int
main(int argc, char **argv)
{
krb5_context ctx;
krb5_error_code ret, expected_err;
krb5_enctype *list;
krb5_boolean weak;
unsigned int i;
char *copy;
ret = krb5_init_context(&ctx);
if (ret) {
com_err("krb5_init_context", ret, "");
return 2;
}
for (i = 0; i < sizeof(tests) / sizeof(*tests); i++) {
for (weak = FALSE; weak <= TRUE; weak++) {
ctx->allow_weak_crypto = weak;
if (weak)
expected_err = tests[i].expected_err_weak;
else
expected_err = tests[i].expected_err_noweak;
if (tests[i].str != NULL) {
copy = strdup(tests[i].str);
ret = krb5int_parse_enctype_list(ctx, "", copy,
tests[i].defaults, &list);
if (ret != expected_err) {
com_err("krb5int_parse_enctype_list", ret, "");
return 2;
}
} else {
/* No string; test the filtering on the set_default_etype_var
* instead. */
copy = NULL;
list = NULL;
ret = krb5_set_default_in_tkt_ktypes(ctx, tests[i].defaults);
if (ret != expected_err) {
com_err("krb5_set_default_in_tkt_ktypes", ret, "");
return 2;
}
}
if (!expected_err) {
compare(ctx, tests[i].str ? list : ctx->in_tkt_etypes,
(weak) ? tests[i].expected : tests[i].expected_noweak,
tests[i].str, weak);
}
free(copy);
free(list);
if (!tests[i].str)
krb5_set_default_in_tkt_ktypes(ctx, NULL);
}
}
krb5_free_context(ctx);
return 0;
}
int
main(int argc, char **argv)
{
krb5_context ctx, ctx2;
krb5_plugin_initvt_fn *mods;
const krb5_enctype etypes1[] = { ENCTYPE_DES3_CBC_SHA1, 0 };
const krb5_enctype etypes2[] = { ENCTYPE_AES128_CTS_HMAC_SHA1_96,
ENCTYPE_AES256_CTS_HMAC_SHA1_96, 0 };
krb5_prompt_type ptypes[] = { KRB5_PROMPT_TYPE_PASSWORD };
/* Copy a default context and verify the result. */
check(krb5_init_context(&ctx) == 0);
check(krb5_copy_context(ctx, &ctx2) == 0);
check_context(ctx2, ctx);
krb5_free_context(ctx2);
/* Set non-default values for all of the propagated fields in ctx. */
ctx->allow_weak_crypto = TRUE;
check(krb5_set_default_in_tkt_ktypes(ctx, etypes1) == 0);
check(krb5_set_default_tgs_enctypes(ctx, etypes2) == 0);
check(krb5_set_debugging_time(ctx, 1234, 5678) == 0);
check(krb5_cc_set_default_name(ctx, "defccname") == 0);
check(krb5_set_default_realm(ctx, "defrealm") == 0);
ctx->clockskew = 18;
ctx->kdc_req_sumtype = CKSUMTYPE_NIST_SHA;
ctx->default_ap_req_sumtype = CKSUMTYPE_HMAC_SHA1_96_AES128;
ctx->default_safe_sumtype = CKSUMTYPE_HMAC_SHA1_96_AES256;
ctx->kdc_default_options = KDC_OPT_FORWARDABLE;
ctx->library_options = 0;
ctx->profile_secure = TRUE;
ctx->udp_pref_limit = 2345;
ctx->use_conf_ktypes = TRUE;
ctx->ignore_acceptor_hostname = TRUE;
ctx->dns_canonicalize_hostname = CANONHOST_FALSE;
free(ctx->plugin_base_dir);
check((ctx->plugin_base_dir = strdup("/a/b/c/d")) != NULL);
/* Also set some of the non-propagated fields. */
ctx->prompt_types = ptypes;
check(k5_plugin_load_all(ctx, PLUGIN_INTERFACE_PWQUAL, &mods) == 0);
k5_plugin_free_modules(ctx, mods);
