Merge branch 'master' into lukeh/acquire-cred-ex

Luke Howard
2011-05-14 14:56:16 +02:00
224 changed files with 2134 additions and 2129 deletions


@@ -113,7 +113,7 @@ kt_add(struct add_options *opt, int argc, char **argv)
goto out;
}
if (hex_decode(opt->password_string, data, len) != len) {
if ((size_t)hex_decode(opt->password_string, data, len) != len) {
free(data);
krb5_warn(context, ENOMEM, "hex decode failed");
goto out;
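Review bot: The cast in the new condition `if ((size_t)hex_decode(opt->password_string, data, len) != len)` silences the sign-compare warning but also hides the failure case: hex_decode's prototype is not in the hunk, and if it signals an error with a negative value that value only reaches the error branch because it wraps to SIZE_MAX. Spelling the two cases out keeps the intent visible, `int n = hex_decode(opt->password_string, data, len);` followed by `if (n < 0 || (size_t)n != len) {`. The error code handed to krb5_warn on the next line, ENOMEM, does not describe a decode failure either; that is existing text, but worth correcting while the line is touched. kt_add begins and ends outside the hunk.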


@@ -90,7 +90,8 @@ kt_get(struct get_options *opt, int argc, char **argv)
void *kadm_handle = NULL;
krb5_enctype *etypes = NULL;
size_t netypes = 0;
int i, j;
size_t i;
int a, j;
unsigned int failed = 0;
if((keytab = ktutil_open_keytab()) == NULL)
@@ -120,7 +121,7 @@ kt_get(struct get_options *opt, int argc, char **argv)
}
for(i = 0; i < argc; i++){
for(a = 0; a < argc; a++){
krb5_principal princ_ent;
kadm5_principal_ent_rec princ;
int mask = 0;
@@ -129,9 +130,9 @@ kt_get(struct get_options *opt, int argc, char **argv)
int created = 0;
krb5_keytab_entry entry;
ret = krb5_parse_name(context, argv[i], &princ_ent);
ret = krb5_parse_name(context, argv[a], &princ_ent);
if (ret) {
krb5_warn(context, ret, "can't parse principal %s", argv[i]);
krb5_warn(context, ret, "can't parse principal %s", argv[a]);
failed++;
continue;
}
@@ -161,14 +162,14 @@ kt_get(struct get_options *opt, int argc, char **argv)
if(ret == 0)
created = 1;
else if(ret != KADM5_DUP) {
krb5_warn(context, ret, "kadm5_create_principal(%s)", argv[i]);
krb5_warn(context, ret, "kadm5_create_principal(%s)", argv[a]);
krb5_free_principal(context, princ_ent);
failed++;
continue;
}
ret = kadm5_randkey_principal(kadm_handle, princ_ent, &keys, &n_keys);
if (ret) {
krb5_warn(context, ret, "kadm5_randkey_principal(%s)", argv[i]);
krb5_warn(context, ret, "kadm5_randkey_principal(%s)", argv[a]);
krb5_free_principal(context, princ_ent);
failed++;
continue;
@@ -177,7 +178,7 @@ kt_get(struct get_options *opt, int argc, char **argv)
ret = kadm5_get_principal(kadm_handle, princ_ent, &princ,
KADM5_PRINCIPAL | KADM5_KVNO | KADM5_ATTRIBUTES);
if (ret) {
krb5_warn(context, ret, "kadm5_get_principal(%s)", argv[i]);
krb5_warn(context, ret, "kadm5_get_principal(%s)", argv[a]);
for (j = 0; j < n_keys; j++)
krb5_free_keyblock_contents(context, &keys[j]);
krb5_free_principal(context, princ_ent);
@@ -185,7 +186,7 @@ kt_get(struct get_options *opt, int argc, char **argv)
continue;
}
if(!created && (princ.attributes & KRB5_KDB_DISALLOW_ALL_TIX))
krb5_warnx(context, "%s: disallow-all-tix flag set - clearing", argv[i]);
krb5_warnx(context, "%s: disallow-all-tix flag set - clearing", argv[a]);
princ.attributes &= (~KRB5_KDB_DISALLOW_ALL_TIX);
mask = KADM5_ATTRIBUTES;
if(created) {
@@ -194,7 +195,7 @@ kt_get(struct get_options *opt, int argc, char **argv)
}
ret = kadm5_modify_principal(kadm_handle, &princ, mask);
if (ret) {
krb5_warn(context, ret, "kadm5_modify_principal(%s)", argv[i]);
krb5_warn(context, ret, "kadm5_modify_principal(%s)", argv[a]);
for (j = 0; j < n_keys; j++)
krb5_free_keyblock_contents(context, &keys[j]);
krb5_free_principal(context, princ_ent);
@@ -205,7 +206,7 @@ kt_get(struct get_options *opt, int argc, char **argv)
int do_add = TRUE;
if (netypes) {
int k;
size_t k;
do_add = FALSE;
for (k = 0; k < netypes; ++k)
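Review bot: The loop `for(a = 0; a < argc; a++){` now uses the single-letter `a` for the argv index only so that `i` can become `size_t`, yet none of the shown hunks use the new `size_t i` at all, so the rename costs readability without a visible gain. A name that says what it indexes, e.g. `int argi;` with `for (argi = 0; argi < argc; argi++) {`, would read better in the eight krb5_warn calls that print `argv[a]`. The `size_t k` loop at the end of the section is the only place where the unsigned change is visible; `j` stays int against `n_keys`, whose type is not in the hunk. kt_get starts and ends outside the shown hunks.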


@@ -53,72 +53,43 @@
is a program for managing keytabs.
Supported options:
.Bl -tag -width Ds
.It Xo
.Fl v ,
.Fl -verbose
.Xc
.It Fl v , Fl -verbose
Verbose output.
.El
.Pp
.Ar command
can be one of the following:
.Bl -tag -width srvconvert
.It add Xo
.Op Fl p Ar principal
.Op Fl -principal= Ns Ar principal
.Op Fl V Ar kvno
.Op Fl -kvno= Ns Ar kvno
.Op Fl e Ar enctype
.Op Fl -enctype= Ns Ar enctype
.Op Fl w Ar password
.Op Fl -password= Ns Ar password
.Op Fl r
.Op Fl -random
.Op Fl s
.Op Fl -no-salt
.Op Fl H
.Op Fl -hex
.Xc
.It add Oo Fl p Ar principal Oc Oo Fl -principal= Ns Ar principal Oc \
Oo Fl V Ar kvno Oc Oo Fl -kvno= Ns Ar kvno Oc Oo Fl e Ar enctype Oc \
Oo Fl -enctype= Ns Ar enctype Oc Oo Fl w Ar password Oc \
Oo Fl -password= Ns Ar password Oc Oo Fl r Oc Oo Fl -random Oc \
Oo Fl s Oc Oo Fl -no-salt Oc Oo Fl H Oc Op Fl -hex
Adds a key to the keytab. Options that are not specified will be
prompted for. This requires that you know the password or the hex key of the
principal to add; if what you really want is to add a new principal to
the keytab, you should consider the
.Ar get
command, which talks to the kadmin server.
.It change Xo
.Op Fl r Ar realm
.Op Fl -realm= Ns Ar realm
.Op Fl -a Ar host
.Op Fl -admin-server= Ns Ar host
.Op Fl -s Ar port
.Op Fl -server-port= Ns Ar port
.Xc
.It change Oo Fl r Ar realm Oc Oo Fl -realm= Ns Ar realm Oc \
Oo Fl -a Ar host Oc Oo Fl -admin-server= Ns Ar host Oc \
Oo Fl -s Ar port Oc Op Fl -server-port= Ns Ar port
Update one or several keys to new versions. By default, use the admin
server for the realm of a keytab entry. Otherwise it will use the
values specified by the options.
.Pp
If no principals are given, all the ones in the keytab are updated.
.It copy Xo
.Ar keytab-src
.Ar keytab-dest
.Xc
.It copy Ar keytab-src Ar keytab-dest
Copies all the entries from
.Ar keytab-src
to
.Ar keytab-dest .
.It get Xo
.Op Fl p Ar admin principal
.Op Fl -principal= Ns Ar admin principal
.Op Fl e Ar enctype
.Op Fl -enctypes= Ns Ar enctype
.Op Fl r Ar realm
.Op Fl -realm= Ns Ar realm
.Op Fl a Ar admin server
.Op Fl -admin-server= Ns Ar admin server
.Op Fl s Ar server port
.Op Fl -server-port= Ns Ar server port
.Ar principal ...
.Xc
.It get Oo Fl p Ar admin principal Oc \
Oo Fl -principal= Ns Ar admin principal Oc Oo Fl e Ar enctype Oc \
Oo Fl -enctypes= Ns Ar enctype Oc Oo Fl r Ar realm Oc \
Oo Fl -realm= Ns Ar realm Oc Oo Fl a Ar admin server Oc \
Oo Fl -admin-server= Ns Ar admin server Oc Oo Fl s Ar server port Oc \
Oo Fl -server-port= Ns Ar server port Oc Ar principal ...
For each
.Ar principal ,
generate a new key for it (creating it if it doesn't already exist),
@@ -128,35 +99,22 @@ If no
.Ar realm
is specified, the realm to operate on is taken from the first
principal.
.It list Xo
.Op Fl -keys
.Op Fl -timestamp
.Xc
.It list Oo Fl -keys Oc Op Fl -timestamp
List the keys stored in the keytab.
.It remove Xo
.Op Fl p Ar principal
.Op Fl -principal= Ns Ar principal
.Op Fl V kvno
.Op Fl -kvno= Ns Ar kvno
.Op Fl e enctype
.Op Fl -enctype= Ns Ar enctype
.Xc
.It remove Oo Fl p Ar principal Oc Oo Fl -principal= Ns Ar principal Oc \
Oo Fl V kvno Oc Oo Fl -kvno= Ns Ar kvno Oc Oo Fl e enctype Oc \
Oo Fl -enctype= Ns Ar enctype Oc
Removes the specified key or keys. Not specifying a
.Ar kvno
removes keys with any version number. Not specifying an
.Ar enctype
removes keys of any type.
.It rename Xo
.Ar from-principal
.Ar to-principal
.Xc
.It rename Ar from-principal Ar to-principal
Renames all entries in the keytab that match the
.Ar from-principal
to
.Ar to-principal .
.It purge Xo
.Op Fl -age= Ns Ar age
.Xc
.It purge Op Fl -age= Ns Ar age
Removes all old versions of a key for which there is a newer version
that is at least
.Ar age


@@ -118,8 +118,11 @@ help(void *opt, int argc, char **argv)
argv[0]);
} else {
if(c->func) {
char *fake[] = { NULL, "--help", NULL };
char shelp[] = "--help";
char *fake[3];
fake[0] = argv[0];
fake[1] = shelp;
fake[2] = NULL;
(*c->func)(2, fake);
fprintf(stderr, "\n");
}
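Review bot: The new `char shelp[] = "--help";` and `char *fake[3];` block replaces a `{ NULL, "--help", NULL }` initializer and also changes what the sub-command sees as its argv[0], but nothing says why either change was made, so the next reader may fold it back into the literal. A short comment would preserve the intent, e.g. `/* the command functions take a non-const argv, so keep "--help" in writable storage; pass our argv[0] through so the sub-command's usage text names the program */`; the first half is what the code shows, the second is inferred from `fake[0] = argv[0];` and should be confirmed. help() begins and ends outside the hunk.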


@@ -113,7 +113,7 @@ do_list(struct list_options *opt, const char *keytab_str)
rtbl_add_column_entry_by_id(table, 3, buf);
}
if(opt->keys_flag) {
int i;
size_t i;
s = malloc(2 * entry.keyblock.keyvalue.length + 1);
if (s == NULL) {
krb5_warnx(context, "malloc failed");


@@ -608,11 +608,11 @@ TerminalSpeeds(long *input_speed, long *output_speed)
int
TerminalWindowSize(long *rows, long *cols)
{
struct winsize ws;
int irows, icols;
if (get_window_size (STDIN_FILENO, &ws) == 0) {
*rows = ws.ws_row;
*cols = ws.ws_col;
if (get_window_size(STDIN_FILENO, &irows, &icols) == 0) {
*rows = irows;
*cols = icols;
return 1;
} else
return 0;
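Review bot: The new `int irows, icols;` are only written inside get_window_size, so the function relies on the callee's 0 return to guarantee both were set; initialising them, `int irows = 0, icols = 0;`, costs nothing and keeps -Wmaybe-uninitialized quiet when the callee is not inlined. The `else` after `return 1;` is redundant and could be dropped so the failure path reads as a plain `return 0;`. The section shows the whole function body except its closing brace.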


@@ -237,12 +237,16 @@ http_query(const char *host, const char *page,
in_ptr -= 2;
break;
} else if (state == RESPONSE) {
req->response = strndup(in_buf, p - in_buf);
req->response = emalloc(p - in_buf + 1);
memcpy(req->response, in_buf, p - in_buf);
req->response[p - in_buf] = '\0';
state = HEADER;
} else {
req->headers = realloc(req->headers,
(req->num_headers + 1) * sizeof(req->headers[0]));
req->headers[req->num_headers] = strndup(in_buf, p - in_buf);
req->headers[req->num_headers] = emalloc(p - in_buf + 1);
memcpy(req->headers[req->num_headers], in_buf, p - in_buf);
req->headers[req->num_headers][p - in_buf] = '\0';
if (req->headers[req->num_headers] == NULL)
errx(1, "strdup");
req->num_headers++;
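Review bot: After `req->headers[req->num_headers] = emalloc(p - in_buf + 1);` the check two lines below, `if (req->headers[req->num_headers] == NULL) errx(1, "strdup");`, is dead if emalloc exits on failure as its name suggests, and its message still names strdup, which the hunk removed. The allocation that really can fail here is the `realloc` of `req->headers` just above, whose result is indexed without a check and overwrites the old pointer; moving the guard there fixes both: `void *tmp = realloc(req->headers, (req->num_headers + 1) * sizeof(req->headers[0]));` then `if (tmp == NULL) errx(1, "realloc");` and `req->headers = tmp;`. The same emalloc-plus-memcpy-plus-terminator sequence is repeated for req->response and could be one small helper. http_query begins and ends outside the hunk.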


@@ -77,7 +77,7 @@ struct heim_type_data dict_object = {
static size_t
isprime(size_t p)
{
int q, i;
size_t q, i;
for(i = 2 ; i < p; i++) {
q = p / i;


@@ -172,6 +172,8 @@ if test "X$with_sqlite3" != Xyes ; then
fi
AM_CONDITIONAL(SQLITE3, test "X$with_sqlite3" = Xyes)
AC_DEFINE(HAVE_SQLITE3, 1, [Define if you want support for sqlite in Heimdal.])
AC_ARG_ENABLE(sqlite-cache,
AS_HELP_STRING([--disable-sqlite-cache],[if you want support for cache in sqlite]))
if test "$enable_sqlite_cache" != no; then
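Review bot: The help string of the new `AC_ARG_ENABLE(sqlite-cache, ...)` contradicts its option: `--disable-sqlite-cache` is documented as `if you want support for cache in sqlite`. The text should describe what disabling does, e.g. `AS_HELP_STRING([--disable-sqlite-cache],[disable support for the sqlite credential cache])`; that the cache is the credential cache is inferred from the option name and the `$enable_sqlite_cache` test below and should be confirmed. The if-block that uses the variable continues outside the hunk.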


@@ -91,6 +91,7 @@ Bugfixes, documentation, encouragement, and code has been contributed by:
@item Sho Hosoda, 細田 将
@item Stefan Metzmacher
@item Ted Percival
@item Tom Payerle
@item Victor Guerra
@item Zeqing Xia
@item Åke Sandgren


@@ -84,7 +84,7 @@ or implied warranty.
@heading The Regents of the University of California
The parts of the libroken, most of libtelnet, libeditline, telnet, ftp,
The parts of the libroken, most of libtelnet, telnet, ftp,
and popper.
@verbatim


@@ -39,21 +39,21 @@
*/
static krb5_error_code
get_default (kadm5_server_context *context,
get_default (kadm5_server_context *contextp,
krb5_principal princ,
kadm5_principal_ent_t default_ent)
{
krb5_error_code ret;
krb5_principal def_principal;
krb5_const_realm realm = krb5_principal_get_realm(context->context, princ);
krb5_const_realm realm = krb5_principal_get_realm(contextp->context, princ);
ret = krb5_make_principal (context->context, &def_principal,
ret = krb5_make_principal (contextp->context, &def_principal,
realm, "default", NULL);
if (ret)
return ret;
ret = kadm5_get_principal (context, def_principal, default_ent,
ret = kadm5_get_principal (contextp, def_principal, default_ent,
KADM5_PRINCIPAL_NORMAL_MASK);
krb5_free_principal (context->context, def_principal);
krb5_free_principal (contextp->context, def_principal);
return ret;
}


@@ -86,7 +86,7 @@ do_check_entry(krb5_principal principal, void *data)
ret = krb5_enctype_keysize(context,
princ.key_data[i].key_data_type[0],
&keysize);
if (ret == 0 && keysize != princ.key_data[i].key_data_length[0]) {
if (ret == 0 && keysize != (size_t)princ.key_data[i].key_data_length[0]) {
krb5_warnx(context,
"Principal %s enctype %d, wrong length: %lu\n",
name, princ.key_data[i].key_data_type[0],


@@ -110,9 +110,9 @@ add_column(struct get_entry_data *data, struct field_name *ff, const char *heade
static int
cmp_salt (const krb5_salt *salt, const krb5_key_data *k)
{
if (salt->salttype != k->key_data_type[1])
if (salt->salttype != (size_t)k->key_data_type[1])
return 1;
if (salt->saltvalue.length != k->key_data_length[1])
if (salt->saltvalue.length != (size_t)k->key_data_length[1])
return 1;
return memcmp (salt->saltvalue.data, k->key_data_contents[1],
salt->saltvalue.length);
@@ -245,7 +245,7 @@ format_field(kadm5_principal_ent_t princ, unsigned int field,
krb5_tl_data *tl;
for (tl = princ->tl_data; tl != NULL; tl = tl->tl_data_next)
if (tl->tl_data_type == subfield)
if ((unsigned)tl->tl_data_type == subfield)
break;
if (tl == NULL) {
strlcpy(buf, "", buf_len);
@@ -261,7 +261,8 @@ format_field(kadm5_principal_ent_t princ, unsigned int field,
case KRB5_TL_PKINIT_ACL: {
HDB_Ext_PKINIT_acl acl;
size_t size;
int i, ret;
int ret;
size_t i;
ret = decode_HDB_Ext_PKINIT_acl(tl->tl_data_contents,
tl->tl_data_length,
@@ -293,7 +294,8 @@ format_field(kadm5_principal_ent_t princ, unsigned int field,
case KRB5_TL_ALIASES: {
HDB_Ext_Aliases alias;
size_t size;
int i, ret;
int ret;
size_t i;
ret = decode_HDB_Ext_Aliases(tl->tl_data_contents,
tl->tl_data_length,
@@ -309,7 +311,7 @@ format_field(kadm5_principal_ent_t princ, unsigned int field,
ret = krb5_unparse_name(context, &alias.aliases.val[i], &p);
if (ret)
break;
if (i < 0)
if (i > 0)
strlcat(buf, " ", buf_len);
strlcat(buf, p, buf_len);
free(p);


@@ -43,12 +43,12 @@ struct kadm_port {
} *kadm_ports;
static void
add_kadm_port(krb5_context context, const char *service, unsigned int port)
add_kadm_port(krb5_context contextp, const char *service, unsigned int port)
{
struct kadm_port *p;
p = malloc(sizeof(*p));
if(p == NULL) {
krb5_warnx(context, "failed to allocate %lu bytes\n",
krb5_warnx(contextp, "failed to allocate %lu bytes\n",
(unsigned long)sizeof(*p));
return;
}
@@ -61,9 +61,9 @@ add_kadm_port(krb5_context context, const char *service, unsigned int port)
}
static void
add_standard_ports (krb5_context context)
add_standard_ports (krb5_context contextp)
{
add_kadm_port(context, "kerberos-adm", 749);
add_kadm_port(contextp, "kerberos-adm", 749);
}
/*
@@ -73,15 +73,15 @@ add_standard_ports (krb5_context context)
*/
void
parse_ports(krb5_context context, const char *str)
parse_ports(krb5_context contextp, const char *str)
{
char p[128];
while(strsep_copy(&str, " \t", p, sizeof(p)) != -1) {
if(strcmp(p, "+") == 0)
add_standard_ports(context);
add_standard_ports(contextp);
else
add_kadm_port(context, p, 0);
add_kadm_port(contextp, p, 0);
}
}
@@ -120,10 +120,11 @@ terminate(int sig)
}
static int
spawn_child(krb5_context context, int *socks,
spawn_child(krb5_context contextp, int *socks,
unsigned int num_socks, int this_sock)
{
int e, i;
int e;
size_t i;
struct sockaddr_storage __ss;
struct sockaddr *sa = (struct sockaddr *)&__ss;
socklen_t sa_size = sizeof(__ss);
@@ -135,20 +136,20 @@ spawn_child(krb5_context context, int *socks,
s = accept(socks[this_sock], sa, &sa_size);
if(rk_IS_BAD_SOCKET(s)) {
krb5_warn(context, rk_SOCK_ERRNO, "accept");
krb5_warn(contextp, rk_SOCK_ERRNO, "accept");
return 1;
}
e = krb5_sockaddr2address(context, sa, &addr);
e = krb5_sockaddr2address(contextp, sa, &addr);
if(e)
krb5_warn(context, e, "krb5_sockaddr2address");
krb5_warn(contextp, e, "krb5_sockaddr2address");
else {
e = krb5_print_address (&addr, buf, sizeof(buf),
&buf_len);
if(e)
krb5_warn(context, e, "krb5_print_address");
krb5_warn(contextp, e, "krb5_print_address");
else
krb5_warnx(context, "connection from %s", buf);
krb5_free_address(context, &addr);
krb5_warnx(contextp, "connection from %s", buf);
krb5_free_address(contextp, &addr);
}
pid = fork();
@@ -167,7 +168,7 @@ spawn_child(krb5_context context, int *socks,
}
static void
wait_for_connection(krb5_context context,
wait_for_connection(krb5_context contextp,
krb5_socket_t *socks, unsigned int num_socks)
{
unsigned int i;
@@ -200,13 +201,13 @@ wait_for_connection(krb5_context context,
e = select(max_fd + 1, &read_set, NULL, NULL, NULL);
if(rk_IS_SOCKET_ERROR(e)) {
if(rk_SOCK_ERRNO != EINTR)
krb5_warn(context, rk_SOCK_ERRNO, "select");
krb5_warn(contextp, rk_SOCK_ERRNO, "select");
} else if(e == 0)
krb5_warnx(context, "select returned 0");
krb5_warnx(contextp, "select returned 0");
else {
for(i = 0; i < num_socks; i++) {
if(FD_ISSET(socks[i], &read_set))
if(spawn_child(context, socks, num_socks, i) == 0)
if(spawn_child(contextp, socks, num_socks, i) == 0)
return;
}
}
@@ -221,7 +222,7 @@ wait_for_connection(krb5_context context,
void
start_server(krb5_context context, const char *port_str)
start_server(krb5_context contextp, const char *port_str)
{
int e;
struct kadm_port *p;
@@ -233,7 +234,7 @@ start_server(krb5_context context, const char *port_str)
if (port_str == NULL)
port_str = "+";
parse_ports(context, port_str);
parse_ports(contextp, port_str);
for(p = kadm_ports; p; p = p->next) {
struct addrinfo hints, *ai, *ap;
@@ -249,7 +250,7 @@ start_server(krb5_context context, const char *port_str)
}
if(e) {
krb5_warn(context, krb5_eai_to_heim_errno(e, errno),
krb5_warn(contextp, krb5_eai_to_heim_errno(e, errno),
"%s", portstr);
continue;
}
@@ -258,7 +259,7 @@ start_server(krb5_context context, const char *port_str)
i++;
tmp = realloc(socks, (num_socks + i) * sizeof(*socks));
if(tmp == NULL) {
krb5_warnx(context, "failed to reallocate %lu bytes",
krb5_warnx(contextp, "failed to reallocate %lu bytes",
(unsigned long)(num_socks + i) * sizeof(*socks));
continue;
}
@@ -266,7 +267,7 @@ start_server(krb5_context context, const char *port_str)
for(ap = ai; ap; ap = ap->ai_next) {
krb5_socket_t s = socket(ap->ai_family, ap->ai_socktype, ap->ai_protocol);
if(rk_IS_BAD_SOCKET(s)) {
krb5_warn(context, rk_SOCK_ERRNO, "socket");
krb5_warn(contextp, rk_SOCK_ERRNO, "socket");
continue;
}
@@ -274,12 +275,12 @@ start_server(krb5_context context, const char *port_str)
socket_set_ipv6only(s, 1);
if (rk_IS_SOCKET_ERROR(bind (s, ap->ai_addr, ap->ai_addrlen))) {
krb5_warn(context, rk_SOCK_ERRNO, "bind");
krb5_warn(contextp, rk_SOCK_ERRNO, "bind");
rk_closesocket(s);
continue;
}
if (rk_IS_SOCKET_ERROR(listen (s, SOMAXCONN))) {
krb5_warn(context, rk_SOCK_ERRNO, "listen");
krb5_warn(contextp, rk_SOCK_ERRNO, "listen");
rk_closesocket(s);
continue;
}
@@ -288,7 +289,7 @@ start_server(krb5_context context, const char *port_str)
freeaddrinfo (ai);
}
if(num_socks == 0)
krb5_errx(context, 1, "no sockets to listen to - exiting");
krb5_errx(contextp, 1, "no sockets to listen to - exiting");
wait_for_connection(context, socks, num_socks);
wait_for_connection(contextp, socks, num_socks);
}
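Review bot: The commit is fixing signed/unsigned mismatches in this file, but `if(spawn_child(contextp, socks, num_socks, i) == 0)` in wait_for_connection still passes the `unsigned int i` loop index into `int this_sock`, which then indexes `socks[this_sock]`; declaring the parameter `unsigned int this_sock` would match both the caller and `num_socks`. The new `size_t i;` in spawn_child is not used on any shown line, so whether it matches what it is compared against cannot be checked here. The context line `struct sockaddr_storage __ss;` uses a double-underscore name, which is reserved for the implementation; renaming it to `ss` would be in keeping with this cleanup. Every function in this section starts or ends outside the shown hunks.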


@@ -40,34 +40,13 @@
.Sh SYNOPSIS
.Nm
.Bk -words
.Oo Fl p Ar string \*(Ba Xo
.Fl -principal= Ns Ar string
.Xc
.Oc
.Oo Fl K Ar string \*(Ba Xo
.Fl -keytab= Ns Ar string
.Xc
.Oc
.Oo Fl c Ar file \*(Ba Xo
.Fl -config-file= Ns Ar file
.Xc
.Oc
.Oo Fl k Ar file \*(Ba Xo
.Fl -key-file= Ns Ar file
.Xc
.Oc
.Oo Fl r Ar realm \*(Ba Xo
.Fl -realm= Ns Ar realm
.Xc
.Oc
.Oo Fl a Ar host \*(Ba Xo
.Fl -admin-server= Ns Ar host
.Xc
.Oc
.Oo Fl s Ar port number \*(Ba Xo
.Fl -server-port= Ns Ar port number
.Xc
.Oc
.Op Fl p Ar string \*(Ba Fl -principal= Ns Ar string
.Op Fl K Ar string \*(Ba Fl -keytab= Ns Ar string
.Op Fl c Ar file \*(Ba Fl -config-file= Ns Ar file
.Op Fl k Ar file \*(Ba Fl -key-file= Ns Ar file
.Op Fl r Ar realm \*(Ba Fl -realm= Ns Ar realm
.Op Fl a Ar host \*(Ba Fl -admin-server= Ns Ar host
.Op Fl s Ar port number \*(Ba Fl -server-port= Ns Ar port number
.Op Fl l | Fl -local
.Op Fl h | Fl -help
.Op Fl v | Fl -version
@@ -84,45 +63,21 @@ option).
.Pp
Supported options:
.Bl -tag -width Ds
.It Xo
.Fl p Ar string ,
.Fl -principal= Ns Ar string
.Xc
.It Fl p Ar string , Fl -principal= Ns Ar string
principal to authenticate as
.It Xo
.Fl K Ar string ,
.Fl -keytab= Ns Ar string
.Xc
.It Fl K Ar string , Fl -keytab= Ns Ar string
keytab for authentication principal
.It Xo
.Fl c Ar file ,
.Fl -config-file= Ns Ar file
.Xc
.It Fl c Ar file , Fl -config-file= Ns Ar file
location of config file
.It Xo
.Fl k Ar file ,
.Fl -key-file= Ns Ar file
.Xc
.It Fl k Ar file , Fl -key-file= Ns Ar file
location of master key file
.It Xo
.Fl r Ar realm ,
.Fl -realm= Ns Ar realm
.Xc
.It Fl r Ar realm , Fl -realm= Ns Ar realm
realm to use
.It Xo
.Fl a Ar host ,
.Fl -admin-server= Ns Ar host
.Xc
.It Fl a Ar host , Fl -admin-server= Ns Ar host
server to contact
.It Xo
.Fl s Ar port number ,
.Fl -server-port= Ns Ar port number
.Xc
.It Fl s Ar port number , Fl -server-port= Ns Ar port number
port to use
.It Xo
.Fl l ,
.Fl -local
.Xc
.It Fl l , Fl -local
local admin mode
.El
.Pp
@@ -148,10 +103,7 @@ Commands include:
.Nm add
.Op Fl r | Fl -random-key
.Op Fl -random-password
.Oo Fl p Ar string \*(Ba Xo
.Fl -password= Ns Ar string
.Xc
.Oc
.Op Fl p Ar string \*(Ba Fl -password= Ns Ar string
.Op Fl -key= Ns Ar string
.Op Fl -max-ticket-life= Ns Ar lifetime
.Op Fl -max-renewable-life= Ns Ar lifetime


@@ -52,9 +52,9 @@ static getarg_strings policy_libraries = { 0, NULL };
static struct getargs args[] = {
{ "principal", 'p', arg_string, &client_name,
"principal to authenticate as" },
"principal to authenticate as", NULL },
{ "keytab", 'K', arg_string, &keytab,
"keytab for authentication principal" },
"keytab for authentication principal", NULL },
{
"config-file", 'c', arg_string, &config_file,
"location of config file", "file"
@@ -75,7 +75,8 @@ static struct getargs args[] = {
"server-port", 's', arg_integer, &server_port,
"port to use", "port number"
},
{ "ad", 0, arg_flag, &ad_flag, "active directory admin mode" },
{ "ad", 0, arg_flag, &ad_flag, "active directory admin mode",
NULL },
#ifdef HAVE_DLOPEN
{ "check-library", 0, arg_string, &check_library,
"library to load password check function from", "library" },
@@ -84,9 +85,9 @@ static struct getargs args[] = {
{ "policy-libraries", 0, arg_strings, &policy_libraries,
"password check function to load", "function" },
#endif
{ "local", 'l', arg_flag, &local_flag, "local admin mode" },
{ "help", 'h', arg_flag, &help_flag },
{ "version", 'v', arg_flag, &version_flag }
{ "local", 'l', arg_flag, &local_flag, "local admin mode", NULL },
{ "help", 'h', arg_flag, &help_flag, NULL, NULL },
{ "version", 'v', arg_flag, &version_flag, NULL, NULL }
};
static int num_args = sizeof(args) / sizeof(args[0]);


@@ -76,8 +76,7 @@ The
.Xr kpasswdd 8
daemon is responsible for the Kerberos 5 password changing protocol
(used by
.Xr kpasswd 1 )
.
.Xr kpasswd 1 ) .
.Pp
This daemon should only be run on the master server, and not on any
slaves.
@@ -118,34 +117,17 @@ glob-style pattern.
.Pp
Supported options:
.Bl -tag -width Ds
.It Xo
.Fl c Ar file ,
.Fl -config-file= Ns Ar file
.Xc
.It Fl c Ar file , Fl -config-file= Ns Ar file
location of config file
.It Xo
.Fl k Ar file ,
.Fl -key-file= Ns Ar file
.Xc
.It Fl k Ar file , Fl -key-file= Ns Ar file
location of master key file
.It Xo
.Fl -keytab= Ns Ar keytab
.Xc
.It Fl -keytab= Ns Ar keytab
what keytab to use
.It Xo
.Fl r Ar realm ,
.Fl -realm= Ns Ar realm
.Xc
.It Fl r Ar realm , Fl -realm= Ns Ar realm
realm to use
.It Xo
.Fl d ,
.Fl -debug
.Xc
.It Fl d , Fl -debug
enable debugging
.It Xo
.Fl p Ar port ,
.Fl -ports= Ns Ar port
.Xc
.It Fl p Ar port , Fl -ports= Ns Ar port
ports to listen to. By default, if run as a daemon, it listens to port
749, but you can add any number of ports with this option. The port
string is a whitespace separated list of port specifications, with the


@@ -37,7 +37,8 @@ static char *check_library = NULL;
static char *check_function = NULL;
static getarg_strings policy_libraries = { 0, NULL };
static char *config_file;
static char *keytab_str = "HDB:";
static char sHDB[] = "HDB:";
static char *keytab_str = sHDB;
static int help_flag;
static int version_flag;
static int debug_flag;
@@ -65,12 +66,12 @@ static struct getargs args[] = {
"password check function to load", "function" },
#endif
{ "debug", 'd', arg_flag, &debug_flag,
"enable debugging"
"enable debugging", NULL
},
{ "ports", 'p', arg_string, &port_str,
"ports to listen to", "port" },
{ "help", 'h', arg_flag, &help_flag },
{ "version", 'v', arg_flag, &version_flag }
{ "help", 'h', arg_flag, &help_flag, NULL, NULL },
{ "version", 'v', arg_flag, &version_flag, NULL, NULL }
};
static int num_args = sizeof(args) / sizeof(args[0]);
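Review bot: `static char sHDB[] = "HDB:";` with `static char *keytab_str = sHDB;` keeps a string literal out of a non-const `char *`, but nothing records why the array exists, and the next reader may fold it back into the literal. A comment such as `/* keytab_str is a non-const arg_string target, so its default must live in writable storage rather than a string literal */` would preserve the intent; that a getargs entry stores into keytab_str is inferred from the `arg_string` entries in the table below, not shown for this variable, and should be confirmed. The NULL padding added to the remaining getargs initialisers does not change their meaning.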


@@ -153,7 +153,7 @@ parse_keys(hdb_entry *ent, char *str)
krb5_error_code ret;
int tmp;
char *p;
int i;
size_t i;
p = strsep(&str, ":");
if (sscanf(p, "%d", &tmp) != 1)


@@ -55,7 +55,7 @@ add_tl(kadm5_principal_ent_rec *princ, int type, krb5_data *data)
}
static void
add_constrained_delegation(krb5_context context,
add_constrained_delegation(krb5_context contextp,
kadm5_principal_ent_rec *princ,
struct getarg_strings *strings)
{
@@ -81,13 +81,13 @@ add_constrained_delegation(krb5_context context,
ext.data.u.allowed_to_delegate_to.len = strings->num_strings;
for (i = 0; i < strings->num_strings; i++) {
ret = krb5_parse_name(context, strings->strings[i], &p);
ret = krb5_parse_name(contextp, strings->strings[i], &p);
if (ret)
abort();
ret = copy_Principal(p, &ext.data.u.allowed_to_delegate_to.val[i]);
if (ret)
abort();
krb5_free_principal(context, p);
krb5_free_principal(contextp, p);
}
}
@@ -103,7 +103,7 @@ add_constrained_delegation(krb5_context context,
}
static void
add_aliases(krb5_context context, kadm5_principal_ent_rec *princ,
add_aliases(krb5_context contextp, kadm5_principal_ent_rec *princ,
struct getarg_strings *strings)
{
krb5_error_code ret;
@@ -128,9 +128,9 @@ add_aliases(krb5_context context, kadm5_principal_ent_rec *princ,
ext.data.u.aliases.aliases.len = strings->num_strings;
for (i = 0; i < strings->num_strings; i++) {
ret = krb5_parse_name(context, strings->strings[i], &p);
ret = krb5_parse_name(contextp, strings->strings[i], &p);
ret = copy_Principal(p, &ext.data.u.aliases.aliases.val[i]);
krb5_free_principal(context, p);
krb5_free_principal(contextp, p);
}
}
@@ -146,7 +146,7 @@ add_aliases(krb5_context context, kadm5_principal_ent_rec *princ,
}
static void
add_pkinit_acl(krb5_context context, kadm5_principal_ent_rec *princ,
add_pkinit_acl(krb5_context contextp, kadm5_principal_ent_rec *princ,
struct getarg_strings *strings)
{
krb5_error_code ret;
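Review bot: In add_aliases the new line `ret = krb5_parse_name(contextp, strings->strings[i], &p);` is immediately overwritten by `ret = copy_Principal(p, &ext.data.u.aliases.aliases.val[i]);`, so a parse failure is never seen and `p` is passed on in whatever state krb5_parse_name left it. The sibling loop in add_constrained_delegation checks the same call with `if (ret) abort();` and add_aliases should do the same after its parse; the copy_Principal result is likewise unchecked in add_aliases while add_constrained_delegation aborts on it. All three functions in this section begin or end outside the shown hunks.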


@@ -161,7 +161,7 @@ parse_name(const unsigned char *p, size_t len,
static void
gss_error(krb5_context context,
gss_error(krb5_context contextp,
gss_OID mech, OM_uint32 type, OM_uint32 error)
{
OM_uint32 new_stat;
@@ -176,7 +176,7 @@ gss_error(krb5_context context,
mech,
&msg_ctx,
&status_string);
krb5_warnx(context, "%.*s",
krb5_warnx(contextp, "%.*s",
(int)status_string.length,
(char *)status_string.value);
gss_release_buffer (&new_stat, &status_string);
@@ -184,11 +184,11 @@ gss_error(krb5_context context,
}
static void
gss_print_errors (krb5_context context,
gss_print_errors (krb5_context contextp,
OM_uint32 maj_stat, OM_uint32 min_stat)
{
gss_error(context, GSS_C_NO_OID, GSS_C_GSS_CODE, maj_stat);
gss_error(context, GSS_C_NO_OID, GSS_C_MECH_CODE, min_stat);
gss_error(contextp, GSS_C_NO_OID, GSS_C_GSS_CODE, maj_stat);
gss_error(contextp, GSS_C_NO_OID, GSS_C_MECH_CODE, min_stat);
}
static int
@@ -204,10 +204,10 @@ read_data(krb5_storage *sp, krb5_storage *msg, size_t len)
tlen = sizeof(buf);
slen = krb5_storage_read(sp, buf, tlen);
INSIST(slen == tlen);
INSIST((size_t)slen == tlen);
slen = krb5_storage_write(msg, buf, tlen);
INSIST(slen == tlen);
INSIST((size_t)slen == tlen);
len -= tlen;
}
@@ -252,7 +252,7 @@ store_data_xdr(krb5_storage *sp, krb5_data data)
static const char zero[4] = { 0, 0, 0, 0 };
ret = krb5_storage_write(sp, zero, res);
if(ret != res)
if((size_t)ret != res)
return (ret < 0)? errno : krb5_storage_get_eof_code(sp);
}
return 0;
@@ -273,7 +273,7 @@ ret_data_xdr(krb5_storage *sp, krb5_data *data)
res = 4 - (data->length % 4);
if (res != 4) {
ret = krb5_storage_read(sp, buf, res);
if(ret != res)
if((size_t)ret != res)
return (ret < 0)? errno : krb5_storage_get_eof_code(sp);
}
}
@@ -362,19 +362,19 @@ ret_string_xdr(krb5_storage *sp, char **str)
}
static int
store_principal_xdr(krb5_context context,
store_principal_xdr(krb5_context contextp,
krb5_storage *sp,
krb5_principal p)
{
char *str;
CHECK(krb5_unparse_name(context, p, &str));
CHECK(krb5_unparse_name(contextp, p, &str));
CHECK(store_string_xdr(sp, str));
free(str);
return 0;
}
static int
ret_principal_xdr(krb5_context context,
ret_principal_xdr(krb5_context contextp,
krb5_storage *sp,
krb5_principal *p)
{
@@ -382,27 +382,27 @@ ret_principal_xdr(krb5_context context,
*p = NULL;
CHECK(ret_string_xdr(sp, &str));
if (str) {
CHECK(krb5_parse_name(context, str, p));
CHECK(krb5_parse_name(contextp, str, p));
free(str);
}
return 0;
}
static int
store_principal_ent(krb5_context context,
store_principal_ent(krb5_context contextp,
krb5_storage *sp,
kadm5_principal_ent_rec *ent)
{
size_t i;
int i;
CHECK(store_principal_xdr(context, sp, ent->principal));
CHECK(store_principal_xdr(contextp, sp, ent->principal));
CHECK(krb5_store_uint32(sp, ent->princ_expire_time));
CHECK(krb5_store_uint32(sp, ent->pw_expiration));
CHECK(krb5_store_uint32(sp, ent->last_pwd_change));
CHECK(krb5_store_uint32(sp, ent->max_life));
CHECK(krb5_store_int32(sp, ent->mod_name == NULL));
if (ent->mod_name)
CHECK(store_principal_xdr(context, sp, ent->mod_name));
CHECK(store_principal_xdr(contextp, sp, ent->mod_name));
CHECK(krb5_store_uint32(sp, ent->mod_date));
CHECK(krb5_store_uint32(sp, ent->attributes));
CHECK(krb5_store_uint32(sp, ent->kvno));
@@ -443,7 +443,7 @@ store_principal_ent(krb5_context context,
}
static int
ret_principal_ent(krb5_context context,
ret_principal_ent(krb5_context contextp,
krb5_storage *sp,
kadm5_principal_ent_rec *ent)
{
@@ -452,7 +452,7 @@ ret_principal_ent(krb5_context context,
memset(ent, 0, sizeof(*ent));
CHECK(ret_principal_xdr(context, sp, &ent->principal));
CHECK(ret_principal_xdr(contextp, sp, &ent->principal));
CHECK(krb5_ret_uint32(sp, &flag));
ent->princ_expire_time = flag;
CHECK(krb5_ret_uint32(sp, &flag));
@@ -463,7 +463,7 @@ ret_principal_ent(krb5_context context,
ent->max_life = flag;
CHECK(krb5_ret_uint32(sp, &flag));
if (flag == 0)
ret_principal_xdr(context, sp, &ent->mod_name);
ret_principal_xdr(contextp, sp, &ent->mod_name);
CHECK(krb5_ret_uint32(sp, &flag));
ent->mod_date = flag;
CHECK(krb5_ret_uint32(sp, &flag));
@@ -508,13 +508,13 @@ ret_principal_ent(krb5_context context,
count++;
}
INSIST(ent->n_tl_data == count);
INSIST((size_t)ent->n_tl_data == count);
} else {
INSIST(ent->n_tl_data == 0);
}
CHECK(krb5_ret_uint32(sp, &num));
INSIST(num == ent->n_key_data);
INSIST(num == (uint32_t)ent->n_key_data);
ent->key_data = calloc(num, sizeof(ent->key_data[0]));
INSIST(ent->key_data != NULL);
@@ -538,7 +538,7 @@ ret_principal_ent(krb5_context context,
*/
static void
proc_create_principal(kadm5_server_context *context,
proc_create_principal(kadm5_server_context *contextp,
krb5_storage *in,
krb5_storage *out)
{
@@ -551,30 +551,30 @@ proc_create_principal(kadm5_server_context *context,
CHECK(krb5_ret_uint32(in, &version));
INSIST(version == VERSION2);
CHECK(ret_principal_ent(context->context, in, &ent));
CHECK(ret_principal_ent(contextp->context, in, &ent));
CHECK(krb5_ret_uint32(in, &mask));
CHECK(ret_string_xdr(in, &password));
INSIST(ent.principal);
ret = _kadm5_acl_check_permission(context, KADM5_PRIV_ADD, ent.principal);
ret = _kadm5_acl_check_permission(contextp, KADM5_PRIV_ADD, ent.principal);
if (ret)
goto fail;
ret = kadm5_create_principal(context, &ent, mask, password);
ret = kadm5_create_principal(contextp, &ent, mask, password);
fail:
krb5_warn(context->context, ret, "create principal");
krb5_warn(contextp->context, ret, "create principal");
CHECK(krb5_store_uint32(out, VERSION2)); /* api version */
CHECK(krb5_store_uint32(out, ret)); /* code */
free(password);
kadm5_free_principal_ent(context, &ent);
kadm5_free_principal_ent(contextp, &ent);
}
static void
proc_delete_principal(kadm5_server_context *context,
proc_delete_principal(kadm5_server_context *contextp,
krb5_storage *in,
krb5_storage *out)
{
@@ -584,24 +584,24 @@ proc_delete_principal(kadm5_server_context *context,
CHECK(krb5_ret_uint32(in, &version));
INSIST(version == VERSION2);
CHECK(ret_principal_xdr(context->context, in, &princ));
CHECK(ret_principal_xdr(contextp->context, in, &princ));
ret = _kadm5_acl_check_permission(context, KADM5_PRIV_DELETE, princ);
ret = _kadm5_acl_check_permission(contextp, KADM5_PRIV_DELETE, princ);
if (ret)
goto fail;
ret = kadm5_delete_principal(context, princ);
ret = kadm5_delete_principal(contextp, princ);
fail:
krb5_warn(context->context, ret, "delete principal");
krb5_warn(contextp->context, ret, "delete principal");
CHECK(krb5_store_uint32(out, VERSION2)); /* api version */
CHECK(krb5_store_uint32(out, ret)); /* code */
krb5_free_principal(context->context, princ);
krb5_free_principal(contextp->context, princ);
}
static void
proc_get_principal(kadm5_server_context *context,
proc_get_principal(kadm5_server_context *contextp,
krb5_storage *in,
krb5_storage *out)
{
@@ -614,29 +614,29 @@ proc_get_principal(kadm5_server_context *context,
CHECK(krb5_ret_uint32(in, &version));
INSIST(version == VERSION2);
CHECK(ret_principal_xdr(context->context, in, &princ));
CHECK(ret_principal_xdr(contextp->context, in, &princ));
CHECK(krb5_ret_uint32(in, &mask));
ret = _kadm5_acl_check_permission(context, KADM5_PRIV_GET, princ);
ret = _kadm5_acl_check_permission(contextp, KADM5_PRIV_GET, princ);
if(ret)
goto fail;
ret = kadm5_get_principal(context, princ, &ent, mask);
ret = kadm5_get_principal(contextp, princ, &ent, mask);
fail:
krb5_warn(context->context, ret, "get principal principal");
krb5_warn(contextp->context, ret, "get principal principal");
CHECK(krb5_store_uint32(out, VERSION2)); /* api version */
CHECK(krb5_store_uint32(out, ret)); /* code */
if (ret == 0) {
CHECK(store_principal_ent(context->context, out, &ent));
CHECK(store_principal_ent(contextp->context, out, &ent));
}
krb5_free_principal(context->context, princ);
kadm5_free_principal_ent(context, &ent);
krb5_free_principal(contextp->context, princ);
kadm5_free_principal_ent(contextp, &ent);
}
static void
proc_chrand_principal_v2(kadm5_server_context *context,
proc_chrand_principal_v2(kadm5_server_context *contextp,
krb5_storage *in,
krb5_storage *out)
{
@@ -648,36 +648,36 @@ proc_chrand_principal_v2(kadm5_server_context *context,
CHECK(krb5_ret_uint32(in, &version));
INSIST(version == VERSION2);
CHECK(ret_principal_xdr(context->context, in, &princ));
CHECK(ret_principal_xdr(contextp->context, in, &princ));
ret = _kadm5_acl_check_permission(context, KADM5_PRIV_CPW, princ);
ret = _kadm5_acl_check_permission(contextp, KADM5_PRIV_CPW, princ);
if(ret)
goto fail;
ret = kadm5_randkey_principal(context, princ,
ret = kadm5_randkey_principal(contextp, princ,
&new_keys, &n_keys);
fail:
krb5_warn(context->context, ret, "rand key principal");
krb5_warn(contextp->context, ret, "rand key principal");
CHECK(krb5_store_uint32(out, VERSION2)); /* api version */
CHECK(krb5_store_uint32(out, ret));
if (ret == 0) {
size_t i;
int i;
CHECK(krb5_store_int32(out, n_keys));
for(i = 0; i < n_keys; i++){
CHECK(krb5_store_uint32(out, new_keys[i].keytype));
CHECK(store_data_xdr(out, new_keys[i].keyvalue));
krb5_free_keyblock_contents(context->context, &new_keys[i]);
krb5_free_keyblock_contents(contextp->context, &new_keys[i]);
}
free(new_keys);
}
krb5_free_principal(context->context, princ);
krb5_free_principal(contextp->context, princ);
}
static void
proc_init(kadm5_server_context *context,
proc_init(kadm5_server_context *contextp,
krb5_storage *in,
krb5_storage *out)
{
@@ -687,7 +687,7 @@ proc_init(kadm5_server_context *context,
}
struct krb5_proc {
char *name;
const char *name;
void (*func)(kadm5_server_context *, krb5_storage *, krb5_storage *);
} procs[] = {
{ "NULL", NULL },
@@ -723,7 +723,7 @@ copyheader(krb5_storage *sp, krb5_data *data)
off = krb5_storage_seek(sp, 0, SEEK_CUR);
CHECK(krb5_data_alloc(data, off));
INSIST(off == data->length);
INSIST((size_t)off == data->length);
krb5_storage_seek(sp, 0, SEEK_SET);
sret = krb5_storage_read(sp, data->data, data->length);
INSIST(sret == off);
@@ -741,7 +741,7 @@ struct gctx {
};
static int
process_stream(krb5_context context,
process_stream(krb5_context contextp,
unsigned char *buf, size_t ilen,
krb5_storage *sp)
{
@@ -792,7 +792,7 @@ process_stream(krb5_context context,
if (ilen < 4) {
memcpy(tmp, buf, ilen);
slen = krb5_storage_read(sp, tmp + ilen, sizeof(tmp) - ilen);
INSIST(slen == sizeof(tmp) - ilen);
INSIST((size_t)slen == sizeof(tmp) - ilen);
ilen = sizeof(tmp);
buf = tmp;
@@ -809,12 +809,12 @@ process_stream(krb5_context context,
if (ilen) {
if (len < ilen) {
slen = krb5_storage_write(msg, buf, len);
INSIST(slen == len);
INSIST((size_t)slen == len);
ilen -= len;
len = 0;
} else {
slen = krb5_storage_write(msg, buf, ilen);
INSIST(slen == ilen);
INSIST((size_t)slen == ilen);
len -= ilen;
}
}
@@ -824,14 +824,14 @@ process_stream(krb5_context context,
if (!last_fragment) {
ret = collect_framents(sp, msg);
if (ret == HEIM_ERR_EOF)
krb5_errx(context, 0, "client disconnected");
krb5_errx(contextp, 0, "client disconnected");
INSIST(ret == 0);
}
} else {
ret = collect_framents(sp, msg);
if (ret == HEIM_ERR_EOF)
krb5_errx(context, 0, "client disconnected");
krb5_errx(contextp, 0, "client disconnected");
INSIST(ret == 0);
}
krb5_storage_seek(msg, 0, SEEK_SET);
@@ -873,7 +873,7 @@ process_stream(krb5_context context,
krb5_data data;
int conf_state;
uint32_t seq;
krb5_storage *sp;
krb5_storage *sp1;
INSIST(gcred.service == rpg_privacy);
@@ -892,10 +892,10 @@ process_stream(krb5_context context,
INSIST(maj_stat == GSS_S_COMPLETE);
INSIST(conf_state != 0);
sp = krb5_storage_from_mem(gout.value, gout.length);
INSIST(sp != NULL);
sp1 = krb5_storage_from_mem(gout.value, gout.length);
INSIST(sp1 != NULL);
CHECK(krb5_ret_uint32(sp, &seq));
CHECK(krb5_ret_uint32(sp1, &seq));
INSIST (seq == gcred.seq_num);
/*
@@ -905,19 +905,19 @@ process_stream(krb5_context context,
gctx.seq_num = seq;
/*
* If context is setup, priv data have the seq_num stored
* If contextp is setup, priv data have the seq_num stored
* first in the block, so add it here before users data is
* added.
*/
CHECK(krb5_store_uint32(dreply, gctx.seq_num));
if (chdr.proc >= sizeof(procs)/sizeof(procs[0])) {
krb5_warnx(context, "proc number out of array");
krb5_warnx(contextp, "proc number out of array");
} else if (procs[chdr.proc].func == NULL) {
krb5_warnx(context, "proc '%s' never implemented",
krb5_warnx(contextp, "proc '%s' never implemented",
procs[chdr.proc].name);
} else {
krb5_warnx(context, "proc %s", procs[chdr.proc].name);
krb5_warnx(contextp, "proc %s", procs[chdr.proc].name);
INSIST(server_handle != NULL);
(*procs[chdr.proc].func)(server_handle, sp, dreply);
}
@@ -957,29 +957,29 @@ process_stream(krb5_context context,
NULL,
NULL);
if (GSS_ERROR(maj_stat)) {
gss_print_errors(context, maj_stat, min_stat);
krb5_errx(context, 1, "gss error, exit");
gss_print_errors(contextp, maj_stat, min_stat);
krb5_errx(contextp, 1, "gss error, exit");
}
if ((maj_stat & GSS_S_CONTINUE_NEEDED) == 0) {
kadm5_config_params realm_params;
gss_buffer_desc buf;
gss_buffer_desc bufp;
char *client;
gctx.done = 1;
memset(&realm_params, 0, sizeof(realm_params));
maj_stat = gss_export_name(&min_stat, src_name, &buf);
maj_stat = gss_export_name(&min_stat, src_name, &bufp);
INSIST(maj_stat == GSS_S_COMPLETE);
CHECK(parse_name(buf.value, buf.length,
CHECK(parse_name(bufp.value, bufp.length,
GSS_KRB5_MECHANISM, &client));
gss_release_buffer(&min_stat, &buf);
gss_release_buffer(&min_stat, &bufp);
krb5_warnx(context, "%s connected", client);
krb5_warnx(contextp, "%s connected", client);
ret = kadm5_s_init_with_password_ctx(context,
ret = kadm5_s_init_with_password_ctx(contextp,
client,
NULL,
KADM5_ADMIN_SERVICE,
@@ -1002,9 +1002,9 @@ process_stream(krb5_context context,
break;
}
case RPG_DESTROY:
krb5_errx(context, 1, "client destroyed gss context");
krb5_errx(contextp, 1, "client destroyed gss contextp");
default:
krb5_errx(context, 1, "client sent unknown gsscode %d",
krb5_errx(contextp, 1, "client sent unknown gsscode %d",
(int)gcred.proc);
}
@@ -1026,7 +1026,7 @@ process_stream(krb5_context context,
CHECK(krb5_store_uint32(reply, 0)); /* SUCCESS */
CHECK(krb5_storage_to_data(dreply, &data));
INSIST(krb5_storage_write(reply, data.data, data.length) == data.length);
INSIST((size_t)krb5_storage_write(reply, data.data, data.length) == data.length);
krb5_data_free(&data);
} else {
@@ -1054,7 +1054,7 @@ process_stream(krb5_context context,
ssize_t sret;
gctx.inprogress = 0;
sret = krb5_storage_write(reply, data.data, data.length);
INSIST(sret == data.length);
INSIST((size_t)sret == data.length);
krb5_data_free(&data);
} else {
int conf_state;
@@ -1082,7 +1082,7 @@ process_stream(krb5_context context,
CHECK(krb5_storage_to_data(reply, &data));
CHECK(krb5_store_uint32(sp, data.length | LAST_FRAGMENT));
sret = krb5_storage_write(sp, data.data, data.length);
INSIST(sret == data.length);
INSIST((size_t)sret == data.length);
krb5_data_free(&data);
}
@@ -1091,16 +1091,16 @@ process_stream(krb5_context context,
int
handle_mit(krb5_context context, void *buf, size_t len, krb5_socket_t sock)
handle_mit(krb5_context contextp, void *buf, size_t len, krb5_socket_t sock)
{
krb5_storage *sp;
dcontext = context;
dcontext = contextp;
sp = krb5_storage_from_fd(sock);
INSIST(sp != NULL);
process_stream(context, buf, len, sp);
process_stream(contextp, buf, len, sp);
return 0;
}


@@ -35,14 +35,14 @@
#include <krb5-private.h>
static kadm5_ret_t
kadmind_dispatch(void *kadm_handle, krb5_boolean initial,
kadmind_dispatch(void *kadm_handlep, krb5_boolean initial,
krb5_data *in, krb5_data *out)
{
kadm5_ret_t ret;
int32_t cmd, mask, tmp;
kadm5_server_context *context = kadm_handle;
kadm5_server_context *contextp = kadm_handlep;
char client[128], name[128], name2[128];
char *op = "";
const char *op = "";
krb5_principal princ, princ2;
kadm5_principal_ent_rec ent;
char *password, *expression;
@@ -52,12 +52,12 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial,
int n_princs;
krb5_storage *sp;
krb5_unparse_name_fixed(context->context, context->caller,
krb5_unparse_name_fixed(contextp->context, contextp->caller,
client, sizeof(client));
sp = krb5_storage_from_data(in);
if (sp == NULL)
krb5_errx(context->context, 1, "out of memory");
krb5_errx(contextp->context, 1, "out of memory");
krb5_ret_int32(sp, &cmd);
switch(cmd){
@@ -68,26 +68,26 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial,
goto fail;
ret = krb5_ret_int32(sp, &mask);
if(ret){
krb5_free_principal(context->context, princ);
krb5_free_principal(contextp->context, princ);
goto fail;
}
mask |= KADM5_PRINCIPAL;
krb5_unparse_name_fixed(context->context, princ, name, sizeof(name));
krb5_warnx(context->context, "%s: %s %s", client, op, name);
ret = _kadm5_acl_check_permission(context, KADM5_PRIV_GET, princ);
krb5_unparse_name_fixed(contextp->context, princ, name, sizeof(name));
krb5_warnx(contextp->context, "%s: %s %s", client, op, name);
ret = _kadm5_acl_check_permission(contextp, KADM5_PRIV_GET, princ);
if(ret){
krb5_free_principal(context->context, princ);
krb5_free_principal(contextp->context, princ);
goto fail;
}
ret = kadm5_get_principal(kadm_handle, princ, &ent, mask);
ret = kadm5_get_principal(kadm_handlep, princ, &ent, mask);
krb5_storage_free(sp);
sp = krb5_storage_emem();
krb5_store_int32(sp, ret);
if(ret == 0){
kadm5_store_principal_ent(sp, &ent);
kadm5_free_principal_ent(kadm_handle, &ent);
kadm5_free_principal_ent(kadm_handlep, &ent);
}
krb5_free_principal(context->context, princ);
krb5_free_principal(contextp->context, princ);
break;
}
case kadm_delete:{
@@ -95,15 +95,15 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial,
ret = krb5_ret_principal(sp, &princ);
if(ret)
goto fail;
krb5_unparse_name_fixed(context->context, princ, name, sizeof(name));
krb5_warnx(context->context, "%s: %s %s", client, op, name);
ret = _kadm5_acl_check_permission(context, KADM5_PRIV_DELETE, princ);
krb5_unparse_name_fixed(contextp->context, princ, name, sizeof(name));
krb5_warnx(contextp->context, "%s: %s %s", client, op, name);
ret = _kadm5_acl_check_permission(contextp, KADM5_PRIV_DELETE, princ);
if(ret){
krb5_free_principal(context->context, princ);
krb5_free_principal(contextp->context, princ);
goto fail;
}
ret = kadm5_delete_principal(kadm_handle, princ);
krb5_free_principal(context->context, princ);
ret = kadm5_delete_principal(kadm_handlep, princ);
krb5_free_principal(contextp->context, princ);
krb5_storage_free(sp);
sp = krb5_storage_emem();
krb5_store_int32(sp, ret);
@@ -116,28 +116,28 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial,
goto fail;
ret = krb5_ret_int32(sp, &mask);
if(ret){
kadm5_free_principal_ent(context->context, &ent);
kadm5_free_principal_ent(contextp->context, &ent);
goto fail;
}
ret = krb5_ret_string(sp, &password);
if(ret){
kadm5_free_principal_ent(context->context, &ent);
kadm5_free_principal_ent(contextp->context, &ent);
goto fail;
}
krb5_unparse_name_fixed(context->context, ent.principal,
krb5_unparse_name_fixed(contextp->context, ent.principal,
name, sizeof(name));
krb5_warnx(context->context, "%s: %s %s", client, op, name);
ret = _kadm5_acl_check_permission(context, KADM5_PRIV_ADD,
krb5_warnx(contextp->context, "%s: %s %s", client, op, name);
ret = _kadm5_acl_check_permission(contextp, KADM5_PRIV_ADD,
ent.principal);
if(ret){
kadm5_free_principal_ent(context->context, &ent);
kadm5_free_principal_ent(contextp->context, &ent);
memset(password, 0, strlen(password));
free(password);
goto fail;
}
ret = kadm5_create_principal(kadm_handle, &ent,
ret = kadm5_create_principal(kadm_handlep, &ent,
mask, password);
kadm5_free_principal_ent(kadm_handle, &ent);
kadm5_free_principal_ent(kadm_handlep, &ent);
memset(password, 0, strlen(password));
free(password);
krb5_storage_free(sp);
@@ -152,20 +152,20 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial,
goto fail;
ret = krb5_ret_int32(sp, &mask);
if(ret){
kadm5_free_principal_ent(context, &ent);
kadm5_free_principal_ent(contextp, &ent);
goto fail;
}
krb5_unparse_name_fixed(context->context, ent.principal,
krb5_unparse_name_fixed(contextp->context, ent.principal,
name, sizeof(name));
krb5_warnx(context->context, "%s: %s %s", client, op, name);
ret = _kadm5_acl_check_permission(context, KADM5_PRIV_MODIFY,
krb5_warnx(contextp->context, "%s: %s %s", client, op, name);
ret = _kadm5_acl_check_permission(contextp, KADM5_PRIV_MODIFY,
ent.principal);
if(ret){
kadm5_free_principal_ent(context, &ent);
kadm5_free_principal_ent(contextp, &ent);
goto fail;
}
ret = kadm5_modify_principal(kadm_handle, &ent, mask);
kadm5_free_principal_ent(kadm_handle, &ent);
ret = kadm5_modify_principal(kadm_handlep, &ent, mask);
kadm5_free_principal_ent(kadm_handlep, &ent);
krb5_storage_free(sp);
sp = krb5_storage_emem();
krb5_store_int32(sp, ret);
@@ -178,27 +178,27 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial,
goto fail;
ret = krb5_ret_principal(sp, &princ2);
if(ret){
krb5_free_principal(context->context, princ);
krb5_free_principal(contextp->context, princ);
goto fail;
}
krb5_unparse_name_fixed(context->context, princ, name, sizeof(name));
krb5_unparse_name_fixed(context->context, princ2, name2, sizeof(name2));
krb5_warnx(context->context, "%s: %s %s -> %s",
krb5_unparse_name_fixed(contextp->context, princ, name, sizeof(name));
krb5_unparse_name_fixed(contextp->context, princ2, name2, sizeof(name2));
krb5_warnx(contextp->context, "%s: %s %s -> %s",
client, op, name, name2);
ret = _kadm5_acl_check_permission(context,
ret = _kadm5_acl_check_permission(contextp,
KADM5_PRIV_ADD,
princ2)
|| _kadm5_acl_check_permission(context,
|| _kadm5_acl_check_permission(contextp,
KADM5_PRIV_DELETE,
princ);
if(ret){
krb5_free_principal(context->context, princ);
krb5_free_principal(context->context, princ2);
krb5_free_principal(contextp->context, princ);
krb5_free_principal(contextp->context, princ2);
goto fail;
}
ret = kadm5_rename_principal(kadm_handle, princ, princ2);
krb5_free_principal(context->context, princ);
krb5_free_principal(context->context, princ2);
ret = kadm5_rename_principal(kadm_handlep, princ, princ2);
krb5_free_principal(contextp->context, princ);
krb5_free_principal(contextp->context, princ2);
krb5_storage_free(sp);
sp = krb5_storage_emem();
krb5_store_int32(sp, ret);
@@ -211,11 +211,11 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial,
goto fail;
ret = krb5_ret_string(sp, &password);
if(ret){
krb5_free_principal(context->context, princ);
krb5_free_principal(contextp->context, princ);
goto fail;
}
krb5_unparse_name_fixed(context->context, princ, name, sizeof(name));
krb5_warnx(context->context, "%s: %s %s", client, op, name);
krb5_unparse_name_fixed(contextp->context, princ, name, sizeof(name));
krb5_warnx(contextp->context, "%s: %s %s", client, op, name);
/*
* The change is allowed if at least one of:
@@ -227,7 +227,7 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial,
*/
if (initial
&& krb5_principal_compare (context->context, context->caller,
&& krb5_principal_compare (contextp->context, contextp->caller,
princ))
{
krb5_data pwd_data;
@@ -236,23 +236,23 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial,
pwd_data.data = password;
pwd_data.length = strlen(password);
pwd_reason = kadm5_check_password_quality (context->context,
pwd_reason = kadm5_check_password_quality (contextp->context,
princ, &pwd_data);
if (pwd_reason != NULL)
ret = KADM5_PASS_Q_DICT;
else
ret = 0;
} else
ret = _kadm5_acl_check_permission(context, KADM5_PRIV_CPW, princ);
ret = _kadm5_acl_check_permission(contextp, KADM5_PRIV_CPW, princ);
if(ret) {
krb5_free_principal(context->context, princ);
krb5_free_principal(contextp->context, princ);
memset(password, 0, strlen(password));
free(password);
goto fail;
}
ret = kadm5_chpass_principal(kadm_handle, princ, password);
krb5_free_principal(context->context, princ);
ret = kadm5_chpass_principal(kadm_handlep, princ, password);
krb5_free_principal(contextp->context, princ);
memset(password, 0, strlen(password));
free(password);
krb5_storage_free(sp);
@@ -271,21 +271,21 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial,
goto fail;
ret = krb5_ret_int32(sp, &n_key_data);
if (ret) {
krb5_free_principal(context->context, princ);
krb5_free_principal(contextp->context, princ);
goto fail;
}
/* n_key_data will be squeezed into an int16_t below. */
if (n_key_data < 0 || n_key_data >= 1 << 16 ||
n_key_data > UINT_MAX/sizeof(*key_data)) {
(size_t)n_key_data > UINT_MAX/sizeof(*key_data)) {
ret = ERANGE;
krb5_free_principal(context->context, princ);
krb5_free_principal(contextp->context, princ);
goto fail;
}
key_data = malloc (n_key_data * sizeof(*key_data));
if (key_data == NULL && n_key_data != 0) {
ret = ENOMEM;
krb5_free_principal(context->context, princ);
krb5_free_principal(contextp->context, princ);
goto fail;
}
@@ -294,38 +294,38 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial,
if (ret) {
int16_t dummy = i;
kadm5_free_key_data (context, &dummy, key_data);
kadm5_free_key_data (contextp, &dummy, key_data);
free (key_data);
krb5_free_principal(context->context, princ);
krb5_free_principal(contextp->context, princ);
goto fail;
}
}
krb5_unparse_name_fixed(context->context, princ, name, sizeof(name));
krb5_warnx(context->context, "%s: %s %s", client, op, name);
krb5_unparse_name_fixed(contextp->context, princ, name, sizeof(name));
krb5_warnx(contextp->context, "%s: %s %s", client, op, name);
/*
* The change is only allowed if the user is on the CPW ACL,
* this it to force password quality check on the user.
*/
ret = _kadm5_acl_check_permission(context, KADM5_PRIV_CPW, princ);
ret = _kadm5_acl_check_permission(contextp, KADM5_PRIV_CPW, princ);
if(ret) {
int16_t dummy = n_key_data;
kadm5_free_key_data (context, &dummy, key_data);
kadm5_free_key_data (contextp, &dummy, key_data);
free (key_data);
krb5_free_principal(context->context, princ);
krb5_free_principal(contextp->context, princ);
goto fail;
}
ret = kadm5_chpass_principal_with_key(kadm_handle, princ,
ret = kadm5_chpass_principal_with_key(kadm_handlep, princ,
n_key_data, key_data);
{
int16_t dummy = n_key_data;
kadm5_free_key_data (context, &dummy, key_data);
kadm5_free_key_data (contextp, &dummy, key_data);
}
free (key_data);
krb5_free_principal(context->context, princ);
krb5_free_principal(contextp->context, princ);
krb5_storage_free(sp);
sp = krb5_storage_emem();
krb5_store_int32(sp, ret);
@@ -336,8 +336,8 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial,
ret = krb5_ret_principal(sp, &princ);
if(ret)
goto fail;
krb5_unparse_name_fixed(context->context, princ, name, sizeof(name));
krb5_warnx(context->context, "%s: %s %s", client, op, name);
krb5_unparse_name_fixed(contextp->context, princ, name, sizeof(name));
krb5_warnx(contextp->context, "%s: %s %s", client, op, name);
/*
* The change is allowed if at least one of:
* a) it's for the principal him/herself and this was an initial ticket
@@ -345,19 +345,19 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial,
*/
if (initial
&& krb5_principal_compare (context->context, context->caller,
&& krb5_principal_compare (contextp->context, contextp->caller,
princ))
ret = 0;
else
ret = _kadm5_acl_check_permission(context, KADM5_PRIV_CPW, princ);
ret = _kadm5_acl_check_permission(contextp, KADM5_PRIV_CPW, princ);
if(ret) {
krb5_free_principal(context->context, princ);
krb5_free_principal(contextp->context, princ);
goto fail;
}
ret = kadm5_randkey_principal(kadm_handle, princ,
ret = kadm5_randkey_principal(kadm_handlep, princ,
&new_keys, &n_keys);
krb5_free_principal(context->context, princ);
krb5_free_principal(contextp->context, princ);
krb5_storage_free(sp);
sp = krb5_storage_emem();
krb5_store_int32(sp, ret);
@@ -366,7 +366,7 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial,
krb5_store_int32(sp, n_keys);
for(i = 0; i < n_keys; i++){
krb5_store_keyblock(sp, new_keys[i]);
krb5_free_keyblock_contents(context->context, &new_keys[i]);
krb5_free_keyblock_contents(contextp->context, &new_keys[i]);
}
free(new_keys);
}
@@ -374,7 +374,7 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial,
}
case kadm_get_privs:{
uint32_t privs;
ret = kadm5_get_privs(kadm_handle, &privs);
ret = kadm5_get_privs(kadm_handlep, &privs);
krb5_storage_free(sp);
sp = krb5_storage_emem();
krb5_store_int32(sp, ret);
@@ -393,14 +393,14 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial,
goto fail;
}else
expression = NULL;
krb5_warnx(context->context, "%s: %s %s", client, op,
krb5_warnx(contextp->context, "%s: %s %s", client, op,
expression ? expression : "*");
ret = _kadm5_acl_check_permission(context, KADM5_PRIV_LIST, NULL);
ret = _kadm5_acl_check_permission(contextp, KADM5_PRIV_LIST, NULL);
if(ret){
free(expression);
goto fail;
}
ret = kadm5_get_principals(kadm_handle, expression, &princs, &n_princs);
ret = kadm5_get_principals(kadm_handlep, expression, &princs, &n_princs);
free(expression);
krb5_storage_free(sp);
sp = krb5_storage_emem();
@@ -410,12 +410,12 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial,
krb5_store_int32(sp, n_princs);
for(i = 0; i < n_princs; i++)
krb5_store_string(sp, princs[i]);
kadm5_free_name_list(kadm_handle, princs, &n_princs);
kadm5_free_name_list(kadm_handlep, princs, &n_princs);
}
break;
}
default:
krb5_warnx(context->context, "%s: UNKNOWN OP %d", client, cmd);
krb5_warnx(contextp->context, "%s: UNKNOWN OP %d", client, cmd);
krb5_storage_free(sp);
sp = krb5_storage_emem();
krb5_store_int32(sp, KADM5_FAILURE);
@@ -425,7 +425,7 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial,
krb5_storage_free(sp);
return 0;
fail:
krb5_warn(context->context, ret, "%s", op);
krb5_warn(contextp->context, ret, "%s", op);
krb5_storage_seek(sp, 0, SEEK_SET);
krb5_store_int32(sp, ret);
krb5_storage_to_data(sp, out);
@@ -434,10 +434,10 @@ fail:
}
static void
v5_loop (krb5_context context,
v5_loop (krb5_context contextp,
krb5_auth_context ac,
krb5_boolean initial,
void *kadm_handle,
void *kadm_handlep,
krb5_socket_t fd)
{
krb5_error_code ret;
@@ -447,17 +447,17 @@ v5_loop (krb5_context context,
doing_useful_work = 0;
if(term_flag)
exit(0);
ret = krb5_read_priv_message(context, ac, &fd, &in);
ret = krb5_read_priv_message(contextp, ac, &fd, &in);
if(ret == HEIM_ERR_EOF)
exit(0);
if(ret)
krb5_err(context, 1, ret, "krb5_read_priv_message");
krb5_err(contextp, 1, ret, "krb5_read_priv_message");
doing_useful_work = 1;
kadmind_dispatch(kadm_handle, initial, &in, &out);
kadmind_dispatch(kadm_handlep, initial, &in, &out);
krb5_data_free(&in);
ret = krb5_write_priv_message(context, ac, &fd, &out);
ret = krb5_write_priv_message(contextp, ac, &fd, &out);
if(ret)
krb5_err(context, 1, ret, "krb5_write_priv_message");
krb5_err(contextp, 1, ret, "krb5_write_priv_message");
}
}
@@ -467,12 +467,13 @@ match_appl_version(const void *data, const char *appl_version)
unsigned minor;
if(sscanf(appl_version, "KADM0.%u", &minor) != 1)
return 0;
*(unsigned*)data = minor;
/*XXX*/
*(unsigned*)(intptr_t)data = minor;
return 1;
}
static void
handle_v5(krb5_context context,
handle_v5(krb5_context contextp,
krb5_keytab keytab,
krb5_socket_t fd)
{
@@ -480,29 +481,29 @@ handle_v5(krb5_context context,
krb5_ticket *ticket;
char *server_name;
char *client;
void *kadm_handle;
void *kadm_handlep;
krb5_boolean initial;
krb5_auth_context ac = NULL;
unsigned kadm_version;
kadm5_config_params realm_params;
ret = krb5_recvauth_match_version(context, &ac, &fd,
ret = krb5_recvauth_match_version(contextp, &ac, &fd,
match_appl_version, &kadm_version,
NULL, KRB5_RECVAUTH_IGNORE_VERSION,
keytab, &ticket);
if(ret == KRB5_KT_NOTFOUND)
krb5_errx(context, 1, "krb5_recvauth: key not found");
krb5_errx(contextp, 1, "krb5_recvauth: key not found");
if(ret)
krb5_err(context, 1, ret, "krb5_recvauth");
krb5_err(contextp, 1, ret, "krb5_recvauth");
ret = krb5_unparse_name (context, ticket->server, &server_name);
ret = krb5_unparse_name (contextp, ticket->server, &server_name);
if (ret)
krb5_err (context, 1, ret, "krb5_unparse_name");
krb5_err (contextp, 1, ret, "krb5_unparse_name");
if (strncmp (server_name, KADM5_ADMIN_SERVICE,
strlen(KADM5_ADMIN_SERVICE)) != 0)
krb5_errx (context, 1, "ticket for strange principal (%s)",
krb5_errx (contextp, 1, "ticket for strange principal (%s)",
server_name);
free (server_name);
@@ -511,31 +512,31 @@ handle_v5(krb5_context context,
if(kadm_version == 1) {
krb5_data params;
ret = krb5_read_priv_message(context, ac, &fd, &params);
ret = krb5_read_priv_message(contextp, ac, &fd, &params);
if(ret)
krb5_err(context, 1, ret, "krb5_read_priv_message");
_kadm5_unmarshal_params(context, &params, &realm_params);
krb5_err(contextp, 1, ret, "krb5_read_priv_message");
_kadm5_unmarshal_params(contextp, &params, &realm_params);
}
initial = ticket->ticket.flags.initial;
ret = krb5_unparse_name(context, ticket->client, &client);
ret = krb5_unparse_name(contextp, ticket->client, &client);
if (ret)
krb5_err (context, 1, ret, "krb5_unparse_name");
krb5_free_ticket (context, ticket);
ret = kadm5_s_init_with_password_ctx(context,
krb5_err (contextp, 1, ret, "krb5_unparse_name");
krb5_free_ticket (contextp, ticket);
ret = kadm5_s_init_with_password_ctx(contextp,
client,
NULL,
KADM5_ADMIN_SERVICE,
&realm_params,
0, 0,
&kadm_handle);
&kadm_handlep);
if(ret)
krb5_err (context, 1, ret, "kadm5_init_with_password_ctx");
v5_loop (context, ac, initial, kadm_handle, fd);
krb5_err (contextp, 1, ret, "kadm5_init_with_password_ctx");
v5_loop (contextp, ac, initial, kadm_handlep, fd);
}
krb5_error_code
kadmind_loop(krb5_context context,
kadmind_loop(krb5_context contextp,
krb5_keytab keytab,
krb5_socket_t sock)
{
@@ -543,30 +544,30 @@ kadmind_loop(krb5_context context,
ssize_t n;
unsigned long len;
n = krb5_net_read(context, &sock, buf, 4);
n = krb5_net_read(contextp, &sock, buf, 4);
if(n == 0)
exit(0);
if(n < 0)
krb5_err(context, 1, errno, "read");
krb5_err(contextp, 1, errno, "read");
_krb5_get_int(buf, &len, 4);
if (len == sizeof(KRB5_SENDAUTH_VERSION)) {
n = krb5_net_read(context, &sock, buf + 4, len);
n = krb5_net_read(contextp, &sock, buf + 4, len);
if (n < 0)
krb5_err (context, 1, errno, "reading sendauth version");
krb5_err (contextp, 1, errno, "reading sendauth version");
if (n == 0)
krb5_errx (context, 1, "EOF reading sendauth version");
krb5_errx (contextp, 1, "EOF reading sendauth version");
if(memcmp(buf + 4, KRB5_SENDAUTH_VERSION, len) == 0) {
handle_v5(context, keytab, sock);
handle_v5(contextp, keytab, sock);
return 0;
}
len += 4;
} else
len = 4;
handle_mit(context, buf, len, sock);
handle_mit(contextp, buf, len, sock);
return 0;
}
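Review bot: The `(intptr_t)` cast in match_appl_version (hunk `@@ -467,12 +467,13 @@`, whose signature lies before the hunk) only silences the discarded-qualifier warning; the function still writes through a pointer it received as `const void *`, and the new bare `/*XXX*/` does not tell the next reader why that is acceptable. It is acceptable only because the single visible caller, handle_v5, passes `&kadm_version`, a non-const `unsigned` local, so that contract belongs in the comment, e.g. `/* data is &kadm_version from handle_v5; the recvauth callback type forces const, which we drop here */`, and `uintptr_t` is the conventional integer type for such a pointer round-trip. Separately, in the `@@ -271,21 +271,21 @@` hunk (mid-function in kadmind_dispatch) the new `(size_t)n_key_data > UINT_MAX/sizeof(*key_data)` guard bounds a `malloc` size against `UINT_MAX` rather than `SIZE_MAX`; it is harmless because the preceding `n_key_data >= 1 << 16` test already dominates, but `SIZE_MAX/sizeof(*key_data)` would state the intent.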


@@ -65,7 +65,7 @@ struct units kdb_attrs[] = {
{ "disallow-tgt-based", KRB5_KDB_DISALLOW_TGT_BASED },
{ "disallow-forwardable", KRB5_KDB_DISALLOW_FORWARDABLE },
{ "disallow-postdated", KRB5_KDB_DISALLOW_POSTDATED },
{ NULL }
{ NULL, 0 }
};
/*
@@ -188,7 +188,7 @@ str2time_t (const char *str, time_t *t)
if (str[0] == '+') {
str++;
*t = parse_time(str, "month");
if (t < 0)
if (*t < 0)
return -1;
*t += time(NULL);
return 0;
@@ -430,7 +430,7 @@ edit_entry(kadm5_principal_ent_t ent, int *mask,
*/
int
set_entry(krb5_context context,
set_entry(krb5_context contextp,
kadm5_principal_ent_t ent,
int *mask,
const char *max_ticket_life,
@@ -442,14 +442,14 @@ set_entry(krb5_context context,
if (max_ticket_life != NULL) {
if (parse_deltat (max_ticket_life, &ent->max_life,
mask, KADM5_MAX_LIFE)) {
krb5_warnx (context, "unable to parse `%s'", max_ticket_life);
krb5_warnx (contextp, "unable to parse `%s'", max_ticket_life);
return 1;
}
}
if (max_renewable_life != NULL) {
if (parse_deltat (max_renewable_life, &ent->max_renewable_life,
mask, KADM5_MAX_RLIFE)) {
krb5_warnx (context, "unable to parse `%s'", max_renewable_life);
krb5_warnx (contextp, "unable to parse `%s'", max_renewable_life);
return 1;
}
}
@@ -457,21 +457,21 @@ set_entry(krb5_context context,
if (expiration) {
if (parse_timet (expiration, &ent->princ_expire_time,
mask, KADM5_PRINC_EXPIRE_TIME)) {
krb5_warnx (context, "unable to parse `%s'", expiration);
krb5_warnx (contextp, "unable to parse `%s'", expiration);
return 1;
}
}
if (pw_expiration) {
if (parse_timet (pw_expiration, &ent->pw_expiration,
mask, KADM5_PW_EXPIRATION)) {
krb5_warnx (context, "unable to parse `%s'", pw_expiration);
krb5_warnx (contextp, "unable to parse `%s'", pw_expiration);
return 1;
}
}
if (attributes != NULL) {
if (parse_attributes (attributes, &ent->attributes,
mask, KADM5_ATTRIBUTES)) {
krb5_warnx (context, "unable to parse `%s'", attributes);
krb5_warnx (contextp, "unable to parse `%s'", attributes);
return 1;
}
}
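Review bot: In str2time_t (hunk `@@ -188,7 +188,7 @@`, whose body begins before the hunk) the corrected `if (*t < 0)` now tests the value rather than the pointer, but `*t` is still assigned the raw parse_time result before validation, so on a parse failure the caller's `time_t` is left holding the negative sentinel instead of being untouched. Parsing into a local first keeps the output unwritten on error: `time_t v = parse_time(str, "month"); if (v < 0) return -1; *t = v + time(NULL);` (assuming parse_time returns a signed value, as the check implies).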


@@ -127,91 +127,42 @@ the ticket itself.
.Pp
Supported options:
.Bl -tag -width Ds
.It Xo
.Fl -cache-name= Ns Ar cachename
.Xc
.It Fl -cache-name= Ns Ar cachename
system cache name
.It Xo
.Fl c Ar file ,
.Fl -config-file= Ns Ar file
.Xc
.It Fl c Ar file , Fl -config-file= Ns Ar file
location of config file
.It Xo
.Fl g Ar group ,
.Fl -group= Ns Ar group
.Xc
.It Fl g Ar group , Fl -group= Ns Ar group
system cache group
.It Xo
.Fl -max-request= Ns Ar size
.Xc
.It Fl -max-request= Ns Ar size
max size for a kcm-request
.It Xo
.Fl -disallow-getting-krbtgt
.Xc
.It Fl -disallow-getting-krbtgt
disallow extracting any krbtgt from the
.Nm kcm
daemon.
.It Xo
.Fl -detach
.Xc
.It Fl -detach
detach from console
.It Xo
.Fl h ,
.Fl -help
.Xc
.It Xo
.Fl k Ar principal ,
.Fl -system-principal= Ns Ar principal
.Xc
.It Fl h , Fl -help
.It Fl k Ar principal , Fl -system-principal= Ns Ar principal
system principal name
.It Xo
.Fl l Ar time ,
.Fl -lifetime= Ns Ar time
.Xc
.It Fl l Ar time , Fl -lifetime= Ns Ar time
lifetime of system tickets
.It Xo
.Fl m Ar mode ,
.Fl -mode= Ns Ar mode
.Xc
.It Fl m Ar mode , Fl -mode= Ns Ar mode
octal mode of system cache
.It Xo
.Fl n ,
.Fl -no-name-constraints
.Xc
.It Fl n , Fl -no-name-constraints
disable credentials cache name constraints
.It Xo
.Fl r Ar time ,
.Fl -renewable-life= Ns Ar time
.Xc
.It Fl r Ar time , Fl -renewable-life= Ns Ar time
renewable lifetime of system tickets
.It Xo
.Fl s Ar path ,
.Fl -socket-path= Ns Ar path
.Xc
.It Fl s Ar path , Fl -socket-path= Ns Ar path
path to kcm domain socket
.It Xo
.Fl -door-path= Ns Ar path
.Xc
.It Fl -door-path= Ns Ar path
path to kcm door socket
.It Xo
.Fl S Ar principal ,
.Fl -server= Ns Ar principal
.Xc
.It Fl S Ar principal , Fl -server= Ns Ar principal
server to get system ticket for
.It Xo
.Fl t Ar keytab ,
.Fl -keytab= Ns Ar keytab
.Xc
.It Fl t Ar keytab , Fl -keytab= Ns Ar keytab
system keytab name
.It Xo
.Fl u Ar user ,
.Fl -user= Ns Ar user
.Xc
.It Fl u Ar user , Fl -user= Ns Ar user
system cache owner
.It Xo
.Fl v ,
.Fl -version
.Xc
.It Fl v , Fl -version
.El
.\".Sh ENVIRONMENT
.\".Sh FILES


@@ -115,7 +115,8 @@ kdc_CFLAGS = $(CAPNG_CFLAGS)
digest_service_LDADD = \
libkdc.la \
../lib/ipc/libheim-ipcs.la \
$(top_builddir)/lib/ntlm/libheimntlm.la \
$(top_builddir)/lib/ipc/libheim-ipcs.la \
$(LDADD) $(LIB_pidfile)
kdc_replay_LDADD = libkdc.la $(LDADD) $(LIB_pidfile)


@@ -50,10 +50,6 @@ static int require_preauth = -1; /* 1 == require preauth for all principals */
static char *max_request_str; /* `max_request' as a string */
static int disable_des = -1;
static int enable_v4 = -1;
static int enable_kaserver = -1;
static int enable_524 = -1;
static int enable_v4_cross_realm = -1;
static int builtin_hdb_flag;
static int help_flag;
@@ -61,8 +57,6 @@ static int version_flag;
static struct getarg_strings addresses_str; /* addresses to listen on */
static char *v4_realm;
char *runas_string;
char *chroot_string;
@@ -74,31 +68,14 @@ static struct getargs args[] = {
},
{
"require-preauth", 'p', arg_negative_flag, &require_preauth,
"don't require pa-data in as-reqs"
"don't require pa-data in as-reqs", NULL
},
{
"max-request", 0, arg_string, &max_request_str,
"max size for a kdc-request", "size"
},
{ "enable-http", 'H', arg_flag, &enable_http, "turn on HTTP support" },
{ "524", 0, arg_negative_flag, &enable_524,
"don't respond to 524 requests"
},
{
"kaserver", 'K', arg_flag, &enable_kaserver,
"enable kaserver support"
},
{ "kerberos4", 0, arg_flag, &enable_v4,
"respond to kerberos 4 requests"
},
{
"v4-realm", 'r', arg_string, &v4_realm,
"realm to serve v4-requests for"
},
{ "kerberos4-cross-realm", 0, arg_flag,
&enable_v4_cross_realm,
"respond to kerberos 4 requests from foreign realms"
},
{ "enable-http", 'H', arg_flag, &enable_http, "turn on HTTP support",
NULL },
{ "ports", 'P', arg_string, rk_UNCONST(&port_str),
"ports to listen to", "portspec"
},
@@ -106,29 +83,29 @@ static struct getargs args[] = {
#if DETACH_IS_DEFAULT
{
"detach", 'D', arg_negative_flag, &detach_from_console,
"don't detach from console"
"don't detach from console", NULL
},
#else
{
"detach", 0 , arg_flag, &detach_from_console,
"detach from console"
"detach from console", NULL
},
#endif
#endif
{ "addresses", 0, arg_strings, &addresses_str,
"addresses to listen on", "list of addresses" },
{ "disable-des", 0, arg_flag, &disable_des,
"disable DES" },
"disable DES", NULL },
{ "builtin-hdb", 0, arg_flag, &builtin_hdb_flag,
"list builtin hdb backends"},
"list builtin hdb backends", NULL},
{ "runas-user", 0, arg_string, &runas_string,
"run as this user when connected to network"
"run as this user when connected to network", NULL
},
{ "chroot", 0, arg_string, &chroot_string,
"chroot directory to run in"
"chroot directory to run in", NULL
},
{ "help", 'h', arg_flag, &help_flag },
{ "version", 'v', arg_flag, &version_flag }
{ "help", 'h', arg_flag, &help_flag, NULL, NULL },
{ "version", 'v', arg_flag, &version_flag, NULL, NULL }
};
static int num_args = sizeof(args) / sizeof(args[0]);
@@ -261,15 +238,6 @@ configure(krb5_context context, int argc, char **argv)
}
}
if(enable_v4 != -1)
config->enable_v4 = enable_v4;
if(enable_v4_cross_realm != -1)
config->enable_v4_cross_realm = enable_v4_cross_realm;
if(enable_524 != -1)
config->enable_524 = enable_524;
if(enable_http == -1)
enable_http = krb5_config_get_bool(context, NULL, "kdc",
"enable-http", NULL);
@@ -285,9 +253,6 @@ configure(krb5_context context, int argc, char **argv)
krb5_errx(context, 1, "enforce-transited-policy deprecated, "
"use [kdc]transited-policy instead");
if (enable_kaserver != -1)
config->enable_kaserver = enable_kaserver;
#ifdef SUPPORT_DETACH
if(detach_from_console == -1)
detach_from_console = krb5_config_get_bool_default(context, NULL,
@@ -304,12 +269,6 @@ configure(krb5_context context, int argc, char **argv)
if (port_str == NULL)
port_str = "+";
if (v4_realm)
config->v4_realm = v4_realm;
if(config->v4_realm == NULL && (config->enable_kaserver || config->enable_v4))
krb5_errx(context, 1, "Kerberos 4 enabled but no realm configured");
if(disable_des == -1)
disable_des = krb5_config_get_bool_default(context, NULL,
FALSE,
@@ -322,13 +281,6 @@ configure(krb5_context context, int argc, char **argv)
krb5_enctype_disable(context, ETYPE_DES_CBC_NONE);
krb5_enctype_disable(context, ETYPE_DES_CFB64_NONE);
krb5_enctype_disable(context, ETYPE_DES_PCBC_NONE);
kdc_log(context, config,
0, "DES was disabled, turned off Kerberos V4, 524 "
"and kaserver");
config->enable_v4 = 0;
config->enable_524 = 0;
config->enable_kaserver = 0;
}
krb5_kdc_windc_init(context);
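Review bot: Removing `--524`, `--kerberos4`, `--kerberos4-cross-realm`, `-r`/`--v4-realm` and `-K`/`--kaserver` from `args[]` here leaves the accompanying kdc.8 page in this same change still documenting every one of them, so getarg will now reject flags the manual advertises and any startup script passing them fails outright; either drop the entries from the man page in the same commit or keep the flags as deprecated no-ops that log a warning. Relatedly, `krb5_kdc_configuration` keeps its `char *v4_realm` member while both assignments visible in this change (the `-r` handling in configure() and the `[kdc]v4-realm` lookup in default_config.c) are deleted, so the field is presumably always NULL now and deserves either removal or a `/* retained for ABI, never set */` comment. With the V4/524/kaserver consumers gone, single DES remaining enabled unless `disable-des` is set also loses its main justification and is worth revisiting in a follow-up. configure() begins outside this hunk.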


@@ -60,7 +60,7 @@ struct port_desc{
/* the current ones */
static struct port_desc *ports;
static int num_ports;
static size_t num_ports;
/*
* add `family, port, protocol' to the list with duplicate suppresion.
@@ -71,7 +71,7 @@ add_port(krb5_context context,
int family, int port, const char *protocol)
{
int type;
int i;
size_t i;
if(strcmp(protocol, "udp") == 0)
type = SOCK_DGRAM;
@@ -148,16 +148,6 @@ add_standard_ports (krb5_context context,
add_port_service(context, family, "kerberos-sec", 88, "tcp");
if(enable_http)
add_port_service(context, family, "http", 80, "tcp");
if(config->enable_524) {
add_port_service(context, family, "krb524", 4444, "udp");
add_port_service(context, family, "krb524", 4444, "tcp");
}
if(config->enable_v4) {
add_port_service(context, family, "kerberos-iv", 750, "udp");
add_port_service(context, family, "kerberos-iv", 750, "tcp");
}
if (config->enable_kaserver)
add_port_service(context, family, "afs3-kaserver", 7004, "udp");
if(config->enable_kx509) {
add_port_service(context, family, "kca_service", 9878, "udp");
add_port_service(context, family, "kca_service", 9878, "tcp");
@@ -324,7 +314,7 @@ init_sockets(krb5_context context,
struct descr **desc)
{
krb5_error_code ret;
int i, j;
size_t i, j;
struct descr *d;
int num = 0;
krb5_addresses addresses;
@@ -478,7 +468,7 @@ handle_udp(krb5_context context,
struct descr *d)
{
unsigned char *buf;
int n;
ssize_t n;
buf = malloc(max_request_udp);
if(buf == NULL){
@@ -493,7 +483,7 @@ handle_udp(krb5_context context,
else {
addr_to_string (context, d->sa, d->sock_len,
d->addr_string, sizeof(d->addr_string));
if (n == max_request_udp) {
if ((size_t)n == max_request_udp) {
krb5_data data;
krb5_warn(context, errno,
"recvfrom: truncated packet from %s, asking for TCP",
@@ -754,7 +744,7 @@ handle_http_tcp (krb5_context context,
return -1;
}
}
if (len > d->len)
if ((size_t)len > d->len)
len = d->len;
memcpy(d->buf, data, len);
d->len = len;
@@ -864,7 +854,7 @@ loop(krb5_context context,
fd_set fds;
int min_free = -1;
int max_fd = 0;
int i;
size_t i;
FD_ZERO(&fds);
for(i = 0; i < ndescr; i++) {
@@ -886,7 +876,7 @@ loop(krb5_context context,
#endif
#endif
FD_SET(d[i].s, &fds);
} else if(min_free < 0 || i < min_free)
} else if(min_free < 0 || i < (size_t)min_free)
min_free = i;
}
if(min_free == -1){


@@ -55,10 +55,6 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
c->allow_null_ticket_addresses = TRUE;
c->allow_anonymous = FALSE;
c->trpolicy = TRPOLICY_ALWAYS_CHECK;
c->enable_v4 = FALSE;
c->enable_kaserver = FALSE;
c->enable_524 = FALSE;
c->enable_v4_cross_realm = FALSE;
c->enable_pkinit = FALSE;
c->pkinit_princ_in_cert = TRUE;
c->pkinit_require_binding = TRUE;
@@ -70,19 +66,6 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
krb5_config_get_bool_default(context, NULL,
c->require_preauth,
"kdc", "require-preauth", NULL);
c->enable_v4 =
krb5_config_get_bool_default(context, NULL,
c->enable_v4,
"kdc", "enable-kerberos4", NULL);
c->enable_v4_cross_realm =
krb5_config_get_bool_default(context, NULL,
c->enable_v4_cross_realm,
"kdc",
"enable-kerberos4-cross-realm", NULL);
c->enable_524 =
krb5_config_get_bool_default(context, NULL,
c->enable_v4,
"kdc", "enable-524", NULL);
#ifdef DIGEST
c->enable_digest =
krb5_config_get_bool_default(context, NULL,
@@ -180,28 +163,6 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
}
}
{
const char *p;
p = krb5_config_get_string (context, NULL,
"kdc",
"v4-realm",
NULL);
if(p != NULL) {
c->v4_realm = strdup(p);
if (c->v4_realm == NULL)
krb5_errx(context, 1, "out of memory");
} else {
c->v4_realm = NULL;
}
}
c->enable_kaserver =
krb5_config_get_bool_default(context,
NULL,
c->enable_kaserver,
"kdc", "enable-kaserver", NULL);
c->encode_as_rep_as_tgs_rep =
krb5_config_get_bool_default(context, NULL,
c->encode_as_rep_as_tgs_rep,


@@ -63,7 +63,7 @@ ntlm_service(void *ctx, const heim_idata *req,
NTLMReply ntp;
size_t size;
int ret;
char *domain;
const char *domain;
kdc_log(context, config, 1, "digest-request: uid=%d",
(int)heim_ipc_cred_get_uid(cred));
@@ -184,13 +184,13 @@ ntlm_service(void *ctx, const heim_idata *req,
free(answer.data);
{
EVP_MD_CTX *ctx;
EVP_MD_CTX *ctxp;
ctx = EVP_MD_CTX_create();
EVP_DigestInit_ex(ctx, EVP_md4(), NULL);
EVP_DigestUpdate(ctx, key->key.keyvalue.data, key->key.keyvalue.length);
EVP_DigestFinal_ex(ctx, sessionkey, NULL);
EVP_MD_CTX_destroy(ctx);
ctxp = EVP_MD_CTX_create();
EVP_DigestInit_ex(ctxp, EVP_md4(), NULL);
EVP_DigestUpdate(ctxp, key->key.keyvalue.data, key->key.keyvalue.length);
EVP_DigestFinal_ex(ctxp, sessionkey, NULL);
EVP_MD_CTX_destroy(ctxp);
}
}
@@ -218,8 +218,8 @@ static int help_flag;
static int version_flag;
static struct getargs args[] = {
{ "help", 'h', arg_flag, &help_flag },
{ "version", 'v', arg_flag, &version_flag }
{ "help", 'h', arg_flag, &help_flag, NULL, NULL },
{ "version", 'v', arg_flag, &version_flag, NULL, NULL }
};
static int num_args = sizeof(args) / sizeof(args[0]);
@@ -272,6 +272,10 @@ main(int argc, char **argv)
heim_sipc_timeout(60);
}
#endif
{
heim_sipc un;
heim_sipc_service_unix("org.h5l.ntlm-service", ntlm_service, NULL, &un);
}
heim_ipc_main();
return 0;
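Review bot: The new `heim_sipc_service_unix("org.h5l.ntlm-service", ntlm_service, NULL, &un);` discards its result, so if the Unix-domain listener cannot be set up (path in use, permission denied, ENOMEM) the process still enters `heim_ipc_main()` and runs with the service silently absent or only on whatever the `#ifdef` block above registered. Assuming it reports failure like the other heim_ipc entry points, check it: `ret = heim_sipc_service_unix(...); if (ret) errx(1, "heim_sipc_service_unix failed: %d", ret);`. Since ntlm_service derives an NTLM session key from the account key (the MD4 block earlier in this file) for whichever uid it logs via `heim_ipc_cred_get_uid`, a comment stating what restricts access to this socket would also help; that policy is not visible from this hunk. main() begins outside the hunk.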


@@ -257,7 +257,7 @@ _kdc_do_digest(krb5_context context,
/* check the server principal in the ticket matches digest/R@R */
{
krb5_principal principal = NULL;
const char *p, *r;
const char *p, *rr;
ret = krb5_ticket_get_server(context, ticket, &principal);
if (ret)
@@ -280,12 +280,12 @@ _kdc_do_digest(krb5_context context,
krb5_free_principal(context, principal);
goto out;
}
r = krb5_principal_get_realm(context, principal);
if (r == NULL) {
rr = krb5_principal_get_realm(context, principal);
if (rr == NULL) {
krb5_free_principal(context, principal);
goto out;
}
if (strcmp(p, r) != 0) {
if (strcmp(p, rr) != 0) {
krb5_free_principal(context, principal);
goto out;
}
@@ -616,7 +616,7 @@ _kdc_do_digest(krb5_context context,
EVP_MD_CTX *ctx;
unsigned char md[MD5_DIGEST_LENGTH];
char *mdx;
char id;
char idx;
if ((config->digests_allowed & CHAP_MD5) == 0) {
kdc_log(context, config, 0, "Digest CHAP MD5 not allowed");
@@ -630,7 +630,7 @@ _kdc_do_digest(krb5_context context,
goto out;
}
if (hex_decode(*ireq.u.digestRequest.identifier, &id, 1) != 1) {
if (hex_decode(*ireq.u.digestRequest.identifier, &idx, 1) != 1) {
ret = EINVAL;
krb5_set_error_message(context, ret, "failed to decode identifier");
goto out;
@@ -645,7 +645,7 @@ _kdc_do_digest(krb5_context context,
ctx = EVP_MD_CTX_create();
EVP_DigestInit_ex(ctx, EVP_md5(), NULL);
EVP_DigestUpdate(ctx, &id, 1);
EVP_DigestUpdate(ctx, &idx, 1);
EVP_DigestUpdate(ctx, password, strlen(password));
EVP_DigestUpdate(ctx, serverNonce.data, serverNonce.length);
EVP_DigestFinal_ex(ctx, md, NULL);
@@ -804,7 +804,7 @@ _kdc_do_digest(krb5_context context,
const char *username;
struct ntlm_buf answer;
Key *key = NULL;
EVP_MD_CTX *ctx;
EVP_MD_CTX *ctp;
if ((config->digests_allowed & MS_CHAP_V2) == 0) {
kdc_log(context, config, 0, "MS-CHAP-V2 not allowed");
@@ -831,10 +831,10 @@ _kdc_do_digest(krb5_context context,
else
username++;
ctx = EVP_MD_CTX_create();
ctp = EVP_MD_CTX_create();
/* ChallangeHash */
EVP_DigestInit_ex(ctx, EVP_sha1(), NULL);
EVP_DigestInit_ex(ctp, EVP_sha1(), NULL);
{
ssize_t ssize;
krb5_data clientNonce;
@@ -845,7 +845,7 @@ _kdc_do_digest(krb5_context context,
ret = ENOMEM;
krb5_set_error_message(context, ret,
"malloc: out of memory");
EVP_MD_CTX_destroy(ctx);
EVP_MD_CTX_destroy(ctp);
goto out;
}
@@ -855,18 +855,18 @@ _kdc_do_digest(krb5_context context,
ret = ENOMEM;
krb5_set_error_message(context, ret,
"Failed to decode clientNonce");
EVP_MD_CTX_destroy(ctx);
EVP_MD_CTX_destroy(ctp);
goto out;
}
EVP_DigestUpdate(ctx, clientNonce.data, ssize);
EVP_DigestUpdate(ctp, clientNonce.data, ssize);
free(clientNonce.data);
}
EVP_DigestUpdate(ctx, serverNonce.data, serverNonce.length);
EVP_DigestUpdate(ctx, username, strlen(username));
EVP_DigestUpdate(ctp, serverNonce.data, serverNonce.length);
EVP_DigestUpdate(ctp, username, strlen(username));
EVP_DigestFinal_ex(ctx, challange, NULL);
EVP_DigestFinal_ex(ctp, challange, NULL);
EVP_MD_CTX_destroy(ctx);
EVP_MD_CTX_destroy(ctp);
/* NtPasswordHash */
ret = krb5_parse_name(context, username, &clientprincipal);
@@ -923,39 +923,39 @@ _kdc_do_digest(krb5_context context,
if (r.u.response.success) {
unsigned char hashhash[MD4_DIGEST_LENGTH];
EVP_MD_CTX *ctx;
EVP_MD_CTX *ctxp;
ctx = EVP_MD_CTX_create();
ctxp = EVP_MD_CTX_create();
/* hashhash */
{
EVP_DigestInit_ex(ctx, EVP_md4(), NULL);
EVP_DigestUpdate(ctx,
EVP_DigestInit_ex(ctxp, EVP_md4(), NULL);
EVP_DigestUpdate(ctxp,
key->key.keyvalue.data,
key->key.keyvalue.length);
EVP_DigestFinal_ex(ctx, hashhash, NULL);
EVP_DigestFinal_ex(ctxp, hashhash, NULL);
}
/* GenerateAuthenticatorResponse */
EVP_DigestInit_ex(ctx, EVP_sha1(), NULL);
EVP_DigestUpdate(ctx, hashhash, sizeof(hashhash));
EVP_DigestUpdate(ctx, answer.data, answer.length);
EVP_DigestUpdate(ctx, ms_chap_v2_magic1,
EVP_DigestInit_ex(ctxp, EVP_sha1(), NULL);
EVP_DigestUpdate(ctxp, hashhash, sizeof(hashhash));
EVP_DigestUpdate(ctxp, answer.data, answer.length);
EVP_DigestUpdate(ctxp, ms_chap_v2_magic1,
sizeof(ms_chap_v2_magic1));
EVP_DigestFinal_ex(ctx, md, NULL);
EVP_DigestFinal_ex(ctxp, md, NULL);
EVP_DigestInit_ex(ctx, EVP_sha1(), NULL);
EVP_DigestUpdate(ctx, md, sizeof(md));
EVP_DigestUpdate(ctx, challange, 8);
EVP_DigestUpdate(ctx, ms_chap_v2_magic2,
EVP_DigestInit_ex(ctxp, EVP_sha1(), NULL);
EVP_DigestUpdate(ctxp, md, sizeof(md));
EVP_DigestUpdate(ctxp, challange, 8);
EVP_DigestUpdate(ctxp, ms_chap_v2_magic2,
sizeof(ms_chap_v2_magic2));
EVP_DigestFinal_ex(ctx, md, NULL);
EVP_DigestFinal_ex(ctxp, md, NULL);
r.u.response.rsp = calloc(1, sizeof(*r.u.response.rsp));
if (r.u.response.rsp == NULL) {
free(answer.data);
krb5_clear_error_message(context);
EVP_MD_CTX_destroy(ctx);
EVP_MD_CTX_destroy(ctxp);
ret = ENOMEM;
goto out;
}
@@ -964,22 +964,22 @@ _kdc_do_digest(krb5_context context,
if (r.u.response.rsp == NULL) {
free(answer.data);
krb5_clear_error_message(context);
EVP_MD_CTX_destroy(ctx);
EVP_MD_CTX_destroy(ctxp);
ret = ENOMEM;
goto out;
}
/* get_master, rfc 3079 3.4 */
EVP_DigestInit_ex(ctx, EVP_sha1(), NULL);
EVP_DigestUpdate(ctx, hashhash, 16);
EVP_DigestUpdate(ctx, answer.data, answer.length);
EVP_DigestUpdate(ctx, ms_rfc3079_magic1,
EVP_DigestInit_ex(ctxp, EVP_sha1(), NULL);
EVP_DigestUpdate(ctxp, hashhash, 16);
EVP_DigestUpdate(ctxp, answer.data, answer.length);
EVP_DigestUpdate(ctxp, ms_rfc3079_magic1,
sizeof(ms_rfc3079_magic1));
EVP_DigestFinal_ex(ctx, md, NULL);
EVP_DigestFinal_ex(ctxp, md, NULL);
free(answer.data);
EVP_MD_CTX_destroy(ctx);
EVP_MD_CTX_destroy(ctxp);
r.u.response.session_key =
calloc(1, sizeof(*r.u.response.session_key));
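Review bot: `hashhash` (MD4 of the stored NT key, i.e. the MS-CHAPv2 PasswordHashHash, a password-equivalent) and `md` are stack buffers holding key material that leave scope without being wiped, on the success path as well as the two ENOMEM `goto out` paths; while these lines are already being touched for the `ctxp` rename, clear them, e.g. `memset_s(hashhash, sizeof(hashhash), 0, sizeof(hashhash));` or the project's explicit-zeroing equivalent if `memset_s` is unavailable, since a plain `memset` before return may be optimized away. `EVP_MD_CTX_destroy(ctxp)` clears the digest context but not these copies. Whether `challange` and `answer.data` warrant the same treatment depends on how they are produced, which is outside this hunk. _kdc_do_digest starts and ends outside the hunk.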


@@ -89,19 +89,11 @@ specified on the command by opening a TCP connection to port 754
.Pp
Supported options:
.Bl -tag -width Ds
.It Xo
.Fl m Ar file ,
.Fl -master-key= Ns Pa file
.Xc
.It Fl m Ar file , Fl -master-key= Ns Pa file
Where to find the master key to encrypt or decrypt keys with.
.It Xo
.Fl d Ar file ,
.Fl -database= Ns Pa file
.Xc
.It Fl d Ar file , Fl -database= Ns Pa file
The database to be propagated.
.It Xo
.Fl -source= Ns Ar heimdal|mit-dump
.Xc
.It Fl -source= Ns Ar heimdal|mit-dump|krb4-dump|kaserver
Specifies the type of the source database. Alternatives include:
.Pp
.Bl -tag -width mit-dump -compact -offset indent
@@ -110,42 +102,27 @@ a Heimdal database
.It mit-dump
a MIT Kerberos 5 dump file
.El
.It Xo
.Fl k Ar keytab ,
.Fl -keytab= Ns Ar keytab
.Xc
+.It Fl k Ar keytab , Fl -keytab= Ns Ar keytab
The keytab to use for fetching the key to be used for authenticating
to the propagation daemon(s). The key
.Pa hprop/hostname
is used from this keytab. The default is to fetch the key from the
KDC database.
.It Xo
.Fl R Ar string ,
.Fl -v5-realm= Ns Ar string
.Xc
.It Fl R Ar string , Fl -v5-realm= Ns Ar string
Local realm override.
.It Xo
.Fl D ,
.Fl -decrypt
.Xc
.It Fl D , Fl -decrypt
The encryption keys in the database can either be in clear, or
encrypted with a master key. This option transmits the database with
unencrypted keys.
.It Xo
.Fl E ,
.Fl -encrypt
.Xc
.It Fl E , Fl -encrypt
This option transmits the database with encrypted keys.
.It Xo
.Fl n ,
.Fl -stdout
.Xc
.It Fl n , Fl -stdout
Dump the database on stdout, in a format that can be fed to hpropd.
.El
.Sh EXAMPLES
The following will propagate a database to another machine (which
should run
.Xr hpropd 8 ):
.Xr hpropd 8 ) :
.Bd -literal -offset indent
$ hprop slave-1 slave-2
.Ed


@@ -133,13 +133,13 @@ struct getargs args[] = {
{ "keytab", 'k', arg_string, rk_UNCONST(&ktname),
"keytab to use for authentication", "keytab" },
{ "v5-realm", 'R', arg_string, &local_realm, "v5 realm to use" },
{ "decrypt", 'D', arg_flag, &decrypt_flag, "decrypt keys" },
{ "encrypt", 'E', arg_flag, &encrypt_flag, "encrypt keys" },
{ "stdout", 'n', arg_flag, &to_stdout, "dump to stdout" },
{ "verbose", 'v', arg_flag, &verbose_flag },
{ "version", 0, arg_flag, &version_flag },
{ "help", 'h', arg_flag, &help_flag }
{ "v5-realm", 'R', arg_string, &local_realm, "v5 realm to use", NULL },
{ "decrypt", 'D', arg_flag, &decrypt_flag, "decrypt keys", NULL },
{ "encrypt", 'E', arg_flag, &encrypt_flag, "encrypt keys", NULL },
{ "stdout", 'n', arg_flag, &to_stdout, "dump to stdout", NULL },
{ "verbose", 'v', arg_flag, &verbose_flag, NULL, NULL },
{ "version", 0, arg_flag, &version_flag, NULL, NULL },
{ "help", 'h', arg_flag, &help_flag, NULL, NULL }
};
static int num_args = sizeof(args) / sizeof(args[0]);
@@ -213,7 +213,7 @@ struct {
static int
parse_source_type(const char *s)
{
int i;
size_t i;
for(i = 0; i < sizeof(types) / sizeof(types[0]); i++) {
if(strstr(types[i].name, s) == types[i].name)
return types[i].type;
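Review bot: The `strstr(types[i].name, s) == types[i].name` prefix test that this loop now indexes with `size_t` accepts an empty `--source=` value (strstr with an empty needle returns the haystack, so `""` selects the first table entry) and maps any prefix such as `m` onto `mit-dump`, so a typo is silently turned into a source type instead of being rejected. Consider `if (*s != '\0' && strncmp(types[i].name, s, strlen(s)) == 0)`, or an exact `strcmp`, and make sure the caller treats no match as an error. This is pre-existing, but the loop is being edited anyway. The `types` table and the function's closing lines are outside the hunk.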


@@ -73,34 +73,17 @@ are accepted.
.Pp
Options supported:
.Bl -tag -width Ds
.It Xo
.Fl d Ar file ,
.Fl -database= Ns Ar file
.Xc
.It Fl d Ar file , Fl -database= Ns Ar file
database
.It Xo
.Fl n ,
.Fl -stdin
.Xc
.It Fl n , Fl -stdin
read from stdin
.It Xo
.Fl -print
.Xc
.It Fl -print
print dump to stdout
.It Xo
.Fl i ,
.Fl -no-inetd
.Xc
.It Fl i , Fl -no-inetd
not started from inetd
.It Xo
.Fl k Ar keytab ,
.Fl -keytab= Ns Ar keytab
.Xc
.It Fl k Ar keytab , Fl -keytab= Ns Ar keytab
keytab to use for authentication
.It Xo
.Fl 4 ,
.Fl -v4dump
.Xc
.It Fl 4 , Fl -v4dump
create v4 type DB
.El
.Sh SEE ALSO


@@ -44,19 +44,20 @@ static char *ktname = NULL;
struct getargs args[] = {
{ "database", 'd', arg_string, rk_UNCONST(&database), "database", "file" },
{ "stdin", 'n', arg_flag, &from_stdin, "read from stdin" },
{ "print", 0, arg_flag, &print_dump, "print dump to stdout" },
{ "stdin", 'n', arg_flag, &from_stdin, "read from stdin", NULL },
{ "print", 0, arg_flag, &print_dump, "print dump to stdout", NULL },
#ifdef SUPPORT_INETD
{ "inetd", 'i', arg_negative_flag, &inetd_flag,
"Not started from inetd" },
"Not started from inetd", NULL },
#endif
{ "keytab", 'k', arg_string, &ktname, "keytab to use for authentication", "keytab" },
{ "realm", 'r', arg_string, &local_realm, "realm to use" },
{ "realm", 'r', arg_string, &local_realm, "realm to use", NULL },
{ "version", 0, arg_flag, &version_flag, NULL, NULL },
{ "help", 'h', arg_flag, &help_flag, NULL, NULL}
};
static int num_args = sizeof(args) / sizeof(args[0]);
static char unparseable_name[] = "unparseable name";
static void
usage(int ret)
@@ -194,7 +195,7 @@ main(int argc, char **argv)
char *s;
ret = krb5_unparse_name(context, c2, &s);
if (ret)
s = "unparseable name";
s = unparseable_name;
krb5_errx(context, 1, "Unauthorized connection from %s", s);
}
krb5_free_principal(context, c1);
@@ -260,7 +261,7 @@ main(int argc, char **argv)
char *s;
ret = krb5_unparse_name(context, entry.entry.principal, &s);
if (ret)
s = strdup("unparseable name");
s = strdup(unparseable_name);
krb5_warnx(context, "Entry exists: %s", s);
free(s);
} else if(ret)
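Review bot: `s = strdup(unparseable_name);` on the "Entry exists" path still leaves `s` NULL if strdup fails, and the following `krb5_warnx(context, "Entry exists: %s", s)` then passes NULL for `%s`, which is undefined. Now that `unparseable_name` is a static array there is no reason to copy it: use `s = unparseable_name;` as the earlier hunk already does, and guard the release with `if (ret == 0) free(s);` so the static buffer is never handed to free. The enclosing main() starts and ends outside the hunk.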


@@ -72,17 +72,11 @@ or from a default compiled-in value.
.Pp
Options supported:
.Bl -tag -width Ds
.It Xo
.Fl c Ar file ,
.Fl -config-file= Ns Ar file
.Xc
.It Fl c Ar file , Fl -config-file= Ns Ar file
Specifies the location of the config file, the default is
.Pa /var/heimdal/kdc.conf .
This is the only value that can't be specified in the config file.
.It Xo
.Fl p ,
.Fl -no-require-preauth
.Xc
.It Fl p , Fl -no-require-preauth
Turn off the requirement for pre-autentication in the initial AS-REQ
for all principals.
The use of pre-authentication makes it more difficult to do offline
@@ -95,34 +89,20 @@ pre-athentication.
The default is to require pre-authentication.
Adding the require-preauth per principal is a more flexible way of
handling this.
.It Xo
.Fl -max-request= Ns Ar size
.Xc
.It Fl -max-request= Ns Ar size
Gives an upper limit on the size of the requests that the kdc is
willing to handle.
.It Xo
.Fl H ,
.Fl -enable-http
.Xc
.It Fl H , Fl -enable-http
Makes the kdc listen on port 80 and handle requests encapsulated in HTTP.
.It Xo
.Fl -no-524
.Xc
.It Fl -no-524
don't respond to 524 requests
.It Xo
.Fl -kerberos4
.Xc
.It Fl -kerberos4
respond to Kerberos 4 requests
.It Xo
.Fl -kerberos4-cross-realm
.Xc
.It Fl -kerberos4-cross-realm
respond to Kerberos 4 requests from foreign realms.
This is a known security hole and should not be enabled unless you
understand the consequences and are willing to live with them.
.It Xo
.Fl r Ar string ,
.Fl -v4-realm= Ns Ar string
.Xc
.It Fl r Ar string , Fl -v4-realm= Ns Ar string
What realm this server should act as when dealing with version 4
requests.
The database can contain any number of realms, but since the version 4
@@ -130,17 +110,11 @@ protocol doesn't contain a realm for the server, it must be explicitly
specified.
The default is whatever is returned by
.Fn krb_get_lrealm .
This option is only availabe if the KDC has been compiled with version
This option is only available if the KDC has been compiled with version
4 support.
.It Xo
.Fl K ,
.Fl -kaserver
.Xc
.It Fl K , Fl -kaserver
Enable kaserver emulation (in case it's compiled in).
.It Xo
.Fl P Ar portspec ,
.Fl -ports= Ns Ar portspec
.Xc
.It Fl P Ar portspec , Fl -ports= Ns Ar portspec
Specifies the set of ports the KDC should listen on.
It is given as a
white-space separated list of services or port numbers.
@@ -198,11 +172,8 @@ Permit anonymous tickets with no addresses.
.It Li max-kdc-datagram-reply-length = Va number
Maximum packet size the UDP rely that the KDC will transmit, instead
the KDC sends back a reply telling the client to use TCP instead.
.It Li transited-policy = Xo
.Li always-check \*(Ba
.Li allow-per-principal |
.Li always-honour-request
.Xc
.It Li transited-policy = Li always-check \*(Ba \
Li allow-per-principal | Li always-honour-request
This controls how KDC requests with the
.Li disable-transited-check
flag are handled. It can be one of:

View File

@@ -64,15 +64,6 @@ typedef struct krb5_kdc_configuration {
krb5_boolean allow_anonymous;
enum krb5_kdc_trpolicy trpolicy;
char *v4_realm;
krb5_boolean enable_v4;
krb5_boolean enable_v4_cross_realm;
krb5_boolean enable_v4_per_principal;
krb5_boolean enable_kaserver;
krb5_boolean enable_524;
krb5_boolean enable_pkinit;
krb5_boolean pkinit_princ_in_cert;
const char *pkinit_kdc_identity;


@@ -74,9 +74,9 @@ _kdc_find_padata(const KDC_REQ *req, int *start, int type)
if (req->padata == NULL)
return NULL;
while(*start < req->padata->len){
while((size_t)*start < req->padata->len){
(*start)++;
if(req->padata->val[*start - 1].padata_type == type)
if(req->padata->val[*start - 1].padata_type == (unsigned)type)
return &req->padata->val[*start - 1];
}
return NULL;
@@ -127,7 +127,7 @@ _kdc_find_etype(krb5_context context, const hdb_entry_ex *princ,
krb5_enctype *etypes, unsigned len,
Key **ret_key)
{
int i;
size_t i;
krb5_error_code ret = KRB5KDC_ERR_ETYPE_NOSUPP;
krb5_salt def_salt;
@@ -211,7 +211,7 @@ log_patypes(krb5_context context,
{
struct rk_strpool *p = NULL;
char *str;
int i;
size_t i;
for (i = 0; i < padata->len; i++) {
switch(padata->val[i].padata_type) {
@@ -614,7 +614,7 @@ log_as_req(krb5_context context,
krb5_error_code ret;
struct rk_strpool *p;
char *str;
int i;
size_t i;
p = rk_strpoolprintf(NULL, "%s", "Client supported enctypes: ");
@@ -809,7 +809,7 @@ _kdc_check_addresses(krb5_context context,
krb5_address addr;
krb5_boolean result;
krb5_boolean only_netbios = TRUE;
int i;
size_t i;
if(config->check_ticket_addresses == 0)
return TRUE;
@@ -1035,7 +1035,7 @@ _kdc_as_rep(krb5_context context,
{
const krb5_enctype *p;
krb5_enctype clientbest = ETYPE_NULL;
int i, j;
size_t i, j;
p = krb5_kerberos_enctypes(context);
@@ -1663,7 +1663,7 @@ _kdc_as_rep(krb5_context context,
PA_ClientCanonicalized canon;
krb5_data data;
PA_DATA pa;
krb5_crypto crypto;
krb5_crypto cryptox;
size_t len;
memset(&canon, 0, sizeof(canon));
@@ -1679,18 +1679,18 @@ _kdc_as_rep(krb5_context context,
krb5_abortx(context, "internal asn.1 error");
/* sign using "returned session key" */
ret = krb5_crypto_init(context, &et.key, 0, &crypto);
ret = krb5_crypto_init(context, &et.key, 0, &cryptox);
if (ret) {
free(data.data);
goto out;
}
ret = krb5_create_checksum(context, crypto,
ret = krb5_create_checksum(context, cryptox,
KRB5_KU_CANONICALIZED_NAMES, 0,
data.data, data.length,
&canon.canon_checksum);
free(data.data);
krb5_crypto_destroy(context, crypto);
krb5_crypto_destroy(context, cryptox);
if (ret)
goto out;
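Review bot: In `_kdc_find_padata` the new `(size_t)*start < req->padata->len` quietly changes what a negative cursor does: before, it would have read `val[*start - 1]` out of bounds; now it converts to a huge value, the loop is skipped and NULL is returned. That is the safer outcome, but it is a by-product of the cast rather than a stated contract, so either document the precondition, `/* *start: index to resume from, must be >= 0 */`, or reject it explicitly with `if (*start < 0) return NULL;` ahead of the loop. The companion `== (unsigned)type` cast likewise assumes callers never pass a negative type. The function's opening lines are outside the hunk.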


@@ -508,7 +508,7 @@ check_constrained_delegation(krb5_context context,
{
const HDB_Ext_Constrained_delegation_acl *acl;
krb5_error_code ret;
int i;
size_t i;
/* if client delegates to itself, that ok */
if (krb5_principal_compare(context, client->entry.principal, server) == TRUE)
@@ -606,7 +606,7 @@ fix_transited_encoding(krb5_context context,
krb5_error_code ret = 0;
char **realms, **tmp;
unsigned int num_realms;
int i;
size_t i;
switch (tr->tr_type) {
case DOMAIN_X500_COMPRESS:
@@ -1131,6 +1131,7 @@ tgs_parse_request(krb5_context context,
krb5_keyblock **replykey,
int *rk_is_subkey)
{
static char failed[] = "<unparse_name failed>";
krb5_ap_req ap_req;
krb5_error_code ret;
krb5_principal princ;
@@ -1174,7 +1175,7 @@ tgs_parse_request(krb5_context context,
char *p;
ret = krb5_unparse_name(context, princ, &p);
if (ret != 0)
p = "<unparse_name failed>";
p = failed;
krb5_free_principal(context, princ);
kdc_log(context, config, 5, "Ticket-granting ticket account %s does not have secrets at this KDC, need to proxy", p);
if (ret == 0)
@@ -1186,7 +1187,7 @@ tgs_parse_request(krb5_context context,
char *p;
ret = krb5_unparse_name(context, princ, &p);
if (ret != 0)
p = "<unparse_name failed>";
p = failed;
krb5_free_principal(context, princ);
kdc_log(context, config, 0,
"Ticket-granting ticket not found in database: %s", msg);
@@ -1198,13 +1199,13 @@ tgs_parse_request(krb5_context context,
}
if(ap_req.ticket.enc_part.kvno &&
*ap_req.ticket.enc_part.kvno != (*krbtgt)->entry.kvno){
(size_t)*ap_req.ticket.enc_part.kvno != (*krbtgt)->entry.kvno){
char *p;
ret = krb5_unparse_name (context, princ, &p);
krb5_free_principal(context, princ);
if (ret != 0)
p = "<unparse_name failed>";
p = failed;
kdc_log(context, config, 0,
"Ticket kvno = %d, DB kvno = %d (%s)",
*ap_req.ticket.enc_part.kvno,
@@ -1646,7 +1647,7 @@ server_lookup:
krb5_enctype etype;
if(b->kdc_options.enc_tkt_in_skey) {
int i;
size_t i;
ekey = &adtkt.key;
for(i = 0; i < b->etype.len; i++)
if (b->etype.val[i] == adtkt.key.keytype)
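Review bot: The changed kvno comparison casts `*ap_req.ticket.enc_part.kvno` to `size_t`, which implies `(*krbtgt)->entry.kvno` is a `size_t` (or at least differs in signedness), yet the log line just below still prints both values with `%d`; passing an unsigned value for `%d` is not strictly conforming, and if `entry.kvno` really is `size_t` the output is garbage on LP64. Use matching specifiers, e.g. `"Ticket kvno = %u, DB kvno = %lu (%s)"` with `(unsigned long)(*krbtgt)->entry.kvno`. The mismatch predates this change, but the cast is what makes the type difference explicit. tgs_parse_request starts and ends outside the hunk.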


@@ -62,28 +62,16 @@ used by the KDC.
.Pp
Supported options:
.Bl -tag -width Ds
.It Xo
.Fl e Ar string ,
.Fl -enctype= Ns Ar string
.Xc
.It Fl e Ar string , Fl -enctype= Ns Ar string
the encryption type to use, defaults to DES3-CBC-SHA1.
.It Xo
.Fl k Ar file ,
.Fl -key-file= Ns Ar file
.Xc
.It Fl k Ar file , Fl -key-file= Ns Ar file
the name of the master key file.
.It Xo
.Fl -convert-file
.Xc
.It Fl -convert-file
don't ask for a new master key, just read an old master key file, and
write it back in the new keyfile format.
.It Xo
.Fl -random-key
.Xc
.It Fl -random-key
generate a random master key.
.It Xo
.Fl -master-key-fd= Ns Ar fd
.Xc
.It Fl -master-key-fd= Ns Ar fd
filedescriptor to read passphrase from, if not specified the
passphrase will be read from the terminal.
.El


@@ -46,15 +46,17 @@ static int random_key_flag;
static const char *enctype_str = "des3-cbc-sha1";
static struct getargs args[] = {
{ "enctype", 'e', arg_string, rk_UNCONST(&enctype_str), "encryption type" },
{ "enctype", 'e', arg_string, rk_UNCONST(&enctype_str), "encryption type",
NULL },
{ "key-file", 'k', arg_string, &keyfile, "master key file", "file" },
{ "convert-file", 0, arg_flag, &convert_flag,
"just convert keyfile to new format" },
"just convert keyfile to new format", NULL },
{ "master-key-fd", 0, arg_integer, &master_key_fd,
"filedescriptor to read passphrase from", "fd" },
{ "random-key", 0, arg_flag, &random_key_flag, "generate a random master key" },
{ "help", 'h', arg_flag, &help_flag },
{ "version", 0, arg_flag, &version_flag }
{ "random-key", 0, arg_flag, &random_key_flag,
"generate a random master key", NULL },
{ "help", 'h', arg_flag, &help_flag, NULL, NULL },
{ "version", 0, arg_flag, &version_flag, NULL, NULL }
};
int num_args = sizeof(args) / sizeof(args[0]);


@@ -50,10 +50,12 @@ kdc_openlog(krb5_context context,
krb5_addlog_dest(context, config->logf, *p);
krb5_config_free_strings(s);
}else {
char *s;
asprintf(&s, "0-1/FILE:%s/%s", hdb_db_dir(context), KDC_LOG_FILE);
krb5_addlog_dest(context, config->logf, s);
free(s);
char *ss;
if (asprintf(&ss, "0-1/FILE:%s/%s", hdb_db_dir(context),
KDC_LOG_FILE) < 0)
err(1, NULL);
krb5_addlog_dest(context, config->logf, ss);
free(ss);
}
krb5_set_warn_dest(context, config->logf);
}
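Review bot: The new failure path calls `err(1, NULL)`, which reports via errno and the process name and bypasses the krb5 error reporting the KDC uses elsewhere (configure() in config.c uses `krb5_errx`, for instance); prefer `krb5_errx(context, 1, "asprintf: out of memory");` so the message and destination stay consistent. Checking asprintf is the right fix, since on failure `ss` is indeterminate and the old code would have passed it to both `krb5_addlog_dest` and `free`. `krb5_addlog_dest`'s own return value is still ignored on both branches, so a malformed `[logging]` destination is silently dropped; worth checking while here. kdc_openlog's opening lines are outside the hunk.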


@@ -77,7 +77,7 @@ unless no extra data
static int
hex_to_octet_string(const char *ptr, krb5_data *data)
{
int i;
size_t i;
unsigned int v;
for(i = 0; i < data->length; i++) {
if(sscanf(ptr + 2 * i, "%02x", &v) != 1)
@@ -165,7 +165,7 @@ fix_salt(krb5_context context, hdb_entry *ent, int key_num)
case KRB5_KDB_SALTTYPE_NOREALM:
{
size_t len;
int i;
size_t i;
char *p;
len = 0;
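Review bot: `hex_to_octet_string` still parses with `sscanf(ptr + 2 * i, "%02x", &v)`, which within its two-character window accepts leading whitespace, a sign and an `0x` prefix, and if `ptr` is shorter than `2 * data->length` the pointer arithmetic steps past the terminating NUL — only the index type changed here. digest.c in this same change uses roken's `hex_decode` for the same job; replacing the loop with a single `hex_decode(ptr, data->data, data->length)` call whose result is compared against `data->length`, or at least rejecting input where `strlen(ptr) < 2 * data->length` up front, gives strict parsing and a bound. MIT dump files are operator-supplied but not necessarily well-formed, so strictness is warranted. The function's tail is outside the hunk.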


@@ -237,7 +237,7 @@ generate_dh_keyblock(krb5_context context,
}
dh_gen_keylen = DH_compute_key(dh_gen_key,client_params->u.dh.public_key, client_params->u.dh.key);
if (dh_gen_keylen == -1) {
if (dh_gen_keylen == (size_t)-1) {
ret = KRB5KRB_ERR_GENERIC;
krb5_set_error_message(context, ret,
"Can't compute Diffie-Hellman key");
@@ -1247,7 +1247,7 @@ _kdc_pk_mk_pa_reply(krb5_context context,
krb5_enctype enctype;
int pa_type;
hx509_cert kdc_cert = NULL;
int i;
size_t i;
if (!config->enable_pkinit) {
krb5_clear_error_message(context);
@@ -1575,7 +1575,8 @@ match_rfc_san(krb5_context context,
krb5_const_principal match)
{
hx509_octet_string_list list;
int ret, i, found = 0;
int ret, found = 0;
size_t i;
memset(&list, 0 , sizeof(list));
@@ -1709,7 +1710,7 @@ _kdc_pk_check_client(krb5_context context,
const HDB_Ext_PKINIT_cert *pc;
krb5_error_code ret;
hx509_name name;
int i;
size_t i;
if (cp->cert == NULL) {
@@ -1737,12 +1738,12 @@ _kdc_pk_check_client(krb5_context context,
ret = hdb_entry_get_pkinit_cert(&client->entry, &pc);
if (ret == 0 && pc) {
hx509_cert cert;
unsigned int i;
size_t j;
for (i = 0; i < pc->len; i++) {
for (j = 0; j < pc->len; j++) {
ret = hx509_cert_init_data(context->hx509ctx,
pc->val[i].cert.data,
pc->val[i].cert.length,
pc->val[j].cert.data,
pc->val[j].cert.length,
&cert);
if (ret)
continue;
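Review bot: `dh_gen_keylen == (size_t)-1` only detects a result of exactly -1: `DH_compute_key` returns an `int`, and storing it in a `size_t` before testing means any other negative value would become a large positive length that is then used as a valid shared-secret size. Keep a signed temporary and test the sign instead: `int dhlen = DH_compute_key(dh_gen_key, client_params->u.dh.public_key, client_params->u.dh.key); if (dhlen < 0) { ...existing error path... } dh_gen_keylen = (size_t)dhlen;`. generate_dh_keyblock starts and ends outside the hunk.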


@@ -65,46 +65,21 @@ performs the string-to-key function.
This is useful when you want to handle the raw key instead of the password.
Supported options:
.Bl -tag -width Ds
.It Xo
.Fl 5 ,
.Fl -version5
.Xc
.It Fl 5 , Fl -version5
Output Kerberos v5 string-to-key
.It Xo
.Fl 4 ,
.Fl -version4
.Xc
.It Fl 4 , Fl -version4
Output Kerberos v4 string-to-key
.It Xo
.Fl a ,
.Fl -afs
.Xc
.It Fl a , Fl -afs
Output AFS string-to-key
.It Xo
.Fl c Ar cell ,
.Fl -cell= Ns Ar cell
.Xc
.It Fl c Ar cell , Fl -cell= Ns Ar cell
AFS cell to use
.It Xo
.Fl w Ar password ,
.Fl -password= Ns Ar password
.Xc
.It Fl w Ar password , Fl -password= Ns Ar password
Password to use
.It Xo
.Fl p Ar principal ,
.Fl -principal= Ns Ar principal
.Xc
.It Fl p Ar principal , Fl -principal= Ns Ar principal
Kerberos v5 principal to use
.It Xo
.Fl k Ar string ,
.Fl -keytype= Ns Ar string
.Xc
.It Fl k Ar string , Fl -keytype= Ns Ar string
Keytype
.It Xo
.Fl -version
.Xc
.It Fl -version
print version
.It Xo
.Fl -help
.Xc
.It Fl -help
.El


@@ -45,15 +45,17 @@ int version;
int help;
struct getargs args[] = {
{ "version5", '5', arg_flag, &version5, "Output Kerberos v5 string-to-key" },
{ "version4", '4', arg_flag, &version4, "Output Kerberos v4 string-to-key" },
{ "afs", 'a', arg_flag, &afs, "Output AFS string-to-key" },
{ "version5", '5', arg_flag, &version5, "Output Kerberos v5 string-to-key",
NULL },
{ "version4", '4', arg_flag, &version4, "Output Kerberos v4 string-to-key",
NULL },
{ "afs", 'a', arg_flag, &afs, "Output AFS string-to-key", NULL },
{ "cell", 'c', arg_string, &cell, "AFS cell to use", "cell" },
{ "password", 'w', arg_string, &password, "Password to use", "password" },
{ "principal",'p', arg_string, &principal, "Kerberos v5 principal to use", "principal" },
{ "keytype", 'k', arg_string, rk_UNCONST(&keytype_str), "Keytype" },
{ "version", 0, arg_flag, &version, "print version" },
{ "help", 0, arg_flag, &help, NULL }
{ "keytype", 'k', arg_string, rk_UNCONST(&keytype_str), "Keytype", NULL },
{ "version", 0, arg_flag, &version, "print version", NULL },
{ "help", 0, arg_flag, &help, NULL, NULL }
};
int num_args = sizeof(args) / sizeof(args[0]);
@@ -73,7 +75,7 @@ tokey(krb5_context context,
const char *label)
{
krb5_error_code ret;
int i;
size_t i;
krb5_keyblock key;
char *e;


@@ -40,10 +40,11 @@ static char *admin_principal_str;
static char *cred_cache_str;
static struct getargs args[] = {
{ "admin-principal", 0, arg_string, &admin_principal_str },
{ "cache", 'c', arg_string, &cred_cache_str },
{ "version", 0, arg_flag, &version_flag },
{ "help", 0, arg_flag, &help_flag }
{ "admin-principal", 0, arg_string, &admin_principal_str, NULL,
NULL },
{ "cache", 'c', arg_string, &cred_cache_str, NULL, NULL },
{ "version", 0, arg_flag, &version_flag, NULL, NULL },
{ "help", 0, arg_flag, &help_flag, NULL, NULL }
};
static void


@@ -64,20 +64,14 @@ the database directly and should thus only run on the master KDC.
.Pp
Supported options:
.Bl -tag -width Ds
.It Xo
.Fl -addresses= Ns Ar address
.Xc
.It Fl -addresses= Ns Ar address
For each till the argument is given, add the address to what kpasswdd
should listen too.
.It Xo
.Fl -check-library= Ns Ar library
.Xc
.It Fl -check-library= Ns Ar library
If your system has support for dynamic loading of shared libraries,
you can use an external function to check password quality. This
option specifies which library to load.
.It Xo
.Fl -check-function= Ns Ar function
.Xc
.It Fl -check-function= Ns Ar function
This is the function to call in the loaded library. The function
should look like this:
.Pp
@@ -92,20 +86,11 @@ is the one who tries to change passwords, and
is the new password. Note that the password (in
.Fa password->data )
is not zero terminated.
.It Xo
.Fl k Ar kspec ,
.Fl -keytab= Ns Ar kspec
.Xc
.It Fl k Ar kspec , Fl -keytab= Ns Ar kspec
Keytab to get authentication key from.
.It Xo
.Fl r Ar realm ,
.Fl -realm= Ns Ar realm
.Xc
.It Fl r Ar realm , Fl -realm= Ns Ar realm
Default realm.
.It Xo
.Fl p Ar string ,
.Fl -port= Ns Ar string
.Xc
.It Fl p Ar string , Fl -port= Ns Ar string
Port to listen on (default service kpasswd - 464).
.El
.Sh DIAGNOSTICS


@@ -680,11 +680,11 @@ doit (krb5_keytab keytab, int port)
krb5_errx (context, 1, "No sockets!");
while(exit_flag == 0) {
int ret;
krb5_ssize_t retx;
fd_set fdset = real_fdset;
ret = select (maxfd + 1, &fdset, NULL, NULL, NULL);
if (ret < 0) {
retx = select (maxfd + 1, &fdset, NULL, NULL, NULL);
if (retx < 0) {
if (errno == EINTR)
continue;
else
@@ -695,9 +695,9 @@ doit (krb5_keytab keytab, int port)
u_char buf[BUFSIZ];
socklen_t addrlen = sizeof(__ss);
ret = recvfrom (sockets[i], buf, sizeof(buf), 0,
retx = recvfrom(sockets[i], buf, sizeof(buf), 0,
sa, &addrlen);
if (ret < 0) {
if (retx < 0) {
if(errno == EINTR)
break;
else
@@ -707,7 +707,7 @@ doit (krb5_keytab keytab, int port)
process (realms, keytab, sockets[i],
&addrs.val[i],
sa, addrlen,
buf, ret);
buf, retx);
}
}
@@ -730,7 +730,8 @@ sigterm(int sig)
static const char *check_library = NULL;
static const char *check_function = NULL;
static getarg_strings policy_libraries = { 0, NULL };
static char *keytab_str = "HDB:";
static char sHDB[] = "HDB:";
static char *keytab_str = sHDB;
static char *realm_str;
static int version_flag;
static int help_flag;
@@ -750,11 +751,11 @@ struct getargs args[] = {
"addresses to listen on", "list of addresses" },
{ "keytab", 'k', arg_string, &keytab_str,
"keytab to get authentication key from", "kspec" },
{ "config-file", 'c', arg_string, &config_file },
{ "config-file", 'c', arg_string, &config_file, NULL, NULL },
{ "realm", 'r', arg_string, &realm_str, "default realm", "realm" },
{ "port", 'p', arg_string, &port_str, "port" },
{ "version", 0, arg_flag, &version_flag },
{ "help", 0, arg_flag, &help_flag }
{ "port", 'p', arg_string, &port_str, "port", NULL },
{ "version", 0, arg_flag, &version_flag, NULL, NULL },
{ "help", 0, arg_flag, &help_flag, NULL, NULL }
};
int num_args = sizeof(args) / sizeof(args[0]);
@@ -836,10 +837,10 @@ main (int argc, char **argv)
explicit_addresses.len = 0;
if (addresses_str.num_strings) {
int i;
int j;
for (i = 0; i < addresses_str.num_strings; ++i)
add_one_address (addresses_str.strings[i], i == 0);
for (j = 0; j < addresses_str.num_strings; ++j)
add_one_address (addresses_str.strings[j], j == 0);
free_getarg_strings (&addresses_str);
} else {
char **foo = krb5_config_get_strings (context, NULL,
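Review bot: After select and recvfrom both store into `retx`, the `int ret;` declared at the top of the `while(exit_flag == 0)` body may no longer be referenced; if nothing else in the loop assigns it, remove that declaration so the build does not gain an unused-variable warning. The loop body continues outside the hunk, so this is inferred rather than certain. Passing `retx` (krb5_ssize_t) as the length to `process()` is safe because the `retx < 0` check precedes it, though `process`'s parameter type is not visible here. The `sHDB` array stops `keytab_str` pointing a writable `char *` at a string literal; a one-line comment saying it is non-const only because `arg_string` presumably stores through a `char **` would explain why it is not `static const`.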


@@ -88,7 +88,7 @@ $ copy_cred_cache --valid-for=1d --flags=initial FILE:/some/cache
.Sh DIAGNOSTICS
The
.Nm
utility exits 0 on success, and \*[Gt]0 if an error occurs, or of no
utility exits 0 on success, and \*[Gt]0 if an error occurs, or if no
credentials where actually copied.
.\".Sh SEE ALSO
.\".Sh STANDARDS


@@ -60,7 +60,7 @@ parse_ticket_flags(krb5_context context,
memset(&ff, 0, sizeof(ff));
ff.proxy = 1;
if (parse_flags("proxy", asn1_TicketFlags_units(), 0) == TicketFlags2int(ff))
if ((size_t)parse_flags("proxy", asn1_TicketFlags_units(), 0) == TicketFlags2int(ff))
ret_flags->i = flags;
else
ret_flags->i = bitswap32(flags);
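Review bot: The `(size_t)` cast on the `parse_flags("proxy", ...)` result silences the sign-compare warning but also hides a negative (error) return, which would be converted to a huge value and silently take the `bitswap32` branch. Store the result first and check it: `int proxy_bit = parse_flags("proxy", asn1_TicketFlags_units(), 0); if (proxy_bit < 0) { /* report and fail */ } if ((unsigned)proxy_bit == TicketFlags2int(ff))`. parse_flags's return type and error value, and the start of parse_ticket_flags, are outside the hunk, so confirm them against the surrounding code.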


@@ -40,8 +40,8 @@ static int version_flag;
static int help_flag;
static struct getargs args[] = {
{ "version", 0, arg_flag, &version_flag },
{ "help", 0, arg_flag, &help_flag }
{ "version", 0, arg_flag, &version_flag, NULL, NULL },
{ "help", 0, arg_flag, &help_flag, NULL, NULL }
};
static void


@@ -36,7 +36,7 @@
.Os HEIMDAL
.Sh NAME
.Nm kdestroy
.Nd remove one credental or destroy the current ticket file
.Nd remove one credential or destroy the current ticket file
.Sh SYNOPSIS
.Nm
.Bk -words
@@ -51,7 +51,7 @@
.Ek
.Sh DESCRIPTION
.Nm
remove one or the current set of tickets.
removes one credential or the current set of tickets.
.Pp
Supported options:
.Bl -tag -width Ds


@@ -47,7 +47,7 @@ struct getargs args[] = {
{ "credential", 0, arg_string, rk_UNCONST(&credential),
"remove one credential", "principal" },
{ "cache", 'c', arg_string, rk_UNCONST(&cache), "cache to destroy", "cache" },
{ "all", 'A', arg_flag, &all_flag, "destroy all caches" },
{ "all", 'A', arg_flag, &all_flag, "destroy all caches", NULL },
#ifndef NO_AFS
{ "unlog", 0, arg_negative_flag, &unlog_flag,
"do not destroy tokens", NULL },


@@ -436,6 +436,7 @@ ntlm_server_init(struct ntlm_server_init_options *opt,
krb5_data challenge, opaque;
struct ntlm_buf data;
char *s;
static char zero2[] = "\x00\x00";
memset(&type2, 0, sizeof(type2));
@@ -471,7 +472,7 @@ ntlm_server_init(struct ntlm_server_init_options *opt,
krb5_err(context, 1, ret, "krb5_ntlm_init_get_flags");
krb5_ntlm_init_get_targetname(context, ntlm, &type2.targetname);
type2.targetinfo.data = "\x00\x00";
type2.targetinfo.data = zero2;
type2.targetinfo.length = 2;
ret = heim_ntlm_encode_type2(&type2, &data);
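Review bot: `static char zero2[] = "\x00\x00"` declares a three-byte writable array (two NULs plus the literal's terminator) to back a two-byte targetinfo, which reads as a string when it is binary data; `static unsigned char zero2[2] = { 0, 0 };` (or `const`, if the `targetinfo.data` field's type allows it) states the intent directly and keeps the buffer and `type2.targetinfo.length = 2` in step. A short comment on what the two zero bytes represent would help the next reader. ntlm_server_init continues outside the hunk.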


@@ -61,30 +61,16 @@ ticket or of a special type.
.Pp
Supported options:
.Bl -tag -width Ds
.It Xo
.Fl -canonicalize
.Xc
.It Fl -canonicalize
requests that the KDC canonicalize the principal.
.It Xo
.Fl c Ar cache ,
.Fl -cache= Ns Ar cache
.Xc
.It Fl c Ar cache , Fl -cache= Ns Ar cache
the credential cache to use.
.It Xo
.Fl e Ar enctype ,
.Fl -enctype= Ns Ar enctype
.Xc
.It Fl e Ar enctype , Fl -enctype= Ns Ar enctype
encryption type to use.
.It Xo
.Fl -no-transit-check
.Xc
requests that the KDC doesn't do trasnit checking.
.It Xo
.Fl -version
.Xc
.It Xo
.Fl -help
.Xc
.It Fl -no-transit-check
requests that the KDC doesn't do transit checking.
.It Fl -version
.It Fl -help
.El
.Sh SEE ALSO
.Xr kinit 1 ,


@@ -53,17 +53,17 @@ struct getargs args[] = {
{ "delegation-credential-cache",0,arg_string, &delegation_cred_str,
NP_("where to find the ticket use for delegation", ""), "cache"},
{ "canonicalize", 0, arg_flag, &canonicalize_flag,
NP_("canonicalize the principal", "") },
NP_("canonicalize the principal", ""), NULL },
{ "forwardable", 0, arg_flag, &forwardable_flag,
NP_("forwardable ticket requested", "")},
{ "transit-check", 0, arg_negative_flag, &transit_flag },
NP_("forwardable ticket requested", ""), NULL},
{ "transit-check", 0, arg_negative_flag, &transit_flag, NULL, NULL },
{ "enctype", 'e', arg_string, &etype_str,
NP_("encryption type to use", ""), "enctype"},
{ "impersonate", 0, arg_string, &impersonate_str,
NP_("client to impersonate", ""), "principal"},
{ "name-type", 0, arg_string, &nametype_str },
{ "version", 0, arg_flag, &version_flag },
{ "help", 0, arg_flag, &help_flag }
{ "name-type", 0, arg_string, &nametype_str, NULL, NULL },
{ "version", 0, arg_flag, &version_flag, NULL, NULL },
{ "help", 0, arg_flag, &help_flag, NULL, NULL }
};
static void


@@ -40,28 +40,14 @@
impersonate a user when there exist a srvtab, keyfile or KeyFile
.Sh SYNOPSIS
.Nm
.Oo Fl s Ar string \*(Ba Xo
.Fl -server= Ns Ar string Oc
.Xc
.Oo Fl c Ar string \*(Ba Xo
.Fl -client= Ns Ar string Oc
.Xc
.Oo Fl k Ar string \*(Ba Xo
.Fl -keytab= Ns Ar string Oc
.Xc
.Op Fl s Ar string \*(Ba Fl -server= Ns Ar string
.Op Fl c Ar string \*(Ba Fl -client= Ns Ar string
.Op Fl k Ar string \*(Ba Fl -keytab= Ns Ar string
.Op Fl 5 | Fl -krb5
.Oo Fl e Ar integer \*(Ba Xo
.Fl -expire-time= Ns Ar integer Oc
.Xc
.Oo Fl a Ar string \*(Ba Xo
.Fl -client-address= Ns Ar string Oc
.Xc
.Oo Fl t Ar string \*(Ba Xo
.Fl -enc-type= Ns Ar string Oc
.Xc
.Oo Fl f Ar string \*(Ba Xo
.Fl -ticket-flags= Ns Ar string Oc
.Xc
.Op Fl e Ar integer \*(Ba Fl -expire-time= Ns Ar integer
.Op Fl a Ar string \*(Ba Fl -client-address= Ns Ar string
.Op Fl t Ar string \*(Ba Fl -enc-type= Ns Ar string
.Op Fl f Ar string \*(Ba Fl -ticket-flags= Ns Ar string
.Op Fl -verbose
.Op Fl -version
.Op Fl -help
@@ -73,57 +59,27 @@ The service key can be read from a Kerberos 5 keytab, AFS KeyFile or
(if compiled with support for Kerberos 4) a Kerberos 4 srvtab.
Supported options:
.Bl -tag -width Ds
.It Xo
.Fl s Ar string Ns ,
.Fl -server= Ns Ar string
.Xc
.It Fl s Ar string Ns , Fl -server= Ns Ar string
name of server principal
.It Xo
.Fl c Ar string Ns ,
.Fl -client= Ns Ar string
.Xc
.It Fl c Ar string Ns , Fl -client= Ns Ar string
name of client principal
.It Xo
.Fl k Ar string Ns ,
.Fl -keytab= Ns Ar string
.Xc
.It Fl k Ar string Ns , Fl -keytab= Ns Ar string
name of keytab file
.It Xo
.Fl 5 Ns ,
.Fl -krb5
.Xc
.It Fl 5 Ns , Fl -krb5
create a Kerberos 5 ticket
.It Xo
.Fl e Ar integer Ns ,
.Fl -expire-time= Ns Ar integer
.Xc
.It Fl e Ar integer Ns , Fl -expire-time= Ns Ar integer
lifetime of ticket in seconds
.It Xo
.Fl a Ar string Ns ,
.Fl -client-address= Ns Ar string
.Xc
.It Fl a Ar string Ns , Fl -client-address= Ns Ar string
address of client
.It Xo
.Fl t Ar string Ns ,
.Fl -enc-type= Ns Ar string
.Xc
.It Fl t Ar string Ns , Fl -enc-type= Ns Ar string
encryption type
.It Xo
.Fl f Ar string Ns ,
.Fl -ticket-flags= Ns Ar string
.Xc
.It Fl f Ar string Ns , Fl -ticket-flags= Ns Ar string
ticket flags for krb5 ticket
.It Xo
.Fl -verbose
.Xc
.It Fl -verbose
Verbose output
.It Xo
.Fl -version
.Xc
.It Fl -version
Print version
.It Xo
.Fl -help
.Xc
.It Fl -help
.El
.Sh FILES
Uses
@@ -131,9 +87,9 @@ Uses
.Pa /etc/srvtab
and
.Pa /usr/afs/etc/KeyFile
when avalible and the the
when available and the
.Fl k
is used with appropriate prefix.
option is used with an appropriate prefix.
.Sh EXAMPLES
.Nm
can be used in


@@ -44,7 +44,7 @@ static char *ccache_str = NULL;
static char *ticket_flags_str = NULL;
static TicketFlags ticket_flags;
static char *keytab_file = NULL;
static char *enc_type = "des-cbc-md5";
static const char *enc_type = "des-cbc-md5";
static int expiration_time = 3600;
static struct getarg_strings client_addresses;
static int version_flag = 0;
@@ -268,21 +268,21 @@ struct getargs args[] = {
{ "ccache", 0, arg_string, &ccache_str,
"name of kerberos 5 credential cache", "cache-name"},
{ "server", 's', arg_string, &server_principal_str,
"name of server principal" },
"name of server principal", NULL },
{ "client", 'c', arg_string, &client_principal_str,
"name of client principal" },
"name of client principal", NULL },
{ "keytab", 'k', arg_string, &keytab_file,
"name of keytab file" },
"name of keytab file", NULL },
{ "krb5", '5', arg_flag, &use_krb5,
"create a kerberos 5 ticket"},
"create a kerberos 5 ticket", NULL },
{ "expire-time", 'e', arg_integer, &expiration_time,
"lifetime of ticket in seconds" },
"lifetime of ticket in seconds", NULL },
{ "client-addresses", 'a', arg_strings, &client_addresses,
"addresses of client" },
"addresses of client", NULL },
{ "enc-type", 't', arg_string, &enc_type,
"encryption type" },
"encryption type", NULL },
{ "ticket-flags", 'f', arg_string, &ticket_flags_str,
"ticket flags for krb5 ticket" },
"ticket flags for krb5 ticket", NULL },
{ "version", 0, arg_flag, &version_flag, "Print version",
NULL },
{ "help", 0, arg_flag, &help_flag, NULL,
@@ -302,7 +302,7 @@ usage (int ret)
int
main (int argc, char **argv)
{
int optind = 0;
int optidx = 0;
krb5_error_code ret;
krb5_context context;
krb5_keytab kt;
@@ -313,23 +313,23 @@ main (int argc, char **argv)
if (ret)
errx(1, "krb5_init_context failed: %u", ret);
if (getarg (args, sizeof(args) / sizeof(args[0]), argc, argv,
&optind))
usage (1);
if (getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
usage(1);
if (help_flag)
usage (0);
usage(0);
if (version_flag) {
print_version(NULL);
return 0;
}
setup_env (context, &kt);
setup_env(context, &kt);
if (use_krb5)
create_krb5_tickets (context, kt);
create_krb5_tickets(context, kt);
krb5_kt_close(context, kt);
krb5_kt_close (context, kt);
return 0;
}
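Review bot: The default for `enc_type` stays `"des-cbc-md5"` while the hunk only adds `const`; single-DES enctypes are deprecated for Kerberos (RFC 6649), so tickets minted by this tool default to a weak key unless `-t` is given. Consider an AES enctype as the default, or at least a comment stating that the old default is kept for compatibility with existing keytabs. Note also that `&enc_type` is now a `const char **` handed to an `arg_string` entry, which presumably stores a `char *` through it; the other tables in this merge wrap that case in `rk_UNCONST`. The `optidx` rename in main correctly avoids shadowing the `optind` from <unistd.h>.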


@@ -96,41 +96,23 @@ can later be used to obtain tickets for other services.
.Pp
Supported options:
.Bl -tag -width Ds
.It Xo
.Fl c Ar cachename
.Fl -cache= Ns Ar cachename
.Xc
.It Fl c Ar cachename Fl -cache= Ns Ar cachename
The credentials cache to put the acquired ticket in, if other than
default.
.It Xo
.Fl f
.Fl -no-forwardable
.Xc
.It Fl f Fl -no-forwardable
Get ticket that can be forwarded to another host, or if the negative
flags use, don't get a forwardable flag.
.It Xo
.Fl t Ar keytabname ,
.Fl -keytab= Ns Ar keytabname
.Xc
.It Fl t Ar keytabname , Fl -keytab= Ns Ar keytabname
Don't ask for a password, but instead get the key from the specified
keytab.
.It Xo
.Fl l Ar time ,
.Fl -lifetime= Ns Ar time
.Xc
.It Fl l Ar time , Fl -lifetime= Ns Ar time
Specifies the lifetime of the ticket.
The argument can either be in seconds, or a more human readable string
like
.Sq 1h .
.It Xo
.Fl p ,
.Fl -proxiable
.Xc
.It Fl p , Fl -proxiable
Request tickets with the proxiable flag set.
.It Xo
.Fl R ,
.Fl -renew
.Xc
.It Fl R , Fl -renew
Try to renew ticket.
The ticket must have the
.Sq renewable
@@ -139,46 +121,26 @@ flag set, and must not be expired.
The same as
.Fl -renewable-life ,
with an infinite time.
.It Xo
.Fl r Ar time ,
.Fl -renewable-life= Ns Ar time
.Xc
.It Fl r Ar time , Fl -renewable-life= Ns Ar time
The max renewable ticket life.
.It Xo
.Fl S Ar principal ,
.Fl -server= Ns Ar principal
.Xc
.It Fl S Ar principal , Fl -server= Ns Ar principal
Get a ticket for a service other than krbtgt/LOCAL.REALM.
.It Xo
.Fl s Ar time ,
.Fl -start-time= Ns Ar time
.Xc
.It Fl s Ar time , Fl -start-time= Ns Ar time
Obtain a ticket that starts to be valid
.Ar time
(which can really be a generic time specification, like
.Sq 1h )
seconds into the future.
.It Xo
.Fl k ,
.Fl -use-keytab
.Xc
.It Fl k , Fl -use-keytab
The same as
.Fl -keytab ,
but with the default keytab name (normally
.Ar FILE:/etc/krb5.keytab ) .
.It Xo
.Fl v ,
.Fl -validate
.Xc
.It Fl v , Fl -validate
Try to validate an invalid ticket.
.It Xo
.Fl e ,
.Fl -enctypes= Ns Ar enctypes
.Xc
.It Fl e , Fl -enctypes= Ns Ar enctypes
Request tickets with this particular enctype.
.It Xo
.Fl -password-file= Ns Ar filename
.Xc
.It Fl -password-file= Ns Ar filename
read the password from the first line of
.Ar filename .
If the
@@ -186,15 +148,10 @@ If the
is
.Ar STDIN ,
the password will be read from the standard input.
.It Xo
.Fl -fcache-version= Ns Ar version-number
.Xc
.It Fl -fcache-version= Ns Ar version-number
Create a credentials cache of version
.Ar version-number .
.It Xo
.Fl a ,
.Fl -extra-addresses= Ns Ar enctypes
.Xc
.It Fl a , Fl -extra-addresses= Ns Ar enctypes
Adds a set of addresses that will, in addition to the systems local
addresses, be put in the ticket.
This can be useful if all addresses a client can use can't be
@@ -204,20 +161,13 @@ Also settable via
.Li libdefaults/extra_addresses
in
.Xr krb5.conf 5 .
.It Xo
.Fl A ,
.Fl -no-addresses
.Xc
.It Fl A , Fl -no-addresses
Request a ticket with no addresses.
.It Xo
.Fl -anonymous
.Xc
.It Fl -anonymous
Request an anonymous ticket (which means that the ticket will be
issued to an anonymous principal, typically
.Dq anonymous@REALM ) .
.It Xo
.Fl -enterprise
.Xc
.It Fl -enterprise
Parse principal as a enterprise (KRB5-NT-ENTERPRISE) name. Enterprise
names are email like principals that are stored in the name part of
the principal, and since there are two @ characters the parser needs


@@ -96,31 +96,31 @@ static struct getargs args[] = {
* 9:
*/
{ "afslog", 0 , arg_flag, &do_afslog,
NP_("obtain afs tokens", "") },
NP_("obtain afs tokens", ""), NULL },
{ "cache", 'c', arg_string, &cred_cache,
NP_("credentials cache", ""), "cachename" },
{ "forwardable", 0, arg_negative_flag, &forwardable_flag,
NP_("get tickets not forwardable", "")},
NP_("get tickets not forwardable", ""), NULL },
{ NULL, 'f', arg_flag, &forwardable_flag,
NP_("get forwardable tickets", "")},
NP_("get forwardable tickets", ""), NULL },
{ "keytab", 't', arg_string, &keytab_str,
NP_("keytab to use", ""), "keytabname" },
{ "lifetime", 'l', arg_string, &lifetime,
NP_("lifetime of tickets", ""), "time"},
NP_("lifetime of tickets", ""), "time" },
{ "proxiable", 'p', arg_flag, &proxiable_flag,
NP_("get proxiable tickets", "") },
NP_("get proxiable tickets", ""), NULL },
{ "renew", 'R', arg_flag, &renew_flag,
NP_("renew TGT", "") },
NP_("renew TGT", ""), NULL },
{ "renewable", 0, arg_flag, &renewable_flag,
NP_("get renewable tickets", "") },
NP_("get renewable tickets", ""), NULL },
{ "renewable-life", 'r', arg_string, &renew_life,
NP_("renewable lifetime of tickets", ""), "time" },
@@ -132,40 +132,40 @@ static struct getargs args[] = {
NP_("when ticket gets valid", ""), "time" },
{ "use-keytab", 'k', arg_flag, &use_keytab,
NP_("get key from keytab", "") },
NP_("get key from keytab", ""), NULL },
{ "validate", 'v', arg_flag, &validate_flag,
NP_("validate TGT", "") },
NP_("validate TGT", ""), NULL },
{ "enctypes", 'e', arg_strings, &etype_str,
NP_("encryption types to use", ""), "enctypes" },
{ "fcache-version", 0, arg_integer, &fcache_version,
NP_("file cache version to create", "") },
NP_("file cache version to create", ""), NULL },
{ "addresses", 'A', arg_negative_flag, &addrs_flag,
NP_("request a ticket with no addresses", "") },
NP_("request a ticket with no addresses", ""), NULL },
{ "extra-addresses",'a', arg_strings, &extra_addresses,
NP_("include these extra addresses", ""), "addresses" },
{ "anonymous", 0, arg_flag, &anonymous_flag,
NP_("request an anonymous ticket", "") },
NP_("request an anonymous ticket", ""), NULL },
{ "request-pac", 0, arg_flag, &pac_flag,
NP_("request a Windows PAC", "") },
NP_("request a Windows PAC", ""), NULL },
{ "password-file", 0, arg_string, &password_file,
NP_("read the password from a file", "") },
NP_("read the password from a file", ""), NULL },
{ "canonicalize",0, arg_flag, &canonicalize_flag,
NP_("canonicalize client principal", "") },
NP_("canonicalize client principal", ""), NULL },
{ "enterprise",0, arg_flag, &enterprise_flag,
NP_("parse principal as a KRB5-NT-ENTERPRISE name", "") },
NP_("parse principal as a KRB5-NT-ENTERPRISE name", ""), NULL },
#ifdef PKINIT
{ "pk-enterprise", 0, arg_flag, &pk_enterprise_flag,
NP_("use enterprise name from certificate", "") },
NP_("use enterprise name from certificate", ""), NULL },
{ "pk-user", 'C', arg_string, &pk_user_id,
NP_("principal's public/private/certificate identifier", ""), "id" },
@@ -174,7 +174,7 @@ static struct getargs args[] = {
NP_("directory with CA certificates", ""), "directory" },
{ "pk-use-enckey", 0, arg_flag, &pk_use_enckey,
NP_("Use RSA encrypted reply (instead of DH)", "") },
NP_("Use RSA encrypted reply (instead of DH)", ""), NULL },
#endif
#ifndef NO_NTLM
{ "ntlm-domain", 0, arg_string, &ntlm_domain,
@@ -182,19 +182,19 @@ static struct getargs args[] = {
#endif
{ "change-default", 0, arg_negative_flag, &switch_cache_flags,
NP_("switch the default cache to the new credentials cache", "") },
NP_("switch the default cache to the new credentials cache", ""), NULL },
{ "ok-as-delegate", 0, arg_flag, &ok_as_delegate_flag,
NP_("honor ok-as-delegate on tickets", "") },
NP_("honor ok-as-delegate on tickets", ""), NULL },
{ "use-referrals", 0, arg_flag, &use_referrals_flag,
NP_("only use referrals, no dns canalisation", "") },
NP_("only use referrals, no dns canalisation", ""), NULL },
{ "windows", 0, arg_flag, &windows_flag,
NP_("get windows behavior", "") },
NP_("get windows behavior", ""), NULL },
{ "version", 0, arg_flag, &version_flag },
{ "help", 0, arg_flag, &help_flag }
{ "version", 0, arg_flag, &version_flag, NULL, NULL },
{ "help", 0, arg_flag, &help_flag, NULL, NULL }
};
static void
@@ -357,7 +357,7 @@ get_new_tickets(krb5_context context,
char passwd[256];
krb5_deltat start_time = 0;
krb5_deltat renew = 0;
char *renewstr = NULL;
const char *renewstr = NULL;
krb5_enctype *enctype = NULL;
krb5_ccache tempccache;
#ifndef NO_NTLM


@@ -60,27 +60,14 @@ known as the ticket file).
.Pp
Options supported:
.Bl -tag -width Ds
.It Xo
.Fl c Ar cache ,
.Fl -cache= Ns Ar cache
.Xc
.It Fl c Ar cache , Fl -cache= Ns Ar cache
credential cache to list
.It Xo
.Fl s ,
.Fl t ,
.Fl -test
.Xc
.It Fl s , Fl t , Fl -test
Test for there being an active and valid TGT for the local realm of
the user in the credential cache.
.It Xo
.Fl T ,
.Fl -tokens
.Xc
.It Fl T , Fl -tokens
display AFS tokens
.It Xo
.Fl 5 ,
.Fl -v5
.Xc
.It Fl 5 , Fl -v5
display v5 cred cache (this is the default)
.It Fl f
Include ticket flags in short form, each character stands for a
@@ -113,10 +100,7 @@ hardware authenticated
This information is also output with the
.Fl -verbose
option, but in a more verbose way.
.It Xo
.Fl v ,
.Fl -verbose
.Xc
.It Fl v , Fl -verbose
Verbose output. Include all possible information:
.Bl -tag -width XXXX -offset indent
.It Server
@@ -141,10 +125,7 @@ the flags set on the ticket
.It Addresses
the set of addresses from which this ticket is valid
.El
.It Xo
.Fl l ,
.Fl -list-caches
.Xc
.It Fl l , Fl -list-caches
List the credential caches for the current users, not all cache types
supports listing multiple caches.
.Pp


@@ -39,21 +39,29 @@
#include "kcc-commands.h"
static char*
printable_time(time_t t)
printable_time_internal(time_t t, int x)
{
static char s[128];
strlcpy(s, ctime(&t)+ 4, sizeof(s));
s[15] = 0;
char *p;
if ((p = ctime(&t)) == NULL)
strlcpy(s, "?", sizeof(s));
else
strlcpy(s, p + 4, sizeof(s));
s[x] = 0;
return s;
}
static char*
printable_time(time_t t)
{
return printable_time_internal(t, 20);
}
static char*
printable_time_long(time_t t)
{
static char s[128];
strlcpy(s, ctime(&t)+ 4, sizeof(s));
s[20] = 0;
return s;
return printable_time_internal(t, 20);
}
#define COL_ISSUED NP_(" Issued","")
@@ -124,7 +132,7 @@ print_cred(krb5_context context, krb5_creds *cred, rtbl_t ct, int do_flags)
static void
print_cred_verbose(krb5_context context, krb5_creds *cred)
{
int j;
size_t j;
char *str;
krb5_error_code ret;
krb5_timestamp sec;
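Review bot: printable_time now calls `printable_time_internal(t, 20)`, the same cut-off as printable_time_long, whereas the body it replaced truncated at `s[15] = 0`; the short form has silently become the long form, which looks like a copy-paste slip — `return printable_time_internal(t, 15);`. The NULL check on `ctime` is a good addition; when it fires, `s[x] = 0` writes past the `"?"` but stays inside the 128-byte buffer. Both wrappers hand back a pointer into one static buffer, so a caller must consume the first result before asking for the second; that was already true, but a comment on printable_time_internal would make it explicit.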


@@ -35,11 +35,11 @@
#include "kcc-commands.h"
#ifdef HAVE_READLINE
char *readline(char *prompt);
char *readline(const char *prompt);
#else
static char *
readline(char *prompt)
readline(const char *prompt)
{
char buf[BUFSIZ];
printf ("%s", prompt);


@@ -43,7 +43,7 @@ dir_dce = kdfs
dir_hcrypto = hcrypto
!endif
SUBDIRS = vers editline com_err sl wind asn1 sqlite \
SUBDIRS = vers libedit com_err sl wind asn1 sqlite \
$(dir_hcrypto) hx509 krb5 heimdal ntlm kafs gssapi hdb \
kadm5 $(dir_45) $(dir_otp) $(dir_dce) ..\packages\windows\assembly


@@ -41,9 +41,8 @@
#include <err.h>
#include <der.h>
RCSID("$Id$");
static int indent_flag = 1;
static int inner_flag = 0;
static unsigned long indefinite_form_loop;
static unsigned long indefinite_form_loop_max = 10000;
@@ -167,17 +166,39 @@ loop (unsigned char *buf, size_t len, int indent)
}
case UT_OctetString : {
heim_octet_string str;
int i;
unsigned char *uc;
size_t i;
ret = der_get_octet_string (buf, length, &str, NULL);
if (ret)
errx (1, "der_get_octet_string: %s", error_message (ret));
printf ("(length %lu), ", (unsigned long)length);
uc = (unsigned char *)str.data;
for (i = 0; i < min(16,length); ++i)
printf ("%02x", uc[i]);
printf ("\n");
if (inner_flag) {
Der_class class;
Der_type type;
unsigned int tag;
ret = der_get_tag(str.data, str.length,
&class, &type, &tag, &sz);
if (ret || sz > str.length ||
type != CONS || tag != UT_Sequence)
goto just_an_octet_string;
printf("{\n");
loop (str.data, str.length, indent + 2);
for (i = 0; i < indent; ++i)
printf (" ");
printf ("}\n");
} else {
unsigned char *uc;
just_an_octet_string:
uc = (unsigned char *)str.data;
for (i = 0; i < min(16,length); ++i)
printf ("%02x", uc[i]);
printf ("\n");
}
free (str.data);
break;
}
@@ -295,6 +316,7 @@ static int version_flag;
static int help_flag;
struct getargs args[] = {
{ "indent", 0, arg_negative_flag, &indent_flag },
{ "inner", 0, arg_flag, &inner_flag, "try to parse inner structures of OCTET STRING" },
{ "version", 0, arg_flag, &version_flag },
{ "help", 0, arg_flag, &help_flag }
};
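Review bot: `for (i = 0; i < indent; ++i)` in the new inner-parsing branch compares the now-`size_t` `i` with the `int indent` parameter, which is exactly the sign-compare warning this merge removes elsewhere; `for (i = 0; i < (size_t)indent; ++i)` or a separate `int` counter fixes it. The new `{ "inner", ... }` getargs entry and its neighbours also lack the trailing `NULL` fields the other tables in this merge gained. The recursive `loop(str.data, str.length, indent + 2)` call makes nesting depth depend only on the input, as the existing constructed-type recursion presumably already does; a depth bound in loop would be a cheap guard for a tool that is pointed at arbitrary files. `sz` is not declared in the hunk, so its type and scope are inferred.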


@@ -1249,6 +1249,34 @@ check_seq_of_size(void)
return 0;
}
static int
check_TESTMechTypeList(void)
{
TESTMechTypeList tl;
unsigned oid1[] = { 1, 2, 840, 48018, 1, 2, 2};
TESTMechType t1 = { 7, oid1 };
unsigned oid2[] = { 1, 2, 840, 113554, 1, 2, 2};
TESTMechType t2 = { 7, oid2 };
unsigned oid3[] = { 1, 3, 6, 1, 4, 1, 311, 2, 2, 30};
TESTMechType t3 = { 10, oid3 };
unsigned oid4[] = { 1, 3, 6, 1, 4, 1, 311, 2, 2, 10};
TESTMechType t4 = { 10, oid4 };
TESTMechType array[4] = { t1, t2, t3, t4 };
size_t size, len;
void *ptr;
int ret;
tl.len = 4;
tl.val = array;
ASN1_MALLOC_ENCODE(TESTMechTypeList, ptr, len, &tl, &size, ret);
if (ret)
errx(1, "TESTMechTypeList: %d", ret);
if (len != size)
abort();
return 0;
}
int
main(int argc, char **argv)
{
@@ -1278,5 +1306,7 @@ main(int argc, char **argv)
ret += check_seq();
ret += check_seq_of_size();
ret += check_TESTMechTypeList();
return ret;
}
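Review bot: check_TESTMechTypeList never frees the encoded buffer `ptr`, so a `free(ptr);` before `return 0;` is needed to keep the test leak-clean. The test also stops at `len != size`; decoding the buffer back with the generated decoder and comparing the four OIDs (der_heim_oid_cmp, if TESTMechType is the heim_oid typedef) would actually exercise the SEQUENCE OF encoding, as the sibling check_* tests presumably do. Mixing `errx` for the encode failure with a bare `abort()` for the length mismatch is inconsistent; `errx(1, "TESTMechTypeList: len %lu != size %lu", (unsigned long)len, (unsigned long)size)` reports the values as well.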


@@ -108,7 +108,7 @@ int
der_print_heim_oid (const heim_oid *oid, char delim, char **str)
{
struct rk_strpool *p = NULL;
int i;
size_t i;
if (oid->length == 0)
return EINVAL;


@@ -141,9 +141,9 @@ der_get_general_string (const unsigned char *p, size_t len,
* an strings in the NEED_PREAUTH case that includes a
* trailing NUL.
*/
while (p1 - p < len && *p1 == '\0')
while ((size_t)(p1 - p) < len && *p1 == '\0')
p1++;
if (p1 - p != len)
if ((size_t)(p1 - p) != len)
return ASN1_BAD_CHARACTER;
}
if (len > len + 1)


@@ -86,7 +86,7 @@ static size_t
len_oid (const heim_oid *oid)
{
size_t ret = 1;
int n;
size_t n;
for (n = 2; n < oid->length; ++n) {
unsigned u = oid->components[n];


@@ -433,7 +433,8 @@ _heim_time2generalizedtime (time_t t, heim_octet_string *s, int gtimep)
if (s->data == NULL)
return ENOMEM;
s->length = len;
_der_gmtime(t, &tm);
if (_der_gmtime(t, &tm) == NULL)
return ASN1_BAD_TIMEFORMAT;
if (gtimep)
snprintf (s->data, len + 1, "%04d%02d%02d%02d%02d%02dZ",
tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday,
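Review bot: The new `return ASN1_BAD_TIMEFORMAT` on `_der_gmtime` failure happens after `s->data` has been allocated (the `ENOMEM` check and `s->length = len` two lines above), so the early return leaks that buffer and hands the caller a `heim_octet_string` that still points at it. Either release it first, `free(s->data); s->data = NULL; s->length = 0;`, or move the `_der_gmtime` call ahead of the allocation so there is nothing to undo. _heim_time2generalizedtime begins outside the hunk, so check that no other cleanup path already covers this.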


@@ -209,7 +209,8 @@ range_check(const char *name,
static int
decode_type (const char *name, const Type *t, int optional,
const char *forwstr, const char *tmpstr, const char *dertype)
const char *forwstr, const char *tmpstr, const char *dertype,
size_t depth)
{
switch (t->type) {
case TType: {
@@ -328,7 +329,8 @@ decode_type (const char *name, const Type *t, int optional,
if (asprintf (&s, "%s(%s)->%s", m->optional ? "" : "&",
name, m->gen_name) < 0 || s == NULL)
errx(1, "malloc");
decode_type (s, m->type, m->optional, forwstr, m->gen_name, NULL);
decode_type (s, m->type, m->optional, forwstr, m->gen_name, NULL,
depth + 1);
free (s);
}
@@ -369,7 +371,7 @@ decode_type (const char *name, const Type *t, int optional,
"%s = calloc(1, sizeof(*%s));\n"
"if (%s == NULL) { e = ENOMEM; %s; }\n",
s, s, s, forwstr);
decode_type (s, m->type, 0, forwstr, m->gen_name, NULL);
decode_type (s, m->type, 0, forwstr, m->gen_name, NULL, depth + 1);
free (s);
fprintf(codefile, "members |= (1 << %d);\n", memno);
@@ -442,7 +444,7 @@ decode_type (const char *name, const Type *t, int optional,
errx(1, "malloc");
if (asprintf (&sname, "%s_s_of", tmpstr) < 0 || sname == NULL)
errx(1, "malloc");
decode_type (n, t->subtype, 0, forwstr, sname, NULL);
decode_type (n, t->subtype, 0, forwstr, sname, NULL, depth + 1);
fprintf (codefile,
"(%s)->len++;\n"
"len = %s_origlen - ret;\n"
@@ -480,7 +482,7 @@ decode_type (const char *name, const Type *t, int optional,
tmpstr, tmpstr, typestring);
if(support_ber)
fprintf(codefile,
"int is_indefinite;\n");
"int is_indefinite%zu;\n", depth);
fprintf(codefile, "e = der_match_tag_and_length(p, len, %s, &%s, %s, "
"&%s_datalen, &l);\n",
@@ -516,20 +518,20 @@ decode_type (const char *name, const Type *t, int optional,
tmpstr);
if(support_ber)
fprintf (codefile,
"if((is_indefinite = _heim_fix_dce(%s_datalen, &len)) < 0)\n"
"if((is_indefinite%zu = _heim_fix_dce(%s_datalen, &len)) < 0)\n"
"{ e = ASN1_BAD_FORMAT; %s; }\n"
"if (is_indefinite) { if (len < 2) { e = ASN1_OVERRUN; %s; } len -= 2; }",
tmpstr, forwstr, forwstr);
"if (is_indefinite%zu) { if (len < 2) { e = ASN1_OVERRUN; %s; } len -= 2; }",
depth, tmpstr, forwstr, depth, forwstr);
else
fprintf(codefile,
"if (%s_datalen > len) { e = ASN1_OVERRUN; %s; }\n"
"len = %s_datalen;\n", tmpstr, forwstr, tmpstr);
if (asprintf (&tname, "%s_Tag", tmpstr) < 0 || tname == NULL)
errx(1, "malloc");
decode_type (name, t->subtype, 0, forwstr, tname, ide);
decode_type (name, t->subtype, 0, forwstr, tname, ide, depth + 1);
if(support_ber)
fprintf(codefile,
"if(is_indefinite){\n"
"if(is_indefinite%zu){\n"
"len += 2;\n"
"e = der_match_tag_and_length(p, len, "
"(Der_class)0, &%s, UT_EndOfContent, "
@@ -538,6 +540,7 @@ decode_type (const char *name, const Type *t, int optional,
"p += l; len -= l; ret += l;\n"
"if (%s != (Der_type)0) { e = ASN1_BAD_ID; %s; }\n"
"} else \n",
depth,
typestring,
tmpstr,
forwstr,
@@ -584,7 +587,8 @@ decode_type (const char *name, const Type *t, int optional,
if (asprintf (&s, "%s(%s)->u.%s", m->optional ? "" : "&",
name, m->gen_name) < 0 || s == NULL)
errx(1, "malloc");
decode_type (s, m->type, m->optional, forwstr, m->gen_name, NULL);
decode_type (s, m->type, m->optional, forwstr, m->gen_name, NULL,
depth + 1);
fprintf(codefile,
"(%s)->element = %s;\n",
name, m->label);
@@ -702,7 +706,7 @@ generate_type_decode (const Symbol *s)
fprintf (codefile, "\n");
fprintf (codefile, "memset(data, 0, sizeof(*data));\n"); /* hack to avoid `unused variable' */
decode_type ("data", s->type, 0, "goto fail", "Top", NULL);
decode_type ("data", s->type, 0, "goto fail", "Top", NULL, 1);
if (preserve)
fprintf (codefile,
"data->_save.data = calloc(1, ret);\n"


@@ -302,7 +302,7 @@ encode_type (const char *name, const Type *t, const char *tmpstr)
name, name);
fprintf(codefile,
"for(i = 0; i < (%s)->len; i++) {\n",
"for(i = 0; i < (int)(%s)->len; i++) {\n",
name);
fprintf(codefile,
@@ -326,7 +326,7 @@ encode_type (const char *name, const Type *t, const char *tmpstr)
fprintf(codefile,
"if (totallen > len) {\n"
"for (i = 0; i < (%s)->len; i++) {\n"
"for (i = 0; i < (int)(%s)->len; i++) {\n"
"free(val[i].data);\n"
"}\n"
"free(val);\n"
@@ -339,7 +339,7 @@ encode_type (const char *name, const Type *t, const char *tmpstr)
name);
fprintf (codefile,
"for(i = (%s)->len - 1; i >= 0; --i) {\n"
"for(i = (int)(%s)->len - 1; i >= 0; --i) {\n"
"p -= val[i].length;\n"
"ret += val[i].length;\n"
"memcpy(p + 1, val[i].data, val[i].length);\n"
@@ -355,7 +355,7 @@ encode_type (const char *name, const Type *t, const char *tmpstr)
char *n = NULL;
fprintf (codefile,
"for(i = (%s)->len - 1; i >= 0; --i) {\n"
"for(i = (int)(%s)->len - 1; i >= 0; --i) {\n"
"size_t %s_for_oldret = ret;\n"
"ret = 0;\n",
name, tmpstr);
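Review bot: The `(int)` cast on `(%s)->len` in the four generated loops silently narrows the element count; if the `len` field is an unsigned type (the struct is not visible here), a count above INT_MAX becomes negative, the forward loops encode nothing and the countdown loops start from a negative index, with no error reported. An explicit range check against INT_MAX in the generated code, or a `size_t` index for the two forward loops with the cast kept only where the countdown needs a signed index, would make the truncation visible instead of silent. encode_type starts and ends outside these hunks.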


@@ -132,4 +132,7 @@ TESTBitString ::= BIT STRING {
thirtyone(31)
}
TESTMechType::= OBJECT IDENTIFIER
TESTMechTypeList ::= SEQUENCE OF TESTMechType
END


@@ -56,13 +56,13 @@ time_t
_der_timegm (struct tm *tm)
{
time_t res = 0;
unsigned i;
int i;
if (tm->tm_year < 0)
return -1;
if (tm->tm_mon < 0 || tm->tm_mon > 11)
return -1;
if (tm->tm_mday < 1 || tm->tm_mday > ndays[is_leap(tm->tm_year)][tm->tm_mon])
if (tm->tm_mday < 1 || tm->tm_mday > (int)ndays[is_leap(tm->tm_year)][tm->tm_mon])
return -1;
if (tm->tm_hour < 0 || tm->tm_hour > 23)
return -1;
@@ -98,6 +98,14 @@ _der_gmtime(time_t t, struct tm *tm)
tm->tm_min = (secday % 3600) / 60;
tm->tm_hour = secday / 3600;
/*
* Refuse to calculate time ~ 2000 years into the future, this is
* not possible for systems where time_t is a int32_t, however,
* when time_t is a int64_t, that can happen.
*/
if (days > 356000)
return NULL;
tm->tm_year = 70;
while(1) {
unsigned dayinyear = (is_leap(tm->tm_year) ? 366 : 365);
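Review bot: The new guard `if (days > 356000) return NULL;` does not match its own comment: 356000 days is roughly 975 years, while the comment says about 2000 years, so one of the two should be corrected. Naming the bound makes the intent checkable, e.g. `#define DER_GMTIME_MAX_DAYS 356000 /* ~975 years past 1970 */` (constructed name) and `if (days > DER_GMTIME_MAX_DAYS)`. Whether `days` can be negative at this point is not visible in the hunk; if a pre-1970 time_t can reach `_der_gmtime`, the year loop below would need a lower bound as well. `_der_gmtime` starts and ends outside the hunk.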


@@ -110,7 +110,7 @@ while(<>) {
printf "#define $name (&$store)\n\n";
} else {
printf "/* $name - $oid */\n";
printf "gss_OID_desc GSSAPI_LIB_VARIABLE $store = { $length, \"$data\" };\n\n";
printf "gss_OID_desc GSSAPI_LIB_VARIABLE $store = { $length, rk_UNCONST(\"$data\") };\n\n";
}
} elsif (/^desc\s+([\w]+)\s+(\w+)\s+(\"[^\"]*\")\s+(\"[^\"]*\")/) {
my ($type, $oid, $short, $long) = ($1, $2, $3, $4);


@@ -513,7 +513,7 @@ In GSS-API an contiguous string name is stored in a
.Dv gss_buffer_t .
.Pp
Exported names also have the property that they are specified by the
mechanism itself and compatible between diffrent GSS-API
mechanism itself and compatible between different GSS-API
implementations.
.El
.Sh ACCESS CONTROL


@@ -53,57 +53,52 @@ These functions constitute the gssapi library,
.Em libgssapi .
Declarations for these functions may be obtained from the include file
.Pa gssapi.h .
.sp 2
.nf
.ta \w'gss_inquire_names_for_mech'u+2n +\w'Description goes here'u
\fIName/Page\fP \fIDescription\fP
.ta \w'gss_inquire_names_for_mech'u+2n +\w'Description goes here'u+6nC
.sp 5p
gss_accept_sec_context.3
gss_acquire_cred.3
gss_add_cred.3
gss_add_oid_set_member.3
gss_canonicalize_name.3
gss_compare_name.3
gss_context_time.3
gss_create_empty_oid_set.3
gss_delete_sec_context.3
gss_display_name.3
gss_display_status.3
gss_duplicate_name.3
gss_export_name.3
gss_export_sec_context.3
gss_get_mic.3
gss_import_name.3
gss_import_sec_context.3
gss_indicate_mechs.3
gss_init_sec_context.3
gss_inquire_context.3
gss_inquire_cred.3
gss_inquire_cred_by_mech.3
gss_inquire_mechs_for_name.3
gss_inquire_names_for_mech.3
gss_krb5_ccache_name.3
gss_krb5_compat_des3_mic.3
gss_krb5_copy_ccache.3
gss_krb5_extract_authz_data_from_sec_context.3
gss_krb5_import_ccache.3
gss_process_context_token.3
gss_release_buffer.3
gss_release_cred.3
gss_release_name.3
gss_release_oid_set.3
gss_seal.3
gss_sign.3
gss_test_oid_set_member.3
gss_unseal.3
gss_unwrap.3
gss_verify.3
gss_verify_mic.3
gss_wrap.3
gss_wrap_size_limit.3
.ta
.Fi
.Bl -column -compact
.It Sy Name/Page
.It Xr gss_accept_sec_context 3
.It Xr gss_acquire_cred 3
.It Xr gss_add_cred 3
.It Xr gss_add_oid_set_member 3
.It Xr gss_canonicalize_name 3
.It Xr gss_compare_name 3
.It Xr gss_context_time 3
.It Xr gss_create_empty_oid_set 3
.It Xr gss_delete_sec_context 3
.It Xr gss_display_name 3
.It Xr gss_display_status 3
.It Xr gss_duplicate_name 3
.It Xr gss_export_name 3
.It Xr gss_export_sec_context 3
.It Xr gss_get_mic 3
.It Xr gss_import_name 3
.It Xr gss_import_sec_context 3
.It Xr gss_indicate_mechs 3
.It Xr gss_init_sec_context 3
.It Xr gss_inquire_context 3
.It Xr gss_inquire_cred 3
.It Xr gss_inquire_cred_by_mech 3
.It Xr gss_inquire_mechs_for_name 3
.It Xr gss_inquire_names_for_mech 3
.It Xr gss_krb5_ccache_name 3
.It Xr gss_krb5_compat_des3_mic 3
.It Xr gss_krb5_copy_ccache 3
.It Xr gss_krb5_extract_authz_data_from_sec_context 3
.It Xr gss_krb5_import_ccache 3
.It Xr gss_process_context_token 3
.It Xr gss_release_buffer 3
.It Xr gss_release_cred 3
.It Xr gss_release_name 3
.It Xr gss_release_oid_set 3
.It Xr gss_seal 3
.It Xr gss_sign 3
.It Xr gss_test_oid_set_member 3
.It Xr gss_unseal 3
.It Xr gss_unwrap 3
.It Xr gss_verify 3
.It Xr gss_verify_mic 3
.It Xr gss_wrap 3
.It Xr gss_wrap_size_limit 3
.El
.Sh COMPATIBILITY
The
.Nm Heimdal
@@ -147,7 +142,7 @@ the later will override.
.Pp
This config option modifies behaviour for both clients and servers.
.Pp
Microsoft implemented SPNEGO to Windows2000, however, they manage to
Microsoft implemented SPNEGO to Windows2000, however, they managed to
get it wrong, their implementation didn't fill in the MechListMIC in
the reply token with the right content.
There is a work around for this problem, but not all implementation


@@ -132,7 +132,7 @@ supported_mechanisms(void *argptr, int argc, char **argv)
return 0;
}
void static
static void
print_mech_attr(const char *mechname, gss_const_OID mech, gss_OID_set set)
{
gss_buffer_desc name, desc;


@@ -55,11 +55,13 @@ validate_keytab(krb5_context context, const char *name, krb5_keytab *id)
}
OM_uint32
_gsskrb5_register_acceptor_identity (const char *identity)
_gsskrb5_register_acceptor_identity(OM_uint32 *min_stat, const char *identity)
{
krb5_context context;
krb5_error_code ret;
*min_stat = 0;
ret = _gsskrb5_init(&context);
if(ret)
return GSS_S_FAILURE;
@@ -92,8 +94,10 @@ _gsskrb5_register_acceptor_identity (const char *identity)
}
}
HEIMDAL_MUTEX_unlock(&gssapi_keytab_mutex);
if(ret)
if(ret) {
*min_stat = ret;
return GSS_S_FAILURE;
}
return GSS_S_COMPLETE;
}
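Review bot: In `_gsskrb5_register_acceptor_identity` the new `*min_stat` output is filled only on the second failure path; when `_gsskrb5_init` fails the function still returns `GSS_S_FAILURE` with `*min_stat` left at 0, so the caller sees a failure with no minor code. Handle it the same way as the later branch: `if (ret) { *min_stat = ret; return GSS_S_FAILURE; }`. The middle of the function, including the mutex-protected section, is outside the hunk.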


@@ -255,7 +255,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
const gss_buffer_t token_buffer,
gss_qop_t * qop_state,
krb5_keyblock *key,
char *type)
const char *type)
{
krb5_error_code ret;
uint32_t seq_number;
@@ -270,7 +270,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
p = token_buffer->value;
omret = _gsskrb5_verify_header (&p,
token_buffer->length,
(u_char *)type,
type,
GSS_KRB5_MECHANISM);
if (omret)
return omret;


@@ -285,7 +285,8 @@ _gssapi_wrap_cfx_iov(OM_uint32 *minor_status,
gss_iov_buffer_desc *header, *trailer, *padding;
size_t gsshsize, k5hsize;
size_t gsstsize, k5tsize;
size_t i, rrc = 0, ec = 0;
size_t rrc = 0, ec = 0;
int i;
gss_cfx_wrap_token token;
krb5_error_code ret;
int32_t seq_number;
@@ -424,6 +425,9 @@ _gssapi_wrap_cfx_iov(OM_uint32 *minor_status,
token->Flags = 0;
token->Filler = 0xFF;
if ((ctx->more_flags & LOCAL) == 0)
token->Flags |= CFXSentByAcceptor;
if (ctx->more_flags & ACCEPTOR_SUBKEY)
token->Flags |= CFXAcceptorSubkey;
@@ -666,7 +670,7 @@ unrotate_iov(OM_uint32 *minor_status, size_t rrc, gss_iov_buffer_desc *iov, int
q += iov[i].buffer.length;
}
}
assert((q - p) == len);
assert((size_t)(q - p) == len);
/* unrotate first part */
q = p + rrc;
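Review bot: The `(size_t)` cast keeps the comparison in `unrotate_iov` warning-free, but the check remains an `assert`, which is compiled out under NDEBUG. If `len` and the iov buffer lengths here derive from a received wrap token (the start of `unrotate_iov` is outside the hunk, so I cannot confirm where they originate), a mismatch is an input-validation failure rather than a programming error and should be reported, e.g. `if ((size_t)(q - p) != len) { *minor_status = EINVAL; return GSS_S_DEFECTIVE_TOKEN; }`, if the function's return type allows it. The `i` type change in `_gsskrb5_wrap_cfx_iov` is presumably driven by an `int iov_count` parameter not shown here.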


@@ -180,7 +180,7 @@ static gss_mo_desc krb5_mo[] = {
GSS_C_MA_SASL_MECH_NAME,
GSS_MO_MA,
"SASL mech name",
"GS2-KRB5",
rk_UNCONST("GS2-KRB5"),
_gss_mo_get_ctx_as_string,
NULL
},
@@ -188,7 +188,7 @@ static gss_mo_desc krb5_mo[] = {
GSS_C_MA_MECH_NAME,
GSS_MO_MA,
"Mechanism name",
"KRB5",
rk_UNCONST("KRB5"),
_gss_mo_get_ctx_as_string,
NULL
},
@@ -196,7 +196,7 @@ static gss_mo_desc krb5_mo[] = {
GSS_C_MA_MECH_DESCRIPTION,
GSS_MO_MA,
"Mechanism description",
"Heimdal Kerberos 5 mech",
rk_UNCONST("Heimdal Kerberos 5 mech"),
_gss_mo_get_ctx_as_string,
NULL
},
@@ -214,19 +214,19 @@ static gss_mo_desc krb5_mo[] = {
},
{
GSS_C_MA_AUTH_TARG,
GSS_MO_MA
.flags = GSS_MO_MA
},
{
GSS_C_MA_AUTH_INIT_ANON,
GSS_MO_MA
.flags = GSS_MO_MA
},
{
GSS_C_MA_DELEG_CRED,
GSS_MO_MA
.flags = GSS_MO_MA
},
{
GSS_C_MA_INTEG_PROT,
GSS_MO_MA
.flags = GSS_MO_MA
},
{
GSS_C_MA_CONF_PROT,
@@ -273,7 +273,7 @@ static gss_mo_desc krb5_mo[] = {
static gssapi_mech_interface_desc krb5_mech = {
GMI_VERSION,
"kerberos 5",
{9, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" },
{9, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02") },
0,
_gsskrb5_acquire_cred,
_gsskrb5_release_cred,
@@ -323,7 +323,13 @@ static gssapi_mech_interface_desc krb5_mech = {
NULL,
NULL,
krb5_mo,
sizeof(krb5_mo) / sizeof(krb5_mo[0])
sizeof(krb5_mo) / sizeof(krb5_mo[0]),
NULL,
NULL,
NULL,
NULL,
NULL,
NULL,
};
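Review bot: The `krb5_mo` entries now mix positional and designated initializers within one element (`GSS_C_MA_AUTH_TARG, .flags = GSS_MO_MA`), and `krb5_mech` gains six bare trailing `NULL`s whose meaning depends on counting fields in `gssapi_mech_interface_desc`. Both are legal C99, but designating every member of those elements (the OID field as well as `.flags`) and naming the six new function-pointer slots by member would keep the tables readable and protect against silent mis-positioning if the struct layout changes. A one-line comment above the six `NULL`s naming the interface slots they leave unimplemented would help until then.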
gssapi_mech_interface


@@ -422,11 +422,6 @@ init_auth
goto failure;
}
ret = _gss_DES3_get_mic_compat(minor_status, ctx, context);
if (ret)
goto failure;
/*
* This is hideous glue for (NFS) clients that wants to limit the
* available enctypes to what it can support (encryption in
@@ -469,6 +464,10 @@ init_auth
ctx->lifetime = ctx->kcred->times.endtime;
ret = _gss_DES3_get_mic_compat(minor_status, ctx, context);
if (ret)
goto failure;
ret = _gsskrb5_lifetime_left(minor_status,
context,
ctx->lifetime,
@@ -676,7 +675,8 @@ init_auth_restart
output_token->length = outbuf.length;
} else {
ret = _gsskrb5_encapsulate (minor_status, &outbuf, output_token,
(u_char *)"\x01\x00", GSS_KRB5_MECHANISM);
(u_char *)(intptr_t)"\x01\x00",
GSS_KRB5_MECHANISM);
krb5_data_free (&outbuf);
if (ret)
goto failure;
@@ -911,20 +911,20 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_init_sec_context
return GSS_S_BAD_MECH;
if (input_token == GSS_C_NO_BUFFER || input_token->length == 0) {
OM_uint32 ret;
OM_uint32 ret1;
if (*context_handle != GSS_C_NO_CONTEXT) {
*minor_status = 0;
return GSS_S_FAILURE | GSS_S_CALL_BAD_STRUCTURE;
}
ret = _gsskrb5_create_ctx(minor_status,
ret1 = _gsskrb5_create_ctx(minor_status,
context_handle,
context,
input_chan_bindings,
INITIATOR_START);
if (ret)
return ret;
if (ret1)
return ret1;
}
if (*context_handle == GSS_C_NO_CONTEXT) {
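Review bot: `(u_char *)(intptr_t)"\x01\x00"` in `init_auth_restart` strips the const from a string literal by way of an integer, which hides the conversion from both the compiler and a grep; elsewhere in this same commit the same need is met with `rk_UNCONST(...)`, so `rk_UNCONST("\x01\x00")` would be consistent, if `_gsskrb5_encapsulate`'s parameter type accepts it. The `ret` to `ret1` rename in `_gsskrb5_init_sec_context` removes a shadowed variable, which is good; a short comment such as `/* ret1: local status, distinct from the enclosing ret */` would explain the unusual name. Both functions start and end outside the hunks.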


@@ -47,18 +47,21 @@ _gsskrb5_pseudo_random(OM_uint32 *minor_status,
krb5_crypto crypto;
krb5_data input, output;
uint32_t num;
OM_uint32 junk;
unsigned char *p;
krb5_keyblock *key = NULL;
size_t dol;
if (ctx == NULL) {
*minor_status = 0;
return GSS_S_NO_CONTEXT;
}
if (desired_output_len <= 0) {
if (desired_output_len <= 0 || prf_in->length + 4 < prf_in->length) {
*minor_status = 0;
return GSS_S_FAILURE;
}
dol = desired_output_len;
GSSAPI_KRB5_INIT (&context);
@@ -88,21 +91,20 @@ _gsskrb5_pseudo_random(OM_uint32 *minor_status,
return GSS_S_FAILURE;
}
prf_out->value = malloc(desired_output_len);
prf_out->value = malloc(dol);
if (prf_out->value == NULL) {
_gsskrb5_set_status(GSS_KRB5_S_KG_INPUT_TOO_LONG, "Out of memory");
*minor_status = GSS_KRB5_S_KG_INPUT_TOO_LONG;
krb5_crypto_destroy(context, crypto);
return GSS_S_FAILURE;
}
prf_out->length = desired_output_len;
prf_out->length = dol;
HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex);
input.length = prf_in->length + 4;
input.data = malloc(prf_in->length + 4);
if (input.data == NULL) {
OM_uint32 junk;
_gsskrb5_set_status(GSS_KRB5_S_KG_INPUT_TOO_LONG, "Out of memory");
*minor_status = GSS_KRB5_S_KG_INPUT_TOO_LONG;
gss_release_buffer(&junk, prf_out);
@@ -110,15 +112,17 @@ _gsskrb5_pseudo_random(OM_uint32 *minor_status,
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
return GSS_S_FAILURE;
}
memcpy(((unsigned char *)input.data) + 4, prf_in->value, prf_in->length);
memcpy(((uint8_t *)input.data) + 4, prf_in->value, prf_in->length);
num = 0;
p = prf_out->value;
while(desired_output_len > 0) {
while(dol > 0) {
size_t tsize;
_gsskrb5_encode_om_uint32(num, input.data);
ret = krb5_crypto_prf(context, crypto, &input, &output);
if (ret) {
OM_uint32 junk;
*minor_status = ret;
free(input.data);
gss_release_buffer(&junk, prf_out);
@@ -126,9 +130,11 @@ _gsskrb5_pseudo_random(OM_uint32 *minor_status,
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
return GSS_S_FAILURE;
}
memcpy(p, output.data, min(desired_output_len, output.length));
tsize = min(dol, output.length);
memcpy(p, output.data, tsize);
p += output.length;
desired_output_len -= output.length;
dol -= tsize;
krb5_data_free(&output);
num++;
}
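Review bot: In the output loop of `_gsskrb5_pseudo_random` the copy is now bounded by `tsize`, but `p` still advances by `output.length`; on the final iteration this can move `p` past the end of the `dol`-byte allocation, which is undefined pointer arithmetic even though `p` is not dereferenced afterwards. Advance by the bytes actually written: `p += tsize;`. The new `prf_in->length + 4 < prf_in->length` check catches the size_t wrap before `malloc(prf_in->length + 4)`, which is the right place for it.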


@@ -52,7 +52,8 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_process_context_token (
(gsskrb5_ctx)context_handle,
context,
token_buffer, &empty_buffer,
GSS_C_QOP_DEFAULT, "\x01\x02");
GSS_C_QOP_DEFAULT,
"\x01\x02");
if (ret == GSS_S_COMPLETE)
ret = _gsskrb5_delete_sec_context(minor_status,


@@ -141,7 +141,7 @@ OM_uint32
_gssapi_msg_order_check(struct gss_msg_order *o, OM_uint32 seq_num)
{
OM_uint32 r;
int i;
size_t i;
if (o == NULL)
return GSS_S_COMPLETE;


@@ -154,11 +154,10 @@ _gsskrb5_set_sec_context_option
if (maj_stat != GSS_S_COMPLETE)
return maj_stat;
_gsskrb5_register_acceptor_identity(str);
maj_stat = _gsskrb5_register_acceptor_identity(minor_status, str);
free(str);
*minor_status = 0;
return GSS_S_COMPLETE;
return maj_stat;
} else if (gss_oid_equal(desired_object, GSS_KRB5_SET_DEFAULT_REALM_X)) {
char *str;


@@ -54,7 +54,7 @@ unwrap_des
DES_key_schedule schedule;
DES_cblock deskey;
DES_cblock zero;
int i;
size_t i;
uint32_t seq_number;
size_t padlength;
OM_uint32 ret;


@@ -44,7 +44,7 @@ verify_mic_des
const gss_buffer_t token_buffer,
gss_qop_t * qop_state,
krb5_keyblock *key,
char *type
const char *type
)
{
u_char *p;
@@ -142,7 +142,7 @@ verify_mic_des3
const gss_buffer_t token_buffer,
gss_qop_t * qop_state,
krb5_keyblock *key,
char *type
const char *type
)
{
u_char *p;
@@ -276,7 +276,7 @@ _gsskrb5_verify_mic_internal
const gss_buffer_t message_buffer,
const gss_buffer_t token_buffer,
gss_qop_t * qop_state,
char * type
const char * type
)
{
krb5_keyblock *key;
@@ -348,7 +348,7 @@ _gsskrb5_verify_mic
(gsskrb5_ctx)context_handle,
context,
message_buffer, token_buffer,
qop_state, "\x01\x01");
qop_state, (void *)(intptr_t)"\x01\x01");
return ret;
}
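Review bot: `_gsskrb5_verify_mic_internal` now takes `const char * type`, so the call in `_gsskrb5_verify_mic` no longer needs a cast; `(void *)(intptr_t)"\x01\x01"` discards the const the commit just added and hides the conversion behind an integer. Pass the literal directly: `qop_state, "\x01\x01");`. The same cast pattern appears in the init_sec_context hunk of this commit.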


@@ -214,7 +214,7 @@ wrap_des
EVP_CIPHER_CTX des_ctx;
DES_cblock deskey;
DES_cblock zero;
int i;
size_t i;
int32_t seq_number;
size_t len, total_len, padlength, datalen;


@@ -46,7 +46,7 @@ gss_acquire_cred(OM_uint32 *minor_status,
struct _gss_cred *cred;
struct _gss_mechanism_cred *mc;
OM_uint32 min_time, cred_time;
int i;
size_t i;
*minor_status = 0;
if (output_cred_handle == NULL)


@@ -168,7 +168,7 @@ gss_release_iov_buffer(OM_uint32 *minor_status,
int iov_count)
{
OM_uint32 junk;
size_t i;
int i;
if (minor_status)
*minor_status = 0;


@@ -100,7 +100,7 @@ GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL
gss_release_buffer_set(OM_uint32 * minor_status,
gss_buffer_set_t *buffer_set)
{
int i;
size_t i;
OM_uint32 minor;
*minor_status = 0;


@@ -85,7 +85,7 @@ gss_export_cred(OM_uint32 * minor_status,
}
ret = krb5_storage_write(sp, buffer.value, buffer.length);
if (ret != buffer.length) {
if (ret < 0 || (size_t)ret != buffer.length) {
gss_release_buffer(minor_status, &buffer);
krb5_storage_free(sp);
*minor_status = EINVAL;


@@ -47,8 +47,10 @@ gss_get_name_attribute(OM_uint32 *minor_status,
struct _gss_mechanism_name *mn;
*minor_status = 0;
*authenticated = 0;
*complete = 0;
if (authenticated != NULL)
*authenticated = 0;
if (complete != NULL)
*complete = 0;
_mg_buffer_zero(value);
_mg_buffer_zero(display_value);


@@ -41,6 +41,7 @@ _gss_import_export_name(OM_uint32 *minor_status,
gssapi_mech_interface m;
struct _gss_name *name;
gss_name_t new_canonical_name;
int composite = 0;
*minor_status = 0;
*output_name = 0;
@@ -50,8 +51,17 @@ _gss_import_export_name(OM_uint32 *minor_status,
*/
if (len < 2)
return (GSS_S_BAD_NAME);
if (p[0] != 4 || p[1] != 1)
if (p[0] != 4)
return (GSS_S_BAD_NAME);
switch (p[1]) {
case 1: /* non-composite name */
break;
case 2: /* composite name */
composite = 1;
break;
default:
return (GSS_S_BAD_NAME);
}
p += 2;
len -= 2;
@@ -106,7 +116,7 @@ _gss_import_export_name(OM_uint32 *minor_status,
p += 4;
len -= 4;
if (len != t)
if (!composite && len != t)
return (GSS_S_BAD_NAME);
m = __gss_get_mechanism(&mech_oid);
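Review bot: For composite names (`p[1] == 2`) the relaxed check `if (!composite && len != t)` no longer guarantees that the mechanism-name length `t` read from the 4-byte header fits in the remaining `len` bytes; if the following bytes are handed to the mechanism with length `t` (the rest of `_gss_import_export_name` is outside the hunk, so I cannot confirm), an exported-name token with an oversized `t` would read past the buffer. Keep the upper bound for both forms: `if (len < t || (!composite && len != t)) return (GSS_S_BAD_NAME);`. A comment on the `case 2:` branch explaining why `len` is presumably allowed to exceed `t` for composite names would make the asymmetry deliberate rather than accidental.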


@@ -35,7 +35,7 @@ gss_indicate_mechs(OM_uint32 *minor_status,
struct _gss_mech_switch *m;
OM_uint32 major_status;
gss_OID_set set;
int i;
size_t i;
_gss_load_mech();


@@ -37,7 +37,7 @@ gss_inquire_context(OM_uint32 *minor_status,
gss_OID *mech_type,
OM_uint32 *ctx_flags,
int *locally_initiated,
int *open)
int *xopen)
{
OM_uint32 major_status;
struct _gss_context *ctx = (struct _gss_context *) context_handle;
@@ -47,8 +47,8 @@ gss_inquire_context(OM_uint32 *minor_status,
if (locally_initiated)
*locally_initiated = 0;
if (open)
*open = 0;
if (xopen)
*xopen = 0;
if (lifetime_rec)
*lifetime_rec = 0;
@@ -68,7 +68,7 @@ gss_inquire_context(OM_uint32 *minor_status,
mech_type,
ctx_flags,
locally_initiated,
open);
xopen);
if (major_status != GSS_S_COMPLETE) {
_gss_mg_error(m, major_status, *minor_status);


@@ -52,7 +52,7 @@ gss_inquire_cred_by_oid (OM_uint32 *minor_status,
HEIM_SLIST_FOREACH(mc, &cred->gc_mc, gmc_link) {
gss_buffer_set_t rset = GSS_C_NO_BUFFER_SET;
int i;
size_t i;
m = mc->gmc_mech;
if (m == NULL) {
