From 988355d9d0d1953e8c17c4b5c935938573efe4ba Mon Sep 17 00:00:00 2001 From: Derrick Brashear Date: Sun, 10 Apr 2011 21:49:48 +0100 Subject: [PATCH 01/42] roken: Make tsearch build on windows no sys/cdefs.h on windows --- lib/roken/search.hin | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lib/roken/search.hin b/lib/roken/search.hin index 9e45c2a9e..b4edcffbb 100644 --- a/lib/roken/search.hin +++ b/lib/roken/search.hin @@ -18,7 +18,9 @@ #endif #endif +#ifndef _WIN32 #include +#endif #include typedef enum { From fedd232ee46a87bb505c16f35672acc6e3e465d9 Mon Sep 17 00:00:00 2001 From: Luke Howard Date: Mon, 11 Apr 2011 05:27:45 +0200 Subject: [PATCH 02/42] update PADL copyright information --- doc/copyright.texi | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/doc/copyright.texi b/doc/copyright.texi index 563493e3c..1f734ab6c 100644 --- a/doc/copyright.texi +++ b/doc/copyright.texi @@ -209,13 +209,14 @@ SUCH DAMAGE. @heading PADL Software Pty Ltd @table @asis -@item CFX implementation for GSS-API krb5 mech. +@item GSS-API CFX, SPNEGO, naming extensions, API extensions. @item KCM credential cache. +@item HDB LDAP backend. @end table @verbatim -Copyright (c) 2003, PADL Software Pty Ltd. +Copyright (c) 2003-2011, PADL Software Pty Ltd. All rights reserved. Redistribution and use in source and binary forms, with or without From 00b3524892a4ba0f37112f3956049fbe1d3d4f28 Mon Sep 17 00:00:00 2001 From: Love Hornquist Astrand Date: Mon, 11 Apr 2011 17:35:59 -0700 Subject: [PATCH 03/42] link with libheimntlm.la --- kdc/Makefile.am | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/kdc/Makefile.am b/kdc/Makefile.am index ed3417244..bcf222324 100644 --- a/kdc/Makefile.am +++ b/kdc/Makefile.am 
@@ -115,7 +115,8 @@ kdc_CFLAGS = $(CAPNG_CFLAGS) digest_service_LDADD = \ libkdc.la \ - ../lib/ipc/libheim-ipcs.la \ + $(top_builddir)/lib/ntlm/libheimntlm.la \ + $(top_builddir)/lib/ipc/libheim-ipcs.la \ $(LDADD) $(LIB_pidfile) kdc_replay_LDADD = libkdc.la $(LDADD) $(LIB_pidfile) From d9b3c87fc374b51ebd0cbb6875676cb5317eddd6 Mon Sep 17 00:00:00 2001 From: Love Hornquist Astrand Date: Mon, 11 Apr 2011 17:36:31 -0700 Subject: [PATCH 04/42] use unix sockets too --- kdc/digest-service.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/kdc/digest-service.c b/kdc/digest-service.c index 3eaab27b6..b868ba8f7 100644 --- a/kdc/digest-service.c +++ b/kdc/digest-service.c @@ -272,6 +272,10 @@ main(int argc, char **argv) heim_sipc_timeout(60); } #endif + { + heim_sipc un; + heim_sipc_service_unix("org.h5l.ntlm-service", kcm_service, NULL, &un); + } heim_ipc_main(); return 0; From c178563beffc76000b77a100c5d1b82d0459efde Mon Sep 17 00:00:00 2001 From: Love Hornquist Astrand Date: Mon, 11 Apr 2011 18:15:02 -0700 Subject: [PATCH 05/42] use ntlm_service --- kdc/digest-service.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kdc/digest-service.c b/kdc/digest-service.c index b868ba8f7..1ba423bac 100644 --- a/kdc/digest-service.c +++ b/kdc/digest-service.c @@ -274,7 +274,7 @@ main(int argc, char **argv) #endif { heim_sipc un; - heim_sipc_service_unix("org.h5l.ntlm-service", kcm_service, NULL, &un); + heim_sipc_service_unix("org.h5l.ntlm-service", ntlm_service, NULL, &un); } heim_ipc_main(); From ec88b5d0435984ee0ebabdf54af259df753f4643 Mon Sep 17 00:00:00 2001 From: Love Hornquist Astrand Date: Tue, 12 Apr 2011 08:05:29 -0700 Subject: [PATCH 06/42] move _gss_DES3_get_mic_compat to after ->target is set Patch from Roland Dowdeswell --- lib/gssapi/krb5/init_sec_context.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/lib/gssapi/krb5/init_sec_context.c b/lib/gssapi/krb5/init_sec_context.c index 53855ca04..84a839aa3 100644 
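Review bot: In main() of kdc/digest-service.c the result of `heim_sipc_service_unix("org.h5l.ntlm-service", ...)` is discarded, so a failure to set up the Unix-socket listener is silent and the daemon still enters `heim_ipc_main()`; the follow-up hunk that switches the callback to `ntlm_service` keeps the call unchecked. Assuming the function returns non-zero on failure (its prototype is not in the hunk), check it: `if (heim_sipc_service_unix("org.h5l.ntlm-service", ntlm_service, NULL, &un)) errx(1, "failed to set up unix socket service");`. Because this endpoint answers NTLM requests, a short comment stating which local callers are expected to reach the socket would also help the next reviewer. main() starts and ends outside the hunk.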
--- a/lib/gssapi/krb5/init_sec_context.c +++ b/lib/gssapi/krb5/init_sec_context.c @@ -422,11 +422,6 @@ init_auth goto failure; } - ret = _gss_DES3_get_mic_compat(minor_status, ctx, context); - if (ret) - goto failure; - - /* * This is hideous glue for (NFS) clients that wants to limit the * available enctypes to what it can support (encryption in @@ -469,6 +464,10 @@ init_auth ctx->lifetime = ctx->kcred->times.endtime; + ret = _gss_DES3_get_mic_compat(minor_status, ctx, context); + if (ret) + goto failure; + ret = _gsskrb5_lifetime_left(minor_status, context, ctx->lifetime, From f632c5239e8403d4aec5e2be04cac2284cbd27e1 Mon Sep 17 00:00:00 2001 From: Love Hornquist Astrand Date: Tue, 12 Apr 2011 09:01:41 -0700 Subject: [PATCH 07/42] one element per line --- lib/krb5/addr_families.c | 90 ++++++++++++++++++++++++++++++---------- 1 file changed, 67 insertions(+), 23 deletions(-) diff --git a/lib/krb5/addr_families.c b/lib/krb5/addr_families.c index 7c47da206..23c4e8ef7 100644 --- a/lib/krb5/addr_families.c +++ b/lib/krb5/addr_families.c 
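Review bot: The relocated `_gss_DES3_get_mic_compat()` call in init_auth (lib/gssapi/krb5/init_sec_context.c) now depends on statement order, and nothing at the call site says so. According to the commit subject it has to run after `ctx->target` is set, so a one-line comment above it, for example `/* needs ctx->target: keep below the target setup */`, would stop a later cleanup from moving it back up. init_auth begins and ends outside both hunks.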
@@ -727,34 +727,78 @@ addrport_print_addr (const krb5_address *addr, char *str, size_t len) } static struct addr_operations at[] = { - {AF_INET, KRB5_ADDRESS_INET, sizeof(struct sockaddr_in), - ipv4_sockaddr2addr, - ipv4_sockaddr2port, - ipv4_addr2sockaddr, - ipv4_h_addr2sockaddr, - ipv4_h_addr2addr, - ipv4_uninteresting, ipv4_is_loopback, ipv4_anyaddr, ipv4_print_addr, - ipv4_parse_addr, NULL, NULL, NULL, ipv4_mask_boundary }, + { + AF_INET, KRB5_ADDRESS_INET, sizeof(struct sockaddr_in), + ipv4_sockaddr2addr, + ipv4_sockaddr2port, + ipv4_addr2sockaddr, + ipv4_h_addr2sockaddr, + ipv4_h_addr2addr, + ipv4_uninteresting, + ipv4_is_loopback, + ipv4_anyaddr, + ipv4_print_addr, + ipv4_parse_addr, + NULL, + NULL, + NULL, + ipv4_mask_boundary + }, #ifdef HAVE_IPV6 - {AF_INET6, KRB5_ADDRESS_INET6, sizeof(struct sockaddr_in6), - ipv6_sockaddr2addr, - ipv6_sockaddr2port, - ipv6_addr2sockaddr, - ipv6_h_addr2sockaddr, - ipv6_h_addr2addr, - ipv6_uninteresting, ipv6_is_loopback, ipv6_anyaddr, ipv6_print_addr, - ipv6_parse_addr, NULL, NULL, NULL, ipv6_mask_boundary } , + { + AF_INET6, KRB5_ADDRESS_INET6, sizeof(struct sockaddr_in6), + ipv6_sockaddr2addr, + ipv6_sockaddr2port, + ipv6_addr2sockaddr, + ipv6_h_addr2sockaddr, + ipv6_h_addr2addr, + ipv6_uninteresting, + ipv6_is_loopback, + ipv6_anyaddr, + ipv6_print_addr, + ipv6_parse_addr, + NULL, + NULL, + NULL, + ipv6_mask_boundary + } , #endif #ifndef HEIMDAL_SMALLER /* fake address type */ - {KRB5_ADDRESS_ARANGE, KRB5_ADDRESS_ARANGE, sizeof(struct arange), - NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, - arange_print_addr, arange_parse_addr, - arange_order_addr, arange_free, arange_copy }, + { + KRB5_ADDRESS_ARANGE, KRB5_ADDRESS_ARANGE, sizeof(struct arange), + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + arange_print_addr, + arange_parse_addr, + arange_order_addr, + arange_free, + arange_copy, + NULL + }, #endif - {KRB5_ADDRESS_ADDRPORT, KRB5_ADDRESS_ADDRPORT, 0, - NULL, NULL, NULL, NULL, NULL, NULL, - NULL, 
NULL, addrport_print_addr, NULL, NULL, NULL, NULL } + { + KRB5_ADDRESS_ADDRPORT, KRB5_ADDRESS_ADDRPORT, 0, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, + addrport_print_addr, + NULL, + NULL, + NULL, + NULL + } }; static int num_addrs = sizeof(at) / sizeof(at[0]); From d0502b2eb4f3fd8ee12f4d624e90de91379c976c Mon Sep 17 00:00:00 2001 From: Love Hornquist Astrand Date: Thu, 14 Apr 2011 12:47:47 -0700 Subject: [PATCH 08/42] return error message from lower layer, only modify for Kerberos --- lib/gssapi/mech/gss_krb5.c | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/lib/gssapi/mech/gss_krb5.c b/lib/gssapi/mech/gss_krb5.c index 594b41ef8..a88ae8112 100644 --- a/lib/gssapi/mech/gss_krb5.c +++ b/lib/gssapi/mech/gss_krb5.c @@ -188,7 +188,7 @@ out: GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gsskrb5_register_acceptor_identity(const char *identity) { - struct _gss_mech_switch *m; + gssapi_mech_interface m; gss_buffer_desc buffer; OM_uint32 junk; @@ -197,14 +197,12 @@ gsskrb5_register_acceptor_identity(const char *identity) buffer.value = rk_UNCONST(identity); buffer.length = strlen(identity); - HEIM_SLIST_FOREACH(m, &_gss_mechs, gm_link) { - if (m->gm_mech.gm_set_sec_context_option == NULL) - continue; - m->gm_mech.gm_set_sec_context_option(&junk, NULL, - GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X, &buffer); - } + m = __gss_get_mechanism(GSS_KRB5_MECHANISM); + if (m == NULL || m->gm_set_sec_context_option == NULL) + return GSS_S_FAILURE; - return (GSS_S_COMPLETE); + return m->gm_set_sec_context_option(&junk, NULL, + GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X, &buffer); } GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL From d8b5246607a25638c46d48545a90a1bbd8e80c4a Mon Sep 17 00:00:00 2001 From: Love Hornquist Astrand Date: Thu, 14 Apr 2011 12:48:23 -0700 Subject: [PATCH 09/42] catch error from gsskrb5_register_acceptor_identity --- lib/gssapi/test_context.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) 
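Review bot: In the reformatted `at[]` table (lib/krb5/addr_families.c) the KRB5_ADDRESS_ADDRPORT entry still lists 13 member initialisers after its three header fields, while the INET, INET6 and ARANGE entries now list 14. The commit added the trailing `NULL` to the ARANGE entry but not to this one; the omitted member is zero-initialised, so behaviour does not change, but add the final `NULL` so the four entries line up slot for slot. With purely positional initialisers a shifted slot would silently bind the wrong handler, so designated initialisers would be the sturdier layout if the compilers this project targets allow them.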
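Review bot: `gsskrb5_register_acceptor_identity()` in lib/gssapi/mech/gss_krb5.c now returns the mechanism's major status but still discards the minor status in `junk`, so a caller can only ever see GSS_S_FAILURE. Later patches in this series make the krb5 layer store its error code in the minor status, and that value is lost at this point. The public signature has no minor-status parameter, so at least record the decision with a comment such as `/* minor status is dropped here; only the major status reaches the caller */`. The `m == NULL` path also returns plain `GSS_S_FAILURE`; `GSS_S_BAD_MECH` would tell the caller that the Kerberos mechanism itself was unavailable.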
diff --git a/lib/gssapi/test_context.c b/lib/gssapi/test_context.c index 70c68185a..3af4f697a 100644 --- a/lib/gssapi/test_context.c +++ b/lib/gssapi/test_context.c @@ -549,8 +549,12 @@ main(int argc, char **argv) else mechoid = string_to_oid(mech_string); - if (gsskrb5_acceptor_identity) - gsskrb5_register_acceptor_identity(gsskrb5_acceptor_identity); + if (gsskrb5_acceptor_identity) { + maj_stat = gsskrb5_register_acceptor_identity(gsskrb5_acceptor_identity); + if (maj_stat) + errx(1, "gsskrb5_acceptor_identity: %s", + gssapi_err(maj_stat, 0, GSS_C_NO_OID)); + } if (client_name) { gss_buffer_desc cn; From 6f5b93fc8b8e9b08f3739a6814b6241e0172e7f6 Mon Sep 17 00:00:00 2001 From: Love Hornquist Astrand Date: Thu, 14 Apr 2011 12:52:49 -0700 Subject: [PATCH 10/42] return error from lower layer --- lib/gssapi/krb5/set_sec_context_option.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/lib/gssapi/krb5/set_sec_context_option.c b/lib/gssapi/krb5/set_sec_context_option.c index 237af1a52..d13cfb6db 100644 --- a/lib/gssapi/krb5/set_sec_context_option.c +++ b/lib/gssapi/krb5/set_sec_context_option.c @@ -154,11 +154,10 @@ _gsskrb5_set_sec_context_option if (maj_stat != GSS_S_COMPLETE) return maj_stat; - _gsskrb5_register_acceptor_identity(str); + maj_stat = _gsskrb5_register_acceptor_identity(minor_status, str); free(str); - *minor_status = 0; - return GSS_S_COMPLETE; + return maj_stat; } else if (gss_oid_equal(desired_object, GSS_KRB5_SET_DEFAULT_REALM_X)) { char *str; From 523d84b417bfd0572b0efe716f3e3a7752d925fb Mon Sep 17 00:00:00 2001 From: Love Hornquist Astrand Date: Thu, 14 Apr 2011 12:53:29 -0700 Subject: [PATCH 11/42] return error from lower layer --- lib/gssapi/krb5/accept_sec_context.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/lib/gssapi/krb5/accept_sec_context.c b/lib/gssapi/krb5/accept_sec_context.c index e607e08f5..1ee843092 100644 --- a/lib/gssapi/krb5/accept_sec_context.c 
+++ b/lib/gssapi/krb5/accept_sec_context.c @@ -55,11 +55,13 @@ validate_keytab(krb5_context context, const char *name, krb5_keytab *id) } OM_uint32 -_gsskrb5_register_acceptor_identity (const char *identity) +_gsskrb5_register_acceptor_identity(OM_uint32 *min_stat, const char *identity) { krb5_context context; krb5_error_code ret; + *min_stat = 0; + ret = _gsskrb5_init(&context); if(ret) return GSS_S_FAILURE; @@ -92,8 +94,10 @@ _gsskrb5_register_acceptor_identity (const char *identity) } } HEIMDAL_MUTEX_unlock(&gssapi_keytab_mutex); - if(ret) + if(ret) { + *min_stat = ret; return GSS_S_FAILURE; + } return GSS_S_COMPLETE; } From 81a03fafd21808b488c633d5adde5ba475c7f7a2 Mon Sep 17 00:00:00 2001 From: Love Hornquist Astrand Date: Thu, 14 Apr 2011 13:08:16 -0700 Subject: [PATCH 12/42] is rk, not rx --- lib/roken/version-script.map | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/roken/version-script.map b/lib/roken/version-script.map index 1df4ba57c..9229a373c 100644 --- a/lib/roken/version-script.map +++ b/lib/roken/version-script.map @@ -140,7 +140,7 @@ HEIMDAL_ROKEN_1.0 { rk_timevalfix; rk_timevalsub; rk_tdelete; - rx_tfind; + rk_tfind; rk_tsearch; rk_twalk; rk_undumpdata; From 4244f1386644deb13cfaad8b7f5c248afbc41e74 Mon Sep 17 00:00:00 2001 From: Nicolas Williams Date: Sat, 16 Apr 2011 02:03:47 -0500 Subject: [PATCH 13/42] This makes hdb-sqlite work: moving the unseal of keys past the value2entry decoding. Signed-off-by: Love Hornquist Astrand --- lib/hdb/hdb-sqlite.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/lib/hdb/hdb-sqlite.c b/lib/hdb/hdb-sqlite.c index 91ecda711..d77416893 100644 --- a/lib/hdb/hdb-sqlite.c +++ b/lib/hdb/hdb-sqlite.c 
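Review bot: In `_gsskrb5_register_acceptor_identity()` (lib/gssapi/krb5/accept_sec_context.c) the early return after a failed `_gsskrb5_init(&context)` leaves `*min_stat` at 0, while the later failure path now stores `ret` in it. Make both paths report the error code: `if (ret) { *min_stat = ret; return GSS_S_FAILURE; }`. The middle of the function lies between the two hunks and is not visible here.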
@@ -416,6 +416,13 @@ hdb_sqlite_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal princi } } + value.length = sqlite3_column_bytes(fetch, 0); + value.data = (void *) sqlite3_column_blob(fetch, 0); + + ret = hdb_value2entry(context, &value, &entry->entry); + if(ret) + goto out; + if (db->hdb_master_key_set && (flags & HDB_F_DECRYPT)) { ret = hdb_unseal_keys(context, db, &entry->entry); if(ret) { @@ -423,13 +430,6 @@ hdb_sqlite_fetch_kvno(krb5_context context, HDB *db, krb5_const_principal princi goto out; } } - - value.length = sqlite3_column_bytes(fetch, 0); - value.data = (void *) sqlite3_column_blob(fetch, 0); - - ret = hdb_value2entry(context, &value, &entry->entry); - if(ret) - goto out; ret = 0; From 7a4d4c5f4e20c75238ef18c9c0e59d8760407228 Mon Sep 17 00:00:00 2001 From: Love Hornquist Astrand Date: Sat, 16 Apr 2011 10:26:43 -0700 Subject: [PATCH 14/42] Add HAVE_SQLITE3 that allows control if you want sqlite or not --- configure.ac | 2 ++ lib/hdb/hdb.c | 2 ++ 2 files changed, 4 insertions(+) diff --git a/configure.ac b/configure.ac index d59176b87..c00c25f03 100644 --- a/configure.ac +++ b/configure.ac @@ -172,6 +172,8 @@ if test "X$with_sqlite3" != Xyes ; then fi AM_CONDITIONAL(SQLITE3, test "X$with_sqlite3" = Xyes) +AC_DEFINE(HAVE_SQLITE3, 1, [Define if you want support for sqlite in Heimdal.]) + AC_ARG_ENABLE(sqlite-cache, AS_HELP_STRING([--disable-sqlite-cache],[if you want support for cache in sqlite])) if test "$enable_sqlite_cache" != no; then diff --git a/lib/hdb/hdb.c b/lib/hdb/hdb.c index 2c1de8b3d..045f2e2cc 100644 --- a/lib/hdb/hdb.c +++ b/lib/hdb/hdb.c @@ -78,7 +78,9 @@ static struct hdb_method methods[] = { { HDB_INTERFACE_VERSION, "ldap:", hdb_ldap_create}, { HDB_INTERFACE_VERSION, "ldapi:", hdb_ldapi_create}, #endif +#ifdef HAVE_SQLITE3 { HDB_INTERFACE_VERSION, "sqlite:", hdb_sqlite_create}, +#endif {0, NULL, NULL} }; From 17b38758ffae3535a2f27fd8445b083893896fde Mon Sep 17 00:00:00 2001 
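Review bot: In hdb_sqlite_fetch_kvno (lib/hdb/hdb-sqlite.c) the moved lines read `sqlite3_column_bytes(fetch, 0)` before `sqlite3_column_blob(fetch, 0)`; SQLite documents blob-then-bytes as the safe order, because a conversion triggered by one call can invalidate what the other returned. Swap the two assignments so the pointer is fetched first. The `(void *)` cast also drops the `const` on the pointer returned by sqlite3_column_blob(), so a comment such as `/* borrowed from the statement: do not free or modify */` on `value.data` would make the ownership clear. The function continues outside both hunks.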
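Review bot: The added `AC_DEFINE(HAVE_SQLITE3, 1, ...)` in configure.ac is unconditional as far as this hunk shows: it sits after the closing `fi` and the `AM_CONDITIONAL(SQLITE3, ...)` line, so HAVE_SQLITE3 is defined whatever `$with_sqlite3` holds. The new `#ifdef HAVE_SQLITE3` around the `sqlite:` entry in lib/hdb/hdb.c therefore never excludes the backend on a configure-driven build, which does not match the commit subject. If the define is meant to follow a configure decision, wrap it in the corresponding `if test ...; then ... fi`; if sqlite is always available (for example through a bundled copy, which this hunk does not show), say so in a comment next to the define.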
From: Love Hornquist Astrand Date: Sat, 23 Apr 2011 18:25:40 -0700 Subject: [PATCH 15/42] patch from Christos Zoulas --- kadmin/util.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/kadmin/util.c b/kadmin/util.c index 57b1cb8de..feaa58159 100644 --- a/kadmin/util.c +++ b/kadmin/util.c @@ -65,7 +65,7 @@ struct units kdb_attrs[] = { { "disallow-tgt-based", KRB5_KDB_DISALLOW_TGT_BASED }, { "disallow-forwardable", KRB5_KDB_DISALLOW_FORWARDABLE }, { "disallow-postdated", KRB5_KDB_DISALLOW_POSTDATED }, - { NULL } + { NULL, 0 } }; /* @@ -188,7 +188,7 @@ str2time_t (const char *str, time_t *t) if (str[0] == '+') { str++; *t = parse_time(str, "month"); - if (t < 0) + if (*t < 0) return -1; *t += time(NULL); return 0; @@ -430,7 +430,7 @@ edit_entry(kadm5_principal_ent_t ent, int *mask, */ int -set_entry(krb5_context context, +set_entry(krb5_context contextp, kadm5_principal_ent_t ent, int *mask, const char *max_ticket_life, @@ -442,14 +442,14 @@ set_entry(krb5_context context, if (max_ticket_life != NULL) { if (parse_deltat (max_ticket_life, &ent->max_life, mask, KADM5_MAX_LIFE)) { - krb5_warnx (context, "unable to parse `%s'", max_ticket_life); + krb5_warnx (contextp, "unable to parse `%s'", max_ticket_life); return 1; } } if (max_renewable_life != NULL) { if (parse_deltat (max_renewable_life, &ent->max_renewable_life, mask, KADM5_MAX_RLIFE)) { - krb5_warnx (context, "unable to parse `%s'", max_renewable_life); + krb5_warnx (contextp, "unable to parse `%s'", max_renewable_life); return 1; } } 
@@ -457,21 +457,21 @@ set_entry(krb5_context context, if (expiration) { if (parse_timet (expiration, &ent->princ_expire_time, mask, KADM5_PRINC_EXPIRE_TIME)) { - krb5_warnx (context, "unable to parse `%s'", expiration); + krb5_warnx (contextp, "unable to parse `%s'", expiration); return 1; } } if (pw_expiration) { if (parse_timet (pw_expiration, &ent->pw_expiration, mask, KADM5_PW_EXPIRATION)) { - krb5_warnx (context, "unable to parse `%s'", pw_expiration); + krb5_warnx (contextp, "unable to parse `%s'", pw_expiration); return 1; } } if (attributes != NULL) { if (parse_attributes (attributes, &ent->attributes, mask, KADM5_ATTRIBUTES)) { - krb5_warnx (context, "unable to parse `%s'", attributes); + krb5_warnx (contextp, "unable to parse `%s'", attributes); return 1; } } From 2bcacbd052cb88d7fa850798ce30a00442b87c64 Mon Sep 17 00:00:00 2001 From: Love Hornquist Astrand Date: Sat, 23 Apr 2011 18:27:35 -0700 Subject: [PATCH 16/42] patch from Christos Zoulas --- kadmin/get.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/kadmin/get.c b/kadmin/get.c index 16d8381af..dcbcf01c0 100644 --- a/kadmin/get.c +++ b/kadmin/get.c @@ -110,9 +110,9 @@ add_column(struct get_entry_data *data, struct field_name *ff, const char *heade static int cmp_salt (const krb5_salt *salt, const krb5_key_data *k) { - if (salt->salttype != k->key_data_type[1]) + if (salt->salttype != (size_t)k->key_data_type[1]) return 1; - if (salt->saltvalue.length != k->key_data_length[1]) + if (salt->saltvalue.length != (size_t)k->key_data_length[1]) return 1; return memcmp (salt->saltvalue.data, k->key_data_contents[1], salt->saltvalue.length); @@ -245,7 +245,7 @@ format_field(kadm5_principal_ent_t princ, unsigned int field, krb5_tl_data *tl; for (tl = princ->tl_data; tl != NULL; tl = tl->tl_data_next) - if (tl->tl_data_type == subfield) + if ((unsigned)tl->tl_data_type == subfield) break; if (tl == NULL) { strlcpy(buf, "", buf_len); 
@@ -261,7 +261,8 @@ format_field(kadm5_principal_ent_t princ, unsigned int field, case KRB5_TL_PKINIT_ACL: { HDB_Ext_PKINIT_acl acl; size_t size; - int i, ret; + int ret; + size_t i; ret = decode_HDB_Ext_PKINIT_acl(tl->tl_data_contents, tl->tl_data_length, @@ -293,7 +294,8 @@ format_field(kadm5_principal_ent_t princ, unsigned int field, case KRB5_TL_ALIASES: { HDB_Ext_Aliases alias; size_t size; - int i, ret; + int ret; + size_t i; ret = decode_HDB_Ext_Aliases(tl->tl_data_contents, tl->tl_data_length, @@ -309,7 +311,7 @@ format_field(kadm5_principal_ent_t princ, unsigned int field, ret = krb5_unparse_name(context, &alias.aliases.val[i], &p); if (ret) break; - if (i < 0) + if (i > 0) strlcat(buf, " ", buf_len); strlcat(buf, p, buf_len); free(p); From 1b81d2db6b9e0177ef3d2ab115eb9a06c488ce2a Mon Sep 17 00:00:00 2001 From: Love Hornquist Astrand Date: Sat, 23 Apr 2011 18:57:12 -0700 Subject: [PATCH 17/42] support loading more then one verifier, use function name instead of module name patch from Tom Payerle --- lib/kadm5/password_quality.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lib/kadm5/password_quality.c b/lib/kadm5/password_quality.c index 35087d313..cb82567f5 100644 --- a/lib/kadm5/password_quality.c +++ b/lib/kadm5/password_quality.c @@ -386,10 +386,10 @@ kadm5_add_passwd_quality_verifier(krb5_context context, "password_quality", "policy_libraries", NULL); - if(tmp == NULL) + if(tmp == NULL || *tmp == NULL) return 0; - while(tmp) { + while (*tmp) { ret = add_verifier(context, *tmp); if (ret) return ret; @@ -432,7 +432,7 @@ find_func(krb5_context context, const char *name) if (module && strcmp(module, verifiers[i]->name) != 0) continue; for (f = verifiers[i]->funcs; f->name ; f++) - if (strcmp(name, f->name) == 0) { + if (strcmp(func, f->name) == 0) { if (module) free(module); return f; From 3b2e927c79003d493517cd73f36281b178052e35 Mon Sep 17 00:00:00 2001 
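Review bot: In kadm5_add_passwd_quality_verifier (lib/kadm5/password_quality.c) the string list held in `tmp` is not released on any path this hunk shows: the new `*tmp == NULL` return, the `return ret` inside the loop, and the walk itself, which presumably advances `tmp` and so loses the pointer that would be needed to free it. The start of the call that fills `tmp` is above the hunk; if it is the krb5 config strings getter, keep the original pointer, iterate with a second variable, and call `krb5_config_free_strings()` before each return. The function's beginning and end are outside the hunk.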
From: Love Hornquist Astrand Date: Sat, 23 Apr 2011 18:57:57 -0700 Subject: [PATCH 18/42] catch error from asprintf() --- lib/kadm5/ipropd_slave.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/kadm5/ipropd_slave.c b/lib/kadm5/ipropd_slave.c index bee97a32e..306428705 100644 --- a/lib/kadm5/ipropd_slave.c +++ b/lib/kadm5/ipropd_slave.c @@ -528,8 +528,8 @@ main(int argc, char **argv) setup_signal(); if (config_file == NULL) { - asprintf(&config_file, "%s/kdc.conf", hdb_db_dir(context)); - if (config_file == NULL) + if (asprintf(&config_file, "%s/kdc.conf", hdb_db_dir(context)) == -1 + || config_file == NULL) errx(1, "out of memory"); } From 311b3c4f32f84c97d4268364827d4057e784a83c Mon Sep 17 00:00:00 2001 From: Love Hornquist Astrand Date: Sat, 23 Apr 2011 19:31:43 -0700 Subject: [PATCH 19/42] catch error from asprintf() Patch from Tom Payerle --- lib/kadm5/ipropd_master.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/lib/kadm5/ipropd_master.c b/lib/kadm5/ipropd_master.c index c5e0ffd84..16ac5f480 100644 --- a/lib/kadm5/ipropd_master.c +++ b/lib/kadm5/ipropd_master.c @@ -141,9 +141,11 @@ check_acl (krb5_context context, const char *name) FILE *fp; char buf[256]; int ret = 1; - char *slavefile; + char *slavefile = NULL; - asprintf(&slavefile, "%s/slaves", hdb_db_dir(context)); + if (asprintf(&slavefile, "%s/slaves", hdb_db_dir(context)) + || slavefile == NULL) + errx(1, "out of memory"); fn = krb5_config_get_string_default(context, NULL, From c5e6aa34dcb2bceef1a3961bc2b4764a7baa6e92 Mon Sep 17 00:00:00 2001 From: Love Hornquist Astrand Date: Sat, 23 Apr 2011 19:32:23 -0700 Subject: [PATCH 20/42] add Tom Payerle --- doc/ack.texi | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/ack.texi b/doc/ack.texi index 9cccd4477..9d4d6af37 100644 --- a/doc/ack.texi +++ b/doc/ack.texi 
@@ -91,6 +91,7 @@ Bugfixes, documentation, encouragement, and code has been contributed by: @item Sho Hosoda, 細田 将 @item Stefan Metzmacher @item Ted Percival +@item Tom Payerle @item Victor Guerra @item Zeqing Xia @item Åke Sandgren From b507bdb54fdcd98aba436cf9a4a14759dea57560 Mon Sep 17 00:00:00 2001 From: Love Hornquist Astrand Date: Sat, 23 Apr 2011 19:42:02 -0700 Subject: [PATCH 21/42] if _der_gmtime() failes (which is can't right now but eventially will) return ASN1_BAD_TIMEFORMAT --- lib/asn1/der_put.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/asn1/der_put.c b/lib/asn1/der_put.c index b8101458a..0b276d1eb 100644 --- a/lib/asn1/der_put.c +++ b/lib/asn1/der_put.c @@ -433,7 +433,8 @@ _heim_time2generalizedtime (time_t t, heim_octet_string *s, int gtimep) if (s->data == NULL) return ENOMEM; s->length = len; - _der_gmtime(t, &tm); + if (_der_gmtime(t, &tm) == NULL) + return ASN1_BAD_TIMEFORMAT; if (gtimep) snprintf (s->data, len + 1, "%04d%02d%02d%02d%02d%02dZ", tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday, From 3ae4c52cbcd936e82ecb37ba1282ce98e5e4c14b Mon Sep 17 00:00:00 2001 From: Love Hornquist Astrand Date: Sat, 23 Apr 2011 19:57:14 -0700 Subject: [PATCH 22/42] make _der_gmtime pickier about times is willing to convert --- lib/asn1/timegm.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/lib/asn1/timegm.c b/lib/asn1/timegm.c index b56947841..1b3b47fa5 100644 --- a/lib/asn1/timegm.c +++ b/lib/asn1/timegm.c @@ -98,6 +98,14 @@ _der_gmtime(time_t t, struct tm *tm) tm->tm_min = (secday % 3600) / 60; tm->tm_hour = secday / 3600; + /* + * Refuse to calculate time ~ 2000 years into the future, this is + * not possible for systems where time_t is a int32_t, however, + * when time_t is a int64_t, that can happen. + */ + if (days > 356000) + return NULL; + tm->tm_year = 70; while(1) { unsigned dayinyear = (is_leap(tm->tm_year) ? 366 : 365); From b3811999f73e63dde66fe9d62c21b1730bf0a97a Mon Sep 17 00:00:00 2001 
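Review bot: The new `return ASN1_BAD_TIMEFORMAT` in _heim_time2generalizedtime (lib/asn1/der_put.c) is taken after `s->data` has been filled in (the preceding `if (s->data == NULL) return ENOMEM;` suggests a fresh allocation) and `s->length` assigned, so the buffer leaks and the caller receives a failed call with a populated octet string. Either call `_der_gmtime()` before allocating, or clean up first: `free(s->data); s->data = NULL; s->length = 0;`. The allocation itself is above the hunk.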
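Review bot: The bound added to `_der_gmtime()` (lib/asn1/timegm.c) does not match its comment: `days > 356000` is roughly 975 years after 1970, not the "~ 2000 years" the comment states. Decide which is intended and make the two agree, ideally through a named constant. The check also runs after `tm->tm_min` and `tm->tm_hour` have been written, so `*tm` is partly filled on the NULL return; moving the test above those assignments keeps the failure case clean. Whether a negative `t` is rejected is not visible in this hunk.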
From: Love Hornquist Astrand Date: Sat, 23 Apr 2011 20:03:57 -0700 Subject: [PATCH 23/42] fix error condition --- lib/kadm5/ipropd_master.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/kadm5/ipropd_master.c b/lib/kadm5/ipropd_master.c index 16ac5f480..d48caf205 100644 --- a/lib/kadm5/ipropd_master.c +++ b/lib/kadm5/ipropd_master.c @@ -143,7 +143,7 @@ check_acl (krb5_context context, const char *name) int ret = 1; char *slavefile = NULL; - if (asprintf(&slavefile, "%s/slaves", hdb_db_dir(context)) + if (asprintf(&slavefile, "%s/slaves", hdb_db_dir(context)) == -1 || slavefile == NULL) errx(1, "out of memory"); From 074a30618fd6776453bfce5e06b05724aa99d5d4 Mon Sep 17 00:00:00 2001 From: Love Hornquist Astrand Date: Mon, 25 Apr 2011 11:33:58 -0700 Subject: [PATCH 24/42] Try to parse inner structure of an octet string (limited to CONS SEQ right now) --- lib/asn1/asn1_print.c | 38 ++++++++++++++++++++++++++++++-------- 1 file changed, 30 insertions(+), 8 deletions(-) diff --git a/lib/asn1/asn1_print.c b/lib/asn1/asn1_print.c index 279e969b0..917b8cd5f 100644 --- a/lib/asn1/asn1_print.c +++ b/lib/asn1/asn1_print.c @@ -41,9 +41,8 @@ #include #include -RCSID("$Id$"); - static int indent_flag = 1; +static int inner_flag = 0; static unsigned long indefinite_form_loop; static unsigned long indefinite_form_loop_max = 10000; 
@@ -167,17 +166,39 @@ loop (unsigned char *buf, size_t len, int indent) } case UT_OctetString : { heim_octet_string str; - int i; - unsigned char *uc; + size_t i; ret = der_get_octet_string (buf, length, &str, NULL); if (ret) errx (1, "der_get_octet_string: %s", error_message (ret)); printf ("(length %lu), ", (unsigned long)length); - uc = (unsigned char *)str.data; - for (i = 0; i < min(16,length); ++i) - printf ("%02x", uc[i]); - printf ("\n"); + + if (inner_flag) { + Der_class class; + Der_type type; + unsigned int tag; + + ret = der_get_tag(str.data, str.length, + &class, &type, &tag, &sz); + if (ret || sz > str.length || + type != CONS || tag != UT_Sequence) + goto just_an_octet_string; + + printf("{\n"); + loop (str.data, str.length, indent + 2); + for (i = 0; i < indent; ++i) + printf (" "); + printf ("}\n"); + + } else { + unsigned char *uc; + + just_an_octet_string: + uc = (unsigned char *)str.data; + for (i = 0; i < min(16,length); ++i) + printf ("%02x", uc[i]); + printf ("\n"); + } free (str.data); break; } @@ -295,6 +316,7 @@ static int version_flag; static int help_flag; struct getargs args[] = { { "indent", 0, arg_negative_flag, &indent_flag }, + { "inner", 0, arg_flag, &inner_flag, "try to parse inner structures of OCTET STRING" }, { "version", 0, arg_flag, &version_flag }, { "help", 0, arg_flag, &help_flag } }; From e062131344a30ecf44535fa6df20bfea64b1056a Mon Sep 17 00:00:00 2001 From: Love Hornquist Astrand Date: Mon, 25 Apr 2011 13:33:01 -0700 Subject: [PATCH 25/42] undef __weak_reference on freebsd since its different --- lib/libedit/src/vi.c | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/libedit/src/vi.c b/lib/libedit/src/vi.c index ee0b97839..0764d8438 100644 --- a/lib/libedit/src/vi.c +++ b/lib/libedit/src/vi.c 
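Review bot: The `--inner` branch in loop() (lib/asn1/asn1_print.c) fetches `class` from `der_get_tag()` but never tests it, so an OCTET STRING whose content starts with a constructed context- or application-class tag carrying the same number as UT_Sequence is printed as a SEQUENCE; add `class != ASN1_C_UNIV ||` to the condition. `for (i = 0; i < indent; ++i)` now compares the new `size_t i` with the `int indent` parameter, which brings back a signed/unsigned comparison. `goto just_an_octet_string` jumps into the `else` block past the declaration of `uc`; that is legal C but fragile, and computing a flag first (`parse_inner = inner_flag && ...`) would remove the label. The nested `loop()` call recurses on input-controlled structure, so a depth limit next to `indefinite_form_loop_max` would be a sensible guard for a tool that is run on untrusted DER.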
@@ -918,6 +918,7 @@ vi_comment_out(EditLine *el, Int c) * NB: posix implies that we should enter insert mode, however * this is against historical precedent... */ +#undef __weak_reference /* __weak_reference is different on freebsd */ #ifdef __weak_reference __weakref_visible char *my_get_alias_text(const char *) __weak_reference(get_alias_text); From 66c15e7cafe6961e7a00bf83effd5ad17889fd4a Mon Sep 17 00:00:00 2001 From: Love Hornquist Astrand Date: Mon, 25 Apr 2011 14:46:38 -0700 Subject: [PATCH 26/42] add support for sha256 and sha512 for the nist kdf --- lib/krb5/crypto-pk.c | 19 ++++++-- lib/krb5/test_pknistkdf.c | 98 +++++++++++++++++++++++++++++++++++++-- 2 files changed, 108 insertions(+), 9 deletions(-) diff --git a/lib/krb5/crypto-pk.c b/lib/krb5/crypto-pk.c index eb783c899..ae70ca8b5 100644 --- a/lib/krb5/crypto-pk.c +++ b/lib/krb5/crypto-pk.c @@ -192,6 +192,8 @@ encode_otherinfo(krb5_context context, return 0; } + + krb5_error_code _krb5_pk_kdf(krb5_context context, const struct AlgorithmIdentifier *ai, @@ -211,10 +213,17 @@ _krb5_pk_kdf(krb5_context context, size_t keylen, offset; uint32_t counter; unsigned char *keydata; - unsigned char shaoutput[SHA_DIGEST_LENGTH]; + unsigned char shaoutput[SHA512_DIGEST_LENGTH]; + const EVP_MD *md; EVP_MD_CTX *m; - if (der_heim_oid_cmp(&asn1_oid_id_pkinit_kdf_ah_sha1, &ai->algorithm) != 0) { + if (der_heim_oid_cmp(&asn1_oid_id_pkinit_kdf_ah_sha1, &ai->algorithm) == 0) { + md = EVP_sha1(); + } else if (der_heim_oid_cmp(&asn1_oid_id_pkinit_kdf_ah_sha256, &ai->algorithm) == 0) { + md = EVP_sha256(); + } else if (der_heim_oid_cmp(&asn1_oid_id_pkinit_kdf_ah_sha512, &ai->algorithm) == 0) { + md = EVP_sha512(); + } else { krb5_set_error_message(context, KRB5_PROG_ETYPE_NOSUPP, N_("KDF not supported", "")); return KRB5_PROG_ETYPE_NOSUPP; 
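Review bot: The unconditional `#undef __weak_reference` placed directly above `#ifdef __weak_reference` in lib/libedit/src/vi.c makes that `#ifdef` false on every platform, not only on FreeBSD as the comment says. If the weak-alias path is still wanted elsewhere, scope the undef with `#ifdef __FreeBSD__` ... `#endif`. If it is meant to be disabled everywhere, say that in the comment so the now-dead branch is not mistaken for live code.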
@@ -264,7 +273,7 @@ _krb5_pk_kdf(krb5_context context, do { unsigned char cdata[4]; - EVP_DigestInit_ex(m, EVP_sha1(), NULL); + EVP_DigestInit_ex(m, md, NULL); _krb5_put_int(cdata, counter, 4); EVP_DigestUpdate(m, cdata, 4); EVP_DigestUpdate(m, dhdata, dhsize); @@ -274,9 +283,9 @@ _krb5_pk_kdf(krb5_context context, memcpy((unsigned char *)keydata + offset, shaoutput, - min(keylen - offset, sizeof(shaoutput))); + min(keylen - offset, EVP_MD_CTX_size(m))); - offset += sizeof(shaoutput); + offset += EVP_MD_CTX_size(m); counter++; } while(offset < keylen); memset(shaoutput, 0, sizeof(shaoutput)); diff --git a/lib/krb5/test_pknistkdf.c b/lib/krb5/test_pknistkdf.c index 33eb45ba9..d53dc51e5 100644 --- a/lib/krb5/test_pknistkdf.c +++ b/lib/krb5/test_pknistkdf.c @@ -53,10 +53,6 @@ struct testcase { /* 0 */ { NULL, /* AlgorithmIdentifier */ - /* == &asn1_oid_id_pkinit_kdf_ah_sha1. Addresses of exported - * symbols are not considered constant on all platforms - * (Windows). So we set it in main() below. */ - { /* Z */ 256, "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 
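Review bot: In the derivation loop of _krb5_pk_kdf (lib/krb5/crypto-pk.c) the copy length and the `offset` step now come from `EVP_MD_CTX_size(m)`, mixed with the `size_t` values `keylen - offset` and `offset` and used without any check against the buffer. Take the digest length once from the selected `md` before the loop, e.g. `size_t mdlen = EVP_MD_size(md);`, verify `mdlen != 0 && mdlen <= sizeof(shaoutput)`, and use `mdlen` in both the `min()` and the increment. The return values of `EVP_DigestInit_ex()` and `EVP_DigestUpdate()` are ignored in the visible lines, so a failed digest step would still produce key bytes. The trailing `memset(shaoutput, 0, sizeof(shaoutput))` is a plain memset on a local that is about to go out of scope and may be optimised away; a guaranteed-wipe helper would be safer if the tree provides one. The function starts and ends outside these hunks.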
@@ -99,6 +95,98 @@ struct testcase { "\xc7\x62\x89\xec\x4b\x28\xa6\x91\xff\xce\x80\xbb\xb7\xec\x82\x41" "\x52\x3f\x99\xb1\x90\xcf\x2d\x34\x8f\x54\xa8\x65\x81\x2c\x32\x73" } + }, + /* 1 */ + { + NULL, /* AlgorithmIdentifier */ + { /* Z */ + 256, + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + }, + "lha@SU.SE", /* client, partyUInfo */ + "krbtgt/SU.SE@SU.SE", /* server, partyVInfo */ + ETYPE_AES256_CTS_HMAC_SHA1_96, /* enctype */ + { /* as_req */ + 10, + "\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA" + }, + { /* pk_as_rep */ + 9, + "\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBB" + }, + { /* ticket */ + 55, + "\x61\x35\x30\x33\xa0\x03\x02\x01\x05\xa1\x07\x1b\x05\x53\x55\x2e" + "\x53\x45\xa2\x10\x30\x0e\xa0\x03\x02\x01\x01\xa1\x07\x30\x05\x1b" + "\x03\x6c\x68\x61\xa3\x11\x30\x0f\xa0\x03\x02\x01\x12\xa2\x08\x04" + "\x06\x68\x65\x6a\x68\x65\x6a" + }, + { /* key */ + 32, + "\x59\xf3\xca\x77\x5b\x20\x17\xe9\xad\x36\x3f\x47\xca\xbd\x43\xb8" + 
"\x8c\xb8\x90\x35\x8d\xc6\x0d\x52\x0d\x11\x9f\xb0\xdc\x24\x0b\x61" + } + }, + /* 2 */ + { + NULL, /* AlgorithmIdentifier */ + { /* Z */ + 256, + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + }, + "lha@SU.SE", /* client, partyUInfo */ + "krbtgt/SU.SE@SU.SE", /* server, partyVInfo */ + ETYPE_AES256_CTS_HMAC_SHA1_96, /* enctype */ + { /* as_req */ + 10, + "\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA" + }, + { /* pk_as_rep */ + 9, + "\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBB" + }, + { /* ticket */ + 55, + "\x61\x35\x30\x33\xa0\x03\x02\x01\x05\xa1\x07\x1b\x05\x53\x55\x2e" + "\x53\x45\xa2\x10\x30\x0e\xa0\x03\x02\x01\x01\xa1\x07\x30\x05\x1b" + "\x03\x6c\x68\x61\xa3\x11\x30\x0f\xa0\x03\x02\x01\x12\xa2\x08\x04" + "\x06\x68\x65\x6a\x68\x65\x6a" + }, + { /* key */ + 32, + "\x8a\x9a\xc5\x5f\x45\xda\x1a\x73\xd9\x1e\xe9\x88\x1f\xa9\x48\x81" + "\xce\xac\x66\x2d\xb1\xd3\xb9\x0a\x9d\x0e\x52\x83\xdf\xe1\x84\x3d" + } } }; 
@@ -265,6 +353,8 @@ main(int argc, char **argv) errx (1, "krb5_init_context failed: %d", ret); tests[0].oid = &asn1_oid_id_pkinit_kdf_ah_sha1; + tests[1].oid = &asn1_oid_id_pkinit_kdf_ah_sha256; + tests[2].oid = &asn1_oid_id_pkinit_kdf_ah_sha512; for (i = 0; i < sizeof(tests)/sizeof(tests[0]); i++) test_dh2key(context, i, &tests[i]); From f5f9014c90cdf795867ad336803caf802bac7fed Mon Sep 17 00:00:00 2001 
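Review bot: `tests[1].oid` and `tests[2].oid` tie the SHA-256 and SHA-512 KDF OIDs to table entries purely by position, while the two entries added in the table hunk above are labelled only `/* 1 */` and `/* 2 */` and are byte-identical except for the expected key. Reordering or inserting a vector would silently pair a key with the wrong hash, and the only symptom would be a failing comparison with no hint as to why. Label the entries `/* 1: id-pkinit-kdf-ah-sha256 */` and `/* 2: id-pkinit-kdf-ah-sha512 */`, and add a one-line comment saying where the expected keys were taken from so they can be re-checked independently. main() continues outside this hunk.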
From: Love Hornquist Astrand Date: Fri, 29 Apr 2011 20:25:05 -0700 Subject: [PATCH 27/42] Warning fixes from Christos Zoulas - shadowed variables - signed/unsigned confusion - const lossage - incomplete structure initializations - unused code --- admin/add.c | 2 +- admin/get.c | 21 +- admin/ktutil.c | 5 +- admin/list.c | 2 +- base/dict.c | 2 +- kadmin/ank.c | 10 +- kadmin/check.c | 2 +- kadmin/kadm_conn.c | 57 +++--- kadmin/kadmin.c | 13 +- kadmin/kadmind.c | 9 +- kadmin/load.c | 2 +- kadmin/mod.c | 14 +- kadmin/rpc.c | 166 +++++++-------- kadmin/server.c | 235 +++++++++++----------- kdc/config.c | 31 +-- kdc/connect.c | 16 +- kdc/digest-service.c | 18 +- kdc/digest.c | 80 ++++---- kdc/hprop.c | 16 +- kdc/hpropd.c | 13 +- kdc/kerberos5.c | 22 +- kdc/krb5tgs.c | 15 +- kdc/kstash.c | 12 +- kdc/log.c | 10 +- kdc/mit_dump.c | 4 +- kdc/pkinit.c | 17 +- kdc/string2key.c | 16 +- kpasswd/kpasswd.c | 9 +- kpasswd/kpasswdd.c | 29 +-- kuser/copy_cred_cache.c | 2 +- kuser/kcc.c | 4 +- kuser/kdestroy.c | 2 +- kuser/kdigest.c | 3 +- kuser/kgetcred.c | 12 +- kuser/kimpersonate.c | 34 ++-- kuser/kinit.c | 50 ++--- kuser/klist.c | 2 +- kuser/kswitch.c | 4 +- lib/asn1/der_format.c | 2 +- lib/asn1/der_get.c | 4 +- lib/asn1/der_length.c | 2 +- lib/asn1/gen_decode.c | 28 +-- lib/asn1/gen_encode.c | 8 +- lib/asn1/timegm.c | 4 +- lib/gssapi/gen-oid.pl | 2 +- lib/gssapi/gsstool.c | 2 +- lib/gssapi/krb5/arcfour.c | 4 +- lib/gssapi/krb5/cfx.c | 5 +- lib/gssapi/krb5/external.c | 24 ++- lib/gssapi/krb5/init_sec_context.c | 11 +- lib/gssapi/krb5/prf.c | 24 ++- lib/gssapi/krb5/process_context_token.c | 3 +- lib/gssapi/krb5/sequence.c | 2 +- lib/gssapi/krb5/unwrap.c | 2 +- lib/gssapi/krb5/verify_mic.c | 8 +- lib/gssapi/krb5/wrap.c | 2 +- lib/gssapi/mech/gss_acquire_cred.c | 2 +- lib/gssapi/mech/gss_aeap.c | 2 +- lib/gssapi/mech/gss_buffer_set.c | 2 +- lib/gssapi/mech/gss_cred.c | 2 +- lib/gssapi/mech/gss_indicate_mechs.c | 2 +- lib/gssapi/mech/gss_inquire_context.c | 8 +- 
lib/gssapi/mech/gss_inquire_cred_by_oid.c | 2 +- lib/gssapi/mech/gss_krb5.c | 2 +- lib/gssapi/mech/gss_mo.c | 24 +-- lib/gssapi/mech/gss_oid.c | 144 ++++++------- lib/gssapi/mech/gss_test_oid_set_member.c | 2 +- lib/gssapi/ntlm/accept_sec_context.c | 8 +- lib/gssapi/ntlm/external.c | 14 +- lib/gssapi/spnego/accept_sec_context.c | 13 +- lib/gssapi/spnego/compat.c | 6 +- lib/gssapi/spnego/context_stubs.c | 4 +- lib/gssapi/spnego/cred_stubs.c | 2 +- lib/gssapi/spnego/external.c | 17 +- lib/hdb/common.c | 7 +- lib/hdb/ext.c | 20 +- lib/hdb/hdb-mitdb.c | 2 +- lib/hdb/hdb.c | 6 +- lib/hdb/keys.c | 10 +- lib/hdb/keytab.c | 6 +- lib/hdb/mkey.c | 6 +- lib/hdb/print.c | 5 +- lib/hx509/ca.c | 4 +- lib/hx509/cms.c | 11 +- lib/hx509/collector.c | 7 +- lib/hx509/crypto.c | 65 +++--- lib/hx509/hxtool.c | 103 +++++----- lib/hx509/ks_dir.c | 16 +- lib/hx509/ks_file.c | 8 +- lib/hx509/ks_p11.c | 18 +- lib/hx509/ks_p12.c | 12 +- lib/hx509/lock.c | 2 +- lib/hx509/name.c | 38 ++-- lib/hx509/print.c | 19 +- lib/hx509/revoke.c | 13 +- lib/hx509/sel.c | 2 +- lib/hx509/sel.h | 2 +- lib/hx509/softp11.c | 37 ++-- lib/ipc/client.c | 24 +-- lib/ipc/server.c | 4 +- lib/kadm5/acl.c | 2 +- lib/kadm5/get_s.c | 4 +- lib/kadm5/iprop-log.c | 11 +- lib/kadm5/ipropd_master.c | 17 +- lib/kadm5/ipropd_slave.c | 17 +- lib/kadm5/keys.c | 2 +- lib/kadm5/log.c | 10 +- lib/kadm5/password_quality.c | 6 +- lib/kadm5/rename_s.c | 2 +- lib/kadm5/set_keys.c | 4 +- lib/kafs/kafs.h | 4 +- lib/krb5/acache.c | 8 +- lib/krb5/addr_families.c | 18 +- lib/krb5/changepw.c | 6 +- lib/krb5/config_file.c | 10 +- lib/krb5/crypto-des.c | 4 +- lib/krb5/crypto-evp.c | 4 +- lib/krb5/crypto.c | 29 +-- lib/krb5/digest.c | 6 +- lib/krb5/fcache.c | 10 +- lib/krb5/get_cred.c | 2 +- lib/krb5/get_host_realm.c | 2 +- lib/krb5/get_in_tkt.c | 8 +- lib/krb5/init_creds_pw.c | 12 +- lib/krb5/kcm.c | 4 +- lib/krb5/keytab_file.c | 15 +- lib/krb5/misc.c | 8 +- lib/krb5/mk_error.c | 3 +- lib/krb5/pac.c | 13 +- lib/krb5/padata.c | 4 +- 
lib/krb5/pkinit.c | 30 +-- lib/krb5/principal.c | 12 +- lib/krb5/rd_cred.c | 2 +- lib/krb5/rd_req.c | 2 +- lib/krb5/salt-des.c | 6 +- lib/krb5/salt.c | 2 +- lib/krb5/send_to_kdc.c | 6 +- lib/krb5/store-int.c | 2 +- lib/krb5/store.c | 54 ++--- lib/krb5/store_emem.c | 12 +- lib/krb5/store_mem.c | 8 +- lib/krb5/ticket.c | 4 +- lib/krb5/transited.c | 6 +- lib/ntlm/ntlm.c | 10 +- lib/roken/dumpdata.c | 2 +- lib/roken/getaddrinfo_hostspec.c | 6 +- lib/roken/getarg.c | 8 +- lib/roken/hex.c | 2 +- lib/roken/parse_units.c | 4 +- lib/roken/resolve.c | 10 +- lib/roken/roken_gethostby.c | 5 +- lib/roken/strsep_copy.c | 2 +- lib/sl/sl.c | 5 +- lib/sl/sl.h | 6 +- lib/sl/slc-gram.y | 2 +- lib/wind/stringprep.c | 2 +- 156 files changed, 1178 insertions(+), 1078 deletions(-) diff --git a/admin/add.c b/admin/add.c index 16216db4f..802782ffc 100644 --- a/admin/add.c +++ b/admin/add.c @@ -113,7 +113,7 @@ kt_add(struct add_options *opt, int argc, char **argv) goto out; } - if (hex_decode(opt->password_string, data, len) != len) { + if ((size_t)hex_decode(opt->password_string, data, len) != len) { free(data); krb5_warn(context, ENOMEM, "hex decode failed"); goto out; diff --git a/admin/get.c b/admin/get.c index ee96e5eeb..b4f808c28 100644 --- a/admin/get.c +++ b/admin/get.c @@ -90,7 +90,8 @@ kt_get(struct get_options *opt, int argc, char **argv) void *kadm_handle = NULL; krb5_enctype *etypes = NULL; size_t netypes = 0; - int i, j; + size_t i; + int a, j; unsigned int failed = 0; if((keytab = ktutil_open_keytab()) == NULL) @@ -120,7 +121,7 @@ kt_get(struct get_options *opt, int argc, char **argv) } - for(i = 0; i < argc; i++){ + for(a = 0; a < argc; a++){ krb5_principal princ_ent; kadm5_principal_ent_rec princ; int mask = 0; 
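Review bot: In the admin/add.c hunk the `(size_t)` cast on `hex_decode()` silences the signed/unsigned warning only by relying on a negative error return wrapping to a value that cannot equal `len`. Assuming hex_decode returns a signed count (the warning suggests it does), it reads more clearly to keep the result and test it explicitly: `ssize_t n = hex_decode(opt->password_string, data, len);` then `if (n < 0 || (size_t)n != len) {`. The failure is also reported with `ENOMEM`, which mislabels malformed hex input as an allocation problem; `krb5_warnx(context, "hex decode failed")` would be accurate. kt_add starts and ends outside the hunk.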
@@ -129,9 +130,9 @@ kt_get(struct get_options *opt, int argc, char **argv) int created = 0; krb5_keytab_entry entry; - ret = krb5_parse_name(context, argv[i], &princ_ent); + ret = krb5_parse_name(context, argv[a], &princ_ent); if (ret) { - krb5_warn(context, ret, "can't parse principal %s", argv[i]); + krb5_warn(context, ret, "can't parse principal %s", argv[a]); failed++; continue; } @@ -161,14 +162,14 @@ kt_get(struct get_options *opt, int argc, char **argv) if(ret == 0) created = 1; else if(ret != KADM5_DUP) { - krb5_warn(context, ret, "kadm5_create_principal(%s)", argv[i]); + krb5_warn(context, ret, "kadm5_create_principal(%s)", argv[a]); krb5_free_principal(context, princ_ent); failed++; continue; } ret = kadm5_randkey_principal(kadm_handle, princ_ent, &keys, &n_keys); if (ret) { - krb5_warn(context, ret, "kadm5_randkey_principal(%s)", argv[i]); + krb5_warn(context, ret, "kadm5_randkey_principal(%s)", argv[a]); krb5_free_principal(context, princ_ent); failed++; continue; @@ -177,7 +178,7 @@ kt_get(struct get_options *opt, int argc, char **argv) ret = kadm5_get_principal(kadm_handle, princ_ent, &princ, KADM5_PRINCIPAL | KADM5_KVNO | KADM5_ATTRIBUTES); if (ret) { - krb5_warn(context, ret, "kadm5_get_principal(%s)", argv[i]); + krb5_warn(context, ret, "kadm5_get_principal(%s)", argv[a]); for (j = 0; j < n_keys; j++) krb5_free_keyblock_contents(context, &keys[j]); krb5_free_principal(context, princ_ent); @@ -185,7 +186,7 @@ kt_get(struct get_options *opt, int argc, char **argv) continue; } if(!created && (princ.attributes & KRB5_KDB_DISALLOW_ALL_TIX)) - krb5_warnx(context, "%s: disallow-all-tix flag set - clearing", argv[i]); + krb5_warnx(context, "%s: disallow-all-tix flag set - clearing", argv[a]); princ.attributes &= (~KRB5_KDB_DISALLOW_ALL_TIX); mask = KADM5_ATTRIBUTES; if(created) { 
@@ -194,7 +195,7 @@ kt_get(struct get_options *opt, int argc, char **argv) } ret = kadm5_modify_principal(kadm_handle, &princ, mask); if (ret) { - krb5_warn(context, ret, "kadm5_modify_principal(%s)", argv[i]); + krb5_warn(context, ret, "kadm5_modify_principal(%s)", argv[a]); for (j = 0; j < n_keys; j++) krb5_free_keyblock_contents(context, &keys[j]); krb5_free_principal(context, princ_ent); @@ -205,7 +206,7 @@ kt_get(struct get_options *opt, int argc, char **argv) int do_add = TRUE; if (netypes) { - int k; + size_t k; do_add = FALSE; for (k = 0; k < netypes; ++k) diff --git a/admin/ktutil.c b/admin/ktutil.c index 756c595f5..5e154214a 100644 --- a/admin/ktutil.c +++ b/admin/ktutil.c @@ -118,8 +118,11 @@ help(void *opt, int argc, char **argv) argv[0]); } else { if(c->func) { - char *fake[] = { NULL, "--help", NULL }; + char shelp[] = "--help"; + char *fake[3]; fake[0] = argv[0]; + fake[1] = shelp; + fake[2] = NULL; (*c->func)(2, fake); fprintf(stderr, "\n"); } diff --git a/admin/list.c b/admin/list.c index 1dec14627..d2f082a96 100644 --- a/admin/list.c +++ b/admin/list.c @@ -113,7 +113,7 @@ do_list(struct list_options *opt, const char *keytab_str) rtbl_add_column_entry_by_id(table, 3, buf); } if(opt->keys_flag) { - int i; + size_t i; s = malloc(2 * entry.keyblock.keyvalue.length + 1); if (s == NULL) { krb5_warnx(context, "malloc failed"); diff --git a/base/dict.c b/base/dict.c index 7522c8c1c..7b30865f3 100644 --- a/base/dict.c +++ b/base/dict.c @@ -77,7 +77,7 @@ struct heim_type_data dict_object = { static size_t isprime(size_t p) { - int q, i; + size_t q, i; for(i = 2 ; i < p; i++) { q = p / i; diff --git a/kadmin/ank.c b/kadmin/ank.c index abb564a8f..0b7ebc027 100644 --- a/kadmin/ank.c +++ b/kadmin/ank.c 
@@ -39,21 +39,21 @@ */ static krb5_error_code -get_default (kadm5_server_context *context, +get_default (kadm5_server_context *contextp, krb5_principal princ, kadm5_principal_ent_t default_ent) { krb5_error_code ret; krb5_principal def_principal; - krb5_const_realm realm = krb5_principal_get_realm(context->context, princ); + krb5_const_realm realm = krb5_principal_get_realm(contextp->context, princ); - ret = krb5_make_principal (context->context, &def_principal, + ret = krb5_make_principal (contextp->context, &def_principal, realm, "default", NULL); if (ret) return ret; - ret = kadm5_get_principal (context, def_principal, default_ent, + ret = kadm5_get_principal (contextp, def_principal, default_ent, KADM5_PRINCIPAL_NORMAL_MASK); - krb5_free_principal (context->context, def_principal); + krb5_free_principal (contextp->context, def_principal); return ret; } diff --git a/kadmin/check.c b/kadmin/check.c index a9a915664..b5a03854a 100644 --- a/kadmin/check.c +++ b/kadmin/check.c @@ -86,7 +86,7 @@ do_check_entry(krb5_principal principal, void *data) ret = krb5_enctype_keysize(context, princ.key_data[i].key_data_type[0], &keysize); - if (ret == 0 && keysize != princ.key_data[i].key_data_length[0]) { + if (ret == 0 && keysize != (size_t)princ.key_data[i].key_data_length[0]) { krb5_warnx(context, "Principal %s enctype %d, wrong length: %lu\n", name, princ.key_data[i].key_data_type[0], diff --git a/kadmin/kadm_conn.c b/kadmin/kadm_conn.c index aaaa37962..e959d0362 100644 --- a/kadmin/kadm_conn.c +++ b/kadmin/kadm_conn.c @@ -43,12 +43,12 @@ struct kadm_port { } *kadm_ports; static void -add_kadm_port(krb5_context context, const char *service, unsigned int port) +add_kadm_port(krb5_context contextp, const char *service, unsigned int port) { struct kadm_port *p; p = malloc(sizeof(*p)); if(p == NULL) { - krb5_warnx(context, "failed to allocate %lu bytes\n", + krb5_warnx(contextp, "failed to allocate %lu bytes\n", (unsigned long)sizeof(*p)); return; } 
@@ -61,9 +61,9 @@ add_kadm_port(krb5_context context, const char *service, unsigned int port) } static void -add_standard_ports (krb5_context context) +add_standard_ports (krb5_context contextp) { - add_kadm_port(context, "kerberos-adm", 749); + add_kadm_port(contextp, "kerberos-adm", 749); } /* @@ -73,15 +73,15 @@ add_standard_ports (krb5_context context) */ void -parse_ports(krb5_context context, const char *str) +parse_ports(krb5_context contextp, const char *str) { char p[128]; while(strsep_copy(&str, " \t", p, sizeof(p)) != -1) { if(strcmp(p, "+") == 0) - add_standard_ports(context); + add_standard_ports(contextp); else - add_kadm_port(context, p, 0); + add_kadm_port(contextp, p, 0); } } @@ -120,10 +120,11 @@ terminate(int sig) } static int -spawn_child(krb5_context context, int *socks, +spawn_child(krb5_context contextp, int *socks, unsigned int num_socks, int this_sock) { - int e, i; + int e; + size_t i; struct sockaddr_storage __ss; struct sockaddr *sa = (struct sockaddr *)&__ss; socklen_t sa_size = sizeof(__ss); @@ -135,20 +136,20 @@ spawn_child(krb5_context context, int *socks, s = accept(socks[this_sock], sa, &sa_size); if(rk_IS_BAD_SOCKET(s)) { - krb5_warn(context, rk_SOCK_ERRNO, "accept"); + krb5_warn(contextp, rk_SOCK_ERRNO, "accept"); return 1; } - e = krb5_sockaddr2address(context, sa, &addr); + e = krb5_sockaddr2address(contextp, sa, &addr); if(e) - krb5_warn(context, e, "krb5_sockaddr2address"); + krb5_warn(contextp, e, "krb5_sockaddr2address"); else { e = krb5_print_address (&addr, buf, sizeof(buf), &buf_len); if(e) - krb5_warn(context, e, "krb5_print_address"); + krb5_warn(contextp, e, "krb5_print_address"); else - krb5_warnx(context, "connection from %s", buf); - krb5_free_address(context, &addr); + krb5_warnx(contextp, "connection from %s", buf); + krb5_free_address(contextp, &addr); } pid = fork(); 
@@ -167,7 +168,7 @@ spawn_child(krb5_context context, int *socks, } static void -wait_for_connection(krb5_context context, +wait_for_connection(krb5_context contextp, krb5_socket_t *socks, unsigned int num_socks) { unsigned int i; @@ -200,13 +201,13 @@ wait_for_connection(krb5_context context, e = select(max_fd + 1, &read_set, NULL, NULL, NULL); if(rk_IS_SOCKET_ERROR(e)) { if(rk_SOCK_ERRNO != EINTR) - krb5_warn(context, rk_SOCK_ERRNO, "select"); + krb5_warn(contextp, rk_SOCK_ERRNO, "select"); } else if(e == 0) - krb5_warnx(context, "select returned 0"); + krb5_warnx(contextp, "select returned 0"); else { for(i = 0; i < num_socks; i++) { if(FD_ISSET(socks[i], &read_set)) - if(spawn_child(context, socks, num_socks, i) == 0) + if(spawn_child(contextp, socks, num_socks, i) == 0) return; } } @@ -221,7 +222,7 @@ wait_for_connection(krb5_context context, void -start_server(krb5_context context, const char *port_str) +start_server(krb5_context contextp, const char *port_str) { int e; struct kadm_port *p; @@ -233,7 +234,7 @@ start_server(krb5_context context, const char *port_str) if (port_str == NULL) port_str = "+"; - parse_ports(context, port_str); + parse_ports(contextp, port_str); for(p = kadm_ports; p; p = p->next) { struct addrinfo hints, *ai, *ap; @@ -249,7 +250,7 @@ start_server(krb5_context context, const char *port_str) } if(e) { - krb5_warn(context, krb5_eai_to_heim_errno(e, errno), + krb5_warn(contextp, krb5_eai_to_heim_errno(e, errno), "%s", portstr); continue; } @@ -258,7 +259,7 @@ start_server(krb5_context context, const char *port_str) i++; tmp = realloc(socks, (num_socks + i) * sizeof(*socks)); if(tmp == NULL) { - krb5_warnx(context, "failed to reallocate %lu bytes", + krb5_warnx(contextp, "failed to reallocate %lu bytes", (unsigned long)(num_socks + i) * sizeof(*socks)); continue; } 
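Review bot: In the `@@ -258,7 +259,7 @@` hunk of start_server the `%lu` argument is still `(unsigned long)(num_socks + i) * sizeof(*socks)`, where the cast binds to `(num_socks + i)` only and the product takes the type of `sizeof`. On a platform where `size_t` is wider than `unsigned long`, the argument no longer matches `%lu`, which is the kind of mismatch this commit sets out to remove. Cast the whole product instead, `(unsigned long)((num_socks + i) * sizeof(*socks))`, as add_kadm_port in this file already does with `(unsigned long)sizeof(*p)`. start_server continues outside the hunk.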
@@ -266,7 +267,7 @@ start_server(krb5_context context, const char *port_str) for(ap = ai; ap; ap = ap->ai_next) { krb5_socket_t s = socket(ap->ai_family, ap->ai_socktype, ap->ai_protocol); if(rk_IS_BAD_SOCKET(s)) { - krb5_warn(context, rk_SOCK_ERRNO, "socket"); + krb5_warn(contextp, rk_SOCK_ERRNO, "socket"); continue; } @@ -274,12 +275,12 @@ start_server(krb5_context context, const char *port_str) socket_set_ipv6only(s, 1); if (rk_IS_SOCKET_ERROR(bind (s, ap->ai_addr, ap->ai_addrlen))) { - krb5_warn(context, rk_SOCK_ERRNO, "bind"); + krb5_warn(contextp, rk_SOCK_ERRNO, "bind"); rk_closesocket(s); continue; } if (rk_IS_SOCKET_ERROR(listen (s, SOMAXCONN))) { - krb5_warn(context, rk_SOCK_ERRNO, "listen"); + krb5_warn(contextp, rk_SOCK_ERRNO, "listen"); rk_closesocket(s); continue; } @@ -288,7 +289,7 @@ start_server(krb5_context context, const char *port_str) freeaddrinfo (ai); } if(num_socks == 0) - krb5_errx(context, 1, "no sockets to listen to - exiting"); + krb5_errx(contextp, 1, "no sockets to listen to - exiting"); - wait_for_connection(context, socks, num_socks); + wait_for_connection(contextp, socks, num_socks); } diff --git a/kadmin/kadmin.c b/kadmin/kadmin.c index 1548359a5..30ad9814d 100644 --- a/kadmin/kadmin.c +++ b/kadmin/kadmin.c @@ -52,9 +52,9 @@ static getarg_strings policy_libraries = { 0, NULL }; static struct getargs args[] = { { "principal", 'p', arg_string, &client_name, - "principal to authenticate as" }, + "principal to authenticate as", NULL }, { "keytab", 'K', arg_string, &keytab, - "keytab for authentication principal" }, + "keytab for authentication principal", NULL }, { "config-file", 'c', arg_string, &config_file, "location of config file", "file" 
@@ -75,7 +75,8 @@ static struct getargs args[] = { "server-port", 's', arg_integer, &server_port, "port to use", "port number" }, - { "ad", 0, arg_flag, &ad_flag, "active directory admin mode" }, + { "ad", 0, arg_flag, &ad_flag, "active directory admin mode", + NULL }, #ifdef HAVE_DLOPEN { "check-library", 0, arg_string, &check_library, "library to load password check function from", "library" }, @@ -84,9 +85,9 @@ static struct getargs args[] = { { "policy-libraries", 0, arg_strings, &policy_libraries, "password check function to load", "function" }, #endif - { "local", 'l', arg_flag, &local_flag, "local admin mode" }, - { "help", 'h', arg_flag, &help_flag }, - { "version", 'v', arg_flag, &version_flag } + { "local", 'l', arg_flag, &local_flag, "local admin mode", NULL }, + { "help", 'h', arg_flag, &help_flag, NULL, NULL }, + { "version", 'v', arg_flag, &version_flag, NULL, NULL } }; static int num_args = sizeof(args) / sizeof(args[0]); diff --git a/kadmin/kadmind.c b/kadmin/kadmind.c index f6bff9004..4708d0f6e 100644 --- a/kadmin/kadmind.c +++ b/kadmin/kadmind.c @@ -37,7 +37,8 @@ static char *check_library = NULL; static char *check_function = NULL; static getarg_strings policy_libraries = { 0, NULL }; static char *config_file; -static char *keytab_str = "HDB:"; +static char sHDB[] = "HDB:"; +static char *keytab_str = sHDB; static int help_flag; static int version_flag; static int debug_flag; @@ -65,12 +66,12 @@ static struct getargs args[] = { "password check function to load", "function" }, #endif { "debug", 'd', arg_flag, &debug_flag, - "enable debugging" + "enable debugging", NULL }, { "ports", 'p', arg_string, &port_str, "ports to listen to", "port" }, - { "help", 'h', arg_flag, &help_flag }, - { "version", 'v', arg_flag, &version_flag } + { "help", 'h', arg_flag, &help_flag, NULL, NULL }, + { "version", 'v', arg_flag, &version_flag, NULL, NULL } }; static int num_args = sizeof(args) / sizeof(args[0]); 
diff --git a/kadmin/load.c b/kadmin/load.c index db5b2bb4d..e1913cb2d 100644 --- a/kadmin/load.c +++ b/kadmin/load.c @@ -153,7 +153,7 @@ parse_keys(hdb_entry *ent, char *str) krb5_error_code ret; int tmp; char *p; - int i; + size_t i; p = strsep(&str, ":"); if (sscanf(p, "%d", &tmp) != 1) diff --git a/kadmin/mod.c b/kadmin/mod.c index d0c2d681e..7fa222a00 100644 --- a/kadmin/mod.c +++ b/kadmin/mod.c @@ -55,7 +55,7 @@ add_tl(kadm5_principal_ent_rec *princ, int type, krb5_data *data) } static void -add_constrained_delegation(krb5_context context, +add_constrained_delegation(krb5_context contextp, kadm5_principal_ent_rec *princ, struct getarg_strings *strings) { @@ -81,13 +81,13 @@ add_constrained_delegation(krb5_context context, ext.data.u.allowed_to_delegate_to.len = strings->num_strings; for (i = 0; i < strings->num_strings; i++) { - ret = krb5_parse_name(context, strings->strings[i], &p); + ret = krb5_parse_name(contextp, strings->strings[i], &p); if (ret) abort(); ret = copy_Principal(p, &ext.data.u.allowed_to_delegate_to.val[i]); if (ret) abort(); - krb5_free_principal(context, p); + krb5_free_principal(contextp, p); } } @@ -103,7 +103,7 @@ add_constrained_delegation(krb5_context context, } static void -add_aliases(krb5_context context, kadm5_principal_ent_rec *princ, +add_aliases(krb5_context contextp, kadm5_principal_ent_rec *princ, struct getarg_strings *strings) { krb5_error_code ret; @@ -128,9 +128,9 @@ add_aliases(krb5_context context, kadm5_principal_ent_rec *princ, ext.data.u.aliases.aliases.len = strings->num_strings; for (i = 0; i < strings->num_strings; i++) { - ret = krb5_parse_name(context, strings->strings[i], &p); + ret = krb5_parse_name(contextp, strings->strings[i], &p); ret = copy_Principal(p, &ext.data.u.aliases.aliases.val[i]); - krb5_free_principal(context, p); + krb5_free_principal(contextp, p); } } 
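Review bot: In add_aliases (kadmin/mod.c, hunk `@@ -128,9 +128,9 @@`) the result of `krb5_parse_name(contextp, strings->strings[i], &p)` is overwritten by the `copy_Principal` call on the next line without being looked at. An alias string that fails to parse therefore goes unreported, and `p` is passed on to `copy_Principal` and `krb5_free_principal` without a successful parse having set it. add_constrained_delegation in the same file tests both calls with `if (ret) abort();`; the touched lines here should do the same, or report the bad alias and skip it. Whether `ret` is examined after the loop cannot be seen from this hunk.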
@@ -146,7 +146,7 @@ add_aliases(krb5_context context, kadm5_principal_ent_rec *princ, } static void -add_pkinit_acl(krb5_context context, kadm5_principal_ent_rec *princ, +add_pkinit_acl(krb5_context contextp, kadm5_principal_ent_rec *princ, struct getarg_strings *strings) { krb5_error_code ret; diff --git a/kadmin/rpc.c b/kadmin/rpc.c index 1f28d8fac..cd68c9a01 100644 --- a/kadmin/rpc.c +++ b/kadmin/rpc.c @@ -161,7 +161,7 @@ parse_name(const unsigned char *p, size_t len, static void -gss_error(krb5_context context, +gss_error(krb5_context contextp, gss_OID mech, OM_uint32 type, OM_uint32 error) { OM_uint32 new_stat; @@ -176,7 +176,7 @@ gss_error(krb5_context context, mech, &msg_ctx, &status_string); - krb5_warnx(context, "%.*s", + krb5_warnx(contextp, "%.*s", (int)status_string.length, (char *)status_string.value); gss_release_buffer (&new_stat, &status_string); @@ -184,11 +184,11 @@ gss_error(krb5_context context, } static void -gss_print_errors (krb5_context context, +gss_print_errors (krb5_context contextp, OM_uint32 maj_stat, OM_uint32 min_stat) { - gss_error(context, GSS_C_NO_OID, GSS_C_GSS_CODE, maj_stat); - gss_error(context, GSS_C_NO_OID, GSS_C_MECH_CODE, min_stat); + gss_error(contextp, GSS_C_NO_OID, GSS_C_GSS_CODE, maj_stat); + gss_error(contextp, GSS_C_NO_OID, GSS_C_MECH_CODE, min_stat); } static int @@ -204,10 +204,10 @@ read_data(krb5_storage *sp, krb5_storage *msg, size_t len) tlen = sizeof(buf); slen = krb5_storage_read(sp, buf, tlen); - INSIST(slen == tlen); + INSIST((size_t)slen == tlen); slen = krb5_storage_write(msg, buf, tlen); - INSIST(slen == tlen); + INSIST((size_t)slen == tlen); len -= tlen; } @@ -252,7 +252,7 @@ store_data_xdr(krb5_storage *sp, krb5_data data) static const char zero[4] = { 0, 0, 0, 0 }; ret = krb5_storage_write(sp, zero, res); - if(ret != res) + if((size_t)ret != res) return (ret < 0)? errno : krb5_storage_get_eof_code(sp); } return 0; 
@@ -273,7 +273,7 @@ ret_data_xdr(krb5_storage *sp, krb5_data *data) res = 4 - (data->length % 4); if (res != 4) { ret = krb5_storage_read(sp, buf, res); - if(ret != res) + if((size_t)ret != res) return (ret < 0)? errno : krb5_storage_get_eof_code(sp); } } @@ -362,19 +362,19 @@ ret_string_xdr(krb5_storage *sp, char **str) } static int -store_principal_xdr(krb5_context context, +store_principal_xdr(krb5_context contextp, krb5_storage *sp, krb5_principal p) { char *str; - CHECK(krb5_unparse_name(context, p, &str)); + CHECK(krb5_unparse_name(contextp, p, &str)); CHECK(store_string_xdr(sp, str)); free(str); return 0; } static int -ret_principal_xdr(krb5_context context, +ret_principal_xdr(krb5_context contextp, krb5_storage *sp, krb5_principal *p) { @@ -382,27 +382,27 @@ ret_principal_xdr(krb5_context context, *p = NULL; CHECK(ret_string_xdr(sp, &str)); if (str) { - CHECK(krb5_parse_name(context, str, p)); + CHECK(krb5_parse_name(contextp, str, p)); free(str); } return 0; } static int -store_principal_ent(krb5_context context, +store_principal_ent(krb5_context contextp, krb5_storage *sp, kadm5_principal_ent_rec *ent) { - size_t i; + int i; - CHECK(store_principal_xdr(context, sp, ent->principal)); + CHECK(store_principal_xdr(contextp, sp, ent->principal)); CHECK(krb5_store_uint32(sp, ent->princ_expire_time)); CHECK(krb5_store_uint32(sp, ent->pw_expiration)); CHECK(krb5_store_uint32(sp, ent->last_pwd_change)); CHECK(krb5_store_uint32(sp, ent->max_life)); CHECK(krb5_store_int32(sp, ent->mod_name == NULL)); if (ent->mod_name) - CHECK(store_principal_xdr(context, sp, ent->mod_name)); + CHECK(store_principal_xdr(contextp, sp, ent->mod_name)); CHECK(krb5_store_uint32(sp, ent->mod_date)); CHECK(krb5_store_uint32(sp, ent->attributes)); CHECK(krb5_store_uint32(sp, ent->kvno)); 
@@ -443,7 +443,7 @@ store_principal_ent(krb5_context context, } static int -ret_principal_ent(krb5_context context, +ret_principal_ent(krb5_context contextp, krb5_storage *sp, kadm5_principal_ent_rec *ent) { @@ -452,7 +452,7 @@ ret_principal_ent(krb5_context context, memset(ent, 0, sizeof(*ent)); - CHECK(ret_principal_xdr(context, sp, &ent->principal)); + CHECK(ret_principal_xdr(contextp, sp, &ent->principal)); CHECK(krb5_ret_uint32(sp, &flag)); ent->princ_expire_time = flag; CHECK(krb5_ret_uint32(sp, &flag)); @@ -463,7 +463,7 @@ ret_principal_ent(krb5_context context, ent->max_life = flag; CHECK(krb5_ret_uint32(sp, &flag)); if (flag == 0) - ret_principal_xdr(context, sp, &ent->mod_name); + ret_principal_xdr(contextp, sp, &ent->mod_name); CHECK(krb5_ret_uint32(sp, &flag)); ent->mod_date = flag; CHECK(krb5_ret_uint32(sp, &flag)); @@ -508,13 +508,13 @@ ret_principal_ent(krb5_context context, count++; } - INSIST(ent->n_tl_data == count); + INSIST((size_t)ent->n_tl_data == count); } else { INSIST(ent->n_tl_data == 0); } CHECK(krb5_ret_uint32(sp, &num)); - INSIST(num == ent->n_key_data); + INSIST(num == (uint32_t)ent->n_key_data); ent->key_data = calloc(num, sizeof(ent->key_data[0])); INSIST(ent->key_data != NULL); @@ -538,7 +538,7 @@ ret_principal_ent(krb5_context context, */ static void -proc_create_principal(kadm5_server_context *context, +proc_create_principal(kadm5_server_context *contextp, krb5_storage *in, krb5_storage *out) { 
@@ -551,30 +551,30 @@ proc_create_principal(kadm5_server_context *context, CHECK(krb5_ret_uint32(in, &version)); INSIST(version == VERSION2); - CHECK(ret_principal_ent(context->context, in, &ent)); + CHECK(ret_principal_ent(contextp->context, in, &ent)); CHECK(krb5_ret_uint32(in, &mask)); CHECK(ret_string_xdr(in, &password)); INSIST(ent.principal); - ret = _kadm5_acl_check_permission(context, KADM5_PRIV_ADD, ent.principal); + ret = _kadm5_acl_check_permission(contextp, KADM5_PRIV_ADD, ent.principal); if (ret) goto fail; - ret = kadm5_create_principal(context, &ent, mask, password); + ret = kadm5_create_principal(contextp, &ent, mask, password); fail: - krb5_warn(context->context, ret, "create principal"); + krb5_warn(contextp->context, ret, "create principal"); CHECK(krb5_store_uint32(out, VERSION2)); /* api version */ CHECK(krb5_store_uint32(out, ret)); /* code */ free(password); - kadm5_free_principal_ent(context, &ent); + kadm5_free_principal_ent(contextp, &ent); } static void -proc_delete_principal(kadm5_server_context *context, +proc_delete_principal(kadm5_server_context *contextp, krb5_storage *in, krb5_storage *out) { 
@@ -584,24 +584,24 @@ proc_delete_principal(kadm5_server_context *context, CHECK(krb5_ret_uint32(in, &version)); INSIST(version == VERSION2); - CHECK(ret_principal_xdr(context->context, in, &princ)); + CHECK(ret_principal_xdr(contextp->context, in, &princ)); - ret = _kadm5_acl_check_permission(context, KADM5_PRIV_DELETE, princ); + ret = _kadm5_acl_check_permission(contextp, KADM5_PRIV_DELETE, princ); if (ret) goto fail; - ret = kadm5_delete_principal(context, princ); + ret = kadm5_delete_principal(contextp, princ); fail: - krb5_warn(context->context, ret, "delete principal"); + krb5_warn(contextp->context, ret, "delete principal"); CHECK(krb5_store_uint32(out, VERSION2)); /* api version */ CHECK(krb5_store_uint32(out, ret)); /* code */ - krb5_free_principal(context->context, princ); + krb5_free_principal(contextp->context, princ); } static void -proc_get_principal(kadm5_server_context *context, +proc_get_principal(kadm5_server_context *contextp, krb5_storage *in, krb5_storage *out) { 
@@ -614,29 +614,29 @@ proc_get_principal(kadm5_server_context *context, CHECK(krb5_ret_uint32(in, &version)); INSIST(version == VERSION2); - CHECK(ret_principal_xdr(context->context, in, &princ)); + CHECK(ret_principal_xdr(contextp->context, in, &princ)); CHECK(krb5_ret_uint32(in, &mask)); - ret = _kadm5_acl_check_permission(context, KADM5_PRIV_GET, princ); + ret = _kadm5_acl_check_permission(contextp, KADM5_PRIV_GET, princ); if(ret) goto fail; - ret = kadm5_get_principal(context, princ, &ent, mask); + ret = kadm5_get_principal(contextp, princ, &ent, mask); fail: - krb5_warn(context->context, ret, "get principal principal"); + krb5_warn(contextp->context, ret, "get principal principal"); CHECK(krb5_store_uint32(out, VERSION2)); /* api version */ CHECK(krb5_store_uint32(out, ret)); /* code */ if (ret == 0) { - CHECK(store_principal_ent(context->context, out, &ent)); + CHECK(store_principal_ent(contextp->context, out, &ent)); } - krb5_free_principal(context->context, princ); - kadm5_free_principal_ent(context, &ent); + krb5_free_principal(contextp->context, princ); + kadm5_free_principal_ent(contextp, &ent); } static void -proc_chrand_principal_v2(kadm5_server_context *context, +proc_chrand_principal_v2(kadm5_server_context *contextp, krb5_storage *in, krb5_storage *out) { 
@@ -648,36 +648,36 @@ proc_chrand_principal_v2(kadm5_server_context *context, CHECK(krb5_ret_uint32(in, &version)); INSIST(version == VERSION2); - CHECK(ret_principal_xdr(context->context, in, &princ)); + CHECK(ret_principal_xdr(contextp->context, in, &princ)); - ret = _kadm5_acl_check_permission(context, KADM5_PRIV_CPW, princ); + ret = _kadm5_acl_check_permission(contextp, KADM5_PRIV_CPW, princ); if(ret) goto fail; - ret = kadm5_randkey_principal(context, princ, + ret = kadm5_randkey_principal(contextp, princ, &new_keys, &n_keys); fail: - krb5_warn(context->context, ret, "rand key principal"); + krb5_warn(contextp->context, ret, "rand key principal"); CHECK(krb5_store_uint32(out, VERSION2)); /* api version */ CHECK(krb5_store_uint32(out, ret)); if (ret == 0) { - size_t i; + int i; CHECK(krb5_store_int32(out, n_keys)); for(i = 0; i < n_keys; i++){ CHECK(krb5_store_uint32(out, new_keys[i].keytype)); CHECK(store_data_xdr(out, new_keys[i].keyvalue)); - krb5_free_keyblock_contents(context->context, &new_keys[i]); + krb5_free_keyblock_contents(contextp->context, &new_keys[i]); } free(new_keys); } - krb5_free_principal(context->context, princ); + krb5_free_principal(contextp->context, princ); } static void -proc_init(kadm5_server_context *context, +proc_init(kadm5_server_context *contextp, krb5_storage *in, krb5_storage *out) { @@ -687,7 +687,7 @@ proc_init(kadm5_server_context *context, } struct krb5_proc { - char *name; + const char *name; void (*func)(kadm5_server_context *, krb5_storage *, krb5_storage *); } procs[] = { { "NULL", NULL }, @@ -723,7 +723,7 @@ copyheader(krb5_storage *sp, krb5_data *data) off = krb5_storage_seek(sp, 0, SEEK_CUR); CHECK(krb5_data_alloc(data, off)); - INSIST(off == data->length); + INSIST((size_t)off == data->length); krb5_storage_seek(sp, 0, SEEK_SET); sret = krb5_storage_read(sp, data->data, data->length); INSIST(sret == off); 
@@ -741,7 +741,7 @@ struct gctx { }; static int -process_stream(krb5_context context, +process_stream(krb5_context contextp, unsigned char *buf, size_t ilen, krb5_storage *sp) { @@ -792,7 +792,7 @@ process_stream(krb5_context context, if (ilen < 4) { memcpy(tmp, buf, ilen); slen = krb5_storage_read(sp, tmp + ilen, sizeof(tmp) - ilen); - INSIST(slen == sizeof(tmp) - ilen); + INSIST((size_t)slen == sizeof(tmp) - ilen); ilen = sizeof(tmp); buf = tmp; @@ -809,12 +809,12 @@ process_stream(krb5_context context, if (ilen) { if (len < ilen) { slen = krb5_storage_write(msg, buf, len); - INSIST(slen == len); + INSIST((size_t)slen == len); ilen -= len; len = 0; } else { slen = krb5_storage_write(msg, buf, ilen); - INSIST(slen == ilen); + INSIST((size_t)slen == ilen); len -= ilen; } } @@ -824,14 +824,14 @@ process_stream(krb5_context context, if (!last_fragment) { ret = collect_framents(sp, msg); if (ret == HEIM_ERR_EOF) - krb5_errx(context, 0, "client disconnected"); + krb5_errx(contextp, 0, "client disconnected"); INSIST(ret == 0); } } else { ret = collect_framents(sp, msg); if (ret == HEIM_ERR_EOF) - krb5_errx(context, 0, "client disconnected"); + krb5_errx(contextp, 0, "client disconnected"); INSIST(ret == 0); } krb5_storage_seek(msg, 0, SEEK_SET); @@ -873,7 +873,7 @@ process_stream(krb5_context context, krb5_data data; int conf_state; uint32_t seq; - krb5_storage *sp; + krb5_storage *sp1; INSIST(gcred.service == rpg_privacy); @@ -892,10 +892,10 @@ process_stream(krb5_context context, INSIST(maj_stat == GSS_S_COMPLETE); INSIST(conf_state != 0); - sp = krb5_storage_from_mem(gout.value, gout.length); - INSIST(sp != NULL); + sp1 = krb5_storage_from_mem(gout.value, gout.length); + INSIST(sp1 != NULL); - CHECK(krb5_ret_uint32(sp, &seq)); + CHECK(krb5_ret_uint32(sp1, &seq)); INSIST (seq == gcred.seq_num); /* 
@@ -905,19 +905,19 @@ process_stream(krb5_context context, gctx.seq_num = seq; /* - * If context is setup, priv data have the seq_num stored + * If contextp is setup, priv data have the seq_num stored * first in the block, so add it here before users data is * added. */ CHECK(krb5_store_uint32(dreply, gctx.seq_num)); if (chdr.proc >= sizeof(procs)/sizeof(procs[0])) { - krb5_warnx(context, "proc number out of array"); + krb5_warnx(contextp, "proc number out of array"); } else if (procs[chdr.proc].func == NULL) { - krb5_warnx(context, "proc '%s' never implemented", + krb5_warnx(contextp, "proc '%s' never implemented", procs[chdr.proc].name); } else { - krb5_warnx(context, "proc %s", procs[chdr.proc].name); + krb5_warnx(contextp, "proc %s", procs[chdr.proc].name); INSIST(server_handle != NULL); (*procs[chdr.proc].func)(server_handle, sp, dreply); } @@ -957,29 +957,29 @@ process_stream(krb5_context context, NULL, NULL); if (GSS_ERROR(maj_stat)) { - gss_print_errors(context, maj_stat, min_stat); - krb5_errx(context, 1, "gss error, exit"); + gss_print_errors(contextp, maj_stat, min_stat); + krb5_errx(contextp, 1, "gss error, exit"); } if ((maj_stat & GSS_S_CONTINUE_NEEDED) == 0) { kadm5_config_params realm_params; - gss_buffer_desc buf; + gss_buffer_desc bufp; char *client; gctx.done = 1; memset(&realm_params, 0, sizeof(realm_params)); - maj_stat = gss_export_name(&min_stat, src_name, &buf); + maj_stat = gss_export_name(&min_stat, src_name, &bufp); INSIST(maj_stat == GSS_S_COMPLETE); - CHECK(parse_name(buf.value, buf.length, + CHECK(parse_name(bufp.value, bufp.length, GSS_KRB5_MECHANISM, &client)); - gss_release_buffer(&min_stat, &buf); + gss_release_buffer(&min_stat, &bufp); - krb5_warnx(context, "%s connected", client); + krb5_warnx(contextp, "%s connected", client); - ret = kadm5_s_init_with_password_ctx(context, + ret = kadm5_s_init_with_password_ctx(contextp, client, NULL, KADM5_ADMIN_SERVICE, 
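Review bot: The call `(*procs[chdr.proc].func)(server_handle, sp, dreply);` kept as context in the -905 hunk still names `sp`, although the preceding hunk renames the block-local storage built from the unwrapped GSS payload to `sp1`. If this call sits in that same block (it uses the block's `seq`, so it appears to), `sp` now resolves to process_stream's own storage parameter, and the handler would read from the connection stream instead of the decrypted request. Before the rename the inner declaration shadowed the parameter, so this is a behaviour change, not a warning fix. It should read `(*procs[chdr.proc].func)(server_handle, sp1, dreply);`, and any other use of `sp` later in the block, outside the hunk, needs the same review.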
@@ -1002,9 +1002,9 @@ process_stream(krb5_context context, break; } case RPG_DESTROY: - krb5_errx(context, 1, "client destroyed gss context"); + krb5_errx(contextp, 1, "client destroyed gss contextp"); default: - krb5_errx(context, 1, "client sent unknown gsscode %d", + krb5_errx(contextp, 1, "client sent unknown gsscode %d", (int)gcred.proc); } @@ -1026,7 +1026,7 @@ process_stream(krb5_context context, CHECK(krb5_store_uint32(reply, 0)); /* SUCCESS */ CHECK(krb5_storage_to_data(dreply, &data)); - INSIST(krb5_storage_write(reply, data.data, data.length) == data.length); + INSIST((size_t)krb5_storage_write(reply, data.data, data.length) == data.length); krb5_data_free(&data); } else { @@ -1054,7 +1054,7 @@ process_stream(krb5_context context, ssize_t sret; gctx.inprogress = 0; sret = krb5_storage_write(reply, data.data, data.length); - INSIST(sret == data.length); + INSIST((size_t)sret == data.length); krb5_data_free(&data); } else { int conf_state; @@ -1082,7 +1082,7 @@ process_stream(krb5_context context, CHECK(krb5_storage_to_data(reply, &data)); CHECK(krb5_store_uint32(sp, data.length | LAST_FRAGMENT)); sret = krb5_storage_write(sp, data.data, data.length); - INSIST(sret == data.length); + INSIST((size_t)sret == data.length); krb5_data_free(&data); } @@ -1091,16 +1091,16 @@ process_stream(krb5_context context, int -handle_mit(krb5_context context, void *buf, size_t len, krb5_socket_t sock) +handle_mit(krb5_context contextp, void *buf, size_t len, krb5_socket_t sock) { krb5_storage *sp; - dcontext = context; + dcontext = contextp; sp = krb5_storage_from_fd(sock); INSIST(sp != NULL); - process_stream(context, buf, len, sp); + process_stream(contextp, buf, len, sp); return 0; } diff --git a/kadmin/server.c b/kadmin/server.c index 33d8839d1..e9e70ae2c 100644 --- a/kadmin/server.c +++ b/kadmin/server.c 
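Review bot: The mechanical rename also changed a runtime string in the RPG_DESTROY case: `"client destroyed gss contextp"` is a log message about the GSS context, not about the renamed variable. It should stay `"client destroyed gss context"` so existing log matching keeps working. The comment `If contextp is setup, priv data have the seq_num stored` in the -905 hunk has the same slip.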
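Review bot: In the -1026 hunk, `INSIST((size_t)krb5_storage_write(reply, data.data, data.length) == data.length);` performs the write inside the assertion macro. INSIST's definition is not on this page; if it can ever be compiled out, the reply body would silently stop being written. The -1054 and -1082 hunks already use the safer two-step form, so write `sret = krb5_storage_write(reply, data.data, data.length); INSIST((size_t)sret == data.length);` here as well. Whether an `sret` is in scope at this point is outside the hunk.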
@@ -35,14 +35,14 @@ #include static kadm5_ret_t -kadmind_dispatch(void *kadm_handle, krb5_boolean initial, +kadmind_dispatch(void *kadm_handlep, krb5_boolean initial, krb5_data *in, krb5_data *out) { kadm5_ret_t ret; int32_t cmd, mask, tmp; - kadm5_server_context *context = kadm_handle; + kadm5_server_context *contextp = kadm_handlep; char client[128], name[128], name2[128]; - char *op = ""; + const char *op = ""; krb5_principal princ, princ2; kadm5_principal_ent_rec ent; char *password, *expression; @@ -52,12 +52,12 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial, int n_princs; krb5_storage *sp; - krb5_unparse_name_fixed(context->context, context->caller, + krb5_unparse_name_fixed(contextp->context, contextp->caller, client, sizeof(client)); sp = krb5_storage_from_data(in); if (sp == NULL) - krb5_errx(context->context, 1, "out of memory"); + krb5_errx(contextp->context, 1, "out of memory"); krb5_ret_int32(sp, &cmd); switch(cmd){ 
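Review bot: In the -52 hunk, `krb5_ret_int32(sp, &cmd);` ignores its return value and `cmd` is declared without an initializer. A request too short to hold the command word therefore reaches `switch(cmd)` with an indeterminate value. The later reads in kadmind_dispatch do check `ret`, so use `ret = krb5_ret_int32(sp, &cmd); if (ret) goto fail;` here too. The `fail:` label is further down the function, outside this hunk.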
@@ -68,26 +68,26 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial, goto fail; ret = krb5_ret_int32(sp, &mask); if(ret){ - krb5_free_principal(context->context, princ); + krb5_free_principal(contextp->context, princ); goto fail; } mask |= KADM5_PRINCIPAL; - krb5_unparse_name_fixed(context->context, princ, name, sizeof(name)); - krb5_warnx(context->context, "%s: %s %s", client, op, name); - ret = _kadm5_acl_check_permission(context, KADM5_PRIV_GET, princ); + krb5_unparse_name_fixed(contextp->context, princ, name, sizeof(name)); + krb5_warnx(contextp->context, "%s: %s %s", client, op, name); + ret = _kadm5_acl_check_permission(contextp, KADM5_PRIV_GET, princ); if(ret){ - krb5_free_principal(context->context, princ); + krb5_free_principal(contextp->context, princ); goto fail; } - ret = kadm5_get_principal(kadm_handle, princ, &ent, mask); + ret = kadm5_get_principal(kadm_handlep, princ, &ent, mask); krb5_storage_free(sp); sp = krb5_storage_emem(); krb5_store_int32(sp, ret); if(ret == 0){ kadm5_store_principal_ent(sp, &ent); - kadm5_free_principal_ent(kadm_handle, &ent); + kadm5_free_principal_ent(kadm_handlep, &ent); } - krb5_free_principal(context->context, princ); + krb5_free_principal(contextp->context, princ); break; } case kadm_delete:{ 
@@ -95,15 +95,15 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial, ret = krb5_ret_principal(sp, &princ); if(ret) goto fail; - krb5_unparse_name_fixed(context->context, princ, name, sizeof(name)); - krb5_warnx(context->context, "%s: %s %s", client, op, name); - ret = _kadm5_acl_check_permission(context, KADM5_PRIV_DELETE, princ); + krb5_unparse_name_fixed(contextp->context, princ, name, sizeof(name)); + krb5_warnx(contextp->context, "%s: %s %s", client, op, name); + ret = _kadm5_acl_check_permission(contextp, KADM5_PRIV_DELETE, princ); if(ret){ - krb5_free_principal(context->context, princ); + krb5_free_principal(contextp->context, princ); goto fail; } - ret = kadm5_delete_principal(kadm_handle, princ); - krb5_free_principal(context->context, princ); + ret = kadm5_delete_principal(kadm_handlep, princ); + krb5_free_principal(contextp->context, princ); krb5_storage_free(sp); sp = krb5_storage_emem(); krb5_store_int32(sp, ret); 
@@ -116,28 +116,28 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial, goto fail; ret = krb5_ret_int32(sp, &mask); if(ret){ - kadm5_free_principal_ent(context->context, &ent); + kadm5_free_principal_ent(contextp->context, &ent); goto fail; } ret = krb5_ret_string(sp, &password); if(ret){ - kadm5_free_principal_ent(context->context, &ent); + kadm5_free_principal_ent(contextp->context, &ent); goto fail; } - krb5_unparse_name_fixed(context->context, ent.principal, + krb5_unparse_name_fixed(contextp->context, ent.principal, name, sizeof(name)); - krb5_warnx(context->context, "%s: %s %s", client, op, name); - ret = _kadm5_acl_check_permission(context, KADM5_PRIV_ADD, + krb5_warnx(contextp->context, "%s: %s %s", client, op, name); + ret = _kadm5_acl_check_permission(contextp, KADM5_PRIV_ADD, ent.principal); if(ret){ - kadm5_free_principal_ent(context->context, &ent); + kadm5_free_principal_ent(contextp->context, &ent); memset(password, 0, strlen(password)); free(password); goto fail; } - ret = kadm5_create_principal(kadm_handle, &ent, + ret = kadm5_create_principal(kadm_handlep, &ent, mask, password); - kadm5_free_principal_ent(kadm_handle, &ent); + kadm5_free_principal_ent(kadm_handlep, &ent); memset(password, 0, strlen(password)); free(password); krb5_storage_free(sp); 
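Review bot: Three error paths in the kadm_create case call `kadm5_free_principal_ent(contextp->context, &ent)`, while the normal path in the same hunk passes `kadm_handlep` and the kadm_modify hunk passes `contextp`. The prototype is not on this page, but the first argument appears to be the server handle rather than the `krb5_context` stored inside it. The rename touched all of these lines and was the moment to make them agree: `kadm5_free_principal_ent(kadm_handlep, &ent);`.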
@@ -152,20 +152,20 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial, goto fail; ret = krb5_ret_int32(sp, &mask); if(ret){ - kadm5_free_principal_ent(context, &ent); + kadm5_free_principal_ent(contextp, &ent); goto fail; } - krb5_unparse_name_fixed(context->context, ent.principal, + krb5_unparse_name_fixed(contextp->context, ent.principal, name, sizeof(name)); - krb5_warnx(context->context, "%s: %s %s", client, op, name); - ret = _kadm5_acl_check_permission(context, KADM5_PRIV_MODIFY, + krb5_warnx(contextp->context, "%s: %s %s", client, op, name); + ret = _kadm5_acl_check_permission(contextp, KADM5_PRIV_MODIFY, ent.principal); if(ret){ - kadm5_free_principal_ent(context, &ent); + kadm5_free_principal_ent(contextp, &ent); goto fail; } - ret = kadm5_modify_principal(kadm_handle, &ent, mask); - kadm5_free_principal_ent(kadm_handle, &ent); + ret = kadm5_modify_principal(kadm_handlep, &ent, mask); + kadm5_free_principal_ent(kadm_handlep, &ent); krb5_storage_free(sp); sp = krb5_storage_emem(); krb5_store_int32(sp, ret); 
@@ -178,27 +178,27 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial, goto fail; ret = krb5_ret_principal(sp, &princ2); if(ret){ - krb5_free_principal(context->context, princ); + krb5_free_principal(contextp->context, princ); goto fail; } - krb5_unparse_name_fixed(context->context, princ, name, sizeof(name)); - krb5_unparse_name_fixed(context->context, princ2, name2, sizeof(name2)); - krb5_warnx(context->context, "%s: %s %s -> %s", + krb5_unparse_name_fixed(contextp->context, princ, name, sizeof(name)); + krb5_unparse_name_fixed(contextp->context, princ2, name2, sizeof(name2)); + krb5_warnx(contextp->context, "%s: %s %s -> %s", client, op, name, name2); - ret = _kadm5_acl_check_permission(context, + ret = _kadm5_acl_check_permission(contextp, KADM5_PRIV_ADD, princ2) - || _kadm5_acl_check_permission(context, + || _kadm5_acl_check_permission(contextp, KADM5_PRIV_DELETE, princ); if(ret){ - krb5_free_principal(context->context, princ); - krb5_free_principal(context->context, princ2); + krb5_free_principal(contextp->context, princ); + krb5_free_principal(contextp->context, princ2); goto fail; } - ret = kadm5_rename_principal(kadm_handle, princ, princ2); - krb5_free_principal(context->context, princ); - krb5_free_principal(context->context, princ2); + ret = kadm5_rename_principal(kadm_handlep, princ, princ2); + krb5_free_principal(contextp->context, princ); + krb5_free_principal(contextp->context, princ2); krb5_storage_free(sp); sp = krb5_storage_emem(); krb5_store_int32(sp, ret); 
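Review bot: `ret = _kadm5_acl_check_permission(contextp, KADM5_PRIV_ADD, princ2) || _kadm5_acl_check_permission(contextp, KADM5_PRIV_DELETE, princ);` reduces the result to 0 or 1. The access decision is still correct, since both checks must pass, but on denial the `fail:` path logs and returns `1` instead of the kadm5 error code the ACL check produced. Keep the code by splitting the call: `ret = _kadm5_acl_check_permission(contextp, KADM5_PRIV_ADD, princ2); if (ret == 0) ret = _kadm5_acl_check_permission(contextp, KADM5_PRIV_DELETE, princ);`.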
@@ -211,11 +211,11 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial, goto fail; ret = krb5_ret_string(sp, &password); if(ret){ - krb5_free_principal(context->context, princ); + krb5_free_principal(contextp->context, princ); goto fail; } - krb5_unparse_name_fixed(context->context, princ, name, sizeof(name)); - krb5_warnx(context->context, "%s: %s %s", client, op, name); + krb5_unparse_name_fixed(contextp->context, princ, name, sizeof(name)); + krb5_warnx(contextp->context, "%s: %s %s", client, op, name); /* * The change is allowed if at least one of: @@ -227,7 +227,7 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial, */ if (initial - && krb5_principal_compare (context->context, context->caller, + && krb5_principal_compare (contextp->context, contextp->caller, princ)) { krb5_data pwd_data; @@ -236,23 +236,23 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial, pwd_data.data = password; pwd_data.length = strlen(password); - pwd_reason = kadm5_check_password_quality (context->context, + pwd_reason = kadm5_check_password_quality (contextp->context, princ, &pwd_data); if (pwd_reason != NULL) ret = KADM5_PASS_Q_DICT; else ret = 0; } else - ret = _kadm5_acl_check_permission(context, KADM5_PRIV_CPW, princ); + ret = _kadm5_acl_check_permission(contextp, KADM5_PRIV_CPW, princ); if(ret) { - krb5_free_principal(context->context, princ); + krb5_free_principal(contextp->context, princ); memset(password, 0, strlen(password)); free(password); goto fail; } - ret = kadm5_chpass_principal(kadm_handle, princ, password); - krb5_free_principal(context->context, princ); + ret = kadm5_chpass_principal(kadm_handlep, princ, password); + krb5_free_principal(contextp->context, princ); memset(password, 0, strlen(password)); free(password); krb5_storage_free(sp); 
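Review bot: In the -236 hunk, `memset(password, 0, strlen(password)); free(password);` is a dead store from the compiler's point of view and may be removed under optimisation. That would leave the cleartext password in freed heap memory. The pair appears twice in this hunk and twice in the kadm_create hunk above. Route all four through one small helper that clears through a `volatile unsigned char *` (or the platform's `explicit_bzero`/`memset_s` where available) before the `free`.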
@@ -271,21 +271,21 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial, goto fail; ret = krb5_ret_int32(sp, &n_key_data); if (ret) { - krb5_free_principal(context->context, princ); + krb5_free_principal(contextp->context, princ); goto fail; } /* n_key_data will be squeezed into an int16_t below. */ if (n_key_data < 0 || n_key_data >= 1 << 16 || - n_key_data > UINT_MAX/sizeof(*key_data)) { + (size_t)n_key_data > UINT_MAX/sizeof(*key_data)) { ret = ERANGE; - krb5_free_principal(context->context, princ); + krb5_free_principal(contextp->context, princ); goto fail; } key_data = malloc (n_key_data * sizeof(*key_data)); if (key_data == NULL && n_key_data != 0) { ret = ENOMEM; - krb5_free_principal(context->context, princ); + krb5_free_principal(contextp->context, princ); goto fail; } 
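Review bot: The range check `n_key_data >= 1 << 16` admits values up to 65535, but the comment above it and the `int16_t dummy = n_key_data;` assignments in the following hunk need the count to fit a signed 16-bit type. A client-supplied count between 32768 and 65535 passes the check and is then narrowed, typically to a negative `dummy`, before being handed to `kadm5_free_key_data`. Tighten the bound to `n_key_data > INT16_MAX`. The header that provides `int16_t` should already supply that macro, but the include list is not on this page.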
@@ -294,38 +294,38 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial, if (ret) { int16_t dummy = i; - kadm5_free_key_data (context, &dummy, key_data); + kadm5_free_key_data (contextp, &dummy, key_data); free (key_data); - krb5_free_principal(context->context, princ); + krb5_free_principal(contextp->context, princ); goto fail; } } - krb5_unparse_name_fixed(context->context, princ, name, sizeof(name)); - krb5_warnx(context->context, "%s: %s %s", client, op, name); + krb5_unparse_name_fixed(contextp->context, princ, name, sizeof(name)); + krb5_warnx(contextp->context, "%s: %s %s", client, op, name); /* * The change is only allowed if the user is on the CPW ACL, * this it to force password quality check on the user. */ - ret = _kadm5_acl_check_permission(context, KADM5_PRIV_CPW, princ); + ret = _kadm5_acl_check_permission(contextp, KADM5_PRIV_CPW, princ); if(ret) { int16_t dummy = n_key_data; - kadm5_free_key_data (context, &dummy, key_data); + kadm5_free_key_data (contextp, &dummy, key_data); free (key_data); - krb5_free_principal(context->context, princ); + krb5_free_principal(contextp->context, princ); goto fail; } - ret = kadm5_chpass_principal_with_key(kadm_handle, princ, + ret = kadm5_chpass_principal_with_key(kadm_handlep, princ, n_key_data, key_data); { int16_t dummy = n_key_data; - kadm5_free_key_data (context, &dummy, key_data); + kadm5_free_key_data (contextp, &dummy, key_data); } free (key_data); - krb5_free_principal(context->context, princ); + krb5_free_principal(contextp->context, princ); krb5_storage_free(sp); sp = krb5_storage_emem(); krb5_store_int32(sp, ret); 
@@ -336,8 +336,8 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial, ret = krb5_ret_principal(sp, &princ); if(ret) goto fail; - krb5_unparse_name_fixed(context->context, princ, name, sizeof(name)); - krb5_warnx(context->context, "%s: %s %s", client, op, name); + krb5_unparse_name_fixed(contextp->context, princ, name, sizeof(name)); + krb5_warnx(contextp->context, "%s: %s %s", client, op, name); /* * The change is allowed if at least one of: * a) it's for the principal him/herself and this was an initial ticket @@ -345,19 +345,19 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial, */ if (initial - && krb5_principal_compare (context->context, context->caller, + && krb5_principal_compare (contextp->context, contextp->caller, princ)) ret = 0; else - ret = _kadm5_acl_check_permission(context, KADM5_PRIV_CPW, princ); + ret = _kadm5_acl_check_permission(contextp, KADM5_PRIV_CPW, princ); if(ret) { - krb5_free_principal(context->context, princ); + krb5_free_principal(contextp->context, princ); goto fail; } - ret = kadm5_randkey_principal(kadm_handle, princ, + ret = kadm5_randkey_principal(kadm_handlep, princ, &new_keys, &n_keys); - krb5_free_principal(context->context, princ); + krb5_free_principal(contextp->context, princ); krb5_storage_free(sp); sp = krb5_storage_emem(); krb5_store_int32(sp, ret); @@ -366,7 +366,7 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial, krb5_store_int32(sp, n_keys); for(i = 0; i < n_keys; i++){ krb5_store_keyblock(sp, new_keys[i]); - krb5_free_keyblock_contents(context->context, &new_keys[i]); + krb5_free_keyblock_contents(contextp->context, &new_keys[i]); } free(new_keys); } @@ -374,7 +374,7 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial, } case kadm_get_privs:{ uint32_t privs; - ret = kadm5_get_privs(kadm_handle, &privs); + ret = kadm5_get_privs(kadm_handlep, &privs); krb5_storage_free(sp); sp = krb5_storage_emem(); krb5_store_int32(sp, ret); 
@@ -393,14 +393,14 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial, goto fail; }else expression = NULL; - krb5_warnx(context->context, "%s: %s %s", client, op, + krb5_warnx(contextp->context, "%s: %s %s", client, op, expression ? expression : "*"); - ret = _kadm5_acl_check_permission(context, KADM5_PRIV_LIST, NULL); + ret = _kadm5_acl_check_permission(contextp, KADM5_PRIV_LIST, NULL); if(ret){ free(expression); goto fail; } - ret = kadm5_get_principals(kadm_handle, expression, &princs, &n_princs); + ret = kadm5_get_principals(kadm_handlep, expression, &princs, &n_princs); free(expression); krb5_storage_free(sp); sp = krb5_storage_emem(); @@ -410,12 +410,12 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial, krb5_store_int32(sp, n_princs); for(i = 0; i < n_princs; i++) krb5_store_string(sp, princs[i]); - kadm5_free_name_list(kadm_handle, princs, &n_princs); + kadm5_free_name_list(kadm_handlep, princs, &n_princs); } break; } default: - krb5_warnx(context->context, "%s: UNKNOWN OP %d", client, cmd); + krb5_warnx(contextp->context, "%s: UNKNOWN OP %d", client, cmd); krb5_storage_free(sp); sp = krb5_storage_emem(); krb5_store_int32(sp, KADM5_FAILURE); @@ -425,7 +425,7 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial, krb5_storage_free(sp); return 0; fail: - krb5_warn(context->context, ret, "%s", op); + krb5_warn(contextp->context, ret, "%s", op); krb5_storage_seek(sp, 0, SEEK_SET); krb5_store_int32(sp, ret); krb5_storage_to_data(sp, out); @@ -434,10 +434,10 @@ fail: } static void -v5_loop (krb5_context context, +v5_loop (krb5_context contextp, krb5_auth_context ac, krb5_boolean initial, - void *kadm_handle, + void *kadm_handlep, krb5_socket_t fd) { krb5_error_code ret; 
@@ -447,17 +447,17 @@ v5_loop (krb5_context context, doing_useful_work = 0; if(term_flag) exit(0); - ret = krb5_read_priv_message(context, ac, &fd, &in); + ret = krb5_read_priv_message(contextp, ac, &fd, &in); if(ret == HEIM_ERR_EOF) exit(0); if(ret) - krb5_err(context, 1, ret, "krb5_read_priv_message"); + krb5_err(contextp, 1, ret, "krb5_read_priv_message"); doing_useful_work = 1; - kadmind_dispatch(kadm_handle, initial, &in, &out); + kadmind_dispatch(kadm_handlep, initial, &in, &out); krb5_data_free(&in); - ret = krb5_write_priv_message(context, ac, &fd, &out); + ret = krb5_write_priv_message(contextp, ac, &fd, &out); if(ret) - krb5_err(context, 1, ret, "krb5_write_priv_message"); + krb5_err(contextp, 1, ret, "krb5_write_priv_message"); } } @@ -467,12 +467,13 @@ match_appl_version(const void *data, const char *appl_version) unsigned minor; if(sscanf(appl_version, "KADM0.%u", &minor) != 1) return 0; - *(unsigned*)data = minor; + /*XXX*/ + *(unsigned*)(intptr_t)data = minor; return 1; } static void -handle_v5(krb5_context context, +handle_v5(krb5_context contextp, krb5_keytab keytab, krb5_socket_t fd) { 
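Review bot: In match_appl_version, `*(unsigned*)(intptr_t)data = minor;` launders the `const` off `data` through an integer cast and is marked only `/*XXX*/`, which tells the next reader nothing. The write is to `&kadm_version`, which handle_v5 passes as the callback argument, so it is a writable object and the comment should say so, e.g. `/* data is handle_v5's &kadm_version; const only because of the callback type */`. Prefer the project's `rk_UNCONST`, which kdc/config.c uses elsewhere in this patch, over a hand-written `intptr_t` cast, if that macro is in scope here. The function starts above the hunk.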
@@ -480,29 +481,29 @@ handle_v5(krb5_context context, krb5_ticket *ticket; char *server_name; char *client; - void *kadm_handle; + void *kadm_handlep; krb5_boolean initial; krb5_auth_context ac = NULL; unsigned kadm_version; kadm5_config_params realm_params; - ret = krb5_recvauth_match_version(context, &ac, &fd, + ret = krb5_recvauth_match_version(contextp, &ac, &fd, match_appl_version, &kadm_version, NULL, KRB5_RECVAUTH_IGNORE_VERSION, keytab, &ticket); if(ret == KRB5_KT_NOTFOUND) - krb5_errx(context, 1, "krb5_recvauth: key not found"); + krb5_errx(contextp, 1, "krb5_recvauth: key not found"); if(ret) - krb5_err(context, 1, ret, "krb5_recvauth"); + krb5_err(contextp, 1, ret, "krb5_recvauth"); - ret = krb5_unparse_name (context, ticket->server, &server_name); + ret = krb5_unparse_name (contextp, ticket->server, &server_name); if (ret) - krb5_err (context, 1, ret, "krb5_unparse_name"); + krb5_err (contextp, 1, ret, "krb5_unparse_name"); if (strncmp (server_name, KADM5_ADMIN_SERVICE, strlen(KADM5_ADMIN_SERVICE)) != 0) - krb5_errx (context, 1, "ticket for strange principal (%s)", + krb5_errx (contextp, 1, "ticket for strange principal (%s)", server_name); free (server_name); 
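Review bot: The `strncmp (server_name, KADM5_ADMIN_SERVICE, strlen(KADM5_ADMIN_SERVICE))` test kept in this hunk is a prefix match, so any server principal whose unparsed name merely begins with that string passes. Whether that matters depends on which keys the keytab holds, and the value of KADM5_ADMIN_SERVICE is not shown here. A stricter test would also require the character after the prefix to be `@` or the terminator. Alternatively, build the expected principal and use `krb5_principal_compare`, which kadmind_dispatch in this file already calls. handle_v5 continues outside the hunk.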
@@ -511,31 +512,31 @@ handle_v5(krb5_context context, if(kadm_version == 1) { krb5_data params; - ret = krb5_read_priv_message(context, ac, &fd, ¶ms); + ret = krb5_read_priv_message(contextp, ac, &fd, ¶ms); if(ret) - krb5_err(context, 1, ret, "krb5_read_priv_message"); - _kadm5_unmarshal_params(context, ¶ms, &realm_params); + krb5_err(contextp, 1, ret, "krb5_read_priv_message"); + _kadm5_unmarshal_params(contextp, ¶ms, &realm_params); } initial = ticket->ticket.flags.initial; - ret = krb5_unparse_name(context, ticket->client, &client); + ret = krb5_unparse_name(contextp, ticket->client, &client); if (ret) - krb5_err (context, 1, ret, "krb5_unparse_name"); - krb5_free_ticket (context, ticket); - ret = kadm5_s_init_with_password_ctx(context, + krb5_err (contextp, 1, ret, "krb5_unparse_name"); + krb5_free_ticket (contextp, ticket); + ret = kadm5_s_init_with_password_ctx(contextp, client, NULL, KADM5_ADMIN_SERVICE, &realm_params, 0, 0, - &kadm_handle); + &kadm_handlep); if(ret) - krb5_err (context, 1, ret, "kadm5_init_with_password_ctx"); - v5_loop (context, ac, initial, kadm_handle, fd); + krb5_err (contextp, 1, ret, "kadm5_init_with_password_ctx"); + v5_loop (contextp, ac, initial, kadm_handlep, fd); } krb5_error_code -kadmind_loop(krb5_context context, +kadmind_loop(krb5_context contextp, krb5_keytab keytab, krb5_socket_t sock) { 
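Review bot: `_kadm5_unmarshal_params(contextp, &params, &realm_params);` discards its result, so a malformed parameter blob from the client leaves `realm_params` in whatever state the partial parse reached. That structure is then passed to `kadm5_s_init_with_password_ctx`. The block also closes without `krb5_data_free(&params);`. Assuming the helper returns a kadm5 error code like its siblings, use `ret = _kadm5_unmarshal_params(contextp, &params, &realm_params); krb5_data_free(&params); if (ret) krb5_err(contextp, 1, ret, "_kadm5_unmarshal_params");`.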
@@ -543,30 +544,30 @@ kadmind_loop(krb5_context context, ssize_t n; unsigned long len; - n = krb5_net_read(context, &sock, buf, 4); + n = krb5_net_read(contextp, &sock, buf, 4); if(n == 0) exit(0); if(n < 0) - krb5_err(context, 1, errno, "read"); + krb5_err(contextp, 1, errno, "read"); _krb5_get_int(buf, &len, 4); if (len == sizeof(KRB5_SENDAUTH_VERSION)) { - n = krb5_net_read(context, &sock, buf + 4, len); + n = krb5_net_read(contextp, &sock, buf + 4, len); if (n < 0) - krb5_err (context, 1, errno, "reading sendauth version"); + krb5_err (contextp, 1, errno, "reading sendauth version"); if (n == 0) - krb5_errx (context, 1, "EOF reading sendauth version"); + krb5_errx (contextp, 1, "EOF reading sendauth version"); if(memcmp(buf + 4, KRB5_SENDAUTH_VERSION, len) == 0) { - handle_v5(context, keytab, sock); + handle_v5(contextp, keytab, sock); return 0; } len += 4; } else len = 4; - handle_mit(context, buf, len, sock); + handle_mit(contextp, buf, len, sock); return 0; } diff --git a/kdc/config.c b/kdc/config.c index 40d858bf0..65c6c0192 100644 --- a/kdc/config.c +++ b/kdc/config.c 
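Review bot: The first `krb5_net_read(contextp, &sock, buf, 4)` only rejects `n == 0` and `n < 0`, so a short read of one to three bytes still reaches `_krb5_get_int(buf, &len, 4)`. The same buffer, part of it never written, can then go on to `handle_mit(contextp, buf, len, sock)`. Require the full header with `if (n != 4) krb5_errx(contextp, 1, "short read");` after the existing checks. Apply the equivalent `(size_t)n != len` test after the second read, before the `memcmp`. `buf` is declared above the hunk, so its size could not be checked here.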
@@ -74,30 +74,31 @@ static struct getargs args[] = { }, { "require-preauth", 'p', arg_negative_flag, &require_preauth, - "don't require pa-data in as-reqs" + "don't require pa-data in as-reqs", NULL }, { "max-request", 0, arg_string, &max_request_str, "max size for a kdc-request", "size" }, - { "enable-http", 'H', arg_flag, &enable_http, "turn on HTTP support" }, + { "enable-http", 'H', arg_flag, &enable_http, "turn on HTTP support", + NULL }, { "524", 0, arg_negative_flag, &enable_524, - "don't respond to 524 requests" + "don't respond to 524 requests", NULL }, { "kaserver", 'K', arg_flag, &enable_kaserver, - "enable kaserver support" + "enable kaserver support", NULL }, { "kerberos4", 0, arg_flag, &enable_v4, - "respond to kerberos 4 requests" + "respond to kerberos 4 requests", NULL }, { "v4-realm", 'r', arg_string, &v4_realm, - "realm to serve v4-requests for" + "realm to serve v4-requests for", NULL }, { "kerberos4-cross-realm", 0, arg_flag, &enable_v4_cross_realm, - "respond to kerberos 4 requests from foreign realms" + "respond to kerberos 4 requests from foreign realms", NULL }, { "ports", 'P', arg_string, rk_UNCONST(&port_str), "ports to listen to", "portspec" 
@@ -106,29 +107,29 @@ static struct getargs args[] = { #if DETACH_IS_DEFAULT { "detach", 'D', arg_negative_flag, &detach_from_console, - "don't detach from console" + "don't detach from console", NULL }, #else { "detach", 0 , arg_flag, &detach_from_console, - "detach from console" + "detach from console", NULL }, #endif #endif { "addresses", 0, arg_strings, &addresses_str, "addresses to listen on", "list of addresses" }, { "disable-des", 0, arg_flag, &disable_des, - "disable DES" }, + "disable DES", NULL }, { "builtin-hdb", 0, arg_flag, &builtin_hdb_flag, - "list builtin hdb backends"}, + "list builtin hdb backends", NULL}, { "runas-user", 0, arg_string, &runas_string, - "run as this user when connected to network" + "run as this user when connected to network", NULL }, { "chroot", 0, arg_string, &chroot_string, - "chroot directory to run in" + "chroot directory to run in", NULL }, - { "help", 'h', arg_flag, &help_flag }, - { "version", 'v', arg_flag, &version_flag } + { "help", 'h', arg_flag, &help_flag, NULL, NULL }, + { "version", 'v', arg_flag, &version_flag, NULL, NULL } }; static int num_args = sizeof(args) / sizeof(args[0]); diff --git a/kdc/connect.c b/kdc/connect.c index 873628639..c6f668245 100644 --- a/kdc/connect.c +++ b/kdc/connect.c @@ -60,7 +60,7 @@ struct port_desc{ /* the current ones */ static struct port_desc *ports; -static int num_ports; +static size_t num_ports; /* * add `family, port, protocol' to the list with duplicate suppresion. @@ -71,7 +71,7 @@ add_port(krb5_context context, int family, int port, const char *protocol) { int type; - int i; + size_t i; if(strcmp(protocol, "udp") == 0) type = SOCK_DGRAM; @@ -324,7 +324,7 @@ init_sockets(krb5_context context, struct descr **desc) { krb5_error_code ret; - int i, j; + size_t i, j; struct descr *d; int num = 0; krb5_addresses addresses; 
@@ -478,7 +478,7 @@ handle_udp(krb5_context context, struct descr *d) { unsigned char *buf; - int n; + ssize_t n; buf = malloc(max_request_udp); if(buf == NULL){ @@ -493,7 +493,7 @@ handle_udp(krb5_context context, else { addr_to_string (context, d->sa, d->sock_len, d->addr_string, sizeof(d->addr_string)); - if (n == max_request_udp) { + if ((size_t)n == max_request_udp) { krb5_data data; krb5_warn(context, errno, "recvfrom: truncated packet from %s, asking for TCP", @@ -754,7 +754,7 @@ handle_http_tcp (krb5_context context, return -1; } } - if (len > d->len) + if ((size_t)len > d->len) len = d->len; memcpy(d->buf, data, len); d->len = len; @@ -864,7 +864,7 @@ loop(krb5_context context, fd_set fds; int min_free = -1; int max_fd = 0; - int i; + size_t i; FD_ZERO(&fds); for(i = 0; i < ndescr; i++) { @@ -886,7 +886,7 @@ loop(krb5_context context, #endif #endif FD_SET(d[i].s, &fds); - } else if(min_free < 0 || i < min_free) + } else if(min_free < 0 || i < (size_t)min_free) min_free = i; } if(min_free == -1){ diff --git a/kdc/digest-service.c b/kdc/digest-service.c index 1ba423bac..8fa3b104a 100644 --- a/kdc/digest-service.c +++ b/kdc/digest-service.c @@ -63,7 +63,7 @@ ntlm_service(void *ctx, const heim_idata *req, NTLMReply ntp; size_t size; int ret; - char *domain; + const char *domain; kdc_log(context, config, 1, "digest-request: uid=%d", (int)heim_ipc_cred_get_uid(cred)); @@ -184,13 +184,13 @@ ntlm_service(void *ctx, const heim_idata *req, free(answer.data); { - EVP_MD_CTX *ctx; + EVP_MD_CTX *ctxp; - ctx = EVP_MD_CTX_create(); - EVP_DigestInit_ex(ctx, EVP_md4(), NULL); - EVP_DigestUpdate(ctx, key->key.keyvalue.data, key->key.keyvalue.length); - EVP_DigestFinal_ex(ctx, sessionkey, NULL); - EVP_MD_CTX_destroy(ctx); + ctxp = EVP_MD_CTX_create(); + EVP_DigestInit_ex(ctxp, EVP_md4(), NULL); + EVP_DigestUpdate(ctxp, key->key.keyvalue.data, key->key.keyvalue.length); + EVP_DigestFinal_ex(ctxp, sessionkey, NULL); + EVP_MD_CTX_destroy(ctxp); } } 
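Review bot: In the ntlm_service hunk at -184, `ctxp = EVP_MD_CTX_create();` goes straight into `EVP_DigestInit_ex(ctxp, EVP_md4(), NULL)` with no NULL check, and none of the `EVP_Digest*` results are tested. An allocation failure would pass a null context to the digest calls while `sessionkey` is being derived. The same pattern appears in the `_kdc_do_digest` hunks of kdc/digest.c further down (the `ctp` block and the second `ctxp` block). Add `if (ctxp == NULL)` with the function's usual out-of-memory exit; that exit path is outside the hunk, so the exact cleanup is not shown.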
@@ -218,8 +218,8 @@ static int help_flag; static int version_flag; static struct getargs args[] = { - { "help", 'h', arg_flag, &help_flag }, - { "version", 'v', arg_flag, &version_flag } + { "help", 'h', arg_flag, &help_flag, NULL, NULL }, + { "version", 'v', arg_flag, &version_flag, NULL, NULL } }; static int num_args = sizeof(args) / sizeof(args[0]); diff --git a/kdc/digest.c b/kdc/digest.c index 70b45c2af..617f12e68 100644 --- a/kdc/digest.c +++ b/kdc/digest.c @@ -257,7 +257,7 @@ _kdc_do_digest(krb5_context context, /* check the server principal in the ticket matches digest/R@R */ { krb5_principal principal = NULL; - const char *p, *r; + const char *p, *rr; ret = krb5_ticket_get_server(context, ticket, &principal); if (ret) @@ -280,12 +280,12 @@ _kdc_do_digest(krb5_context context, krb5_free_principal(context, principal); goto out; } - r = krb5_principal_get_realm(context, principal); - if (r == NULL) { + rr = krb5_principal_get_realm(context, principal); + if (rr == NULL) { krb5_free_principal(context, principal); goto out; } - if (strcmp(p, r) != 0) { + if (strcmp(p, rr) != 0) { krb5_free_principal(context, principal); goto out; } @@ -616,7 +616,7 @@ _kdc_do_digest(krb5_context context, EVP_MD_CTX *ctx; unsigned char md[MD5_DIGEST_LENGTH]; char *mdx; - char id; + char idx; if ((config->digests_allowed & CHAP_MD5) == 0) { kdc_log(context, config, 0, "Digest CHAP MD5 not allowed"); @@ -630,7 +630,7 @@ _kdc_do_digest(krb5_context context, goto out; } - if (hex_decode(*ireq.u.digestRequest.identifier, &id, 1) != 1) { + if (hex_decode(*ireq.u.digestRequest.identifier, &idx, 1) != 1) { ret = EINVAL; krb5_set_error_message(context, ret, "failed to decode identifier"); goto out; 
@@ -645,7 +645,7 @@ _kdc_do_digest(krb5_context context, ctx = EVP_MD_CTX_create(); EVP_DigestInit_ex(ctx, EVP_md5(), NULL); - EVP_DigestUpdate(ctx, &id, 1); + EVP_DigestUpdate(ctx, &idx, 1); EVP_DigestUpdate(ctx, password, strlen(password)); EVP_DigestUpdate(ctx, serverNonce.data, serverNonce.length); EVP_DigestFinal_ex(ctx, md, NULL); @@ -804,7 +804,7 @@ _kdc_do_digest(krb5_context context, const char *username; struct ntlm_buf answer; Key *key = NULL; - EVP_MD_CTX *ctx; + EVP_MD_CTX *ctp; if ((config->digests_allowed & MS_CHAP_V2) == 0) { kdc_log(context, config, 0, "MS-CHAP-V2 not allowed"); @@ -831,10 +831,10 @@ _kdc_do_digest(krb5_context context, else username++; - ctx = EVP_MD_CTX_create(); + ctp = EVP_MD_CTX_create(); /* ChallangeHash */ - EVP_DigestInit_ex(ctx, EVP_sha1(), NULL); + EVP_DigestInit_ex(ctp, EVP_sha1(), NULL); { ssize_t ssize; krb5_data clientNonce; @@ -845,7 +845,7 @@ _kdc_do_digest(krb5_context context, ret = ENOMEM; krb5_set_error_message(context, ret, "malloc: out of memory"); - EVP_MD_CTX_destroy(ctx); + EVP_MD_CTX_destroy(ctp); goto out; } @@ -855,18 +855,18 @@ _kdc_do_digest(krb5_context context, ret = ENOMEM; krb5_set_error_message(context, ret, "Failed to decode clientNonce"); - EVP_MD_CTX_destroy(ctx); + EVP_MD_CTX_destroy(ctp); goto out; } - EVP_DigestUpdate(ctx, clientNonce.data, ssize); + EVP_DigestUpdate(ctp, clientNonce.data, ssize); free(clientNonce.data); } - EVP_DigestUpdate(ctx, serverNonce.data, serverNonce.length); - EVP_DigestUpdate(ctx, username, strlen(username)); + EVP_DigestUpdate(ctp, serverNonce.data, serverNonce.length); + EVP_DigestUpdate(ctp, username, strlen(username)); - EVP_DigestFinal_ex(ctx, challange, NULL); + EVP_DigestFinal_ex(ctp, challange, NULL); - EVP_MD_CTX_destroy(ctx); + EVP_MD_CTX_destroy(ctp); /* NtPasswordHash */ ret = krb5_parse_name(context, username, &clientprincipal); 
@@ -923,39 +923,39 @@ _kdc_do_digest(krb5_context context, if (r.u.response.success) { unsigned char hashhash[MD4_DIGEST_LENGTH]; - EVP_MD_CTX *ctx; + EVP_MD_CTX *ctxp; - ctx = EVP_MD_CTX_create(); + ctxp = EVP_MD_CTX_create(); /* hashhash */ { - EVP_DigestInit_ex(ctx, EVP_md4(), NULL); - EVP_DigestUpdate(ctx, + EVP_DigestInit_ex(ctxp, EVP_md4(), NULL); + EVP_DigestUpdate(ctxp, key->key.keyvalue.data, key->key.keyvalue.length); - EVP_DigestFinal_ex(ctx, hashhash, NULL); + EVP_DigestFinal_ex(ctxp, hashhash, NULL); } /* GenerateAuthenticatorResponse */ - EVP_DigestInit_ex(ctx, EVP_sha1(), NULL); - EVP_DigestUpdate(ctx, hashhash, sizeof(hashhash)); - EVP_DigestUpdate(ctx, answer.data, answer.length); - EVP_DigestUpdate(ctx, ms_chap_v2_magic1, + EVP_DigestInit_ex(ctxp, EVP_sha1(), NULL); + EVP_DigestUpdate(ctxp, hashhash, sizeof(hashhash)); + EVP_DigestUpdate(ctxp, answer.data, answer.length); + EVP_DigestUpdate(ctxp, ms_chap_v2_magic1, sizeof(ms_chap_v2_magic1)); - EVP_DigestFinal_ex(ctx, md, NULL); + EVP_DigestFinal_ex(ctxp, md, NULL); - EVP_DigestInit_ex(ctx, EVP_sha1(), NULL); - EVP_DigestUpdate(ctx, md, sizeof(md)); - EVP_DigestUpdate(ctx, challange, 8); - EVP_DigestUpdate(ctx, ms_chap_v2_magic2, + EVP_DigestInit_ex(ctxp, EVP_sha1(), NULL); + EVP_DigestUpdate(ctxp, md, sizeof(md)); + EVP_DigestUpdate(ctxp, challange, 8); + EVP_DigestUpdate(ctxp, ms_chap_v2_magic2, sizeof(ms_chap_v2_magic2)); - EVP_DigestFinal_ex(ctx, md, NULL); + EVP_DigestFinal_ex(ctxp, md, NULL); r.u.response.rsp = calloc(1, sizeof(*r.u.response.rsp)); if (r.u.response.rsp == NULL) { free(answer.data); krb5_clear_error_message(context); - EVP_MD_CTX_destroy(ctx); + EVP_MD_CTX_destroy(ctxp); ret = ENOMEM; goto out; } 
@@ -964,22 +964,22 @@ _kdc_do_digest(krb5_context context, if (r.u.response.rsp == NULL) { free(answer.data); krb5_clear_error_message(context); - EVP_MD_CTX_destroy(ctx); + EVP_MD_CTX_destroy(ctxp); ret = ENOMEM; goto out; } /* get_master, rfc 3079 3.4 */ - EVP_DigestInit_ex(ctx, EVP_sha1(), NULL); - EVP_DigestUpdate(ctx, hashhash, 16); - EVP_DigestUpdate(ctx, answer.data, answer.length); - EVP_DigestUpdate(ctx, ms_rfc3079_magic1, + EVP_DigestInit_ex(ctxp, EVP_sha1(), NULL); + EVP_DigestUpdate(ctxp, hashhash, 16); + EVP_DigestUpdate(ctxp, answer.data, answer.length); + EVP_DigestUpdate(ctxp, ms_rfc3079_magic1, sizeof(ms_rfc3079_magic1)); - EVP_DigestFinal_ex(ctx, md, NULL); + EVP_DigestFinal_ex(ctxp, md, NULL); free(answer.data); - EVP_MD_CTX_destroy(ctx); + EVP_MD_CTX_destroy(ctxp); r.u.response.session_key = calloc(1, sizeof(*r.u.response.session_key)); diff --git a/kdc/hprop.c b/kdc/hprop.c index e3846e932..290a85828 100644 --- a/kdc/hprop.c +++ b/kdc/hprop.c 
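Review bot: `EVP_DigestUpdate(ctxp, hashhash, 16);` in the `@@ -964,22` hunk hard-codes a length that the `@@ -923,39` hunk spells as `sizeof(hashhash)`; using `sizeof(hashhash)` in both places keeps them in step with `MD4_DIGEST_LENGTH`. Separately, `hashhash` is an MD4 digest of `key->key.keyvalue` and stays on the stack after its last use here; clearing it once `EVP_DigestFinal_ex(ctxp, md, NULL)` has run, with a zeroing call the compiler cannot elide (for example `explicit_bzero(hashhash, sizeof(hashhash));` where the platform provides it), limits how long key-derived material lingers. The earlier `goto out` error paths in the same block would need the same treatment. The enclosing block of `_kdc_do_digest` opens in the previous hunk and the function continues past this one.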
@@ -133,13 +133,13 @@ struct getargs args[] = { { "keytab", 'k', arg_string, rk_UNCONST(&ktname), "keytab to use for authentication", "keytab" }, - { "v5-realm", 'R', arg_string, &local_realm, "v5 realm to use" }, - { "decrypt", 'D', arg_flag, &decrypt_flag, "decrypt keys" }, - { "encrypt", 'E', arg_flag, &encrypt_flag, "encrypt keys" }, - { "stdout", 'n', arg_flag, &to_stdout, "dump to stdout" }, - { "verbose", 'v', arg_flag, &verbose_flag }, - { "version", 0, arg_flag, &version_flag }, - { "help", 'h', arg_flag, &help_flag } + { "v5-realm", 'R', arg_string, &local_realm, "v5 realm to use", NULL }, + { "decrypt", 'D', arg_flag, &decrypt_flag, "decrypt keys", NULL }, + { "encrypt", 'E', arg_flag, &encrypt_flag, "encrypt keys", NULL }, + { "stdout", 'n', arg_flag, &to_stdout, "dump to stdout", NULL }, + { "verbose", 'v', arg_flag, &verbose_flag, NULL, NULL }, + { "version", 0, arg_flag, &version_flag, NULL, NULL }, + { "help", 'h', arg_flag, &help_flag, NULL, NULL } }; static int num_args = sizeof(args) / sizeof(args[0]); @@ -213,7 +213,7 @@ struct { static int parse_source_type(const char *s) { - int i; + size_t i; for(i = 0; i < sizeof(types) / sizeof(types[0]); i++) { if(strstr(types[i].name, s) == types[i].name) return types[i].type; diff --git a/kdc/hpropd.c b/kdc/hpropd.c index 8b360cf42..86fb891cf 100644 --- a/kdc/hpropd.c +++ b/kdc/hpropd.c 
@@ -44,19 +44,20 @@ static char *ktname = NULL; struct getargs args[] = { { "database", 'd', arg_string, rk_UNCONST(&database), "database", "file" }, - { "stdin", 'n', arg_flag, &from_stdin, "read from stdin" }, - { "print", 0, arg_flag, &print_dump, "print dump to stdout" }, + { "stdin", 'n', arg_flag, &from_stdin, "read from stdin", NULL }, + { "print", 0, arg_flag, &print_dump, "print dump to stdout", NULL }, #ifdef SUPPORT_INETD { "inetd", 'i', arg_negative_flag, &inetd_flag, - "Not started from inetd" }, + "Not started from inetd", NULL }, #endif { "keytab", 'k', arg_string, &ktname, "keytab to use for authentication", "keytab" }, - { "realm", 'r', arg_string, &local_realm, "realm to use" }, + { "realm", 'r', arg_string, &local_realm, "realm to use", NULL }, { "version", 0, arg_flag, &version_flag, NULL, NULL }, { "help", 'h', arg_flag, &help_flag, NULL, NULL} }; static int num_args = sizeof(args) / sizeof(args[0]); +static char unparseable_name[] = "unparseable name"; static void usage(int ret) @@ -194,7 +195,7 @@ main(int argc, char **argv) char *s; ret = krb5_unparse_name(context, c2, &s); if (ret) - s = "unparseable name"; + s = unparseable_name; krb5_errx(context, 1, "Unauthorized connection from %s", s); } krb5_free_principal(context, c1); @@ -260,7 +261,7 @@ main(int argc, char **argv) char *s; ret = krb5_unparse_name(context, entry.entry.principal, &s); if (ret) - s = strdup("unparseable name"); + s = strdup(unparseable_name); krb5_warnx(context, "Entry exists: %s", s); free(s); } else if(ret) diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c index a437b9dbd..1d97a60ae 100644 --- a/kdc/kerberos5.c +++ b/kdc/kerberos5.c 
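Review bot: In the `@@ -260,7` hunk of kdc/hpropd.c, `s = strdup(unparseable_name);` is not checked, so when both `krb5_unparse_name` and `strdup` fail the following `krb5_warnx(context, "Entry exists: %s", s)` passes a null pointer to `%s`, which is undefined behaviour. The copy exists only so that `free(s)` can be unconditional; avoiding the allocation removes the failure mode: `krb5_warnx(context, "Entry exists: %s", ret ? unparseable_name : s);` followed by `if (ret == 0) free(s);`. This also matches how the `@@ -194,7` hunk uses the static buffer directly. `main` extends beyond the hunk on both sides.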
@@ -74,9 +74,9 @@ _kdc_find_padata(const KDC_REQ *req, int *start, int type) if (req->padata == NULL) return NULL; - while(*start < req->padata->len){ + while((size_t)*start < req->padata->len){ (*start)++; - if(req->padata->val[*start - 1].padata_type == type) + if(req->padata->val[*start - 1].padata_type == (unsigned)type) return &req->padata->val[*start - 1]; } return NULL; @@ -127,7 +127,7 @@ _kdc_find_etype(krb5_context context, const hdb_entry_ex *princ, krb5_enctype *etypes, unsigned len, Key **ret_key) { - int i; + size_t i; krb5_error_code ret = KRB5KDC_ERR_ETYPE_NOSUPP; krb5_salt def_salt; @@ -211,7 +211,7 @@ log_patypes(krb5_context context, { struct rk_strpool *p = NULL; char *str; - int i; + size_t i; for (i = 0; i < padata->len; i++) { switch(padata->val[i].padata_type) { @@ -614,7 +614,7 @@ log_as_req(krb5_context context, krb5_error_code ret; struct rk_strpool *p; char *str; - int i; + size_t i; p = rk_strpoolprintf(NULL, "%s", "Client supported enctypes: "); @@ -809,7 +809,7 @@ _kdc_check_addresses(krb5_context context, krb5_address addr; krb5_boolean result; krb5_boolean only_netbios = TRUE; - int i; + size_t i; if(config->check_ticket_addresses == 0) return TRUE; @@ -1035,7 +1035,7 @@ _kdc_as_rep(krb5_context context, { const krb5_enctype *p; krb5_enctype clientbest = ETYPE_NULL; - int i, j; + size_t i, j; p = krb5_kerberos_enctypes(context); @@ -1663,7 +1663,7 @@ _kdc_as_rep(krb5_context context, PA_ClientCanonicalized canon; krb5_data data; PA_DATA pa; - krb5_crypto crypto; + krb5_crypto cryptox; size_t len; memset(&canon, 0, sizeof(canon)); 
@@ -1679,18 +1679,18 @@ _kdc_as_rep(krb5_context context, krb5_abortx(context, "internal asn.1 error"); /* sign using "returned session key" */ - ret = krb5_crypto_init(context, &et.key, 0, &crypto); + ret = krb5_crypto_init(context, &et.key, 0, &cryptox); if (ret) { free(data.data); goto out; } - ret = krb5_create_checksum(context, crypto, + ret = krb5_create_checksum(context, cryptox, KRB5_KU_CANONICALIZED_NAMES, 0, data.data, data.length, &canon.canon_checksum); free(data.data); - krb5_crypto_destroy(context, crypto); + krb5_crypto_destroy(context, cryptox); if (ret) goto out; diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c index 3db77cde6..94e684432 100644 --- a/kdc/krb5tgs.c +++ b/kdc/krb5tgs.c @@ -508,7 +508,7 @@ check_constrained_delegation(krb5_context context, { const HDB_Ext_Constrained_delegation_acl *acl; krb5_error_code ret; - int i; + size_t i; /* if client delegates to itself, that ok */ if (krb5_principal_compare(context, client->entry.principal, server) == TRUE) @@ -606,7 +606,7 @@ fix_transited_encoding(krb5_context context, krb5_error_code ret = 0; char **realms, **tmp; unsigned int num_realms; - int i; + size_t i; switch (tr->tr_type) { case DOMAIN_X500_COMPRESS: @@ -1131,6 +1131,7 @@ tgs_parse_request(krb5_context context, krb5_keyblock **replykey, int *rk_is_subkey) { + static char failed[] = ""; krb5_ap_req ap_req; krb5_error_code ret; krb5_principal princ; @@ -1174,7 +1175,7 @@ tgs_parse_request(krb5_context context, char *p; ret = krb5_unparse_name(context, princ, &p); if (ret != 0) - p = ""; + p = failed; krb5_free_principal(context, princ); kdc_log(context, config, 5, "Ticket-granting ticket account %s does not have secrets at this KDC, need to proxy", p); if (ret == 0) @@ -1186,7 +1187,7 @@ tgs_parse_request(krb5_context context, char *p; ret = krb5_unparse_name(context, princ, &p); if (ret != 0) - p = ""; + p = failed; krb5_free_principal(context, princ); kdc_log(context, config, 0, "Ticket-granting ticket not found in database: %s", msg); 
@@ -1198,13 +1199,13 @@ tgs_parse_request(krb5_context context, } if(ap_req.ticket.enc_part.kvno && - *ap_req.ticket.enc_part.kvno != (*krbtgt)->entry.kvno){ + (size_t)*ap_req.ticket.enc_part.kvno != (*krbtgt)->entry.kvno){ char *p; ret = krb5_unparse_name (context, princ, &p); krb5_free_principal(context, princ); if (ret != 0) - p = ""; + p = failed; kdc_log(context, config, 0, "Ticket kvno = %d, DB kvno = %d (%s)", *ap_req.ticket.enc_part.kvno, @@ -1646,7 +1647,7 @@ server_lookup: krb5_enctype etype; if(b->kdc_options.enc_tkt_in_skey) { - int i; + size_t i; ekey = &adtkt.key; for(i = 0; i < b->etype.len; i++) if (b->etype.val[i] == adtkt.key.keytype) diff --git a/kdc/kstash.c b/kdc/kstash.c index c005f4239..1cd626e10 100644 --- a/kdc/kstash.c +++ b/kdc/kstash.c @@ -46,15 +46,17 @@ static int random_key_flag; static const char *enctype_str = "des3-cbc-sha1"; static struct getargs args[] = { - { "enctype", 'e', arg_string, rk_UNCONST(&enctype_str), "encryption type" }, + { "enctype", 'e', arg_string, rk_UNCONST(&enctype_str), "encryption type", + NULL }, { "key-file", 'k', arg_string, &keyfile, "master key file", "file" }, { "convert-file", 0, arg_flag, &convert_flag, - "just convert keyfile to new format" }, + "just convert keyfile to new format", NULL }, { "master-key-fd", 0, arg_integer, &master_key_fd, "filedescriptor to read passphrase from", "fd" }, - { "random-key", 0, arg_flag, &random_key_flag, "generate a random master key" }, - { "help", 'h', arg_flag, &help_flag }, - { "version", 0, arg_flag, &version_flag } + { "random-key", 0, arg_flag, &random_key_flag, + "generate a random master key", NULL }, + { "help", 'h', arg_flag, &help_flag, NULL, NULL }, + { "version", 0, arg_flag, &version_flag, NULL, NULL } }; int num_args = sizeof(args) / sizeof(args[0]); diff --git a/kdc/log.c b/kdc/log.c index 6657aca5c..6d85729f5 100644 --- a/kdc/log.c +++ b/kdc/log.c 
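Review bot: The cast added in the `@@ -1198,13` hunk, `(size_t)*ap_req.ticket.enc_part.kvno != (*krbtgt)->entry.kvno`, widens the left operand rather than only changing its signedness. If the ticket kvno is a signed int (the `%d` in the log call below suggests so) and the database kvno is an unsigned int, a value with the top bit set sign-extends on LP64 and no longer compares equal to the same 32-bit pattern on the right, which the uncast comparison did. Casting to the other operand's type silences the warning without changing the result: `(unsigned int)*ap_req.ticket.enc_part.kvno != (*krbtgt)->entry.kvno`. Both field declarations are outside this page, so confirm the types first; the `(size_t)parse_flags("proxy", ...)` comparison in the kuser/copy_cred_cache.c hunk looks like the same pattern.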
@@ -50,10 +50,12 @@ kdc_openlog(krb5_context context, krb5_addlog_dest(context, config->logf, *p); krb5_config_free_strings(s); }else { - char *s; - asprintf(&s, "0-1/FILE:%s/%s", hdb_db_dir(context), KDC_LOG_FILE); - krb5_addlog_dest(context, config->logf, s); - free(s); + char *ss; + if (asprintf(&ss, "0-1/FILE:%s/%s", hdb_db_dir(context), + KDC_LOG_FILE) < 0) + err(1, NULL); + krb5_addlog_dest(context, config->logf, ss); + free(ss); } krb5_set_warn_dest(context, config->logf); } diff --git a/kdc/mit_dump.c b/kdc/mit_dump.c index 48e1e1763..a0c99dfd9 100644 --- a/kdc/mit_dump.c +++ b/kdc/mit_dump.c @@ -77,7 +77,7 @@ unless no extra data static int hex_to_octet_string(const char *ptr, krb5_data *data) { - int i; + size_t i; unsigned int v; for(i = 0; i < data->length; i++) { if(sscanf(ptr + 2 * i, "%02x", &v) != 1) @@ -165,7 +165,7 @@ fix_salt(krb5_context context, hdb_entry *ent, int key_num) case KRB5_KDB_SALTTYPE_NOREALM: { size_t len; - int i; + size_t i; char *p; len = 0; diff --git a/kdc/pkinit.c b/kdc/pkinit.c index 9c0be23b1..6a6040c26 100644 --- a/kdc/pkinit.c +++ b/kdc/pkinit.c @@ -237,7 +237,7 @@ generate_dh_keyblock(krb5_context context, } dh_gen_keylen = DH_compute_key(dh_gen_key,client_params->u.dh.public_key, client_params->u.dh.key); - if (dh_gen_keylen == -1) { + if (dh_gen_keylen == (size_t)-1) { ret = KRB5KRB_ERR_GENERIC; krb5_set_error_message(context, ret, "Can't compute Diffie-Hellman key"); @@ -1247,7 +1247,7 @@ _kdc_pk_mk_pa_reply(krb5_context context, krb5_enctype enctype; int pa_type; hx509_cert kdc_cert = NULL; - int i; + size_t i; if (!config->enable_pkinit) { krb5_clear_error_message(context); @@ -1575,7 +1575,8 @@ match_rfc_san(krb5_context context, krb5_const_principal match) { hx509_octet_string_list list; - int ret, i, found = 0; + int ret, found = 0; + size_t i; memset(&list, 0 , sizeof(list)); 
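Review bot: `hex_to_octet_string` in the `@@ -77,7` hunk of kdc/mit_dump.c scans two characters at `ptr + 2 * i` for each of `data->length` bytes, but nothing visible checks that `ptr` actually holds `2 * data->length` hex digits. Because `%02x` also accepts a single digit, an odd-length field can succeed on its last character and the next iteration then starts one byte past the terminator. Unless the caller already guarantees the length, a guard before the loop closes this: `if (strlen(ptr) < 2 * data->length) return -1;`. The function body continues below the hunk, so match the return value to the convention used there.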
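Review bot: `if (dh_gen_keylen == (size_t)-1)` in the `@@ -237,7` hunk of kdc/pkinit.c detects the error only because the `int` result of `DH_compute_key` has already been converted into what appears to be a `size_t`, so the failure signal survives as a wrapped value. Keeping the result in a signed local and testing it before conversion is clearer and rejects any negative return: `int dhlen = DH_compute_key(dh_gen_key, client_params->u.dh.public_key, client_params->u.dh.key);`, then `if (dhlen < 0) {` in place of the current test, and `dh_gen_keylen = (size_t)dhlen;` after the error branch. The declaration of `dh_gen_keylen` is outside the hunk, so its type is inferred from the cast.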
@@ -1709,7 +1710,7 @@ _kdc_pk_check_client(krb5_context context, const HDB_Ext_PKINIT_cert *pc; krb5_error_code ret; hx509_name name; - int i; + size_t i; if (cp->cert == NULL) { @@ -1737,12 +1738,12 @@ _kdc_pk_check_client(krb5_context context, ret = hdb_entry_get_pkinit_cert(&client->entry, &pc); if (ret == 0 && pc) { hx509_cert cert; - unsigned int i; + size_t j; - for (i = 0; i < pc->len; i++) { + for (j = 0; j < pc->len; j++) { ret = hx509_cert_init_data(context->hx509ctx, - pc->val[i].cert.data, - pc->val[i].cert.length, + pc->val[j].cert.data, + pc->val[j].cert.length, &cert); if (ret) continue; diff --git a/kdc/string2key.c b/kdc/string2key.c index c351271e7..c4803e414 100644 --- a/kdc/string2key.c +++ b/kdc/string2key.c @@ -45,15 +45,17 @@ int version; int help; struct getargs args[] = { - { "version5", '5', arg_flag, &version5, "Output Kerberos v5 string-to-key" }, - { "version4", '4', arg_flag, &version4, "Output Kerberos v4 string-to-key" }, - { "afs", 'a', arg_flag, &afs, "Output AFS string-to-key" }, + { "version5", '5', arg_flag, &version5, "Output Kerberos v5 string-to-key", + NULL }, + { "version4", '4', arg_flag, &version4, "Output Kerberos v4 string-to-key", + NULL }, + { "afs", 'a', arg_flag, &afs, "Output AFS string-to-key", NULL }, { "cell", 'c', arg_string, &cell, "AFS cell to use", "cell" }, { "password", 'w', arg_string, &password, "Password to use", "password" }, { "principal",'p', arg_string, &principal, "Kerberos v5 principal to use", "principal" }, - { "keytype", 'k', arg_string, rk_UNCONST(&keytype_str), "Keytype" }, - { "version", 0, arg_flag, &version, "print version" }, - { "help", 0, arg_flag, &help, NULL } + { "keytype", 'k', arg_string, rk_UNCONST(&keytype_str), "Keytype", NULL }, + { "version", 0, arg_flag, &version, "print version", NULL }, + { "help", 0, arg_flag, &help, NULL, NULL } }; int num_args = sizeof(args) / sizeof(args[0]); 
@@ -73,7 +75,7 @@ tokey(krb5_context context, const char *label) { krb5_error_code ret; - int i; + size_t i; krb5_keyblock key; char *e; diff --git a/kpasswd/kpasswd.c b/kpasswd/kpasswd.c index 0258c1ac0..4a4bcf124 100644 --- a/kpasswd/kpasswd.c +++ b/kpasswd/kpasswd.c @@ -40,10 +40,11 @@ static char *admin_principal_str; static char *cred_cache_str; static struct getargs args[] = { - { "admin-principal", 0, arg_string, &admin_principal_str }, - { "cache", 'c', arg_string, &cred_cache_str }, - { "version", 0, arg_flag, &version_flag }, - { "help", 0, arg_flag, &help_flag } + { "admin-principal", 0, arg_string, &admin_principal_str, NULL, + NULL }, + { "cache", 'c', arg_string, &cred_cache_str, NULL, NULL }, + { "version", 0, arg_flag, &version_flag, NULL, NULL }, + { "help", 0, arg_flag, &help_flag, NULL, NULL } }; static void diff --git a/kpasswd/kpasswdd.c b/kpasswd/kpasswdd.c index 5ba459cf3..884cc7b68 100644 --- a/kpasswd/kpasswdd.c +++ b/kpasswd/kpasswdd.c @@ -680,11 +680,11 @@ doit (krb5_keytab keytab, int port) krb5_errx (context, 1, "No sockets!"); while(exit_flag == 0) { - int ret; + krb5_ssize_t retx; fd_set fdset = real_fdset; - ret = select (maxfd + 1, &fdset, NULL, NULL, NULL); - if (ret < 0) { + retx = select (maxfd + 1, &fdset, NULL, NULL, NULL); + if (retx < 0) { if (errno == EINTR) continue; else @@ -695,9 +695,9 @@ doit (krb5_keytab keytab, int port) u_char buf[BUFSIZ]; socklen_t addrlen = sizeof(__ss); - ret = recvfrom (sockets[i], buf, sizeof(buf), 0, + retx = recvfrom(sockets[i], buf, sizeof(buf), 0, sa, &addrlen); - if (ret < 0) { + if (retx < 0) { if(errno == EINTR) break; else @@ -707,7 +707,7 @@ doit (krb5_keytab keytab, int port) process (realms, keytab, sockets[i], &addrs.val[i], sa, addrlen, - buf, ret); + buf, retx); } } 
@@ -730,7 +730,8 @@ sigterm(int sig) static const char *check_library = NULL; static const char *check_function = NULL; static getarg_strings policy_libraries = { 0, NULL }; -static char *keytab_str = "HDB:"; +static char sHDB[] = "HDB:"; +static char *keytab_str = sHDB; static char *realm_str; static int version_flag; static int help_flag; @@ -750,11 +751,11 @@ struct getargs args[] = { "addresses to listen on", "list of addresses" }, { "keytab", 'k', arg_string, &keytab_str, "keytab to get authentication key from", "kspec" }, - { "config-file", 'c', arg_string, &config_file }, + { "config-file", 'c', arg_string, &config_file, NULL, NULL }, { "realm", 'r', arg_string, &realm_str, "default realm", "realm" }, - { "port", 'p', arg_string, &port_str, "port" }, - { "version", 0, arg_flag, &version_flag }, - { "help", 0, arg_flag, &help_flag } + { "port", 'p', arg_string, &port_str, "port", NULL }, + { "version", 0, arg_flag, &version_flag, NULL, NULL }, + { "help", 0, arg_flag, &help_flag, NULL, NULL } }; int num_args = sizeof(args) / sizeof(args[0]); @@ -836,10 +837,10 @@ main (int argc, char **argv) explicit_addresses.len = 0; if (addresses_str.num_strings) { - int i; + int j; - for (i = 0; i < addresses_str.num_strings; ++i) - add_one_address (addresses_str.strings[i], i == 0); + for (j = 0; j < addresses_str.num_strings; ++j) + add_one_address (addresses_str.strings[j], j == 0); free_getarg_strings (&addresses_str); } else { char **foo = krb5_config_get_strings (context, NULL, diff --git a/kuser/copy_cred_cache.c b/kuser/copy_cred_cache.c index d5bb2f0e2..21149d3b9 100644 --- a/kuser/copy_cred_cache.c +++ b/kuser/copy_cred_cache.c @@ -60,7 +60,7 @@ parse_ticket_flags(krb5_context context, memset(&ff, 0, sizeof(ff)); ff.proxy = 1; - if (parse_flags("proxy", asn1_TicketFlags_units(), 0) == TicketFlags2int(ff)) + if ((size_t)parse_flags("proxy", asn1_TicketFlags_units(), 0) == TicketFlags2int(ff)) ret_flags->i = flags; else ret_flags->i = bitswap32(flags); 
diff --git a/kuser/kcc.c b/kuser/kcc.c index 9a392fc1c..511398c92 100644 --- a/kuser/kcc.c +++ b/kuser/kcc.c @@ -40,8 +40,8 @@ static int version_flag; static int help_flag; static struct getargs args[] = { - { "version", 0, arg_flag, &version_flag }, - { "help", 0, arg_flag, &help_flag } + { "version", 0, arg_flag, &version_flag, NULL, NULL }, + { "help", 0, arg_flag, &help_flag, NULL, NULL } }; static void diff --git a/kuser/kdestroy.c b/kuser/kdestroy.c index 07e113e39..fae5e5ae8 100644 --- a/kuser/kdestroy.c +++ b/kuser/kdestroy.c @@ -47,7 +47,7 @@ struct getargs args[] = { { "credential", 0, arg_string, rk_UNCONST(&credential), "remove one credential", "principal" }, { "cache", 'c', arg_string, rk_UNCONST(&cache), "cache to destroy", "cache" }, - { "all", 'A', arg_flag, &all_flag, "destroy all caches" }, + { "all", 'A', arg_flag, &all_flag, "destroy all caches", NULL }, #ifndef NO_AFS { "unlog", 0, arg_negative_flag, &unlog_flag, "do not destroy tokens", NULL }, diff --git a/kuser/kdigest.c b/kuser/kdigest.c index 968328b38..e833b61ad 100644 --- a/kuser/kdigest.c +++ b/kuser/kdigest.c @@ -436,6 +436,7 @@ ntlm_server_init(struct ntlm_server_init_options *opt, krb5_data challenge, opaque; struct ntlm_buf data; char *s; + static char zero2[] = "\x00\x00"; memset(&type2, 0, sizeof(type2)); @@ -471,7 +472,7 @@ ntlm_server_init(struct ntlm_server_init_options *opt, krb5_err(context, 1, ret, "krb5_ntlm_init_get_flags"); krb5_ntlm_init_get_targetname(context, ntlm, &type2.targetname); - type2.targetinfo.data = "\x00\x00"; + type2.targetinfo.data = zero2; type2.targetinfo.length = 2; ret = heim_ntlm_encode_type2(&type2, &data); diff --git a/kuser/kgetcred.c b/kuser/kgetcred.c index f90acbafd..77421dca6 100644 --- a/kuser/kgetcred.c +++ b/kuser/kgetcred.c 
@@ -53,17 +53,17 @@ struct getargs args[] = { { "delegation-credential-cache",0,arg_string, &delegation_cred_str, NP_("where to find the ticket use for delegation", ""), "cache"}, { "canonicalize", 0, arg_flag, &canonicalize_flag, - NP_("canonicalize the principal", "") }, + NP_("canonicalize the principal", ""), NULL }, { "forwardable", 0, arg_flag, &forwardable_flag, - NP_("forwardable ticket requested", "")}, - { "transit-check", 0, arg_negative_flag, &transit_flag }, + NP_("forwardable ticket requested", ""), NULL}, + { "transit-check", 0, arg_negative_flag, &transit_flag, NULL, NULL }, { "enctype", 'e', arg_string, &etype_str, NP_("encryption type to use", ""), "enctype"}, { "impersonate", 0, arg_string, &impersonate_str, NP_("client to impersonate", ""), "principal"}, - { "name-type", 0, arg_string, &nametype_str }, - { "version", 0, arg_flag, &version_flag }, - { "help", 0, arg_flag, &help_flag } + { "name-type", 0, arg_string, &nametype_str, NULL, NULL }, + { "version", 0, arg_flag, &version_flag, NULL, NULL }, + { "help", 0, arg_flag, &help_flag, NULL, NULL } }; static void diff --git a/kuser/kimpersonate.c b/kuser/kimpersonate.c index 023f5587a..13a0fce20 100644 --- a/kuser/kimpersonate.c +++ b/kuser/kimpersonate.c @@ -44,7 +44,7 @@ static char *ccache_str = NULL; static char *ticket_flags_str = NULL; static TicketFlags ticket_flags; static char *keytab_file = NULL; -static char *enc_type = "des-cbc-md5"; +static const char *enc_type = "des-cbc-md5"; static int expiration_time = 3600; static struct getarg_strings client_addresses; static int version_flag = 0; 
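Review bot: `static const char *enc_type = "des-cbc-md5";` in the `@@ -44,7` hunk of kuser/kimpersonate.c keeps single DES as the default encryption type on a line the commit is already touching. Single-DES enctypes were deprecated for Kerberos by RFC 6649 and are disabled by default in many deployments, so a ticket built with the default may simply be rejected by the service. Consider requiring `--enc-type` explicitly or moving the default to a current enctype. If the legacy value has to stay, record why next to it: `/* single DES kept for legacy test setups; override with --enc-type */`.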
@@ -268,21 +268,21 @@ struct getargs args[] = { { "ccache", 0, arg_string, &ccache_str, "name of kerberos 5 credential cache", "cache-name"}, { "server", 's', arg_string, &server_principal_str, - "name of server principal" }, + "name of server principal", NULL }, { "client", 'c', arg_string, &client_principal_str, - "name of client principal" }, + "name of client principal", NULL }, { "keytab", 'k', arg_string, &keytab_file, - "name of keytab file" }, + "name of keytab file", NULL }, { "krb5", '5', arg_flag, &use_krb5, - "create a kerberos 5 ticket"}, + "create a kerberos 5 ticket", NULL }, { "expire-time", 'e', arg_integer, &expiration_time, - "lifetime of ticket in seconds" }, + "lifetime of ticket in seconds", NULL }, { "client-addresses", 'a', arg_strings, &client_addresses, - "addresses of client" }, + "addresses of client", NULL }, { "enc-type", 't', arg_string, &enc_type, - "encryption type" }, + "encryption type", NULL }, { "ticket-flags", 'f', arg_string, &ticket_flags_str, - "ticket flags for krb5 ticket" }, + "ticket flags for krb5 ticket", NULL }, { "version", 0, arg_flag, &version_flag, "Print version", NULL }, { "help", 0, arg_flag, &help_flag, NULL, @@ -302,7 +302,7 @@ usage (int ret) int main (int argc, char **argv) { - int optind = 0; + int optidx = 0; krb5_error_code ret; krb5_context context; krb5_keytab kt; @@ -313,23 +313,23 @@ main (int argc, char **argv) if (ret) errx(1, "krb5_init_context failed: %u", ret); - if (getarg (args, sizeof(args) / sizeof(args[0]), argc, argv, - &optind)) - usage (1); + if (getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx)) + usage(1); if (help_flag) - usage (0); + usage(0); if (version_flag) { print_version(NULL); return 0; } - setup_env (context, &kt); + setup_env(context, &kt); if (use_krb5) - create_krb5_tickets (context, kt); + create_krb5_tickets(context, kt); + + krb5_kt_close(context, kt); - krb5_kt_close (context, kt); return 0; } 
diff --git a/kuser/kinit.c b/kuser/kinit.c index 846232a4f..1342ebcbc 100644 --- a/kuser/kinit.c +++ b/kuser/kinit.c @@ -96,31 +96,31 @@ static struct getargs args[] = { * 9: */ { "afslog", 0 , arg_flag, &do_afslog, - NP_("obtain afs tokens", "") }, + NP_("obtain afs tokens", ""), NULL }, { "cache", 'c', arg_string, &cred_cache, NP_("credentials cache", ""), "cachename" }, { "forwardable", 0, arg_negative_flag, &forwardable_flag, - NP_("get tickets not forwardable", "")}, + NP_("get tickets not forwardable", ""), NULL }, { NULL, 'f', arg_flag, &forwardable_flag, - NP_("get forwardable tickets", "")}, + NP_("get forwardable tickets", ""), NULL }, { "keytab", 't', arg_string, &keytab_str, NP_("keytab to use", ""), "keytabname" }, { "lifetime", 'l', arg_string, &lifetime, - NP_("lifetime of tickets", ""), "time"}, + NP_("lifetime of tickets", ""), "time" }, { "proxiable", 'p', arg_flag, &proxiable_flag, - NP_("get proxiable tickets", "") }, + NP_("get proxiable tickets", ""), NULL }, { "renew", 'R', arg_flag, &renew_flag, - NP_("renew TGT", "") }, + NP_("renew TGT", ""), NULL }, { "renewable", 0, arg_flag, &renewable_flag, - NP_("get renewable tickets", "") }, + NP_("get renewable tickets", ""), NULL }, { "renewable-life", 'r', arg_string, &renew_life, NP_("renewable lifetime of tickets", ""), "time" }, 
@@ -132,40 +132,40 @@ static struct getargs args[] = { NP_("when ticket gets valid", ""), "time" }, { "use-keytab", 'k', arg_flag, &use_keytab, - NP_("get key from keytab", "") }, + NP_("get key from keytab", ""), NULL }, { "validate", 'v', arg_flag, &validate_flag, - NP_("validate TGT", "") }, + NP_("validate TGT", ""), NULL }, { "enctypes", 'e', arg_strings, &etype_str, NP_("encryption types to use", ""), "enctypes" }, { "fcache-version", 0, arg_integer, &fcache_version, - NP_("file cache version to create", "") }, + NP_("file cache version to create", ""), NULL }, { "addresses", 'A', arg_negative_flag, &addrs_flag, - NP_("request a ticket with no addresses", "") }, + NP_("request a ticket with no addresses", ""), NULL }, { "extra-addresses",'a', arg_strings, &extra_addresses, NP_("include these extra addresses", ""), "addresses" }, { "anonymous", 0, arg_flag, &anonymous_flag, - NP_("request an anonymous ticket", "") }, + NP_("request an anonymous ticket", ""), NULL }, { "request-pac", 0, arg_flag, &pac_flag, - NP_("request a Windows PAC", "") }, + NP_("request a Windows PAC", ""), NULL }, { "password-file", 0, arg_string, &password_file, - NP_("read the password from a file", "") }, + NP_("read the password from a file", ""), NULL }, { "canonicalize",0, arg_flag, &canonicalize_flag, - NP_("canonicalize client principal", "") }, + NP_("canonicalize client principal", ""), NULL }, { "enterprise",0, arg_flag, &enterprise_flag, - NP_("parse principal as a KRB5-NT-ENTERPRISE name", "") }, + NP_("parse principal as a KRB5-NT-ENTERPRISE name", ""), NULL }, #ifdef PKINIT { "pk-enterprise", 0, arg_flag, &pk_enterprise_flag, - NP_("use enterprise name from certificate", "") }, + NP_("use enterprise name from certificate", ""), NULL }, { "pk-user", 'C', arg_string, &pk_user_id, NP_("principal's public/private/certificate identifier", ""), "id" }, 
@@ -174,7 +174,7 @@ static struct getargs args[] = { NP_("directory with CA certificates", ""), "directory" }, { "pk-use-enckey", 0, arg_flag, &pk_use_enckey, - NP_("Use RSA encrypted reply (instead of DH)", "") }, + NP_("Use RSA encrypted reply (instead of DH)", ""), NULL }, #endif #ifndef NO_NTLM { "ntlm-domain", 0, arg_string, &ntlm_domain, @@ -182,19 +182,19 @@ static struct getargs args[] = { #endif { "change-default", 0, arg_negative_flag, &switch_cache_flags, - NP_("switch the default cache to the new credentials cache", "") }, + NP_("switch the default cache to the new credentials cache", ""), NULL }, { "ok-as-delegate", 0, arg_flag, &ok_as_delegate_flag, - NP_("honor ok-as-delegate on tickets", "") }, + NP_("honor ok-as-delegate on tickets", ""), NULL }, { "use-referrals", 0, arg_flag, &use_referrals_flag, - NP_("only use referrals, no dns canalisation", "") }, + NP_("only use referrals, no dns canalisation", ""), NULL }, { "windows", 0, arg_flag, &windows_flag, - NP_("get windows behavior", "") }, + NP_("get windows behavior", ""), NULL }, - { "version", 0, arg_flag, &version_flag }, - { "help", 0, arg_flag, &help_flag } + { "version", 0, arg_flag, &version_flag, NULL, NULL }, + { "help", 0, arg_flag, &help_flag, NULL, NULL } }; static void @@ -357,7 +357,7 @@ get_new_tickets(krb5_context context, char passwd[256]; krb5_deltat start_time = 0; krb5_deltat renew = 0; - char *renewstr = NULL; + const char *renewstr = NULL; krb5_enctype *enctype = NULL; krb5_ccache tempccache; #ifndef NO_NTLM diff --git a/kuser/klist.c b/kuser/klist.c index aef1cf9b2..f77908a34 100644 --- a/kuser/klist.c +++ b/kuser/klist.c @@ -124,7 +124,7 @@ print_cred(krb5_context context, krb5_creds *cred, rtbl_t ct, int do_flags) static void print_cred_verbose(krb5_context context, krb5_creds *cred) { - int j; + size_t j; char *str; krb5_error_code ret; krb5_timestamp sec; diff --git a/kuser/kswitch.c b/kuser/kswitch.c index c6915f7bd..b8ea7b951 100644 --- a/kuser/kswitch.c 
+++ b/kuser/kswitch.c @@ -35,11 +35,11 @@ #include "kcc-commands.h" #ifdef HAVE_READLINE -char *readline(char *prompt); +char *readline(const char *prompt); #else static char * -readline(char *prompt) +readline(const char *prompt) { char buf[BUFSIZ]; printf ("%s", prompt); diff --git a/lib/asn1/der_format.c b/lib/asn1/der_format.c index fc79a30b5..4f06c1b01 100644 --- a/lib/asn1/der_format.c +++ b/lib/asn1/der_format.c @@ -108,7 +108,7 @@ int der_print_heim_oid (const heim_oid *oid, char delim, char **str) { struct rk_strpool *p = NULL; - int i; + size_t i; if (oid->length == 0) return EINVAL; diff --git a/lib/asn1/der_get.c b/lib/asn1/der_get.c index 3ea0d5ea1..3112da86f 100644 --- a/lib/asn1/der_get.c +++ b/lib/asn1/der_get.c @@ -141,9 +141,9 @@ der_get_general_string (const unsigned char *p, size_t len, * an strings in the NEED_PREAUTH case that includes a * trailing NUL. */ - while (p1 - p < len && *p1 == '\0') + while ((size_t)(p1 - p) < len && *p1 == '\0') p1++; - if (p1 - p != len) + if ((size_t)(p1 - p) != len) return ASN1_BAD_CHARACTER; } if (len > len + 1) diff --git a/lib/asn1/der_length.c b/lib/asn1/der_length.c index 7a41de9d2..db8202586 100644 --- a/lib/asn1/der_length.c +++ b/lib/asn1/der_length.c @@ -86,7 +86,7 @@ static size_t len_oid (const heim_oid *oid) { size_t ret = 1; - int n; + size_t n; for (n = 2; n < oid->length; ++n) { unsigned u = oid->components[n]; diff --git a/lib/asn1/gen_decode.c b/lib/asn1/gen_decode.c index 002a471e9..082580a27 100644 --- a/lib/asn1/gen_decode.c +++ b/lib/asn1/gen_decode.c @@ -209,7 +209,8 @@ range_check(const char *name, static int decode_type (const char *name, const Type *t, int optional, - const char *forwstr, const char *tmpstr, const char *dertype) + const char *forwstr, const char *tmpstr, const char *dertype, + size_t depth) { switch (t->type) { case TType: { 
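Review bot: The `(size_t)(p1 - p)` casts added in the `@@ -141,9` hunk of lib/asn1/der_get.c are sound only while `p1 >= p`, and nothing in the hunk records why that holds. `p1` is assigned above the hunk, presumably from a search inside `[p, p + len)`; if so, a one-line comment ahead of the loop would pin the invariant for the next reader of this embedded-NUL check: `/* p1 points into [p, p + len), so p1 - p is non-negative */`. `der_get_general_string` begins and ends outside the hunk.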
@@ -328,7 +329,8 @@ decode_type (const char *name, const Type *t, int optional, if (asprintf (&s, "%s(%s)->%s", m->optional ? "" : "&", name, m->gen_name) < 0 || s == NULL) errx(1, "malloc"); - decode_type (s, m->type, m->optional, forwstr, m->gen_name, NULL); + decode_type (s, m->type, m->optional, forwstr, m->gen_name, NULL, + depth + 1); free (s); } @@ -369,7 +371,7 @@ decode_type (const char *name, const Type *t, int optional, "%s = calloc(1, sizeof(*%s));\n" "if (%s == NULL) { e = ENOMEM; %s; }\n", s, s, s, forwstr); - decode_type (s, m->type, 0, forwstr, m->gen_name, NULL); + decode_type (s, m->type, 0, forwstr, m->gen_name, NULL, depth + 1); free (s); fprintf(codefile, "members |= (1 << %d);\n", memno); @@ -442,7 +444,7 @@ decode_type (const char *name, const Type *t, int optional, errx(1, "malloc"); if (asprintf (&sname, "%s_s_of", tmpstr) < 0 || sname == NULL) errx(1, "malloc"); - decode_type (n, t->subtype, 0, forwstr, sname, NULL); + decode_type (n, t->subtype, 0, forwstr, sname, NULL, depth + 1); fprintf (codefile, "(%s)->len++;\n" "len = %s_origlen - ret;\n" @@ -480,7 +482,7 @@ decode_type (const char *name, const Type *t, int optional, tmpstr, tmpstr, typestring); if(support_ber) fprintf(codefile, - "int is_indefinite;\n"); + "int is_indefinite%zu;\n", depth); fprintf(codefile, "e = der_match_tag_and_length(p, len, %s, &%s, %s, " "&%s_datalen, &l);\n", 
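Review bot: `"int is_indefinite%zu;\n", depth` in the `@@ -480,7` hunk, and the three `is_indefinite%zu` format strings in the `@@ -516,20` hunk, depend on the C99 `z` length modifier in the ASN.1 compiler's own `fprintf`. This patch series also carries Windows build fixes, and older Microsoft C runtimes do not implement `%zu`, in which case the generated decoder would declare and test a malformed identifier. A portable spelling is `"int is_indefinite%lu;\n", (unsigned long)depth`, or declaring the new parameter as `unsigned int depth` and printing it with `%u`. Worth confirming against the toolchains the generator is built with.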
@@ -516,20 +518,20 @@ decode_type (const char *name, const Type *t, int optional, tmpstr); if(support_ber) fprintf (codefile, - "if((is_indefinite = _heim_fix_dce(%s_datalen, &len)) < 0)\n" + "if((is_indefinite%zu = _heim_fix_dce(%s_datalen, &len)) < 0)\n" "{ e = ASN1_BAD_FORMAT; %s; }\n" - "if (is_indefinite) { if (len < 2) { e = ASN1_OVERRUN; %s; } len -= 2; }", - tmpstr, forwstr, forwstr); + "if (is_indefinite%zu) { if (len < 2) { e = ASN1_OVERRUN; %s; } len -= 2; }", + depth, tmpstr, forwstr, depth, forwstr); else fprintf(codefile, "if (%s_datalen > len) { e = ASN1_OVERRUN; %s; }\n" "len = %s_datalen;\n", tmpstr, forwstr, tmpstr); if (asprintf (&tname, "%s_Tag", tmpstr) < 0 || tname == NULL) errx(1, "malloc"); - decode_type (name, t->subtype, 0, forwstr, tname, ide); + decode_type (name, t->subtype, 0, forwstr, tname, ide, depth + 1); if(support_ber) fprintf(codefile, - "if(is_indefinite){\n" + "if(is_indefinite%zu){\n" "len += 2;\n" "e = der_match_tag_and_length(p, len, " "(Der_class)0, &%s, UT_EndOfContent, " @@ -538,6 +540,7 @@ decode_type (const char *name, const Type *t, int optional, "p += l; len -= l; ret += l;\n" "if (%s != (Der_type)0) { e = ASN1_BAD_ID; %s; }\n" "} else \n", + depth, typestring, tmpstr, forwstr, @@ -584,7 +587,8 @@ decode_type (const char *name, const Type *t, int optional, if (asprintf (&s, "%s(%s)->u.%s", m->optional ? "" : "&", name, m->gen_name) < 0 || s == NULL) errx(1, "malloc"); - decode_type (s, m->type, m->optional, forwstr, m->gen_name, NULL); + decode_type (s, m->type, m->optional, forwstr, m->gen_name, NULL, + depth + 1); fprintf(codefile, "(%s)->element = %s;\n", name, m->label); 
@@ -702,7 +706,7 @@ generate_type_decode (const Symbol *s) fprintf (codefile, "\n"); fprintf (codefile, "memset(data, 0, sizeof(*data));\n"); /* hack to avoid `unused variable' */ - decode_type ("data", s->type, 0, "goto fail", "Top", NULL); + decode_type ("data", s->type, 0, "goto fail", "Top", NULL, 1); if (preserve) fprintf (codefile, "data->_save.data = calloc(1, ret);\n" diff --git a/lib/asn1/gen_encode.c b/lib/asn1/gen_encode.c index 43f29c1fe..a9d2848a2 100644 --- a/lib/asn1/gen_encode.c +++ b/lib/asn1/gen_encode.c @@ -302,7 +302,7 @@ encode_type (const char *name, const Type *t, const char *tmpstr) name, name); fprintf(codefile, - "for(i = 0; i < (%s)->len; i++) {\n", + "for(i = 0; i < (int)(%s)->len; i++) {\n", name); fprintf(codefile, @@ -326,7 +326,7 @@ encode_type (const char *name, const Type *t, const char *tmpstr) fprintf(codefile, "if (totallen > len) {\n" - "for (i = 0; i < (%s)->len; i++) {\n" + "for (i = 0; i < (int)(%s)->len; i++) {\n" "free(val[i].data);\n" "}\n" "free(val);\n" @@ -339,7 +339,7 @@ encode_type (const char *name, const Type *t, const char *tmpstr) name); fprintf (codefile, - "for(i = (%s)->len - 1; i >= 0; --i) {\n" + "for(i = (int)(%s)->len - 1; i >= 0; --i) {\n" "p -= val[i].length;\n" "ret += val[i].length;\n" "memcpy(p + 1, val[i].data, val[i].length);\n" @@ -355,7 +355,7 @@ encode_type (const char *name, const Type *t, const char *tmpstr) char *n = NULL; fprintf (codefile, - "for(i = (%s)->len - 1; i >= 0; --i) {\n" + "for(i = (int)(%s)->len - 1; i >= 0; --i) {\n" "size_t %s_for_oldret = ret;\n" "ret = 0;\n", name, tmpstr); diff --git a/lib/asn1/timegm.c b/lib/asn1/timegm.c index 1b3b47fa5..cd28c5c83 100644 --- a/lib/asn1/timegm.c +++ b/lib/asn1/timegm.c 
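Review bot: The `(int)` casts added to the generated loops in lib/asn1/gen_encode.c (`i < (int)(%s)->len` and `i = (int)(%s)->len - 1`, across all four hunks) silence the sign-compare warning by narrowing the length instead of checking it. If `len` is an unsigned type, as the need for the cast suggests, a count above INT_MAX typically converts to a negative value, and the emitted encoder would then skip the elements without reporting an error. Emitting a range check ahead of the loops, for example `if ((%s)->len > INT_MAX) return ERANGE;`, would keep the warning fix and make the limit explicit. The declaration of `i` in the generated code is outside these hunks, so its type should be confirmed.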
@@ -56,13 +56,13 @@ time_t _der_timegm (struct tm *tm) { time_t res = 0; - unsigned i; + int i; if (tm->tm_year < 0) return -1; if (tm->tm_mon < 0 || tm->tm_mon > 11) return -1; - if (tm->tm_mday < 1 || tm->tm_mday > ndays[is_leap(tm->tm_year)][tm->tm_mon]) + if (tm->tm_mday < 1 || tm->tm_mday > (int)ndays[is_leap(tm->tm_year)][tm->tm_mon]) return -1; if (tm->tm_hour < 0 || tm->tm_hour > 23) return -1; diff --git a/lib/gssapi/gen-oid.pl b/lib/gssapi/gen-oid.pl index 73549ad5e..4a519f89a 100644 --- a/lib/gssapi/gen-oid.pl +++ b/lib/gssapi/gen-oid.pl @@ -110,7 +110,7 @@ while(<>) { printf "#define $name (&$store)\n\n"; } else { printf "/* $name - $oid */\n"; - printf "gss_OID_desc GSSAPI_LIB_VARIABLE $store = { $length, \"$data\" };\n\n"; + printf "gss_OID_desc GSSAPI_LIB_VARIABLE $store = { $length, rk_UNCONST(\"$data\") };\n\n"; } } elsif (/^desc\s+([\w]+)\s+(\w+)\s+(\"[^\"]*\")\s+(\"[^\"]*\")/) { my ($type, $oid, $short, $long) = ($1, $2, $3, $4); diff --git a/lib/gssapi/gsstool.c b/lib/gssapi/gsstool.c index da043281f..d07656a33 100644 --- a/lib/gssapi/gsstool.c +++ b/lib/gssapi/gsstool.c @@ -132,7 +132,7 @@ supported_mechanisms(void *argptr, int argc, char **argv) return 0; } -void static +static void print_mech_attr(const char *mechname, gss_const_OID mech, gss_OID_set set) { gss_buffer_desc name, desc; diff --git a/lib/gssapi/krb5/arcfour.c b/lib/gssapi/krb5/arcfour.c index dc59e997b..5be8cbcaa 100644 --- a/lib/gssapi/krb5/arcfour.c +++ b/lib/gssapi/krb5/arcfour.c @@ -255,7 +255,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status, const gss_buffer_t token_buffer, gss_qop_t * qop_state, krb5_keyblock *key, - char *type) + const char *type) { krb5_error_code ret; uint32_t seq_number; @@ -270,7 +270,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status, p = token_buffer->value; omret = _gsskrb5_verify_header (&p, token_buffer->length, - (u_char *)type, + type, GSS_KRB5_MECHANISM); if (omret) return omret; 
diff --git a/lib/gssapi/krb5/cfx.c b/lib/gssapi/krb5/cfx.c index 1189718ad..4d40060d2 100755 --- a/lib/gssapi/krb5/cfx.c +++ b/lib/gssapi/krb5/cfx.c @@ -285,7 +285,8 @@ _gssapi_wrap_cfx_iov(OM_uint32 *minor_status, gss_iov_buffer_desc *header, *trailer, *padding; size_t gsshsize, k5hsize; size_t gsstsize, k5tsize; - size_t i, rrc = 0, ec = 0; + size_t rrc = 0, ec = 0; + int i; gss_cfx_wrap_token token; krb5_error_code ret; int32_t seq_number; @@ -666,7 +667,7 @@ unrotate_iov(OM_uint32 *minor_status, size_t rrc, gss_iov_buffer_desc *iov, int q += iov[i].buffer.length; } } - assert((q - p) == len); + assert((size_t)(q - p) == len); /* unrotate first part */ q = p + rrc; diff --git a/lib/gssapi/krb5/external.c b/lib/gssapi/krb5/external.c index d6f14a48f..c0b92c915 100644 --- a/lib/gssapi/krb5/external.c +++ b/lib/gssapi/krb5/external.c @@ -180,7 +180,7 @@ static gss_mo_desc krb5_mo[] = { GSS_C_MA_SASL_MECH_NAME, GSS_MO_MA, "SASL mech name", - "GS2-KRB5", + rk_UNCONST("GS2-KRB5"), _gss_mo_get_ctx_as_string, NULL }, @@ -188,7 +188,7 @@ static gss_mo_desc krb5_mo[] = { GSS_C_MA_MECH_NAME, GSS_MO_MA, "Mechanism name", - "KRB5", + rk_UNCONST("KRB5"), _gss_mo_get_ctx_as_string, NULL }, @@ -196,7 +196,7 @@ static gss_mo_desc krb5_mo[] = { GSS_C_MA_MECH_DESCRIPTION, GSS_MO_MA, "Mechanism description", - "Heimdal Kerberos 5 mech", + rk_UNCONST("Heimdal Kerberos 5 mech"), _gss_mo_get_ctx_as_string, NULL }, @@ -214,19 +214,19 @@ static gss_mo_desc krb5_mo[] = { }, { GSS_C_MA_AUTH_TARG, - GSS_MO_MA + .flags = GSS_MO_MA }, { GSS_C_MA_AUTH_INIT_ANON, - GSS_MO_MA + .flags = GSS_MO_MA }, { GSS_C_MA_DELEG_CRED, - GSS_MO_MA + .flags = GSS_MO_MA }, { GSS_C_MA_INTEG_PROT, - GSS_MO_MA + .flags = GSS_MO_MA }, { GSS_C_MA_CONF_PROT, 
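Review bot: In the `@@ -214,19 +214,19 @@` hunk of lib/gssapi/krb5/external.c, the four entries changed to `.flags = GSS_MO_MA` mix a positional first member with a designated second one, while the `krb5_mo` entries in the preceding hunk stay fully positional. If the aim is to quiet a missing-initializer warning, spelling the remaining members out, as this commit does for `krb5_mech` with explicit `NULL`s, would be more uniform and would not depend on C99 designated initializers: `GSS_MO_MA, NULL, NULL, NULL, NULL`. That count assumes the six-member entries shown earlier in the table list every field of `gss_mo_desc`. The table itself starts and ends outside the hunk.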
@@ -273,7 +273,7 @@ static gss_mo_desc krb5_mo[] = { static gssapi_mech_interface_desc krb5_mech = { GMI_VERSION, "kerberos 5", - {9, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" }, + {9, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02") }, 0, _gsskrb5_acquire_cred, _gsskrb5_release_cred, @@ -323,7 +323,13 @@ static gssapi_mech_interface_desc krb5_mech = { NULL, NULL, krb5_mo, - sizeof(krb5_mo) / sizeof(krb5_mo[0]) + sizeof(krb5_mo) / sizeof(krb5_mo[0]), + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, }; gssapi_mech_interface diff --git a/lib/gssapi/krb5/init_sec_context.c b/lib/gssapi/krb5/init_sec_context.c index 84a839aa3..4df26c48e 100644 --- a/lib/gssapi/krb5/init_sec_context.c +++ b/lib/gssapi/krb5/init_sec_context.c @@ -675,7 +675,8 @@ init_auth_restart output_token->length = outbuf.length; } else { ret = _gsskrb5_encapsulate (minor_status, &outbuf, output_token, - (u_char *)"\x01\x00", GSS_KRB5_MECHANISM); + (u_char *)(intptr_t)"\x01\x00", + GSS_KRB5_MECHANISM); krb5_data_free (&outbuf); if (ret) goto failure; @@ -910,20 +911,20 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_init_sec_context return GSS_S_BAD_MECH; if (input_token == GSS_C_NO_BUFFER || input_token->length == 0) { - OM_uint32 ret; + OM_uint32 ret1; if (*context_handle != GSS_C_NO_CONTEXT) { *minor_status = 0; return GSS_S_FAILURE | GSS_S_CALL_BAD_STRUCTURE; } - ret = _gsskrb5_create_ctx(minor_status, + ret1 = _gsskrb5_create_ctx(minor_status, context_handle, context, input_chan_bindings, INITIATOR_START); - if (ret) - return ret; + if (ret1) + return ret1; } if (*context_handle == GSS_C_NO_CONTEXT) { diff --git a/lib/gssapi/krb5/prf.c b/lib/gssapi/krb5/prf.c index 323b4cc72..162a30970 100644 --- a/lib/gssapi/krb5/prf.c +++ b/lib/gssapi/krb5/prf.c 
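Review bot: The const-stripping in the `@@ -675,7 +675,8 @@` hunk of lib/gssapi/krb5/init_sec_context.c is written as `(u_char *)(intptr_t)"\x01\x00"`, whereas the rest of this commit uses `rk_UNCONST(...)` for the same purpose. Using `rk_UNCONST("\x01\x00")` here keeps a single, greppable idiom for the places where a literal is deliberately passed through a non-const parameter. The same applies to `(void *)(intptr_t)"\x01\x01"` in the `@@ -348,7 +348,7 @@` hunk of verify_mic.c. There the cast looks unnecessary altogether, since this commit changes the `type` parameter to `const char *`, and the matching call in process_context_token.c passes the literal `"\x01\x02"` uncast.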
@@ -47,18 +47,21 @@ _gsskrb5_pseudo_random(OM_uint32 *minor_status, krb5_crypto crypto; krb5_data input, output; uint32_t num; + OM_uint32 junk; unsigned char *p; krb5_keyblock *key = NULL; + size_t dol; if (ctx == NULL) { *minor_status = 0; return GSS_S_NO_CONTEXT; } - if (desired_output_len <= 0) { + if (desired_output_len <= 0 || prf_in->length + 4 < prf_in->length) { *minor_status = 0; return GSS_S_FAILURE; } + dol = desired_output_len; GSSAPI_KRB5_INIT (&context); @@ -88,21 +91,20 @@ _gsskrb5_pseudo_random(OM_uint32 *minor_status, return GSS_S_FAILURE; } - prf_out->value = malloc(desired_output_len); + prf_out->value = malloc(dol); if (prf_out->value == NULL) { _gsskrb5_set_status(GSS_KRB5_S_KG_INPUT_TOO_LONG, "Out of memory"); *minor_status = GSS_KRB5_S_KG_INPUT_TOO_LONG; krb5_crypto_destroy(context, crypto); return GSS_S_FAILURE; } - prf_out->length = desired_output_len; + prf_out->length = dol; HEIMDAL_MUTEX_lock(&ctx->ctx_id_mutex); input.length = prf_in->length + 4; input.data = malloc(prf_in->length + 4); if (input.data == NULL) { - OM_uint32 junk; _gsskrb5_set_status(GSS_KRB5_S_KG_INPUT_TOO_LONG, "Out of memory"); *minor_status = GSS_KRB5_S_KG_INPUT_TOO_LONG; gss_release_buffer(&junk, prf_out); @@ -110,15 +112,17 @@ _gsskrb5_pseudo_random(OM_uint32 *minor_status, HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); return GSS_S_FAILURE; } - memcpy(((unsigned char *)input.data) + 4, prf_in->value, prf_in->length); + memcpy(((uint8_t *)input.data) + 4, prf_in->value, prf_in->length); num = 0; p = prf_out->value; - while(desired_output_len > 0) { + while(dol > 0) { + size_t tsize; + _gsskrb5_encode_om_uint32(num, input.data); + ret = krb5_crypto_prf(context, crypto, &input, &output); if (ret) { - OM_uint32 junk; *minor_status = ret; free(input.data); gss_release_buffer(&junk, prf_out); 
@@ -126,9 +130,11 @@ _gsskrb5_pseudo_random(OM_uint32 *minor_status, HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); return GSS_S_FAILURE; } - memcpy(p, output.data, min(desired_output_len, output.length)); + + tsize = min(dol, output.length); + memcpy(p, output.data, tsize); p += output.length; - desired_output_len -= output.length; + dol -= tsize; krb5_data_free(&output); num++; } diff --git a/lib/gssapi/krb5/process_context_token.c b/lib/gssapi/krb5/process_context_token.c index 4feda0de0..0cc1c07cf 100644 --- a/lib/gssapi/krb5/process_context_token.c +++ b/lib/gssapi/krb5/process_context_token.c @@ -52,7 +52,8 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_process_context_token ( (gsskrb5_ctx)context_handle, context, token_buffer, &empty_buffer, - GSS_C_QOP_DEFAULT, "\x01\x02"); + GSS_C_QOP_DEFAULT, + "\x01\x02"); if (ret == GSS_S_COMPLETE) ret = _gsskrb5_delete_sec_context(minor_status, diff --git a/lib/gssapi/krb5/sequence.c b/lib/gssapi/krb5/sequence.c index fbbc5b6c7..c53b91aa6 100644 --- a/lib/gssapi/krb5/sequence.c +++ b/lib/gssapi/krb5/sequence.c @@ -141,7 +141,7 @@ OM_uint32 _gssapi_msg_order_check(struct gss_msg_order *o, OM_uint32 seq_num) { OM_uint32 r; - int i; + size_t i; if (o == NULL) return GSS_S_COMPLETE; diff --git a/lib/gssapi/krb5/unwrap.c b/lib/gssapi/krb5/unwrap.c index 7620d691b..3c7ba2944 100644 --- a/lib/gssapi/krb5/unwrap.c +++ b/lib/gssapi/krb5/unwrap.c @@ -54,7 +54,7 @@ unwrap_des DES_key_schedule schedule; DES_cblock deskey; DES_cblock zero; - int i; + size_t i; uint32_t seq_number; size_t padlength; OM_uint32 ret; diff --git a/lib/gssapi/krb5/verify_mic.c b/lib/gssapi/krb5/verify_mic.c index 9a5445698..3123787ff 100644 --- a/lib/gssapi/krb5/verify_mic.c +++ b/lib/gssapi/krb5/verify_mic.c @@ -44,7 +44,7 @@ verify_mic_des const gss_buffer_t token_buffer, gss_qop_t * qop_state, krb5_keyblock *key, - char *type + const char *type ) { u_char *p; 
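Review bot: In the `@@ -126,9 +130,11 @@` hunk of lib/gssapi/krb5/prf.c the output pointer still advances by the whole block, `p += output.length;`, although only `tsize` bytes are copied and `dol` is reduced by `tsize`. On the final iteration this can move `p` more than one element past the end of the `prf_out->value` allocation, which is undefined pointer arithmetic even though the loop then exits without dereferencing it; `p += tsize;` keeps pointer, copy length and remaining count in step. Separately, if `krb5_crypto_prf` ever produced a zero-length `output`, `dol` would never shrink and the loop would spin while `ctx->ctx_id_mutex` is held, so a check such as `if (output.length == 0)` routed to the existing failure cleanup is worth adding. The loop header and the lock are in the previous hunk.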
@@ -142,7 +142,7 @@ verify_mic_des3 const gss_buffer_t token_buffer, gss_qop_t * qop_state, krb5_keyblock *key, - char *type + const char *type ) { u_char *p; @@ -276,7 +276,7 @@ _gsskrb5_verify_mic_internal const gss_buffer_t message_buffer, const gss_buffer_t token_buffer, gss_qop_t * qop_state, - char * type + const char * type ) { krb5_keyblock *key; @@ -348,7 +348,7 @@ _gsskrb5_verify_mic (gsskrb5_ctx)context_handle, context, message_buffer, token_buffer, - qop_state, "\x01\x01"); + qop_state, (void *)(intptr_t)"\x01\x01"); return ret; } diff --git a/lib/gssapi/krb5/wrap.c b/lib/gssapi/krb5/wrap.c index 54f92df60..efd0d82c4 100644 --- a/lib/gssapi/krb5/wrap.c +++ b/lib/gssapi/krb5/wrap.c @@ -214,7 +214,7 @@ wrap_des EVP_CIPHER_CTX des_ctx; DES_cblock deskey; DES_cblock zero; - int i; + size_t i; int32_t seq_number; size_t len, total_len, padlength, datalen; diff --git a/lib/gssapi/mech/gss_acquire_cred.c b/lib/gssapi/mech/gss_acquire_cred.c index c9900148c..ade65df8e 100644 --- a/lib/gssapi/mech/gss_acquire_cred.c +++ b/lib/gssapi/mech/gss_acquire_cred.c @@ -46,7 +46,7 @@ gss_acquire_cred(OM_uint32 *minor_status, struct _gss_cred *cred; struct _gss_mechanism_cred *mc; OM_uint32 min_time, cred_time; - int i; + size_t i; *minor_status = 0; if (output_cred_handle == NULL) diff --git a/lib/gssapi/mech/gss_aeap.c b/lib/gssapi/mech/gss_aeap.c index 141b6ae5a..99a13036b 100644 --- a/lib/gssapi/mech/gss_aeap.c +++ b/lib/gssapi/mech/gss_aeap.c @@ -168,7 +168,7 @@ gss_release_iov_buffer(OM_uint32 *minor_status, int iov_count) { OM_uint32 junk; - size_t i; + int i; if (minor_status) *minor_status = 0; diff --git a/lib/gssapi/mech/gss_buffer_set.c b/lib/gssapi/mech/gss_buffer_set.c index 3099b163b..48fb720ad 100644 --- a/lib/gssapi/mech/gss_buffer_set.c +++ b/lib/gssapi/mech/gss_buffer_set.c 
@@ -100,7 +100,7 @@ GSSAPI_LIB_FUNCTION OM_uint32 GSSAPI_LIB_CALL gss_release_buffer_set(OM_uint32 * minor_status, gss_buffer_set_t *buffer_set) { - int i; + size_t i; OM_uint32 minor; *minor_status = 0; diff --git a/lib/gssapi/mech/gss_cred.c b/lib/gssapi/mech/gss_cred.c index b8fa11185..31885e4f0 100644 --- a/lib/gssapi/mech/gss_cred.c +++ b/lib/gssapi/mech/gss_cred.c @@ -85,7 +85,7 @@ gss_export_cred(OM_uint32 * minor_status, } ret = krb5_storage_write(sp, buffer.value, buffer.length); - if (ret != buffer.length) { + if (ret < 0 || (size_t)ret != buffer.length) { gss_release_buffer(minor_status, &buffer); krb5_storage_free(sp); *minor_status = EINVAL; diff --git a/lib/gssapi/mech/gss_indicate_mechs.c b/lib/gssapi/mech/gss_indicate_mechs.c index 59a1dcf22..475dbfba0 100644 --- a/lib/gssapi/mech/gss_indicate_mechs.c +++ b/lib/gssapi/mech/gss_indicate_mechs.c @@ -35,7 +35,7 @@ gss_indicate_mechs(OM_uint32 *minor_status, struct _gss_mech_switch *m; OM_uint32 major_status; gss_OID_set set; - int i; + size_t i; _gss_load_mech(); diff --git a/lib/gssapi/mech/gss_inquire_context.c b/lib/gssapi/mech/gss_inquire_context.c index 0658267b2..256807598 100644 --- a/lib/gssapi/mech/gss_inquire_context.c +++ b/lib/gssapi/mech/gss_inquire_context.c @@ -37,7 +37,7 @@ gss_inquire_context(OM_uint32 *minor_status, gss_OID *mech_type, OM_uint32 *ctx_flags, int *locally_initiated, - int *open) + int *xopen) { OM_uint32 major_status; struct _gss_context *ctx = (struct _gss_context *) context_handle; @@ -47,8 +47,8 @@ gss_inquire_context(OM_uint32 *minor_status, if (locally_initiated) *locally_initiated = 0; - if (open) - *open = 0; + if (xopen) + *xopen = 0; if (lifetime_rec) *lifetime_rec = 0; @@ -68,7 +68,7 @@ gss_inquire_context(OM_uint32 *minor_status, mech_type, ctx_flags, locally_initiated, - open); + xopen); if (major_status != GSS_S_COMPLETE) { _gss_mg_error(m, major_status, *minor_status); 
diff --git a/lib/gssapi/mech/gss_inquire_cred_by_oid.c b/lib/gssapi/mech/gss_inquire_cred_by_oid.c index 900370a5d..e674dd48f 100644 --- a/lib/gssapi/mech/gss_inquire_cred_by_oid.c +++ b/lib/gssapi/mech/gss_inquire_cred_by_oid.c @@ -52,7 +52,7 @@ gss_inquire_cred_by_oid (OM_uint32 *minor_status, HEIM_SLIST_FOREACH(mc, &cred->gc_mc, gmc_link) { gss_buffer_set_t rset = GSS_C_NO_BUFFER_SET; - int i; + size_t i; m = mc->gmc_mech; if (m == NULL) { diff --git a/lib/gssapi/mech/gss_krb5.c b/lib/gssapi/mech/gss_krb5.c index a88ae8112..fe88a384b 100644 --- a/lib/gssapi/mech/gss_krb5.c +++ b/lib/gssapi/mech/gss_krb5.c @@ -439,7 +439,7 @@ gss_krb5_set_allowable_enctypes(OM_uint32 *minor_status, gss_buffer_desc buffer; krb5_storage *sp; krb5_data data; - int i; + size_t i; sp = krb5_storage_emem(); if (sp == NULL) { diff --git a/lib/gssapi/mech/gss_mo.c b/lib/gssapi/mech/gss_mo.c index cb24b764a..f00afb091 100644 --- a/lib/gssapi/mech/gss_mo.c +++ b/lib/gssapi/mech/gss_mo.c 
@@ -434,28 +434,28 @@ gss_display_mech_attr(OM_uint32 * minor_status, return GSS_S_BAD_MECH_ATTR; if (name) { - gss_buffer_desc n; - n.value = rk_UNCONST(ma->name); - n.length = strlen(ma->name); - major = _gss_copy_buffer(minor_status, &n, name); + gss_buffer_desc bd; + bd.value = rk_UNCONST(ma->name); + bd.length = strlen(ma->name); + major = _gss_copy_buffer(minor_status, &bd, name); if (major != GSS_S_COMPLETE) return major; } if (short_desc) { - gss_buffer_desc n; - n.value = rk_UNCONST(ma->short_desc); - n.length = strlen(ma->short_desc); - major = _gss_copy_buffer(minor_status, &n, short_desc); + gss_buffer_desc bd; + bd.value = rk_UNCONST(ma->short_desc); + bd.length = strlen(ma->short_desc); + major = _gss_copy_buffer(minor_status, &bd, short_desc); if (major != GSS_S_COMPLETE) return major; } if (long_desc) { - gss_buffer_desc n; - n.value = rk_UNCONST(ma->long_desc); - n.length = strlen(ma->long_desc); - major = _gss_copy_buffer(minor_status, &n, long_desc); + gss_buffer_desc bd; + bd.value = rk_UNCONST(ma->long_desc); + bd.length = strlen(ma->long_desc); + major = _gss_copy_buffer(minor_status, &bd, long_desc); if (major != GSS_S_COMPLETE) return major; } diff --git a/lib/gssapi/mech/gss_oid.c b/lib/gssapi/mech/gss_oid.c index bac97cacd..b2b7fa35a 100644 --- a/lib/gssapi/mech/gss_oid.c +++ b/lib/gssapi/mech/gss_oid.c 
@@ -2,220 +2,220 @@ #include "mech_locl.h" /* GSS_KRB5_COPY_CCACHE_X - 1.2.752.43.13.1 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_copy_ccache_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x01" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_copy_ccache_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x01") }; /* GSS_KRB5_GET_TKT_FLAGS_X - 1.2.752.43.13.2 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_tkt_flags_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x02" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_tkt_flags_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x02") }; /* GSS_KRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT_X - 1.2.752.43.13.3 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_extract_authz_data_from_sec_context_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x03" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_extract_authz_data_from_sec_context_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x03") }; /* GSS_KRB5_COMPAT_DES3_MIC_X - 1.2.752.43.13.4 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_compat_des3_mic_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x04" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_compat_des3_mic_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x04") }; /* GSS_KRB5_REGISTER_ACCEPTOR_IDENTITY_X - 1.2.752.43.13.5 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_register_acceptor_identity_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x05" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_register_acceptor_identity_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x05") }; /* GSS_KRB5_EXPORT_LUCID_CONTEXT_X - 1.2.752.43.13.6 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_export_lucid_context_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x06" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_export_lucid_context_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x06") }; /* GSS_KRB5_EXPORT_LUCID_CONTEXT_V1_X - 1.2.752.43.13.6.1 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_export_lucid_context_v1_x_oid_desc = { 7, "\x2a\x85\x70\x2b\x0d\x06\x01" 
}; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_export_lucid_context_v1_x_oid_desc = { 7, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x06\x01") }; /* GSS_KRB5_SET_DNS_CANONICALIZE_X - 1.2.752.43.13.7 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_set_dns_canonicalize_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x07" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_set_dns_canonicalize_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x07") }; /* GSS_KRB5_GET_SUBKEY_X - 1.2.752.43.13.8 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_subkey_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x08" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_subkey_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x08") }; /* GSS_KRB5_GET_INITIATOR_SUBKEY_X - 1.2.752.43.13.9 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_initiator_subkey_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x09" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_initiator_subkey_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x09") }; /* GSS_KRB5_GET_ACCEPTOR_SUBKEY_X - 1.2.752.43.13.10 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_acceptor_subkey_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x0a" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_acceptor_subkey_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0a") }; /* GSS_KRB5_SEND_TO_KDC_X - 1.2.752.43.13.11 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_send_to_kdc_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x0b" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_send_to_kdc_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0b") }; /* GSS_KRB5_GET_AUTHTIME_X - 1.2.752.43.13.12 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_authtime_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x0c" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_authtime_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0c") }; /* GSS_KRB5_GET_SERVICE_KEYBLOCK_X - 1.2.752.43.13.13 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_service_keyblock_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x0d" 
}; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_service_keyblock_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0d") }; /* GSS_KRB5_SET_ALLOWABLE_ENCTYPES_X - 1.2.752.43.13.14 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_set_allowable_enctypes_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x0e" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_set_allowable_enctypes_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0e") }; /* GSS_KRB5_SET_DEFAULT_REALM_X - 1.2.752.43.13.15 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_set_default_realm_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x0f" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_set_default_realm_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x0f") }; /* GSS_KRB5_CCACHE_NAME_X - 1.2.752.43.13.16 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_ccache_name_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x10" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_ccache_name_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x10") }; /* GSS_KRB5_SET_TIME_OFFSET_X - 1.2.752.43.13.17 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_set_time_offset_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x11" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_set_time_offset_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x11") }; /* GSS_KRB5_GET_TIME_OFFSET_X - 1.2.752.43.13.18 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_time_offset_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x12" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_get_time_offset_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x12") }; /* GSS_KRB5_PLUGIN_REGISTER_X - 1.2.752.43.13.19 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_plugin_register_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x13" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_plugin_register_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x13") }; /* GSS_NTLM_GET_SESSION_KEY_X - 1.2.752.43.13.20 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_ntlm_get_session_key_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x14" }; 
+gss_OID_desc GSSAPI_LIB_VARIABLE __gss_ntlm_get_session_key_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x14") }; /* GSS_C_NT_NTLM - 1.2.752.43.13.21 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_nt_ntlm_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x15" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_nt_ntlm_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x15") }; /* GSS_C_NT_DN - 1.2.752.43.13.22 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_nt_dn_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x16" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_nt_dn_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x16") }; /* GSS_KRB5_NT_PRINCIPAL_NAME_REFERRAL - 1.2.752.43.13.23 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_nt_principal_name_referral_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x17" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_nt_principal_name_referral_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x17") }; /* GSS_C_NTLM_AVGUEST - 1.2.752.43.13.24 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_avguest_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x18" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_avguest_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x18") }; /* GSS_C_NTLM_V1 - 1.2.752.43.13.25 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_v1_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x19" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_v1_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x19") }; /* GSS_C_NTLM_V2 - 1.2.752.43.13.26 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_v2_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x1a" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_v2_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x1a") }; /* GSS_C_NTLM_SESSION_KEY - 1.2.752.43.13.27 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_session_key_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x1b" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_session_key_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x1b") }; /* GSS_C_NTLM_FORCE_V1 - 1.2.752.43.13.28 */ -gss_OID_desc 
GSSAPI_LIB_VARIABLE __gss_c_ntlm_force_v1_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x1c" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ntlm_force_v1_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x1c") }; /* GSS_KRB5_CRED_NO_CI_FLAGS_X - 1.2.752.43.13.29 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_cred_no_ci_flags_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x1d" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_cred_no_ci_flags_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x1d") }; /* GSS_KRB5_IMPORT_CRED_X - 1.2.752.43.13.30 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_import_cred_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x1e" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_import_cred_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x1e") }; /* GSS_C_MA_SASL_MECH_NAME - 1.2.752.43.13.100 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_sasl_mech_name_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x64" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_sasl_mech_name_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x64") }; /* GSS_C_MA_MECH_NAME - 1.2.752.43.13.101 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_name_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x65" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_name_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x65") }; /* GSS_C_MA_MECH_DESCRIPTION - 1.2.752.43.13.102 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_description_oid_desc = { 6, "\x2a\x85\x70\x2b\x0d\x66" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_description_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x66") }; /* GSS_SASL_DIGEST_MD5_MECHANISM - 1.2.752.43.14.1 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_sasl_digest_md5_mechanism_oid_desc = { 6, "\x2a\x85\x70\x2b\x0e\x01" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_sasl_digest_md5_mechanism_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0e\x01") }; /* GSS_NETLOGON_MECHANISM - 1.2.752.43.14.2 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_netlogon_mechanism_oid_desc = { 6, 
"\x2a\x85\x70\x2b\x0e\x02" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_netlogon_mechanism_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0e\x02") }; /* GSS_NETLOGON_SET_SESSION_KEY_X - 1.2.752.43.14.3 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_netlogon_set_session_key_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0e\x03" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_netlogon_set_session_key_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0e\x03") }; /* GSS_NETLOGON_SET_SIGN_ALGORITHM_X - 1.2.752.43.14.4 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_netlogon_set_sign_algorithm_x_oid_desc = { 6, "\x2a\x85\x70\x2b\x0e\x04" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_netlogon_set_sign_algorithm_x_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0e\x04") }; /* GSS_NETLOGON_NT_NETBIOS_DNS_NAME - 1.2.752.43.14.5 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_netlogon_nt_netbios_dns_name_oid_desc = { 6, "\x2a\x85\x70\x2b\x0e\x05" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_netlogon_nt_netbios_dns_name_oid_desc = { 6, rk_UNCONST("\x2a\x85\x70\x2b\x0e\x05") }; /* GSS_C_INQ_WIN2K_PAC_X - 1.2.752.43.13.3.128 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_inq_win2k_pac_x_oid_desc = { 8, "\x2a\x85\x70\x2b\x0d\x03\x81\x00" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_inq_win2k_pac_x_oid_desc = { 8, rk_UNCONST("\x2a\x85\x70\x2b\x0d\x03\x81\x00") }; /* GSS_C_INQ_SSPI_SESSION_KEY - 1.2.840.113554.1.2.2.5.5 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_inq_sspi_session_key_oid_desc = { 11, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x05" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_inq_sspi_session_key_oid_desc = { 11, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x05") }; /* GSS_KRB5_MECHANISM - 1.2.840.113554.1.2.2 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_mechanism_oid_desc = { 9, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_krb5_mechanism_oid_desc = { 9, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02") }; /* GSS_NTLM_MECHANISM - 1.3.6.1.4.1.311.2.2.10 */ 
-gss_OID_desc GSSAPI_LIB_VARIABLE __gss_ntlm_mechanism_oid_desc = { 10, "\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_ntlm_mechanism_oid_desc = { 10, rk_UNCONST("\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a") }; /* GSS_SPNEGO_MECHANISM - 1.3.6.1.5.5.2 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_spnego_mechanism_oid_desc = { 6, "\x2b\x06\x01\x05\x05\x02" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_spnego_mechanism_oid_desc = { 6, rk_UNCONST("\x2b\x06\x01\x05\x05\x02") }; /* GSS_C_PEER_HAS_UPDATED_SPNEGO - 1.3.6.1.4.1.9513.19.5 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_peer_has_updated_spnego_oid_desc = { 9, "\x2b\x06\x01\x04\x01\xca\x29\x13\x05" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_peer_has_updated_spnego_oid_desc = { 9, rk_UNCONST("\x2b\x06\x01\x04\x01\xca\x29\x13\x05") }; /* GSS_C_MA_MECH_CONCRETE - 1.3.6.1.5.5.13.1 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_concrete_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x01" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_concrete_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x01") }; /* GSS_C_MA_MECH_PSEUDO - 1.3.6.1.5.5.13.2 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_pseudo_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x02" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_pseudo_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x02") }; /* GSS_C_MA_MECH_COMPOSITE - 1.3.6.1.5.5.13.3 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_composite_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x03" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_composite_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x03") }; /* GSS_C_MA_MECH_NEGO - 1.3.6.1.5.5.13.4 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_nego_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x04" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_nego_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x04") }; /* GSS_C_MA_MECH_GLUE - 1.3.6.1.5.5.13.5 */ -gss_OID_desc 
GSSAPI_LIB_VARIABLE __gss_c_ma_mech_glue_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x05" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mech_glue_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x05") }; /* GSS_C_MA_NOT_MECH - 1.3.6.1.5.5.13.6 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_not_mech_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x06" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_not_mech_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x06") }; /* GSS_C_MA_DEPRECATED - 1.3.6.1.5.5.13.7 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_deprecated_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x07" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_deprecated_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x07") }; /* GSS_C_MA_NOT_DFLT_MECH - 1.3.6.1.5.5.13.8 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_not_dflt_mech_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x08" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_not_dflt_mech_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x08") }; /* GSS_C_MA_ITOK_FRAMED - 1.3.6.1.5.5.13.9 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_itok_framed_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x09" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_itok_framed_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x09") }; /* GSS_C_MA_AUTH_INIT - 1.3.6.1.5.5.13.10 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_init_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x0a" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_init_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x0a") }; /* GSS_C_MA_AUTH_TARG - 1.3.6.1.5.5.13.11 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_targ_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x0b" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_targ_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x0b") }; /* GSS_C_MA_AUTH_INIT_INIT - 1.3.6.1.5.5.13.12 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_init_init_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x0c" }; +gss_OID_desc 
GSSAPI_LIB_VARIABLE __gss_c_ma_auth_init_init_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x0c") }; /* GSS_C_MA_AUTH_TARG_INIT - 1.3.6.1.5.5.13.13 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_targ_init_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x0d" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_targ_init_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x0d") }; /* GSS_C_MA_AUTH_INIT_ANON - 1.3.6.1.5.5.13.14 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_init_anon_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x0e" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_init_anon_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x0e") }; /* GSS_C_MA_AUTH_TARG_ANON - 1.3.6.1.5.5.13.15 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_targ_anon_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x0f" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_auth_targ_anon_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x0f") }; /* GSS_C_MA_DELEG_CRED - 1.3.6.1.5.5.13.16 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_deleg_cred_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x10" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_deleg_cred_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x10") }; /* GSS_C_MA_INTEG_PROT - 1.3.6.1.5.5.13.17 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_integ_prot_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x11" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_integ_prot_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x11") }; /* GSS_C_MA_CONF_PROT - 1.3.6.1.5.5.13.18 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_conf_prot_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x12" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_conf_prot_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x12") }; /* GSS_C_MA_MIC - 1.3.6.1.5.5.13.19 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mic_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x13" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_mic_oid_desc = { 7, 
rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x13") }; /* GSS_C_MA_WRAP - 1.3.6.1.5.5.13.20 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_wrap_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x14" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_wrap_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x14") }; /* GSS_C_MA_PROT_READY - 1.3.6.1.5.5.13.21 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_prot_ready_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x15" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_prot_ready_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x15") }; /* GSS_C_MA_REPLAY_DET - 1.3.6.1.5.5.13.22 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_replay_det_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x16" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_replay_det_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x16") }; /* GSS_C_MA_OOS_DET - 1.3.6.1.5.5.13.23 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_oos_det_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x17" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_oos_det_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x17") }; /* GSS_C_MA_CBINDINGS - 1.3.6.1.5.5.13.24 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_cbindings_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x18" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_cbindings_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x18") }; /* GSS_C_MA_PFS - 1.3.6.1.5.5.13.25 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_pfs_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x19" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_pfs_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x19") }; /* GSS_C_MA_COMPRESS - 1.3.6.1.5.5.13.26 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_compress_oid_desc = { 7, "\x2b\x06\x01\x05\x05\x0d\x1a" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_compress_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x1a") }; /* GSS_C_MA_CTX_TRANS - 1.3.6.1.5.5.13.27 */ -gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_ctx_trans_oid_desc = { 7, 
"\x2b\x06\x01\x05\x05\x0d\x1b" }; +gss_OID_desc GSSAPI_LIB_VARIABLE __gss_c_ma_ctx_trans_oid_desc = { 7, rk_UNCONST("\x2b\x06\x01\x05\x05\x0d\x1b") }; struct _gss_oid_name_table _gss_ont_ma[] = { { GSS_C_MA_COMPRESS, "GSS_C_MA_COMPRESS", "compress", "" }, diff --git a/lib/gssapi/mech/gss_test_oid_set_member.c b/lib/gssapi/mech/gss_test_oid_set_member.c index 4c4d34904..715d34bf0 100644 --- a/lib/gssapi/mech/gss_test_oid_set_member.c +++ b/lib/gssapi/mech/gss_test_oid_set_member.c @@ -34,7 +34,7 @@ gss_test_oid_set_member(OM_uint32 *minor_status, const gss_OID_set set, int *present) { - int i; + size_t i; *present = 0; for (i = 0; i < set->count; i++) diff --git a/lib/gssapi/ntlm/accept_sec_context.c b/lib/gssapi/ntlm/accept_sec_context.c index f65ed7606..2fd07913f 100644 --- a/lib/gssapi/ntlm/accept_sec_context.c +++ b/lib/gssapi/ntlm/accept_sec_context.c @@ -155,15 +155,15 @@ _gss_ntlm_accept_sec_context &out); heim_ntlm_free_type1(&type1); if (major_status != GSS_S_COMPLETE) { - OM_uint32 junk; - _gss_ntlm_delete_sec_context(&junk, context_handle, NULL); + OM_uint32 gunk; + _gss_ntlm_delete_sec_context(&gunk, context_handle, NULL); return major_status; } output_token->value = malloc(out.length); if (output_token->value == NULL && out.length != 0) { - OM_uint32 junk; - _gss_ntlm_delete_sec_context(&junk, context_handle, NULL); + OM_uint32 gunk; + _gss_ntlm_delete_sec_context(&gunk, context_handle, NULL); *minor_status = ENOMEM; return GSS_S_FAILURE; } diff --git a/lib/gssapi/ntlm/external.c b/lib/gssapi/ntlm/external.c index 64ee6d310..d0474f4ec 100644 --- a/lib/gssapi/ntlm/external.c +++ b/lib/gssapi/ntlm/external.c @@ -38,7 +38,7 @@ static gss_mo_desc ntlm_mo[] = { GSS_C_MA_SASL_MECH_NAME, GSS_MO_MA, "SASL mech name", - "NTLM", + rk_UNCONST("NTLM"), _gss_mo_get_ctx_as_string, NULL }, @@ -46,7 +46,7 @@ static gss_mo_desc ntlm_mo[] = { GSS_C_MA_MECH_NAME, GSS_MO_MA, "Mechanism name", - "NTLMSPP", + rk_UNCONST("NTLMSPP"), _gss_mo_get_ctx_as_string, NULL }, 
@@ -54,7 +54,7 @@ static gss_mo_desc ntlm_mo[] = { GSS_C_MA_MECH_DESCRIPTION, GSS_MO_MA, "Mechanism description", - "Heimdal NTLMSSP Mechanism", + rk_UNCONST("Heimdal NTLMSSP Mechanism"), _gss_mo_get_ctx_as_string, NULL } @@ -113,7 +113,13 @@ static gssapi_mech_interface_desc ntlm_mech = { NULL, NULL, ntlm_mo, - sizeof(ntlm_mo) / sizeof(ntlm_mo[0]) + sizeof(ntlm_mo) / sizeof(ntlm_mo[0]), + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, }; gssapi_mech_interface diff --git a/lib/gssapi/spnego/accept_sec_context.c b/lib/gssapi/spnego/accept_sec_context.c index 35bc56fbb..8a5dbe742 100644 --- a/lib/gssapi/spnego/accept_sec_context.c +++ b/lib/gssapi/spnego/accept_sec_context.c @@ -316,7 +316,7 @@ select_mech(OM_uint32 *minor_status, MechType *mechType, int verify_p, gss_OID_desc oid; gss_OID oidp; gss_OID_set mechs; - int i; + size_t i; OM_uint32 ret, junk; ret = der_put_oid ((unsigned char *)mechbuf + sizeof(mechbuf) - 1, @@ -368,12 +368,13 @@ select_mech(OM_uint32 *minor_status, MechType *mechType, int verify_p, host = getenv("GSSAPI_SPNEGO_NAME"); if (host == NULL || issuid()) { + int rv; if (gethostname(hostname, sizeof(hostname)) != 0) { *minor_status = errno; return GSS_S_FAILURE; } - i = asprintf(&str, "host@%s", hostname); - if (i < 0 || str == NULL) { + rv = asprintf(&str, "host@%s", hostname); + if (rv < 0 || str == NULL) { *minor_status = ENOMEM; return GSS_S_FAILURE; } @@ -491,7 +492,6 @@ acceptor_start NegotiationToken nt; size_t nt_len; NegTokenInit *ni; - int i; gss_buffer_desc data; gss_buffer_t mech_input_token = GSS_C_NO_BUFFER; gss_buffer_desc mech_output_token; @@ -613,13 +613,14 @@ acceptor_start */ if (!first_ok && ni->mechToken != NULL) { + size_t j; preferred_mech_type = GSS_C_NO_OID; /* Call glue layer to find first mech we support */ - for (i = 1; i < ni->mechTypes.len; ++i) { + for (j = 1; j < ni->mechTypes.len; ++j) { ret = select_mech(minor_status, - &ni->mechTypes.val[i], + &ni->mechTypes.val[j], 1, &preferred_mech_type); if (ret == 0) 
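Review bot: In the select_mech hunk at -368, `hostname` goes straight from gethostname() into `asprintf(&str, "host@%s", hostname)` without being terminated. POSIX leaves it unspecified whether the buffer is NUL-terminated when the name is truncated. Unless the project's gethostname replacement guarantees termination (not visible here), add `hostname[sizeof(hostname) - 1] = '\0';` after the successful call. The declaration of `hostname` is outside the hunk, so this assumes it is a char array, as the `sizeof(hostname)` argument suggests.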
diff --git a/lib/gssapi/spnego/compat.c b/lib/gssapi/spnego/compat.c index b23658cfd..cf5ee30a8 100644 --- a/lib/gssapi/spnego/compat.c +++ b/lib/gssapi/spnego/compat.c @@ -41,10 +41,10 @@ * Kerberos mechanism. */ gss_OID_desc _gss_spnego_mskrb_mechanism_oid_desc = - {9, (void *)"\x2a\x86\x48\x82\xf7\x12\x01\x02\x02"}; + {9, rk_UNCONST("\x2a\x86\x48\x82\xf7\x12\x01\x02\x02")}; gss_OID_desc _gss_spnego_krb5_mechanism_oid_desc = - {9, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"}; + {9, rk_UNCONST("\x2a\x86\x48\x86\xf7\x12\x01\x02\x02")}; /* * Allocate a SPNEGO context handle @@ -241,7 +241,7 @@ _gss_spnego_indicate_mechtypelist (OM_uint32 *minor_status, gss_OID_set supported_mechs = GSS_C_NO_OID_SET; gss_OID first_mech = GSS_C_NO_OID; OM_uint32 ret; - int i; + size_t i; mechtypelist->len = 0; mechtypelist->val = NULL; diff --git a/lib/gssapi/spnego/context_stubs.c b/lib/gssapi/spnego/context_stubs.c index 18c13fe29..60b348ec4 100644 --- a/lib/gssapi/spnego/context_stubs.c +++ b/lib/gssapi/spnego/context_stubs.c @@ -37,7 +37,7 @@ spnego_supported_mechs(OM_uint32 *minor_status, gss_OID_set *mechs) { OM_uint32 ret, junk; gss_OID_set m; - int i; + size_t i; ret = gss_indicate_mechs(minor_status, &m); if (ret != GSS_S_COMPLETE) @@ -565,7 +565,7 @@ OM_uint32 GSSAPI_CALLCONV _gss_spnego_inquire_names_for_mech ( { gss_OID_set mechs, names, n; OM_uint32 ret, junk; - int i, j; + size_t i, j; *name_types = NULL; diff --git a/lib/gssapi/spnego/cred_stubs.c b/lib/gssapi/spnego/cred_stubs.c index 2920f3d9b..fc43d6a4a 100644 --- a/lib/gssapi/spnego/cred_stubs.c +++ b/lib/gssapi/spnego/cred_stubs.c @@ -70,7 +70,7 @@ OM_uint32 GSSAPI_CALLCONV _gss_spnego_acquire_cred OM_uint32 ret, tmp; gss_OID_set_desc actual_desired_mechs; gss_OID_set mechs; - int i, j; + size_t i, j; *output_cred_handle = GSS_C_NO_CREDENTIAL; diff --git a/lib/gssapi/spnego/external.c b/lib/gssapi/spnego/external.c index 505475415..ca06d46e8 100644 --- a/lib/gssapi/spnego/external.c 
+++ b/lib/gssapi/spnego/external.c @@ -39,13 +39,12 @@ * negotiation token is identified by the Object Identifier * iso.org.dod.internet.security.mechanism.snego (1.3.6.1.5.5.2). */ - static gss_mo_desc spnego_mo[] = { { GSS_C_MA_SASL_MECH_NAME, GSS_MO_MA, "SASL mech name", - "SPNEGO", + rk_UNCONST("SPNEGO"), _gss_mo_get_ctx_as_string, NULL }, @@ -53,7 +52,7 @@ static gss_mo_desc spnego_mo[] = { GSS_C_MA_MECH_NAME, GSS_MO_MA, "Mechanism name", - "SPNEGO", + rk_UNCONST("SPNEGO"), _gss_mo_get_ctx_as_string, NULL }, @@ -61,7 +60,7 @@ static gss_mo_desc spnego_mo[] = { GSS_C_MA_MECH_DESCRIPTION, GSS_MO_MA, "Mechanism description", - "Heimdal SPNEGO Mechanism", + rk_UNCONST("Heimdal SPNEGO Mechanism"), _gss_mo_get_ctx_as_string, NULL }, @@ -78,7 +77,7 @@ static gss_mo_desc spnego_mo[] = { static gssapi_mech_interface_desc spnego_mech = { GMI_VERSION, "spnego", - {6, (void *)"\x2b\x06\x01\x05\x05\x02"}, + {6, rk_UNCONST("\x2b\x06\x01\x05\x05\x02") }, 0, _gss_spnego_acquire_cred, _gss_spnego_release_cred, @@ -128,7 +127,13 @@ static gssapi_mech_interface_desc spnego_mech = { NULL, NULL, spnego_mo, - sizeof(spnego_mo) / sizeof(spnego_mo[0]) + sizeof(spnego_mo) / sizeof(spnego_mo[0]), + NULL, + NULL, + NULL, + NULL, + NULL, + NULL, }; gssapi_mech_interface diff --git a/lib/hdb/common.c b/lib/hdb/common.c index 55857723f..f1d011a2b 100644 --- a/lib/hdb/common.c +++ b/lib/hdb/common.c @@ -171,7 +171,7 @@ hdb_remove_aliases(krb5_context context, HDB *db, krb5_data *key) krb5_error_code code; hdb_entry oldentry; krb5_data value; - int i; + size_t i; code = db->hdb__get(context, db, *key, &value); if (code == HDB_ERR_NOENTRY) @@ -211,7 +211,7 @@ hdb_add_aliases(krb5_context context, HDB *db, const HDB_Ext_Aliases *aliases; krb5_error_code code; krb5_data key, value; - int i; + size_t i; code = hdb_entry_get_aliases(&entry->entry, &aliases); if (code || aliases == NULL) 
@@ -240,7 +240,8 @@ static krb5_error_code hdb_check_aliases(krb5_context context, HDB *db, hdb_entry_ex *entry) { const HDB_Ext_Aliases *aliases; - int code, i; + int code; + size_t i; /* check if new aliases already is used */ diff --git a/lib/hdb/ext.c b/lib/hdb/ext.c index fb32fdb84..d2a4373b9 100644 --- a/lib/hdb/ext.c +++ b/lib/hdb/ext.c @@ -37,7 +37,7 @@ krb5_error_code hdb_entry_check_mandatory(krb5_context context, const hdb_entry *ent) { - int i; + size_t i; if (ent->extensions == NULL) return 0; @@ -63,13 +63,13 @@ hdb_entry_check_mandatory(krb5_context context, const hdb_entry *ent) HDB_extension * hdb_find_extension(const hdb_entry *entry, int type) { - int i; + size_t i; if (entry->extensions == NULL) return NULL; for (i = 0; i < entry->extensions->len; i++) - if (entry->extensions->val[i].data.element == type) + if (entry->extensions->val[i].data.element == (unsigned)type) return &entry->extensions->val[i]; return NULL; } @@ -112,7 +112,7 @@ hdb_replace_extension(krb5_context context, Der_type replace_type, list_type; unsigned int replace_tag, list_tag; size_t size; - int i; + size_t i; ret = der_get_tag(ext->data.u.asn1_ellipsis.data, ext->data.u.asn1_ellipsis.length, @@ -180,13 +180,13 @@ hdb_clear_extension(krb5_context context, hdb_entry *entry, int type) { - int i; + size_t i; if (entry->extensions == NULL) return 0; for (i = 0; i < entry->extensions->len; i++) { - if (entry->extensions->val[i].data.element == type) { + if (entry->extensions->val[i].data.element == (unsigned)type) { free_HDB_extension(&entry->extensions->val[i]); memmove(&entry->extensions->val[i], &entry->extensions->val[i + 1], @@ -286,7 +286,7 @@ hdb_entry_get_password(krb5_context context, HDB *db, ext = hdb_find_extension(entry, choice_HDB_extension_data_password); if (ext) { - heim_utf8_string str; + heim_utf8_string xstr; heim_octet_string pw; if (db->hdb_master_key_set && ext->data.u.password.mkvno) { 
@@ -314,13 +314,13 @@ hdb_entry_get_password(krb5_context context, HDB *db, return ret; } - str = pw.data; - if (str[pw.length - 1] != '\0') { + xstr = pw.data; + if (xstr[pw.length - 1] != '\0') { krb5_set_error_message(context, EINVAL, "malformed password"); return EINVAL; } - *p = strdup(str); + *p = strdup(xstr); der_free_octet_string(&pw); if (*p == NULL) { diff --git a/lib/hdb/hdb-mitdb.c b/lib/hdb/hdb-mitdb.c index 3c0998480..5ee9f6918 100644 --- a/lib/hdb/hdb-mitdb.c +++ b/lib/hdb/hdb-mitdb.c @@ -144,7 +144,7 @@ fix_salt(krb5_context context, hdb_entry *ent, int key_num) case KRB5_KDB_SALTTYPE_NOREALM: { size_t len; - int i; + size_t i; char *p; len = 0; diff --git a/lib/hdb/hdb.c b/lib/hdb/hdb.c index 045f2e2cc..4ce401aae 100644 --- a/lib/hdb/hdb.c +++ b/lib/hdb/hdb.c @@ -168,7 +168,7 @@ hdb_unlock(int fd) void hdb_free_entry(krb5_context context, hdb_entry_ex *ent) { - int i; + size_t i; if (ent->free_entry) (*ent->free_entry)(context, ent); @@ -217,7 +217,7 @@ hdb_check_db_format(krb5_context context, HDB *db) if (ret) return ret; - tag.data = HDB_DB_FORMAT_ENTRY; + tag.data = (void *)(intptr_t)HDB_DB_FORMAT_ENTRY; tag.length = strlen(tag.data); ret = (*db->hdb__get)(context, db, tag, &version); ret2 = db->hdb_unlock(context, db); @@ -250,7 +250,7 @@ hdb_init_db(krb5_context context, HDB *db) if (ret) return ret; - tag.data = HDB_DB_FORMAT_ENTRY; + tag.data = (void *)(intptr_t)HDB_DB_FORMAT_ENTRY; tag.length = strlen(tag.data); snprintf(ver, sizeof(ver), "%u", HDB_DB_FORMAT); version.data = ver; diff --git a/lib/hdb/keys.c b/lib/hdb/keys.c index 63f254d00..4f724e741 100644 --- a/lib/hdb/keys.c +++ b/lib/hdb/keys.c @@ -256,8 +256,8 @@ hdb_generate_key_set(krb5_context context, krb5_principal principal, char **ktypes, **kp; krb5_error_code ret; Key *k, *key_set; - int i, j; - char *default_keytypes[] = { + size_t i, j; + static const char *default_keytypes[] = { "aes256-cts-hmac-sha1-96:pw-salt", "des3-cbc-sha1:pw-salt", "arcfour-hmac-md5:pw-salt", 
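Review bot: `xstr[pw.length - 1]` in the -314 hunk of lib/hdb/ext.c indexes with a wrapped value when the recovered password is empty, because `pw.length - 1` underflows for a zero length. The `return EINVAL` branch also leaves without `der_free_octet_string(&pw)`, so the buffer holding the password is leaked on the malformed path. Check the length first and release the buffer before returning: `if (pw.length == 0 || xstr[pw.length - 1] != '\0') { der_free_octet_string(&pw); ... return EINVAL; }`. hdb_entry_get_password starts and ends outside the hunk, so how `pw` is filled is not visible here.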
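Review bot: `(void *)(intptr_t)HDB_DB_FORMAT_ENTRY` in hdb_check_db_format drops the const qualifier by round-tripping the pointer through an integer type, while the gssapi files in this same commit use `rk_UNCONST(...)` for that purpose. Assuming roken.h is in scope in lib/hdb, `tag.data = rk_UNCONST(HDB_DB_FORMAT_ENTRY);` would keep one idiom across the tree and make the const-discarding sites easy to grep for. The same applies to the hdb_init_db hunk, the `(char **)(intptr_t)default_keytypes` casts in lib/hdb/keys.c and the `(const PKIXXmppAddr)(intptr_t)string` cast in lib/hx509/ca.c. A short comment such as `/* callee only reads through tag.data */` would record why discarding const is safe; presumably it is, but the hunks do not show the callee.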
@@ -267,7 +267,7 @@ hdb_generate_key_set(krb5_context context, krb5_principal principal, ktypes = krb5_config_get_strings(context, NULL, "kadmin", "default_keys", NULL); if (ktypes == NULL) - ktypes = default_keytypes; + ktypes = (char **)(intptr_t)default_keytypes; *ret_key_set = key_set = NULL; *nkeyset = 0; @@ -337,7 +337,7 @@ hdb_generate_key_set(krb5_context context, krb5_principal principal, *ret_key_set = key_set; out: - if (ktypes != default_keytypes) + if (ktypes != (char **)(intptr_t)default_keytypes) krb5_config_free_strings(ktypes); if (ret) { @@ -364,7 +364,7 @@ hdb_generate_key_set_password(krb5_context context, Key **keys, size_t *num_keys) { krb5_error_code ret; - int i; + size_t i; ret = hdb_generate_key_set(context, principal, keys, num_keys, 0); diff --git a/lib/hdb/keytab.c b/lib/hdb/keytab.c index 05b78dafc..c3445986f 100644 --- a/lib/hdb/keytab.c +++ b/lib/hdb/keytab.c @@ -184,7 +184,7 @@ hdb_get_entry(krb5_context context, const char *mkey = d->mkey; char *fdbname = NULL, *fmkey = NULL; HDB *db; - int i; + size_t i; memset(&ent, 0, sizeof(ent)); @@ -222,7 +222,7 @@ hdb_get_entry(krb5_context context, }else if(ret) goto out; - if(kvno && ent.entry.kvno != kvno) { + if(kvno && (krb5_kvno)ent.entry.kvno != kvno) { hdb_free_entry(context, &ent); ret = KRB5_KT_NOTFOUND; goto out; @@ -382,7 +382,7 @@ hdb_next_entry(krb5_context context, * next entry */ - if (c->key_idx == c->hdb_entry.entry.keys.len) { + if ((size_t)c->key_idx == c->hdb_entry.entry.keys.len) { hdb_free_entry(context, &c->hdb_entry); c->next = TRUE; c->key_idx = 0; diff --git a/lib/hdb/mkey.c b/lib/hdb/mkey.c index 760eccfd4..87d939f42 100644 --- a/lib/hdb/mkey.c +++ b/lib/hdb/mkey.c @@ -372,7 +372,7 @@ _hdb_find_master_key(uint32_t *mkvno, hdb_master_key mkey) if(mkvno == NULL) { if(ret == NULL || mkey->keytab.vno > ret->keytab.vno) ret = mkey; - } else if(mkey->keytab.vno == *mkvno) + } else if((uint32_t)mkey->keytab.vno == *mkvno) return mkey; mkey = mkey->next; } 
@@ -459,7 +459,7 @@ hdb_unseal_key_mkey(krb5_context context, Key *k, hdb_master_key mkey) krb5_error_code hdb_unseal_keys_mkey(krb5_context context, hdb_entry *ent, hdb_master_key mkey) { - int i; + size_t i; for(i = 0; i < ent->keys.len; i++){ krb5_error_code ret; @@ -526,7 +526,7 @@ hdb_seal_key_mkey(krb5_context context, Key *k, hdb_master_key mkey) krb5_error_code hdb_seal_keys_mkey(krb5_context context, hdb_entry *ent, hdb_master_key mkey) { - int i; + size_t i; for(i = 0; i < ent->keys.len; i++){ krb5_error_code ret; diff --git a/lib/hdb/print.c b/lib/hdb/print.c index fff27d03e..510d53bbe 100644 --- a/lib/hdb/print.c +++ b/lib/hdb/print.c @@ -78,7 +78,8 @@ append_string(krb5_context context, krb5_storage *sp, const char *fmt, ...) static krb5_error_code append_hex(krb5_context context, krb5_storage *sp, krb5_data *data) { - int i, printable = 1; + int printable = 1; + size_t i; char *p; p = data->data; @@ -126,7 +127,7 @@ static krb5_error_code entry2string_int (krb5_context context, krb5_storage *sp, hdb_entry *ent) { char *p; - int i; + size_t i; krb5_error_code ret; /* --- principal */ diff --git a/lib/hx509/ca.c b/lib/hx509/ca.c index 492064d86..3faf54621 100644 --- a/lib/hx509/ca.c +++ b/lib/hx509/ca.c @@ -266,7 +266,7 @@ hx509_ca_tbs_set_template(hx509_context context, } if (flags & HX509_CA_TEMPLATE_EKU) { ExtKeyUsage eku; - int i; + size_t i; ret = _hx509_cert_get_eku(context, cert, &eku); if (ret) return ret; @@ -689,7 +689,7 @@ add_utf8_san(hx509_context context, const heim_oid *oid, const char *string) { - const PKIXXmppAddr ustring = (const PKIXXmppAddr)string; + const PKIXXmppAddr ustring = (const PKIXXmppAddr)(intptr_t)string; heim_octet_string os; size_t size; int ret; diff --git a/lib/hx509/cms.c b/lib/hx509/cms.c index 6e4eefaa1..2c6226398 100644 --- a/lib/hx509/cms.c +++ b/lib/hx509/cms.c 
@@ -362,7 +362,8 @@ hx509_cms_unenvelope(hx509_context context, heim_octet_string *params, params_data; heim_octet_string ivec; size_t size; - int ret, i, matched = 0, findflags = 0; + int ret, matched = 0, findflags = 0; + size_t i; memset(&key, 0, sizeof(key)); @@ -718,7 +719,8 @@ out: static int any_to_certs(hx509_context context, const SignedData *sd, hx509_certs certs) { - int ret, i; + int ret; + size_t i; if (sd->certificates == NULL) return 0; @@ -744,7 +746,7 @@ any_to_certs(hx509_context context, const SignedData *sd, hx509_certs certs) static const Attribute * find_attribute(const CMSAttributes *attr, const heim_oid *oid) { - int i; + size_t i; for (i = 0; i < attr->len; i++) if (der_heim_oid_cmp(&attr->val[i].type, oid) == 0) return &attr->val[i]; @@ -790,7 +792,8 @@ hx509_cms_verify_signed(hx509_context context, hx509_certs certs = NULL; SignedData sd; size_t size; - int ret, i, found_valid_sig; + int ret, found_valid_sig; + size_t i; *signer_certs = NULL; content->data = NULL; diff --git a/lib/hx509/collector.c b/lib/hx509/collector.c index 0cb186399..91d1d0f1b 100644 --- a/lib/hx509/collector.c +++ b/lib/hx509/collector.c @@ -253,7 +253,8 @@ _hx509_collector_collect_certs(hx509_context context, hx509_certs *ret_certs) { hx509_certs certs; - int ret, i; + int ret; + size_t i; *ret_certs = NULL; @@ -286,7 +287,7 @@ _hx509_collector_collect_private_keys(hx509_context context, struct hx509_collector *c, hx509_private_key **keys) { - int i, nkeys; + size_t i, nkeys; *keys = NULL; @@ -315,7 +316,7 @@ _hx509_collector_collect_private_keys(hx509_context context, void _hx509_collector_free(struct hx509_collector *c) { - int i; + size_t i; if (c->unenvelop_certs) hx509_certs_free(&c->unenvelop_certs); diff --git a/lib/hx509/crypto.c b/lib/hx509/crypto.c index c69ddfb5d..ef8651a23 100644 --- a/lib/hx509/crypto.c +++ b/lib/hx509/crypto.c 
@@ -589,7 +589,7 @@ rsa_verify_signature(hx509_context context, } /* Check for extra data inside the sigature */ - if (size != retsize) { + if (size != (size_t)retsize) { ret = HX509_CRYPTO_SIG_INVALID_FORMAT; hx509_set_error_string(context, 0, ret, "size from decryption mismatch"); goto out; @@ -620,7 +620,7 @@ rsa_verify_signature(hx509_context context, data, &di.digest); } else { - if (retsize != data->length || + if ((size_t)retsize != data->length || ct_memcmp(to, data->data, retsize) != 0) { ret = HX509_CRYPTO_SIG_INVALID_FORMAT; @@ -739,7 +739,7 @@ rsa_create_signature(hx509_context context, "RSA private encrypt failed: %d", ret); return ret; } - if (ret > sig->length) + if ((size_t)ret > sig->length) _hx509_abort("RSA signature prelen longer the output len"); sig->length = ret; @@ -1256,7 +1256,8 @@ static const struct signature_alg heim_rsa_pkcs1_x509 = { 0, NULL, rsa_verify_signature, - rsa_create_signature + rsa_create_signature, + 0 }; static const struct signature_alg pkcs1_rsa_sha1_alg = { @@ -1269,7 +1270,8 @@ static const struct signature_alg pkcs1_rsa_sha1_alg = { 0, NULL, rsa_verify_signature, - rsa_create_signature + rsa_create_signature, + 0 }; static const struct signature_alg rsa_with_sha512_alg = { @@ -1282,7 +1284,8 @@ static const struct signature_alg rsa_with_sha512_alg = { 0, NULL, rsa_verify_signature, - rsa_create_signature + rsa_create_signature, + 0 }; static const struct signature_alg rsa_with_sha384_alg = { @@ -1295,7 +1298,8 @@ static const struct signature_alg rsa_with_sha384_alg = { 0, NULL, rsa_verify_signature, - rsa_create_signature + rsa_create_signature, + 0 }; static const struct signature_alg rsa_with_sha256_alg = { @@ -1308,7 +1312,8 @@ static const struct signature_alg rsa_with_sha256_alg = { 0, NULL, rsa_verify_signature, - rsa_create_signature + rsa_create_signature, + 0 }; static const struct signature_alg rsa_with_sha1_alg = { 
@@ -1321,7 +1326,8 @@ static const struct signature_alg rsa_with_sha1_alg = { 0, NULL, rsa_verify_signature, - rsa_create_signature + rsa_create_signature, + 0 }; static const struct signature_alg rsa_with_sha1_alg_secsig = { @@ -1334,7 +1340,8 @@ static const struct signature_alg rsa_with_sha1_alg_secsig = { 0, NULL, rsa_verify_signature, - rsa_create_signature + rsa_create_signature, + 0 }; static const struct signature_alg rsa_with_md5_alg = { @@ -1347,7 +1354,8 @@ static const struct signature_alg rsa_with_md5_alg = { 1230739889, NULL, rsa_verify_signature, - rsa_create_signature + rsa_create_signature, + 0 }; static const struct signature_alg dsa_sha1_alg = { @@ -1361,6 +1369,7 @@ static const struct signature_alg dsa_sha1_alg = { NULL, dsa_verify_signature, /* create_signature */ NULL, + 0 }; static const struct signature_alg sha512_alg = { @@ -1373,7 +1382,8 @@ static const struct signature_alg sha512_alg = { 0, EVP_sha512, evp_md_verify_signature, - evp_md_create_signature + evp_md_create_signature, + 0 }; static const struct signature_alg sha384_alg = { @@ -1386,7 +1396,8 @@ static const struct signature_alg sha384_alg = { 0, EVP_sha384, evp_md_verify_signature, - evp_md_create_signature + evp_md_create_signature, + 0 }; static const struct signature_alg sha256_alg = { @@ -1399,7 +1410,8 @@ static const struct signature_alg sha256_alg = { 0, EVP_sha256, evp_md_verify_signature, - evp_md_create_signature + evp_md_create_signature, + 0 }; static const struct signature_alg sha1_alg = { @@ -1412,7 +1424,8 @@ static const struct signature_alg sha1_alg = { 0, EVP_sha1, evp_md_verify_signature, - evp_md_create_signature + evp_md_create_signature, + 0 }; static const struct signature_alg md5_alg = { @@ -1425,7 +1438,8 @@ static const struct signature_alg md5_alg = { 0, EVP_md5, evp_md_verify_signature, - NULL + NULL, + 0 }; /* 
@@ -1748,7 +1762,7 @@ hx509_private_key_private_decrypt(hx509_context context, "Failed to decrypt using private key: %d", ret); return HX509_CRYPTO_RSA_PRIVATE_DECRYPT; } - if (cleartext->length < ret) + if (cleartext->length < (size_t)ret) _hx509_abort("internal rsa decryption failure: ret > tosize"); cleartext->length = ret; @@ -2339,7 +2353,7 @@ static const struct hx509cipher ciphers[] = { static const struct hx509cipher * find_cipher_by_oid(const heim_oid *oid) { - int i; + size_t i; for (i = 0; i < sizeof(ciphers)/sizeof(ciphers[0]); i++) if (der_heim_oid_cmp(oid, ciphers[i].oid) == 0) @@ -2351,7 +2365,7 @@ find_cipher_by_oid(const heim_oid *oid) static const struct hx509cipher * find_cipher_by_name(const char *name) { - int i; + size_t i; for (i = 0; i < sizeof(ciphers)/sizeof(ciphers[0]); i++) if (strcasecmp(name, ciphers[i].name) == 0) @@ -2461,7 +2475,7 @@ hx509_crypto_set_padding(hx509_crypto crypto, int padding_type) int hx509_crypto_set_key_data(hx509_crypto crypto, const void *data, size_t length) { - if (EVP_CIPHER_key_length(crypto->c) > length) + if (EVP_CIPHER_key_length(crypto->c) > (int)length) return HX509_CRYPTO_INTERNAL_ERROR; if (crypto->key.data) { @@ -2558,7 +2572,7 @@ hx509_crypto_encrypt(hx509_crypto crypto, (crypto->flags & ALLOW_WEAK) == 0) return HX509_CRYPTO_ALGORITHM_BEST_BEFORE; - assert(EVP_CIPHER_iv_length(crypto->c) == ivec->length); + assert(EVP_CIPHER_iv_length(crypto->c) == (int)ivec->length); EVP_CIPHER_CTX_init(&evp); @@ -2598,7 +2612,7 @@ hx509_crypto_encrypt(hx509_crypto crypto, memcpy((*ciphertext)->data, data, length); if (padsize) { - int i; + size_t i; unsigned char *p = (*ciphertext)->data; p += length; for (i = 0; i < padsize; i++) 
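Review bot: In hx509_crypto_set_key_data, `EVP_CIPHER_key_length(crypto->c) > (int)length` narrows the caller-supplied `size_t` to `int`, so a length above INT_MAX is converted in an implementation-defined way before the bound check. The other casts added to this file widen the already-validated `int` instead, and the same direction fits here: `if ((size_t)EVP_CIPHER_key_length(crypto->c) > length)`, assuming the EVP length functions return a non-negative int as the casts suggest. The same narrowing appears in the hx509_crypto_encrypt assert (`== (int)ivec->length`) and in the hx509_crypto_decrypt hunks (`< (int)ivec->length`, `(int)clear->length < bsize`). In the decrypt IV check, a length that converts to a negative int would slip past the test meant to reject an oversized IV. All three functions continue outside their hunks.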
@@ -2647,7 +2661,7 @@ hx509_crypto_decrypt(hx509_crypto crypto, (crypto->flags & ALLOW_WEAK) == 0) return HX509_CRYPTO_ALGORITHM_BEST_BEFORE; - if (ivec && EVP_CIPHER_iv_length(crypto->c) < ivec->length) + if (ivec && EVP_CIPHER_iv_length(crypto->c) < (int)ivec->length) return HX509_CRYPTO_INTERNAL_ERROR; if (crypto->key.data == NULL) @@ -2683,7 +2697,7 @@ hx509_crypto_decrypt(hx509_crypto crypto, unsigned char *p; int j, bsize = EVP_CIPHER_block_size(crypto->c); - if (clear->length < bsize) { + if ((int)clear->length < bsize) { ret = HX509_CMS_PADDING_ERROR; goto out; } @@ -2854,7 +2868,8 @@ _hx509_pbe_decrypt(hx509_context context, const EVP_CIPHER *c; const EVP_MD *md; PBE_string2key_func s2k; - int i, ret = 0; + int ret = 0; + size_t i; memset(&key, 0, sizeof(key)); memset(&iv, 0, sizeof(iv)); diff --git a/lib/hx509/hxtool.c b/lib/hx509/hxtool.c index 1770b6095..7cb4462d2 100644 --- a/lib/hx509/hxtool.c +++ b/lib/hx509/hxtool.c @@ -45,9 +45,9 @@ static int version_flag; static int help_flag; struct getargs args[] = { - { "statistic-file", 0, arg_string, &stat_file_string }, - { "version", 0, arg_flag, &version_flag }, - { "help", 0, arg_flag, &help_flag } + { "statistic-file", 0, arg_string, &stat_file_string, NULL, NULL }, + { "version", 0, arg_flag, &version_flag, NULL, NULL }, + { "help", 0, arg_flag, &help_flag, NULL, NULL } }; int num_args = sizeof(args) / sizeof(args[0]); @@ -80,15 +80,15 @@ lock_strings(hx509_lock lock, getarg_strings *pass) */ static void -certs_strings(hx509_context context, const char *type, hx509_certs certs, +certs_strings(hx509_context contextp, const char *type, hx509_certs certs, hx509_lock lock, const getarg_strings *s) { int i, ret; for (i = 0; i < s->num_strings; i++) { - ret = hx509_certs_append(context, certs, lock, s->strings[i]); + ret = hx509_certs_append(contextp, certs, lock, s->strings[i]); if (ret) - hx509_err(context, 1, ret, + hx509_err(contextp, 1, ret, "hx509_certs_append: %s %s", type, s->strings[i]); } } 
@@ -114,16 +114,16 @@ parse_oid(const char *str, const heim_oid *def, heim_oid *oid) */ static void -peer_strings(hx509_context context, +peer_strings(hx509_context contextp, hx509_peer_info *peer, const getarg_strings *s) { AlgorithmIdentifier *val; int ret, i; - ret = hx509_peer_info_alloc(context, peer); + ret = hx509_peer_info_alloc(contextp, peer); if (ret) - hx509_err(context, 1, ret, "hx509_peer_info_alloc"); + hx509_err(contextp, 1, ret, "hx509_peer_info_alloc"); val = calloc(s->num_strings, sizeof(*val)); if (val == NULL) @@ -132,9 +132,9 @@ peer_strings(hx509_context context, for (i = 0; i < s->num_strings; i++) parse_oid(s->strings[i], NULL, &val[i].algorithm); - ret = hx509_peer_info_set_cms_algs(context, *peer, val, s->num_strings); + ret = hx509_peer_info_set_cms_algs(contextp, *peer, val, s->num_strings); if (ret) - hx509_err(context, 1, ret, "hx509_peer_info_set_cms_algs"); + hx509_err(contextp, 1, ret, "hx509_peer_info_set_cms_algs"); for (i = 0; i < s->num_strings; i++) free_AlgorithmIdentifier(&val[i]); @@ -151,7 +151,7 @@ struct pem_data { }; static int -pem_reader(hx509_context context, const char *type, +pem_reader(hx509_context contextp, const char *type, const hx509_pem_header *headers, const void *data , size_t length, void *ctx) { 
@@ -211,22 +211,22 @@ cms_verify_sd(struct cms_verify_sd_options *opt, int argc, char **argv) certs_strings(context, "store", store, lock, &opt->certificate_strings); if (opt->pem_flag) { - struct pem_data p; + struct pem_data pd; FILE *f; - p.os = &co; - p.detached_data = 0; + pd.os = &co; + pd.detached_data = 0; f = fopen(argv[0], "r"); if (f == NULL) err(1, "Failed to open file %s", argv[0]); - ret = hx509_pem_read(context, f, pem_reader, &p); + ret = hx509_pem_read(context, f, pem_reader, &pd); fclose(f); if (ret) errx(1, "PEM reader failed: %d", ret); - if (p.detached_data && opt->signed_content_string == NULL) { + if (pd.detached_data && opt->signed_content_string == NULL) { char *r = strrchr(argv[0], '.'); if (r && strcasecmp(r, ".pem") == 0) { char *s = strdup(argv[0]); @@ -331,7 +331,7 @@ cms_verify_sd(struct cms_verify_sd_options *opt, int argc, char **argv) } static int -print_signer(hx509_context context, void *ctx, hx509_cert cert) +print_signer(hx509_context contextp, void *ctx, hx509_cert cert) { hx509_pem_header **header = ctx; char *signer_name = NULL; @@ -801,10 +801,10 @@ certificate_copy(struct certificate_copy_options *opt, int argc, char **argv) hx509_err(context, 1, ret, "hx509_certs_init"); while(argc-- > 1) { - int ret; - ret = hx509_certs_append(context, certs, inlock, argv[0]); - if (ret) - hx509_err(context, 1, ret, "hx509_certs_append"); + int retx; + retx = hx509_certs_append(context, certs, inlock, argv[0]); + if (retx) + hx509_err(context, 1, retx, "hx509_certs_append"); argv++; } @@ -1534,7 +1534,7 @@ hxtool_hex(struct hex_options *opt, int argc, char **argv) len = hex_decode(p, buf2, strlen(p)); if (len < 0) errx(1, "hex_decode failed"); - if (fwrite(buf2, 1, len, stdout) != len) + if (fwrite(buf2, 1, len, stdout) != (size_t)len) errx(1, "fwrite failed"); } } else { 
@@ -1558,38 +1558,38 @@ struct cert_type_opt { static int -https_server(hx509_context context, hx509_ca_tbs tbs, struct cert_type_opt *opt) +https_server(hx509_context contextp, hx509_ca_tbs tbs, struct cert_type_opt *opt) { - return hx509_ca_tbs_add_eku(context, tbs, &asn1_oid_id_pkix_kp_serverAuth); + return hx509_ca_tbs_add_eku(contextp, tbs, &asn1_oid_id_pkix_kp_serverAuth); } static int -https_client(hx509_context context, hx509_ca_tbs tbs, struct cert_type_opt *opt) +https_client(hx509_context contextp, hx509_ca_tbs tbs, struct cert_type_opt *opt) { - return hx509_ca_tbs_add_eku(context, tbs, &asn1_oid_id_pkix_kp_clientAuth); + return hx509_ca_tbs_add_eku(contextp, tbs, &asn1_oid_id_pkix_kp_clientAuth); } static int -peap_server(hx509_context context, hx509_ca_tbs tbs, struct cert_type_opt *opt) +peap_server(hx509_context contextp, hx509_ca_tbs tbs, struct cert_type_opt *opt) { - return hx509_ca_tbs_add_eku(context, tbs, &asn1_oid_id_pkix_kp_serverAuth); + return hx509_ca_tbs_add_eku(contextp, tbs, &asn1_oid_id_pkix_kp_serverAuth); } static int -pkinit_kdc(hx509_context context, hx509_ca_tbs tbs, struct cert_type_opt *opt) +pkinit_kdc(hx509_context contextp, hx509_ca_tbs tbs, struct cert_type_opt *opt) { opt->pkinit++; - return hx509_ca_tbs_add_eku(context, tbs, &asn1_oid_id_pkkdcekuoid); + return hx509_ca_tbs_add_eku(contextp, tbs, &asn1_oid_id_pkkdcekuoid); } static int -pkinit_client(hx509_context context, hx509_ca_tbs tbs, struct cert_type_opt *opt) +pkinit_client(hx509_context contextp, hx509_ca_tbs tbs, struct cert_type_opt *opt) { int ret; opt->pkinit++; - ret = hx509_ca_tbs_add_eku(context, tbs, &asn1_oid_id_pkekuoid); + ret = hx509_ca_tbs_add_eku(contextp, tbs, &asn1_oid_id_pkekuoid); if (ret) return ret; 
@@ -1601,9 +1601,9 @@ pkinit_client(hx509_context context, hx509_ca_tbs tbs, struct cert_type_opt *opt } static int -email_client(hx509_context context, hx509_ca_tbs tbs, struct cert_type_opt *opt) +email_client(hx509_context contextp, hx509_ca_tbs tbs, struct cert_type_opt *opt) { - return hx509_ca_tbs_add_eku(context, tbs, &asn1_oid_id_pkix_kp_emailProtection); + return hx509_ca_tbs_add_eku(contextp, tbs, &asn1_oid_id_pkix_kp_emailProtection); } struct { @@ -1663,12 +1663,13 @@ print_eval_types(FILE *out) } static int -eval_types(hx509_context context, +eval_types(hx509_context contextp, hx509_ca_tbs tbs, const struct certificate_sign_options *opt) { struct cert_type_opt ctopt; - unsigned i, j; + int i; + size_t j; int ret; memset(&ctopt, 0, sizeof(ctopt)); @@ -1678,9 +1679,9 @@ eval_types(hx509_context context, for (j = 0; j < sizeof(certtypes)/sizeof(certtypes[0]); j++) { if (strcasecmp(type, certtypes[j].type) == 0) { - ret = (*certtypes[j].eval)(context, tbs, &ctopt); + ret = (*certtypes[j].eval)(contextp, tbs, &ctopt); if (ret) - hx509_err(context, 1, ret, + hx509_err(contextp, 1, ret, "Failed to evaluate cert type %s", type); break; } 
@@ -1697,47 +1698,47 @@ eval_types(hx509_context context, if (!ctopt.pkinit) errx(1, "pk-init principal given but no pk-init oid"); - ret = hx509_ca_tbs_add_san_pkinit(context, tbs, + ret = hx509_ca_tbs_add_san_pkinit(contextp, tbs, opt->pk_init_principal_string); if (ret) - hx509_err(context, 1, ret, "hx509_ca_tbs_add_san_pkinit"); + hx509_err(contextp, 1, ret, "hx509_ca_tbs_add_san_pkinit"); } if (opt->ms_upn_string) { if (!ctopt.pkinit) errx(1, "MS upn given but no pk-init oid"); - ret = hx509_ca_tbs_add_san_ms_upn(context, tbs, opt->ms_upn_string); + ret = hx509_ca_tbs_add_san_ms_upn(contextp, tbs, opt->ms_upn_string); if (ret) - hx509_err(context, 1, ret, "hx509_ca_tbs_add_san_ms_upn"); + hx509_err(contextp, 1, ret, "hx509_ca_tbs_add_san_ms_upn"); } for (i = 0; i < opt->hostname_strings.num_strings; i++) { const char *hostname = opt->hostname_strings.strings[i]; - ret = hx509_ca_tbs_add_san_hostname(context, tbs, hostname); + ret = hx509_ca_tbs_add_san_hostname(contextp, tbs, hostname); if (ret) - hx509_err(context, 1, ret, "hx509_ca_tbs_add_san_hostname"); + hx509_err(contextp, 1, ret, "hx509_ca_tbs_add_san_hostname"); } for (i = 0; i < opt->email_strings.num_strings; i++) { const char *email = opt->email_strings.strings[i]; - ret = hx509_ca_tbs_add_san_rfc822name(context, tbs, email); + ret = hx509_ca_tbs_add_san_rfc822name(contextp, tbs, email); if (ret) - hx509_err(context, 1, ret, "hx509_ca_tbs_add_san_hostname"); + hx509_err(contextp, 1, ret, "hx509_ca_tbs_add_san_hostname"); - ret = hx509_ca_tbs_add_eku(context, tbs, + ret = hx509_ca_tbs_add_eku(contextp, tbs, &asn1_oid_id_pkix_kp_emailProtection); if (ret) - hx509_err(context, 1, ret, "hx509_ca_tbs_add_eku"); + hx509_err(contextp, 1, ret, "hx509_ca_tbs_add_eku"); } if (opt->jid_string) { - ret = hx509_ca_tbs_add_san_jid(context, tbs, opt->jid_string); + ret = hx509_ca_tbs_add_san_jid(contextp, tbs, opt->jid_string); if (ret) - hx509_err(context, 1, ret, "hx509_ca_tbs_add_san_jid"); + 
hx509_err(contextp, 1, ret, "hx509_ca_tbs_add_san_jid"); } return 0; diff --git a/lib/hx509/ks_dir.c b/lib/hx509/ks_dir.c index 8c8c6e50c..94d44b712 100644 --- a/lib/hx509/ks_dir.c +++ b/lib/hx509/ks_dir.c @@ -202,16 +202,12 @@ dir_iter_end(hx509_context context, static struct hx509_keyset_ops keyset_dir = { - "DIR", - 0, - dir_init, - NULL, - dir_free, - NULL, - NULL, - dir_iter_start, - dir_iter, - dir_iter_end + .name = "DIR", + .init = dir_init, + .free = dir_free, + .iter_start = dir_iter_start, + .iter = dir_iter, + .iter_end = dir_iter_end, }; void diff --git a/lib/hx509/ks_file.c b/lib/hx509/ks_file.c index ecd3a6eda..d8927eb1e 100644 --- a/lib/hx509/ks_file.c +++ b/lib/hx509/ks_file.c @@ -177,7 +177,8 @@ parse_pem_private_key(hx509_context context, const char *fn, const EVP_CIPHER *cipher; const struct _hx509_password *pw; hx509_lock lock; - int i, decrypted = 0; + int decrypted = 0; + size_t i; lock = _hx509_collector_get_lock(c); if (lock == NULL) { @@ -329,7 +330,8 @@ pem_func(hx509_context context, const char *type, const void *data, size_t len, void *ctx) { struct pem_ctx *pem_ctx = (struct pem_ctx*)ctx; - int ret = 0, j; + int ret = 0; + size_t j; for (j = 0; j < sizeof(formats)/sizeof(formats[0]); j++) { const char *q = formats[j].name; @@ -436,7 +438,7 @@ file_init_common(hx509_context context, else if (ret == HX509_PARSING_KEY_FAILED) { size_t length; void *ptr; - int i; + size_t i; ret = rk_undumpdata(p, &ptr, &length); if (ret) { diff --git a/lib/hx509/ks_p11.c b/lib/hx509/ks_p11.c index 30f5343b0..5a21ca8cc 100644 --- a/lib/hx509/ks_p11.c +++ b/lib/hx509/ks_p11.c @@ -152,7 +152,7 @@ p11_rsa_private_encrypt(int flen, } ret = P11FUNC(p11rsa->p, Sign, - (session, (CK_BYTE *)from, flen, to, &ck_sigsize)); + (session, (CK_BYTE *)(intptr_t)from, flen, to, &ck_sigsize)); p11_put_session(p11rsa->p, p11rsa->slot, session); if (ret != CKR_OK) return -1; 
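Review bot: In the e-mail loop of eval_types, the failure path after `hx509_ca_tbs_add_san_rfc822name()` still reports "hx509_ca_tbs_add_san_hostname". An operator debugging a rejected certificate request is therefore pointed at the wrong SAN type. Since the rename already touches that line, the label can be fixed in the same change: `hx509_err(contextp, 1, ret, "hx509_ca_tbs_add_san_rfc822name");`. eval_types starts in an earlier hunk, so the rest of its body is not visible here.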
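Review bot: The cast `(CK_BYTE *)(intptr_t)from` in p11_rsa_private_encrypt silences the const warning by routing the pointer through an integer, which hides that const is being dropped. The same pattern is added to p11_rsa_private_decrypt in the next hunk. The tree already has `rk_UNCONST()` for this (it is used in ipropd_master.c in this same patch), so `(session, rk_UNCONST(from), flen, to, &ck_sigsize)` would state the intent, assuming roken.h is in scope in ks_p11.c. `flen` is an `int` passed as a PKCS#11 length; a `flen < 0` guard may already exist above the hunk, and is worth confirming.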
@@ -190,7 +190,7 @@ p11_rsa_private_decrypt(int flen, const unsigned char *from, unsigned char *to, } ret = P11FUNC(p11rsa->p, Decrypt, - (session, (CK_BYTE *)from, flen, to, &ck_sigsize)); + (session, (CK_BYTE *)(intptr_t)from, flen, to, &ck_sigsize)); p11_put_session(p11rsa->p, p11rsa->slot, session); if (ret != CKR_OK) return -1; @@ -878,7 +878,8 @@ p11_init(hx509_context context, { CK_SLOT_ID_PTR slot_ids; - int i, num_tokens = 0; + int num_tokens = 0; + size_t i; slot_ids = malloc(p->num_slots * sizeof(*slot_ids)); if (slot_ids == NULL) { @@ -933,7 +934,7 @@ p11_init(hx509_context context, static void p11_release_module(struct p11_module *p) { - int i; + size_t i; if (p->ref == 0) _hx509_abort("pkcs11 ref to low"); @@ -957,7 +958,7 @@ p11_release_module(struct p11_module *p) free(p->slot[i].mechs.list); if (p->slot[i].mechs.infos) { - int j; + size_t j; for (j = 0 ; j < p->slot[i].mechs.num ; j++) free(p->slot[i].mechs.infos[j]); @@ -981,7 +982,7 @@ static int p11_free(hx509_certs certs, void *data) { struct p11_module *p = data; - int i; + size_t i; for (i = 0; i < p->num_slots; i++) { if (p->slot[i].certs) @@ -1002,7 +1003,8 @@ p11_iter_start(hx509_context context, { struct p11_module *p = data; struct p11_cursor *c; - int ret, i; + int ret; + size_t i; c = malloc(sizeof(*c)); if (c == NULL) { @@ -1103,7 +1105,7 @@ p11_printinfo(hx509_context context, void *ctx) { struct p11_module *p = data; - int i, j; + size_t i, j; _hx509_pi_printf(func, ctx, "pkcs11 driver with %d slot%s", p->num_slots, p->num_slots > 1 ? "s" : ""); diff --git a/lib/hx509/ks_p12.c b/lib/hx509/ks_p12.c index 704cf071d..31ed88345 100644 --- a/lib/hx509/ks_p12.c +++ b/lib/hx509/ks_p12.c @@ -56,7 +56,7 @@ parse_pkcs12_type(hx509_context, struct hx509_collector *, const heim_oid *, static const PKCS12_Attribute * find_attribute(const PKCS12_Attributes *attrs, const heim_oid *oid) { - int i; + size_t i; if (attrs == NULL) return NULL; for (i = 0; i < attrs->len; i++) 
@@ -168,7 +168,7 @@ certBag_parser(hx509_context context, const heim_oid *oids[] = { &asn1_oid_id_pkcs_9_at_localKeyId, &asn1_oid_id_pkcs_9_at_friendlyName }; - int i; + size_t i; for (i = 0; i < sizeof(oids)/sizeof(oids[0]); i++) { const heim_oid *oid = oids[i]; @@ -190,7 +190,8 @@ parse_safe_content(hx509_context context, const unsigned char *p, size_t len) { PKCS12_SafeContents sc; - int ret, i; + int ret; + size_t i; memset(&sc, 0, sizeof(sc)); @@ -310,7 +311,7 @@ parse_pkcs12_type(hx509_context context, const void *data, size_t length, const PKCS12_Attributes *attrs) { - int i; + size_t i; for (i = 0; i < sizeof(bagtypes)/sizeof(bagtypes[0]); i++) if (der_heim_oid_cmp(bagtypes[i].oid, oid) == 0) @@ -327,7 +328,8 @@ p12_init(hx509_context context, void *buf; PKCS12_PFX pfx; PKCS12_AuthenticatedSafe as; - int ret, i; + int ret; + size_t i; struct hx509_collector *c; *data = NULL; diff --git a/lib/hx509/lock.c b/lib/hx509/lock.c index 07e9d3612..b72d45962 100644 --- a/lib/hx509/lock.c +++ b/lib/hx509/lock.c @@ -121,7 +121,7 @@ _hx509_lock_unlock_certs(hx509_lock lock) void hx509_lock_reset_passwords(hx509_lock lock) { - int i; + size_t i; for (i = 0; i < lock->password.len; i++) free(lock->password.val[i]); free(lock->password.val); diff --git a/lib/hx509/name.c b/lib/hx509/name.c index 83b8f86d4..492f5f367 100644 --- a/lib/hx509/name.c +++ b/lib/hx509/name.c 
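Review bot: hx509_lock_reset_passwords frees each `lock->password.val[i]` without clearing it first, so the plaintext passwords stay in freed heap memory until it is reused. The loop is already being edited, so each string could be wiped over its `strlen()` before the `free()`, using a wipe the compiler cannot elide (`memset_s` where available, or a volatile-pointer loop). A plain `memset` immediately before `free` may be optimised away. The function continues past the end of the hunk.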
@@ -66,17 +66,17 @@ static const struct { const heim_oid *o; wind_profile_flags flags; } no[] = { - { "C", &asn1_oid_id_at_countryName }, - { "CN", &asn1_oid_id_at_commonName }, - { "DC", &asn1_oid_id_domainComponent }, - { "L", &asn1_oid_id_at_localityName }, - { "O", &asn1_oid_id_at_organizationName }, - { "OU", &asn1_oid_id_at_organizationalUnitName }, - { "S", &asn1_oid_id_at_stateOrProvinceName }, - { "STREET", &asn1_oid_id_at_streetAddress }, - { "UID", &asn1_oid_id_Userid }, - { "emailAddress", &asn1_oid_id_pkcs9_emailAddress }, - { "serialNumber", &asn1_oid_id_at_serialNumber } + { "C", &asn1_oid_id_at_countryName, 0 }, + { "CN", &asn1_oid_id_at_commonName, 0 }, + { "DC", &asn1_oid_id_domainComponent, 0 }, + { "L", &asn1_oid_id_at_localityName, 0 }, + { "O", &asn1_oid_id_at_organizationName, 0 }, + { "OU", &asn1_oid_id_at_organizationalUnitName, 0 }, + { "S", &asn1_oid_id_at_stateOrProvinceName, 0 }, + { "STREET", &asn1_oid_id_at_streetAddress, 0 }, + { "UID", &asn1_oid_id_Userid, 0 }, + { "emailAddress", &asn1_oid_id_pkcs9_emailAddress, 0 }, + { "serialNumber", &asn1_oid_id_at_serialNumber, 0 } }; static char * @@ -159,7 +159,8 @@ oidtostring(const heim_oid *type) static int stringtooid(const char *name, size_t len, heim_oid *oid) { - int i, ret; + int ret; + size_t i; char *s; memset(oid, 0, sizeof(*oid)); @@ -200,14 +201,16 @@ int _hx509_Name_to_string(const Name *n, char **str) { size_t total_len = 0; - int i, j, ret; + size_t i, j, m; + int ret; *str = strdup(""); if (*str == NULL) return ENOMEM; - for (i = n->u.rdnSequence.len - 1 ; i >= 0 ; i--) { + for (m = n->u.rdnSequence.len; m > 0; m--) { size_t len; + i = m - 1; for (j = 0; j < n->u.rdnSequence.val[i].len; j++) { DirectoryString *ds = &n->u.rdnSequence.val[i].val[j].value; 
@@ -438,7 +441,8 @@ _hx509_name_ds_cmp(const DirectoryString *ds1, int _hx509_name_cmp(const Name *n1, const Name *n2, int *c) { - int ret, i, j; + int ret; + size_t i, j; *c = n1->u.rdnSequence.len - n2->u.rdnSequence.len; if (*c) @@ -610,7 +614,7 @@ hx509_parse_name(hx509_context context, const char *str, hx509_name *name) goto out; } - if ((q - p) > len) { + if ((size_t)(q - p) > len) { ret = HX509_PARSING_NAME_FAILED; hx509_set_error_string(context, 0, ret, " = after , in %s", p); goto out; @@ -727,7 +731,7 @@ hx509_name_expand(hx509_context context, hx509_env env) { Name *n = &name->der_name; - int i, j; + size_t i, j; if (env == NULL) return 0; diff --git a/lib/hx509/print.c b/lib/hx509/print.c index 56e4f7211..998816d80 100644 --- a/lib/hx509/print.c +++ b/lib/hx509/print.c @@ -163,7 +163,7 @@ void hx509_bitstring_print(const heim_bit_string *b, hx509_vprint_func func, void *ctx) { - int i; + size_t i; print_func(func, ctx, "\tlength: %d\n\t", b->length); for (i = 0; i < (b->length + 7) / 8; i++) print_func(func, ctx, "%02x%s%s", @@ -481,7 +481,8 @@ check_CRLDistributionPoints(hx509_validate_ctx ctx, { CRLDistributionPoints dp; size_t size; - int ret, i; + int ret; + size_t i; check_Null(ctx, status, cf, e); @@ -499,7 +500,7 @@ check_CRLDistributionPoints(hx509_validate_ctx ctx, if (dp.val[i].distributionPoint) { DistributionPointName dpname; heim_any *data = dp.val[i].distributionPoint; - int j; + size_t j; ret = decode_DistributionPointName(data->data, data->length, &dpname, NULL); @@ -565,7 +566,8 @@ check_altName(hx509_validate_ctx ctx, { GeneralNames gn; size_t size; - int ret, i; + int ret; + size_t i; check_Null(ctx, status, cf, e); @@ -717,7 +719,8 @@ check_authorityInfoAccess(hx509_validate_ctx ctx, { AuthorityInfoAccessSyntax aia; size_t size; - int ret, i; + int ret; + size_t i; check_Null(ctx, status, cf, e); 
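Review bot: In hx509_bitstring_print the context line `print_func(func, ctx, "\tlength: %d\n\t", b->length);` still formats `b->length` with `%d`, while the index compared against it is now `size_t`. If `length` is a `size_t`, as the new loop type suggests, this is a format/argument mismatch on LP64 targets. `print_func(func, ctx, "\tlength: %lu\n\t", (unsigned long)b->length);` keeps it portable.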
@@ -773,7 +776,7 @@ struct { { ext(certificateIssuer, Null), M_C }, { ext(nameConstraints, Null), M_C }, { ext(cRLDistributionPoints, CRLDistributionPoints), S_N_C }, - { ext(certificatePolicies, Null) }, + { ext(certificatePolicies, Null), 0 }, { ext(policyMappings, Null), M_N_C }, { ext(authorityKeyIdentifier, authorityKeyIdentifier), M_N_C }, { ext(policyConstraints, Null), D_C }, @@ -789,7 +792,7 @@ struct { check_Null, D_C }, { "Netscape cert comment", &asn1_oid_id_netscape_cert_comment, check_Null, D_C }, - { NULL } + { NULL, NULL, NULL, 0 } }; /** @@ -936,7 +939,7 @@ hx509_validate_cert(hx509_context context, free(str); if (t->extensions) { - int i, j; + size_t i, j; if (t->extensions->len == 0) { validate_print(ctx, diff --git a/lib/hx509/revoke.c b/lib/hx509/revoke.c index 6d2cac4af..715438d4b 100644 --- a/lib/hx509/revoke.c +++ b/lib/hx509/revoke.c @@ -349,7 +349,7 @@ load_ocsp(hx509_context context, struct revoke_ocsp *ocsp) } if (basic.certs) { - int i; + size_t i; ret = hx509_certs_init(context, "MEMORY:ocsp-certs", 0, NULL, &certs); @@ -760,8 +760,7 @@ hx509_revoke_verify(hx509_context context, if (ocsp->ocsp.tbsResponseData.responses.val[j].nextUpdate) { if (*ocsp->ocsp.tbsResponseData.responses.val[j].nextUpdate < now) continue; - } else - /* Should force a refetch, but can we ? */; + } /* else should force a refetch, but can we ? */ return 0; } @@ -1076,7 +1075,8 @@ int hx509_revoke_ocsp_print(hx509_context context, const char *path, FILE *out) { struct revoke_ocsp ocsp; - int ret, i; + int ret; + size_t i; if (out == NULL) out = stdout; @@ -1141,7 +1141,7 @@ hx509_revoke_ocsp_print(hx509_context context, const char *path, FILE *out) status = "element unknown"; } - fprintf(out, "\t%d. status: %s\n", i, status); + fprintf(out, "\t%zu. status: %s\n", i, status); fprintf(out, "\tthisUpdate: %s\n", printable_time(ocsp.ocsp.tbsResponseData.responses.val[i].thisUpdate)); 
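Review bot: In hx509_revoke_verify an OCSP entry with no `nextUpdate` skips the freshness check and reaches `return 0`. Turning the empty `else` into a trailing comment keeps that behaviour but makes it easier to overlook. If `return 0` means "status accepted", as it appears to, a captured response without `nextUpdate` is honoured with no age limit. At minimum the comment should say so, e.g. `/* no nextUpdate: response is accepted without an expiry, see thisUpdate */`. Better would be bounding the age of such responses against `thisUpdate` with a configurable maximum. The surrounding loop lies outside the hunk.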
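Review bot: The new `"\t%zu. status: %s\n"` format in hx509_revoke_ocsp_print relies on C99 `%zu`, which older Microsoft C runtimes do not implement. This series also carries Windows build fixes, so that target matters. A cast is the portable form: `fprintf(out, "\t%lu. status: %s\n", (unsigned long)i, status);`.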
@@ -1188,7 +1188,8 @@ hx509_ocsp_verify(hx509_context context, { const Certificate *c = _hx509_get_cert(cert); OCSPBasicOCSPResponse basic; - int ret, i; + int ret; + size_t i; if (now == 0) now = time(NULL); diff --git a/lib/hx509/sel.c b/lib/hx509/sel.c index 561818c9f..00adc457e 100644 --- a/lib/hx509/sel.c +++ b/lib/hx509/sel.c @@ -223,7 +223,7 @@ _hx509_expr_parse(const char *buf) } void -_hx509_sel_yyerror (char *s) +_hx509_sel_yyerror (const char *s) { if (_hx509_expr_input.error) free(_hx509_expr_input.error); diff --git a/lib/hx509/sel.h b/lib/hx509/sel.h index 1dfc41818..177ec0a65 100644 --- a/lib/hx509/sel.h +++ b/lib/hx509/sel.h @@ -78,5 +78,5 @@ extern struct hx_expr_input _hx509_expr_input; int _hx509_sel_yyparse(void); int _hx509_sel_yylex(void); -void _hx509_sel_yyerror(char *); +void _hx509_sel_yyerror(const char *); diff --git a/lib/hx509/softp11.c b/lib/hx509/softp11.c index 0496b35b7..496423205 100644 --- a/lib/hx509/softp11.c +++ b/lib/hx509/softp11.c @@ -140,9 +140,9 @@ snprintf_fill(char *str, size_t size, char fillchar, const char *fmt, ...) va_start(ap, fmt); len = vsnprintf(str, size, fmt, ap); va_end(ap); - if (len < 0 || len > size) + if (len < 0 || (size_t)len > size) return; - while(len < size) + while ((size_t)len < size) str[len++] = fillchar; } @@ -152,9 +152,9 @@ snprintf_fill(char *str, size_t size, char fillchar, const char *fmt, ...) #define VERIFY_SESSION_HANDLE(s, state) \ { \ - CK_RV ret; \ - ret = verify_session_handle(s, state); \ - if (ret != CKR_OK) { \ + CK_RV xret; \ + xret = verify_session_handle(s, state); \ + if (xret != CKR_OK) { \ /* return CKR_OK */; \ } \ } @@ -163,7 +163,7 @@ static CK_RV verify_session_handle(CK_SESSION_HANDLE hSession, struct session_state **state) { - int i; + size_t i; for (i = 0; i < MAX_NUM_SESSION; i++){ if (soft_token.state[i].session_handle == hSession) 
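Review bot: snprintf_fill does not fully pad the field when the formatted text is as long as the buffer or longer. With `len == size` the fill loop never runs and `vsnprintf` has already put a NUL in `str[size - 1]`; with `len > size` the function returns early with a truncated, NUL-terminated string. The casts added here keep that behaviour. If these are fixed-width, fill-padded PKCS#11 fields, consumers will see a stray NUL. Either document the limitation above the function or overwrite the terminator on truncation, e.g. `if ((size_t)len >= size) { if (size) str[size - 1] = fillchar; return; }`, which still loses the last character.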
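Review bot: VERIFY_SESSION_HANDLE still throws away a failed `verify_session_handle()`: the `if (xret != CKR_OK)` branch contains only the comment `/* return CKR_OK */`. The rename to `xret` fixes the shadowing warning, but every C_* entry point using the macro keeps running with an unrecognised session handle and whatever `state` was left pointing at. If that leniency is deliberate, it needs a comment explaining why. Otherwise the branch should propagate the error: `if (xret != CKR_OK) return xret;`. The callers are outside this hunk, so whether they all return `CK_RV` needs checking.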
@@ -421,6 +421,7 @@ struct foo { static int add_cert(hx509_context hxctx, void *ctx, hx509_cert cert) { + static char empty[] = ""; struct foo *foo = (struct foo *)ctx; struct st_object *o = NULL; CK_OBJECT_CLASS type; @@ -520,8 +521,8 @@ add_cert(hx509_context hxctx, void *ctx, hx509_cert cert) add_object_attribute(o, 0, CKA_KEY_TYPE, &key_type, sizeof(key_type)); add_object_attribute(o, 0, CKA_ID, foo->id, strlen(foo->id)); - add_object_attribute(o, 0, CKA_START_DATE, "", 1); /* XXX */ - add_object_attribute(o, 0, CKA_END_DATE, "", 1); /* XXX */ + add_object_attribute(o, 0, CKA_START_DATE, empty, 1); /* XXX */ + add_object_attribute(o, 0, CKA_END_DATE, empty, 1); /* XXX */ add_object_attribute(o, 0, CKA_DERIVE, &bool_false, sizeof(bool_false)); add_object_attribute(o, 0, CKA_LOCAL, &bool_false, sizeof(bool_false)); mech_type = CKM_RSA_X_509; @@ -557,8 +558,8 @@ add_cert(hx509_context hxctx, void *ctx, hx509_cert cert) add_object_attribute(o, 0, CKA_KEY_TYPE, &key_type, sizeof(key_type)); add_object_attribute(o, 0, CKA_ID, foo->id, strlen(foo->id)); - add_object_attribute(o, 0, CKA_START_DATE, "", 1); /* XXX */ - add_object_attribute(o, 0, CKA_END_DATE, "", 1); /* XXX */ + add_object_attribute(o, 0, CKA_START_DATE, empty, 1); /* XXX */ + add_object_attribute(o, 0, CKA_END_DATE, empty, 1); /* XXX */ add_object_attribute(o, 0, CKA_DERIVE, &bool_false, sizeof(bool_false)); add_object_attribute(o, 0, CKA_LOCAL, &bool_false, sizeof(bool_false)); mech_type = CKM_RSA_X_509; @@ -859,7 +860,7 @@ C_Initialize(CK_VOID_PTR a) { CK_C_INITIALIZE_ARGS_PTR args = a; CK_RV ret; - int i; + size_t i; st_logf("Initialize\n"); @@ -916,7 +917,7 @@ C_Initialize(CK_VOID_PTR a) CK_RV C_Finalize(CK_VOID_PTR args) { - int i; + size_t i; INIT_CONTEXT(); @@ -1112,7 +1113,7 @@ C_OpenSession(CK_SLOT_ID slotID, CK_NOTIFY Notify, CK_SESSION_HANDLE_PTR phSession) { - int i; + size_t i; INIT_CONTEXT(); st_logf("OpenSession: slot: %d\n", (int)slotID); 
@@ -1155,7 +1156,7 @@ C_CloseSession(CK_SESSION_HANDLE hSession) CK_RV C_CloseAllSessions(CK_SLOT_ID slotID) { - int i; + size_t i; INIT_CONTEXT(); st_logf("CloseAllSessions\n"); @@ -1429,7 +1430,7 @@ commonInit(CK_ATTRIBUTE *attr_match, int attr_match_len, static CK_RV -dup_mechanism(CK_MECHANISM_PTR *dup, const CK_MECHANISM_PTR pMechanism) +dup_mechanism(CK_MECHANISM_PTR *dp, const CK_MECHANISM_PTR pMechanism) { CK_MECHANISM_PTR p; @@ -1437,9 +1438,9 @@ dup_mechanism(CK_MECHANISM_PTR *dup, const CK_MECHANISM_PTR pMechanism) if (p == NULL) return CKR_DEVICE_MEMORY; - if (*dup) - free(*dup); - *dup = p; + if (*dp) + free(*dp); + *dp = p; memcpy(p, pMechanism, sizeof(*p)); return CKR_OK; diff --git a/lib/ipc/client.c b/lib/ipc/client.c index a99c852b3..a9d4798e2 100644 --- a/lib/ipc/client.c +++ b/lib/ipc/client.c @@ -393,7 +393,7 @@ unix_socket_ipc(void *ctx, if (net_write(s->fd, &len, sizeof(len)) != sizeof(len)) return -1; - if (net_write(s->fd, req->data, req->length) != req->length) + if (net_write(s->fd, req->data, req->length) != (ssize_t)req->length) return -1; if (net_read(s->fd, &len, sizeof(len)) != sizeof(len)) @@ -407,7 +407,7 @@ unix_socket_ipc(void *ctx, rep->data = malloc(rep->length); if (rep->data == NULL) return -1; - if (net_read(s->fd, rep->data, rep->length) != rep->length) + if (net_read(s->fd, rep->data, rep->length) != (ssize_t)rep->length) return -1; } else rep->data = NULL; @@ -489,9 +489,9 @@ struct hipc_ops ipcs[] = { { "MACH", mach_init, mach_release, mach_ipc, mach_async }, #endif #ifdef HAVE_DOOR - { "DOOR", door_init, common_release, door_ipc } + { "DOOR", door_init, common_release, door_ipc, NULL } #endif - { "UNIX", unix_socket_init, common_release, unix_socket_ipc } + { "UNIX", unix_socket_init, common_release, unix_socket_ipc, NULL } }; struct heim_ipc { 
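Review bot: In unix_socket_ipc the buffer from `malloc(rep->length)` is leaked when the following `net_read()` comes back short, because the error path is a bare `return -1`. It also leaves `rep->data` pointing at memory the caller may later free or read. Suggested: `if (net_read(s->fd, rep->data, rep->length) != (ssize_t)rep->length) { free(rep->data); rep->data = NULL; return -1; }`. `rep->length` appears to come from the peer's length word read just above; an upper bound before the allocation would also keep the new `(ssize_t)` cast from going negative on very large values. The function begins and ends outside this hunk.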
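Review bot: The `ipcs[]` initializer has no comma after the "DOOR" entry, so with HAVE_DOOR defined the `{ "DOOR", ... }` and `{ "UNIX", ... }` initializers are adjacent and the table does not compile. The line is rewritten here to add the trailing `NULL`, so the separator can go in at the same time: `{ "DOOR", door_init, common_release, door_ipc, NULL },`.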
@@ -546,29 +546,29 @@ heim_ipc_free_context(heim_ipc ctx) } int -heim_ipc_call(heim_ipc ctx, const heim_idata *send, heim_idata *recv, +heim_ipc_call(heim_ipc ctx, const heim_idata *snd, heim_idata *rcv, heim_icred *cred) { if (cred) *cred = NULL; - return (ctx->ops->ipc)(ctx->ctx, send, recv, cred); + return (ctx->ops->ipc)(ctx->ctx, snd, rcv, cred); } int -heim_ipc_async(heim_ipc ctx, const heim_idata *send, void *userctx, +heim_ipc_async(heim_ipc ctx, const heim_idata *snd, void *userctx, void (*func)(void *, int, heim_idata *, heim_icred)) { if (ctx->ops->async == NULL) { - heim_idata recv; + heim_idata rcv; heim_icred cred = NULL; int ret; - ret = (ctx->ops->ipc)(ctx->ctx, send, &recv, &cred); - (*func)(userctx, ret, &recv, cred); + ret = (ctx->ops->ipc)(ctx->ctx, snd, &rcv, &cred); + (*func)(userctx, ret, &rcv, cred); heim_ipc_free_cred(cred); - free(recv.data); + free(rcv.data); return ret; } else { - return (ctx->ops->async)(ctx->ctx, send, userctx, func); + return (ctx->ops->async)(ctx->ctx, snd, userctx, func); } } diff --git a/lib/ipc/server.c b/lib/ipc/server.c index 4e425247a..bfa3c937a 100644 --- a/lib/ipc/server.c +++ b/lib/ipc/server.c @@ -557,7 +557,7 @@ update_client_creds(struct client *c) #endif #if defined(SOCKCREDSIZE) && defined(SCM_CREDS) /* NetBSD */ - if (c->unixrights.uid == -1) { + if (c->unixrights.uid == (uid_t)-1) { struct msghdr msg; socklen_t crmsgsize; void *crmsg; @@ -959,7 +959,7 @@ handle_write(struct client *c) if (len <= 0) { c->flags |= WAITING_CLOSE; c->flags &= ~(WAITING_WRITE); - } else if (c->olen != len) { + } else if (c->olen != (size_t)len) { memmove(&c->outmsg[0], &c->outmsg[len], c->olen - len); c->olen -= len; } else { diff --git a/lib/kadm5/acl.c b/lib/kadm5/acl.c index 382c0e288..5e263a325 100644 --- a/lib/kadm5/acl.c +++ b/lib/kadm5/acl.c 
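Review bot: In the synchronous fallback of heim_ipc_async, `heim_idata rcv;` is uninitialised, yet it is passed to the callback and `rcv.data` is freed whatever `ret` is. The unix-socket backend shown earlier in this patch can `return -1` before it assigns `rep->data`, in which case `free(rcv.data)` operates on an indeterminate pointer. Zeroing it before the call removes the hazard: `memset(&rcv, 0, sizeof(rcv));`. The callback should then be documented as receiving an empty reply on error.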
@@ -44,7 +44,7 @@ static struct units acl_units[] = { { "modify", KADM5_PRIV_MODIFY }, { "add", KADM5_PRIV_ADD }, { "get", KADM5_PRIV_GET }, - { NULL } + { NULL, 0 } }; kadm5_ret_t diff --git a/lib/kadm5/get_s.c b/lib/kadm5/get_s.c index 9e6ae1c90..0372e6f84 100644 --- a/lib/kadm5/get_s.c +++ b/lib/kadm5/get_s.c @@ -142,7 +142,7 @@ kadm5_s_get_principal(void *server_handle, if(mask & KADM5_KVNO) out->kvno = ent.entry.kvno; if(mask & KADM5_MKVNO) { - int n; + size_t n; out->mkvno = 0; /* XXX */ for(n = 0; n < ent.entry.keys.len; n++) if(ent.entry.keys.val[n].mkvno) { @@ -169,7 +169,7 @@ kadm5_s_get_principal(void *server_handle, out->max_renewable_life = INT_MAX; } if(mask & KADM5_KEY_DATA){ - int i; + size_t i; Key *key; krb5_key_data *kd; krb5_salt salt; diff --git a/lib/kadm5/iprop-log.c b/lib/kadm5/iprop-log.c index deebef90c..b201de66d 100644 --- a/lib/kadm5/iprop-log.c +++ b/lib/kadm5/iprop-log.c @@ -124,7 +124,7 @@ print_entry(kadm5_server_context *server_context, strftime(t, sizeof(t), "%Y-%m-%d %H:%M:%S", localtime(×tamp)); - if(op < kadm_get || op > kadm_nop) { + if((int)op < (int)kadm_get || (int)op > (int)kadm_nop) { printf("unknown op: %d\n", op); krb5_storage_seek(sp, end, SEEK_SET); return; @@ -350,8 +350,8 @@ apply_entry(kadm5_server_context *server_context, struct replay_options *opt = ctx; krb5_error_code ret; - if((opt->start_version_integer != -1 && ver < opt->start_version_integer) || - (opt->end_version_integer != -1 && ver > opt->end_version_integer)) { + if((opt->start_version_integer != -1 && ver < (uint32_t)opt->start_version_integer) || + (opt->end_version_integer != -1 && ver > (uint32_t)opt->end_version_integer)) { /* XXX skip this entry */ krb5_storage_seek(sp, len, SEEK_CUR); return; 
@@ -426,8 +426,11 @@ help(void *opt, int argc, char **argv) argv[0]); } else { if(c->func) { - char *fake[] = { NULL, "--help", NULL }; + static char shelp[] = "--help"; + char *fake[3]; fake[0] = argv[0]; + fake[1] = shelp; + fake[2] = NULL; (*c->func)(2, fake); fprintf(stderr, "\n"); } diff --git a/lib/kadm5/ipropd_master.c b/lib/kadm5/ipropd_master.c index d48caf205..7243af3c5 100644 --- a/lib/kadm5/ipropd_master.c +++ b/lib/kadm5/ipropd_master.c @@ -575,7 +575,7 @@ process_msg (krb5_context context, slave *s, int log_fd, } /* new started slave that have old log */ if (s->version == 0 && tmp != 0) { - if (current_version < tmp) { + if (current_version < (uint32_t)tmp) { krb5_warnx (context, "Slave %s (version %lu) have later version " "the master (version %lu) OUT OF SYNC", s->name, (unsigned long)tmp, @@ -583,7 +583,7 @@ process_msg (krb5_context context, slave *s, int log_fd, } s->version = tmp; } - if (tmp < s->version) { + if ((uint32_t)tmp < s->version) { krb5_warnx (context, "Slave claims to not have " "version we already sent to it"); } else { @@ -720,10 +720,11 @@ write_stats(krb5_context context, slave *slaves, uint32_t current_version) } +static char sHDB[] = "HDB:"; static char *realm; static int version_flag; static int help_flag; -static char *keytab_str = "HDB:"; +static char *keytab_str = sHDB; static char *database; static char *config_file; static char *port_str; @@ -732,8 +733,8 @@ static int detach_from_console = 0; #endif static struct getargs args[] = { - { "config-file", 'c', arg_string, &config_file }, - { "realm", 'r', arg_string, &realm }, + { "config-file", 'c', arg_string, &config_file, NULL, NULL }, + { "realm", 'r', arg_string, &realm, NULL, NULL }, { "keytab", 'k', arg_string, &keytab_str, "keytab to get authentication from", "kspec" }, { "database", 'd', arg_string, &database, "database", "file"}, 
@@ -747,12 +748,12 @@ static struct getargs args[] = { "port ipropd will listen to", "port"}, #ifdef SUPPORT_DETACH { "detach", 0, arg_flag, &detach_from_console, - "detach from console" }, + "detach from console", NULL }, #endif { "hostname", 0, arg_string, rk_UNCONST(&master_hostname), "hostname of master (if not same as hostname)", "hostname" }, - { "version", 0, arg_flag, &version_flag }, - { "help", 0, arg_flag, &help_flag } + { "version", 0, arg_flag, &version_flag, NULL, NULL }, + { "help", 0, arg_flag, &help_flag, NULL, NULL } }; static int num_args = sizeof(args) / sizeof(args[0]); diff --git a/lib/kadm5/ipropd_slave.c b/lib/kadm5/ipropd_slave.c index 306428705..69c8bae88 100644 --- a/lib/kadm5/ipropd_slave.c +++ b/lib/kadm5/ipropd_slave.c @@ -38,7 +38,8 @@ RCSID("$Id$"); static const char *config_name = "ipropd-slave"; static krb5_log_facility *log_facility; -static char *server_time_lost = "5 min"; +static char five_min[] = "5 min"; +static char *server_time_lost = five_min; static int time_before_lost; const char *slave_str = NULL; @@ -198,9 +199,9 @@ receive_loop (krb5_context context, krb5_ret_int32 (sp, &tmp); op = tmp; krb5_ret_int32 (sp, &len); - if (vers <= server_context->log_context.version) + if ((uint32_t)vers <= server_context->log_context.version) krb5_storage_seek(sp, len + 8, SEEK_CUR); - } while(vers <= server_context->log_context.version); + } while((uint32_t)vers <= server_context->log_context.version); /* * Read up rest of the entires into the memory... @@ -460,8 +461,8 @@ static int detach_from_console = 0; #endif static struct getargs args[] = { - { "config-file", 'c', arg_string, &config_file }, - { "realm", 'r', arg_string, &realm }, + { "config-file", 'c', arg_string, &config_file, NULL, NULL }, + { "realm", 'r', arg_string, &realm, NULL, NULL }, { "keytab", 'k', arg_string, &keytab_str, "keytab to get authentication from", "kspec" }, { "time-lost", 0, arg_string, &server_time_lost, 
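Review bot: The skip loop in receive_loop ignores the return values of both `krb5_ret_int32()` calls and then seeks by `len + 8`, where `len` is a signed value taken from the master's stream. On a short or malformed message `tmp` and `len` keep stale values, and a negative `len` moves the storage position backwards. The new `(uint32_t)vers` casts only silence the comparison warning and do not address this. Each read should be checked, and the loop left with an error when a read fails or `len < 0`. The loop starts above the hunk, so where `vers` is read is not visible here.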
@@ -470,12 +471,12 @@ static struct getargs args[] = { "port ipropd-slave will connect to", "port"}, #ifdef SUPPORT_DETACH { "detach", 0, arg_flag, &detach_from_console, - "detach from console" }, + "detach from console", NULL }, #endif { "hostname", 0, arg_string, rk_UNCONST(&slave_str), "hostname of slave (if not same as hostname)", "hostname" }, - { "version", 0, arg_flag, &version_flag }, - { "help", 0, arg_flag, &help_flag } + { "version", 0, arg_flag, &version_flag, NULL, NULL }, + { "help", 0, arg_flag, &help_flag, NULL, NULL } }; static int num_args = sizeof(args) / sizeof(args[0]); diff --git a/lib/kadm5/keys.c b/lib/kadm5/keys.c index 9a8415d84..d46b8db73 100644 --- a/lib/kadm5/keys.c +++ b/lib/kadm5/keys.c @@ -70,7 +70,7 @@ _kadm5_init_keys (Key *keys, int len) int _kadm5_exists_keys(Key *keys1, int len1, Key *keys2, int len2) { - unsigned int i, j; + int i, j; for (i = 0; i < len1; ++i) { for (j = 0; j < len2; j++) { diff --git a/lib/kadm5/log.c b/lib/kadm5/log.c index 425e0df0c..05b84b1e0 100644 --- a/lib/kadm5/log.c +++ b/lib/kadm5/log.c @@ -193,12 +193,12 @@ kadm5_log_flush (kadm5_log_context *log_context, { krb5_data data; size_t len; - int ret; + ssize_t ret; krb5_storage_to_data(sp, &data); len = data.length; ret = write (log_context->log_fd, data.data, len); - if (ret != len) { + if (ret < 0 || (size_t)ret != len) { krb5_data_free(&data); return errno; } @@ -696,7 +696,7 @@ kadm5_log_replay_modify (kadm5_server_context *context, } if (mask & KADM5_KEY_DATA) { size_t num; - int i; + size_t i; for (i = 0; i < ent.entry.keys.len; ++i) free_Key(&ent.entry.keys.val[i]); @@ -880,7 +880,7 @@ kadm5_log_previous (krb5_context context, ret = krb5_ret_int32 (sp, &tmp); if (ret) goto end_of_storage; - if (tmp != *ver) { + if ((uint32_t)tmp != *ver) { krb5_storage_seek(sp, oldoff, SEEK_SET); krb5_set_error_message(context, KADM5_BAD_DB, "kadm5_log_previous: log entry " 
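Review bot: kadm5_log_flush now detects a short write via `(size_t)ret != len`, but still returns `errno` for it. `write()` does not set `errno` on a partial write, so the function can return 0 or a stale code while the log entry is truncated on disk. `errno` is also read after `krb5_data_free()`. Suggested: `int save = (ret < 0) ? errno : EIO;` then `krb5_data_free(&data);` and `return save;`. The remainder of the function is outside the hunk.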
@@ -901,7 +901,7 @@ kadm5_log_previous (krb5_context context, ret = krb5_ret_int32 (sp, &tmp); if (ret) goto end_of_storage; - if (tmp != *len) { + if ((uint32_t)tmp != *len) { krb5_storage_seek(sp, oldoff, SEEK_SET); krb5_set_error_message(context, KADM5_BAD_DB, "kadm5_log_previous: log entry " diff --git a/lib/kadm5/password_quality.c b/lib/kadm5/password_quality.c index cb82567f5..e632e25e9 100644 --- a/lib/kadm5/password_quality.c +++ b/lib/kadm5/password_quality.c @@ -95,8 +95,8 @@ char_class_passwd_quality (krb5_context context, "1234567890", "!@#$%^&*()/?<>,.{[]}\\|'~`\" " }; - int i, counter = 0, req_classes; - size_t len; + int counter = 0, req_classes; + size_t i, len; char *pw; req_classes = krb5_config_get_int_default(context, NULL, 3, @@ -234,7 +234,7 @@ struct kadm5_pw_policy_check_func builtin_funcs[] = { { "minimum-length", min_length_passwd_quality }, { "character-class", char_class_passwd_quality }, { "external-check", external_passwd_quality }, - { NULL } + { NULL, NULL } }; struct kadm5_pw_policy_verifier builtin_verifier = { "builtin", diff --git a/lib/kadm5/rename_s.c b/lib/kadm5/rename_s.c index c29292bad..08351290c 100644 --- a/lib/kadm5/rename_s.c +++ b/lib/kadm5/rename_s.c @@ -62,7 +62,7 @@ kadm5_s_rename_principal(void *server_handle, goto out2; { /* fix salt */ - int i; + size_t i; Salt salt; krb5_salt salt2; memset(&salt, 0, sizeof(salt)); diff --git a/lib/kadm5/set_keys.c b/lib/kadm5/set_keys.c index 760173490..ea0b816c1 100644 --- a/lib/kadm5/set_keys.c +++ b/lib/kadm5/set_keys.c @@ -201,8 +201,8 @@ _kadm5_set_keys_randomly (kadm5_server_context *context, { krb5_keyblock *kblock = NULL; kadm5_ret_t ret = 0; - int i, des_keyblock; - size_t num_keys; + int des_keyblock; + size_t i, num_keys; Key *keys; ret = hdb_generate_key_set(context->context, ent->principal, diff --git a/lib/kafs/kafs.h b/lib/kafs/kafs.h index e80882bf6..dd20cab52 100644 --- a/lib/kafs/kafs.h +++ b/lib/kafs/kafs.h 
@@ -89,8 +89,8 @@ struct ViceIoctl { caddr_t in, out; - short in_size; - short out_size; + unsigned short in_size; + unsigned short out_size; }; struct ClearToken { diff --git a/lib/krb5/acache.c b/lib/krb5/acache.c index 6f20cdcf6..b7a5a0654 100644 --- a/lib/krb5/acache.c +++ b/lib/krb5/acache.c @@ -78,7 +78,7 @@ static const struct { static krb5_error_code translate_cc_error(krb5_context context, cc_int32 error) { - int i; + size_t i; krb5_clear_error_message(context); for(i = 0; i < sizeof(cc_errors)/sizeof(cc_errors[0]); i++) if (cc_errors[i].error == error) @@ -337,7 +337,7 @@ make_ccred_from_cred(krb5_context context, cc_credentials_v5_t *cred) { krb5_error_code ret; - int i; + size_t i; memset(cred, 0, sizeof(*cred)); @@ -1114,7 +1114,9 @@ KRB5_LIB_VARIABLE const krb5_cc_ops krb5_acc_ops = { acc_move, acc_get_default_name, acc_set_default, - acc_lastchange + acc_lastchange, + NULL, + NULL, }; #endif diff --git a/lib/krb5/addr_families.c b/lib/krb5/addr_families.c index 23c4e8ef7..768d77628 100644 --- a/lib/krb5/addr_families.c +++ b/lib/krb5/addr_families.c @@ -354,7 +354,7 @@ ipv6_print_addr (const krb5_address *addr, char *str, size_t len) if(inet_ntop(AF_INET6, addr->address.data, buf, sizeof(buf)) == NULL) { /* XXX this is pretty ugly, but better than abort() */ - int i; + size_t i; unsigned char *p = addr->address.data; buf[0] = '\0'; for(i = 0; i < addr->address.length; i++) { @@ -821,7 +821,7 @@ find_af(int af) } static struct addr_operations * -find_atype(int atype) +find_atype(krb5_address_type atype) { struct addr_operations *a; 
@@ -1111,17 +1111,17 @@ krb5_print_address (const krb5_address *addr, if (a == NULL || a->print_addr == NULL) { char *s; int l; - int i; + size_t i; s = str; l = snprintf(s, len, "TYPE_%d:", addr->addr_type); - if (l < 0 || l >= len) + if (l < 0 || (size_t)l >= len) return EINVAL; s += l; len -= l; for(i = 0; i < addr->address.length; i++) { l = snprintf(s, len, "%02x", ((char*)addr->address.data)[i]); - if (l < 0 || l >= len) + if (l < 0 || (size_t)l >= len) return EINVAL; len -= l; s += l; @@ -1307,7 +1307,7 @@ krb5_address_search(krb5_context context, const krb5_address *addr, const krb5_addresses *addrlist) { - int i; + size_t i; for (i = 0; i < addrlist->len; ++i) if (krb5_address_compare (context, addr, &addrlist->val[i])) @@ -1355,7 +1355,7 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_free_addresses(krb5_context context, krb5_addresses *addresses) { - int i; + size_t i; for(i = 0; i < addresses->len; i++) krb5_free_address(context, &addresses->val[i]); free(addresses->val); @@ -1406,7 +1406,7 @@ krb5_copy_addresses(krb5_context context, const krb5_addresses *inaddr, krb5_addresses *outaddr) { - int i; + size_t i; ALLOC_SEQ(outaddr, inaddr->len); if(inaddr->len > 0 && outaddr->val == NULL) return ENOMEM; @@ -1435,7 +1435,7 @@ krb5_append_addresses(krb5_context context, { krb5_address *tmp; krb5_error_code ret; - int i; + size_t i; if(source->len > 0) { tmp = realloc(dest->val, (dest->len + source->len) * sizeof(*tmp)); if(tmp == NULL) { diff --git a/lib/krb5/changepw.c b/lib/krb5/changepw.c index 22a7c87ef..4373f700b 100644 --- a/lib/krb5/changepw.c +++ b/lib/krb5/changepw.c @@ -276,7 +276,7 @@ process_reply (krb5_context context, { krb5_error_code ret; u_char reply[1024 * 3]; - ssize_t len; + size_t len; uint16_t pkt_len, pkt_ver; krb5_data ap_rep_data; int save_errno; 
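Review bot: In krb5_print_address, the fallback formatter still passes `((char*)addr->address.data)[i]` to `%02x`; where plain char is signed, any address byte of 0x80 or above is sign-extended and printed as eight hex digits instead of two. The length checks this hunk fixes keep the write inside the buffer, but the text is wrong and the buffer is used up four times as fast. Reading the byte as `((unsigned char*)addr->address.data)[i]` fixes it. The function starts and ends outside the hunk.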
@@ -328,7 +328,7 @@ process_reply (krb5_context context, if (len < 6) { str2data (result_string, "server %s sent to too short message " - "(%ld bytes)", host, (long)len); + "(%zu bytes)", host, len); *result_code = KRB5_KPASSWD_MALFORMED; return 0; } @@ -496,7 +496,7 @@ static struct kpwd_proc { chgpw_send_request, process_reply }, - { NULL } + { NULL, 0, NULL, NULL } }; /* diff --git a/lib/krb5/config_file.c b/lib/krb5/config_file.c index 89f778823..09d9e19d4 100644 --- a/lib/krb5/config_file.c +++ b/lib/krb5/config_file.c @@ -63,7 +63,7 @@ config_fgets(char *str, size_t len, struct fileptr *ptr) p = ptr->s + strcspn(ptr->s, "\n"); if(*p == '\n') p++; - l = min(len, p - ptr->s); + l = min(len, (size_t)(p - ptr->s)); if(len > 0) { memcpy(str, ptr->s, l); str[l] = '\0'; @@ -91,7 +91,7 @@ _krb5_config_get_entry(krb5_config_section **parent, const char *name, int type) for(q = parent; *q != NULL; q = &(*q)->next) if(type == krb5_config_list && - type == (*q)->type && + (unsigned)type == (*q)->type && strcmp(name, (*q)->name) == 0) return *q; *q = calloc(1, sizeof(**q)); @@ -635,7 +635,7 @@ vget_next(krb5_context context, const char *p = va_arg(args, const char *); while(b != NULL) { if(strcmp(b->name, name) == 0) { - if(b->type == type && p == NULL) { + if(b->type == (unsigned)type && p == NULL) { *pointer = b; return b->u.generic; } else if(b->type == krb5_config_list && p != NULL) { @@ -675,7 +675,7 @@ _krb5_config_vget_next (krb5_context context, /* we were called again, so just look for more entries with the same name and type */ for (b = (*pointer)->next; b != NULL; b = b->next) { - if(strcmp(b->name, (*pointer)->name) == 0 && b->type == type) { + if(strcmp(b->name, (*pointer)->name) == 0 && b->type == (unsigned)type) { *pointer = b; return b->u.generic; } 
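Review bot: In config_fgets, `l = min(len, (size_t)(p - ptr->s))` can equal `len`, and the `str[l] = '\0'` two lines down then writes one byte past a `len`-byte buffer whenever the remaining line is at least `len` characters long. The cast added here does not change that. Clamping to the space left for the terminator, `l = min(len - 1, (size_t)(p - ptr->s));`, keeps both the copy and the terminator inside `str`; with `len == 0` the copy is still skipped by the existing `if(len > 0)`. The end of the function is outside the hunk.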
@@ -865,7 +865,7 @@ krb5_config_get_string_default (krb5_context context, } static char * -next_component_string(char * begin, char * delims, char **state) +next_component_string(char * begin, const char * delims, char **state) { char * end; diff --git a/lib/krb5/crypto-des.c b/lib/krb5/crypto-des.c index 1c062b5e6..63ce901d9 100644 --- a/lib/krb5/crypto-des.c +++ b/lib/krb5/crypto-des.c @@ -77,7 +77,9 @@ static struct _krb5_key_type keytype_des_old = { krb5_DES_random_key, krb5_DES_schedule_old, _krb5_des_salt, - krb5_DES_random_to_key + krb5_DES_random_to_key, + NULL, + NULL }; static struct _krb5_key_type keytype_des = { diff --git a/lib/krb5/crypto-evp.c b/lib/krb5/crypto-evp.c index 3f9cd57bb..e8fb1caf6 100644 --- a/lib/krb5/crypto-evp.c +++ b/lib/krb5/crypto-evp.c @@ -98,7 +98,7 @@ _krb5_evp_encrypt_cts(krb5_context context, { size_t i, blocksize; struct _krb5_evp_schedule *ctx = key->schedule->data; - char tmp[EVP_MAX_BLOCK_LENGTH], ivec2[EVP_MAX_BLOCK_LENGTH]; + unsigned char tmp[EVP_MAX_BLOCK_LENGTH], ivec2[EVP_MAX_BLOCK_LENGTH]; EVP_CIPHER_CTX *c; unsigned char *p; @@ -142,7 +142,7 @@ _krb5_evp_encrypt_cts(krb5_context context, if (ivec) memcpy(ivec, p, blocksize); } else { - char tmp2[EVP_MAX_BLOCK_LENGTH], tmp3[EVP_MAX_BLOCK_LENGTH]; + unsigned char tmp2[EVP_MAX_BLOCK_LENGTH], tmp3[EVP_MAX_BLOCK_LENGTH]; p = data; if (len > blocksize * 2) { diff --git a/lib/krb5/crypto.c b/lib/krb5/crypto.c index 5d274e9af..a8a3df9cd 100644 --- a/lib/krb5/crypto.c +++ b/lib/krb5/crypto.c @@ -180,7 +180,7 @@ _krb5_internal_hmac(krb5_context context, unsigned char *ipad, *opad; unsigned char *key; size_t key_len; - int i; + size_t i; ipad = malloc(cm->blocksize + len); if (ipad == NULL) @@ -311,7 +311,7 @@ get_checksum_key(krb5_context context, if(ct->flags & F_DERIVED) ret = _get_derived_key(context, crypto, usage, key); else if(ct->flags & F_VARIANT) { - int i; + size_t i; *key = _new_derived_key(crypto, 0xff/* KRB5_KU_RFC1510_VARIANT */); if(*key == NULL) { 
@@ -1160,9 +1160,9 @@ decrypt_internal_special(krb5_context context, } static krb5_crypto_iov * -find_iv(krb5_crypto_iov *data, int num_data, int type) +find_iv(krb5_crypto_iov *data, size_t num_data, unsigned type) { - int i; + size_t i; for (i = 0; i < num_data; i++) if (data[i].flags == type) return &data[i]; @@ -1403,11 +1403,6 @@ krb5_decrypt_iov_ivec(krb5_context context, struct _krb5_encryption_type *et = crypto->et; krb5_crypto_iov *tiv, *hiv; - if (num_data < 0) { - krb5_clear_error_message(context); - return KRB5_CRYPTO_INTERNAL; - } - if(!derived_crypto(context, crypto)) { krb5_clear_error_message(context); return KRB5_CRYPTO_INTERNAL; @@ -1545,15 +1540,10 @@ krb5_create_checksum_iov(krb5_context context, Checksum cksum; krb5_crypto_iov *civ; krb5_error_code ret; - int i; + size_t i; size_t len; char *p, *q; - if (num_data < 0) { - krb5_clear_error_message(context); - return KRB5_CRYPTO_INTERNAL; - } - if(!derived_crypto(context, crypto)) { krb5_clear_error_message(context); return KRB5_CRYPTO_INTERNAL; @@ -1629,15 +1619,10 @@ krb5_verify_checksum_iov(krb5_context context, Checksum cksum; krb5_crypto_iov *civ; krb5_error_code ret; - int i; + size_t i; size_t len; char *p, *q; - if (num_data < 0) { - krb5_clear_error_message(context); - return KRB5_CRYPTO_INTERNAL; - } - if(!derived_crypto(context, crypto)) { krb5_clear_error_message(context); return KRB5_CRYPTO_INTERNAL; @@ -1730,7 +1715,7 @@ krb5_crypto_length_iov(krb5_context context, unsigned int num_data) { krb5_error_code ret; - int i; + size_t i; for (i = 0; i < num_data; i++) { ret = krb5_crypto_length(context, crypto, diff --git a/lib/krb5/digest.c b/lib/krb5/digest.c index c6733efc9..3b2973d36 100644 --- a/lib/krb5/digest.c +++ b/lib/krb5/digest.c 
@@ -727,8 +727,10 @@ krb5_digest_request(krb5_context context, ireq.u.digestRequest.type = digest->init.type; } - if (ireq.u.digestRequest.digest == NULL) - ireq.u.digestRequest.digest = "md5"; + if (ireq.u.digestRequest.digest == NULL) { + static char md5[] = "md5"; + ireq.u.digestRequest.digest = md5; + } ret = digest_request(context, realm, ccache, KRB5_KU_DIGEST_ENCRYPT, &ireq, &irep); diff --git a/lib/krb5/fcache.c b/lib/krb5/fcache.c index 218bd2cdb..b3bbfaab0 100644 --- a/lib/krb5/fcache.c +++ b/lib/krb5/fcache.c @@ -155,7 +155,7 @@ write_storage(krb5_context context, krb5_storage *sp, int fd) return ret; } sret = write(fd, data.data, data.length); - ret = (sret != data.length); + ret = (sret != (ssize_t)data.length); krb5_data_free(&data); if (ret) { ret = errno; @@ -220,7 +220,7 @@ scrub_file (int fd) return errno; memset(buf, 0, sizeof(buf)); while(pos > 0) { - ssize_t tmp = write(fd, buf, min(sizeof(buf), pos)); + ssize_t tmp = write(fd, buf, min((off_t)sizeof(buf), pos)); if (tmp < 0) return errno; @@ -334,11 +334,11 @@ fcc_gen_new(krb5_context context, krb5_ccache *id) fd = mkstemp(exp_file); if(fd < 0) { - int ret = errno; - krb5_set_error_message(context, ret, N_("mkstemp %s failed", ""), exp_file); + int xret = errno; + krb5_set_error_message(context, xret, N_("mkstemp %s failed", ""), exp_file); free(f); free(exp_file); - return ret; + return xret; } close(fd); f->filename = exp_file; diff --git a/lib/krb5/get_cred.c b/lib/krb5/get_cred.c index 7f2b57247..d4b56cf01 100644 --- a/lib/krb5/get_cred.c +++ b/lib/krb5/get_cred.c @@ -235,7 +235,7 @@ init_tgs_req (krb5_context context, goto fail; } { - int i; + size_t i; for (i = 0; i < padata->len; i++) { ret = copy_PA_DATA(&padata->val[i], &t->padata->val[i + 1]); if (ret) { diff --git a/lib/krb5/get_host_realm.c b/lib/krb5/get_host_realm.c index 7aee02734..ed7f54b3d 100644 --- a/lib/krb5/get_host_realm.c +++ b/lib/krb5/get_host_realm.c 
@@ -109,7 +109,7 @@ dns_find_realm(krb5_context context, domain++; for (i = 0; labels[i] != NULL; i++) { ret = snprintf(dom, sizeof(dom), "%s.%s.", labels[i], domain); - if(ret < 0 || ret >= sizeof(dom)) { + if(ret < 0 || (size_t)ret >= sizeof(dom)) { if (config_labels) krb5_config_free_strings(config_labels); return -1; diff --git a/lib/krb5/get_in_tkt.c b/lib/krb5/get_in_tkt.c index 15cbfba89..631fda119 100644 --- a/lib/krb5/get_in_tkt.c +++ b/lib/krb5/get_in_tkt.c @@ -103,7 +103,7 @@ add_padata(krb5_context context, PA_DATA *pa2; krb5_salt salt2; krb5_enctype *ep; - int i; + size_t i; if(salt == NULL) { /* default to standard salt */ @@ -247,7 +247,7 @@ init_as_req (krb5_context context, a->req_body.additional_tickets = NULL; if(preauth != NULL) { - int i; + size_t i; ALLOC(a->padata, 1); if(a->padata == NULL) { ret = ENOMEM; @@ -258,7 +258,7 @@ init_as_req (krb5_context context, a->padata->len = 0; for(i = 0; i < preauth->len; i++) { if(preauth->val[i].type == KRB5_PADATA_ENC_TIMESTAMP){ - int j; + size_t j; for(j = 0; j < preauth->val[i].info.len; j++) { krb5_salt *sp = &salt; @@ -331,7 +331,7 @@ set_ptypes(krb5_context context, if(error->e_data) { METHOD_DATA md; - int i; + size_t i; decode_METHOD_DATA(error->e_data->data, error->e_data->length, &md, diff --git a/lib/krb5/init_creds_pw.c b/lib/krb5/init_creds_pw.c index 29b882d05..6e34c4923 100644 --- a/lib/krb5/init_creds_pw.c +++ b/lib/krb5/init_creds_pw.c @@ -759,7 +759,7 @@ pa_etype_info2(krb5_context context, krb5_error_code ret; ETYPE_INFO2 e; size_t sz; - int i, j; + size_t i, j; memset(&e, 0, sizeof(e)); ret = decode_ETYPE_INFO2(data->data, data->length, &e, &sz); @@ -808,7 +808,7 @@ pa_etype_info(krb5_context context, krb5_error_code ret; ETYPE_INFO e; size_t sz; - int i, j; + size_t i, j; memset(&e, 0, sizeof(e)); ret = decode_ETYPE_INFO(data->data, data->length, &e, &sz); 
@@ -889,9 +889,9 @@ static struct pa_info pa_prefs[] = { }; static PA_DATA * -find_pa_data(const METHOD_DATA *md, int type) +find_pa_data(const METHOD_DATA *md, unsigned type) { - int i; + size_t i; if (md == NULL) return NULL; for (i = 0; i < md->len; i++) @@ -908,7 +908,7 @@ process_pa_info(krb5_context context, METHOD_DATA *md) { struct pa_info_data *p = NULL; - int i; + size_t i; for (i = 0; p == NULL && i < sizeof(pa_prefs)/sizeof(pa_prefs[0]); i++) { PA_DATA *pa = find_pa_data(md, pa_prefs[i].type); @@ -989,7 +989,7 @@ add_enc_ts_padata(krb5_context context, krb5_error_code ret; krb5_salt salt2; krb5_enctype *ep; - int i; + size_t i; if(salt == NULL) { /* default to standard salt */ diff --git a/lib/krb5/kcm.c b/lib/krb5/kcm.c index 1fe15d806..b661d67ac 100644 --- a/lib/krb5/kcm.c +++ b/lib/krb5/kcm.c @@ -1155,7 +1155,9 @@ KRB5_LIB_VARIABLE const krb5_cc_ops krb5_akcm_ops = { kcm_move, kcm_get_default_name_api, kcm_set_default, - kcm_lastchange + kcm_lastchange, + NULL, + NULL }; diff --git a/lib/krb5/keytab_file.c b/lib/krb5/keytab_file.c index 2b9ea7f11..309b9b951 100644 --- a/lib/krb5/keytab_file.c +++ b/lib/krb5/keytab_file.c @@ -101,7 +101,7 @@ krb5_kt_store_data(krb5_context context, if(ret < 0) return ret; ret = krb5_storage_write(sp, data.data, data.length); - if(ret != data.length){ + if(ret != (int)data.length){ if(ret < 0) return errno; return KRB5_KT_END; @@ -119,7 +119,7 @@ krb5_kt_store_string(krb5_storage *sp, if(ret < 0) return ret; ret = krb5_storage_write(sp, data, len); - if(ret != len){ + if(ret != (int)len){ if(ret < 0) return errno; return KRB5_KT_END; @@ -182,7 +182,7 @@ krb5_kt_ret_principal(krb5_context context, krb5_storage *sp, krb5_principal *princ) { - int i; + size_t i; int ret; krb5_principal p; int16_t len; @@ -262,7 +262,7 @@ krb5_kt_store_principal(krb5_context context, krb5_storage *sp, krb5_principal p) { - int i; + size_t i; int ret; if(krb5_storage_is_flags(sp, KRB5_STORAGE_PRINCIPAL_WRONG_NUM_COMPONENTS)) 
@@ -699,7 +699,7 @@ fkt_add_entry(krb5_context context, } if(len < 0) { len = -len; - if(len >= keytab.length) { + if(len >= (int)keytab.length) { krb5_storage_seek(sp, -4, SEEK_CUR); break; } @@ -749,8 +749,9 @@ fkt_remove_entry(krb5_context context, krb5_store_int32(cursor.sp, -len); memset(buf, 0, sizeof(buf)); while(len > 0) { - krb5_storage_write(cursor.sp, buf, min(len, sizeof(buf))); - len -= min(len, sizeof(buf)); + krb5_storage_write(cursor.sp, buf, + min((size_t)len, sizeof(buf))); + len -= min((size_t)len, sizeof(buf)); } } krb5_kt_free_entry(context, &e); diff --git a/lib/krb5/misc.c b/lib/krb5/misc.c index f90624cfc..e1fd68252 100644 --- a/lib/krb5/misc.c +++ b/lib/krb5/misc.c @@ -42,7 +42,7 @@ _krb5_s4u2self_to_checksumdata(krb5_context context, krb5_ssize_t ssize; krb5_storage *sp; size_t size; - int i; + size_t i; sp = krb5_storage_emem(); if (sp == NULL) { @@ -56,20 +56,20 @@ _krb5_s4u2self_to_checksumdata(krb5_context context, for (i = 0; i < self->name.name_string.len; i++) { size = strlen(self->name.name_string.val[i]); ssize = krb5_storage_write(sp, self->name.name_string.val[i], size); - if (ssize != size) { + if (ssize != (krb5_ssize_t)size) { ret = ENOMEM; goto out; } } size = strlen(self->realm); ssize = krb5_storage_write(sp, self->realm, size); - if (ssize != size) { + if (ssize != (krb5_ssize_t)size) { ret = ENOMEM; goto out; } size = strlen(self->auth); ssize = krb5_storage_write(sp, self->auth, size); - if (ssize != size) { + if (ssize != (krb5_ssize_t)size) { ret = ENOMEM; goto out; } diff --git a/lib/krb5/mk_error.c b/lib/krb5/mk_error.c index a837b5e29..c0a82ae26 100644 --- a/lib/krb5/mk_error.c +++ b/lib/krb5/mk_error.c @@ -75,7 +75,8 @@ krb5_mk_error(krb5_context context, msg.realm = server->realm; msg.sname = server->name; }else{ - msg.realm = ""; + static char unspec[] = ""; + msg.realm = unspec; } if(client){ msg.crealm = &client->realm; diff --git a/lib/krb5/pac.c b/lib/krb5/pac.c index 046a89cc6..ea09d1f19 100644 
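Review bot: In fkt_remove_entry, the loop that overwrites the removed entry with zeros ignores the result of `krb5_storage_write` and subtracts the requested size from `len` regardless, so a failed or short write leaves part of the old entry in the keytab while the function carries on as if it had been scrubbed. I would take the count from the call, `krb5_ssize_t w = krb5_storage_write(cursor.sp, buf, min((size_t)len, sizeof(buf)));`, stop and report the failure on `w <= 0`, and otherwise do `len -= w;`. How the error should be returned depends on the rest of the function, which is outside the hunk.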
--- a/lib/krb5/pac.c +++ b/lib/krb5/pac.c @@ -464,7 +464,7 @@ verify_checksum(krb5_context context, goto out; } ret = krb5_storage_read(sp, cksum.checksum.data, cksum.checksum.length); - if (ret != cksum.checksum.length) { + if (ret != (int)cksum.checksum.length) { ret = EINVAL; krb5_set_error_message(context, ret, "PAC checksum missing checksum"); goto out; @@ -546,7 +546,7 @@ create_checksum(krb5_context context, * http://blogs.msdn.com/b/openspecification/archive/2010/01/01/verifying-the-server-signature-in-kerberos-privilege-account-certificate.aspx * for Microsoft's explaination */ - if (cksumtype == CKSUMTYPE_HMAC_MD5) { + if (cksumtype == (uint32_t)CKSUMTYPE_HMAC_MD5) { ret = HMAC_MD5_any_checksum(context, key, data, datalen, KRB5_KU_OTHER_CKSUM, &cksum); } else { @@ -748,7 +748,7 @@ build_logon_name(krb5_context context, ret = krb5_storage_write(sp, s2, len * 2); free(s2); - if (ret != len * 2) { + if (ret != (int)(len * 2)) { ret = krb5_enomem(context); goto out; } @@ -932,7 +932,8 @@ _krb5_pac_sign(krb5_context context, size_t server_size, priv_size; uint32_t server_offset = 0, priv_offset = 0; uint32_t server_cksumtype = 0, priv_cksumtype = 0; - int i, num = 0; + int num = 0; + size_t i; krb5_data logon, d; krb5_data_zero(&logon); @@ -1049,7 +1050,7 @@ _krb5_pac_sign(krb5_context context, end += len; e = ((end + PAC_ALIGNMENT - 1) / PAC_ALIGNMENT) * PAC_ALIGNMENT; - if (end != e) { + if ((int32_t)end != e) { CHECK(ret, fill_zeros(context, spdata, e - end), out); } end = e; @@ -1066,7 +1067,7 @@ _krb5_pac_sign(krb5_context context, goto out; } ret = krb5_storage_write(sp, d.data, d.length); - if (ret != d.length) { + if (ret != (int)d.length) { krb5_data_free(&d); ret = krb5_enomem(context); goto out; diff --git a/lib/krb5/padata.c b/lib/krb5/padata.c index 98420a733..babe22cb3 100644 --- a/lib/krb5/padata.c +++ b/lib/krb5/padata.c 
@@ -36,8 +36,8 @@ KRB5_LIB_FUNCTION PA_DATA * KRB5_LIB_CALL krb5_find_padata(PA_DATA *val, unsigned len, int type, int *idx) { - for(; *idx < len; (*idx)++) - if(val[*idx].padata_type == type) + for(; *idx < (int)len; (*idx)++) + if(val[*idx].padata_type == (unsigned)type) return val + *idx; return NULL; } diff --git a/lib/krb5/pkinit.c b/lib/krb5/pkinit.c index 7a8502727..a63e33f27 100644 --- a/lib/krb5/pkinit.c +++ b/lib/krb5/pkinit.c @@ -188,7 +188,8 @@ find_cert(krb5_context context, struct krb5_pk_identity *id, { "MS EKU" }, { "any (or no)" } }; - int i, ret, start = 1; + int ret; + size_t i, start; unsigned oids[] = { 1, 2, 840, 113635, 100, 3, 2, 1 }; const heim_oid mobileMe = { sizeof(oids)/sizeof(oids[0]), oids }; @@ -536,7 +537,7 @@ build_auth_pack(krb5_context context, #ifdef HAVE_OPENSSL ECParameters ecp; unsigned char *p; - int len; + int xlen; /* copy in public key, XXX find the best curve that the server support or use the clients curve if possible */ @@ -551,11 +552,11 @@ build_auth_pack(krb5_context context, free_ECParameters(&ecp); return ENOMEM; } - ASN1_MALLOC_ENCODE(ECParameters, p, len, &ecp, &size, ret); + ASN1_MALLOC_ENCODE(ECParameters, p, xlen, &ecp, &size, ret); free_ECParameters(&ecp); if (ret) return ret; - if (size != len) + if ((int)size != xlen) krb5_abortx(context, "asn1 internal error"); a->clientPublicValue->algorithm.parameters->data = p; @@ -578,18 +579,18 @@ build_auth_pack(krb5_context context, /* encode onto dhkey */ - len = i2o_ECPublicKey(ctx->u.eckey, NULL); - if (len <= 0) + xlen = i2o_ECPublicKey(ctx->u.eckey, NULL); + if (xlen <= 0) abort(); - dhbuf.data = malloc(len); + dhbuf.data = malloc(xlen); if (dhbuf.data == NULL) abort(); - dhbuf.length = len; + dhbuf.length = xlen; p = dhbuf.data; - len = i2o_ECPublicKey(ctx->u.eckey, &p); - if (len <= 0) + xlen = i2o_ECPublicKey(ctx->u.eckey, &p); + if (xlen <= 0) abort(); /* XXX verify that this is right with RFC3279 */ 
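Review bot: In krb5_find_padata, casting `len` to int turns the loop condition into a signed comparison, so a negative `*idx` from the caller now passes `*idx < (int)len` and `val[*idx]` reads before the start of the array. The old mixed comparison converted `*idx` to unsigned and left the loop at once. Keeping the comparison unsigned preserves that and still silences the warning: `for(; (unsigned)*idx < len; (*idx)++)`. It also avoids the wrap of `(int)len` for a length above INT_MAX.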
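Review bot: In find_cert (lib/krb5/pkinit.c), splitting the declaration dropped the initializer: `int i, ret, start = 1;` became `size_t i, start;`, so `start` is indeterminate unless it is assigned before its first use further down, which is outside this hunk. If it is not, whatever loop or index it feeds begins from a garbage value. Keeping the initializer, `size_t i, start = 1;`, preserves the old behaviour.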
@@ -607,7 +608,8 @@ build_auth_pack(krb5_context context, if (a->supportedCMSTypes == NULL) return ENOMEM; - ret = hx509_crypto_available(context->hx509ctx, HX509_SELECT_ALL, NULL, + ret = hx509_crypto_available(context->hx509ctx, HX509_SELECT_ALL, + ctx->id->cert, &a->supportedCMSTypes->val, &a->supportedCMSTypes->len); if (ret) @@ -968,7 +970,7 @@ get_reply_key_win(krb5_context context, return ret; } - if (key_pack.nonce != nonce) { + if ((unsigned)key_pack.nonce != nonce) { krb5_set_error_message(context, ret, N_("PKINIT enckey nonce is wrong", "")); free_ReplyKeyPack_Win2k(&key_pack); @@ -1081,7 +1083,7 @@ pk_verify_host(krb5_context context, } if (ctx->require_krbtgt_otherName) { hx509_octet_string_list list; - int i; + size_t i; ret = hx509_cert_find_subjectAltName_otherName(context->hx509ctx, host->cert, @@ -1433,7 +1435,7 @@ pk_rd_pa_reply_dh(krb5_context context, N_("PKINIT: Can't compute Diffie-Hellman key", "")); goto out; } - if (dh_gen_keylen < size) { + if (dh_gen_keylen < (int)size) { size -= dh_gen_keylen; memmove(dh_gen_key + size, dh_gen_key, dh_gen_keylen); memset(dh_gen_key, 0, size); diff --git a/lib/krb5/principal.c b/lib/krb5/principal.c index 42169fc2f..869889318 100644 --- a/lib/krb5/principal.c +++ b/lib/krb5/principal.c @@ -426,7 +426,7 @@ unparse_name_fixed(krb5_context context, int flags) { size_t idx = 0; - int i; + size_t i; int short_form = (flags & KRB5_PRINCIPAL_UNPARSE_SHORT) != 0; int no_realm = (flags & KRB5_PRINCIPAL_UNPARSE_NO_REALM) != 0; int display = (flags & KRB5_PRINCIPAL_UNPARSE_DISPLAY) != 0; @@ -549,7 +549,7 @@ unparse_name(krb5_context context, int flags) { size_t len = 0, plen; - int i; + size_t i; krb5_error_code ret; /* count length */ if (princ_realm(principal)) { 
@@ -917,7 +917,7 @@ krb5_principal_compare_any_realm(krb5_context context, krb5_const_principal princ1, krb5_const_principal princ2) { - int i; + size_t i; if(princ_num_comp(princ1) != princ_num_comp(princ2)) return FALSE; for(i = 0; i < princ_num_comp(princ1); i++){ @@ -932,7 +932,7 @@ _krb5_principal_compare_PrincipalName(krb5_context context, krb5_const_principal princ1, PrincipalName *princ2) { - int i; + size_t i; if (princ_num_comp(princ1) != princ2->name_string.len) return FALSE; for(i = 0; i < princ_num_comp(princ1); i++){ @@ -1001,7 +1001,7 @@ krb5_principal_match(krb5_context context, krb5_const_principal princ, krb5_const_principal pattern) { - int i; + size_t i; if(princ_num_comp(princ) != princ_num_comp(pattern)) return FALSE; if(fnmatch(princ_realm(pattern), princ_realm(princ), 0) != 0) @@ -1096,7 +1096,7 @@ static const struct { { "ENT_PRINCIPAL_AND_ID", KRB5_NT_ENT_PRINCIPAL_AND_ID }, { "MS_PRINCIPAL", KRB5_NT_MS_PRINCIPAL }, { "MS_PRINCIPAL_AND_ID", KRB5_NT_MS_PRINCIPAL_AND_ID }, - { NULL } + { NULL, 0 } }; /** diff --git a/lib/krb5/rd_cred.c b/lib/krb5/rd_cred.c index 094f748b9..3473244bc 100644 --- a/lib/krb5/rd_cred.c +++ b/lib/krb5/rd_cred.c @@ -65,7 +65,7 @@ krb5_rd_cred(krb5_context context, EncKrbCredPart enc_krb_cred_part; krb5_data enc_krb_cred_part_data; krb5_crypto crypto; - int i; + size_t i; memset(&enc_krb_cred_part, 0, sizeof(enc_krb_cred_part)); diff --git a/lib/krb5/rd_req.c b/lib/krb5/rd_req.c index 8ce6570de..b78c2c40b 100644 --- a/lib/krb5/rd_req.c +++ b/lib/krb5/rd_req.c @@ -466,7 +466,7 @@ krb5_verify_ap_req2(krb5_context context, ac->keytype = ETYPE_NULL; if (etypes.val) { - int i; + size_t i; for (i = 0; i < etypes.len; i++) { if (krb5_enctype_valid(context, etypes.val[i]) == 0) { diff --git a/lib/krb5/salt-des.c b/lib/krb5/salt-des.c index 6939b6b50..56b285f72 100644 --- a/lib/krb5/salt-des.c +++ b/lib/krb5/salt-des.c 
@@ -52,7 +52,7 @@ krb5_DES_AFS3_CMU_string_to_key (krb5_data pw, DES_cblock *key) { char password[8+1]; /* crypt is limited to 8 chars anyway */ - int i; + size_t i; for(i = 0; i < 8; i++) { char c = ((i < pw.length) ? ((char*)pw.data)[i] : 0) ^ @@ -89,7 +89,7 @@ krb5_DES_AFS3_Transarc_string_to_key (krb5_data pw, memcpy(password, pw.data, min(pw.length, sizeof(password))); if(pw.length < sizeof(password)) { int len = min(cell.length, sizeof(password) - pw.length); - int i; + size_t i; memcpy(password + pw.length, cell.data, len); for (i = pw.length; i < pw.length + len; ++i) @@ -138,7 +138,7 @@ static void DES_string_to_key_int(unsigned char *data, size_t length, DES_cblock *key) { DES_key_schedule schedule; - int i; + size_t i; int reverse = 0; unsigned char *p; diff --git a/lib/krb5/salt.c b/lib/krb5/salt.c index 6f1830874..5a2115f95 100644 --- a/lib/krb5/salt.c +++ b/lib/krb5/salt.c @@ -98,7 +98,7 @@ krb5_get_pw_salt(krb5_context context, krb5_salt *salt) { size_t len; - int i; + size_t i; krb5_error_code ret; char *p; diff --git a/lib/krb5/send_to_kdc.c b/lib/krb5/send_to_kdc.c index 2ae8153c8..b0a4674b6 100644 --- a/lib/krb5/send_to_kdc.c +++ b/lib/krb5/send_to_kdc.c @@ -88,7 +88,7 @@ recv_loop (krb5_socket_t fd, return 0; if (limit) - nbytes = min(nbytes, limit - rep->length); + nbytes = min((size_t)nbytes, limit - rep->length); tmp = realloc (rep->data, rep->length + nbytes); if (tmp == NULL) { @@ -371,7 +371,7 @@ krb5_sendto (krb5_context context, { krb5_error_code ret; krb5_socket_t fd; - int i; + size_t i; krb5_data_zero(receive); @@ -602,7 +602,7 @@ krb5_sendto_context(krb5_context context, type = KRB5_KRBHST_KDC; } - if (send_data->length > context->large_msg_size) + if ((int)send_data->length > context->large_msg_size) ctx->flags |= KRB5_KRBHST_FLAGS_LARGE_MSG; /* loop until we get back a appropriate response */ diff --git a/lib/krb5/store-int.c b/lib/krb5/store-int.c index 0a18d0ddd..d57762971 100644 --- a/lib/krb5/store-int.c 
+++ b/lib/krb5/store-int.c @@ -50,7 +50,7 @@ _krb5_get_int(void *buffer, unsigned long *value, size_t size) { unsigned char *p = buffer; unsigned long v = 0; - int i; + size_t i; for (i = 0; i < size; i++) v = (v << 8) + p[i]; *value = v; diff --git a/lib/krb5/store.c b/lib/krb5/store.c index 0dedba3d7..555496625 100644 --- a/lib/krb5/store.c +++ b/lib/krb5/store.c @@ -262,10 +262,11 @@ krb5_storage_to_data(krb5_storage *sp, krb5_data *data) pos = sp->seek(sp, 0, SEEK_CUR); if (pos < 0) return HEIM_ERR_NOT_SEEKABLE; - size = (size_t)sp->seek(sp, 0, SEEK_END); - if (size > (size_t)-1) + size = sp->seek(sp, 0, SEEK_END); + /* don't allocate unresonable amount of memory */ + if (size > UINT_MAX/8) return HEIM_ERR_TOO_BIG; - ret = krb5_data_alloc (data, size); + ret = krb5_data_alloc(data, size); if (ret) { sp->seek(sp, pos, SEEK_SET); return ret; @@ -290,8 +291,10 @@ krb5_store_int(krb5_storage *sp, return EINVAL; _krb5_put_int(v, value, len); ret = sp->store(sp, v, len); - if (ret != len) - return (ret<0)?errno:sp->eof_code; + if (ret < 0) + return errno; + if ((size_t)ret != len) + return sp->eof_code; return 0; } @@ -346,8 +349,10 @@ krb5_ret_int(krb5_storage *sp, unsigned char v[4]; unsigned long w; ret = sp->fetch(sp, v, len); - if(ret != len) - return (ret<0)?errno:sp->eof_code; + if (ret < 0) + return errno; + if ((size_t)ret != len) + return sp->eof_code; _krb5_get_int(v, &w, len); *value = w; return 0; @@ -612,11 +617,10 @@ krb5_store_data(krb5_storage *sp, if(ret < 0) return ret; ret = sp->store(sp, data.data, data.length); - if(ret != data.length){ - if(ret < 0) - return errno; + if(ret < 0) + return errno; + if((size_t)ret != data.length) return sp->eof_code; - } return 0; } @@ -722,12 +726,10 @@ krb5_store_stringz(krb5_storage *sp, const char *s) ssize_t ret; ret = sp->store(sp, s, len); - if(ret != len) { - if(ret < 0) - return ret; - else - return sp->eof_code; - } + if(ret < 0) + return ret; + if((size_t)ret != len) + return sp->eof_code; return 0; } 
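Review bot: In krb5_storage_to_data, the new size limit returns `HEIM_ERR_TOO_BIG` with the storage still positioned at the end, whereas the allocation-failure path right below seeks back to `pos` first. A caller that keeps using `sp` after the error then reads or writes at the wrong offset. I would restore the position on this path as well: `if (size > UINT_MAX/8) { sp->seek(sp, pos, SEEK_SET); return HEIM_ERR_TOO_BIG; }`. The declaration of `size` is outside the hunk; if it is unsigned, a failed SEEK_END (negative return) also lands on this branch, which deserves a word in the comment.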
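Review bot: In krb5_store_stringz, the rewritten error path still has `if(ret < 0) return ret;`, which hands the raw negative result of `sp->store` to the caller as an error code, while krb5_store_int and krb5_store_data in the hunks above return `errno` for the same condition. `if(ret < 0) return errno;` would make the three agree. krb5_store_stringnl in the next hunk has the same line; its newline write is cut off at the end of that hunk and should be checked for the same pattern.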
@@ -782,12 +784,10 @@ krb5_store_stringnl(krb5_storage *sp, const char *s) ssize_t ret; ret = sp->store(sp, s, len); - if(ret != len) { - if(ret < 0) - return ret; - else - return sp->eof_code; - } + if(ret < 0) + return ret; + if((size_t)ret != len) + return sp->eof_code; ret = sp->store(sp, "\n", 1); if(ret != 1) { if(ret < 0) @@ -860,7 +860,7 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_store_principal(krb5_storage *sp, krb5_const_principal p) { - int i; + size_t i; int ret; if(!krb5_storage_is_flags(sp, KRB5_STORAGE_PRINCIPAL_NO_NAME_TYPE)) { @@ -1122,7 +1122,7 @@ krb5_ret_address(krb5_storage *sp, krb5_address *adr) KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_store_addrs(krb5_storage *sp, krb5_addresses p) { - int i; + size_t i; int ret; ret = krb5_store_int32(sp, p.len); if(ret) return ret; @@ -1147,7 +1147,7 @@ krb5_store_addrs(krb5_storage *sp, krb5_addresses p) KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_ret_addrs(krb5_storage *sp, krb5_addresses *adr) { - int i; + size_t i; int ret; int32_t tmp; @@ -1179,7 +1179,7 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_store_authdata(krb5_storage *sp, krb5_authdata auth) { krb5_error_code ret; - int i; + size_t i; ret = krb5_store_int32(sp, auth.len); if(ret) return ret; for(i = 0; i < auth.len; i++){ diff --git a/lib/krb5/store_emem.c b/lib/krb5/store_emem.c index ccda751af..acd61f2e5 100644 --- a/lib/krb5/store_emem.c +++ b/lib/krb5/store_emem.c @@ -45,7 +45,7 @@ static ssize_t emem_fetch(krb5_storage *sp, void *data, size_t size) { emem_storage *s = (emem_storage*)sp->data; - if(s->base + s->len - s->ptr < size) + if((size_t)(s->base + s->len - s->ptr) < size) size = s->base + s->len - s->ptr; memmove(data, s->ptr, size); sp->seek(sp, size, SEEK_CUR); 
@@ -56,7 +56,7 @@ static ssize_t emem_store(krb5_storage *sp, const void *data, size_t size) { emem_storage *s = (emem_storage*)sp->data; - if(size > s->base + s->size - s->ptr){ + if(size > (size_t)(s->base + s->size - s->ptr)){ void *base; size_t sz, off; off = s->ptr - s->base; @@ -81,12 +81,12 @@ emem_seek(krb5_storage *sp, off_t offset, int whence) emem_storage *s = (emem_storage*)sp->data; switch(whence){ case SEEK_SET: - if(offset > s->size) + if((size_t)offset > s->size) offset = s->size; if(offset < 0) offset = 0; s->ptr = s->base + offset; - if(offset > s->len) + if((size_t)offset > s->len) s->len = offset; break; case SEEK_CUR: @@ -115,14 +115,14 @@ emem_trunc(krb5_storage *sp, off_t offset) s->size = 0; s->base = NULL; s->ptr = NULL; - } else if (offset > s->size || (s->size / 2) > offset) { + } else if ((size_t)offset > s->size || (s->size / 2) > (size_t)offset) { void *base; size_t off; off = s->ptr - s->base; base = realloc(s->base, offset); if(base == NULL) return ENOMEM; - if (offset > s->size) + if ((size_t)offset > s->size) memset((char *)base + s->size, 0, offset - s->size); s->size = offset; s->base = base; diff --git a/lib/krb5/store_mem.c b/lib/krb5/store_mem.c index b79bc1915..a6a8b96a5 100644 --- a/lib/krb5/store_mem.c +++ b/lib/krb5/store_mem.c @@ -44,7 +44,7 @@ static ssize_t mem_fetch(krb5_storage *sp, void *data, size_t size) { mem_storage *s = (mem_storage*)sp->data; - if(size > s->base + s->size - s->ptr) + if(size > (size_t)(s->base + s->size - s->ptr)) size = s->base + s->size - s->ptr; memmove(data, s->ptr, size); sp->seek(sp, size, SEEK_CUR); @@ -55,7 +55,7 @@ static ssize_t mem_store(krb5_storage *sp, const void *data, size_t size) { mem_storage *s = (mem_storage*)sp->data; - if(size > s->base + s->size - s->ptr) + if(size > (size_t)(s->base + s->size - s->ptr)) size = s->base + s->size - s->ptr; memmove(s->ptr, data, size); sp->seek(sp, size, SEEK_CUR); 
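Review bot: In emem_seek, the SEEK_SET branch tests `(size_t)offset > s->size` before `offset < 0`, so a negative offset is converted to a huge unsigned value and clamped to `s->size`, and the clamp to zero can no longer fire; a negative seek lands at the end of the buffer instead of the start. Testing the sign first restores the intended order: `if(offset < 0) offset = 0;` followed by `if((size_t)offset > s->size) offset = s->size;`. mem_seek in lib/krb5/store_mem.c gets the same cast and has the same ordering. Both switch statements continue outside their hunks.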
@@ -74,7 +74,7 @@ mem_seek(krb5_storage *sp, off_t offset, int whence) mem_storage *s = (mem_storage*)sp->data; switch(whence){ case SEEK_SET: - if(offset > s->size) + if((size_t)offset > s->size) offset = s->size; if(offset < 0) offset = 0; @@ -95,7 +95,7 @@ static int mem_trunc(krb5_storage *sp, off_t offset) { mem_storage *s = (mem_storage*)sp->data; - if(offset > s->size) + if((size_t)offset > s->size) return ERANGE; s->size = offset; if ((s->ptr - s->base) > offset) diff --git a/lib/krb5/ticket.c b/lib/krb5/ticket.c index 869852282..3e2bc4918 100644 --- a/lib/krb5/ticket.c +++ b/lib/krb5/ticket.c @@ -195,7 +195,7 @@ find_type_in_ad(krb5_context context, int level) { krb5_error_code ret = 0; - int i; + size_t i; if (level > 9) { ret = ENOENT; /* XXX */ @@ -748,7 +748,7 @@ _krb5_extract_ticket(krb5_context context, /* compare nonces */ - if (nonce != rep->enc_part.nonce) { + if (nonce != (unsigned)rep->enc_part.nonce) { ret = KRB5KRB_AP_ERR_MODIFIED; krb5_set_error_message(context, ret, N_("malloc: out of memory", "")); goto out; diff --git a/lib/krb5/transited.c b/lib/krb5/transited.c index a72adc035..c3988642b 100644 --- a/lib/krb5/transited.c +++ b/lib/krb5/transited.c @@ -370,7 +370,7 @@ krb5_domain_x500_decode(krb5_context context, (*num_realms)++; } } - if (*num_realms < 0 || *num_realms + 1 > UINT_MAX/sizeof(**realms)) + if (*num_realms + 1 > UINT_MAX/sizeof(**realms)) return ERANGE; { @@ -431,7 +431,7 @@ krb5_check_transited(krb5_context context, { char **tr_realms; char **p; - int i; + size_t i; if(num_realms == 0) return 0; @@ -467,7 +467,7 @@ krb5_check_transited_realms(krb5_context context, unsigned int num_realms, int *bad_realm) { - int i; + size_t i; int ret = 0; char **bad_realms = krb5_config_get_strings(context, NULL, "libdefaults", diff --git a/lib/ntlm/ntlm.c b/lib/ntlm/ntlm.c index 6dad519d4..62674b528 100644 --- a/lib/ntlm/ntlm.c +++ b/lib/ntlm/ntlm.c 
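Review bot: In _krb5_extract_ticket, the nonce-mismatch branch sets `KRB5KRB_AP_ERR_MODIFIED` but reports it with the text `"malloc: out of memory"`, which points anyone reading the log in the wrong direction when a KDC reply carries the wrong nonce. While this comparison is being touched, the message should say what failed, e.g. `N_("KDC reply nonce does not match request", "")`. The function starts and ends outside the hunk.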
@@ -109,8 +109,12 @@ static const unsigned char ntlmsigature[8] = "NTLMSSP\x00"; #define CHECK(f, e) \ do { \ - ret = f ; if (ret != (e)) { ret = HNTLM_ERR_DECODE; goto out; } } \ - while(0) + ret = f; \ + if (ret != (ssize_t)(e)) { \ + ret = HNTLM_ERR_DECODE; \ + goto out; \ + } \ + } while(/*CONSTCOND*/0) static struct units ntlm_flag_units[] = { #define ntlm_flag(x) { #x, NTLM_##x } @@ -1399,7 +1403,7 @@ static time_t nt2unixtime(uint64_t t) { t = ((t - (uint64_t)NTTIME_EPOCH) / (uint64_t)10000000); - if (t > (((time_t)(~(uint64_t)0)) >> 1)) + if (t > (((uint64_t)(time_t)(~(uint64_t)0)) >> 1)) return 0; return (time_t)t; } diff --git a/lib/roken/dumpdata.c b/lib/roken/dumpdata.c index f30f0e54c..844360187 100644 --- a/lib/roken/dumpdata.c +++ b/lib/roken/dumpdata.c @@ -81,7 +81,7 @@ rk_undumpdata(const char *filename, void **buf, size_t *size) sret = net_read(fd, *buf, *size); if (sret < 0) ret = errno; - else if (sret != *size) { + else if (sret != (ssize_t)*size) { ret = EINVAL; free(*buf); *buf = NULL; diff --git a/lib/roken/getaddrinfo_hostspec.c b/lib/roken/getaddrinfo_hostspec.c index b18c54fb6..17a18b082 100644 --- a/lib/roken/getaddrinfo_hostspec.c +++ b/lib/roken/getaddrinfo_hostspec.c @@ -57,9 +57,9 @@ roken_getaddrinfo_hostspec2(const char *hostspec, } *hstp, hst[] = { { "http://", SOCK_STREAM, IPPROTO_TCP, 80 }, { "http/", SOCK_STREAM, IPPROTO_TCP, 80 }, - { "tcp/", SOCK_STREAM, IPPROTO_TCP }, - { "udp/", SOCK_DGRAM, IPPROTO_UDP }, - { NULL } + { "tcp/", SOCK_STREAM, IPPROTO_TCP, 0 }, + { "udp/", SOCK_DGRAM, IPPROTO_UDP, 0 }, + { NULL, 0, 0, 0 } }; memset(&hints, 0, sizeof(hints)); diff --git a/lib/roken/getarg.c b/lib/roken/getarg.c index a96e5c85b..1a7321878 100644 --- a/lib/roken/getarg.c +++ b/lib/roken/getarg.c @@ -352,7 +352,7 @@ static int arg_match_long(struct getargs *args, size_t num_args, char *argv, int argc, char **rargv, int *goptind) { - int i; + size_t i; char *goptarg = NULL; int negate = 0; int partial_match = 0; 
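Review bot: The new bound in nt2unixtime, `((uint64_t)(time_t)(~(uint64_t)0)) >> 1`, comes out as the 64-bit signed maximum on common implementations whatever the width of time_t, so with a 32-bit time_t the guard lets through values that `(time_t)t` then truncates. Separately, `t - (uint64_t)NTTIME_EPOCH` wraps for any input below NTTIME_EPOCH and the quotient still passes the guard, giving a far-future time instead of 0. The value presumably comes from a decoded NTLM message (callers are outside the hunk), so both cases deserve an explicit check: `if (t < (uint64_t)NTTIME_EPOCH) return 0;` before the subtraction, and an upper limit derived from `sizeof(time_t)` rather than from an all-ones uint64_t.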
@@ -477,7 +477,7 @@ static int arg_match_short (struct getargs *args, size_t num_args, char *argv, int argc, char **rargv, int *goptind) { - int j, k; + size_t j, k; for(j = 1; j > 0 && j < strlen(rargv[*goptind]); j++) { for(k = 0; k < num_args; k++) { @@ -500,9 +500,11 @@ arg_match_short (struct getargs *args, size_t num_args, } if(args[k].type == arg_collect) { struct getarg_collect_info *c = args[k].value; + int a = (int)j; - if((*c->func)(TRUE, argc, rargv, goptind, &j, c->data)) + if((*c->func)(TRUE, argc, rargv, goptind, &a, c->data)) return ARG_ERR_BAD_ARG; + j = a; break; } diff --git a/lib/roken/hex.c b/lib/roken/hex.c index 91590dd49..d9bc9f1c0 100644 --- a/lib/roken/hex.c +++ b/lib/roken/hex.c @@ -37,7 +37,7 @@ #include #include "hex.h" -const static char hexchar[] = "0123456789ABCDEF"; +static const char hexchar[16] = "0123456789ABCDEF"; static int pos(char c) diff --git a/lib/roken/parse_units.c b/lib/roken/parse_units.c index d2857cfa0..8b3cdf40e 100644 --- a/lib/roken/parse_units.c +++ b/lib/roken/parse_units.c @@ -267,7 +267,7 @@ ROKEN_LIB_FUNCTION void ROKEN_LIB_CALL print_units_table (const struct units *units, FILE *f) { const struct units *u, *u2; - int max_sz = 0; + size_t max_sz = 0; for (u = units; u->name; ++u) { max_sz = max(max_sz, strlen(u->name)); @@ -288,7 +288,7 @@ print_units_table (const struct units *units, FILE *f) if (u2->name == NULL) --u2; unparse_units (u->mult, u2, buf, sizeof(buf)); - fprintf (f, "1 %*s = %s\n", max_sz, u->name, buf); + fprintf (f, "1 %*s = %s\n", (int)max_sz, u->name, buf); } else { fprintf (f, "1 %s\n", u->name); } diff --git a/lib/roken/resolve.c b/lib/roken/resolve.c index 03715e5ff..df3f5c625 100644 --- a/lib/roken/resolve.c +++ b/lib/roken/resolve.c @@ -194,7 +194,7 @@ parse_record(const unsigned char *data, const unsigned char *end_data, dns_free_rr(rr); return -1; } - if (status + 2 > size) { + if ((size_t)status + 2 > size) { dns_free_rr(rr); return -1; } 
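Review bot: Giving the table an explicit size in lib/roken/hex.c, `static const char hexchar[16] = "0123456789ABCDEF";`, leaves no room for the terminating NUL, so the array is no longer a C string. pos() begins directly below this line and its body is outside the hunk; if it or any other user walks the table until a zero byte or hands it to a string function, the read runs past the end of the array. Keeping the size implicit, `static const char hexchar[] = "0123456789ABCDEF";`, preserves the terminator. Otherwise every user needs to be bounded by `sizeof(hexchar)`, with a comment on the declaration stating that the table is deliberately unterminated.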
@@ -217,7 +217,7 @@ parse_record(const unsigned char *data, const unsigned char *end_data, dns_free_rr(rr); return -1; } - if (status + 6 > size) { + if ((size_t)status + 6 > size) { dns_free_rr(rr); return -1; } @@ -237,7 +237,7 @@ parse_record(const unsigned char *data, const unsigned char *end_data, break; } case rk_ns_t_txt:{ - if(size == 0 || size < *p + 1) { + if(size == 0 || size < (unsigned)(*p + 1)) { dns_free_rr(rr); return -1; } @@ -284,7 +284,7 @@ parse_record(const unsigned char *data, const unsigned char *end_data, dns_free_rr(rr); return -1; } - if (status + 18 > size) { + if ((size_t)status + 18 > size) { dns_free_rr(rr); return -1; } @@ -409,7 +409,7 @@ parse_reply(const unsigned char *data, size_t len) { const unsigned char *p; int status; - int i; + size_t i; char host[MAXDNAME]; const unsigned char *end_data = data + len; struct rk_dns_reply *r; diff --git a/lib/roken/roken_gethostby.c b/lib/roken/roken_gethostby.c index 1d6c8ffe8..327a7b392 100644 --- a/lib/roken/roken_gethostby.c +++ b/lib/roken/roken_gethostby.c @@ -142,6 +142,7 @@ roken_gethostby(const char *hostname) int offset = 0; int n; char *p, *foo; + size_t len; if(dns_addr.sin_family == 0) return NULL; /* no configured host */ @@ -160,7 +161,9 @@ roken_gethostby(const char *hostname) free(request); return NULL; } - if(write(s, request, strlen(request)) != strlen(request)) { + + len = strlen(request); + if(write(s, request, len) != (ssize_t)len) { close(s); free(request); return NULL; diff --git a/lib/roken/strsep_copy.c b/lib/roken/strsep_copy.c index 9624b5a46..1228f1a45 100644 --- a/lib/roken/strsep_copy.c +++ b/lib/roken/strsep_copy.c @@ -49,7 +49,7 @@ strsep_copy(const char **stringp, const char *delim, char *buf, size_t len) if(save == NULL) return -1; *stringp = *stringp + strcspn(*stringp, delim); - l = min(len, *stringp - save); + l = min(len, (size_t)(*stringp - save)); if(len > 0) { memcpy(buf, save, l); buf[l] = '\0'; 
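Review bot: In strsep_copy, when the token is at least `len` bytes long the changed line yields `l == len`, and `buf[l] = '\0'` then writes one byte past a buffer of `len` bytes (taking `len` to be the capacity of `buf`, which the hunk does not show). The cast silences the sign warning but keeps that off-by-one. Reserving the terminator inside the existing guard fixes it without underflowing on `len == 0`: `if(len > 0) { l = min(len - 1, (size_t)(*stringp - save)); memcpy(buf, save, l); buf[l] = '\0'; }`. The rest of the function, including any later use of `l`, is outside the hunk.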
diff --git a/lib/sl/sl.c b/lib/sl/sl.c index bc225a87e..c2ecbab00 100644 --- a/lib/sl/sl.c +++ b/lib/sl/sl.c @@ -371,8 +371,11 @@ sl_slc_help (SL_cmd *cmds, int argc, char **argv) argv[0]); } else { if(c->func) { - char *fake[] = { NULL, "--help", NULL }; + static char help[] = "--help"; + char *fake[3]; fake[0] = argv[0]; + fake[1] = help; + fake[2] = NULL; (*c->func)(2, fake); fprintf(stderr, "\n"); } diff --git a/lib/sl/sl.h b/lib/sl/sl.h index 85f254846..09225b0a5 100644 --- a/lib/sl/sl.h +++ b/lib/sl/sl.h @@ -41,10 +41,10 @@ typedef int (*cmd_func)(int, char **); struct sl_cmd { - char *name; + const char *name; cmd_func func; - char *usage; - char *help; + const char *usage; + const char *help; }; typedef struct sl_cmd SL_cmd; diff --git a/lib/sl/slc-gram.y b/lib/sl/slc-gram.y index ae5f96054..fb93508a9 100644 --- a/lib/sl/slc-gram.y +++ b/lib/sl/slc-gram.y @@ -394,7 +394,7 @@ static void defval_neg_flag(const char *name, struct assignment *defval) static void defval_string(const char *name, struct assignment *defval) { if(defval != NULL) - cprint(1, "opt.%s = \"%s\";\n", name, defval->u.value); + cprint(1, "opt.%s = (char *)(unsigned long)\"%s\";\n", name, defval->u.value); else cprint(1, "opt.%s = NULL;\n", name); } diff --git a/lib/wind/stringprep.c b/lib/wind/stringprep.c index ec4657665..002bc7259 100644 --- a/lib/wind/stringprep.c +++ b/lib/wind/stringprep.c @@ -111,7 +111,7 @@ wind_stringprep(const uint32_t *in, size_t in_len, return ret; } -const static struct { +static const struct { const char *name; wind_profile_flags flags; } profiles[] = { From 59f4918ef0e192bc9e4c9bf80517f64970dbdb15 Mon Sep 17 00:00:00 2001 From: Love Hornquist Astrand Date: Fri, 29 Apr 2011 20:34:42 -0700 Subject: [PATCH 28/42] set the CFXSentByAcceptor flag, patch from Jaideep Padhye --- lib/gssapi/krb5/cfx.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/lib/gssapi/krb5/cfx.c b/lib/gssapi/krb5/cfx.c index 4d40060d2..bc7a8442b 100755 --- a/lib/gssapi/krb5/cfx.c 
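Review bot: The code emitted by defval_string in lib/sl/slc-gram.y now routes the literal's address through `unsigned long`, which is narrower than a pointer on LLP64 targets such as 64-bit Windows, so `(char *)(unsigned long)"..."` can truncate the address there. If the goal is only to drop the const qualifier without a warning, an integer type of pointer width keeps the value intact: `cprint(1, "opt.%s = (char *)(uintptr_t)\"%s\";\n", name, defval->u.value);`. That needs `<stdint.h>` in the generated file, which the hunk does not show. Declaring the option field `const char *`, as the sl.h hunk does for `struct sl_cmd`, would remove the need for any cast.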
+++ b/lib/gssapi/krb5/cfx.c @@ -425,6 +425,9 @@ _gssapi_wrap_cfx_iov(OM_uint32 *minor_status, token->Flags = 0; token->Filler = 0xFF; + if ((ctx->more_flags & LOCAL) == 0) + token->Flags |= CFXSentByAcceptor; + if (ctx->more_flags & ACCEPTOR_SUBKEY) token->Flags |= CFXAcceptorSubkey; From 9a1a5e5da6cb85dc66427a20895f0fc8015cea7c Mon Sep 17 00:00:00 2001 From: Love Hornquist Astrand Date: Fri, 29 Apr 2011 20:37:33 -0700 Subject: [PATCH 29/42] Mandoc and spelling fixes from Thomas Klausner --- kadmin/kadmind.8 | 3 +-- kdc/hprop.8 | 2 +- kdc/kdc.8 | 2 +- kuser/copy_cred_cache.1 | 2 +- kuser/kdestroy.1 | 2 +- lib/gssapi/gss_acquire_cred.3 | 2 +- lib/gssapi/gssapi.3 | 2 +- lib/kadm5/iprop-log.8 | 2 +- lib/krb5/krb5.conf.5 | 2 +- lib/krb5/krb524_convert_creds_kdc.3 | 2 +- lib/krb5/krb5_c_make_checksum.3 | 10 +++++----- lib/krb5/krb5_is_thread_safe.3 | 2 +- lib/krb5/krb5_principal.3 | 4 ++-- lib/krb5/krb5_string_to_key.3 | 2 +- lib/roken/rtbl.3 | 2 +- 15 files changed, 20 insertions(+), 21 deletions(-) diff --git a/kadmin/kadmind.8 b/kadmin/kadmind.8 index bb81b6394..c4122df92 100644 --- a/kadmin/kadmind.8 +++ b/kadmin/kadmind.8 @@ -76,8 +76,7 @@ The .Xr kpasswdd 8 daemon is responsible for the Kerberos 5 password changing protocol (used by -.Xr kpasswd 1 ) -. +.Xr kpasswd 1 ) . .Pp This daemon should only be run on the master server, and not on any slaves. diff --git a/kdc/hprop.8 b/kdc/hprop.8 index 3aa91568a..61682d228 100644 --- a/kdc/hprop.8 +++ b/kdc/hprop.8 @@ -145,7 +145,7 @@ Dump the database on stdout, in a format that can be fed to hpropd. .Sh EXAMPLES The following will propagate a database to another machine (which should run -.Xr hpropd 8 ): +.Xr hpropd 8 ) : .Bd -literal -offset indent $ hprop slave-1 slave-2 .Ed diff --git a/kdc/kdc.8 b/kdc/kdc.8 index bbf00dbd6..16e05ec53 100644 --- a/kdc/kdc.8 +++ b/kdc/kdc.8 
@@ -130,7 +130,7 @@ protocol doesn't contain a realm for the server, it must be explicitly specified. The default is whatever is returned by .Fn krb_get_lrealm . -This option is only availabe if the KDC has been compiled with version +This option is only available if the KDC has been compiled with version 4 support. .It Xo .Fl K , diff --git a/kuser/copy_cred_cache.1 b/kuser/copy_cred_cache.1 index 6dcc0450a..6fffa7913 100644 --- a/kuser/copy_cred_cache.1 +++ b/kuser/copy_cred_cache.1 @@ -88,7 +88,7 @@ $ copy_cred_cache --valid-for=1d --flags=initial FILE:/some/cache .Sh DIAGNOSTICS The .Nm -utility exits 0 on success, and \*[Gt]0 if an error occurs, or of no +utility exits 0 on success, and \*[Gt]0 if an error occurs, or if no credentials where actually copied. .\".Sh SEE ALSO .\".Sh STANDARDS diff --git a/kuser/kdestroy.1 b/kuser/kdestroy.1 index 16660c08b..0d87618a5 100644 --- a/kuser/kdestroy.1 +++ b/kuser/kdestroy.1 @@ -51,7 +51,7 @@ .Ek .Sh DESCRIPTION .Nm -remove one or the current set of tickets. +removes one credential or the current set of tickets. .Pp Supported options: .Bl -tag -width Ds diff --git a/lib/gssapi/gss_acquire_cred.3 b/lib/gssapi/gss_acquire_cred.3 index f2625847e..25d7b4d7f 100644 --- a/lib/gssapi/gss_acquire_cred.3 +++ b/lib/gssapi/gss_acquire_cred.3 @@ -513,7 +513,7 @@ In GSS-API an contiguous string name is stored in a .Dv gss_buffer_t . .Pp Exported names also have the property that they are specified by the -mechanism itself and compatible between diffrent GSS-API +mechanism itself and compatible between different GSS-API implementations. .El .Sh ACCESS CONTROL diff --git a/lib/gssapi/gssapi.3 b/lib/gssapi/gssapi.3 index 0205c07c3..e1fb65e64 100644 --- a/lib/gssapi/gssapi.3 +++ b/lib/gssapi/gssapi.3 
@@ -147,7 +147,7 @@ the later will override. .Pp This config option modifies behaviour for both clients and servers. .Pp -Microsoft implemented SPNEGO to Windows2000, however, they manage to +Microsoft implemented SPNEGO to Windows2000, however, they managed to get it wrong, their implementation didn't fill in the MechListMIC in the reply token with the right content. There is a work around for this problem, but not all implementation diff --git a/lib/kadm5/iprop-log.8 b/lib/kadm5/iprop-log.8 index 8b4534df0..5fa86b527 100644 --- a/lib/kadm5/iprop-log.8 +++ b/lib/kadm5/iprop-log.8 @@ -125,7 +125,7 @@ configuration file realm .El .Pp -Print out all entires in the log to standard output. +Print out all entries in the log to standard output. .It replay .Bl -tag -width Ds .It Xo diff --git a/lib/krb5/krb5.conf.5 b/lib/krb5/krb5.conf.5 index 8e02eb126..4276eeafc 100644 --- a/lib/krb5/krb5.conf.5 +++ b/lib/krb5/krb5.conf.5 @@ -363,7 +363,7 @@ manual page for a list of defined destinations. .Bl -tag -width "xxx" -offset indent .It Li dbname Li = Va DATABASENAME Use this database for this realm. -See the info documetation how to configure diffrent database backends. +See the info documetation how to configure different database backends. .It Li realm Li = Va REALM Specifies the realm that will be stored in this database. It realm isn't set, it will used as the default database, there can diff --git a/lib/krb5/krb524_convert_creds_kdc.3 b/lib/krb5/krb524_convert_creds_kdc.3 index 98537efb1..511eabd91 100644 --- a/lib/krb5/krb524_convert_creds_kdc.3 +++ b/lib/krb5/krb524_convert_creds_kdc.3 @@ -66,7 +66,7 @@ to Kerberos 4 credential that is stored in .Fa credentials . .Pp .Fn krb524_convert_creds_kdc_ccache -is diffrent from +is different from .Fn krb524_convert_creds_kdc in that way that if .Fa in_cred diff --git a/lib/krb5/krb5_c_make_checksum.3 b/lib/krb5/krb5_c_make_checksum.3 index 01507185c..fb8f9c4aa 100644 --- a/lib/krb5/krb5_c_make_checksum.3 
+++ b/lib/krb5/krb5_c_make_checksum.3 @@ -279,14 +279,14 @@ is a keyed checksum type. .Fn krb5_c_is_coll_proof_cksum returns true if .Fa ctype -is a collition proof checksum type. +is a collision proof checksum type. .Pp .Fn krb5_c_keylengths -return the minimum length ( -.Fa inlength ) +return the minimum length +.Fa ( inlength ) bytes needed to create a key and the -length ( -.Fa keylength ) +length +.Fa ( keylength ) of the resulting key for the .Fa enctype . diff --git a/lib/krb5/krb5_is_thread_safe.3 b/lib/krb5/krb5_is_thread_safe.3 index 8d6f7fb7e..1a73e853e 100644 --- a/lib/krb5/krb5_is_thread_safe.3 +++ b/lib/krb5/krb5_is_thread_safe.3 @@ -50,7 +50,7 @@ returns if the library was compiled with with multithread support. If the library isn't compiled, the consumer have to use a global lock to make sure Kerboros functions are not called at the same time by -diffrent threads. +different threads. .\" .Sh EXAMPLE .\" .Sh BUGS .Sh SEE ALSO diff --git a/lib/krb5/krb5_principal.3 b/lib/krb5/krb5_principal.3 index 1ed3ae5d4..3c7da9998 100644 --- a/lib/krb5/krb5_principal.3 +++ b/lib/krb5/krb5_principal.3 @@ -155,12 +155,12 @@ takes an extra argument the following flags can be passed in .Bl -tag -width Ds .It Dv KRB5_PRINCIPAL_PARSE_NO_REALM -requries the input string to be without a realm, and no realm is +requires the input string to be without a realm, and no realm is stored in the .Fa principal return argument. .It Dv KRB5_PRINCIPAL_PARSE_REQUIRE_REALM -requries the input string to with a realm. +requires the input string to with a realm. .El .Pp .Fn krb5_unparse_name diff --git a/lib/krb5/krb5_string_to_key.3 b/lib/krb5/krb5_string_to_key.3 index 9f44b48de..c77d4594c 100644 --- a/lib/krb5/krb5_string_to_key.3 +++ b/lib/krb5/krb5_string_to_key.3 
@@ -114,7 +114,7 @@ The string to key functions convert a string to a kerberos key. .Pp .Fn krb5_string_to_key_data_salt_opaque is the function that does all the work, the rest of the functions are -just wrapers around +just wrappers around .Fn krb5_string_to_key_data_salt_opaque that calls it with default values. .Pp diff --git a/lib/roken/rtbl.3 b/lib/roken/rtbl.3 index 614e8d783..0d7091883 100644 --- a/lib/roken/rtbl.3 +++ b/lib/roken/rtbl.3 @@ -89,7 +89,7 @@ would be output from tools such as or .Xr netstat 1 , where you have a fixed number of columns, but don't know the column -widthds before hand. +widths before hand. .Pp A table is created with .Fn rtbl_create From b1909b2daab7ad4bddb180960080e709d30329c2 Mon Sep 17 00:00:00 2001 From: Love Hornquist Astrand Date: Wed, 4 May 2011 21:31:10 -0700 Subject: [PATCH 30/42] Fixes from NetBSD via Thomas Klausner and Roland C. Dowdeswell --- admin/ktutil.8 | 86 ++++++--------------- kadmin/kadmin.8 | 80 ++++---------------- kadmin/kadmind.8 | 29 ++------ kcm/kcm.8 | 85 +++++---------------- kdc/hprop.8 | 39 ++-------- kdc/hpropd.8 | 29 ++------ kdc/kdc.8 | 53 +++---------- kdc/kstash.8 | 22 ++---- kdc/string2key.8 | 43 +++-------- kpasswd/kpasswdd.8 | 27 ++----- kuser/kdestroy.1 | 2 +- kuser/kgetcred.1 | 28 ++----- kuser/kimpersonate.8 | 84 +++++---------------- kuser/kinit.1 | 86 +++++---------------- kuser/klist.1 | 31 ++------ kuser/klist.c | 22 ++++-- lib/gssapi/gssapi.3 | 97 ++++++++++++------------ lib/hx509/revoke.c | 9 ++- lib/kadm5/iprop-log.8 | 48 +++--------- lib/kadm5/iprop.8 | 140 +++++++++++++---------------------- lib/krb5/auth_context.c | 2 + lib/krb5/krb5_get_in_cred.3 | 2 +- lib/krb5/krb5_init_context.3 | 2 +- lib/krb5/salt.c | 1 + lib/roken/get_window_size.c | 63 ++++++++++------ lib/roken/getarg.c | 5 +- lib/roken/roken.h.in | 2 +- lib/vers/print_version.c | 2 + 28 files changed, 337 insertions(+), 782 deletions(-) diff --git a/admin/ktutil.8 b/admin/ktutil.8 index 3c1405b3e..1796b8f32 100644 
--- a/admin/ktutil.8 +++ b/admin/ktutil.8 
@@ -53,72 +53,43 @@ is a program for managing keytabs. Supported options: .Bl -tag -width Ds -.It Xo -.Fl v , -.Fl -verbose -.Xc +.It Fl v , Fl -verbose Verbose output. .El .Pp .Ar command can be one of the following: .Bl -tag -width srvconvert -.It add Xo -.Op Fl p Ar principal -.Op Fl -principal= Ns Ar principal -.Op Fl V Ar kvno -.Op Fl -kvno= Ns Ar kvno -.Op Fl e Ar enctype -.Op Fl -enctype= Ns Ar enctype -.Op Fl w Ar password -.Op Fl -password= Ns Ar password -.Op Fl r -.Op Fl -random -.Op Fl s -.Op Fl -no-salt -.Op Fl H -.Op Fl -hex -.Xc +.It add Oo Fl p Ar principal Oc Oo Fl -principal= Ns Ar principal Oc \ +Oo Fl V Ar kvno Oc Oo Fl -kvno= Ns Ar kvno Oc Oo Fl e Ar enctype Oc \ +Oo Fl -enctype= Ns Ar enctype Oc Oo Fl w Ar password Oc \ +Oo Fl -password= Ns Ar password Oc Oo Fl r Oc Oo Fl -random Oc \ +Oo Fl s Oc Oo Fl -no-salt Oc Oo Fl H Oc Op Fl -hex Adds a key to the keytab. Options that are not specified will be prompted for. This requires that you know the password or the hex key of the principal to add; if what you really want is to add a new principal to the keytab, you should consider the .Ar get command, which talks to the kadmin server. -.It change Xo -.Op Fl r Ar realm -.Op Fl -realm= Ns Ar realm -.Op Fl -a Ar host -.Op Fl -admin-server= Ns Ar host -.Op Fl -s Ar port -.Op Fl -server-port= Ns Ar port -.Xc +.It change Oo Fl r Ar realm Oc Oo Fl -realm= Ns Ar realm Oc \ +Oo Fl -a Ar host Oc Oo Fl -admin-server= Ns Ar host Oc \ +Oo Fl -s Ar port Oc Op Fl -server-port= Ns Ar port Update one or several keys to new versions. By default, use the admin server for the realm of a keytab entry. Otherwise it will use the values specified by the options. .Pp If no principals are given, all the ones in the keytab are updated. -.It copy Xo -.Ar keytab-src -.Ar keytab-dest -.Xc +.It copy Ar keytab-src Ar keytab-dest Copies all the entries from .Ar keytab-src to .Ar keytab-dest . 
-.It get Xo -.Op Fl p Ar admin principal -.Op Fl -principal= Ns Ar admin principal -.Op Fl e Ar enctype -.Op Fl -enctypes= Ns Ar enctype -.Op Fl r Ar realm -.Op Fl -realm= Ns Ar realm -.Op Fl a Ar admin server -.Op Fl -admin-server= Ns Ar admin server -.Op Fl s Ar server port -.Op Fl -server-port= Ns Ar server port -.Ar principal ... -.Xc +.It get Oo Fl p Ar admin principal Oc \ +Oo Fl -principal= Ns Ar admin principal Oc Oo Fl e Ar enctype Oc \ +Oo Fl -enctypes= Ns Ar enctype Oc Oo Fl r Ar realm Oc \ +Oo Fl -realm= Ns Ar realm Oc Oo Fl a Ar admin server Oc \ +Oo Fl -admin-server= Ns Ar admin server Oc Oo Fl s Ar server port Oc \ +Oo Fl -server-port= Ns Ar server port Oc Ar principal ... For each .Ar principal , generate a new key for it (creating it if it doesn't already exist), @@ -128,35 +99,22 @@ If no .Ar realm is specified, the realm to operate on is taken from the first principal. -.It list Xo -.Op Fl -keys -.Op Fl -timestamp -.Xc +.It list Oo Fl -keys Oc Op Fl -timestamp List the keys stored in the keytab. -.It remove Xo -.Op Fl p Ar principal -.Op Fl -principal= Ns Ar principal -.Op Fl V kvno -.Op Fl -kvno= Ns Ar kvno -.Op Fl e enctype -.Op Fl -enctype= Ns Ar enctype -.Xc +.It remove Oo Fl p Ar principal Oc Oo Fl -principal= Ns Ar principal Oc \ +Oo Fl V kvno Oc Oo Fl -kvno= Ns Ar kvno Oc Oo Fl e enctype Oc \ +Oo Fl -enctype= Ns Ar enctype Oc Removes the specified key or keys. Not specifying a .Ar kvno removes keys with any version number. Not specifying an .Ar enctype removes keys of any type. -.It rename Xo -.Ar from-principal -.Ar to-principal -.Xc +.It rename Ar from-principal Ar to-principal Renames all entries in the keytab that match the .Ar from-principal to .Ar to-principal . -.It purge Xo -.Op Fl -age= Ns Ar age -.Xc +.It purge Op Fl -age= Ns Ar age Removes all old versions of a key for which there is a newer version that is at least .Ar age diff --git a/kadmin/kadmin.8 b/kadmin/kadmin.8 index 09a57280d..72f3845f0 100644 --- a/kadmin/kadmin.8 
+++ b/kadmin/kadmin.8 @@ -40,34 +40,13 @@ .Sh SYNOPSIS .Nm .Bk -words -.Oo Fl p Ar string \*(Ba Xo -.Fl -principal= Ns Ar string -.Xc -.Oc -.Oo Fl K Ar string \*(Ba Xo -.Fl -keytab= Ns Ar string -.Xc -.Oc -.Oo Fl c Ar file \*(Ba Xo -.Fl -config-file= Ns Ar file -.Xc -.Oc -.Oo Fl k Ar file \*(Ba Xo -.Fl -key-file= Ns Ar file -.Xc -.Oc -.Oo Fl r Ar realm \*(Ba Xo -.Fl -realm= Ns Ar realm -.Xc -.Oc -.Oo Fl a Ar host \*(Ba Xo -.Fl -admin-server= Ns Ar host -.Xc -.Oc -.Oo Fl s Ar port number \*(Ba Xo -.Fl -server-port= Ns Ar port number -.Xc -.Oc +.Op Fl p Ar string \*(Ba Fl -principal= Ns Ar string +.Op Fl K Ar string \*(Ba Fl -keytab= Ns Ar string +.Op Fl c Ar file \*(Ba Fl -config-file= Ns Ar file +.Op Fl k Ar file \*(Ba Fl -key-file= Ns Ar file +.Op Fl r Ar realm \*(Ba Fl -realm= Ns Ar realm +.Op Fl a Ar host \*(Ba Fl -admin-server= Ns Ar host +.Op Fl s Ar port number \*(Ba Fl -server-port= Ns Ar port number .Op Fl l | Fl -local .Op Fl h | Fl -help .Op Fl v | Fl -version 
@@ -84,45 +63,21 @@ option). .Pp Supported options: .Bl -tag -width Ds -.It Xo -.Fl p Ar string , -.Fl -principal= Ns Ar string -.Xc +.It Fl p Ar string , Fl -principal= Ns Ar string principal to authenticate as -.It Xo -.Fl K Ar string , -.Fl -keytab= Ns Ar string -.Xc +.It Fl K Ar string , Fl -keytab= Ns Ar string keytab for authentication principal -.It Xo -.Fl c Ar file , -.Fl -config-file= Ns Ar file -.Xc +.It Fl c Ar file , Fl -config-file= Ns Ar file location of config file -.It Xo -.Fl k Ar file , -.Fl -key-file= Ns Ar file -.Xc +.It Fl k Ar file , Fl -key-file= Ns Ar file location of master key file -.It Xo -.Fl r Ar realm , -.Fl -realm= Ns Ar realm -.Xc +.It Fl r Ar realm , Fl -realm= Ns Ar realm realm to use -.It Xo -.Fl a Ar host , -.Fl -admin-server= Ns Ar host -.Xc +.It Fl a Ar host , Fl -admin-server= Ns Ar host server to contact -.It Xo -.Fl s Ar port number , -.Fl -server-port= Ns Ar port number -.Xc +.It Fl s Ar port number , Fl -server-port= Ns Ar port number port to use -.It Xo -.Fl l , -.Fl -local -.Xc +.It Fl l , Fl -local local admin mode .El .Pp @@ -148,10 +103,7 @@ Commands include: .Nm add .Op Fl r | Fl -random-key .Op Fl -random-password -.Oo Fl p Ar string \*(Ba Xo -.Fl -password= Ns Ar string -.Xc -.Oc +.Op Fl p Ar string \*(Ba Fl -password= Ns Ar string .Op Fl -key= Ns Ar string .Op Fl -max-ticket-life= Ns Ar lifetime .Op Fl -max-renewable-life= Ns Ar lifetime diff --git a/kadmin/kadmind.8 b/kadmin/kadmind.8 index c4122df92..cbfd032e9 100644 --- a/kadmin/kadmind.8 +++ b/kadmin/kadmind.8 
@@ -117,34 +117,17 @@ glob-style pattern. .Pp Supported options: .Bl -tag -width Ds -.It Xo -.Fl c Ar file , -.Fl -config-file= Ns Ar file -.Xc +.It Fl c Ar file , Fl -config-file= Ns Ar file location of config file -.It Xo -.Fl k Ar file , -.Fl -key-file= Ns Ar file -.Xc +.It Fl k Ar file , Fl -key-file= Ns Ar file location of master key file -.It Xo -.Fl -keytab= Ns Ar keytab -.Xc +.It Fl -keytab= Ns Ar keytab what keytab to use -.It Xo -.Fl r Ar realm , -.Fl -realm= Ns Ar realm -.Xc +.It Fl r Ar realm , Fl -realm= Ns Ar realm realm to use -.It Xo -.Fl d , -.Fl -debug -.Xc +.It Fl d , Fl -debug enable debugging -.It Xo -.Fl p Ar port , -.Fl -ports= Ns Ar port -.Xc +.It Fl p Ar port , Fl -ports= Ns Ar port ports to listen to. By default, if run as a daemon, it listens to port 749, but you can add any number of ports with this option. The port string is a whitespace separated list of port specifications, with the diff --git a/kcm/kcm.8 b/kcm/kcm.8 index 71a1e618c..cde03362d 100644 --- a/kcm/kcm.8 +++ b/kcm/kcm.8 
@@ -127,91 +127,42 @@ the ticket itself. .Pp Supported options: .Bl -tag -width Ds -.It Xo -.Fl -cache-name= Ns Ar cachename -.Xc +.It Fl -cache-name= Ns Ar cachename system cache name -.It Xo -.Fl c Ar file , -.Fl -config-file= Ns Ar file -.Xc +.It Fl c Ar file , Fl -config-file= Ns Ar file location of config file -.It Xo -.Fl g Ar group , -.Fl -group= Ns Ar group -.Xc +.It Fl g Ar group , Fl -group= Ns Ar group system cache group -.It Xo -.Fl -max-request= Ns Ar size -.Xc +.It Fl -max-request= Ns Ar size max size for a kcm-request -.It Xo -.Fl -disallow-getting-krbtgt -.Xc +.It Fl -disallow-getting-krbtgt disallow extracting any krbtgt from the .Nm kcm daemon. -.It Xo -.Fl -detach -.Xc +.It Fl -detach detach from console -.It Xo -.Fl h , -.Fl -help -.Xc -.It Xo -.Fl k Ar principal , -.Fl -system-principal= Ns Ar principal -.Xc +.It Fl h , Fl -help +.It Fl k Ar principal , Fl -system-principal= Ns Ar principal system principal name -.It Xo -.Fl l Ar time , -.Fl -lifetime= Ns Ar time -.Xc +.It Fl l Ar time , Fl -lifetime= Ns Ar time lifetime of system tickets -.It Xo -.Fl m Ar mode , -.Fl -mode= Ns Ar mode -.Xc +.It Fl m Ar mode , Fl -mode= Ns Ar mode octal mode of system cache -.It Xo -.Fl n , -.Fl -no-name-constraints -.Xc +.It Fl n , Fl -no-name-constraints disable credentials cache name constraints -.It Xo -.Fl r Ar time , -.Fl -renewable-life= Ns Ar time -.Xc +.It Fl r Ar time , Fl -renewable-life= Ns Ar time renewable lifetime of system tickets -.It Xo -.Fl s Ar path , -.Fl -socket-path= Ns Ar path -.Xc +.It Fl s Ar path , Fl -socket-path= Ns Ar path path to kcm domain socket -.It Xo -.Fl -door-path= Ns Ar path -.Xc +.It Fl -door-path= Ns Ar path path to kcm door socket -.It Xo -.Fl S Ar principal , -.Fl -server= Ns Ar principal -.Xc +.It Fl S Ar principal , Fl -server= Ns Ar principal server to get system ticket for -.It Xo -.Fl t Ar keytab , -.Fl -keytab= Ns Ar keytab -.Xc +.It Fl t Ar keytab , Fl -keytab= Ns Ar keytab system keytab name -.It Xo -.Fl u Ar 
user , -.Fl -user= Ns Ar user -.Xc +.It Fl u Ar user , Fl -user= Ns Ar user system cache owner -.It Xo -.Fl v , -.Fl -version -.Xc +.It Fl v , Fl -version .El .\".Sh ENVIRONMENT .\".Sh FILES diff --git a/kdc/hprop.8 b/kdc/hprop.8 index 61682d228..cca0d7acf 100644 --- a/kdc/hprop.8 +++ b/kdc/hprop.8 @@ -89,19 +89,11 @@ specified on the command by opening a TCP connection to port 754 .Pp Supported options: .Bl -tag -width Ds -.It Xo -.Fl m Ar file , -.Fl -master-key= Ns Pa file -.Xc +.It Fl m Ar file , Fl -master-key= Ns Pa file Where to find the master key to encrypt or decrypt keys with. -.It Xo -.Fl d Ar file , -.Fl -database= Ns Pa file -.Xc +.It Fl d Ar file , Fl -database= Ns Pa file The database to be propagated. -.It Xo -.Fl -source= Ns Ar heimdal|mit-dump -.Xc +.It Fl -source= Ns Ar heimdal|mit-dump|krb4-dump|kaserver Specifies the type of the source database. Alternatives include: .Pp .Bl -tag -width mit-dump -compact -offset indent @@ -110,36 +102,21 @@ a Heimdal database .It mit-dump a MIT Kerberos 5 dump file .El -.It Xo -.Fl k Ar keytab , -.Fl -keytab= Ns Ar keytab -.Xc ++.It Fl k Ar keytab , Fl -keytab= Ns Ar keytab The keytab to use for fetching the key to be used for authenticating to the propagation daemon(s). The key .Pa hprop/hostname is used from this keytab. The default is to fetch the key from the KDC database. -.It Xo -.Fl R Ar string , -.Fl -v5-realm= Ns Ar string -.Xc +.It Fl R Ar string , Fl -v5-realm= Ns Ar string Local realm override. -.It Xo -.Fl D , -.Fl -decrypt -.Xc +.It Fl D , Fl -decrypt The encryption keys in the database can either be in clear, or encrypted with a master key. This option transmits the database with unencrypted keys. -.It Xo -.Fl E , -.Fl -encrypt -.Xc +.It Fl E , Fl -encrypt This option transmits the database with encrypted keys. -.It Xo -.Fl n , -.Fl -stdout -.Xc +.It Fl n , Fl -stdout Dump the database on stdout, in a format that can be fed to hpropd. .El .Sh EXAMPLES 
diff --git a/kdc/hpropd.8 b/kdc/hpropd.8 index 982be9f80..0b9b02cbe 100644 --- a/kdc/hpropd.8 +++ b/kdc/hpropd.8 @@ -73,34 +73,17 @@ are accepted. .Pp Options supported: .Bl -tag -width Ds -.It Xo -.Fl d Ar file , -.Fl -database= Ns Ar file -.Xc +.It Fl d Ar file , Fl -database= Ns Ar file database -.It Xo -.Fl n , -.Fl -stdin -.Xc +.It Fl n , Fl -stdin read from stdin -.It Xo -.Fl -print -.Xc +.It Fl -print print dump to stdout -.It Xo -.Fl i , -.Fl -no-inetd -.Xc +.It Fl i , Fl -no-inetd not started from inetd -.It Xo -.Fl k Ar keytab , -.Fl -keytab= Ns Ar keytab -.Xc +.It Fl k Ar keytab , Fl -keytab= Ns Ar keytab keytab to use for authentication -.It Xo -.Fl 4 , -.Fl -v4dump -.Xc +.It Fl 4 , Fl -v4dump create v4 type DB .El .Sh SEE ALSO diff --git a/kdc/kdc.8 b/kdc/kdc.8 index 16e05ec53..93f9d282c 100644 --- a/kdc/kdc.8 +++ b/kdc/kdc.8 @@ -72,17 +72,11 @@ or from a default compiled-in value. .Pp Options supported: .Bl -tag -width Ds -.It Xo -.Fl c Ar file , -.Fl -config-file= Ns Ar file -.Xc +.It Fl c Ar file , Fl -config-file= Ns Ar file Specifies the location of the config file, the default is .Pa /var/heimdal/kdc.conf . This is the only value that can't be specified in the config file. -.It Xo -.Fl p , -.Fl -no-require-preauth -.Xc +.It Fl p , Fl -no-require-preauth Turn off the requirement for pre-autentication in the initial AS-REQ for all principals. The use of pre-authentication makes it more difficult to do offline 
@@ -95,34 +89,20 @@ pre-athentication. The default is to require pre-authentication. Adding the require-preauth per principal is a more flexible way of handling this. -.It Xo -.Fl -max-request= Ns Ar size -.Xc +.It Fl -max-request= Ns Ar size Gives an upper limit on the size of the requests that the kdc is willing to handle. -.It Xo -.Fl H , -.Fl -enable-http -.Xc +.It Fl H , Fl -enable-http Makes the kdc listen on port 80 and handle requests encapsulated in HTTP. -.It Xo -.Fl -no-524 -.Xc +.It Fl -no-524 don't respond to 524 requests -.It Xo -.Fl -kerberos4 -.Xc +.It Fl -kerberos4 respond to Kerberos 4 requests -.It Xo -.Fl -kerberos4-cross-realm -.Xc +.It Fl -kerberos4-cross-realm respond to Kerberos 4 requests from foreign realms. This is a known security hole and should not be enabled unless you understand the consequences and are willing to live with them. -.It Xo -.Fl r Ar string , -.Fl -v4-realm= Ns Ar string -.Xc +.It Fl r Ar string , Fl -v4-realm= Ns Ar string What realm this server should act as when dealing with version 4 requests. The database can contain any number of realms, but since the version 4 @@ -132,15 +112,9 @@ The default is whatever is returned by .Fn krb_get_lrealm . This option is only available if the KDC has been compiled with version 4 support. -.It Xo -.Fl K , -.Fl -kaserver -.Xc +.It Fl K , Fl -kaserver Enable kaserver emulation (in case it's compiled in). -.It Xo -.Fl P Ar portspec , -.Fl -ports= Ns Ar portspec -.Xc +.It Fl P Ar portspec , Fl -ports= Ns Ar portspec Specifies the set of ports the KDC should listen on. It is given as a white-space separated list of services or port numbers. 
@@ -198,11 +172,8 @@ Permit anonymous tickets with no addresses. .It Li max-kdc-datagram-reply-length = Va number Maximum packet size the UDP rely that the KDC will transmit, instead the KDC sends back a reply telling the client to use TCP instead. -.It Li transited-policy = Xo -.Li always-check \*(Ba -.Li allow-per-principal | -.Li always-honour-request -.Xc +.It Li transited-policy = Li always-check \*(Ba \ +Li allow-per-principal | Li always-honour-request This controls how KDC requests with the .Li disable-transited-check flag are handled. It can be one of: diff --git a/kdc/kstash.8 b/kdc/kstash.8 index 10f60d6dc..dca67f4a4 100644 --- a/kdc/kstash.8 +++ b/kdc/kstash.8 @@ -62,28 +62,16 @@ used by the KDC. .Pp Supported options: .Bl -tag -width Ds -.It Xo -.Fl e Ar string , -.Fl -enctype= Ns Ar string -.Xc +.It Fl e Ar string , Fl -enctype= Ns Ar string the encryption type to use, defaults to DES3-CBC-SHA1. -.It Xo -.Fl k Ar file , -.Fl -key-file= Ns Ar file -.Xc +.It Fl k Ar file , Fl -key-file= Ns Ar file the name of the master key file. -.It Xo -.Fl -convert-file -.Xc +.It Fl -convert-file don't ask for a new master key, just read an old master key file, and write it back in the new keyfile format. -.It Xo -.Fl -random-key -.Xc +.It Fl -random-key generate a random master key. -.It Xo -.Fl -master-key-fd= Ns Ar fd -.Xc +.It Fl -master-key-fd= Ns Ar fd filedescriptor to read passphrase from, if not specified the passphrase will be read from the terminal. .El diff --git a/kdc/string2key.8 b/kdc/string2key.8 index f92d20f18..57186aa07 100644 --- a/kdc/string2key.8 +++ b/kdc/string2key.8 
@@ -65,46 +65,21 @@ performs the string-to-key function. This is useful when you want to handle the raw key instead of the password. Supported options: .Bl -tag -width Ds -.It Xo -.Fl 5 , -.Fl -version5 -.Xc +.It Fl 5 , Fl -version5 Output Kerberos v5 string-to-key -.It Xo -.Fl 4 , -.Fl -version4 -.Xc +.It Fl 4 , Fl -version4 Output Kerberos v4 string-to-key -.It Xo -.Fl a , -.Fl -afs -.Xc +.It Fl a , Fl -afs Output AFS string-to-key -.It Xo -.Fl c Ar cell , -.Fl -cell= Ns Ar cell -.Xc +.It Fl c Ar cell , Fl -cell= Ns Ar cell AFS cell to use -.It Xo -.Fl w Ar password , -.Fl -password= Ns Ar password -.Xc +.It Fl w Ar password , Fl -password= Ns Ar password Password to use -.It Xo -.Fl p Ar principal , -.Fl -principal= Ns Ar principal -.Xc +.It Fl p Ar principal , Fl -principal= Ns Ar principal Kerberos v5 principal to use -.It Xo -.Fl k Ar string , -.Fl -keytype= Ns Ar string -.Xc +.It Fl k Ar string , Fl -keytype= Ns Ar string Keytype -.It Xo -.Fl -version -.Xc +.It Fl -version print version -.It Xo -.Fl -help -.Xc +.It Fl -help .El diff --git a/kpasswd/kpasswdd.8 b/kpasswd/kpasswdd.8 index 0e05941f4..51d674beb 100644 --- a/kpasswd/kpasswdd.8 +++ b/kpasswd/kpasswdd.8 @@ -64,20 +64,14 @@ the database directly and should thus only run on the master KDC. .Pp Supported options: .Bl -tag -width Ds -.It Xo -.Fl -addresses= Ns Ar address -.Xc +.It Fl -addresses= Ns Ar address For each till the argument is given, add the address to what kpasswdd should listen too. -.It Xo -.Fl -check-library= Ns Ar library -.Xc +.It Fl -check-library= Ns Ar library If your system has support for dynamic loading of shared libraries, you can use an external function to check password quality. This option specifies which library to load. -.It Xo -.Fl -check-function= Ns Ar function -.Xc +.It Fl -check-function= Ns Ar function This is the function to call in the loaded library. The function should look like this: .Pp 
@@ -92,20 +86,11 @@ is the one who tries to change passwords, and is the new password. Note that the password (in .Fa password->data ) is not zero terminated. -.It Xo -.Fl k Ar kspec , -.Fl -keytab= Ns Ar kspec -.Xc +.It Fl k Ar kspec , Fl -keytab= Ns Ar kspec Keytab to get authentication key from. -.It Xo -.Fl r Ar realm , -.Fl -realm= Ns Ar realm -.Xc +.It Fl r Ar realm , Fl -realm= Ns Ar realm Default realm. -.It Xo -.Fl p Ar string , -.Fl -port= Ns Ar string -.Xc +.It Fl p Ar string , Fl -port= Ns Ar string Port to listen on (default service kpasswd - 464). .El .Sh DIAGNOSTICS diff --git a/kuser/kdestroy.1 b/kuser/kdestroy.1 index 0d87618a5..c8ba32432 100644 --- a/kuser/kdestroy.1 +++ b/kuser/kdestroy.1 @@ -36,7 +36,7 @@ .Os HEIMDAL .Sh NAME .Nm kdestroy -.Nd remove one credental or destroy the current ticket file +.Nd remove one credential or destroy the current ticket file .Sh SYNOPSIS .Nm .Bk -words diff --git a/kuser/kgetcred.1 b/kuser/kgetcred.1 index 42c39d356..4f0be6a42 100644 --- a/kuser/kgetcred.1 +++ b/kuser/kgetcred.1 @@ -61,30 +61,16 @@ ticket or of a special type. .Pp Supported options: .Bl -tag -width Ds -.It Xo -.Fl -canonicalize -.Xc +.It Fl -canonicalize requests that the KDC canonicalize the principal. -.It Xo -.Fl c Ar cache , -.Fl -cache= Ns Ar cache -.Xc +.It Fl c Ar cache , Fl -cache= Ns Ar cache the credential cache to use. -.It Xo -.Fl e Ar enctype , -.Fl -enctype= Ns Ar enctype -.Xc +.It Fl e Ar enctype , Fl -enctype= Ns Ar enctype encryption type to use. -.It Xo -.Fl -no-transit-check -.Xc -requests that the KDC doesn't do trasnit checking. -.It Xo -.Fl -version -.Xc -.It Xo -.Fl -help -.Xc +.It Fl -no-transit-check +requests that the KDC doesn't do transit checking. +.It Fl -version +.It Fl -help .El .Sh SEE ALSO .Xr kinit 1 , diff --git a/kuser/kimpersonate.8 b/kuser/kimpersonate.8 index d8fc3996a..a7a33e800 100644 --- a/kuser/kimpersonate.8 +++ b/kuser/kimpersonate.8 
@@ -40,28 +40,14 @@ impersonate a user when there exist a srvtab, keyfile or KeyFile .Sh SYNOPSIS .Nm -.Oo Fl s Ar string \*(Ba Xo -.Fl -server= Ns Ar string Oc -.Xc -.Oo Fl c Ar string \*(Ba Xo -.Fl -client= Ns Ar string Oc -.Xc -.Oo Fl k Ar string \*(Ba Xo -.Fl -keytab= Ns Ar string Oc -.Xc +.Op Fl s Ar string \*(Ba Fl -server= Ns Ar string +.Op Fl c Ar string \*(Ba Fl -client= Ns Ar string +.Op Fl k Ar string \*(Ba Fl -keytab= Ns Ar string .Op Fl 5 | Fl -krb5 -.Oo Fl e Ar integer \*(Ba Xo -.Fl -expire-time= Ns Ar integer Oc -.Xc -.Oo Fl a Ar string \*(Ba Xo -.Fl -client-address= Ns Ar string Oc -.Xc -.Oo Fl t Ar string \*(Ba Xo -.Fl -enc-type= Ns Ar string Oc -.Xc -.Oo Fl f Ar string \*(Ba Xo -.Fl -ticket-flags= Ns Ar string Oc -.Xc +.Op Fl e Ar integer \*(Ba Fl -expire-time= Ns Ar integer +.Op Fl a Ar string \*(Ba Fl -client-address= Ns Ar string +.Op Fl t Ar string \*(Ba Fl -enc-type= Ns Ar string +.Op Fl f Ar string \*(Ba Fl -ticket-flags= Ns Ar string .Op Fl -verbose .Op Fl -version .Op Fl -help 
@@ -73,57 +59,27 @@ The service key can be read from a Kerberos 5 keytab, AFS KeyFile or (if compiled with support for Kerberos 4) a Kerberos 4 srvtab. Supported options: .Bl -tag -width Ds -.It Xo -.Fl s Ar string Ns , -.Fl -server= Ns Ar string -.Xc +.It Fl s Ar string Ns , Fl -server= Ns Ar string name of server principal -.It Xo -.Fl c Ar string Ns , -.Fl -client= Ns Ar string -.Xc +.It Fl c Ar string Ns , Fl -client= Ns Ar string name of client principal -.It Xo -.Fl k Ar string Ns , -.Fl -keytab= Ns Ar string -.Xc +.It Fl k Ar string Ns , Fl -keytab= Ns Ar string name of keytab file -.It Xo -.Fl 5 Ns , -.Fl -krb5 -.Xc +.It Fl 5 Ns , Fl -krb5 create a Kerberos 5 ticket -.It Xo -.Fl e Ar integer Ns , -.Fl -expire-time= Ns Ar integer -.Xc +.It Fl e Ar integer Ns , Fl -expire-time= Ns Ar integer lifetime of ticket in seconds -.It Xo -.Fl a Ar string Ns , -.Fl -client-address= Ns Ar string -.Xc +.It Fl a Ar string Ns , Fl -client-address= Ns Ar string address of client -.It Xo -.Fl t Ar string Ns , -.Fl -enc-type= Ns Ar string -.Xc +.It Fl t Ar string Ns , Fl -enc-type= Ns Ar string encryption type -.It Xo -.Fl f Ar string Ns , -.Fl -ticket-flags= Ns Ar string -.Xc +.It Fl f Ar string Ns , Fl -ticket-flags= Ns Ar string ticket flags for krb5 ticket -.It Xo -.Fl -verbose -.Xc +.It Fl -verbose Verbose output -.It Xo -.Fl -version -.Xc +.It Fl -version Print version -.It Xo -.Fl -help -.Xc +.It Fl -help .El .Sh FILES Uses @@ -131,9 +87,9 @@ Uses .Pa /etc/srvtab and .Pa /usr/afs/etc/KeyFile -when avalible and the the +when available and the .Fl k -is used with appropriate prefix. +option is used with an appropriate prefix. .Sh EXAMPLES .Nm can be used in diff --git a/kuser/kinit.1 b/kuser/kinit.1 index ed8770aa3..7bd7e63e4 100644 --- a/kuser/kinit.1 +++ b/kuser/kinit.1 
@@ -96,41 +96,23 @@ can later be used to obtain tickets for other services. .Pp Supported options: .Bl -tag -width Ds -.It Xo -.Fl c Ar cachename -.Fl -cache= Ns Ar cachename -.Xc +.It Fl c Ar cachename Fl -cache= Ns Ar cachename The credentials cache to put the acquired ticket in, if other than default. -.It Xo -.Fl f -.Fl -no-forwardable -.Xc +.It Fl f Fl -no-forwardable Get ticket that can be forwarded to another host, or if the negative flags use, don't get a forwardable flag. -.It Xo -.Fl t Ar keytabname , -.Fl -keytab= Ns Ar keytabname -.Xc +.It Fl t Ar keytabname , Fl -keytab= Ns Ar keytabname Don't ask for a password, but instead get the key from the specified keytab. -.It Xo -.Fl l Ar time , -.Fl -lifetime= Ns Ar time -.Xc +.It Fl l Ar time , Fl -lifetime= Ns Ar time Specifies the lifetime of the ticket. The argument can either be in seconds, or a more human readable string like .Sq 1h . -.It Xo -.Fl p , -.Fl -proxiable -.Xc +.It Fl p , Fl -proxiable Request tickets with the proxiable flag set. -.It Xo -.Fl R , -.Fl -renew -.Xc +.It Fl R , Fl -renew Try to renew ticket. The ticket must have the .Sq renewable 
@@ -139,46 +121,26 @@ flag set, and must not be expired. The same as .Fl -renewable-life , with an infinite time. -.It Xo -.Fl r Ar time , -.Fl -renewable-life= Ns Ar time -.Xc +.It Fl r Ar time , Fl -renewable-life= Ns Ar time The max renewable ticket life. -.It Xo -.Fl S Ar principal , -.Fl -server= Ns Ar principal -.Xc +.It Fl S Ar principal , Fl -server= Ns Ar principal Get a ticket for a service other than krbtgt/LOCAL.REALM. -.It Xo -.Fl s Ar time , -.Fl -start-time= Ns Ar time -.Xc +.It Fl s Ar time , Fl -start-time= Ns Ar time Obtain a ticket that starts to be valid .Ar time (which can really be a generic time specification, like .Sq 1h ) seconds into the future. -.It Xo -.Fl k , -.Fl -use-keytab -.Xc +.It Fl k , Fl -use-keytab The same as .Fl -keytab , but with the default keytab name (normally .Ar FILE:/etc/krb5.keytab ) . -.It Xo -.Fl v , -.Fl -validate -.Xc +.It Fl v , Fl -validate Try to validate an invalid ticket. -.It Xo -.Fl e , -.Fl -enctypes= Ns Ar enctypes -.Xc +.It Fl e , Fl -enctypes= Ns Ar enctypes Request tickets with this particular enctype. -.It Xo -.Fl -password-file= Ns Ar filename -.Xc +.It Fl -password-file= Ns Ar filename read the password from the first line of .Ar filename . If the @@ -186,15 +148,10 @@ If the is .Ar STDIN , the password will be read from the standard input. -.It Xo -.Fl -fcache-version= Ns Ar version-number -.Xc +.It Fl -fcache-version= Ns Ar version-number Create a credentials cache of version .Ar version-number . -.It Xo -.Fl a , -.Fl -extra-addresses= Ns Ar enctypes -.Xc +.It Fl a , Fl -extra-addresses= Ns Ar enctypes Adds a set of addresses that will, in addition to the systems local addresses, be put in the ticket. This can be useful if all addresses a client can use can't be 
@@ -204,20 +161,13 @@ Also settable via .Li libdefaults/extra_addresses in .Xr krb5.conf 5 . -.It Xo -.Fl A , -.Fl -no-addresses -.Xc +.It Fl A , Fl -no-addresses Request a ticket with no addresses. -.It Xo -.Fl -anonymous -.Xc +.It Fl -anonymous Request an anonymous ticket (which means that the ticket will be issued to an anonymous principal, typically .Dq anonymous@REALM ) . -.It Xo -.Fl -enterprise -.Xc +.It Fl -enterprise Parse principal as a enterprise (KRB5-NT-ENTERPRISE) name. Enterprise names are email like principals that are stored in the name part of the principal, and since there are two @ characters the parser needs diff --git a/kuser/klist.1 b/kuser/klist.1 index 7e85bfc33..b7744f7e6 100644 --- a/kuser/klist.1 +++ b/kuser/klist.1 @@ -60,27 +60,14 @@ known as the ticket file). .Pp Options supported: .Bl -tag -width Ds -.It Xo -.Fl c Ar cache , -.Fl -cache= Ns Ar cache -.Xc +.It Fl c Ar cache , Fl -cache= Ns Ar cache credential cache to list -.It Xo -.Fl s , -.Fl t , -.Fl -test -.Xc +.It Fl s , Fl t , Fl -test Test for there being an active and valid TGT for the local realm of the user in the credential cache. -.It Xo -.Fl T , -.Fl -tokens -.Xc +.It Fl T , Fl -tokens display AFS tokens -.It Xo -.Fl 5 , -.Fl -v5 -.Xc +.It Fl 5 , Fl -v5 display v5 cred cache (this is the default) .It Fl f Include ticket flags in short form, each character stands for a @@ -113,10 +100,7 @@ hardware authenticated This information is also output with the .Fl -verbose option, but in a more verbose way. -.It Xo -.Fl v , -.Fl -verbose -.Xc +.It Fl v , Fl -verbose Verbose output. Include all possible information: .Bl -tag -width XXXX -offset indent .It Server @@ -141,10 +125,7 @@ the flags set on the ticket .It Addresses the set of addresses from which this ticket is valid .El -.It Xo -.Fl l , -.Fl -list-caches -.Xc +.It Fl l , Fl -list-caches List the credential caches for the current users, not all cache types supports listing multiple caches. .Pp 
diff --git a/kuser/klist.c b/kuser/klist.c index f77908a34..986fd1a70 100644 --- a/kuser/klist.c +++ b/kuser/klist.c @@ -39,21 +39,29 @@ #include "kcc-commands.h" static char* -printable_time(time_t t) +printable_time_internal(time_t t, int x) { static char s[128]; - strlcpy(s, ctime(&t)+ 4, sizeof(s)); - s[15] = 0; + char *p; + + if ((p = ctime(&t)) == NULL) + strlcpy(s, "?", sizeof(s)); + else + strlcpy(s, p + 4, sizeof(s)); + s[x] = 0; return s; } +static char* +printable_time(time_t t) +{ + return printable_time_internal(t, 20); +} + static char* printable_time_long(time_t t) { - static char s[128]; - strlcpy(s, ctime(&t)+ 4, sizeof(s)); - s[20] = 0; - return s; + return printable_time_internal(t, 20); } #define COL_ISSUED NP_(" Issued","") diff --git a/lib/gssapi/gssapi.3 b/lib/gssapi/gssapi.3 index e1fb65e64..fa9b33e54 100644 --- a/lib/gssapi/gssapi.3 +++ b/lib/gssapi/gssapi.3 
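Review bot: `printable_time()` now passes 20 to `printable_time_internal()`, while the removed body cut the string at `s[15]`, so the short form and `printable_time_long()` return the same text after this change. If the shorter column format is still wanted, the call should read `return printable_time_internal(t, 15);`. Both wrappers also now share the single `static char s[128]` inside `printable_time_internal`, where each previously had its own buffer, so a caller that uses both results in one expression would see the second overwrite the first; callers are outside this hunk, so that needs checking. A comment on `printable_time_internal` such as `/* returns a pointer to a static buffer, overwritten by the next call */` would make this explicit.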
@@ -53,57 +53,52 @@ These functions constitute the gssapi library, .Em libgssapi . Declarations for these functions may be obtained from the include file .Pa gssapi.h . -.sp 2 -.nf -.ta \w'gss_inquire_names_for_mech'u+2n +\w'Description goes here'u -\fIName/Page\fP \fIDescription\fP -.ta \w'gss_inquire_names_for_mech'u+2n +\w'Description goes here'u+6nC -.sp 5p -gss_accept_sec_context.3 -gss_acquire_cred.3 -gss_add_cred.3 -gss_add_oid_set_member.3 -gss_canonicalize_name.3 -gss_compare_name.3 -gss_context_time.3 -gss_create_empty_oid_set.3 -gss_delete_sec_context.3 -gss_display_name.3 -gss_display_status.3 -gss_duplicate_name.3 -gss_export_name.3 -gss_export_sec_context.3 -gss_get_mic.3 -gss_import_name.3 -gss_import_sec_context.3 -gss_indicate_mechs.3 -gss_init_sec_context.3 -gss_inquire_context.3 -gss_inquire_cred.3 -gss_inquire_cred_by_mech.3 -gss_inquire_mechs_for_name.3 -gss_inquire_names_for_mech.3 -gss_krb5_ccache_name.3 -gss_krb5_compat_des3_mic.3 -gss_krb5_copy_ccache.3 -gss_krb5_extract_authz_data_from_sec_context.3 -gss_krb5_import_ccache.3 -gss_process_context_token.3 -gss_release_buffer.3 -gss_release_cred.3 -gss_release_name.3 -gss_release_oid_set.3 -gss_seal.3 -gss_sign.3 -gss_test_oid_set_member.3 -gss_unseal.3 -gss_unwrap.3 -gss_verify.3 -gss_verify_mic.3 -gss_wrap.3 -gss_wrap_size_limit.3 -.ta -.Fi +.Bl -column -compact +.It Sy Name/Page +.It Xr gss_accept_sec_context 3 +.It Xr gss_acquire_cred 3 +.It Xr gss_add_cred 3 +.It Xr gss_add_oid_set_member 3 +.It Xr gss_canonicalize_name 3 +.It Xr gss_compare_name 3 +.It Xr gss_context_time 3 +.It Xr gss_create_empty_oid_set 3 +.It Xr gss_delete_sec_context 3 +.It Xr gss_display_name 3 +.It Xr gss_display_status 3 +.It Xr gss_duplicate_name 3 +.It Xr gss_export_name 3 +.It Xr gss_export_sec_context 3 +.It Xr gss_get_mic 3 +.It Xr gss_import_name 3 +.It Xr gss_import_sec_context 3 +.It Xr gss_indicate_mechs 3 +.It Xr gss_init_sec_context 3 +.It Xr gss_inquire_context 3 +.It Xr gss_inquire_cred 3 +.It Xr 
gss_inquire_cred_by_mech 3 +.It Xr gss_inquire_mechs_for_name 3 +.It Xr gss_inquire_names_for_mech 3 +.It Xr gss_krb5_ccache_name 3 +.It Xr gss_krb5_compat_des3_mic 3 +.It Xr gss_krb5_copy_ccache 3 +.It Xr gss_krb5_extract_authz_data_from_sec_context 3 +.It Xr gss_krb5_import_ccache 3 +.It Xr gss_process_context_token 3 +.It Xr gss_release_buffer 3 +.It Xr gss_release_cred 3 +.It Xr gss_release_name 3 +.It Xr gss_release_oid_set 3 +.It Xr gss_seal 3 +.It Xr gss_sign 3 +.It Xr gss_test_oid_set_member 3 +.It Xr gss_unseal 3 +.It Xr gss_unwrap 3 +.It Xr gss_verify 3 +.It Xr gss_verify_mic 3 +.It Xr gss_wrap 3 +.It Xr gss_wrap_size_limit 3 +.El .Sh COMPATIBILITY The .Nm Heimdal diff --git a/lib/hx509/revoke.c b/lib/hx509/revoke.c index 715438d4b..e414c762b 100644 --- a/lib/hx509/revoke.c +++ b/lib/hx509/revoke.c @@ -1054,8 +1054,13 @@ static char * printable_time(time_t t) { static char s[128]; - strlcpy(s, ctime(&t)+ 4, sizeof(s)); - s[20] = 0; + char *p; + if ((p = ctime(&t)) == NULL) + strlcpy(s, "?", sizeof(s)); + else { + strlcpy(s, p + 4, sizeof(s)); + s[20] = 0; + } return s; } diff --git a/lib/kadm5/iprop-log.8 b/lib/kadm5/iprop-log.8 index 5fa86b527..5d326c7e5 100644 --- a/lib/kadm5/iprop-log.8 +++ b/lib/kadm5/iprop-log.8 @@ -83,28 +83,17 @@ maintain the iprop log file .Sh DESCRIPTION Supported options: .Bl -tag -width Ds -.It Xo -.Fl -version -.Xc -.It Xo -.Fl h , -.Fl -help -.Xc +.It Fl -version +.It Fl h , Fl -help .El .Pp command can be one of the following: .Bl -tag -width truncate .It truncate .Bl -tag -width Ds -.It Xo -.Fl c Ar file , -.Fl -config-file= Ns Ar file -.Xc +.It Fl c Ar file , Fl -config-file= Ns Ar file configuration file -.It Xo -.Fl r Ar string , -.Fl -realm= Ns Ar string -.Xc +.It Fl r Ar string , Fl -realm= Ns Ar string realm .El .Pp 
@@ -113,10 +102,7 @@ last entry of the old log. If the log is truncted by emptying the file, the log will start over at the first version (0). .It dump .Bl -tag -width Ds -.It Xo -.Fl c Ar file , -.Fl -config-file= Ns Ar file -.Xc +.It Fl c Ar file , Fl -config-file= Ns Ar file configuration file .It Xo .Fl r Ar string , @@ -128,23 +114,15 @@ realm Print out all entries in the log to standard output. .It replay .Bl -tag -width Ds -.It Xo -.Fl -start-version= Ns Ar version-number -.Xc +.It Fl -start-version= Ns Ar version-number start replay with this version .It Xo .Fl -end-version= Ns Ar version-number .Xc end replay with this version -.It Xo -.Fl c Ar file , -.Fl -config-file= Ns Ar file -.Xc +.It Fl c Ar file , Fl -config-file= Ns Ar file configuration file -.It Xo -.Fl r Ar string , -.Fl -realm= Ns Ar string -.Xc +.It Fl r Ar string , Fl -realm= Ns Ar string realm .El .Pp @@ -152,15 +130,9 @@ Replay the changes from specified entries (or all if none is specified) in the transaction log to the database. .It last-version .Bl -tag -width Ds -.It Xo -.Fl c Ar file , -.Fl -config-file= Ns Ar file -.Xc +.It Fl c Ar file , Fl -config-file= Ns Ar file configuration file -.It Xo -.Fl r Ar string , -.Fl -realm= Ns Ar string -.Xc +.It Fl r Ar string , Fl -realm= Ns Ar string realm .El .Pp diff --git a/lib/kadm5/iprop.8 b/lib/kadm5/iprop.8 index 0a07d7300..dcdff4a45 100644 --- a/lib/kadm5/iprop.8 +++ b/lib/kadm5/iprop.8 
@@ -38,51 +38,49 @@ .Nm iprop , .Nm ipropd-master , .Nm ipropd-slave -.Nd -propagate changes to a Heimdal Kerberos master KDC to slave KDCs +.Nd propagate changes to a Heimdal Kerberos master KDC to slave KDCs .Sh SYNOPSIS .Nm ipropd-master .Oo Fl c Ar string \*(Ba Xo -.Fl -config-file= Ns Ar string +.Fl Fl config-file= Ns Ar string .Xc .Oc .Oo Fl r Ar string \*(Ba Xo -.Fl -realm= Ns Ar string +.Fl Fl realm= Ns Ar string .Xc .Oc .Oo Fl k Ar kspec \*(Ba Xo -.Fl -keytab= Ns Ar kspec +.Fl Fl keytab= Ns Ar kspec .Xc .Oc .Oo Fl d Ar file \*(Ba Xo -.Fl -database= Ns Ar file +.Fl Fl database= Ns Ar file .Xc .Oc -.Op Fl -slave-stats-file= Ns Ar file -.Op Fl -time-missing= Ns Ar time -.Op Fl -time-gone= Ns Ar time -.Op Fl -detach -.Op Fl -version -.Op Fl -help +.Op Fl Fl slave-stats-file= Ns Ar file +.Op Fl Fl time-missing= Ns Ar time +.Op Fl Fl time-gone= Ns Ar time +.Op Fl Fl detach +.Op Fl Fl version +.Op Fl Fl help .Nm ipropd-slave .Oo Fl c Ar string \*(Ba Xo -.Fl -config-file= Ns Ar string +.Fl Fl config-file= Ns Ar string .Xc .Oc .Oo Fl r Ar string \*(Ba Xo -.Fl -realm= Ns Ar string +.Fl Fl realm= Ns Ar string .Xc .Oc .Oo Fl k Ar kspec \*(Ba Xo -.Fl -keytab= Ns Ar kspec +.Fl Fl keytab= Ns Ar kspec .Xc .Oc -.Op Fl -time-lost= Ns Ar time -.Op Fl -detach -.Op Fl -version -.Op Fl -help +.Op Fl Fl time-lost= Ns Ar time +.Op Fl Fl detach +.Op Fl Fl version +.Op Fl Fl help .Ar master -.Pp .Sh DESCRIPTION .Nm ipropd-master is used to propagate changes to a Heimdal Kerberos database from the @@ -96,9 +94,9 @@ file in the KDC's database directory, e.g.\& .Pa /var/heimdal/slaves . This has principals one per-line of the form .Dl iprop/ Ns Ar slave Ns @ Ns Ar REALM -where -.Ar slave -is the hostname of the slave server in the given +where +.Ar slave +is the hostname of the slave server in the given .Ar REALM , e.g.\& .Dl iprop/kerberos-1.example.com@EXAMPLE.COM 
@@ -110,20 +108,23 @@ In contrast to .Xr hprop 8 , which sends the whole database to the slaves regularly, .Nm -normally sends only the changes as they happen on the master. The -master keeps track of all the changes by assigning a version number to -every change to the database. The slaves know which was the latest -version they saw, and in this way it can be determined if they are in -sync or not. A log of all the changes is kept on the master. When a -slave is at an older version than the oldest one in the log, the whole -database has to be sent. +normally sends only the changes as they happen on the master. +The master keeps track of all the changes by assigning a version +number to every change to the database. +The slaves know which was the latest version they saw, and in this +way it can be determined if they are in sync or not. +A log of all the changes is kept on the master. +When a slave is at an older version than the oldest one in the log, +the whole database has to be sent. .Pp The changes are propagated over a secure channel (on port 2121 by -default). This should normally be defined as +default). +This should normally be defined as .Dq iprop/tcp in .Pa /etc/services -or another source of the services database. The master and slaves +or another source of the services database. +The master and slaves must each have access to a keytab with keys for the .Nm iprop service principal on the local host. 
@@ -136,78 +137,37 @@ file (e.g.\& Supported options for .Nm ipropd-master : .Bl -tag -width Ds -.It Xo -.Fl c Ar string , -.Fl -config-file= Ns Ar string -.Xc -.It Xo -.Fl r Ar string , -.Fl -realm= Ns Ar string -.Xc -.It Xo -.Fl k Ar kspec , -.Fl -keytab= Ns Ar kspec -.Xc +.It Fl c Ar string , Fl Fl config-file= Ns Ar string +.It Fl r Ar string , Fl Fl realm= Ns Ar string +.It Fl k Ar kspec , Fl Fl keytab= Ns Ar kspec keytab to get authentication from -.It Xo -.Fl d Ar file , -.Fl -database= Ns Ar file -.Xc +.It Fl d Ar file , Fl Fl database= Ns Ar file Database (default per KDC) -.It Xo -.Fl -slave-stats-file= Ns Ar file -.Xc +.It Fl Fl slave-stats-file= Ns Ar file file for slave status information -.It Xo -.Fl -time-missing= Ns Ar time -.Xc +.It Fl Fl time-missing= Ns Ar time time before slave is polled for presence (default 2 min) -.It Xo -.Fl -time-gone= Ns Ar time -.Xc +.It Fl Fl time-gone= Ns Ar time time of inactivity after which a slave is considered gone (default 5 min) -.It Xo -.Fl -detach -.Xc +.It Fl Fl detach detach from console -.It Xo -.Fl -version -.Xc -.It Xo -.Fl -help -.Xc +.It Fl Fl version +.It Fl Fl help .El .Pp Supported options for .Nm ipropd-slave : .Bl -tag -width Ds -.It Xo -.Fl c Ar string , -.Fl -config-file= Ns Ar string -.Xc -.It Xo -.Fl r Ar string , -.Fl -realm= Ns Ar string -.Xc -.It Xo -.Fl k Ar kspec , -.Fl -keytab= Ns Ar kspec -.Xc +.It Fl c Ar string , Fl Fl config-file= Ns Ar string +.It Fl r Ar string , Fl Fl realm= Ns Ar string +.It Fl k Ar kspec , Fl Fl keytab= Ns Ar kspec keytab to get authentication from -.It Xo -.Fl -time-lost= Ns Ar time -.Xc +.It Fl Fl time-lost= Ns Ar time time before server is considered lost (default 5 min) -.It Xo -.Fl -detach -.Xc +.It Fl Fl detach detach from console -.It Xo -.Fl -version -.Xc -.It Xo -.Fl -help -.Xc +.It Fl Fl version +.It Fl Fl help .El Time arguments for the relevant options above may be specified in forms like 5 min, 300 s, or simply a number of seconds. 
diff --git a/lib/krb5/auth_context.c b/lib/krb5/auth_context.c index ea59c7393..4f74adb9e 100644 --- a/lib/krb5/auth_context.c +++ b/lib/krb5/auth_context.c @@ -262,6 +262,7 @@ krb5_auth_con_getaddrs(krb5_context context, return 0; } +/* coverity[+alloc : arg-*2] */ static krb5_error_code copy_key(krb5_context context, krb5_keyblock *in, @@ -289,6 +290,7 @@ krb5_auth_con_getlocalsubkey(krb5_context context, return copy_key(context, auth_context->local_subkey, keyblock); } +/* coverity[+alloc : arg-*2] */ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_auth_con_getremotesubkey(krb5_context context, krb5_auth_context auth_context, diff --git a/lib/krb5/krb5_get_in_cred.3 b/lib/krb5/krb5_get_in_cred.3 index 11dc3d314..c415aeca3 100644 --- a/lib/krb5/krb5_get_in_cred.3 +++ b/lib/krb5/krb5_get_in_cred.3 @@ -169,7 +169,7 @@ but are more specialized. .Nm krb5_get_in_tkt_with_password uses the clients password to authenticate. If the password argument is -.DV NULL +.Dv NULL the user user queried with the default password query function. .Pp .Nm krb5_get_in_tkt_with_keytab diff --git a/lib/krb5/krb5_init_context.3 b/lib/krb5/krb5_init_context.3 index 01d9cc782..95f46085a 100644 --- a/lib/krb5/krb5_init_context.3 +++ b/lib/krb5/krb5_init_context.3 @@ -219,7 +219,7 @@ error-code handler to the specified .Fa context . The error handler must generated by the the re-rentrant version of the -.Xr compile_et 3 +.Xr compile_et 1 program. .Fn krb5_add_extra_addresses add a list of addresses that should be added when requesting tickets. diff --git a/lib/krb5/salt.c b/lib/krb5/salt.c index 5a2115f95..5e4c8a1c8 100644 --- a/lib/krb5/salt.c +++ b/lib/krb5/salt.c @@ -33,6 +33,7 @@ #include "krb5_locl.h" +/* coverity[+alloc : arg-*3] */ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_salttype_to_string (krb5_context context, krb5_enctype etype, diff --git a/lib/roken/get_window_size.c b/lib/roken/get_window_size.c index 13e7ebf15..03d16db84 100644 
--- a/lib/roken/get_window_size.c +++ b/lib/roken/get_window_size.c @@ -58,32 +58,46 @@ #include "roken.h" ROKEN_LIB_FUNCTION int ROKEN_LIB_CALL -get_window_size(int fd, struct winsize *wp) +get_window_size(int fd, int *lines, int *columns) { - int ret = -1; - - memset(wp, 0, sizeof(*wp)); + int ret; + char *s; #if defined(TIOCGWINSZ) - ret = ioctl(fd, TIOCGWINSZ, wp); + { + struct winsize ws; + ret = ioctl(fd, TIOCGWINSZ, &ws); + if (ret != -1) { + if (lines) + *lines = ws.ws_row; + if (columns) + *columns = ws.ws_col; + return 0; + } + } #elif defined(TIOCGSIZE) { struct ttysize ts; ret = ioctl(fd, TIOCGSIZE, &ts); - if(ret == 0) { - wp->ws_row = ts.ts_lines; - wp->ws_col = ts.ts_cols; - } + if (ret != -1) { + if (lines) + *lines = ts.ws_lines; + if (columns) + *columns = ts.ts_cols; + return 0; + } } #elif defined(HAVE__SCRSIZE) { int dst[2]; - - _scrsize(dst); - wp->ws_row = dst[1]; - wp->ws_col = dst[0]; - ret = 0; + + _scrsize(dst); + if (lines) + *lines = dst[1]; + if (columns) + *columns = dst[0]; + return 0; } #elif defined(_WIN32) { @@ -100,14 +114,17 @@ get_window_size(int fd, struct winsize *wp) } } #endif - if (ret != 0) { - char *s; - if((s = getenv("COLUMNS"))) - wp->ws_col = atoi(s); - if((s = getenv("LINES"))) - wp->ws_row = atoi(s); - if(wp->ws_col > 0 && wp->ws_row > 0) - ret = 0; + if (columns) { + if ((s = getenv("COLUMNS"))) + *columns = atoi(s); + else + return -1; } - return ret; + if (lines) { + if ((s = getenv("LINES"))) + *lines = atoi(s); + else + return -1; + } + return 0; } diff --git a/lib/roken/getarg.c b/lib/roken/getarg.c index 1a7321878..03c221408 100644 --- a/lib/roken/getarg.c +++ b/lib/roken/getarg.c @@ -228,7 +228,6 @@ arg_printusage_i18n (struct getargs *args, size_t i, max_len = 0; char buf[128]; int col = 0, columns; - struct winsize ws; if (progname == NULL) progname = getprogname(); 
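Review bot: In the `TIOCGSIZE` branch the new code reads `ts.ws_lines`, but the removed line used `ts.ts_lines` and the following line still uses `ts.ts_cols`, so this branch will most likely fail to compile on platforms that take it; it should read `*lines = ts.ts_lines;`. The `_WIN32` branch lies mostly between the two hunks and is unchanged by this commit, so if it still writes through the old `wp` parameter it will break as well; that cannot be confirmed from the visible lines. `ret` is now assigned but never returned, which may trigger an unused-value warning on the `_scrsize` path.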
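Review bot: The environment fallback stores `atoi(getenv("COLUMNS"))` and `atoi(getenv("LINES"))` with no range check and then returns 0, whereas the removed code only reported success when both values were greater than zero. A setting such as `COLUMNS=0`, a negative number or non-numeric text is now handed to callers as a valid size, and `arg_printusage_i18n` in getarg.c only falls back to 80 when the call returns -1. Suggest rejecting non-positive results, e.g. `int v = atoi(s); if (v <= 0) return -1; *columns = v;`, and the same for `LINES` (or `strtol` with an end-pointer check). Note also that `*columns` may already have been written when the function returns -1 because `LINES` is unset; a header comment stating that outputs are undefined on failure would help.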
@@ -240,9 +239,7 @@ arg_printusage_i18n (struct getargs *args, mandoc_template(args, num_args, progname, extra_string, i18n); return; } - if(get_window_size(2, &ws) == 0) - columns = ws.ws_col; - else + if(get_window_size(2, NULL, &columns) == -1) columns = 80; col = 0; col += fprintf (stderr, "%s: %s", usage, progname); diff --git a/lib/roken/roken.h.in b/lib/roken/roken.h.in index 7324acf64..9723c876c 100644 --- a/lib/roken/roken.h.in +++ b/lib/roken/roken.h.in @@ -759,7 +759,7 @@ struct winsize { }; #endif -ROKEN_LIB_FUNCTION int ROKEN_LIB_CALL get_window_size(int fd, struct winsize *); +ROKEN_LIB_FUNCTION int ROKEN_LIB_CALL get_window_size(int fd, int *, int *); #ifndef HAVE_VSYSLOG #define vsyslog rk_vsyslog diff --git a/lib/vers/print_version.c b/lib/vers/print_version.c index f5c11b403..23cd25e0c 100644 --- a/lib/vers/print_version.c +++ b/lib/vers/print_version.c @@ -52,5 +52,7 @@ print_version(const char *progname) package_list = "no version information"; fprintf(stderr, "%s (%s)\n", progname, package_list); fprintf(stderr, "Copyright 1995-2011 Kungliga Tekniska Högskolan\n"); +#ifdef PACKAGE_BUGREPORT fprintf(stderr, "Send bug-reports to %s\n", PACKAGE_BUGREPORT); +#endif } From 41328aa28eae9f89a5ae76c18396aeec27ce285e Mon Sep 17 00:00:00 2001 From: Love Hornquist Astrand Date: Wed, 4 May 2011 21:50:17 -0700 Subject: [PATCH 31/42] fix argument to get_window_size --- appl/telnet/telnet/sys_bsd.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/appl/telnet/telnet/sys_bsd.c b/appl/telnet/telnet/sys_bsd.c index 52e74e7af..657b85eca 100644 --- a/appl/telnet/telnet/sys_bsd.c +++ b/appl/telnet/telnet/sys_bsd.c 
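Review bot: The new prototype `get_window_size(int fd, int *, int *)` drops the parameter names, and two adjacent `int *` arguments are easy to swap at a call site (rows versus columns). Keeping the names documents the order: `get_window_size(int fd, int *lines, int *columns);`. A one-line comment stating that either pointer may be NULL and that the function returns 0 on success and -1 on failure would match what get_window_size.c in this patch implements.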
@@ -608,11 +608,11 @@ TerminalSpeeds(long *input_speed, long *output_speed) int TerminalWindowSize(long *rows, long *cols) { - struct winsize ws; + int irows, icols; - if (get_window_size (STDIN_FILENO, &ws) == 0) { - *rows = ws.ws_row; - *cols = ws.ws_col; + if (get_window_size(STDIN_FILENO, &irows, &icols) == 0) { + *rows = irows; + *cols = icols; return 1; } else return 0; From 0363c62520c3c2dffeaabd6acc9e56f6bc7f09bf Mon Sep 17 00:00:00 2001 From: Love Hornquist Astrand Date: Wed, 4 May 2011 21:53:10 -0700 Subject: [PATCH 32/42] no more strndup --- appl/test/http_client.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/appl/test/http_client.c b/appl/test/http_client.c index 1ebad8b1c..b9a61f22d 100644 --- a/appl/test/http_client.c +++ b/appl/test/http_client.c @@ -237,12 +237,16 @@ http_query(const char *host, const char *page, in_ptr -= 2; break; } else if (state == RESPONSE) { - req->response = strndup(in_buf, p - in_buf); + req->response = emalloc(p - in_buf + 1); + memcpy(req->response, in_buf, p - in_buf); + req->response[p - in_buf] = '\0'; state = HEADER; } else { req->headers = realloc(req->headers, (req->num_headers + 1) * sizeof(req->headers[0])); - req->headers[req->num_headers] = strndup(in_buf, p - in_buf); + req->headers[req->num_headers] = emalloc(p - in_buf + 1); + memcpy(req->headers[req->num_headers], in_buf, p - in_buf); + req->headers[req->num_headers][p - in_buf] = '\0'; if (req->headers[req->num_headers] == NULL) errx(1, "strdup"); req->num_headers++; From 1a77d64a979773e5c9d9e8cfeb613976394fb0eb Mon Sep 17 00:00:00 2001 From: Love Hornquist Astrand Date: Sat, 7 May 2011 06:34:36 -0700 Subject: [PATCH 33/42] check encoding of MechTypeList --- lib/asn1/check-gen.c | 30 ++++++++++++++++++++++++++++++ lib/asn1/test.asn1 | 3 +++ 2 files changed, 33 insertions(+) diff --git a/lib/asn1/check-gen.c b/lib/asn1/check-gen.c index cce8705ba..bad3356d9 100644 --- a/lib/asn1/check-gen.c +++ b/lib/asn1/check-gen.c 
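Review bot: In the header branch the added `memcpy` and terminator write go through `req->headers[req->num_headers]` before the following `if (... == NULL) errx(1, "strdup")` check, so that check can no longer catch anything and its message names a function that is no longer called. The `realloc` result on the context line above is still assigned and indexed unchecked, which matters here because the header count comes from the server's response; roken's `erealloc` would make it consistent with the new `emalloc` calls. The three-line allocate/copy/terminate sequence is duplicated for `req->response` and the header and could be one small static helper. `http_query` starts and ends outside this hunk.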
@@ -1249,6 +1249,34 @@ check_seq_of_size(void) return 0; } +static int +check_TESTMechTypeList(void) +{ + TESTMechTypeList tl; + unsigned oid1[] = { 1, 2, 840, 48018, 1, 2, 2}; + TESTMechType t1 = { 7, oid1 }; + unsigned oid2[] = { 1, 2, 840, 113554, 1, 2, 2}; + TESTMechType t2 = { 7, oid2 }; + unsigned oid3[] = { 1, 3, 6, 1, 4, 1, 311, 2, 2, 30}; + TESTMechType t3 = { 10, oid3 }; + unsigned oid4[] = { 1, 3, 6, 1, 4, 1, 311, 2, 2, 10}; + TESTMechType t4 = { 10, oid4 }; + TESTMechType array[4] = { t1, t2, t3, t4 }; + size_t size, len; + void *ptr; + int ret; + + tl.len = 4; + tl.val = array; + + ASN1_MALLOC_ENCODE(TESTMechTypeList, ptr, len, &tl, &size, ret); + if (ret) + errx(1, "TESTMechTypeList: %d", ret); + if (len != size) + abort(); + return 0; +} + int main(int argc, char **argv) { @@ -1278,5 +1306,7 @@ main(int argc, char **argv) ret += check_seq(); ret += check_seq_of_size(); + ret += check_TESTMechTypeList(); + return ret; } diff --git a/lib/asn1/test.asn1 b/lib/asn1/test.asn1 index e3c72ac76..89154e337 100644 --- a/lib/asn1/test.asn1 +++ b/lib/asn1/test.asn1 @@ -132,4 +132,7 @@ TESTBitString ::= BIT STRING { thirtyone(31) } +TESTMechType::= OBJECT IDENTIFIER +TESTMechTypeList ::= SEQUENCE OF TESTMechType + END From 657297a738ec755dee9e63586fa87b4c0273f945 Mon Sep 17 00:00:00 2001 From: Love Hornquist Astrand Date: Sat, 7 May 2011 11:44:15 -0700 Subject: [PATCH 34/42] clean the last bits of KRB4 support in KDC --- kdc/config.c | 49 -------------------------------------------- kdc/connect.c | 10 --------- kdc/default_config.c | 39 ----------------------------------- kdc/kdc.h | 9 -------- 4 files changed, 107 deletions(-) diff --git a/kdc/config.c b/kdc/config.c index 65c6c0192..ad71e158d 100644 --- a/kdc/config.c +++ b/kdc/config.c 
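Review bot: `check_TESTMechTypeList` only checks `len != size` after `ASN1_MALLOC_ENCODE`, so it never looks at the encoded bytes, and `ptr` is never freed. To cover the encoding named in the commit title, compare `ptr` with the expected DER bytes (or decode it back and compare against `tl`) and add `free(ptr);` before `return 0;`. The OID lengths 7 and 10 are hard-coded beside the arrays; `sizeof(oid1)/sizeof(oid1[0])` would keep them in sync if an OID is edited.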
@@ -50,10 +50,6 @@ static int require_preauth = -1; /* 1 == require preauth for all principals */ static char *max_request_str; /* `max_request' as a string */ static int disable_des = -1; -static int enable_v4 = -1; -static int enable_kaserver = -1; -static int enable_524 = -1; -static int enable_v4_cross_realm = -1; static int builtin_hdb_flag; static int help_flag; @@ -61,8 +57,6 @@ static int version_flag; static struct getarg_strings addresses_str; /* addresses to listen on */ -static char *v4_realm; - char *runas_string; char *chroot_string; @@ -82,24 +76,6 @@ static struct getargs args[] = { }, { "enable-http", 'H', arg_flag, &enable_http, "turn on HTTP support", NULL }, - { "524", 0, arg_negative_flag, &enable_524, - "don't respond to 524 requests", NULL - }, - { - "kaserver", 'K', arg_flag, &enable_kaserver, - "enable kaserver support", NULL - }, - { "kerberos4", 0, arg_flag, &enable_v4, - "respond to kerberos 4 requests", NULL - }, - { - "v4-realm", 'r', arg_string, &v4_realm, - "realm to serve v4-requests for", NULL - }, - { "kerberos4-cross-realm", 0, arg_flag, - &enable_v4_cross_realm, - "respond to kerberos 4 requests from foreign realms", NULL - }, { "ports", 'P', arg_string, rk_UNCONST(&port_str), "ports to listen to", "portspec" }, @@ -262,15 +238,6 @@ configure(krb5_context context, int argc, char **argv) } } - if(enable_v4 != -1) - config->enable_v4 = enable_v4; - - if(enable_v4_cross_realm != -1) - config->enable_v4_cross_realm = enable_v4_cross_realm; - - if(enable_524 != -1) - config->enable_524 = enable_524; - if(enable_http == -1) enable_http = krb5_config_get_bool(context, NULL, "kdc", "enable-http", NULL); 
@@ -286,9 +253,6 @@ configure(krb5_context context, int argc, char **argv) krb5_errx(context, 1, "enforce-transited-policy deprecated, " "use [kdc]transited-policy instead"); - if (enable_kaserver != -1) - config->enable_kaserver = enable_kaserver; - #ifdef SUPPORT_DETACH if(detach_from_console == -1) detach_from_console = krb5_config_get_bool_default(context, NULL, @@ -305,12 +269,6 @@ configure(krb5_context context, int argc, char **argv) if (port_str == NULL) port_str = "+"; - if (v4_realm) - config->v4_realm = v4_realm; - - if(config->v4_realm == NULL && (config->enable_kaserver || config->enable_v4)) - krb5_errx(context, 1, "Kerberos 4 enabled but no realm configured"); - if(disable_des == -1) disable_des = krb5_config_get_bool_default(context, NULL, FALSE, @@ -323,13 +281,6 @@ configure(krb5_context context, int argc, char **argv) krb5_enctype_disable(context, ETYPE_DES_CBC_NONE); krb5_enctype_disable(context, ETYPE_DES_CFB64_NONE); krb5_enctype_disable(context, ETYPE_DES_PCBC_NONE); - - kdc_log(context, config, - 0, "DES was disabled, turned off Kerberos V4, 524 " - "and kaserver"); - config->enable_v4 = 0; - config->enable_524 = 0; - config->enable_kaserver = 0; } krb5_kdc_windc_init(context); diff --git a/kdc/connect.c b/kdc/connect.c index c6f668245..0ef7084f9 100644 --- a/kdc/connect.c +++ b/kdc/connect.c 
@@ -148,16 +148,6 @@ add_standard_ports (krb5_context context, add_port_service(context, family, "kerberos-sec", 88, "tcp"); if(enable_http) add_port_service(context, family, "http", 80, "tcp"); - if(config->enable_524) { - add_port_service(context, family, "krb524", 4444, "udp"); - add_port_service(context, family, "krb524", 4444, "tcp"); - } - if(config->enable_v4) { - add_port_service(context, family, "kerberos-iv", 750, "udp"); - add_port_service(context, family, "kerberos-iv", 750, "tcp"); - } - if (config->enable_kaserver) - add_port_service(context, family, "afs3-kaserver", 7004, "udp"); if(config->enable_kx509) { add_port_service(context, family, "kca_service", 9878, "udp"); add_port_service(context, family, "kca_service", 9878, "tcp"); diff --git a/kdc/default_config.c b/kdc/default_config.c index 1441c3161..0be5cc556 100644 --- a/kdc/default_config.c +++ b/kdc/default_config.c @@ -55,10 +55,6 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config) c->allow_null_ticket_addresses = TRUE; c->allow_anonymous = FALSE; c->trpolicy = TRPOLICY_ALWAYS_CHECK; - c->enable_v4 = FALSE; - c->enable_kaserver = FALSE; - c->enable_524 = FALSE; - c->enable_v4_cross_realm = FALSE; c->enable_pkinit = FALSE; c->pkinit_princ_in_cert = TRUE; c->pkinit_require_binding = TRUE; @@ -70,19 +66,6 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config) krb5_config_get_bool_default(context, NULL, c->require_preauth, "kdc", "require-preauth", NULL); - c->enable_v4 = - krb5_config_get_bool_default(context, NULL, - c->enable_v4, - "kdc", "enable-kerberos4", NULL); - c->enable_v4_cross_realm = - krb5_config_get_bool_default(context, NULL, - c->enable_v4_cross_realm, - "kdc", - "enable-kerberos4-cross-realm", NULL); - c->enable_524 = - krb5_config_get_bool_default(context, NULL, - c->enable_v4, - "kdc", "enable-524", NULL); #ifdef DIGEST c->enable_digest = krb5_config_get_bool_default(context, NULL, 
@@ -180,28 +163,6 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config) } } - { - const char *p; - p = krb5_config_get_string (context, NULL, - "kdc", - "v4-realm", - NULL); - if(p != NULL) { - c->v4_realm = strdup(p); - if (c->v4_realm == NULL) - krb5_errx(context, 1, "out of memory"); - } else { - c->v4_realm = NULL; - } - } - - c->enable_kaserver = - krb5_config_get_bool_default(context, - NULL, - c->enable_kaserver, - "kdc", "enable-kaserver", NULL); - - c->encode_as_rep_as_tgs_rep = krb5_config_get_bool_default(context, NULL, c->encode_as_rep_as_tgs_rep, diff --git a/kdc/kdc.h b/kdc/kdc.h index 139b5e708..f5e38e217 100644 --- a/kdc/kdc.h +++ b/kdc/kdc.h @@ -64,15 +64,6 @@ typedef struct krb5_kdc_configuration { krb5_boolean allow_anonymous; enum krb5_kdc_trpolicy trpolicy; - char *v4_realm; - krb5_boolean enable_v4; - krb5_boolean enable_v4_cross_realm; - krb5_boolean enable_v4_per_principal; - - krb5_boolean enable_kaserver; - - krb5_boolean enable_524; - krb5_boolean enable_pkinit; krb5_boolean pkinit_princ_in_cert; const char *pkinit_kdc_identity; From 114dff9ebdb08ddfa6c77af6b5493cce0cf96489 Mon Sep 17 00:00:00 2001 From: Love Hornquist Astrand Date: Sat, 7 May 2011 12:29:52 -0700 Subject: [PATCH 35/42] add depency on built headerfiels for librfc3961_la_OBJECTS --- lib/krb5/Makefile.am | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lib/krb5/Makefile.am b/lib/krb5/Makefile.am index cbe9ef87c..f0f7c5eb7 100644 --- a/lib/krb5/Makefile.am +++ b/lib/krb5/Makefile.am @@ -236,7 +236,7 @@ if versionscript libkrb5_la_LDFLAGS += $(LDFLAGS_VERSION_SCRIPT)$(srcdir)/version-script.map endif -$(libkrb5_la_OBJECTS) $(verify_krb5_conf_OBJECTS): $(srcdir)/krb5-protos.h $(srcdir)/krb5-private.h +$(libkrb5_la_OBJECTS) $(verify_krb5_conf_OBJECTS) $(librfc3961_la_OBJECTS): $(srcdir)/krb5-protos.h $(srcdir)/krb5-private.h krb5_err.h heim_err.h k524_err.h krb5_err.h krb_err.h k524_err.h librfc3961_la_SOURCES = \ crc.c \ 
@@ -329,7 +329,7 @@ dist_include_HEADERS = \ krb5-private.h \ krb5_ccapi.h -nodist_include_HEADERS = krb5_err.h heim_err.h k524_err.h +nodist_include_HEADERS = krb5_err.h heim_err.h k524_err.h # XXX use nobase_include_HEADERS = krb5/locate_plugin.h krb5dir = $(includedir)/krb5 @@ -347,7 +347,7 @@ CLEANFILES = \ heim_err.c heim_err.h \ k524_err.c k524_err.h -$(libkrb5_la_OBJECTS): krb5_err.h krb_err.h heim_err.h k524_err.h crypto.h +$(libkrb5_la_OBJECTS): krb5_err.h krb_err.h heim_err.h k524_err.h test_config_strings.out: test_config_strings.cfg $(CP) $(srcdir)/test_config_strings.cfg test_config_strings.out From 86f200c2f7ca34a052f271210fa093a78152c920 Mon Sep 17 00:00:00 2001 From: Love Hornquist Astrand Date: Sat, 7 May 2011 17:22:24 -0700 Subject: [PATCH 36/42] move time backward --- lib/hx509/test_nist2.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/hx509/test_nist2.in b/lib/hx509/test_nist2.in index 04ec7da95..0c4276b07 100644 --- a/lib/hx509/test_nist2.in +++ b/lib/hx509/test_nist2.in @@ -102,7 +102,7 @@ while read result cert other ; do args="$args crl:FILE:$a" done - cmd="${hxtool} verify $args" + cmd="${hxtool} verify --time=2008-05-20 $args" eval ${cmd} > /dev/null res=$? From 17ecd8bc9295288b2a6a00599efb081a65798a29 Mon Sep 17 00:00:00 2001 From: Love Hornquist Astrand Date: Sat, 7 May 2011 17:22:37 -0700 Subject: [PATCH 37/42] move time backward --- lib/hx509/test_nist.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/hx509/test_nist.in b/lib/hx509/test_nist.in index 6e701e9f6..9dffbe691 100644 --- a/lib/hx509/test_nist.in +++ b/lib/hx509/test_nist.in 
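Review bot: The pinned `--time=2008-05-20` in the `hxtool verify` command has no comment saying why that date was chosen, so a later reader cannot tell whether it is safe to move. Presumably the NIST test certificates and CRLs are only valid around that date; confirm this and record it next to `cmd=`, for example `# verify as of a fixed date so results do not depend on the wall clock or on test-data expiry`. The identical change in lib/hx509/test_nist.in needs the same comment.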
@@ -96,7 +96,7 @@ while read id verify cert arg1 arg2 arg3 arg4 arg5 ; do args="$args crl:FILE:$nistdir/crls/TrustAnchorRootCRL.crl" args="$args cert:FILE:$nistdir/certs/$cert" - if ${hxtool} verify $args > /dev/null; then + if ${hxtool} verify --time=2008-05-20 $args > /dev/null; then if test "$verify" = "f"; then echo "verify passed on fail: $id $cert" exit 1 From adcaf1efe98fc2d859feea178c2659b21e194ba0 Mon Sep 17 00:00:00 2001 From: Love Hornquist Astrand Date: Sat, 7 May 2011 19:01:32 -0700 Subject: [PATCH 38/42] use libedit --- lib/NTMakefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/NTMakefile b/lib/NTMakefile index aef3c0435..6844a6b79 100644 --- a/lib/NTMakefile +++ b/lib/NTMakefile @@ -43,7 +43,7 @@ dir_dce = kdfs dir_hcrypto = hcrypto !endif -SUBDIRS = vers editline com_err sl wind asn1 sqlite \ +SUBDIRS = vers libedit com_err sl wind asn1 sqlite \ $(dir_hcrypto) hx509 krb5 heimdal ntlm kafs gssapi hdb \ kadm5 $(dir_45) $(dir_otp) $(dir_dce) ..\packages\windows\assembly From 35652e4a03b0c13fa190c65b654b0aa4b317ff1d Mon Sep 17 00:00:00 2001 From: Love Hornquist Astrand Date: Sat, 7 May 2011 19:02:23 -0700 Subject: [PATCH 39/42] drop libeditline --- doc/copyright.texi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/copyright.texi b/doc/copyright.texi index 1f734ab6c..490abbcce 100644 --- a/doc/copyright.texi +++ b/doc/copyright.texi @@ -84,7 +84,7 @@ or implied warranty. @heading The Regents of the University of California -The parts of the libroken, most of libtelnet, libeditline, telnet, ftp, +The parts of the libroken, most of libtelnet, telnet, ftp, and popper. @verbatim From bd2d4c2f7993840ee9894e080b9fda669632b9ef Mon Sep 17 00:00:00 2001 
From: Love Hornquist Astrand Date: Sun, 8 May 2011 00:16:02 -0700 Subject: [PATCH 40/42] ->max_alloc to krb5_storage and use it --- lib/krb5/store-int.h | 1 + lib/krb5/store.c | 61 ++++++++++++++++++++++++++++++++++--- lib/krb5/store_emem.c | 1 + lib/krb5/store_fd.c | 1 + lib/krb5/store_mem.c | 2 ++ lib/krb5/test_store.c | 30 ++++++++++++++---- lib/krb5/version-script.map | 1 + 7 files changed, 87 insertions(+), 10 deletions(-) diff --git a/lib/krb5/store-int.h b/lib/krb5/store-int.h index 0b7accb86..877ccc008 100644 --- a/lib/krb5/store-int.h +++ b/lib/krb5/store-int.h @@ -43,6 +43,7 @@ struct krb5_storage_data { void (*free)(struct krb5_storage_data*); krb5_flags flags; int eof_code; + size_t max_alloc; }; #endif /* __store_int_h__ */ diff --git a/lib/krb5/store.c b/lib/krb5/store.c index 555496625..ac1fe0ded 100644 --- a/lib/krb5/store.c +++ b/lib/krb5/store.c @@ -119,6 +119,41 @@ krb5_storage_get_byteorder(krb5_storage *sp) return sp->flags & KRB5_STORAGE_BYTEORDER_MASK; } +/** + * Set the max alloc value + * + * @param sp the storage buffer set the max allow for + * @param size maximum size to allocate, use 0 to remove limit + * + * @ingroup krb5_storage + */ + +KRB5_LIB_FUNCTION void KRB5_LIB_CALL +krb5_storage_set_max_alloc(krb5_storage *sp, size_t size) +{ + sp->max_alloc = size; +} + +/* don't allocate unresonable amount of memory */ +static krb5_error_code +size_too_large(krb5_storage *sp, size_t size) +{ + if (sp->max_alloc && sp->max_alloc < size) + return HEIM_ERR_TOO_BIG; + return 0; +} + +static krb5_error_code +size_too_large_num(krb5_storage *sp, size_t count, size_t size) +{ + if (sp->max_alloc == 0 || size == 0) + return 0; + size = sp->max_alloc / size; + if (size < count) + return HEIM_ERR_TOO_BIG; + return 0; +} + /** * Seek to a new offset. * 
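Review bot: `size_too_large()` and `size_too_large_num()` return 0 whenever `sp->max_alloc` is 0, so the cap fails open and only protects storages whose constructor assigns the field; this patch does that by repeating `sp->max_alloc = UINT_MAX/8;` in the emem, fd and mem constructors. Any other code that builds a `krb5_storage` (none is visible here, so this needs checking) would be left unlimited or, if the struct is not zeroed, with an indeterminate limit. Defining the default once in store-int.h and using it from every constructor would make a missed one easy to find. The doc comment on krb5_storage_set_max_alloc should state the default and the consequence of 0, e.g. `@param size maximum size to allocate; 0 removes the limit and should not be used on storage holding untrusted input`, and the typos "max allow" and "unresonable" should be fixed.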
@@ -263,9 +298,9 @@ krb5_storage_to_data(krb5_storage *sp, krb5_data *data) if (pos < 0) return HEIM_ERR_NOT_SEEKABLE; size = sp->seek(sp, 0, SEEK_END); - /* don't allocate unresonable amount of memory */ - if (size > UINT_MAX/8) - return HEIM_ERR_TOO_BIG; + ret = size_too_large(sp, size); + if (ret) + return ret; ret = krb5_data_alloc(data, size); if (ret) { sp->seek(sp, pos, SEEK_SET); @@ -645,6 +680,9 @@ krb5_ret_data(krb5_storage *sp, ret = krb5_ret_int32(sp, &size); if(ret) return ret; + ret = size_too_large(sp, size); + if (ret) + return ret; ret = krb5_data_alloc (data, size); if (ret) return ret; @@ -757,6 +795,9 @@ krb5_ret_stringz(krb5_storage *sp, char *tmp; len++; + ret = size_too_large(sp, len); + if (ret) + break; tmp = realloc (s, len); if (tmp == NULL) { free (s); @@ -823,6 +864,9 @@ krb5_ret_stringnl(krb5_storage *sp, } len++; + ret = size_too_large(sp, len); + if (ret) + break; tmp = realloc (s, len); if (tmp == NULL) { free (s); @@ -923,6 +967,11 @@ krb5_ret_principal(krb5_storage *sp, free(p); return EINVAL; } + ret = size_too_large_num(sp, ncomp, sizeof(p->name.name_string.val[0])); + if (ret) { + free(p); + return ret; + } p->name.name_type = type; p->name.name_string.len = ncomp; ret = krb5_ret_string(sp, &p->realm); @@ -930,7 +979,7 @@ krb5_ret_principal(krb5_storage *sp, free(p); return ret; } - p->name.name_string.val = calloc(ncomp, sizeof(*p->name.name_string.val)); + p->name.name_string.val = calloc(ncomp, sizeof(p->name.name_string.val[0])); if(p->name.name_string.val == NULL && ncomp != 0){ free(p->realm); free(p); @@ -1153,6 +1202,8 @@ krb5_ret_addrs(krb5_storage *sp, krb5_addresses *adr) ret = krb5_ret_int32(sp, &tmp); if(ret) return ret; + ret = size_too_large_num(sp, tmp, sizeof(adr->val[0])); + if (ret) return ret; adr->len = tmp; ALLOC(adr->val, adr->len); if (adr->val == NULL && adr->len != 0) 
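Review bot: In krb5_ret_data the length is read with `krb5_ret_int32()` and passed to `size_too_large(sp, size)`, whose parameter is `size_t`, so a negative wire value is rejected only because it converts to a very large unsigned number, and is not rejected at all once the limit has been set to 0. An explicit `if (size < 0) return HEIM_ERR_TOO_BIG;` before the call makes the rejection independent of `max_alloc`. The counts passed to `size_too_large_num()` in the krb5_ret_addrs and krb5_ret_authdata hunks are read the same way and would benefit from the same guard. The declarations of `size` and `tmp` are outside the hunks, so their signedness is inferred from the `krb5_ret_int32()` calls.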
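Review bot: The added `ret = size_too_large(sp, len);` in krb5_ret_stringz overwrites `ret`, which is 0 after every passing check. The loop header and the code after the loop are outside the hunk; if they use `ret` as the result of the one-byte fetch (1 for a byte read, 0 for end of data), then leaving the loop on the terminating NUL with `ret == 0` would be treated as end-of-file and a valid string would be rejected. A separate local declared next to `tmp` avoids the coupling and frees the buffer on the spot: `eret = size_too_large(sp, len);` followed by `if (eret) { free(s); return eret; }`. The krb5_ret_stringnl hunk adds the same three lines and needs the same change.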
@@ -1211,6 +1262,8 @@ krb5_ret_authdata(krb5_storage *sp, krb5_authdata *auth) int i; ret = krb5_ret_int32(sp, &tmp); if(ret) return ret; + ret = size_too_large_num(sp, tmp, sizeof(auth->val[0])); + if (ret) return ret; ALLOC_SEQ(auth, tmp); if (auth->val == NULL && tmp != 0) return ENOMEM; diff --git a/lib/krb5/store_emem.c b/lib/krb5/store_emem.c index acd61f2e5..7f91b0848 100644 --- a/lib/krb5/store_emem.c +++ b/lib/krb5/store_emem.c @@ -190,5 +190,6 @@ krb5_storage_emem(void) sp->seek = emem_seek; sp->trunc = emem_trunc; sp->free = emem_free; + sp->max_alloc = UINT_MAX/8; return sp; } diff --git a/lib/krb5/store_fd.c b/lib/krb5/store_fd.c index bd357dbe3..dbeec4234 100644 --- a/lib/krb5/store_fd.c +++ b/lib/krb5/store_fd.c @@ -128,5 +128,6 @@ krb5_storage_from_fd(krb5_socket_t fd_in) sp->seek = fd_seek; sp->trunc = fd_trunc; sp->free = fd_free; + sp->max_alloc = UINT_MAX/8; return sp; } diff --git a/lib/krb5/store_mem.c b/lib/krb5/store_mem.c index a6a8b96a5..e674a95db 100644 --- a/lib/krb5/store_mem.c +++ b/lib/krb5/store_mem.c @@ -145,6 +145,7 @@ krb5_storage_from_mem(void *buf, size_t len) sp->seek = mem_seek; sp->trunc = mem_trunc; sp->free = NULL; + sp->max_alloc = UINT_MAX/8; return sp; } @@ -203,5 +204,6 @@ krb5_storage_from_readonly_mem(const void *buf, size_t len) sp->seek = mem_seek; sp->trunc = mem_no_trunc; sp->free = NULL; + sp->max_alloc = UINT_MAX/8; return sp; } diff --git a/lib/krb5/test_store.c b/lib/krb5/test_store.c index 831762b2a..54682ed2f 100644 --- a/lib/krb5/test_store.c +++ b/lib/krb5/test_store.c @@ -193,8 +193,6 @@ test_storage(krb5_context context, krb5_storage *sp) test_uint8(context, sp); test_uint16(context, sp); test_uint32(context, sp); - - krb5_storage_free(sp); } 
@@ -217,10 +215,25 @@ test_truncate(krb5_context context, krb5_storage *sp, int fd) krb5_err(context, 1, errno, "fstat"); if (sb.st_size != 1024) krb5_errx(context, 1, "length not 2"); - - krb5_storage_free(sp); } +static void +check_too_large(krb5_context context, krb5_storage *sp) +{ + uint32_t too_big_sizes[] = { INT_MAX, INT_MAX / 2, INT_MAX / 4, INT_MAX / 8 + 1}; + krb5_error_code ret; + krb5_data data; + size_t n; + + for (n = 0; n < sizeof(too_big_sizes) / sizeof(too_big_sizes); n++) { + krb5_storage_truncate(sp, 0); + krb5_store_uint32(sp, too_big_sizes[n]); + krb5_storage_seek(sp, 0, SEEK_SET); + ret = krb5_ret_data(sp, &data); + if (ret != HEIM_ERR_TOO_BIG) + errx(1, "not too big: %lu", (unsigned long)n); + } +} /* * @@ -284,10 +297,13 @@ main(int argc, char **argv) krb5_errx(context, 1, "krb5_storage_emem: no mem"); test_storage(context, sp); + check_too_large(context, sp); + krb5_storage_free(sp); + fd = open(fn, O_RDWR|O_CREAT|O_TRUNC, 0600); if (fd < 0) - krb5_err(context, 1, errno, "open(%s", fn); + krb5_err(context, 1, errno, "open(%s)", fn); sp = krb5_storage_from_fd(fd); close(fd); @@ -295,6 +311,7 @@ main(int argc, char **argv) krb5_errx(context, 1, "krb5_storage_from_fd: %s no mem", fn); test_storage(context, sp); + krb5_storage_free(sp); unlink(fn); /* @@ -303,13 +320,14 @@ main(int argc, char **argv) fd = open(fn, O_RDWR|O_CREAT|O_TRUNC, 0600); if (fd < 0) - krb5_err(context, 1, errno, "open(%s", fn); + krb5_err(context, 1, errno, "open(%s)", fn); sp = krb5_storage_from_fd(fd); if (sp == NULL) krb5_errx(context, 1, "krb5_storage_from_fd: %s no mem", fn); test_truncate(context, sp, fd); + krb5_storage_free(sp); close(fd); unlink(fn); diff --git a/lib/krb5/version-script.map b/lib/krb5/version-script.map index a7913110e..a518422d9 100644 --- a/lib/krb5/version-script.map +++ b/lib/krb5/version-script.map 
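Review bot: The loop bound in check_too_large is `sizeof(too_big_sizes) / sizeof(too_big_sizes)`, which is always 1, so only `INT_MAX` is exercised; it should be `sizeof(too_big_sizes) / sizeof(too_big_sizes[0])`. Fixing the bound exposes a second problem: with the default `UINT_MAX/8` set in the constructors and a 32-bit int, `INT_MAX / 4` equals the limit and `INT_MAX / 8 + 1` is below it, so neither would return `HEIM_ERR_TOO_BIG` under the `sp->max_alloc < size` comparison. Calling `krb5_storage_set_max_alloc(sp, INT_MAX / 8);` at the top of the function would make all four table entries exceed the limit and also exercise the new setter.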
@@ -606,6 +606,7 @@ HEIMDAL_KRB5_2.0 { krb5_storage_set_byteorder; krb5_storage_set_eof_code; krb5_storage_set_flags; + krb5_storage_set_max_alloc; krb5_storage_to_data; krb5_storage_truncate; krb5_storage_write; From 77c7747cc374d7eb4d4281a490d9640093d2e899 Mon Sep 17 00:00:00 2001 From: Love Hornquist Astrand Date: Sun, 8 May 2011 11:21:44 -0700 Subject: [PATCH 41/42] plug memory leak --- lib/krb5/rd_req.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/lib/krb5/rd_req.c b/lib/krb5/rd_req.c index b78c2c40b..31fbe8e45 100644 --- a/lib/krb5/rd_req.c +++ b/lib/krb5/rd_req.c @@ -135,7 +135,7 @@ static krb5_error_code check_transited(krb5_context context, Ticket *ticket, EncTicketPart *enc) { char **realms; - unsigned int num_realms; + unsigned int num_realms, n; krb5_error_code ret; /* @@ -161,6 +161,8 @@ check_transited(krb5_context context, Ticket *ticket, EncTicketPart *enc) ret = krb5_check_transited(context, enc->crealm, ticket->realm, realms, num_realms, NULL); + for (n = 0; n < num_realms; n++) + free(realms[n]); free(realms); return ret; } From be92276b8ba7ee66518eba4e0ef014cc455dc3f6 Mon Sep 17 00:00:00 2001 From: Love Hornquist Astrand Date: Sun, 8 May 2011 11:22:07 -0700 Subject: [PATCH 42/42] =?UTF-8?q?Fix=20bug=20in=20realm=20encoding=20repor?= =?UTF-8?q?ted=20by=20Mark=20Pr=C3=B6hl?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Also, add basic test while here. --- lib/krb5/Makefile.am | 3 +- lib/krb5/test_x500.c | 110 +++++++++++++++++++++++++++++++++++++++++++ lib/krb5/transited.c | 2 +- 3 files changed, 113 insertions(+), 2 deletions(-) create mode 100644 lib/krb5/test_x500.c diff --git a/lib/krb5/Makefile.am b/lib/krb5/Makefile.am index f0f7c5eb7..2bcc32588 100644 --- a/lib/krb5/Makefile.am +++ b/lib/krb5/Makefile.am @@ -42,7 +42,8 @@ TESTS = \ test_princ \ test_pkinit_dh2key \ test_pknistkdf \ - test_time + test_time \ + test_x500 check_DATA = test_config_strings.out 
diff --git a/lib/krb5/test_x500.c b/lib/krb5/test_x500.c new file mode 100644 index 000000000..4d518e436 --- /dev/null +++ b/lib/krb5/test_x500.c 
@@ -0,0 +1,110 @@ +/* + * Copyright (c) 2011 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of KTH nor the names of its contributors may be + * used to endorse or promote products derived from this software without + * specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY + * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, + * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR + * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF + * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ + +#include "krb5_locl.h" +#include + +/* + * + */ + +static void +check_linear(krb5_context context, + const char *client_realm, + const char *server_realm, + const char *realm, + ...) 
+{ + unsigned int num_inrealms = 0, num_realms = 0, n; + char **inrealms = NULL; + char **realms = NULL; + krb5_error_code ret; + krb5_data tr; + va_list va; + + krb5_data_zero(&tr); + + va_start(va, realm); + + while (realm) { + inrealms = erealloc(inrealms, (num_inrealms + 2) * sizeof(inrealms[0])); + inrealms[num_inrealms] = rk_UNCONST(realm); + num_inrealms++; + realm = va_arg(va, const char *); + } + if (inrealms) + inrealms[num_inrealms] = NULL; + + ret = krb5_domain_x500_encode(inrealms, num_inrealms, &tr); + if (ret) + krb5_err(context, 1, ret, "krb5_domain_x500_encode"); + + ret = krb5_domain_x500_decode(context, tr, + &realms, &num_realms, + client_realm, server_realm); + if (ret) + krb5_err(context, 1, ret, "krb5_domain_x500_decode"); + + krb5_data_free(&tr); + + if (num_inrealms != num_realms) + errx(1, "num_inrealms != num_realms"); + + for(n = 0; n < num_realms; n++) + free(realms[n]); + free(realms); + + free(inrealms); +} + + +int +main(int argc, char **argv) +{ + krb5_context context; + krb5_error_code ret; + + setprogname(argv[0]); + + ret = krb5_init_context(&context); + if (ret) + errx(1, "krb5_init_context"); + + + check_linear(context, "KTH1.SE", "KTH1.SE", NULL); + check_linear(context, "KTH1.SE", "KTH2.SE", NULL); + check_linear(context, "KTH1.SE", "KTH3.SE", "KTH2.SE", NULL); + check_linear(context, "KTH1.SE", "KTH4.SE", "KTH3.SE", "KTH2.SE", NULL); + check_linear(context, "KTH1.SE", "KTH5.SE", "KTH4.SE", "KTH3.SE", "KTH2.SE", NULL); + + return 0; +} diff --git a/lib/krb5/transited.c b/lib/krb5/transited.c index c3988642b..53bf98b2a 100644 --- a/lib/krb5/transited.c +++ b/lib/krb5/transited.c @@ -410,7 +410,7 @@ krb5_domain_x500_encode(char **realms, unsigned int num_realms, return ENOMEM; *s = '\0'; for(i = 0; i < num_realms; i++){ - if(i && i < num_realms - 1) + if(i) strlcat(s, ",", len + 1); if(realms[i][0] == '/') strlcat(s, " ", len + 1);
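Review bot: check_linear calls `va_start(va, realm)` but never `va_end(va)`, which the C standard requires before the function returns; add `va_end(va);` right after the `while (realm)` loop. The round trip is verified only by `num_inrealms != num_realms`, so an encode or decode step that returns the right number of realms with altered or truncated names would still pass. Adding `if (strcmp(inrealms[n], realms[n]) != 0) errx(1, "realm %u differs", n);` to the final loop would cover that, provided decode returns the realms in input order, which is not visible here. main also never releases the context with `krb5_free_context(context)`.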