_fct,
- void *gak_data,
- int *use_master,
- krb5_kdc_rep **as_reply)
+ krb5_creds *creds,
+ krb5_principal client,
+ krb5_prompter_fct prompter,
+ void *prompter_data,
+ krb5_deltat start_time,
+ char *in_tkt_service,
+ krb5_gic_opt_ext *options,
+ krb5_gic_get_as_key_fct gak_fct,
+ void *gak_data,
+ int *use_master,
+ krb5_kdc_rep **as_reply)
{
krb5_error_code ret;
krb5_kdc_req request;
@@ -1107,7 +1108,7 @@ krb5_get_init_creds(krb5_context context,
krb5_boolean retry = 0;
struct krb5int_fast_request_state *fast_state = NULL;
krb5_pa_data **out_padata = NULL;
-
+
/* initialize everything which will be freed at cleanup */
@@ -1124,14 +1125,14 @@ krb5_get_init_creds(krb5_context context,
as_key.length = 0;
encrypting_key.length = 0;
encrypting_key.contents = NULL;
- salt.length = 0;
+ salt.length = 0;
salt.data = NULL;
- local_as_reply = 0;
+ local_as_reply = 0;
#if APPLE_PKINIT
inTktDebug("krb5_get_init_creds top\n");
#endif /* APPLE_PKINIT */
-
+
err_reply = NULL;
/* referred_client is used to rewrite the client realm for referrals */
@@ -1140,7 +1141,7 @@ krb5_get_init_creds(krb5_context context,
referred_client.realm.length = 0;
ret = krb5int_fast_make_state(context, &fast_state);
if (ret)
- goto cleanup;
+ goto cleanup;
/*
* Set up the basic request structure
@@ -1158,137 +1159,137 @@ krb5_get_init_creds(krb5_context context,
/* forwardable */
if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_FORWARDABLE))
- tempint = options->forwardable;
+ tempint = options->forwardable;
else if ((ret = krb5_libdefault_boolean(context, &client->realm,
- KRB5_CONF_FORWARDABLE, &tempint)) == 0)
- ;
+ KRB5_CONF_FORWARDABLE, &tempint)) == 0)
+ ;
else
- tempint = 0;
+ tempint = 0;
if (tempint)
- request.kdc_options |= KDC_OPT_FORWARDABLE;
+ request.kdc_options |= KDC_OPT_FORWARDABLE;
/* proxiable */
if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_PROXIABLE))
- tempint = options->proxiable;
+ tempint = options->proxiable;
else if ((ret = krb5_libdefault_boolean(context, &client->realm,
- KRB5_CONF_PROXIABLE, &tempint)) == 0)
- ;
+ KRB5_CONF_PROXIABLE, &tempint)) == 0)
+ ;
else
- tempint = 0;
+ tempint = 0;
if (tempint)
- request.kdc_options |= KDC_OPT_PROXIABLE;
+ request.kdc_options |= KDC_OPT_PROXIABLE;
/* canonicalize */
if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_CANONICALIZE))
- tempint = 1;
+ tempint = 1;
else if ((ret = krb5_libdefault_boolean(context, &client->realm,
- KRB5_CONF_CANONICALIZE, &tempint)) == 0)
- ;
+ KRB5_CONF_CANONICALIZE, &tempint)) == 0)
+ ;
else
- tempint = 0;
+ tempint = 0;
if (tempint)
- request.kdc_options |= KDC_OPT_CANONICALIZE;
+ request.kdc_options |= KDC_OPT_CANONICALIZE;
/* allow_postdate */
-
+
if (start_time > 0)
- request.kdc_options |= (KDC_OPT_ALLOW_POSTDATE|KDC_OPT_POSTDATED);
-
+ request.kdc_options |= (KDC_OPT_ALLOW_POSTDATE|KDC_OPT_POSTDATED);
+
/* ticket lifetime */
-
+
if ((ret = krb5_timeofday(context, &request.from)))
- goto cleanup;
+ goto cleanup;
request.from = krb5int_addint32(request.from, start_time);
-
+
if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_TKT_LIFE)) {
tkt_life = options->tkt_life;
} else if ((ret = krb5_libdefault_string(context, &client->realm,
- KRB5_CONF_TICKET_LIFETIME, &tempstr))
- == 0) {
- ret = krb5_string_to_deltat(tempstr, &tkt_life);
- free(tempstr);
- if (ret) {
- goto cleanup;
- }
+ KRB5_CONF_TICKET_LIFETIME, &tempstr))
+ == 0) {
+ ret = krb5_string_to_deltat(tempstr, &tkt_life);
+ free(tempstr);
+ if (ret) {
+ goto cleanup;
+ }
} else {
- /* this used to be hardcoded in kinit.c */
- tkt_life = 24*60*60;
+ /* this used to be hardcoded in kinit.c */
+ tkt_life = 24*60*60;
}
request.till = krb5int_addint32(request.from, tkt_life);
-
+
/* renewable lifetime */
-
+
if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE)) {
- renew_life = options->renew_life;
+ renew_life = options->renew_life;
} else if ((ret = krb5_libdefault_string(context, &client->realm,
- KRB5_CONF_RENEW_LIFETIME, &tempstr))
- == 0) {
- ret = krb5_string_to_deltat(tempstr, &renew_life);
- free(tempstr);
- if (ret) {
- goto cleanup;
- }
+ KRB5_CONF_RENEW_LIFETIME, &tempstr))
+ == 0) {
+ ret = krb5_string_to_deltat(tempstr, &renew_life);
+ free(tempstr);
+ if (ret) {
+ goto cleanup;
+ }
} else {
- renew_life = 0;
+ renew_life = 0;
}
if (renew_life > 0)
- request.kdc_options |= KDC_OPT_RENEWABLE;
-
+ request.kdc_options |= KDC_OPT_RENEWABLE;
+
if (renew_life > 0) {
- request.rtime = krb5int_addint32(request.from, renew_life);
+ request.rtime = krb5int_addint32(request.from, renew_life);
if (request.rtime < request.till) {
/* don't ask for a smaller renewable time than the lifetime */
request.rtime = request.till;
}
/* we are already asking for renewable tickets so strip this option */
- request.kdc_options &= ~(KDC_OPT_RENEWABLE_OK);
+ request.kdc_options &= ~(KDC_OPT_RENEWABLE_OK);
} else {
- request.rtime = 0;
+ request.rtime = 0;
}
-
+
/* client */
request.client = client;
/* per referrals draft, enterprise principals imply canonicalization */
canon_flag = ((request.kdc_options & KDC_OPT_CANONICALIZE) != 0) ||
- client->type == KRB5_NT_ENTERPRISE_PRINCIPAL;
+ client->type == KRB5_NT_ENTERPRISE_PRINCIPAL;
/* service */
if ((ret = build_in_tkt_name(context, in_tkt_service,
- request.client, &request.server)))
- goto cleanup;
+ request.client, &request.server)))
+ goto cleanup;
krb5_preauth_request_context_init(context);
if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST)) {
- request.ktype = options->etype_list;
- request.nktypes = options->etype_list_length;
+ request.ktype = options->etype_list;
+ request.nktypes = options->etype_list_length;
} else if ((ret = krb5_get_default_in_tkt_ktypes(context,
- &request.ktype)) == 0) {
- for (request.nktypes = 0;
- request.ktype[request.nktypes];
- request.nktypes++)
- ;
+ &request.ktype)) == 0) {
+ for (request.nktypes = 0;
+ request.ktype[request.nktypes];
+ request.nktypes++)
+ ;
} else {
- /* there isn't any useful default here. ret is set from above */
- goto cleanup;
+ /* there isn't any useful default here. ret is set from above */
+ goto cleanup;
}
if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST)) {
- request.addresses = options->address_list;
+ request.addresses = options->address_list;
}
/* it would be nice if this parsed out an address list, but
that would be work. */
else if (((ret = krb5_libdefault_boolean(context, &client->realm,
- KRB5_CONF_NOADDRESSES, &tempint)) != 0)
- || (tempint == 1)) {
- ;
+ KRB5_CONF_NOADDRESSES, &tempint)) != 0)
+ || (tempint == 1)) {
+ ;
} else {
- if ((ret = krb5_os_localaddr(context, &request.addresses)))
- goto cleanup;
+ if ((ret = krb5_os_localaddr(context, &request.addresses)))
+ goto cleanup;
}
request.authorization_data.ciphertext.length = 0;
@@ -1299,228 +1300,228 @@ krb5_get_init_creds(krb5_context context,
/* set up the other state. */
if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST)) {
- if ((ret = make_preauth_list(context, options->preauth_list,
- options->preauth_list_length,
- &preauth_to_use)))
- goto cleanup;
+ if ((ret = make_preauth_list(context, options->preauth_list,
+ options->preauth_list_length,
+ &preauth_to_use)))
+ goto cleanup;
}
/* the salt is allocated from somewhere, unless it is from the caller,
then it is a reference */
if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_SALT)) {
- salt = *options->salt;
+ salt = *options->salt;
} else {
- salt.length = SALT_TYPE_AFS_LENGTH;
- salt.data = NULL;
+ salt.length = SALT_TYPE_AFS_LENGTH;
+ salt.data = NULL;
}
/* set the request nonce */
if ((ret = krb5_timeofday(context, &time_now)))
- goto cleanup;
+ goto cleanup;
/*
* XXX we know they are the same size... and we should do
* something better than just the current time
*/
{
- unsigned char random_buf[4];
- krb5_data random_data;
-
- random_data.length = 4;
- random_data.data = (char *)random_buf;
- if (krb5_c_random_make_octets(context, &random_data) == 0)
- /* See RT ticket 3196 at MIT. If we set the high bit, we
- may have compatibility problems with Heimdal, because
- we (incorrectly) encode this value as signed. */
- request.nonce = 0x7fffffff & load_32_n(random_buf);
- else
- /* XXX Yuck. Old version. */
- request.nonce = (krb5_int32) time_now;
+ unsigned char random_buf[4];
+ krb5_data random_data;
+
+ random_data.length = 4;
+ random_data.data = (char *)random_buf;
+ if (krb5_c_random_make_octets(context, &random_data) == 0)
+ /* See RT ticket 3196 at MIT. If we set the high bit, we
+ may have compatibility problems with Heimdal, because
+ we (incorrectly) encode this value as signed. */
+ request.nonce = 0x7fffffff & load_32_n(random_buf);
+ else
+ /* XXX Yuck. Old version. */
+ request.nonce = (krb5_int32) time_now;
}
ret = krb5int_fast_as_armor(context, fast_state, options, &request);
if (ret != 0)
- goto cleanup;
+ goto cleanup;
/* give the preauth plugins a chance to prep the request body */
krb5_preauth_prepare_request(context, options, &request);
ret = krb5int_fast_prep_req_body(context, fast_state,
- &request, &encoded_request_body);
+ &request, &encoded_request_body);
if (ret)
goto cleanup;
get_data_rock.magic = CLIENT_ROCK_MAGIC;
get_data_rock.etype = &etype;
get_data_rock.fast_state = fast_state;
-
+
/* now, loop processing preauth data and talking to the kdc */
for (loopcount = 0; loopcount < MAX_IN_TKT_LOOPS; loopcount++) {
- if (request.padata) {
- krb5_free_pa_data(context, request.padata);
- request.padata = NULL;
- }
- if (!err_reply) {
+ if (request.padata) {
+ krb5_free_pa_data(context, request.padata);
+ request.padata = NULL;
+ }
+ if (!err_reply) {
/* either our first attempt, or retrying after PREAUTH_NEEDED */
- if ((ret = krb5_do_preauth(context,
- &request,
- encoded_request_body,
- encoded_previous_request,
- preauth_to_use, &request.padata,
- &salt, &s2kparams, &etype, &as_key,
- prompter, prompter_data,
- gak_fct, gak_data,
- &get_data_rock, options)))
- goto cleanup;
- if (out_padata) {
- krb5_free_pa_data(context, out_padata);
- out_padata = NULL;
- }
- } else {
- if (preauth_to_use != NULL) {
- /*
- * Retry after an error other than PREAUTH_NEEDED,
- * using e-data to figure out what to change.
- */
- ret = krb5_do_preauth_tryagain(context,
- &request,
- encoded_request_body,
- encoded_previous_request,
- preauth_to_use, &request.padata,
- err_reply,
- &salt, &s2kparams, &etype,
- &as_key,
- prompter, prompter_data,
- gak_fct, gak_data,
- &get_data_rock, options);
- } else {
- /* No preauth supplied, so can't query the plug-ins. */
- ret = KRB5KRB_ERR_GENERIC;
- }
- if (ret) {
- /* couldn't come up with anything better */
- ret = err_reply->error + ERROR_TABLE_BASE_krb5;
- }
- krb5_free_error(context, err_reply);
- err_reply = NULL;
- if (ret)
- goto cleanup;
- }
+ if ((ret = krb5_do_preauth(context,
+ &request,
+ encoded_request_body,
+ encoded_previous_request,
+ preauth_to_use, &request.padata,
+ &salt, &s2kparams, &etype, &as_key,
+ prompter, prompter_data,
+ gak_fct, gak_data,
+ &get_data_rock, options)))
+ goto cleanup;
+ if (out_padata) {
+ krb5_free_pa_data(context, out_padata);
+ out_padata = NULL;
+ }
+ } else {
+ if (preauth_to_use != NULL) {
+ /*
+ * Retry after an error other than PREAUTH_NEEDED,
+ * using e-data to figure out what to change.
+ */
+ ret = krb5_do_preauth_tryagain(context,
+ &request,
+ encoded_request_body,
+ encoded_previous_request,
+ preauth_to_use, &request.padata,
+ err_reply,
+ &salt, &s2kparams, &etype,
+ &as_key,
+ prompter, prompter_data,
+ gak_fct, gak_data,
+ &get_data_rock, options);
+ } else {
+ /* No preauth supplied, so can't query the plug-ins. */
+ ret = KRB5KRB_ERR_GENERIC;
+ }
+ if (ret) {
+ /* couldn't come up with anything better */
+ ret = err_reply->error + ERROR_TABLE_BASE_krb5;
+ }
+ krb5_free_error(context, err_reply);
+ err_reply = NULL;
+ if (ret)
+ goto cleanup;
+ }
if (encoded_previous_request != NULL) {
- krb5_free_data(context, encoded_previous_request);
- encoded_previous_request = NULL;
+ krb5_free_data(context, encoded_previous_request);
+ encoded_previous_request = NULL;
+ }
+ ret = krb5int_fast_prep_req(context, fast_state,
+ &request, encoded_request_body,
+ encode_krb5_as_req, &encoded_previous_request);
+ if (ret)
+ goto cleanup;
+
+ err_reply = 0;
+ local_as_reply = 0;
+ if ((ret = send_as_request(context, encoded_previous_request,
+ krb5_princ_realm(context, request.client), &err_reply,
+ &local_as_reply, use_master)))
+ goto cleanup;
+
+ if (err_reply) {
+ ret = krb5int_fast_process_error(context, fast_state, &err_reply,
+ &out_padata, &retry);
+ if (ret !=0)
+ goto cleanup;
+ if (should_continue_preauth(err_reply->error, loopcount) && retry) {
+ /* reset the list of preauth types to try */
+ if (preauth_to_use) {
+ krb5_free_pa_data(context, preauth_to_use);
+ preauth_to_use = NULL;
+ }
+ preauth_to_use = out_padata;
+ out_padata = NULL;
+ krb5_free_error(context, err_reply);
+ err_reply = NULL;
+ ret = sort_krb5_padata_sequence(context,
+ &request.server->realm,
+ preauth_to_use);
+ if (ret)
+ goto cleanup;
+ /* continue to next iteration */
+ } else if (canon_flag && err_reply->error == KDC_ERR_WRONG_REALM) {
+ if (err_reply->client == NULL ||
+ err_reply->client->realm.length == 0) {
+ ret = KRB5KDC_ERR_WRONG_REALM;
+ krb5_free_error(context, err_reply);
+ goto cleanup;
+ }
+ /* Rewrite request.client with realm from error reply */
+ if (referred_client.realm.data) {
+ krb5_free_data_contents(context, &referred_client.realm);
+ referred_client.realm.data = NULL;
+ }
+ ret = krb5int_copy_data_contents(context,
+ &err_reply->client->realm,
+ &referred_client.realm);
+ krb5_free_error(context, err_reply);
+ err_reply = NULL;
+ if (ret)
+ goto cleanup;
+ request.client = &referred_client;
+
+ krb5_free_principal(context, request.server);
+ request.server = NULL;
+
+ ret = build_in_tkt_name(context, in_tkt_service,
+ request.client, &request.server);
+ if (ret)
+ goto cleanup;
+ } else {
+ if (retry) {
+ /* continue to next iteration */
+ } else {
+ /* error + no hints = give up */
+ ret = (krb5_error_code) err_reply->error
+ + ERROR_TABLE_BASE_krb5;
+ krb5_free_error(context, err_reply);
+ goto cleanup;
+ }
+ }
+ } else if (local_as_reply) {
+ break;
+ } else {
+ ret = KRB5KRB_AP_ERR_MSG_TYPE;
+ goto cleanup;
}
- ret = krb5int_fast_prep_req(context, fast_state,
- &request, encoded_request_body,
- encode_krb5_as_req, &encoded_previous_request);
- if (ret)
- goto cleanup;
-
- err_reply = 0;
- local_as_reply = 0;
- if ((ret = send_as_request(context, encoded_previous_request,
- krb5_princ_realm(context, request.client), &err_reply,
- &local_as_reply, use_master)))
- goto cleanup;
-
- if (err_reply) {
- ret = krb5int_fast_process_error(context, fast_state, &err_reply,
- &out_padata, &retry);
- if (ret !=0)
- goto cleanup;
- if (should_continue_preauth(err_reply->error, loopcount) && retry) {
- /* reset the list of preauth types to try */
- if (preauth_to_use) {
- krb5_free_pa_data(context, preauth_to_use);
- preauth_to_use = NULL;
- }
- preauth_to_use = out_padata;
- out_padata = NULL;
- krb5_free_error(context, err_reply);
- err_reply = NULL;
- ret = sort_krb5_padata_sequence(context,
- &request.server->realm,
- preauth_to_use);
- if (ret)
- goto cleanup;
- /* continue to next iteration */
- } else if (canon_flag && err_reply->error == KDC_ERR_WRONG_REALM) {
- if (err_reply->client == NULL ||
- err_reply->client->realm.length == 0) {
- ret = KRB5KDC_ERR_WRONG_REALM;
- krb5_free_error(context, err_reply);
- goto cleanup;
- }
- /* Rewrite request.client with realm from error reply */
- if (referred_client.realm.data) {
- krb5_free_data_contents(context, &referred_client.realm);
- referred_client.realm.data = NULL;
- }
- ret = krb5int_copy_data_contents(context,
- &err_reply->client->realm,
- &referred_client.realm);
- krb5_free_error(context, err_reply);
- err_reply = NULL;
- if (ret)
- goto cleanup;
- request.client = &referred_client;
-
- krb5_free_principal(context, request.server);
- request.server = NULL;
-
- ret = build_in_tkt_name(context, in_tkt_service,
- request.client, &request.server);
- if (ret)
- goto cleanup;
- } else {
- if (retry) {
- /* continue to next iteration */
- } else {
- /* error + no hints = give up */
- ret = (krb5_error_code) err_reply->error
- + ERROR_TABLE_BASE_krb5;
- krb5_free_error(context, err_reply);
- goto cleanup;
- }
- }
- } else if (local_as_reply) {
- break;
- } else {
- ret = KRB5KRB_AP_ERR_MSG_TYPE;
- goto cleanup;
- }
}
#if APPLE_PKINIT
inTktDebug("krb5_get_init_creds done with send_as_request loop lc %d\n",
- (int)loopcount);
+ (int)loopcount);
#endif /* APPLE_PKINIT */
if (loopcount == MAX_IN_TKT_LOOPS) {
- ret = KRB5_GET_IN_TKT_LOOP;
- goto cleanup;
+ ret = KRB5_GET_IN_TKT_LOOP;
+ goto cleanup;
}
/* process any preauth data in the as_reply */
krb5_clear_preauth_context_use_counts(context);
ret = krb5int_fast_process_response(context, fast_state,
- local_as_reply, &strengthen_key);
+ local_as_reply, &strengthen_key);
if (ret)
- goto cleanup;
+ goto cleanup;
if ((ret = sort_krb5_padata_sequence(context, &request.server->realm,
- local_as_reply->padata)))
- goto cleanup;
+ local_as_reply->padata)))
+ goto cleanup;
etype = local_as_reply->enc_part.enctype;
if ((ret = krb5_do_preauth(context,
- &request,
- encoded_request_body, encoded_previous_request,
- local_as_reply->padata, &kdc_padata,
- &salt, &s2kparams, &etype, &as_key, prompter,
- prompter_data, gak_fct, gak_data,
- &get_data_rock, options))) {
+ &request,
+ encoded_request_body, encoded_previous_request,
+ local_as_reply->padata, &kdc_padata,
+ &salt, &s2kparams, &etype, &as_key, prompter,
+ prompter_data, gak_fct, gak_data,
+ &get_data_rock, options))) {
#if APPLE_PKINIT
inTktDebug("krb5_get_init_creds krb5_do_preauth returned %d\n", (int)ret);
#endif /* APPLE_PKINIT */
- goto cleanup;
- }
+ goto cleanup;
+ }
/*
* If we haven't gotten a salt from another source yet, set up one
@@ -1533,9 +1534,9 @@ krb5_get_init_creds(krb5_context context,
* verify_as_reply.
*/
if (salt.length == SALT_TYPE_AFS_LENGTH && salt.data == NULL) {
- ret = krb5_principal2salt(context, local_as_reply->client, &salt);
- if (ret)
- goto cleanup;
+ ret = krb5_principal2salt(context, local_as_reply->client, &salt);
+ if (ret)
+ goto cleanup;
}
/* XXX For 1.1.1 and prior KDC's, when SAM is used w/ USE_SAD_AS_KEY,
@@ -1543,7 +1544,7 @@ krb5_get_init_creds(krb5_context context,
instead of in the SAD. If there was a SAM preauth, there
will be an as_key here which will be the SAD. If that fails,
use the gak_fct to get the password, and try again. */
-
+
/* XXX because etypes are handled poorly (particularly wrt SAM,
where the etype is fixed by the kdc), we may want to try
decrypt_as_reply twice. If there's an as_key available, try
@@ -1551,37 +1552,37 @@ krb5_get_init_creds(krb5_context context,
as_key at all yet, then use the gak_fct to get one, and try
again. */
if (as_key.length) {
- ret = krb5int_fast_reply_key(context, strengthen_key, &as_key,
- &encrypting_key);
- if (ret)
- goto cleanup;
- ret = decrypt_as_reply(context, NULL, local_as_reply, NULL,
- NULL, &encrypting_key, krb5_kdc_rep_decrypt_proc,
- NULL);
+ ret = krb5int_fast_reply_key(context, strengthen_key, &as_key,
+ &encrypting_key);
+ if (ret)
+ goto cleanup;
+ ret = decrypt_as_reply(context, NULL, local_as_reply, NULL,
+ NULL, &encrypting_key, krb5_kdc_rep_decrypt_proc,
+ NULL);
} else
- ret = -1;
-
+ ret = -1;
+
if (ret) {
- /* if we haven't get gotten a key, get it now */
-
- if ((ret = ((*gak_fct)(context, request.client,
- local_as_reply->enc_part.enctype,
- prompter, prompter_data, &salt, &s2kparams,
- &as_key, gak_data))))
- goto cleanup;
-
- ret = krb5int_fast_reply_key(context, strengthen_key, &as_key,
- &encrypting_key);
- if (ret)
- goto cleanup;
- if ((ret = decrypt_as_reply(context, NULL, local_as_reply, NULL,
- NULL, &encrypting_key, krb5_kdc_rep_decrypt_proc,
- NULL)))
- goto cleanup;
+ /* if we haven't get gotten a key, get it now */
+
+ if ((ret = ((*gak_fct)(context, request.client,
+ local_as_reply->enc_part.enctype,
+ prompter, prompter_data, &salt, &s2kparams,
+ &as_key, gak_data))))
+ goto cleanup;
+
+ ret = krb5int_fast_reply_key(context, strengthen_key, &as_key,
+ &encrypting_key);
+ if (ret)
+ goto cleanup;
+ if ((ret = decrypt_as_reply(context, NULL, local_as_reply, NULL,
+ NULL, &encrypting_key, krb5_kdc_rep_decrypt_proc,
+ NULL)))
+ goto cleanup;
}
if ((ret = verify_as_reply(context, time_now, &request, local_as_reply)))
- goto cleanup;
+ goto cleanup;
/* XXX this should be inside stash_as_reply, but as long as
get_in_tkt is still around using that arg as an in/out, I can't
@@ -1589,8 +1590,8 @@ krb5_get_init_creds(krb5_context context,
memset(creds, 0, sizeof(*creds));
if ((ret = stash_as_reply(context, time_now, &request, local_as_reply,
- creds, NULL)))
- goto cleanup;
+ creds, NULL)))
+ goto cleanup;
/* success */
@@ -1598,65 +1599,65 @@ krb5_get_init_creds(krb5_context context,
cleanup:
if (ret != 0) {
- char *client_name;
- /* See if we can produce a more detailed error message. */
- switch (ret) {
- case KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN:
- client_name = NULL;
- if (krb5_unparse_name(context, client, &client_name) == 0) {
- krb5_set_error_message(context, ret,
- "Client '%s' not found in Kerberos database",
- client_name);
- free(client_name);
- }
- break;
- default:
- break;
- }
+ char *client_name;
+ /* See if we can produce a more detailed error message. */
+ switch (ret) {
+ case KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN:
+ client_name = NULL;
+ if (krb5_unparse_name(context, client, &client_name) == 0) {
+ krb5_set_error_message(context, ret,
+ "Client '%s' not found in Kerberos database",
+ client_name);
+ free(client_name);
+ }
+ break;
+ default:
+ break;
+ }
}
krb5_preauth_request_context_fini(context);
- krb5_free_keyblock(context, strengthen_key);
- if (encrypting_key.contents)
- krb5_free_keyblock_contents(context, &encrypting_key);
- if (fast_state)
- krb5int_fast_free_state(context, fast_state);
+ krb5_free_keyblock(context, strengthen_key);
+ if (encrypting_key.contents)
+ krb5_free_keyblock_contents(context, &encrypting_key);
+ if (fast_state)
+ krb5int_fast_free_state(context, fast_state);
if (out_padata)
- krb5_free_pa_data(context, out_padata);
+ krb5_free_pa_data(context, out_padata);
if (encoded_previous_request != NULL) {
- krb5_free_data(context, encoded_previous_request);
- encoded_previous_request = NULL;
+ krb5_free_data(context, encoded_previous_request);
+ encoded_previous_request = NULL;
}
if (encoded_request_body != NULL) {
- krb5_free_data(context, encoded_request_body);
- encoded_request_body = NULL;
+ krb5_free_data(context, encoded_request_body);
+ encoded_request_body = NULL;
}
if (request.server)
- krb5_free_principal(context, request.server);
+ krb5_free_principal(context, request.server);
if (request.ktype &&
- (!(options && (options->flags & KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST))))
- free(request.ktype);
+ (!(options && (options->flags & KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST))))
+ free(request.ktype);
if (request.addresses &&
- (!(options &&
- (options->flags & KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST))))
- krb5_free_addresses(context, request.addresses);
+ (!(options &&
+ (options->flags & KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST))))
+ krb5_free_addresses(context, request.addresses);
if (preauth_to_use)
- krb5_free_pa_data(context, preauth_to_use);
+ krb5_free_pa_data(context, preauth_to_use);
if (kdc_padata)
- krb5_free_pa_data(context, kdc_padata);
+ krb5_free_pa_data(context, kdc_padata);
if (request.padata)
- krb5_free_pa_data(context, request.padata);
+ krb5_free_pa_data(context, request.padata);
if (as_key.length)
- krb5_free_keyblock_contents(context, &as_key);
+ krb5_free_keyblock_contents(context, &as_key);
if (salt.data &&
- (!(options && (options->flags & KRB5_GET_INIT_CREDS_OPT_SALT))))
- free(salt.data);
+ (!(options && (options->flags & KRB5_GET_INIT_CREDS_OPT_SALT))))
+ free(salt.data);
krb5_free_data_contents(context, &s2kparams);
if (as_reply)
- *as_reply = local_as_reply;
+ *as_reply = local_as_reply;
else if (local_as_reply)
- krb5_free_kdc_rep(context, local_as_reply);
+ krb5_free_kdc_rep(context, local_as_reply);
if (referred_client.realm.data)
- krb5_free_data_contents(context, &referred_client.realm);
+ krb5_free_data_contents(context, &referred_client.realm);
return(ret);
}
diff --git a/src/lib/krb5/krb/gic_keytab.c b/src/lib/krb5/krb/gic_keytab.c
index 33db55278..ab064ebcd 100644
--- a/src/lib/krb5/krb/gic_keytab.c
+++ b/src/lib/krb5/krb/gic_keytab.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/gic_keytab.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -23,7 +24,7 @@
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
*/
-#ifndef LEAN_CLIENT
+#ifndef LEAN_CLIENT
#include "k5-int.h"
@@ -49,20 +50,20 @@ krb5_get_as_key_keytab(
a new one. */
if (as_key->length) {
- if (as_key->enctype == etype)
- return(0);
+ if (as_key->enctype == etype)
+ return(0);
- krb5_free_keyblock_contents(context, as_key);
- as_key->length = 0;
+ krb5_free_keyblock_contents(context, as_key);
+ as_key->length = 0;
}
if (!krb5_c_valid_enctype(etype))
- return(KRB5_PROG_ETYPE_NOSUPP);
+ return(KRB5_PROG_ETYPE_NOSUPP);
if ((ret = krb5_kt_get_entry(context, keytab, client,
- 0, /* don't have vno available */
- etype, &kt_ent)))
- return(ret);
+ 0, /* don't have vno available */
+ etype, &kt_ent)))
+ return(ret);
ret = krb5_copy_keyblock(context, &kt_ent.key, &kt_key);
@@ -78,93 +79,93 @@ krb5_get_as_key_keytab(
krb5_error_code KRB5_CALLCONV
krb5_get_init_creds_keytab(krb5_context context,
- krb5_creds *creds,
- krb5_principal client,
- krb5_keytab arg_keytab,
- krb5_deltat start_time,
- char *in_tkt_service,
- krb5_get_init_creds_opt *options)
+ krb5_creds *creds,
+ krb5_principal client,
+ krb5_keytab arg_keytab,
+ krb5_deltat start_time,
+ char *in_tkt_service,
+ krb5_get_init_creds_opt *options)
{
- krb5_error_code ret, ret2;
- int use_master;
- krb5_keytab keytab;
- krb5_gic_opt_ext *opte = NULL;
+ krb5_error_code ret, ret2;
+ int use_master;
+ krb5_keytab keytab;
+ krb5_gic_opt_ext *opte = NULL;
+
+ if (arg_keytab == NULL) {
+ if ((ret = krb5_kt_default(context, &keytab)))
+ return ret;
+ } else {
+ keytab = arg_keytab;
+ }
- if (arg_keytab == NULL) {
- if ((ret = krb5_kt_default(context, &keytab)))
- return ret;
- } else {
- keytab = arg_keytab;
- }
+ ret = krb5int_gic_opt_to_opte(context, options, &opte, 1,
+ "krb5_get_init_creds_keytab");
+ if (ret)
+ return ret;
- ret = krb5int_gic_opt_to_opte(context, options, &opte, 1,
- "krb5_get_init_creds_keytab");
- if (ret)
- return ret;
+ use_master = 0;
- use_master = 0;
+ /* first try: get the requested tkt from any kdc */
- /* first try: get the requested tkt from any kdc */
+ ret = krb5_get_init_creds(context, creds, client, NULL, NULL,
+ start_time, in_tkt_service, opte,
+ krb5_get_as_key_keytab, (void *) keytab,
+ &use_master,NULL);
- ret = krb5_get_init_creds(context, creds, client, NULL, NULL,
- start_time, in_tkt_service, opte,
- krb5_get_as_key_keytab, (void *) keytab,
- &use_master,NULL);
+ /* check for success */
- /* check for success */
+ if (ret == 0)
+ goto cleanup;
- if (ret == 0)
- goto cleanup;
+ /* If all the kdc's are unavailable fail */
- /* If all the kdc's are unavailable fail */
+ if ((ret == KRB5_KDC_UNREACH) || (ret == KRB5_REALM_CANT_RESOLVE))
+ goto cleanup;
- if ((ret == KRB5_KDC_UNREACH) || (ret == KRB5_REALM_CANT_RESOLVE))
- goto cleanup;
+ /* if the reply did not come from the master kdc, try again with
+ the master kdc */
- /* if the reply did not come from the master kdc, try again with
- the master kdc */
+ if (!use_master) {
+ use_master = 1;
- if (!use_master) {
- use_master = 1;
+ ret2 = krb5_get_init_creds(context, creds, client, NULL, NULL,
+ start_time, in_tkt_service, opte,
+ krb5_get_as_key_keytab, (void *) keytab,
+ &use_master, NULL);
- ret2 = krb5_get_init_creds(context, creds, client, NULL, NULL,
- start_time, in_tkt_service, opte,
- krb5_get_as_key_keytab, (void *) keytab,
- &use_master, NULL);
-
- if (ret2 == 0) {
- ret = 0;
- goto cleanup;
- }
+ if (ret2 == 0) {
+ ret = 0;
+ goto cleanup;
+ }
- /* if the master is unreachable, return the error from the
- slave we were able to contact */
+ /* if the master is unreachable, return the error from the
+ slave we were able to contact */
- if ((ret2 == KRB5_KDC_UNREACH) ||
- (ret2 == KRB5_REALM_CANT_RESOLVE) ||
- (ret2 == KRB5_REALM_UNKNOWN))
- goto cleanup;
+ if ((ret2 == KRB5_KDC_UNREACH) ||
+ (ret2 == KRB5_REALM_CANT_RESOLVE) ||
+ (ret2 == KRB5_REALM_UNKNOWN))
+ goto cleanup;
- ret = ret2;
- }
+ ret = ret2;
+ }
- /* at this point, we have a response from the master. Since we don't
- do any prompting or changing for keytabs, that's it. */
+ /* at this point, we have a response from the master. Since we don't
+ do any prompting or changing for keytabs, that's it. */
cleanup:
- if (opte && krb5_gic_opt_is_shadowed(opte))
- krb5_get_init_creds_opt_free(context, (krb5_get_init_creds_opt *)opte);
- if (arg_keytab == NULL)
- krb5_kt_close(context, keytab);
+ if (opte && krb5_gic_opt_is_shadowed(opte))
+ krb5_get_init_creds_opt_free(context, (krb5_get_init_creds_opt *)opte);
+ if (arg_keytab == NULL)
+ krb5_kt_close(context, keytab);
- return(ret);
+ return(ret);
}
krb5_error_code KRB5_CALLCONV
krb5_get_in_tkt_with_keytab(krb5_context context, krb5_flags options,
- krb5_address *const *addrs, krb5_enctype *ktypes,
- krb5_preauthtype *pre_auth_types,
- krb5_keytab arg_keytab, krb5_ccache ccache,
- krb5_creds *creds, krb5_kdc_rep **ret_as_reply)
+ krb5_address *const *addrs, krb5_enctype *ktypes,
+ krb5_preauthtype *pre_auth_types,
+ krb5_keytab arg_keytab, krb5_ccache ccache,
+ krb5_creds *creds, krb5_kdc_rep **ret_as_reply)
{
krb5_error_code retval;
krb5_gic_opt_ext *opte;
@@ -172,49 +173,48 @@ krb5_get_in_tkt_with_keytab(krb5_context context, krb5_flags options,
krb5_keytab keytab;
krb5_principal client_princ, server_princ;
int use_master = 0;
-
+
retval = krb5int_populate_gic_opt(context, &opte,
- options, addrs, ktypes,
- pre_auth_types, creds);
+ options, addrs, ktypes,
+ pre_auth_types, creds);
if (retval)
- return retval;
+ return retval;
if (arg_keytab == NULL) {
- retval = krb5_kt_default(context, &keytab);
- if (retval)
- return retval;
+ retval = krb5_kt_default(context, &keytab);
+ if (retval)
+ return retval;
}
else keytab = arg_keytab;
-
+
retval = krb5_unparse_name( context, creds->server, &server);
if (retval)
- goto cleanup;
+ goto cleanup;
server_princ = creds->server;
client_princ = creds->client;
retval = krb5_get_init_creds (context,
- creds, creds->client,
- krb5_prompter_posix, NULL,
- 0, server, opte,
- krb5_get_as_key_keytab, (void *)keytab,
- &use_master, ret_as_reply);
+ creds, creds->client,
+ krb5_prompter_posix, NULL,
+ 0, server, opte,
+ krb5_get_as_key_keytab, (void *)keytab,
+ &use_master, ret_as_reply);
krb5_free_unparsed_name( context, server);
krb5_get_init_creds_opt_free(context, (krb5_get_init_creds_opt *)opte);
if (retval) {
- goto cleanup;
+ goto cleanup;
}
krb5_free_principal(context, creds->server);
krb5_free_principal(context, creds->client);
- creds->client = client_princ;
- creds->server = server_princ;
-
+ creds->client = client_princ;
+ creds->server = server_princ;
+
/* store it in the ccache! */
if (ccache)
- if ((retval = krb5_cc_store_cred(context, ccache, creds)))
- goto cleanup;
- cleanup: if (arg_keytab == NULL)
- krb5_kt_close(context, keytab);
+ if ((retval = krb5_cc_store_cred(context, ccache, creds)))
+ goto cleanup;
+cleanup: if (arg_keytab == NULL)
+ krb5_kt_close(context, keytab);
return retval;
}
#endif /* LEAN_CLIENT */
-
diff --git a/src/lib/krb5/krb/gic_opt.c b/src/lib/krb5/krb/gic_opt.c
index 72203f0e7..bff45392f 100644
--- a/src/lib/krb5/krb/gic_opt.c
+++ b/src/lib/krb5/krb/gic_opt.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
#include "k5-int.h"
#include "int-proto.h"
@@ -17,77 +18,77 @@ krb5_get_init_creds_opt_init(krb5_get_init_creds_opt *opt)
void KRB5_CALLCONV
krb5_get_init_creds_opt_set_tkt_life(krb5_get_init_creds_opt *opt, krb5_deltat tkt_life)
{
- opt->flags |= KRB5_GET_INIT_CREDS_OPT_TKT_LIFE;
- opt->tkt_life = tkt_life;
+ opt->flags |= KRB5_GET_INIT_CREDS_OPT_TKT_LIFE;
+ opt->tkt_life = tkt_life;
}
void KRB5_CALLCONV
krb5_get_init_creds_opt_set_renew_life(krb5_get_init_creds_opt *opt, krb5_deltat renew_life)
{
- opt->flags |= KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE;
- opt->renew_life = renew_life;
+ opt->flags |= KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE;
+ opt->renew_life = renew_life;
}
void KRB5_CALLCONV
krb5_get_init_creds_opt_set_forwardable(krb5_get_init_creds_opt *opt, int forwardable)
{
- opt->flags |= KRB5_GET_INIT_CREDS_OPT_FORWARDABLE;
- opt->forwardable = forwardable;
+ opt->flags |= KRB5_GET_INIT_CREDS_OPT_FORWARDABLE;
+ opt->forwardable = forwardable;
}
void KRB5_CALLCONV
krb5_get_init_creds_opt_set_proxiable(krb5_get_init_creds_opt *opt, int proxiable)
{
- opt->flags |= KRB5_GET_INIT_CREDS_OPT_PROXIABLE;
- opt->proxiable = proxiable;
+ opt->flags |= KRB5_GET_INIT_CREDS_OPT_PROXIABLE;
+ opt->proxiable = proxiable;
}
void KRB5_CALLCONV
krb5_get_init_creds_opt_set_canonicalize(krb5_get_init_creds_opt *opt, int canonicalize)
{
if (canonicalize)
- opt->flags |= KRB5_GET_INIT_CREDS_OPT_CANONICALIZE;
+ opt->flags |= KRB5_GET_INIT_CREDS_OPT_CANONICALIZE;
else
- opt->flags &= ~(KRB5_GET_INIT_CREDS_OPT_CANONICALIZE);
+ opt->flags &= ~(KRB5_GET_INIT_CREDS_OPT_CANONICALIZE);
}
void KRB5_CALLCONV
krb5_get_init_creds_opt_set_etype_list(krb5_get_init_creds_opt *opt, krb5_enctype *etype_list, int etype_list_length)
{
- opt->flags |= KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST;
- opt->etype_list = etype_list;
- opt->etype_list_length = etype_list_length;
+ opt->flags |= KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST;
+ opt->etype_list = etype_list;
+ opt->etype_list_length = etype_list_length;
}
void KRB5_CALLCONV
krb5_get_init_creds_opt_set_address_list(krb5_get_init_creds_opt *opt, krb5_address **addresses)
{
- opt->flags |= KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST;
- opt->address_list = addresses;
+ opt->flags |= KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST;
+ opt->address_list = addresses;
}
void KRB5_CALLCONV
krb5_get_init_creds_opt_set_preauth_list(krb5_get_init_creds_opt *opt, krb5_preauthtype *preauth_list, int preauth_list_length)
{
- opt->flags |= KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST;
- opt->preauth_list = preauth_list;
- opt->preauth_list_length = preauth_list_length;
+ opt->flags |= KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST;
+ opt->preauth_list = preauth_list;
+ opt->preauth_list_length = preauth_list_length;
}
void KRB5_CALLCONV
krb5_get_init_creds_opt_set_salt(krb5_get_init_creds_opt *opt, krb5_data *salt)
{
- opt->flags |= KRB5_GET_INIT_CREDS_OPT_SALT;
- opt->salt = salt;
+ opt->flags |= KRB5_GET_INIT_CREDS_OPT_SALT;
+ opt->salt = salt;
}
void KRB5_CALLCONV
krb5_get_init_creds_opt_set_change_password_prompt(krb5_get_init_creds_opt *opt, int prompt)
{
- if (prompt)
- opt->flags |= KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT;
- else
- opt->flags &= ~KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT;
+ if (prompt)
+ opt->flags |= KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT;
+ else
+ opt->flags &= ~KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT;
}
/*
@@ -109,7 +110,7 @@ krb5_get_init_creds_opt_set_change_password_prompt(krb5_get_init_creds_opt *opt,
* with the new krb5_get_init_creds_opt_alloc() function.
* KRB5_GET_INIT_CREDS_OPT_SHADOWED is set to indicate that the extended
* structure is a shadow copy of an original krb5_get_init_creds_opt
- * structure.
+ * structure.
* If KRB5_GET_INIT_CREDS_OPT_SHADOWED is set after a call to
* krb5int_gic_opt_to_opte(), the resulting extended structure should be
* freed (using krb5_get_init_creds_free). Otherwise, the original
@@ -119,17 +120,17 @@ krb5_get_init_creds_opt_set_change_password_prompt(krb5_get_init_creds_opt *opt,
/* Forward prototype */
static void
free_gic_opt_ext_preauth_data(krb5_context context,
- krb5_gic_opt_ext *opte);
+ krb5_gic_opt_ext *opte);
static krb5_error_code
krb5int_gic_opte_private_alloc(krb5_context context, krb5_gic_opt_ext *opte)
{
if (NULL == opte || !krb5_gic_opt_is_extended(opte))
- return EINVAL;
+ return EINVAL;
opte->opt_private = calloc(1, sizeof(*opte->opt_private));
if (NULL == opte->opt_private) {
- return ENOMEM;
+ return ENOMEM;
}
/* Allocate any private stuff */
opte->opt_private->num_preauth_data = 0;
@@ -141,13 +142,13 @@ static krb5_error_code
krb5int_gic_opte_private_free(krb5_context context, krb5_gic_opt_ext *opte)
{
if (NULL == opte || !krb5_gic_opt_is_extended(opte))
- return EINVAL;
-
+ return EINVAL;
+
/* Free up any private stuff */
if (opte->opt_private->preauth_data != NULL)
- free_gic_opt_ext_preauth_data(context, opte);
+ free_gic_opt_ext_preauth_data(context, opte);
if (opte->opt_private->fast_ccache_name)
- free(opte->opt_private->fast_ccache_name);
+ free(opte->opt_private->fast_ccache_name);
free(opte->opt_private);
opte->opt_private = NULL;
return 0;
@@ -161,27 +162,27 @@ krb5int_gic_opte_alloc(krb5_context context)
opte = calloc(1, sizeof(*opte));
if (NULL == opte)
- return NULL;
+ return NULL;
opte->flags = KRB5_GET_INIT_CREDS_OPT_EXTENDED;
code = krb5int_gic_opte_private_alloc(context, opte);
if (code) {
- krb5int_set_error(&context->err, code,
- "krb5int_gic_opte_alloc: krb5int_gic_opte_private_alloc failed");
- free(opte);
- return NULL;
+ krb5int_set_error(&context->err, code,
+ "krb5int_gic_opte_alloc: krb5int_gic_opte_private_alloc failed");
+ free(opte);
+ return NULL;
}
return(opte);
}
krb5_error_code KRB5_CALLCONV
krb5_get_init_creds_opt_alloc(krb5_context context,
- krb5_get_init_creds_opt **opt)
+ krb5_get_init_creds_opt **opt)
{
krb5_gic_opt_ext *opte;
if (NULL == opt)
- return EINVAL;
+ return EINVAL;
*opt = NULL;
/*
@@ -189,7 +190,7 @@ krb5_get_init_creds_opt_alloc(krb5_context context,
*/
opte = krb5int_gic_opte_alloc(context);
if (NULL == opte)
- return ENOMEM;
+ return ENOMEM;
*opt = (krb5_get_init_creds_opt *) opte;
init_common(*opt);
@@ -198,47 +199,47 @@ krb5_get_init_creds_opt_alloc(krb5_context context,
void KRB5_CALLCONV
krb5_get_init_creds_opt_free(krb5_context context,
- krb5_get_init_creds_opt *opt)
+ krb5_get_init_creds_opt *opt)
{
krb5_gic_opt_ext *opte;
if (NULL == opt)
- return;
+ return;
/* Don't touch it if we didn't allocate it */
if (!krb5_gic_opt_is_extended(opt))
- return;
-
+ return;
+
opte = (krb5_gic_opt_ext *)opt;
if (opte->opt_private)
- krb5int_gic_opte_private_free(context, opte);
+ krb5int_gic_opte_private_free(context, opte);
free(opte);
}
static krb5_error_code
krb5int_gic_opte_copy(krb5_context context,
- krb5_get_init_creds_opt *opt,
- krb5_gic_opt_ext **opte)
+ krb5_get_init_creds_opt *opt,
+ krb5_gic_opt_ext **opte)
{
krb5_gic_opt_ext *oe;
oe = krb5int_gic_opte_alloc(context);
if (NULL == oe)
- return ENOMEM;
+ return ENOMEM;
if (opt) {
- oe->flags = opt->flags;
- oe->tkt_life = opt->tkt_life;
- oe->renew_life = opt->renew_life;
- oe->forwardable = opt->forwardable;
- oe->proxiable = opt->proxiable;
- oe->etype_list = opt->etype_list;
- oe->etype_list_length = opt->etype_list_length;
- oe->address_list = opt->address_list;
- oe->preauth_list = opt->preauth_list;
- oe->preauth_list_length = opt->preauth_list_length;
- oe->salt = opt->salt;
+ oe->flags = opt->flags;
+ oe->tkt_life = opt->tkt_life;
+ oe->renew_life = opt->renew_life;
+ oe->forwardable = opt->forwardable;
+ oe->proxiable = opt->proxiable;
+ oe->etype_list = opt->etype_list;
+ oe->etype_list_length = opt->etype_list_length;
+ oe->address_list = opt->address_list;
+ oe->preauth_list = opt->preauth_list;
+ oe->preauth_list_length = opt->preauth_list_length;
+ oe->salt = opt->salt;
}
/*
@@ -250,7 +251,7 @@ krb5int_gic_opte_copy(krb5_context context,
* application is unaware of its existence.
*/
oe->flags |= ( KRB5_GET_INIT_CREDS_OPT_EXTENDED |
- KRB5_GET_INIT_CREDS_OPT_SHADOWED);
+ KRB5_GET_INIT_CREDS_OPT_SHADOWED);
*opte = oe;
return 0;
@@ -268,20 +269,20 @@ krb5int_gic_opte_copy(krb5_context context,
*/
krb5_error_code
krb5int_gic_opt_to_opte(krb5_context context,
- krb5_get_init_creds_opt *opt,
- krb5_gic_opt_ext **opte,
- unsigned int force,
- const char *where)
+ krb5_get_init_creds_opt *opt,
+ krb5_gic_opt_ext **opte,
+ unsigned int force,
+ const char *where)
{
if (!krb5_gic_opt_is_extended(opt)) {
- if (force) {
- return krb5int_gic_opte_copy(context, opt, opte);
- } else {
- krb5int_set_error(&context->err, EINVAL,
- "%s: attempt to convert non-extended krb5_get_init_creds_opt",
- where);
- return EINVAL;
- }
+ if (force) {
+ return krb5int_gic_opte_copy(context, opt, opte);
+ } else {
+ krb5int_set_error(&context->err, EINVAL,
+ "%s: attempt to convert non-extended krb5_get_init_creds_opt",
+ where);
+ return EINVAL;
+ }
}
/* If it is already extended, just return it */
*opte = (krb5_gic_opt_ext *)opt;
@@ -290,20 +291,20 @@ krb5int_gic_opt_to_opte(krb5_context context,
static void
free_gic_opt_ext_preauth_data(krb5_context context,
- krb5_gic_opt_ext *opte)
+ krb5_gic_opt_ext *opte)
{
int i;
if (NULL == opte || !krb5_gic_opt_is_extended(opte))
- return;
+ return;
if (NULL == opte->opt_private || NULL == opte->opt_private->preauth_data)
- return;
+ return;
for (i = 0; i < opte->opt_private->num_preauth_data; i++) {
- if (opte->opt_private->preauth_data[i].attr != NULL)
- free(opte->opt_private->preauth_data[i].attr);
- if (opte->opt_private->preauth_data[i].value != NULL)
- free(opte->opt_private->preauth_data[i].value);
+ if (opte->opt_private->preauth_data[i].attr != NULL)
+ free(opte->opt_private->preauth_data[i].attr);
+ if (opte->opt_private->preauth_data[i].value != NULL)
+ free(opte->opt_private->preauth_data[i].value);
}
free(opte->opt_private->preauth_data);
opte->opt_private->preauth_data = NULL;
@@ -312,9 +313,9 @@ free_gic_opt_ext_preauth_data(krb5_context context,
static krb5_error_code
add_gic_opt_ext_preauth_data(krb5_context context,
- krb5_gic_opt_ext *opte,
- const char *attr,
- const char *value)
+ krb5_gic_opt_ext *opte,
+ const char *attr,
+ const char *value)
{
size_t newsize;
int i;
@@ -323,21 +324,21 @@ add_gic_opt_ext_preauth_data(krb5_context context,
newsize = opte->opt_private->num_preauth_data + 1;
newsize = newsize * sizeof(*opte->opt_private->preauth_data);
if (opte->opt_private->preauth_data == NULL)
- newpad = malloc(newsize);
+ newpad = malloc(newsize);
else
- newpad = realloc(opte->opt_private->preauth_data, newsize);
+ newpad = realloc(opte->opt_private->preauth_data, newsize);
if (newpad == NULL)
- return ENOMEM;
+ return ENOMEM;
opte->opt_private->preauth_data = newpad;
i = opte->opt_private->num_preauth_data;
newpad[i].attr = strdup(attr);
if (newpad[i].attr == NULL)
- return ENOMEM;
+ return ENOMEM;
newpad[i].value = strdup(value);
if (newpad[i].value == NULL) {
- free(newpad[i].attr);
- return ENOMEM;
+ free(newpad[i].attr);
+ return ENOMEM;
}
opte->opt_private->num_preauth_data += 1;
return 0;
@@ -353,24 +354,24 @@ add_gic_opt_ext_preauth_data(krb5_context context,
*/
krb5_error_code KRB5_CALLCONV
krb5_get_init_creds_opt_set_pa(krb5_context context,
- krb5_get_init_creds_opt *opt,
- const char *attr,
- const char *value)
+ krb5_get_init_creds_opt *opt,
+ const char *attr,
+ const char *value)
{
krb5_error_code retval;
krb5_gic_opt_ext *opte;
retval = krb5int_gic_opt_to_opte(context, opt, &opte, 0,
- "krb5_get_init_creds_opt_set_pa");
+ "krb5_get_init_creds_opt_set_pa");
if (retval)
- return retval;
+ return retval;
/*
* Copy the option into the extended get_init_creds_opt structure
*/
retval = add_gic_opt_ext_preauth_data(context, opte, attr, value);
if (retval)
- return retval;
+ return retval;
/*
* Give the plugins a chance to look at the option now.
@@ -389,9 +390,9 @@ krb5_get_init_creds_opt_set_pa(krb5_context context,
*/
krb5_error_code KRB5_CALLCONV
krb5_get_init_creds_opt_get_pa(krb5_context context,
- krb5_get_init_creds_opt *opt,
- int *num_preauth_data,
- krb5_gic_opt_pa_data **preauth_data)
+ krb5_get_init_creds_opt *opt,
+ int *num_preauth_data,
+ krb5_gic_opt_pa_data **preauth_data)
{
krb5_error_code retval;
krb5_gic_opt_ext *opte;
@@ -400,70 +401,70 @@ krb5_get_init_creds_opt_get_pa(krb5_context context,
size_t allocsize;
retval = krb5int_gic_opt_to_opte(context, opt, &opte, 0,
- "krb5_get_init_creds_opt_get_pa");
+ "krb5_get_init_creds_opt_get_pa");
if (retval)
- return retval;
+ return retval;
if (num_preauth_data == NULL || preauth_data == NULL)
- return EINVAL;
+ return EINVAL;
*num_preauth_data = 0;
*preauth_data = NULL;
if (opte->opt_private->num_preauth_data == 0)
- return 0;
+ return 0;
allocsize =
- opte->opt_private->num_preauth_data * sizeof(krb5_gic_opt_pa_data);
+ opte->opt_private->num_preauth_data * sizeof(krb5_gic_opt_pa_data);
p = malloc(allocsize);
if (p == NULL)
- return ENOMEM;
+ return ENOMEM;
/* Init these to make cleanup easier */
for (i = 0; i < opte->opt_private->num_preauth_data; i++) {
- p[i].attr = NULL;
- p[i].value = NULL;
+ p[i].attr = NULL;
+ p[i].value = NULL;
}
for (i = 0; i < opte->opt_private->num_preauth_data; i++) {
- p[i].attr = strdup(opte->opt_private->preauth_data[i].attr);
- p[i].value = strdup(opte->opt_private->preauth_data[i].value);
- if (p[i].attr == NULL || p[i].value == NULL)
- goto cleanup;
+ p[i].attr = strdup(opte->opt_private->preauth_data[i].attr);
+ p[i].value = strdup(opte->opt_private->preauth_data[i].value);
+ if (p[i].attr == NULL || p[i].value == NULL)
+ goto cleanup;
}
*num_preauth_data = i;
*preauth_data = p;
return 0;
cleanup:
for (i = 0; i < opte->opt_private->num_preauth_data; i++) {
- if (p[i].attr != NULL)
- free(p[i].attr);
- if (p[i].value != NULL)
- free(p[i].value);
+ if (p[i].attr != NULL)
+ free(p[i].attr);
+ if (p[i].value != NULL)
+ free(p[i].value);
}
free(p);
return ENOMEM;
}
/*
- * This function frees the preauth_data that was returned by
+ * This function frees the preauth_data that was returned by
* krb5_get_init_creds_opt_get_pa().
*/
void KRB5_CALLCONV
krb5_get_init_creds_opt_free_pa(krb5_context context,
- int num_preauth_data,
- krb5_gic_opt_pa_data *preauth_data)
+ int num_preauth_data,
+ krb5_gic_opt_pa_data *preauth_data)
{
int i;
if (num_preauth_data <= 0 || preauth_data == NULL)
- return;
+ return;
for (i = 0; i < num_preauth_data; i++) {
- if (preauth_data[i].attr != NULL)
- free(preauth_data[i].attr);
- if (preauth_data[i].value != NULL)
- free(preauth_data[i].value);
+ if (preauth_data[i].attr != NULL)
+ free(preauth_data[i].attr);
+ if (preauth_data[i].value != NULL)
+ free(preauth_data[i].value);
}
free(preauth_data);
}
@@ -474,14 +475,14 @@ krb5_error_code KRB5_CALLCONV krb5_get_init_creds_opt_set_fast_ccache_name
krb5_gic_opt_ext *opte;
retval = krb5int_gic_opt_to_opte(context, opt, &opte, 0,
- "krb5_get_init_creds_opt_set_fast_ccache_name");
+ "krb5_get_init_creds_opt_set_fast_ccache_name");
if (retval)
- return retval;
+ return retval;
if (opte->opt_private->fast_ccache_name) {
- free(opte->opt_private->fast_ccache_name);
+ free(opte->opt_private->fast_ccache_name);
}
opte->opt_private->fast_ccache_name = strdup(ccache_name);
if (opte->opt_private->fast_ccache_name == NULL)
- retval = ENOMEM;
+ retval = ENOMEM;
return retval;
}
diff --git a/src/lib/krb5/krb/gic_pwd.c b/src/lib/krb5/krb/gic_pwd.c
index 0109104df..fa0c1739a 100644
--- a/src/lib/krb5/krb/gic_pwd.c
+++ b/src/lib/krb5/krb/gic_pwd.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
#include "k5-int.h"
#include "com_err.h"
@@ -32,168 +33,168 @@ krb5_get_as_key_password(
cases? */
if (as_key->length) {
- if (as_key->enctype != etype) {
- krb5_free_keyblock_contents (context, as_key);
- as_key->length = 0;
- }
+ if (as_key->enctype != etype) {
+ krb5_free_keyblock_contents (context, as_key);
+ as_key->length = 0;
+ }
}
if (password->data[0] == '\0') {
- if (prompter == NULL)
- return(EIO);
-
- if ((ret = krb5_unparse_name(context, client, &clientstr)))
- return(ret);
-
- snprintf(promptstr, sizeof(promptstr), "Password for %s", clientstr);
- free(clientstr);
-
- prompt.prompt = promptstr;
- prompt.hidden = 1;
- prompt.reply = password;
- prompt_type = KRB5_PROMPT_TYPE_PASSWORD;
-
- /* PROMPTER_INVOCATION */
- krb5int_set_prompt_types(context, &prompt_type);
- if ((ret = (((*prompter)(context, prompter_data, NULL, NULL,
- 1, &prompt))))) {
- krb5int_set_prompt_types(context, 0);
- return(ret);
- }
- krb5int_set_prompt_types(context, 0);
+ if (prompter == NULL)
+ return(EIO);
+
+ if ((ret = krb5_unparse_name(context, client, &clientstr)))
+ return(ret);
+
+ snprintf(promptstr, sizeof(promptstr), "Password for %s", clientstr);
+ free(clientstr);
+
+ prompt.prompt = promptstr;
+ prompt.hidden = 1;
+ prompt.reply = password;
+ prompt_type = KRB5_PROMPT_TYPE_PASSWORD;
+
+ /* PROMPTER_INVOCATION */
+ krb5int_set_prompt_types(context, &prompt_type);
+ if ((ret = (((*prompter)(context, prompter_data, NULL, NULL,
+ 1, &prompt))))) {
+ krb5int_set_prompt_types(context, 0);
+ return(ret);
+ }
+ krb5int_set_prompt_types(context, 0);
}
if ((salt->length == -1 || salt->length == SALT_TYPE_AFS_LENGTH) && (salt->data == NULL)) {
- if ((ret = krb5_principal2salt(context, client, &defsalt)))
- return(ret);
+ if ((ret = krb5_principal2salt(context, client, &defsalt)))
+ return(ret);
- salt = &defsalt;
+ salt = &defsalt;
} else {
- defsalt.length = 0;
+ defsalt.length = 0;
}
ret = krb5_c_string_to_key_with_params(context, etype, password, salt,
- params->data?params:NULL, as_key);
+ params->data?params:NULL, as_key);
if (defsalt.length)
- free(defsalt.data);
+ free(defsalt.data);
return(ret);
}
krb5_error_code KRB5_CALLCONV
krb5_get_init_creds_password(krb5_context context,
- krb5_creds *creds,
- krb5_principal client,
- char *password,
- krb5_prompter_fct prompter,
- void *data,
- krb5_deltat start_time,
- char *in_tkt_service,
- krb5_get_init_creds_opt *options)
+ krb5_creds *creds,
+ krb5_principal client,
+ char *password,
+ krb5_prompter_fct prompter,
+ void *data,
+ krb5_deltat start_time,
+ char *in_tkt_service,
+ krb5_get_init_creds_opt *options)
{
- krb5_error_code ret, ret2;
- int use_master;
- krb5_kdc_rep *as_reply;
- int tries;
- krb5_creds chpw_creds;
- krb5_get_init_creds_opt *chpw_opts = NULL;
- krb5_data pw0, pw1;
- char banner[1024], pw0array[1024], pw1array[1024];
- krb5_prompt prompt[2];
- krb5_prompt_type prompt_types[sizeof(prompt)/sizeof(prompt[0])];
- krb5_gic_opt_ext *opte = NULL;
- krb5_gic_opt_ext *chpw_opte = NULL;
-
- use_master = 0;
- as_reply = NULL;
- memset(&chpw_creds, 0, sizeof(chpw_creds));
-
- pw0.data = pw0array;
-
- if (password && password[0]) {
- if (strlcpy(pw0.data, password, sizeof(pw0array)) >= sizeof(pw0array)) {
- ret = EINVAL;
- goto cleanup;
- }
- pw0.length = strlen(password);
- } else {
- pw0.data[0] = '\0';
- pw0.length = sizeof(pw0array);
- }
-
- pw1.data = pw1array;
- pw1.data[0] = '\0';
- pw1.length = sizeof(pw1array);
-
- ret = krb5int_gic_opt_to_opte(context, options, &opte, 1,
- "krb5_get_init_creds_password");
- if (ret)
- goto cleanup;
-
- /* first try: get the requested tkt from any kdc */
-
- ret = krb5_get_init_creds(context, creds, client, prompter, data,
- start_time, in_tkt_service, opte,
- krb5_get_as_key_password, (void *) &pw0,
- &use_master, &as_reply);
-
- /* check for success */
-
- if (ret == 0)
- goto cleanup;
-
- /* If all the kdc's are unavailable, or if the error was due to a
- user interrupt, fail */
-
- if ((ret == KRB5_KDC_UNREACH) ||
- (ret == KRB5_LIBOS_PWDINTR) ||
- (ret == KRB5_REALM_CANT_RESOLVE))
- goto cleanup;
-
- /* if the reply did not come from the master kdc, try again with
- the master kdc */
-
- if (!use_master) {
- use_master = 1;
-
- if (as_reply) {
- krb5_free_kdc_rep( context, as_reply);
- as_reply = NULL;
- }
- ret2 = krb5_get_init_creds(context, creds, client, prompter, data,
- start_time, in_tkt_service, opte,
- krb5_get_as_key_password, (void *) &pw0,
- &use_master, &as_reply);
-
- if (ret2 == 0) {
- ret = 0;
- goto cleanup;
- }
-
- /* if the master is unreachable, return the error from the
- slave we were able to contact or reset the use_master flag */
-
- if ((ret2 != KRB5_KDC_UNREACH) &&
- (ret2 != KRB5_REALM_CANT_RESOLVE) &&
- (ret2 != KRB5_REALM_UNKNOWN))
- ret = ret2;
- else
- use_master = 0;
- }
+ krb5_error_code ret, ret2;
+ int use_master;
+ krb5_kdc_rep *as_reply;
+ int tries;
+ krb5_creds chpw_creds;
+ krb5_get_init_creds_opt *chpw_opts = NULL;
+ krb5_data pw0, pw1;
+ char banner[1024], pw0array[1024], pw1array[1024];
+ krb5_prompt prompt[2];
+ krb5_prompt_type prompt_types[sizeof(prompt)/sizeof(prompt[0])];
+ krb5_gic_opt_ext *opte = NULL;
+ krb5_gic_opt_ext *chpw_opte = NULL;
+
+ use_master = 0;
+ as_reply = NULL;
+ memset(&chpw_creds, 0, sizeof(chpw_creds));
+
+ pw0.data = pw0array;
+
+ if (password && password[0]) {
+ if (strlcpy(pw0.data, password, sizeof(pw0array)) >= sizeof(pw0array)) {
+ ret = EINVAL;
+ goto cleanup;
+ }
+ pw0.length = strlen(password);
+ } else {
+ pw0.data[0] = '\0';
+ pw0.length = sizeof(pw0array);
+ }
+
+ pw1.data = pw1array;
+ pw1.data[0] = '\0';
+ pw1.length = sizeof(pw1array);
+
+ ret = krb5int_gic_opt_to_opte(context, options, &opte, 1,
+ "krb5_get_init_creds_password");
+ if (ret)
+ goto cleanup;
+
+ /* first try: get the requested tkt from any kdc */
+
+ ret = krb5_get_init_creds(context, creds, client, prompter, data,
+ start_time, in_tkt_service, opte,
+ krb5_get_as_key_password, (void *) &pw0,
+ &use_master, &as_reply);
+
+ /* check for success */
+
+ if (ret == 0)
+ goto cleanup;
+
+ /* If all the kdc's are unavailable, or if the error was due to a
+ user interrupt, fail */
+
+ if ((ret == KRB5_KDC_UNREACH) ||
+ (ret == KRB5_LIBOS_PWDINTR) ||
+ (ret == KRB5_REALM_CANT_RESOLVE))
+ goto cleanup;
+
+ /* if the reply did not come from the master kdc, try again with
+ the master kdc */
+
+ if (!use_master) {
+ use_master = 1;
+
+ if (as_reply) {
+ krb5_free_kdc_rep( context, as_reply);
+ as_reply = NULL;
+ }
+ ret2 = krb5_get_init_creds(context, creds, client, prompter, data,
+ start_time, in_tkt_service, opte,
+ krb5_get_as_key_password, (void *) &pw0,
+ &use_master, &as_reply);
+
+ if (ret2 == 0) {
+ ret = 0;
+ goto cleanup;
+ }
+
+ /* if the master is unreachable, return the error from the
+ slave we were able to contact or reset the use_master flag */
+
+ if ((ret2 != KRB5_KDC_UNREACH) &&
+ (ret2 != KRB5_REALM_CANT_RESOLVE) &&
+ (ret2 != KRB5_REALM_UNKNOWN))
+ ret = ret2;
+ else
+ use_master = 0;
+ }
#ifdef USE_KIM
- if (ret == KRB5KDC_ERR_KEY_EXP)
- goto cleanup; /* Login library will deal appropriately with this error */
+ if (ret == KRB5KDC_ERR_KEY_EXP)
+ goto cleanup; /* Login library will deal appropriately with this error */
#endif
- /* at this point, we have an error from the master. if the error
- is not password expired, or if it is but there's no prompter,
- return this error */
+ /* at this point, we have an error from the master. if the error
+ is not password expired, or if it is but there's no prompter,
+ return this error */
- if ((ret != KRB5KDC_ERR_KEY_EXP) ||
- (prompter == NULL))
- goto cleanup;
+ if ((ret != KRB5KDC_ERR_KEY_EXP) ||
+ (prompter == NULL))
+ goto cleanup;
/* historically the default has been to prompt for password change.
* if the change password prompt option has not been set, we continue
@@ -201,253 +202,253 @@ krb5_get_init_creds_password(krb5_context context,
* and the value has been set to false.
*/
if (!(options->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT))
- goto cleanup;
+ goto cleanup;
/* ok, we have an expired password. Give the user a few chances
- to change it */
-
- /* use a minimal set of options */
-
- ret = krb5_get_init_creds_opt_alloc(context, &chpw_opts);
- if (ret)
- goto cleanup;
- krb5_get_init_creds_opt_set_tkt_life(chpw_opts, 5*60);
- krb5_get_init_creds_opt_set_renew_life(chpw_opts, 0);
- krb5_get_init_creds_opt_set_forwardable(chpw_opts, 0);
- krb5_get_init_creds_opt_set_proxiable(chpw_opts, 0);
- ret = krb5int_gic_opt_to_opte(context, chpw_opts, &chpw_opte, 0,
- "krb5_get_init_creds_password (changing password)");
- if (ret)
- goto cleanup;
-
- if ((ret = krb5_get_init_creds(context, &chpw_creds, client,
- prompter, data,
- start_time, "kadmin/changepw", chpw_opte,
- krb5_get_as_key_password, (void *) &pw0,
- &use_master, NULL)))
- goto cleanup;
-
- prompt[0].prompt = "Enter new password";
- prompt[0].hidden = 1;
- prompt[0].reply = &pw0;
- prompt_types[0] = KRB5_PROMPT_TYPE_NEW_PASSWORD;
-
- prompt[1].prompt = "Enter it again";
- prompt[1].hidden = 1;
- prompt[1].reply = &pw1;
- prompt_types[1] = KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN;
-
- strlcpy(banner, "Password expired. You must change it now.",
- sizeof(banner));
-
- for (tries = 3; tries; tries--) {
- pw0.length = sizeof(pw0array);
- pw1.length = sizeof(pw1array);
-
- /* PROMPTER_INVOCATION */
- krb5int_set_prompt_types(context, prompt_types);
- if ((ret = ((*prompter)(context, data, 0, banner,
- sizeof(prompt)/sizeof(prompt[0]), prompt))))
- goto cleanup;
- krb5int_set_prompt_types(context, 0);
-
-
- if (strcmp(pw0.data, pw1.data) != 0) {
- ret = KRB5_LIBOS_BADPWDMATCH;
- snprintf(banner, sizeof(banner),
- "%s. Please try again.", error_message(ret));
- } else if (pw0.length == 0) {
- ret = KRB5_CHPW_PWDNULL;
- snprintf(banner, sizeof(banner),
- "%s. Please try again.", error_message(ret));
- } else {
- int result_code;
- krb5_data code_string;
- krb5_data result_string;
-
- if ((ret = krb5_change_password(context, &chpw_creds, pw0array,
- &result_code, &code_string,
- &result_string)))
- goto cleanup;
-
- /* the change succeeded. go on */
-
- if (result_code == 0) {
- free(result_string.data);
- break;
- }
-
- /* set this in case the retry loop falls through */
-
- ret = KRB5_CHPW_FAIL;
-
- if (result_code != KRB5_KPASSWD_SOFTERROR) {
- free(result_string.data);
- goto cleanup;
- }
-
- /* the error was soft, so try again */
-
- /* 100 is I happen to know that no code_string will be longer
- than 100 chars */
-
- if (result_string.length > (sizeof(banner)-100))
- result_string.length = sizeof(banner)-100;
-
- snprintf(banner, sizeof(banner), "%.*s%s%.*s. Please try again.\n",
- (int) code_string.length, code_string.data,
- result_string.length ? ": " : "",
- (int) result_string.length,
- result_string.data ? result_string.data : "");
-
- free(code_string.data);
- free(result_string.data);
- }
- }
-
- if (ret)
- goto cleanup;
-
- /* the password change was successful. Get an initial ticket
- from the master. this is the last try. the return from this
- is final. */
-
- ret = krb5_get_init_creds(context, creds, client, prompter, data,
- start_time, in_tkt_service, opte,
- krb5_get_as_key_password, (void *) &pw0,
- &use_master, &as_reply);
+ to change it */
+
+ /* use a minimal set of options */
+
+ ret = krb5_get_init_creds_opt_alloc(context, &chpw_opts);
+ if (ret)
+ goto cleanup;
+ krb5_get_init_creds_opt_set_tkt_life(chpw_opts, 5*60);
+ krb5_get_init_creds_opt_set_renew_life(chpw_opts, 0);
+ krb5_get_init_creds_opt_set_forwardable(chpw_opts, 0);
+ krb5_get_init_creds_opt_set_proxiable(chpw_opts, 0);
+ ret = krb5int_gic_opt_to_opte(context, chpw_opts, &chpw_opte, 0,
+ "krb5_get_init_creds_password (changing password)");
+ if (ret)
+ goto cleanup;
+
+ if ((ret = krb5_get_init_creds(context, &chpw_creds, client,
+ prompter, data,
+ start_time, "kadmin/changepw", chpw_opte,
+ krb5_get_as_key_password, (void *) &pw0,
+ &use_master, NULL)))
+ goto cleanup;
+
+ prompt[0].prompt = "Enter new password";
+ prompt[0].hidden = 1;
+ prompt[0].reply = &pw0;
+ prompt_types[0] = KRB5_PROMPT_TYPE_NEW_PASSWORD;
+
+ prompt[1].prompt = "Enter it again";
+ prompt[1].hidden = 1;
+ prompt[1].reply = &pw1;
+ prompt_types[1] = KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN;
+
+ strlcpy(banner, "Password expired. You must change it now.",
+ sizeof(banner));
+
+ for (tries = 3; tries; tries--) {
+ pw0.length = sizeof(pw0array);
+ pw1.length = sizeof(pw1array);
+
+ /* PROMPTER_INVOCATION */
+ krb5int_set_prompt_types(context, prompt_types);
+ if ((ret = ((*prompter)(context, data, 0, banner,
+ sizeof(prompt)/sizeof(prompt[0]), prompt))))
+ goto cleanup;
+ krb5int_set_prompt_types(context, 0);
+
+
+ if (strcmp(pw0.data, pw1.data) != 0) {
+ ret = KRB5_LIBOS_BADPWDMATCH;
+ snprintf(banner, sizeof(banner),
+ "%s. Please try again.", error_message(ret));
+ } else if (pw0.length == 0) {
+ ret = KRB5_CHPW_PWDNULL;
+ snprintf(banner, sizeof(banner),
+ "%s. Please try again.", error_message(ret));
+ } else {
+ int result_code;
+ krb5_data code_string;
+ krb5_data result_string;
+
+ if ((ret = krb5_change_password(context, &chpw_creds, pw0array,
+ &result_code, &code_string,
+ &result_string)))
+ goto cleanup;
+
+ /* the change succeeded. go on */
+
+ if (result_code == 0) {
+ free(result_string.data);
+ break;
+ }
+
+ /* set this in case the retry loop falls through */
+
+ ret = KRB5_CHPW_FAIL;
+
+ if (result_code != KRB5_KPASSWD_SOFTERROR) {
+ free(result_string.data);
+ goto cleanup;
+ }
+
+ /* the error was soft, so try again */
+
+ /* 100 is I happen to know that no code_string will be longer
+ than 100 chars */
+
+ if (result_string.length > (sizeof(banner)-100))
+ result_string.length = sizeof(banner)-100;
+
+ snprintf(banner, sizeof(banner), "%.*s%s%.*s. Please try again.\n",
+ (int) code_string.length, code_string.data,
+ result_string.length ? ": " : "",
+ (int) result_string.length,
+ result_string.data ? result_string.data : "");
+
+ free(code_string.data);
+ free(result_string.data);
+ }
+ }
+
+ if (ret)
+ goto cleanup;
+
+ /* the password change was successful. Get an initial ticket
+ from the master. this is the last try. the return from this
+ is final. */
+
+ ret = krb5_get_init_creds(context, creds, client, prompter, data,
+ start_time, in_tkt_service, opte,
+ krb5_get_as_key_password, (void *) &pw0,
+ &use_master, &as_reply);
cleanup:
- krb5int_set_prompt_types(context, 0);
- /* if getting the password was successful, then check to see if the
- password is about to expire, and warn if so */
-
- if (ret == 0) {
- krb5_timestamp now;
- krb5_last_req_entry **last_req;
- int hours;
-
- /* XXX 7 days should be configurable. This is all pretty ad hoc,
- and could probably be improved if I was willing to screw around
- with timezones, etc. */
-
- if (prompter &&
- (!in_tkt_service ||
- (strcmp(in_tkt_service, "kadmin/changepw") != 0)) &&
- ((ret = krb5_timeofday(context, &now)) == 0) &&
- as_reply->enc_part2->key_exp &&
- ((hours = ((as_reply->enc_part2->key_exp-now)/(60*60))) <= 7*24) &&
- (hours >= 0)) {
- if (hours < 1)
- snprintf(banner, sizeof(banner),
- "Warning: Your password will expire in less than one hour.");
- else if (hours <= 48)
- snprintf(banner, sizeof(banner),
- "Warning: Your password will expire in %d hour%s.",
- hours, (hours == 1)?"":"s");
- else
- snprintf(banner, sizeof(banner),
- "Warning: Your password will expire in %d days.",
- hours/24);
-
- /* ignore an error here */
- /* PROMPTER_INVOCATION */
- (*prompter)(context, data, 0, banner, 0, 0);
- } else if (prompter &&
- (!in_tkt_service ||
- (strcmp(in_tkt_service, "kadmin/changepw") != 0)) &&
- as_reply->enc_part2 && as_reply->enc_part2->last_req) {
- /*
- * Check the last_req fields
- */
-
- for (last_req = as_reply->enc_part2->last_req; *last_req; last_req++)
- if ((*last_req)->lr_type == KRB5_LRQ_ALL_PW_EXPTIME ||
- (*last_req)->lr_type == KRB5_LRQ_ONE_PW_EXPTIME) {
- krb5_deltat delta;
- char ts[256];
-
- if ((ret = krb5_timeofday(context, &now)))
- break;
-
- if ((ret = krb5_timestamp_to_string((*last_req)->value,
- ts, sizeof(ts))))
- break;
-
- delta = (*last_req)->value - now;
- if (delta < 3600)
- snprintf(banner, sizeof(banner),
- "Warning: Your password will expire in less than one hour on %s",
- ts);
- else if (delta < 86400*2)
- snprintf(banner, sizeof(banner),
- "Warning: Your password will expire in %d hour%s on %s",
- delta / 3600, delta < 7200 ? "" : "s", ts);
- else
- snprintf(banner, sizeof(banner),
- "Warning: Your password will expire in %d days on %s",
- delta / 86400, ts);
- /* ignore an error here */
- /* PROMPTER_INVOCATION */
- (*prompter)(context, data, 0, banner, 0, 0);
- }
- }
- }
-
- if (chpw_opts)
- krb5_get_init_creds_opt_free(context, chpw_opts);
- if (opte && krb5_gic_opt_is_shadowed(opte))
- krb5_get_init_creds_opt_free(context, (krb5_get_init_creds_opt *)opte);
- memset(pw0array, 0, sizeof(pw0array));
- memset(pw1array, 0, sizeof(pw1array));
- krb5_free_cred_contents(context, &chpw_creds);
- if (as_reply)
- krb5_free_kdc_rep(context, as_reply);
-
- return(ret);
+ krb5int_set_prompt_types(context, 0);
+ /* if getting the password was successful, then check to see if the
+ password is about to expire, and warn if so */
+
+ if (ret == 0) {
+ krb5_timestamp now;
+ krb5_last_req_entry **last_req;
+ int hours;
+
+ /* XXX 7 days should be configurable. This is all pretty ad hoc,
+ and could probably be improved if I was willing to screw around
+ with timezones, etc. */
+
+ if (prompter &&
+ (!in_tkt_service ||
+ (strcmp(in_tkt_service, "kadmin/changepw") != 0)) &&
+ ((ret = krb5_timeofday(context, &now)) == 0) &&
+ as_reply->enc_part2->key_exp &&
+ ((hours = ((as_reply->enc_part2->key_exp-now)/(60*60))) <= 7*24) &&
+ (hours >= 0)) {
+ if (hours < 1)
+ snprintf(banner, sizeof(banner),
+ "Warning: Your password will expire in less than one hour.");
+ else if (hours <= 48)
+ snprintf(banner, sizeof(banner),
+ "Warning: Your password will expire in %d hour%s.",
+ hours, (hours == 1)?"":"s");
+ else
+ snprintf(banner, sizeof(banner),
+ "Warning: Your password will expire in %d days.",
+ hours/24);
+
+ /* ignore an error here */
+ /* PROMPTER_INVOCATION */
+ (*prompter)(context, data, 0, banner, 0, 0);
+ } else if (prompter &&
+ (!in_tkt_service ||
+ (strcmp(in_tkt_service, "kadmin/changepw") != 0)) &&
+ as_reply->enc_part2 && as_reply->enc_part2->last_req) {
+ /*
+ * Check the last_req fields
+ */
+
+ for (last_req = as_reply->enc_part2->last_req; *last_req; last_req++)
+ if ((*last_req)->lr_type == KRB5_LRQ_ALL_PW_EXPTIME ||
+ (*last_req)->lr_type == KRB5_LRQ_ONE_PW_EXPTIME) {
+ krb5_deltat delta;
+ char ts[256];
+
+ if ((ret = krb5_timeofday(context, &now)))
+ break;
+
+ if ((ret = krb5_timestamp_to_string((*last_req)->value,
+ ts, sizeof(ts))))
+ break;
+
+ delta = (*last_req)->value - now;
+ if (delta < 3600)
+ snprintf(banner, sizeof(banner),
+ "Warning: Your password will expire in less than one hour on %s",
+ ts);
+ else if (delta < 86400*2)
+ snprintf(banner, sizeof(banner),
+ "Warning: Your password will expire in %d hour%s on %s",
+ delta / 3600, delta < 7200 ? "" : "s", ts);
+ else
+ snprintf(banner, sizeof(banner),
+ "Warning: Your password will expire in %d days on %s",
+ delta / 86400, ts);
+ /* ignore an error here */
+ /* PROMPTER_INVOCATION */
+ (*prompter)(context, data, 0, banner, 0, 0);
+ }
+ }
+ }
+
+ if (chpw_opts)
+ krb5_get_init_creds_opt_free(context, chpw_opts);
+ if (opte && krb5_gic_opt_is_shadowed(opte))
+ krb5_get_init_creds_opt_free(context, (krb5_get_init_creds_opt *)opte);
+ memset(pw0array, 0, sizeof(pw0array));
+ memset(pw1array, 0, sizeof(pw1array));
+ krb5_free_cred_contents(context, &chpw_creds);
+ if (as_reply)
+ krb5_free_kdc_rep(context, as_reply);
+
+ return(ret);
}
krb5_error_code krb5int_populate_gic_opt (
krb5_context context, krb5_gic_opt_ext **opte,
krb5_flags options, krb5_address * const *addrs, krb5_enctype *ktypes,
krb5_preauthtype *pre_auth_types, krb5_creds *creds)
{
- int i;
- krb5_int32 starttime;
- krb5_get_init_creds_opt *opt;
- krb5_error_code retval;
+ int i;
+ krb5_int32 starttime;
+ krb5_get_init_creds_opt *opt;
+ krb5_error_code retval;
*opte = NULL;
retval = krb5_get_init_creds_opt_alloc(context, &opt);
if (retval)
- return(retval);
+ return(retval);
if (addrs)
- krb5_get_init_creds_opt_set_address_list(opt, (krb5_address **) addrs);
+ krb5_get_init_creds_opt_set_address_list(opt, (krb5_address **) addrs);
if (ktypes) {
- for (i=0; ktypes[i]; i++);
- if (i)
- krb5_get_init_creds_opt_set_etype_list(opt, ktypes, i);
+ for (i=0; ktypes[i]; i++);
+ if (i)
+ krb5_get_init_creds_opt_set_etype_list(opt, ktypes, i);
}
if (pre_auth_types) {
- for (i=0; pre_auth_types[i]; i++);
- if (i)
- krb5_get_init_creds_opt_set_preauth_list(opt, pre_auth_types, i);
+ for (i=0; pre_auth_types[i]; i++);
+ if (i)
+ krb5_get_init_creds_opt_set_preauth_list(opt, pre_auth_types, i);
}
if (options&KDC_OPT_FORWARDABLE)
- krb5_get_init_creds_opt_set_forwardable(opt, 1);
+ krb5_get_init_creds_opt_set_forwardable(opt, 1);
else krb5_get_init_creds_opt_set_forwardable(opt, 0);
if (options&KDC_OPT_PROXIABLE)
- krb5_get_init_creds_opt_set_proxiable(opt, 1);
+ krb5_get_init_creds_opt_set_proxiable(opt, 1);
else krb5_get_init_creds_opt_set_proxiable(opt, 0);
if (creds && creds->times.endtime) {
- retval = krb5_timeofday(context, &starttime);
- if (retval)
- goto cleanup;
+ retval = krb5_timeofday(context, &starttime);
+ if (retval)
+ goto cleanup;
if (creds->times.starttime) starttime = creds->times.starttime;
krb5_get_init_creds_opt_set_tkt_life(opt, creds->times.endtime - starttime);
}
return krb5int_gic_opt_to_opte(context, opt, opte, 0,
- "krb5int_populate_gic_opt");
+ "krb5int_populate_gic_opt");
cleanup:
krb5_get_init_creds_opt_free(context, opt);
return retval;
@@ -455,30 +456,30 @@ cleanup:
/*
Rewrites get_in_tkt in terms of newer get_init_creds API.
- Attempts to get an initial ticket for creds->client to use server
- creds->server, (realm is taken from creds->client), with options
- options, and using creds->times.starttime, creds->times.endtime,
- creds->times.renew_till as from, till, and rtime.
- creds->times.renew_till is ignored unless the RENEWABLE option is requested.
+ Attempts to get an initial ticket for creds->client to use server
+ creds->server, (realm is taken from creds->client), with options
+ options, and using creds->times.starttime, creds->times.endtime,
+ creds->times.renew_till as from, till, and rtime.
+ creds->times.renew_till is ignored unless the RENEWABLE option is requested.
- If addrs is non-NULL, it is used for the addresses requested. If it is
- null, the system standard addresses are used.
+ If addrs is non-NULL, it is used for the addresses requested. If it is
+ null, the system standard addresses are used.
- If password is non-NULL, it is converted using the cryptosystem entry
- point for a string conversion routine, seeded with the client's name.
- If password is passed as NULL, the password is read from the terminal,
- and then converted into a key.
+ If password is non-NULL, it is converted using the cryptosystem entry
+ point for a string conversion routine, seeded with the client's name.
+ If password is passed as NULL, the password is read from the terminal,
+ and then converted into a key.
- A succesful call will place the ticket in the credentials cache ccache.
+ A succesful call will place the ticket in the credentials cache ccache.
- returns system errors, encryption errors
- */
+ returns system errors, encryption errors
+*/
krb5_error_code KRB5_CALLCONV
krb5_get_in_tkt_with_password(krb5_context context, krb5_flags options,
- krb5_address *const *addrs, krb5_enctype *ktypes,
- krb5_preauthtype *pre_auth_types,
- const char *password, krb5_ccache ccache,
- krb5_creds *creds, krb5_kdc_rep **ret_as_reply)
+ krb5_address *const *addrs, krb5_enctype *ktypes,
+ krb5_preauthtype *pre_auth_types,
+ const char *password, krb5_ccache ccache,
+ krb5_creds *creds, krb5_kdc_rep **ret_as_reply)
{
krb5_error_code retval;
krb5_data pw0;
@@ -490,44 +491,43 @@ krb5_get_in_tkt_with_password(krb5_context context, krb5_flags options,
pw0.data = pw0array;
if (password && password[0]) {
- if (strlcpy(pw0.data, password, sizeof(pw0array)) >= sizeof(pw0array))
- return EINVAL;
- pw0.length = strlen(password);
+ if (strlcpy(pw0.data, password, sizeof(pw0array)) >= sizeof(pw0array))
+ return EINVAL;
+ pw0.length = strlen(password);
} else {
- pw0.data[0] = '\0';
- pw0.length = sizeof(pw0array);
+ pw0.data[0] = '\0';
+ pw0.length = sizeof(pw0array);
}
retval = krb5int_populate_gic_opt(context, &opte,
- options, addrs, ktypes,
- pre_auth_types, creds);
+ options, addrs, ktypes,
+ pre_auth_types, creds);
if (retval)
- return (retval);
+ return (retval);
retval = krb5_unparse_name( context, creds->server, &server);
if (retval) {
- krb5_get_init_creds_opt_free(context, (krb5_get_init_creds_opt *)opte);
- return (retval);
+ krb5_get_init_creds_opt_free(context, (krb5_get_init_creds_opt *)opte);
+ return (retval);
}
server_princ = creds->server;
client_princ = creds->client;
- retval = krb5_get_init_creds (context,
- creds, creds->client,
- krb5_prompter_posix, NULL,
- 0, server, opte,
- krb5_get_as_key_password, &pw0,
- &use_master, ret_as_reply);
- krb5_free_unparsed_name( context, server);
- krb5_get_init_creds_opt_free(context, (krb5_get_init_creds_opt *)opte);
- if (retval) {
- return (retval);
- }
- krb5_free_principal( context, creds->server);
- krb5_free_principal( context, creds->client);
- creds->client = client_princ;
- creds->server = server_princ;
- /* store it in the ccache! */
- if (ccache)
- if ((retval = krb5_cc_store_cred(context, ccache, creds)))
- return (retval);
- return retval;
- }
-
+ retval = krb5_get_init_creds (context,
+ creds, creds->client,
+ krb5_prompter_posix, NULL,
+ 0, server, opte,
+ krb5_get_as_key_password, &pw0,
+ &use_master, ret_as_reply);
+ krb5_free_unparsed_name( context, server);
+ krb5_get_init_creds_opt_free(context, (krb5_get_init_creds_opt *)opte);
+ if (retval) {
+ return (retval);
+ }
+ krb5_free_principal( context, creds->server);
+ krb5_free_principal( context, creds->client);
+ creds->client = client_princ;
+ creds->server = server_princ;
+ /* store it in the ccache! */
+ if (ccache)
+ if ((retval = krb5_cc_store_cred(context, ccache, creds)))
+ return (retval);
+ return retval;
+}
diff --git a/src/lib/krb5/krb/in_tkt_sky.c b/src/lib/krb5/krb/in_tkt_sky.c
index d98411fd7..01c8905f8 100644
--- a/src/lib/krb5/krb/in_tkt_sky.c
+++ b/src/lib/krb5/krb/in_tkt_sky.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/in_tkt_sky.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,17 +23,17 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_get_in_tkt_with_skey()
- *
+ *
*/
#include "k5-int.h"
struct skey_keyproc_arg {
const krb5_keyblock *key;
- krb5_principal client; /* it's a pointer, really! */
+ krb5_principal client; /* it's a pointer, really! */
};
/*
@@ -42,7 +43,7 @@ struct skey_keyproc_arg {
*/
static krb5_error_code
skey_keyproc(krb5_context context, krb5_enctype type, krb5_data *salt,
- krb5_const_pointer keyseed, krb5_keyblock **key)
+ krb5_const_pointer keyseed, krb5_keyblock **key)
{
krb5_keyblock *realkey;
krb5_error_code retval;
@@ -51,57 +52,57 @@ skey_keyproc(krb5_context context, krb5_enctype type, krb5_data *salt,
keyblock = (const krb5_keyblock *)keyseed;
if (!krb5_c_valid_enctype(type))
- return KRB5_PROG_ETYPE_NOSUPP;
+ return KRB5_PROG_ETYPE_NOSUPP;
if ((retval = krb5_copy_keyblock(context, keyblock, &realkey)))
- return retval;
-
+ return retval;
+
if (realkey->enctype != type) {
- krb5_free_keyblock(context, realkey);
- return KRB5_PROG_ETYPE_NOSUPP;
- }
+ krb5_free_keyblock(context, realkey);
+ return KRB5_PROG_ETYPE_NOSUPP;
+ }
*key = realkey;
return 0;
}
/*
- Similar to krb5_get_in_tkt_with_password.
+ Similar to krb5_get_in_tkt_with_password.
- Attempts to get an initial ticket for creds->client to use server
- creds->server, (realm is taken from creds->client), with options
- options, and using creds->times.starttime, creds->times.endtime,
- creds->times.renew_till as from, till, and rtime.
- creds->times.renew_till is ignored unless the RENEWABLE option is requested.
+ Attempts to get an initial ticket for creds->client to use server
+ creds->server, (realm is taken from creds->client), with options
+ options, and using creds->times.starttime, creds->times.endtime,
+ creds->times.renew_till as from, till, and rtime.
+ creds->times.renew_till is ignored unless the RENEWABLE option is requested.
- If addrs is non-NULL, it is used for the addresses requested. If it is
- null, the system standard addresses are used.
+ If addrs is non-NULL, it is used for the addresses requested. If it is
+ null, the system standard addresses are used.
- If keyblock is NULL, an appropriate key for creds->client is retrieved
- from the system key store (e.g. /etc/srvtab). If keyblock is non-NULL,
- it is used as the decryption key.
+ If keyblock is NULL, an appropriate key for creds->client is retrieved
+ from the system key store (e.g. /etc/srvtab). If keyblock is non-NULL,
+ it is used as the decryption key.
- A succesful call will place the ticket in the credentials cache ccache.
+ A succesful call will place the ticket in the credentials cache ccache.
- returns system errors, encryption errors
+ returns system errors, encryption errors
- */
+*/
krb5_error_code KRB5_CALLCONV
krb5_get_in_tkt_with_skey(krb5_context context, krb5_flags options,
- krb5_address *const *addrs, krb5_enctype *ktypes,
- krb5_preauthtype *pre_auth_types,
- const krb5_keyblock *key, krb5_ccache ccache,
- krb5_creds *creds, krb5_kdc_rep **ret_as_reply)
+ krb5_address *const *addrs, krb5_enctype *ktypes,
+ krb5_preauthtype *pre_auth_types,
+ const krb5_keyblock *key, krb5_ccache ccache,
+ krb5_creds *creds, krb5_kdc_rep **ret_as_reply)
{
- if (key)
- return krb5_get_in_tkt(context, options, addrs, ktypes, pre_auth_types,
- skey_keyproc, (krb5_const_pointer)key,
- krb5_kdc_rep_decrypt_proc, 0, creds,
- ccache, ret_as_reply);
-#ifndef LEAN_CLIENT
- else
- return krb5_get_in_tkt_with_keytab(context, options, addrs, ktypes,
- pre_auth_types, NULL, ccache,
- creds, ret_as_reply);
+ if (key)
+ return krb5_get_in_tkt(context, options, addrs, ktypes, pre_auth_types,
+ skey_keyproc, (krb5_const_pointer)key,
+ krb5_kdc_rep_decrypt_proc, 0, creds,
+ ccache, ret_as_reply);
+#ifndef LEAN_CLIENT
+ else
+ return krb5_get_in_tkt_with_keytab(context, options, addrs, ktypes,
+ pre_auth_types, NULL, ccache,
+ creds, ret_as_reply);
#endif /* LEAN_CLIENT */
}
diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c
index ea78e0da7..8667897b9 100644
--- a/src/lib/krb5/krb/init_ctx.c
+++ b/src/lib/krb5/krb/init_ctx.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/init_ctx.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -28,14 +29,14 @@
/*
* Copyright (C) 1998 by the FundsXpress, INC.
- *
+ *
* All rights reserved.
- *
+ *
* Export of this software from the United States of America may require
* a specific license from the United States Government. It is the
* responsibility of any person or organization contemplating export to
* obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -46,7 +47,7 @@
* permission. FundsXpress makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
@@ -86,16 +87,16 @@ krb5_error_code KRB5_CALLCONV
krb5_init_context(krb5_context *context)
{
- return init_common (context, FALSE, FALSE);
+ return init_common (context, FALSE, FALSE);
}
krb5_error_code KRB5_CALLCONV
krb5_init_secure_context(krb5_context *context)
{
- /* This is to make gcc -Wall happy */
- if(0) krb5_brand[0] = krb5_brand[0];
- return init_common (context, TRUE, FALSE);
+ /* This is to make gcc -Wall happy */
+ if(0) krb5_brand[0] = krb5_brand[0];
+ return init_common (context, TRUE, FALSE);
}
krb5_error_code
@@ -107,179 +108,179 @@ krb5int_init_context_kdc(krb5_context *context)
static krb5_error_code
init_common (krb5_context *context, krb5_boolean secure, krb5_boolean kdc)
{
- krb5_context ctx = 0;
- krb5_error_code retval;
- struct {
- krb5_int32 now, now_usec;
- long pid;
- } seed_data;
- krb5_data seed;
- int tmp;
-
- /* Verify some assumptions. If the assumptions hold and the
- compiler is optimizing, this should result in no code being
- executed. If we're guessing "unsigned long long" instead
- of using uint64_t, the possibility does exist that we're
- wrong. */
- {
- krb5_ui_8 i64;
- assert(sizeof(i64) == 8);
- i64 = 0, i64--, i64 >>= 62;
- assert(i64 == 3);
- i64 = 1, i64 <<= 31, i64 <<= 31, i64 <<= 1;
- assert(i64 != 0);
- i64 <<= 1;
- assert(i64 == 0);
- }
-
- retval = krb5int_initialize_library();
- if (retval)
- return retval;
+ krb5_context ctx = 0;
+ krb5_error_code retval;
+ struct {
+ krb5_int32 now, now_usec;
+ long pid;
+ } seed_data;
+ krb5_data seed;
+ int tmp;
+
+ /* Verify some assumptions. If the assumptions hold and the
+ compiler is optimizing, this should result in no code being
+ executed. If we're guessing "unsigned long long" instead
+ of using uint64_t, the possibility does exist that we're
+ wrong. */
+ {
+ krb5_ui_8 i64;
+ assert(sizeof(i64) == 8);
+ i64 = 0, i64--, i64 >>= 62;
+ assert(i64 == 3);
+ i64 = 1, i64 <<= 31, i64 <<= 31, i64 <<= 1;
+ assert(i64 != 0);
+ i64 <<= 1;
+ assert(i64 == 0);
+ }
+
+ retval = krb5int_initialize_library();
+ if (retval)
+ return retval;
#if (defined(_WIN32))
- /*
- * Load the krbcc32.dll if necessary. We do this here so that
- * we know to use API: later on during initialization.
- * The context being NULL is ok.
- */
- krb5_win_ccdll_load(ctx);
-
- /*
- * krb5_vercheck() is defined in win_glue.c, and this is
- * where we handle the timebomb and version server checks.
- */
- retval = krb5_vercheck();
- if (retval)
- return retval;
+ /*
+ * Load the krbcc32.dll if necessary. We do this here so that
+ * we know to use API: later on during initialization.
+ * The context being NULL is ok.
+ */
+ krb5_win_ccdll_load(ctx);
+
+ /*
+ * krb5_vercheck() is defined in win_glue.c, and this is
+ * where we handle the timebomb and version server checks.
+ */
+ retval = krb5_vercheck();
+ if (retval)
+ return retval;
#endif
- *context = 0;
+ *context = 0;
- ctx = calloc(1, sizeof(struct _krb5_context));
- if (!ctx)
- return ENOMEM;
- ctx->magic = KV5M_CONTEXT;
+ ctx = calloc(1, sizeof(struct _krb5_context));
+ if (!ctx)
+ return ENOMEM;
+ ctx->magic = KV5M_CONTEXT;
- ctx->profile_secure = secure;
+ ctx->profile_secure = secure;
- /* Set the default encryption types, possible defined in krb5/conf */
- if ((retval = krb5_set_default_in_tkt_ktypes(ctx, NULL)))
- goto cleanup;
+ /* Set the default encryption types, possible defined in krb5/conf */
+ if ((retval = krb5_set_default_in_tkt_ktypes(ctx, NULL)))
+ goto cleanup;
- if ((retval = krb5_set_default_tgs_ktypes(ctx, NULL)))
- goto cleanup;
+ if ((retval = krb5_set_default_tgs_ktypes(ctx, NULL)))
+ goto cleanup;
- if ((retval = krb5_os_init_context(ctx, kdc)))
- goto cleanup;
+ if ((retval = krb5_os_init_context(ctx, kdc)))
+ goto cleanup;
- retval = profile_get_boolean(ctx->profile, KRB5_CONF_LIBDEFAULTS,
- KRB5_CONF_ALLOW_WEAK_CRYPTO, NULL, 1, &tmp);
- if (retval)
- goto cleanup;
- ctx->allow_weak_crypto = tmp;
+ retval = profile_get_boolean(ctx->profile, KRB5_CONF_LIBDEFAULTS,
+ KRB5_CONF_ALLOW_WEAK_CRYPTO, NULL, 1, &tmp);
+ if (retval)
+ goto cleanup;
+ ctx->allow_weak_crypto = tmp;
- /* initialize the prng (not well, but passable) */
- if ((retval = krb5_c_random_os_entropy( ctx, 0, NULL)) !=0)
- goto cleanup;
- if ((retval = krb5_crypto_us_timeofday(&seed_data.now, &seed_data.now_usec)))
- goto cleanup;
- seed_data.pid = getpid ();
- seed.length = sizeof(seed_data);
- seed.data = (char *) &seed_data;
- if ((retval = krb5_c_random_add_entropy(ctx, KRB5_C_RANDSOURCE_TIMING, &seed)))
- goto cleanup;
+ /* initialize the prng (not well, but passable) */
+ if ((retval = krb5_c_random_os_entropy( ctx, 0, NULL)) !=0)
+ goto cleanup;
+ if ((retval = krb5_crypto_us_timeofday(&seed_data.now, &seed_data.now_usec)))
+ goto cleanup;
+ seed_data.pid = getpid ();
+ seed.length = sizeof(seed_data);
+ seed.data = (char *) &seed_data;
+ if ((retval = krb5_c_random_add_entropy(ctx, KRB5_C_RANDSOURCE_TIMING, &seed)))
+ goto cleanup;
- ctx->default_realm = 0;
- profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS, KRB5_CONF_CLOCKSKEW,
- 0, 5 * 60, &tmp);
- ctx->clockskew = tmp;
+ ctx->default_realm = 0;
+ profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS, KRB5_CONF_CLOCKSKEW,
+ 0, 5 * 60, &tmp);
+ ctx->clockskew = tmp;
#if 0
- /* Default ticket lifetime is currently not supported */
- profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS, "tkt_lifetime",
- 0, 10 * 60 * 60, &tmp);
- ctx->tkt_lifetime = tmp;
+ /* Default ticket lifetime is currently not supported */
+ profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS, "tkt_lifetime",
+ 0, 10 * 60 * 60, &tmp);
+ ctx->tkt_lifetime = tmp;
#endif
- /* DCE 1.1 and below only support CKSUMTYPE_RSA_MD4 (2) */
- /* DCE add kdc_req_checksum_type = 2 to krb5.conf */
- profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS,
- KRB5_CONF_KDC_REQ_CHECKSUM_TYPE, 0, CKSUMTYPE_RSA_MD5,
- &tmp);
- ctx->kdc_req_sumtype = tmp;
-
- profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS,
- KRB5_CONF_AP_REQ_CHECKSUM_TYPE, 0, 0,
- &tmp);
- ctx->default_ap_req_sumtype = tmp;
-
- profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS,
- KRB5_CONF_SAFE_CHECKSUM_TYPE, 0,
- CKSUMTYPE_RSA_MD5_DES, &tmp);
- ctx->default_safe_sumtype = tmp;
-
- profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS,
- KRB5_CONF_KDC_DEFAULT_OPTIONS, 0,
- KDC_OPT_RENEWABLE_OK, &tmp);
- ctx->kdc_default_options = tmp;
+ /* DCE 1.1 and below only support CKSUMTYPE_RSA_MD4 (2) */
+ /* DCE add kdc_req_checksum_type = 2 to krb5.conf */
+ profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS,
+ KRB5_CONF_KDC_REQ_CHECKSUM_TYPE, 0, CKSUMTYPE_RSA_MD5,
+ &tmp);
+ ctx->kdc_req_sumtype = tmp;
+
+ profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS,
+ KRB5_CONF_AP_REQ_CHECKSUM_TYPE, 0, 0,
+ &tmp);
+ ctx->default_ap_req_sumtype = tmp;
+
+ profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS,
+ KRB5_CONF_SAFE_CHECKSUM_TYPE, 0,
+ CKSUMTYPE_RSA_MD5_DES, &tmp);
+ ctx->default_safe_sumtype = tmp;
+
+ profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS,
+ KRB5_CONF_KDC_DEFAULT_OPTIONS, 0,
+ KDC_OPT_RENEWABLE_OK, &tmp);
+ ctx->kdc_default_options = tmp;
#define DEFAULT_KDC_TIMESYNC 1
- profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS,
- KRB5_CONF_KDC_TIMESYNC, 0, DEFAULT_KDC_TIMESYNC,
- &tmp);
- ctx->library_options = tmp ? KRB5_LIBOPT_SYNC_KDCTIME : 0;
-
- /*
- * We use a default file credentials cache of 3. See
- * lib/krb5/krb/ccache/file/fcc.h for a description of the
- * credentials cache types.
- *
- * Note: DCE 1.0.3a only supports a cache type of 1
- * DCE 1.1 supports a cache type of 2.
- */
+ profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS,
+ KRB5_CONF_KDC_TIMESYNC, 0, DEFAULT_KDC_TIMESYNC,
+ &tmp);
+ ctx->library_options = tmp ? KRB5_LIBOPT_SYNC_KDCTIME : 0;
+
+ /*
+ * We use a default file credentials cache of 3. See
+ * lib/krb5/krb/ccache/file/fcc.h for a description of the
+ * credentials cache types.
+ *
+ * Note: DCE 1.0.3a only supports a cache type of 1
+ * DCE 1.1 supports a cache type of 2.
+ */
#define DEFAULT_CCACHE_TYPE 4
- profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS, KRB5_CONF_CCACHE_TYPE,
- 0, DEFAULT_CCACHE_TYPE, &tmp);
- ctx->fcc_default_format = tmp + 0x0500;
- ctx->prompt_types = 0;
- ctx->use_conf_ktypes = 0;
-
- ctx->udp_pref_limit = -1;
- *context = ctx;
- return 0;
+ profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS, KRB5_CONF_CCACHE_TYPE,
+ 0, DEFAULT_CCACHE_TYPE, &tmp);
+ ctx->fcc_default_format = tmp + 0x0500;
+ ctx->prompt_types = 0;
+ ctx->use_conf_ktypes = 0;
+
+ ctx->udp_pref_limit = -1;
+ *context = ctx;
+ return 0;
cleanup:
- krb5_free_context(ctx);
- return retval;
+ krb5_free_context(ctx);
+ return retval;
}
void KRB5_CALLCONV
krb5_free_context(krb5_context ctx)
{
- if (ctx == NULL)
- return;
- krb5_os_free_context(ctx);
-
- free(ctx->in_tkt_etypes);
- ctx->in_tkt_etypes = NULL;
- free(ctx->tgs_etypes);
- ctx->tgs_etypes = NULL;
- free(ctx->default_realm);
- ctx->default_realm = 0;
- if (ctx->ser_ctx_count && ctx->ser_ctx) {
- free(ctx->ser_ctx);
- ctx->ser_ctx = 0;
- }
-
- krb5_clear_error_message(ctx);
-
- ctx->magic = 0;
- free(ctx);
+ if (ctx == NULL)
+ return;
+ krb5_os_free_context(ctx);
+
+ free(ctx->in_tkt_etypes);
+ ctx->in_tkt_etypes = NULL;
+ free(ctx->tgs_etypes);
+ ctx->tgs_etypes = NULL;
+ free(ctx->default_realm);
+ ctx->default_realm = 0;
+ if (ctx->ser_ctx_count && ctx->ser_ctx) {
+ free(ctx->ser_ctx);
+ ctx->ser_ctx = 0;
+ }
+
+ krb5_clear_error_message(ctx);
+
+ ctx->magic = 0;
+ free(ctx);
}
/* Copy the zero-terminated enctype list old_list into *new_list. */
static krb5_error_code
copy_enctypes(krb5_context context, const krb5_enctype *old_list,
- krb5_enctype **new_list)
+ krb5_enctype **new_list)
{
unsigned int count;
krb5_enctype *list;
@@ -288,7 +289,7 @@ copy_enctypes(krb5_context context, const krb5_enctype *old_list,
for (count = 0; old_list[count]; count++);
list = malloc(sizeof(krb5_enctype) * (count + 1));
if (list == NULL)
- return ENOMEM;
+ return ENOMEM;
memcpy(list, old_list, sizeof(krb5_enctype) * (count + 1));
*new_list = list;
return 0;
@@ -299,25 +300,25 @@ copy_enctypes(krb5_context context, const krb5_enctype *old_list,
*/
static krb5_error_code
set_default_etype_var(krb5_context context, const krb5_enctype *etypes,
- krb5_enctype **var)
+ krb5_enctype **var)
{
krb5_error_code code;
krb5_enctype *list;
int i;
if (etypes) {
- for (i = 0; etypes[i]; i++) {
- if (!krb5_c_valid_enctype(etypes[i]))
- return KRB5_PROG_ETYPE_NOSUPP;
- if (!context->allow_weak_crypto && krb5int_c_weak_enctype(etypes[i]))
- return KRB5_PROG_ETYPE_NOSUPP;
- }
-
- code = copy_enctypes(context, etypes, &list);
- if (code)
- return code;
+ for (i = 0; etypes[i]; i++) {
+ if (!krb5_c_valid_enctype(etypes[i]))
+ return KRB5_PROG_ETYPE_NOSUPP;
+ if (!context->allow_weak_crypto && krb5int_c_weak_enctype(etypes[i]))
+ return KRB5_PROG_ETYPE_NOSUPP;
+ }
+
+ code = copy_enctypes(context, etypes, &list);
+ if (code)
+ return code;
} else {
- list = NULL;
+ list = NULL;
}
free(*var);
@@ -327,7 +328,7 @@ set_default_etype_var(krb5_context context, const krb5_enctype *etypes,
krb5_error_code
krb5_set_default_in_tkt_ktypes(krb5_context context,
- const krb5_enctype *etypes)
+ const krb5_enctype *etypes)
{
return set_default_etype_var(context, etypes, &context->in_tkt_etypes);
}
@@ -352,26 +353,26 @@ krb5_set_default_tgs_ktypes(krb5_context context, const krb5_enctype *etypes)
*/
static void
mod_list(krb5_enctype etype, krb5_boolean add, krb5_boolean allow_weak,
- krb5_enctype *list, unsigned int *count)
+ krb5_enctype *list, unsigned int *count)
{
unsigned int i;
assert(etype > 0 && etype <= MAX_ENCTYPE);
if (!allow_weak && krb5int_c_weak_enctype(etype))
- return;
+ return;
for (i = 0; i < *count; i++) {
- if (list[i] == etype) {
- if (!add) {
- for (; i < *count - 1; i++)
- list[i] = list[i + 1];
- (*count)--;
- }
- return;
- }
+ if (list[i] == etype) {
+ if (!add) {
+ for (; i < *count - 1; i++)
+ list[i] = list[i + 1];
+ (*count)--;
+ }
+ return;
+ }
}
if (add) {
- assert(*count < MAX_ENCTYPE);
- list[(*count)++] = etype;
+ assert(*count < MAX_ENCTYPE);
+ list[(*count)++] = etype;
}
}
@@ -381,7 +382,7 @@ mod_list(krb5_enctype etype, krb5_boolean add, krb5_boolean allow_weak,
*/
krb5_error_code
krb5int_parse_enctype_list(krb5_context context, char *profstr,
- krb5_enctype *default_list, krb5_enctype **result)
+ krb5_enctype *default_list, krb5_enctype **result)
{
char *token, *delim = " \t\r\n,", *save = NULL;
krb5_boolean sel, weak = context->allow_weak_crypto;
@@ -392,31 +393,31 @@ krb5int_parse_enctype_list(krb5_context context, char *profstr,
/* Walk through the words in profstr. */
for (token = strtok_r(profstr, delim, &save); token;
- token = strtok_r(NULL, delim, &save)) {
- /* Determine if we are adding or removing enctypes. */
- sel = TRUE;
- if (*token == '+' || *token == '-')
- sel = (*token++ == '+');
-
- if (strcasecmp(token, "DEFAULT") == 0) {
- /* Set all enctypes in the default list. */
- for (i = 0; default_list[i]; i++)
- mod_list(default_list[i], sel, weak, list, &count);
- } else if (strcasecmp(token, "des") == 0) {
- mod_list(ENCTYPE_DES_CBC_CRC, sel, weak, list, &count);
- mod_list(ENCTYPE_DES_CBC_MD5, sel, weak, list, &count);
- mod_list(ENCTYPE_DES_CBC_MD4, sel, weak, list, &count);
- } else if (strcasecmp(token, "des3") == 0) {
- mod_list(ENCTYPE_DES3_CBC_SHA1, sel, weak, list, &count);
- } else if (strcasecmp(token, "aes") == 0) {
- mod_list(ENCTYPE_AES256_CTS_HMAC_SHA1_96, sel, weak, list, &count);
- mod_list(ENCTYPE_AES128_CTS_HMAC_SHA1_96, sel, weak, list, &count);
- } else if (strcasecmp(token, "rc4") == 0) {
- mod_list(ENCTYPE_ARCFOUR_HMAC, sel, weak, list, &count);
- } else if (krb5_string_to_enctype(token, &etype) == 0) {
- /* Set a specific enctype. */
- mod_list(etype, sel, weak, list, &count);
- }
+ token = strtok_r(NULL, delim, &save)) {
+ /* Determine if we are adding or removing enctypes. */
+ sel = TRUE;
+ if (*token == '+' || *token == '-')
+ sel = (*token++ == '+');
+
+ if (strcasecmp(token, "DEFAULT") == 0) {
+ /* Set all enctypes in the default list. */
+ for (i = 0; default_list[i]; i++)
+ mod_list(default_list[i], sel, weak, list, &count);
+ } else if (strcasecmp(token, "des") == 0) {
+ mod_list(ENCTYPE_DES_CBC_CRC, sel, weak, list, &count);
+ mod_list(ENCTYPE_DES_CBC_MD5, sel, weak, list, &count);
+ mod_list(ENCTYPE_DES_CBC_MD4, sel, weak, list, &count);
+ } else if (strcasecmp(token, "des3") == 0) {
+ mod_list(ENCTYPE_DES3_CBC_SHA1, sel, weak, list, &count);
+ } else if (strcasecmp(token, "aes") == 0) {
+ mod_list(ENCTYPE_AES256_CTS_HMAC_SHA1_96, sel, weak, list, &count);
+ mod_list(ENCTYPE_AES128_CTS_HMAC_SHA1_96, sel, weak, list, &count);
+ } else if (strcasecmp(token, "rc4") == 0) {
+ mod_list(ENCTYPE_ARCFOUR_HMAC, sel, weak, list, &count);
+ } else if (krb5_string_to_enctype(token, &etype) == 0) {
+ /* Set a specific enctype. */
+ mod_list(etype, sel, weak, list, &count);
+ }
}
list[count] = 0;
@@ -433,8 +434,8 @@ krb5int_parse_enctype_list(krb5_context context, char *profstr,
*/
static krb5_error_code
get_profile_etype_list(krb5_context context, krb5_enctype **etypes_ptr,
- char *profkey, krb5_enctype *ctx_list,
- krb5_enctype *default_list)
+ char *profkey, krb5_enctype *ctx_list,
+ krb5_enctype *default_list)
{
krb5_enctype *etypes;
krb5_error_code code;
@@ -443,26 +444,26 @@ get_profile_etype_list(krb5_context context, krb5_enctype **etypes_ptr,
*etypes_ptr = NULL;
if (ctx_list) {
- /* Use application defaults. */
- code = copy_enctypes(context, ctx_list, &etypes);
- if (code)
- return code;
+ /* Use application defaults. */
+ code = copy_enctypes(context, ctx_list, &etypes);
+ if (code)
+ return code;
} else {
- /* Parse profile setting, or "DEFAULT" if not specified. */
- code = profile_get_string(context->profile, KRB5_CONF_LIBDEFAULTS,
- profkey, NULL, "DEFAULT", &profstr);
- if (code)
- return code;
- code = krb5int_parse_enctype_list(context, profstr, default_list,
- &etypes);
- profile_release_string(profstr);
- if (code)
- return code;
+ /* Parse profile setting, or "DEFAULT" if not specified. */
+ code = profile_get_string(context->profile, KRB5_CONF_LIBDEFAULTS,
+ profkey, NULL, "DEFAULT", &profstr);
+ if (code)
+ return code;
+ code = krb5int_parse_enctype_list(context, profstr, default_list,
+ &etypes);
+ profile_release_string(profstr);
+ if (code)
+ return code;
}
if (etypes[0] == 0) {
- free(etypes);
- return KRB5_CONFIG_ETYPE_NOSUPP;
+ free(etypes);
+ return KRB5_CONFIG_ETYPE_NOSUPP;
}
*etypes_ptr = etypes;
@@ -473,9 +474,9 @@ krb5_error_code
krb5_get_default_in_tkt_ktypes(krb5_context context, krb5_enctype **ktypes)
{
return get_profile_etype_list(context, ktypes,
- KRB5_CONF_DEFAULT_TKT_ENCTYPES,
- context->in_tkt_etypes,
- default_enctype_list);
+ KRB5_CONF_DEFAULT_TKT_ENCTYPES,
+ context->in_tkt_etypes,
+ default_enctype_list);
}
void
@@ -490,24 +491,24 @@ KRB5_CALLCONV
krb5_get_tgs_ktypes(krb5_context context, krb5_const_principal princ, krb5_enctype **ktypes)
{
if (context->use_conf_ktypes)
- /* This one is set *only* by reading the config file; it's not
- set by the application. */
- return get_profile_etype_list(context, ktypes,
- KRB5_CONF_DEFAULT_TKT_ENCTYPES, NULL,
- default_enctype_list);
+ /* This one is set *only* by reading the config file; it's not
+ set by the application. */
+ return get_profile_etype_list(context, ktypes,
+ KRB5_CONF_DEFAULT_TKT_ENCTYPES, NULL,
+ default_enctype_list);
else
- return get_profile_etype_list(context, ktypes,
- KRB5_CONF_DEFAULT_TGS_ENCTYPES,
- context->tgs_etypes,
- default_enctype_list);
+ return get_profile_etype_list(context, ktypes,
+ KRB5_CONF_DEFAULT_TGS_ENCTYPES,
+ context->tgs_etypes,
+ default_enctype_list);
}
krb5_error_code KRB5_CALLCONV
krb5_get_permitted_enctypes(krb5_context context, krb5_enctype **ktypes)
{
return get_profile_etype_list(context, ktypes,
- KRB5_CONF_PERMITTED_ENCTYPES,
- context->tgs_etypes, default_enctype_list);
+ KRB5_CONF_PERMITTED_ENCTYPES,
+ context->tgs_etypes, default_enctype_list);
}
krb5_boolean
@@ -517,14 +518,14 @@ krb5_is_permitted_enctype(krb5_context context, krb5_enctype etype)
krb5_boolean ret;
if (krb5_get_permitted_enctypes(context, &list))
- return(0);
+ return(0);
+
-
ret = 0;
for (ptr = list; *ptr; ptr++)
- if (*ptr == etype)
- ret = 1;
+ if (*ptr == etype)
+ ret = 1;
krb5_free_ktypes (context, list);
@@ -571,11 +572,11 @@ krb5_copy_context(krb5_context ctx, krb5_context *nctx_out)
*nctx_out = NULL;
if (ctx == NULL)
- return EINVAL; /* XXX */
+ return EINVAL; /* XXX */
nctx = malloc(sizeof(*nctx));
if (nctx == NULL)
- return ENOMEM;
+ return ENOMEM;
*nctx = *ctx;
@@ -600,28 +601,28 @@ krb5_copy_context(krb5_context ctx, krb5_context *nctx_out)
ret = copy_enctypes(nctx, ctx->in_tkt_etypes, &nctx->in_tkt_etypes);
if (ret)
- goto errout;
+ goto errout;
ret = copy_enctypes(nctx, ctx->tgs_etypes, &nctx->tgs_etypes);
if (ret)
- goto errout;
+ goto errout;
if (ctx->os_context.default_ccname != NULL) {
- nctx->os_context.default_ccname =
- strdup(ctx->os_context.default_ccname);
- if (nctx->os_context.default_ccname == NULL) {
- ret = ENOMEM;
- goto errout;
- }
+ nctx->os_context.default_ccname =
+ strdup(ctx->os_context.default_ccname);
+ if (nctx->os_context.default_ccname == NULL) {
+ ret = ENOMEM;
+ goto errout;
+ }
}
ret = krb5_get_profile(ctx, &nctx->profile);
if (ret)
- goto errout;
+ goto errout;
errout:
if (ret) {
- krb5_free_context(nctx);
+ krb5_free_context(nctx);
} else {
- *nctx_out = nctx;
+ *nctx_out = nctx;
}
return ret;
}
diff --git a/src/lib/krb5/krb/init_keyblock.c b/src/lib/krb5/krb/init_keyblock.c
index 3be842ac8..baf7dabec 100644
--- a/src/lib/krb5/krb/init_keyblock.c
+++ b/src/lib/krb5/krb/init_keyblock.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/init_keyblock.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,10 +23,10 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
- *
*
- * krb5_init_keyblock- a function to set up
+ *
+ *
+ * krb5_init_keyblock- a function to set up
* an empty keyblock
*/
@@ -34,8 +35,8 @@
#include <assert.h>
krb5_error_code KRB5_CALLCONV krb5_init_keyblock
- (krb5_context context, krb5_enctype enctype,
- size_t length, krb5_keyblock **out)
+(krb5_context context, krb5_enctype enctype,
+ size_t length, krb5_keyblock **out)
{
- return krb5int_c_init_keyblock (context, enctype, length, out);
+ return krb5int_c_init_keyblock (context, enctype, length, out);
}
diff --git a/src/lib/krb5/krb/int-proto.h b/src/lib/krb5/krb/int-proto.h
index 724e18bf8..081a8a34b 100644
--- a/src/lib/krb5/krb/int-proto.h
+++ b/src/lib/krb5/krb/int-proto.h
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/int-proto.h
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* Function prototypes for Kerberos V5 library internal functions.
*/
@@ -32,14 +33,14 @@
#define KRB5_INT_FUNC_PROTO__
krb5_error_code krb5_tgtname
- (krb5_context context,
- const krb5_data *,
- const krb5_data *,
- krb5_principal *);
+(krb5_context context,
+ const krb5_data *,
+ const krb5_data *,
+ krb5_principal *);
krb5_error_code krb5_libdefault_boolean
- (krb5_context, const krb5_data *, const char *,
- int *);
+(krb5_context, const krb5_data *, const char *,
+ int *);
krb5_error_code krb5_ser_authdata_init (krb5_context);
krb5_error_code krb5_ser_address_init (krb5_context);
@@ -51,40 +52,39 @@ krb5_error_code krb5_ser_authdata_context_init (krb5_context);
krb5_error_code
krb5_preauth_supply_preauth_data(krb5_context context,
- krb5_gic_opt_ext *opte,
- const char *attr,
- const char *value);
+ krb5_gic_opt_ext *opte,
+ const char *attr,
+ const char *value);
krb5_error_code
krb5_get_cred_from_kdc_opt(krb5_context context, krb5_ccache ccache,
- krb5_creds *in_cred, krb5_creds **out_cred,
- krb5_creds ***tgts, int kdcopt);
+ krb5_creds *in_cred, krb5_creds **out_cred,
+ krb5_creds ***tgts, int kdcopt);
krb5_error_code
krb5int_construct_matching_creds(krb5_context context, krb5_flags options,
- krb5_creds *in_creds, krb5_creds *mcreds,
- krb5_flags *fields);
+ krb5_creds *in_creds, krb5_creds *mcreds,
+ krb5_flags *fields);
#define in_clock_skew(date, now) (labs((date)-(now)) < context->clockskew)
-#define IS_TGS_PRINC(c, p) \
- (krb5_princ_size((c), (p)) == 2 && \
+#define IS_TGS_PRINC(c, p) \
+ (krb5_princ_size((c), (p)) == 2 && \
data_eq_string(*krb5_princ_component((c), (p), 0), KRB5_TGS_NAME))
krb5_error_code
krb5_get_cred_via_tkt_ext (krb5_context context, krb5_creds *tkt,
- krb5_flags kdcoptions, krb5_address *const *address,
- krb5_pa_data **in_padata,
- krb5_creds *in_cred,
- krb5_error_code (*gcvt_fct)(krb5_context,
- krb5_keyblock *,
- krb5_kdc_req *,
- void *),
- void *gcvt_data,
- krb5_pa_data ***out_padata,
- krb5_pa_data ***enc_padata,
- krb5_creds **out_cred,
- krb5_keyblock **out_subkey);
+ krb5_flags kdcoptions, krb5_address *const *address,
+ krb5_pa_data **in_padata,
+ krb5_creds *in_cred,
+ krb5_error_code (*gcvt_fct)(krb5_context,
+ krb5_keyblock *,
+ krb5_kdc_req *,
+ void *),
+ void *gcvt_data,
+ krb5_pa_data ***out_padata,
+ krb5_pa_data ***enc_padata,
+ krb5_creds **out_cred,
+ krb5_keyblock **out_subkey);
#endif /* KRB5_INT_FUNC_PROTO__ */
-
diff --git a/src/lib/krb5/krb/kdc_rep_dc.c b/src/lib/krb5/krb/kdc_rep_dc.c
index 42559b2f1..dfd3ba29f 100644
--- a/src/lib/krb5/krb/kdc_rep_dc.c
+++ b/src/lib/krb5/krb/kdc_rep_dc.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/kdc_rep_dc.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_kdc_rep_decrypt_proc()
*/
@@ -45,34 +46,34 @@ krb5_kdc_rep_decrypt_proc(krb5_context context, const krb5_keyblock *key, krb5_c
krb5_keyusage usage;
if (decryptarg) {
- usage = *(const krb5_keyusage *) decryptarg;
+ usage = *(const krb5_keyusage *) decryptarg;
} else {
- usage = KRB5_KEYUSAGE_AS_REP_ENCPART;
+ usage = KRB5_KEYUSAGE_AS_REP_ENCPART;
}
/* set up scratch decrypt/decode area */
scratch.length = dec_rep->enc_part.ciphertext.length;
if (!(scratch.data = malloc(dec_rep->enc_part.ciphertext.length))) {
- return(ENOMEM);
+ return(ENOMEM);
}
/*dec_rep->enc_part.enctype;*/
if ((retval = krb5_c_decrypt(context, key, usage, 0, &dec_rep->enc_part,
- &scratch))) {
- free(scratch.data);
- return(retval);
+ &scratch))) {
+ free(scratch.data);
+ return(retval);
}
-#define clean_scratch() {memset(scratch.data, 0, scratch.length); \
-free(scratch.data);}
+#define clean_scratch() {memset(scratch.data, 0, scratch.length); \
+ free(scratch.data);}
/* and do the decode */
retval = decode_krb5_enc_kdc_rep_part(&scratch, &local_encpart);
clean_scratch();
if (retval)
- return retval;
+ return retval;
dec_rep->enc_part2 = local_encpart;
diff --git a/src/lib/krb5/krb/kerrs.c b/src/lib/krb5/krb/kerrs.c
index 51f1eca97..7525e29a1 100644
--- a/src/lib/krb5/krb/kerrs.c
+++ b/src/lib/krb5/krb/kerrs.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/kerrs.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -38,63 +39,63 @@ static int error_message_debug = 0;
#undef krb5_set_error_message
void KRB5_CALLCONV_C
krb5_set_error_message (krb5_context ctx, krb5_error_code code,
- const char *fmt, ...)
+ const char *fmt, ...)
{
va_list args;
if (ctx == NULL)
- return;
+ return;
va_start (args, fmt);
#ifdef DEBUG
if (ERROR_MESSAGE_DEBUG())
- fprintf(stderr,
- "krb5_set_error_message(ctx=%p/err=%p, code=%ld, ...)\n",
- ctx, &ctx->err, (long) code);
+ fprintf(stderr,
+ "krb5_set_error_message(ctx=%p/err=%p, code=%ld, ...)\n",
+ ctx, &ctx->err, (long) code);
#endif
krb5int_vset_error (&ctx->err, code, fmt, args);
#ifdef DEBUG
if (ERROR_MESSAGE_DEBUG())
- fprintf(stderr, "->%s\n", ctx->err.msg);
+ fprintf(stderr, "->%s\n", ctx->err.msg);
#endif
va_end (args);
}
void KRB5_CALLCONV_C
krb5_set_error_message_fl (krb5_context ctx, krb5_error_code code,
- const char *file, int line, const char *fmt, ...)
+ const char *file, int line, const char *fmt, ...)
{
va_list args;
if (ctx == NULL)
- return;
+ return;
va_start (args, fmt);
#ifdef DEBUG
if (ERROR_MESSAGE_DEBUG())
- fprintf(stderr,
- "krb5_set_error_message(ctx=%p/err=%p, code=%ld, ...)\n",
- ctx, &ctx->err, (long) code);
+ fprintf(stderr,
+ "krb5_set_error_message(ctx=%p/err=%p, code=%ld, ...)\n",
+ ctx, &ctx->err, (long) code);
#endif
krb5int_vset_error_fl (&ctx->err, code, file, line, fmt, args);
#ifdef DEBUG
if (ERROR_MESSAGE_DEBUG())
- fprintf(stderr, "->%s\n", ctx->err.msg);
+ fprintf(stderr, "->%s\n", ctx->err.msg);
#endif
va_end (args);
}
void KRB5_CALLCONV
krb5_vset_error_message (krb5_context ctx, krb5_error_code code,
- const char *fmt, va_list args)
+ const char *fmt, va_list args)
{
#ifdef DEBUG
if (ERROR_MESSAGE_DEBUG())
- fprintf(stderr, "krb5_vset_error_message(ctx=%p, code=%ld, ...)\n",
- ctx, (long) code);
+ fprintf(stderr, "krb5_vset_error_message(ctx=%p, code=%ld, ...)\n",
+ ctx, (long) code);
#endif
if (ctx == NULL)
- return;
+ return;
krb5int_vset_error (&ctx->err, code, fmt, args);
#ifdef DEBUG
if (ERROR_MESSAGE_DEBUG())
- fprintf(stderr, "->%s\n", ctx->err.msg);
+ fprintf(stderr, "->%s\n", ctx->err.msg);
#endif
}
@@ -103,12 +104,12 @@ void KRB5_CALLCONV
krb5_copy_error_message (krb5_context dest_ctx, krb5_context src_ctx)
{
if (dest_ctx == src_ctx)
- return;
+ return;
if (src_ctx->err.msg) {
- krb5int_set_error(&dest_ctx->err, src_ctx->err.code, "%s",
- src_ctx->err.msg);
+ krb5int_set_error(&dest_ctx->err, src_ctx->err.code, "%s",
+ src_ctx->err.msg);
} else {
- krb5int_clear_error(&dest_ctx->err);
+ krb5int_clear_error(&dest_ctx->err);
}
}
@@ -117,10 +118,10 @@ krb5_get_error_message (krb5_context ctx, krb5_error_code code)
{
#ifdef DEBUG
if (ERROR_MESSAGE_DEBUG())
- fprintf(stderr, "krb5_get_error_message(%p, %ld)\n", ctx, (long) code);
+ fprintf(stderr, "krb5_get_error_message(%p, %ld)\n", ctx, (long) code);
#endif
if (ctx == NULL)
- return error_message(code);
+ return error_message(code);
return krb5int_get_error (&ctx->err, code);
}
@@ -129,10 +130,10 @@ krb5_free_error_message (krb5_context ctx, const char *msg)
{
#ifdef DEBUG
if (ERROR_MESSAGE_DEBUG())
- fprintf(stderr, "krb5_free_error_message(%p, %p)\n", ctx, msg);
+ fprintf(stderr, "krb5_free_error_message(%p, %p)\n", ctx, msg);
#endif
if (ctx == NULL)
- return;
+ return;
krb5int_free_error (&ctx->err, msg);
}
@@ -141,9 +142,9 @@ krb5_clear_error_message (krb5_context ctx)
{
#ifdef DEBUG
if (ERROR_MESSAGE_DEBUG())
- fprintf(stderr, "krb5_clear_error_message(%p)\n", ctx);
+ fprintf(stderr, "krb5_clear_error_message(%p)\n", ctx);
#endif
if (ctx == NULL)
- return;
+ return;
krb5int_clear_error (&ctx->err);
}
diff --git a/src/lib/krb5/krb/kfree.c b/src/lib/krb5/krb/kfree.c
index 801eed0da..c372e70b6 100644
--- a/src/lib/krb5/krb/kfree.c
+++ b/src/lib/krb5/krb/kfree.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/free/f_addr.c
*
@@ -7,7 +8,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -21,7 +22,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_free_address()
*/
@@ -60,7 +61,7 @@ void KRB5_CALLCONV
krb5_free_address(krb5_context context, krb5_address *val)
{
if (val == NULL)
- return;
+ return;
free(val->contents);
free(val);
}
@@ -71,10 +72,10 @@ krb5_free_addresses(krb5_context context, krb5_address **val)
register krb5_address **temp;
if (val == NULL)
- return;
+ return;
for (temp = val; *temp; temp++) {
- free((*temp)->contents);
- free(*temp);
+ free((*temp)->contents);
+ free(*temp);
}
free(val);
}
@@ -82,18 +83,18 @@ krb5_free_addresses(krb5_context context, krb5_address **val)
void KRB5_CALLCONV
krb5_free_alt_method(krb5_context context,
- krb5_alt_method *alt)
+ krb5_alt_method *alt)
{
if (alt) {
- free(alt->data);
- free(alt);
+ free(alt->data);
+ free(alt);
}
}
void KRB5_CALLCONV
krb5_free_ap_rep(krb5_context context, register krb5_ap_rep *val)
{
if (val == NULL)
- return;
+ return;
free(val->enc_part.ciphertext.data);
free(val);
}
@@ -102,7 +103,7 @@ void KRB5_CALLCONV
krb5_free_ap_req(krb5_context context, register krb5_ap_req *val)
{
if (val == NULL)
- return;
+ return;
krb5_free_ticket(context, val->ticket);
free(val->authenticator.ciphertext.data);
free(val);
@@ -112,7 +113,7 @@ void KRB5_CALLCONV
krb5_free_ap_rep_enc_part(krb5_context context, krb5_ap_rep_enc_part *val)
{
if (val == NULL)
- return;
+ return;
krb5_free_keyblock(context, val->subkey);
free(val);
}
@@ -121,7 +122,7 @@ void KRB5_CALLCONV
krb5_free_authenticator_contents(krb5_context context, krb5_authenticator *val)
{
if (val == NULL)
- return;
+ return;
krb5_free_checksum(context, val->checksum);
val->checksum = 0;
krb5_free_principal(context, val->client);
@@ -138,10 +139,10 @@ krb5_free_authdata(krb5_context context, krb5_authdata **val)
register krb5_authdata **temp;
if (val == NULL)
- return;
+ return;
for (temp = val; *temp; temp++) {
- free((*temp)->contents);
- free(*temp);
+ free((*temp)->contents);
+ free(*temp);
}
free(val);
}
@@ -150,7 +151,7 @@ void KRB5_CALLCONV
krb5_free_authenticator(krb5_context context, krb5_authenticator *val)
{
if (val == NULL)
- return;
+ return;
krb5_free_authenticator_contents(context, val);
free(val);
}
@@ -159,7 +160,7 @@ void KRB5_CALLCONV
krb5_free_checksum(krb5_context context, register krb5_checksum *val)
{
if (val == NULL)
- return;
+ return;
krb5_free_checksum_contents(context, val);
free(val);
}
@@ -168,7 +169,7 @@ void KRB5_CALLCONV
krb5_free_checksum_contents(krb5_context context, register krb5_checksum *val)
{
if (val == NULL)
- return;
+ return;
free(val->contents);
val->contents = NULL;
}
@@ -177,7 +178,7 @@ void KRB5_CALLCONV
krb5_free_cred(krb5_context context, register krb5_cred *val)
{
if (val == NULL)
- return;
+ return;
krb5_free_tickets(context, val->tickets);
free(val->enc_part.ciphertext.data);
free(val);
@@ -185,14 +186,14 @@ krb5_free_cred(krb5_context context, register krb5_cred *val)
/*
* krb5_free_cred_contents zeros out the session key, and then frees
- * the credentials structures
+ * the credentials structures
*/
void KRB5_CALLCONV
krb5_free_cred_contents(krb5_context context, krb5_creds *val)
{
if (val == NULL)
- return;
+ return;
krb5_free_principal(context, val->client);
val->client = 0;
krb5_free_principal(context, val->server);
@@ -208,28 +209,28 @@ krb5_free_cred_contents(krb5_context context, krb5_creds *val)
val->authdata = 0;
}
-void KRB5_CALLCONV
+void KRB5_CALLCONV
krb5_free_cred_enc_part(krb5_context context, register krb5_cred_enc_part *val)
{
register krb5_cred_info **temp;
-
+
if (val == NULL)
- return;
+ return;
krb5_free_address(context, val->r_address);
val->r_address = 0;
krb5_free_address(context, val->s_address);
val->s_address = 0;
if (val->ticket_info) {
- for (temp = val->ticket_info; *temp; temp++) {
- krb5_free_keyblock(context, (*temp)->session);
- krb5_free_principal(context, (*temp)->client);
- krb5_free_principal(context, (*temp)->server);
- krb5_free_addresses(context, (*temp)->caddrs);
- free(*temp);
- }
- free(val->ticket_info);
- val->ticket_info = 0;
+ for (temp = val->ticket_info; *temp; temp++) {
+ krb5_free_keyblock(context, (*temp)->session);
+ krb5_free_principal(context, (*temp)->client);
+ krb5_free_principal(context, (*temp)->server);
+ krb5_free_addresses(context, (*temp)->caddrs);
+ free(*temp);
+ }
+ free(val->ticket_info);
+ val->ticket_info = 0;
}
}
@@ -238,7 +239,7 @@ void KRB5_CALLCONV
krb5_free_creds(krb5_context context, krb5_creds *val)
{
if (val == NULL)
- return;
+ return;
krb5_free_cred_contents(context, val);
free(val);
}
@@ -248,7 +249,7 @@ void KRB5_CALLCONV
krb5_free_data(krb5_context context, krb5_data *val)
{
if (val == NULL)
- return;
+ return;
free(val->data);
free(val);
}
@@ -257,10 +258,10 @@ void KRB5_CALLCONV
krb5_free_data_contents(krb5_context context, krb5_data *val)
{
if (val == NULL)
- return;
+ return;
if (val->data) {
- free(val->data);
- val->data = 0;
+ free(val->data);
+ val->data = 0;
}
}
@@ -268,7 +269,7 @@ void KRB5_CALLCONV
krb5_free_enc_data(krb5_context context, krb5_enc_data *val)
{
if (val == NULL)
- return;
+ return;
krb5_free_data_contents(context, &val->ciphertext);
free(val);
}
@@ -278,21 +279,21 @@ void krb5_free_etype_info(krb5_context context, krb5_etype_info info)
int i;
if (info == NULL)
- return;
+ return;
for (i=0; info[i] != NULL; i++) {
- free(info[i]->salt);
- krb5_free_data_contents(context, &info[i]->s2kparams);
- free(info[i]);
+ free(info[i]->salt);
+ krb5_free_data_contents(context, &info[i]->s2kparams);
+ free(info[i]);
}
free(info);
}
-
+
void KRB5_CALLCONV
krb5_free_enc_kdc_rep_part(krb5_context context, register krb5_enc_kdc_rep_part *val)
{
if (val == NULL)
- return;
+ return;
krb5_free_keyblock(context, val->session);
krb5_free_last_req(context, val->last_req);
krb5_free_principal(context, val->server);
@@ -305,7 +306,7 @@ void KRB5_CALLCONV
krb5_free_enc_tkt_part(krb5_context context, krb5_enc_tkt_part *val)
{
if (val == NULL)
- return;
+ return;
krb5_free_keyblock(context, val->session);
krb5_free_principal(context, val->client);
free(val->transited.tr_contents.data);
@@ -319,7 +320,7 @@ void KRB5_CALLCONV
krb5_free_error(krb5_context context, register krb5_error *val)
{
if (val == NULL)
- return;
+ return;
krb5_free_principal(context, val->client);
krb5_free_principal(context, val->server);
free(val->text.data);
@@ -331,7 +332,7 @@ void KRB5_CALLCONV
krb5_free_kdc_rep(krb5_context context, krb5_kdc_rep *val)
{
if (val == NULL)
- return;
+ return;
krb5_free_pa_data(context, val->padata);
krb5_free_principal(context, val->client);
krb5_free_ticket(context, val->ticket);
@@ -345,7 +346,7 @@ void KRB5_CALLCONV
krb5_free_kdc_req(krb5_context context, krb5_kdc_req *val)
{
if (val == NULL)
- return;
+ return;
assert( val->kdc_state == NULL);
krb5_free_pa_data(context, val->padata);
krb5_free_principal(context, val->client);
@@ -378,9 +379,9 @@ krb5_free_last_req(krb5_context context, krb5_last_req_entry **val)
register krb5_last_req_entry **temp;
if (val == NULL)
- return;
+ return;
for (temp = val; *temp; temp++)
- free(*temp);
+ free(*temp);
free(val);
}
@@ -390,10 +391,10 @@ krb5_free_pa_data(krb5_context context, krb5_pa_data **val)
register krb5_pa_data **temp;
if (val == NULL)
- return;
+ return;
for (temp = val; *temp; temp++) {
- free((*temp)->contents);
- free(*temp);
+ free((*temp)->contents);
+ free(*temp);
}
free(val);
}
@@ -404,13 +405,13 @@ krb5_free_principal(krb5_context context, krb5_principal val)
register krb5_int32 i;
if (!val)
- return;
-
+ return;
+
if (val->data) {
- i = krb5_princ_size(context, val);
- while(--i >= 0)
- free(krb5_princ_component(context, val, i)->data);
- free(val->data);
+ i = krb5_princ_size(context, val);
+ while(--i >= 0)
+ free(krb5_princ_component(context, val, i)->data);
+ free(val->data);
}
free(val->realm.data);
free(val);
@@ -420,7 +421,7 @@ void KRB5_CALLCONV
krb5_free_priv(krb5_context context, register krb5_priv *val)
{
if (val == NULL)
- return;
+ return;
free(val->enc_part.ciphertext.data);
free(val);
}
@@ -429,7 +430,7 @@ void KRB5_CALLCONV
krb5_free_priv_enc_part(krb5_context context, register krb5_priv_enc_part *val)
{
if (val == NULL)
- return;
+ return;
free(val->user_data.data);
krb5_free_address(context, val->r_address);
krb5_free_address(context, val->s_address);
@@ -440,7 +441,7 @@ void KRB5_CALLCONV
krb5_free_pwd_data(krb5_context context, krb5_pwd_data *val)
{
if (val == NULL)
- return;
+ return;
krb5_free_pwd_sequences(context, val->element);
free(val);
}
@@ -448,10 +449,10 @@ krb5_free_pwd_data(krb5_context context, krb5_pwd_data *val)
void KRB5_CALLCONV
krb5_free_passwd_phrase_element(krb5_context context,
- passwd_phrase_element *val)
+ passwd_phrase_element *val)
{
if (val == NULL)
- return;
+ return;
krb5_free_data(context, val->passwd);
val->passwd = NULL;
krb5_free_data(context, val->phrase);
@@ -466,9 +467,9 @@ krb5_free_pwd_sequences(krb5_context context, passwd_phrase_element **val)
register passwd_phrase_element **temp;
if (val == NULL)
- return;
+ return;
for (temp = val; *temp; temp++)
- krb5_free_passwd_phrase_element(context, *temp);
+ krb5_free_passwd_phrase_element(context, *temp);
free(val);
}
@@ -477,7 +478,7 @@ void KRB5_CALLCONV
krb5_free_safe(krb5_context context, register krb5_safe *val)
{
if (val == NULL)
- return;
+ return;
free(val->user_data.data);
krb5_free_address(context, val->r_address);
krb5_free_address(context, val->s_address);
@@ -490,7 +491,7 @@ void KRB5_CALLCONV
krb5_free_ticket(krb5_context context, krb5_ticket *val)
{
if (val == NULL)
- return;
+ return;
krb5_free_principal(context, val->server);
free(val->enc_part.ciphertext.data);
krb5_free_enc_tkt_part(context, val->enc_part2);
@@ -503,7 +504,7 @@ krb5_free_tickets(krb5_context context, krb5_ticket **val)
register krb5_ticket **temp;
if (val == NULL)
- return;
+ return;
for (temp = val; *temp; temp++)
krb5_free_ticket(context, *temp);
free(val);
@@ -515,9 +516,9 @@ krb5_free_tgt_creds(krb5_context context, krb5_creds **tgts)
{
register krb5_creds **tgtpp;
if (tgts == NULL)
- return;
+ return;
for (tgtpp = tgts; *tgtpp; tgtpp++)
- krb5_free_creds(context, *tgtpp);
+ krb5_free_creds(context, *tgtpp);
free(tgts);
}
@@ -525,7 +526,7 @@ void KRB5_CALLCONV
krb5_free_tkt_authent(krb5_context context, krb5_tkt_authent *val)
{
if (val == NULL)
- return;
+ return;
krb5_free_ticket(context, val->ticket);
krb5_free_authenticator(context, val->authenticator);
free(val);
@@ -535,14 +536,14 @@ void KRB5_CALLCONV
krb5_free_unparsed_name(krb5_context context, char *val)
{
if (val != NULL)
- free(val);
+ free(val);
}
void KRB5_CALLCONV
krb5_free_sam_challenge(krb5_context ctx, krb5_sam_challenge *sc)
{
if (!sc)
- return;
+ return;
krb5_free_sam_challenge_contents(ctx, sc);
free(sc);
}
@@ -551,7 +552,7 @@ void KRB5_CALLCONV
krb5_free_sam_challenge_2(krb5_context ctx, krb5_sam_challenge_2 *sc2)
{
if (!sc2)
- return;
+ return;
krb5_free_sam_challenge_2_contents(ctx, sc2);
free(sc2);
}
@@ -560,79 +561,79 @@ void KRB5_CALLCONV
krb5_free_sam_challenge_contents(krb5_context ctx, krb5_sam_challenge *sc)
{
if (!sc)
- return;
+ return;
if (sc->sam_type_name.data)
- krb5_free_data_contents(ctx, &sc->sam_type_name);
+ krb5_free_data_contents(ctx, &sc->sam_type_name);
if (sc->sam_track_id.data)
- krb5_free_data_contents(ctx, &sc->sam_track_id);
+ krb5_free_data_contents(ctx, &sc->sam_track_id);
if (sc->sam_challenge_label.data)
- krb5_free_data_contents(ctx, &sc->sam_challenge_label);
+ krb5_free_data_contents(ctx, &sc->sam_challenge_label);
if (sc->sam_challenge.data)
- krb5_free_data_contents(ctx, &sc->sam_challenge);
+ krb5_free_data_contents(ctx, &sc->sam_challenge);
if (sc->sam_response_prompt.data)
- krb5_free_data_contents(ctx, &sc->sam_response_prompt);
+ krb5_free_data_contents(ctx, &sc->sam_response_prompt);
if (sc->sam_pk_for_sad.data)
- krb5_free_data_contents(ctx, &sc->sam_pk_for_sad);
+ krb5_free_data_contents(ctx, &sc->sam_pk_for_sad);
free(sc->sam_cksum.contents);
sc->sam_cksum.contents = 0;
}
void KRB5_CALLCONV
krb5_free_sam_challenge_2_contents(krb5_context ctx,
- krb5_sam_challenge_2 *sc2)
+ krb5_sam_challenge_2 *sc2)
{
krb5_checksum **cksump;
if (!sc2)
- return;
+ return;
if (sc2->sam_challenge_2_body.data)
- krb5_free_data_contents(ctx, &sc2->sam_challenge_2_body);
+ krb5_free_data_contents(ctx, &sc2->sam_challenge_2_body);
if (sc2->sam_cksum) {
- cksump = sc2->sam_cksum;
- while (*cksump) {
- krb5_free_checksum(ctx, *cksump);
- cksump++;
- }
- free(sc2->sam_cksum);
- sc2->sam_cksum = 0;
+ cksump = sc2->sam_cksum;
+ while (*cksump) {
+ krb5_free_checksum(ctx, *cksump);
+ cksump++;
+ }
+ free(sc2->sam_cksum);
+ sc2->sam_cksum = 0;
}
}
void KRB5_CALLCONV
krb5_free_sam_challenge_2_body(krb5_context ctx,
- krb5_sam_challenge_2_body *sc2)
+ krb5_sam_challenge_2_body *sc2)
{
if (!sc2)
- return;
+ return;
krb5_free_sam_challenge_2_body_contents(ctx, sc2);
free(sc2);
}
void KRB5_CALLCONV
krb5_free_sam_challenge_2_body_contents(krb5_context ctx,
- krb5_sam_challenge_2_body *sc2)
+ krb5_sam_challenge_2_body *sc2)
{
if (!sc2)
- return;
- if (sc2->sam_type_name.data)
- krb5_free_data_contents(ctx, &sc2->sam_type_name);
+ return;
+ if (sc2->sam_type_name.data)
+ krb5_free_data_contents(ctx, &sc2->sam_type_name);
if (sc2->sam_track_id.data)
- krb5_free_data_contents(ctx, &sc2->sam_track_id);
+ krb5_free_data_contents(ctx, &sc2->sam_track_id);
if (sc2->sam_challenge_label.data)
- krb5_free_data_contents(ctx, &sc2->sam_challenge_label);
+ krb5_free_data_contents(ctx, &sc2->sam_challenge_label);
if (sc2->sam_challenge.data)
- krb5_free_data_contents(ctx, &sc2->sam_challenge);
+ krb5_free_data_contents(ctx, &sc2->sam_challenge);
if (sc2->sam_response_prompt.data)
- krb5_free_data_contents(ctx, &sc2->sam_response_prompt);
+ krb5_free_data_contents(ctx, &sc2->sam_response_prompt);
if (sc2->sam_pk_for_sad.data)
- krb5_free_data_contents(ctx, &sc2->sam_pk_for_sad);
+ krb5_free_data_contents(ctx, &sc2->sam_pk_for_sad);
}
void KRB5_CALLCONV
krb5_free_sam_response(krb5_context ctx, krb5_sam_response *sr)
{
if (!sr)
- return;
+ return;
krb5_free_sam_response_contents(ctx, sr);
free(sr);
}
@@ -641,7 +642,7 @@ void KRB5_CALLCONV
krb5_free_sam_response_2(krb5_context ctx, krb5_sam_response_2 *sr2)
{
if (!sr2)
- return;
+ return;
krb5_free_sam_response_2_contents(ctx, sr2);
free(sr2);
}
@@ -650,95 +651,95 @@ void KRB5_CALLCONV
krb5_free_sam_response_contents(krb5_context ctx, krb5_sam_response *sr)
{
if (!sr)
- return;
+ return;
if (sr->sam_track_id.data)
- krb5_free_data_contents(ctx, &sr->sam_track_id);
+ krb5_free_data_contents(ctx, &sr->sam_track_id);
if (sr->sam_enc_key.ciphertext.data)
- krb5_free_data_contents(ctx, &sr->sam_enc_key.ciphertext);
+ krb5_free_data_contents(ctx, &sr->sam_enc_key.ciphertext);
if (sr->sam_enc_nonce_or_ts.ciphertext.data)
- krb5_free_data_contents(ctx, &sr->sam_enc_nonce_or_ts.ciphertext);
+ krb5_free_data_contents(ctx, &sr->sam_enc_nonce_or_ts.ciphertext);
}
void KRB5_CALLCONV
krb5_free_sam_response_2_contents(krb5_context ctx, krb5_sam_response_2 *sr2)
{
if (!sr2)
- return;
+ return;
if (sr2->sam_track_id.data)
- krb5_free_data_contents(ctx, &sr2->sam_track_id);
+ krb5_free_data_contents(ctx, &sr2->sam_track_id);
if (sr2->sam_enc_nonce_or_sad.ciphertext.data)
- krb5_free_data_contents(ctx, &sr2->sam_enc_nonce_or_sad.ciphertext);
+ krb5_free_data_contents(ctx, &sr2->sam_enc_nonce_or_sad.ciphertext);
}
void KRB5_CALLCONV
krb5_free_predicted_sam_response(krb5_context ctx,
- krb5_predicted_sam_response *psr)
+ krb5_predicted_sam_response *psr)
{
if (!psr)
- return;
+ return;
krb5_free_predicted_sam_response_contents(ctx, psr);
free(psr);
}
void KRB5_CALLCONV
krb5_free_predicted_sam_response_contents(krb5_context ctx,
- krb5_predicted_sam_response *psr)
+ krb5_predicted_sam_response *psr)
{
if (!psr)
- return;
+ return;
if (psr->sam_key.contents)
- krb5_free_keyblock_contents(ctx, &psr->sam_key);
+ krb5_free_keyblock_contents(ctx, &psr->sam_key);
krb5_free_principal(ctx, psr->client);
psr->client = 0;
if (psr->msd.data)
- krb5_free_data_contents(ctx, &psr->msd);
+ krb5_free_data_contents(ctx, &psr->msd);
}
void KRB5_CALLCONV
krb5_free_enc_sam_response_enc(krb5_context ctx,
- krb5_enc_sam_response_enc *esre)
+ krb5_enc_sam_response_enc *esre)
{
if (!esre)
- return;
+ return;
krb5_free_enc_sam_response_enc_contents(ctx, esre);
free(esre);
}
-void KRB5_CALLCONV
+void KRB5_CALLCONV
krb5_free_enc_sam_response_enc_2(krb5_context ctx,
- krb5_enc_sam_response_enc_2 *esre2)
+ krb5_enc_sam_response_enc_2 *esre2)
{
if (!esre2)
- return;
+ return;
krb5_free_enc_sam_response_enc_2_contents(ctx, esre2);
free(esre2);
}
void KRB5_CALLCONV
krb5_free_enc_sam_response_enc_contents(krb5_context ctx,
- krb5_enc_sam_response_enc *esre)
+ krb5_enc_sam_response_enc *esre)
{
if (!esre)
- return;
+ return;
if (esre->sam_sad.data)
- krb5_free_data_contents(ctx, &esre->sam_sad);
+ krb5_free_data_contents(ctx, &esre->sam_sad);
}
void KRB5_CALLCONV
krb5_free_enc_sam_response_enc_2_contents(krb5_context ctx,
- krb5_enc_sam_response_enc_2 *esre2)
+ krb5_enc_sam_response_enc_2 *esre2)
{
if (!esre2)
- return;
+ return;
if (esre2->sam_sad.data)
- krb5_free_data_contents(ctx, &esre2->sam_sad);
+ krb5_free_data_contents(ctx, &esre2->sam_sad);
}
void KRB5_CALLCONV
krb5_free_pa_enc_ts(krb5_context ctx, krb5_pa_enc_ts *pa_enc_ts)
{
if (!pa_enc_ts)
- return;
+ return;
free(pa_enc_ts);
}
@@ -746,7 +747,7 @@ void KRB5_CALLCONV
krb5_free_pa_for_user(krb5_context context, krb5_pa_for_user *req)
{
if (req == NULL)
- return;
+ return;
krb5_free_principal(context, req->user);
req->user = NULL;
krb5_free_checksum_contents(context, &req->cksum);
@@ -758,7 +759,7 @@ void KRB5_CALLCONV
krb5_free_s4u_userid_contents(krb5_context context, krb5_s4u_userid *user_id)
{
if (user_id == NULL)
- return;
+ return;
user_id->nonce = 0;
krb5_free_principal(context, user_id->user);
user_id->user = NULL;
@@ -772,7 +773,7 @@ void KRB5_CALLCONV
krb5_free_pa_s4u_x509_user(krb5_context context, krb5_pa_s4u_x509_user *req)
{
if (req == NULL)
- return;
+ return;
krb5_free_s4u_userid_contents(context, &req->user_id);
krb5_free_checksum_contents(context, &req->cksum);
free(req);
@@ -780,26 +781,26 @@ krb5_free_pa_s4u_x509_user(krb5_context context, krb5_pa_s4u_x509_user *req)
void KRB5_CALLCONV
krb5_free_pa_server_referral_data(krb5_context context,
- krb5_pa_server_referral_data *ref)
+ krb5_pa_server_referral_data *ref)
{
if (ref == NULL)
- return;
+ return;
krb5_free_data(context, ref->referred_realm);
ref->referred_realm = NULL;
krb5_free_principal(context, ref->true_principal_name);
ref->true_principal_name = NULL;
krb5_free_principal(context, ref->requested_principal_name);
ref->requested_principal_name = NULL;
- krb5_free_checksum_contents(context, &ref->rep_cksum);
+ krb5_free_checksum_contents(context, &ref->rep_cksum);
free(ref);
}
void KRB5_CALLCONV
krb5_free_pa_svr_referral_data(krb5_context context,
- krb5_pa_svr_referral_data *ref)
+ krb5_pa_svr_referral_data *ref)
{
if (ref == NULL)
- return;
+ return;
krb5_free_principal(context, ref->principal);
ref->principal = NULL;
free(ref);
@@ -807,79 +808,79 @@ krb5_free_pa_svr_referral_data(krb5_context context,
void KRB5_CALLCONV
krb5_free_pa_pac_req(krb5_context context,
- krb5_pa_pac_req *req)
+ krb5_pa_pac_req *req)
{
free(req);
}
void KRB5_CALLCONV
krb5_free_etype_list(krb5_context context,
- krb5_etype_list *etypes)
+ krb5_etype_list *etypes)
{
if (etypes != NULL) {
- free(etypes->etypes);
- free(etypes);
+ free(etypes->etypes);
+ free(etypes);
}
}
void krb5_free_fast_req(krb5_context context, krb5_fast_req *val)
{
- if (val == NULL)
- return;
- krb5_free_kdc_req(context, val->req_body);
- free(val);
+ if (val == NULL)
+ return;
+ krb5_free_kdc_req(context, val->req_body);
+ free(val);
}
void krb5_free_fast_armor(krb5_context context, krb5_fast_armor *val)
{
- if (val == NULL)
- return;
- krb5_free_data_contents(context, &val->armor_value);
- free(val);
+ if (val == NULL)
+ return;
+ krb5_free_data_contents(context, &val->armor_value);
+ free(val);
}
void krb5_free_fast_response(krb5_context context, krb5_fast_response *val)
{
- if (!val)
- return;
- krb5_free_pa_data(context, val->padata);
- krb5_free_fast_finished(context, val->finished);
- krb5_free_keyblock(context, val->strengthen_key);
- free(val);
+ if (!val)
+ return;
+ krb5_free_pa_data(context, val->padata);
+ krb5_free_fast_finished(context, val->finished);
+ krb5_free_keyblock(context, val->strengthen_key);
+ free(val);
}
void krb5_free_fast_finished
(krb5_context context, krb5_fast_finished *val)
{
- if (!val)
- return;
- krb5_free_principal(context, val->client);
- krb5_free_checksum_contents(context, &val->ticket_checksum);
- free(val);
+ if (!val)
+ return;
+ krb5_free_principal(context, val->client);
+ krb5_free_checksum_contents(context, &val->ticket_checksum);
+ free(val);
}
void krb5_free_typed_data(krb5_context context, krb5_typed_data **in)
{
- int i = 0;
- if (in == NULL) return;
- while (in[i] != NULL) {
- if (in[i]->data != NULL)
- free(in[i]->data);
- free(in[i]);
- i++;
- }
- free(in);
+ int i = 0;
+ if (in == NULL) return;
+ while (in[i] != NULL) {
+ if (in[i]->data != NULL)
+ free(in[i]->data);
+ free(in[i]);
+ i++;
+ }
+ free(in);
}
void krb5_free_fast_armored_req(krb5_context context,
- krb5_fast_armored_req *val)
+ krb5_fast_armored_req *val)
{
if (val == NULL)
- return;
+ return;
if (val->armor)
- krb5_free_fast_armor(context, val->armor);
+ krb5_free_fast_armor(context, val->armor);
krb5_free_data_contents(context, &val->enc_part.ciphertext);
if (val->req_checksum.contents)
- krb5_free_checksum_contents(context, &val->req_checksum);
+ krb5_free_checksum_contents(context, &val->req_checksum);
free(val);
}
@@ -908,4 +909,3 @@ krb5_free_ad_kdcissued(krb5_context context, krb5_ad_kdcissued *val)
krb5_free_authdata(context, val->elements);
free(val);
}
-
diff --git a/src/lib/krb5/krb/mk_cred.c b/src/lib/krb5/krb/mk_cred.c
index 6ce0e354e..4c95accd0 100644
--- a/src/lib/krb5/krb/mk_cred.c
+++ b/src/lib/krb5/krb/mk_cred.c
@@ -1,7 +1,8 @@
-/*
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/*
* NAME
* cred.c
- *
+ *
* DESCRIPTION
* Provide an interface to assemble and disassemble krb5_cred
* structures.
@@ -20,41 +21,41 @@
/*
* encrypt the enc_part of krb5_cred
*/
-static krb5_error_code
+static krb5_error_code
encrypt_credencpart(krb5_context context, krb5_cred_enc_part *pcredpart,
- krb5_key pkey, krb5_enc_data *pencdata)
+ krb5_key pkey, krb5_enc_data *pencdata)
{
- krb5_error_code retval;
- krb5_data * scratch;
+ krb5_error_code retval;
+ krb5_data * scratch;
/* start by encoding to-be-encrypted part of the message */
if ((retval = encode_krb5_enc_cred_part(pcredpart, &scratch)))
- return retval;
+ return retval;
/*
* If the keyblock is NULL, just copy the data from the encoded
* data to the ciphertext area.
*/
if (pkey == NULL) {
- pencdata->ciphertext.data = scratch->data;
- pencdata->ciphertext.length = scratch->length;
- free(scratch);
- return 0;
+ pencdata->ciphertext.data = scratch->data;
+ pencdata->ciphertext.length = scratch->length;
+ free(scratch);
+ return 0;
}
/* call the encryption routine */
retval = krb5_encrypt_keyhelper(context, pkey,
- KRB5_KEYUSAGE_KRB_CRED_ENCPART,
- scratch, pencdata);
+ KRB5_KEYUSAGE_KRB_CRED_ENCPART,
+ scratch, pencdata);
if (retval) {
- memset(pencdata->ciphertext.data, 0, pencdata->ciphertext.length);
+ memset(pencdata->ciphertext.data, 0, pencdata->ciphertext.length);
free(pencdata->ciphertext.data);
pencdata->ciphertext.length = 0;
pencdata->ciphertext.data = 0;
}
- memset(scratch->data, 0, scratch->length);
+ memset(scratch->data, 0, scratch->length);
krb5_free_data(context, scratch);
return retval;
@@ -64,15 +65,15 @@ encrypt_credencpart(krb5_context context, krb5_cred_enc_part *pcredpart,
static krb5_error_code
krb5_mk_ncred_basic(krb5_context context,
- krb5_creds **ppcreds, krb5_int32 nppcreds,
- krb5_key key, krb5_replay_data *replaydata,
- krb5_address *local_addr, krb5_address *remote_addr,
- krb5_cred *pcred)
+ krb5_creds **ppcreds, krb5_int32 nppcreds,
+ krb5_key key, krb5_replay_data *replaydata,
+ krb5_address *local_addr, krb5_address *remote_addr,
+ krb5_cred *pcred)
{
- krb5_cred_enc_part credenc;
- krb5_error_code retval;
- size_t size;
- int i;
+ krb5_cred_enc_part credenc;
+ krb5_error_code retval;
+ size_t size;
+ int i;
credenc.magic = KV5M_CRED_ENC_PART;
@@ -89,42 +90,42 @@ krb5_mk_ncred_basic(krb5_context context,
size = sizeof(krb5_cred_info *) * (nppcreds + 1);
credenc.ticket_info = (krb5_cred_info **) calloc(1, size);
if (credenc.ticket_info == NULL)
- return ENOMEM;
+ return ENOMEM;
/*
* For each credential in the list, initialize a cred info
* structure and copy the ticket into the ticket list.
*/
for (i = 0; i < nppcreds; i++) {
- credenc.ticket_info[i] = malloc(sizeof(krb5_cred_info));
- if (credenc.ticket_info[i] == NULL) {
- retval = ENOMEM;
- goto cleanup;
- }
- credenc.ticket_info[i+1] = NULL;
-
+ credenc.ticket_info[i] = malloc(sizeof(krb5_cred_info));
+ if (credenc.ticket_info[i] == NULL) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+ credenc.ticket_info[i+1] = NULL;
+
credenc.ticket_info[i]->magic = KV5M_CRED_INFO;
credenc.ticket_info[i]->times = ppcreds[i]->times;
credenc.ticket_info[i]->flags = ppcreds[i]->ticket_flags;
- if ((retval = decode_krb5_ticket(&ppcreds[i]->ticket,
- &pcred->tickets[i])))
- goto cleanup;
+ if ((retval = decode_krb5_ticket(&ppcreds[i]->ticket,
+ &pcred->tickets[i])))
+ goto cleanup;
- if ((retval = krb5_copy_keyblock(context, &ppcreds[i]->keyblock,
- &credenc.ticket_info[i]->session)))
+ if ((retval = krb5_copy_keyblock(context, &ppcreds[i]->keyblock,
+ &credenc.ticket_info[i]->session)))
goto cleanup;
if ((retval = krb5_copy_principal(context, ppcreds[i]->client,
- &credenc.ticket_info[i]->client)))
+ &credenc.ticket_info[i]->client)))
goto cleanup;
- if ((retval = krb5_copy_principal(context, ppcreds[i]->server,
- &credenc.ticket_info[i]->server)))
+ if ((retval = krb5_copy_principal(context, ppcreds[i]->server,
+ &credenc.ticket_info[i]->server)))
goto cleanup;
- if ((retval = krb5_copy_addresses(context, ppcreds[i]->addresses,
- &credenc.ticket_info[i]->caddrs)))
+ if ((retval = krb5_copy_addresses(context, ppcreds[i]->addresses,
+ &credenc.ticket_info[i]->caddrs)))
goto cleanup;
}
@@ -149,18 +150,18 @@ cleanup:
*/
krb5_error_code KRB5_CALLCONV
krb5_mk_ncred(krb5_context context, krb5_auth_context auth_context,
- krb5_creds **ppcreds, krb5_data **ppdata,
- krb5_replay_data *outdata)
+ krb5_creds **ppcreds, krb5_data **ppdata,
+ krb5_replay_data *outdata)
{
krb5_address * premote_fulladdr = NULL;
krb5_address * plocal_fulladdr = NULL;
krb5_address remote_fulladdr;
krb5_address local_fulladdr;
- krb5_error_code retval;
- krb5_key key;
+ krb5_error_code retval;
+ krb5_key key;
krb5_replay_data replaydata;
- krb5_cred * pcred;
- krb5_int32 ncred;
+ krb5_cred * pcred;
+ krb5_int32 ncred;
krb5_boolean increased_sequence = FALSE;
local_fulladdr.contents = 0;
@@ -168,94 +169,94 @@ krb5_mk_ncred(krb5_context context, krb5_auth_context auth_context,
memset(&replaydata, 0, sizeof(krb5_replay_data));
if (ppcreds == NULL)
- return KRB5KRB_AP_ERR_BADADDR;
+ return KRB5KRB_AP_ERR_BADADDR;
/*
* Allocate memory for a NULL terminated list of tickets.
*/
for (ncred = 0; ppcreds[ncred]; ncred++)
- ;
+ ;
- if ((pcred = (krb5_cred *)calloc(1, sizeof(krb5_cred))) == NULL)
+ if ((pcred = (krb5_cred *)calloc(1, sizeof(krb5_cred))) == NULL)
return ENOMEM;
- if ((pcred->tickets
- = (krb5_ticket **)calloc((size_t)ncred+1,
- sizeof(krb5_ticket *))) == NULL) {
- retval = ENOMEM;
- goto error;
+ if ((pcred->tickets
+ = (krb5_ticket **)calloc((size_t)ncred+1,
+ sizeof(krb5_ticket *))) == NULL) {
+ retval = ENOMEM;
+ goto error;
}
/* Get keyblock */
if ((key = auth_context->send_subkey) == NULL)
- key = auth_context->key;
+ key = auth_context->key;
/* Get replay info */
if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) &&
- (auth_context->rcache == NULL)) {
- retval = KRB5_RC_REQUIRED;
- goto error;
+ (auth_context->rcache == NULL)) {
+ retval = KRB5_RC_REQUIRED;
+ goto error;
}
if (((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) ||
- (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE))
- && (outdata == NULL)) {
+ (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE))
+ && (outdata == NULL)) {
/* Need a better error */
- retval = KRB5_RC_REQUIRED;
- goto error;
+ retval = KRB5_RC_REQUIRED;
+ goto error;
}
if ((retval = krb5_us_timeofday(context, &replaydata.timestamp,
- &replaydata.usec)))
- goto error;
+ &replaydata.usec)))
+ goto error;
if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) {
- outdata->timestamp = replaydata.timestamp;
- outdata->usec = replaydata.usec;
+ outdata->timestamp = replaydata.timestamp;
+ outdata->usec = replaydata.usec;
}
if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) ||
(auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) {
replaydata.seq = auth_context->local_seq_number++;
- increased_sequence = TRUE;
+ increased_sequence = TRUE;
if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)
outdata->seq = replaydata.seq;
}
if (auth_context->local_addr) {
- if (auth_context->local_port) {
+ if (auth_context->local_port) {
if ((retval = krb5_make_fulladdr(context, auth_context->local_addr,
- auth_context->local_port,
- &local_fulladdr)))
- goto error;
- plocal_fulladdr = &local_fulladdr;
- } else {
+ auth_context->local_port,
+ &local_fulladdr)))
+ goto error;
+ plocal_fulladdr = &local_fulladdr;
+ } else {
plocal_fulladdr = auth_context->local_addr;
}
}
if (auth_context->remote_addr) {
- if (auth_context->remote_port) {
+ if (auth_context->remote_port) {
if ((retval = krb5_make_fulladdr(context,auth_context->remote_addr,
- auth_context->remote_port,
- &remote_fulladdr)))
- goto error;
- premote_fulladdr = &remote_fulladdr;
- } else {
+ auth_context->remote_port,
+ &remote_fulladdr)))
+ goto error;
+ premote_fulladdr = &remote_fulladdr;
+ } else {
premote_fulladdr = auth_context->remote_addr;
}
}
/* Setup creds structure */
if ((retval = krb5_mk_ncred_basic(context, ppcreds, ncred, key,
- &replaydata, plocal_fulladdr,
- premote_fulladdr, pcred))) {
- goto error;
+ &replaydata, plocal_fulladdr,
+ premote_fulladdr, pcred))) {
+ goto error;
}
if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) {
krb5_donot_replay replay;
if ((retval = krb5_gen_replay_name(context, auth_context->local_addr,
- "_forw", &replay.client)))
+ "_forw", &replay.client)))
goto error;
replay.server = ""; /* XXX */
@@ -279,7 +280,7 @@ error:
krb5_free_cred(context, pcred);
if (retval) {
- if (increased_sequence)
+ if (increased_sequence)
auth_context->local_seq_number--;
}
return retval;
@@ -292,23 +293,22 @@ error:
*/
krb5_error_code KRB5_CALLCONV
krb5_mk_1cred(krb5_context context, krb5_auth_context auth_context,
- krb5_creds *pcreds, krb5_data **ppdata,
- krb5_replay_data *outdata)
+ krb5_creds *pcreds, krb5_data **ppdata,
+ krb5_replay_data *outdata)
{
krb5_error_code retval;
krb5_creds **ppcreds;
if ((ppcreds = (krb5_creds **)malloc(sizeof(*ppcreds) * 2)) == NULL) {
- return ENOMEM;
+ return ENOMEM;
}
ppcreds[0] = pcreds;
ppcreds[1] = NULL;
retval = krb5_mk_ncred(context, auth_context, ppcreds,
- ppdata, outdata);
-
+ ppdata, outdata);
+
free(ppcreds);
return retval;
}
-
diff --git a/src/lib/krb5/krb/mk_error.c b/src/lib/krb5/krb/mk_error.c
index 75cdc9b5b..44fd3b4c2 100644
--- a/src/lib/krb5/krb/mk_error.c
+++ b/src/lib/krb5/krb/mk_error.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/mk_error.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_mk_error() routine.
*/
@@ -30,22 +31,22 @@
#include "k5-int.h"
/*
- formats the error structure *dec_err into an error buffer *enc_err.
+ formats the error structure *dec_err into an error buffer *enc_err.
- The error buffer storage is allocated, and should be freed by the
- caller when finished.
+ The error buffer storage is allocated, and should be freed by the
+ caller when finished.
- returns system errors
- */
+ returns system errors
+*/
krb5_error_code KRB5_CALLCONV
krb5_mk_error(krb5_context context, const krb5_error *dec_err,
- krb5_data *enc_err)
+ krb5_data *enc_err)
{
krb5_error_code retval;
krb5_data *new_enc_err;
if ((retval = encode_krb5_error(dec_err, &new_enc_err)))
- return(retval);
+ return(retval);
*enc_err = *new_enc_err;
free(new_enc_err);
return 0;
diff --git a/src/lib/krb5/krb/mk_priv.c b/src/lib/krb5/krb/mk_priv.c
index 824bfd507..b3cb29722 100644
--- a/src/lib/krb5/krb/mk_priv.c
+++ b/src/lib/krb5/krb/mk_priv.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/mk_priv.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_mk_priv()
*/
@@ -33,18 +34,18 @@
static krb5_error_code
krb5_mk_priv_basic(krb5_context context, const krb5_data *userdata,
- krb5_key key, krb5_replay_data *replaydata,
- krb5_address *local_addr, krb5_address *remote_addr,
- krb5_pointer i_vector, krb5_data *outbuf)
+ krb5_key key, krb5_replay_data *replaydata,
+ krb5_address *local_addr, krb5_address *remote_addr,
+ krb5_pointer i_vector, krb5_data *outbuf)
{
- krb5_enctype enctype = krb5_k_key_enctype(context, key);
- krb5_error_code retval;
- krb5_priv privmsg;
- krb5_priv_enc_part privmsg_enc_part;
- krb5_data *scratch1, *scratch2, ivdata;
- size_t blocksize, enclen;
-
- privmsg.enc_part.kvno = 0; /* XXX allow user-set? */
+ krb5_enctype enctype = krb5_k_key_enctype(context, key);
+ krb5_error_code retval;
+ krb5_priv privmsg;
+ krb5_priv_enc_part privmsg_enc_part;
+ krb5_data *scratch1, *scratch2, ivdata;
+ size_t blocksize, enclen;
+
+ privmsg.enc_part.kvno = 0; /* XXX allow user-set? */
privmsg.enc_part.enctype = enctype;
privmsg_enc_part.user_data = *userdata;
@@ -53,39 +54,39 @@ krb5_mk_priv_basic(krb5_context context, const krb5_data *userdata,
/* We should check too make sure one exists. */
privmsg_enc_part.timestamp = replaydata->timestamp;
- privmsg_enc_part.usec = replaydata->usec;
+ privmsg_enc_part.usec = replaydata->usec;
privmsg_enc_part.seq_number = replaydata->seq;
/* start by encoding to-be-encrypted part of the message */
if ((retval = encode_krb5_enc_priv_part(&privmsg_enc_part, &scratch1)))
- return retval;
+ return retval;
/* put together an eblock for this encryption */
if ((retval = krb5_c_encrypt_length(context, enctype,
- scratch1->length, &enclen)))
- goto clean_scratch;
+ scratch1->length, &enclen)))
+ goto clean_scratch;
privmsg.enc_part.ciphertext.length = enclen;
if (!(privmsg.enc_part.ciphertext.data =
- malloc(privmsg.enc_part.ciphertext.length))) {
+ malloc(privmsg.enc_part.ciphertext.length))) {
retval = ENOMEM;
goto clean_scratch;
}
/* call the encryption routine */
if (i_vector) {
- if ((retval = krb5_c_block_size(context, enctype, &blocksize)))
- goto clean_encpart;
+ if ((retval = krb5_c_block_size(context, enctype, &blocksize)))
+ goto clean_encpart;
- ivdata.length = blocksize;
- ivdata.data = i_vector;
+ ivdata.length = blocksize;
+ ivdata.data = i_vector;
}
if ((retval = krb5_k_encrypt(context, key,
- KRB5_KEYUSAGE_KRB_PRIV_ENCPART,
- i_vector?&ivdata:0,
- scratch1, &privmsg.enc_part)))
- goto clean_encpart;
+ KRB5_KEYUSAGE_KRB_PRIV_ENCPART,
+ i_vector?&ivdata:0,
+ scratch1, &privmsg.enc_part)))
+ goto clean_encpart;
if ((retval = encode_krb5_priv(&privmsg, &scratch2)))
goto clean_encpart;
@@ -95,15 +96,15 @@ krb5_mk_priv_basic(krb5_context context, const krb5_data *userdata,
retval = 0;
clean_encpart:
- memset(privmsg.enc_part.ciphertext.data, 0,
- privmsg.enc_part.ciphertext.length);
- free(privmsg.enc_part.ciphertext.data);
+ memset(privmsg.enc_part.ciphertext.data, 0,
+ privmsg.enc_part.ciphertext.length);
+ free(privmsg.enc_part.ciphertext.data);
privmsg.enc_part.ciphertext.length = 0;
privmsg.enc_part.ciphertext.data = 0;
clean_scratch:
memset(scratch1->data, 0, scratch1->length);
- krb5_free_data(context, scratch1);
+ krb5_free_data(context, scratch1);
return retval;
}
@@ -111,10 +112,10 @@ clean_scratch:
krb5_error_code KRB5_CALLCONV
krb5_mk_priv(krb5_context context, krb5_auth_context auth_context,
- const krb5_data *userdata, krb5_data *outbuf,
- krb5_replay_data *outdata)
+ const krb5_data *userdata, krb5_data *outbuf,
+ krb5_replay_data *outdata)
{
- krb5_error_code retval;
+ krb5_error_code retval;
krb5_key key;
krb5_replay_data replaydata;
@@ -123,113 +124,112 @@ krb5_mk_priv(krb5_context context, krb5_auth_context auth_context,
/* Get keyblock */
if ((key = auth_context->send_subkey) == NULL)
- key = auth_context->key;
+ key = auth_context->key;
/* Get replay info */
if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) &&
- (auth_context->rcache == NULL))
- return KRB5_RC_REQUIRED;
+ (auth_context->rcache == NULL))
+ return KRB5_RC_REQUIRED;
if (((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) ||
- (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
- (outdata == NULL))
- /* Need a better error */
- return KRB5_RC_REQUIRED;
+ (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
+ (outdata == NULL))
+ /* Need a better error */
+ return KRB5_RC_REQUIRED;
if (!auth_context->local_addr)
- return KRB5_LOCAL_ADDR_REQUIRED;
+ return KRB5_LOCAL_ADDR_REQUIRED;
if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) ||
- (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME)) {
- if ((retval = krb5_us_timeofday(context, &replaydata.timestamp,
- &replaydata.usec)))
- return retval;
- if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) {
- outdata->timestamp = replaydata.timestamp;
- outdata->usec = replaydata.usec;
- }
+ (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME)) {
+ if ((retval = krb5_us_timeofday(context, &replaydata.timestamp,
+ &replaydata.usec)))
+ return retval;
+ if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) {
+ outdata->timestamp = replaydata.timestamp;
+ outdata->usec = replaydata.usec;
+ }
}
if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) ||
- (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) {
- replaydata.seq = auth_context->local_seq_number++;
- if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)
- outdata->seq = replaydata.seq;
- }
-
-{
- krb5_address * premote_fulladdr = NULL;
- krb5_address * plocal_fulladdr;
- krb5_address remote_fulladdr;
- krb5_address local_fulladdr;
- CLEANUP_INIT(2);
-
- if (auth_context->local_port) {
- if (!(retval = krb5_make_fulladdr(context, auth_context->local_addr,
- auth_context->local_port,
- &local_fulladdr))) {
- CLEANUP_PUSH(local_fulladdr.contents, free);
- plocal_fulladdr = &local_fulladdr;
- } else {
- goto error;
- }
- } else {
- plocal_fulladdr = auth_context->local_addr;
- }
-
- if (auth_context->remote_addr) {
- if (auth_context->remote_port) {
- if (!(retval = krb5_make_fulladdr(context,auth_context->remote_addr,
- auth_context->remote_port,
- &remote_fulladdr))){
- CLEANUP_PUSH(remote_fulladdr.contents, free);
- premote_fulladdr = &remote_fulladdr;
- } else {
- CLEANUP_DONE();
- goto error;
- }
- } else {
- premote_fulladdr = auth_context->remote_addr;
- }
+ (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) {
+ replaydata.seq = auth_context->local_seq_number++;
+ if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)
+ outdata->seq = replaydata.seq;
}
- if ((retval = krb5_mk_priv_basic(context, userdata, key, &replaydata,
- plocal_fulladdr, premote_fulladdr,
- auth_context->i_vector, outbuf))) {
- CLEANUP_DONE();
- goto error;
+ {
+ krb5_address * premote_fulladdr = NULL;
+ krb5_address * plocal_fulladdr;
+ krb5_address remote_fulladdr;
+ krb5_address local_fulladdr;
+ CLEANUP_INIT(2);
+
+ if (auth_context->local_port) {
+ if (!(retval = krb5_make_fulladdr(context, auth_context->local_addr,
+ auth_context->local_port,
+ &local_fulladdr))) {
+ CLEANUP_PUSH(local_fulladdr.contents, free);
+ plocal_fulladdr = &local_fulladdr;
+ } else {
+ goto error;
+ }
+ } else {
+ plocal_fulladdr = auth_context->local_addr;
+ }
+
+ if (auth_context->remote_addr) {
+ if (auth_context->remote_port) {
+ if (!(retval = krb5_make_fulladdr(context,auth_context->remote_addr,
+ auth_context->remote_port,
+ &remote_fulladdr))){
+ CLEANUP_PUSH(remote_fulladdr.contents, free);
+ premote_fulladdr = &remote_fulladdr;
+ } else {
+ CLEANUP_DONE();
+ goto error;
+ }
+ } else {
+ premote_fulladdr = auth_context->remote_addr;
+ }
+ }
+
+ if ((retval = krb5_mk_priv_basic(context, userdata, key, &replaydata,
+ plocal_fulladdr, premote_fulladdr,
+ auth_context->i_vector, outbuf))) {
+ CLEANUP_DONE();
+ goto error;
+ }
+
+ CLEANUP_DONE();
}
- CLEANUP_DONE();
-}
-
if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) {
- krb5_donot_replay replay;
-
- if ((retval = krb5_gen_replay_name(context, auth_context->local_addr,
- "_priv", &replay.client))) {
- free(outbuf);
- goto error;
- }
-
- replay.server = ""; /* XXX */
- replay.msghash = NULL;
- replay.cusec = replaydata.usec;
- replay.ctime = replaydata.timestamp;
- if ((retval = krb5_rc_store(context, auth_context->rcache, &replay))) {
- /* should we really error out here? XXX */
- free(replay.client);
- goto error;
- }
- free(replay.client);
+ krb5_donot_replay replay;
+
+ if ((retval = krb5_gen_replay_name(context, auth_context->local_addr,
+ "_priv", &replay.client))) {
+ free(outbuf);
+ goto error;
+ }
+
+ replay.server = ""; /* XXX */
+ replay.msghash = NULL;
+ replay.cusec = replaydata.usec;
+ replay.ctime = replaydata.timestamp;
+ if ((retval = krb5_rc_store(context, auth_context->rcache, &replay))) {
+ /* should we really error out here? XXX */
+ free(replay.client);
+ goto error;
+ }
+ free(replay.client);
}
return 0;
error:
if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) ||
- (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE))
- auth_context->local_seq_number--;
+ (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE))
+ auth_context->local_seq_number--;
return retval;
}
-
diff --git a/src/lib/krb5/krb/mk_rep.c b/src/lib/krb5/krb/mk_rep.c
index a4dbc467f..b50c05765 100644
--- a/src/lib/krb5/krb/mk_rep.c
+++ b/src/lib/krb5/krb/mk_rep.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/mk_rep.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_mk_rep()
*/
@@ -58,81 +59,81 @@
#include "auth_con.h"
/*
- Formats a KRB_AP_REP message into outbuf.
+ Formats a KRB_AP_REP message into outbuf.
- The outbuf buffer storage is allocated, and should be freed by the
- caller when finished.
+ The outbuf buffer storage is allocated, and should be freed by the
+ caller when finished.
- returns system errors
+ returns system errors
*/
static krb5_error_code
k5_mk_rep(krb5_context context, krb5_auth_context auth_context,
- krb5_data *outbuf, int dce_style)
+ krb5_data *outbuf, int dce_style)
{
- krb5_error_code retval;
+ krb5_error_code retval;
krb5_ap_rep_enc_part repl;
- krb5_ap_rep reply;
- krb5_data * scratch;
- krb5_data * toutbuf;
+ krb5_ap_rep reply;
+ krb5_data * scratch;
+ krb5_data * toutbuf;
/* Make the reply */
if (((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) ||
- (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
- (auth_context->local_seq_number == 0)) {
- if ((retval = krb5_generate_seq_number(context,
- &auth_context->key->keyblock,
- &auth_context->local_seq_number)))
+ (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
+ (auth_context->local_seq_number == 0)) {
+ if ((retval = krb5_generate_seq_number(context,
+ &auth_context->key->keyblock,
+ &auth_context->local_seq_number)))
return(retval);
}
if (dce_style) {
- krb5_us_timeofday(context, &repl.ctime, &repl.cusec);
+ krb5_us_timeofday(context, &repl.ctime, &repl.cusec);
} else {
- repl.ctime = auth_context->authentp->ctime;
- repl.cusec = auth_context->authentp->cusec;
+ repl.ctime = auth_context->authentp->ctime;
+ repl.cusec = auth_context->authentp->cusec;
}
if (dce_style)
- repl.subkey = NULL;
+ repl.subkey = NULL;
else if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_USE_SUBKEY) {
- assert(auth_context->negotiated_etype != ENCTYPE_NULL);
-
- retval = krb5int_generate_and_save_subkey (context, auth_context,
- &auth_context->key->keyblock,
- auth_context->negotiated_etype);
- if (retval)
- return retval;
- repl.subkey = &auth_context->send_subkey->keyblock;
+ assert(auth_context->negotiated_etype != ENCTYPE_NULL);
+
+ retval = krb5int_generate_and_save_subkey (context, auth_context,
+ &auth_context->key->keyblock,
+ auth_context->negotiated_etype);
+ if (retval)
+ return retval;
+ repl.subkey = &auth_context->send_subkey->keyblock;
} else
- repl.subkey = auth_context->authentp->subkey;
+ repl.subkey = auth_context->authentp->subkey;
if (dce_style)
- repl.seq_number = auth_context->remote_seq_number;
+ repl.seq_number = auth_context->remote_seq_number;
else
- repl.seq_number = auth_context->local_seq_number;
+ repl.seq_number = auth_context->local_seq_number;
/* encode it before encrypting */
if ((retval = encode_krb5_ap_rep_enc_part(&repl, &scratch)))
- return retval;
+ return retval;
if ((retval = krb5_encrypt_keyhelper(context, auth_context->key,
- KRB5_KEYUSAGE_AP_REP_ENCPART,
- scratch, &reply.enc_part)))
- goto cleanup_scratch;
+ KRB5_KEYUSAGE_AP_REP_ENCPART,
+ scratch, &reply.enc_part)))
+ goto cleanup_scratch;
if (!(retval = encode_krb5_ap_rep(&reply, &toutbuf))) {
- *outbuf = *toutbuf;
- free(toutbuf);
+ *outbuf = *toutbuf;
+ free(toutbuf);
}
memset(reply.enc_part.ciphertext.data, 0, reply.enc_part.ciphertext.length);
- free(reply.enc_part.ciphertext.data);
- reply.enc_part.ciphertext.length = 0;
+ free(reply.enc_part.ciphertext.data);
+ reply.enc_part.ciphertext.length = 0;
reply.enc_part.ciphertext.data = 0;
cleanup_scratch:
- memset(scratch->data, 0, scratch->length);
+ memset(scratch->data, 0, scratch->length);
krb5_free_data(context, scratch);
return retval;
diff --git a/src/lib/krb5/krb/mk_req.c b/src/lib/krb5/krb/mk_req.c
index 0fc1e7213..ceb60cbf4 100644
--- a/src/lib/krb5/krb/mk_req.c
+++ b/src/lib/krb5/krb/mk_req.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/mk_req.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_mk_req() routine.
*/
@@ -31,53 +32,53 @@
#include "auth_con.h"
/*
- Formats a KRB_AP_REQ message into outbuf.
+ Formats a KRB_AP_REQ message into outbuf.
- server specifies the principal of the server to receive the message; if
- credentials are not present in the credentials cache for this server, the
- TGS request with default parameters is used in an attempt to obtain
- such credentials, and they are stored in ccache.
+ server specifies the principal of the server to receive the message; if
+ credentials are not present in the credentials cache for this server, the
+ TGS request with default parameters is used in an attempt to obtain
+ such credentials, and they are stored in ccache.
- kdc_options specifies the options requested for the
- ap_req_options specifies the KRB_AP_REQ options desired.
+ kdc_options specifies the options requested for the
+ ap_req_options specifies the KRB_AP_REQ options desired.
- checksum specifies the checksum to be used in the authenticator.
+ checksum specifies the checksum to be used in the authenticator.
- The outbuf buffer storage is allocated, and should be freed by the
- caller when finished.
+ The outbuf buffer storage is allocated, and should be freed by the
+ caller when finished.
- returns system errors
+ returns system errors
*/
krb5_error_code KRB5_CALLCONV
krb5_mk_req(krb5_context context, krb5_auth_context *auth_context,
- krb5_flags ap_req_options, char *service, char *hostname,
- krb5_data *in_data, krb5_ccache ccache, krb5_data *outbuf)
+ krb5_flags ap_req_options, char *service, char *hostname,
+ krb5_data *in_data, krb5_ccache ccache, krb5_data *outbuf)
{
- krb5_error_code retval;
- krb5_principal server;
- krb5_creds * credsp;
- krb5_creds creds;
+ krb5_error_code retval;
+ krb5_principal server;
+ krb5_creds * credsp;
+ krb5_creds creds;
- retval = krb5_sname_to_principal(context, hostname, service,
- KRB5_NT_SRV_HST, &server);
+ retval = krb5_sname_to_principal(context, hostname, service,
+ KRB5_NT_SRV_HST, &server);
if (retval)
- return retval;
+ return retval;
/* obtain ticket & session key */
memset(&creds, 0, sizeof(creds));
if ((retval = krb5_copy_principal(context, server, &creds.server)))
- goto cleanup_princ;
+ goto cleanup_princ;
if ((retval = krb5_cc_get_principal(context, ccache, &creds.client)))
- goto cleanup_creds;
+ goto cleanup_creds;
if ((retval = krb5_get_credentials(context, 0,
- ccache, &creds, &credsp)))
- goto cleanup_creds;
+ ccache, &creds, &credsp)))
+ goto cleanup_creds;
- retval = krb5_mk_req_extended(context, auth_context, ap_req_options,
- in_data, credsp, outbuf);
+ retval = krb5_mk_req_extended(context, auth_context, ap_req_options,
+ in_data, credsp, outbuf);
krb5_free_creds(context, credsp);
diff --git a/src/lib/krb5/krb/mk_req_ext.c b/src/lib/krb5/krb/mk_req_ext.c
index 4277f1eec..95f04e9a4 100644
--- a/src/lib/krb5/krb/mk_req_ext.c
+++ b/src/lib/krb5/krb/mk_req_ext.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/mk_req_ext.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_mk_req_extended()
*/
@@ -32,90 +33,90 @@
#include "auth_con.h"
/*
- Formats a KRB_AP_REQ message into outbuf, with more complete options than
- krb_mk_req.
+ Formats a KRB_AP_REQ message into outbuf, with more complete options than
+ krb_mk_req.
- outbuf, ap_req_options, checksum, and ccache are used in the
- same fashion as for krb5_mk_req.
+ outbuf, ap_req_options, checksum, and ccache are used in the
+ same fashion as for krb5_mk_req.
- creds is used to supply the credentials (ticket and session key) needed
- to form the request.
+ creds is used to supply the credentials (ticket and session key) needed
+ to form the request.
- if creds->ticket has no data (length == 0), then a ticket is obtained
- from either the cache or the TGS, passing creds to krb5_get_credentials().
- kdc_options specifies the options requested for the ticket to be used.
- If a ticket with appropriate flags is not found in the cache, then these
- options are passed on in a request to an appropriate KDC.
+ if creds->ticket has no data (length == 0), then a ticket is obtained
+ from either the cache or the TGS, passing creds to krb5_get_credentials().
+ kdc_options specifies the options requested for the ticket to be used.
+ If a ticket with appropriate flags is not found in the cache, then these
+ options are passed on in a request to an appropriate KDC.
- ap_req_options specifies the KRB_AP_REQ options desired.
+ ap_req_options specifies the KRB_AP_REQ options desired.
- if ap_req_options specifies AP_OPTS_USE_SESSION_KEY, then creds->ticket
- must contain the appropriate ENC-TKT-IN-SKEY ticket.
+ if ap_req_options specifies AP_OPTS_USE_SESSION_KEY, then creds->ticket
+ must contain the appropriate ENC-TKT-IN-SKEY ticket.
- checksum specifies the checksum to be used in the authenticator.
+ checksum specifies the checksum to be used in the authenticator.
- The outbuf buffer storage is allocated, and should be freed by the
- caller when finished.
+ The outbuf buffer storage is allocated, and should be freed by the
+ caller when finished.
- On an error return, the credentials pointed to by creds might have been
- augmented with additional fields from the obtained credentials; the entire
- credentials should be released by calling krb5_free_creds().
+ On an error return, the credentials pointed to by creds might have been
+ augmented with additional fields from the obtained credentials; the entire
+ credentials should be released by calling krb5_free_creds().
- returns system errors
+ returns system errors
*/
static krb5_error_code
make_etype_list(krb5_context context,
- krb5_enctype *desired_etypes,
- krb5_enctype tkt_enctype,
- krb5_authdata ***authdata);
+ krb5_enctype *desired_etypes,
+ krb5_enctype tkt_enctype,
+ krb5_authdata ***authdata);
-static krb5_error_code
+static krb5_error_code
krb5_generate_authenticator (krb5_context,
- krb5_authenticator *, krb5_principal,
- krb5_checksum *, krb5_key,
- krb5_ui_4, krb5_authdata **,
- krb5_authdata_context ad_context,
- krb5_enctype *desired_etypes,
- krb5_enctype tkt_enctype);
+ krb5_authenticator *, krb5_principal,
+ krb5_checksum *, krb5_key,
+ krb5_ui_4, krb5_authdata **,
+ krb5_authdata_context ad_context,
+ krb5_enctype *desired_etypes,
+ krb5_enctype tkt_enctype);
krb5_error_code
krb5int_generate_and_save_subkey (krb5_context context,
- krb5_auth_context auth_context,
- krb5_keyblock *keyblock,
- krb5_enctype enctype)
+ krb5_auth_context auth_context,
+ krb5_keyblock *keyblock,
+ krb5_enctype enctype)
{
/* Provide some more fodder for random number code.
This isn't strong cryptographically; the point here is not
to guarantee randomness, but to make it less likely that multiple
sessions could pick the same subkey. */
struct {
- krb5_int32 sec, usec;
+ krb5_int32 sec, usec;
} rnd_data;
krb5_data d;
krb5_error_code retval;
krb5_keyblock *kb = NULL;
if (krb5_crypto_us_timeofday(&rnd_data.sec, &rnd_data.usec) == 0) {
- d.length = sizeof(rnd_data);
- d.data = (char *) &rnd_data;
- krb5_c_random_add_entropy(context, KRB5_C_RANDSOURCE_TIMING, &d);
+ d.length = sizeof(rnd_data);
+ d.data = (char *) &rnd_data;
+ krb5_c_random_add_entropy(context, KRB5_C_RANDSOURCE_TIMING, &d);
}
retval = krb5_generate_subkey_extended(context, keyblock, enctype, &kb);
if (retval)
- return retval;
+ return retval;
retval = krb5_auth_con_setsendsubkey(context, auth_context, kb);
if (retval)
- goto cleanup;
+ goto cleanup;
retval = krb5_auth_con_setrecvsubkey(context, auth_context, kb);
if (retval)
- goto cleanup;
+ goto cleanup;
cleanup:
if (retval) {
- (void) krb5_auth_con_setsendsubkey(context, auth_context, NULL);
- (void) krb5_auth_con_setrecvsubkey(context, auth_context, NULL);
+ (void) krb5_auth_con_setsendsubkey(context, auth_context, NULL);
+ (void) krb5_auth_con_setrecvsubkey(context, auth_context, NULL);
}
krb5_free_keyblock(context, kb);
return retval;
@@ -123,14 +124,14 @@ cleanup:
krb5_error_code KRB5_CALLCONV
krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context,
- krb5_flags ap_req_options, krb5_data *in_data,
- krb5_creds *in_creds, krb5_data *outbuf)
+ krb5_flags ap_req_options, krb5_data *in_data,
+ krb5_creds *in_creds, krb5_data *outbuf)
{
- krb5_error_code retval;
- krb5_checksum checksum;
- krb5_checksum *checksump = 0;
- krb5_auth_context new_auth_context;
- krb5_enctype *desired_etypes = NULL;
+ krb5_error_code retval;
+ krb5_checksum checksum;
+ krb5_checksum *checksump = 0;
+ krb5_auth_context new_auth_context;
+ krb5_enctype *desired_etypes = NULL;
krb5_ap_req request;
krb5_data *scratch = 0;
@@ -139,134 +140,134 @@ krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context,
request.ap_options = ap_req_options & AP_OPTS_WIRE_MASK;
request.authenticator.ciphertext.data = NULL;
request.ticket = 0;
-
- if (!in_creds->ticket.length)
- return(KRB5_NO_TKT_SUPPLIED);
+
+ if (!in_creds->ticket.length)
+ return(KRB5_NO_TKT_SUPPLIED);
if ((ap_req_options & AP_OPTS_ETYPE_NEGOTIATION) &&
- !(ap_req_options & AP_OPTS_MUTUAL_REQUIRED))
- return(EINVAL);
+ !(ap_req_options & AP_OPTS_MUTUAL_REQUIRED))
+ return(EINVAL);
/* we need a native ticket */
if ((retval = decode_krb5_ticket(&(in_creds)->ticket, &request.ticket)))
- return(retval);
-
+ return(retval);
+
/* verify that the ticket is not expired */
if ((retval = krb5_validate_times(context, &in_creds->times)) != 0)
- goto cleanup;
+ goto cleanup;
/* generate auth_context if needed */
if (*auth_context == NULL) {
- if ((retval = krb5_auth_con_init(context, &new_auth_context)))
- goto cleanup;
- *auth_context = new_auth_context;
+ if ((retval = krb5_auth_con_init(context, &new_auth_context)))
+ goto cleanup;
+ *auth_context = new_auth_context;
}
if ((*auth_context)->key != NULL) {
- krb5_k_free_key(context, (*auth_context)->key);
- (*auth_context)->key = NULL;
+ krb5_k_free_key(context, (*auth_context)->key);
+ (*auth_context)->key = NULL;
}
/* set auth context keyblock */
if ((retval = krb5_k_create_key(context, &in_creds->keyblock,
- &((*auth_context)->key))))
- goto cleanup;
+ &((*auth_context)->key))))
+ goto cleanup;
/* generate seq number if needed */
if ((((*auth_context)->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE)
- || ((*auth_context)->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE))
- && ((*auth_context)->local_seq_number == 0))
- if ((retval = krb5_generate_seq_number(context, &in_creds->keyblock,
- &(*auth_context)->local_seq_number)))
- goto cleanup;
-
+ || ((*auth_context)->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE))
+ && ((*auth_context)->local_seq_number == 0))
+ if ((retval = krb5_generate_seq_number(context, &in_creds->keyblock,
+ &(*auth_context)->local_seq_number)))
+ goto cleanup;
+
/* generate subkey if needed */
if (!in_data &&(*auth_context)->checksum_func) {
- retval = (*auth_context)->checksum_func( context,
- *auth_context,
- (*auth_context)->checksum_func_data,
- &in_data);
- if (retval)
- goto cleanup;
+ retval = (*auth_context)->checksum_func( context,
+ *auth_context,
+ (*auth_context)->checksum_func_data,
+ &in_data);
+ if (retval)
+ goto cleanup;
}
if ((ap_req_options & AP_OPTS_USE_SUBKEY)&&(!(*auth_context)->send_subkey)) {
- retval = krb5int_generate_and_save_subkey (context, *auth_context,
- &in_creds->keyblock,
- in_creds->keyblock.enctype);
- if (retval)
- goto cleanup;
+ retval = krb5int_generate_and_save_subkey (context, *auth_context,
+ &in_creds->keyblock,
+ in_creds->keyblock.enctype);
+ if (retval)
+ goto cleanup;
}
if (in_data) {
- if ((*auth_context)->req_cksumtype == 0x8003) {
- /* XXX Special hack for GSSAPI */
- checksum.checksum_type = 0x8003;
- checksum.length = in_data->length;
- checksum.contents = (krb5_octet *) in_data->data;
- } else {
- krb5_enctype enctype = krb5_k_key_enctype(context,
- (*auth_context)->key);
- krb5_cksumtype cksumtype;
- retval = krb5int_c_mandatory_cksumtype(context, enctype,
- &cksumtype);
- if (retval)
- goto cleanup_cksum;
- if ((*auth_context)->req_cksumtype)
- cksumtype = (*auth_context)->req_cksumtype;
- if ((retval = krb5_k_make_checksum(context,
- cksumtype,
- (*auth_context)->key,
- KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM,
- in_data, &checksum)))
- goto cleanup_cksum;
- }
- checksump = &checksum;
+ if ((*auth_context)->req_cksumtype == 0x8003) {
+ /* XXX Special hack for GSSAPI */
+ checksum.checksum_type = 0x8003;
+ checksum.length = in_data->length;
+ checksum.contents = (krb5_octet *) in_data->data;
+ } else {
+ krb5_enctype enctype = krb5_k_key_enctype(context,
+ (*auth_context)->key);
+ krb5_cksumtype cksumtype;
+ retval = krb5int_c_mandatory_cksumtype(context, enctype,
+ &cksumtype);
+ if (retval)
+ goto cleanup_cksum;
+ if ((*auth_context)->req_cksumtype)
+ cksumtype = (*auth_context)->req_cksumtype;
+ if ((retval = krb5_k_make_checksum(context,
+ cksumtype,
+ (*auth_context)->key,
+ KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM,
+ in_data, &checksum)))
+ goto cleanup_cksum;
+ }
+ checksump = &checksum;
}
/* Generate authenticator */
if (((*auth_context)->authentp = (krb5_authenticator *)malloc(sizeof(
- krb5_authenticator))) == NULL) {
- retval = ENOMEM;
- goto cleanup_cksum;
+ krb5_authenticator))) == NULL) {
+ retval = ENOMEM;
+ goto cleanup_cksum;
}
if (ap_req_options & AP_OPTS_ETYPE_NEGOTIATION) {
- if ((*auth_context)->permitted_etypes == NULL) {
- retval = krb5_get_tgs_ktypes(context, in_creds->server, &desired_etypes);
- if (retval)
- goto cleanup_cksum;
- } else
- desired_etypes = (*auth_context)->permitted_etypes;
+ if ((*auth_context)->permitted_etypes == NULL) {
+ retval = krb5_get_tgs_ktypes(context, in_creds->server, &desired_etypes);
+ if (retval)
+ goto cleanup_cksum;
+ } else
+ desired_etypes = (*auth_context)->permitted_etypes;
}
if ((retval = krb5_generate_authenticator(context,
- (*auth_context)->authentp,
- in_creds->client, checksump,
- (*auth_context)->send_subkey,
- (*auth_context)->local_seq_number,
- in_creds->authdata,
- (*auth_context)->ad_context,
- desired_etypes,
- in_creds->keyblock.enctype)))
- goto cleanup_cksum;
-
+ (*auth_context)->authentp,
+ in_creds->client, checksump,
+ (*auth_context)->send_subkey,
+ (*auth_context)->local_seq_number,
+ in_creds->authdata,
+ (*auth_context)->ad_context,
+ desired_etypes,
+ in_creds->keyblock.enctype)))
+ goto cleanup_cksum;
+
/* encode the authenticator */
if ((retval = encode_krb5_authenticator((*auth_context)->authentp,
- &scratch)))
- goto cleanup_cksum;
-
+ &scratch)))
+ goto cleanup_cksum;
+
/* call the encryption routine */
if ((retval = krb5_encrypt_helper(context, &in_creds->keyblock,
- KRB5_KEYUSAGE_AP_REQ_AUTH,
- scratch, &request.authenticator)))
- goto cleanup_cksum;
+ KRB5_KEYUSAGE_AP_REQ_AUTH,
+ scratch, &request.authenticator)))
+ goto cleanup_cksum;
if ((retval = encode_krb5_ap_req(&request, &toutbuf)))
- goto cleanup_cksum;
+ goto cleanup_cksum;
*outbuf = *toutbuf;
free(toutbuf);
@@ -276,39 +277,39 @@ cleanup_cksum:
* they were supplied by the caller
*/
if ((*auth_context)->authentp != NULL) {
- (*auth_context)->authentp->client = NULL;
- (*auth_context)->authentp->checksum = NULL;
+ (*auth_context)->authentp->client = NULL;
+ (*auth_context)->authentp->checksum = NULL;
}
if (checksump && checksump->checksum_type != 0x8003)
- free(checksump->contents);
+ free(checksump->contents);
cleanup:
if (desired_etypes &&
- desired_etypes != (*auth_context)->permitted_etypes)
- free(desired_etypes);
+ desired_etypes != (*auth_context)->permitted_etypes)
+ free(desired_etypes);
if (request.ticket)
- krb5_free_ticket(context, request.ticket);
+ krb5_free_ticket(context, request.ticket);
if (request.authenticator.ciphertext.data) {
- (void) memset(request.authenticator.ciphertext.data, 0,
- request.authenticator.ciphertext.length);
- free(request.authenticator.ciphertext.data);
+ (void) memset(request.authenticator.ciphertext.data, 0,
+ request.authenticator.ciphertext.length);
+ free(request.authenticator.ciphertext.data);
}
if (scratch) {
- memset(scratch->data, 0, scratch->length);
+ memset(scratch->data, 0, scratch->length);
free(scratch->data);
- free(scratch);
+ free(scratch);
}
return retval;
}
static krb5_error_code
krb5_generate_authenticator(krb5_context context, krb5_authenticator *authent,
- krb5_principal client, krb5_checksum *cksum,
- krb5_key key, krb5_ui_4 seq_number,
- krb5_authdata **authorization,
- krb5_authdata_context ad_context,
- krb5_enctype *desired_etypes,
- krb5_enctype tkt_enctype)
+ krb5_principal client, krb5_checksum *cksum,
+ krb5_key key, krb5_ui_4 seq_number,
+ krb5_authdata **authorization,
+ krb5_authdata_context ad_context,
+ krb5_enctype *desired_etypes,
+ krb5_enctype tkt_enctype)
{
krb5_error_code retval;
krb5_authdata **ext_authdata = NULL;
@@ -316,41 +317,41 @@ krb5_generate_authenticator(krb5_context context, krb5_authenticator *authent,
authent->client = client;
authent->checksum = cksum;
if (key) {
- retval = krb5_k_key_keyblock(context, key, &authent->subkey);
- if (retval)
- return retval;
+ retval = krb5_k_key_keyblock(context, key, &authent->subkey);
+ if (retval)
+ return retval;
} else
- authent->subkey = 0;
+ authent->subkey = 0;
authent->seq_number = seq_number;
authent->authorization_data = NULL;
if (ad_context != NULL) {
- retval = krb5_authdata_export_authdata(context,
- ad_context,
- AD_USAGE_AP_REQ,
- &ext_authdata);
- if (retval)
- return retval;
+ retval = krb5_authdata_export_authdata(context,
+ ad_context,
+ AD_USAGE_AP_REQ,
+ &ext_authdata);
+ if (retval)
+ return retval;
}
if (authorization != NULL || ext_authdata != NULL) {
- retval = krb5_merge_authdata(context,
- authorization,
- ext_authdata,
- &authent->authorization_data);
- if (retval) {
- krb5_free_authdata(context, ext_authdata);
- return retval;
- }
- krb5_free_authdata(context, ext_authdata);
+ retval = krb5_merge_authdata(context,
+ authorization,
+ ext_authdata,
+ &authent->authorization_data);
+ if (retval) {
+ krb5_free_authdata(context, ext_authdata);
+ return retval;
+ }
+ krb5_free_authdata(context, ext_authdata);
}
- /* Only send EtypeList if we prefer another enctype to tkt_enctype */
+ /* Only send EtypeList if we prefer another enctype to tkt_enctype */
if (desired_etypes != NULL && desired_etypes[0] != tkt_enctype) {
- retval = make_etype_list(context, desired_etypes, tkt_enctype,
- &authent->authorization_data);
- if (retval)
- return retval;
+ retval = make_etype_list(context, desired_etypes, tkt_enctype,
+ &authent->authorization_data);
+ if (retval)
+ return retval;
}
return(krb5_us_timeofday(context, &authent->ctime, &authent->cusec));
@@ -359,9 +360,9 @@ krb5_generate_authenticator(krb5_context context, krb5_authenticator *authent,
/* RFC 4537 */
static krb5_error_code
make_etype_list(krb5_context context,
- krb5_enctype *desired_etypes,
- krb5_enctype tkt_enctype,
- krb5_authdata ***authdata)
+ krb5_enctype *desired_etypes,
+ krb5_enctype tkt_enctype,
+ krb5_authdata ***authdata)
{
krb5_error_code code;
krb5_etype_list etypes;
@@ -373,22 +374,22 @@ make_etype_list(krb5_context context,
etypes.etypes = desired_etypes;
for (etypes.length = 0;
- etypes.etypes[etypes.length] != ENCTYPE_NULL;
- etypes.length++)
+ etypes.etypes[etypes.length] != ENCTYPE_NULL;
+ etypes.length++)
{
- /*
- * RFC 4537:
- *
- * If the enctype of the ticket session key is included in the enctype
- * list sent by the client, it SHOULD be the last on the list;
- */
- if (etypes.length && etypes.etypes[etypes.length - 1] == tkt_enctype)
- break;
+ /*
+ * RFC 4537:
+ *
+ * If the enctype of the ticket session key is included in the enctype
+ * list sent by the client, it SHOULD be the last on the list;
+ */
+ if (etypes.length && etypes.etypes[etypes.length - 1] == tkt_enctype)
+ break;
}
code = encode_krb5_etype_list(&etypes, &enc_etype_list);
if (code) {
- return code;
+ return code;
}
etype_adatum.magic = KV5M_AUTHDATA;
@@ -402,33 +403,33 @@ make_etype_list(krb5_context context,
/* Wrap in AD-IF-RELEVANT container */
code = encode_krb5_authdata(etype_adata, &ad_if_relevant);
if (code) {
- krb5_free_data(context, enc_etype_list);
- return code;
+ krb5_free_data(context, enc_etype_list);
+ return code;
}
krb5_free_data(context, enc_etype_list);
adata = *authdata;
if (adata == NULL) {
- adata = (krb5_authdata **)calloc(2, sizeof(krb5_authdata *));
- i = 0;
+ adata = (krb5_authdata **)calloc(2, sizeof(krb5_authdata *));
+ i = 0;
} else {
- for (i = 0; adata[i] != NULL; i++)
- ;
+ for (i = 0; adata[i] != NULL; i++)
+ ;
- adata = (krb5_authdata **)realloc(*authdata,
- (i + 2) * sizeof(krb5_authdata *));
+ adata = (krb5_authdata **)realloc(*authdata,
+ (i + 2) * sizeof(krb5_authdata *));
}
if (adata == NULL) {
- krb5_free_data(context, ad_if_relevant);
- return ENOMEM;
+ krb5_free_data(context, ad_if_relevant);
+ return ENOMEM;
}
*authdata = adata;
adata[i] = (krb5_authdata *)malloc(sizeof(krb5_authdata));
if (adata[i] == NULL) {
- krb5_free_data(context, ad_if_relevant);
- return ENOMEM;
+ krb5_free_data(context, ad_if_relevant);
+ return ENOMEM;
}
adata[i]->magic = KV5M_AUTHDATA;
adata[i]->ad_type = KRB5_AUTHDATA_IF_RELEVANT;
@@ -440,4 +441,3 @@ make_etype_list(krb5_context context,
return 0;
}
-
diff --git a/src/lib/krb5/krb/mk_safe.c b/src/lib/krb5/krb/mk_safe.c
index f3bfde390..eaa3add82 100644
--- a/src/lib/krb5/krb/mk_safe.c
+++ b/src/lib/krb5/krb/mk_safe.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/mk_safe.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_mk_safe()
*/
@@ -32,25 +33,25 @@
#include "auth_con.h"
/*
- Formats a KRB_SAFE message into outbuf.
+ Formats a KRB_SAFE message into outbuf.
- userdata is formatted as the user data in the message.
- sumtype specifies the encryption type; key specifies the key which
- might be used to seed the checksum; sender_addr and recv_addr specify
- the full addresses (host and port) of the sender and receiver.
- The host portion of sender_addr is used to form the addresses used in the
- KRB_SAFE message.
+ userdata is formatted as the user data in the message.
+ sumtype specifies the encryption type; key specifies the key which
+ might be used to seed the checksum; sender_addr and recv_addr specify
+ the full addresses (host and port) of the sender and receiver.
+ The host portion of sender_addr is used to form the addresses used in the
+ KRB_SAFE message.
- The outbuf buffer storage is allocated, and should be freed by the
- caller when finished.
+ The outbuf buffer storage is allocated, and should be freed by the
+ caller when finished.
- returns system errors
+ returns system errors
*/
static krb5_error_code
krb5_mk_safe_basic(krb5_context context, const krb5_data *userdata,
- krb5_key key, krb5_replay_data *replaydata,
- krb5_address *local_addr, krb5_address *remote_addr,
- krb5_cksumtype sumtype, krb5_data *outbuf)
+ krb5_key key, krb5_replay_data *replaydata,
+ krb5_address *local_addr, krb5_address *remote_addr,
+ krb5_cksumtype sumtype, krb5_data *outbuf)
{
krb5_error_code retval;
krb5_safe safemsg;
@@ -59,10 +60,10 @@ krb5_mk_safe_basic(krb5_context context, const krb5_data *userdata,
krb5_data *scratch1, *scratch2;
if (!krb5_c_valid_cksumtype(sumtype))
- return KRB5_PROG_SUMTYPE_NOSUPP;
+ return KRB5_PROG_SUMTYPE_NOSUPP;
if (!krb5_c_is_coll_proof_cksum(sumtype)
- || !krb5_c_is_keyed_cksum(sumtype))
- return KRB5KRB_AP_ERR_INAPP_CKSUM;
+ || !krb5_c_is_keyed_cksum(sumtype))
+ return KRB5KRB_AP_ERR_INAPP_CKSUM;
safemsg.user_data = *userdata;
safemsg.s_address = (krb5_address *) local_addr;
@@ -73,10 +74,10 @@ krb5_mk_safe_basic(krb5_context context, const krb5_data *userdata,
safemsg.usec = replaydata->usec;
safemsg.seq_number = replaydata->seq;
- /*
+ /*
* To do the checksum stuff, we need to encode the message with a
* zero-length zero-type checksum, then checksum the encoding, then
- * re-encode with the checksum.
+ * re-encode with the checksum.
*/
safe_checksum.length = 0;
@@ -86,16 +87,16 @@ krb5_mk_safe_basic(krb5_context context, const krb5_data *userdata,
safemsg.checksum = &safe_checksum;
if ((retval = encode_krb5_safe(&safemsg, &scratch1)))
- return retval;
+ return retval;
if ((retval = krb5_k_make_checksum(context, sumtype, key,
- KRB5_KEYUSAGE_KRB_SAFE_CKSUM,
- scratch1, &safe_checksum)))
- goto cleanup_checksum;
+ KRB5_KEYUSAGE_KRB_SAFE_CKSUM,
+ scratch1, &safe_checksum)))
+ goto cleanup_checksum;
safemsg.checksum = &safe_checksum;
if ((retval = encode_krb5_safe(&safemsg, &scratch2))) {
- goto cleanup_checksum;
+ goto cleanup_checksum;
}
*outbuf = *scratch2;
free(scratch2);
@@ -104,17 +105,17 @@ krb5_mk_safe_basic(krb5_context context, const krb5_data *userdata,
cleanup_checksum:
free(safe_checksum.contents);
- memset(scratch1->data, 0, scratch1->length);
+ memset(scratch1->data, 0, scratch1->length);
krb5_free_data(context, scratch1);
return retval;
}
krb5_error_code KRB5_CALLCONV
krb5_mk_safe(krb5_context context, krb5_auth_context auth_context,
- const krb5_data *userdata, krb5_data *outbuf,
- krb5_replay_data *outdata)
+ const krb5_data *userdata, krb5_data *outbuf,
+ krb5_replay_data *outdata)
{
- krb5_error_code retval;
+ krb5_error_code retval;
krb5_key key;
krb5_replay_data replaydata;
@@ -123,140 +124,139 @@ krb5_mk_safe(krb5_context context, krb5_auth_context auth_context,
/* Get key */
if ((key = auth_context->send_subkey) == NULL)
- key = auth_context->key;
+ key = auth_context->key;
/* Get replay info */
if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) &&
- (auth_context->rcache == NULL))
- return KRB5_RC_REQUIRED;
+ (auth_context->rcache == NULL))
+ return KRB5_RC_REQUIRED;
if (((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) ||
- (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
- (outdata == NULL))
- /* Need a better error */
- return KRB5_RC_REQUIRED;
+ (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
+ (outdata == NULL))
+ /* Need a better error */
+ return KRB5_RC_REQUIRED;
if (!auth_context->local_addr)
- return KRB5_LOCAL_ADDR_REQUIRED;
+ return KRB5_LOCAL_ADDR_REQUIRED;
if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) ||
- (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME)) {
- if ((retval = krb5_us_timeofday(context, &replaydata.timestamp,
- &replaydata.usec)))
- return retval;
- if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) {
- outdata->timestamp = replaydata.timestamp;
- outdata->usec = replaydata.usec;
- }
+ (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME)) {
+ if ((retval = krb5_us_timeofday(context, &replaydata.timestamp,
+ &replaydata.usec)))
+ return retval;
+ if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) {
+ outdata->timestamp = replaydata.timestamp;
+ outdata->usec = replaydata.usec;
+ }
}
if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) ||
- (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) {
- replaydata.seq = auth_context->local_seq_number++;
- if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)
- outdata->seq = replaydata.seq;
- }
-
-{
- krb5_address * premote_fulladdr = NULL;
- krb5_address * plocal_fulladdr;
- krb5_address remote_fulladdr;
- krb5_address local_fulladdr;
- krb5_cksumtype sumtype;
-
- CLEANUP_INIT(2);
-
- if (auth_context->local_port) {
- if (!(retval = krb5_make_fulladdr(context, auth_context->local_addr,
- auth_context->local_port,
- &local_fulladdr))){
- CLEANUP_PUSH(local_fulladdr.contents, free);
- plocal_fulladdr = &local_fulladdr;
- } else {
- goto error;
- }
- } else {
- plocal_fulladdr = auth_context->local_addr;
+ (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) {
+ replaydata.seq = auth_context->local_seq_number++;
+ if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)
+ outdata->seq = replaydata.seq;
}
- if (auth_context->remote_addr) {
- if (auth_context->remote_port) {
- if (!(retval = krb5_make_fulladdr(context,auth_context->remote_addr,
- auth_context->remote_port,
- &remote_fulladdr))){
- CLEANUP_PUSH(remote_fulladdr.contents, free);
- premote_fulladdr = &remote_fulladdr;
+ {
+ krb5_address * premote_fulladdr = NULL;
+ krb5_address * plocal_fulladdr;
+ krb5_address remote_fulladdr;
+ krb5_address local_fulladdr;
+ krb5_cksumtype sumtype;
+
+ CLEANUP_INIT(2);
+
+ if (auth_context->local_port) {
+ if (!(retval = krb5_make_fulladdr(context, auth_context->local_addr,
+ auth_context->local_port,
+ &local_fulladdr))){
+ CLEANUP_PUSH(local_fulladdr.contents, free);
+ plocal_fulladdr = &local_fulladdr;
} else {
- CLEANUP_DONE();
goto error;
}
- } else {
- premote_fulladdr = auth_context->remote_addr;
+ } else {
+ plocal_fulladdr = auth_context->local_addr;
}
- }
- {
- krb5_enctype enctype = krb5_k_key_enctype(context, key);
- unsigned int nsumtypes;
- unsigned int i;
- krb5_cksumtype *sumtypes;
- retval = krb5_c_keyed_checksum_types (context, enctype,
- &nsumtypes, &sumtypes);
- if (retval) {
- CLEANUP_DONE ();
- goto error;
- }
- if (nsumtypes == 0) {
- retval = KRB5_BAD_ENCTYPE;
- krb5_free_cksumtypes (context, sumtypes);
- CLEANUP_DONE ();
- goto error;
- }
- for (i = 0; i < nsumtypes; i++)
- if (auth_context->safe_cksumtype == sumtypes[i])
- break;
- if (i == nsumtypes)
- i = 0;
- sumtype = sumtypes[i];
- krb5_free_cksumtypes (context, sumtypes);
- }
- if ((retval = krb5_mk_safe_basic(context, userdata, key, &replaydata,
- plocal_fulladdr, premote_fulladdr,
- sumtype, outbuf))) {
- CLEANUP_DONE();
- goto error;
- }
+ if (auth_context->remote_addr) {
+ if (auth_context->remote_port) {
+ if (!(retval = krb5_make_fulladdr(context,auth_context->remote_addr,
+ auth_context->remote_port,
+ &remote_fulladdr))){
+ CLEANUP_PUSH(remote_fulladdr.contents, free);
+ premote_fulladdr = &remote_fulladdr;
+ } else {
+ CLEANUP_DONE();
+ goto error;
+ }
+ } else {
+ premote_fulladdr = auth_context->remote_addr;
+ }
+ }
- CLEANUP_DONE();
-}
+ {
+ krb5_enctype enctype = krb5_k_key_enctype(context, key);
+ unsigned int nsumtypes;
+ unsigned int i;
+ krb5_cksumtype *sumtypes;
+ retval = krb5_c_keyed_checksum_types (context, enctype,
+ &nsumtypes, &sumtypes);
+ if (retval) {
+ CLEANUP_DONE ();
+ goto error;
+ }
+ if (nsumtypes == 0) {
+ retval = KRB5_BAD_ENCTYPE;
+ krb5_free_cksumtypes (context, sumtypes);
+ CLEANUP_DONE ();
+ goto error;
+ }
+ for (i = 0; i < nsumtypes; i++)
+ if (auth_context->safe_cksumtype == sumtypes[i])
+ break;
+ if (i == nsumtypes)
+ i = 0;
+ sumtype = sumtypes[i];
+ krb5_free_cksumtypes (context, sumtypes);
+ }
+ if ((retval = krb5_mk_safe_basic(context, userdata, key, &replaydata,
+ plocal_fulladdr, premote_fulladdr,
+ sumtype, outbuf))) {
+ CLEANUP_DONE();
+ goto error;
+ }
+
+ CLEANUP_DONE();
+ }
if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) {
- krb5_donot_replay replay;
-
- if ((retval = krb5_gen_replay_name(context, auth_context->local_addr,
- "_safe", &replay.client))) {
- free(outbuf);
- goto error;
- }
-
- replay.server = ""; /* XXX */
- replay.msghash = NULL;
- replay.cusec = replaydata.usec;
- replay.ctime = replaydata.timestamp;
- if ((retval = krb5_rc_store(context, auth_context->rcache, &replay))) {
- /* should we really error out here? XXX */
- free(outbuf);
- goto error;
- }
- free(replay.client);
+ krb5_donot_replay replay;
+
+ if ((retval = krb5_gen_replay_name(context, auth_context->local_addr,
+ "_safe", &replay.client))) {
+ free(outbuf);
+ goto error;
+ }
+
+ replay.server = ""; /* XXX */
+ replay.msghash = NULL;
+ replay.cusec = replaydata.usec;
+ replay.ctime = replaydata.timestamp;
+ if ((retval = krb5_rc_store(context, auth_context->rcache, &replay))) {
+ /* should we really error out here? XXX */
+ free(outbuf);
+ goto error;
+ }
+ free(replay.client);
}
return 0;
error:
if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) ||
- (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE))
- auth_context->local_seq_number--;
+ (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE))
+ auth_context->local_seq_number--;
return retval;
}
-
diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
index 3fcdaea1c..cda09b255 100644
--- a/src/lib/krb5/krb/pac.c
+++ b/src/lib/krb5/krb/pac.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/pac.c
*
@@ -43,16 +44,16 @@ typedef struct _PAC_INFO_BUFFER {
krb5_ui_8 Offset;
} PAC_INFO_BUFFER;
-#define PAC_INFO_BUFFER_LENGTH 16
+#define PAC_INFO_BUFFER_LENGTH 16
/* ulType */
-#define PAC_LOGON_INFO 1
-#define PAC_CREDENTIALS_INFO 2
-#define PAC_SERVER_CHECKSUM 6
-#define PAC_PRIVSVR_CHECKSUM 7
-#define PAC_CLIENT_INFO 10
-#define PAC_DELEGATION_INFO 11
-#define PAC_UPN_DNS_INFO 12
+#define PAC_LOGON_INFO 1
+#define PAC_CREDENTIALS_INFO 2
+#define PAC_SERVER_CHECKSUM 6
+#define PAC_PRIVSVR_CHECKSUM 7
+#define PAC_CLIENT_INFO 10
+#define PAC_DELEGATION_INFO 11
+#define PAC_UPN_DNS_INFO 12
typedef struct _PACTYPE {
krb5_ui_4 cBuffers;
@@ -60,35 +61,35 @@ typedef struct _PACTYPE {
PAC_INFO_BUFFER Buffers[1];
} PACTYPE;
-#define PAC_ALIGNMENT 8
-#define PACTYPE_LENGTH 8U
+#define PAC_ALIGNMENT 8
+#define PACTYPE_LENGTH 8U
#define PAC_SIGNATURE_DATA_LENGTH 4U
-#define PAC_CLIENT_INFO_LENGTH 10U
+#define PAC_CLIENT_INFO_LENGTH 10U
-#define NT_TIME_EPOCH 11644473600LL
+#define NT_TIME_EPOCH 11644473600LL
struct krb5_pac_data {
- PACTYPE *pac; /* PAC header + info buffer array */
- krb5_data data; /* PAC data (including uninitialised header) */
+ PACTYPE *pac; /* PAC header + info buffer array */
+ krb5_data data; /* PAC data (including uninitialised header) */
krb5_boolean verified;
};
static krb5_error_code
k5_pac_locate_buffer(krb5_context context,
- const krb5_pac pac,
- krb5_ui_4 type,
- krb5_data *data);
+ const krb5_pac pac,
+ krb5_ui_4 type,
+ krb5_data *data);
/*
* Add a buffer to the provided PAC and update header.
*/
static krb5_error_code
k5_pac_add_buffer(krb5_context context,
- krb5_pac pac,
- krb5_ui_4 type,
- const krb5_data *data,
- krb5_boolean zerofill,
- krb5_data *out_data)
+ krb5_pac pac,
+ krb5_ui_4 type,
+ const krb5_data *data,
+ krb5_boolean zerofill,
+ krb5_data *out_data)
{
PACTYPE *header;
size_t header_len, i, pad = 0;
@@ -98,37 +99,37 @@ k5_pac_add_buffer(krb5_context context,
/* Check there isn't already a buffer of this type */
if (k5_pac_locate_buffer(context, pac, type, NULL) == 0) {
- return EEXIST;
+ return EEXIST;
}
header = (PACTYPE *)realloc(pac->pac,
- sizeof(PACTYPE) +
- (pac->pac->cBuffers * sizeof(PAC_INFO_BUFFER)));
+ sizeof(PACTYPE) +
+ (pac->pac->cBuffers * sizeof(PAC_INFO_BUFFER)));
if (header == NULL) {
- return ENOMEM;
+ return ENOMEM;
}
pac->pac = header;
header_len = PACTYPE_LENGTH + (pac->pac->cBuffers * PAC_INFO_BUFFER_LENGTH);
if (data->length % PAC_ALIGNMENT)
- pad = PAC_ALIGNMENT - (data->length % PAC_ALIGNMENT);
+ pad = PAC_ALIGNMENT - (data->length % PAC_ALIGNMENT);
pac_data = realloc(pac->data.data,
- pac->data.length + PAC_INFO_BUFFER_LENGTH + data->length + pad);
+ pac->data.length + PAC_INFO_BUFFER_LENGTH + data->length + pad);
if (pac_data == NULL) {
- return ENOMEM;
+ return ENOMEM;
}
pac->data.data = pac_data;
/* Update offsets of existing buffers */
for (i = 0; i < pac->pac->cBuffers; i++)
- pac->pac->Buffers[i].Offset += PAC_INFO_BUFFER_LENGTH;
+ pac->pac->Buffers[i].Offset += PAC_INFO_BUFFER_LENGTH;
/* Make room for new PAC_INFO_BUFFER */
memmove(pac->data.data + header_len + PAC_INFO_BUFFER_LENGTH,
- pac->data.data + header_len,
- pac->data.length - header_len);
+ pac->data.data + header_len,
+ pac->data.length - header_len);
memset(pac->data.data + header_len, 0, PAC_INFO_BUFFER_LENGTH);
/* Initialise new PAC_INFO_BUFFER */
@@ -139,9 +140,9 @@ k5_pac_add_buffer(krb5_context context,
/* Copy in new PAC data and zero padding bytes */
if (zerofill)
- memset(pac->data.data + pac->pac->Buffers[i].Offset, 0, data->length);
+ memset(pac->data.data + pac->pac->Buffers[i].Offset, 0, data->length);
else
- memcpy(pac->data.data + pac->pac->Buffers[i].Offset, data->data, data->length);
+ memcpy(pac->data.data + pac->pac->Buffers[i].Offset, data->data, data->length);
memset(pac->data.data + pac->pac->Buffers[i].Offset + data->length, 0, pad);
@@ -149,8 +150,8 @@ k5_pac_add_buffer(krb5_context context,
pac->data.length += PAC_INFO_BUFFER_LENGTH + data->length + pad;
if (out_data != NULL) {
- out_data->data = pac->data.data + pac->pac->Buffers[i].Offset;
- out_data->length = data->length;
+ out_data->data = pac->data.data + pac->pac->Buffers[i].Offset;
+ out_data->length = data->length;
}
pac->verified = FALSE;
@@ -160,9 +161,9 @@ k5_pac_add_buffer(krb5_context context,
krb5_error_code KRB5_CALLCONV
krb5_pac_add_buffer(krb5_context context,
- krb5_pac pac,
- krb5_ui_4 type,
- const krb5_data *data)
+ krb5_pac pac,
+ krb5_ui_4 type,
+ const krb5_data *data)
{
return k5_pac_add_buffer(context, pac, type, data, FALSE, NULL);
}
@@ -172,49 +173,49 @@ krb5_pac_add_buffer(krb5_context context,
*/
void KRB5_CALLCONV
krb5_pac_free(krb5_context context,
- krb5_pac pac)
+ krb5_pac pac)
{
if (pac != NULL) {
- if (pac->data.data != NULL) {
- memset(pac->data.data, 0, pac->data.length);
- free(pac->data.data);
- }
- if (pac->pac != NULL)
- free(pac->pac);
- memset(pac, 0, sizeof(*pac));
- free(pac);
+ if (pac->data.data != NULL) {
+ memset(pac->data.data, 0, pac->data.length);
+ free(pac->data.data);
+ }
+ if (pac->pac != NULL)
+ free(pac->pac);
+ memset(pac, 0, sizeof(*pac));
+ free(pac);
}
}
static krb5_error_code
k5_pac_locate_buffer(krb5_context context,
- const krb5_pac pac,
- krb5_ui_4 type,
- krb5_data *data)
+ const krb5_pac pac,
+ krb5_ui_4 type,
+ krb5_data *data)
{
PAC_INFO_BUFFER *buffer = NULL;
size_t i;
if (pac == NULL)
- return EINVAL;
+ return EINVAL;
for (i = 0; i < pac->pac->cBuffers; i++) {
- if (pac->pac->Buffers[i].ulType == type) {
- if (buffer == NULL)
- buffer = &pac->pac->Buffers[i];
- else
- return EINVAL;
- }
+ if (pac->pac->Buffers[i].ulType == type) {
+ if (buffer == NULL)
+ buffer = &pac->pac->Buffers[i];
+ else
+ return EINVAL;
+ }
}
if (buffer == NULL)
- return ENOENT;
+ return ENOENT;
assert(buffer->Offset + buffer->cbBufferSize <= pac->data.length);
if (data != NULL) {
- data->length = buffer->cbBufferSize;
- data->data = pac->data.data + buffer->Offset;
+ data->length = buffer->cbBufferSize;
+ data->data = pac->data.data + buffer->Offset;
}
return 0;
@@ -225,20 +226,20 @@ k5_pac_locate_buffer(krb5_context context,
*/
krb5_error_code KRB5_CALLCONV
krb5_pac_get_buffer(krb5_context context,
- krb5_pac pac,
- krb5_ui_4 type,
- krb5_data *data)
+ krb5_pac pac,
+ krb5_ui_4 type,
+ krb5_data *data)
{
krb5_data d;
krb5_error_code ret;
ret = k5_pac_locate_buffer(context, pac, type, &d);
if (ret != 0)
- return ret;
+ return ret;
data->data = malloc(d.length);
if (data->data == NULL)
- return ENOMEM;
+ return ENOMEM;
data->length = d.length;
memcpy(data->data, d.data, d.length);
@@ -251,20 +252,20 @@ krb5_pac_get_buffer(krb5_context context,
*/
krb5_error_code KRB5_CALLCONV
krb5_pac_get_types(krb5_context context,
- krb5_pac pac,
- size_t *len,
- krb5_ui_4 **types)
+ krb5_pac pac,
+ size_t *len,
+ krb5_ui_4 **types)
{
size_t i;
*types = (krb5_ui_4 *)malloc(pac->pac->cBuffers * sizeof(krb5_ui_4));
if (*types == NULL)
- return ENOMEM;
+ return ENOMEM;
*len = pac->pac->cBuffers;
for (i = 0; i < pac->pac->cBuffers; i++)
- (*types)[i] = pac->pac->Buffers[i].ulType;
+ (*types)[i] = pac->pac->Buffers[i].ulType;
return 0;
}
@@ -274,18 +275,18 @@ krb5_pac_get_types(krb5_context context,
*/
krb5_error_code KRB5_CALLCONV
krb5_pac_init(krb5_context context,
- krb5_pac *ppac)
+ krb5_pac *ppac)
{
krb5_pac pac;
pac = (krb5_pac)malloc(sizeof(*pac));
if (pac == NULL)
- return ENOMEM;
+ return ENOMEM;
pac->pac = (PACTYPE *)malloc(sizeof(PACTYPE));
if (pac->pac == NULL) {
- free(pac);
- return ENOMEM;
+ free(pac);
+ return ENOMEM;
}
pac->pac->cBuffers = 0;
@@ -294,8 +295,8 @@ krb5_pac_init(krb5_context context,
pac->data.length = PACTYPE_LENGTH;
pac->data.data = calloc(1, pac->data.length);
if (pac->data.data == NULL) {
- krb5_pac_free(context, pac);
- return ENOMEM;
+ krb5_pac_free(context, pac);
+ return ENOMEM;
}
pac->verified = FALSE;
@@ -307,8 +308,8 @@ krb5_pac_init(krb5_context context,
static krb5_error_code
k5_pac_copy(krb5_context context,
- krb5_pac src,
- krb5_pac *dst)
+ krb5_pac src,
+ krb5_pac *dst)
{
size_t header_len;
krb5_ui_4 cbuffers;
@@ -317,27 +318,27 @@ k5_pac_copy(krb5_context context,
cbuffers = src->pac->cBuffers;
if (cbuffers != 0)
- cbuffers--;
+ cbuffers--;
header_len = sizeof(PACTYPE) + cbuffers * sizeof(PAC_INFO_BUFFER);
pac = (krb5_pac)malloc(sizeof(*pac));
if (pac == NULL)
- return ENOMEM;
+ return ENOMEM;
pac->pac = (PACTYPE *)malloc(header_len);
if (pac->pac == NULL) {
- free(pac);
- return ENOMEM;
+ free(pac);
+ return ENOMEM;
}
memcpy(pac->pac, src->pac, header_len);
code = krb5int_copy_data_contents(context, &src->data, &pac->data);
if (code != 0) {
- free(pac->pac);
- free(pac);
- return ENOMEM;
+ free(pac->pac);
+ free(pac);
+ return ENOMEM;
}
pac->verified = src->verified;
@@ -351,9 +352,9 @@ k5_pac_copy(krb5_context context,
*/
krb5_error_code KRB5_CALLCONV
krb5_pac_parse(krb5_context context,
- const void *ptr,
- size_t len,
- krb5_pac *ppac)
+ const void *ptr,
+ size_t len,
+ krb5_pac *ppac)
{
krb5_error_code ret;
size_t i;
@@ -365,7 +366,7 @@ krb5_pac_parse(krb5_context context,
*ppac = NULL;
if (len < PACTYPE_LENGTH)
- return ERANGE;
+ return ERANGE;
cbuffers = load_32_le(p);
p += 4;
@@ -373,51 +374,51 @@ krb5_pac_parse(krb5_context context,
p += 4;
if (version != 0)
- return EINVAL;
+ return EINVAL;
header_len = PACTYPE_LENGTH + (cbuffers * PAC_INFO_BUFFER_LENGTH);
if (len < header_len)
- return ERANGE;
+ return ERANGE;
ret = krb5_pac_init(context, &pac);
if (ret != 0)
- return ret;
+ return ret;
pac->pac = (PACTYPE *)realloc(pac->pac,
- sizeof(PACTYPE) + ((cbuffers - 1) * sizeof(PAC_INFO_BUFFER)));
+ sizeof(PACTYPE) + ((cbuffers - 1) * sizeof(PAC_INFO_BUFFER)));
if (pac->pac == NULL) {
- krb5_pac_free(context, pac);
- return ENOMEM;
+ krb5_pac_free(context, pac);
+ return ENOMEM;
}
pac->pac->cBuffers = cbuffers;
pac->pac->Version = version;
for (i = 0; i < pac->pac->cBuffers; i++) {
- PAC_INFO_BUFFER *buffer = &pac->pac->Buffers[i];
-
- buffer->ulType = load_32_le(p);
- p += 4;
- buffer->cbBufferSize = load_32_le(p);
- p += 4;
- buffer->Offset = load_64_le(p);
- p += 8;
-
- if (buffer->Offset % PAC_ALIGNMENT) {
- krb5_pac_free(context, pac);
- return EINVAL;
- }
- if (buffer->Offset < header_len ||
- buffer->Offset + buffer->cbBufferSize > len) {
- krb5_pac_free(context, pac);
- return ERANGE;
- }
+ PAC_INFO_BUFFER *buffer = &pac->pac->Buffers[i];
+
+ buffer->ulType = load_32_le(p);
+ p += 4;
+ buffer->cbBufferSize = load_32_le(p);
+ p += 4;
+ buffer->Offset = load_64_le(p);
+ p += 8;
+
+ if (buffer->Offset % PAC_ALIGNMENT) {
+ krb5_pac_free(context, pac);
+ return EINVAL;
+ }
+ if (buffer->Offset < header_len ||
+ buffer->Offset + buffer->cbBufferSize > len) {
+ krb5_pac_free(context, pac);
+ return ERANGE;
+ }
}
pac->data.data = realloc(pac->data.data, len);
if (pac->data.data == NULL) {
- krb5_pac_free(context, pac);
- return ENOMEM;
+ krb5_pac_free(context, pac);
+ return ENOMEM;
}
memcpy(pac->data.data, ptr, len);
@@ -430,7 +431,7 @@ krb5_pac_parse(krb5_context context,
static krb5_error_code
k5_time_to_seconds_since_1970(krb5_int64 ntTime,
- krb5_timestamp *elapsedSeconds)
+ krb5_timestamp *elapsedSeconds)
{
krb5_ui_8 abstime;
@@ -439,7 +440,7 @@ k5_time_to_seconds_since_1970(krb5_int64 ntTime,
abstime = ntTime > 0 ? ntTime - NT_TIME_EPOCH : -ntTime;
if (abstime > KRB5_INT32_MAX)
- return ERANGE;
+ return ERANGE;
*elapsedSeconds = abstime;
@@ -448,12 +449,12 @@ k5_time_to_seconds_since_1970(krb5_int64 ntTime,
static krb5_error_code
k5_seconds_since_1970_to_time(krb5_timestamp elapsedSeconds,
- krb5_ui_8 *ntTime)
+ krb5_ui_8 *ntTime)
{
*ntTime = elapsedSeconds;
if (elapsedSeconds > 0)
- *ntTime += NT_TIME_EPOCH;
+ *ntTime += NT_TIME_EPOCH;
*ntTime *= 10000000;
@@ -462,9 +463,9 @@ k5_seconds_since_1970_to_time(krb5_timestamp elapsedSeconds,
static krb5_error_code
k5_pac_validate_client(krb5_context context,
- const krb5_pac pac,
- krb5_timestamp authtime,
- krb5_const_principal principal)
+ const krb5_pac pac,
+ krb5_timestamp authtime,
+ krb5_const_principal principal)
{
krb5_error_code ret;
krb5_data client_info;
@@ -477,10 +478,10 @@ k5_pac_validate_client(krb5_context context,
ret = k5_pac_locate_buffer(context, pac, PAC_CLIENT_INFO, &client_info);
if (ret != 0)
- return ret;
+ return ret;
if (client_info.length < PAC_CLIENT_INFO_LENGTH)
- return ERANGE;
+ return ERANGE;
p = (unsigned char *)client_info.data;
pac_nt_authtime = load_64_le(p);
@@ -490,31 +491,31 @@ k5_pac_validate_client(krb5_context context,
ret = k5_time_to_seconds_since_1970(pac_nt_authtime, &pac_authtime);
if (ret != 0)
- return ret;
+ return ret;
if (client_info.length < PAC_CLIENT_INFO_LENGTH + pac_princname_length ||
- pac_princname_length % 2)
- return ERANGE;
+ pac_princname_length % 2)
+ return ERANGE;
ret = krb5int_ucs2lecs_to_utf8s(p, (size_t)pac_princname_length / 2,
- &pac_princname, NULL);
+ &pac_princname, NULL);
if (ret != 0)
- return ret;
+ return ret;
ret = krb5_parse_name_flags(context, pac_princname, 0, &pac_principal);
if (ret != 0) {
- free(pac_princname);
- return ret;
+ free(pac_princname);
+ return ret;
}
free(pac_princname);
if (pac_authtime != authtime ||
- !krb5_principal_compare_flags(context,
- pac_principal,
- principal,
- KRB5_PRINCIPAL_COMPARE_IGNORE_REALM))
- ret = KRB5KRB_AP_WRONG_PRINC;
+ !krb5_principal_compare_flags(context,
+ pac_principal,
+ principal,
+ KRB5_PRINCIPAL_COMPARE_IGNORE_REALM))
+ ret = KRB5KRB_AP_WRONG_PRINC;
krb5_free_principal(context, pac_principal);
@@ -523,9 +524,9 @@ k5_pac_validate_client(krb5_context context,
static krb5_error_code
k5_pac_zero_signature(krb5_context context,
- const krb5_pac pac,
- krb5_ui_4 type,
- krb5_data *data)
+ const krb5_pac pac,
+ krb5_ui_4 type,
+ krb5_data *data)
{
PAC_INFO_BUFFER *buffer = NULL;
size_t i;
@@ -534,33 +535,33 @@ k5_pac_zero_signature(krb5_context context,
assert(data->length >= pac->data.length);
for (i = 0; i < pac->pac->cBuffers; i++) {
- if (pac->pac->Buffers[i].ulType == type) {
- buffer = &pac->pac->Buffers[i];
- break;
- }
+ if (pac->pac->Buffers[i].ulType == type) {
+ buffer = &pac->pac->Buffers[i];
+ break;
+ }
}
if (buffer == NULL)
- return ENOENT;
+ return ENOENT;
if (buffer->Offset + buffer->cbBufferSize > pac->data.length)
- return ERANGE;
+ return ERANGE;
if (buffer->cbBufferSize < PAC_SIGNATURE_DATA_LENGTH)
- return KRB5_BAD_MSIZE;
+ return KRB5_BAD_MSIZE;
/* Zero out the data portion of the checksum only */
memset(data->data + buffer->Offset + PAC_SIGNATURE_DATA_LENGTH,
- 0,
- buffer->cbBufferSize - PAC_SIGNATURE_DATA_LENGTH);
+ 0,
+ buffer->cbBufferSize - PAC_SIGNATURE_DATA_LENGTH);
return 0;
}
static krb5_error_code
k5_pac_verify_server_checksum(krb5_context context,
- const krb5_pac pac,
- const krb5_keyblock *server)
+ const krb5_pac pac,
+ const krb5_keyblock *server)
{
krb5_error_code ret;
krb5_data pac_data; /* PAC with zeroed checksums */
@@ -570,12 +571,12 @@ k5_pac_verify_server_checksum(krb5_context context,
krb5_octet *p;
ret = k5_pac_locate_buffer(context, pac,
- PAC_SERVER_CHECKSUM, &checksum_data);
+ PAC_SERVER_CHECKSUM, &checksum_data);
if (ret != 0)
- return ret;
+ return ret;
if (checksum_data.length < PAC_SIGNATURE_DATA_LENGTH)
- return KRB5_BAD_MSIZE;
+ return KRB5_BAD_MSIZE;
p = (krb5_octet *)checksum_data.data;
checksum.checksum_type = load_32_le(p);
@@ -585,45 +586,45 @@ k5_pac_verify_server_checksum(krb5_context context,
pac_data.length = pac->data.length;
pac_data.data = malloc(pac->data.length);
if (pac_data.data == NULL)
- return ENOMEM;
+ return ENOMEM;
memcpy(pac_data.data, pac->data.data, pac->data.length);
/* Zero out both checksum buffers */
ret = k5_pac_zero_signature(context, pac,
- PAC_SERVER_CHECKSUM, &pac_data);
+ PAC_SERVER_CHECKSUM, &pac_data);
if (ret != 0) {
- free(pac_data.data);
- return ret;
+ free(pac_data.data);
+ return ret;
}
ret = k5_pac_zero_signature(context, pac,
- PAC_PRIVSVR_CHECKSUM, &pac_data);
+ PAC_PRIVSVR_CHECKSUM, &pac_data);
if (ret != 0) {
- free(pac_data.data);
- return ret;
+ free(pac_data.data);
+ return ret;
}
ret = krb5_c_verify_checksum(context, server,
- KRB5_KEYUSAGE_APP_DATA_CKSUM,
- &pac_data, &checksum, &valid);
+ KRB5_KEYUSAGE_APP_DATA_CKSUM,
+ &pac_data, &checksum, &valid);
free(pac_data.data);
if (ret != 0) {
- return ret;
+ return ret;
}
if (valid == FALSE)
- ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+ ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
return ret;
}
static krb5_error_code
k5_pac_verify_kdc_checksum(krb5_context context,
- const krb5_pac pac,
- const krb5_keyblock *privsvr)
+ const krb5_pac pac,
+ const krb5_keyblock *privsvr)
{
krb5_error_code ret;
krb5_data server_checksum, privsvr_checksum;
@@ -632,20 +633,20 @@ k5_pac_verify_kdc_checksum(krb5_context context,
krb5_octet *p;
ret = k5_pac_locate_buffer(context, pac,
- PAC_PRIVSVR_CHECKSUM, &privsvr_checksum);
+ PAC_PRIVSVR_CHECKSUM, &privsvr_checksum);
if (ret != 0)
- return ret;
+ return ret;
if (privsvr_checksum.length < PAC_SIGNATURE_DATA_LENGTH)
- return KRB5_BAD_MSIZE;
+ return KRB5_BAD_MSIZE;
ret = k5_pac_locate_buffer(context, pac,
- PAC_SERVER_CHECKSUM, &server_checksum);
+ PAC_SERVER_CHECKSUM, &server_checksum);
if (ret != 0)
- return ret;
+ return ret;
if (server_checksum.length < PAC_SIGNATURE_DATA_LENGTH)
- return KRB5_BAD_MSIZE;
+ return KRB5_BAD_MSIZE;
p = (krb5_octet *)privsvr_checksum.data;
checksum.checksum_type = load_32_le(p);
@@ -656,44 +657,44 @@ k5_pac_verify_kdc_checksum(krb5_context context,
server_checksum.length -= PAC_SIGNATURE_DATA_LENGTH;
ret = krb5_c_verify_checksum(context, privsvr,
- KRB5_KEYUSAGE_APP_DATA_CKSUM,
- &server_checksum, &checksum, &valid);
+ KRB5_KEYUSAGE_APP_DATA_CKSUM,
+ &server_checksum, &checksum, &valid);
if (ret != 0)
- return ret;
+ return ret;
if (valid == FALSE)
- ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
+ ret = KRB5KRB_AP_ERR_BAD_INTEGRITY;
return ret;
}
krb5_error_code KRB5_CALLCONV
krb5_pac_verify(krb5_context context,
- const krb5_pac pac,
- krb5_timestamp authtime,
- krb5_const_principal principal,
- const krb5_keyblock *server,
- const krb5_keyblock *privsvr)
+ const krb5_pac pac,
+ krb5_timestamp authtime,
+ krb5_const_principal principal,
+ const krb5_keyblock *server,
+ const krb5_keyblock *privsvr)
{
krb5_error_code ret;
if (server == NULL)
- return EINVAL;
+ return EINVAL;
ret = k5_pac_verify_server_checksum(context, pac, server);
if (ret != 0)
- return ret;
+ return ret;
if (privsvr != NULL) {
- ret = k5_pac_verify_kdc_checksum(context, pac, privsvr);
- if (ret != 0)
- return ret;
+ ret = k5_pac_verify_kdc_checksum(context, pac, privsvr);
+ if (ret != 0)
+ return ret;
}
if (principal != NULL) {
- ret = k5_pac_validate_client(context, pac, authtime, principal);
- if (ret != 0)
- return ret;
+ ret = k5_pac_validate_client(context, pac, authtime, principal);
+ if (ret != 0)
+ return ret;
}
pac->verified = TRUE;
@@ -703,9 +704,9 @@ krb5_pac_verify(krb5_context context,
static krb5_error_code
k5_insert_client_info(krb5_context context,
- krb5_pac pac,
- krb5_timestamp authtime,
- krb5_const_principal principal)
+ krb5_pac pac,
+ krb5_timestamp authtime,
+ krb5_const_principal principal)
{
krb5_error_code ret;
krb5_data client_info;
@@ -716,29 +717,29 @@ k5_insert_client_info(krb5_context context,
/* If we already have a CLIENT_INFO buffer, then just validate it */
if (k5_pac_locate_buffer(context, pac,
- PAC_CLIENT_INFO, &client_info) == 0) {
- return k5_pac_validate_client(context, pac, authtime, principal);
+ PAC_CLIENT_INFO, &client_info) == 0) {
+ return k5_pac_validate_client(context, pac, authtime, principal);
}
ret = krb5_unparse_name_flags(context, principal,
- KRB5_PRINCIPAL_UNPARSE_NO_REALM,
- &princ_name_utf8);
+ KRB5_PRINCIPAL_UNPARSE_NO_REALM,
+ &princ_name_utf8);
if (ret != 0)
- goto cleanup;
+ goto cleanup;
ret = krb5int_utf8s_to_ucs2les(princ_name_utf8,
- &princ_name_ucs2,
- &princ_name_ucs2_len);
+ &princ_name_ucs2,
+ &princ_name_ucs2_len);
if (ret != 0)
- goto cleanup;
+ goto cleanup;
client_info.length = PAC_CLIENT_INFO_LENGTH + princ_name_ucs2_len;
client_info.data = NULL;
ret = k5_pac_add_buffer(context, pac, PAC_CLIENT_INFO,
- &client_info, TRUE, &client_info);
+ &client_info, TRUE, &client_info);
if (ret != 0)
- goto cleanup;
+ goto cleanup;
p = (unsigned char *)client_info.data;
@@ -756,7 +757,7 @@ k5_insert_client_info(krb5_context context,
cleanup:
if (princ_name_ucs2 != NULL)
- free(princ_name_ucs2);
+ free(princ_name_ucs2);
krb5_free_unparsed_name(context, princ_name_utf8);
return ret;
@@ -764,10 +765,10 @@ cleanup:
static krb5_error_code
k5_insert_checksum(krb5_context context,
- krb5_pac pac,
- krb5_ui_4 type,
- const krb5_keyblock *key,
- krb5_cksumtype *cksumtype)
+ krb5_pac pac,
+ krb5_ui_4 type,
+ const krb5_keyblock *key,
+ krb5_cksumtype *cksumtype)
{
krb5_error_code ret;
size_t len;
@@ -775,32 +776,32 @@ k5_insert_checksum(krb5_context context,
ret = krb5int_c_mandatory_cksumtype(context, key->enctype, cksumtype);
if (ret != 0)
- return ret;
+ return ret;
ret = krb5_c_checksum_length(context, *cksumtype, &len);
if (ret != 0)
- return ret;
+ return ret;
ret = k5_pac_locate_buffer(context, pac, type, &cksumdata);
if (ret == 0) {
- /*
- * If we're resigning PAC, make sure we can fit checksum
- * into existing buffer
- */
- if (cksumdata.length != PAC_SIGNATURE_DATA_LENGTH + len)
- return ERANGE;
-
- memset(cksumdata.data, 0, cksumdata.length);
+ /*
+ * If we're resigning PAC, make sure we can fit checksum
+ * into existing buffer
+ */
+ if (cksumdata.length != PAC_SIGNATURE_DATA_LENGTH + len)
+ return ERANGE;
+
+ memset(cksumdata.data, 0, cksumdata.length);
} else {
- /* Add a zero filled buffer */
- cksumdata.length = PAC_SIGNATURE_DATA_LENGTH + len;
- cksumdata.data = NULL;
-
- ret = k5_pac_add_buffer(context, pac,
- type, &cksumdata,
- TRUE, &cksumdata);
- if (ret != 0)
- return ret;
+ /* Add a zero filled buffer */
+ cksumdata.length = PAC_SIGNATURE_DATA_LENGTH + len;
+ cksumdata.data = NULL;
+
+ ret = k5_pac_add_buffer(context, pac,
+ type, &cksumdata,
+ TRUE, &cksumdata);
+ if (ret != 0)
+ return ret;
}
/* Encode checksum type into buffer */
@@ -818,7 +819,7 @@ k5_pac_encode_header(krb5_context context, krb5_pac pac)
size_t header_len;
header_len = PACTYPE_LENGTH +
- (pac->pac->cBuffers * PAC_INFO_BUFFER_LENGTH);
+ (pac->pac->cBuffers * PAC_INFO_BUFFER_LENGTH);
assert(pac->data.length >= header_len);
p = (unsigned char *)pac->data.data;
@@ -829,23 +830,23 @@ k5_pac_encode_header(krb5_context context, krb5_pac pac)
p += 4;
for (i = 0; i < pac->pac->cBuffers; i++) {
- PAC_INFO_BUFFER *buffer = &pac->pac->Buffers[i];
-
- store_32_le(buffer->ulType, p);
- p += 4;
- store_32_le(buffer->cbBufferSize, p);
- p += 4;
- store_64_le(buffer->Offset, p);
- p += 8;
-
- assert((buffer->Offset % PAC_ALIGNMENT) == 0);
- assert(buffer->Offset + buffer->cbBufferSize <= pac->data.length);
- assert(buffer->Offset >= header_len);
-
- if (buffer->Offset % PAC_ALIGNMENT ||
- buffer->Offset + buffer->cbBufferSize > pac->data.length ||
- buffer->Offset < header_len)
- return ERANGE;
+ PAC_INFO_BUFFER *buffer = &pac->pac->Buffers[i];
+
+ store_32_le(buffer->ulType, p);
+ p += 4;
+ store_32_le(buffer->cbBufferSize, p);
+ p += 4;
+ store_64_le(buffer->Offset, p);
+ p += 8;
+
+ assert((buffer->Offset % PAC_ALIGNMENT) == 0);
+ assert(buffer->Offset + buffer->cbBufferSize <= pac->data.length);
+ assert(buffer->Offset >= header_len);
+
+ if (buffer->Offset % PAC_ALIGNMENT ||
+ buffer->Offset + buffer->cbBufferSize > pac->data.length ||
+ buffer->Offset < header_len)
+ return ERANGE;
}
return 0;
@@ -853,12 +854,12 @@ k5_pac_encode_header(krb5_context context, krb5_pac pac)
krb5_error_code KRB5_CALLCONV
krb5int_pac_sign(krb5_context context,
- krb5_pac pac,
- krb5_timestamp authtime,
- krb5_const_principal principal,
- const krb5_keyblock *server_key,
- const krb5_keyblock *privsvr_key,
- krb5_data *data)
+ krb5_pac pac,
+ krb5_timestamp authtime,
+ krb5_const_principal principal,
+ const krb5_keyblock *server_key,
+ const krb5_keyblock *privsvr_key,
+ krb5_data *data)
{
krb5_error_code ret;
krb5_data server_cksum, privsvr_cksum;
@@ -869,32 +870,32 @@ krb5int_pac_sign(krb5_context context,
data->data = NULL;
if (principal != NULL) {
- ret = k5_insert_client_info(context, pac, authtime, principal);
- if (ret != 0)
- return ret;
+ ret = k5_insert_client_info(context, pac, authtime, principal);
+ if (ret != 0)
+ return ret;
}
/* Create zeroed buffers for both checksums */
ret = k5_insert_checksum(context, pac, PAC_SERVER_CHECKSUM,
- server_key, &server_cksumtype);
+ server_key, &server_cksumtype);
if (ret != 0)
- return ret;
+ return ret;
ret = k5_insert_checksum(context, pac, PAC_PRIVSVR_CHECKSUM,
- privsvr_key, &privsvr_cksumtype);
+ privsvr_key, &privsvr_cksumtype);
if (ret != 0)
- return ret;
+ return ret;
/* Now, encode the PAC header so that the checksums will include it */
ret = k5_pac_encode_header(context, pac);
if (ret != 0)
- return ret;
+ return ret;
/* Generate the server checksum over the entire PAC */
ret = k5_pac_locate_buffer(context, pac,
- PAC_SERVER_CHECKSUM, &server_cksum);
+ PAC_SERVER_CHECKSUM, &server_cksum);
if (ret != 0)
- return ret;
+ return ret;
assert(server_cksum.length > PAC_SIGNATURE_DATA_LENGTH);
@@ -906,16 +907,16 @@ krb5int_pac_sign(krb5_context context,
iov[1].data.length = server_cksum.length - PAC_SIGNATURE_DATA_LENGTH;
ret = krb5_c_make_checksum_iov(context, server_cksumtype,
- server_key, KRB5_KEYUSAGE_APP_DATA_CKSUM,
- iov, sizeof(iov)/sizeof(iov[0]));
+ server_key, KRB5_KEYUSAGE_APP_DATA_CKSUM,
+ iov, sizeof(iov)/sizeof(iov[0]));
if (ret != 0)
- return ret;
+ return ret;
/* Generate the privsvr checksum over the server checksum buffer */
ret = k5_pac_locate_buffer(context, pac,
- PAC_PRIVSVR_CHECKSUM, &privsvr_cksum);
+ PAC_PRIVSVR_CHECKSUM, &privsvr_cksum);
if (ret != 0)
- return ret;
+ return ret;
assert(privsvr_cksum.length > PAC_SIGNATURE_DATA_LENGTH);
@@ -928,20 +929,20 @@ krb5int_pac_sign(krb5_context context,
iov[1].data.length = privsvr_cksum.length - PAC_SIGNATURE_DATA_LENGTH;
ret = krb5_c_make_checksum_iov(context, privsvr_cksumtype,
- privsvr_key, KRB5_KEYUSAGE_APP_DATA_CKSUM,
- iov, sizeof(iov)/sizeof(iov[0]));
+ privsvr_key, KRB5_KEYUSAGE_APP_DATA_CKSUM,
+ iov, sizeof(iov)/sizeof(iov[0]));
if (ret != 0)
- return ret;
+ return ret;
data->data = malloc(pac->data.length);
if (data->data == NULL)
- return ENOMEM;
+ return ENOMEM;
data->length = pac->data.length;
memcpy(data->data, pac->data.data, pac->data.length);
memset(pac->data.data, 0,
- PACTYPE_LENGTH + (pac->pac->cBuffers * PAC_INFO_BUFFER_LENGTH));
+ PACTYPE_LENGTH + (pac->pac->cBuffers * PAC_INFO_BUFFER_LENGTH));
return 0;
}
@@ -962,9 +963,9 @@ mspac_init(krb5_context kcontext, void **plugin_context)
static void
mspac_flags(krb5_context kcontext,
- void *plugin_context,
- krb5_authdatatype ad_type,
- krb5_flags *flags)
+ void *plugin_context,
+ krb5_authdatatype ad_type,
+ krb5_flags *flags)
{
*flags = AD_USAGE_KDC_ISSUED;
}
@@ -977,15 +978,15 @@ mspac_fini(krb5_context kcontext, void *plugin_context)
static krb5_error_code
mspac_request_init(krb5_context kcontext,
- krb5_authdata_context context,
- void *plugin_context,
- void **request_context)
+ krb5_authdata_context context,
+ void *plugin_context,
+ void **request_context)
{
struct mspac_context *pacctx;
pacctx = (struct mspac_context *)malloc(sizeof(*pacctx));
if (pacctx == NULL)
- return ENOMEM;
+ return ENOMEM;
pacctx->pac = NULL;
@@ -996,41 +997,41 @@ mspac_request_init(krb5_context kcontext,
static krb5_error_code
mspac_import_authdata(krb5_context kcontext,
- krb5_authdata_context context,
- void *plugin_context,
- void *request_context,
- krb5_authdata **authdata,
- krb5_boolean kdc_issued,
- krb5_const_principal kdc_issuer)
+ krb5_authdata_context context,
+ void *plugin_context,
+ void *request_context,
+ krb5_authdata **authdata,
+ krb5_boolean kdc_issued,
+ krb5_const_principal kdc_issuer)
{
krb5_error_code code;
struct mspac_context *pacctx = (struct mspac_context *)request_context;
if (kdc_issued)
- return EINVAL;
+ return EINVAL;
if (pacctx->pac != NULL) {
- krb5_pac_free(kcontext, pacctx->pac);
- pacctx->pac = NULL;
+ krb5_pac_free(kcontext, pacctx->pac);
+ pacctx->pac = NULL;
}
assert(authdata[0] != NULL);
assert((authdata[0]->ad_type & AD_TYPE_FIELD_TYPE_MASK) ==
- KRB5_AUTHDATA_WIN2K_PAC);
+ KRB5_AUTHDATA_WIN2K_PAC);
code = krb5_pac_parse(kcontext, authdata[0]->contents,
- authdata[0]->length, &pacctx->pac);
+ authdata[0]->length, &pacctx->pac);
return code;
}
static krb5_error_code
mspac_export_authdata(krb5_context kcontext,
- krb5_authdata_context context,
- void *plugin_context,
- void *request_context,
- krb5_flags usage,
- krb5_authdata ***out_authdata)
+ krb5_authdata_context context,
+ void *plugin_context,
+ void *request_context,
+ krb5_flags usage,
+ krb5_authdata ***out_authdata)
{
struct mspac_context *pacctx = (struct mspac_context *)request_context;
krb5_error_code code;
@@ -1038,23 +1039,23 @@ mspac_export_authdata(krb5_context kcontext,
krb5_data data;
if (pacctx->pac == NULL)
- return 0;
+ return 0;
authdata = calloc(2, sizeof(krb5_authdata *));
if (authdata == NULL)
- return ENOMEM;
+ return ENOMEM;
authdata[0] = calloc(1, sizeof(krb5_authdata));
if (authdata[0] == NULL) {
- free(authdata);
- return ENOMEM;
+ free(authdata);
+ return ENOMEM;
}
authdata[1] = NULL;
code = krb5int_copy_data_contents(kcontext, &pacctx->pac->data, &data);
if (code != 0) {
- krb5_free_authdata(kcontext, authdata);
- return code;
+ krb5_free_authdata(kcontext, authdata);
+ return code;
}
authdata[0]->magic = KV5M_AUTHDATA;
@@ -1071,25 +1072,25 @@ mspac_export_authdata(krb5_context kcontext,
static krb5_error_code
mspac_verify(krb5_context kcontext,
- krb5_authdata_context context,
- void *plugin_context,
- void *request_context,
- const krb5_auth_context *auth_context,
- const krb5_keyblock *key,
- const krb5_ap_req *req)
+ krb5_authdata_context context,
+ void *plugin_context,
+ void *request_context,
+ const krb5_auth_context *auth_context,
+ const krb5_keyblock *key,
+ const krb5_ap_req *req)
{
krb5_error_code code;
struct mspac_context *pacctx = (struct mspac_context *)request_context;
if (pacctx->pac == NULL)
- return EINVAL;
+ return EINVAL;
code = krb5_pac_verify(kcontext,
- pacctx->pac,
- req->ticket->enc_part2->times.authtime,
- req->ticket->enc_part2->client,
- key,
- NULL);
+ pacctx->pac,
+ req->ticket->enc_part2->times.authtime,
+ req->ticket->enc_part2->client,
+ key,
+ NULL);
#if 0
/*
@@ -1097,8 +1098,8 @@ mspac_verify(krb5_context kcontext,
* Thoughts?
*/
if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY) {
- assert(pacctx->pac->verified == FALSE);
- code = 0;
+ assert(pacctx->pac->verified == FALSE);
+ code = 0;
}
#endif
@@ -1107,17 +1108,17 @@ mspac_verify(krb5_context kcontext,
static void
mspac_request_fini(krb5_context kcontext,
- krb5_authdata_context context,
- void *plugin_context,
- void *request_context)
+ krb5_authdata_context context,
+ void *plugin_context,
+ void *request_context)
{
struct mspac_context *pacctx = (struct mspac_context *)request_context;
if (pacctx != NULL) {
- if (pacctx->pac != NULL)
- krb5_pac_free(kcontext, pacctx->pac);
+ if (pacctx->pac != NULL)
+ krb5_pac_free(kcontext, pacctx->pac);
- free(pacctx);
+ free(pacctx);
}
}
@@ -1127,17 +1128,17 @@ static struct {
krb5_ui_4 type;
krb5_data attribute;
} mspac_attribute_types[] = {
- { (krb5_ui_4)-1, { KV5M_DATA, STRLENOF("urn:mspac:"), "urn:mspac:" } },
- { PAC_LOGON_INFO, { KV5M_DATA, STRLENOF("urn:mspac:logon-info"), "urn:mspac:logon-info" } },
- { PAC_CREDENTIALS_INFO, { KV5M_DATA, STRLENOF("urn:mspac:credentials-info"), "urn:mspac:credentials-info" } },
- { PAC_SERVER_CHECKSUM, { KV5M_DATA, STRLENOF("urn:mspac:server-checksum"), "urn:mspac:server-checksum" } },
- { PAC_PRIVSVR_CHECKSUM, { KV5M_DATA, STRLENOF("urn:mspac:privsvr-checksum"), "urn:mspac:privsvr-checksum" } },
- { PAC_CLIENT_INFO, { KV5M_DATA, STRLENOF("urn:mspac:client-info"), "urn:mspac:client-info" } },
- { PAC_DELEGATION_INFO, { KV5M_DATA, STRLENOF("urn:mspac:delegation-info"), "urn:mspac:delegation-info" } },
- { PAC_UPN_DNS_INFO, { KV5M_DATA, STRLENOF("urn:mspac:upn-dns-info"), "urn:mspac:upn-dns-info" } },
+ { (krb5_ui_4)-1, { KV5M_DATA, STRLENOF("urn:mspac:"), "urn:mspac:" } },
+ { PAC_LOGON_INFO, { KV5M_DATA, STRLENOF("urn:mspac:logon-info"), "urn:mspac:logon-info" } },
+ { PAC_CREDENTIALS_INFO, { KV5M_DATA, STRLENOF("urn:mspac:credentials-info"), "urn:mspac:credentials-info" } },
+ { PAC_SERVER_CHECKSUM, { KV5M_DATA, STRLENOF("urn:mspac:server-checksum"), "urn:mspac:server-checksum" } },
+ { PAC_PRIVSVR_CHECKSUM, { KV5M_DATA, STRLENOF("urn:mspac:privsvr-checksum"), "urn:mspac:privsvr-checksum" } },
+ { PAC_CLIENT_INFO, { KV5M_DATA, STRLENOF("urn:mspac:client-info"), "urn:mspac:client-info" } },
+ { PAC_DELEGATION_INFO, { KV5M_DATA, STRLENOF("urn:mspac:delegation-info"), "urn:mspac:delegation-info" } },
+ { PAC_UPN_DNS_INFO, { KV5M_DATA, STRLENOF("urn:mspac:upn-dns-info"), "urn:mspac:upn-dns-info" } },
};
-#define MSPAC_ATTRIBUTE_COUNT (sizeof(mspac_attribute_types)/sizeof(mspac_attribute_types[0]))
+#define MSPAC_ATTRIBUTE_COUNT (sizeof(mspac_attribute_types)/sizeof(mspac_attribute_types[0]))
static krb5_error_code
mspac_type2attr(krb5_ui_4 type, krb5_data *attr)
@@ -1145,10 +1146,10 @@ mspac_type2attr(krb5_ui_4 type, krb5_data *attr)
unsigned int i;
for (i = 0; i < MSPAC_ATTRIBUTE_COUNT; i++) {
- if (mspac_attribute_types[i].type == type) {
- *attr = mspac_attribute_types[i].attribute;
- return 0;
- }
+ if (mspac_attribute_types[i].type == type) {
+ *attr = mspac_attribute_types[i].attribute;
+ return 0;
+ }
}
return ENOENT;
@@ -1160,22 +1161,22 @@ mspac_attr2type(const krb5_data *attr, krb5_ui_4 *type)
unsigned int i;
for (i = 0; i < MSPAC_ATTRIBUTE_COUNT; i++) {
- if (attr->length == mspac_attribute_types[i].attribute.length &&
- strncasecmp(attr->data, mspac_attribute_types[i].attribute.data, attr->length) == 0) {
- *type = mspac_attribute_types[i].type;
- return 0;
- }
+ if (attr->length == mspac_attribute_types[i].attribute.length &&
+ strncasecmp(attr->data, mspac_attribute_types[i].attribute.data, attr->length) == 0) {
+ *type = mspac_attribute_types[i].type;
+ return 0;
+ }
}
if (attr->length > STRLENOF("urn:mspac:") &&
- strncasecmp(attr->data, "urn:mspac:", STRLENOF("urn:mspac:")) == 0)
+ strncasecmp(attr->data, "urn:mspac:", STRLENOF("urn:mspac:")) == 0)
{
- char *p = &attr->data[STRLENOF("urn:mspac:")];
- char *endptr;
+ char *p = &attr->data[STRLENOF("urn:mspac:")];
+ char *endptr;
- *type = strtoul(p, &endptr, 10);
- if (*type != 0 && *endptr == '\0')
- return 0;
+ *type = strtoul(p, &endptr, 10);
+ if (*type != 0 && *endptr == '\0')
+ return 0;
}
return ENOENT;
@@ -1183,10 +1184,10 @@ mspac_attr2type(const krb5_data *attr, krb5_ui_4 *type)
static krb5_error_code
mspac_get_attribute_types(krb5_context kcontext,
- krb5_authdata_context context,
- void *plugin_context,
- void *request_context,
- krb5_data **out_attrs)
+ krb5_authdata_context context,
+ void *plugin_context,
+ void *request_context,
+ krb5_data **out_attrs)
{
struct mspac_context *pacctx = (struct mspac_context *)request_context;
unsigned int i, j;
@@ -1194,45 +1195,45 @@ mspac_get_attribute_types(krb5_context kcontext,
krb5_error_code code;
if (pacctx->pac == NULL)
- return ENOENT;
+ return ENOENT;
attrs = calloc(1 + pacctx->pac->pac->cBuffers + 1, sizeof(krb5_data));
if (attrs == NULL)
- return ENOMEM;
+ return ENOMEM;
j = 0;
/* The entire PAC */
code = krb5int_copy_data_contents(kcontext,
- &mspac_attribute_types[0].attribute,
- &attrs[j++]);
+ &mspac_attribute_types[0].attribute,
+ &attrs[j++]);
if (code != 0) {
- free(attrs);
- return code;
+ free(attrs);
+ return code;
}
/* PAC buffers */
for (i = 0; i < pacctx->pac->pac->cBuffers; i++) {
- krb5_data attr;
-
- code = mspac_type2attr(pacctx->pac->pac->Buffers[i].ulType, &attr);
- if (code == 0) {
- code = krb5int_copy_data_contents(kcontext, &attr, &attrs[j++]);
- if (code != 0) {
- krb5int_free_data_list(kcontext, attrs);
- return code;
- }
- } else {
- int length;
-
- length = asprintf(&attrs[j].data, "urn:mspac:%d",
- pacctx->pac->pac->Buffers[i].ulType);
- if (length < 0) {
- krb5int_free_data_list(kcontext, attrs);
- return ENOMEM;
- }
- attrs[j++].length = length;
- }
+ krb5_data attr;
+
+ code = mspac_type2attr(pacctx->pac->pac->Buffers[i].ulType, &attr);
+ if (code == 0) {
+ code = krb5int_copy_data_contents(kcontext, &attr, &attrs[j++]);
+ if (code != 0) {
+ krb5int_free_data_list(kcontext, attrs);
+ return code;
+ }
+ } else {
+ int length;
+
+ length = asprintf(&attrs[j].data, "urn:mspac:%d",
+ pacctx->pac->pac->Buffers[i].ulType);
+ if (length < 0) {
+ krb5int_free_data_list(kcontext, attrs);
+ return ENOMEM;
+ }
+ attrs[j++].length = length;
+ }
}
attrs[j].data = NULL;
attrs[j].length = 0;
@@ -1244,49 +1245,49 @@ mspac_get_attribute_types(krb5_context kcontext,
static krb5_error_code
mspac_get_attribute(krb5_context kcontext,
- krb5_authdata_context context,
- void *plugin_context,
- void *request_context,
- const krb5_data *attribute,
- krb5_boolean *authenticated,
- krb5_boolean *complete,
- krb5_data *value,
- krb5_data *display_value,
- int *more)
+ krb5_authdata_context context,
+ void *plugin_context,
+ void *request_context,
+ const krb5_data *attribute,
+ krb5_boolean *authenticated,
+ krb5_boolean *complete,
+ krb5_data *value,
+ krb5_data *display_value,
+ int *more)
{
struct mspac_context *pacctx = (struct mspac_context *)request_context;
krb5_error_code code;
krb5_ui_4 type;
if (display_value != NULL) {
- display_value->data = NULL;
- display_value->length = 0;
+ display_value->data = NULL;
+ display_value->length = 0;
}
if (*more != -1 || pacctx->pac == NULL)
- return ENOENT;
+ return ENOENT;
code = mspac_attr2type(attribute, &type);
if (code != 0)
- return code;
+ return code;
/* -1 is a magic type that refers to the entire PAC */
if (type == (krb5_ui_4)-1) {
- if (value != NULL)
- code = krb5int_copy_data_contents(kcontext,
- &pacctx->pac->data,
- value);
- else
- code = 0;
+ if (value != NULL)
+ code = krb5int_copy_data_contents(kcontext,
+ &pacctx->pac->data,
+ value);
+ else
+ code = 0;
} else {
- if (value != NULL)
- code = krb5_pac_get_buffer(kcontext, pacctx->pac, type, value);
- else
- code = k5_pac_locate_buffer(kcontext, pacctx->pac, type, NULL);
+ if (value != NULL)
+ code = krb5_pac_get_buffer(kcontext, pacctx->pac, type, value);
+ else
+ code = k5_pac_locate_buffer(kcontext, pacctx->pac, type, NULL);
}
if (code == 0) {
- *authenticated = pacctx->pac->verified;
- *complete = TRUE;
+ *authenticated = pacctx->pac->verified;
+ *complete = TRUE;
}
*more = 0;
@@ -1296,36 +1297,36 @@ mspac_get_attribute(krb5_context kcontext,
static krb5_error_code
mspac_set_attribute(krb5_context kcontext,
- krb5_authdata_context context,
- void *plugin_context,
- void *request_context,
- krb5_boolean complete,
- const krb5_data *attribute,
- const krb5_data *value)
+ krb5_authdata_context context,
+ void *plugin_context,
+ void *request_context,
+ krb5_boolean complete,
+ const krb5_data *attribute,
+ const krb5_data *value)
{
struct mspac_context *pacctx = (struct mspac_context *)request_context;
krb5_error_code code;
krb5_ui_4 type;
if (pacctx->pac == NULL)
- return ENOENT;
+ return ENOENT;
code = mspac_attr2type(attribute, &type);
if (code != 0)
- return code;
+ return code;
/* -1 is a magic type that refers to the entire PAC */
if (type == (krb5_ui_4)-1) {
- krb5_pac newpac;
+ krb5_pac newpac;
- code = krb5_pac_parse(kcontext, value->data, value->length, &newpac);
- if (code != 0)
- return code;
+ code = krb5_pac_parse(kcontext, value->data, value->length, &newpac);
+ if (code != 0)
+ return code;
- krb5_pac_free(kcontext, pacctx->pac);
- pacctx->pac = newpac;
+ krb5_pac_free(kcontext, pacctx->pac);
+ pacctx->pac = newpac;
} else {
- code = krb5_pac_add_buffer(kcontext, pacctx->pac, type, value);
+ code = krb5_pac_add_buffer(kcontext, pacctx->pac, type, value);
}
return code;
@@ -1333,11 +1334,11 @@ mspac_set_attribute(krb5_context kcontext,
static krb5_error_code
mspac_export_internal(krb5_context kcontext,
- krb5_authdata_context context,
- void *plugin_context,
- void *request_context,
- krb5_boolean restrict_authenticated,
- void **ptr)
+ krb5_authdata_context context,
+ void *plugin_context,
+ void *request_context,
+ krb5_boolean restrict_authenticated,
+ void **ptr)
{
struct mspac_context *pacctx = (struct mspac_context *)request_context;
krb5_error_code code;
@@ -1346,16 +1347,16 @@ mspac_export_internal(krb5_context kcontext,
*ptr = NULL;
if (pacctx->pac == NULL)
- return 0;
+ return 0;
if (restrict_authenticated && (pacctx->pac->verified) == FALSE)
- return 0;
+ return 0;
code = krb5_pac_parse(kcontext, pacctx->pac->data.data,
- pacctx->pac->data.length, &pac);
+ pacctx->pac->data.length, &pac);
if (code == 0) {
- pac->verified = pacctx->pac->verified;
- *ptr = pac;
+ pac->verified = pacctx->pac->verified;
+ *ptr = pac;
}
return code;
@@ -1363,30 +1364,30 @@ mspac_export_internal(krb5_context kcontext,
static void
mspac_free_internal(krb5_context kcontext,
- krb5_authdata_context context,
- void *plugin_context,
- void *request_context,
- void *ptr)
+ krb5_authdata_context context,
+ void *plugin_context,
+ void *request_context,
+ void *ptr)
{
if (ptr != NULL)
- krb5_pac_free(kcontext, (krb5_pac)ptr);
+ krb5_pac_free(kcontext, (krb5_pac)ptr);
return;
}
static krb5_error_code
mspac_size(krb5_context kcontext,
- krb5_authdata_context context,
- void *plugin_context,
- void *request_context,
- size_t *sizep)
+ krb5_authdata_context context,
+ void *plugin_context,
+ void *request_context,
+ size_t *sizep)
{
struct mspac_context *pacctx = (struct mspac_context *)request_context;
*sizep += sizeof(krb5_int32);
if (pacctx->pac != NULL)
- *sizep += pacctx->pac->data.length;
+ *sizep += pacctx->pac->data.length;
*sizep += sizeof(krb5_int32);
@@ -1395,11 +1396,11 @@ mspac_size(krb5_context kcontext,
static krb5_error_code
mspac_externalize(krb5_context kcontext,
- krb5_authdata_context context,
- void *plugin_context,
- void *request_context,
- krb5_octet **buffer,
- size_t *lenremain)
+ krb5_authdata_context context,
+ void *plugin_context,
+ void *request_context,
+ krb5_octet **buffer,
+ size_t *lenremain)
{
krb5_error_code code = 0;
struct mspac_context *pacctx = (struct mspac_context *)request_context;
@@ -1411,23 +1412,23 @@ mspac_externalize(krb5_context kcontext,
remain = *lenremain;
if (pacctx->pac != NULL) {
- mspac_size(kcontext, context, plugin_context,
- request_context, &required);
-
- if (required <= remain) {
- krb5_ser_pack_int32((krb5_int32)pacctx->pac->data.length,
- &bp, &remain);
- krb5_ser_pack_bytes((krb5_octet *)pacctx->pac->data.data,
- (size_t)pacctx->pac->data.length,
- &bp, &remain);
- krb5_ser_pack_int32((krb5_int32)pacctx->pac->verified,
- &bp, &remain);
- } else {
- code = ENOMEM;
- }
+ mspac_size(kcontext, context, plugin_context,
+ request_context, &required);
+
+ if (required <= remain) {
+ krb5_ser_pack_int32((krb5_int32)pacctx->pac->data.length,
+ &bp, &remain);
+ krb5_ser_pack_bytes((krb5_octet *)pacctx->pac->data.data,
+ (size_t)pacctx->pac->data.length,
+ &bp, &remain);
+ krb5_ser_pack_int32((krb5_int32)pacctx->pac->verified,
+ &bp, &remain);
+ } else {
+ code = ENOMEM;
+ }
} else {
- krb5_ser_pack_int32(0, &bp, &remain); /* length */
- krb5_ser_pack_int32(0, &bp, &remain); /* verified */
+ krb5_ser_pack_int32(0, &bp, &remain); /* length */
+ krb5_ser_pack_int32(0, &bp, &remain); /* verified */
}
*buffer = bp;
@@ -1438,11 +1439,11 @@ mspac_externalize(krb5_context kcontext,
static krb5_error_code
mspac_internalize(krb5_context kcontext,
- krb5_authdata_context context,
- void *plugin_context,
- void *request_context,
- krb5_octet **buffer,
- size_t *lenremain)
+ krb5_authdata_context context,
+ void *plugin_context,
+ void *request_context,
+ krb5_octet **buffer,
+ size_t *lenremain)
{
struct mspac_context *pacctx = (struct mspac_context *)request_context;
krb5_error_code code;
@@ -1457,30 +1458,30 @@ mspac_internalize(krb5_context kcontext,
/* length */
code = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
if (code != 0)
- return code;
+ return code;
if (ibuf != 0) {
- code = krb5_pac_parse(kcontext, bp, ibuf, &pac);
- if (code != 0)
- return code;
+ code = krb5_pac_parse(kcontext, bp, ibuf, &pac);
+ if (code != 0)
+ return code;
- bp += ibuf;
- remain -= ibuf;
+ bp += ibuf;
+ remain -= ibuf;
}
/* verified */
code = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
if (code != 0) {
- krb5_pac_free(kcontext, pac);
- return code;
+ krb5_pac_free(kcontext, pac);
+ return code;
}
if (pac != NULL) {
- pac->verified = (ibuf != 0);
+ pac->verified = (ibuf != 0);
}
if (pacctx->pac != NULL) {
- krb5_pac_free(kcontext, pacctx->pac);
+ krb5_pac_free(kcontext, pacctx->pac);
}
pacctx->pac = pac;
@@ -1493,11 +1494,11 @@ mspac_internalize(krb5_context kcontext,
static krb5_error_code
mspac_copy(krb5_context kcontext,
- krb5_authdata_context context,
- void *plugin_context,
- void *request_context,
- void *dst_plugin_context,
- void *dst_request_context)
+ krb5_authdata_context context,
+ void *plugin_context,
+ void *request_context,
+ void *dst_plugin_context,
+ void *dst_request_context)
{
struct mspac_context *srcctx = (struct mspac_context *)request_context;
struct mspac_context *dstctx = (struct mspac_context *)dst_request_context;
@@ -1507,7 +1508,7 @@ mspac_copy(krb5_context kcontext,
assert(dstctx->pac == NULL);
if (srcctx->pac != NULL)
- code = k5_pac_copy(kcontext, srcctx->pac, &dstctx->pac);
+ code = k5_pac_copy(kcontext, srcctx->pac, &dstctx->pac);
return code;
}
@@ -1536,4 +1537,3 @@ krb5plugin_authdata_client_ftable_v0 krb5int_mspac_authdata_client_ftable = {
mspac_internalize,
mspac_copy
};
-
diff --git a/src/lib/krb5/krb/parse.c b/src/lib/krb5/krb/parse.c
index 5dd29fb43..b78cc4311 100644
--- a/src/lib/krb5/krb/parse.c
+++ b/src/lib/krb5/krb/parse.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/parse.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_parse_name() routine.
*
@@ -37,27 +38,27 @@
* converts a single-string representation of the name to the
* multi-part principal format used in the protocols.
*
- * principal will point to allocated storage which should be freed by
+ * principal will point to allocated storage which should be freed by
* the caller (using krb5_free_principal) after use.
- *
+ *
* Conventions: / is used to separate components. If @ is present in the
* string, then the rest of the string after it represents the realm name.
* Otherwise the local realm name is used.
- *
+ *
* error return:
- * KRB5_PARSE_MALFORMED badly formatted string
+ * KRB5_PARSE_MALFORMED badly formatted string
*
* also returns system errors:
- * ENOMEM malloc failed/out of memory
+ * ENOMEM malloc failed/out of memory
*
* get_default_realm() is called; it may return other errors.
*/
-#define REALM_SEP '@'
-#define COMPONENT_SEP '/'
-#define QUOTECHAR '\\'
+#define REALM_SEP '@'
+#define COMPONENT_SEP '/'
+#define QUOTECHAR '\\'
-#define FCOMPNUM 10
+#define FCOMPNUM 10
/*
* May the fleas of a thousand camels infest the ISO, they who think
@@ -65,276 +66,276 @@
*/
static krb5_error_code
k5_parse_name(krb5_context context, const char *name,
- int flags, krb5_principal *nprincipal)
+ int flags, krb5_principal *nprincipal)
{
- register const char *cp;
- register char *q;
- register int i,c,size;
- int components = 0;
- const char *parsed_realm = NULL;
- int fcompsize[FCOMPNUM];
- unsigned int realmsize = 0;
- char *default_realm = NULL;
- int default_realm_size = 0;
- char *tmpdata;
- krb5_principal principal;
- krb5_error_code retval;
- unsigned int enterprise = (flags & KRB5_PRINCIPAL_PARSE_ENTERPRISE);
- int first_at;
+ register const char *cp;
+ register char *q;
+ register int i,c,size;
+ int components = 0;
+ const char *parsed_realm = NULL;
+ int fcompsize[FCOMPNUM];
+ unsigned int realmsize = 0;
+ char *default_realm = NULL;
+ int default_realm_size = 0;
+ char *tmpdata;
+ krb5_principal principal;
+ krb5_error_code retval;
+ unsigned int enterprise = (flags & KRB5_PRINCIPAL_PARSE_ENTERPRISE);
+ int first_at;
- *nprincipal = NULL;
+ *nprincipal = NULL;
- /*
- * Pass 1. Find out how many components there are to the name,
- * and get string sizes for the first FCOMPNUM components. For
- * enterprise principal names (UPNs), there is only a single
- * component.
- */
- size = 0;
- for (i=0,cp = name, first_at = 1; (c = *cp); cp++) {
- if (c == QUOTECHAR) {
- cp++;
- if (!(c = *cp))
- /*
- * QUOTECHAR can't be at the last
- * character of the name!
- */
- return(KRB5_PARSE_MALFORMED);
- size++;
- continue;
- } else if (c == COMPONENT_SEP && !enterprise) {
- if (parsed_realm)
- /*
- * Shouldn't see a component separator
- * after we've parsed out the realm name!
- */
- return(KRB5_PARSE_MALFORMED);
- if (i < FCOMPNUM) {
- fcompsize[i] = size;
- }
- size = 0;
- i++;
- } else if (c == REALM_SEP && (!enterprise || !first_at)) {
- if (parsed_realm)
- /*
- * Multiple realm separaters
- * not allowed; zero-length realms are.
- */
- return(KRB5_PARSE_MALFORMED);
- parsed_realm = cp + 1;
- if (i < FCOMPNUM) {
- fcompsize[i] = size;
- }
- size = 0;
- } else {
- if (c == REALM_SEP && enterprise && first_at)
- first_at = 0;
+ /*
+ * Pass 1. Find out how many components there are to the name,
+ * and get string sizes for the first FCOMPNUM components. For
+ * enterprise principal names (UPNs), there is only a single
+ * component.
+ */
+ size = 0;
+ for (i=0,cp = name, first_at = 1; (c = *cp); cp++) {
+ if (c == QUOTECHAR) {
+ cp++;
+ if (!(c = *cp))
+ /*
+ * QUOTECHAR can't be at the last
+ * character of the name!
+ */
+ return(KRB5_PARSE_MALFORMED);
+ size++;
+ continue;
+ } else if (c == COMPONENT_SEP && !enterprise) {
+ if (parsed_realm)
+ /*
+ * Shouldn't see a component separator
+ * after we've parsed out the realm name!
+ */
+ return(KRB5_PARSE_MALFORMED);
+ if (i < FCOMPNUM) {
+ fcompsize[i] = size;
+ }
+ size = 0;
+ i++;
+ } else if (c == REALM_SEP && (!enterprise || !first_at)) {
+ if (parsed_realm)
+ /*
+ * Multiple realm separaters
+ * not allowed; zero-length realms are.
+ */
+ return(KRB5_PARSE_MALFORMED);
+ parsed_realm = cp + 1;
+ if (i < FCOMPNUM) {
+ fcompsize[i] = size;
+ }
+ size = 0;
+ } else {
+ if (c == REALM_SEP && enterprise && first_at)
+ first_at = 0;
- size++;
- }
- }
- if (parsed_realm != NULL)
- realmsize = size;
- else if (i < FCOMPNUM)
- fcompsize[i] = size;
- components = i + 1;
- /*
- * Now, we allocate the principal structure and all of its
- * component pieces
- */
- principal = (krb5_principal)malloc(sizeof(krb5_principal_data));
- if (principal == NULL) {
- return(ENOMEM);
- }
- principal->data = (krb5_data *) malloc(sizeof(krb5_data) * components);
- if (principal->data == NULL) {
- free(principal);
- return ENOMEM;
- }
- principal->length = components;
+ size++;
+ }
+ }
+ if (parsed_realm != NULL)
+ realmsize = size;
+ else if (i < FCOMPNUM)
+ fcompsize[i] = size;
+ components = i + 1;
+ /*
+ * Now, we allocate the principal structure and all of its
+ * component pieces
+ */
+ principal = (krb5_principal)malloc(sizeof(krb5_principal_data));
+ if (principal == NULL) {
+ return(ENOMEM);
+ }
+ principal->data = (krb5_data *) malloc(sizeof(krb5_data) * components);
+ if (principal->data == NULL) {
+ free(principal);
+ return ENOMEM;
+ }
+ principal->length = components;
- /*
- * If a realm was not found, then use the default realm, unless
- * KRB5_PRINCIPAL_PARSE_NO_REALM was specified in which case the
- * realm will be empty.
- */
- if (!parsed_realm) {
- if (flags & KRB5_PRINCIPAL_PARSE_REQUIRE_REALM) {
- krb5_set_error_message(context, KRB5_PARSE_MALFORMED,
- "Principal %s is missing required realm", name);
- free(principal->data);
- free(principal);
- return KRB5_PARSE_MALFORMED;
- }
- if (!default_realm && (flags & KRB5_PRINCIPAL_PARSE_NO_REALM) == 0) {
- retval = krb5_get_default_realm(context, &default_realm);
- if (retval) {
- free(principal->data);
- free(principal);
- return(retval);
- }
- default_realm_size = strlen(default_realm);
- }
- realmsize = default_realm_size;
- } else if (flags & KRB5_PRINCIPAL_PARSE_NO_REALM) {
- krb5_set_error_message(context, KRB5_PARSE_MALFORMED,
- "Principal %s has realm present", name);
- free(principal->data);
- free(principal);
- return KRB5_PARSE_MALFORMED;
- }
+ /*
+ * If a realm was not found, then use the default realm, unless
+ * KRB5_PRINCIPAL_PARSE_NO_REALM was specified in which case the
+ * realm will be empty.
+ */
+ if (!parsed_realm) {
+ if (flags & KRB5_PRINCIPAL_PARSE_REQUIRE_REALM) {
+ krb5_set_error_message(context, KRB5_PARSE_MALFORMED,
+ "Principal %s is missing required realm", name);
+ free(principal->data);
+ free(principal);
+ return KRB5_PARSE_MALFORMED;
+ }
+ if (!default_realm && (flags & KRB5_PRINCIPAL_PARSE_NO_REALM) == 0) {
+ retval = krb5_get_default_realm(context, &default_realm);
+ if (retval) {
+ free(principal->data);
+ free(principal);
+ return(retval);
+ }
+ default_realm_size = strlen(default_realm);
+ }
+ realmsize = default_realm_size;
+ } else if (flags & KRB5_PRINCIPAL_PARSE_NO_REALM) {
+ krb5_set_error_message(context, KRB5_PARSE_MALFORMED,
+ "Principal %s has realm present", name);
+ free(principal->data);
+ free(principal);
+ return KRB5_PARSE_MALFORMED;
+ }
- /*
- * Pass 2. Happens only if there were more than FCOMPNUM
- * component; if this happens, someone should be shot
- * immediately. Nevertheless, we will attempt to handle said
- * case..... <martyred sigh>
- */
- if (components >= FCOMPNUM) {
- size = 0;
- parsed_realm = NULL;
- for (i=0,cp = name; (c = *cp); cp++) {
- if (c == QUOTECHAR) {
- cp++;
- size++;
- } else if (c == COMPONENT_SEP) {
- if (krb5_princ_size(context, principal) > i)
- krb5_princ_component(context, principal, i)->length = size;
- size = 0;
- i++;
- } else if (c == REALM_SEP) {
- if (krb5_princ_size(context, principal) > i)
- krb5_princ_component(context, principal, i)->length = size;
- size = 0;
- parsed_realm = cp+1;
- } else
- size++;
- }
- if (parsed_realm)
- krb5_princ_realm(context, principal)->length = size;
- else
- if (krb5_princ_size(context, principal) > i)
- krb5_princ_component(context, principal, i)->length = size;
- if (i + 1 != components) {
+ /*
+ * Pass 2. Happens only if there were more than FCOMPNUM
+ * component; if this happens, someone should be shot
+ * immediately. Nevertheless, we will attempt to handle said
+ * case..... <martyred sigh>
+ */
+ if (components >= FCOMPNUM) {
+ size = 0;
+ parsed_realm = NULL;
+ for (i=0,cp = name; (c = *cp); cp++) {
+ if (c == QUOTECHAR) {
+ cp++;
+ size++;
+ } else if (c == COMPONENT_SEP) {
+ if (krb5_princ_size(context, principal) > i)
+ krb5_princ_component(context, principal, i)->length = size;
+ size = 0;
+ i++;
+ } else if (c == REALM_SEP) {
+ if (krb5_princ_size(context, principal) > i)
+ krb5_princ_component(context, principal, i)->length = size;
+ size = 0;
+ parsed_realm = cp+1;
+ } else
+ size++;
+ }
+ if (parsed_realm)
+ krb5_princ_realm(context, principal)->length = size;
+ else
+ if (krb5_princ_size(context, principal) > i)
+ krb5_princ_component(context, principal, i)->length = size;
+ if (i + 1 != components) {
#if !defined(_WIN32)
- fprintf(stderr,
- "Programming error in krb5_parse_name!");
+ fprintf(stderr,
+ "Programming error in krb5_parse_name!");
#endif
- assert(i + 1 == components);
- abort();
- }
- } else {
- /*
- * If there were fewer than FCOMPSIZE components (the
- * usual case), then just copy the sizes to the
- * principal structure
- */
- for (i=0; i < components; i++)
- krb5_princ_component(context, principal, i)->length = fcompsize[i];
- }
- /*
- * Now, we need to allocate the space for the strings themselves.....
- */
- tmpdata = malloc(realmsize + 1);
- if (tmpdata == 0) {
- free(principal->data);
- free(principal);
- free(default_realm);
- return ENOMEM;
- }
- krb5_princ_set_realm_length(context, principal, realmsize);
- krb5_princ_set_realm_data(context, principal, tmpdata);
- for (i=0; i < components; i++) {
- char *tmpdata2 =
- malloc(krb5_princ_component(context, principal, i)->length + 1);
- if (tmpdata2 == NULL) {
- for (i--; i >= 0; i--)
- free(krb5_princ_component(context, principal, i)->data);
- free(krb5_princ_realm(context, principal)->data);
- free(principal->data);
- free(principal);
- free(default_realm);
- return(ENOMEM);
- }
- krb5_princ_component(context, principal, i)->data = tmpdata2;
- krb5_princ_component(context, principal, i)->magic = KV5M_DATA;
- }
-
- /*
- * Pass 3. Now we go through the string a *third* time, this
- * time filling in the krb5_principal structure which we just
- * allocated.
- */
- q = krb5_princ_component(context, principal, 0)->data;
- for (i=0,cp = name, first_at = 1; (c = *cp); cp++) {
- if (c == QUOTECHAR) {
- cp++;
- switch (c = *cp) {
- case 'n':
- *q++ = '\n';
- break;
- case 't':
- *q++ = '\t';
- break;
- case 'b':
- *q++ = '\b';
- break;
- case '0':
- *q++ = '\0';
- break;
- default:
- *q++ = c;
- break;
- }
- } else if (c == COMPONENT_SEP && !enterprise) {
- i++;
- *q++ = '\0';
- q = krb5_princ_component(context, principal, i)->data;
- } else if (c == REALM_SEP && (!enterprise || !first_at)) {
- i++;
- *q++ = '\0';
- q = krb5_princ_realm(context, principal)->data;
- } else {
- if (c == REALM_SEP && enterprise && first_at)
- first_at = 0;
+ assert(i + 1 == components);
+ abort();
+ }
+ } else {
+ /*
+ * If there were fewer than FCOMPSIZE components (the
+ * usual case), then just copy the sizes to the
+ * principal structure
+ */
+ for (i=0; i < components; i++)
+ krb5_princ_component(context, principal, i)->length = fcompsize[i];
+ }
+ /*
+ * Now, we need to allocate the space for the strings themselves.....
+ */
+ tmpdata = malloc(realmsize + 1);
+ if (tmpdata == 0) {
+ free(principal->data);
+ free(principal);
+ free(default_realm);
+ return ENOMEM;
+ }
+ krb5_princ_set_realm_length(context, principal, realmsize);
+ krb5_princ_set_realm_data(context, principal, tmpdata);
+ for (i=0; i < components; i++) {
+ char *tmpdata2 =
+ malloc(krb5_princ_component(context, principal, i)->length + 1);
+ if (tmpdata2 == NULL) {
+ for (i--; i >= 0; i--)
+ free(krb5_princ_component(context, principal, i)->data);
+ free(krb5_princ_realm(context, principal)->data);
+ free(principal->data);
+ free(principal);
+ free(default_realm);
+ return(ENOMEM);
+ }
+ krb5_princ_component(context, principal, i)->data = tmpdata2;
+ krb5_princ_component(context, principal, i)->magic = KV5M_DATA;
+ }
+
+ /*
+ * Pass 3. Now we go through the string a *third* time, this
+ * time filling in the krb5_principal structure which we just
+ * allocated.
+ */
+ q = krb5_princ_component(context, principal, 0)->data;
+ for (i=0,cp = name, first_at = 1; (c = *cp); cp++) {
+ if (c == QUOTECHAR) {
+ cp++;
+ switch (c = *cp) {
+ case 'n':
+ *q++ = '\n';
+ break;
+ case 't':
+ *q++ = '\t';
+ break;
+ case 'b':
+ *q++ = '\b';
+ break;
+ case '0':
+ *q++ = '\0';
+ break;
+ default:
+ *q++ = c;
+ break;
+ }
+ } else if (c == COMPONENT_SEP && !enterprise) {
+ i++;
+ *q++ = '\0';
+ q = krb5_princ_component(context, principal, i)->data;
+ } else if (c == REALM_SEP && (!enterprise || !first_at)) {
+ i++;
+ *q++ = '\0';
+ q = krb5_princ_realm(context, principal)->data;
+ } else {
+ if (c == REALM_SEP && enterprise && first_at)
+ first_at = 0;
- *q++ = c;
- }
- }
- *q++ = '\0';
- if (!parsed_realm) {
- if (flags & KRB5_PRINCIPAL_PARSE_NO_REALM)
- (krb5_princ_realm(context, principal)->data)[0] = '\0';
- else
- strlcpy(krb5_princ_realm(context, principal)->data, default_realm, realmsize+1);
- }
- /*
- * Alright, we're done. Now stuff a pointer to this monstrosity
- * into the return variable, and let's get out of here.
- */
- if (enterprise)
- krb5_princ_type(context, principal) = KRB5_NT_ENTERPRISE_PRINCIPAL;
- else
- krb5_princ_type(context, principal) = KRB5_NT_PRINCIPAL;
- principal->magic = KV5M_PRINCIPAL;
- principal->realm.magic = KV5M_DATA;
- *nprincipal = principal;
+ *q++ = c;
+ }
+ }
+ *q++ = '\0';
+ if (!parsed_realm) {
+ if (flags & KRB5_PRINCIPAL_PARSE_NO_REALM)
+ (krb5_princ_realm(context, principal)->data)[0] = '\0';
+ else
+ strlcpy(krb5_princ_realm(context, principal)->data, default_realm, realmsize+1);
+ }
+ /*
+ * Alright, we're done. Now stuff a pointer to this monstrosity
+ * into the return variable, and let's get out of here.
+ */
+ if (enterprise)
+ krb5_princ_type(context, principal) = KRB5_NT_ENTERPRISE_PRINCIPAL;
+ else
+ krb5_princ_type(context, principal) = KRB5_NT_PRINCIPAL;
+ principal->magic = KV5M_PRINCIPAL;
+ principal->realm.magic = KV5M_DATA;
+ *nprincipal = principal;
- if (default_realm != NULL)
- free(default_realm);
+ if (default_realm != NULL)
+ free(default_realm);
- return(0);
+ return(0);
}
krb5_error_code KRB5_CALLCONV
krb5_parse_name(krb5_context context, const char *name, krb5_principal *nprincipal)
{
- return k5_parse_name(context, name, 0, nprincipal);
+ return k5_parse_name(context, name, 0, nprincipal);
}
krb5_error_code KRB5_CALLCONV
krb5_parse_name_flags(krb5_context context, const char *name,
- int flags, krb5_principal *nprincipal)
+ int flags, krb5_principal *nprincipal)
{
- return k5_parse_name(context, name, flags, nprincipal);
+ return k5_parse_name(context, name, flags, nprincipal);
}
diff --git a/src/lib/krb5/krb/pkinit_apple_asn1.c b/src/lib/krb5/krb/pkinit_apple_asn1.c
index 9082a314b..12b5215be 100644
--- a/src/lib/krb5/krb/pkinit_apple_asn1.c
+++ b/src/lib/krb5/krb/pkinit_apple_asn1.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* Copyright (c) 2004-2008 Apple Inc. All Rights Reserved.
*
@@ -60,32 +61,32 @@ static void **pkiNssNullArray(
#pragma mark ----- pkAuthenticator -----
-/*
+/*
* There is a unique error code for "missing paChecksum", so we mark it here
- * as optional so the decoder can process a pkAuthenticator without the
+ * as optional so the decoder can process a pkAuthenticator without the
* checksum; caller must verify that paChecksum.Data != NULL.
*/
typedef struct {
- CSSM_DATA cusec; /* INTEGER, microseconds */
- CSSM_DATA kctime; /* UTC time (with trailing 'Z') */
- CSSM_DATA nonce; /* INTEGER */
- CSSM_DATA paChecksum; /* OCTET STRING */
+ CSSM_DATA cusec; /* INTEGER, microseconds */
+ CSSM_DATA kctime; /* UTC time (with trailing 'Z') */
+ CSSM_DATA nonce; /* INTEGER */
+ CSSM_DATA paChecksum; /* OCTET STRING */
} KRB5_PKAuthenticator;
static const SecAsn1Template KRB5_PKAuthenticatorTemplate[] = {
{ SEC_ASN1_SEQUENCE, 0, NULL, sizeof(KRB5_PKAuthenticator) },
{ SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | 0,
- offsetof(KRB5_PKAuthenticator,cusec),
+ offsetof(KRB5_PKAuthenticator,cusec),
kSecAsn1IntegerTemplate },
{ SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | 1,
- offsetof(KRB5_PKAuthenticator,kctime),
+ offsetof(KRB5_PKAuthenticator,kctime),
kSecAsn1GeneralizedTimeTemplate },
{ SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | 2,
- offsetof(KRB5_PKAuthenticator,nonce),
+ offsetof(KRB5_PKAuthenticator,nonce),
kSecAsn1IntegerTemplate },
- { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT |
- SEC_ASN1_OPTIONAL | 3,
- offsetof(KRB5_PKAuthenticator,paChecksum),
+ { SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT |
+ SEC_ASN1_OPTIONAL | 3,
+ offsetof(KRB5_PKAuthenticator,paChecksum),
&kSecAsn1OctetStringTemplate },
{ 0 }
};
@@ -93,25 +94,25 @@ static const SecAsn1Template KRB5_PKAuthenticatorTemplate[] = {
#pragma mark ----- AuthPack -----
typedef struct {
- KRB5_PKAuthenticator pkAuth;
- CSSM_X509_SUBJECT_PUBLIC_KEY_INFO *pubKeyInfo; /* OPTIONAL */
- CSSM_X509_ALGORITHM_IDENTIFIER **supportedCMSTypes;/* OPTIONAL */
- CSSM_DATA *clientDHNonce; /* OPTIONAL */
+ KRB5_PKAuthenticator pkAuth;
+ CSSM_X509_SUBJECT_PUBLIC_KEY_INFO *pubKeyInfo; /* OPTIONAL */
+ CSSM_X509_ALGORITHM_IDENTIFIER **supportedCMSTypes;/* OPTIONAL */
+ CSSM_DATA *clientDHNonce; /* OPTIONAL */
} KRB5_AuthPack;
-/*
+/*
* These are copied from keyTemplates.c in the libsecurity_asn1 project;
* they aren't public API.
*/
-
+
/* AlgorithmIdentifier : CSSM_X509_ALGORITHM_IDENTIFIER */
static const SecAsn1Template AlgorithmIDTemplate[] = {
{ SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(CSSM_X509_ALGORITHM_IDENTIFIER) },
+ 0, NULL, sizeof(CSSM_X509_ALGORITHM_IDENTIFIER) },
{ SEC_ASN1_OBJECT_ID,
- offsetof(CSSM_X509_ALGORITHM_IDENTIFIER,algorithm), },
+ offsetof(CSSM_X509_ALGORITHM_IDENTIFIER,algorithm), },
{ SEC_ASN1_OPTIONAL | SEC_ASN1_ANY,
- offsetof(CSSM_X509_ALGORITHM_IDENTIFIER,parameters), },
+ offsetof(CSSM_X509_ALGORITHM_IDENTIFIER,parameters), },
{ 0, }
};
@@ -119,12 +120,12 @@ static const SecAsn1Template AlgorithmIDTemplate[] = {
/* SubjectPublicKeyInfo : CSSM_X509_SUBJECT_PUBLIC_KEY_INFO */
static const SecAsn1Template SubjectPublicKeyInfoTemplate[] = {
{ SEC_ASN1_SEQUENCE,
- 0, NULL, sizeof(CSSM_X509_SUBJECT_PUBLIC_KEY_INFO) },
+ 0, NULL, sizeof(CSSM_X509_SUBJECT_PUBLIC_KEY_INFO) },
{ SEC_ASN1_INLINE,
- offsetof(CSSM_X509_SUBJECT_PUBLIC_KEY_INFO,algorithm),
- AlgorithmIDTemplate },
+ offsetof(CSSM_X509_SUBJECT_PUBLIC_KEY_INFO,algorithm),
+ AlgorithmIDTemplate },
{ SEC_ASN1_BIT_STRING,
- offsetof(CSSM_X509_SUBJECT_PUBLIC_KEY_INFO,subjectPublicKey), },
+ offsetof(CSSM_X509_SUBJECT_PUBLIC_KEY_INFO,subjectPublicKey), },
{ 0, }
};
@@ -137,34 +138,34 @@ static const SecAsn1Template kSecAsn1SequenceOfAlgIdTemplate[] = {
static const SecAsn1Template KRB5_AuthPackTemplate[] = {
{ SEC_ASN1_SEQUENCE, 0, NULL, sizeof(KRB5_AuthPack) },
{ SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | 0,
- offsetof(KRB5_AuthPack,pkAuth),
+ offsetof(KRB5_AuthPack,pkAuth),
KRB5_PKAuthenticatorTemplate },
{ SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_OPTIONAL |
- SEC_ASN1_EXPLICIT | SEC_ASN1_POINTER | 1,
- offsetof(KRB5_AuthPack,pubKeyInfo),
+ SEC_ASN1_EXPLICIT | SEC_ASN1_POINTER | 1,
+ offsetof(KRB5_AuthPack,pubKeyInfo),
SubjectPublicKeyInfoTemplate },
{ SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_OPTIONAL |
- SEC_ASN1_EXPLICIT | SEC_ASN1_POINTER | 2,
- offsetof(KRB5_AuthPack,supportedCMSTypes),
+ SEC_ASN1_EXPLICIT | SEC_ASN1_POINTER | 2,
+ offsetof(KRB5_AuthPack,supportedCMSTypes),
kSecAsn1SequenceOfAlgIdTemplate },
{ SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_OPTIONAL |
- SEC_ASN1_EXPLICIT | SEC_ASN1_POINTER | 3,
- offsetof(KRB5_AuthPack,clientDHNonce),
+ SEC_ASN1_EXPLICIT | SEC_ASN1_POINTER | 3,
+ offsetof(KRB5_AuthPack,clientDHNonce),
kSecAsn1OctetStringTemplate },
{ 0 }
};
-/*
+/*
* Encode AuthPack, public key version (no Diffie-Hellman components).
*/
krb5_error_code krb5int_pkinit_auth_pack_encode(
- krb5_timestamp kctime,
- krb5_int32 cusec, /* microseconds */
- krb5_ui_4 nonce,
- const krb5_checksum *pa_checksum,
- const krb5int_algorithm_id *cms_types, /* optional */
- krb5_ui_4 num_cms_types,
- krb5_data *auth_pack) /* mallocd and RETURNED */
+ krb5_timestamp kctime,
+ krb5_int32 cusec, /* microseconds */
+ krb5_ui_4 nonce,
+ const krb5_checksum *pa_checksum,
+ const krb5int_algorithm_id *cms_types, /* optional */
+ krb5_ui_4 num_cms_types,
+ krb5_data *auth_pack) /* mallocd and RETURNED */
{
KRB5_AuthPack localAuthPack;
SecAsn1CoderRef coder;
@@ -173,65 +174,65 @@ krb5_error_code krb5int_pkinit_auth_pack_encode(
CSSM_DATA ber = {0, NULL};
OSStatus ortn;
char *timeStr = NULL;
-
+
if(SecAsn1CoderCreate(&coder)) {
- return ENOMEM;
+ return ENOMEM;
}
memset(&localAuthPack, 0, sizeof(localAuthPack));
if(pkiKrbTimestampToStr(kctime, &timeStr)) {
- ourRtn = -1;
- goto errOut;
+ ourRtn = -1;
+ goto errOut;
}
localAuthPack.pkAuth.kctime.Data = (uint8 *)timeStr;
localAuthPack.pkAuth.kctime.Length = strlen(timeStr);
if(pkiIntToData(cusec, &localAuthPack.pkAuth.cusec, coder)) {
- ourRtn = ENOMEM;
- goto errOut;
+ ourRtn = ENOMEM;
+ goto errOut;
}
if(pkiIntToData(nonce, &localAuthPack.pkAuth.nonce, coder)) {
- ourRtn = ENOMEM;
- goto errOut;
+ ourRtn = ENOMEM;
+ goto errOut;
}
cksum->Data = (uint8 *)pa_checksum->contents;
cksum->Length = pa_checksum->length;
-
+
if((cms_types != NULL) && (num_cms_types != 0)) {
- unsigned dex;
- CSSM_X509_ALGORITHM_IDENTIFIER **algIds;
-
- /* build a NULL_terminated array of CSSM_X509_ALGORITHM_IDENTIFIERs */
- localAuthPack.supportedCMSTypes = (CSSM_X509_ALGORITHM_IDENTIFIER **)
- SecAsn1Malloc(coder,
- (num_cms_types + 1) * sizeof(CSSM_X509_ALGORITHM_IDENTIFIER *));
- algIds = localAuthPack.supportedCMSTypes;
- for(dex=0; dex<num_cms_types; dex++) {
- algIds[dex] = (CSSM_X509_ALGORITHM_IDENTIFIER *)
- SecAsn1Malloc(coder, sizeof(CSSM_X509_ALGORITHM_IDENTIFIER));
- pkiKrb5DataToCssm(&cms_types[dex].algorithm,
- &algIds[dex]->algorithm, coder);
- if(cms_types[dex].parameters.data != NULL) {
- pkiKrb5DataToCssm(&cms_types[dex].parameters,
- &algIds[dex]->parameters, coder);
- }
- else {
- algIds[dex]->parameters.Data = NULL;
- algIds[dex]->parameters.Length = 0;
- }
- }
- algIds[num_cms_types] = NULL;
+ unsigned dex;
+ CSSM_X509_ALGORITHM_IDENTIFIER **algIds;
+
+ /* build a NULL_terminated array of CSSM_X509_ALGORITHM_IDENTIFIERs */
+ localAuthPack.supportedCMSTypes = (CSSM_X509_ALGORITHM_IDENTIFIER **)
+ SecAsn1Malloc(coder,
+ (num_cms_types + 1) * sizeof(CSSM_X509_ALGORITHM_IDENTIFIER *));
+ algIds = localAuthPack.supportedCMSTypes;
+ for(dex=0; dex<num_cms_types; dex++) {
+ algIds[dex] = (CSSM_X509_ALGORITHM_IDENTIFIER *)
+ SecAsn1Malloc(coder, sizeof(CSSM_X509_ALGORITHM_IDENTIFIER));
+ pkiKrb5DataToCssm(&cms_types[dex].algorithm,
+ &algIds[dex]->algorithm, coder);
+ if(cms_types[dex].parameters.data != NULL) {
+ pkiKrb5DataToCssm(&cms_types[dex].parameters,
+ &algIds[dex]->parameters, coder);
+ }
+ else {
+ algIds[dex]->parameters.Data = NULL;
+ algIds[dex]->parameters.Length = 0;
+ }
+ }
+ algIds[num_cms_types] = NULL;
}
ortn = SecAsn1EncodeItem(coder, &localAuthPack, KRB5_AuthPackTemplate, &ber);
if(ortn) {
- ourRtn = ENOMEM;
- goto errOut;
+ ourRtn = ENOMEM;
+ goto errOut;
}
-
+
if(pkiCssmDataToKrb5Data(&ber, auth_pack)) {
- ourRtn = ENOMEM;
+ ourRtn = ENOMEM;
}
else {
- auth_pack->magic = KV5M_AUTHENTICATOR;
- ourRtn = 0;
+ auth_pack->magic = KV5M_AUTHENTICATOR;
+ ourRtn = 0;
}
errOut:
SecAsn1CoderRelease(coder);
@@ -242,102 +243,102 @@ errOut:
* Decode AuthPack, public key version (no Diffie-Hellman components).
*/
krb5_error_code krb5int_pkinit_auth_pack_decode(
- const krb5_data *auth_pack, /* DER encoded */
- krb5_timestamp *kctime, /* RETURNED */
- krb5_ui_4 *cusec, /* microseconds, RETURNED */
- krb5_ui_4 *nonce, /* RETURNED */
- krb5_checksum *pa_checksum, /* contents mallocd and RETURNED */
- krb5int_algorithm_id **cms_types, /* optionally mallocd and RETURNED */
- krb5_ui_4 *num_cms_types) /* optionally RETURNED */
+ const krb5_data *auth_pack, /* DER encoded */
+ krb5_timestamp *kctime, /* RETURNED */
+ krb5_ui_4 *cusec, /* microseconds, RETURNED */
+ krb5_ui_4 *nonce, /* RETURNED */
+ krb5_checksum *pa_checksum, /* contents mallocd and RETURNED */
+ krb5int_algorithm_id **cms_types, /* optionally mallocd and RETURNED */
+ krb5_ui_4 *num_cms_types) /* optionally RETURNED */
{
KRB5_AuthPack localAuthPack;
SecAsn1CoderRef coder;
CSSM_DATA der = {0, NULL};
krb5_error_code ourRtn = 0;
CSSM_DATA *cksum = &localAuthPack.pkAuth.paChecksum;
-
+
/* Decode --> localAuthPack */
if(SecAsn1CoderCreate(&coder)) {
- return ENOMEM;
+ return ENOMEM;
}
PKI_KRB_TO_CSSM_DATA(auth_pack, &der);
memset(&localAuthPack, 0, sizeof(localAuthPack));
if(SecAsn1DecodeData(coder, &der, KRB5_AuthPackTemplate, &localAuthPack)) {
- ourRtn = ASN1_BAD_FORMAT;
- goto errOut;
+ ourRtn = ASN1_BAD_FORMAT;
+ goto errOut;
}
-
+
/* optionally Convert KRB5_AuthPack to caller's params */
if(kctime) {
- if((ourRtn = pkiTimeStrToKrbTimestamp((char *)localAuthPack.pkAuth.kctime.Data,
- localAuthPack.pkAuth.kctime.Length, kctime))) {
- goto errOut;
- }
+ if((ourRtn = pkiTimeStrToKrbTimestamp((char *)localAuthPack.pkAuth.kctime.Data,
+ localAuthPack.pkAuth.kctime.Length, kctime))) {
+ goto errOut;
+ }
}
if(cusec) {
- if((ourRtn = pkiDataToInt(&localAuthPack.pkAuth.cusec, (krb5_int32 *)cusec))) {
- goto errOut;
- }
+ if((ourRtn = pkiDataToInt(&localAuthPack.pkAuth.cusec, (krb5_int32 *)cusec))) {
+ goto errOut;
+ }
}
if(nonce) {
- if((ourRtn = pkiDataToInt(&localAuthPack.pkAuth.nonce, (krb5_int32 *)nonce))) {
- goto errOut;
- }
+ if((ourRtn = pkiDataToInt(&localAuthPack.pkAuth.nonce, (krb5_int32 *)nonce))) {
+ goto errOut;
+ }
}
if(pa_checksum) {
- if(cksum->Length == 0) {
- /* This is the unique error for "no paChecksum" */
- ourRtn = KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED;
- goto errOut;
- }
- else {
- pa_checksum->contents = (krb5_octet *)malloc(cksum->Length);
- if(pa_checksum->contents == NULL) {
- ourRtn = ENOMEM;
- goto errOut;
- }
- pa_checksum->length = cksum->Length;
- memmove(pa_checksum->contents, cksum->Data, pa_checksum->length);
- pa_checksum->magic = KV5M_CHECKSUM;
- /* This used to be encoded with the checksum but no more... */
- pa_checksum->checksum_type = CKSUMTYPE_NIST_SHA;
- }
+ if(cksum->Length == 0) {
+ /* This is the unique error for "no paChecksum" */
+ ourRtn = KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED;
+ goto errOut;
+ }
+ else {
+ pa_checksum->contents = (krb5_octet *)malloc(cksum->Length);
+ if(pa_checksum->contents == NULL) {
+ ourRtn = ENOMEM;
+ goto errOut;
+ }
+ pa_checksum->length = cksum->Length;
+ memmove(pa_checksum->contents, cksum->Data, pa_checksum->length);
+ pa_checksum->magic = KV5M_CHECKSUM;
+ /* This used to be encoded with the checksum but no more... */
+ pa_checksum->checksum_type = CKSUMTYPE_NIST_SHA;
+ }
}
if(cms_types) {
- if(localAuthPack.supportedCMSTypes == NULL) {
- *cms_types = NULL;
- *num_cms_types = 0;
- }
- else {
- /*
- * Convert NULL-terminated array of CSSM-style algIds to
- * krb5int_algorithm_ids.
- */
- unsigned dex;
- unsigned num_types = 0;
- CSSM_X509_ALGORITHM_IDENTIFIER **alg_ids;
- krb5int_algorithm_id *kalg_ids;
-
- for(alg_ids=localAuthPack.supportedCMSTypes;
- *alg_ids;
- alg_ids++) {
- num_types++;
- }
- *cms_types = kalg_ids = (krb5int_algorithm_id *)calloc(num_types,
- sizeof(krb5int_algorithm_id));
- *num_cms_types = num_types;
- alg_ids = localAuthPack.supportedCMSTypes;
- for(dex=0; dex<num_types; dex++) {
- if(alg_ids[dex]->algorithm.Data) {
- pkiCssmDataToKrb5Data(&alg_ids[dex]->algorithm,
- &kalg_ids[dex].algorithm);
- }
- if(alg_ids[dex]->parameters.Data) {
- pkiCssmDataToKrb5Data(&alg_ids[dex]->parameters,
- &kalg_ids[dex].parameters);
- }
- }
- }
+ if(localAuthPack.supportedCMSTypes == NULL) {
+ *cms_types = NULL;
+ *num_cms_types = 0;
+ }
+ else {
+ /*
+ * Convert NULL-terminated array of CSSM-style algIds to
+ * krb5int_algorithm_ids.
+ */
+ unsigned dex;
+ unsigned num_types = 0;
+ CSSM_X509_ALGORITHM_IDENTIFIER **alg_ids;
+ krb5int_algorithm_id *kalg_ids;
+
+ for(alg_ids=localAuthPack.supportedCMSTypes;
+ *alg_ids;
+ alg_ids++) {
+ num_types++;
+ }
+ *cms_types = kalg_ids = (krb5int_algorithm_id *)calloc(num_types,
+ sizeof(krb5int_algorithm_id));
+ *num_cms_types = num_types;
+ alg_ids = localAuthPack.supportedCMSTypes;
+ for(dex=0; dex<num_types; dex++) {
+ if(alg_ids[dex]->algorithm.Data) {
+ pkiCssmDataToKrb5Data(&alg_ids[dex]->algorithm,
+ &kalg_ids[dex].algorithm);
+ }
+ if(alg_ids[dex]->parameters.Data) {
+ pkiCssmDataToKrb5Data(&alg_ids[dex]->parameters,
+ &kalg_ids[dex].parameters);
+ }
+ }
+ }
}
ourRtn = 0;
errOut:
@@ -352,8 +353,8 @@ errOut:
* CL in DER-encoded state.
*/
typedef struct {
- CSSM_DATA derIssuer;
- CSSM_DATA serialNumber;
+ CSSM_DATA derIssuer;
+ CSSM_DATA serialNumber;
} KRB5_IssuerAndSerial;
static const SecAsn1Template KRB5_IssuerAndSerialTemplate[] = {
@@ -364,11 +365,11 @@ static const SecAsn1Template KRB5_IssuerAndSerialTemplate[] = {
};
/*
- * Given DER-encoded issuer and serial number, create an encoded
+ * Given DER-encoded issuer and serial number, create an encoded
* IssuerAndSerialNumber.
*/
krb5_error_code krb5int_pkinit_issuer_serial_encode(
- const krb5_data *issuer, /* DER encoded */
+ const krb5_data *issuer, /* DER encoded */
const krb5_data *serial_num,
krb5_data *issuer_and_serial) /* content mallocd and RETURNED */
{
@@ -378,14 +379,14 @@ krb5_error_code krb5int_pkinit_issuer_serial_encode(
OSStatus ortn;
if(SecAsn1CoderCreate(&coder)) {
- return ENOMEM;
+ return ENOMEM;
}
PKI_KRB_TO_CSSM_DATA(issuer, &issuerSerial.derIssuer);
PKI_KRB_TO_CSSM_DATA(serial_num, &issuerSerial.serialNumber);
ortn = SecAsn1EncodeItem(coder, &issuerSerial, KRB5_IssuerAndSerialTemplate, &ber);
if(ortn) {
- ortn = ENOMEM;
- goto errOut;
+ ortn = ENOMEM;
+ goto errOut;
}
ortn = pkiCssmDataToKrb5Data(&ber, issuer_and_serial);
errOut:
@@ -398,31 +399,31 @@ errOut:
*/
krb5_error_code krb5int_pkinit_issuer_serial_decode(
const krb5_data *issuer_and_serial, /* DER encoded */
- krb5_data *issuer, /* DER encoded, RETURNED */
- krb5_data *serial_num) /* RETURNED */
+ krb5_data *issuer, /* DER encoded, RETURNED */
+ krb5_data *serial_num) /* RETURNED */
{
KRB5_IssuerAndSerial issuerSerial;
SecAsn1CoderRef coder;
CSSM_DATA der = {issuer_and_serial->length, (uint8 *)issuer_and_serial->data};
krb5_error_code ourRtn = 0;
-
+
/* Decode --> issuerSerial */
if(SecAsn1CoderCreate(&coder)) {
- return ENOMEM;
+ return ENOMEM;
}
memset(&issuerSerial, 0, sizeof(issuerSerial));
if(SecAsn1DecodeData(coder, &der, KRB5_IssuerAndSerialTemplate, &issuerSerial)) {
- ourRtn = ASN1_BAD_FORMAT;
- goto errOut;
+ ourRtn = ASN1_BAD_FORMAT;
+ goto errOut;
}
-
+
/* Convert KRB5_IssuerAndSerial to caller's params */
if((ourRtn = pkiCssmDataToKrb5Data(&issuerSerial.derIssuer, issuer))) {
- goto errOut;
+ goto errOut;
}
if((ourRtn = pkiCssmDataToKrb5Data(&issuerSerial.serialNumber, serial_num))) {
- ourRtn = ENOMEM;
- goto errOut;
+ ourRtn = ENOMEM;
+ goto errOut;
}
errOut:
@@ -432,29 +433,29 @@ errOut:
#pragma mark ----- ExternalPrincipalIdentifier -----
-/*
- * Shown here for completeness; this module only implements the
- * issuerAndSerialNumber option.
+/*
+ * Shown here for completeness; this module only implements the
+ * issuerAndSerialNumber option.
*/
typedef struct {
- CSSM_DATA subjectName; /* [0] IMPLICIT OCTET STRING OPTIONAL */
- /* contents = encoded Name */
- CSSM_DATA issuerAndSerialNumber; /* [1] IMPLICIT OCTET STRING OPTIONAL */
- /* contents = encoded Issuer&Serial */
- CSSM_DATA subjectKeyIdentifier; /* [2] IMPLICIT OCTET STRING OPTIONAL */
- /* contents = encoded subjectKeyIdentifier extension */
+ CSSM_DATA subjectName; /* [0] IMPLICIT OCTET STRING OPTIONAL */
+ /* contents = encoded Name */
+ CSSM_DATA issuerAndSerialNumber; /* [1] IMPLICIT OCTET STRING OPTIONAL */
+ /* contents = encoded Issuer&Serial */
+ CSSM_DATA subjectKeyIdentifier; /* [2] IMPLICIT OCTET STRING OPTIONAL */
+ /* contents = encoded subjectKeyIdentifier extension */
} KRB5_ExternalPrincipalIdentifier;
static const SecAsn1Template KRB5_ExternalPrincipalIdentifierTemplate[] = {
{ SEC_ASN1_SEQUENCE, 0, NULL, sizeof(KRB5_ExternalPrincipalIdentifier) },
{ SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_OPTIONAL | 0,
- offsetof(KRB5_ExternalPrincipalIdentifier, subjectName),
+ offsetof(KRB5_ExternalPrincipalIdentifier, subjectName),
kSecAsn1OctetStringTemplate },
{ SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_OPTIONAL | 1,
- offsetof(KRB5_ExternalPrincipalIdentifier, issuerAndSerialNumber),
+ offsetof(KRB5_ExternalPrincipalIdentifier, issuerAndSerialNumber),
kSecAsn1OctetStringTemplate },
{ SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_OPTIONAL | 2,
- offsetof(KRB5_ExternalPrincipalIdentifier, subjectKeyIdentifier),
+ offsetof(KRB5_ExternalPrincipalIdentifier, subjectKeyIdentifier),
kSecAsn1OctetStringTemplate },
{ 0 }
};
@@ -466,30 +467,30 @@ static const SecAsn1Template KRB5_SequenceOfExternalPrincipalIdentifierTemplate[
#pragma mark ----- PA-PK-AS-REQ -----
/*
- * Top-level PA-PK-AS-REQ. All fields except for trusted_CAs are pre-encoded
- * before we encode this and are still DER-encoded after we decode.
+ * Top-level PA-PK-AS-REQ. All fields except for trusted_CAs are pre-encoded
+ * before we encode this and are still DER-encoded after we decode.
* The signedAuthPack and kdcPkId fields are wrapped in OCTET STRINGs
- * during encode; we strip off the OCTET STRING wrappers during decode.
+ * during encode; we strip off the OCTET STRING wrappers during decode.
*/
typedef struct {
- CSSM_DATA signedAuthPack; /* ContentInfo, SignedData */
- /* Content is KRB5_AuthPack */
+ CSSM_DATA signedAuthPack; /* ContentInfo, SignedData */
+ /* Content is KRB5_AuthPack */
KRB5_ExternalPrincipalIdentifier
- **trusted_CAs; /* optional */
- CSSM_DATA kdcPkId; /* optional */
+ **trusted_CAs; /* optional */
+ CSSM_DATA kdcPkId; /* optional */
} KRB5_PA_PK_AS_REQ;
static const SecAsn1Template KRB5_PA_PK_AS_REQTemplate[] = {
{ SEC_ASN1_SEQUENCE, 0, NULL, sizeof(KRB5_PA_PK_AS_REQ) },
{ SEC_ASN1_CONTEXT_SPECIFIC | 0,
- offsetof(KRB5_PA_PK_AS_REQ, signedAuthPack),
+ offsetof(KRB5_PA_PK_AS_REQ, signedAuthPack),
kSecAsn1OctetStringTemplate },
- { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
+ { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC |
SEC_ASN1_EXPLICIT | 1,
- offsetof(KRB5_PA_PK_AS_REQ, trusted_CAs),
+ offsetof(KRB5_PA_PK_AS_REQ, trusted_CAs),
KRB5_SequenceOfExternalPrincipalIdentifierTemplate },
{ SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 2,
- offsetof(KRB5_PA_PK_AS_REQ, kdcPkId),
+ offsetof(KRB5_PA_PK_AS_REQ, kdcPkId),
kSecAsn1AnyTemplate },
{ 0 }
};
@@ -499,58 +500,58 @@ static const SecAsn1Template KRB5_PA_PK_AS_REQTemplate[] = {
*/
krb5_error_code krb5int_pkinit_pa_pk_as_req_encode(
const krb5_data *signed_auth_pack, /* DER encoded ContentInfo */
- const krb5_data *trusted_CAs, /* optional: trustedCertifiers. Contents are
- * DER-encoded issuer/serialNumbers. */
- krb5_ui_4 num_trusted_CAs,
- const krb5_data *kdc_cert, /* optional kdcPkId, DER encoded issuer/serial */
- krb5_data *pa_pk_as_req) /* mallocd and RETURNED */
+ const krb5_data *trusted_CAs, /* optional: trustedCertifiers. Contents are
+ * DER-encoded issuer/serialNumbers. */
+ krb5_ui_4 num_trusted_CAs,
+ const krb5_data *kdc_cert, /* optional kdcPkId, DER encoded issuer/serial */
+ krb5_data *pa_pk_as_req) /* mallocd and RETURNED */
{
KRB5_PA_PK_AS_REQ req;
SecAsn1CoderRef coder;
CSSM_DATA ber = {0, NULL};
OSStatus ortn;
unsigned dex;
-
+
assert(signed_auth_pack != NULL);
assert(pa_pk_as_req != NULL);
if(SecAsn1CoderCreate(&coder)) {
- return ENOMEM;
+ return ENOMEM;
}
-
+
/* krb5_data ==> CSSM format */
-
+
memset(&req, 0, sizeof(req));
PKI_KRB_TO_CSSM_DATA(signed_auth_pack, &req.signedAuthPack);
if(num_trusted_CAs) {
- /*
- * Set up a NULL-terminated array of KRB5_ExternalPrincipalIdentifier
- * pointers. We malloc the actual KRB5_ExternalPrincipalIdentifiers as
- * a contiguous array; it's in temp SecAsn1CoderRef memory. The referents
- * are just dropped in from the caller's krb5_datas.
- */
- KRB5_ExternalPrincipalIdentifier *cas =
- (KRB5_ExternalPrincipalIdentifier *)SecAsn1Malloc(coder,
- num_trusted_CAs * sizeof(KRB5_ExternalPrincipalIdentifier));
- req.trusted_CAs =
- (KRB5_ExternalPrincipalIdentifier **)
- pkiNssNullArray(num_trusted_CAs, coder);
- for(dex=0; dex<num_trusted_CAs; dex++) {
- req.trusted_CAs[dex] = &cas[dex];
- memset(&cas[dex], 0, sizeof(KRB5_ExternalPrincipalIdentifier));
- PKI_KRB_TO_CSSM_DATA(&trusted_CAs[dex],
- &cas[dex].issuerAndSerialNumber);
- }
+ /*
+ * Set up a NULL-terminated array of KRB5_ExternalPrincipalIdentifier
+ * pointers. We malloc the actual KRB5_ExternalPrincipalIdentifiers as
+ * a contiguous array; it's in temp SecAsn1CoderRef memory. The referents
+ * are just dropped in from the caller's krb5_datas.
+ */
+ KRB5_ExternalPrincipalIdentifier *cas =
+ (KRB5_ExternalPrincipalIdentifier *)SecAsn1Malloc(coder,
+ num_trusted_CAs * sizeof(KRB5_ExternalPrincipalIdentifier));
+ req.trusted_CAs =
+ (KRB5_ExternalPrincipalIdentifier **)
+ pkiNssNullArray(num_trusted_CAs, coder);
+ for(dex=0; dex<num_trusted_CAs; dex++) {
+ req.trusted_CAs[dex] = &cas[dex];
+ memset(&cas[dex], 0, sizeof(KRB5_ExternalPrincipalIdentifier));
+ PKI_KRB_TO_CSSM_DATA(&trusted_CAs[dex],
+ &cas[dex].issuerAndSerialNumber);
+ }
}
if(kdc_cert) {
- PKI_KRB_TO_CSSM_DATA(kdc_cert, &req.kdcPkId);
+ PKI_KRB_TO_CSSM_DATA(kdc_cert, &req.kdcPkId);
}
-
+
/* encode */
ortn = SecAsn1EncodeItem(coder, &req, KRB5_PA_PK_AS_REQTemplate, &ber);
if(ortn) {
- ortn = ENOMEM;
- goto errOut;
+ ortn = ENOMEM;
+ goto errOut;
}
ortn = pkiCssmDataToKrb5Data(&ber, pa_pk_as_req);
@@ -558,102 +559,102 @@ errOut:
SecAsn1CoderRelease(coder);
return ortn;
}
-
+
/*
* Top-level decode for PA-PK-AS-REQ.
*/
krb5_error_code krb5int_pkinit_pa_pk_as_req_decode(
const krb5_data *pa_pk_as_req,
- krb5_data *signed_auth_pack, /* DER encoded ContentInfo, RETURNED */
- /*
- * Remainder are optionally RETURNED (specify NULL for pointers to
+ krb5_data *signed_auth_pack, /* DER encoded ContentInfo, RETURNED */
+ /*
+ * Remainder are optionally RETURNED (specify NULL for pointers to
* items you're not interested in).
*/
krb5_ui_4 *num_trusted_CAs, /* sizeof trusted_CAs */
- krb5_data **trusted_CAs, /* mallocd array of DER-encoded TrustedCAs issuer/serial */
- krb5_data *kdc_cert) /* DER encoded issuer/serial */
+ krb5_data **trusted_CAs, /* mallocd array of DER-encoded TrustedCAs issuer/serial */
+ krb5_data *kdc_cert) /* DER encoded issuer/serial */
{
KRB5_PA_PK_AS_REQ asReq;
SecAsn1CoderRef coder;
CSSM_DATA der;
krb5_error_code ourRtn = 0;
-
+
assert(pa_pk_as_req != NULL);
-
+
/* Decode --> KRB5_PA_PK_AS_REQ */
if(SecAsn1CoderCreate(&coder)) {
- return ENOMEM;
+ return ENOMEM;
}
PKI_KRB_TO_CSSM_DATA(pa_pk_as_req, &der);
memset(&asReq, 0, sizeof(asReq));
if(SecAsn1DecodeData(coder, &der, KRB5_PA_PK_AS_REQTemplate, &asReq)) {
- ourRtn = ASN1_BAD_FORMAT;
- goto errOut;
+ ourRtn = ASN1_BAD_FORMAT;
+ goto errOut;
}
/* Convert decoded results to caller's args; each is optional */
if(signed_auth_pack != NULL) {
- if((ourRtn = pkiCssmDataToKrb5Data(&asReq.signedAuthPack, signed_auth_pack))) {
- goto errOut;
- }
+ if((ourRtn = pkiCssmDataToKrb5Data(&asReq.signedAuthPack, signed_auth_pack))) {
+ goto errOut;
+ }
}
if(asReq.trusted_CAs && (trusted_CAs != NULL)) {
- /* NULL-terminated array of CSSM_DATA ptrs */
- unsigned numCas = pkiNssArraySize((const void **)asReq.trusted_CAs);
- unsigned dex;
- krb5_data *kdcCas;
-
- kdcCas = (krb5_data *)malloc(sizeof(krb5_data) * numCas);
- if(kdcCas == NULL) {
- ourRtn = ENOMEM;
- goto errOut;
- }
- for(dex=0; dex<numCas; dex++) {
- KRB5_ExternalPrincipalIdentifier *epi = asReq.trusted_CAs[dex];
- if(epi->issuerAndSerialNumber.Data) {
- /* the only variant we support */
- pkiCssmDataToKrb5Data(&epi->issuerAndSerialNumber, &kdcCas[dex]);
- }
- }
- *trusted_CAs = kdcCas;
- *num_trusted_CAs = numCas;
+ /* NULL-terminated array of CSSM_DATA ptrs */
+ unsigned numCas = pkiNssArraySize((const void **)asReq.trusted_CAs);
+ unsigned dex;
+ krb5_data *kdcCas;
+
+ kdcCas = (krb5_data *)malloc(sizeof(krb5_data) * numCas);
+ if(kdcCas == NULL) {
+ ourRtn = ENOMEM;
+ goto errOut;
+ }
+ for(dex=0; dex<numCas; dex++) {
+ KRB5_ExternalPrincipalIdentifier *epi = asReq.trusted_CAs[dex];
+ if(epi->issuerAndSerialNumber.Data) {
+ /* the only variant we support */
+ pkiCssmDataToKrb5Data(&epi->issuerAndSerialNumber, &kdcCas[dex]);
+ }
+ }
+ *trusted_CAs = kdcCas;
+ *num_trusted_CAs = numCas;
}
if(asReq.kdcPkId.Data && kdc_cert) {
- if((ourRtn = pkiCssmDataToKrb5Data(&asReq.kdcPkId, kdc_cert))) {
- goto errOut;
- }
+ if((ourRtn = pkiCssmDataToKrb5Data(&asReq.kdcPkId, kdc_cert))) {
+ goto errOut;
+ }
}
errOut:
SecAsn1CoderRelease(coder);
- return ourRtn;
+ return ourRtn;
}
#pragma mark ====== begin PA-PK-AS-REP components ======
typedef struct {
CSSM_DATA subjectPublicKey; /* BIT STRING */
- CSSM_DATA nonce; /* from KRB5_PKAuthenticator.nonce */
- CSSM_DATA *expiration; /* optional UTC time */
+ CSSM_DATA nonce; /* from KRB5_PKAuthenticator.nonce */
+ CSSM_DATA *expiration; /* optional UTC time */
} KRB5_KDC_DHKeyInfo;
typedef struct {
- CSSM_DATA keyType;
- CSSM_DATA keyValue;
+ CSSM_DATA keyType;
+ CSSM_DATA keyValue;
} KRB5_EncryptionKey;
static const SecAsn1Template KRB5_EncryptionKeyTemplate[] = {
{ SEC_ASN1_SEQUENCE, 0, NULL, sizeof(KRB5_EncryptionKey) },
{ SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | 0,
- offsetof(KRB5_EncryptionKey, keyType),
+ offsetof(KRB5_EncryptionKey, keyType),
kSecAsn1IntegerTemplate },
{ SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | 1,
- offsetof(KRB5_EncryptionKey, keyValue),
+ offsetof(KRB5_EncryptionKey, keyValue),
kSecAsn1OctetStringTemplate },
{ 0 }
};
#pragma mark ----- Checksum -----
-
+
typedef struct {
CSSM_DATA checksumType;
CSSM_DATA checksum;
@@ -662,37 +663,37 @@ typedef struct {
static const SecAsn1Template KRB5_ChecksumTemplate[] = {
{ SEC_ASN1_SEQUENCE, 0, NULL, sizeof(KRB5_Checksum) },
{ SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | 0,
- offsetof(KRB5_Checksum,checksumType),
+ offsetof(KRB5_Checksum,checksumType),
kSecAsn1IntegerTemplate },
{ SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | 1,
- offsetof(KRB5_Checksum,checksum),
+ offsetof(KRB5_Checksum,checksum),
kSecAsn1OctetStringTemplate },
{ 0 }
};
typedef struct {
KRB5_EncryptionKey encryptionKey;
- KRB5_Checksum asChecksum;
+ KRB5_Checksum asChecksum;
} KRB5_ReplyKeyPack;
static const SecAsn1Template KRB5_ReplyKeyPackTemplate[] = {
{ SEC_ASN1_SEQUENCE, 0, NULL, sizeof(KRB5_ReplyKeyPack) },
{ SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | 0,
- offsetof(KRB5_ReplyKeyPack, encryptionKey),
+ offsetof(KRB5_ReplyKeyPack, encryptionKey),
KRB5_EncryptionKeyTemplate },
{ SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | 1,
- offsetof(KRB5_ReplyKeyPack,asChecksum),
+ offsetof(KRB5_ReplyKeyPack,asChecksum),
KRB5_ChecksumTemplate },
{ 0 }
};
-/*
+/*
* Encode a ReplyKeyPack. The result is used as the Content of a SignedData.
*/
krb5_error_code krb5int_pkinit_reply_key_pack_encode(
const krb5_keyblock *key_block,
const krb5_checksum *checksum,
- krb5_data *reply_key_pack) /* mallocd and RETURNED */
+ krb5_data *reply_key_pack) /* mallocd and RETURNED */
{
KRB5_ReplyKeyPack repKeyPack;
SecAsn1CoderRef coder;
@@ -701,28 +702,28 @@ krb5_error_code krb5int_pkinit_reply_key_pack_encode(
OSStatus ortn;
KRB5_EncryptionKey *encryptKey = &repKeyPack.encryptionKey;
KRB5_Checksum *cksum = &repKeyPack.asChecksum;
-
+
if(SecAsn1CoderCreate(&coder)) {
- return ENOMEM;
+ return ENOMEM;
}
memset(&repKeyPack, 0, sizeof(repKeyPack));
-
+
if((ourRtn = pkiIntToData(key_block->enctype, &encryptKey->keyType, coder))) {
- goto errOut;
+ goto errOut;
}
encryptKey->keyValue.Length = key_block->length,
- encryptKey->keyValue.Data = (uint8 *)key_block->contents;
-
+ encryptKey->keyValue.Data = (uint8 *)key_block->contents;
+
if((ourRtn = pkiIntToData(checksum->checksum_type, &cksum->checksumType, coder))) {
- goto errOut;
+ goto errOut;
}
cksum->checksum.Data = (uint8 *)checksum->contents;
cksum->checksum.Length = checksum->length;
ortn = SecAsn1EncodeItem(coder, &repKeyPack, KRB5_ReplyKeyPackTemplate, &der);
if(ortn) {
- ourRtn = ENOMEM;
- goto errOut;
+ ourRtn = ENOMEM;
+ goto errOut;
}
ourRtn = pkiCssmDataToKrb5Data(&der, reply_key_pack);
errOut:
@@ -730,13 +731,13 @@ errOut:
return ourRtn;
}
-/*
+/*
* Decode a ReplyKeyPack.
*/
krb5_error_code krb5int_pkinit_reply_key_pack_decode(
- const krb5_data *reply_key_pack,
+ const krb5_data *reply_key_pack,
krb5_keyblock *key_block, /* RETURNED */
- krb5_checksum *checksum) /* contents mallocd and RETURNED */
+ krb5_checksum *checksum) /* contents mallocd and RETURNED */
{
KRB5_ReplyKeyPack repKeyPack;
SecAsn1CoderRef coder;
@@ -745,33 +746,33 @@ krb5_error_code krb5int_pkinit_reply_key_pack_decode(
CSSM_DATA der = {reply_key_pack->length, (uint8 *)reply_key_pack->data};
krb5_data tmpData;
KRB5_Checksum *cksum = &repKeyPack.asChecksum;
-
+
/* Decode --> KRB5_ReplyKeyPack */
if(SecAsn1CoderCreate(&coder)) {
- return ENOMEM;
+ return ENOMEM;
}
memset(&repKeyPack, 0, sizeof(repKeyPack));
if(SecAsn1DecodeData(coder, &der, KRB5_ReplyKeyPackTemplate, &repKeyPack)) {
- ourRtn = ASN1_BAD_FORMAT;
- goto errOut;
+ ourRtn = ASN1_BAD_FORMAT;
+ goto errOut;
}
-
+
if((ourRtn = pkiDataToInt(&encryptKey->keyType, (krb5_int32 *)&key_block->enctype))) {
- goto errOut;
+ goto errOut;
}
if((ourRtn = pkiCssmDataToKrb5Data(&encryptKey->keyValue, &tmpData))) {
- goto errOut;
+ goto errOut;
}
key_block->contents = (krb5_octet *)tmpData.data;
key_block->length = tmpData.length;
-
+
if((ourRtn = pkiDataToInt(&cksum->checksumType, &checksum->checksum_type))) {
- goto errOut;
+ goto errOut;
}
checksum->contents = (krb5_octet *)malloc(cksum->checksum.Length);
if(checksum->contents == NULL) {
- ourRtn = ENOMEM;
- goto errOut;
+ ourRtn = ENOMEM;
+ goto errOut;
}
checksum->length = cksum->checksum.Length;
memmove(checksum->contents, cksum->checksum.Data, checksum->length);
@@ -788,58 +789,58 @@ errOut:
* Top-level PA-PK-AS-REP. Exactly one of the optional fields must be present.
*/
typedef struct {
- CSSM_DATA *dhSignedData; /* ContentInfo, SignedData */
- /* Content is KRB5_KDC_DHKeyInfo */
- CSSM_DATA *encKeyPack; /* ContentInfo, SignedData */
- /* Content is ReplyKeyPack */
+ CSSM_DATA *dhSignedData; /* ContentInfo, SignedData */
+ /* Content is KRB5_KDC_DHKeyInfo */
+ CSSM_DATA *encKeyPack; /* ContentInfo, SignedData */
+ /* Content is ReplyKeyPack */
} KRB5_PA_PK_AS_REP;
-
+
static const SecAsn1Template KRB5_PA_PK_AS_REPTemplate[] = {
{ SEC_ASN1_SEQUENCE, 0, NULL, sizeof(KRB5_PA_PK_AS_REP) },
{ SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_OPTIONAL |
SEC_ASN1_EXPLICIT | 0,
- offsetof(KRB5_PA_PK_AS_REP, dhSignedData),
+ offsetof(KRB5_PA_PK_AS_REP, dhSignedData),
kSecAsn1PointerToAnyTemplate },
{ SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_CONSTRUCTED | SEC_ASN1_OPTIONAL |
SEC_ASN1_EXPLICIT | 1,
- offsetof(KRB5_PA_PK_AS_REP, encKeyPack),
+ offsetof(KRB5_PA_PK_AS_REP, encKeyPack),
kSecAsn1PointerToAnyTemplate },
{ 0 }
};
-/*
+/*
* Encode a KRB5_PA_PK_AS_REP.
*/
krb5_error_code krb5int_pkinit_pa_pk_as_rep_encode(
- const krb5_data *dh_signed_data,
- const krb5_data *enc_key_pack,
+ const krb5_data *dh_signed_data,
+ const krb5_data *enc_key_pack,
krb5_data *pa_pk_as_rep) /* mallocd and RETURNED */
{
KRB5_PA_PK_AS_REP asRep;
SecAsn1CoderRef coder;
krb5_error_code ourRtn = 0;
- CSSM_DATA der = {0, NULL};
- OSStatus ortn;
- CSSM_DATA dhSignedData;
- CSSM_DATA encKeyPack;
-
+ CSSM_DATA der = {0, NULL};
+ OSStatus ortn;
+ CSSM_DATA dhSignedData;
+ CSSM_DATA encKeyPack;
+
if(SecAsn1CoderCreate(&coder)) {
- return ENOMEM;
+ return ENOMEM;
}
memset(&asRep, 0, sizeof(asRep));
if(dh_signed_data) {
- PKI_KRB_TO_CSSM_DATA(dh_signed_data, &dhSignedData);
- asRep.dhSignedData = &dhSignedData;
+ PKI_KRB_TO_CSSM_DATA(dh_signed_data, &dhSignedData);
+ asRep.dhSignedData = &dhSignedData;
}
if(enc_key_pack) {
- PKI_KRB_TO_CSSM_DATA(enc_key_pack, &encKeyPack);
- asRep.encKeyPack = &encKeyPack;
+ PKI_KRB_TO_CSSM_DATA(enc_key_pack, &encKeyPack);
+ asRep.encKeyPack = &encKeyPack;
}
ortn = SecAsn1EncodeItem(coder, &asRep, KRB5_PA_PK_AS_REPTemplate, &der);
if(ortn) {
- ourRtn = ENOMEM;
- goto errOut;
+ ourRtn = ENOMEM;
+ goto errOut;
}
ourRtn = pkiCssmDataToKrb5Data(&der, pa_pk_as_rep);
@@ -848,38 +849,38 @@ errOut:
return ourRtn;
}
-/*
+/*
* Decode a KRB5_PA_PK_AS_REP.
*/
krb5_error_code krb5int_pkinit_pa_pk_as_rep_decode(
const krb5_data *pa_pk_as_rep,
- krb5_data *dh_signed_data,
+ krb5_data *dh_signed_data,
krb5_data *enc_key_pack)
{
KRB5_PA_PK_AS_REP asRep;
SecAsn1CoderRef coder;
CSSM_DATA der = {pa_pk_as_rep->length, (uint8 *)pa_pk_as_rep->data};
krb5_error_code ourRtn = 0;
-
+
/* Decode --> KRB5_PA_PK_AS_REP */
if(SecAsn1CoderCreate(&coder)) {
- return ENOMEM;
+ return ENOMEM;
}
memset(&asRep, 0, sizeof(asRep));
if(SecAsn1DecodeData(coder, &der, KRB5_PA_PK_AS_REPTemplate, &asRep)) {
- ourRtn = ASN1_BAD_FORMAT;
- goto errOut;
+ ourRtn = ASN1_BAD_FORMAT;
+ goto errOut;
}
-
+
if(asRep.dhSignedData) {
- if((ourRtn = pkiCssmDataToKrb5Data(asRep.dhSignedData, dh_signed_data))) {
- goto errOut;
- }
+ if((ourRtn = pkiCssmDataToKrb5Data(asRep.dhSignedData, dh_signed_data))) {
+ goto errOut;
+ }
}
if(asRep.encKeyPack) {
- ourRtn = pkiCssmDataToKrb5Data(asRep.encKeyPack, enc_key_pack);
+ ourRtn = pkiCssmDataToKrb5Data(asRep.encKeyPack, enc_key_pack);
}
-
+
errOut:
SecAsn1CoderRelease(coder);
return ourRtn;
@@ -904,51 +905,51 @@ krb5_error_code krb5int_pkinit_get_issuer_serial(
krb5_data krb_issuer;
uint32 numFields;
krb5_error_code ourRtn = 0;
-
+
CSSM_CL_HANDLE clHand = pkiClStartup();
if(clHand == 0) {
- return CSSMERR_CSSM_ADDIN_LOAD_FAILED;
+ return CSSMERR_CSSM_ADDIN_LOAD_FAILED;
}
/* subsequent errors to errOut: */
-
+
crtn = CSSM_CL_CertCache(clHand, &certData, &cacheHand);
if(crtn) {
- pkiCssmErr("CSSM_CL_CertCache", crtn);
- ourRtn = ASN1_PARSE_ERROR;
- goto errOut;
+ pkiCssmErr("CSSM_CL_CertCache", crtn);
+ ourRtn = ASN1_PARSE_ERROR;
+ goto errOut;
}
-
+
/* obtain the two fields; issuer is DER encoded */
crtn = CSSM_CL_CertGetFirstCachedFieldValue(clHand, cacheHand,
- &CSSMOID_X509V1IssuerNameStd, &resultHand, &numFields, &derIssuer);
+ &CSSMOID_X509V1IssuerNameStd, &resultHand, &numFields, &derIssuer);
if(crtn) {
- pkiCssmErr("CSSM_CL_CertGetFirstCachedFieldValue(issuer)", crtn);
- ourRtn = ASN1_PARSE_ERROR;
- goto errOut;
+ pkiCssmErr("CSSM_CL_CertGetFirstCachedFieldValue(issuer)", crtn);
+ ourRtn = ASN1_PARSE_ERROR;
+ goto errOut;
}
crtn = CSSM_CL_CertGetFirstCachedFieldValue(clHand, cacheHand,
- &CSSMOID_X509V1SerialNumber, &resultHand, &numFields, &serial);
+ &CSSMOID_X509V1SerialNumber, &resultHand, &numFields, &serial);
if(crtn) {
- pkiCssmErr("CSSM_CL_CertGetFirstCachedFieldValue(serial)", crtn);
- ourRtn = ASN1_PARSE_ERROR;
- goto errOut;
+ pkiCssmErr("CSSM_CL_CertGetFirstCachedFieldValue(serial)", crtn);
+ ourRtn = ASN1_PARSE_ERROR;
+ goto errOut;
}
PKI_CSSM_TO_KRB_DATA(derIssuer, &krb_issuer);
PKI_CSSM_TO_KRB_DATA(serial, &krb_serial);
ourRtn = krb5int_pkinit_issuer_serial_encode(&krb_issuer, &krb_serial, issuer_and_serial);
-
+
errOut:
if(derIssuer) {
- CSSM_CL_FreeFieldValue(clHand, &CSSMOID_X509V1IssuerNameStd, derIssuer);
+ CSSM_CL_FreeFieldValue(clHand, &CSSMOID_X509V1IssuerNameStd, derIssuer);
}
if(serial) {
- CSSM_CL_FreeFieldValue(clHand, &CSSMOID_X509V1SerialNumber, serial);
+ CSSM_CL_FreeFieldValue(clHand, &CSSMOID_X509V1SerialNumber, serial);
}
if(cacheHand) {
- CSSM_CL_CertAbortCache(clHand, cacheHand);
+ CSSM_CL_CertAbortCache(clHand, cacheHand);
}
if(clHand) {
- pkiClDetachUnload(clHand);
+ pkiClDetachUnload(clHand);
}
return ourRtn;
}
diff --git a/src/lib/krb5/krb/pkinit_apple_cert_store.c b/src/lib/krb5/krb/pkinit_apple_cert_store.c
index 449f1cc99..2bcbd4458 100644
--- a/src/lib/krb5/krb/pkinit_apple_cert_store.c
+++ b/src/lib/krb5/krb/pkinit_apple_cert_store.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* Copyright (c) 2004-2008 Apple Inc. All Rights Reserved.
*
@@ -24,12 +25,12 @@
*/
/*
- * pkinit_apple_cert_store.c - PKINIT certificate storage/retrieval utilities,
- * MAC OS X version
+ * pkinit_apple_cert_store.c - PKINIT certificate storage/retrieval utilities,
+ * MAC OS X version
*
* Created 26 May 2004 by Doug Mitchell at Apple.
*/
-
+
#if APPLE_PKINIT
#include "pkinit_cert_store.h"
@@ -49,24 +50,24 @@
* key = kPkinitClientCertKey
* appID = kPkinitClientCertApp
* username = kCFPreferencesCurrentUser
- * hostname = kCFPreferencesAnyHost
+ * hostname = kCFPreferencesAnyHost
*
* The stored property list is a CFDictionary. Keys in the dictionary are
- * principal names (e.g. foobar@REALM.LOCAL).
+ * principal names (e.g. foobar@REALM.LOCAL).
*
* Values in the dictionary are raw data containing the DER-encoded issuer and
- * serial number of the certificate.
+ * serial number of the certificate.
*
* When obtaining a PKINIT cert, if an entry in the CFDictionary for the specified
* principal is not found, the entry for the default will be used if it's there.
*/
-/*
- * NOTE: ANSI C code requires an Apple-Custom -fconstant-cfstrings CFLAGS to
- * use CFSTR in a const declaration so we just declare the C strings here.
+/*
+ * NOTE: ANSI C code requires an Apple-Custom -fconstant-cfstrings CFLAGS to
+ * use CFSTR in a const declaration so we just declare the C strings here.
*/
-#define kPkinitClientCertKey "KRBClientCert"
-#define kPkinitClientCertApp "edu.mit.Kerberos.pkinit"
+#define kPkinitClientCertKey "KRBClientCert"
+#define kPkinitClientCertApp "edu.mit.Kerberos.pkinit"
/*
* KDC cert stored in this keychain. It's linked to systemkeychain so that if
@@ -74,43 +75,43 @@
*/
#define KDC_KEYCHAIN "/var/db/krb5kdc/kdc.keychain"
-/*
+/*
* Given a certificate, obtain the DER-encoded issuer and serial number. Result
- * is mallocd and must be freed by caller.
+ * is mallocd and must be freed by caller.
*/
static OSStatus pkinit_get_cert_issuer_sn(
- SecCertificateRef certRef,
- CSSM_DATA *issuerSerial) /* mallocd and RETURNED */
+ SecCertificateRef certRef,
+ CSSM_DATA *issuerSerial) /* mallocd and RETURNED */
{
OSStatus ortn;
CSSM_DATA certData;
krb5_data INIT_KDATA(issuerSerialKrb);
krb5_data certDataKrb;
krb5_error_code krtn;
-
+
assert(certRef != NULL);
assert(issuerSerial != NULL);
-
+
ortn = SecCertificateGetData(certRef, &certData);
if(ortn) {
- pkiCssmErr("SecCertificateGetData", ortn);
- return ortn;
+ pkiCssmErr("SecCertificateGetData", ortn);
+ return ortn;
}
PKI_CSSM_TO_KRB_DATA(&certData, &certDataKrb);
krtn = krb5int_pkinit_get_issuer_serial(&certDataKrb, &issuerSerialKrb);
if(krtn) {
- return CSSMERR_CL_INVALID_DATA;
+ return CSSMERR_CL_INVALID_DATA;
}
PKI_KRB_TO_CSSM_DATA(&issuerSerialKrb, issuerSerial);
return noErr;
}
-/*
+/*
* Determine if specified identity's cert's issuer and serial number match the
* provided issuer and serial number. Returns nonzero on match, else returns zero.
*/
static int pkinit_issuer_sn_match(
- SecIdentityRef idRef,
+ SecIdentityRef idRef,
const CSSM_DATA *matchIssuerSerial)
{
OSStatus ortn;
@@ -120,87 +121,87 @@ static int pkinit_issuer_sn_match(
assert(idRef != NULL);
assert(matchIssuerSerial != NULL);
-
+
/* Get this cert's issuer/serial number */
ortn = SecIdentityCopyCertificate(idRef, &certRef);
if(ortn) {
- pkiCssmErr("SecIdentityCopyCertificate", ortn);
- return 0;
+ pkiCssmErr("SecIdentityCopyCertificate", ortn);
+ return 0;
}
/* subsequent errors to errOut: */
ortn = pkinit_get_cert_issuer_sn(certRef, &certIssuerSerial);
if(ortn) {
- pkiCssmErr("SecIdentityCopyCertificate", ortn);
- goto errOut;
+ pkiCssmErr("SecIdentityCopyCertificate", ortn);
+ goto errOut;
}
ourRtn = pkiCompareCssmData(matchIssuerSerial, &certIssuerSerial) ? 1 : 0;
errOut:
if(certRef != NULL) {
- CFRelease(certRef);
+ CFRelease(certRef);
}
if(certIssuerSerial.Data != NULL) {
- free(certIssuerSerial.Data);
+ free(certIssuerSerial.Data);
}
return ourRtn;
}
/*
* Search specified keychain/array/NULL (NULL meaning the default search list) for
- * an Identity matching specified key usage and optional Issuer/Serial number.
+ * an Identity matching specified key usage and optional Issuer/Serial number.
* If issuer/serial is specified and no identities match, or if no identities found
* matching specified Key usage, errSecItemNotFound is returned.
*
- * Caller must CFRelease a non-NULL returned idRef.
+ * Caller must CFRelease a non-NULL returned idRef.
*/
static OSStatus pkinit_search_ident(
- CFTypeRef keychainOrArray,
- CSSM_KEYUSE keyUsage,
+ CFTypeRef keychainOrArray,
+ CSSM_KEYUSE keyUsage,
const CSSM_DATA *issuerSerial, /* optional */
- SecIdentityRef *foundId) /* RETURNED */
+ SecIdentityRef *foundId) /* RETURNED */
{
OSStatus ortn;
SecIdentityRef idRef = NULL;
SecIdentitySearchRef srchRef = NULL;
-
+
ortn = SecIdentitySearchCreate(keychainOrArray, keyUsage, &srchRef);
if(ortn) {
- pkiCssmErr("SecIdentitySearchCreate", ortn);
- return ortn;
+ pkiCssmErr("SecIdentitySearchCreate", ortn);
+ return ortn;
}
do {
- ortn = SecIdentitySearchCopyNext(srchRef, &idRef);
- if(ortn != noErr) {
- break;
- }
- if(issuerSerial == NULL) {
- /* no match needed, we're done - this is the KDC cert case */
- break;
- }
- else if(pkinit_issuer_sn_match(idRef, issuerSerial)) {
- /* match, we're done */
- break;
- }
- /* finished with this one */
- CFRelease(idRef);
- idRef = NULL;
+ ortn = SecIdentitySearchCopyNext(srchRef, &idRef);
+ if(ortn != noErr) {
+ break;
+ }
+ if(issuerSerial == NULL) {
+ /* no match needed, we're done - this is the KDC cert case */
+ break;
+ }
+ else if(pkinit_issuer_sn_match(idRef, issuerSerial)) {
+ /* match, we're done */
+ break;
+ }
+ /* finished with this one */
+ CFRelease(idRef);
+ idRef = NULL;
} while(ortn == noErr);
-
+
CFRelease(srchRef);
if(idRef == NULL) {
- return errSecItemNotFound;
+ return errSecItemNotFound;
}
else {
- *foundId = idRef;
- return noErr;
+ *foundId = idRef;
+ return noErr;
}
}
/*
- * In Mac OS terms, get the keychain on which a given identity resides.
+ * In Mac OS terms, get the keychain on which a given identity resides.
*/
static krb5_error_code pkinit_cert_to_db(
krb5_pkinit_signing_cert_t idRef,
- krb5_pkinit_cert_db_t *dbRef)
+ krb5_pkinit_cert_db_t *dbRef)
{
SecKeychainRef kcRef = NULL;
SecKeyRef keyRef = NULL;
@@ -209,38 +210,38 @@ static krb5_error_code pkinit_cert_to_db(
/* that's an identity - get the associated key's keychain */
ortn = SecIdentityCopyPrivateKey((SecIdentityRef)idRef, &keyRef);
if(ortn) {
- pkiCssmErr("SecIdentityCopyPrivateKey", ortn);
- return ortn;
+ pkiCssmErr("SecIdentityCopyPrivateKey", ortn);
+ return ortn;
}
ortn = SecKeychainItemCopyKeychain((SecKeychainItemRef)keyRef, &kcRef);
if(ortn) {
- pkiCssmErr("SecKeychainItemCopyKeychain", ortn);
+ pkiCssmErr("SecKeychainItemCopyKeychain", ortn);
}
else {
- *dbRef = (krb5_pkinit_cert_db_t)kcRef;
+ *dbRef = (krb5_pkinit_cert_db_t)kcRef;
}
CFRelease(keyRef);
return ortn;
}
-/*
- * Obtain the CFDictionary representing this user's PKINIT client cert prefs, if it
- * exists. Returns noErr or errSecItemNotFound as appropriate.
+/*
+ * Obtain the CFDictionary representing this user's PKINIT client cert prefs, if it
+ * exists. Returns noErr or errSecItemNotFound as appropriate.
*/
static OSStatus pkinit_get_pref_dict(
CFDictionaryRef *dict)
{
CFDictionaryRef theDict;
theDict = (CFDictionaryRef)CFPreferencesCopyValue(CFSTR(kPkinitClientCertKey),
- CFSTR(kPkinitClientCertApp), kCFPreferencesCurrentUser, kCFPreferencesAnyHost);
+ CFSTR(kPkinitClientCertApp), kCFPreferencesCurrentUser, kCFPreferencesAnyHost);
if(theDict == NULL) {
- pkiDebug("pkinit_get_pref_dict: no kPkinitClientCertKey\n");
- return errSecItemNotFound;
+ pkiDebug("pkinit_get_pref_dict: no kPkinitClientCertKey\n");
+ return errSecItemNotFound;
}
if(CFGetTypeID(theDict) != CFDictionaryGetTypeID()) {
- pkiDebug("pkinit_get_pref_dict: bad kPkinitClientCertKey pref\n");
- CFRelease(theDict);
- return errSecItemNotFound;
+ pkiDebug("pkinit_get_pref_dict: bad kPkinitClientCertKey pref\n");
+ CFRelease(theDict);
+ return errSecItemNotFound;
}
*dict = theDict;
return noErr;
@@ -249,12 +250,12 @@ static OSStatus pkinit_get_pref_dict(
#pragma mark --- Public client side functions ---
/*
- * Obtain signing cert for specified principal. On successful return,
+ * Obtain signing cert for specified principal. On successful return,
* caller must eventually release the cert with krb5_pkinit_release_cert().
*/
krb5_error_code krb5_pkinit_get_client_cert(
- const char *principal, /* full principal string */
- krb5_pkinit_signing_cert_t *client_cert)
+ const char *principal, /* full principal string */
+ krb5_pkinit_signing_cert_t *client_cert)
{
CFDataRef issuerSerial = NULL;
CSSM_DATA issuerSerialData;
@@ -263,74 +264,74 @@ krb5_error_code krb5_pkinit_get_client_cert(
CFDictionaryRef theDict = NULL;
CFStringRef cfPrinc = NULL;
krb5_error_code ourRtn = 0;
-
+
if(principal == NULL) {
- return KRB5_PRINC_NOMATCH;
+ return KRB5_PRINC_NOMATCH;
}
-
+
/* Is there a stored preference for PKINIT certs for this user? */
ortn = pkinit_get_pref_dict(&theDict);
if(ortn) {
- return KRB5_PRINC_NOMATCH;
+ return KRB5_PRINC_NOMATCH;
}
-
+
/* Entry in the dictionary for specified principal? */
- cfPrinc = CFStringCreateWithCString(NULL, principal,
+ cfPrinc = CFStringCreateWithCString(NULL, principal,
kCFStringEncodingASCII);
issuerSerial = (CFDataRef)CFDictionaryGetValue(theDict, cfPrinc);
CFRelease(cfPrinc);
if(issuerSerial == NULL) {
- pkiDebug("krb5_pkinit_get_client_cert: no identity found\n");
- ourRtn = KRB5_PRINC_NOMATCH;
- goto errOut;
+ pkiDebug("krb5_pkinit_get_client_cert: no identity found\n");
+ ourRtn = KRB5_PRINC_NOMATCH;
+ goto errOut;
}
if(CFGetTypeID(issuerSerial) != CFDataGetTypeID()) {
- pkiDebug("krb5_pkinit_get_client_cert: bad kPkinitClientCertKey value\n");
- ourRtn = KRB5_PRINC_NOMATCH;
- goto errOut;
+ pkiDebug("krb5_pkinit_get_client_cert: bad kPkinitClientCertKey value\n");
+ ourRtn = KRB5_PRINC_NOMATCH;
+ goto errOut;
}
-
+
issuerSerialData.Data = (uint8 *)CFDataGetBytePtr(issuerSerial);
issuerSerialData.Length = CFDataGetLength(issuerSerial);
-
+
/* find a cert with that issuer/serial number in default search list */
- ortn = pkinit_search_ident(NULL, CSSM_KEYUSE_SIGN | CSSM_KEYUSE_ENCRYPT,
- &issuerSerialData, &idRef);
+ ortn = pkinit_search_ident(NULL, CSSM_KEYUSE_SIGN | CSSM_KEYUSE_ENCRYPT,
+ &issuerSerialData, &idRef);
if(ortn) {
- pkiDebug("krb5_pkinit_get_client_cert: no identity found!\n");
- pkiCssmErr("pkinit_search_ident", ortn);
- ourRtn = KRB5_PRINC_NOMATCH;
+ pkiDebug("krb5_pkinit_get_client_cert: no identity found!\n");
+ pkiCssmErr("pkinit_search_ident", ortn);
+ ourRtn = KRB5_PRINC_NOMATCH;
}
else {
- *client_cert = (krb5_pkinit_signing_cert_t)idRef;
+ *client_cert = (krb5_pkinit_signing_cert_t)idRef;
}
errOut:
if(theDict) {
- CFRelease(theDict);
+ CFRelease(theDict);
}
return ourRtn;
}
-/*
+/*
* Determine if the specified client has a signing cert. Returns TRUE
* if so, else returns FALSE.
*/
krb5_boolean krb5_pkinit_have_client_cert(
- const char *principal) /* full principal string */
+ const char *principal) /* full principal string */
{
krb5_pkinit_signing_cert_t signing_cert = NULL;
krb5_error_code krtn;
-
+
krtn = krb5_pkinit_get_client_cert(principal, &signing_cert);
if(krtn) {
- return FALSE;
+ return FALSE;
}
if(signing_cert != NULL) {
- krb5_pkinit_release_cert(signing_cert);
- return TRUE;
+ krb5_pkinit_release_cert(signing_cert);
+ return TRUE;
}
else {
- return FALSE;
+ return FALSE;
}
}
@@ -341,8 +342,8 @@ krb5_boolean krb5_pkinit_have_client_cert(
* in the cert storage.
*/
krb5_error_code krb5_pkinit_set_client_cert_from_signing_cert(
- const char *principal, /* full principal string */
- krb5_pkinit_signing_cert_t client_cert)
+ const char *principal, /* full principal string */
+ krb5_pkinit_signing_cert_t client_cert)
{
SecIdentityRef idRef = (SecIdentityRef)client_cert;
SecCertificateRef certRef = NULL;
@@ -350,22 +351,22 @@ krb5_error_code krb5_pkinit_set_client_cert_from_signing_cert(
krb5_error_code ourRtn = 0;
if (NULL != idRef) {
- if (CFGetTypeID(idRef) != SecIdentityGetTypeID()) {
- ourRtn = KRB5KRB_ERR_GENERIC;
- goto fin;
- }
- /* Get the cert */
- ortn = SecIdentityCopyCertificate(idRef, &certRef);
- if (ortn) {
- pkiCssmErr("SecIdentityCopyCertificate", ortn);
- ourRtn = KRB5KRB_ERR_GENERIC;
- goto fin;
- }
+ if (CFGetTypeID(idRef) != SecIdentityGetTypeID()) {
+ ourRtn = KRB5KRB_ERR_GENERIC;
+ goto fin;
+ }
+ /* Get the cert */
+ ortn = SecIdentityCopyCertificate(idRef, &certRef);
+ if (ortn) {
+ pkiCssmErr("SecIdentityCopyCertificate", ortn);
+ ourRtn = KRB5KRB_ERR_GENERIC;
+ goto fin;
+ }
}
ourRtn = krb5_pkinit_set_client_cert(principal, (krb5_pkinit_cert_t)certRef);
fin:
if (certRef)
- CFRelease(certRef);
+ CFRelease(certRef);
return ourRtn;
}
@@ -377,8 +378,8 @@ fin:
* in the cert storage.
*/
krb5_error_code krb5_pkinit_set_client_cert(
- const char *principal, /* full principal string */
- krb5_pkinit_cert_t client_cert)
+ const char *principal, /* full principal string */
+ krb5_pkinit_cert_t client_cert)
{
SecCertificateRef certRef = (SecCertificateRef)client_cert;
OSStatus ortn;
@@ -388,108 +389,108 @@ krb5_error_code krb5_pkinit_set_client_cert(
CFMutableDictionaryRef newDict = NULL;
CFStringRef keyStr = NULL;
krb5_error_code ourRtn = 0;
-
+
if(certRef != NULL) {
- if(CFGetTypeID(certRef) != SecCertificateGetTypeID()) {
- return KRB5KRB_ERR_GENERIC;
- }
-
- /* Cook up DER-encoded issuer/serial number */
- ortn = pkinit_get_cert_issuer_sn(certRef, &issuerSerial);
- if(ortn) {
- ourRtn = KRB5KRB_ERR_GENERIC;
- goto errOut;
- }
- }
-
- /*
+ if(CFGetTypeID(certRef) != SecCertificateGetTypeID()) {
+ return KRB5KRB_ERR_GENERIC;
+ }
+
+ /* Cook up DER-encoded issuer/serial number */
+ ortn = pkinit_get_cert_issuer_sn(certRef, &issuerSerial);
+ if(ortn) {
+ ourRtn = KRB5KRB_ERR_GENERIC;
+ goto errOut;
+ }
+ }
+
+ /*
* Obtain the existing pref for kPkinitClientCertKey as a CFDictionary, or
- * cook up a new one.
+ * cook up a new one.
*/
ortn = pkinit_get_pref_dict(&existDict);
if(ortn == noErr) {
- /* dup to a mutable dictionary */
- newDict = CFDictionaryCreateMutableCopy(NULL, 0, existDict);
+ /* dup to a mutable dictionary */
+ newDict = CFDictionaryCreateMutableCopy(NULL, 0, existDict);
}
else {
- if(certRef == NULL) {
- /* no existing entry, nothing to delete, we're done */
- return 0;
- }
- newDict = CFDictionaryCreateMutable(NULL, 0,
- &kCFCopyStringDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
+ if(certRef == NULL) {
+ /* no existing entry, nothing to delete, we're done */
+ return 0;
+ }
+ newDict = CFDictionaryCreateMutable(NULL, 0,
+ &kCFCopyStringDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
}
if(newDict == NULL) {
- ourRtn = ENOMEM;
- goto errOut;
+ ourRtn = ENOMEM;
+ goto errOut;
}
/* issuer / serial number ==> that dictionary */
keyStr = CFStringCreateWithCString(NULL, principal, kCFStringEncodingASCII);
if(certRef == NULL) {
- CFDictionaryRemoveValue(newDict, keyStr);
+ CFDictionaryRemoveValue(newDict, keyStr);
}
else {
- cfIssuerSerial = CFDataCreate(NULL, issuerSerial.Data, issuerSerial.Length);
- CFDictionarySetValue(newDict, keyStr, cfIssuerSerial);
+ cfIssuerSerial = CFDataCreate(NULL, issuerSerial.Data, issuerSerial.Length);
+ CFDictionarySetValue(newDict, keyStr, cfIssuerSerial);
}
-
+
/* dictionary ==> prefs */
- CFPreferencesSetValue(CFSTR(kPkinitClientCertKey), newDict,
- CFSTR(kPkinitClientCertApp), kCFPreferencesCurrentUser, kCFPreferencesAnyHost);
- if(CFPreferencesSynchronize(CFSTR(kPkinitClientCertApp), kCFPreferencesCurrentUser,
- kCFPreferencesAnyHost)) {
- ourRtn = 0;
+ CFPreferencesSetValue(CFSTR(kPkinitClientCertKey), newDict,
+ CFSTR(kPkinitClientCertApp), kCFPreferencesCurrentUser, kCFPreferencesAnyHost);
+ if(CFPreferencesSynchronize(CFSTR(kPkinitClientCertApp), kCFPreferencesCurrentUser,
+ kCFPreferencesAnyHost)) {
+ ourRtn = 0;
}
else {
- ourRtn = EACCES; /* any better ideas? */
+ ourRtn = EACCES; /* any better ideas? */
}
errOut:
if(cfIssuerSerial) {
- CFRelease(cfIssuerSerial);
+ CFRelease(cfIssuerSerial);
}
if(issuerSerial.Data) {
- free(issuerSerial.Data);
+ free(issuerSerial.Data);
}
if(existDict) {
- CFRelease(existDict);
+ CFRelease(existDict);
}
if(newDict) {
- CFRelease(newDict);
+ CFRelease(newDict);
}
if(keyStr) {
- CFRelease(keyStr);
+ CFRelease(keyStr);
}
return ourRtn;
}
-/*
+/*
* Obtain a reference to the client's cert database. Specify either principal
* name or client_cert as obtained from krb5_pkinit_get_client_cert().
*/
krb5_error_code krb5_pkinit_get_client_cert_db(
- const char *principal, /* full principal string */
- krb5_pkinit_signing_cert_t client_cert, /* optional, from krb5_pkinit_get_client_cert() */
- krb5_pkinit_cert_db_t *client_cert_db)/* RETURNED */
+ const char *principal, /* full principal string */
+ krb5_pkinit_signing_cert_t client_cert, /* optional, from krb5_pkinit_get_client_cert() */
+ krb5_pkinit_cert_db_t *client_cert_db)/* RETURNED */
{
krb5_error_code krtn;
krb5_pkinit_signing_cert_t local_cert;
-
+
assert((client_cert != NULL) || (principal != NULL));
if(client_cert == NULL) {
- /* caller didn't provide, look it up */
- krtn = krb5_pkinit_get_client_cert(principal, &local_cert);
- if(krtn) {
- return krtn;
- }
+ /* caller didn't provide, look it up */
+ krtn = krb5_pkinit_get_client_cert(principal, &local_cert);
+ if(krtn) {
+ return krtn;
+ }
}
else {
- /* easy case */
- local_cert = client_cert;
+ /* easy case */
+ local_cert = client_cert;
}
krtn = pkinit_cert_to_db(local_cert, client_cert_db);
if(client_cert == NULL) {
- krb5_pkinit_release_cert(local_cert);
+ krb5_pkinit_release_cert(local_cert);
}
return krtn;
}
@@ -503,28 +504,28 @@ krb5_error_code krb5_pkinit_get_client_cert_db(
* The client_spec argument is typically provided by the client as kdcPkId.
*/
krb5_error_code krb5_pkinit_get_kdc_cert(
- krb5_ui_4 num_trusted_CAs, /* sizeof *trusted_CAs */
- krb5_data *trusted_CAs, /* optional */
- krb5_data *client_spec, /* optional */
+ krb5_ui_4 num_trusted_CAs, /* sizeof *trusted_CAs */
+ krb5_data *trusted_CAs, /* optional */
+ krb5_data *client_spec, /* optional */
krb5_pkinit_signing_cert_t *kdc_cert)
{
SecIdentityRef idRef = NULL;
OSStatus ortn;
krb5_error_code ourRtn = 0;
-
+
/* OS X: trusted_CAs and client_spec ignored */
-
+
ortn = SecIdentityCopySystemIdentity(kSecIdentityDomainKerberosKDC,
- &idRef, NULL);
+ &idRef, NULL);
if(ortn) {
- pkiCssmErr("SecIdentityCopySystemIdentity", ortn);
- return KRB5_PRINC_NOMATCH;
+ pkiCssmErr("SecIdentityCopySystemIdentity", ortn);
+ return KRB5_PRINC_NOMATCH;
}
*kdc_cert = (krb5_pkinit_signing_cert_t)idRef;
return ourRtn;
}
-/*
+/*
* Obtain a reference to the KDC's cert database.
*/
krb5_error_code krb5_pkinit_get_kdc_cert_db(
@@ -532,10 +533,10 @@ krb5_error_code krb5_pkinit_get_kdc_cert_db(
{
krb5_pkinit_signing_cert_t kdcCert = NULL;
krb5_error_code krtn;
-
+
krtn = krb5_pkinit_get_kdc_cert(0, NULL, NULL, &kdcCert);
if(krtn) {
- return krtn;
+ return krtn;
}
krtn = pkinit_cert_to_db(kdcCert, kdc_cert_db);
krb5_pkinit_release_cert(kdcCert);
@@ -550,7 +551,7 @@ void krb5_pkinit_release_cert(
krb5_pkinit_signing_cert_t cert)
{
if(cert == NULL) {
- return;
+ return;
}
CFRelease((CFTypeRef)cert);
}
@@ -560,18 +561,18 @@ void krb5_pkinit_release_cert(
* krb5_pkinit_get_kdc_cert_db().
*/
extern void krb5_pkinit_release_cert_db(
- krb5_pkinit_cert_db_t cert_db)
+ krb5_pkinit_cert_db_t cert_db)
{
if(cert_db == NULL) {
- return;
+ return;
}
CFRelease((CFTypeRef)cert_db);
}
-/*
- * Obtain a mallocd C-string representation of a certificate's SHA1 digest.
- * Only error is a NULL return indicating memory failure.
+/*
+ * Obtain a mallocd C-string representation of a certificate's SHA1 digest.
+ * Only error is a NULL return indicating memory failure.
* Caller must free the returned string.
*/
char *krb5_pkinit_cert_hash_str(
@@ -582,37 +583,37 @@ char *krb5_pkinit_cert_hash_str(
char *cpOut;
unsigned char digest[CC_SHA1_DIGEST_LENGTH];
unsigned dex;
-
+
assert(cert != NULL);
CC_SHA1_Init(&ctx);
CC_SHA1_Update(&ctx, cert->data, cert->length);
CC_SHA1_Final(digest, &ctx);
-
+
outstr = (char *)malloc((2 * CC_SHA1_DIGEST_LENGTH) + 1);
if(outstr == NULL) {
- return NULL;
+ return NULL;
}
cpOut = outstr;
for(dex=0; dex<CC_SHA1_DIGEST_LENGTH; dex++) {
- snprintf(cpOut, 3, "%02X", (unsigned)(digest[dex]));
- cpOut += 2;
+ snprintf(cpOut, 3, "%02X", (unsigned)(digest[dex]));
+ cpOut += 2;
}
*cpOut = '\0';
return outstr;
}
-/*
+/*
* Obtain a client's optional list of trusted KDC CA certs (trustedCertifiers)
- * and/or trusted KDC cert (kdcPkId) for a given client and server.
- * All returned values are mallocd and must be freed by caller; the contents
- * of the krb5_datas are DER-encoded certificates.
+ * and/or trusted KDC cert (kdcPkId) for a given client and server.
+ * All returned values are mallocd and must be freed by caller; the contents
+ * of the krb5_datas are DER-encoded certificates.
*/
krb5_error_code krb5_pkinit_get_server_certs(
const char *client_principal,
const char *server_principal,
- krb5_data **trusted_CAs, /* RETURNED, though return value may be NULL */
- krb5_ui_4 *num_trusted_CAs, /* RETURNED */
- krb5_data *kdc_cert) /* RETURNED, though may be 0/NULL */
+ krb5_data **trusted_CAs, /* RETURNED, though return value may be NULL */
+ krb5_ui_4 *num_trusted_CAs, /* RETURNED */
+ krb5_data *kdc_cert) /* RETURNED, though may be 0/NULL */
{
/* nothing for now */
*trusted_CAs = NULL;
diff --git a/src/lib/krb5/krb/pkinit_apple_client.c b/src/lib/krb5/krb/pkinit_apple_client.c
index d98fc76c0..b2b6cb990 100644
--- a/src/lib/krb5/krb/pkinit_apple_client.c
+++ b/src/lib/krb5/krb/pkinit_apple_client.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* Copyright (c) 2004-2008 Apple Inc. All Rights Reserved.
*
@@ -45,131 +46,131 @@
* Create a PA-PK-AS-REQ message.
*/
krb5_error_code krb5int_pkinit_as_req_create(
- krb5_context context,
- krb5_timestamp kctime,
- krb5_int32 cusec, /* microseconds */
- krb5_ui_4 nonce,
- const krb5_checksum *cksum,
- krb5_pkinit_signing_cert_t client_cert, /* required */
- const krb5_data *trusted_CAs, /* optional list of CA certs */
- krb5_ui_4 num_trusted_CAs,
- const krb5_data *kdc_cert, /* optional KDC cert */
- krb5_data *as_req) /* mallocd and RETURNED */
+ krb5_context context,
+ krb5_timestamp kctime,
+ krb5_int32 cusec, /* microseconds */
+ krb5_ui_4 nonce,
+ const krb5_checksum *cksum,
+ krb5_pkinit_signing_cert_t client_cert, /* required */
+ const krb5_data *trusted_CAs, /* optional list of CA certs */
+ krb5_ui_4 num_trusted_CAs,
+ const krb5_data *kdc_cert, /* optional KDC cert */
+ krb5_data *as_req) /* mallocd and RETURNED */
{
krb5_data auth_pack = {0};
krb5_error_code krtn;
krb5_data content_info = {0};
krb5int_algorithm_id *cms_types = NULL;
krb5_ui_4 num_cms_types = 0;
-
+
/* issuer/serial numbers for trusted_CAs and kdc_cert, if we have them */
- krb5_data *ca_issuer_sn = NULL; /* issuer/serial_num for trusted_CAs */
- krb5_data kdc_issuer_sn = {0}; /* issuer/serial_num for kdc_cert */
+ krb5_data *ca_issuer_sn = NULL; /* issuer/serial_num for trusted_CAs */
+ krb5_data kdc_issuer_sn = {0}; /* issuer/serial_num for kdc_cert */
krb5_data *kdc_issuer_sn_p = NULL;
-
+
/* optional platform-dependent CMS algorithm preference */
krtn = krb5int_pkinit_get_cms_types(&cms_types, &num_cms_types);
if(krtn) {
- return krtn;
+ return krtn;
}
-
+
/* encode the core authPack */
- krtn = krb5int_pkinit_auth_pack_encode(kctime, cusec, nonce, cksum,
- cms_types, num_cms_types,
- &auth_pack);
+ krtn = krb5int_pkinit_auth_pack_encode(kctime, cusec, nonce, cksum,
+ cms_types, num_cms_types,
+ &auth_pack);
if(krtn) {
- goto errOut;
+ goto errOut;
}
/* package the AuthPack up in a SignedData inside a ContentInfo */
- krtn = krb5int_pkinit_create_cms_msg(&auth_pack,
- client_cert,
- NULL, /* recip_cert */
- ECT_PkAuthData,
- 0, NULL, /* cms_types */
- &content_info);
+ krtn = krb5int_pkinit_create_cms_msg(&auth_pack,
+ client_cert,
+ NULL, /* recip_cert */
+ ECT_PkAuthData,
+ 0, NULL, /* cms_types */
+ &content_info);
if(krtn) {
- goto errOut;
+ goto errOut;
}
-
+
/* if we have trusted_CAs, get issuer/serials */
if(trusted_CAs) {
- unsigned dex;
- ca_issuer_sn = (krb5_data *)malloc(num_trusted_CAs * sizeof(krb5_data));
- if(ca_issuer_sn == NULL) {
- krtn = ENOMEM;
- goto errOut;
- }
- for(dex=0; dex<num_trusted_CAs; dex++) {
- krtn = krb5int_pkinit_get_issuer_serial(&trusted_CAs[dex],
- &ca_issuer_sn[dex]);
- if(krtn) {
- goto errOut;
- }
- }
+ unsigned dex;
+ ca_issuer_sn = (krb5_data *)malloc(num_trusted_CAs * sizeof(krb5_data));
+ if(ca_issuer_sn == NULL) {
+ krtn = ENOMEM;
+ goto errOut;
+ }
+ for(dex=0; dex<num_trusted_CAs; dex++) {
+ krtn = krb5int_pkinit_get_issuer_serial(&trusted_CAs[dex],
+ &ca_issuer_sn[dex]);
+ if(krtn) {
+ goto errOut;
+ }
+ }
}
-
+
/* If we have a KDC cert, get its issuer/serial */
if(kdc_cert) {
- krtn = krb5int_pkinit_get_issuer_serial(kdc_cert, &kdc_issuer_sn);
- if(krtn) {
- goto errOut;
- }
- kdc_issuer_sn_p = &kdc_issuer_sn;
+ krtn = krb5int_pkinit_get_issuer_serial(kdc_cert, &kdc_issuer_sn);
+ if(krtn) {
+ goto errOut;
+ }
+ kdc_issuer_sn_p = &kdc_issuer_sn;
}
-
+
/* cook up PA-PK-AS-REQ */
- krtn = krb5int_pkinit_pa_pk_as_req_encode(&content_info,
- ca_issuer_sn, num_trusted_CAs,
- kdc_issuer_sn_p,
- as_req);
-
+ krtn = krb5int_pkinit_pa_pk_as_req_encode(&content_info,
+ ca_issuer_sn, num_trusted_CAs,
+ kdc_issuer_sn_p,
+ as_req);
+
errOut:
if(cms_types) {
- krb5int_pkinit_free_cms_types(cms_types, num_cms_types);
+ krb5int_pkinit_free_cms_types(cms_types, num_cms_types);
}
if(auth_pack.data) {
- free(auth_pack.data);
+ free(auth_pack.data);
}
if(content_info.data) {
- free(content_info.data);
+ free(content_info.data);
}
if(trusted_CAs) {
- unsigned dex;
- for(dex=0; dex<num_trusted_CAs; dex++) {
- free(ca_issuer_sn[dex].data);
- }
- free(ca_issuer_sn);
+ unsigned dex;
+ for(dex=0; dex<num_trusted_CAs; dex++) {
+ free(ca_issuer_sn[dex].data);
+ }
+ free(ca_issuer_sn);
}
if(kdc_cert) {
- free(kdc_issuer_sn.data);
+ free(kdc_issuer_sn.data);
}
return krtn;
}
/*
- * Parse PA-PK-AS-REP message. Optionally evaluates the message's certificate chain.
- * Optionally returns various components.
+ * Parse PA-PK-AS-REP message. Optionally evaluates the message's certificate chain.
+ * Optionally returns various components.
*/
krb5_error_code krb5int_pkinit_as_rep_parse(
- krb5_context context,
- const krb5_data *as_rep,
- krb5_pkinit_signing_cert_t client_cert, /* required */
- krb5_keyblock *key_block, /* RETURNED */
- krb5_checksum *checksum, /* checksum of corresponding AS-REQ */
- /* contents mallocd and RETURNED */
- krb5int_cert_sig_status *cert_status, /* RETURNED */
+ krb5_context context,
+ const krb5_data *as_rep,
+ krb5_pkinit_signing_cert_t client_cert, /* required */
+ krb5_keyblock *key_block, /* RETURNED */
+ krb5_checksum *checksum, /* checksum of corresponding AS-REQ */
+ /* contents mallocd and RETURNED */
+ krb5int_cert_sig_status *cert_status, /* RETURNED */
/*
* Cert fields, all optionally RETURNED.
*
* signer_cert is the full X.509 leaf cert from the incoming SignedData.
* all_certs is an array of all of the certs in the incoming SignedData,
- * in full X.509 form.
+ * in full X.509 form.
*/
- krb5_data *signer_cert, /* content mallocd */
- unsigned *num_all_certs, /* sizeof *all_certs */
- krb5_data **all_certs) /* krb5_data's and their content mallocd */
+ krb5_data *signer_cert, /* content mallocd */
+ unsigned *num_all_certs, /* sizeof *all_certs */
+ krb5_data **all_certs) /* krb5_data's and their content mallocd */
{
krb5_data reply_key_pack = {0, 0, NULL};
krb5_error_code krtn;
@@ -179,83 +180,83 @@ krb5_error_code krb5int_pkinit_as_rep_parse(
krb5_pkinit_cert_db_t cert_db = NULL;
krb5_boolean is_signed;
krb5_boolean is_encrypted;
-
- assert((as_rep != NULL) && (checksum != NULL) &&
+
+ assert((as_rep != NULL) && (checksum != NULL) &&
(key_block != NULL) && (cert_status != NULL));
-
- /*
+
+ /*
* Decode the top-level PA-PK-AS-REP
*/
krtn = krb5int_pkinit_pa_pk_as_rep_decode(as_rep, &dh_signed_data, &enc_key_pack);
if(krtn) {
- pkiCssmErr("krb5int_pkinit_pa_pk_as_rep_decode", krtn);
- return krtn;
+ pkiCssmErr("krb5int_pkinit_pa_pk_as_rep_decode", krtn);
+ return krtn;
}
if(dh_signed_data.data) {
- /* not for this implementation... */
- pkiDebug("krb5int_pkinit_as_rep_parse: unexpected dh_signed_data\n");
- krtn = ASN1_BAD_FORMAT;
- goto err_out;
+ /* not for this implementation... */
+ pkiDebug("krb5int_pkinit_as_rep_parse: unexpected dh_signed_data\n");
+ krtn = ASN1_BAD_FORMAT;
+ goto err_out;
}
if(enc_key_pack.data == NULL) {
- /* REQUIRED for this implementation... */
- pkiDebug("krb5int_pkinit_as_rep_parse: no enc_key_pack\n");
- krtn = ASN1_BAD_FORMAT;
- goto err_out;
+ /* REQUIRED for this implementation... */
+ pkiDebug("krb5int_pkinit_as_rep_parse: no enc_key_pack\n");
+ krtn = ASN1_BAD_FORMAT;
+ goto err_out;
}
-
+
krtn = krb5_pkinit_get_client_cert_db(NULL, client_cert, &cert_db);
if(krtn) {
- pkiDebug("krb5int_pkinit_as_rep_parse: error in krb5_pkinit_get_client_cert_db\n");
- goto err_out;
+ pkiDebug("krb5int_pkinit_as_rep_parse: error in krb5_pkinit_get_client_cert_db\n");
+ goto err_out;
}
/*
- * enc_key_pack is an EnvelopedData(SignedData(keyPack), encrypted
- * with our cert (which krb5int_pkinit_parse_content_info() finds
+ * enc_key_pack is an EnvelopedData(SignedData(keyPack), encrypted
+ * with our cert (which krb5int_pkinit_parse_content_info() finds
* implicitly).
*/
krtn = krb5int_pkinit_parse_cms_msg(&enc_key_pack, cert_db, FALSE,
- &is_signed, &is_encrypted,
- &reply_key_pack, &content_type,
- signer_cert, cert_status, num_all_certs, all_certs);
+ &is_signed, &is_encrypted,
+ &reply_key_pack, &content_type,
+ signer_cert, cert_status, num_all_certs, all_certs);
if(krtn) {
- pkiDebug("krb5int_pkinit_as_rep_parse: error decoding EnvelopedData\n");
- goto err_out;
+ pkiDebug("krb5int_pkinit_as_rep_parse: error decoding EnvelopedData\n");
+ goto err_out;
}
if(!is_encrypted || !is_signed) {
- pkiDebug("krb5int_pkinit_as_rep_parse: not signed and encrypted!\n");
- krtn = KRB5_PARSE_MALFORMED;
- goto err_out;
+ pkiDebug("krb5int_pkinit_as_rep_parse: not signed and encrypted!\n");
+ krtn = KRB5_PARSE_MALFORMED;
+ goto err_out;
}
if(content_type != ECT_PkReplyKeyKata) {
- pkiDebug("replyKeyPack eContentType %d!\n", (int)content_type);
- krtn = KRB5_PARSE_MALFORMED;
- goto err_out;
+ pkiDebug("replyKeyPack eContentType %d!\n", (int)content_type);
+ krtn = KRB5_PARSE_MALFORMED;
+ goto err_out;
}
-
- /*
+
+ /*
* Finally, decode that inner content as the ReplyKeyPack which contains
* the actual key and nonce
*/
krtn = krb5int_pkinit_reply_key_pack_decode(&reply_key_pack, key_block, checksum);
if(krtn) {
- pkiDebug("krb5int_pkinit_as_rep_parse: error decoding ReplyKeyPack\n");
+ pkiDebug("krb5int_pkinit_as_rep_parse: error decoding ReplyKeyPack\n");
}
-
+
err_out:
/* free temp mallocd data that we didn't pass back to caller */
if(reply_key_pack.data) {
- free(reply_key_pack.data);
+ free(reply_key_pack.data);
}
if(enc_key_pack.data) {
- free(enc_key_pack.data);
+ free(enc_key_pack.data);
}
if(dh_signed_data.data) {
- free(dh_signed_data.data);
+ free(dh_signed_data.data);
}
if(cert_db) {
- krb5_pkinit_release_cert_db(cert_db);
+ krb5_pkinit_release_cert_db(cert_db);
}
return krtn;
}
diff --git a/src/lib/krb5/krb/pkinit_apple_cms.c b/src/lib/krb5/krb/pkinit_apple_cms.c
index 353bcab40..f11b4ee64 100644
--- a/src/lib/krb5/krb/pkinit_apple_cms.c
+++ b/src/lib/krb5/krb/pkinit_apple_cms.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* Copyright (c) 2004-2008 Apple Inc. All Rights Reserved.
*
@@ -42,20 +43,20 @@
#include <CoreServices/../Frameworks/CarbonCore.framework/Headers/MacErrors.h>
#include <CoreServices/../Frameworks/CarbonCore.framework/Headers/MacTypes.h>
-/*
- * Custom OIDS to specify as eContentType
+/*
+ * Custom OIDS to specify as eContentType
*/
-#define OID_PKINIT 0x2B, 6, 1, 5, 2, 3
-#define OID_PKINIT_LEN 6
+#define OID_PKINIT 0x2B, 6, 1, 5, 2, 3
+#define OID_PKINIT_LEN 6
-static const uint8 OID_PKINIT_AUTH_DATA[] = {OID_PKINIT, 1};
-static const uint8 OID_PKINIT_RKEY_DATA[] = {OID_PKINIT, 3};
+static const uint8 OID_PKINIT_AUTH_DATA[] = {OID_PKINIT, 1};
+static const uint8 OID_PKINIT_RKEY_DATA[] = {OID_PKINIT, 3};
/* these may go public so keep these symbols private */
-static const CSSM_OID _CSSMOID_PKINIT_AUTH_DATA =
- {OID_PKINIT_LEN+1, (uint8 *)OID_PKINIT_AUTH_DATA};
-static const CSSM_OID _CSSMOID_PKINIT_RKEY_DATA =
- {OID_PKINIT_LEN+1, (uint8 *)OID_PKINIT_RKEY_DATA};
+static const CSSM_OID _CSSMOID_PKINIT_AUTH_DATA =
+{OID_PKINIT_LEN+1, (uint8 *)OID_PKINIT_AUTH_DATA};
+static const CSSM_OID _CSSMOID_PKINIT_RKEY_DATA =
+{OID_PKINIT_LEN+1, (uint8 *)OID_PKINIT_RKEY_DATA};
#pragma mark ----- CMS utilities ----
@@ -69,26 +70,26 @@ static krb5int_cert_sig_status pkiCertSigStatus(
OSStatus certStatus)
{
switch(certStatus) {
- case CSSM_OK:
- return pki_cs_good;
- case CSSMERR_CSP_VERIFY_FAILED:
- return pki_cs_sig_verify_fail;
- case CSSMERR_TP_NOT_TRUSTED:
- return pki_cs_no_root;
- case CSSMERR_TP_INVALID_ANCHOR_CERT:
- return pki_cs_unknown_root;
- case CSSMERR_TP_CERT_EXPIRED:
- return pki_cs_expired;
- case CSSMERR_TP_CERT_NOT_VALID_YET:
- return pki_cs_not_valid_yet;
- case CSSMERR_TP_CERT_REVOKED:
- return pki_cs_revoked;
- case KRB5_KDB_UNAUTH:
- return pki_cs_untrusted;
- case CSSMERR_TP_INVALID_CERTIFICATE:
- return pki_cs_bad_leaf;
- default:
- return pki_cs_other_err;
+ case CSSM_OK:
+ return pki_cs_good;
+ case CSSMERR_CSP_VERIFY_FAILED:
+ return pki_cs_sig_verify_fail;
+ case CSSMERR_TP_NOT_TRUSTED:
+ return pki_cs_no_root;
+ case CSSMERR_TP_INVALID_ANCHOR_CERT:
+ return pki_cs_unknown_root;
+ case CSSMERR_TP_CERT_EXPIRED:
+ return pki_cs_expired;
+ case CSSMERR_TP_CERT_NOT_VALID_YET:
+ return pki_cs_not_valid_yet;
+ case CSSMERR_TP_CERT_REVOKED:
+ return pki_cs_revoked;
+ case KRB5_KDB_UNAUTH:
+ return pki_cs_untrusted;
+ case CSSMERR_TP_INVALID_CERTIFICATE:
+ return pki_cs_bad_leaf;
+ default:
+ return pki_cs_other_err;
}
}
@@ -99,24 +100,24 @@ static krb5int_cert_sig_status pkiCertSigStatus(
*/
static krb5int_cert_sig_status pkiInferSigStatus(
CMSSignerStatus cms_status,
- OSStatus tp_status)
+ OSStatus tp_status)
{
switch(cms_status) {
- case kCMSSignerUnsigned:
- return pki_not_signed;
- case kCMSSignerValid:
- return pki_cs_good;
- case kCMSSignerNeedsDetachedContent:
- return pki_bad_cms;
- case kCMSSignerInvalidSignature:
- return pki_cs_sig_verify_fail;
- case kCMSSignerInvalidCert:
- /* proceed with TP status */
- break;
- default:
- return pki_cs_other_err;
+ case kCMSSignerUnsigned:
+ return pki_not_signed;
+ case kCMSSignerValid:
+ return pki_cs_good;
+ case kCMSSignerNeedsDetachedContent:
+ return pki_bad_cms;
+ case kCMSSignerInvalidSignature:
+ return pki_cs_sig_verify_fail;
+ case kCMSSignerInvalidCert:
+ /* proceed with TP status */
+ break;
+ default:
+ return pki_cs_other_err;
}
-
+
/* signature good, infer end status from TP verify */
return pkiCertSigStatus(tp_status);
}
@@ -130,15 +131,15 @@ static OSStatus pkiKrb5DataToSecCert(
{
CSSM_DATA certData;
OSStatus ortn;
-
+
assert((rawCert != NULL) && (secCert != NULL));
-
+
certData.Data = (uint8 *)rawCert->data;
certData.Length = rawCert->length;
- ortn = SecCertificateCreateFromData(&certData, CSSM_CERT_X_509v3,
- CSSM_CERT_ENCODING_DER, secCert);
+ ortn = SecCertificateCreateFromData(&certData, CSSM_CERT_X_509v3,
+ CSSM_CERT_ENCODING_DER, secCert);
if(ortn) {
- pkiCssmErr("SecCertificateCreateFromData", ortn);
+ pkiCssmErr("SecCertificateCreateFromData", ortn);
}
return ortn;
}
@@ -148,52 +149,52 @@ static OSStatus pkiKrb5DataToSecCert(
*/
static krb5_error_code pkiCertArrayToKrb5Data(
CFArrayRef cf_certs,
- unsigned *num_all_certs,
- krb5_data **all_certs)
+ unsigned *num_all_certs,
+ krb5_data **all_certs)
{
CFIndex num_certs;
krb5_data *allCerts = NULL;
krb5_error_code krtn = 0;
CFIndex dex;
-
+
if(cf_certs == NULL) {
- *all_certs = NULL;
- return 0;
+ *all_certs = NULL;
+ return 0;
}
num_certs = CFArrayGetCount(cf_certs);
*num_all_certs = (unsigned)num_certs;
if(num_certs == 0) {
- *all_certs = NULL;
- return 0;
+ *all_certs = NULL;
+ return 0;
}
allCerts = (krb5_data *)malloc(sizeof(krb5_data) * num_certs);
if(allCerts == NULL) {
- return ENOMEM;
+ return ENOMEM;
}
- for(dex=0; dex<num_certs; dex++) {
- CSSM_DATA cert_data;
- OSStatus ortn;
- SecCertificateRef sec_cert;
-
- sec_cert = (SecCertificateRef)CFArrayGetValueAtIndex(cf_certs, dex);
- ortn = SecCertificateGetData(sec_cert, &cert_data);
- if(ortn) {
- pkiCssmErr("SecCertificateGetData", ortn);
- krtn = KRB5_PARSE_MALFORMED;
- break;
- }
- krtn = pkiCssmDataToKrb5Data(&cert_data, &allCerts[dex]);
- if(krtn) {
- break;
- }
+ for(dex=0; dex<num_certs; dex++) {
+ CSSM_DATA cert_data;
+ OSStatus ortn;
+ SecCertificateRef sec_cert;
+
+ sec_cert = (SecCertificateRef)CFArrayGetValueAtIndex(cf_certs, dex);
+ ortn = SecCertificateGetData(sec_cert, &cert_data);
+ if(ortn) {
+ pkiCssmErr("SecCertificateGetData", ortn);
+ krtn = KRB5_PARSE_MALFORMED;
+ break;
+ }
+ krtn = pkiCssmDataToKrb5Data(&cert_data, &allCerts[dex]);
+ if(krtn) {
+ break;
+ }
}
if(krtn) {
- if(allCerts) {
- free(allCerts);
- }
+ if(allCerts) {
+ free(allCerts);
+ }
}
else {
- *all_certs = allCerts;
+ *all_certs = allCerts;
}
return krtn;
}
@@ -201,78 +202,78 @@ static krb5_error_code pkiCertArrayToKrb5Data(
#pragma mark ----- Create CMS message -----
/*
- * Create a CMS message: either encrypted (EnvelopedData), signed
+ * Create a CMS message: either encrypted (EnvelopedData), signed
* (SignedData), or both (EnvelopedData(SignedData(content)).
*
* The message is signed iff signing_cert is non-NULL.
* The message is encrypted iff recip_cert is non-NULL.
*
* The content_type argument specifies to the eContentType
- * for a SignedData's EncapsulatedContentInfo.
+ * for a SignedData's EncapsulatedContentInfo.
*/
krb5_error_code krb5int_pkinit_create_cms_msg(
- const krb5_data *content, /* Content */
- krb5_pkinit_signing_cert_t signing_cert, /* optional: signed by this cert */
- const krb5_data *recip_cert, /* optional: encrypted with this cert */
- krb5int_cms_content_type content_type, /* OID for EncapsulatedData */
- krb5_ui_4 num_cms_types, /* optional, unused here */
- const krb5int_algorithm_id *cms_types, /* optional, unused here */
- krb5_data *content_info) /* contents mallocd and RETURNED */
+ const krb5_data *content, /* Content */
+ krb5_pkinit_signing_cert_t signing_cert, /* optional: signed by this cert */
+ const krb5_data *recip_cert, /* optional: encrypted with this cert */
+ krb5int_cms_content_type content_type, /* OID for EncapsulatedData */
+ krb5_ui_4 num_cms_types, /* optional, unused here */
+ const krb5int_algorithm_id *cms_types, /* optional, unused here */
+ krb5_data *content_info) /* contents mallocd and RETURNED */
{
krb5_error_code krtn;
OSStatus ortn;
SecCertificateRef sec_recip = NULL;
CFDataRef cf_content = NULL;
const CSSM_OID *eContentOid = NULL;
-
+
if((signing_cert == NULL) && (recip_cert == NULL)) {
- /* must have one or the other */
- pkiDebug("krb5int_pkinit_create_cms_msg: no signer or recipient\n");
- return KRB5_CRYPTO_INTERNAL;
+ /* must have one or the other */
+ pkiDebug("krb5int_pkinit_create_cms_msg: no signer or recipient\n");
+ return KRB5_CRYPTO_INTERNAL;
}
-
- /*
- * Optional signer cert. Note signing_cert, if present, is
- * a SecIdentityRef.
+
+ /*
+ * Optional signer cert. Note signing_cert, if present, is
+ * a SecIdentityRef.
*/
if(recip_cert) {
- if(pkiKrb5DataToSecCert(recip_cert, &sec_recip)) {
- krtn = ASN1_BAD_FORMAT;
- goto errOut;
- }
+ if(pkiKrb5DataToSecCert(recip_cert, &sec_recip)) {
+ krtn = ASN1_BAD_FORMAT;
+ goto errOut;
+ }
}
-
+
/* optional eContentType */
if(signing_cert) {
- switch(content_type) {
- case ECT_PkAuthData:
- eContentOid = &_CSSMOID_PKINIT_AUTH_DATA;
- break;
- case ECT_PkReplyKeyKata:
- eContentOid = &_CSSMOID_PKINIT_RKEY_DATA;
- break;
- case ECT_Data:
- /* the only standard/default case we allow */
- break;
- default:
- /* others: no can do */
- pkiDebug("krb5int_pkinit_create_cms_msg: bad contentType\n");
- krtn = KRB5_CRYPTO_INTERNAL;
- goto errOut;
- }
+ switch(content_type) {
+ case ECT_PkAuthData:
+ eContentOid = &_CSSMOID_PKINIT_AUTH_DATA;
+ break;
+ case ECT_PkReplyKeyKata:
+ eContentOid = &_CSSMOID_PKINIT_RKEY_DATA;
+ break;
+ case ECT_Data:
+ /* the only standard/default case we allow */
+ break;
+ default:
+ /* others: no can do */
+ pkiDebug("krb5int_pkinit_create_cms_msg: bad contentType\n");
+ krtn = KRB5_CRYPTO_INTERNAL;
+ goto errOut;
+ }
}
-
+
/* GO */
ortn = CMSEncode((SecIdentityRef)signing_cert, sec_recip,
- eContentOid,
- FALSE, /* detachedContent */
- kCMSAttrNone, /* no signed attributes that I know of */
- content->data, content->length,
- &cf_content);
+ eContentOid,
+ FALSE, /* detachedContent */
+ kCMSAttrNone, /* no signed attributes that I know of */
+ content->data, content->length,
+ &cf_content);
if(ortn) {
- pkiCssmErr("CMSEncode", ortn);
- krtn = KRB5_CRYPTO_INTERNAL;
- goto errOut;
+ pkiCssmErr("CMSEncode", ortn);
+ krtn = KRB5_CRYPTO_INTERNAL;
+ goto errOut;
}
krtn = pkiCfDataToKrb5Data(cf_content, content_info);
errOut:
@@ -285,22 +286,22 @@ errOut:
/*
* Parse a ContentInfo as best we can. All return fields are optional.
- * If signer_cert_status is NULL on entry, NO signature or cert evaluation
- * will be performed.
+ * If signer_cert_status is NULL on entry, NO signature or cert evaluation
+ * will be performed.
*/
krb5_error_code krb5int_pkinit_parse_cms_msg(
- const krb5_data *content_info,
- krb5_pkinit_cert_db_t cert_db, /* may be required for SignedData */
- krb5_boolean is_client_msg, /* TRUE : msg is from client */
- krb5_boolean *is_signed, /* RETURNED */
- krb5_boolean *is_encrypted, /* RETURNED */
- krb5_data *raw_data, /* RETURNED */
+ const krb5_data *content_info,
+ krb5_pkinit_cert_db_t cert_db, /* may be required for SignedData */
+ krb5_boolean is_client_msg, /* TRUE : msg is from client */
+ krb5_boolean *is_signed, /* RETURNED */
+ krb5_boolean *is_encrypted, /* RETURNED */
+ krb5_data *raw_data, /* RETURNED */
krb5int_cms_content_type *inner_content_type,/* Returned, ContentType of */
- /* EncapsulatedData */
- krb5_data *signer_cert, /* RETURNED */
+ /* EncapsulatedData */
+ krb5_data *signer_cert, /* RETURNED */
krb5int_cert_sig_status *signer_cert_status,/* RETURNED */
- unsigned *num_all_certs, /* size of *all_certs RETURNED */
- krb5_data **all_certs) /* entire cert chain RETURNED */
+ unsigned *num_all_certs, /* size of *all_certs RETURNED */
+ krb5_data **all_certs) /* entire cert chain RETURNED */
{
SecPolicySearchRef policy_search = NULL;
SecPolicyRef policy = NULL;
@@ -312,219 +313,219 @@ krb5_error_code krb5int_pkinit_parse_cms_msg(
OSStatus cert_verify_status;
CFArrayRef cf_all_certs = NULL;
int msg_is_signed = 0;
-
+
if(content_info == NULL) {
- pkiDebug("krb5int_pkinit_parse_cms_msg: no ContentInfo\n");
- return KRB5_CRYPTO_INTERNAL;
+ pkiDebug("krb5int_pkinit_parse_cms_msg: no ContentInfo\n");
+ return KRB5_CRYPTO_INTERNAL;
}
-
+
ortn = CMSDecoderCreate(&decoder);
if(ortn) {
- return ENOMEM;
+ return ENOMEM;
}
ortn = CMSDecoderUpdateMessage(decoder, content_info->data, content_info->length);
if(ortn) {
- /* no verify yet, must be bad message */
- krtn = KRB5_PARSE_MALFORMED;
- goto errOut;
+ /* no verify yet, must be bad message */
+ krtn = KRB5_PARSE_MALFORMED;
+ goto errOut;
}
ortn = CMSDecoderFinalizeMessage(decoder);
if(ortn) {
- pkiCssmErr("CMSDecoderFinalizeMessage", ortn);
- krtn = KRB5_PARSE_MALFORMED;
- goto errOut;
+ pkiCssmErr("CMSDecoderFinalizeMessage", ortn);
+ krtn = KRB5_PARSE_MALFORMED;
+ goto errOut;
}
/* expect zero or one signers */
ortn = CMSDecoderGetNumSigners(decoder, &num_signers);
switch(num_signers) {
- case 0:
- msg_is_signed = 0;
- break;
- case 1:
- msg_is_signed = 1;
- break;
- default:
- krtn = KRB5_PARSE_MALFORMED;
- goto errOut;
+ case 0:
+ msg_is_signed = 0;
+ break;
+ case 1:
+ msg_is_signed = 1;
+ break;
+ default:
+ krtn = KRB5_PARSE_MALFORMED;
+ goto errOut;
}
/*
- * We need a cert verify policy even if we're not actually evaluating
+ * We need a cert verify policy even if we're not actually evaluating
* the cert due to requirements in libsecurity_smime.
*/
ortn = SecPolicySearchCreate(CSSM_CERT_X_509v3,
- is_client_msg ? &CSSMOID_APPLE_TP_PKINIT_CLIENT : &CSSMOID_APPLE_TP_PKINIT_SERVER,
- NULL, &policy_search);
+ is_client_msg ? &CSSMOID_APPLE_TP_PKINIT_CLIENT : &CSSMOID_APPLE_TP_PKINIT_SERVER,
+ NULL, &policy_search);
if(ortn) {
- pkiCssmErr("SecPolicySearchCreate", ortn);
- krtn = KRB5_CRYPTO_INTERNAL;
- goto errOut;
+ pkiCssmErr("SecPolicySearchCreate", ortn);
+ krtn = KRB5_CRYPTO_INTERNAL;
+ goto errOut;
}
ortn = SecPolicySearchCopyNext(policy_search, &policy);
if(ortn) {
- pkiCssmErr("SecPolicySearchCopyNext", ortn);
- krtn = KRB5_CRYPTO_INTERNAL;
- goto errOut;
+ pkiCssmErr("SecPolicySearchCopyNext", ortn);
+ krtn = KRB5_CRYPTO_INTERNAL;
+ goto errOut;
}
-
+
/* get some basic status that doesn't need heavyweight evaluation */
if(msg_is_signed) {
- if(is_signed) {
- *is_signed = TRUE;
- }
- if(inner_content_type) {
- CSSM_OID ec_oid = {0, NULL};
- CFDataRef ec_data = NULL;
-
- krb5int_cms_content_type ctype;
-
- ortn = CMSDecoderCopyEncapsulatedContentType(decoder, &ec_data);
- if(ortn || (ec_data == NULL)) {
- pkiCssmErr("CMSDecoderCopyEncapsulatedContentType", ortn);
- krtn = KRB5_CRYPTO_INTERNAL;
- goto errOut;
- }
- ec_oid.Data = (uint8 *)CFDataGetBytePtr(ec_data);
- ec_oid.Length = CFDataGetLength(ec_data);
- if(pkiCompareCssmData(&ec_oid, &CSSMOID_PKCS7_Data)) {
- ctype = ECT_Data;
- }
- else if(pkiCompareCssmData(&ec_oid, &CSSMOID_PKCS7_SignedData)) {
- ctype = ECT_SignedData;
- }
- else if(pkiCompareCssmData(&ec_oid, &CSSMOID_PKCS7_EnvelopedData)) {
- ctype = ECT_EnvelopedData;
- }
- else if(pkiCompareCssmData(&ec_oid, &CSSMOID_PKCS7_EncryptedData)) {
- ctype = ECT_EncryptedData;
- }
- else if(pkiCompareCssmData(&ec_oid, &_CSSMOID_PKINIT_AUTH_DATA)) {
- ctype = ECT_PkAuthData;
- }
- else if(pkiCompareCssmData(&ec_oid, &_CSSMOID_PKINIT_RKEY_DATA)) {
- ctype = ECT_PkReplyKeyKata;
- }
- else {
- ctype = ECT_Other;
- }
- *inner_content_type = ctype;
- CFRelease(ec_data);
- }
-
- /*
- * Get SignedData's certs if the caller wants them
- */
- if(all_certs) {
- ortn = CMSDecoderCopyAllCerts(decoder, &cf_all_certs);
- if(ortn) {
- pkiCssmErr("CMSDecoderCopyAllCerts", ortn);
- krtn = KRB5_CRYPTO_INTERNAL;
- goto errOut;
- }
- krtn = pkiCertArrayToKrb5Data(cf_all_certs, num_all_certs, all_certs);
- if(krtn) {
- goto errOut;
- }
- }
-
- /* optional signer cert */
- if(signer_cert) {
- SecCertificateRef sec_signer_cert = NULL;
- CSSM_DATA cert_data;
-
- ortn = CMSDecoderCopySignerCert(decoder, 0, &sec_signer_cert);
- if(ortn) {
- /* should never happen if it's signed */
- pkiCssmErr("CMSDecoderCopySignerStatus", ortn);
- krtn = KRB5_CRYPTO_INTERNAL;
- goto errOut;
- }
- ortn = SecCertificateGetData(sec_signer_cert, &cert_data);
- if(ortn) {
- pkiCssmErr("SecCertificateGetData", ortn);
- CFRelease(sec_signer_cert);
- krtn = KRB5_CRYPTO_INTERNAL;
- goto errOut;
- }
- krtn = pkiDataToKrb5Data(cert_data.Data, cert_data.Length, signer_cert);
- CFRelease(sec_signer_cert);
- if(krtn) {
- goto errOut;
- }
- }
+ if(is_signed) {
+ *is_signed = TRUE;
+ }
+ if(inner_content_type) {
+ CSSM_OID ec_oid = {0, NULL};
+ CFDataRef ec_data = NULL;
+
+ krb5int_cms_content_type ctype;
+
+ ortn = CMSDecoderCopyEncapsulatedContentType(decoder, &ec_data);
+ if(ortn || (ec_data == NULL)) {
+ pkiCssmErr("CMSDecoderCopyEncapsulatedContentType", ortn);
+ krtn = KRB5_CRYPTO_INTERNAL;
+ goto errOut;
+ }
+ ec_oid.Data = (uint8 *)CFDataGetBytePtr(ec_data);
+ ec_oid.Length = CFDataGetLength(ec_data);
+ if(pkiCompareCssmData(&ec_oid, &CSSMOID_PKCS7_Data)) {
+ ctype = ECT_Data;
+ }
+ else if(pkiCompareCssmData(&ec_oid, &CSSMOID_PKCS7_SignedData)) {
+ ctype = ECT_SignedData;
+ }
+ else if(pkiCompareCssmData(&ec_oid, &CSSMOID_PKCS7_EnvelopedData)) {
+ ctype = ECT_EnvelopedData;
+ }
+ else if(pkiCompareCssmData(&ec_oid, &CSSMOID_PKCS7_EncryptedData)) {
+ ctype = ECT_EncryptedData;
+ }
+ else if(pkiCompareCssmData(&ec_oid, &_CSSMOID_PKINIT_AUTH_DATA)) {
+ ctype = ECT_PkAuthData;
+ }
+ else if(pkiCompareCssmData(&ec_oid, &_CSSMOID_PKINIT_RKEY_DATA)) {
+ ctype = ECT_PkReplyKeyKata;
+ }
+ else {
+ ctype = ECT_Other;
+ }
+ *inner_content_type = ctype;
+ CFRelease(ec_data);
+ }
+
+ /*
+ * Get SignedData's certs if the caller wants them
+ */
+ if(all_certs) {
+ ortn = CMSDecoderCopyAllCerts(decoder, &cf_all_certs);
+ if(ortn) {
+ pkiCssmErr("CMSDecoderCopyAllCerts", ortn);
+ krtn = KRB5_CRYPTO_INTERNAL;
+ goto errOut;
+ }
+ krtn = pkiCertArrayToKrb5Data(cf_all_certs, num_all_certs, all_certs);
+ if(krtn) {
+ goto errOut;
+ }
+ }
+
+ /* optional signer cert */
+ if(signer_cert) {
+ SecCertificateRef sec_signer_cert = NULL;
+ CSSM_DATA cert_data;
+
+ ortn = CMSDecoderCopySignerCert(decoder, 0, &sec_signer_cert);
+ if(ortn) {
+ /* should never happen if it's signed */
+ pkiCssmErr("CMSDecoderCopySignerStatus", ortn);
+ krtn = KRB5_CRYPTO_INTERNAL;
+ goto errOut;
+ }
+ ortn = SecCertificateGetData(sec_signer_cert, &cert_data);
+ if(ortn) {
+ pkiCssmErr("SecCertificateGetData", ortn);
+ CFRelease(sec_signer_cert);
+ krtn = KRB5_CRYPTO_INTERNAL;
+ goto errOut;
+ }
+ krtn = pkiDataToKrb5Data(cert_data.Data, cert_data.Length, signer_cert);
+ CFRelease(sec_signer_cert);
+ if(krtn) {
+ goto errOut;
+ }
+ }
}
else {
- /* not signed */
- if(is_signed) {
- *is_signed = FALSE;
- }
- if(inner_content_type) {
- *inner_content_type = ECT_Other;
- }
- if(signer_cert) {
- signer_cert->data = NULL;
- signer_cert->length = 0;
- }
- if(signer_cert_status) {
- *signer_cert_status = pki_not_signed;
- }
- if(num_all_certs) {
- *num_all_certs = 0;
- }
- if(all_certs) {
- *all_certs = NULL;
- }
+ /* not signed */
+ if(is_signed) {
+ *is_signed = FALSE;
+ }
+ if(inner_content_type) {
+ *inner_content_type = ECT_Other;
+ }
+ if(signer_cert) {
+ signer_cert->data = NULL;
+ signer_cert->length = 0;
+ }
+ if(signer_cert_status) {
+ *signer_cert_status = pki_not_signed;
+ }
+ if(num_all_certs) {
+ *num_all_certs = 0;
+ }
+ if(all_certs) {
+ *all_certs = NULL;
+ }
}
if(is_encrypted) {
- Boolean bencr;
- ortn = CMSDecoderIsContentEncrypted(decoder, &bencr);
- if(ortn) {
- pkiCssmErr("CMSDecoderCopySignerStatus", ortn);
- krtn = KRB5_CRYPTO_INTERNAL;
- goto errOut;
- }
- *is_encrypted = bencr ? TRUE : FALSE;
+ Boolean bencr;
+ ortn = CMSDecoderIsContentEncrypted(decoder, &bencr);
+ if(ortn) {
+ pkiCssmErr("CMSDecoderCopySignerStatus", ortn);
+ krtn = KRB5_CRYPTO_INTERNAL;
+ goto errOut;
+ }
+ *is_encrypted = bencr ? TRUE : FALSE;
}
-
- /*
+
+ /*
* Verify signature and cert. The actual verify operation is optional,
* per our signer_cert_status argument, but we do this anyway if we need
* to get the signer cert.
*/
if((signer_cert_status != NULL) || (signer_cert != NULL)) {
-
- ortn = CMSDecoderCopySignerStatus(decoder,
- 0, /* signerIndex */
- policy,
- signer_cert_status ? TRUE : FALSE, /* evaluateSecTrust */
- &signer_status,
- NULL, /* secTrust - not needed */
- &cert_verify_status);
- if(ortn) {
- /* gross error - subsequent processing impossible */
- pkiCssmErr("CMSDecoderCopySignerStatus", ortn);
- krtn = KRB5_PARSE_MALFORMED;
- goto errOut;
- }
+
+ ortn = CMSDecoderCopySignerStatus(decoder,
+ 0, /* signerIndex */
+ policy,
+ signer_cert_status ? TRUE : FALSE, /* evaluateSecTrust */
+ &signer_status,
+ NULL, /* secTrust - not needed */
+ &cert_verify_status);
+ if(ortn) {
+ /* gross error - subsequent processing impossible */
+ pkiCssmErr("CMSDecoderCopySignerStatus", ortn);
+ krtn = KRB5_PARSE_MALFORMED;
+ goto errOut;
+ }
}
/* obtain & return status */
if(signer_cert_status) {
- *signer_cert_status = pkiInferSigStatus(signer_status, cert_verify_status);
+ *signer_cert_status = pkiInferSigStatus(signer_status, cert_verify_status);
}
-
+
/* finally, the payload */
if(raw_data) {
- CFDataRef cf_content = NULL;
-
- ortn = CMSDecoderCopyContent(decoder, &cf_content);
- if(ortn) {
- pkiCssmErr("CMSDecoderCopyContent", ortn);
- krtn = KRB5_PARSE_MALFORMED;
- goto errOut;
- }
- krtn = pkiCfDataToKrb5Data(cf_content, raw_data);
- CFRELEASE(cf_content);
+ CFDataRef cf_content = NULL;
+
+ ortn = CMSDecoderCopyContent(decoder, &cf_content);
+ if(ortn) {
+ pkiCssmErr("CMSDecoderCopyContent", ortn);
+ krtn = KRB5_PARSE_MALFORMED;
+ goto errOut;
+ }
+ krtn = pkiCfDataToKrb5Data(cf_content, raw_data);
+ CFRELEASE(cf_content);
}
errOut:
CFRELEASE(policy_search);
@@ -535,8 +536,8 @@ errOut:
}
krb5_error_code krb5int_pkinit_get_cms_types(
- krb5int_algorithm_id **supported_cms_types, /* RETURNED */
- krb5_ui_4 *num_supported_cms_types) /* RETURNED */
+ krb5int_algorithm_id **supported_cms_types, /* RETURNED */
+ krb5_ui_4 *num_supported_cms_types) /* RETURNED */
{
/* no preference */
*supported_cms_types = NULL;
@@ -546,12 +547,12 @@ krb5_error_code krb5int_pkinit_get_cms_types(
krb5_error_code krb5int_pkinit_free_cms_types(
krb5int_algorithm_id *supported_cms_types,
- krb5_ui_4 num_supported_cms_types)
+ krb5_ui_4 num_supported_cms_types)
{
- /*
+ /*
* We don't return anything from krb5int_pkinit_get_cms_types(), and
* if we did, it would be a pointer to a statically declared array,
- * so this is a nop.
+ * so this is a nop.
*/
return 0;
}
diff --git a/src/lib/krb5/krb/pkinit_apple_utils.c b/src/lib/krb5/krb/pkinit_apple_utils.c
index f539693fd..83b592218 100644
--- a/src/lib/krb5/krb/pkinit_apple_utils.c
+++ b/src/lib/krb5/krb/pkinit_apple_utils.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* Copyright (c) 2004-2008 Apple Inc. All Rights Reserved.
*
@@ -28,7 +29,7 @@
*
* Created 19 May 2004 by Doug Mitchell at Apple.
*/
-
+
#if APPLE_PKINIT
#include "pkinit_apple_utils.h"
@@ -41,7 +42,7 @@
#include <ctype.h>
#include <Security/Security.h>
-/*
+/*
* Cruft needed to attach to a module
*/
static CSSM_VERSION vers = {2, 0};
@@ -51,28 +52,28 @@ static const CSSM_GUID testGuid = { 0xFADE, 0, 0, { 1,2,3,4,5,6,7,0 }};
* Standard app-level memory functions required by CDSA.
*/
static void * cuAppMalloc (CSSM_SIZE size, void *allocRef) {
- return( malloc(size) );
+ return( malloc(size) );
}
static void cuAppFree (void *mem_ptr, void *allocRef) {
- free(mem_ptr);
- return;
+ free(mem_ptr);
+ return;
}
static void * cuAppRealloc (void *ptr, CSSM_SIZE size, void *allocRef) {
- return( realloc( ptr, size ) );
+ return( realloc( ptr, size ) );
}
static void * cuAppCalloc (uint32 num, CSSM_SIZE size, void *allocRef) {
- return( calloc( num, size ) );
+ return( calloc( num, size ) );
}
static CSSM_API_MEMORY_FUNCS memFuncs = {
- cuAppMalloc,
- cuAppFree,
- cuAppRealloc,
- cuAppCalloc,
- NULL
+ cuAppMalloc,
+ cuAppFree,
+ cuAppRealloc,
+ cuAppCalloc,
+ NULL
};
/*
@@ -84,23 +85,23 @@ static CSSM_BOOL cuCssmStartup()
{
CSSM_RETURN crtn;
CSSM_PVC_MODE pvcPolicy = CSSM_PVC_NONE;
-
+
if(cssmInitd) {
- return CSSM_TRUE;
- }
- crtn = CSSM_Init (&vers,
- CSSM_PRIVILEGE_SCOPE_NONE,
- &testGuid,
- CSSM_KEY_HIERARCHY_NONE,
- &pvcPolicy,
- NULL /* reserved */);
- if(crtn != CSSM_OK)
+ return CSSM_TRUE;
+ }
+ crtn = CSSM_Init (&vers,
+ CSSM_PRIVILEGE_SCOPE_NONE,
+ &testGuid,
+ CSSM_KEY_HIERARCHY_NONE,
+ &pvcPolicy,
+ NULL /* reserved */);
+ if(crtn != CSSM_OK)
{
- return CSSM_FALSE;
+ return CSSM_FALSE;
}
else {
- cssmInitd = CSSM_TRUE;
- return CSSM_TRUE;
+ cssmInitd = CSSM_TRUE;
+ return CSSM_TRUE;
}
}
@@ -108,42 +109,42 @@ CSSM_CL_HANDLE pkiClStartup(void)
{
CSSM_CL_HANDLE clHand;
CSSM_RETURN crtn;
-
+
if(cuCssmStartup() == CSSM_FALSE) {
- return 0;
+ return 0;
}
crtn = CSSM_ModuleLoad(&gGuidAppleX509CL,
- CSSM_KEY_HIERARCHY_NONE,
- NULL, /* eventHandler */
- NULL); /* AppNotifyCallbackCtx */
+ CSSM_KEY_HIERARCHY_NONE,
+ NULL, /* eventHandler */
+ NULL); /* AppNotifyCallbackCtx */
if(crtn) {
- return 0;
+ return 0;
}
crtn = CSSM_ModuleAttach (&gGuidAppleX509CL,
- &vers,
- &memFuncs, /* memFuncs */
- 0, /* SubserviceID */
- CSSM_SERVICE_CL, /* SubserviceFlags - Where is this used? */
- 0, /* AttachFlags */
- CSSM_KEY_HIERARCHY_NONE,
- NULL, /* FunctionTable */
- 0, /* NumFuncTable */
- NULL, /* reserved */
- &clHand);
+ &vers,
+ &memFuncs, /* memFuncs */
+ 0, /* SubserviceID */
+ CSSM_SERVICE_CL, /* SubserviceFlags - Where is this used? */
+ 0, /* AttachFlags */
+ CSSM_KEY_HIERARCHY_NONE,
+ NULL, /* FunctionTable */
+ 0, /* NumFuncTable */
+ NULL, /* reserved */
+ &clHand);
if(crtn) {
- return 0;
+ return 0;
}
else {
- return clHand;
+ return clHand;
}
}
CSSM_RETURN pkiClDetachUnload(
- CSSM_CL_HANDLE clHand)
+ CSSM_CL_HANDLE clHand)
{
CSSM_RETURN crtn = CSSM_ModuleDetach(clHand);
if(crtn) {
- return crtn;
+ return crtn;
}
return CSSM_ModuleUnload(&gGuidAppleX509CL, NULL, NULL);
}
@@ -152,33 +153,33 @@ CSSM_RETURN pkiClDetachUnload(
* CSSM_DATA <--> krb5_ui_4
*/
krb5_error_code pkiDataToInt(
- const CSSM_DATA *cdata,
- krb5_int32 *i) /* RETURNED */
+ const CSSM_DATA *cdata,
+ krb5_int32 *i) /* RETURNED */
{
krb5_ui_4 len;
krb5_int32 rtn = 0;
krb5_ui_4 dex;
uint8 *cp = NULL;
-
+
if((cdata->Length == 0) || (cdata->Data == NULL)) {
- *i = 0;
- return 0;
+ *i = 0;
+ return 0;
}
len = cdata->Length;
if(len > sizeof(krb5_int32)) {
- return ASN1_BAD_LENGTH;
+ return ASN1_BAD_LENGTH;
}
-
+
cp = cdata->Data;
for(dex=0; dex<len; dex++) {
- rtn = (rtn << 8) | *cp++;
+ rtn = (rtn << 8) | *cp++;
}
*i = rtn;
return 0;
}
krb5_error_code pkiIntToData(
- krb5_int32 num,
+ krb5_int32 num,
CSSM_DATA *cdata,
SecAsn1CoderRef coder)
{
@@ -186,26 +187,26 @@ krb5_error_code pkiIntToData(
uint32 len = 0;
uint8 *cp = NULL;
unsigned i;
-
+
if(unum < 0x100) {
- len = 1;
+ len = 1;
}
else if(unum < 0x10000) {
- len = 2;
+ len = 2;
}
else if(unum < 0x1000000) {
- len = 3;
+ len = 3;
}
else {
- len = 4;
+ len = 4;
}
if(SecAsn1AllocItem(coder, cdata, len)) {
- return ENOMEM;
+ return ENOMEM;
}
cp = &cdata->Data[len - 1];
for(i=0; i<len; i++) {
- *cp-- = unum & 0xff;
- unum >>= 8;
+ *cp-- = unum & 0xff;
+ unum >>= 8;
}
return 0;
}
@@ -222,14 +223,14 @@ krb5_error_code pkiDataToKrb5Data(
assert(kd != NULL);
kd->data = (char *)malloc(dataLen);
if(kd->data == NULL) {
- return ENOMEM;
+ return ENOMEM;
}
kd->length = dataLen;
memmove(kd->data, data, dataLen);
return 0;
}
-/*
+/*
* CSSM_DATA <--> krb5_data
*
* CSSM_DATA data is managed by a SecAsn1CoderRef; krb5_data data is mallocd.
@@ -237,7 +238,7 @@ krb5_error_code pkiDataToKrb5Data(
* Both return nonzero on error.
*/
krb5_error_code pkiCssmDataToKrb5Data(
- const CSSM_DATA *cd,
+ const CSSM_DATA *cd,
krb5_data *kd)
{
assert(cd != NULL);
@@ -251,20 +252,20 @@ krb5_error_code pkiKrb5DataToCssm(
{
assert((cd != NULL) && (kd != NULL));
if(SecAsn1AllocCopy(coder, kd->data, kd->length, cd)) {
- return ENOMEM;
+ return ENOMEM;
}
return 0;
}
-/*
+/*
* CFDataRef --> krb5_data, mallocing the destination contents.
*/
krb5_error_code pkiCfDataToKrb5Data(
- CFDataRef cfData,
- krb5_data *kd) /* content mallocd and RETURNED */
+ CFDataRef cfData,
+ krb5_data *kd) /* content mallocd and RETURNED */
{
return pkiDataToKrb5Data(CFDataGetBytePtr(cfData),
- CFDataGetLength(cfData), kd);
+ CFDataGetLength(cfData), kd);
}
krb5_boolean pkiCompareCssmData(
@@ -272,79 +273,79 @@ krb5_boolean pkiCompareCssmData(
const CSSM_DATA *d2)
{
if((d1 == NULL) || (d2 == NULL)) {
- return FALSE;
+ return FALSE;
}
if(d1->Length != d2->Length) {
- return FALSE;
+ return FALSE;
}
if(memcmp(d1->Data, d2->Data, d1->Length)) {
- return FALSE;
+ return FALSE;
}
else {
- return TRUE;
+ return TRUE;
}
}
-/*
+/*
* krb5_timestamp --> a mallocd string in generalized format
*/
krb5_error_code pkiKrbTimestampToStr(
krb5_timestamp kts,
- char **str) /* mallocd and RETURNED */
+ char **str) /* mallocd and RETURNED */
{
char *outStr = NULL;
time_t gmt_time = kts;
struct tm *utc = gmtime(&gmt_time);
if (utc == NULL ||
- utc->tm_year > 8099 || utc->tm_mon > 11 ||
- utc->tm_mday > 31 || utc->tm_hour > 23 ||
- utc->tm_min > 59 || utc->tm_sec > 59) {
- return ASN1_BAD_GMTIME;
+ utc->tm_year > 8099 || utc->tm_mon > 11 ||
+ utc->tm_mday > 31 || utc->tm_hour > 23 ||
+ utc->tm_min > 59 || utc->tm_sec > 59) {
+ return ASN1_BAD_GMTIME;
}
if (asprintf(&outStr, "%04d%02d%02d%02d%02d%02dZ",
- utc->tm_year + 1900, utc->tm_mon + 1,
- utc->tm_mday, utc->tm_hour, utc->tm_min, utc->tm_sec) < 0) {
- return ENOMEM;
+ utc->tm_year + 1900, utc->tm_mon + 1,
+ utc->tm_mday, utc->tm_hour, utc->tm_min, utc->tm_sec) < 0) {
+ return ENOMEM;
}
*str = outStr;
return 0;
}
krb5_error_code pkiTimeStrToKrbTimestamp(
- const char *str,
- unsigned len,
+ const char *str,
+ unsigned len,
krb5_timestamp *kts) /* RETURNED */
{
- char szTemp[5];
- unsigned x;
- unsigned i;
- char *cp;
- struct tm tmp;
+ char szTemp[5];
+ unsigned x;
+ unsigned i;
+ char *cp;
+ struct tm tmp;
time_t t;
-
+
if(len != 15) {
- return ASN1_BAD_LENGTH;
+ return ASN1_BAD_LENGTH;
}
if((str == NULL) || (kts == NULL)) {
- return KRB5_CRYPTO_INTERNAL;
+ return KRB5_CRYPTO_INTERNAL;
}
-
+
cp = (char *)str;
memset(&tmp, 0, sizeof(tmp));
-
+
/* check that all characters except last are digits */
for(i=0; i<(len - 1); i++) {
- if ( !(isdigit(cp[i])) ) {
- return ASN1_BAD_TIMEFORMAT;
- }
+ if ( !(isdigit(cp[i])) ) {
+ return ASN1_BAD_TIMEFORMAT;
+ }
}
/* check last character is a 'Z' */
- if(cp[len - 1] != 'Z' ) {
- return ASN1_BAD_TIMEFORMAT;
+ if(cp[len - 1] != 'Z' ) {
+ return ASN1_BAD_TIMEFORMAT;
}
-
+
/* YEAR */
szTemp[0] = *cp++;
szTemp[1] = *cp++;
@@ -362,7 +363,7 @@ krb5_error_code pkiTimeStrToKrbTimestamp(
x = atoi( szTemp );
/* in the string, months are from 1 to 12 */
if((x > 12) || (x <= 0)) {
- return ASN1_BAD_TIMEFORMAT;
+ return ASN1_BAD_TIMEFORMAT;
}
/* in a tm, 0 to 11 */
tmp.tm_mon = x - 1;
@@ -374,7 +375,7 @@ krb5_error_code pkiTimeStrToKrbTimestamp(
x = atoi( szTemp );
/* 1..31 */
if((x > 31) || (x <= 0)) {
- return ASN1_BAD_TIMEFORMAT;
+ return ASN1_BAD_TIMEFORMAT;
}
tmp.tm_mday = x;
@@ -384,7 +385,7 @@ krb5_error_code pkiTimeStrToKrbTimestamp(
szTemp[2] = '\0';
x = atoi( szTemp );
if((x > 23) || (x < 0)) {
- return ASN1_BAD_TIMEFORMAT;
+ return ASN1_BAD_TIMEFORMAT;
}
tmp.tm_hour = x;
@@ -394,7 +395,7 @@ krb5_error_code pkiTimeStrToKrbTimestamp(
szTemp[2] = '\0';
x = atoi( szTemp );
if((x > 59) || (x < 0)) {
- return ASN1_BAD_TIMEFORMAT;
+ return ASN1_BAD_TIMEFORMAT;
}
tmp.tm_min = x;
@@ -404,12 +405,12 @@ krb5_error_code pkiTimeStrToKrbTimestamp(
szTemp[2] = '\0';
x = atoi( szTemp );
if((x > 59) || (x < 0)) {
- return ASN1_BAD_TIMEFORMAT;
+ return ASN1_BAD_TIMEFORMAT;
}
tmp.tm_sec = x;
t = timegm(&tmp);
if(t == -1) {
- return ASN1_BAD_TIMEFORMAT;
+ return ASN1_BAD_TIMEFORMAT;
}
*kts = t;
return 0;
@@ -423,9 +424,9 @@ unsigned pkiNssArraySize(
{
unsigned count = 0;
if (array) {
- while (*array++) {
- count++;
- }
+ while (*array++) {
+ count++;
+ }
}
return count;
}
diff --git a/src/lib/krb5/krb/pr_to_salt.c b/src/lib/krb5/krb/pr_to_salt.c
index 545d86fb1..5d57bc599 100644
--- a/src/lib/krb5/krb/pr_to_salt.c
+++ b/src/lib/krb5/krb/pr_to_salt.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/pr_to_salt.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_principal2salt()
*/
@@ -30,7 +31,7 @@
#include "k5-int.h"
static krb5_error_code krb5_principal2salt_internal
- (krb5_context, krb5_const_principal, krb5_data *ret, int);
+(krb5_context, krb5_const_principal, krb5_data *ret, int);
/*
* Convert a krb5_principal into the default salt for that principal.
@@ -43,32 +44,32 @@ krb5_principal2salt_internal(krb5_context context, register krb5_const_principal
register int i;
if (pr == 0) {
- ret->length = 0;
- ret->data = 0;
- return 0;
+ ret->length = 0;
+ ret->data = 0;
+ return 0;
}
nelem = krb5_princ_size(context, pr);
if (use_realm)
- size += krb5_princ_realm(context, pr)->length;
+ size += krb5_princ_realm(context, pr)->length;
for (i = 0; i < (int) nelem; i++)
- size += krb5_princ_component(context, pr, i)->length;
+ size += krb5_princ_component(context, pr, i)->length;
ret->length = size;
if (!(ret->data = malloc (size)))
- return ENOMEM;
+ return ENOMEM;
if (use_realm) {
- offset = krb5_princ_realm(context, pr)->length;
- memcpy(ret->data, krb5_princ_realm(context, pr)->data, offset);
+ offset = krb5_princ_realm(context, pr)->length;
+ memcpy(ret->data, krb5_princ_realm(context, pr)->data, offset);
}
for (i = 0; i < (int) nelem; i++) {
- memcpy(&ret->data[offset], krb5_princ_component(context, pr, i)->data,
- krb5_princ_component(context, pr, i)->length);
- offset += krb5_princ_component(context, pr, i)->length;
+ memcpy(&ret->data[offset], krb5_princ_component(context, pr, i)->data,
+ krb5_princ_component(context, pr, i)->length);
+ offset += krb5_princ_component(context, pr, i)->length;
}
return 0;
}
@@ -76,11 +77,11 @@ krb5_principal2salt_internal(krb5_context context, register krb5_const_principal
krb5_error_code
krb5_principal2salt(krb5_context context, register krb5_const_principal pr, krb5_data *ret)
{
- return krb5_principal2salt_internal(context, pr, ret, 1);
+ return krb5_principal2salt_internal(context, pr, ret, 1);
}
krb5_error_code
krb5_principal2salt_norealm(krb5_context context, register krb5_const_principal pr, krb5_data *ret)
{
- return krb5_principal2salt_internal(context, pr, ret, 0);
+ return krb5_principal2salt_internal(context, pr, ret, 0);
}
diff --git a/src/lib/krb5/krb/preauth.c b/src/lib/krb5/krb/preauth.c
index 06b2f50b8..9061aa9b6 100644
--- a/src/lib/krb5/krb/preauth.c
+++ b/src/lib/krb5/krb/preauth.c
@@ -25,7 +25,7 @@
/*
* This file contains routines for establishing, verifying, and any other
- * necessary functions, for utilizing the pre-authentication field of the
+ * necessary functions, for utilizing the pre-authentication field of the
* kerberos kdc request, with various hardware/software verification devices.
*/
@@ -72,7 +72,7 @@ static krb5_error_code obtain_sam_padata
(krb5_context,
krb5_pa_data *,
krb5_etype_info,
- krb5_keyblock *,
+ krb5_keyblock *,
krb5_error_code ( * )(krb5_context,
const krb5_enctype,
krb5_data *,
@@ -179,24 +179,24 @@ krb5_error_code krb5_obtain_padata(krb5_context context, krb5_pa_data **preauth_
if (etype_info) {
enctype = etype_info[0]->etype;
salt.data = (char *) etype_info[0]->salt;
- if(etype_info[0]->length == KRB5_ETYPE_NO_SALT)
+ if(etype_info[0]->length == KRB5_ETYPE_NO_SALT)
salt.length = SALT_TYPE_NO_LENGTH; /* XXX */
- else
+ else
salt.length = etype_info[0]->length;
}
if (salt.length == SALT_TYPE_NO_LENGTH) {
/*
- * This will set the salt length
+ * This will set the salt length
*/
if ((retval = krb5_principal2salt(context, request->client, &salt)))
goto cleanup;
f_salt = 1;
}
-
+
if ((retval = (*key_proc)(context, enctype, &salt, key_seed,
&def_enc_key)))
goto cleanup;
-
+
for (pa = preauth_to_use; *pa; pa++) {
if (find_pa_system((*pa)->pa_type, &ops))
@@ -204,7 +204,7 @@ krb5_error_code krb5_obtain_padata(krb5_context context, krb5_pa_data **preauth_
if (ops->obtain == 0)
continue;
-
+
retval = ((ops)->obtain)(context, *pa, etype_info, def_enc_key,
key_proc, key_seed, creds,
request, send_pa);
@@ -233,7 +233,7 @@ cleanup:
if (def_enc_key)
krb5_free_keyblock(context, def_enc_key);
return retval;
-
+
}
krb5_error_code
@@ -243,7 +243,7 @@ krb5_process_padata(krb5_context context, krb5_kdc_req *request, krb5_kdc_rep *a
const krb5_preauth_ops * ops;
krb5_pa_data ** pa;
krb5_int32 done = 0;
-
+
*do_more = 0; /* By default, we don't need to repeat... */
if (as_reply->padata == 0)
return 0;
@@ -254,7 +254,7 @@ krb5_process_padata(krb5_context context, krb5_kdc_req *request, krb5_kdc_rep *a
if (ops->process == 0)
continue;
-
+
retval = ((ops)->process)(context, *pa, request, as_reply,
key_proc, keyseed, decrypt_proc,
decrypt_key, creds, do_more, &done);
@@ -298,7 +298,7 @@ obtain_enc_ts_padata(krb5_context context, krb5_pa_data *in_padata, krb5_etype_i
krb5_free_data(context, scratch);
scratch = 0;
-
+
if ((retval = encode_krb5_enc_data(&enc_data, &scratch)) != 0)
goto cleanup;
@@ -318,7 +318,7 @@ obtain_enc_ts_padata(krb5_context context, krb5_pa_data *in_padata, krb5_etype_i
scratch = 0;
retval = 0;
-
+
cleanup:
if (scratch)
krb5_free_data(context, scratch);
@@ -332,14 +332,14 @@ process_pw_salt(krb5_context context, krb5_pa_data *padata, krb5_kdc_req *reques
{
krb5_error_code retval;
krb5_data salt;
-
+
if (*decrypt_key != 0)
return 0;
salt.data = (char *) padata->contents;
- salt.length =
+ salt.length =
(padata->pa_type == KRB5_PADATA_AFS3_SALT)?(SALT_TYPE_AFS_LENGTH):(padata->length);
-
+
if ((retval = (*key_proc)(context, as_reply->enc_part.enctype,
&salt, keyseed, decrypt_key))) {
*decrypt_key = 0;
@@ -348,19 +348,19 @@ process_pw_salt(krb5_context context, krb5_pa_data *padata, krb5_kdc_req *reques
return 0;
}
-
+
static krb5_error_code
find_pa_system(krb5_preauthtype type, const krb5_preauth_ops **preauth)
{
const krb5_preauth_ops *ap = preauth_systems;
-
+
while ((ap->type != -1) && (ap->type != type))
ap++;
if (ap->type == -1)
return(KRB5_PREAUTH_BAD_TYPE);
*preauth = ap;
return 0;
-}
+}
extern const char *krb5_default_pwd_prompt1;
@@ -381,14 +381,14 @@ sam_get_pass_from_user(krb5_context context, krb5_etype_info etype_info, git_key
krb5_data newpw;
newpw.data = 0; newpw.length = 0;
/* we don't keep the new password, just the key... */
- retval = (*key_proc)(context, enctype, 0,
+ retval = (*key_proc)(context, enctype, 0,
(krb5_const_pointer)&newpw, new_enc_key);
free(newpw.data);
}
krb5_default_pwd_prompt1 = oldprompt;
return retval;
}
-static
+static
char *handle_sam_labels(krb5_sam_challenge *sc)
{
char *label = sc->sam_challenge_label.data;
@@ -433,7 +433,7 @@ char *handle_sam_labels(krb5_sam_challenge *sc)
/* example:
Challenge for Digital Pathways mechanism: [134591]
- Passcode:
+ Passcode:
*/
krb5int_buf_init_dynamic(&buf);
if (challenge_len) {
@@ -511,7 +511,7 @@ obtain_sam_padata(krb5_context context, krb5_pa_data *in_padata, krb5_etype_info
retval = ENOMEM;
goto cleanup;
}
- retval = sam_get_pass_from_user(context, etype_info, key_proc,
+ retval = sam_get_pass_from_user(context, etype_info, key_proc,
key_seed, request, &sam_use_key,
prompt);
if (retval)
@@ -524,15 +524,15 @@ obtain_sam_padata(krb5_context context, krb5_pa_data *in_padata, krb5_etype_info
}
/* so at this point, either sam_use_key is generated from the passcode
- * or enc_sam_response_enc.sam_sad is set to it, and we use
+ * or enc_sam_response_enc.sam_sad is set to it, and we use
* def_enc_key instead. */
/* encode the encoded part of the response */
if ((retval = encode_krb5_enc_sam_response_enc(&enc_sam_response_enc,
&scratch)) != 0)
goto cleanup;
- if ((retval = krb5_encrypt_data(context,
- sam_use_key?sam_use_key:def_enc_key,
+ if ((retval = krb5_encrypt_data(context,
+ sam_use_key?sam_use_key:def_enc_key,
0, scratch,
&sam_response.sam_enc_nonce_or_ts)))
goto cleanup;
@@ -552,7 +552,7 @@ obtain_sam_padata(krb5_context context, krb5_pa_data *in_padata, krb5_etype_info
if ((retval = encode_krb5_sam_response(&sam_response, &scratch)) != 0)
goto cleanup;
-
+
if ((pa = malloc(sizeof(krb5_pa_data))) == NULL) {
retval = ENOMEM;
goto cleanup;
@@ -567,7 +567,7 @@ obtain_sam_padata(krb5_context context, krb5_pa_data *in_padata, krb5_etype_info
*out_padata = pa;
retval = 0;
-
+
cleanup:
krb5_free_data(context, scratch);
krb5_free_sam_challenge(context, sam_challenge);
diff --git a/src/lib/krb5/krb/preauth2.c b/src/lib/krb5/krb/preauth2.c
index 996cbfd36..7ee086037 100644
--- a/src/lib/krb5/krb/preauth2.c
+++ b/src/lib/krb5/krb/preauth2.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* Copyright 1995, 2003, 2008 by the Massachusetts Institute of Technology. All
* Rights Reserved.
@@ -25,7 +26,7 @@
/*
* This file contains routines for establishing, verifying, and any other
- * necessary functions, for utilizing the pre-authentication field of the
+ * necessary functions, for utilizing the pre-authentication field of the
* kerberos kdc request, with various hardware/software verification devices.
*/
@@ -50,17 +51,17 @@ static const char *objdirs[] = { LIBDIR "/krb5/plugins/preauth", NULL };
#endif
typedef krb5_error_code (*pa_function)(krb5_context,
- krb5_kdc_req *request,
- krb5_pa_data *in_padata,
- krb5_pa_data **out_padata,
- krb5_data *salt, krb5_data *s2kparams,
- krb5_enctype *etype,
- krb5_keyblock *as_key,
- krb5_prompter_fct prompter_fct,
- void *prompter_data,
- krb5_gic_get_as_key_fct gak_fct,
- void *gak_data);
-
+ krb5_kdc_req *request,
+ krb5_pa_data *in_padata,
+ krb5_pa_data **out_padata,
+ krb5_data *salt, krb5_data *s2kparams,
+ krb5_enctype *etype,
+ krb5_keyblock *as_key,
+ krb5_prompter_fct prompter_fct,
+ void *prompter_data,
+ krb5_gic_get_as_key_fct gak_fct,
+ void *gak_data);
+
typedef struct _pa_types_t {
krb5_preauthtype type;
pa_function fct;
@@ -85,27 +86,27 @@ krb5_init_preauth_context(krb5_context kcontext)
/* Only do this once for each krb5_context */
if (kcontext->preauth_context != NULL)
- return;
+ return;
/* load the plugins for the current context */
if (PLUGIN_DIR_OPEN(&kcontext->preauth_plugins) == 0) {
- if (krb5int_open_plugin_dirs(objdirs, NULL,
- &kcontext->preauth_plugins,
- &kcontext->err) != 0) {
- return;
- }
+ if (krb5int_open_plugin_dirs(objdirs, NULL,
+ &kcontext->preauth_plugins,
+ &kcontext->err) != 0) {
+ return;
+ }
}
/* pull out the module function tables for all of the modules */
tables = NULL;
if (krb5int_get_plugin_dir_data(&kcontext->preauth_plugins,
- "preauthentication_client_1",
- &tables,
- &kcontext->err) != 0) {
- return;
+ "preauthentication_client_1",
+ &tables,
+ &kcontext->err) != 0) {
+ return;
}
if (tables == NULL) {
- return;
+ return;
}
/* count how many modules we ended up loading, and how many preauth
@@ -114,23 +115,23 @@ krb5_init_preauth_context(krb5_context kcontext)
for (n_tables = 0;
(tables != NULL) && (tables[n_tables] != NULL);
n_tables++) {
- table = tables[n_tables];
- if ((table->pa_type_list != NULL) && (table->process != NULL)) {
- for (j = 0; table->pa_type_list[j] > 0; j++) {
- n_modules++;
- }
- }
+ table = tables[n_tables];
+ if ((table->pa_type_list != NULL) && (table->process != NULL)) {
+ for (j = 0; table->pa_type_list[j] > 0; j++) {
+ n_modules++;
+ }
+ }
}
/* allocate the space we need */
context = malloc(sizeof(*context));
if (context == NULL) {
- krb5int_free_plugin_dir_data(tables);
+ krb5int_free_plugin_dir_data(tables);
return;
}
context->modules = calloc(n_modules, sizeof(context->modules[0]));
if (context->modules == NULL) {
- krb5int_free_plugin_dir_data(tables);
+ krb5int_free_plugin_dir_data(tables);
free(context);
return;
}
@@ -141,64 +142,64 @@ krb5_init_preauth_context(krb5_context kcontext)
for (i = 0; i < n_tables; i++) {
table = tables[i];
if ((table->pa_type_list != NULL) && (table->process != NULL)) {
- plugin_context = NULL;
- if ((table->init != NULL) &&
- ((*table->init)(kcontext, &plugin_context) != 0)) {
+ plugin_context = NULL;
+ if ((table->init != NULL) &&
+ ((*table->init)(kcontext, &plugin_context) != 0)) {
#ifdef DEBUG
- fprintf (stderr, "init err, skipping module \"%s\"\n",
- table->name);
+ fprintf (stderr, "init err, skipping module \"%s\"\n",
+ table->name);
#endif
- continue;
- }
-
- rcpp = NULL;
- for (j = 0; table->pa_type_list[j] > 0; j++) {
- pa_type = table->pa_type_list[j];
- context->modules[k].pa_type = pa_type;
- context->modules[k].enctypes = table->enctype_list;
- context->modules[k].plugin_context = plugin_context;
- /* Only call client_fini once per plugin */
- if (j == 0)
- context->modules[k].client_fini = table->fini;
- else
- context->modules[k].client_fini = NULL;
- context->modules[k].ftable = table;
- context->modules[k].name = table->name;
- context->modules[k].flags = (*table->flags)(kcontext, pa_type);
- context->modules[k].use_count = 0;
- context->modules[k].client_process = table->process;
- context->modules[k].client_tryagain = table->tryagain;
- if (j == 0)
- context->modules[k].client_supply_gic_opts = table->gic_opts;
- else
- context->modules[k].client_supply_gic_opts = NULL;
- context->modules[k].request_context = NULL;
- /*
- * Only call request_init and request_fini once per plugin.
- * Only the first module within each plugin will ever
- * have request_context filled in. Every module within
- * the plugin will have its request_context_pp pointing
- * to that entry's request_context. That way all the
- * modules within the plugin share the same request_context
- */
- if (j == 0) {
- context->modules[k].client_req_init = table->request_init;
- context->modules[k].client_req_fini = table->request_fini;
- rcpp = &context->modules[k].request_context;
- } else {
- context->modules[k].client_req_init = NULL;
- context->modules[k].client_req_fini = NULL;
- }
- context->modules[k].request_context_pp = rcpp;
+ continue;
+ }
+
+ rcpp = NULL;
+ for (j = 0; table->pa_type_list[j] > 0; j++) {
+ pa_type = table->pa_type_list[j];
+ context->modules[k].pa_type = pa_type;
+ context->modules[k].enctypes = table->enctype_list;
+ context->modules[k].plugin_context = plugin_context;
+ /* Only call client_fini once per plugin */
+ if (j == 0)
+ context->modules[k].client_fini = table->fini;
+ else
+ context->modules[k].client_fini = NULL;
+ context->modules[k].ftable = table;
+ context->modules[k].name = table->name;
+ context->modules[k].flags = (*table->flags)(kcontext, pa_type);
+ context->modules[k].use_count = 0;
+ context->modules[k].client_process = table->process;
+ context->modules[k].client_tryagain = table->tryagain;
+ if (j == 0)
+ context->modules[k].client_supply_gic_opts = table->gic_opts;
+ else
+ context->modules[k].client_supply_gic_opts = NULL;
+ context->modules[k].request_context = NULL;
+ /*
+ * Only call request_init and request_fini once per plugin.
+ * Only the first module within each plugin will ever
+ * have request_context filled in. Every module within
+ * the plugin will have its request_context_pp pointing
+ * to that entry's request_context. That way all the
+ * modules within the plugin share the same request_context
+ */
+ if (j == 0) {
+ context->modules[k].client_req_init = table->request_init;
+ context->modules[k].client_req_fini = table->request_fini;
+ rcpp = &context->modules[k].request_context;
+ } else {
+ context->modules[k].client_req_init = NULL;
+ context->modules[k].client_req_fini = NULL;
+ }
+ context->modules[k].request_context_pp = rcpp;
#ifdef DEBUG
- fprintf (stderr, "init module \"%s\", pa_type %d, flag %d\n",
- context->modules[k].name,
- context->modules[k].pa_type,
- context->modules[k].flags);
+ fprintf (stderr, "init module \"%s\", pa_type %d, flag %d\n",
+ context->modules[k].name,
+ context->modules[k].pa_type,
+ context->modules[k].flags);
#endif
- k++;
- }
- }
+ k++;
+ }
+ }
}
krb5int_free_plugin_dir_data(tables);
@@ -214,9 +215,9 @@ krb5_clear_preauth_context_use_counts(krb5_context context)
{
int i;
if (context->preauth_context != NULL) {
- for (i = 0; i < context->preauth_context->n_modules; i++) {
- context->preauth_context->modules[i].use_count = 0;
- }
+ for (i = 0; i < context->preauth_context->n_modules; i++) {
+ context->preauth_context->modules[i].use_count = 0;
+ }
}
}
@@ -226,9 +227,9 @@ krb5_clear_preauth_context_use_counts(krb5_context context)
*/
krb5_error_code
krb5_preauth_supply_preauth_data(krb5_context context,
- krb5_gic_opt_ext *opte,
- const char *attr,
- const char *value)
+ krb5_gic_opt_ext *opte,
+ const char *attr,
+ const char *value)
{
krb5_error_code retval = 0;
int i;
@@ -236,13 +237,13 @@ krb5_preauth_supply_preauth_data(krb5_context context,
const char *emsg = NULL;
if (context->preauth_context == NULL)
- krb5_init_preauth_context(context);
+ krb5_init_preauth_context(context);
if (context->preauth_context == NULL) {
- retval = EINVAL;
- krb5int_set_error(&context->err, retval,
- "krb5_preauth_supply_preauth_data: "
- "Unable to initialize preauth context");
- return retval;
+ retval = EINVAL;
+ krb5int_set_error(&context->err, retval,
+ "krb5_preauth_supply_preauth_data: "
+ "Unable to initialize preauth context");
+ return retval;
}
/*
@@ -250,19 +251,19 @@ krb5_preauth_supply_preauth_data(krb5_context context,
* attribute/value pair.
*/
for (i = 0; i < context->preauth_context->n_modules; i++) {
- if (context->preauth_context->modules[i].client_supply_gic_opts == NULL)
- continue;
- pctx = context->preauth_context->modules[i].plugin_context;
- retval = (*context->preauth_context->modules[i].client_supply_gic_opts)
- (context, pctx,
- (krb5_get_init_creds_opt *)opte, attr, value);
- if (retval) {
- emsg = krb5_get_error_message(context, retval);
- krb5int_set_error(&context->err, retval, "Preauth plugin %s: %s",
- context->preauth_context->modules[i].name, emsg);
- krb5_free_error_message(context, emsg);
- break;
- }
+ if (context->preauth_context->modules[i].client_supply_gic_opts == NULL)
+ continue;
+ pctx = context->preauth_context->modules[i].plugin_context;
+ retval = (*context->preauth_context->modules[i].client_supply_gic_opts)
+ (context, pctx,
+ (krb5_get_init_creds_opt *)opte, attr, value);
+ if (retval) {
+ emsg = krb5_get_error_message(context, retval);
+ krb5int_set_error(&context->err, retval, "Preauth plugin %s: %s",
+ context->preauth_context->modules[i].name, emsg);
+ krb5_free_error_message(context, emsg);
+ break;
+ }
}
return retval;
}
@@ -276,20 +277,20 @@ krb5_free_preauth_context(krb5_context context)
int i;
void *pctx;
if (context && context->preauth_context != NULL) {
- for (i = 0; i < context->preauth_context->n_modules; i++) {
- pctx = context->preauth_context->modules[i].plugin_context;
- if (context->preauth_context->modules[i].client_fini != NULL) {
- (*context->preauth_context->modules[i].client_fini)(context, pctx);
- }
- memset(&context->preauth_context->modules[i], 0,
- sizeof(context->preauth_context->modules[i]));
- }
- if (context->preauth_context->modules != NULL) {
- free(context->preauth_context->modules);
- context->preauth_context->modules = NULL;
- }
- free(context->preauth_context);
- context->preauth_context = NULL;
+ for (i = 0; i < context->preauth_context->n_modules; i++) {
+ pctx = context->preauth_context->modules[i].plugin_context;
+ if (context->preauth_context->modules[i].client_fini != NULL) {
+ (*context->preauth_context->modules[i].client_fini)(context, pctx);
+ }
+ memset(&context->preauth_context->modules[i], 0,
+ sizeof(context->preauth_context->modules[i]));
+ }
+ if (context->preauth_context->modules != NULL) {
+ free(context->preauth_context->modules);
+ context->preauth_context->modules = NULL;
+ }
+ free(context->preauth_context);
+ context->preauth_context = NULL;
}
}
@@ -303,15 +304,15 @@ krb5_preauth_request_context_init(krb5_context context)
/* Limit this to only one attempt per context? */
if (context->preauth_context == NULL)
- krb5_init_preauth_context(context);
+ krb5_init_preauth_context(context);
if (context->preauth_context != NULL) {
- for (i = 0; i < context->preauth_context->n_modules; i++) {
- pctx = context->preauth_context->modules[i].plugin_context;
- if (context->preauth_context->modules[i].client_req_init != NULL) {
- rctx = context->preauth_context->modules[i].request_context_pp;
- (*context->preauth_context->modules[i].client_req_init) (context, pctx, rctx);
- }
- }
+ for (i = 0; i < context->preauth_context->n_modules; i++) {
+ pctx = context->preauth_context->modules[i].plugin_context;
+ if (context->preauth_context->modules[i].client_req_init != NULL) {
+ rctx = context->preauth_context->modules[i].request_context_pp;
+ (*context->preauth_context->modules[i].client_req_init) (context, pctx, rctx);
+ }
+ }
}
}
@@ -323,16 +324,16 @@ krb5_preauth_request_context_fini(krb5_context context)
int i;
void *rctx, *pctx;
if (context->preauth_context != NULL) {
- for (i = 0; i < context->preauth_context->n_modules; i++) {
- pctx = context->preauth_context->modules[i].plugin_context;
- rctx = context->preauth_context->modules[i].request_context;
- if (rctx != NULL) {
- if (context->preauth_context->modules[i].client_req_fini != NULL) {
- (*context->preauth_context->modules[i].client_req_fini)(context, pctx, rctx);
- }
- context->preauth_context->modules[i].request_context = NULL;
- }
- }
+ for (i = 0; i < context->preauth_context->n_modules; i++) {
+ pctx = context->preauth_context->modules[i].plugin_context;
+ rctx = context->preauth_context->modules[i].request_context;
+ if (rctx != NULL) {
+ if (context->preauth_context->modules[i].client_req_fini != NULL) {
+ (*context->preauth_context->modules[i].client_req_fini)(context, pctx, rctx);
+ }
+ context->preauth_context->modules[i].request_context = NULL;
+ }
+ }
}
}
@@ -343,18 +344,18 @@ grow_ktypes(krb5_enctype **out_ktypes, int *out_nktypes, krb5_enctype ktype)
int i;
krb5_enctype *ktypes;
for (i = 0; i < *out_nktypes; i++) {
- if ((*out_ktypes)[i] == ktype)
- return;
+ if ((*out_ktypes)[i] == ktype)
+ return;
}
ktypes = malloc((*out_nktypes + 2) * sizeof(ktype));
if (ktypes) {
- for (i = 0; i < *out_nktypes; i++)
- ktypes[i] = (*out_ktypes)[i];
- ktypes[i++] = ktype;
- ktypes[i] = 0;
- free(*out_ktypes);
- *out_ktypes = ktypes;
- *out_nktypes = i;
+ for (i = 0; i < *out_nktypes; i++)
+ ktypes[i] = (*out_ktypes)[i];
+ ktypes[i++] = ktype;
+ ktypes[i] = 0;
+ free(*out_ktypes);
+ *out_ktypes = ktypes;
+ *out_nktypes = i;
}
}
@@ -364,42 +365,42 @@ grow_ktypes(krb5_enctype **out_ktypes, int *out_nktypes, krb5_enctype ktype)
*/
static int
grow_pa_list(krb5_pa_data ***out_pa_list, int *out_pa_list_size,
- krb5_pa_data **addition, int num_addition)
+ krb5_pa_data **addition, int num_addition)
{
krb5_pa_data **pa_list;
int i, j;
if (out_pa_list == NULL || addition == NULL) {
- return EINVAL;
+ return EINVAL;
}
if (*out_pa_list == NULL) {
- /* Allocate room for the new additions and a NULL terminator. */
- pa_list = malloc((num_addition + 1) * sizeof(krb5_pa_data *));
- if (pa_list == NULL)
- return ENOMEM;
- for (i = 0; i < num_addition; i++)
- pa_list[i] = addition[i];
- pa_list[i] = NULL;
- *out_pa_list = pa_list;
- *out_pa_list_size = num_addition;
+ /* Allocate room for the new additions and a NULL terminator. */
+ pa_list = malloc((num_addition + 1) * sizeof(krb5_pa_data *));
+ if (pa_list == NULL)
+ return ENOMEM;
+ for (i = 0; i < num_addition; i++)
+ pa_list[i] = addition[i];
+ pa_list[i] = NULL;
+ *out_pa_list = pa_list;
+ *out_pa_list_size = num_addition;
} else {
- /*
- * Allocate room for the existing entries plus
- * the new additions and a NULL terminator.
- */
- pa_list = malloc((*out_pa_list_size + num_addition + 1)
- * sizeof(krb5_pa_data *));
- if (pa_list == NULL)
- return ENOMEM;
- for (i = 0; i < *out_pa_list_size; i++)
- pa_list[i] = (*out_pa_list)[i];
- for (j = 0; j < num_addition;)
- pa_list[i++] = addition[j++];
- pa_list[i] = NULL;
- free(*out_pa_list);
- *out_pa_list = pa_list;
- *out_pa_list_size = i;
+ /*
+ * Allocate room for the existing entries plus
+ * the new additions and a NULL terminator.
+ */
+ pa_list = malloc((*out_pa_list_size + num_addition + 1)
+ * sizeof(krb5_pa_data *));
+ if (pa_list == NULL)
+ return ENOMEM;
+ for (i = 0; i < *out_pa_list_size; i++)
+ pa_list[i] = (*out_pa_list)[i];
+ for (j = 0; j < num_addition;)
+ pa_list[i++] = addition[j++];
+ pa_list[i] = NULL;
+ free(*out_pa_list);
+ *out_pa_list = pa_list;
+ *out_pa_list_size = i;
}
return 0;
}
@@ -416,81 +417,81 @@ grow_pa_list(krb5_pa_data ***out_pa_list, int *out_pa_list_size,
static krb5_error_code
client_data_proc(krb5_context kcontext,
- krb5_preauth_client_rock *rock,
- krb5_int32 request_type,
- krb5_data **retdata)
+ krb5_preauth_client_rock *rock,
+ krb5_int32 request_type,
+ krb5_data **retdata)
{
krb5_data *ret;
krb5_error_code retval;
char *data;
if (rock->magic != CLIENT_ROCK_MAGIC)
- return EINVAL;
+ return EINVAL;
if (retdata == NULL)
- return EINVAL;
+ return EINVAL;
switch (request_type) {
case krb5plugin_preauth_client_get_etype:
- {
- krb5_enctype *eptr;
- ret = malloc(sizeof(krb5_data));
- if (ret == NULL)
- return ENOMEM;
- data = malloc(sizeof(krb5_enctype));
- if (data == NULL) {
- free(ret);
- return ENOMEM;
- }
- ret->data = data;
- ret->length = sizeof(krb5_enctype);
- eptr = (krb5_enctype *)data;
- *eptr = *rock->etype;
- *retdata = ret;
- return 0;
- }
- break;
+ {
+ krb5_enctype *eptr;
+ ret = malloc(sizeof(krb5_data));
+ if (ret == NULL)
+ return ENOMEM;
+ data = malloc(sizeof(krb5_enctype));
+ if (data == NULL) {
+ free(ret);
+ return ENOMEM;
+ }
+ ret->data = data;
+ ret->length = sizeof(krb5_enctype);
+ eptr = (krb5_enctype *)data;
+ *eptr = *rock->etype;
+ *retdata = ret;
+ return 0;
+ }
+ break;
case krb5plugin_preauth_client_free_etype:
- ret = *retdata;
- if (ret == NULL)
- return 0;
- if (ret->data)
- free(ret->data);
- free(ret);
- return 0;
- break;
+ ret = *retdata;
+ if (ret == NULL)
+ return 0;
+ if (ret->data)
+ free(ret->data);
+ free(ret);
+ return 0;
+ break;
case krb5plugin_preauth_client_fast_armor: {
- krb5_keyblock *key = NULL;
- ret = calloc(1, sizeof(krb5_data));
- if (ret == NULL)
- return ENOMEM;
- retval = 0;
- if (rock->fast_state->armor_key)
- retval = krb5_copy_keyblock(kcontext, rock->fast_state->armor_key,
- &key);
- if (retval == 0) {
- ret->data = (char *) key;
- ret->length = key?sizeof(krb5_keyblock):0;
- key = NULL;
- }
- if (retval == 0) {
- *retdata = ret;
- ret = NULL;
- }
- if (ret)
- free(ret);
- return retval;
+ krb5_keyblock *key = NULL;
+ ret = calloc(1, sizeof(krb5_data));
+ if (ret == NULL)
+ return ENOMEM;
+ retval = 0;
+ if (rock->fast_state->armor_key)
+ retval = krb5_copy_keyblock(kcontext, rock->fast_state->armor_key,
+ &key);
+ if (retval == 0) {
+ ret->data = (char *) key;
+ ret->length = key?sizeof(krb5_keyblock):0;
+ key = NULL;
+ }
+ if (retval == 0) {
+ *retdata = ret;
+ ret = NULL;
+ }
+ if (ret)
+ free(ret);
+ return retval;
}
case krb5plugin_preauth_client_free_fast_armor:
- ret = *retdata;
- if (ret) {
- if (ret->data)
- krb5_free_keyblock(kcontext, (krb5_keyblock *) ret->data);
- free(ret);
- *retdata = NULL;
- }
- return 0;
- default:
- return EINVAL;
+ ret = *retdata;
+ if (ret) {
+ if (ret->data)
+ krb5_free_keyblock(kcontext, (krb5_keyblock *) ret->data);
+ free(ret);
+ *retdata = NULL;
+ }
+ return 0;
+ default:
+ return EINVAL;
}
}
@@ -499,25 +500,25 @@ client_data_proc(krb5_context kcontext,
* involved things. */
void KRB5_CALLCONV
krb5_preauth_prepare_request(krb5_context kcontext,
- krb5_gic_opt_ext *opte,
- krb5_kdc_req *request)
+ krb5_gic_opt_ext *opte,
+ krb5_kdc_req *request)
{
int i, j;
if (kcontext->preauth_context == NULL) {
- return;
+ return;
}
/* Add the module-specific enctype list to the request, but only if
* it's something we can safely modify. */
if (!(opte && (opte->flags & KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST))) {
- for (i = 0; i < kcontext->preauth_context->n_modules; i++) {
- if (kcontext->preauth_context->modules[i].enctypes == NULL)
- continue;
- for (j = 0; kcontext->preauth_context->modules[i].enctypes[j] != 0; j++) {
- grow_ktypes(&request->ktype, &request->nktypes,
- kcontext->preauth_context->modules[i].enctypes[j]);
- }
- }
+ for (i = 0; i < kcontext->preauth_context->n_modules; i++) {
+ if (kcontext->preauth_context->modules[i].enctypes == NULL)
+ continue;
+ for (j = 0; kcontext->preauth_context->modules[i].enctypes[j] != 0; j++) {
+ grow_ktypes(&request->ktype, &request->nktypes,
+ kcontext->preauth_context->modules[i].enctypes[j]);
+ }
+ }
}
}
@@ -526,24 +527,24 @@ krb5_preauth_prepare_request(krb5_context kcontext,
* they don't generate preauth data), and run it. */
static krb5_error_code
krb5_run_preauth_plugins(krb5_context kcontext,
- int module_required_flags,
- krb5_kdc_req *request,
- krb5_data *encoded_request_body,
- krb5_data *encoded_previous_request,
- krb5_pa_data *in_padata,
- krb5_prompter_fct prompter,
- void *prompter_data,
- preauth_get_as_key_proc gak_fct,
- krb5_data *salt,
- krb5_data *s2kparams,
- void *gak_data,
- krb5_preauth_client_rock *get_data_rock,
- krb5_keyblock *as_key,
- krb5_pa_data ***out_pa_list,
- int *out_pa_list_size,
- int *module_ret,
- int *module_flags,
- krb5_gic_opt_ext *opte)
+ int module_required_flags,
+ krb5_kdc_req *request,
+ krb5_data *encoded_request_body,
+ krb5_data *encoded_previous_request,
+ krb5_pa_data *in_padata,
+ krb5_prompter_fct prompter,
+ void *prompter_data,
+ preauth_get_as_key_proc gak_fct,
+ krb5_data *salt,
+ krb5_data *s2kparams,
+ void *gak_data,
+ krb5_preauth_client_rock *get_data_rock,
+ krb5_keyblock *as_key,
+ krb5_pa_data ***out_pa_list,
+ int *out_pa_list_size,
+ int *module_ret,
+ int *module_flags,
+ krb5_gic_opt_ext *opte)
{
int i;
krb5_pa_data **out_pa_data;
@@ -551,64 +552,64 @@ krb5_run_preauth_plugins(krb5_context kcontext,
struct _krb5_preauth_context_module *module;
if (kcontext->preauth_context == NULL) {
- return ENOENT;
+ return ENOENT;
}
/* iterate over all loaded modules */
for (i = 0; i < kcontext->preauth_context->n_modules; i++) {
- module = &kcontext->preauth_context->modules[i];
- /* skip over those which don't match the preauth type */
- if (module->pa_type != in_padata->pa_type)
- continue;
- /* skip over those which don't match the flags (INFO vs REAL, mainly) */
- if ((module->flags & module_required_flags) == 0)
- continue;
- /* if it's a REAL module, try to call it only once per library call */
- if (module_required_flags & PA_REAL) {
- if (module->use_count > 0) {
+ module = &kcontext->preauth_context->modules[i];
+ /* skip over those which don't match the preauth type */
+ if (module->pa_type != in_padata->pa_type)
+ continue;
+ /* skip over those which don't match the flags (INFO vs REAL, mainly) */
+ if ((module->flags & module_required_flags) == 0)
+ continue;
+ /* if it's a REAL module, try to call it only once per library call */
+ if (module_required_flags & PA_REAL) {
+ if (module->use_count > 0) {
#ifdef DEBUG
- fprintf(stderr, "skipping already-used module \"%s\"(%d)\n",
- module->name, module->pa_type);
+ fprintf(stderr, "skipping already-used module \"%s\"(%d)\n",
+ module->name, module->pa_type);
#endif
- continue;
- }
- module->use_count++;
- }
- /* run the module's callback function */
- out_pa_data = NULL;
+ continue;
+ }
+ module->use_count++;
+ }
+ /* run the module's callback function */
+ out_pa_data = NULL;
#ifdef DEBUG
- fprintf(stderr, "using module \"%s\" (%d), flags = %d\n",
- module->name, module->pa_type, module->flags);
+ fprintf(stderr, "using module \"%s\" (%d), flags = %d\n",
+ module->name, module->pa_type, module->flags);
#endif
- ret = module->client_process(kcontext,
- module->plugin_context,
- *module->request_context_pp,
- (krb5_get_init_creds_opt *)opte,
- client_data_proc,
- get_data_rock,
- request,
- encoded_request_body,
- encoded_previous_request,
- in_padata,
- prompter, prompter_data,
- gak_fct, gak_data, salt, s2kparams,
- as_key,
- &out_pa_data);
- /* Make note of the module's flags and status. */
- *module_flags = module->flags;
- *module_ret = ret;
- /* Save the new preauth data item. */
- if (out_pa_data != NULL) {
- int j;
- for (j = 0; out_pa_data[j] != NULL; j++);
- ret = grow_pa_list(out_pa_list, out_pa_list_size, out_pa_data, j);
- free(out_pa_data);
- if (ret != 0)
- return ret;
- }
- break;
+ ret = module->client_process(kcontext,
+ module->plugin_context,
+ *module->request_context_pp,
+ (krb5_get_init_creds_opt *)opte,
+ client_data_proc,
+ get_data_rock,
+ request,
+ encoded_request_body,
+ encoded_previous_request,
+ in_padata,
+ prompter, prompter_data,
+ gak_fct, gak_data, salt, s2kparams,
+ as_key,
+ &out_pa_data);
+ /* Make note of the module's flags and status. */
+ *module_flags = module->flags;
+ *module_ret = ret;
+ /* Save the new preauth data item. */
+ if (out_pa_data != NULL) {
+ int j;
+ for (j = 0; out_pa_data[j] != NULL; j++);
+ ret = grow_pa_list(out_pa_list, out_pa_list_size, out_pa_data, j);
+ free(out_pa_data);
+ if (ret != 0)
+ return ret;
+ }
+ break;
}
if (i >= kcontext->preauth_context->n_modules) {
- return ENOENT;
+ return ENOENT;
}
return 0;
}
@@ -625,14 +626,14 @@ padata2data(krb5_pa_data p)
static
krb5_error_code pa_salt(krb5_context context,
- krb5_kdc_req *request,
- krb5_pa_data *in_padata,
- krb5_pa_data **out_padata,
- krb5_data *salt, krb5_data *s2kparams,
- krb5_enctype *etype,
- krb5_keyblock *as_key,
- krb5_prompter_fct prompter, void *prompter_data,
- krb5_gic_get_as_key_fct gak_fct, void *gak_data)
+ krb5_kdc_req *request,
+ krb5_pa_data *in_padata,
+ krb5_pa_data **out_padata,
+ krb5_data *salt, krb5_data *s2kparams,
+ krb5_enctype *etype,
+ krb5_keyblock *as_key,
+ krb5_prompter_fct prompter, void *prompter_data,
+ krb5_gic_get_as_key_fct gak_fct, void *gak_data)
{
krb5_data tmp;
krb5_error_code retval;
@@ -641,36 +642,36 @@ krb5_error_code pa_salt(krb5_context context,
krb5_free_data_contents(context, salt);
retval = krb5int_copy_data_contents(context, &tmp, salt);
if (retval)
- return retval;
+ return retval;
if (in_padata->pa_type == KRB5_PADATA_AFS3_SALT)
- salt->length = SALT_TYPE_AFS_LENGTH;
+ salt->length = SALT_TYPE_AFS_LENGTH;
return(0);
}
static
krb5_error_code pa_fx_cookie(krb5_context context,
- krb5_kdc_req *request,
- krb5_pa_data *in_padata,
- krb5_pa_data **out_padata,
- krb5_data *salt,
- krb5_data *s2kparams,
- krb5_enctype *etype,
- krb5_keyblock *as_key,
- krb5_prompter_fct prompter,
- void *prompter_data,
- krb5_gic_get_as_key_fct gak_fct,
- void *gak_data)
+ krb5_kdc_req *request,
+ krb5_pa_data *in_padata,
+ krb5_pa_data **out_padata,
+ krb5_data *salt,
+ krb5_data *s2kparams,
+ krb5_enctype *etype,
+ krb5_keyblock *as_key,
+ krb5_prompter_fct prompter,
+ void *prompter_data,
+ krb5_gic_get_as_key_fct gak_fct,
+ void *gak_data)
{
krb5_pa_data *pa = calloc(1, sizeof(krb5_pa_data));
krb5_octet *contents;
if (pa == NULL)
- return ENOMEM;
+ return ENOMEM;
contents = malloc(in_padata->length);
if (contents == NULL) {
- free(pa);
- return ENOMEM;
+ free(pa);
+ return ENOMEM;
}
*pa = *in_padata;
pa->contents = contents;
@@ -681,68 +682,68 @@ krb5_error_code pa_fx_cookie(krb5_context context,
static
krb5_error_code pa_enc_timestamp(krb5_context context,
- krb5_kdc_req *request,
- krb5_pa_data *in_padata,
- krb5_pa_data **out_padata,
- krb5_data *salt,
- krb5_data *s2kparams,
- krb5_enctype *etype,
- krb5_keyblock *as_key,
- krb5_prompter_fct prompter,
- void *prompter_data,
- krb5_gic_get_as_key_fct gak_fct,
- void *gak_data)
+ krb5_kdc_req *request,
+ krb5_pa_data *in_padata,
+ krb5_pa_data **out_padata,
+ krb5_data *salt,
+ krb5_data *s2kparams,
+ krb5_enctype *etype,
+ krb5_keyblock *as_key,
+ krb5_prompter_fct prompter,
+ void *prompter_data,
+ krb5_gic_get_as_key_fct gak_fct,
+ void *gak_data)
{
krb5_error_code ret;
krb5_pa_enc_ts pa_enc;
krb5_data *tmp;
krb5_enc_data enc_data;
krb5_pa_data *pa;
-
+
if (as_key->length == 0) {
#ifdef DEBUG
- fprintf (stderr, "%s:%d: salt len=%d", __FILE__, __LINE__,
- salt->length);
- if ((int) salt->length > 0)
- fprintf (stderr, " '%.*s'", salt->length, salt->data);
- fprintf (stderr, "; *etype=%d request->ktype[0]=%d\n",
- *etype, request->ktype[0]);
+ fprintf (stderr, "%s:%d: salt len=%d", __FILE__, __LINE__,
+ salt->length);
+ if ((int) salt->length > 0)
+ fprintf (stderr, " '%.*s'", salt->length, salt->data);
+ fprintf (stderr, "; *etype=%d request->ktype[0]=%d\n",
+ *etype, request->ktype[0]);
#endif
- if ((ret = ((*gak_fct)(context, request->client,
- *etype ? *etype : request->ktype[0],
- prompter, prompter_data,
- salt, s2kparams, as_key, gak_data))))
- return(ret);
+ if ((ret = ((*gak_fct)(context, request->client,
+ *etype ? *etype : request->ktype[0],
+ prompter, prompter_data,
+ salt, s2kparams, as_key, gak_data))))
+ return(ret);
}
/* now get the time of day, and encrypt it accordingly */
if ((ret = krb5_us_timeofday(context, &pa_enc.patimestamp, &pa_enc.pausec)))
- return(ret);
+ return(ret);
if ((ret = encode_krb5_pa_enc_ts(&pa_enc, &tmp)))
- return(ret);
+ return(ret);
#ifdef DEBUG
fprintf (stderr, "key type %d bytes %02x %02x ...\n",
- as_key->enctype,
- as_key->contents[0], as_key->contents[1]);
+ as_key->enctype,
+ as_key->contents[0], as_key->contents[1]);
#endif
ret = krb5_encrypt_helper(context, as_key,
- KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS,
- tmp, &enc_data);
+ KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS,
+ tmp, &enc_data);
#ifdef DEBUG
fprintf (stderr, "enc data { type=%d kvno=%d data=%02x %02x ... }\n",
- enc_data.enctype, enc_data.kvno,
- 0xff & enc_data.ciphertext.data[0],
- 0xff & enc_data.ciphertext.data[1]);
+ enc_data.enctype, enc_data.kvno,
+ 0xff & enc_data.ciphertext.data[0],
+ 0xff & enc_data.ciphertext.data[1]);
#endif
krb5_free_data(context, tmp);
if (ret) {
- free(enc_data.ciphertext.data);
- return(ret);
+ free(enc_data.ciphertext.data);
+ return(ret);
}
ret = encode_krb5_enc_data(&enc_data, &tmp);
@@ -750,11 +751,11 @@ krb5_error_code pa_enc_timestamp(krb5_context context,
free(enc_data.ciphertext.data);
if (ret)
- return(ret);
+ return(ret);
if ((pa = (krb5_pa_data *) malloc(sizeof(krb5_pa_data))) == NULL) {
- krb5_free_data(context, tmp);
- return(ENOMEM);
+ krb5_free_data(context, tmp);
+ return(ENOMEM);
}
pa->magic = KV5M_PA_DATA;
@@ -769,38 +770,38 @@ krb5_error_code pa_enc_timestamp(krb5_context context,
return(0);
}
-static
+static
char *sam_challenge_banner(krb5_int32 sam_type)
{
char *label;
switch (sam_type) {
- case PA_SAM_TYPE_ENIGMA: /* Enigma Logic */
- label = "Challenge for Enigma Logic mechanism";
- break;
+ case PA_SAM_TYPE_ENIGMA: /* Enigma Logic */
+ label = "Challenge for Enigma Logic mechanism";
+ break;
case PA_SAM_TYPE_DIGI_PATH: /* Digital Pathways */
case PA_SAM_TYPE_DIGI_PATH_HEX: /* Digital Pathways */
- label = "Challenge for Digital Pathways mechanism";
- break;
+ label = "Challenge for Digital Pathways mechanism";
+ break;
case PA_SAM_TYPE_ACTIVCARD_DEC: /* Digital Pathways */
case PA_SAM_TYPE_ACTIVCARD_HEX: /* Digital Pathways */
- label = "Challenge for Activcard mechanism";
- break;
- case PA_SAM_TYPE_SKEY_K0: /* S/key where KDC has key 0 */
- label = "Challenge for Enhanced S/Key mechanism";
- break;
- case PA_SAM_TYPE_SKEY: /* Traditional S/Key */
- label = "Challenge for Traditional S/Key mechanism";
- break;
- case PA_SAM_TYPE_SECURID: /* Security Dynamics */
- label = "Challenge for Security Dynamics mechanism";
- break;
- case PA_SAM_TYPE_SECURID_PREDICT: /* predictive Security Dynamics */
- label = "Challenge for Security Dynamics mechanism";
- break;
+ label = "Challenge for Activcard mechanism";
+ break;
+ case PA_SAM_TYPE_SKEY_K0: /* S/key where KDC has key 0 */
+ label = "Challenge for Enhanced S/Key mechanism";
+ break;
+ case PA_SAM_TYPE_SKEY: /* Traditional S/Key */
+ label = "Challenge for Traditional S/Key mechanism";
+ break;
+ case PA_SAM_TYPE_SECURID: /* Security Dynamics */
+ label = "Challenge for Security Dynamics mechanism";
+ break;
+ case PA_SAM_TYPE_SECURID_PREDICT: /* predictive Security Dynamics */
+ label = "Challenge for Security Dynamics mechanism";
+ break;
default:
- label = "Challenge from authentication server";
- break;
+ label = "Challenge from authentication server";
+ break;
}
return(label);
@@ -808,12 +809,12 @@ char *sam_challenge_banner(krb5_int32 sam_type)
/* this macro expands to the int,ptr necessary for "%.*s" in an sprintf */
-#define SAMDATA(kdata, str, maxsize) \
- (int)((kdata.length)? \
- ((((kdata.length)<=(maxsize))?(kdata.length):strlen(str))): \
- strlen(str)), \
- (kdata.length)? \
- ((((kdata.length)<=(maxsize))?(kdata.data):(str))):(str)
+#define SAMDATA(kdata, str, maxsize) \
+ (int)((kdata.length)? \
+ ((((kdata.length)<=(maxsize))?(kdata.length):strlen(str))): \
+ strlen(str)), \
+ (kdata.length)? \
+ ((((kdata.length)<=(maxsize))?(kdata.data):(str))):(str)
/* XXX Danger! This code is not in sync with the kerberos-password-02
draft. This draft cannot be implemented as written. This code is
@@ -821,82 +822,82 @@ char *sam_challenge_banner(krb5_int32 sam_type)
static
krb5_error_code pa_sam(krb5_context context,
- krb5_kdc_req *request,
- krb5_pa_data *in_padata,
- krb5_pa_data **out_padata,
- krb5_data *salt,
- krb5_data *s2kparams,
- krb5_enctype *etype,
- krb5_keyblock *as_key,
- krb5_prompter_fct prompter,
- void *prompter_data,
- krb5_gic_get_as_key_fct gak_fct,
- void *gak_data)
+ krb5_kdc_req *request,
+ krb5_pa_data *in_padata,
+ krb5_pa_data **out_padata,
+ krb5_data *salt,
+ krb5_data *s2kparams,
+ krb5_enctype *etype,
+ krb5_keyblock *as_key,
+ krb5_prompter_fct prompter,
+ void *prompter_data,
+ krb5_gic_get_as_key_fct gak_fct,
+ void *gak_data)
{
- krb5_error_code ret;
- krb5_data tmpsam;
- char name[100], banner[100];
- char prompt[100], response[100];
- krb5_data response_data;
- krb5_prompt kprompt;
- krb5_prompt_type prompt_type;
- krb5_data defsalt;
- krb5_sam_challenge *sam_challenge = 0;
- krb5_sam_response sam_response;
+ krb5_error_code ret;
+ krb5_data tmpsam;
+ char name[100], banner[100];
+ char prompt[100], response[100];
+ krb5_data response_data;
+ krb5_prompt kprompt;
+ krb5_prompt_type prompt_type;
+ krb5_data defsalt;
+ krb5_sam_challenge *sam_challenge = 0;
+ krb5_sam_response sam_response;
/* these two get encrypted and stuffed in to sam_response */
- krb5_enc_sam_response_enc enc_sam_response_enc;
- krb5_data * scratch;
- krb5_pa_data * pa;
+ krb5_enc_sam_response_enc enc_sam_response_enc;
+ krb5_data * scratch;
+ krb5_pa_data * pa;
if (prompter == NULL)
- return EIO;
+ return EIO;
tmpsam.length = in_padata->length;
tmpsam.data = (char *) in_padata->contents;
if ((ret = decode_krb5_sam_challenge(&tmpsam, &sam_challenge)))
- return(ret);
+ return(ret);
if (sam_challenge->sam_flags & KRB5_SAM_MUST_PK_ENCRYPT_SAD) {
- krb5_free_sam_challenge(context, sam_challenge);
- return(KRB5_SAM_UNSUPPORTED);
+ krb5_free_sam_challenge(context, sam_challenge);
+ return(KRB5_SAM_UNSUPPORTED);
}
- /* If we need the password from the user (USE_SAD_AS_KEY not set), */
- /* then get it here. Exception for "old" KDCs with CryptoCard */
- /* support which uses the USE_SAD_AS_KEY flag, but still needs pwd */
+ /* If we need the password from the user (USE_SAD_AS_KEY not set), */
+ /* then get it here. Exception for "old" KDCs with CryptoCard */
+ /* support which uses the USE_SAD_AS_KEY flag, but still needs pwd */
if (!(sam_challenge->sam_flags & KRB5_SAM_USE_SAD_AS_KEY) ||
- (sam_challenge->sam_type == PA_SAM_TYPE_CRYPTOCARD)) {
+ (sam_challenge->sam_type == PA_SAM_TYPE_CRYPTOCARD)) {
- /* etype has either been set by caller or by KRB5_PADATA_ETYPE_INFO */
- /* message from the KDC. If it is not set, pick an enctype that we */
- /* think the KDC will have for us. */
+ /* etype has either been set by caller or by KRB5_PADATA_ETYPE_INFO */
+ /* message from the KDC. If it is not set, pick an enctype that we */
+ /* think the KDC will have for us. */
- if (*etype == 0)
- *etype = ENCTYPE_DES_CBC_CRC;
+ if (*etype == 0)
+ *etype = ENCTYPE_DES_CBC_CRC;
- if ((ret = (gak_fct)(context, request->client, *etype, prompter,
- prompter_data, salt, s2kparams, as_key,
- gak_data))) {
- krb5_free_sam_challenge(context, sam_challenge);
- return(ret);
- }
+ if ((ret = (gak_fct)(context, request->client, *etype, prompter,
+ prompter_data, salt, s2kparams, as_key,
+ gak_data))) {
+ krb5_free_sam_challenge(context, sam_challenge);
+ return(ret);
+ }
}
snprintf(name, sizeof(name), "%.*s",
- SAMDATA(sam_challenge->sam_type_name, "SAM Authentication",
- sizeof(name) - 1));
+ SAMDATA(sam_challenge->sam_type_name, "SAM Authentication",
+ sizeof(name) - 1));
snprintf(banner, sizeof(banner), "%.*s",
- SAMDATA(sam_challenge->sam_challenge_label,
- sam_challenge_banner(sam_challenge->sam_type),
- sizeof(banner)-1));
+ SAMDATA(sam_challenge->sam_challenge_label,
+ sam_challenge_banner(sam_challenge->sam_type),
+ sizeof(banner)-1));
/* sprintf(prompt, "Challenge is [%s], %s: ", challenge, prompt); */
snprintf(prompt, sizeof(prompt), "%s%.*s%s%.*s",
- sam_challenge->sam_challenge.length?"Challenge is [":"",
- SAMDATA(sam_challenge->sam_challenge, "", 20),
- sam_challenge->sam_challenge.length?"], ":"",
- SAMDATA(sam_challenge->sam_response_prompt, "passcode", 55));
+ sam_challenge->sam_challenge.length?"Challenge is [":"",
+ SAMDATA(sam_challenge->sam_challenge, "", 20),
+ sam_challenge->sam_challenge.length?"], ":"",
+ SAMDATA(sam_challenge->sam_response_prompt, "passcode", 55));
response_data.data = response;
response_data.length = sizeof(response);
@@ -909,115 +910,115 @@ krb5_error_code pa_sam(krb5_context context,
/* PROMPTER_INVOCATION */
krb5int_set_prompt_types(context, &prompt_type);
if ((ret = ((*prompter)(context, prompter_data, name,
- banner, 1, &kprompt)))) {
- krb5_free_sam_challenge(context, sam_challenge);
- krb5int_set_prompt_types(context, 0);
- return(ret);
+ banner, 1, &kprompt)))) {
+ krb5_free_sam_challenge(context, sam_challenge);
+ krb5int_set_prompt_types(context, 0);
+ return(ret);
}
krb5int_set_prompt_types(context, 0);
enc_sam_response_enc.sam_nonce = sam_challenge->sam_nonce;
if (sam_challenge->sam_nonce == 0) {
- if ((ret = krb5_us_timeofday(context,
- &enc_sam_response_enc.sam_timestamp,
- &enc_sam_response_enc.sam_usec))) {
- krb5_free_sam_challenge(context,sam_challenge);
- return(ret);
- }
+ if ((ret = krb5_us_timeofday(context,
+ &enc_sam_response_enc.sam_timestamp,
+ &enc_sam_response_enc.sam_usec))) {
+ krb5_free_sam_challenge(context,sam_challenge);
+ return(ret);
+ }
- sam_response.sam_patimestamp = enc_sam_response_enc.sam_timestamp;
+ sam_response.sam_patimestamp = enc_sam_response_enc.sam_timestamp;
}
/* XXX What if more than one flag is set? */
if (sam_challenge->sam_flags & KRB5_SAM_SEND_ENCRYPTED_SAD) {
- /* Most of this should be taken care of before we get here. We */
- /* will need the user's password and as_key to encrypt the SAD */
- /* and we want to preserve ordering of user prompts (first */
- /* password, then SAM data) so that user's won't be confused. */
+ /* Most of this should be taken care of before we get here. We */
+ /* will need the user's password and as_key to encrypt the SAD */
+ /* and we want to preserve ordering of user prompts (first */
+ /* password, then SAM data) so that user's won't be confused. */
- if (as_key->length) {
- krb5_free_keyblock_contents(context, as_key);
- as_key->length = 0;
- }
+ if (as_key->length) {
+ krb5_free_keyblock_contents(context, as_key);
+ as_key->length = 0;
+ }
- /* generate a salt using the requested principal */
+ /* generate a salt using the requested principal */
- if ((salt->length == -1 || salt->length == SALT_TYPE_AFS_LENGTH) && (salt->data == NULL)) {
- if ((ret = krb5_principal2salt(context, request->client,
- &defsalt))) {
- krb5_free_sam_challenge(context, sam_challenge);
- return(ret);
- }
+ if ((salt->length == -1 || salt->length == SALT_TYPE_AFS_LENGTH) && (salt->data == NULL)) {
+ if ((ret = krb5_principal2salt(context, request->client,
+ &defsalt))) {
+ krb5_free_sam_challenge(context, sam_challenge);
+ return(ret);
+ }
- salt = &defsalt;
- } else {
- defsalt.length = 0;
- }
+ salt = &defsalt;
+ } else {
+ defsalt.length = 0;
+ }
- /* generate a key using the supplied password */
+ /* generate a key using the supplied password */
- ret = krb5_c_string_to_key(context, ENCTYPE_DES_CBC_MD5,
- (krb5_data *)gak_data, salt, as_key);
+ ret = krb5_c_string_to_key(context, ENCTYPE_DES_CBC_MD5,
+ (krb5_data *)gak_data, salt, as_key);
- if (defsalt.length)
- free(defsalt.data);
+ if (defsalt.length)
+ free(defsalt.data);
- if (ret) {
- krb5_free_sam_challenge(context, sam_challenge);
- return(ret);
- }
+ if (ret) {
+ krb5_free_sam_challenge(context, sam_challenge);
+ return(ret);
+ }
- /* encrypt the passcode with the key from above */
+ /* encrypt the passcode with the key from above */
- enc_sam_response_enc.sam_sad = response_data;
+ enc_sam_response_enc.sam_sad = response_data;
} else if (sam_challenge->sam_flags & KRB5_SAM_USE_SAD_AS_KEY) {
- /* process the key as password */
+ /* process the key as password */
- if (as_key->length) {
- krb5_free_keyblock_contents(context, as_key);
- as_key->length = 0;
- }
+ if (as_key->length) {
+ krb5_free_keyblock_contents(context, as_key);
+ as_key->length = 0;
+ }
#if 0
- if ((salt->length == SALT_TYPE_AFS_LENGTH) && (salt->data == NULL)) {
- if (ret = krb5_principal2salt(context, request->client,
- &defsalt)) {
- krb5_free_sam_challenge(context, sam_challenge);
- return(ret);
- }
-
- salt = &defsalt;
- } else {
- defsalt.length = 0;
- }
+ if ((salt->length == SALT_TYPE_AFS_LENGTH) && (salt->data == NULL)) {
+ if (ret = krb5_principal2salt(context, request->client,
+ &defsalt)) {
+ krb5_free_sam_challenge(context, sam_challenge);
+ return(ret);
+ }
+
+ salt = &defsalt;
+ } else {
+ defsalt.length = 0;
+ }
#else
- defsalt.length = 0;
- salt = NULL;
+ defsalt.length = 0;
+ salt = NULL;
#endif
-
- /* XXX As of the passwords-04 draft, no enctype is specified,
- the server uses ENCTYPE_DES_CBC_MD5. In the future the
- server should send a PA-SAM-ETYPE-INFO containing the enctype. */
- ret = krb5_c_string_to_key(context, ENCTYPE_DES_CBC_MD5,
- &response_data, salt, as_key);
+ /* XXX As of the passwords-04 draft, no enctype is specified,
+ the server uses ENCTYPE_DES_CBC_MD5. In the future the
+ server should send a PA-SAM-ETYPE-INFO containing the enctype. */
+
+ ret = krb5_c_string_to_key(context, ENCTYPE_DES_CBC_MD5,
+ &response_data, salt, as_key);
- if (defsalt.length)
- free(defsalt.data);
+ if (defsalt.length)
+ free(defsalt.data);
- if (ret) {
- krb5_free_sam_challenge(context, sam_challenge);
- return(ret);
- }
+ if (ret) {
+ krb5_free_sam_challenge(context, sam_challenge);
+ return(ret);
+ }
- enc_sam_response_enc.sam_sad.length = 0;
+ enc_sam_response_enc.sam_sad.length = 0;
} else {
- /* Eventually, combine SAD with long-term key to get
- encryption key. */
- krb5_free_sam_challenge(context, sam_challenge);
- return KRB5_PREAUTH_BAD_TYPE;
+ /* Eventually, combine SAD with long-term key to get
+ encryption key. */
+ krb5_free_sam_challenge(context, sam_challenge);
+ return KRB5_PREAUTH_BAD_TYPE;
}
/* copy things from the challenge */
@@ -1031,26 +1032,26 @@ krb5_error_code pa_sam(krb5_context context,
/* encode the encoded part of the response */
if ((ret = encode_krb5_enc_sam_response_enc(&enc_sam_response_enc,
- &scratch)))
- return(ret);
+ &scratch)))
+ return(ret);
ret = krb5_encrypt_data(context, as_key, 0, scratch,
- &sam_response.sam_enc_nonce_or_ts);
+ &sam_response.sam_enc_nonce_or_ts);
krb5_free_data(context, scratch);
if (ret)
- return(ret);
+ return(ret);
/* sam_enc_key is reserved for future use */
sam_response.sam_enc_key.ciphertext.length = 0;
if ((pa = malloc(sizeof(krb5_pa_data))) == NULL)
- return(ENOMEM);
+ return(ENOMEM);
if ((ret = encode_krb5_sam_response(&sam_response, &scratch))) {
- free(pa);
- return(ret);
+ free(pa);
+ return(ret);
}
pa->magic = KV5M_PA_DATA;
@@ -1066,7 +1067,7 @@ krb5_error_code pa_sam(krb5_context context,
}
#if APPLE_PKINIT
-/*
+/*
* PKINIT. One function to generate AS-REQ, one to parse AS-REP
*/
#define PKINIT_DEBUG 0
@@ -1081,32 +1082,32 @@ static krb5_error_code pa_pkinit_gen_req(
krb5_kdc_req *request,
krb5_pa_data *in_padata,
krb5_pa_data **out_padata,
- krb5_data *salt,
+ krb5_data *salt,
krb5_data *s2kparams,
krb5_enctype *etype,
krb5_keyblock *as_key,
- krb5_prompter_fct prompter,
+ krb5_prompter_fct prompter,
void *prompter_data,
- krb5_gic_get_as_key_fct gak_fct,
+ krb5_gic_get_as_key_fct gak_fct,
void *gak_data)
{
- krb5_error_code krtn;
- krb5_data out_data = {0, 0, NULL};
- krb5_timestamp kctime = 0;
- krb5_int32 cusec = 0;
- krb5_ui_4 nonce = 0;
- krb5_checksum cksum;
- krb5_pkinit_signing_cert_t client_cert;
- krb5_data *der_req = NULL;
- char *client_principal = NULL;
- char *server_principal = NULL;
- unsigned char nonce_bytes[4];
- krb5_data nonce_data = {0, 4, (char *)nonce_bytes};
- int dex;
-
- /*
+ krb5_error_code krtn;
+ krb5_data out_data = {0, 0, NULL};
+ krb5_timestamp kctime = 0;
+ krb5_int32 cusec = 0;
+ krb5_ui_4 nonce = 0;
+ krb5_checksum cksum;
+ krb5_pkinit_signing_cert_t client_cert;
+ krb5_data *der_req = NULL;
+ char *client_principal = NULL;
+ char *server_principal = NULL;
+ unsigned char nonce_bytes[4];
+ krb5_data nonce_data = {0, 4, (char *)nonce_bytes};
+ int dex;
+
+ /*
* Trusted CA list and specific KC cert optionally obtained via
- * krb5_pkinit_get_server_certs(). All are DER-encoded certs.
+ * krb5_pkinit_get_server_certs(). All are DER-encoded certs.
*/
krb5_data *trusted_CAs = NULL;
krb5_ui_4 num_trusted_CAs;
@@ -1116,72 +1117,72 @@ static krb5_error_code pa_pkinit_gen_req(
/* If we don't have a client cert, we're done */
if(request->client == NULL) {
- kdcPkinitDebug("No request->client; aborting PKINIT\n");
- return KRB5KDC_ERR_PREAUTH_FAILED;
+ kdcPkinitDebug("No request->client; aborting PKINIT\n");
+ return KRB5KDC_ERR_PREAUTH_FAILED;
}
krtn = krb5_unparse_name(context, request->client, &client_principal);
if(krtn) {
- return krtn;
+ return krtn;
}
krtn = krb5_pkinit_get_client_cert(client_principal, &client_cert);
free(client_principal);
if(krtn) {
- kdcPkinitDebug("No client cert; aborting PKINIT\n");
- return krtn;
+ kdcPkinitDebug("No client cert; aborting PKINIT\n");
+ return krtn;
}
-
+
/* optional platform-dependent CA list and KDC cert */
krtn = krb5_unparse_name(context, request->server, &server_principal);
if(krtn) {
- goto cleanup;
+ goto cleanup;
}
krtn = krb5_pkinit_get_server_certs(client_principal, server_principal,
- &trusted_CAs, &num_trusted_CAs, &kdc_cert);
+ &trusted_CAs, &num_trusted_CAs, &kdc_cert);
if(krtn) {
- goto cleanup;
+ goto cleanup;
}
-
+
/* checksum of the encoded KDC-REQ-BODY */
krtn = encode_krb5_kdc_req_body(request, &der_req);
if(krtn) {
- kdcPkinitDebug("encode_krb5_kdc_req_body returned %d\n", (int)krtn);
- goto cleanup;
+ kdcPkinitDebug("encode_krb5_kdc_req_body returned %d\n", (int)krtn);
+ goto cleanup;
}
krtn = krb5_c_make_checksum(context, CKSUMTYPE_NIST_SHA, NULL, 0, der_req, &cksum);
if(krtn) {
- goto cleanup;
+ goto cleanup;
}
krtn = krb5_us_timeofday(context, &kctime, &cusec);
if(krtn) {
- goto cleanup;
+ goto cleanup;
}
-
+
/* cook up a random 4-byte nonce */
krtn = krb5_c_random_make_octets(context, &nonce_data);
if(krtn) {
- goto cleanup;
+ goto cleanup;
}
for(dex=0; dex<4; dex++) {
- nonce <<= 8;
- nonce |= nonce_bytes[dex];
+ nonce <<= 8;
+ nonce |= nonce_bytes[dex];
}
- krtn = krb5int_pkinit_as_req_create(context,
- kctime, cusec, nonce, &cksum,
- client_cert,
- trusted_CAs, num_trusted_CAs,
- (kdc_cert.data ? &kdc_cert : NULL),
- &out_data);
+ krtn = krb5int_pkinit_as_req_create(context,
+ kctime, cusec, nonce, &cksum,
+ client_cert,
+ trusted_CAs, num_trusted_CAs,
+ (kdc_cert.data ? &kdc_cert : NULL),
+ &out_data);
if(krtn) {
- kdcPkinitDebug("error %d on pkinit_as_req_create; aborting PKINIT\n", (int)krtn);
- goto cleanup;
+ kdcPkinitDebug("error %d on pkinit_as_req_create; aborting PKINIT\n", (int)krtn);
+ goto cleanup;
}
*out_padata = (krb5_pa_data *)malloc(sizeof(krb5_pa_data));
if(*out_padata == NULL) {
- krtn = ENOMEM;
- free(out_data.data);
- goto cleanup;
+ krtn = ENOMEM;
+ free(out_data.data);
+ goto cleanup;
}
(*out_padata)->magic = KV5M_PA_DATA;
(*out_padata)->pa_type = KRB5_PADATA_PK_AS_REQ;
@@ -1190,27 +1191,27 @@ static krb5_error_code pa_pkinit_gen_req(
krtn = 0;
cleanup:
if(client_cert) {
- krb5_pkinit_release_cert(client_cert);
+ krb5_pkinit_release_cert(client_cert);
}
if(cksum.contents) {
- free(cksum.contents);
+ free(cksum.contents);
}
if (der_req) {
- krb5_free_data(context, der_req);
+ krb5_free_data(context, der_req);
}
if(server_principal) {
- free(server_principal);
+ free(server_principal);
}
/* free data mallocd by krb5_pkinit_get_server_certs() */
if(trusted_CAs) {
- unsigned udex;
- for(udex=0; udex<num_trusted_CAs; udex++) {
- free(trusted_CAs[udex].data);
- }
- free(trusted_CAs);
+ unsigned udex;
+ for(udex=0; udex<num_trusted_CAs; udex++) {
+ free(trusted_CAs[udex].data);
+ }
+ free(trusted_CAs);
}
if(kdc_cert.data) {
- free(kdc_cert.data);
+ free(kdc_cert.data);
}
return krtn;
@@ -1234,17 +1235,17 @@ static krb5_boolean local_kdc_cert_match(
if (client->realm.length <= sizeof(lkdcprefix) ||
0 != memcmp(lkdcprefix, client->realm.data, sizeof(lkdcprefix)-1))
- return match;
+ return match;
realm_hash = &client->realm.data[sizeof(lkdcprefix)-1];
realm_hash_len = client->realm.length - sizeof(lkdcprefix) + 1;
kdcPkinitDebug("checking realm versus certificate hash\n");
if (NULL != (cert_hash = krb5_pkinit_cert_hash_str(signer_cert))) {
- kdcPkinitDebug("hash = %s\n", cert_hash);
- cert_hash_len = strlen(cert_hash);
- if (cert_hash_len == realm_hash_len &&
- 0 == memcmp(cert_hash, realm_hash, cert_hash_len))
- match = TRUE;
- free(cert_hash);
+ kdcPkinitDebug("hash = %s\n", cert_hash);
+ cert_hash_len = strlen(cert_hash);
+ if (cert_hash_len == realm_hash_len &&
+ 0 == memcmp(cert_hash, realm_hash, cert_hash_len))
+ match = TRUE;
+ free(cert_hash);
}
kdcPkinitDebug("result: %s\n", match ? "matches" : "does not match");
return match;
@@ -1255,125 +1256,125 @@ static krb5_error_code pa_pkinit_parse_rep(
krb5_kdc_req *request,
krb5_pa_data *in_padata,
krb5_pa_data **out_padata,
- krb5_data *salt,
+ krb5_data *salt,
krb5_data *s2kparams,
krb5_enctype *etype,
krb5_keyblock *as_key,
- krb5_prompter_fct prompter,
+ krb5_prompter_fct prompter,
void *prompter_data,
- krb5_gic_get_as_key_fct gak_fct,
+ krb5_gic_get_as_key_fct gak_fct,
void *gak_data)
{
- krb5int_cert_sig_status sig_status = (krb5int_cert_sig_status)-999;
- krb5_error_code krtn;
- krb5_data asRep;
- krb5_keyblock local_key = {0};
- krb5_pkinit_signing_cert_t client_cert;
- char *princ_name = NULL;
- krb5_checksum as_req_checksum_rcd = {0}; /* received checksum */
- krb5_checksum as_req_checksum_gen = {0}; /* calculated checksum */
- krb5_data *encoded_as_req = NULL;
- krb5_data signer_cert = {0};
+ krb5int_cert_sig_status sig_status = (krb5int_cert_sig_status)-999;
+ krb5_error_code krtn;
+ krb5_data asRep;
+ krb5_keyblock local_key = {0};
+ krb5_pkinit_signing_cert_t client_cert;
+ char *princ_name = NULL;
+ krb5_checksum as_req_checksum_rcd = {0}; /* received checksum */
+ krb5_checksum as_req_checksum_gen = {0}; /* calculated checksum */
+ krb5_data *encoded_as_req = NULL;
+ krb5_data signer_cert = {0};
*out_padata = NULL;
kdcPkinitDebug("pa_pkinit_parse_rep\n");
if((in_padata == NULL) || (in_padata->length== 0)) {
- kdcPkinitDebug("pa_pkinit_parse_rep: no in_padata\n");
- return KRB5KDC_ERR_PREAUTH_FAILED;
+ kdcPkinitDebug("pa_pkinit_parse_rep: no in_padata\n");
+ return KRB5KDC_ERR_PREAUTH_FAILED;
}
/* If we don't have a client cert, we're done */
if(request->client == NULL) {
- kdcPkinitDebug("No request->client; aborting PKINIT\n");
- return KRB5KDC_ERR_PREAUTH_FAILED;
+ kdcPkinitDebug("No request->client; aborting PKINIT\n");
+ return KRB5KDC_ERR_PREAUTH_FAILED;
}
krtn = krb5_unparse_name(context, request->client, &princ_name);
if(krtn) {
- return krtn;
+ return krtn;
}
krtn = krb5_pkinit_get_client_cert(princ_name, &client_cert);
free(princ_name);
if(krtn) {
- kdcPkinitDebug("No client cert; aborting PKINIT\n");
- return krtn;
+ kdcPkinitDebug("No client cert; aborting PKINIT\n");
+ return krtn;
}
-
+
memset(&local_key, 0, sizeof(local_key));
asRep.data = (char *)in_padata->contents;
asRep.length = in_padata->length;
- krtn = krb5int_pkinit_as_rep_parse(context, &asRep, client_cert,
- &local_key, &as_req_checksum_rcd, &sig_status,
- &signer_cert, NULL, NULL);
+ krtn = krb5int_pkinit_as_rep_parse(context, &asRep, client_cert,
+ &local_key, &as_req_checksum_rcd, &sig_status,
+ &signer_cert, NULL, NULL);
if(krtn) {
- kdcPkinitDebug("pkinit_as_rep_parse returned %d\n", (int)krtn);
- return krtn;
+ kdcPkinitDebug("pkinit_as_rep_parse returned %d\n", (int)krtn);
+ return krtn;
}
switch(sig_status) {
- case pki_cs_good:
- break;
- case pki_cs_unknown_root:
- if (local_kdc_cert_match(context, &signer_cert, request->client))
- break;
- /* FALLTHROUGH */
- default:
- kdcPkinitDebug("pa_pkinit_parse_rep: bad cert/sig status %d\n",
- (int)sig_status);
- krtn = KRB5KDC_ERR_PREAUTH_FAILED;
- goto error_out;
- }
-
- /* calculate checksum of incoming AS-REQ using the decryption key
+ case pki_cs_good:
+ break;
+ case pki_cs_unknown_root:
+ if (local_kdc_cert_match(context, &signer_cert, request->client))
+ break;
+ /* FALLTHROUGH */
+ default:
+ kdcPkinitDebug("pa_pkinit_parse_rep: bad cert/sig status %d\n",
+ (int)sig_status);
+ krtn = KRB5KDC_ERR_PREAUTH_FAILED;
+ goto error_out;
+ }
+
+ /* calculate checksum of incoming AS-REQ using the decryption key
* we just got from the ReplyKeyPack */
krtn = encode_krb5_as_req(request, &encoded_as_req);
if(krtn) {
- goto error_out;
+ goto error_out;
}
- krtn = krb5_c_make_checksum(context, context->kdc_req_sumtype,
- &local_key, KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM,
- encoded_as_req, &as_req_checksum_gen);
+ krtn = krb5_c_make_checksum(context, context->kdc_req_sumtype,
+ &local_key, KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM,
+ encoded_as_req, &as_req_checksum_gen);
if(krtn) {
- goto error_out;
+ goto error_out;
}
if((as_req_checksum_gen.length != as_req_checksum_rcd.length) ||
memcmp(as_req_checksum_gen.contents,
- as_req_checksum_rcd.contents,
- as_req_checksum_gen.length)) {
- kdcPkinitDebug("pa_pkinit_parse_rep: checksum miscompare\n");
- krtn = KRB5KDC_ERR_PREAUTH_FAILED;
- goto error_out;
+ as_req_checksum_rcd.contents,
+ as_req_checksum_gen.length)) {
+ kdcPkinitDebug("pa_pkinit_parse_rep: checksum miscompare\n");
+ krtn = KRB5KDC_ERR_PREAUTH_FAILED;
+ goto error_out;
}
-
+
/* We have the key; transfer to caller */
if (as_key->length) {
- krb5_free_keyblock_contents(context, as_key);
+ krb5_free_keyblock_contents(context, as_key);
}
*as_key = local_key;
-
- #if PKINIT_DEBUG
+
+#if PKINIT_DEBUG
fprintf(stderr, "pa_pkinit_parse_rep: SUCCESS\n");
fprintf(stderr, "enctype %d keylen %d keydata %02x %02x %02x %02x...\n",
- (int)as_key->enctype, (int)as_key->length,
- as_key->contents[0], as_key->contents[1],
- as_key->contents[2], as_key->contents[3]);
- #endif
-
+ (int)as_key->enctype, (int)as_key->length,
+ as_key->contents[0], as_key->contents[1],
+ as_key->contents[2], as_key->contents[3]);
+#endif
+
krtn = 0;
-
+
error_out:
if (signer_cert.data) {
- free(signer_cert.data);
+ free(signer_cert.data);
}
if(as_req_checksum_rcd.contents) {
- free(as_req_checksum_rcd.contents);
+ free(as_req_checksum_rcd.contents);
}
if(as_req_checksum_gen.contents) {
- free(as_req_checksum_gen.contents);
+ free(as_req_checksum_gen.contents);
}
if(encoded_as_req) {
- krb5_free_data(context, encoded_as_req);
+ krb5_free_data(context, encoded_as_req);
}
if(krtn && (local_key.contents != NULL)) {
- krb5_free_keyblock_contents(context, &local_key);
+ krb5_free_keyblock_contents(context, &local_key);
}
return krtn;
}
@@ -1381,329 +1382,329 @@ error_out:
static
krb5_error_code pa_sam_2(krb5_context context,
- krb5_kdc_req *request,
- krb5_pa_data *in_padata,
- krb5_pa_data **out_padata,
- krb5_data *salt,
- krb5_data *s2kparams,
- krb5_enctype *etype,
- krb5_keyblock *as_key,
- krb5_prompter_fct prompter,
- void *prompter_data,
- krb5_gic_get_as_key_fct gak_fct,
- void *gak_data) {
-
- krb5_error_code retval;
- krb5_sam_challenge_2 *sc2 = NULL;
- krb5_sam_challenge_2_body *sc2b = NULL;
- krb5_data tmp_data;
- krb5_data response_data;
- char name[100], banner[100], prompt[100], response[100];
- krb5_prompt kprompt;
- krb5_prompt_type prompt_type;
- krb5_data defsalt;
- krb5_checksum **cksum;
- krb5_data *scratch = NULL;
- krb5_boolean valid_cksum = 0;
- krb5_enc_sam_response_enc_2 enc_sam_response_enc_2;
- krb5_sam_response_2 sr2;
- size_t ciph_len;
- krb5_pa_data *sam_padata;
-
- if (prompter == NULL)
- return KRB5_LIBOS_CANTREADPWD;
-
- tmp_data.length = in_padata->length;
- tmp_data.data = (char *)in_padata->contents;
-
- if ((retval = decode_krb5_sam_challenge_2(&tmp_data, &sc2)))
- return(retval);
-
- retval = decode_krb5_sam_challenge_2_body(&sc2->sam_challenge_2_body, &sc2b);
-
- if (retval) {
- krb5_free_sam_challenge_2(context, sc2);
- return(retval);
- }
-
- if (!sc2->sam_cksum || ! *sc2->sam_cksum) {
- krb5_free_sam_challenge_2(context, sc2);
- krb5_free_sam_challenge_2_body(context, sc2b);
- return(KRB5_SAM_NO_CHECKSUM);
- }
-
- if (sc2b->sam_flags & KRB5_SAM_MUST_PK_ENCRYPT_SAD) {
- krb5_free_sam_challenge_2(context, sc2);
- krb5_free_sam_challenge_2_body(context, sc2b);
- return(KRB5_SAM_UNSUPPORTED);
- }
-
- if (!krb5_c_valid_enctype(sc2b->sam_etype)) {
- krb5_free_sam_challenge_2(context, sc2);
- krb5_free_sam_challenge_2_body(context, sc2b);
- return(KRB5_SAM_INVALID_ETYPE);
- }
-
- /* All of the above error checks are KDC-specific, that is, they */
- /* assume a failure in the KDC reply. By returning anything other */
- /* than KRB5_KDC_UNREACH, KRB5_PREAUTH_FAILED, */
- /* KRB5_LIBOS_PWDINTR, or KRB5_REALM_CANT_RESOLVE, the client will */
- /* most likely go on to try the AS_REQ against master KDC */
-
- if (!(sc2b->sam_flags & KRB5_SAM_USE_SAD_AS_KEY)) {
- /* We will need the password to obtain the key used for */
- /* the checksum, and encryption of the sam_response. */
- /* Go ahead and get it now, preserving the ordering of */
- /* prompts for the user. */
-
- retval = (gak_fct)(context, request->client,
- sc2b->sam_etype, prompter,
- prompter_data, salt, s2kparams, as_key, gak_data);
- if (retval) {
- krb5_free_sam_challenge_2(context, sc2);
- krb5_free_sam_challenge_2_body(context, sc2b);
- return(retval);
- }
- }
-
- snprintf(name, sizeof(name), "%.*s",
- SAMDATA(sc2b->sam_type_name, "SAM Authentication",
- sizeof(name) - 1));
-
- snprintf(banner, sizeof(banner), "%.*s",
- SAMDATA(sc2b->sam_challenge_label,
- sam_challenge_banner(sc2b->sam_type),
- sizeof(banner)-1));
-
- snprintf(prompt, sizeof(prompt), "%s%.*s%s%.*s",
- sc2b->sam_challenge.length?"Challenge is [":"",
- SAMDATA(sc2b->sam_challenge, "", 20),
- sc2b->sam_challenge.length?"], ":"",
- SAMDATA(sc2b->sam_response_prompt, "passcode", 55));
-
- response_data.data = response;
- response_data.length = sizeof(response);
- kprompt.prompt = prompt;
- kprompt.hidden = 1;
- kprompt.reply = &response_data;
-
- prompt_type = KRB5_PROMPT_TYPE_PREAUTH;
- krb5int_set_prompt_types(context, &prompt_type);
-
- if ((retval = ((*prompter)(context, prompter_data, name,
- banner, 1, &kprompt)))) {
- krb5_free_sam_challenge_2(context, sc2);
- krb5_free_sam_challenge_2_body(context, sc2b);
- krb5int_set_prompt_types(context, 0);
- return(retval);
- }
-
- krb5int_set_prompt_types(context, (krb5_prompt_type *)NULL);
-
- /* Generate salt used by string_to_key() */
- if ((salt->length == -1) && (salt->data == NULL)) {
- if ((retval =
- krb5_principal2salt(context, request->client, &defsalt))) {
- krb5_free_sam_challenge_2(context, sc2);
- krb5_free_sam_challenge_2_body(context, sc2b);
- return(retval);
- }
- salt = &defsalt;
- } else {
- defsalt.length = 0;
- }
-
- /* Get encryption key to be used for checksum and sam_response */
- if (!(sc2b->sam_flags & KRB5_SAM_USE_SAD_AS_KEY)) {
- /* as_key = string_to_key(password) */
-
- if (as_key->length) {
- krb5_free_keyblock_contents(context, as_key);
- as_key->length = 0;
- }
-
- /* generate a key using the supplied password */
- retval = krb5_c_string_to_key(context, sc2b->sam_etype,
- (krb5_data *)gak_data, salt, as_key);
+ krb5_kdc_req *request,
+ krb5_pa_data *in_padata,
+ krb5_pa_data **out_padata,
+ krb5_data *salt,
+ krb5_data *s2kparams,
+ krb5_enctype *etype,
+ krb5_keyblock *as_key,
+ krb5_prompter_fct prompter,
+ void *prompter_data,
+ krb5_gic_get_as_key_fct gak_fct,
+ void *gak_data) {
- if (retval) {
- krb5_free_sam_challenge_2(context, sc2);
- krb5_free_sam_challenge_2_body(context, sc2b);
- if (defsalt.length) free(defsalt.data);
- return(retval);
- }
-
- if (!(sc2b->sam_flags & KRB5_SAM_SEND_ENCRYPTED_SAD)) {
- /* as_key = combine_key (as_key, string_to_key(SAD)) */
- krb5_keyblock tmp_kb;
-
- retval = krb5_c_string_to_key(context, sc2b->sam_etype,
- &response_data, salt, &tmp_kb);
-
- if (retval) {
- krb5_free_sam_challenge_2(context, sc2);
- krb5_free_sam_challenge_2_body(context, sc2b);
- if (defsalt.length) free(defsalt.data);
- return(retval);
- }
-
- /* This should be a call to the crypto library some day */
- /* key types should already match the sam_etype */
- retval = krb5int_c_combine_keys(context, as_key, &tmp_kb, as_key);
-
- if (retval) {
- krb5_free_sam_challenge_2(context, sc2);
- krb5_free_sam_challenge_2_body(context, sc2b);
- if (defsalt.length) free(defsalt.data);
- return(retval);
- }
- krb5_free_keyblock_contents(context, &tmp_kb);
- }
-
- if (defsalt.length)
- free(defsalt.data);
-
- } else {
- /* as_key = string_to_key(SAD) */
-
- if (as_key->length) {
- krb5_free_keyblock_contents(context, as_key);
- as_key->length = 0;
- }
-
- /* generate a key using the supplied password */
- retval = krb5_c_string_to_key(context, sc2b->sam_etype,
- &response_data, salt, as_key);
-
- if (defsalt.length)
- free(defsalt.data);
-
- if (retval) {
- krb5_free_sam_challenge_2(context, sc2);
- krb5_free_sam_challenge_2_body(context, sc2b);
- return(retval);
- }
- }
-
- /* Now we have a key, verify the checksum on the sam_challenge */
-
- cksum = sc2->sam_cksum;
-
- while (*cksum) {
- /* Check this cksum */
- retval = krb5_c_verify_checksum(context, as_key,
- KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM,
- &sc2->sam_challenge_2_body,
- *cksum, &valid_cksum);
- if (retval) {
- krb5_free_data(context, scratch);
- krb5_free_sam_challenge_2(context, sc2);
- krb5_free_sam_challenge_2_body(context, sc2b);
- return(retval);
- }
- if (valid_cksum)
- break;
- cksum++;
- }
-
- if (!valid_cksum) {
- krb5_free_sam_challenge_2(context, sc2);
- krb5_free_sam_challenge_2_body(context, sc2b);
- /*
- * Note: We return AP_ERR_BAD_INTEGRITY so upper-level applications
- * can interpret that as "password incorrect", which is probably
- * the best error we can return in this situation.
- */
- return(KRB5KRB_AP_ERR_BAD_INTEGRITY);
- }
-
- /* fill in enc_sam_response_enc_2 */
- enc_sam_response_enc_2.magic = KV5M_ENC_SAM_RESPONSE_ENC_2;
- enc_sam_response_enc_2.sam_nonce = sc2b->sam_nonce;
- if (sc2b->sam_flags & KRB5_SAM_SEND_ENCRYPTED_SAD) {
- enc_sam_response_enc_2.sam_sad = response_data;
- } else {
- enc_sam_response_enc_2.sam_sad.data = NULL;
- enc_sam_response_enc_2.sam_sad.length = 0;
- }
-
- /* encode and encrypt enc_sam_response_enc_2 with as_key */
- retval = encode_krb5_enc_sam_response_enc_2(&enc_sam_response_enc_2,
- &scratch);
- if (retval) {
- krb5_free_sam_challenge_2(context, sc2);
- krb5_free_sam_challenge_2_body(context, sc2b);
- return(retval);
- }
-
- /* Fill in sam_response_2 */
- memset(&sr2, 0, sizeof(sr2));
- sr2.sam_type = sc2b->sam_type;
- sr2.sam_flags = sc2b->sam_flags;
- sr2.sam_track_id = sc2b->sam_track_id;
- sr2.sam_nonce = sc2b->sam_nonce;
-
- /* Now take care of sr2.sam_enc_nonce_or_sad by encrypting encoded */
- /* enc_sam_response_enc_2 from above */
-
- retval = krb5_c_encrypt_length(context, as_key->enctype, scratch->length,
- &ciph_len);
- if (retval) {
- krb5_free_sam_challenge_2(context, sc2);
- krb5_free_sam_challenge_2_body(context, sc2b);
- krb5_free_data(context, scratch);
- return(retval);
- }
- sr2.sam_enc_nonce_or_sad.ciphertext.length = ciph_len;
-
- sr2.sam_enc_nonce_or_sad.ciphertext.data =
- (char *)malloc(sr2.sam_enc_nonce_or_sad.ciphertext.length);
-
- if (!sr2.sam_enc_nonce_or_sad.ciphertext.data) {
- krb5_free_sam_challenge_2(context, sc2);
- krb5_free_sam_challenge_2_body(context, sc2b);
- krb5_free_data(context, scratch);
- return(ENOMEM);
- }
-
- retval = krb5_c_encrypt(context, as_key, KRB5_KEYUSAGE_PA_SAM_RESPONSE,
- NULL, scratch, &sr2.sam_enc_nonce_or_sad);
- if (retval) {
- krb5_free_sam_challenge_2(context, sc2);
- krb5_free_sam_challenge_2_body(context, sc2b);
- krb5_free_data(context, scratch);
- krb5_free_data_contents(context, &sr2.sam_enc_nonce_or_sad.ciphertext);
- return(retval);
- }
- krb5_free_data(context, scratch);
- scratch = NULL;
-
- /* Encode the sam_response_2 */
- retval = encode_krb5_sam_response_2(&sr2, &scratch);
- krb5_free_sam_challenge_2(context, sc2);
- krb5_free_sam_challenge_2_body(context, sc2b);
- krb5_free_data_contents(context, &sr2.sam_enc_nonce_or_sad.ciphertext);
-
- if (retval) {
- return (retval);
- }
-
- /* Almost there, just need to make padata ! */
- sam_padata = malloc(sizeof(krb5_pa_data));
- if (sam_padata == NULL) {
- krb5_free_data(context, scratch);
- return(ENOMEM);
- }
-
- sam_padata->magic = KV5M_PA_DATA;
- sam_padata->pa_type = KRB5_PADATA_SAM_RESPONSE_2;
- sam_padata->length = scratch->length;
- sam_padata->contents = (krb5_octet *) scratch->data;
- free(scratch);
-
- *out_padata = sam_padata;
-
- return(0);
+ krb5_error_code retval;
+ krb5_sam_challenge_2 *sc2 = NULL;
+ krb5_sam_challenge_2_body *sc2b = NULL;
+ krb5_data tmp_data;
+ krb5_data response_data;
+ char name[100], banner[100], prompt[100], response[100];
+ krb5_prompt kprompt;
+ krb5_prompt_type prompt_type;
+ krb5_data defsalt;
+ krb5_checksum **cksum;
+ krb5_data *scratch = NULL;
+ krb5_boolean valid_cksum = 0;
+ krb5_enc_sam_response_enc_2 enc_sam_response_enc_2;
+ krb5_sam_response_2 sr2;
+ size_t ciph_len;
+ krb5_pa_data *sam_padata;
+
+ if (prompter == NULL)
+ return KRB5_LIBOS_CANTREADPWD;
+
+ tmp_data.length = in_padata->length;
+ tmp_data.data = (char *)in_padata->contents;
+
+ if ((retval = decode_krb5_sam_challenge_2(&tmp_data, &sc2)))
+ return(retval);
+
+ retval = decode_krb5_sam_challenge_2_body(&sc2->sam_challenge_2_body, &sc2b);
+
+ if (retval) {
+ krb5_free_sam_challenge_2(context, sc2);
+ return(retval);
+ }
+
+ if (!sc2->sam_cksum || ! *sc2->sam_cksum) {
+ krb5_free_sam_challenge_2(context, sc2);
+ krb5_free_sam_challenge_2_body(context, sc2b);
+ return(KRB5_SAM_NO_CHECKSUM);
+ }
+
+ if (sc2b->sam_flags & KRB5_SAM_MUST_PK_ENCRYPT_SAD) {
+ krb5_free_sam_challenge_2(context, sc2);
+ krb5_free_sam_challenge_2_body(context, sc2b);
+ return(KRB5_SAM_UNSUPPORTED);
+ }
+
+ if (!krb5_c_valid_enctype(sc2b->sam_etype)) {
+ krb5_free_sam_challenge_2(context, sc2);
+ krb5_free_sam_challenge_2_body(context, sc2b);
+ return(KRB5_SAM_INVALID_ETYPE);
+ }
+
+ /* All of the above error checks are KDC-specific, that is, they */
+ /* assume a failure in the KDC reply. By returning anything other */
+ /* than KRB5_KDC_UNREACH, KRB5_PREAUTH_FAILED, */
+ /* KRB5_LIBOS_PWDINTR, or KRB5_REALM_CANT_RESOLVE, the client will */
+ /* most likely go on to try the AS_REQ against master KDC */
+
+ if (!(sc2b->sam_flags & KRB5_SAM_USE_SAD_AS_KEY)) {
+ /* We will need the password to obtain the key used for */
+ /* the checksum, and encryption of the sam_response. */
+ /* Go ahead and get it now, preserving the ordering of */
+ /* prompts for the user. */
+
+ retval = (gak_fct)(context, request->client,
+ sc2b->sam_etype, prompter,
+ prompter_data, salt, s2kparams, as_key, gak_data);
+ if (retval) {
+ krb5_free_sam_challenge_2(context, sc2);
+ krb5_free_sam_challenge_2_body(context, sc2b);
+ return(retval);
+ }
+ }
+
+ snprintf(name, sizeof(name), "%.*s",
+ SAMDATA(sc2b->sam_type_name, "SAM Authentication",
+ sizeof(name) - 1));
+
+ snprintf(banner, sizeof(banner), "%.*s",
+ SAMDATA(sc2b->sam_challenge_label,
+ sam_challenge_banner(sc2b->sam_type),
+ sizeof(banner)-1));
+
+ snprintf(prompt, sizeof(prompt), "%s%.*s%s%.*s",
+ sc2b->sam_challenge.length?"Challenge is [":"",
+ SAMDATA(sc2b->sam_challenge, "", 20),
+ sc2b->sam_challenge.length?"], ":"",
+ SAMDATA(sc2b->sam_response_prompt, "passcode", 55));
+
+ response_data.data = response;
+ response_data.length = sizeof(response);
+ kprompt.prompt = prompt;
+ kprompt.hidden = 1;
+ kprompt.reply = &response_data;
+
+ prompt_type = KRB5_PROMPT_TYPE_PREAUTH;
+ krb5int_set_prompt_types(context, &prompt_type);
+
+ if ((retval = ((*prompter)(context, prompter_data, name,
+ banner, 1, &kprompt)))) {
+ krb5_free_sam_challenge_2(context, sc2);
+ krb5_free_sam_challenge_2_body(context, sc2b);
+ krb5int_set_prompt_types(context, 0);
+ return(retval);
+ }
+
+ krb5int_set_prompt_types(context, (krb5_prompt_type *)NULL);
+
+ /* Generate salt used by string_to_key() */
+ if ((salt->length == -1) && (salt->data == NULL)) {
+ if ((retval =
+ krb5_principal2salt(context, request->client, &defsalt))) {
+ krb5_free_sam_challenge_2(context, sc2);
+ krb5_free_sam_challenge_2_body(context, sc2b);
+ return(retval);
+ }
+ salt = &defsalt;
+ } else {
+ defsalt.length = 0;
+ }
+
+ /* Get encryption key to be used for checksum and sam_response */
+ if (!(sc2b->sam_flags & KRB5_SAM_USE_SAD_AS_KEY)) {
+ /* as_key = string_to_key(password) */
+
+ if (as_key->length) {
+ krb5_free_keyblock_contents(context, as_key);
+ as_key->length = 0;
+ }
+
+ /* generate a key using the supplied password */
+ retval = krb5_c_string_to_key(context, sc2b->sam_etype,
+ (krb5_data *)gak_data, salt, as_key);
+
+ if (retval) {
+ krb5_free_sam_challenge_2(context, sc2);
+ krb5_free_sam_challenge_2_body(context, sc2b);
+ if (defsalt.length) free(defsalt.data);
+ return(retval);
+ }
+
+ if (!(sc2b->sam_flags & KRB5_SAM_SEND_ENCRYPTED_SAD)) {
+ /* as_key = combine_key (as_key, string_to_key(SAD)) */
+ krb5_keyblock tmp_kb;
+
+ retval = krb5_c_string_to_key(context, sc2b->sam_etype,
+ &response_data, salt, &tmp_kb);
+
+ if (retval) {
+ krb5_free_sam_challenge_2(context, sc2);
+ krb5_free_sam_challenge_2_body(context, sc2b);
+ if (defsalt.length) free(defsalt.data);
+ return(retval);
+ }
+
+ /* This should be a call to the crypto library some day */
+ /* key types should already match the sam_etype */
+ retval = krb5int_c_combine_keys(context, as_key, &tmp_kb, as_key);
+
+ if (retval) {
+ krb5_free_sam_challenge_2(context, sc2);
+ krb5_free_sam_challenge_2_body(context, sc2b);
+ if (defsalt.length) free(defsalt.data);
+ return(retval);
+ }
+ krb5_free_keyblock_contents(context, &tmp_kb);
+ }
+
+ if (defsalt.length)
+ free(defsalt.data);
+
+ } else {
+ /* as_key = string_to_key(SAD) */
+
+ if (as_key->length) {
+ krb5_free_keyblock_contents(context, as_key);
+ as_key->length = 0;
+ }
+
+ /* generate a key using the supplied password */
+ retval = krb5_c_string_to_key(context, sc2b->sam_etype,
+ &response_data, salt, as_key);
+
+ if (defsalt.length)
+ free(defsalt.data);
+
+ if (retval) {
+ krb5_free_sam_challenge_2(context, sc2);
+ krb5_free_sam_challenge_2_body(context, sc2b);
+ return(retval);
+ }
+ }
+
+ /* Now we have a key, verify the checksum on the sam_challenge */
+
+ cksum = sc2->sam_cksum;
+
+ while (*cksum) {
+ /* Check this cksum */
+ retval = krb5_c_verify_checksum(context, as_key,
+ KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM,
+ &sc2->sam_challenge_2_body,
+ *cksum, &valid_cksum);
+ if (retval) {
+ krb5_free_data(context, scratch);
+ krb5_free_sam_challenge_2(context, sc2);
+ krb5_free_sam_challenge_2_body(context, sc2b);
+ return(retval);
+ }
+ if (valid_cksum)
+ break;
+ cksum++;
+ }
+
+ if (!valid_cksum) {
+ krb5_free_sam_challenge_2(context, sc2);
+ krb5_free_sam_challenge_2_body(context, sc2b);
+ /*
+ * Note: We return AP_ERR_BAD_INTEGRITY so upper-level applications
+ * can interpret that as "password incorrect", which is probably
+ * the best error we can return in this situation.
+ */
+ return(KRB5KRB_AP_ERR_BAD_INTEGRITY);
+ }
+
+ /* fill in enc_sam_response_enc_2 */
+ enc_sam_response_enc_2.magic = KV5M_ENC_SAM_RESPONSE_ENC_2;
+ enc_sam_response_enc_2.sam_nonce = sc2b->sam_nonce;
+ if (sc2b->sam_flags & KRB5_SAM_SEND_ENCRYPTED_SAD) {
+ enc_sam_response_enc_2.sam_sad = response_data;
+ } else {
+ enc_sam_response_enc_2.sam_sad.data = NULL;
+ enc_sam_response_enc_2.sam_sad.length = 0;
+ }
+
+ /* encode and encrypt enc_sam_response_enc_2 with as_key */
+ retval = encode_krb5_enc_sam_response_enc_2(&enc_sam_response_enc_2,
+ &scratch);
+ if (retval) {
+ krb5_free_sam_challenge_2(context, sc2);
+ krb5_free_sam_challenge_2_body(context, sc2b);
+ return(retval);
+ }
+
+ /* Fill in sam_response_2 */
+ memset(&sr2, 0, sizeof(sr2));
+ sr2.sam_type = sc2b->sam_type;
+ sr2.sam_flags = sc2b->sam_flags;
+ sr2.sam_track_id = sc2b->sam_track_id;
+ sr2.sam_nonce = sc2b->sam_nonce;
+
+ /* Now take care of sr2.sam_enc_nonce_or_sad by encrypting encoded */
+ /* enc_sam_response_enc_2 from above */
+
+ retval = krb5_c_encrypt_length(context, as_key->enctype, scratch->length,
+ &ciph_len);
+ if (retval) {
+ krb5_free_sam_challenge_2(context, sc2);
+ krb5_free_sam_challenge_2_body(context, sc2b);
+ krb5_free_data(context, scratch);
+ return(retval);
+ }
+ sr2.sam_enc_nonce_or_sad.ciphertext.length = ciph_len;
+
+ sr2.sam_enc_nonce_or_sad.ciphertext.data =
+ (char *)malloc(sr2.sam_enc_nonce_or_sad.ciphertext.length);
+
+ if (!sr2.sam_enc_nonce_or_sad.ciphertext.data) {
+ krb5_free_sam_challenge_2(context, sc2);
+ krb5_free_sam_challenge_2_body(context, sc2b);
+ krb5_free_data(context, scratch);
+ return(ENOMEM);
+ }
+
+ retval = krb5_c_encrypt(context, as_key, KRB5_KEYUSAGE_PA_SAM_RESPONSE,
+ NULL, scratch, &sr2.sam_enc_nonce_or_sad);
+ if (retval) {
+ krb5_free_sam_challenge_2(context, sc2);
+ krb5_free_sam_challenge_2_body(context, sc2b);
+ krb5_free_data(context, scratch);
+ krb5_free_data_contents(context, &sr2.sam_enc_nonce_or_sad.ciphertext);
+ return(retval);
+ }
+ krb5_free_data(context, scratch);
+ scratch = NULL;
+
+ /* Encode the sam_response_2 */
+ retval = encode_krb5_sam_response_2(&sr2, &scratch);
+ krb5_free_sam_challenge_2(context, sc2);
+ krb5_free_sam_challenge_2_body(context, sc2b);
+ krb5_free_data_contents(context, &sr2.sam_enc_nonce_or_sad.ciphertext);
+
+ if (retval) {
+ return (retval);
+ }
+
+ /* Almost there, just need to make padata ! */
+ sam_padata = malloc(sizeof(krb5_pa_data));
+ if (sam_padata == NULL) {
+ krb5_free_data(context, scratch);
+ return(ENOMEM);
+ }
+
+ sam_padata->magic = KV5M_PA_DATA;
+ sam_padata->pa_type = KRB5_PADATA_SAM_RESPONSE_2;
+ sam_padata->length = scratch->length;
+ sam_padata->contents = (krb5_octet *) scratch->data;
+ free(scratch);
+
+ *out_padata = sam_padata;
+
+ return(0);
}
static krb5_error_code pa_s4u_x509_user(
@@ -1728,32 +1729,32 @@ static krb5_error_code pa_s4u_x509_user(
*out_padata = NULL;
if (userid == NULL)
- return EINVAL;
+ return EINVAL;
code = krb5_copy_principal(context, request->client, &client);
if (code != 0)
- return code;
+ return code;
if (userid->user != NULL)
- krb5_free_principal(context, userid->user);
+ krb5_free_principal(context, userid->user);
userid->user = client;
if (userid->subject_cert.length != 0) {
- s4u_padata = malloc(sizeof(*s4u_padata));
- if (s4u_padata == NULL)
- return ENOMEM;
+ s4u_padata = malloc(sizeof(*s4u_padata));
+ if (s4u_padata == NULL)
+ return ENOMEM;
- s4u_padata->magic = KV5M_PA_DATA;
- s4u_padata->pa_type = KRB5_PADATA_S4U_X509_USER;
- s4u_padata->contents = malloc(userid->subject_cert.length);
- if (s4u_padata->contents == NULL) {
- free(s4u_padata);
- return ENOMEM;
- }
- memcpy(s4u_padata->contents, userid->subject_cert.data, userid->subject_cert.length);
- s4u_padata->length = userid->subject_cert.length;
+ s4u_padata->magic = KV5M_PA_DATA;
+ s4u_padata->pa_type = KRB5_PADATA_S4U_X509_USER;
+ s4u_padata->contents = malloc(userid->subject_cert.length);
+ if (s4u_padata->contents == NULL) {
+ free(s4u_padata);
+ return ENOMEM;
+ }
+ memcpy(s4u_padata->contents, userid->subject_cert.data, userid->subject_cert.length);
+ s4u_padata->length = userid->subject_cert.length;
- *out_padata = s4u_padata;
+ *out_padata = s4u_padata;
}
return 0;
@@ -1762,56 +1763,56 @@ static krb5_error_code pa_s4u_x509_user(
/* FIXME - order significant? */
static const pa_types_t pa_types[] = {
{
- KRB5_PADATA_PW_SALT,
- pa_salt,
- PA_INFO,
+ KRB5_PADATA_PW_SALT,
+ pa_salt,
+ PA_INFO,
},
{
- KRB5_PADATA_AFS3_SALT,
- pa_salt,
- PA_INFO,
+ KRB5_PADATA_AFS3_SALT,
+ pa_salt,
+ PA_INFO,
},
#if APPLE_PKINIT
{
- KRB5_PADATA_PK_AS_REQ,
- pa_pkinit_gen_req,
- PA_INFO,
+ KRB5_PADATA_PK_AS_REQ,
+ pa_pkinit_gen_req,
+ PA_INFO,
},
{
- KRB5_PADATA_PK_AS_REP,
- pa_pkinit_parse_rep,
- PA_REAL,
+ KRB5_PADATA_PK_AS_REP,
+ pa_pkinit_parse_rep,
+ PA_REAL,
},
#endif /* APPLE_PKINIT */
{
- KRB5_PADATA_ENC_TIMESTAMP,
- pa_enc_timestamp,
- PA_REAL,
+ KRB5_PADATA_ENC_TIMESTAMP,
+ pa_enc_timestamp,
+ PA_REAL,
},
{
- KRB5_PADATA_SAM_CHALLENGE_2,
- pa_sam_2,
- PA_REAL,
+ KRB5_PADATA_SAM_CHALLENGE_2,
+ pa_sam_2,
+ PA_REAL,
},
{
- KRB5_PADATA_SAM_CHALLENGE,
- pa_sam,
- PA_REAL,
+ KRB5_PADATA_SAM_CHALLENGE,
+ pa_sam,
+ PA_REAL,
},
{
- KRB5_PADATA_FX_COOKIE,
- pa_fx_cookie,
- PA_INFO,
+ KRB5_PADATA_FX_COOKIE,
+ pa_fx_cookie,
+ PA_INFO,
},
{
- KRB5_PADATA_S4U_X509_USER,
- pa_s4u_x509_user,
- PA_INFO,
+ KRB5_PADATA_S4U_X509_USER,
+ pa_s4u_x509_user,
+ PA_INFO,
},
{
- -1,
- NULL,
- 0,
+ -1,
+ NULL,
+ 0,
},
};
@@ -1822,19 +1823,19 @@ static const pa_types_t pa_types[] = {
*/
krb5_error_code KRB5_CALLCONV
krb5_do_preauth_tryagain(krb5_context kcontext,
- krb5_kdc_req *request,
- krb5_data *encoded_request_body,
- krb5_data *encoded_previous_request,
- krb5_pa_data **padata,
- krb5_pa_data ***return_padata,
- krb5_error *err_reply,
- krb5_data *salt, krb5_data *s2kparams,
- krb5_enctype *etype,
- krb5_keyblock *as_key,
- krb5_prompter_fct prompter, void *prompter_data,
- krb5_gic_get_as_key_fct gak_fct, void *gak_data,
- krb5_preauth_client_rock *get_data_rock,
- krb5_gic_opt_ext *opte)
+ krb5_kdc_req *request,
+ krb5_data *encoded_request_body,
+ krb5_data *encoded_previous_request,
+ krb5_pa_data **padata,
+ krb5_pa_data ***return_padata,
+ krb5_error *err_reply,
+ krb5_data *salt, krb5_data *s2kparams,
+ krb5_enctype *etype,
+ krb5_keyblock *as_key,
+ krb5_prompter_fct prompter, void *prompter_data,
+ krb5_gic_get_as_key_fct gak_fct, void *gak_data,
+ krb5_preauth_client_rock *get_data_rock,
+ krb5_gic_opt_ext *opte)
{
krb5_error_code ret;
krb5_pa_data **out_padata;
@@ -1845,65 +1846,65 @@ krb5_do_preauth_tryagain(krb5_context kcontext,
ret = KRB5KRB_ERR_GENERIC;
if (kcontext->preauth_context == NULL) {
- return KRB5KRB_ERR_GENERIC;
+ return KRB5KRB_ERR_GENERIC;
}
context = kcontext->preauth_context;
if (context == NULL) {
- return KRB5KRB_ERR_GENERIC;
+ return KRB5KRB_ERR_GENERIC;
}
for (i = 0; padata[i] != NULL && padata[i]->pa_type != 0; i++) {
- out_padata = NULL;
- for (j = 0; j < context->n_modules; j++) {
- module = &context->modules[j];
- if (module->pa_type != padata[i]->pa_type) {
- continue;
- }
- if (module->client_tryagain == NULL) {
- continue;
- }
- if ((*module->client_tryagain)(kcontext,
- module->plugin_context,
- *module->request_context_pp,
- (krb5_get_init_creds_opt *)opte,
- client_data_proc,
- get_data_rock,
- request,
- encoded_request_body,
- encoded_previous_request,
- padata[i],
- err_reply,
- prompter, prompter_data,
- gak_fct, gak_data, salt, s2kparams,
- as_key,
- &out_padata) == 0) {
- if (out_padata != NULL) {
- int k;
- for (k = 0; out_padata[k] != NULL; k++);
- grow_pa_list(return_padata, &out_pa_list_size,
- out_padata, k);
- free(out_padata);
- return 0;
- }
- }
- }
+ out_padata = NULL;
+ for (j = 0; j < context->n_modules; j++) {
+ module = &context->modules[j];
+ if (module->pa_type != padata[i]->pa_type) {
+ continue;
+ }
+ if (module->client_tryagain == NULL) {
+ continue;
+ }
+ if ((*module->client_tryagain)(kcontext,
+ module->plugin_context,
+ *module->request_context_pp,
+ (krb5_get_init_creds_opt *)opte,
+ client_data_proc,
+ get_data_rock,
+ request,
+ encoded_request_body,
+ encoded_previous_request,
+ padata[i],
+ err_reply,
+ prompter, prompter_data,
+ gak_fct, gak_data, salt, s2kparams,
+ as_key,
+ &out_padata) == 0) {
+ if (out_padata != NULL) {
+ int k;
+ for (k = 0; out_padata[k] != NULL; k++);
+ grow_pa_list(return_padata, &out_pa_list_size,
+ out_padata, k);
+ free(out_padata);
+ return 0;
+ }
+ }
+ }
}
return ret;
}
krb5_error_code KRB5_CALLCONV
krb5_do_preauth(krb5_context context,
- krb5_kdc_req *request,
- krb5_data *encoded_request_body,
- krb5_data *encoded_previous_request,
- krb5_pa_data **in_padata, krb5_pa_data ***out_padata,
- krb5_data *salt, krb5_data *s2kparams,
- krb5_enctype *etype,
- krb5_keyblock *as_key,
- krb5_prompter_fct prompter, void *prompter_data,
- krb5_gic_get_as_key_fct gak_fct, void *gak_data,
- krb5_preauth_client_rock *get_data_rock,
- krb5_gic_opt_ext *opte)
+ krb5_kdc_req *request,
+ krb5_data *encoded_request_body,
+ krb5_data *encoded_previous_request,
+ krb5_pa_data **in_padata, krb5_pa_data ***out_padata,
+ krb5_data *salt, krb5_data *s2kparams,
+ krb5_enctype *etype,
+ krb5_keyblock *as_key,
+ krb5_prompter_fct prompter, void *prompter_data,
+ krb5_gic_get_as_key_fct gak_fct, void *gak_data,
+ krb5_preauth_client_rock *get_data_rock,
+ krb5_gic_opt_ext *opte)
{
unsigned int h;
int i, j, out_pa_list_size;
@@ -1916,17 +1917,17 @@ krb5_do_preauth(krb5_context context,
int realdone;
if (in_padata == NULL) {
- *out_padata = NULL;
- return(0);
+ *out_padata = NULL;
+ return(0);
}
#ifdef DEBUG
fprintf (stderr, "salt len=%d", (int) salt->length);
if ((int) salt->length > 0)
- fprintf (stderr, " '%.*s'", salt->length, salt->data);
+ fprintf (stderr, " '%.*s'", salt->length, salt->data);
fprintf (stderr, "; preauth data types:");
for (i = 0; in_padata[i]; i++) {
- fprintf (stderr, " %d", in_padata[i]->pa_type);
+ fprintf (stderr, " %d", in_padata[i]->pa_type);
}
fprintf (stderr, "\n");
#endif
@@ -1937,202 +1938,202 @@ krb5_do_preauth(krb5_context context,
/* first do all the informational preauths, then the first real one */
for (h=0; h<(sizeof(paorder)/sizeof(paorder[0])); h++) {
- realdone = 0;
- for (i=0; in_padata[i] && !realdone; i++) {
- int k, l, etype_found, valid_etype_found;
- /*
- * This is really gross, but is necessary to prevent
- * lossage when talking to a 1.0.x KDC, which returns an
- * erroneous PA-PW-SALT when it returns a KRB-ERROR
- * requiring additional preauth.
- */
- switch (in_padata[i]->pa_type) {
- case KRB5_PADATA_ETYPE_INFO:
- case KRB5_PADATA_ETYPE_INFO2:
- {
- krb5_preauthtype pa_type = in_padata[i]->pa_type;
- if (etype_info) {
- if (seen_etype_info2 || pa_type != KRB5_PADATA_ETYPE_INFO2)
- continue;
- if (pa_type == KRB5_PADATA_ETYPE_INFO2) {
- krb5_free_etype_info( context, etype_info);
- etype_info = NULL;
- }
- }
-
- scratch.length = in_padata[i]->length;
- scratch.data = (char *) in_padata[i]->contents;
- if (pa_type == KRB5_PADATA_ETYPE_INFO2) {
- seen_etype_info2++;
- ret = decode_krb5_etype_info2(&scratch, &etype_info);
- }
- else ret = decode_krb5_etype_info(&scratch, &etype_info);
- if (ret) {
- ret = 0; /*Ignore error and etype_info element*/
- if (etype_info)
- krb5_free_etype_info( context, etype_info);
- etype_info = NULL;
- continue;
- }
- if (etype_info[0] == NULL) {
- krb5_free_etype_info(context, etype_info);
- etype_info = NULL;
- break;
- }
- /*
- * Select first etype in our request which is also in
- * etype-info (preferring client request ktype order).
- */
- for (etype_found = 0, valid_etype_found = 0, k = 0;
- !etype_found && k < request->nktypes; k++) {
- for (l = 0; etype_info[l]; l++) {
- if (etype_info[l]->etype == request->ktype[k]) {
- etype_found++;
- break;
- }
- /* check if program has support for this etype for more
- * precise error reporting.
- */
- if (krb5_c_valid_enctype(etype_info[l]->etype))
- valid_etype_found++;
- }
- }
- if (!etype_found) {
- if (valid_etype_found) {
- /* supported enctype but not requested */
- ret = KRB5_CONFIG_ETYPE_NOSUPP;
- goto cleanup;
- }
- else {
- /* unsupported enctype */
- ret = KRB5_PROG_ETYPE_NOSUPP;
- goto cleanup;
- }
-
- }
- scratch.data = (char *) etype_info[l]->salt;
- scratch.length = etype_info[l]->length;
- krb5_free_data_contents(context, salt);
- if (scratch.length == KRB5_ETYPE_NO_SALT)
- salt->data = NULL;
- else
- if ((ret = krb5int_copy_data_contents( context, &scratch, salt)) != 0)
- goto cleanup;
- *etype = etype_info[l]->etype;
- krb5_free_data_contents(context, s2kparams);
- if ((ret = krb5int_copy_data_contents(context,
- &etype_info[l]->s2kparams,
- s2kparams)) != 0)
- goto cleanup;
+ realdone = 0;
+ for (i=0; in_padata[i] && !realdone; i++) {
+ int k, l, etype_found, valid_etype_found;
+ /*
+ * This is really gross, but is necessary to prevent
+ * lossage when talking to a 1.0.x KDC, which returns an
+ * erroneous PA-PW-SALT when it returns a KRB-ERROR
+ * requiring additional preauth.
+ */
+ switch (in_padata[i]->pa_type) {
+ case KRB5_PADATA_ETYPE_INFO:
+ case KRB5_PADATA_ETYPE_INFO2:
+ {
+ krb5_preauthtype pa_type = in_padata[i]->pa_type;
+ if (etype_info) {
+ if (seen_etype_info2 || pa_type != KRB5_PADATA_ETYPE_INFO2)
+ continue;
+ if (pa_type == KRB5_PADATA_ETYPE_INFO2) {
+ krb5_free_etype_info( context, etype_info);
+ etype_info = NULL;
+ }
+ }
+
+ scratch.length = in_padata[i]->length;
+ scratch.data = (char *) in_padata[i]->contents;
+ if (pa_type == KRB5_PADATA_ETYPE_INFO2) {
+ seen_etype_info2++;
+ ret = decode_krb5_etype_info2(&scratch, &etype_info);
+ }
+ else ret = decode_krb5_etype_info(&scratch, &etype_info);
+ if (ret) {
+ ret = 0; /*Ignore error and etype_info element*/
+ if (etype_info)
+ krb5_free_etype_info( context, etype_info);
+ etype_info = NULL;
+ continue;
+ }
+ if (etype_info[0] == NULL) {
+ krb5_free_etype_info(context, etype_info);
+ etype_info = NULL;
+ break;
+ }
+ /*
+ * Select first etype in our request which is also in
+ * etype-info (preferring client request ktype order).
+ */
+ for (etype_found = 0, valid_etype_found = 0, k = 0;
+ !etype_found && k < request->nktypes; k++) {
+ for (l = 0; etype_info[l]; l++) {
+ if (etype_info[l]->etype == request->ktype[k]) {
+ etype_found++;
+ break;
+ }
+ /* check if program has support for this etype for more
+ * precise error reporting.
+ */
+ if (krb5_c_valid_enctype(etype_info[l]->etype))
+ valid_etype_found++;
+ }
+ }
+ if (!etype_found) {
+ if (valid_etype_found) {
+ /* supported enctype but not requested */
+ ret = KRB5_CONFIG_ETYPE_NOSUPP;
+ goto cleanup;
+ }
+ else {
+ /* unsupported enctype */
+ ret = KRB5_PROG_ETYPE_NOSUPP;
+ goto cleanup;
+ }
+
+ }
+ scratch.data = (char *) etype_info[l]->salt;
+ scratch.length = etype_info[l]->length;
+ krb5_free_data_contents(context, salt);
+ if (scratch.length == KRB5_ETYPE_NO_SALT)
+ salt->data = NULL;
+ else
+ if ((ret = krb5int_copy_data_contents( context, &scratch, salt)) != 0)
+ goto cleanup;
+ *etype = etype_info[l]->etype;
+ krb5_free_data_contents(context, s2kparams);
+ if ((ret = krb5int_copy_data_contents(context,
+ &etype_info[l]->s2kparams,
+ s2kparams)) != 0)
+ goto cleanup;
#ifdef DEBUG
- for (j = 0; etype_info[j]; j++) {
- krb5_etype_info_entry *e = etype_info[j];
- fprintf (stderr, "etype info %d: etype %d salt len=%d",
- j, e->etype, e->length);
- if (e->length > 0 && e->length != KRB5_ETYPE_NO_SALT)
- fprintf (stderr, " '%.*s'", e->length, e->salt);
- fprintf (stderr, "\n");
- }
+ for (j = 0; etype_info[j]; j++) {
+ krb5_etype_info_entry *e = etype_info[j];
+ fprintf (stderr, "etype info %d: etype %d salt len=%d",
+ j, e->etype, e->length);
+ if (e->length > 0 && e->length != KRB5_ETYPE_NO_SALT)
+ fprintf (stderr, " '%.*s'", e->length, e->salt);
+ fprintf (stderr, "\n");
+ }
#endif
- break;
- }
- case KRB5_PADATA_PW_SALT:
- case KRB5_PADATA_AFS3_SALT:
- if (etype_info)
- continue;
- break;
- default:
- ;
- }
- /* Try the internally-provided preauth type list. */
- if (!realdone) for (j=0; pa_types[j].type >= 0; j++) {
- if ((in_padata[i]->pa_type == pa_types[j].type) &&
- (pa_types[j].flags & paorder[h])) {
+ break;
+ }
+ case KRB5_PADATA_PW_SALT:
+ case KRB5_PADATA_AFS3_SALT:
+ if (etype_info)
+ continue;
+ break;
+ default:
+ ;
+ }
+ /* Try the internally-provided preauth type list. */
+ if (!realdone) for (j=0; pa_types[j].type >= 0; j++) {
+ if ((in_padata[i]->pa_type == pa_types[j].type) &&
+ (pa_types[j].flags & paorder[h])) {
#ifdef DEBUG
- fprintf (stderr, "calling internal function for pa_type "
- "%d, flag %d\n", pa_types[j].type, paorder[h]);
+ fprintf (stderr, "calling internal function for pa_type "
+ "%d, flag %d\n", pa_types[j].type, paorder[h]);
#endif
- out_pa = NULL;
-
- if ((ret = ((*pa_types[j].fct)(context, request,
- in_padata[i], &out_pa,
- salt, s2kparams, etype, as_key,
- prompter, prompter_data,
- gak_fct, gak_data)))) {
- if (paorder[h] == PA_INFO) {
+ out_pa = NULL;
+
+ if ((ret = ((*pa_types[j].fct)(context, request,
+ in_padata[i], &out_pa,
+ salt, s2kparams, etype, as_key,
+ prompter, prompter_data,
+ gak_fct, gak_data)))) {
+ if (paorder[h] == PA_INFO) {
#ifdef DEBUG
- fprintf (stderr,
- "internal function for type %d, flag %d "
- "failed with err %d\n",
- in_padata[i]->pa_type, paorder[h], ret);
+ fprintf (stderr,
+ "internal function for type %d, flag %d "
+ "failed with err %d\n",
+ in_padata[i]->pa_type, paorder[h], ret);
#endif
- ret = 0;
- continue; /* PA_INFO type failed, ignore */
+ ret = 0;
+ continue; /* PA_INFO type failed, ignore */
+ }
+
+ goto cleanup;
}
-
- goto cleanup;
- }
-
- ret = grow_pa_list(&out_pa_list, &out_pa_list_size,
- &out_pa, 1);
- if (ret != 0) {
- goto cleanup;
- }
- if (paorder[h] == PA_REAL)
- realdone = 1;
- }
- }
-
- /* Try to use plugins now. */
- if (!realdone) {
- krb5_init_preauth_context(context);
- if (context->preauth_context != NULL) {
- int module_ret = 0, module_flags;
+
+ ret = grow_pa_list(&out_pa_list, &out_pa_list_size,
+ &out_pa, 1);
+ if (ret != 0) {
+ goto cleanup;
+ }
+ if (paorder[h] == PA_REAL)
+ realdone = 1;
+ }
+ }
+
+ /* Try to use plugins now. */
+ if (!realdone) {
+ krb5_init_preauth_context(context);
+ if (context->preauth_context != NULL) {
+ int module_ret = 0, module_flags;
#ifdef DEBUG
- fprintf (stderr, "trying modules for pa_type %d, flag %d\n",
- in_padata[i]->pa_type, paorder[h]);
+ fprintf (stderr, "trying modules for pa_type %d, flag %d\n",
+ in_padata[i]->pa_type, paorder[h]);
#endif
- ret = krb5_run_preauth_plugins(context,
- paorder[h],
- request,
- encoded_request_body,
- encoded_previous_request,
- in_padata[i],
- prompter,
- prompter_data,
- gak_fct,
- salt, s2kparams,
- gak_data,
- get_data_rock,
- as_key,
- &out_pa_list,
- &out_pa_list_size,
- &module_ret,
- &module_flags,
- opte);
- if (ret == 0) {
- if (module_ret == 0) {
- if (paorder[h] == PA_REAL) {
- realdone = 1;
- }
- }
- }
- }
- }
- }
+ ret = krb5_run_preauth_plugins(context,
+ paorder[h],
+ request,
+ encoded_request_body,
+ encoded_previous_request,
+ in_padata[i],
+ prompter,
+ prompter_data,
+ gak_fct,
+ salt, s2kparams,
+ gak_data,
+ get_data_rock,
+ as_key,
+ &out_pa_list,
+ &out_pa_list_size,
+ &module_ret,
+ &module_flags,
+ opte);
+ if (ret == 0) {
+ if (module_ret == 0) {
+ if (paorder[h] == PA_REAL) {
+ realdone = 1;
+ }
+ }
+ }
+ }
+ }
+ }
}
*out_padata = out_pa_list;
if (etype_info)
- krb5_free_etype_info(context, etype_info);
-
+ krb5_free_etype_info(context, etype_info);
+
return(0);
- cleanup:
+cleanup:
if (out_pa_list) {
- out_pa_list[out_pa_list_size++] = NULL;
- krb5_free_pa_data(context, out_pa_list);
+ out_pa_list[out_pa_list_size++] = NULL;
+ krb5_free_pa_data(context, out_pa_list);
}
if (etype_info)
- krb5_free_etype_info(context, etype_info);
+ krb5_free_etype_info(context, etype_info);
return (ret);
}
diff --git a/src/lib/krb5/krb/princ_comp.c b/src/lib/krb5/krb/princ_comp.c
index 367c11e3d..3565f2c82 100644
--- a/src/lib/krb5/krb/princ_comp.c
+++ b/src/lib/krb5/krb/princ_comp.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/princ_comp.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* compare two principals, returning a krb5_boolean true if equal, false if
* not.
@@ -33,19 +34,19 @@
static krb5_boolean
realm_compare_flags(krb5_context context,
- krb5_const_principal princ1,
- krb5_const_principal princ2,
- int flags)
+ krb5_const_principal princ1,
+ krb5_const_principal princ2,
+ int flags)
{
const krb5_data *realm1 = krb5_princ_realm(context, princ1);
const krb5_data *realm2 = krb5_princ_realm(context, princ2);
if (realm1->length != realm2->length)
- return FALSE;
+ return FALSE;
return (flags & KRB5_PRINCIPAL_COMPARE_CASEFOLD) ?
- (strncasecmp(realm1->data, realm2->data, realm2->length) == 0) :
- (memcmp(realm1->data, realm2->data, realm2->length) == 0);
+ (strncasecmp(realm1->data, realm2->data, realm2->length) == 0) :
+ (memcmp(realm1->data, realm2->data, realm2->length) == 0);
}
krb5_boolean KRB5_CALLCONV
@@ -56,18 +57,18 @@ krb5_realm_compare(krb5_context context, krb5_const_principal princ1, krb5_const
static krb5_error_code
upn_to_principal(krb5_context context,
- krb5_const_principal princ,
- krb5_principal *upn)
+ krb5_const_principal princ,
+ krb5_principal *upn)
{
char *unparsed_name;
krb5_error_code code;
code = krb5_unparse_name_flags(context, princ,
- KRB5_PRINCIPAL_UNPARSE_NO_REALM,
- &unparsed_name);
+ KRB5_PRINCIPAL_UNPARSE_NO_REALM,
+ &unparsed_name);
if (code) {
- *upn = NULL;
- return code;
+ *upn = NULL;
+ return code;
}
code = krb5_parse_name(context, unparsed_name, upn);
@@ -79,9 +80,9 @@ upn_to_principal(krb5_context context,
krb5_boolean KRB5_CALLCONV
krb5_principal_compare_flags(krb5_context context,
- krb5_const_principal princ1,
- krb5_const_principal princ2,
- int flags)
+ krb5_const_principal princ1,
+ krb5_const_principal princ2,
+ int flags)
{
register int i;
krb5_int32 nelem;
@@ -92,50 +93,50 @@ krb5_principal_compare_flags(krb5_context context,
krb5_boolean ret = FALSE;
if (flags & KRB5_PRINCIPAL_COMPARE_ENTERPRISE) {
- /* Treat UPNs as if they were real principals */
- if (krb5_princ_type(context, princ1) == KRB5_NT_ENTERPRISE_PRINCIPAL) {
- if (upn_to_principal(context, princ1, &upn1) == 0)
- princ1 = upn1;
- }
- if (krb5_princ_type(context, princ2) == KRB5_NT_ENTERPRISE_PRINCIPAL) {
- if (upn_to_principal(context, princ2, &upn2) == 0)
- princ2 = upn2;
- }
+ /* Treat UPNs as if they were real principals */
+ if (krb5_princ_type(context, princ1) == KRB5_NT_ENTERPRISE_PRINCIPAL) {
+ if (upn_to_principal(context, princ1, &upn1) == 0)
+ princ1 = upn1;
+ }
+ if (krb5_princ_type(context, princ2) == KRB5_NT_ENTERPRISE_PRINCIPAL) {
+ if (upn_to_principal(context, princ2, &upn2) == 0)
+ princ2 = upn2;
+ }
}
nelem = krb5_princ_size(context, princ1);
if (nelem != krb5_princ_size(context, princ2))
- goto out;
+ goto out;
if ((flags & KRB5_PRINCIPAL_COMPARE_IGNORE_REALM) == 0 &&
- !realm_compare_flags(context, princ1, princ2, flags))
- goto out;
+ !realm_compare_flags(context, princ1, princ2, flags))
+ goto out;
for (i = 0; i < (int) nelem; i++) {
- const krb5_data *p1 = krb5_princ_component(context, princ1, i);
- const krb5_data *p2 = krb5_princ_component(context, princ2, i);
- krb5_boolean eq;
-
- if (casefold) {
- if (utf8)
- eq = (krb5int_utf8_normcmp(p1, p2, KRB5_UTF8_CASEFOLD) == 0);
- else
- eq = (p1->length == p2->length
- && strncasecmp(p1->data, p2->data, p2->length) == 0);
- } else
- eq = data_eq(*p1, *p2);
-
- if (!eq)
- goto out;
+ const krb5_data *p1 = krb5_princ_component(context, princ1, i);
+ const krb5_data *p2 = krb5_princ_component(context, princ2, i);
+ krb5_boolean eq;
+
+ if (casefold) {
+ if (utf8)
+ eq = (krb5int_utf8_normcmp(p1, p2, KRB5_UTF8_CASEFOLD) == 0);
+ else
+ eq = (p1->length == p2->length
+ && strncasecmp(p1->data, p2->data, p2->length) == 0);
+ } else
+ eq = data_eq(*p1, *p2);
+
+ if (!eq)
+ goto out;
}
ret = TRUE;
out:
if (upn1 != NULL)
- krb5_free_principal(context, upn1);
+ krb5_free_principal(context, upn1);
if (upn2 != NULL)
- krb5_free_principal(context, upn2);
+ krb5_free_principal(context, upn2);
return ret;
}
@@ -150,7 +151,7 @@ krb5_boolean KRB5_CALLCONV krb5_is_referral_realm(const krb5_data *r)
#ifdef DEBUG_REFERRALS
#if 0
printf("krb5_is_ref_realm: checking <%s> for referralness: %s\n",
- r->data,(r->length==0)?"true":"false");
+ r->data,(r->length==0)?"true":"false");
#endif
#endif
assert(strlen(KRB5_REFERRAL_REALM)==0);
@@ -162,17 +163,16 @@ krb5_boolean KRB5_CALLCONV krb5_is_referral_realm(const krb5_data *r)
krb5_boolean KRB5_CALLCONV
krb5_principal_compare(krb5_context context,
- krb5_const_principal princ1,
- krb5_const_principal princ2)
+ krb5_const_principal princ1,
+ krb5_const_principal princ2)
{
return krb5_principal_compare_flags(context, princ1, princ2, 0);
}
krb5_boolean KRB5_CALLCONV
krb5_principal_compare_any_realm(krb5_context context,
- krb5_const_principal princ1,
- krb5_const_principal princ2)
+ krb5_const_principal princ1,
+ krb5_const_principal princ2)
{
return krb5_principal_compare_flags(context, princ1, princ2, KRB5_PRINCIPAL_COMPARE_IGNORE_REALM);
}
-
diff --git a/src/lib/krb5/krb/rd_cred.c b/src/lib/krb5/krb/rd_cred.c
index a5d00dc4e..30ce4255f 100644
--- a/src/lib/krb5/krb/rd_cred.c
+++ b/src/lib/krb5/krb/rd_cred.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
#include "k5-int.h"
#include "cleanup.h"
#include "auth_con.h"
@@ -11,38 +12,38 @@
/*
* decrypt the enc_part of a krb5_cred
*/
-static krb5_error_code
+static krb5_error_code
decrypt_credencdata(krb5_context context, krb5_cred *pcred,
- krb5_key pkey, krb5_cred_enc_part *pcredenc)
+ krb5_key pkey, krb5_cred_enc_part *pcredenc)
{
krb5_cred_enc_part * ppart = NULL;
- krb5_error_code retval;
- krb5_data scratch;
+ krb5_error_code retval;
+ krb5_data scratch;
scratch.length = pcred->enc_part.ciphertext.length;
- if (!(scratch.data = (char *)malloc(scratch.length)))
- return ENOMEM;
+ if (!(scratch.data = (char *)malloc(scratch.length)))
+ return ENOMEM;
if (pkey != NULL) {
- if ((retval = krb5_k_decrypt(context, pkey,
- KRB5_KEYUSAGE_KRB_CRED_ENCPART, 0,
- &pcred->enc_part, &scratch)))
- goto cleanup;
+ if ((retval = krb5_k_decrypt(context, pkey,
+ KRB5_KEYUSAGE_KRB_CRED_ENCPART, 0,
+ &pcred->enc_part, &scratch)))
+ goto cleanup;
} else {
- memcpy(scratch.data, pcred->enc_part.ciphertext.data, scratch.length);
+ memcpy(scratch.data, pcred->enc_part.ciphertext.data, scratch.length);
}
/* now decode the decrypted stuff */
if ((retval = decode_krb5_enc_cred_part(&scratch, &ppart)))
- goto cleanup;
+ goto cleanup;
*pcredenc = *ppart;
retval = 0;
cleanup:
if (ppart != NULL) {
- memset(ppart, 0, sizeof(*ppart));
- free(ppart);
+ memset(ppart, 0, sizeof(*ppart));
+ free(ppart);
}
memset(scratch.data, 0, scratch.length);
free(scratch.data);
@@ -51,40 +52,40 @@ cleanup:
}
/*----------------------- krb5_rd_cred_basic -----------------------*/
-static krb5_error_code
+static krb5_error_code
krb5_rd_cred_basic(krb5_context context, krb5_data *pcreddata,
- krb5_key pkey, krb5_replay_data *replaydata,
- krb5_creds ***pppcreds)
+ krb5_key pkey, krb5_replay_data *replaydata,
+ krb5_creds ***pppcreds)
{
krb5_error_code retval;
- krb5_cred * pcred;
- krb5_int32 ncreds;
- krb5_int32 i = 0;
- krb5_cred_enc_part encpart;
+ krb5_cred * pcred;
+ krb5_int32 ncreds;
+ krb5_int32 i = 0;
+ krb5_cred_enc_part encpart;
/* decode cred message */
if ((retval = decode_krb5_cred(pcreddata, &pcred)))
- return retval;
+ return retval;
memset(&encpart, 0, sizeof(encpart));
if ((retval = decrypt_credencdata(context, pcred, pkey, &encpart)))
- goto cleanup_cred;
+ goto cleanup_cred;
replaydata->timestamp = encpart.timestamp;
replaydata->usec = encpart.usec;
replaydata->seq = encpart.nonce;
- /*
- * Allocate the list of creds. The memory is allocated so that
- * krb5_free_tgt_creds can be used to free the list.
- */
+ /*
+ * Allocate the list of creds. The memory is allocated so that
+ * krb5_free_tgt_creds can be used to free the list.
+ */
for (ncreds = 0; pcred->tickets[ncreds]; ncreds++);
-
- if ((*pppcreds =
- (krb5_creds **)malloc((size_t)(sizeof(krb5_creds *) *
- (ncreds + 1)))) == NULL) {
+
+ if ((*pppcreds =
+ (krb5_creds **)malloc((size_t)(sizeof(krb5_creds *) *
+ (ncreds + 1)))) == NULL) {
retval = ENOMEM;
goto cleanup_cred;
}
@@ -95,13 +96,13 @@ krb5_rd_cred_basic(krb5_context context, krb5_data *pcreddata,
* credentials and copy the information.
*/
while (i < ncreds) {
- krb5_cred_info * pinfo;
- krb5_creds * pcur;
- krb5_data * pdata;
+ krb5_cred_info * pinfo;
+ krb5_creds * pcur;
+ krb5_data * pdata;
if ((pcur = (krb5_creds *)calloc(1, sizeof(krb5_creds))) == NULL) {
- retval = ENOMEM;
- goto cleanup;
+ retval = ENOMEM;
+ goto cleanup;
}
(*pppcreds)[i] = pcur;
@@ -109,26 +110,26 @@ krb5_rd_cred_basic(krb5_context context, krb5_data *pcreddata,
pinfo = encpart.ticket_info[i++];
if ((retval = krb5_copy_principal(context, pinfo->client,
- &pcur->client)))
- goto cleanup;
+ &pcur->client)))
+ goto cleanup;
if ((retval = krb5_copy_principal(context, pinfo->server,
- &pcur->server)))
- goto cleanup;
+ &pcur->server)))
+ goto cleanup;
- if ((retval = krb5_copy_keyblock_contents(context, pinfo->session,
- &pcur->keyblock)))
- goto cleanup;
+ if ((retval = krb5_copy_keyblock_contents(context, pinfo->session,
+ &pcur->keyblock)))
+ goto cleanup;
- if ((retval = krb5_copy_addresses(context, pinfo->caddrs,
- &pcur->addresses)))
- goto cleanup;
+ if ((retval = krb5_copy_addresses(context, pinfo->caddrs,
+ &pcur->addresses)))
+ goto cleanup;
if ((retval = encode_krb5_ticket(pcred->tickets[i - 1], &pdata)))
- goto cleanup;
+ goto cleanup;
- pcur->ticket = *pdata;
- free(pdata);
+ pcur->ticket = *pdata;
+ free(pdata);
pcur->is_skey = FALSE;
@@ -146,7 +147,7 @@ krb5_rd_cred_basic(krb5_context context, krb5_data *pcreddata,
cleanup:
if (retval)
- krb5_free_tgt_creds(context, *pppcreds);
+ krb5_free_tgt_creds(context, *pppcreds);
cleanup_cred:
krb5_free_cred(context, pcred);
@@ -163,8 +164,8 @@ cleanup_cred:
*/
krb5_error_code KRB5_CALLCONV
krb5_rd_cred(krb5_context context, krb5_auth_context auth_context,
- krb5_data *pcreddata, krb5_creds ***pppcreds,
- krb5_replay_data *outdata)
+ krb5_data *pcreddata, krb5_creds ***pppcreds,
+ krb5_replay_data *outdata)
{
krb5_error_code retval;
krb5_key key;
@@ -172,16 +173,16 @@ krb5_rd_cred(krb5_context context, krb5_auth_context auth_context,
/* Get key */
if ((key = auth_context->recv_subkey) == NULL)
- key = auth_context->key;
+ key = auth_context->key;
if (((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) ||
- (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
- (outdata == NULL))
+ (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
+ (outdata == NULL))
/* Need a better error */
return KRB5_RC_REQUIRED;
if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) &&
- (auth_context->rcache == NULL))
+ (auth_context->rcache == NULL))
return KRB5_RC_REQUIRED;
@@ -191,12 +192,12 @@ krb5_rd_cred(krb5_context context, krb5_auth_context auth_context,
* that.
*/
if ((retval = krb5_rd_cred_basic(context, pcreddata, key,
- &replaydata, pppcreds))) {
- if ((retval = krb5_rd_cred_basic(context, pcreddata,
- auth_context->key,
- &replaydata, pppcreds))) {
- return retval;
- }
+ &replaydata, pppcreds))) {
+ if ((retval = krb5_rd_cred_basic(context, pcreddata,
+ auth_context->key,
+ &replaydata, pppcreds))) {
+ return retval;
+ }
}
if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) {
@@ -206,7 +207,7 @@ krb5_rd_cred(krb5_context context, krb5_auth_context auth_context,
goto error;
if ((retval = krb5_gen_replay_name(context, auth_context->remote_addr,
- "_forw", &replay.client)))
+ "_forw", &replay.client)))
goto error;
replay.server = ""; /* XXX */
@@ -229,7 +230,7 @@ krb5_rd_cred(krb5_context context, krb5_auth_context auth_context,
}
if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) ||
- (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) {
+ (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) {
outdata->timestamp = replaydata.timestamp;
outdata->usec = replaydata.usec;
outdata->seq = replaydata.seq;
@@ -237,9 +238,8 @@ krb5_rd_cred(krb5_context context, krb5_auth_context auth_context,
error:;
if (retval) {
- krb5_free_tgt_creds(context, *pppcreds);
- *pppcreds = NULL;
+ krb5_free_tgt_creds(context, *pppcreds);
+ *pppcreds = NULL;
}
return retval;
}
-
diff --git a/src/lib/krb5/krb/rd_error.c b/src/lib/krb5/krb/rd_error.c
index 2c617154b..39d9acdeb 100644
--- a/src/lib/krb5/krb/rd_error.c
+++ b/src/lib/krb5/krb/rd_error.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/rd_error.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_rd_error() routine
*/
@@ -35,16 +36,15 @@
*
* Upon return dec_error will point to allocated storage which the
* caller should free when finished.
- *
+ *
* returns system errors
*/
krb5_error_code KRB5_CALLCONV
krb5_rd_error(krb5_context context, const krb5_data *enc_errbuf,
- krb5_error **dec_error)
+ krb5_error **dec_error)
{
if (!krb5_is_krb_error(enc_errbuf))
- return KRB5KRB_AP_ERR_MSG_TYPE;
+ return KRB5KRB_AP_ERR_MSG_TYPE;
return(decode_krb5_error(enc_errbuf, dec_error));
}
-
diff --git a/src/lib/krb5/krb/rd_priv.c b/src/lib/krb5/krb/rd_priv.c
index 9b84ad87a..a6c79300c 100644
--- a/src/lib/krb5/krb/rd_priv.c
+++ b/src/lib/krb5/krb/rd_priv.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/rd_priv.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_rd_priv()
*/
@@ -33,97 +34,97 @@
/*
-Parses a KRB_PRIV message from inbuf, placing the confidential user
-data in *outbuf.
+ Parses a KRB_PRIV message from inbuf, placing the confidential user
+ data in *outbuf.
+
+ key specifies the key to be used for decryption of the message.
-key specifies the key to be used for decryption of the message.
-
-remote_addr and local_addr specify the full
-addresses (host and port) of the sender and receiver.
+ remote_addr and local_addr specify the full
+ addresses (host and port) of the sender and receiver.
-outbuf points to allocated storage which the caller should
-free when finished.
+ outbuf points to allocated storage which the caller should
+ free when finished.
-i_vector is used as an initialization vector for the
-encryption, and if non-NULL its contents are replaced with the last
-block of the encrypted data upon exit.
+ i_vector is used as an initialization vector for the
+ encryption, and if non-NULL its contents are replaced with the last
+ block of the encrypted data upon exit.
-Returns system errors, integrity errors.
+ Returns system errors, integrity errors.
*/
static krb5_error_code
krb5_rd_priv_basic(krb5_context context, const krb5_data *inbuf,
- const krb5_key key, const krb5_address *local_addr,
- const krb5_address *remote_addr, krb5_pointer i_vector,
- krb5_replay_data *replaydata, krb5_data *outbuf)
+ const krb5_key key, const krb5_address *local_addr,
+ const krb5_address *remote_addr, krb5_pointer i_vector,
+ krb5_replay_data *replaydata, krb5_data *outbuf)
{
- krb5_error_code retval;
- krb5_priv * privmsg;
- krb5_data scratch;
+ krb5_error_code retval;
+ krb5_priv * privmsg;
+ krb5_data scratch;
krb5_priv_enc_part * privmsg_enc_part;
- size_t blocksize;
- krb5_data ivdata;
- krb5_enctype enctype;
+ size_t blocksize;
+ krb5_data ivdata;
+ krb5_enctype enctype;
if (!krb5_is_krb_priv(inbuf))
- return KRB5KRB_AP_ERR_MSG_TYPE;
+ return KRB5KRB_AP_ERR_MSG_TYPE;
/* decode private message */
if ((retval = decode_krb5_priv(inbuf, &privmsg)))
- return retval;
-
+ return retval;
+
if (i_vector) {
- enctype = krb5_k_key_enctype(context, key);
- if ((retval = krb5_c_block_size(context, enctype, &blocksize)))
- goto cleanup_privmsg;
+ enctype = krb5_k_key_enctype(context, key);
+ if ((retval = krb5_c_block_size(context, enctype, &blocksize)))
+ goto cleanup_privmsg;
- ivdata.length = blocksize;
- ivdata.data = i_vector;
+ ivdata.length = blocksize;
+ ivdata.data = i_vector;
}
scratch.length = privmsg->enc_part.ciphertext.length;
if (!(scratch.data = malloc(scratch.length))) {
- retval = ENOMEM;
- goto cleanup_privmsg;
+ retval = ENOMEM;
+ goto cleanup_privmsg;
}
if ((retval = krb5_k_decrypt(context, key,
- KRB5_KEYUSAGE_KRB_PRIV_ENCPART,
- i_vector?&ivdata:0,
- &privmsg->enc_part, &scratch)))
- goto cleanup_scratch;
+ KRB5_KEYUSAGE_KRB_PRIV_ENCPART,
+ i_vector?&ivdata:0,
+ &privmsg->enc_part, &scratch)))
+ goto cleanup_scratch;
/* now decode the decrypted stuff */
if ((retval = decode_krb5_enc_priv_part(&scratch, &privmsg_enc_part)))
goto cleanup_scratch;
if (!krb5_address_compare(context,remote_addr,privmsg_enc_part->s_address)){
- retval = KRB5KRB_AP_ERR_BADADDR;
- goto cleanup_data;
+ retval = KRB5KRB_AP_ERR_BADADDR;
+ goto cleanup_data;
}
-
+
if (privmsg_enc_part->r_address) {
- if (local_addr) {
- if (!krb5_address_compare(context, local_addr,
- privmsg_enc_part->r_address)) {
- retval = KRB5KRB_AP_ERR_BADADDR;
- goto cleanup_data;
- }
- } else {
- krb5_address **our_addrs;
-
- if ((retval = krb5_os_localaddr(context, &our_addrs))) {
- goto cleanup_data;
- }
- if (!krb5_address_search(context, privmsg_enc_part->r_address,
- our_addrs)) {
- krb5_free_addresses(context, our_addrs);
- retval = KRB5KRB_AP_ERR_BADADDR;
- goto cleanup_data;
- }
- krb5_free_addresses(context, our_addrs);
- }
+ if (local_addr) {
+ if (!krb5_address_compare(context, local_addr,
+ privmsg_enc_part->r_address)) {
+ retval = KRB5KRB_AP_ERR_BADADDR;
+ goto cleanup_data;
+ }
+ } else {
+ krb5_address **our_addrs;
+
+ if ((retval = krb5_os_localaddr(context, &our_addrs))) {
+ goto cleanup_data;
+ }
+ if (!krb5_address_search(context, privmsg_enc_part->r_address,
+ our_addrs)) {
+ krb5_free_addresses(context, our_addrs);
+ retval = KRB5KRB_AP_ERR_BADADDR;
+ goto cleanup_data;
+ }
+ krb5_free_addresses(context, our_addrs);
+ }
}
replaydata->timestamp = privmsg_enc_part->timestamp;
@@ -136,15 +137,15 @@ krb5_rd_priv_basic(krb5_context context, const krb5_data *inbuf,
cleanup_data:;
if (retval == 0)
- privmsg_enc_part->user_data.data = 0;
+ privmsg_enc_part->user_data.data = 0;
krb5_free_priv_enc_part(context, privmsg_enc_part);
cleanup_scratch:;
- memset(scratch.data, 0, scratch.length);
+ memset(scratch.data, 0, scratch.length);
free(scratch.data);
cleanup_privmsg:;
- free(privmsg->enc_part.ciphertext.data);
+ free(privmsg->enc_part.ciphertext.data);
free(privmsg);
return retval;
@@ -152,116 +153,116 @@ cleanup_privmsg:;
krb5_error_code KRB5_CALLCONV
krb5_rd_priv(krb5_context context, krb5_auth_context auth_context,
- const krb5_data *inbuf, krb5_data *outbuf,
- krb5_replay_data *outdata)
+ const krb5_data *inbuf, krb5_data *outbuf,
+ krb5_replay_data *outdata)
{
- krb5_error_code retval;
+ krb5_error_code retval;
krb5_key key;
- krb5_replay_data replaydata;
+ krb5_replay_data replaydata;
/* Get key */
if ((key = auth_context->recv_subkey) == NULL)
- key = auth_context->key;
+ key = auth_context->key;
if (((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) ||
- (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
- (outdata == NULL))
- /* Need a better error */
- return KRB5_RC_REQUIRED;
+ (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
+ (outdata == NULL))
+ /* Need a better error */
+ return KRB5_RC_REQUIRED;
if (!auth_context->remote_addr)
- return KRB5_REMOTE_ADDR_REQUIRED;
+ return KRB5_REMOTE_ADDR_REQUIRED;
if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) &&
- (auth_context->rcache == NULL))
- return KRB5_RC_REQUIRED;
+ (auth_context->rcache == NULL))
+ return KRB5_RC_REQUIRED;
+
+ {
+ krb5_address * premote_fulladdr;
+ krb5_address * plocal_fulladdr = NULL;
+ krb5_address remote_fulladdr;
+ krb5_address local_fulladdr;
+ CLEANUP_INIT(2);
+
+ if (auth_context->local_addr) {
+ if (auth_context->local_port) {
+ if (!(retval = krb5_make_fulladdr(context, auth_context->local_addr,
+ auth_context->local_port,
+ &local_fulladdr))){
+ CLEANUP_PUSH(local_fulladdr.contents, free);
+ plocal_fulladdr = &local_fulladdr;
+ } else {
+ return retval;
+ }
+ } else {
+ plocal_fulladdr = auth_context->local_addr;
+ }
+ }
-{
- krb5_address * premote_fulladdr;
- krb5_address * plocal_fulladdr = NULL;
- krb5_address remote_fulladdr;
- krb5_address local_fulladdr;
- CLEANUP_INIT(2);
-
- if (auth_context->local_addr) {
- if (auth_context->local_port) {
- if (!(retval = krb5_make_fulladdr(context, auth_context->local_addr,
- auth_context->local_port,
- &local_fulladdr))){
- CLEANUP_PUSH(local_fulladdr.contents, free);
- plocal_fulladdr = &local_fulladdr;
+ if (auth_context->remote_port) {
+ if (!(retval = krb5_make_fulladdr(context,auth_context->remote_addr,
+ auth_context->remote_port,
+ &remote_fulladdr))){
+ CLEANUP_PUSH(remote_fulladdr.contents, free);
+ premote_fulladdr = &remote_fulladdr;
} else {
- return retval;
+ CLEANUP_DONE();
+ return retval;
}
- } else {
- plocal_fulladdr = auth_context->local_addr;
+ } else {
+ premote_fulladdr = auth_context->remote_addr;
}
- }
- if (auth_context->remote_port) {
- if (!(retval = krb5_make_fulladdr(context,auth_context->remote_addr,
- auth_context->remote_port,
- &remote_fulladdr))){
- CLEANUP_PUSH(remote_fulladdr.contents, free);
- premote_fulladdr = &remote_fulladdr;
- } else {
- CLEANUP_DONE();
- return retval;
- }
- } else {
- premote_fulladdr = auth_context->remote_addr;
- }
+ memset(&replaydata, 0, sizeof(replaydata));
+ if ((retval = krb5_rd_priv_basic(context, inbuf, key,
+ plocal_fulladdr,
+ premote_fulladdr,
+ auth_context->i_vector,
+ &replaydata, outbuf))) {
+ CLEANUP_DONE();
+ return retval;
+ }
- memset(&replaydata, 0, sizeof(replaydata));
- if ((retval = krb5_rd_priv_basic(context, inbuf, key,
- plocal_fulladdr,
- premote_fulladdr,
- auth_context->i_vector,
- &replaydata, outbuf))) {
- CLEANUP_DONE();
- return retval;
+ CLEANUP_DONE();
}
- CLEANUP_DONE();
-}
-
if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) {
- krb5_donot_replay replay;
-
- if ((retval = krb5int_check_clockskew(context, replaydata.timestamp)))
- goto error;
-
- if ((retval = krb5_gen_replay_name(context, auth_context->remote_addr,
- "_priv", &replay.client)))
- goto error;
-
- replay.server = ""; /* XXX */
- replay.msghash = NULL;
- replay.cusec = replaydata.usec;
- replay.ctime = replaydata.timestamp;
- if ((retval = krb5_rc_store(context, auth_context->rcache, &replay))) {
- free(replay.client);
- goto error;
- }
- free(replay.client);
+ krb5_donot_replay replay;
+
+ if ((retval = krb5int_check_clockskew(context, replaydata.timestamp)))
+ goto error;
+
+ if ((retval = krb5_gen_replay_name(context, auth_context->remote_addr,
+ "_priv", &replay.client)))
+ goto error;
+
+ replay.server = ""; /* XXX */
+ replay.msghash = NULL;
+ replay.cusec = replaydata.usec;
+ replay.ctime = replaydata.timestamp;
+ if ((retval = krb5_rc_store(context, auth_context->rcache, &replay))) {
+ free(replay.client);
+ goto error;
+ }
+ free(replay.client);
}
if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
- if (!krb5int_auth_con_chkseqnum(context, auth_context,
- replaydata.seq)) {
- retval = KRB5KRB_AP_ERR_BADORDER;
- goto error;
- }
- auth_context->remote_seq_number++;
+ if (!krb5int_auth_con_chkseqnum(context, auth_context,
+ replaydata.seq)) {
+ retval = KRB5KRB_AP_ERR_BADORDER;
+ goto error;
+ }
+ auth_context->remote_seq_number++;
}
if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) ||
- (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) {
- outdata->timestamp = replaydata.timestamp;
- outdata->usec = replaydata.usec;
- outdata->seq = replaydata.seq;
+ (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) {
+ outdata->timestamp = replaydata.timestamp;
+ outdata->usec = replaydata.usec;
+ outdata->seq = replaydata.seq;
}
-
+
/* everything is ok - return data to the user */
return 0;
@@ -272,4 +273,3 @@ error:;
return retval;
}
-
diff --git a/src/lib/krb5/krb/rd_rep.c b/src/lib/krb5/krb/rd_rep.c
index 6e9cb0808..45c990187 100644
--- a/src/lib/krb5/krb/rd_rep.c
+++ b/src/lib/krb5/krb/rd_rep.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/rd_rep.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_rd_rep()
*/
@@ -59,74 +60,74 @@
/*
* Parses a KRB_AP_REP message, returning its contents.
- *
+ *
* repl is filled in with with a pointer to allocated memory containing
- * the fields from the encrypted response.
- *
+ * the fields from the encrypted response.
+ *
* the key in kblock is used to decrypt the message.
- *
+ *
* returns system errors, encryption errors, replay errors
*/
krb5_error_code KRB5_CALLCONV
krb5_rd_rep(krb5_context context, krb5_auth_context auth_context,
- const krb5_data *inbuf, krb5_ap_rep_enc_part **repl)
+ const krb5_data *inbuf, krb5_ap_rep_enc_part **repl)
{
- krb5_error_code retval;
- krb5_ap_rep *reply = NULL;
+ krb5_error_code retval;
+ krb5_ap_rep *reply = NULL;
krb5_ap_rep_enc_part *enc = NULL;
- krb5_data scratch;
+ krb5_data scratch;
*repl = NULL;
if (!krb5_is_ap_rep(inbuf))
- return KRB5KRB_AP_ERR_MSG_TYPE;
+ return KRB5KRB_AP_ERR_MSG_TYPE;
/* Decode inbuf. */
retval = decode_krb5_ap_rep(inbuf, &reply);
if (retval)
- return retval;
+ return retval;
/* Put together an eblock for this encryption. */
scratch.length = reply->enc_part.ciphertext.length;
scratch.data = malloc(scratch.length);
if (scratch.data == NULL) {
- retval = ENOMEM;
- goto clean_scratch;
+ retval = ENOMEM;
+ goto clean_scratch;
}
retval = krb5_k_decrypt(context, auth_context->key,
- KRB5_KEYUSAGE_AP_REP_ENCPART, 0,
- &reply->enc_part, &scratch);
+ KRB5_KEYUSAGE_AP_REP_ENCPART, 0,
+ &reply->enc_part, &scratch);
if (retval)
- goto clean_scratch;
+ goto clean_scratch;
/* Now decode the decrypted stuff. */
retval = decode_krb5_ap_rep_enc_part(&scratch, &enc);
if (retval)
- goto clean_scratch;
+ goto clean_scratch;
/* Check reply fields. */
if ((enc->ctime != auth_context->authentp->ctime)
- || (enc->cusec != auth_context->authentp->cusec)) {
- retval = KRB5_MUTUAL_FAILED;
- goto clean_scratch;
+ || (enc->cusec != auth_context->authentp->cusec)) {
+ retval = KRB5_MUTUAL_FAILED;
+ goto clean_scratch;
}
/* Set auth subkey. */
if (enc->subkey) {
- retval = krb5_auth_con_setrecvsubkey(context, auth_context,
- enc->subkey);
- if (retval)
- goto clean_scratch;
- retval = krb5_auth_con_setsendsubkey(context, auth_context,
- enc->subkey);
- if (retval) {
- (void) krb5_auth_con_setrecvsubkey(context, auth_context, NULL);
- goto clean_scratch;
- }
- /* Not used for anything yet. */
- auth_context->negotiated_etype = enc->subkey->enctype;
+ retval = krb5_auth_con_setrecvsubkey(context, auth_context,
+ enc->subkey);
+ if (retval)
+ goto clean_scratch;
+ retval = krb5_auth_con_setsendsubkey(context, auth_context,
+ enc->subkey);
+ if (retval) {
+ (void) krb5_auth_con_setrecvsubkey(context, auth_context, NULL);
+ goto clean_scratch;
+ }
+ /* Not used for anything yet. */
+ auth_context->negotiated_etype = enc->subkey->enctype;
}
/* Get remote sequence number. */
@@ -137,7 +138,7 @@ krb5_rd_rep(krb5_context context, krb5_auth_context auth_context,
clean_scratch:
if (scratch.data)
- memset(scratch.data, 0, scratch.length);
+ memset(scratch.data, 0, scratch.length);
free(scratch.data);
krb5_free_ap_rep(context, reply);
krb5_free_ap_rep_enc_part(context, enc);
@@ -146,56 +147,56 @@ clean_scratch:
krb5_error_code KRB5_CALLCONV
krb5_rd_rep_dce(krb5_context context, krb5_auth_context auth_context,
- const krb5_data *inbuf, krb5_ui_4 *nonce)
+ const krb5_data *inbuf, krb5_ui_4 *nonce)
{
- krb5_error_code retval;
- krb5_ap_rep * reply;
- krb5_data scratch;
+ krb5_error_code retval;
+ krb5_ap_rep * reply;
+ krb5_data scratch;
krb5_ap_rep_enc_part *repl = NULL;
if (!krb5_is_ap_rep(inbuf))
- return KRB5KRB_AP_ERR_MSG_TYPE;
+ return KRB5KRB_AP_ERR_MSG_TYPE;
/* decode it */
if ((retval = decode_krb5_ap_rep(inbuf, &reply)))
- return retval;
+ return retval;
/* put together an eblock for this encryption */
scratch.length = reply->enc_part.ciphertext.length;
if (!(scratch.data = malloc(scratch.length))) {
- krb5_free_ap_rep(context, reply);
- return(ENOMEM);
+ krb5_free_ap_rep(context, reply);
+ return(ENOMEM);
}
if ((retval = krb5_k_decrypt(context, auth_context->key,
- KRB5_KEYUSAGE_AP_REP_ENCPART, 0,
- &reply->enc_part, &scratch)))
- goto clean_scratch;
+ KRB5_KEYUSAGE_AP_REP_ENCPART, 0,
+ &reply->enc_part, &scratch)))
+ goto clean_scratch;
/* now decode the decrypted stuff */
retval = decode_krb5_ap_rep_enc_part(&scratch, &repl);
if (retval)
- goto clean_scratch;
+ goto clean_scratch;
*nonce = repl->seq_number;
if (*nonce != auth_context->local_seq_number) {
- retval = KRB5_MUTUAL_FAILED;
- goto clean_scratch;
+ retval = KRB5_MUTUAL_FAILED;
+ goto clean_scratch;
}
/* Must be NULL to prevent echoing for client AP-REP */
if (repl->subkey != NULL) {
- retval = KRB5_MUTUAL_FAILED;
- goto clean_scratch;
+ retval = KRB5_MUTUAL_FAILED;
+ goto clean_scratch;
}
clean_scratch:
- memset(scratch.data, 0, scratch.length);
+ memset(scratch.data, 0, scratch.length);
if (repl != NULL)
- krb5_free_ap_rep_enc_part(context, repl);
+ krb5_free_ap_rep_enc_part(context, repl);
krb5_free_ap_rep(context, reply);
free(scratch.data);
return retval;
diff --git a/src/lib/krb5/krb/rd_req.c b/src/lib/krb5/krb/rd_req.c
index 50c3a9011..4e12e5b36 100644
--- a/src/lib/krb5/krb/rd_req.c
+++ b/src/lib/krb5/krb/rd_req.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/rd_req.c
*
@@ -47,33 +48,33 @@
krb5_error_code KRB5_CALLCONV
krb5_rd_req(krb5_context context, krb5_auth_context *auth_context,
- const krb5_data *inbuf, krb5_const_principal server,
- krb5_keytab keytab, krb5_flags *ap_req_options,
- krb5_ticket **ticket)
+ const krb5_data *inbuf, krb5_const_principal server,
+ krb5_keytab keytab, krb5_flags *ap_req_options,
+ krb5_ticket **ticket)
{
- krb5_error_code retval;
- krb5_ap_req * request;
- krb5_auth_context new_auth_context;
+ krb5_error_code retval;
+ krb5_ap_req * request;
+ krb5_auth_context new_auth_context;
krb5_keytab new_keytab = NULL;
if (!krb5_is_ap_req(inbuf))
- return KRB5KRB_AP_ERR_MSG_TYPE;
+ return KRB5KRB_AP_ERR_MSG_TYPE;
#ifndef LEAN_CLIENT
if ((retval = decode_krb5_ap_req(inbuf, &request))) {
- switch (retval) {
- case KRB5_BADMSGTYPE:
- return KRB5KRB_AP_ERR_BADVERSION;
- default:
- return(retval);
- }
+ switch (retval) {
+ case KRB5_BADMSGTYPE:
+ return KRB5KRB_AP_ERR_BADVERSION;
+ default:
+ return(retval);
+ }
}
#endif /* LEAN_CLIENT */
/* Get an auth context if necessary. */
new_auth_context = NULL;
if (*auth_context == NULL) {
- if ((retval = krb5_auth_con_init(context, &new_auth_context)))
- goto cleanup_request;
+ if ((retval = krb5_auth_con_init(context, &new_auth_context)))
+ goto cleanup_request;
*auth_context = new_auth_context;
}
@@ -81,14 +82,14 @@ krb5_rd_req(krb5_context context, krb5_auth_context *auth_context,
#ifndef LEAN_CLIENT
/* Get a keytab if necessary. */
if (keytab == NULL) {
- if ((retval = krb5_kt_default(context, &new_keytab)))
- goto cleanup_auth_context;
- keytab = new_keytab;
+ if ((retval = krb5_kt_default(context, &new_keytab)))
+ goto cleanup_auth_context;
+ keytab = new_keytab;
}
#endif /* LEAN_CLIENT */
retval = krb5_rd_req_decoded(context, auth_context, request, server,
- keytab, ap_req_options, ticket);
+ keytab, ap_req_options, ticket);
#ifndef LEAN_CLIENT
if (new_keytab != NULL)
@@ -97,12 +98,11 @@ krb5_rd_req(krb5_context context, krb5_auth_context *auth_context,
cleanup_auth_context:
if (new_auth_context && retval) {
- krb5_auth_con_free(context, new_auth_context);
- *auth_context = NULL;
+ krb5_auth_con_free(context, new_auth_context);
+ *auth_context = NULL;
}
cleanup_request:
krb5_free_ap_req(context, request);
return retval;
}
-
diff --git a/src/lib/krb5/krb/rd_req_dec.c b/src/lib/krb5/krb/rd_req_dec.c
index 8516c7e43..adfa4de66 100644
--- a/src/lib/krb5/krb/rd_req_dec.c
+++ b/src/lib/krb5/krb/rd_req_dec.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/rd_req_dec.c
*
@@ -9,7 +10,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -24,7 +25,7 @@
* CyberSAFE Corporation make any representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_rd_req_decoded()
*/
@@ -40,43 +41,43 @@
*/
/*
* Parses a KRB_AP_REQ message, returning its contents.
- *
+ *
* server specifies the expected server's name for the ticket; if NULL, then
* any server will be accepted if the key can be found, and the caller should
* verify that the principal is something it trusts.
- *
+ *
* rcache specifies a replay detection cache used to store authenticators and
* server names
- *
+ *
* keyproc specifies a procedure to generate a decryption key for the
* ticket. If keyproc is non-NULL, keyprocarg is passed to it, and the result
* used as a decryption key. If keyproc is NULL, then fetchfrom is checked;
* if it is non-NULL, it specifies a parameter name from which to retrieve the
* decryption key. If fetchfrom is NULL, then the default key store is
* consulted.
- *
+ *
* authdat is set to point at allocated storage structures; the caller
- * should free them when finished.
- *
+ * should free them when finished.
+ *
* returns system errors, encryption errors, replay errors
*/
static krb5_error_code decrypt_authenticator
- (krb5_context, const krb5_ap_req *, krb5_authenticator **,
- int);
+(krb5_context, const krb5_ap_req *, krb5_authenticator **,
+ int);
static krb5_error_code
decode_etype_list(krb5_context context,
- const krb5_authenticator *authp,
- krb5_enctype **desired_etypes,
- int *desired_etypes_len);
+ const krb5_authenticator *authp,
+ krb5_enctype **desired_etypes,
+ int *desired_etypes_len);
static krb5_error_code
negotiate_etype(krb5_context context,
- const krb5_enctype *desired_etypes,
- int desired_etypes_len,
- int mandatory_etypes_index,
- const krb5_enctype *permitted_etypes,
- int permitted_etypes_len,
- krb5_enctype *negotiated_etype);
+ const krb5_enctype *desired_etypes,
+ int desired_etypes_len,
+ int mandatory_etypes_index,
+ const krb5_enctype *permitted_etypes,
+ int permitted_etypes_len,
+ krb5_enctype *negotiated_etype);
krb5_error_code
krb5int_check_clockskew(krb5_context context, krb5_timestamp date)
@@ -86,86 +87,86 @@ krb5int_check_clockskew(krb5_context context, krb5_timestamp date)
retval = krb5_timeofday(context, &currenttime);
if (retval)
- return retval;
+ return retval;
if (!(labs((date)-currenttime) < context->clockskew))
- return KRB5KRB_AP_ERR_SKEW;
+ return KRB5KRB_AP_ERR_SKEW;
return 0;
}
static krb5_error_code
krb5_rd_req_decrypt_tkt_part(krb5_context context, const krb5_ap_req *req,
- krb5_const_principal server, krb5_keytab keytab,
- krb5_keyblock *key)
+ krb5_const_principal server, krb5_keytab keytab,
+ krb5_keyblock *key)
{
- krb5_error_code retval;
- krb5_keytab_entry ktent;
+ krb5_error_code retval;
+ krb5_keytab_entry ktent;
retval = KRB5_KT_NOTFOUND;
-#ifndef LEAN_CLIENT
+#ifndef LEAN_CLIENT
if (server != NULL || keytab->ops->start_seq_get == NULL) {
- retval = krb5_kt_get_entry(context, keytab,
- server != NULL ? server : req->ticket->server,
- req->ticket->enc_part.kvno,
- req->ticket->enc_part.enctype, &ktent);
- if (retval == 0) {
- retval = krb5_decrypt_tkt_part(context, &ktent.key, req->ticket);
- if (retval == 0 && key != NULL)
- retval = krb5_copy_keyblock_contents(context, &ktent.key, key);
-
- (void) krb5_free_keytab_entry_contents(context, &ktent);
- }
+ retval = krb5_kt_get_entry(context, keytab,
+ server != NULL ? server : req->ticket->server,
+ req->ticket->enc_part.kvno,
+ req->ticket->enc_part.enctype, &ktent);
+ if (retval == 0) {
+ retval = krb5_decrypt_tkt_part(context, &ktent.key, req->ticket);
+ if (retval == 0 && key != NULL)
+ retval = krb5_copy_keyblock_contents(context, &ktent.key, key);
+
+ (void) krb5_free_keytab_entry_contents(context, &ktent);
+ }
} else {
- krb5_error_code code;
- krb5_kt_cursor cursor;
-
- code = krb5_kt_start_seq_get(context, keytab, &cursor);
- if (code != 0) {
- retval = code;
- goto map_error;
- }
-
- while ((code = krb5_kt_next_entry(context, keytab,
- &ktent, &cursor)) == 0) {
- if (ktent.key.enctype != req->ticket->enc_part.enctype)
- continue;
-
- retval = krb5_decrypt_tkt_part(context, &ktent.key,
- req->ticket);
-
- if (retval == 0) {
- krb5_principal tmp = NULL;
-
- /*
- * We overwrite ticket->server to be the principal
- * that we match in the keytab. The reason for doing
- * this is that GSS-API and other consumers look at
- * that principal to make authorization decisions
- * about whether the appropriate server is contacted.
- * It might be cleaner to create a new API and store
- * the server in the auth_context, but doing so would
- * probably miss existing uses of the server. Instead,
- * perhaps an API should be created to retrieve the
- * server as it appeared in the ticket.
- */
- retval = krb5_copy_principal(context, ktent.principal, &tmp);
- if (retval == 0 && key != NULL)
- retval = krb5_copy_keyblock_contents(context, &ktent.key, key);
- if (retval == 0) {
- krb5_free_principal(context, req->ticket->server);
- req->ticket->server = tmp;
- } else {
- krb5_free_principal(context, tmp);
- }
- (void) krb5_free_keytab_entry_contents(context, &ktent);
- break;
- }
- (void) krb5_free_keytab_entry_contents(context, &ktent);
- }
-
- code = krb5_kt_end_seq_get(context, keytab, &cursor);
- if (code != 0)
- retval = code;
+ krb5_error_code code;
+ krb5_kt_cursor cursor;
+
+ code = krb5_kt_start_seq_get(context, keytab, &cursor);
+ if (code != 0) {
+ retval = code;
+ goto map_error;
+ }
+
+ while ((code = krb5_kt_next_entry(context, keytab,
+ &ktent, &cursor)) == 0) {
+ if (ktent.key.enctype != req->ticket->enc_part.enctype)
+ continue;
+
+ retval = krb5_decrypt_tkt_part(context, &ktent.key,
+ req->ticket);
+
+ if (retval == 0) {
+ krb5_principal tmp = NULL;
+
+ /*
+ * We overwrite ticket->server to be the principal
+ * that we match in the keytab. The reason for doing
+ * this is that GSS-API and other consumers look at
+ * that principal to make authorization decisions
+ * about whether the appropriate server is contacted.
+ * It might be cleaner to create a new API and store
+ * the server in the auth_context, but doing so would
+ * probably miss existing uses of the server. Instead,
+ * perhaps an API should be created to retrieve the
+ * server as it appeared in the ticket.
+ */
+ retval = krb5_copy_principal(context, ktent.principal, &tmp);
+ if (retval == 0 && key != NULL)
+ retval = krb5_copy_keyblock_contents(context, &ktent.key, key);
+ if (retval == 0) {
+ krb5_free_principal(context, req->ticket->server);
+ req->ticket->server = tmp;
+ } else {
+ krb5_free_principal(context, tmp);
+ }
+ (void) krb5_free_keytab_entry_contents(context, &ktent);
+ break;
+ }
+ (void) krb5_free_keytab_entry_contents(context, &ktent);
+ }
+
+ code = krb5_kt_end_seq_get(context, keytab, &cursor);
+ if (code != 0)
+ retval = code;
}
#endif /* LEAN_CLIENT */
@@ -174,10 +175,10 @@ map_error:
case KRB5_KT_KVNONOTFOUND:
case KRB5_KT_NOTFOUND:
case KRB5KRB_AP_ERR_BAD_INTEGRITY:
- retval = KRB5KRB_AP_WRONG_PRINC;
- break;
+ retval = KRB5KRB_AP_WRONG_PRINC;
+ break;
default:
- break;
+ break;
}
return retval;
@@ -189,16 +190,16 @@ static void
debug_log_authz_data(const char *which, krb5_authdata **a)
{
if (a) {
- syslog(LOG_ERR|LOG_DAEMON, "%s authz data:", which);
- while (*a) {
- syslog(LOG_ERR|LOG_DAEMON, " ad_type:%d length:%d '%.*s'",
- (*a)->ad_type, (*a)->length, (*a)->length,
- (char *) (*a)->contents);
- a++;
- }
- syslog(LOG_ERR|LOG_DAEMON, " [end]");
+ syslog(LOG_ERR|LOG_DAEMON, "%s authz data:", which);
+ while (*a) {
+ syslog(LOG_ERR|LOG_DAEMON, " ad_type:%d length:%d '%.*s'",
+ (*a)->ad_type, (*a)->length, (*a)->length,
+ (char *) (*a)->contents);
+ a++;
+ }
+ syslog(LOG_ERR|LOG_DAEMON, " [end]");
} else
- syslog(LOG_ERR|LOG_DAEMON, "no %s authz data", which);
+ syslog(LOG_ERR|LOG_DAEMON, "no %s authz data", which);
}
#else
static void
@@ -209,91 +210,91 @@ debug_log_authz_data(const char *which, krb5_authdata **a)
static krb5_error_code
krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context,
- const krb5_ap_req *req, krb5_const_principal server,
- krb5_keytab keytab, krb5_flags *ap_req_options,
- krb5_ticket **ticket, int check_valid_flag)
+ const krb5_ap_req *req, krb5_const_principal server,
+ krb5_keytab keytab, krb5_flags *ap_req_options,
+ krb5_ticket **ticket, int check_valid_flag)
{
- krb5_error_code retval = 0;
- krb5_principal_data princ_data;
- krb5_enctype *desired_etypes = NULL;
- int desired_etypes_len = 0;
- int rfc4537_etypes_len = 0;
- krb5_enctype *permitted_etypes = NULL;
- int permitted_etypes_len = 0;
- krb5_keyblock decrypt_key;
+ krb5_error_code retval = 0;
+ krb5_principal_data princ_data;
+ krb5_enctype *desired_etypes = NULL;
+ int desired_etypes_len = 0;
+ int rfc4537_etypes_len = 0;
+ krb5_enctype *permitted_etypes = NULL;
+ int permitted_etypes_len = 0;
+ krb5_keyblock decrypt_key;
decrypt_key.enctype = ENCTYPE_NULL;
decrypt_key.contents = NULL;
-
+
req->ticket->enc_part2 = NULL;
if (server && krb5_is_referral_realm(&server->realm)) {
- char *realm;
- princ_data = *server;
- server = &princ_data;
- retval = krb5_get_default_realm(context, &realm);
- if (retval)
- return retval;
- princ_data.realm.data = realm;
- princ_data.realm.length = strlen(realm);
+ char *realm;
+ princ_data = *server;
+ server = &princ_data;
+ retval = krb5_get_default_realm(context, &realm);
+ if (retval)
+ return retval;
+ princ_data.realm.data = realm;
+ princ_data.realm.length = strlen(realm);
}
/* if (req->ap_options & AP_OPTS_USE_SESSION_KEY)
- do we need special processing here ? */
+ do we need special processing here ? */
/* decrypt the ticket */
if ((*auth_context)->key) { /* User to User authentication */
- if ((retval = krb5_decrypt_tkt_part(context,
- &(*auth_context)->key->keyblock,
- req->ticket)))
- goto cleanup;
- if (check_valid_flag) {
- decrypt_key = (*auth_context)->key->keyblock;
- (*auth_context)->key->keyblock.contents = NULL;
- }
- krb5_k_free_key(context, (*auth_context)->key);
- (*auth_context)->key = NULL;
+ if ((retval = krb5_decrypt_tkt_part(context,
+ &(*auth_context)->key->keyblock,
+ req->ticket)))
+ goto cleanup;
+ if (check_valid_flag) {
+ decrypt_key = (*auth_context)->key->keyblock;
+ (*auth_context)->key->keyblock.contents = NULL;
+ }
+ krb5_k_free_key(context, (*auth_context)->key);
+ (*auth_context)->key = NULL;
} else {
- if ((retval = krb5_rd_req_decrypt_tkt_part(context, req,
- server, keytab,
- check_valid_flag ? &decrypt_key : NULL)))
- goto cleanup;
+ if ((retval = krb5_rd_req_decrypt_tkt_part(context, req,
+ server, keytab,
+ check_valid_flag ? &decrypt_key : NULL)))
+ goto cleanup;
}
- /* XXX this is an evil hack. check_valid_flag is set iff the call
+ /* XXX this is an evil hack. check_valid_flag is set iff the call
is not from inside the kdc. we can use this to determine which
key usage to use */
#ifndef LEAN_CLIENT
- if ((retval = decrypt_authenticator(context, req,
- &((*auth_context)->authentp),
- check_valid_flag)))
- goto cleanup;
+ if ((retval = decrypt_authenticator(context, req,
+ &((*auth_context)->authentp),
+ check_valid_flag)))
+ goto cleanup;
#endif
if (!krb5_principal_compare(context, (*auth_context)->authentp->client,
- req->ticket->enc_part2->client)) {
- retval = KRB5KRB_AP_ERR_BADMATCH;
- goto cleanup;
+ req->ticket->enc_part2->client)) {
+ retval = KRB5KRB_AP_ERR_BADMATCH;
+ goto cleanup;
}
- if ((*auth_context)->remote_addr &&
- !krb5_address_search(context, (*auth_context)->remote_addr,
- req->ticket->enc_part2->caddrs)) {
- retval = KRB5KRB_AP_ERR_BADADDR;
- goto cleanup;
+ if ((*auth_context)->remote_addr &&
+ !krb5_address_search(context, (*auth_context)->remote_addr,
+ req->ticket->enc_part2->caddrs)) {
+ retval = KRB5KRB_AP_ERR_BADADDR;
+ goto cleanup;
}
if (!server) {
- server = req->ticket->server;
+ server = req->ticket->server;
}
/* Get an rcache if necessary. */
if (((*auth_context)->rcache == NULL)
- && ((*auth_context)->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME)
- && server) {
- if ((retval = krb5_get_server_rcache(context,
- krb5_princ_component(context,
- server,0),
- &(*auth_context)->rcache)))
- goto cleanup;
+ && ((*auth_context)->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME)
+ && server) {
+ if ((retval = krb5_get_server_rcache(context,
+ krb5_princ_component(context,
+ server,0),
+ &(*auth_context)->rcache)))
+ goto cleanup;
}
/* okay, now check cross-realm policy */
@@ -301,60 +302,60 @@ krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context,
/* Single hop cross-realm tickets only */
- {
- krb5_transited *trans = &(req->ticket->enc_part2->transited);
+ {
+ krb5_transited *trans = &(req->ticket->enc_part2->transited);
- /* If the transited list is empty, then we have at most one hop */
- if (trans->tr_contents.data && trans->tr_contents.data[0])
- retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
+ /* If the transited list is empty, then we have at most one hop */
+ if (trans->tr_contents.data && trans->tr_contents.data[0])
+ retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
}
#elif defined(_NO_CROSS_REALM)
/* No cross-realm tickets */
- {
- char * lrealm;
- krb5_data * realm;
- krb5_transited * trans;
-
- realm = krb5_princ_realm(context, req->ticket->enc_part2->client);
- trans = &(req->ticket->enc_part2->transited);
-
- /*
- * If the transited list is empty, then we have at most one hop
- * So we also have to check that the client's realm is the local one
- */
- krb5_get_default_realm(context, &lrealm);
- if ((trans->tr_contents.data && trans->tr_contents.data[0]) ||
- !data_eq_string(*realm, lrealm)) {
- retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
- }
- free(lrealm);
+ {
+ char * lrealm;
+ krb5_data * realm;
+ krb5_transited * trans;
+
+ realm = krb5_princ_realm(context, req->ticket->enc_part2->client);
+ trans = &(req->ticket->enc_part2->transited);
+
+ /*
+ * If the transited list is empty, then we have at most one hop
+ * So we also have to check that the client's realm is the local one
+ */
+ krb5_get_default_realm(context, &lrealm);
+ if ((trans->tr_contents.data && trans->tr_contents.data[0]) ||
+ !data_eq_string(*realm, lrealm)) {
+ retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
+ }
+ free(lrealm);
}
#else
/* Hierarchical Cross-Realm */
-
+
{
- krb5_data * realm;
- krb5_transited * trans;
-
- realm = krb5_princ_realm(context, req->ticket->enc_part2->client);
- trans = &(req->ticket->enc_part2->transited);
-
- /*
- * If the transited list is not empty, then check that all realms
- * transited are within the hierarchy between the client's realm
- * and the local realm.
- */
- if (trans->tr_contents.data && trans->tr_contents.data[0]) {
- retval = krb5_check_transited_list(context, &(trans->tr_contents),
- realm,
- krb5_princ_realm (context,
- server));
- }
+ krb5_data * realm;
+ krb5_transited * trans;
+
+ realm = krb5_princ_realm(context, req->ticket->enc_part2->client);
+ trans = &(req->ticket->enc_part2->transited);
+
+ /*
+ * If the transited list is not empty, then check that all realms
+ * transited are within the hierarchy between the client's realm
+ * and the local realm.
+ */
+ if (trans->tr_contents.data && trans->tr_contents.data[0]) {
+ retval = krb5_check_transited_list(context, &(trans->tr_contents),
+ realm,
+ krb5_princ_realm (context,
+ server));
+ }
}
#endif
@@ -365,69 +366,69 @@ krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context,
may not be able to use replay caches (such as datagram servers) */
if ((*auth_context)->rcache) {
- krb5_donot_replay rep;
- krb5_tkt_authent tktauthent;
-
- tktauthent.ticket = req->ticket;
- tktauthent.authenticator = (*auth_context)->authentp;
- if (!(retval = krb5_auth_to_rep(context, &tktauthent, &rep))) {
- retval = krb5_rc_hash_message(context,
- &req->authenticator.ciphertext,
- &rep.msghash);
- if (!retval) {
- retval = krb5_rc_store(context, (*auth_context)->rcache, &rep);
- free(rep.msghash);
- }
- free(rep.server);
- free(rep.client);
- }
-
- if (retval)
- goto cleanup;
+ krb5_donot_replay rep;
+ krb5_tkt_authent tktauthent;
+
+ tktauthent.ticket = req->ticket;
+ tktauthent.authenticator = (*auth_context)->authentp;
+ if (!(retval = krb5_auth_to_rep(context, &tktauthent, &rep))) {
+ retval = krb5_rc_hash_message(context,
+ &req->authenticator.ciphertext,
+ &rep.msghash);
+ if (!retval) {
+ retval = krb5_rc_store(context, (*auth_context)->rcache, &rep);
+ free(rep.msghash);
+ }
+ free(rep.server);
+ free(rep.client);
+ }
+
+ if (retval)
+ goto cleanup;
}
retval = krb5_validate_times(context, &req->ticket->enc_part2->times);
if (retval != 0)
- goto cleanup;
+ goto cleanup;
if ((retval = krb5int_check_clockskew(context, (*auth_context)->authentp->ctime)))
- goto cleanup;
+ goto cleanup;
if (check_valid_flag) {
- if (req->ticket->enc_part2->flags & TKT_FLG_INVALID) {
- retval = KRB5KRB_AP_ERR_TKT_INVALID;
- goto cleanup;
- }
-
- if ((retval = krb5_authdata_context_init(context,
- &(*auth_context)->ad_context)))
- goto cleanup;
- if ((retval = krb5int_authdata_verify(context,
- (*auth_context)->ad_context,
- AD_USAGE_MASK,
- auth_context,
- &decrypt_key,
- req)))
- goto cleanup;
+ if (req->ticket->enc_part2->flags & TKT_FLG_INVALID) {
+ retval = KRB5KRB_AP_ERR_TKT_INVALID;
+ goto cleanup;
+ }
+
+ if ((retval = krb5_authdata_context_init(context,
+ &(*auth_context)->ad_context)))
+ goto cleanup;
+ if ((retval = krb5int_authdata_verify(context,
+ (*auth_context)->ad_context,
+ AD_USAGE_MASK,
+ auth_context,
+ &decrypt_key,
+ req)))
+ goto cleanup;
}
/* read RFC 4537 etype list from sender */
retval = decode_etype_list(context,
- (*auth_context)->authentp,
- &desired_etypes,
- &rfc4537_etypes_len);
+ (*auth_context)->authentp,
+ &desired_etypes,
+ &rfc4537_etypes_len);
if (retval != 0)
- goto cleanup;
+ goto cleanup;
if (desired_etypes == NULL)
- desired_etypes = (krb5_enctype *)calloc(4, sizeof(krb5_enctype));
+ desired_etypes = (krb5_enctype *)calloc(4, sizeof(krb5_enctype));
else
- desired_etypes = (krb5_enctype *)realloc(desired_etypes,
- (rfc4537_etypes_len + 4) *
- sizeof(krb5_enctype));
+ desired_etypes = (krb5_enctype *)realloc(desired_etypes,
+ (rfc4537_etypes_len + 4) *
+ sizeof(krb5_enctype));
if (desired_etypes == NULL) {
- retval = ENOMEM;
- goto cleanup;
+ retval = ENOMEM;
+ goto cleanup;
}
desired_etypes_len = rfc4537_etypes_len;
@@ -457,105 +458,105 @@ krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context,
*/
if ((*auth_context)->authentp->subkey != NULL) {
- desired_etypes[desired_etypes_len++] = (*auth_context)->authentp->subkey->enctype;
+ desired_etypes[desired_etypes_len++] = (*auth_context)->authentp->subkey->enctype;
}
desired_etypes[desired_etypes_len++] = req->ticket->enc_part2->session->enctype;
desired_etypes[desired_etypes_len] = ENCTYPE_NULL;
if (((*auth_context)->auth_context_flags & KRB5_AUTH_CONTEXT_PERMIT_ALL) == 0) {
- if ((*auth_context)->permitted_etypes != NULL) {
- permitted_etypes = (*auth_context)->permitted_etypes;
- } else {
- retval = krb5_get_permitted_enctypes(context, &permitted_etypes);
- if (retval != 0)
- goto cleanup;
- }
- for (permitted_etypes_len = 0;
- permitted_etypes[permitted_etypes_len] != ENCTYPE_NULL;
- permitted_etypes_len++)
- ;
+ if ((*auth_context)->permitted_etypes != NULL) {
+ permitted_etypes = (*auth_context)->permitted_etypes;
+ } else {
+ retval = krb5_get_permitted_enctypes(context, &permitted_etypes);
+ if (retval != 0)
+ goto cleanup;
+ }
+ for (permitted_etypes_len = 0;
+ permitted_etypes[permitted_etypes_len] != ENCTYPE_NULL;
+ permitted_etypes_len++)
+ ;
} else {
- permitted_etypes = NULL;
- permitted_etypes_len = 0;
+ permitted_etypes = NULL;
+ permitted_etypes_len = 0;
}
/* check if the various etypes are permitted */
retval = negotiate_etype(context,
- desired_etypes, desired_etypes_len,
- rfc4537_etypes_len,
- permitted_etypes, permitted_etypes_len,
- &(*auth_context)->negotiated_etype);
+ desired_etypes, desired_etypes_len,
+ rfc4537_etypes_len,
+ permitted_etypes, permitted_etypes_len,
+ &(*auth_context)->negotiated_etype);
if (retval != 0)
- goto cleanup;
+ goto cleanup;
assert((*auth_context)->negotiated_etype != ENCTYPE_NULL);
(*auth_context)->remote_seq_number = (*auth_context)->authentp->seq_number;
if ((*auth_context)->authentp->subkey) {
- if ((retval = krb5_k_create_key(context,
- (*auth_context)->authentp->subkey,
- &((*auth_context)->recv_subkey))))
- goto cleanup;
- retval = krb5_k_create_key(context, (*auth_context)->authentp->subkey,
- &((*auth_context)->send_subkey));
- if (retval) {
- krb5_k_free_key(context, (*auth_context)->recv_subkey);
- (*auth_context)->recv_subkey = NULL;
- goto cleanup;
- }
+ if ((retval = krb5_k_create_key(context,
+ (*auth_context)->authentp->subkey,
+ &((*auth_context)->recv_subkey))))
+ goto cleanup;
+ retval = krb5_k_create_key(context, (*auth_context)->authentp->subkey,
+ &((*auth_context)->send_subkey));
+ if (retval) {
+ krb5_k_free_key(context, (*auth_context)->recv_subkey);
+ (*auth_context)->recv_subkey = NULL;
+ goto cleanup;
+ }
} else {
- (*auth_context)->recv_subkey = 0;
- (*auth_context)->send_subkey = 0;
+ (*auth_context)->recv_subkey = 0;
+ (*auth_context)->send_subkey = 0;
}
if ((retval = krb5_k_create_key(context, req->ticket->enc_part2->session,
- &((*auth_context)->key))))
- goto cleanup;
+ &((*auth_context)->key))))
+ goto cleanup;
debug_log_authz_data("ticket", req->ticket->enc_part2->authorization_data);
/*
- * If not AP_OPTS_MUTUAL_REQUIRED then and sequence numbers are used
+ * If not AP_OPTS_MUTUAL_REQUIRED then and sequence numbers are used
* then the default sequence number is the one's complement of the
* sequence number sent ot us.
*/
- if ((!(req->ap_options & AP_OPTS_MUTUAL_REQUIRED)) &&
- (*auth_context)->remote_seq_number) {
- (*auth_context)->local_seq_number ^=
- (*auth_context)->remote_seq_number;
+ if ((!(req->ap_options & AP_OPTS_MUTUAL_REQUIRED)) &&
+ (*auth_context)->remote_seq_number) {
+ (*auth_context)->local_seq_number ^=
+ (*auth_context)->remote_seq_number;
}
if (ticket)
- if ((retval = krb5_copy_ticket(context, req->ticket, ticket)))
- goto cleanup;
+ if ((retval = krb5_copy_ticket(context, req->ticket, ticket)))
+ goto cleanup;
if (ap_req_options) {
- *ap_req_options = req->ap_options & AP_OPTS_WIRE_MASK;
- if (rfc4537_etypes_len != 0)
- *ap_req_options |= AP_OPTS_ETYPE_NEGOTIATION;
- if ((*auth_context)->negotiated_etype !=
- krb5_k_key_enctype(context, (*auth_context)->key))
- *ap_req_options |= AP_OPTS_USE_SUBKEY;
+ *ap_req_options = req->ap_options & AP_OPTS_WIRE_MASK;
+ if (rfc4537_etypes_len != 0)
+ *ap_req_options |= AP_OPTS_ETYPE_NEGOTIATION;
+ if ((*auth_context)->negotiated_etype !=
+ krb5_k_key_enctype(context, (*auth_context)->key))
+ *ap_req_options |= AP_OPTS_USE_SUBKEY;
}
retval = 0;
-
+
cleanup:
if (desired_etypes != NULL)
- free(desired_etypes);
+ free(desired_etypes);
if (permitted_etypes != NULL &&
- permitted_etypes != (*auth_context)->permitted_etypes)
- free(permitted_etypes);
+ permitted_etypes != (*auth_context)->permitted_etypes)
+ free(permitted_etypes);
if (server == &princ_data)
- krb5_free_default_realm(context, princ_data.realm.data);
+ krb5_free_default_realm(context, princ_data.realm.data);
if (retval) {
- /* only free if we're erroring out...otherwise some
- applications will need the output. */
- if (req->ticket->enc_part2)
- krb5_free_enc_tkt_part(context, req->ticket->enc_part2);
- req->ticket->enc_part2 = NULL;
+ /* only free if we're erroring out...otherwise some
+ applications will need the output. */
+ if (req->ticket->enc_part2)
+ krb5_free_enc_tkt_part(context, req->ticket->enc_part2);
+ req->ticket->enc_part2 = NULL;
}
if (check_valid_flag)
- krb5_free_keyblock_contents(context, &decrypt_key);
+ krb5_free_keyblock_contents(context, &decrypt_key);
return retval;
}
@@ -566,12 +567,12 @@ krb5_rd_req_decoded(krb5_context context, krb5_auth_context *auth_context,
krb5_keytab keytab, krb5_flags *ap_req_options,
krb5_ticket **ticket)
{
- krb5_error_code retval;
- retval = krb5_rd_req_decoded_opt(context, auth_context,
- req, server, keytab,
- ap_req_options, ticket,
- 1); /* check_valid_flag */
- return retval;
+ krb5_error_code retval;
+ retval = krb5_rd_req_decoded_opt(context, auth_context,
+ req, server, keytab,
+ ap_req_options, ticket,
+ 1); /* check_valid_flag */
+ return retval;
}
krb5_error_code
@@ -581,18 +582,18 @@ krb5_rd_req_decoded_anyflag(krb5_context context,
krb5_const_principal server, krb5_keytab keytab,
krb5_flags *ap_req_options, krb5_ticket **ticket)
{
- krb5_error_code retval;
- retval = krb5_rd_req_decoded_opt(context, auth_context,
- req, server, keytab,
- ap_req_options, ticket,
- 0); /* don't check_valid_flag */
- return retval;
+ krb5_error_code retval;
+ retval = krb5_rd_req_decoded_opt(context, auth_context,
+ req, server, keytab,
+ ap_req_options, ticket,
+ 0); /* don't check_valid_flag */
+ return retval;
}
#ifndef LEAN_CLIENT
static krb5_error_code
decrypt_authenticator(krb5_context context, const krb5_ap_req *request,
- krb5_authenticator **authpp, int is_ap_req)
+ krb5_authenticator **authpp, int is_ap_req)
{
krb5_authenticator *local_auth;
krb5_error_code retval;
@@ -603,23 +604,23 @@ decrypt_authenticator(krb5_context context, const krb5_ap_req *request,
scratch.length = request->authenticator.ciphertext.length;
if (!(scratch.data = malloc(scratch.length)))
- return(ENOMEM);
+ return(ENOMEM);
if ((retval = krb5_c_decrypt(context, sesskey,
- is_ap_req?KRB5_KEYUSAGE_AP_REQ_AUTH:
- KRB5_KEYUSAGE_TGS_REQ_AUTH, 0,
- &request->authenticator, &scratch))) {
- free(scratch.data);
- return(retval);
+ is_ap_req?KRB5_KEYUSAGE_AP_REQ_AUTH:
+ KRB5_KEYUSAGE_TGS_REQ_AUTH, 0,
+ &request->authenticator, &scratch))) {
+ free(scratch.data);
+ return(retval);
}
-#define clean_scratch() {memset(scratch.data, 0, scratch.length); \
-free(scratch.data);}
+#define clean_scratch() {memset(scratch.data, 0, scratch.length); \
+ free(scratch.data);}
/* now decode the decrypted stuff */
if (!(retval = decode_krb5_authenticator(&scratch, &local_auth))) {
- *authpp = local_auth;
- debug_log_authz_data("authenticator", local_auth->authorization_data);
+ *authpp = local_auth;
+ debug_log_authz_data("authenticator", local_auth->authorization_data);
}
clean_scratch();
return retval;
@@ -628,12 +629,12 @@ free(scratch.data);}
static krb5_error_code
negotiate_etype(krb5_context context,
- const krb5_enctype *desired_etypes,
- int desired_etypes_len,
- int mandatory_etypes_index,
- const krb5_enctype *permitted_etypes,
- int permitted_etypes_len,
- krb5_enctype *negotiated_etype)
+ const krb5_enctype *desired_etypes,
+ int desired_etypes_len,
+ int mandatory_etypes_index,
+ const krb5_enctype *permitted_etypes,
+ int permitted_etypes_len,
+ krb5_enctype *negotiated_etype)
{
int i, j;
@@ -641,26 +642,26 @@ negotiate_etype(krb5_context context,
/* mandatory segment of desired_etypes must be permitted */
for (i = mandatory_etypes_index; i < desired_etypes_len; i++) {
- krb5_boolean permitted = FALSE;
-
- for (j = 0; j < permitted_etypes_len; j++) {
- if (desired_etypes[i] == permitted_etypes[j]) {
- permitted = TRUE;
- break;
- }
- }
-
- if (permitted == FALSE) {
- char enctype_name[30];
-
- if (krb5_enctype_to_string(desired_etypes[i],
- enctype_name,
- sizeof(enctype_name)) == 0)
- krb5_set_error_message(context, KRB5_NOPERM_ETYPE,
- "Encryption type %s not permitted",
- enctype_name);
- return KRB5_NOPERM_ETYPE;
- }
+ krb5_boolean permitted = FALSE;
+
+ for (j = 0; j < permitted_etypes_len; j++) {
+ if (desired_etypes[i] == permitted_etypes[j]) {
+ permitted = TRUE;
+ break;
+ }
+ }
+
+ if (permitted == FALSE) {
+ char enctype_name[30];
+
+ if (krb5_enctype_to_string(desired_etypes[i],
+ enctype_name,
+ sizeof(enctype_name)) == 0)
+ krb5_set_error_message(context, KRB5_NOPERM_ETYPE,
+ "Encryption type %s not permitted",
+ enctype_name);
+ return KRB5_NOPERM_ETYPE;
+ }
}
/*
@@ -668,12 +669,12 @@ negotiate_etype(krb5_context context,
* find first desired_etype that matches.
*/
for (j = 0; j < permitted_etypes_len; j++) {
- for (i = 0; i < desired_etypes_len; i++) {
- if (desired_etypes[i] == permitted_etypes[j]) {
- *negotiated_etype = permitted_etypes[j];
- return 0;
- }
- }
+ for (i = 0; i < desired_etypes_len; i++) {
+ if (desired_etypes[i] == permitted_etypes[j]) {
+ *negotiated_etype = permitted_etypes[j];
+ return 0;
+ }
+ }
}
/*NOTREACHED*/
@@ -682,9 +683,9 @@ negotiate_etype(krb5_context context,
static krb5_error_code
decode_etype_list(krb5_context context,
- const krb5_authenticator *authp,
- krb5_enctype **desired_etypes,
- int *desired_etypes_len)
+ const krb5_authenticator *authp,
+ krb5_enctype **desired_etypes,
+ int *desired_etypes_len)
{
krb5_error_code code;
krb5_authdata **ad_if_relevant = NULL;
@@ -696,59 +697,58 @@ decode_etype_list(krb5_context context,
*desired_etypes = NULL;
if (authp->authorization_data == NULL)
- return 0;
+ return 0;
/*
* RFC 4537 says that ETYPE_NEGOTIATION auth data should be wrapped
* in AD_IF_RELEVANT, but we handle the case where it is mandatory.
*/
for (i = 0; authp->authorization_data[i] != NULL; i++) {
- switch (authp->authorization_data[i]->ad_type) {
- case KRB5_AUTHDATA_IF_RELEVANT:
- code = krb5_decode_authdata_container(context,
- KRB5_AUTHDATA_IF_RELEVANT,
- authp->authorization_data[i],
- &ad_if_relevant);
- if (code != 0)
- continue;
-
- for (j = 0; ad_if_relevant[j] != NULL; j++) {
- if (ad_if_relevant[j]->ad_type == KRB5_AUTHDATA_ETYPE_NEGOTIATION) {
- etype_adata = ad_if_relevant[j];
- break;
- }
- }
- if (etype_adata == NULL) {
- krb5_free_authdata(context, ad_if_relevant);
- ad_if_relevant = NULL;
- }
- break;
- case KRB5_AUTHDATA_ETYPE_NEGOTIATION:
- etype_adata = authp->authorization_data[i];
- break;
- default:
- break;
- }
- if (etype_adata != NULL)
- break;
+ switch (authp->authorization_data[i]->ad_type) {
+ case KRB5_AUTHDATA_IF_RELEVANT:
+ code = krb5_decode_authdata_container(context,
+ KRB5_AUTHDATA_IF_RELEVANT,
+ authp->authorization_data[i],
+ &ad_if_relevant);
+ if (code != 0)
+ continue;
+
+ for (j = 0; ad_if_relevant[j] != NULL; j++) {
+ if (ad_if_relevant[j]->ad_type == KRB5_AUTHDATA_ETYPE_NEGOTIATION) {
+ etype_adata = ad_if_relevant[j];
+ break;
+ }
+ }
+ if (etype_adata == NULL) {
+ krb5_free_authdata(context, ad_if_relevant);
+ ad_if_relevant = NULL;
+ }
+ break;
+ case KRB5_AUTHDATA_ETYPE_NEGOTIATION:
+ etype_adata = authp->authorization_data[i];
+ break;
+ default:
+ break;
+ }
+ if (etype_adata != NULL)
+ break;
}
if (etype_adata == NULL)
- return 0;
+ return 0;
data.data = (char *)etype_adata->contents;
data.length = etype_adata->length;
code = decode_krb5_etype_list(&data, &etype_list);
if (code == 0) {
- *desired_etypes = etype_list->etypes;
- *desired_etypes_len = etype_list->length;
- free(etype_list);
+ *desired_etypes = etype_list->etypes;
+ *desired_etypes_len = etype_list->length;
+ free(etype_list);
}
if (ad_if_relevant != NULL)
- krb5_free_authdata(context, ad_if_relevant);
+ krb5_free_authdata(context, ad_if_relevant);
return code;
}
-
diff --git a/src/lib/krb5/krb/rd_safe.c b/src/lib/krb5/krb/rd_safe.c
index 68c13317c..924cb9fc2 100644
--- a/src/lib/krb5/krb/rd_safe.c
+++ b/src/lib/krb5/krb/rd_safe.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/rd_safe.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_rd_safe()
*/
@@ -32,27 +33,27 @@
#include "auth_con.h"
/*
- parses a KRB_SAFE message from inbuf, placing the integrity-protected user
- data in *outbuf.
+ parses a KRB_SAFE message from inbuf, placing the integrity-protected user
+ data in *outbuf.
- key specifies the key to be used for decryption of the message.
-
- sender_addr and recv_addr specify the full addresses (host and port) of
- the sender and receiver.
+ key specifies the key to be used for decryption of the message.
- outbuf points to allocated storage which the caller should free when finished.
+ sender_addr and recv_addr specify the full addresses (host and port) of
+ the sender and receiver.
- returns system errors, integrity errors
- */
+ outbuf points to allocated storage which the caller should free when finished.
+
+ returns system errors, integrity errors
+*/
static krb5_error_code
krb5_rd_safe_basic(krb5_context context, const krb5_data *inbuf,
- krb5_key key,
- const krb5_address *recv_addr,
- const krb5_address *sender_addr,
- krb5_replay_data *replaydata, krb5_data *outbuf)
+ krb5_key key,
+ const krb5_address *recv_addr,
+ const krb5_address *sender_addr,
+ krb5_replay_data *replaydata, krb5_data *outbuf)
{
- krb5_error_code retval;
- krb5_safe * message;
+ krb5_error_code retval;
+ krb5_safe * message;
krb5_data safe_body;
krb5_checksum our_cksum, *his_cksum;
krb5_octet zero_octet = 0;
@@ -61,45 +62,45 @@ krb5_rd_safe_basic(krb5_context context, const krb5_data *inbuf,
struct krb5_safe_with_body swb;
if (!krb5_is_krb_safe(inbuf))
- return KRB5KRB_AP_ERR_MSG_TYPE;
+ return KRB5KRB_AP_ERR_MSG_TYPE;
if ((retval = decode_krb5_safe_with_body(inbuf, &message, &safe_body)))
- return retval;
+ return retval;
if (!krb5_c_valid_cksumtype(message->checksum->checksum_type)) {
- retval = KRB5_PROG_SUMTYPE_NOSUPP;
- goto cleanup;
+ retval = KRB5_PROG_SUMTYPE_NOSUPP;
+ goto cleanup;
}
if (!krb5_c_is_coll_proof_cksum(message->checksum->checksum_type) ||
- !krb5_c_is_keyed_cksum(message->checksum->checksum_type)) {
- retval = KRB5KRB_AP_ERR_INAPP_CKSUM;
- goto cleanup;
+ !krb5_c_is_keyed_cksum(message->checksum->checksum_type)) {
+ retval = KRB5KRB_AP_ERR_INAPP_CKSUM;
+ goto cleanup;
}
if (!krb5_address_compare(context, sender_addr, message->s_address)) {
- retval = KRB5KRB_AP_ERR_BADADDR;
- goto cleanup;
+ retval = KRB5KRB_AP_ERR_BADADDR;
+ goto cleanup;
}
if (message->r_address) {
- if (recv_addr) {
- if (!krb5_address_compare(context, recv_addr, message->r_address)) {
- retval = KRB5KRB_AP_ERR_BADADDR;
- goto cleanup;
- }
- } else {
- krb5_address **our_addrs;
-
- if ((retval = krb5_os_localaddr(context, &our_addrs)))
- goto cleanup;
-
- if (!krb5_address_search(context, message->r_address, our_addrs)) {
- krb5_free_addresses(context, our_addrs);
- retval = KRB5KRB_AP_ERR_BADADDR;
- goto cleanup;
- }
- krb5_free_addresses(context, our_addrs);
- }
+ if (recv_addr) {
+ if (!krb5_address_compare(context, recv_addr, message->r_address)) {
+ retval = KRB5KRB_AP_ERR_BADADDR;
+ goto cleanup;
+ }
+ } else {
+ krb5_address **our_addrs;
+
+ if ((retval = krb5_os_localaddr(context, &our_addrs)))
+ goto cleanup;
+
+ if (!krb5_address_search(context, message->r_address, our_addrs)) {
+ krb5_free_addresses(context, our_addrs);
+ retval = KRB5KRB_AP_ERR_BADADDR;
+ goto cleanup;
+ }
+ krb5_free_addresses(context, our_addrs);
+ }
}
/* verify the checksum */
@@ -122,27 +123,27 @@ krb5_rd_safe_basic(krb5_context context, const krb5_data *inbuf,
retval = encode_krb5_safe_with_body(&swb, &scratch);
message->checksum = his_cksum;
if (retval)
- goto cleanup;
+ goto cleanup;
retval = krb5_k_verify_checksum(context, key,
- KRB5_KEYUSAGE_KRB_SAFE_CKSUM,
- scratch, his_cksum, &valid);
+ KRB5_KEYUSAGE_KRB_SAFE_CKSUM,
+ scratch, his_cksum, &valid);
(void) memset(scratch->data, 0, scratch->length);
krb5_free_data(context, scratch);
-
+
if (!valid) {
- /*
- * Checksum over only the KRB-SAFE-BODY, like RFC 1510 says, in
- * case someone actually implements it correctly.
- */
- retval = krb5_k_verify_checksum(context, key,
- KRB5_KEYUSAGE_KRB_SAFE_CKSUM,
- &safe_body, his_cksum, &valid);
- if (!valid) {
- retval = KRB5KRB_AP_ERR_MODIFIED;
- goto cleanup;
- }
+ /*
+ * Checksum over only the KRB-SAFE-BODY, like RFC 1510 says, in
+ * case someone actually implements it correctly.
+ */
+ retval = krb5_k_verify_checksum(context, key,
+ KRB5_KEYUSAGE_KRB_SAFE_CKSUM,
+ &safe_body, his_cksum, &valid);
+ if (!valid) {
+ retval = KRB5KRB_AP_ERR_MODIFIED;
+ goto cleanup;
+ }
}
replaydata->timestamp = message->timestamp;
@@ -152,7 +153,7 @@ krb5_rd_safe_basic(krb5_context context, const krb5_data *inbuf,
*outbuf = message->user_data;
message->user_data.data = NULL;
retval = 0;
-
+
cleanup:
krb5_free_safe(context, message);
return retval;
@@ -160,114 +161,114 @@ cleanup:
krb5_error_code KRB5_CALLCONV
krb5_rd_safe(krb5_context context, krb5_auth_context auth_context,
- const krb5_data *inbuf, krb5_data *outbuf,
- krb5_replay_data *outdata)
+ const krb5_data *inbuf, krb5_data *outbuf,
+ krb5_replay_data *outdata)
{
- krb5_error_code retval;
- krb5_key key;
- krb5_replay_data replaydata;
+ krb5_error_code retval;
+ krb5_key key;
+ krb5_replay_data replaydata;
if (((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) ||
- (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
- (outdata == NULL))
- /* Need a better error */
- return KRB5_RC_REQUIRED;
+ (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) &&
+ (outdata == NULL))
+ /* Need a better error */
+ return KRB5_RC_REQUIRED;
if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) &&
- (auth_context->rcache == NULL))
- return KRB5_RC_REQUIRED;
+ (auth_context->rcache == NULL))
+ return KRB5_RC_REQUIRED;
if (!auth_context->remote_addr)
- return KRB5_REMOTE_ADDR_REQUIRED;
+ return KRB5_REMOTE_ADDR_REQUIRED;
/* Get key */
if ((key = auth_context->recv_subkey) == NULL)
- key = auth_context->key;
+ key = auth_context->key;
+
+ {
+ krb5_address * premote_fulladdr;
+ krb5_address * plocal_fulladdr = NULL;
+ krb5_address remote_fulladdr;
+ krb5_address local_fulladdr;
+ CLEANUP_INIT(2);
+
+ if (auth_context->local_addr) {
+ if (auth_context->local_port) {
+ if (!(retval = krb5_make_fulladdr(context, auth_context->local_addr,
+ auth_context->local_port,
+ &local_fulladdr))){
+ CLEANUP_PUSH(local_fulladdr.contents, free);
+ plocal_fulladdr = &local_fulladdr;
+ } else {
+ return retval;
+ }
+ } else {
+ plocal_fulladdr = auth_context->local_addr;
+ }
+ }
-{
- krb5_address * premote_fulladdr;
- krb5_address * plocal_fulladdr = NULL;
- krb5_address remote_fulladdr;
- krb5_address local_fulladdr;
- CLEANUP_INIT(2);
-
- if (auth_context->local_addr) {
- if (auth_context->local_port) {
- if (!(retval = krb5_make_fulladdr(context, auth_context->local_addr,
- auth_context->local_port,
- &local_fulladdr))){
- CLEANUP_PUSH(local_fulladdr.contents, free);
- plocal_fulladdr = &local_fulladdr;
+ if (auth_context->remote_port) {
+ if (!(retval = krb5_make_fulladdr(context,auth_context->remote_addr,
+ auth_context->remote_port,
+ &remote_fulladdr))){
+ CLEANUP_PUSH(remote_fulladdr.contents, free);
+ premote_fulladdr = &remote_fulladdr;
} else {
- return retval;
+ return retval;
}
- } else {
- plocal_fulladdr = auth_context->local_addr;
+ } else {
+ premote_fulladdr = auth_context->remote_addr;
}
- }
- if (auth_context->remote_port) {
- if (!(retval = krb5_make_fulladdr(context,auth_context->remote_addr,
- auth_context->remote_port,
- &remote_fulladdr))){
- CLEANUP_PUSH(remote_fulladdr.contents, free);
- premote_fulladdr = &remote_fulladdr;
- } else {
- return retval;
- }
- } else {
- premote_fulladdr = auth_context->remote_addr;
- }
+ memset(&replaydata, 0, sizeof(replaydata));
+ if ((retval = krb5_rd_safe_basic(context, inbuf, key,
+ plocal_fulladdr, premote_fulladdr,
+ &replaydata, outbuf))) {
+ CLEANUP_DONE();
+ return retval;
+ }
- memset(&replaydata, 0, sizeof(replaydata));
- if ((retval = krb5_rd_safe_basic(context, inbuf, key,
- plocal_fulladdr, premote_fulladdr,
- &replaydata, outbuf))) {
- CLEANUP_DONE();
- return retval;
+ CLEANUP_DONE();
}
- CLEANUP_DONE();
-}
-
if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) {
- krb5_donot_replay replay;
-
- if ((retval = krb5int_check_clockskew(context, replaydata.timestamp)))
- goto error;
-
- if ((retval = krb5_gen_replay_name(context, auth_context->remote_addr,
- "_safe", &replay.client)))
- goto error;
-
- replay.server = ""; /* XXX */
- replay.msghash = NULL;
- replay.cusec = replaydata.usec;
- replay.ctime = replaydata.timestamp;
- if ((retval = krb5_rc_store(context, auth_context->rcache, &replay))) {
- free(replay.client);
- goto error;
- }
- free(replay.client);
+ krb5_donot_replay replay;
+
+ if ((retval = krb5int_check_clockskew(context, replaydata.timestamp)))
+ goto error;
+
+ if ((retval = krb5_gen_replay_name(context, auth_context->remote_addr,
+ "_safe", &replay.client)))
+ goto error;
+
+ replay.server = ""; /* XXX */
+ replay.msghash = NULL;
+ replay.cusec = replaydata.usec;
+ replay.ctime = replaydata.timestamp;
+ if ((retval = krb5_rc_store(context, auth_context->rcache, &replay))) {
+ free(replay.client);
+ goto error;
+ }
+ free(replay.client);
}
if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) {
- if (!krb5int_auth_con_chkseqnum(context, auth_context,
- replaydata.seq)) {
- retval = KRB5KRB_AP_ERR_BADORDER;
- goto error;
- }
- auth_context->remote_seq_number++;
+ if (!krb5int_auth_con_chkseqnum(context, auth_context,
+ replaydata.seq)) {
+ retval = KRB5KRB_AP_ERR_BADORDER;
+ goto error;
+ }
+ auth_context->remote_seq_number++;
}
if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) ||
- (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) {
- outdata->timestamp = replaydata.timestamp;
- outdata->usec = replaydata.usec;
- outdata->seq = replaydata.seq;
+ (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) {
+ outdata->timestamp = replaydata.timestamp;
+ outdata->usec = replaydata.usec;
+ outdata->seq = replaydata.seq;
}
-
+
/* everything is ok - return data to the user */
return 0;
@@ -276,4 +277,3 @@ error:
return retval;
}
-
diff --git a/src/lib/krb5/krb/recvauth.c b/src/lib/krb5/krb/recvauth.c
index 611546aa5..90746ba5c 100644
--- a/src/lib/krb5/krb/recvauth.c
+++ b/src/lib/krb5/krb/recvauth.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/recvauth.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* convenience sendauth/recvauth functions
*/
@@ -38,79 +39,79 @@ static const char sendauth_version[] = "KRB5_SENDAUTH_V1.0";
static krb5_error_code
recvauth_common(krb5_context context,
- krb5_auth_context * auth_context,
- /* IN */
- krb5_pointer fd,
- char *appl_version,
- krb5_principal server,
- krb5_int32 flags,
- krb5_keytab keytab,
- /* OUT */
- krb5_ticket ** ticket,
- krb5_data *version)
+ krb5_auth_context * auth_context,
+ /* IN */
+ krb5_pointer fd,
+ char *appl_version,
+ krb5_principal server,
+ krb5_int32 flags,
+ krb5_keytab keytab,
+ /* OUT */
+ krb5_ticket ** ticket,
+ krb5_data *version)
{
- krb5_auth_context new_auth_context;
- krb5_flags ap_option = 0;
- krb5_error_code retval, problem;
- krb5_data inbuf;
- krb5_data outbuf;
- krb5_rcache rcache = 0;
- krb5_octet response;
- krb5_data null_server;
+ krb5_auth_context new_auth_context;
+ krb5_flags ap_option = 0;
+ krb5_error_code retval, problem;
+ krb5_data inbuf;
+ krb5_data outbuf;
+ krb5_rcache rcache = 0;
+ krb5_octet response;
+ krb5_data null_server;
int need_error_free = 0;
- int local_rcache = 0, local_authcon = 0;
-
- /*
- * Zero out problem variable. If problem is set at the end of
- * the intial version negotiation section, it means that we
- * need to send an error code back to the client application
- * and exit.
- */
- problem = 0;
- response = 0;
-
- if (!(flags & KRB5_RECVAUTH_SKIP_VERSION)) {
- /*
- * First read the sendauth version string and check it.
- */
- if ((retval = krb5_read_message(context, fd, &inbuf)))
- return(retval);
- if (strcmp(inbuf.data, sendauth_version)) {
- problem = KRB5_SENDAUTH_BADAUTHVERS;
- response = 1;
- }
- free(inbuf.data);
- }
- if (flags & KRB5_RECVAUTH_BADAUTHVERS) {
- problem = KRB5_SENDAUTH_BADAUTHVERS;
- response = 1;
- }
-
- /*
- * Do the same thing for the application version string.
- */
- if ((retval = krb5_read_message(context, fd, &inbuf)))
- return(retval);
- if (appl_version && strcmp(inbuf.data, appl_version)) {
- if (!problem) {
- problem = KRB5_SENDAUTH_BADAPPLVERS;
- response = 2;
- }
- }
- if (version && !problem)
- *version = inbuf;
- else
- free(inbuf.data);
-
- /*
- * Now we actually write the response. If the response is non-zero,
- * exit with a return value of problem
- */
- if ((krb5_net_write(context, *((int *)fd), (char *)&response, 1)) < 0) {
- return(problem); /* We'll return the top-level problem */
- }
- if (problem)
- return(problem);
+ int local_rcache = 0, local_authcon = 0;
+
+ /*
+ * Zero out problem variable. If problem is set at the end of
+ * the intial version negotiation section, it means that we
+ * need to send an error code back to the client application
+ * and exit.
+ */
+ problem = 0;
+ response = 0;
+
+ if (!(flags & KRB5_RECVAUTH_SKIP_VERSION)) {
+ /*
+ * First read the sendauth version string and check it.
+ */
+ if ((retval = krb5_read_message(context, fd, &inbuf)))
+ return(retval);
+ if (strcmp(inbuf.data, sendauth_version)) {
+ problem = KRB5_SENDAUTH_BADAUTHVERS;
+ response = 1;
+ }
+ free(inbuf.data);
+ }
+ if (flags & KRB5_RECVAUTH_BADAUTHVERS) {
+ problem = KRB5_SENDAUTH_BADAUTHVERS;
+ response = 1;
+ }
+
+ /*
+ * Do the same thing for the application version string.
+ */
+ if ((retval = krb5_read_message(context, fd, &inbuf)))
+ return(retval);
+ if (appl_version && strcmp(inbuf.data, appl_version)) {
+ if (!problem) {
+ problem = KRB5_SENDAUTH_BADAPPLVERS;
+ response = 2;
+ }
+ }
+ if (version && !problem)
+ *version = inbuf;
+ else
+ free(inbuf.data);
+
+ /*
+ * Now we actually write the response. If the response is non-zero,
+ * exit with a return value of problem
+ */
+ if ((krb5_net_write(context, *((int *)fd), (char *)&response, 1)) < 0) {
+ return(problem); /* We'll return the top-level problem */
+ }
+ if (problem)
+ return(problem);
/* We are clear of errors here */
@@ -121,9 +122,9 @@ recvauth_common(krb5_context context,
return retval;
if (*auth_context == NULL) {
- problem = krb5_auth_con_init(context, &new_auth_context);
- *auth_context = new_auth_context;
- local_authcon = 1;
+ problem = krb5_auth_con_init(context, &new_auth_context);
+ *auth_context = new_auth_context;
+ local_authcon = 1;
}
krb5_auth_con_getrcache(context, *auth_context, &rcache);
if ((!problem) && rcache == NULL) {
@@ -131,93 +132,93 @@ recvauth_common(krb5_context context,
* Setup the replay cache.
*/
if (server) {
- problem = krb5_get_server_rcache(context,
- krb5_princ_component(context, server, 0), &rcache);
+ problem = krb5_get_server_rcache(context,
+ krb5_princ_component(context, server, 0), &rcache);
} else {
- null_server.length = 7;
- null_server.data = "default";
- problem = krb5_get_server_rcache(context, &null_server, &rcache);
+ null_server.length = 7;
+ null_server.data = "default";
+ problem = krb5_get_server_rcache(context, &null_server, &rcache);
}
- if (!problem)
- problem = krb5_auth_con_setrcache(context, *auth_context, rcache);
- local_rcache = 1;
+ if (!problem)
+ problem = krb5_auth_con_setrcache(context, *auth_context, rcache);
+ local_rcache = 1;
}
if (!problem) {
- problem = krb5_rd_req(context, auth_context, &inbuf, server,
- keytab, &ap_option, ticket);
- free(inbuf.data);
+ problem = krb5_rd_req(context, auth_context, &inbuf, server,
+ keytab, &ap_option, ticket);
+ free(inbuf.data);
}
-
+
/*
* If there was a problem, send back a krb5_error message,
* preceeded by the length of the krb5_error message. If
* everything's ok, send back 0 for the length.
*/
if (problem) {
- krb5_error error;
- const char *message;
-
- memset(&error, 0, sizeof(error));
- krb5_us_timeofday(context, &error.stime, &error.susec);
- if(server)
- error.server = server;
- else {
- /* If this fails - ie. ENOMEM we are hosed
- we cannot even send the error if we wanted to... */
- (void) krb5_parse_name(context, "????", &error.server);
- need_error_free = 1;
- }
-
- error.error = problem - ERROR_TABLE_BASE_krb5;
- if (error.error > 127)
- error.error = KRB_ERR_GENERIC;
- message = error_message(problem);
- error.text.length = strlen(message) + 1;
- error.text.data = strdup(message);
- if (!error.text.data) {
- retval = ENOMEM;
- goto cleanup;
- }
- if ((retval = krb5_mk_error(context, &error, &outbuf))) {
- free(error.text.data);
- goto cleanup;
- }
- free(error.text.data);
- if(need_error_free)
- krb5_free_principal(context, error.server);
+ krb5_error error;
+ const char *message;
+
+ memset(&error, 0, sizeof(error));
+ krb5_us_timeofday(context, &error.stime, &error.susec);
+ if(server)
+ error.server = server;
+ else {
+ /* If this fails - ie. ENOMEM we are hosed
+ we cannot even send the error if we wanted to... */
+ (void) krb5_parse_name(context, "????", &error.server);
+ need_error_free = 1;
+ }
+
+ error.error = problem - ERROR_TABLE_BASE_krb5;
+ if (error.error > 127)
+ error.error = KRB_ERR_GENERIC;
+ message = error_message(problem);
+ error.text.length = strlen(message) + 1;
+ error.text.data = strdup(message);
+ if (!error.text.data) {
+ retval = ENOMEM;
+ goto cleanup;
+ }
+ if ((retval = krb5_mk_error(context, &error, &outbuf))) {
+ free(error.text.data);
+ goto cleanup;
+ }
+ free(error.text.data);
+ if(need_error_free)
+ krb5_free_principal(context, error.server);
} else {
- outbuf.length = 0;
- outbuf.data = 0;
+ outbuf.length = 0;
+ outbuf.data = 0;
}
retval = krb5_write_message(context, fd, &outbuf);
if (outbuf.data) {
- free(outbuf.data);
- /* We sent back an error, we need cleanup then return */
- retval = problem;
- goto cleanup;
+ free(outbuf.data);
+ /* We sent back an error, we need cleanup then return */
+ retval = problem;
+ goto cleanup;
}
if (retval)
- goto cleanup;
+ goto cleanup;
/* Here lies the mutual authentication stuff... */
if ((ap_option & AP_OPTS_MUTUAL_REQUIRED)) {
- if ((retval = krb5_mk_rep(context, *auth_context, &outbuf))) {
- return(retval);
- }
- retval = krb5_write_message(context, fd, &outbuf);
- free(outbuf.data);
+ if ((retval = krb5_mk_rep(context, *auth_context, &outbuf))) {
+ return(retval);
+ }
+ retval = krb5_write_message(context, fd, &outbuf);
+ free(outbuf.data);
}
cleanup:;
if (retval) {
- if (local_authcon) {
- krb5_auth_con_free(context, *auth_context);
- } else if (local_rcache && rcache != NULL) {
- krb5_rc_close(context, rcache);
- krb5_auth_con_setrcache(context, *auth_context, NULL);
- }
+ if (local_authcon) {
+ krb5_auth_con_free(context, *auth_context);
+ } else if (local_rcache && rcache != NULL) {
+ krb5_rc_close(context, rcache);
+ krb5_auth_con_setrcache(context, *auth_context, NULL);
+ }
}
return retval;
}
@@ -226,21 +227,21 @@ krb5_error_code KRB5_CALLCONV
krb5_recvauth(krb5_context context, krb5_auth_context *auth_context, krb5_pointer fd, char *appl_version, krb5_principal server, krb5_int32 flags, krb5_keytab keytab, krb5_ticket **ticket)
{
return recvauth_common (context, auth_context, fd, appl_version,
- server, flags, keytab, ticket, 0);
+ server, flags, keytab, ticket, 0);
}
krb5_error_code KRB5_CALLCONV
krb5_recvauth_version(krb5_context context,
- krb5_auth_context *auth_context,
- /* IN */
- krb5_pointer fd,
- krb5_principal server,
- krb5_int32 flags,
- krb5_keytab keytab,
- /* OUT */
- krb5_ticket **ticket,
- krb5_data *version)
+ krb5_auth_context *auth_context,
+ /* IN */
+ krb5_pointer fd,
+ krb5_principal server,
+ krb5_int32 flags,
+ krb5_keytab keytab,
+ /* OUT */
+ krb5_ticket **ticket,
+ krb5_data *version)
{
return recvauth_common (context, auth_context, fd, 0,
- server, flags, keytab, ticket, version);
+ server, flags, keytab, ticket, version);
}
diff --git a/src/lib/krb5/krb/s4u_creds.c b/src/lib/krb5/krb/s4u_creds.c
index a7e519902..473386576 100644
--- a/src/lib/krb5/krb/s4u_creds.c
+++ b/src/lib/krb5/krb/s4u_creds.c
@@ -1,4 +1,4 @@
-/* -*- mode: c; indent-tabs-mode: nil -*- */
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/s4u_creds.c
*
@@ -79,7 +79,7 @@ s4u_identify_user(krb5_context context,
if (in_creds->client != NULL &&
krb5_princ_type(context, in_creds->client) !=
- KRB5_NT_ENTERPRISE_PRINCIPAL)
+ KRB5_NT_ENTERPRISE_PRINCIPAL)
/* we already know the realm of the user */
return krb5_copy_principal(context, in_creds->client, canon_user);
@@ -420,7 +420,7 @@ verify_s4u2self_reply(krb5_context context,
if (not_newer) {
if (enc_s4u_padata == NULL) {
if (rep_s4u_user->user_id.options &
- KRB5_S4U_OPTS_USE_REPLY_KEY_USAGE) {
+ KRB5_S4U_OPTS_USE_REPLY_KEY_USAGE) {
code = KRB5_KDCREP_MODIFIED;
goto cleanup;
}
diff --git a/src/lib/krb5/krb/send_tgs.c b/src/lib/krb5/krb/send_tgs.c
index eee47ed57..398855009 100644
--- a/src/lib/krb5/krb/send_tgs.c
+++ b/src/lib/krb5/krb/send_tgs.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/send_tgs.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_send_tgs()
*/
@@ -30,27 +31,27 @@
#include "k5-int.h"
/*
-Constructs a TGS request
- options is used for the options in the KRB_TGS_REQ.
- timestruct values are used for from, till, rtime " " "
- enctype is used for enctype " " ", and to encrypt the authorization data,
- sname is used for sname " " "
- addrs, if non-NULL, is used for addresses " " "
- authorization_dat, if non-NULL, is used for authorization_dat " " "
- second_ticket, if required by options, is used for the 2nd ticket in the req.
- in_cred is used for the ticket & session key in the KRB_AP_REQ header " " "
- (the KDC realm is extracted from in_cred->server's realm)
-
- The response is placed into *rep.
- rep->response.data is set to point at allocated storage which should be
- freed by the caller when finished.
-
- returns system errors
- */
-static krb5_error_code
+ Constructs a TGS request
+ options is used for the options in the KRB_TGS_REQ.
+ timestruct values are used for from, till, rtime " " "
+ enctype is used for enctype " " ", and to encrypt the authorization data,
+ sname is used for sname " " "
+ addrs, if non-NULL, is used for addresses " " "
+ authorization_dat, if non-NULL, is used for authorization_dat " " "
+ second_ticket, if required by options, is used for the 2nd ticket in the req.
+ in_cred is used for the ticket & session key in the KRB_AP_REQ header " " "
+ (the KDC realm is extracted from in_cred->server's realm)
+
+ The response is placed into *rep.
+ rep->response.data is set to point at allocated storage which should be
+ freed by the caller when finished.
+
+ returns system errors
+*/
+static krb5_error_code
tgs_construct_tgsreq(krb5_context context, krb5_data *in_data,
- krb5_creds *in_cred, krb5_data *outbuf, krb5_keyblock *subkey)
-{
+ krb5_creds *in_cred, krb5_data *outbuf, krb5_keyblock *subkey)
+{
krb5_cksumtype cksumtype;
krb5_error_code retval;
krb5_checksum checksum;
@@ -70,19 +71,19 @@ tgs_construct_tgsreq(krb5_context context, krb5_data *in_data,
case ENCTYPE_DES_CBC_MD5:
case ENCTYPE_ARCFOUR_HMAC:
case ENCTYPE_ARCFOUR_HMAC_EXP:
- cksumtype = context->kdc_req_sumtype;
- break;
+ cksumtype = context->kdc_req_sumtype;
+ break;
default:
- retval = krb5int_c_mandatory_cksumtype(context, in_cred->keyblock.enctype, &cksumtype);
- if (retval)
- goto cleanup;
+ retval = krb5int_c_mandatory_cksumtype(context, in_cred->keyblock.enctype, &cksumtype);
+ if (retval)
+ goto cleanup;
}
/* Generate checksum */
if ((retval = krb5_c_make_checksum(context, cksumtype,
- &in_cred->keyblock,
- KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM,
- in_data, &checksum))) {
+ &in_cred->keyblock,
+ KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM,
+ in_data, &checksum))) {
free(checksum.contents);
goto cleanup;
}
@@ -94,7 +95,7 @@ tgs_construct_tgsreq(krb5_context context, krb5_data *in_data,
authent.client = in_cred->client;
authent.authorization_data = in_cred->authdata;
if ((retval = krb5_us_timeofday(context, &authent.ctime,
- &authent.cusec)))
+ &authent.cusec)))
goto cleanup;
@@ -110,10 +111,10 @@ tgs_construct_tgsreq(krb5_context context, krb5_data *in_data,
/* Cleanup scratch and scratch data */
goto cleanup;
- /* call the encryption routine */
+ /* call the encryption routine */
if ((retval = krb5_encrypt_helper(context, &in_cred->keyblock,
- KRB5_KEYUSAGE_TGS_REQ_AUTH,
- scratch, &request.authenticator)))
+ KRB5_KEYUSAGE_TGS_REQ_AUTH,
+ scratch, &request.authenticator)))
goto cleanup;
if (!(retval = encode_krb5_ap_req(&request, &toutbuf))) {
@@ -132,7 +133,7 @@ cleanup:
if (request.ticket)
krb5_free_ticket(context, request.ticket);
- if (scratch != NULL && scratch->data != NULL) {
+ if (scratch != NULL && scratch->data != NULL) {
zap(scratch->data, scratch->length);
free(scratch->data);
}
@@ -148,17 +149,17 @@ cleanup:
*/
krb5_error_code
krb5int_send_tgs(krb5_context context, krb5_flags kdcoptions,
- const krb5_ticket_times *timestruct, const krb5_enctype *ktypes,
- krb5_const_principal sname, krb5_address *const *addrs,
- krb5_authdata *const *authorization_data,
- krb5_pa_data *const *padata, const krb5_data *second_ticket,
- krb5_creds *in_cred,
- krb5_error_code (*pacb_fct)(krb5_context,
- krb5_keyblock *,
- krb5_kdc_req *,
- void *),
- void *pacb_data,
- krb5_response *rep, krb5_keyblock **subkey)
+ const krb5_ticket_times *timestruct, const krb5_enctype *ktypes,
+ krb5_const_principal sname, krb5_address *const *addrs,
+ krb5_authdata *const *authorization_data,
+ krb5_pa_data *const *padata, const krb5_data *second_ticket,
+ krb5_creds *in_cred,
+ krb5_error_code (*pacb_fct)(krb5_context,
+ krb5_keyblock *,
+ krb5_kdc_req *,
+ void *),
+ void *pacb_data,
+ krb5_response *rep, krb5_keyblock **subkey)
{
krb5_error_code retval;
krb5_kdc_req tgsreq;
@@ -174,7 +175,7 @@ krb5int_send_tgs(krb5_context context, krb5_flags kdcoptions,
assert (subkey != NULL);
*subkey = NULL;
- /*
+ /*
* in_creds MUST be a valid credential NOT just a partially filled in
* place holder for us to get credentials for the caller.
*/
@@ -196,31 +197,31 @@ krb5int_send_tgs(krb5_context context, krb5_flags kdcoptions,
rep->expected_nonce = tgsreq.nonce = (krb5_int32) time_now;
rep->request_time = time_now;
rep->message_type = KRB5_ERROR; /*caller only uses the response
- * element on successful return*/
+ * element on successful return*/
tgsreq.addresses = (krb5_address **) addrs;
/* Generate subkey*/
if ((retval = krb5_generate_subkey( context, &in_cred->keyblock,
- &local_subkey)) != 0)
+ &local_subkey)) != 0)
return retval;
if (authorization_data) {
- /* need to encrypt it in the request */
+ /* need to encrypt it in the request */
- if ((retval = encode_krb5_authdata(authorization_data, &scratch)))
- goto send_tgs_error_1;
+ if ((retval = encode_krb5_authdata(authorization_data, &scratch)))
+ goto send_tgs_error_1;
- if ((retval = krb5_encrypt_helper(context, local_subkey,
- KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY,
- scratch,
- &tgsreq.authorization_data))) {
- free(tgsreq.authorization_data.ciphertext.data);
- krb5_free_data(context, scratch);
- goto send_tgs_error_1;
- }
+ if ((retval = krb5_encrypt_helper(context, local_subkey,
+ KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY,
+ scratch,
+ &tgsreq.authorization_data))) {
+ free(tgsreq.authorization_data.ciphertext.data);
+ krb5_free_data(context, scratch);
+ goto send_tgs_error_1;
+ }
- krb5_free_data(context, scratch);
+ krb5_free_data(context, scratch);
}
/* Get the encryption types list */
@@ -255,7 +256,7 @@ krb5int_send_tgs(krb5_context context, krb5_flags kdcoptions,
/*
* Get an ap_req.
*/
- if ((retval = tgs_construct_tgsreq(context, scratch, in_cred,
+ if ((retval = tgs_construct_tgsreq(context, scratch, in_cred,
&scratch2, local_subkey))) {
krb5_free_data(context, scratch);
goto send_tgs_error_2;
@@ -332,41 +333,41 @@ krb5int_send_tgs(krb5_context context, krb5_flags kdcoptions,
send_again:
use_master = 0;
- retval = krb5_sendto_kdc(context, scratch,
- krb5_princ_realm(context, sname),
- &rep->response, &use_master, tcp_only);
+ retval = krb5_sendto_kdc(context, scratch,
+ krb5_princ_realm(context, sname),
+ &rep->response, &use_master, tcp_only);
if (retval == 0) {
if (krb5_is_krb_error(&rep->response)) {
if (!tcp_only) {
krb5_error *err_reply;
retval = decode_krb5_error(&rep->response, &err_reply);
- if (retval)
- goto send_tgs_error_3;
- if (err_reply->error == KRB_ERR_RESPONSE_TOO_BIG) {
- tcp_only = 1;
+ if (retval)
+ goto send_tgs_error_3;
+ if (err_reply->error == KRB_ERR_RESPONSE_TOO_BIG) {
+ tcp_only = 1;
+ krb5_free_error(context, err_reply);
+ free(rep->response.data);
+ rep->response.data = NULL;
+ goto send_again;
+ }
krb5_free_error(context, err_reply);
- free(rep->response.data);
- rep->response.data = NULL;
- goto send_again;
- }
- krb5_free_error(context, err_reply);
send_tgs_error_3:
;
- }
- rep->message_type = KRB5_ERROR;
- } else if (krb5_is_tgs_rep(&rep->response)) {
- rep->message_type = KRB5_TGS_REP;
- *subkey = local_subkey;
- } else /* XXX: assume it's an error */
- rep->message_type = KRB5_ERROR;
+ }
+ rep->message_type = KRB5_ERROR;
+ } else if (krb5_is_tgs_rep(&rep->response)) {
+ rep->message_type = KRB5_TGS_REP;
+ *subkey = local_subkey;
+ } else /* XXX: assume it's an error */
+ rep->message_type = KRB5_ERROR;
}
krb5_free_data(context, scratch);
-
+
send_tgs_error_2:;
if (tgsreq.padata)
krb5_free_pa_data(context, tgsreq.padata);
- if (sec_ticket)
+ if (sec_ticket)
krb5_free_ticket(context, sec_ticket);
send_tgs_error_1:;
@@ -374,13 +375,12 @@ send_tgs_error_1:;
free(tgsreq.ktype);
if (tgsreq.authorization_data.ciphertext.data) {
memset(tgsreq.authorization_data.ciphertext.data, 0,
- tgsreq.authorization_data.ciphertext.length);
+ tgsreq.authorization_data.ciphertext.length);
free(tgsreq.authorization_data.ciphertext.data);
}
if (rep->message_type != KRB5_TGS_REP && local_subkey){
krb5_free_keyblock(context, *subkey);
- }
+ }
return retval;
}
-
diff --git a/src/lib/krb5/krb/sendauth.c b/src/lib/krb5/krb/sendauth.c
index 67b9adde0..30b72b937 100644
--- a/src/lib/krb5/krb/sendauth.c
+++ b/src/lib/krb5/krb/sendauth.c
@@ -1,4 +1,4 @@
-/* -*- mode: c; indent-tabs-mode: nil -*- */
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/sendauth.c
*
diff --git a/src/lib/krb5/krb/ser_actx.c b/src/lib/krb5/krb/ser_actx.c
index 65b7e2729..ccd1e2df7 100644
--- a/src/lib/krb5/krb/ser_actx.c
+++ b/src/lib/krb5/krb/ser_actx.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/ser_actx.c
*
@@ -32,26 +33,26 @@
#include "int-proto.h"
#include "auth_con.h"
-#define TOKEN_RADDR 950916
-#define TOKEN_RPORT 950917
-#define TOKEN_LADDR 950918
-#define TOKEN_LPORT 950919
-#define TOKEN_KEYBLOCK 950920
-#define TOKEN_LSKBLOCK 950921
-#define TOKEN_RSKBLOCK 950922
+#define TOKEN_RADDR 950916
+#define TOKEN_RPORT 950917
+#define TOKEN_LADDR 950918
+#define TOKEN_LPORT 950919
+#define TOKEN_KEYBLOCK 950920
+#define TOKEN_LSKBLOCK 950921
+#define TOKEN_RSKBLOCK 950922
/*
* Routines to deal with externalizing the krb5_auth_context:
- * krb5_auth_context_size();
- * krb5_auth_context_externalize();
- * krb5_auth_context_internalize();
+ * krb5_auth_context_size();
+ * krb5_auth_context_externalize();
+ * krb5_auth_context_internalize();
*/
static krb5_error_code krb5_auth_context_size
- (krb5_context, krb5_pointer, size_t *);
+(krb5_context, krb5_pointer, size_t *);
static krb5_error_code krb5_auth_context_externalize
- (krb5_context, krb5_pointer, krb5_octet **, size_t *);
+(krb5_context, krb5_pointer, krb5_octet **, size_t *);
static krb5_error_code krb5_auth_context_internalize
- (krb5_context,krb5_pointer *, krb5_octet **, size_t *);
+(krb5_context,krb5_pointer *, krb5_octet **, size_t *);
/*
* Other metadata serialization initializers.
@@ -59,289 +60,289 @@ static krb5_error_code krb5_auth_context_internalize
/* Local data */
static const krb5_ser_entry krb5_auth_context_ser_entry = {
- KV5M_AUTH_CONTEXT, /* Type */
- krb5_auth_context_size, /* Sizer routine */
- krb5_auth_context_externalize, /* Externalize routine */
- krb5_auth_context_internalize /* Internalize routine */
+ KV5M_AUTH_CONTEXT, /* Type */
+ krb5_auth_context_size, /* Sizer routine */
+ krb5_auth_context_externalize, /* Externalize routine */
+ krb5_auth_context_internalize /* Internalize routine */
};
/*
- * krb5_auth_context_size() - Determine the size required to externalize
- * the krb5_auth_context.
+ * krb5_auth_context_size() - Determine the size required to externalize
+ * the krb5_auth_context.
*/
static krb5_error_code
krb5_auth_context_size(krb5_context kcontext, krb5_pointer arg, size_t *sizep)
{
- krb5_error_code kret;
- krb5_auth_context auth_context;
- size_t required;
- krb5_enctype enctype;
+ krb5_error_code kret;
+ krb5_auth_context auth_context;
+ size_t required;
+ krb5_enctype enctype;
/*
* krb5_auth_context requires at minimum:
- * krb5_int32 for KV5M_AUTH_CONTEXT
- * krb5_int32 for auth_context_flags
- * krb5_int32 for remote_seq_number
- * krb5_int32 for local_seq_number
- * krb5_int32 for req_cksumtype
- * krb5_int32 for safe_cksumtype
- * krb5_int32 for size of i_vector
- * krb5_int32 for KV5M_AUTH_CONTEXT
+ * krb5_int32 for KV5M_AUTH_CONTEXT
+ * krb5_int32 for auth_context_flags
+ * krb5_int32 for remote_seq_number
+ * krb5_int32 for local_seq_number
+ * krb5_int32 for req_cksumtype
+ * krb5_int32 for safe_cksumtype
+ * krb5_int32 for size of i_vector
+ * krb5_int32 for KV5M_AUTH_CONTEXT
*/
kret = EINVAL;
if ((auth_context = (krb5_auth_context) arg)) {
- kret = 0;
-
- /* Calculate size required by i_vector - ptooey */
- if (auth_context->i_vector && auth_context->key) {
- enctype = krb5_k_key_enctype(kcontext, auth_context->key);
- kret = krb5_c_block_size(kcontext, enctype, &required);
- } else {
- required = 0;
- }
-
- required += sizeof(krb5_int32)*8;
-
- /* Calculate size required by remote_addr, if appropriate */
- if (!kret && auth_context->remote_addr) {
- kret = krb5_size_opaque(kcontext,
- KV5M_ADDRESS,
- (krb5_pointer) auth_context->remote_addr,
- &required);
- if (!kret)
- required += sizeof(krb5_int32);
- }
-
- /* Calculate size required by remote_port, if appropriate */
- if (!kret && auth_context->remote_port) {
- kret = krb5_size_opaque(kcontext,
- KV5M_ADDRESS,
- (krb5_pointer) auth_context->remote_port,
- &required);
- if (!kret)
- required += sizeof(krb5_int32);
- }
-
- /* Calculate size required by local_addr, if appropriate */
- if (!kret && auth_context->local_addr) {
- kret = krb5_size_opaque(kcontext,
- KV5M_ADDRESS,
- (krb5_pointer) auth_context->local_addr,
- &required);
- if (!kret)
- required += sizeof(krb5_int32);
- }
-
- /* Calculate size required by local_port, if appropriate */
- if (!kret && auth_context->local_port) {
- kret = krb5_size_opaque(kcontext,
- KV5M_ADDRESS,
- (krb5_pointer) auth_context->local_port,
- &required);
- if (!kret)
- required += sizeof(krb5_int32);
- }
-
- /* Calculate size required by key, if appropriate */
- if (!kret && auth_context->key) {
- kret = krb5_size_opaque(kcontext,
- KV5M_KEYBLOCK, (krb5_pointer)
- &auth_context->key->keyblock,
- &required);
- if (!kret)
- required += sizeof(krb5_int32);
- }
-
- /* Calculate size required by send_subkey, if appropriate */
- if (!kret && auth_context->send_subkey) {
- kret = krb5_size_opaque(kcontext,
- KV5M_KEYBLOCK, (krb5_pointer)
- &auth_context->send_subkey->keyblock,
- &required);
- if (!kret)
- required += sizeof(krb5_int32);
- }
-
- /* Calculate size required by recv_subkey, if appropriate */
- if (!kret && auth_context->recv_subkey) {
- kret = krb5_size_opaque(kcontext,
- KV5M_KEYBLOCK, (krb5_pointer)
- &auth_context->recv_subkey->keyblock,
- &required);
- if (!kret)
- required += sizeof(krb5_int32);
- }
-
- /* Calculate size required by authentp, if appropriate */
- if (!kret && auth_context->authentp)
- kret = krb5_size_opaque(kcontext,
- KV5M_AUTHENTICATOR,
- (krb5_pointer) auth_context->authentp,
- &required);
+ kret = 0;
+
+ /* Calculate size required by i_vector - ptooey */
+ if (auth_context->i_vector && auth_context->key) {
+ enctype = krb5_k_key_enctype(kcontext, auth_context->key);
+ kret = krb5_c_block_size(kcontext, enctype, &required);
+ } else {
+ required = 0;
+ }
+
+ required += sizeof(krb5_int32)*8;
+
+ /* Calculate size required by remote_addr, if appropriate */
+ if (!kret && auth_context->remote_addr) {
+ kret = krb5_size_opaque(kcontext,
+ KV5M_ADDRESS,
+ (krb5_pointer) auth_context->remote_addr,
+ &required);
+ if (!kret)
+ required += sizeof(krb5_int32);
+ }
+
+ /* Calculate size required by remote_port, if appropriate */
+ if (!kret && auth_context->remote_port) {
+ kret = krb5_size_opaque(kcontext,
+ KV5M_ADDRESS,
+ (krb5_pointer) auth_context->remote_port,
+ &required);
+ if (!kret)
+ required += sizeof(krb5_int32);
+ }
+
+ /* Calculate size required by local_addr, if appropriate */
+ if (!kret && auth_context->local_addr) {
+ kret = krb5_size_opaque(kcontext,
+ KV5M_ADDRESS,
+ (krb5_pointer) auth_context->local_addr,
+ &required);
+ if (!kret)
+ required += sizeof(krb5_int32);
+ }
+
+ /* Calculate size required by local_port, if appropriate */
+ if (!kret && auth_context->local_port) {
+ kret = krb5_size_opaque(kcontext,
+ KV5M_ADDRESS,
+ (krb5_pointer) auth_context->local_port,
+ &required);
+ if (!kret)
+ required += sizeof(krb5_int32);
+ }
+
+ /* Calculate size required by key, if appropriate */
+ if (!kret && auth_context->key) {
+ kret = krb5_size_opaque(kcontext,
+ KV5M_KEYBLOCK, (krb5_pointer)
+ &auth_context->key->keyblock,
+ &required);
+ if (!kret)
+ required += sizeof(krb5_int32);
+ }
+
+ /* Calculate size required by send_subkey, if appropriate */
+ if (!kret && auth_context->send_subkey) {
+ kret = krb5_size_opaque(kcontext,
+ KV5M_KEYBLOCK, (krb5_pointer)
+ &auth_context->send_subkey->keyblock,
+ &required);
+ if (!kret)
+ required += sizeof(krb5_int32);
+ }
+
+ /* Calculate size required by recv_subkey, if appropriate */
+ if (!kret && auth_context->recv_subkey) {
+ kret = krb5_size_opaque(kcontext,
+ KV5M_KEYBLOCK, (krb5_pointer)
+ &auth_context->recv_subkey->keyblock,
+ &required);
+ if (!kret)
+ required += sizeof(krb5_int32);
+ }
+
+ /* Calculate size required by authentp, if appropriate */
+ if (!kret && auth_context->authentp)
+ kret = krb5_size_opaque(kcontext,
+ KV5M_AUTHENTICATOR,
+ (krb5_pointer) auth_context->authentp,
+ &required);
}
if (!kret)
- *sizep += required;
+ *sizep += required;
return(kret);
}
/*
- * krb5_auth_context_externalize() - Externalize the krb5_auth_context.
+ * krb5_auth_context_externalize() - Externalize the krb5_auth_context.
*/
static krb5_error_code
krb5_auth_context_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet **buffer, size_t *lenremain)
{
- krb5_error_code kret;
- krb5_auth_context auth_context;
- size_t required;
- krb5_octet *bp;
- size_t remain;
+ krb5_error_code kret;
+ krb5_auth_context auth_context;
+ size_t required;
+ krb5_octet *bp;
+ size_t remain;
size_t obuf;
- krb5_int32 obuf32;
- krb5_enctype enctype;
+ krb5_int32 obuf32;
+ krb5_enctype enctype;
required = 0;
bp = *buffer;
remain = *lenremain;
kret = EINVAL;
if ((auth_context = (krb5_auth_context) arg)) {
- kret = ENOMEM;
- if (!krb5_auth_context_size(kcontext, arg, &required) &&
- (required <= remain)) {
-
- /* Write fixed portion */
- (void) krb5_ser_pack_int32(KV5M_AUTH_CONTEXT, &bp, &remain);
- (void) krb5_ser_pack_int32(auth_context->auth_context_flags,
- &bp, &remain);
- (void) krb5_ser_pack_int32(auth_context->remote_seq_number,
- &bp, &remain);
- (void) krb5_ser_pack_int32(auth_context->local_seq_number,
- &bp, &remain);
- (void) krb5_ser_pack_int32((krb5_int32) auth_context->req_cksumtype,
- &bp, &remain);
- (void) krb5_ser_pack_int32((krb5_int32) auth_context->safe_cksumtype,
- &bp, &remain);
-
- kret = 0;
-
- /* Now figure out the number of bytes for i_vector and write it */
- if (auth_context->i_vector) {
- enctype = krb5_k_key_enctype(kcontext, auth_context->key);
- kret = krb5_c_block_size(kcontext, enctype, &obuf);
- } else {
- obuf = 0;
- }
-
- /* Convert to signed 32 bit integer */
- obuf32 = obuf;
- if (kret == 0 && obuf != obuf32)
- kret = EINVAL;
- if (!kret)
- (void) krb5_ser_pack_int32(obuf32, &bp, &remain);
-
- /* Now copy i_vector */
- if (!kret && auth_context->i_vector)
- (void) krb5_ser_pack_bytes(auth_context->i_vector,
- obuf,
- &bp, &remain);
-
- /* Now handle remote_addr, if appropriate */
- if (!kret && auth_context->remote_addr) {
- (void) krb5_ser_pack_int32(TOKEN_RADDR, &bp, &remain);
- kret = krb5_externalize_opaque(kcontext,
- KV5M_ADDRESS,
- (krb5_pointer)
- auth_context->remote_addr,
- &bp,
- &remain);
- }
-
- /* Now handle remote_port, if appropriate */
- if (!kret && auth_context->remote_port) {
- (void) krb5_ser_pack_int32(TOKEN_RPORT, &bp, &remain);
- kret = krb5_externalize_opaque(kcontext,
- KV5M_ADDRESS,
- (krb5_pointer)
- auth_context->remote_addr,
- &bp,
- &remain);
- }
-
- /* Now handle local_addr, if appropriate */
- if (!kret && auth_context->local_addr) {
- (void) krb5_ser_pack_int32(TOKEN_LADDR, &bp, &remain);
- kret = krb5_externalize_opaque(kcontext,
- KV5M_ADDRESS,
- (krb5_pointer)
- auth_context->local_addr,
- &bp,
- &remain);
- }
-
- /* Now handle local_port, if appropriate */
- if (!kret && auth_context->local_port) {
- (void) krb5_ser_pack_int32(TOKEN_LPORT, &bp, &remain);
- kret = krb5_externalize_opaque(kcontext,
- KV5M_ADDRESS,
- (krb5_pointer)
- auth_context->local_addr,
- &bp,
- &remain);
- }
-
- /* Now handle keyblock, if appropriate */
- if (!kret && auth_context->key) {
- (void) krb5_ser_pack_int32(TOKEN_KEYBLOCK, &bp, &remain);
- kret = krb5_externalize_opaque(kcontext,
- KV5M_KEYBLOCK,
- (krb5_pointer)
- &auth_context->key->keyblock,
- &bp,
- &remain);
- }
-
- /* Now handle subkey, if appropriate */
- if (!kret && auth_context->send_subkey) {
- (void) krb5_ser_pack_int32(TOKEN_LSKBLOCK, &bp, &remain);
- kret = krb5_externalize_opaque(kcontext,
- KV5M_KEYBLOCK,
- (krb5_pointer) &auth_context->
- send_subkey->keyblock,
- &bp,
- &remain);
- }
-
- /* Now handle subkey, if appropriate */
- if (!kret && auth_context->recv_subkey) {
- (void) krb5_ser_pack_int32(TOKEN_RSKBLOCK, &bp, &remain);
- kret = krb5_externalize_opaque(kcontext,
- KV5M_KEYBLOCK,
- (krb5_pointer) &auth_context->
- recv_subkey->keyblock,
- &bp,
- &remain);
- }
-
- /* Now handle authentp, if appropriate */
- if (!kret && auth_context->authentp)
- kret = krb5_externalize_opaque(kcontext,
- KV5M_AUTHENTICATOR,
- (krb5_pointer)
- auth_context->authentp,
- &bp,
- &remain);
-
- /*
- * If we were successful, write trailer then update the pointer and
- * remaining length;
- */
- if (!kret) {
- /* Write our trailer */
- (void) krb5_ser_pack_int32(KV5M_AUTH_CONTEXT, &bp, &remain);
- *buffer = bp;
- *lenremain = remain;
- }
- }
+ kret = ENOMEM;
+ if (!krb5_auth_context_size(kcontext, arg, &required) &&
+ (required <= remain)) {
+
+ /* Write fixed portion */
+ (void) krb5_ser_pack_int32(KV5M_AUTH_CONTEXT, &bp, &remain);
+ (void) krb5_ser_pack_int32(auth_context->auth_context_flags,
+ &bp, &remain);
+ (void) krb5_ser_pack_int32(auth_context->remote_seq_number,
+ &bp, &remain);
+ (void) krb5_ser_pack_int32(auth_context->local_seq_number,
+ &bp, &remain);
+ (void) krb5_ser_pack_int32((krb5_int32) auth_context->req_cksumtype,
+ &bp, &remain);
+ (void) krb5_ser_pack_int32((krb5_int32) auth_context->safe_cksumtype,
+ &bp, &remain);
+
+ kret = 0;
+
+ /* Now figure out the number of bytes for i_vector and write it */
+ if (auth_context->i_vector) {
+ enctype = krb5_k_key_enctype(kcontext, auth_context->key);
+ kret = krb5_c_block_size(kcontext, enctype, &obuf);
+ } else {
+ obuf = 0;
+ }
+
+ /* Convert to signed 32 bit integer */
+ obuf32 = obuf;
+ if (kret == 0 && obuf != obuf32)
+ kret = EINVAL;
+ if (!kret)
+ (void) krb5_ser_pack_int32(obuf32, &bp, &remain);
+
+ /* Now copy i_vector */
+ if (!kret && auth_context->i_vector)
+ (void) krb5_ser_pack_bytes(auth_context->i_vector,
+ obuf,
+ &bp, &remain);
+
+ /* Now handle remote_addr, if appropriate */
+ if (!kret && auth_context->remote_addr) {
+ (void) krb5_ser_pack_int32(TOKEN_RADDR, &bp, &remain);
+ kret = krb5_externalize_opaque(kcontext,
+ KV5M_ADDRESS,
+ (krb5_pointer)
+ auth_context->remote_addr,
+ &bp,
+ &remain);
+ }
+
+ /* Now handle remote_port, if appropriate */
+ if (!kret && auth_context->remote_port) {
+ (void) krb5_ser_pack_int32(TOKEN_RPORT, &bp, &remain);
+ kret = krb5_externalize_opaque(kcontext,
+ KV5M_ADDRESS,
+ (krb5_pointer)
+ auth_context->remote_addr,
+ &bp,
+ &remain);
+ }
+
+ /* Now handle local_addr, if appropriate */
+ if (!kret && auth_context->local_addr) {
+ (void) krb5_ser_pack_int32(TOKEN_LADDR, &bp, &remain);
+ kret = krb5_externalize_opaque(kcontext,
+ KV5M_ADDRESS,
+ (krb5_pointer)
+ auth_context->local_addr,
+ &bp,
+ &remain);
+ }
+
+ /* Now handle local_port, if appropriate */
+ if (!kret && auth_context->local_port) {
+ (void) krb5_ser_pack_int32(TOKEN_LPORT, &bp, &remain);
+ kret = krb5_externalize_opaque(kcontext,
+ KV5M_ADDRESS,
+ (krb5_pointer)
+ auth_context->local_addr,
+ &bp,
+ &remain);
+ }
+
+ /* Now handle keyblock, if appropriate */
+ if (!kret && auth_context->key) {
+ (void) krb5_ser_pack_int32(TOKEN_KEYBLOCK, &bp, &remain);
+ kret = krb5_externalize_opaque(kcontext,
+ KV5M_KEYBLOCK,
+ (krb5_pointer)
+ &auth_context->key->keyblock,
+ &bp,
+ &remain);
+ }
+
+ /* Now handle subkey, if appropriate */
+ if (!kret && auth_context->send_subkey) {
+ (void) krb5_ser_pack_int32(TOKEN_LSKBLOCK, &bp, &remain);
+ kret = krb5_externalize_opaque(kcontext,
+ KV5M_KEYBLOCK,
+ (krb5_pointer) &auth_context->
+ send_subkey->keyblock,
+ &bp,
+ &remain);
+ }
+
+ /* Now handle subkey, if appropriate */
+ if (!kret && auth_context->recv_subkey) {
+ (void) krb5_ser_pack_int32(TOKEN_RSKBLOCK, &bp, &remain);
+ kret = krb5_externalize_opaque(kcontext,
+ KV5M_KEYBLOCK,
+ (krb5_pointer) &auth_context->
+ recv_subkey->keyblock,
+ &bp,
+ &remain);
+ }
+
+ /* Now handle authentp, if appropriate */
+ if (!kret && auth_context->authentp)
+ kret = krb5_externalize_opaque(kcontext,
+ KV5M_AUTHENTICATOR,
+ (krb5_pointer)
+ auth_context->authentp,
+ &bp,
+ &remain);
+
+ /*
+ * If we were successful, write trailer then update the pointer and
+ * remaining length;
+ */
+ if (!kret) {
+ /* Write our trailer */
+ (void) krb5_ser_pack_int32(KV5M_AUTH_CONTEXT, &bp, &remain);
+ *buffer = bp;
+ *lenremain = remain;
+ }
+ }
}
return(kret);
}
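Review bot: The remote_port and local_port branches of krb5_auth_context_externalize serialize the wrong field: under TOKEN_RPORT the opaque passed is `auth_context->remote_addr` and under TOKEN_LPORT it is `auth_context->local_addr`, while krb5_auth_context_internalize in the next hunk stores those tokens into remote_port and local_port, so a round trip copies the address into the port slot. When a port is set but the matching address is NULL, krb5_externalize_opaque is handed a null pointer and krb5_address_externalize rejects it with EINVAL, so the whole context fails to serialize. The two lines should read `auth_context->remote_port,` in the TOKEN_RPORT block and `auth_context->local_port,` in the TOKEN_LPORT block. The commit only reindents, so this is a pre-existing defect carried into the new side.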
@@ -354,195 +355,195 @@ intern_key(krb5_context ctx, krb5_key *key, krb5_octet **bp, size_t *sp)
krb5_error_code ret;
ret = krb5_internalize_opaque(ctx, KV5M_KEYBLOCK,
- (krb5_pointer *) &keyblock, bp, sp);
+ (krb5_pointer *) &keyblock, bp, sp);
if (ret != 0)
- return ret;
+ return ret;
ret = krb5_k_create_key(ctx, keyblock, key);
krb5_free_keyblock(ctx, keyblock);
return ret;
}
/*
- * krb5_auth_context_internalize() - Internalize the krb5_auth_context.
+ * krb5_auth_context_internalize() - Internalize the krb5_auth_context.
*/
static krb5_error_code
krb5_auth_context_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet **buffer, size_t *lenremain)
{
- krb5_error_code kret;
- krb5_auth_context auth_context;
- krb5_int32 ibuf;
- krb5_octet *bp;
- size_t remain;
- krb5_int32 ivlen;
- krb5_int32 tag;
+ krb5_error_code kret;
+ krb5_auth_context auth_context;
+ krb5_int32 ibuf;
+ krb5_octet *bp;
+ size_t remain;
+ krb5_int32 ivlen;
+ krb5_int32 tag;
bp = *buffer;
remain = *lenremain;
kret = EINVAL;
/* Read our magic number */
if (krb5_ser_unpack_int32(&ibuf, &bp, &remain))
- ibuf = 0;
+ ibuf = 0;
if (ibuf == KV5M_AUTH_CONTEXT) {
- kret = ENOMEM;
-
- /* Get memory for the auth_context */
- if ((remain >= (5*sizeof(krb5_int32))) &&
- (auth_context = (krb5_auth_context)
- calloc(1, sizeof(struct _krb5_auth_context)))) {
-
- /* Get auth_context_flags */
- (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- auth_context->auth_context_flags = ibuf;
-
- /* Get remote_seq_number */
- (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- auth_context->remote_seq_number = ibuf;
-
- /* Get local_seq_number */
- (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- auth_context->local_seq_number = ibuf;
-
- /* Get req_cksumtype */
- (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- auth_context->req_cksumtype = (krb5_cksumtype) ibuf;
-
- /* Get safe_cksumtype */
- (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- auth_context->safe_cksumtype = (krb5_cksumtype) ibuf;
-
- /* Get length of i_vector */
- (void) krb5_ser_unpack_int32(&ivlen, &bp, &remain);
-
- if (ivlen) {
- if ((auth_context->i_vector =
- (krb5_pointer) malloc((size_t)ivlen)))
- kret = krb5_ser_unpack_bytes(auth_context->i_vector,
- (size_t) ivlen,
- &bp,
- &remain);
- else
- kret = ENOMEM;
- }
- else
- kret = 0;
-
- /* Peek at next token */
- tag = 0;
- if (!kret)
- kret = krb5_ser_unpack_int32(&tag, &bp, &remain);
-
- /* This is the remote_addr */
- if (!kret && (tag == TOKEN_RADDR)) {
- if (!(kret = krb5_internalize_opaque(kcontext,
- KV5M_ADDRESS,
- (krb5_pointer *)
- &auth_context->
- remote_addr,
- &bp,
- &remain)))
- kret = krb5_ser_unpack_int32(&tag, &bp, &remain);
- }
-
- /* This is the remote_port */
- if (!kret && (tag == TOKEN_RPORT)) {
- if (!(kret = krb5_internalize_opaque(kcontext,
- KV5M_ADDRESS,
- (krb5_pointer *)
- &auth_context->
- remote_port,
- &bp,
- &remain)))
- kret = krb5_ser_unpack_int32(&tag, &bp, &remain);
- }
-
- /* This is the local_addr */
- if (!kret && (tag == TOKEN_LADDR)) {
- if (!(kret = krb5_internalize_opaque(kcontext,
- KV5M_ADDRESS,
- (krb5_pointer *)
- &auth_context->
- local_addr,
- &bp,
- &remain)))
- kret = krb5_ser_unpack_int32(&tag, &bp, &remain);
- }
-
- /* This is the local_port */
- if (!kret && (tag == TOKEN_LPORT)) {
- if (!(kret = krb5_internalize_opaque(kcontext,
- KV5M_ADDRESS,
- (krb5_pointer *)
- &auth_context->
- local_port,
- &bp,
- &remain)))
- kret = krb5_ser_unpack_int32(&tag, &bp, &remain);
- }
-
- /* This is the keyblock */
- if (!kret && (tag == TOKEN_KEYBLOCK)) {
- if (!(kret = intern_key(kcontext,
- &auth_context->key,
- &bp,
- &remain)))
- kret = krb5_ser_unpack_int32(&tag, &bp, &remain);
- }
-
- /* This is the send_subkey */
- if (!kret && (tag == TOKEN_LSKBLOCK)) {
- if (!(kret = intern_key(kcontext,
- &auth_context->send_subkey,
- &bp,
- &remain)))
- kret = krb5_ser_unpack_int32(&tag, &bp, &remain);
- }
-
- /* This is the recv_subkey */
- if (!kret) {
- if (tag == TOKEN_RSKBLOCK) {
- kret = intern_key(kcontext,
- &auth_context->recv_subkey,
- &bp,
- &remain);
- }
- else {
- /*
- * We read the next tag, but it's not of any use here, so
- * we effectively 'unget' it here.
- */
- bp -= sizeof(krb5_int32);
- remain += sizeof(krb5_int32);
- }
- }
-
- /* Now find the authentp */
- if (!kret) {
- if ((kret = krb5_internalize_opaque(kcontext,
- KV5M_AUTHENTICATOR,
- (krb5_pointer *)
- &auth_context->authentp,
- &bp,
- &remain))) {
- if (kret == EINVAL)
- kret = 0;
- }
- }
-
- /* Finally, find the trailer */
- if (!kret) {
- kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- if (!kret && (ibuf != KV5M_AUTH_CONTEXT))
- kret = EINVAL;
- }
- if (!kret) {
- *buffer = bp;
- *lenremain = remain;
- auth_context->magic = KV5M_AUTH_CONTEXT;
- *argp = (krb5_pointer) auth_context;
- }
- else
- krb5_auth_con_free(kcontext, auth_context);
- }
+ kret = ENOMEM;
+
+ /* Get memory for the auth_context */
+ if ((remain >= (5*sizeof(krb5_int32))) &&
+ (auth_context = (krb5_auth_context)
+ calloc(1, sizeof(struct _krb5_auth_context)))) {
+
+ /* Get auth_context_flags */
+ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ auth_context->auth_context_flags = ibuf;
+
+ /* Get remote_seq_number */
+ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ auth_context->remote_seq_number = ibuf;
+
+ /* Get local_seq_number */
+ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ auth_context->local_seq_number = ibuf;
+
+ /* Get req_cksumtype */
+ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ auth_context->req_cksumtype = (krb5_cksumtype) ibuf;
+
+ /* Get safe_cksumtype */
+ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ auth_context->safe_cksumtype = (krb5_cksumtype) ibuf;
+
+ /* Get length of i_vector */
+ (void) krb5_ser_unpack_int32(&ivlen, &bp, &remain);
+
+ if (ivlen) {
+ if ((auth_context->i_vector =
+ (krb5_pointer) malloc((size_t)ivlen)))
+ kret = krb5_ser_unpack_bytes(auth_context->i_vector,
+ (size_t) ivlen,
+ &bp,
+ &remain);
+ else
+ kret = ENOMEM;
+ }
+ else
+ kret = 0;
+
+ /* Peek at next token */
+ tag = 0;
+ if (!kret)
+ kret = krb5_ser_unpack_int32(&tag, &bp, &remain);
+
+ /* This is the remote_addr */
+ if (!kret && (tag == TOKEN_RADDR)) {
+ if (!(kret = krb5_internalize_opaque(kcontext,
+ KV5M_ADDRESS,
+ (krb5_pointer *)
+ &auth_context->
+ remote_addr,
+ &bp,
+ &remain)))
+ kret = krb5_ser_unpack_int32(&tag, &bp, &remain);
+ }
+
+ /* This is the remote_port */
+ if (!kret && (tag == TOKEN_RPORT)) {
+ if (!(kret = krb5_internalize_opaque(kcontext,
+ KV5M_ADDRESS,
+ (krb5_pointer *)
+ &auth_context->
+ remote_port,
+ &bp,
+ &remain)))
+ kret = krb5_ser_unpack_int32(&tag, &bp, &remain);
+ }
+
+ /* This is the local_addr */
+ if (!kret && (tag == TOKEN_LADDR)) {
+ if (!(kret = krb5_internalize_opaque(kcontext,
+ KV5M_ADDRESS,
+ (krb5_pointer *)
+ &auth_context->
+ local_addr,
+ &bp,
+ &remain)))
+ kret = krb5_ser_unpack_int32(&tag, &bp, &remain);
+ }
+
+ /* This is the local_port */
+ if (!kret && (tag == TOKEN_LPORT)) {
+ if (!(kret = krb5_internalize_opaque(kcontext,
+ KV5M_ADDRESS,
+ (krb5_pointer *)
+ &auth_context->
+ local_port,
+ &bp,
+ &remain)))
+ kret = krb5_ser_unpack_int32(&tag, &bp, &remain);
+ }
+
+ /* This is the keyblock */
+ if (!kret && (tag == TOKEN_KEYBLOCK)) {
+ if (!(kret = intern_key(kcontext,
+ &auth_context->key,
+ &bp,
+ &remain)))
+ kret = krb5_ser_unpack_int32(&tag, &bp, &remain);
+ }
+
+ /* This is the send_subkey */
+ if (!kret && (tag == TOKEN_LSKBLOCK)) {
+ if (!(kret = intern_key(kcontext,
+ &auth_context->send_subkey,
+ &bp,
+ &remain)))
+ kret = krb5_ser_unpack_int32(&tag, &bp, &remain);
+ }
+
+ /* This is the recv_subkey */
+ if (!kret) {
+ if (tag == TOKEN_RSKBLOCK) {
+ kret = intern_key(kcontext,
+ &auth_context->recv_subkey,
+ &bp,
+ &remain);
+ }
+ else {
+ /*
+ * We read the next tag, but it's not of any use here, so
+ * we effectively 'unget' it here.
+ */
+ bp -= sizeof(krb5_int32);
+ remain += sizeof(krb5_int32);
+ }
+ }
+
+ /* Now find the authentp */
+ if (!kret) {
+ if ((kret = krb5_internalize_opaque(kcontext,
+ KV5M_AUTHENTICATOR,
+ (krb5_pointer *)
+ &auth_context->authentp,
+ &bp,
+ &remain))) {
+ if (kret == EINVAL)
+ kret = 0;
+ }
+ }
+
+ /* Finally, find the trailer */
+ if (!kret) {
+ kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ if (!kret && (ibuf != KV5M_AUTH_CONTEXT))
+ kret = EINVAL;
+ }
+ if (!kret) {
+ *buffer = bp;
+ *lenremain = remain;
+ auth_context->magic = KV5M_AUTH_CONTEXT;
+ *argp = (krb5_pointer) auth_context;
+ }
+ else
+ krb5_auth_con_free(kcontext, auth_context);
+ }
}
return(kret);
}
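Review bot: The length precheck in krb5_auth_context_internalize admits `remain >= 5*sizeof(krb5_int32)` but the fixed header then unpacks six int32 values with their return values discarded, the sixth into `ivlen`, which is declared without an initializer; if krb5_ser_unpack_int32 leaves its output untouched on a short buffer (it appears to, given how the magic-number read above is guarded), an input with exactly five words left makes the `if (ivlen)` test read an indeterminate value. `ivlen` is also signed and is cast straight to `size_t` for `malloc`, so a negative length from untrusted serialized data becomes a huge allocation rather than a parse error. Suggested change: `if ((remain >= (6*sizeof(krb5_int32))) &&` for the precheck, and after the i_vector length is unpacked `if (ivlen < 0) kret = EINVAL; else if (ivlen) {` in place of `if (ivlen) {`, so the existing ENOMEM/cleanup path frees the half-built context.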
@@ -553,23 +554,23 @@ krb5_auth_context_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_oc
krb5_error_code KRB5_CALLCONV
krb5_ser_auth_context_init(krb5_context kcontext)
{
- krb5_error_code kret;
+ krb5_error_code kret;
kret = krb5_register_serializer(kcontext, &krb5_auth_context_ser_entry);
if (!kret)
- kret = krb5_ser_authdata_init(kcontext);
+ kret = krb5_ser_authdata_init(kcontext);
if (!kret)
- kret = krb5_ser_address_init(kcontext);
+ kret = krb5_ser_address_init(kcontext);
#ifndef LEAN_CLIENT
if (!kret)
- kret = krb5_ser_authenticator_init(kcontext);
+ kret = krb5_ser_authenticator_init(kcontext);
#endif
if (!kret)
- kret = krb5_ser_checksum_init(kcontext);
+ kret = krb5_ser_checksum_init(kcontext);
if (!kret)
- kret = krb5_ser_keyblock_init(kcontext);
+ kret = krb5_ser_keyblock_init(kcontext);
if (!kret)
- kret = krb5_ser_principal_init(kcontext);
+ kret = krb5_ser_principal_init(kcontext);
if (!kret)
- kret = krb5_ser_authdata_context_init(kcontext);
+ kret = krb5_ser_authdata_context_init(kcontext);
return(kret);
}
diff --git a/src/lib/krb5/krb/ser_adata.c b/src/lib/krb5/krb/ser_adata.c
index 82d04dce1..77a76fdae 100644
--- a/src/lib/krb5/krb/ser_adata.c
+++ b/src/lib/krb5/krb/ser_adata.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/ser_adata.c
*
@@ -33,157 +34,157 @@
/*
* Routines to deal with externalizing the krb5_authdata:
- * krb5_authdata_size();
- * krb5_authdata_externalize();
- * krb5_authdata_internalize();
+ * krb5_authdata_size();
+ * krb5_authdata_externalize();
+ * krb5_authdata_internalize();
*/
static krb5_error_code krb5_authdata_size
- (krb5_context, krb5_pointer, size_t *);
+(krb5_context, krb5_pointer, size_t *);
static krb5_error_code krb5_authdata_externalize
- (krb5_context, krb5_pointer, krb5_octet **, size_t *);
+(krb5_context, krb5_pointer, krb5_octet **, size_t *);
static krb5_error_code krb5_authdata_internalize
- (krb5_context,krb5_pointer *, krb5_octet **, size_t *);
+(krb5_context,krb5_pointer *, krb5_octet **, size_t *);
/* Local data */
static const krb5_ser_entry krb5_authdata_ser_entry = {
- KV5M_AUTHDATA, /* Type */
- krb5_authdata_size, /* Sizer routine */
- krb5_authdata_externalize, /* Externalize routine */
- krb5_authdata_internalize /* Internalize routine */
+ KV5M_AUTHDATA, /* Type */
+ krb5_authdata_size, /* Sizer routine */
+ krb5_authdata_externalize, /* Externalize routine */
+ krb5_authdata_internalize /* Internalize routine */
};
/*
- * krb5_authdata_esize() - Determine the size required to externalize
- * the krb5_authdata.
+ * krb5_authdata_esize() - Determine the size required to externalize
+ * the krb5_authdata.
*/
static krb5_error_code
krb5_authdata_size(krb5_context kcontext, krb5_pointer arg, size_t *sizep)
{
- krb5_error_code kret;
- krb5_authdata *authdata;
+ krb5_error_code kret;
+ krb5_authdata *authdata;
/*
* krb5_authdata requires:
- * krb5_int32 for KV5M_AUTHDATA
- * krb5_int32 for ad_type
- * krb5_int32 for length
- * authdata->length for contents
- * krb5_int32 for KV5M_AUTHDATA
+ * krb5_int32 for KV5M_AUTHDATA
+ * krb5_int32 for ad_type
+ * krb5_int32 for length
+ * authdata->length for contents
+ * krb5_int32 for KV5M_AUTHDATA
*/
kret = EINVAL;
if ((authdata = (krb5_authdata *) arg)) {
- *sizep += (sizeof(krb5_int32) +
- sizeof(krb5_int32) +
- sizeof(krb5_int32) +
- sizeof(krb5_int32) +
- (size_t) authdata->length);
- kret = 0;
+ *sizep += (sizeof(krb5_int32) +
+ sizeof(krb5_int32) +
+ sizeof(krb5_int32) +
+ sizeof(krb5_int32) +
+ (size_t) authdata->length);
+ kret = 0;
}
return(kret);
}
/*
- * krb5_authdata_externalize() - Externalize the krb5_authdata.
+ * krb5_authdata_externalize() - Externalize the krb5_authdata.
*/
static krb5_error_code
krb5_authdata_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet **buffer, size_t *lenremain)
{
- krb5_error_code kret;
- krb5_authdata *authdata;
- size_t required;
- krb5_octet *bp;
- size_t remain;
+ krb5_error_code kret;
+ krb5_authdata *authdata;
+ size_t required;
+ krb5_octet *bp;
+ size_t remain;
required = 0;
bp = *buffer;
remain = *lenremain;
kret = EINVAL;
if ((authdata = (krb5_authdata *) arg)) {
- kret = ENOMEM;
- if (!krb5_authdata_size(kcontext, arg, &required) &&
- (required <= remain)) {
- /* Our identifier */
- (void) krb5_ser_pack_int32(KV5M_AUTHDATA, &bp, &remain);
-
- /* Our ad_type */
- (void) krb5_ser_pack_int32((krb5_int32) authdata->ad_type,
- &bp, &remain);
+ kret = ENOMEM;
+ if (!krb5_authdata_size(kcontext, arg, &required) &&
+ (required <= remain)) {
+ /* Our identifier */
+ (void) krb5_ser_pack_int32(KV5M_AUTHDATA, &bp, &remain);
- /* Our length */
- (void) krb5_ser_pack_int32((krb5_int32) authdata->length,
- &bp, &remain);
+ /* Our ad_type */
+ (void) krb5_ser_pack_int32((krb5_int32) authdata->ad_type,
+ &bp, &remain);
- /* Our contents */
- (void) krb5_ser_pack_bytes(authdata->contents,
- (size_t) authdata->length,
- &bp, &remain);
+ /* Our length */
+ (void) krb5_ser_pack_int32((krb5_int32) authdata->length,
+ &bp, &remain);
- /* Finally, our trailer */
- (void) krb5_ser_pack_int32(KV5M_AUTHDATA, &bp, &remain);
- kret = 0;
- *buffer = bp;
- *lenremain = remain;
- }
+ /* Our contents */
+ (void) krb5_ser_pack_bytes(authdata->contents,
+ (size_t) authdata->length,
+ &bp, &remain);
+
+ /* Finally, our trailer */
+ (void) krb5_ser_pack_int32(KV5M_AUTHDATA, &bp, &remain);
+ kret = 0;
+ *buffer = bp;
+ *lenremain = remain;
+ }
}
return(kret);
}
/*
- * krb5_authdata_internalize() - Internalize the krb5_authdata.
+ * krb5_authdata_internalize() - Internalize the krb5_authdata.
*/
static krb5_error_code
krb5_authdata_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet **buffer, size_t *lenremain)
{
- krb5_error_code kret;
- krb5_authdata *authdata;
- krb5_int32 ibuf;
- krb5_octet *bp;
- size_t remain;
+ krb5_error_code kret;
+ krb5_authdata *authdata;
+ krb5_int32 ibuf;
+ krb5_octet *bp;
+ size_t remain;
bp = *buffer;
remain = *lenremain;
kret = EINVAL;
/* Read our magic number */
if (krb5_ser_unpack_int32(&ibuf, &bp, &remain))
- ibuf = 0;
+ ibuf = 0;
if (ibuf == KV5M_AUTHDATA) {
- kret = ENOMEM;
+ kret = ENOMEM;
- /* Get a authdata */
- if ((remain >= (2*sizeof(krb5_int32))) &&
- (authdata = (krb5_authdata *) calloc(1, sizeof(krb5_authdata)))) {
+ /* Get a authdata */
+ if ((remain >= (2*sizeof(krb5_int32))) &&
+ (authdata = (krb5_authdata *) calloc(1, sizeof(krb5_authdata)))) {
- /* Get the ad_type */
- (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- authdata->ad_type = (krb5_authdatatype) ibuf;
+ /* Get the ad_type */
+ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ authdata->ad_type = (krb5_authdatatype) ibuf;
- /* Get the length */
- (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- authdata->length = (int) ibuf;
+ /* Get the length */
+ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ authdata->length = (int) ibuf;
- /* Get the string */
- if ((authdata->contents = (krb5_octet *)
- malloc((size_t) (ibuf))) &&
- !(kret = krb5_ser_unpack_bytes(authdata->contents,
- (size_t) ibuf,
- &bp, &remain))) {
- if ((kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain)))
- ibuf = 0;
- if (ibuf == KV5M_AUTHDATA) {
- authdata->magic = KV5M_AUTHDATA;
- *buffer = bp;
- *lenremain = remain;
- *argp = (krb5_pointer) authdata;
- }
- else
- kret = EINVAL;
- }
- if (kret) {
- if (authdata->contents)
- free(authdata->contents);
- free(authdata);
- }
- }
+ /* Get the string */
+ if ((authdata->contents = (krb5_octet *)
+ malloc((size_t) (ibuf))) &&
+ !(kret = krb5_ser_unpack_bytes(authdata->contents,
+ (size_t) ibuf,
+ &bp, &remain))) {
+ if ((kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain)))
+ ibuf = 0;
+ if (ibuf == KV5M_AUTHDATA) {
+ authdata->magic = KV5M_AUTHDATA;
+ *buffer = bp;
+ *lenremain = remain;
+ *argp = (krb5_pointer) authdata;
+ }
+ else
+ kret = EINVAL;
+ }
+ if (kret) {
+ if (authdata->contents)
+ free(authdata->contents);
+ free(authdata);
+ }
+ }
}
return(kret);
}
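Review bot: krb5_authdata_internalize takes the length word `ibuf` from the buffer as a signed krb5_int32, stores it into `authdata->length` as `int` and passes `(size_t) ibuf` to `malloc` and krb5_ser_unpack_bytes without a sign check, so a negative length from serialized input turns into a near-SIZE_MAX allocation instead of being rejected. A guard of `if (ibuf < 0) kret = EINVAL;` after the length is unpacked, with the existing `if ((authdata->contents = ...` allocation becoming the `else if` branch, lets the `if (kret)` cleanup at the bottom free the struct and report a parse error rather than ENOMEM. krb5_address_internalize in ser_addr.c likely mirrors this pattern, but that routine lies outside this view.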
diff --git a/src/lib/krb5/krb/ser_addr.c b/src/lib/krb5/krb/ser_addr.c
index 11b7f6abf..e7b642130 100644
--- a/src/lib/krb5/krb/ser_addr.c
+++ b/src/lib/krb5/krb/ser_addr.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/ser_addr.c
*
@@ -33,161 +34,161 @@
/*
* Routines to deal with externalizing the krb5_address:
- * krb5_address_size();
- * krb5_address_externalize();
- * krb5_address_internalize();
+ * krb5_address_size();
+ * krb5_address_externalize();
+ * krb5_address_internalize();
*/
static krb5_error_code krb5_address_size
- (krb5_context, krb5_pointer, size_t *);
+(krb5_context, krb5_pointer, size_t *);
static krb5_error_code krb5_address_externalize
- (krb5_context, krb5_pointer, krb5_octet **, size_t *);
+(krb5_context, krb5_pointer, krb5_octet **, size_t *);
static krb5_error_code krb5_address_internalize
- (krb5_context,krb5_pointer *, krb5_octet **, size_t *);
+(krb5_context,krb5_pointer *, krb5_octet **, size_t *);
/* Local data */
static const krb5_ser_entry krb5_address_ser_entry = {
- KV5M_ADDRESS, /* Type */
- krb5_address_size, /* Sizer routine */
- krb5_address_externalize, /* Externalize routine */
- krb5_address_internalize /* Internalize routine */
+ KV5M_ADDRESS, /* Type */
+ krb5_address_size, /* Sizer routine */
+ krb5_address_externalize, /* Externalize routine */
+ krb5_address_internalize /* Internalize routine */
};
/*
- * krb5_address_size() - Determine the size required to externalize
- * the krb5_address.
+ * krb5_address_size() - Determine the size required to externalize
+ * the krb5_address.
*/
static krb5_error_code
krb5_address_size(krb5_context kcontext, krb5_pointer arg, size_t *sizep)
{
- krb5_error_code kret;
- krb5_address *address;
+ krb5_error_code kret;
+ krb5_address *address;
/*
* krb5_address requires:
- * krb5_int32 for KV5M_ADDRESS
- * krb5_int32 for addrtype
- * krb5_int32 for length
- * address->length for contents
- * krb5_int32 for KV5M_ADDRESS
+ * krb5_int32 for KV5M_ADDRESS
+ * krb5_int32 for addrtype
+ * krb5_int32 for length
+ * address->length for contents
+ * krb5_int32 for KV5M_ADDRESS
*/
kret = EINVAL;
if ((address = (krb5_address *) arg)) {
- *sizep += (sizeof(krb5_int32) +
- sizeof(krb5_int32) +
- sizeof(krb5_int32) +
- sizeof(krb5_int32) +
- (size_t) address->length);
- kret = 0;
+ *sizep += (sizeof(krb5_int32) +
+ sizeof(krb5_int32) +
+ sizeof(krb5_int32) +
+ sizeof(krb5_int32) +
+ (size_t) address->length);
+ kret = 0;
}
return(kret);
}
/*
- * krb5_address_externalize() - Externalize the krb5_address.
+ * krb5_address_externalize() - Externalize the krb5_address.
*/
static krb5_error_code
krb5_address_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet **buffer, size_t *lenremain)
{
- krb5_error_code kret;
- krb5_address *address;
- size_t required;
- krb5_octet *bp;
- size_t remain;
+ krb5_error_code kret;
+ krb5_address *address;
+ size_t required;
+ krb5_octet *bp;
+ size_t remain;
required = 0;
bp = *buffer;
remain = *lenremain;
kret = EINVAL;
if ((address = (krb5_address *) arg)) {
- kret = ENOMEM;
- if (!krb5_address_size(kcontext, arg, &required) &&
- (required <= remain)) {
- /* Our identifier */
- (void) krb5_ser_pack_int32(KV5M_ADDRESS, &bp, &remain);
-
- /* Our addrtype */
- (void) krb5_ser_pack_int32((krb5_int32) address->addrtype,
- &bp, &remain);
-
- /* Our length */
- (void) krb5_ser_pack_int32((krb5_int32) address->length,
- &bp, &remain);
-
- /* Our contents */
- (void) krb5_ser_pack_bytes(address->contents,
- (size_t) address->length,
- &bp, &remain);
-
- /* Finally, our trailer */
- (void) krb5_ser_pack_int32(KV5M_ADDRESS, &bp, &remain);
-
- kret = 0;
- *buffer = bp;
- *lenremain = remain;
- }
+ kret = ENOMEM;
+ if (!krb5_address_size(kcontext, arg, &required) &&
+ (required <= remain)) {
+ /* Our identifier */
+ (void) krb5_ser_pack_int32(KV5M_ADDRESS, &bp, &remain);
+
+ /* Our addrtype */
+ (void) krb5_ser_pack_int32((krb5_int32) address->addrtype,
+ &bp, &remain);
+
+ /* Our length */
+ (void) krb5_ser_pack_int32((krb5_int32) address->length,
+ &bp, &remain);
+
+ /* Our contents */
+ (void) krb5_ser_pack_bytes(address->contents,
+ (size_t) address->length,
+ &bp, &remain);
+
+ /* Finally, our trailer */
+ (void) krb5_ser_pack_int32(KV5M_ADDRESS, &bp, &remain);
+
+ kret = 0;
+ *buffer = bp;
+ *lenremain = remain;
+ }
}
return(kret);
}
/*
- * krb5_address_internalize() - Internalize the krb5_address.
+ * krb5_address_internalize() - Internalize the krb5_address.
*/
static krb5_error_code
krb5_address_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet **buffer, size_t *lenremain)
{
- krb5_error_code kret;
- krb5_address *address;
- krb5_int32 ibuf;
- krb5_octet *bp;
- size_t remain;
+ krb5_error_code kret;
+ krb5_address *address;
+ krb5_int32 ibuf;
+ krb5_octet *bp;
+ size_t remain;
bp = *buffer;
remain = *lenremain;
kret = EINVAL;
/* Read our magic number */
if (krb5_ser_unpack_int32(&ibuf, &bp, &remain))
- ibuf = 0;
+ ibuf = 0;
if (ibuf == KV5M_ADDRESS) {
- kret = ENOMEM;
-
- /* Get a address */
- if ((remain >= (2*sizeof(krb5_int32))) &&
- (address = (krb5_address *) calloc(1, sizeof(krb5_address)))) {
-
- address->magic = KV5M_ADDRESS;
-
- /* Get the addrtype */
- (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- address->addrtype = (krb5_addrtype) ibuf;
-
- /* Get the length */
- (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- address->length = (int) ibuf;
-
- /* Get the string */
- if ((address->contents = (krb5_octet *) malloc((size_t) (ibuf))) &&
- !(kret = krb5_ser_unpack_bytes(address->contents,
- (size_t) ibuf,
- &bp, &remain))) {
- /* Get the trailer */
- if ((kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain)))
- ibuf = 0;
-
- if (!kret && (ibuf == KV5M_ADDRESS)) {
- address->magic = KV5M_ADDRESS;
- *buffer = bp;
- *lenremain = remain;
- *argp = (krb5_pointer) address;
- }
- else
- kret = EINVAL;
- }
- if (kret) {
- if (address->contents)
- free(address->contents);
- free(address);
- }
- }
+ kret = ENOMEM;
+
+ /* Get a address */
+ if ((remain >= (2*sizeof(krb5_int32))) &&
+ (address = (krb5_address *) calloc(1, sizeof(krb5_address)))) {
+
+ address->magic = KV5M_ADDRESS;
+
+ /* Get the addrtype */
+ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ address->addrtype = (krb5_addrtype) ibuf;
+
+ /* Get the length */
+ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ address->length = (int) ibuf;
+
+ /* Get the string */
+ if ((address->contents = (krb5_octet *) malloc((size_t) (ibuf))) &&
+ !(kret = krb5_ser_unpack_bytes(address->contents,
+ (size_t) ibuf,
+ &bp, &remain))) {
+ /* Get the trailer */
+ if ((kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain)))
+ ibuf = 0;
+
+ if (!kret && (ibuf == KV5M_ADDRESS)) {
+ address->magic = KV5M_ADDRESS;
+ *buffer = bp;
+ *lenremain = remain;
+ *argp = (krb5_pointer) address;
+ }
+ else
+ kret = EINVAL;
+ }
+ if (kret) {
+ if (address->contents)
+ free(address->contents);
+ free(address);
+ }
+ }
}
return(kret);
}
diff --git a/src/lib/krb5/krb/ser_auth.c b/src/lib/krb5/krb/ser_auth.c
index 6951f92fa..23b9b5745 100644
--- a/src/lib/krb5/krb/ser_auth.c
+++ b/src/lib/krb5/krb/ser_auth.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/ser_auth.c
*
@@ -36,305 +37,305 @@
/*
* Routines to deal with externalizing the krb5_authenticator:
- * krb5_authenticator_size();
- * krb5_authenticator_externalize();
- * krb5_authenticator_internalize();
+ * krb5_authenticator_size();
+ * krb5_authenticator_externalize();
+ * krb5_authenticator_internalize();
*/
static krb5_error_code krb5_authenticator_size
- (krb5_context, krb5_pointer, size_t *);
+(krb5_context, krb5_pointer, size_t *);
static krb5_error_code krb5_authenticator_externalize
- (krb5_context, krb5_pointer, krb5_octet **, size_t *);
+(krb5_context, krb5_pointer, krb5_octet **, size_t *);
static krb5_error_code krb5_authenticator_internalize
- (krb5_context,krb5_pointer *, krb5_octet **, size_t *);
+(krb5_context,krb5_pointer *, krb5_octet **, size_t *);
/* Local data */
static const krb5_ser_entry krb5_authenticator_ser_entry = {
- KV5M_AUTHENTICATOR, /* Type */
- krb5_authenticator_size, /* Sizer routine */
- krb5_authenticator_externalize, /* Externalize routine */
- krb5_authenticator_internalize /* Internalize routine */
+ KV5M_AUTHENTICATOR, /* Type */
+ krb5_authenticator_size, /* Sizer routine */
+ krb5_authenticator_externalize, /* Externalize routine */
+ krb5_authenticator_internalize /* Internalize routine */
};
/*
- * krb5_authenticator_size() - Determine the size required to externalize
- * the krb5_authenticator.
+ * krb5_authenticator_size() - Determine the size required to externalize
+ * the krb5_authenticator.
*/
static krb5_error_code
krb5_authenticator_size(krb5_context kcontext, krb5_pointer arg, size_t *sizep)
{
- krb5_error_code kret;
- krb5_authenticator *authenticator;
- size_t required;
+ krb5_error_code kret;
+ krb5_authenticator *authenticator;
+ size_t required;
/*
* krb5_authenticator requires at minimum:
- * krb5_int32 for KV5M_AUTHENTICATOR
- * krb5_int32 for seconds
- * krb5_int32 for cusec
- * krb5_int32 for seq_number
- * krb5_int32 for number in authorization_data array.
- * krb5_int32 for KV5M_AUTHENTICATOR
+ * krb5_int32 for KV5M_AUTHENTICATOR
+ * krb5_int32 for seconds
+ * krb5_int32 for cusec
+ * krb5_int32 for seq_number
+ * krb5_int32 for number in authorization_data array.
+ * krb5_int32 for KV5M_AUTHENTICATOR
*/
kret = EINVAL;
if ((authenticator = (krb5_authenticator *) arg)) {
- required = sizeof(krb5_int32)*6;
-
- /* Calculate size required by client, if appropriate */
- if (authenticator->client)
- kret = krb5_size_opaque(kcontext,
- KV5M_PRINCIPAL,
- (krb5_pointer) authenticator->client,
- &required);
- else
- kret = 0;
-
- /* Calculate size required by checksum, if appropriate */
- if (!kret && authenticator->checksum)
- kret = krb5_size_opaque(kcontext,
- KV5M_CHECKSUM,
- (krb5_pointer) authenticator->checksum,
- &required);
-
- /* Calculate size required by subkey, if appropriate */
- if (!kret && authenticator->subkey)
- kret = krb5_size_opaque(kcontext,
- KV5M_KEYBLOCK,
- (krb5_pointer) authenticator->subkey,
- &required);
-
- /* Calculate size required by authorization_data, if appropriate */
- if (!kret && authenticator->authorization_data) {
- int i;
-
- for (i=0; !kret && authenticator->authorization_data[i]; i++) {
- kret = krb5_size_opaque(kcontext,
- KV5M_AUTHDATA,
- (krb5_pointer) authenticator->
- authorization_data[i],
- &required);
- }
- }
+ required = sizeof(krb5_int32)*6;
+
+ /* Calculate size required by client, if appropriate */
+ if (authenticator->client)
+ kret = krb5_size_opaque(kcontext,
+ KV5M_PRINCIPAL,
+ (krb5_pointer) authenticator->client,
+ &required);
+ else
+ kret = 0;
+
+ /* Calculate size required by checksum, if appropriate */
+ if (!kret && authenticator->checksum)
+ kret = krb5_size_opaque(kcontext,
+ KV5M_CHECKSUM,
+ (krb5_pointer) authenticator->checksum,
+ &required);
+
+ /* Calculate size required by subkey, if appropriate */
+ if (!kret && authenticator->subkey)
+ kret = krb5_size_opaque(kcontext,
+ KV5M_KEYBLOCK,
+ (krb5_pointer) authenticator->subkey,
+ &required);
+
+ /* Calculate size required by authorization_data, if appropriate */
+ if (!kret && authenticator->authorization_data) {
+ int i;
+
+ for (i=0; !kret && authenticator->authorization_data[i]; i++) {
+ kret = krb5_size_opaque(kcontext,
+ KV5M_AUTHDATA,
+ (krb5_pointer) authenticator->
+ authorization_data[i],
+ &required);
+ }
+ }
}
if (!kret)
- *sizep += required;
+ *sizep += required;
return(kret);
}
/*
- * krb5_authenticator_externalize() - Externalize the krb5_authenticator.
+ * krb5_authenticator_externalize() - Externalize the krb5_authenticator.
*/
static krb5_error_code
krb5_authenticator_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet **buffer, size_t *lenremain)
{
- krb5_error_code kret;
- krb5_authenticator *authenticator;
- size_t required;
- krb5_octet *bp;
- size_t remain;
- int i;
+ krb5_error_code kret;
+ krb5_authenticator *authenticator;
+ size_t required;
+ krb5_octet *bp;
+ size_t remain;
+ int i;
required = 0;
bp = *buffer;
remain = *lenremain;
kret = EINVAL;
if ((authenticator = (krb5_authenticator *) arg)) {
- kret = ENOMEM;
- if (!krb5_authenticator_size(kcontext, arg, &required) &&
- (required <= remain)) {
- /* First write our magic number */
- (void) krb5_ser_pack_int32(KV5M_AUTHENTICATOR, &bp, &remain);
-
- /* Now ctime */
- (void) krb5_ser_pack_int32((krb5_int32) authenticator->ctime,
- &bp, &remain);
-
- /* Now cusec */
- (void) krb5_ser_pack_int32((krb5_int32) authenticator->cusec,
- &bp, &remain);
-
- /* Now seq_number */
- (void) krb5_ser_pack_int32(authenticator->seq_number,
- &bp, &remain);
-
- /* Now handle client, if appropriate */
- if (authenticator->client)
- kret = krb5_externalize_opaque(kcontext,
- KV5M_PRINCIPAL,
- (krb5_pointer)
- authenticator->client,
- &bp,
- &remain);
- else
- kret = 0;
-
- /* Now handle checksum, if appropriate */
- if (!kret && authenticator->checksum)
- kret = krb5_externalize_opaque(kcontext,
- KV5M_CHECKSUM,
- (krb5_pointer)
- authenticator->checksum,
- &bp,
- &remain);
-
- /* Now handle subkey, if appropriate */
- if (!kret && authenticator->subkey)
- kret = krb5_externalize_opaque(kcontext,
- KV5M_KEYBLOCK,
- (krb5_pointer)
- authenticator->subkey,
- &bp,
- &remain);
-
- /* Now handle authorization_data, if appropriate */
- if (!kret) {
- if (authenticator->authorization_data)
- for (i=0; authenticator->authorization_data[i]; i++);
- else
- i = 0;
- (void) krb5_ser_pack_int32((krb5_int32) i, &bp, &remain);
-
- /* Now pound out the authorization_data */
- if (authenticator->authorization_data) {
- for (i=0; !kret && authenticator->authorization_data[i];
- i++)
- kret = krb5_externalize_opaque(kcontext,
- KV5M_AUTHDATA,
- (krb5_pointer)
- authenticator->
- authorization_data[i],
- &bp,
- &remain);
- }
- }
-
- /*
- * If we were successful, write trailer then update the pointer and
- * remaining length;
- */
- if (!kret) {
- /* Write our trailer */
- (void) krb5_ser_pack_int32(KV5M_AUTHENTICATOR, &bp, &remain);
- *buffer = bp;
- *lenremain = remain;
- }
- }
+ kret = ENOMEM;
+ if (!krb5_authenticator_size(kcontext, arg, &required) &&
+ (required <= remain)) {
+ /* First write our magic number */
+ (void) krb5_ser_pack_int32(KV5M_AUTHENTICATOR, &bp, &remain);
+
+ /* Now ctime */
+ (void) krb5_ser_pack_int32((krb5_int32) authenticator->ctime,
+ &bp, &remain);
+
+ /* Now cusec */
+ (void) krb5_ser_pack_int32((krb5_int32) authenticator->cusec,
+ &bp, &remain);
+
+ /* Now seq_number */
+ (void) krb5_ser_pack_int32(authenticator->seq_number,
+ &bp, &remain);
+
+ /* Now handle client, if appropriate */
+ if (authenticator->client)
+ kret = krb5_externalize_opaque(kcontext,
+ KV5M_PRINCIPAL,
+ (krb5_pointer)
+ authenticator->client,
+ &bp,
+ &remain);
+ else
+ kret = 0;
+
+ /* Now handle checksum, if appropriate */
+ if (!kret && authenticator->checksum)
+ kret = krb5_externalize_opaque(kcontext,
+ KV5M_CHECKSUM,
+ (krb5_pointer)
+ authenticator->checksum,
+ &bp,
+ &remain);
+
+ /* Now handle subkey, if appropriate */
+ if (!kret && authenticator->subkey)
+ kret = krb5_externalize_opaque(kcontext,
+ KV5M_KEYBLOCK,
+ (krb5_pointer)
+ authenticator->subkey,
+ &bp,
+ &remain);
+
+ /* Now handle authorization_data, if appropriate */
+ if (!kret) {
+ if (authenticator->authorization_data)
+ for (i=0; authenticator->authorization_data[i]; i++);
+ else
+ i = 0;
+ (void) krb5_ser_pack_int32((krb5_int32) i, &bp, &remain);
+
+ /* Now pound out the authorization_data */
+ if (authenticator->authorization_data) {
+ for (i=0; !kret && authenticator->authorization_data[i];
+ i++)
+ kret = krb5_externalize_opaque(kcontext,
+ KV5M_AUTHDATA,
+ (krb5_pointer)
+ authenticator->
+ authorization_data[i],
+ &bp,
+ &remain);
+ }
+ }
+
+ /*
+ * If we were successful, write trailer then update the pointer and
+ * remaining length;
+ */
+ if (!kret) {
+ /* Write our trailer */
+ (void) krb5_ser_pack_int32(KV5M_AUTHENTICATOR, &bp, &remain);
+ *buffer = bp;
+ *lenremain = remain;
+ }
+ }
}
return(kret);
}
/*
- * krb5_authenticator_internalize() - Internalize the krb5_authenticator.
+ * krb5_authenticator_internalize() - Internalize the krb5_authenticator.
*/
static krb5_error_code
krb5_authenticator_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet **buffer, size_t *lenremain)
{
- krb5_error_code kret;
- krb5_authenticator *authenticator;
- krb5_int32 ibuf;
- krb5_octet *bp;
- size_t remain;
- int i;
- krb5_int32 nadata;
- size_t len;
+ krb5_error_code kret;
+ krb5_authenticator *authenticator;
+ krb5_int32 ibuf;
+ krb5_octet *bp;
+ size_t remain;
+ int i;
+ krb5_int32 nadata;
+ size_t len;
bp = *buffer;
remain = *lenremain;
kret = EINVAL;
/* Read our magic number */
if (krb5_ser_unpack_int32(&ibuf, &bp, &remain))
- ibuf = 0;
+ ibuf = 0;
if (ibuf == KV5M_AUTHENTICATOR) {
- kret = ENOMEM;
-
- /* Get memory for the authenticator */
- if ((remain >= (3*sizeof(krb5_int32))) &&
- (authenticator = (krb5_authenticator *)
- calloc(1, sizeof(krb5_authenticator)))) {
-
- /* Get ctime */
- (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- authenticator->ctime = (krb5_timestamp) ibuf;
-
- /* Get cusec */
- (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- authenticator->cusec = ibuf;
-
- /* Get seq_number */
- (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- authenticator->seq_number = ibuf;
-
- kret = 0;
-
- /* Attempt to read in the client */
- kret = krb5_internalize_opaque(kcontext,
- KV5M_PRINCIPAL,
- (krb5_pointer *)
- &authenticator->client,
- &bp,
- &remain);
- if (kret == EINVAL)
- kret = 0;
-
- /* Attempt to read in the checksum */
- if (!kret) {
- kret = krb5_internalize_opaque(kcontext,
- KV5M_CHECKSUM,
- (krb5_pointer *)
- &authenticator->checksum,
- &bp,
- &remain);
- if (kret == EINVAL)
- kret = 0;
- }
-
- /* Attempt to read in the subkey */
- if (!kret) {
- kret = krb5_internalize_opaque(kcontext,
- KV5M_KEYBLOCK,
- (krb5_pointer *)
- &authenticator->subkey,
- &bp,
- &remain);
- if (kret == EINVAL)
- kret = 0;
- }
-
- /* Attempt to read in the authorization data count */
- if (!(kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain))) {
- nadata = ibuf;
- len = (size_t) (nadata + 1);
-
- /* Get memory for the authorization data pointers */
- if ((authenticator->authorization_data = (krb5_authdata **)
- calloc(len, sizeof(krb5_authdata *)))) {
- for (i=0; !kret && (i<nadata); i++) {
- kret = krb5_internalize_opaque(kcontext,
- KV5M_AUTHDATA,
- (krb5_pointer *)
- &authenticator->
- authorization_data[i],
- &bp,
- &remain);
- }
-
- /* Finally, find the trailer */
- if (!kret) {
- kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- if (!kret && (ibuf == KV5M_AUTHENTICATOR))
- authenticator->magic = KV5M_AUTHENTICATOR;
- else
- kret = EINVAL;
- }
- }
- }
- if (!kret) {
- *buffer = bp;
- *lenremain = remain;
- *argp = (krb5_pointer) authenticator;
- }
- else
- krb5_free_authenticator(kcontext, authenticator);
- }
+ kret = ENOMEM;
+
+ /* Get memory for the authenticator */
+ if ((remain >= (3*sizeof(krb5_int32))) &&
+ (authenticator = (krb5_authenticator *)
+ calloc(1, sizeof(krb5_authenticator)))) {
+
+ /* Get ctime */
+ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ authenticator->ctime = (krb5_timestamp) ibuf;
+
+ /* Get cusec */
+ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ authenticator->cusec = ibuf;
+
+ /* Get seq_number */
+ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ authenticator->seq_number = ibuf;
+
+ kret = 0;
+
+ /* Attempt to read in the client */
+ kret = krb5_internalize_opaque(kcontext,
+ KV5M_PRINCIPAL,
+ (krb5_pointer *)
+ &authenticator->client,
+ &bp,
+ &remain);
+ if (kret == EINVAL)
+ kret = 0;
+
+ /* Attempt to read in the checksum */
+ if (!kret) {
+ kret = krb5_internalize_opaque(kcontext,
+ KV5M_CHECKSUM,
+ (krb5_pointer *)
+ &authenticator->checksum,
+ &bp,
+ &remain);
+ if (kret == EINVAL)
+ kret = 0;
+ }
+
+ /* Attempt to read in the subkey */
+ if (!kret) {
+ kret = krb5_internalize_opaque(kcontext,
+ KV5M_KEYBLOCK,
+ (krb5_pointer *)
+ &authenticator->subkey,
+ &bp,
+ &remain);
+ if (kret == EINVAL)
+ kret = 0;
+ }
+
+ /* Attempt to read in the authorization data count */
+ if (!(kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain))) {
+ nadata = ibuf;
+ len = (size_t) (nadata + 1);
+
+ /* Get memory for the authorization data pointers */
+ if ((authenticator->authorization_data = (krb5_authdata **)
+ calloc(len, sizeof(krb5_authdata *)))) {
+ for (i=0; !kret && (i<nadata); i++) {
+ kret = krb5_internalize_opaque(kcontext,
+ KV5M_AUTHDATA,
+ (krb5_pointer *)
+ &authenticator->
+ authorization_data[i],
+ &bp,
+ &remain);
+ }
+
+ /* Finally, find the trailer */
+ if (!kret) {
+ kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ if (!kret && (ibuf == KV5M_AUTHENTICATOR))
+ authenticator->magic = KV5M_AUTHENTICATOR;
+ else
+ kret = EINVAL;
+ }
+ }
+ }
+ if (!kret) {
+ *buffer = bp;
+ *lenremain = remain;
+ *argp = (krb5_pointer) authenticator;
+ }
+ else
+ krb5_free_authenticator(kcontext, authenticator);
+ }
}
return(kret);
}
diff --git a/src/lib/krb5/krb/ser_cksum.c b/src/lib/krb5/krb/ser_cksum.c
index 8d2870249..4d194c7d0 100644
--- a/src/lib/krb5/krb/ser_cksum.c
+++ b/src/lib/krb5/krb/ser_cksum.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/ser_cksum.c
*
@@ -33,159 +34,159 @@
/*
* Routines to deal with externalizing the krb5_checksum:
- * krb5_checksum_esize();
- * krb5_checksum_externalize();
- * krb5_checksum_internalize();
+ * krb5_checksum_esize();
+ * krb5_checksum_externalize();
+ * krb5_checksum_internalize();
*/
static krb5_error_code krb5_checksum_esize
- (krb5_context, krb5_pointer, size_t *);
+(krb5_context, krb5_pointer, size_t *);
static krb5_error_code krb5_checksum_externalize
- (krb5_context, krb5_pointer, krb5_octet **, size_t *);
+(krb5_context, krb5_pointer, krb5_octet **, size_t *);
static krb5_error_code krb5_checksum_internalize
- (krb5_context,krb5_pointer *, krb5_octet **, size_t *);
+(krb5_context,krb5_pointer *, krb5_octet **, size_t *);
/* Local data */
static const krb5_ser_entry krb5_checksum_ser_entry = {
- KV5M_CHECKSUM, /* Type */
- krb5_checksum_esize, /* Sizer routine */
- krb5_checksum_externalize, /* Externalize routine */
- krb5_checksum_internalize /* Internalize routine */
+ KV5M_CHECKSUM, /* Type */
+ krb5_checksum_esize, /* Sizer routine */
+ krb5_checksum_externalize, /* Externalize routine */
+ krb5_checksum_internalize /* Internalize routine */
};
/*
- * krb5_checksum_esize() - Determine the size required to externalize
- * the krb5_checksum.
+ * krb5_checksum_esize() - Determine the size required to externalize
+ * the krb5_checksum.
*/
static krb5_error_code
krb5_checksum_esize(krb5_context kcontext, krb5_pointer arg, size_t *sizep)
{
- krb5_error_code kret;
- krb5_checksum *checksum;
+ krb5_error_code kret;
+ krb5_checksum *checksum;
/*
* krb5_checksum requires:
- * krb5_int32 for KV5M_CHECKSUM
- * krb5_int32 for checksum_type
- * krb5_int32 for length
- * krb5_int32 for KV5M_CHECKSUM
- * checksum->length for contents
+ * krb5_int32 for KV5M_CHECKSUM
+ * krb5_int32 for checksum_type
+ * krb5_int32 for length
+ * krb5_int32 for KV5M_CHECKSUM
+ * checksum->length for contents
*/
kret = EINVAL;
if ((checksum = (krb5_checksum *) arg)) {
- *sizep += (sizeof(krb5_int32) +
- sizeof(krb5_int32) +
- sizeof(krb5_int32) +
- sizeof(krb5_int32) +
- (size_t) checksum->length);
- kret = 0;
+ *sizep += (sizeof(krb5_int32) +
+ sizeof(krb5_int32) +
+ sizeof(krb5_int32) +
+ sizeof(krb5_int32) +
+ (size_t) checksum->length);
+ kret = 0;
}
return(kret);
}
/*
- * krb5_checksum_externalize() - Externalize the krb5_checksum.
+ * krb5_checksum_externalize() - Externalize the krb5_checksum.
*/
static krb5_error_code
krb5_checksum_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet **buffer, size_t *lenremain)
{
- krb5_error_code kret;
- krb5_checksum *checksum;
- size_t required;
- krb5_octet *bp;
- size_t remain;
+ krb5_error_code kret;
+ krb5_checksum *checksum;
+ size_t required;
+ krb5_octet *bp;
+ size_t remain;
required = 0;
bp = *buffer;
remain = *lenremain;
kret = EINVAL;
if ((checksum = (krb5_checksum *) arg)) {
- kret = ENOMEM;
- if (!krb5_checksum_esize(kcontext, arg, &required) &&
- (required <= remain)) {
- /* Our identifier */
- (void) krb5_ser_pack_int32(KV5M_CHECKSUM, &bp, &remain);
-
- /* Our checksum_type */
- (void) krb5_ser_pack_int32((krb5_int32) checksum->checksum_type,
- &bp, &remain);
+ kret = ENOMEM;
+ if (!krb5_checksum_esize(kcontext, arg, &required) &&
+ (required <= remain)) {
+ /* Our identifier */
+ (void) krb5_ser_pack_int32(KV5M_CHECKSUM, &bp, &remain);
- /* Our length */
- (void) krb5_ser_pack_int32((krb5_int32) checksum->length,
- &bp, &remain);
+ /* Our checksum_type */
+ (void) krb5_ser_pack_int32((krb5_int32) checksum->checksum_type,
+ &bp, &remain);
- /* Our contents */
- (void) krb5_ser_pack_bytes(checksum->contents,
- (size_t) checksum->length,
- &bp, &remain);
+ /* Our length */
+ (void) krb5_ser_pack_int32((krb5_int32) checksum->length,
+ &bp, &remain);
- /* Finally, our trailer */
- (void) krb5_ser_pack_int32(KV5M_CHECKSUM, &bp, &remain);
+ /* Our contents */
+ (void) krb5_ser_pack_bytes(checksum->contents,
+ (size_t) checksum->length,
+ &bp, &remain);
- kret = 0;
- *buffer = bp;
- *lenremain = remain;
- }
+ /* Finally, our trailer */
+ (void) krb5_ser_pack_int32(KV5M_CHECKSUM, &bp, &remain);
+
+ kret = 0;
+ *buffer = bp;
+ *lenremain = remain;
+ }
}
return(kret);
}
/*
- * krb5_checksum_internalize() - Internalize the krb5_checksum.
+ * krb5_checksum_internalize() - Internalize the krb5_checksum.
*/
static krb5_error_code
krb5_checksum_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet **buffer, size_t *lenremain)
{
- krb5_error_code kret;
- krb5_checksum *checksum;
- krb5_int32 ibuf;
- krb5_octet *bp;
- size_t remain;
+ krb5_error_code kret;
+ krb5_checksum *checksum;
+ krb5_int32 ibuf;
+ krb5_octet *bp;
+ size_t remain;
bp = *buffer;
remain = *lenremain;
kret = EINVAL;
/* Read our magic number */
if (krb5_ser_unpack_int32(&ibuf, &bp, &remain))
- ibuf = 0;
+ ibuf = 0;
if (ibuf == KV5M_CHECKSUM) {
- kret = ENOMEM;
+ kret = ENOMEM;
- /* Get a checksum */
- if ((remain >= (2*sizeof(krb5_int32))) &&
- (checksum = (krb5_checksum *) calloc(1, sizeof(krb5_checksum)))) {
- /* Get the checksum_type */
- (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- checksum->checksum_type = (krb5_cksumtype) ibuf;
+ /* Get a checksum */
+ if ((remain >= (2*sizeof(krb5_int32))) &&
+ (checksum = (krb5_checksum *) calloc(1, sizeof(krb5_checksum)))) {
+ /* Get the checksum_type */
+ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ checksum->checksum_type = (krb5_cksumtype) ibuf;
- /* Get the length */
- (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- checksum->length = (int) ibuf;
+ /* Get the length */
+ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ checksum->length = (int) ibuf;
- /* Get the string */
- if (!ibuf ||
- ((checksum->contents = (krb5_octet *)
- malloc((size_t) (ibuf))) &&
- !(kret = krb5_ser_unpack_bytes(checksum->contents,
- (size_t) ibuf,
- &bp, &remain)))) {
+ /* Get the string */
+ if (!ibuf ||
+ ((checksum->contents = (krb5_octet *)
+ malloc((size_t) (ibuf))) &&
+ !(kret = krb5_ser_unpack_bytes(checksum->contents,
+ (size_t) ibuf,
+ &bp, &remain)))) {
- /* Get the trailer */
- kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- if (!kret && (ibuf == KV5M_CHECKSUM)) {
- checksum->magic = KV5M_CHECKSUM;
- *buffer = bp;
- *lenremain = remain;
- *argp = (krb5_pointer) checksum;
- }
- else
- kret = EINVAL;
- }
- if (kret) {
- if (checksum->contents)
- free(checksum->contents);
- free(checksum);
- }
- }
+ /* Get the trailer */
+ kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ if (!kret && (ibuf == KV5M_CHECKSUM)) {
+ checksum->magic = KV5M_CHECKSUM;
+ *buffer = bp;
+ *lenremain = remain;
+ *argp = (krb5_pointer) checksum;
+ }
+ else
+ kret = EINVAL;
+ }
+ if (kret) {
+ if (checksum->contents)
+ free(checksum->contents);
+ free(checksum);
+ }
+ }
}
return(kret);
}
diff --git a/src/lib/krb5/krb/ser_ctx.c b/src/lib/krb5/krb/ser_ctx.c
index c8f673b77..b632ff02c 100644
--- a/src/lib/krb5/krb/ser_ctx.c
+++ b/src/lib/krb5/krb/ser_ctx.c
@@ -36,7 +36,7 @@
* krb5_context_size();
* krb5_context_externalize();
* krb5_context_internalize();
- *
+ *
* Routines to deal with externalizing the krb5_os_context:
* krb5_oscontext_size();
* krb5_oscontext_externalize();
@@ -197,23 +197,23 @@ krb5_context_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet **b
if (required > remain)
return (ENOMEM);
-
+
/* First write our magic number */
kret = krb5_ser_pack_int32(KV5M_CONTEXT, &bp, &remain);
if (kret)
return (kret);
-
+
/* Now sizeof default realm */
kret = krb5_ser_pack_int32((context->default_realm) ?
(krb5_int32) strlen(context->default_realm) : 0,
&bp, &remain);
if (kret)
return (kret);
-
+
/* Now default_realm bytes */
if (context->default_realm) {
kret = krb5_ser_pack_bytes((krb5_octet *) context->default_realm,
- strlen(context->default_realm),
+ strlen(context->default_realm),
&bp, &remain);
if (kret)
return (kret);
@@ -239,7 +239,7 @@ krb5_context_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet **b
kret = krb5_ser_pack_int32(etypes_len(context->tgs_etypes), &bp, &remain);
if (kret)
return (kret);
-
+
/* Now serialize ktypes */
if (context->tgs_etypes) {
for (i = 0; context->tgs_etypes[i]; i++) {
@@ -248,19 +248,19 @@ krb5_context_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet **b
return (kret);
}
}
-
+
/* Now allowable clockskew */
kret = krb5_ser_pack_int32((krb5_int32) context->clockskew,
&bp, &remain);
if (kret)
return (kret);
-
+
/* Now kdc_req_sumtype */
kret = krb5_ser_pack_int32((krb5_int32) context->kdc_req_sumtype,
&bp, &remain);
if (kret)
return (kret);
-
+
/* Now default ap_req_sumtype */
kret = krb5_ser_pack_int32((krb5_int32) context->default_ap_req_sumtype,
&bp, &remain);
@@ -284,7 +284,7 @@ krb5_context_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet **b
&bp, &remain);
if (kret)
return (kret);
-
+
/* Now profile_secure */
kret = krb5_ser_pack_int32((krb5_int32) context->profile_secure,
&bp, &remain);
@@ -321,7 +321,7 @@ krb5_context_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet **b
if (kret)
return (kret);
}
-
+
/*
* If we were successful, write trailer then update the pointer and
* remaining length;
@@ -329,7 +329,7 @@ krb5_context_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet **b
kret = krb5_ser_pack_int32(KV5M_CONTEXT, &bp, &remain);
if (kret)
return (kret);
-
+
*buffer = bp;
*lenremain = remain;
@@ -379,10 +379,10 @@ krb5_context_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet *
(size_t) ibuf, &bp, &remain);
if (kret)
goto cleanup;
-
+
context->default_realm[ibuf] = '\0';
}
-
+
/* Get the in_tkt_etypes */
if ((kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain)))
goto cleanup;
@@ -425,17 +425,17 @@ krb5_context_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet *
if ((kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain)))
goto cleanup;
context->clockskew = (krb5_deltat) ibuf;
-
+
/* kdc_req_sumtype */
if ((kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain)))
goto cleanup;
context->kdc_req_sumtype = (krb5_cksumtype) ibuf;
-
+
/* default ap_req_sumtype */
if ((kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain)))
goto cleanup;
context->default_ap_req_sumtype = (krb5_cksumtype) ibuf;
-
+
/* default_safe_sumtype */
if ((kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain)))
goto cleanup;
@@ -484,14 +484,14 @@ krb5_context_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet *
&bp, &remain);
if (kret && (kret != EINVAL) && (kret != ENOENT))
goto cleanup;
-
+
/* Attempt to read in the profile */
kret = krb5_internalize_opaque(kcontext, PROF_MAGIC_PROFILE,
(krb5_pointer *) &context->profile,
&bp, &remain);
if (kret && (kret != EINVAL) && (kret != ENOENT))
goto cleanup;
-
+
/* Finally, find the trailer */
if ((kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain)))
goto cleanup;
@@ -590,7 +590,7 @@ krb5_oscontext_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet
kret = ENOMEM;
/* Get memory for the context */
- if ((os_ctx = (krb5_os_context)
+ if ((os_ctx = (krb5_os_context)
calloc(1, sizeof(struct _krb5_os_context))) &&
(remain >= 4*sizeof(krb5_int32))) {
os_ctx->magic = KV5M_OS_CONTEXT;
diff --git a/src/lib/krb5/krb/ser_eblk.c b/src/lib/krb5/krb/ser_eblk.c
index 8bce41cf1..894a43e77 100644
--- a/src/lib/krb5/krb/ser_eblk.c
+++ b/src/lib/krb5/krb/ser_eblk.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/ser_eblk.c
*
@@ -34,211 +35,211 @@
/*
* Routines to deal with externalizing the krb5_encrypt_block:
- * krb5_encrypt_block_size();
- * krb5_encrypt_block_externalize();
- * krb5_encrypt_block_internalize();
+ * krb5_encrypt_block_size();
+ * krb5_encrypt_block_externalize();
+ * krb5_encrypt_block_internalize();
*/
static krb5_error_code krb5_encrypt_block_size
- (krb5_context, krb5_pointer, size_t *);
+(krb5_context, krb5_pointer, size_t *);
static krb5_error_code krb5_encrypt_block_externalize
- (krb5_context, krb5_pointer, krb5_octet **, size_t *);
+(krb5_context, krb5_pointer, krb5_octet **, size_t *);
static krb5_error_code krb5_encrypt_block_internalize
- (krb5_context,krb5_pointer *, krb5_octet **, size_t *);
+(krb5_context,krb5_pointer *, krb5_octet **, size_t *);
/* Local data */
static const krb5_ser_entry krb5_encrypt_block_ser_entry = {
- KV5M_ENCRYPT_BLOCK, /* Type */
- krb5_encrypt_block_size, /* Sizer routine */
- krb5_encrypt_block_externalize, /* Externalize routine */
- krb5_encrypt_block_internalize /* Internalize routine */
+ KV5M_ENCRYPT_BLOCK, /* Type */
+ krb5_encrypt_block_size, /* Sizer routine */
+ krb5_encrypt_block_externalize, /* Externalize routine */
+ krb5_encrypt_block_internalize /* Internalize routine */
};
/*
- * krb5_encrypt_block_size() - Determine the size required to externalize
- * the krb5_encrypt_block.
+ * krb5_encrypt_block_size() - Determine the size required to externalize
+ * the krb5_encrypt_block.
*/
static krb5_error_code
krb5_encrypt_block_size(kcontext, arg, sizep)
- krb5_context kcontext;
- krb5_pointer arg;
- size_t *sizep;
+ krb5_context kcontext;
+ krb5_pointer arg;
+ size_t *sizep;
{
- krb5_error_code kret;
- krb5_encrypt_block *encrypt_block;
- size_t required;
+ krb5_error_code kret;
+ krb5_encrypt_block *encrypt_block;
+ size_t required;
/*
* NOTE: This ASSuMES that enctype are sufficient to recreate
* the _krb5_cryptosystem_entry. If this is not true, then something else
* had better be encoded here.
- *
+ *
* krb5_encrypt_block base requirements:
- * krb5_int32 for KV5M_ENCRYPT_BLOCK
- * krb5_int32 for enctype
- * krb5_int32 for private length
- * encrypt_block->priv_size for private contents
- * krb5_int32 for KV5M_ENCRYPT_BLOCK
+ * krb5_int32 for KV5M_ENCRYPT_BLOCK
+ * krb5_int32 for enctype
+ * krb5_int32 for private length
+ * encrypt_block->priv_size for private contents
+ * krb5_int32 for KV5M_ENCRYPT_BLOCK
*/
kret = EINVAL;
if ((encrypt_block = (krb5_encrypt_block *) arg)) {
- required = (sizeof(krb5_int32) +
- sizeof(krb5_int32) +
- sizeof(krb5_int32) +
- sizeof(krb5_int32) +
- sizeof(krb5_int32) +
- (size_t) encrypt_block->priv_size);
- if (encrypt_block->key)
- kret = krb5_size_opaque(kcontext,
- KV5M_KEYBLOCK,
- (krb5_pointer) encrypt_block->key,
- &required);
- else
- kret = 0;
- if (!kret)
- *sizep += required;
+ required = (sizeof(krb5_int32) +
+ sizeof(krb5_int32) +
+ sizeof(krb5_int32) +
+ sizeof(krb5_int32) +
+ sizeof(krb5_int32) +
+ (size_t) encrypt_block->priv_size);
+ if (encrypt_block->key)
+ kret = krb5_size_opaque(kcontext,
+ KV5M_KEYBLOCK,
+ (krb5_pointer) encrypt_block->key,
+ &required);
+ else
+ kret = 0;
+ if (!kret)
+ *sizep += required;
}
return(kret);
}
/*
- * krb5_encrypt_block_externalize() - Externalize the krb5_encrypt_block.
+ * krb5_encrypt_block_externalize() - Externalize the krb5_encrypt_block.
*/
static krb5_error_code
krb5_encrypt_block_externalize(kcontext, arg, buffer, lenremain)
- krb5_context kcontext;
- krb5_pointer arg;
- krb5_octet **buffer;
- size_t *lenremain;
+ krb5_context kcontext;
+ krb5_pointer arg;
+ krb5_octet **buffer;
+ size_t *lenremain;
{
- krb5_error_code kret;
- krb5_encrypt_block *encrypt_block;
- size_t required;
- krb5_octet *bp;
- size_t remain;
+ krb5_error_code kret;
+ krb5_encrypt_block *encrypt_block;
+ size_t required;
+ krb5_octet *bp;
+ size_t remain;
required = 0;
bp = *buffer;
remain = *lenremain;
kret = EINVAL;
if ((encrypt_block = (krb5_encrypt_block *) arg)) {
- kret = ENOMEM;
- if (!krb5_encrypt_block_size(kcontext, arg, &required) &&
- (required <= remain)) {
- /* Our identifier */
- (void) krb5_ser_pack_int32(KV5M_ENCRYPT_BLOCK, &bp, &remain);
-
- /* Our enctype */
- (void) krb5_ser_pack_int32((krb5_int32) encrypt_block->
- crypto_entry->proto_enctype,
- &bp, &remain);
+ kret = ENOMEM;
+ if (!krb5_encrypt_block_size(kcontext, arg, &required) &&
+ (required <= remain)) {
+ /* Our identifier */
+ (void) krb5_ser_pack_int32(KV5M_ENCRYPT_BLOCK, &bp, &remain);
- /* Our length */
- (void) krb5_ser_pack_int32((krb5_int32) encrypt_block->priv_size,
- &bp, &remain);
+ /* Our enctype */
+ (void) krb5_ser_pack_int32((krb5_int32) encrypt_block->
+ crypto_entry->proto_enctype,
+ &bp, &remain);
- /* Our private data */
- (void) krb5_ser_pack_bytes(encrypt_block->priv,
- (size_t) encrypt_block->priv_size,
- &bp, &remain);
+ /* Our length */
+ (void) krb5_ser_pack_int32((krb5_int32) encrypt_block->priv_size,
+ &bp, &remain);
- /* Finally, the key data */
- if (encrypt_block->key)
- kret = krb5_externalize_opaque(kcontext,
- KV5M_KEYBLOCK,
- (krb5_pointer)
- encrypt_block->key,
- &bp,
- &remain);
- else
- kret = 0;
+ /* Our private data */
+ (void) krb5_ser_pack_bytes(encrypt_block->priv,
+ (size_t) encrypt_block->priv_size,
+ &bp, &remain);
- if (!kret) {
- /* Write trailer */
- (void) krb5_ser_pack_int32(KV5M_ENCRYPT_BLOCK, &bp, &remain);
- *buffer = bp;
- *lenremain = remain;
- }
- }
+ /* Finally, the key data */
+ if (encrypt_block->key)
+ kret = krb5_externalize_opaque(kcontext,
+ KV5M_KEYBLOCK,
+ (krb5_pointer)
+ encrypt_block->key,
+ &bp,
+ &remain);
+ else
+ kret = 0;
+
+ if (!kret) {
+ /* Write trailer */
+ (void) krb5_ser_pack_int32(KV5M_ENCRYPT_BLOCK, &bp, &remain);
+ *buffer = bp;
+ *lenremain = remain;
+ }
+ }
}
return(kret);
}
/*
- * krb5_encrypt_block_internalize() - Internalize the krb5_encrypt_block.
+ * krb5_encrypt_block_internalize() - Internalize the krb5_encrypt_block.
*/
static krb5_error_code
krb5_encrypt_block_internalize(kcontext, argp, buffer, lenremain)
- krb5_context kcontext;
- krb5_pointer *argp;
- krb5_octet **buffer;
- size_t *lenremain;
+ krb5_context kcontext;
+ krb5_pointer *argp;
+ krb5_octet **buffer;
+ size_t *lenremain;
{
- krb5_error_code kret;
- krb5_encrypt_block *encrypt_block;
- krb5_int32 ibuf;
- krb5_enctype ktype;
- krb5_octet *bp;
- size_t remain;
+ krb5_error_code kret;
+ krb5_encrypt_block *encrypt_block;
+ krb5_int32 ibuf;
+ krb5_enctype ktype;
+ krb5_octet *bp;
+ size_t remain;
bp = *buffer;
remain = *lenremain;
kret = EINVAL;
/* Read our magic number */
if (krb5_ser_unpack_int32(&ibuf, &bp, &remain))
- ibuf = 0;
+ ibuf = 0;
if (ibuf == KV5M_ENCRYPT_BLOCK) {
- kret = ENOMEM;
+ kret = ENOMEM;
- /* Get an encrypt_block */
- if ((remain >= (3*sizeof(krb5_int32))) &&
- (encrypt_block = (krb5_encrypt_block *)
- calloc(1, sizeof(krb5_encrypt_block)))) {
- /* Get the enctype */
- (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- ktype = (krb5_enctype) ibuf;
+ /* Get an encrypt_block */
+ if ((remain >= (3*sizeof(krb5_int32))) &&
+ (encrypt_block = (krb5_encrypt_block *)
+ calloc(1, sizeof(krb5_encrypt_block)))) {
+ /* Get the enctype */
+ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ ktype = (krb5_enctype) ibuf;
- /* Use the ktype to determine the crypto_system entry. */
- krb5_use_enctype(kcontext, encrypt_block, ktype);
+ /* Use the ktype to determine the crypto_system entry. */
+ krb5_use_enctype(kcontext, encrypt_block, ktype);
- /* Get the length */
- (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- encrypt_block->priv_size = (int) ibuf;
+ /* Get the length */
+ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ encrypt_block->priv_size = (int) ibuf;
- /* Get the string */
- if (!ibuf ||
- ((encrypt_block->priv = (void *) malloc((size_t) (ibuf))) &&
- !(kret = krb5_ser_unpack_bytes((krb5_octet *)
- encrypt_block->priv,
- (size_t)
- encrypt_block->priv_size,
- &bp, &remain)))) {
- kret = krb5_internalize_opaque(kcontext,
- KV5M_KEYBLOCK,
- (krb5_pointer *)
- &encrypt_block->key,
- &bp,
- &remain);
- if (kret == EINVAL)
- kret = 0;
+ /* Get the string */
+ if (!ibuf ||
+ ((encrypt_block->priv = (void *) malloc((size_t) (ibuf))) &&
+ !(kret = krb5_ser_unpack_bytes((krb5_octet *)
+ encrypt_block->priv,
+ (size_t)
+ encrypt_block->priv_size,
+ &bp, &remain)))) {
+ kret = krb5_internalize_opaque(kcontext,
+ KV5M_KEYBLOCK,
+ (krb5_pointer *)
+ &encrypt_block->key,
+ &bp,
+ &remain);
+ if (kret == EINVAL)
+ kret = 0;
- if (!kret) {
- kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- if (!kret && (ibuf == KV5M_ENCRYPT_BLOCK)) {
- *buffer = bp;
- *lenremain = remain;
- encrypt_block->magic = KV5M_ENCRYPT_BLOCK;
- *argp = (krb5_pointer) encrypt_block;
- }
- else
- kret = EINVAL;
- }
- }
- if (kret) {
- if (encrypt_block->priv)
- free(encrypt_block->priv);
- free(encrypt_block);
- }
- }
+ if (!kret) {
+ kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ if (!kret && (ibuf == KV5M_ENCRYPT_BLOCK)) {
+ *buffer = bp;
+ *lenremain = remain;
+ encrypt_block->magic = KV5M_ENCRYPT_BLOCK;
+ *argp = (krb5_pointer) encrypt_block;
+ }
+ else
+ kret = EINVAL;
+ }
+ }
+ if (kret) {
+ if (encrypt_block->priv)
+ free(encrypt_block->priv);
+ free(encrypt_block);
+ }
+ }
}
return(kret);
}
@@ -248,7 +249,7 @@ krb5_encrypt_block_internalize(kcontext, argp, buffer, lenremain)
*/
krb5_error_code
krb5_ser_encrypt_block_init(kcontext)
- krb5_context kcontext;
+ krb5_context kcontext;
{
return(krb5_register_serializer(kcontext, &krb5_encrypt_block_ser_entry));
}
diff --git a/src/lib/krb5/krb/ser_key.c b/src/lib/krb5/krb/ser_key.c
index 25522de7b..f441e986f 100644
--- a/src/lib/krb5/krb/ser_key.c
+++ b/src/lib/krb5/krb/ser_key.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/ser_key.c
*
@@ -33,157 +34,157 @@
/*
* Routines to deal with externalizing the krb5_keyblock:
- * krb5_keyblock_size();
- * krb5_keyblock_externalize();
- * krb5_keyblock_internalize();
+ * krb5_keyblock_size();
+ * krb5_keyblock_externalize();
+ * krb5_keyblock_internalize();
*/
static krb5_error_code krb5_keyblock_size
- (krb5_context, krb5_pointer, size_t *);
+(krb5_context, krb5_pointer, size_t *);
static krb5_error_code krb5_keyblock_externalize
- (krb5_context, krb5_pointer, krb5_octet **, size_t *);
+(krb5_context, krb5_pointer, krb5_octet **, size_t *);
static krb5_error_code krb5_keyblock_internalize
- (krb5_context,krb5_pointer *, krb5_octet **, size_t *);
+(krb5_context,krb5_pointer *, krb5_octet **, size_t *);
/* Local data */
static const krb5_ser_entry krb5_keyblock_ser_entry = {
- KV5M_KEYBLOCK, /* Type */
- krb5_keyblock_size, /* Sizer routine */
- krb5_keyblock_externalize, /* Externalize routine */
- krb5_keyblock_internalize /* Internalize routine */
+ KV5M_KEYBLOCK, /* Type */
+ krb5_keyblock_size, /* Sizer routine */
+ krb5_keyblock_externalize, /* Externalize routine */
+ krb5_keyblock_internalize /* Internalize routine */
};
/*
- * krb5_keyblock_size() - Determine the size required to externalize
- * the krb5_keyblock.
+ * krb5_keyblock_size() - Determine the size required to externalize
+ * the krb5_keyblock.
*/
static krb5_error_code
krb5_keyblock_size(krb5_context kcontext, krb5_pointer arg, size_t *sizep)
{
- krb5_error_code kret;
- krb5_keyblock *keyblock;
+ krb5_error_code kret;
+ krb5_keyblock *keyblock;
/*
* krb5_keyblock requires:
- * krb5_int32 for KV5M_KEYBLOCK
- * krb5_int32 for enctype
- * krb5_int32 for length
- * keyblock->length for contents
- * krb5_int32 for KV5M_KEYBLOCK
+ * krb5_int32 for KV5M_KEYBLOCK
+ * krb5_int32 for enctype
+ * krb5_int32 for length
+ * keyblock->length for contents
+ * krb5_int32 for KV5M_KEYBLOCK
*/
kret = EINVAL;
if ((keyblock = (krb5_keyblock *) arg)) {
- *sizep += (sizeof(krb5_int32) +
- sizeof(krb5_int32) +
- sizeof(krb5_int32) +
- sizeof(krb5_int32) +
- sizeof(krb5_int32) +
- (size_t) keyblock->length);
- kret = 0;
+ *sizep += (sizeof(krb5_int32) +
+ sizeof(krb5_int32) +
+ sizeof(krb5_int32) +
+ sizeof(krb5_int32) +
+ sizeof(krb5_int32) +
+ (size_t) keyblock->length);
+ kret = 0;
}
return(kret);
}
/*
- * krb5_keyblock_externalize() - Externalize the krb5_keyblock.
+ * krb5_keyblock_externalize() - Externalize the krb5_keyblock.
*/
static krb5_error_code
krb5_keyblock_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet **buffer, size_t *lenremain)
{
- krb5_error_code kret;
- krb5_keyblock *keyblock;
- size_t required;
- krb5_octet *bp;
- size_t remain;
+ krb5_error_code kret;
+ krb5_keyblock *keyblock;
+ size_t required;
+ krb5_octet *bp;
+ size_t remain;
required = 0;
bp = *buffer;
remain = *lenremain;
kret = EINVAL;
if ((keyblock = (krb5_keyblock *) arg)) {
- kret = ENOMEM;
- if (!krb5_keyblock_size(kcontext, arg, &required) &&
- (required <= remain)) {
- /* Our identifier */
- (void) krb5_ser_pack_int32(KV5M_KEYBLOCK, &bp, &remain);
-
- /* Our enctype */
- (void) krb5_ser_pack_int32((krb5_int32) keyblock->enctype,
- &bp, &remain);
+ kret = ENOMEM;
+ if (!krb5_keyblock_size(kcontext, arg, &required) &&
+ (required <= remain)) {
+ /* Our identifier */
+ (void) krb5_ser_pack_int32(KV5M_KEYBLOCK, &bp, &remain);
- /* Our length */
- (void) krb5_ser_pack_int32((krb5_int32) keyblock->length,
- &bp, &remain);
+ /* Our enctype */
+ (void) krb5_ser_pack_int32((krb5_int32) keyblock->enctype,
+ &bp, &remain);
- /* Our contents */
- (void) krb5_ser_pack_bytes(keyblock->contents,
- (size_t) keyblock->length,
- &bp, &remain);
+ /* Our length */
+ (void) krb5_ser_pack_int32((krb5_int32) keyblock->length,
+ &bp, &remain);
- /* Finally, our trailer */
- (void) krb5_ser_pack_int32(KV5M_KEYBLOCK, &bp, &remain);
+ /* Our contents */
+ (void) krb5_ser_pack_bytes(keyblock->contents,
+ (size_t) keyblock->length,
+ &bp, &remain);
- kret = 0;
- *buffer = bp;
- *lenremain = remain;
- }
+ /* Finally, our trailer */
+ (void) krb5_ser_pack_int32(KV5M_KEYBLOCK, &bp, &remain);
+
+ kret = 0;
+ *buffer = bp;
+ *lenremain = remain;
+ }
}
return(kret);
}
/*
- * krb5_keyblock_internalize() - Internalize the krb5_keyblock.
+ * krb5_keyblock_internalize() - Internalize the krb5_keyblock.
*/
static krb5_error_code
krb5_keyblock_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet **buffer, size_t *lenremain)
{
- krb5_error_code kret;
- krb5_keyblock *keyblock;
- krb5_int32 ibuf;
- krb5_octet *bp;
- size_t remain;
+ krb5_error_code kret;
+ krb5_keyblock *keyblock;
+ krb5_int32 ibuf;
+ krb5_octet *bp;
+ size_t remain;
bp = *buffer;
remain = *lenremain;
kret = EINVAL;
/* Read our magic number */
if (krb5_ser_unpack_int32(&ibuf, &bp, &remain))
- ibuf = 0;
+ ibuf = 0;
if (ibuf == KV5M_KEYBLOCK) {
- kret = ENOMEM;
+ kret = ENOMEM;
- /* Get a keyblock */
- if ((remain >= (3*sizeof(krb5_int32))) &&
- (keyblock = (krb5_keyblock *) calloc(1, sizeof(krb5_keyblock)))) {
- /* Get the enctype */
- (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- keyblock->enctype = (krb5_enctype) ibuf;
+ /* Get a keyblock */
+ if ((remain >= (3*sizeof(krb5_int32))) &&
+ (keyblock = (krb5_keyblock *) calloc(1, sizeof(krb5_keyblock)))) {
+ /* Get the enctype */
+ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ keyblock->enctype = (krb5_enctype) ibuf;
- /* Get the length */
- (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- keyblock->length = (int) ibuf;
+ /* Get the length */
+ (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ keyblock->length = (int) ibuf;
- /* Get the string */
- if ((keyblock->contents = (krb5_octet *) malloc((size_t) (ibuf)))&&
- !(kret = krb5_ser_unpack_bytes(keyblock->contents,
- (size_t) ibuf,
- &bp, &remain))) {
- kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- if (!kret && (ibuf == KV5M_KEYBLOCK)) {
- kret = 0;
- *buffer = bp;
- *lenremain = remain;
- keyblock->magic = KV5M_KEYBLOCK;
- *argp = (krb5_pointer) keyblock;
- }
- else
- kret = EINVAL;
- }
- if (kret) {
- if (keyblock->contents)
- free(keyblock->contents);
- free(keyblock);
- }
- }
+ /* Get the string */
+ if ((keyblock->contents = (krb5_octet *) malloc((size_t) (ibuf)))&&
+ !(kret = krb5_ser_unpack_bytes(keyblock->contents,
+ (size_t) ibuf,
+ &bp, &remain))) {
+ kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+ if (!kret && (ibuf == KV5M_KEYBLOCK)) {
+ kret = 0;
+ *buffer = bp;
+ *lenremain = remain;
+ keyblock->magic = KV5M_KEYBLOCK;
+ *argp = (krb5_pointer) keyblock;
+ }
+ else
+ kret = EINVAL;
+ }
+ if (kret) {
+ if (keyblock->contents)
+ free(keyblock->contents);
+ free(keyblock);
+ }
+ }
}
return(kret);
}
diff --git a/src/lib/krb5/krb/ser_princ.c b/src/lib/krb5/krb/ser_princ.c
index cb90154ff..d93fbbe7a 100644
--- a/src/lib/krb5/krb/ser_princ.c
+++ b/src/lib/krb5/krb/ser_princ.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/ser_princ.c
*
@@ -33,103 +34,103 @@
/*
* Routines to deal with externalizing the krb5_principal:
- * krb5_principal_size();
- * krb5_principal_externalize();
- * krb5_principal_internalize();
+ * krb5_principal_size();
+ * krb5_principal_externalize();
+ * krb5_principal_internalize();
*/
static krb5_error_code krb5_principal_size
- (krb5_context, krb5_pointer, size_t *);
+(krb5_context, krb5_pointer, size_t *);
static krb5_error_code krb5_principal_externalize
- (krb5_context, krb5_pointer, krb5_octet **, size_t *);
+(krb5_context, krb5_pointer, krb5_octet **, size_t *);
static krb5_error_code krb5_principal_internalize
- (krb5_context,krb5_pointer *, krb5_octet **, size_t *);
+(krb5_context,krb5_pointer *, krb5_octet **, size_t *);
/* Local data */
static const krb5_ser_entry krb5_principal_ser_entry = {
- KV5M_PRINCIPAL, /* Type */
- krb5_principal_size, /* Sizer routine */
- krb5_principal_externalize, /* Externalize routine */
- krb5_principal_internalize /* Internalize routine */
+ KV5M_PRINCIPAL, /* Type */
+ krb5_principal_size, /* Sizer routine */
+ krb5_principal_externalize, /* Externalize routine */
+ krb5_principal_internalize /* Internalize routine */
};
/*
- * krb5_principal_size() - Determine the size required to externalize
- * the krb5_principal.
+ * krb5_principal_size() - Determine the size required to externalize
+ * the krb5_principal.
*/
static krb5_error_code
krb5_principal_size(krb5_context kcontext, krb5_pointer arg, size_t *sizep)
{
- krb5_error_code kret;
- krb5_principal principal;
- char *fname;
+ krb5_error_code kret;
+ krb5_principal principal;
+ char *fname;
/*
* krb5_principal requires:
- * krb5_int32 for KV5M_PRINCIPAL
- * krb5_int32 for flattened name size
- * strlen(name) for name.
- * krb5_int32 for KV5M_PRINCIPAL
+ * krb5_int32 for KV5M_PRINCIPAL
+ * krb5_int32 for flattened name size
+ * strlen(name) for name.
+ * krb5_int32 for KV5M_PRINCIPAL
*/
kret = EINVAL;
if ((principal = (krb5_principal) arg) &&
- !(kret = krb5_unparse_name(kcontext, principal, &fname))) {
- *sizep += (3*sizeof(krb5_int32)) + strlen(fname);
- free(fname);
+ !(kret = krb5_unparse_name(kcontext, principal, &fname))) {
+ *sizep += (3*sizeof(krb5_int32)) + strlen(fname);
+ free(fname);
}
return(kret);
}
/*
- * krb5_principal_externalize() - Externalize the krb5_principal.
+ * krb5_principal_externalize() - Externalize the krb5_principal.
*/
static krb5_error_code
krb5_principal_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet **buffer, size_t *lenremain)
{
- krb5_error_code kret;
- krb5_principal principal;
- size_t required;
- krb5_octet *bp;
- size_t remain;
- char *fname;
+ krb5_error_code kret;
+ krb5_principal principal;
+ size_t required;
+ krb5_octet *bp;
+ size_t remain;
+ char *fname;
required = 0;
bp = *buffer;
remain = *lenremain;
kret = EINVAL;
if ((principal = (krb5_principal) arg)) {
- kret = ENOMEM;
- if (!krb5_principal_size(kcontext, arg, &required) &&
- (required <= remain)) {
- if (!(kret = krb5_unparse_name(kcontext, principal, &fname))) {
+ kret = ENOMEM;
+ if (!krb5_principal_size(kcontext, arg, &required) &&
+ (required <= remain)) {
+ if (!(kret = krb5_unparse_name(kcontext, principal, &fname))) {
- (void) krb5_ser_pack_int32(KV5M_PRINCIPAL, &bp, &remain);
- (void) krb5_ser_pack_int32((krb5_int32) strlen(fname),
- &bp, &remain);
- (void) krb5_ser_pack_bytes((krb5_octet *) fname,
- strlen(fname), &bp, &remain);
- (void) krb5_ser_pack_int32(KV5M_PRINCIPAL, &bp, &remain);
- *buffer = bp;
- *lenremain = remain;
+ (void) krb5_ser_pack_int32(KV5M_PRINCIPAL, &bp, &remain);
+ (void) krb5_ser_pack_int32((krb5_int32) strlen(fname),
+ &bp, &remain);
+ (void) krb5_ser_pack_bytes((krb5_octet *) fname,
+ strlen(fname), &bp, &remain);
+ (void) krb5_ser_pack_int32(KV5M_PRINCIPAL, &bp, &remain);
+ *buffer = bp;
+ *lenremain = remain;
- free(fname);
- }
- }
+ free(fname);
+ }
+ }
}
return(kret);
}
/*
- * krb5_principal_internalize() - Internalize the krb5_principal.
+ * krb5_principal_internalize() - Internalize the krb5_principal.
*/
static krb5_error_code
krb5_principal_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet **buffer, size_t *lenremain)
{
- krb5_error_code kret;
- krb5_principal principal = NULL;
- krb5_int32 ibuf;
- krb5_octet *bp;
- size_t remain;
- char *tmpname = NULL;
+ krb5_error_code kret;
+ krb5_principal principal = NULL;
+ krb5_int32 ibuf;
+ krb5_octet *bp;
+ size_t remain;
+ char *tmpname = NULL;
*argp = NULL;
bp = *buffer;
@@ -137,28 +138,28 @@ krb5_principal_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet
/* Read our magic number */
if (krb5_ser_unpack_int32(&ibuf, &bp, &remain) || ibuf != KV5M_PRINCIPAL)
- return EINVAL;
+ return EINVAL;
/* Read the principal name */
kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
if (kret)
- return kret;
+ return kret;
tmpname = malloc(ibuf + 1);
kret = krb5_ser_unpack_bytes((krb5_octet *) tmpname, (size_t) ibuf,
- &bp, &remain);
+ &bp, &remain);
if (kret)
- goto cleanup;
+ goto cleanup;
tmpname[ibuf] = '\0';
/* Parse the name to a principal structure */
kret = krb5_parse_name(kcontext, tmpname, &principal);
if (kret)
- goto cleanup;
+ goto cleanup;
/* Read the trailing magic number */
if (krb5_ser_unpack_int32(&ibuf, &bp, &remain) || ibuf != KV5M_PRINCIPAL) {
- kret = EINVAL;
- goto cleanup;
+ kret = EINVAL;
+ goto cleanup;
}
*buffer = bp;
@@ -166,7 +167,7 @@ krb5_principal_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet
*argp = principal;
cleanup:
if (kret)
- krb5_free_principal(kcontext, principal);
+ krb5_free_principal(kcontext, principal);
free(tmpname);
return kret;
}
diff --git a/src/lib/krb5/krb/serialize.c b/src/lib/krb5/krb/serialize.c
index d1edcf239..4e08aa93e 100644
--- a/src/lib/krb5/krb/serialize.c
+++ b/src/lib/krb5/krb/serialize.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/serialize.c
*
@@ -31,94 +32,94 @@
#include "k5-int.h"
/*
- * krb5_find_serializer() - See if a particular type is registered.
+ * krb5_find_serializer() - See if a particular type is registered.
*/
krb5_ser_handle
krb5_find_serializer(krb5_context kcontext, krb5_magic odtype)
{
- krb5_ser_handle res;
- krb5_ser_handle sctx;
- int i;
+ krb5_ser_handle res;
+ krb5_ser_handle sctx;
+ int i;
res = (krb5_ser_handle) NULL;
sctx = (krb5_ser_handle) kcontext->ser_ctx;
for (i=0; i<kcontext->ser_ctx_count; i++) {
- if (sctx[i].odtype == odtype) {
- res = &sctx[i];
- break;
- }
+ if (sctx[i].odtype == odtype) {
+ res = &sctx[i];
+ break;
+ }
}
return(res);
}
/*
- * krb5_register_serializer() - Register a particular serializer.
+ * krb5_register_serializer() - Register a particular serializer.
*/
krb5_error_code
krb5_register_serializer(krb5_context kcontext, const krb5_ser_entry *entry)
{
- krb5_error_code kret;
- krb5_ser_entry * stable;
+ krb5_error_code kret;
+ krb5_ser_entry * stable;
kret = 0;
/* See if it's already there, if so, we're good to go. */
if (!(stable = (krb5_ser_entry *)krb5_find_serializer(kcontext,
- entry->odtype))) {
- /*
- * Can't find our type. Create a new entry.
- */
- if ((stable = (krb5_ser_entry *) malloc(sizeof(krb5_ser_entry) *
- (kcontext->ser_ctx_count+1)))) {
- /* Copy in old table */
- if (kcontext->ser_ctx_count)
- memcpy(stable, kcontext->ser_ctx,
- sizeof(krb5_ser_entry) * kcontext->ser_ctx_count);
- /* Copy in new entry */
- memcpy(&stable[kcontext->ser_ctx_count], entry,
- sizeof(krb5_ser_entry));
- if (kcontext->ser_ctx) free(kcontext->ser_ctx);
- kcontext->ser_ctx = (void *) stable;
- kcontext->ser_ctx_count++;
- }
- else
- kret = ENOMEM;
+ entry->odtype))) {
+ /*
+ * Can't find our type. Create a new entry.
+ */
+ if ((stable = (krb5_ser_entry *) malloc(sizeof(krb5_ser_entry) *
+ (kcontext->ser_ctx_count+1)))) {
+ /* Copy in old table */
+ if (kcontext->ser_ctx_count)
+ memcpy(stable, kcontext->ser_ctx,
+ sizeof(krb5_ser_entry) * kcontext->ser_ctx_count);
+ /* Copy in new entry */
+ memcpy(&stable[kcontext->ser_ctx_count], entry,
+ sizeof(krb5_ser_entry));
+ if (kcontext->ser_ctx) free(kcontext->ser_ctx);
+ kcontext->ser_ctx = (void *) stable;
+ kcontext->ser_ctx_count++;
+ }
+ else
+ kret = ENOMEM;
}
else
- *stable = *entry;
+ *stable = *entry;
return(kret);
}
/*
- * krb5_size_opaque() - Determine the size necessary to serialize a given
- * piece of opaque data.
+ * krb5_size_opaque() - Determine the size necessary to serialize a given
+ * piece of opaque data.
*/
krb5_error_code KRB5_CALLCONV
krb5_size_opaque(krb5_context kcontext, krb5_magic odtype, krb5_pointer arg, size_t *sizep)
{
- krb5_error_code kret;
- krb5_ser_handle shandle;
+ krb5_error_code kret;
+ krb5_ser_handle shandle;
kret = ENOENT;
/* See if the type is supported, if so, do it */
if ((shandle = krb5_find_serializer(kcontext, odtype)))
- kret = (shandle->sizer) ? (*shandle->sizer)(kcontext, arg, sizep) : 0;
+ kret = (shandle->sizer) ? (*shandle->sizer)(kcontext, arg, sizep) : 0;
return(kret);
}
/*
- * krb5_externalize_opaque() - Externalize a piece of opaque data.
+ * krb5_externalize_opaque() - Externalize a piece of opaque data.
*/
krb5_error_code KRB5_CALLCONV
krb5_externalize_opaque(krb5_context kcontext, krb5_magic odtype, krb5_pointer arg, krb5_octet **bufpp, size_t *sizep)
{
- krb5_error_code kret;
- krb5_ser_handle shandle;
+ krb5_error_code kret;
+ krb5_ser_handle shandle;
kret = ENOENT;
/* See if the type is supported, if so, do it */
if ((shandle = krb5_find_serializer(kcontext, odtype)))
- kret = (shandle->externalizer) ?
- (*shandle->externalizer)(kcontext, arg, bufpp, sizep) : 0;
+ kret = (shandle->externalizer) ?
+ (*shandle->externalizer)(kcontext, arg, bufpp, sizep) : 0;
return(kret);
}
@@ -128,146 +129,146 @@ krb5_externalize_opaque(krb5_context kcontext, krb5_magic odtype, krb5_pointer a
krb5_error_code
krb5_externalize_data(krb5_context kcontext, krb5_pointer arg, krb5_octet **bufpp, size_t *sizep)
{
- krb5_error_code kret;
- krb5_magic *mp;
- krb5_octet *buffer, *bp;
- size_t bufsize, bsize;
+ krb5_error_code kret;
+ krb5_magic *mp;
+ krb5_octet *buffer, *bp;
+ size_t bufsize, bsize;
mp = (krb5_magic *) arg;
bufsize = 0;
if (!(kret = krb5_size_opaque(kcontext, *mp, arg, &bufsize))) {
- if ((buffer = (krb5_octet *) malloc(bufsize))) {
- bp = buffer;
- bsize = bufsize;
- if (!(kret = krb5_externalize_opaque(kcontext,
- *mp,
- arg,
- &bp,
- &bsize))) {
- if (bsize != 0)
- bufsize -= bsize;
- *bufpp = buffer;
- *sizep = bufsize;
- }
- }
- else
- kret = ENOMEM;
+ if ((buffer = (krb5_octet *) malloc(bufsize))) {
+ bp = buffer;
+ bsize = bufsize;
+ if (!(kret = krb5_externalize_opaque(kcontext,
+ *mp,
+ arg,
+ &bp,
+ &bsize))) {
+ if (bsize != 0)
+ bufsize -= bsize;
+ *bufpp = buffer;
+ *sizep = bufsize;
+ }
+ }
+ else
+ kret = ENOMEM;
}
return(kret);
}
/*
- * krb5_internalize_opaque() - Convert external representation into a data
- * structure.
+ * krb5_internalize_opaque() - Convert external representation into a data
+ * structure.
*/
krb5_error_code KRB5_CALLCONV
krb5_internalize_opaque(krb5_context kcontext, krb5_magic odtype, krb5_pointer *argp, krb5_octet **bufpp, size_t *sizep)
{
- krb5_error_code kret;
- krb5_ser_handle shandle;
+ krb5_error_code kret;
+ krb5_ser_handle shandle;
kret = ENOENT;
/* See if the type is supported, if so, do it */
if ((shandle = krb5_find_serializer(kcontext, odtype)))
- kret = (shandle->internalizer) ?
- (*shandle->internalizer)(kcontext, argp, bufpp, sizep) : 0;
+ kret = (shandle->internalizer) ?
+ (*shandle->internalizer)(kcontext, argp, bufpp, sizep) : 0;
return(kret);
}
/*
- * krb5_ser_pack_int32() - Pack a 4-byte integer if space is available.
- * Update buffer pointer and remaining space.
+ * krb5_ser_pack_int32() - Pack a 4-byte integer if space is available.
+ * Update buffer pointer and remaining space.
*/
krb5_error_code KRB5_CALLCONV
krb5_ser_pack_int32(krb5_int32 iarg, krb5_octet **bufp, size_t *remainp)
{
if (*remainp >= sizeof(krb5_int32)) {
- store_32_be(iarg, *bufp);
- *bufp += sizeof(krb5_int32);
- *remainp -= sizeof(krb5_int32);
- return(0);
+ store_32_be(iarg, *bufp);
+ *bufp += sizeof(krb5_int32);
+ *remainp -= sizeof(krb5_int32);
+ return(0);
}
else
- return(ENOMEM);
+ return(ENOMEM);
}
/*
- * krb5_ser_pack_int64() - Pack an 8-byte integer if space is available.
- * Update buffer pointer and remaining space.
+ * krb5_ser_pack_int64() - Pack an 8-byte integer if space is available.
+ * Update buffer pointer and remaining space.
*/
krb5_error_code KRB5_CALLCONV
krb5_ser_pack_int64(krb5_int64 iarg, krb5_octet **bufp, size_t *remainp)
{
if (*remainp >= sizeof(krb5_int64)) {
- store_64_be(iarg, (unsigned char *)*bufp);
- *bufp += sizeof(krb5_int64);
- *remainp -= sizeof(krb5_int64);
- return(0);
+ store_64_be(iarg, (unsigned char *)*bufp);
+ *bufp += sizeof(krb5_int64);
+ *remainp -= sizeof(krb5_int64);
+ return(0);
}
else
- return(ENOMEM);
+ return(ENOMEM);
}
/*
- * krb5_ser_pack_bytes() - Pack a string of bytes.
+ * krb5_ser_pack_bytes() - Pack a string of bytes.
*/
krb5_error_code KRB5_CALLCONV
krb5_ser_pack_bytes(krb5_octet *ostring, size_t osize, krb5_octet **bufp, size_t *remainp)
{
if (*remainp >= osize) {
- memcpy(*bufp, ostring, osize);
- *bufp += osize;
- *remainp -= osize;
- return(0);
+ memcpy(*bufp, ostring, osize);
+ *bufp += osize;
+ *remainp -= osize;
+ return(0);
}
else
- return(ENOMEM);
+ return(ENOMEM);
}
/*
- * krb5_ser_unpack_int32() - Unpack a 4-byte integer if it's there.
+ * krb5_ser_unpack_int32() - Unpack a 4-byte integer if it's there.
*/
krb5_error_code KRB5_CALLCONV
krb5_ser_unpack_int32(krb5_int32 *intp, krb5_octet **bufp, size_t *remainp)
{
if (*remainp >= sizeof(krb5_int32)) {
- *intp = load_32_be(*bufp);
- *bufp += sizeof(krb5_int32);
- *remainp -= sizeof(krb5_int32);
- return(0);
+ *intp = load_32_be(*bufp);
+ *bufp += sizeof(krb5_int32);
+ *remainp -= sizeof(krb5_int32);
+ return(0);
}
else
- return(ENOMEM);
+ return(ENOMEM);
}
/*
- * krb5_ser_unpack_int64() - Unpack an 8-byte integer if it's there.
+ * krb5_ser_unpack_int64() - Unpack an 8-byte integer if it's there.
*/
krb5_error_code KRB5_CALLCONV
krb5_ser_unpack_int64(krb5_int64 *intp, krb5_octet **bufp, size_t *remainp)
{
if (*remainp >= sizeof(krb5_int64)) {
- *intp = load_64_be((unsigned char *)*bufp);
- *bufp += sizeof(krb5_int64);
- *remainp -= sizeof(krb5_int64);
- return(0);
+ *intp = load_64_be((unsigned char *)*bufp);
+ *bufp += sizeof(krb5_int64);
+ *remainp -= sizeof(krb5_int64);
+ return(0);
}
else
- return(ENOMEM);
+ return(ENOMEM);
}
/*
- * krb5_ser_unpack_bytes() - Unpack a byte string if it's there.
+ * krb5_ser_unpack_bytes() - Unpack a byte string if it's there.
*/
krb5_error_code KRB5_CALLCONV
krb5_ser_unpack_bytes(krb5_octet *istring, size_t isize, krb5_octet **bufp, size_t *remainp)
{
if (*remainp >= isize) {
- memcpy(istring, *bufp, isize);
- *bufp += isize;
- *remainp -= isize;
- return(0);
+ memcpy(istring, *bufp, isize);
+ *bufp += isize;
+ *remainp -= isize;
+ return(0);
}
else
- return(ENOMEM);
+ return(ENOMEM);
}
diff --git a/src/lib/krb5/krb/set_realm.c b/src/lib/krb5/krb/set_realm.c
index 9a96cd1ca..0128f6cb1 100644
--- a/src/lib/krb5/krb/set_realm.c
+++ b/src/lib/krb5/krb/set_realm.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/set_realm.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -29,23 +30,21 @@
krb5_error_code KRB5_CALLCONV
krb5_set_principal_realm(krb5_context context, krb5_principal principal, const char *realm)
{
- size_t length;
- char *newrealm;
-
- if (!realm || !*realm)
- return -EINVAL;
+ size_t length;
+ char *newrealm;
- length = strlen(realm);
- newrealm = strdup(realm);
- if (!newrealm)
- return -ENOMEM;
-
- (void) free(krb5_princ_realm(context,principal)->data);
+ if (!realm || !*realm)
+ return -EINVAL;
- krb5_princ_realm(context, principal)->length = length;
- krb5_princ_realm(context, principal)->data = newrealm;
+ length = strlen(realm);
+ newrealm = strdup(realm);
+ if (!newrealm)
+ return -ENOMEM;
- return 0;
-}
+ (void) free(krb5_princ_realm(context,principal)->data);
+ krb5_princ_realm(context, principal)->length = length;
+ krb5_princ_realm(context, principal)->data = newrealm;
+ return 0;
+}
diff --git a/src/lib/krb5/krb/srv_dec_tkt.c b/src/lib/krb5/krb/srv_dec_tkt.c
index 0934e27e1..f266fa5e9 100644
--- a/src/lib/krb5/krb/srv_dec_tkt.c
+++ b/src/lib/krb5/krb/srv_dec_tkt.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/srv_dec_tkt.c
*
@@ -24,7 +25,7 @@
* or implied warranty.
*
*
- * Server decrypt ticket via keytab or keyblock.
+ * Server decrypt ticket via keytab or keyblock.
*
* Different from krb5_rd_req_decoded. (krb5/src/lib/krb5/krb/rd_req_dec.c)
* - No krb5_principal_compare or KRB5KRB_AP_ERR_BADMATCH error.
@@ -33,94 +34,94 @@
* - No address checking or KRB5KRB_AP_ERR_BADADDR error.
* - No time validation.
* - No permitted enctype validation or KRB5_NOPERM_ETYPE error.
- * - Does not free ticket->enc_part2 on error.
+ * - Does not free ticket->enc_part2 on error.
*/
#include <k5-int.h>
-#ifndef LEAN_CLIENT
+#ifndef LEAN_CLIENT
krb5_error_code KRB5_CALLCONV
krb5int_server_decrypt_ticket_keyblock(krb5_context context,
- const krb5_keyblock *key,
- krb5_ticket *ticket)
+ const krb5_keyblock *key,
+ krb5_ticket *ticket)
{
krb5_error_code retval;
krb5_data *realm;
krb5_transited *trans;
retval = krb5_decrypt_tkt_part(context, key, ticket);
- if (retval)
- goto done;
+ if (retval)
+ goto done;
trans = &ticket->enc_part2->transited;
realm = &ticket->enc_part2->client->realm;
if (trans->tr_contents.data && *trans->tr_contents.data) {
- retval = krb5_check_transited_list(context, &trans->tr_contents,
- realm, &ticket->server->realm);
- goto done;
+ retval = krb5_check_transited_list(context, &trans->tr_contents,
+ realm, &ticket->server->realm);
+ goto done;
}
- if (ticket->enc_part2->flags & TKT_FLG_INVALID) { /* ie, KDC_OPT_POSTDATED */
- retval = KRB5KRB_AP_ERR_TKT_INVALID;
- goto done;
+ if (ticket->enc_part2->flags & TKT_FLG_INVALID) { /* ie, KDC_OPT_POSTDATED */
+ retval = KRB5KRB_AP_ERR_TKT_INVALID;
+ goto done;
}
- done:
+done:
return retval;
}
krb5_error_code KRB5_CALLCONV
krb5_server_decrypt_ticket_keytab(krb5_context context,
- const krb5_keytab keytab,
- krb5_ticket *ticket)
+ const krb5_keytab keytab,
+ krb5_ticket *ticket)
{
- krb5_error_code retval;
- krb5_keytab_entry ktent;
+ krb5_error_code retval;
+ krb5_keytab_entry ktent;
retval = KRB5_KT_NOTFOUND;
if (keytab->ops->start_seq_get == NULL) {
- retval = krb5_kt_get_entry(context, keytab,
- ticket->server,
- ticket->enc_part.kvno,
- ticket->enc_part.enctype, &ktent);
- if (retval == 0) {
- retval = krb5int_server_decrypt_ticket_keyblock(context, &ktent.key, ticket);
-
- (void) krb5_free_keytab_entry_contents(context, &ktent);
- }
+ retval = krb5_kt_get_entry(context, keytab,
+ ticket->server,
+ ticket->enc_part.kvno,
+ ticket->enc_part.enctype, &ktent);
+ if (retval == 0) {
+ retval = krb5int_server_decrypt_ticket_keyblock(context, &ktent.key, ticket);
+
+ (void) krb5_free_keytab_entry_contents(context, &ktent);
+ }
} else {
- krb5_error_code code;
- krb5_kt_cursor cursor;
-
- retval = krb5_kt_start_seq_get(context, keytab, &cursor);
- if (retval != 0)
- goto map_error;
-
- while ((code = krb5_kt_next_entry(context, keytab,
- &ktent, &cursor)) == 0) {
- if (ktent.key.enctype != ticket->enc_part.enctype)
- continue;
-
- retval = krb5int_server_decrypt_ticket_keyblock(context, &ktent.key, ticket);
- if (retval == 0) {
- krb5_principal tmp;
-
- retval = krb5_copy_principal(context, ktent.principal, &tmp);
- if (retval == 0) {
- krb5_free_principal(context, ticket->server);
- ticket->server = tmp;
- }
- (void) krb5_free_keytab_entry_contents(context, &ktent);
- break;
- }
- (void) krb5_free_keytab_entry_contents(context, &ktent);
- }
-
- code = krb5_kt_end_seq_get(context, keytab, &cursor);
- if (code != 0)
- retval = code;
+ krb5_error_code code;
+ krb5_kt_cursor cursor;
+
+ retval = krb5_kt_start_seq_get(context, keytab, &cursor);
+ if (retval != 0)
+ goto map_error;
+
+ while ((code = krb5_kt_next_entry(context, keytab,
+ &ktent, &cursor)) == 0) {
+ if (ktent.key.enctype != ticket->enc_part.enctype)
+ continue;
+
+ retval = krb5int_server_decrypt_ticket_keyblock(context, &ktent.key, ticket);
+ if (retval == 0) {
+ krb5_principal tmp;
+
+ retval = krb5_copy_principal(context, ktent.principal, &tmp);
+ if (retval == 0) {
+ krb5_free_principal(context, ticket->server);
+ ticket->server = tmp;
+ }
+ (void) krb5_free_keytab_entry_contents(context, &ktent);
+ break;
+ }
+ (void) krb5_free_keytab_entry_contents(context, &ktent);
+ }
+
+ code = krb5_kt_end_seq_get(context, keytab, &cursor);
+ if (code != 0)
+ retval = code;
}
map_error:
@@ -128,13 +129,12 @@ map_error:
case KRB5_KT_KVNONOTFOUND:
case KRB5_KT_NOTFOUND:
case KRB5KRB_AP_ERR_BAD_INTEGRITY:
- retval = KRB5KRB_AP_WRONG_PRINC;
- break;
+ retval = KRB5KRB_AP_WRONG_PRINC;
+ break;
default:
- break;
+ break;
}
return retval;
}
#endif /* LEAN_CLIENT */
-
diff --git a/src/lib/krb5/krb/srv_rcache.c b/src/lib/krb5/krb/srv_rcache.c
index 7d6b68a7e..6730748f3 100644
--- a/src/lib/krb5/krb/srv_rcache.c
+++ b/src/lib/krb5/krb/srv_rcache.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/srv_rcache.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* Allocate & prepare a default replay cache for a server.
*/
@@ -35,7 +36,7 @@
#define isvalidrcname(x) ((!ispunct(x))&&isgraph(x))
krb5_error_code KRB5_CALLCONV
krb5_get_server_rcache(krb5_context context, const krb5_data *piece,
- krb5_rcache *rcptr)
+ krb5_rcache *rcptr)
{
krb5_rcache rcache = 0;
char *cachename = 0, *cachetype;
@@ -45,22 +46,22 @@ krb5_get_server_rcache(krb5_context context, const krb5_data *piece,
#ifdef HAVE_GETEUID
unsigned long uid = geteuid();
#endif
-
+
if (piece == NULL)
- return ENOMEM;
-
+ return ENOMEM;
+
cachetype = krb5_rc_default_type(context);
krb5int_buf_init_dynamic(&buf);
krb5int_buf_add(&buf, cachetype);
krb5int_buf_add(&buf, ":");
for (i = 0; i < piece->length; i++) {
- if (piece->data[i] == '-')
- krb5int_buf_add(&buf, "--");
- else if (!isvalidrcname((int) piece->data[i]))
- krb5int_buf_add_fmt(&buf, "-%03o", piece->data[i]);
- else
- krb5int_buf_add_len(&buf, &piece->data[i], 1);
+ if (piece->data[i] == '-')
+ krb5int_buf_add(&buf, "--");
+ else if (!isvalidrcname((int) piece->data[i]))
+ krb5int_buf_add_fmt(&buf, "-%03o", piece->data[i]);
+ else
+ krb5int_buf_add_len(&buf, &piece->data[i], 1);
}
#ifdef HAVE_GETEUID
krb5int_buf_add_fmt(&buf, "_%lu", uid);
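Review bot: The `isvalidrcname((int) piece->data[i])` test in the loop feeds a plain `char` to `ispunct()`/`isgraph()`, which is undefined behavior for bytes above 0x7F on platforms where `char` is signed (CERT STR37-C); principal-name bytes can be non-ASCII, so the cast should be `(unsigned char)`. The same sign issue affects the escape on the next line, where `"-%03o"` prints a negative `char` as a wide octal value instead of the intended three digits. Suggested: `else if (!isvalidrcname((unsigned char) piece->data[i]))` and `krb5int_buf_add_fmt(&buf, "-%03o", (unsigned char) piece->data[i]);`. The reindent does not touch this, and `krb5_get_server_rcache` starts before this hunk.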
@@ -68,16 +69,16 @@ krb5_get_server_rcache(krb5_context context, const krb5_data *piece,
cachename = krb5int_buf_data(&buf);
if (cachename == NULL)
- return ENOMEM;
+ return ENOMEM;
retval = krb5_rc_resolve_full(context, &rcache, cachename);
if (retval)
- goto cleanup;
+ goto cleanup;
retval = krb5_rc_recover_or_initialize(context, rcache,
- context->clockskew);
+ context->clockskew);
if (retval)
- goto cleanup;
+ goto cleanup;
*rcptr = rcache;
rcache = 0;
@@ -85,8 +86,8 @@ krb5_get_server_rcache(krb5_context context, const krb5_data *piece,
cleanup:
if (rcache)
- krb5_rc_close(context, rcache);
+ krb5_rc_close(context, rcache);
if (cachename)
- free(cachename);
+ free(cachename);
return retval;
}
diff --git a/src/lib/krb5/krb/str_conv.c b/src/lib/krb5/krb/str_conv.c
index 531eba126..1f2edcc66 100644
--- a/src/lib/krb5/krb/str_conv.c
+++ b/src/lib/krb5/krb/str_conv.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/kadm/str_conv.c
*
@@ -34,16 +35,16 @@
*
* String decoding:
* ----------------
- * krb5_string_to_salttype() - Convert string to salttype (krb5_int32)
- * krb5_string_to_timestamp() - Convert string to krb5_timestamp.
- * krb5_string_to_deltat() - Convert string to krb5_deltat.
+ * krb5_string_to_salttype() - Convert string to salttype (krb5_int32)
+ * krb5_string_to_timestamp() - Convert string to krb5_timestamp.
+ * krb5_string_to_deltat() - Convert string to krb5_deltat.
*
* String encoding:
* ----------------
- * krb5_salttype_to_string() - Convert salttype (krb5_int32) to string.
- * krb5_timestamp_to_string() - Convert krb5_timestamp to string.
- * krb5_timestamp_to_sfstring() - Convert krb5_timestamp to short filled string
- * krb5_deltat_to_string() - Convert krb5_deltat to string.
+ * krb5_salttype_to_string() - Convert salttype (krb5_int32) to string.
+ * krb5_timestamp_to_string() - Convert krb5_timestamp to string.
+ * krb5_timestamp_to_sfstring() - Convert krb5_timestamp to short filled string
+ * krb5_deltat_to_string() - Convert krb5_deltat to string.
*/
#include "k5-int.h"
@@ -55,9 +56,9 @@
* Local data structures.
*/
struct salttype_lookup_entry {
- krb5_int32 stt_enctype; /* Salt type */
- const char * stt_specifier; /* How to recognize it */
- const char * stt_output; /* How to spit it out */
+ krb5_int32 stt_enctype; /* Salt type */
+ const char * stt_specifier; /* How to recognize it */
+ const char * stt_output; /* How to spit it out */
};
/*
@@ -66,20 +67,20 @@ struct salttype_lookup_entry {
#include "kdb.h"
static const struct salttype_lookup_entry salttype_table[] = {
-/* salt type input specifier output string */
-/*----------------------------- --------------- ---------------*/
-{ KRB5_KDB_SALTTYPE_NORMAL, "normal", "Version 5" },
-{ KRB5_KDB_SALTTYPE_V4, "v4", "Version 4" },
-{ KRB5_KDB_SALTTYPE_NOREALM, "norealm", "Version 5 - No Realm" },
-{ KRB5_KDB_SALTTYPE_ONLYREALM, "onlyrealm", "Version 5 - Realm Only" },
-{ KRB5_KDB_SALTTYPE_SPECIAL, "special", "Special" },
-{ KRB5_KDB_SALTTYPE_AFS3, "afs3", "AFS version 3" },
+/* salt type input specifier output string */
+/*----------------------------- --------------- ---------------*/
+ { KRB5_KDB_SALTTYPE_NORMAL, "normal", "Version 5" },
+ { KRB5_KDB_SALTTYPE_V4, "v4", "Version 4" },
+ { KRB5_KDB_SALTTYPE_NOREALM, "norealm", "Version 5 - No Realm" },
+ { KRB5_KDB_SALTTYPE_ONLYREALM, "onlyrealm", "Version 5 - Realm Only" },
+ { KRB5_KDB_SALTTYPE_SPECIAL, "special", "Special" },
+ { KRB5_KDB_SALTTYPE_AFS3, "afs3", "AFS version 3" },
#if PKINIT_APPLE
-{ KRB5_KDB_SALTTYPE_CERTHASH, "certhash", "PKINIT Cert Hash" }
+ { KRB5_KDB_SALTTYPE_CERTHASH, "certhash", "PKINIT Cert Hash" }
#endif /* PKINIT_APPLE */
};
static const int salttype_table_nents = sizeof(salttype_table)/
- sizeof(salttype_table[0]);
+ sizeof(salttype_table[0]);
krb5_error_code KRB5_CALLCONV
krb5_string_to_salttype(char *string, krb5_int32 *salttypep)
@@ -89,11 +90,11 @@ krb5_string_to_salttype(char *string, krb5_int32 *salttypep)
found = 0;
for (i=0; i<salttype_table_nents; i++) {
- if (!strcasecmp(string, salttype_table[i].stt_specifier)) {
- found = 1;
- *salttypep = salttype_table[i].stt_enctype;
- break;
- }
+ if (!strcasecmp(string, salttype_table[i].stt_specifier)) {
+ found = 1;
+ *salttypep = salttype_table[i].stt_enctype;
+ break;
+ }
}
return((found) ? 0 : EINVAL);
}
@@ -112,18 +113,18 @@ krb5_salttype_to_string(krb5_int32 salttype, char *buffer, size_t buflen)
out = (char *) NULL;
for (i=0; i<salttype_table_nents; i++) {
- if (salttype == salttype_table[i].stt_enctype) {
- out = salttype_table[i].stt_output;
- break;
- }
+ if (salttype == salttype_table[i].stt_enctype) {
+ out = salttype_table[i].stt_output;
+ break;
+ }
}
if (out) {
- if (strlcpy(buffer, out, buflen) >= buflen)
- return(ENOMEM);
- return(0);
+ if (strlcpy(buffer, out, buflen) >= buflen)
+ return(ENOMEM);
+ return(0);
}
else
- return(EINVAL);
+ return(EINVAL);
}
/* (absolute) time conversions */
@@ -137,7 +138,7 @@ static size_t strftime (char *, size_t, const char *, const struct tm *);
#ifdef HAVE_STRPTIME
#ifdef NEED_STRPTIME_PROTO
extern char *strptime (const char *, const char *,
- struct tm *)
+ struct tm *)
#ifdef __cplusplus
throw()
#endif
@@ -155,7 +156,7 @@ localtime_r(const time_t *t, struct tm *buf)
{
struct tm *tm = localtime(t);
if (tm == NULL)
- return NULL;
+ return NULL;
*buf = *tm;
return buf;
}
@@ -169,47 +170,47 @@ krb5_string_to_timestamp(char *string, krb5_timestamp *timestampp)
time_t now, ret_time;
char *s;
static const char * const atime_format_table[] = {
- "%Y%m%d%H%M%S", /* yyyymmddhhmmss */
- "%Y.%m.%d.%H.%M.%S", /* yyyy.mm.dd.hh.mm.ss */
- "%y%m%d%H%M%S", /* yymmddhhmmss */
- "%y.%m.%d.%H.%M.%S", /* yy.mm.dd.hh.mm.ss */
- "%y%m%d%H%M", /* yymmddhhmm */
- "%H%M%S", /* hhmmss */
- "%H%M", /* hhmm */
- "%T", /* hh:mm:ss */
- "%R", /* hh:mm */
- /* The following not really supported unless native strptime present */
- "%x:%X", /* locale-dependent short format */
- "%d-%b-%Y:%T", /* dd-month-yyyy:hh:mm:ss */
- "%d-%b-%Y:%R" /* dd-month-yyyy:hh:mm */
+ "%Y%m%d%H%M%S", /* yyyymmddhhmmss */
+ "%Y.%m.%d.%H.%M.%S", /* yyyy.mm.dd.hh.mm.ss */
+ "%y%m%d%H%M%S", /* yymmddhhmmss */
+ "%y.%m.%d.%H.%M.%S", /* yy.mm.dd.hh.mm.ss */
+ "%y%m%d%H%M", /* yymmddhhmm */
+ "%H%M%S", /* hhmmss */
+ "%H%M", /* hhmm */
+ "%T", /* hh:mm:ss */
+ "%R", /* hh:mm */
+ /* The following not really supported unless native strptime present */
+ "%x:%X", /* locale-dependent short format */
+ "%d-%b-%Y:%T", /* dd-month-yyyy:hh:mm:ss */
+ "%d-%b-%Y:%R" /* dd-month-yyyy:hh:mm */
};
static const int atime_format_table_nents =
- sizeof(atime_format_table)/sizeof(atime_format_table[0]);
+ sizeof(atime_format_table)/sizeof(atime_format_table[0]);
now = time((time_t *) NULL);
if (localtime_r(&now, &timebuf2) == NULL)
- return EINVAL;
+ return EINVAL;
for (i=0; i<atime_format_table_nents; i++) {
/* We reset every time throughout the loop as the manual page
- * indicated that no guarantees are made as to preserving timebuf
- * when parsing fails
- */
- timebuf = timebuf2;
- if ((s = strptime(string, atime_format_table[i], &timebuf))
- && (s != string)) {
- /* See if at end of buffer - otherwise partial processing */
- while(*s != 0 && isspace((int) *s)) s++;
- if (*s != 0)
- continue;
- if (timebuf.tm_year <= 0)
- continue; /* clearly confused */
- ret_time = mktime(&timebuf);
- if (ret_time == (time_t) -1)
- continue; /* clearly confused */
- *timestampp = (krb5_timestamp) ret_time;
- return 0;
- }
+ * indicated that no guarantees are made as to preserving timebuf
+ * when parsing fails
+ */
+ timebuf = timebuf2;
+ if ((s = strptime(string, atime_format_table[i], &timebuf))
+ && (s != string)) {
+ /* See if at end of buffer - otherwise partial processing */
+ while(*s != 0 && isspace((int) *s)) s++;
+ if (*s != 0)
+ continue;
+ if (timebuf.tm_year <= 0)
+ continue; /* clearly confused */
+ ret_time = mktime(&timebuf);
+ if (ret_time == (time_t) -1)
+ continue; /* clearly confused */
+ *timestampp = (krb5_timestamp) ret_time;
+ return 0;
+ }
}
return(EINVAL);
}
@@ -220,8 +221,8 @@ krb5_timestamp_to_string(krb5_timestamp timestamp, char *buffer, size_t buflen)
size_t ret;
time_t timestamp2 = timestamp;
struct tm tmbuf;
- const char *fmt = "%c"; /* This is to get around gcc -Wall warning that
- the year returned might be two digits */
+ const char *fmt = "%c"; /* This is to get around gcc -Wall warning that
+ the year returned might be two digits */
#ifdef HAVE_LOCALTIME_R
(void) localtime_r(&timestamp2, &tmbuf);
@@ -230,27 +231,27 @@ krb5_timestamp_to_string(krb5_timestamp timestamp, char *buffer, size_t buflen)
#endif
ret = strftime(buffer, buflen, fmt, &tmbuf);
if (ret == 0 || ret == buflen)
- return(ENOMEM);
+ return(ENOMEM);
return(0);
}
krb5_error_code KRB5_CALLCONV
krb5_timestamp_to_sfstring(krb5_timestamp timestamp, char *buffer, size_t buflen, char *pad)
{
- struct tm *tmp;
+ struct tm *tmp;
size_t i;
- size_t ndone;
+ size_t ndone;
time_t timestamp2 = timestamp;
struct tm tmbuf;
static const char * const sftime_format_table[] = {
- "%c", /* Default locale-dependent date and time */
- "%d %b %Y %T", /* dd mon yyyy hh:mm:ss */
- "%x %X", /* locale-dependent short format */
- "%d/%m/%Y %R" /* dd/mm/yyyy hh:mm */
+ "%c", /* Default locale-dependent date and time */
+ "%d %b %Y %T", /* dd mon yyyy hh:mm:ss */
+ "%x %X", /* locale-dependent short format */
+ "%d/%m/%Y %R" /* dd/mm/yyyy hh:mm */
};
static const unsigned int sftime_format_table_nents =
- sizeof(sftime_format_table)/sizeof(sftime_format_table[0]);
+ sizeof(sftime_format_table)/sizeof(sftime_format_table[0]);
#ifdef HAVE_LOCALTIME_R
tmp = localtime_r(&timestamp2, &tmbuf);
@@ -259,22 +260,22 @@ krb5_timestamp_to_sfstring(krb5_timestamp timestamp, char *buffer, size_t buflen
#endif
ndone = 0;
for (i=0; i<sftime_format_table_nents; i++) {
- if ((ndone = strftime(buffer, buflen, sftime_format_table[i], tmp)))
- break;
+ if ((ndone = strftime(buffer, buflen, sftime_format_table[i], tmp)))
+ break;
}
if (!ndone) {
-#define sftime_default_len 2+1+2+1+4+1+2+1+2+1
- if (buflen >= sftime_default_len) {
- snprintf(buffer, buflen, "%02d/%02d/%4d %02d:%02d",
- tmp->tm_mday, tmp->tm_mon+1, 1900+tmp->tm_year,
- tmp->tm_hour, tmp->tm_min);
- ndone = strlen(buffer);
- }
+#define sftime_default_len 2+1+2+1+4+1+2+1+2+1
+ if (buflen >= sftime_default_len) {
+ snprintf(buffer, buflen, "%02d/%02d/%4d %02d:%02d",
+ tmp->tm_mday, tmp->tm_mon+1, 1900+tmp->tm_year,
+ tmp->tm_hour, tmp->tm_min);
+ ndone = strlen(buffer);
+ }
}
if (ndone && pad) {
- for (i=ndone; i<buflen-1; i++)
- buffer[i] = *pad;
- buffer[buflen-1] = '\0';
+ for (i=ndone; i<buflen-1; i++)
+ buffer[i] = *pad;
+ buffer[buflen-1] = '\0';
}
return((ndone) ? 0 : ENOMEM);
}
@@ -286,8 +287,8 @@ krb5_timestamp_to_sfstring(krb5_timestamp timestamp, char *buffer, size_t buflen
krb5_error_code KRB5_CALLCONV
krb5_deltat_to_string(krb5_deltat deltat, char *buffer, size_t buflen)
{
- int days, hours, minutes, seconds;
- krb5_deltat dt;
+ int days, hours, minutes, seconds;
+ krb5_deltat dt;
/*
* We want something like ceil(log10(2**(nbits-1))) + 1. That log
@@ -298,7 +299,7 @@ krb5_deltat_to_string(krb5_deltat deltat, char *buffer, size_t buflen)
*
* This will break if bytes are more than 8 bits.
*/
-#define MAX_CHARS_FOR_INT_TYPE(TYPE) ((int) (2 + 2.408241 * sizeof (TYPE)))
+#define MAX_CHARS_FOR_INT_TYPE(TYPE) ((int) (2 + 2.408241 * sizeof (TYPE)))
char tmpbuf[MAX_CHARS_FOR_INT_TYPE(int) * 4 + 8];
days = (int) (deltat / (24*3600L));
@@ -310,22 +311,22 @@ krb5_deltat_to_string(krb5_deltat deltat, char *buffer, size_t buflen)
memset (tmpbuf, 0, sizeof (tmpbuf));
if (days == 0)
- snprintf(buffer, buflen, "%d:%02d:%02d", hours, minutes, seconds);
+ snprintf(buffer, buflen, "%d:%02d:%02d", hours, minutes, seconds);
else if (hours || minutes || seconds)
- snprintf(buffer, buflen, "%d %s %02d:%02d:%02d", days,
- (days > 1) ? "days" : "day",
- hours, minutes, seconds);
+ snprintf(buffer, buflen, "%d %s %02d:%02d:%02d", days,
+ (days > 1) ? "days" : "day",
+ hours, minutes, seconds);
else
- snprintf(buffer, buflen, "%d %s", days,
- (days > 1) ? "days" : "day");
+ snprintf(buffer, buflen, "%d %s", days,
+ (days > 1) ? "days" : "day");
if (tmpbuf[sizeof(tmpbuf)-1] != 0)
- /* Something must be very wrong with my math above, or the
- assumptions going into it... */
- abort ();
+ /* Something must be very wrong with my math above, or the
+ assumptions going into it... */
+ abort ();
if (strlen (tmpbuf) > buflen)
- return ENOMEM;
+ return ENOMEM;
else
- strncpy (buffer, tmpbuf, buflen);
+ strncpy (buffer, tmpbuf, buflen);
return 0;
}
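Review bot: The tail of this hunk copies `tmpbuf` into `buffer`, but all three `snprintf` calls above it write into `buffer`, never `tmpbuf`; `tmpbuf` is only ever zeroed by the `memset`, so `strlen(tmpbuf)` is 0 and the final `strncpy(buffer, tmpbuf, buflen)` overwrites the formatted result with an empty string. As written the function appears to always return an empty `buffer` on success; the reindent does not change this, and `krb5_deltat_to_string` begins in an earlier hunk, so I am inferring the declaration of `tmpbuf` from that context. Since `snprintf` already bounds the write, the `tmpbuf`/`abort`/`strncpy` block can be dropped and truncation detected from the `snprintf` return value, keeping the `ENOMEM` contract. The `int n` below would be declared with the other locals at the top of the function, outside this hunk.
```c
    int n;
    /* … unchanged: days/hours/minutes/seconds split, memset(tmpbuf) no longer needed … */
    if (days == 0)
        n = snprintf(buffer, buflen, "%d:%02d:%02d", hours, minutes, seconds);
    else if (hours || minutes || seconds)
        n = snprintf(buffer, buflen, "%d %s %02d:%02d:%02d", days,
                     (days > 1) ? "days" : "day",
                     hours, minutes, seconds);
    else
        n = snprintf(buffer, buflen, "%d %s", days,
                     (days > 1) ? "days" : "day");
    /* snprintf bounds the write; a result of buflen or more means truncation. */
    if (n < 0 || (size_t) n >= buflen)
        return ENOMEM;
    return 0;
```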
@@ -348,10 +349,10 @@ struct dummy_locale_info_t {
char am_pm[2][3];
};
static const struct dummy_locale_info_t dummy_locale_info = {
- "%a %b %d %X %Y", /* %c */
- "%I:%M:%S %p", /* %r */
- "%H:%M:%S", /* %X */
- "%m/%d/%y", /* %x */
+ "%a %b %d %X %Y", /* %c */
+ "%I:%M:%S %p", /* %r */
+ "%H:%M:%S", /* %X */
+ "%m/%d/%y", /* %x */
{ "Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday",
"Saturday" },
{ "Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat" },
@@ -373,7 +374,7 @@ static const struct dummy_locale_info_t dummy_locale_info = {
#undef DAYSPERWEEK
#define DAYSPERWEEK 7
#undef isleap
-#define isleap(N) ((N % 4) == 0 && (N % 100 != 0 || N % 400 == 0))
+#define isleap(N) ((N % 4) == 0 && (N % 100 != 0 || N % 400 == 0))
#undef tzname
#define tzname my_tzname
static const char *const tzname[2] = { 0, 0 };
diff --git a/src/lib/krb5/krb/strptime.c b/src/lib/krb5/krb/strptime.c
index ac52d5c22..ffe90d4c9 100644
--- a/src/lib/krb5/krb/strptime.c
+++ b/src/lib/krb5/krb/strptime.c
@@ -82,7 +82,7 @@ strptime(buf, fmt, tm)
fmt++;
continue;
}
-
+
if ((c = *fmt++) != '%')
goto literal;
@@ -107,7 +107,7 @@ literal:
LEGAL_ALT(0);
alt_format |= ALT_O;
goto again;
-
+
/*
* "Complex" conversion rules, implemented through recursion.
*/
diff --git a/src/lib/krb5/krb/t_ad_fx_armor.c b/src/lib/krb5/krb/t_ad_fx_armor.c
index 74d7e5f1a..73dbb3a6f 100644
--- a/src/lib/krb5/krb/t_ad_fx_armor.c
+++ b/src/lib/krb5/krb/t_ad_fx_armor.c
@@ -1,13 +1,14 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
#include <memory.h>
#include <stdio.h>
#include <krb5/krb5.h>
-#define test(x) do {retval = (x); \
- if(retval != 0) { \
- const char *errmsg = krb5_get_error_message(context, retval); \
- fprintf(stderr, "Error message: %s\n", errmsg); \
- abort(); } \
- } while(0);
+#define test(x) do {retval = (x); \
+ if(retval != 0) { \
+ const char *errmsg = krb5_get_error_message(context, retval); \
+ fprintf(stderr, "Error message: %s\n", errmsg); \
+ abort(); } \
+ } while(0);
krb5_authdata ad_fx_armor = {0, KRB5_AUTHDATA_FX_ARMOR, 1, ""};
krb5_authdata *array[] = {&ad_fx_armor, NULL};
@@ -32,5 +33,5 @@ int main( int argc, char **argv)
test(krb5_cc_store_cred(context, ccache, out_creds));
test(krb5_cc_close(context,ccache));
return 0;
-
-}
+
+}
diff --git a/src/lib/krb5/krb/t_authdata.c b/src/lib/krb5/krb/t_authdata.c
index 86838cead..ed847dfbd 100644
--- a/src/lib/krb5/krb/t_authdata.c
+++ b/src/lib/krb5/krb/t_authdata.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/t_authdata.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,8 +23,8 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
- *
+ *
+ *
*
* Test authorization data search
*/
@@ -34,25 +35,25 @@
#include <memory.h>
krb5_authdata ad1 = {
- KV5M_AUTHDATA,
- 22,
- 4,
- (unsigned char *) "abcd"};
+ KV5M_AUTHDATA,
+ 22,
+ 4,
+ (unsigned char *) "abcd"};
krb5_authdata ad2 = {
- KV5M_AUTHDATA,
- 23,
- 5,
- (unsigned char *) "abcde"
+ KV5M_AUTHDATA,
+ 23,
+ 5,
+ (unsigned char *) "abcde"
};
krb5_authdata ad3= {
- KV5M_AUTHDATA,
- 22,
- 3,
- (unsigned char *) "ab"
+ KV5M_AUTHDATA,
+ 22,
+ 3,
+ (unsigned char *) "ab"
};
/* we want three results in the return from krb5int_find_authdata so
-it has to grow its list.
+ it has to grow its list.
*/
krb5_authdata ad4 = {
KV5M_AUTHDATA,
@@ -73,12 +74,12 @@ krb5_keyblock key = {
};
static void compare_authdata(const krb5_authdata *adc1, krb5_authdata *adc2) {
- assert(adc1->ad_type == adc2->ad_type);
- assert(adc1->length == adc2->length);
- assert(memcmp(adc1->contents, adc2->contents, adc1->length) == 0);
+ assert(adc1->ad_type == adc2->ad_type);
+ assert(adc1->length == adc2->length);
+ assert(memcmp(adc1->contents, adc2->contents, adc1->length) == 0);
}
-int main()
+int main()
{
krb5_context context;
krb5_authdata **results;
@@ -98,7 +99,7 @@ int main()
container[1] = NULL;
assert(krb5_encode_authdata_container( context, KRB5_AUTHDATA_IF_RELEVANT, container, &container_out) == 0);
assert(krb5int_find_authdata(context,
- adseq1, container_out, 22, &results) == 0);
+ adseq1, container_out, 22, &results) == 0);
compare_authdata(&ad1, results[0]);
compare_authdata( results[1], &ad4);
compare_authdata( results[2], &ad3);
diff --git a/src/lib/krb5/krb/t_deltat.c b/src/lib/krb5/krb/t_deltat.c
index a07ba4232..dcf14af67 100644
--- a/src/lib/krb5/krb/t_deltat.c
+++ b/src/lib/krb5/krb/t_deltat.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/t_deltat.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*/
#include "k5-int.h"
@@ -31,9 +32,9 @@ int
main (void)
{
struct {
- char *string;
- krb5_deltat expected;
- int is_error;
+ char *string;
+ krb5_deltat expected;
+ int is_error;
#define GOOD(STR,VAL) { STR, VAL, 0 }
#define BAD(STR) { STR, 0, 1 }
#define DAY (24 * 3600)
@@ -43,116 +44,116 @@ main (void)
#endif
#define MIN 60
} values[] = {
- /* d-h-m-s patterns */
- GOOD ("3d", 3*DAY),
- GOOD ("3h", 3*HOUR),
- GOOD ("3m", 3*MIN),
- GOOD ("3s", 3),
- BAD ("3dd"),
- GOOD ("3d4m 42s", 3 * DAY + 4 * MIN + 42),
- GOOD ("3d-1h", 3 * DAY - 1 * HOUR),
- GOOD ("3d -1h", 3 * DAY - HOUR),
- GOOD ("3d4h5m6s", 3 * DAY + 4 * HOUR + 5 * MIN + 6),
- BAD ("3d4m5h"),
- GOOD ("12345s", 12345),
- GOOD ("1m 12345s", MIN + 12345),
- GOOD ("1m12345s", MIN + 12345),
- GOOD ("3d 0m", 3 * DAY),
- GOOD ("3d 0m ", 3 * DAY),
- GOOD ("3d \n\t 0m ", 3 * DAY),
- /* colon patterns */
- GOOD ("42-13:42:47", 42 * DAY + 13 * HOUR + 42 * MIN + 47),
- BAD ("3: 4"),
- BAD ("13:0003"),
- GOOD ("12:34", 12 * HOUR + 34 * MIN),
- GOOD ("1:02:03", 1 * HOUR + 2 * MIN + 3),
- BAD ("3:-4"),
- /* XX We might want to require exactly two digits after a colon? */
- GOOD ("3:4", 3 * HOUR + 4 * MIN),
- /* misc */
- GOOD ("42", 42),
- BAD ("1-2"),
- /* Test overflow limitations */
- GOOD ("2147483647s", 2147483647),
- BAD ("2147483648s"),
- GOOD ("24855d", 24855 * DAY),
- BAD ("24856d"),
- BAD ("24855d 100000000h"),
- GOOD ("24855d 3h", 24855 * DAY + 3 * HOUR),
- BAD ("24855d 4h"),
- GOOD ("24855d 11647s", 24855 * DAY + 11647),
- BAD ("24855d 11648s"),
- GOOD ("24855d 194m 7s", 24855 * DAY + 194 * MIN + 7),
- BAD ("24855d 194m 8s"),
- BAD ("24855d 195m"),
- BAD ("24855d 19500000000m"),
- GOOD ("24855d 3h 14m 7s", 24855 * DAY + 3 * HOUR + 14 * MIN + 7),
- BAD ("24855d 3h 14m 8s"),
- GOOD ("596523h", 596523 * HOUR),
- BAD ("596524h"),
- GOOD ("596523h 847s", 596523 * HOUR + 847),
- BAD ("596523h 848s"),
- GOOD ("596523h 14m 7s", 596523 * HOUR + 14 * MIN + 7),
- BAD ("596523h 14m 8s"),
- GOOD ("35791394m", 35791394 * MIN),
- GOOD ("35791394m7s", 35791394 * MIN + 7),
- BAD ("35791394m8s"),
- /* Test underflow */
- GOOD ("-2147483647s", -2147483647),
- /* This should be valid, but isn't */
- /*BAD ("-2147483648s"),*/
- GOOD ("-24855d", -24855 * DAY),
- BAD ("-24856d"),
- BAD ("-24855d -100000000h"),
- GOOD ("-24855d -3h", -24855 * DAY - 3 * HOUR),
- BAD ("-24855d -4h"),
- GOOD ("-24855d -11647s", -24855 * DAY - 11647),
- BAD ("-24855d -11649s"),
- GOOD ("-24855d -194m -7s", -24855 * DAY - 194 * MIN - 7),
- BAD ("-24855d -194m -9s"),
- BAD ("-24855d -195m"),
- BAD ("-24855d -19500000000m"),
- GOOD ("-24855d -3h -14m -7s", -24855 * DAY - 3 * HOUR - 14 * MIN - 7),
- BAD ("-24855d -3h -14m -9s"),
- GOOD ("-596523h", -596523 * HOUR),
- BAD ("-596524h"),
- GOOD ("-596523h -847s", -596523 * HOUR - 847),
- GOOD ("-596523h -848s", -596523 * HOUR - 848),
- BAD ("-596523h -849s"),
- GOOD ("-596523h -14m -8s", -596523 * HOUR - 14 * MIN - 8),
- BAD ("-596523h -14m -9s"),
- GOOD ("-35791394m", -35791394 * MIN),
- GOOD ("-35791394m7s", -35791394 * MIN + 7),
- BAD ("-35791394m-9s"),
-
+ /* d-h-m-s patterns */
+ GOOD ("3d", 3*DAY),
+ GOOD ("3h", 3*HOUR),
+ GOOD ("3m", 3*MIN),
+ GOOD ("3s", 3),
+ BAD ("3dd"),
+ GOOD ("3d4m 42s", 3 * DAY + 4 * MIN + 42),
+ GOOD ("3d-1h", 3 * DAY - 1 * HOUR),
+ GOOD ("3d -1h", 3 * DAY - HOUR),
+ GOOD ("3d4h5m6s", 3 * DAY + 4 * HOUR + 5 * MIN + 6),
+ BAD ("3d4m5h"),
+ GOOD ("12345s", 12345),
+ GOOD ("1m 12345s", MIN + 12345),
+ GOOD ("1m12345s", MIN + 12345),
+ GOOD ("3d 0m", 3 * DAY),
+ GOOD ("3d 0m ", 3 * DAY),
+ GOOD ("3d \n\t 0m ", 3 * DAY),
+ /* colon patterns */
+ GOOD ("42-13:42:47", 42 * DAY + 13 * HOUR + 42 * MIN + 47),
+ BAD ("3: 4"),
+ BAD ("13:0003"),
+ GOOD ("12:34", 12 * HOUR + 34 * MIN),
+ GOOD ("1:02:03", 1 * HOUR + 2 * MIN + 3),
+ BAD ("3:-4"),
+ /* XX We might want to require exactly two digits after a colon? */
+ GOOD ("3:4", 3 * HOUR + 4 * MIN),
+ /* misc */
+ GOOD ("42", 42),
+ BAD ("1-2"),
+ /* Test overflow limitations */
+ GOOD ("2147483647s", 2147483647),
+ BAD ("2147483648s"),
+ GOOD ("24855d", 24855 * DAY),
+ BAD ("24856d"),
+ BAD ("24855d 100000000h"),
+ GOOD ("24855d 3h", 24855 * DAY + 3 * HOUR),
+ BAD ("24855d 4h"),
+ GOOD ("24855d 11647s", 24855 * DAY + 11647),
+ BAD ("24855d 11648s"),
+ GOOD ("24855d 194m 7s", 24855 * DAY + 194 * MIN + 7),
+ BAD ("24855d 194m 8s"),
+ BAD ("24855d 195m"),
+ BAD ("24855d 19500000000m"),
+ GOOD ("24855d 3h 14m 7s", 24855 * DAY + 3 * HOUR + 14 * MIN + 7),
+ BAD ("24855d 3h 14m 8s"),
+ GOOD ("596523h", 596523 * HOUR),
+ BAD ("596524h"),
+ GOOD ("596523h 847s", 596523 * HOUR + 847),
+ BAD ("596523h 848s"),
+ GOOD ("596523h 14m 7s", 596523 * HOUR + 14 * MIN + 7),
+ BAD ("596523h 14m 8s"),
+ GOOD ("35791394m", 35791394 * MIN),
+ GOOD ("35791394m7s", 35791394 * MIN + 7),
+ BAD ("35791394m8s"),
+ /* Test underflow */
+ GOOD ("-2147483647s", -2147483647),
+ /* This should be valid, but isn't */
+ /*BAD ("-2147483648s"),*/
+ GOOD ("-24855d", -24855 * DAY),
+ BAD ("-24856d"),
+ BAD ("-24855d -100000000h"),
+ GOOD ("-24855d -3h", -24855 * DAY - 3 * HOUR),
+ BAD ("-24855d -4h"),
+ GOOD ("-24855d -11647s", -24855 * DAY - 11647),
+ BAD ("-24855d -11649s"),
+ GOOD ("-24855d -194m -7s", -24855 * DAY - 194 * MIN - 7),
+ BAD ("-24855d -194m -9s"),
+ BAD ("-24855d -195m"),
+ BAD ("-24855d -19500000000m"),
+ GOOD ("-24855d -3h -14m -7s", -24855 * DAY - 3 * HOUR - 14 * MIN - 7),
+ BAD ("-24855d -3h -14m -9s"),
+ GOOD ("-596523h", -596523 * HOUR),
+ BAD ("-596524h"),
+ GOOD ("-596523h -847s", -596523 * HOUR - 847),
+ GOOD ("-596523h -848s", -596523 * HOUR - 848),
+ BAD ("-596523h -849s"),
+ GOOD ("-596523h -14m -8s", -596523 * HOUR - 14 * MIN - 8),
+ BAD ("-596523h -14m -9s"),
+ GOOD ("-35791394m", -35791394 * MIN),
+ GOOD ("-35791394m7s", -35791394 * MIN + 7),
+ BAD ("-35791394m-9s"),
+
};
int fail = 0;
int i;
for (i = 0; i < sizeof(values)/sizeof(values[0]); i++) {
- krb5_deltat result;
- krb5_error_code code;
+ krb5_deltat result;
+ krb5_error_code code;
- code = krb5_string_to_deltat (values[i].string, &result);
- if (code && !values[i].is_error) {
- fprintf (stderr, "unexpected error for `%s'\n", values[i].string);
- fail++;
- } else if (!code && values[i].is_error) {
- fprintf (stderr, "expected but didn't get error for `%s'\n",
- values[i].string);
- fail++;
- } else if (code && values[i].is_error) {
- /* do nothing */
- } else if (result != values[i].expected) {
- fprintf (stderr, "got %ld instead of expected %ld for `%s'\n",
- (long) result, (long) values[i].expected,
- values[i].string);
- fail++;
- }
+ code = krb5_string_to_deltat (values[i].string, &result);
+ if (code && !values[i].is_error) {
+ fprintf (stderr, "unexpected error for `%s'\n", values[i].string);
+ fail++;
+ } else if (!code && values[i].is_error) {
+ fprintf (stderr, "expected but didn't get error for `%s'\n",
+ values[i].string);
+ fail++;
+ } else if (code && values[i].is_error) {
+ /* do nothing */
+ } else if (result != values[i].expected) {
+ fprintf (stderr, "got %ld instead of expected %ld for `%s'\n",
+ (long) result, (long) values[i].expected,
+ values[i].string);
+ fail++;
+ }
}
if (fail == 0)
- printf ("Passed all %d tests.\n", i);
+ printf ("Passed all %d tests.\n", i);
else
- printf ("Failed %d of %d tests.\n", fail, i);
+ printf ("Failed %d of %d tests.\n", fail, i);
return fail;
}
diff --git a/src/lib/krb5/krb/t_etypes.c b/src/lib/krb5/krb/t_etypes.c
index 0d89fd0af..4af7918e5 100644
--- a/src/lib/krb5/krb/t_etypes.c
+++ b/src/lib/krb5/krb/t_etypes.c
@@ -1,4 +1,4 @@
-/* -*- mode: c; indent-tabs-mode: nil -*- */
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* t_etypes.c -- test program for krb5int_parse_enctype_list
*
@@ -201,4 +201,3 @@ main(int argc, char **argv)
return 0;
}
-
diff --git a/src/lib/krb5/krb/t_expand.c b/src/lib/krb5/krb/t_expand.c
index a8b2757df..b108e4bbd 100644
--- a/src/lib/krb5/krb/t_expand.c
+++ b/src/lib/krb5/krb/t_expand.c
@@ -1,2 +1,3 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
#define TEST
#include "chk_trans.c"
diff --git a/src/lib/krb5/krb/t_kerb.c b/src/lib/krb5/krb/t_kerb.c
index 8627922b2..465282561 100644
--- a/src/lib/krb5/krb/t_kerb.c
+++ b/src/lib/krb5/krb/t_kerb.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* This driver routine is used to test many of the standard Kerberos library
* routines.
@@ -26,14 +27,14 @@ void usage (char *);
void test_string_to_timestamp(krb5_context ctx, char *ktime)
{
- krb5_timestamp timestamp;
- time_t t;
- krb5_error_code retval;
+ krb5_timestamp timestamp;
+ time_t t;
+ krb5_error_code retval;
retval = krb5_string_to_timestamp(ktime, &timestamp);
if (retval) {
- com_err("krb5_string_to_timestamp", retval, 0);
- return;
+ com_err("krb5_string_to_timestamp", retval, 0);
+ return;
}
t = (time_t) timestamp;
printf("Parsed time was %s", ctime(&t));
@@ -41,22 +42,22 @@ void test_string_to_timestamp(krb5_context ctx, char *ktime)
void test_425_conv_principal(krb5_context ctx, char *name, char *inst, char *realm)
{
- krb5_error_code retval;
- krb5_principal princ;
- char *out_name;
+ krb5_error_code retval;
+ krb5_principal princ;
+ char *out_name;
retval = krb5_425_conv_principal(ctx, name, inst, realm, &princ);
if (retval) {
- com_err("krb5_425_conv_principal", retval, 0);
- return;
+ com_err("krb5_425_conv_principal", retval, 0);
+ return;
}
retval = krb5_unparse_name(ctx, princ, &out_name);
if (retval) {
- com_err("krb5_unparse_name", retval, 0);
- return;
+ com_err("krb5_unparse_name", retval, 0);
+ return;
}
printf("425_converted principal(%s, %s, %s): '%s'\n",
- name, inst, realm, out_name);
+ name, inst, realm, out_name);
free(out_name);
krb5_free_principal(ctx, princ);
}
@@ -73,98 +74,98 @@ void test_524_conv_principal(krb5_context ctx, char *name)
aname[ANAME_SZ] = inst[INST_SZ] = realm[REALM_SZ] = 0;
retval = krb5_parse_name(ctx, name, &princ);
if (retval) {
- com_err("krb5_parse_name", retval, 0);
- goto fail;
+ com_err("krb5_parse_name", retval, 0);
+ goto fail;
}
retval = krb5_524_conv_principal(ctx, princ, aname, inst, realm);
if (retval) {
- com_err("krb5_524_conv_principal", retval, 0);
- goto fail;
+ com_err("krb5_524_conv_principal", retval, 0);
+ goto fail;
}
printf("524_converted_principal(%s): '%s' '%s' '%s'\n",
- name, aname, inst, realm);
- fail:
+ name, aname, inst, realm);
+fail:
if (princ)
- krb5_free_principal (ctx, princ);
+ krb5_free_principal (ctx, princ);
}
void test_parse_name(krb5_context ctx, const char *name)
{
- krb5_error_code retval;
- krb5_principal princ = 0, princ2 = 0;
- char *outname = 0;
-
- retval = krb5_parse_name(ctx, name, &princ);
- if (retval) {
- com_err("krb5_parse_name", retval, 0);
- goto fail;
- }
- retval = krb5_copy_principal(ctx, princ, &princ2);
- if (retval) {
- com_err("krb5_copy_principal", retval, 0);
- goto fail;
- }
- retval = krb5_unparse_name(ctx, princ2, &outname);
- if (retval) {
- com_err("krb5_unparse_name", retval, 0);
- goto fail;
- }
- printf("parsed (and unparsed) principal(%s): ", name);
- if (strcmp(name, outname) == 0)
- printf("MATCH\n");
- else
- printf("'%s'\n", outname);
+ krb5_error_code retval;
+ krb5_principal princ = 0, princ2 = 0;
+ char *outname = 0;
+
+ retval = krb5_parse_name(ctx, name, &princ);
+ if (retval) {
+ com_err("krb5_parse_name", retval, 0);
+ goto fail;
+ }
+ retval = krb5_copy_principal(ctx, princ, &princ2);
+ if (retval) {
+ com_err("krb5_copy_principal", retval, 0);
+ goto fail;
+ }
+ retval = krb5_unparse_name(ctx, princ2, &outname);
+ if (retval) {
+ com_err("krb5_unparse_name", retval, 0);
+ goto fail;
+ }
+ printf("parsed (and unparsed) principal(%s): ", name);
+ if (strcmp(name, outname) == 0)
+ printf("MATCH\n");
+ else
+ printf("'%s'\n", outname);
fail:
- if (outname)
- free(outname);
- if (princ)
- krb5_free_principal(ctx, princ);
- if (princ2)
- krb5_free_principal(ctx, princ2);
+ if (outname)
+ free(outname);
+ if (princ)
+ krb5_free_principal(ctx, princ);
+ if (princ2)
+ krb5_free_principal(ctx, princ2);
}
void test_set_realm(krb5_context ctx, const char *name, const char *realm)
{
- krb5_error_code retval;
- krb5_principal princ = 0;
- char *outname = 0;
-
- retval = krb5_parse_name(ctx, name, &princ);
- if (retval) {
- com_err("krb5_parse_name", retval, 0);
- goto fail;
- }
- retval = krb5_set_principal_realm(ctx, princ, realm);
- if (retval) {
- com_err("krb5_set_principal_realm", retval, 0);
- goto fail;
- }
- retval = krb5_unparse_name(ctx, princ, &outname);
- if (retval) {
- com_err("krb5_unparse_name", retval, 0);
- goto fail;
- }
- printf("old principal: %s, modified principal: %s\n", name,
- outname);
+ krb5_error_code retval;
+ krb5_principal princ = 0;
+ char *outname = 0;
+
+ retval = krb5_parse_name(ctx, name, &princ);
+ if (retval) {
+ com_err("krb5_parse_name", retval, 0);
+ goto fail;
+ }
+ retval = krb5_set_principal_realm(ctx, princ, realm);
+ if (retval) {
+ com_err("krb5_set_principal_realm", retval, 0);
+ goto fail;
+ }
+ retval = krb5_unparse_name(ctx, princ, &outname);
+ if (retval) {
+ com_err("krb5_unparse_name", retval, 0);
+ goto fail;
+ }
+ printf("old principal: %s, modified principal: %s\n", name,
+ outname);
fail:
- if (outname)
- free(outname);
- if (princ)
- krb5_free_principal(ctx, princ);
+ if (outname)
+ free(outname);
+ if (princ)
+ krb5_free_principal(ctx, princ);
}
void usage(char *progname)
{
- fprintf(stderr, "%s: Usage: %s 425_conv_principal <name> <inst> <realm\n",
- progname, progname);
- fprintf(stderr, "\t%s 524_conv_principal <name>\n", progname);
- fprintf(stderr, "\t%s parse_name <name>\n", progname);
- fprintf(stderr, "\t%s set_realm <name> <realm>\n", progname);
- fprintf(stderr, "\t%s string_to_timestamp <time>\n", progname);
- exit(1);
+ fprintf(stderr, "%s: Usage: %s 425_conv_principal <name> <inst> <realm\n",
+ progname, progname);
+ fprintf(stderr, "\t%s 524_conv_principal <name>\n", progname);
+ fprintf(stderr, "\t%s parse_name <name>\n", progname);
+ fprintf(stderr, "\t%s set_realm <name> <realm>\n", progname);
+ fprintf(stderr, "\t%s string_to_timestamp <time>\n", progname);
+ exit(1);
}
-int
+int
main(int argc, char **argv)
{
krb5_context ctx;
@@ -174,52 +175,52 @@ main(int argc, char **argv)
retval = krb5_init_context(&ctx);
if (retval) {
- fprintf(stderr, "krb5_init_context returned error %ld\n",
- (long) retval);
- exit(1);
+ fprintf(stderr, "krb5_init_context returned error %ld\n",
+ (long) retval);
+ exit(1);
}
progname = argv[0];
- /* Parse arguments. */
- argc--; argv++;
- while (argc) {
- if (strcmp(*argv, "425_conv_principal") == 0) {
- argc--; argv++;
- if (!argc) usage(progname);
- name = *argv;
- argc--; argv++;
- if (!argc) usage(progname);
- inst = *argv;
- argc--; argv++;
- if (!argc) usage(progname);
- realm = *argv;
- test_425_conv_principal(ctx, name, inst, realm);
- } else if (strcmp(*argv, "parse_name") == 0) {
- argc--; argv++;
- if (!argc) usage(progname);
- name = *argv;
- test_parse_name(ctx, name);
- } else if (strcmp(*argv, "set_realm") == 0) {
- argc--; argv++;
- if (!argc) usage(progname);
- name = *argv;
- argc--; argv++;
- if (!argc) usage(progname);
- realm = *argv;
- test_set_realm(ctx, name, realm);
- } else if (strcmp(*argv, "string_to_timestamp") == 0) {
- argc--; argv++;
- if (!argc) usage(progname);
- test_string_to_timestamp(ctx, *argv);
- } else if (strcmp(*argv, "524_conv_principal") == 0) {
- argc--; argv++;
- if (!argc) usage(progname);
- test_524_conv_principal(ctx, *argv);
- }
- else
- usage(progname);
- argc--; argv++;
- }
+ /* Parse arguments. */
+ argc--; argv++;
+ while (argc) {
+ if (strcmp(*argv, "425_conv_principal") == 0) {
+ argc--; argv++;
+ if (!argc) usage(progname);
+ name = *argv;
+ argc--; argv++;
+ if (!argc) usage(progname);
+ inst = *argv;
+ argc--; argv++;
+ if (!argc) usage(progname);
+ realm = *argv;
+ test_425_conv_principal(ctx, name, inst, realm);
+ } else if (strcmp(*argv, "parse_name") == 0) {
+ argc--; argv++;
+ if (!argc) usage(progname);
+ name = *argv;
+ test_parse_name(ctx, name);
+ } else if (strcmp(*argv, "set_realm") == 0) {
+ argc--; argv++;
+ if (!argc) usage(progname);
+ name = *argv;
+ argc--; argv++;
+ if (!argc) usage(progname);
+ realm = *argv;
+ test_set_realm(ctx, name, realm);
+ } else if (strcmp(*argv, "string_to_timestamp") == 0) {
+ argc--; argv++;
+ if (!argc) usage(progname);
+ test_string_to_timestamp(ctx, *argv);
+ } else if (strcmp(*argv, "524_conv_principal") == 0) {
+ argc--; argv++;
+ if (!argc) usage(progname);
+ test_524_conv_principal(ctx, *argv);
+ }
+ else
+ usage(progname);
+ argc--; argv++;
+ }
krb5_free_context(ctx);
diff --git a/src/lib/krb5/krb/t_pac.c b/src/lib/krb5/krb/t_pac.c
index 503d778a9..9e96b692e 100644
--- a/src/lib/krb5/krb/t_pac.c
+++ b/src/lib/krb5/krb/t_pac.c
@@ -1,4 +1,4 @@
-/* -*- mode: c; indent-tabs-mode: nil -*- */
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* Copyright (c) 2006 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
@@ -40,45 +40,45 @@
*/
static const unsigned char saved_pac[] = {
- 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0xd8, 0x01, 0x00, 0x00,
- 0x48, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00,
- 0x20, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00,
- 0x40, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00,
- 0x58, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x10, 0x08, 0x00, 0xcc, 0xcc, 0xcc, 0xcc,
- 0xc8, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x30, 0xdf, 0xa6, 0xcb,
- 0x4f, 0x7d, 0xc5, 0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0xff,
- 0xff, 0xff, 0xff, 0x7f, 0xc0, 0x3c, 0x4e, 0x59, 0x62, 0x73, 0xc5, 0x01, 0xc0, 0x3c, 0x4e, 0x59,
- 0x62, 0x73, 0xc5, 0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x16, 0x00, 0x16, 0x00,
- 0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x0c, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x14, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0x00, 0x02, 0x00, 0x65, 0x00, 0x00, 0x00,
- 0xed, 0x03, 0x00, 0x00, 0x04, 0x02, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x1c, 0x00, 0x02, 0x00,
- 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x14, 0x00, 0x16, 0x00, 0x20, 0x00, 0x02, 0x00, 0x16, 0x00, 0x18, 0x00,
- 0x24, 0x00, 0x02, 0x00, 0x28, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x01, 0x00, 0x00, 0x00, 0x2c, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x00,
- 0x57, 0x00, 0x32, 0x00, 0x30, 0x00, 0x30, 0x00, 0x33, 0x00, 0x46, 0x00, 0x49, 0x00, 0x4e, 0x00,
- 0x41, 0x00, 0x4c, 0x00, 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x04, 0x02, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
- 0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x00, 0x57, 0x00, 0x32, 0x00,
- 0x30, 0x00, 0x30, 0x00, 0x33, 0x00, 0x46, 0x00, 0x49, 0x00, 0x4e, 0x00, 0x41, 0x00, 0x4c, 0x00,
- 0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x00, 0x57, 0x00, 0x49, 0x00,
- 0x4e, 0x00, 0x32, 0x00, 0x4b, 0x00, 0x33, 0x00, 0x54, 0x00, 0x48, 0x00, 0x49, 0x00, 0x4e, 0x00,
- 0x4b, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,
- 0x15, 0x00, 0x00, 0x00, 0x11, 0x2f, 0xaf, 0xb5, 0x90, 0x04, 0x1b, 0xec, 0x50, 0x3b, 0xec, 0xdc,
- 0x01, 0x00, 0x00, 0x00, 0x30, 0x00, 0x02, 0x00, 0x07, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
- 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x80, 0x66, 0x28, 0xea, 0x37, 0x80, 0xc5, 0x01, 0x16, 0x00, 0x77, 0x00, 0x32, 0x00, 0x30, 0x00,
- 0x30, 0x00, 0x33, 0x00, 0x66, 0x00, 0x69, 0x00, 0x6e, 0x00, 0x61, 0x00, 0x6c, 0x00, 0x24, 0x00,
- 0x76, 0xff, 0xff, 0xff, 0x37, 0xd5, 0xb0, 0xf7, 0x24, 0xf0, 0xd6, 0xd4, 0xec, 0x09, 0x86, 0x5a,
- 0xa0, 0xe8, 0xc3, 0xa9, 0x00, 0x00, 0x00, 0x00, 0x76, 0xff, 0xff, 0xff, 0xb4, 0xd8, 0xb8, 0xfe,
- 0x83, 0xb3, 0x13, 0x3f, 0xfc, 0x5c, 0x41, 0xad, 0xe2, 0x64, 0x83, 0xe0, 0x00, 0x00, 0x00, 0x00
+ 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0xd8, 0x01, 0x00, 0x00,
+ 0x48, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00,
+ 0x20, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00,
+ 0x40, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00,
+ 0x58, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x10, 0x08, 0x00, 0xcc, 0xcc, 0xcc, 0xcc,
+ 0xc8, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x30, 0xdf, 0xa6, 0xcb,
+ 0x4f, 0x7d, 0xc5, 0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0x7f, 0xc0, 0x3c, 0x4e, 0x59, 0x62, 0x73, 0xc5, 0x01, 0xc0, 0x3c, 0x4e, 0x59,
+ 0x62, 0x73, 0xc5, 0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x16, 0x00, 0x16, 0x00,
+ 0x04, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x0c, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x14, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0x00, 0x02, 0x00, 0x65, 0x00, 0x00, 0x00,
+ 0xed, 0x03, 0x00, 0x00, 0x04, 0x02, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x1c, 0x00, 0x02, 0x00,
+ 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x14, 0x00, 0x16, 0x00, 0x20, 0x00, 0x02, 0x00, 0x16, 0x00, 0x18, 0x00,
+ 0x24, 0x00, 0x02, 0x00, 0x28, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x01, 0x00, 0x00, 0x00, 0x2c, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x00,
+ 0x57, 0x00, 0x32, 0x00, 0x30, 0x00, 0x30, 0x00, 0x33, 0x00, 0x46, 0x00, 0x49, 0x00, 0x4e, 0x00,
+ 0x41, 0x00, 0x4c, 0x00, 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x04, 0x02, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
+ 0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00, 0x00, 0x57, 0x00, 0x32, 0x00,
+ 0x30, 0x00, 0x30, 0x00, 0x33, 0x00, 0x46, 0x00, 0x49, 0x00, 0x4e, 0x00, 0x41, 0x00, 0x4c, 0x00,
+ 0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0b, 0x00, 0x00, 0x00, 0x57, 0x00, 0x49, 0x00,
+ 0x4e, 0x00, 0x32, 0x00, 0x4b, 0x00, 0x33, 0x00, 0x54, 0x00, 0x48, 0x00, 0x49, 0x00, 0x4e, 0x00,
+ 0x4b, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x01, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,
+ 0x15, 0x00, 0x00, 0x00, 0x11, 0x2f, 0xaf, 0xb5, 0x90, 0x04, 0x1b, 0xec, 0x50, 0x3b, 0xec, 0xdc,
+ 0x01, 0x00, 0x00, 0x00, 0x30, 0x00, 0x02, 0x00, 0x07, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
+ 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x80, 0x66, 0x28, 0xea, 0x37, 0x80, 0xc5, 0x01, 0x16, 0x00, 0x77, 0x00, 0x32, 0x00, 0x30, 0x00,
+ 0x30, 0x00, 0x33, 0x00, 0x66, 0x00, 0x69, 0x00, 0x6e, 0x00, 0x61, 0x00, 0x6c, 0x00, 0x24, 0x00,
+ 0x76, 0xff, 0xff, 0xff, 0x37, 0xd5, 0xb0, 0xf7, 0x24, 0xf0, 0xd6, 0xd4, 0xec, 0x09, 0x86, 0x5a,
+ 0xa0, 0xe8, 0xc3, 0xa9, 0x00, 0x00, 0x00, 0x00, 0x76, 0xff, 0xff, 0xff, 0xb4, 0xd8, 0xb8, 0xfe,
+ 0x83, 0xb3, 0x13, 0x3f, 0xfc, 0x5c, 0x41, 0xad, 0xe2, 0x64, 0x83, 0xe0, 0x00, 0x00, 0x00, 0x00
};
static unsigned int type_1_length = 472;
@@ -145,12 +145,12 @@ main(int argc, char **argv)
err(context, ret, "krb5_pac_parse");
ret = krb5_pac_verify(context, pac, authtime, p,
- &member_keyblock, &kdc_keyblock);
+ &member_keyblock, &kdc_keyblock);
if (ret)
err(context, ret, "krb5_pac_verify");
ret = krb5int_pac_sign(context, pac, authtime, p,
- &member_keyblock, &kdc_keyblock, &data);
+ &member_keyblock, &kdc_keyblock, &data);
if (ret)
err(context, ret, "krb5int_pac_sign");
@@ -162,7 +162,7 @@ main(int argc, char **argv)
err(context, ret, "krb5_pac_parse 2");
ret = krb5_pac_verify(context, pac, authtime, p,
- &member_keyblock, &kdc_keyblock);
+ &member_keyblock, &kdc_keyblock);
if (ret)
err(context, ret, "krb5_pac_verify 2");
@@ -203,23 +203,23 @@ main(int argc, char **argv)
krb5_free_data_contents(context, &data);
}
free(list);
-
+
ret = krb5int_pac_sign(context, pac2, authtime, p,
&member_keyblock, &kdc_keyblock, &data);
if (ret)
err(context, ret, "krb5int_pac_sign 4");
-
+
krb5_pac_free(context, pac2);
ret = krb5_pac_parse(context, data.data, data.length, &pac2);
if (ret)
err(context, ret, "krb5_pac_parse 4");
-
+
ret = krb5_pac_verify(context, pac2, authtime, p,
&member_keyblock, &kdc_keyblock);
if (ret)
err(context, ret, "krb5_pac_verify 4");
-
+
krb5_free_data_contents(context, &data);
krb5_pac_free(context, pac2);
@@ -296,7 +296,7 @@ main(int argc, char **argv)
err(context, ret, "krb5_pac_parse 3");
ret = krb5_pac_verify(context, pac, authtime, p,
- &member_keyblock, &kdc_keyblock);
+ &member_keyblock, &kdc_keyblock);
if (ret)
err(context, ret, "krb5_pac_verify 3");
diff --git a/src/lib/krb5/krb/t_princ.c b/src/lib/krb5/krb/t_princ.c
index 688331722..6664a75d6 100644
--- a/src/lib/krb5/krb/t_princ.c
+++ b/src/lib/krb5/krb/t_princ.c
@@ -1,4 +1,4 @@
-/* -*- mode: c; indent-tabs-mode: nil -*- */
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* Copyright (c) 2003 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
@@ -209,7 +209,7 @@ test_princ(krb5_context context)
&p2);
if (!ret)
err(context, ret, "Should have failed to parse %s a "
- "short name", princ);
+ "short name", princ);
ret = krb5_parse_name_flags(context, princ_short,
KRB5_PRINCIPAL_PARSE_NO_REALM,
@@ -233,7 +233,7 @@ test_princ(krb5_context context)
&p2);
if (!ret)
err(context, ret, "Should have failed to parse %s "
- "because it lacked a realm", princ_short);
+ "because it lacked a realm", princ_short);
ret = krb5_parse_name_flags(context, princ,
KRB5_PRINCIPAL_PARSE_REQUIRE_REALM,
@@ -372,7 +372,7 @@ test_enterprise(krb5_context context)
err(context, ret, "krb5_parse_name_flags");
ret = krb5_unparse_name_flags(context, p, KRB5_PRINCIPAL_UNPARSE_NO_REALM,
- &unparsed);
+ &unparsed);
if (ret)
err(context, ret, "krb5_unparse_name");
diff --git a/src/lib/krb5/krb/t_ser.c b/src/lib/krb5/krb/t_ser.c
index c92ce50c6..daad0c7d1 100644
--- a/src/lib/krb5/krb/t_ser.c
+++ b/src/lib/krb5/krb/t_ser.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/t_ser.c
*
@@ -48,26 +49,26 @@ print_erep(krb5_octet *erep, size_t elen)
int i, j;
for (i=0; i<elen; ) {
- printf("%08d: ", i);
- for (j=0; j<15; j++) {
- if ((i+j) < elen)
- printf("%02x ", erep[i+j]);
- else
- printf("-- ");
- }
- printf("\t");
- for (j=0; j<15; j++) {
- if ((i+j) < elen) {
- if (isprint(erep[i+j]) && (erep[i+j] != '\n'))
- printf("%c", erep[i+j]);
- else
- printf(".");
- }
- else
- printf("-");
- }
- printf("\n");
- i += 15;
+ printf("%08d: ", i);
+ for (j=0; j<15; j++) {
+ if ((i+j) < elen)
+ printf("%02x ", erep[i+j]);
+ else
+ printf("-- ");
+ }
+ printf("\t");
+ for (j=0; j<15; j++) {
+ if ((i+j) < elen) {
+ if (isprint(erep[i+j]) && (erep[i+j] != '\n'))
+ printf("%c", erep[i+j]);
+ else
+ printf(".");
+ }
+ else
+ printf("-");
+ }
+ printf("\n");
+ i += 15;
}
}
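Review bot: The loop index `i` is declared `int` at the top of the hunk while `elen` is `size_t` (see the hunk header), so `i<elen` and `(i+j) < elen` compare signed against unsigned and `-Wsign-compare` will flag them; declaring `size_t i, j;` and printing the offset with `printf("%08zu: ", i);` makes the types agree. print_erep's signature line lies outside the hunk; only its body is shown here.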
@@ -77,17 +78,17 @@ print_erep(krb5_octet *erep, size_t elen)
static krb5_error_code
ser_data(int verbose, char *msg, krb5_pointer ctx, krb5_magic dtype)
{
- krb5_error_code kret;
- krb5_context ser_ctx;
- krb5_pointer nctx;
- krb5_octet *outrep, *ibuf, *outrep2;
- size_t outlen, ilen, outlen2;
+ krb5_error_code kret;
+ krb5_context ser_ctx;
+ krb5_pointer nctx;
+ krb5_octet *outrep, *ibuf, *outrep2;
+ size_t outlen, ilen, outlen2;
/* Initialize context and initialize all Kerberos serializers */
if ((kret = krb5_init_context(&ser_ctx))) {
- printf("Couldn't initialize krb5 library: %s\n",
- error_message(kret));
- exit(1);
+ printf("Couldn't initialize krb5 library: %s\n",
+ error_message(kret));
+ exit(1);
}
krb5_ser_context_init(ser_ctx);
krb5_ser_auth_context_init(ser_ctx);
@@ -98,96 +99,96 @@ ser_data(int verbose, char *msg, krb5_pointer ctx, krb5_magic dtype)
/* Externalize the data */
kret = krb5_externalize_data(ser_ctx, ctx, &outrep, &outlen);
if (!kret) {
- if (verbose) {
- printf("%s: externalized in %d bytes\n", msg, outlen);
- print_erep(outrep, outlen);
- }
-
- /* Now attempt to re-constitute it */
- ibuf = outrep;
- ilen = outlen;
- kret = krb5_internalize_opaque(ser_ctx,
- dtype,
- (krb5_pointer *) &nctx,
- &ibuf,
- &ilen);
- if (!kret) {
- if (ilen)
- printf("%s: %d bytes left over after internalize\n",
- msg, ilen);
- /* Now attempt to re-externalize it */
- kret = krb5_externalize_data(ser_ctx, nctx, &outrep2, &outlen2);
- if (!kret) {
- /* Compare the results. */
- if ((outlen2 != outlen) ||
- memcmp(outrep, outrep2, outlen)) {
- printf("%s: comparison failed\n", msg);
- print_erep(outrep2, outlen2);
- }
- else {
- if (verbose)
- printf("%s: compare succeeded\n", msg);
- }
- free(outrep2);
- }
- else
- printf("%s: second externalize returned %d\n", msg, kret);
-
- /* Free the data */
- switch (dtype) {
- case KV5M_CONTEXT:
- krb5_free_context((krb5_context) nctx);
- break;
- case KV5M_AUTH_CONTEXT:
- if (nctx) {
- krb5_auth_context actx;
-
- actx = (krb5_auth_context) nctx;
- if (actx->i_vector)
- free(actx->i_vector);
- }
- krb5_auth_con_free(ser_ctx, (krb5_auth_context) nctx);
- break;
- case KV5M_CCACHE:
- krb5_cc_close(ser_ctx, (krb5_ccache) nctx);
- break;
- case KV5M_RCACHE:
- krb5_rc_close(ser_ctx, (krb5_rcache) nctx);
- break;
- case KV5M_KEYTAB:
- krb5_kt_close(ser_ctx, (krb5_keytab) nctx);
- break;
- case KV5M_ENCRYPT_BLOCK:
- if (nctx) {
- krb5_encrypt_block *eblock;
-
- eblock = (krb5_encrypt_block *) nctx;
+ if (verbose) {
+ printf("%s: externalized in %d bytes\n", msg, outlen);
+ print_erep(outrep, outlen);
+ }
+
+ /* Now attempt to re-constitute it */
+ ibuf = outrep;
+ ilen = outlen;
+ kret = krb5_internalize_opaque(ser_ctx,
+ dtype,
+ (krb5_pointer *) &nctx,
+ &ibuf,
+ &ilen);
+ if (!kret) {
+ if (ilen)
+ printf("%s: %d bytes left over after internalize\n",
+ msg, ilen);
+ /* Now attempt to re-externalize it */
+ kret = krb5_externalize_data(ser_ctx, nctx, &outrep2, &outlen2);
+ if (!kret) {
+ /* Compare the results. */
+ if ((outlen2 != outlen) ||
+ memcmp(outrep, outrep2, outlen)) {
+ printf("%s: comparison failed\n", msg);
+ print_erep(outrep2, outlen2);
+ }
+ else {
+ if (verbose)
+ printf("%s: compare succeeded\n", msg);
+ }
+ free(outrep2);
+ }
+ else
+ printf("%s: second externalize returned %d\n", msg, kret);
+
+ /* Free the data */
+ switch (dtype) {
+ case KV5M_CONTEXT:
+ krb5_free_context((krb5_context) nctx);
+ break;
+ case KV5M_AUTH_CONTEXT:
+ if (nctx) {
+ krb5_auth_context actx;
+
+ actx = (krb5_auth_context) nctx;
+ if (actx->i_vector)
+ free(actx->i_vector);
+ }
+ krb5_auth_con_free(ser_ctx, (krb5_auth_context) nctx);
+ break;
+ case KV5M_CCACHE:
+ krb5_cc_close(ser_ctx, (krb5_ccache) nctx);
+ break;
+ case KV5M_RCACHE:
+ krb5_rc_close(ser_ctx, (krb5_rcache) nctx);
+ break;
+ case KV5M_KEYTAB:
+ krb5_kt_close(ser_ctx, (krb5_keytab) nctx);
+ break;
+ case KV5M_ENCRYPT_BLOCK:
+ if (nctx) {
+ krb5_encrypt_block *eblock;
+
+ eblock = (krb5_encrypt_block *) nctx;
#if 0
- if (eblock->priv && eblock->priv_size)
- free(eblock->priv);
+ if (eblock->priv && eblock->priv_size)
+ free(eblock->priv);
#endif
- if (eblock->key)
- krb5_free_keyblock(ser_ctx, eblock->key);
- free(eblock);
- }
- break;
- case KV5M_PRINCIPAL:
- krb5_free_principal(ser_ctx, (krb5_principal) nctx);
- break;
- case KV5M_CHECKSUM:
- krb5_free_checksum(ser_ctx, (krb5_checksum *) nctx);
- break;
- default:
- printf("don't know how to free %d\n", dtype);
- break;
- }
- }
- else
- printf("%s: internalize returned %d\n", msg, kret);
- free(outrep);
+ if (eblock->key)
+ krb5_free_keyblock(ser_ctx, eblock->key);
+ free(eblock);
+ }
+ break;
+ case KV5M_PRINCIPAL:
+ krb5_free_principal(ser_ctx, (krb5_principal) nctx);
+ break;
+ case KV5M_CHECKSUM:
+ krb5_free_checksum(ser_ctx, (krb5_checksum *) nctx);
+ break;
+ default:
+ printf("don't know how to free %d\n", dtype);
+ break;
+ }
+ }
+ else
+ printf("%s: internalize returned %d\n", msg, kret);
+ free(outrep);
}
else
- printf("%s: externalize_data returned %d\n", msg, kret);
+ printf("%s: externalize_data returned %d\n", msg, kret);
krb5_free_context(ser_ctx);
return(kret);
}
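Review bot: `printf("%s: externalized in %d bytes\n", msg, outlen);` and `printf("%s: %d bytes left over after internalize\n", msg, ilen);` pass `size_t` values through `%d` (`outlen` and `ilen` are declared `size_t` in the preceding hunk), which is a format/argument mismatch and therefore undefined behaviour; `%zu` is the matching conversion. The `%d` used for `kret` and `dtype` may also be mismatched depending on how `krb5_error_code` and `krb5_magic` are typedef'd, which this hunk does not show; casting to `(long)` and using `%ld`, as t_kerb.c's main does for `retval`, would be safe either way. ser_data begins outside the hunk.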
@@ -198,161 +199,161 @@ ser_data(int verbose, char *msg, krb5_pointer ctx, krb5_magic dtype)
static krb5_error_code
ser_kcontext_test(krb5_context kcontext, int verbose)
{
- krb5_error_code kret;
- profile_t sprofile;
- char dbname[128];
+ krb5_error_code kret;
+ profile_t sprofile;
+ char dbname[128];
snprintf(dbname, sizeof(dbname), "temp_%d", (int) getpid());
sprofile = kcontext->profile;
kcontext->profile = (profile_t) NULL;
if (!(kret = ser_data(verbose, "> Context with no profile",
- (krb5_pointer) kcontext,
- KV5M_CONTEXT))) {
- kcontext->profile = sprofile;
- if (!(kret = ser_data(verbose, "> Context with no realm",
- (krb5_pointer) kcontext,
- KV5M_CONTEXT)) &&
- !(kret = krb5_set_default_realm(kcontext, "this.is.a.test"))) {
- if (!(kret = ser_data(verbose, "> Context with default realm",
- (krb5_pointer) kcontext,
- KV5M_CONTEXT))) {
- if (verbose)
- printf("* krb5_context test succeeded\n");
- }
- }
+ (krb5_pointer) kcontext,
+ KV5M_CONTEXT))) {
+ kcontext->profile = sprofile;
+ if (!(kret = ser_data(verbose, "> Context with no realm",
+ (krb5_pointer) kcontext,
+ KV5M_CONTEXT)) &&
+ !(kret = krb5_set_default_realm(kcontext, "this.is.a.test"))) {
+ if (!(kret = ser_data(verbose, "> Context with default realm",
+ (krb5_pointer) kcontext,
+ KV5M_CONTEXT))) {
+ if (verbose)
+ printf("* krb5_context test succeeded\n");
+ }
+ }
}
if (kret)
- printf("* krb5_context test failed\n");
+ printf("* krb5_context test failed\n");
return(kret);
}
-/*
+/*
* Serialize krb5_auth_context.
*/
static krb5_error_code
ser_acontext_test(krb5_context kcontext, int verbose)
{
- krb5_error_code kret;
- krb5_auth_context actx;
- krb5_address local_address;
- krb5_address remote_address;
- krb5_octet laddr_bytes[16];
- krb5_octet raddr_bytes[16];
- krb5_keyblock ukeyblock;
- krb5_octet keydata[8];
- krb5_authenticator aent;
- char clname[128];
- krb5_authdata *adatalist[3];
- krb5_authdata adataent;
+ krb5_error_code kret;
+ krb5_auth_context actx;
+ krb5_address local_address;
+ krb5_address remote_address;
+ krb5_octet laddr_bytes[16];
+ krb5_octet raddr_bytes[16];
+ krb5_keyblock ukeyblock;
+ krb5_octet keydata[8];
+ krb5_authenticator aent;
+ char clname[128];
+ krb5_authdata *adatalist[3];
+ krb5_authdata adataent;
actx = (krb5_auth_context) NULL;
if (!(kret = krb5_auth_con_init(kcontext, &actx)) &&
- !(kret = ser_data(verbose, "> Vanilla auth context",
- (krb5_pointer) actx,
- KV5M_AUTH_CONTEXT))) {
- memset(&local_address, 0, sizeof(local_address));
- memset(&remote_address, 0, sizeof(remote_address));
- memset(laddr_bytes, 0, sizeof(laddr_bytes));
- memset(raddr_bytes, 0, sizeof(raddr_bytes));
- local_address.addrtype = ADDRTYPE_INET;
- local_address.length = sizeof(laddr_bytes);
- local_address.contents = laddr_bytes;
- laddr_bytes[0] = 6;
- laddr_bytes[1] = 2;
- laddr_bytes[2] = 69;
- laddr_bytes[3] = 16;
- laddr_bytes[4] = 1;
- laddr_bytes[5] = 0;
- laddr_bytes[6] = 0;
- laddr_bytes[7] = 127;
- remote_address.addrtype = ADDRTYPE_INET;
- remote_address.length = sizeof(raddr_bytes);
- remote_address.contents = raddr_bytes;
- raddr_bytes[0] = 6;
- raddr_bytes[1] = 2;
- raddr_bytes[2] = 70;
- raddr_bytes[3] = 16;
- raddr_bytes[4] = 1;
- raddr_bytes[5] = 0;
- raddr_bytes[6] = 0;
- raddr_bytes[7] = 127;
- if (!(kret = krb5_auth_con_setaddrs(kcontext, actx,
- &local_address,
- &remote_address)) &&
- !(kret = krb5_auth_con_setports(kcontext, actx,
- &local_address,
- &remote_address)) &&
- !(kret = ser_data(verbose, "> Auth context with addrs/ports",
- (krb5_pointer) actx,
- KV5M_AUTH_CONTEXT))) {
- memset(&ukeyblock, 0, sizeof(ukeyblock));
- memset(keydata, 0, sizeof(keydata));
- ukeyblock.enctype = ENCTYPE_DES_CBC_MD5;
- ukeyblock.length = sizeof(keydata);
- ukeyblock.contents = keydata;
- keydata[0] = 0xde;
- keydata[1] = 0xad;
- keydata[2] = 0xbe;
- keydata[3] = 0xef;
- keydata[4] = 0xfe;
- keydata[5] = 0xed;
- keydata[6] = 0xf0;
- keydata[7] = 0xd;
- if (!(kret = krb5_auth_con_setuseruserkey(kcontext, actx,
- &ukeyblock)) &&
- !(kret = ser_data(verbose, "> Auth context with user key",
- (krb5_pointer) actx,
- KV5M_AUTH_CONTEXT)) &&
- !(kret = krb5_auth_con_initivector(kcontext, actx)) &&
- !(kret = ser_data(verbose, "> Auth context with new vector",
- (krb5_pointer) actx,
- KV5M_AUTH_CONTEXT)) &&
- (free(actx->i_vector), actx->i_vector) &&
- !(kret = krb5_auth_con_setivector(kcontext, actx,
- (krb5_pointer) print_erep)
- ) &&
- !(kret = ser_data(verbose, "> Auth context with set vector",
- (krb5_pointer) actx,
- KV5M_AUTH_CONTEXT))) {
- /*
- * Finally, add an authenticator.
- */
- memset(&aent, 0, sizeof(aent));
- aent.magic = KV5M_AUTHENTICATOR;
- snprintf(clname, sizeof(clname),
- "help/me/%d@this.is.a.test", (int) getpid());
- actx->authentp = &aent;
- if (!(kret = krb5_parse_name(kcontext, clname,
- &aent.client)) &&
- !(kret = ser_data(verbose,
- "> Auth context with authenticator",
- (krb5_pointer) actx,
- KV5M_AUTH_CONTEXT))) {
- adataent.magic = KV5M_AUTHDATA;
- adataent.ad_type = 123;
- adataent.length = 128;
- adataent.contents = (krb5_octet *) stuff;
- adatalist[0] = &adataent;
- adatalist[1] = &adataent;
- adatalist[2] = (krb5_authdata *) NULL;
- aent.authorization_data = adatalist;
- if (!(kret = ser_data(verbose,
- "> Auth context with full auth",
- (krb5_pointer) actx,
- KV5M_AUTH_CONTEXT))) {
- if (verbose)
- printf("* krb5_auth_context test succeeded\n");
- }
- krb5_free_principal(kcontext, aent.client);
- }
- actx->authentp = (krb5_authenticator *) NULL;
- }
- }
+ !(kret = ser_data(verbose, "> Vanilla auth context",
+ (krb5_pointer) actx,
+ KV5M_AUTH_CONTEXT))) {
+ memset(&local_address, 0, sizeof(local_address));
+ memset(&remote_address, 0, sizeof(remote_address));
+ memset(laddr_bytes, 0, sizeof(laddr_bytes));
+ memset(raddr_bytes, 0, sizeof(raddr_bytes));
+ local_address.addrtype = ADDRTYPE_INET;
+ local_address.length = sizeof(laddr_bytes);
+ local_address.contents = laddr_bytes;
+ laddr_bytes[0] = 6;
+ laddr_bytes[1] = 2;
+ laddr_bytes[2] = 69;
+ laddr_bytes[3] = 16;
+ laddr_bytes[4] = 1;
+ laddr_bytes[5] = 0;
+ laddr_bytes[6] = 0;
+ laddr_bytes[7] = 127;
+ remote_address.addrtype = ADDRTYPE_INET;
+ remote_address.length = sizeof(raddr_bytes);
+ remote_address.contents = raddr_bytes;
+ raddr_bytes[0] = 6;
+ raddr_bytes[1] = 2;
+ raddr_bytes[2] = 70;
+ raddr_bytes[3] = 16;
+ raddr_bytes[4] = 1;
+ raddr_bytes[5] = 0;
+ raddr_bytes[6] = 0;
+ raddr_bytes[7] = 127;
+ if (!(kret = krb5_auth_con_setaddrs(kcontext, actx,
+ &local_address,
+ &remote_address)) &&
+ !(kret = krb5_auth_con_setports(kcontext, actx,
+ &local_address,
+ &remote_address)) &&
+ !(kret = ser_data(verbose, "> Auth context with addrs/ports",
+ (krb5_pointer) actx,
+ KV5M_AUTH_CONTEXT))) {
+ memset(&ukeyblock, 0, sizeof(ukeyblock));
+ memset(keydata, 0, sizeof(keydata));
+ ukeyblock.enctype = ENCTYPE_DES_CBC_MD5;
+ ukeyblock.length = sizeof(keydata);
+ ukeyblock.contents = keydata;
+ keydata[0] = 0xde;
+ keydata[1] = 0xad;
+ keydata[2] = 0xbe;
+ keydata[3] = 0xef;
+ keydata[4] = 0xfe;
+ keydata[5] = 0xed;
+ keydata[6] = 0xf0;
+ keydata[7] = 0xd;
+ if (!(kret = krb5_auth_con_setuseruserkey(kcontext, actx,
+ &ukeyblock)) &&
+ !(kret = ser_data(verbose, "> Auth context with user key",
+ (krb5_pointer) actx,
+ KV5M_AUTH_CONTEXT)) &&
+ !(kret = krb5_auth_con_initivector(kcontext, actx)) &&
+ !(kret = ser_data(verbose, "> Auth context with new vector",
+ (krb5_pointer) actx,
+ KV5M_AUTH_CONTEXT)) &&
+ (free(actx->i_vector), actx->i_vector) &&
+ !(kret = krb5_auth_con_setivector(kcontext, actx,
+ (krb5_pointer) print_erep)
+ ) &&
+ !(kret = ser_data(verbose, "> Auth context with set vector",
+ (krb5_pointer) actx,
+ KV5M_AUTH_CONTEXT))) {
+ /*
+ * Finally, add an authenticator.
+ */
+ memset(&aent, 0, sizeof(aent));
+ aent.magic = KV5M_AUTHENTICATOR;
+ snprintf(clname, sizeof(clname),
+ "help/me/%d@this.is.a.test", (int) getpid());
+ actx->authentp = &aent;
+ if (!(kret = krb5_parse_name(kcontext, clname,
+ &aent.client)) &&
+ !(kret = ser_data(verbose,
+ "> Auth context with authenticator",
+ (krb5_pointer) actx,
+ KV5M_AUTH_CONTEXT))) {
+ adataent.magic = KV5M_AUTHDATA;
+ adataent.ad_type = 123;
+ adataent.length = 128;
+ adataent.contents = (krb5_octet *) stuff;
+ adatalist[0] = &adataent;
+ adatalist[1] = &adataent;
+ adatalist[2] = (krb5_authdata *) NULL;
+ aent.authorization_data = adatalist;
+ if (!(kret = ser_data(verbose,
+ "> Auth context with full auth",
+ (krb5_pointer) actx,
+ KV5M_AUTH_CONTEXT))) {
+ if (verbose)
+ printf("* krb5_auth_context test succeeded\n");
+ }
+ krb5_free_principal(kcontext, aent.client);
+ }
+ actx->authentp = (krb5_authenticator *) NULL;
+ }
+ }
}
if (actx)
- krb5_auth_con_free(kcontext, actx);
+ krb5_auth_con_free(kcontext, actx);
if (kret)
- printf("* krb5_auth_context test failed\n");
+ printf("* krb5_auth_context test failed\n");
return(kret);
}
@@ -362,44 +363,44 @@ ser_acontext_test(krb5_context kcontext, int verbose)
static krb5_error_code
ser_ccache_test(krb5_context kcontext, int verbose)
{
- krb5_error_code kret;
- char ccname[128];
- char princname[256];
- krb5_ccache ccache;
- krb5_principal principal;
+ krb5_error_code kret;
+ char ccname[128];
+ char princname[256];
+ krb5_ccache ccache;
+ krb5_principal principal;
snprintf(ccname, sizeof(ccname), "temp_cc_%d", (int) getpid());
snprintf(princname, sizeof(princname),
- "zowie%d/instance%d@this.is.a.test",
- (int) getpid(), (int) getpid());
+ "zowie%d/instance%d@this.is.a.test",
+ (int) getpid(), (int) getpid());
if (!(kret = krb5_cc_resolve(kcontext, ccname, &ccache)) &&
- !(kret = ser_data(verbose, "> Resolved default ccache",
- (krb5_pointer) ccache, KV5M_CCACHE)) &&
- !(kret = krb5_parse_name(kcontext, princname, &principal)) &&
- !(kret = krb5_cc_initialize(kcontext, ccache, principal)) &&
- !(kret = ser_data(verbose, "> Initialized default ccache",
- (krb5_pointer) ccache, KV5M_CCACHE)) &&
- !(kret = krb5_cc_destroy(kcontext, ccache))) {
- krb5_free_principal(kcontext, principal);
- snprintf(ccname, sizeof(ccname), "FILE:temp_cc_%d", (int) getpid());
- snprintf(princname, sizeof(princname), "xxx%d/i%d@this.is.a.test",
- (int) getpid(), (int) getpid());
- if (!(kret = krb5_cc_resolve(kcontext, ccname, &ccache)) &&
- !(kret = ser_data(verbose, "> Resolved FILE ccache",
- (krb5_pointer) ccache, KV5M_CCACHE)) &&
- !(kret = krb5_parse_name(kcontext, princname, &principal)) &&
- !(kret = krb5_cc_initialize(kcontext, ccache, principal)) &&
- !(kret = ser_data(verbose, "> Initialized FILE ccache",
- (krb5_pointer) ccache, KV5M_CCACHE)) &&
- !(kret = krb5_cc_destroy(kcontext, ccache))) {
- krb5_free_principal(kcontext, principal);
-
- if (verbose)
- printf("* ccache test succeeded\n");
- }
+ !(kret = ser_data(verbose, "> Resolved default ccache",
+ (krb5_pointer) ccache, KV5M_CCACHE)) &&
+ !(kret = krb5_parse_name(kcontext, princname, &principal)) &&
+ !(kret = krb5_cc_initialize(kcontext, ccache, principal)) &&
+ !(kret = ser_data(verbose, "> Initialized default ccache",
+ (krb5_pointer) ccache, KV5M_CCACHE)) &&
+ !(kret = krb5_cc_destroy(kcontext, ccache))) {
+ krb5_free_principal(kcontext, principal);
+ snprintf(ccname, sizeof(ccname), "FILE:temp_cc_%d", (int) getpid());
+ snprintf(princname, sizeof(princname), "xxx%d/i%d@this.is.a.test",
+ (int) getpid(), (int) getpid());
+ if (!(kret = krb5_cc_resolve(kcontext, ccname, &ccache)) &&
+ !(kret = ser_data(verbose, "> Resolved FILE ccache",
+ (krb5_pointer) ccache, KV5M_CCACHE)) &&
+ !(kret = krb5_parse_name(kcontext, princname, &principal)) &&
+ !(kret = krb5_cc_initialize(kcontext, ccache, principal)) &&
+ !(kret = ser_data(verbose, "> Initialized FILE ccache",
+ (krb5_pointer) ccache, KV5M_CCACHE)) &&
+ !(kret = krb5_cc_destroy(kcontext, ccache))) {
+ krb5_free_principal(kcontext, principal);
+
+ if (verbose)
+ printf("* ccache test succeeded\n");
+ }
}
if (kret)
- printf("* krb5_ccache test failed\n");
+ printf("* krb5_ccache test failed\n");
return(kret);
}
@@ -409,33 +410,33 @@ ser_ccache_test(krb5_context kcontext, int verbose)
static krb5_error_code
ser_keytab_test(krb5_context kcontext, int verbose)
{
- krb5_error_code kret;
- char ccname[128];
- krb5_keytab keytab;
+ krb5_error_code kret;
+ char ccname[128];
+ krb5_keytab keytab;
snprintf(ccname, sizeof(ccname), "temp_kt_%d", (int) getpid());
if (!(kret = krb5_kt_resolve(kcontext, ccname, &keytab)) &&
- !(kret = ser_data(verbose, "> Resolved default keytab",
- (krb5_pointer) keytab, KV5M_KEYTAB)) &&
- !(kret = krb5_kt_close(kcontext, keytab))) {
- snprintf(ccname, sizeof(ccname), "FILE:temp_kt_%d", (int) getpid());
- if (!(kret = krb5_kt_resolve(kcontext, ccname, &keytab)) &&
- !(kret = ser_data(verbose, "> Resolved FILE keytab",
- (krb5_pointer) keytab, KV5M_KEYTAB)) &&
- !(kret = krb5_kt_close(kcontext, keytab))) {
- snprintf(ccname, sizeof(ccname),
- "WRFILE:temp_kt_%d", (int) getpid());
- if (!(kret = krb5_kt_resolve(kcontext, ccname, &keytab)) &&
- !(kret = ser_data(verbose, "> Resolved WRFILE keytab",
- (krb5_pointer) keytab, KV5M_KEYTAB)) &&
- !(kret = krb5_kt_close(kcontext, keytab))) {
- if (verbose)
- printf("* keytab test succeeded\n");
- }
- }
+ !(kret = ser_data(verbose, "> Resolved default keytab",
+ (krb5_pointer) keytab, KV5M_KEYTAB)) &&
+ !(kret = krb5_kt_close(kcontext, keytab))) {
+ snprintf(ccname, sizeof(ccname), "FILE:temp_kt_%d", (int) getpid());
+ if (!(kret = krb5_kt_resolve(kcontext, ccname, &keytab)) &&
+ !(kret = ser_data(verbose, "> Resolved FILE keytab",
+ (krb5_pointer) keytab, KV5M_KEYTAB)) &&
+ !(kret = krb5_kt_close(kcontext, keytab))) {
+ snprintf(ccname, sizeof(ccname),
+ "WRFILE:temp_kt_%d", (int) getpid());
+ if (!(kret = krb5_kt_resolve(kcontext, ccname, &keytab)) &&
+ !(kret = ser_data(verbose, "> Resolved WRFILE keytab",
+ (krb5_pointer) keytab, KV5M_KEYTAB)) &&
+ !(kret = krb5_kt_close(kcontext, keytab))) {
+ if (verbose)
+ printf("* keytab test succeeded\n");
+ }
+ }
}
if (kret)
- printf("* krb5_keytab test failed\n");
+ printf("* krb5_keytab test failed\n");
return(kret);
}
@@ -445,23 +446,23 @@ ser_keytab_test(krb5_context kcontext, int verbose)
static krb5_error_code
ser_rcache_test(krb5_context kcontext, int verbose)
{
- krb5_error_code kret;
- char rcname[128];
- krb5_rcache rcache;
+ krb5_error_code kret;
+ char rcname[128];
+ krb5_rcache rcache;
snprintf(rcname, sizeof(rcname), "dfl:temp_rc_%d", (int) getpid());
if (!(kret = krb5_rc_resolve_full(kcontext, &rcache, rcname)) &&
- !(kret = ser_data(verbose, "> Resolved FILE rcache",
- (krb5_pointer) rcache, KV5M_RCACHE)) &&
- !(kret = krb5_rc_initialize(kcontext, rcache, 3600*24)) &&
- !(kret = ser_data(verbose, "> Initialized FILE rcache",
- (krb5_pointer) rcache, KV5M_RCACHE)) &&
- !(kret = krb5_rc_destroy(kcontext, rcache))) {
- if (verbose)
- printf("* rcache test succeeded\n");
+ !(kret = ser_data(verbose, "> Resolved FILE rcache",
+ (krb5_pointer) rcache, KV5M_RCACHE)) &&
+ !(kret = krb5_rc_initialize(kcontext, rcache, 3600*24)) &&
+ !(kret = ser_data(verbose, "> Initialized FILE rcache",
+ (krb5_pointer) rcache, KV5M_RCACHE)) &&
+ !(kret = krb5_rc_destroy(kcontext, rcache))) {
+ if (verbose)
+ printf("* rcache test succeeded\n");
}
if (kret)
- printf("* krb5_rcache test failed\n");
+ printf("* krb5_rcache test failed\n");
return(kret);
}
@@ -471,50 +472,50 @@ ser_rcache_test(krb5_context kcontext, int verbose)
*/
static krb5_error_code
ser_eblock_test(kcontext, verbose)
- krb5_context kcontext;
- int verbose;
+ krb5_context kcontext;
+ int verbose;
{
- krb5_error_code kret;
- krb5_encrypt_block eblock;
- krb5_keyblock ukeyblock;
- krb5_octet keydata[8];
+ krb5_error_code kret;
+ krb5_encrypt_block eblock;
+ krb5_keyblock ukeyblock;
+ krb5_octet keydata[8];
memset(&eblock, 0, sizeof(krb5_encrypt_block));
eblock.magic = KV5M_ENCRYPT_BLOCK;
krb5_use_enctype(kcontext, &eblock, DEFAULT_KDC_ENCTYPE);
if (!(kret = ser_data(verbose, "> NULL eblock",
- (krb5_pointer) &eblock, KV5M_ENCRYPT_BLOCK))) {
+ (krb5_pointer) &eblock, KV5M_ENCRYPT_BLOCK))) {
#if 0
- eblock.priv = (krb5_pointer) stuff;
- eblock.priv_size = 8;
+ eblock.priv = (krb5_pointer) stuff;
+ eblock.priv_size = 8;
#endif
- if (!(kret = ser_data(verbose, "> eblock with private data",
- (krb5_pointer) &eblock,
- KV5M_ENCRYPT_BLOCK))) {
- memset(&ukeyblock, 0, sizeof(ukeyblock));
- memset(keydata, 0, sizeof(keydata));
- ukeyblock.enctype = ENCTYPE_DES_CBC_MD5;
- ukeyblock.length = sizeof(keydata);
- ukeyblock.contents = keydata;
- keydata[0] = 0xde;
- keydata[1] = 0xad;
- keydata[2] = 0xbe;
- keydata[3] = 0xef;
- keydata[4] = 0xfe;
- keydata[5] = 0xed;
- keydata[6] = 0xf0;
- keydata[7] = 0xd;
- eblock.key = &ukeyblock;
- if (!(kret = ser_data(verbose, "> eblock with private key",
- (krb5_pointer) &eblock,
- KV5M_ENCRYPT_BLOCK))) {
- if (verbose)
- printf("* eblock test succeeded\n");
- }
- }
+ if (!(kret = ser_data(verbose, "> eblock with private data",
+ (krb5_pointer) &eblock,
+ KV5M_ENCRYPT_BLOCK))) {
+ memset(&ukeyblock, 0, sizeof(ukeyblock));
+ memset(keydata, 0, sizeof(keydata));
+ ukeyblock.enctype = ENCTYPE_DES_CBC_MD5;
+ ukeyblock.length = sizeof(keydata);
+ ukeyblock.contents = keydata;
+ keydata[0] = 0xde;
+ keydata[1] = 0xad;
+ keydata[2] = 0xbe;
+ keydata[3] = 0xef;
+ keydata[4] = 0xfe;
+ keydata[5] = 0xed;
+ keydata[6] = 0xf0;
+ keydata[7] = 0xd;
+ eblock.key = &ukeyblock;
+ if (!(kret = ser_data(verbose, "> eblock with private key",
+ (krb5_pointer) &eblock,
+ KV5M_ENCRYPT_BLOCK))) {
+ if (verbose)
+ printf("* eblock test succeeded\n");
+ }
+ }
}
if (kret)
- printf("* eblock test failed\n");
+ printf("* eblock test failed\n");
return(kret);
}
#endif
@@ -525,23 +526,23 @@ ser_eblock_test(kcontext, verbose)
static krb5_error_code
ser_princ_test(krb5_context kcontext, int verbose)
{
- krb5_error_code kret;
- krb5_principal princ;
- char pname[1024];
+ krb5_error_code kret;
+ krb5_principal princ;
+ char pname[1024];
snprintf(pname, sizeof(pname),
- "the/quick/brown/fox/jumped/over/the/lazy/dog/%d@this.is.a.test",
- (int) getpid());
+ "the/quick/brown/fox/jumped/over/the/lazy/dog/%d@this.is.a.test",
+ (int) getpid());
if (!(kret = krb5_parse_name(kcontext, pname, &princ))) {
- if (!(kret = ser_data(verbose, "> Principal",
- (krb5_pointer) princ, KV5M_PRINCIPAL))) {
- if (verbose)
- printf("* principal test succeeded\n");
- }
- krb5_free_principal(kcontext, princ);
+ if (!(kret = ser_data(verbose, "> Principal",
+ (krb5_pointer) princ, KV5M_PRINCIPAL))) {
+ if (verbose)
+ printf("* principal test succeeded\n");
+ }
+ krb5_free_principal(kcontext, princ);
}
if (kret)
- printf("* principal test failed\n");
+ printf("* principal test failed\n");
return(kret);
}
@@ -551,26 +552,26 @@ ser_princ_test(krb5_context kcontext, int verbose)
static krb5_error_code
ser_cksum_test(krb5_context kcontext, int verbose)
{
- krb5_error_code kret;
- krb5_checksum checksum;
- krb5_octet ckdata[24];
+ krb5_error_code kret;
+ krb5_checksum checksum;
+ krb5_octet ckdata[24];
memset(&checksum, 0, sizeof(krb5_checksum));
checksum.magic = KV5M_CHECKSUM;
if (!(kret = ser_data(verbose, "> NULL checksum",
- (krb5_pointer) &checksum, KV5M_CHECKSUM))) {
- checksum.checksum_type = 123;
- checksum.length = sizeof(ckdata);
- checksum.contents = ckdata;
- memcpy(ckdata, &stuff, sizeof(ckdata));
- if (!(kret = ser_data(verbose, "> checksum with data",
- (krb5_pointer) &checksum, KV5M_CHECKSUM))) {
- if (verbose)
- printf("* checksum test succeeded\n");
- }
+ (krb5_pointer) &checksum, KV5M_CHECKSUM))) {
+ checksum.checksum_type = 123;
+ checksum.length = sizeof(ckdata);
+ checksum.contents = ckdata;
+ memcpy(ckdata, &stuff, sizeof(ckdata));
+ if (!(kret = ser_data(verbose, "> checksum with data",
+ (krb5_pointer) &checksum, KV5M_CHECKSUM))) {
+ if (verbose)
+ printf("* checksum test succeeded\n");
+ }
}
if (kret)
- printf("* checksum test failed\n");
+ printf("* checksum test failed\n");
return(kret);
}
@@ -580,14 +581,14 @@ ser_cksum_test(krb5_context kcontext, int verbose)
int
main(int argc, char **argv)
{
- krb5_error_code kret;
- krb5_context kcontext;
- int do_atest, do_ctest, do_ktest, do_rtest, do_xtest;
- int do_etest, do_ptest, do_stest;
- int verbose;
- int option;
- extern char *optarg;
- char ch_err;
+ krb5_error_code kret;
+ krb5_context kcontext;
+ int do_atest, do_ctest, do_ktest, do_rtest, do_xtest;
+ int do_etest, do_ptest, do_stest;
+ int verbose;
+ int option;
+ extern char *optarg;
+ char ch_err;
kret = 0;
verbose = 0;
@@ -600,125 +601,125 @@ main(int argc, char **argv)
do_rtest = 1;
do_stest = 1;
while ((option = getopt(argc, argv, "acekprsxvACEKPRSX")) != -1) {
- switch (option) {
- case 'a':
- do_atest = 0;
- break;
- case 'c':
- do_ctest = 0;
- break;
- case 'e':
- do_etest = 0;
- break;
- case 'k':
- do_ktest = 0;
- break;
- case 'p':
- do_ptest = 0;
- break;
- case 'r':
- do_rtest = 0;
- break;
- case 's':
- do_stest = 0;
- break;
- case 'x':
- do_xtest = 0;
- break;
- case 'v':
- verbose = 1;
- break;
- case 'A':
- do_atest = 1;
- break;
- case 'C':
- do_ctest = 1;
- break;
+ switch (option) {
+ case 'a':
+ do_atest = 0;
+ break;
+ case 'c':
+ do_ctest = 0;
+ break;
+ case 'e':
+ do_etest = 0;
+ break;
+ case 'k':
+ do_ktest = 0;
+ break;
+ case 'p':
+ do_ptest = 0;
+ break;
+ case 'r':
+ do_rtest = 0;
+ break;
+ case 's':
+ do_stest = 0;
+ break;
+ case 'x':
+ do_xtest = 0;
+ break;
+ case 'v':
+ verbose = 1;
+ break;
+ case 'A':
+ do_atest = 1;
+ break;
+ case 'C':
+ do_ctest = 1;
+ break;
#if 0
- case 'E':
- do_etest = 1;
- break;
+ case 'E':
+ do_etest = 1;
+ break;
#endif
- case 'K':
- do_ktest = 1;
- break;
- case 'P':
- do_ptest = 1;
- break;
- case 'R':
- do_rtest = 1;
- break;
- case 'S':
- do_stest = 1;
- break;
- case 'X':
- do_xtest = 1;
- break;
- default:
- fprintf(stderr,
- "%s: usage is %s [-acekprsxvACEKPRSX]\n",
- argv[0], argv[0]);
- exit(1);
- break;
- }
+ case 'K':
+ do_ktest = 1;
+ break;
+ case 'P':
+ do_ptest = 1;
+ break;
+ case 'R':
+ do_rtest = 1;
+ break;
+ case 'S':
+ do_stest = 1;
+ break;
+ case 'X':
+ do_xtest = 1;
+ break;
+ default:
+ fprintf(stderr,
+ "%s: usage is %s [-acekprsxvACEKPRSX]\n",
+ argv[0], argv[0]);
+ exit(1);
+ break;
+ }
}
if ((kret = krb5_init_context(&kcontext))) {
- com_err(argv[0], kret, "while initializing krb5");
- exit(1);
+ com_err(argv[0], kret, "while initializing krb5");
+ exit(1);
}
-
+
if (do_xtest) {
- ch_err = 'x';
- kret = ser_kcontext_test(kcontext, verbose);
- if (kret)
- goto fail;
+ ch_err = 'x';
+ kret = ser_kcontext_test(kcontext, verbose);
+ if (kret)
+ goto fail;
}
if (do_atest) {
- ch_err = 'a';
- kret = ser_acontext_test(kcontext, verbose);
- if (kret)
- goto fail;
+ ch_err = 'a';
+ kret = ser_acontext_test(kcontext, verbose);
+ if (kret)
+ goto fail;
}
if (do_ctest) {
- ch_err = 'c';
- kret = ser_ccache_test(kcontext, verbose);
- if (kret)
- goto fail;
+ ch_err = 'c';
+ kret = ser_ccache_test(kcontext, verbose);
+ if (kret)
+ goto fail;
}
if (do_ktest) {
- ch_err = 'k';
- kret = ser_keytab_test(kcontext, verbose);
- if (kret)
- goto fail;
+ ch_err = 'k';
+ kret = ser_keytab_test(kcontext, verbose);
+ if (kret)
+ goto fail;
}
if (do_rtest) {
- ch_err = 'r';
- kret = ser_rcache_test(kcontext, verbose);
- if (kret)
- goto fail;
+ ch_err = 'r';
+ kret = ser_rcache_test(kcontext, verbose);
+ if (kret)
+ goto fail;
}
#if 0 /* code to be tested is currently disabled */
if (do_etest) {
- ch_err = 'e';
- kret = ser_eblock_test(kcontext, verbose);
- if (kret)
- goto fail;
+ ch_err = 'e';
+ kret = ser_eblock_test(kcontext, verbose);
+ if (kret)
+ goto fail;
}
#endif
if (do_ptest) {
- ch_err = 'p';
- kret = ser_princ_test(kcontext, verbose);
- if (kret)
- goto fail;
+ ch_err = 'p';
+ kret = ser_princ_test(kcontext, verbose);
+ if (kret)
+ goto fail;
}
if (do_stest) {
- ch_err = 's';
- kret = ser_cksum_test(kcontext, verbose);
- if (kret)
- goto fail;
+ ch_err = 's';
+ kret = ser_cksum_test(kcontext, verbose);
+ if (kret)
+ goto fail;
}
krb5_free_context(kcontext);
-
+
exit(0);
fail:
com_err(argv[0], kret, "--- test %cfailed", ch_err);
diff --git a/src/lib/krb5/krb/t_walk_rtree.c b/src/lib/krb5/krb/t_walk_rtree.c
index 466118667..09e71af0f 100644
--- a/src/lib/krb5/krb/t_walk_rtree.c
+++ b/src/lib/krb5/krb/t_walk_rtree.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* t_walk_rtree.c --- test krb5_walk_realm_tree
*/
@@ -9,50 +10,49 @@
int
main(int argc, char **argv)
{
- krb5_data client, server;
- char realm_branch_char = '.';
- krb5_principal *tree, *p;
- char *name;
- krb5_error_code retval;
- krb5_context context;
-
- krb5_init_context(&context);
-
- if (argc < 3 || argc > 4) {
- fprintf(stderr,
- "Usage: %s client-realm server-realm [sep_char]\n",
- argv[0]);
- exit(99);
- }
- client.data = argv[1];
- client.length = strlen(client.data);
-
- server.data = argv[2];
- server.length = strlen(server.data);
-
- if (argc == 4)
- realm_branch_char = argv[3][0];
-
- retval = krb5_walk_realm_tree(context, &client, &server, &tree,
- realm_branch_char);
- if (retval) {
- com_err("krb5_walk_realm_tree", retval, " ");
- exit(1);
- }
-
- for (p = tree; *p; p++) {
- retval = krb5_unparse_name(context, *p, &name);
- if (retval) {
- com_err("krb5_unprase_name", retval, " ");
- exit(2);
- }
- printf("%s\n", name);
- free(name);
- }
-
- krb5_free_realm_tree(context, tree);
- krb5_free_context(context);
-
- exit(0);
+ krb5_data client, server;
+ char realm_branch_char = '.';
+ krb5_principal *tree, *p;
+ char *name;
+ krb5_error_code retval;
+ krb5_context context;
+
+ krb5_init_context(&context);
+
+ if (argc < 3 || argc > 4) {
+ fprintf(stderr,
+ "Usage: %s client-realm server-realm [sep_char]\n",
+ argv[0]);
+ exit(99);
+ }
+ client.data = argv[1];
+ client.length = strlen(client.data);
+
+ server.data = argv[2];
+ server.length = strlen(server.data);
+
+ if (argc == 4)
+ realm_branch_char = argv[3][0];
+
+ retval = krb5_walk_realm_tree(context, &client, &server, &tree,
+ realm_branch_char);
+ if (retval) {
+ com_err("krb5_walk_realm_tree", retval, " ");
+ exit(1);
+ }
+
+ for (p = tree; *p; p++) {
+ retval = krb5_unparse_name(context, *p, &name);
+ if (retval) {
+ com_err("krb5_unprase_name", retval, " ");
+ exit(2);
+ }
+ printf("%s\n", name);
+ free(name);
+ }
+
+ krb5_free_realm_tree(context, tree);
+ krb5_free_context(context);
+
+ exit(0);
}
-
diff --git a/src/lib/krb5/krb/tgtname.c b/src/lib/krb5/krb/tgtname.c
index 4ca241623..cfd01cb0a 100644
--- a/src/lib/krb5/krb/tgtname.c
+++ b/src/lib/krb5/krb/tgtname.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/tgtname.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_tgtname()
*/
@@ -36,7 +37,7 @@ krb5_error_code
krb5_tgtname(krb5_context context, const krb5_data *server, const krb5_data *client, krb5_principal *tgtprinc)
{
return krb5_build_principal_ext(context, tgtprinc, client->length, client->data,
- KRB5_TGS_NAME_SIZE, KRB5_TGS_NAME,
- server->length, server->data,
- 0);
+ KRB5_TGS_NAME_SIZE, KRB5_TGS_NAME,
+ server->length, server->data,
+ 0);
}
diff --git a/src/lib/krb5/krb/unparse.c b/src/lib/krb5/krb/unparse.c
index ec0976fb2..cb3624295 100644
--- a/src/lib/krb5/krb/unparse.c
+++ b/src/lib/krb5/krb/unparse.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/unparse.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_unparse_name() routine
*
@@ -37,8 +38,8 @@
/*
* converts the multi-part principal format used in the protocols to a
- * single-string representation of the name.
- *
+ * single-string representation of the name.
+ *
* The name returned is in allocated storage and should be freed by
* the caller when finished.
*
@@ -48,14 +49,14 @@
* backslash encoding. ("\/", "\@", or '\0', respectively)
*
* returns error
- * KRB_PARSE_MALFORMED principal is invalid (does not contain
- * at least 2 components)
+ * KRB_PARSE_MALFORMED principal is invalid (does not contain
+ * at least 2 components)
* also returns system errors
- * ENOMEM unable to allocate memory for string
+ * ENOMEM unable to allocate memory for string
*/
-#define REALM_SEP '@'
-#define COMPONENT_SEP '/'
+#define REALM_SEP '@'
+#define COMPONENT_SEP '/'
static int
component_length_quoted(const krb5_data *src, int flags)
@@ -66,15 +67,15 @@ component_length_quoted(const krb5_data *src, int flags)
int size = length;
if ((flags & KRB5_PRINCIPAL_UNPARSE_DISPLAY) == 0) {
- int no_realm = (flags & KRB5_PRINCIPAL_UNPARSE_NO_REALM) &&
- !(flags & KRB5_PRINCIPAL_UNPARSE_SHORT);
-
- for (j = 0; j < length; j++,cp++)
- if ((!no_realm && *cp == REALM_SEP) ||
- *cp == COMPONENT_SEP ||
- *cp == '\0' || *cp == '\\' || *cp == '\t' ||
- *cp == '\n' || *cp == '\b')
- size++;
+ int no_realm = (flags & KRB5_PRINCIPAL_UNPARSE_NO_REALM) &&
+ !(flags & KRB5_PRINCIPAL_UNPARSE_SHORT);
+
+ for (j = 0; j < length; j++,cp++)
+ if ((!no_realm && *cp == REALM_SEP) ||
+ *cp == COMPONENT_SEP ||
+ *cp == '\0' || *cp == '\\' || *cp == '\t' ||
+ *cp == '\n' || *cp == '\b')
+ size++;
}
return size;
@@ -89,181 +90,180 @@ copy_component_quoting(char *dest, const krb5_data *src, int flags)
int length = src->length;
if (flags & KRB5_PRINCIPAL_UNPARSE_DISPLAY) {
- memcpy(dest, src->data, src->length);
- return src->length;
+ memcpy(dest, src->data, src->length);
+ return src->length;
}
for (j=0; j < length; j++,cp++) {
- int no_realm = (flags & KRB5_PRINCIPAL_UNPARSE_NO_REALM) &&
- !(flags & KRB5_PRINCIPAL_UNPARSE_SHORT);
-
- switch (*cp) {
- case REALM_SEP:
- if (no_realm) {
- *q++ = *cp;
- break;
- }
- case COMPONENT_SEP:
- case '\\':
- *q++ = '\\';
- *q++ = *cp;
- break;
- case '\t':
- *q++ = '\\';
- *q++ = 't';
- break;
- case '\n':
- *q++ = '\\';
- *q++ = 'n';
- break;
- case '\b':
- *q++ = '\\';
- *q++ = 'b';
- break;
+ int no_realm = (flags & KRB5_PRINCIPAL_UNPARSE_NO_REALM) &&
+ !(flags & KRB5_PRINCIPAL_UNPARSE_SHORT);
+
+ switch (*cp) {
+ case REALM_SEP:
+ if (no_realm) {
+ *q++ = *cp;
+ break;
+ }
+ case COMPONENT_SEP:
+ case '\\':
+ *q++ = '\\';
+ *q++ = *cp;
+ break;
+ case '\t':
+ *q++ = '\\';
+ *q++ = 't';
+ break;
+ case '\n':
+ *q++ = '\\';
+ *q++ = 'n';
+ break;
+ case '\b':
+ *q++ = '\\';
+ *q++ = 'b';
+ break;
#if 0
- /* Heimdal escapes spaces in principal names upon unparsing */
- case ' ':
- *q++ = '\\';
- *q++ = ' ';
- break;
+ /* Heimdal escapes spaces in principal names upon unparsing */
+ case ' ':
+ *q++ = '\\';
+ *q++ = ' ';
+ break;
#endif
- case '\0':
- *q++ = '\\';
- *q++ = '0';
- break;
- default:
- *q++ = *cp;
- }
+ case '\0':
+ *q++ = '\\';
+ *q++ = '0';
+ break;
+ default:
+ *q++ = *cp;
+ }
}
return q - dest;
}
static krb5_error_code
k5_unparse_name(krb5_context context, krb5_const_principal principal,
- int flags, char **name, unsigned int *size)
+ int flags, char **name, unsigned int *size)
{
- char *cp, *q;
- int i;
- int length;
- krb5_int32 nelem;
- unsigned int totalsize = 0;
- char *default_realm = NULL;
- krb5_error_code ret = 0;
-
- if (!principal || !name)
- return KRB5_PARSE_MALFORMED;
-
- if (flags & KRB5_PRINCIPAL_UNPARSE_SHORT) {
- /* omit realm if local realm */
- krb5_principal_data p;
-
- ret = krb5_get_default_realm(context, &default_realm);
- if (ret != 0)
- goto cleanup;
-
- krb5_princ_realm(context, &p)->length = strlen(default_realm);
- krb5_princ_realm(context, &p)->data = default_realm;
-
- if (krb5_realm_compare(context, &p, principal))
- flags |= KRB5_PRINCIPAL_UNPARSE_NO_REALM;
- }
-
- if ((flags & KRB5_PRINCIPAL_UNPARSE_NO_REALM) == 0) {
- totalsize += component_length_quoted(krb5_princ_realm(context,
- principal),
- flags);
- totalsize++; /* This is for the separator */
- }
-
- nelem = krb5_princ_size(context, principal);
- for (i = 0; i < (int) nelem; i++) {
- cp = krb5_princ_component(context, principal, i)->data;
- totalsize += component_length_quoted(krb5_princ_component(context, principal, i), flags);
- totalsize++; /* This is for the separator */
- }
- if (nelem == 0)
- totalsize++;
-
- /*
- * Allocate space for the ascii string; if space has been
- * provided, use it, realloc'ing it if necessary.
- *
- * We need only n-1 seperators for n components, but we need
- * an extra byte for the NUL at the end.
- */
- if (size) {
- if (*name && (*size < totalsize)) {
- *name = realloc(*name, totalsize);
- } else {
- *name = malloc(totalsize);
- }
- *size = totalsize;
+ char *cp, *q;
+ int i;
+ int length;
+ krb5_int32 nelem;
+ unsigned int totalsize = 0;
+ char *default_realm = NULL;
+ krb5_error_code ret = 0;
+
+ if (!principal || !name)
+ return KRB5_PARSE_MALFORMED;
+
+ if (flags & KRB5_PRINCIPAL_UNPARSE_SHORT) {
+ /* omit realm if local realm */
+ krb5_principal_data p;
+
+ ret = krb5_get_default_realm(context, &default_realm);
+ if (ret != 0)
+ goto cleanup;
+
+ krb5_princ_realm(context, &p)->length = strlen(default_realm);
+ krb5_princ_realm(context, &p)->data = default_realm;
+
+ if (krb5_realm_compare(context, &p, principal))
+ flags |= KRB5_PRINCIPAL_UNPARSE_NO_REALM;
+ }
+
+ if ((flags & KRB5_PRINCIPAL_UNPARSE_NO_REALM) == 0) {
+ totalsize += component_length_quoted(krb5_princ_realm(context,
+ principal),
+ flags);
+ totalsize++; /* This is for the separator */
+ }
+
+ nelem = krb5_princ_size(context, principal);
+ for (i = 0; i < (int) nelem; i++) {
+ cp = krb5_princ_component(context, principal, i)->data;
+ totalsize += component_length_quoted(krb5_princ_component(context, principal, i), flags);
+ totalsize++; /* This is for the separator */
+ }
+ if (nelem == 0)
+ totalsize++;
+
+ /*
+ * Allocate space for the ascii string; if space has been
+ * provided, use it, realloc'ing it if necessary.
+ *
+ * We need only n-1 seperators for n components, but we need
+ * an extra byte for the NUL at the end.
+ */
+ if (size) {
+ if (*name && (*size < totalsize)) {
+ *name = realloc(*name, totalsize);
} else {
*name = malloc(totalsize);
}
+ *size = totalsize;
+ } else {
+ *name = malloc(totalsize);
+ }
- if (!*name) {
- ret = ENOMEM;
- goto cleanup;
- }
-
- q = *name;
-
- for (i = 0; i < (int) nelem; i++) {
- cp = krb5_princ_component(context, principal, i)->data;
- length = krb5_princ_component(context, principal, i)->length;
- q += copy_component_quoting(q,
- krb5_princ_component(context,
- principal,
- i),
- flags);
- *q++ = COMPONENT_SEP;
- }
-
- if (i > 0)
- q--; /* Back up last component separator */
- if ((flags & KRB5_PRINCIPAL_UNPARSE_NO_REALM) == 0) {
- *q++ = REALM_SEP;
- q += copy_component_quoting(q, krb5_princ_realm(context, principal), flags);
- }
- *q++ = '\0';
+ if (!*name) {
+ ret = ENOMEM;
+ goto cleanup;
+ }
+
+ q = *name;
+
+ for (i = 0; i < (int) nelem; i++) {
+ cp = krb5_princ_component(context, principal, i)->data;
+ length = krb5_princ_component(context, principal, i)->length;
+ q += copy_component_quoting(q,
+ krb5_princ_component(context,
+ principal,
+ i),
+ flags);
+ *q++ = COMPONENT_SEP;
+ }
+
+ if (i > 0)
+ q--; /* Back up last component separator */
+ if ((flags & KRB5_PRINCIPAL_UNPARSE_NO_REALM) == 0) {
+ *q++ = REALM_SEP;
+ q += copy_component_quoting(q, krb5_princ_realm(context, principal), flags);
+ }
+ *q++ = '\0';
cleanup:
- if (default_realm != NULL)
- krb5_free_default_realm(context, default_realm);
+ if (default_realm != NULL)
+ krb5_free_default_realm(context, default_realm);
- return ret;
+ return ret;
}
krb5_error_code KRB5_CALLCONV
krb5_unparse_name(krb5_context context, krb5_const_principal principal, register char **name)
{
if (name != NULL) /* name == NULL will return error from _ext */
- *name = NULL;
+ *name = NULL;
return k5_unparse_name(context, principal, 0, name, NULL);
}
krb5_error_code KRB5_CALLCONV
krb5_unparse_name_ext(krb5_context context, krb5_const_principal principal,
- char **name, unsigned int *size)
+ char **name, unsigned int *size)
{
return k5_unparse_name(context, principal, 0, name, size);
}
krb5_error_code KRB5_CALLCONV
krb5_unparse_name_flags(krb5_context context, krb5_const_principal principal,
- int flags, char **name)
+ int flags, char **name)
{
if (name != NULL)
- *name = NULL;
+ *name = NULL;
return k5_unparse_name(context, principal, flags, name, NULL);
}
krb5_error_code KRB5_CALLCONV
krb5_unparse_name_flags_ext(krb5_context context, krb5_const_principal principal,
- int flags, char **name, unsigned int *size)
+ int flags, char **name, unsigned int *size)
{
return k5_unparse_name(context, principal, flags, name, size);
}
-
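Review bot: In k5_unparse_name the grow path `*name = realloc(*name, totalsize);` overwrites the caller's pointer before the result is checked, so when realloc fails the following `if (!*name)` returns ENOMEM but the caller's original buffer is leaked. Use a temporary: `char *newname = realloc(*name, totalsize); if (newname == NULL) { ret = ENOMEM; goto cleanup; } *name = newname;`. Two smaller points in the same hunk: `cp` and `length` are assigned in both loops of k5_unparse_name but never read, and the `case REALM_SEP:` arm of copy_component_quoting relies on falling into `case COMPONENT_SEP:` whenever the realm is being printed, which deserves an explicit `/* fall through */` marker. copy_component_quoting begins above this hunk.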
diff --git a/src/lib/krb5/krb/valid_times.c b/src/lib/krb5/krb/valid_times.c
index febbc369f..72304efd7 100644
--- a/src/lib/krb5/krb/valid_times.c
+++ b/src/lib/krb5/krb/valid_times.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/valid_times.c
*
@@ -8,7 +9,7 @@
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -22,7 +23,7 @@
* M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
*
* krb5_validate_times()
*/
@@ -37,26 +38,23 @@
krb5_error_code
krb5_validate_times(krb5_context context, krb5_ticket_times *times)
{
- krb5_timestamp currenttime, starttime;
- krb5_error_code retval;
+ krb5_timestamp currenttime, starttime;
+ krb5_error_code retval;
- if ((retval = krb5_timeofday(context, &currenttime)))
- return retval;
+ if ((retval = krb5_timeofday(context, &currenttime)))
+ return retval;
- /* if starttime is not in ticket, then treat it as authtime */
- if (times->starttime != 0)
- starttime = times->starttime;
- else
- starttime = times->authtime;
+ /* if starttime is not in ticket, then treat it as authtime */
+ if (times->starttime != 0)
+ starttime = times->starttime;
+ else
+ starttime = times->authtime;
- if (starttime - currenttime > context->clockskew)
- return KRB5KRB_AP_ERR_TKT_NYV; /* ticket not yet valid */
+ if (starttime - currenttime > context->clockskew)
+ return KRB5KRB_AP_ERR_TKT_NYV; /* ticket not yet valid */
- if ((currenttime - times->endtime) > context->clockskew)
- return KRB5KRB_AP_ERR_TKT_EXPIRED; /* ticket expired */
+ if ((currenttime - times->endtime) > context->clockskew)
+ return KRB5KRB_AP_ERR_TKT_EXPIRED; /* ticket expired */
- return 0;
+ return 0;
}
-
-
-
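Review bot: The two skew checks `starttime - currenttime > context->clockskew` and `(currenttime - times->endtime) > context->clockskew` are plain signed subtractions on krb5_timestamp values; if krb5_timestamp is a signed 32-bit type (its definition is not visible here), the difference overflows, which is undefined behaviour, once either operand passes the 2038 boundary or the two values straddle it. A small static helper that performs the subtraction in unsigned 32-bit arithmetic and converts the result back to a signed delta, e.g. `(int32_t)((uint32_t)a - (uint32_t)b)`, keeps both comparisons well defined and wraps correctly across the boundary. The helper would also make the "starttime absent means authtime" rule above it easier to read as a comment on the time model rather than inline arithmetic.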
diff --git a/src/lib/krb5/krb/vfy_increds.c b/src/lib/krb5/krb/vfy_increds.c
index 6f53f5728..2b9beeb91 100644
--- a/src/lib/krb5/krb/vfy_increds.c
+++ b/src/lib/krb5/krb/vfy_increds.c
@@ -1,232 +1,233 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
#include "k5-int.h"
#include "int-proto.h"
static krb5_error_code
krb5_cc_copy_creds_except(krb5_context context, krb5_ccache incc, krb5_ccache outcc, krb5_principal princ)
{
- krb5_error_code code;
- krb5_flags flags;
- krb5_cc_cursor cur;
- krb5_creds creds;
+ krb5_error_code code;
+ krb5_flags flags;
+ krb5_cc_cursor cur;
+ krb5_creds creds;
- flags = 0; /* turns off OPENCLOSE mode */
- if ((code = krb5_cc_set_flags(context, incc, flags)))
- return(code);
- if ((code = krb5_cc_set_flags(context, outcc, flags)))
- return(code);
+ flags = 0; /* turns off OPENCLOSE mode */
+ if ((code = krb5_cc_set_flags(context, incc, flags)))
+ return(code);
+ if ((code = krb5_cc_set_flags(context, outcc, flags)))
+ return(code);
- if ((code = krb5_cc_start_seq_get(context, incc, &cur)))
- goto cleanup;
+ if ((code = krb5_cc_start_seq_get(context, incc, &cur)))
+ goto cleanup;
- while (!(code = krb5_cc_next_cred(context, incc, &cur, &creds))) {
- if (krb5_principal_compare(context, princ, creds.server))
- continue;
+ while (!(code = krb5_cc_next_cred(context, incc, &cur, &creds))) {
+ if (krb5_principal_compare(context, princ, creds.server))
+ continue;
- code = krb5_cc_store_cred(context, outcc, &creds);
- krb5_free_cred_contents(context, &creds);
- if (code)
- goto cleanup;
- }
+ code = krb5_cc_store_cred(context, outcc, &creds);
+ krb5_free_cred_contents(context, &creds);
+ if (code)
+ goto cleanup;
+ }
- if (code != KRB5_CC_END)
- goto cleanup;
+ if (code != KRB5_CC_END)
+ goto cleanup;
- code = 0;
+ code = 0;
cleanup:
- flags = KRB5_TC_OPENCLOSE;
+ flags = KRB5_TC_OPENCLOSE;
- if (code)
- krb5_cc_set_flags(context, incc, flags);
- else
- code = krb5_cc_set_flags(context, incc, flags);
+ if (code)
+ krb5_cc_set_flags(context, incc, flags);
+ else
+ code = krb5_cc_set_flags(context, incc, flags);
- if (code)
- krb5_cc_set_flags(context, outcc, flags);
- else
- code = krb5_cc_set_flags(context, outcc, flags);
+ if (code)
+ krb5_cc_set_flags(context, outcc, flags);
+ else
+ code = krb5_cc_set_flags(context, outcc, flags);
- return(code);
+ return(code);
}
krb5_error_code KRB5_CALLCONV
krb5_verify_init_creds(krb5_context context,
- krb5_creds *creds,
- krb5_principal server_arg,
- krb5_keytab keytab_arg,
- krb5_ccache *ccache_arg,
- krb5_verify_init_creds_opt *options)
+ krb5_creds *creds,
+ krb5_principal server_arg,
+ krb5_keytab keytab_arg,
+ krb5_ccache *ccache_arg,
+ krb5_verify_init_creds_opt *options)
{
- krb5_error_code ret;
- krb5_principal server;
- krb5_keytab keytab;
- krb5_ccache ccache;
- krb5_keytab_entry kte;
- krb5_creds in_creds, *out_creds;
- krb5_auth_context authcon;
- krb5_data ap_req;
-
- /* KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN */
-
- server = NULL;
- keytab = NULL;
- ccache = NULL;
- out_creds = NULL;
- authcon = NULL;
- ap_req.data = NULL;
-
- if (server_arg) {
- ret = krb5_copy_principal(context, server_arg, &server);
- if (ret)
- goto cleanup;
- } else {
- if ((ret = krb5_sname_to_principal(context, NULL, NULL,
- KRB5_NT_SRV_HST, &server)))
- goto cleanup;
- }
-
- /* first, check if the server is in the keytab. If not, there's
- no reason to continue. rd_req does all this, but there's
- no way to know that a given error is caused by a missing
- keytab or key, and not by some other problem. */
-
- if (keytab_arg) {
- keytab = keytab_arg;
- } else {
- if ((ret = krb5_kt_default(context, &keytab)))
- goto cleanup;
- }
- if (krb5_is_referral_realm(&server->realm)) {
- krb5_free_data_contents(context, &server->realm);
- ret = krb5_get_default_realm(context, &server->realm.data);
- if (ret) goto cleanup;
- server->realm.length = strlen(server->realm.data);
- }
-
- if ((ret = krb5_kt_get_entry(context, keytab, server, 0, 0, &kte))) {
- /* this means there is no keying material. This is ok, as long as
- it is not prohibited by the configuration */
-
- int nofail;
-
- if (options &&
- (options->flags & KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL)) {
- if (options->ap_req_nofail)
- goto cleanup;
- } else if (krb5_libdefault_boolean(context,
- &creds->client->realm,
- KRB5_CONF_VERIFY_AP_REQ_NOFAIL,
- &nofail)
- == 0) {
- if (nofail)
- goto cleanup;
- }
-
- ret = 0;
- goto cleanup;
- }
-
- krb5_kt_free_entry(context, &kte);
-
- /* If the creds are for the server principal, we're set, just do
- a mk_req. Otherwise, do a get_credentials first. */
-
- if (krb5_principal_compare(context, server, creds->server)) {
- /* make an ap_req */
- if ((ret = krb5_mk_req_extended(context, &authcon, 0, NULL, creds,
- &ap_req)))
- goto cleanup;
- } else {
- /* this is unclean, but it's the easiest way without ripping the
- library into very small pieces. store the client's initial cred
- in a memory ccache, then call the library. Later, we'll copy
- everything except the initial cred into the ccache we return to
- the user. A clean implementation would involve library
- internals with a coherent idea of "in" and "out". */
-
- /* insert the initial cred into the ccache */
-
- if ((ret = krb5_cc_new_unique(context, "MEMORY", NULL, &ccache))) {
- ccache = NULL;
- goto cleanup;
- }
-
- if ((ret = krb5_cc_initialize(context, ccache, creds->client)))
- goto cleanup;
-
- if ((ret = krb5_cc_store_cred(context, ccache, creds)))
- goto cleanup;
-
- /* set up for get_creds */
- memset(&in_creds, 0, sizeof(in_creds));
- in_creds.client = creds->client;
- in_creds.server = server;
- if ((ret = krb5_timeofday(context, &in_creds.times.endtime)))
- goto cleanup;
- in_creds.times.endtime += 5*60;
-
- if ((ret = krb5_get_credentials(context, 0, ccache, &in_creds,
- &out_creds)))
- goto cleanup;
-
- /* make an ap_req */
- if ((ret = krb5_mk_req_extended(context, &authcon, 0, NULL, out_creds,
- &ap_req)))
- goto cleanup;
- }
-
- /* wipe the auth context for mk_req */
- if (authcon) {
- krb5_auth_con_free(context, authcon);
- authcon = NULL;
- }
-
- /* verify the ap_req */
-
- if ((ret = krb5_rd_req(context, &authcon, &ap_req, server, keytab,
- NULL, NULL)))
- goto cleanup;
-
- /* if we get this far, then the verification succeeded. We can
- still fail if the library stuff here fails, but that's it */
-
- if (ccache_arg && ccache) {
- if (*ccache_arg == NULL) {
- krb5_ccache retcc;
-
- retcc = NULL;
-
- if ((ret = krb5_cc_resolve(context, "MEMORY:rd_req2", &retcc)) ||
- (ret = krb5_cc_initialize(context, retcc, creds->client)) ||
- (ret = krb5_cc_copy_creds_except(context, ccache, retcc,
- creds->server))) {
- if (retcc)
- krb5_cc_destroy(context, retcc);
- } else {
- *ccache_arg = retcc;
- }
- } else {
- ret = krb5_cc_copy_creds_except(context, ccache, *ccache_arg,
- server);
- }
- }
-
- /* if any of the above paths returned an errors, then ret is set
- accordingly. either that, or it's zero, which is fine, too */
+ krb5_error_code ret;
+ krb5_principal server;
+ krb5_keytab keytab;
+ krb5_ccache ccache;
+ krb5_keytab_entry kte;
+ krb5_creds in_creds, *out_creds;
+ krb5_auth_context authcon;
+ krb5_data ap_req;
+
+ /* KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN */
+
+ server = NULL;
+ keytab = NULL;
+ ccache = NULL;
+ out_creds = NULL;
+ authcon = NULL;
+ ap_req.data = NULL;
+
+ if (server_arg) {
+ ret = krb5_copy_principal(context, server_arg, &server);
+ if (ret)
+ goto cleanup;
+ } else {
+ if ((ret = krb5_sname_to_principal(context, NULL, NULL,
+ KRB5_NT_SRV_HST, &server)))
+ goto cleanup;
+ }
+
+ /* first, check if the server is in the keytab. If not, there's
+ no reason to continue. rd_req does all this, but there's
+ no way to know that a given error is caused by a missing
+ keytab or key, and not by some other problem. */
+
+ if (keytab_arg) {
+ keytab = keytab_arg;
+ } else {
+ if ((ret = krb5_kt_default(context, &keytab)))
+ goto cleanup;
+ }
+ if (krb5_is_referral_realm(&server->realm)) {
+ krb5_free_data_contents(context, &server->realm);
+ ret = krb5_get_default_realm(context, &server->realm.data);
+ if (ret) goto cleanup;
+ server->realm.length = strlen(server->realm.data);
+ }
+
+ if ((ret = krb5_kt_get_entry(context, keytab, server, 0, 0, &kte))) {
+ /* this means there is no keying material. This is ok, as long as
+ it is not prohibited by the configuration */
+
+ int nofail;
+
+ if (options &&
+ (options->flags & KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL)) {
+ if (options->ap_req_nofail)
+ goto cleanup;
+ } else if (krb5_libdefault_boolean(context,
+ &creds->client->realm,
+ KRB5_CONF_VERIFY_AP_REQ_NOFAIL,
+ &nofail)
+ == 0) {
+ if (nofail)
+ goto cleanup;
+ }
+
+ ret = 0;
+ goto cleanup;
+ }
+
+ krb5_kt_free_entry(context, &kte);
+
+ /* If the creds are for the server principal, we're set, just do
+ a mk_req. Otherwise, do a get_credentials first. */
+
+ if (krb5_principal_compare(context, server, creds->server)) {
+ /* make an ap_req */
+ if ((ret = krb5_mk_req_extended(context, &authcon, 0, NULL, creds,
+ &ap_req)))
+ goto cleanup;
+ } else {
+ /* this is unclean, but it's the easiest way without ripping the
+ library into very small pieces. store the client's initial cred
+ in a memory ccache, then call the library. Later, we'll copy
+ everything except the initial cred into the ccache we return to
+ the user. A clean implementation would involve library
+ internals with a coherent idea of "in" and "out". */
+
+ /* insert the initial cred into the ccache */
+
+ if ((ret = krb5_cc_new_unique(context, "MEMORY", NULL, &ccache))) {
+ ccache = NULL;
+ goto cleanup;
+ }
+
+ if ((ret = krb5_cc_initialize(context, ccache, creds->client)))
+ goto cleanup;
+
+ if ((ret = krb5_cc_store_cred(context, ccache, creds)))
+ goto cleanup;
+
+ /* set up for get_creds */
+ memset(&in_creds, 0, sizeof(in_creds));
+ in_creds.client = creds->client;
+ in_creds.server = server;
+ if ((ret = krb5_timeofday(context, &in_creds.times.endtime)))
+ goto cleanup;
+ in_creds.times.endtime += 5*60;
+
+ if ((ret = krb5_get_credentials(context, 0, ccache, &in_creds,
+ &out_creds)))
+ goto cleanup;
+
+ /* make an ap_req */
+ if ((ret = krb5_mk_req_extended(context, &authcon, 0, NULL, out_creds,
+ &ap_req)))
+ goto cleanup;
+ }
+
+ /* wipe the auth context for mk_req */
+ if (authcon) {
+ krb5_auth_con_free(context, authcon);
+ authcon = NULL;
+ }
+
+ /* verify the ap_req */
+
+ if ((ret = krb5_rd_req(context, &authcon, &ap_req, server, keytab,
+ NULL, NULL)))
+ goto cleanup;
+
+ /* if we get this far, then the verification succeeded. We can
+ still fail if the library stuff here fails, but that's it */
+
+ if (ccache_arg && ccache) {
+ if (*ccache_arg == NULL) {
+ krb5_ccache retcc;
+
+ retcc = NULL;
+
+ if ((ret = krb5_cc_resolve(context, "MEMORY:rd_req2", &retcc)) ||
+ (ret = krb5_cc_initialize(context, retcc, creds->client)) ||
+ (ret = krb5_cc_copy_creds_except(context, ccache, retcc,
+ creds->server))) {
+ if (retcc)
+ krb5_cc_destroy(context, retcc);
+ } else {
+ *ccache_arg = retcc;
+ }
+ } else {
+ ret = krb5_cc_copy_creds_except(context, ccache, *ccache_arg,
+ server);
+ }
+ }
+
+ /* if any of the above paths returned an errors, then ret is set
+ accordingly. either that, or it's zero, which is fine, too */
cleanup:
- if ( server)
- krb5_free_principal(context, server);
- if (!keytab_arg && keytab)
- krb5_kt_close(context, keytab);
- if (ccache)
- krb5_cc_destroy(context, ccache);
- if (out_creds)
- krb5_free_creds(context, out_creds);
- if (authcon)
- krb5_auth_con_free(context, authcon);
- if (ap_req.data)
- free(ap_req.data);
-
- return(ret);
+ if ( server)
+ krb5_free_principal(context, server);
+ if (!keytab_arg && keytab)
+ krb5_kt_close(context, keytab);
+ if (ccache)
+ krb5_cc_destroy(context, ccache);
+ if (out_creds)
+ krb5_free_creds(context, out_creds);
+ if (authcon)
+ krb5_auth_con_free(context, authcon);
+ if (ap_req.data)
+ free(ap_req.data);
+
+ return(ret);
}
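Review bot: The ccache handed back when `*ccache_arg == NULL` is opened with the fixed name `"MEMORY:rd_req2"`, while the working cache earlier in the same function is created with `krb5_cc_new_unique`; because `krb5_cc_initialize` wipes whatever that named cache already holds, two callers in one process, or a caller that kept the cache from an earlier call, can clobber each other's credentials. Use the same idiom as the working cache, `ret = krb5_cc_new_unique(context, "MEMORY", NULL, &retcc);`, in place of the `krb5_cc_resolve` call. The two copy branches also exclude different principals: the new-cache branch drops `creds->server` (the initial credential, as the comment in the get_credentials path describes) while the existing-cache branch drops `server` (the host service ticket), so one of the two is probably not what was intended. Finally, when `krb5_kt_get_entry` finds no key and neither the option nor verify_ap_req_nofail is set, the function returns 0 without verifying anything; that is deliberate here but deserves a comment saying that a missing keytab entry means the initial credentials are accepted unverified.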
diff --git a/src/lib/krb5/krb/vic_opt.c b/src/lib/krb5/krb/vic_opt.c
index acdf49406..dfe21e056 100644
--- a/src/lib/krb5/krb/vic_opt.c
+++ b/src/lib/krb5/krb/vic_opt.c
@@ -1,14 +1,15 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
#include "k5-int.h"
void KRB5_CALLCONV
krb5_verify_init_creds_opt_init(krb5_verify_init_creds_opt *opt)
{
- opt->flags = 0;
+ opt->flags = 0;
}
void KRB5_CALLCONV
krb5_verify_init_creds_opt_set_ap_req_nofail(krb5_verify_init_creds_opt *opt, int ap_req_nofail)
{
- opt->flags |= KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL;
- opt->ap_req_nofail = ap_req_nofail;
+ opt->flags |= KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL;
+ opt->ap_req_nofail = ap_req_nofail;
}
diff --git a/src/lib/krb5/krb/walk_rtree.c b/src/lib/krb5/krb/walk_rtree.c
index a22f5864a..d1be2270f 100644
--- a/src/lib/krb5/krb/walk_rtree.c
+++ b/src/lib/krb5/krb/walk_rtree.c
@@ -1,3 +1,4 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
/*
* lib/krb5/krb/walk_rtree.c
*
@@ -107,19 +108,19 @@ krb5_walk_realm_tree(
char **capvals;
if (client->data == NULL || server->data == NULL)
- return KRB5_NO_TKT_IN_RLM;
+ return KRB5_NO_TKT_IN_RLM;
if (client->length == server->length &&
- memcmp(client->data, server->data, server->length) == 0) {
- return KRB5_NO_TKT_IN_RLM;
+ memcmp(client->data, server->data, server->length) == 0) {
+ return KRB5_NO_TKT_IN_RLM;
}
retval = rtree_capath_vals(context, client, server, &capvals);
if (retval)
- return retval;
+ return retval;
if (capvals != NULL) {
- retval = rtree_capath_tree(context, client, server, capvals, tree);
- return retval;
+ retval = rtree_capath_tree(context, client, server, capvals, tree);
+ return retval;
}
retval = rtree_hier_tree(context, client, server, tree, realm_sep);
@@ -148,24 +149,24 @@ krb5_walk_realm_tree(
*
* [capaths]
* ANL.GOV = {
- * NERSC.GOV = ES.NET
- * PNL.GOV = ES.NET
- * ES.NET = .
- * HAL.COM = K5.MOON
- * HAL.COM = K5.JUPITER
+ * NERSC.GOV = ES.NET
+ * PNL.GOV = ES.NET
+ * ES.NET = .
+ * HAL.COM = K5.MOON
+ * HAL.COM = K5.JUPITER
* }
* NERSC.GOV = {
- * ANL.GOV = ES.NET
+ * ANL.GOV = ES.NET
* }
* PNL.GOV = {
- * ANL.GOV = ES.NET
+ * ANL.GOV = ES.NET
* }
* ES.NET = {
- * ANL.GOV = .
+ * ANL.GOV = .
* }
* HAL.COM = {
- * ANL.GOV = K5.JUPITER
- * ANL.GOV = K5.MOON
+ * ANL.GOV = K5.JUPITER
+ * ANL.GOV = K5.MOON
* }
*
* In the above a "." is used to mean directly connected since the
@@ -202,20 +203,20 @@ rtree_capath_tree(
*rettree = NULL;
tree = pprinc = NULL;
for (nvals = 0; vals[nvals] != NULL; nvals++)
- ;
+ ;
if (vals[0] != NULL && *vals[0] == '.') {
- nlinks = 0;
+ nlinks = 0;
} else {
- nlinks = nvals;
+ nlinks = nvals;
}
nprincs = nlinks + 2;
tree = calloc(nprincs + 1, sizeof(krb5_principal));
if (tree == NULL) {
- retval = ENOMEM;
- goto error;
+ retval = ENOMEM;
+ goto error;
}
for (i = 0; i < nprincs + 1; i++)
- tree[i] = NULL;
+ tree[i] = NULL;
/* Invariant: PPRINC points one past end of list. */
pprinc = &tree[0];
/* Local TGS name */
@@ -223,11 +224,11 @@ rtree_capath_tree(
if (retval) goto error;
srcrealm = *client;
for (i = 0; i < nlinks; i++) {
- dstrealm.data = vals[i];
- dstrealm.length = strcspn(vals[i], "\t ");
- retval = krb5_tgtname(context, &dstrealm, &srcrealm, pprinc++);
- if (retval) goto error;
- srcrealm = dstrealm;
+ dstrealm.data = vals[i];
+ dstrealm.length = strcspn(vals[i], "\t ");
+ retval = krb5_tgtname(context, &dstrealm, &srcrealm, pprinc++);
+ if (retval) goto error;
+ srcrealm = dstrealm;
}
retval = krb5_tgtname(context, server, &srcrealm, pprinc++);
if (retval) goto error;
@@ -236,12 +237,12 @@ rtree_capath_tree(
error:
profile_free_list(vals);
if (retval) {
- while (pprinc != NULL && pprinc > &tree[0]) {
- /* krb5_free_principal() correctly handles null input */
- krb5_free_principal(context, *--pprinc);
- *pprinc = NULL;
- }
- free(tree);
+ while (pprinc != NULL && pprinc > &tree[0]) {
+ /* krb5_free_principal() correctly handles null input */
+ krb5_free_principal(context, *--pprinc);
+ *pprinc = NULL;
+ }
+ free(tree);
}
return retval;
}
@@ -267,15 +268,15 @@ rtree_capath_vals(
clientz = calloc(client->length + 1, 1);
if (clientz == NULL) {
- retval = ENOMEM;
- goto error;
+ retval = ENOMEM;
+ goto error;
}
memcpy(clientz, client->data, client->length);
serverz = calloc(server->length + 1, 1);
if (serverz == NULL) {
- retval = ENOMEM;
- goto error;
+ retval = ENOMEM;
+ goto error;
}
memcpy(serverz, server->data, server->length);
@@ -287,13 +288,13 @@ rtree_capath_vals(
switch (retval) {
case PROF_NO_SECTION:
case PROF_NO_RELATION:
- /*
- * Not found; don't return an error.
- */
- retval = 0;
- break;
+ /*
+ * Not found; don't return an error.
+ */
+ retval = 0;
+ break;
default:
- break;
+ break;
}
error:
free(clientz);
@@ -320,31 +321,31 @@ rtree_hier_tree(
*rettree = NULL;
retval = rtree_hier_realms(context, client, server,
- &realms, &nrealms, sep);
+ &realms, &nrealms, sep);
if (retval)
- return retval;
+ return retval;
nprincs = nrealms;
pprinc = tree = calloc(nprincs + 1, sizeof(krb5_principal));
if (tree == NULL) {
- retval = ENOMEM;
- goto error;
+ retval = ENOMEM;
+ goto error;
}
for (i = 0; i < nrealms; i++)
- tree[i] = NULL;
+ tree[i] = NULL;
srcrealm = client;
for (i = 0; i < nrealms; i++) {
- dstrealm = &realms[i];
- retval = krb5_tgtname(context, dstrealm, srcrealm, pprinc++);
- if (retval) goto error;
- srcrealm = dstrealm;
+ dstrealm = &realms[i];
+ retval = krb5_tgtname(context, dstrealm, srcrealm, pprinc++);
+ if (retval) goto error;
+ srcrealm = dstrealm;
}
*rettree = tree;
free_realmlist(context, realms, nrealms);
return 0;
error:
while (pprinc != NULL && pprinc > tree) {
- krb5_free_principal(context, *--pprinc);
- *pprinc = NULL;
+ krb5_free_principal(context, *--pprinc);
+ *pprinc = NULL;
}
free_realmlist(context, realms, nrealms);
free(tree);
@@ -389,27 +390,27 @@ rtree_hier_realms(
rp = r = calloc(nctween + nstween, sizeof(krb5_data));
if (r == NULL) {
- retval = ENOMEM;
- goto error;
+ retval = ENOMEM;
+ goto error;
}
/* Copy client realm "tweens" forward. */
for (twp = ctweens; twp < &ctweens[nctween]; twp++) {
- retval = krb5int_copy_data_contents(context, twp, rp);
- if (retval) goto error;
- rp++;
+ retval = krb5int_copy_data_contents(context, twp, rp);
+ if (retval) goto error;
+ rp++;
}
/* Copy server realm "tweens" backward. */
for (twp = &stweens[nstween]; twp-- > stweens;) {
- retval = krb5int_copy_data_contents(context, twp, rp);
- if (retval) goto error;
- rp++;
+ retval = krb5int_copy_data_contents(context, twp, rp);
+ if (retval) goto error;
+ rp++;
}
error:
free(ctweens);
free(stweens);
if (retval) {
- free_realmlist(context, r, rp - r);
- return retval;
+ free_realmlist(context, r, rp - r);
+ return retval;
}
*realms = r;
*nrealms = rp - r;
@@ -425,7 +426,7 @@ free_realmlist(
size_t i;
for (i = 0; i < nrealms; i++)
- krb5_free_data_contents(context, &realms[i]);
+ krb5_free_data_contents(context, &realms[i]);
free(realms);
}
@@ -457,22 +458,22 @@ rtree_hier_tweens(
*ntweens = n = 0;
for (lp = p = r; p < &r[rlen]; p++) {
- if (*p != sep && &p[1] != &r[rlen])
- continue;
- if (lp == rtail && !dotail)
- break;
- ntws = realloc(tws, (n + 1) * sizeof(krb5_data));
- if (ntws == NULL) {
- free(tws);
- return ENOMEM;
- }
- tws = ntws;
- tws[n].data = lp;
- tws[n].length = &r[rlen] - lp;
- n++;
- if (lp == rtail)
- break;
- lp = &p[1];
+ if (*p != sep && &p[1] != &r[rlen])
+ continue;
+ if (lp == rtail && !dotail)
+ break;
+ ntws = realloc(tws, (n + 1) * sizeof(krb5_data));
+ if (ntws == NULL) {
+ free(tws);
+ return ENOMEM;
+ }
+ tws = ntws;
+ tws[n].data = lp;
+ tws[n].length = &r[rlen] - lp;
+ n++;
+ if (lp == rtail)
+ break;
+ lp = &p[1];
}
*tweens = tws;
*ntweens = n;
@@ -493,7 +494,7 @@ adjtail(struct hstate *c, struct hstate *s, int sep)
cp = c->tail;
sp = s->tail;
if (cp == NULL || sp == NULL)
- return;
+ return;
/*
* Is it a full component? Yes, if it's the beginning of the
* string or there's a separator to the left.
@@ -507,18 +508,18 @@ adjtail(struct hstate *c, struct hstate *s, int sep)
* If they're both full components, we're done.
*/
if (cfull && sfull) {
- return;
+ return;
} else if (c->dot != NULL && s->dot != NULL) {
- cp = c->dot + 1;
- sp = s->dot + 1;
- /*
- * Out of bounds? Can only happen if there are trailing dots.
- */
- if (cp >= &c->str[c->len] || sp >= &s->str[s->len]) {
- cp = sp = NULL;
- }
+ cp = c->dot + 1;
+ sp = s->dot + 1;
+ /*
+ * Out of bounds? Can only happen if there are trailing dots.
+ */
+ if (cp >= &c->str[c->len] || sp >= &s->str[s->len]) {
+ cp = sp = NULL;
+ }
} else {
- cp = sp = NULL;
+ cp = sp = NULL;
}
c->tail = cp;
s->tail = sp;
@@ -538,7 +539,7 @@ comtail(struct hstate *c, struct hstate *s, int sep)
char *cp, *sp, *cdot, *sdot;
if (c->len == 0 || s->len == 0)
- return;
+ return;
cdot = sdot = NULL;
/*
@@ -553,26 +554,26 @@ comtail(struct hstate *c, struct hstate *s, int sep)
* style realm), keep pointers to the latest pair.
*/
while (cp > c->str && sp > s->str) {
- if (*--cp != *--sp) {
- /*
- * Didn't match, so most recent match is one byte to the
- * right (or not at all).
- */
- cp++;
- sp++;
- break;
- }
- /*
- * Keep track of matching dots.
- */
- if (*cp == sep) {
- cdot = cp;
- sdot = sp;
- }
+ if (*--cp != *--sp) {
+ /*
+ * Didn't match, so most recent match is one byte to the
+ * right (or not at all).
+ */
+ cp++;
+ sp++;
+ break;
+ }
+ /*
+ * Keep track of matching dots.
+ */
+ if (*cp == sep) {
+ cdot = cp;
+ sdot = sp;
+ }
}
/* No match found at all. */
if (cp == &c->str[c->len])
- return;
+ return;
c->tail = cp;
s->tail = sp;
c->dot = cdot;