k5_setmsg(ctx, ENOMEM, "nooooooooo");
krb5_set_trace_callback(ctx, trace, ctx);
/* Copy the intentionally messy context and verify the result. */
check(krb5_copy_context(ctx, &ctx2) == 0);
check_context(ctx2, ctx);
krb5_free_context(ctx2);
krb5_free_context(ctx);
return 0;
}
static krb5_error_code
init_common (krb5_context *context, krb5_boolean secure, krb5_boolean kdc)
{
krb5_context ctx = 0;
krb5_error_code retval;
struct {
krb5_int32 now, now_usec;
long pid;
} seed_data;
krb5_data seed;
int tmp;
/* Verify some assumptions. If the assumptions hold and the
compiler is optimizing, this should result in no code being
executed. If we're guessing "unsigned long long" instead
of using uint64_t, the possibility does exist that we're
wrong. */
{
krb5_ui_8 i64;
assert(sizeof(i64) == 8);
i64 = 0, i64--, i64 >>= 62;
assert(i64 == 3);
i64 = 1, i64 <<= 31, i64 <<= 31, i64 <<= 1;
assert(i64 != 0);
i64 <<= 1;
assert(i64 == 0);
}
retval = krb5int_initialize_library();
if (retval)
return retval;
#if (defined(_WIN32))
/*
* Load the krbcc32.dll if necessary. We do this here so that
* we know to use API: later on during initialization.
* The context being NULL is ok.
*/
krb5_win_ccdll_load(ctx);
/*
* krb5_vercheck() is defined in win_glue.c, and this is
* where we handle the timebomb and version server checks.
*/
retval = krb5_vercheck();
if (retval)
return retval;
#endif
*context = 0;
ctx = calloc(1, sizeof(struct _krb5_context));
if (!ctx)
return ENOMEM;
ctx->magic = KV5M_CONTEXT;
ctx->profile_secure = secure;
/* Set the default encryption types, possible defined in krb5/conf */
if ((retval = krb5_set_default_in_tkt_ktypes(ctx, NULL)))
goto cleanup;
if ((retval = krb5_set_default_tgs_ktypes(ctx, NULL)))
goto cleanup;
if ((retval = krb5_os_init_context(ctx, kdc)))
goto cleanup;
/* initialize the prng (not well, but passable) */
{
static pid_t done_seeding = 0;
static pthread_mutex_t m = PTHREAD_MUTEX_INITIALIZER;
int success = 0;
pthread_mutex_lock(&m);
if (done_seeding != getpid()) {
retval = krb5_c_random_os_entropy( ctx, 0, &success);
if (retval == 0 && success)
done_seeding = getpid();
}
pthread_mutex_unlock(&m);
if (retval)
goto cleanup;
}
if ((retval = krb5_crypto_us_timeofday(&seed_data.now, &seed_data.now_usec)))
goto cleanup;
seed_data.pid = getpid ();
seed.length = sizeof(seed_data);
seed.data = (char *) &seed_data;
if ((retval = krb5_c_random_add_entropy(ctx, KRB5_C_RANDSOURCE_TIMING, &seed)))
goto cleanup;
ctx->default_realm = 0;
profile_get_integer(ctx->profile, "libdefaults", "clockskew",
0, 5 * 60, &tmp);
ctx->clockskew = tmp;
#if 0
/* Default ticket lifetime is currently not supported */
profile_get_integer(ctx->profile, "libdefaults", "tkt_lifetime",
0, 10 * 60 * 60, &tmp);
ctx->tkt_lifetime = tmp;
#endif
/* DCE 1.1 and below only support CKSUMTYPE_RSA_MD4 (2) */
