-rw-r--r--src/lib/krb5/krb/Makefile.in8
-rw-r--r--src/lib/krb5/krb/gen_save_subkey.c74
-rw-r--r--src/lib/krb5/krb/get_in_tkt.c201
-rw-r--r--src/lib/krb5/krb/gic_pwd.c48
-rw-r--r--src/lib/krb5/krb/init_ctx.c6
-rw-r--r--src/lib/krb5/krb/int-proto.h8
-rw-r--r--src/lib/krb5/krb/libdef_parse.c149
-rw-r--r--src/lib/krb5/krb/mk_req_ext.c42
-rw-r--r--src/lib/krb5/krb/vfy_increds.c8
-rw-r--r--src/lib/krb5/libkrb5.exports1
-rw-r--r--src/lib/krb5/os/dnsglue.c74
-rw-r--r--src/lib/krb5/os/hst_realm.c74
-rw-r--r--src/lib/krb5/os/init_os_ctx.c6
13 files changed, 383 insertions, 316 deletions
diff --git a/src/lib/krb5/krb/Makefile.in b/src/lib/krb5/krb/Makefile.in
index a8377971d..507be6e80 100644
--- a/src/lib/krb5/krb/Makefile.in
+++ b/src/lib/krb5/krb/Makefile.in
@@ -46,6 +46,7 @@ STLIBOBJS= \
gc_via_tkt.o \
gen_seqnum.o \
gen_subkey.o \
+ gen_save_subkey.o \
get_creds.o \
get_in_tkt.o \
gic_keytab.o \
@@ -57,6 +58,7 @@ STLIBOBJS= \
kdc_rep_dc.o \
kerrs.o \
kfree.o \
+ libdef_parse.o \
mk_cred.o \
mk_error.o \
mk_priv.o \
@@ -136,6 +138,7 @@ OBJS= $(OUTPRE)addr_comp.$(OBJEXT) \
$(OUTPRE)gc_via_tkt.$(OBJEXT) \
$(OUTPRE)gen_seqnum.$(OBJEXT) \
$(OUTPRE)gen_subkey.$(OBJEXT) \
+ $(OUTPRE)gen_save_subkey.$(OBJEXT) \
$(OUTPRE)get_creds.$(OBJEXT) \
$(OUTPRE)get_in_tkt.$(OBJEXT) \
$(OUTPRE)gic_keytab.$(OBJEXT) \
@@ -145,8 +148,9 @@ OBJS= $(OUTPRE)addr_comp.$(OBJEXT) \
$(OUTPRE)init_ctx.$(OBJEXT) \
$(OUTPRE)init_keyblock.$(OBJEXT) \
$(OUTPRE)kdc_rep_dc.$(OBJEXT) \
- $(OUTPRE)kerrs.$(OBJEXT) \
+ $(OUTPRE)kerrs.$(OBJEXT) \
$(OUTPRE)kfree.$(OBJEXT) \
+ $(OUTPRE)libdef_parse.$(OBJEXT) \
$(OUTPRE)mk_cred.$(OBJEXT) \
$(OUTPRE)mk_error.$(OBJEXT) \
$(OUTPRE)mk_priv.$(OBJEXT) \
@@ -227,6 +231,7 @@ SRCS= $(srcdir)/addr_comp.c \
$(srcdir)/gc_via_tkt.c \
$(srcdir)/gen_seqnum.c \
$(srcdir)/gen_subkey.c \
+ $(srcdir)/gen_save_subkey.c \
$(srcdir)/get_creds.c \
$(srcdir)/get_in_tkt.c \
$(srcdir)/gic_keytab.c \
@@ -238,6 +243,7 @@ SRCS= $(srcdir)/addr_comp.c \
$(srcdir)/kdc_rep_dc.c \
$(srcdir)/kerrs.c \
$(srcdir)/kfree.c \
+ $(srcdir)/libdef_parse.c \
$(srcdir)/mk_cred.c \
$(srcdir)/mk_error.c \
$(srcdir)/mk_priv.c \
diff --git a/src/lib/krb5/krb/gen_save_subkey.c b/src/lib/krb5/krb/gen_save_subkey.c
new file mode 100644
index 000000000..b7f63d2d9
--- /dev/null
+++ b/src/lib/krb5/krb/gen_save_subkey.c
@@ -0,0 +1,74 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/*
+ * lib/krb5/krb/gen_save_subkey.c
+ *
+ * Copyright 2009 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ *
+ * krb5int_generate_and_save_subkey()
+ */
+
+#include "k5-int.h"
+#include "auth_con.h"
+
+krb5_error_code
+krb5int_generate_and_save_subkey(krb5_context context,
+ krb5_auth_context auth_context,
+ krb5_keyblock *keyblock,
+ krb5_enctype enctype)
+{
+ /* Provide some more fodder for random number code.
+ This isn't strong cryptographically; the point here is not
+ to guarantee randomness, but to make it less likely that multiple
+ sessions could pick the same subkey. */
+ struct {
+ krb5_int32 sec, usec;
+ } rnd_data;
+ krb5_data d;
+ krb5_error_code retval;
+ krb5_keyblock *kb = NULL;
+
+ if (krb5_crypto_us_timeofday(&rnd_data.sec, &rnd_data.usec) == 0) {
+ d.length = sizeof(rnd_data);
+ d.data = (char *) &rnd_data;
+ krb5_c_random_add_entropy(context, KRB5_C_RANDSOURCE_TIMING, &d);
+ }
+
+ retval = krb5_generate_subkey_extended(context, keyblock, enctype, &kb);
+ if (retval)
+ return retval;
+ retval = krb5_auth_con_setsendsubkey(context, auth_context, kb);
+ if (retval)
+ goto cleanup;
+ retval = krb5_auth_con_setrecvsubkey(context, auth_context, kb);
+ if (retval)
+ goto cleanup;
+
+cleanup:
+ if (retval) {
+ (void) krb5_auth_con_setsendsubkey(context, auth_context, NULL);
+ (void) krb5_auth_con_setrecvsubkey(context, auth_context, NULL);
+ }
+ krb5_free_keyblock(context, kb);
+ return retval;
+}
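Review bot: The `if (retval) goto cleanup;` after the krb5_auth_con_setrecvsubkey call is redundant, since control falls into `cleanup:` on the next line either way; dropping those two lines leaves the same behavior with a cleaner flow. Because `kb` is released unconditionally at cleanup, correctness depends on krb5_auth_con_setsendsubkey and krb5_auth_con_setrecvsubkey taking their own copy of the keyblock rather than retaining the pointer — those setters are not on this page, so a one-line comment such as `/* The auth_context setters copy kb, so our copy is always freed here. */` (confirm against auth_con.c) would save the next reader the same check. The new file's header names the function but states no contract; a short comment that on success send and receive subkeys are the same key and on failure both are reset to NULL would complete it.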
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index 15c67b85e..06b3c3874 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -839,130 +839,6 @@ cleanup:
return (retval);
}
-/* begin libdefaults parsing code. This should almost certainly move
- somewhere else, but I don't know where the correct somewhere else
- is yet. */
-
-/* XXX Duplicating this is annoying; try to work on a better way.*/
-static const char *const conf_yes[] = {
- "y", "yes", "true", "t", "1", "on",
- 0,
-};
-
-static const char *const conf_no[] = {
- "n", "no", "false", "nil", "0", "off",
- 0,
-};
-
-int
-_krb5_conf_boolean(const char *s)
-{
- const char *const *p;
-
- for(p=conf_yes; *p; p++) {
- if (!strcasecmp(*p,s))
- return 1;
- }
-
- for(p=conf_no; *p; p++) {
- if (!strcasecmp(*p,s))
- return 0;
- }
-
- /* Default to "no" */
- return 0;
-}
-
-static krb5_error_code
-krb5_libdefault_string(krb5_context context, const krb5_data *realm,
- const char *option, char **ret_value)
-{
- profile_t profile;
- const char *names[5];
- char **nameval = NULL;
- krb5_error_code retval;
- char realmstr[1024];
-
- if (realm->length > sizeof(realmstr)-1)
- return(EINVAL);
-
- strncpy(realmstr, realm->data, realm->length);
- realmstr[realm->length] = '\0';
-
- if (!context || (context->magic != KV5M_CONTEXT))
- return KV5M_CONTEXT;
-
- profile = context->profile;
-
- names[0] = KRB5_CONF_LIBDEFAULTS;
-
- /*
- * Try number one:
- *
- * [libdefaults]
- * REALM = {
- * option = <boolean>
- * }
- */
-
- names[1] = realmstr;
- names[2] = option;
- names[3] = 0;
- retval = profile_get_values(profile, names, &nameval);
- if (retval == 0 && nameval && nameval[0])
- goto goodbye;
-
- /*
- * Try number two:
- *
- * [libdefaults]
- * option = <boolean>
- */
-
- names[1] = option;
- names[2] = 0;
- retval = profile_get_values(profile, names, &nameval);
- if (retval == 0 && nameval && nameval[0])
- goto goodbye;
-
-goodbye:
- if (!nameval)
- return(ENOENT);
-
- if (!nameval[0]) {
- retval = ENOENT;
- } else {
- *ret_value = strdup(nameval[0]);
- if (!*ret_value)
- retval = ENOMEM;
- }
-
- profile_free_list(nameval);
-
- return retval;
-}
-
-/* not static so verify_init_creds() can call it */
-/* as well as the DNS code */
-
-krb5_error_code
-krb5_libdefault_boolean(krb5_context context, const krb5_data *realm,
- const char *option, int *ret_value)
-{
- char *string = NULL;
- krb5_error_code retval;
-
- retval = krb5_libdefault_string(context, realm, option, &string);
-
- if (retval)
- return(retval);
-
- *ret_value = _krb5_conf_boolean(string);
- free(string);
-
- return(0);
-}
-
/* Sort a pa_data sequence so that types named in the "preferred_preauth_types"
* libdefaults entry are listed before any others. */
static krb5_error_code
@@ -981,8 +857,8 @@ sort_krb5_padata_sequence(krb5_context context, krb5_data *realm,
return 0;
}
- ret = krb5_libdefault_string(context, realm, KRB5_CONF_PREFERRED_PREAUTH_TYPES,
- &preauth_types);
+ ret = krb5int_libdefault_string(context, realm, KRB5_CONF_PREFERRED_PREAUTH_TYPES,
+ &preauth_types);
if ((ret != 0) || (preauth_types == NULL)) {
/* Try to use PKINIT first. */
preauth_types = "17, 16, 15, 14";
@@ -1408,8 +1284,8 @@ krb5_init_creds_init(krb5_context context,
/* forwaradble */
if (opte->flags & KRB5_GET_INIT_CREDS_OPT_FORWARDABLE)
tmp = opte->forwardable;
- else if (krb5_libdefault_boolean(context, &ctx->request->client->realm,
- KRB5_CONF_FORWARDABLE, &tmp) == 0)
+ else if (krb5int_libdefault_boolean(context, &ctx->request->client->realm,
+ KRB5_CONF_FORWARDABLE, &tmp) == 0)
;
else
tmp = 0;
@@ -1419,8 +1295,8 @@ krb5_init_creds_init(krb5_context context,
/* proxiable */
if (opte->flags & KRB5_GET_INIT_CREDS_OPT_PROXIABLE)
tmp = opte->proxiable;
- else if (krb5_libdefault_boolean(context, &ctx->request->client->realm,
- KRB5_CONF_PROXIABLE, &tmp) == 0)
+ else if (krb5int_libdefault_boolean(context, &ctx->request->client->realm,
+ KRB5_CONF_PROXIABLE, &tmp) == 0)
;
else
tmp = 0;
@@ -1430,8 +1306,8 @@ krb5_init_creds_init(krb5_context context,
/* canonicalize */
if (opte->flags & KRB5_GET_INIT_CREDS_OPT_CANONICALIZE)
tmp = 1;
- else if (krb5_libdefault_boolean(context, &ctx->request->client->realm,
- KRB5_CONF_CANONICALIZE, &tmp) == 0)
+ else if (krb5int_libdefault_boolean(context, &ctx->request->client->realm,
+ KRB5_CONF_CANONICALIZE, &tmp) == 0)
;
else
tmp = 0;
@@ -1445,8 +1321,8 @@ krb5_init_creds_init(krb5_context context,
/* ticket lifetime */
if (opte->flags & KRB5_GET_INIT_CREDS_OPT_TKT_LIFE)
ctx->tkt_life = options->tkt_life;
- else if (krb5_libdefault_string(context, &ctx->request->client->realm,
- KRB5_CONF_TICKET_LIFETIME, &str) == 0) {
+ else if (krb5int_libdefault_string(context, &ctx->request->client->realm,
+ KRB5_CONF_TICKET_LIFETIME, &str) == 0) {
code = krb5_string_to_deltat(str, &ctx->tkt_life);
if (code != 0)
goto cleanup;
@@ -1458,8 +1334,8 @@ krb5_init_creds_init(krb5_context context,
/* renewable lifetime */
if (opte->flags & KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE)
ctx->renew_life = options->renew_life;
- else if (krb5_libdefault_string(context, &ctx->request->client->realm,
- KRB5_CONF_RENEW_LIFETIME, &str) == 0) {
+ else if (krb5int_libdefault_string(context, &ctx->request->client->realm,
+ KRB5_CONF_RENEW_LIFETIME, &str) == 0) {
code = krb5_string_to_deltat(str, &ctx->renew_life);
if (code != 0)
goto cleanup;
@@ -1499,8 +1375,8 @@ krb5_init_creds_init(krb5_context context,
&ctx->request->addresses);
if (code != 0)
goto cleanup;
- } else if (krb5_libdefault_boolean(context, &ctx->request->client->realm,
- KRB5_CONF_NOADDRESSES, &tmp) != 0
+ } else if (krb5int_libdefault_boolean(context, &ctx->request->client->realm,
+ KRB5_CONF_NOADDRESSES, &tmp) != 0
|| tmp) {
ctx->request->addresses = NULL;
} else {
@@ -2132,3 +2008,52 @@ cleanup:
return code;
}
+
+krb5_error_code
+krb5int_populate_gic_opt(krb5_context context, krb5_get_init_creds_opt **out,
+ krb5_flags options, krb5_address *const *addrs,
+ krb5_enctype *ktypes,
+ krb5_preauthtype *pre_auth_types, krb5_creds *creds)
+{
+ int i;
+ krb5_int32 starttime;
+ krb5_get_init_creds_opt *opt;
+ krb5_error_code retval;
+
+ *out = NULL;
+ retval = krb5_get_init_creds_opt_alloc(context, &opt);
+ if (retval)
+ return(retval);
+
+ if (addrs)
+ krb5_get_init_creds_opt_set_address_list(opt, (krb5_address **) addrs);
+ if (ktypes) {
+ for (i=0; ktypes[i]; i++);
+ if (i)
+ krb5_get_init_creds_opt_set_etype_list(opt, ktypes, i);
+ }
+ if (pre_auth_types) {
+ for (i=0; pre_auth_types[i]; i++);
+ if (i)
+ krb5_get_init_creds_opt_set_preauth_list(opt, pre_auth_types, i);
+ }
+ if (options&KDC_OPT_FORWARDABLE)
+ krb5_get_init_creds_opt_set_forwardable(opt, 1);
+ else krb5_get_init_creds_opt_set_forwardable(opt, 0);
+ if (options&KDC_OPT_PROXIABLE)
+ krb5_get_init_creds_opt_set_proxiable(opt, 1);
+ else krb5_get_init_creds_opt_set_proxiable(opt, 0);
+ if (creds && creds->times.endtime) {
+ retval = krb5_timeofday(context, &starttime);
+ if (retval)
+ goto cleanup;
+ if (creds->times.starttime) starttime = creds->times.starttime;
+ krb5_get_init_creds_opt_set_tkt_life(opt, creds->times.endtime - starttime);
+ }
+ *out = opt;
+ return 0;
+
+cleanup:
+ krb5_get_init_creds_opt_free(context, opt);
+ return retval;
+}
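Review bot: The lifetime passed to krb5_get_init_creds_opt_set_tkt_life is `creds->times.endtime - starttime` with no check that endtime is later than starttime, so caller-supplied creds whose endtime is already in the past (or earlier than their own starttime) produce a negative or wrapped lifetime; a guard such as `if (creds->times.endtime > starttime) krb5_get_init_creds_opt_set_tkt_life(opt, creds->times.endtime - starttime);` (or an explicit error return) would keep nonsense values out of the options. The empty-bodied `for (i=0; ktypes[i]; i++);` and `for (i=0; pre_auth_types[i]; i++);` loops are a classic trailing-semicolon trap for readers and would be clearer with an explicit `{}` body or a comment like `/* count entries up to the terminating 0 */`. Since this is now the only definition (the copy in gic_pwd.c is removed), it deserves a header comment stating that on success `*out` is owned by the caller and must be released with krb5_get_init_creds_opt_free, and that `*out` is NULL on failure.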
diff --git a/src/lib/krb5/krb/gic_pwd.c b/src/lib/krb5/krb/gic_pwd.c
index 4d2875f34..cadd7ad35 100644
--- a/src/lib/krb5/krb/gic_pwd.c
+++ b/src/lib/krb5/krb/gic_pwd.c
@@ -419,54 +419,6 @@ cleanup:
return(ret);
}
-krb5_error_code
-krb5int_populate_gic_opt(krb5_context context, krb5_get_init_creds_opt **out,
- krb5_flags options, krb5_address *const *addrs,
- krb5_enctype *ktypes,
- krb5_preauthtype *pre_auth_types, krb5_creds *creds)
-{
- int i;
- krb5_int32 starttime;
- krb5_get_init_creds_opt *opt;
- krb5_error_code retval;
-
- *out = NULL;
- retval = krb5_get_init_creds_opt_alloc(context, &opt);
- if (retval)
- return(retval);
-
- if (addrs)
- krb5_get_init_creds_opt_set_address_list(opt, (krb5_address **) addrs);
- if (ktypes) {
- for (i=0; ktypes[i]; i++);
- if (i)
- krb5_get_init_creds_opt_set_etype_list(opt, ktypes, i);
- }
- if (pre_auth_types) {
- for (i=0; pre_auth_types[i]; i++);
- if (i)
- krb5_get_init_creds_opt_set_preauth_list(opt, pre_auth_types, i);
- }
- if (options&KDC_OPT_FORWARDABLE)
- krb5_get_init_creds_opt_set_forwardable(opt, 1);
- else krb5_get_init_creds_opt_set_forwardable(opt, 0);
- if (options&KDC_OPT_PROXIABLE)
- krb5_get_init_creds_opt_set_proxiable(opt, 1);
- else krb5_get_init_creds_opt_set_proxiable(opt, 0);
- if (creds && creds->times.endtime) {
- retval = krb5_timeofday(context, &starttime);
- if (retval)
- goto cleanup;
- if (creds->times.starttime) starttime = creds->times.starttime;
- krb5_get_init_creds_opt_set_tkt_life(opt, creds->times.endtime - starttime);
- }
- *out = opt;
- return 0;
-cleanup:
- krb5_get_init_creds_opt_free(context, opt);
- return retval;
-}
-
/*
Rewrites get_in_tkt in terms of newer get_init_creds API.
Attempts to get an initial ticket for creds->client to use server
diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c
index 6ffee90bb..3bdbdd508 100644
--- a/src/lib/krb5/krb/init_ctx.c
+++ b/src/lib/krb5/krb/init_ctx.c
@@ -647,3 +647,9 @@ errout:
}
return ret;
}
+
+krb5_error_code KRB5_CALLCONV
+krb5_get_profile (krb5_context ctx, profile_t *profile)
+{
+ return profile_copy (ctx->profile, profile);
+}
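Review bot: `krb5_get_profile` dereferences `ctx->profile` without validating `ctx`, whereas the other context-consuming code in this commit (krb5int_libdefault_string in libdef_parse.c) guards with `if (!context || (context->magic != KV5M_CONTEXT)) return KV5M_CONTEXT;`; as a public KRB5_CALLCONV entry point this is the function more likely to receive a NULL or stale handle, so the same check `if (ctx == NULL || ctx->magic != KV5M_CONTEXT) return KV5M_CONTEXT;` belongs before the profile_copy call. The move from init_os_ctx.c is otherwise verbatim. A one-line comment that `*profile` is a fresh copy the caller must release (presumably with profile_release — confirm against the profile library) would document the ownership the profile_copy call implies.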
diff --git a/src/lib/krb5/krb/int-proto.h b/src/lib/krb5/krb/int-proto.h
index 47555d678..4450bfcf1 100644
--- a/src/lib/krb5/krb/int-proto.h
+++ b/src/lib/krb5/krb/int-proto.h
@@ -37,8 +37,12 @@ krb5_tgtname(krb5_context context, const krb5_data *, const krb5_data *,
krb5_principal *);
krb5_error_code
-krb5_libdefault_boolean(krb5_context, const krb5_data *, const char *,
- int *);
+krb5int_libdefault_boolean(krb5_context, const krb5_data *, const char *,
+ int *);
+krb5_error_code
+krb5int_libdefault_string(krb5_context context, const krb5_data *realm,
+ const char *option, char **ret_value);
+
krb5_error_code krb5_ser_authdata_init (krb5_context);
krb5_error_code krb5_ser_address_init (krb5_context);
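Review bot: The two renamed/added declarations are written in different styles — `krb5int_libdefault_boolean` with bare types and `krb5int_libdefault_string` directly below it with parameter names — so one of them should be rewritten to match the other. Note that the rename also removes `krb5_libdefault_boolean` from libkrb5.exports in this commit, so any out-of-tree code that linked against the old public name will no longer link; that is the intended scope of a krb5int_ symbol, but it is worth stating in the commit description.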
diff --git a/src/lib/krb5/krb/libdef_parse.c b/src/lib/krb5/krb/libdef_parse.c
new file mode 100644
index 000000000..84485a803
--- /dev/null
+++ b/src/lib/krb5/krb/libdef_parse.c
@@ -0,0 +1,149 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/*
+ * lib/krb5/krb/libdef_parse.c
+ *
+ * Copyright 2009 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ * krb5int_libdefault_string()
+ * krb5int_libdefault_boolean()
+ *
+ */
+#include "k5-int.h"
+#include "int-proto.h"
+
+static const char *const conf_yes[] = {
+ "y", "yes", "true", "t", "1", "on",
+ 0,
+};
+
+static const char *const conf_no[] = {
+ "n", "no", "false", "nil", "0", "off",
+ 0,
+};
+
+int
+_krb5_conf_boolean(const char *s)
+{
+ const char *const *p;
+
+ for(p=conf_yes; *p; p++) {
+ if (!strcasecmp(*p,s))
+ return 1;
+ }
+
+ for(p=conf_no; *p; p++) {
+ if (!strcasecmp(*p,s))
+ return 0;
+ }
+
+ /* Default to "no" */
+ return 0;
+}
+
+krb5_error_code
+krb5int_libdefault_string(krb5_context context, const krb5_data *realm,
+ const char *option, char **ret_value)
+{
+ profile_t profile;
+ const char *names[5];
+ char **nameval = NULL;
+ krb5_error_code retval;
+ char realmstr[1024];
+
+ if (realm->length > sizeof(realmstr)-1)
+ return(EINVAL);
+
+ strncpy(realmstr, realm->data, realm->length);
+ realmstr[realm->length] = '\0';
+
+ if (!context || (context->magic != KV5M_CONTEXT))
+ return KV5M_CONTEXT;
+
+ profile = context->profile;
+
+ names[0] = KRB5_CONF_LIBDEFAULTS;
+
+ /*
+ * Try number one:
+ *
+ * [libdefaults]
+ * REALM = {
+ * option = <boolean>
+ * }
+ */
+
+ names[1] = realmstr;
+ names[2] = option;
+ names[3] = 0;
+ retval = profile_get_values(profile, names, &nameval);
+ if (retval == 0 && nameval && nameval[0])
+ goto goodbye;
+
+
+ /*
+ * Try number two:
+ *
+ * [libdefaults]
+ * option = <boolean>
+ */
+
+ names[1] = option;
+ names[2] = 0;
+ retval = profile_get_values(profile, names, &nameval);
+ if (retval == 0 && nameval && nameval[0])
+ goto goodbye;
+
+goodbye:
+ if (!nameval)
+ return(ENOENT);
+
+ if (!nameval[0]) {
+ retval = ENOENT;
+ } else {
+ *ret_value = strdup(nameval[0]);
+ if (!*ret_value)
+ retval = ENOMEM;
+ }
+
+ profile_free_list(nameval);
+
+ return retval;
+}
+
+krb5_error_code
+krb5int_libdefault_boolean(krb5_context context, const krb5_data *realm,
+ const char *option, int *ret_value)
+{
+ char *string = NULL;
+ krb5_error_code retval;
+
+ retval = krb5int_libdefault_string(context, realm, option, &string);
+
+ if (retval)
+ return(retval);
+
+ *ret_value = _krb5_conf_boolean(string);
+ free(string);
+
+ return(0);
+}
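Review bot: `_krb5_conf_boolean` maps every string outside the conf_yes/conf_no tables to 0, and it is reached via krb5int_libdefault_boolean from security-sensitive settings such as verify_ap_req_nofail in vfy_increds.c, so a misspelled value in the configuration quietly selects the permissive reading; now that this file is the single home of the parser, that contract should be stated on the function, e.g. `/* Unrecognized values are treated as "no" (0); callers cannot distinguish a typo from an explicit "false". */`. The name `_krb5_conf_boolean` is a file-scope identifier starting with an underscore, which C reserves for the implementation; it has external linkage but is not declared in the int-proto.h hunk shown (it may be declared elsewhere), so either make it `static` if nothing else uses it or rename it `krb5int_conf_boolean` and declare it alongside the other two. In krb5int_libdefault_string, `names[5]` uses at most four entries, the `realm->length` check runs before the context validity check, and the `if (retval == 0 && nameval && nameval[0]) goto goodbye;` immediately above the `goodbye:` label is a no-op — small cleanups worth doing while the code is being moved.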
diff --git a/src/lib/krb5/krb/mk_req_ext.c b/src/lib/krb5/krb/mk_req_ext.c
index 17e05c805..4eba01638 100644
--- a/src/lib/krb5/krb/mk_req_ext.c
+++ b/src/lib/krb5/krb/mk_req_ext.c
@@ -80,48 +80,6 @@ generate_authenticator(krb5_context,
krb5_enctype *desired_etypes,
krb5_enctype tkt_enctype);
-krb5_error_code
-krb5int_generate_and_save_subkey(krb5_context context,
- krb5_auth_context auth_context,
- krb5_keyblock *keyblock,
- krb5_enctype enctype)
-{
- /* Provide some more fodder for random number code.
- This isn't strong cryptographically; the point here is not
- to guarantee randomness, but to make it less likely that multiple
- sessions could pick the same subkey. */
- struct {
- krb5_int32 sec, usec;
- } rnd_data;
- krb5_data d;
- krb5_error_code retval;
- krb5_keyblock *kb = NULL;
-
- if (krb5_crypto_us_timeofday(&rnd_data.sec, &rnd_data.usec) == 0) {
- d.length = sizeof(rnd_data);
- d.data = (char *) &rnd_data;
- krb5_c_random_add_entropy(context, KRB5_C_RANDSOURCE_TIMING, &d);
- }
-
- retval = krb5_generate_subkey_extended(context, keyblock, enctype, &kb);
- if (retval)
- return retval;
- retval = krb5_auth_con_setsendsubkey(context, auth_context, kb);
- if (retval)
- goto cleanup;
- retval = krb5_auth_con_setrecvsubkey(context, auth_context, kb);
- if (retval)
- goto cleanup;
-
-cleanup:
- if (retval) {
- (void) krb5_auth_con_setsendsubkey(context, auth_context, NULL);
- (void) krb5_auth_con_setrecvsubkey(context, auth_context, NULL);
- }
- krb5_free_keyblock(context, kb);
- return retval;
-}
-
krb5_error_code KRB5_CALLCONV
krb5_mk_req_extended(krb5_context context, krb5_auth_context *auth_context,
krb5_flags ap_req_options, krb5_data *in_data,
diff --git a/src/lib/krb5/krb/vfy_increds.c b/src/lib/krb5/krb/vfy_increds.c
index f71e7a909..5eeda426b 100644
--- a/src/lib/krb5/krb/vfy_increds.c
+++ b/src/lib/krb5/krb/vfy_increds.c
@@ -115,10 +115,10 @@ krb5_verify_init_creds(krb5_context context,
(options->flags & KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL)) {
if (options->ap_req_nofail)
goto cleanup;
- } else if (krb5_libdefault_boolean(context,
- &creds->client->realm,
- KRB5_CONF_VERIFY_AP_REQ_NOFAIL,
- &nofail) == 0) {
+ } else if (krb5int_libdefault_boolean(context,
+ &creds->client->realm,
+ KRB5_CONF_VERIFY_AP_REQ_NOFAIL,
+ &nofail) == 0) {
if (nofail)
goto cleanup;
}
diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports
index a1dfd940d..1c35c4592 100644
--- a/src/lib/krb5/libkrb5.exports
+++ b/src/lib/krb5/libkrb5.exports
@@ -401,7 +401,6 @@ krb5_ktf_ops
krb5_ktf_writable_ops
krb5_kts_ops
krb5_kuserok
-krb5_libdefault_boolean
krb5_locate_kdc
krb5_lock_file
krb5_make_authdata_kdc_issued
diff --git a/src/lib/krb5/os/dnsglue.c b/src/lib/krb5/os/dnsglue.c
index 47b455a96..4742c0a12 100644
--- a/src/lib/krb5/os/dnsglue.c
+++ b/src/lib/krb5/os/dnsglue.c
@@ -2,7 +2,7 @@
/*
* lib/krb5/os/dnsglue.c
*
- * Copyright 2004 by the Massachusetts Institute of Technology.
+ * Copyright 2004, 2009 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
@@ -333,4 +333,76 @@ out:
#endif
+/*
+ * Try to look up a TXT record pointing to a Kerberos realm
+ */
+
+krb5_error_code
+krb5_try_realm_txt_rr(const char *prefix, const char *name, char **realm)
+{
+ krb5_error_code retval = KRB5_ERR_HOST_REALM_UNKNOWN;
+ const unsigned char *p, *base;
+ char host[MAXDNAME];
+ int ret, rdlen, len;
+ struct krb5int_dns_state *ds = NULL;
+ struct k5buf buf;
+
+ /*
+ * Form our query, and send it via DNS
+ */
+
+ krb5int_buf_init_fixed(&buf, host, sizeof(host));
+ if (name == NULL || name[0] == '\0') {
+ krb5int_buf_add(&buf, prefix);
+ } else {
+ krb5int_buf_add_fmt(&buf, "%s.%s", prefix, name);
+
+ /* Realm names don't (normally) end with ".", but if the query
+ doesn't end with "." and doesn't get an answer as is, the
+ resolv code will try appending the local domain. Since the
+ realm names are absolutes, let's stop that.
+
+ But only if a name has been specified. If we are performing
+ a search on the prefix alone then the intention is to allow
+ the local domain or domain search lists to be expanded.
+ */
+
+ len = krb5int_buf_len(&buf);
+ if (len > 0 && host[len - 1] != '.')
+ krb5int_buf_add(&buf, ".");
+ }
+ if (krb5int_buf_data(&buf) == NULL)
+ return KRB5_ERR_HOST_REALM_UNKNOWN;
+ ret = krb5int_dns_init(&ds, host, C_IN, T_TXT);
+ if (ret < 0)
+ goto errout;
+
+ ret = krb5int_dns_nextans(ds, &base, &rdlen);
+ if (ret < 0 || base == NULL)
+ goto errout;
+
+ p = base;
+ if (!INCR_OK(base, rdlen, p, 1))
+ goto errout;
+ len = *p++;
+ *realm = malloc((size_t)len + 1);
+ if (*realm == NULL) {
+ retval = ENOMEM;
+ goto errout;
+ }
+ strncpy(*realm, (const char *)p, (size_t)len);
+ (*realm)[len] = '\0';
+ /* Avoid a common error. */
+ if ( (*realm)[len-1] == '.' )
+ (*realm)[len-1] = '\0';
+ retval = 0;
+
+errout:
+ if (ds != NULL) {
+ krb5int_dns_fini(ds);
+ ds = NULL;
+ }
+ return retval;
+}
+
#endif /* KRB5_DNS_LOOKUP */
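Review bot: The TXT-record copy trusts the length byte from the answer: `INCR_OK(base, rdlen, p, 1)` only proves one byte remains before `len = *p++`, yet the strncpy then reads `len` bytes from `p` with no check that they lie within `rdlen`, so a short or malformed record makes the copy read past the rdata; add `if (!INCR_OK(base, rdlen, p, len)) goto errout;` before the malloc. The trailing-dot fix-up `(*realm)[len-1]` is also evaluated when `len` is 0, which indexes one byte before the allocation; guard it as `if (len > 0 && (*realm)[len-1] == '.')`. Both issues are carried over verbatim from hst_realm.c, so the move is a good moment to fix them, and a comment noting that the result is the first character-string of an unauthenticated DNS TXT answer would document why callers should treat it as untrusted input.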
diff --git a/src/lib/krb5/os/hst_realm.c b/src/lib/krb5/os/hst_realm.c
index 208b93223..23c7893b6 100644
--- a/src/lib/krb5/os/hst_realm.c
+++ b/src/lib/krb5/os/hst_realm.c
@@ -84,80 +84,8 @@ domain_heuristic(krb5_context context, const char *domain,
char **realm, int limit);
#ifdef KRB5_DNS_LOOKUP
-
#include "dnsglue.h"
-/*
- * Try to look up a TXT record pointing to a Kerberos realm
- */
-
-krb5_error_code
-krb5_try_realm_txt_rr(const char *prefix, const char *name, char **realm)
-{
- krb5_error_code retval = KRB5_ERR_HOST_REALM_UNKNOWN;
- const unsigned char *p, *base;
- char host[MAXDNAME];
- int ret, rdlen, len;
- struct krb5int_dns_state *ds = NULL;
- struct k5buf buf;
-
- /*
- * Form our query, and send it via DNS
- */
-
- krb5int_buf_init_fixed(&buf, host, sizeof(host));
- if (name == NULL || name[0] == '\0') {
- krb5int_buf_add(&buf, prefix);
- } else {
- krb5int_buf_add_fmt(&buf, "%s.%s", prefix, name);
-
- /* Realm names don't (normally) end with ".", but if the query
- doesn't end with "." and doesn't get an answer as is, the
- resolv code will try appending the local domain. Since the
- realm names are absolutes, let's stop that.
-
- But only if a name has been specified. If we are performing
- a search on the prefix alone then the intention is to allow
- the local domain or domain search lists to be expanded.
- */
-
- len = krb5int_buf_len(&buf);
- if (len > 0 && host[len - 1] != '.')
- krb5int_buf_add(&buf, ".");
- }
- if (krb5int_buf_data(&buf) == NULL)
- return KRB5_ERR_HOST_REALM_UNKNOWN;
- ret = krb5int_dns_init(&ds, host, C_IN, T_TXT);
- if (ret < 0)
- goto errout;
-
- ret = krb5int_dns_nextans(ds, &base, &rdlen);
- if (ret < 0 || base == NULL)
- goto errout;
-
- p = base;
- if (!INCR_OK(base, rdlen, p, 1))
- goto errout;
- len = *p++;
- *realm = malloc((size_t)len + 1);
- if (*realm == NULL) {
- retval = ENOMEM;
- goto errout;
- }
- strncpy(*realm, (const char *)p, (size_t)len);
- (*realm)[len] = '\0';
- /* Avoid a common error. */
- if ( (*realm)[len-1] == '.' )
- (*realm)[len-1] = '\0';
- retval = 0;
-
-errout:
- if (ds != NULL) {
- krb5int_dns_fini(ds);
- ds = NULL;
- }
- return retval;
-}
-#else /* KRB5_DNS_LOOKUP */
+#else
#ifndef MAXDNAME
#define MAXDNAME (16 * MAXHOSTNAMELEN)
#endif /* MAXDNAME */
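Review bot: The `#else /* KRB5_DNS_LOOKUP */` annotation is replaced by a bare `#else`, which after the function removal sits far from its `#ifdef KRB5_DNS_LOOKUP` and loses the hint the file keeps elsewhere (`#endif /* MAXDNAME */` two lines down); restore it as `#else /* KRB5_DNS_LOOKUP */`. This is a point of style only; the removal of krb5_try_realm_txt_rr here matches the copy added to dnsglue.c.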
diff --git a/src/lib/krb5/os/init_os_ctx.c b/src/lib/krb5/os/init_os_ctx.c
index 7f2110f8e..0b89740ed 100644
--- a/src/lib/krb5/os/init_os_ctx.c
+++ b/src/lib/krb5/os/init_os_ctx.c
@@ -402,12 +402,6 @@ krb5_os_init_context(krb5_context ctx, krb5_boolean kdc)
return retval;
}
-krb5_error_code KRB5_CALLCONV
-krb5_get_profile (krb5_context ctx, profile_t *profile)
-{
- return profile_copy (ctx->profile, profile);
-}
-
krb5_error_code
krb5_set_config_files(krb5_context ctx, const char **filenames)
{