/* DCE add kdc_req_checksum_type = 2 to krb5.conf */
profile_get_integer(ctx->profile, "libdefaults",
"kdc_req_checksum_type", 0, CKSUMTYPE_RSA_MD5,
&tmp);
ctx->kdc_req_sumtype = tmp;
profile_get_integer(ctx->profile, "libdefaults",
"ap_req_checksum_type", 0, CKSUMTYPE_RSA_MD5,
&tmp);
ctx->default_ap_req_sumtype = tmp;
profile_get_integer(ctx->profile, "libdefaults",
"safe_checksum_type", 0,
CKSUMTYPE_RSA_MD5_DES, &tmp);
ctx->default_safe_sumtype = tmp;
profile_get_integer(ctx->profile, "libdefaults",
"kdc_default_options", 0,
KDC_OPT_RENEWABLE_OK, &tmp);
ctx->kdc_default_options = tmp;
#define DEFAULT_KDC_TIMESYNC 1
profile_get_integer(ctx->profile, "libdefaults",
"kdc_timesync", 0, DEFAULT_KDC_TIMESYNC,
&tmp);
ctx->library_options = tmp ? KRB5_LIBOPT_SYNC_KDCTIME : 0;
/*
* We use a default file credentials cache of 3. See
* lib/krb5/krb/ccache/file/fcc.h for a description of the
* credentials cache types.
*
* Note: DCE 1.0.3a only supports a cache type of 1
* DCE 1.1 supports a cache type of 2.
*/
#define DEFAULT_CCACHE_TYPE 4
profile_get_integer(ctx->profile, "libdefaults", "ccache_type",
0, DEFAULT_CCACHE_TYPE, &tmp);
ctx->fcc_default_format = tmp + 0x0500;
ctx->prompt_types = 0;
ctx->use_conf_ktypes = 0;
ctx->udp_pref_limit = -1;
*context = ctx;
return 0;
cleanup:
krb5_free_context(ctx);
return retval;
}
static krb5_error_code
init_common (krb5_context *context, krb5_boolean secure, krb5_boolean kdc)
{
krb5_context ctx = 0;
krb5_error_code retval;
#ifndef _KERNEL
struct {
krb5_int32 now, now_usec;
long pid;
} seed_data;
krb5_data seed;
int tmp;
/* Solaris Kerberos */
#if 0
/* Verify some assumptions. If the assumptions hold and the
compiler is optimizing, this should result in no code being
executed. If we're guessing "unsigned long long" instead
of using uint64_t, the possibility does exist that we're
wrong. */
{
krb5_ui_8 i64;
assert(sizeof(i64) == 8);
i64 = 0, i64--, i64 >>= 62;
assert(i64 == 3);
i64 = 1, i64 <<= 31, i64 <<= 31, i64 <<= 1;
assert(i64 != 0);
i64 <<= 1;
assert(i64 == 0);
}
#endif
retval = krb5int_initialize_library();
if (retval)
return retval;
#endif
#if (defined(_WIN32))
/*
* Load the krbcc32.dll if necessary. We do this here so that
* we know to use API: later on during initialization.
* The context being NULL is ok.
*/
krb5_win_ccdll_load(ctx);
/*
* krb5_vercheck() is defined in win_glue.c, and this is
* where we handle the timebomb and version server checks.
*/
retval = krb5_vercheck();
if (retval)
return retval;
#endif
*context = 0;
ctx = MALLOC(sizeof(struct _krb5_context));
if (!ctx)
return ENOMEM;
(void) memset(ctx, 0, sizeof(struct _krb5_context));
ctx->magic = KV5M_CONTEXT;
ctx->profile_secure = secure;
if ((retval = krb5_os_init_context(ctx, kdc)))
goto cleanup;
/*
* Initialize the EF handle, its needed before doing
* the random seed.
*/
if ((retval = krb5_init_ef_handle(ctx)))
goto cleanup;
#ifndef _KERNEL
/* fork safety: set pid to current process ID for later checking */
ctx->pid = __krb5_current_pid;
/* Set the default encryption types, possible defined in krb5/conf */
if ((retval = krb5_set_default_in_tkt_ktypes(ctx, NULL)))
goto cleanup;
if ((retval = krb5_set_default_tgs_ktypes(ctx, NULL)))
goto cleanup;
if (ctx->tgs_ktype_count != 0) {
ctx->conf_tgs_ktypes = MALLOC(ctx->tgs_ktype_count *
sizeof(krb5_enctype));
if (ctx->conf_tgs_ktypes == NULL)
goto cleanup;
(void) memcpy(ctx->conf_tgs_ktypes, ctx->tgs_ktypes,
sizeof(krb5_enctype) * ctx->tgs_ktype_count);
}
ctx->conf_tgs_ktypes_count = ctx->tgs_ktype_count;
/* initialize the prng (not well, but passable) */
if ((retval = krb5_crypto_us_timeofday(&seed_data.now, &seed_data.now_usec)))
goto cleanup;
seed_data.pid = getpid ();
seed.length = sizeof(seed_data);
seed.data = (char *) &seed_data;
if ((retval = krb5_c_random_seed(ctx, &seed)))
/*
* Solaris Kerberos: we use /dev/urandom, which is
* automatically seeded, so its OK if this fails.
*/
retval = 0;
ctx->default_realm = 0;
profile_get_integer(ctx->profile, "libdefaults", "clockskew",
0, 5 * 60, &tmp);
ctx->clockskew = tmp;
#if 0
/* Default ticket lifetime is currently not supported */
profile_get_integer(ctx->profile, "libdefaults", "tkt_lifetime",
0, 10 * 60 * 60, &tmp);
ctx->tkt_lifetime = tmp;
#endif
/* DCE 1.1 and below only support CKSUMTYPE_RSA_MD4 (2) */
/* DCE add kdc_req_checksum_type = 2 to krb5.conf */
profile_get_integer(ctx->profile, "libdefaults",
"kdc_req_checksum_type", 0, CKSUMTYPE_RSA_MD5,
&tmp);
ctx->kdc_req_sumtype = tmp;
profile_get_integer(ctx->profile, "libdefaults",
"ap_req_checksum_type", 0, CKSUMTYPE_RSA_MD5,
&tmp);
ctx->default_ap_req_sumtype = tmp;
profile_get_integer(ctx->profile, "libdefaults",
"safe_checksum_type", 0,
CKSUMTYPE_RSA_MD5_DES, &tmp);
ctx->default_safe_sumtype = tmp;
profile_get_integer(ctx->profile, "libdefaults",
"kdc_default_options", 0,
KDC_OPT_RENEWABLE_OK, &tmp);
ctx->kdc_default_options = tmp;
#define DEFAULT_KDC_TIMESYNC 1
profile_get_integer(ctx->profile, "libdefaults",
"kdc_timesync", 0, DEFAULT_KDC_TIMESYNC,
&tmp);
ctx->library_options = tmp ? KRB5_LIBOPT_SYNC_KDCTIME : 0;
/*
* We use a default file credentials cache of 3. See
* lib/krb5/krb/ccache/file/fcc.h for a description of the
* credentials cache types.
*
* Note: DCE 1.0.3a only supports a cache type of 1
* DCE 1.1 supports a cache type of 2.
*/
#define DEFAULT_CCACHE_TYPE 4
profile_get_integer(ctx->profile, "libdefaults", "ccache_type",
0, DEFAULT_CCACHE_TYPE, &tmp);
ctx->fcc_default_format = tmp + 0x0500;
ctx->scc_default_format = tmp + 0x0500;
ctx->prompt_types = 0;
ctx->use_conf_ktypes = 0;
ctx->udp_pref_limit = -1;
#endif /* !_KERNEL */
*context = ctx;
return 0;
cleanup:
krb5_free_context(ctx);
return retval;
}
